From owner-firewalls-outgoing Tue Apr 1 00:38:30 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id AAA07080 for firewalls-outgoing; Tue, 1 Apr 1997 00:26:00 -0800 (PST)
Received: from polaris.pacificnet.net (polaris.pacificnet.net [207.171.0.250]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id AAA07051 for ; Tue, 1 Apr 1997 00:25:54 -0800 (PST)
Received: from default (pm3c-4.pacificnet.net [207.171.18.101]) by polaris.pacificnet.net (8.6.11/8.6.11) with SMTP id AAA13390; Tue, 1 Apr 1997 00:24:33 -0800
Message-ID: <3340C7BE.1873@pacificnet.net>
Date: Tue, 01 Apr 1997 00:30:54 -0800
From: Osiris
Reply-To: osiris@pacificnet.net
Organization: Abode of the Dead
X-Mailer: Mozilla 3.01Gold (Win95; I)
MIME-Version: 1.0
To: sunwei@sea.net.edu.cn
CC: Firewalls@GreatCircle.COM
Subject: Re: PC based network analyzer
References: <199703290900.BAA16076@honor.greatcircle.com> <33417F81.317E@sea.net.edu.cn>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

********* Gobbler ***********
http://www.macatawa.org/~agent43/gobbler.zip
[ALT] ftp://ftp.mzt.hr/pub/tools/pc/sniffers/gobbler/gobbler.zip
[ALT] ftp://ftp.tordata.se/www/hokum/gobbler.zip

******** Ethload **********
ftp://oak.oakland.edu/SimTel/msdos/lan/ethld104.zip
[ALT] http://www.med.ucalgary.ca:70/1/ftp/dos/regular
[ALT] ftp://ftp.vuw.ac.nz/simtel/msdos/lan/ethld104.zip
[ALT] http://www.apricot.co.uk/ftp/bbs/atsbbs/allfiles.htm

From owner-firewalls-outgoing Tue Apr 1 00:54:49 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id AAA08962 for firewalls-outgoing; Tue, 1 Apr 1997 00:48:14 -0800 (PST)
Received: from cemtecasia.com.sg ([202.42.237.2]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id AAA08954 for ; Tue, 1 Apr 1997 00:48:08 -0800 (PST)
Received: by ssy.cemtecasia.com.sg id <14979>; Tue, 1 Apr 1997 16:59:47 +0800
X-MAPI-MessageClass: IPM
To: sunwei@sea.net.edu.cn, Firewalls@GreatCircle.COM
X-Mailer: FTP Software Internet Mail 2.0
MIME-Version: 1.0
From: Wilson Heng
Subject: RE: PC based network analyzer
Date: Tue, 1 Apr 1997 17:27:06 +0800
Content-Type: text/plain; charset=US-ASCII; X-MAPIextension=".TXT"
Content-Transfer-Encoding: 7bit
Message-Id: <97Apr1.165947sst.14979@ssy.cemtecasia.com.sg>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Well, you could use LANwatch from FTP software. More information could be obtained at www.ftp.com. :-)

Subject : PC based network analyzer
*Sun Wei (sunwei@sea.net.edu.cn) wrote>

Hi,

Does anyone know if there is a kind of PC based network packet analyzer?

TIA,
Wei

--
*---------------------------------------------------------------*
| Wei Sun | Phone: 86-10-62784997 |
| Tsinghua Univ. Network Center | Fax : 86-10-62785933 |
| Rm 224, Central Main Building | Email: sunwei@sea.net.edu.cn |
| Tsinghua Univ., Beijing, P.R.China |
*---------------------------------------------------------------*
>>End of message

From owner-firewalls-outgoing Tue Apr 1 01:28:56 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id BAA12823 for firewalls-outgoing; Tue, 1 Apr 1997 01:18:34 -0800 (PST)
Received: from reflections.eng.mindspring.net (reflections.eng.mindspring.net [207.69.183.9]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id BAA12806 for ; Tue, 1 Apr 1997 01:18:27 -0800 (PST)
Received: from localhost (lists@localhost) by reflections.eng.mindspring.net (8.8.5/8.8.5) with SMTP id EAA22153; Tue, 1 Apr 1997 04:18:47 -0500
Date: Tue, 1 Apr 1997 04:18:43 -0500 (EST)
From: Todd Graham Lewis
To: Sun Wei
cc: Firewalls@GreatCircle.COM
Subject: Re: PC based network analyzer
In-Reply-To: <33417F81.317E@sea.net.edu.cn>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 1 Apr 1997, Sun Wei wrote:

> Does anyone know if there is a kind of PC based network packet analyzer?

Yes; tcpdump. It runs on a number of PC os'es, including Linux, the BSD's, and potentially NT, although I'm not sure about the last.

__
Todd Graham Lewis MindSpring Enterprises tlewis@mindspring.com

From owner-firewalls-outgoing Tue Apr 1 01:36:30 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id BAA13168 for firewalls-outgoing; Tue, 1 Apr 1997 01:21:39 -0800 (PST)
Received: from us0229.nomura.co.uk (us0229.nomura.co.uk [194.223.136.1]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id BAA13069 for ; Tue, 1 Apr 1997 01:21:16 -0800 (PST)
From: steve.gailey@nomura.co.uk
Received: by us0229.nomura.co.uk; id AA24003; Tue, 1 Apr 97 10:27:21 BST
Received: from mailhub by us0229.nomura.co.uk via smap (V3.1) id xma023990; Tue, 1 Apr 97 10:27:18 +0100
Received: from by nomura.co.uk (5.x/SMI-SVR4) id AA27873; Tue, 1 Apr 1997 10:21:34 +0100
X-Openmail-Hops: 2
Date: Tue, 1 Apr 97 10:20:48 +0100
Message-Id:
In-Reply-To: <33417F81.317E@sea.net.edu.cn>
Subject: Re: PC based network analyzer
Mime-Version: 1.0
To: sunwei@sea.net.edu.cn
Cc: Firewalls@GreatCircle.COM
Content-Type: text/plain; charset=US-ASCII; name="PC"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Try ethermon. It's on ftp.demon.co.uk amongst other places, somewhere in their PC tree. It uses Packet drivers to work with most PC cards and provides a real time display, mainly aimed at IP, though it does some other stuff as well including IPX. It is a bit long in the tooth now, but I still use it.
Ignore the contact details in the readme file though, I have moved several times and changed ISPs too :-)

Steve

______________________________ Reply Separator _________________________________
Subject: PC based network analyzer
Author: firewalls-owner (firewalls-owner@GreatCircle.COM) at internet-mime
Date: 4/1/97 9:34 PM

Hi,

Does anyone know if there is a kind of PC based network packet analyzer?

TIA,
Wei

--
*---------------------------------------------------------------*
| Wei Sun | Phone: 86-10-62784997 |
| Tsinghua Univ. Network Center | Fax : 86-10-62785933 |
| Rm 224, Central Main Building | Email: sunwei@sea.net.edu.cn |
| Tsinghua Univ., Beijing, P.R.China |
*---------------------------------------------------------------*

From owner-firewalls-outgoing Tue Apr 1 01:51:58 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id BAA16507 for firewalls-outgoing; Tue, 1 Apr 1997 01:48:08 -0800 (PST)
Received: from wizard.abirnet.co.il (wizard.abirnet.co.il [194.90.211.10]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id BAA16480 for ; Tue, 1 Apr 1997 01:47:53 -0800 (PST)
Received: from ziv.abirnet.co.il (z1.abirnet.co.il [194.90.211.21]) by wizard.abirnet.co.il (8.7.6/8.7.3) with SMTP id MAA12130; Tue, 1 Apr 1997 12:48:22 +0300
Date: Tue, 1 Apr 97 12:48:59
From: Ziv Dascalu
Subject: RE: Firewall export license
To: firewalls@GreatCircle.COM, allan@bellsouth.net
X-PRIORITY: 3 (Normal)
X-Mailer: Chameleon 5.0, TCP/IP for Windows, NetManage Inc.
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

--- On Mon, 31 Mar 1997 10:52:16 -0800 Allan Chong wrote:

>How hard is it to get a DES encryption export license for a
>firewall? I've got a financial services firm that wants
>encryption between their location here in the US and Israel.
>
>
>allan

-----------------End of Original Message-----------------

Hi,

I would suggest looking at firewall vendors whose development was done outside the US. They are not bound by the export restrictions that the US manufacturers are tied to.

In any case I would suggest looking specifically at the VPN solutions that the vendors have and not the end-to-end ones.

/Ziv

/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\
| A B I R N E T Active Network Protection |
\~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~/
/ AbirNet provides the next generation in Internet and Intranet Protection\
| AbirNet provides Windows 95 & NT-based software that lets you know |
| how your network is being used while protecting it from intrusions |
| and abuse using no-network overhead, see-it-all filtering, blocking, |
| alerting, logging, and scanning technologies. |
| |
\========== Get a trial version at ===============/

From owner-firewalls-outgoing Tue Apr 1 02:06:44 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id BAA15692 for firewalls-outgoing; Tue, 1 Apr 1997 01:41:34 -0800 (PST)
Received: from wizard.abirnet.co.il (wizard.abirnet.co.il [194.90.211.10]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id BAA15636 for ; Tue, 1 Apr 1997 01:41:19 -0800 (PST)
Received: from ziv.abirnet.co.il (z1.abirnet.co.il [194.90.211.21]) by wizard.abirnet.co.il (8.7.6/8.7.3) with SMTP id MAA12081; Tue, 1 Apr 1997 12:41:48 +0300
Date: Tue, 1 Apr 97 12:43:53
From: Ziv Dascalu
Subject: RE: Microsoft ULS/ILS through a firewall
To: "'firewalls@GreatCircle.COM'" , Cato Antonsen
X-PRIORITY: 3 (Normal)
X-Mailer: Chameleon 5.0, TCP/IP for Windows, NetManage Inc.
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

--- On Tue, 1 Apr 1997 00:02:19 +0100 Cato Antonsen wrote:

>Hi,
>
>I've been trying to figure out which ports I need to open on our
>firewall to get Netmeeting and the ILS-server to work on our network.
>
>I've searched the net and browsed through some Internet drafts without
>any luck. So now I turn to you guys... ;-)
>
>Thanks in advance!
>
>Regards,
>Cato Antonsen (http://login.nord.eunet.no/~cato)
>System administrator, EUnet NORD AS

-----------------End of Original Message-----------------

Hi,

I would recommend 1st to monitor your system and see what protocols are being used. Then block EVERYTHING and just leave the ones you detected and want to keep.

I found it to be the fastest way to integrate a firewall into an existing network.

/Ziv

/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\
| A B I R N E T Active Network Protection |
\~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~/
/ AbirNet provides the next generation in Internet and Intranet Protection\
| AbirNet provides Windows 95 & NT-based software that lets you know |
| how your network is being used while protecting it from intrusions |
| and abuse using no-network overhead, see-it-all filtering, blocking, |
| alerting, logging, and scanning technologies. |
| |
\========== Get a trial version at ===============/

From owner-firewalls-outgoing Tue Apr 1 02:23:46 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id CAA18960 for firewalls-outgoing; Tue, 1 Apr 1997 02:06:34 -0800 (PST)
Received: from wizard.abirnet.co.il (wizard.abirnet.co.il [194.90.211.10]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id CAA18899 for ; Tue, 1 Apr 1997 02:06:18 -0800 (PST)
Received: from ziv.abirnet.co.il (z1.abirnet.co.il [194.90.211.21]) by wizard.abirnet.co.il (8.7.6/8.7.3) with SMTP id NAA12241; Tue, 1 Apr 1997 13:06:47 +0300
Date: Tue, 1 Apr 97 13:09:16
From: Ziv Dascalu
Subject: RE: RealAudio
To: firewalls@GreatCircle.COM, mmozes@fujitsu.ca
X-PRIORITY: 3 (Normal)
X-Mailer: Chameleon 5.0, TCP/IP for Windows, NetManage Inc.
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

--- On Mon, 31 Mar 97 10:36:00 PST mmozes@fujitsu.ca wrote:

>
>Does anyone know the port number for RealAudio?
>
>Thanks,

-----------------End of Original Message-----------------

RealAudio is 7070 TCP

/Ziv

/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\
| A B I R N E T Active Network Protection http://www.AbirNet.com |
\~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~/

From owner-firewalls-outgoing Tue Apr 1 02:36:42 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id CAA23292 for firewalls-outgoing; Tue, 1 Apr 1997 02:33:29 -0800 (PST)
Received: from gateway.internet-smartware.com ([195.152.168.40]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id CAA23249 for ; Tue, 1 Apr 1997 02:33:17 -0800 (PST)
Received: by gateway.internet-smartware.com; id LAA20461; Tue, 1 Apr 1997 11:34:36 +0100 (BST)
Received: from jupiter.internet-smartware.com(172.16.2.4) by gateway.internet-smartware.com via smap (V3.1.1) id xma020459; Tue, 1 Apr 97 11:34:09 +0100
Received: from jupiter.internet-smartware.com (robin@jupiter.Internet-SmartWare.com [172.16.2.4]) by jupiter.internet-smartware.com (8.7.4/8.7.3) with SMTP id LAA10659; Tue, 1 Apr 1997 11:44:32 +0100 (BST)
Date: Tue, 1 Apr 1997 11:44:31 +0100 (BST)
From: Robin J Smith
To: Cato Antonsen
cc: "'firewalls@GreatCircle.COM'"
Subject: Re: Microsoft ULS/ILS through a firewall
In-Reply-To: <97Apr1.005915bst.11649-2@gateway.peapod.co.uk>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Cato,

On Tue, 1 Apr 1997, Cato Antonsen wrote:

> I've been trying to figure out which ports I need to open on our
> firewall to get Netmeeting and the ILS-server to work on our network.

If you really want to let Netmeeting through your firewall:

http://www.microsoft.com/kb/articles/q158/6/23.htm

...but you should look at proxying UDP.
Robin J Smith - Systems Engineer
Internet Smartware Ltd., 1c The Harlequin Centre, Southall Lane, Southall, Middlesex, UB2 5NH, UK
Tel:+44 (0) 181 574 9545 Fax:+44 (0) 181 574 8384
http://www.internet-smartware.com

From owner-firewalls-outgoing Tue Apr 1 03:08:10 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id CAA19760 for firewalls-outgoing; Tue, 1 Apr 1997 02:12:01 -0800 (PST)
Received: from mozart.adv.magwien.gv.at (mozart.adv.magwien.gv.at [141.203.2.173]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id CAA19732 for ; Tue, 1 Apr 1997 02:11:50 -0800 (PST)
Received: by mozart.adv.magwien.gv.at id AA23476 (5.65c8+/MagwienServer(pfp)2.3 for firewalls@greatcircle.com); Tue, 1 Apr 1997 12:14:54 +0200
Received: from ta4014.adv.magwien.gv.at by adv.magwien.gv.at (5.65c8+/MagwienSilly(pfp&stg)1.2/3.10) id AA18687; Tue, 1 Apr 1997 12:14:52 +0200
Message-Id: <2.2.32.19970401101209.006a3af4@pop1.magwien.gv.at>
X-Sender: pel@pop1.magwien.gv.at
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 01 Apr 1997 12:12:09 +0200
To: firewalls@GreatCircle.COM
From: Michael Pellmann
Subject: Re: CNET story on Microsoft defending ActiveX today
X-Charset: LATIN1
X-Char-Esc: 29
X-Doublesendmail-From: pel@adv.magwien.gv.at
X-Doublesendmail-To: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Or what happens when you go to an ActiveX class or buy the Microsoft Press
>version? How does Microsoft *know* what they are signing?
>
>Or when someone duplicates the signing technology (Oh, before you run this
>neat application, you will need to Upgrade your Cert Authority Now!).
>

And don't forget that the authentication is only used for downloading. Every page on the net can use all modules already installed.
And modules can be installed either by downloading (authentication involved) or by locally installed applications or systems (no authentication involved, but maybe you know where you get that one out of thousand modules from).

You can use those modules in a way the author never expected to work. Or you can use it in a way the author has designed it to work, but never to work over the net or only for his application.

Remember the good old authorization SVCs on mainframes, you had to know to bypass security.

BTW, do you know where you have gotten that module from?

Michael

From owner-firewalls-outgoing Tue Apr 1 03:09:13 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id CAA22216 for firewalls-outgoing; Tue, 1 Apr 1997 02:24:56 -0800 (PST)
Received: from wizard.abirnet.co.il (wizard.abirnet.co.il [194.90.211.10]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id CAA22199 for ; Tue, 1 Apr 1997 02:24:47 -0800 (PST)
Received: from ziv.abirnet.co.il (z1.abirnet.co.il [194.90.211.21]) by wizard.abirnet.co.il (8.7.6/8.7.3) with SMTP id NAA12325; Tue, 1 Apr 1997 13:25:18 +0300
Date: Tue, 1 Apr 97 13:26:58
From: Ziv Dascalu
Subject: Re: email monitoring
To: firewalls@GreatCircle.COM, Information Security
X-PRIORITY: 3 (Normal)
X-Mailer: Chameleon 5.0, TCP/IP for Windows, NetManage Inc.
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

--- On Fri, 28 Mar 1997 00:25:22 -0500 (EST) Information Security wrote:

>Still posting to comp.security.firewalls...
>
>I'm up through the five month statistics on what was caught
>outbound via the firewall...over 400,000 lines of proprietary
>source code for one thing.
>
>All the people had legitimate access internally.
>
>It makes me feel (almost) that all the regular Unix security
>work I've done had no meaning. Who cares if they break root
>if distributed thieves and idiots simply email out what they
>already have access to?
>
>Sigh,
>---guy

-----------------End of Original Message-----------------

Hi,

Why not just put in some email monitoring software and block messages which do not fit the company policies?

/Ziv

/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\
| A B I R N E T Active Network Protection |
\~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~/
/ AbirNet provides the next generation in Internet and Intranet Protection\
| AbirNet provides Windows 95 & NT-based software that lets you know |
| how your network is being used while protecting it from intrusions |
| and abuse using no-network overhead, see-it-all filtering, blocking, |
| alerting, logging, and scanning technologies. |
| |
\========== Get a trial version at ===============/

From owner-firewalls-outgoing Tue Apr 1 03:21:56 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id CAA20796 for firewalls-outgoing; Tue, 1 Apr 1997 02:17:12 -0800 (PST)
Received: from wizard.abirnet.co.il (wizard.abirnet.co.il [194.90.211.10]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id CAA20751 for ; Tue, 1 Apr 1997 02:16:57 -0800 (PST)
Received: from ziv.abirnet.co.il (z1.abirnet.co.il [194.90.211.21]) by wizard.abirnet.co.il (8.7.6/8.7.3) with SMTP id NAA12286; Tue, 1 Apr 1997 13:17:25 +0300
Date: Tue, 1 Apr 97 13:17:55
From: Ziv Dascalu
Subject: RE: Need advice on logging, authentication and encyrption
To: firewalls@GreatCircle.COM, FaNgYoU2
X-PRIORITY: 3 (Normal)
X-Mailer: Chameleon 5.0, TCP/IP for Windows, NetManage Inc.
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

You asked:

1) How can we get the NT machine to write the log created by cc:Web over a serial port to a stand alone logging machine?
*** You can get and use other tracking devices that will log and show the whole traffic or needed parts of it for later viewing

2) Can the NT machine be set up to ftp the log file to another hardened machine?

*** You can set up an FTP server on that machine or use scripts to send it over to somewhere else at specific times

3) What software is out there that we could give to users that would work together with the Secure-ID we are installing on Gauntlet to provide encryption of the connection?

*** I would check it with the vendor and also what smart card companies are working with this

/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\
| A B I R N E T Active Network Protection |
\~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~/
/ AbirNet provides the next generation in Internet and Intranet Protection\
| AbirNet provides Windows 95 & NT-based software that lets you know |
| how your network is being used while protecting it from intrusions |
| and abuse using no-network overhead, see-it-all filtering, blocking, |
| alerting, logging, and scanning technologies. |
| |
\========== Get a trial version at ===============/

From owner-firewalls-outgoing Tue Apr 1 03:41:40 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id CAA20114 for firewalls-outgoing; Tue, 1 Apr 1997 02:13:57 -0800 (PST)
Received: from wizard.abirnet.co.il (wizard.abirnet.co.il [194.90.211.10]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id CAA20095 for ; Tue, 1 Apr 1997 02:13:49 -0800 (PST)
Received: from ziv.abirnet.co.il (z1.abirnet.co.il [194.90.211.21]) by wizard.abirnet.co.il (8.7.6/8.7.3) with SMTP id NAA12273; Tue, 1 Apr 1997 13:14:14 +0300
Date: Tue, 1 Apr 97 13:15:59
From: Ziv Dascalu
Subject: Re: Need advice on logging, authentication and encyrption
To: FaNgYoU2 , Harry Behrens
Cc: firewalls@GreatCircle.COM, behrens@mtl.t.u-tokyo.ac.jp
X-PRIORITY: 3 (Normal)
X-Mailer: Chameleon 5.0, TCP/IP for Windows, NetManage Inc.
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

--- On Mon, 31 Mar 1997 02:27:54 +0900 Harry Behrens wrote:

>At 08:28 97/03/30 -0500, you wrote:
>
>>Last Thursday they found that a hacker running a packet sniffer on the
>>Internet had been capturing user names and passwords and then logging into
>>cc:Web/cc:Mail during off hours.
>
>How do you suppose a hacker runs a packet sniffer "on the Internet".
>Typically packet sniffers are run on your local LAN by listening to all
>traffic being sent over the local Ethernet.
>I don't see how this can be done on the Internet unless the hacker is placed
>on some upstream network through which all traffic to and from that site is
>routed.
>>

-----------------End of Original Message-----------------

The sniffing can also be done by doing DNS redirection for specific services. In this case there is no need to be upstream since it will go through you.
/Ziv

/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\
| A B I R N E T Active Network Protection |
\~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~/
/ AbirNet provides the next generation in Internet and Intranet Protection\
| AbirNet provides Windows 95 & NT-based software that lets you know |
| how your network is being used while protecting it from intrusions |
| and abuse using no-network overhead, see-it-all filtering, blocking, |
| alerting, logging, and scanning technologies. |
| |
\========== Get a trial version at ===============/

From owner-firewalls-outgoing Tue Apr 1 04:51:32 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA14421 for firewalls-outgoing; Tue, 1 Apr 1997 04:36:13 -0800 (PST)
Received: from cissco.hq.caci.com (cissco.hq.caci.com [204.177.212.111]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id EAA14414 for ; Tue, 1 Apr 1997 04:36:08 -0800 (PST)
Received: by cissco.hq.caci.com; id HAA09259; Tue, 1 Apr 1997 07:38:31 -0500 (EST)
Received: from unknown(198.135.9.87) by cissco.hq.caci.com via smap (V3.1.1) id xma009257; Tue, 1 Apr 97 07:38:26 -0500
Received: by cacimta.hq.caci.com(Lotus SMTP MTA v1.05 (274.9 11-27-1996)) id 8525646C.0045B228 ; Tue, 1 Apr 1997 07:41:15 -0400
X-Lotus-FromDomain: CACI
From: "Ed Martin"
To: FIREWALLS@GreatCircle.COM
Message-ID: <8525646C.004582CF.00@cacimta.hq.caci.com>
Date: Tue, 1 Apr 1997 07:41:20 -0400
Subject: Cisco Enterprise
Mime-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

From: Ed Martin on 04/01/97 07:41 AM

Anyone have any input/feedback on the overall security of using a Cisco 2500 series router loaded with the Enterprise package as a firewall between internet and internal network?
Ed Martin
emartin@hq.caci.com

From owner-firewalls-outgoing Tue Apr 1 05:07:42 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA14493 for firewalls-outgoing; Tue, 1 Apr 1997 04:38:38 -0800 (PST)
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id EAA14486 for ; Tue, 1 Apr 1997 04:38:32 -0800 (PST)
Message-Id: <199704011238.EAA14486@honor.greatcircle.com>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA233638035; Tue, 1 Apr 1997 22:33:55 +1000
From: Darren Reed
Subject: Re: PC based network analyzer
To: lists@reflections.eng.mindspring.net (Todd Graham Lewis)
Date: Tue, 1 Apr 1997 22:33:55 +1000 (EST)
Cc: sunwei@sea.net.edu.cn, Firewalls@GreatCircle.COM
In-Reply-To: from "Todd Graham Lewis" at Apr 1, 97 04:18:43 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In some mail from Todd Graham Lewis, sie said:
>
> On Tue, 1 Apr 1997, Sun Wei wrote:
>
> > Does anyone know if there is a kind of PC based network packet analyzer?
>
> Yes; tcpdump. It runs on a number of PC os'es, including Linux, the
> BSD's, and potentially NT, although I'm not sure about the last.

On NT, look for "netmon" - a superb packet analyzer! Someone should port it to Unix.
From owner-firewalls-outgoing Tue Apr 1 05:21:38 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA15770 for firewalls-outgoing; Tue, 1 Apr 1997 05:17:52 -0800 (PST)
Received: from relay.hq.tis.com (relay.hq.tis.com [192.94.214.100]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id FAA15763 for ; Tue, 1 Apr 1997 05:17:47 -0800 (PST)
Received: by relay.hq.tis.com; id IAA29623; Tue, 1 Apr 1997 08:14:51 -0500 (EST)
Received: from clipper.hq.tis.com(10.33.1.2) by relay.hq.tis.com via smap (3.2) id xma029612; Tue, 1 Apr 97 08:14:33 -0500
Received: from gildor.hq.tis.com (gildor.hq.tis.com [10.33.80.10]) by clipper.hq.tis.com (8.7.5/8.7.3) with SMTP id IAA10042; Tue, 1 Apr 1997 08:17:49 -0500 (EST)
Message-Id: <3.0.1.32.19970401081629.006f5e64@pop.hq.tis.com>
X-Sender: avolio@pop.hq.tis.com
X-Mailer: Windows Eudora Pro Version 3.0.1 (32)
Date: Tue, 01 Apr 1997 08:16:29 -0500
To: allan@bellsouth.net, firewalls@greatcircle.com
From: Frederick M Avolio
Subject: Re: Firewall export license
In-Reply-To: <333FFD59.1AB1@bellsouth.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Allan,

It depends on the firewall and the company. Gauntlet firewalls may be exported with 56bit DES (with or without key recovery technology) and with triple DES (with key recovery). We may be the only firewall vendor able to do this currently. See www.tis.com for details.

f

At 10:52 AM 3/31/97 -0800, Allan Chong wrote:
>How hard is it to get a DES encryption export license for a
>firewall? I've got a financial services firm that wants
>encryption between their location here in the US and Israel.
---
(voice) +1 301-854-5749; (fax) +1 301-854-5363
Web site: http://www.tis.com/
PGP Key: http://www.tis.com/docs/corporate/fredpgp.html
PGP Key fingerprint =37 6B 35 BB B2 07 BE B7 D5 47 C3 30 4E 39 A2 EE

From owner-firewalls-outgoing Tue Apr 1 05:47:45 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA15936 for firewalls-outgoing; Tue, 1 Apr 1997 05:24:33 -0800 (PST)
Received: from panix2.panix.com (panix2.panix.com [198.7.0.3]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id FAA15928 for ; Tue, 1 Apr 1997 05:24:28 -0800 (PST)
Received: (from guy@localhost) by panix2.panix.com (8.8.5/8.7/PanixU1.3) id IAA27792; Tue, 1 Apr 1997 08:25:22 -0500 (EST)
Date: Tue, 1 Apr 1997 08:25:22 -0500 (EST)
From: Information Security
Message-Id: <199704011325.IAA27792@panix2.panix.com>
To: firewalls@GreatCircle.COM
Subject: Re: email monitoring
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> --- On Fri, 28 Mar 1997 00:25:22 -0500 (EST) Information Security wrote:
>
> >Still posting to comp.security.firewalls...
> >
> >I'm up through the five month statistics on what was caught
> >outbound via the firewall...over 400,000 lines of proprietary
> >source code for one thing.
>
> -----------------End of Original Message-----------------
>
> Hi,
> Why not just put in some email monitoring software and block
> messages which do not fit the company policies?
> /Ziv

How would you programmatically block (or not block) an arbitrary email?

----

I'm through a number of different categories of security incidents, such as

 o people working on their own jobs while within the firm
 o Dumb-and-Dumber
 o last week on the job
 o people just trying to do work (ex: mailing code to a vendor)

If it's scrolled out of your local ISP, try www.dejanews.com.

Usenet group 'comp.security.firewalls', subject "Corruption at Salomon Brothers". Installments "Serial #0" through #12 have been posted.
---guy

From owner-firewalls-outgoing Tue Apr 1 05:54:27 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA16326 for firewalls-outgoing; Tue, 1 Apr 1997 05:36:12 -0800 (PST)
Received: from scribe.cc.purdue.edu (scribe.cc.purdue.edu [128.210.11.6]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id FAA16318 for ; Tue, 1 Apr 1997 05:36:07 -0800 (PST)
Received: from ia01.freh.purdue.edu by scribe.cc.purdue.edu; Tue, 1 Apr 97 08:36:39 -0500
Comments: Authenticated sender is
From: "Michael S Hines"
Organization: Purdue University
To: Firewalls@GreatCircle.COM
Date: Tue, 1 Apr 1997 08:39:28 -0500
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: PC based network analyzer
Reply-to: mshines@purdue.edu
X-mailer: Pegasus Mail for Win32 (v2.42)
Message-Id: <33410f672348002@scribe.cc.purdue.edu>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

WinNT Server comes with a network analyzer tool which will catch and log packets for you.

-----------------------------------------------------------------
Internet: mshines@purdue.edu * Michael S. Hines, CDP, CFE
Voice: (765) 494-5845 * Sr. Information Systems Auditor
FAX: (765) 496-1814 * Purdue University
* 1065 Freehafer Hall
* West Lafayette, IN 47907-1065

From owner-firewalls-outgoing Tue Apr 1 06:24:18 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA19531 for firewalls-outgoing; Tue, 1 Apr 1997 06:10:11 -0800 (PST)
Received: from ferc1.ferc.fed.us (ferc1.ferc.fed.us [199.75.48.241]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id GAA19524 for ; Tue, 1 Apr 1997 06:10:05 -0800 (PST)
Received: from mjycdsi ([205.130.8.15]) by ferc1.ferc.fed.us (8.6.9/8.6.9) with SMTP id QAA27541 for ; Tue, 1 Apr 1997 16:39:26 -0500
Message-ID: <33411719.AE2@ferc.fed.us>
Date: Tue, 01 Apr 1997 09:09:29 -0500
From: michael yelland
Reply-To: myelland@ferc.fed.us
Organization: FERC
X-Mailer: Mozilla 3.0 (WinNT; I)
MIME-Version: 1.0
To: Firewalls@GreatCircle.COM
Subject: Eagle NT 4.0 & DNS
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We have Eagle NT 4.0, and Linux DNS. Linux lives on the inside. We want it to serve our domain - as it has. We want to set up Eagle's DNSd so it forwards requests not in our domain to the root servers.

Our Eagle's inside add is 13.230, outside is 12.200 and Linux is 13.243, and we want to point our clients at 13.230, so that we can (slowly) move DNS to Eagle completely. We want 13.230 to send requests for _our_ domain to 13.243 and for any other to the root.

I've got a 'forwarders 13.230' and 'slave' statement in named.boot on Linux, and...but it doesn't work yet. If I point clients to 13.243 all is fine (inside)...

--
Your packet is important to us...clear the DE bit next time...
From owner-firewalls-outgoing Tue Apr 1 06:52:55 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA27061 for firewalls-outgoing; Tue, 1 Apr 1997 06:47:45 -0800 (PST) Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id GAA26753 for ; Tue, 1 Apr 1997 06:46:31 -0800 (PST) Received: from portal.east.saic.com (portal.east.saic.com [198.151.13.15]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with SMTP id GAA00168 for ; Tue, 1 Apr 1997 06:30:18 -0800 (PST) Received: from blazer.cist.saic.com ([149.8.156.11]) by portal.east.saic.com via smtpd (for miles.greatcircle.com [198.102.244.34]) with SMTP; 1 Apr 1997 14:30:35 UT Received: from obiwan.cist.saic.com (unverified [149.8.156.16]) by blazer.cist.saic.com (EMWAC SMTPRS 0.83) with SMTP id ; Tue, 01 Apr 1997 09:31:42 -0500 Message-ID: From: "Chris Kostick" To: "Neale Banks" Cc: Subject: Re: Getting DNS through a firewall. Date: Tue, 1 Apr 1997 09:27:52 -0500 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1155 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > I would suggest to run your own dns slave server on the firewall instead of > > unsafely passing DNS Packets. > > Does this not raise a quandary: if it is unsafe to pass DNS packets through > the firewall, then how is it safe to pass them to a dns slave server on > the firewall? > > Or, is it assumed that one will run a "safe" dns slave on the firewall? Refresh my memory. What's so unsafe about DNS, or more specifically, the BIND code that most people use? I think what the poster was suggesting is that an external (i.e. slave server) and internal DNS server be run. Outside access would only have minimal information available to them. 
This, as opposed to the original question of just getting DNS through the firewall to the only DNS server (TCP and UDP), and having all information available about the internal network. -- chris From owner-firewalls-outgoing Tue Apr 1 07:06:50 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA24535 for firewalls-outgoing; Tue, 1 Apr 1997 06:37:02 -0800 (PST) Received: from prometheus.advstaff.com (advstaff.com [205.136.148.15]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id GAA24508 for ; Tue, 1 Apr 1997 06:36:55 -0800 (PST) From: mgetter@advstaff.com Received: by prometheus.advstaff.com; id JAA12655; Tue, 1 Apr 1997 09:24:57 -0500 (EST) Received: from art-ntsrv01.advstaff.com(192.168.100.15) by prometheus.advstaff.com via smap (3.2) id xma012653; Tue, 1 Apr 97 09:24:27 -0500 Received: by art-ntsrv01.advstaff.com(Lotus SMTP MTA v1.05 (274.9 11-27-1996)) id 8525646C.00503116 ; Tue, 1 Apr 1997 09:35:54 -0400 X-Lotus-FromDomain: ADVANTAGE To: firewalls@greatcircle.com Message-ID: <8525646C.00501F08.00@art-ntsrv01.advstaff.com> Date: Tue, 1 Apr 1997 09:35:52 -0400 Subject: procmail Mime-Version: 1.0 Content-type: text/plain; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Is it possible to utilize a utility such as Procmail to filter messages passing through a Gauntlet Firewall? 
From owner-firewalls-outgoing Tue Apr 1 07:22:00 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA25982 for firewalls-outgoing; Tue, 1 Apr 1997 06:42:31 -0800 (PST) Received: from mercury.csc.com (mercury.csc.com [20.1.20.110]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id GAA25951 for ; Tue, 1 Apr 1997 06:42:22 -0800 (PST) Received: from relay.ashton.csc.com(really [20.2.54.2]) by mercury.csc.com via smtpd with esmtp id for ; Tue, 1 Apr 1997 09:42:13 -0500 (EST) (Smail-3.2.0.91 1997-Jan-14 #7 built 1997-Feb-26) Received: by relay.ashton.csc.com; id JAA25288; Tue, 1 Apr 1997 09:43:38 -0500 Received: from jkerr2.sed.csc.com(20.2.53.152) by relay.ashton.csc.com via smap (g3.0.1) id sma025286; Tue, 1 Apr 97 09:43:15 -0500 Message-ID: <33411F64.6ACB@csc.com> Date: Tue, 01 Apr 1997 09:44:52 -0500 From: John Kerr Reply-To: jkerr2@csc.com Organization: Computer Sciences Corporation X-Mailer: Mozilla 3.0 (Win95; I) MIME-Version: 1.0 To: firewalls@greatcircle.com Subject: Firewall Architecture for Web, Database Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk A customer of ours has asked about setting up a security architecture with the Firewall being the main focus. They would like to allow access into their Database inside of the Firewall opposed to having a Database Server that would sit outside the Firewall. They seem to be okay with having a Web server sitting outside the Firewall, so I don't see that as a problem. The problem that they are trying to avoid is having to copy or replicate the data to the Database Server (too time consuming). What are the dangers with adding a third interface to the Firewall and putting the Database on a separate DMZ? 
It would look like this: Internet | | ---------- --------- | -Database- - Web - | ---------- --------- --------- | | - FW ------------------------------ --------- | | | Internal Network Rules would be put on the firewall to only allow external access from the internet to the DMZ. We would not allow any access from the DMZ into the internal Network. Any suggestions would be appreciated. Thanks John From owner-firewalls-outgoing Tue Apr 1 08:23:50 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA06030 for firewalls-outgoing; Tue, 1 Apr 1997 08:13:11 -0800 (PST) Received: from gateway2.ey.com (gateway2.ey.com [199.50.26.3]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id IAA05976 for ; Tue, 1 Apr 1997 08:12:43 -0800 (PST) From: CHRIS.NICHOLS@EY.COM Received: by gateway2.ey.com id AA14602 (InterLock SMTP Gateway 3.0 for firewalls@greatcircle.com); Tue, 1 Apr 1997 11:13:17 -0500 Received: by gateway2.ey.com (Protected-side Proxy Mail Agent-2); Tue, 1 Apr 1997 11:13:17 -0500 Received: by gateway2.ey.com (Protected-side Proxy Mail Agent-1); Tue, 1 Apr 1997 11:13:17 -0500 To: " - (052)firewalls (a) greatcircle.com" Subject: sudo Message-Id: <0014500003650391000002L012*@MHS> Date: Tue, 1 Apr 1997 11:10:36 -0500 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Who makes a commercial version of sudo? 
Chris chris.nichols@ey.com From owner-firewalls-outgoing Tue Apr 1 08:36:55 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA04167 for firewalls-outgoing; Tue, 1 Apr 1997 07:51:29 -0800 (PST) Received: from hydra.prenhall.com (hydra.PRENHALL.COM [192.251.132.3]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id HAA04159 for ; Tue, 1 Apr 1997 07:51:24 -0800 (PST) From: Laura_Bohde@prenhall.com Received: from ccgate2.prenhall.com ([168.146.69.61]) by hydra.prenhall.com (4.1/SMI-4.1) id AA08119; Tue, 1 Apr 97 10:52:23 EST Received: from ccMail by ccgate2.prenhall.com (IMA Internet Exchange 2.02 Enterprise) id 3412F9D1; Tue, 1 Apr 97 10:54:05 -0500 Date: Tue, 1 Apr 1997 10:47:30 -0500 Message-Id: <3412F9D1.@prenhall.com> Subject: Re: RealAudio To: , mmozes@fujitsu.ca Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Multiple ports ! That's the problem - and the sessions are established from the outside RealAudio servers, to your inside clients. (Someone correct me if I'm wrong. This is what I remember from my testing about a year ago.) There is a defined range of ports however, 6090 through 7010 rings a bell. The Eagle Raptor firewall software supplies a proxy for it and I believe other vendors were building theirs as well. Hope this helps - ______________________________ Reply Separator _________________________________ Subject: RealAudio Author: mmozes@fujitsu.ca at INTERNET-PUB Date: 3/31/97 10:36 AM Does anyone know the port number for RealAudio? 
Thanks, From owner-firewalls-outgoing Tue Apr 1 08:38:21 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA05186 for firewalls-outgoing; Tue, 1 Apr 1997 08:01:51 -0800 (PST) Received: from hq.idt.net (hq.idt.net [169.132.12.10]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id IAA05171 for ; Tue, 1 Apr 1997 08:01:43 -0800 (PST) Received: from hq.idt.net (hq.idt.net [169.132.12.10]) by hq.idt.net (8.8.5/NETSYS-LEN) with SMTP id LAA16649; Tue, 1 Apr 1997 11:02:03 -0500 (EST) Date: Tue, 1 Apr 1997 11:02:03 -0500 (EST) From: Parthiv Shah X-Sender: parthiv@hq.idt.net To: mgetter@advstaff.com cc: firewalls@GreatCircle.COM Subject: Re: procmail In-Reply-To: <8525646C.00501F08.00@art-ntsrv01.advstaff.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk setup your .forward as "|IFS=' '&&exec /opt/local/bin/procmail -f-||exit 75 #username" where /opt/local/bin/procmail is your procmail path and #username would be your username, for you it would be #mgetter setup .procmailrc with :0 * ^From +firewalls@GreatCircle.COM firewalls This will put any mail coming from firewalls mailing list to the folder firewalls. or even better if you want to do via subject :0 * ^From +firewalls@GreatCircle.COM * ^Subject:.*route firewalls-route etc.. I hope this helps. see procmail(1) for more details or if you have more questions regarding procmail you can subscribe to the mailinglist procmail@informatik.rwth-aachen.de send an E-mail to procmail-request@informatik.rwth-aachen.de for subscription request. 
Parthiv -- Parthiv Shah (201) 928 - 4414 Work: parthiv@corp.idt.net http://www.idt.net Personal: parthiv@netadmin.net http://www.netadmin.net On Tue, 1 Apr 1997 mgetter@advstaff.com wrote: > Date: Tue, 1 Apr 1997 09:35:52 -0400 > From: mgetter@advstaff.com > To: firewalls@GreatCircle.COM > Subject: procmail > > > > > > Is it possible to utilize a utility such as Procmail to filter messages > passing through a Gauntlet Firewall? > > From owner-firewalls-outgoing Tue Apr 1 08:44:24 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA03829 for firewalls-outgoing; Tue, 1 Apr 1997 07:48:24 -0800 (PST) Received: from diablo.cisco.com (diablo.cisco.com [171.68.223.106]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id HAA03791 for ; Tue, 1 Apr 1997 07:48:15 -0800 (PST) Received: from clonvick-pc.cisco.com (sj-dial-3-19.cisco.com [171.68.179.20]) by diablo.cisco.com (8.8.5/CISCO.SERVER.1.2) with SMTP id HAA22095; Tue, 1 Apr 1997 07:48:09 -0800 (PST) Message-Id: <2.2.32.19970401154329.00725218@diablo.cisco.com> X-Sender: clonvick@diablo.cisco.com X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 01 Apr 1997 09:43:29 -0600 To: Information Security , firewalls@GreatCircle.COM From: Chris Lonvick Subject: Re: email monitoring Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello Guy, There appears to be a new creature on the block. It's called an email guard but sounds like a bear. http://www.nsa.gov:8080/programs/missi/cat_fg.html and as a specific example http://www.nsa.gov:8080/programs/missi/scc_sns.html I'm especially impressed with the dirty-word search filter feature ;-) I bet that the use of this in a commercial environment would bring up a lot of social issues about email privacy, etc. I'd say that with today's technology, guards like these can only perform keyword searches when trying to perform policy enforcement. 
However, I bet that there's some development going on somewhere to view the content. Probably, with some ingenuity, you could at least get the Microsoft Word viewer to pass judgement on each of the outgoing emails so that they meet, or exceed an 8th grade writing level. If everyone would enforce that policy, that would certainly cut down on the amount of junk emails that I receive :-) or, at least I'd be able to understand some of the rants a little better. Hope this helps, Chris Lonvick Cisco Systems Consulting Engineering Houston, TX, USA +1..713.778.5663 At 08:25 AM 4/1/97 -0500, Information Security wrote: > > --- On Fri, 28 Mar 1997 00:25:22 -0500 (EST) Information Security wrote: > > > > >Still posting to comp.security.firewalls... > > > > > >I'm up through the five month statistics on what was caught > > >outbound via the firewall...over 400,000 lines of proprietary > > >source code for one thing. > > > > -----------------End of Original Message----------------- > > > > Hi, > > Why not just putting some email monitoring software and block > > messages which do not fit the company policies ? > > /Ziv > >How would you programmatically block (or not block) an arbitrary email? > >---- > >I'm through a number of different categories of security incidents, >such as > > o people working on their own jobs while within the firm > o Dumb-and-Dumber > o last week on the job > o people just trying to do work (ex: mailing code to a vendor) > >If it's scrolled out of your local ISP, try www.dejanews.com. >Usenet group 'comp.security.firewalls', >subject "Corruption at Salomon Brothers'. > >Installments "Serial #0" through #12 have been posted. 
>---guy > > From owner-firewalls-outgoing Tue Apr 1 09:07:38 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA06220 for firewalls-outgoing; Tue, 1 Apr 1997 08:16:10 -0800 (PST) Received: from webhost.tcg.com (mx0.tcg.com [198.177.228.50]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id IAA06197 for ; Tue, 1 Apr 1997 08:15:54 -0800 (PST) Received: from duraflame.tcg.com (duraflame [192.9.200.109]) by webhost.tcg.com (8.8.4/8.8.4) with ESMTP id LAA10594 for ; Tue, 1 Apr 1997 11:16:55 -0500 (EST) Received: from em1.est.tcg.com (em1 [192.9.200.230]) by duraflame.tcg.com (8.8.4/8.8.4) with SMTP id LAA03659 for ; Tue, 1 Apr 1997 11:15:50 -0500 (EST) Received: from tcg.com by em1.est.tcg.com (5.x/SMI-SVR4) id AA21819; Tue, 1 Apr 1997 11:18:51 -0500 Received: from TCGOGW-Message_Server by tcg.com with Novell_GroupWise; Tue, 01 Apr 1997 11:18:51 -0500 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Tue, 01 Apr 1997 11:18:19 -0500 From: James Pizzirusso To: Firewalls@GreatCircle.COM Subject: Firewalls-Digest V6 #134 -Reply Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In the future, can you please send all E-mail correspondence directly to my account at CERFNet (jimp@cerf.net). To send this from Groupwise you need to send it in the following manner; TO: Internet("jimp@cerf.net") Also, the TCG Groupwise Mailgateway is not MIME compliant so I am not able to receive mail attachments. The best method to overcome this problem is to cut and paste your attached files into a mail note. 
Thanks, Jim Pizzirusso From owner-firewalls-outgoing Tue Apr 1 09:19:13 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA06403 for firewalls-outgoing; Tue, 1 Apr 1997 08:19:09 -0800 (PST) Received: from netq.lanoptics.co.il ([194.90.121.37]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id IAA06384 for ; Tue, 1 Apr 1997 08:19:01 -0800 (PST) Received: from roby-nt ([194.90.121.35]) by netq.lanoptics.co.il (Netscape Mail Server v2.0) with ESMTP id AAA43; Tue, 1 Apr 1997 17:16:19 +0200 Message-ID: <334127D0.5FDF@netvision.net.il> Date: Tue, 01 Apr 1997 18:20:48 +0300 From: Roby Roth Reply-To: robyr@netvision.net.il X-Mailer: Mozilla 4.0b2 (WinNT; I) MIME-Version: 1.0 To: sunwei@sea.net.edu.cn CC: Firewalls@GreatCircle.COM Subject: Re: PC based network analyzer X-Priority: 3 (Normal) References: <199703290900.BAA16076@honor.greatcircle.com> <33417F81.317E@sea.net.edu.cn> Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Sun Wei wrote: > > Hi, > > Does anyone know if there is a kind of PC based network packet analyzer? > > TIA, > > Wei > Well, it also depends on your OS (and your budget). For DOS, Win3.x I would recommend Novell LANalyzer (~1200 USD). For WinNT, Win95 NetXray from Cinco Net. (~1900 USD). You can download a free demo from their site but it will only record 5 packets. You could find even this pretty good, provided you set up your filters accordingly. regards -- Roby Roth Home |Office ========================+==================================== 1/4 Vitkin St |LanOptics Building, P.O.B. 
184 Migdal HaEmek 34756 Haifa |10551 Ramat Gabriel Industrial Park, ISRAEL +972-4-8254825 |Phone:+972-6-6449913, Fax:+972-6-6540124 E-mail: | robyr@netvision.net.il, |roby@netq.lanoptics.co.il ============================================================= From owner-firewalls-outgoing Tue Apr 1 09:27:44 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA08875 for firewalls-outgoing; Tue, 1 Apr 1997 08:43:02 -0800 (PST) Received: from web1.zzz.com (web1.zzz.com [205.238.3.50]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id IAA08858 for ; Tue, 1 Apr 1997 08:42:54 -0800 (PST) Received: from edsawick ([205.238.5.69]) by web1.zzz.com (8.7.4/8.7.3) with ESMTP id IAA27576; Tue, 1 Apr 1997 08:41:31 -0800 (PST) Message-Id: <199704011641.IAA27576@web1.zzz.com> Reply-To: From: "Ed Sawicki" To: "Darren Reed" , "Todd Graham Lewis" Cc: , Subject: Re: PC based network analyzer Date: Tue, 1 Apr 1997 08:41:27 -0800 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1160 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > From: Darren Reed > To: Todd Graham Lewis > Cc: sunwei@sea.net.edu.cn; Firewalls@GreatCircle.COM > Subject: Re: PC based network analyzer > Date: Tuesday, April 01, 1997 4:33 AM > > In some mail from Todd Graham Lewis, sie said: > > > > On Tue, 1 Apr 1997, Sun Wei wrote: > > > > > Does anyone know if there is a kind of PC based network packet analyzer? > On NT, look for "netmon" - a superb packet analyzer! Someone should port > it to Unix. Where can I get a copy of netmon? 
From owner-firewalls-outgoing Tue Apr 1 09:56:20 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA20165 for firewalls-outgoing; Tue, 1 Apr 1997 09:48:44 -0800 (PST) Received: from zippy.radian.com (zippy.radian.com [129.160.16.4]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id JAA19877 for ; Tue, 1 Apr 1997 09:47:34 -0800 (PST) Received: from yakko.radian.com (yakko.radian.com [129.160.224.1]) by zippy.radian.com (8.8.5/8.8.5) with SMTP id LAA25210; Tue, 1 Apr 1997 11:47:07 -0600 (CST) Received: by yakko.radian.com (SMI-8.6/SMI-SVR4) id LAA10706; Tue, 1 Apr 1997 11:47:05 -0600 From: rtwood@radian.com (Ryan Wood) Message-Id: <199704011747.LAA10706@yakko.radian.com> Subject: Re: sudo To: CHRIS.NICHOLS@EY.COM Date: Tue, 1 Apr 1997 11:47:05 -0600 (CST) Cc: firewalls@GreatCircle.com In-Reply-To: <0014500003650391000002L012*@MHS> from "CHRIS.NICHOLS@EY.COM" at Apr 1, 97 11:10:36 am X-Mailer: ELM [version 2.4 PL25] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Previously, CHRIS.NICHOLS@EY.COM wrote: > Who makes a commercial version of sudo? We just received a product called Symark PowerPak v2.2.3. One of the features it has is the ability to grant users root commands, and you can limit the usage to a variety of conditions (machine, time, etc). To get more info, try: Symark Software 5655 Lindero Canyon Road Suite 502 Westlake Village, CA 91362 818.865.6100 800.234.9072 info@symark.com Ryan P.S. I am not affiliated with Symark. +--------------------+----------------------------+---------------------+ | Ryan T. 
Wood | Radian International LLC | All the opinions, | | Scientist | Austin, Texas USA | typos, and errors | | Texas A&M '94 | tel: 512.419.5941 | are my own, not n | | rtwood@radian.com | fax: 512.345.9684 | those of Radian | +--------------------+----------------------------+---------------------+ Important Events: 240 .. days till t.u. gets beat in football by A&M!!!!! From owner-firewalls-outgoing Tue Apr 1 09:56:22 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA03197 for firewalls-outgoing; Tue, 1 Apr 1997 07:43:07 -0800 (PST) Received: from helios.insnet.com (helios.insnet.com [206.54.244.9]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id HAA03169 for ; Tue, 1 Apr 1997 07:42:59 -0800 (PST) Received: from chester.rmsbus.com (max13.insnet.com [206.54.244.136]) by helios.insnet.com (8.8.4/8.7.3) with SMTP id JAA03067; Tue, 1 Apr 1997 09:34:58 -0600 Message-Id: <3.0.1.32.19970401094257.006d2c20@popmail.insnet.com> X-Sender: cm@popmail.insnet.com X-Mailer: Windows Eudora Pro Version 3.0.1 (32) Date: Tue, 01 Apr 1997 09:42:57 +0600 To: support@tis.com From: chris michael Subject: web servers Cc: firewalls@GreatCircle.COM Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Folks, Here's my problem. I have Gauntlet installed with three web servers behind it. The web servers are very light usage/testbeds and the machines they're on are used for other things. It's not practical to move the web servers outside of the firewall and the network behind the firewall has private (non-routable) IP addresses. Is there any way to get to the three different web servers through the firewall? I thought of running a web server on the firewall with an initial page that pointed to the other webservers, but that was rejected by management. If it were just one web server I could just plug port 80. 
If they ran at different ports I could plug different ports--but they don't. I was thinking that perhaps I could assign multiple IP address to the outside interface of the firewall, give the firewall different aliases with different IP addresses and somehow run different instances of plug-gw based on which IP address was connected to. It's the "somehow" part that I'm having trouble with. Any ideas? --- christopher michael*rms business systems* From owner-firewalls-outgoing Tue Apr 1 10:18:44 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA13964 for firewalls-outgoing; Tue, 1 Apr 1997 09:12:10 -0800 (PST) Received: from cidexchange.infosel.com.mx (cidexchange.infosel.com.mx [148.246.8.22]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id JAA13933 for ; Tue, 1 Apr 1997 09:12:02 -0800 (PST) Received: by cidexchange.infosel.com.mx with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BC3E8C.9D1D54E0@cidexchange.infosel.com.mx>; Tue, 1 Apr 1997 11:05:31 -0600 Message-ID: From: =?iso-8859-1?Q?David_Cant=FA_L=F3pez?= To: "'FIREWALLS@GreatCircle.COM'" , "'Ed Martin'" Subject: RE: Cisco Enterprise Date: Tue, 1 Apr 1997 11:07:21 -0600 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >Please see: >Cisco IOS Network Address Translation (NAT) http://www.cisco.com/warp/customer/701/60.html David Cantu InfoSel dcantu@infosel.com.mx >---------- >From: Ed Martin[SMTP:emartin@hq.caci.com] >Sent: Martes 1 de Abril de 1997 5:41 AM >To: FIREWALLS@GreatCircle.COM >Subject: Cisco Enterprise > > > > > >From: Ed Martin on 04/01/97 07:41 AM > >Anyone have any input/feedback on the overall security of using a Cisco >2500 series router loaded with the Enterprise package as a firewall >between internet and internal network? 
> >Ed Martin >emartin@hq.caci.com > > > From owner-firewalls-outgoing Tue Apr 1 11:13:02 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA10941 for firewalls-outgoing; Tue, 1 Apr 1997 08:55:10 -0800 (PST) Received: from ns2.emirates.net.ae (ns2.emirates.net.ae [194.170.1.7]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id IAA10889 for ; Tue, 1 Apr 1997 08:54:54 -0800 (PST) Received: from csl031.emirates.net.ae (csl031.emirates.net.ae [194.170.125.211]) by ns2.emirates.net.ae (SMI-8.6/8.6) with SMTP id UAA00117; Tue, 1 Apr 1997 20:55:05 +0400 Received: by csl031.emirates.net.ae with Microsoft Mail id <01BC3EE0.B44F65F0@csl031.emirates.net.ae>; Tue, 1 Apr 1997 21:07:27 -0000 Message-ID: <01BC3EE0.B44F65F0@csl031.emirates.net.ae> From: GSC Prabhakar To: "'Valery Brasseur'" , "firewalls@GreatCircle.COM" Subject: RE: NT security Date: Tue, 1 Apr 1997 20:26:56 -0000 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk you can find more on NT security at http://www.ntsecurity.com/News/index.html GSC Prabhakar Internet Consultant -----Original Message----- From: Valery Brasseur [SMTP:Valery.Brasseur@sligos.fr] Sent: Tuesday, April 01, 1997 11:13 AM To: firewalls@GreatCircle.COM Subject: NT security Where can I find informations about NT security ? I would like to know what should be done to secure an NT machine connecting to Internet... is there any tools or well known bug who should be tested ? 
Thanks +----------------------------------------------------------------------+ | Valery Brasseur | | SLIGOS-MARBEN/FAS3 - Arobasse | | 1, avenue Newton BP107 92142 CLAMART CEDEX FRANCE | | Phone (33) 1 41 28 40 89 Fax : (33) 1 41 28 46 59 | | email : Valery.Brasseur@arobasse.sligos.fr | +----------------------------------------------------------------------+ From owner-firewalls-outgoing Tue Apr 1 11:38:40 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA20674 for firewalls-outgoing; Tue, 1 Apr 1997 09:55:10 -0800 (PST) Received: from ns1.aplatform.com (ns1.aplatform.com [204.29.139.2]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id JAA20633 for ; Tue, 1 Apr 1997 09:54:59 -0800 (PST) Received: from grant.aplatform.com (grant.aplatform.com [204.29.139.82]) by ns1.aplatform.com (8.8.5/8.8.5) with SMTP id JAA14389 for ; Tue, 1 Apr 1997 09:55:29 -0800 Message-Id: <3.0.32.19970401095451.006bf384@mail.aplatform.com> X-Sender: grant@mail.aplatform.com X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Tue, 01 Apr 1997 09:54:53 -0800 To: firewalls@greatcircle.com From: "Gail L. Grant" Subject: SSL and Firewall Survey for Lynx users Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I've been using illegal HTML for years, :) but lynx complains (BAD HTML!), being much more of a purist browser, so I've created a special version of the survey for those of you with lynx or other browsers that didn't like my form: http://www.glgc.com/fw-lynx.html Thanks to Bennett Todd for finding the problem. Regards, g. -- Gail L. 
Grant GLG Consulting http://www.glgc.com grant@glgc.com 415-324-3822 From owner-firewalls-outgoing Tue Apr 1 11:55:08 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA28719 for firewalls-outgoing; Tue, 1 Apr 1997 10:39:26 -0800 (PST) Received: from pino.demon.nl (pino.demon.nl [194.159.226.41]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id KAA28434 for ; Tue, 1 Apr 1997 10:38:36 -0800 (PST) Received: from localhost (arjan@localhost) by pino.demon.nl (8.8.4/8.8.4) with SMTP id TAA02804; Tue, 1 Apr 1997 19:38:15 +0200 Date: Tue, 1 Apr 1997 19:38:14 +0200 (MET DST) From: Arjan Vos To: mgetter@advstaff.com cc: firewalls@greatcircle.com Subject: Re: procmail In-Reply-To: <8525646C.00501F08.00@art-ntsrv01.advstaff.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Tue, 1 Apr 1997 mgetter@advstaff.com wrote: > > > > > Is it possible to utilize a utility such as Procmail to filter messages > passing through a Gauntlet Firewall? > > I'm not quite sure what you mean by that. If you mean that procmail is used for security-based filtering I would say no. If procmail is used to filter messages which have passed through the firewall (smap), then I would say yes. But procmail only filters on a per-user basis AFAIK. 
Arjan Vos -- Eat hard Sleep hard Wear glasses if you need them From owner-firewalls-outgoing Tue Apr 1 12:35:33 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA26701 for firewalls-outgoing; Tue, 1 Apr 1997 10:31:41 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id KAA26611 for ; Tue, 1 Apr 1997 10:31:21 -0800 (PST) Received: from scribe.cc.purdue.edu by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-961106) id KAA15593; Tue, 1 Apr 1997 10:29:48 -0800 (PST) Received: from ia01.freh.purdue.edu by scribe.cc.purdue.edu; Tue, 1 Apr 97 13:31:19 -0500 Comments: Authenticated sender is From: "Michael S Hines" Organization: Purdue University To: Firewalls@GreatCircle.COM Date: Tue, 1 Apr 1997 13:34:07 -0500 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Re: PC based network analyzer Reply-to: mshines@purdue.edu X-mailer: Pegasus Mail for Win32 (v2.42) Message-Id: <334154777228002@scribe.cc.purdue.edu> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Where can I get a copy of netmon? Buy Windows NT Server 4.0..... it's part of the standard distribution. ----------------------------------------------------------------- Internet: mshines@purdue.edu * Michael S. Hines, CDP, CFE Voice: (765) 494-5845 * Sr. 
Information Systems Auditor FAX: (765) 496-1814 * Purdue University * 1065 Freehafer Hall * West Lafayette, IN 47907-1065 From owner-firewalls-outgoing Tue Apr 1 12:53:24 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA20695 for firewalls-outgoing; Tue, 1 Apr 1997 09:55:25 -0800 (PST) Received: from lexicon.ins.com (lexicon.ins.com [199.0.193.11]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id JAA20688 for ; Tue, 1 Apr 1997 09:55:18 -0800 (PST) Received: from beethoven.ins.com (dyn-max14-186.chicago.il.ameritech.net [206.141.214.186]) by lexicon.ins.com (8.7.5/8.7.3) with SMTP id JAA02131; Tue, 1 Apr 1997 09:54:05 -0800 (PST) Message-Id: <3.0.32.19970401115339.0075f77c@lexicon.ins.com> X-Sender: daughe_b@lexicon.ins.com X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Tue, 01 Apr 1997 11:53:46 -0600 To: , "Darren Reed" , "Todd Graham Lewis" From: Brad Daugherty Subject: Re: PC based network analyzer Cc: , Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >> On NT, look for "netmon" - a superb packet analyzer! Someone should port >> it to Unix. > >Where can I get a copy of netmon? Another great package is Shomiti's Lan Analyzer for $999 (Windows 95/NT based). You can get a 15 day trial copy at http://www.shomiti.com. If you need an extension you can call Shomiti tech support and they will email you another 15 day unlock code. 
Good luck, Brad Providing The Power Of Operable Networks (http://www.ins.com) Brad Daugherty - Associate Network Systems Engineer PHONE:(630)942-5770 PAGER:(800)467-1467 Lifetime: (mailto:bsd@pobox.com) (http://www.pobox.com/~bsd) From owner-firewalls-outgoing Tue Apr 1 12:59:45 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA10100 for firewalls-outgoing; Tue, 1 Apr 1997 11:37:53 -0800 (PST) Received: from threewiz.demon.co.uk (threewiz.demon.co.uk [158.152.116.88]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id LAA10076 for ; Tue, 1 Apr 1997 11:37:43 -0800 (PST) Received: from monaco (unverified [196.14.41.3]) by monaco.kimble.co.uk (EMWAC SMTPRS 0.83) with SMTP id ; Tue, 01 Apr 1997 20:02:46 +0100 Message-ID: From: "David Harvey-George" To: , "Valery Brasseur" Subject: Re: NT security Date: Tue, 1 Apr 1997 20:02:45 +0100 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1155 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk ISS seems quite good (http://www.iss.com/) but doesn't include a lot of the recent NT holes. You could check out http://www.ntsecurity.net and http://www.ntsecurity.com (two different sites). regards, David ---------- > From: Valery Brasseur > > Where can I find informations about NT security ? I would like to know > what should be done to secure an NT machine connecting to Internet... is there > any tools or well known bug who should be tested ? 
From owner-firewalls-outgoing Tue Apr 1 13:16:24 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA09818 for firewalls-outgoing; Tue, 1 Apr 1997 11:35:58 -0800 (PST) Received: from igate2.pabs.com (igate2.pabs.com [38.246.96.3]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id LAA06477 for ; Tue, 1 Apr 1997 11:10:27 -0800 (PST) Received: from igate2.pabs.com (root@localhost) by igate2.pabs.com (8.7.5/8.7.3) with ESMTP id OAA24462 for ; Tue, 1 Apr 1997 14:15:18 -0500 (EST) Received: from richey.pabs.com (richey.pabs.com [157.154.1.136]) by igate2.pabs.com (8.7.5/8.7.3) with ESMTP id OAA24453 for ; Tue, 1 Apr 1997 14:15:17 -0500 (EST) Received: from richey (richey@richey.pabs.com [157.154.1.136]) by richey.pabs.com (8.8.5/8.8.5) with SMTP id OAA25449; Tue, 1 Apr 1997 14:14:07 -0500 Message-ID: <33415E7E.C26F1E1@highmark.com> Date: Tue, 01 Apr 1997 14:14:06 -0500 From: Jim Richey X-Mailer: Mozilla 3.01Gold (X11; I; Linux 2.0.25 i586) MIME-Version: 1.0 To: Laura_Bohde@prenhall.com CC: firewalls@GreatCircle.COM, mmozes@fujitsu.ca Subject: Re: RealAudio References: <3412F9D1.@prenhall.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk RealAudio can be set to use only TCP on port 7070. Laura_Bohde@prenhall.com wrote: > > > Multiple ports ! That's the problem - and the sessions > are established from the outside RealAudio servers, to > your inside clients. (Someone correct me if I'm wrong. > This is what I remember from my testing about a year > ago.) There is a defined range of ports however, 6090 > through 7010 rings a bell. The Eagle Raptor firewall > software supplies a proxy for it and I believe other > vendors were building theirs as well. 
> > Hope this helps - > > ______________________________ Reply Separator _________________________________ > Subject: RealAudio > Author: mmozes@fujitsu.ca at INTERNET-PUB > Date: 3/31/97 10:36 AM > > > Does anyone know the port number for RealAudio? > > Thanks, -- Jim Richey jrichey@highmark.com Highmark Inc. http://www.highmark.com From owner-firewalls-outgoing Tue Apr 1 13:28:48 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA07525 for firewalls-outgoing; Tue, 1 Apr 1997 11:18:12 -0800 (PST) Received: from intermec.com (gw.intermec.com [204.57.247.200]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id LAA07497 for ; Tue, 1 Apr 1997 11:18:05 -0800 (PST) Received: by intermec.com (4.1/3.1.090690-) id AA09725; Tue, 1 Apr 97 11:18:37 PST Received: from unknown(192.9.210.110) by gw.intermec.com via smap (V1.3) id sma009685; Tue Apr 1 11:18:27 1997 Received: from intermec.com by intermec.com with smtp (Smail3.1.27.1 #4) id m0wC93G-000x2FC; Tue, 1 Apr 97 11:17 GMT-0:41 Received: by intermec.com (5.x/SMI-SVR4) id AA00517; Tue, 1 Apr 1997 11:16:33 -0800 Date: Tue, 1 Apr 1997 11:16:33 -0800 From: kkost@intermec.com (Kathy Kost) Message-Id: <9704011916.AA00517@intermec.com> To: firewalls@greatcircle.com Subject: combo internal/external web servers Sender: firewalls-owner@GreatCircle.COM Precedence: bulk A company I'm doing some work for is trying to decide on having separate internal and external web servers or having them both on one machine, with some proxy or firewall software keeping them separate. I have only implemented them separately. What is the current feeling on this these days? Is it possible to have them both co-exist on the same box without risking the internal web site? Any suggestions as to the best security software to use (public domain or not)? Or pointers to reference information on the subject? 
Thanks a bunch, Kathy Kost kkost@intermec.com or kathyk@wolfenet.com From owner-firewalls-outgoing Tue Apr 1 13:36:48 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA14159 for firewalls-outgoing; Tue, 1 Apr 1997 12:02:29 -0800 (PST) Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id MAA14130 for ; Tue, 1 Apr 1997 12:02:21 -0800 (PST) From: gordonp.atc@gao.gov Received: from viper.gao.gov (viper.gao.gov [161.203.16.1]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with ESMTP id MAA05400 for ; Tue, 1 Apr 1997 12:03:57 -0800 (PST) Received: from viper.gao.gov (root@localhost) by viper.gao.gov (8.7.5/8.7.3) with ESMTP id OAA20808; Tue, 1 Apr 1997 14:52:17 -0500 (EST) Received: from mailgateway.gao.gov (mailgateway.gao.gov [161.203.15.2]) by viper.gao.gov (8.7.5/8.7.3) with SMTP id OAA20789; Tue, 1 Apr 1997 14:52:13 -0500 (EST) Received: from ccMail by mailgateway.gao.gov (SMTPLINK V2.10.04o) id AA859935419; Tue, 01 Apr 97 14:41:10 EST Date: Tue, 01 Apr 97 14:41:10 EST Message-Id: <9703018599.AA859935419@mailgateway.gao.gov> To: support@tis.com, chris michael Cc: firewalls@GreatCircle.COM Subject: Re: web servers Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Chris, Have you explored the possiblities of creating an "Extranet"? (I've been dying to use that buzz word!!) As far as I know, Gauntlet provides the capabilities to use a third network card that you could place these web servers behind. - Paul Gordon, TROY Systems, http://www.troy.com email:pgordon@troy.com, http://mason.gmu.edu/~pgordon ______________________________ Reply Separator _________________________________ Subject: web servers Author: chris michael at INTERNET Date: 4/1/97 1:58 PM Folks, Here's my problem. I have Gauntlet installed with three web servers behind it. 
The web servers are very light usage/testbeds and the machines they're on are used for other things. It's not practical to move the web servers outside of the firewall and the network behind the firewall has private (non-routable) IP addresses. Is there any way to get to the three different web servers through the firewall? I thought of running a web server on the firewall with an initial page that pointed to the other webservers, but that was rejected by management. If it were just one web server I could just plug port 80. If they ran at different ports I could plug different ports--but they don't. I was thinking that perhaps I could assign multiple IP address to the outside interface of the firewall, give the firewall different aliases with different IP addresses and somehow run different instances of plug-gw based on which IP address was connected to. It's the "somehow" part that I'm having trouble with. Any ideas? --- christopher michael*rms business systems* From owner-firewalls-outgoing Tue Apr 1 14:06:51 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA20906 for firewalls-outgoing; Tue, 1 Apr 1997 12:53:10 -0800 (PST) Received: from envirolink.org (envirolink.org [206.210.73.7]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id MAA20883 for ; Tue, 1 Apr 1997 12:53:02 -0800 (PST) Received: by envirolink.org (SMI-8.6/SMI-SVR4) id PAA08725; Tue, 1 Apr 1997 15:50:27 -0500 Date: Tue, 1 Apr 1997 15:50:26 -0500 (EST) From: Wolf Man To: Ed Sawicki cc: Darren Reed , Todd Graham Lewis , sunwei@sea.net.edu.cn, Firewalls@GreatCircle.COM Subject: Re: PC based network analyzer In-Reply-To: <199704011641.IAA27576@web1.zzz.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > On NT, look for "netmon" - a superb packet analyzer! Someone should port > > it to Unix. > > Where can I get a copy of netmon?
> It is part of the NT Resource Kit CD for 4.0 JD From owner-firewalls-outgoing Tue Apr 1 14:54:11 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA18656 for firewalls-outgoing; Tue, 1 Apr 1997 12:35:10 -0800 (PST) Received: from firstunion.com (gate.funb.com [204.5.135.2]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id MAA18639 for ; Tue, 1 Apr 1997 12:35:01 -0800 (PST) Received: by firstunion.com (4.1/SMI-4.1) id AA27622; Tue, 1 Apr 97 15:35:35 EST Received: from cm_mailhost.capmark.funb.com(168.175.82.50) by gate.funb.com via smap (V2.0beta) id xma027612; Tue, 1 Apr 97 15:35:11 -0500 Received: from funws302.capmark.funb.com (funws302 [168.175.7.54]) by cm_mailhost.capmark.funb.com (8.7.5/8.7.3) with ESMTP id PAA05122 for ; Tue, 1 Apr 1997 15:35:10 -0500 (EST) Received: (mhorn@localhost) by funws302.capmark.funb.com (8.6.12/8.6.12) id PAA07171; Tue, 1 Apr 1997 15:35:10 -0500 Message-Id: <199704012035.PAA07171@funws302.capmark.funb.com> Date: Tue, 1 Apr 1997 15:35:09 -0500 From: "Mark Horn [ Net Ops ]" To: firewalls@GreatCircle.COM Subject: Re: web servers References: <3.0.1.32.19970401094257.006d2c20@popmail.insnet.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.68 In-Reply-To: <3.0.1.32.19970401094257.006d2c20@popmail.insnet.com>; from chris michael on Tue, Apr 01, 1997 at 09:42:57AM +0600 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk chris michael says: >I was thinking that perhaps I could assign multiple IP address to the >outside interface of the firewall, give the firewall different aliases with >different IP addresses and somehow run different instances of plug-gw based >on which IP address was connected to. It's the "somehow" part that I'm >having trouble with. I've done this. However, you have to modify the code to plug-gw. Basically, what I did was modify plug-gw to take a new option: ip. 
Essentially, an entry for this plug-gw looks like this:

plug-gw: ip 1.1.1.1 port 80 * -plug-to 2.2.2.1
plug-gw: ip 1.1.1.2 port 80 * -plug-to 2.2.2.2
plug-gw: ip 1.1.1.3 port 80 * -plug-to 2.2.2.3

This is very easy to do. All I did was use getsockname() on fd 0 to figure out which of the IP aliases was being used. Then I used the existing cfg_get() function to look for 'ip' in the config line. I also created a -srcip option so that if you had multiple IP addresses and you wanted a particular connection to appear to come from one of those IP addresses, you could specify it. This was also easy to do. I added two parameters to bind_conn_server() in lib/conn.c. The first was the IP address to bind to, and the second was the port to bind to. If the srcip flag was set to zero, then bind_conn_server() would bind to any available IP address. If srcport was set to zero, then bind_conn_server() would bind to any available port. Setting both to zero got the normal behavior. Then, in the function, I just did a bind() prior to doing the connect. I created a patch so that anyone else in our organization could understand what I did. However, I'm uncertain of the legality of distributing it, so I'm not going to. But believe me, this is not hard. I'm not a programmer and I managed to get this to work!
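The two changes described in the message above (alias-based dispatch via getsockname() and a bind() before the outbound connect()), as an added example that is not part of the original post and is not the plug-gw source or the author's patch. The struct, the function names and the 127.0.0.x rule table are hypothetical; the round trip assumes a Linux-style loopback where every 127.0.0.0/8 address is local.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* One "ip <alias> port <port> ... -plug-to <backend>" rule (hypothetical struct). */
struct plug_rule {
    const char *alias_ip;   /* firewall address the client connected to */
    unsigned short port;    /* port the client connected to */
    const char *plug_to;    /* internal server to relay to */
};

/* Backend for the alias/port the client hit, or NULL: no rule, no relay. */
const char *rule_lookup(const struct plug_rule *r, size_t n, const char *ip, unsigned short port)
{
    for (size_t i = 0; i < n; i++)
        if (r[i].port == port && strcmp(r[i].alias_ip, ip) == 0)
            return r[i].plug_to;
    return NULL;
}

/* Local address and port of a connected socket (fd 0 when run from inetd). */
int local_alias_of(int fd, char *ip, size_t iplen, unsigned short *port)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0 || sa.sin_family != AF_INET ||
        !inet_ntop(AF_INET, &sa.sin_addr, ip, (socklen_t)iplen))
        return -1;
    *port = ntohs(sa.sin_port);
    return 0;
}

/* Outbound connect with optional source address/port: NULL or 0 leaves that
 * choice to the kernel, and with both unset bind() is skipped entirely. */
int connect_from(const char *src_ip, unsigned short src_port,
                 const char *dst_ip, unsigned short dst_port)
{
    struct sockaddr_in src = {0}, dst = {0};
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    src.sin_family = dst.sin_family = AF_INET;
    src.sin_port = htons(src_port);
    dst.sin_port = htons(dst_port);
    if (inet_pton(AF_INET, dst_ip, &dst.sin_addr) != 1 ||
        (src_ip && inet_pton(AF_INET, src_ip, &src.sin_addr) != 1) ||
        ((src_ip || src_port) && bind(fd, (struct sockaddr *)&src, sizeof src) < 0) ||
        connect(fd, (struct sockaddr *)&dst, sizeof dst) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Loopback round trip: listen on the wildcard address, connect to one 127.0.0.x
 * "alias" from a chosen source, resolve the rule on the accepting side.
 * Returns 0, or -1 if no rule matched or loopback sockets are unavailable. */
int demo_roundtrip(const char *alias, const char *src_ip,
                   char *backend, size_t blen, char *peer, size_t plen)
{
    /* Constructed rules: 127.0.0.x stands in for the post's 1.1.1.x aliases. */
    struct plug_rule rules[] = {
        {"127.0.0.1", 0, "2.2.2.1"}, {"127.0.0.2", 0, "2.2.2.2"}, {"127.0.0.3", 0, "2.2.2.3"},
    };
    struct sockaddr_in sa = {0}, pa;
    socklen_t len = sizeof sa, palen = sizeof pa;
    char ip[INET_ADDRSTRLEN];
    unsigned short port = 0;
    const char *to = NULL;
    int cfd = -1, afd = -1, lfd = socket(AF_INET, SOCK_STREAM, 0);

    sa.sin_family = AF_INET;                 /* INADDR_ANY, ephemeral port */
    if (lfd >= 0 && bind(lfd, (struct sockaddr *)&sa, sizeof sa) == 0 &&
        listen(lfd, 1) == 0 && getsockname(lfd, (struct sockaddr *)&sa, &len) == 0) {
        for (int i = 0; i < 3; i++) rules[i].port = ntohs(sa.sin_port);
        cfd = connect_from(src_ip, 0, alias, ntohs(sa.sin_port));
        if (cfd >= 0) afd = accept(lfd, (struct sockaddr *)&pa, &palen);
        if (afd >= 0 && local_alias_of(afd, ip, sizeof ip, &port) == 0 &&
            inet_ntop(AF_INET, &pa.sin_addr, peer, (socklen_t)plen))
            to = rule_lookup(rules, 3, ip, port);
    }
    if (to) snprintf(backend, blen, "%s", to);
    if (afd >= 0) close(afd);
    if (cfd >= 0) close(cfd);
    if (lfd >= 0) close(lfd);
    return to ? 0 : -1;
}

int main(void)
{
    char to[INET_ADDRSTRLEN], peer[INET_ADDRSTRLEN];
    int rc = demo_roundtrip("127.0.0.2", "127.0.0.9", to, sizeof to, peer, sizeof peer);
    if (rc == 0)
        printf("client %s hit alias 127.0.0.2, relay to %s\n", peer, to);
    return rc ? 1 : 0;
}
```

A connection that arrives on an address with no matching rule gets NULL from rule_lookup(), so the relay can drop it instead of falling through to a default backend.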
-- Mark Horn PGP Public Key available from: http://www.es.net/hypertext/pgp.html PGP KeyID/fingerprt: 00CBA571/32 4E 4E 48 EA C6 74 2E 25 8A 76 E6 04 A1 7F C1 From owner-firewalls-outgoing Tue Apr 1 15:26:28 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA19646 for firewalls-outgoing; Tue, 1 Apr 1997 12:43:26 -0800 (PST) Received: from panix2.panix.com (panix2.panix.com [198.7.0.3]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id MAA19632 for ; Tue, 1 Apr 1997 12:43:19 -0800 (PST) Received: (from guy@localhost) by panix2.panix.com (8.8.5/8.7/PanixU1.3) id PAA24974; Tue, 1 Apr 1997 15:44:11 -0500 (EST) Date: Tue, 1 Apr 1997 15:44:11 -0500 (EST) From: Information Security Message-Id: <199704012044.PAA24974@panix2.panix.com> To: firewalls@GreatCircle.com Subject: Re: email monitoring Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > From clonvick@cisco.com Tue Apr 1 10:48:50 1997 > To: Information Security , firewalls@GreatCircle.COM > Subject: Re: email monitoring > > Hello Guy, > > There appears to be a new creature on the block. It's called an email > guard but sounds like a bear. > > http://www.nsa.gov:8080/programs/missi/cat_fg.html > > and as a specific example > > http://www.nsa.gov:8080/programs/missi/scc_sns.html > > I'm especially impressed with the dirty-word search filter feature > ;-) # * Filters: # + ASCII text only # + Classification line # + Sender/Recipient/Host addresses # + Dirty-word search # + Attachment Review Module (ARM) # + Source routing # * Manual review # * Message journaling If this is useful, it is for companies that can afford to assign as many people as necessary to clear each piece of mail manually. Not really feasible unless you have deep pockets and don't mind mail delays. Other than that, it's just filter stuff, unrelated to the Internet Risk Management Analytics I have been posting about. 
> I bet that the use of this in a commercial environment would bring > up a lot of social issues about email privacy, etc. I've covered that topic in the postings, serial #1. > Chris Lonvick > Cisco Systems > Consulting Engineering > Houston, TX, USA > +1..713.778.5663 > > >If it's scrolled out of your local ISP, try www.dejanews.com. > >Usenet group 'comp.security.firewalls', > >subject "Corruption at Salomon Brothers'. > > > >Installments "Serial #0" through #12 have been posted. > >---guy Cisco is one of the biggest security holes for all sites! ;-) I'm serious! ---guy [ SISS = Salomon Information Security Services ] :From: guy :To: vivian [Legal] :Subject: Snarf: ROUTER REDHOT 6/27/96 :Cc: mon_c ******************************************************************************* ******************************************************************************* ******************************************************************************* SECURITY INCIDENT REPORT, 6/27/96 ROUTER PASSWORDS BRIDGE AND ROUTER CONFIGURATIONS NOC SYSTEMS SECURITY --------------------------------- This is a security incident report regarding the Internet (a public wire) traffic of Salomon Brothers, which is monitored for security/compliance. NOTE: THESE INCIDENTS HAVE NOT STOPPED DESPITE REPEATED SISS REPORTS! This report should be taken as a complaint that insufficient procedures have been put in place to ensure current and new Salomon personnel are made aware of the security issues of Internet transmissions for network device configuration files. Suggest wide-spread distribution of a memo concerning the problem. Perhaps place "no-Internet-transmission" comments in all network config files. Standard warning issued to all new networkers. 
Three transmissions of live passwords to three different Salomon routers have been sent in cleartext over the Internet by Rock Transves nnn-nnnn of Internet Client Services: SENDER DATE ROUTER LINE PASSWORD Rock Transves 6/27/96 09:37 bc7f7w40 [global] bs345way [and again on] 6/26/96 16:10 con 0 bs345way aux 0 bs345way vty 0 qwerty0 Rock Transves 6/18/96 11:27 ard7w35 [global] z23c4v5b trangobw1 [global] bs345way con 0 bs345way ALL OF THESE ROUTERS *AND* ALL ROUTERS USING THE SAME PASSWORDS MUST HAVE THEIR PASSWORDS CHANGED. [snip, from serial #6] From owner-firewalls-outgoing Tue Apr 1 15:38:34 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA25747 for firewalls-outgoing; Tue, 1 Apr 1997 13:26:09 -0800 (PST) Received: from dallas-cs-000.novare.net (dallas-cs-000.novare.net [205.229.104.10]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id NAA25705 for ; Tue, 1 Apr 1997 13:25:57 -0800 (PST) Received: from muggles (mark@muggles.novare.net [205.229.105.72]) by dallas-cs-000.novare.net (8.7.6/8.6.9) with SMTP id PAA11698 for ; Tue, 1 Apr 1997 15:31:34 -0600 Message-ID: <33417DF9.636DE59D@novare.net> Date: Tue, 01 Apr 1997 15:28:25 -0600 From: m* Organization: Novare' International Information Systems X-Mailer: Mozilla 3.0Gold (X11; I; Linux 2.0.27 i586) MIME-Version: 1.0 To: firewalls Subject: Re: PC based network analyzer References: <334154777228002@scribe.cc.purdue.edu> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Michael S Hines wrote: > > > Where can I get a copy of netmon? > > Buy Windows NT Server 4.0..... its part of the standard > distribution. > > wasn't there a post recently about a security bug in metmon? 
m* -- "The Shining One" -- From owner-firewalls-outgoing Tue Apr 1 15:52:17 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA28292 for firewalls-outgoing; Tue, 1 Apr 1997 13:42:53 -0800 (PST) Received: from gatekeeper.Bridge.COM (gatekeeper.bridge.com [167.76.159.11]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id NAA28228 for ; Tue, 1 Apr 1997 13:42:36 -0800 (PST) Received: (from mailproxy@localhost) by gatekeeper.Bridge.COM (8.6.12/8.6.9) id PAA16851; Tue, 1 Apr 1997 15:36:08 -0600 Received: from dns1srv.bridge.com(167.76.36.6) by gatekeeper.Bridge.COM via smap (V1.3) id sma016806; Tue Apr 1 15:36:05 1997 Received: from binki.bridge.com (binki.bridge.com [167.76.24.243]) by dns1srv.bridge.com (8.7.6/8.7.3) with ESMTP id PAA28610; Tue, 1 Apr 1997 15:42:33 -0600 (CST) Received: (from ken@localhost) by binki.bridge.com (8.7/8.7) id PAA03507; Tue, 1 Apr 1997 15:42:30 -0600 (CST) Date: Tue, 1 Apr 1997 15:42:30 -0600 (CST) From: Ken Hardy Message-Id: <199704012142.PAA03507@binki.bridge.com> To: mgetter@advstaff.com, arjan@pino.demon.nl Subject: Re: procmail Cc: firewalls@GreatCircle.COM X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Arjan Vos wrote: >On Tue, 1 Apr 1997 mgetter@advstaff.com wrote: >> Is it possible to utilize a utility such as Procmail to filter messages >> passing through a Gauntlet Firewall? >> >> >I'm not quiet sure what you mean by that. If you mean that procmail is >used for security-based filtering I would say no. If procmail is used to >filter messages which have passed through the firewall (smap), thenI >would say yes. But procmail only filters on a per used basis AFAIK. There is a global procmail.rc file in /etc (which I haven't played with much), but it only gets used when procmail gets invoked, which is usually only when the local delivery agent gets called. I doubt that happens on the firewall much. 
Depending on what you want to do, a clever sendmail config might do whatever it is that you have in mind. E.g., there are some fairly simple ways to use sendmail as a spam filter (http://spam.abuse.net/spam/tools/mailblock.html). -- KH From owner-firewalls-outgoing Tue Apr 1 15:52:40 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA03477 for firewalls-outgoing; Tue, 1 Apr 1997 14:11:54 -0800 (PST) Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id OAA03465 for ; Tue, 1 Apr 1997 14:11:47 -0800 (PST) Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id RAA02252; Tue, 1 Apr 1997 17:08:38 -0500 (EST) From: Adam Shostack Message-Id: <199704012208.RAA02252@homeport.org> Subject: Re: Getting DNS through a firewall. In-Reply-To: from Chris Kostick at "Apr 1, 97 09:27:52 am" To: christopher.t.kostick@cpmx.saic.com (Chris Kostick) Date: Tue, 1 Apr 1997 17:08:38 -0500 (EST) Cc: neale@planet.NET.AU, firewalls@GreatCircle.COM X-Mailer: ELM [version 2.4ME+ PL27 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Chris Kostick wrote: | > Does this not raise a quandary: if it is unsafe to pass DNS packets | through | > the firewall, then how is it safe to pass them to a dns slave server on | > the firewall? | Refresh my memory. What's so unsafe about DNS, or more specifically, the | BIND code that most people use? There's a buffer overflow in some older bind code. There have been attacks where a server returns malicious information supporting Java attacks (lookup(www2.foo.com) returned something in your domain; Java, already inside your perimeter, would connect to it.) There exists a telnet over DNS tool. If you let people pass arbitrary packets through your firewall, adding DNS to the list isn't a big deal.
If you don't let dns through, then a dns-gw would be a good idea. Cheswick talked about one at SANS 96(?), and I'm wondering why its not part of any commercial product yet. Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From owner-firewalls-outgoing Tue Apr 1 16:10:59 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA06449 for firewalls-outgoing; Tue, 1 Apr 1997 14:26:12 -0800 (PST) Received: from mail.ka.inka.de (quechua.inka.de [193.197.84.5]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id OAA06330 for ; Tue, 1 Apr 1997 14:25:41 -0800 (PST) Received: from uu.inka.de ([193.197.84.8]) by mail.ka.inka.de with smtp (ident root using rfc1413) id m0wCC0I-0004HMC (Debian Smail-3.2 1996-Jul-4 #2); Wed, 2 Apr 1997 00:26:10 +0200 (MET DST) Received: from lina.inka.de (lists@lina.inka.de) by uu.inka.de with bsmtp (S3.1.29.1) id ; Wed, 2 Apr 97 00:26 MET DST Received: by lina.inka.de id m0wCBqN-00016nC (Debian Smail-3.2 1996-Jul-4 #2); Wed, 2 Apr 1997 00:15:35 +0200 (CEST) Message-ID: <19970402001534.59596@inka.de> Date: Wed, 2 Apr 1997 00:15:34 +0200 From: Bernd Eckenfels To: Chris Kostick Cc: Neale Banks , firewalls@greatcircle.com Subject: Re: Getting DNS through a firewall. References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.61.1 In-Reply-To: ; from Chris Kostick on Apr 04, 1997 at 09:27:52AM -0500 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello, On Apr 1, Chris Kostick wrote > server) > and internal DNS server be run. Outside access would only have minimal > information > available to them. This, as opposed to the original question of just > getting > DNS through the firewall to the only DNS server (TCP and UDP), and having > all > information available about the internal network. Well, I was suggesting both. 
Using a BIND Server between Internet and Resolver Code will (hopefully) add some additional checks on Answer Packets and will do some traffic and line usage minimizing caching. Additionally it will hide your internal (most probably with broken/unofficial ip addresses) namespace. Additionally the bind server will work like a stateful udp relay for port 520. Greetings Bernd -- (OO) -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de -- ( .. ) ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/ o--o *plush* 2048/93600EFD eckes@irc +4972573817 BE5-RIPE (O____O) If privacy is outlawed only Outlaws have privacy From owner-firewalls-outgoing Tue Apr 1 16:26:55 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id PAA13017 for firewalls-outgoing; Tue, 1 Apr 1997 15:05:41 -0800 (PST) Received: from mail.ka.inka.de (quechua.inka.de [193.197.84.5]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id PAA12949 for ; Tue, 1 Apr 1997 15:05:20 -0800 (PST) Received: from uu.inka.de ([193.197.84.8]) by mail.ka.inka.de with smtp (ident root using rfc1413) id m0wCCck-0004FwC (Debian Smail-3.2 1996-Jul-4 #2); Wed, 2 Apr 1997 01:05:54 +0200 (MET DST) Received: from lina.inka.de (lists@lina.inka.de) by uu.inka.de with bsmtp (S3.1.29.1) id ; Wed, 2 Apr 97 01:05 MET DST Received: by lina.inka.de id m0wCCSu-00016mC (Debian Smail-3.2 1996-Jul-4 #2); Wed, 2 Apr 1997 00:55:24 +0200 (CEST) Message-ID: <19970402005522.08462@inka.de> Date: Wed, 2 Apr 1997 00:55:22 +0200 From: Bernd Eckenfels To: Kathy Kost Cc: firewalls@greatcircle.com Subject: Re: combo internal/external web servers References: <9704011916.AA00517@intermec.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.61.1 In-Reply-To: <9704011916.AA00517@intermec.com>; from Kathy Kost on Apr 04, 1997 at 11:16:33AM -0800 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello, On Apr 1, Kathy Kost wrote > What is the current feeling on this
these days? Is it possible to have > them both co-exist on the same box without risking the internal web site? It's more a question of risking the internal net or the firewall security. I don't see the point of putting internal web on the firewall. You can run a Web-Server for a small Intranet on about any machine in your bureau. If you don't expect heavy usage you can use any internal host. You have to expect cgi-bin and user logins on the web server, something you clearly don't want on the firewall host. Unless you have a trusted OS there is no real possibility to separate the internal and external servers on one host. It's also a bad idea to put the external Server on your firewall. You will need cgi-bins and Maintenance Logins and you can expect a lot of exploitations on your web server. Put it on a small Box on your DMZ. Unless you are going to offer porn pictures an old 486 with Linux or *BSD* will do very well. Actually that's not an answer to your question, it's simply a 'don't do it, it's easy to avoid'. Greetings Bernd -- (OO) -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de -- ( ..
) ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/ o--o *plush* 2048/93600EFD eckes@irc +4972573817 BE5-RIPE (O____O) If privacy is outlawed only Outlaws have privacy From owner-firewalls-outgoing Tue Apr 1 16:36:42 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id PAA13312 for firewalls-outgoing; Tue, 1 Apr 1997 15:07:25 -0800 (PST) Received: from ns1.seagate.com (ns1.seagate.com [204.160.183.10]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id PAA13251 for ; Tue, 1 Apr 1997 15:07:06 -0800 (PST) Received: (from smap) by ns1.seagate.com (8.8.5/8.8.5) id OAA16003; Tue, 1 Apr 1997 14:54:19 -0800 Received: from unknown(134.204.114.75) by ns1 via smap (V1.3) id sma015968; Tue Apr 1 22:54:01 1997 Received: from charlot.stsj.seagate.com (charlot.stsj.seagate.com [10.26.0.100]) by auth1.seagate.com (8.6.12/cf-v5) with ESMTP id OAA00299; Tue, 1 Apr 1997 14:55:52 -0800 Received: from MikeOropeza.stsj.seagate.com by charlot.stsj.seagate.com (SMI-8.6/SMI-SVR4) id OAA09147; Tue, 1 Apr 1997 14:55:16 -0800 Message-ID: <334192AC.2235@seagate.com> Date: Tue, 01 Apr 1997 14:56:44 -0800 From: Mike J Oropeza Organization: Corporate Internet Services X-Mailer: Mozilla 4.0b2 (Win95; I) MIME-Version: 1.0 To: gordonp.atc@gao.gov CC: support@tis.com, chris michael , firewalls@GreatCircle.COM Subject: Re: web servers X-Priority: 3 (Normal) References: <9703018599.AA859935419@mailgateway.gao.gov> Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This appears to be a good situation for reverse proxying. The proxy can behave as a single web server, while mapping to different servers inside a firewall. Access control may also be applied at the proxy server, since the controls are applied after name translation. 
Of course, the usual constraints may be applied to the firewall so that only the proxy server can access the content servers internally. > Here's my problem. I have Gauntlet installed with three web servers behind > it. The web servers are very light usage/testbeds and the machines they're > on are used for other things. It's not practical to move the web servers > outside of the firewall and the network behind the firewall has private > (non-routable) IP addresses. Is there any way to get to the three > different web servers through the firewall? > > I thought of running a web server on the firewall with an initial page that > pointed to the other webservers, but that was rejected by management. > > If it were just one web server I could just plug port 80. If they ran at > different ports I could plug different ports--but they don't. > > I was thinking that perhaps I could assign multiple IP address to the > outside interface of the firewall, give the firewall different aliases with > different IP addresses and somehow run different instances of plug-gw based > on which IP address was connected to. It's the "somehow" part that I'm > having trouble with. > > Any ideas?
> --- > christopher michael*rms business systems* -- Mike J Oropeza -------------------------------- Those who hear not the music, think the dancers mad ~{';'}~ From owner-firewalls-outgoing Tue Apr 1 17:23:12 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id QAA25516 for firewalls-outgoing; Tue, 1 Apr 1997 16:08:22 -0800 (PST) Received: from inet.uni-c.dk (inet.uni-c.dk [130.228.6.2]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id QAA25483 for ; Tue, 1 Apr 1997 16:08:12 -0800 (PST) Received: (from vader@localhost) by inet.uni-c.dk (8.8.4/8.6.9) id CAA04090; Wed, 2 Apr 1997 02:08:47 +0200 (METDST) Date: Wed, 2 Apr 1997 02:08:47 +0200 (METDST) From: Chris Larsen Subject: Re: PC based network analyzer To: Firewalls@GreatCircle.COM In-Reply-To: <334154777228002@scribe.cc.purdue.edu> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Tue, 1 Apr 1997, Michael S Hines wrote: > > Where can I get a copy of netmon? > > Buy Windows NT Server 4.0..... its part of the standard > distribution. > In fact this only enables you to look at traffic comming to/from the installed NIC. To use netmon on a NIC in promiscous mode ie. capturing/analyzing all packets on the lan segment, you need to have the SMS version of netmon. I would myself promote NetXray as the foremost and best quality sniffer for NT. Especially since you can deploy agents around on various positions on the lan. For unix i still like tcpdump on a FreeBSD host because of the flexibility of rules and parsing of the dump files can be customized to just your needs and parsing language :-) just my 0.02$ worth. Chris Larsen | We learn from history, vader@inet.uni-c.dk | that we do not learn from history... System Manager | Struers A/S | All opinions expressed herein are my own | and _not_ those of my employers !!. 
From owner-firewalls-outgoing Tue Apr 1 21:07:02 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id UAA22520 for firewalls-outgoing; Tue, 1 Apr 1997 20:58:18 -0800 (PST) Received: from relay1.smtp.psi.net (relay1.smtp.psi.net [38.8.14.2]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id UAA22495 for ; Tue, 1 Apr 1997 20:58:04 -0800 (PST) Received: from Inf.COM by relay1.smtp.psi.net (8.8.3/SMI-5.4-PSI) id XAA09709; Tue, 1 Apr 1997 23:58:29 -0500 (EST) Received: by Inf.COM (4.1/SMI-4.1) id AA11054; Tue, 1 Apr 97 23:49:49 EST Received: from unknown(204.4.54.92) by infosys.inf.COM via smap (V1.3) id sma010946aaa; Tue Apr 1 23:48:15 1997 Received: from PDMALLYA ([204.4.54.74]) by jhelum.inf.com (8.8.4/) with SMTP id KAA01546; Wed, 2 Apr 1997 10:31:07 -0500 Message-Id: <3341E604.3C67@inf.com> Date: Wed, 02 Apr 1997 10:22:20 +0530 From: "Prabhakar D. Mallya" Reply-To: pdmallya@Inf.COM Organization: Infosys Technologies Ltd X-Mailer: Mozilla 3.0 (Win95; I) Mime-Version: 1.0 To: firewalls@greatcircle.com Cc: John Kerr Subject: Re: Firewall Architecture for Web, Database References: <33411F64.6ACB@csc.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk John Kerr wrote: > > A customer of ours has asked about setting up a security architecture > with the Firewall being the main focus. They would like to allow access > into their Database inside of the Firewall opposed to having a Database > Server that would sit outside the Firewall. They seem to be okay with > having a Web server sitting outside the Firewall, so I don't see that as > a problem. The problem that they are trying to avoid is having to copy > or replicate the data to the Database Server (too time consuming). What > are the dangers with adding a third interface to the Firewall and > putting the Database on a seperate DMZ. 
> It would look like this:
>
> Internet
>     |
>     |            ----------      ---------
>     |            -Database-      -  Web  -
>     |            ----------      ---------
> ---------             |              |
> -  FW   ------------------------------
> ---------
>     |
>     |
>     |
> Internal
> Network
>
> Rules would be put on the firewall to only allow external access from
> the internet to the DMZ. We would not allow any access from the DMZ
> into the internal Network.
> Any suggestions would be appreciated.
> Thanks
> John

Hi,

I'm faced with similar requirements, and I'm evaluating alternatives.
My analysis, so far, of this situation:

1. The database server and the Web server are open to attack, wherever
   you place them, because you want to allow external users to access
   them.

2. The rationale for placing these servers in the DMZ is that even if
   they are compromised, the rest of your network is still protected by
   the firewall; the damage is contained to these servers.

3. You can use the firewall to protect your Web & Database servers by
   configuring it to reject all traffic between the Internet and the
   DMZ, except HTTP browser traffic with the Web Server. The DataBase
   Server should be accessible from the Web Server and from the
   Internal network. Perhaps you could increase protection to the
   database server by placing it on a fourth network segment connected
   to the firewall.

                        Internet
                            |
     ----------             |                     ---------
     -Database-             |                     -  Web  -
     ----------             |                     ---------
          |             ---------                     |
          ----------------- FW ------------------------
                        ---------
                            |
                            |
                            |
                        Internal
                        Network

4. You still have to protect your Web server - e.g., against malicious
   CGI scripts. I think TIS (http://www.tis.com) have a product for Web
   server protection.

5. You still have to protect your database server - e.g., you need to
   ensure that users, especially from the Web server, who access the
   database server cannot access data they are not authorized to
   access.

I would be interested in further views/analysis/security
holes/solutions on this topic.

Regards

--
Prabhakar D.
Mallya Infosys Technologies, Bangalore, India http://www.inf.com/ e-mail: pdmallya@inf.com phone: 91-80-8520261 xtn 1156 fax: 91-80-8520348 From owner-firewalls-outgoing Tue Apr 1 21:45:54 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id VAA25308 for firewalls-outgoing; Tue, 1 Apr 1997 21:30:21 -0800 (PST) Received: from col1.telecom.com.co (COL1.TELECOM.COM.CO [200.21.200.2]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id VAA25299 for ; Tue, 1 Apr 1997 21:30:16 -0800 (PST) Received: from [200.21.212.34] by col1.telecom.com.co; (5.65v3.2/1.1.8.2/04Oct96-1154AM) id AA17350; Wed, 2 Apr 1997 00:35:02 -0500 Received: by ucauca.edu.co (SMI-8.6/SMI-SVR4) id XAA03710; Tue, 1 Apr 1997 23:32:45 -0400 Date: Tue, 1 Apr 1997 23:32:45 -0400 (CST) From: Mauricio Constain To: firewalls@greatcircle.com Subject: which proxy server is beter? Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I am seting up a firewall and i want to know what proxy software (for Solaris or linux) can i use to let about 50 pc's have access to internet. Actually I am using CERN HTTPD as proxy server but i am not satisfy whit the performance because sometimes the transfer for FTP shutdowns. It's better to put the proxy server in a sparc station or in a pc whit linux ?. I'm looking for the best comercial or public-domain sofware, any experience can help. 
Thanks Mauricio Constain mconsta@atenea.ucauca.edu.co From owner-firewalls-outgoing Tue Apr 1 22:13:28 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id VAA26963 for firewalls-outgoing; Tue, 1 Apr 1997 21:46:49 -0800 (PST) Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id VAA26853 for ; Tue, 1 Apr 1997 21:46:24 -0800 (PST) Received: from mrkev.vabo.cz (mrkev.vabo.cz [160.216.1.1]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with SMTP id VAA10568 for ; Tue, 1 Apr 1997 21:42:58 -0800 (PST) Message-Id: <199704020542.VAA10568@miles.greatcircle.com> Received: by mrkev.vabo.cz (1.37.109.4/16.2) id AA12792; Wed, 2 Apr 97 07:37:23 +0200 From: Josef Kaderka Subject: Re: PC based network analyzer To: firewalls@greatcircle.com Date: Wed, 2 Apr 97 7:37:23 METDST Phone: +42 5 4118 2704 Mailer: Elm [revision: 70.85] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Does anyone know if there is a kind of PC based network packet > analyzer? I use over 4 years NetSight Analyst from Intel. It's MS DOS based and can works with any (I hope) NIC through packet driver. Full installation has less than 1 MB :-). You can create many filters for receiving or displaying packets, decode any packet etc. This product helped me many times when I doubted what really occurs in network. +---------------------------------------------------------------+ | Josef Kaderka kade@vabo.cz | +---------------------------------------------------------------+ | Network & Internet administrator tel. xx420 5 41182704 | | Department of Computers fax. 
xx420 5 41182987 | | Brno Military Academy | | Kounicova 65, 612 00 Brno, Czech Republic OK2PWD | +---------------------------------------------------------------+ From owner-firewalls-outgoing Tue Apr 1 22:22:15 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id WAA00732 for firewalls-outgoing; Tue, 1 Apr 1997 22:18:40 -0800 (PST) Received: from col1.telecom.com.co (COL1.TELECOM.COM.CO [200.21.200.2]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id WAA00704 for ; Tue, 1 Apr 1997 22:18:31 -0800 (PST) Received: from [200.21.212.34] by col1.telecom.com.co; (5.65v3.2/1.1.8.2/04Oct96-1154AM) id AA16672; Wed, 2 Apr 1997 01:23:22 -0500 Received: by ucauca.edu.co (SMI-8.6/SMI-SVR4) id AAA03927; Wed, 2 Apr 1997 00:21:05 -0400 Date: Wed, 2 Apr 1997 00:21:05 -0400 (CST) From: Mauricio Constain To: firewalls@greatcircle.com Subject: which proxy server is beter? Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I am seting up a firewall and i want to know what proxy software (for Solaris or linux) can i use to let about 50 pc's have access to internet. Actually I am using CERN HTTPD as proxy server but i am not satisfy whit the performance because sometimes the transfer for FTP shutdowns. It's better to put the proxy server in a sparc station or in a pc whit linux ?. I'm looking for the best comercial or public-domain sofware, any experience can help. 
Thanks Mauricio Constain mconsta@atenea.ucauca.edu.co From owner-firewalls-outgoing Wed Apr 2 00:37:05 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id AAA10700 for firewalls-outgoing; Wed, 2 Apr 1997 00:33:29 -0800 (PST) Received: from flex.flex.ro (flex.flex.ro [193.230.255.2]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id AAA10693 for ; Wed, 2 Apr 1997 00:33:20 -0800 (PST) Received: from powercore (dial05.flex.ro [193.230.255.105]) by flex.flex.ro (8.7.5/8.7.3) with ESMTP id MAA10062 for ; Wed, 2 Apr 1997 12:25:44 +0300 Message-Id: <199704020925.MAA10062@flex.flex.ro> From: "Viorel Dehelean" To: Subject: VBX Date: Wed, 2 Apr 1997 11:35:44 +0300 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1155 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Any one know if there is a posibility to convert VBX files into OCX files ? Best Regards , Viorel Dehelean AKA Powerman - Risc Team vdehelean@flex.ro powerm@usa.net http://www.flex.ro/RISC Tel. Home : 039-615151 Tel. 
Work : 039-641841

From owner-firewalls-outgoing Wed Apr 2 01:22:03 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id AAA11707 for firewalls-outgoing; Wed, 2 Apr 1997 00:54:34 -0800 (PST)
Received: from TYO9.gate.nec.co.jp (TYO9.gate.nec.co.jp [203.180.98.35]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id AAA11700 for ; Wed, 2 Apr 1997 00:54:28 -0800 (PST)
From: Lo_Chi_Hou@PHI-HKMRO.ccgw.nec.co.jp
Received: from mailsv.nec.co.jp ([133.200.254.203]) by TYO9.gate.nec.co.jp (8.8.5+2.7Wbeta5/3.4Wb-NEC-TYO9) with ESMTP id RAA25676 for ; Wed, 2 Apr 1997 17:55:09 +0900 (JST)
Received: from gmsjp25.gms.nec.co.jp (gmsjp25.gms.nec.co.jp [10.1.243.2]) by mailsv.nec.co.jp (8.8.5+2.7Wbeta5/3.4W-97040118) with ESMTP id RAA22676 for ; Wed, 2 Apr 1997 17:55:06 +0900 (JST)
Received: by gmsjp25.gms.nec.co.jp (8.8.5+2.7Wbeta5/6.4JAIN) id RAA03106; Wed, 2 Apr 1997 17:55:06 +0900 (JST)
Message-Id: <199704020855.RAA03106@gmsjp25.gms.nec.co.jp>
To: Firewalls@GreatCircle.COM
Subject: Network Access Authentication...
Date: Wed, 2 Apr 1997 13:40:00 +0900
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi!!! I am currently working on a project that will require
me to do some authentication, audit, and accounting on both
dial up and LAN user's Internet usage in our University.

For dial up we don't have much problem, there is the TACACS
and XTACACS that can be used for this purpose. But I am
having a problem when it comes to the LAN user. I need to
protect and prevent unauthorized users in the campus from
accessing the Internet.

To do LAN user authentication and control, I am kind of
thinking maybe a firewall or proxy may do the trick.

Something like the setup below:

Internet ----- Router ------+---- Proxy ----- Internal LAN
                            |
                      Bastion Host

The proxy should be able to do some authentication, and
accounting on the user.

Can anyone tell me where I can find such a proxy? or any
other software that may help me solve the problem?
TACACS use the wtmp format of UNIX for saving accounting data(such as login and logout time, username... etc). I was hoping that the proxy will also be able to log user info in such a format for better management. Thanks in advance.... From owner-firewalls-outgoing Wed Apr 2 02:42:36 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id CAA20038 for firewalls-outgoing; Wed, 2 Apr 1997 02:21:30 -0800 (PST) Received: from mail.vtx.ch (mail.vtx.ch [194.51.92.4]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id CAA20031 for ; Wed, 2 Apr 1997 02:21:21 -0800 (PST) Received: from tla03 ([194.191.78.3]) by mail.vtx.ch (Netscape Mail Server v1.1) with SMTP id AAA2321; Wed, 2 Apr 1997 12:19:32 +0200 Message-ID: <33422236.C68@tla.ch> Date: Wed, 02 Apr 1997 11:09:10 +0200 From: Christian ALT Reply-To: calt@tla.ch Organization: Telecom and Logistics Associates X-Mailer: Mozilla 3.0Gold (WinNT; I) MIME-Version: 1.0 To: Mauricio Constain CC: Firewalls@greatcircle.com Subject: Re: which proxy server is beter? References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Go and look for squid, freeware, we replaced our linux cern httpd by a sparc 4 with squid, works great. Many people claim that it is faster than commercial proxy. http://www.nlanr.net/Squid/ Mauricio Constain wrote: > > I am seting up a firewall and i want to know what proxy software (for > Solaris or linux) can i use to let about 50 pc's have access to internet. > > Actually I am using CERN HTTPD as proxy server but i am not satisfy whit > the performance because sometimes the transfer for FTP shutdowns. > > It's better to put the proxy server in a sparc station or in a pc whit > linux ?. > > I'm looking for the best comercial or public-domain sofware, any > experience can help. 
> > Thanks > > Mauricio Constain > mconsta@atenea.ucauca.edu.co -- Christian ALT E-mail: calt@tla.ch Telecom and Logistics Associates phone & fax : +41 22 328 14 88 10, Rue des Savoises, CH-1205 Geneva http://www.tla.ch From owner-firewalls-outgoing Wed Apr 2 03:21:59 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id DAA22582 for firewalls-outgoing; Wed, 2 Apr 1997 03:11:56 -0800 (PST) Received: from dallas-cs-000.novare.net (dallas-cs-000.novare.net [205.229.104.10]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id DAA22545 for ; Wed, 2 Apr 1997 03:11:36 -0800 (PST) Received: from muggles (mark@muggles.novare.net [205.229.105.72]) by dallas-cs-000.novare.net (8.7.6/8.6.9) with SMTP id FAA16339 for ; Wed, 2 Apr 1997 05:17:42 -0600 Message-ID: <33423F92.59E69C29@novare.net> Date: Wed, 02 Apr 1997 05:14:26 -0600 From: m* Organization: Novare' International Information Systems X-Mailer: Mozilla 3.0Gold (X11; I; Linux 2.0.27 i586) MIME-Version: 1.0 To: Firewalls@GreatCircle.COM Subject: Re: which proxy server is beter? References: <33422236.C68@tla.ch> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Christian ALT wrote: > > Go and look for squid, freeware, we replaced our linux cern httpd by a > sparc 4 with squid, works great. Many people claim that it is faster > than commercial proxy. > > http://www.nlanr.net/Squid/ > > Mauricio Constain wrote: > > > > I am seting up a firewall and i want to know what proxy software (for > > Solaris or linux) can i use to let about 50 pc's have access to internet. i have gotten fabulous performance from our squid through our firewall. it's a relative cince to set up and configure too ( on debian linux ). i would highly recommend it. 
m* -- "The Shining One" -- From owner-firewalls-outgoing Wed Apr 2 03:44:09 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id DAA22303 for firewalls-outgoing; Wed, 2 Apr 1997 03:09:09 -0800 (PST) Received: from bbbpop.bbamerindus.com.br ([200.250.236.20]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id DAA22296 for ; Wed, 2 Apr 1997 03:08:59 -0800 (PST) Received: from leste by bbbpop.bbamerindus.com.br with SMTP (1.39.111.2/16.2) id AA116389469; Wed, 2 Apr 1997 08:11:09 -0300 Message-Id: <33423E2D.275C@usa.net> Date: Wed, 02 Apr 1997 08:08:29 -0300 From: Pedro Lineu Orso Organization: Banco Bamerindus do Brasil SA X-Mailer: Mozilla 3.0 (X11; I; SunOS 5.5 sun4m) Mime-Version: 1.0 To: Lo_Chi_Hou@PHI-HKMRO.ccgw.nec.co.jp Cc: Firewalls@GreatCircle.COM Subject: Re: Network Access Authentication... References: <199704020855.RAA03106@gmsjp25.gms.nec.co.jp> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Lo_Chi_Hou@PHI-HKMRO.ccgw.nec.co.jp wrote: > > Hi!!! I am currently working on an project that will require > me to do some authentication, audit, and accounting on both > dial up and LAN user's Internet usage in our University. > > For dial up we don't have much problem, there is the TACACS > and XTACACS that can be use for this purposes. But I am > having a problem when it comes to the LAN user. I need to > protect and prevent unauthorize users in the campus from > accessing the Internet. > > To do LAN user authentication and control, I am kind of > thinking may be a firewall or proxy may do the tricks. > > Something like the setup below: > > > Internet ----- Router ------+---- Proxy ----- Internal LAN > | > Bastion Host > > The proxy should be able to do some authentication, and > accounting on the user. > > Can anyone tell me where I can find such a proxy? or any > other software that may help me solve the problem? 
> > TACACS use the wtmp format of UNIX for saving accounting > data(such as login and logout time, username... etc). I was > hoping that the proxy will also be able to log user info > in such a format for better management. > > Thanks in advance.... Hi Lo Try Squid Proxy at http://squid.nlanr.net/Squid The Squid authentication works fine for me. Pedro L Orso HSBC BAmerindus orso@usa.net Brazil From owner-firewalls-outgoing Wed Apr 2 04:07:03 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id DAA27347 for firewalls-outgoing; Wed, 2 Apr 1997 03:50:14 -0800 (PST) Received: from linuxdtc. ([194.148.23.67]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id DAA27297 for ; Wed, 2 Apr 1997 03:49:59 -0800 (PST) Received: from Smaret.datelec.ch (smaret. [194.148.23.108]) by linuxdtc. (8.6.12/8.6.9) with SMTP id FAA19897 for ; Wed, 2 Apr 1997 05:00:17 +0100 Message-Id: <2.2.32.19970402134907.006c836c@mail.datelec.ch> X-Sender: smaret@mail.datelec.ch X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Wed, 02 Apr 1997 13:49:07 +0000 To: firewalls@GreatCircle.COM From: Sylvain Maret Subject: Re: Network penetration test tool? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 10:57 AM 3/27/97 -0800, you wrote: >Hi All, > Does anyone have a recommendation of any commercial software or >freeware > that will do network penetration or vulnerability test? > Thanks in advance! >---- >Kay.H.Weng@cpmx.saic.com >FAX: 619-458-2786 Voice: 619-535-7874 > >Science Application International Corp. >10260 Campus Point Dr., Loc. 245, MS A1 >San Diego, CA 92121 > > Have a look on http://www.iss.net This is great scan tools. 
+------------------------------------------------------------+ Sylvain MARET, Systems Engineer Datelec Networks SA Route du Bois-Genoud 1 CH-1023 Crissier / Lausanne Tel: +41 21 636.26.26 Switzerland Fax: +41 21 636.12.46 Visit our Web Site: http://www.datelec.com +-------------------------------------------------------------+ From owner-firewalls-outgoing Wed Apr 2 05:23:15 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA03221 for firewalls-outgoing; Wed, 2 Apr 1997 04:51:06 -0800 (PST) Received: from tymix.Tymnet.COM (tymix.tymnet.com [131.146.2.1]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id EAA03197 for ; Wed, 2 Apr 1997 04:50:55 -0800 (PST) Received: by tymix.Tymnet.COM (4.1/SMI-4.1) id AA21391; Wed, 2 Apr 97 04:51:35 PST Received: from titan by tymix.Tymnet.COM (in.smtpd); 2 Apr 0 4:51:34 PDT Received: by titan.tymnet.com (4.1/SMI-4.1) id AA14862; Wed, 2 Apr 97 04:51:32 PST From: dtosic@titan.Tymnet.COM (Dragan Tosic) Message-Id: <9704021251.AA14862@titan.tymnet.com> Subject: FTP site for "The Gobbler" To: firewalls@greatcircle.com Date: Wed, 2 Apr 1997 04:51:31 -0800 (PST) X-Mailer: ELM [version 2.4 PL24] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi there, does anybody on this list has a pointer to FTP site which contains program named "The Gobbler" ? This is an fairly old snifffer prog for DOS based PCs,but anyway...... 
TIA
D.B.Tosic Frankfurt/Germany

From owner-firewalls-outgoing Wed Apr 2 05:37:14 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA06056 for firewalls-outgoing; Wed, 2 Apr 1997 05:29:49 -0800 (PST)
Received: from scribe.cc.purdue.edu (scribe.cc.purdue.edu [128.210.11.6]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id FAA06049 for ; Wed, 2 Apr 1997 05:29:42 -0800 (PST)
Received: from ia01.freh.purdue.edu by scribe.cc.purdue.edu; Wed, 2 Apr 97 08:30:26 -0500
Comments: Authenticated sender is
From: "Michael S Hines"
Organization: Purdue University
To: Firewalls@greatcircle.com
Date: Wed, 2 Apr 1997 08:33:12 -0500
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: Network penetration test tool?
Reply-to: mshines@purdue.edu
X-mailer: Pegasus Mail for Win32 (v2.42)
Message-Id: <33425f7256f5002@scribe.cc.purdue.edu>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Speaking of penetration testing - what tools does SIAC offer?

I believe SATAN also does a pretty good job of scanning to assure
latest patches are installed. It has a hypertext user interface with
drill down for more details. It may be somewhat dated now, but it is
user extendable for particular additional tests you want performed.

You might check out the Computer Operations, Audit, and Security
Technology web site for more information and tools -
www.cs.purdue.edu/COAST.

-----------------------------------------------------------------
Internet: mshines@purdue.edu * Michael S. Hines, CDP, CFE
Voice: (765) 494-5845 * Sr.
Information Systems Auditor FAX: (765) 496-1814 * Purdue University * 1065 Freehafer Hall * West Lafayette, IN 47907-1065 From owner-firewalls-outgoing Wed Apr 2 06:17:59 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA07793 for firewalls-outgoing; Wed, 2 Apr 1997 05:49:38 -0800 (PST) Received: from mailhost.onramp.net (mailhost.onramp.net [199.1.11.3]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id FAA07763 for ; Wed, 2 Apr 1997 05:49:26 -0800 (PST) Received: from sage1 (sage1.doogie.com [206.50.2.2]) by mailhost.onramp.net (8.8.5/8.6.5) with ESMTP id HAA25572; Wed, 2 Apr 1997 07:50:06 -0600 (CST) Message-Id: <199704021350.HAA25572@mailhost.onramp.net> From: "Jerry Mckane" To: "Dragan Tosic" , Cc: Subject: Re: FTP site for "The Gobbler" Date: Wed, 2 Apr 1997 07:49:51 -0600 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1161 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk try here http://www.pris.bc.ca/tech/faqs/sniff.htm ---------- > From: Dragan Tosic > To: firewalls@GreatCircle.COM > Subject: FTP site for "The Gobbler" > Date: Wednesday, April 02, 1997 6:51 AM > > Hi there, > does anybody on this list has a pointer to > FTP site which contains program named "The Gobbler" ? > This is an fairly old snifffer prog for DOS based PCs,but anyway...... 
> TIA
> D.B.Tosic Frankfurt/Germany

From owner-firewalls-outgoing Wed Apr 2 06:37:14 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA10983 for firewalls-outgoing; Wed, 2 Apr 1997 06:26:53 -0800 (PST)
Received: from dns2.infocom.etecsa.cu ([169.158.64.1]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id GAA10957 for ; Wed, 2 Apr 1997 06:26:36 -0800 (PST)
Received: by dns2.infocom.etecsa.cu (Smail3.1.28.1 #3) id m0wCR0G-0002U6C; Wed, 2 Apr 97 09:27 EST
Received: from manati.in.etecsa.cu by dns2.infocom.etecsa.cu with SMTP id XXXXXXXX-Xa27992; Wed, 02 Apr 97 09:27 EST
Received: by manati.in.etecsa.cu (Smail3.1.28.1 #3) id m0wCR0F-00017iC; Wed, 2 Apr 97 09:27 EST
Message-Id:
Subject: DNS doble-reverse ...HELP
To: firewalls@greatcircle.com
Date: Wed, 2 Apr 1997 09:27:07 -0500 (EST)
From: Betsy Abreu
X-Mailer: ELM [version 2.4 PL13]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi

I have problems configuring double reverse lookups on a DNS server;
I heard about a wildcard on PTR records but cannot solve them. This
causes ftp connections to places that make a double reverse lookup
(like ftp.tis.com) to be refused.

I'm using SVR3 and BIND 4.9.2

Could anybody give me some information about this?
Thanks BETSY Betsy Abreu e-mail: betsy@mail.infocom.etecsa.cu From owner-firewalls-outgoing Wed Apr 2 07:00:38 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA11993 for firewalls-outgoing; Wed, 2 Apr 1997 06:44:44 -0800 (PST) Received: from palrel3.hp.com (palrel3.hp.com [15.253.88.10]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id GAA11986; Wed, 2 Apr 1997 06:44:40 -0800 (PST) From: CHRISTIAN_STAHL@HP-Denmark-om1.om.hp.com Received: from stamp.brussels.hp.com (stamp.brussels.hp.com [15.184.0.125]) by palrel3.hp.com with ESMTP (8.7.5/8.7.3) id GAA13632; Wed, 2 Apr 1997 06:45:21 -0800 (PST) Received: from by stamp.brussels.hp.com with SMTP (1.37.109.16/15.5+ECS 3.4 Openmail) id AA040092311; Wed, 2 Apr 1997 16:45:11 +0200 X-Openmail-Hops: 1 Date: Wed, 2 Apr 97 16:44:55 +0200 Message-Id: In-Reply-To: <199703041521.HAA29074@miles.greatcircle.com> Subject: Problems with VPN conf. on Raptor 4.0, NT 4.0 To: firewalls@GreatCircle.COM, firewalls-owner@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hey, I have a small configuration problem with setting up VPN between to Raptor Eagle version 4.0 firewalls. 1: Does anyone know how to see when the tunnel is up and running (Logfiles etc.) 2: Is it right that i can't see anything in the ESP type field under the secure tunnel menu? 
Best regards Christian Stahl From owner-firewalls-outgoing Wed Apr 2 07:52:21 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA19699 for firewalls-outgoing; Wed, 2 Apr 1997 07:45:31 -0800 (PST) Received: from deere-bh.dx.deere.com (deere-bh.dx.deere.com [207.122.201.66]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id HAA19670 for ; Wed, 2 Apr 1997 07:45:21 -0800 (PST) Received: (from uucp@localhost) by deere-bh.dx.deere.com (8.6.12/8.6.11) id JAA21321; Wed, 2 Apr 1997 09:41:06 -0600 Received: from 192.43.1.3 by deere-bh.dx.deere.com via smap (V3.1.1) id xma020147; Wed, 2 Apr 97 09:39:41 -0600 Received: from 90.deere.com by deere (SMI-8.6/SMI-SVR4) id JAA05122; Wed, 2 Apr 1997 09:43:51 -0600 Received: from catbert.uu.deere.com by 90.deere.com (SMI-8.6/SMI-SVR4) id JAA22014; Wed, 2 Apr 1997 09:43:51 -0600 Message-ID: <33427E63.6DD7@90.deere.com> Date: Wed, 02 Apr 1997 09:42:27 -0600 From: Bertrum Carroll Organization: Deere & Company X-Mailer: Mozilla 4.0b2 (Win95; I) MIME-Version: 1.0 To: Robin J Smith CC: Cato Antonsen , "'firewalls@GreatCircle.COM'" Subject: Re: Microsoft ULS/ILS through a firewall X-Priority: 3 (Normal) References: Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Is anyone really doing Netmeeting through their firewall. We are considering doing this but it looks unsafe. I'd like to know (other than Microsoft) who is doing this and if I can get any "lessons learned" from thier install. 
Bert Carroll bc17684@90.deere.com From owner-firewalls-outgoing Wed Apr 2 08:38:45 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA21935 for firewalls-outgoing; Wed, 2 Apr 1997 08:12:17 -0800 (PST) Received: from Bear.COM (wafw.bear.com [207.159.107.81]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id IAA21921 for ; Wed, 2 Apr 1997 08:12:05 -0800 (PST) Received: by Bear.COM (SMI-8.6/SMI-SVR4) id LAA06498; Wed, 2 Apr 1997 11:06:35 -0500 Received: from fastbear(147.107.87.14) by wafw via smap (V2.0beta) id xma003692; Wed, 2 Apr 97 10:57:34 -0500 Received: from whip_xfr by fastbear.bear.com (4.1/SMI-4.1/1.0 AMR 12/15/94) id AA12668; Wed, 2 Apr 97 11:06:13 EST Received: from wizard by whip_xfr (SMI-8.6/SMI-SVR4) id LAA04643; Wed, 2 Apr 1997 11:03:43 -0500 Received: from neptune by wizard (SMI-8.6/SMI-SVR4) id LAA07875; Wed, 2 Apr 1997 11:03:42 -0500 Message-Id: <3342835F.3839@bear.com> Date: Wed, 02 Apr 1997 11:03:43 -0500 From: Shahryar Jahangir Organization: Bear Stearns, Inc X-Mailer: Mozilla 3.0Gold (X11; I; SunOS 5.5.1 sun4u) Mime-Version: 1.0 To: Ziv Dascalu Cc: firewalls@GreatCircle.COM, mmozes@fujitsu.ca Subject: Re: RealAudio References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Through a proxy it's 1090. Go to the ralaudio page. You will see that once you have the software installed, it's all done transparently. check out the homepage dude ! sj Ziv Dascalu wrote: > > --- On Mon, 31 Mar 97 10:36:00 PST mmozes@fujitsu.ca wrote: > > > > >Does anyone know the port number for RealAudio? 
> > > >Thanks, > > -----------------End of Original Message----------------- > > realAudio is 7070 TCP > > /ZIv > /~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\ > | A B I R N E T Active Network Protection http://www.AbirNet.com | > \~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~/ -- ........................................... " Is there a God ? I don't know, the computer is down !" Shahryar Jahangir Information Services Bear Stearns & Co. Inc. 245 Park Avenue New York, NY 10167 email: sj@bear.com Tel: 212 272 7764 Fax : 212 499 6977 ........................................... -- ******************************************************************************* Bear Stearns is not responsible for any recommendation, solicitation, offer or agreement or any information about any transaction, customer account or account activity contained in this communication. ******************************************************************************* From owner-firewalls-outgoing Wed Apr 2 08:52:20 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA23264 for firewalls-outgoing; Wed, 2 Apr 1997 08:35:33 -0800 (PST) Received: from ns.trade-a-plane.com (ns.trade-a-plane.com [208.138.64.15]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id IAA23223 for ; Wed, 2 Apr 1997 08:35:20 -0800 (PST) Received: from ns.trade-a-plane.com ([208.138.64.5]) by ns.trade-a-plane.com (Netscape Mail Server v2.0) with ESMTP id AAA18081 for ; Wed, 2 Apr 1997 10:37:01 -0500 Message-ID: <33428AF0.13E7@trade-a-plane.com> Date: Wed, 02 Apr 1997 10:36:00 -0600 From: greg@trade-a-plane.com (Greg Walker) Reply-To: greg@trade-a-plane.com Organization: TAP Publishing Company X-Mailer: Mozilla 4.0b2 (Win95; I) MIME-Version: 1.0 To: firewalls@greatcircle.com Subject: NAT on Firewall-1 X-Priority: 3 (Normal) Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=us-ascii Sender: 
firewalls-owner@GreatCircle.COM
Precedence: bulk

We have a net configured like this

local net ----------FireWall-1---------Web Server----------Router-------Internet
illegal IP          version 2.1        DNS Server

Email works fine through the Firewall, but I cannot access the web
from an internal client (the same client has no problem accessing the
web when connected to the external net). I have tried address
translation in Firewall-1 along with route and arp commands. All this
does is make my email not work. The Firewall is running on Solaris, as
is the WEB and DNS servers.

My questions:

1. Should I be able to access the web with my internal client through
   the Firewall?
2. Can you put more than one route in WIN95 (gateway) - one for the
   internal side of the firewall, and one for the router to the net?
3. Will I have to set up routes on the router?
4. Will DNS work through the firewall?

Thanks in advance,

Greg Walker
greg@trade-a-plane.com

From owner-firewalls-outgoing Wed Apr 2 09:03:04 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA24704 for firewalls-outgoing; Wed, 2 Apr 1997 08:50:23 -0800 (PST)
Received: from jehova.owl.de (jehova.owl.de [194.121.202.132]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id IAA24695 for ; Wed, 2 Apr 1997 08:50:15 -0800 (PST)
Received: from fiction.pb.owl.de (root@fiction.pb.owl.de [193.174.12.5]) by jehova.owl.de (8.8.5/8.8.5) with SMTP id SAA04384 for ; Wed, 2 Apr 1997 18:50:57 +0200 (MET DST)
Received: from squirrel.owl.de by fiction.pb.owl.de with bsmtp id m0wCTKr-00003CC; Wed, 2 Apr 97 18:56 MET DST
Received: (qmail 5835 invoked by uid 300); 2 Apr 1997 14:52:28 -0000
Date: 2 Apr 1997 14:52:28 -0000
Message-ID: <19970402145228.5834.qmail@squirrel.owl.de>
From: Stuart Johnson
To: firewalls@greatcircle.com
Subject: Haystack info (Steve Smaha)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

About a month ago, I inquired about Haystack and Wheelgroup.
I received an email from someone at Haystack that did not want to
disclose their identity but revealed a lot of information about the
company. I believe this information to be true, but would like to find
out to the contrary.

From the inside information, apparently the founder and CEO of
Haystack, Steve Smaha has been removed because he was a control freak
and raving lunatic inside the company. Haystack is in decay because
the Stalker family was a complete misdesign and failure. Also the
source said that Steve Smaha was threatening to sue his own investors,
partners, and customers. This seems kind of extreme to me, but the
confirmation about Haystack suing Wheelgroup leaves this as a definite
possibility.

Some of the customers for Haystack have emailed me saying they have
not received an update for some of the Stalker family in over 3 years.
I wouldn't be surprised if Steve Smaha does not get sued himself if
this is true.

The investors, that removed Steve Smaha, brought in a new CEO. He is
currently moving the company to Boston due to the lack of engineering
talent in the former Austin HQ of Haystack. The new CEO is trying to
recruit engineers that can decipher the source code because it lacked
any structure and comments to understand it.

I would have probably ignored this email except I am interested in
monitoring tools and this seems like a legitimate insider giving me
details. I have tried to contact Steve Smaha but have not been able to
reach him. I am looking for someone who might know the company better
than me to confirm these facts.
Stuart

From owner-firewalls-outgoing Wed Apr 2 10:01:13 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA01650 for firewalls-outgoing; Wed, 2 Apr 1997 09:43:51 -0800 (PST) Received: from reflections.eng.mindspring.net (reflections.eng.mindspring.net [207.69.183.9]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id JAA01641 for ; Wed, 2 Apr 1997 09:43:45 -0800 (PST) Received: from localhost (lists@localhost) by reflections.eng.mindspring.net (8.8.5/8.8.5) with SMTP id MAA27508; Wed, 2 Apr 1997 12:44:27 -0500 Date: Wed, 2 Apr 1997 12:44:27 -0500 (EST) From: Todd Graham Lewis To: Mauricio Constain cc: firewalls@GreatCircle.COM Subject: Re: which proxy server is beter? In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Tue, 1 Apr 1997, Mauricio Constain wrote:

> I am setting up a firewall and I want to know what proxy software (for
> Solaris or linux) can I use to let about 50 pc's have access to internet.
>
> Actually I am using CERN HTTPD as proxy server but I am not satisfied with
> the performance because sometimes the transfer for FTP shutdowns.
>
> It's better to put the proxy server in a sparc station or in a pc with
> linux ?.
>
> I'm looking for the best commercial or public-domain software, any
> experience can help.

I can vouch personally for the stability and overall performance of The Squid (http://squid.nlanr.net) under Linux. We support several hundred users using such a configuration as part of our firewall setup, and it has never given us (non-operator-error-related) problems of any sort. Plus, of course, other than hardware everything in such a solution comes free and with full source.
__
Todd Graham Lewis MindSpring Enterprises tlewis@mindspring.com

From owner-firewalls-outgoing Wed Apr 2 10:19:40 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA02918 for firewalls-outgoing; Wed, 2 Apr 1997 09:52:26 -0800 (PST) Received: from gw.garrison.com ([205.241.58.147]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id JAA02888 for ; Wed, 2 Apr 1997 09:52:09 -0800 (PST) Received: from gw.garrison.com (root@localhost) by gw.garrison.com (8.7.5/8.7.3) with ESMTP id LAA07692; Wed, 2 Apr 1997 11:52:39 -0600 (CST) Received: from garrison.com (garrison.com [10.0.0.2]) by gw.garrison.com (8.7.5/8.7.3) with SMTP id LAA07688; Wed, 2 Apr 1997 11:52:38 -0600 (CST) Received: by garrison.com (4.1/SMI-4.1) id AA01730; Wed, 2 Apr 97 11:52:13 CST Date: Wed, 2 Apr 97 11:52:13 CST From: jeromie@garrison.com (Jeromie Jackson) Message-Id: <9704021752.AA01730@garrison.com> To: firewalls@GreatCircle.COM, CHRIS.NICHOLS@EY.COM Subject: Re: sudo Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> Who makes a commercial version of sudo?
>
> Chris
> chris.nichols@ey.com
>

I do believe "Freedman & Associates" as well as Guardian from Datalyxn offer sudo type options, as well as a load of other things..
Jeromie Jackson
Garrison Technologies
jeromie@garrison.com

From owner-firewalls-outgoing Wed Apr 2 10:41:57 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA02006 for firewalls-outgoing; Wed, 2 Apr 1997 09:45:44 -0800 (PST) Received: from cerberus2.fon.sprintcorp.com (cerberus2.fon.sprintcorp.com [204.215.0.61]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id JAA01965 for ; Wed, 2 Apr 1997 09:45:31 -0800 (PST) From: BLeBlanc@igate.sprint.com Received: by cerberus2.fon.sprintcorp.com; id LAA21075; Wed, 2 Apr 1997 11:46:14 -0600 (CST) Received: from fonkc28.fon.sprintcorp.com(144.223.19.54) by cerberus2.fon.sprintcorp.com via smap (3.2) id xma021054; Wed, 2 Apr 97 11:45:51 -0600 Received: FROM FONIMAIL.fonkc28.fon.sprintcorp.com BY fonkc28.fon.sprintcorp.com ; 2 APR 97 11:45:50 CST Date: 2 APR 97 11:43:32 CST Subject: FW: Problems with VPN conf. on Raptor 4.0, NT 4.0 To: firewalls@greatcircle.com Message-ID: <0007zvrhljfj.H000012201d9df73@igate.sprint.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Christian,

Raptor has a new whitepaper on the 4.0 firewall on their web page, including graphics of the configuration pages. Take a look at:

http://www.raptor.com/whitepaper/5.html (VPN chapter)
or
http://www.raptor.com/whitepaper/title.html (Table of Contents for the new whitepaper)

Hope this helps,
Bob

----------
From: firewalls-owner
Sent: Wednesday, April 02, 1997 10:46 AM
To: LeBlanc, Bob J.; ;
Subject: Problems with VPN conf. on Raptor 4.0, NT 4.0

Hey,

I have a small configuration problem with setting up VPN between two Raptor Eagle version 4.0 firewalls.

1: Does anyone know how to see when the tunnel is up and running (Logfiles etc.)
2: Is it right that I can't see anything in the ESP type field under the secure tunnel menu?
Best regards
Christian Stahl

From owner-firewalls-outgoing Wed Apr 2 10:49:22 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA05195 for firewalls-outgoing; Wed, 2 Apr 1997 10:09:54 -0800 (PST) Received: from gw.intuit.com (fw.intuit.com [199.2.32.4]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id KAA05185 for ; Wed, 2 Apr 1997 10:09:48 -0800 (PST) Received: by gw.intuit.com (4.1/SMI-4.1) id AA25919; Wed, 2 Apr 97 10:08:09 PST Received: from cliff.intuit.com(199.2.34.38) by gw.intuit.com via smap (V1.3) id sma025703; Wed Apr 2 10:07:28 1997 Received: from ra.intuit.com.intuit.com by cliff.intuit.com (4.1/SMI-4.1d) id AA26127; Wed, 2 Apr 97 10:07:08 PST From: corby@intuit.com (Corby Anderson) Message-Id: <9704021807.AA26127@cliff.intuit.com> Subject: Re: DNS doble-reverse ...HELP To: firewalls@greatcircle.com Date: Wed, 2 Apr 1997 10:08:48 -0800 (PST) X-Mailer: ELM [version 2.4 PL22] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I can't make any sense of your question. A forward lookup to ftp.tis.com gives a CNAME record for portal.ex.tis.com which in turn gives an A record of 192.94.214.101. A reverse lookup on 192.94.214.101 immediately gives a PTR record of portal.ex.tis.com. There's nothing double about it.

The only good use I've heard of for wildcards is in MX records. And it's not really a good use at that.

So what EXACTLY is your problem? Can you please describe something that you're trying to do but can't? Can you provide as many examples as you think are warranted? For example, it would be nice if you provided information like, "when I try to telnet to that host, it drops me immediately, but when I ftp to it, it waits one minute and then lets me in. I can't ping to that name, but I *can* ping to that address."
> Betsy Abreu says:
>
> Hi
> I've problems configuring double reverse lookups on a DNS server; I
> heard about a wildcard on PTR records but cannot solve them, this causes
> ftp connections to places that make double reverse lookup (like
> ftp.tis.com) to be refused.
>
> I'm using SVR3 and BIND 4.9.2
>
> Could anybody give me some information about this ?
>
> Thanks
>
> BETSY

From owner-firewalls-outgoing Wed Apr 2 12:06:44 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA13947 for firewalls-outgoing; Wed, 2 Apr 1997 11:19:59 -0800 (PST) Received: from mx01.netaddress.usa.net (mx01.netaddress.usa.net [204.68.24.129]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id LAA13938 for ; Wed, 2 Apr 1997 11:19:55 -0800 (PST) Received: (qmail 14074 invoked by uid 0); 2 Apr 1997 19:20:38 -0000 Received: from 196.3.144.86 by www01 via web-mailer (2.1) on Wed, 02 Apr 1997 12:20:11 Message-ID: Date: Wed, 02 Apr 1997 12:20:11 From: "Ashram Beachoo" To: firewalls@GreatCircle.COM Subject: New Email Address Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

My new email address is swamie@usa.net

Please change your records so that I can start receiving my mail at this address.
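
Added example, not part of any message in this archive: the double-reverse check that the "DNS doble-reverse" thread above is about, modelled in Python over a constructed record table. The ftp.tis.com, portal.ex.tis.com and 192.94.214.101 records are the ones quoted in the thread; every other name and address, the simplified wildcard handling and the function names are assumptions made for the illustration.

```python
"""Double-reverse (forward-confirmed reverse) DNS check over a constructed zone."""
import ipaddress

# Constructed record table standing in for a resolver. The three tis.com
# records are the ones quoted in the thread; the rest is sample data in
# documentation address space.
RECORDS = {
    ("ftp.tis.com", "CNAME"): ["portal.ex.tis.com"],
    ("portal.ex.tis.com", "A"): ["192.94.214.101"],
    ("101.214.94.192.in-addr.arpa", "PTR"): ["portal.ex.tis.com"],
    # Client with matching PTR and A records.
    ("10.2.0.192.in-addr.arpa", "PTR"): ["client1.example.com"],
    ("client1.example.com", "A"): ["192.0.2.10"],
    # Client whose PTR names a host that resolves to a different address.
    ("20.2.0.192.in-addr.arpa", "PTR"): ["client2.example.com"],
    ("client2.example.com", "A"): ["192.0.2.99"],
    # Wildcard PTR for a whole /24, all answering with one generic name.
    ("*.100.51.198.in-addr.arpa", "PTR"): ["dialup.example.net"],
    ("dialup.example.net", "A"): ["198.51.100.1"],
}


def lookup(name, rtype):
    """Return the record data for (name, rtype), with simplified wildcard matching."""
    name = name.lower().rstrip(".")
    exact = RECORDS.get((name, rtype))
    if exact is not None:
        return list(exact)
    labels = name.split(".")
    for i in range(1, len(labels)):
        wild = RECORDS.get(("*." + ".".join(labels[i:]), rtype))
        if wild is not None:
            return list(wild)
    return []


def resolve_a(name, max_hops=8):
    """Forward lookup: follow CNAMEs (bounded) and return the A records."""
    for _ in range(max_hops):
        cname = lookup(name, "CNAME")
        if not cname:
            return lookup(name, "A")
        name = cname[0]
    return []


def double_reverse(client_ip):
    """PTR lookup on the address, then A lookup on each returned name.

    Passes only if one of the names maps back to the same address.
    Returns (passed, detail).
    """
    ip = str(ipaddress.ip_address(client_ip))
    names = lookup(ipaddress.ip_address(ip).reverse_pointer, "PTR")
    if not names:
        return False, "no PTR record"
    for host in names:
        if ip in resolve_a(host):
            return True, host
    return False, "PTR %s does not map back to %s" % (names[0], ip)


if __name__ == "__main__":
    for addr in ("192.94.214.101", "192.0.2.10", "192.0.2.20",
                 "198.51.100.1", "198.51.100.57", "203.0.113.5"):
        print(addr, double_reverse(addr))
```

In this model the wildcard PTR gives every address in the /24 a name, but only the one address that the name's A record points back to passes the check.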
From owner-firewalls-outgoing Wed Apr 2 12:19:51 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA13742 for firewalls-outgoing; Wed, 2 Apr 1997 11:18:15 -0800 (PST) Received: from castles.com (sparc1.castles.com [199.4.103.2]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id LAA13721 for ; Wed, 2 Apr 1997 11:18:06 -0800 (PST) Received: from jmcbrea.brwncald.com ([205.185.80.10]) by castles.com (5.x/SMI-SVR4/CASTLES) id AA19402; Wed, 2 Apr 1997 11:13:12 -0800 Message-Id: <2.2.32.19970402192126.00730e60@sparc1.castles.com> X-Sender: jmcbrea@sparc1.castles.com X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Wed, 02 Apr 1997 11:21:26 -0800 To: Firewalls@GreatCircle.COM From: John McBrearty Subject: Re: PC based network analyzer Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

At 03:34 PM 4/1/97 -0600, Wei Sun purportedly wrote:
>Hi,
>
>Does anyone know if there is a kind of PC based network packet analyzer?
>

I've found useful a commercial product from the AG Group called Etherpeek (approx. $700 US), which was originally developed for Macs and steadily improved on that platform. It now also runs on Win 95 (which I use) and reportedly NT. It includes translation filters for many types of packets, and its GUI is very intuitive in terms of filtering, device names, etc. (As I suppose you might expect coming from the Mac world.)

The url is http://www.aggroup.com. My relation to the company is just that of a customer.

------------------
John McBrearty jmcbrearty@usa.net
Computer and Network Consulting
Pleasant Hill, CA 510-974-9171
------------------
"Work is the curse of the drinking classes."
- Oscar Wilde

From owner-firewalls-outgoing Wed Apr 2 13:09:02 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA25642 for firewalls-outgoing; Wed, 2 Apr 1997 12:54:02 -0800 (PST) Received: from igate.nrc.gov (igate.nrc.gov [148.184.176.31]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id MAA25631 for ; Wed, 2 Apr 1997 12:53:54 -0800 (PST) Received: from nrc.gov by smtp-gateway SMTP id PAA14132 for ; Wed, 2 Apr 1997 15:54:27 -0500 (EST) Received: from GATED-Message_Server by nrcsmtp.nrc.gov with Novell_GroupWise; Wed, 02 Apr 1997 15:55:49 -0500 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Wed, 02 Apr 1997 15:52:03 -0500 From: Victor Pham To: firewalls@GreatCircle.COM Subject: Firewall Architecture for Web, Database -Reply Mime-Version: 1.0 Content-Type: text/plain Content-Disposition: inline Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I see 2 problems:

1. From the picture, the Web server is INSIDE the firewall.
2. Putting a Database server on a separate segment is only a start.

Questions to ask are:

A. How does the public access the Database server? (telnet, http, etc.)
B. How does your client plan to populate & manage the Database server?
C. How concerned does your client feel about network security?

Answers to the above questions will make a difference in HOW you deploy the Database server.

Victor Pham

>>> John Kerr 04/01/97 09:44am >>>
A customer of ours has asked about setting up a security architecture with the Firewall being the main focus. They would like to allow access into their Database inside of the Firewall opposed to having a Database Server that would sit outside the Firewall. They seem to be okay with having a Web server sitting outside the Firewall, so I don't see that as a problem. The problem that they are trying to avoid is having to copy or replicate the data to the Database Server (too time consuming).
What are the dangers with adding a third interface to the Firewall and putting the Database on a separate DMZ. It would look like this:

 Internet
    |
    |         ----------    ---------
    |         -Database-    -  Web  -
    |         ----------    ---------
---------         |             |
-  FW   ------------------------------
---------
    |
    |
    |
 Internal
 Network

Rules would be put on the firewall to only allow external access from the internet to the DMZ. We would not allow any access from the DMZ into the internal Network.

Any suggestions would be appreciated.

Thanks
John

From owner-firewalls-outgoing Wed Apr 2 14:36:22 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA01204 for firewalls-outgoing; Wed, 2 Apr 1997 13:44:12 -0800 (PST) Received: from inet03.citec.qld.gov.au (inet03.citec.qld.gov.au [203.5.10.130]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id NAA01196 for ; Wed, 2 Apr 1997 13:44:02 -0800 (PST) Received: by inet03.citec.qld.gov.au; id HAA00560; Thu, 3 Apr 1997 07:44:43 +1000 Received: from guru.citec.qld.gov.au(147.132.20.47) by inet03.citec.qld.gov.au via smap (3.2) id xma000553; Thu, 3 Apr 97 07:44:22 +1000 Received: (from sgcccdc@localhost) by guru.citec.qld.gov.au (8.6.12/8.6.12) id HAA12028 for firewalls@greatcircle.com; Thu, 3 Apr 1997 07:45:58 +1000 From: Colin Campbell Message-Id: <199704022145.HAA12028@guru.citec.qld.gov.au> Subject: web servers, databases and firewalls - a solution? To: firewalls@greatcircle.com Date: Thu, 3 Apr 1997 07:45:57 +1000 (EST) X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi,

The growing number of questions and lack of solutions regarding firewalls between web servers and databases got me thinking.

Why not put the CGI guts inside the firewall?
On the web server the CGI just calls a stub which makes a network call through the firewall (using something like a plug-gw) to a well-mashed "httpd" on the inside that knows only how to fork a CGI program and pass it the args it receives on stdin. Or all the CGI programs on the web server are replaced with one that just passes everything to the bastion host.

What we have is therefore:

+------------+
|   httpd    |
+------------+
|CGI frontend|   External Web Server
+------------+
      |
      |
+------------+
|  plug-gw   |   Bastion Host
+------------+
      |
      |
+------------+
|pseudo-httpd|
+------------+
|  real CGI  |   Internal Host(s)
+------------+
      |
      |
+------------+
|  database  |
+------------+

This has a number of advantages:

1) independent of database at the firewall (no special proxies reqd)
2) always connects at known port on firewall
3) no external access to the database
4) it's simple
5) probably other things I can't think of right now

Disadvantages?

1) need to modify the external CGI scripts or replace them with a generic one that does GET/POST through the firewall
2) no one has written any of this yet
3) probably others

Comments?
Colin

From owner-firewalls-outgoing Wed Apr 2 14:42:14 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA04964 for firewalls-outgoing; Wed, 2 Apr 1997 14:21:41 -0800 (PST) Received: from mailgate.Cadence.COM (mailgate.Cadence.COM [158.140.2.1]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id OAA04956 for ; Wed, 2 Apr 1997 14:21:36 -0800 (PST) Received: (from smap@localhost) by mailgate.Cadence.COM (8.6.8/8.6.8) id OAA01765 for ; Wed, 2 Apr 1997 14:22:25 -0800 Received: from jewels.cadence.com(158.140.32.165) by mailgate.cadence.com via smap (V1.0mjr) id sma860019744.001761; Wed Apr 2 14:22:24 1997 Received: (from julian@localhost) by jewels.Cadence.COM (8.6.8/8.6.8) id OAA24631 for firewalls@GreatCircle.COM; Wed, 2 Apr 1997 14:22:23 -0800 Date: Wed, 2 Apr 1997 14:22:23 -0800 From: Julian Gordon Message-Id: <199704022222.OAA24631@jewels.Cadence.COM> To: firewalls@GreatCircle.COM Subject: libraries Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Content-MD5: L2Nl9HFSI+4Cqsj6oH5p4w== Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I am looking for solaris versions of the fwtk.a and auth.a libraries. Anyone have a spare copy floating around?

Thanks,
Julian

***************************************************************
Julian Gordon
Unix System Administration

Present Contract:              Permanent Address:
Cadence Design Systems, Inc.   ToLife Net
(408) 428-5762                 (408) 838-7036
julian@Cadence.COM             jewels@well.com

"Miracles are seen in Light" Course in Miracles

From owner-firewalls-outgoing Wed Apr 2 14:59:04 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA06794 for firewalls-outgoing; Wed, 2 Apr 1997 14:39:12 -0800 (PST) Received: from sss00205.schwab.com (sss00205.schwab.com [162.93.15.188]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id OAA06734 for ; Wed, 2 Apr 1997 14:38:59 -0800 (PST) Received: (from uucp@localhost) by sss00205.schwab.com (8.7.6/8.7.3) id OAA02933 for ; Wed, 2 Apr 1997 14:41:03 -0800 (PST) Received: from s0743dev(162.93.239.70) by sss00205.schwab.com via smap (V3.1.1) id xma002864; Wed, 2 Apr 97 14:40:27 -0800 Received: (from root@localhost) by s0743dev.schwab.com (8.8.2/8.7.3) id RAA06558 for firewalls@greatcircle.com; Wed, 2 Apr 1997 17:45:10 -0500 (EST) Received: from n1100smx.nt.schwab.com by s0743dev.schwab.com (8.8.2/SMI-SVR4) id RAA06534; Wed, 2 Apr 1997 17:45:08 -0500 (EST) Received: by n1100smx.nt.schwab.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BC3F73.C983AC90@n1100smx.nt.schwab.com>; Wed, 2 Apr 1997 14:40:19 -0800 Message-ID: From: "Ricardo, Ray" To: "'firewalls@greatcircle.com'" Cc: "Ricardo, Ray" Subject: Port 781 Date: Wed, 2 Apr 1997 14:40:18 -0800 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I've been seeing alert messages coming from my Internet router with a source port of 781. I'm not certain if it is UDP, TCP or ICMP messages. Does anyone know what this port is being used for?

Thanks.
From owner-firewalls-outgoing Wed Apr 2 15:42:38 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id PAA13484 for firewalls-outgoing; Wed, 2 Apr 1997 15:35:08 -0800 (PST) Received: from noc.belwue.de (noc.BelWue.DE [129.143.2.1]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id PAA13421 for ; Wed, 2 Apr 1997 15:34:53 -0800 (PST) Received: from ruscdrom.rus.uni-stuttgart.de (ruscdrom.rus.uni-stuttgart.de [129.69.235.40]) by noc.belwue.de (8.8.5/8.8.5) with SMTP id BAA07585; Thu, 3 Apr 1997 01:35:39 +0200 (MET DST) Received: by ruscdrom.rus.uni-stuttgart.de (AIX 3.2/UCB 5.64/4.03) id AA12193; Thu, 3 Apr 1997 01:35:21 +0200 Message-Id: <9704022335.AA12193@ruscdrom.rus.uni-stuttgart.de> Subject: Re: Port 781 To: Ray.Ricardo@Schwab.COM (Ricardo, Ray) Date: Thu, 3 Apr 1997 01:35:21 +0200 (MES) Cc: firewalls@GreatCircle.COM, Ray.Ricardo@Schwab.COM In-Reply-To: from "Ricardo, Ray" at Apr 2, 97 02:40:18 pm From: Helmut Springer Organization: Stuttgart University, FRG X-Pgp-Fingerprint: AE 42 C3 2C A1 3E 55 6D B3 AC 3C D2 F3 CF FF E7 X-Phone: +49 711 685-2003q X-Fax: +49 711 685-2043 X-Mailer: ELM [version 2.4 PL25 PGP6] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Ricardo, Ray wrote:
> I've been seeing alert messages coming from my Internet router with a
> source port of 781. I'm not certain if it is UDP, TCP or ICMP messages.
> Does anyone know what this port is being used for?

hp-collector    781/tcp    # HP Perf. Data Collector
hp-collector    781/udp    # HP Perf. Data Collector

enjoy
delta

--
helmut 'delta' springer         Unix/Net Consulting, InfoSystems, StudBox
delta@RUS.Uni-Stuttgart.DE      Stuttgart University, FRG
http://home.pages.de/~delta/
phone : +49 711 685-2003        "Freedom's just another word for
FAX   : +49 711 685-2043         nothing left to lose" Kris Kristofferson

From owner-firewalls-outgoing Wed Apr 2 16:19:23 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id QAA17842 for firewalls-outgoing; Wed, 2 Apr 1997 16:02:02 -0800 (PST) Received: from chaos.coredcs.com (chaos.coredcs.com [198.150.193.1]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id QAA17834 for ; Wed, 2 Apr 1997 16:01:57 -0800 (PST) Received: (from jleu@localhost) by chaos.coredcs.com (8.8.5/8.6.12) id SAA17293 for firewalls@greatcircle.com; Wed, 2 Apr 1997 18:03:05 -0600 From: "James R. Leu" Message-Id: <199704030003.SAA17293@chaos.coredcs.com> Subject: port forwarding and masq To: firewalls@greatcircle.com Date: Wed, 2 Apr 1997 18:03:04 -0600 (CST) X-Mailer: ELM [version 2.4 PL25] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I was wondering if anyone would know if this following setup can be created with ipfwadm on Linux:

A = Firewall
B = Destination host within the firewall
C = Source host outside of the firewall

   Valid Net      Hidden Net
   addresses      addresses
|C|--------|A|------------|B|

Incoming:
---------
Host C sends a packet dest for Host A port 23.
Host A translates the incoming request and forwards the packet to Host B port 23.

Outgoing:
---------
Host B sends a packet to Host C.
Host A would masquerade for Host B.

Jim
--
James R. Leu
Network Administrator
CORE Digital Communication Services
jleu@coredcs.com

From owner-firewalls-outgoing Wed Apr 2 16:21:56 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id QAA19311 for firewalls-outgoing; Wed, 2 Apr 1997 16:12:36 -0800 (PST) Received: from reflections.eng.mindspring.net (reflections.eng.mindspring.net [207.69.183.9]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id QAA19228 for ; Wed, 2 Apr 1997 16:12:21 -0800 (PST) Received: from localhost (lists@localhost) by reflections.eng.mindspring.net (8.8.5/8.8.5) with SMTP id TAA30581; Wed, 2 Apr 1997 19:12:33 -0500 Date: Wed, 2 Apr 1997 19:12:32 -0500 (EST) From: Todd Graham Lewis To: Colin Campbell cc: firewalls@GreatCircle.COM Subject: Re: web servers, databases and firewalls - a solution? In-Reply-To: <199704022145.HAA12028@guru.citec.qld.gov.au> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Thu, 3 Apr 1997, Colin Campbell wrote:

> The growing number of questions and lack of solutions regarding
> firewalls between web servers and databases got me thinking.
>
> Why not put the CGI guts inside the firewall?

(...)

> This has a number of advantages:
>
> 1) independent of database at the firewall (no special proxies reqd)

True enough.

> 2) always connects at known port on firewall

Why is this important? Wouldn't simply allowing web access through the firewall do the same thing?

> 3) no external access to the database

Hmm. tcp-wrapping access would do much the same thing, but this is a benefit.

> 4) it's simple

I don't always buy the "simpler ergo better" argument.

> Disadvantages?
>
> 1) need to modify the external CGI scripts or replace them with a
> generic one that does GET/POST through the firewall

4) CGIs are the single greatest security hole in modern IP servers.
I, for one, would lean towards giving your web server limited access to the database (most of which have pretty decent ACL capabilities, even if their overall security, esp. in the network context, sucks rocks), so you can give your CGI machine limited access into the database. If your CGI machine is compromised, then it has limited rights on the database. If it's behind the firewall, then if it's compromised then your hacker has access to your protected network. Snoop a few passwords as people log into the database (in cleartext, of course, groan) and bam, he has the keys to the kingdom.

If you leave CGI outside, then the most significant security failure point has limited access to your goodies; ergo your exposure is limited.

If you put CGI inside, then it serves as a conduit past your security controls; ergo your exposure is potentially unlimited.

Sure, it's more complex to get database access through your firewall, but it's more secure. (Viz. my comment above about distrusting the "simpler is better" axiom.) I would recommend the former course of action.
__
Todd Graham Lewis MindSpring Enterprises tlewis@mindspring.com

From owner-firewalls-outgoing Wed Apr 2 17:06:58 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA27139 for firewalls-outgoing; Wed, 2 Apr 1997 17:00:25 -0800 (PST) Received: from f15.hotmail.com (F15.hotmail.com [207.82.250.26]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id QAA26939 for ; Wed, 2 Apr 1997 16:59:55 -0800 (PST) Received: (from root@localhost) by f15.hotmail.com (8.7.5/8.7.3) id RAA27166; Wed, 2 Apr 1997 17:01:17 -0800 (PST) Date: Wed, 2 Apr 1997 17:01:17 -0800 (PST) Message-Id: <199704030101.RAA27166@f15.hotmail.com> Received: from 203.120.56.34 by www.hotmail.com with HTTP; Wed, 02 Apr 1997 17:01:16 PST X-Originating-IP: [203.120.56.34] From: " Martin Khoo" To: pdmallya@Inf.COM, firewalls@greatcircle.com Cc: jkerr2@csc.com Subject: Re: Firewall Architecture for Web, Database Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>Date: Wed, 02 Apr 1997 10:22:20 +0530
>From: "Prabhakar D. Mallya"
>To: firewalls@greatcircle.com
>Cc: John Kerr
>Subject: Re: Firewall Architecture for Web, Database
>John Kerr wrote:
>>
>> A customer of ours has asked about setting up a security architecture
>> with the Firewall being the main focus. They would like to allow access
>> into their Database inside of the Firewall opposed to having a Database
>> Server that would sit outside the Firewall. They seem to be okay with
>> having a Web server sitting outside the Firewall, so I don't see that as
>> a problem. The problem that they are trying to avoid is having to copy
>> or replicate the data to the Database Server (too time consuming). What
>> are the dangers with adding a third interface to the Firewall and
>> putting the Database on a separate DMZ.
>> It would look like this:
>>
>>  Internet
>>     |
>>     |         ----------    ---------
>>     |         -Database-    -  Web  -
>>     |         ----------    ---------
>> ---------         |             |
>> -  FW   ------------------------------
>> ---------
>>     |
>>     |
>>     |
>>  Internal
>>  Network
>>
>> Rules would be put on the firewall to only allow external access from
>> the internet to the DMZ. We would not allow any access from the DMZ
>> into the internal Network.
>> Any suggestions would be appreciated.
>> Thanks
>> John
>
>Hi,
>
>I'm faced with similar requirements, and I'm evaluating alternatives. My
>analysis, so far, of this situation:
>
>1. The database server and the Web server are open to attack, wherever
>you place them, because you want to allow external users to access them.
>
>2. The rationale for placing these servers in the DMZ is that even if
>they are compromised, the rest of your network is still protected by the
>firewall; the damage is contained to these servers.
>

To ensure that, your rules on the firewall must not permit any access from the DMZ to the internal network.

>3. You can use the firewall to protect your Web & Database servers by
>configuring it to reject all traffic between the Internet and the DMZ,
>except HTTP browser traffic with the Web Server. The DataBase Server
>should be accessible from the Web Server and from the Internal network.
>Perhaps you could increase protection to the database server by placing
>it on a fourth network segment connected to the firewall.
>
>                     Internet
>                         |
>   ----------            |            ---------
>   -Database-            |            -  Web  -
>   ----------            |            ---------
>        |            ---------            |
>        ----------------- FW ------------------------
>                     ---------
>                         |
>                         |
>                         |
>                     Internal
>                     Network
>
>4. You still have to protect your Web server - e.g., against malicious
>CGI scripts. I think TIS (http://www.tis.com) have a product for Web
>server protection.
>

The product is called ForceField, it is actually a modified version of the TIS Firewall Toolkit (FWTK) and is available for evaluation.

>5. You still have to protect your database server - e.g., you need to
>ensure that users, especially from the Web server, who access the
>database server cannot access data they are not authorized to access.
>

I would assume that direct access to the DB server is not permitted; all forms of access should be via the Web server. You can rely on the access control provided by the RDBMS but it can get sticky depending on the type of access required. If the Web server is only going to query the DB server then things would be cleaner; if write access is needed then you have to be careful.

Perhaps you may consider only putting a subset of your entire DB to be accessible by the Web and not the entire DB.

If direct access to the DB via the Net (eg. Telnet or FTP) is required then you have to consider strong authentication mechanism eg. token-based or OTP-based.

Regards
Martin Khoo
Senior IT Architect (Security & Cryptography)
Information Infrastructure Group
National Computer Board
martin@nii.ncb.gov.sg

** Comments above are my personal opinion and do not reflect the opinion of my organisation **

>I would be interested in further views/analysis/security holes/solutions
>on this topic.
>
>Regards
>--
>Prabhakar D. Mallya
>Infosys Technologies, Bangalore, India
>http://www.inf.com/
>e-mail: pdmallya@inf.com
>phone: 91-80-8520261 xtn 1156
>fax: 91-80-8520348
>

---------------------------------------------------------
Get Your *Web-Based* Free Email at http://www.hotmail.com
---------------------------------------------------------

From owner-firewalls-outgoing Wed Apr 2 19:21:45 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id TAA06566 for firewalls-outgoing; Wed, 2 Apr 1997 19:14:40 -0800 (PST) Received: from relay.rv.tis.com (relay.rv.tis.com [204.254.155.2]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id TAA06559 for ; Wed, 2 Apr 1997 19:14:36 -0800 (PST) Received: by relay.rv.tis.com; id WAA25085; Wed, 2 Apr 1997 22:27:59 -0500 (EST) Received: from jethou.rv.tis.com(204.254.155.12) by relay.rv.tis.com via smap (3.2) id xmab25077; Wed, 2 Apr 97 22:27:37 -0500 Message-Id: <3.0.1.32.19970402210710.006d75d0@pop.rv.tis.com> X-Sender: rick@pop.rv.tis.com X-Mailer: Windows Eudora Pro Version 3.0.1 (32) Date: Wed, 02 Apr 1997 21:07:10 -0500 To: Julian Gordon From: Rick Murphy Subject: Re: libraries Cc: firewalls@GreatCircle.COM In-Reply-To: <199704022222.OAA24631@jewels.Cadence.COM> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

At 02:22 PM 4/2/97 -0800, Julian Gordon wrote:
>I am looking for solaris versions of the fwtk.a and auth.a
>libraries. Anyone have a spare copy floating around?

Use the source; any copy you get from the net should be presumed to be a carrier of a trojan horse.
-Rick

From owner-firewalls-outgoing Wed Apr 2 19:38:11 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id TAA07801 for firewalls-outgoing; Wed, 2 Apr 1997 19:35:08 -0800 (PST) Received: from dax.sai.com (dax.sai.com [207.95.117.66]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id TAA07784 for ; Wed, 2 Apr 1997 19:35:03 -0800 (PST) Received: from dax.sai.com by dax.sai.com with smtp (Smail3.1.29.1 #2) id m0wCdI5-003q5JC; Wed, 2 Apr 97 22:34 EST Date: Wed, 2 Apr 1997 22:34:21 -0500 (EST) From: Darryl Wagoner To: Todd Graham Lewis cc: Colin Campbell , firewalls@GreatCircle.COM Subject: Re: web servers, databases and firewalls - a solution? In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Check out FastCGI (http://www.fastcgi.com); it can have the fcgi client outside the firewall and the fcgi server on the inside. The server is fed from the client fcgi only the standard cgi stuff and only accepts connections from the web server.

I think it is the best of both worlds. It is also wicked fast!

Anyone know of any risk using this method?

--
Darryl Wagoner
darryl@sai.com http://www.sai.com/
Office: 603.672.0736 Fax: 603-672-4846
Beware of self-styled experts: an ex is a has-been, and a spurt is a drip under pressure.
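
Added example, not part of any message in this archive and not code from plug-gw, FastCGI or any product named in the thread: a Python sketch of the inside listener from the "web servers, databases and firewalls" thread, which accepts requests only from the web server's address and maps the request name through a fixed table before passing the body to the program on stdin. The wire format, the addresses, the table entry and the function names are assumptions made for the illustration.

```python
"""Inside listener for a CGI relay: fixed peer, fixed program table, body on stdin."""
import os
import subprocess
import sys

# Assumptions for the illustration (constructed values).
WEB_SERVER_ADDRS = {"192.0.2.80"}      # only the external web server may connect
MAX_BODY = 8192                        # upper bound on request body size

# Request name -> fixed argv. The name is only ever a dictionary key; it is
# never used as a path or passed to a shell. The program is a stand-in.
CGI_TABLE = {
    "lookup": [sys.executable, "-c",
               "import sys; print('rows for ' + sys.stdin.read().strip())"],
}


class Rejected(Exception):
    """Request refused, or the mapped program reported failure."""


def parse_request(raw):
    """Parse b'<name> <length>\\n<body>' (wire format assumed for this example)."""
    header, sep, body = raw.partition(b"\n")
    if not sep:
        raise Rejected("no header line")
    parts = header.split(b" ")
    if len(parts) != 2:
        raise Rejected("malformed header")
    name, length = parts
    if not length.isdigit() or len(length) > 5:
        raise Rejected("bad length field")
    if int(length) > MAX_BODY or int(length) != len(body):
        raise Rejected("body length mismatch")
    try:
        return name.decode("ascii"), body
    except UnicodeDecodeError:
        raise Rejected("non-ASCII request name")


def handle(peer_ip, raw):
    """Validate peer and request, then run the mapped program with the body on stdin."""
    if peer_ip not in WEB_SERVER_ADDRS:
        raise Rejected("peer is not the web server")
    name, body = parse_request(raw)
    argv = CGI_TABLE.get(name)
    if argv is None:
        raise Rejected("unknown request name")
    # The child's environment is built here; nothing in it comes from the request.
    env = {k: os.environ[k] for k in ("PATH", "LD_LIBRARY_PATH", "SYSTEMROOT")
           if k in os.environ}
    proc = subprocess.run(argv, input=body, stdout=subprocess.PIPE,
                          stderr=subprocess.DEVNULL, env=env, timeout=5)
    if proc.returncode != 0:
        raise Rejected("program exited with status %d" % proc.returncode)
    return proc.stdout


def try_handle(peer_ip, raw):
    """Return ('ok', output) or ('rejected', reason) instead of raising."""
    try:
        return "ok", handle(peer_ip, raw)
    except Rejected as exc:
        return "rejected", str(exc)
    except subprocess.TimeoutExpired:
        return "rejected", "program timed out"


if __name__ == "__main__":
    # Constructed requests: one valid, one from the wrong peer, one naming a path.
    print(try_handle("192.0.2.80", b"lookup 7\nwidgets"))
    print(try_handle("203.0.113.9", b"lookup 7\nwidgets"))
    print(try_handle("192.0.2.80", b"../../bin/sh 0\n"))
```

The listener narrows what a compromised web server can ask for; the programs in the table still run on the inside, so the exposure Todd Graham Lewis describes applies to whatever those programs do with the body.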
From owner-firewalls-outgoing Wed Apr 2 19:47:04 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id TAA06278 for firewalls-outgoing; Wed, 2 Apr 1997 19:09:10 -0800 (PST) Received: from unix1.sysnet.net (unix1.sysnet.net [206.142.32.2]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id TAA06271 for ; Wed, 2 Apr 1997 19:09:04 -0800 (PST) Received: from [206.142.16.53] (cppp4.sysnet.net [206.142.16.53]) by unix1.sysnet.net (8.8.5/8.6.12) with SMTP id AAA22356 for ; Thu, 3 Apr 1997 00:05:17 -0500 (EST) Message-Id: <199704030505.AAA22356@unix1.sysnet.net> Subject: Re: web servers, databases and firewalls - a solution? Date: Wed, 2 Apr 97 22:10:27 -0400 x-sender: patton@mail.sysnet.net x-mailer: Claris Emailer 1.1 From: Matthew Patton To: Mime-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Ok, I'm going to add my bandwidth-chewing 2cents worth. I liked Colin Campbell's post and we do something similar with our installation. The product we use is NetDynamics from Spider Technologies which is a Java based application server environment for database access. Put simply the diagram is thus:

Outside
   |
   FW - Web Server (with application stub)
   |
Internal Net
   |
   |-- Farm of application servers
   |
   Oracle or other database servers

The only 'hole' between the DMZ and the internal net is a single port for the ND application stub to talk to the application server farm controller. This way we don't have to worry about the bouncing SQL*Net ports in a multi-threaded Oracle listener environment. It also keeps our application runtimes (java) on the inside.

The concerns include somebody possibly being able to compromise the web server and then send commands down the open pipe. I'm pretty confident in my NT box's setup but only if I could get the blasted localSystem account to behave... That's another reason for moving the application servers to the internal network.
They're mighty hard to get to. I do not know how ND would handle a stream of garbage. Neither do I know if one is able to craft a URL to somehow tamper with the backend servers as the URL gets passed thru the communication channel and acted upon.

I am not a very enthusiastic supporter of NetDynamics, the product is FULL of bugs and not very good in handling runaway processes. The memory footprint of the java apps is HUGE, too. I've gotten off topic enough....
From owner-firewalls-outgoing Wed Apr 2 23:39:15 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA19977 for firewalls-outgoing; Wed, 2 Apr 1997 23:21:51 -0800 (PST) Received: from passport.cadrus.fr (passport.cadrus.fr [194.51.236.33]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id XAA19968 for ; Wed, 2 Apr 1997 23:21:40 -0800 (PST) Received: by passport.cadrus.fr; Thu, 3 Apr 1997 09:22:10 +0200 (MET DST) Date: Thu, 3 Apr 1997 09:22:10 +0200 (MET DST) From: Eric SPESSOTTO Message-Id: <199704030722.JAA22321@passport.cadrus.fr> To: firewalls@greatcircle.com Subject: Patch for TIS X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I'm looking for a patch for TIS. This patch is for using ports 20 and 21 with ftpd, because by default ftpd uses port 20 and any one between 1024-65535. Who knows it?
Eric
From owner-firewalls-outgoing Wed Apr 2 23:55:40 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA20139 for firewalls-outgoing; Wed, 2 Apr 1997 23:27:09 -0800 (PST) Received: from mail.glink.net.hk (mail.glink.net.hk [202.72.0.38]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id XAA20132 for ; Wed, 2 Apr 1997 23:27:02 -0800 (PST) From: ronnieng@glink.net.hk Received: from earth.glink.net.hk (earth [202.72.0.46]) by mail.glink.net.hk (8.8.5/8.8.5) with ESMTP id PAA04590 for ; Thu, 3 Apr 1997 15:26:38 +0800 (HKT) Received: (from ronnieng@localhost) by earth.glink.net.hk (8.8.5/8.8.5) id PAA19777 for Firewalls@GreatCircle.COM; Thu, 3 Apr 1997 15:26:36 +0800 (HKT) Date: Thu, 3 Apr 1997 15:26:36 +0800 (HKT) Message-Id: <199704030726.PAA19777@earth.glink.net.hk> To: Firewalls@GreatCircle.COM Subject: Any UDP traffic between client/server of PB or Sybase Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi guys,

Does somebody know any UDP traffic between client/server of PowerBuilder and Sybase/Open Client applications? I wonder how I can allow UDP traffic with maximum security in the following config.

Sybase/Open Client                              PowerBuilder/Sybase
        or            ----> Firewall-1 ---->    Servers
PowerBuilder Appl client

Best regards,
Ronnie
From owner-firewalls-outgoing Thu Apr 3 00:08:42 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA20585 for firewalls-outgoing; Wed, 2 Apr 1997 23:43:14 -0800 (PST) Received: from relay-11.mail.demon.net (relay-11.mail.demon.net [194.217.242.137]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id XAA20564 for ; Wed, 2 Apr 1997 23:43:08 -0800 (PST) Received: from ntyne.demon.co.uk ([158.152.82.1]) by relay-11.mail.demon.net id aa1100846; 3 Apr 97 8:42 BST Date: Wed, 2 Apr 1997 14:39:14 GMT From: Greg Taylor Reply-To: gtaylor@ntyne.demon.co.uk Message-Id: <1574@ntyne.demon.co.uk> To: Firewalls@greatcircle.com Subject: Re: Firewall Architecture for Web, Database X-Mailer: FIMail V0.9d Lines: 75 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

My fourpenthworth (and my first mailing - no flames please!! :-) )

John Kerr wrote:
>
> A customer of ours has asked about setting up a security architecture
> with the Firewall being the main focus. They would like to allow access
> into their Database inside of the Firewall opposed to having a Database
> Server that would sit outside the Firewall. They seem to be okay with
> having a Web server sitting outside the Firewall, so I don't see that as
> a problem. The problem that they are trying to avoid is having to copy
> or replicate the data to the Database Server (too time consuming). What
> are the dangers with adding a third interface to the Firewall and
> putting the Database on a separate DMZ. It would look like this:
>
>      Internet
>          |
>          |        ----------      ---------
>          |        -Database-      -  Web  -
>          |        ----------      ---------
>      ---------        |               |
>      -  FW   ------------------------------
>      ---------
>          |
>          |
>          |
>      Internal
>      Network
>

I have been working on a similar problem trying to form an outer "enemy" zone, a secure inner zone but to add sufficient security to the devices in the DMZ (WWW server, DNS) to avoid denial of service attacks etc.

Initial idea was a multiple NIC firewall but this adds considerably to the complexity. Plan 2 is to have two firewalls as follows:

Internet ---> Firewall A ---> DMZ ------> Firewall B --> Internal Network
                               |
                               |
                          SHIVA MODEMS
                               |
                            Defender
                               |
                               |
                        Own remote users

Firewall A permits only WWW (Port 80) and SMTP (Port 24). Firewall B permits WWW (for our Intranet), SMTP, FTP and Telnet (we are shifting all own contractors' remote access through the same firewall). There are also screening routers in front of Firewall A and between the DMZ and the SHIVA Modems.

We are still messing with the actual firewall software choice. Likelihood is a pair of Gauntlets but also being considered is Gauntlet/TIS Toolkit on B and Firewall-1 on A. Much of this decision is based on existing knowledge. We are using Unix because we have lots of experience and other Unix systems. I will say though that we have also considered using NT on Firewall A simply to provide a greater variety of targets to be attacked but this is on hold pending getting further experience and training.

Hope this helps.

Greg.

--
Project management is easy, deliver it late, spend lots of money, make sure it doesn't work. At least I think that's the normal way!!!
Greg Taylor MBCS, FIAP gtaylor@ntyne.demon.co.uk Open Systems Programme Leader North Tyneside Council
From owner-firewalls-outgoing Thu Apr 3 00:37:06 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id AAA25134 for firewalls-outgoing; Thu, 3 Apr 1997 00:18:54 -0800 (PST) Received: from us0229.nomura.co.uk (us0229.nomura.co.uk [194.223.136.1]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id AAA25039 for ; Thu, 3 Apr 1997 00:18:36 -0800 (PST) From: steve.gailey@nomura.co.uk Received: by us0229.nomura.co.uk; id AA04011; Thu, 3 Apr 97 09:25:07 BST Received: from mailhub by us0229.nomura.co.uk via smap (V3.1) id xma003977; Thu, 3 Apr 97 09:24:58 +0100 Received: from by nomura.co.uk (5.x/SMI-SVR4) id AA28578; Thu, 3 Apr 1997 09:19:15 +0100 X-Openmail-Hops: 2 Date: Thu, 3 Apr 97 09:18:19 +0100 Message-Id: In-Reply-To: <199704030722.JAA22321@passport.cadrus.fr> Subject: Re: Patch for TIS To: Eric.Spessotto@cadrus.fr, firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I presume you are referring to Gauntlet and not the toolkit. Gauntlet 3.2 fixes the problem so upgrade if that is an option, otherwise you can hard code it in the FTP proxy.

Steve

______________________________ Reply Separator _________________________________
Subject: Patch for TIS
Author: firewalls-owner (firewalls-owner@GreatCircle.COM) at unixmail
Date: 4/3/97 7:22 AM

I'm looking for a patch for TIS. This patch is for using ports 20 and 21 with ftpd, because by default ftpd uses port 20 and any one between 1024-65535. Who knows it?
Eric
From owner-firewalls-outgoing Thu Apr 3 01:22:12 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id BAA29518 for firewalls-outgoing; Thu, 3 Apr 1997 01:05:05 -0800 (PST) Received: from passport.cadrus.fr (passport.cadrus.fr [194.51.236.33]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id BAA29437 for ; Thu, 3 Apr 1997 01:04:27 -0800 (PST) Received: by passport.cadrus.fr; Thu, 3 Apr 1997 11:04:22 +0200 (MET DST) Date: Thu, 3 Apr 1997 11:04:22 +0200 (MET DST) From: Eric SPESSOTTO Message-Id: <199704030904.LAA07568@passport.cadrus.fr> To: steve.gailey@nomura.co.uk, firewalls@greatcircle.com Subject: Re: Patch for TIS X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>>
> I presume you are referring to Gauntlet and not the toolkit. Gauntlet
> 3.2 fixes the problem so upgrade if that is an option, otherwise you
> can hard code it in the FTP proxy.

I am referring to the toolkit, not Gauntlet. Do you know this patch?
Eric
From owner-firewalls-outgoing Thu Apr 3 01:36:50 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id BAA02586 for firewalls-outgoing; Thu, 3 Apr 1997 01:27:36 -0800 (PST) Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id BAA02569 for ; Thu, 3 Apr 1997 01:27:30 -0800 (PST) Received: from Asia.Sun.COM ([129.158.1.1]) by mercury.Sun.COM (SMI-8.6/mail.byaddr) with SMTP id BAA10923 for ; Thu, 3 Apr 1997 01:33:46 -0800 Received: from ruby5.Asia.Sun.COM by Asia.Sun.COM (SMI-8.6/SMI-5.3) id RAA08142; Thu, 3 Apr 1997 17:32:16 +0800 Received: from sunps2.Asia.Sun.COM by ruby5.Asia.Sun.COM (SMI-8.6/SMI-SVR4) id RAA25395; Thu, 3 Apr 1997 17:27:39 +0800 Received: by sunps2.Asia.Sun.COM (SMI-8.6/SMI-SVR4) id RAA09955; Thu, 3 Apr 1997 17:30:15 +0800 Date: Thu, 3 Apr 1997 17:30:15 +0800 From: Ronnie.Ng@Asia.Sun.COM (Ronnie Ng - Sun PS Project Engineer) Message-Id: <199704030930.RAA09955@sunps2.Asia.Sun.COM> To: firewalls-digest@GreatCircle.COM Subject: Any UDP traffic between client/server of PB or Sybase Cc: Ronnie.Ng@Asia.Sun.COM X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi guys,

Does somebody know any UDP traffic between client/server of PowerBuilder and Sybase/Open Client applications? I wonder how I can allow UDP traffic with maximum security in the following config.

Sybase/Open Client                              PowerBuilder/Sybase
        or            ----> Firewall-1 ---->    Servers
PowerBuilder Appl client

Best regards,
Ronnie
From owner-firewalls-outgoing Thu Apr 3 02:57:29 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id CAA13396 for firewalls-outgoing; Thu, 3 Apr 1997 02:41:51 -0800 (PST) Received: from wall.pwa.co.in ([206.103.11.183]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id CAA13388 for ; Thu, 3 Apr 1997 02:41:40 -0800 (PST) From: Sandeep_Talwar@INDIA.notes.pwa.co.in Received: from notes.pwa.co.in (notes.pwa.co.in [126.0.0.180]) by wall.pwa.co.in (8.6.12/8.6.12) with SMTP id UAA20137 for ; Wed, 2 Apr 1997 20:18:55 +0500 Received: by notes.pwa.co.in(Lotus SMTP MTA Release 1.0) id 6525646E.003B03EC ; Thu, 3 Apr 1997 16:14:36 +300500 X-Lotus-FromDomain: INDIA @ INTERNET To: Firewalls@GreatCircle.COM Message-ID: <6525646E:003A7F22.00@notes.pwa.co.in> Date: Thu, 3 Apr 1997 16:15:26 +300500 Subject: Re: Firewalls-Digest V6 #138 Mime-Version: 1.0 Content-type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I have a TIS tool-kit running on my Linux 1.2.13 and I get these messages repeatedly from kernel.

my.hostname named[70] : recv from : Connection refused
my.hostname inetd[68] : www/tcp server failing ( looping ), service terminated

Could someone explain to me what it means? Secondly, the http-proxy at the most caters to, I presume, up to three clients for proxy; others are told that server is down, try contacting later.
Thanks in advance
From owner-firewalls-outgoing Thu Apr 3 03:06:53 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id CAA14156 for firewalls-outgoing; Thu, 3 Apr 1997 02:56:25 -0800 (PST) Received: from relay.eunet.pt (relay.EUnet.pt [193.126.4.65]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id CAA14122 for ; Thu, 3 Apr 1997 02:56:04 -0800 (PST) Received: from mail.bvl.pt (uucp@localhost) by relay.eunet.pt (8.7.5/8.7.3) with UUCP id LAA09170 for firewalls-digest@GreatCircle.COM; Thu, 3 Apr 1997 11:56:53 +0100 (WET DST) Received: from mail.bvl.pt by jessica.bvl.pt with SMTP id AA06214 (5.65c/IDA-1.4.4 for ); Thu, 3 Apr 1997 10:40:02 GMT Received: by mail.bvl.pt with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5) id <01BC4025.2740D860@mail.bvl.pt>; Thu, 3 Apr 1997 11:49:57 +0100 Message-Id: From: =?iso-8859-1?Q?Ant=F3nio_Vasconcelos?= To: "'firewalls-digest@GreatCircle.COM'" , "'Ronnie.Ng@Asia.Sun.COM'" Subject: RE: Any UDP traffic between client/server of PB or Sybase Date: Thu, 3 Apr 1997 11:49:56 +0100 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5 Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>----------
>From: Ronnie.Ng@Asia.Sun.COM[SMTP:Ronnie.Ng@Asia.Sun.COM]
>Sent: quinta-feira, 3 de abril de 1997 10:30
>To: firewalls-digest@GreatCircle.COM
>Cc: Ronnie.Ng@Asia.Sun.COM
>Subject: Any UDP traffic between client/server of PB or Sybase
>
>Hi guys,
>
>Does somebody know any UDP traffic between client/server of PowerBuilder and
>Sybase/Open Client applications?

There is *NO* UDP traffic. Open Client or PB access the Sybase server using a single TCP port. However, if your clients are using DNS to get the server's IP addr you'll have to open up the firewall to udp traffic.
That or configure the client's Open Client with static IP addrs.

--
António Vasconcelos
DTSI: Redes Locais e Comunicações
BOLSA DE VALORES DE LISBOA  | Tel: (+351) 1 790-0000 |
Edf. da Bolsa               | Fax: (+351) 1 795-2026 |
R. Soeiro Pereira Gomes     --------------------------
1600 LISBOA PORTUGAL
From owner-firewalls-outgoing Thu Apr 3 03:41:04 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id DAA17520 for firewalls-outgoing; Thu, 3 Apr 1997 03:18:54 -0800 (PST) Received: from lexicon.ins.com (lexicon.ins.com [199.0.193.11]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id DAA17010 for ; Thu, 3 Apr 1997 03:18:10 -0800 (PST) Received: from martin_d.ins.com (unknown-42-195.dialcall.com [170.206.42.195]) by lexicon.ins.com (8.7.5/8.7.3) with SMTP id DAA17378; Thu, 3 Apr 1997 03:19:02 -0800 (PST) Message-Id: <3.0.32.19970403061829.0069c1e8@lexicon.ins.com> X-Sender: martin_d@lexicon.ins.com X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Thu, 03 Apr 1997 06:18:32 -0500 To: "Ricardo, Ray" , "'firewalls@greatcircle.com'" From: "Darwin L. Martinez" Subject: Re: Port 781 Cc: "Ricardo, Ray" Mime-Version: 1.0 Content-Type: text/enriched; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Port 781 is used by an app called hp-collector, which I believe is relevant to AIX. It can be UDP or TCP based.

At 02:40 PM 4/2/97 -0800, Ricardo, Ray wrote:
>I've been seeing alert messages coming from my Internet router with a
>source port of 781. I'm not certain if it is UDP, TCP or ICMP messages.
>Does anyone know what this port is being used for?
>
>Thanks.
>
>

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Darwin L.
Martinez Client: 770-825-9783 Network Systems Engineer Pager: 888-346-1320 (Numeric) International Network Services Pager: 800-INS-1-INS (Text) SouthEast Region Office: 770-641-3660 Email: darwin_martinez@ins.com INS Website:
"Providing the Power of Operable Networks"
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
From owner-firewalls-outgoing Thu Apr 3 04:06:45 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA22609 for firewalls-outgoing; Thu, 3 Apr 1997 04:01:11 -0800 (PST) Received: from wall.pwa.co.in ([206.103.11.183]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id EAA22602 for ; Thu, 3 Apr 1997 04:01:01 -0800 (PST) From: Sandeep_Talwar@INDIA.notes.pwa.co.in Received: from notes.pwa.co.in (notes.pwa.co.in [126.0.0.180]) by wall.pwa.co.in (8.6.12/8.6.12) with SMTP id VAA21023 for ; Wed, 2 Apr 1997 21:38:15 +0500 Received: by notes.pwa.co.in(Lotus SMTP MTA Release 1.0) id 6525646E.004245CF ; Thu, 3 Apr 1997 17:33:52 +300500 X-Lotus-FromDomain: INDIA @ INTERNET To: Firewalls@GreatCircle.COM Message-ID: <6525646E:003A7F22.00@notes.pwa.co.in> Date: Thu, 3 Apr 1997 17:34:26 +300500 Subject: Firewalls-Digest V6 #138 Mime-Version: 1.0 Content-type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I have a TIS tool-kit running on my Linux 1.2.13 and I get these messages repeatedly from kernel.

my.hostname named[70] : recv from : Connection refused
my.hostname inetd[68] : www/tcp server failing ( looping ), service terminated

Could someone explain to me what it means? Secondly, the http-proxy at the most caters to, I presume, up to three clients for proxy; others are told that server is down, try contacting later.
Thanks in advance
From owner-firewalls-outgoing Thu Apr 3 05:36:59 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA00300 for firewalls-outgoing; Thu, 3 Apr 1997 05:32:25 -0800 (PST) Received: from relay-7.mail.demon.net (relay-7.mail.demon.net [194.217.242.9]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id FAA00291 for ; Thu, 3 Apr 1997 05:32:16 -0800 (PST) Received: from ntyne.demon.co.uk ([158.152.82.1]) by relay-5.mail.demon.net id aa0509505; 3 Apr 97 14:17 BST Date: Thu, 3 Apr 1997 14:10:35 GMT From: Greg Taylor Reply-To: gtaylor@ntyne.demon.co.uk Message-Id: <1586@ntyne.demon.co.uk> To: firewalls@greatcircle.com Subject: Re: Firewall Architecture for Web, Database X-Mailer: FIMail V0.9d Lines: 77 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

My fourpenthworth (and my first mailing - no flames please!! :-) )

John Kerr wrote:
>
> A customer of ours has asked about setting up a security architecture
> with the Firewall being the main focus. They would like to allow access
> into their Database inside of the Firewall opposed to having a Database
> Server that would sit outside the Firewall. They seem to be okay with
> having a Web server sitting outside the Firewall, so I don't see that as
> a problem. The problem that they are trying to avoid is having to copy
> or replicate the data to the Database Server (too time consuming). What
> are the dangers with adding a third interface to the Firewall and
> putting the Database on a separate DMZ. It would look like this:
>
>      Internet
>          |
>          |        ----------      ---------
>          |        -Database-      -  Web  -
>          |        ----------      ---------
>      ---------        |               |
>      -  FW   ------------------------------
>      ---------
>          |
>          |
>          |
>      Internal
>      Network
>

I have been working on a similar problem trying to form an outer "enemy" zone, a secure inner zone but to add sufficient security to the devices in the DMZ (WWW server, DNS) to avoid denial of service attacks etc.

Initial idea was a multiple NIC firewall but this adds considerably to the complexity. Plan 2 is to have two firewalls as follows:

Internet ---> Firewall A ---> DMZ ------> Firewall B --> Internal Network
                               |
                               |
                          SHIVA MODEMS
                               |
                            Defender
                               |
                               |
                        Own remote users

Firewall A permits only WWW (Port 80) and SMTP (Port 24). Firewall B permits WWW (for our Intranet), SMTP, FTP and Telnet (we are shifting all own contractors' remote access through the same firewall). There are also screening routers in front of Firewall A and between the DMZ and the SHIVA Modems.

We are still messing with the actual firewall software choice. Likelihood is a pair of Gauntlets but also being considered is Gauntlet/TIS Toolkit on B and Firewall-1 on A. Much of this decision is based on existing knowledge. We are using Unix because we have lots of experience and other Unix systems. I will say though that we have also considered using NT on Firewall A simply to provide a greater variety of targets to be attacked but this is on hold pending getting further experience and training.

Hope this helps.

Greg.

--
Project management is easy, deliver it late, spend lots of money, make sure it doesn't work. At least I think that's the normal way!!!
Greg Taylor MBCS, FIAP gtaylor@ntyne.demon.co.uk Open Systems Programme Leader North Tyneside Council From owner-firewalls-outgoing Thu Apr 3 05:55:11 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA00473 for firewalls-outgoing; Thu, 3 Apr 1997 05:37:25 -0800 (PST) Received: from bastion.s-1.com (BASTION.FIVEPACES.COM [204.130.55.230]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id FAA00456 for ; Thu, 3 Apr 1997 05:37:09 -0800 (PST) Received: from UNKNOWN [10.1.1.10] by bastion.s-1.com for id IAA02942; Thu Apr 3 08:37:51 1997 Received: from tick.s-1.com by wine.s-1.com with ESMTP (1.39.111.2/16.2) id AA106394568; Thu, 3 Apr 1997 08:36:08 -0500 Received: from wine.s-1.com (rlanders@localhost [127.0.0.1]) by tick.s-1.com (8.7.5/8.7.3) with ESMTP id IAA18626; Thu, 3 Apr 1997 08:37:24 -0500 Message-Id: <199704031337.IAA18626@tick.s-1.com> X-Mailer: exmh version 2.0gamma 1/24/96 Subject: Re: Microsoft ULS/ILS through a firewall In-Reply-To: Your message of "Tue, 01 Apr 1997 00:02:19 +0100." <97Apr1.000230gmt+0100.15235-5@fw.adm.nord.eunet.no> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Thu, 03 Apr 1997 08:37:23 -0500 To: Cato Antonsen From: Renee Landers Cc: firewalls@greatcircle.com, rlanders@s-1.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I researched this last fall, and this is what I figured out: Microsoft Net Meeting can be downloaded from http://www.microsoft.com. It runs on Windows 95 or Windows NT. Microsoft User Location Server can also be downloaded from http://www.microsoft.com. It runs only on Windows NT Server with IIS running. Net Meeting can be configured to use either TCP/IP or IPX. We tested it using TCP/IP. Net Meeting listens on TCP port 1503. When a connection is made from another client, all data is passed between clients using TCP except for audio data, which uses UDP. 
The ULS listens on port 522, and makes use of the http server (Microsoft's IIS) to transfer data to the Net Meeting client. We did not test the ULS application, nor did we connect to the existing ULS servers on the 'Net. When a Net Meeting client registers with a ULS, it apparently sends its information (the username, company name, etc) to the ULS, which dynamically keeps track of who is using Net Meeting (= who has registered with the ULS). When you log off, or end your Net Meeting session, presumably, your client sends a logout to the ULS, which removes it from its lists. The ULS is purely a user directory service. It does not proxy connections from one client to another. It merely provides clients with information on how to contact other clients. Net Meeting conferences can be conducted between clients with no intervention from a ULS. For the audio portion of NetMeeting to be proxied, you have to use a UDP proxy. We did not look at that. -------------- So, the short answer is: To proxy NetMeeting traffic, you have to pass TCP/IP connections on port 1503 through, probably in both directions, unless you want to restrict it so that connections can only be made FROM your internal network, or something like that. I believe that the UDP portion (audio data) also uses port 1503. To allow your internal clients to connect to a ULS you have to allow outbound traffic to TCP port 522. If you are running a ULS and want people to be able to connect to it, you have to allow inbound traffic on TCP port 522. Obviously, there are some pretty serious security issues, first with opening up another hole in the firewall/router, and second with the applications themselves. I haven't played with NetMeeting enough to have a tenable opinion on whether it's dangerous, although I suspect that it is. 
Renee -- *--------------------------------------------------------------------* | Renee Landers network security division | | Security Consultant Security First Technologies | | rlanders@s-1.com 3390 Peachtree Road, Suite 1700 | | (404) 812-6640 Atlanta, GA 30326-1108 | *--------------------------------------------------------------------* From owner-firewalls-outgoing Thu Apr 3 07:16:00 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA05743 for firewalls-outgoing; Thu, 3 Apr 1997 06:56:22 -0800 (PST) Received: from email.gcn.net.tw ([203.77.2.139]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id GAA05735 for ; Thu, 3 Apr 1997 06:56:14 -0800 (PST) Received: from [203.65.191.104] by email.gcn.net.tw (AIX 4.1/UCB 5.64/4.03) id AA34076; Thu, 3 Apr 1997 22:55:33 +0800 Message-Id: <31614110.175D@email.gcn.net.tw> Date: Tue, 02 Apr 1996 23:00:32 +0800 From: Farmer Tien Reply-To: ftien@email.gcn.net.tw Organization: IBM Taiwan X-Mailer: Mozilla 3.01 (Win95; I) Mime-Version: 1.0 To: firewalls@greatcircle.com Subject: MS Netmeeting Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, all: How do we set the firewall configure to permit the NetMeeting traffic without any security issue !! Thanks -- Farmer Tien IBM Taiwan RS/6000 System Service Representative TEL: 886-2-7259359 FAX: 886-2-7201499 206, Sec. 1, Keelung Rd., Taipei Taiwan, R.O.C. 
From owner-firewalls-outgoing Thu Apr 3 07:40:53 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA05884 for firewalls-outgoing; Thu, 3 Apr 1997 06:58:04 -0800 (PST) Received: from sage.Tri-Sage.COM (tpa-206-41-182-5.ThoughtPort.COM [206.41.182.5]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id GAA05857 for ; Thu, 3 Apr 1997 06:57:53 -0800 (PST) Received: from jon.cypher-sage.com by sage.Tri-Sage.COM with SMTP (?/BK-2.3.1) id IAA07406; Thu, 3 Apr 1997 08:56:45 -0600 Received: by jon.cypher-sage.com with Microsoft Mail id <01BC400B.CF411C60@jon.cypher-sage.com>; Thu, 3 Apr 1997 08:48:32 -0600 Message-ID: <01BC400B.CF411C60@jon.cypher-sage.com> From: Jon Tegethoff To: "firewalls@greatCircle.com" Subject: RE: NT security Date: Thu, 3 Apr 1997 08:48:31 -0600 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Slight correction. The URL should be http://www.iss.net

Jon

----------
From: David Harvey-George[SMTP:david@threewiz.demon.co.uk]
Sent: Tuesday, April 01, 1997 1:02 PM
To: firewalls@greatCircle.com; Valery Brasseur
Subject: Re: NT security

ISS seems quite good (http://www.iss.com/) but doesn't include a lot of the recent NT holes. You could check out http://www.ntsecurity.net and http://www.ntsecurity.com (two different sites).
regards, David From owner-firewalls-outgoing Thu Apr 3 08:51:15 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA14785 for firewalls-outgoing; Thu, 3 Apr 1997 08:14:10 -0800 (PST) Received: from emout11.mail.aol.com (emout11.mx.aol.com [198.81.11.26]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id IAA14771 for ; Thu, 3 Apr 1997 08:14:06 -0800 (PST) From: BPobric@aol.com Received: (from root@localhost) by emout11.mail.aol.com (8.7.6/8.7.3/AOL-2.0.0) id LAA13422; Thu, 3 Apr 1997 11:14:56 -0500 (EST) Date: Thu, 3 Apr 1997 11:14:56 -0500 (EST) Message-ID: <970403111453_-736413622@emout11.mail.aol.com> To: ntsecurity@iss.net cc: firewalls@greatcircle.com Subject: PWDump and NTCrack20 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi there, I have attempted to use PWDump utilities. It did work but I have no idea where did it put the file and what is the file name. As far as I know, I need to know this file name in order to run NT Crack 2.0 . I would appreciate any help. 
Thanks Braco Pobric bpobric@aol.com From owner-firewalls-outgoing Thu Apr 3 08:58:26 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA15305 for firewalls-outgoing; Thu, 3 Apr 1997 08:19:42 -0800 (PST) Received: from halon.sybase.com (halon.sybase.com [192.138.151.33]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id IAA15295 for ; Thu, 3 Apr 1997 08:19:36 -0800 (PST) Received: from smtp1.sybase.com (sybgate.sybase.com [130.214.220.35]) by halon.sybase.com (8.8.4/8.8.4) with SMTP id IAA02855 for ; Thu, 3 Apr 1997 08:23:24 -0800 (PST) Received: from notesgw2.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) id AA25115; Thu, 3 Apr 97 08:21:18 PST Received: (from unixsvr1@localhost) by notesgw2.sybase.com (8.8.4/8.8.4) id IAA15377 for @sybgate.sybase.com:firewalls-digest@GreatCircle.COM; Thu, 3 Apr 1997 08:19:53 -0800 (PST) Message-Id: <199704031619.IAA15377@notesgw2.sybase.com> Received: by SybaseNotes (Lotus Notes Mail Gateway for SMTP V1.1) id D86CC969656CAF6D8825646E005A219B; Thu, 3 Apr 97 08:19:43 EDT To: =?iso-8859-1?Q?Ant=F3nio_Vasconcelos?= Cc: "'firewalls-digest@GreatCircle.COM'" , "'Ronnie.Ng@Asia.Sun.COM'" From: Ryan Russell/SYBASE Date: 3 Apr 97 8:25:42 EDT Subject: RE: Any UDP traffic between client/server of PB or Sybase X-Lotus-Type: Reply All Mime-Version: 1.0 Content-Type: Text/Plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I can confirm that. 
Ryan Russell
Sybase Corporate Datacommunications

---------- Previous Message ----------
To: firewalls-digest, Ronnie.Ng
cc:
From: vasco @ mail.bvl.pt (=?iso-8859-1?Q?Ant=F3nio_Vasconcelos?=) @ smtp
Date: 04/03/97 11:49:56 AM
Subject: RE: Any UDP traffic between client/server of PB or Sybase

>----------
>From: Ronnie.Ng@Asia.Sun.COM[SMTP:Ronnie.Ng@Asia.Sun.COM]
>Sent: quinta-feira, 3 de abril de 1997 10:30
>To: firewalls-digest@GreatCircle.COM
>Cc: Ronnie.Ng@Asia.Sun.COM
>Subject: Any UDP traffic between client/server of PB or Sybase
>
>Hi guys,
>
>Does somebody know any UDP traffic between client/server of PowerBuilder and
>Sybase/Open Client applications?

There is *NO* UDP traffic. Open Client or PB access the Sybase server using a single TCP port. However, if your clients are using DNS to get the server's IP addr you'll have to open up the firewall to udp traffic. That or configure the client's Open Client with static IP addrs.

--
António Vasconcelos
DTSI: Redes Locais e Comunicações
BOLSA DE VALORES DE LISBOA  | Tel: (+351) 1 790-0000 |
Edf. da Bolsa               | Fax: (+351) 1 795-2026 |
R.
Soeiro Pereira Gomes --------------------------
1600 LISBOA PORTUGAL

From owner-firewalls-outgoing Thu Apr 3 12:32:03 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA07167 for firewalls-outgoing; Thu, 3 Apr 1997 12:01:44 -0800 (PST)
Received: from emout06.mail.aol.com (emout06.mx.aol.com [198.81.11.97]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id MAA07141 for ; Thu, 3 Apr 1997 12:01:26 -0800 (PST)
From: BPobric@aol.com
Received: (from root@localhost) by emout06.mail.aol.com (8.7.6/8.7.3/AOL-2.0.0) id PAA14982; Thu, 3 Apr 1997 15:02:10 -0500 (EST)
Date: Thu, 3 Apr 1997 15:02:10 -0500 (EST)
Message-ID: <970403150134_-1537081752@emout06.mail.aol.com>
To: pdmallya@inf.com
cc: firewalls@greatcircle.com
Subject: Re: Firewall Architecture for Web, Database
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Why don't you have database Server talk NetBEUI with Web Server? Install NetBEUI only, if possible, on the database server.
Braco Pobric
bpobric@aol.com

From owner-firewalls-outgoing Thu Apr 3 12:32:36 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA07955 for firewalls-outgoing; Thu, 3 Apr 1997 12:12:00 -0800 (PST)
Received: from exp2.is.xpark.pmh.org (exphub.is.xpark.pmh.org [198.215.78.104]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id MAA07880 for ; Thu, 3 Apr 1997 12:11:37 -0800 (PST)
Received: from localhost by exp2.is.xpark.pmh.org (AIX 3.2/UCB 5.64/4.03) id AA41397; Thu, 3 Apr 1997 14:12:07 -0600
Message-Id: <33440F17.353C@exphub.pmh.org>
Date: Thu, 03 Apr 1997 14:12:07 -0600
From: "Cary Conover(IS) 13897"
Organization: Parkland Memorial Hospital
X-Mailer: Mozilla 3.01Gold (X11; I; AIX 2)
Mime-Version: 1.0
To: Ziv Dascalu
Cc: firewalls@GreatCircle.COM, mmozes@fujitsu.ca
Subject: Re: RealAudio
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Ziv Dascalu wrote:
>
> --- On Mon, 31 Mar 97 10:36:00 PST mmozes@fujitsu.ca wrote:
>
> >
> >Does anyone know the port number for RealAudio?
> >
> >Thanks,
>
> -----------------End of Original Message-----------------
>
> realAudio is 7070 TCP
>
> /ZIv
> /~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\
> | A B I R N E T Active Network Protection http://www.AbirNet.com |
> \~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~/

Yes and the UDP return ports are 6970 - 7170.

--
Cary D. Conover
AIX Systems Administrator
Senior Systems Analyst
Parkland Health and Hospital System
Dallas, Texas
cconov@parknet.pmh.org (Work)
carydc@why.net (Home)
817-571-6694 Home Voice / Ans. Mach.
817-571-6793 Home Data/Fax
817-360-8572 Mobile/Voice Mail/Pager
214-590-0244 Work Voice
214-786-0282 Pager
214-590-0202 Work Fax

The views I express are mine and do not represent my employer.

From owner-firewalls-outgoing Thu Apr 3 12:37:00 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA09130 for firewalls-outgoing; Thu, 3 Apr 1997 12:23:21 -0800 (PST)
Received: from ce2usm.valparaiso.cl (ce2usm.valparaiso.cl [200.1.18.30]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id MAA09113 for ; Thu, 3 Apr 1997 12:23:11 -0800 (PST)
Received: (from edo@localhost) by ce2usm.valparaiso.cl (8.8.5/8.8.5edo+patch) id QAA22347; Thu, 3 Apr 1997 16:31:40 -0400
From: "Eduardo Romero U."
Message-Id: <199704032031.QAA22347@ce2usm.valparaiso.cl>
Subject: Re: Firewalls-Digest V6 #138
To: Sandeep_Talwar@INDIA.notes.pwa.co.in
Date: Thu, 3 Apr 1997 16:31:39 -0400 (CST)
Cc: firewalls@greatcircle.com
In-Reply-To: <6525646E:003A7F22.00@notes.pwa.co.in> from "Sandeep_Talwar@INDIA.notes.pwa.co.in" at Apr 3, 97 05:34:26 pm
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> I have a TIS tool-kit running on my Linux1.2.13 and I get these messages
> repeatedly from kernel.
>
> my.hostname named[70] : recv from : Connection refused
> my.hostname inetd[68] : www/tcp server failing ( looping ), service
> terminated

Check that the named is running in slave or master [ forward to another dns?], and the www is probably that the http-proxy is the same with the www port [ try to call this port itself ]. I'm not sure, but it could be a possibility.

>
> Could someone explain me what it means.
>
> secondly the http-proxy at the most caters to I presume up to three
> clients for proxy , others are told that server is down try contacting
> later.

mmm.. proxy loops with web port..

> Thanks in advance
>
>

Edo.
Ren~aca - Chile

From owner-firewalls-outgoing Thu Apr 3 13:01:27 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA01233 for firewalls-outgoing; Thu, 3 Apr 1997 12:57:27 -0800 (PST)
Received: from dns1.tc.net (dns1.tc.net [208.205.78.2]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id MAA01212 for ; Thu, 3 Apr 1997 12:57:20 -0800 (PST)
Received: from UNKNOWN [208.205.78.200] by dns1.tc.net for id PAA12335; Thu Apr 3 15:55:38 1997
Received: (from doug@localhost) by ono.tc.net (8.7.6/8.7.3) id PAA22145; Thu, 3 Apr 1997 15:50:05 -0500
Subject: Measuring latency through a proxy firewall--tools?
Date: 03 Apr 1997 15:50:05 -0500
Message-ID:
Lines: 11
X-Mailer: Gnus v5.2.39/Emacs 19.34
To: firewalls@greatcircle.com
From: Douglas McNaught
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I've been asked to provide a measurement of the additional packet latency imposed by our proxying firewall. Anybody know of some tools for this purpose, before I go and hack up some custom code? Free source code for Unix preferred...
-Doug
--
Doug McNaught
Senior Network Engineer
Premiere Communications Inc
----- doug@tc.net -----
----- http://www.premierecomm.com/ -----

From owner-firewalls-outgoing Thu Apr 3 13:15:58 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA02033 for firewalls-outgoing; Thu, 3 Apr 1997 13:08:12 -0800 (PST)
Received: from Axil.wave.co.nz (Axil.wave.co.nz [202.49.46.2]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id NAA02026 for ; Thu, 3 Apr 1997 13:08:02 -0800 (PST)
Received: from csespl.cse.co.nz (csespl.cse.co.nz [202.49.33.64]) by Axil.wave.co.nz (8.6.12/version) with SMTP id JAA20175 for ; Fri, 4 Apr 1997 09:03:59 +1200
Message-Id: <2.2.32.19970403210351.00efce1c@wave.co.nz>
X-Sender: stevel@wave.co.nz
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 04 Apr 1997 09:03:51 +1200
To: "firewalls@greatCircle.com"
From: Steve Lang
Subject: ICMP Source Quench and Port Unreachable attacks.
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi.

I'm looking for information about current ICMP Source Quench, and Port Unreachable attacks that may be going on out there.

Is there any information floating around??
Cheers
- Steve Lang, Wave internet services, Hamilton
Fax: +64-7-838-0977 Voice: +64-7-839-1291 or 0800-80-9283
EMail: stevel@cse.co.nz or slang@wave.co.nz

From owner-firewalls-outgoing Thu Apr 3 13:34:28 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA02459 for firewalls-outgoing; Thu, 3 Apr 1997 13:12:42 -0800 (PST)
Received: from netcom22.netcom.com (netcom22.netcom.com [192.100.81.136]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id NAA02451 for ; Thu, 3 Apr 1997 13:12:36 -0800 (PST)
Received: (from mwallace@localhost) by netcom22.netcom.com (8.6.13/Netcom) id NAA00447; Thu, 3 Apr 1997 13:10:48 -0800
Date: Thu, 3 Apr 1997 13:10:48 -0800 (PST)
From: Matt Wallace
Subject: Re: sendmail on firewall
To: Todd Graham Lewis
cc: Jon Spencer , Firewalls Mailing List
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Ditto. I've never heard of anyone using a kernel bug to compromise a system. I've heard of some buffer overrun problems at places in kernels, but it invariably corrupts everything and the machine crashes.

On Wed, 19 Mar 1997, Todd Graham Lewis wrote:

> What exactly do you mean by "the base" here? I can recall fairly few
> instances where security on a unix system has been compromised due to
> kernel bugs, per se. (Actually, I can think of none, but that's just me.
>
> > 3) The basic functions of an operating system, including the functions upon
> > which firewall functionality is based, must be very high assurance,

In theory, yes, this is all true. But it's very easy to poke holes in security as it is today, and not have anything else to replace it. For almost every company I've ever seen, it's not worth implementing a proprietary O/S, and multi-level security, in exchange for eliminating the "weaknesses" of the O/S.

> > A firewall is a
> > very complex thing, ESPECIALLY if you want it to really work.
>
> So, if a firewall is to work, it has to be complex? Bah.

The more complex it is, the more holes you'll find. Simplicity is a good thing.

> > Look for a very famous US gov't security agency to be going online with
> > exactly this configuration this spring or early summer (using guess
> > who's OS? :-)
>
> I seem to recall the famous US gov't doing many things. The wrenches in
> my garage didn't cost $4,000, and they aren't made of titanium. They're
> steel, and I bought them at a hardware store. You know what? My skill as
> a mechanic and a 19-year-old airman's skill as a mechanic are still the
> single most important factors in how well our machines run.

Yes, and my hammer is not a "Manually Powered Hand-held Forcible Insertion Device". (Which may explain why the government's costs $40k)

> I doubt that a mainstream firewall, call it Gauntlet or even the FWTK, if
> properly configured by a competent administrator, could be broken. I'm
> willing to set one up if someone else wants to try. This entire debate,
> however, is becoming moot as, increasingly, it's much easier to lure
> protected machines into downloading an ActiveX-based packet sniffer which
> mails the results of its sniffing back through the firewall.

It's always the same thing. Years ago, before firewalls were quite so mainstream, one of the easiest ways to get into a secure standalone system was still to mail a user a file, tell them it was a cool gif, and let them run it and load a listening socket with a shell behind it on a nice unprivileged port. Why crack a machine when they'll open it up for you?

> I really think that a lot of people are wasting a lot of money if they put
> a B2 machine (or whatever) as their internet firewall. Turning off port
> 80 will buy you a whole lot more security, and it's a lot cheaper.
We're so dead set on advancing multimedia and having cute counter applets and scrolling bars, that we'll throw away security to rush into one little gimmick after another at breakneck speed. And you'll hear the whole time how it is "necessary" for half the people in a company to be able to get ActiveX sports scores. :P

__
Matt Wallace

From owner-firewalls-outgoing Thu Apr 3 14:34:27 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA08676 for firewalls-outgoing; Thu, 3 Apr 1997 14:01:34 -0800 (PST)
Received: from gemcon.com (DNS2.GEMCON.COM [205.223.239.35]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id OAA08623 for ; Thu, 3 Apr 1997 14:01:08 -0800 (PST)
Received: by dns2.gemcon.com id <55334>; Thu, 3 Apr 1997 17:00:56 -0500
From: "Webb, Dean"
To: BPobric@aol.com, pdmallya@inf.com
Cc: firewalls@GreatCircle.COM
Subject: RE: Firewall Architecture for Web, Database
Date: Thu, 3 Apr 1997 16:59:10 -0500
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1457.3)
Content-Type: text/plain
Message-Id: <97Apr3.170056est.55334@dns2.gemcon.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

NetBEUI is nice on a small LAN, but not on a big one. How big is the network being protected? If it's huge and/or subnetted, NetBEUI may not be feasible. IPX/SPX might actually be a good choice, as it is a routable, non-TCP/IP protocol.

Unfortunately for both NetBEUI and IPX/SPX, most businesses are going over to TCP/IP as the protocol of choice for the corporate network. If that's the case on this solution, then switching protocols would not be an option, appealing though it seems.

(True, some readers may be thinking "file this stuff under DUH!" but I feel the need to respond with kindness and compassion.)
Hope this helps,

Dean Webb
dwebb@capgemini.com

> -----Original Message-----
> From: BPobric@aol.com [SMTP:BPobric@aol.com]
> Sent: Thursday, April 03, 1997 2:02 PM
> To: pdmallya@inf.com
> Cc: firewalls@GreatCircle.COM
> Subject: Re: Firewall Architecture for Web, Database
>
>
> Why don't you have database Server talk NetBEUI with Web Server?
> Install NetBEUI only, if possible, on the database server.
>
> Braco Pobric
> bpobric@aol.com

From owner-firewalls-outgoing Thu Apr 3 14:39:54 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA13087 for firewalls-outgoing; Thu, 3 Apr 1997 14:28:10 -0800 (PST)
Received: from dns.wye.com ([38.219.43.43]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id OAA13078 for ; Thu, 3 Apr 1997 14:28:04 -0800 (PST)
Received: from wyent.wyepriv.com (wyent.wyepriv.com [192.168.0.25]) by dns.wye.com (8.8.5/8.8.5) with ESMTP id RAA12407 for ; Thu, 3 Apr 1997 17:25:43 -0500
Received: by wyent.wyepriv.com with Internet Mail Service (5.0.1457.3) id <2107XJ7Y>; Thu, 3 Apr 1997 17:26:30 -0500
Message-ID: <714A163EDA9ED01194DB0040339040C6010C42@wyent.wyepriv.com>
From: Gregory Wilkins
To: firewalls@GreatCircle.COM
Subject: POP Server
Date: Thu, 3 Apr 1997 17:26:28 -0500
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1457.3)
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

How does one set up the firewall to accept a POP protocol?

I have a POP Server on the inside of my firewall on a "private" network, and want my users to be able to use Eudora or something to connect to my POP server.

I can not move the POP server to the outside of the firewall, since it is an NT Server that is utilized for file and print services.
Now the tricky part...my external DNS knows NOTHING about my internal network and its hosts...so if I can get a POP protocol to pass thru the firewall, how will Eudora know where to find the popserver w/o DNS lookup, since the IP Addresses on the internal network are "bogus"?

Help????

From owner-firewalls-outgoing Thu Apr 3 15:09:48 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA13177 for firewalls-outgoing; Thu, 3 Apr 1997 14:28:42 -0800 (PST)
Received: from gateway.interdyn.com (gateway.interdyn.com [205.226.36.34]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id OAA13120 for ; Thu, 3 Apr 1997 14:28:26 -0800 (PST)
From: eristone@earthlink.net
Message-Id: <199704032228.OAA13120@honor.greatcircle.com>
Comments: Authenticated sender is
>From: eristone@earthlink.net
To: Steve Lang
Date: Thu, 3 Apr 1997 14:30:33 -0800
MIME-Version: 1.0
Content-transfer-encoding: 7BIT
Subject: Re: ICMP Source Quench and Port Unreachable attacks
CC: firewalls@greatcircle.com
X-mailer: Pegasus Mail for Win32 (v2.42)
Received: from earthlink.net by gateway.interdyn.com; Thu, 3 Apr 1997 14:28 PST
Content-Type: text/plain; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Hi.
>
>I'm looking for information about current ICMP Source Quench, and Port
>Unreachable attacks that may be going on out there.
>
>Is there any information floating around??

Hi Steve,

There's a program called "WinNewk" that has been floating around various irc circles now for the past couple of months - it's Windows based, and single-click. It makes it so that even your typical hacker-wanna-be can attack a system. (I'm surprised more info hasn't shown up in this list about this one). If you want, I can send you a copy of the program, so you can take a look at it.

The defense against it (I think) is to filter icmp packets at the router...
(hey - I'm not a security or networking expert - yet I'm not sure exactly how feasible that'd be to do, and I'm almost positive that someone here'll correct me [please flame at a low temperature, for 2-3 hours until golden brown] if I'm wrong).

--
Mike "Eristone" Bryant II
eristone@earthlink.net
"All questions must be submitted in writing. Thank you for calling." - Willy Wonka

From owner-firewalls-outgoing Thu Apr 3 15:23:06 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id PAA18872 for firewalls-outgoing; Thu, 3 Apr 1997 15:09:39 -0800 (PST)
Received: from speedy.burnt-sand.com (NS.BURNT-SAND.COM [204.209.115.2]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id PAA18801 for ; Thu, 3 Apr 1997 15:09:24 -0800 (PST)
Received: by speedy.burnt-sand.com (950413.SGI.8.6.12/951211.SGI) for id QAA00931; Thu, 3 Apr 1997 16:03:26 -0700
Received: from ithilien(192.168.115.3) by speedy via smap (3.1) id xma000888; Thu, 3 Apr 97 16:03:05 -0700
Received: from oxygen ([192.168.115.136]) by ithilien.burnt-sand.com (Netscape Mail Server v2.02) with SMTP id AAA2681 for ; Thu, 3 Apr 1997 16:07:31 -0700
Message-ID: <3344379E.4A7B@burnt-sand.com>
Date: Thu, 03 Apr 1997 15:05:02 -0800
From: "Thomas E. Alex"
Organization: Burnt Sand Solutions Inc.
X-Mailer: Mozilla 3.01SGoldC-SGI (X11; I; IRIX 6.3 IP32)
MIME-Version: 1.0
To: firewalls@GreatCircle.COM
Subject: PPTP Through Gauntlet
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Greetings,

Has anyone attempted to configure a PPTP plug gateway through Gauntlet? Does PPTP require udp traffic in addition to the tcp traffic?

Thanks.

--
Thomas Alex Burnt Sand Solutions Inc.
Systems Specialist Phone: 403-262-3330 715, 734 7th Ave. S.W.
thomas@burnt-sand.com Fax: 403-264-2044 Calgary, Alberta T2P 3P8

From owner-firewalls-outgoing Thu Apr 3 15:46:16 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id PAA22683 for firewalls-outgoing; Thu, 3 Apr 1997 15:34:30 -0800 (PST)
Received: from ra.nso.org (ra.nso.org [207.30.58.3]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id PAA22655 for ; Thu, 3 Apr 1997 15:34:23 -0800 (PST)
Received: from osiris (osiris.nso.org [207.30.58.40]) by ra.nso.org (post.office MTA v1.9.3 ID# 0-13592) with SMTP id AAA472 for ; Thu, 3 Apr 1997 18:35:40 -0500
Message-Id: <3.0.32.19970403183527.00954cd0@nso.org>
X-Sender: noc@nso.org
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Thu, 03 Apr 1997 18:35:28 -0500
To: firewalls@greatcircle.com
From: noc@nso.org (Network Operations Center)
Subject: ISR
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

f.y.i.

Internet Security Review is now accepting subscriptions (free) at http://www.isr.net

The journal appears monthly.
regards
Bert

From owner-firewalls-outgoing Thu Apr 3 16:18:35 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id QAA29804 for firewalls-outgoing; Thu, 3 Apr 1997 16:10:33 -0800 (PST)
Received: from fw2.mwcia.org (fw2.mwcia.org [206.9.85.5]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id QAA29795 for ; Thu, 3 Apr 1997 16:10:24 -0800 (PST)
Received: from pc (dialin1_local.mwcia.org [192.138.165.169]) by fw2.mwcia.org (8.8.5/8.8.5) with SMTP id SAA16021; Thu, 3 Apr 1997 18:12:39 -0600
Message-Id: <3.0.32.19970403181019.00954db0@fw2.mwcia.org>
X-Sender: rwh@fw2.mwcia.org
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Thu, 03 Apr 1997 18:10:38 -0600
To: Gregory Wilkins , firewalls@GreatCircle.COM
From: Richard Hoffbeck
Subject: Re: POP Server
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 05:26 PM 4/3/97 -0500, Gregory Wilkins wrote:
>How does one set up the firewall to accept a POP protocol?
>
>I have a POP Server on the inside of my firewall on a "private" network,
>and want my users to be able to use Eudora or something to connect to my
>POP server.
>
>I can not move the POP server to the outside of the firewall, since it
>is an NT Server that is utilized for file and print services.
>
>Now the tricky part...my external DNS knows NOTHING about my internal
>network and its hosts...so if I can get a POP protocol to pass thru the
>firewall, how will Eudora know where to find the popserver w/o DNS
>lookup, since the IP Addresses on the internal network are "bogus"?

Get the TIS fwtk and set up a plug-gw proxy. It can be configured to take any incoming traffic on port 110 on the firewall and pass it on to the internal server. Then set the external mail clients to use the firewall as the pop server.
If you don't restrict it otherwise, and you have folks with laptops that need access from both inside and outside, the proxy will reflect the internal connections back to the NT pop server when they are 'at home'.

We just finished testing this for our folks that travel, but we finally decided to use ssh to forward the connections through the firewall. That keeps the pop-mail passwords safe and also allows us to set up access for telnet, sql*net and so on.

--rick

+-----------------------------------------------------------------+
| Richard Hoffbeck phone: 612.636.4249 |
| fax: 612.624.2196 |
| Finger rwh@visi.com for PGP key : |
| Fingerprnt = 1C DD 13 FB 11 1D E7 73 2F A1 9B 52 86 0F A2 2B |
+-----------------------------------------------------------------+

From owner-firewalls-outgoing Thu Apr 3 16:30:48 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id QAA29728 for firewalls-outgoing; Thu, 3 Apr 1997 16:09:58 -0800 (PST)
Received: from haystack.com (mailserv.haystack.com [207.13.48.60]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id QAA29689 for ; Thu, 3 Apr 1997 16:09:46 -0800 (PST)
Received: from satya.haystack.com by haystack.com (SMI-8.6/SMI-SVR4) id SAA08393; Thu, 3 Apr 1997 18:05:44 -0600
Received: from yabba by satya.haystack.com (SMI-8.6/SMI-SVR4) id SAA03086; Thu, 3 Apr 1997 18:07:34 -0600
Message-Id: <3.0.32.19970403175434.006c462c@satya>
X-Sender: alisa@satya
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Thu, 03 Apr 1997 17:54:35 -0600
To: firewalls@greatcircle.com
From: Alisa Nessler
Subject: Haystack info
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Stuart Johnson's "tabloid" email yesterday is evidence that you can say anything you want without regard to truth or substance on the 'net!

Here are the facts:

Yes, there have been many changes at Haystack Labs.
Most of this information is public and up on our Web site (www.haystack.com).

Steve Smaha is still CEO of Haystack Labs. There's been no "removing" of him by the board (Steve's the Chairman). We issued a press release several weeks ago announcing that Jim Geary, former VP/marketing for Security Dynamics has joined HLI as president to augment our sales and marketing capabilities. I've also just joined the company as VP of marketing, and I'm located in Austin with our outstanding development and support staff.

Haystack already has offices in California, New York, and Colorado, and we expect to add a Boston office this year too. As with many thriving software companies, we're always looking to augment our technical staff. (Fax your resume to 512-918-1265 if you think you're good!)

I can't comment on issues with the Wheelgroup. Other comments relating to Steve Smaha threatening everyone are nonsense.

Of all the incorrect items in this posting, it's the uninformed misrepresentation of our code that is most offensive. We have an excellent software architecture (thanks to Steve) based on Haystack's patented technology and an innovative development staff. Our Stalker product remains the premier audit trail management and analysis tool for the UNIX environment. Stalker v 2.1 is scheduled for release within 30 days. Our WebStalker product was initially released in August '96, and the NT version was released in February 97. It has received glowing reviews (see our website). Extended WebStalker Pro response capabilities are slated for this quarter.

I hope this helps to provide some clarification for your readers. Feel free to contact me directly if you have any questions.

Alisa Nessler
VP of Marketing
Haystack Labs, Inc.
alisa@haystack.com

From owner-firewalls-outgoing Thu Apr 3 16:45:57 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id QAA03237 for firewalls-outgoing; Thu, 3 Apr 1997 16:37:30 -0800 (PST)
Received: from ncb.gov.sg ([203.120.56.40]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id QAA03222 for ; Thu, 3 Apr 1997 16:37:22 -0800 (PST)
Received: by ncb.gov.sg (4.1/SMI-4.1) id AA16070; Fri, 4 Apr 97 08:34:35 SST
Date: Fri, 4 Apr 1997 08:34:35 +0800 (SST)
From: Martin Khoo Boon Hock
Subject: DMZ setup for Gauntlet
To: firewalls@greatcircle.com
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

I am trying to set up Gauntlet to accept a 3rd interface to serve as a DMZ. What do I need to do to the netperm-table to make it accept another interface? Do I need to define another 'policy' beside the given 'policy-inside' & 'policy-outside'?

Thanks & have a nice day

Martin Khoo
Senior IT Architect (Security & Cryptography)
Information Infrastructure Group
National Computer Board
martin@nii.ncb.gov.sg

From owner-firewalls-outgoing Thu Apr 3 17:00:41 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id QAA04509 for firewalls-outgoing; Thu, 3 Apr 1997 16:49:50 -0800 (PST)
Received: from reflections.eng.mindspring.net (reflections.eng.mindspring.net [207.69.183.9]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id QAA04494 for ; Thu, 3 Apr 1997 16:49:44 -0800 (PST)
Received: from localhost (lists@localhost) by reflections.eng.mindspring.net (8.8.5/8.8.5) with SMTP id TAA05197; Thu, 3 Apr 1997 19:47:10 -0500
Date: Thu, 3 Apr 1997 19:47:08 -0500 (EST)
From: Todd Graham Lewis
To: Steve Lang
cc: "firewalls@greatCircle.com"
Subject: Re: ICMP Source Quench and Port Unreachable attacks.
In-Reply-To: <2.2.32.19970403210351.00efce1c@wave.co.nz>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 4 Apr 1997, Steve Lang wrote:

> Hi.
>
> I'm looking for information about current ICMP Source Quench, and Port
> Unreachable attacks that may be going on out there.
>
> Is there any information floating around??

RFC792

__
Todd Graham Lewis
MindSpring Enterprises
tlewis@mindspring.com

From owner-firewalls-outgoing Thu Apr 3 19:06:55 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id SAA15592 for firewalls-outgoing; Thu, 3 Apr 1997 18:52:06 -0800 (PST)
Received: from jehova.owl.de (jehova.owl.de [194.121.202.132]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id SAA15585 for ; Thu, 3 Apr 1997 18:51:57 -0800 (PST)
Received: from fiction.pb.owl.de (root@fiction.pb.owl.de [193.174.12.5]) by jehova.owl.de (8.8.5/8.8.5) with SMTP id EAA26331 for ; Fri, 4 Apr 1997 04:50:17 +0200 (MET DST)
Received: from squirrel.owl.de by fiction.pb.owl.de with bsmtp id m0wCz3w-00002lC; Fri, 4 Apr 97 04:49 MET DST
Received: (qmail 1374 invoked by uid 300); 4 Apr 1997 01:02:13 -0000
Date: 4 Apr 1997 01:02:13 -0000
Message-ID: <19970404010213.1373.qmail@squirrel.owl.de>
From: Stuart Johnson
To: firewalls@greatcircle.com
Subject: Haystack info (Steve Smaha)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

About a month ago, I inquired about Haystack and Wheelgroup. I received an email from someone at Haystack that did not want to disclose their identity but revealed a lot of information about the company. I believe this information to be true, but would like to find out to the contrary.

From the inside information, apparently the founder and CEO of Haystack, Steve Smaha has been removed because he was a control freak and raving lunatic inside the company.
Haystack is in decay because the Stalker family was a complete misdesign and failure.

Also the source said that Steve Smaha was threatening to sue his own investors, partners, and customers. This seems kind of extreme to me, but the confirmation about Haystack suing Wheelgroup leaves this as a definite possibility. Some of the customers for Haystack have emailed me saying they have not received an update for some of the Stalker family in over 3 years. I wouldn't be surprised if Steve Smaha does not get sued himself if this is true.

The investors, that removed Steve Smaha, brought in a new CEO. He is currently moving the company to Boston due to the lack of engineering talent in the former Austin HQ of Haystack. The new CEO is trying to recruit engineers that can decipher the source code because it lacked any structure and comments to understand it.

I would have probably ignored this email except I am interested in monitoring tools and this seems like a legitimate insider giving me details. I have tried to contact Steve Smaha but have not been able to reach him. I am looking for someone who might know the company better than me to confirm these facts.
Stuart

From owner-firewalls-outgoing Thu Apr 3 19:15:59 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id TAA16566 for firewalls-outgoing; Thu, 3 Apr 1997 19:13:38 -0800 (PST)
Received: from sgi.sgi.com (SGI.COM [192.48.153.1]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id TAA16554 for ; Thu, 3 Apr 1997 19:13:30 -0800 (PST)
Received: from odin.corp.sgi.com (odin.corp.sgi.com [192.26.51.194]) by sgi.sgi.com (950413.SGI.8.6.12/950213.SGI.AUTOCF) via ESMTP id TAA27887 for <@external-mail-relay.sgi.com:firewalls-digest@GreatCircle.COM>; Thu, 3 Apr 1997 19:11:55 -0800
Received: from sgigz.guangzhou.sgi.com by odin.corp.sgi.com via ESMTP (951211.SGI.8.6.12.PATCH1502/951211.SGI) for <@fddi-odin.corp.sgi.com:firewalls-digest@GreatCircle.COM> id TAA12160; Thu, 3 Apr 1997 19:11:53 -0800
Received: from sgigz by sgigz.guangzhou.sgi.com via SMTP (940816.SGI.8.6.9/930416.SGI) for id IAA07193; Fri, 4 Apr 1997 08:59:40 +0800
Message-ID: <3344527C.41C6@guangzhou.sgi.com>
Date: Fri, 04 Apr 1997 08:59:40 +0800
From: James Liang
X-Mailer: Mozilla 2.01S (X11; I; IRIX 5.3 IP22)
MIME-Version: 1.0
To: firewalls-digest@GreatCircle.COM
Subject: UDP through Gauntlet?
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

We have a VOD server behind a Gauntlet firewall which uses UDP to send video/audio streams. Is there a way for the users outside to access the VOD server without compromising the security?
James Liang
james@guangzhou.sgi.com

From owner-firewalls-outgoing Thu Apr 3 19:45:46 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id TAA18163 for firewalls-outgoing; Thu, 3 Apr 1997 19:31:59 -0800 (PST)
Received: from dg-rtp.dg.com (dg-rtp.rtp.dg.com [128.222.1.2]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id TAA17937 for ; Thu, 3 Apr 1997 19:31:10 -0800 (PST)
Received: from splinter.rtp.dg.com by dg-rtp.dg.com (5.4R3.10/dg-rtp-v02) id AA16543; Thu, 3 Apr 1997 22:29:15 -0500
Received: by splinter.rtp.dg.com (8.6.10/200.15.1.2) id WAA12583; Thu, 3 Apr 1997 22:25:56 -0500
From: spencerj@dg-rtp.dg.com (Jon Spencer)
Message-Id: <199704040325.WAA12583@splinter.rtp.dg.com>
Subject: Re: combo internal/external web servers
To: kkost@intermec.com (Kathy Kost)
Date: Thu, 3 Apr 1997 22:25:53 -0500 (EST)
Cc: firewalls@greatcircle.com
In-Reply-To: <9704011916.AA00517@intermec.com> from "Kathy Kost" at Apr 1, 97 11:16:33 am
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
>
> A company I'm doing some work for is trying to decide on having
> separate internal and external web servers or having them both on
> one machine, with some proxy or firewall software keeping them separate.
> I have only implemented them separately.
>
> What is the current feeling on this these days? Is it possible to have
> them both co-exist on the same box without risking the internal web site?
> Any suggestions as to the best security software to use (public domain or
> not)? Or pointers to reference information on the subject?
>
> Thanks a bunch,
>
> Kathy Kost

Sigh .... Sorry to repeat myself, but ...

B2 DG/UX provides the basis for doing this. CYBERSHIELD, Oracle Web Server and Open Market (OMI) Webservers and related product families (as well as Mosaic, Apache, etc.) run on B2 DG/UX.
The various environments can be isolated or intermixed, classes of data can be allowed in or out or disallowed in or out, subnets can be isolated or restricted, (scores more features but why list them again). Many organizations (both commercial and gov't) are and will be using the platform in just such a manner (internal web server, external web server, and firewall all on the same host or set of hosts) NSA among them. See www.dg.com. -- Jon F. Spencer spencerj@rtp.dg.com (uunet!rtp.dg.com!spencerj) Data General Corp. Phone : (919)248-6246 62 T.W. Alexander Dr, MS #119 FAX : (919)248-6108 Research Triangle Park, NC 27709 Office RTP 121/9 Reality is an illusion - perception is what counts. No success can compensate for failure in the home. President David O. McKay ***** UCC 1-207 ******** From owner-firewalls-outgoing Thu Apr 3 20:30:53 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id UAA23617 for firewalls-outgoing; Thu, 3 Apr 1997 20:15:34 -0800 (PST) Received: from matav.hu (firewall.matav.hu [145.236.225.161]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id UAA23606 for ; Thu, 3 Apr 1997 20:15:27 -0800 (PST) Received: from tiivs7.tii.matav.hu ([145.236.48.148]) by firewall.matav.hu with SMTP id <55553-1>; Fri, 4 Apr 1997 05:12:22 +0100 Received: from piheno.tii.matav.hu by tiivs7.tii.matav.hu (MX V4.1 VAX) with SMTP; Fri, 04 Apr 1997 06:13:31 MET Received: from localhost (mag@localhost) by piheno.tii.matav.hu (8.8.4/8.8.4) with SMTP id HAA03743; Fri, 4 Apr 1997 07:15:25 +0200 Date: Fri, 4 Apr 1997 06:15:24 +0100 From: "Magossa'nyi A'rpa'd" To: Matt Wallace CC: Todd Graham Lewis , Jon Spencer , Firewalls Mailing List Subject: Re: sendmail on firewall In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=ISO-8859-2 Content-Transfer-Encoding: QUOTED-PRINTABLE Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thu, 3 Apr 1997, Matt Wallace wrote: > Ditto. 
I've never heard of anyone using a kernel bug to compromise a > system. I've heard of some buffer overrun problems at places in kernels, > but it invariably corrupts everything and the machine crashes. > There is an exploit for Linux kernels from the stone age (1.2.x). I had actually used it to make a joke on a friend. --- GNU GPL: only from a clean source From owner-firewalls-outgoing Thu Apr 3 20:45:41 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id UAA25684 for firewalls-outgoing; Thu, 3 Apr 1997 20:41:08 -0800 (PST) Received: from matav.hu (firewall.matav.hu [145.236.225.161]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id UAA25677 for ; Thu, 3 Apr 1997 20:41:01 -0800 (PST) Received: from tiivs7.tii.matav.hu ([145.236.48.148]) by firewall.matav.hu with SMTP id <55553-1>; Fri, 4 Apr 1997 05:37:59 +0100 Received: from piheno.tii.matav.hu by tiivs7.tii.matav.hu (MX V4.1 VAX) with SMTP; Fri, 04 Apr 1997 06:39:02 MET Received: from localhost (mag@localhost) by piheno.tii.matav.hu (8.8.4/8.8.4) with SMTP id HAA03840; Fri, 4 Apr 1997 07:40:57 +0200 Date: Fri, 4 Apr 1997 06:40:57 +0100 From: "Magossa'nyi A'rpa'd" To: "James R. Leu" CC: firewalls@GreatCircle.COM Subject: Re: port forwarding and masq In-Reply-To: <199704030003.SAA17293@chaos.coredcs.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=ISO-8859-2 Content-Transfer-Encoding: QUOTED-PRINTABLE Sender: firewalls-owner@GreatCircle.COM Precedence: bulk It sounds like plug-gw. Either I didn't read your letter carefully enough, or You failed to do the same with the ipfwadm documentation ^) On Thu, 3 Apr 1997, James R.
Leu wrote: > I was wondering if anyone would know if this following setup can be created > with ipfwadm on Linux: > > A = Firewall > B = Destination host within the firewall > C = Source host outside of the firewall > > Valid Net Hidden Net > addresses addresses > |C|--------|A|------------|B| > > Incoming: > --------- > Host C sends a packet dest for Host A port 23. Host A translates the incoming > request and forwards the packet to Host B port 23. > > Outgoing: > --------- > Host B sends a packet to Host C. Host A would masquerade for Host B. > > Jim > -- > James R. Leu > Network Administrator > CORE Digital Communication Services > jleu@coredcs.com > --- GNU GPL: only from a clean source From owner-firewalls-outgoing Thu Apr 3 21:46:02 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id VAA01731 for firewalls-outgoing; Thu, 3 Apr 1997 21:42:43 -0800 (PST) Received: from dallas-cs-000.novare.net (dallas-cs-000.novare.net [205.229.104.10]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id VAA01714 for ; Thu, 3 Apr 1997 21:42:37 -0800 (PST) Received: from muggles (mark@muggles.novare.net [205.229.105.72]) by dallas-cs-000.novare.net (8.7.6/8.6.9) with SMTP id XAA02555 for ; Thu, 3 Apr 1997 23:46:49 -0600 Message-ID: <334494EC.6EEB16E5@novare.net> Date: Thu, 03 Apr 1997 23:43:16 -0600 From: m* Organization: Novare' International Information Systems X-Mailer: Mozilla 3.0Gold (X11; I; Linux 2.0.27 i586) MIME-Version: 1.0 To: firewalls Subject: Re: Measuring latency through a proxy firewall--tools? References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Douglas McNaught wrote: > > I've been asked to provide a measurement of the additional packet > latency imposed by our proxying firewall. Anybody know of some tools > for this purpose, before I go and hack up some custom code?
Free > source code for Unix preferred... how about bing? while it's averages may be experimental, can it effectively estimate firewall throughput? m* -- "The Shining One" -- From owner-firewalls-outgoing Thu Apr 3 22:00:58 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id VAA02552 for firewalls-outgoing; Thu, 3 Apr 1997 21:57:03 -0800 (PST) Received: from swinc.com (swinc.com [198.252.182.233]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id VAA02545 for ; Thu, 3 Apr 1997 21:56:57 -0800 (PST) Received: from grail.austin.swinc.com ([204.107.173.67]) by anthrax.swinc.com with ESMTP id <17025-1>; Thu, 3 Apr 1997 23:55:02 -0600 Received: by grail.austin.swinc.com with Internet Mail Service (5.0.1457.3) id ; Thu, 3 Apr 1997 23:59:57 -0600 Message-ID: <41242F632110D0118B4500A024BF7EB008AA40@grail.austin.swinc.com> From: "Webb, Andy" To: "'firewalls@greatcircle.com'" Subject: RE: Haystack info (Steve Smaha) Date: Thu, 3 Apr 1997 23:59:55 -0600 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1457.3) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This is all bulls**t. What's your agenda? What's your point? Steve is still around and in the same position. A new exec has been brought in to add to the strength - not replace. Austin is still the headquarters. Austin has plenty of engineering talent (yep, I'm biased, but it's true). Had a couple Haystack folks in my office last week who are very happy with the company and prospects for continued success. Try to do a little better research before smearing a company like this. Andy ====================================================== Andy Webb "The clue meter is reading zero." - Dilbert awebb@swinc.com Simpler-Webb, Inc. 
Austin, TX ====================================================== > -----Original Message----- > From: Stuart Johnson [SMTP:sjohnson@weasel.owl.de] > Sent: Thursday, April 03, 1997 7:02 PM > To: firewalls@greatcircle.com > Subject: Haystack info (Steve Smaha) > > About a month ago, I inquired about Haystack and Wheelgroup. I > received an email from someone at Haystack that did not want to > disclose their identity but revealed a lot of information about the > company. I believe this information to be true, but would like to find > out to the contrary. > > From the inside information, apparently the founder and CEO of > Haystack, Steve Smaha has > been removed because he was a control freak and raving lunatic inside > the company. > Haystack is in decay because the Stalker family was a complete > misdesign and failure. > > Also the source said that Steve Smaha was threatening to sue his own > investors, partners, and customers. This seems kind of extreme to me, > but the confirmation about Haystack suing Wheelgroup leaves this as a > definite possibility. Some of the customers for Haystack have > emailed me saying they have not received an update for some of the > Stalker family in over 3 years. I wouldn't be suprised if Steve Smaha > does not get sued himself if this is true. > > The investors, that removed Steve Smaha, brought in a new CEO. He is > currently moving the company to Boston due to the lack of engineering > talent in the former Austin HQ of Haystack. > The new CEO is trying to recruit engineers that can decipher the > source code because it lacked any structure and comments to understand > it. > > I would have probably ignored this email except I am interested in > monitoring tools and this > seems like a legitimate insider giving me details. I have tried to > contact Steve Smaha but have not been able to reach him. I am looking > for someone who might know the company better than me to confirm these > facts. 
> > Stuart From owner-firewalls-outgoing Thu Apr 3 23:05:02 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id WAA06935 for firewalls-outgoing; Thu, 3 Apr 1997 22:49:28 -0800 (PST) Received: from flex.flex.ro (flex.flex.ro [193.230.255.2]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id WAA06895 for ; Thu, 3 Apr 1997 22:49:15 -0800 (PST) Received: from viorel.forum.com (dial03.flex.ro [193.230.255.103]) by flex.flex.ro (8.7.5/8.7.3) with ESMTP id KAA31847 for ; Fri, 4 Apr 1997 10:38:44 +0300 Message-Id: <199704040738.KAA31847@flex.flex.ro> From: "Viorel Dehelean" To: Subject: NT 4.0 Inet Server Date: Fri, 4 Apr 1997 09:48:58 +0300 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1155 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk So , i am bothering you again ... Since this is my first time with NT4.0 , i have installed Internet Server. But from other computers (on lan) i can only connect using the ip adress not the dns name. Why ? I know is bad configured , and i hope to get some answers. Thanx Best Regards , Viorel Dehelean AKA Powerman - Risc Team vdehelean@flex.ro powerm@usa.net http://www.flex.ro/RISC Tel. Home : 039-615151 Tel. 
Work : 039-641841 From owner-firewalls-outgoing Thu Apr 3 23:45:51 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA12342 for firewalls-outgoing; Thu, 3 Apr 1997 23:40:11 -0800 (PST) Received: from server3.syd.mail.ozemail.net (server3.syd.mail.ozemail.net [203.108.7.41]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id XAA12319 for ; Thu, 3 Apr 1997 23:40:04 -0800 (PST) Received: from oznet07.ozemail.com.au (oznet07.ozemail.com.au [203.2.192.122]) by server3.syd.mail.ozemail.net (8.8.4/8.6.12) with ESMTP id RAA17460 for ; Fri, 4 Apr 1997 17:38:30 +1000 (EST) Received: from LOCALNAME (slcan5p45.ozemail.com.au [203.108.193.61]) by oznet07.ozemail.com.au (8.8.4/8.6.12) with SMTP id RAA25413 for ; Fri, 4 Apr 1997 17:38:28 +1000 (EST) Message-ID: <3345AD17.29DB@ozemail.com.au> Date: Fri, 04 Apr 1997 17:38:31 -0800 From: "Gerard A. Joseph" Reply-To: gerard@ozemail.com.au X-Mailer: Mozilla 3.0 (Win16; I) MIME-Version: 1.0 To: firewalls@GreatCircle.COM Subject: Re: ISR References: <3.0.32.19970403183527.00954cd0@nso.org> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk The site looks interesting, but it seems anomalous for a security-oriented site to ask for such details as name, email address, physical address, and password to be transmitted in the clear over the Internet. Gerard Network Operations Center wrote: > > f.y.i. > > Internet Security Review is now accepting > subscriptions (free) at http://www.isr.net > The journal appears monthly. 
> > regards > > Bert From owner-firewalls-outgoing Fri Apr 4 00:04:45 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA11836 for firewalls-outgoing; Thu, 3 Apr 1997 23:36:02 -0800 (PST) Received: from central.webforum.de (central.webforum.de [193.141.169.166]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id XAA11829 for ; Thu, 3 Apr 1997 23:35:56 -0800 (PST) Received: (from uucp@localhost) by central.webforum.de (8.7.6/8.7.6-webforum) id JAA08060; Fri, 4 Apr 1997 09:29:18 +0100 Received: from localhost by gaston.m.ISAR.de with smtp (/\oo/\ Smail3.1.29.1 #29.2 #2) id m0wD4MV-00184xC; Fri, 4 Apr 97 09:28 WET DST Date: Fri, 4 Apr 1997 09:28:43 +0100 (WET DST) From: Klaus Lichtenwalder To: Sandeep_Talwar@INDIA.notes.pwa.co.in cc: Firewalls@GreatCircle.COM Subject: Re: Firewalls-Digest V6 #138 In-Reply-To: <6525646E:003A7F22.00@notes.pwa.co.in> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thu, 3 Apr 1997 Sandeep_Talwar@INDIA.notes.pwa.co.in wrote: > I have a TIS tool-kit running on my Linux1.2.13 and I get these messages > repeatedly from kernel. > > my.hostname named[70] : recv from : Connection refused > my.hostname inetd[68] : www/tcp server failing ( looping ), service > terminated Well, it means you're running httpd from inetd and get too many requests per time unit. You might consider running httpd standalone or add a number > 40 after the nowait (in my configuration it's 40 connections per second, YMMV, man inetd) Klaus ________________________________________________________________________ Klaus Lichtenwalder, Dipl. Inform., PGP Key: email to key@Four11.com Lichtenwalder@ACM.org, http://www.wp.com/Klaus, fax: +49-89-91072699 Need a (virtual) vacation?
Go check: http://www.bavaria.com Unsolicited e-mail advertising and spam will not be tolerated From owner-firewalls-outgoing Fri Apr 4 00:16:43 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA14001 for firewalls-outgoing; Thu, 3 Apr 1997 23:55:11 -0800 (PST) Received: from darkstar.sysinfo.com (darkstar.sysinfo.com [204.246.65.62]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id XAA13994 for ; Thu, 3 Apr 1997 23:55:05 -0800 (PST) Received: from parka.winternet.com (dufresne@parka.winternet.com [198.174.169.9]) by darkstar.sysinfo.com (8.8.2/8.8.2) with SMTP id BAA01044; Fri, 4 Apr 1997 01:56:06 -0600 Date: Fri, 4 Apr 1997 01:53:20 -0600 (CST) From: Ron DuFresne To: m* cc: firewalls Subject: Re: Measuring latency through a proxy firewall--tools? In-Reply-To: <334494EC.6EEB16E5@novare.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I'm surprised no one has yet mentioned either tcpspray nor tcpblast: darkstar:/usr/local/sbin# tcpblast -t parka 100 read SO_SNDBUF = 65535 Sending non-random TCP data using 1024 B blocks. .................................................................................................... 100 KB in 14251 msec = 57483.7 b/s = 7185.5 B/s = 7.0 KB/s darkstar:/usr/local/sbin# darkstar:/usr/local/sbin# tcpspray parka Transmitted 102400 bytes in 14.221252 seconds (7.032 kbytes/s) darkstar:/usr/local/sbin# Now, for the testing of firewall proxies, combined with netcat, I think tcpblast is prolly more flexible...though with netcat by hobbit, both may well suit the bill... Later, Ron DuFresne On Thu, 3 Apr 1997, m* wrote: > Douglas McNaught wrote: > > > > I've been asked to provide a measurement of the additional packet > > latency imposed by our proxying firewall. Anybody know of some tools > > for this purpose, before I go and hack up some custom code? Free > > source code for Unix preferred... 
> > how about bing? > > while it's averages may be experimental, can it effectively > estimate firewall throughput? > > m* > > -- > "The Shining One" > -- > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart ***testing, only testing, and damn good at it too!*** OK, so you're a Ph.D. Just don't touch anything. From owner-firewalls-outgoing Fri Apr 4 02:15:44 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id BAA25364 for firewalls-outgoing; Fri, 4 Apr 1997 01:56:40 -0800 (PST) Received: from sic.se (mailbox.sic.se [194.236.7.200]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id BAA25355 for ; Fri, 4 Apr 1997 01:56:32 -0800 (PST) Received: from pamela.sic.se (pamela [194.236.7.44]) by sic.se (8.7.5/8.7.2) with SMTP id LAA09529 for ; Fri, 4 Apr 1997 11:54:25 +0200 (MET DST) From: "Stefan Berg" X-Mailer: InterCon tcpCONNECT4 4.0.2 (Macintosh) MIME-Version: 1.0 Message-Id: <9704041155.AA16445@pamela.sic.se> Date: Fri, 4 Apr 1997 11:55:16 +0100 To: firewalls@GreatCircle.com Subject: Changeroot telnet daemon? Content-Type: Text/Plain; charset=US-ASCII Content-Disposition: Inline Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, is there such a thing as a change root telnet daemon for solaris 2.4.x or 2.5.x? Might be a stupid question, but I am in need of one.. /Stefan -- _______________________________________________________ Stefan Berg Computing Science Student University of Uppsala, Sweden. s93sbe@csd.uu.se http://www.csd.uu.se/~s93sbe _______________________________________________________ Hmm.. What do batteries run on?? 
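Added example, not part of the archived messages and not code from any tool named in this thread: for the proxy-latency question discussed above (Douglas McNaught's request and the tcpblast/tcpspray reply), a Python harness that times small echo round trips directly and through a plug-style TCP relay on loopback, then reports the median difference. The echo server, the relay, the 2 ms per-chunk delay and every function name are constructed stand-ins for the real inside service and proxying firewall.

```python
import socket
import statistics
import threading
import time

LOOPBACK = "127.0.0.1"


def _accept_loop(listener, handler):
    """Hand each accepted connection to handler() on its own daemon thread."""
    def loop():
        while True:
            try:
                conn, _ = listener.accept()
            except OSError:  # listener was closed
                return
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()


def start_echo_server():
    """Stand-in for the inside service: echoes every byte back."""
    def handle(conn):
        try:
            with conn:
                while True:
                    data = conn.recv(4096)
                    if not data:
                        return
                    conn.sendall(data)
        except OSError:
            pass
    listener = socket.create_server((LOOPBACK, 0))
    _accept_loop(listener, handle)
    return listener, listener.getsockname()[1]


def start_relay(target_port, delay=0.0):
    """Stand-in for the proxying firewall: a plug-style TCP relay.

    delay is a constructed per-chunk processing cost, in seconds.
    """
    def pump(src, dst):
        try:
            while True:
                data = src.recv(4096)
                if not data:
                    break
                if delay:
                    time.sleep(delay)
                dst.sendall(data)
        except OSError:
            pass
        finally:
            for s in (src, dst):  # unblock the opposite direction too
                try:
                    s.shutdown(socket.SHUT_RDWR)
                except OSError:
                    pass

    def handle(client):
        try:
            upstream = socket.create_connection((LOOPBACK, target_port))
        except OSError:
            client.close()
            return
        with client, upstream:
            for s in (client, upstream):
                s.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)
            back = threading.Thread(target=pump, args=(upstream, client), daemon=True)
            back.start()
            pump(client, upstream)
            back.join()
    listener = socket.create_server((LOOPBACK, 0))
    _accept_loop(listener, handle)
    return listener, listener.getsockname()[1]


def measure_rtt(port, samples=20, payload=b"x" * 64):
    """Return one round-trip time (seconds) per sample over a single connection."""
    rtts = []
    with socket.create_connection((LOOPBACK, port), timeout=5) as s:
        s.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)
        for _ in range(samples):
            t0 = time.perf_counter()
            s.sendall(payload)
            got = b""
            while len(got) < len(payload):
                chunk = s.recv(len(payload) - len(got))
                if not chunk:
                    raise ConnectionError("peer closed mid-sample")
                got += chunk
            rtts.append(time.perf_counter() - t0)
            if got != payload:
                raise ValueError("echo mismatch")
    return rtts


def added_latency(samples=20, delay=0.002):
    """Median RTT direct vs. through the relay; 'added' is the proxy overhead."""
    echo, echo_port = start_echo_server()
    relay, relay_port = start_relay(echo_port, delay)
    try:
        direct = statistics.median(measure_rtt(echo_port, samples))
        proxied = statistics.median(measure_rtt(relay_port, samples))
    finally:
        echo.close()
        relay.close()
    return {"direct": direct, "proxied": proxied, "added": proxied - direct}


if __name__ == "__main__":
    r = added_latency()
    print("direct %.3f ms, proxied %.3f ms, added %.3f ms"
          % tuple(1000 * r[k] for k in ("direct", "proxied", "added")))
```

The median is used rather than the mean so that a single scheduling stall does not skew the figure; against a real firewall, point measure_rtt at an echo service reached once directly and once through the proxy.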
From owner-firewalls-outgoing Fri Apr 4 02:20:15 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id BAA25006 for firewalls-outgoing; Fri, 4 Apr 1997 01:48:37 -0800 (PST) Received: from relay.eunet.pt (relay.EUnet.pt [193.126.4.65]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id BAA24996 for ; Fri, 4 Apr 1997 01:48:17 -0800 (PST) Received: from mail.bvl.pt (uucp@localhost) by relay.eunet.pt (8.7.5/8.7.3) with UUCP id KAA29962 for firewalls@GreatCircle.COM; Fri, 4 Apr 1997 10:46:44 +0100 (WET DST) Received: from mail.bvl.pt by jessica.bvl.pt with SMTP id AA12821 (5.65c/IDA-1.4.4 for ); Fri, 4 Apr 1997 10:19:31 GMT Received: by mail.bvl.pt with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5) id <01BC40E1.F6876960@mail.bvl.pt>; Fri, 4 Apr 1997 10:21:30 +0100 Message-Id: From: =?iso-8859-1?Q?Ant=F3nio_Vasconcelos?= To: "'firewalls@GreatCircle.COM'" , "'Gregory Wilkins'" Subject: RE: POP Server Date: Fri, 4 Apr 1997 10:21:30 +0100 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >---------- >From: Gregory Wilkins[SMTP:greg@wye.com] >Sent: quinta-feira, 3 de abril de 1997 23:26 >To: firewalls@GreatCircle.COM >Subject: POP Server > >How does one setup the firewall to accept a POP protocol. > >I have a POP Server on the inside of my firewall on a "private" network, >and want my users to be able to use Eudora or something to connect to my >POP server. > >I can not move the POP server to the outside of the firewall, since it >is an NT Server that is utilized for file and print services. 
> >Now the tricky part...my external DNS knows NOTHING about my internal >network and it's hosts...so if I can get a POP protcol to pass thru the >firewall, how will Eudora know where to find the popserver w/o DNS >lookup, since the IP Addresses on the internal network is "bogus"? > >Help???? > Assuming that your firewall soft have something like TIS's plug-gw all you have to do is setup a plug connecting port 110 of the firewall to port 110 of your pop server. The users would call the external ip addr of the firewall, so no DNS proble here. Hope this helps... From owner-firewalls-outgoing Fri Apr 4 02:45:46 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id CAA27935 for firewalls-outgoing; Fri, 4 Apr 1997 02:31:11 -0800 (PST) Received: from shoukui.pku.edu.cn (shoukui.pku.edu.cn [162.105.127.171]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id CAA27924 for ; Fri, 4 Apr 1997 02:31:02 -0800 (PST) Received: (from ccdzh@localhost) by shoukui.pku.edu.cn (8.6.12/8.6.9) id SAA01069; Fri, 4 Apr 1997 18:31:17 +0800 Date: Fri, 4 Apr 1997 18:31:17 +0800 (GMT+0800) From: Duan Zhenhai To: firewalls@greatcircle.com Subject: statistic of Network incidents Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello, Everyone, I want to know some statistic of the Internet security incidents, such as there are how many security incidents every year, where can I find them? Thank you in advance! 
////////////////////////////////////////////////////////////////// Duan Zhenhai Room 1105,BLDG.47 ccdzh@pku.edu.cn Peking University Beijing 100871 P.R.China URL: http://shoukui.pku.edu.cn/duan From owner-firewalls-outgoing Fri Apr 4 03:00:44 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id CAA01124 for firewalls-outgoing; Fri, 4 Apr 1997 02:55:47 -0800 (PST) Received: from coyote.tech.telepac.pt (bdshack.telepac.pt [194.65.3.124]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id CAA01073 for ; Fri, 4 Apr 1997 02:55:27 -0800 (PST) Received: from torquemada ([194.65.3.123]) by coyote.tech.telepac.pt (8.8.4/8.8.4) with SMTP id MAA07302 for ; Fri, 4 Apr 1997 12:52:19 +0100 Message-Id: <3.0.1.32.19970404115500.00928370@mail.tech.telepac.pt> X-Sender: jbf@mail.tech.telepac.pt X-Mailer: Windows Eudora Light Version 3.0.1 (32) Date: Fri, 04 Apr 1997 11:55:00 +0100 To: firewalls@GreatCircle.COM From: Joao Brazao Ferreira Subject: RE: POP Server In-Reply-To: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk -----BEGIN PGP SIGNED MESSAGE----- At 10:21 04-04-1997 +0100, you wrote: >>How does one setup the firewall to accept a POP protocol. >> >>I have a POP Server on the inside of my firewall on a "private" network, >>and want my users to be able to use Eudora or something to connect to my >>POP server. >> >>I can not move the POP server to the outside of the firewall, since it >>is an NT Server that is utilized for file and print services. >> >>Now the tricky part...my external DNS knows NOTHING about my internal >>network and it's hosts...so if I can get a POP protcol to pass thru the >>firewall, how will Eudora know where to find the popserver w/o DNS >>lookup, since the IP Addresses on the internal network is "bogus"? >> >>Help???? 
>> > >Assuming that your firewall soft have something like TIS's plug-gw all >you have to do is setup a plug connecting port 110 of the firewall to >port 110 of your pop server. >The users would call the external ip addr of the firewall, so no DNS >proble here. > Assuming that your firewall soft doesn't have something like TIS's plug-gw, but has Address Translation, you can map a static address to your POP bogus address, so the server can be recognized. Joao Brazao Ferreira -----BEGIN PGP SIGNATURE----- Version: 2.6.3ia Charset: cp850 iQCVAwUBM0TsEfQQmRsxJAS5AQHzQwQAw9PChA8bnmGTgz7GDgZoOY2OmZ2uPUrg wRNf7jvTsBGxIhfpEe+XHJS1NPdDpNV4YxNj8i0t55WK5bfBTX7c/ElHeeL/D9fS gIoZXUDJeWJ5jxio3Z42Mpn2MydaeJsiNutaAoZynUbd1fPBDRuAAD/q0W0qqr8w kx8ZxxbqEJc= =DXRT -----END PGP SIGNATURE----- +------------------------------------------------------------------+ | Consultadoria e Desenvolvimento de Servicos | | Telepac - Servicos de Telecomunicacoes, S.A. | | PGP Public Key: http://www-swiss.ai.mit.edu/~bal/pks-toplev.html | +------------------------------------------------------------------+ From owner-firewalls-outgoing Fri Apr 4 06:21:03 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA12889 for firewalls-outgoing; Fri, 4 Apr 1997 06:00:32 -0800 (PST) Received: from netcomm.NetComm.IE (csh069.emirates.net.ae [194.170.124.69]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id GAA12877 for ; Fri, 4 Apr 1997 06:00:23 -0800 (PST) Received: from [129.156.240.33] (kevin-mac [129.156.240.33]) by netcomm.NetComm.IE (8.8.0/8.7) with ESMTP id RAA05882; Fri, 4 Apr 1997 17:13:14 +0400 X-Sender: kevinbr@129.156.240.1 Message-Id: In-Reply-To: References: <334494EC.6EEB16E5@novare.net> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 4 Apr 1997 17:23:09 +0300 To: Ron DuFresne From: Kevin Brown Subject: Re: Measuring latency through a proxy firewall--tools? 
Cc: m* , firewalls Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Don't forget bing, a bandwidth "ping" tool........simple but effective Kevin At 10:53 +0300 4/4/97, Ron DuFresne wrote: >I'm surprised no one has yet mentioned either tcpspray nor tcpblast: > >darkstar:/usr/local/sbin# tcpblast -t parka 100 >read SO_SNDBUF = 65535 >Sending non-random TCP data using 1024 B blocks. >............................................................................... >..................... >100 KB in 14251 msec = 57483.7 b/s = 7185.5 B/s = 7.0 KB/s >darkstar:/usr/local/sbin# > >darkstar:/usr/local/sbin# tcpspray parka > >Transmitted 102400 bytes in 14.221252 seconds (7.032 kbytes/s) >darkstar:/usr/local/sbin# > >Now, for the testing of firewall proxies, combined with netcat, I think >tcpblast is prolly more flexible...though with netcat by hobbit, both may >well suit the bill... > >Later, > >Ron DuFresne > >On Thu, 3 Apr 1997, m* wrote: > >> Douglas McNaught wrote: >> > >> > I've been asked to provide a measurement of the additional packet >> > latency imposed by our proxying firewall. Anybody know of some tools >> > for this purpose, before I go and hack up some custom code? Free >> > source code for Unix preferred... >> >> how about bing? >> >> while it's averages may be experimental, can it effectively >> estimate firewall throughput? >> >> m* >> >> -- >> "The Shining One" >> -- >> > >~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >"Cutting the space budget really restores my faith in humanity. It >eliminates dreams, goals, and ideals and lets us get straight to the >business of hate, debauchery, and self-annihilation." -- Johnny Hart > ***testing, only testing, and damn good at it too!*** > >OK, so you're a Ph.D. Just don't touch anything.
//////////////////////////////////////////////////////////// Kevin Brown | N \ We operate in Ireland, UK NetComm | e / and the Middle East Internet Training, | t \ --DUBAI-- Consultancy and Networking | C / Voice: +971-4-491476 | o \ Fax: +971-4-492957 Sun Microsystems | m / Internet Associate | m \ | / The Internet | \ email: kevinbr@netcomm.ie Experts | / info@netcomm.ie | \ http://www.netcomm.ie \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ From owner-firewalls-outgoing Fri Apr 4 06:46:09 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA13630 for firewalls-outgoing; Fri, 4 Apr 1997 06:30:27 -0800 (PST) Received: from mail.clark.net (mail.clark.net [168.143.0.10]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id GAA13619 for ; Fri, 4 Apr 1997 06:30:20 -0800 (PST) Received: from mjr.clark.net (mjr.clark.net [168.143.19.61]) by mail.clark.net (8.8.5/8.6.5) with SMTP id JAA21461 for ; Fri, 4 Apr 1997 09:28:18 -0500 (EST) Message-Id: <199704041428.JAA21461@mail.clark.net> Comments: Authenticated sender is From: "Marcus J. Ranum" Organization: V-ONE Corp Baltimore office To: firewalls@GreatCircle.COM Date: Fri, 4 Apr 1997 09:31:32 +0000 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Re: inetd looping in toolkit Reply-to: mjr@clark.net X-mailer: Pegasus Mail for Win32 (v2.42a) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Sandeep_Talwar@INDIA.notes.pwa.co.in writes: > my.hostname named[70] : recv from : Connection refused > my.hostname inetd[68] : www/tcp server failing ( looping ), service Inetd will terminate a process that respawns too fast, as the http-gw does under load. What you need to do is use the "beta" version of the toolkit and instead of starting the proxy from inetd.conf, start it in rc.local with the -daemon portnumber flag. mjr. ----- Marcus J. 
Ranum, Chief Scientist, V-ONE Corporation Work: http://www.v-one.com Personal: http://www.clark.net/pub/mjr From owner-firewalls-outgoing Fri Apr 4 06:49:32 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA13538 for firewalls-outgoing; Fri, 4 Apr 1997 06:27:26 -0800 (PST) Received: from niprnet_gw.bragg.army.mil ([158.5.7.72]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id GAA13531 for ; Fri, 4 Apr 1997 06:27:22 -0800 (PST) Received: by niprnet_gw.bragg.army.mil with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5) id <01BC40DA.3E9EE460@niprnet_gw.bragg.army.mil>; Fri, 4 Apr 1997 09:26:15 -0500 Message-ID: From: Than Maung To: "'FIrewalls@GreatCircle.com'" , "'Viorel Dehelean'" Subject: RE: NT 4.0 Inet Server Date: Fri, 4 Apr 1997 09:26:13 -0500 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk 1) Are the other computers on the lan configured to use DNS? 2) Is your IS in your DNS database? 3) Are the netbios name and the DNS name are the same for your IS? Than >---------- >From: Viorel Dehelean[SMTP:vdehelean@flex.ro] >Sent: Friday, April 04, 1997 1:48 AM >To: FIrewalls@GreatCircle.com >Subject: NT 4.0 Inet Server > >So , i am bothering you again ... >Since this is my first time with NT4.0 , i have installed Internet Server. >But from other computers (on lan) i can only connect using the ip adress >not the dns name. >Why ? >I know is bad configured , and i hope to get some answers. > >Thanx > >Best Regards , >Viorel Dehelean AKA Powerman - Risc Team >vdehelean@flex.ro powerm@usa.net >http://www.flex.ro/RISC >Tel. Home : 039-615151 >Tel. 
Work : 039-641841 > From owner-firewalls-outgoing Fri Apr 4 07:31:29 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA15793 for firewalls-outgoing; Fri, 4 Apr 1997 07:04:51 -0800 (PST) Received: from lab58-12.ims.advantis.com (pony-express.ims.advantis.com [192.231.11.167]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id HAA15786 for ; Fri, 4 Apr 1997 07:04:45 -0800 (PST) Received: (from uucp@localhost) by lab58-12.ims.advantis.com (8.6.9/95.10.11) id JAA09853 for ; Fri, 4 Apr 1997 09:57:50 -0500 Received: from carfax.ims.advantis.com(164.120.32.46) by lab58_12 via smap (V1.3) id sma008057; Fri Apr 4 09:57:47 1997 Received: by carfax.ims.advantis.com (8.6.9/4.03) id KAA120818; Fri, 4 Apr 1997 10:12:23 -0500 Date: Fri, 4 Apr 1997 10:12:22 -0500 (EST) From: Peter Yau To: firewalls@GreatCircle.com Subject: SATAN in Linux OS Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Can someone tell me if they have run SATAN under the Linux OS? Each time I invoke satan, nothing appears to occur. I've worked with SATAN under x86 Solaris w/o any hitch. Are there special considerations under Linux? Thank you all in advance. From owner-firewalls-outgoing Fri Apr 4 07:33:55 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA13792 for firewalls-outgoing; Fri, 4 Apr 1997 06:33:49 -0800 (PST) Received: from mail.clark.net (mail.clark.net [168.143.0.10]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id GAA13785 for ; Fri, 4 Apr 1997 06:33:43 -0800 (PST) Received: from mjr.clark.net (mjr.clark.net [168.143.19.61]) by mail.clark.net (8.8.5/8.6.5) with SMTP id JAA22879 for ; Fri, 4 Apr 1997 09:31:56 -0500 (EST) Message-Id: <199704041431.JAA22879@mail.clark.net> Comments: Authenticated sender is From: "Marcus J. 
Ranum" Organization: V-ONE Corp Baltimore office To: firewalls@GreatCircle.COM Date: Fri, 4 Apr 1997 09:35:10 +0000 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Re: Measuring latency through a proxy firewall--tools? Reply-to: mjr@clark.net X-mailer: Pegasus Mail for Win32 (v2.42a) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Douglas McNaught writes: > I've been asked to provide a measurement of the additional packet > latency imposed by our proxying firewall. Anybody know of some tools > for this purpose, before I go and hack up some custom code? Free > source code for Unix preferred... Check out the work Andrew Molitor from NSC did for the firewalls performance project: http://www.clark.net/pub/mjr/pubs/fwperf/index.htm It includes source code for a workload generator and some basic measurement tools. mjr. ----- Marcus J. Ranum, Chief Scientist, V-ONE Corporation Work: http://www.v-one.com Personal: http://www.clark.net/pub/mjr From owner-firewalls-outgoing Fri Apr 4 07:43:18 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA14148 for firewalls-outgoing; Fri, 4 Apr 1997 06:41:08 -0800 (PST) Received: from mail.clark.net (mail.clark.net [168.143.0.10]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id GAA14123 for ; Fri, 4 Apr 1997 06:40:49 -0800 (PST) Received: from mjr.clark.net (mjr.clark.net [168.143.19.61]) by mail.clark.net (8.8.5/8.6.5) with SMTP id JAA25441 for ; Fri, 4 Apr 1997 09:38:55 -0500 (EST) Message-Id: <199704041438.JAA25441@mail.clark.net> Comments: Authenticated sender is From: "Marcus J. 
Ranum" Organization: V-ONE Corp Baltimore office To: firewalls@GreatCircle.COM Date: Fri, 4 Apr 1997 09:42:09 +0000 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Re: haystack info Reply-to: mjr@clark.net X-mailer: Pegasus Mail for Win32 (v2.42a) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Stuart Johnson writes: > I have tried to contact Steve Smaha but have not been able to reach > him. Have you tried a telephone?? The number on their web page works fine and last time I called Steve he answered on the second ring. He's still running the show there and (though I may not be the right person to judge) he's no raving lunatic. On the other hand, one has to wonder what motivates someone to post something like Stuart did to a public mailing list. Bit of the old smear campaign? Which of Haystack's competitors do you work for, Stuart? mjr. ----- Marcus J. Ranum, Chief Scientist, V-ONE Corporation Work: http://www.v-one.com Personal: http://www.clark.net/pub/mjr From owner-firewalls-outgoing Fri Apr 4 07:45:58 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA20048 for firewalls-outgoing; Fri, 4 Apr 1997 07:43:35 -0800 (PST) Received: from emout01.mail.aol.com (emout01.mx.aol.com [198.81.11.92]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id HAA20041 for ; Fri, 4 Apr 1997 07:43:30 -0800 (PST) From: BPobric@aol.com Received: (from root@localhost) by emout01.mail.aol.com (8.7.6/8.7.3/AOL-2.0.0) id KAA27275; Fri, 4 Apr 1997 10:42:01 -0500 (EST) Date: Fri, 4 Apr 1997 10:42:01 -0500 (EST) Message-ID: <970404104159_-1335939100@emout01.mail.aol.com> To: DWebb@capgemini.com cc: pdmallya@inf.com, firewalls@greatcircle.com Subject: Re: Firewall Architecture for Web, Database Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In a message dated 97-04-03 19:30:52 EST, you write: << pdmallya@inf.com CC: firewalls@GreatCircle.COM >> Hi Dean, Thanks a lot 
for your response. What I meant was to use NetBEUI only between Database server and Web server. This way nobody from the outside should be able to attack their Database Server. This would be the case if they do not need to talk to their Database server from the network. If they do, like you said they probably need to run TCP/IP. What do you think? Braco Pobric bpobric@aol.com From owner-firewalls-outgoing Fri Apr 4 07:59:53 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA15539 for firewalls-outgoing; Fri, 4 Apr 1997 07:01:14 -0800 (PST) Received: from earth.usa.net (earth.usa.net [192.156.196.1]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id HAA15506 for ; Fri, 4 Apr 1997 07:01:04 -0800 (PST) Received: (from grey@localhost) by earth.usa.net (8.8.4/8.8.4) id HAA05383 for firewalls@greatcircle.com; Fri, 4 Apr 1997 07:59:31 -0700 (MST) From: Donald Martin Message-Id: <199704041459.HAA05383@earth.usa.net> Subject: VPN Info Desired To: firewalls@greatcircle.com Date: Fri, 4 Apr 1997 07:59:30 -0700 (MST) X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I'm certain that I remember discussions about VPN on this list before, but I have a couple simple questions I'm hoping to get help with. Has anybody on the list implemented VPN using the Xylogics or Bay Networks remote annex hardware? Can someone please provide me with a short & sweet technical overview of VPN and implementation tactics please?
After a conversation with a fairly talented engineer at Bay Networks who mentioned to me this new SuperISP setup whereas an ISP can offer dialup services in a specific part of the country or world and pipe a network connection to a corporate network or to another ISP in a different part of the country or world via frame relay, I'm wondering if this is precisely the same scenario as setting up a VPN. I don't recall the word 'encryption' coming up in the conversation at all, but instead, we talked about setting up routers and ip filters to avoid possible security issues. Authentication would be performed on the remote network via Radius, the annex being used simply for the modem and local phone line. A menu would be presented to the user dialing in, providing a choice of networks with which to connect, and then the session is piped to that network and the user is authenticated via the Radius server. Hmmm. Is anybody actually setting up something like this? Bye Bye phone companies, hello ISP??? -- Donald R. 
Martin New Edge Technologies email: grey@usa.net web : www.usa.net/~grey/ From owner-firewalls-outgoing Fri Apr 4 08:32:13 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA25505 for firewalls-outgoing; Fri, 4 Apr 1997 08:18:35 -0800 (PST) Received: from explorer.csc.com (explorer.csc.com [20.1.10.27]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id IAA25411 for ; Fri, 4 Apr 1997 08:18:12 -0800 (PST) Received: from tc24750(really [205.128.247.50]) by explorer.csc.com via smtpd with smtp id for ; Fri, 4 Apr 1997 11:14:16 -0500 (EST) (Smail-3.2.0.92 1997-Feb-9 #2 built 1997-Mar-11) Message-ID: <33452806.6479@csc.com> Date: Fri, 04 Apr 1997 11:10:46 -0500 From: Joe Loiacono Organization: Computer Sciences Corporation X-Mailer: Mozilla 3.0 (X11; I; SunOS 5.5 sun4m) MIME-Version: 1.0 To: Viorel Dehelean CC: FIrewalls@GreatCircle.com Subject: Re: NT 4.0 Inet Server References: <199704040738.KAA31847@flex.flex.ro> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Viorel Dehelean wrote: > > So , i am bothering you again ... > Since this is my first time with NT4.0 , i have installed Internet Server. > But from other computers (on lan) i can only connect using the ip address > not the dns name. > Why ? > I know is bad configured , and i hope to get some answers. Sounds like the host name has not been entered into the DNS files yet. Joe -- In theory, theory and practice are the same; In practice, they're not even close!
From owner-firewalls-outgoing Fri Apr 4 08:48:19 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA28714 for firewalls-outgoing; Fri, 4 Apr 1997 08:43:03 -0800 (PST) Received: from relay6.UU.NET (relay6.UU.NET [192.48.96.16]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id IAA28707 for ; Fri, 4 Apr 1997 08:42:55 -0800 (PST) Received: from netevolve.com by relay6.UU.NET with SMTP (peer crosschecked as: [206.136.48.11]) id QQcjvm27634; Fri, 4 Apr 1997 11:41:29 -0500 (EST) Received: from lazar (ws8.netevolve.com) by netevolve.com (4.1/SMI-4.1) id AA17433; Fri, 4 Apr 97 11:44:32 EST Message-Id: <3.0.1.32.19970404113029.00854d00@netevolve.com> X-Sender: lazar@netevolve.com X-Mailer: Windows Eudora Pro Version 3.0.1 (32) Date: Fri, 04 Apr 1997 11:30:29 -0500 To: firewalls@greatcircle.com From: Irwin Lazar Subject: Dead Web Sites Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi All, I just noticed that the ping of death page at http://prospect.epresence.com/ping/ and Dan Farmer's Internet Security Survey at http://www.trouble.org are both dead. Does anyone know if they have moved or have been taken down for any reason? Thanks, Irwin Lazar <><><><><><><><><><><><><><><><><><><><><><> Irwin Lazar IP Networking References - Network Evolutions, Inc. 
http://www.netevolve.com/lazar http://www.netevolve.com lazar@netevolve.com From owner-firewalls-outgoing Fri Apr 4 09:45:59 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA05580 for firewalls-outgoing; Fri, 4 Apr 1997 09:36:49 -0800 (PST) Received: from dtcro002.apogee-com.fr (firewall.apogee-com.fr [194.2.187.130]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id JAA05569 for ; Fri, 4 Apr 1997 09:36:42 -0800 (PST) Received: by dtcro002.apogee-com.fr; id TAA29781; Fri, 4 Apr 1997 19:45:04 +0200 (MET DST) Received: from dtcxs001.apogee-com.fr(10.129.16.1) by firewall.apogee-com.fr via smap (3.2) id xma029776; Fri, 4 Apr 97 19:44:42 +0200 Received: from ingpc001.apogee-com.fr by (4.1/SMI-4.1) id AA01435; Fri, 4 Apr 97 19:33:02 +0200 Message-Id: <33453B7D.6034@apogee-com.fr> Date: Fri, 04 Apr 1997 19:33:49 +0200 From: Jean-Francois Zwobada Reply-To: zwobada@apogee-com.fr Organization: APOGEE Communications X-Mailer: Mozilla 4.0b2 (Win95; I) Mime-Version: 1.0 To: James Liang Cc: firewalls-digest@GreatCircle.COM Subject: Re: UDP through Gauntlet? X-Priority: 3 (Normal) References: <3344527C.41C6@guangzhou.sgi.com> Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk James Liang wrote: > > Hi, > > We have a VOD server behind a Gauntlet firewall which uses UDP to send > video/audio streams. Is there a way for the users outside to access the > VOD server without compromising the security ? > > James Liang > james@guangzhou.sgi.com A solution exists but is not supported by TIS. The best way is to use udprelay to relay udp as "sessions" with a tcp_wrapper scheme. We did some successful experiments here.
Hope this helps Jean-Francois -- _____ Jean-Francois Zwobada (mailto:zwobada@apogee-com.fr) _______ Apogee Communications - Parc Club Orsay Universite - 28, rue Jean Rostand 91893 ORSAY Cedex Tel: +33 1 69.85.56.47 Fax: +33 1 69.85.56.48 ___________ This guy is powered by a Z81 running CP/M ____________ From owner-firewalls-outgoing Fri Apr 4 10:00:54 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA07484 for firewalls-outgoing; Fri, 4 Apr 1997 09:58:13 -0800 (PST) Received: from servant (servant.mccaw-stg.com [205.172.10.40]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id JAA07468 for ; Fri, 4 Apr 1997 09:58:07 -0800 (PST) Received: from radiatore.mccaw-stg.com by servant (SMI-8.6/SMI-SVR4) id JAA23335; Fri, 4 Apr 1997 09:56:35 -0800 Received: by radiatore.mccaw-stg.com (SMI-8.6/SMI-SVR4) id JAA11537; Fri, 4 Apr 1997 09:56:35 -0800 Date: Fri, 4 Apr 1997 09:56:35 -0800 From: peter.gregory-unix@mccaw-stg.com (Peter Gregory) Message-Id: <199704041756.JAA11537@radiatore.mccaw-stg.com> To: firewalls@greatcircle.com, lazar@netevolve.com Subject: Re: Dead Web Sites Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Content-MD5: mtxZiGV3ZOkbz2QFgJpYXQ== Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Hi All, > I just noticed that the ping of death page at > http://prospect.epresence.com/ping/ and Dan Farmer's Internet Security > Survey at http://www.trouble.org are both dead. > > Does anyone know if they have moved or have been taken down for any reason? The ping site appears to be down, but www.trouble.org appears to be alive and well. 
-pg -- Peter Gregory [NICname PG11] peter.gregory@attws.com IT Manager, AT&T Wireless Services, Strategic Technologies Group From owner-firewalls-outgoing Fri Apr 4 10:16:00 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA06887 for firewalls-outgoing; Fri, 4 Apr 1997 09:51:35 -0800 (PST) Received: from mail1 (mail1.ci.chi.il.us [199.177.48.3]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id JAA06870 for ; Fri, 4 Apr 1997 09:51:28 -0800 (PST) Received: by mail1 (SMI-8.6/SMI-SVR4) id LAA16047; Fri, 4 Apr 1997 11:44:34 -0600 From: minaba@mail1.ci.chi.il.us (Mark Inaba) Message-Id: <199704041744.LAA16047@mail1> Subject: Re: New Security Technology (fwd) To: firewalls@GreatCircle.COM Date: Fri, 4 Apr 1997 11:44:33 -0600 (CST) X-Mailer: ELM [version 2.4 PL25] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Forwarded message: > This may actually _not_ be April Fool's joke. As for pornography, I > would say that it is definitely possible. The likeliest way they could > have done it is genetic algorithms applied to neural networks. The > description of how it works is not relevant to this forum, but it > basically involves randomly trying solutions, choosing which one is > best, combining top nn solutions until you get an acceptable result. > THEY probably didn't invent any algorithms themselves, and probably > don't know how their neural network does this. I hasten to add that > neural networks have proven successful in pattern recognition, eg > recognizing male - female faces. It involves a lot of CPU time and > power, and they felt that not many people would view black&white > pornography, so they probably decided not to waste money on that. > Neural networks and some other advanced AI techniques may have been > applied to make unknown intrusion patterns recognizable through > categorized generalization.
> maybe it's just a dumb program that looks for a lot of fleshtones being displayed. using line extractors and neural nets for face recognition might be overkill..and then there's the possibility that faces are not the primary feature in pornography (heheh) :) -Mark From owner-firewalls-outgoing Fri Apr 4 10:30:49 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA10996 for firewalls-outgoing; Fri, 4 Apr 1997 10:27:03 -0800 (PST) Received: from gate1.grandmet.com (gate1.grandmet.com [199.254.239.189]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id KAA10922 for ; Fri, 4 Apr 1997 10:26:50 -0800 (PST) From: DSAWYER@PILLSBURY.COM Received: by gate1.grandmet.com; id AA201818558; Fri, 4 Apr 1997 12:29:18 -0600 Received: from urmph07.grandmet.com(153.13.7.1) by gate1.grandmet.com via smap (3.2) id xma020156; Fri, 4 Apr 97 12:29:14 -0600 X400-Originator: DSAWYER@PILLSBURY.COM X400-Recipients: firewalls@greatcircle.com X400-Mts-Identifier: [/PRMD=PILLSBURY/ADMD=ATTMAIL/C=US/;0035600002046493000002] X400-Content-Type: P2-1988 (22) Message-Id: <0035600002046493000002*@MHS> To: "firewalls(a)greatcircle.com" Subject: xntpd and gauntlet 3.2 Date: Fri, 4 Apr 1997 12:51:20 -0600 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Gauntlet firewall (TIS) fundamentally does not allow udp based services through the firewall. We really only need it for synchronization, however somebody got the idea of getting time from the Internet and here we are. How can you make xntpd work? In order to reduce the bouncing that could go on, here is what I already know. -Run xntpd on the firewall, chroot it, use authentication, and have it be your highest level stratum server. -Have your second level of time servers poll your time server on the firewall. -Have those second level stratums broadcast to other devices. In a nutshell what I need to know is how do I get udp based packets on port 123 through the firewall? 
Anybody have any ideas? Thanks in advance- Douglas R. Sawyer From owner-firewalls-outgoing Fri Apr 4 10:46:15 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA13125 for firewalls-outgoing; Fri, 4 Apr 1997 10:42:10 -0800 (PST) Received: from endeavor.flash.net (endeavor.flash.net [208.194.223.40]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id KAA13112 for ; Fri, 4 Apr 1997 10:42:03 -0800 (PST) Received: from logicon.flash.net (aush2-143.flash.net [207.181.231.143]) by endeavor.flash.net (8.8.5/8.8.5) with SMTP id MAA12753; Fri, 4 Apr 1997 12:36:40 -0600 (CST) Message-ID: <3345644F.397B@flash.net> Date: Fri, 04 Apr 1997 12:27:59 -0800 From: Vern Williams Organization: Locicon, Inc X-Mailer: Mozilla 2.02 (Win95; I; 16bit) MIME-Version: 1.0 To: inskeep_chris@geologics.com CC: mam , mmozes@fujitsu.ca, firewalls@GreatCircle.COM Subject: Re: Frame Relay References: <33407C1F.7362@geologics.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Chris Inskeep wrote: > > mam wrote: > > > > On Mon, 31 Mar 1997 mmozes@fujitsu.ca wrote: > > > > > > > > Can someone tell me how secure Frame Relay network is? > > > > How secure do you believe the telco's network is? To exploit the frame > > you need switch level access (or someone who does). > > > > Mike > > ( ( | ( Mike Malik (mam@ssds.com) > > ) ) (| ), inc. 9841 Broken Land Parkway,Suite 100 > > business driven Columbia, MD 21046 > > technology solutions 410-381-4313 FAX: 410-381-2170 > A really good point is raised in this observation. We put firewalls in > place to protect our networks, but tend to forget about the public > networks that carry our data between firewalls. Does anyone remember > the MCI case a couple of years ago? I am less than sanguine about the > security of the telco people -- after all security is a cost and they > are after a profit.
Has anyone put security reqs with real penalties > into their contracts with the telcos? AND the results? I suspect > there would be a fair number of no-bids....which makes a compelling > argument for encryption -- but for the people who are uncomfortable > with commercially available encryption, how much of a comfort is that? > > Cheers, > C. Inskeep There are several solutions to encryption across WAN links including Frame Relay. The Cisco routers have a software option for the 11.2.4 IOS that gives you either 40 (not secure) or 56 bit DES encryption and secure router authentication and key distribution. The info on the 56 bit key length is that it takes 19 days and $500,000 to do a brute force attack. As the $ increases, the time goes down. The other consideration is what % of the info needs security. If only 2-4% is valuable to the snooper then it becomes cost prohibitive (unless it is extremely valuable) to break all of your traffic to get at that piece. The other option is a stand alone encryptor between your router and the wan. The company I am familiar with in this arena is Cylink out of San Jose Ca.
Good luck, Vern Williams From owner-firewalls-outgoing Fri Apr 4 11:12:38 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA15225 for firewalls-outgoing; Fri, 4 Apr 1997 10:58:04 -0800 (PST) Received: from matav.hu (firewall.matav.hu [145.236.225.161]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id KAA15203 for ; Fri, 4 Apr 1997 10:57:53 -0800 (PST) Received: from tiivs7.tii.matav.hu ([145.236.48.148]) by firewall.matav.hu with SMTP id <55561-1>; Fri, 4 Apr 1997 19:54:47 +0100 Received: from piheno.tii.matav.hu by tiivs7.tii.matav.hu (MX V4.1 VAX) with SMTP; Fri, 04 Apr 1997 20:55:58 MET Received: from localhost (mag@localhost) by piheno.tii.matav.hu (8.8.4/8.8.4) with SMTP id VAA00650; Fri, 4 Apr 1997 21:57:52 +0200 Date: Fri, 4 Apr 1997 20:57:52 +0100 From: "Magossa'nyi A'rpa'd" To: Peter Yau CC: firewalls@GreatCircle.COM Subject: Re: SATAN in Linux OS In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=ISO-8859-2 Content-Transfer-Encoding: QUOTED-PRINTABLE Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 4 Apr 1997, Peter Yau wrote: > Date: Fri, 4 Apr 1997 16:12:22 +0100 > From: Peter Yau > To: firewalls@GreatCircle.COM > Subject: SATAN in Linux OS > > Can someone tell me if they have run SATAN under the Linux OS? Each time I > invoke satan, nothing appears to occur. I've worked with SATAN under x86 > Solaris w/o any hitch. Are there special considerations under Linux? > Thank you all in advance. > Satan tries to run a web browser for its user interface. I could use it with Mosaic. I guess the problem's source was that my other browsers (lynx and Netscape) had been configured to use proxy. First I've found Satan pretty useless. After I've written the following line: /offers \S+/ $text into rules/services, and changed the facts file as to warn for _every_ version of sendmail, the situation had improved. Anyone has other good rules to improve Satan?
It comes with a pretty useless set of rules for vulnerability warnings, and can figure out only some operating systems. I'm sure, it _can_ be configured to be a very powerful tool. --- GNU GPL: only from a clean source From owner-firewalls-outgoing Fri Apr 4 11:17:43 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA16467 for firewalls-outgoing; Fri, 4 Apr 1997 11:10:30 -0800 (PST) Received: from polaris.pacificnet.net (polaris.pacificnet.net [207.171.0.250]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id LAA16442 for ; Fri, 4 Apr 1997 11:10:22 -0800 (PST) Received: from default (pm3b-29.pacificnet.net [207.171.18.78]) by polaris.pacificnet.net (8.6.11/8.6.11) with SMTP id LAA11011; Fri, 4 Apr 1997 11:04:36 -0800 Message-ID: <3345524D.783@pacificnet.net> Date: Fri, 04 Apr 1997 11:11:09 -0800 From: Osiris Organization: Abode of the Dead X-Mailer: Mozilla 3.01Gold (Win95; I) MIME-Version: 1.0 To: Irwin Lazar CC: firewalls@GreatCircle.COM Subject: Re: Dead Web Sites References: <3.0.1.32.19970404113029.00854d00@netevolve.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Irwin Lazar wrote: > > Hi All, > I just noticed that the ping of death page at > http://prospect.epresence.com/ping/ and Dan Farmer's Internet Security > Survey at http://www.trouble.org are both dead. > Not true, at least in the second case. You have pointed to Dan's top-level page, which has nothing more than a cool quote by Hunter Thompson.
Go here instead: http://www.trouble.org/survey/ From owner-firewalls-outgoing Fri Apr 4 12:16:10 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA23182 for firewalls-outgoing; Fri, 4 Apr 1997 12:09:12 -0800 (PST) Received: from proxy3.ba.best.com (proxy3.ba.best.com [206.184.139.14]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id MAA23144 for ; Fri, 4 Apr 1997 12:09:03 -0800 (PST) Received: from kgibbs.realogic.com ([204.240.200.36]) by proxy3.ba.best.com (8.8.5/8.8.3) with ESMTP id MAA02111; Fri, 4 Apr 1997 12:00:07 -0800 (PST) Message-Id: <199704042000.MAA02111@proxy3.ba.best.com> Reply-To: From: "Kelly E. Gibbs" To: , "Irwin Lazar" Subject: Re: Dead Web Sites Date: Fri, 4 Apr 1997 13:55:29 -0800 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1155 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Irwin: Interesting this happened. Also, quick question, I've been trying to post a message to the firewalls@greatcircle.com group. Do I send my article to majordomo@greatcircle.com or to firewalls@greatcircle.com????? 
Kelly From owner-firewalls-outgoing Fri Apr 4 12:42:29 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA23617 for firewalls-outgoing; Fri, 4 Apr 1997 12:12:13 -0800 (PST) Received: from twinds.com (eagle.twinds.com [206.153.22.1]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id MAA23583 for ; Fri, 4 Apr 1997 12:12:05 -0800 (PST) Received: by twinds.com; id PAA23063; Fri, 4 Apr 1997 15:10:26 -0500 (EST) Received: from hawk.twinds.com(207.2.239.3) by eagle.twinds.com via smap (3.2) id xma023056; Fri, 4 Apr 97 15:10:15 -0500 Date: Fri, 4 Apr 1997 15:10:15 -0500 ("EST) From: Arley Carter X-Sender: ac@hawk.twinds.com To: DSAWYER@PILLSBURY.COM cc: "firewalls(a)greatcircle.com" Subject: Re: xntpd and gauntlet 3.2 In-Reply-To: <0035600002046493000002*@MHS> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 4 Apr 1997 DSAWYER@PILLSBURY.COM wrote: > > In a nutshell what I need to know is how do I get udp based packets on > port 123 through the firewall? > > Anybody have any ideas? > > Thanks in advance- > Douglas R. Sawyer > Bad Idea. Set up the firewall to be the authoritative time source for the domain using xntpd to the outside world. Set the firewall to broadcast time to the networks you want. Have the inside machines listen to time broadcasts from the firewall. No need to pass udp through the firewall. Cheers: -arc Arley Carter Tradewinds Technologies, Inc.
Winston-Salem, NC USA email: ac@twinds.com www: http://www.twinds.com From owner-firewalls-outgoing Fri Apr 4 12:56:19 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA25996 for firewalls-outgoing; Fri, 4 Apr 1997 12:31:19 -0800 (PST) Received: from cinna.ultra.net (cinna.ultra.net [199.232.56.8]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id MAA25971 for ; Fri, 4 Apr 1997 12:31:07 -0800 (PST) Received: from zandar.judge.org (firewall-user@joesmac.ultranet.com [199.232.59.222]) by cinna.ultra.net (8.8.5/ult1.04) with SMTP id PAA30793; Fri, 4 Apr 1997 15:29:30 -0500 (EST) Received: by zandar.judge.org with Microsoft Mail id <01BC410C.8EADD060@zandar.judge.org>; Fri, 4 Apr 1997 15:26:24 -0500 Message-ID: <01BC410C.8EADD060@zandar.judge.org> From: Joseph Judge To: "firewalls(a)greatcircle.com" , "'DSAWYER@PILLSBURY.COM'" Subject: RE: xntpd and gauntlet 3.2 Date: Fri, 4 Apr 1997 15:26:21 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk 1- Buy a GPS time source (couple hundred US dollars?) and plug it in somewhere: -- on a firewall machine, company can sync against you -- on an internal machine, the firewall can sync against it I'm aiming to get off my butt and pay for a GPS clock soon ... just some higher priority items in the queue first :-) or (what I'm doing now) 2- put xntp on your firewall systems. I haven't heard anyone chroot-ing it. Sync time against some sources out on the Internet (there is a list somewhere) ... just "client" against them. Then, folks inside your firewall can "client" against you. You get time from tick.usno.navy.mil (and tock), which are, say, stratum 1s ... then your firewall systems are stratum 2 ... and you can hierarchically set up the rest of the company from there. (I've had the company name servers and routers client against the firewall ... 
then just published info to folks on how to set themselves up as clients against their local routers and/or name servers) -- -joe ---------- From: DSAWYER@PILLSBURY.COM[SMTP:DSAWYER@PILLSBURY.COM] Sent: Friday, April 04, 1997 1:51 PM To: firewalls(a)greatcircle.com Subject: xntpd and gauntlet 3.2 Gauntlet firewall (TIS) fundamentally does not allow udp based services through the firewall. We really only need it for synchronization, however somebody got the idea of getting time from the Internet and here we are. How can you make xntpd work? In order to reduce the bouncing that could go on, here is what I already know. -Run xntpd on the firewall, chroot it, use authentication, and have it be your highest level stratum server. -Have your second level of time servers poll your time server on the firewall. -Have those second level stratums broadcast to other devices. In a nutshell what I need to know is how do I get udp based packets on port 123 through the firewall? Anybody have any ideas? Thanks in advance- Douglas R. Sawyer From owner-firewalls-outgoing Fri Apr 4 13:01:46 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA26130 for firewalls-outgoing; Fri, 4 Apr 1997 12:32:41 -0800 (PST) Received: from brimstone.rnb.com (brimstone.rnb.com [204.178.80.14]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id MAA26113 for ; Fri, 4 Apr 1997 12:32:32 -0800 (PST) Received: by brimstone.rnb.com; id PAA16012; Fri, 4 Apr 1997 15:30:54 -0500 Received: from relay.rnb.com(199.99.101.2) by brimstone.rnb.com via smap (3.2) id xma015964; Fri, 4 Apr 97 15:30:50 -0500 Received: from monarch.rnb.com (monarch [150.1.33.146]) by relay.rnb.com (8.8.4/8.8.4) with SMTP id PAA13262; Fri, 4 Apr 1997 15:30:49 -0500 (EST) Comments: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Comments: Internet Message: Sender identity is not verified. 
Comments: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Message-ID: X-Mailer: XFMail 1.1-alpha [p0] on Solaris Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 8bit MIME-Version: 1.0 In-Reply-To: <0035600002046493000002*@MHS> Date: Fri, 04 Apr 1997 15:18:46 -0500 (EST) Organization: Republic National Bank From: Ken Kempster To: DSAWYER@PILLSBURY.COM Subject: RE: xntpd and gauntlet 3.2 Cc: "firewalls(a)greatcircle.com" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On 04-Apr-97 DSAWYER@PILLSBURY.COM wrote: > Gauntlet firewall (TIS) fundamentally does not allow udp based > services through the firewall. We really only need it for > synchronization, however somebody got the idea of getting time from > the Internet and here we are. How can you make xntpd work? In order > to reduce the bouncing that could go on, here is what I already know. > > -Run xntpd on the firewall, chroot it, use authentication, and have it > be your highest level stratum server. > > -Have your second level of time servers poll your time server on the > firewall. > > -Have those second level stratums broadcast to other devices. > > In a nutshell what I need to know is how do I get udp based packets on > port 123 through the firewall? I use that exact configuration here. configuring your firewall as an ntp time server you do not need to pass udp between interfaces. The firewall will keep time sync. with your internet hosts via the outside interface and then you configure an inside host to be your internal time server which syncs. with the firewall. So if you sync. with a stratum 1 server on the net to your firewall, the firewall will be stratum 2. Then your internal server will sync. with the firewall becoming a stratum 3 server. Then have all your inside hosts which you want to time sync., sync. with your new internal time server. in this config, there is no need to pass UDP between interfaces. > > Anybody have any ideas? > > Thanks in advance- > Douglas R. 
Sawyer |~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| | Ken Kempster kempster@monarch.rnb.com | | Network Systems Engineer _\|/_ | | Republic National Bank (o o) | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~oOO-(_)-OOo~~~~~~~~~~~~~~ From owner-firewalls-outgoing Fri Apr 4 13:19:56 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA00762 for firewalls-outgoing; Fri, 4 Apr 1997 13:10:44 -0800 (PST) Received: from simtel.Coast.NET (simtel.coast.net [205.149.128.6]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id NAA00750 for ; Fri, 4 Apr 1997 13:10:37 -0800 (PST) Received: from dojo.mi.org by simtel.Coast.NET (Smail3.1.28.1 #12) id m0wDGEP-0000sOC; Fri, 4 Apr 97 16:09 EST Date: Fri, 4 Apr 1997 16:09:07 -0500 (EST) To: firewalls@greatcircle.com (Firewalls Mailing List) Subject: RE: xntpd and gauntlet 3.2 From: "Mike O'Connor" Reply-To: "Mike O'Connor" X-Organization: :noitazinagrO-X Message-Id: <970404160907.mjo@dojo.mi.org> Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk :2- put xntp on your firewall systems. I haven't heard anyone :chroot-ing it. Sync time against some sources out on the :Internet (there is a list somewhere) ... just "client" against :them. Then, folks inside your firewall can "client" against :you. You get time from tick.usno.navy.mil (and tock), which :are, say, stratum 1s ... then your firewall systems are :stratum 2 ... and you can hierarchically set up the rest :of the company from there. : :(I've had the company name servers and routers client against :the firewall ... then just published info to folks on how to :set themselves up as clients against their local routers :and/or name servers) On a somewhat related note, has anyone seen problems with smartcard authentication mechanisms clashing with NTP from the Internet? How sensitive is some of the stuff "out there" to time changes? -- Michael J. 
O'Connor | WWW: http://dojo.mi.org/~mjo/ | Email: mjo@dojo.mi.org InterNIC WHOIS: MJO | (has my PGP & Geek Code info) | Phone: +1 810-848-4481 =--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--= "I assert my Fifth Amendment privilege." -Mark Fuhrman From owner-firewalls-outgoing Fri Apr 4 13:30:53 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA01230 for firewalls-outgoing; Fri, 4 Apr 1997 13:14:46 -0800 (PST) Received: from bncc1.incirlik.af.mil (bncc1.incirlik.af.mil [132.27.209.40]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id NAA01181 for ; Fri, 4 Apr 1997 13:14:38 -0800 (PST) Received: from localhost by bncc1.incirlik.af.mil with SMTP (1.37.109.15/16.2) id AA072238381; Fri, 4 Apr 1997 23:13:01 +0200 Date: Fri, 4 Apr 1997 23:13:01 +0200 (EET) From: Jason Price To: firewalls@greatcircle.com Subject: MS Exchange thru FWTK. How ? Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, Anyone proxied MS Exchange or found a secure way to pass it through the firewall ? Thanks ! Jason |-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| | Sra Jason Price | | | 39CS/SCBBN | "If you lose your connection with the | | Incirlik AB, Turkey | technology you manage, then you are | | Jason.Price@incirlik.af.mil | stumbling through the world blindly. | | pricej@bncc1.incirlik.af.mil | You may get lucky for a while, but | | Network Security Officer | luck always runs out." 
| | Unix and Web Administrator | | |-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| From owner-firewalls-outgoing Fri Apr 4 13:48:57 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA04260 for firewalls-outgoing; Fri, 4 Apr 1997 13:37:40 -0800 (PST) Received: from lammashta.oai.org (lammashta.oai.org [199.218.110.11]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id NAA04213 for ; Fri, 4 Apr 1997 13:37:29 -0800 (PST) Received: (from fsgreen@localhost) by lammashta.oai.org (8.8.5/8.8.5) id QAA07966; Fri, 4 Apr 1997 16:41:43 -0500 (EST) Date: Fri, 4 Apr 1997 16:41:43 -0500 (EST) From: Doug Greenwald To: Firewalls Subject: OAI - address translation and checkpoint - pointer please? Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk howdy, if there's anyone out there that would be willing to donate some of their precious time, please contact me privately. i'm trying to figure out if my network translation is working (using checkpoint firewall-1 version 2.1 on sun sparc running solaris 2.5.1). i either don't have the static routes set right, or it's working and i just can't verify it. thanx. doug.
Doug Greenwald DougGreenwald@oai.org Internet Information Systems Manager (216) 962 3145 Ohio Aerospace Institute ICOMP - NASA Lewis Research Center http://www.oai.org/ http://www.lerc.nasa.gov/ From owner-firewalls-outgoing Fri Apr 4 14:00:54 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA03844 for firewalls-outgoing; Fri, 4 Apr 1997 13:33:17 -0800 (PST) Received: from relay6.UU.NET (relay6.UU.NET [192.48.96.16]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id NAA03815 for ; Fri, 4 Apr 1997 13:33:09 -0800 (PST) Received: from netevolve.com by relay6.UU.NET with SMTP (peer crosschecked as: [206.136.48.11]) id QQcjwg10271; Fri, 4 Apr 1997 16:31:58 -0500 (EST) Received: from lazar (ws8.netevolve.com) by netevolve.com (4.1/SMI-4.1) id AA18171; Fri, 4 Apr 97 16:34:58 EST Message-Id: <3.0.1.32.19970404162057.00843a70@netevolve.com> X-Sender: lazar@netevolve.com X-Mailer: Windows Eudora Pro Version 3.0.1 (32) Date: Fri, 04 Apr 1997 16:20:57 -0500 To: firewalls@greatcircle.com From: Irwin Lazar Subject: Re: Dead Web Sites Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This explains why the ping of death page is down: > >Connectivity problems (alexis) Fri Apr 4 06:56:29 1997 > > Since very early Thursday, panix customers have been unable to reach any > site connected to the net via ANS. This includes AOL and CNN. Even name > service is failing. > > This is due to a routing policy failure between MCI and ANS. They are both > aware of it, and MCI has told me that they expect things to start working > again "soon" (as of 7AM Friday morning). There is a good chance that that's > true, but it's also possible that it could take them as much as the rest > of the day to get things back to normal. 
> > We're sorry for the trouble this has caused people but it's strictly > beyond our control- we can only harass the offending parties into correcting > their problem. > I've got a link to a mirror up on our IP references site. Irwin. <><><><><><><><><><><><><><><><><><><><><><> Irwin Lazar IP Networking References - Network Evolutions, Inc. http://www.netevolve.com/lazar http://www.netevolve.com lazar@netevolve.com From owner-firewalls-outgoing Fri Apr 4 14:30:54 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA09363 for firewalls-outgoing; Fri, 4 Apr 1997 14:28:29 -0800 (PST) Received: from matav.hu (firewall.matav.hu [145.236.225.161]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id OAA09336 for ; Fri, 4 Apr 1997 14:28:15 -0800 (PST) Received: from tiivs7.tii.matav.hu ([145.236.48.148]) by firewall.matav.hu with SMTP id <55583-1>; Fri, 4 Apr 1997 23:25:12 +0100 Received: from piheno.tii.matav.hu by tiivs7.tii.matav.hu (MX V4.1 VAX) with SMTP; Sat, 05 Apr 1997 00:26:19 MET Received: from localhost (mag@localhost) by piheno.tii.matav.hu (8.8.4/8.8.4) with SMTP id BAA01478; Sat, 5 Apr 1997 01:28:13 +0200 Date: Sat, 5 Apr 1997 00:28:13 +0100 From: "Magossa'nyi A'rpa'd" To: Stefan Berg CC: firewalls@GreatCircle.COM Subject: Re: Changeroot telnet daemon? In-Reply-To: <9704041155.AA16445@pamela.sic.se> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=ISO-8859-2 Content-Transfer-Encoding: QUOTED-PRINTABLE Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 4 Apr 1997, Stefan Berg wrote: > Hi, > > is there such a thing as a change root telnet daemon > for solaris 2.4.x or 2.5.x? > > Might be a stupid question, but I am in need of one.. > Some possibilities I can think of: - do a chroot wrapper, like: main(){chroot("/some/where");system("/real/telnetd");} and use it instead of your original telnetd.
- there is a free chroot utility somewhere (seems it came from 4.4BSD-Lite) just found on my linux box. I guess it does basically the same thing. CHROOT(8) UNIX System Manager's Manual NAME chroot - change root directory SYNOPSIS chroot newroot [command] DESCRIPTION The chroot command changes its root directory to the supplied directory newroot and exec's command, if supplied, or an interactive copy of your shell. -grab the source of some free telnetd, and insert a chroot somewhere in the beginning. DISCLAIMER: I haven't tried any of them, just done a quick lookup. QUESTION: Is it safe to use system() with fixed string, or is it also harmful? --- GNU GPL: only from a clean source From owner-firewalls-outgoing Fri Apr 4 14:45:42 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA10492 for firewalls-outgoing; Fri, 4 Apr 1997 14:37:50 -0800 (PST) Received: from gemcon.com (DNS2.GEMCON.COM [205.223.239.35]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id OAA10420 for ; Fri, 4 Apr 1997 14:37:36 -0800 (PST) Received: by dns2.gemcon.com id <55338>; Fri, 4 Apr 1997 17:25:58 -0500 From: "Webb, Dean" To: BPobric@aol.com Cc: pdmallya@inf.com, firewalls@GreatCircle.COM Subject: RE: Firewall Architecture for Web, Database Date: Fri, 4 Apr 1997 17:24:55 -0500 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1457.3) Content-Type: text/plain Message-Id: <97Apr4.172558est.55338@dns2.gemcon.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk How about this? NetBEUI between Firewall and Database NIC #1: No TCP/IP bound to it. TCP/IP between Database NIC #2 and rest of network if they need TCP/IP access to the DB server. This way, the DB can't be touched via the Internet, but is still available to the rest of the company's TCP/IP LAN. The catch is that it has to have the two network cards with different, exclusive bindings. Does this work for y'all? (I'm from Texas...)
> << pdmallya@inf.com > CC: firewalls@GreatCircle.COM >> > Hi Dean, > > Thanks a lot for your response. > What I meant was to use NetBEUI only between Database server and Web > server. > This way nobody from the outside should be able to attack their > Database > Server. This would be the case if they do not need to talk to their > Database > server from the network. If they do, like you said they probably need > to run > TCP/IP. > > What do you think? > > Braco Pobric > bpobric@aol.com > From owner-firewalls-outgoing Fri Apr 4 15:30:43 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA11336 for firewalls-outgoing; Fri, 4 Apr 1997 14:45:05 -0800 (PST) Received: from cinna.ultra.net (cinna.ultra.net [199.232.56.8]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id OAA11295 for ; Fri, 4 Apr 1997 14:44:54 -0800 (PST) Received: from zandar.judge.org (firewall-user@joesmac.ultranet.com [199.232.59.222]) by cinna.ultra.net (8.8.5/ult1.04) with SMTP id RAA05318; Fri, 4 Apr 1997 17:43:26 -0500 (EST) Received: by zandar.judge.org with Microsoft Mail id <01BC411F.45519F60@zandar.judge.org>; Fri, 4 Apr 1997 17:40:22 -0500 Message-ID: <01BC411F.45519F60@zandar.judge.org> From: Joseph Judge To: Firewalls Mailing List , "'Mike O'Connor'" Subject: RE: xntpd and gauntlet 3.2 Date: Fri, 4 Apr 1997 17:40:20 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk If you are using a time-based token thing (SecurID alike) then you are at risk of being locked out if ... the time on the card and the time on the system drift far enough apart. I would think putting a time sync on your system would be good ... except at that initial time when you first implement it and the clock gets fixed up. Then the cards might die. But ...
my answer is not to use time as a basis for your authentication :-) -- joe ---------- From: Mike O'Connor[SMTP:mjo@dojo.mi.org] Sent: Friday, April 04, 1997 11:09 AM To: Firewalls Mailing List Subject: RE: xntpd and gauntlet 3.2 :2- put xntp on your firewall systems. I haven't heard anyone :chroot-ing it. Sync time against some sources out on the :Internet (there is a list somewhere) ... just "client" against :them. Then, folks inside your firewall can "client" against :you. You get time from tick.usno.navy.mil (and tock), which :are, say, stratum 1s ... then your firewall systems are :stratum 2 ... and you can hierarchically set up the rest :of the company from there. : :(I've had the company name servers and routers client against :the firewall ... then just published info to folks on how to :set themselves up as clients against their local routers :and/or name servers) On a somewhat related note, has anyone seen problems with smartcard authentication mechanisms clashing with NTP from the Internet? How sensitive is some of the stuff "out there" to time changes? -- Michael J. O'Connor | WWW: http://dojo.mi.org/~mjo/ | Email: mjo@dojo.mi.org InterNIC WHOIS: MJO | (has my PGP & Geek Code info) | Phone: +1 810-848-4481 =--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--= "I assert my Fifth Amendment privilege." 
-Mark Fuhrman From owner-firewalls-outgoing Fri Apr 4 15:40:41 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA12727 for firewalls-outgoing; Fri, 4 Apr 1997 14:55:12 -0800 (PST) Received: from cinna.ultra.net (cinna.ultra.net [199.232.56.8]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id OAA12700 for ; Fri, 4 Apr 1997 14:55:05 -0800 (PST) Received: from zandar.judge.org (firewall-user@joesmac.ultranet.com [199.232.59.222]) by cinna.ultra.net (8.8.5/ult1.04) with SMTP id RAA05000; Fri, 4 Apr 1997 17:53:37 -0500 (EST) Received: by zandar.judge.org with Microsoft Mail id <01BC4120.B3B0D240@zandar.judge.org>; Fri, 4 Apr 1997 17:50:36 -0500 Message-ID: <01BC4120.B3B0D240@zandar.judge.org> From: Joseph Judge To: Firewalls Mailing List , "'Mike O'Connor'" Subject: RE: xntpd and gauntlet 3.2 Date: Fri, 4 Apr 1997 17:50:35 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I just wandered past an old firewall posting about time and tokens and risk, whilst looking for something else (serendipitous eh?) http://www.netsys.com/firewalls/firewalls-9508/0019.html -- joe ---------- From: Mike O'Connor[SMTP:mjo@dojo.mi.org] Sent: Friday, April 04, 1997 11:09 AM To: Firewalls Mailing List Subject: RE: xntpd and gauntlet 3.2 :2- put xntp on your firewall systems. I haven't heard anyone :chroot-ing it. Sync time against some sources out on the :Internet (there is a list somewhere) ... just "client" against :them. Then, folks inside your firewall can "client" against :you. You get time from tick.usno.navy.mil (and tock), which :are, say, stratum 1s ... then your firewall systems are :stratum 2 ... and you can hierarchically set up the rest :of the company from there. : :(I've had the company name servers and routers client against :the firewall ... 
then just published info to folks on how to :set themselves up as clients against their local routers :and/or name servers) On a somewhat related note, has anyone seen problems with smartcard authentication mechanisms clashing with NTP from the Internet? How sensitive is some of the stuff "out there" to time changes? -- Michael J. O'Connor | WWW: http://dojo.mi.org/~mjo/ | Email: mjo@dojo.mi.org InterNIC WHOIS: MJO | (has my PGP & Geek Code info) | Phone: +1 810-848-4481 =--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--= "I assert my Fifth Amendment privilege." -Mark Fuhrman From owner-firewalls-outgoing Fri Apr 4 15:48:45 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id PAA13906 for firewalls-outgoing; Fri, 4 Apr 1997 15:03:17 -0800 (PST) Received: from xyzzy.plugh.edmonton.ab.ca (xyzzy.plugh.edmonton.ab.ca [198.161.22.2]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id PAA13877 for ; Fri, 4 Apr 1997 15:03:06 -0800 (PST) Received: (from uucp@localhost) by xyzzy.plugh.edmonton.ab.ca (8.6.12/8.6.9) id QAA05532; Fri, 4 Apr 1997 16:01:28 -0700 Received: from snouts-gw.obtuse.com(192.168.30.61), claiming to be "snouts.obtuse.com" via SMTP by mailhost.plugh.edmonton.ab.ca, id smtpd05530aaa; Fri Apr 4 16:01:26 1997 Received: (from beck@localhost) by snouts.obtuse.com (8.7.5/8.7.3) id QAA15649; Fri, 4 Apr 1997 16:01:36 -0700 From: Bob Beck Message-Id: <199704042301.QAA15649@snouts.obtuse.com> Subject: Re: Changeroot telnet daemon? To: s93sbe@csd.uu.se (Stefan Berg) Date: Fri, 4 Apr 1997 16:01:34 -0700 (MST) Cc: firewalls@GreatCircle.COM In-Reply-To: <9704041155.AA16445@pamela.sic.se> from "Stefan Berg" at Apr 4, 97 11:55:16 am X-Mailer: ELM [version 2.4 PL25] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Do you mean a daemon that runs chrooted? 
I don't know of one, but I've put them together. I don't modify the daemon, but rather put the daemon and anything it needs inside a directory to be used as a chrooted hole or "sandbox" and then invoke it with /usr/sbin/chroot. It's easiest to do with a statically linked daemon so that you avoid the need for shared libraries, which complicate the issue both security-wise and from the point of view of setting it up. As for what it needs in the sandbox, if I don't know, I usually find out when I want to set it up by running the command to start the daemon (including the chroot) under your favorite tracing tool, such as truss on solaris. Personally, I'd suggest grabbing either the telnetd from Wietse Venema's "logdaemon" package, or one of the SSLeay enabled telnet daemons from the SSLapps dir on your favorite SSLeay site or mirror. These have worked well for me. If you want the log records via your standard syslog from one of these, grab our utils package from ftp://ftp.obtuse.com/pub/utils/, and look at "holelogd". -Bob > > > Hi, > > is there such a thing as a change root telnet daemon > for solaris 2.4.x or 2.5.x? > > Might be a stupid question, but I am in need of one.. > > /Stefan > > > -- > _______________________________________________________ > Stefan Berg > Computing Science Student > University of Uppsala, Sweden. > s93sbe@csd.uu.se http://www.csd.uu.se/~s93sbe > _______________________________________________________ > Hmm.. What do batteries run on??
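The chroot wrapper suggested in the two replies above (the chroot() + system() one-liner and the sandbox directory invoked through /usr/sbin/chroot), written out as an added example that is not code from either poster: it changes root, drops to an unprivileged uid and gid, and starts the daemon with execve() instead of system(), so no shell has to exist inside the jail. It assumes the daemon can run unprivileged (a telnetd that must run login as root cannot drop its uid this way); the function names, the argument order and the "chrootwrap" name are choices made for this example.

```c
/* Added example: chroot wrapper that starts a daemon without a shell. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Parse a decimal uid/gid. Returns 0 and stores the value, or -1. */
static int parse_id(const char *s, unsigned long *out)
{
    char *end;

    if (s == NULL || *s < '0' || *s > '9')
        return -1;                 /* digits only: no sign, no leading blanks */
    errno = 0;
    *out = strtoul(s, &end, 10);
    if (errno != 0 || *end != '\0' || *out > 0x7fffffffUL)
        return -1;
    return 0;
}

/* Check the arguments before any privileged call is made. */
static int check_jail_args(const char *newroot, const char *prog,
                           uid_t uid, gid_t gid)
{
    if (newroot == NULL || newroot[0] != '/')
        return -1;                 /* jail must be an absolute path */
    if (prog == NULL || prog[0] != '/')
        return -1;                 /* program path is resolved inside the jail */
    if (uid == 0 || gid == 0)
        return -1;                 /* a root process can break out of a chroot */
    return 0;
}

/* Change root, then move the working directory inside the new root. */
static int enter_jail(const char *newroot)
{
    if (chroot(newroot) != 0)
        return -1;
    return chdir("/");             /* otherwise cwd still points outside */
}

/* Give up root for good: groups first, then gid, then uid. */
static int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (setuid(0) == 0)
        return -1;                 /* root was regained: the drop did not stick */
    return 0;
}

int main(int argc, char *argv[])
{
    /* Fixed, minimal environment: nothing inherited from the caller. */
    static char *const clean_env[] = { "PATH=/bin:/usr/bin", NULL };
    unsigned long uid, gid;

    if (argc < 5 || parse_id(argv[2], &uid) != 0 ||
        parse_id(argv[3], &gid) != 0 ||
        check_jail_args(argv[1], argv[4], (uid_t)uid, (gid_t)gid) != 0) {
        fprintf(stderr, "usage: chrootwrap /jail uid gid /prog/in/jail [args]\n");
        return 2;
    }
    if (enter_jail(argv[1]) != 0) {
        perror("chroot");
        return 1;
    }
    if (drop_privileges((uid_t)uid, (gid_t)gid) != 0) {
        perror("drop privileges");
        return 1;
    }
    /* execve() replaces this process; unlike system() it runs no /bin/sh -c. */
    execve(argv[4], &argv[4], clean_env);
    perror("execve");
    return 1;
}
```

The wrapper has to be started as root (for example from inetd) because chroot() and setgroups() are privileged calls.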
> From owner-firewalls-outgoing Fri Apr 4 16:30:45 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id PAA19403 for firewalls-outgoing; Fri, 4 Apr 1997 15:48:28 -0800 (PST) Received: from TGIEXCH.terraglyph.com (tgiexch.terraglyph.com [206.138.89.35]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id PAA18980 for ; Fri, 4 Apr 1997 15:45:58 -0800 (PST) Received: by TGIEXCH with Internet Mail Service (5.0.1457.3) id <2JPSNP6T>; Fri, 4 Apr 1997 17:44:45 -0600 Message-ID: <418DB33991ACD011899800A0C9008E756DFA@TGIEXCH> From: Mike Topalovich To: firewalls@greatcircle.com Subject: RE: MS Exchange thru FWTK. How ? Date: Fri, 4 Apr 1997 17:44:43 -0600 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1457.3) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk For what type of connectors? Just the straight SMTP IMC/IMS, or a site connector? Mike Topalovich TerraGlyph Interactive Studios Topalovich@terraglyph.com > ---------- > From: Jason Price[SMTP:pricej@bncc1.incirlik.af.mil] > Sent: Friday, April 04, 1997 3:13 PM > To: firewalls@greatcircle.com > Subject: MS Exchange thru FWTK. How ? > > Hi, > > Anyone proxied MS Exchange or found a secure way to pass it through > the > firewall ? > > Thanks ! > > Jason > > |-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- > =| > | Sra Jason Price | | > | 39CS/SCBBN | "If you lose your connection with the > | > | Incirlik AB, Turkey | technology you manage, then you are > | > | Jason.Price@incirlik.af.mil | stumbling through the world blindly. > | > | pricej@bncc1.incirlik.af.mil | You may get lucky for a while, but > | > | Network Security Officer | luck always runs out." 
| > | Unix and Web Administrator | | > |-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- > =| > From owner-firewalls-outgoing Fri Apr 4 16:43:04 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id PAA21523 for firewalls-outgoing; Fri, 4 Apr 1997 15:58:15 -0800 (PST) Received: from swinc.com (swinc.com [198.252.182.233]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id PAA21510 for ; Fri, 4 Apr 1997 15:58:07 -0800 (PST) Received: from grail.austin.swinc.com ([204.107.173.67]) by anthrax.swinc.com with ESMTP id <17026-1>; Fri, 4 Apr 1997 17:56:41 -0600 Received: by grail.austin.swinc.com with Internet Mail Service (5.0.1457.3) id ; Fri, 4 Apr 1997 18:00:47 -0600 Message-ID: <41242F632110D0118B4500A024BF7EB008AA4D@grail.austin.swinc.com> From: "Webb, Andy" To: "'Jason Price'" Cc: "'firewalls@greatcircle.com'" Subject: RE: MS Exchange thru FWTK. How ? Date: Fri, 4 Apr 1997 18:00:45 -0600 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1457.3) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I'm not a FWTK expert, but here's where to find the Exchange information: Source: MS KB Article Q148732 http://www.microsoft.com/kb/articles/q148/7/32.htm Andy ======================================================= Andy Webb awebb@swinc.com www.swinc.com Simpler-Webb, Inc. Austin, TX 512-322-0071 "The clue meter is reading zero..."
- Dilbert ======================================================= > -----Original Message----- > From: Jason Price [SMTP:pricej@bncc1.incirlik.af.mil] > Sent: Friday, April 04, 1997 3:13 PM > To: firewalls@greatcircle.com > Subject: MS Exchange thru FWTK. How ? > > Hi, > > Anyone proxied MS Exchange or found a secure way to pass it through > the > firewall ? > > Thanks ! > > Jason > > |-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- > =| > | Sra Jason Price | | > | 39CS/SCBBN | "If you lose your connection with the > | > | Incirlik AB, Turkey | technology you manage, then you are > | > | Jason.Price@incirlik.af.mil | stumbling through the world blindly. > | > | pricej@bncc1.incirlik.af.mil | You may get lucky for a while, but > | > | Network Security Officer | luck always runs out." | > | Unix and Web Administrator | | > |-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- > =| From owner-firewalls-outgoing Fri Apr 4 17:01:14 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id PAA15440 for firewalls-outgoing; Fri, 4 Apr 1997 15:11:39 -0800 (PST) Received: from pse01.pios.com (PSE01.PIOS.COM [199.33.129.2]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id PAA15318 for ; Fri, 4 Apr 1997 15:11:17 -0800 (PST) Received: by pse01.pios.com; (5.65v3.2/1.3/10May95) id AA16828; Fri, 4 Apr 1997 18:09:43 -0500 Received: from vaxa.PIOS.COM (vaxa.PIOS.COM) by gemini.pios.com (PMDF V5.0-6 #18985) id <01IHBEZJ5QSW90OKQA@gemini.pios.com> for firewalls@greatcircle.com; Fri, 04 Apr 1997 18:10:55 -0500 (EST) Received: from cal_177.sanjose (192.168.14.177) by PIOS.PIOS.COM (PMDF V5.0-6 #18984)
id <01IHBEX6ZI0W8Y5MYK@PIOS.PIOS.COM> for firewalls@greatcircle.com; Fri, 04 Apr 1997 18:09:03 -0500 (EST) Date: Fri, 04 Apr 1997 15:09:06 -0800 From: Bill Stout Subject: Tunnels and Security policy X-Sender: stoutb@192.168.0.83 To: firewalls@greatcircle.com Message-Id: <2.2.32.19970404230906.006d3ae0@192.168.0.83> Mime-Version: 1.0 X-Mailer: Windows Eudora Pro Version 2.2 (32) Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Question: Can someone give me an example of how security policies are modified when tunnels are implemented? Train of thought: I see more companies actively using tunnels (VPNs) or adding encrypted access into their systems. I see people using tunnels for the following, where admins only have local policy control; o to create a path through a firewall between internal networks and 'partner' networks. o from home PCs/private ISP account to internal network through firewall. o between branches of the same company. AFAIK, tunnels allow _all_ port traffic between a range of hosts in 'network A' to reach a range of hosts in 'network B'. If you use a firewall to protect your network from the internet, and you tunnel through that to a tunnel server either on the firewall or past it, you can't protect against the tunneled traffic without layered firewalls, which gets complex since some proxies don't cascade well. Once an intruder gets past your firewall, he's everywhere. {Net A}--+-FW--{internet}--FW-+--{Net B} | | Tunnel Server Tunnel Server Another reason I ask, Company X requests a quote for a firewall from my or other company, whittles down the price to fit the budget (original estimate of the admin), then adds the tunneling requirement. Not much budget is left for a secondary firewall layer, and I hesitate to say that if you buy a tunnel, you need two firewalls. 
#include Bill Stout, 'Consultant', Pioneer Standard, San Jose, CA (408)321-0645 www.pios.com (Industrial Distributor for Computer systems, components) Digital-HP-IBM-Intel-MTI-Netframe-NAT-Network_General-Cisco-3COM-Network_Sys tems-Apple-SGI-Tadpole-Cray_Communications-Liebert-Tektronix-QMS-etc,etc. From owner-firewalls-outgoing Sat Apr 5 08:00:56 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA08815 for firewalls-outgoing; Sat, 5 Apr 1997 07:55:07 -0800 (PST) Received: from akasha.tic.com (akasha.tic.com [192.135.128.129]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id HAA08797 for ; Sat, 5 Apr 1997 07:55:00 -0800 (PST) From: smoot@tic.com Received: from xfrsparc.tic.com by akasha.tic.com (8.7.5/akasha.1.31) id JAA21945; Sat, 5 Apr 1997 09:53:36 -0600 (CST) Received: from localhost by xfrsparc.tic.com (8.7.1/sub.1.6) id JAA03181; Sat, 5 Apr 1997 09:53:36 -0600 (CST) Message-Id: <199704051553.JAA03181@xfrsparc.tic.com> To: Firewalls Mailing List Subject: Re: xntpd and gauntlet 3.2 In-reply-to: Your message of "Fri, 04 Apr 97 17:40:20 EST." <01BC411F.45519F60@zandar.judge.org> Date: Sat, 05 Apr 97 09:53:32 -0600 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >If you are using a time-based token thing (SecurID alike) >then you are at risk of being locked out if ... the time >on the card and the time on the system drift far enough >apart. SecurID is pretty good about keeping the cards synced with the server. I have a system with a SecureID server which is also running xntpd and I've never had a problem with clock synchronization between the cards and the server. At worst the server asks the client for the card's next token which resynchronizes the card and the server. 
From owner-firewalls-outgoing Sat Apr 5 08:39:37 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA10097 for firewalls-outgoing; Sat, 5 Apr 1997 08:20:41 -0800 (PST) Received: from palrel1.hp.com (palrel1.hp.com [15.253.72.10]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id IAA10062 for ; Sat, 5 Apr 1997 08:20:28 -0800 (PST) Received: from rush.nsr.hp.com (rush.nsr.hp.com [15.17.36.5]) by palrel1.hp.com with ESMTP (8.7.5/8.7.3) id IAA01545; Sat, 5 Apr 1997 08:19:10 -0800 (PST) Received: from localhost by rush.nsr.hp.com with SMTP (1.39.111.2/16.2) id AA234606946; Sat, 5 Apr 1997 08:15:46 -0800 Date: Sat, 5 Apr 1997 08:15:45 -0800 (PST) From: Kevin Steves To: Adam Shostack Cc: firewalls@GreatCircle.COM Subject: Re: Getting DNS through a firewall. In-Reply-To: <199704012208.RAA02252@homeport.org> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Tue, 1 Apr 1997, Adam Shostack wrote: > If you don't let dns through, then a dns-gw would be a good > idea. Cheswick talked about one at SANS 96(?), and I'm wondering why > its not part of any commercial product yet. You may be referring to dnsproxy; see http://cm.bell-labs.com/who/ches/dnsproxy.html. Raptor Eagle 4.0 has a dnsd, but I don't know any details about it. 
From owner-firewalls-outgoing Sat Apr 5 08:45:44 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA11387 for firewalls-outgoing; Sat, 5 Apr 1997 08:36:07 -0800 (PST) Received: from proxy2.ba.best.com (proxy2.ba.best.com [206.184.139.13]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id IAA11378 for ; Sat, 5 Apr 1997 08:36:00 -0800 (PST) Received: from kgibbs.vip.best.com (kgibbs.vip.best.com [206.86.92.105]) by proxy2.ba.best.com (8.8.5/8.8.3) with ESMTP id IAA02171; Sat, 5 Apr 1997 08:31:03 -0800 (PST) Message-Id: <199704051631.IAA02171@proxy2.ba.best.com> From: "Kelly Gibbs" To: "Bill Stout" Cc: Subject: Re: Tunnels and Security policy Date: Sat, 5 Apr 1997 07:51:36 -0800 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1155 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi Bill: I installed Firewalls/VPN's for Digital and can help you out on this one. I don't know which tunnel product you have but if it's like Digitals Tunnel which is Firewall and hardware independent, you can set the routes to enable a form of security. For example, lets say at each end you have a group tunnel. Group A is in New York and group B is in San Jose. When A establishes a VPN to B, B assigns A a virtual IP. You control what range of IP's are distributed by their group key configuration. If you give them say a 10.2.1.x range, you set the routes that 10.2.1.x takes. This may require a change also in the routers since 10.2.1.x isn't part of your 10.1.1.x network. This appears to work very well for a large site I installed last year. +--------------------------------------------------------------------------+ | Kelly E. Gibbs, Sr. Internet/UNIX Consultant Realogic, Inc. | | Security architecture, design, implementation, auditing, and | | penetration testing. 
UNIX, Microsoft Windows NT, and VMS | | Realtime programming, TCP/IP, telephony systems, embedded systems. | | San Francisco, CA 415-956-1300 London, UK (+)44 (1)71 233 07 44 | +--------------------------------------------------------------------------+ ---------- > From: Bill Stout > To: firewalls@GreatCircle.COM > Subject: Tunnels and Security policy > Date: Friday, April 04, 1997 3:09 PM > > Question: Can someone give me an example of how security policies are > modified when tunnels are implemented? > > Train of thought: I see more companies actively using tunnels (VPNs) or > adding encrypted access into their systems. I see people using tunnels for > the following, where admins only have local policy control; > > o to create a path through a firewall between internal networks and > 'partner' networks. > > o from home PCs/private ISP account to internal network through firewall. > > o between branches of the same company. > > AFAIK, tunnels allow _all_ port traffic between a range of hosts in 'network > A' to reach a range of hosts in 'network B'. If you use a firewall to > protect your network from the internet, and you tunnel through that to a > tunnel server either on the firewall or past it, you can't protect against > the tunneled traffic without layered firewalls, which gets complex since > some proxies don't cascade well. Once an intruder gets past your firewall, > he's everywhere. > > {Net A}--+-FW--{internet}--FW-+--{Net B} > | | > Tunnel Server Tunnel Server > > Another reason I ask, Company X requests a quote for a firewall from my or > other company, whittles down the price to fit the budget (original estimate > of the admin), then adds the tunneling requirement. Not much budget is left > for a secondary firewall layer, and I hesitate to say that if you buy a > tunnel, you need two firewalls. 
> > #include > Bill Stout, 'Consultant', Pioneer Standard, San Jose, CA (408)321-0645 > www.pios.com (Industrial Distributor for Computer systems, components) > Digital-HP-IBM-Intel-MTI-Netframe-NAT-Network_General-Cisco-3COM-Network_Sys > tems-Apple-SGI-Tadpole-Cray_Communications-Liebert-Tektronix-QMS-etc,etc. > > From owner-firewalls-outgoing Sat Apr 5 12:04:04 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA21480 for firewalls-outgoing; Sat, 5 Apr 1997 11:49:37 -0800 (PST) Received: from threewiz.demon.co.uk (threewiz.demon.co.uk [158.152.116.88]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id LAA21473 for ; Sat, 5 Apr 1997 11:49:27 -0800 (PST) Received: from monaco (unverified [192.168.3.254]) by monaco.kimble.co.uk (EMWAC SMTPRS 0.83) with SMTP id ; Sat, 05 Apr 1997 20:16:45 +0100 Message-ID: From: "David Harvey-George" To: Cc: Subject: Steelhead / Eraserhead ? Date: Sat, 5 Apr 1997 20:16:45 +0100 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1155 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, Has anyone tried Microsoft's 'steelhead' router and packet filtering software. It's currently in beta and I've been attempting to build a packet filtering firewall around it using an NT sp2 box. My experiences suggest that there are a few deficiencies that MS need to address in the area of packet filtering. Although it is possible to filter on inbound or outbound interface there is no option to filter based on the TCP flag fields. Okay, maybe not such a big deal. More significant, you can't allow or deny on a range of ports. 
I have the following filter for HTTP access for my internal network clients:

       Source Address  Destination Address  Protocol  Source Port  Destination Port
rule1  192.168.3.0     Any                  TCP       Any          80
rule2  Any             192.168.3.0          TCP       80           Any

The intention of this rule is to permit internal clients (net 192.168.3.0) to access Web servers and to permit replies from said servers. However without the ability to either check the ACK flag or add a destination port range in rule 2 this rule is open to someone binding a client to port 80 and contacting any of my internal servers. MS imply that 'steelhead' can be used to build firewall capabilities but I think not, at least not in its present incarnation. Sievehead is currently available in beta 2 from their Website. regards, David From owner-firewalls-outgoing Sat Apr 5 12:15:46 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA21617 for firewalls-outgoing; Sat, 5 Apr 1997 11:57:20 -0800 (PST) Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id LAA21602 for ; Sat, 5 Apr 1997 11:57:11 -0800 (PST) Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id OAA24719; Sat, 5 Apr 1997 14:53:39 -0500 (EST) From: Adam Shostack Message-Id: <199704051953.OAA24719@homeport.org> Subject: Re: combo internal/external web servers In-Reply-To: <9704011916.AA00517@intermec.com> from Kathy Kost at "Apr 1, 97 11:16:33 am" To: kkost@intermec.com (Kathy Kost) Date: Sat, 5 Apr 1997 14:53:38 -0500 (EST) Cc: firewalls@GreatCircle.COM X-Mailer: ELM [version 2.4ME+ PL27 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk What happens if the external server is compromised? If it's in its own chrooted partition, possibly not a lot (if you trust chroot). What happens if you misconfigure your internal server?
Are you exposing the information to the outside world? Is that an acceptable risk? What happens if the machine is compromised through some other mechanism? Could an attacker reconfigure things so that the outside world can get to the internal server? You can build a defense in depth to make this harder/more obvious. I'd suggest going with two machines. You can get a nice pc system with plenty of horses to run a small to medium web server for $1000 or less. The cost & effort to administrate two machines isn't that much greater than one, and you're providing strong compartmentalization. Adam Kathy Kost wrote: | A company I'm doing some work for is trying to decide on having | separate internal and external web servers or having them both on | one machine, with some proxy or firewall software keeping them separate. | I have only implemented them separately. | | What is the current feeling on this these days? Is it possible to have | them both co-exist on the same box without risking the internal web site? | Any suggestions as to the best security software to use (public domain or | not)? Or pointers to reference information on the subject? -- "It is seldom that liberty of any kind is lost all at once." -Hume From owner-firewalls-outgoing Sat Apr 5 17:49:17 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA06566 for firewalls-outgoing; Sat, 5 Apr 1997 17:37:21 -0800 (PST) Received: from challenger.atc.fhda.edu (challenger.atc.fhda.edu [153.18.200.1]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id RAA06525 for ; Sat, 5 Apr 1997 17:37:10 -0800 (PST) Received: from localhost (manek@localhost) by challenger.atc.fhda.edu (8.8.0/8.7.3) with SMTP id RAA28896; Sat, 5 Apr 1997 17:35:53 -0800 (PST) Date: Sat, 5 Apr 1997 17:35:52 -0800 (PST) From: "Sameer R.
Manek" To: Kathy Kost cc: firewalls@GreatCircle.COM Subject: Re: combo internal/external web servers In-Reply-To: <199704051953.OAA24719@homeport.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk One idea I really like, though I haven't had the opportunity to try it out. This combination involves 2 boxes in addition to your firewall. Since running a web server on a firewall isn't considered a wise idea in general. Basically what you do is have two boxes, a web server and a file server. The web server NFS-mounts /webserver/htdocs read-only from the file server. The web server's only service is httpd, and maybe ftpd which isn't very cpu intensive, so a low end pentium and *bsd or linux will do. In addition because the webserver doesn't have the pages you don't have to give accounts to folks who may not do security conscious things, such as the web page development groups. They can have accounts on machines less visible to the public. So you can close off network logins or run sshd. Some have suggested using either a zip drive (with the write protect tab notched) or a writeable cdrom, but I don't think these methods are practical, aside from the fact that zip and cdrom drives are slower. These things are what I call 'making work', they make you, the admin, do things like burn cds, change cds, remount it. My opinion is that the admin is responsible for maintaining the service, which is time consuming enough, not to create more work. If you put the responsibility of maintaining the pages, putting them on the server, etc as close to the people who write the pages as possible that is a good thing. Making the system secure and ensuring ease of use is our responsibility. Your dedicated web page file server can even run something like netatalk or samba so they can author the pages directly from the NT/95 or Mac workstations.
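The filter gap David Harvey-George describes in the "Steelhead / Eraserhead ?" message above, modelled as an added example (not code from any poster or from Microsoft's product): a first-match stateless filter run over constructed packets, comparing the posted rule pair with the two fixes he names. The /24 mask, the default-deny fallthrough, and every address other than 192.168.3.0 are assumptions.

```python
"""Stateless model of the posted HTTP rule pair (constructed example)."""
from dataclasses import dataclass, replace
from ipaddress import IPv4Network, ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

ANY = None                               # wildcard, as "Any" in the posted table
INTERNAL = ip_network("192.168.3.0/24")  # posted net; the /24 mask is assumed
PortRange = Optional[Tuple[int, int]]    # inclusive (low, high), None = Any


@dataclass(frozen=True)
class Packet:
    label: str
    src: str
    dst: str
    sport: int
    dport: int
    flags: FrozenSet[str]                # TCP flags set on the segment


@dataclass(frozen=True)
class Rule:
    name: str
    src: Optional[IPv4Network]
    dst: Optional[IPv4Network]
    sport: PortRange
    dport: PortRange
    require_ack: bool = False            # the check the poster says is missing

    def matches(self, p: Packet) -> bool:
        if self.src is not None and ip_address(p.src) not in self.src:
            return False
        if self.dst is not None and ip_address(p.dst) not in self.dst:
            return False
        if self.sport and not self.sport[0] <= p.sport <= self.sport[1]:
            return False
        if self.dport and not self.dport[0] <= p.dport <= self.dport[1]:
            return False
        if self.require_ack and "ACK" not in p.flags:
            return False
        return True


def evaluate(rules: List[Rule], p: Packet) -> str:
    """Return the name of the first permitting rule, or 'deny' (assumed default)."""
    for rule in rules:
        if rule.matches(p):
            return rule.name
    return "deny"


# The two rules exactly as posted.
RULE1 = Rule("rule1", INTERNAL, ANY, ANY, (80, 80))
RULE2 = Rule("rule2", ANY, INTERNAL, (80, 80), ANY)

AS_POSTED = [RULE1, RULE2]
WITH_ACK = [RULE1, replace(RULE2, require_ack=True)]           # fix 1: ACK check
WITH_PORT_RANGE = [RULE1, replace(RULE2, dport=(1024, 65535))]  # fix 2: port range

# Constructed packets (documentation addresses, hypothetical hosts).
CLIENT_SYN = Packet("client -> web server", "192.168.3.10", "203.0.113.5",
                    1025, 80, frozenset({"SYN"}))
SERVER_REPLY = Packet("web server reply", "203.0.113.5", "192.168.3.10",
                      80, 1025, frozenset({"SYN", "ACK"}))
INBOUND_LOW = Packet("new inbound, sport 80 -> port 23", "198.51.100.7",
                     "192.168.3.20", 80, 23, frozenset({"SYN"}))
INBOUND_HIGH = Packet("new inbound, sport 80 -> port 6000", "198.51.100.7",
                      "192.168.3.20", 80, 6000, frozenset({"SYN"}))

PACKETS = [CLIENT_SYN, SERVER_REPLY, INBOUND_LOW, INBOUND_HIGH]
RULESETS = {"as posted": AS_POSTED, "ACK check": WITH_ACK,
            "port range": WITH_PORT_RANGE}


def report() -> List[Tuple[str, str, str]]:
    """(ruleset, packet label, verdict) for every combination."""
    return [(name, p.label, evaluate(rules, p))
            for name, rules in RULESETS.items() for p in PACKETS]


if __name__ == "__main__":
    for name, label, verdict in report():
        print(f"{name:<11} {label:<36} {verdict}")
```

The port-range variant still admits a new inbound connection to any internal service listening at 1024 or above, while the ACK check rejects it at connection setup.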
From owner-firewalls-outgoing Sat Apr 5 19:04:39 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id SAA10212 for firewalls-outgoing; Sat, 5 Apr 1997 18:56:33 -0800 (PST) Received: from jehova.owl.de (jehova.owl.de [194.121.202.132]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id SAA10098 for ; Sat, 5 Apr 1997 18:55:37 -0800 (PST) Received: from fiction.pb.owl.de (root@fiction.pb.owl.de [193.174.12.5]) by jehova.owl.de (8.8.5/8.8.5) with SMTP id EAA19253 for ; Sun, 6 Apr 1997 04:54:21 +0200 (MET DST) Received: from squirrel.owl.de by fiction.pb.owl.de with bsmtp id m0wDi4X-000032C; Sun, 6 Apr 97 04:52 MET DST Received: (qmail 1037 invoked by uid 300); 6 Apr 1997 00:51:13 -0000 Date: 6 Apr 1997 00:51:13 -0000 Message-ID: <19970406005113.1036.qmail@squirrel.owl.de> From: Stuart Johnson To: firewalls@greatcircle.com Subject: Monitoring Info Sender: firewalls-owner@GreatCircle.COM Precedence: bulk As regard to the Haystack information, my message was not intended to be "tabloid". Obviously, it is the marketing managers' responsibility to paint a pretty picture. But I am only interested in finding out why an insider at Haystack would share this information in confidence. Many of the private emails I received confirm others' lack of confidence in Haystack and the fact that many people are leaving due to the turmoil. Is this deniable? I only want to make the best choice for my company. With the enquiry about Haystack and Wheelgroup, I received some email from Marcus Ranum. He is someone I have respected from many of his posts. But his email has surprised me and I have had some doubts about whether he was objectively replying or only trying to sell some new product he is building and denigrate the choices that I am reviewing.
I also received emails from others suggesting Marcus' new company as an alternative, but from those messages it is clear he has decided to get out of V-One and thought it was a total failure without direction. This concerns me because he has used V-one to fund this company and I assume they are the majority owners of it. Has anyone actually implemented this stuff or is it just vaporware? I kind of question what kind of business man Marcus is based on what I had overheard at a conference where a small group of people talking, including one of the speakers for NCSA (I believe Dr. Tippett). They were talking about the firewall consortium and someone had asked about Marcus. The speaker from the NCSA said that they removed Marcus from any more influence on the certification process due to his continuous attempts to self promote his own selfish interests and not those of the security community. The second concern about the integrity of Marcus' company is the fact that the Founder and CEO of a competing monitoring company (Steve Smaha of Haystack) is on his board. This is like a CEO of Netscape sitting on Microsoft's board. Obviously, Steve Smaha does not believe NetStalker is a competitive product or he wouldn't sit on a competitor's board, or would he? Does this seem fishy? I am not just looking for good technology, I want to do business with people with integrity.
Stuart From owner-firewalls-outgoing Sat Apr 5 20:09:35 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id TAA13206 for firewalls-outgoing; Sat, 5 Apr 1997 19:40:46 -0800 (PST) Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-970308-1) id TAA13175 for firewalls@greatcircle.com; Sat, 5 Apr 1997 19:40:36 -0800 (PST) Received: from trifork.gu.net (trifork.gu.net [194.93.190.194]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id IAA27421 for ; Fri, 4 Apr 1997 08:32:40 -0800 (PST) Received: from localhost (localhost.gu.kiev.ua [127.0.0.1]) by trifork.gu.net (8.8.5/8.8.5) with SMTP id TAA02082; Fri, 4 Apr 1997 19:31:04 +0300 (EEST) Date: Fri, 4 Apr 1997 19:31:04 +0300 (EEST) From: Andrew Stesin Reply-To: stesin@gu.net To: "Gerard A. Joseph" cc: firewalls@GreatCircle.COM Subject: Re: ISR In-Reply-To: <3345AD17.29DB@ozemail.com.au> Message-ID: X-NCC-RegID: ua.gu MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi Gerard, despite the thingies you noticed, I'll probably subscribe. (Neither of the pieces you noticed are so much protected and/or classified, anyway :) Though you are right -- and they (ISR) aren't. On Fri, 4 Apr 1997, Gerard A. Joseph wrote: > Date: Fri, 04 Apr 1997 17:38:31 -0800 > From: "Gerard A. Joseph" > To: firewalls@GreatCircle.COM > Subject: Re: ISR > > The site looks interesting, but it seems anomalous for a > security-oriented site to ask for such details as name, email address, > physical address, and password to be transmitted in the clear over the > Internet. > > Gerard > > Network Operations Center wrote: > > > > f.y.i. > > > > Internet Security Review is now accepting > > subscriptions (free) at http://www.isr.net > > The journal appears monthly.
> > > > regards > > > > Bert > Best regards, Andrew Stesin nic-hdl: ST73-RIPE From owner-firewalls-outgoing Sat Apr 5 20:09:54 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id TAA13339 for firewalls-outgoing; Sat, 5 Apr 1997 19:42:26 -0800 (PST) Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-970308-1) id TAA13329 for firewalls@greatcircle.com; Sat, 5 Apr 1997 19:42:23 -0800 (PST) Received: from cinna.ultra.net (cinna.ultra.net [199.232.56.8]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id PAA13786 for ; Fri, 4 Apr 1997 15:02:10 -0800 (PST) Received: from zandar.judge.org (firewall-user@joesmac.ultranet.com [199.232.59.222]) by cinna.ultra.net (8.8.5/ult1.04) with SMTP id SAA05687; Fri, 4 Apr 1997 18:00:27 -0500 (EST) Received: by zandar.judge.org with Microsoft Mail id <01BC4121.A7B03340@zandar.judge.org>; Fri, 4 Apr 1997 17:57:26 -0500 Message-ID: <01BC4121.A7B03340@zandar.judge.org> From: Joseph Judge To: "'patrick_scannell@mail.fws.gov'" Cc: "'Firewalls Mailing List'" Subject: RE: RE: xntpd and gauntlet 3.2 Date: Fri, 4 Apr 1997 17:57:24 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk The NTP archive at ftp://louie.udel.edu/pub/ntp or somewhere ... has some information on time sources (radio, modem, GPS and otherwise). The comp.protocols.ntp (??) or such also does. The http://www.eecis.udel.edu/~ntp/database/faq.html NTP FAQ file has some information, also. I don't want to sound vague... but that is the best I have now. I have always gotten time from an Internet source. I am just about to get a Geo Positional System thing (GPS) which bounces off satellites and figures out exactly where you are .... which incidentally means you better have VERY accurate time to do those calculations.
My company's UK firewall has a GPS time source in their firewall ...and I will just probably follow what they are doing after some analysis. The NTP FAQ lists a bunch of units under $5K dollars. I really want to find out what my UK folks are doing so inexpensively. I will be more than happy to post a how-to as soon as I know what I'm doing. --- joe ---------- From: patrick_scannell@mail.fws.gov[SMTP:patrick_scannell@mail.fws.gov] Sent: Friday, April 04, 1997 3:20 PM To: Joseph Judge Subject: Re:RE: xntpd and gauntlet 3.2 Could you please reply to the list with a little more detail about a GPS time source? I have the same problem, and this sounds like a great solution. Is this a specialized item, or just a navigational GPS that allows one to query time via serial interface? Clearly I'm groping, where should I look for more info? Thanks, Patrick ____________________Reply Separator____________________ Subject: RE: xntpd and gauntlet 3.2 Author: Joseph Judge Date: 4/4/97 2:41 PM 1- Buy a GPS time source (couple hundred US dollars?) and plug it in somewhere: -- on a firewall machine, company can sync against you -- on an internal machine, the firewall can sync against it I'm aiming to get off my butt and pay for a GPS clock soon ... just some higher priority items in the queue first :-) or (what I'm doing now) 2- put xntp on your firewall systems. I haven't heard anyone chroot-ing it. Sync time against some sources out on the Internet (there is a list somewhere) ... just "client" against them. Then, folks inside your firewall can "client" against you. You get time from tick.usno.navy.mil (and tock), which are, say, stratum 1s ... then your firewall systems are stratum 2 ... and you can hierarchically set up the rest of the company from there. (I've had the company name servers and routers client against the firewall ...
then just published info to folks on how to set themselves up as clients against their local routers and/or name servers) -- -joe ---------- From: DSAWYER@PILLSBURY.COM[SMTP:DSAWYER@PILLSBURY.COM] Sent: Friday, April 04, 1997 1:51 PM To: firewalls(a)greatcircle.com Subject: xntpd and gauntlet 3.2 Gauntlet firewall (TIS) fundamentally does not allow udp based services through the firewall. We really only need it for synchronization, however somebody got the idea of getting time from the Internet and here we are. How can you make xntpd work? In order to reduce the bouncing that could go on, here is what I already know. -Run xntpd on the firewall, chroot it, use authentication, and have it be your highest level stratum server. -Have your second level of time servers poll your time server on the firewall. -Have those second level stratums broadcast to other devices. In a nutshell what I need to know is how do I get udp based packets on port 123 through the firewall? Anybody have any ideas? Thanks in advance- Douglas R.
Sawyer Received: from relay1.UU.NET by mail.fws.gov (SMTPLINK V2.11.01) ; Fri, 04 Apr 97 14:41:02 MST Return-Path: Received: from honor.greatcircle.com by relay1.UU.NET with ESMTP (peer crosschecked as: honor.greatcircle.com [198.102.244.44]) id QQcjwf15717; Fri, 4 Apr 1997 16:26:44 -0500 (EST) Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA25996 for firewalls-outgoing; Fri, 4 Apr 1997 12:31:19 -0800 (PST) Received: from cinna.ultra.net (cinna.ultra.net [199.232.56.8]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id MAA25971 for ; Fri, 4 Apr 1997 12:31:07 -0800 (PST) Received: from zandar.judge.org (firewall-user@joesmac.ultranet.com [199.232.59.222]) by cinna.ultra.net (8.8.5/ult1.04) with SMTP id PAA30793; Fri, 4 Apr 1997 15:29:30 -0500 (EST) Received: by zandar.judge.org with Microsoft Mail id <01BC410C.8EADD060@zandar.judge.org>; Fri, 4 Apr 1997 15:26:24 -0500 Message-ID: <01BC410C.8EADD060@zandar.judge.org> From: Joseph Judge To: "firewalls(a)greatcircle.com" , "'DSAWYER@PILLSBURY.COM'" Subject: RE: xntpd and gauntlet 3.2 Date: Fri, 4 Apr 1997 15:26:21 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk From owner-firewalls-outgoing Sat Apr 5 21:04:23 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id UAA21221 for firewalls-outgoing; Sat, 5 Apr 1997 20:59:09 -0800 (PST) Received: from thalia.fm.intel.com (thalia.fm.intel.com [132.233.247.11]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id UAA21204 for ; Sat, 5 Apr 1997 20:59:02 -0800 (PST) Received: from argus.intel.com by thalia.fm.intel.com (8.8.4/10.0i); Sun, 6 Apr 1997 04:57:46 GMT Received: by argus.intel.com (8.8.4/10.0i); Sat, 5 Apr 1997 20:57:45 -0800 From: sedayao@argus.intel.com (Jeffrey C.
Sedayao) Message-Id: <199704060457.UAA09981@argus.intel.com> Subject: Re: Tunnels and Security policy To: stoutb@pios.com (Bill Stout) Date: Sat, 5 Apr 97 20:57:44 PST Cc: firewalls@greatcircle.com In-Reply-To: <2.2.32.19970404230906.006d3ae0@192.168.0.83> from "Bill Stout" at Apr 4, 97 03:09:06 pm X-Mailer: ELM [version 2.4dev PL66] MIME-Version: 1.0 Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Question: Can someone give me an example of how security policies are > modified when tunnels are implemented? > Train of thought: I see more companies actively using tunnels (VPNs) or > adding encrypted access into their systems. I see people using tunnels for > the following, where admins only have local policy control; > o to create a path through a firewall between internal networks and > 'partner' networks. > o from home PCs/private ISP account to internal network through firewall. > o between branches of the same company. > AFAIK, tunnels allow _all_ port traffic between a range of hosts in 'network > A' to reach a range of hosts in 'network B'. If you use a firewall to > protect your network from the internet, and you tunnel through that to a > tunnel server either on the firewall or past it, you can't protect against > the tunneled traffic without layered firewalls, which gets complex since > some proxies don't cascade well. Once an intruder gets past your firewall, > he's everywhere. > {Net A}--+-FW--{internet}--FW-+--{Net B} > | | > Tunnel Server Tunnel Server > Another reason I ask, Company X requests a quote for a firewall from my or > other company, whittles down the price to fit the budget (original estimate > of the admin), then adds the tunneling requirement. Not much budget is left > for a secondary firewall layer, and I hesitate to say that if you buy a > tunnel, you need two firewalls. It really depends on how you implement the tunnel and the specific product. 
I have implemented tunnels on the outside of the firewall, so that you still have to negotiate the firewall to get in. I have seen products also that provide a similar capability, where you can have a tunnel across the net to another company, but you still have to go through the firewall to get into your company. I would say that the security policy depends on the situation. Of your three situations, I'd say the following: partner networks - make them go through the firewall and treat them (as much as you can get away with) like they are just another site on the Internet. Your partners probably have Internet gateways, and how can you be sure that those gateways are secure? branch offices - don't make them go through the firewall unless you really really really don't trust them. It happens (seen it happen). remote access by employees - depends how much you trust them. If you really trust them, don't make them go through a firewall. If you don't trust them, make them go through the firewall. The problem here that you have to watch out whether the employee can connect to the Internet and your internal network at the same time. Products vary in what they allow (at least the last time I looked). > #include > Bill Stout, 'Consultant', Pioneer Standard, San Jose, CA (408)321-0645 > www.pios.com (Industrial Distributor for Computer systems, components) > Digital-HP-IBM-Intel-MTI-Netframe-NAT-Network_General-Cisco-3COM-Network_Sys > tems-Apple-SGI-Tadpole-Cray_Communications-Liebert-Tektronix-QMS-etc,etc. 
-- Jeff Sedayao Intel Corporation sedayao@argus.intel.com From owner-firewalls-outgoing Sat Apr 5 21:19:17 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id VAA21855 for firewalls-outgoing; Sat, 5 Apr 1997 21:10:46 -0800 (PST) Received: from point.pch.gc.ca (point.pch.gc.ca [167.33.21.4]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id VAA21844 for ; Sat, 5 Apr 1997 21:10:39 -0800 (PST) From: Bill_Royds@pch.gc.ca Received: from pchgate.pch.gc.ca (pchgate.pch.gc.ca [167.33.21.2]) by point.pch.gc.ca (8.7.6/8.7.3) with SMTP id XAA15517 for ; Sat, 5 Apr 1997 23:27:08 -0500 (EST) Received: from relay.pch.gc.ca by pchgate.pch.gc.ca via smtpd (for point.pch.gc.ca [167.33.21.4]) with SMTP; 6 Apr 1997 04:29:20 UT Received: from pch.gc.ca (notes.pch.gc.ca [167.33.5.11]) by relay.pch.gc.ca (8.7.6/8.7.3) with SMTP id XAA29108 for ; Sat, 5 Apr 1997 23:29:20 -0500 (EST) Received: by pch.gc.ca(Lotus SMTP MTA v1.05 (274.9 11-27-1996)) id 85256471.0018B7A8 ; Sat, 5 Apr 1997 23:29:58 -0400 X-Lotus-FromDomain: PCH To: Firewalls@greatcircle.com Message-ID: <85256471.0019249F.00@pch.gc.ca> Date: Sat, 5 Apr 1997 23:37:52 -0400 Subject: Individual chroot for ftp users. Mime-Version: 1.0 Content-type: text/plain; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Does anybody have a program or system that would allow one to set up multiple ftp accounts on Solaris 2.5 so that each one is chrooted to their own directory? I will have multiple ftp users on a depository machine, that should not have anonymous ftp but still stop an ftp user getting out of her own sandbox.
From owner-firewalls-outgoing Sat Apr 5 22:19:47 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id VAA26297 for firewalls-outgoing; Sat, 5 Apr 1997 21:50:52 -0800 (PST) Received: from narya.laserlink.net (narya.laserlink.net [207.77.72.2]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id VAA26289 for ; Sat, 5 Apr 1997 21:50:45 -0800 (PST) Received: from laser1.laserlink.net (laser1.laserlink.net [207.77.72.201]) by narya.laserlink.net (8.7.4/8.7.3) with SMTP id BAA21862; Sun, 6 Apr 1997 01:58:38 GMT Received: by laser1.laserlink.net with Microsoft Mail id <01BC4224.39A1EB60@laser1.laserlink.net>; Sun, 6 Apr 1997 00:48:21 -0500 Message-ID: <01BC4224.39A1EB60@laser1.laserlink.net> From: George Broadfoot To: "'stesin@gu.net'" , "Gerard A. Joseph" Cc: "firewalls@GreatCircle.COM" Subject: RE: ISR Date: Sun, 6 Apr 1997 00:48:19 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk It is also interesting that such a site would not allow characters like ! or # in the password field. Pretty standard UNIX password characters !! No matter I joined anyways. -----Original Message----- From: Andrew Stesin [SMTP:stesin@gu.net] Sent: Friday, April 04, 1997 11:31 AM To: Gerard A. Joseph Cc: firewalls@GreatCircle.COM Subject: Re: ISR Hi Gerard, despite the thingies you noticed, I'll probably subscribe. (Neither of the pieces you noticed are so much protected and/or classified, anyway :) Though you are right -- and they (ISR) aren't.
From owner-firewalls-outgoing Sun Apr 6 00:04:20 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA04809 for firewalls-outgoing; Sat, 5 Apr 1997 23:55:22 -0800 (PST) Received: from heaton.cl.cam.ac.uk (heaton.cl.cam.ac.uk [128.232.32.11]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id XAA04800 for ; Sat, 5 Apr 1997 23:55:15 -0800 (PST) Received: from cl.cam.ac.uk [128.232.0.11] (pb) by heaton.cl.cam.ac.uk with esmtp (Exim 1.59 #2) id 0wDmko-0006dF-00; Sun, 6 Apr 1997 08:52:46 +0100 To: Joseph Judge cc: "'patrick_scannell@mail.fws.gov'" , "'Firewalls Mailing List'" Subject: Re: xntpd and gauntlet 3.2 In-reply-to: Your message of Fri, 04 Apr 1997 17:57:24 -0500. <01BC4121.A7B03340@zandar.judge.org> Date: Sun, 06 Apr 1997 08:52:43 +0100 From: Piete Brooks Message-Id: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > The NTP FAQ lists a bunch of units under $5K dollars. I used to be very active in the xntpd world, but haven't been involved for several years. When I last looked into things for someone (Jan 1994!) I found a Trimble receiver for $US 395, making a complete unit $US 580. I would have expected the prices to have dropped (considerably) since then. As such, I suspect that "under $US5K" means just that, rather than "just under $US5K" as some may interpret the above.
From owner-firewalls-outgoing Sun Apr 6 01:34:21 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id BAA10659 for firewalls-outgoing; Sun, 6 Apr 1997 01:26:57 -0800 (PST) Received: from x18.boston.juno.com (x18.boston.juno.com [205.231.101.29]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id BAA10652 for ; Sun, 6 Apr 1997 01:26:50 -0800 (PST) Received: (from lil.c@juno.com) by x18.boston.juno.com (queuemail) id FFX17048; Sun, 06 Apr 1997 05:24:43 EDT To: Firewalls@GreatCircle.COM Date: Sun, 6 Apr 1997 04:59:04 -0400 Message-ID: <19970406.052118.14878.10.lil.c@juno.com> X-Mailer: Juno 1.23 From: lil.c@juno.com (Chris C Rodil) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk From owner-firewalls-outgoing Sun Apr 6 04:04:26 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id DAA18018 for firewalls-outgoing; Sun, 6 Apr 1997 03:51:44 -0700 (PDT) Received: from sirius.hkstar.com (sirius.hkstar.com [202.82.0.148]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id DAA18011 for ; Sun, 6 Apr 1997 03:51:39 -0700 (PDT) Received: from hkstar.com.hkstar.com (pluto221.hkstar.com [202.82.50.221]) by sirius.hkstar.com (8.8.4/8.6.6) with ESMTP id SAA19899 for ; Sun, 6 Apr 1997 18:50:12 +0800 (HKT) Message-Id: <199704061050.SAA19899@sirius.hkstar.com> From: "Gary Hui" To: Subject: problems in linux Date: Sun, 6 Apr 1997 18:54:39 +0800 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1155 MIME-Version: 1.0 Content-Type: text/plain; charset=BIG5 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk My linux is called " red hat linux " ...is it popular ? what is the differences of it and the others linux ? The red hat linux consist of 6-cd , i only use my disk1 to install the basic components of my system ....what is the file in other disks ?? I have a problems on setup my linux system.... 
Can i setup a bbs by using a linux ? I can't use my "mouse" stable in my Xwindows...How can i set it ? my mouse is a called " mouse system mouse " in windows 95. How can i setup my internet connection in my linux ( in text mode not X-windows)? after i use ppp to connect the internet...can other people login my system through internet ? ( the ip is different every time ) I am 18 years old, some people said that is very difficult for me to setup a linux or use it ,is this really ? have any people younger than me using linux ? If you have problems. i willing solve it for you.(although it is impossible.) Thanks!! Please answer me by this mailbox : yonnie00@hkstar.com Thanks!! From owner-firewalls-outgoing Sun Apr 6 04:49:17 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA20333 for firewalls-outgoing; Sun, 6 Apr 1997 04:33:34 -0700 (PDT) Received: from pdx1.world.net (pdx1.world.net [192.243.32.18]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id EAA20307 for ; Sun, 6 Apr 1997 04:33:24 -0700 (PDT) Received: from suburbia.net (suburbia.net [203.4.184.1]) by pdx1.world.net (8.7.5/8.7.3) with SMTP id EAA01369 for ; Sun, 6 Apr 1997 04:34:33 -0700 (PDT) Received: (qmail 4750 invoked by uid 110); 6 Apr 1997 11:31:38 -0000 MBOX-Line: From best-of-security-request@suburbia.net Sun Apr 6 21:30:09 1997 remote from suburbia.net Received: (from list@localhost) by suburbia.net (8.8.4/8.8.4) id VAA04726 for proff@suburbia.net; Sun, 6 Apr 1997 21:30:09 +1000 (EST) Received: (qmail 4715 invoked from network); 6 Apr 1997 11:30:06 -0000 Received: from plum.cyber.com.au (203.7.155.24) by suburbia.net with SMTP; 6 Apr 1997 11:30:06 -0000 Received: (from darrenr@localhost) by plum.cyber.com.au (8.6.12/8.6.6) id VAA28550 for best-of-security@suburbia.net; Sun, 6 Apr 1997 21:30:01 +1000 From: Darren Reed Message-Id: <199704061130.VAA28550@plum.cyber.com.au> Subject: ActiveX formats your HD To: best-of-security@suburbia.net Date:
Sun, 6 Apr 1997 21:30:00 +1000 (EST) X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk An excerpt taken from some notes from the JavaOne conference, recently held in the USA.... [...] > > Highlighting with humor his point about security, McNealy offered up the following equation: ActiveX = > Java + porting + memory loss + viruses. He then dedicated some of his keynote time to running a demo put > together by Fred McLean, who created a Web page championing the shortcomings of ActiveX. > > The demo drops from Windows to DOS and types on the command line, formats a floppy disk, uses > system search capabilities to find Quicken financial files and uses the system calculator to determine that > person's net worth. The demo then launches TurboTax and started propagating information into the tax > forms, which can be filed electronically. > > McLean also wrote Internet "Exploder" for his Web page, which he showed using ActiveX to shut down > the user's computer system, provided it was Windows running on an Intel chip. > > From owner-firewalls-outgoing Sun Apr 6 06:04:23 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA26611 for firewalls-outgoing; Sun, 6 Apr 1997 05:55:04 -0700 (PDT) Received: from wizard.abirnet.co.il (wizard.abirnet.co.il [194.90.211.10]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id FAA26598 for ; Sun, 6 Apr 1997 05:54:57 -0700 (PDT) Received: from ziv.abirnet.co.il (z1.abirnet.co.il [194.90.211.21]) by wizard.abirnet.co.il (8.7.6/8.7.3) with SMTP id PAA21568; Sun, 6 Apr 1997 15:53:44 +0300 Date: Sun, 6 Apr 97 15:56:10 From: Ziv Dascalu Subject: RE: statistic of Network incidents To: firewalls@GreatCircle.COM, Duan Zhenhai X-PRIORITY: 3 (Normal) X-Mailer: Chameleon 5.0, TCP/IP for Windows, NetManage Inc.
Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk --- On Fri, 4 Apr 1997 18:31:17 +0800 (GMT+0800) Duan Zhenhai wrote: >Hello, Everyone, > > I want to know some statistic of the Internet security incidents, > such as there are how many security incidents every year, where > can I find them? > > Thank you in advance! > IDC is putting this every year. /Ziv /~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\ | A B I R N E T Active Network Protection http://www.AbirNet.com | \~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~/ From owner-firewalls-outgoing Sun Apr 6 06:49:23 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA28718 for firewalls-outgoing; Sun, 6 Apr 1997 06:33:41 -0700 (PDT) Received: from mail.clark.net (mail.clark.net [168.143.0.10]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id GAA28711 for ; Sun, 6 Apr 1997 06:33:34 -0700 (PDT) Received: from mjr.clark.net (mjr.clark.net [168.143.19.61]) by mail.clark.net (8.8.5/8.6.5) with SMTP id JAA13611; Sun, 6 Apr 1997 09:32:08 -0400 (EDT) Message-Id: <199704061332.JAA13611@mail.clark.net> Comments: Authenticated sender is From: "Marcus J. Ranum" Organization: V-ONE Corp Baltimore office To: firewalls@GreatCircle.COM Date: Sun, 6 Apr 1997 09:35:23 +0000 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Re: Rather odd mail Reply-to: mjr@clark.net CC: sjohnson@weasel.owl.de, smaha@haystack.com X-mailer: Pegasus Mail for Win32 (v2.42a) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Obviously my previous mail must have irritated "Stuart" enough that he decided I was due a bit of smearing of my own. I'll avoid engaging in debate about my own business ethics, since nobody can be unbiassed about themself! 
But I'd like to attempt to correct some of what appears to be a deliberate attempt at disinformation. Stuart's tactic seems to be one of "Have you stopped beating your wife yet?" [BTW, anyone who knows my wife would never ask such a question!] It's difficult to know how to handle it, since rising to the bait with a response simply leaves room for more obfuscation. Not responding just leaves the smear job in place. Perhaps what's happening is that someone is trying to give us a little demonstration in "information warfare." :) Stuart Johnson writes: > As regard to the Haystack information, my message was not intended >to be "tabloid". No, it wasn't tabloid. Look in a dictionary under "Innuendo." That is probably a better word. > With the enquiry about Haystack and Wheelgroup, I received some > email from Marcus Ranum. I should mention that the mail you received was basically the same thing as I posted here: That Steve is still at Haystack, and that you should try using a telephone if you *really* wanted to get hold of him. > He > is someone I have respected from many of his posts. But his email has surprised me and > I have had some doubts about whether he was objectively replying or only trying to sell > some new product he is building and denigrate the choices that I am reviewing. My email, and my posting to this list, in no way shape or form denigrated anyone, and you know it. How *DARE* you imply that I am denigrating someone, when *YOU* are the one posting half-baked mumbo-jumbo about someone being fired by his board of directors, etc!!! Excuse me, but isn't that backwards? Steve Smaha is someone I respect a great deal, as a person and as a businessman. I also know the folks at Wheelgroup and have always gotten along well with them. But what puzzles me is how you'd jump from my suggesting you call Smaha on a telephone to saying something derogative about anyone's product! 
> I also received email's from others suggesting Marcus' new company >as an alternative That's interesting. Marcus' new company doesn't build anything that is an alternative to what Haystack or Wheelgroup offers. I'm doing something else. > but from those messages it is clear he has decided to get out of >V-One I am still Chief Scientist at V-One, and am still highly involved in helping run things there. I'm also trying to have a little fun by doing my own thing. V-One and the rest of my investors thought that I had some ideas worth pursuing (so do I!) and support me in doing so. If you want more information about V-One and my relationship with the company, don't ask leading questions on a public mailing list, call V-One's investor relations folks at 301-838-8900, and get the details from them. Or give me a call at 410-889-8569 and we can discuss it rather than having you have to rely on vague "emails" from "various people." > I kind of question what kind of business man Marcus is based on > what I had overheard at a conference where a small group of people > talking, including one of the speakers for NCSA (I believe Dr. > Tippett) ... You're welcome to question what kind of business man I am, and you're welcome to do that in public -- that's certainly your right. Perhaps you'll get more vague "emails" from "various people" saying I'm a nutcase and a dirtbag and no doubt we'll hear ALL about it. With respect to my involvement with NCSA, that was not a business relationship. I worked entirely pro bono and never took a cent from NCSA. I attended one of their meetings (on firewall "certification") and contributed the firewall product summaries format which they are using today. Since I feel firewall testing and certification is difficult to get right, at that point I ceased being involved with that effort. Of course, every story has 2 sides to it. 
People who are willing to assume I am a dirty businessman because of some "small group of people talking at a conference" can't be helped. > The second concern about the integrity of Marcus' company > is the fact that the Founder and CEO of a competing monitoring > company (Steve Smaha of Haystack) is on his board Yes, I am thrilled to death that Steve is on my board!! Indeed, one of the reasons I invited him to sit on my company's board of directors was because I admire his business sense, his ethics, and appreciate his wise advice. (Characteristics that are directly in contrast with your earlier breathless mail about what a nutcase "an insider" says he is) Of course, Steve wouldn't be on the board of directors of a competitor. That's another way of saying that I don't believe that Haystack and Network Flight Recorder, Inc. (My company) are competitors. You apparently think otherwise, but I'd like to think that since I'm CEO of the company I know a bit more about what we're building than you do. :) > I am not just looking for good technology, I want to do business > with people with integrity. Would *YOU* know a person with integrity if you were looking at one? I doubt it. You've clearly got some kind of axe to grind and you're hiding behind the sham of "I'm just wondering...." I don't know what I did to piss you off -- I tend to be a bit too outspoken for my own good sometimes -- but your technique of using a mailing list as a vehicle for a shadow skirmish is unsavory and will eventually annoy the readership of the list. Rather than continuing this cowardly tactic, if you really want to learn anything about me or my doings, pick up a telephone. mjr. ----- Marcus J. 
Ranum, Chief Scientist, V-ONE Corporation Work: http://www.v-one.com Personal: http://www.clark.net/pub/mjr From owner-firewalls-outgoing Sun Apr 6 07:50:13 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA03432 for firewalls-outgoing; Sun, 6 Apr 1997 07:35:26 -0700 (PDT) Received: from news.acrux.net (pluto.acrux.net [207.51.199.3]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id HAA03423 for ; Sun, 6 Apr 1997 07:35:22 -0700 (PDT) Received: from pluto (pluto [207.51.199.3]) by news.acrux.net (8.8.5/8.8.5) with SMTP id JAA04045; Sun, 6 Apr 1997 09:32:37 -0500 (CDT) Date: Sun, 6 Apr 1997 09:32:37 -0500 (CDT) From: Brian Tackett X-Sender: cym@pluto To: Stuart Johnson cc: firewalls@GreatCircle.COM Subject: Re: Monitoring Info In-Reply-To: <19970406005113.1036.qmail@squirrel.owl.de> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On 6 Apr 1997, Stuart Johnson wrote: Stuart et al; This really isn't, IMO, appropriate to this mailing list. Would it be possible to take the thread private, or perhaps to a list or forum more suited? 
The S/N ratio on this list is already high enough without throwing in the politics and perceived maneuvering of the entire security industry :) From owner-firewalls-outgoing Sun Apr 6 08:34:17 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA05774 for firewalls-outgoing; Sun, 6 Apr 1997 08:20:58 -0700 (PDT) Received: from relay.hq.tis.com (relay.hq.tis.com [192.94.214.100]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id IAA05756 for ; Sun, 6 Apr 1997 08:20:52 -0700 (PDT) Received: by relay.hq.tis.com; id LAA29218; Sun, 6 Apr 1997 11:15:44 -0400 (EDT) Received: from clipper.hq.tis.com(10.33.1.2) by relay.hq.tis.com via smap (3.2) id xma029212; Sun, 6 Apr 97 11:15:37 -0400 Received: (from jcp@localhost) by clipper.hq.tis.com (8.7.5/8.7.3) id LAA18248; Sun, 6 Apr 1997 11:19:14 -0400 (EDT) From: Jody C Patilla Message-Id: <199704061519.LAA18248@clipper.hq.tis.com> Subject: Re: Monitoring Info To: sjohnson@weasel.owl.de (Stuart Johnson) Date: Sun, 6 Apr 1997 11:19:13 -0400 (EDT) Cc: firewalls@greatcircle.com In-Reply-To: <19970406005113.1036.qmail@squirrel.owl.de> from "Stuart Johnson" at Apr 6, 97 00:51:13 am X-Mailer: ELM [version 2.4 PL25] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk [Stuart Johnson's load of garbage deleted - it doesn't bear repeating.] One has to wonder what wacko personal vendetta Mr. Johnson is pursuing with his campaign of innuendo, slander and character assassination. I don't for a minute believe that he is "just looking for information" - spreading ugly disinformation would appear to be more accurate. However, accuracy doesn't seem to be one of Mr. Johnson's strong points. No matter what his motivation, postings of this type don't belong in the firewalls mailing list. Go away - you clearly have no useful contribution to make here. - jcp -- ========================================================================= Jody C. 
Patilla jcp@tis.com Trusted Information Systems Glenwood, Md. From owner-firewalls-outgoing Sun Apr 6 09:04:23 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA08873 for firewalls-outgoing; Sun, 6 Apr 1997 09:02:10 -0700 (PDT) Received: from mercury.newyorkview.com (mercury.newyorkview.com [206.152.156.38]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id JAA08866 for ; Sun, 6 Apr 1997 09:02:04 -0700 (PDT) Received: (qmail 10415 invoked by uid 140); 6 Apr 1997 17:43:10 -0000 Date: Sun, 6 Apr 1997 13:43:10 -0400 (EDT) From: Jamshid Abedi To: Bill_Royds@pch.gc.ca cc: Firewalls@greatcircle.com Subject: Re: Individual chroot for ftp users. In-Reply-To: <85256471.0019249F.00@pch.gc.ca> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Use Wu-ftp with the guest option. Jamshid Abedi / jabedi@newyorkview.com http://titanium.newyorkview.com/~jabedi/pgp.html KeyID 1024/D17B7269 On Sat, 5 Apr 1997 Bill_Royds@pch.gc.ca wrote: > > > > > Does anybody have a program or system to allow one to set up > multiple ftp accounts on Solaris 2.5 so that each one is chrooted to their > own directory? I will have multiple ftp users on a depository machine, > that should not have anonymous ftp but still stop an ftp user getting out > of her own sandbox. 
> > > From owner-firewalls-outgoing Sun Apr 6 09:19:27 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA09186 for firewalls-outgoing; Sun, 6 Apr 1997 09:05:17 -0700 (PDT) Received: from uno.canit.se (uno.canit.se [193.13.228.1]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id JAA09142 for ; Sun, 6 Apr 1997 09:05:02 -0700 (PDT) Received: from localhost (brink@localhost) by uno.canit.se (8.6.10/8.6.10) with SMTP id SAA00349; Sun, 6 Apr 1997 18:03:50 +0200 Date: Sun, 6 Apr 1997 18:03:50 +0200 (MET DST) From: Carl Daniel Brink X-Sender: brink@uno To: Gary Hui cc: Firewalls@GreatCircle.COM Subject: Re: problems in linux In-Reply-To: <199704061050.SAA19899@sirius.hkstar.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Sun, 6 Apr 1997, Gary Hui wrote: > My linux is called " red hat linux " ...is it popular ? what is the > differences of it and the others linux ? > The red hat linux consist of 6-cd , i only use my disk1 to install the > basic components of my system ....what is the file in other disks ?? > I have a problems on setup my linux system.... > Can i setup a bbs by using a linux ? > I can't use my "mouse" stable in my Xwindows...How can i set it ? my mouse > is a called " mouse system mouse " in windows 95. > How can i setup my internet connection in my linux ( in text mode not > X-windows)? > after i use ppp to connect the internet...can other people login my sysetm > through internet ? ( the ip is different every time ) > I am 18 years old, some people said that is very difficult for me to setup > a linux or use it ,is this really ? have any people younger than me using > linux ? > > If you have problems. i willing solve it for you.(although it is > impossible.) Thanks!! > > Please answer me by this mailbox : yonnie00@hkstar.com > Thanks!! > > > > > Hey! I use Red Hat 4.1. 
And you only use the first CD to install the system. But the others contain sources and extra packages that you can install. As you was wondering about...you can make it a BBS, and ppl can login to your machine. But they would need an account.You will have to give them your IP address so they can connect to your system. If you need to connect to internet through PPP then you can do that too. Use chat and a few scripts. And pppd. You will have to bind your modem to /dev/modem(or another device name you want to use). If you want to learn more then goto http://www.linux.org or http://www.redhat.com Cenobyte From owner-firewalls-outgoing Sun Apr 6 12:19:26 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA21191 for firewalls-outgoing; Sun, 6 Apr 1997 12:04:10 -0700 (PDT) Received: from xyzzy.plugh.edmonton.ab.ca (xyzzy.plugh.edmonton.ab.ca [198.161.22.2]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id MAA21177 for ; Sun, 6 Apr 1997 12:04:04 -0700 (PDT) Received: (from uucp@localhost) by xyzzy.plugh.edmonton.ab.ca (8.6.12/8.6.9) id NAA10235; Sun, 6 Apr 1997 13:02:15 -0600 Received: from snouts-gw.obtuse.com(192.168.30.61), claiming to be "snouts.obtuse.com" via SMTP by mailhost.plugh.edmonton.ab.ca, id smtpd10233aaa; Sun Apr 6 13:02:10 1997 Received: (from uucp@localhost) by snouts.obtuse.com (8.7.5/8.7.3) id NAA17848; Sun, 6 Apr 1997 13:02:29 -0600 From: Bob Beck Received: from UNKNOWN(192.168.20.5), claiming to be "chocolate.obtuse.com" via SMTP by snouts.obtuse.com, id smtpd17846aaa; Sun Apr 6 13:02:23 1997 Received: (from beck@localhost) by chocolate.obtuse.com (8.7.5/8.7.3) id NAA02037; Sun, 6 Apr 1997 13:03:36 -0600 Message-Id: <199704061903.NAA02037@chocolate.obtuse.com> Subject: Re: ISR To: stesin@gu.net Date: Sun, 6 Apr 1997 13:03:35 -0600 (MDT) Cc: gerard@ozemail.com.au, firewalls@GreatCircle.COM In-Reply-To: from "Andrew Stesin" at Apr 4, 97 07:31:04 pm X-Mailer: ELM [version 2.4 PL25] MIME-Version: 
1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk However you should read their little conditions of use where it says you can't reproduce or retransmit material from the site on the web in any way. Gee, I hope you're not behind a caching proxy. In any case the fine print looked a bit on the silly side all things considered, that and I have to ask why in the heck they bother with a password/id setup if they're giving it away for free, unless it's actually an exercise in seeing how well security people can be social engineered ;-) -Bob > > > Hi Gerard, > > despite of the thingies you noticed, I'll probably subscribe. > (Neither of the pieces you noticed are so much protected and/or classified, > anyway :) Though you are right -- and they (ISR) aren't. > > On Fri, 4 Apr 1997, Gerard A. Joseph wrote: > > > Date: Fri, 04 Apr 1997 17:38:31 -0800 > > From: "Gerard A. Joseph" > > To: firewalls@GreatCircle.COM > > Subject: Re: ISR > > > > The site looks interesting, but it seems anomalous for a > > security-oriented site to ask for such details as name, email address, > > physical address, and password to be transmitted in the clear over the > > Internet. > > > > Gerard > > > > Network Operations Center wrote: > > > > > > f.y.i. > > > > > > Internet Security Review is now accepting > > > subscriptions (free) at http://www.isr.net > > > The journal appears monthly. 
> > > > > > regards > > > > > > Bert > > > > Best regards, > Andrew Stesin > > nic-hdl: ST73-RIPE > > > From owner-firewalls-outgoing Sun Apr 6 13:04:31 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA23659 for firewalls-outgoing; Sun, 6 Apr 1997 12:53:43 -0700 (PDT) Received: from cinna.ultra.net (cinna.ultra.net [199.232.56.8]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id MAA23633 for ; Sun, 6 Apr 1997 12:53:35 -0700 (PDT) Received: from zandar.judge.org (firewall-user@joesmac.ultranet.com [199.232.59.222]) by cinna.ultra.net (8.8.5/ult1.04) with SMTP id PAA11323 for ; Sun, 6 Apr 1997 15:52:27 -0400 (EDT) Received: by zandar.judge.org with Microsoft Mail id <01BC42A1.F9F6CC00@zandar.judge.org>; Sun, 6 Apr 1997 15:48:31 -0400 Message-ID: <01BC42A1.F9F6CC00@zandar.judge.org> From: Joseph Judge To: "'Firewalls Mailing List'" Subject: Gauntlet / SmartWall source :-( Date: Sun, 6 Apr 1997 15:48:29 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk With the release of the Solaris versions of Gauntlet and SmartWall, the ability of buying the source code has disappeared. How has this affected anyone in the firewalls arena? Does anyone else muck with the source code like I do ? or do most folks just use the: - firewall toolkit to just compile - the Gauntlet just to install - the SmartWall just to install ?? 
-- -joe From owner-firewalls-outgoing Sun Apr 6 13:19:58 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA23977 for firewalls-outgoing; Sun, 6 Apr 1997 12:59:03 -0700 (PDT) Received: from mail.clark.net (mail.clark.net [168.143.0.10]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id MAA23970 for ; Sun, 6 Apr 1997 12:58:57 -0700 (PDT) Received: from mjr.clark.net (mjr.clark.net [168.143.19.61]) by mail.clark.net (8.8.5/8.6.5) with SMTP id PAA21029 for ; Sun, 6 Apr 1997 15:57:35 -0400 (EDT) Message-Id: <199704061957.PAA21029@mail.clark.net> Comments: Authenticated sender is From: "Marcus J. Ranum" Organization: V-ONE Corp Baltimore office To: firewalls@GreatCircle.COM Date: Sun, 6 Apr 1997 16:00:50 +0000 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Re: combo internal/external web servers Reply-to: mjr@clark.net X-mailer: Pegasus Mail for Win32 (v2.42a) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Some have suggested using either a zip drive (with the write protect > tab notched) or a writeable cdrom, but i don't think these methods are > practical, aside from the fact that zip and cdrom drives are slower. > These things are what i call 'making work', they make you, the admin, > do things like burn cds, change cds, remount it. You'll find that once the buffer cache gets loaded, the lower speed of the CDROM is not a performance issue unless you're shoving huge amounts of non-related data out your Web pipe. Also, consider something like a Jaz drive, which can perform pretty quickly, about comparable to an older generation hard disk. I know one site that has a shell job migrate the contents of a Zip disk onto a hard disk and periodically check to make sure that the hard disk copy hasn't been altered. 
There is the "extra work" issue but I kind of like the idea of being able to instantly revert to a previous copy of my web site on a moment's notice, by just popping in yesterday's disk and remounting it. The big question is how often your web site changes -- if it's constantly under update then just about no readonly media solution will work over time. A lot of it depends on how likely you think you are to come under a "web site redesign attack" mjr. ----- Marcus J. Ranum, Chief Scientist, V-ONE Corporation Work: http://www.v-one.com Personal: http://www.clark.net/pub/mjr From owner-firewalls-outgoing Sun Apr 6 13:34:37 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA25823 for firewalls-outgoing; Sun, 6 Apr 1997 13:30:21 -0700 (PDT) Received: from matav.hu (firewall.matav.hu [145.236.225.161]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id NAA25789 for ; Sun, 6 Apr 1997 13:29:24 -0700 (PDT) Received: from tiivs7.tii.matav.hu ([145.236.48.148]) by firewall.matav.hu with SMTP id <55619-1>; Sun, 6 Apr 1997 21:26:54 +0100 Received: from piheno.tii.matav.hu by tiivs7.tii.matav.hu (MX V4.1 VAX) with SMTP; Sun, 06 Apr 1997 22:27:57 MET Received: from localhost (mag@localhost) by piheno.tii.matav.hu (8.8.4/8.8.4) with SMTP id XAA01324; Sun, 6 Apr 1997 23:29:49 +0200 Date: Sun, 6 Apr 1997 22:29:48 +0100 From: "Magossa'nyi A'rpa'd" To: "Sameer R. Manek" CC: Kathy Kost , firewalls@GreatCircle.COM Subject: Re: combo internal/external web servers In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=ISO-8859-2 Content-Transfer-Encoding: QUOTED-PRINTABLE Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Sun, 6 Apr 1997, Sameer R. Manek wrote: I would use scp to periodically copy the webpages out to the web server. Then you don't have connections initiated from outside the firewall. And it doesn't involve writing CDs periodically, just setting up a cronjob once. 
Isn't nfs considered harmful anyway? > One idea I really like, though i haven't had the opportunity to try it > out. This combination involves 2 boxes in addition to your firewall. > Since running a web server on a firewall isn't considered a wise idea in > general. > > Basically what you do is having two boxes, a web server and a file server. > the web server mounts nfs mounts read only /webserver/htdocs from > the file server. The web server's only service is httpd, and maybe ftpd > which isn't very cpu intensive, so a low end pentium and *bsd or linux > will do. --- GNU GPL: only from a pure source From owner-firewalls-outgoing Sun Apr 6 14:35:17 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA02677 for firewalls-outgoing; Sun, 6 Apr 1997 14:19:50 -0700 (PDT) Received: from endeavor.flash.net (endeavor.flash.net [208.194.223.40]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id OAA02660 for ; Sun, 6 Apr 1997 14:19:43 -0700 (PDT) Received: from pepsicos (dasc7-83.flash.net [208.194.218.83]) by endeavor.flash.net (8.8.5/8.8.5) with SMTP id QAA03288; Sun, 6 Apr 1997 16:14:46 -0500 (CDT) Message-ID: <334814D6.3179@flash.net> Date: Sun, 06 Apr 1997 16:25:42 -0500 From: Srinivas Nagabhirava Reply-To: srini@flash.net Organization: NEATU X-Mailer: Mozilla 3.0C-E-KIT (Win95; I) MIME-Version: 1.0 To: yoram@abirnet.com CC: firewalls@GreatCircle.COM Subject: Re: Internet Manager References: <9701148559.AA855956338@ccmail.framatech.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk yoram@abirnet.com wrote: > > Please check SessionWall from AbirNet on our web site www.abirnet.com > Yoram Nissenboim > AbirNet > --- On Fri, 14 Feb 97 11:41:12 EST Jamie_T_Brooks@framatech.com wrote: > Hi Everyone! > > I am in search of a product that will track Internet Access, Usage > monitoring, and generate reports. 
> > I am using a Gauntlet 3.2 (TIS) firewall running on BSD/OS. > > Anyone who can recommend a product from EXPERIENCE, I would appreciate > hearing from you. > > > Thanks in Advance :-) > > > Jamie > > ---------------End of Original Message----------------- > > ******************************************************** > Yoram Nissenboim > AbirNet - Active Network Protection > Date: 02/16/97 Time: 11:03:01 > > AbirNet provides the next generation in firewalls and > Internet and Intranet intrusion and abuse protection. > AbirNet provides Windows 95 and NT-based software that > provides no-overhead see-it-all filtering, blocking, > alerting, logging, and scanning. > Ask about SessionWall and SessionView (800)245-1688. > Get a free evaluation copy at http://www.abirnet.com > ******************************************************** Do you really want to push your luck advertising your product every day on this newsgroup? As someone pointed out earlier, please try to add value to the list or just read silently and learn. Srini. 
From owner-firewalls-outgoing Sun Apr 6 15:04:49 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA04764 for firewalls-outgoing; Sun, 6 Apr 1997 14:59:17 -0700 (PDT) Received: from ups.com (xavier.ups.com [198.80.14.117]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id OAA04727 for ; Sun, 6 Apr 1997 14:59:03 -0700 (PDT) Received: from is.ups.com by ups.com (SMI-8.6/SMI-SVR4) id RAA01199; Sun, 6 Apr 1997 17:57:59 -0400 Received: from butthead.ups.com by is.ups.com (5.x/SMI-SVR4) id AA22255; Sun, 6 Apr 1997 17:57:45 -0400 Received: from localhost by butthead.ups.com (SMI-8.6/SMI-SVR4) id RAA11072; Sun, 6 Apr 1997 17:58:13 -0400 Date: Sun, 6 Apr 1997 17:58:12 -0400 (EDT) From: Dave Wreski X-Sender: tel1dvw@butthead To: Gary Hui Cc: Firewalls@GreatCircle.COM Subject: Re: problems in linux In-Reply-To: <199704061050.SAA19899@sirius.hkstar.com> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Sorry, don't know the policies for responding to off-topic mail. To the list, or to the user? On Sun, 6 Apr 1997, Gary Hui wrote: > My linux is called " red hat linux " ...is it popular ? what is the You got lucky on your first shot. This is my favorite. Check out www.redhat.com for a list of its features. > If you have problems. i willing solve it for you.(although it is > impossible.) Thanks!! Gary, I'm wondering what your message has to do with firewalls. I have seen off-topic posts, but this isn't even a linux list! > Please answer me by this mailbox : yonnie00@hkstar.com Mail a message to redhat-list-request@redhat.com, and put 'subscribe' in the body. You can post redhat linux related questions to this list (redhat-list@redhat.com) once you have subscribed. 
Dave From owner-firewalls-outgoing Sun Apr 6 15:59:12 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id PAA08490 for firewalls-outgoing; Sun, 6 Apr 1997 15:45:46 -0700 (PDT) Received: from gw.research.megasoft.com (gw.research.megasoft.com [206.230.35.93]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id PAA08481 for ; Sun, 6 Apr 1997 15:45:37 -0700 (PDT) Received: (from uucp@localhost) by gw.research.megasoft.com (8.7.5/8.7.3-cmcurtin) id SAA06262; Sun, 6 Apr 1997 18:43:11 -0400 (EDT) Received: from goffette.research.megasoft.com(192.168.1.2) by gw.research.megasoft.com via smap (V2.0) id xma006254; Sun, 6 Apr 97 18:42:49 -0400 Received: (from cmcurtin@localhost) by goffette.research.megasoft.com (8.8.5/8.8.5) id SAA21690; Sun, 6 Apr 1997 18:43:25 -0400 (EDT) Date: Sun, 6 Apr 1997 18:43:25 -0400 (EDT) Message-Id: <199704062243.SAA21690@goffette.research.megasoft.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit From: C Matthew Curtin To: Joseph Judge Cc: "'Firewalls Mailing List'" Subject: Re: Gauntlet / SmartWall source :-( In-Reply-To: <01BC42A1.F9F6CC00@zandar.judge.org> References: <01BC42A1.F9F6CC00@zandar.judge.org> X-Mailer: VM 6.22 under 19.15 XEmacs Lucid X-Face: "&>g(&eGr?u^F:nFihL%BsyS1[tCqG7}I2rGk4{aKJ5I_5A\*6RYn4"N.`1pPF9LO!Fa<(gj:12)?=uP2l01e10Gij"7j&-)torL^iBrNf\s7PDLm=rf[PjxtSbZ{J(@@j"q2/iV9^Mx>>>> "Joe" == Joseph Judge writes: Joe> With the release of the Solaris versions of Gauntlet and Joe> SmartWall, the ability of buying the source code has disappeared. As some black-hat folks I know might say: "Th4+ $uX0rz" Joe> Does anyone else muck with the source code like I do ? I do... For internal stuff here, I like to use bits of FWTK for various jobs. Some tools are heavily hacked, some are just compiled as-is, and most are somewhere in the middle. 
In consulting situations, I typically recommend Gauntlet if someone wants to "buy a firewall," or need something like that for a bastion host. I've never known anyone with Gauntlet (besides me) to hack at the code. In reality, I suspect that this is just a sign of the firewalling times. Firewalls are becoming commodity items. People don't typically screw around with their household appliances and other commodity-type things. Firewalls are headed in the same direction, and I think that's only going to continue as many IS organizations continue to want to hire button-pusher types, and buy things that claim to bring their systems to that level. Whether this is a Good Thing, a Bad Thing, or some combination thereof (I vote for the latter, myself) isn't really relevant; it's what's happening. As a result, the here-are-some-tools-build-it-yourself approach will probably continue to be used in places where it has been done already, and almost all new installations will be of the simple-enough-for-a-button-pusher type. -- Matt Curtin Chief Scientist Megasoft, Inc. cmcurtin@research.megasoft.com http://www.research.megasoft.com/people/cmcurtin/ I speak only for myself Death to small keys. Crack DES NOW! 
http://www.frii.com/~rcv/deschall.htm From owner-firewalls-outgoing Sun Apr 6 16:19:35 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id QAA10107 for firewalls-outgoing; Sun, 6 Apr 1997 16:07:16 -0700 (PDT) Received: from inet03.citec.qld.gov.au (inet03.citec.qld.gov.au [203.5.10.130]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id QAA10078 for ; Sun, 6 Apr 1997 16:07:05 -0700 (PDT) Received: by inet03.citec.qld.gov.au; id JAA19225; Mon, 7 Apr 1997 09:05:59 +1000 Received: from guru.citec.qld.gov.au(147.132.20.47) by inet03.citec.qld.gov.au via smap (3.2) id xma019191; Mon, 7 Apr 97 09:05:26 +1000 Received: (from sgcccdc@localhost) by guru.citec.qld.gov.au (8.6.12/8.6.12) id JAA18088; Mon, 7 Apr 1997 09:06:54 +1000 From: Colin Campbell Message-Id: <199704062306.JAA18088@guru.citec.qld.gov.au> Subject: Re: Gauntlet / SmartWall source :-( To: joej@joesmac.ultranet.com (Joseph Judge) Date: Mon, 7 Apr 1997 09:06:52 +1000 (EST) Cc: firewalls@greatcircle.com In-Reply-To: <01BC42A1.F9F6CC00@zandar.judge.org> from "Joseph Judge" at Apr 6, 97 03:48:29 pm X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk My mailer thinks Joseph Judge said: > > > > With the release of the Solaris versions of > Gauntlet and SmartWall, the ability of > buying the source code has disappeared. Not true. It is around US$495. The annoying thing for me was having this applied retrospectively. We ordered at the time the Solaris version was being released. When we finally got it, we found no source and our reseller, at that time renegotiating with TIS, didn't know the source wasn't available. If we'd known the source was going to cost more, we would have allowed for it. 
Now I have to go to get some more cash from people who've just spent heaps, because the vendor changed their policy and the product they thought they were getting is different to what the vendor actually sold. > > How has this affected anyone in the firewalls > arena? Pain in the arse, not having it. After all, it's the only piece of documentation that is accurate and complete. The man pages and manuals just aren't. Now we're stuck with "I don't know exactly how it works, let's try this" until "it" works. Experimenting on a firewall? Sounds stupid to me. But that's what we users have been reduced to. Colin From owner-firewalls-outgoing Sun Apr 6 19:05:09 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id SAA21821 for firewalls-outgoing; Sun, 6 Apr 1997 18:57:14 -0700 (PDT) Received: from nova.unix.portal.com (nova.unix.portal.com [156.151.1.101]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id SAA21809 for ; Sun, 6 Apr 1997 18:57:09 -0700 (PDT) Received: from demon.corp.portal.com (demon.corp.portal.com [156.151.1.10]) by nova.unix.portal.com (8.6.11/8.6.5) with ESMTP id SAA24976 for ; Sun, 6 Apr 1997 18:53:38 -0700 Received: from pinpc30.corp.portal.com (pinpc30.corp.portal.com [156.151.1.129]) by demon.corp.portal.com (8.6.11/8.6.5) with SMTP id SAA20619 for ; Sun, 6 Apr 1997 18:53:37 -0700 Received: by pinpc30.corp.portal.com with Microsoft Mail id <01BC42BB.4E390AD0@pinpc30.corp.portal.com>; Sun, 6 Apr 1997 18:49:49 -0700 Message-ID: <01BC42BB.4E390AD0@pinpc30.corp.portal.com> From: Dana Bourgeois To: "firewalls@GreatCircle.COM" Subject: RE: combo internal/external web servers Date: Sun, 6 Apr 1997 18:57:46 -0700 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk -----Original Message----- From: Sameer R. 
Manek [SMTP:manek@challenger.atc.fhda.edu]
Sent: Saturday, April 05, 1997 18:31
To: Kathy Kost
Cc: firewalls@GreatCircle.COM
Subject: Re: combo internal/external web servers

One idea I really like, though I haven't had the opportunity to try it out. This combination involves 2 boxes in addition to your firewall. Since running a web server on a firewall isn't considered a wise idea in general. Basically what you do is have two boxes, a web server and a file server. The web server nfs mounts read only /webserver/htdocs from the file server. The web server's only service is httpd, and maybe ftpd which isn't very cpu intensive, so a low end pentium and *bsd or linux will do.

[fg=> ] Hmmmm....I wouldn't think running an NFSD in your DMZ is a good idea either. But perhaps Linux NFSDs are not susceptible to attack like SUNOS or Solaris ones are...

In addition because the webserver doesn't have the pages you don't have to give accounts to folks who may not do security conscious things, such as the web page development groups. They can have accounts on machines less visible to the public. So you can close off network logins or run sshd.

[fg=> ] I would instead run the web server and wu-ftp on the same machine. No telnet or ucb utilities available. No mail or DNS either. People would ftp into the machine and upload their content to their own directories which the web server could read. If you use an OS that has virtual interfaces like Solaris (I don't know if Linux can do this) then you can have the web server basically set its root location to the user's ftp directory and the users cannot expose anything outside their login directory.
Some have suggested using either a zip drive (with the write protect tab notched) or a writeable cdrom, but I don't think these methods are practical, aside from the fact that zip and cdrom drives are slower. These things are what I call 'making work', they make you, the admin, do things like burn cds, change cds, remount it.

[fg=> ] No reason you can't put your OS and web setup on a physically write-protected disk. Your users might make daily changes but your host setup probably wouldn't need that. I've changed our web server (a SUN but the principle is the same) twice in the last year although the web people make almost daily changes to the web content.

My opinion is that the admin is responsible for maintaining the service, which is time consuming enough, not to create more work. If you put the responsibility of maintaining the pages, putting them on the server, etc as close to the people who write the pages as possible that is a good thing. Making the system secure and ensuring ease of use is our responsibility. Your dedicated web page file server can even run something like net-a-talk or samba so they can author the pages directly from the NT/95 or Mac workstations.

[fg=> ] I wouldn't consider NFS except on a trusted network. Never forget the NFSD accepts commands to add and remove files and directories. If you can spoof one, you can do that to all files except probably those owned by root since NFS treats root as special.

From owner-firewalls-outgoing Sun Apr 6 19:34:22 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id TAA23165 for firewalls-outgoing; Sun, 6 Apr 1997 19:32:13 -0700 (PDT) Received: from cinna.ultra.net (cinna.ultra.net [199.232.56.8]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id TAA23150 for ; Sun, 6 Apr 1997 19:32:04 -0700 (PDT) Received: from zandar.judge.org (firewall-user@joesmac.ultranet.com [199.232.59.222]) by cinna.ultra.net (8.8.5/ult1.04) with SMTP id WAA20856; Sun, 6 Apr 1997 22:29:40 -0400 (EDT) Received: by zandar.judge.org with Microsoft Mail id <01BC42D9.74C168A0@zandar.judge.org>; Sun, 6 Apr 1997 22:25:39 -0400 Message-ID: <01BC42D9.74C168A0@zandar.judge.org> From: Joseph Judge To: Joseph Judge , "'cmcurtin@research.megasoft.com'" Cc: "'Firewalls Mailing List'" Subject: RE: Gauntlet / SmartWall source :-( Date: Sun, 6 Apr 1997 22:25:37 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

You mean that most folks don't alter their household appliances like I do ? Sheesh! (mumble, mumble, mumble ...)

-- -joe

cmcurtin@research.megasoft.com wrote ... times. Firewalls are becoming commodity items. People don't typically screw around with their household appliances and other commodity-type things.
Firewalls are headed in the same direction,

From owner-firewalls-outgoing Sun Apr 6 21:59:08 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id UAA06112 for firewalls-outgoing; Sun, 6 Apr 1997 20:49:03 -0700 (PDT) Received: from arup.com (ove.arup.com [193.116.20.1]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id UAA05875 for ; Sun, 6 Apr 1997 20:48:18 -0700 (PDT) Received: by arup.com (4.1/UNIPALM-V1.3mjr@arup.com) id AA03521; Mon, 7 Apr 97 04:47:13 BST Received: from a_csun01.arup.com(69.69.11.1) by ove via smap (V1.3mjr) id sma003513; Mon Apr 7 04:46:36 1997 Received: from (a_csun14) by arupuk (4.1/SMI-4.1) id AA09730; Mon, 7 Apr 97 04:46:35 BST Received: from arup.com by (4.1/SMI-4.1) id AA23861; Mon, 7 Apr 97 04:43:30 BST Received: from comms-Message_Server by arup.com with Novell_GroupWise; Mon, 07 Apr 1997 04:43:29 +0000 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Mon, 07 Apr 1997 03:33:41 +0000 From: Scott Fagg To: firewalls@greatcircle.com Subject: POP proxy availabilty Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I am building a firewall for a small commercial network (6 PCs, NT, 95, Win3). I'm basing the solution on Linux running the TIS FWTK (primarily because of cost, but I also feel relatively comfortable with the bits and pieces).

As it comes, the fwtk supports http, ftp & telnet sufficiently for my needs. The next hurdle is email. I could use the 'plug' proxy to cover most email situations. My understanding is that you can set up 1-to-1 and many-to-1 relationships with the 'plug' proxy but not 1-to-many (ie one client, many mailboxes). This might be limiting. (At the moment their email is a little messy.)

Does a POP/SMTP proxy exist that would fit in with the fwtk? Is there a standalone POP/SMTP proxy available in some form? (that would run on linux/unix - source code preferably) or does smap/smapd solve the problem?
regards,

From owner-firewalls-outgoing Sun Apr 6 23:04:28 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA21804 for firewalls-outgoing; Sun, 6 Apr 1997 23:00:30 -0700 (PDT) Received: from mercury.fhda.edu (tiptoe.fhda.edu [153.18.8.1]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id XAA21794 for ; Sun, 6 Apr 1997 23:00:25 -0700 (PDT) Received: from challenger.atc.fhda.edu (manek@challenger.atc.fhda.edu [153.18.200.1]) by mercury.fhda.edu (8.8.3/8.8.3) with ESMTP id WAA01674 for ; Sun, 6 Apr 1997 22:57:26 -0700 (PDT) Received: from localhost (manek@localhost) by challenger.atc.fhda.edu (8.8.0/8.7.3) with SMTP id WAA28786; Sun, 6 Apr 1997 22:53:43 -0700 (PDT) Date: Sun, 6 Apr 1997 22:53:43 -0700 (PDT) From: "Sameer R. Manek" Reply-To: "Sameer R. Manek" To: "Magossa'nyi A'rpa'd" cc: firewalls@GreatCircle.COM Subject: Re: combo internal/external web servers In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Sun, 6 Apr 1997, Magossa'nyi A'rpa'd wrote:
> On Sun, 6 Apr 1997, Sameer R. Manek wrote:
>
> I would use scp to periodically copy the webpages out to the web server.
> Then you don't have connections initiated from outside the firewall. And it
> doesn't involve writing CDs periodically, just setting up a cronjob once.
> Isn't nfs considered harmful anyway?

An NFS mount could be considered harmful, but that's why something like the router would block it. My preference towards an nfs Read-only export over something like an scp is that when you do a recursive scp or a tar -cf - . | ssh 'cd webdirectory; tar -xf - ' is that you now have an account that effectively has an .rhosts (the ssh equivalent is a RSAAuthentication with a null password), since a script would most likely be used to transfer files over via cron.
My main reason for doing an nfs export is that if the webserver gets hacked, which has happened to several rather public webservers (DOJ, USAF, just to name a few), this way your web page data is protected. Since page content tends to change more often than a server configuration does, backups of the server don't have to be done as often. This reduces the possibility of a hacked server sitting on your server with several trojans for extended periods of time. In the mean time a full backup cycle has gone through, and all backups are trojaned.

Also network login abilities on servers that have as much public attention such as a web or ftp servers probably isn't a good thing. I'd rather limit it to console only logins if possible.

Hacked webservers tend to be the most embarrassing thing for a company, since they are so public.

Sameer

From owner-firewalls-outgoing Sun Apr 6 23:35:49 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA23189 for firewalls-outgoing; Sun, 6 Apr 1997 23:17:41 -0700 (PDT) Received: from firewall.security.is.co.za (gauntlet.tns.co.za [196.23.1.2]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id XAA23148 for ; Sun, 6 Apr 1997 23:17:30 -0700 (PDT) Received: by firewall.security.is.co.za; id IAA12052; Mon, 7 Apr 1997 08:16:27 +0200 (SAT) Received: from commerce.tns.co.za(10.0.0.8) by firewall.security.is.co.za via smap (3.2) id xma012048; Mon, 7 Apr 97 08:16:09 +0200 Received: from localhost (craig@localhost) by commerce.tns.co.za (940816.SGI.8.6.9/8.6.12) with SMTP id IAA09916; Mon, 7 Apr 1997 08:14:28 +0200 Date: Mon, 7 Apr 1997 08:14:28 +0200 (SAST) From: Craig Schlenter X-Sender: craig@commerce.tns.co.za To: C Matthew Curtin cc: "'Firewalls Mailing List'" Subject: Re: Gauntlet / SmartWall source :-( In-Reply-To: <199704062243.SAA21690@goffette.research.megasoft.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Sun, 6
Apr 1997, C Matthew Curtin wrote:
> Joe> Does anyone else muck with the source code like I do ?
>
> I do... For internal stuff here, I like to use bits of FWTK for
> various jobs. Some tools are heavily hacked, some are just compiled
> as-is, and most are somewhere in the middle.
>
> In consulting situations, I typically recommend Gauntlet if someone
> wants to "buy a firewall," or need something like that for a bastion
> host. I've never known anyone with Gauntlet (besides me) to hack at
> the code.

[snip]

We have hacked quite a bit of the gauntlet code. In fact we offer our clients some quite nice enhancements including:

(1) A MS Windows based user (auth) manager
(2) Username based HTML reports accessible through info-gw
(3) password expiry and one-time use accounts
(4) an authenticating NNTP proxy

amongst others.

I wouldn't recommend a firewall that doesn't come with source - it's just too inflexible. Admittedly it's not entirely trivial to do most of these things but at least with the source, you can if you need to.

My understanding of the gauntlet source code scenario btw. was that it would still be available but was not in the package by default as most people don't use it.
Cheers, --Craig From owner-firewalls-outgoing Mon Apr 7 00:39:56 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id AAA29171 for firewalls-outgoing; Mon, 7 Apr 1997 00:21:34 -0700 (PDT) Received: from dtcro002.apogee-com.fr (firewall.apogee-com.fr [194.2.187.130]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id AAA29164 for ; Mon, 7 Apr 1997 00:21:28 -0700 (PDT) Received: by dtcro002.apogee-com.fr; id JAA07182; Mon, 7 Apr 1997 09:30:38 +0200 (MET DST) Received: from dtcxs001.apogee-com.fr(10.129.16.1) by firewall.apogee-com.fr via smap (3.2) id xma007180; Mon, 7 Apr 97 09:30:12 +0200 Received: from DTCNT001 (dtcnt001.apogee-com.fr) by (4.1/SMI-4.1) id AA05732; Mon, 7 Apr 97 09:18:17 +0200 Message-Id: <33489FA9.235A@apogee-com.fr> Date: Mon, 07 Apr 1997 09:18:01 +0200 From: Zwobada Jean-Francois Organization: APOGEE Communications X-Mailer: Mozilla 4.0b2 (WinNT; I) Mime-Version: 1.0 To: kenng@kpmg.com Cc: James Liang , Jean-Francois Zwobada , firewalls-digest@GreatCircle.COM Subject: Re: UDP through Gauntlet? X-Priority: 3 (Normal) References: <0003700B.3365@kpmg.com> Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk kenng@kpmg.com wrote: > > Gauntlet 3.2 supports packet filtering UDP packets. It has their > usual warnings, but it is there. > Bad idea ...real bad idea... The packet filter does not support NAT, does not handle UDP "sessions" like udprelay does, and it does not log anything... If you *really* have to accept UDP through the Gauntlet, use udprelay. 
Cheers

Jean-Francois

From owner-firewalls-outgoing Mon Apr 7 01:23:58 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id BAA01718 for firewalls-outgoing; Mon, 7 Apr 1997 01:03:54 -0700 (PDT) Received: from gst.cgs.it ([194.21.223.3]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id BAA01676 for ; Mon, 7 Apr 1997 01:03:40 -0700 (PDT) Received: from gst_web (gst_web.gst.cgs.it [194.21.223.183]) by gst.cgs.it (8.7.5/8.7.3) with SMTP id KAA31939 for ; Mon, 7 Apr 1997 10:24:25 +0200 Message-ID: <3348AB73.7BEC@gst.cgs.it> Date: Mon, 07 Apr 1997 10:08:19 +0200 From: Domenico Viggiani Organization: CAP GEMINI X-Mailer: Mozilla 3.01 (WinNT; I) MIME-Version: 1.0 To: firewalls@greatcircle.com Subject: NTP Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi, all! This is my first posting in this mailing-list.

What about the following problem: some machines in the DMZ have to connect with an NTP server in the protected network. Do I need to permit traffic across the firewall, setting simple packet filtering rules?

Thank you in advance.
Domenico Viggiani (dviggian@gst.cgs.it) CAP GEMINI ITALY SpA

From owner-firewalls-outgoing Mon Apr 7 01:41:43 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id BAA02055 for firewalls-outgoing; Mon, 7 Apr 1997 01:07:55 -0700 (PDT) Received: from gst.cgs.it ([194.21.223.3]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id BAA02029 for ; Mon, 7 Apr 1997 01:07:42 -0700 (PDT) Received: from gst_web (gst_web.gst.cgs.it [194.21.223.183]) by gst.cgs.it (8.7.5/8.7.3) with SMTP id KAA32146; Mon, 7 Apr 1997 10:28:31 +0200 Message-ID: <3348AC62.3B28@gst.cgs.it> Date: Mon, 07 Apr 1997 10:12:26 +0200 From: Domenico Viggiani Organization: CAP GEMINI X-Mailer: Mozilla 3.01 (WinNT; I) MIME-Version: 1.0 To: firewalls@greatcircle.com CC: Bill_Royds@pch.gc.ca Subject: Re: Individual chroot for ftp users. Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>Date: Sat, 5 Apr 1997 23:37:52 -0400
>From: Bill_Royds@pch.gc.ca
>Subject: Individual chroot for ftp users.
> Does anybody have a program or system to set up an allow one to set up
>multiple ftp accounts on Solaris 2.5 so that each one is chrooted to their
>own directory? I will have multiple ftp users on a depository machine,
>that should not have anonymous ftp but still stop an ftp user getting out
>of her own sandbox.

I have same needing. If someone can help us, it will be useful!
TIA

Domenico Viggiani CAP GEMINI SpA

From owner-firewalls-outgoing Mon Apr 7 02:04:39 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id BAA07223 for firewalls-outgoing; Mon, 7 Apr 1997 01:50:16 -0700 (PDT) Received: from relay1.shore.net (relay1.shore.net [192.233.85.129]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id BAA07186 for ; Mon, 7 Apr 1997 01:50:06 -0700 (PDT) Received: from [198.115.179.81] (vin.shore.net [198.115.179.81]) by relay1.shore.net (8.8.3/8.8.3) with ESMTP id EAA11039 for ; Mon, 7 Apr 1997 04:48:57 -0400 (EDT) Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Mon, 7 Apr 1997 03:51:46 -0500 To: firewalls@greatcircle.com From: Vin McLellan Subject: Stuart Johnson's Looney Tunes Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Our experience with Stuart Johnson and his swarmy allegations against V-One and Marcus Ranum, personally -- and previously, against Haystack and Steve Smaha, personally -- illustrates how difficult it is for a public mailing list to constrain the rants of an honest-to-goodness Network Loon.

Johnson writes with a mixture of malevolence and naivete that taints every topic he addresses and stains every company he mentions. With his tortured syntax and Ostwestfalen-Lippe domain, I thought Johnson's leap of the language barrier excused -- just barely -- his original post on Haystack vs. Wheelgroup. (It was also hard to see how his representation of Wheelgroup, the firm he seemed to favor, did anything but embarrass them.)

His more recent denunciations of Smaha and Ranum -- in both cases, with long lists of nasty allegations wholly unsupported except by Johnson's unnamed "insider" sources -- are of the sort that make anyone who tries to challenge him feel dirty just to quote his posts.
What makes the Network Loon such an intriguing character -- on top of his regular sociopathic displays online -- is his inability to predict how others will react to his broadcast mix of dirty whispers and self-righteous piety.

"I'm not just looking for good technology," explained Mr. Johnson, "I want to do business with people with integrity."

Right. Johnson runs some risks with such hypocrisy -- but the Loon, almost by definition, hears neither the groans nor the laughter from the rest of us. Looney self-awareness is as rare as looney subtlety.

My apologies for off-topic growling and gnashing.

Suerte, _Vin

Vin McLellan + The Privacy Guild + 53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548 -- <@><@> --

From owner-firewalls-outgoing Mon Apr 7 03:21:27 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id DAA16019 for firewalls-outgoing; Mon, 7 Apr 1997 03:06:39 -0700 (PDT) Received: from finwds01.tu-graz.ac.at (finwds01.tu-graz.ac.at [129.27.138.60]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id DAA15972 for ; Mon, 7 Apr 1997 03:05:54 -0700 (PDT) Received: from finwal01.tu-graz.ac.at (tom@finwal01.tu-graz.ac.at [129.27.138.63]) by finwds01.tu-graz.ac.at (8.8.5/8.8.5) with SMTP id MAA18989; Mon, 7 Apr 1997 12:03:49 +0200 Received: from localhost by finwal01.tu-graz.ac.at (5.65v3.2/1.1.10.5/03Feb97-0824AM) id AA10066; Mon, 7 Apr 1997 12:03:49 +0200 Date: Mon, 7 Apr 1997 12:03:48 +0200 (MET DST) From: Thomas Leitner X-Sender: tom@finwal01.tu-graz.ac.at To: Domenico Viggiani Cc: firewalls@GreatCircle.COM, Bill_Royds@pch.gc.ca Subject: Re: Individual chroot for ftp users. In-Reply-To: <3348AC62.3B28@gst.cgs.it> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Mon, 7 Apr 1997, Domenico Viggiani wrote:
> >Date: Sat, 5 Apr 1997 23:37:52 -0400
> >From: Bill_Royds@pch.gc.ca
> >Subject: Individual chroot for ftp users.
> >
> > Does anybody have a program or system to set up an allow one to set up
> >multiple ftp accounts on Solaris 2.5 so that each one is chrooted to their
> >own directory? I will have multiple ftp users on a depository machine,
> >that should not have anonymous ftp but still stop an ftp user getting out
> >of her own sandbox.
>
> I have same needing. If someone can help us, it will be useful!

Ahh yes and I forgot something: add

    guestgroup guest

to your ftpaccess file.

Tom

-------------------------------------------------------------------------- T o m L e i t n e r Dept. of Communications Graz University of Technology, e-mail : tom@finwds01.tu-graz.ac.at Inffeldgasse 12 Phone : +43-316-873-7455 A-8010 Graz / Austria / Europe Fax : +43-316-463-697 Home page : http://wiis.tu-graz.ac.at/people/tom.html PGP public key on : ftp://wiis.tu-graz.ac.at/pgp-keys/tom.asc or send mail with subject "get Thomas Leitner" to pgp-public-keys@keys.pgp.net --------------------------------------------------------------------------

From owner-firewalls-outgoing Mon Apr 7 03:37:28 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id DAA16018 for firewalls-outgoing; Mon, 7 Apr 1997 03:06:37 -0700 (PDT) Received: from finwds01.tu-graz.ac.at (finwds01.tu-graz.ac.at [129.27.138.60]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id DAA16004 for ; Mon, 7 Apr 1997 03:06:23 -0700 (PDT) Received: from finwal01.tu-graz.ac.at (tom@finwal01.tu-graz.ac.at [129.27.138.63]) by finwds01.tu-graz.ac.at (8.8.5/8.8.5) with SMTP id MAA18985; Mon, 7 Apr 1997 12:03:00 +0200 Received: from localhost by finwal01.tu-graz.ac.at (5.65v3.2/1.1.10.5/03Feb97-0824AM) id AA10437; Mon, 7 Apr 1997 12:02:57 +0200 Date: Mon, 7 Apr 1997 12:02:57 +0200 (MET DST) From: Thomas Leitner X-Sender: tom@finwal01.tu-graz.ac.at To: Domenico Viggiani Cc: firewalls@GreatCircle.COM, Bill_Royds@pch.gc.ca Subject: Re: Individual chroot for ftp users.
In-Reply-To: <3348AC62.3B28@gst.cgs.it> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Mon, 7 Apr 1997, Domenico Viggiani wrote:
> >Date: Sat, 5 Apr 1997 23:37:52 -0400
> >From: Bill_Royds@pch.gc.ca
> >Subject: Individual chroot for ftp users.
> >
> > Does anybody have a program or system to set up an allow one to set up
> >multiple ftp accounts on Solaris 2.5 so that each one is chrooted to their
> >own directory? I will have multiple ftp users on a depository machine,
> >that should not have anonymous ftp but still stop an ftp user getting out
> >of her own sandbox.
>
> I have same needing. If someone can help us, it will be useful!

You can achieve that using wu-ftpd and setting up "guest" accounts. A guest account needs to be created just like an anonymous FTP account. The user needs to belong to group "guest" (the group name is hardcoded to this in the wu-ftpd - at least in my version). To prevent telnet logins, you can give this user a null shell, for example:

    gast:xxxxxxxxx:277:31:Gast Account,Gast,,:/home/gast:/bin/nullsh

31 is the group "guest". Be sure to list /bin/nullsh in /etc/shells. You can as well use /bin/sync for that. Finally use something like this in your ftpaccess file:

    class local real,guest,anonymous *.your.domain
    class remote real,anonymous *

Hope this helps.

Tom

-------------------------------------------------------------------------- T o m L e i t n e r Dept.
of Communications Graz University of Technology, e-mail : tom@finwds01.tu-graz.ac.at Inffeldgasse 12 Phone : +43-316-873-7455 A-8010 Graz / Austria / Europe Fax : +43-316-463-697 Home page : http://wiis.tu-graz.ac.at/people/tom.html PGP public key on : ftp://wiis.tu-graz.ac.at/pgp-keys/tom.asc or send mail with subject "get Thomas Leitner" to pgp-public-keys@keys.pgp.net --------------------------------------------------------------------------

From owner-firewalls-outgoing Mon Apr 7 03:49:44 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id DAA19768 for firewalls-outgoing; Mon, 7 Apr 1997 03:41:32 -0700 (PDT) Received: from sgi.sgi.com (SGI.COM [192.48.153.1]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id DAA19732 for ; Mon, 7 Apr 1997 03:41:22 -0700 (PDT) Received: from odin.corp.sgi.com (odin.corp.sgi.com [192.26.51.194]) by sgi.sgi.com (950413.SGI.8.6.12/950213.SGI.AUTOCF) via ESMTP id DAA09167 for <@external-mail-relay.sgi.com:Firewalls@GreatCircle.COM>; Mon, 7 Apr 1997 03:40:22 -0700 Received: from sgigz.guangzhou.sgi.com by odin.corp.sgi.com via ESMTP (951211.SGI.8.6.12.PATCH1502/951211.SGI) for <@fddi-odin.corp.sgi.com:Firewalls@GreatCircle.COM> id DAA03158; Mon, 7 Apr 1997 03:40:13 -0700 Received: from sgigz by sgigz.guangzhou.sgi.com via SMTP (940816.SGI.8.6.9/930416.SGI) for id RAA25568; Mon, 7 Apr 1997 17:27:57 +0900 Message-ID: <3348B00D.41C6@guangzhou.sgi.com> Date: Mon, 07 Apr 1997 17:27:57 +0900 From: James Liang X-Mailer: Mozilla 2.01S (X11; I; IRIX 5.3 IP22) MIME-Version: 1.0 To: Firewalls@GreatCircle.COM Subject: Freeware that support NAT ? Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi all,

Is there a freeware that can support NAT (RFC 1631) and can run on Linux and other unix platforms?
James Liang james@guangzhou.sgi.com From owner-firewalls-outgoing Mon Apr 7 05:19:55 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA27184 for firewalls-outgoing; Mon, 7 Apr 1997 05:06:00 -0700 (PDT) Received: from relay.rv.tis.com (relay.rv.tis.com [204.254.155.2]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id FAA27177 for ; Mon, 7 Apr 1997 05:05:55 -0700 (PDT) Received: by relay.rv.tis.com; id AAA14305; Mon, 7 Apr 1997 00:40:36 -0400 (EDT) Received: from unknown(192.94.214.122) by relay.rv.tis.com via smap (3.2) id xmaa14294; Mon, 7 Apr 97 00:38:52 -0400 Message-Id: <3.0.1.32.19970406230152.006c7d0c@pop.rv.tis.com> X-Sender: rick@pop.rv.tis.com X-Mailer: Windows Eudora Pro Version 3.0.1 (32) Date: Sun, 06 Apr 1997 23:01:52 -0400 To: Joseph Judge From: Rick Murphy Subject: Re: Gauntlet / SmartWall source :-( Cc: "'Firewalls Mailing List'" In-Reply-To: <01BC42A1.F9F6CC00@zandar.judge.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 03:48 PM 4/6/97 -0400, Joseph Judge wrote: >With the release of the Solaris versions of >Gauntlet and SmartWall, the ability of >buying the source code has disappeared. > >How has this affected anyone in the firewalls >arena? That's not true. The Gauntlet source is still available. 
You WILL have to pay Sun for a compiler license to use it, however :-)

-Rick

From owner-firewalls-outgoing Mon Apr 7 05:34:47 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA27847 for firewalls-outgoing; Mon, 7 Apr 1997 05:19:12 -0700 (PDT) Received: from paranoid.convey.ru (ws06.convey.ru [195.182.128.21]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id FAA27840 for ; Mon, 7 Apr 1997 05:19:04 -0700 (PDT) Received: (from ark@localhost) by paranoid.convey.ru (8.7.5/8.7.3) id QAA28106; Mon, 7 Apr 1997 16:16:33 +0400 From: ArkanoiD Message-Id: <199704071216.QAA28106@paranoid.convey.ru> Subject: Re: Gauntlet / SmartWall source :-( To: cmcurtin@research.megasoft.com Date: Mon, 7 Apr 1997 16:16:31 +0400 (MSD) Cc: firewalls@greatcircle.com In-Reply-To: <199704062243.SAA21690@goffette.research.megasoft.com> from "C Matthew Curtin" at Apr 6, 97 06:43:25 pm X-Mailer: ELM [version 2.4 PL25] MIME-Version: 1.0 Content-Type: text/plain; charset=koi8-r Content-Transfer-Encoding: 8bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

nuqneH,

> Joe> Does anyone else muck with the source code like I do ?
>
> I do... For internal stuff here, I like to use bits of FWTK for
> various jobs. Some tools are heavily hacked, some are just compiled
> as-is, and most are somewhere in the middle.
>

btw - what tools? I am highly interested in such things ;)..

> In consulting situations, I typically recommend Gauntlet if someone
> wants to "buy a firewall," or need something like that for a bastion
> host. I've never known anyone with Gauntlet (besides me) to hack at
> the code.
>

..about Gauntlet.. I tried to contact TIS - it was >1month delay between my message and first response - and the response wasn't really informative..
I asked additional questions - it was 1.5 weeks ago and I am expecting next delay like first one :(

Maybe you do know the answer - I am trying to find out if

a) I can run Gauntlet on FreeBSD - even with limited support
b) I can get a "poor man's version" with only tools I need - I heard the price more than $10K for complete set and 2 months support - definitely too much for a _small_ ISP
c) I can get a limited-time evaluation license - as Borderware offers - I have to play a bit with thing to decide to buy or not..

-- _ _ _ _ _ _ _ {::} {::} {::} CU in Hell _| o |_ | | _|| | / _||_| |_ |_ |_ (##) (##) (##) /Arkan#iD |_ o _||_| _||_| / _| | o |_||_||_| [||] [||] [||] Do i believe in Bible? Hell,man,i've seen one!

From owner-firewalls-outgoing Mon Apr 7 06:04:41 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA01727 for firewalls-outgoing; Mon, 7 Apr 1997 06:02:58 -0700 (PDT) Received: from Sonnet.GSC.GTE.Com (Sonnet.GSC.GTE.Com [131.131.251.1]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id GAA01710 for ; Mon, 7 Apr 1997 06:02:51 -0700 (PDT) Received: from ndhm06.ndhm.gtegsc.com ("port 2175"@ndhm06.ndhm.gtegsc.com) by Sonnet.GSC.GTE.Com (PMDF V5.0-6 #17886) id <01IHF2OCDCLW000Y0L@Sonnet.GSC.GTE.Com> for firewalls@greatcircle.com; Mon, 07 Apr 1997 09:01:28 -0400 (EDT) Received: by ndhm06.ndhm.gtegsc.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BC4332.4613A690@ndhm06.ndhm.gtegsc.com>; Mon, 07 Apr 1997 09:01:26 -0400 Date: Mon, 07 Apr 1997 09:01:24 -0400 From: "Button, Dave" Subject: RE: xntpd and gauntlet 3.2 To: "'DSAWYER@PILLSBURY.COM'" Cc: "'firewalls'" Message-id: MIME-version: 1.0 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63 Content-type: text/plain; charset="us-ascii" Content-transfer-encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Douglas Sawyer wrote: "Gauntlet firewall (TIS) fundamentally does
not allow udp based services through the firewall. We really only need it for synchronization, however somebody got the idea of getting time from the Internet and here we are. How can you make xntpd work? In order to reduce the bouncing that could go on, here is what I already know.

Doug, the inadvisability of letting UDP through our firewall was one of the considerations that led to the establishment of our own stratum-1 ntp server. In fact we have two that are hosted on the same machines as our ACE servers. It took a while to get ntp set up, but once we did it has run flawlessly ever since. The ntp software is available from Dr. Mills' ftp site at U. Delaware and GPS receivers are not that expensive, so the real cost is the labor in setting up our time server.

This solution is not for everybody. We had both a need for high security which obviated passing UDP through the firewall and a definition of "due diligence" which required accurate, high-availability time, so having our own timeservers was a good solution.
Dave Button

From owner-firewalls-outgoing Mon Apr 7 06:41:04 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA02957 for firewalls-outgoing; Mon, 7 Apr 1997 06:24:51 -0700 (PDT) Received: from tcbru22.cec.be (tcbru22.cec.be [158.169.10.11]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id GAA02950 for ; Mon, 7 Apr 1997 06:24:45 -0700 (PDT) From: Didier.BREMS@OPOCE.cec.be Received: from MX3.CEC.BE (tcbru10x [158.169.10.20]) by tcbru22.cec.be (8.8.2/8.6.12) with SMTP id PAA13811 for ; Mon, 7 Apr 1997 15:26:09 +0200 (MET DST) Received: by MX3.CEC.BE (Soft-Switch LMS 2.0) with x400 via CEC-NTL01 id 0011500002631081; Mon, 7 Apr 1997 15:23:41 +0200 X400-Received: by /PRMD=CEC/ADMD=RTT/C=BE/; Relayed; Mon, 7 Apr 1997 14:52:24 +0200 X400-Originator: Didier.BREMS@OPOCE.cec.be X400-Recipients: Firewalls@GreatCircle.COM X400-MTS-Identifier: [/PRMD=CEC/ADMD=RTT/C=BE/;0011500002631081000002L012] X400-Content-Type: P2-1988 (22) Date: Mon, 7 Apr 1997 14:52:24 +0200 To: Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi,

I would like to know if there are any NTP bugs that can compromise security. The NTP protocol is used across a firewall to synchronize a Cisco router on the untrusted part of our network. Even if I see no reason to allow the protocol both ways across the firewall, the network team has defined it on the FW1 machine and I would like to have some arguments to forbid it from the untrusted part to the internal network.
Answers can be sent directly to my Email box: didier.brems@opoce.cec.be Many thanks Didier Brems: security consultant url: www.infeurope.lu
From owner-firewalls-outgoing Mon Apr 7 07:41:10 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA10492 for firewalls-outgoing; Mon, 7 Apr 1997 07:29:42 -0700 (PDT) Received: from coyote.tech.telepac.pt (bdshack.telepac.pt [194.65.3.124]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id HAA10482 for ; Mon, 7 Apr 1997 07:29:34 -0700 (PDT) Received: from torquemada ([194.65.3.123]) by coyote.tech.telepac.pt (8.8.4/8.8.4) with ESMTP id QAA11480; Mon, 7 Apr 1997 16:26:38 +0100 Message-ID: <334904C0.99C4FB17@tech.telepac.pt> Date: Mon, 07 Apr 1997 15:29:20 +0100 From: Joao Brazao Ferreira Organization: Telepac, SA X-Mailer: Mozilla 4.0b3 [en] (WinNT; I) MIME-Version: 1.0 To: James Liang CC: Firewalls@GreatCircle.COM Subject: Re: Freeware that support NAT ? X-Priority: 3 (Normal) References: <3348B00D.41C6@guangzhou.sgi.com> Content-Type: text/plain; charset=iso-8859-1 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
James Liang wrote: > Hi all, > > Is there a freeware that can support NAT (RFC 1631) and can run on > Linux > and other unix platforms? You can use ipfwadm ( http://www.xol.nl ), which masquerades IP addresses.
Joao Ferreira
From owner-firewalls-outgoing Mon Apr 7 07:49:40 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA08429 for firewalls-outgoing; Mon, 7 Apr 1997 07:13:04 -0700 (PDT) Received: from spheara.io360.com (spheara.io360.com [206.33.148.2]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id HAA08378 for ; Mon, 7 Apr 1997 07:12:52 -0700 (PDT) Received: (from stevek@localhost) by spheara.io360.com (8.7.6/8.6.10-io360) id KAA01783; Mon, 7 Apr 1997 10:11:24 -0400 (EDT) Message-ID: Date: Mon, 7 Apr 1997 10:11:24 -0400 From: stevek@SteveK.COM (Steve Kann) To: lists@reflections.eng.mindspring.net (Todd Graham Lewis) Cc: firewalls@GreatCircle.COM (Firewalls Mailing List) Subject: Re: Getting DNS through a firewall. References: X-Mailer: Mutt 0.58.1 Mime-Version: 1.0 X-Blank-Header-Line: (this header intentionally left blank) In-Reply-To: ; from Todd Graham Lewis on Apr 1, 1997 00:59:22 -0500 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
Todd Graham Lewis writes: > On Tue, 1 Apr 1997, Neale Banks wrote: > > > Does this not raise a quandary: if it is unsafe to pass DNS packets through > > the firewall, then how is it safe to pass them to a dns slave server on > > the firewall? > > > > Or, is it assumed that one will run a "safe" dns slave on the firewall? > > Here's a question for the class: Why give DNS to internal machines at all? > Why do they need it? Isn't everything going through a proxy? Hasn't > everyone read Felten's paper where he mentions DNS as a perfect > back-channel accessible to Java applets and other sandbox-protected > networkable proglets? Actually, I don't remember reading about this -- where can I find this paper? I think I see the point (the java applet can send information to any third parties just by causing certain DNS lookups to occur). But does having a proxy server prevent this?
Then the java applet just asks for a URL containing that same hostname, and the proxy server will then do the lookup for the client. The information still flows out either way. It really isn't much different than passing data by requesting data from a third party URL, is it? -SteveK -- Steve Kann i/o 360 digital design 841 Broadway, Suite 502 PGP 1024/C0145E05 F2 D6 24 83 9E 52 9A 61 AA BB 97 61 5C A1 B8 CE Personal:stevek@SteveK.COM Business: stevek@io360.com From owner-firewalls-outgoing Mon Apr 7 08:26:00 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA13411 for firewalls-outgoing; Mon, 7 Apr 1997 07:56:37 -0700 (PDT) Received: from info.curtin.edu.au (info.curtin.edu.au [134.7.70.222]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id HAA13341 for ; Mon, 7 Apr 1997 07:56:14 -0700 (PDT) Received: from macros.cage.curtin.edu.au (macros.cage.curtin.edu.au [134.7.135.11]) by info.curtin.edu.au (8.8.5/8.8.5) with SMTP id WAA15771 for ; Mon, 7 Apr 1997 22:55:12 +0800 (WST) Received: from MACROS/SMTPQUEUE by macros.cage.curtin.edu.au (Mercury 1.11); Mon, 7 Apr 97 22:55:13 +800 Received: from SMTPQUEUE by MACROS (Mercury 1.11); Mon, 7 Apr 97 22:54:46 +800 Received: from [134.7.108.57] by macros.cage.curtin.edu.au (Mercury 1.11); Mon, 7 Apr 97 22:54:40 +800 X-Sender: watsonb@macros.cage.curtin.edu.au Message-Id: In-Reply-To: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Mon, 7 Apr 1997 22:53:07 +0800 To: firewalls@GreatCircle.COM From: Bret Watson Subject: POP and Proxies, mail fetchers daemons etc Sender: firewalls-owner@GreatCircle.COM Precedence: bulk http://sunsite.anu.edu.au/archives/linux/system/mail/pop/INDEX.short.html This seems to be a fairly good start... 
Cheers, Bret Bret Watson & Associates http://www.bwa.net email watsonb@bwa.net phone +61 41 4411 149 fax +61 9 454 6042 Computer & Information Security Consultants
From owner-firewalls-outgoing Mon Apr 7 08:55:57 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA19033 for firewalls-outgoing; Mon, 7 Apr 1997 08:42:07 -0700 (PDT) Received: from portal.east.saic.com (portal.east.saic.com [198.151.13.15]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id IAA19024 for ; Mon, 7 Apr 1997 08:41:58 -0700 (PDT) Received: from blazer.cist.saic.com ([149.8.156.11]) by portal.east.saic.com via smtpd (for honor.greatcircle.com [198.102.244.44]) with SMTP; 7 Apr 1997 15:42:30 UT Received: from obiwan.cist.saic.com (unverified [149.8.156.16]) by blazer.cist.saic.com (EMWAC SMTPRS 0.83) with SMTP id ; Mon, 07 Apr 1997 11:41:14 -0400 Message-ID: From: "Chris Kostick" To: "Joao Brazao Ferreira" , "James Liang" Cc: Subject: Re: Freeware that support NAT ? Date: Mon, 7 Apr 1997 11:38:37 -0400 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1155 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
> > Is there a freeware that can support NAT (RFC 1631) and can run on > > Linux > > and other unix platforms? > > You can use ipfwadm ( http://www.xol.nl ), which masquerades IP > addresses. IP Masquerading is not NAT. Well, it's only a special case of NAT. Where NAT can establish 1:1 or many:1 relationships allocating addresses statically or dynamically, IP masquerading under Linux is a many:1, static allocation case of NAT.
And if you want info on IP masquerading look at http://www.indyramp.com/masq or http://www.wwonline.com/~achau/ipmasq -- chris From owner-firewalls-outgoing Mon Apr 7 09:05:33 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA20607 for firewalls-outgoing; Mon, 7 Apr 1997 08:56:49 -0700 (PDT) Received: from ra.nso.org (ra.nso.org [207.30.58.3]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id IAA20571 for ; Mon, 7 Apr 1997 08:56:35 -0700 (PDT) Received: from osiris (osiris.nso.org [207.30.58.40]) by ra.nso.org (post.office MTA v1.9.3 ID# 0-13592) with SMTP id AAA591 for ; Mon, 7 Apr 1997 11:58:30 -0400 Message-Id: <3.0.32.19970407115832.008f4e30@isr.net> X-Sender: research@isr.net X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Mon, 07 Apr 1997 11:58:33 -0400 To: firewalls@greatcircle.com From: research@isr.net (Research Unit I) Subject: Marcus, Haystack, NCSA Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Stuart: For whatever reason you posted comments on Haystack, Marcus Ranum, and others, I fail to see why setting an unfair and untrue atmosphere is so important for you, or for the readers of this list. Arguably this has nothing to do with firewalls, does it ? Nevertheless I feel that I have to respond, since I know some of the individuals you attack. And I regard and respect them very much. On Marcus: Doing business is NOT dirty. If Marcus joined commercial forces with whomever, that absolutely does not decrease his qualities as a scientist. Many times over scientists within industry change positions. Some have the ambition to set up a company for themselves. It also does not mean that a company or product he left or leaves behind is suddenly degraded to a lower level of quality. If MJR is actually in the process of forming a new venture, I'd wish him all the possible luck and wisdom. 
I'd also watch that new venture carefully, as it could certainly be expected - with recognition of MJR's contributions to the industry - to offer something new and exciting. Possibly something we might want to purchase. Why then pollute this list with disrespect ? On Steve: If Steve happens to be on a board of directors of another company, so be it. That certainly does not make him a bad guy. Normally it improves one's image, you know. Also Steve and his company proved to be of important impact to the industry. If Steve seeks other business opportunities I cannot see what could possibly be wrong about that. On conferences: Anything one hears informally that is not technically related to the issues and topics of a conference, is by many considered flack and of trivial importance. It certainly does not belong on a list like this one. Political caucusing has many good outlets elsewhere on the net. Since you've chosen to broadcast your thoughts so widely, I'd appreciate very much your apologies addressed to Marcus and Steve. Both deserve respect, neither deserves smut. I believe you owe that. Please don't be insulted by my comment, but I felt - for this rare occasion - that I have to do this. I wish you well. Bertil Dr. Bertil Fortrie Editor-in-Chief Internet Security Review
At 12:51 AM 4/6/97 -0000, sjohnson@weasel.owl.de wrote: As regard to the Haystack information, my message was not intended to be "tabloid". Obviously, it is the marketing managers' responsibility to paint a pretty picture. But I am only interested in finding out why an insider at Haystack would share this information in confidence. Many of the private emails I received confirm others' lack of confidence in Haystack and the fact that many people are leaving due to the turmoil. Is this deniable? I only want to make the best choice for my company. >With the enquiry about Haystack and Wheelgroup, I received some email from Marcus Ranum. He >is someone I have respected from many of his posts.
But his email has surprised me and >I have had some doubts about whether he was objectively replying or only trying to sell >some new product he is building and denigrate the choices that I am reviewing. >I also received emails from others suggesting Marcus' new company as an alternative, but from those messages it is clear he has decided to get out of V-One and thought it was a total failure without direction. This concerns me because he has used V-one to fund this company and I assume they are the majority owners of it. Has anyone actually implemented this stuff or is it just vaporware? >I kind of question what kind of business man Marcus is based on what I had overheard at a conference where a small group of people talking, including one of the speakers for NCSA (I believe Dr. Tippett). They were talking about the firewall consortium and someone had asked about Marcus. The speaker from the NCSA said that they removed Marcus from any more influence on the certification process due to his continuous attempts to self promote his own selfish interests and not those of the security community. >The second concern about the integrity of Marcus' company is the fact that the Founder and CEO of a competing monitoring company (Steve Smaha of Haystack) is on his board. This is like a CEO of Netscape sitting on Microsoft's board. Obviously, Steve Smaha does not believe NetStalker is a competitive product or he wouldn't sit on a competitor's board, or would he? Does this seem fishy? >I am not just looking for good technology, I want to do business with people with integrity.
>Stuart
From owner-firewalls-outgoing Mon Apr 7 09:47:54 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA22547 for firewalls-outgoing; Mon, 7 Apr 1997 09:24:54 -0700 (PDT) Received: from mail.diginsite.com (mail.diginsite.com [208.2.189.2]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id JAA22540 for ; Mon, 7 Apr 1997 09:24:35 -0700 (PDT) Received: from march.diginsite.com by mail.diginsite.com (AIX 3.2/UCB 5.64/4.03) id AA06868; Mon, 7 Apr 1997 09:20:32 -0700 Received: by march.diginsite.com with Microsoft Mail id <01BC4335.49B11140@march.diginsite.com>; Mon, 7 Apr 1997 09:23:00 -0700 Message-Id: <01BC4335.49B11140@march.diginsite.com> From: David Lang To: Kathy Kost , "'Sameer R. Manek'" Cc: "firewalls@GreatCircle.COM" Subject: RE: combo internal/external web servers Date: Mon, 7 Apr 1997 09:22:59 -0700 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
---------- From: Sameer R. Manek[SMTP:manek@challenger.atc.fhda.edu] Sent: Saturday, April 05, 1997 5:36 PM To: Kathy Kost Cc: firewalls@GreatCircle.COM Subject: Re: combo internal/external web servers Some have suggested using either a zip drive (with the write protect tab notched) or a writeable cdrom, but i don't think these methods are practical, aside from the fact that zip and cdrom drives are slower. These things are what i call 'making work', they make you, the admin, do things like burn cds, change cds, remount it.
another problem with the zip disks and the ez230 disks is that the write protect is a software function not a hardware switch. The ez135 and older iomega and SyQuest drives all have hardware switches.
David Lang From owner-firewalls-outgoing Mon Apr 7 10:04:23 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA23621 for firewalls-outgoing; Mon, 7 Apr 1997 09:39:40 -0700 (PDT) Received: from mail.instinctive.com (dns.instinctive.com [207.60.135.162]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id JAA23612 for ; Mon, 7 Apr 1997 09:39:35 -0700 (PDT) Received: from mail.instinctive.com by mail.instinctive.com (NTMail 3.02.10) with ESMTP id ea008610 for ; Mon, 7 Apr 1997 12:40:29 -0400 Message-Id: <3.0.1.32.19970407123917.018bf100@mail.instinctive.com> X-Sender: ghaverkamp@mail.instinctive.com X-Mailer: Windows Eudora Light Version 3.0.1 (32) Date: Mon, 07 Apr 1997 12:39:17 -0500 To: Scott Fagg From: Greg Haverkamp Subject: Re: POP proxy availabilty Cc: firewalls@GreatCircle.COM In-Reply-To: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 03:33 AM 4/7/97 +0000, you wrote: >Does a POP/SMTP proxy exist that would fit in with the fwtk? Is >there a standalone POP/SMTP proxy available in some form? (that >would run on linux/unix - source code preferably) or does >smap/smapd solve the problem? The smap/smapd won't solve any POP3 problems; it may solve SMTP problems. For POP3, I've recently come across a program called pop3gwd. 
I've not installed it, and I've only done a cursory look through the code to decide if I would use it, but you can find it at the following URL: http://www.cs.unibo.it/~borgia/homepage/Software/Software.html Greg
From owner-firewalls-outgoing Mon Apr 7 10:11:42 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA23952 for firewalls-outgoing; Mon, 7 Apr 1997 09:41:32 -0700 (PDT) Received: from mail.diginsite.com (mail.diginsite.com [208.2.189.2]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id JAA23920 for ; Mon, 7 Apr 1997 09:41:23 -0700 (PDT) Received: from march.diginsite.com by mail.diginsite.com (AIX 3.2/UCB 5.64/4.03) id AA10375; Mon, 7 Apr 1997 09:38:43 -0700 Received: by march.diginsite.com with Microsoft Mail id <01BC4337.D41A7FE0@march.diginsite.com>; Mon, 7 Apr 1997 09:41:12 -0700 Message-Id: <01BC4337.D41A7FE0@march.diginsite.com> From: David Lang To: "firewalls@greatcircle.com" , "'Scott Fagg'" Subject: RE: POP proxy availabilty Date: Mon, 7 Apr 1997 09:41:10 -0700 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
Included with the fwtk is the smap/smapd pair for proxying e-mail. It will handle smtp without blinking. As for POP are you talking that you need to get POP connection through the firewall or just get mail through? David Lang
---------- From: Scott Fagg[SMTP:scott.fagg@arup.com] Sent: Sunday, April 06, 1997 8:34 PM To: firewalls@greatcircle.com Subject: POP proxy availabilty I am building a firewall for a small commercial network (6 PC's, NT, 95, Win3) I'm basing the solution on Linux running the TIS FWTK (primarily because of cost, but i also feel relatively comfortable with the bits and pieces) As it comes, the fwtk supports http, ftp & telnet sufficiently for my needs. The next hurdle is email. I could use the 'plug' proxy to cover most email situations.
My understanding is that you can setup 1-to-1 and many-to-1 relationships with the 'plug' proxy but not 1-to-many (ie one client, many mailboxes) This might be limiting. (At the moment their email is a little messy) Does a POP/SMTP proxy exist that would fit in with the fwtk? Is there a standalone POP/SMTP proxy available in some form? (that would run on linux/unix - source code preferably) or does smap/smapd solve the problem? regards,
From owner-firewalls-outgoing Mon Apr 7 10:19:29 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA26206 for firewalls-outgoing; Mon, 7 Apr 1997 09:56:24 -0700 (PDT) Received: from matav.hu (firewall.matav.hu [145.236.225.161]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id JAA26078 for ; Mon, 7 Apr 1997 09:55:56 -0700 (PDT) Received: from tiivs7.tii.matav.hu ([145.236.48.148]) by firewall.matav.hu with SMTP id <55572-1>; Mon, 7 Apr 1997 17:53:44 +0100 Received: from piheno.tii.matav.hu by tiivs7.tii.matav.hu (MX V4.1 VAX) with SMTP; Mon, 07 Apr 1997 18:54:52 MET Received: from localhost (mag@localhost) by piheno.tii.matav.hu (8.8.4/8.8.4) with SMTP id TAA03160; Mon, 7 Apr 1997 19:56:32 +0200 Date: Mon, 7 Apr 1997 18:56:32 +0100 From: "Magossa'nyi A'rpa'd" To: "Button, Dave" CC: "'DSAWYER@PILLSBURY.COM'" , "'firewalls'" Subject: UDP considered harmful? (was: xntpd and gauntlet 3.2) In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=ISO-8859-2 Content-Transfer-Encoding: QUOTED-PRINTABLE Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
On Mon, 7 Apr 1997, Button, Dave wrote: > Doug, the inadvisability of letting UDP through our firewall was one
Yet another thing I have to learn about :) Can you explain why UDP is considered harmful? Pointers to related documentation are appreciated.
--- GNU GPL: only from a clean source
From owner-firewalls-outgoing Mon Apr 7 10:44:32 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA25022 for firewalls-outgoing; Mon, 7 Apr 1997 09:48:32 -0700 (PDT) Received: from mail.diginsite.com (mail.diginsite.com [208.2.189.2]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id JAA24984 for ; Mon, 7 Apr 1997 09:48:19 -0700 (PDT) Received: from march.diginsite.com by mail.diginsite.com (AIX 3.2/UCB 5.64/4.03) id AA07615; Mon, 7 Apr 1997 09:44:30 -0700 Received: by march.diginsite.com with Microsoft Mail id <01BC4338.A2C6D320@march.diginsite.com>; Mon, 7 Apr 1997 09:46:58 -0700 Message-Id: <01BC4338.A2C6D320@march.diginsite.com> From: David Lang To: Todd Graham Lewis , "'Steve Kann'" Cc: Firewalls Mailing List Subject: RE: Getting DNS through a firewall. Date: Mon, 7 Apr 1997 09:46:57 -0700 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
The current (8.8) version of sendmail requires some ability to resolve names. David Lang
---------- From: Steve Kann[SMTP:stevek@SteveK.COM] Sent: Monday, April 07, 1997 7:11 AM To: Todd Graham Lewis Cc: Firewalls Mailing List Subject: Re: Getting DNS through a firewall. Todd Graham Lewis writes: > On Tue, 1 Apr 1997, Neale Banks wrote: > > > Does this not raise a quandary: if it is unsafe to pass DNS packets through > > the firewall, then how is it safe to pass them to a dns slave server on > > the firewall? > > > > Or, is it assumed that one will run a "safe" dns slave on the firewall? > > Here's a question for the class: Why give DNS to internal machines at all? > Why do they need it? Isn't everything going through a proxy? Hasn't > everyone read Felten's paper where he mentions DNS as a perfect > back-channel accessible to Java applets and other sandbox-protected > networkable proglets?
Actually, I don't remember reading about this -- where can I find this paper? I think I see the point (the java applet can send information to any third parties just by causing certain DNS lookups to occur). But does having a proxy server prevent this? Then the java applet just asks for a URL containing that same hostname, and the proxy server will then do the lookup for the client. The information still flows out either way. It really isn't much different than passing data by requesting data from a third party URL, is it? -SteveK -- Steve Kann i/o 360 digital design 841 Broadway, Suite 502 PGP 1024/C0145E05 F2 D6 24 83 9E 52 9A 61 AA BB 97 61 5C A1 B8 CE Personal:stevek@SteveK.COM Business: stevek@io360.com From owner-firewalls-outgoing Mon Apr 7 11:20:20 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA06580 for firewalls-outgoing; Mon, 7 Apr 1997 10:51:18 -0700 (PDT) Received: from firewall1_int.glaxowellcome.com (firewall1.glaxowellcome.com [192.58.204.204]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id KAA06379 for ; Mon, 7 Apr 1997 10:50:21 -0700 (PDT) Received: by firewall1_int.glaxowellcome.com id NAA18889; Mon, 7 Apr 1997 13:31:35 -0400 (EDT) Received: from ussun2m.glaxo.com(152.51.20.99) by firewall1.glaxo.com via smap (3.2) id xma018873; Mon, 7 Apr 97 13:31:13 -0400 Received: by ussun2m.glaxo.com id NAA24558; Mon, 7 Apr 1997 13:28:40 -0400 (EDT) Received: by ussun2f.glaxo.com id NAA15442; Mon, 7 Apr 1997 13:35:09 -0400 (EDT) Date: Mon, 7 Apr 1997 13:35:07 -0400 (EDT) From: Gary Hull X-Sender: ggh14854@ussun2f To: firewalls Subject: virus scanning Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk We are looking at implementing virus scanning sw either at the firewall or on a server that sits between our firewall and the intranet. Can anyone recommend such a product? Thanks. |/ ---o0o-@@-o0o--------- Gary G. 
Hull - Technical Consultant Howard Systems International - Glaxo Wellcome Inc. Five Moore Drive - Raleigh, North Carolina 27709 Tel : (919) 941-4867 - Fax : (919) 483-0056 email: ggh14854@ussun2f.glaxo.com
From owner-firewalls-outgoing Mon Apr 7 11:28:42 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA07573 for firewalls-outgoing; Mon, 7 Apr 1997 10:58:14 -0700 (PDT) Received: from scifi.squawk.com (scifi.squawk.com [199.74.151.1]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id KAA07538 for ; Mon, 7 Apr 1997 10:58:01 -0700 (PDT) Received: from localhost (njs@localhost) by scifi.squawk.com (8.8.5/8.8.5) with SMTP id NAA25634; Mon, 7 Apr 1997 13:44:08 -0400 Date: Mon, 7 Apr 1997 13:44:07 -0400 (EDT) From: Nick Simicich X-Sender: njs@scifi To: Domenico Viggiani cc: firewalls@GreatCircle.COM, Bill_Royds@pch.gc.ca Subject: Re: Individual chroot for ftp users. In-Reply-To: <3348AC62.3B28@gst.cgs.it> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
WU-Archive FTP will do this. I'm probably about the 40th person to tell you this. On Mon, 7 Apr 1997, Domenico Viggiani wrote: > > > Does anybody have a program or system to set up an allow one to set up > >multiple ftp accounts on Solaris 2.5 so that each one is chrooted to >their > >own directory? I will have multiple ftp users on a depository machine, > >that should not have anonymous ftp but still stop an ftp user getting >out > >of her own sandbox. > > I have the same need. If someone can help us, it will be useful! > > TIA > Domenico Viggiani > CAP GEMINI SpA >
Of course my password is the same as my pet's name. My macaw's name is Q47pY!3, and I change it every 90 days. Nick Simicich mailto:njs@scifi.squawk.com or (last choice) mailto:njs@us.ibm.com http://scifi.squawk.com/njs.html -- Stop by and Light Up The World!
From owner-firewalls-outgoing Mon Apr 7 11:38:44 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA09186 for firewalls-outgoing; Mon, 7 Apr 1997 11:06:10 -0700 (PDT) Received: from Sonnet.GSC.GTE.Com (Sonnet.GSC.GTE.Com [131.131.251.1]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id LAA09114 for ; Mon, 7 Apr 1997 11:05:56 -0700 (PDT) Received: from ndhm06.ndhm.gtegsc.com ("port 2803"@ndhm06.ndhm.gtegsc.com) by Sonnet.GSC.GTE.Com (PMDF V5.0-6 #17886) id <01IHFD9BBVC400118J@Sonnet.GSC.GTE.Com> for firewalls@greatcircle.com; Mon, 07 Apr 1997 14:04:44 -0400 (EDT) Received: by ndhm06.ndhm.gtegsc.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BC435C.A28971A0@ndhm06.ndhm.gtegsc.com>; Mon, 07 Apr 1997 14:04:40 -0400 Date: Mon, 07 Apr 1997 14:04:38 -0400 From: "Button, Dave" Subject: RE: xntpd and gauntlet 3.2 To: "'Eric Demerling'" Cc: "'firewalls'" Message-id: MIME-version: 1.0 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63 Content-type: multipart/mixed; boundary="---- =_NextPart_000_01BC435C.A29A1370" Content-transfer-encoding: 7BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------ =_NextPart_000_01BC435C.A29A1370 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit With reference to rolling your own GPS-based time standard, Eric Demerling wrote: "Dave do you have some url's for this info? I poked around on Yahoo and altivista and only came up with using clocks on the net. (not your own gps)" Eric, Dr. David Mills has an FTP site louie.udel.edu in which you may find the source for the xntp daemon, plus lots of other info bundled into the tar file. See this reference: We used a TRAK systems 8821A GPS clock. 
Surprisingly, TRAK does not have a web site, but they may be reached at 813.884.1411, which is in Tampa FL. A site that has a description of the company is When you read Dr. Mills literature you will find many other receivers for which he has written software drivers. We chose TRAK mainly because of a prior relationship with my company, GTE, and we certainly have no regrets as they have performed flawlessly for about 18 months now. Dave Button ------ =_NextPart_000_01BC435C.A29A1370 Content-Type: application/octet-stream; name="ATLOUI~2.URL" Content-Transfer-Encoding: base64 W0ludGVybmV0U2hvcnRjdXRdDQpVUkw9ZnRwOi8vbG91aWUudWRlbC5lZHUvcHViL250cC8NCg== ------ =_NextPart_000_01BC435C.A29A1370 Content-Type: application/octet-stream; name="TECH-S~2.URL" Content-Transfer-Encoding: base64 W0ludGVybmV0U2hvcnRjdXRdDQpVUkw9aHR0cDovL3d3dy5zeW50cm9uLmNvbS90c3ltL2NvbW0u aHRtDQo= ------ =_NextPart_000_01BC435C.A29A1370-- From owner-firewalls-outgoing Mon Apr 7 11:57:40 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA14683 for firewalls-outgoing; Mon, 7 Apr 1997 11:43:44 -0700 (PDT) Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id LAA14642 for ; Mon, 7 Apr 1997 11:43:33 -0700 (PDT) Received: from Sonnet.GSC.GTE.Com (Sonnet.GSC.GTE.Com [131.131.251.1]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with ESMTP id LAA18937 for ; Mon, 7 Apr 1997 11:44:04 -0700 (PDT) Received: from ndhm06.ndhm.gtegsc.com ("port 3878"@ndhm06.ndhm.gtegsc.com) by Sonnet.GSC.GTE.Com (PMDF V5.0-6 #17886) id <01IHFEK95GOC00118J@Sonnet.GSC.GTE.Com> for firewalls@greatcircle.com; Mon, 07 Apr 1997 14:41:48 -0400 (EDT) Received: by ndhm06.ndhm.gtegsc.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BC4361.CFFC5300@ndhm06.ndhm.gtegsc.com>; Mon, 07 Apr 1997 14:41:43 -0400 Date: Mon, 07 Apr 1997 14:41:42 -0400 From: "Button, Dave" 
Subject: RE: UDP considered harmful? (was: xntpd and gauntlet 3.2) To: "'Magossa'nyi A'rpa'd'" Cc: "'firewalls'" Message-id: MIME-version: 1.0 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63 Content-type: text/plain; charset="iso-8859-1" Content-transfer-encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
Magossa'nyi A'rpa'd wrote: "On Mon, 7 Apr 1997, Button, Dave wrote: > Doug, the inadvisability of letting UDP through our firewall was one Yet another thing I have to learn about :) Can you explain why UDP is considered harmful? Pointers to related documentation are appreciated. --- GNU GPL: only from a clean source"
The quote was specific to OUR situation, though I understand that UDP may be dangerous in situations where RPC is used. More specifically, I was concerned about spoofing attacks that would negate having accurate time, and the problems with relying on outside servers providing claimed stratum 1 accuracy. We are in the certification authority business and so we must avoid the appearance of evil as well as evil itself.
Dave Button http://www.cybertrust.com From owner-firewalls-outgoing Mon Apr 7 12:34:48 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA15553 for firewalls-outgoing; Mon, 7 Apr 1997 11:49:45 -0700 (PDT) Received: from shell.istar.ca (shell.iSTAR.ca [204.191.213.253]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id LAA15490 for ; Mon, 7 Apr 1997 11:49:26 -0700 (PDT) Received: from inforamp.net (InfoRamp.net [204.191.136.8]) by shell.istar.ca (8.8.5/8.8.4) with ESMTP id OAA06025 for ; Mon, 7 Apr 1997 14:48:29 -0400 (EDT) Received: from genel.csnet.can.ibm.com (mpngt5.ny.us.ibm.com [198.133.29.68]) by inforamp.net (8.8.5/8.8.4) with SMTP id PAA18067 for ; Mon, 7 Apr 1997 15:48:00 -0300 (ADT) Received: by genel.csnet.can.ibm.com with Microsoft Mail id <01BC4362.A12A6F20@genel.csnet.can.ibm.com>; Mon, 7 Apr 1997 14:47:34 -0400 Message-ID: <01BC4362.A12A6F20@genel.csnet.can.ibm.com> From: Gene Lee To: "'firewalls@greatcircle.com'" Subject: Level 5 Screened Subnet? Date: Mon, 7 Apr 1997 14:46:38 -0400 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I know what a screened subnet architecture is, but has anyone ever heard of it referred to as a Level 5 Screened Subnet? Does this denote the level on the OSI model or something else? Personally, I've never heard it referred to this way... 
-- Gene Lee genel@inforamp.net genelee@vnet.ibm.com From owner-firewalls-outgoing Mon Apr 7 12:35:35 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA14532 for firewalls-outgoing; Mon, 7 Apr 1997 11:42:25 -0700 (PDT) Received: from zeke.gov.yk.ca (ZEKE.GOV.YK.CA [199.247.128.34]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id LAA14335 for ; Mon, 7 Apr 1997 11:41:19 -0700 (PDT) Received: by zeke.gov.yk.ca; id LAA12534; Mon, 7 Apr 1997 11:45:58 -0700 (PDT) Received: from unknown(199.247.130.39) by zeke.gov.yk.ca via smap (V3.1) id xma012526; Mon, 7 Apr 97 11:45:29 -0700 Received: from [199.247.134.75] ([199.247.134.75]) by tempest (8.7.5/8.7.3) with SMTP id LAA20092 for ; Mon, 7 Apr 1997 11:35:48 -0700 From: Larry Kwiat To: "'Firewalls Mailing List'" Subject: Re: Gauntlet / SmartWall source :-( Message-ID: Date: Mon, 7 Apr 1997 11:40:04 -0400 (EDT) X-Mailer: Simeon for Windows Version 4.0 X-Authentication: none MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Re the post on open code for firewalls, and the comments below... On Sun, 6 Apr 1997 18:43:25 -0400 (EDT) C Matthew Curtin wrote: (snip) > Joe> Does anyone else muck with the source code like I > do? (snip) > I do... For internal stuff here, > In consulting situations, I typically recommend Gauntlet if someone > wants to "buy a firewall," or need something like that for a bastion > host. I've never known anyone with Gauntlet (besides me) to hack at > the code. > > In reality, I suspect that this is just a sign of the firewalling > times. Firewalls are becoming commodity items. (snip) > > Whether this is a Good Thing, a Bad Thing, or some combination thereof > (I vote for the latter, myself) isn't really relevant; it's what's > happening. (snip) > Matt Curtin Chief Scientist Megasoft, Inc. 
cmcurtin@research.megasoft.com > http://www.research.megasoft.com/people/cmcurtin/ I speak only for myself > Death to small keys. Crack DES NOW! http://www.frii.com/~rcv/deschall.htm Good or bad, from a corporate perspective, I think it is a naive thing. When we are talking security, and all that can mean in today's world, it is plain damn foolishness to cut yourself off from a potential resource for either implementing a product, or damage control after the fact. Whether you have hired a button pusher or a true-grit programmer type, you will eventually _need_ that code. If you don't have the TGP to go along with it, you will have to rent one. But if you buy software for this kind of purpose, and you don't have the source code to go with it, and you are in a corporate position, you're a damn fool. This is my opinion, and may or may not (though I suspect it is) be shared by the government of Yukon. Sincerely, Larry Kwiat Information Security Coordinator Information Services Branch Department of Government Services Government of Yukon Phone: (403) 667-8081 Fax: (403) 667-5304 Netmail: kwiat@gov.yk.ca From owner-firewalls-outgoing Mon Apr 7 12:56:18 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA20250 for firewalls-outgoing; Mon, 7 Apr 1997 12:28:31 -0700 (PDT) Received: from gatekeeper2.mcimail.com (gatekeeper2.mcimail.com [192.147.45.10]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id MAA20241 for ; Mon, 7 Apr 1997 12:28:25 -0700 (PDT) Received: from mailgate2.mcimail.com (mailgate2.mcimail.com [166.40.135.23]) by gatekeeper2.mcimail.com (8.6.12/8.6.10) with SMTP id TAA08012; Mon, 7 Apr 1997 19:32:48 GMT Received: from mcimail.com by mailgate2.mcimail.com id ak14780; 7 Apr 97 19:29 WET Date: Mon, 7 Apr 97 14:29 EST From: Karl Janice To: firewalls Subject: HTTP SecureID Authentication on Firewall-1 anyone? 
Message-Id: <97040719292246/0006731076PK5EM@MCIMAIL.COM> X-MB-Info: v1.10G | 18200030550 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Text item: Text_1 I would like to know if anyone has gotten SecureID to work in an HTTP authentication scheme. We are using version 2.0 of FireWall-1. We are trying to authenticate users of an internal web server. We are having problems. From owner-firewalls-outgoing Mon Apr 7 13:04:51 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA24025 for firewalls-outgoing; Mon, 7 Apr 1997 12:58:08 -0700 (PDT) Received: from newfed.frb.gov (newfed.frb.gov [198.3.221.5]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id MAA24008 for ; Mon, 7 Apr 1997 12:58:01 -0700 (PDT) Received: from FRB.GOV (umailfwd@localhost) by newfed.frb.gov (8.8.5/8.8.5) with UUCP id OAA25982 for GreatCircle.COM!firewalls; Mon, 7 Apr 1997 14:59:50 -0400 (EDT) Received: from kryten.frb.gov by frbgate.FRB.GOV (4.1/SMI-4.0) id AA02709; Mon, 7 Apr 97 15:01:56 EDT Received: from localhost.frb.gov (localhost.frb.gov [127.0.0.1]) by kryten.frb.gov (8.6.12/8.6.12) with SMTP id OAA19574; Mon, 7 Apr 1997 14:56:30 -0400 Message-Id: <199704071856.OAA19574@kryten.frb.gov> X-Authentication-Warning: kryten.frb.gov: Host localhost.frb.gov didn't use HELO protocol X-Mailer: exmh version 1.6.5 12/11/95 To: "Button, Dave" Cc: "'Eric Demerling'" , "'firewalls'" Subject: Re: xntpd and gauntlet 3.2 Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Mon, 07 Apr 1997 14:56:29 -0400 From: "Jonathan M. Bresler" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >Eric, Dr. David Mills has an FTP site louie.udel.edu in which you may >find the source for the xntp daemon, plus lots of other info bundled >into the tar file. 
See this reference: additional ntp information: http://www.eecis.udel.edu/~ntp/ http://www.eecis.udel.edu/~ntp/database/html_xntp3.5a/ From owner-firewalls-outgoing Mon Apr 7 15:21:52 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA03547 for firewalls-outgoing; Mon, 7 Apr 1997 14:01:24 -0700 (PDT) Received: from home.byelex.nl (home.byelex.nl [195.109.44.130]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id OAA03435 for ; Mon, 7 Apr 1997 14:01:04 -0700 (PDT) Received: (from cowboy@localhost) by home.byelex.nl (8.8.5/8.8.5) id WAA06661; Mon, 7 Apr 1997 22:59:00 +0200 Date: Mon, 7 Apr 1997 22:58:59 +0200 (MET DST) From: Kevin McPeake To: Stuart Johnson cc: firewalls@GreatCircle.COM Subject: Re: Haystack info (Steve Smaha) In-Reply-To: <19970402145228.5834.qmail@squirrel.owl.de> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I don't know about the remainder of this email, but as far as Austin having a lack of engineering talent, that's bogus. As someone who is FROM Austin, I know for a fact, there are more software/hardware engineers than they know what to do with. And while many people might argue the facts, Austin is one of the fastest growing cities in the USA, due to the high output of engineers from University of Texas at Austin, and several other Hi-Tech Institutes and Colleges in the area. I'm not backing up Haystack....in fact, an old friend that I went to high school with in San Antonio, is with WheelGroup these days, but facts is facts, and I find it hard to believe that about Austin. Then again, I've been working in the Netherlands/UK for the last 9 months, so maybe I'm not up on current local events in Austin ;)P Kev On 2 Apr 1997, Stuart Johnson wrote: > > About a month ago, I inquired about Haystack and Wheelgroup. 
I received an email from > someone at Haystack that did not want to disclose their identity but revealed > a lot of information about the company. I believe this information to be true, but would > like to find out to the contrary. > > >From the inside information, apparently the founder and CEO of Haystack, Steve Smaha has > been removed because he was a control freak and raving lunatic inside the company. > Haystack is in decay because the Stalker family was a complete misdesign and failure. > > Also the source said that Steve Smaha was threatening to sue his own investors, partners, and customers. This seems kind of extreme to me, but the confirmation about Haystack suing Wheelgroup leaves this as a definite possibility. Some of the customers for Haystack have > emailed me saying they have not received an update for some of the Stalker family in over > 3 years. I wouldn't be suprised if Steve Smaha does not get sued himself if this is true. > > The investors, that removed Steve Smaha, brought in a new CEO. He is currently moving the company to Boston due to the lack of engineering talent in the former Austin HQ of Haystack. > The new CEO is trying to recruit engineers that can decipher the source > code because it lacked any structure and comments to understand it. > > I would have probably ignored this email except I am interested in monitoring tools and this > seems like a legitimate insider giving me details. I have tried to contact Steve Smaha but have not been able to reach him. I am looking for someone who might know the company better than me to confirm these facts. > > Stuart > > > > Kevin McPeake cowboy@home.byelex.nl Internet Consultant http://www.byelex.nl/ << You know something's up when your Thought process is idle. 
>> USER PID %CPU %MEM VSZ RSS TTY S STARTED TIME COMMAND cowboy 28365 0.0 0.2 2.84M 264K ttyp1 S 12:57:12 0:00.02 Thought From owner-firewalls-outgoing Mon Apr 7 16:07:36 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id PAA13396 for firewalls-outgoing; Mon, 7 Apr 1997 15:24:47 -0700 (PDT) Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-970308-1) id PAA13365 for firewalls@greatcircle.com; Mon, 7 Apr 1997 15:24:42 -0700 (PDT) Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id HAA10538 for ; Mon, 7 Apr 1997 07:30:09 -0700 (PDT) Received: from East.Sun.COM ([129.148.1.241]) by mercury.Sun.COM (SMI-8.6/mail.byaddr) with SMTP id HAA20430 for ; Mon, 7 Apr 1997 07:35:38 -0700 Received: from starsky.East.Sun.COM by East.Sun.COM (SMI-8.6/SMI-5.3) id KAA21367; Mon, 7 Apr 1997 10:29:11 -0400 Received: from disney by starsky.East.Sun.COM (SMI-8.6/SMI-SVR4) id KAA00193; Mon, 7 Apr 1997 10:29:00 -0400 Date: Mon, 7 Apr 1997 10:26:18 -0400 (EDT) From: Michele Mullins - Commercial SE-Sun-Vienna VA Reply-To: Michele Mullins - Commercial SE-Sun-Vienna VA Subject: Re: ISR To: firewalls@GreatCircle.COM Message-ID: MIME-Version: 1.0 Content-Type: TEXT/plain; charset=us-ascii Content-MD5: FQ0R9rtFCLMd5cs1K8xnYg== X-Mailer: dtmail 1.2.0 CDE Version 1.2_14 SunOS 5.6 sun4u sparc Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I paid to subscribe to this magazine when it first started. When it went free, they sent a letter asking people "donate" the remaining value of their subscription to something I don't remember, related to them I believe. They offered a refund as well. After several attempts at getting the refund, not only did I not get the refund, I stopped receiving the magazine. I was extremely dissatisfied with their customer service approach, although to be fair, I had paid for the magazine and had some grounds to expect customer service. 
The way they handled my requests was totally unprofessional. Now that it's free, the way I was treated would be acceptable, since you get what you pay for. But it left a really bad taste for me when they even stopped sending me something I had paid for. -Michele From owner-firewalls-outgoing Mon Apr 7 16:34:40 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id PAA15142 for firewalls-outgoing; Mon, 7 Apr 1997 15:49:30 -0700 (PDT) Received: from arup.com (ove.arup.com [193.116.20.1]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id PAA15135 for ; Mon, 7 Apr 1997 15:49:23 -0700 (PDT) Received: by arup.com (4.1/UNIPALM-V1.3mjr@arup.com) id AA09163; Mon, 7 Apr 97 23:48:28 BST Received: from a_csun01.arup.com(69.69.11.1) by ove via smap (V1.3mjr) id sma009154; Mon Apr 7 23:48:22 1997 Received: from (a_csun14) by arupuk (4.1/SMI-4.1) id AA25117; Mon, 7 Apr 97 23:48:21 BST Received: from arup.com by (4.1/SMI-4.1) id AA13753; Mon, 7 Apr 97 23:45:14 BST Received: from comms-Message_Server by arup.com with Novell_GroupWise; Mon, 07 Apr 1997 23:45:13 +0000 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Mon, 07 Apr 1997 23:03:24 +0000 From: Scott Fagg To: firewalls@greatcircle.com Subject: POP proxy availability - part 2 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Based on the responses i got from my first post and some searching i did, it seems that there are a number of POP proxy solutions. I've tried one and have another to try later today. This brings up the next question. If i do install a POP proxy, controlled by tcpd, netacl or some other wrapper, once the daemon has started, how long does it hang around? (i guess ps would answer that) and if it does hang around, would this mean that the control that tcpd/netacl had in starting it would be lost (ie any one can connect) My assumption is that it would, but this seems a little bit too 'open'? 
regards, From owner-firewalls-outgoing Mon Apr 7 17:16:01 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id QAA22016 for firewalls-outgoing; Mon, 7 Apr 1997 16:40:37 -0700 (PDT) Received: from hal-pc.org (hal-pc.org [204.52.135.1]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id QAA21821 for ; Mon, 7 Apr 1997 16:39:38 -0700 (PDT) Received: from max1-169.hal-pc.org (max1-169.hal-pc.org [209.16.24.169]) by hal-pc.org (8.7.5/8.6.9) with SMTP id SAA15475; Mon, 7 Apr 1997 18:38:34 -0500 (CDT) Message-Id: <199704072338.SAA15475@hal-pc.org> Comments: Authenticated sender is From: "robertp@hal-pc.org" Organization: hal-pc.org To: firewalls@GreatCircle.COM, Michele Mullins - Commercial SE-Sun-Vienna VA Date: Mon, 7 Apr 1997 17:28:28 +0000 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Re: ISR In-reply-to: X-mailer: Pegasus Mail for Windows (v2.52) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >Your not alone. Back last Sept/Oct, I "subscribed". Remember, the web page as "under construction". I sent numerous messages and faxes (also note, there is no e-mail address unless they just added it in the past few days) regarding not only my subscription, but my "password" When it was recently resurrected, I tried my old password with no success. I sent an e-mail to their NOC who said he would "pass my message on" - To date, I have not heard one thing. Not a very professional way of doing business Bob Plaumann Date: Mon, 7 Apr 1997 10:26:18 -0400 (EDT) > From: Michele Mullins - Commercial SE-Sun-Vienna VA > Subject: Re: ISR > I paid to subscribe to this magazine when it first started. > > When it went free, they sent a letter asking people "donate" the remaining > value of their subscription to something I don't remember, related to them > I believe. They offered a refund as well. 
> > After several attempts at getting the refund, not only did I not get the > refund, I stopped receiving the magazine. > > I was extremely dissatisfied with their customer service approach, although > to be fair, I had paid for the magazine and had some grounds to expect > customer service. The way they handled my requests was totally unprofessional. > Now that it's free, the way I was treated would be acceptable, since you > get what you pay for. But it left a really bad taste for me when they even > stopped sending me something I had paid for. > > -Michele Bob Plaumann It is difficult to say what is impossible for the dream of yesterday is the reality of tomorrow - Dr. Robert H. Goddard From owner-firewalls-outgoing Mon Apr 7 17:28:30 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id QAA15925 for firewalls-outgoing; Mon, 7 Apr 1997 16:00:54 -0700 (PDT) Received: from reflections.eng.mindspring.net (reflections.eng.mindspring.net [207.69.183.9]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id QAA15900 for ; Mon, 7 Apr 1997 16:00:41 -0700 (PDT) Received: from localhost (lists@localhost) by reflections.eng.mindspring.net (8.8.5/8.8.5) with SMTP id SAA17274; Mon, 7 Apr 1997 18:45:54 -0400 Date: Mon, 7 Apr 1997 18:45:51 -0400 (EDT) From: Todd Graham Lewis To: Arley Carter cc: "firewalls(a)greatcircle.com" Subject: Re: xntpd and gauntlet 3.2 In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 4 Apr 1997, Arley Carter wrote: > On Fri, 4 Apr 1997 DSAWYER@PILLSBURY.COM wrote: > > > In a nutshell what I need to know is how do I get udp based packets on > > port 123 through the firewall? > > > > Anybody have any ideas? > > Bad Idea. Setup the firewall to be the auhtoritative time source for the > domain using xntpd to the outside world. Set the firewall to broadcast time > to the networks you want. 
Have the inside machines listen to time > broadcasts from the firewall. No need to pass udp through the firewall. Agreed. If you're super-paranoid, then you can shell out the US$200 for a GPS receiver and make yourself into a stratum-1 server. (If you do this, you should do it outside the firewall, offer stratum-1 services to others, and make your firewall a stratum-2 server, using ntp's builtin cryptographic authentication.) And to whoever said that you shouldn't use time-based cryptography, there are well-respected cryptosystems which rely on accurate time info on both client and server to eliminate replay attacks and other time-based hacks. To dismiss them merely because they require accurate time info is silly. __ Todd Graham Lewis MindSpring Enterprises tlewis@mindspring.com From owner-firewalls-outgoing Mon Apr 7 17:50:25 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA27976 for firewalls-outgoing; Mon, 7 Apr 1997 17:31:36 -0700 (PDT) Received: from reflections.eng.mindspring.net (reflections.eng.mindspring.net [207.69.183.9]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id RAA27958 for ; Mon, 7 Apr 1997 17:31:28 -0700 (PDT) Received: from localhost (lists@localhost) by reflections.eng.mindspring.net (8.8.5/8.8.5) with SMTP id UAA22697; Mon, 7 Apr 1997 20:30:22 -0400 Date: Mon, 7 Apr 1997 20:30:19 -0400 (EDT) From: Todd Graham Lewis To: James Liang cc: Firewalls@GreatCircle.COM Subject: Re: Freeware that support NAT ? In-Reply-To: <3348B00D.41C6@guangzhou.sgi.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Mon, 7 Apr 1997, James Liang wrote: > Is there a freewere that can support NAT (RFC 1631) and can run on Linux > and other unix platforms? The closest thing of which I know is IP_MASQUERADE, which is a Linux feature. 
There is talk of making it into a fully-fleged NAT, but for now it's a neat-o sort-of-NAT thing. Go to http://sunsite.unc.edu/linux and read the IP Masquerade HOWTO. __ Todd Graham Lewis MindSpring Enterprises tlewis@mindspring.com From owner-firewalls-outgoing Mon Apr 7 17:58:32 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id PAA15403 for firewalls-outgoing; Mon, 7 Apr 1997 15:53:20 -0700 (PDT) Received: from zeke.gov.yk.ca (ZEKE.GOV.YK.CA [199.247.128.34]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id PAA15386 for ; Mon, 7 Apr 1997 15:53:09 -0700 (PDT) Received: by zeke.gov.yk.ca; id PAA29378; Mon, 7 Apr 1997 15:57:44 -0700 (PDT) Received: from unknown(199.247.130.39) by zeke.gov.yk.ca via smap (V3.1) id xma029369; Mon, 7 Apr 97 15:57:41 -0700 Received: from [199.247.134.75] ([199.247.134.75]) by tempest (8.7.5/8.7.3) with SMTP id PAA18300 for ; Mon, 7 Apr 1997 15:48:00 -0700 From: Larry Kwiat To: "'Firewalls Mailing List'" Subject: Re: Gauntlet / SmartWall source :-( Message-ID: Date: Mon, 7 Apr 1997 15:52:20 -0400 (EDT) X-Mailer: Simeon for Windows Version 4.0 X-Authentication: none MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Mon, 7 Apr 1997 11:40:04 -0400 (EDT) Larry Kwiat wrote: > Re the post on open code for firewalls, and the comments > below... > > On Sun, 6 Apr 1997 18:43:25 -0400 (EDT) C Matthew Curtin wrote: > (snip) > > Joe> Does anyone else muck with the source code like I > > do? > (snip) > > I do... For internal stuff here, > > In consulting situations, I typically recommend Gauntlet if someone > > wants to "buy a firewall," or need something like that for a bastion > > host. I've never known anyone with Gauntlet (besides me) to hack at > > the code. > > > > In reality, I suspect that this is just a sign of the firewalling > > times. Firewalls are becoming commodity items. 
> (snip) > > > > Whether this is a Good Thing, a Bad Thing, or some combination thereof > > (I vote for the latter, myself) isn't really relevant; it's what's > > happening. > (snip) > > Matt Curtin Chief Scientist Megasoft, Inc. cmcurtin@research.megasoft.com > > http://www.research.megasoft.com/people/cmcurtin/ I speak only for myself > > Death to small keys. Crack DES NOW! http://www.frii.com/~rcv/deschall.htm > > Good or bad, from a corporate perspective, I think it is a > naive thing. When we are talking security, and all that can > mean in today's world, it is plain damn foolishness to cut > yourself off from a potential resource for either > implementing a product, or damage control after the fact. > Whether you have hired a button pusher or a true-grit > programmer type, you will eventually _need_ that code. If > you don't have the TGP to go along with it, you will have > to rent one. But if you buy software for this kind of > purpose, and you don't have the source code to go with it, > and you are in a corporate position, you're a damn fool. > This is my opinion, and may or may not (though I suspect it > is) be shared by the government of Yukon. 
> > Sincerely, > > Larry Kwiat > Information Security Coordinator > Information Services Branch > Department of Government Services > Government of Yukon > Phone: (403) 667-8081 > Fax: (403) 667-5304 > Netmail: kwiat@gov.yk.ca > > Sincerely, Larry Kwiat Information Security Coordinator Information Services Branch Department of Government Services Government of Yukon Phone: (403) 667-8081 Fax: (403) 667-5304 Netmail: kwiat@gov.yk.ca From owner-firewalls-outgoing Mon Apr 7 20:19:39 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id UAA18480 for firewalls-outgoing; Mon, 7 Apr 1997 20:11:55 -0700 (PDT) Received: from wall.pwa.co.in ([206.103.11.183]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id UAA18465 for ; Mon, 7 Apr 1997 20:11:46 -0700 (PDT) From: Sandeep_Talwar@INDIA.notes.pwa.co.in Received: from notes.pwa.co.in (notes.pwa.co.in [126.0.0.180]) by wall.pwa.co.in (8.6.12/8.6.12) with SMTP id MAA16711 for ; Mon, 7 Apr 1997 12:47:15 +0500 Received: by notes.pwa.co.in(Lotus SMTP MTA Release 1.0) id 65256473.0011AB0B ; Tue, 8 Apr 1997 08:42:58 +300500 X-Lotus-FromDomain: INDIA @ INTERNET To: Firewalls@GreatCircle.COM Message-ID: <65256473:00110531.00@notes.pwa.co.in> Date: Tue, 8 Apr 1997 08:43:42 +300500 Subject: Re: Firewalls-Digest V6 #145 Mime-Version: 1.0 Content-type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I have a mail proxy which has sendmail running on it fine.Can I have another name for this machine so that mail would be accepted for this name as well and forwarded to a Mail_Hub. ( I have used a Mail_Hub in my internal LAN to which all the mail gets diverted to ).I tried to do this by telling the DNS so as to point MX records to this machine but I got error messages saying 554 local configuration error and 553 mail loop backs to me. Note that mail is fine for the original name of this machine.The problem is only for the mail to this new name. 
If someone can give me some clues to what is wrong then let me know.....Thanks in advance From owner-firewalls-outgoing Mon Apr 7 20:34:35 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id UAA19039 for firewalls-outgoing; Mon, 7 Apr 1997 20:23:28 -0700 (PDT) Received: from pct-b.industryone.net ([208.135.121.10]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id UAA19021 for ; Mon, 7 Apr 1997 20:23:21 -0700 (PDT) Received: from [208.135.121.146] by pct-b.industryone.net (SMTPD32-3.00) id AA8FA800D8; Mon Apr 07 23:25:03 1997 Received: by CHATSRV.industryone.net with Microsoft Mail id <01BC43AA.53503D00@CHATSRV.industryone.net>; Mon, 7 Apr 1997 23:20:48 -0400 Message-ID: <01BC43AA.53503D00@CHATSRV.industryone.net> From: -= Talon =- To: "'firewalls@greatcircle.com'" Subject: Security / IP Addresses Date: Mon, 7 Apr 1997 23:20:36 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Anyone out there ever know how to make yourself anonymous through the use of some kind of hack utility? I've seen this on some networks, but never really thought it could happen. I'd just like to know what method they use so I can defeat them. 
Jason Burton - Network & Security Specialist World Industry Alliance - ISP www.industryone.net www.earthshop.com Burton, Jason: Beta Test ID 27 From owner-firewalls-outgoing Mon Apr 7 21:19:33 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id VAA22619 for firewalls-outgoing; Mon, 7 Apr 1997 21:09:51 -0700 (PDT) Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id VAA22577 for ; Mon, 7 Apr 1997 21:09:41 -0700 (PDT) Message-Id: <199704080409.VAA22577@honor.greatcircle.com> Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA278942171; Tue, 8 Apr 1997 14:02:51 +1000 From: Darren Reed Subject: Re: Freeware that support NAT ? To: james@guangzhou.sgi.com Date: Tue, 8 Apr 1997 14:02:51 +1000 (EST) Cc: Firewalls@GreatCircle.COM In-Reply-To: <334904C0.99C4FB17@tech.telepac.pt> from "Joao Brazao Ferreira" at Apr 7, 97 03:29:20 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk James Liang wrote: > Hi all, > > Is there a freewere that can support NAT (RFC 1631) and can run on > Linux > and other unix platforms? Have a look at http://coombs.anu.edu.au/ipfilter It'll run on FreeBSD/NetBSD/OpenBSD/Solaris2/SunOS4 But not Linux. 
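The thread above contrasts Linux IP masquerading with NAT as in RFC 1631. The following is an added example, not part of any list member's post and not the Linux or ipfilter implementation: a toy Python model of address-only NAT with a pool of global addresses next to many-to-one masquerading, showing which translator can deliver an unsolicited inbound connection and what happens when the pool runs out. Class names, the port range and all addresses (documentation ranges) are constructed for illustration.

```python
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

# (source ip, source port, destination ip, destination port)
Packet = Tuple[str, int, str, int]


class PoolNat:
    """Address-only NAT: one global address per inside host, ports untouched."""

    def __init__(self, inside: str, pool: List[str],
                 static: Optional[Dict[str, str]] = None) -> None:
        self.inside = IPv4Network(inside)
        self.free = list(pool)               # global addresses not yet bound
        self.to_global: Dict[str, str] = {}  # inside address -> global address
        self.to_local: Dict[str, str] = {}   # global address -> inside address
        for local, glob in (static or {}).items():
            self._bind(local, glob)          # static bindings exist before any traffic

    def _bind(self, local: str, glob: str) -> None:
        self.free.remove(glob)
        self.to_global[local] = glob
        self.to_local[glob] = local

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        src, sport, dst, dport = pkt
        if IPv4Address(src) not in self.inside:
            return None
        if src not in self.to_global:
            if not self.free:
                return None                  # pool exhausted: host cannot get out
            self._bind(src, self.free[0])
        return (self.to_global[src], sport, dst, dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        src, sport, dst, dport = pkt
        local = self.to_local.get(dst)
        if local is None:
            return None                      # no binding for that global address
        return (src, sport, local, dport)    # any port on the bound host is reachable


class Masquerade:
    """Many-to-one translation: every inside flow leaves as gateway:port."""

    def __init__(self, inside: str, gateway: str,
                 ports: range = range(61000, 61004)) -> None:  # constructed range
        self.inside = IPv4Network(inside)
        self.gateway = gateway
        self.free_ports = list(ports)
        self.out_state: Dict[Packet, int] = {}
        # (gateway port, remote ip, remote port) -> (inside ip, inside port)
        self.in_state: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        src, sport, dst, dport = pkt
        if IPv4Address(src) not in self.inside:
            return None
        if pkt not in self.out_state:
            if not self.free_ports:
                return None
            port = self.free_ports.pop(0)
            self.out_state[pkt] = port
            self.in_state[(port, dst, dport)] = (src, sport)
        return (self.gateway, self.out_state[pkt], dst, dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        src, sport, dst, dport = pkt
        if dst != self.gateway:
            return None
        entry = self.in_state.get((dport, src, sport))
        if entry is None:
            return None                      # unsolicited: no state, nothing to map to
        return (src, sport, entry[0], entry[1])


def compare() -> Dict[str, Optional[Packet]]:
    """Run the same constructed traffic through both translators."""
    remote = "198.51.100.7"
    nat = PoolNat("10.0.0.0/24", ["192.0.2.10", "192.0.2.11"],
                  static={"10.0.0.5": "192.0.2.10"})
    masq = Masquerade("10.0.0.0/24", "192.0.2.1")
    return {
        # Someone outside opens a connection to an inside mail host.
        "nat_unsolicited_in": nat.inbound((remote, 40000, "192.0.2.10", 25)),
        "masq_unsolicited_in": masq.inbound((remote, 40000, "192.0.2.1", 25)),
        # Inside host opens a connection; only then can replies come back.
        "masq_out": masq.outbound(("10.0.0.5", 1025, remote, 80)),
        "masq_reply_in": masq.inbound((remote, 80, "192.0.2.1", 61000)),
        # Two-address pool, one already bound statically.
        "nat_second_host": nat.outbound(("10.0.0.6", 1025, remote, 80)),
        "nat_third_host": nat.outbound(("10.0.0.7", 1025, remote, 80)),
        "masq_third_host": masq.outbound(("10.0.0.7", 1025, remote, 80)),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:20} {result}")
```

In this model a static NAT binding makes the inside host reachable on every port, so the bound host still needs packet-filter rules in front of it.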
From owner-firewalls-outgoing Mon Apr 7 21:34:51 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id VAA23926 for firewalls-outgoing; Mon, 7 Apr 1997 21:25:48 -0700 (PDT) Received: from nic2.pf (nic2.pf [208.139.164.20]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id VAA23874 for ; Mon, 7 Apr 1997 21:25:29 -0700 (PDT) Received: from wizard (pop36.pf [208.139.164.16]) by nic2.pf (8.8.5/8.6.9) with SMTP id SAA18564; Mon, 7 Apr 1997 18:23:53 -1000 Message-ID: <3349C859.7501CE5D@opt.pf> Date: Mon, 07 Apr 1997 18:23:53 -1000 From: Gilles Lorphelin Organization: OPT -- FRENCH POLYNESIA X-Mailer: Mozilla 3.01Gold (X11; I; Linux 2.1.7 i586) MIME-Version: 1.0 To: Todd Graham Lewis CC: James Liang , Firewalls@GreatCircle.COM Subject: Re: Freeware that support NAT ? References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Todd Graham Lewis wrote: > > On Mon, 7 Apr 1997, James Liang wrote: > > > Is there a freewere that can support NAT (RFC 1631) and can run on Linux > > and other unix platforms? > > The closest thing of which I know is IP_MASQUERADE, which is a Linux > feature. There is talk of making it into a fully-fleged NAT, but for now > it's a neat-o sort-of-NAT thing. > > Go to http://sunsite.unc.edu/linux and read the IP Masquerade HOWTO. But How can somebody call me if I'm masqueraded ? Perhaps I'm wrong , but I have to be in a NAT configuration. And you're saying me that I can't do that with my Linux ? Thanks for lighting me . -- ********************************************************************** Gilles Lorphelin Internet Tech. Mgr. 
OPT -- French Polynesia The IAP/ISP of Tahiti and her islands Tel : (+689) 414 684 Fax : (+689) 435 830 ********************************************************************** From owner-firewalls-outgoing Tue Apr 8 00:36:04 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id AAA11550 for firewalls-outgoing; Tue, 8 Apr 1997 00:25:45 -0700 (PDT) Received: from NURI.NET (mail.nuri.net [203.255.112.2]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id AAA11536 for ; Tue, 8 Apr 1997 00:25:36 -0700 (PDT) Received: from ns.nuri.net (angel.inet.co.kr [203.255.113.41]) by NURI.NET (8.8.5/8.8.5) with SMTP id QAA20533; Tue, 8 Apr 1997 16:22:37 +0900 (KST) Message-ID: <3349F280.70CC@nuri.net> Date: Tue, 08 Apr 1997 16:23:44 +0900 From: Young-jin Hong Organization: Inet Inc. X-Mailer: Mozilla 3.01 (Win95; I) MIME-Version: 1.0 To: firewalls@GreatCircle.COM CC: wits@nuri.net Subject: [CyberGuard] these configuration're possible in NAT? Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Dear readers and experts. Originally, my company use two B class network address(official) for our internal network without NAT. But as we're configuring our Firewall(CyberGuard Firewall), we like to use NAT with a C class network address to connect with Internet while hiding our conventional B class addresses for internal use.

Ex) C class network address : 203.255.111.0 (for internet connection)
    B class network address : 172.16.0.0
                              172.17.0.0

in NAT configuration:

Type      Global address  Internal    Mask
--------  -------------   ----------  -----------
network   203.255.111.0   172.16.0.0  255.255.0.0
network   203.255.111.0   172.17.0.0  255.255.0.0

are these NAT configuration possible?
Young-jin Hong E-mail> wits@nuri.net From owner-firewalls-outgoing Tue Apr 8 05:51:08 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA28809 for firewalls-outgoing; Tue, 8 Apr 1997 05:41:48 -0700 (PDT) Received: from typhoon.dial.pipex.net (typhoon.dial.pipex.net [158.43.128.27]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id FAA28792 for ; Tue, 8 Apr 1997 05:41:25 -0700 (PDT) Received: from ae169.du.pipex.com (193.130.244.169) by typhoon.dial.pipex.net (8.8.2/UUNET PIPEX simple 1.29) id NAA09022; Tue, 8 Apr 1997 13:39:47 +0100 (BST) Message-ID: <334A3C7D.3953@dial.pipex.com> Date: Tue, 08 Apr 1997 12:39:25 +0000 From: David Churchill-Saunders Organization: EuroCommerce X-Mailer: Mozilla 2.02 (Win16; I) MIME-Version: 1.0 To: Firewalls@GreatCircle.COM Subject: Electronic Commecre For European retailers References: <332279BA.349B@tla.ch> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Attn: Vice President International Marketing & Sales Dear Sir, I am working for an organisation called Eurocommerce. Eurocommerce was founded five years ago by all the top multiple outlet retailers in the member countries of the European Union. (Companies like Sears, Marks & Spencer, Sainsbury etc). Our 5000 members represent some 85% of the European retail market. We were founded to act as their official information provider relating to all aspects of IT & Electronic Commerce. We are currently advising them on the setting up of web sites for on-line home shopping and most importantly how to go about securing payment transactions over the internet. We are looking for companies/solution providers in the following areas: secure electronic transactions, digital cash, micro payments, smart cards, credit card based transaction technology as well web site design and hosting - server hardware/ software etc). 
If this is of interest to you please could you contact me by return of e-mail with your contact details and I will be in touch to discuss the project further. Best regards, David Churchill-Saunders Project Director From owner-firewalls-outgoing Tue Apr 8 06:24:13 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA01625 for firewalls-outgoing; Tue, 8 Apr 1997 06:12:44 -0700 (PDT) Received: from portal.east.saic.com (portal.east.saic.com [198.151.13.15]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id GAA01593 for ; Tue, 8 Apr 1997 06:12:27 -0700 (PDT) Received: from blazer.cist.saic.com ([149.8.156.11]) by portal.east.saic.com via smtpd (for honor.greatcircle.com [198.102.244.44]) with SMTP; 8 Apr 1997 13:12:34 UT Received: from obiwan.cist.saic.com (unverified [149.8.156.16]) by blazer.cist.saic.com (EMWAC SMTPRS 0.83) with SMTP id ; Tue, 08 Apr 1997 09:11:22 -0400 Message-ID: From: "Chris Kostick" To: "Gilles Lorphelin" Cc: Subject: Re: Freeware that support NAT ? Date: Tue, 8 Apr 1997 09:08:45 -0400 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1155 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > > Is there a freewere that can support NAT (RFC 1631) and can run on Linux > > > and other unix platforms? > > > > The closest thing of which I know is IP_MASQUERADE, which is a Linux > > feature. There is talk of making it into a fully-fleged NAT, but for now > > it's a neat-o sort-of-NAT thing. > > > > Go to http://sunsite.unc.edu/linux and read the IP Masquerade HOWTO. > > But How can somebody call me if I'm masqueraded ? You mean make a connection to you? You can't do it with Masquerading, strictly speaking. You could use other utilities to help redirect connections to internal machines. None of them however, are as flexible as a true NAT environment. 
> Perhaps I'm wrong , but I have to be in a NAT configuration. Yes. > And you're saying me that I can't do that with my Linux ? Well,... yes. > > Thanks for lighting me . From owner-firewalls-outgoing Tue Apr 8 07:24:20 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA04180 for firewalls-outgoing; Tue, 8 Apr 1997 06:41:56 -0700 (PDT) Received: from sunphil.sunphil.mozcom.com ([206.151.138.34]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id GAA04163 for ; Tue, 8 Apr 1997 06:41:46 -0700 (PDT) Received: by sunphil.sunphil.mozcom.com (SMI-8.6/SMI-SVR4) id VAA24368; Tue, 8 Apr 1997 21:36:54 -0800 Date: Tue, 8 Apr 1997 21:36:54 -0800 From: drexx@sunphil.mozcom.com (Drexx Laggui) Message-Id: <199704090536.VAA24368@sunphil.sunphil.mozcom.com> To: ggh14854@glaxowellcome.com Subject: Re: virus scanning Cc: Firewalls@GreatCircle.COM X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello Gary, Ever seen Viruswall? See them at www.antivirus.com Drexx. "It's a dirty job, but somebody's gotta do it." -- John Wayne ~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~ ______ /_____/\ DEXTER D. LAGGUI /_____\\ \ Systems Engineer, Systems Integration Group /_____\ \\ / PHILIPPINE SYSTEMS PRODUCTS INC. /_____/ \/ / / Penthouse, Corporate Business Center /_____/ / \//\ 150 Paseo de Roxas Ave., Legaspi Village \_____\//\ / / Makati City, Philippines \_____/ / /\ / \_____/ \\ \ Phone: (++632) 813-6453 to 55 loc. 222 \_____\ \\ Fax: (++632) 813-5834 \_____\/ Email: drexx@sunphil.mozcom.com ~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~ |> Date: Mon, 7 Apr 1997 13:35:07 -0400 (EDT) |> From: Gary Hull |> |> We are looking at implementing virus scanning sw either at the firewall |> or on a server that sits between our firewall and the intranet. Can anyone |> recommend such a product? Thanks. |> |> |/ |> ---o0o-@@-o0o--------- |> |> Gary G. 
Hull - Technical Consultant |> Howard Systems International - Glaxo Wellcome Inc. |> Five Moore Drive - Raleigh, North Carolina 27709 |> Tel : (919) 941-4867 - Fax : (919) 483-0056 |> email: ggh14854@ussun2f.glaxo.com |> |> From owner-firewalls-outgoing Tue Apr 8 07:41:06 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA06231 for firewalls-outgoing; Tue, 8 Apr 1997 07:04:45 -0700 (PDT) Received: from firewall-ext.cpg.it (dns.cpg.it [151.99.248.2]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id HAA06153 for ; Tue, 8 Apr 1997 07:04:23 -0700 (PDT) Received: from giove.cpg.it by firewall-ext.cpg.it via smtpd (for honor.greatcircle.com [198.102.244.44]) with SMTP; 8 Apr 1997 13:53:00 UT Received: from sirio.cpg.it by giove.cpg.it (SMI-8.6/SMI-SVR4) id PAA09559; Tue, 8 Apr 1997 15:56:54 +0200 Message-Id: <199704081356.PAA09559@giove.cpg.it> X-MAPI-MessageClass: IPM To: firewalls@greatcircle.com X-Mailer: FTP Software Internet Mail 2.0 MIME-Version: 1.0 From: Serena Mazzoni Subject: X11 Date: Tue, 08 Apr 1997 16:05:21 +0200 Content-Type: text/plain; charset=US-ASCII; X-MAPIextension=".TXT" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi all does anyone know the port number for X11 protocol? thanks in advance. 
Serena Mazzoni From owner-firewalls-outgoing Tue Apr 8 07:49:16 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA05051 for firewalls-outgoing; Tue, 8 Apr 1997 06:52:10 -0700 (PDT) Received: from ddre.dla.mil (DDRE.DLA.MIL [164.87.1.100]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id GAA05035 for ; Tue, 8 Apr 1997 06:52:02 -0700 (PDT) Received: from smtp.ddre.dla.mil by ddre.dla.mil (5.65/1.35) id AA27492; Tue, 8 Apr 97 09:52:08 -0400 Received: from cc:Mail by smtp.ddre.dla.mil id AA860518484; Tue, 08 Apr 97 09:47:39 est Date: Tue, 08 Apr 97 09:47:39 est From: "dennis keller" Message-Id: <9703088605.AA860518484@smtp.ddre.dla.mil> To: firewalls@greatcircle.com Subject: FTP Software's Secure Client Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi all! I just received an evaluation copy of FTP Software's Secure Client. I'm not going to install it until our firewall is installed, which will be late May, early June. Has anyone on this list used/evaluated this product? If so did you like it or was it a pain to configure? The reason I ask is this, we've used FTP's PCTCP for some of our users and it's a real pain to configure! Regards! 
Dennis Keller DLA, Admin Support Center East New Cumberland, PA USA email: dkeller@ddre.dla.mil From owner-firewalls-outgoing Tue Apr 8 08:06:13 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA04658 for firewalls-outgoing; Tue, 8 Apr 1997 06:47:40 -0700 (PDT) Received: from odin.community.net (odin.community.net [140.174.119.10]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id GAA04651 for ; Tue, 8 Apr 1997 06:47:35 -0700 (PDT) Received: from [205.158.182.130] (ws1.husler.xo.com [205.158.182.130]) by odin.community.net with SMTP id GAA11569; Tue, 8 Apr 1997 06:42:29 -0700 (PDT) Message-Id: <199704081342.GAA11569@odin.community.net> Subject: Re: xntpd and gauntlet 3.2 Date: Tue, 8 Apr 97 06:46:12 -0700 x-mailer: Claris Emailer 2.0 x52, February 26, 1997 From: Bill Husler To: "Arley Carter" cc: "firewalls(a)greatcircle.com" Mime-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >On Fri, 4 Apr 1997, Arley Carter wrote: > >> On Fri, 4 Apr 1997 DSAWYER@PILLSBURY.COM wrote: >> >> > In a nutshell what I need to know is how do I get udp based packets on >> > port 123 through the firewall? >> > >> > Anybody have any ideas? >> >> Bad Idea. Setup the firewall to be the auhtoritative time source for the >> domain using xntpd to the outside world. Set the firewall to broadcast time >> to the networks you want. Have the inside machines listen to time >> broadcasts from the firewall. No need to pass udp through the firewall. > >Agreed. If you're super-paranoid, then you can shell out the US$200 for a >GPS receiver and make yourself into a stratum-1 server. (If you do this, >you should do it outside the firewall, offer stratum-1 services to others, >and make your firewall a stratum-2 server, using ntp's builtin >cryptographic authentication.) 
> >And to whoever said that you shouldn't use time-based cryptography, there >are well-respected cryptosystems which rely on accurate time info on both >client and server to eliminate replay attacks and other time-based hacks. >To dismiss them merely because they require accurate time info is silly. > >__ >Todd Graham Lewis MindSpring Enterprises tlewis@mindspring.com > > Does anyone have a reference for where to get this US$200 GPS NTP server? The Ads I've seen are for 10 times that amount. Bill Please remember to always flame via private eMail - the rest of the group is just not interested. From owner-firewalls-outgoing Tue Apr 8 08:21:11 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA06105 for firewalls-outgoing; Tue, 8 Apr 1997 07:04:02 -0700 (PDT) Received: from twinds.com (eagle.twinds.com [206.153.22.1]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id HAA06073 for ; Tue, 8 Apr 1997 07:03:36 -0700 (PDT) Received: by twinds.com; id KAA06866; Tue, 8 Apr 1997 10:02:03 -0400 (EDT) Received: from hawk.twinds.com(207.2.239.3) by eagle.twinds.com via smap (3.2) id xma006864; Tue, 8 Apr 97 10:01:54 -0400 Date: Tue, 8 Apr 1997 10:01:54 -0400 (EDT") From: Arley Carter X-Sender: ac@hawk.twinds.com To: Todd Graham Lewis cc: "firewalls(a)greatcircle.com" Subject: Re: xntpd and gauntlet 3.2 In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > On Fri, 4 Apr 1997, Arley Carter wrote: On the inadvisabilty of passing udp through a firewall > On Mon, 7 Apr 1997, Todd Graham Lewis wrote: > Agreed. If you're super-paranoid, then you can shell out the US$200 for a > GPS receiver and make yourself into a stratum-1 server. (If you do this, > you should do it outside the firewall, offer stratum-1 services to others, > and make your firewall a stratum-2 server, using ntp's builtin > cryptographic authentication.) 
>
> And to whoever said that you shouldn't use time-based cryptography, there
> are well-respected cryptosystems which rely on accurate time info on both
> client and server to eliminate replay attacks and other time-based hacks.
> To dismiss them merely because they require accurate time info is silly.
>

>From ac@hawkTue Apr 8 09:46:48 1997
Date: Mon, 7 Apr 1997 16:09:01 -0400 (EDT")
From: Arley Carter
To: "Button, Dave"
Subject: RE: UDP considered harmful? (was: xntpd and gauntlet 3.2)

On Mon, 7 Apr 1997, Button, Dave wrote:
>
> The quote was specific to OUR situation, though I understand that UDP
> may be dangerous in situations where RPC is used. More specifically, I
> was concerned about spoofing attacks that would negate having accurate
> time, and the problems with relying on outside servers providing
> claimed stratum 1 accuracy. We are in the certification authority
> business and so we must avoid the appearance of evil as well as evil
> itself.
>

This brings up an interesting question about the xntpd protocol. As I understand the algorithm xntp uses, it chooses the "best" time from one of all the servers selected. This is based upon dispersion around a mean time. Outliers are discarded.

So: Let's assume you pick 6 external servers at random, (3 is the recommended minimum.) To serve bogus time to your xntpd daemon and have it believed, the attacker would have to corrupt the time servers for a majority of your servers that you have chosen at random. Otherwise, the attacker's time stamps would be thrown out of the time selection process because it is a divergent time.

I would say then that the possibility of an attacker being able to launch a successful attack using this method is therefore quite small.

If someone can demonstrate this is not true, please chime in.

Cheers:
-arc
Arley Carter Tradewinds Technologies, Inc.
Winston-Salem, NC USA email: ac@twinds.com www: http://www.twinds.com From owner-firewalls-outgoing Tue Apr 8 08:44:39 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA15214 for firewalls-outgoing; Tue, 8 Apr 1997 08:24:19 -0700 (PDT) Received: from cic.teleco.ulpgc.es (cic.teleco.ulpgc.es [193.145.140.2]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id IAA15183 for ; Tue, 8 Apr 1997 08:24:06 -0700 (PDT) From: jjjb@neumann.teleco.ulpgc.es Received: from neumann.teleco.ulpgc.es (neumann.teleco.ulpgc.es [193.145.138.66]) by cic.teleco.ulpgc.es (8.8.5/8.8.5) with SMTP id KAA28801 for ; Tue, 8 Apr 1997 10:46:48 GMT Received: from NEUMANN/CORREO by neumann.teleco.ulpgc.es (Mercury 1.12); Tue, 8 Apr 97 10:40:49 +00 Received: from CORREO by NEUMANN (Mercury 1.12); Tue, 8 Apr 97 10:40:36 +00 Received: from juanjo.ulpgc.es by neumann.teleco.ulpgc.es (Mercury 1.12); Tue, 8 Apr 97 10:40:35 +00 Comments: Authenticated sender is To: firewalls@greatcircle.com Date: Tue, 8 Apr 1997 10:51:17 +0000 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: dont read is a proof X-mailer: Pegasus Mail for Win32 (v2.52) Message-ID: <1B2631E3E0F@neumann.teleco.ulpgc.es> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk hallo, every body if you know the direcction to write this list send me please. 
From owner-firewalls-outgoing Tue Apr 8 08:52:23 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA11180 for firewalls-outgoing; Tue, 8 Apr 1997 07:55:46 -0700 (PDT) Received: from typhoon.dial.pipex.net (typhoon.dial.pipex.net [158.43.128.27]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id HAA11166 for ; Tue, 8 Apr 1997 07:55:36 -0700 (PDT) Received: from an219.du.pipex.com (193.130.253.219) by typhoon.dial.pipex.net (8.8.2/UUNET PIPEX simple 1.29) id PAA00705; Tue, 8 Apr 1997 15:53:51 +0100 (BST) Message-ID: <334A5BE8.234F@dial.pipex.com> Date: Tue, 08 Apr 1997 14:53:28 +0000 From: David Churchill-Saunders Organization: EuroCommerce X-Mailer: Mozilla 2.02 (Win16; I) MIME-Version: 1.0 To: Harry Munir Behrens CC: Firewalls@GreatCircle.COM Subject: Re: Electronic Commerce For European retailers References: <199704081433.OAA00336@noah.mtl.t.u-tokyo.ac.jp> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Harry Munir Behrens wrote: > > This is in reference to a mail by Mr. David Churchill-Saunders > who claims to be working for Eurocommerce (????) > and doesn't even know how to spell it! (see Subject:) > This seems a classic beginner approach at what's called > "social engineering". > As such it might have relevance to a mailing list, that deals with > technologies for firewalls and computer security :-) > > Pardon me for making a spelling mistake. You should not call someone a liar in public until you have carried out a complete investigation of the facts. I would have thought that a PhD candidate should be aware of this! Please supply me with your fax number so that I may be able to fax you full confirming details of Eurocommerce. 
Regards From owner-firewalls-outgoing Tue Apr 8 09:07:35 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA09066 for firewalls-outgoing; Tue, 8 Apr 1997 07:34:51 -0700 (PDT) Received: from noah.mtl.t.u-tokyo.ac.jp (noah.mtl.t.u-tokyo.ac.jp [133.11.96.7]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id HAA09059 for ; Tue, 8 Apr 1997 07:34:45 -0700 (PDT) Received: from mtl.t.u-tokyo.ac.jp by noah.mtl.t.u-tokyo.ac.jp (8.6.9+2.4W/3.3W/mtl1.3) with ESMTP id OAA00336; Tue, 8 Apr 1997 14:33:03 GMT Message-Id: <199704081433.OAA00336@noah.mtl.t.u-tokyo.ac.jp> To: David Churchill-Saunders cc: Firewalls@greatcircle.com Subject: Re: Electronic Commecre For European retailers In-reply-to: Your message of "Tue, 08 Apr 1997 12:39:25 GMT." <334A3C7D.3953@dial.pipex.com> Date: Tue, 08 Apr 1997 23:32:54 +0900 From: Harry Munir Behrens Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This is in reference to a mail by Mr. David Churchill-Saunders who claims to be working for Eurocommerce (????) and doesn't even know how to spell it! (see Subject:) This seems a classic beginner approach at what's called "social engineering". As such it might have relevance to a mailing list, that deals with technologies for firewalls and computer security :-) ---------Begin quote------- I am working for an organisation called Eurocommerce. Eurocommerce was founded five years ago by all the top multiple outlet retailers in the member countries of the European Union. (Companies like Sears, Marks & Spencer, Sainsbury etc). Our 5000 members represent some 85% of the European retail market. We were founded to act as their official information provider relating to all aspects of IT & Electronic Commerce. .... ---------End Quote--------- Anybody who has lived in Europe and knows the mechanisms by which the EU moves would immediately doubt this! 
Harry "Munir Basha" Behrens Tel.: +81-3-3814-4251 #6707 (lab) PhD candidate +81-3-5243-6099 (home) Tanaka Lab Dept. of Electrical Engineering e-mail: behrens@mtl.t.u-tokyo.ac.jp University of Tokyo Harry@Behrens.com Public PGP key = `finger behrens@mtl.t.u-tokyo.ac.jp` From owner-firewalls-outgoing Tue Apr 8 09:21:13 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA19266 for firewalls-outgoing; Tue, 8 Apr 1997 08:47:57 -0700 (PDT) Received: from mail.hud.ac.uk (mail.hud.ac.uk [161.112.4.21]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id IAA19176 for ; Tue, 8 Apr 1997 08:47:23 -0700 (PDT) Received: from exchange01.hud.ac.uk by mail.hud.ac.uk with smtp (PP 6.0) id <14749-0@mail.hud.ac.uk>; Tue, 8 Apr 1997 16:46:00 +0100 Received: by exchange01.hud.ac.uk with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5) id <01BC443C.24FE1890@exchange01.hud.ac.uk>; Tue, 8 Apr 1997 16:44:36 +0100 Message-ID: From: Deric Giles To: "'Firewalls@GreatCircle.com'" Subject: Router bottlenecks in ATM network? Date: Tue, 8 Apr 1997 16:44:10 +0100 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I like the idea of an extra layer of security in the screened subnet architecture for a firewall as described in Brent's book. This works fine while we have an Ethernet internal network and a slowish Internet connection. However in the near future our site is likely to be connected to a MAN running at maybe 155Mb/sec and our internal network upgraded to ATM at a similar speed. Having two routers in the path acting at layer 3 now seem to pose a bottleneck. How can I maintain the benefits from the speed upgrades without compromising security? 
The only (partial) solution I can see is to merge the two routers but this then makes the site vulnerable to the compromise of a single router. Any ideas? ------------------------------------------------------------------------ -------------------------------------- : Deric R. Giles : email D.R.Giles@hud.ac.uk : : The University of Huddersfield : telephone (+44) 1484 473025 : : PO Box 341 : fax (+44) 1484 516151 : : Huddersfield, HD1 3YE ,U.K. : : ------------------------------------------------------------------------ -------------------------------------- From owner-firewalls-outgoing Tue Apr 8 09:54:39 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA21361 for firewalls-outgoing; Tue, 8 Apr 1997 09:02:22 -0700 (PDT) Received: from netcomm.NetComm.IE (csh030.emirates.net.ae [194.170.124.30]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id JAA21279 for ; Tue, 8 Apr 1997 09:02:01 -0700 (PDT) Received: from [129.156.240.33] (kevin-mac [129.156.240.33]) by netcomm.NetComm.IE (8.8.0/8.7) with ESMTP id SAA11011; Tue, 8 Apr 1997 18:57:58 +0400 X-Sender: kevinbr@129.156.240.1 Message-Id: In-Reply-To: <334A3C7D.3953@dial.pipex.com> References: <332279BA.349B@tla.ch> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 8 Apr 1997 19:07:22 +0300 To: David Churchill-Saunders From: Kevin Brown Subject: Re: Electronic Commecre For European retailers Cc: Firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Is he David Churchill or Adam Barnett? Or a waste of time? Two different names, one email account. What is the scam here? 
Kevin At 15:39 +0300 8/4/97, David Churchill-Saunders wrote: Date: Tue, 08 Apr 1997 12:39:25 +0000 >>>>>>>>>From: David Churchill-Saunders Organization: EuroCommerce MIME-Version: 1.0 To: Firewalls@GreatCircle.COM Subject: Electronic Commecre For European retailers Sender: firewalls-owner@GreatCircle.COM Precedence: bulk>Attn: Vice President International Marketing & Sales > >Dear Sir, > >I am working for an organisation called Eurocommerce. > >Eurocommerce was founded five years ago by all the top multiple outlet >retailers in the >member countries of the European Union. (Companies like Sears, Marks & >Spencer, Sainsbury etc). Our 5000 members represent some 85% of the >European retail market. > >We were founded to act as their official information provider relating to >all aspects of IT & Electronic Commerce. > >We are currently advising them on the setting up of web sites for on-line >home shopping >and most importantly how to go about securing payment transactions over >the internet. > >We are looking for companies/solution providers in the following areas: >secure >electronic transactions, digital cash, micro payments, smart cards, >credit card based >transaction technology as well web site design and hosting - server >hardware/ software etc). > >If this is of interest to you please could you contact me by return of >e-mail with your >contact details and I will be in touch to discuss the project further. > >Best regards, > >David Churchill-Saunders >Project Director and before : Date: Wed, 12 Feb 1997 08:20:42 +0000 >>>>>>>>>>From: hf85 Organization: Royal Academy Of Engineering MIME-Version: 1.0 To: firewalls@GreatCircle.COM Subject: Firewall vendors please read! 
Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi there, I am working on the 'Get Connected' initiative for the G7 Health Programme - this is the setting up of intranets for the top 1000 primary hospitals in Europe and then connecting these together to form a Virtual Private Network for healthcare industry in Europe. We are looking for IT security companies in this market place (Firewalls, data encryption, access control etc) as well as consultants who have done this work in USA/CAnada. I can be contacted on: +44-171-206-0259 Await to hear. Adam Barnett Royal Academy of Engineering //////////////////////////////////////////////////////////// Kevin Brown | N \ We operate in Ireland, UK NetComm | e / and the Middle East Internet Training, | t \ --DUBAI-- Consultancy and Networking | C / Voice: +971-4-491476 | o \ Fax: +971-4-492957 Sun Microsystems | m / Internet Associate | m \ | / The Internet | \ email: kevinbr@netcomm.ie Experts | / info@netcomm.ie | \ http://www.netcomm.ie \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ From owner-firewalls-outgoing Tue Apr 8 10:24:11 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA03788 for firewalls-outgoing; Tue, 8 Apr 1997 10:06:23 -0700 (PDT) Received: from reflections.eng.mindspring.net (reflections.eng.mindspring.net [207.69.183.9]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id JAA24028 for ; Tue, 8 Apr 1997 09:15:42 -0700 (PDT) Received: from localhost (lists@localhost) by reflections.eng.mindspring.net (8.8.5/8.8.5) with SMTP id MAA25488; Tue, 8 Apr 1997 12:13:50 -0400 Date: Tue, 8 Apr 1997 12:13:49 -0400 (EDT) From: Todd Graham Lewis To: Serena Mazzoni cc: firewalls@GreatCircle.COM Subject: Re: X11 In-Reply-To: <199704081356.PAA09559@giove.cpg.it> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Tue, 8 Apr 1997, Serena Mazzoni wrote: > does anyone 
know the port number for X11 protocol?

ports 6000 and up, along with various other ports. X is a multi-faceted family of protocols, each with its own peculiarities and clever ways of introducing devastating security holes into your network.

You're not really thinking about letting it through, are you?

__
Todd Graham Lewis MindSpring Enterprises tlewis@mindspring.com

From owner-firewalls-outgoing Tue Apr 8 10:30:20 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA22767 for firewalls-outgoing; Tue, 8 Apr 1997 09:09:50 -0700 (PDT)
Received: from reflections.eng.mindspring.net (reflections.eng.mindspring.net [207.69.183.9]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id JAA22640 for ; Tue, 8 Apr 1997 09:09:09 -0700 (PDT)
Received: from localhost (lists@localhost) by reflections.eng.mindspring.net (8.8.5/8.8.5) with SMTP id MAA25476; Tue, 8 Apr 1997 12:06:56 -0400
Date: Tue, 8 Apr 1997 12:06:55 -0400 (EDT)
From: Todd Graham Lewis
To: Arley Carter
cc: "firewalls(a)greatcircle.com"
Subject: Re: xntpd and gauntlet 3.2
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 8 Apr 1997, Arley Carter wrote:

> This brings up an interesting question about the xntpd protocol. As I
> understand the algorithm xntp uses, it chooses the "best" time from one
> of all the servers selected. This is based upon dispersion around a
> mean time. Outliers are discarded.

Pretty close. ntp has a fairly strict definition of "outliers" which often means "all servers other than the one I think is right".

> So: Let's assume you pick 6 external servers at random, (3 is the
> recommended minimum.) To serve bogus time to your xntpd daemon and have
> it believed, the attacker would have to corrupt the time servers for a
> majority of your servers that you have chosen at random.
> Otherwise, the attacker's time stamps would be thrown out of the time
> selection process because it is a divergent time.
>
> I would say then that the possibility of an attacker being able to launch
> a successful attack using this method is therefore quite small.
>
> If someone can demonstrate this is not true, please chime in.

Untrue, because ntp is udp-based and very spoofable. If you control the upstream server, then you can use ntp's builtin authentication functions. These work very well, but they are symmetric-key and have no key-distribution mechanism. (There was a paper somewhere about relaxing the time constraints on Kerberos in a special way which would not threaten Kerberos' security while allowing it to be used to bootstrap NTP, but to my knowledge it has never been implemented, and it depends on kerberos, which is rare, and cross-realm kerberos authentication, which is even rarer.) Ergo, if you do not privately coordinate with the administrator of your upstream NTP server, there is no way to authenticate the time information which you receive from that server.

The expiration of the Diffie-Hellman patent should help this situation, as should the deployment of IPSEC (Todd manages to say with a straight face.)

In the interim, though, there is nothing stopping an attacker from simply forging udp packets and firing them at your firewall, pretending to be from all 6 servers if he likes. Sure, he has to know which servers you are using, but if he has compromised anything betwixt the protected machine and the nearest NAP, then odds are, not only is it easy for him to figure out which servers you're using, but he has access to inserting packets into the network with high-precision time control, higher-precision than the ntp servers themselves. This can allow him to play with the statistical weighting of the various servers and throw you completely off. (This sounds complicated but really isn't.)
So, to answer your question, no, this isn't very secure, and no he doesn't have to compromise half of your upstream servers. He doesn't have to compromise any of your servers. Theoretically he doesn't have to compromise anything, especially if he just wants to deny you the use of ntp to provide accurate time keeping.

This used to be a big deal back when GPS receivers were ${Nx10^3}, but today there is no reason, if you are running clock-sensitive applications, not to buy your own GPS receiver and set yourself up as a stratum-1 server. It's the cleanest solution, it's cheaper than trying to contact some outside administrator to set up an NTP security context betwixt your two machines, it offers perfect security (GPS is even resistant to intentional radio interference), and the drivers for xntpd (along with the rest of the package) are freely available for an absurd number of platforms.

Does anyone have any reports of using GPS receivers? Any suggestions as to which ones are good? news:comp.protocols.ntp might be a good place to dig for info.

If anyone has anything in the way of these suggestions, then please forward them to the list or to me. I'll be happy to make up a HOWTO for anyone interested.
__ Todd Graham Lewis MindSpring Enterprises tlewis@mindspring.com From owner-firewalls-outgoing Tue Apr 8 10:37:08 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA02093 for firewalls-outgoing; Tue, 8 Apr 1997 09:56:22 -0700 (PDT) Received: from wizard.abirnet.co.il ([194.90.211.10]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id JAA02029 for ; Tue, 8 Apr 1997 09:55:57 -0700 (PDT) Received: from ziv.abirnet.co.il (z1.abirnet.co.il [194.90.211.21]) by wizard.abirnet.co.il (8.7.6/8.7.3) with SMTP id TAA03721; Tue, 8 Apr 1997 19:54:36 +0300 Date: Tue, 8 Apr 97 19:57:32 From: Ziv Dascalu Subject: RE: X11 To: firewalls@GreatCircle.COM, Serena Mazzoni X-PRIORITY: 3 (Normal) X-Mailer: Chameleon 5.0, TCP/IP for Windows, NetManage Inc. Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII; X-MAPIEXTENSION=".TXT" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk --- On Tue, 08 Apr 1997 16:05:21 +0200 Serena Mazzoni wrote: >Hi all >does anyone know the port number for X11 protocol? >thanks in advance. >Serena Mazzoni -----------------End of Original Message----------------- TCP 6000-6003 /Ziv /~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\ | A B I R N E T Active Network Protection | \~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~/ /AbirNet provides the next generation in Internet and Intranet Protection\ | AbirNet provides Windows 95 & NT-based software that let's you know | | how your network is being used while protecting it from intrusions | | and abuse using no-network overhead, see-it-all filtering, blocking, | | alerting, logging, and scanning technologies. 
| | | \========== Get an EVALUATION COPY at ===========/ From owner-firewalls-outgoing Tue Apr 8 10:40:00 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA01117 for firewalls-outgoing; Tue, 8 Apr 1997 09:50:41 -0700 (PDT) Received: from vortex.CC.McGill.CA (vortex.CC.McGill.CA [132.206.27.3]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id JAA01051 for ; Tue, 8 Apr 1997 09:50:26 -0700 (PDT) Received: from localhost (quan@localhost) by vortex.CC.McGill.CA (8.8.5/8.6.6) with SMTP id MAA11354; Tue, 8 Apr 1997 12:48:17 -0400 (EDT) Date: Tue, 8 Apr 1997 12:48:17 -0400 (EDT) From: Quan Nguyen To: Deric Giles cc: "'Firewalls@GreatCircle.com'" Subject: Re: Router bottlenecks in ATM network? In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Tue, 8 Apr 1997, Deric Giles wrote: > I like the idea of an extra layer of security in the screened subnet > architecture for a firewall as described in Brent's book. This works > fine while we have an Ethernet internal network and a slowish Internet > connection. However in the near future our site is likely to be > connected to a MAN running at maybe 155Mb/sec and our internal network > upgraded to ATM at a similar speed. Having two routers in the path > acting at layer 3 now seem to pose a bottleneck. How can I maintain the > benefits from the speed upgrades without compromising security? The > only (partial) solution I can see is to merge the two routers but this > then makes the site vulnerable to the compromise of a single router. > Any ideas? I believe router vendors are developing next generation routers which can almost route at wire-speed while maintaining layer three filtering functionality. Check out the "netflow switching" with Cisco routers. 
Quan, ----------------Quan Nguyen-------------McGill UNIVERSITY--------------- -o Voice (514)398-3709 Computing Center (Burnside Hall) ()/// FAX (514)398-6876 805 Sherbrooke St West, Rm 222 quan@CC.McGill.CA Montreal, Quebec H3A 2K6 From owner-firewalls-outgoing Tue Apr 8 10:51:49 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA09788 for firewalls-outgoing; Tue, 8 Apr 1997 10:47:31 -0700 (PDT) Received: from gemcon.com (DNS2.GEMCON.COM [205.223.239.35]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id KAA09780 for ; Tue, 8 Apr 1997 10:47:19 -0700 (PDT) Received: by dns2.gemcon.com id <55326>; Tue, 8 Apr 1997 13:48:44 -0400 From: "Webb, Dean" To: Harry Munir Behrens Cc: Firewalls@GreatCircle.COM Subject: RE: Electronic Commecre For European retailers Date: Tue, 8 Apr 1997 13:46:21 -0400 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1457.3) Content-Type: text/plain Message-Id: <97Apr8.134844edt.55326@dns2.gemcon.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Eurocommerce is legit. Check out http://www.eurocommerce.be/ehome.htm for further info. I hope no-one's feathers are too ruffled to calm down over this gaffe. I would not want this to become an off-topic, but I feel some defense is in order, here. Look before you leap, Dean Webb > -----Original Message----- > From: Harry Munir Behrens [SMTP:behrens@mtl.t.u-tokyo.ac.jp] > Sent: Tuesday, April 08, 1997 9:33 AM > To: David Churchill-Saunders > Cc: Firewalls@GreatCircle.COM > Subject: Re: Electronic Commecre For European retailers > > > > > This is in reference to a mail by Mr. David Churchill-Saunders > who claims to be working for Eurocommerce (????) > and doesn't even know how to spell it! (see Subject:) > This seems a classic beginner approach at what's called > "social engineering". 
> As such it might have relevance to a mailing list, that deals with > technologies for firewalls and computer security :-) > > ---------Begin quote------- > I am working for an organisation called Eurocommerce. > > Eurocommerce was founded five years ago by all the top multiple outlet > retailers in the > member countries of the European Union. (Companies like Sears, Marks & > Spencer, Sainsbury etc). Our 5000 members represent some 85% of the > European retail market. > > We were founded to act as their official information provider relating > to > all aspects of IT & Electronic Commerce. > .... > ---------End Quote--------- > > Anybody who has lived in Europe and knows the mechanisms by which > the EU moves would immediately doubt this! > > Harry "Munir Basha" Behrens Tel.: +81-3-3814-4251 #6707 > (lab) > PhD candidate +81-3-5243-6099 (home) > Tanaka Lab > Dept. of Electrical Engineering e-mail: > behrens@mtl.t.u-tokyo.ac.jp > University of Tokyo Harry@Behrens.com > > Public PGP key = `finger behrens@mtl.t.u-tokyo.ac.jp` From owner-firewalls-outgoing Tue Apr 8 11:09:26 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA09426 for firewalls-outgoing; Tue, 8 Apr 1997 10:45:10 -0700 (PDT) Received: from lammashta.oai.org (lammashta.oai.org [199.218.110.11]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id KAA09379 for ; Tue, 8 Apr 1997 10:44:56 -0700 (PDT) Received: (from fsgreen@localhost) by lammashta.oai.org (8.8.5/8.8.5) id NAA04018; Tue, 8 Apr 1997 13:49:16 -0400 (EDT) Date: Tue, 8 Apr 1997 13:49:15 -0400 (EDT) From: Doug Greenwald To: Firewalls Mailing List Subject: OAI - NAT problem - solaris 2.5.1 based firewall-1 system Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk howdy, i've been through everything i can find to read and i have a bizarre (to me) problems with NAT. 
here's the details of how everything is connected: firewall is a sparc 5 (solaris 2.5.1). le0 is connected to a 4 port hub (External-Hub). le1 is connected to a 16 port hub (Internal-Hub). le2 is connected to a switch (DMZ-Switch). le0: 199.218.110.2 netmask 255.255.255.0 le1: 172.16.1.1 netmask 255.255.255.0 le2: 172.16.2.1 netmask 255.255.255.0 all interfaces sharing le0's ethernet address: 8:0:20:82:d:6b powerbook (PB) is connected to the External-Hub: 199.218.110.252, default route set to 199.218.110.2 sgi (SGI) is connected to the Internal-Hub: 172.16.1.32, default route set to 172.16.1.1 among other network objects, i've defined: ISC: 172.16.1.32, host, internal, automatic address translate (method static, address 199.218.110.240) on the firewall i've got: route add 199.218.110.240 172.16.1.32 1 arp -s 199.218.110.240 8:0:20:82:d:6b pub connecting from PB to SGI using 172.16.1.32 works fine connecting from PB to SGI using 199.218.110.240 gets me a connection refused on the powerbook i've got my fwlog configured to display (in order, left to right): interface, origin, type, action, service, source, destination, protocol, rule, s_port, xlatesrc, xlatedst, info when the PB gets a connection refused, i get the following 2 entries in the firewall log: 1) inbound le0, 199.218.110.2, log, accept, telnet, 199.218.110.252, 199.218.110.240, tcp, 2, 2094, 199.218.110.252, 172.16.1.32, len 48 2) outbound le1, 199.218.110.2, log, reject, telnet, 199.218.110.252, 199.218.110.240, tcp, 0, 2094, 199.218.110.252, 172.16.1.32, len 48 the only address translation rules i have are for the SGI and are autogenerated (i'm running version 3). so i ran "snoop arp" while doing this and got 2 entries when i tried to telnet from the PB to the SGI using 199.218.110.240: 1) PB-ExtTest.oai.org -> (broadcast) ARP C Who is 199.218.110.240, isc-xl.oai.org? 2) isc-xl.oai.org -> PB-ExtTest.oai.org ARP R 199.218.110.240, isc-xl.oai.org is 8:0:20:82:d:6b so the arp entry seems to be working. 
if i turn off spoof checking on all interfaces, the reject log entry doesn't show up, but the connection isn't made. spoof setting for the firewall: le0: valid addresses: other le1: valid addresses: this net le2: valid addresses: this net whenever i'm in the interface properties and click OK, it tells me "Warning: IP address overlaps mask" - should i be concerned? i also can't get any address translation menus when i've got an Address Range or Network object open (i select the Address Translation tab and get a blank screen). pointers to more info for me to read or answers appreciated :-) doug. Doug Greenwald DougGreenwald@oai.org Internet Information Systems Manager (216) 962 3145 Ohio Aerospace Institute ICOMP - NASA Lewis Research Center http://www.oai.org/ http://www.lerc.nasa.gov/ From owner-firewalls-outgoing Tue Apr 8 11:15:32 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA26291 for firewalls-outgoing; Tue, 8 Apr 1997 09:27:49 -0700 (PDT) Received: from typhoon.dial.pipex.net (typhoon.dial.pipex.net [158.43.128.27]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id JAA26086 for ; Tue, 8 Apr 1997 09:27:08 -0700 (PDT) Received: from ac093.du.pipex.com (193.130.242.93) by typhoon.dial.pipex.net (8.8.2/UUNET PIPEX simple 1.29) id RAA08252; Tue, 8 Apr 1997 17:25:33 +0100 (BST) Message-ID: <334A7165.17BF@dial.pipex.com> Date: Tue, 08 Apr 1997 16:25:09 +0000 From: David Churchill-Saunders Organization: EuroCommerce X-Mailer: Mozilla 2.02 (Win16; I) MIME-Version: 1.0 To: Kevin Brown CC: Firewalls@GreatCircle.COM Subject: Re: Electronic Commecre For European retailers References: <332279BA.349B@tla.ch> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Kevin Brown wrote: > > Is he David Churchill or Adam Barnett? Or a waste of time? > > Two different names, one email account. What is the scam here? 
> > Kevin > > At 15:39 +0300 8/4/97, David Churchill-Saunders wrote: > > Date: Tue, 08 Apr 1997 12:39:25 +0000 > > >>>>>>>>>From: David Churchill-Saunders > > Organization: EuroCommerce > MIME-Version: 1.0 > To: Firewalls@GreatCircle.COM > Subject: Electronic Commecre For European retailers > Sender: firewalls-owner@GreatCircle.COM > Precedence: bulk>Attn: Vice President International Marketing & Sales > > > >Dear Sir, > > > >I am working for an organisation called Eurocommerce. > > > >Eurocommerce was founded five years ago by all the top multiple outlet > >retailers in the > >member countries of the European Union. (Companies like Sears, Marks & > >Spencer, Sainsbury etc). Our 5000 members represent some 85% of the > >European retail market. > > > >We were founded to act as their official information provider relating to > >all aspects of IT & Electronic Commerce. > > > >We are currently advising them on the setting up of web sites for on-line > >home shopping > >and most importantly how to go about securing payment transactions over > >the internet. > > > >We are looking for companies/solution providers in the following areas: > >secure > >electronic transactions, digital cash, micro payments, smart cards, > >credit card based > >transaction technology as well web site design and hosting - server > >hardware/ software etc). > > > >If this is of interest to you please could you contact me by return of > >e-mail with your > >contact details and I will be in touch to discuss the project further. > > > >Best regards, > > > >David Churchill-Saunders > >Project Director > > and before : > Date: Wed, 12 Feb 1997 08:20:42 +0000 > > >>>>>>>>>>From: hf85 > > Organization: Royal Academy Of Engineering > MIME-Version: 1.0 > To: firewalls@GreatCircle.COM > Subject: Firewall vendors please read! 
> Sender: firewalls-owner@GreatCircle.COM > Precedence: bulk > > Hi there, > > I am working on the 'Get Connected' initiative for the G7 Health > Programme - this is the setting up of intranets for the top 1000 primary > hospitals in Europe and then connecting these together to form a Virtual > Private Network for healthcare industry in Europe. > > We are looking for IT security companies in this market place > (Firewalls, data encryption, access control etc) as well as consultants > who have done this work in USA/CAnada. > > I can be contacted on: +44-171-206-0259 > > Await to hear. > > Adam Barnett > Royal Academy of Engineering > > //////////////////////////////////////////////////////////// > Kevin Brown | N \ We operate in Ireland, UK > NetComm | e / and the Middle East > Internet Training, | t \ --DUBAI-- > Consultancy and Networking | C / Voice: +971-4-491476 > | o \ Fax: +971-4-492957 > Sun Microsystems | m / > Internet Associate | m \ > | / > The Internet | \ email: kevinbr@netcomm.ie > Experts | / info@netcomm.ie > | \ http://www.netcomm.ie > > \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ Mr Barnett works about ten yards away in the next office for the Royal Academy Of Engineering we are a government concern sharing the same e-mail address, it was in fact Mr Barnett that let me know the benefits of seeking advice from the mailing list. 
We prepare references on IT for many different Government institutions including: Royal Academy, Interpol, Commonwealth Secretariat, English Tourist Board, From owner-firewalls-outgoing Tue Apr 8 12:29:08 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA21112 for firewalls-outgoing; Tue, 8 Apr 1997 11:48:32 -0700 (PDT) Received: from gatekeeper.Bridge.COM (gatekeeper.bridge.com [167.76.159.11]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id LAA21043 for ; Tue, 8 Apr 1997 11:48:17 -0700 (PDT) Received: (from mailproxy@localhost) by gatekeeper.Bridge.COM (8.6.12/8.6.9) id NAA28764; Tue, 8 Apr 1997 13:39:41 -0500 Received: from dns1srv.bridge.com(167.76.36.6) by gatekeeper.Bridge.COM via smap (V1.3) id sma028762; Tue Apr 8 13:39:39 1997 Received: from ignatz (ignatz.bridge.com [167.76.24.6]) by dns1srv.bridge.com (8.7.6/8.7.3) with SMTP id NAA14540; Tue, 8 Apr 1997 13:46:59 -0500 (CDT) Date: Tue, 8 Apr 1997 13:46:57 -0500 (CDT) From: Ken Hardy X-Sender: ken@ignatz To: Scott Fagg cc: firewalls@GreatCircle.COM Subject: Re: POP proxy availability - part 2 In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Anyone considering letting POP3 or IMAP through the firewall, especially inwards, should be aware of the popd and imapd vulnerabilities in a recent CERT advisory: ftp://info.cert.org/pub/cert_advisories/CA-97.09.imap_pop On Mon, 7 Apr 1997, Scott Fagg wrote: > Based on the responses i got from my first post and some searching > i did, it seems that there are a number of POP proxy solutions. > > I've tried one and have another to try later today. > > This brings up the next question. > > If i do install a POP proxy, controlled by tcpd, netacl or some > other wrapper, once the daemon has started, how long does it hang > around? 
(i guess ps would answer that) and if it does hang around, > would this mean that the control that tcpd/netacl had in > starting it would be lost (ie any one can connect) My assumption > is that it would, but this seems a little bit too 'open'? > > regards, > > > > From owner-firewalls-outgoing Tue Apr 8 12:29:15 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA21236 for firewalls-outgoing; Tue, 8 Apr 1997 11:49:14 -0700 (PDT) Received: from noah.mtl.t.u-tokyo.ac.jp (noah.mtl.t.u-tokyo.ac.jp [133.11.96.7]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id LAA21201 for ; Tue, 8 Apr 1997 11:48:59 -0700 (PDT) Received: from mtl.t.u-tokyo.ac.jp by noah.mtl.t.u-tokyo.ac.jp (8.6.9+2.4W/3.3W/mtl1.3) with ESMTP id SAA01991; Tue, 8 Apr 1997 18:47:18 GMT Message-Id: <199704081847.SAA01991@noah.mtl.t.u-tokyo.ac.jp> To: "Webb, Dean" cc: Firewalls@greatcircle.com Subject: Re: Electronic Commecre For European retailers In-reply-to: Your message of "Tue, 08 Apr 1997 13:46:21 -0400." <97Apr8.134838edt.55324@dns2.gemcon.com> Date: Wed, 09 Apr 1997 03:47:15 +0900 From: Harry Munir Behrens Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I do not doubt the existence of an organisation called Eurocommerce. What I do doubt - and I think a previous mail by Kevin Brown affirms my suspicions - is the legitimacy of Mr. David Churchill-Saunders and his claims to be part of an organisation that claims to have been ---begin quote------- ... founded to act as their official information provider relating to all aspects of IT & Electronic Commerce. ----end quote--------- >>>>> "Webb," == Webb, Dean writes: Webb,> Eurocommerce is legit. Check out Webb,> http://www.eurocommerce.be/ehome.htm for further info. I Webb,> hope no-one's feathers are too ruffled to calm down over Webb,> this gaffe. I would not want this to become an off-topic, Webb,> but I feel some defense is in order, here. 
Webb,> Look before you leap, Dean Webb Noble as your defense may be: this one's not worth it. Harry "Munir Basha" Behrens Tel.: +81-3-3814-4251 #6707 (lab) PhD candidate +81-3-5243-6099 (home) Tanaka Lab Dept. of Electrical Engineering e-mail: behrens@mtl.t.u-tokyo.ac.jp University of Tokyo Harry@Behrens.com Public PGP key = `finger behrens@mtl.t.u-tokyo.ac.jp` From owner-firewalls-outgoing Tue Apr 8 12:36:53 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA23255 for firewalls-outgoing; Tue, 8 Apr 1997 11:58:56 -0700 (PDT) Received: from oxygen.house.gov (oxygen.house.gov [137.18.128.6]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id LAA23224 for ; Tue, 8 Apr 1997 11:58:44 -0700 (PDT) Received: by oxygen.house.gov (AIX 3.2/UCB 5.64/4.03) id AA63120; Tue, 8 Apr 1997 14:52:08 -0400 Date: Tue, 8 Apr 1997 14:52:08 -0400 From: johns@oxygen.house.gov (John Schnizlein) Message-Id: <9704081852.AA63120@oxygen.house.gov> To: Firewalls@GreatCircle.com, d.r.giles@hud.ac.uk Subject: Re: Router bottlenecks in ATM network? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk From: Deric Giles Date: Tue, 8 Apr 1997 16:44:10 +0100 I like the idea of an extra layer of security in the screened subnet architecture for a firewall as described in Brent's book. This works fine while we have an Ethernet internal network and a slowish Internet connection. However in the near future our site is likely to be connected to a MAN running at maybe 155Mb/sec and our internal network upgraded to ATM at a similar speed. Having two routers in the path acting at layer 3 now seem to pose a bottleneck. Two routers in the path instead of one is a difference of just one router hop in your connection to how many router hops between yours and the other end of any communication over the Internet? If you use routers capable of 155 Mbps, I cannot see that you would have introduced a noticeable problem. 
You should never consider loss of control of a router in your critical data path as a reasonable part of your network design. I suggest you invest in strong protection for the Internet router, if not for your own good, for the rest of us. I assume you have already blocked outgoing packets without valid source addresses. Where your security policy permits access that cannot be implemented with packet screens, which is why you might have hosts on the screened subnet, consider a really fast firewall application proxy that can support multiple fast (100 Mbps) ethernets. (not intended as a trawl for firewall advertizing) While you are designing your next-generation Internet perimeter, you might want to consider putting your screened subnet out of the path that most traffic takes to/from the Internet. The down-side of any sacrificial host on the screened subnet is that it could be used as a packet sniffing (sorry Network General) spy on the rest of the traffic. Just an extra round trip through the screening router for the portion of traffic that needs proxy help could help isolate the hosts at risk from the traffic that doesn't need the proxy. I am sure you earned the envy of most of us on this list by bragging that you will have 155 Mbps Internet access "in the near future". Congratulations. 
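The egress check that the message above assumes ("blocked outgoing packets without valid source addresses"), sketched as an added example that is not part of the original thread. The site prefixes and sample packets are constructed from documentation address ranges, and `egress_verdict` and `audit_outgoing` are hypothetical names.

```python
import ipaddress

# Constructed site layout (assumption): documentation prefixes stand in for
# the address blocks the site actually owns.
SITE_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),     # internal network as seen outside
    ipaddress.ip_network("198.51.100.0/25"),  # screened subnet hosts
]

LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def egress_verdict(src, site_prefixes=SITE_PREFIXES):
    """Decide whether a packet leaving the site carries a valid source address.

    Returns a tuple ("pass" | "drop", reason).
    """
    try:
        addr = ipaddress.IPv4Address(src)
    except ValueError:
        return ("drop", "malformed source address")

    # Addresses that are never valid as the source of a routed packet.
    if addr.is_unspecified:
        return ("drop", "unspecified source 0.0.0.0")
    if addr.is_loopback:
        return ("drop", "loopback source")
    if addr.is_multicast:
        return ("drop", "multicast source")
    if addr == LIMITED_BROADCAST:
        return ("drop", "broadcast source")

    for net in site_prefixes:
        if addr in net:
            # The network and directed-broadcast addresses of our own
            # prefix do not belong to any host.
            if addr in (net.network_address, net.broadcast_address):
                return ("drop", "network or broadcast address of " + str(net))
            return ("pass", "source inside " + str(net))

    # Anything else is spoofed or a leaked internal-only address.
    return ("drop", "source outside site prefixes")


def audit_outgoing(packets, site_prefixes=SITE_PREFIXES):
    """Return (src, dst, reason) for every packet the filter would drop."""
    dropped = []
    for src, dst in packets:
        verdict, reason = egress_verdict(src, site_prefixes)
        if verdict == "drop":
            dropped.append((src, dst, reason))
    return dropped


# Constructed sample of outgoing packets as (source, destination) pairs.
SAMPLE_PACKETS = [
    ("192.0.2.10", "203.0.113.5"),      # internal host, valid
    ("198.51.100.20", "203.0.113.5"),   # screened-subnet host, valid
    ("10.1.2.3", "203.0.113.5"),        # private address leaking out
    ("198.51.100.200", "203.0.113.5"),  # just past the /25, not ours
    ("192.0.2.255", "203.0.113.5"),     # directed broadcast of our prefix
    ("0.0.0.0", "203.0.113.5"),         # unspecified source
    ("203.0.113.77", "203.0.113.5"),    # someone else's address
]

if __name__ == "__main__":
    for src, dst, reason in audit_outgoing(SAMPLE_PACKETS):
        print("drop %-15s -> %-12s %s" % (src, dst, reason))
```
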
From owner-firewalls-outgoing Tue Apr 8 13:53:23 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA00324 for firewalls-outgoing; Tue, 8 Apr 1997 12:44:44 -0700 (PDT) Received: from onshore.com (irc.onShore.com [206.69.88.1]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id MAA00296 for ; Tue, 8 Apr 1997 12:44:35 -0700 (PDT) Received: from [206.69.90.196] (tofu.onShore.com [206.69.90.196]) by onshore.com (8.8.5/8.7.3) with ESMTP id OAA21450 for ; Tue, 8 Apr 1997 14:43:37 -0500 Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 8 Apr 1997 14:45:57 -0500 To: firewalls@GreatCircle.COM From: Stelios Valavanis Subject: chicago Sender: firewalls-owner@GreatCircle.COM Precedence: bulk any of you firewall list people in chicago interested in doing some unix and security consulting here? ___________________________________________________ stel valavanis stel@onShore.com http://www.onShore.com/ From owner-firewalls-outgoing Tue Apr 8 14:06:20 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA15590 for firewalls-outgoing; Tue, 8 Apr 1997 11:19:49 -0700 (PDT) Received: from mail.diginsite.com (mail.diginsite.com [208.2.189.2]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id LAA15563 for ; Tue, 8 Apr 1997 11:19:37 -0700 (PDT) Received: from march.diginsite.com by mail.diginsite.com (AIX 3.2/UCB 5.64/4.03) id AA02320; Tue, 8 Apr 1997 11:16:17 -0700 Message-Id: <9704081816.AA02320@mail.diginsite.com> From: "David Lang" To: , "Serena Mazzoni" Subject: Re: X11 Date: Tue, 8 Apr 1997 11:18:46 -0700 X-Msmail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1155 Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk source port 6000+n where n is the screen number. 
David Lang ---------- > From: Serena Mazzoni > To: firewalls@greatcircle.com > Subject: X11 > Date: Tuesday, April 08, 1997 7:05 AM > > Hi all > does anyone know the port number for X11 protocol? > thanks in advance. > Serena Mazzoni > From owner-firewalls-outgoing Tue Apr 8 14:14:59 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA14887 for firewalls-outgoing; Tue, 8 Apr 1997 11:16:26 -0700 (PDT) Received: from mail.diginsite.com (mail.diginsite.com [208.2.189.2]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id LAA14822 for ; Tue, 8 Apr 1997 11:16:06 -0700 (PDT) Received: from march.diginsite.com by mail.diginsite.com (AIX 3.2/UCB 5.64/4.03) id AA10468; Tue, 8 Apr 1997 11:13:15 -0700 Message-Id: <9704081813.AA10468@mail.diginsite.com> From: "David Lang" To: Subject: problems with packet filtering in Linux Date: Tue, 8 Apr 1997 11:15:45 -0700 X-Msmail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1155 Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I am attempting to filter icmp packets using linux. I have the ip firewalling and ip forwarding turned on in the kernel. I am able to configure the ip filters for udp and tcp without a problem but when I try and shut off ping from the outside world to my firewall it keeps working. any suggestions? 
David Lang From owner-firewalls-outgoing Tue Apr 8 14:30:24 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA01727 for firewalls-outgoing; Tue, 8 Apr 1997 12:54:49 -0700 (PDT) Received: from upsmot05 ([204.95.110.87]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id MAA01627 for ; Tue, 8 Apr 1997 12:54:27 -0700 (PDT) Received: from upmajb06 ([204.95.110.89]) by upsmot05 (8.6.8.1/Configuration 4) with SMTP id MAA12179 for ; Tue, 8 Apr 1997 12:52:11 -0700 Date: Tue, 8 Apr 97 19:55:38 UT From: "Stéphane Routhier" Message-Id: To: firewalls@GreatCircle.COM Subject: Your opinion on... Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello everybody, I'm presently doing an evaluation of firewall products for Bombardier Inc. and I will appreciate a bit of help from you. I'm trying to establish the degree of confidence on each company we're looking. I will like if you can send me your degree of confidence on one of the firewall company that you're or had make business with in the list that follow : CheckPoint Software Cisco Systems Cyberguard Corp. Raptor Systems Trusted Informations Systems Sun Corporation Secure Computing Corporation Milkyway Networks Interceptor Firewalls For sure if you can join an explanation it will be please. Best regards S. 
Routhier StephRouthier@MSN.com Security Consultant From owner-firewalls-outgoing Tue Apr 8 14:34:29 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA10870 for firewalls-outgoing; Tue, 8 Apr 1997 07:53:20 -0700 (PDT) Received: from pdx1.world.net (pdx1.world.net [192.243.32.18]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id HAA10832 for ; Tue, 8 Apr 1997 07:53:09 -0700 (PDT) Received: from suburbia.net (suburbia.net [203.4.184.1]) by pdx1.world.net (8.7.5/8.7.3) with SMTP id HAA16674 for ; Tue, 8 Apr 1997 07:54:20 -0700 (PDT) Received: (qmail 29669 invoked by uid 110); 8 Apr 1997 14:51:18 -0000 MBOX-Line: From best-of-security-request@suburbia.net Tue Apr 8 23:18:15 1997 remote from suburbia.net Received: (from list@localhost) by suburbia.net (8.8.4/8.8.4) id XAA27423 for proff@suburbia.net; Tue, 8 Apr 1997 23:18:15 +1000 (EST) Received: (qmail 27411 invoked from network); 8 Apr 1997 13:18:08 -0000 Received: from dsainc.com (205.197.248.139) by suburbia.net with SMTP; 8 Apr 1997 13:18:08 -0000 Received: from picard.dsainc.com (dsainc.com [205.197.248.139]) by dsainc.com (8.6.12/8.6.12) with ESMTP id JAA04941 for ; Tue, 8 Apr 1997 09:17:55 -0400 Message-ID: <334A4491.15F8@dsainc.com> Date: Tue, 08 Apr 1997 09:13:53 -0400 From: Skip Harborth Reply-To: harborts@dsainc.com Organization: Data Systems Analysts, Inc. X-Mailer: Mozilla 4.0b2 (Win95; I) MIME-Version: 1.0 To: Best of Security Subject: Patrol X-Priority: 3 (Normal) Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Has anybody ever used a network management package called "Patrol"? I'm working on a network where one of the integrators wants to implement this system and it appears there are some security implications but no one really has any experience in using this package. Any help would be greatly appreciated. 
Skip Harborth Security Engineer Data Systems Analysts, Inc. harborts@dsainc.com From owner-firewalls-outgoing Tue Apr 8 14:41:21 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA05943 for firewalls-outgoing; Tue, 8 Apr 1997 13:25:23 -0700 (PDT) Received: from relay1.shore.net (relay1.shore.net [192.233.85.129]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id NAA05927 for ; Tue, 8 Apr 1997 13:25:14 -0700 (PDT) Received: from th.net (phuket.shore.net [204.167.98.29]) by relay1.shore.net (8.8.3/8.8.3) with SMTP id QAA15477; Tue, 8 Apr 1997 16:24:03 -0400 (EDT) Received: by th.net (SMI-8.6/SMI-SVR4) id QAA05572; Tue, 8 Apr 1997 16:31:12 -0400 From: james@mail.th.net (James Triplett) Message-Id: <199704082031.QAA05572@th.net> Subject: Re: sniffer! To: jdelgado@nexus.net.mx (Jose Luis Delgado) Date: Tue, 8 Apr 1997 16:31:11 -0400 (EDT) Cc: firewalls@greatcircle.com In-Reply-To: from "Jose Luis Delgado" at Mar 3, 97 05:59:57 pm X-Mailer: ELM [version 2.4 PL24jt] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I use a program called OBSERVER from Network Instruments. It cost $300-$600, and runs on NT4.0 just fine. My only concern is that it is too heavily focused on MAC layer addresses, rather than the IP addresses we use most frequently. Try www.netinst.com [I have no connection with them, just a satisfied user...] 
----james From owner-firewalls-outgoing Tue Apr 8 14:53:10 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA10528 for firewalls-outgoing; Tue, 8 Apr 1997 14:12:53 -0700 (PDT) Received: from runabout.igt.com (runabout.igt.com [206.142.15.96]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id OAA10512 for ; Tue, 8 Apr 1997 14:12:42 -0700 (PDT) Received: (from srini@localhost) by runabout.igt.com (8.7.5/8.7.3) id RAA04093; Tue, 8 Apr 1997 17:11:35 -0400 Message-Id: <199704082111.RAA04093@runabout.igt.com> Subject: Re : Router bottlenecks in ATM network? To: Firewalls@GreatCircle.COM Date: Tue, 8 Apr 1997 17:11:34 -0400 (EDT) Cc: d.r.giles@hud.ac.uk From: srini@igt.com (Srini Seetharam) Reply-to: srini@igt.com (Srini Seetharam) X-Mailer: ELM [version 2.4 PL25] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Deric Giles writes : >connection. However in the near future our site is likely to be >connected to a MAN running at maybe 155Mb/sec and our internal network >upgraded to ATM at a similar speed. Having two routers in the path >acting at layer 3 now seem to pose a bottleneck. How can I maintain the >benefits from the speed upgrades without compromising security? The >only (partial) solution I can see is to merge the two routers but this Various networking companies are developing next generation router technology that in many instances is geared towards ATM. These routers will perform at wire speeds around 600Mbps and maybe even beyond. It is sometimes referred to as the BFR (Big Fast/F...ing/Fat Router). IPsilon already has a solution that works at least with 155mbps ATM, maybe higher. Others may have a solution today as well. We, at IgT, design chips and software for ATM networks. 
We are pursuing this goal of having a solution to this problem with the bulk of the routing and "Flow detection" at wire speeds being done in a single chip. And to add a point that is interesting to the firewall community, just about all the schemes of flow detection have inherent packet filtering capabilities built in to them. In addition, the software that goes along with these devices can be used to be a basis for firewalling software running with these fast router accelerators. srini -- ------------------------------------------------------------------------ IgT Srini W. Seetharam | ------------------------ Integrated Telecom Technology (IgT), | | __ __ | 18310 Montgomery Village Ave, Suite 300 | |__| |__ __| |____| Gaithersburg Maryland 20879 | | |__| | Tel: 301.990.9890 | | | Fax: 301.990.9893 | ------------------------ Web: http://www.igt.com/ | Net: srini@igt.com | ------------------------------------------------------------------------| Expressed opinions may not be mine and not necessarily be those of IgT. 
| ------------------------------------------------------------------------| Linux : The choice of the GNU Generation | ------------------------------------------------------------------------ From owner-firewalls-outgoing Tue Apr 8 15:21:45 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA15232 for firewalls-outgoing; Tue, 8 Apr 1997 14:51:20 -0700 (PDT) Received: from mail.ka.inka.de (quechua.inka.de [193.197.84.5]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id OAA15141 for ; Tue, 8 Apr 1997 14:51:00 -0700 (PDT) Received: from uu.inka.de ([193.197.84.8]) by mail.ka.inka.de with smtp (ident root using rfc1413) id m0wEili-0004H4C (Debian Smail-3.2 1996-Jul-4 #2); Tue, 8 Apr 1997 23:49:34 +0200 (MET DST) Received: from lina.inka.de (lists@lina.inka.de) by uu.inka.de with bsmtp (S3.1.29.1) id ; Tue, 8 Apr 97 23:49 MET DST Received: by lina.inka.de id m0wEicY-00016qC (Debian Smail-3.2 1996-Jul-4 #2); Tue, 8 Apr 1997 23:39:46 +0200 (CEST) Message-Id: Date: Tue, 8 Apr 1997 23:39:46 +0200 From: Bernd Eckenfels To: Chris Kostick Cc: Gilles Lorphelin , firewalls@greatcircle.com Subject: Re: Freeware that support NAT ? References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.67 In-Reply-To: ; from Chris Kostick on Tue, Apr 08, 1997 at 09:08:45AM -0400 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > > Go to http://sunsite.unc.edu/linux and read the IP Masquerade HOWTO. > > > > But How can somebody call me if I'm masqueraded ? > > You mean make a connection to you? You can't do it with Masquerading, > strictly > speaking. You could use other utilities to help redirect connections to > internal machines. None of them however, are as flexible as a true NAT > environment. Kernels 2.1.x (with large X) support NAT as a flag in the routing table. This will be a full featured NAT in the future. Greetings Bernd -- (OO) -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de -- ( .. 
) ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/ o--o *plush* 2048/93600EFD eckes@irc +4972573817 BE5-RIPE (O____O) If privacy is outlawed only Outlaws have privacy From owner-firewalls-outgoing Tue Apr 8 16:49:25 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id PAA19111 for firewalls-outgoing; Tue, 8 Apr 1997 15:18:12 -0700 (PDT) Received: from Milpitas01.POP.InterNex.Net (milpitas01.pop.InterNex.Net [205.158.3.66]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id PAA19061 for ; Tue, 8 Apr 1997 15:17:56 -0700 (PDT) Received: from mail.kansmen.com ([205.158.201.194]) by Milpitas01.POP.InterNex.Net (post.office MTA v1.9.3 ID# 0-11027) with ESMTP id AAA24902 for ; Tue, 8 Apr 1997 15:16:37 -0700 Received: from K1/SpoolDir by mail.kansmen.com (Mercury 1.31); 8 Apr 97 15:17:59 -0800 Received: from SpoolDir by K1 (Mercury 1.31); 8 Apr 97 15:17:35 -0800 From: "Jens Andersen" Organization: Kansmen Corp. To: firewalls@greatcircle.com Date: Tue, 8 Apr 1997 15:17:26 -0800 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Product announcement: LittleBrother X-mailer: Pegasus Mail for Windows (v2.53/R1) Message-ID: <8C23760989@mail.kansmen.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Monitoring Internet and local traffic just got easier. Kansmen LittleBrother is a traffic monitoring and managing application for TCP/IP, IPX and AppleTalk networks. Unlike LANalyzer, NetXRay and TCPDUMP which allow user to view several seconds worth of traffic in their raw form, LittleBrother monitors all network connections and saves them into a database for later reporting, as well as resolves addresses into computer/site/newsgroup names. The Professional Edition also allows selective rule-based blocking of specific sites, newsgroups, protocols, IP addresses or users. Platform: WinNT or Win95 with TCP/IP installed. 
Hardware: Pentium-100 with 32MB, single Ethernet card. Installation: under 3 minutes. Will monitor/block UNIX, Apple or DOS-based computers. Free Evaluation: http://www.kansmen.com or klbeval@kansmen.com If you would like to know more about LittleBrother capabilities, or would like to comment on evaluation version, please visit our Web site or send e-mail to info@kansmen.com. Jens Andersen From owner-firewalls-outgoing Tue Apr 8 17:29:15 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id QAA29778 for firewalls-outgoing; Tue, 8 Apr 1997 16:48:00 -0700 (PDT) Received: from delta.ece.nwu.edu (delta.ece.nwu.edu [129.105.5.103]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id QAA29735 for ; Tue, 8 Apr 1997 16:47:37 -0700 (PDT) Received: (from bonomi@localhost) by delta.ece.nwu.edu (8.8.5/8.8.3) id SAA14545; Tue, 8 Apr 1997 18:46:13 -0500 (CDT) Date: Tue, 8 Apr 1997 18:46:13 -0500 (CDT) From: Robert Bonomi Message-Id: <199704082346.SAA14545@delta.ece.nwu.edu> To: firewalls@GreatCircle.COM, stel@onshore.com Subject: Re: chicago Sender: firewalls-owner@GreatCircle.COM Precedence: bulk + Date: Tue, 8 Apr 1997 14:45:57 -0500 + To: firewalls@GreatCircle.COM + From: Stelios Valavanis + Subject: chicago + + any of you firewall list people in chicago interested in doing some unix and + security consulting here? + In chicago, and available. 25+ years experience w/ computers, 15+ w/unix. I won't claim to be a security 'guru', my 'claim to fame' in that area is being one of the people Cheswick supplied a late pre-publication _draft_ of "Firewalls..", for comment and feedback. 

From owner-firewalls-outgoing Tue Apr 8 18:08:53 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id QAA29263 for firewalls-outgoing; Tue, 8 Apr 1997 16:43:24 -0700 (PDT)
Received: from scifi.squawk.com (scifi.squawk.com [199.74.151.1]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id QAA29210 for ; Tue, 8 Apr 1997 16:43:06 -0700 (PDT)
Received: from localhost (njs@localhost) by scifi.squawk.com (8.8.5/8.8.5) with SMTP id TAA31122; Tue, 8 Apr 1997 19:38:10 -0400
Date: Tue, 8 Apr 1997 19:38:10 -0400 (EDT)
From: Nick Simicich
X-Sender: njs@scifi
To: Todd Graham Lewis
cc: Arley Carter , "firewalls(a)greatcircle.com"
Subject: Re: xntpd and gauntlet 3.2
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 8 Apr 1997, Todd Graham Lewis wrote:

> Does anyone have any reports of using GPS receivers? Any suggestions as
> to which ones are good? news:comp.protocols.ntp might be a good place to
> dig for info. If anyone has anything in the way of these suggestions,
> then please forward them to the list or to me. I'll be happy to make up a
> HOWTO for anyone interested.

GPS receivers would seem to be accurate time sources - they have to solve for time to determine position, and that time has to be quite accurate. Because they are (mostly) mobile, they would seem to be ideal time sources for TSD rallyists, where scores are based on hundredths of a minute.

At least one rallyist tested GPS receivers and discovered that they were not reliable time sources. The time displayed on the front and reported to the serial connections differed by several seconds after only a relatively short time. If you are interested, I suggest that you check the archives of the rally-l list at http://scifi.squawk.com/rally-l.archives. I think the message was posted in the last month or two.
Apparently, some contain a free-running clock which is not synched with calculated time.

Of course my password is the same as my pet's name. My macaw's name is Q47pY!3, and I change it every 90 days.
Nick Simicich mailto:njs@scifi.squawk.com or (last choice) mailto:njs@us.ibm.com
http://scifi.squawk.com/njs.html -- Stop by and Light Up The World!

From owner-firewalls-outgoing Tue Apr 8 18:50:01 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA08519 for firewalls-outgoing; Tue, 8 Apr 1997 17:52:25 -0700 (PDT)
Received: from mail.diginsite.com (mail.diginsite.com [208.2.189.2]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id RAA08487 for ; Tue, 8 Apr 1997 17:52:09 -0700 (PDT)
Received: from march.diginsite.com by mail.diginsite.com (AIX 3.2/UCB 5.64/4.03) id AA07146; Tue, 8 Apr 1997 17:49:22 -0700
Message-Id: <9704090049.AA07146@mail.diginsite.com>
From: "David Lang"
To:
Subject: Re: problems with packet filtering in Linux
Date: Tue, 8 Apr 1997 17:51:51 -0700
X-Msmail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1155
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

never mind, it turned out that the linux ipfwadm program insists that there is a difference between 0.0.0.0 and 0.0.0.0/0.0.0.0

sigh...6 hours blown on that.

David Lang

----------
> From: David Lang
> To: firewalls@greatcircle.com
> Subject: problems with packet filtering in Linux
> Date: Tuesday, April 08, 1997 11:15 AM
>
> I am attempting to filter icmp packets using linux. I have the ip
> firewalling and ip forwarding turned on in the kernel. I am able to
> configure the ip filters for udp and tcp without a problem but when I try
> and shut off ping from the outside world to my firewall it keeps working.
> any suggestions?
> > David Lang From owner-firewalls-outgoing Tue Apr 8 19:18:07 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id SAA19409 for firewalls-outgoing; Tue, 8 Apr 1997 18:52:05 -0700 (PDT) Received: from delta.ece.nwu.edu (delta.ece.nwu.edu [129.105.5.103]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id SAA19385 for ; Tue, 8 Apr 1997 18:51:56 -0700 (PDT) Received: (from bonomi@localhost) by delta.ece.nwu.edu (8.8.5/8.8.3) id UAA16555 for firewalls@greatcircle.com; Tue, 8 Apr 1997 20:50:49 -0500 (CDT) Date: Tue, 8 Apr 1997 20:50:49 -0500 (CDT) From: Robert Bonomi Message-Id: <199704090150.UAA16555@delta.ece.nwu.edu> To: firewalls@greatcircle.com Subject: OOPS! Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Sorry about that last mail folks. it wasn't supposed to go to the list. please confine the justly deserved jibes to e-mail. :) From owner-firewalls-outgoing Tue Apr 8 20:06:17 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id TAA26239 for firewalls-outgoing; Tue, 8 Apr 1997 19:36:00 -0700 (PDT) Received: from proxy1.ba.best.com (proxy1.ba.best.com [206.184.139.12]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id TAA26223 for ; Tue, 8 Apr 1997 19:35:55 -0700 (PDT) Received: from [204.156.153.118] (mblakele.vip.best.com [204.156.153.118]) by proxy1.ba.best.com (8.8.5/8.8.3) with ESMTP id TAA26473 for ; Tue, 8 Apr 1997 19:34:09 -0700 (PDT) X-Sender: mblakele@pop Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 8 Apr 1997 19:33:46 -0700 To: firewalls@greatcircle.com From: Camille Blakeley Subject: smap troubles Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I know I must be missing something obvious, but I can't figure it out. I've searched all the FAQs and archives I could find. Anyway.... I am running under Solaris 2.5.1 and running sendmail 8.8.5. 
I downloaded the latest version of FWTK and installed it on the system. I am only trying to run smap, I don't have a need for any of the other tools at this time. I've configured smap (that is the netperm-table) and set up my inetd.conf exactly like the manual says (for smap) and it still doesn't work. I am way stumped.

What happens is, when any outside host connects to port 25, it connects and then gets the connection closed by remote host. I can email internally on the box and outgoing works just fine, it's just incoming that dies.

Any ideas? what am I missing? Any help would be greatly appreciated. Please reply to camille_blakeley@idg.com, I will summarize.

Thanks
Camille Blakeley

Camille Blakeley (camille@blakeley.com)

From owner-firewalls-outgoing Tue Apr 8 21:17:47 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id UAA05620 for firewalls-outgoing; Tue, 8 Apr 1997 20:57:57 -0700 (PDT)
Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id UAA05540 for ; Tue, 8 Apr 1997 20:57:43 -0700 (PDT)
Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id WAA12403; Tue, 8 Apr 1997 22:54:11 -0500 (EST)
From: Adam Shostack
Message-Id: <199704090354.WAA12403@homeport.org>
Subject: Re: xntpd and gauntlet 3.2
In-Reply-To: from Nick Simicich at "Apr 8, 97 07:38:10 pm"
To: njs@scifi.squawk.com (Nick Simicich)
Date: Tue, 8 Apr 1997 22:54:10 -0500 (EST)
Cc: firewalls@greatcircle.com (Firewalls mailing list)
X-Mailer: ELM [version 2.4ME+ PL27 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

You should be aware that there's no authentication of the signals from the GPS satellites, they can be forged by someone who is sufficiently out to get you. The same goes for radio clocks. The truly paranoid get their own cesium decay clocks.
I'll add that there are probably much easier ways to get through most firewalls I've ever seen than faking time signals. However, if you're concerned about a couple of seconds, there are ways to induce that.

Adam

Nick Simicich wrote:

| At least one rallyist tested GPS receivers and discovered that they were
| not reliable time sources. The time displayed on the front and reported
| to the serial connections differed by several seconds after only a
| relatively short time. If you are interested, I suggest that you check the
| archives of the rally-l list at http://scifi.squawk.com/rally-l.archives.
| I think the message was posted in the last month or two. Apparently,
| some contain a free-running clock which is not synched with calculated
| time.

--
"It is seldom that liberty of any kind is lost all at once." -Hume

From owner-firewalls-outgoing Tue Apr 8 21:36:20 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id VAA07426 for firewalls-outgoing; Tue, 8 Apr 1997 21:22:34 -0700 (PDT)
Received: from diablo.cisco.com (diablo.cisco.com [171.68.223.106]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id VAA07388 for ; Tue, 8 Apr 1997 21:22:25 -0700 (PDT)
Received: from clonvick-pc.cisco.com (sj-dial-3-15.cisco.com [171.68.179.16]) by diablo.cisco.com (8.8.5/CISCO.SERVER.1.2) with SMTP id VAA04574; Tue, 8 Apr 1997 21:21:16 -0700 (PDT)
Message-Id: <2.2.32.19970409041906.00ed5178@diablo.cisco.com>
X-Sender: clonvick@diablo.cisco.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 08 Apr 1997 23:19:06 -0500
To: srini@igt.com (Srini Seetharam), Firewalls@GreatCircle.COM
From: Chris Lonvick
Subject: Re: Re : Router bottlenecks in ATM network?
Cc: d.r.giles@hud.ac.uk
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi All,

Just to add to what Srini says, there's no magic to getting high speeds through routers/switches in the ATM world.
The "router" part will need to assemble the cells of a new session to see where the packets need to be routed. It will also need to check the packets against any filters that you've set up. If the session passes the filters, the "router" can tell the "switch" part how to modify the future packets (while still in the cell stream) to change the MAC addresses, ttl, appropriate checksums, etc.

The 'BFR' name was derived from Doom (registered version) where you could, at some point, get the BFG. Perhaps someone from Id Software could jump in here; everyone assumed that the B stood for Big, and that the G stood for Gun, but I never heard that everyone reached total consensus about the F.

Later,
Chris Lonvick
Cisco Systems Consulting Engineering
Houston, TX, USA
+1.713.778.5663

At 05:11 PM 4/8/97 -0400, Srini Seetharam wrote:
>Deric Giles writes :
>
>>connection. However in the near future our site is likely to be
>>connected to a MAN running at maybe 155Mb/sec and our internal network
>>upgraded to ATM at a similar speed. Having two routers in the path
>>acting at layer 3 now seem to pose a bottleneck. How can I maintain the
>>benefits from the speed upgrades without compromising security? The
>>only (partial) solution I can see is to merge the two routers but this
>
>Various networking companies are developing next generation router technology
>that in many instances is geared towards ATM. These routers will perform at
>wire speeds around 600Mbps and maybe even beyond. It is sometimes referred to
>as the BFR (Big Fast/F...ing/Fat Router). IPsilon already has a solution that
>works at least with 155mbps ATM, maybe higher. Others may have solution today
>as well.
>
>We, at IgT, design chips and software for ATM networks. We are pursuing this
>goal of have a solution to this problem with the bulk of the routing and "Flow
>detection" at wire speeds being done in a single chip.
>
>And to add a point that is interesting to the firewall community, just about
>all the schemes of flow detection have inherent packet filtering capabilities
>built in to them. In addition, the software that goes along with these devices
>can be used to be a basis for firewalling software running with these fast
>router accelerators.
>
>srini
>--
>------------------------------------------------------------------------
> IgT Srini W. Seetharam |
> ------------------------ Integrated Telecom Technology (IgT), |
> | __ __ | 18310 Montgomery Village Ave, Suite 300 |
> |__| |__ __| |____| Gaithersburg Maryland 20879 |
> | |__| | Tel: 301.990.9890 |
> | | Fax: 301.990.9893 |
> ------------------------ Web: http://www.igt.com/ |
> Net: srini@igt.com |
>------------------------------------------------------------------------|
>Expressed opinions may not be mine and not necessarily be those of IgT. |
>------------------------------------------------------------------------|
> Linux : The choice of the GNU Generation |
>------------------------------------------------------------------------
>
>

From owner-firewalls-outgoing Tue Apr 8 21:55:37 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id VAA10518 for firewalls-outgoing; Tue, 8 Apr 1997 21:46:46 -0700 (PDT)
Received: from out2.ibm.net (out2.ibm.net [165.87.201.252]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id VAA10458 for ; Tue, 8 Apr 1997 21:46:33 -0700 (PDT)
Received: (from uucp@localhost) by out2.ibm.net (8.6.9/8.6.9) id EAA396504 for ; Wed, 9 Apr 1997 04:45:27 GMT
Received: from slip202-135-133-140.jk.id.ibm.net(202.135.133.140) by out2.ibm.net via smap (V1.3mjr) id smaGHYDmb; Wed Apr 9 04:45:16 1997
Message-ID: <334B1EFA.7813@ibm.net>
Date: Wed, 09 Apr 1997 11:45:46 +0700
From: Budi Santosa
Reply-To: djiang@ibm.net
X-Mailer: Mozilla 3.0Gold (Win95; I)
MIME-Version: 1.0
To: firewalls@greatcircle.com
Subject: Greating from Indonesia...!
References: <334B1A7F.15B6@ibm.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Dear Fellows,
>
> First of all I would like to introduce myself to you, I am Budi Santosa,
> 22 years old college student majoring System Information. I live in
> Jakarta, Indonesia.
>
> This is my last academic year, so I have to make a thesis for my
> graduation. Because I am so interested on Fire Walls, I have already
> subscribed to Fire Walls Mailing List, but personally I would like to ask
> your opinion about interesting Fire Walls topics that I should study for
> my thesis, I do not have any ideas:)! I hope you can give me some
> opinions, because you are the master:).
>
> Thanks for your time and guidance. I look forward to your reply.
>
> Best Regard,
>
> Budi Santosa

From owner-firewalls-outgoing Tue Apr 8 22:52:02 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id WAA17786 for firewalls-outgoing; Tue, 8 Apr 1997 22:45:47 -0700 (PDT)
Received: from proxy1.ba.best.com (proxy1.ba.best.com [206.184.139.12]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id WAA17778 for ; Tue, 8 Apr 1997 22:45:43 -0700 (PDT)
Received: from shellx.best.com (shellx.best.com [206.86.0.11]) by proxy1.ba.best.com (8.8.5/8.8.3) with SMTP id WAA26247 for ; Tue, 8 Apr 1997 22:42:47 -0700 (PDT)
Date: Tue, 8 Apr 1997 22:42:46 -0700 (PDT)
From: "Kelly E. Gibbs"
To: firewalls@greatcircle.com
Subject: POP3/SMTP Performance/impact???
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Does anyone know where to obtain a study that would indicate the impact of smtp/pop3 mail on a network, perhaps with calculations, graphics, and methodology.

Thanks.
From owner-firewalls-outgoing Tue Apr 8 23:06:35 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id WAA17468 for firewalls-outgoing; Tue, 8 Apr 1997 22:41:43 -0700 (PDT) Received: from skylightsoft.com (skylightsoft.com [205.179.68.1]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id WAA17461; Tue, 8 Apr 1997 22:41:33 -0700 (PDT) Received: from skylight2.skylightsoft.com (skylight2.skylightsoft.com [192.168.10.2]) by skylightsoft.com (8.6.12/1995.06.26) with SMTP id WAA09754; Tue, 8 Apr 1997 22:31:15 -0700 Message-ID: <334B2D5E.419@skylightsoft.com> Date: Tue, 08 Apr 1997 22:47:10 -0700 From: Shabbir Khan Organization: Skylight Software, Inc. X-Mailer: Mozilla 3.01Gold (Win95; I) MIME-Version: 1.0 To: Firewalls@GreatCircle.COM CC: firewalls-digest@GreatCircle.COM Subject: Re: Firewalls-Digest V6 #147 References: <199704081938.MAA29525@honor.greatcircle.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I am finding Firewall Digest to be a very valuable service. We are using an Intel box (running Craftworks Linux 2.x version) to serve as a firewall between our internal network and the ISP. I need your help as soon as possible to solve a simple problem. Can anyone help us pls ? Here is the problem description: My linux machine contains two interface cards. One provides the internet connection and the other connects to the internal network. The machine is running the SOCKS 4.2 server. The internal network is configured with the class C address 192.168.2.x. The external network interface is totally different (all four fields). I need to run a service on an internal machine (say 192.168.2.4) on a little used port (6780). I would like to open this port on the linux server and direct all incoming requests on port 6780 to be directed to the internal machine (192.168.2.4). 
I know how to configure sockd.conf on the Linux box to open up this port (6780) to all the source addresses and use sockd.route to redirect the traffic to the internal net. However, since all the incoming requests will contain the internet address of the external interface card as the destination address, how do I tell the port 6780 traffic to go to 192.168.2.4? Is there any way to accomplish this? Thanks very much for your help. Shabbir Khan (shabbir@skylightsoft.com) Skylight Software, Inc. Tel: 408-249-6396 Fax: 408-249-6397 From owner-firewalls-outgoing Wed Apr 9 00:51:14 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id AAA28289 for firewalls-outgoing; Wed, 9 Apr 1997 00:38:26 -0700 (PDT) Received: from garanti1.garanti.com.tr (garanti1.garanti.com.tr [194.54.51.100]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id AAA28282 for ; Wed, 9 Apr 1997 00:38:19 -0700 (PDT) Received: from Mailhub by garanti1.garanti.com.tr id AA22348; Wed, 9 Apr 1997 10:37:55 +0400 Received: from GarantiUser by GarantiMailServer id AA19910; Wed, 9 Apr 1997 10:36:28 +0400 Received: from [10.0.44.30] by manage1.fw.garanti.com.tr (AIX 4.1/UCB 5.64/4.03) id AA05900; Thu, 10 Apr 1997 10:29:27 +0400 Message-Id: <334BD32B.3157@garanti.com.tr> Date: Wed, 09 Apr 1997 10:34:35 -0700 From: Cihan Subasi Reply-To: csubasi@garanti.com.tr Organization: Garanti Ticaret X-Mailer: Mozilla 3.0Gold (Win16; I) Mime-Version: 1.0 To: Firewall Mailing List Subject: No proxies in Netscape Network Preferences.... 
Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Our firewall sits in a different building within the city and each office and building has SMTP/POP server but shares the same firewall which is our exit to internet...Our problem is, firewall is running as a SOCKS hosts and our client platform is NETSCAPE...a user somewhere when he/she wants to collect emails, the route that the packets follow is "first go to the firewall then come back to the POP server", to prevent this I tried to use No Proxies setup in Netscape but still the same thing happens...Anybody has any idea how can I discard firewall access using Netscape just for email traffic but leaving the SOCKS hosts setup in the meantime (which our security point as well for the Internet)...My opinion is Use Netscape for browsing,ftp and use another platform for email...But management does not want that on the other hand... Thank You *************************************************************** Cihan Subasi Garanti Ticaret, Istanbul Turkey email= cihans@garanti.com.tr or csubasi@garanti.com.tr Phone= +902126570404 Fax = +902126570473 *************************************************************** From owner-firewalls-outgoing Wed Apr 9 02:21:30 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id CAA09183 for firewalls-outgoing; Wed, 9 Apr 1997 02:15:31 -0700 (PDT) Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id CAA09163 for ; Wed, 9 Apr 1997 02:15:23 -0700 (PDT) Received: from sghms.ac.uk (s1.sghms.ac.uk [192.153.12.1]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with SMTP id CAA11459 for ; Wed, 9 Apr 1997 02:16:09 -0700 (PDT) From: "M Gillett" Message-Id: <19228.9704090900@sghms.ac.uk> Subject: Protection and Management of a 155MB Network To: D.R.Giles@hud.ac.uk Date: Wed, 9 Apr 1997 10:00:59 
+0100 (BST)
Cc: firewalls@greatcircle.com
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

We have a connection (almost) to the UKERNA LONDON MAN (see http://www.lonman.net.uk).

The problems that you suggest i.e. routers handling the high speed interfaces seem not to be a problem where the router is capable of those speeds (CISCO seem to have few or no problems with the 7xxx series). I have heard reports that multiple high speed connections on the 4xxx series are a problem.

The concern about single point of failure is surely still a concern with two routers, I am assuming that only one has a connection to the ATM external network - or are they separate and distinct connections to an intermediate switch e.g.

                                +---------------+
    +-----------------+         : ROUTER #1     :--------Internal Network
    :   ATM SWITCH    :--------+---------------+
    :                 :
    :                 :--------+---------------+
    +-----------------+         : ROUTER #2     :--------Internal Network
             |                  +---------------+
             |
             |
      [MAN CONNECTION]

The model that I am moving towards here is more like the following.

                                +---------------+
    +-----------------+         :               :--------Internal Network
    :   ATM SWITCH    :--------:               :
    :                 :         :    ROUTER     :
    :                 :--------+               :
    +-----------------+         :  CISCO 7200   :--------Internal Network
             |                  +---------------+
             |
             |
      [MAN CONNECTION]

We will then implement a single block of access lists on the single main router. There may be a variation (budgets allowing - unlikely) where a second router could sit on the network before / after the main router. This would allow a DMZ to be created and perhaps protect against single router failure leaving the network open (i.e. allow packets only from the adjacent router). We are also probably going to use one time use passwords (?? secure ID ) on the router to protect against potential compromise there.

I would be interested to hear if anyone has done some analysis of the implications of access-lists / other security filters / NAT on router performance.
(this is not an invitation for a load of messages telling me I should be proxying - we use proxy firewalls internally to protect sensitive areas of the network. I was also interested to see the suggestions of proxy services running at >100MB/s - again has anyone got any data ? Technical Consultant St. Georges Hospital Medical School University of London From owner-firewalls-outgoing Wed Apr 9 02:51:22 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id CAA12079 for firewalls-outgoing; Wed, 9 Apr 1997 02:41:25 -0700 (PDT) Received: from gst.cgs.it ([194.21.223.3]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id CAA12052 for ; Wed, 9 Apr 1997 02:41:09 -0700 (PDT) Received: from dviggian.gst.cgs.it ([194.21.223.230]) by gst.cgs.it (8.7.5/8.7.3) with SMTP id MAA00548 for ; Wed, 9 Apr 1997 12:01:52 +0200 Message-ID: <334A1261.7F08@gst.cgs.it> Date: Tue, 08 Apr 1997 11:39:45 +0200 From: Domenico Viggiani Organization: CAP GEMINI SpA X-Mailer: Mozilla 3.01 (Win16; I) MIME-Version: 1.0 To: firewalls@greatcircle.com Subject: E-mail scanning Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Is there the possibility to do some e-mail content-scanning in order to avoid data-driven attacks? 
TIA -- Domenico Viggiani E-mail:dviggian@gst.cgs.it CAP GEMINI ITALY SpA PHONE 39 6 23190509 From owner-firewalls-outgoing Wed Apr 9 03:18:21 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id CAA12318 for firewalls-outgoing; Wed, 9 Apr 1997 02:43:16 -0700 (PDT) Received: from gst.cgs.it ([194.21.223.3]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id CAA12261 for ; Wed, 9 Apr 1997 02:42:58 -0700 (PDT) Received: from dviggian.gst.cgs.it ([194.21.223.230]) by gst.cgs.it (8.7.5/8.7.3) with SMTP id MAA00586 for ; Wed, 9 Apr 1997 12:03:47 +0200 Message-ID: <334A12D5.57B@gst.cgs.it> Date: Tue, 08 Apr 1997 11:41:41 +0200 From: Domenico Viggiani Organization: CAP GEMINI SpA X-Mailer: Mozilla 3.01 (Win16; I) MIME-Version: 1.0 To: firewalls@greatcircle.com Subject: NNTP Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, I'm involved in searching the best way to use NNTP across a firewall. What is the best way to permit such type of traffic? Proxy or packet filtering or other? TIA -- Domenico Viggiani E-mail:dviggian@gst.cgs.it CAP GEMINI ITALY SpA PHONE 39 6 23190509 From owner-firewalls-outgoing Wed Apr 9 03:51:31 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id DAA20068 for firewalls-outgoing; Wed, 9 Apr 1997 03:33:59 -0700 (PDT) Received: from wizard.abirnet.co.il (wizard.abirnet.co.il [194.90.211.10]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id DAA20052 for ; Wed, 9 Apr 1997 03:33:51 -0700 (PDT) Received: from ziv.abirnet.co.il (z1.abirnet.co.il [194.90.211.21]) by wizard.abirnet.co.il (8.7.6/8.7.3) with SMTP id NAA02020; Wed, 9 Apr 1997 13:32:46 +0300 Date: Wed, 9 Apr 97 13:34:46 From: Ziv Dascalu Subject: RE: E-mail scanning To: firewalls@GreatCircle.COM, Domenico Viggiani X-PRIORITY: 3 (Normal) X-Mailer: Chameleon 5.0, TCP/IP for Windows, NetManage Inc. 
Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk --- On Tue, 08 Apr 1997 11:39:45 +0200 Domenico Viggiani wrote: >Is there the possibility to do some e-mail content-scanning in order to >avoid data-driven attacks? > >TIA >-- > YES, you can do email scanning in three places. 1. on the firewall, look for plug-ins for email content look at CheckPoint www.checkpoint.com 2. as a separate machine on the network that works like a sniffer and alerts you for abnormalism Look at AbirNet SessionWall (Get an EVALUATION COPY at ) 3. on the client , look at net manage zmail rules, wwww.netmanage.com hope this helps /Ziv /~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\ | A B I R N E T Active Network Protection http://www.AbirNet.com | \~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~/ From owner-firewalls-outgoing Wed Apr 9 04:10:12 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id DAA21063 for firewalls-outgoing; Wed, 9 Apr 1997 03:41:20 -0700 (PDT) Received: from bigbird2.iis.net (gate.iis.net [207.226.20.2]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id DAA20901 for ; Wed, 9 Apr 1997 03:40:40 -0700 (PDT) Received: from klaatu.iis.net by bigbird2.iis.net via smtpd (for honor.greatcircle.com [198.102.244.44]) with SMTP; 9 Apr 1997 10:39:36 UT Received: from atlas.iis.net. (atlas.iis.net [172.20.1.200]) by klaatu.iis.net (8.8.5/8.8.5) with SMTP id GAA12415 for ; Wed, 9 Apr 1997 06:39:46 -0400 (EDT) Received: by atlas.iis.net. 
(SMI-8.6/SMI-SVR4) id GAA19412; Wed, 9 Apr 1997 06:39:57 -0400 Date: Wed, 9 Apr 1997 06:39:57 -0400 From: michael@IIS.NET (Michael Miller) Message-Id: <199704091039.GAA19412@atlas.iis.net.> To: firewalls@greatcircle.com Subject: Re: X11 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Correction: The port number is 6000 + n where n is the SERVER NUMBER on the machine. The server number is the first of the two after the colon. E.g. servername:1.0 refers to the machine "servername" X server number 1 on that machine and screen number 0 managed by that X server. Any given machine may run many X servers each having an essentially unlimited number of screens to the limits of the machine's memory or the graphics hardware (if the X server is actually using graphics hardware). >Date: Tue, 8 Apr 1997 11:18:46 -0700 >From: "David Lang" >Subject: Re: X11 > >source port 6000+n where n is the screen number. > >David Lang -- Michael Miller Internet Information Services, Inc. mailto:michael.miller@iis.net 7979 Old Georgetown Rd., Floor 2 http://www.xzaphod.com Bethesda, MD 20814 http://www.iis.net Voice 301-718-1770 Fax 301-719-2944 From owner-firewalls-outgoing Wed Apr 9 04:21:16 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA23543 for firewalls-outgoing; Wed, 9 Apr 1997 04:04:41 -0700 (PDT) Received: from watchtower.incirlik.af.mil (watchtower.incirlik.af.mil [132.27.211.6]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id EAA23536 for ; Wed, 9 Apr 1997 04:04:32 -0700 (PDT) Received: (from uucp@localhost) by watchtower.incirlik.af.mil (8.7.6/8.7.3) id OAA24370 for ; Wed, 9 Apr 1997 14:03:20 +0300 Received: from incirlik.af.mil(132.27.210.2) by watchtower.incirlik.af.mil via smap (V2.0) id xma024359; Wed, 9 Apr 97 14:02:35 +0300 Received: by inc-exch-m1.incirlik.af.mil with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5) id <01BC44EE.C6F63260@inc-exch-m1.incirlik.af.mil>; Wed, 9 Apr 
1997 14:03:19 +0300 Message-ID: From: "Price, Jason D. SrA" To: "'firewalls@GreatCircle.COM'" Cc: "'dviggian@gst.cgs.it'" Subject: RE: NNTP Date: Wed, 9 Apr 1997 14:06:01 +0300 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk The PLUG-GW with TIS works very well for this..... The Linux Firewall Documentation is good info to look at and I think the TIS manual has an example of how to set it up. Packet filtering would also work too. One is just about as easy as the other. Jason >---------- >From: Domenico Viggiani[SMTP:dviggian@gst.cgs.it] >Sent: Wednesday, April 09, 1997 1:57 PM >To: firewalls@GreatCircle.COM >Subject: NNTP > >Hi, >I'm involved in searching the best way to use NNTP across a firewall. >What is the best way to permit such type of traffic? >Proxy or packet filtering or other? > >TIA >-- > >Domenico Viggiani E-mail:dviggian@gst.cgs.it >CAP GEMINI ITALY SpA PHONE 39 6 23190509 > From owner-firewalls-outgoing Wed Apr 9 04:36:32 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA25396 for firewalls-outgoing; Wed, 9 Apr 1997 04:23:06 -0700 (PDT) Received: from igwpc5.paribas.com ([155.140.123.60]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id EAA25389 for ; Wed, 9 Apr 1997 04:22:55 -0700 (PDT) Received: from igwpc4.paribas.com (155.140.123.61) by igwpc5.paribas.com (Integralis SMTPRS 1.51) with SMTP id ; Wed, 09 Apr 1997 11:17:00 +0000 Received: from ccMail by igwpc4.paribas.com (IMA Internet Exchange 2.01 Enterprise) id 34B7B810; Wed, 9 Apr 97 12:20:33 +0100 MIME-Version: 1.0 Date: Wed, 9 Apr 1997 12:09:57 +0100 Message-Id: <34B7B810.@paribas.com> From: Francois_ARCASEDDA@paribas.com (Francois ARCASEDDA) Subject: FW-1 and Securid cards To: firewalls@greatcircle.com, suggestion-box@securid.com Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Description: cc:Mail note part 
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

All,

I thought FW-1 was compatible with Dynamics Securid cards and more particularly with token re-synchronisation and new pin creation.

From their browser our users are authenticated on the Firewall using their securid cards. This works successfully. However, whenever the user is prompted to give its next token or whenever he is prompted to give its new pin number, a form appears on its browser, but when a user fills it and presses the OK button to submit it, the browser returns a "Contains no data" error, and no modification is made.

What's wrong?

TIA.

Francois ARCA-SEDDA
Banque PARIBAS.

From owner-firewalls-outgoing Wed Apr 9 05:51:23 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA04394 for firewalls-outgoing; Wed, 9 Apr 1997 05:20:29 -0700 (PDT)
Received: from bbnplanet.com (mail.bbnplanet.com [198.114.157.21]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id FAA04270 for ; Wed, 9 Apr 1997 05:19:58 -0700 (PDT)
Received: from teicher.bbnplanet.com by mail.bbnplanet.com id aa20793; 9 Apr 97 8:18 EDT
Message-Id: <3.0.32.19970409075702.007b93a0@mail.bbnplanet.com>
X-Sender: mteicher@mail.bbnplanet.com
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Wed, 09 Apr 1997 07:57:09 -0500
To: firewalls@greatcircle.com
From: Mark Teicher
Subject: Secure Email Client packages
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Has anyone seen or worked with secure email client packages..??

recommendations, thoughts,??
/mark From owner-firewalls-outgoing Wed Apr 9 06:21:12 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA08774 for firewalls-outgoing; Wed, 9 Apr 1997 06:15:11 -0700 (PDT) Received: from fw.mf-lkb.ru (fw.mf-lkb.ru [194.67.40.66]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id GAA08735 for ; Wed, 9 Apr 1997 06:14:57 -0700 (PDT) Received: from unknown by fw.mf-lkb.ru with SMTP id RAA08823; (8.6.12/vak/1.9) Wed, 9 Apr 1997 17:16:51 +0400 Message-ID: X-MSMail-Priority: Normal X-Priority: 3 To: firewalls@greatcircle.com MIME-Version: 1.0 From: "Alexander N. Skinderev" Subject: majordomo@greatcircle.com Date: Wed, 09 Apr 97 17:17:55 PDT Content-Type: text/plain; charset="KOI8-R"; X-MAPIextension=".TXT" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Best regard! Alexander N. Skinderev +7-095-232-13-88 or +7-095-232-13-70 (fax) E-mail: alexsk@mf-lkb.ru From owner-firewalls-outgoing Wed Apr 9 06:57:39 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA12380 for firewalls-outgoing; Wed, 9 Apr 1997 06:49:41 -0700 (PDT) Received: from wizard.abirnet.co.il (wizard.abirnet.co.il [194.90.211.10]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id GAA12343 for ; Wed, 9 Apr 1997 06:49:31 -0700 (PDT) Received: from ziv.abirnet.co.il (z1.abirnet.co.il [194.90.211.21]) by wizard.abirnet.co.il (8.7.6/8.7.3) with SMTP id QAA04056; Wed, 9 Apr 1997 16:48:25 +0300 Date: Wed, 9 Apr 97 16:50:54 From: Ziv Dascalu Subject: RE: Secure Email Client packages To: firewalls@GreatCircle.COM, Mark Teicher X-PRIORITY: 3 (Normal) X-Mailer: Chameleon 5.0, TCP/IP for Windows, NetManage Inc. Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk --- On Wed, 09 Apr 1997 07:57:09 -0500 Mark Teicher wrote: >Has anyone seen or worked with secure email client packages..?? 
>recommendations, thoughts,?? > >/mark Hi, I know netmanage Zmail has this built in. /Ziv /~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\ | A B I R N E T Active Network Protection http://www.AbirNet.com | \~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~/ From owner-firewalls-outgoing Wed Apr 9 07:33:24 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA15525 for firewalls-outgoing; Wed, 9 Apr 1997 07:19:43 -0700 (PDT) Received: from cerberus2.fon.sprintcorp.com (cerberus2.fon.sprintcorp.com [204.215.0.61]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id HAA15516 for ; Wed, 9 Apr 1997 07:19:37 -0700 (PDT) From: BLeBlanc@igate.sprint.com Received: by cerberus2.fon.sprintcorp.com; id JAA04619; Wed, 9 Apr 1997 09:18:30 -0500 (CDT) Received: from fonkc28.fon.sprintcorp.com(144.223.19.54) by cerberus2.fon.sprintcorp.com via smap (3.2) id xma004599; Wed, 9 Apr 97 09:18:14 -0500 Received: FROM FONIMAIL.fonkc28.fon.sprintcorp.com BY fonkc28.fon.sprintcorp.com ; 9 APR 97 09:18:35 CDT Date: 9 APR 97 09:16:54 CDT Subject: FW: Monitoring Info To: firewalls@greatcircle.com Message-ID: <0007bvtvfljj.H000012201db19c0@igate.sprint.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hey Stuart, I heard from someone who heard from someone else who was talking to someone who thought they heard them mention your name - And they said... Your an A-Hole. > [Stuart Johnson's load of garbage deleted] Take your slander and go away... far away! 
From owner-firewalls-outgoing Wed Apr 9 07:52:00 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA15699 for firewalls-outgoing; Wed, 9 Apr 1997 07:21:30 -0700 (PDT) Received: from relay6.UU.NET (relay6.UU.NET [192.48.96.16]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id HAA15683 for ; Wed, 9 Apr 1997 07:21:23 -0700 (PDT) Received: from lambchop.nette.com by relay6.UU.NET with SMTP (peer crosschecked as: [207.79.243.12]) id QQcknp03899; Wed, 9 Apr 1997 10:20:28 -0400 (EDT) Message-Id: X-Mailer: Microsoft Outlook Express 4.71.0544.0 From: "Lynda J. Meyer" To: , "Mark Teicher" , "Ziv Dascalu" Subject: Re: Secure Email Client packages Date: Wed, 9 Apr 1997 10:21:09 -0400 X-Priority: 3 X-MSMail-Priority: Normal MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-MimeOLE: Produced By Microsoft MimeOLE Engine V4.71.0544.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk There's an email package by Phil Zimmerman's new company....it used to be called ViaCrypt--the new name for their co escapes me right now. And the new IE 4.0 beta seems to have this built in (although it's a bit premature to deploy in production). Lynda J. Meyer mailto:lmeyer@nette.com 212.889.2015 Net Technologies, Inc. http://www.nette.com/ ---- From: Ziv Dascalu To: firewalls@GreatCircle.COM; Mark Teicher Date: Wednesday, April 09, 1997 10:10 AM Subject: RE: Secure Email Client packages > >--- On Wed, 09 Apr 1997 07:57:09 -0500 Mark Teicher wrote: > >>Has anyone seen or worked with secure email client packages..?? >>recommendations, thoughts,?? >> >>/mark > >Hi, >I know netmanage Zmail has this built in. 
>/Ziv > > /~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \ > | A B I R N E T Active Network Protection http://www.AbirNet.com | > \~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ / > > From owner-firewalls-outgoing Wed Apr 9 08:23:19 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA20039 for firewalls-outgoing; Wed, 9 Apr 1997 08:02:55 -0700 (PDT) Received: from bbnplanet.com (mail.bbnplanet.com [198.114.157.21]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id IAA20016 for ; Wed, 9 Apr 1997 08:02:42 -0700 (PDT) Received: from teicher.bbnplanet.com by mail.bbnplanet.com id aa15961; 9 Apr 97 11:01 EDT Message-Id: <3.0.32.19970409103928.007cc440@mail.bbnplanet.com> X-Sender: mteicher@mail.bbnplanet.com X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Wed, 09 Apr 1997 10:39:51 -0500 To: Greg Perrucci From: Mark Teicher Subject: Re: Secure Email Client packages Cc: firewalls@greatcircle.com, Roger Nebel Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Greg, The problem I am having with this, is how does one exchange the public and private keys for encrypted email to work successfully. What it seems that the client on each end has to have a email client that capable of using with having the user modifying their end client. If installation is somewhat tricky, then how do successfully lobby this concept to a potential customer stating this... /mark At 07:12 AM 4/9/97 -0700, you wrote: >Mark, > >Try Deming S/MIME plug in for Eudora 3.0 and Exchange. It is available >from http://www.worldtalk.com. It integrates itself perfectly into Eudora, >but >the installation is somewhat tricky. > >Good luck >Greg Perrucci > > > >At 07:57 AM 4/9/97 -0500, you wrote: >>Has anyone seen or worked with secure email client packages..?? >>recommendations, thoughts,?? >> >>/mark >> >> >> >Greg T. 
Perrucci Phone: 415.429.3361 >VeriSign, Inc. Fax: 415.961.8870 >2593 Coast Ave. URL: http://www.VeriSign.com >Mountain View, CA. 94043 Email: gperrucci@VeriSign.com > From owner-firewalls-outgoing Wed Apr 9 08:30:42 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA21381 for firewalls-outgoing; Wed, 9 Apr 1997 08:18:19 -0700 (PDT) Received: from bianca.iway.fr (bianca.iway.fr [194.98.67.67]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id IAA21369 for ; Wed, 9 Apr 1997 08:18:09 -0700 (PDT) Received: from xu00aad9.bnp.fr ([159.50.129.128]) by bianca.iway.fr (8.8.5/8.8.5) with SMTP id RAA25634 for ; Wed, 9 Apr 1997 17:17:01 +0200 (MET DST) Message-ID: <334C3132.6599@bnp.fr> Date: Wed, 09 Apr 1997 17:15:46 -0700 From: Olivier Scotti Reply-To: oscotti@bnp.fr Organization: Banque Nationale de Paris, PARIS 9e - (DOSI-IT) X-Mailer: Mozilla 3.01Gold [fr] (Win16; I) MIME-Version: 1.0 To: Firewalls@GreatCircle.COM Subject: How to permit "IDENT" through PIX?? Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, Could someone help us to resolve this problem?: We have connected our network to the Internet (about 20,000 machines). This connection is secured by a firewall which permit http, ftp, smtp and pop3 as outside connections (I mean from our network to the Internet). Our mail server (SMTP/Pop3) is outside our network (It is located inside our provider's network). That's why, the only "inside connection" authorized by our firewall is for IDENT protocol (port 113; from the mail server to the client). The problem is that we are going to change very soon our firewall: the new one will be a PIX (cisco). By default, the PIX blocks every connection arriving from the Internet except if we configure a "conduit" (a pathway between two machines). 
But our mail server is outside (this will not change before several months) and this server can potentially make IDENT connections with thousands clients wich are inside our network ! So we can not create thousands pathways on the PIX ! Is it possible to create a conduit between a machine (the mail server) and a subnet (our class B)? Otherwise is there an other solution? Thanks, Olivier -- ------------------------------------------------------------------------- Olivier Scotti, Banque Nationale de Paris (DOSI - Telecoms Unix) Paris 9e E-mail: oscotti@bnp.fr Phone: +33 01 40 14 85 23 Fax: +33 01 40 14 35 41 ------------------------------------------------------------------------- From owner-firewalls-outgoing Wed Apr 9 08:37:02 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA22308 for firewalls-outgoing; Wed, 9 Apr 1997 08:25:32 -0700 (PDT) Received: from caladan.verisign.com (caladan.verisign.com [205.180.232.21]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id IAA22266 for ; Wed, 9 Apr 1997 08:25:21 -0700 (PDT) Received: from mentat.verisign.com by caladan.verisign.com (8.8.5/BCH1.0) id IAA10133; Wed, 9 Apr 1997 08:23:38 -0700 (PDT) Received: from gperrucci-pc by mentat.verisign.com (8.8.5/BCH1.0) id IAA06974; Wed, 9 Apr 1997 08:23:41 -0700 (PDT) Message-Id: <3.0.32.19970409082341.0095bab0@mail> X-Sender: gperrucci@mail X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Wed, 09 Apr 1997 08:23:42 -0700 To: Mark Teicher From: Greg Perrucci Subject: Re: Secure Email Client packages Cc: firewalls@greatcircle.com, Roger Nebel Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk The exchange of the public key is automatic when a new message is sent. And yes, both users must be using an S/MIME compliant mail package. I understand that Netscape and Microsoft are building this feature into their new mail clients. 
This should make the use of S/MIME less difficult. At 10:39 AM 4/9/97 -0500, Mark Teicher wrote: >Greg, > >The problem I am having with this, is how does one exchange the public and >private keys for encrypted email to work successfully. What it seems that >the client on each end has to have a email client that capable of using >with having the user modifying their end client. If installation is >somewhat tricky, then how do successfully lobby this concept to a potential >customer stating this... > >/mark > > >At 07:12 AM 4/9/97 -0700, you wrote: >>Mark, >> >>Try Deming S/MIME plug in for Eudora 3.0 and Exchange. It is available >>from http://www.worldtalk.com. It integrates itself perfectly into Eudora, >>but >>the installation is somewhat tricky. >> >>Good luck >>Greg Perrucci >> >> >> >>At 07:57 AM 4/9/97 -0500, you wrote: >>>Has anyone seen or worked with secure email client packages..?? >>>recommendations, thoughts,?? >>> >>>/mark >>> >>> >>> >>Greg T. Perrucci Phone: 415.429.3361 >>VeriSign, Inc. Fax: 415.961.8870 >>2593 Coast Ave. URL: http://www.VeriSign.com >>Mountain View, CA. 
94043 Email: gperrucci@VeriSign.com >> > > From owner-firewalls-outgoing Wed Apr 9 08:52:01 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA20337 for firewalls-outgoing; Wed, 9 Apr 1997 08:06:35 -0700 (PDT) Received: from bbnplanet.com (mail.bbnplanet.com [198.114.157.21]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id IAA20296 for ; Wed, 9 Apr 1997 08:06:23 -0700 (PDT) Received: from teicher.bbnplanet.com by mail.bbnplanet.com id aa16803; 9 Apr 97 11:05 EDT Message-Id: <3.0.32.19970409104329.007a9c90@mail.bbnplanet.com> X-Sender: mteicher@mail.bbnplanet.com X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Wed, 09 Apr 1997 10:43:32 -0500 To: firewalls@greatcircle.com, lmeyer@nette.com From: Mark Teicher Subject: Re: Secure Email Client packages Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >From: "Lynda J. Meyer" OK, Here it is again, the secure feature of encrypted email is the exchange of keys. If this is not correct, can someone please correct me on this. How does one do it without compromising one's security...??? /mark >To: firewalls@greatcircle.com, Mark Teicher , > Ziv Dascalu >MMDF-Warning: Parse error in original version of preceding line at mail.bbnplanet.com >Subject: Re: Secure Email Client packages >Date: Wed, 9 Apr 1997 10:21:09 -0400 >X-MSMail-Priority: Normal >X-MimeOLE: Produced By Microsoft MimeOLE Engine V4.71.0544.0 > >There's an email package by Phil Zimmerman's new company....it used to be >called ViaCrypt--the new name for their co escapes me right now. And the >new IE 4.0 beta seems to have this built in (although it's a bit premature >to deploy in production). > >Lynda J. Meyer >mailto:lmeyer@nette.com 212.889.2015 >Net Technologies, Inc. 
http://www.nette.com/ > > ---- >From: Ziv Dascalu >To: firewalls@GreatCircle.COM; Mark Teicher >Date: Wednesday, April 09, 1997 10:10 AM >Subject: RE: Secure Email Client packages > >> >>--- On Wed, 09 Apr 1997 07:57:09 -0500 Mark Teicher m> wrote: >> >>>Has anyone seen or worked with secure email client packages..?? >>>recommendations, thoughts,?? >>> >>>/mark >> >>Hi, >>I know netmanage Zmail has this built in. >>/Ziv >> >> /~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >\ >> | A B I R N E T Active Network Protection http://www.AbirNet.com > | >> \~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >/ >> >> > > From owner-firewalls-outgoing Wed Apr 9 09:20:41 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA19083 for firewalls-outgoing; Wed, 9 Apr 1997 07:52:15 -0700 (PDT) Received: from proxy1.ba.best.com (proxy1.ba.best.com [206.184.139.12]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id HAA19030 for ; Wed, 9 Apr 1997 07:51:56 -0700 (PDT) Received: from kgibbs.vip.best.com (kgibbs.vip.best.com [206.86.92.105]) by proxy1.ba.best.com (8.8.5/8.8.3) with ESMTP id HAA28568 for ; Wed, 9 Apr 1997 07:48:13 -0700 (PDT) Message-Id: <199704091448.HAA28568@proxy1.ba.best.com> From: "Kelly Gibbs" To: Subject: Unknown email spam ??? Date: Wed, 9 Apr 1997 07:08:45 -0700 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1155 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Problem: Junk email, such as the one below, has been showing up in various email boxes. The problem isn't the email itself, but people are confused because this email isn't even addressed to them, and no where in the email header does it have that persons email address. Can anyone offer an idea or answer as to how this is happening? Here's the message header. 
My email address is kgibbs@best.com. It's addressed to you@proxy2.ba.best.com. Thanks. >Received: from proxy2.ba.best.com (root@proxy2.ba.best.com >[206.184.139.13]) by shellx.best.com (8.8.5/8.8.3) with ESMTP id >WAA16437; Tue, 8 Apr 1997 22:47:42 -0700 (PDT) >Received: from mail.redrove.com (secserver.redrove.com [208.1.237.21]) >by proxy2.ba.best.com (8.8.5/8.8.3) with SMTP id WAA09808; Tue, 8 Apr >1997 22:41:29 -0700 (PDT) >Date: Tue, 8 Apr 1997 22:41:29 -0700 (PDT) >Message-Id: <199704090541.WAA09808@proxy2.ba.best.com> >Received: from [208.1.237.227] by mail.redrove.com > (SMTPD32-3.04) id AD1BBD00D0; Tue, 08 Apr 1997 13:39:55 -0700 >Comments: Authenticated sender is >From: "mail.redrove.com" >To: you@proxy2.ba.best.com >Subject: Hi > We've really missed you!! > > Want to show you all of the new things we have learned about loving each other. > > Find us by entering this address in your web browser. > > http://www.sweeties.com > > Love, > > Amy and Erin > > > Warning: You must be over 21 to enter the commercial site referenced in this message. This message is being sent to interested consumers know of the availability of this site to paying adult customers only. We hope to improve our future communications > with your help. If you do not wish, for any reason, to continue to be on the e-mail distribution list that resulted in this message being sent to you, simply send an e-mail reply with your e-mail address and the message "please remove me from your e-ma > il distribution list." Thank you. 
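Added example, not part of the original message: the header block quoted above shows `To: you@proxy2.ba.best.com` on mail that arrived in a different mailbox. SMTP delivers to the envelope addresses given in `RCPT TO`, not to the `To:`/`Cc:` headers. The Python below parses a constructed SMTP session and a constructed delivered message (all hosts and addresses are made-up example values, and the `for` clause in `Received:` is assumed to be written by the receiving MTA) and reports envelope recipients that appear in no header.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed client side of one SMTP session; every address is an example.
SAMPLE_SESSION = """\
HELO bulk.example.net
MAIL FROM:<bounce@bulk.example.net>
RCPT TO:<alice@example.com>
RCPT TO:<bob@example.com>
DATA
From: "Newsletter" <news@bulk.example.net>
To: you@relay.example.com
Subject: Hi

..This body line began with a dot, so the client doubled it.
Hello.
.
QUIT
"""

# Constructed message as stored after delivery to alice; the receiving MTA
# is assumed to record the envelope recipient in a "for" clause.
SAMPLE_DELIVERED = """\
Received: from bulk.example.net (bulk.example.net [192.0.2.25])
    by mx.example.com with SMTP id WAA09808;
    Tue, 8 Apr 1997 22:41:29 -0700 (PDT)
    sender bounce@bulk.example.net for alice@example.com
From: "Newsletter" <news@bulk.example.net>
To: you@relay.example.com
Subject: Hi

Hello.
"""

_PATH = re.compile(r"^(MAIL FROM|RCPT TO):\s*<([^>]*)>", re.IGNORECASE)
_FOR = re.compile(r"\bfor\s+<?([^\s<>;]+@[^\s<>;]+)>?", re.IGNORECASE)


def split_session(session):
    """Split client-side SMTP lines into (mail_from, rcpt_to, message_text)."""
    mail_from, rcpt_to, data, in_data = None, [], [], False
    for line in session.splitlines():
        if in_data:
            if line == ".":              # a lone dot ends the DATA section
                in_data = False
            else:                        # undo dot-stuffing of body lines
                data.append(line[1:] if line.startswith(".") else line)
            continue
        m = _PATH.match(line)
        if m and m.group(1).upper() == "MAIL FROM":
            mail_from = m.group(2)
        elif m:
            rcpt_to.append(m.group(2).lower())
        elif line.upper() == "DATA":
            in_data = True
    return mail_from, rcpt_to, "\n".join(data) + "\n"


def header_recipients(message_text):
    """Addresses a reader sees in the To: and Cc: headers."""
    msg = message_from_string(message_text)
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(fields) if addr}


def hidden_recipients(session):
    """Envelope recipients that are named in no To:/Cc: header."""
    _, rcpt_to, content = split_session(session)
    visible = header_recipients(content)
    return sorted(r for r in rcpt_to if r not in visible)


def received_for(message_text):
    """Recipients recorded in 'for' clauses of Received: headers, if any."""
    msg = message_from_string(message_text)
    found = []
    for value in msg.get_all("Received", []):
        found += [a.lower() for a in _FOR.findall(value)]
    return found


if __name__ == "__main__":
    print("envelope-only recipients:", hidden_recipients(SAMPLE_SESSION))
    print("Received 'for' clause:   ", received_for(SAMPLE_DELIVERED))
```

When the relay writes no `for` clause, the envelope recipient survives only in the MTA's own log, so that log is where to look.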
From owner-firewalls-outgoing Wed Apr 9 09:35:04 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA23632 for firewalls-outgoing; Wed, 9 Apr 1997 08:33:59 -0700 (PDT) Received: from phiu15.towers.com (phiu15.towers.com [158.82.40.193]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id IAA23601 for ; Wed, 9 Apr 1997 08:33:49 -0700 (PDT) From: cernigr@towers.com Received: from emx.towers.com by phiu15.towers.com id AA24824; Wed, 9 Apr 1997 11:35:31 -0400 X400-Originator: cernigr@towers.com X400-Recipients: firewalls@greatcircle.com X400-Mts-Identifier: [/PRMD=TOWERS/ADMD=ATTMAIL/C=US/;0037000003258525000002] X400-Content-Type: P2-1988 (22) Message-Id: <0037000003258525000002*@MHS> To: " - (052)firewalls (a) greatcircle.com" Subject: DNS setup with firewall Date: Wed, 9 Apr 1997 11:33:20 -0400 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I'm basically looking for some advice on how to setup our DNS with our current firewall configuration. We currently have a split DNS configuration. We have an internal primary and a internal secondarynameserver. We currently resolve internal and external names. This is being done with a forwarders line on our name servers. Our firewall is setup (IBM's SNG) as a caching only server. It's resolv.conf points to our internal nameservers. I would like to know the advantages of creating our firewall a primary DNS server which is registered with the internic and allowing internal traffic to get out and not allow anything to come in. Basically eliminating split DNS. Is it safe to do something like that? The main reason we want to get rid of split DNS is because we will have multiple firewalls scattered over the world and we want to eliminate the need for the remote sites to hit our home site for lookups. When ever you do a lookup externally the firewall hits your internal nameservers first before going out to the net. 
The only way to alleviate this would be to put another DNS server remotely and have that remote firewall point to that nameserver. We are trying to avoid this. If anyone knows how to setup an DNS config with your firewall as a primary server and hide all of your internal information,your help and advice would be greatly appreciated cernigr@towers.com From owner-firewalls-outgoing Wed Apr 9 10:31:54 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA04462 for firewalls-outgoing; Wed, 9 Apr 1997 09:36:14 -0700 (PDT) Received: from mail-oak-2.pilot.net (mail-oak-2.pilot.net [198.232.147.17]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id JAA01238 for ; Wed, 9 Apr 1997 09:15:38 -0700 (PDT) Received: from relay1.clorox.com (relay.clorox.com [168.189.64.36]) by mail-oak-2.pilot.net with ESMTP id JAA25608; Wed, 9 Apr 1997 09:14:18 -0700 (PDT) Received: from maverick (maverick.clorox.com) by relay1.clorox.com with ESMTP (CEMS 5.01/1.37.109.14) id AA281332962; Wed, 9 Apr 1997 09:22:42 -0700 Message-Id: <334BC059.D8E2F042@Clorox.com> Date: Wed, 09 Apr 1997 09:14:17 -0700 From: Paul Rarey Organization: The Clorox Services Company X-Mailer: Mozilla 4.0b3 [en] (WinNT; I) Mime-Version: 1.0 To: "Kelly E. Gibbs" Cc: firewalls@GreatCircle.COM Subject: Re: POP3/SMTP Performance/impact??? X-Priority: 3 (Normal) References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Kelly E. Gibbs wrote: > > Does anyone know where to obtain a study that would indicate the impact > of smtp/pop3 mail on a network, perhaps with calculations, graphcs, > and methodology. If you find one - let us know. From experience though, SMTP/POP3 is lighter-weight than most every thing else you'd use. 
[ psr ] From owner-firewalls-outgoing Wed Apr 9 10:36:29 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA07691 for firewalls-outgoing; Wed, 9 Apr 1997 09:56:05 -0700 (PDT) Received: from relay.hq.tis.com (relay.hq.tis.com [192.94.214.100]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id JAA07580 for ; Wed, 9 Apr 1997 09:55:43 -0700 (PDT) Received: by relay.hq.tis.com; id MAA10728; Wed, 9 Apr 1997 12:50:31 -0400 (EDT) Received: from clipper.hq.tis.com(10.33.1.2) by relay.hq.tis.com via smap (3.2) id xma010706; Wed, 9 Apr 97 12:50:10 -0400 Received: from gildor.hq.tis.com (gildor.hq.tis.com [10.33.80.10]) by clipper.hq.tis.com (8.7.5/8.7.3) with SMTP id MAA01287; Wed, 9 Apr 1997 12:53:55 -0400 (EDT) Message-Id: <3.0.1.32.19970409125409.02acfe94@pop.hq.tis.com> X-Sender: avolio@pop.hq.tis.com X-Mailer: Windows Eudora Pro Version 3.0.1 (32) Date: Wed, 09 Apr 1997 12:54:09 -0400 To: "Kelly Gibbs" , From: Frederick M Avolio Subject: Re: Unknown email spam ??? In-Reply-To: <199704091448.HAA28568@proxy1.ba.best.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I got your mail and *my* address wasn't in any of the headers. Just as with postal mail, there is a difference between the mail header addresses and the envelope addresses. Your address must be on the envelope in order for you to get the mail. Your address was on the SPAM mail envelope. This is not a firewalls subject though, so enough said. Get a book on E-mail, such as Sendmail Theory and Practice by Paul Vixie. Digital Press. 
f --- (voice) +1 301-854-5749; (fax) +1 301-854-5363 Web site: http://www.tis.com/ PGP Key: http://www.tis.com/docs/corporate/fredpgp.html PGP Key fingerprint =37 6B 35 BB B2 07 BE B7 D5 47 C3 30 4E 39 A2 EE From owner-firewalls-outgoing Wed Apr 9 10:48:31 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA04343 for firewalls-outgoing; Wed, 9 Apr 1997 09:35:35 -0700 (PDT) Received: from mail-oak-2.pilot.net (mail-oak-2.pilot.net [198.232.147.17]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id JAA04329 for ; Wed, 9 Apr 1997 09:35:27 -0700 (PDT) Received: from relay1.clorox.com (relay.clorox.com [168.189.64.36]) by mail-oak-2.pilot.net with ESMTP id JAA28945; Wed, 9 Apr 1997 09:34:18 -0700 (PDT) Received: from maverick (maverick.clorox.com) by relay1.clorox.com with ESMTP (CEMS 5.01/1.37.109.14) id AA284154164; Wed, 9 Apr 1997 09:42:44 -0700 Message-Id: <334BC50C.E5DECF00@Clorox.com> Date: Wed, 09 Apr 1997 09:34:20 -0700 From: Paul Rarey Organization: The Clorox Services Company X-Mailer: Mozilla 4.0b3 [en] (WinNT; I) Mime-Version: 1.0 To: Mark Teicher Cc: Greg Perrucci , firewalls@GreatCircle.COM, Roger Nebel Subject: Re: Secure Email Client packages X-Priority: 3 (Normal) References: <3.0.32.19970409103928.007cc440@mail.bbnplanet.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Mark Teicher wrote: > > Greg, > > The problem I am having with this, is how does one exchange the public and > private keys for encrypted email to work successfully. What it seems that > the client on each end has to have a email client that capable of using > with having the user modifying their end client. If installation is > somewhat tricky, then how do successfully lobby this concept to a potential > customer stating this... > > /mark Ahhh.... you want a different list for this discussion but I'll give you a hint... 
never ever exchange your private key. Put your public key "finger print" on your business card. [ psr ] From owner-firewalls-outgoing Wed Apr 9 11:06:25 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA03362 for firewalls-outgoing; Wed, 9 Apr 1997 09:29:55 -0700 (PDT) Received: from mail-oak-2.pilot.net (mail-oak-2.pilot.net [198.232.147.17]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id JAA03346 for ; Wed, 9 Apr 1997 09:29:43 -0700 (PDT) Received: from relay1.clorox.com (relay.clorox.com [168.189.64.36]) by mail-oak-2.pilot.net with ESMTP id JAA28079; Wed, 9 Apr 1997 09:28:42 -0700 (PDT) Received: from maverick (maverick.clorox.com) by relay1.clorox.com with ESMTP (CEMS 5.01/1.37.109.14) id AA283243827; Wed, 9 Apr 1997 09:37:07 -0700 Message-Id: <334BC3BA.C0033F2C@Clorox.com> Date: Wed, 09 Apr 1997 09:28:42 -0700 From: Paul Rarey Organization: The Clorox Services Company X-Mailer: Mozilla 4.0b3 [en] (WinNT; I) Mime-Version: 1.0 To: Mark Teicher Cc: firewalls@GreatCircle.COM Subject: Re: Secure Email Client packages X-Priority: 3 (Normal) References: <3.0.32.19970409075702.007b93a0@mail.bbnplanet.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk -----BEGIN PGP SIGNED MESSAGE----- Mark Teicher wrote: > > Has anyone seen or worked with secure email client packages..?? > recommendations, thoughts,?? > > /mark There's actually a number of them out there. Question being - where's the interoperabiltiy matrix. RSA's trying to get S/MIME as "the standard" but it has challenges ahead of it. Today PGP is the most pervasive Email privacy standard around. Check-out www.pgp.com. Their 4.5 plug-in for Eudora & Netscape Email agents (3.x - not for Communicator yet) is ... nice. 
[ psr ] -----BEGIN PGP SIGNATURE----- Version: 4.5 iQCVAgUBM0vDfVN27MyxZ8InAQHergP+N8AOIndf7cWon32pcvqXyTD/QciI9Xrz fC1hiOuvx2/LLLsCIWr9wbfjNhazIzgmjr/Pg6xoUCxo92Yz5Xi/yb28WMwnuEHB y6yagR1RaSKOyBYX4HMNWDtazV7qonhV81CIl6/mJ3w9y2FCPO3UpREMrTdrtuer kDn2+TEZQvM= =L+yj -----END PGP SIGNATURE----- From owner-firewalls-outgoing Wed Apr 9 11:07:17 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA03163 for firewalls-outgoing; Wed, 9 Apr 1997 09:28:56 -0700 (PDT) Received: from scribe.cc.purdue.edu (scribe.cc.purdue.edu [128.210.11.6]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id JAA03141 for ; Wed, 9 Apr 1997 09:28:49 -0700 (PDT) Received: from ia01.freh.purdue.edu by scribe.cc.purdue.edu; Wed, 9 Apr 97 11:27:44 -0500 Comments: Authenticated sender is From: "Michael S Hines" Organization: Purdue University To: firewalls@greatcircle.com Date: Wed, 9 Apr 1997 11:30:16 -0500 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Re: FW: Monitoring Info Reply-to: mshines@purdue.edu X-mailer: Pegasus Mail for Win32 (v2.42) Message-Id: <334bc3803585002@scribe.cc.purdue.edu> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > From: BLeBlanc@igate.sprint.com > Date: 9 APR 97 09:16:54 CDT > Subject: FW: Monitoring Info > To: firewalls@greatcircle.com > Hey Stuart, > > I heard from someone who heard from someone else who was talking to > someone who thought they heard them mention your name - And > they said... Your an A-Hole. > > > [Stuart Johnson's load of garbage deleted] > > Take your slander and go away... far away! I should hope that all slander, liable, etc. might be taken to the appropriate courts of justice and this list could return to firewall subjects... Calling someone an A-Hole does not reflect well upon Sprint.com either, in my opinion and really has nothing at all to do with Firewalls either... 
----------------------------------------------------------------- Internet: mshines@purdue.edu * Michael S. Hines, CDP, CFE Voice: (765) 494-5845 * Sr. Information Systems Auditor FAX: (765) 496-1814 * Purdue University * 1065 Freehafer Hall * West Lafayette, IN 47907-1065 From owner-firewalls-outgoing Wed Apr 9 11:17:11 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA03219 for firewalls-outgoing; Wed, 9 Apr 1997 09:29:14 -0700 (PDT) Received: from mail.diginsite.com (mail.diginsite.com [208.2.189.2]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id JAA03165 for ; Wed, 9 Apr 1997 09:28:57 -0700 (PDT) Received: from march.diginsite.com by mail.diginsite.com (AIX 3.2/UCB 5.64/4.03) id AA08251; Wed, 9 Apr 1997 09:25:51 -0700 Message-Id: <9704091625.AA08251@mail.diginsite.com> From: "David Lang" To: "Shabbir Khan" , Subject: Re: Firewalls-Digest V6 #147 Date: Wed, 9 Apr 1997 09:28:21 -0700 X-Msmail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1155 Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I think you will need to do the masquerading at the kernel level. look at the ipfw and ipfwadm programs. there is a web site that has a html based manual online for this at http://simba.xos.nl/linux/ipfwadm this includes examples David Lang ---------- > From: Shabbir Khan > To: Firewalls@GreatCircle.COM > Cc: firewalls-digest@GreatCircle.COM > Subject: Re: Firewalls-Digest V6 #147 > Date: Tuesday, April 08, 1997 10:47 PM > > I am finding Firewall Digest to be a very valuable service. > We are using an Intel box (running Craftworks Linux 2.x > version) to serve as a firewall between our internal network > and the ISP. I need your help as soon as possible to solve > a simple problem. Can anyone help us pls ? Here is the > problem description: > > My linux machine contains two interface cards. 
One > provides the internet connection and the other connects > to the internal network. The machine is running the > SOCKS 4.2 server. The internal network is configured with > the class C address 192.168.2.x. The external network > interface is totally different (all four fields). > > I need to run a service on an internal machine > (say 192.168.2.4) on a little used port (6780). I would > like to open this port on the linux server and direct > all incoming requests on port 6780 to be directed to > the internal machine (192.168.2.4). > > I know how to configure sockd.conf on the Linux box to > open up this port (6780) to all the source addresses > and use sockd.route to redirect the traffic to the > internal net. However, since all the incoming requests > will contain the internet address of the external > interface card as the destination address, how do I tell > the port 6780 traffic to go to 192.168.2.4? Is there > any way to accomplish this? > > Thanks very much for your help. > > Shabbir Khan (shabbir@skylightsoft.com) > Skylight Software, Inc. 
> Tel: 408-249-6396 > Fax: 408-249-6397 From owner-firewalls-outgoing Wed Apr 9 11:46:13 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA09578 for firewalls-outgoing; Wed, 9 Apr 1997 10:07:09 -0700 (PDT) Received: from ALABAMA.CF.CS.YALE.EDU (RT-GW.CS.YALE.EDU [128.36.0.13]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id KAA09552 for ; Wed, 9 Apr 1997 10:06:59 -0700 (PDT) From: long-morrow@CS.YALE.EDU Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU (8.7.1/res.host.cf-4.0) with ESMTP id NAA20170; Wed, 9 Apr 1997 13:05:50 -0400 (EDT) sender long-morrow@CS.YALE.EDU for Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-8.7.1/res.client.cf-4.0) id NAA16408; Wed, 9 Apr 1997 13:05:47 -0400 (EDT) Date: Wed, 9 Apr 1997 13:05:47 -0400 (EDT) Message-Id: <199704091705.NAA16408@SPARKY.CF.CS.YALE.EDU> To: firewalls@greatcircle.com, kgibbs@best.com Subject: Re: Unknown email spam ??? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk From: "Kelly Gibbs" >Junk email, such as the one below, has been showing up in various email >boxes. The problem >isn't the email itself, but people are confused because this email isn't >even addressed to them, >and no where in the email header does it have that persons email address. >Can anyone offer >an idea or answer as to how this is happening? > >Here's the message header. My email address is kgibbs@best.com. It's >addressed to >you@proxy2.ba.best.com. Thanks. >[attached message deleted] The real recipient(s) don't have to correspond to the addresses listed in the To:, Cc: or Bcc: headers of the message. They don't even have to show up anywhere in the headers of the message. For example, many messages to mailing lists just show the mailing list name (aka distribution list name) in the To: header: To: Cat Lovers List The individual recipients of the message don't show up in the RFC822 header in this case (nor would you want potentially 3,000+ addresses to). 
But the real recipients at your site will be listed in the SMTP msg envelope (the out-of-band information that is communicated via the SMTP 'RCPT TO: ' command verb during the transaction with your SMTP relay MTA). Many sites log this information which is outside of the message (body and headers) into /var/log/syslog if they are running Unix and sendmail as part of their e-mail relay to/from the Internet.

You can also cause the real recipient(s) to be listed in the Received: headers with the following sendmail.cf code so that you can see who (what address) was actually being mailed to as well as the o-o-b sender address:

#
# In V8 Sendmail $u is set to the original recipient and is available
# for diagnostic/debugging use (ie. in the Received: header) prior to
# aliasing. Comment out the original format of the Received: header.
#
#HReceived: $?sfrom $s $.by $j$?r via $r$.; $b
HReceived: $?sfrom $s $.by $j$?r ($v/$V) with $r$. id $i; $b sender $f for $u

- Morrow

From owner-firewalls-outgoing Wed Apr 9 12:23:10 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA09912 for firewalls-outgoing; Wed, 9 Apr 1997 10:09:15 -0700 (PDT) Received: from wizard.abirnet.co.il (wizard.abirnet.co.il [194.90.211.10]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id KAA09872 for ; Wed, 9 Apr 1997 10:08:58 -0700 (PDT) Received: from ziv.abirnet.co.il (z1.abirnet.co.il [194.90.211.21]) by wizard.abirnet.co.il (8.7.6/8.7.3) with SMTP id UAA06199; Wed, 9 Apr 1997 20:07:53 +0300 Date: Wed, 9 Apr 97 20:09:57 From: Ziv Dascalu Subject: RE: Unknown email spam ??? To: firewalls@GreatCircle.COM, Kelly Gibbs X-PRIORITY: 3 (Normal) X-Mailer: Chameleon 5.0, TCP/IP for Windows, NetManage Inc.
Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=ISO-8859-1 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk --- On Wed, 9 Apr 1997 07:08:45 -0700 Kelly Gibbs wrote: >Problem: > >Junk email, such as the one below, has been showing up in various email >boxes. The problem >isn't the email itself, but people are confused because this email isn't >even addressed to them, >and no where in the email header does it have that persons email address. >Can anyone offer >an idea or answer as to how this is happening? > >Here's the message header. My email address is kgibbs@best.com. It's >addressed to >you@proxy2.ba.best.com. Thanks. > >>Received: from proxy2.ba.best.com (root@proxy2.ba.best.com >>[206.184.139.13]) by shellx.best.com (8.8.5/8.8.3) with ESMTP id >>WAA16437; Tue, 8 Apr 1997 22:47:42 -0700 (PDT) >>Received: from mail.redrove.com (secserver.redrove.com [208.1.237.21]) >by >proxy2.ba.best.com (8.8.5/8.8.3) with SMTP id WAA09808; Tue, 8 Apr >1997 >22:41:29 -0700 (PDT) >>Date: Tue, 8 Apr 1997 22:41:29 -0700 (PDT) >>Message-Id: <199704090541.WAA09808@proxy2.ba.best.com> >>Received: from [208.1.237.227] by mail.redrove.com >> (SMTPD32-3.04) id AD1BBD00D0; Tue, 08 Apr 1997 13:39:55 -0700 >>Comments: Authenticated sender is >>From: "mail.redrove.com" >>To: you@proxy2.ba.best.com >>Subject: Hi > > > > >> We've really missed you!! >> >> Want to show you all of the new things we have learned about loving each >other. >> >> Find us by entering this address in your web browser. >> >> http://www.sweeties.com >> >> Love, >> >> Amy and Erin >> >> >> Warning: You must be over 21 to enter the commercial site referenced in >this message. This message is being sent to interested consumers know of >the availability of this site to paying adult customers only. We hope to >improve our future communications >> with your help. 
If you do not wish, for any reason, to continue to be
>on the e-mail distribution list that resulted in this message being sent to
>you, simply send an e-mail reply with your e-mail address and the message
>"please remove me from your e-mail distribution list." Thank you.

-----------------End of Original Message-----------------

it is done using BCC usage or just having different commands in the data and the envelope of SMTP

/Ziv

/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\
| A B I R N E T Active Network Protection http://www.AbirNet.com |
\~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~/

From owner-firewalls-outgoing Wed Apr 9 12:26:30 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA06950 for firewalls-outgoing; Wed, 9 Apr 1997 09:51:20 -0700 (PDT) Received: from gatekeeper.Bridge.COM (gatekeeper.bridge.com [167.76.159.11]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id JAA06807 for ; Wed, 9 Apr 1997 09:50:51 -0700 (PDT) Received: (from mailproxy@localhost) by gatekeeper.Bridge.COM (8.6.12/8.6.9) id LAA25408; Wed, 9 Apr 1997 11:42:11 -0500 Received: from dns1srv.bridge.com(167.76.36.6) by gatekeeper.Bridge.COM via smap (V1.3) id sma025404; Wed Apr 9 11:42:10 1997 Received: from ignatz (ignatz.bridge.com [167.76.24.6]) by dns1srv.bridge.com (8.7.6/8.7.3) with SMTP id LAA25781; Wed, 9 Apr 1997 11:49:31 -0500 (CDT) Date: Wed, 9 Apr 1997 11:49:31 -0500 (CDT) From: Ken Hardy X-Sender: ken@ignatz To: Kelly Gibbs cc: firewalls@GreatCircle.COM Subject: Re: Unknown email spam ??? In-Reply-To: <199704091448.HAA28568@proxy1.ba.best.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Kelly,

Well, your message was addressed to "firewalls@greatcircle.com", not to me, but I still got it.
It's the same thing; what's in the header and what's on the "envelope" can be two entirely different things. The spammers have gotten somewhat more "sophisticated" in this regard. The To: header really needn't have anything to do with how the message was delivered. Some MTAs, like some newer versions of sendmail, will put the envelope addressee in the Received-from: header that it adds. Though many mail user agents hide those headers, they should still be accessible one way or another if it's important to know how the email was addressed for delivery. Or you can look at the mail logs for messages from the spammer's address. Today I got mgmt's okay to start actively blocking email spam. 8-) See http://spam.abuse.net/spam/. -- KH On Wed, 9 Apr 1997, Kelly Gibbs wrote: > Problem: > > Junk email, such as the one below, has been showing up in various email > boxes. The problem > isn't the email itself, but people are confused because this email isn't > even addressed to them, > and no where in the email header does it have that persons email address. > Can anyone offer > an idea or answer as to how this is happening? > > Here's the message header. My email address is kgibbs@best.com. It's > addressed to > you@proxy2.ba.best.com. Thanks. > > >Received: from proxy2.ba.best.com (root@proxy2.ba.best.com > >[206.184.139.13]) by shellx.best.com (8.8.5/8.8.3) with ESMTP id > >WAA16437; Tue, 8 Apr 1997 22:47:42 -0700 (PDT) > >Received: from mail.redrove.com (secserver.redrove.com [208.1.237.21]) >by > proxy2.ba.best.com (8.8.5/8.8.3) with SMTP id WAA09808; Tue, 8 Apr >1997 > 22:41:29 -0700 (PDT) > >Date: Tue, 8 Apr 1997 22:41:29 -0700 (PDT) > >Message-Id: <199704090541.WAA09808@proxy2.ba.best.com> > >Received: from [208.1.237.227] by mail.redrove.com > > (SMTPD32-3.04) id AD1BBD00D0; Tue, 08 Apr 1997 13:39:55 -0700 > >Comments: Authenticated sender is > >From: "mail.redrove.com" > >To: you@proxy2.ba.best.com > >Subject: Hi > > > > > > We've really missed you!! 
> > > > Want to show you all of the new things we have learned about loving each > other. > > > > Find us by entering this address in your web browser. > > > > http://www.sweeties.com > > > > Love, > > > > Amy and Erin > > > > > > Warning: You must be over 21 to enter the commercial site referenced in > this message. This message is being sent to interested consumers know of > the availability of this site to paying adult customers only. We hope to > improve our future communications > > with your help. If you do not wish, for any reason, to continue to be > on the e-mail distribution list that resulted in this message being sent to > you, simply send an e-mail reply with your e-mail address and the message > "please remove me from your e-ma > > il distribution list." Thank you. > > From owner-firewalls-outgoing Wed Apr 9 12:30:41 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA12074 for firewalls-outgoing; Wed, 9 Apr 1997 10:21:37 -0700 (PDT) Received: from fw2.mwcia.org (fw2.mwcia.org [206.9.85.5]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id KAA12036 for ; Wed, 9 Apr 1997 10:21:18 -0700 (PDT) Received: from rwh (rickh.mwcia.org [192.138.165.131]) by fw2.mwcia.org (8.8.5/8.8.5) with SMTP id LAA16449; Wed, 9 Apr 1997 11:25:33 -0500 Message-Id: <3.0.32.19970409122259.00914a30@fw2.mwcia.org> X-Sender: rwh@fw2.mwcia.org X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Wed, 09 Apr 1997 12:23:04 -0500 To: "Lynda J. Meyer" , , "Mark Teicher" , "Ziv Dascalu" From: Richard Hoffbeck Subject: Re: Secure Email Client packages Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 10:21 AM 4/9/97 -0400, you wrote: >There's an email package by Phil Zimmerman's new company....it used to be >called ViaCrypt--the new name for their co escapes me right now. 
And the >new IE 4.0 beta seems to have this built in (although it's a bit premature >to deploy in production). More information on PGPMail is available at http://www.pgp.com I'm using it with Eudora and it also provides a plug-in for Netscape 3.0. Once the keys are set up its pretty much icon driven. The one annoying thing I've found so far is, as best I can tell, it doesn't encrypt attachments automatically. You have to use the Enclytor Toolbar to encrypt the file and then attach the encrypted version. It also requires that you hit the encrypt/sign icon to process the message. Ideally I'd like a client that will handle as much of this as it can automatically. If keys are available for the recepients, I'd like the message to be automatically encrypted. If someone sends me e-mail that contains a public key that I don't already have, I'd like it at least pop-up an 'Add Key' dialog .... and so on. --rick +-----------------------------------------------------------------+ | Richard Hoffbeck phone: 612.897.6442| | Sr Systems Analyst | | Minnesota Workers Comp Insurer's Association | | | | Finger rwh@visi.com for PGP key : | | Fingerprnt = 1C DD 13 FB 11 1D E7 73 2F A1 9B 52 86 0F A2 2B | +-----------------------------------------------------------------+ From owner-firewalls-outgoing Wed Apr 9 12:47:36 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA02018 for firewalls-outgoing; Wed, 9 Apr 1997 09:22:01 -0700 (PDT) Received: from bianca.iway.fr (bianca.iway.fr [194.98.67.67]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id JAA01975 for ; Wed, 9 Apr 1997 09:21:47 -0700 (PDT) Received: from xu00aad9.bnp.fr ([159.50.129.128]) by bianca.iway.fr (8.8.5/8.8.5) with SMTP id SAA25713 for ; Wed, 9 Apr 1997 18:20:40 +0200 (MET DST) Message-ID: <334C401F.4327@bnp.fr> Date: Wed, 09 Apr 1997 18:19:27 -0700 From: Olivier Scotti Reply-To: oscotti@bnp.fr Organization: Banque Nationale de Paris, PARIS 9e - (DOSI-IT) X-Mailer: 
Mozilla 3.01Gold [fr] (Win16; I) MIME-Version: 1.0 To: Firewalls@GreatCircle.COM Subject: How to permit "IDENT" through PIX Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, Could someone help us to resolve this problem?: We have connected our network to the Internet (about 20,000 machines). This connection is secured by a firewall which permit http, ftp, smtp and pop3 as outside connections (I mean from our network to the Internet). Our mail server (SMTP/Pop3) is outside our network (It is located inside our provider's network). That's why, the only "inside connection" authorized by our firewall is for IDENT protocol (port 113; from the mail server to the client). The problem is that we are going to change very soon our firewall: the new one will be a PIX (cisco). By default, the PIX blocks every connection arriving from the Internet except if we configure a "conduit" (a pathway between two machines). But our mail server is outside (this will not change before several months) and this server can potentially make IDENT connections with thousands clients wich are inside our network ! So we can not create thousands pathways on the PIX ! Is it possible to create a conduit between a machine (the mail server) and a subnet (our class B)? Otherwise is there an other solution? 
Thanks, Olivier -- ------------------------------------------------------------------------- Olivier Scotti, Banque Nationale de Paris (DOSI - Telecoms Unix) Paris 9e E-mail: oscotti@bnp.fr Phone: +33 01 40 14 85 23 Fax: +33 01 40 14 35 41 ------------------------------------------------------------------------- From owner-firewalls-outgoing Wed Apr 9 12:52:16 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA15179 for firewalls-outgoing; Wed, 9 Apr 1997 10:46:36 -0700 (PDT) Received: from [198.102.244.42] (pb520.greatcircle.com [198.102.244.42]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id KAA15172; Wed, 9 Apr 1997 10:46:27 -0700 (PDT) X-Sender: brent@honor.greatcircle.com Message-Id: In-Reply-To: <3.0.1.32.19970409125409.02acfe94@pop.hq.tis.com> References: <199704091448.HAA28568@proxy1.ba.best.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Wed, 9 Apr 1997 10:45:24 -0800 To: Frederick M Avolio , From: Brent Chapman Subject: Re: Unknown email spam ??? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 12:54 PM -0400 4/9/97, Frederick M Avolio wrote: >I got your mail and *my* address wasn't in any of the headers. > >Just as with postal mail, there is a difference between the mail header >addresses and the envelope addresses. Your address must be on the envelope >in order for you to get the mail. Your address was on the SPAM mail envelope. > >This is not a firewalls subject though, so enough said. Get a book on >E-mail, such as Sendmail Theory and Practice by Paul Vixie. Digital Press. Hey, didn't Vix have a coauthor on that book? Named Avolio or something like that?
:-) -Brent -- Brent Chapman Internet/intranet training and consulting, Brent@GreatCircle.COM specializing in network design and security. Great Circle Associates,Inc. Visit us at http://www.greatcircle.com/ From owner-firewalls-outgoing Wed Apr 9 13:17:43 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA12067 for firewalls-outgoing; Wed, 9 Apr 1997 10:21:32 -0700 (PDT) Received: from gw.research.megasoft.com (gw.research.megasoft.com [206.230.35.93]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id KAA12031 for ; Wed, 9 Apr 1997 10:21:16 -0700 (PDT) Received: (from uucp@localhost) by gw.research.megasoft.com (8.7.5/8.7.3-cmcurtin) id NAA12300; Wed, 9 Apr 1997 13:18:42 -0400 (EDT) Received: from goffette.research.megasoft.com(192.168.1.2) by gw.research.megasoft.com via smap (V2.0) id xma012296; Wed, 9 Apr 97 13:18:16 -0400 Received: (from cmcurtin@localhost) by goffette.research.megasoft.com (8.8.5/8.8.5) id NAA01395; Wed, 9 Apr 1997 13:18:29 -0400 (EDT) Date: Wed, 9 Apr 1997 13:18:29 -0400 (EDT) Message-Id: <199704091718.NAA01395@goffette.research.megasoft.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit From: C Matthew Curtin To: Ziv Dascalu Cc: firewalls@GreatCircle.COM, Domenico Viggiani Subject: RE: E-mail scanning In-Reply-To: References: X-Mailer: VM 6.22 under 19.15 XEmacs Lucid X-Face: "&>g(&eGr?u^F:nFihL%BsyS1[tCqG7}I2rGk4{aKJ5I_5A\*6RYn4"N.`1pPF9LO!Fa<(gj:12)?=uP2l01e10Gij"7j&-)torL^iBrNf\s7PDLm=rf[PjxtSbZ{J(@@j"q2/iV9^Mx>>>> "Ziv" == Ziv Dascalu writes: >>>>> "Domenico" == Domenico Viggiani wrote: Domenico> Is there the possibility to do some e-mail content-scanning in Domenico> order to avoid data-driven attacks? Ziv> YES, you can do email scanning in three places. Ziv> 3. 
on the client , look at net manage zmail rules, www.netmanage.com This is really the only place where it makes sense, since it's trivial to get around filtering mechanisms in the middle. Simply encoding the naughtiness a la uuencode, Base64, ROT-13, etc., is enough to fool most (any?) mechanisms. But user education is going to be more important (and efficient!) than scanning for badness. (Simple rule: if someone sends you an executable you're not expecting, or you can't somehow prove that the person who sent you the attachment is who he claims to be, don't run it...) -- Matt Curtin Chief Scientist Megasoft, Inc. cmcurtin@research.megasoft.com http://www.research.megasoft.com/people/cmcurtin/ I speak only for myself Death to small keys. Crack DES NOW! http://www.frii.com/~rcv/deschall.htm From owner-firewalls-outgoing Wed Apr 9 13:20:23 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA13045 for firewalls-outgoing; Wed, 9 Apr 1997 10:29:23 -0700 (PDT) Received: from gw.research.megasoft.com (gw.research.megasoft.com [206.230.35.93]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id KAA12996 for ; Wed, 9 Apr 1997 10:28:54 -0700 (PDT) Received: (from uucp@localhost) by gw.research.megasoft.com (8.7.5/8.7.3-cmcurtin) id NAA12397; Wed, 9 Apr 1997 13:26:42 -0400 (EDT) Received: from goffette.research.megasoft.com(192.168.1.2) by gw.research.megasoft.com via smap (V2.0) id xma012395; Wed, 9 Apr 97 13:26:25 -0400 Received: (from cmcurtin@localhost) by goffette.research.megasoft.com (8.8.5/8.8.5) id NAA01437; Wed, 9 Apr 1997 13:26:38 -0400 (EDT) Date: Wed, 9 Apr 1997 13:26:38 -0400 (EDT) Message-Id: <199704091726.NAA01437@goffette.research.megasoft.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit From: C Matthew Curtin To: Mark Teicher Cc: firewalls@GreatCircle.COM Subject: Re: Secure Email Client packages In-Reply-To: 
<3.0.32.19970409075702.007b93a0@mail.bbnplanet.com> References: <3.0.32.19970409075702.007b93a0@mail.bbnplanet.com> X-Mailer: VM 6.22 under 19.15 XEmacs Lucid X-Face: "&>g(&eGr?u^F:nFihL%BsyS1[tCqG7}I2rGk4{aKJ5I_5A\*6RYn4"N.`1pPF9LO!Fa<(gj:12)?=uP2l01e10Gij"7j&-)torL^iBrNf\s7PDLm=rf[PjxtSbZ{J(@@j"q2/iV9^Mx>>>> "Mark" == Mark Teicher writes: Mark> Has anyone seen or worked with secure email client packages..?? Mark> recommendations, thoughts,?? PGP. http://www.viacrypt.com/ (for commercial users) http://web.mit.edu/network/pgp.html (individuals) It's free for individuals, cheap for corporations, ubiquitous, strong, easily integrated into your environment, and runs on practically every platform that has any significant number of users. (Windoze, DOS, OS/2, MacOS, every flavor of Unix imaginable, Amiga, etc.) The noise being made about S/MIME, etc., is currently just noise. The only clients that I've seen that can do it are from RSA, and for Windoze machines only. Things might change with Netscape's incorporation of it into their browser. However, these require certificate authorities and all of that overhead, which might (or might not!) be too far away -- infrastructure-wise -- to solve your problem in the time period that you're looking for. Hope that helps. -- Matt Curtin Chief Scientist Megasoft, Inc. cmcurtin@research.megasoft.com http://www.research.megasoft.com/people/cmcurtin/ I speak only for myself Death to small keys. Crack DES NOW! 
http://www.frii.com/~rcv/deschall.htm From owner-firewalls-outgoing Wed Apr 9 13:55:58 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA13702 for firewalls-outgoing; Wed, 9 Apr 1997 10:35:27 -0700 (PDT) Received: from gw.research.megasoft.com (gw.research.megasoft.com [206.230.35.93]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id KAA13666 for ; Wed, 9 Apr 1997 10:35:14 -0700 (PDT) Received: (from uucp@localhost) by gw.research.megasoft.com (8.7.5/8.7.3-cmcurtin) id NAA12465; Wed, 9 Apr 1997 13:33:13 -0400 (EDT) Received: from goffette.research.megasoft.com(192.168.1.2) by gw.research.megasoft.com via smap (V2.0) id xma012463; Wed, 9 Apr 97 13:33:07 -0400 Received: (from cmcurtin@localhost) by goffette.research.megasoft.com (8.8.5/8.8.5) id NAA01457; Wed, 9 Apr 1997 13:33:20 -0400 (EDT) Date: Wed, 9 Apr 1997 13:33:20 -0400 (EDT) Message-Id: <199704091733.NAA01457@goffette.research.megasoft.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit From: C Matthew Curtin To: "Kelly Gibbs" Cc: Subject: Re: Unknown email spam ??? In-Reply-To: <199704091448.HAA28568@proxy1.ba.best.com> References: <199704091448.HAA28568@proxy1.ba.best.com> X-Mailer: VM 6.22 under 19.15 XEmacs Lucid X-Face: "&>g(&eGr?u^F:nFihL%BsyS1[tCqG7}I2rGk4{aKJ5I_5A\*6RYn4"N.`1pPF9LO!Fa<(gj:12)?=uP2l01e10Gij"7j&-)torL^iBrNf\s7PDLm=rf[PjxtSbZ{J(@@j"q2/iV9^Mx>>>> "Kelly" == Kelly Gibbs writes: Kelly> Problem: Junk email, such as the one below, has been showing up Kelly> in various email boxes. The problem isn't the email itself, (Well, perhaps not the problem at hand, but it's a problem ... believe me...) Kelly> but people are confused because this email isn't even addressed Kelly> to them, and no where in the email header does it have that Kelly> persons email address. Can anyone offer an idea or answer as Kelly> to how this is happening? 
The way it gets to the destination is by having the real address it's going to in the SMTP envelope. This is what's passed from MTA (Mail Transfer Agent, such as sendmail, qmail, etc.) to MTA before the SMTP DATA command. The "To:" header that shows up in your message is the "To:" that's part of the data part of the message itself, as opposed to the envelope. Only MTAs see the envelope, so the user only sees what's in the message data itself. As a result, the To: header is something bogus, but lots of real people get the spam anyway. Death to spam. http://www.vix.com/spam/ -- Matt Curtin Chief Scientist Megasoft, Inc. cmcurtin@research.megasoft.com http://www.research.megasoft.com/people/cmcurtin/ I speak only for myself Death to small keys. Crack DES NOW! http://www.frii.com/~rcv/deschall.htm From owner-firewalls-outgoing Wed Apr 9 14:47:43 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA16819 for firewalls-outgoing; Wed, 9 Apr 1997 13:37:58 -0700 (PDT) Received: from fw2.mwcia.org (fw2.mwcia.org [206.9.85.5]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id NAA16767 for ; Wed, 9 Apr 1997 13:37:43 -0700 (PDT) Received: from rwh (rickh.mwcia.org [192.138.165.131]) by fw2.mwcia.org (8.8.5/8.8.5) with SMTP id OAA19282; Wed, 9 Apr 1997 14:41:24 -0500 Message-Id: <3.0.32.19970409153850.00941ec0@fw2.mwcia.org> X-Sender: rwh@fw2.mwcia.org X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Wed, 09 Apr 1997 15:39:25 -0500 To: Mark Teicher , firewalls@GreatCircle.COM, lmeyer@nette.com From: Richard Hoffbeck Subject: Re: Secure Email Client packages MIME-Version: 1.0 Content-Type: application/x-pkcs7-mime; name="smime.p7m" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7m" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk From owner-firewalls-outgoing Wed Apr 9 15:10:32 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA16721 
for firewalls-outgoing; Wed, 9 Apr 1997 13:37:36 -0700 (PDT) Received: from guru.unixpros.com (guru.unixpros.com [207.17.234.5]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id NAA16515 for ; Wed, 9 Apr 1997 13:37:00 -0700 (PDT) Message-Id: <199704092037.NAA16515@honor.greatcircle.com> Received: by guru.unixpros.com (1.38.193.4/16.2) id AA28039; Wed, 9 Apr 1997 16:33:34 -0400 From: Stan Wnuck Subject: Re: Secure Email Client packages To: mteicher@bbnplanet.com (Mark Teicher) Date: Wed, 9 Apr 97 16:33:34 EDT Cc: firewalls@GreatCircle.COM In-Reply-To: <3.0.32.19970409075702.007b93a0@mail.bbnplanet.com>; from "Mark Teicher" at Apr 09, 97 7:57 am Mailer: Elm [revision: 70.85] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > Has anyone seen or worked with secure email client packages..?? > recommendations, thoughts,?? > > /mark > > I have worked with FORTEZZA enabled products including: Armor Mail for CC:Mail, Armor Mail for MS Mail, Triteal's TED Secure, and soon Netscape's FORTEZZA enabled server and client. Stan Wnuck swnuck@unixpros.com Unixpros, Inc. 10 Industrial Way East (908) 389-3295 x542 Eatontown, NJ 07724 (908) 389-5461 Fax PM-CHS Technology Insertion Office Ft. 
Monmouth Army Base, NJ (908) 427-2033 / 427-6963 From owner-firewalls-outgoing Wed Apr 9 15:43:43 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA14721 for firewalls-outgoing; Wed, 9 Apr 1997 10:42:31 -0700 (PDT) Received: from gw.intuit.com (fw.intuit.com [199.2.32.4]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id KAA14704 for ; Wed, 9 Apr 1997 10:42:24 -0700 (PDT) Received: by gw.intuit.com (4.1/SMI-4.1) id AA10034; Wed, 9 Apr 97 10:38:41 PDT Received: from cliff.intuit.com(199.2.34.38) by gw.intuit.com via smap (V1.3) id sma009695; Wed Apr 9 10:37:41 1997 Received: from ra.intuit.com.intuit.com by cliff.intuit.com (4.1/SMI-4.1d) id AA02404; Wed, 9 Apr 97 10:35:52 PDT From: corby@intuit.com (Corby Anderson) Message-Id: <9704091735.AA02404@cliff.intuit.com> Subject: Re: Unknown email spam ??? To: firewalls@greatcircle.com Date: Wed, 9 Apr 1997 10:37:36 -0700 (PDT) X-Mailer: ELM [version 2.4 PL22] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Problem: > > Junk email, such as the one below, has been showing up in various email > boxes. The problem > isn't the email itself, but people are confused because this email isn't > even addressed to them, > and no where in the email header does it have that persons email address. > Can anyone offer > an idea or answer as to how this is happening? > > Here's the message header. My email address is kgibbs@best.com. It's > addressed to > you@proxy2.ba.best.com. Thanks. E-mail messages have two sets of headers: the envelope headers (which you can't see) and the message headers (which you can see). Junk messages like this supply a dummy To: header in the message headers (you@proxy2.ba.best.com, in this case *) but have legitimate addressees in the envelope. Believe it or not, this is a feature. 
It's frustrating that advertising weasels who don't know a thing about sendmail can purchase an off-the-shelf package that runs on NT or Windows95 that misuses this feature for Evil. This feature of sendmail is useful for things like mailing lists (we don't see the address of EVERY subscriber in the To: headers for this list) and Bcc: (I bcc:ed you on this e-mail, but you don't see your address anywhere in the headers).

---- the sender for your junk mail, don@mail.redrove.com, is valid. He's
---- using an NT to spam you. Drop him a line and complain.

ra$ telnet mail.redrove.com 25
Trying 208.1.237.111 port 25...
220 X1 NT-SMTP Server mail.redrove.com (IMail 3.04 6998-6)
vrfy don
250 ok, its for
quit
221 Goodbye
Remote server has closed connection
Connection closed by foreign host.
ra$

* the sender probably didn't specify the @proxy2.ba.best.com part -- they probably just put "you" in the header, but the sendmail program at best.com added the domain part of the address.

> >Received: from proxy2.ba.best.com (root@proxy2.ba.best.com
> >[206.184.139.13]) by shellx.best.com (8.8.5/8.8.3) with ESMTP id
> >WAA16437; Tue, 8 Apr 1997 22:47:42 -0700 (PDT)
> >Received: from mail.redrove.com (secserver.redrove.com [208.1.237.21]) by
> > proxy2.ba.best.com (8.8.5/8.8.3) with SMTP id WAA09808; Tue, 8 Apr 1997
> > 22:41:29 -0700 (PDT)
> >Date: Tue, 8 Apr 1997 22:41:29 -0700 (PDT)
> >Message-Id: <199704090541.WAA09808@proxy2.ba.best.com>
> >Received: from [208.1.237.227] by mail.redrove.com
> > (SMTPD32-3.04) id AD1BBD00D0; Tue, 08 Apr 1997 13:39:55 -0700
> >Comments: Authenticated sender is
> >From: "mail.redrove.com"
> >To: you@proxy2.ba.best.com
> >Subject: Hi
> >
[message deleted]

From owner-firewalls-outgoing Wed Apr 9 15:51:27 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA24981 for firewalls-outgoing; Wed, 9 Apr 1997 14:26:40 -0700 (PDT) Received: from mail.clark.net (mail.clark.net [168.143.0.10]) by honor.greatcircle.com
(8.8.5/Honor-970308-1) with ESMTP id OAA24943 for ; Wed, 9 Apr 1997 14:26:15 -0700 (PDT) Received: from mjr.clark.net (mjr.clark.net [168.143.19.61]) by mail.clark.net (8.8.5/8.6.5) with SMTP id RAA24652; Wed, 9 Apr 1997 17:24:46 -0400 (EDT) Message-Id: <199704092124.RAA24652@mail.clark.net> Comments: Authenticated sender is From: "Marcus J. Ranum" Organization: V-ONE Corp Baltimore office To: "'firewalls@greatcircle.com'" , Jonathan McCown Date: Wed, 9 Apr 1997 17:28:10 +0000 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Re: NCSA - Dissing MJR? Not so. Reply-to: mjr@clark.net X-mailer: Pegasus Mail for Win32 (v2.42a) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Jonathan McCown writes: > Marcus helped us in the beginning, but felt we were > not rigorous enough. Actually, that's not *quite* it. I feel there's an inherent tension in any certification process depending, in a nutshell, on who is paying for it. It's not that I felt that NCSA wasn't being rigorous enough -- it's that I felt NCSA would always be between a rock and a hard place, and your efforts would always be hampered by questions about choosing the right level of rigorousness!! When I think back to the discussions we had back then (and this was a while ago!) I recall that I was mostly annoyed that the people who really "owned" the problem stayed silent. Folks like NIST and other (ahem) nameless branches of the government that also, because of funding or procurement politics or office politics or the fact that they've got an obsolete spook mindset couldn't contribute to a certification effort. I recall the bulk of the discussion went something like this -- mjr (philosophizing): The problem with certification is that to certify something, you must first decide what is "good" and then only certify things that are "good." This will tend to annoy those who don't agree on your definition of "good." 
Bales & Tippett: BUT - a certification programme can be useful without a globally accepted definition of "good." We start with a baseline criterion and keep raising the bar from there. Truth is, I think both positions are reasonable, but they can't co-exist very well. What's funny is that in the long run, I think my philosophical position was too extreme. I was ignoring the fact that firewall technologies are now all approximately equally "good" and that the biggest factor affecting an individual firewall's security is how the end user configures it. I guess a good analogy would be NTSB testing seatbelts -- as long as it is strong enough, then the real problem is making sure that the user *wears* it. mjr. ----- Marcus J. Ranum, Network Flight Recorder, Inc. New BooK! Personal: http://www.clark.net/pub/mjr Work: http://www.nfr.net From owner-firewalls-outgoing Wed Apr 9 15:58:12 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id PAA00788 for firewalls-outgoing; Wed, 9 Apr 1997 15:04:55 -0700 (PDT) Received: from seismo2.CSS.GOV (seismo2.CSS.GOV [140.162.1.24]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id PAA00759 for ; Wed, 9 Apr 1997 15:04:46 -0700 (PDT) Received: from zydeco.CSS.GOV (zydeco [140.162.3.172]) by seismo2.CSS.GOV (8.8.5/8.8.5) with ESMTP id RAA02831 for ; Wed, 9 Apr 1997 17:26:00 -0400 (EDT) Received: (from dbrown@localhost) by zydeco.CSS.GOV (8.8.5/8.8.5) id RAA05243 for Firewalls@greatcircle.com; Wed, 9 Apr 1997 17:00:56 -0400 (EDT) From: Dan Brown Message-Id: <199704092100.RAA05243@zydeco.CSS.GOV> Subject: Cisco PIX vs Sun SPF vs Gauntlet. To: Firewalls@greatcircle.com Date: Wed, 9 Apr 1997 17:00:55 -0400 (EDT) X-Mailer: ELM [version 2.4 PL25] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I know were sorta talking apples and oranges... 
anyone have feelings on the merits of each of these boxes... Cisco's PIX, Sun's SPF and TIS's Gauntlet? AND, does anyone know of any published comparisons?

Thanks.
Dan.
--
Dan Brown dbrown@seismo.css.gov

From owner-firewalls-outgoing Wed Apr 9 16:04:44 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA17383 for firewalls-outgoing; Wed, 9 Apr 1997 11:00:08 -0700 (PDT)
Received: from nova.unix.portal.com (nova.unix.portal.com [156.151.1.101]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id KAA17268 for ; Wed, 9 Apr 1997 10:59:46 -0700 (PDT)
Received: from demon.corp.portal.com (demon.corp.portal.com [156.151.1.10]) by nova.unix.portal.com (8.6.11/8.6.5) with ESMTP id KAA07813 for ; Wed, 9 Apr 1997 10:56:52 -0700
Received: from pinpc30.corp.portal.com (pinpc30.corp.portal.com [156.151.1.129]) by demon.corp.portal.com (8.6.11/8.6.5) with SMTP id KAA00828 for ; Wed, 9 Apr 1997 10:56:52 -0700
Received: by pinpc30.corp.portal.com with Microsoft Mail id <01BC44D4.36880290@pinpc30.corp.portal.com>; Wed, 9 Apr 1997 10:53:09 -0700
Message-ID: <01BC44D4.36880290@pinpc30.corp.portal.com>
From: Dana Bourgeois
To: "firewalls@greatcircle.com"
Subject: RE: Unknown email spam ???
Date: Wed, 9 Apr 1997 11:00:45 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The addressee is in the envelope which is tossed at final delivery. This is basically how bcc: works. The envelope contains bcc: addresses but not the header so if you get mail and you're not listed as an addressee, this is the mechanism that was used. When combined with bouncing from an unprotected mail host, the effect is total anonymity after delivery. You might be able to trace it via sendmail logs on all the hosts it passed through. Good luck....

-----Original Message-----
From: Kelly Gibbs [SMTP:kgibbs@best.com]
Sent: Wednesday, April 09, 1997 10:27
To: firewalls@greatcircle.com
Subject: Unknown email spam ???

Problem: Junk email, such as the one below, has been showing up in various email boxes. The problem isn't the email itself, but people are confused because this email isn't even addressed to them, and nowhere in the email header does it have that person's email address.

Can anyone offer an idea or answer as to how this is happening?

Here's the message header. My email address is kgibbs@best.com. It's addressed to you@proxy2.ba.best.com.

Thanks.

>Received: from proxy2.ba.best.com (root@proxy2.ba.best.com
>[206.184.139.13]) by shellx.best.com (8.8.5/8.8.3) with ESMTP id
>WAA16437; Tue, 8 Apr 1997 22:47:42 -0700 (PDT)
>Received: from mail.redrove.com (secserver.redrove.com [208.1.237.21])
>by proxy2.ba.best.com (8.8.5/8.8.3) with SMTP id WAA09808; Tue, 8 Apr
>1997 22:41:29 -0700 (PDT)
>Date: Tue, 8 Apr 1997 22:41:29 -0700 (PDT)
>Message-Id: <199704090541.WAA09808@proxy2.ba.best.com>
>Received: from [208.1.237.227] by mail.redrove.com
> (SMTPD32-3.04) id AD1BBD00D0; Tue, 08 Apr 1997 13:39:55 -0700
>Comments: Authenticated sender is
>From: "mail.redrove.com"
>To: you@proxy2.ba.best.com
>Subject: Hi
> We've really missed you!!
>
> Want to show you all of the new things we have learned about loving each other.
>
> Find us by entering this address in your web browser.
>
> http://www.sweeties.com
>
> Love,
>
> Amy and Erin
>
>
> Warning: You must be over 21 to enter the commercial site referenced in this message. This message is being sent to interested consumers know of the availability of this site to paying adult customers only. We hope to improve our future communications
> with your help.
> If you do not wish, for any reason, to continue to be on the e-mail distribution list that resulted in this message being sent to you, simply send an e-mail reply with your e-mail address and the message "please remove me from your e-mail distribution list." Thank you.

From owner-firewalls-outgoing Wed Apr 9 16:06:25 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id PAA06872 for firewalls-outgoing; Wed, 9 Apr 1997 15:43:52 -0700 (PDT)
Received: from proxy3.ba.best.com (proxy3.ba.best.com [206.184.139.14]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id PAA06863 for ; Wed, 9 Apr 1997 15:43:46 -0700 (PDT)
Received: from kgibbs.realogic.com ([204.240.200.36]) by proxy3.ba.best.com (8.8.5/8.8.3) with ESMTP id PAA26651; Wed, 9 Apr 1997 15:35:25 -0700 (PDT)
Message-Id: <199704092235.PAA26651@proxy3.ba.best.com>
Reply-To:
From: "Kelly E. Gibbs"
To:
Cc:
Subject: Re: Unknown email spam ???
Date: Wed, 9 Apr 1997 15:35:55 -0700
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1155
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Are there any references on the Internet that provide a technical detail of how this actually works?

----------
> From: Sydney Weinstein
> To: Kelly Gibbs
> Subject: Re: Unknown email spam ???
> Date: Wednesday, April 09, 1997 10:00 AM
>
> the headers have nothing to do with the delivery, they show the path
> taken. The delivery is controlled by the envelope. That is outside
> of the message. I can send a message to anyone, regardless of the
> contents of the to: or cc: lines.
>
> Mail spams do this because it's easier to send the message to 1000's
> of people as an envelope to all 1000 or so with one 'body'. Cuts down
> on their connect time/transfer amount.
>
> --
> Sydney S.
Weinstein, CDP, CCP Former Elm Coordinator - Current 2.4PL25 > Myxa Corporation Current Elm Coordinator: elm@myxa.com > syd@Myxa.COM or dsinc!syd Voice: (215) 947-9900, FAX: (215) 938-0235 > Welcome Page: http://www.myxa.com Elm WWW: http://www.myxa.com/elm.html From owner-firewalls-outgoing Wed Apr 9 16:53:14 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id QAA11314 for firewalls-outgoing; Wed, 9 Apr 1997 16:06:44 -0700 (PDT) Received: from himalia.eastgw.xerox.com (himalia.ext.eastgw.xerox.com [208.140.33.21]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id QAA11207 for ; Wed, 9 Apr 1997 16:06:11 -0700 (PDT) Received: (from uucp@localhost) by himalia.eastgw.xerox.com (8.8.5/8.8.5) id TAA04190 for ; Wed, 9 Apr 1997 19:05:07 -0400 (EDT) Received: from dnsmaster.cinops.xerox.com(13.252.44.4) by himalia.eastgw.xerox.com via smap (3.2) id xma004186; Wed, 9 Apr 97 19:04:47 -0400 Received: from jchouanard ([13.142.100.2]) by dnsmaster.cinops.xerox.com (8.8.5/8.8.5) with SMTP id TAA19889 for ; Wed, 9 Apr 1997 19:04:43 -0400 (EDT) Message-Id: <3.0.1.32.19970409190333.0098c710@petes.cinops.xerox.com> X-Sender: jean@petes.cinops.xerox.com X-Mailer: Windows Eudora Pro Version 3.0.1 (32) Date: Wed, 09 Apr 1997 19:03:33 -0400 To: firewalls@GreatCircle.COM From: Jean Chouanard Subject: Re: Secure Email Client packages In-Reply-To: <199704092037.NAA16515@honor.greatcircle.com> References: <3.0.32.19970409075702.007b93a0@mail.bbnplanet.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Does any of these packages can encrypt and/or sign the documents attached to a mail note and the mail note itself in one step? It should be nice to have this as an option, now that attachments are (unfortunately...:-) more and more common. Jean --- Jean Chouanard jean@cinops.xerox.com Xerox Corp. 
TSI / Security Phone: (716) 423 4608 Firewalls & Network Security Fax: (716) 423 4240 From owner-firewalls-outgoing Wed Apr 9 16:54:06 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id PAA00983 for firewalls-outgoing; Wed, 9 Apr 1997 15:06:16 -0700 (PDT) Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id OAA23442 for ; Wed, 9 Apr 1997 14:14:59 -0700 (PDT) Received: from ns.ncsa.com (ns.ncsa.com [205.160.199.1]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with SMTP id NAA18230 for ; Wed, 9 Apr 1997 13:47:49 -0700 (PDT) Received: from portal.ncsa.com (root@portal.ncsa.com [205.160.199.10]) by ns.ncsa.com (8.6.12/8.6.9) with ESMTP id RAA25044 for ; Wed, 9 Apr 1997 17:52:53 -0400 Received: from serv10.ncsa.com (serv10.ncsa.com [172.20.200.10]) by portal.ncsa.com (8.8.5/8.8.4) with SMTP id QAA14720 for ; Wed, 9 Apr 1997 16:51:14 -0400 Received: by serv10.ncsa.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BC4505.7424C0D0@serv10.ncsa.com>; Wed, 9 Apr 1997 16:45:38 -0400 Message-ID: From: Jonathan McCown To: "'firewalls@greatcircle.com'" Cc: "'mjr@v-one.com'" Subject: NCSA - Dissing MJR? Not so. Date: Wed, 9 Apr 1997 16:45:37 -0400 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk NCSA has tremendous respect for Marcus Ranum both as a technical leader and as a businessman. Marcus was kind enough to attend an early meeting during the organization of our Firewalls consortium and discuss the possibilities of a firewall certification process. We value his input. 
Although he elected not to continue as one of our advisors (which was indeed, entirely pro bono), we continue to take his input seriously-- pointed though it may be. I can only believe that the questionable statement attributed to Dr. Tippett was misheard or misinterpreted. The statement most often made by any of our staff is that Marcus helped us in the beginning, but felt we were not rigorous enough. In no way did NCSA request that Marcus distance himself due to self promotion. Signed, Jon McCown NCSA Network Security Lab ------------------------------------------------------------------------ - jdm1@ncsa.com http://www.ncsa.com/ From owner-firewalls-outgoing Wed Apr 9 17:02:23 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id PAA01233 for firewalls-outgoing; Wed, 9 Apr 1997 15:08:05 -0700 (PDT) Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id OAA23447 for ; Wed, 9 Apr 1997 14:15:00 -0700 (PDT) Received: from honcho.columbiasc.ncr.com (reverse-153-78.NCR.COM [153.78.17.231]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with SMTP id NAA18238 for ; Wed, 9 Apr 1997 13:47:53 -0700 (PDT) Received: from exchsmtp.ColumbiaSC.NCR.COM (exchsmtp.ColumbiaSC.NCR.COM [153.78.122.72]) by honcho.columbiasc.ncr.com (8.6.12/8.6.12) with SMTP id QAA03304 for ; Wed, 9 Apr 1997 16:45:44 -0400 Received: by exchsmtp.ColumbiaSC.NCR.COM with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BC4505.7701A200@exchsmtp.ColumbiaSC.NCR.COM>; Wed, 9 Apr 1997 16:45:43 -0400 Message-ID: From: "Caldwell, Matt" To: "'firewalls@GreatCircle.COM'" Subject: Getting Rid of the SPAM Date: Wed, 9 Apr 1997 16:45:46 -0400 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Send your "I hate SPAM mail" to don@orderamerica.com or just CALL (btw calling usually 
is more effective) His name is Donald Pulliam (702) 737-7294 He runs several Porn sites and is NOT very conscious of security issues. He seems to be using it for "marketing" however a bigger problem exists , CYBERPROMO.COM sells the services that DON has been using to SPAM mine and everyone else's domains. Cyberpromo.com recently WON a case against AOL for using there system to market many sites. According to the article from Associated Press, AOL had to add a special filtering program to the current AOL version. (Now that is pathetic) So after you finish emailing DON. Email and Call Sanford Wallace (215) 628-9780 domreg@cyberpromo.com request that your domain be removed from the mailing list and you do not want to receive anymore emails from him or you will consider it a Denial of Service Attack In addition check out his webpage he "claims" to have been the PIONEER of SPAM and he offers a solution for a PRICE of $49.95. grrrrrrrrr Matthew F. Caldwell - Security / Unix Administrator -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- VC3 Systems Engineer http://www.vc3.com email: matt.caldwell@vc3.com Office: (803) 939-2322 Pager: (803) 954-1855 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Senders of unsolicited commercial E-Mail to this account implicitly agree to a $1000.00 proofing fee -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Key fingerprint = 96 B6 9B 2C 67 A6 69 FF 79 55 56 C1 17 28 35 58 > > > > From owner-firewalls-outgoing Wed Apr 9 19:19:16 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id TAA10824 for firewalls-outgoing; Wed, 9 Apr 1997 19:02:46 -0700 (PDT) Received: from is.usmo.com (is.usmo.com [206.27.148.10]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id TAA10789 for ; Wed, 9 Apr 1997 19:02:36 -0700 (PDT) Received: from klt (ppp132027.usmo.com [206.100.132.27]) by is.usmo.com (8.7.6/8.6.9) with SMTP id VAA25221; Wed, 9 Apr 1997 21:05:35 -0500 Message-ID: 
<334C4986.78C3@mail.usmo.com> Date: Wed, 09 Apr 1997 20:59:34 -0500 From: Charlie Taylor Reply-To: ktaylor@mail.usmo.com Organization: Dell Computer Corporation X-Mailer: Mozilla 3.01Gold (Win95; I) MIME-Version: 1.0 To: Domenico Viggiani CC: firewalls@GreatCircle.COM Subject: Re: E-mail scanning References: <334A1261.7F08@gst.cgs.it> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Domenico Viggiani wrote: > > Is there the possibility to do some e-mail content-scanning in order to > avoid data-driven attacks? > > TIA > -- > > Domenico Viggiani E-mail:dviggian@gst.cgs.it > CAP GEMINI ITALY SpA PHONE 39 6 23190509 i don't know, can i ask you something. when you signed up for this firewall thing, did u start getting a bunch of e-mail???? thanx --ct From owner-firewalls-outgoing Wed Apr 9 20:06:51 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id TAA16058 for firewalls-outgoing; Wed, 9 Apr 1997 19:58:09 -0700 (PDT) Received: from fw2.mwcia.org (fw2.mwcia.org [206.9.85.5]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id TAA16043 for ; Wed, 9 Apr 1997 19:58:02 -0700 (PDT) Received: from pc (dialin1_local.mwcia.org [192.138.165.169]) by fw2.mwcia.org (8.8.5/8.8.5) with SMTP id UAA20406; Wed, 9 Apr 1997 20:48:54 -0500 Message-Id: <3.0.32.19970409214533.00963e00@fw2.mwcia.org> X-Sender: rwh@fw2.mwcia.org X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Wed, 09 Apr 1997 21:45:36 -0500 To: Jean Chouanard , firewalls@GreatCircle.COM From: Richard Hoffbeck Subject: Re: Secure Email Client packages Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 07:03 PM 4/9/97 -0400, Jean Chouanard wrote: >Does any of these packages can encrypt and/or sign the documents attached >to a mail note and the mail note itself in one step? 
> >It should be nice to have this as an option, now that attachments are >(unfortunately...:-) more and more common. Based on a late beta of PGPMail and a current demo version of Demming's S/MIME plug-in for Eudora the answer seems to be that PGPMail doesn't and Demming's package does encrypt attachments. The Demming package looks fairly well designed except that sending a message without signing it or encrypting bundles the entire message into a big mime attachment. At first look I didn't see an ASCII armor option so the resulting file quoted the high bit characters but left the control characters intact. On the otherhand, I know people with PGP keys but don't know anyone with a Verisign key. I also have a problem with buy encryption software with the name Demming on it. Does anyone know if it actually bears any relationship to the mother of key escrow? --rick +-----------------------------------------------------------------+ | Richard Hoffbeck phone: 612.636.4249 | | fax: 612.624.2196 | | Finger rwh@visi.com for PGP key : | | Fingerprnt = 1C DD 13 FB 11 1D E7 73 2F A1 9B 52 86 0F A2 2B | +-----------------------------------------------------------------+ From owner-firewalls-outgoing Wed Apr 9 20:41:51 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id UAA18742 for firewalls-outgoing; Wed, 9 Apr 1997 20:27:12 -0700 (PDT) Received: from mozcom.com (mozcom2.mozcom.com [202.47.132.2]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id UAA18706 for ; Wed, 9 Apr 1997 20:26:54 -0700 (PDT) Received: from savee ([207.0.113.210]) by mozcom.com (8.8.5/8.8.5) with SMTP id LAA01706 for ; Thu, 10 Apr 1997 11:34:59 +0800 (HKT) Message-ID: <334C608E.7515@mozcom.com> Date: Thu, 10 Apr 1997 11:37:50 +0800 From: "Jet B. 
Bagadion"
Organization: Information Networking
X-Mailer: Mozilla 3.0Gold (X11; I; SunOS 5.5 sun4m)
MIME-Version: 1.0
To: firewalls@greatcircle.com
Subject: NAT
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

We have Firewall-1 v2.0 and currently it is used in one network to connect to the Internet. We're using NAT to hide our internal IP. I want to connect a remote location connected via RIP and still want to use NAT for this remote location. Is this possible? PCs on remote location are Win95. A diagram is shown below.

Thanks.
Jet

          [Internet]
              |
              |
              |
           [Router]
              |
              |
          [Firewall]
              |
---------------------------------
              |
           [Router]
             /
            /
           /
          /
       [Router]
          |
--------------------------------

From owner-firewalls-outgoing Wed Apr 9 21:07:20 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id UAA19925 for firewalls-outgoing; Wed, 9 Apr 1997 20:35:47 -0700 (PDT)
Received: from relay1.shore.net (relay1.shore.net [192.233.85.129]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id UAA19907 for ; Wed, 9 Apr 1997 20:35:41 -0700 (PDT)
Received: from [198.115.179.81] (vin.shore.net [198.115.179.81]) by relay1.shore.net (8.8.3/8.8.3) with ESMTP id XAA20352; Wed, 9 Apr 1997 23:34:15 -0400 (EDT)
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 9 Apr 1997 23:36:54 -0500
To: firewalls@greatcircle.com
From: Vin McLellan
Subject: FW-1 and Securid cards
Cc: Francois_ARCASEDDA@paribas.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Banque Paribas' Francois ARCA-SEDDA wrote:

> I thought FW-1 was compatible with Dynamics Securid cards and more
> particularly with token re-synchronisation and new pin creation.
>
> From their browser our users are authenticated on the Firewall using
> their securid cards. This works successfully.
> > However, > whenever the user is prompted to give its next token or whenever he is > prompt to give its new pin number, a form appears on its browser, but > when a user fills it and presses the OK button to submit it, the > browser returns a "Contains no data" error, and no modification is > made. > > What's wrong ? Checkpoint acknowledges that there is a problem with their code for handling two-factor authentication over http.. I presume this problem is in the http "proxy" they use to pass SecurID authentication queries to the ACE/Client that is integrated into FW-1. The exact nature of the problem, the cause, and the solution are not yet known fully understood, but some sort of statement is expected soon. I expect you will hear from them directly -- and I hope Checkpoint (or you) will also be willing to share the explanation with the List. I'm curious myself. Suerte, _Vin Vin McLellan + The Privacy Guild + 53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548 -- <@><@> -- From owner-firewalls-outgoing Wed Apr 9 21:07:37 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id UAA20308 for firewalls-outgoing; Wed, 9 Apr 1997 20:39:02 -0700 (PDT) Received: from relay6.UU.NET (relay6.UU.NET [192.48.96.16]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id UAA20296 for ; Wed, 9 Apr 1997 20:38:56 -0700 (PDT) Received: from lambchop.nette.com by relay6.UU.NET with SMTP (peer crosschecked as: [207.79.243.12]) id QQckpq13071; Wed, 9 Apr 1997 23:37:55 -0400 (EDT) Message-Id: X-Mailer: Microsoft Outlook Express 4.71.0544.0 From: "Lynda J. 
Meyer" To: , "Mark Teicher" Subject: Re: Secure Email Client packages Date: Wed, 9 Apr 1997 23:38:21 -0400 X-Priority: 3 X-MSMail-Priority: Normal MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-MimeOLE: Produced By Microsoft MimeOLE Engine V4.71.0544.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk There's a possible miscommunication in my prior email....I meant to say that MS IE4.0 is offering encryption, not that it was PGP. Both Netscape and MSFT are supporting s/mime. Lynda J. Meyer mailto:lmeyer@nette.com 212.889.2015 Net Technologies, Inc. http://www.nette.com/ ---- From: Mark Teicher To: firewalls@greatcircle.com; lmeyer@nette.com Date: Wednesday, April 09, 1997 11:05 AM Subject: Re: Secure Email Client packages >>From: "Lynda J. Meyer" >OK, Here it is again, the secure feature of encrypted email is the exchange >of keys. If this is not correct, can someone please correct me on this. >How does one do it without compromising one's security...??? > >/mark > > >>To: firewalls@greatcircle.com, Mark Teicher , >> Ziv Dascalu >>MMDF-Warning: Parse error in original version of preceding line at >mail.bbnplanet.com >>Subject: Re: Secure Email Client packages >>Date: Wed, 9 Apr 1997 10:21:09 -0400 >>X-MSMail-Priority: Normal >>X-MimeOLE: Produced By Microsoft MimeOLE Engine V4.71.0544.0 >> >>There's an email package by Phil Zimmerman's new company....it used to be >>called ViaCrypt--the new name for their co escapes me right now. And the >>new IE 4.0 beta seems to have this built in (although it's a bit premature >>to deploy in production). >> >>Lynda J. Meyer >>mailto:lmeyer@nette.com 212.889.2015 >>Net Technologies, Inc. 
http://www.nette.com/ >> >> ---- >>From: Ziv Dascalu >>To: firewalls@GreatCircle.COM; Mark Teicher >>Date: Wednesday, April 09, 1997 10:10 AM >>Subject: RE: Secure Email Client packages >> >>> >>>--- On Wed, 09 Apr 1997 07:57:09 -0500 Mark Teicher >m> wrote: >>> >>>>Has anyone seen or worked with secure email client packages..?? >>>>recommendations, thoughts,?? >>>> >>>>/mark >>> >>>Hi, >>>I know netmanage Zmail has this built in. >>>/Ziv >>> >>> /~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ >>\ >>> | A B I R N E T Active Network Protection http://www.AbirNet.co m >> | >>> \~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ >>/ >>> >>> >> >> > From owner-firewalls-outgoing Wed Apr 9 21:16:41 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id UAA18597 for firewalls-outgoing; Wed, 9 Apr 1997 20:26:23 -0700 (PDT) Received: from staff.cs.su.OZ.AU (staff.cs.su.OZ.AU [129.78.8.1]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id UAA18561 for ; Wed, 9 Apr 1997 20:26:12 -0700 (PDT) Received: from suede.sw.oz.au by swallow.sw.oz.au with ESMTP id DAA27934; Thu, 10 Apr 1997 03:24:38 GMT (8.6.10/Unixware) (from pjc@sw.oz.au for ) Received: from suede.sw.oz.au by suede.sw.oz.au with SMTP id DAA02915; Thu, 10 Apr 1997 03:24:35 GMT (SMI-8.6/1.34) (from pjc@softway.com.au for ) Message-ID: <334C5D73.5E6D@softway.com.au> Date: Thu, 10 Apr 1997 13:24:35 +1000 From: Peter Clark Organization: Softway Pty Ltd X-Mailer: Mozilla 3.01 (X11; I; SunOS 5.5.1 sun4m) MIME-Version: 1.0 To: Mark Teicher CC: firewalls@greatcircle.com Subject: Re: Secure Email Client packages References: <3.0.32.19970409103928.007cc440@mail.bbnplanet.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Mark Teicher wrote: > > Greg, > > The problem I am having with this, is how does one exchange the public and > private keys for 
encrypted email to work successfully. What it seems that > the client on each end has to have a email client that capable of using > with having the user modifying their end client. If installation is > somewhat tricky, then how do successfully lobby this concept to a potential > customer stating this... > > /mark I agree, it really depends on where you think the security problems will occur (internet or internally or both) and finding something to suit that problem. ie. If it's more a worry about the internet security (packet sniffing along the way etc.) then you should probably look into some of the VPN technology. This is really being brought along nicely with Cisco's 11.2 IOS. And the various firewall VPN software. It basically allows you to create a VPN between CERTAIN networks over the net. This is really nice for instance for Advertising Agencies that want to know that their Marketing Schedule for McDonalds for the year in Australia isn't going to be picked up when emailed to them. All other networks it will treat "normally" :) If the problem is more internal or both then PGP would probably be more easily implemented (although not necessarily more easily managed unless the key management has become easier since I last looked). 'luck Peter -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Peter Clark http://www.softway.com.au Security Engineer Softway Pty Ltd Phone: (+612) 9698 2322 Fax : (+612) 9699 9174 "If I can't be god, I don't wanna play." 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- From owner-firewalls-outgoing Wed Apr 9 21:48:49 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id VAA26824 for firewalls-outgoing; Wed, 9 Apr 1997 21:20:18 -0700 (PDT) Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id VAA26792 for ; Wed, 9 Apr 1997 21:20:03 -0700 (PDT) Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id XAA19201; Wed, 9 Apr 1997 23:14:34 -0500 (EST) From: Adam Shostack Message-Id: <199704100414.XAA19201@homeport.org> Subject: Re: Secure Email Client packages In-Reply-To: <3.0.32.19970409214533.00963e00@fw2.mwcia.org> from Richard Hoffbeck at "Apr 9, 97 09:45:36 pm" To: rwh@visi.com (Richard Hoffbeck) Date: Wed, 9 Apr 1997 23:14:34 -0500 (EST) Cc: jean@cinops.xerox.com, firewalls@GreatCircle.COM X-Mailer: ELM [version 2.4ME+ PL27 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk | On the otherhand, I know people with PGP keys but don't know anyone | with a Verisign key. I also have a problem with buy encryption | software with the name Demming on it. Does anyone know if it | actually bears any relationship to the mother of key escrow? I think you're thinking orf Dr Dorothy DeNNing of Georgetown University, as the mother of key escrow. If she certified that software didn't have key escrow in it, I'd be inclined to trust but verify. She has a political opinion which I strongly and vehemently disagree with. However, while she may twist the facts, I doubt that she'd out and out lie. Adam -- "It is seldom that liberty of any kind is lost all at once." 
-Hume From owner-firewalls-outgoing Wed Apr 9 22:07:04 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id VAA26801 for firewalls-outgoing; Wed, 9 Apr 1997 21:20:09 -0700 (PDT) Received: from Jellydonut.COM ([204.75.38.90]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id VAA26786 for ; Wed, 9 Apr 1997 21:19:58 -0700 (PDT) Received: (from tom@localhost) by Jellydonut.COM (8.8.4/8.8.4) id VAA02995; Wed, 9 Apr 1997 21:18:08 -0700 From: Tom Wells Message-Id: <199704100418.VAA02995@Jellydonut.COM> Subject: Re: Re : Router bottlenecks in ATM network? To: clonvick@cisco.com (Chris Lonvick) Date: Wed, 9 Apr 1997 21:18:08 -0700 (PDT) Cc: firewalls@greatcircle.com In-Reply-To: from "Chris Lonvick" at Apr 8, 97 11:19:06 pm Reply-To: tom@Jellydonut.COM X-Mailer: ELM [version 2.4 PL25] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Well, I thought it originated with Tony Lee's team. And knowing vaguely of Tony's reputation, I would've imagined that it was obvious - Big Fucking Router. Of course, since Cisco decided not aim for the anticipated need 3-5 years from now, some other, more aggressive vendor will provide the solution. Then, of course, Chambers and Mortgridge will come knocking, offering muching bucks and stock to become part of Cisco. Which is partly why Tony no longer works there. Tom An ex-grunt in ECS. Chris Lonvick brazenly announced, "I already won a $1.38 in the Publisher's Clearing House Sweepstakes! You, too, can be winner by reading the details below...." Hi All, Just to add to what Srini says, there's no magic to gettig high speeds through routers/switches in the ATM world. The "router" part will need to assemble the cells of a new session to see where the packets need to be routed. It will also need to check the packets against any filters that you've setup. 
If the session passes the filters, the "router" can tell the "switch" part how to modify the future packets (while still in the cell stream) to change the MAC addresses, ttl, appropriate checksums, etc. The 'BFR' name was derived from Doom (registered version) where you could, at some point, get the BFG. Perhaps someone from Id Software could jump in here; everyone assumed that the B stood for Big, and that the G stood for Gun, but I never heard that everyone reached total concensus about the F. Later, Chris Lonvick Cisco Systems Consulting Engineering Houston, TX, USA +1.713.778.5663 At 05:11 PM 4/8/97 -0400, Srini Seetharam wrote: >Deric Giles wirtes : > >>connection. However in the near future our site is likely to be >>connected to a MAN running at maybe 155Mb/sec and our internal network >>upgraded to ATM at a similar speed. Having two routers in the path >>acting at layer 3 now seem to pose a bottleneck. How can I maintain the >>benefits from the speed upgrades without compromising security? The >>only (partial) solution I can see is to merge the two routers but this > >Various networking companies are developing next generation router technology >that in many instances is geared towards ATM. These routers will perform at >wire speeds around 600Mbps and maybe even beyond. It is sometimes refered to >as the BFR (Big Fast/F...ing/Fat Router). IPsilon already has a solution that >works atleast with 155mbps ATM, maybe higher. Others may have solution today >as well. > >We, at IgT, design chips and software for ATM networks. We are pursuing this >goal of have a solution to this problem with the bulk of the routing and "FLow >detection" at wire speeds being done in a single chip. > >And to add a point that is interetsing to the firewall community, just about >all the schemes of flow detection have inherent packet filtering capabilities >built in to them. 
In addition, the software that goes along with these devices >can be used to be a basis for firewalling software running with these fast >router accelerators. > >srini >-- >------------------------------------------------------------------------ > IgT Srini W. Seetharam | > ------------------------ Integrated Telecom Technology (IgT), | > | __ __ | 18310 Montgomery Village Ave, Suite 300 | > |__| |__ __| |____| Gaithersburg Maryland 20879 | > | |__| | Tel: 301.990.9890 | > | | Fax: 301.990.9893 | > ------------------------ Web: http://www.igt.com/ | > Net: srini@igt.com | >------------------------------------------------------------------------| >Expressed opinions may not be mine and not necessarily be those of IgT. | >------------------------------------------------------------------------| > Linux : The choice of the GNU Generation | >------------------------------------------------------------------------ > > ------------------------------ From owner-firewalls-outgoing Wed Apr 9 22:29:57 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id VAA26107 for firewalls-outgoing; Wed, 9 Apr 1997 21:15:11 -0700 (PDT) Received: from Jellydonut.COM ([204.75.38.90]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id VAA26068 for ; Wed, 9 Apr 1997 21:15:01 -0700 (PDT) Received: (from tom@localhost) by Jellydonut.COM (8.8.4/8.8.4) id VAA02979; Wed, 9 Apr 1997 21:12:58 -0700 From: Tom Wells Message-Id: <199704100412.VAA02979@Jellydonut.COM> Subject: Re: smap troubles To: camille@blakeley.com (Camille Blakeley) Date: Wed, 9 Apr 1997 21:12:58 -0700 (PDT) Cc: firewalls@greatcircle.com In-Reply-To: from "Camille Blakeley" at Apr 8, 97 07:33:46 pm Reply-To: tom@Jellydonut.COM X-Mailer: ELM [version 2.4 PL25] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Camille, I believe I had the same problem as you when first running smapd. 
First, you need to create an /etc/netperm-table (location can be changed in the configuration of FWTK). Then you need to put something similar to the following in it:

    smap, smapd:    userid 16
    smap, smapd:    directory /var/spool/smap
    smapd:          executable /usr/security/smapd
    smapd:          sendmail /usr/sbin/sendmail

Of course, you'll want to create a "smap" user and group, and assign an appropriate UID and GUID. I conveniently set mine to 16 for both.

Second, to ensure that smapd is running to process the mail, you need to create the above directory, fire up smapd, and then edit /etc/rc2.d/Sxxsendmail to have smapd started instead of sendmail. This should be enough. If it isn't, it should be enough for you to find your way from there.

BTW, this particular info isn't very well documented. In fact, I had a hard enough time finding this particular nugget of info to help myself. Even though the toolkit is free, it could use some help from someone associated with it to make the documentation a little bit more verbose, as the sources I downloaded from TIS lacked any documentation, and Alta Vista wasn't too much help, with all the dead links and all.

Tom

Camille Blakeley brazenly announced, "I already won a $1.38 in the Publisher's Clearing House Sweepstakes! You, too, can be winner by reading the details below...."

I know I must be missing something obvious, but I can't figure it out. I've searched all the FAQs and archives I could find. Anyway....

I am running under Solaris 2.5.1 and running sendmail 8.8.5. I downloaded the latest version of FWTK and installed it on the system. I am only trying to run smap, I don't have a need for any of the other tools at this time. I've configured smap (that is the netperm-table) and set up my inetd.conf exactly like the manual says (for smap) and it still doesn't work. I am way stumped.

What happens is, when any outside host connects to port 25, it connects and then gets the connection closed by remote host.
I can email internally on the box and outgoing works just fine, it's just incoming that dies. Any ideas? what am I missing? Any help would be greatly appreciated. Please reply to camille_blakeley@idg.com, I will summarize. Thanks Camille Blakeley Camille Blakeley (camille@blakeley.com) ------------------------------ From owner-firewalls-outgoing Wed Apr 9 23:36:52 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA14070 for firewalls-outgoing; Wed, 9 Apr 1997 23:28:43 -0700 (PDT) Received: from garanti1.garanti.com.tr (garanti1.garanti.com.tr [194.54.51.100]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id XAA14045 for ; Wed, 9 Apr 1997 23:28:34 -0700 (PDT) Received: from Mailhub by garanti1.garanti.com.tr id AA08278; Thu, 10 Apr 1997 09:28:08 +0400 Received: from GarantiUser by GarantiMailServer id AA20978; Thu, 10 Apr 1997 09:26:41 +0400 Received: from [10.0.4.106] by manage1.fw.garanti.com.tr (AIX 4.1/UCB 5.64/4.03) id AA38800; Fri, 11 Apr 1997 09:19:38 +0400 Message-Id: <334D1455.531F@garanti.com.tr> Date: Thu, 10 Apr 1997 09:24:53 -0700 From: Cihan Subasi Reply-To: csubasi@garanti.com.tr Organization: Garanti Ticaret X-Mailer: Mozilla 3.0Gold (Win16; I) Mime-Version: 1.0 To: Firewall Mailing List Subject: Suggest me a better FW.... Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk We are using SNG for about 9 months and seems like with today's figures (+300 users) we are having a bottleneck at the FW...I will appreciate any suggestion about a better replacement...Or anything will work with SNG...(keeping SNG and integrating a better one to offload SNG)... 
Thanks, -- *************************************************************** Cihan Subasi Garanti Ticaret, Istanbul Turkey email= cihans@garanti.com.tr or csubasi@garanti.com.tr Phone= +902126570404 Fax = +902126570473 *************************************************************** From owner-firewalls-outgoing Thu Apr 10 00:51:52 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id AAA19279 for firewalls-outgoing; Thu, 10 Apr 1997 00:50:48 -0700 (PDT) Received: from gst.cgs.it ([194.21.223.3]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id AAA19272 for ; Thu, 10 Apr 1997 00:50:42 -0700 (PDT) Received: from dviggian.gst.cgs.it ([194.21.223.230]) by gst.cgs.it (8.7.5/8.7.3) with SMTP id KAA11994 for ; Thu, 10 Apr 1997 10:11:10 +0200 Message-ID: <334B7D68.128C@gst.cgs.it> Date: Wed, 09 Apr 1997 13:28:40 +0200 From: Domenico Viggiani Organization: CAP GEMINI SpA X-Mailer: Mozilla 3.01 (Win16; I) MIME-Version: 1.0 To: firewalls@greatcircle.com Subject: DNS and IBM AIX Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I read that AIX uses always TCP for both DNS queries and xfer zones. Usually, for DNS queries, UDP is used and, for xfer zones, TCP is used. Is it true? M. 
-- Domenico Viggiani E-mail:dviggian@gst.cgs.it CAP GEMINI ITALY SpA PHONE 39 6 23190509 From owner-firewalls-outgoing Thu Apr 10 02:26:10 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id CAA25679 for firewalls-outgoing; Thu, 10 Apr 1997 02:09:48 -0700 (PDT) Received: from jehova.owl.de (jehova.owl.de [194.121.202.132]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id CAA25664 for ; Thu, 10 Apr 1997 02:09:36 -0700 (PDT) Received: from fiction.pb.owl.de (root@fiction.pb.owl.de [193.174.12.5]) by jehova.owl.de (8.8.5/8.8.5) with SMTP id LAA19448 for ; Thu, 10 Apr 1997 11:08:17 +0200 (MET DST) Received: from squirrel.owl.de by fiction.pb.owl.de with bsmtp id m0wFFr2-00002rC; Thu, 10 Apr 97 11:09 MET DST Received: (qmail 24201 invoked by uid 300); 10 Apr 1997 04:50:32 -0000 Date: 10 Apr 1997 04:50:32 -0000 Message-ID: <19970410045032.24197.qmail@squirrel.owl.de> From: Stuart Johnson To: firewalls@greatcircle.com Subject: Apology Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I would like to apologize for taking the discussion off-topic to the firewalls mailing list. The firewall mailing lists is where the security community can express some of their concerns from both a technical evaluation as well as an end-user perspective. Marcus responses have become emotional and I may have let my own postings to be on the emotional side. Based upon his private emails he sent me, I find it ironic that he publicly impugns my character, yet privately encourages me to consider his soon to be delivered and competing technology. I guess the world will soon find out why Marcus' technology is "better than Haystack and Wheelgroup" but at the same time, not competitive. Just last week, Marcus denigrated and made fun of MimeStar with the SecureNet Pro technology and now knowing that Marcus will compete with MimeStar, it leads me to question the double standards evident in his emotional response. 
As a user, perhaps Marcus doesn't fully understand the end-users need to fully evaluate the product as well as the company that stands behind it. I as well as many other end users have been burned by software companies' promises that were never delivered upon. A company in disarray makes buying their products a higher risk decision.

The questions I raise are legitimate concerns for anyone considering the implementation of this technology across their enterprise. I have received many very valuable emails from end users who factually responded without emotion.

I am sorry valid business concerns are construed as lunacy and mud slinging. Sometimes the truth hurts especially for the guilty party.

With asking these concerns, I am stunned that some of these security "experts" without any standards would publicly denounce someone as a "Network Loon" and try to put someone on trial.

I should have never been drawn into Marcus' roast as I am not evaluating his products anyways (as they don't exist).

Contrary to emotional flames, I only desired to determine if the employee at Haystack was a disgruntled exception or whether the company was truly in as much turmoil and decay as was indicated. This concerns me and any other potential customers of this software. And to this end, customers of both Haystack and Wheelgroup have shared their experiences and have confirmed many of my observations with unbiased facts. To those that have, thank you for your objective input and your professionalism to respond without emotional regard and selfish interest.
Stuart

From owner-firewalls-outgoing Thu Apr 10 05:21:59 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA05640 for firewalls-outgoing; Thu, 10 Apr 1997 05:06:11 -0700 (PDT)
Received: from ha1.ntr.net (ha1.ntr.net [206.112.0.10]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id FAA05632 for ; Thu, 10 Apr 1997 05:06:06 -0700 (PDT)
Received: (from sean@localhost) by ha1.ntr.net (NTR*NET 2.1.0) id IAA05608; Thu, 10 Apr 1997 08:04:30 -0400 (EDT)
From: Sean McPherson
Message-Id: <199704101204.IAA05608@ha1.ntr.net>
Subject: Re: An easy one
To: jhartley@irwin-mdei.army.mil (James Hartley)
Date: Thu, 10 Apr 1997 08:04:30 -0400 (EDT)
Cc: firewalls@greatcircle.com
In-Reply-To: <334BDC29.1D1@irwin-mdei.army.mil> from "James Hartley" at Apr 9, 97 11:12:57 am
X-Mailer: ELM [version 2.4 PL20]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 8bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> before I kick off this beast a quick question or two.
>
> one where does the report go -- I assume you redirect stdout
> if you are running ./tiger (without installing it)
>
> so the command line would look like
> #./tiger > report.asc
> or so.
>
> I know that the question is basic and I apologize for not
> finding the answer in the documentation provided with the release
>

When running tiger, the redirect will simply catch the messages telling about the status as the program runs. The really good stuff (what you actually wanted) goes into a file called

    security.report.machinename.970406-04:00

Assuming you ran the program on April 6 at 4 am. This file goes into the local directory for tiger, unless you specify differently. This is accurate as of version 2.2.3.

Sean McPherson
Systems Administration
sean@ntr.net
--
REALITY.SYS corrupted. Reboot universe?
[Y n] From owner-firewalls-outgoing Thu Apr 10 05:37:01 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA06194 for firewalls-outgoing; Thu, 10 Apr 1997 05:24:31 -0700 (PDT) Received: from mail.rc.on.ca ([207.176.151.2]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id FAA06179 for ; Thu, 10 Apr 1997 05:24:21 -0700 (PDT) Received: by mail.rc.on.ca with Internet Mail Service (5.0.1457.3) id <2NR8XTTD>; Thu, 10 Apr 1997 08:22:58 -0400 Message-ID: From: Russ To: "firewalls@greatcircle.com" , "'Stuart Johnson'" Subject: RE: Apology Date: Thu, 10 Apr 1997 08:22:56 -0400 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1457.3) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Let's see, either you work for Owl (but I don't think so), or you desire to keep your company's identity a secret. You use your apology to the list to re-affirm your claims against the various individuals, so obviously your are not really feeling sorry you sent your original message. You claim now to have additional independent support of your claims, but obviously you can't divulge your sources. You didn't divulge any sources in your first message either. But we should trust you, and believe you, and presumably accept your very half-hearted apology. I don't think so.
Stuart, if you are truly interested in having an impact by helping other would-be buyers of this "technology", why not try and get a little credibility first? If you are not interested in truly helping, or don't feel you should have to have any credibility to make the kinds of bogus claims you are making (and now saying you have further confirmation of), then why did you make the claims in the first place?

In my opinion, your lack of desire to appear in any way credible in your first message led me to believe you are either attempting to affect stock prices or you are a competitor (of course you could also just be trying to create a gig for yourself as a purveyor of supposed inside goop for the net-media). In any event, I considered you a NetLoon although I haven't said so until now.

Got a company name? Who's your boss so we can find out if you are even doing a survey? What are your credentials to say you can even figure out the difference from a supposed customer vs. a forged mail from a competitor? You trust email as gospel?

Get some business savvy Stuart and then come back to us after you've had *your* education, maybe your experiences will be worthy of attention, but for now you're either being manipulated, or manipulative.

As for being put on "trial", what you say publicly is subject to the interpretation of those that read it, that's just the way it is, accept it and move on.

> Cheers,
> Russ
> R.C. Consulting, Inc.
- NT/Internet Security
> owner of the NTBugTraq mailing list:
> http://ntbugtraq.rc.on.ca/index.html
>

From owner-firewalls-outgoing Thu Apr 10 06:09:08 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA08098 for firewalls-outgoing; Thu, 10 Apr 1997 05:50:02 -0700 (PDT)
Received: from cerberus2.fon.sprintcorp.com (cerberus2.fon.sprintcorp.com [204.215.0.61]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id FAA08088 for ; Thu, 10 Apr 1997 05:49:56 -0700 (PDT)
From: BLeBlanc@igate.sprint.com
Received: by cerberus2.fon.sprintcorp.com; id HAA06388; Thu, 10 Apr 1997 07:48:42 -0500 (CDT)
Received: from fonkc28.fon.sprintcorp.com(144.223.19.54) by cerberus2.fon.sprintcorp.com via smap (3.2) id xma006384; Thu, 10 Apr 97 07:48:21 -0500
Received: FROM FONIMAIL.fonkc28.fon.sprintcorp.com BY fonkc28.fon.sprintcorp.com ; 10 APR 97 07:48:41 CDT
Date: 10 APR 97 07:47:09 CDT
Subject: Re: Monitoring Info
To: firewalls@greatcircle.com
Message-ID: <0007bdxjdhpt.H000012201db5c15@igate.sprint.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> mshine wrote:
> "...and really has nothing at all to do with Firewalls either..."

Michael,

You are correct. I guess I fell into Stuart's trap. Having dealt with all of the parties mentioned in his messages and finding each to be of highest character. The viewpoint was nonetheless mine and of course does not reflect that of my employer or anyone else (as is this message).

Apologies for any confusion, and to all for taking the bandwidth. If anyone must comment on this message, please do so directly so it does not further add to the bandwidth.

Peace,
Bob

PS - The "A" stood for "Ace", as defined by Webster's "Ace = An expert in a given field", "Ace in the Hole = Having a hidden advantage".
;-) From owner-firewalls-outgoing Thu Apr 10 06:51:22 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA12944 for firewalls-outgoing; Thu, 10 Apr 1997 06:21:21 -0700 (PDT) Received: from portal.east.saic.com (portal.east.saic.com [198.151.13.15]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id GAA12904 for ; Thu, 10 Apr 1997 06:21:07 -0700 (PDT) Received: from blazer.cist.saic.com ([149.8.156.11]) by portal.east.saic.com via smtpd (for honor.greatcircle.com [198.102.244.44]) with SMTP; 10 Apr 1997 13:21:20 UT Received: from obiwan.cist.saic.com (unverified [149.8.156.16]) by blazer.cist.saic.com (EMWAC SMTPRS 0.83) with SMTP id ; Thu, 10 Apr 1997 09:20:10 -0400 Message-ID: From: "Chris Kostick" To: Subject: Re: Apology Date: Thu, 10 Apr 1997 09:15:44 -0400 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1155 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > I would like to apologize ... ...and the apology was where? 
From owner-firewalls-outgoing Thu Apr 10 07:22:41 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA16004 for firewalls-outgoing; Thu, 10 Apr 1997 06:44:45 -0700 (PDT)
Received: from sage.Tri-Sage.COM (tpa-206-41-182-5.ThoughtPort.COM [206.41.182.5]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id GAA15966 for ; Thu, 10 Apr 1997 06:44:34 -0700 (PDT)
Received: from jon.cypher-sage.com by sage.Tri-Sage.COM with SMTP (?/BK-2.3.1) id IAA15321; Thu, 10 Apr 1997 08:40:21 -0500
Received: by jon.cypher-sage.com with Microsoft Mail id <01BC4589.9CC7B0E0@jon.cypher-sage.com>; Thu, 10 Apr 1997 08:31:40 -0500
Message-ID: <01BC4589.9CC7B0E0@jon.cypher-sage.com>
From: Jon Tegethoff
To: "firewalls@greatcircle.com"
Subject: RE: Apology
Date: Thu, 10 Apr 1997 08:31:38 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Is there a good email address filter that works on Win 95? I do not know about the rest of the list but I would like to put something in place to always automatically delete messages from Stuart Johnson. Any help is welcome! The sooner the better, before he answers this message.
Jon Tegethoff From owner-firewalls-outgoing Thu Apr 10 07:36:04 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA15413 for firewalls-outgoing; Thu, 10 Apr 1997 06:40:54 -0700 (PDT) Received: from skye.nis.newscorp.com (skye.nis.newscorp.com [206.15.111.99]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id GAA15389 for ; Thu, 10 Apr 1997 06:40:46 -0700 (PDT) Received: (from dobrich@localhost) by skye.nis.newscorp.com (8.7.3/8.7.2) id JAA10752; Thu, 10 Apr 1997 09:40:13 -0400 (EDT) Date: Thu, 10 Apr 1997 09:40:13 -0400 (EDT) From: Greg Dobrich Message-Id: <199704101340.JAA10752@skye.nis.newscorp.com> To: firewalls@GreatCircle.COM Subject: ssh vs ssl Cc: dobrich@newscorp.com X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, What are the differences between ssh and ssl? From perusing the RFCs/drafts they appear to be similar in functionality. If my goal was to secure external access (from Windows laptops) to POP3 servers would I prefer one over the other? Are there implementations of both available?? 
Thanks, Greg --------------------------------------------------------------------------- Greg Dobrich Senior Network Engineer News Internet Services 508 551 1007 Lowell, MA From owner-firewalls-outgoing Thu Apr 10 07:50:41 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA14863 for firewalls-outgoing; Thu, 10 Apr 1997 06:37:15 -0700 (PDT) Received: from godzilla.projo.com (gate.projo.com [147.136.254.253]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id GAA14833 for ; Thu, 10 Apr 1997 06:37:02 -0700 (PDT) Received: (from smtp@localhost) by godzilla.projo.com (8.7.3/8.7.3) id JAA17856 for ; Thu, 10 Apr 1997 09:35:43 -0400 (EDT) Received: from corfu.projo.com(147.136.1.201) by godzilla.projo.com via smap (V2.0alpha) id xma017854; Thu, 10 Apr 97 09:35:36 -0400Received: from death.projo.com (prodigy-pc-99.projo.com [147.136.22.99]) by corfu.projo.com (Netscape Mail Server v2.02) with SMTP id AAA18135 for ; Thu, 10 Apr 1997 09:35:35 -0400 From: brian_stormont@corfu.projo.com (Brian Stormont) X-Priority: Normal Content-Type: text/plain To: firewalls@greatcircle.com Subject: Allowing ICMP X-Mailer: Pronto E-Mail [ver 4.0.0.8] Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Date: Thu, 10 Apr 1997 09:35:35 -0400 Message-ID: <19970410133535.AAA18135@death.projo.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk What are people's thought on what ICMP traffic, if any, should be allowed through a firewall? Currently, I've been taking the very paranoid approach of blocking all incoming ICMP traffic, however I'm wondering whether this might be causing any network problems. I recently noticed a very large number of type 3 (sourcequench) and type 11 packets (time exceeded) destined for my web server which my firewall is currently blocking, and I was curious if it might be a good idea to let these through. Any thoughts on how the different ICMP packets should be handled? 
-brian ------------------------------ brian_stormont@corfu.projo.com From owner-firewalls-outgoing Thu Apr 10 07:51:11 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA20702 for firewalls-outgoing; Thu, 10 Apr 1997 07:25:55 -0700 (PDT) Received: from lab58-12.ims.advantis.com (pony-express.ims.advantis.com [192.231.11.167]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id HAA20671 for ; Thu, 10 Apr 1997 07:25:44 -0700 (PDT) Received: (from uucp@localhost) by lab58-12.ims.advantis.com (8.6.9/95.10.11) id KAA02321 for ; Thu, 10 Apr 1997 10:18:57 -0400 Received: from carfax.ims.advantis.com(164.120.32.46) by lab58_12 via smap (V1.3) id sma009741; Thu Apr 10 10:18:52 1997 Received: by carfax.ims.advantis.com (8.6.9/4.03) id KAA222713; Thu, 10 Apr 1997 10:33:40 -0400 Date: Thu, 10 Apr 1997 10:33:40 -0400 (EDT) From: Peter Yau To: firewalls@GreatCircle.COM Subject: su root log Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Does anyone know if it's possible to have a bad su root situation yet the machine in question does not show this in its log? Assume the log file has not been tampered with. Thanks in advance. 
From owner-firewalls-outgoing Thu Apr 10 07:56:32 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA17179 for firewalls-outgoing; Thu, 10 Apr 1997 06:52:33 -0700 (PDT)
Received: from brimstone.rnb.com (brimstone.rnb.com [204.178.80.14]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id GAA17160 for ; Thu, 10 Apr 1997 06:52:24 -0700 (PDT)
Received: by brimstone.rnb.com; id JAA11144; Thu, 10 Apr 1997 09:51:06 -0400
Received: from relay.rnb.com(199.99.101.2) by brimstone.rnb.com via smap (3.2) id xma011013; Thu, 10 Apr 97 09:50:39 -0400
Received: from monarch.rnb.com (monarch [150.1.33.146]) by relay.rnb.com (8.8.4/8.8.4) with SMTP id JAA23633 for ; Thu, 10 Apr 1997 09:50:38 -0400 (EDT)
Comments: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Comments: Internet Message: Sender identity is not verified.
Comments: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Message-ID:
X-Mailer: XFMail 1.1-alpha [p0] on Solaris
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
Date: Thu, 10 Apr 1997 09:33:01 -0400 (EDT)
Organization: Republic National Bank
From: Ken Kempster
To: firewalls
Subject: DNS timeouts using Gauntlet 3.2 on Solaris
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Has anyone had problems with DNS timeouts when using TIS's Gauntlet 3.2 on Solaris?

Here's the problem: A reverse lookup request comes in to my primary internal root domain server. The IP is not listed in any rev. lookup tables and there isn't a table that covers the segment for that IP. So the internal root server forwards the request to my 3.2 gauntlet box for resolution. Using snoop, I am able to see the incoming packets from the internal server to the firewall but I never get a response from the firewall back to the root server. Thus, this causes a 20 sec. delay in a response getting back to the requesting host.
Now, what I have done to solve this problem is create reverse lookup dm files that handle all possibilities of reverse lookups IE: db.xxx.xxx rather than db.xxx.xxx.xxx

But my real question here is, why would this; out of the blue; become a problem? Nothing has changed on the internal DNS structure and the firewall was swapped from BSD to solaris OS 6 to 8 weeks prior to this starting to happen.

This DNS timeout problem caused some major system problems for me and what I'm looking for is if anyone may know of anything that would or could have caused this to start happening on a system that has been in place for two years.

Any insight on this would be great.. thanx.

|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
| Ken Kempster              kempster@monarch.rnb.com      |
| Network Systems Engineer            _\|/_               |
| Republic National Bank              (o o)               |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~oOO-(_)-OOo~~~~~~~~~~~~~~

From owner-firewalls-outgoing Thu Apr 10 08:27:54 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA20416 for firewalls-outgoing; Thu, 10 Apr 1997 07:23:57 -0700 (PDT)
Received: from gargoyle.clark.net (gargoyle.clark.net [168.143.0.250]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id HAA20360 for ; Thu, 10 Apr 1997 07:23:40 -0700 (PDT)
Received: (qmail 5247 invoked by uid 500); 10 Apr 1997 14:23:22 -0000
Date: Thu, 10 Apr 1997 10:23:22 -0400 (EDT)
From: "Paul D. Robertson"
X-Sender: proberts@gargoyle
To: Stuart Johnson
cc: firewalls@GreatCircle.COM
Subject: Re: Apology
In-Reply-To: <19970410045032.24197.qmail@squirrel.owl.de>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On 10 Apr 1997, Stuart Johnson wrote:

> Marcus responses have become emotional and I may have let my own postings to be on the
> emotional side.
> Based upon his private emails he sent me, I find it ironic that he publicly impugns my character, yet privately encourages me to consider his soon to be delivered and competing technology. I guess the world will soon find out why Marcus' technology is "better than Haystack and Wheelgroup" but at the same time, not competitive.

Marcus' responses were very level considering the personal attack directed at him.

> The questions I raise are legitimate concerns for anyone considering the
> implementation of this technology across their enterprise.

The way you raised them was indicative of a media tabloid. If you expect to be taken seriously, and professionally, then you'll have to start posting that way.

> I am sorry valid business concerns are construed as lunacy and mud
> slinging. Sometimes the truth hurts especially for the

I'm sorry you can't seem to articulate yourself without appearing to be a raving, mud slinging lunatic.

> With asking these concerns, I am stunned that some of these security
> "experts" without any standards would publicly denounce
> someone as a "Network Loon" and try to put someone on trial.

If you don't understand the concept of extension of trust, and how anyone with any depth of experience in this arena deals with it on a professional basis, then you have a great deal to learn. Ask yourself what *you* have done to earn the trust of this list (hint: posting negative innuendo without facts doesn't gain trust points). Try to look at the apparent veracity of what you have posted, and how long you have been posting, and then look back at your target's behaviour. Marcus has acted *very* selflessly in the past, and has contributed a great deal to this community without any direct gain other than perhaps to his ego, which certainly isn't as bad as it could be.

> I should have never been drawn into Marcus' roast as I am not
> evaluating his products anyways (as they don't exist).
Funny how you see yourself being drawn in, when, as far as this list is concerned, the exchange looked like this:

1. Stuart purports to have 'inside info' on Wheel Group's demise, phrased as a very leading series of questions.
2. Marcus responds to questions with actual info.
3. Stuart attacks Marcus personally.
4. Marcus defends himself.
5. Stuart's "apology" turns into another looney rant.

> Contrary to emotional flames, I only desired to determine if the
> employee at Haystack was a disgruntled exception or whether the company
> was truly in as much turmoil and decay as was indicated. This concerns
> me and any other potential customers of this software. And to this
> end, customers of both Haystack and Wheelgroup have shared their
> experiences and have confirmed many of my observations with
> unbiased facts.

I haven't seen you post a *fact* yet. Innuendo, slurs, and even some valid questions, but the meat just ain't in there. Gossip and innuendo aren't appropriate here.

We've gone from "I heard" to "my observations" in the above paragraph. If it's "my observations", then indeed you were not being forthright in your original post, and if it's "I heard", then you've obviously made up your own mind already, and aren't objective. Either way, stop deluding yourself, you've bought nothing of value to this list.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
PSB#9280 From owner-firewalls-outgoing Thu Apr 10 08:36:49 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA02259 for firewalls-outgoing; Thu, 10 Apr 1997 08:30:28 -0700 (PDT) Received: from mail.baileynm.com (fw.baileynm.com [206.109.159.11]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id IAA02191 for ; Thu, 10 Apr 1997 08:30:12 -0700 (PDT) Received: (qmail 28811 invoked from smtpd); 10 Apr 1997 15:28:28 -0000 Received: from web.nmti.com (root@198.178.0.201) by fw.nmti.com with SMTP; 10 Apr 1997 15:28:28 -0000 Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id KAA16186; Thu, 10 Apr 1997 10:28:28 -0500 Received: by sonic.nmti.com; id AA29731; Thu, 10 Apr 1997 10:29:22 -0500 From: peter@baileynm.com (Peter da Silva) Message-Id: <9704101529.AA29731@sonic.nmti.com.nmti.com> Subject: Re: Getting Rid of the SPAM To: caldwm@xgate.columbiasc.ncr.com (Caldwell Matt) Date: Thu, 10 Apr 1997 10:29:22 -0500 (CDT) Cc: firewalls@GreatCircle.COM In-Reply-To: from "Caldwell, Matt" at Apr 9, 97 04:45:46 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Send your "I hate SPAM mail" to > don@orderamerica.com > or just CALL (btw calling usually is more effective) > His name is Donald Pulliam > (702) 737-7294 > Sanford Wallace > (215) 628-9780 > domreg@cyberpromo.com Sanford Wallace has headers in all the messages he sends saying that he doesn't want to promote porn sites. Point out to him that the very tools he uses to spam will make it impossible for him to prevent porn sites from spamming through him. The shoe is on the other foot now. 
From owner-firewalls-outgoing Thu Apr 10 08:52:49 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA00522 for firewalls-outgoing; Thu, 10 Apr 1997 08:19:45 -0700 (PDT)
Received: from ns1.sminter.com.ar (ns1.sminter.com.ar [200.10.100.10]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id IAA00410 for ; Thu, 10 Apr 1997 08:19:16 -0700 (PDT)
Received: from ppp19.sminter.com.ar (ppp19.sminter.com.ar [200.10.100.35]) by ns1.sminter.com.ar (8.8.4/8.8.4) with ESMTP id MAA06030 for ; Thu, 10 Apr 1997 12:17:08 +0300 (GMT)
Message-ID: <334D125C.6BB0@usa.net>
Date: Thu, 10 Apr 1997 10:16:28 -0600
From: Arnaud Ventura
Reply-To: a-ventura@usa.net
Organization: BNP
X-Mailer: Mozilla 4.0b2 (Win95; I)
MIME-Version: 1.0
To: Firewalls@GreatCircle.COM
Subject: SSL Implementation ?
X-Priority: 3 (Normal)
References: <199704091955.MAA07570@honor.greatcircle.com>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

HI,

I Would like to know how to implement SSL ? I am not sure if this list is a good place to write, if not please excuse me and give me a better place to do it.

I would like to develop a secure system to access a database. I need to :
- Secure the transmission ;
- Authenticate Client and Server ;
- Ensure that the scripts to access the DataBase can't be only access the Database.

I was thinking of using SSL to encrypt transmission, but how does it work exactly ? Do I need a specific server? How do I configure it ? etc. etc.

Thanks for all help, and as I receive only a digest of the list if you could email me personally as well it will be great !
Arnaud --------------------------------------------------- Arnaud Ventura mail: a-ventura@usa.net 25 de Mayo 471 Tel : (54).1 318 3031 Buenos Aires ---------------------------------------------------- From owner-firewalls-outgoing Thu Apr 10 09:38:20 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA06103 for firewalls-outgoing; Thu, 10 Apr 1997 08:50:06 -0700 (PDT) Received: from palrel3.hp.com (palrel3.hp.com [15.253.88.10]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id IAA06027 for ; Thu, 10 Apr 1997 08:49:50 -0700 (PDT) From: ANDY_HIMAWAN@Non-HP-Indonesia-om1.om.hp.com Received: from hpsx1.indo.hp.com (root@hpsx1.indo.hp.com [15.59.169.1]) by palrel3.hp.com with SMTP (8.7.5/8.7.3) id IAA14481 for ; Thu, 10 Apr 1997 08:48:31 -0700 (PDT) Received: from by hpsx1.indo.hp.com with SMTP (1.38.193.5/15.5+ECS 3.4 Openmail) id AA21074; Thu, 10 Apr 1997 22:49:29 +0700 X-Openmail-Hops: 1 Date: Thu, 10 Apr 97 22:49:18 +0700 Message-Id: Subject: portmapper & RPC Mime-Version: 1.0 To: beldridg@cup46ux.cup.hp.com, Firewalls@GreatCircle.COM Cc: ANDY_HIMAWAN@Non-HP-Indonesia-om1.om.hp.com Content-Type: text/plain; charset=US-ASCII; name="Message" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I have problem with this issue using Checkpoint Firewall-1. I run a client/server Trading software. It use rpc and portmapper function. Every time I restart the server, I see from the LOG viewer, that I have to allow port number 111 (portmapper), and a random port number.(dynamic). I think it's not secure if I open many port numbers, for running this software. Any idea to solve this problem ? (URGENT). Is there something I miss about rpc and portmapper, in configuring with firewall-1 ? any ideas would be appreciated. Thank you very much. 
with best regards, Andy From owner-firewalls-outgoing Thu Apr 10 09:43:05 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA08870 for firewalls-outgoing; Thu, 10 Apr 1997 09:10:24 -0700 (PDT) Received: from scifi.squawk.com (scifi.squawk.com [199.74.151.1]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id JAA08663 for ; Thu, 10 Apr 1997 09:08:47 -0700 (PDT) Received: from localhost (njs@localhost) by scifi.squawk.com (8.8.5/8.8.5) with SMTP id MAA24479; Thu, 10 Apr 1997 12:03:06 -0400 Date: Thu, 10 Apr 1997 12:03:06 -0400 (EDT) From: Nick Simicich X-Sender: njs@scifi To: Domenico Viggiani cc: firewalls@GreatCircle.COM Subject: Re: DNS and IBM AIX In-Reply-To: <334B7D68.128C@gst.cgs.it> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Wed, 9 Apr 1997, Domenico Viggiani wrote: > > I read that AIX uses always TCP for both DNS queries and xfer zones. > Usually, for DNS queries, UDP is used and, for xfer zones, TCP is used. > > Is it true? Where did you read this? It is, um, bullshit. Socksified DNS anyone? Of course my password is the same as my pet's name. My macaw's name is Q47pY!3, and I change it every 90 days. Nick Simicich mailto:njs@scifi.squawk.com or (last choice) mailto:njs@us.ibm.com http://scifi.squawk.com/njs.html -- Stop by and Light Up The World! 
From owner-firewalls-outgoing Thu Apr 10 09:43:50 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA09400 for firewalls-outgoing; Thu, 10 Apr 1997 09:14:13 -0700 (PDT) Received: from buffy.isi.net (buffy.isi.net [204.71.194.215]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id JAA09312 for ; Thu, 10 Apr 1997 09:13:56 -0700 (PDT) Received: from localhost (mike@localhost) by buffy.isi.net (8.8.5/ISI-1.5) with SMTP id JAA08124; Thu, 10 Apr 1997 09:12:17 -0700 (PDT) Date: Thu, 10 Apr 1997 09:12:17 -0700 (PDT) From: Mike Hedlund X-Sender: mike@buffy To: Peter Yau cc: firewalls@GreatCircle.COM Subject: Re: su root log In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk With Solaris su, it doesn't log the failed attempt until after the timeout occurs. This can cause the failed login logging to be delayed. Or not logged entirely, if you ^C before the timeout is up. Are you using sulog and syslog? If so, make sure syslogd.conf hasn't been tampered with. You might also want to look at /etc/default/su. -mike On Thu, 10 Apr 1997, Peter Yau wrote: > Does anyone know if it's possible to have a bad su root situation yet the > machine in question does not show this in its log? Assume the log file has > not been tampered with. > Thanks in advance.
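Added example, not part of the original message and not Solaris source code: a small C model of the failed-su path described above, showing that a ^C during the delay suppresses the record when the program delays first and logs second, and that writing the record first (with SIGINT held until it is written) closes the gap. The temporary file name, the record text and all function names are assumptions made for the illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define FAIL_DELAY_SECONDS 1    /* penalty delay after a bad password */

enum su_order { DELAY_THEN_LOG, LOG_THEN_DELAY };

/* Append one failure record (constructed text) to the log. */
static void write_record(int log_fd)
{
    static const char rec[] = "su: FAILED attempt for root\n";
    if (write(log_fd, rec, sizeof rec - 1) < 0)
        _exit(2);
}

/* Child side: what happens after the password check has failed. */
static void failed_auth_path(enum su_order how, int log_fd, int ready_fd)
{
    sigset_t intr;

    signal(SIGINT, SIG_DFL);            /* do not inherit an ignored ^C */
    sigemptyset(&intr);
    sigaddset(&intr, SIGINT);
    /* Hardened order: hold ^C until the record has been written. */
    sigprocmask(how == LOG_THEN_DELAY ? SIG_BLOCK : SIG_UNBLOCK, &intr, NULL);

    /* Tell the parent we are now inside the failure path. */
    if (write(ready_fd, "x", 1) != 1)
        _exit(2);

    if (how == DELAY_THEN_LOG) {
        sleep(FAIL_DELAY_SECONDS);      /* ^C here ends the process ... */
        write_record(log_fd);           /* ... so this line is never reached */
    } else {
        write_record(log_fd);           /* record first */
        sigprocmask(SIG_UNBLOCK, &intr, NULL);  /* pending ^C lands now */
        sleep(FAIL_DELAY_SECONDS);
    }
    _exit(1);                           /* authentication failed */
}

/* Parent side: play the user who hits ^C as soon as the failure path
 * starts. Returns 1 if the attempt was logged, 0 if not, -1 on error. */
int interrupted_attempt_is_logged(enum su_order how)
{
    char path[] = "/tmp/sulog-demo-XXXXXX";
    int ready[2], log_fd, logged = -1;
    struct stat st;
    pid_t pid;
    char c;

    log_fd = mkstemp(path);
    if (log_fd < 0)
        return -1;
    if (pipe(ready) != 0) {
        close(log_fd);
        unlink(path);
        return -1;
    }

    pid = fork();
    if (pid == 0) {
        close(ready[0]);
        failed_auth_path(how, log_fd, ready[1]);    /* never returns */
    }
    close(ready[1]);

    if (pid > 0) {
        int ready_ok = (read(ready[0], &c, 1) == 1);
        kill(pid, SIGINT);              /* the user's ^C */
        waitpid(pid, NULL, 0);
        if (ready_ok && fstat(log_fd, &st) == 0)
            logged = st.st_size > 0;
    }

    close(ready[0]);
    close(log_fd);
    unlink(path);
    return logged;
}

int main(void)
{
    printf("delay then log: logged=%d\n",
           interrupted_attempt_is_logged(DELAY_THEN_LOG));
    printf("log then delay: logged=%d\n",
           interrupted_attempt_is_logged(LOG_THEN_DELAY));
    return 0;
}
```

When auditing a privileged program for this pattern, look for any sleep or other interruptible wait that sits between the authentication decision and the audit write.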
From owner-firewalls-outgoing Thu Apr 10 10:47:34 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA20249 for firewalls-outgoing; Thu, 10 Apr 1997 10:18:30 -0700 (PDT) Received: from genesis.isginc.com (genesis.isginc.com [205.208.61.20]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id KAA20229 for ; Thu, 10 Apr 1997 10:18:22 -0700 (PDT) Received: from blanche_laptop.isginc.com (blanche.isginc.com [205.208.61.138]) by genesis.isginc.com (8.6.9/8.6.9) with SMTP id NAA24729; Thu, 10 Apr 1997 13:27:21 -0400 Message-Id: <2.2.32.19970410172535.0071c8bc@205.208.61.20> X-Sender: bbeube@205.208.61.20 X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Thu, 10 Apr 1997 13:25:35 -0400 To: firewalls@GreatCircle.COM From: Blanche Beube Subject: Virus Alert Cc: carlo@io.org, testeves@interlog.com, all@genesis.isginc.com, asimic@bellmobility.com, lpbaziw@bellmobility.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello All, Just got this from a colleague. Spread the word. Be careful out there. << THERE IS A NEW AOL SCAM."It is essential that this problem be reconciled as soon as possible. A few hours ago, I opened an E-mail that had the subject heading of aol4free.com Within seconds of opening it, a window appeared and began to display my files that were being deleted. I immediately shut down my computer, but it was too late. This virus wiped me out. It ate the Anti-Virus Software that comes with the Windows '95 Program along with F-Prot AVS. Neither was able to detect it. Please be careful and send this to as many people as possible, so maybe this new virus can be eliminated. FORWARD this to as many people as you care about!!
>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Blanche Beube E-mail: bbeube@isginc.com Unix Analyst Voice: (416)368-2222 x214 Fax: (416)366-6667 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> From owner-firewalls-outgoing Thu Apr 10 11:08:00 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA21636 for firewalls-outgoing; Thu, 10 Apr 1997 10:26:51 -0700 (PDT) Received: from silence.secnet.com ([199.185.231.10]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id KAA21600 for ; Thu, 10 Apr 1997 10:26:42 -0700 (PDT) Received: from localhost (davids@localhost) by silence.secnet.com (8.8.5/secnet) with SMTP id LAA06482; Thu, 10 Apr 1997 11:28:37 -0600 (MDT) Date: Thu, 10 Apr 1997 11:28:36 -0600 (MDT) From: David Sacerdote To: firewalls@greatcircle.com cc: pyau@carfax.ims.advantis.com Subject: re: su root log Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Under Solaris 2.5 and earlier, it is possible for an attacker to repeatedly attempt to su to root without being logged. Basically, what happens during a normal su is: 1. person types su 2. person enters a password 3. su determines whether password is valid 4. if password is valid, su logs the event, and gives the user a root shell 5. if the password is not valid, su waits one second, then logs the event and prints an error message Unfortunately, there is a minor problem in step 5. Because users can send signals to su, they can abort su during the one second delay, thus preventing the log message from being written. Since a shell takes significantly less than a second to load, an attacker can try several potential passwords per second via this method. eg: if it has waited longer than the load time for a shell to give you a shell prompt, you know the password is invalid. My understanding is that Sun has fixed this problem in Solaris 2.6, although I have not verified this myself. 
I am also not aware of any other operating system with this problem, but have not gone out of my way to test various systems. Since there is usually no reason for users not in group wheel to have access to su in the first place, it's probably not a bad idea to issue the commands: chgrp wheel su chmod 4710 su thereby preventing users not already in group wheel from running su in the first place. David Sacerdote From owner-firewalls-outgoing Thu Apr 10 11:26:05 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA12938 for firewalls-outgoing; Thu, 10 Apr 1997 09:40:32 -0700 (PDT) Received: from dns.glo.be (dns.glo.be [206.48.177.1]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id JAA12911 for ; Thu, 10 Apr 1997 09:40:19 -0700 (PDT) Received: from europa.glo.be (eric@europa.glo.be [194.88.97.3]) by dns.glo.be (8.8.5/8.8.5) with ESMTP id SAA05489; Thu, 10 Apr 1997 18:38:57 +0200 Received: from localhost (eric@localhost) by europa.glo.be (8.8.5/8.8.5) with SMTP id SAA22622; Thu, 10 Apr 1997 18:38:09 +0200 Date: Thu, 10 Apr 1997 18:38:09 +0200 (MET DST) From: Eric To: "Sameer R. Manek" cc: Kathy Kost , firewalls@GreatCircle.COM Subject: Re: combo internal/external web servers In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Sat, 5 Apr 1997, Sameer R. Manek wrote: > One idea I really like, though i haven't had the opportunity to try it > out. This combination involves 2 boxes in addition to your firewall. > Since running a web server on a firewall isn't considered a wise idea in > general. > > Basicly what you do is having two boxes, a web server and a file server. > the web server mounts nfs mounts read only /webserver/htdocs from > the file server. The web server's only service is httpd, and maybe ftpd > which isn't very cpu intensive, so a low end pentium and *bsd or linux > will do. 
NFS is terribly slow, so I would suggest that you run some sort of accelerator on the http port. (squid e.g) this would keep the pages locally on the real webserver without compromising the original idea --Eric Globe Internet nv ____________________________________________________ My opinions expressed here, and in any public forum, are my own and do not represent those of my employer or its clients. I am an individual, and I will retain those rights of free speech granted to me, regardless of my employment status. From owner-firewalls-outgoing Thu Apr 10 11:29:50 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA13523 for firewalls-outgoing; Thu, 10 Apr 1997 09:44:44 -0700 (PDT) Received: from smtp1.sympatico.ca (smtp1.sympatico.ca [204.101.251.52]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id JAA13478 for ; Thu, 10 Apr 1997 09:44:29 -0700 (PDT) Received: from LOCALNAME (ppp4082.on.sympatico.ca [206.172.216.50]) by smtp1.sympatico.ca (SMI-8.6/8.6.12) with SMTP id MAA08948 for ; Thu, 10 Apr 1997 12:43:16 -0400 Message-ID: <334D4368.541B@ottawa.com> Date: Thu, 10 Apr 1997 12:45:44 -0700 From: Brian McIntosh X-Mailer: Mozilla 2.02E-SYMPA (Win95; I; 16bit) MIME-Version: 1.0 To: firewalls@GreatCircle.COM Subject: Re: Apology References: <19970410045032.24197.qmail@squirrel.owl.de> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Folks, The man is obviously disturbed and the attention he has been receiving seems to be fueling his delusions. Perhaps if we all just ignore him, he will go away. Regards, Brian Stuart Johnson wrote: > > I would like to apologize for taking the discussion off-topic to the firewalls mailing list.
> The firewall mailing lists is where the security community can express some of their concerns from both a technical evaluation as well as an end-user perspecti > > Marcus responses have become emotional and I may have let my own postings to be on the > emotional side. Based upon his private emails he sent me, I find it ironic that he publicly impugns my character, yet privately encourages me to consider his > > Just last week, Marcus denigrated and made fun of MimeStar with the SecureNet Pro technology and now knowing that Marcus will compete with MimeStar, it leads m > standards evident in his emotional response. > > As a user, perhaps Marcus doesn't fully understand the end-users need to fully evaluate the product as well as the company that stands behind it. I as well as > > The questions I raise are legitimate concerns for anyone considering the implementation of this technology across their enterprise. I have received many very > > With asking these concerns, I am stunned that some of these security "experts" without any standards would publically dennounce someone as a "Network Loon" and > > Contrary to emotional flames, I only desired to determine if the employee at Haystack was a disgruntled exception or whether the company was truly in as much t > > To those that have, thank you for your objective input and your professionalism to respond without emotional regard and selfish interest. 
> > Stuart From owner-firewalls-outgoing Thu Apr 10 11:42:25 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA27953 for firewalls-outgoing; Thu, 10 Apr 1997 11:15:10 -0700 (PDT) Received: from sluggo.eac.com ([199.99.220.1]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id LAA27929 for ; Thu, 10 Apr 1997 11:15:01 -0700 (PDT) Received: from ARAGORN [199.99.220.164] (HELO aragorn.eac.com) by sluggo.eac.com (AltaVista Mail V1.0/1.0 BL18 listener) id 0000_0048_334d_2ea5_e6c9; Thu, 10 Apr 1997 14:17:09 -0400 Message-ID: <334D2D60.3788@eac.com> Date: Thu, 10 Apr 1997 14:11:44 -0400 From: Jesse Whyte Reply-To: jesse@eac.com Organization: EAC Network Integrators X-Mailer: Mozilla 3.01 (Win95; I) MIME-Version: 1.0 To: firewalls@greatcircle.com CC: firewall-1-mailinglist@us.checkpoint.com Subject: Borderware firewall...(if that's what you want to call it) Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I have had to do some performance and security testing on the Borderware firewall product over the last couple of weeks and I have some issues that I wanted to address here... 1) We caused a kernel panic by flooding the firewall system itself with ping ECHO_REQUESTS at less than T-1 bandwidth... 2) The default configuration loads a web server on port 80 for the entire world to see... 3) The firewall doesn't discriminate between internal and external hosts when it proxies, (ie, with a poor setup (the default setup), I can set the proxy in my browser to the external interface of the proxy, then try to go to the internal interface and the firewall will proxy me there...another interesting side effect of this was that you can get packets to the web management port 442) Based on these results, I can't see how I would ever sully my reputation by recommending this product. 
Has anyone ever dealt successfully with this product...Specifically, does anyone with Firewall-1 experience care to comment on a comparison? My comparison's results should be pretty obvious, by now... Thanks for your help and your advice, Jesse -- *********************************************************************** Jesse Whyte EAC Network Integrators Security Analyst Trumbull, CT jesse@eac.com http://www.eac.com (203) 371-2441 From owner-firewalls-outgoing Thu Apr 10 11:55:01 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA12102 for firewalls-outgoing; Thu, 10 Apr 1997 09:34:47 -0700 (PDT) Received: from mail-oak-2.pilot.net (mail-oak-2.pilot.net [198.232.147.17]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id JAA12085 for ; Thu, 10 Apr 1997 09:34:40 -0700 (PDT) Received: from relay1.clorox.com (relay.clorox.com [168.189.64.36]) by mail-oak-2.pilot.net with ESMTP id JAA09857; Thu, 10 Apr 1997 09:33:10 -0700 (PDT) Received: from maverick (maverick.clorox.com) by relay1.clorox.com with ESMTP (CEMS 5.01/1.37.109.14) id AA111490497; Thu, 10 Apr 1997 09:41:37 -0700 Message-Id: <334D1637.A293D1FC@Clorox.com> Date: Thu, 10 Apr 1997 09:32:55 -0700 From: Paul Rarey Organization: The Clorox Services Company X-Mailer: Mozilla 4.0b3 [en] (WinNT; I) Mime-Version: 1.0 To: Richard Hoffbeck Cc: Jean Chouanard , firewalls@GreatCircle.COM Subject: Re: Secure Email Client packages X-Priority: 3 (Normal) References: <3.0.32.19970409214533.00963e00@fw2.mwcia.org> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Richard Hoffbeck wrote: > > At 07:03 PM 4/9/97 -0400, Jean Chouanard wrote: > >Does any of these packages can encrypt and/or sign the documents attached > >to a mail note and the mail note itself in one step? > > > >It should be nice to have this as an option, now that attachments are > >(unfortunately...:-) more and more common. 
> > Based on a late beta of PGPMail and a current demo version of Demming's > S/MIME plug-in for Eudora the answer seems to be that PGPMail doesn't > and Demming's package does encrypt attachments. What I believe you're asking is - does S/MIME support RFC1827 (defines multipart/signed and multipart/encrypted MIME parts). The answer is, sorta but not fully. I'd have to re-read the latest S/MIME spec, but it only supports one multi/signed or multi/encrypted - not both. > The Demming package looks fairly well designed except that sending a > message without signing it or encrypting bundles the entire message > into a big mime attachment. At first look I didn't see an ASCII armor > option so the resulting file quoted the high bit characters but left > the control characters intact. > > On the other hand, I know people with PGP keys but don't know anyone > with a Verisign key. I also have a problem with buying encryption > software with the name Demming on it. Does anyone know if it > actually bears any relationship to the mother of key escrow? I also don't know anyone who's going to pay for a permanent personal VeriSign key, and then keep paying not to lose it. [ psr ] From owner-firewalls-outgoing Thu Apr 10 12:11:04 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA11061 for firewalls-outgoing; Thu, 10 Apr 1997 09:27:07 -0700 (PDT) Received: from spiffy.paradigmsim.com (spiffy.paradigmsim.com [206.7.114.3]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id JAA11045 for ; Thu, 10 Apr 1997 09:26:58 -0700 (PDT) Received: from kennyspc.paradigmsim.com by spiffy.paradigmsim.com via SMTP (940816.SGI.8.6.9/940406.SGI.AUTO) id LAA12269; Thu, 10 Apr 1997 11:24:32 -0500 Received: by kennyspc.paradigmsim.com with Microsoft Mail id <01BC4599.71777BE0@kennyspc.paradigmsim.com>; Thu, 10 Apr 1997 10:24:59 -0600 Message-ID: <01BC4599.71777BE0@kennyspc.paradigmsim.com> From: Ken Atkinson To: Stuart Johnson , "'Paul D.
Robertson'" Cc: "firewalls@GreatCircle.COM" Subject: RE: Apology Date: Thu, 10 Apr 1997 10:24:58 -0600 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Who Cares. ---------- From: Paul D. Robertson[SMTP:proberts@clark.net] Sent: Thursday, April 10, 1997 4:23 AM To: Stuart Johnson Cc: firewalls@GreatCircle.COM Subject: Re: Apology On 10 Apr 1997, Stuart Johnson wrote: > Marcus responses have become emotional and I may have let my own postings to be on the > emotional side. Based upon his private emails he sent me, I find it ironic that he publicly impugns my character, yet privately encourages me to consider his soon to be delivered and competing technology. I guess the world will soon find out why Marcus' technology is "better than Haystack and Wheelgroup" but at the same time, not competitive. Marcus' responses were very level considering the personal attack directed at him. > The questions I raise are legitimate concerns for anyone considering the > implementation of this technology across their enterprise. The way you raised them was indicative of a media tabloid. If you expect to be taken seriously, and professionally, then you'll have to start posting that way. > I am sorry valid business concerns are construed as lunacy and mud > slinging. Sometimes the truth hurts especially for the I'm sorry you can't seem to articulate yourself without appearing to be a raving, mud slinging lunatic. > With asking these concerns, I am stunned that some of these security > "experts" without any standards would publically dennounce > someone as a "Network Loon" and try to put someone on trial. If you don't understand the concept of extension of trust, and how anyone with any depth of experience in this arena deals with it on a professional basis, then you have a great deal to learn.
Ask yourself what *you* have done to earn the trust of this list (hint: posting negative innuendo without facts doesn't gain trust points). Try to look at the apparent veracity of what you have posted, and how long you have been posting, and then look back at your target's behaviour. Marcus has acted *very* selflessly in the past, and has contributed a great deal to this community without any direct gain other than perhaps to his ego, which certainly isn't as bad as it could be. > I should have never been drawn into Marcus' roast as I am not > evaluating his products anyways (as they don't exist). Funny how you see yourself being drawn in, when, as far as this list is concerned, the exchange looked like this: 1. Stuart purports to have 'inside info' on Wheel Group's demise, phrased as a very leading series of questions. 2. Marcus responds to questions with actual info. 3. Stuart attacks Marcus personally. 4. Marcus defends himself. 5. Stuart's "apology" turns into another looney rant. > Contrary to emotional flames, I only desired to determine if the > employee at Haystack was a disgruntled exception or whether the company > was truly in as much turmoil and decay as was indicated. This concerns > me and any other potential customers of this software. And to this > end, customers of both Haystack and Wheelgroup have shared their > experiences and have confirmed many of my observations with > unbiased facts. I haven't seen you post a *fact* yet. Innuendo, slurs, and even some valid questions, but the meat just ain't in there. Gossip and innuendo aren't appropriate here. We've gone from "I heard" to "my observations" in the above paragraph. If it's "my observations", then indeed you were not being forthright in your original post, and if it's "I heard", then you've obviously made up your own mind already, and aren't objective.
Either way, stop deluding yourself, you've bought nothing of value to this list. Paul ----------------------------------------------------------------------------- Paul D. Robertson "My statements in this message are personal opinions proberts@clark.net which may have no basis whatsoever in fact." PSB#9280 From owner-firewalls-outgoing Thu Apr 10 12:41:46 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA17988 for firewalls-outgoing; Thu, 10 Apr 1997 10:07:24 -0700 (PDT) Received: from guttenberg.correionet.com.br (guttenberg.correionet.com.br [200.246.35.8]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id KAA17855 for ; Thu, 10 Apr 1997 10:06:55 -0700 (PDT) Received: from guttenberg.correionet.com.br (guttenberg.correionet.com.br [200.246.35.8]) by guttenberg.correionet.com.br (8.7.5/8.7.3) with SMTP id OAA18856 for ; Thu, 10 Apr 1997 14:04:07 -0400 Date: Thu, 10 Apr 1997 14:04:07 -0400 (AST) From: Bill Coutinho X-Sender: bill@guttenberg.correionet.com.br To: firewalls@greatcircle.com Subject: SOCKS in Netscape Proxy Server 2.5 Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I'm using a "test drive" version of Netscape Proxy Server 2.5, downloaded from Netscape site. I have enabled SOCKS daemon, but when I put the server to run, there is no one listening on port 1080. The configuration: Excerpt from /proxy-nome-proxy/config/obj.conf Init log-name="/var/adm/sockd.log" ident-check="none" log-type="syslog-separate" fn="init-sockd" status="on" sockd-conf="/etc/sockd.conf" /etc/sockd.conf file (just one line) permit 10.0.0.0 255.0.0.0 I have noted that /var/adm/sockd.log was created, so I conclude that the above Init line was executed. But still no one is listening on port 1080! Any clue? Thanks in advance! Regards, Bill.
-- Bill Coutinho mailto:bill@dextra.com.br Dextra Internet Solutions http://www.dextra.com.br/ Campinas, SP - Brazil voice:+55-19-251-3644 From owner-firewalls-outgoing Thu Apr 10 13:08:43 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA17688 for firewalls-outgoing; Thu, 10 Apr 1997 10:05:59 -0700 (PDT) Received: from gw.research.megasoft.com (gw.research.megasoft.com [206.230.35.93]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id KAA17656 for ; Thu, 10 Apr 1997 10:05:47 -0700 (PDT) Received: (from uucp@localhost) by gw.research.megasoft.com (8.7.5/8.7.3-cmcurtin) id NAA25934; Thu, 10 Apr 1997 13:02:13 -0400 (EDT) Received: from goffette.research.megasoft.com(192.168.1.2) by gw.research.megasoft.com via smap (V2.0) id xma025925; Thu, 10 Apr 97 13:01:45 -0400 Received: (from cmcurtin@localhost) by goffette.research.megasoft.com (8.8.5/8.8.5) id NAA05956; Thu, 10 Apr 1997 13:01:46 -0400 (EDT) Date: Thu, 10 Apr 1997 13:01:46 -0400 (EDT) Message-Id: <199704101701.NAA05956@goffette.research.megasoft.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit From: C Matthew Curtin To: Adam Shostack Cc: rwh@visi.com (Richard Hoffbeck), jean@cinops.xerox.com, firewalls@GreatCircle.COM Subject: Re: Secure Email Client packages In-Reply-To: <199704100414.XAA19201@homeport.org> References: <3.0.32.19970409214533.00963e00@fw2.mwcia.org> <199704100414.XAA19201@homeport.org> X-Mailer: VM 6.22 under 19.15 XEmacs Lucid >>>> "Adam" == Adam Shostack writes: Adam> If she certified that software didn't have key escrow in it, Adam> I'd be inclined to trust but verify. She has a political Adam> opinion which I strongly and vehemently disagree with. However, Adam> while she may twist the facts, I doubt that she'd out and out Adam> lie.
FYI, she seems to have been shifting her views more toward realism lately. Specifically, a belief that there should be no restrictions on what US citizens can use. She still supports promotion of key recovery technologies, which does seem to make sense within certain contexts (i.e., an organization where someone is conducting official business). I don't mean to start a thread on crypto policy here, but I agree with Adam's modus operandi, and want to give folks the pointer to read her opinion for themselves. She has noted that her views do change, and something she advocated two years ago might not be something she advocates now. I don't think Dr. Denning is someone who can't be trusted; she's someone whose views on crypto policy and such need further revision. :-) http://www.cosc.georgetown.edu/~denning/crypto/position.html -- Matt Curtin Chief Scientist Megasoft, Inc. cmcurtin@research.megasoft.com http://www.research.megasoft.com/people/cmcurtin/ I speak only for myself Death to small keys. Crack DES NOW! http://www.frii.com/~rcv/deschall.htm From owner-firewalls-outgoing Thu Apr 10 14:35:26 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA29990 for firewalls-outgoing; Thu, 10 Apr 1997 11:31:40 -0700 (PDT) Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id LAA29927 for ; Thu, 10 Apr 1997 11:31:23 -0700 (PDT) Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id NAA23592 for firewalls@greatcircle.com; Thu, 10 Apr 1997 13:27:58 -0500 (EST) From: Adam Shostack Message-Id: <199704101827.NAA23592@homeport.org> Subject: DNS server other than BIND?
To: firewalls@greatcircle.com (Firewalls mailing list) Date: Thu, 10 Apr 1997 13:27:58 -0500 (EST) X-Mailer: ELM [version 2.4ME+ PL27 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I'm looking for a DNS server that is not BIND. I worry about a package that is 2mb compressed, so I'm looking for something small enough that I can examine the code. I need it to run on Solaris (other UNIX may be acceptable). It needs to be small, and preferably have security as a design goal. Source must be available. I do not need a free tool, if there's a company that sells a tool and will sell the source as well, that's fine. Please reply to me, and I'll summarize when I'm done evaluating. Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From owner-firewalls-outgoing Thu Apr 10 14:42:10 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA04095 for firewalls-outgoing; Thu, 10 Apr 1997 11:55:51 -0700 (PDT) Received: from gaia.dataway.com (mail.dataway.com [205.158.48.8]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id LAA04046 for ; Thu, 10 Apr 1997 11:55:30 -0700 (PDT) Received: from radioflyer.flycast.com ([205.158.51.94]) by gaia.dataway.com (Netscape Mail Server v2.0) with SMTP id AAA8655; Thu, 10 Apr 1997 11:54:18 -0700 Message-Id: <3.0.32.19970410115425.00cbf74c@gaia.dataway.com> Organization: FlyCast Communications Corporation X-Sender: dsalisbury@gaia.dataway.com X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Thu, 10 Apr 1997 11:54:26 -0700 To: Blanche Beube From: Dylan Salisbury Subject: Re: Virus Alert Cc: firewalls@GreatCircle.COM, carlo@io.org, testeves@interlog.com, all@genesis.isginc.com, asimic@bellmobility.com, lpbaziw@bellmobility.com Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Here is a web page about
this probably urban myth. Please investigate virus warnings yourself before copying them to mailing lists. http://www.kumite.com/myths/myths/myth031.htm Also, bookmark CIAC's "virus hoax" page at http://ciac.llnl.gov/ciac/CIACHoaxes.html Dylan -- Dylan Salisbury FlyCast Communications Tel. (415) 975-5376 dsalisbury@flycast.com FAX (415) 977-1009 From owner-firewalls-outgoing Thu Apr 10 14:47:01 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA03392 for firewalls-outgoing; Thu, 10 Apr 1997 11:51:35 -0700 (PDT) Received: from burke.burkegroup.com (burke.roc.servtech.com [206.106.148.165]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id LAA03314 for ; Thu, 10 Apr 1997 11:51:17 -0700 (PDT) From: dan@burkegroup.com Received: from Connect2 Message Router by burke.burkegroup.com via Connect2-SMTP 4.00; Thu, 10 Apr 97 14:51:30 -0500 Message-ID: <0D3FAB3101523000@burke.burkegroup.com> Date: Thu, 10 Apr 97 14:50:34 -0500 Organization: Burke Group To: firewalls@greatcircle.com Subject: Re: Virus Alert MIME-Version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7BIT X-mailer: Connect2-SMTP 4.00 MHS to SMTP Gateway Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Sounds like a hoax, I don't think Win95 comes with antivirus... > (Blanche Beube) {bbeube@isginc.com} wrote: > Hello All, > Just got this from a colleague.Spread the word. Be careful out there. > > > << THERE IS A NEW AOL SCAM."It is essential that this problem be reconciled > as soon as possible. A few hours ago, I opened an E-mail that had the > subject heading of aol4free.com Within seconds of opening it, a window > appeared and began to display my files that were being deleted. I > immediately shut down my computer, but it was too late. This virus wiped me > out. It ate the Anti-Virus Software that comes with the Windows '95 Program > along with F-Prot AVS. Neither was able to detect it. 
Please be careful and > send this to as many people as possible, so maybe this new virus can be > eliminated. > > FORWARD this to as many people as you care about!! >> > > > >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> > Blanche Beube E-mail: bbeube@isginc.com > Unix Analyst Voice: (416)368-2222 x214 > Fax: (416)366-6667 > >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> > > From owner-firewalls-outgoing Thu Apr 10 15:07:05 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA05699 for firewalls-outgoing; Thu, 10 Apr 1997 12:06:02 -0700 (PDT) Received: from mail-oak-2.pilot.net (mail-oak-2.pilot.net [198.232.147.17]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id MAA05683 for ; Thu, 10 Apr 1997 12:05:55 -0700 (PDT) Received: from relay1.clorox.com (relay.clorox.com [168.189.64.36]) by mail-oak-2.pilot.net with ESMTP id MAA02582; Thu, 10 Apr 1997 12:04:13 -0700 (PDT) Received: from maverick (maverick.clorox.com) by relay1.clorox.com with ESMTP (CEMS 5.01/1.37.109.14) id AA132369559; Thu, 10 Apr 1997 12:12:39 -0700 Message-Id: <334D39A0.F3D8D65E@Clorox.com> Date: Thu, 10 Apr 1997 12:04:00 -0700 From: Paul Rarey Organization: The Clorox Services Company X-Mailer: Mozilla 4.0b3 [en] (WinNT; I) Mime-Version: 1.0 To: Blanche Beube Cc: firewalls@GreatCircle.COM, carlo@io.org, testeves@interlog.com, all@genesis.isginc.com, asimic@bellmobility.com, lpbaziw@bellmobility.com Subject: Re: Virus Alert X-Priority: 3 (Normal) References: <2.2.32.19970410172535.0071c8bc@205.208.61.20> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Wake up.... http://ciac.llnl.gov/ciac/CIACHoaxes.html Blanche Beube wrote: > > Hello All, > Just got this from a colleague.Spread the word. Be careful out there. > > << THERE IS A NEW AOL SCAM."It is essential that this problem be reconciled > as soon as possible. 
A few hours ago, I opened an E-mail that had the > subject heading of aol4free.com Within seconds of opening it, a window > appeared and began to display my files that were being deleted. I > immediately shut down my computer, but it was too late. This virus wiped me > out. It ate the Anti-Virus Software that comes with the Windows '95 Program > along with F-Prot AVS. Neither was able to detect it. Please be careful and > send this to as many people as possible, so maybe this new virus can be > eliminated. > > FORWARD this to as many people as you care about!! >> > > >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> > Blanche Beube E-mail: bbeube@isginc.com > Unix Analyst Voice: (416)368-2222 x214 > Fax: (416)366-6667 > >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> [ psr ] From owner-firewalls-outgoing Thu Apr 10 15:17:14 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA04967 for firewalls-outgoing; Thu, 10 Apr 1997 12:00:56 -0700 (PDT) Received: from gemcon.com (DNS2.GEMCON.COM [205.223.239.35]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id MAA04928 for ; Thu, 10 Apr 1997 12:00:41 -0700 (PDT) Received: by dns2.gemcon.com id <55345>; Thu, 10 Apr 1997 15:02:36 -0400 From: "Webb, Dean" To: Blanche Beube Cc: firewalls@GreatCircle.COM Subject: RE: Virus Alert Date: Thu, 10 Apr 1997 15:00:13 -0400 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1457.3) Content-Type: text/plain Message-Id: <97Apr10.150236edt.55345@dns2.gemcon.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This is a hoax. Trust me, no virus can launch out of a text message. A big tip is that NO anti-virus software ships with Windows 95. Please visit the Virus-L FAQ at ftp://ftp.infospace.com/pub/virus-l/. I would also recommend the site http://kumite.com/myths/ for further info. Please let your friends know about this and please don't send messages like this. They clog email servers and waste productivity. 
I'm not angry: I used to be a teacher, so I actually enjoy helping people out with things like this. Hope this helps, Dean Webb > -----Original Message----- > From: Blanche Beube [SMTP:bbeube@isginc.com] > Sent: Thursday, April 10, 1997 12:26 PM > To: firewalls@GreatCircle.COM > Cc: carlo@io.org; testeves@interlog.com; all@genesis.isginc.com; > asimic@bellmobility.com; lpbaziw@bellmobility.com > Subject: Virus Alert > > > Hello All, > Just got this from a colleague.Spread the word. Be careful out there. > > > << THERE IS A NEW AOL SCAM."It is essential that this problem be > reconciled > as soon as possible. A few hours ago, I opened an E-mail that had the > subject heading of aol4free.com Within seconds of opening it, a > window > appeared and began to display my files that were being deleted. I > immediately shut down my computer, but it was too late. This virus > wiped me > out. It ate the Anti-Virus Software that comes with the Windows '95 > Program > along with F-Prot AVS. Neither was able to detect it. Please be > careful and > send this to as many people as possible, so maybe this new virus can > be > eliminated. > > FORWARD this to as many people as you care about!! 
>> > > > >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> > Blanche Beube E-mail: bbeube@isginc.com > Unix Analyst Voice: (416)368-2222 x214 > Fax: (416)366-6667 > >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> From owner-firewalls-outgoing Thu Apr 10 15:37:01 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA07546 for firewalls-outgoing; Thu, 10 Apr 1997 12:16:57 -0700 (PDT) Received: from genesis.isginc.com (genesis.isginc.com [205.208.61.20]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id MAA07493 for ; Thu, 10 Apr 1997 12:16:41 -0700 (PDT) Received: from blanche_laptop.isginc.com (blanche.isginc.com [205.208.61.138]) by genesis.isginc.com (8.6.9/8.6.9) with SMTP id PAA27979 for ; Thu, 10 Apr 1997 15:25:52 -0400 Message-Id: <2.2.32.19970410192405.0070d9e8@205.208.61.20> X-Sender: bbeube@205.208.61.20 X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Thu, 10 Apr 1997 15:24:05 -0400 To: firewalls@GreatCircle.COM From: Blanche Beube Subject: RE:Virus alert Sender: firewalls-owner@GreatCircle.COM Precedence: bulk My apologies for unintentionally promoting a hoax. To those of you who offered constructive information and URL's... thank you. 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Blanche Beube E-mail: bbeube@isginc.com Unix Analyst Voice: (416)368-2222 x214 Fax: (416)366-6667 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> From owner-firewalls-outgoing Thu Apr 10 16:07:16 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA09676 for firewalls-outgoing; Thu, 10 Apr 1997 12:27:34 -0700 (PDT) Received: from mercury.webserve.net (mercury.webserve.net [206.96.226.5]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id MAA09652 for ; Thu, 10 Apr 1997 12:27:26 -0700 (PDT) Received: from voxel.webserve.net (voxel.webserve.net [207.49.111.18]) by mercury.webserve.net (8.6.12/8.6.9) with ESMTP id PAA17954 for ; Thu, 10 Apr 1997 15:23:07 -0400 Message-ID: <334D3F47.293F@webserve.net> Date: Thu, 10 Apr 1997 15:28:07 -0400 From: Dennis Fanshaw X-Mailer: Mozilla 4.0b2 (Win95; I) MIME-Version: 1.0 To: firewalls@GreatCircle.COM Subject: questions about AOLand Compuserve software port use. X-Priority: 3 (Normal) Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Can anyone tell me what port numbers the AOL and compuserve software uses when accessing thier services over the internet??? I'm working on some packet filters for a client and I know they have a few users making use of the AOL and compuserve software. 
Thanks,
Dennis Fanshaw
dfanshaw@webserve.net

From owner-firewalls-outgoing Thu Apr 10 16:50:42 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA10725 for firewalls-outgoing; Thu, 10 Apr 1997 12:33:45 -0700 (PDT)
Received: from mail.rc.on.ca ([207.176.151.2]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id MAA10680 for ; Thu, 10 Apr 1997 12:33:30 -0700 (PDT)
Received: by mail.rc.on.ca with Internet Mail Service (5.0.1457.3) id <2NR8X4BF>; Thu, 10 Apr 1997 15:31:58 -0400
Message-ID:
From: Russ
To: "firewalls@greatcircle.com" , "'jesse@eac.com'"
Cc: firewall-1-mailinglist@us.checkpoint.com
Subject: RE: Borderware firewall...(if that's what you want to call it)
Date: Thu, 10 Apr 1997 15:31:56 -0400
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1457.3)
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Based on these results, I can't see how I would ever sully my reputation
>by recommending this product. Has anyone ever dealt successfully with
>this product...Specifically, does anyone with Firewall-1 experience care
>to comment on a comparison? My comparison's results should be pretty
>obvious, by now...

When did we all start being slimy business weasels first, and human beings second? Is this the result of Married with Children still being in production?

Jesse, or should I say Stuart?

Given that you've stated your reputation would be sullied should you ever recommend this product, why the heck would it matter to you to see favourable commentary on the product? If you were ever convinced to recommend it, I would be extremely upset as you've promised you would never do such a thing. Can your technical expertise be so easily swayed that a few remarks from me, or anyone, would actually make a difference to such a well thought out stance? What would happen if it turned out that you had improperly configured the thing and not read all the release notes???
Oh my god! Is it too much for some people to make a public observation without it having to be a slam? Have people forgotten the art of communicating, and instead learned the art of tabloiding? You observed three very interesting things, did you ask the Borderware folks for an explanation? What did they say? From owner-firewalls-outgoing Thu Apr 10 16:51:51 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA09140 for firewalls-outgoing; Thu, 10 Apr 1997 12:25:08 -0700 (PDT) Received: from scribe.cc.purdue.edu (scribe.cc.purdue.edu [128.210.11.6]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id MAA09107 for ; Thu, 10 Apr 1997 12:24:56 -0700 (PDT) Received: from ia01.freh.purdue.edu by scribe.cc.purdue.edu; Thu, 10 Apr 97 14:23:45 -0500 Comments: Authenticated sender is From: "Michael S Hines" Organization: Purdue University To: firewalls@greatcircle.com Date: Thu, 10 Apr 1997 14:26:14 -0500 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: (Fwd) Re: (Fwd) Virus Alert for Firewalls... Reply-to: mshines@purdue.edu X-mailer: Pegasus Mail for Win32 (v2.42) Message-Id: <334d3e4111af002@scribe.cc.purdue.edu> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >From the FIRST center... AOL4FREE is a hoax... ------- Forwarded Message Follows ------- From: kinyon@next3.corp.mot.com (John J. Kinyon) Subject: Re: (Fwd) Virus Alert To: miguel@boytoy.csd.sgi.com Date: Thu, 10 Apr 1997 13:37:42 -0500 (CDT) Cc: first-teams@first.org Reply-to: kinyon@next3.corp.mot.com (John J. Kinyon) >From our internal information security news web page: Can you get AOL4free? Well, no. "AOL4free" was originally an illegal program which circumvented AOL security systems. The systems have been modified to be secure, AND the author of the program is now in jail! In March, rumors began circulating that there is an "AOL4free virus". 
This is a HOAX, according to America Online's Virus Information Center. See details at http://kumite.com/myths/myths/myth031.htm. (1997.04.09) Regards, _JJK -- John Kinyon, Motorola Corporate Information Security 1299 East Algonquin Road, IL06-W2214, Schaumburg, IL 60196-1077, USA E-mail: kinyon@mot.com or John_Kinyon-ajk007@email.mot.com Phone: +1 847-576-0669, Fax: +1 847-538-2153, MCERT: +1 847-576-1616 -+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+ This message was posted through the FIRST mailing list server. if you wish to unsubscribe from this mailing list, send the message body of "unsubscribe first-teams" to first-majordomo@FIRST.ORG -+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+ ----------------------------------------------------------------- Internet: mshines@purdue.edu * Michael S. Hines, CDP, CFE Voice: (765) 494-5845 * Sr. Information Systems Auditor FAX: (765) 496-1814 * Purdue University * 1065 Freehafer Hall * West Lafayette, IN 47907-1065 From owner-firewalls-outgoing Thu Apr 10 17:02:57 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA09686 for firewalls-outgoing; Thu, 10 Apr 1997 12:27:39 -0700 (PDT) Received: from bounty.sssd.navy.mil (bounty.sssd.navy.mil [192.12.7.200]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id MAA09631 for ; Thu, 10 Apr 1997 12:27:20 -0700 (PDT) Received: from pinafore.sssd.navy.mil (pinafore [192.12.7.209]) by bounty.sssd.navy.mil (8.8.5/8.8.5) with SMTP id LAA12862; Thu, 10 Apr 1997 11:55:07 -0700 (PDT) Message-Id: <199704101855.LAA12862@bounty.sssd.navy.mil> Received: by pinafore.sssd.navy.mil (NX5.67f2/NX3.0X) id AA00518; Thu, 10 Apr 97 11:55:05 -0700 Content-Type: text/plain Mime-Version: 1.0 (NeXT Mail 3.3 v118.2) In-Reply-To: <2.2.32.19970410172535.0071c8bc@205.208.61.20> X-Nextstep-Mailer: Mail 3.3 (Enhance 2.0b5) Received: by NeXT.Mailer (1.118.2) From: "John H. 
Stewart"
Date: Thu, 10 Apr 97 11:55:03 -0700
To: Blanche Beube
Subject: Re: Virus Alert
Cc: firewalls@GreatCircle.COM, carlo@io.org, testeves@interlog.com, all@genesis.isginc.com, asimic@bellmobility.com, lpbaziw@bellmobility.com
Reply-To: c101jhs@sssd.navy.mil
References: <2.2.32.19970410172535.0071c8bc@205.208.61.20>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

You wrote:
> Hello All,
> Just got this from a colleague.Spread the word. Be careful out
> there.
>
>
> << THERE IS A NEW AOL SCAM."It is essential that this problem be
> reconciled as soon as possible. A few hours ago, I opened an E-mail
<>
>
> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
> Blanche Beube E-mail: bbeube@isginc.com
> Unix Analyst Voice: (416)368-2222 x214
> Fax: (416)366-6667
> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>

HOAX! HOAX!

AOL4FREE is an unusual virus hoax in that it's based on a REAL program name. Written by a college student, its purpose was to give America On Line users free connect time in the days when AOL charged by the minute.

Beginning in early March 1997, E-mail began circulating around the Internet warning of a new virus that could:

> bypass all virus detection software
> crash your hard drive after you turned it off
> listed all your files as they were deleted from your hard drive

and was named.....AOL4FREE.COM!

AOL4FREE.COM is identified as a chain letter virus hoax. No site has been found to have an actual AOL4FREE.COM virus incident.

->>> Users should ignore/erase messages that refer to AOL4FREE.COM <<<-

(Note: Had AOL4FREE been a real threat, its classification would be "Trojan", not virus)

So what happened to the dude? He was caught and according to "NEWSBYTES" was sentenced to 2 years probation, 6 months home confinement, and had to reimburse AOL $62,000. (His downfall? Ego. He liked to brag about his program in the AOL Chat rooms!)
John Stewart
Information Systems Security
SUPSHIP San Diego

From owner-firewalls-outgoing Thu Apr 10 17:08:12 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA08198 for firewalls-outgoing; Thu, 10 Apr 1997 12:20:03 -0700 (PDT)
Received: from scribe.cc.purdue.edu (scribe.cc.purdue.edu [128.210.11.6]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id MAA08141 for ; Thu, 10 Apr 1997 12:19:45 -0700 (PDT)
Received: from ia01.freh.purdue.edu by scribe.cc.purdue.edu; Thu, 10 Apr 97 14:18:28 -0500
Comments: Authenticated sender is
From: "Michael S Hines"
Organization: Purdue University
To: firewalls@greatcircle.com
Date: Thu, 10 Apr 1997 14:20:57 -0500
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: Virus Alert - check it out for yourself.
Reply-to: mshines@purdue.edu
X-mailer: Pegasus Mail for Win32 (v2.42)
Message-Id: <334d3d04107f002@scribe.cc.purdue.edu>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Does anyone ever verify this information, or do we just blindly follow the leader? "Spread the word" is akin to a denial of service attack intended for everyone to flood the net with this message.

Here's some advice I passed along this morning... you might find it of some value..

----------------------------included stuff------------------

I tried that new search engine www.dogpile.com with the phrase AOL4FREE - InfoSeek returned 27 hits.

The original version of AOL4FREE 2.6v4 was designed to allow users of AOL to go into chargeable areas of AOL but appear to be in a free area for billing purposes - it was one of many hacks on AOL which are available for download from ftp://whacked.l0pht.com/pub/AOLCrap/AOL4FREE2.6v4.sit

I don't know about this virus alert, but if it is true then someone has hacked AOL4FREE to do something else than it was originally designed for.
As with any e-mail or Web document - you should always save it to a file and then examine it with a virus tool before using it. Even then, you may be at risk (virus tools are usually one step behind virus authors at all times). It's even better if you get things from people you trust. I refuse to open any attachment to mail I receive - I will save it and look at it before I open it - even Word docs, etc...

One should be suspicious of any Subject heading with a *.com in it! (why would you put the subject of a message as the name of an executable program?). It's quite likely, if the person's e-mail is set up properly (Improperly?) that the e-mail might automatically launch and execute a binary attachment with a .com suffix (this is a "feature" of MIME mail!). Can't say for sure without seeing the original message. Have you seen the original message - or are you just seeing rumors of it?

Another type of attack (such as the lead in to this message "pass this along to as many people as you know") is the denial of service attack where individuals try to load up the Internet with useless traffic (such as this potential hoax) to reduce the chance of doing real work. It's been known to work.

A couple of quick tests can tell you if the message is a hoax or authentic.

1. finger the sender of the message - finger is a UNIX command (also on NT) which will look up the computer and user to determine if they are registered on the named system. Most hoaxes will come from spoofed e-mail, that is you won't find the user registered at the named computer (in fact you typically won't find the named computer either - it's all fabricated).

2. see a copy of the actual message - not just a report of the message. it will have to be set up in just a particular way to work properly... one can look at it and see if the MIME headers are proper, and one can even extract the attachment and look at it (basically reverse engineer it to determine its modus operandi) to see if it is real or not.
Unless you see the real thing, I'd guess it is a hoax. Has anyone contacted the person who was attacked by the virus (by phone probably) to verify the incident actually occurred (you know the old auditor motto - trust but verify)?

But then I could be wrong... :)

--------------------------------------------end of included stuff--------------

One last question - what are virus alerts doing on the Firewalls mailing list?

Best,

-----------------------------------------------------------------
Internet: mshines@purdue.edu * Michael S. Hines, CDP, CFE
Voice: (765) 494-5845 * Sr. Information Systems Auditor
FAX: (765) 496-1814 * Purdue University
* 1065 Freehafer Hall
* West Lafayette, IN 47907-1065

From owner-firewalls-outgoing Thu Apr 10 17:20:14 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA12141 for firewalls-outgoing; Thu, 10 Apr 1997 12:40:34 -0700 (PDT)
Received: from mail.diginsite.com (mail.diginsite.com [208.2.189.2]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id MAA12116 for ; Thu, 10 Apr 1997 12:40:19 -0700 (PDT)
Received: from march.diginsite.com by mail.diginsite.com (AIX 3.2/UCB 5.64/4.03) id AA06889; Thu, 10 Apr 1997 12:36:39 -0700
Message-Id: <9704101936.AA06889@mail.diginsite.com>
From: "David Lang"
To: "Jon Tegethoff" ,
Subject: Re: Apology
Date: Thu, 10 Apr 1997 12:39:11 -0700
X-Msmail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1155
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Internet mail from microsoft lets you sort mail by incoming address or subject into different folders (including the deleted folder)

David Lang

----------
> From: Jon Tegethoff
> To: firewalls@greatcircle.com
> Subject: RE: Apology
> Date: Thursday, April 10, 1997 6:31 AM
>
> Is there a good email address filter that
> works on Win 95?
I do not know about the rest > of the list but I would like to put something in > place to always auotmatically delete messages > from Stuart Johnson. Any help is welcome! The > sooner the better, before he answers this message. > > Jon Tegethoff > From owner-firewalls-outgoing Thu Apr 10 17:41:41 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA02076 for firewalls-outgoing; Thu, 10 Apr 1997 11:43:53 -0700 (PDT) Received: from uscabh01.epri.com (uscabh01.epri.com [144.58.1.149]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id LAA02023 for ; Thu, 10 Apr 1997 11:43:38 -0700 (PDT) Received: by uscabh01.epri.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BC45A4.8BED0250@uscabh01.epri.com>; Thu, 10 Apr 1997 11:44:28 -0700 Message-ID: From: "Lowe, Larry" To: "'Blanche Beube'" Cc: "'firewalls@GreatCircle.COM'" Subject: RE: Virus Alert Date: Thu, 10 Apr 1997 11:41:25 -0700 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk It is another hoax. This one is called aol4free. see: http://ciac.llnl.gov/ciac/CIACHoaxes.html#aol4free >---------- >From: Blanche Beube >Sent: Thursday, April 10, 1997 6:25 PM >To: firewalls@GreatCircle.COM >Cc: carlo@io.org; testeves@interlog.com; all@genesis.isginc.com; >asimic@bellmobility.com; lpbaziw@bellmobility.com >Subject: Virus Alert > >Hello All, >Just got this from a colleague.Spread the word. Be careful out there. > > ><< THERE IS A NEW AOL SCAM."It is essential that this problem be reconciled >as soon as possible. A few hours ago, I opened an E-mail that had the >subject heading of aol4free.com Within seconds of opening it, a window >appeared and began to display my files that were being deleted. I >immediately shut down my computer, but it was too late. 
This virus wiped me >out. It ate the Anti-Virus Software that comes with the Windows '95 Program >along with F-Prot AVS. Neither was able to detect it. Please be careful and >send this to as many people as possible, so maybe this new virus can be >eliminated. > > FORWARD this to as many people as you care about!! >> > > >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >Blanche Beube E-mail: bbeube@isginc.com >Unix Analyst Voice: (416)368-2222 x214 > Fax: (416)366-6667 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> > > From owner-firewalls-outgoing Thu Apr 10 17:41:47 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA26028 for firewalls-outgoing; Thu, 10 Apr 1997 14:04:38 -0700 (PDT) Received: from server3.syd.mail.ozemail.net (server3.syd.mail.ozemail.net [203.108.7.41]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id OAA26010 for ; Thu, 10 Apr 1997 14:04:30 -0700 (PDT) Received: from oznet02.ozemail.com.au (oznet02.ozemail.com.au [203.2.192.124]) by server3.syd.mail.ozemail.net (8.8.4/8.6.12) with ESMTP id HAA10765 for ; Fri, 11 Apr 1997 07:03:18 +1000 (EST) Received: from LOCALNAME (slcan2p61.ozemail.com.au [203.108.192.77]) by oznet02.ozemail.com.au (8.8.4/8.6.12) with SMTP id HAA07359 for ; Fri, 11 Apr 1997 07:03:15 +1000 (EST) Message-ID: <334E449C.56ED@ozemail.com.au> Date: Fri, 11 Apr 1997 07:03:08 -0700 From: "Gerard A. Joseph" Reply-To: gerard@ozemail.com.au X-Mailer: Mozilla 3.0 (Win16; I) MIME-Version: 1.0 To: firewalls@GreatCircle.COM Subject: Virus Alert References: <2.2.32.19970410172535.0071c8bc@205.208.61.20> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk It seems that not even a firewall mailing list is to be free from the tedium of these puerile and tiresome chain letters. Gerard Blanche Beube wrote: > > Hello All, > Just got this from a colleague.Spread the word. Be careful out there. 
> > << THERE IS A NEW AOL SCAM."It is essential that this problem be reconciled > as soon as possible. A few hours ago, I opened an E-mail that had the > subject heading of aol4free.com Within seconds of opening it, a window > appeared and began to display my files that were being deleted. I > immediately shut down my computer, but it was too late. This virus wiped me > out. It ate the Anti-Virus Software that comes with the Windows '95 Program > along with F-Prot AVS. Neither was able to detect it. Please be careful and > send this to as many people as possible, so maybe this new virus can be > eliminated. > > FORWARD this to as many people as you care about!! >> > > >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> > Blanche Beube E-mail: bbeube@isginc.com > Unix Analyst Voice: (416)368-2222 x214 > Fax: (416)366-6667 > >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> From owner-firewalls-outgoing Thu Apr 10 17:46:25 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA23878 for firewalls-outgoing; Thu, 10 Apr 1997 13:49:25 -0700 (PDT) Received: from krypton.hmco.com (krypton.hmco.com [155.44.83.2]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id NAA23831 for ; Thu, 10 Apr 1997 13:49:13 -0700 (PDT) Received: by krypton.hmco.com(Lotus SMTP MTA v1.06 (346.6 3-18-1997)) id 85256475.0071BF1D ; Thu, 10 Apr 1997 16:42:24 -0400 X-Lotus-FromDomain: HOUGHTONMIFFLIN From: "Vitaly Vanchurin" To: bbeube@isginc.com cc: firewalls@GreatCircle.COM, carlo@io.org, testeves@interlog.com, all@genesis.isginc.com, asimic@bellmobility.com, lpbaziw@bellmobility.com Message-ID: <85256475.00714B1B.00@krypton.hmco.com> Date: Thu, 10 Apr 1997 16:42:15 -0400 Subject: Re: Virus Alert Mime-Version: 1.0 Content-type: text/plain; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello everyone, Most of you have probably just recieved a message about the "AOL SCAM" virus. 
I say that it is impossible to contract a computer virus from any mail message that does not contain attachments, and even if it does contain attachments, you can only contract a virus by opening them! Thank you, Vitaly Vanchurin From owner-firewalls-outgoing Thu Apr 10 19:07:07 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id SAA14420 for firewalls-outgoing; Thu, 10 Apr 1997 18:36:28 -0700 (PDT) Received: from svn.com.br (sv1.svn.com.br [200.254.15.33]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id RAA06671 for ; Thu, 10 Apr 1997 17:59:55 -0700 (PDT) Received: from kika (sp41.svn.com.br [200.254.15.89]) by svn.com.br (8.8.5/8.6.9) with SMTP id VAA21809 for ; Thu, 10 Apr 1997 21:59:05 -0300 Message-ID: <334CD59B.4BC9@svn.com.br> Date: Thu, 10 Apr 1997 09:57:15 -0200 From: FABIO VALBUENA Organization: Origin / Philips do Brasil X-Mailer: Mozilla 2.01Gold (Win95; I) MIME-Version: 1.0 To: firewalls@GreatCircle.COM Subject: PLEASE, HOW TO GET OUT FROM THIS LIST Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Please how anyone know how get out of this list ????? Too many thanks, Fabio From owner-firewalls-outgoing Thu Apr 10 19:22:33 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id SAA12325 for firewalls-outgoing; Thu, 10 Apr 1997 18:23:11 -0700 (PDT) Received: from mutiara.mutiara.com.my (mutiara.com.my [202.190.132.8]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id SAA11910 for ; Thu, 10 Apr 1997 18:21:58 -0700 (PDT) Received: (from wmphang@localhost) by mutiara.mutiara.com.my (8.7.5/8.7.3) id JAA23102; Fri, 11 Apr 1997 09:20:34 +0800 (MYT) Date: Fri, 11 Apr 1997 09:20:33 +0800 (MYT) From: Phang Wee Meng X-Sender: wmphang@mutiara To: Dennis Fanshaw , firewalls@GreatCircle.COM Subject: Re: questions about AOLand Compuserve software port use. 
In-Reply-To: <334D3F47.293F@webserve.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thu, 10 Apr 1997, Dennis Fanshaw wrote: > Can anyone tell me what port numbers the AOL and compuserve software > uses when accessing thier services over the internet??? > > I'm working on some packet filters for a client and I know they have a > few users making use of the AOL and compuserve software. > > For the Compuserve software, they used port 4144/tcp for services over the internet. --- From owner-firewalls-outgoing Thu Apr 10 19:36:59 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id SAA16174 for firewalls-outgoing; Thu, 10 Apr 1997 18:42:42 -0700 (PDT) Received: from orca.sitesonthe.net ([209.12.79.2]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id SAA15875 for ; Thu, 10 Apr 1997 18:41:49 -0700 (PDT) Received: from golgi.sitesonthe.net by orca.sitesonthe.net (SMI-8.6/SMI-SVR4) id VAA08973; Thu, 10 Apr 1997 21:52:11 -0400 Message-ID: <334D9BD2.7EBD@sitesonthe.net> Date: Thu, 10 Apr 1997 22:02:58 -0400 From: Robert Evans Reply-To: pedro@orca.sitesonthe.net Organization: GETtheNET, Inc. X-Mailer: Mozilla 3.0Gold (Win95; I) MIME-Version: 1.0 To: firewalls@greatcircle.com Subject: Where to find Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, I am sorry to post this on this list, so please respond by direct email if you can help. I am trying to figure out if a router setup I have created is optimal for my connection. My concern is that there might be a way to make a configuration that runs faster. In particular it is a basic hdlc point to point cisco router config between me and my provider. But I wonder why they are so much slower than my other provider's frame relay connection. Is it just the provider? Thanks for any pointers. Sorry to mispost. 
Robert Evans
GETtheNET, Inc.

From owner-firewalls-outgoing Thu Apr 10 19:54:44 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id PAA11425 for firewalls-outgoing; Thu, 10 Apr 1997 15:54:37 -0700 (PDT)
Received: from jehova.owl.de (jehova.owl.de [194.121.202.132]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id PAA11273 for ; Thu, 10 Apr 1997 15:53:50 -0700 (PDT)
Received: from fiction.pb.owl.de (root@fiction.pb.owl.de [193.174.12.5]) by jehova.owl.de (8.8.5/8.8.5) with SMTP id AAA26112 for ; Fri, 11 Apr 1997 00:52:31 +0200 (MET DST)
Received: from squirrel.owl.de by fiction.pb.owl.de with bsmtp id m0wFSjE-00002fC; Fri, 11 Apr 97 00:54 MET DST
Received: (qmail 9760 invoked by uid 300); 10 Apr 1997 22:02:45 -0000
Date: 10 Apr 1997 22:02:45 -0000
Message-ID: <19970410220245.9759.qmail@squirrel.owl.de>
From: Stuart Johnson
To: firewalls@greatcircle.com
Subject: Apology
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I would like to apologize for taking the discussion off-topic to the firewalls mailing list. The firewall mailing list is where the security community can express some of their concerns from both a technical evaluation as well as an end-user perspective.

Marcus' responses have become emotional and I may have let my own postings be on the emotional side. Based upon his private emails he sent me, I find it ironic that he publicly impugns my character, yet privately encourages me to consider his soon to be delivered and competing technology. I guess the world will soon find out why Marcus' technology is "better than Haystack and Wheelgroup" but at the same time, not competitive.

Just last week, Marcus denigrated and made fun of MimeStar with the SecureNet Pro technology and now knowing that Marcus will compete with MimeStar, it leads me to question the double standards evident in his emotional response.
As a user, perhaps Marcus doesn't fully understand the end user's need to fully evaluate the product as well as the company that stands behind it. I as well as many other end users have been burned by software companies' promises that were never delivered upon. A company in disarray makes buying their products a higher risk decision. The questions I raise are legitimate concerns for anyone considering the implementation of this technology across their enterprise. I have received many very valuable emails from end users who factually responded without emotion. I am sorry valid business concerns are construed as lunacy and mud slinging. Sometimes the truth hurts especially for the guilty party. With asking these concerns, I am stunned that some of these security "experts" without any standards would publicly denounce someone as a "Network Loon" and try to put someone on trial. I should have never been drawn into Marcus' roast as I am not evaluating his products anyways (as they don't exist). Contrary to emotional flames, I only desired to determine if the employee at Haystack was a disgruntled exception or whether the company was truly in as much turmoil and decay as was indicated. This concerns me and any other potential customers of this software. And to this end, customers of both Haystack and Wheelgroup have shared their experiences and have confirmed many of my observations with unbiased facts. To those that have, thank you for your objective input and your professionalism to respond without emotional regard and selfish interest. 
Stuart From owner-firewalls-outgoing Thu Apr 10 19:54:51 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id QAA16626 for firewalls-outgoing; Thu, 10 Apr 1997 16:21:28 -0700 (PDT) Received: from swinc.com (swinc.com [198.252.182.233]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id QAA16497 for ; Thu, 10 Apr 1997 16:20:55 -0700 (PDT) Received: from grail.austin.swinc.com ([204.107.173.67]) by anthrax.swinc.com with ESMTP id <17026-1>; Thu, 10 Apr 1997 18:22:17 -0500 Received: by grail.austin.swinc.com with Internet Mail Service (5.0.1457.3) id ; Thu, 10 Apr 1997 18:19:15 -0500 Message-ID: <41242F632110D0118B4500A024BF7EB008AA6E@grail.austin.swinc.com> From: "Webb, Andy" To: "'jesse@eac.com'" Cc: firewalls@GreatCircle.COM, "'firewall-1-mailinglist@us.checkpoint.com'" Subject: RE: Borderware firewall...(if that's what you want to call it) Date: Thu, 10 Apr 1997 18:19:13 -0500 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1457.3) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk 1) What patches do you have installed and what version of the software is it? 2) This is not true on all the servers I have built. I must EXPLICITLY enable the external web server after install. I also must explicitly enable remote administration (www port 442) for the internal interface since it is disabled in the default config. 3) I don't quite understand your config here. There is no external proxy for port 80 on the firewall. Did the firewall actually pass the packets through to the external side (you can turn on logging and look at the connection logs)? You can get packets to the web management port from where? An internal IP address connected to the Internal NIC of the Firewall? <-- that should work. This seems like a poor place to troll for tech support. 
If you are an authorized reseller, then you have direct contact to Secure Computing to get all the current patches and ask about how your #3 is working. If not, then perhaps you should contact one. To remove conflict of interest, I'll refer you to NetPartners in California. Andy > -----Original Message----- > From: Jesse Whyte [SMTP:jesse@eac.com] > Sent: Thursday, April 10, 1997 1:12 PM > To: firewalls@greatcircle.com > Cc: firewall-1-mailinglist@us.checkpoint.com > Subject: Borderware firewall...(if that's what you want to call > it) > > I have had to do some performance and security testing on the > Borderware > firewall product over the last couple of weeks and I have some issues > that I wanted to address here... > > 1) We caused a kernel panic by flooding the firewall system itself > with > ping ECHO_REQUESTS at less than T-1 bandwidth... > > 2) The default configuration loads a web server on port 80 for the > entire world to see... > > 3) The firewall doesn't discriminate between internal and external > hosts > when it proxies, (ie, with a poor setup (the default setup), I can set > the proxy in my browser to the external interface of the proxy, then > try > to go to the internal interface and the firewall will proxy me > there...another interesting side effect of this was that you can get > packets to the web management port 442) > > Based on these results, I can't see how I would ever sully my > reputation > by recommending this product. Has anyone ever dealt successfully with > this product...Specifically, does anyone with Firewall-1 experience > care > to comment on a comparison? My comparison's results should be pretty > obvious, by now... 
> > Thanks for your help and your advice, > > Jesse > -- > ********************************************************************** > * > Jesse Whyte EAC Network Integrators > Security Analyst Trumbull, CT > jesse@eac.com http://www.eac.com > (203) 371-2441 From owner-firewalls-outgoing Thu Apr 10 20:07:22 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id TAA28559 for firewalls-outgoing; Thu, 10 Apr 1997 19:54:22 -0700 (PDT) Received: from emout17.mail.aol.com (emout17.mx.aol.com [198.81.11.43]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id TAA28530 for ; Thu, 10 Apr 1997 19:54:14 -0700 (PDT) From: NiteRage17@aol.com Received: (from root@localhost) by emout17.mail.aol.com (8.7.6/8.7.3/AOL-2.0.0) id WAA07382; Thu, 10 Apr 1997 22:53:03 -0400 (EDT) Date: Thu, 10 Apr 1997 22:53:03 -0400 (EDT) Message-ID: <970410225107_672023552@emout17.mail.aol.com> To: fabiomfv@svn.com.br, firewalls@greatcircle.com Subject: Re: PLEASE, HOW TO GET OUT FROM THIS LIST Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Yeah, while you're at it, get me off of here too. 
Thanks From owner-firewalls-outgoing Thu Apr 10 20:22:07 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA03507 for firewalls-outgoing; Thu, 10 Apr 1997 17:44:42 -0700 (PDT) Received: from sybil.mfi.com (sybil.mfi.com [204.33.180.2]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id RAA03303 for ; Thu, 10 Apr 1997 17:43:49 -0700 (PDT) Received: from mfi.com by sybil.mfi.com (SMI-8.6/SMI-SVR4) id RAA09850; Thu, 10 Apr 1997 17:42:27 -0700 Received: from ccMail by mfi.com (SMTPLINK V2.11) id AA860719220; Thu, 10 Apr 97 17:42:47 PST Date: Thu, 10 Apr 97 17:42:47 PST From: "Richard Power" Message-Id: <9703108607.AA860719220@mfi.com> To: Firewalls@GreatCircle.COM Subject: 1997 Free FIrewall Product Matrix and Analysis Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Brent, here is something to post if you'd like... Free Firewall Product Analysis on the Web SAN FRANCISCO -- The Computer Security Institute (CSI) released today its third annual "Firewall Product Matrix." It couldn't be more timely. The results of the recent "1997 CSI/FBI Computer Crime and Security Survey" showed a 10% rise in the number of respondents reporting their Internet connection as "a frequent point of attack." The "1997 CSI Firewall Product Matrix" is World Wide Web-based (http://www.gocsi.com) and provides the most extensive free firewall information available via the Internet. Designed by CSI's Internet/Intranet security instructor and noted author Rik Farrow, this year's matrix delivers the goods on 35 firewalls from 30 vendors. Over thirty categories of firewall functionality are detailed; everything from administrative interfaces to user authentication to customizable alarms to encryption algorithms is explored. In an insightful analysis which accompanies the matrix, Farrow delineates the pros and cons of different types of firewalls, comparing the strengths and weaknesses of "application gateways" versus "stateful inspection." 
"This year's firewall products center around two competing technologies, application gateways and stateful inspection. Most products weigh-in with application gateway-based firewalls, but the market leader, Checkpoint Software's FireWall-1, relies on stateful inspection. Each technology has its advantages and disadvantages." CSI Editorial Director Richard Power sees the "1997 CSI Product Matrix" site as a vital resource for the Internet community. "There is no authority for firewall evaluation recognized by the leading Internet security experts and there won't be anytime soon. Those who rely on certification schemes based on the running of a few widely available suites of tools may well experience a new kind of sticker shock. The stakes are very high. It is imperative that network and Internet professionals both develop their own in-house expertise and have independent resources to avail themselves of. We've designed this site to provide only the best in firewall editorial analysis. And it's free to everyone, including the firewall vendors." To supplement the matrix and its accompanying analysis, CSI has provided an archive of fascinating documents from leading firewall savants, including Farrow on "Choosing a Firewall with the Right Stuff," Marcus Ranum of V-One Corporation (Rockville, MD) on "How NOT to Build a Firewall," Ranum and Andrew Molitar of Network Systems (Minneapolis, MN) in a Point/Counterpoint on "What Kind of Firewall to Buy?" and Gene Schultz of SRI International (Meno Park, CA) on "How to Test Firewalls." All these practical and timely pieces are excerpted from recent issues of the Computer Security Journal, a bi-annual CSI publication. The site also provides links to other important firewall and Internet security resources on the Web, including Brent Chapmann's Great Circle Firewalls mailing list and Gene Spafford's COAST Labs. The URL to access the site is http://www.gocsi.com. 
CSI, established in 1974, is a San Francisco-based association of information security professionals. It has thousands of members worldwide and provides a wide variety of information and education programs to assist practitioners in protecting the information assets of corporations and governmental organizations. From owner-firewalls-outgoing Thu Apr 10 20:37:15 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA20036 for firewalls-outgoing; Thu, 10 Apr 1997 13:27:34 -0700 (PDT) Received: from citadel.evolving.com (citadel.evolving.com [198.202.204.162]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id NAA20029 for ; Thu, 10 Apr 1997 13:27:28 -0700 (PDT) Received: from valiant.evolving.com (valiant.evolving.com [198.202.204.66]) by citadel.evolving.com (8.6.12/8.6.9) with ESMTP id OAA19898; Thu, 10 Apr 1997 14:25:40 -0600 Received: from thepound.evolving.com (thepound.evolving.com [206.214.51.52]) by valiant.evolving.com (8.6.12/8.6.9) with ESMTP id OAA20919; Thu, 10 Apr 1997 14:25:39 -0600 Received: (from rtruitt@localhost) by thepound.evolving.com (8.6.12/8.6.9) id OAA16389; Thu, 10 Apr 1997 14:24:16 -0600 From: Todd Truitt Message-Id: <199704102024.OAA16389@thepound.evolving.com> Subject: Re: Re : Router bottlenecks in ATM network? To: clonvick@cisco.com (Chris Lonvick) Date: Thu, 10 Apr 1997 14:24:15 -0600 (MDT) Cc: srini@igt.com, Firewalls@GreatCircle.COM, d.r.giles@hud.ac.uk In-Reply-To: <2.2.32.19970409041906.00ed5178@diablo.cisco.com> from "Chris Lonvick" at Apr 8, 97 11:19:06 pm X-Mailer: ELM [version 2.4 PL24] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk -----BEGIN PGP SIGNED MESSAGE----- 'Chris Lonvick once said:' > Just to add to what Srini says, there's no magic to getting high speeds > through routers/switches in the ATM world. The "router" part will need to > assemble the cells of a new session to see where the packets need to be > routed. 
It will also need to check the packets against any filters that > you've set up. If the session passes the filters, the "router" can tell the > "switch" part how to modify the future packets (while still in the cell > stream) to change the MAC addresses, ttl, appropriate checksums, etc. I would imagine ATM routers will actually be a bit different in design than the type of router we are used to. I picture something along the lines of each port on the router having its own ASIC based chipset which will handle all actual switching functions. ASICs will be much faster and cheaper. The ASICs will query the ATM router's Route Processor only when setting up the original connection. At this time, all higher layer functions (filtering, route calculation...as it applies to the designed ATM network in question) will be processed. The RP will then send this info back to the individual ATM ASIC Switch Processors, which will handle all packet "switching". Also, we will see more multi-layered switches doing this as well. Cheers, - --Todd > At 05:11 PM 4/8/97 -0400, Srini Seetharam wrote: > >Deric Giles writes : > > > >>connection. However in the near future our site is likely to be > >>connected to a MAN running at maybe 155Mb/sec and our internal network > >>upgraded to ATM at a similar speed. Having two routers in the path > >>acting at layer 3 now seem to pose a bottleneck. How can I maintain the > >>benefits from the speed upgrades without compromising security? The > >>only (partial) solution I can see is to merge the two routers but this > > > >Various networking companies are developing next generation router technology > >that in many instances is geared towards ATM. These routers will perform at > >wire speeds around 600Mbps and maybe even beyond. It is sometimes referred to > >as the BFR (Big Fast/F...ing/Fat Router). IPsilon already has a solution that > >works at least with 155mbps ATM, maybe higher. Others may have solution today > >as well. 
> > > >We, at IgT, design chips and software for ATM networks. We are pursuing this > >goal of have a solution to this problem with the bulk of the routing and "Flow > >detection" at wire speeds being done in a single chip. > > > >And to add a point that is interesting to the firewall community, just about > >all the schemes of flow detection have inherent packet filtering capabilities > >built in to them. In addition, the software that goes along with these devices > >can be used to be a basis for firewalling software running with these fast > >router accelerators. > > > >srini > >-- > >------------------------------------------------------------------------ > > IgT Srini W. Seetharam | > > ------------------------ Integrated Telecom Technology (IgT), | > > | __ __ | 18310 Montgomery Village Ave, Suite 300 | > > |__| |__ __| |____| Gaithersburg Maryland 20879 | > > | |__| | Tel: 301.990.9890 | > > | | Fax: 301.990.9893 | > > ------------------------ Web: http://www.igt.com/ | > > Net: srini@igt.com | > >------------------------------------------------------------------------| > >Expressed opinions may not be mine and not necessarily be those of IgT. 
| > >------------------------------------------------------------------------| > > Linux : The choice of the GNU Generation | > >------------------------------------------------------------------------ > > > > -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQB1AwUBM01MbM9y1J+ua2vxAQHa7QL+LRQ0sYWktf06Nv01YhNXSimJKV+k7CaI mD1Ziest43iAJCb7wXmkxiMSxD/WiT1zQsL9adrtWdM9VCsYVIC/YF9XPXpGHMFN 0UbPSwJOg4n8Xjw+zc8B5LrT+nsGF8jV =KaQ1 -----END PGP SIGNATURE----- From owner-firewalls-outgoing Thu Apr 10 20:41:41 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA29380 for firewalls-outgoing; Thu, 10 Apr 1997 14:36:43 -0700 (PDT) Received: from gw.garrison.com ([205.241.58.147]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id OAA29318 for ; Thu, 10 Apr 1997 14:36:23 -0700 (PDT) Received: from gw.garrison.com (root@localhost) by gw.garrison.com (8.7.5/8.7.3) with ESMTP id QAA01517; Thu, 10 Apr 1997 16:35:09 -0500 (CDT) Received: from garrison.com (garrison.com [10.0.0.2]) by gw.garrison.com (8.7.5/8.7.3) with SMTP id QAA01513; Thu, 10 Apr 1997 16:35:09 -0500 (CDT) Received: by garrison.com (4.1/SMI-4.1) id AA10861; Thu, 10 Apr 97 16:34:30 CDT Date: Thu, 10 Apr 97 16:34:30 CDT From: jeromie@garrison.com (Jeromie Jackson) Message-Id: <9704102134.AA10861@garrison.com> To: firewalls@GreatCircle.COM, dviggian@gst.cgs.it Subject: Re: E-mail scanning Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > From: Domenico Viggiani > Is there the possibility to do some e-mail content-scanning in order to > avoid data-driven attacks? > > TIA > -- I know Sidewinder from SCC has a very strong e-mail auditing tool that can do several types of content filtering.. Keyword, mime type,etc.. 
Jeromie Jackson Garrison Technologies jeromie@garrison.com From owner-firewalls-outgoing Thu Apr 10 20:43:10 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id PAA02886 for firewalls-outgoing; Thu, 10 Apr 1997 15:00:24 -0700 (PDT) Received: from challenger.atc.fhda.edu ([153.18.32.1]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id PAA02813 for ; Thu, 10 Apr 1997 15:00:09 -0700 (PDT) Received: from localhost (manek@localhost) by challenger.atc.fhda.edu (8.8.0/8.7.3) with SMTP id OAA29351; Thu, 10 Apr 1997 14:58:40 -0700 (PDT) Date: Thu, 10 Apr 1997 14:58:40 -0700 (PDT) From: "Sameer R. Manek" To: Jon Tegethoff cc: "firewalls@greatcircle.com" Subject: RE: Apology-Enough ALREADY! In-Reply-To: <01BC4589.9CC7B0E0@jon.cypher-sage.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Okay let's drop this thread folks, the apology has been given, if it is sincere or not who cares. Next week nobody will remember who you are anyways. Nor does this have anything to do with firewalls. -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Sameer Manek manek@challenger.atc.fhda.edu Which will finally kill the Internet first? Web TV, ASDL or Cable Modems? 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- From owner-firewalls-outgoing Thu Apr 10 20:49:28 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA29649 for firewalls-outgoing; Thu, 10 Apr 1997 14:38:59 -0700 (PDT) Received: from HIFFMFPAC10.mfp.usmc.mil (emh1.mfp.usmc.mil [158.239.2.20]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id OAA29598 for ; Thu, 10 Apr 1997 14:38:44 -0700 (PDT) Received: by HIFFMFPAC10.mfp.usmc.mil; Thu, 10 Apr 97 11:37:46 -1000 Date: Thu, 10 Apr 97 11:08:54 HST Message-ID: X-Priority: 3 (Normal) To: From: (SYSTEMS ADMIN, MARFORPAC DSN 477-6820) Subject: DNS Configuration X-Incognito-SN: 504 X-Incognito-Format: VERSION=2.01a ENCRYPTED=NO Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi all, This should be an easy one to answer. I have a V-one Smartwall that I tried putting on-line last week but the only problem was that DNS names were not resolving, I was told to make my firewall a Primary DNS and resolve from the internal Primary. I have a couple of questions. Do I have to create a forwarding record on my internal DNS that points to the firewall? Do I have to tell our parent DNS that the firewall is our new primary or will it be transparent to them? If not, how can I set up the firewall so that the internal Primary is maintained as the primary for our domain so that our parent DNS doesn't have to change anything. 
Richard E Peraza PRC Inc (MARFORPAC/G6) Ph# : 808-477-0456 FAX# : 808-477-2832 e-mail : perazar1@mfp.usmc.mil From owner-firewalls-outgoing Thu Apr 10 20:52:04 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA26170 for firewalls-outgoing; Thu, 10 Apr 1997 17:11:18 -0700 (PDT) Received: from mail3.voicenet.com (mail3.voicenet.com [207.103.0.45]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id RAA26107 for ; Thu, 10 Apr 1997 17:11:02 -0700 (PDT) Received: from mike-s-pc (matawan107.voicenet.com [207.103.22.26]) by mail3.voicenet.com (8.8.5/8.6.12) with SMTP id UAA28066 for ; Thu, 10 Apr 1997 20:14:08 -0400 (EDT) Message-Id: <199704110014.UAA28066@mail3.voicenet.com> Comments: Authenticated sender is From: "Michael Cunningham" Organization: Paranet To: firewalls@greatcircle.com Date: Thu, 10 Apr 1997 20:10:43 +0000 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Urgent assistance needed! Reply-to: malice@voicenet.com X-mailer: Pegasus Mail for Win32 (v2.42a) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I have a new client that called me at 5:10 pm today freaking out that UUNET is going to disconnect them because a huge number of hits (3000 per minute) on UUNET's dns servers from their domain. They are a medium sized company (1000) employees hooked to UUNET with multiple t1's. They think it is their firewall which is causing the problem, although they don't even know what brand firewall they have. All they know is it is running on a sparc5 solaris box. The firewall is acting as a proxy server/firewall with a dns proxy pointing to UUNET's dns servers for internet dns resolution. They have internal dns servers handling internal dns. I have a feeling that is some sorta runaway clients that are causing the problem since I have never heard of a firewall doing this. 
I get the FEELING that they are using a gauntlet firewall since UUNET sells gauntlet firewalls and the fact the client has no clue what firewall software they are running. I called uunet to try to determine if they knew what type of firewall their client is running but their support staff didn't have a clue. Has anyone ever heard of this situation?? I have never heard of this type of problem with a firewall before. Supposedly this has been going on since Oct. in spurts..some days good..some really bad like today. Please offer any related stories/info you can.. I want to try to get some further insight into this prior to walking into the client's door at 8am. A beer and my thanks to whoever can help! Thanks... Michael Cunningham Paranet Inc. From owner-firewalls-outgoing Thu Apr 10 21:22:49 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA24860 for firewalls-outgoing; Thu, 10 Apr 1997 13:55:38 -0700 (PDT) Received: from krypton.hmco.com (krypton.hmco.com [155.44.83.2]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id NAA24806 for ; Thu, 10 Apr 1997 13:55:26 -0700 (PDT) Received: by krypton.hmco.com(Lotus SMTP MTA v1.06 (346.6 3-18-1997)) id 85256475.00726F92 ; Thu, 10 Apr 1997 16:49:56 -0400 X-Lotus-FromDomain: HOUGHTONMIFFLIN From: "Vitaly Vanchurin" To: firewalls@GreatCircle.COM Message-ID: <85256475.007240E1.00@krypton.hmco.com> Date: Thu, 10 Apr 1997 16:49:49 -0400 Subject: Re: Virus Alert Mime-Version: 1.0 Content-type: text/plain; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello everyone, Most of you have probably just received a message about the "AOL SCAM" virus. I say that it is impossible to contract a computer virus from any mail message that does not contain attachments, and even if it does contain attachments, you can only contract a virus by opening them! 
Thank you, Vitaly Vanchurin From owner-firewalls-outgoing Thu Apr 10 21:42:15 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA12656 for firewalls-outgoing; Thu, 10 Apr 1997 12:43:01 -0700 (PDT) Received: from mercury.webserve.net (mercury.webserve.net [206.96.226.5]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id MAA12591 for ; Thu, 10 Apr 1997 12:42:39 -0700 (PDT) Received: from voxel.webserve.net (voxel.webserve.net [207.49.111.18]) by mercury.webserve.net (8.6.12/8.6.9) with ESMTP id PAA18290 for ; Thu, 10 Apr 1997 15:38:19 -0400 Message-ID: <334D42D8.1CA1@webserve.net> Date: Thu, 10 Apr 1997 15:43:20 -0400 From: Dennis Fanshaw X-Mailer: Mozilla 4.0b2 (Win95; I) MIME-Version: 1.0 To: firewalls@GreatCircle.COM Subject: Re: HTTP SecureID Authentication on Firewall-1 anyone? X-Priority: 3 (Normal) References: <97040719292246/0006731076PK5EM@MCIMAIL.COM> Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > Text item: Text_1 > > I would like to know if anyone has gotten SecureID to work in an HTTP > authentication scheme. We are using version 2.0 of FireWall-1. We are > trying to authenticate users of an internal web server. We are having > problems. We are successfully using SecureID to authenticate users of our intranet webservers, and it's working like a charm. What sort of difficulties are you having? 
Dennis Fanshaw dfanshaw@webserve.net From owner-firewalls-outgoing Thu Apr 10 21:52:08 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA23896 for firewalls-outgoing; Thu, 10 Apr 1997 13:49:31 -0700 (PDT) Received: from nagos.lif.icnet.uk (nagos.lif.icnet.uk [143.65.1.21]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id NAA23844 for ; Thu, 10 Apr 1997 13:49:16 -0700 (PDT) Message-Id: <199704102049.NAA23844@honor.greatcircle.com> Received: by nagos.lif.icnet.uk; Thu, 10 Apr 1997 21:46:29 +0100 From: harley@nagos.lif.icnet.uk (David Harley) Subject: Dealing with hoaxes [was Virus Alert] To: firewalls@greatcircle.com Date: Thu, 10 Apr 1997 21:46:28 +0100 (BST) Cc: harley@nagos.lif.icnet.uk (David Harley) X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Hello All, > Just got this from a colleague.Spread the word. Be careful out there. Someone round here is being conned royally. This alert has so many of the classic symptoms of a hoax alert, I can't help wondering if it's meant to be humorous (but I've seen better parodies.......) If it's of interest to anyone on this list, there's a short paper on dealing with internet hoaxes on my web page: I know many of us spend time we can't afford on dealing with this plague. Comments and corrections are welcome, but let's keep discussion on the list on-topic. 
-- David Harley \ | / alt.comp.virus FAQ D.Harley@icrf.icnet.uk \ | / & Anti-Virus Web Page Support & Security Analyst \ | / Folk London On-Line gig-list Imperial Cancer Research Fund ____\|/____ http://webworlds.co.uk/dharley/ From owner-firewalls-outgoing Thu Apr 10 21:52:00 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id VAA15792 for firewalls-outgoing; Thu, 10 Apr 1997 21:23:19 -0700 (PDT) Received: from lexicon.ins.com (lexicon.ins.com [199.0.193.11]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id VAA15650 for ; Thu, 10 Apr 1997 21:22:52 -0700 (PDT) Received: from hsh15-55.flash.net (SVL-dynamic233.ins.com [199.0.193.233]) by lexicon.ins.com (8.7.5/8.7.3) with SMTP id VAA04868 for ; Thu, 10 Apr 1997 21:21:38 -0700 (PDT) Received: by hsh15-55.flash.net with Microsoft Mail id <01BC4604.5A54ED60@hsh15-55.flash.net>; Thu, 10 Apr 1997 23:10:16 -0500 Message-ID: <01BC4604.5A54ED60@hsh15-55.flash.net> From: "Michael A. Abbott" To: "'malice@voicenet.com'" , "firewalls@GreatCircle.COM" Subject: RE: Urgent assistance needed! Date: Thu, 10 Apr 1997 23:10:15 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Anyone thought of putting a sniffer on the segment leaving the firewall to determine the source of the DNS queries? +----------------------------------------------------------------+ | Michael A. Abbott | | Managing Consultant | | International Network Services voice: +1.713.777.1404 | | 8323 South West Freeway, Suite 355 fax: +1.713.777.2977 | | Houston, Texas 77074-1602 alpha page: +1.800.467.1467 | | | +----------------------------------------------------------------+ -----Original Message----- From: Michael Cunningham [SMTP:Michael.Cunningham@voicenet.com] Sent: Thursday, April 10, 1997 3:11 PM To: firewalls@GreatCircle.COM Subject: Urgent assistance needed! 
I have a new client that called me at 5:10 pm today freaking out that UUNET is going to disconnect them because a huge number of hits (3000 per minute) on UUNET's dns servers from their domain. They are a medium sized company (1000) employees hooked to UUNET with multiple t1's. They think it is their firewall which is causing the problem, although they don't even know what brand firewall they have. All they know is it is running on a sparc5 solaris box. The firewall is acting as a proxy server/firewall with a dns proxy pointing to UUNET's dns servers for internet dns resolution. They have internal dns servers handling internal dns. I have a feeling that is some sorta runaway clients that are causing the problem since I have never heard of a firewall doing this. I get the FEELING that they are using a gauntlet firewall since UUNET sells gauntlet firewalls and the fact the client has no clue what firewall software they are running. I called uunet to try to determine if they knew what type of firewall their client is running but their support staff didn't have a clue. Has anyone ever heard of this situation?? I have never heard of this type of problem with a firewall before. Supposedly this has been going on since Oct. in spurts..some days good..some really bad like today. Please offer any related stories/info you can.. I want to try to get some further insight into this prior to walking into the client's door at 8am. A beer and my thanks to whoever can help! Thanks... Michael Cunningham Paranet Inc. 
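One way to act on the sniffer suggestion in the reply above, as an added example that is not part of any list member's post: it assumes the capture was saved as tcpdump-style one-line text, and the sample lines, addresses, function names and threshold are all constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# tcpdump one-line text for a DNS query, for example:
#   08:00:05.250000 IP 10.1.1.20.1045 > 192.0.2.53.53: 101+ A? www.example.com. (33)
# Only packets sent *to* port 53 match, so responses are skipped.
QUERY_RE = re.compile(
    r"^(?P<hh>\d{2}):(?P<mm>\d{2}):\d{2}\.\d+ IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.53: "
    r"\d+[+%*-]* (?:\[\w+\] )?(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) "
)


def build_sample():
    """Constructed capture: one looping client plus ordinary traffic."""
    lines = []
    # Constructed runaway client: 40 identical lookups inside one minute.
    for i in range(40):
        lines.append(
            f"08:00:{i:02d}.000000 IP 10.1.1.77.1200 > 192.0.2.53.53: "
            f"{500 + i}+ A? mail.example.com. (34)"
        )
    # Constructed ordinary clients, including one response that must be ignored.
    lines += [
        "08:00:05.250000 IP 10.1.1.20.1045 > 192.0.2.53.53: 101+ A? www.example.com. (33)",
        "08:00:05.300000 IP 192.0.2.53.53 > 10.1.1.20.1045: 101 1/0/0 A 203.0.113.5 (49)",
        "08:01:10.000000 IP 10.1.1.20.1046 > 192.0.2.53.53: 102+ MX? example.org. (29)",
        "08:01:12.000000 IP 10.1.1.31.2001 > 192.0.2.53.53: 7+ PTR? 5.113.0.203.in-addr.arpa. (42)",
    ]
    return "\n".join(lines)


SAMPLE = build_sample()


def parse_queries(text):
    """Return (minute, source address, query name) for every DNS query line."""
    out = []
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            out.append((f"{m['hh']}:{m['mm']}", m["src"], m["qname"].lower()))
    return out


def per_minute_by_source(text):
    """Map each minute bucket to a Counter of queries per source address."""
    counts = defaultdict(Counter)
    for minute, src, _ in parse_queries(text):
        counts[minute][src] += 1
    return counts


def noisy_sources(text, threshold):
    """Sources whose peak queries-per-minute reaches the threshold."""
    peaks = Counter()
    for per_src in per_minute_by_source(text).values():
        for src, n in per_src.items():
            peaks[src] = max(peaks[src], n)
    return {src: n for src, n in peaks.items() if n >= threshold}


def top_names(text, src, k=3):
    """Most-requested names for one source; a single repeated name suggests a loop."""
    names = Counter(q for _, s, q in parse_queries(text) if s == src)
    return names.most_common(k)


if __name__ == "__main__":
    for src, peak in noisy_sources(SAMPLE, threshold=30).items():
        print(src, "peak/min:", peak, "top names:", top_names(SAMPLE, src))
```

The per-source breakdown is only useful if the capture point still shows the original client addresses; on the far side of a DNS proxy every query carries the proxy's address.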
From owner-firewalls-outgoing Thu Apr 10 22:22:11 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id VAA22997 for firewalls-outgoing; Thu, 10 Apr 1997 21:55:50 -0700 (PDT) Received: from gw.research.megasoft.com (gw.research.megasoft.com [206.230.35.93]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id VAA22916 for ; Thu, 10 Apr 1997 21:55:28 -0700 (PDT) Received: (from uucp@localhost) by gw.research.megasoft.com (8.7.5/8.7.3-cmcurtin) id AAA03117 for ; Fri, 11 Apr 1997 00:53:27 -0400 (EDT) Received: from goffette.research.megasoft.com(192.168.1.2) by gw.research.megasoft.com via smap (V2.0) id xma003113; Fri, 11 Apr 97 00:53:12 -0400 Received: (from cmcurtin@localhost) by goffette.research.megasoft.com (8.8.5/8.8.5) id AAA09179; Fri, 11 Apr 1997 00:53:14 -0400 (EDT) Date: Fri, 11 Apr 1997 00:53:14 -0400 (EDT) Message-Id: <199704110453.AAA09179@goffette.research.megasoft.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit From: C Matthew Curtin To: firewalls@greatcircle.com Subject: Preventing Email Virii X-Mailer: VM 6.22 under 19.15 XEmacs Lucid X-Face: "&>g(&eGr?u^F:nFihL%BsyS1[tCqG7}I2rGk4{aKJ5I_5A\*6RYn4"N.`1pPF9LO!Fa<(gj:12)?=uP2l01e10Gij"7j&-)torL^iBrNf\s7PDLm=rf[PjxtSbZ{J(@@j"q2/iV9^Mx; Thu, 10 Apr 1997 22:22:50 -0700 (PDT) Received: from kgibbs.vip.best.com (kgibbs.vip.best.com [206.86.92.105]) by proxy1.ba.best.com (8.8.5/8.8.3) with ESMTP id WAA26479 for ; Thu, 10 Apr 1997 22:19:46 -0700 (PDT) Message-Id: <199704110519.WAA26479@proxy1.ba.best.com> From: "Kelly Gibbs" To: Subject: NT SIDS? Date: Thu, 10 Apr 1997 21:40:19 -0700 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1155 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Anyone familiar with NT SIDS? 
Apparently it has been cracked and the implication of doing so spells another "service-pack" from Microsoft. Also, I was given a demonstration on how to change the system registry. It's actually fairly easy and bypasses all the protection Microsoft set up. I'll be posting my findings on my web page soon. I'm still in the info collection process and continuing to pursue this.

Kelly

From owner-firewalls-outgoing Thu Apr 10 22:52:00 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA02305 for firewalls-outgoing; Thu, 10 Apr 1997 17:39:19 -0700 (PDT)
Received: from mail.clark.net (mail.clark.net [168.143.0.10]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id RAA02292 for ; Thu, 10 Apr 1997 17:39:08 -0700 (PDT)
Received: from mjr.clark.net (mjr.clark.net [168.143.19.61]) by mail.clark.net (8.8.5/8.6.5) with SMTP id UAA08676; Thu, 10 Apr 1997 20:37:35 -0400 (EDT)
Message-Id: <199704110037.UAA08676@mail.clark.net>
Comments: Authenticated sender is
From: "Marcus J. Ranum"
Organization: Network Flight Recorder, Inc.
To: Firewalls@GreatCircle.COM
Date: Thu, 10 Apr 1997 20:41:00 +0000
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: SSL Implementation ?
Reply-to: mjr@clark.net
CC: a-ventura@usa.net
In-reply-to: <199704102208.PAA03933@honor.greatcircle.com>
X-mailer: Pegasus Mail for Win32 (v2.53/R1)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Arnaud Ventura writes:
> I Would like to know how to implement SSL ?
> I am not sure if this list is a good place to write,
> if not please excuse me and give me a better place to do
> it.

SSL is certainly a security protocol you could use.
There are implementations of it that can be had for free from Eric Young in Australia -- see: http://www.psy.uq.edu.au:8080/~ftp/Crypto/

SSL's one of the security protocols used by a lot of web servers and browsers -- you can get it built into a large number such as Netscape and Microsoft's IIS. The protocol can be used to secure other services than just HTTP, you could use it for SQL or whatever -- there's a package called SSLapps that are SSL-based non-HTTP clients.

> I would like to develop a secure system to access a database.
> I need to :
> - Secure the transmission ;
> - Authenticate Client and Server ;
> - Ensure that the scripts to access the DataBase
> can't be only access the Database.

SSL will do the first 2 and if you configure your server right you can do the last one by isolating it on its own box so the only way to access it is via SSL.

The traditional way of doing this kind of thing (where "tradition" means "people have been doing it for at least a year now") is to use an HTTP interface to the database, and to just use an SSL-enabled web server that mediates the access through a CGI script. That way all you're really doing is writing CGI scripts that translate your database to HTTP. That can be painful depending on the complexity of database accesses you plan to allow.

mjr.
-----
Marcus J. Ranum, Network Flight Recorder, Inc.
Personal: http://www.clark.net/pub/mjr
Work: http://www.nfr.net

From owner-firewalls-outgoing Fri Apr 11 01:52:12 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id BAA15802 for firewalls-outgoing; Fri, 11 Apr 1997 01:44:08 -0700 (PDT)
Received: from ns.medcom.se (ns.medcom.se [194.213.80.20]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id BAA15793 for ; Fri, 11 Apr 1997 01:43:59 -0700 (PDT)
Received: by ns.medcom.se; id KAA18517; Fri, 11 Apr 1997 10:46:20 +0200 (MET DST)
Received: from giscard.medcom.se(194.16.52.41) by ns.medcom.se via smap (3.2) id xma018503; Fri, 11 Apr 97 10:46:06 +0200
Received: from larry (larry.medcom.se) by giscard.medcom.se with ESMTP (1.37.109.16/16.2) id AA256641873; Fri, 11 Apr 1997 10:44:33 +0100
Message-Id: <334DF97D.CF09DAD3@medcom.se>
Date: Fri, 11 Apr 1997 10:42:37 +0200
From: Neil Costigan
Organization: medcom, sweden.
X-Mailer: Mozilla 4.0b3 [en] (WinNT; I)
Mime-Version: 1.0
To: Firewalls@GreatCircle.COM
Subject: Re: SSL Implementation ?
X-Priority: 3 (Normal)
References: <199704110800.BAA11486@honor.greatcircle.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Arnaud Ventura writes:
> I would like to develop a secure system to access a database.
> I need to :
> - Secure the transmission ;
> - Authenticate Client and Server ;
> - Ensure that the scripts to access the DataBase
> can't be only access the Database.

medcom have a tool which lets you add SSL to generic TCP client-server without modifying the applications
adds *full* strength encryption worldwide and SSL based authentication.
will help with points 1 and 2. not really sure what 3 refers to.
ideal for access to SQL server from ODBC etc.
essentially a SSL tunnel for the traditional TCP
see http://www.medcom.se/ssr
uncrippled NT/95 and unix versions available for download

Regards,
Neil Costigan

note.
It is built upon Eric Young's SSLeay package see: http://www.psy.uq.edu.au:8080/~ftp/Crypto/ and I AM connected with this product. **

--
///////////////////////////////
neil costigan
mailto:neil@medcom.se
http://www.medcom.se/neil
ph: +46.8.208585
//////////////////////////////

From owner-firewalls-outgoing Fri Apr 11 02:37:11 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id CAA19032 for firewalls-outgoing; Fri, 11 Apr 1997 02:22:42 -0700 (PDT)
Received: from noc.demon.net (server.noc.demon.net [158.152.1.160]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id CAA19012 for ; Fri, 11 Apr 1997 02:22:31 -0700 (PDT)
Received: by noc.demon.net; id KAA27649; Fri, 11 Apr 1997 10:21:26 +0100 (BST)
Received: from singsing.security.demon.net(195.11.55.71) by inside.noc.demon.net via smap (3.2) id xma027643; Fri, 11 Apr 97 10:21:20 +0100
Message-ID: <334E0269.48C33392@lemon.net>
Date: Fri, 11 Apr 1997 10:20:41 +0100
From: "Gregory R. Block"
Organization: Lemon Internet, Unltd.
X-Mailer: Mozilla 4.0b3 [en] (WinNT; I)
MIME-Version: 1.0
To: malice@voicenet.com
CC: firewalls@GreatCircle.COM
Subject: Re: Urgent assistance needed!
X-Priority: 3 (Normal)
References: <199704110014.UAA28066@mail3.voicenet.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hmm.

Michael Cunningham wrote:
> I have a new client that called me at 5:10 pm today freaking out
> that UUNET is going to disconnect them because a huge number of hits
> (3000 per minute) on UUNET's dns servers from their domain.
> They are a medium sized company (1000) employees hooked to UUNET
> with multiple t1's. They think it is their firewall which is causing
> the problem, although they don't even know what brand firewall they
> have. All they know is it is running on a sparc5 solaris box. The

It seems terribly unlikely to be caused by the firewall.
More importantly, though, it's UUNET's job to find out what the cause is before pointing fingers: If they can't show TCPDUMP logs, then tell them, quite frankly, to go and get them. If they're, arbitrarily, determining that it's caused by the company, without any real evidence, solely because of the DNS being unnaturally unpopular, UUNET would be acting in a very unprofessional and rather stupid manner. Point that out kindly, and they'll probably go and grab logs.

The logs will tell you, in all likelihood, where it's coming from; they can even trace the traffic to which border it's coming in on, which would determine, without doubt, which leased line or WAN link has the traffic. UUNET hasn't done their homework. Tell them to go back to school before threatening customers without backing it up with actually useful information.

Meanwhile, do the same on your own; sniff outgoing traffic on your link to UUNET, and examine how much DNS traffic there is; determine the sources. It *could* be something as simple as the zone refreshing happening way, way too often, or something as complex as a broken client flooding the link.

If it's zone refresh problems, then it's probably their fault; if you're seeing the traffic, though, it's going to be some kind of interaction caused by the caching mechanism, which would be well, well unusual. Zone refresh times being really low *could* cause this kind of activity, if there were enough servers trying to keep valid information on the zone, but that's just crapshoot, and meaningless without more information on what's really going on.

Sincerely,
Gregory R. Block, Security Administrator, Demon Internet Ltd.
--
My opinions are my own, and not that of my company. I'm not convinced that my company can manage to have one.
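
Added example, not part of the original thread: one way to carry out the check described in the message above (sniff the outgoing link, measure the DNS traffic, determine the sources) and to tell a repeating client from over-frequent zone refreshes. It assumes text output from `tcpdump -n`; the sample lines, addresses, names and the thresholds in `verdict` are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed capture, in the text format printed by `tcpdump -n 'udp port 53'`.
# All addresses and names are invented; 192.0.2.53 stands in for the ISP resolver.
SAMPLE = """\
17:10:00.101 IP 10.1.4.22.1031 > 192.0.2.53.53: 4101+ A? mail.example.com. (34)
17:10:00.350 IP 10.1.4.22.1031 > 192.0.2.53.53: 4102+ A? mail.example.com. (34)
17:10:00.611 IP 10.1.4.22.1031 > 192.0.2.53.53: 4103+ A? mail.example.com. (34)
17:10:01.020 IP 10.1.4.22.1031 > 192.0.2.53.53: 4104+ A? mail.example.com. (34)
17:10:12.400 IP 10.1.9.5.1210 > 192.0.2.53.53: 881+ A? www.example.org. (33)
17:10:30.000 IP 10.1.0.2.53 > 192.0.2.53.53: 77 SOA? corp.example. (30)
17:10:40.000 IP 10.1.0.2.53 > 192.0.2.53.53: 78 SOA? corp.example. (30)
17:10:50.000 IP 10.1.0.2.53 > 192.0.2.53.53: 79 SOA? corp.example. (30)
17:11:05.220 IP 10.1.4.22.1031 > 192.0.2.53.53: 4105+ A? mail.example.com. (34)
17:11:20.900 IP 10.1.9.5.1211 > 192.0.2.53.53: 882+ MX? example.net. (29)
17:11:21.000 IP 192.0.2.53.53 > 10.1.9.5.1211: 882 1/0/0 MX mx.example.net. 10 (60)
"""

# One outbound query line: time, source host.port, resolver port 53, id+flags, type, name.
QUERY_RE = re.compile(
    r"^(?P<minute>\d\d:\d\d):\d\d\.\d+ IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > \d+\.\d+\.\d+\.\d+\.53: "
    r"\d+[+*%-]* (?:\[[^\]]*\] )?(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+)"
)

# Query types a secondary name server sends when checking or refreshing a zone.
ZONE_TYPES = {"SOA", "AXFR", "IXFR"}


def parse_queries(text):
    """Return (minute, src, qtype, qname) for every outbound DNS query line."""
    out = []
    for line in text.splitlines():
        m = QUERY_RE.match(line.strip())
        if m:  # responses and non-DNS lines simply do not match
            out.append((m["minute"], m["src"], m["qtype"], m["qname"].lower()))
    return out


def summarize(queries):
    """Per source: total queries, busiest-minute count, and the dominant question."""
    per_minute = defaultdict(Counter)
    questions = defaultdict(Counter)
    for minute, src, qtype, qname in queries:
        per_minute[src][minute] += 1
        questions[src][(qtype, qname)] += 1
    report = {}
    for src, qs in questions.items():
        total = sum(qs.values())
        (qtype, qname), hits = qs.most_common(1)[0]
        report[src] = {
            "total": total,
            "peak_per_minute": max(per_minute[src].values()),
            "top_question": (qtype, qname),
            "top_share": hits / total,
        }
    return report


def verdict(entry, min_queries=3, min_share=0.8):
    """Heuristic label; both thresholds are assumptions to tune against a baseline."""
    if entry["total"] < min_queries:
        return "background"
    if entry["top_share"] >= min_share:
        if entry["top_question"][0] in ZONE_TYPES:
            return "zone refresh"
        return "repeating client"
    return "mixed"


def top_talkers(text):
    """Sources ordered by query volume, each with its summary and verdict."""
    report = summarize(parse_queries(text))
    ranked = sorted(report.items(), key=lambda kv: (-kv[1]["total"], kv[0]))
    return [(src, entry, verdict(entry)) for src, entry in ranked]


if __name__ == "__main__":
    for src, entry, label in top_talkers(SAMPLE):
        qtype, qname = entry["top_question"]
        print(f"{src:<12} total={entry['total']:<3} "
              f"peak/min={entry['peak_per_minute']:<3} "
              f"top={qtype} {qname} ({entry['top_share']:.0%})  -> {label}")
```

On a real link, compare `peak_per_minute` for each source with the rate the provider reports before drawing conclusions from the labels.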
From owner-firewalls-outgoing Fri Apr 11 03:07:29 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id DAA23087 for firewalls-outgoing; Fri, 11 Apr 1997 03:03:39 -0700 (PDT)
Received: from wisteria.singnet.com.sg (wisteria.singnet.com.sg [165.21.1.12]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id DAA23062 for ; Fri, 11 Apr 1997 03:03:30 -0700 (PDT)
Received: from csah.com (csa.csah.com [203.127.220.193]) by wisteria.singnet.com.sg (8.8.5/8.7.3) with SMTP id SAA02932 for ; Fri, 11 Apr 1997 18:02:20 +0800 (SST)
Received: from capl.csah.com by csah.com (SMI-8.6/SMI-SVR4) id SAA23317; Fri, 11 Apr 1997 18:08:22 GMT
Received: from rc3.csah.com by capl.csah.com (SMI-8.6/SMI-SVR4) id SAA14259; Fri, 11 Apr 1997 18:01:51 +0800
Received: by rc3.csah.com (SMI-8.6/SMI-SVR4) id RAA02637; Fri, 11 Apr 1997 17:59:41 +0800
Date: Fri, 11 Apr 1997 17:59:41 +0800
From: bktjia@csah.com (Tjia Bhie Kian (SE - Response Centre))
Message-Id: <199704110959.RAA02637@rc3.csah.com>
To: firewalls@greatcircle.com
Subject: fw: halloc: memory exhausted
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

I am running Solstice Firewall-1 ver 2.1 on Solaris 2.5.1.
Sometimes I encountered the following error message:
Apr 5 13:06:43 fwsvr unix: fw: halloc: memory exhausted
Apr 5 13:06:43 fwsvr unix: fw: mem: Total: 524288 Avail: 39200 bytes 31470402 alloc, 30869622 free, 581465 reject
Apr 5 13:06:43 fwsvr unix: fw_init_xlation: ld_set forward failed
Apr 5 13:06:43 fwsvr unix: fw_xlate_forw: failed to initialize the connection

And then any connection to firewall will fail.

Can anyone share with me what causes the error 'memory exhausted' ?

Thank you.
From owner-firewalls-outgoing Fri Apr 11 03:37:01 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id DAA25879 for firewalls-outgoing; Fri, 11 Apr 1997 03:24:06 -0700 (PDT) Received: from mail1.isdnet.net (mail1.hol.fr [194.149.160.35]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id DAA25845 for ; Fri, 11 Apr 1997 03:23:50 -0700 (PDT) Received: from LOCALNAME (ppp55.bdx.hol.fr [194.149.162.194]) by mail1.isdnet.net (8.8.5/Havas On Line) with SMTP id MAA18878 for ; Fri, 11 Apr 1997 12:22:44 +0200 (CEST) Message-ID: <334E8F55.255@hol.fr> Date: Fri, 11 Apr 1997 12:21:57 -0700 From: SATCH Reply-To: cedric.zambeaux@hol.fr Organization: hol X-Mailer: Mozilla 3.01 (Win16; I) MIME-Version: 1.0 To: firewalls@GreatCircle.COM Subject: Re: PLEASE, HOW TO GET OUT FROM THIS LIST References: <970410225107_672023552@emout17.mail.aol.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk hey, could someone tell me how to get rid off this list Tx -- <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> <> "Another chance to lift my life, Free the sensations in <> <> my heart,to ride the wings of dreams into changing <> <> horizons. <> <> It brings inner peace within my mind, as i'm lifted from <> <> where I've spilt my life. <> <> I hear an innocent voice <> <> I hear kindness, beauty and truth." 
<> <> * <> <> * <> <> E-Mail : cedric.zambeaux@hol.fr <> <> <> <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> From owner-firewalls-outgoing Fri Apr 11 06:07:18 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA04671 for firewalls-outgoing; Fri, 11 Apr 1997 05:53:42 -0700 (PDT) Received: from glacier.wise.edt.ericsson.se (glacier-ext.wise.edt.ericsson.se [193.180.251.38]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id FAA04654 for ; Fri, 11 Apr 1997 05:53:31 -0700 (PDT) Received: from geek.nmac.ericsson.se (geek.nmac.ericsson.se [130.100.187.83]) by glacier.wise.edt.ericsson.se (8.7.5/8.7.3/glacier-0.9) with ESMTP id OAA07553; Fri, 11 Apr 1997 14:48:57 +0200 (MET DST) Received: from negrita (negrita.nmac.ericsson.se [130.100.187.78]) by geek.nmac.ericsson.se (8.8.5/8.8.5) with SMTP id MAA14527; Fri, 11 Apr 1997 12:49:48 +0200 Received: from localhost by negrita (SMI-8.6) id OAA09099; Fri, 11 Apr 1997 14:48:46 +0200 Date: Fri, 11 Apr 1997 14:48:45 +0200 (MET DST) From: Robert Stahlbrand To: "Tjia Bhie Kian (SE - Response Centre)" cc: firewalls@GreatCircle.COM Subject: Re: fw: halloc: memory exhausted In-Reply-To: <199704110959.RAA02637@rc3.csah.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I also have had this problem once or twice but don't know what caused it. A first look and you think you run out of memory or that a process have eaten it all up and there is no more room for another process to start. Of course this will block your firewall completely! The second thought I had was that this was some sort of a DoS-attack which causes my firewall to hang. The only way I found around this problem was to reboot my machine! I'm not sure of anything but if someone comes up with an answer I sure wants to know! 
/Robert Stahlbrand, Ericsson Telecom AB

On Fri, 11 Apr 1997, Tjia Bhie Kian (SE - Response Centre) wrote:
> Hi,
>
> I am running Solstice Firewall-1 ver 2.1 on Solaris 2.5.1.
> Sometimes I encountered the following error message:
> Apr 5 13:06:43 fwsvr unix: fw: halloc: memory exhausted
> Apr 5 13:06:43 fwsvr unix: fw: mem: Total: 524288 Avail: 39200 bytes 31470402 alloc, 30869622 free, 581465 reject
> Apr 5 13:06:43 fwsvr unix: fw_init_xlation: ld_set forward failed
> Apr 5 13:06:43 fwsvr unix: fw_xlate_forw: failed to initialize the connection
>
> And then any connection to firewall will fail.
>
> Can anyone share with me what causes the error 'memory exhausted' ?
>
> Thank you.
>

From owner-firewalls-outgoing Fri Apr 11 07:32:35 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA09317 for firewalls-outgoing; Fri, 11 Apr 1997 07:10:19 -0700 (PDT)
Received: from services.state.mo.us (services.state.mo.us [168.166.2.67]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id HAA09309 for ; Fri, 11 Apr 1997 07:10:12 -0700 (PDT)
Received: from JHUNT.SDCLAN (bluebird.state.mo.us [168.166.10.3]) by services.state.mo.us (8.8.3/8.8.0) with SMTP id JAA04611 for ; Fri, 11 Apr 1997 09:09:16 -0500 (CDT)
Message-ID: <334E476D.18E1@mail.state.mo.us>
Date: Fri, 11 Apr 1997 09:15:09 -0500
From: Jeanne Hunt
X-Mailer: Mozilla 2.01 (Win95; U)
MIME-Version: 1.0
To: firewalls@GreatCircle.COM
Subject: backing up Firewalls
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We are getting ready to review and update our back up and recovery methods for the firewall. I would like any comments, ideas or things to ponder on.

Thanks.
-Jeanne From owner-firewalls-outgoing Fri Apr 11 07:37:08 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA09634 for firewalls-outgoing; Fri, 11 Apr 1997 07:17:00 -0700 (PDT) Received: from gate.ncts.navy.mil (gate.ncts.navy.mil [138.147.10.10]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id HAA09617 for ; Fri, 11 Apr 1997 07:16:49 -0700 (PDT) Received: from pegasus.ncts.navy.mil (pegasus.ncts.navy.mil [138.147.20.3]) by gate.ncts.navy.mil (8.6.9/8.6.9) with SMTP id JAA12020 for ; Fri, 11 Apr 1997 09:20:02 -0500 Received: from medusa.ncts.navy.mil by pegasus.ncts.navy.mil (4.1/SMI-4.1) id AA11753; Fri, 11 Apr 97 09:15:33 CDT Date: Fri, 11 Apr 97 09:15:33 CDT From: Mike.Jenkins@ncts.navy.mil (Mike Jenkins) Message-Id: <9704111415.AA11753@pegasus.ncts.navy.mil> To: firewalls@GreatCircle.COM Subject: Re: Urgent assistance needed! Sender: firewalls-owner@GreatCircle.COM Precedence: bulk We fielded some Solaris 2.2 boxes (a while back) using the stock solaris in.named program. Someone called us about a "DNS storm" from one of the boxes. We immediately replaced in.named with the latest and greatest BIND from http://www.vix.com and haven't heard a complaint since. 
Mike From owner-firewalls-outgoing Fri Apr 11 07:42:21 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA08379 for firewalls-outgoing; Fri, 11 Apr 1997 06:59:10 -0700 (PDT) Received: from hofmann.CS.Berkeley.EDU (hofmann.CS.Berkeley.EDU [128.32.35.123]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id GAA08363 for ; Fri, 11 Apr 1997 06:59:03 -0700 (PDT) Received: from crnyis02 (dyn26.access1.nyc.i-2000.net [207.97.128.91]) by hofmann.CS.Berkeley.EDU (8.6.11/8.6.6.Beta11) with SMTP id GAA27014 for ; Fri, 11 Apr 1997 06:57:52 -0700 Message-ID: <334E43BE.6DC6@vix.net> Date: Fri, 11 Apr 1997 09:59:26 -0400 From: Michael D Owen Reply-To: mikey@vix.net X-Mailer: Mozilla 3.0Gold (WinNT; I) MIME-Version: 1.0 To: firewalls@GreatCircle.COM Subject: (no subject) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk From owner-firewalls-outgoing Fri Apr 11 07:52:23 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA12366 for firewalls-outgoing; Fri, 11 Apr 1997 07:46:32 -0700 (PDT) Received: from mx01.netaddress.usa.net (mx01.netaddress.usa.net [204.68.24.129]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id HAA12304 for ; Fri, 11 Apr 1997 07:46:16 -0700 (PDT) Received: (qmail 19214 invoked by uid 0); 11 Apr 1997 14:45:01 -0000 Received: from 196.3.144.81 by www03 via web-mailer (2.1) on Fri, 11 Apr 1997 08:44:20 Message-ID: Date: Fri, 11 Apr 1997 08:44:20 From: "Ashram Beachoo" To: firewalls@greatcircle.com Subject: Microsoft Explorer Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I've heard that the new fixes released for Microsoft Explorer allow your hard drive to be scanned when the program is idle and detects any Microsoft products that are unregistered.It then relays the info to Microsoft who deal with the info appropriately. 
Can someone shed some light on this for me? Ashram Beachoo Computer Software Technician swamie@usa.net From owner-firewalls-outgoing Fri Apr 11 08:13:08 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA13418 for firewalls-outgoing; Fri, 11 Apr 1997 07:53:39 -0700 (PDT) Received: from shifra.info.umoncton.ca ([139.103.16.13]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id HAA13383 for ; Fri, 11 Apr 1997 07:53:26 -0700 (PDT) Received: from localhost (musta@localhost) by shifra.info.umoncton.ca (8.6.11/8.6.9) with SMTP id LAA12116; Fri, 11 Apr 1997 11:56:00 -0300 Date: Fri, 11 Apr 1997 11:56:00 -0300 (ADT) From: Mustapha To: Peter Yau cc: FireWalls Mailing List Subject: Re: su root log In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=ISO-8859-1 Content-Transfer-Encoding: QUOTED-PRINTABLE Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > On Thu, 10 Apr 1997, Peter Yau wrote: > Does anyone know if it's possible to have a bad su root situation > yet the machine in question does not show this in its log? Assume > the log file has not been tampered with. Peter, I don't know if I did really understand what you are looking for. But let's take this scenario: some bad guy launches ``ytalk''. He then presses Esc key to get the ytalk's menu. Then he presses ``s'' for shell. Now from his new shell he tries ``su root'' without get caught. Look what the /var/adm/messages file shows: ------------ Apr 11 11:40:22 shifra su: FAILED SU on /dev/ttyp0 ------------ while it was supposed to show something like: ------------ Apr 11 11:40:22 shifra su: FAILED SU musta on /dev/tty2 ------------ Regards, -Mustapha --- Mustapha Obeid Computer Science Department, "Universit=E9 de Moncton" Moncton, New Brunswick, CANADA - E1A 3E9 Fields of Interest: Network Security & Operating Systems "Life is the EXE file that resulted out of a huge compilation. 
You gotta look at the source code in order to better understand life!" From owner-firewalls-outgoing Fri Apr 11 08:13:08 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA09053 for firewalls-outgoing; Fri, 11 Apr 1997 07:06:33 -0700 (PDT) Received: from hofmann.CS.Berkeley.EDU (hofmann.CS.Berkeley.EDU [128.32.35.123]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id HAA09008 for ; Fri, 11 Apr 1997 07:06:23 -0700 (PDT) Received: from crnyis02 (dyn26.access1.nyc.i-2000.net [207.97.128.91]) by hofmann.CS.Berkeley.EDU (8.6.11/8.6.6.Beta11) with SMTP id HAA27055 for ; Fri, 11 Apr 1997 07:05:19 -0700 Message-ID: <334E457B.5C53@vix.net> Date: Fri, 11 Apr 1997 10:06:51 -0400 From: Michael D Owen Reply-To: mikey@vix.net X-Mailer: Mozilla 3.0Gold (WinNT; I) MIME-Version: 1.0 To: firewalls@GreatCircle.COM Subject: a test message Sender: firewalls-owner@GreatCircle.COM Precedence: bulk From owner-firewalls-outgoing Fri Apr 11 08:23:00 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA11247 for firewalls-outgoing; Fri, 11 Apr 1997 07:37:05 -0700 (PDT) Received: from smtp.surfline.ne.jp (smtp.surfline.ad.jp [210.141.67.32]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id HAA11239 for ; Fri, 11 Apr 1997 07:36:57 -0700 (PDT) Received: from geneh (M1146.surfline.ne.jp [210.141.67.146]) by smtp.surfline.ne.jp (8.6.12+2.5Wb7/3.4W21) with SMTP id XAA21269; Fri, 11 Apr 1997 23:36:37 +0900 Message-ID: <334EEC0B.7C82@surfline.ne.jp> Date: Fri, 11 Apr 1997 16:57:32 -0900 From: Gene Hardesty Reply-To: geneh@surfline.ne.jp X-Mailer: Mozilla 3.01Gold (Win95; I) MIME-Version: 1.0 To: dan@burkegroup.com CC: firewalls@greatcircle.com Subject: Re: Virus Alert References: <0D3FAB3101523000@burke.burkegroup.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Sounds like a hoax, I don't think Win95 
comes with > antivirus... I think it is. Win95 doesn't come with any antivirus programs. Just opening an email message won't totally mess up your system. Viruses have to be "trigger" somehow. Either another program runs it (macros, etc.), the BIOS (boot sector viruses) does it, or you do it unknowingly... Zeros.... -- My PGP public keys can be found at http://www.geocities/Tokyo/5536/index.html From owner-firewalls-outgoing Fri Apr 11 09:00:42 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA08854 for firewalls-outgoing; Fri, 11 Apr 1997 07:05:11 -0700 (PDT) Received: from sierra.corsof.com (sierra.corsof.com [198.22.44.240]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id HAA08836 for ; Fri, 11 Apr 1997 07:05:04 -0700 (PDT) Received: from dana.corsof.com (dana.corsof.com [198.22.44.138]) by sierra.corsof.com (8.8.5/8.6.12) with SMTP id KAA08900 for ; Fri, 11 Apr 1997 10:03:53 -0400 (EDT) Message-Id: <3.0.32.19970411100620.006ba228@pop.corsof.com> X-Sender: dana@pop.corsof.com X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Fri, 11 Apr 1997 10:06:22 -0400 To: Firewalls@greatcircle.com From: Dana Nowell Subject: The Net Loon Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On 10 Apr 1997 04:50:32 -0000 the 'net.loon' was rumored to say: >With asking these concerns, I am stunned that some of these >security "experts" without any standards would publically dennounce >someone as a "Network Loon" and try to put someone on trial. I >should have never been drawn into Marcus' roast as I am not >evaluating his products anyways (as they don't exist). OK, I tried to stay out of this as it is obviously non productive BUT ... I am stunned that you are stunned. Is it unconceivable that people return your behavior? 
You post to a public location spreading unsubstantiated rumor and in effect slandering two people and a company or two and wonder why people make derogatory comments about your behavior. Very rational, I now understand why you are stunned at the response (sarcasm, for the humor impaired). The fact that you do this on a list where one of the people is a respected member begs the obvious question. Is this a denial of service attack on the list? Are you REALLY that obtuse or has this been a sick attempt at flame bait? Actually I (and presumably many others) really don't care any more, please let it drop. Dana Nowell Voice (603) 595-7480 EXT 28 Cornerstone Software Inc. FAX (603) 882-7313 Work: mailto:DanaNowell@corsof.com Home: mailto:dana@nowell.mv.com MIME attachments preferred, BINHEX and uuencoded acceptable. As usual, I speak only for myself. From owner-firewalls-outgoing Fri Apr 11 10:09:29 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA27665 for firewalls-outgoing; Fri, 11 Apr 1997 09:15:53 -0700 (PDT) Received: from gatekeep.us.landisgyr.com (gatekeep.us.landisgyr.com [206.175.68.122]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id JAA27528 for ; Fri, 11 Apr 1997 09:15:05 -0700 (PDT) Received: by gatekeep.us.landisgyr.com; id MAA14343; Fri, 11 Apr 1997 12:15:03 -0400 (EDT) Received: from inet05.us.abatos.com(204.207.110.249) by gatekeep.us.landisgyr.com via smap (3.2) id xma014285; Fri, 11 Apr 97 12:14:33 -0400 Received: by news.us.landisstaefa.com; id LAA30555; Fri, 11 Apr 1997 11:14:39 -0500 Received: by usbgrexch01.us.landisstaefa.com with Internet Mail Service (5.0.1457.3) id <2DKNC1DL>; Fri, 11 Apr 1997 11:13:07 -0500 Message-ID: <0C673F68C3A0D011A94208002BE526253497@usbgrexch01.us.landisstaefa.com> From: "Kohn, Joav" To: "'firewalls@greatcircle.com'" Subject: FTP questions Date: Fri, 11 Apr 1997 11:13:04 -0500 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1457.3) 
Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk a desperate plea for help. i've tried to set port screening on a choke router between my firewall and my internal network, but now ftp doesn't work. on the router both ports 20 (ftp-data) and 21 (ftp) are open, but when i connect to any ftp site, i can't issues any commands (ie. ls). log-on, however, is working. i am perplexed, to say the least. any ideas? -joav kohn landis & staefa From owner-firewalls-outgoing Fri Apr 11 10:17:17 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA29929 for firewalls-outgoing; Fri, 11 Apr 1997 09:32:28 -0700 (PDT) Received: from hydra.prenhall.com (hydra.PRENHALL.COM [192.251.132.3]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id JAA29912 for ; Fri, 11 Apr 1997 09:32:22 -0700 (PDT) From: Laura_Bohde@prenhall.com Received: from ccgate2.prenhall.com ([168.146.69.61]) by hydra.prenhall.com (4.1/SMI-4.1) id AA23179; Fri, 11 Apr 97 12:31:34 EDT Received: from ccMail by ccgate2.prenhall.com (IMA Internet Exchange 2.02 Enterprise) id 34E683E0; Fri, 11 Apr 97 12:35:10 -0400 Date: Fri, 11 Apr 1997 12:30:08 -0400 Message-Id: <34E683E0.@prenhall.com> Subject: NT Anon FTP Server To: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Can anyone point me to a recent white paper/info URL on running an NT anonymous FTP server securely ? 
TIA,
Laura

From owner-firewalls-outgoing Fri Apr 11 10:20:34 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA29365 for firewalls-outgoing; Fri, 11 Apr 1997 09:28:03 -0700 (PDT)
Received: from firewall.uprc.com (sentry.uprc.com [144.94.230.3]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id JAA29341 for ; Fri, 11 Apr 1997 09:27:56 -0700 (PDT)
Received: by firewall.uprc.com; id AA20479; Fri, 11 Apr 97 11:26:11 CDT
Received: from clavin.uprc.com(144.94.68.3) by firewall via smap (3.2) id xma020473; Fri, 11 Apr 97 11:26:09 -0500
Received: from kafka.upr.com (kafka.uprc.com [144.94.48.14]) by clavin.uprc.com (8.8.5/8.8.5) with ESMTP id LAA24040 for ; Fri, 11 Apr 1997 11:26:58 -0500 (CDT)
From: "Prahl V. E. (Von)"
Received: (from z76399@localhost) by kafka.upr.com (8.8.5/8.8.5) id LAA03510 for Firewalls@greatcircle.com; Fri, 11 Apr 1997 11:26:56 -0500 (CDT)
Date: Fri, 11 Apr 1997 11:26:56 -0500 (CDT)
Message-Id: <199704111626.LAA03510@kafka.upr.com>
To: Firewalls@greatcircle.com
Subject: pop-3 apop on gauntlet
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

greetings,

i am having problems configuring an internal pop server. the firewall machine is running the pop-3gw proxy and the authserver proxy. i configured the firewall per the wonderful gauntlet documentation. i ran authsrv -as pop3-gw and added a user, password, apop, enabled. i also put the user in the authentication database via the gauntlet-admin interface. the userid, password and proto all agree.

when the external user (client) attempts a connection using eudora-lite he gets an error that includes what must be the encrypted password. the firewall logs reflect a BAD AUTH message DIGEST . following the DIGEST message is the encrypted password. the two encrypted passwords do not agree which indicates, to me at least, the problem.

what am i doing wrong?
thanks, von From owner-firewalls-outgoing Fri Apr 11 10:22:40 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA04918 for firewalls-outgoing; Fri, 11 Apr 1997 10:07:12 -0700 (PDT) Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id KAA04885 for ; Fri, 11 Apr 1997 10:07:03 -0700 (PDT) Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id LAA11515; Fri, 11 Apr 1997 11:52:07 -0400 Date: Fri, 11 Apr 1997 11:52:03 -0400 (EDT) From: Rabid Wombat To: Stuart Johnson cc: firewalls@GreatCircle.COM Subject: Re: Apology In-Reply-To: <19970410045032.24197.qmail@squirrel.owl.de> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On 10 Apr 1997, Stuart Johnson wrote: > > I would like to apologize for taking the discussion off-topic to the firewalls mailing list. > The firewall mailing lists is where the security community can express some of their concerns from both a technical evaluation as well as an end-user perspective. > > Marcus responses have become emotional and I may have let my own postings to be on the > emotional side. Based upon his private emails he sent me, I find it ironic that he publicly impugns my character, yet privately encourages me to consider his soon to be delivered and competing technology. I guess the world will soon find out why Marcus' technology is "better than Haystack and Wheelgroup" but at the same time, not competitive. > > Just last week, Marcus denigrated and made fun of MimeStar with the SecureNet Pro technology and now knowing that Marcus will compete with MimeStar, it leads me to question the double > standards evident in his emotional response. SNIP What kind of apology is this? Seems like you are just making another opportunity to re-state your arguements. 
I've occaisionally found Marcus' ideas to be strict, sometimes unbending, and perhaps difficult to apply to a commercial environment, but that's the security world. Emotional? Hardly. -r.w. From owner-firewalls-outgoing Fri Apr 11 10:37:13 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA03896 for firewalls-outgoing; Fri, 11 Apr 1997 09:58:09 -0700 (PDT) Received: from netsrv.js-jtf.af.mil ([131.25.48.18]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id JAA03149 for ; Fri, 11 Apr 1997 09:52:04 -0700 (PDT) Received: from jtfcom.js-jtf.af.mil (JTFCOM) by js-jtf.af.mil (PMDF V5.0-6 #13831) id <01IHKTPOP09C0000M2@js-jtf.af.mil> for firewalls@GreatCircle.COM; Fri, 11 Apr 1997 11:49:59 -0500 (EST) Received: by jtfcom.js-jtf.af.mil with Microsoft Exchange (IMC 4.0.837.3) id <01BC4676.F7ABADC0@jtfcom.js-jtf.af.mil>; Fri, 11 Apr 1997 12:50:43 -0400 Date: Fri, 11 Apr 1997 12:50:42 -0400 From: "Engasser, Charlie" Subject: Virus Alert... To: "'firewalls@GreatCircle.COM'" Message-id: MIME-version: 1.0 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.837.3 Content-type: text/plain; charset="us-ascii" Content-transfer-encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Here's my two cents on the Virus Hoax thingamajig. I am currently working with CERT on a "Feature" in Outlook 97 that causes Word to be used as a default editor for mail. It seems that there is an option for this in Outlook that you can select Word as your default editor(now, that Office97 and it's components are such pigs I don't know why anyone would do this but....). This IS optional as I said, but here's the rub. If someone (anyone) creates an Email template in Office97 and sends it to someone that Also uses Outlook97 (not it seems Exchange), then Outlook will automagically open Word to read the message >>Whether you want it to or not<<. I have dubbed this the "Autostart Word Macro Virus Option". 
I understand from others that Microsoft in a recent update has modified this a bit, and I haven't seen it, but the description sounded to me like all it does is ask you to confirm whether or not you want to open the message, in which case you only get the option of read or don't read. (which to me seems silly, since you will never know what's legit or not). As it stands right now, this is strictly related to Outlook97 and has no other implications. Another wonderful feature from the software team that brought you code bloat. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Charles Engasser, Network Engineer Joint STARS, Joint Test Force. (407)726-7048 engasser@js-jtf.af.mil From owner-firewalls-outgoing Fri Apr 11 10:52:54 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA09920 for firewalls-outgoing; Fri, 11 Apr 1997 10:44:22 -0700 (PDT) Received: from marlin.exis.net (marlin.exis.net [205.252.72.102]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id KAA09857 for ; Fri, 11 Apr 1997 10:44:06 -0700 (PDT) Received: from edub0y (ppp-4-106.exis.net [205.252.76.106]) by marlin.exis.net (8.8.4/8.7.3) with SMTP id NAA05543 for ; Fri, 11 Apr 1997 13:43:02 -0400 Message-Id: <1.5.4.16.19970410035446.5167899a@mailhub.exis.net> X-Sender: edub0y@mailhub.exis.net X-Mailer: Windows Eudora Light Version 1.5.4 (16) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Wed, 09 Apr 1997 23:54:46 -0400 To: firewalls@GreatCircle.COM From: Xxxxx Xxxxxxx Subject: test Sender: firewalls-owner@GreatCircle.COM Precedence: bulk test From owner-firewalls-outgoing Fri Apr 11 11:08:12 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA10280 for firewalls-outgoing; Fri, 11 Apr 1997 10:46:22 -0700 (PDT) Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id KAA10236 for ; Fri, 11 Apr 1997 10:46:07 -0700 (PDT) Received: 
(from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id MAA11639; Fri, 11 Apr 1997 12:31:20 -0400 Date: Fri, 11 Apr 1997 12:31:16 -0400 (EDT) From: Rabid Wombat To: firewalls@greatcircle.com Subject: (OFF-Topic) Intruder? Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi all, Not exactly a firewall question here. We recently observed a system playing ping-pong with one of our unprotected servers: The outsider would send a Telnet IAC command, our server would respond, the outsider would send the same IAC, server would respond ... This continued until we blocked the outside address. Anybody have any idea what this might be, other than a rather lame denial of service? This activity was accounting for about 25% of the traffic into the server, but it is a very low volume server. Didn't appear to affect performance, and we didn't see any other indications of anything unusual. Any ideas? -r.w. From owner-firewalls-outgoing Fri Apr 11 11:27:44 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA05679 for firewalls-outgoing; Fri, 11 Apr 1997 10:14:19 -0700 (PDT) Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id KAA05671 for ; Fri, 11 Apr 1997 10:14:12 -0700 (PDT) Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id LAA11546; Fri, 11 Apr 1997 11:59:15 -0400 Date: Fri, 11 Apr 1997 11:59:12 -0400 (EDT) From: Rabid Wombat To: Blanche Beube cc: firewalls@GreatCircle.COM, carlo@io.org, testeves@interlog.com, all@genesis.isginc.com, asimic@bellmobility.com, lpbaziw@bellmobility.com Subject: Re: Virus Alert In-Reply-To: <2.2.32.19970410172535.0071c8bc@205.208.61.20> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Somebody buy this man an abacus. -r.w. 
On Thu, 10 Apr 1997, Blanche Beube wrote: > Hello All, > Just got this from a colleague.Spread the word. Be careful out there. > > > << THERE IS A NEW AOL SCAM."It is essential that this problem be reconciled > as soon as possible. A few hours ago, I opened an E-mail that had the > subject heading of aol4free.com Within seconds of opening it, a window > appeared and began to display my files that were being deleted. I > immediately shut down my computer, but it was too late. This virus wiped me > out. It ate the Anti-Virus Software that comes with the Windows '95 Program > along with F-Prot AVS. Neither was able to detect it. Please be careful and > send this to as many people as possible, so maybe this new virus can be > eliminated. > > FORWARD this to as many people as you care about!! >> > > > >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> > Blanche Beube E-mail: bbeube@isginc.com > Unix Analyst Voice: (416)368-2222 x214 > Fax: (416)366-6667 > >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> > > From owner-firewalls-outgoing Fri Apr 11 12:37:33 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA23010 for firewalls-outgoing; Fri, 11 Apr 1997 12:25:47 -0700 (PDT) Received: from auntbea.rtp.gtegsc.com (auntbea.rtp.gtegsc.com [192.133.124.7]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id MAA22966 for ; Fri, 11 Apr 1997 12:25:32 -0700 (PDT) Received: from mike_johnson (pc36243.rtp.gtegsc.com [206.241.180.59]) by auntbea.rtp.gtegsc.com (Netscape Mail Server v2.0) with ESMTP id AAA11508; Fri, 11 Apr 1997 15:24:20 -0400 Message-ID: <334E90ED.5D857B94@rtp.gtegsc.com> Date: Fri, 11 Apr 1997 15:28:45 -0400 From: mike.johnson@rtp.gtegsc.com (Mike Johnson) Reply-To: mike.johnson@rtp.gtegsc.com Organization: GTE Government Systems X-Mailer: Mozilla 4.0b3 [en] (WinNT; I) MIME-Version: 1.0 To: firewalls@greatcircle.com CC: mike.johnson@rtp.gtegsc.com Subject: Re: Microsoft Explorer X-Priority: 3 (Normal) References: Content-Type: 
text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Ashram Beachoo wrote: > > I've heard that the new fixes released for Microsoft Explorer allow > your hard drive to be scanned when the program is idle and detects any > Microsoft products that are unregistered.It then relays the info to > Microsoft who deal with the info appropriately. It does this and more! It will search for any credit card numbers you may have written to a file on your machine, debit your account, and install automatically the newest version of Microsoft software, and delete any old copies of the program. Also, be careful if you have Netscape Navigator on your machine, it will delete that and replace it with a virus infected executable. Or, that's what I've heard... > Can someone shed some light on this for me? Done. > Ashram Beachoo > Computer Software Technician > > swamie@usa.net Mike Johnson mike.johnson@rtp.gtegsc.com GTE Government Systems All opinions are mine, not GTE's. From owner-firewalls-outgoing Fri Apr 11 12:52:55 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA25785 for firewalls-outgoing; Fri, 11 Apr 1997 12:50:08 -0700 (PDT) Received: from arl-img-4.compuserve.com (arl-img-4.compuserve.com [149.174.217.134]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id MAA25759 for ; Fri, 11 Apr 1997 12:49:58 -0700 (PDT) Received: by arl-img-4.compuserve.com (8.6.10/5.950515) id PAA06319; Fri, 11 Apr 1997 15:48:59 -0400 Date: Fri, 11 Apr 1997 15:48:22 -0400 From: Clover Subject: Firewall Research Papers To: Unknown Message-ID: <199704111548_MC2-1424-B248@compuserve.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Can anyone direct me to any research or white papers written on firewalls and internet security located on the web? 
Sally Cogswell From owner-firewalls-outgoing Fri Apr 11 13:07:57 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA24388 for firewalls-outgoing; Fri, 11 Apr 1997 12:39:31 -0700 (PDT) Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id MAA24349 for ; Fri, 11 Apr 1997 12:39:21 -0700 (PDT) Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id OAA00857; Fri, 11 Apr 1997 14:36:05 -0500 (EST) From: Adam Shostack Message-Id: <199704111936.OAA00857@homeport.org> Subject: Re: FTP questions In-Reply-To: <0C673F68C3A0D011A94208002BE526253497@usbgrexch01.us.landisstaefa.com> from "Kohn, Joav" at "Apr 11, 97 11:13:04 am" To: joav.kohn@us.landisgyr.com (Kohn, Joav) Date: Fri, 11 Apr 1997 14:36:04 -0500 (EST) Cc: firewalls@GreatCircle.COM X-Mailer: ELM [version 2.4ME+ PL27 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk The problem is the way the FTP data channel is opened. The FTP server tries to open a data channel from port 20 to a high numbered port on your local machine, as instructed by the FTP client. Look into PASV mode FTP. Adam Kohn, Joav wrote: | a desperate plea for help. | | i've tried to set port screening on a choke router between my firewall | and my internal network, but now ftp doesn't work. | | on the router both ports 20 (ftp-data) and 21 (ftp) are open, but when i | connect to any ftp site, i can't issues any commands (ie. ls). log-on, | however, is working. | | i am perplexed, to say the least. | | any ideas? | | -joav kohn | landis & staefa | -- "It is seldom that liberty of any kind is lost all at once." 
-Hume From owner-firewalls-outgoing Fri Apr 11 13:34:55 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA28343 for firewalls-outgoing; Fri, 11 Apr 1997 13:07:13 -0700 (PDT) Received: from ncb.gov.sg (mailhub.ncb.gov.sg [203.120.56.40]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id NAA28323 for ; Fri, 11 Apr 1997 13:07:03 -0700 (PDT) Received: by ncb.gov.sg (4.1/SMI-4.1) id AA18663; Sat, 12 Apr 97 04:04:54 SST Date: Sat, 12 Apr 1997 04:04:54 +0800 (SST) From: Security Mail Account Subject: RE: Apology (fwd) To: jamestan@ncb.gov.sg Cc: firewalls@GreatCircle.COM Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk ---------- Forwarded message ---------- Date: Fri, 11 Apr 1997 01:07:05 +0800 From:James_TAN@lms.ncb.gov.sg To: security@ncb.gov.sg Subject: RE: Apology owner-firewalls-outgoing@GreatCircle.COM on 04/11/97 01:04:36 AM Please respond to owner-firewalls-outgoing@GreatCircle.COM @ SMTP To: firewalls@GreatCircle.COM @ SMTP cc: Subject: RE: Apology Is there a good email address filter that works on Win 95? I do not know about the rest of the list but I would like to put something in place to always auotmatically delete messages from Stuart Johnson. Any help is welcome! The sooner the better, before he answers this message. 
Jon Tegethoff From owner-firewalls-outgoing Fri Apr 11 14:21:43 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA04630 for firewalls-outgoing; Fri, 11 Apr 1997 13:45:16 -0700 (PDT) Received: from relay5.UU.NET (relay5.UU.NET [192.48.96.15]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id NAA04530 for ; Fri, 11 Apr 1997 13:44:54 -0700 (PDT) Received: from netevolve.com by relay5.UU.NET with SMTP (peer crosschecked as: [206.136.48.11]) id QQckvy28812; Fri, 11 Apr 1997 16:44:05 -0400 (EDT) Received: from lazar (ws5.netevolve.com) by netevolve.com (4.1/SMI-4.1) id AA24913; Fri, 11 Apr 97 16:47:06 EDT Message-Id: <3.0.1.32.19970411163244.0089a9d0@netevolve.com> X-Sender: lazar@netevolve.com X-Mailer: Windows Eudora Pro Version 3.0.1 (32) Date: Fri, 11 Apr 1997 16:32:44 -0400 To: Clover , Unknown From: Irwin Lazar Subject: Re: Firewall Research Papers In-Reply-To: <199704111548_MC2-1424-B248@compuserve.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 03:48 PM 4/11/97 -0400, Clover wrote: >Can anyone direct me to any research or white papers written on firewalls >and internet security located on the web? > >Sally Cogswell > Hi Sally, Please see my Network References Site at http://www.netevolve.com/lazar. You will find a bunch of network security related links. Irwin <><><><><><><><><><><><><><><><><><><><><><> Irwin Lazar IP Networking References - Network Evolutions, Inc. 
http://www.netevolve.com/lazar http://www.netevolve.com lazar@netevolve.com From owner-firewalls-outgoing Fri Apr 11 14:31:23 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA02210 for firewalls-outgoing; Fri, 11 Apr 1997 13:33:33 -0700 (PDT) Received: from blkbox.com (blkbox.com [206.109.97.2]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id NAA02177 for ; Fri, 11 Apr 1997 13:33:24 -0700 (PDT) Received: from odin.blkbox.com by blkbox.COM id aa27418; 11 Apr 97 14:25 CDT Message-ID: <334E8F6E.CDFB2DD6@blkbox.com> Date: Fri, 11 Apr 1997 14:22:22 -0500 From: renegade X-Mailer: Mozilla 4.0b3 [en] (WinNT; I) MIME-Version: 1.0 To: Kelly Gibbs CC: firewalls@greatcircle.com Subject: Re: NT SIDS? X-Priority: 3 (Normal) References: <199704110519.WAA26479@proxy1.ba.best.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk yes this is a really big problem, yet the denial from m$ also states that it is not and has not been broken, i too am collecting and have collected information, mostly from the source or the problem. as with the netmon expolit, m$ is using a standard md4 one-way hash to secure the sids, this is not even close to the level or their so called cryptoapi kit. more info at http://odin.blkbox.com >Kelly Gibbs wrote: > > Anyone familiar with NT SIDS? Apparently it has been cracked and the > implication of doing so spells another "service-pack" from Microsoft. > Also, > I was given a demonstration on how to change the system registery. It's > actually fairly easy and bypasses all the protection Microsoft setup. I'll > be posting my findings on my web page soon. I'm still in the info > collection process and continuing to pursue this. > > Kelly -- =============================================================================== renegade@blkbox.com | great spirits have often faced violent opposition | | from mediocre minds. 
a.e | =============================================================================== From owner-firewalls-outgoing Fri Apr 11 14:38:28 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA06408 for firewalls-outgoing; Fri, 11 Apr 1997 13:57:27 -0700 (PDT) Received: from mail1 (mail1.ci.chi.il.us [199.177.48.3]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id NAA06393 for ; Fri, 11 Apr 1997 13:57:19 -0700 (PDT) Received: by mail1 (SMI-8.6/SMI-SVR4) id PAA29888; Fri, 11 Apr 1997 15:50:54 -0500 From: minaba@mail1.ci.chi.il.us (Mark Inaba) Message-Id: <199704112050.PAA29888@mail1> Subject: streams To: firewalls@GreatCircle.COM Date: Fri, 11 Apr 1997 15:50:53 -0500 (CDT) X-Mailer: ELM [version 2.4 PL25] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk what protocol/port do I need to open up for users on the inside to be able to get visual and audio streams? 
if it weren't for those meddling kids(users), my firewall would be stable :) Mark From owner-firewalls-outgoing Fri Apr 11 14:52:37 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA07377 for firewalls-outgoing; Fri, 11 Apr 1997 14:05:30 -0700 (PDT) Received: from buffy.isi.net (buffy.isi.net [204.71.194.215]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id OAA07351 for ; Fri, 11 Apr 1997 14:05:22 -0700 (PDT) Received: from localhost (mike@localhost) by buffy.isi.net (8.8.5/ISI-1.5) with SMTP id OAA17547; Fri, 11 Apr 1997 14:04:21 -0700 (PDT) Date: Fri, 11 Apr 1997 14:04:21 -0700 (PDT) From: Mike Hedlund X-Sender: mike@buffy To: "Kohn, Joav" cc: "'firewalls@greatcircle.com'" Subject: Re: FTP questions In-Reply-To: <0C673F68C3A0D011A94208002BE526253497@usbgrexch01.us.landisstaefa.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Your data connection is being filtered. When you ask for data via commands or file transfers the server initiates a connection to you (the client) on a port > 1024 and transfers the data that way. If you are filtering incoming, but allowing outgoing traffic there is a simple way to fix this. Use passive ftp. If it's a unix ftp client, typing PASV after the connection is established should work. If your ftp client doesn't support passive transfers, go get ncftp. I'm sure most windows clients have the same capacity. -mike On Fri, 11 Apr 1997, Kohn, Joav wrote: > a desperate plea for help. > > i've tried to set port screening on a choke router between my firewall > and my internal network, but now ftp doesn't work. > > on the router both ports 20 (ftp-data) and 21 (ftp) are open, but when i > connect to any ftp site, i can't issue any commands (ie. ls). log-on, > however, is working. > > i am perplexed, to say the least. > > any ideas? 
> > -joav kohn > landis & staefa > > From owner-firewalls-outgoing Fri Apr 11 15:37:12 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id PAA17221 for firewalls-outgoing; Fri, 11 Apr 1997 15:33:55 -0700 (PDT) Received: from mercury.online.uleth.ca (mercury.online.uleth.ca [142.66.5.25]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id PAA17175 for ; Fri, 11 Apr 1997 15:33:45 -0700 (PDT) Received: from rose.cserve.uleth.ca ([142.66.26.250]) by mercury.online.uleth.ca (Netscape Mail Server v2.02) with ESMTP id AAA5630; Fri, 11 Apr 1997 16:32:43 -0600 Message-ID: <334EBC5E.B421AEC8@hg.uleth.ca> Date: Fri, 11 Apr 1997 16:34:06 -0600 From: "Jeffrey L. Oliver" Organization: University of Lethbridge X-Mailer: Mozilla 4.0b3 [en] (Win95; I) MIME-Version: 1.0 To: fw-1 , fw Subject: ident X-Priority: 3 (Normal) Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk What are the ramifications of disallowing the ident service through the firewall? Jeff -- --------------------------------------------------------------- To Err is human; to really screw things up requires a computer! --------------------------------------------------------------- Jeffrey L. 
Oliver System Support Specialist The University of Lethbridge Phone: (403) 329-5162 Fax: (403) 382-7108 Email: oliver@hg.uleth.ca www: http://home.uleth.ca/~oliver From owner-firewalls-outgoing Fri Apr 11 16:12:40 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id PAA17681 for firewalls-outgoing; Fri, 11 Apr 1997 15:36:35 -0700 (PDT) Received: from mercury.online.uleth.ca (mercury.online.uleth.ca [142.66.5.25]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id PAA17664 for ; Fri, 11 Apr 1997 15:36:27 -0700 (PDT) Received: from rose.cserve.uleth.ca ([142.66.26.250]) by mercury.online.uleth.ca (Netscape Mail Server v2.02) with ESMTP id AAA5638; Fri, 11 Apr 1997 16:35:26 -0600 Message-ID: <334EBD01.7199BD8E@hg.uleth.ca> Date: Fri, 11 Apr 1997 16:36:49 -0600 From: "Jeffrey L. Oliver" Organization: University of Lethbridge X-Mailer: Mozilla 4.0b3 [en] (Win95; I) MIME-Version: 1.0 To: fw , fw-1 Subject: mail problems X-Priority: 3 (Normal) Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello All, I am having a few mail problems, and am wondering if it is my firewall or not. I am running FW-1 on a Solaris box. I am allowing SMTP to flow from my few mail machines and the 'net, but some of our incoming mail does not arive. Any ideas? Jeff -- --------------------------------------------------------------- To Err is human; to really screw things up requires a computer! --------------------------------------------------------------- Jeffrey L. 
Oliver System Support Specialist The University of Lethbridge Phone: (403) 329-5162 Fax: (403) 382-7108 Email: oliver@hg.uleth.ca www: http://home.uleth.ca/~oliver From owner-firewalls-outgoing Fri Apr 11 17:04:20 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id QAA28714 for firewalls-outgoing; Fri, 11 Apr 1997 16:48:15 -0700 (PDT) Received: from buffy.isi.net (buffy.isi.net [204.71.194.215]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id QAA28690 for ; Fri, 11 Apr 1997 16:48:08 -0700 (PDT) Received: from localhost (mike@localhost) by buffy.isi.net (8.8.5/ISI-1.5) with SMTP id QAA18794; Fri, 11 Apr 1997 16:47:06 -0700 (PDT) Date: Fri, 11 Apr 1997 16:47:06 -0700 (PDT) From: Mike Hedlund X-Sender: mike@buffy To: "Jeffrey L. Oliver" cc: fw , fw-1 Subject: Re: mail problems In-Reply-To: <334EBD01.7199BD8E@hg.uleth.ca> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Is the mail that isn't arriving always coming from the same place? Try doing "echo test|mail -v root@yoursite.com" from a few different external places.. see if it's getting through. Assuming your firewall isn't a mail-gw. Does all the outgoing mail get to its destination ok? See if you can get the headers of the mail that isn't arriving from the original sender. -mike On Fri, 11 Apr 1997, Jeffrey L. Oliver wrote: > Hello All, > > I am having a few mail problems, and am wondering if it is my firewall > or not. I am running FW-1 on a Solaris box. I am allowing SMTP to > flow from my few mail machines and the 'net, but some of our incoming > mail does not arrive. Any ideas? > > Jeff > -- > --------------------------------------------------------------- > To Err is human; to really screw things up requires a computer! > --------------------------------------------------------------- > > Jeffrey L. 
Oliver > System Support Specialist > The University of Lethbridge > Phone: (403) 329-5162 > Fax: (403) 382-7108 > Email: oliver@hg.uleth.ca > www: http://home.uleth.ca/~oliver > From owner-firewalls-outgoing Fri Apr 11 17:08:57 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id QAA29094 for firewalls-outgoing; Fri, 11 Apr 1997 16:52:42 -0700 (PDT) Received: from mail.rc.on.ca ([207.176.151.2]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id QAA29087 for ; Fri, 11 Apr 1997 16:52:36 -0700 (PDT) Received: by mail.rc.on.ca with Internet Mail Service (5.0.1458.11) id <2YC1JJS3>; Fri, 11 Apr 1997 19:51:33 -0400 Message-ID: From: Russ To: "firewalls@greatcircle.com" , "'Ashram Beachoo'" Subject: RE: Microsoft Explorer Date: Fri, 11 Apr 1997 19:51:31 -0400 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.11) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk It just gets better and better. Please, can we switch the list to a moderated list now? Cheers, Russ R.C. Consulting, Inc. - NT/Internet Security owner of the NTBugTraq mailing list: http://ntbugtraq.rc.on.ca/index.html > ---------- > From: Ashram Beachoo[SMTP:swamie@usa.net] > Sent: Friday, April 11, 1997 4:44 AM > To: firewalls@greatcircle.com > Subject: Microsoft Explorer > > I've heard that the new fixes released for Microsoft Explorer allow > your hard drive to be scanned when the program is idle and detects any > > Microsoft products that are unregistered.It then relays the info to > Microsoft who deal with the info appropriately. > > Can someone shed some light on this for me? 
> > Ashram Beachoo > Computer Software Technician > > swamie@usa.net > From owner-firewalls-outgoing Fri Apr 11 20:37:10 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id UAA13449 for firewalls-outgoing; Fri, 11 Apr 1997 20:22:45 -0700 (PDT) Received: from mhaaf.inhouse.compuserve.com (mhaaf.inhouse.compuserve.com [149.174.64.79]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id UAA13440 for ; Fri, 11 Apr 1997 20:22:40 -0700 (PDT) Received: from notes2.compuserve.com ([149.174.221.56]) by mhaaf.inhouse.compuserve.com (8.6.9/8.6.12) with SMTP id BAA10143.; Sat, 12 Apr 1997 01:04:13 -0400 Received: by notes2.compuserve.com (IBM OS/2 SENDMAIL VERSION 1.3.17/2.0) id AB2417; Fri, 11 Apr 97 23:21:42 -0400 Message-Id: <9704120321.AB2417@notes2.compuserve.com> Received: by External Gateway (Lotus Notes Mail Gateway for SMTP V1.1) id 005027440012F8CC86256477000881C1; Fri, 11 Apr 97 23:21:42 To: firewalls-digest From: "steven.j.schulze" Date: 11 Apr 97 20:38:33 Subject: IPSEC / IPV6 and Firewalls & Network Security Mime-Version: 1.0 Content-Type: Text/Plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Does anyone want to comment on the conventional wisdom of what IPSEC and IPV6 will do for network security, and how this will require changes to firewalls and how they operate? 
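The data-channel behaviour described in the two "Re: FTP questions" replies above, as an added example that is not part of any list message: it decodes a PORT command and a 227 (PASV) reply, works out which side opens the data connection, and runs both through a simplified choke-router policy. The addresses, the `INSIDE_NET` range and the policy model (inside hosts may open connections outward; inbound connection attempts pass only to destination ports 20 and 21) are constructed assumptions, not details taken from the thread.

```python
"""Who opens the FTP data connection in active (PORT) and passive (PASV) mode."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Six comma-separated decimal bytes: h1,h2,h3,h4,p1,p2 (RFC 959 host-port format).
_HOSTPORT = re.compile(r"(?<![\d,])(\d{1,3}(?:,\d{1,3}){5})(?![\d,])")

# Constructed sample network: the protected side of the choke router.
INSIDE_NET = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class DataConn:
    mode: str                 # "active" or "passive"
    initiator: str            # side that sends the first SYN
    src_ip: str
    src_port: Optional[int]   # None means an ephemeral port
    dst_ip: str
    dst_port: int


def decode_hostport(text):
    """Return (ip, port) from the h1,h2,h3,h4,p1,p2 field inside `text`."""
    match = _HOSTPORT.search(text)
    if match is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in %r" % text)
    nums = [int(n) for n in match.group(1).split(",")]
    if any(n > 255 for n in nums):
        raise ValueError("field value above 255 in %r" % text)
    ip = ".".join(str(n) for n in nums[:4])
    return ip, nums[4] * 256 + nums[5]


def active_data_conn(port_command, server_ip):
    """Active mode: the client names its own address and port in PORT,
    and the server connects back to it from source port 20 (ftp-data)."""
    client_ip, client_port = decode_hostport(port_command)
    return DataConn("active", "server", server_ip, 20, client_ip, client_port)


def passive_data_conn(reply_227, client_ip):
    """Passive mode: the server names a listening port in its 227 reply,
    and the client connects out to it from an ephemeral port."""
    server_ip, server_port = decode_hostport(reply_227)
    return DataConn("passive", "client", client_ip, None, server_ip, server_port)


def choke_router_permits(conn, inside_net=INSIDE_NET,
                         open_inbound_dst_ports=frozenset({20, 21})):
    """Assumed policy: connections opened from the inside are allowed;
    connections opened from the outside pass only if their DESTINATION
    port is explicitly open. In active mode port 20 is the SOURCE port,
    so opening 20 and 21 this way does not admit the data connection.
    (Matching on source port 20 instead would trust a value that the
    remote host chooses.)"""
    if ipaddress.ip_address(conn.src_ip) in inside_net:
        return True
    return conn.dst_port in open_inbound_dst_ports


if __name__ == "__main__":
    # Constructed control-channel lines for an inside client 10.1.2.3
    # talking to an outside server 192.0.2.10.
    samples = [
        active_data_conn("PORT 10,1,2,3,4,1", server_ip="192.0.2.10"),
        passive_data_conn("227 Entering Passive Mode (192,0,2,10,195,80)",
                          client_ip="10.1.2.3"),
    ]
    for conn in samples:
        verdict = "permit" if choke_router_permits(conn) else "deny"
        print("%-7s opened by %-6s %s:%s -> %s:%d  %s" % (
            conn.mode, conn.initiator, conn.src_ip,
            conn.src_port if conn.src_port is not None else "ephemeral",
            conn.dst_ip, conn.dst_port, verdict))
```

Under this model the control connection (login) succeeds in both modes; only the active-mode data connection is dropped, which matches the symptom of a working log-on and a failing `ls`.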
From owner-firewalls-outgoing Fri Apr 11 21:07:10 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id VAA15794 for firewalls-outgoing; Fri, 11 Apr 1997 21:01:57 -0700 (PDT) Received: from proxy1.ba.best.com (proxy1.ba.best.com [206.184.139.12]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id VAA15786 for ; Fri, 11 Apr 1997 21:01:53 -0700 (PDT) Received: from kgibbs.vip.best.com (kgibbs.vip.best.com [206.86.92.105]) by proxy1.ba.best.com (8.8.5/8.8.3) with ESMTP id UAA22380; Fri, 11 Apr 1997 20:56:10 -0700 (PDT) Message-Id: <199704120356.UAA22380@proxy1.ba.best.com> From: "Kelly Gibbs" To: "Ashram Beachoo" , Subject: Re: Microsoft Explorer Date: Fri, 11 Apr 1997 20:16:43 -0700 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1155 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk We are currently looking into this wonderful "feature". I can't confirm it at this point however. Anyone have anymore info on this yet.... Kelly > I've heard that the new fixes released for Microsoft Explorer allow > your hard drive to be scanned when the program is idle and detects any > Microsoft products that are unregistered.It then relays the info to > Microsoft who deal with the info appropriately. > > Can someone shed some light on this for me? 
> From owner-firewalls-outgoing Fri Apr 11 21:28:25 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id VAA17360 for firewalls-outgoing; Fri, 11 Apr 1997 21:18:51 -0700 (PDT) Received: from proxy1.ba.best.com (proxy1.ba.best.com [206.184.139.12]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id VAA17333 for ; Fri, 11 Apr 1997 21:18:43 -0700 (PDT) Received: from kgibbs.vip.best.com (kgibbs.vip.best.com [206.86.92.105]) by proxy1.ba.best.com (8.8.5/8.8.3) with ESMTP id VAA02349; Fri, 11 Apr 1997 21:10:07 -0700 (PDT) Message-Id: <199704120410.VAA02349@proxy1.ba.best.com> From: "Kelly Gibbs" To: "renegade" Cc: Subject: NT SIDS Finally broken! Date: Fri, 11 Apr 1997 20:30:39 -0700 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1155 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I just confirmed that NT SIDS has been broken but the group that broke it (private corporation / security specialist - actually corporate hackers) do not want this known to the general public (at least not yet!). The demo I was given on how to change NT System Registry entries is actually very technical yet effective. For those of you who requested the URL of my web page, I'm waiting to get legals recommendation. Kelly > yes this is a really big problem, yet the denial from m$ also states > that it is not and has not > been broken, i too am collecting and have collected information, mostly > from the source or the problem. > > as with the netmon expolit, m$ is using a standard md4 one-way hash to > secure the sids, this is not even close to > the level or their so called cryptoapi kit. > > more info at > > http://odin.blkbox.com > > > > >Kelly Gibbs wrote: > > > > Anyone familiar with NT SIDS? Apparently it has been cracked and the > > implication of doing so spells another "service-pack" from Microsoft. 
> > Also, > > I was given a demonstration on how to change the system registery. It's > > actually fairly easy and bypasses all the protection Microsoft setup. I'll > > be posting my findings on my web page soon. I'm still in the info > > collection process and continuing to pursue this. > > > > Kelly > > -- > ============================================================================ === > renegade@blkbox.com | great spirits have often faced violent > opposition | > | from mediocre minds. a.e | > ============================================================================ === From owner-firewalls-outgoing Fri Apr 11 21:37:21 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id VAA18815 for firewalls-outgoing; Fri, 11 Apr 1997 21:33:27 -0700 (PDT) Received: from mail.rc.on.ca ([207.176.151.2]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id VAA18789 for ; Fri, 11 Apr 1997 21:33:13 -0700 (PDT) Received: by mail.rc.on.ca with Internet Mail Service (5.0.1458.11) id <2Y38WAK1>; Sat, 12 Apr 1997 00:29:04 -0400 Message-ID: From: Russ To: "firewalls@greatcircle.com" , "'Kelly Gibbs'" Subject: RE: NT SIDS? Date: Sat, 12 Apr 1997 00:28:59 -0400 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.11) Content-Type: text/plain; charset="iso-8859-1" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This post is off-topic, but given the scope of attention that has surrounded this issue its probably worth Firewalls people being at least aware of it. Anyone interested in this story can find a lot of information at my NTBugTraq web site (http://ntbugtraq.rc.on.ca/index.html). There you will find responses I have published wrt the EE Times articles, as well as links to those articles and Microsoft's responses as well (Microsoft's responses link back to my responses if you'd rather go that route). >Anyone familiar with NT SIDS? 
Apparently it has been cracked and the >implication of doing so spells another "service-pack" from Microsoft. Yes, I am familiar with NT SIDS, unfortunately they don't really have anything to do with the cracking that's been going on. A SID is simply a Security Identifier. As to them (or something) being cracked, the brief version is this; NT passwords are stored in the NT Registry as representations of the plain-text password. They're first OWF hashed using the RSA MD4 hashing function, then obscured (obfuscated) using DES. The first step can't be reversed (generally accepted), but the second step can. The algorithm to do this has been published as part of a really useful SAMBA utility to allow SAMBA systems to create a user database from an NT user accounts database (Security Access Manager dB or SAM). The value retrieved after running this utility is what is referred to as "Plain-Text Equivalent" in that it can be used to construct a challenge/response if other information is also known. It would therefore be conceivable, SHOULD ADMIN ACCESS BE ACHIEVED TO THE REGISTRY, to extract a password hash and turn it into something that could be used to access a network resource as some user. If cracked using a password dictionary (or brute force tool like l0phtcrack for NT), a plain-text password could be yielded and used to log on at a console. The point is that you must first gain access to either the registry itself (in which case you need to be either the Administrator, a member of the Administrators Group, or the Backup Operator), or to a backed up copy of the SAM hive of the registry (either through the %systemroot%\repair directory or by physical access to an Emergency Repair Diskette). Mis-configuring the system could make this access available. >I was given a demonstration on how to change the system registry. It's >actually fairly easy and bypasses all the protection Microsoft set up. 
I'll The access you refer to needs to be done as Administrator, which doesn't really bypass all the protection Microsoft set up. Starting the Schedule service requires Administrator access, which could then be used to start up the Registry Editor (REGEDT32) as user SYSTEM. User SYSTEM has complete privilege to the entire registry, hence the protections are not bypassed, you are seeing what that user is permitted to see. The user SYSTEM cannot log into a machine, and this methodology cannot be used via a network connection, so it means that physical console presence is a pre-requisite. It's also only useful if this is all done on a Domain Controller. So if you can get Administrator privilege at the console of a Domain Controller, it would be possible to exploit it. It shouldn't take a rocket scientist to figure this out, as well as the ways to prevent such a set of circumstances from occurring unintentionally. The passwords are also stored in DES encrypted format for LanMan compatibility. This version is generally weak and would likely be the target of any cracking attempts (but this isn't what was discussed in the article). CIAC Bulletin H45 discusses this issue, together with some suggestions. See my archives at http://ntbugtraq.rc.on.ca/index.html under the CIAC bulletin message title for some additional comments on their bulletin. Cheers, Russ R.C. Consulting, Inc. 
- NT/Internet Security owner of the NTBugTraq mailing list: http://ntbugtraq.rc.on.ca/index.html From owner-firewalls-outgoing Fri Apr 11 22:22:19 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id WAA22967 for firewalls-outgoing; Fri, 11 Apr 1997 22:08:16 -0700 (PDT) Received: from wizard.abirnet.co.il (wizard.abirnet.co.il [194.90.211.10]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id WAA22950 for ; Fri, 11 Apr 1997 22:08:10 -0700 (PDT) From: yoram@abirnet.com Received: from myself.ibm.net (ziva-modem1.abirnet.co.il [194.90.211.13]) by wizard.abirnet.co.il (8.7.6/8.7.3) with SMTP id IAA13490; Sat, 12 Apr 1997 08:06:54 +0300 Date: Sat, 12 Apr 97 08:01:31 Israel Daylight Time Subject: Re: Firewall Research Papers To: Clover , Unknown X-Mailer: Chameleon ATX 6.0, Standards Based IntraNet Solutions, NetManage Inc. X-Priority: 3 (Normal) References: <199704111548_MC2-1424-B248@compuserve.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I recommend http://www.zeuros.co.uk/firewall/ This is the best place to learn about firewalls and internet security located on the web. Yoram --- On Fri, 11 Apr 1997 15:48:22 -0400 Clover wrote: Can anyone direct me to any research or white papers written on firewalls and internet security located on the web? 
Sally Cogswell ---------------End of Original Message----------------- /~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~-~~~~~~~~~~\ / Yoram Nissenboim 04/12/97 08:01:32 \ /~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~-~~~~~~~~~\ / AbirNet provides the next generation in Internet and Intranet Protection.\ | AbirNet provides Windows 95 & NT-based software that lets you know how | | your network is being used while protecting it from intrusions and abuse | | AbirNet SessionWall-3 offers see-it-all filtering, blocking, alerting, | | logging and scanning technologies- all this with no network overhead! | | | \========== Get an EVALUATION COPY at http://www.AbirNet.com ===============/ From owner-firewalls-outgoing Fri Apr 11 22:37:02 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id WAA23986 for firewalls-outgoing; Fri, 11 Apr 1997 22:19:01 -0700 (PDT) Received: from reflections.eng.mindspring.net (reflections.eng.mindspring.net [207.69.183.9]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id WAA23979 for ; Fri, 11 Apr 1997 22:18:57 -0700 (PDT) Received: (qmail 9515 invoked by uid 514); 12 Apr 1997 05:18:01 -0000 Date: Sat, 12 Apr 1997 01:18:00 -0400 (EDT) From: Todd Graham Lewis Reply-To: Todd Graham Lewis To: Firewalls Mailing List Subject: Phrack 50 Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk The latest issue of Phrack, The Original Hacker Zine, is out. You can (and probably should) read it for the low price of $0; it's available from: ftp://ftp.infonexus.com/pub/p50.tgz Some interesting articles include "SNMP insecurities", "Cracking NT Passwords", and a program called Juggernaut, "a robust network tool (i.e., packet sniffer. --tlewis) for the Linux OS." You definitely should check it out; half the teenagers with access to your network are reading it right now. 
8^) __ Todd Graham Lewis MindSpring Enterprises tlewis@mindspring.com From owner-firewalls-outgoing Sat Apr 12 01:22:15 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id BAA03646 for firewalls-outgoing; Sat, 12 Apr 1997 01:08:48 -0700 (PDT) Received: from gauntlet.qdata.co.za (gauntlet.qdata.co.za [196.29.128.97]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id BAA03638 for ; Sat, 12 Apr 1997 01:08:28 -0700 (PDT) Received: by gauntlet.qdata.co.za; id KAA11260; Sat, 12 Apr 1997 10:17:03 +0200 Received: from unknown(196.11.111.254) by gauntlet.qdata.co.za via smap (V3.1.1) id xma011251; Sat, 12 Apr 97 10:16:35 +0200 Received: by ratface.qdata.co.za with Microsoft Mail id <01BC4729.5B3718E0@ratface.qdata.co.za>; Sat, 12 Apr 1997 10:07:40 +0200 Message-ID: <01BC4729.5B3718E0@ratface.qdata.co.za> From: Richard Chilcott To: "'Todd Graham Lewis'" , Firewalls Mailing List Subject: RE: Phrack 50 Date: Sat, 12 Apr 1997 10:07:39 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk The site is ftp://ftp.infonexus.com/pub/p50.tar.gz Thanks -----Original Message----- From: Todd Graham Lewis [SMTP:lists@reflections.eng.mindspring.net] Sent: Saturday, April 12, 1997 7:18 AM To: Firewalls Mailing List Subject: Phrack 50 The latest issue of Phrack, The Original Hacker Zine, is out. You can (and probably should) read it for the low price of $0; it's available from: ftp://ftp.infonexus.com/pub/p50.tgz Some interesting articles include "SNMP insecurities", "Cracking NT Passwords", and a program called Juggernaut, "a robust network tool (i.e., packet sniffer. --tlewis) for the Linux OS." You definitely should check it out; half the teenagers with access to your network are reading it right now. 
8^) __ Todd Graham Lewis MindSpring Enterprises tlewis@mindspring.com From owner-firewalls-outgoing Sat Apr 12 04:52:13 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA16312 for firewalls-outgoing; Sat, 12 Apr 1997 04:36:13 -0700 (PDT) Received: from gwB.kyoto-inet.or.jp (gwB.kyoto-inet.or.jp [202.245.160.142]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id EAA16305 for ; Sat, 12 Apr 1997 04:36:05 -0700 (PDT) Received: from smtp.kyoto-inet.or.jp.kyoto-inet.or.jp (pppB237.kyoto-inet.or.jp [210.134.102.138]) by gwB.kyoto-inet.or.jp (8.8.5+2.7Wbeta5/3.4W4-08/19/96) with ESMTP id UAA25497 for ; Sat, 12 Apr 1997 20:35:11 +0900 Message-Id: <199704121135.UAA25497@gwB.kyoto-inet.or.jp> To: firewalls@GreatCircle.COM Subject: RE: Phrack 50 From: Tetsuya Nakano Reply-To: nakano@elnis.nissin.co.jp In-Reply-To: Your message of "Sat, 12 Apr 1997 10:07:39 +0200" References: <01BC4729.5B3718E0@ratface.qdata.co.za> X-Mailer: Mew version 1.06 on Emacs 19.28.1, Mule 2.3 Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Date: Sat, 12 Apr 1997 20:35:40 +0900 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Change my address, please. 
old) geheim@mbox.kyoto-inet.or.jp new) nakano@elnis.nissin.co.jp ----------------------------------------------------- Tetsuya Nakano 34 YoshidaNakaoji-cho, Sakyo-ku Kyoto 606, Japan e-mail: geheim@mbox.kyoto-inet.or.jp ----------------------------------------------------- From owner-firewalls-outgoing Sat Apr 12 06:22:11 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA21291 for firewalls-outgoing; Sat, 12 Apr 1997 06:13:19 -0700 (PDT) Received: from smtp.gte.net (goofy.gte.net [206.124.65.252]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id GAA21284 for ; Sat, 12 Apr 1997 06:13:14 -0700 (PDT) Received: from gearnhart2 ([199.180.4.18]) by smtp.gte.net (SMI-8.6/) via ESMTP id IAA28337 for ; Sat, 12 Apr 1997 08:12:21 -0500 Message-Id: <199704121312.IAA28337@smtp.gte.net> From: "Gregg Earnhart" To: Subject: Checkpoint 3.0 Date: Sat, 12 Apr 1997 08:11:49 -0500 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1161 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Is anyone running the Checkpoint 3.0 version of Firewall-1? Is it in production? what platform? 
Gregg Earnhart From owner-firewalls-outgoing Sat Apr 12 08:07:26 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA25626 for firewalls-outgoing; Sat, 12 Apr 1997 07:52:32 -0700 (PDT) Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id HAA25619 for ; Sat, 12 Apr 1997 07:52:27 -0700 (PDT) Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id JAA04102; Sat, 12 Apr 1997 09:48:55 -0500 (EST) From: Adam Shostack Message-Id: <199704121448.JAA04102@homeport.org> Subject: Re: IPSEC / IPV6 and Firewalls & Network Security In-Reply-To: <9704120321.AB2417@notes2.compuserve.com> from "steven.j.schulze" at "Apr 11, 97 08:38:33 pm" To: steven.j.schulze@ac.com (steven.j.schulze) Date: Sat, 12 Apr 1997 09:48:54 -0500 (EST) Cc: firewalls-digest@GreatCircle.COM X-Mailer: ELM [version 2.4ME+ PL27 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk People with proxy systems won't change them, the security of packet filters will go up relative to how well the key management problem is addressed. (Key management is a large problem, and solving parts of it is a very useful thing.) It's worth noting that the fact that you've authenticated some entity does not mean that you should extend them ultimate trust, it could mean that their keys have been compromised. I expect that as firewalls get cheaper, we'll start to see the technology being pushed deeper inside a company, so that every mailhost runs smtpd, not just the one on "the firewall." Adam steven.j.schulze wrote: | Does anyone want to comment on the conventional wisdom of what IPSEC and IPV6 | will do for network security, and how this will require changes to firewalls | and how they operate? | -- "It is seldom that liberty of any kind is lost all at once." 
-Hume From owner-firewalls-outgoing Sat Apr 12 11:37:04 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA06529 for firewalls-outgoing; Sat, 12 Apr 1997 11:34:54 -0700 (PDT) Received: from xyzzy.plugh.edmonton.ab.ca (xyzzy.plugh.edmonton.ab.ca [198.161.22.2]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id LAA06522 for ; Sat, 12 Apr 1997 11:34:49 -0700 (PDT) Received: (from uucp@localhost) by xyzzy.plugh.edmonton.ab.ca (8.6.12/8.6.9) id MAA05813; Sat, 12 Apr 1997 12:33:51 -0600 Received: from snouts-gw.obtuse.com(192.168.30.61), claiming to be "snouts.obtuse.com" via SMTP by mailhost.plugh.edmonton.ab.ca, id smtpd05811aaa; Sat Apr 12 12:33:49 1997 Received: (from beck@localhost) by snouts.obtuse.com (8.7.5/8.7.3) id MAA26662; Sat, 12 Apr 1997 12:33:46 -0600 From: Bob Beck Message-Id: <199704121833.MAA26662@snouts.obtuse.com> Subject: Re: ident To: oliver@hg.uleth.ca (Jeffrey L. Oliver) Date: Sat, 12 Apr 1997 12:33:45 -0600 (MDT) Cc: fw-1-mailinglist@us.checkpoint.com, firewalls@GreatCircle.COM In-Reply-To: <334EBC5E.B421AEC8@hg.uleth.ca> from "Jeffrey L. Oliver" at Apr 11, 97 04:34:06 pm X-Mailer: ELM [version 2.4 PL25] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > What are the ramifications of disallowing the ident service through > the firewall? > > Jeff > -- > --------------------------------------------------------------- Nothing really awful. Sometimes people have their daemons set up to shoot you with an ident when you make a connection to them. Some will even deny service when you don't answer, although this is rare outside of academic institutions. Some of your outgoing connections may be delayed while this happens. Some IRC servers require ident to allow people to connect to them. so some C users may be inconvenienced. 
Allowing ident (in a packet filtering firewall) through to your hosts means you have one more daemon to be sure isn't breakable inside, and that ident could give out too much information for you if you consider your login names sacrosanct. You can avoid this by running an ident that either obfuscates the login name (the latest versions of pidentd allow for returning des encrypted responses, the idea being that if someone complains about actions from your site and gives you one of these encrypted ident replies you as the sysadmin can decrypt it and figure out which of your lusers was responsible). However if that's not important it's easier to just configure ident to lie or return a generic reply for everyone, something like "internal_user" returned for every login name. Of course, if you don't have full control over who runs daemons on your internal machines, (i.e. you have DOS or Windows around) and you're allowing ident to all machines, someone could decide to run a telnet BBS login, or web server on port 113 and you'd be none the wiser :-) Cheers, -Bob -- Bob Beck Obtuse Systems Corporation beck@obtuse.com http://www.obtuse.com/ True Evil hides its real intentions in its street address. Search and you shall find it, and the truth shall set you free. 
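The "generic reply for everyone" configuration described in the message above, sketched as a small RFC 1413 responder. This is an added example, not part of the original post and not pidentd's code; `build_reply`, `IdentHandler` and the unprivileged test port 1113 are assumptions made for the illustration, and only the `internal_user` string comes from the post.

```python
"""Ident (RFC 1413) responder that never discloses a real login name."""
import re
import socketserver

GENERIC_USER = b"internal_user"  # generic reply suggested in the post
OPSYS = b"OTHER"                 # the token is not a real Unix login name
MAX_QUERY_LEN = 1000             # RFC 1413 limits a line to 1000 characters

# Query format: <port-on-server> , <port-on-client>
QUERY_RE = re.compile(rb"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")


def build_reply(query: bytes, hide: bool = False) -> bytes:
    """Return the ident reply for one query line.

    The connection owner is never looked up, so every well-formed query
    gets the same token (or HIDDEN-USER when hide=True).
    """
    line = query.split(b"\n", 1)[0].rstrip(b"\r")
    match = QUERY_RE.match(line) if len(line) <= MAX_QUERY_LEN else None
    if match is None:
        # Not an ident query at all (wrong protocol, oversized line, junk).
        return b"0 , 0 : ERROR : UNKNOWN-ERROR\r\n"
    server_port, client_port = int(match.group(1)), int(match.group(2))
    pair = b"%d , %d" % (server_port, client_port)
    if not (1 <= server_port <= 65535 and 1 <= client_port <= 65535):
        return pair + b" : ERROR : INVALID-PORT\r\n"
    if hide:
        return pair + b" : ERROR : HIDDEN-USER\r\n"
    return pair + b" : USERID : " + OPSYS + b" : " + GENERIC_USER + b"\r\n"


class IdentHandler(socketserver.StreamRequestHandler):
    timeout = 5  # drop idle clients so the daemon cannot be tied up

    def handle(self):
        try:
            # Read at most one bounded line; longer input is rejected above.
            query = self.rfile.readline(MAX_QUERY_LEN + 2)
        except OSError:
            return
        self.wfile.write(build_reply(query))


if __name__ == "__main__":
    # Constructed test setup: the real service listens on TCP port 113,
    # which needs privileges; 1113 on loopback is used here instead.
    with socketserver.ThreadingTCPServer(("127.0.0.1", 1113), IdentHandler) as srv:
        srv.serve_forever()
```

Because the reply is a constant, remote daemons that wait for an ident answer are not delayed, while no login name leaves the site.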
From owner-firewalls-outgoing Sat Apr 12 14:22:10 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA13763 for firewalls-outgoing; Sat, 12 Apr 1997 14:15:51 -0700 (PDT) Received: from brickbat9.mindspring.com (brickbat9.mindspring.com [207.69.200.12]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id OAA13756 for ; Sat, 12 Apr 1997 14:15:45 -0700 (PDT) Received: from hal (ip176.tulsa3.ok.pub-ip.psi.net [38.12.221.176]) by brickbat9.mindspring.com (8.8.5/8.8.5) with SMTP id RAA19030; Sat, 12 Apr 1997 17:13:45 -0400 (EDT) Message-Id: <3.0.32.19970412121001.00c5fb78@pop.mindspring.com> X-Sender: us028272@pop.mindspring.com X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Sat, 12 Apr 1997 14:15:39 -0700 To: Rabid Wombat From: "Jeff C. Flynn" Subject: Re: (OFF-Topic) Intruder? Cc: firewalls@greatcircle.com Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Perhaps 25% denial of service attacks are harder to detect than the 100% variety. Consequently, the impact over time could be greater. Maybe someone is attempting to manipulate the performance of your organization? Jeff At 12:31 PM 4/11/97 -0400, you wrote: > > >Hi all, > >Not exactly a firewall question here. > >We recently observed a system playing ping-pong with one of our >unprotected servers: > >The outsider would send a Telnet IAC command, our server would respond, >the outsider would sent the same IAC, server would respond ... > >This continued until we blocked the outside address. > >Anybody have any idea what this might be, other than a rather lame denial >of service? This activity was accounting for about 25% of the traffic >into the server, but it is a very low volume server. Didn't appear to >affect performance, and we didn't see any other indications of anything >unusual. > >Any ideas? > >-r.w. 
> > ------------------------------------ Jeff Flynn & Associates Network Security (714)551-6398 Irvine, Calif. ------------------------------------ From owner-firewalls-outgoing Sat Apr 12 15:52:04 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id PAA18321 for firewalls-outgoing; Sat, 12 Apr 1997 15:39:28 -0700 (PDT) Received: from bramber.windsor.com (bramber.windsor.com [199.181.96.54]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id PAA18314 for ; Sat, 12 Apr 1997 15:39:17 -0700 (PDT) Received: from carew.windsor.com (carew.windsor.com [199.181.96.17]) by bramber.windsor.com (8.6.12/8.6.12) with SMTP id SAA06005; Sat, 12 Apr 1997 18:37:55 -0400 Received: by carew.windsor.com with Microsoft Mail id <01BC4770.F74C6720@carew.windsor.com>; Sat, 12 Apr 1997 18:40:17 -0400 Message-ID: <01BC4770.F74C6720@carew.windsor.com> From: "Eric V. Smith" To: Rabid Wombat , "'Jeff C. Flynn'" Cc: "firewalls@GreatCircle.COM" Subject: RE: (OFF-Topic) Intruder? Date: Sat, 12 Apr 1997 18:40:15 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk It's more likely a buggy telnet client or server. I've seen cases (especially with proxies themselves) where the negotiation is wrong and this sort of infinite negotiation takes place. Eric. ---------- From: Jeff C. Flynn[SMTP:us028272@mindspring.com] Sent: Saturday, April 12, 1997 5:16 PM To: Rabid Wombat Cc: firewalls@GreatCircle.COM Subject: Re: (OFF-Topic) Intruder? Perhaps 25% denial of service attacks are harder to detect than the 100% variety. Consequently, the impact over time could be greater. Maybe someone is attempting to manipulate the performance of your organization? Jeff At 12:31 PM 4/11/97 -0400, you wrote: > > >Hi all, > >Not exactly a firewall question here. 
> >We recently observed a system playing ping-pong with one of our >unprotected servers: > >The outsider would send a Telnet IAC command, our server would respond, >the outsider would sent the same IAC, server would respond ... > >This continued until we blocked the outside address. > >Anybody have any idea what this might be, other than a rather lame denial >of service? This activity was accounting for about 25% of the traffic >into the server, but it is a very low volume server. Didn't appear to >affect performance, and we didn't see any other indications of anything >unusual. > >Any ideas? > >-r.w. > > ------------------------------------ Jeff Flynn & Associates Network Security (714)551-6398 Irvine, Calif. ------------------------------------ From owner-firewalls-outgoing Sat Apr 12 16:22:04 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id QAA21369 for firewalls-outgoing; Sat, 12 Apr 1997 16:15:17 -0700 (PDT) Received: from mail.clark.net (mail.clark.net [168.143.0.10]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id QAA21360 for ; Sat, 12 Apr 1997 16:15:10 -0700 (PDT) Received: from mjr.clark.net (mjr.clark.net [168.143.19.61]) by mail.clark.net (8.8.5/8.6.5) with SMTP id TAA10898 for ; Sat, 12 Apr 1997 19:13:59 -0400 (EDT) Message-Id: <199704122313.TAA10898@mail.clark.net> Comments: Authenticated sender is From: "Marcus J. Ranum" Organization: Network Flight Recorder, Inc. 
To: Firewalls@GreatCircle.COM Date: Sat, 12 Apr 1997 19:17:23 +0000 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Re: IPSEC / IPV6 and Firewalls & Network Security Reply-to: mjr@clark.net In-reply-to: <199704120800.BAA03288@honor.greatcircle.com> X-mailer: Pegasus Mail for Win32 (v2.53/R1) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk "steven.j.schulze" writes: > Does anyone want to comment on the conventional wisdom of what IPSEC and IPV6 > will do for network security, and how this will require changes to firewalls > and how they operate? I don't know if there's enough conventional wisdom (e.g.: real world experience and painful lessons learned) with respect to IPSEC and what it'll do for security. I have my guesses, though, and I'll offer them as such.. IPSEC will have 2 effects: one moderately useful (but it'll be used wrong) and the other stupid. 1) It'll be very useful for building encryption-secured enclaves 2) It'll mean that plaintext passwords will not go away as a technology With respect to item #2, I suspect that a lot of "security dirt" like passwords is going to get swept under the security blanket of encryption. After all, if we're using an end-to-end public key initialized, machine-to-machine authenticated TCP session, then we don't need to worry about password sniffers. Well, that's true, but that is the worst possible excuse for not fixing a lot of the broken, braindamaged software that we're using today (telnet, FTP, rlogin, http). The end effect of the non-fixing of the broken software is that the real problem: learning how to build secure applications and protocols - will never get addressed. Which brings me neatly to #1... IPSEC will be very useful for building isolated encryption-secured virtual enclaves over untrusted networks. The problem is that, as the Internet has proved, nobody wants to be in an isolated enclave!!! 
The second you start talking over that encrypted TCP link to a copy of sendmail or then the usefulness of the encryption is gone. :( Suppose I am running a web server on my IPV6 box. All my buddies are using IPV6 machines and if I set up a security association with them, they can now securely reach my web site and browse so that I think I know who they are, and an outsider can't sniff the traffic. (Never mind that they could do this with SSL today -- I'll get to that later!) What if one of my buddies' machines has been broken into by a nefarious hacquer? Well, the nefarious hacquer can use the encrypted tunnel just like a normal TCP, and take advantage of a hole in my web server, and break into just like a normal system. Boy, do I feel secure, now. :( A more likely scenario is that someone breaks into my buddy's machine, and then dummies up a copy of telnet that logs passwords. Since the O/S handles all the "security" of course I am still using passwords - so he steals passwords for my machine and just logs in. Now, suppose my web server is public! In that case, I've added a new risk for my buddies!!! Consider that in order to talk to my public web server *anyone* needs to be able to set up a link to it. If it's encrypted, so what? The hackquer can still exploit a bug in my CGI script and break into my web server. Once he's on my web server, now he can talk - over the IPSEC-secured link - to all my other machines. The situation bears a distressing resemblance to .rhosts files, only with Very Cool Encryption. :( So, predictions -- what'll change is: very little. Rather than developing secure applications, we'll add encryption to the O/S and buy ourselves a humongous trust boundary management problem. I do think IPSEC can be useful if the right mental model is used to approach the problem. All systems sharing security associations are an "enclave" and may establish enclave-wide trust. 
Any system that shares security associations with more than one enclave is a "firewall" and must be running secured host software that maintains the trust boundary between enclaves. This could be used in a lot of cool ways but I expect it'll be abused more often than not. As I get older and less sane, I am increasingly convinced (or convincing myself) that IPSEC won't buy us anything worth the price we are going to pay in having to upgrade our systems. Indeed, IPV6 probably won't, either, not for a looooong time. What we need are secured application protocols -- written to resist attack. In my most cynical moments I truly fear that the best way to make a step forward for security would be to completely throw out the current set of Internet applications (yes! all of them!) and start over from scratch with a carefully-designed secure buffered I/O library for network, a secure authentication layer that can be applied to the I/O library, a file security library (ditto), and some skeletal protocols that can be extended into secure firewall-traversable metaprotocols that negotiate security domains, access control, and authorization. Don't hold your breath, though! mjr. ----- Marcus J. Ranum, Network Flight Recorder, Inc. 
Personal: http://www.clark.net/pub/mjr Work: http://www.nfr.net From owner-firewalls-outgoing Sat Apr 12 18:22:05 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id SAA28032 for firewalls-outgoing; Sat, 12 Apr 1997 18:17:26 -0700 (PDT) Received: from mail.diginsite.com (mail.diginsite.com [208.2.189.2]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id SAA28023 for ; Sat, 12 Apr 1997 18:17:21 -0700 (PDT) Received: from march.diginsite.com by mail.diginsite.com (AIX 3.2/UCB 5.64/4.03) id AA09923; Sat, 12 Apr 1997 18:15:02 -0700 Message-Id: <9704130115.AA09923@mail.diginsite.com> From: "David Lang" To: Subject: access requests for the list Date: Sat, 12 Apr 1997 18:17:38 -0700 X-Msmail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1155 Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Just a quick reminder to everyone. This is a computer maintained list. if you need to drop off, change your account or anything else you do it by sending mail to majordomo@greatcircle.com just like you did when you subscribed. if you don't remember how just include a line that says 'help' in the body of your message and you will get instructions from there. 
David Lang From owner-firewalls-outgoing Sat Apr 12 20:07:11 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id UAA03780 for firewalls-outgoing; Sat, 12 Apr 1997 20:05:47 -0700 (PDT) Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id UAA03773 for ; Sat, 12 Apr 1997 20:05:41 -0700 (PDT) Message-Id: <199704130305.UAA03773@honor.greatcircle.com> Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA290090300; Sun, 13 Apr 1997 12:58:20 +1000 From: Darren Reed Subject: Re: IPSEC / IPV6 and Firewalls & Network Security To: mjr@clark.net Date: Sun, 13 Apr 1997 12:58:20 +1000 (EST) Cc: Firewalls@GreatCircle.COM In-Reply-To: <199704122313.TAA10898@mail.clark.net> from "Marcus J. Ranum" at Apr 12, 97 07:17:23 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In some mail from Marcus J. Ranum, sie said: [...] > IPSEC will have 2 effects: one moderately useful (but it'll be > used wrong) and the other stupid. > 1) It'll be very useful for building encryption-secured enclaves > 2) It'll mean that plaintext passwords will not go away as a > technology > > With respect to item #2, I suspect that a lot of "security dirt" > like passwords is going to get swept under the security blanket of > encryption. After all, if we're using an end-to-end public key > initialized, machine-to-machine authenticated TCP session, then we > don't need to worry about password sniffers. Well, that's true, but > that is the worst possible excuse for not fixing a lot of the broken, > braindamaged software that we're using today (telnet, FTP, rlogin, > http). The end effect of the non-fixing of the broken software is > that the real problem: learning how to build secure applications and > protocols - will never get addressed. Which brings me neatly to #1... [...] 
With respect to the older protocols, telnet/ftp/rlogin, IPSEC will provide encryption, but it won't address the political problems associated with it. For instance, countries where encryption (strong or weak) is "outlawed" will gain 0 from this - and so will anyone wanting to communicate with ppl there via the internet. This will also apply to the WWW. In situations where we're limited to using 40bit keys we can sleep a little easier knowing that at least joe random cracker won't be able to see passwords in "real" time. I don't think we will see any large scale deployment and use of IPSEC until there is some sort of international policy on encryption. Interestingly, reading the NSA document prepared for congress on encryption, they mentioned that part of the reason why it was so easy to guess the keys was that part of the plaintext* was already known. Well, this is going to be the case for telnet/rlogin (telnet option negotiation strings, terminal information). Darren * - I'm not sure it was the plaintext, but the NSA mentioned that part of something was already made known, making the guessing easier. From owner-firewalls-outgoing Sat Apr 12 20:52:04 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id UAA06866 for firewalls-outgoing; Sat, 12 Apr 1997 20:49:09 -0700 (PDT) Received: from nohackers.com (nohackers.com [206.181.5.130]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id UAA06859 for ; Sat, 12 Apr 1997 20:49:04 -0700 (PDT) Received: by gateway.nohackers.com id <31365>; Sat, 12 Apr 1997 23:45:20 -0400 X-Sender: cbk@ingress.com X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: Firewalls@GreatCircle.COM From: "Charles B. Kaplan" Subject: re-mapping FTP ports ? 
Message-Id: <97Apr12.234520edt.31365@gateway.nohackers.com> Date: Sat, 12 Apr 1997 23:45:07 -0400 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Can anyone think of some software (free/share-ware preferred, commercial considered) that could re-map the ports FTP makes use of ? IE I want to ftp through this proxy 'ftp xxx.xxx.xx.xxx' and have my connection arrive on the outside on port xxxx as opposed to port 21. I have a strange case that I could devote a dedicated machine to proxying out to, however a transparent proxy is much preferred due to factors beyond my control. (IE an old mini-computer has to do this FTP in an automated fashion, and as such trying to connect on and off a host to the pseudo-trusted network won't work well.) I am suspicious that some of Linux's FTP proxies could be made to do this, however before I undertake the work I figured I would ask around. I am aware that BorderWare (commercial sw) has this as a menu option, however it is a broken option under FTP, and one that the manufacturer is going to remove from the menu rather than fix.......aghhhhhhhhh TIA -Charles Kaplan From owner-firewalls-outgoing Sun Apr 13 00:07:11 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id AAA13715 for firewalls-outgoing; Sun, 13 Apr 1997 00:02:55 -0700 (PDT) Received: from mail.rc.on.ca ([207.176.151.2]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id AAA13631 for ; Sun, 13 Apr 1997 00:00:40 -0700 (PDT) Received: by mail.rc.on.ca with Internet Mail Service (5.0.1458.11) id <2Y38WBT8>; Sun, 13 Apr 1997 02:54:36 -0400 Message-ID: From: Russ To: "Firewalls@GreatCircle.COM" , "'mjr@clark.net'" Subject: RE: IPSEC / IPV6 and Firewalls & Network Security Date: Sun, 13 Apr 1997 02:54:03 -0400 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.11) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk re: getting rid of plain-text passwords. 
It was my understanding that there was a proposal at one point to have SSL 3.0 be able to dynamically negotiate its encryption level during a session. This would have permitted an application to use SSL during its authentication sequence, and then drop down to completely unencrypted for the data sequence. This would have had the benefit of providing encryption for password authentication but alleviate the overhead of SSL during data communications. If this had been adopted, it would have been a fairly easy way of getting rid of plain-text passwords. Unfortunately, it's my understanding that this has not been accepted for inclusion in SSL 3.0. Can anyone comment on this? > Cheers, > Russ > R.C. Consulting, Inc. - NT/Internet Security > owner of the NTBugTraq mailing list: > http://ntbugtraq.rc.on.ca/index.html > From owner-firewalls-outgoing Sun Apr 13 04:52:24 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA27599 for firewalls-outgoing; Sun, 13 Apr 1997 04:43:21 -0700 (PDT) Received: from netuse.de (nuki.netuse.de [193.98.110.1]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id EAA27592 for ; Sun, 13 Apr 1997 04:43:15 -0700 (PDT) Received: by netuse.de (8.8.5/SMI-SVR4) id NAA12501; Sun, 13 Apr 1997 13:42:30 +0200 (MET DST) >Received: from black.koehntopp.de by white.koehntopp.de with smtp (Smail3.1.29.0 #3) id m0wGNfE-0008txC; Sun, 13 Apr 97 13:41 MET DST Received: from black.koehntopp.de by white.koehntopp.de with smtp (Smail3.1.29.0 #3) id m0wGNfE-0008txC; Sun, 13 Apr 97 13:41 MET DST Received: by black.koehntopp.de (Smail3.1.29.0 #3) id m0wGNf7-000JE7C; Sun, 13 Apr 97 13:41 MET DST Received: by NeXT.Mailer (1.118.2) Message-Id: MIME-Version: 1.0 (NeXT Mail 3.3 v118.2) X-Nextstep-Mailer: Mail 3.3 (Enhance 1.0) From: =?ISO-8859-1?Q?Kristian_K=F6hntopp?= Date: Sun, 13 Apr 97 13:41:31 +0200 To: firewalls@greatcircle.com Subject: SSL and HTTP filtering Content-Type: text/plain Sender: 
firewalls-owner@GreatCircle.COM
Precedence: bulk

Can SSLed HTTP connections be filtered based on URL or page content? Is it possible to proxy SSLed connections in any form?

Assuming it is possible to proxy SSLed connections, given for example a school setup where one HTTP proxy bundles and filters all outbound and inbound traffic: Is it possible to a) suppress access to certain URLs and b) to filter out for example certain applets or images from incoming pages? Which products can do such a thing?

Assuming it is possible to proxy SSLed connections: Does the user have a choice or is the user notified that the connection is being proxied and what are the security implications of proxied SSL connections with regard to password gathering, faked responses and/or host spoofing?

Kristian

From owner-firewalls-outgoing Sun Apr 13 06:22:23 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA03545 for firewalls-outgoing; Sun, 13 Apr 1997 06:10:17 -0700 (PDT)
Received: from wizard.abirnet.co.il (wizard.abirnet.co.il [194.90.211.10]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id GAA03536 for ; Sun, 13 Apr 1997 06:10:12 -0700 (PDT)
Received: from ziv.abirnet.co.il (z1.abirnet.co.il [194.90.211.21]) by wizard.abirnet.co.il (8.7.6/8.7.3) with SMTP id QAA23954 for ; Sun, 13 Apr 1997 16:09:22 +0300
Date: Sun, 13 Apr 97 16:07:24 Israel Daylight Time
From: Ziv Dascalu
Subject: Internet Security Review
To: firewalls@greatcircle.com
X-Mailer: Chameleon ATX 6.0, Standards Based IntraNet Solutions, NetManage Inc.
X-Priority: 3 (Normal)
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

Has anyone heard of "Internet Security Review" http://www.isr.net
Has anyone read any of their firewalls and internet security reviews?
/Ziv /~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\ | A B I R N E T Active Network Protection http://www.AbirNet.com | \~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~/ From owner-firewalls-outgoing Sun Apr 13 06:37:15 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA03520 for firewalls-outgoing; Sun, 13 Apr 1997 06:08:33 -0700 (PDT) Received: from mail.baileynm.com (fw.baileynm.com [206.109.159.11]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id GAA03512 for ; Sun, 13 Apr 1997 06:08:28 -0700 (PDT) Received: (qmail 15604 invoked from smtpd); 13 Apr 1997 13:07:16 -0000 Received: from web.nmti.com (root@198.178.0.201) by fw.nmti.com with SMTP; 13 Apr 1997 13:07:16 -0000 Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id IAA01734; Sun, 13 Apr 1997 08:07:15 -0500 Received: by sonic.nmti.com; id AA28830; Sun, 13 Apr 1997 08:08:12 -0500 From: peter@baileynm.com (Peter da Silva) Message-Id: <9704131308.AA28830@sonic.nmti.com.nmti.com> Subject: Re: IPSEC / IPV6 and Firewalls & Network Security To: mjr@clark.net Date: Sun, 13 Apr 1997 08:08:12 -0500 (CDT) Cc: Firewalls@GreatCircle.COM In-Reply-To: <199704122313.TAA10898@mail.clark.net> from "Marcus J. Ranum" at Apr 12, 97 07:17:23 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > As I get older and less sane, I am increasingly convinced (or > convincing myself) that IPSEC won't buy us anything worth the price > we are going to pay in having to upgrade our systems. Bigger address space? That's the thing that's really pushing IPV6, the encryption stuff is just coming along for the ride... and I agree, it's not that useful in the Internet, though it'll finally give us a universal protocol for crypto tunneling between firewalls. That's not a bad thing. 

From owner-firewalls-outgoing Sun Apr 13 06:52:19 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA05694 for firewalls-outgoing; Sun, 13 Apr 1997 06:44:39 -0700 (PDT)
Received: from relay3.jaring.my (relay3.jaring.my [192.228.128.13]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id GAA05667 for ; Sun, 13 Apr 1997 06:44:28 -0700 (PDT)
Received: from extol.extol.my (j19.ptl33.jaring.my [161.142.114.93]) by relay3.jaring.my (8.6.13/8.6.12) with SMTP id VAA28971; Sun, 13 Apr 1997 21:43:05 +0800
Message-ID: <3350F4C8.3F87@pc.jaring.my>
Date: Sun, 13 Apr 1997 21:59:20 +0700
From: Peng Chiew
X-Mailer: Mozilla 3.0 (Win95; I)
MIME-Version: 1.0
To: Ziv Dascalu
CC: firewalls@GreatCircle.COM
Subject: Re: Internet Security Review
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Ziv Dascalu wrote:
> Has anyone heard of "Internet Security Review" http://www.isr.net
> Has anyone read any of their firewalls and internet security reviews?

I'm not too impressed with their response time. In order to read their pages, you need to register (free) BUT, they take a pretty long time to reply. I've emailed my registration for over a week and until today, no reply at all.

Sorry I can't answer your question, BUT if we guys can't get in, how can we tell whether it's good? :(

ciao!

From owner-firewalls-outgoing Sun Apr 13 07:07:28 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA04390 for firewalls-outgoing; Sun, 13 Apr 1997 06:30:54 -0700 (PDT)
Received: from wizard.abirnet.co.il (wizard.abirnet.co.il [194.90.211.10]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id GAA04368 for ; Sun, 13 Apr 1997 06:30:33 -0700 (PDT)
Received: from ziv.abirnet.co.il (z1.abirnet.co.il [194.90.211.21]) by wizard.abirnet.co.il (8.7.6/8.7.3) with SMTP id QAA24086; Sun, 13 Apr 1997 16:29:49 +0300
Date: Sun, 13 Apr 97 16:29:04 Israel Daylight Time
From: Ziv Dascalu
Subject: Re: FTP questions
To: "'firewalls@greatcircle.com'" , "Kohn, Joav"
X-Mailer: Chameleon ATX 6.0, Standards Based IntraNet Solutions, NetManage Inc.
X-Priority: 3 (Normal)
References: <0C673F68C3A0D011A94208002BE526253497@usbgrexch01.us.landisstaefa.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

--- On Fri, 11 Apr 1997 11:13:04 -0500 "Kohn, Joav" wrote:
> a desperate plea for help.
>
> i've tried to set port screening on a choke router between my firewall
> and my internal network, but now ftp doesn't work.
>
> on the router both ports 20 (ftp-data) and 21 (ftp) are open, but when i
> connect to any ftp site, i can't issue any commands (ie. ls). log-on,
> however, is working.
>
> i am perplexed, to say the least.
>
> any ideas?
>
> -joav kohn
> landis & staefa

it may be that the FTP data port is not using port 20 but it is using a port which is more than 1024

/ZIv
/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\
| A B I R N E T Active Network Protection http://www.AbirNet.com |
\~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~/

From owner-firewalls-outgoing Sun Apr 13 07:17:31 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA04271 for firewalls-outgoing; Sun, 13 Apr 1997 06:29:00 -0700 (PDT)
Received: from wizard.abirnet.co.il (wizard.abirnet.co.il [194.90.211.10]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id GAA04264 for ; Sun, 13 Apr 1997 06:28:53 -0700 (PDT)
Received: from ziv.abirnet.co.il (z1.abirnet.co.il [194.90.211.21]) by wizard.abirnet.co.il (8.7.6/8.7.3) with SMTP id QAA24075; Sun, 13 Apr 1997 16:28:01 +0300
Date: Sun, 13 Apr 97 16:27:16 Israel Daylight Time
From: Ziv Dascalu
Subject: RE: Apology (fwd)
To: jamestan@ncb.gov.sg, Security Mail Account
Cc: firewalls@GreatCircle.COM
X-Mailer: Chameleon ATX 6.0, Standards Based IntraNet Solutions, NetManage Inc.
X-Priority: 3 (Normal)
References:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

--- On Sat, 12 Apr 1997 04:04:54 +0800 (SST) Security Mail Account wrote:
>
>
> ---------- Forwarded message ----------
> Date: Fri, 11 Apr 1997 01:07:05 +0800
> From:James_TAN@lms.ncb.gov.sg
> To: security@ncb.gov.sg
> Subject: RE: Apology
>
> owner-firewalls-outgoing@GreatCircle.COM on 04/11/97 01:04:36 AM
> Please respond to owner-firewalls-outgoing@GreatCircle.COM @ SMTP
>
> To: firewalls@GreatCircle.COM @ SMTP
> cc:
> Subject: RE: Apology
>
>
> Is there a good email address filter that
> works on Win 95?
I do not know about the rest
> of the list but I would like to put something in
> place to always automatically delete messages
> from Stuart Johnson. Any help is welcome! The
> sooner the better, before he answers this message.
>
> Jon Tegethoff

---------------End of Original Message-----------------

Hi,

look at netmanage zmail mail rules settings

/Ziv
/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\
| A B I R N E T Active Network Protection http://www.AbirNet.com |
\~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~/

From owner-firewalls-outgoing Sun Apr 13 07:52:24 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA15318 for firewalls-outgoing; Sun, 13 Apr 1997 07:48:12 -0700 (PDT)
Received: from pdx1.world.net (pdx1.world.net [192.243.32.18]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id HAA15290 for ; Sun, 13 Apr 1997 07:48:04 -0700 (PDT)
From: proff@suburbia.net
Received: from suburbia.net (suburbia.net [203.4.184.1]) by pdx1.world.net (8.7.5/8.7.3) with SMTP id HAA05452 for ; Sun, 13 Apr 1997 07:49:50 -0700 (PDT)
Received: (qmail 23000 invoked by uid 110); 13 Apr 1997 14:20:03 -0000
Message-ID: <19970413142003.22999.qmail@suburbia.net>
Subject: [ANNOUNCE]: ipfilter for FreeBSD2.2.x + FreeBSD3.0-current
To: firewalls@greatcircle.com
Date: Mon, 14 Apr 1997 00:20:03 +1000 (EST)
Cc: best-of-security@suburbia.net
X-Mailer: ELM [version 2.4ME+ PL28 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Darren Reed and contributors' excellent firewall software, ipfilter is now available for FreeBSD2.2/3.0-current.

The IP packet filter can:

o explicitly deny/permit any packet from passing through
o distinguish between various interfaces
o filter by IP networks or hosts
o selectively filter any IP protocol
o selectively filter fragmented IP packets
o selectively filter packets with IP options.
o send back an ICMP error/TCP reset for blocked packets
o keep packet state information for TCP, UDP and ICMP packet flows.
o keep fragment state information for any IP packet, applying the same rule to all fragments.
o act as a Network Address Translator (NAT)
o use redirection to setup true transparent proxy connections.

Special provision is made for the three most common Internet protocols, TCP, UDP and ICMP. The IP Packet filter allows filtering of:

o TCP/UDP packets by port number or a port number range
o ICMP packets by type/code
o "established" TCP packets
o on any arbitrary combination of TCP flags
o "short" (fragmented) IP packets with incomplete headers can be filtered
o any of the 19 IP options or 8 registered IP security classes
o TOS (Type of Service) field in packets

FreeBSD version available from:

ftp://suburbia.net/pub/proff/ipfilter-proff-final2.shar.gz
ftp://ftp.freebsd.org/pub/FreeBSD/incoming/ipfilter-proff-final2.shar.gz

Original:

http://cheops.anu.edu.au/~avalon

Note that while I (Julian Assange) have fixed various bugs originally found in ipfilter3.2a4, I don't guarantee that this version is bug free, and Darren certainly doesn't, not having had an opportunity to test my changes fully.

-Julian

# The archive contains:
#
# ipfilter-proff-README
# sys-ipfilter-proff-2.2.1.diff
# sys-ipfilter-proff-current-970411.diff
# lkm/if_ipf
# lkm/if_ipf/Makefile
# sbin/ipf
# sbin/ipf/ipfstat
# sbin/ipf/ipfstat/Makefile
# sbin/ipf/ipftest
# sbin/ipf/ipftest/Makefile
# sbin/ipf/Makefile
# sbin/ipf/Makefile.inc
# sbin/ipf/mkfilters
# sbin/ipf/mkfilters/Makefile
# sbin/ipf/ipf
# sbin/ipf/ipf/Makefile
# sbin/ipf/ipmon
# sbin/ipf/ipmon/Makefile
# sbin/ipf/ipnat
# sbin/ipf/ipnat/Makefile
# contrib-sys
# contrib-sys/ipfilter
# contrib-sys/ipfilter/cflow
# contrib-sys/ipfilter/snoop.h
# contrib-sys/ipfilter/man
# [..]

Unpack the new source trees and patch files:

root@paranoia# cd /usr
root@paranoia# unshar ; Sun, 13 Apr 1997 08:51:33 -0700 (PDT)
Received: from localhost (jk@localhost) by nebula.online.ee (8.8.3/8.8.3) with SMTP id SAA11377 for ; Sun, 13 Apr 1997 18:50:47 +0300 (EET DST)
Date: Sun, 13 Apr 1997 18:50:46 +0300 (EET DST)
From: Jyri Kaljundi
X-Sender: jk@nebula
To: Firewalls@GreatCircle.COM
Subject: Re: Secure Email Client packages
In-Reply-To: <199704100800.BAA19727@honor.greatcircle.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=ISO-8859-1
Content-Transfer-Encoding: QUOTED-PRINTABLE
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I believe there are two things for S/MIME to be used as a standard. It must be available on Unix mail programs (elm, pine, mailtool, whatever) or even better as a command-line utility. It must be available as a public domain package like PGP is. And what is more important: it must come from free world and from USA.
People outside US will never use weak easily breakable crypto programs, meaning that Netscape and Microsoft and PGP can just forget their software.

Jüri Kaljundi
jk@stallion.ee
http://www.stallion.ee/

From owner-firewalls-outgoing Sun Apr 13 13:58:16 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA05904 for firewalls-outgoing; Sun, 13 Apr 1997 13:49:36 -0700 (PDT)
Received: from proxy1.ba.best.com (proxy1.ba.best.com [206.184.139.12]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id NAA05895 for ; Sun, 13 Apr 1997 13:49:30 -0700 (PDT)
Received: from [204.156.153.118] ([204.156.153.118]) by proxy1.ba.best.com (8.8.5/8.8.3) with ESMTP id NAA22771 for ; Sun, 13 Apr 1997 13:47:44 -0700 (PDT)
X-Sender: mblakele@pop
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sun, 13 Apr 1997 13:47:29 -0700
To: firewalls@greatcircle.com
From: Camille Blakeley
Subject: smap troubles resolved
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hurray! Thank you to everyone who helped. There were a couple of problems (as I suspected), obvious ones at that. To start with, I had not configured my firewall.h right and the system was looking in the wrong place for the netperm-table. The other was I had not put smapd into the rc2.d directory, even though I had remembered to take sendmail out. Works like a charm, now.

Again thank you to all.

Camille Blakeley
__________________________________________________

I know I must be missing something obvious, but I can't figure it out. I've searched all the FAQs and archives I could find. Anyway....

I am running under Solaris 2.5.1 and running sendmail 8.8.5. I downloaded the latest version of FWTK and installed it on the system. I am only trying to run smap, I don't have a need for any of the other tools at this time.
I've configured smap (that is the netperm-table) and set up my inetd.conf exactly like the manual says (for smap) and it still doesn't work. I am way stumped. What happens is, when any outside host connects to port 25, it connects and then gets the connection closed by remote host. I can email internally on the box and outgoing works just fine, it's just incoming that dies.

Any ideas? what am I missing? Any help would be greatly appreciated. Please reply to camille_blakeley@idg.com, I will summarize.

Thanks
Camille Blakeley

Camille Blakeley (camille@blakeley.com)

From owner-firewalls-outgoing Sun Apr 13 14:56:14 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA01638 for firewalls-outgoing; Sun, 13 Apr 1997 14:54:53 -0700 (PDT)
Received: from arup.com (ove.arup.com [193.116.20.1]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id OAA01603 for ; Sun, 13 Apr 1997 14:54:40 -0700 (PDT)
Received: by arup.com (4.1/UNIPALM-V1.3mjr@arup.com) id AA10887; Sun, 13 Apr 97 22:53:53 BST
Received: from a_csun01.arup.com(69.69.11.1) by ove via smap (V1.3mjr) id sma010877; Sun Apr 13 22:53:37 1997
Received: from (a_csun14) by arupuk (4.1/SMI-4.1) id AA19105; Sun, 13 Apr 97 22:53:35 BST
Received: from arup.com by (4.1/SMI-4.1) id AA28266; Sun, 13 Apr 97 22:50:13 BST
Received: from comms-Message_Server by arup.com with Novell_GroupWise; Sun, 13 Apr 1997 22:50:12 +0000
Message-Id:
X-Mailer: Novell GroupWise 4.1
Date: Sun, 13 Apr 1997 21:47:03 +0000
From: Scott Fagg
To: firewalls@greatcircle.com
Subject: Re: Microsoft Explorer -Reply
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I heard it could erase your CD-ROMS!

The suggestion to turn this into a moderated list seems like an appropriate move, at least to keep out the junk and personal stuff. Some of the 'off-topic' stuff is not that bad, and usually educational.
>>> Mike Johnson 12/April/1997 05:28am >>> Ashram Beachoo wrote: > > I've heard that the new fixes released for Microsoft Explorer allow > your hard drive to be scanned when the program is idle and detects any > Microsoft products that are unregistered.It then relays the info to > Microsoft who deal with the info appropriately. It does this and more! It will search for any credit card numbers you may have written to a file on your machine, debit your account, and install automatically the newest version of Microsoft software, and delete any old copies of the program. Also, be careful if you have Netscape Navigator on your machine, it will delete that and replace it with a virus infected executable. Or, that's what I've heard... > Can someone shed some light on this for me? Done. > Ashram Beachoo > Computer Software Technician > > swamie@usa.net Mike Johnson mike.johnson@rtp.gtegsc.com GTE Government Systems All opinions are mine, not GTE's. From owner-firewalls-outgoing Sun Apr 13 16:26:13 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id QAA06887 for firewalls-outgoing; Sun, 13 Apr 1997 16:17:07 -0700 (PDT) Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id QAA06872 for ; Sun, 13 Apr 1997 16:17:00 -0700 (PDT) Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id SAA09013; Sun, 13 Apr 1997 18:12:33 -0500 (EST) From: Adam Shostack Message-Id: <199704132312.SAA09013@homeport.org> Subject: Re: IPSEC / IPV6 and Firewalls & Network Security In-Reply-To: <9704131308.AA28830@sonic.nmti.com.nmti.com> from Peter da Silva at "Apr 13, 97 08:08:12 am" To: peter@baileynm.com (Peter da Silva) Date: Sun, 13 Apr 1997 18:12:33 -0500 (EST) Cc: mjr@clark.net, Firewalls@GreatCircle.COM X-Mailer: ELM [version 2.4ME+ PL27 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM 
Precedence: bulk

This may be a nit, but since IPsec is defined for IPv4 as well, so I agree with the original poster, who said IPsec won't buy us anything worth the price.

It's nice to see that we'll have some level of security for sessions, in increasing the difficulty of hijacking sessions and forging IP packets for SYN attacks. It's also nice to see authentication & confidentiality separated out. However, until we have a key management system that resists attack, it won't do a whole heck of a lot of good. Fortunately, pgp keys are pretty widely spread, and I expect real bootstrapping will happen from there.)

Adam

Peter da Silva wrote:
| > As I get older and less sane, I am increasingly convinced (or
| > convincing myself) that IPSEC won't buy us anything worth the price
| > we are going to pay in having to upgrade our systems.
|
| Bigger address space? That's the thing that's really pushing IPV6, the
| encryption stuff is just coming along for the ride... and I agree, it's
| not that useful in the Internet, though it'll finally give us a universal
| protocol for crypto tunneling between firewalls. That's not a bad thing.

--
"It is seldom that liberty of any kind is lost all at once." -Hume

From owner-firewalls-outgoing Sun Apr 13 17:26:44 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA09961 for firewalls-outgoing; Sun, 13 Apr 1997 17:14:00 -0700 (PDT)
Received: from adn.edu.ph (sili.adn.edu.ph [165.220.57.2]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id RAA09946 for ; Sun, 13 Apr 1997 17:13:51 -0700 (PDT)
Received: from localhost (jonats@localhost) by adn.edu.ph (8.7.5/8.7.3) with SMTP id HAA07995 for ; Mon, 14 Apr 1997 07:29:07 +0800
Date: Mon, 14 Apr 1997 07:29:07 +0800 (PST)
From: JoNaTHaN aRCiLLa
To: firewalls@GreatCircle.COM
Subject: Proxy Servers
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi!

We're starting with the implementation of a firewall in our campus LAN. I've just gotten through installing the basic "hardware" firewall setup, as based on the Firewall-HOWTO. I read everything including the instructions on setting up socks to work with it. However, i'm having trouble deciding what software to use on our proxy server.

Aside from the mention of sockd in the HOWTO, i've also heard of different proxy softwares such as squid, TIS fwtk and kerberos. What are these softwares for? How do they differ? And can somebody please suggest a good FREE software for us?

Another thing, how do these softwares differ from the ipfw in linux? By the way, we're running linux and FreeBSD on our servers.

Can somebody please give me light on this? Thanks very much in advance... and forgive me if this all sounds too elementary.

-aTaN-

From owner-firewalls-outgoing Sun Apr 13 18:11:40 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id SAA13628 for firewalls-outgoing; Sun, 13 Apr 1997 18:08:07 -0700 (PDT)
Received: from rara.kotel.co.kr (rara.kotel.co.kr [147.6.30.7]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id SAA13609 for ; Sun, 13 Apr 1997 18:07:49 -0700 (PDT)
Received: (from cgkim@localhost) by rara.kotel.co.kr (8.8.5/8.8.5) id KAA04585 for firewalls@GreatCircle.COM; Mon, 14 Apr 1997 10:08:48 +0900 (KST)
From: Kim
Message-Id: <199704140108.KAA04585@rara.kotel.co.kr>
Subject: collision rate on fw interfaces ?
To: firewalls@GreatCircle.COM
Date: Mon, 14 Apr 1997 10:08:47 +0900 (JST)
X-Mailer: ELM [version 2.4 PL21-h4]
MIME-Version: 1.0
Content-Type: text/plain; charset=EUC-KR
Content-Transfer-Encoding: 8bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We are running fw machine in the following configuration.

T1x2 10M ----- RouterA ----(le1)FW(le0) ---------RouterB-----Internal | | | machines

While reading "System Performance Tuning" book, I mimicked a small script to detect collision rate during some interval. It showed 40 - 50 % collision rate (Collision/Out pkts * 100 ) in interface le0 and under 1 % in le1.

I was shocked and will attach le0 to the RouterB directly without machines to that subnet. Am I doing right? Can I get a performance gain? I am thinking the bottleneck is the Internet line not the collisions itself.

Any opinions will be appreciated. Thank you.

- Kim.

From owner-firewalls-outgoing Sun Apr 13 18:56:10 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id SAA16404 for firewalls-outgoing; Sun, 13 Apr 1997 18:47:17 -0700 (PDT)
Received: from ptc.pk ([203.135.1.2]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with SMTP id SAA16381 for ; Sun, 13 Apr 1997 18:47:08 -0700 (PDT)
Received: from mahmud.com by ptc.pk (SMI-8.6/SMI-SVR4) id GAA29113; Mon, 14 Apr 1997 06:44:03 -0500
Message-Id: <199704141144.GAA29113@ptc.pk>
Comments: Authenticated sender is
From: "MAHMUDS"
To: firewalls@greatcircle.com
Date: Mon, 14 Apr 1997 06:44:09 +0000
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: (Fwd) TCPIP LITERARTURE
Reply-to: misaq@ibm.net
X-mailer: Pegasus Mail for Win32 (v2.42a)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Can anybody provide site addresses where i can dl info about tcpip for my paper

From owner-firewalls-outgoing Sun Apr 13 21:11:42 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id VAA23115 for firewalls-outgoing; Sun, 13 Apr 1997 21:10:01 -0700 (PDT)
Received: from info.curtin.edu.au (info.curtin.edu.au [134.7.70.222]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id VAA23105 for ; Sun, 13 Apr 1997 21:09:54 -0700 (PDT)
Received: from macros.cage.curtin.edu.au (macros.cage.curtin.edu.au
[134.7.135.11]) by info.curtin.edu.au (8.8.5/8.8.5) with SMTP id MAA17058 for ; Mon, 14 Apr 1997 12:09:07 +0800 (WST) Received: from MACROS/SMTPQUEUE by macros.cage.curtin.edu.au (Mercury 1.11); Mon, 14 Apr 97 12:09:06 +800 Received: from SMTPQUEUE by MACROS (Mercury 1.11); Mon, 14 Apr 97 12:08:37 +800 Received: from [134.7.108.29] by macros.cage.curtin.edu.au (Mercury 1.11); Mon, 14 Apr 97 12:08:23 +800 X-Sender: watsonb@macros.cage.curtin.edu.au Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Mon, 14 Apr 1997 12:09:58 +0800 To: firewalls@GreatCircle.COM From: Bret Watson Subject: (slightly off topic) Port 855 - usage? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk We are auditing at a fairly simple system. There is a router external to the network that handle two incoming lines to the network. It is a 3com (don't have the model number). It has the usual management port with telnet access. It also has a port at 855 that presents just a prompt when telnetted to. Anyone know what it is there for? Is it a possible risk? Yours sincerely, Bret Watson Bret Watson & Associates, Computer Security Consultants Bret.Watson@bwa.net http://www.bwa.net/ Phone: +61 41 4411 149 (local time UTC +8) Fax: +61 9 454 6042 From owner-firewalls-outgoing Sun Apr 13 21:26:16 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id UAA22730 for firewalls-outgoing; Sun, 13 Apr 1997 20:55:48 -0700 (PDT) Received: from mail.clark.net (mail.clark.net [168.143.0.10]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id UAA22696 for ; Sun, 13 Apr 1997 20:55:29 -0700 (PDT) Received: from mjr.clark.net (mjr.clark.net [168.143.19.61]) by mail.clark.net (8.8.5/8.6.5) with SMTP id XAA24857; Sun, 13 Apr 1997 23:54:31 -0400 (EDT) Message-Id: <199704140354.XAA24857@mail.clark.net> Comments: Authenticated sender is From: "Marcus J. Ranum" Organization: Network Flight Recorder, Inc. 
To: Adam Shostack
Date: Sun, 13 Apr 1997 23:58:02 +0000
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: IPSEC / IPV6 and Firewalls & Network Security
Reply-to: mjr@clark.net
CC: Firewalls@GreatCircle.COM
In-reply-to: <199704132312.SAA09013@homeport.org>
References: <9704131308.AA28830@sonic.nmti.com.nmti.com> from Peter da Silva at "Apr 13, 97 08:08:12 am"
X-mailer: Pegasus Mail for Win32 (v2.53/R1)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> It's nice to see that we'll have some level of security for
> sessions, in increasing the difficulty of hijacking sessions and
> forging IP packets for SYN attacks.

Session hijacking and snooping is easily solved at an application level. We do it today with SSL and ssh and whatnot and it works great. Changing to a secure protocol to fix something that applications can do easier, faster, and with more appropriate granularity is silly.

SYN flooding's another story but I don't think anything can really "solve" denial of service. The arithmetic of denial of service is the same as terrorism: the good guys can't watch all the possible points of attack. Unless the good guys become terrorists (or "counter terrorists" is the nicer term) they lose.

> It's also nice to see
> authentication & confidentiality separated out.

Again, applications do this better than kernels... The original designers of UNIX had it right. :)

> However, until we
> have a key management system that resists attack

...attack from hackers OR from governments. "We're from the government and we're here to help" scares me more than "w3'r3 33l33t && dissin' y0u!"

mjr.
-----
Marcus J. Ranum, Network Flight Recorder, Inc.
Personal: http://www.clark.net/pub/mjr Work: http://www.nfr.net From owner-firewalls-outgoing Sun Apr 13 21:41:45 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id VAA22917 for firewalls-outgoing; Sun, 13 Apr 1997 21:00:40 -0700 (PDT) Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id VAA22898 for ; Sun, 13 Apr 1997 21:00:29 -0700 (PDT) Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id WAA10043; Sun, 13 Apr 1997 22:57:19 -0500 (EST) From: Adam Shostack Message-Id: <199704140357.WAA10043@homeport.org> Subject: Re: IPSEC / IPV6 and Firewalls & Network Security In-Reply-To: from Russ at "Apr 13, 97 02:54:03 am" To: Russ.Cooper@RC.on.ca (Russ) Date: Sun, 13 Apr 1997 22:57:19 -0500 (EST) Cc: firewalls@GreatCircle.COM, mjr@clark.net X-Mailer: ELM [version 2.4ME+ PL27 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This strikes me as the Wrong Optimization. Working with the Crypto++ benchmarks at http://www.eskimo.com/~weidai/benchmarks.txt, we see that an RSA operation takes 136 ms (all numbers on a P120). Call that 1/8th of a second. The Rc4 implementation in the same library can handle 5335359 bytes per second. In 1/8th of a second, you get roughly 667,000 bytes of bulk encryption. Add in the hmac that SSL does, at about 10mbytes per second, and you can do 1.25mb in 1/8 of a second. So, in the time it takes to do one RSA decrypt for the SSL key negotiation, you could bulk encrypt and authenticate about 200,000 bytes of data. In terms of getting speed, I like what V-One has done with their challenge response thing. I just wish they'd name & publish the protocols. (You use about 5 des encryptions per side. Zippy.) Adam Russ wrote: | re: getting rid of plain-text passwords. 
| | It was my understanding that there was a proposal at one point to have | SSL 3.0 be able to dynamically negotiate its encryption level during a | session. This would have permitted an application to use SSL during its | authentication sequence, and then drop down to completely unencrypted | for the data sequence. This would have had the benefit of providing | encryption for password authentication but alleviate the overhead of SSL | during data communications. If this had been adopted, it would have been | a fairly easy way of getting rid of plain-text passwords. | | Unfortunately, its my understanding that this has not been accepted for | inclusion in SSL 3.0. -- "It is seldom that liberty of any kind is lost all at once." -Hume From owner-firewalls-outgoing Sun Apr 13 21:56:14 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id VAA23275 for firewalls-outgoing; Sun, 13 Apr 1997 21:13:55 -0700 (PDT) Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id VAA23268 for ; Sun, 13 Apr 1997 21:13:48 -0700 (PDT) Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id XAA10143; Sun, 13 Apr 1997 23:10:20 -0500 (EST) From: Adam Shostack Message-Id: <199704140410.XAA10143@homeport.org> Subject: Re: IPSEC / IPV6 and Firewalls & Network Security In-Reply-To: <199704140354.XAA24857@mail.clark.net> from "Marcus J. Ranum" at "Apr 13, 97 11:58:02 pm" To: mjr@clark.net Date: Sun, 13 Apr 1997 23:10:20 -0500 (EST) Cc: adam@homeport.org, Firewalls@GreatCircle.COM X-Mailer: ELM [version 2.4ME+ PL27 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Marcus J. Ranum wrote: | > Its nice to see that we'll have some level of security for | > sessions, in increasing the difficulty of hijacking sessions and | > forging IP packets for SYN attacks. 
|
| Session hijacking and snooping is easily solved at an
| application level. We do it today with SSL and ssh and
| whatnot and it works great. Changing to a secure protocol
| to fix something that applications can do easier, faster,
| and with more appropriate granularity is silly.

Fix the foundations, not the buildings. TCP should provide a reliable stream connection, and I think I can make the argument that part of reliable in today's world is authentication. (Not end point authentication, simply "here's my key, now let's exchange packets." Unauthenticated Diffie-Hellman gets you that, even with the MITM attacks. It makes 90+% of TODAY'S hijacking go away, which is good.)

If you 'fix' applications, I have to replace all my applications. The impossibility of doing this is a big part of "why firewalls."

| SYN flooding's another story but I don't think anything can
| really "solve" denial of service. The arithmetic of denial
| of service is the same as terrorism: the good guys can't
| watch all the possible points of attack. Unless the good
| guys become terrorists (or "counter terrorists" is the
| nicer term) they lose.

That's true, but we can apply evolutionary pressure to the bad guys at the same time as they're applying it to us. The fact that you can't win doesn't mean that resistance is futile. You can maintain a holding action. Raising the bar is a generally good thing, even if you can't raise it high enough.

| > It's also nice to see
| > authentication & confidentiality separated out.
|
| Again, applications do this better than kernels... The
| original designers of UNIX had it right. :)

I agree in principle, but putting security somewhere I can muck with it external to an application is useful. The IP stack is one reasonable place. Outside it is also reasonable.

| > However, until we
| > have a key management system that resists attack
|
| ...attack from hackers OR from governments. "We're from the
| government and we're here to help" scares me more than
| "w3'r3 33l33t && dissin' y0u!"

Is that because you know the people who talk like that have root on government systems? :)

Adam

--
"It is seldom that liberty of any kind is lost all at once." -Hume

From owner-firewalls-outgoing Sun Apr 13 22:56:10 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id WAA03479 for firewalls-outgoing; Sun, 13 Apr 1997 22:42:43 -0700 (PDT)
Received: from neon.ingenia.ca (neon.ingenia.ca [205.207.220.57]) by honor.greatcircle.com (8.8.5/Honor-970308-1) with ESMTP id WAA03472 for ; Sun, 13 Apr 1997 22:42:38 -0700 (PDT)
Received: (from shaver@localhost) by neon.ingenia.ca (8.8.5/8.7.3) id AAA22125; Mon, 14 Apr 1997 00:43:45 -0400
From: Mike Shaver
Message-Id: <199704140443.AAA22125@neon.ingenia.ca>
Subject: Re: IPSEC / IPV6 and Firewalls & Network Security
In-Reply-To: <199704140410.XAA10143@homeport.org