From owner-firewalls-outgoing Thu May 1 00:43:04 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA25536 for firewalls-outgoing; Wed, 30 Apr 1997 23:52:12 -0700 (PDT)
Received: from palrel1.hp.com (palrel1.hp.com [15.253.72.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id XAA25514; Wed, 30 Apr 1997 23:52:04 -0700 (PDT)
From: CHRISTIAN_STAHL@HP-Denmark-om1.om.hp.com
Received: from stamp.brussels.hp.com (stamp.brussels.hp.com [15.184.0.125]) by palrel1.hp.com with ESMTP (8.7.5/8.7.3) id XAA28941; Wed, 30 Apr 1997 23:53:35 -0700 (PDT)
Received: from by stamp.brussels.hp.com with SMTP (1.37.109.16/15.5+ECS 3.4 Openmail) id AA272859613; Thu, 1 May 1997 08:53:33 +0200
X-Openmail-Hops: 1
Date: Thu, 1 May 97 08:52:50 +0200
Message-Id:
In-Reply-To: <331527D9.3281@chipnet.cz>
Subject: MS NetMeeting 2.0 and Raptor Eagle vers. 4.0
Mime-Version: 1.0
To: firewalls@GreatCircle.COM, firewalls-owner@GreatCircle.COM
Cc: STAHL_CHRISTIAN/HP-Denmark_om1@stamp.brussels.hp.com
Content-Type: text/plain; charset=US-ASCII; name="MS"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hey everybody,

Does anyone know how to set up Raptor Eagle version 4.0, running on NT 4.0, to MS NetMeeting?

I hope that someone can help me.
Best Regards
Christian Stahl

From owner-firewalls-outgoing Thu May 1 00:46:14 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA18106 for firewalls-outgoing; Wed, 30 Apr 1997 23:15:49 -0700 (PDT)
Received: from reflections.eng.mindspring.net (reflections.eng.mindspring.net [207.69.183.9]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id XAA18062 for ; Wed, 30 Apr 1997 23:15:30 -0700 (PDT)
Received: (qmail 14338 invoked by uid 514); 1 May 1997 06:17:01 -0000
Date: Thu, 1 May 1997 02:17:01 -0400 (EDT)
From: Todd Graham Lewis
To: Sean McPherson
cc: firewalls@greatcircle.com
Subject: Re: NT vs Linux IP Performance
In-Reply-To: <199704301218.IAA28974@ha1.ntr.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 30 Apr 1997, Sean McPherson wrote:

> Just wanted to ask what you thought about the server running
> a PCMCIA card. How much does this figure in? A lot of NT drivers for
> PCMCIA seem to be crap, so I wasn't sure how to take this info :)

Yeah, I did sort of overlook that in my comments. If the driver is crap, then it's obviously not a fair test. You might want to try something standard like an SMC. (I would say 3com, but you want something both standard and decent.
8^)

__
Todd Graham Lewis MindSpring Enterprises tlewis@mindspring.com

From owner-firewalls-outgoing Thu May 1 01:19:55 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA20291 for firewalls-outgoing; Wed, 30 Apr 1997 23:26:56 -0700 (PDT)
Received: from reflections.eng.mindspring.net (reflections.eng.mindspring.net [207.69.183.9]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id XAA20266 for ; Wed, 30 Apr 1997 23:26:49 -0700 (PDT)
Received: (qmail 14397 invoked by uid 514); 1 May 1997 06:28:19 -0000
Date: Thu, 1 May 1997 02:28:19 -0400 (EDT)
From: Todd Graham Lewis
To: Chris Pugrud
cc: Firewalls Mailing list
Subject: RE: NT vs Linux FTP Performance
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 30 Apr 1997, Chris Pugrud wrote:

> If I get really bored I will build a 100BT crossover cable and test a
> little more formally.

I'd love to see those numbers.

> I felt that filling a 10BT pipe was more than adequate because this is a
> firewalls forum and most of us do not have the joy of T3 or better
> connections.

Speak for yourself. 8^)

> I apologize for adding to already poor S/N ratio on the firewalls list.

No problem from this end; signal just fine.
__
Todd Graham Lewis MindSpring Enterprises tlewis@mindspring.com

From owner-firewalls-outgoing Thu May 1 01:24:27 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA17963 for firewalls-outgoing; Wed, 30 Apr 1997 23:14:39 -0700 (PDT)
Received: from reflections.eng.mindspring.net (reflections.eng.mindspring.net [207.69.183.9]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id XAA17936 for ; Wed, 30 Apr 1997 23:14:32 -0700 (PDT)
Received: (qmail 14333 invoked by uid 514); 1 May 1997 06:16:00 -0000
Date: Thu, 1 May 1997 02:16:00 -0400 (EDT)
From: Todd Graham Lewis
To: Darren Reed
cc: arager@mcgraw-hill.com, firewalls@GreatCircle.COM
Subject: Re: NT vs Linux IP Performance
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 30 Apr 1997, Darren Reed wrote:

> Well, how about umounting the filesystem after each "get" and then
> mounting it again before the next ?

That'd probably help eliminate the FS aspect of the performance stats.

> Obviously Linux is doing some sort of disk caching and now you're
> seeing that. Obviously NT doesn't do much caching of disk IO (or
> at least by default).

Or, with only 32 MB of RAM and a 10 MB file, NT might not have enough space to cache the file. (If it is caching based on some LRU algorithm, then the file will keep overwriting itself unless there's at least 10MB free.)
__
Todd Graham Lewis MindSpring Enterprises tlewis@mindspring.com

From owner-firewalls-outgoing Thu May 1 01:39:40 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA22350 for firewalls-outgoing; Wed, 30 Apr 1997 23:37:40 -0700 (PDT)
Received: from reflections.eng.mindspring.net (reflections.eng.mindspring.net [207.69.183.9]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id XAA22326 for ; Wed, 30 Apr 1997 23:37:32 -0700 (PDT)
Received: (qmail 14440 invoked by uid 514); 1 May 1997 06:39:03 -0000
Date: Thu, 1 May 1997 02:39:03 -0400 (EDT)
From: Todd Graham Lewis
Reply-To: Todd Graham Lewis
To: Bob Beck
cc: Firewalls Mailing List
Subject: Re: NT vs Linux FTP Performance
In-Reply-To: <199704301709.LAA08819@snouts.obtuse.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 30 Apr 1997, Bob Beck wrote:

> This thread is neat and interesting. I even like
> it. Unfortunately the whole discussion is awfully far removed from
> firewalls. Could we please agree to take it somewhere else like
> comp.os.linux? It's a neat topic, but it really doesn't belong here.
> I would love to participate and even post numbers, but not in this
> forum where it is inappropriate.

First of all, if you're worried about the S/N, you could have refrained from including about 11k worth of the discussion in your message.

Secondly, for those of us who deal with firewall scaling issues, as well as firewalls which see a lot of traffic or operate in high-bandwidth environs, this matter is very pertinent. Let your users know that they're directly connected to multiple T3s with only the firewall in between and see if you don't have performance concerns.
__
Todd Graham Lewis MindSpring Enterprises tlewis@mindspring.com

From owner-firewalls-outgoing Thu May 1 01:56:35 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA21730 for firewalls-outgoing; Wed, 30 Apr 1997 23:34:23 -0700 (PDT)
Received: from reflections.eng.mindspring.net (reflections.eng.mindspring.net [207.69.183.9]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id XAA21682 for ; Wed, 30 Apr 1997 23:34:10 -0700 (PDT)
Received: (qmail 14417 invoked by uid 514); 1 May 1997 06:35:39 -0000
Date: Thu, 1 May 1997 02:35:39 -0400 (EDT)
From: Todd Graham Lewis
To: David LeBlanc
cc: firewalls@GreatCircle.COM
Subject: Re: NT vs Linux IP Performance
In-Reply-To: <2.2.32.19970430212815.01a54ffc@mail.iss.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 30 Apr 1997, David LeBlanc wrote:

> >Here's another contributing factor. I have seen two studies (one of which
> >was a very good Usenix paper) which conclude that EXT2 is the fastest file
> >system on the planet.
>
> Is there a faster one off the planet?
>
> 8-P

Hey, you guys have C2 stuff (logging, hit counts, etc.) on NTFS that we'd love to have on EXT2. I didn't say EXT2 was better, only that it was faster. 8^)

> >It's not the FTP server; Linux automatically caches file system accesses
> >at the filesystem-driver layer.
>
> Don't you guys cache network I/O?

I'm not quite sure what you mean by that in this context. We cache NFS info, but I'm not sure what an FTP server could cache other than FS data. Maybe I missed something. Actually, maybe I'm just dense.

> >I am astounded that NT does not cache filesystem data.
>
> I am astounded that you think NT does not cache FS data.

Yeah, I'm astounded that I worded that so poorly.

> yes, it could have very different results. Those 2 registry settings
> cascade a tremendous number of tuning differences.
> The server is tuned to
> ignore the console to service network requests, and the workstation is just
> the opposite.
> Not a matter of IP performance, but a matter of who gets more time slices,
> and in fact, how long the time slices are.

OK, I can see that. So get the registry munger that turns WS into Server, rerun the tests (with the 90 other changes suggested on the list), and post the results. This is fun; I can't believe that Russ didn't take me up on my offer to do this head-on.

__
Todd Graham Lewis MindSpring Enterprises tlewis@mindspring.com

From owner-firewalls-outgoing Thu May 1 02:54:32 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id CAA23925 for firewalls-outgoing; Thu, 1 May 1997 02:41:39 -0700 (PDT)
Received: from flex.flex.ro (flex.flex.ro [193.230.255.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id CAA23860 for ; Thu, 1 May 1997 02:41:20 -0700 (PDT)
Received: from powercore.flex.ro (dial05.flex.ro [193.230.255.105]) by flex.flex.ro (8.7.5/8.7.3) with ESMTP id MAA27555 for ; Thu, 1 May 1997 12:33:19 +0300
Message-Id: <199705010933.MAA27555@flex.flex.ro>
From: "The RiSC Team - Powerman"
To:
Subject: OFF Topic : Sorry
Date: Thu, 1 May 1997 12:41:27 +0300
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1155
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This is Off topic, but any1 know a Delphi mailing list?

Thanx

Best Regards,
Viorel Dehelean AKA Powerman - Risc Team
vdehelean@flex.ro
powerm@usa.net
http://www.flex.ro/RISC
http://www.geocities.com/ResearchTriangle/6773
Tel. Home : 039-615151
Tel.
Work : 039-641841
"To code or not to code"

From owner-firewalls-outgoing Thu May 1 04:39:27 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA01837 for firewalls-outgoing; Thu, 1 May 1997 04:28:05 -0700 (PDT)
Received: from mail.ka.inka.de (quechua.inka.de [193.197.84.5]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id EAA01823 for ; Thu, 1 May 1997 04:27:55 -0700 (PDT)
Received: from uu.inka.de ([193.197.84.8]) by mail.ka.inka.de with smtp (ident root using rfc1413) id m0wMtyR-0004GhC (Debian Smail-3.2 1996-Jul-4 #2); Thu, 1 May 1997 13:24:31 +0200 (MET DST)
Received: from lina.inka.de (lists@lina.inka.de) by uu.inka.de with bsmtp (S3.1.29.1) id ; Thu, 1 May 97 13:24 MET DST
Received: by lina.inka.de id m0wMkm4-00016mC (Debian Smail-3.2 1996-Jul-4 #2); Thu, 1 May 1997 03:34:48 +0200 (CEST)
Message-Id:
Date: Thu, 1 May 1997 03:34:46 +0200
From: Bernd Eckenfels
To: Adam Shostack
Cc: Eric Vyncke , dbrooks@i2020.net, Firewalls@GreatCircle.COM
Subject: Re: Cisco PIX and Remote Access? (FW-1?)
References: <2.2.32.19970429122715.0075c438@brussels.cisco.com> <199704300016.UAA28814@homeport.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.67
In-Reply-To: <199704300016.UAA28814@homeport.org>; from Adam Shostack on Tue, Apr 29, 1997 at 08:16:22PM -0400
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello Adam,

On Apr 29, Adam Shostack wrote
> Eric Vyncke wrote:
> | With the random TCP sequence number, this TCP/IP connection
> | cannot be hijacked
>
> Don't you mean to say that the connection can only be hijacked if the
> attacker can sniff along one of the links over which the connection is
> occurring?

Yes, that's right. Random TCP sequence numbers means "random initial sequence numbers". This will protect you from guessing the ISN for a TCP handshake. If you can guess the first TCP packet, you can do IP spoofing for any address and establish a TCP connection.
This is completely unrelated to Hijacking. With hijacking you simply sniff the current sequence numbers, try to get the original host out of sync and continue the existing connection yourself. Random ISNs won't protect you. (They will protect you from blind hijacking, but I'm not aware that this is a practical security problem anyway).

Greetings
Bernd

--
  (OO)      -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de --
 ( .. )     ecki@{inka.de,linux.de,debian.org}  http://home.pages.de/~eckes/
  o--o      *plush*  2048/93600EFD  eckes@irc  +4972573817  BE5-RIPE
(O____O)    If privacy is outlawed only Outlaws have privacy

From owner-firewalls-outgoing Thu May 1 05:24:30 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA05628 for firewalls-outgoing; Thu, 1 May 1997 05:21:12 -0700 (PDT)
Received: from afsusexch.SKANDIA.COM ([206.103.7.4]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id FAA05621 for ; Thu, 1 May 1997 05:21:07 -0700 (PDT)
Received: by afsusexch.SKANDIA.COM with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BC5608.4EF46D60@afsusexch.SKANDIA.COM>; Thu, 1 May 1997 08:18:54 -0400
Message-ID:
From: "Tollgard, Nic"
To: "'Baris Cenberci'" , "'Eric Vyncke'"
Cc: "'firewalls@GreatCircle.COM'"
Subject: RE: Opinions on Cisco PIX product?
Date: Thu, 1 May 1997 08:18:53 -0400
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>> Cisco says that PIX is getting the places of both application level
>> gateways and packet filtering routers. But it has many lack of abilities
>> (As I've mentioned before) as logging and authorization, and it is not a
>> 5 minute configurable product if you have long access lists. It's only a
>> non-routing, well developed router for filtering and NAT (and
>> encryption), but not anymore...
>> (Not covering the whole firewall
>> co routers already make most of these...
>
>
>[Tollgard, Nic]
>I can't say that I agree. PIX together with the Private I utility provides
>quite good reporting.
>
>Authorization is handled by TACACS or RADIUS. It's "WEB configurable" to make
>accesslists etc. easier.
>
>My $0.02.......
>
>Nic

From owner-firewalls-outgoing Thu May 1 05:59:30 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA07728 for firewalls-outgoing; Thu, 1 May 1997 05:49:28 -0700 (PDT)
Received: from mail.clark.net (mail.clark.net [168.143.0.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id FAA07688 for ; Thu, 1 May 1997 05:49:13 -0700 (PDT)
Received: from clark.net (badguy@explorer.clark.net [168.143.0.7]) by mail.clark.net (8.8.5/8.6.5) with ESMTP id IAA11586 for ; Thu, 1 May 1997 08:50:25 -0400 (EDT)
Received: from localhost (badguy@localhost) by clark.net (8.8.5/8.7.1) with SMTP id IAA28821 for ; Thu, 1 May 1997 08:50:46 -0400 (EDT)
X-Authentication-Warning: clark.net: badguy owned process doing -bs
Date: Thu, 1 May 1997 08:50:45 -0400 (EDT)
From: Jeff Man
To: Firewalls@GreatCircle.COM
Subject: Re: Firewalls-Digest V6 #194
In-Reply-To: <199705010800.BAA04771@honor.greatcircle.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 1 May 1997, Firewalls-Digest wrote:

>
> Firewalls-Digest Thursday, May 1 1997 Volume 06 : Number 194
>
>
>
> In this issue:
>
> MS NetMeeting 2.0 and Raptor Eagle vers. 4.0
> Re: NT vs Linux IP Performance
>
> See the end of the digest for information on subscribing to the Firewalls
> or Firewalls-Digest mailing lists and on how to retrieve back issues.
>
> ----------------------------------------------------------------------
>
> Date: Thu, 1 May 97 08:52:50 +0200
> From: CHRISTIAN_STAHL@HP-Denmark-om1.om.hp.com
> Subject: MS NetMeeting 2.0 and Raptor Eagle vers.
> 4.0
>
> Hey everybody,
>
> Does anyone know how to set up Raptor Eagle version 4.0, running on NT
> 4.0, to MS NetMeeting?
>
> I hope that someone can help me.
>
> Best Regards
>
> Christian Stahl
>
> ------------------------------
>
> Date: Thu, 1 May 1997 02:17:01 -0400 (EDT)
> From: Todd Graham Lewis
> Subject: Re: NT vs Linux IP Performance
>
> On Wed, 30 Apr 1997, Sean McPherson wrote:
>
> > Just wanted to ask what you thought about the server running
> > a PCMCIA card. How much does this figure in? A lot of NT drivers for
> > PCMCIA seem to be crap, so I wasn't sure how to take this info :)
>
> Yeah, I did sort of overlook that in my comments. If the driver is crap,
> then it's obviously not a fair test. You might want to try something
> standard like an SMC. (I would say 3com, but you want something both
> standard and decent. 8^)
>
> __
> Todd Graham Lewis MindSpring Enterprises tlewis@mindspring.com
>
> ------------------------------
>
> End of Firewalls-Digest V6 #194
> *******************************
>
> To unsubscribe from Firewalls-Digest, send the following command
> in the body of a message to "Majordomo@GreatCircle.COM":
>
> unsubscribe firewalls-digest
>
> If you want to subscribe or unsubscribe an address other than the
> account the mail is coming from, such as a local redistribution list,
> then append that address to the command; for example, to subscribe
> "local-firewalls":
>
> subscribe firewalls-digest local-firewalls@your.domain.net
>
> A non-digest (direct mail) version of this list is also available; to
> subscribe to that instead, replace all instances of "firewalls-digest"
> in the commands above with "firewalls".
>
> Compressed back issues are available for anonymous FTP from
> FTP.GreatCircle.COM, in pub/firewalls/digest/vNN.nMMM.Z (where "NN"
> is the volume number, and "MMM" is the issue number).
>

From owner-firewalls-outgoing Thu May 1 06:45:29 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA12434 for firewalls-outgoing; Thu, 1 May 1997 06:36:49 -0700 (PDT)
Received: from brimstone.rnb.com (brimstone.rnb.com [204.178.80.14]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id GAA12425 for ; Thu, 1 May 1997 06:36:42 -0700 (PDT)
Received: by brimstone.rnb.com; id JAA23477; Thu, 1 May 1997 09:38:13 -0400
Received: from relay.rnb.com(199.99.101.2) by brimstone.rnb.com via smap (3.2) id xma023464; Thu, 1 May 97 09:38:10 -0400
Received: from monarch.rnb.com (monarch [150.1.33.146]) by relay.rnb.com (8.8.5/8.8.4) with SMTP id JAA12921; Thu, 1 May 1997 09:38:09 -0400 (EDT)
Comments: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Comments: Internet Message: Sender identity is not verified.
Comments: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Message-ID:
X-Mailer: XFMail 1.1 [p0] on Solaris
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
In-Reply-To: <01BC5589.8D19F3A0@jeaton.pc.galt.com>
Date: Thu, 01 May 1997 09:32:49 -0400 (EDT)
Organization: Republic National Bank
From: Ken Kempster
To: Jeffrey Eaton
Subject: RE: configuring automated email on a dialup link.
Cc: firewalls , fwtk
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On 30-Apr-97 Jeffrey Eaton wrote:
>A better solution would be to set up dial-on-demand on the firewall. The
>connection would then come up automatically for _any_ network activity which
>requires it. (Presumably, you have already set up the firewall to only allow
>authorized traffic in and out...)
>
>The same firewall could then also do news, web, etc... all on demand.
>
>What OS are you using?

This is on SunOS4.1.4 with ppp2.3b3

There is a dial-on-demand feature in ppp2.3b3 but it is for use with static IP addressing not dynamic.
>
>-jeaton
>
>----------
>From: Ken Kempster[SMTP:kempster@monarch.rnb.com]
>Sent: Wednesday, April 30, 1997 5:06 PM
>To: fwtk; firewalls
>Subject: configuring automated email on a dialup link.
>
>[To be removed from this list send the message "unsubscribe fwtk-users" in the
>BODY of a mail message to majordomo@ex.tis.com.]
>
>
>Has anyone configured the FWTK/SMAP/SMAPD on a
>box which utilizes an ISDN connection to the NET?
>
>What I want to happen is when an email is sent to the firewall
>for delivery, the link to the NET is checked and if it's
>not up it will bring it up before trying to deliver the email.
>
>What I was thinking was customizing the mqueue script to check
>for ISDN status and have it bring up the ISDN if need be.
>
>If anyone has already done this, any ideas are welcome.
>
>
>thanx.
>
>
>|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
>| Ken Kempster            kempster@monarch.rnb.com        |
>| Network Systems Engineer             _\|/_              |
>| Republic National Bank               (o o)              |
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~oOO-(_)-OOo~~~~~~~~~~~~~~
>
>

|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
| Ken Kempster            kempster@monarch.rnb.com        |
| Network Systems Engineer             _\|/_              |
| Republic National Bank               (o o)              |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~oOO-(_)-OOo~~~~~~~~~~~~~~

From owner-firewalls-outgoing Thu May 1 07:10:22 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA15053 for firewalls-outgoing; Thu, 1 May 1997 06:58:31 -0700 (PDT)
Received: from hcat.epcorp.com (test.epcorp.com [206.112.200.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id GAA15046 for ; Thu, 1 May 1997 06:58:25 -0700 (PDT)
Received: from eppcmcw.eapi.com by hcat.epcorp.com id aa01161; 1 May 97 9:56 EDT
Message-Id: <3.0.32.19970501100515.006b8098@mail.epcorp.com>
X-Sender: martinw@mail.epcorp.com
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Thu, 01 May 1997 10:05:16 -0400
To: fw1-mailinglist@us.checkpoint.com, firewalls@greatcircle.com
From: "Martin C. Walker"
Subject: SATAN on Solaris 2.5 x86 HELLLLLLP !!
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Ok, enough is enough. I've pissed away a week now trying to get SATAN together on an x86 Solaris 2.5.1 box and haven't even got Perl to compile yet. Can anyone help me out with working binaries etc

TIA
frustrated !

--------------------------------------------------------------------------
Martin C. Walker           | martinw@epcorp.com     | PP-ASEL,IFR AA5-A 9908U
Project Lead               | (513)629-2517          | Blue Belt Okinawan Shuri-Ryu
Eagle-Picher Inc.          | Fax: (513)629-2449     | Porsche 911SC
580 Walnut St,             | Cincinnati, OH 45202   |

From owner-firewalls-outgoing Thu May 1 07:16:53 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA13783 for firewalls-outgoing; Thu, 1 May 1997 06:46:45 -0700 (PDT)
Received: from out1.ibm.net (out1.ibm.net [165.87.194.252]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id GAA13774 for ; Thu, 1 May 1997 06:46:39 -0700 (PDT)
Received: (from uucp@localhost) by out1.ibm.net (8.6.9/8.6.9) id NAA326453 for ; Thu, 1 May 1997 13:48:10 GMT
Received: from slip129-37-238-170.mn.us.ibm.net(129.37.238.170) by out1.ibm.net via smap (V1.3mjr) id sma_4MC92; Thu May 1 13:46:55 1997
Message-ID: <33689EA0.622F@urbantechnology.com>
Date: Thu, 01 May 1997 08:46:09 -0500
From: "Urban A. Haas"
Organization: Urban Technology, Inc.
X-Mailer: Mozilla 3.01 (Win95; I)
MIME-Version: 1.0
To: firewalls@greatcircle.com
Subject: Firewalls for non-IP protocols
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Are there any firewalls that can extend beyond IP protecting SNA and IPX without encapsulation - or at least encrypting the data? (Or is the encryption portion a different issue altogether?)
I have some that are becoming interested in using this kind of technology over their frame-relay links to protect snooping from telco or telco mishaps, etc. I know I can run IP-based Netware, DLS (Data-Link Switching), etc to get a totally-IP based network to accomplish this, but this kind of digs into some firewall vendor's suggestions that their devices be used on Intranets also. The difference, to me being, support for other network protocols.

Maybe the best bet is encryption of some kind of all data between point a and point b, ignoring protocols, but I am curious as to anyone's particular experience.

Cheers,
Urban

--
Urban A. Haas
CEO - Urban Technology, Inc.
E-mail: uhaas@urbantechnology.com (mailto:uhaas@urbantechnology.com)
Phone: (612) 938-2610

From owner-firewalls-outgoing Thu May 1 07:24:55 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA17870 for firewalls-outgoing; Thu, 1 May 1997 07:22:54 -0700 (PDT)
Received: from l0pht.com (l0pht.com [199.201.145.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA17859 for ; Thu, 1 May 1997 07:22:41 -0700 (PDT)
Received: from localhost (weld@localhost) by l0pht.com (8.8.3/8.6.9) with SMTP id IAA01591; Thu, 1 May 1997 08:31:40 -0400 (EDT)
Date: Thu, 1 May 1997 08:31:39 -0400 (EDT)
From: Weld Pond
To: Dennis Roberts , "'ntsecurity@iss.net'"
cc: "'firewalls@greatcircle.com'"
Subject: [NTSEC] Re: L0pht Scanning - Beware
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I think it is great that the report of someone being scanned from l0pht has started an ethical debate about scanning.

A few people have been scanned from what appeared to be l0pht.com. We are investigating this. The scans are NOT being done by any l0pht member and appear to be originating from somewhere else. We have 2 confirmed reports of scanning. If anyone knows of another please send any logs, etc. to me.
This is obviously a volatile issue because it has blown way out of proportion.

An easy way to do port scans that appear to come from somewhere else is to use a tool like netcat and set the source address to wherever you want the source of the scan to appear to come from. You need to create another network interface with the bogus source address on your machine, then do something like:

nc -v -z -w 2 -s 10.0.0.2 199.99.99.99 130-140

This will scan ports 130-140 at 199.99.99.99. If someone is logging the scan it will appear to come from 10.0.0.2. You will not get the results of this scan however.

Netcat for NT (and Unix) is available at http://www.l0pht.com/~weld/netcat/

There are some sophisticated ways of bouncing scans through other services. I will let those who know these techniques better than me explain them.

Weld Pond - weld@l0pht.com - http://www.l0pht.com/~weld
L 0 p h t   H e a v y   I n d u s t r i e s
Technical archives for the people - Bio/Electro/Crypto/Radio

From owner-firewalls-outgoing Thu May 1 08:53:10 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA22350 for firewalls-outgoing; Thu, 1 May 1997 07:52:51 -0700 (PDT)
Received: from pebbles.gtri.gatech.edu (pebbles.gtri.gatech.edu [130.207.204.13]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA22294 for ; Thu, 1 May 1997 07:52:39 -0700 (PDT)
Received: from jones (107-thomaston.alltel.net [206.229.146.107]) by pebbles.gtri.gatech.edu (8.8.5/8.8.5) with SMTP id KAA24189; Thu, 1 May 1997 10:55:47 -0400 (EDT)
Message-Id: <199705011455.KAA24189@pebbles.gtri.gatech.edu>
Comments: Authenticated sender is
From: "Jim Jones"
To: Neil Readwin
Date: Thu, 1 May 1997 10:55:38 +0000
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: RE: Need help getting IP traffic through a router.
CC: firewalls@GreatCircle.COM
References: <31557D725263D011B53A0060974FB8DC028B0D@sla_nt2.sla.com>
In-reply-to:
X-mailer: Pegasus Mail for Win32 (v2.52)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> On Wed, 30 Apr 1997, Bill Stackpole wrote:
> > I know of no product that could use ICMP as a transport for a tunnel.
> > (Hummm, interesting....).
>
> If you mean that you cannot go to MS, Sun, Cisco or other vendors and
> ask for IP over ICMP tunnelling software then I would agree that there
> are no products.
>
> TCP over ICMP is (handwave, handwave) just TCP over IP with a small
> MTU. It would be useful (if you wanted to get through a large set of
> filtering firewalls), therefore it has been written.

Is the code freely available somewhere?

-Jim

From owner-firewalls-outgoing Thu May 1 09:18:02 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA21425 for firewalls-outgoing; Thu, 1 May 1997 07:46:09 -0700 (PDT)
Received: from dresden.bmc.com (dresden.bmc.com [198.64.253.250]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA21358 for ; Thu, 1 May 1997 07:45:52 -0700 (PDT)
Received: (from uucp@localhost) by dresden.bmc.com (8.8.5/8.8.5) id JAA12029 for ; Thu, 1 May 1997 09:45:32 -0500 (CDT)
Received: from erehwon.bmc.com(172.19.1.156) by dresden.bmc.com via smap (3.2) id xma011918; Thu, 1 May 97 09:45:18 -0500
Received: from erehwon.bmc.com (localhost [127.0.0.1]) by erehwon.bmc.com (8.8.5/8.8.5) with ESMTP id JAA26871; Thu, 1 May 1997 09:47:12 -0500
Message-Id: <199705011447.JAA26871@erehwon.bmc.com>
X-Mailer: exmh version 2.0gamma 1/27/96
X-Face: #_4U^`J"d9XQ8Cp7!HaZE=}I^B(;F]!}L})]#-@%<6%5<}##,`z!n7M>
To: Tim Wood
cc: Ken Kempster , fwtk , firewalls
Subject: Re: configuring automated email on a dialup link.
In-reply-to: Your message of "Wed, 30 Apr 1997 16:23:07 PDT."
<3367D45B.5845@earthlink.net>
Reply-to: hdevore@bmc.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 01 May 1997 09:47:11 -0500
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

tim_wood@earthlink.net said:
> The ISDN setups I've seen use on-demand dialing, that is, the link
> layer sees a packet heading for the ISDN interface, and initiates a
> call on the interface. That call normally connects and a PPP
> handshake begins. It links to the other point and voila, you have
> your route. IOW, you may not have any work to do (wonder of wonders.)

That's how my ISDN setup works, but then my ISDN "interface device" is a completely separate box (Ascend Pipeline 75 www.ascend.com for info) on my home Ethernet. The Pipeline 75 can be an IP router, an IPX router, or a bridge. My employer sets them up as bridges, validates connections via Caller ID, and has an IP and IPX router at the office between "us" and the rest of the company net.

Hal

From owner-firewalls-outgoing Thu May 1 09:21:11 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA24885 for firewalls-outgoing; Thu, 1 May 1997 08:09:25 -0700 (PDT)
Received: from onshore.com (irc.onShore.com [206.69.88.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA24848 for ; Thu, 1 May 1997 08:09:14 -0700 (PDT)
Received: (from craig@localhost) by onshore.com (8.8.5/8.7.3) id KAA21798; Thu, 1 May 1997 10:11:59 -0500
Date: Thu, 1 May 1997 10:11:59 -0500
From: Craig Brozefsky
Subject: Re: [NTSEC] RE: L0pht Scanning - Beware
To: Dennis Roberts
cc: "'inskeep_chris@geologics.com'" , "'firewalls@greatcircle.com'" , "'ntsecurity@iss.net'"
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 28 Apr 1997, Dennis Roberts wrote:

> I see your point. Until there is a group of "real security people" what
> should be done? Nothing?
Give up computers, or start running an OS you have source code to and do your own source scans. No such thing as "real security people" anyways.

Craig Brozefsky                 craig@onshore.com
onShore Inc.                    http://www.onshore.com/~craig
Development Team                p_priority=PFUN+(p_work/4)+(2*p_cash)

From owner-firewalls-outgoing Thu May 1 09:24:49 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA26703 for firewalls-outgoing; Thu, 1 May 1997 08:27:48 -0700 (PDT)
Received: from mail.siemenscom.com (mail.siemenscom.com [206.154.192.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA26669 for ; Thu, 1 May 1997 08:27:33 -0700 (PDT)
Received: from pobox.rolm.com (gate.siemenscom.com [206.154.192.3]) by mail.siemenscom.com (8.8.5/8.6.10) with ESMTP id IAA09332 for ; Thu, 1 May 1997 08:26:47 -0700 (PDT)
Received: from x400gate.rolm.com by pobox.rolm.com (X.400 to RFC822 Gateway); Thu, 1 May 1997 08:28:41 -0700
X400-Received: by mta ROLM-MTA in /c=US/admd=MCI/prmd=SCN/; Relayed; 01 May 1997 08:28:40 -0700
X400-Received: by /c=US/admd=MCI/prmd=SCN/; Relayed; 01 May 1997 08:28:40 -0700
X400-MTS-Identifier: [/c=US/admd=MCI/prmd=SCN/; 0740D3368B6A8036-ROLM-MTA]
Content-Identifier: 0740D3368B6A8036
Content-Return: Allowed
X400-Content-Type: P2-1988 ( 22 )
Conversion: Allowed
Original-Encoded-Information-Types: IA5-Text
Disclose-Recipients: Prohibited
Alternate-Recipient: Allowed
X400-Originator: Edwin.Pon@pnna.rolm.com
X400-Recipients: non-disclosure;
Message-Id: <"0740D3368B6A8036*/c=US/admd=MCI/prmd=SCN/o=ROLM/ou=SC/ou=MSMail Users/s=Pon/g=Edwin/"@MHS>
Date: 01 May 1997 08:28:40 -0700
From: "Pon, Edwin"
To: "smtp:firewalls-digest@greatcircle.com" (IPM Return requested)
Subject: who are you?
MIME-Version: 1.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm an email administrator at my company and am trying to track down some undeliverable message problems. firewalls-digest@greatcircle.com seems to be related to some email that is not being delivered to Larry Sherman. Larry Sherman left our company over a year ago and apparently left a few loose ends that need cleaning up.

If you are a real person, or an extremely intelligent machine, what is this firewall-digest thing?

Thank you for your help.

From owner-firewalls-outgoing Thu May 1 09:47:34 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA17364 for firewalls-outgoing; Thu, 1 May 1997 07:19:11 -0700 (PDT)
Received: from ford.gbnet.org (ford.gbnet.org [192.188.96.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA17336 for ; Thu, 1 May 1997 07:19:04 -0700 (PDT)
Received: (from steve@localhost) by ford.gbnet.org (8.7.1/8.6.12) id PAA08404; Thu, 1 May 1997 15:18:39 +0100 (BST)
From: Steve Kennedy
Message-Id: <199705011418.PAA08404@ford.gbnet.org>
Subject: Re: configuring automated email on a dialup link.
To: kempster@monarch.rnb.com (Ken Kempster)
Date: Thu, 1 May 1997 15:18:39 +0100 (BST)
Cc: fwtk-users@tis.com, firewalls@GreatCircle.COM
In-Reply-To: from "Ken Kempster" at Apr 30, 97 12:37:23 pm
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

According to Ken Kempster
> Has anyone configured the FWTK/SMAP/SMAPD on a
> box which utilizes an ISDN connection to the NET?
> What I want to happen is when an email is sent to the firewall
> for delivery, the link to the NET is checked and if it's
> not up it will bring it up before trying to deliver the email.
> What I was thinking was customizing the mqueue script to check
> for ISDN status and have it bring up the ISDN if need be.
> If anyone has already done this, any ideas are welcome.

You could always use qmail, which supports maildir format. External mail can then be 'queued' to a maildir.
When a connection to the ISP is established, another program called maildir2smtp can be run, which will then take all the maildir-stored mail and send it out via SMTP ... maildir2smtp can be run from the login script or wherever is suitable.

See http://www.qmail.org/ for more details.

Steve

--
home steve@gbnet.org * Flat 2, 43 Howitt Road, Belsize Pk, London NW3 4LU
work steve@demon.net * tel +44-(0)171 483 1169 FAX +44-(0)181 444 6103
www http://www.gbnet.net/ * bits steve@gbnet.net * Orange mobile +44-(0)973 600050
Euro firewall info - send mail to majordomo@gbnet.net (subscribe firewalls-uk)

From owner-firewalls-outgoing Thu May 1 10:23:49 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA25637 for firewalls-outgoing; Thu, 1 May 1997 08:18:03 -0700 (PDT)
Received: from majestix.skp.de (majestix.skp.de [194.163.133.195]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA25618 for ; Thu, 1 May 1997 08:17:50 -0700 (PDT)
Received: from maestro (maestro.skp.de [194.163.133.201]) by majestix.skp.de (8.7.5/8.7.3) with SMTP id QAA07107; Thu, 1 May 1997 16:25:20 +0200
Date: Thu, 01 May 1997 17:18:31 +0100
To: Richard Heuft
From: Oliver Lau
Cc:
Subject: Re: slow e-mail clients with packet-filter
In-Reply-To: <199704291440.OAA02433@mail.eurosys.nl>
References: <199704291440.OAA02433@mail.eurosys.nl>
Message-Id: <3368D067211.0DCB.lau@mabi.de>
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
X-Mailer: Becky! ver 1.20
X-Priority: 2
X-MSMail-Priority: High
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 29 Apr 1997 16:39:40 +0200 "Richard Heuft" wrote:
> Hello All,
>
> At my site we use a dedicated e-mail server (running SCO OpenServer 5.02)
> to send and receive mail from the internet. Between our internal ethernet
> and the mail-server is a Linux packetfilter (ipfwadm) with SMTP and POP3
> forwarding enabled. When we send/receive e-mail with Win95 clients using
> Microsoft internet e-mail client, the POP3 connections are fast but sending
> with SMTP is slow. It takes a while before it sends but when it does it's
> fast. I've got the feeling that something more than port 25 and 110 are
> needed for the delivery that the client does. I checked port 113 (auth) but
> that didn't seem to help, any ideas ??

In brief: The reason that POP3 connections are fast is very simple: the client has to find out whom to connect to via the domain name services. This lookup is done very fast, because the name server is normally located in the local area network, and even if it is 'behind' the firewall router on your Linux-box, latency time is short.

If you are sending e-mail per smtp, the mailer has to resolve the host name to an IP address. This action may take a while, because it is possible that the host name entry has not been cached yet by the name server. This can be a reason for the delay prior to the delivery process to the next mail relay host.

Hope this helps!
Regards,
Oliver

From owner-firewalls-outgoing Thu May 1 10:38:45 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA15879 for firewalls-outgoing; Thu, 1 May 1997 07:08:30 -0700 (PDT)
Received: from xyzzy.plugh.edmonton.ab.ca (xyzzy.plugh.edmonton.ab.ca [198.161.22.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id HAA15860 for ; Thu, 1 May 1997 07:08:20 -0700 (PDT)
Received: (from uucp@localhost) by xyzzy.plugh.edmonton.ab.ca (8.6.12/8.6.9) id IAA22311; Thu, 1 May 1997 08:09:50 -0600
Received: from snouts-gw.obtuse.com(192.168.30.61), claiming to be "snouts.obtuse.com" via SMTP by mailhost.plugh.edmonton.ab.ca, id smtpd22309aaa; Thu May 1 08:09:40 1997
Received: (from beck@localhost) by snouts.obtuse.com (8.7.5/8.7.3) id IAA10765; Thu, 1 May 1997 08:09:40 -0600
From: Bob Beck
Message-Id: <199705011409.IAA10765@snouts.obtuse.com>
Subject: Re: NT vs Linux FTP Performance
To: lists@reflections.eng.mindspring.net
Date: Thu, 1 May 1997 08:09:38 -0600 (MDT)
Cc: beck@obtuse.com, firewalls@GreatCircle.COM
In-Reply-To: from "Todd Graham Lewis" at May 1, 97 02:39:03 am
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> First of all, if you're worried about the S/N, you could have refrained
> from including about 11k worth of the discussion in your message.
>

Yes, point taken.

> Secondly, for those of us who deal with firewall scaling issues, as well
> as firewalls which see a lot of traffic or operate in high-bandwidth
> environs, this matter is very pertinent. Let your users know that they're
> directly connected to multiple T3s with only the firewall in between and
> see if you don't have performance concerns.
>

I'm not saying you don't, Todd, but we don't discuss relative performance differences in CPUs, or of NICs or other such stuff on this list, and they all matter in these cases too. There are more appropriate forums for that. Security professionals should be able to deal with performance issues in a relevant forum, and deal with issues related to firewalls here. This thread isn't. It's a simple comparison of Linux and NT on general network performance issues.

-Bob

From owner-firewalls-outgoing Thu May 1 11:27:35 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA28043 for firewalls-outgoing; Thu, 1 May 1997 08:51:41 -0700 (PDT)
Received: from tmpil001.tmp.allied.com (tmpil001.tmp.allied.com [198.80.19.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id IAA28031 for ; Thu, 1 May 1997 08:51:27 -0700 (PDT)
Received: by tmpil001.tmp.allied.com id AA09740 (InterLock SMTP Gateway 3.0 for firewalls@greatcircle.com); Thu, 1 May 1997 08:52:57 -0700
Received: by tmpil001.tmp.allied.com (Internal Mail Agent-1); Thu, 1 May 1997 08:52:57 -0700
Message-Id:
From: "Markle, David W."
To: Jaime Blanco
Cc: "'firewalls@greatcircle.com'"
Subject: RE: RAPTOR
Date: Thu, 1 May 1997 08:47:33 -0700
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

First, is the 2501 inside or outside the firewall? The firewall will not allow ICMP (ping) through (if in fact the 2510 is outside the firewall). On the workstation (PC), set the default gateway to the IP address of the OUTSIDE interface on the firewall. (This is assuming that the router is outside the firewall.)
>----------
>From: Jaime Blanco[SMTP:jaime@blanco.com]
>Sent: Wednesday, April 30, 1997 2:04 PM
>To: '1126f930@adp-es.com'; 'alan@gi.net'; 'firewalls@GreatCircle.COM';
>'hauke@ctd.com'; 'info@raptor.com'; 'lists@reflections.mindspring.com';
>'luk@tele.gl'; 'martinq@indigo.ie'; 'mike@esr.com'; 'peter@baileynm.com';
>'proberts@clark.net'; 'Russ.Cooper@rc.toronto.on.ca';
>'stevel@millennium.co.uk'
>Subject: RAPTOR
>
>Hi:
>Can you help me?
>
>I have configured Raptor Eagle NT 3.0.6. It works fine with all PCs attached
>to the private interface, but I have some cisco 2501 (for some other
>subnets I must protect with eagle) attached to this private subnet and the
>Eagle does not route the packets to outside that come from these subnets. I can't
>ping from cisco to the eagle's private interface, however I can ping from
>any PC to eagle.
>
>The 2501s have their default gateway pointing to the Eagle.
>
>What's wrong?
>
>Thanks in advance
>
>Jaime Blanco
>Tech Manager
>Sinfonet
>www.sinfo.net
>

From owner-firewalls-outgoing Thu May 1 11:41:31 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA16639 for firewalls-outgoing; Thu, 1 May 1997 10:57:13 -0700 (PDT)
Received: from majestix.skp.de (majestix.skp.de [194.163.133.195]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id KAA16632 for ; Thu, 1 May 1997 10:57:05 -0700 (PDT)
Received: from maestro (maestro.skp.de [194.163.133.201]) by majestix.skp.de (8.7.5/8.7.3) with SMTP id TAA07821; Thu, 1 May 1997 19:04:49 +0200
Date: Thu, 01 May 1997 19:58:05 +0100
To: Dick Mosher
From: Oliver Lau
Cc:
Subject: Re: NT File Sharing
In-Reply-To: <9703298623.AA862350652@cc.wstnres.com>
References: <9703298623.AA862350652@cc.wstnres.com>
Message-Id: <3368F5CD15B.C07D.lau@skp.de>
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: Quoted-Printable
X-Mailer: Becky! ver 1.20
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Greetings!

If you use TCP/IP as the only protocol, file sharing with NetBIOS uses port numbers 137 through 138. You have to allow traffic incoming AND outgoing because the server establishes a reciprocal connection back to the client. The same setup applies to all SMB connections, like Samba on several Unixes. A good place to look for answers to questions like this is the RFC "Assigned Numbers".

On Tue, 29 Apr 97 14:53:04 CST "Dick Mosher" wrote:
| We are trying to set up NT file sharing across an internal firewall,
| and can find very little documentation on its mechanics. Can anyone
| tell me what port(s) it uses? Thanks.
| dick_mosher@wstnres.com

Hope this helps!

Regards,
Oliver Lau (Senior Security Consultant)
Sauer, Küster und Partner GmbH
Dietrich-Bonhoeffer-Straße 1-3, 35037 Marburg, Germany
fon: +49 6421 938300, fax: +49 6421 938390, URL: www.skp.de

From owner-firewalls-outgoing Thu May 1 11:41:46 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA19769 for firewalls-outgoing; Thu, 1 May 1997 11:19:20 -0700 (PDT)
Received: from smtp3.erols.com (smtp3.erols.com [205.252.116.103]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id LAA19746; Thu, 1 May 1997 11:19:12 -0700 (PDT)
Received: from cabe (spg-as13s58.erols.com [207.172.6.58]) by smtp3.erols.com (8.8.5/8.8.5) with SMTP id OAA19355; Thu, 1 May 1997 14:20:42 -0400
Message-Id: <1.5.4.32.19970501182410.00735984@pop.erols.com>
X-Sender: cabe@pop.erols.com
X-Mailer: Windows Eudora Light Version 1.5.4 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 01 May 1997 14:24:10 -0400
To: Firewalls@GreatCircle.COM, firewalls-digest@GreatCircle.COM
From: Cabe Franklin
Subject: international use of VPN
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello Chris/Adam/Sandeep:

When a U.S.
company wishes to export a crypto product to communicate with an overseas subsidiary, even though it's keeping it all in the family, it does have to apply for an export license. If it is going to "maintain control" though, it's not too hard to get. Different from permission to resell, obviously. But it does still fall under DoC regs.

Check Point doesn't exactly fall under U.S. regs b/c it's listed on Nasdaq. The actions of its U.S. arm are governed by U.S. rules, but if the crypto is developed/manufactured/distributed etc. entirely overseas, it doesn't fall into the realm of US controls.

Icing on the cake -- India (AFAIK) has _import_ regulations on crypto, just to keep things interesting.

Good luck :)

- Cabe

P.S. Full disclosure: I do work occasionally for TIS. While I shy away from the AbirNet model, I feel compelled to note that their Gauntlet firewall can give you a 56-bit DES VPN wherever you may be, and if you don't mind using key recovery, you can get 3DES.

-
Cabe Franklin
Ogilvy Adams & Rinehart, Washington DC
(202) 452-9504
cabe_franklin@oar-wash.com
-

From owner-firewalls-outgoing Thu May 1 11:42:53 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA11014 for firewalls-outgoing; Thu, 1 May 1997 10:27:45 -0700 (PDT)
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id KAA10983 for ; Thu, 1 May 1997 10:27:39 -0700 (PDT)
Message-Id: <199705011727.KAA10983@honor.greatcircle.com>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA131537669; Fri, 2 May 1997 03:27:49 +1000
From: Darren Reed
Subject: Re: [NTSEC] RE: L0pht Scanning - Beware
To: craig@onshore.com (Craig Brozefsky)
Date: Fri, 2 May 1997 03:27:49 +1000 (EST)
Cc: droberts@excell.com, inskeep_chris@geologics.com, firewalls@GreatCircle.COM, ntsecurity@iss.net
In-Reply-To: from "Craig Brozefsky" at May 1, 97 10:11:59 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In some mail from Craig Brozefsky, sie said:
>
> On Mon, 28 Apr 1997, Dennis Roberts wrote:
>
> > I see your point. Until there is a group of "real security people" what
> > should be done? Nothing?
>
> Give up computers, or start running an OS you have source code to and do
> your own source scans. No such thing as "real security people" anyways.

Speaking of source code, see http://www.sun.com/edu/hot/hot.html for an interesting offer from Sun on Solaris2.5.1 source code.

From owner-firewalls-outgoing Thu May 1 12:32:48 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA16872 for firewalls-outgoing; Thu, 1 May 1997 10:58:35 -0700 (PDT)
Received: from dg-rtp.dg.com (dg-rtp.rtp.dg.com [128.222.1.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id KAA16809 for ; Thu, 1 May 1997 10:58:18 -0700 (PDT)
Received: from splinter.rtp.dg.com by dg-rtp.dg.com (5.4R3.10/dg-rtp-v02) id AA07998; Thu, 1 May 1997 13:59:40 -0400
Received: by splinter.rtp.dg.com (8.6.10/200.15.1.2) id NAA16859; Thu, 1 May 1997 13:55:15 -0400
From: spencerj@dg-rtp.dg.com (Jon Spencer)
Message-Id: <199705011755.NAA16859@splinter.rtp.dg.com>
Subject: Re: Ascend Secure Access with Dynamic Firewall
To: chrisp@tidalwave.net (Chris Pressley)
Date: Thu, 1 May 1997 13:55:11 -0400 (EDT)
Cc: firewalls-digest@greatcircle.com
In-Reply-To: <3.0.1.32.19970428133225.00709958@tidalwave.net> from "Chris Pressley" at Apr 28, 97 01:32:25 pm
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

To hack your way into a firewall such as the one described, just attack the OS the firewall is operational on, assuming that Ascend was built using high assurance mechanisms (which would be a pleasant surprise).
However, if they actually used the word "impossible," then they most certainly aren't a high assurance system. Scientific American published an article in 1906, where Dr. Newcomb, one of the preeminent mathematicians of his day, proved it was impossible for a heavier than air vehicle to lift off the ground and maintain sustained flight. Of course, by this time, those pesky Wright brothers were making sustained flights of several hours. "Impossible" is a very dangerous word to use - it usually falls from the lips of those who lack expertise in the area they are pontificating upon. Or people trying to sell you something in the face of stiff competition.

Note, however, that I have no knowledge of Ascend making any such claim. Caveat emptor.

>
> Anyone familiar with Ascend Secure Access with Dynamic Firewall? Ascend
> claims it makes use of stateful packet inspection, and it's impossible for
> a hacker to penetrate (I just got off the phone with them). The web pages
> provide remarkably little information. The Pipeline 75 also offers packet
> filtering.
>
> Thanks,
> Chris
>
>

--
Jon F. Spencer                     spencerj@rtp.dg.com (uunet!rtp.dg.com!spencerj)
Data General Corp.                 Phone : (919)248-6246
62 T.W. Alexander Dr, MS #119      FAX   : (919)248-6108
Research Triangle Park, NC 27709   Office RTP 121/9

Reality is an illusion - perception is what counts.
No success can compensate for failure in the home. President David O. McKay
***** UCC 1-207 ********

From owner-firewalls-outgoing Thu May 1 12:55:00 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA29969 for firewalls-outgoing; Thu, 1 May 1997 09:16:51 -0700 (PDT)
Received: from charity.harvard.net (charity.harvard.net [206.137.222.16]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id JAA29954 for ; Thu, 1 May 1997 09:16:40 -0700 (PDT)
Received: from tranquility.harvard.net (root@tranquility.harvard.net [206.64.152.14]) by charity.harvard.net (8.8.5/8.7.3) with ESMTP id MAA16493 for ; Thu, 1 May 1997 12:17:09 -0400 (EDT)
Received: from kyoto (gojapan.com [206.137.94.14]) by tranquility.harvard.net id MAA13153; Thu, 1 May 1997 12:15:08 -0400 (EDT)
Message-Id: <2.2.32.19970501162414.00921988@postoffice.harvard.net>
X-Sender: leon.linkco.com@postoffice.harvard.net
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 01 May 1997 12:24:14 -0400
To: firewalls@GreatCircle.COM
From: Leonid Charny
Subject: Raptor Eagle experience on NT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Has anyone been using Eagle NT 4.0 and wishes to share the experience? We are currently evaluating FW-1, Cisco PIX and Eagle 4.0. We are aware of the Ziff-Davis and Tolly Group reports, but want to hear real-life stories. Any advice from anyone who has done a similar evaluation is appreciated.

_______________________________________________________________________________
Leonid Charny, Ph.D.
Principal Technical Architect
LinkCo, 286 Congress Street, Boston, MA 02210
Phone: (617) 574-9059   Fax: (617) 574-9055   Email: leon@linkco.com
"Professionals First Choice for Japanese Business Information"
_______________________________________________________________________________

From owner-firewalls-outgoing Thu May 1 13:09:44 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA25959 for firewalls-outgoing; Thu, 1 May 1997 11:56:31 -0700 (PDT)
Received: from mercury.earthlink.net (mercury.earthlink.net [198.68.160.4]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id LAA25808 for ; Thu, 1 May 1997 11:55:54 -0700 (PDT)
Received: from poseidon.earthlink.net ([206.250.69.156]) by mercury.earthlink.net (8.7.5/8.7.3) with SMTP id LAA19207; Thu, 1 May 1997 11:57:51 -0700 (PDT)
Message-Id: <2.2.32.19970501185643.006a9ac4@198.68.160.4>
X-Sender: del@198.68.160.4
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Priority: 1 (Highest)
Date: Thu, 01 May 1997 11:56:43 -0700
To: Planet_Ocean@profitmaster.com
From: POLARIS
Subject: Re: Your website's "Findability" -- Search Engine Help
Cc: firewalls@GreatCircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

HEY STEVE....!!!!!!!!!

this is a FIREWALL discussion group...
get this web shit off this list...!!! NOW!!!
and return nevermore
what i would like to improve is 'LOSABILITY'....
namely YOURS.....

At 05:17 PM 4/30/97 -0700, you wrote:
>Would you like to improve your website's
>"findability" in the Search Engines?
>
>During the past year, my company has placed over 100
>webpages into the Top Ten -- the front page -- of the
>major search engines... and, for a small fee, I am
>willing to show you exactly how we did it.
>
>My name is Stephen Mahaney. I am the president of
>Planet Ocean Communications. My web marketing company
>has literally "written the book" on how to position your
>website on the front page -- the Top Ten -- of each of
>the major search engines... guaranteed!
>
>Our 45 page book identifies every trick & technique that
>is being used on the Internet to gain an almost "unfair"
>advantage in landing websites at the top of the search
>engine lists -- right where you need to be so that
>potential customers who are seeking your services or
>products can find you.
>
>Our monthly Newsletter keeps you abreast of the latest
>techniques and frequent changes that take place in the
>dynamic world of "search engine" science.
>
>However, understanding the process does not require
>a degree in "rocket" science -- nor do you need to be
>"technically oriented". Whether your website is a
>"do-it-yourself" project or you are paying someone
>to maintain your site, you (or your webmaster) need
>to know the tricks in this book in order to compete with
>the professionals who are dominating the front pages of
>the various search categories.
>
>To learn more about how you can obtain this essential
>information and receive a free subscription to our
>Newsletter -- SEARCH ENGINE SECRETS UPDATE,
>go to....
>
> http://www.profitmaster.com/se-advantage/
>
>You'll be glad you did.
>
>Sincerely,
>Stephen Mahaney - President
>Planet Ocean Communications
>
>
> ***************************************************
>Note: We have contacted you based on information that
>we gathered while visiting your website - If you would
>prefer not to receive mail from us in the future,
>simply reply with the word "remove" and you will be
>automatically excluded from future correspondence. Thanks
> ***************************************************
>
>Thought for the day...
>"The only thing a man can take
>beyond this lifetime is his ethics"
>
>
>
>
>

***************************************************************
Be wise and anticipate the Brutus of your camp.
Brutus repaid Caesar for unfailing and ill-deserved loyalty
with a sharp currency of steel.'
        Attila, King of Huns, circa 422 a.d.
****************************************************************
Buck/Earthlink Network/framerelay@staffmail.earthlink.net
****************************************************************

From owner-firewalls-outgoing Thu May 1 13:40:11 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA12862 for firewalls-outgoing; Thu, 1 May 1997 13:35:11 -0700 (PDT)
Received: from stobyn.ml.org ([205.214.199.244]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA12733 for ; Thu, 1 May 1997 13:34:45 -0700 (PDT)
Received: (from uucp@localhost) by stobyn.ml.org (8.8.4/8.8.4) id QAA01662 for ; Thu, 1 May 1997 16:00:31 +0400
Received: from laptop.stokes.com(172.18.1.2) by stobyn.ml.org via smap (V2.0) id xma001660; Thu, 1 May 97 16:00:30 +0400
Date: Thu, 1 May 1997 16:09:04 +0400 (GMT-4)
From: Roger Hill
X-Sender: rhill@rose.stokes.com
To: Firewalls Mailing List
Subject: RE: configuring automated email on a dialup link.
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I use diald for linux...works just fine with dynamic or static IPs.

See http://www.dna.lth.se/~erics/diald.html

============================================================================
Roger Hill, P.O.Box 4T, Barbados, West Indies.
Tel:246-230-9596 Fax:246-433-8365 E-mail: rhill@stobyn.ml.org
============================================================================

From owner-firewalls-outgoing Thu May 1 14:24:55 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA17503 for firewalls-outgoing; Thu, 1 May 1997 14:14:44 -0700 (PDT)
Received: from daisy.snet.net (mail.snet.net [204.60.7.83]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id OAA17495 for ; Thu, 1 May 1997 14:14:36 -0700 (PDT)
From: k.p@snet.net
Received: from default (smfr01-sh2-port84.snet.net [204.60.17.84]) by daisy.snet.net (8.8.5/8.8.5/SNET-1.5) with SMTP id RAA02865 for ; Thu, 1 May 1997 17:16:09 -0400 (EDT)
Message-ID: <33690991.6249@snet.net>
Date: Thu, 01 May 1997 17:22:26 -0400
X-Mailer: Mozilla 3.01 (Win95; I)
MIME-Version: 1.0
To: firewalls@GreatCircle.COM
Subject: Re: Anti-Spam [Was: Your website's "Findability"]
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Warpy wrote:
> Is it just me or does everyone get ticked off about these emails that say
> reply to make sure you DON'T get any further emails from us. Grrrrr...

Forward spam back to sender. Strength in numbers.

--
# Exit The System. #
#--------><--------#
#   k.p@snet.net   #

From owner-firewalls-outgoing Thu May 1 14:54:29 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA20534 for firewalls-outgoing; Thu, 1 May 1997 14:49:56 -0700 (PDT)
Received: from guru.unixpros.com (guru.unixpros.com [207.17.234.5]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id OAA20523 for ; Thu, 1 May 1997 14:49:50 -0700 (PDT)
Message-Id: <199705012149.OAA20523@honor.greatcircle.com>
Received: by guru.unixpros.com (1.38.193.4/16.2) id AA07276; Thu, 1 May 1997 17:50:36 -0400
From: Stan Wnuck
Subject: CheckPoint vs Others
To: firewalls@greatcircle.com
Date: Thu, 1 May 97 17:50:36 EDT
Cc: swnuck@guru.unixpros.com
Mailer: Elm [revision: 70.85]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello folks.

We are presently evaluating Check-Point's Fire-Wall 1. We had a CheckPoint representative even come in today to explain the product. After speaking with him, I got the impression that this is the best fire-wall out on the market. So I figured I'd throw out some questions to the dogs to chew away on this idea so that I can remain open-minded. :)

Check Point's product and its direct resellers such as Solstice from SUN are stateful inspection technologies. The only two other technologies that I am aware of are:
  a. proxy services such as Raptor or Gauntlet
  b. packet filters

#1 Are there any other technologies that I am unaware of?
#2 Are they as good as stateful inspection?
#3 Why should I use proxy services or packet filters if I can have stateful inspection?
#4 Other than Check-Point and their direct resellers, are there any other stateful inspection products that are not associated with Check-Point?
#5 Do other products offer remote authentication, encrypted links (VPNs), content security, auditing, load balancing, network translation, exercise policies for access?
#6 Do other products have a way of creating extranets?

I am sorry if this has been discussed already. If need be, reply directly to me so that others on this list don't have to hear this wasted traffic.

Thanks for your time.

Stan Wnuck                               swnuck@unixpros.com
Unixpros, Inc.
10 Industrial Way East                   (908) 389-3295 x542
Eatontown, NJ 07724                      (908) 389-5461 Fax
PM-CHS Technology Insertion Office
Ft. Monmouth Army Base, NJ               (908) 427-2033 / 427-6963

From owner-firewalls-outgoing Thu May 1 15:09:49 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA21325 for firewalls-outgoing; Thu, 1 May 1997 14:54:36 -0700 (PDT)
Received: from pdxchange.escocorp.com (mail.escocorp.com [207.141.1.97]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id OAA21251 for ; Thu, 1 May 1997 14:54:18 -0700 (PDT)
Received: by pdxchange.escocorp.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BC563F.C4659010@pdxchange.escocorp.com>; Thu, 1 May 1997 14:55:53 -0700
Message-ID:
From: "Jenkins, Gary C."
To: "'firewalls@GreatCircle.com'"
Subject: RE: Your website's "Findability" -- Search Engine Help
Date: Thu, 1 May 1997 14:55:51 -0700
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Might I suggest that when someone spams this list, or any other list for that matter, that we all reply to them directly and not include the list the original spam was sent to. That will save us all grief as we wade through all these messages. That way the only person that gets return spammed is the original sender.

Gary C. Jenkins (gcjenkins@escocorp.com)
UNIX System Administrator
ESCO Corporation
503-778-6839 (V)  503-778-6754 (F)

>----------
>From: POLARIS[SMTP:del@198.68.160.4]
>Sent: Thursday, 01 May, 1997 11:56
>To: Planet_Ocean@profitmaster.com
>Cc: firewalls@GreatCircle.com
>Subject: Re: Your website's "Findability" -- Search Engine Help
>
>HEY STEVE....!!!!!!!!!
>
> this is a FIREWALL discussion group...
> get this web shit off this list...!!! NOW!!!
> and return nevermore
> what i would like to improve is 'LOSABILITY'....
> namely YOURS.....
>
>
>
>At 05:17 PM 4/30/97 -0700, you wrote:
>>Would you like to improve your website's
>>"findability" in the Search Engines?
>>
>>During the past year, my company has placed over 100
>>webpages into the Top Ten -- the front page -- of the
>>major search engines... and, for a small fee, I am
>>willing to show you exactly how we did it.
>>
>>My name is Stephen Mahaney. I am the president of
>>Planet Ocean Communications. My web marketing company
>>has literally "written the book" on how to position your
>>website on the front page -- the Top Ten -- of each of
>>the major search engines... guaranteed!
>>
>>Our 45 page book identifies every trick & technique that
>>is being used on the Internet to gain an almost "unfair"
>>advantage in landing websites at the top of the search
>>engine lists -- right where you need to be so that
>>potential customers who are seeking your services or
>>products can find you.
>>
>>Our monthly Newsletter keeps you abreast of the latest
>>techniques and frequent changes that take place in the
>>dynamic world of "search engine" science.
>>
>>However, understanding the process does not require
>>a degree in "rocket" science -- nor do you need to be
>>"technically oriented".
Whether your website is a >>"do-it-yourself" project or you are paying someone >>to maintain your site, you (or your webmaster) need >>to know the tricks in this book in order to compete with >>the professionals who are dominating the front pages of >>the various search categories. >> >>To learn more about how you can obtain this essential >>information and receive a free subscription to our >>Newsletter -- SEARCH ENGINE SECRETS UPDATE, >>go to.... >> >> http://www.profitmaster.com/se-advantage/ >> >>You'll be glad you did. >> >>Sincerely, >>Stephen Mahaney - President >>Planet Ocean Communications >> >> >> *************************************************** >>Note: We have contacted you based on information that >>we gathered while visiting your website - If you would >>prefer not to receive mail from us in the future, >>simply reply with the word "remove" and you will be >>automatically excluded from future correspondence. Thanks >> *************************************************** >> >>Thought for the day... >>"The only thing a man can take >>beyond this lifetime is his ethics" >> >> >> >> >> > >*************************************************************** >Be wise and anticipate the Brutus of your camp. >Brutus repaid Caesar for unfailing and ill-deserved loyalty >with a sharp currency of steel.' > Attila, King of Huns, circa 422 a.d. 
>**************************************************************** >Buck/Earthlink Network/framerelay@staffmail.earthlink.net >**************************************************************** > > > From owner-firewalls-outgoing Thu May 1 16:09:38 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id PAA25485 for firewalls-outgoing; Thu, 1 May 1997 15:22:19 -0700 (PDT) Received: from palrel1.hp.com (palrel1.hp.com [15.253.72.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id PAA25436 for ; Thu, 1 May 1997 15:22:08 -0700 (PDT) Received: from cup46ux.cup.hp.com (daemon@cup46ux.cup.hp.com [15.9.88.31]) by palrel1.hp.com with ESMTP (8.7.5/8.7.3) id PAA00646 for ; Thu, 1 May 1997 15:23:47 -0700 (PDT) Received: from f2426bre.nsr.hp.com by cup46ux.cup.hp.com with SMTP (1.37.109.11/15.5+IOS 3.20+cup+OMrelay) id AA107505419; Thu, 1 May 1997 15:23:39 -0700 From: beldridg@cup46ux.cup.hp.com (Brett Eldridge) To: CHRISTIAN_STAHL@HP-Denmark-om1.om.hp.com Cc: firewalls@GreatCircle.COM, beldridg@cup46ux.cup.hp.com Subject: Re: MS NetMeeting 2.0 and Raptor Eagle vers. 4.0 Date: Thu, 01 May 1997 22:20:51 GMT Message-Id: <337b1322.99279981@cup46ux.cup.hp.com> References: In-Reply-To: X-Mailer: Forte Agent 1.0/32.390 Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thu, 1 May 97 08:52:50 +0200, you wrote: >Hey everybody, > >Does anyone know how to set up Raptor Eagle version 4.0, running on NT >4.0, to MS NetMeeting? Hi Christian, This is going to be tough for any application proxy style firewall because you need to open up multiple TCP ports (389 and 522) along with all the TCP/UDP high ports (argh). At least, this is how I read the MS article. This is obviously a large security risk and creates a hole in your firewall system big enough to "fling a moose through" (see Note 1). 
Basically, for the Raptor Eagle firewall gateway, you need to use the GSP feature to define a service for each of the ports listed below. I have included a portion of the text from one of Microsoft's KnowledgeBase articles. You can find the article at: http://www.microsoft.com/kb/articles/q164/0/38.htm

- brett

---- Text of article ----

Microsoft Netmeeting 2.0 uses several secondary TCP and UDP ports to communicate. To allow NetMeeting to communicate fully, the following ports need to be enabled on the WinSock portion of the Proxy Server:

389 Internet Locator Server
522 User Location Server
1503 T.120 Protocol
1720 H.323 call setup (TCP)
1731 Audio call control (TCP)
Dynamic H.323 Call Control (TCP)
Dynamic H.323 streaming (RTP over UDP)

Port or Range   Type   Direction
-------------   ----   ---------
389             TCP    Inbound
389             TCP    Outbound
522             TCP    Inbound
522             TCP    Outbound
1025-65535      TCP    Inbound
1025-65535      TCP    Outbound
1025-65535      UDP    Inbound
1025-65535      UDP    Outbound

Note 1: Thanks to Marcus for enlightening me as to the highly technical term to use to aptly describe situations like this.

From owner-firewalls-outgoing Thu May 1 16:39:37 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id QAA04340 for firewalls-outgoing; Thu, 1 May 1997 16:31:36 -0700 (PDT) Received: from pdxchange.escocorp.com (mail.escocorp.com [207.141.1.97]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id QAA04305 for ; Thu, 1 May 1997 16:31:24 -0700 (PDT) Received: by pdxchange.escocorp.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BC564D.56A29F60@pdxchange.escocorp.com>; Thu, 1 May 1997 16:33:02 -0700 Message-ID: From: "Jenkins, Gary C." 
To: "'firewalls@GreatCircle.com'" Subject: Replies to spammers Date: Thu, 1 May 1997 16:33:00 -0700 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Might I suggest that when someone spams this list, or any other list for that matter, that anyone wishing to reply to them do so directly and not include the list the original spam was sent to in the recipients. That will save us all grief as we wade through all these messages. That way the only person that gets return spammed is the original sender. Gary C. Jenkins (gcjenkins@escocorp.com) UNIX System Administrator ESCO Corporation 503-778-6839 (V) 503-778-6754 (F) >---------- >From: POLARIS[SMTP:del@198.68.160.4] >Sent: Thursday, 01 May, 1997 11:56 >To: Planet_Ocean@profitmaster.com >Cc: firewalls@GreatCircle.com >Subject: Re: Your website's "Findability" -- Search Engine Help > >HEY STEVE....!!!!!!!!! > > this is a FIREWALL discussion group... > get this web shit off this list...!!! NOW!!! > and return nevermore > what i would like to improve is 'LOSABILITY'.... > namely YOURS..... > > > >At 05:17 PM 4/30/97 -0700, you wrote: >>Would you like to improve your website's >>"findability" in the Search Engines? >> >>During the past year, my company has placed over 100 >>webpages into the Top Ten -- the front page -- of the >>major search engines... and, for a small fee, I am >>willing to show you exactly how we did it. >> >>My name is Stephen Mahaney. I am the president of >>Planet Ocean Communications. My web marketing company >>has literally "written the book" on how to position your >>website on the front page -- the Top Ten -- of each of >>the major search engines... guaranteed! 
>**************************************************************** >Buck/Earthlink Network/framerelay@staffmail.earthlink.net >**************************************************************** > > > Gary C. Jenkins (gcjenkins@escocorp.com) UNIX System Administrator ESCO Corporation 503-778-6839 (V) 503-778-6754 (F) From owner-firewalls-outgoing Thu May 1 17:33:34 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA08084 for firewalls-outgoing; Thu, 1 May 1997 17:00:17 -0700 (PDT) Received: from wicked.neato.org (wicked.neato.org [198.70.96.252]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id QAA07978 for ; Thu, 1 May 1997 16:59:58 -0700 (PDT) Received: (from george@localhost) by wicked.neato.org (8.8.5/8.8.5) id RAA10908; Thu, 1 May 1997 17:03:56 -0700 (PDT) Date: Thu, 1 May 1997 17:03:56 -0700 (PDT) Message-Id: <199705020003.RAA10908@wicked.neato.org> To: Stan Wnuck Cc: firewalls@greatcircle.com, swnuck@guru.unixpros.com Subject: Re: CheckPoint vs Others From: george@neato.org X-Remailed: true Sender: firewalls-owner@GreatCircle.COM Precedence: bulk You really should also look at SunScreen from Sun. It is Sun's own firewall solution as opposed to just reselling firewall-1. (http://www.sun.com/security) It is also a stateful firewall that comes as both a turnkey hardware solution (much higher security and stealth technology) and a software solution (along the lines of firewall-1). Sunscreen includes support for VPN (not an add-on like firewall-1 - at an extra cost). It also has a truly secure remote administration capability, network address translation and native support for SKIP encryption (Sun invented it). 
George From owner-firewalls-outgoing Thu May 1 18:09:41 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id SAA17887 for firewalls-outgoing; Thu, 1 May 1997 18:06:53 -0700 (PDT) Received: from orions0.orion.org (orions0.orion.org [198.209.8.195]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id SAA17868 for ; Thu, 1 May 1997 18:06:46 -0700 (PDT) Received: from orionc0.orion.org (orionc0 [198.209.8.196]) by orions0.orion.org (8.8.5/8.7.3) with ESMTP id UAA09472 for ; Thu, 1 May 1997 20:08:24 -0500 (CDT) Received: by orionc0.orion.org (8.8.5) id UAA07677; Thu, 1 May 1997 20:08:21 -0500 (CDT) Date: Thu, 1 May 1997 20:08:21 -0500 (CDT) From: "Cheryl L. Jones" X-Sender: cjones01@orionc0 To: firewalls@greatcircle.com Subject: DELETE ALL Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk From owner-firewalls-outgoing Thu May 1 19:39:31 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id TAA23432 for firewalls-outgoing; Thu, 1 May 1997 19:24:52 -0700 (PDT) Received: from baldy.worldbit.com (baldy.worldbit.com [199.4.115.35]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id TAA23414 for ; Thu, 1 May 1997 19:24:43 -0700 (PDT) Received: from localhost (blast@localhost) by baldy.worldbit.com (8.8.5/8.8.4) with SMTP id TAA12037; Thu, 1 May 1997 19:25:05 -0700 (PDT) Date: Thu, 1 May 1997 19:25:05 -0700 (PDT) From: To: Illuminati Primus cc: Bob Beck , Mark.Loveless@BNSF.COM, ntsecurity@iss.net, mudge@l0pht.com, firewalls@GreatCircle.COM, ntsecurity@iss.net Subject: Re: Scanning from port 20, and packet filters. In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Wed, 30 Apr 1997, Illuminati Primus wrote: > I wasn't trying to suggest what a packet filter's overall policy should > be.. 
> I just wanted to point out that generally, a connection set up through an FTP bounce usually comes from port 20. Sure, broken FTP servers might send it from another port (which ones are these BTW? Are they also vulnerable to bouncing?), or the port might get remapped by a masquerading router.. But in the vast majority of the cases, an attacker won't spend the time to find a bounce-vulnerable ftp server that sends from a port other than 20.. so those stupid people can be logged and filtered by knowing what the usual traffic from a bounced connection will look like.
> I think we all know that the tightest security measure is to only allow connections to known secure services running on secure machines. And of course, to not have bounce-vulnerable FTP daemons.

Before you claim that FTP servers that don't use 20/tcp for the ftp-data channel are broken, you must understand the reason behind this "feature". If you subscribe to the idea that all software has bugs and you run everything least privileged, then consider this:

1) If the daemon does not have to bind() to a port less than 1023, then you don't have to run it as root ever. (LARGE WIN)
2) This coupled with it chroot()'ing is very nice.
3) Most of the people (80% on my last count) are going to PASV you, so even if you ran as root to do the ftp-data active open, it is a moot point. The client will issue both the active open to your 21/tcp for the ftp-control channel, and an active open to your >1023/tcp for the PASV ftp-data connection.

Last I checked, Marcus J Ranum (all around cool dude) once released some code called 'aftpd' which I believe is still on ftp.tis.com in some misc or contrib dir.

If we are talking about 20/tcp to >1023/tcp scanning, don't have anything >1023/tcp listening. If you have to have it, harden it up. If you can't harden it up, filter for it high in your rule sets.
--blast +--------------------------------------------------------------------+ \ Tim Keanini | "The limits of my language, / / aka blast | are the limits of my world." \ \ | --Ludwig Wittgenstein / \ +================================================/ |Key fingerprint = 7B 68 88 41 A8 74 AB EC F0 37 98 4C 37 F7 40 D6 | / PUB KEY: http://www-swiss.ai.mit.edu/~bal/pks-commands.html \ \ / +--------------------------------------------------------------------+ From owner-firewalls-outgoing Fri May 2 01:25:49 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id AAA11498 for firewalls-outgoing; Fri, 2 May 1997 00:56:01 -0700 (PDT) Received: from E-MAIL.COM (e-mail.com [199.171.26.5]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id AAA11491 for ; Fri, 2 May 1997 00:55:55 -0700 (PDT) Message-Id: <199705020755.AAA11491@honor.greatcircle.com> Received: from cem-bb.e-mail.com by E-MAIL.COM (IBM VM SMTP V2R3) with BSMTP id 6464; Fri, 02 May 97 03:57:38 EDT Date: Fri, 02 May 1997 03:57:35 EDT From: toon@cem-bb.e-mail.com To: firewalls@greatcircle.com MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Subject: FW-1 log files Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, 'fw logswitch' looks fine but does not seem to work on our NT version when the FW-1 service is still running. Is it supposed to work while the FW-1 service runs? (In general?, on NT?). We run FW-1 2.1c on NT 3.51. Switching the log from the log viewer GUI works fine without stopping the FW-1 service but can not be used when you want to automate things. 
Toon Mordijck From owner-firewalls-outgoing Fri May 2 01:39:42 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id BAA13721 for firewalls-outgoing; Fri, 2 May 1997 01:28:41 -0700 (PDT) Received: from E-MAIL.COM (e-mail.com [199.171.26.5]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id BAA13703 for ; Fri, 2 May 1997 01:28:33 -0700 (PDT) Message-Id: <199705020828.BAA13703@honor.greatcircle.com> Received: from cem-bb.e-mail.com by E-MAIL.COM (IBM VM SMTP V2R3) with BSMTP id 7220; Fri, 02 May 97 04:30:15 EDT Date: Fri, 02 May 1997 04:30:13 EDT From: toon@cem-bb.e-mail.com To: firewalls@greatcircle.com MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Subject: S/N suggestions Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, * I agree with the suggestion of Gary to reply directly to the sender of noisy contributions to this list. One can always ask some friends to support him in his reaction, but do this by private mail, PLEASE |||||||| * I know that sometimes it is useful to include the original message to make a reply clear, but some of the members of this list really know how to exaggerate. PLEASE NOT more than necessary ||||| Still a member of this list because of my belief that it really can be useful for my job, despite the noise. Toon Mordijck NB: I know this mail is noise too, but I tried to keep it short. 
From owner-firewalls-outgoing Fri May 2 01:54:57 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id BAA15822 for firewalls-outgoing; Fri, 2 May 1997 01:51:50 -0700 (PDT) Received: from relay2.mail.uk.psi.net (sys1.london.uk.psi.net [154.32.108.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id BAA15786 for ; Fri, 2 May 1997 01:51:37 -0700 (PDT) Received: from lightwork.co.uk (lightwork.co.uk [195.152.206.2]) by relay2.mail.uk.psi.net (8.8.4/) with SMTP id JAA02111 for ; Fri, 2 May 1997 09:52:55 +0100 (BST) Received: by lightwork.co.uk (SMI-8.6/SMI-SVR4) id JAA02695; Fri, 2 May 1997 09:52:17 +0100 Received: from owl(192.9.200.2) by roo via smap (V1.3) id sma002690; Fri May 2 09:51:48 1997 Received: by owl.lightwork.co.uk (SMI-8.6/SMI-SVR4) id JAA01291; Fri, 2 May 1997 09:51:46 +0100 Date: Fri, 2 May 1997 09:51:46 +0100 Message-Id: <199705020851.JAA01291@owl.lightwork.co.uk> From: Julian Briggs To: Firewalls@GreatCircle.COM Subject: looking for socksified PASV ftp client Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Dear All, I'm looking for a socksified PASV ftp client (for Solaris, HPUX, IRIX...). On systems which support dynamic linking (runsocks ftp), runsocks breaks the shell escape, eg:

ftp> !ls
ld.so.1: ls: fatal: libsocks5_sh.so: can't open file: errno=2
Killed
ftp>

On systems which don't support dynamic linking (eg HP-UX-9.05) runsocks is not available. Thanks Julian -- Julian Briggs, System Administrator, LightWork Design Ltd 78 Clarkehouse Road, Sheffield S10 2LJ, UK +44 114 266 8404 ext 228 voice. 
+44 114 266 1383 fax julian@lightwork.co.uk, http://www.lightwork.com From owner-firewalls-outgoing Fri May 2 02:22:14 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id AAA11479 for firewalls-outgoing; Fri, 2 May 1997 00:55:39 -0700 (PDT) Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id AAA11463 for ; Fri, 2 May 1997 00:55:28 -0700 (PDT) Received: from Ebay.Sun.COM ([129.150.111.20]) by mercury.Sun.COM (SMI-8.6/mail.byaddr) with SMTP id BAA22421; Fri, 2 May 1997 01:07:55 -0700 Received: from althea.EBay.Sun.COM by Ebay.Sun.COM (SMI-8.6/SMI-5.3) id AAA15539; Fri, 2 May 1997 00:57:08 -0700 Received: by althea.EBay.Sun.COM (SMI-8.6/SMI-SVR4) id XAA05530; Thu, 1 May 1997 23:58:42 -0700 Date: Thu, 1 May 1997 23:58:42 -0700 From: Jerald.Josephs@Ebay.Sun.COM (Jerald Josephs) Message-Id: <199705020658.XAA05530@althea.EBay.Sun.COM> To: firewalls@GreatCircle.COM, fw-1-mailinglist@us.checkpoint.com, drexx@pspi.com.ph Subject: Re: [FW1] [FW-1] [Solaris 2.6] DHCP, VLSM thoughts X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > Hello World, > > First of all, thanks to the many who responded earlier to my routing > pleas. I had been brain-dead enough not to remember then my basic routing > principles and so I had a tough time. (Perhaps I had too much caffeine > from all those Java cups ? );^] ) I'll post a summary later on when I > get my final IP address layout. > > Anyway, when Solaris 2.6 comes out soon, I believe it will include DHCP > and Variable-Length Subnet Masking (VLSM) support. > 1] With DHCP, will that finally allow FW1 filtering by hostnames (oh no!)? With DHCP, one will have to define generic hostnames for the range of IP addresses used in the IP allocation and you will not be able to do Authentication for a user coming from a particular host. > 2] How will VLSM make firewalling administration any easier/better ? 
> No, but it will make it easier to subnet your intranet without losing precious IP addresses to a subnet without enough hosts to use all of the addresses. /\ Jerald E. Josephs \\ \ Course Developer - Network Security \ \\ / Sun Educational Services / \/ / / / / \//\ \//\ / / / / /\ / / \\ \ Phone/VM: 408-276-0941 \ \\ FAX: 408-276-1565 \/ E-mail: jerald.josephs@EBay.Sun.COM > Many thanks, > Drexx. > > "It's a dirty job, but somebody's gotta do it." -- John Wayne > ~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~ > ______ > /_____/\ DEXTER D. LAGGUI > /_____\\ \ Systems Engineer, Systems Integration Group > /_____\ \\ / PHILIPPINE SYSTEMS PRODUCTS INC. > /_____/ \/ / / Penthouse, Corporate Business Center > /_____/ / \//\ 150 Paseo de Roxas Ave., Legaspi Village > \_____\//\ / / Makati City, Philippines > \_____/ / /\ / > \_____/ \\ \ Phone: (++ 63-2) 813-6453 to 55 loc. 222 > \_____\ \\ Fax : (++ 63-2) 813-5834 > \_____\/ Email: drexx@pspi.com.ph > Pager: (++ 63-2) 1277-33615 > ~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~ > From owner-firewalls-outgoing Fri May 2 02:24:45 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id BAA15967 for firewalls-outgoing; Fri, 2 May 1997 01:53:38 -0700 (PDT) Received: from server.aaku.no (server.oks.no [194.19.121.67]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id BAA15959 for ; Fri, 2 May 1997 01:53:31 -0700 (PDT) Received: by server.aaku.no with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5) id <01BC56E7.51BBD670@server.aaku.no>; Fri, 2 May 1997 10:55:16 +0200 Message-ID: From: Bjørn Arne Pedersen To: "'Firewalls@GreatCircle.COM'" Subject: Sessionwall-3 Date: Fri, 2 May 1997 10:55:15 +0200 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: 
firewalls-owner@GreatCircle.COM Precedence: bulk Is there anybody who uses sessionwall-3 out here? I have received an evaluation copy of the product, and I like the features, but how is the security? Anyone? Regards Bjorn Arne From owner-firewalls-outgoing Fri May 2 02:39:49 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id BAA11931 for firewalls-outgoing; Fri, 2 May 1997 01:09:23 -0700 (PDT) Received: from matav.hu (firewall.matav.hu [145.236.225.161]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id BAA11923 for ; Fri, 2 May 1997 01:09:15 -0700 (PDT) Received: from tiivs7.tii.matav.hu ([145.236.48.148]) by firewall.matav.hu with SMTP id <55554-1>; Fri, 2 May 1997 10:08:29 +0100 Received: from Bunuel.tii.matav.hu by tiivs7.tii.matav.hu (MX V4.1 VAX) with SMTP; Fri, 02 May 1997 10:10:03 MET Received: from localhost by Bunuel.tii.matav.hu with smtp id m0wNDTX-002QmKC (Debian Smail-3.2 1996-Jul-4 #2); Fri, 2 May 1997 10:13:55 +0200 (MET DST) Date: Fri, 2 May 1997 09:13:55 +0100 From: "Magossa'nyi A'rpa'd" To: Stan Wnuck CC: firewalls@GreatCircle.COM, swnuck@guru.unixpros.com Subject: Re: CheckPoint vs Others In-Reply-To: <199705012149.OAA20523@honor.greatcircle.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=ISO-8859-2 Content-Transfer-Encoding: QUOTED-PRINTABLE Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Thu, 1 May 1997, Stan Wnuck wrote:

> So I figured I'd throw out some questions to the dogs to chew away on this idea so that I can remain open-minded. :)

Let it be.

> Check Point's product and its direct resellers such as Solstice from SUN are stateful inspection technologies.
> The only two other technologies that I am aware of are:
> a. proxy services such as Raptor or Gauntlet
> b. packet filters
> #1 Are there any other technologies that I am unaware of?
In the Data Comm's firewall survey there is also a thing called Circuit Relay, but I don't know what it is. Could anyone explain that?

> #2 Are they as good as state-ful inspection?

It depends on usage. Someone had pointed out that stateful inspection is something with the "what is not denied is allowed" approach, and as such it is not appropriate for a firewall. I don't know if it is even true, and either lost track of that thread, or there was no answer.

> #3 Why should I use proxy services or packet filters if I can have stateful inspection?

If you don't know the details of the protocol, you will fall back to packet filtering in stateful inspection. I'm not sure if stateful inspection is able to handle it if you want to handle things at higher levels of the protocol.

> #4 Other than Check-Point and their direct resellers, are there any other stateful inspection products that are not associated with Check-Point?

From the Data Comm. survey:
Cyberguard Firewall
Cycon Labyrinth
GTA Gnat Box
Netguard Guardian
Network-1 Firewall/Plus
Sealab's Watchguard
Sunscreen EFS

> #5 Do other products offer remote authentication, encrypted links (VPNs), content security, auditing, load balancing, network translation, exercise policies for access?

Sure. You can do those even with a stock Linux box. Not talking about the pain involved.

> #6 Do other products have a way of creating extranets?

Do you mean DMZ?

> I am sorry if this has been discussed already. If need be, reply direct to me so that others on this list don't have to hear this wasted traffic.

I am replying to the list because there are some issues I don't know much about either.
--- GNU GPL: only from a pure source From owner-firewalls-outgoing Fri May 2 03:24:35 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id BAA13130 for firewalls-outgoing; Fri, 2 May 1997 01:19:59 -0700 (PDT) Received: from E-MAIL.COM (e-mail.com [199.171.26.5]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id BAA13123 for ; Fri, 2 May 1997 01:19:52 -0700 (PDT) Message-Id: <199705020819.BAA13123@honor.greatcircle.com> Received: from cem-bb.e-mail.com by E-MAIL.COM (IBM VM SMTP V2R3) with BSMTP id 6976; Fri, 02 May 97 04:21:32 EDT Date: Fri, 02 May 1997 04:21:31 EDT From: toon@cem-bb.e-mail.com To: firewalls@greatcircle.com MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Subject: port scans, netiquette and so on. Sender: firewalls-owner@GreatCircle.COM Precedence: bulk When I learned about the Internet a few years ago, people told me that there was something called netiquette. The enforcement of the 'rules' was done by the Internet community itself. If one misbehaved the community would let him know in a convincing way. If I see a portscan of our network I don't like it, because I don't know if the intentions behind it are positive or negative. So I try to find out where it comes from. If I find the source, I will do whatever I can to convince those responsible to stop their activities. QUESTION: All hints to do this are welcome. If I can not find the source, I will raise my alertness and also try to look for help (e.g. with my ISP) to defend myself against a probable attack. QUESTION: All hints on this are welcome. 
Sorry for my English, Toon Mordijck From owner-firewalls-outgoing Fri May 2 03:54:33 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id DAA06991 for firewalls-outgoing; Fri, 2 May 1997 03:45:51 -0700 (PDT) Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id DAA06826 for ; Fri, 2 May 1997 03:45:20 -0700 (PDT) Received: from majestix.skp.de (majestix.skp.de [194.163.133.195]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with ESMTP id DAA21352 for ; Fri, 2 May 1997 03:18:48 -0700 (PDT) Received: from maestro (maestro.skp.de [194.163.133.201]) by majestix.skp.de (8.7.5/8.7.3) with SMTP id LAA11351; Fri, 2 May 1997 11:23:14 +0200 Date: Fri, 02 May 1997 12:16:12 +0100 To: Todd Graham Lewis From: Oliver Lau Cc: Firewalls Mailing list , Chris Pugrud , Martin Sauer , Derek Pokorny Subject: Re[2]: NT vs Linux FTP Performance In-Reply-To: References: Message-Id: <3369DB0C23D.A374.lau@skp.de> MIME-Version: 1.0 Content-Type: text/plain Content-Transfer-Encoding: Quoted-Printable X-Mailer: Becky! ver 1.20 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello, all! On Thu, 1 May 1997 02:28:19 -0400 (EDT) Todd Graham Lewis wrote: | On Wed, 30 Apr 1997, Chris Pugrud wrote: | | > I felt that filling a 10BT pipe was more than adequate because this is a | > firewalls forum and most of us do not have the joy of T3 or better | > connections. Of course, few sites are connected to the Internet as fast as T3 or even better. But there are purposes other than securing a local area network from the Internet where a firewall system is the right choice. Think of separating different networks in a huge company. Imagine an ATM, an FDDI or a Fast Ethernet backbone to which enterprise-wide servers and all departments (accountancy, research facilities, etc.) are attached. 
A good reason to control traffic between those networks is that about 80 per cent of all security breaches are inside jobs, jobs of disgruntled officers or bitter former employees or friends of them, all provided with internal information. Others are employees who are bored to death, having enough time to test the system's security, and users who are dumb enough to break in by accident ;-), thus compromising integrity and availability of important data. This directly leads to a firewall solution that has to be able to (a) filter traffic at very high speeds (b) filter multi-protocol traffic (c) observe the state of communication between two hosts (d) be invisible on the network ('stealth mode'). To (a): self-explanatory. To (b): multi-protocol capability means filtering protocols other than IP, such as IPX, AppleTalk, NetBEUI, Banyan, DECnet, because on most networks more than one protocol is used. To (c): the so-called 'stateful inspection' or 'statefulness', providing the highest degree of traffic control, better than isolated packet filtering or inflexible (inconvenient for users) proxies. Packet filtering cannot handle connection-oriented and thus stateful protocols like TCP. Proxies mean that users get used to new conditions, adjusting to new environments. No good, because the ordinary user is hard to satisfy and unwilling to learn how network things work. Statefulness is THE fortunate hybrid solution. To (d): Two methods are possible: First, pseudo-invisibility: e.g. through proxy ARP. Second, complete invisibility: no protocol suites installed, i.e. there has to be a mechanism that fetches all frames from the line directly through the NIC driver, and then forwards the extracted packets to the filtering engine. 
For detailed explanation please visit: US site: http://www.network-1.com/products/firewall/nt German site: http://www.skp.de/prod Regards, Oliver Lau (Senior Security Consultant) Sauer, K=fcster und Partner GmbH Dietrich-Bonhoeffer-Stra=dfe 1-3, 35037 Marburg, Germany fon: +49 6421 938300, fax: +49 6421 938390, URL: www.skp.de From owner-firewalls-outgoing Fri May 2 05:24:58 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA13026 for firewalls-outgoing; Fri, 2 May 1997 05:08:48 -0700 (PDT) Received: from colorado.cycare.com (noghri.cycare.com [143.112.1.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id FAA13019 for ; Fri, 2 May 1997 05:08:43 -0700 (PDT) Received: from dbqnt3.cycare.com (dbqex1.cycare.com [143.112.1.20]) by colorado.cycare.com with SMTP (8.7.1/8.7.1) id HAA10232 for ; Fri, 2 May 1997 07:08:12 -0500 (CDT) Received: by dbqnt3.cycare.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BC56C8.F7C9D9A0@dbqnt3.cycare.com>; Fri, 2 May 1997 07:18:01 -0500 Message-ID: From: Tod Wiederholt To: Firewalls Subject: FW: Need help getting IP traffic through a router. Date: Fri, 2 May 1997 07:11:00 -0500 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Does anyone else out there know of or heard of this technology of running TCP over ICMP? If so, do you know where to obtain the code to provide this functionality? ---------- From: Neil Readwin To: Tod Wiederholt; jim.jones@gtri.gatech.edu Subject: RE: Need help getting IP traffic through a router. Date: Thursday, May 01, 1997 5:18PM Y'all, no, I do not know of any publically available source that implements TCP over ICMP. In fact I've never seen it myself, but in the past people who I trust have said that they have seen code that does it. Regards, Neil. 
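As an added illustration of point (c) in Oliver Lau's message above (this is not code from the thread, from Network-1, or from any other product named in it; the inside network, the addresses, the policy and the packet sequence are all constructed for the example), here is a header-only packet filter next to a minimal connection tracker. It shows why a stateless filter has to accept any inbound segment carrying ACK in order to let replies to outbound connections back in, while a stateful filter accepts only segments that belong to a handshake it has seen begin, and treats everything else as "not explicitly allowed":

```python
"""Stateless header-only filtering next to a stateful connection tracker.

Added illustration for point (c) of Oliver Lau's message; it is not code
from the thread or from any product named in it.  All addresses, the
inside network and the policy below are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE = ip_network("10.0.0.0/8")                 # constructed "inside" network
INBOUND_EXCEPTIONS = {("10.0.0.80", 80)}          # outside may reach the web server only


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags as letters: S=SYN, A=ACK, F=FIN, R=RST


def _inside(addr: str) -> bool:
    return ip_address(addr) in INSIDE


def policy_allows_new(pkt: Packet) -> bool:
    """Default deny: a new connection is allowed only by an explicit rule."""
    if _inside(pkt.src) and not _inside(pkt.dst):
        return True                                      # inside -> outside: allowed
    return (pkt.dst, pkt.dport) in INBOUND_EXCEPTIONS    # outside -> inside: listed exceptions


def stateless_decision(pkt: Packet) -> str:
    """Packet filter: sees one header at a time and keeps no memory.

    To let replies to outbound connections back in it must accept any inbound
    segment carrying ACK, so it cannot tell a genuine reply from an unrelated
    ACK segment arriving from outside."""
    if policy_allows_new(pkt):
        return "allow"
    if _inside(pkt.dst) and "A" in pkt.flags:
        return "allow"                                   # "established" heuristic
    return "deny"


class StatefulFilter:
    """Connection tracker with a simplified TCP state machine (no timeouts,
    no sequence-number checks; a production tracker has both)."""

    def __init__(self) -> None:
        self.conns = {}   # (src, sport, dst, dport) as sent by the initiator -> state

    def decide(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)   # initiator's direction
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)   # responder's direction
        if fwd in self.conns or rev in self.conns:
            key = fwd if fwd in self.conns else rev
            from_initiator = key == fwd
            state = self.conns[key]
            if "R" in pkt.flags:                         # reset tears the entry down
                del self.conns[key]
                return "allow"
            if state == "SYN_SENT" and not from_initiator and "S" in pkt.flags and "A" in pkt.flags:
                self.conns[key] = "SYN_RECV"             # SYN/ACK from the responder
                return "allow"
            if state == "SYN_RECV" and from_initiator and "A" in pkt.flags:
                self.conns[key] = "ESTABLISHED"          # third step of the handshake
                return "allow"
            if state == "ESTABLISHED":
                if "F" in pkt.flags:
                    self.conns[key] = "FIN_WAIT"         # one side started closing
                return "allow"
            if state == "FIN_WAIT":
                if "F" in pkt.flags:
                    del self.conns[key]                  # both sides closed
                return "allow"
            return "deny"                                # out of sequence for its state
        if pkt.flags != "S":
            return "deny"                                # only a bare SYN may open a connection
        if policy_allows_new(pkt):
            self.conns[fwd] = "SYN_SENT"
            return "allow"
        return "deny"


# Constructed traffic: one legitimate outbound web session, then three inbound
# segments that the two approaches judge differently or alike.
SCENARIO = [
    Packet("10.0.0.5", 4000, "198.51.100.7", 80, "S"),    # inside opens to outside
    Packet("198.51.100.7", 80, "10.0.0.5", 4000, "SA"),   # reply to that SYN
    Packet("10.0.0.5", 4000, "198.51.100.7", 80, "A"),    # handshake completes
    Packet("203.0.113.9", 6000, "10.0.0.5", 139, "A"),    # unrelated ACK from outside
    Packet("203.0.113.9", 6001, "10.0.0.80", 80, "S"),    # permitted by the explicit rule
    Packet("203.0.113.9", 6002, "10.0.0.5", 23, "S"),     # no rule: default deny
]


def compare(packets=SCENARIO):
    """Return (stateless, stateful) verdicts per packet, in order."""
    tracker = StatefulFilter()
    return [(stateless_decision(p), tracker.decide(p)) for p in packets]


if __name__ == "__main__":
    for pkt, (by_header, by_state) in zip(SCENARIO, compare()):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} [{pkt.flags}] "
              f"stateless={by_header} stateful={by_state}")
```

The fourth packet is where the two differ: the header-only filter lets it through because ACK is set and it is bound for the inside, while the tracker denies it because no handshake it knows of matches the 4-tuple. Both agree on the last two packets, since those are decided by the explicit rule and by default deny rather than by state.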
From owner-firewalls-outgoing Fri May 2 05:48:15 1997
From: jonesmd@newman (Mike Jones)
Date: Fri, 2 May 1997 08:15:57 -0400
To: swnuck@unixpros.com, mag@bunuel.tii.matav.hu
Cc: firewalls@GreatCircle.COM
Subject: Re: CheckPoint vs Others
Message-Id: <199705021215.IAA28043@bass.unifiedtech.com>

Magossányi Árpád writes...

> On Thu, 1 May 1997, Stan Wnuck wrote:
> > So I figured I throw out some
> > questions to the dogs to chew away on this idea so
> > that I can remain open-minded. :)
> Let it be.
> > Check Point's product and its direct resellers such
> > as Solstice from SUN are stateful inspection technologies.
> > The only two other technologies that I am aware of are:
> > a. proxy services such as Raptor or Gauntlet
> > b. packet filters
> > #2 Are they as good as stateful inspection?
> It depends on usage. Someone had pointed out that stateful
> inspection is something with the "what is not denied is allowed"
> approach, and as such it is not appropriate for a firewall. I don't
> know if it is even true, and either lost track of that thread, or
> was no answer.

Actually, when you start up FW-1 to build a ruleset, it supplies you with a "block everything" rule. If you build exceptions up from that rule, then you're working in the "what is not explicitly allowed is denied" rule. You *can* configure it otherwise, but it's FUD at best and lies at worst for someone to claim that that's the basic approach of the system.

> > #3 Why should I use proxy services or packet filters if
> > I can have stateful inspection?
> If you don't know the details of the protocol, you will fall back to
> packet filtering in stateful inspection.
> I'm not sure if stateful inspection is able to handle if you want
> to handle things in higher levels of the protocol.

That's a good explanation. Things you can't do with stateful inspection include

- URL-level filtering of http transfers
- blocking of other "things" riding on top of http, like Java or ActiveX
- allowing ftp PUT but not GET, or vice versa
- virus scanning

Checkpoint has been adding some of these features into FW-1 by adding proxies, making it sort of a hybrid product. I have mixed feelings about that, actually. I like the stateful inspection approach as a basic firewalling technology, and when possible I like to put my proxies on other hosts, because proxies can often have functions (like caching) that aren't really related to security.

--
Mike Jones
Sr. Technical Advisor
UNIFIED Technologies

From owner-firewalls-outgoing Fri May 2 05:54:39 1997
From: "Dominick Glavach"
Date: Fri, 2 May 1997 08:43:32 -0400
To: firewalls@GreatCircle.COM
Subject: Need to restrict http://www.nude.com and such
Message-Id: <9705020843.ZM12945@sgi122.ctc.com>

I know this is slightly off topic, but I need some advice or some products that will restrict http access to sites such as www.porn.com. Aside from building an exhaustive list on my proxy, what else can I do? Thanks for the help.
--
---------------------------------------------------------------
Dominick Glavach, Unix System Administrator      glavach@ctc.com
Concurrent Technologies Corporation              814/269-2469
                            -NCSA-
---------------------------------------------------------------

From owner-firewalls-outgoing Fri May 2 06:40:07 1997
From: Nick Keenan
Date: Fri, 02 May 1997 09:30:47 -0400
To: "Dominick Glavach"
Cc: firewalls@GreatCircle.COM
Subject: Re: Need to restrict http://www.nude.com and such
In-Reply-To: <9705020843.ZM12945@sgi122.ctc.com>
Message-Id: <3.0.1.32.19970502093047.0090c470@peter>

> I know this is slightly off topic but I need some advice or some products
> that will restrict http access to sites such as www.porn.com. Aside from
> building an exhaustive list on my proxy what else can I do. Thanks for the
> help.

There was an article in the Wall Street Journal a few days ago about a company in Massachusetts that maintains an exhaustive list, and rents it out to corporate companies. They have a staff that spends its days cruising the web and updating the list. I can't remember the name of the company, but it sounds like the best solution I have heard of to date.
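As an added illustration of the list-based approach discussed in the two messages above (this is not code from the thread or from any product it names; the category list, the site policy and the request URLs are constructed for the example), here is a proxy-side decision that looks a request's host up in a maintained category list, matching the host or any listed parent domain, next to the naive keyword matcher that a later reply in this thread warns about with the "sextant" case:

```python
"""List-based URL blocking for a web proxy next to naive keyword matching.

Added illustration for the question above; this is not code from the
thread or from any product it names.  The category list, the policy and
the URLs are constructed for the example.
"""
from urllib.parse import urlsplit

# Constructed category list (host -> category).  The thread describes such
# lists being maintained and rented out by specialist companies; three
# entries stand in for one here.
BLOCKLIST = {
    "porn.com": "nudity",
    "casino.example": "gambling",
    "bets.example": "gambling",
}
DENIED_CATEGORIES = {"nudity"}        # site policy: which listed categories to deny
KEYWORDS = ("sex", "porn", "nude")    # what a naive keyword filter would look for


def host_of(url: str) -> str:
    """Hostname part of a URL, lower-cased, without a trailing dot."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def lookup_category(host: str):
    """Category for the host or the nearest listed parent domain.

    Listing porn.com also covers pics.porn.com; the bare TLD is never tried."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        category = BLOCKLIST.get(".".join(labels[i:]))
        if category:
            return category
    return None


def list_decision(url: str):
    """(verdict, category): deny only when the host's category is denied by policy."""
    category = lookup_category(host_of(url))
    return ("deny" if category in DENIED_CATEGORIES else "allow", category)


def keyword_decision(url: str):
    """(verdict, matched keyword): deny if any keyword appears anywhere in the URL."""
    lowered = url.lower()
    hit = next((k for k in KEYWORDS if k in lowered), None)
    return ("deny", hit) if hit else ("allow", None)


# Constructed requests as a proxy would see them.
REQUESTS = [
    "http://www.porn.com/index.html",                       # listed host
    "http://pics.porn.com/thumb.jpg",                       # subdomain of a listed host
    "http://casino.example/",                               # listed, but policy does not deny gambling
    "http://shop.example/sextants/brass",                   # keyword false positive ("sex")
    "http://clinic.example/sexually-transmitted-diseases",  # keyword false positive
    "http://www.example/",                                  # nothing to block
]


def compare(urls=REQUESTS):
    """Return (list verdict, keyword verdict) per URL, in order."""
    return [(list_decision(u)[0], keyword_decision(u)[0]) for u in urls]


if __name__ == "__main__":
    for url, (by_list, by_keyword) in zip(REQUESTS, compare()):
        print(f"{url:55} list={by_list:5} keyword={by_keyword}")
```

Keeping the list (which hosts fall in which category) separate from the policy (which categories this site denies) is what lets the same rented list serve a hospital and a school differently; the keyword matcher has no such distinction and blocks the sextant shop and the clinic page along with the rest.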
From owner-firewalls-outgoing Fri May 2 07:07:49 1997
From: Bertrum Carroll
Organization: Deere & Company
Date: Fri, 02 May 1997 08:49:11 -0500
To: firewalls@GreatCircle.com
Subject: A DMZ Question
Message-Id: <3369F0D7.1AD9D407@90.deere.com>

In building a redundant DMZ, can I have an NT workstation with two network cards connected to two different switches and still have the same name and IP address? I think I can do this with UNIX, but can NT do the same? Got an example or reference?

          -----Switch-----
         -                -
    R ---- NT ---- Firewall ----
         -                -
          -----Switch-----

I know I'm chasing decimal points when it comes to MTBF, but that's the question.

Thanks in advance

From owner-firewalls-outgoing Fri May 2 07:10:11 1997
From: mcruz@bracco.com (Michael Cruz)
Date: Fri, 2 May 1997 10:07:11 -0400
To: glavach@ctc.com, Nick Keenan
Cc: firewalls@GreatCircle.COM
Subject: Re[2]: Need to restrict http://www.nude.com and such
Message-Id: <369f3a90@bracco.com>

Sounds like a great job. Surf for porn and get paid! What's the name of that company? I know a few guys that want to apply! :-)

mike

______________________________ Reply Separator _________________________________
Subject: Re: Need to restrict http://www.nude.com and such
Author: Nick Keenan at *Internet*
Date: 5/2/97 9:30 AM

> I know this is slightly off topic but I need some advice or some products
> that will restrict http access to sites such as www.porn.com. Aside from
> building an exhaustive list on my proxy what else can I do. Thanks for the
> help.

There was an article in the Wall Street Journal a few days ago about a company in Massachusetts that maintains an exhaustive list, and rents it out to corporate companies. They have a staff that spends its days cruising the web and updating the list.
I can't remember the name of the company, but it sounds like the best solution I have heard of to date.

From owner-firewalls-outgoing Fri May 2 07:25:06 1997
From: Don_Tompkins@esd.tracor.com
Date: Fri, 2 May 1997 09:28:21 -0400
To: Planet_Ocean@profitmaster.com, Warpy
Cc: firewalls@GreatCircle.COM
Subject: Re[2]: Your website's "Findability" -- Search Engine Help
Message-Id: <00001587.1688@esd.tracor.com>

Amen. Maybe we clever security types could invent a dirty word search to deny the unwanted advertisement in the first place. Unfortunately (or maybe fortunately) free speech also includes unwanted speech. I have similar reactions to the junk that violates my snail mail box, but to date the only solution has been the trash can.

______________________________ Reply Separator _________________________________
Subject: Re: Your website's "Findability" -- Search Engine Help
Author: Warpy at ESD
Date: 5/1/97 3:16 PM

Is it just me or does everyone get ticked off about these emails that say reply to make sure you DON'T get any further emails from us. Grrrrr...

Warpy
---------------------------------------------------
A great hack is accomplished before it has begun...
(paraphrased from Sun Tzu)
-[warpy@null.net]- http://castle.dyn.ml.org/~warpy
---------------------------------------------------

From owner-firewalls-outgoing Fri May 2 07:25:21 1997
From: "Webb, Dean"
Date: Fri, 2 May 1997 09:17:03 -0500
To: Firewalls@GreatCircle.COM
Subject: Firewall gone freaky
Message-Id: <2132495A1094D011874400609730779104F779@dalnt032.capgemini.com>

I used to think all the messages sent to this list were made up until something interesting happened to me...

All was well until Sunday morning at 6:11:11 AM, CST. That was the last piece of email we received from our Internet connection out east. It was from mailer-daemon at our_domain.com. (No, I did not get a chance to see it. Sorry.) After that, the BorderGuard firewall discarded all SMTP traffic heading to and from our network. The firewall is on a different network in a sister company. I'm here in the south and I could not monitor the firewall remotely. After noticing on Tuesday that I hadn't gotten ANY mail from the Internet since Sunday morn, I tracked things down to our sister company's firewall and got hold of a guy who could read the logs. He saw tons of traffic - much of it bound for and coming from my machine - being denied and discarded due to "Rule 57." Besides being ticked off that I couldn't send or receive my Internet mail, tons of other folks started bugging me about where their mission-critical email was. We were able to route the email through a different firewall closer to this site (which, although part of our company, has a different network address from the rest of the organization... hey, I didn't build this network, so don't get on my case about it...).

Now that I'm getting Internet mail again, I got a few questions. The BorderGuard was installed out-of-the-box, configured only with our TCP/IP info. No rules regarding traffic were added or modified by any of us in either company since it was first set up. It was running fine until this last Sunday. What happened? Why did "rule 57" decide to go rogue on us? How can we look it up and modify it? Apparently, there is no command-line interface in BG, so how does one edit individual rules? (Or should one?)

(BTW, I would *love* to RTFM, but it's roughly 1500 miles away and the sister company ain't letting it out of their sight or site. Any online BG info on usage, config, and t-shooting would be appreciated.)

Any comments or requests for further information, public, private, or otherwise are fine with me, so long as they aren't sick, insane, illegal, dangerous, or obscene.

Live free or die,
Dean Webb

Voltaire (1694-1778): "I may disagree with what you have to say, but I shall defend, to the death, your right to say it."
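The diagnosis in Dean Webb's message ("tons of traffic being denied due to Rule 57") is the kind of thing a log triage script should surface on its own, before users start asking where their mail went. As an added example, not BorderGuard code and not from the thread (the thread shows no BorderGuard log layout, so the line format, the addresses and the timestamps below are constructed), here is a small triage pass over deny logs that groups denies by rule and port and flags any rule that is dropping a service the site expects to be open, with the first and last time it did so:

```python
"""Triage of firewall deny logs: which rule is dropping which expected
service, how often, and since when.

Added illustration for the "Rule 57" story above.  It is not BorderGuard
code: the thread shows no BorderGuard log format, so the line layout,
addresses and timestamps below are constructed for the example.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<action>ALLOW|DENY) "
    r"rule=(?P<rule>\d+) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Services the site expects the firewall to pass (constructed policy table).
EXPECTED_OPEN = {("tcp", 25): "smtp", ("tcp", 80): "http", ("udp", 53): "dns"}

# Constructed log excerpt: SMTP in both directions starts being denied by one
# rule, other traffic is unaffected, and one line is in an unexpected format.
SAMPLE_LOG = """\
1997-04-27 06:10:58 ALLOW rule=12 proto=tcp src=192.0.2.10:1034 dst=198.51.100.25:25
1997-04-27 06:11:11 DENY rule=57 proto=tcp src=198.51.100.25:2077 dst=192.0.2.10:25
1997-04-27 06:11:40 DENY rule=57 proto=tcp src=192.0.2.10:1035 dst=203.0.113.5:25
1997-04-27 06:12:02 DENY rule=57 proto=tcp src=192.0.2.10:1036 dst=203.0.113.9:25
1997-04-27 06:12:30 ALLOW rule=12 proto=tcp src=192.0.2.11:1040 dst=203.0.113.5:80
1997-04-27 06:13:15 DENY rule=99 proto=udp src=203.0.113.77:3111 dst=192.0.2.10:137
this line is not in the expected format
"""


def parse_log(text):
    """Return (records, malformed_count).  Malformed lines are counted rather
    than dropped silently, so a format change does not hide a problem."""
    records, malformed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        match = LOG_RE.match(line)
        if not match:
            malformed += 1
            continue
        rec = match.groupdict()
        for field in ("rule", "sport", "dport"):
            rec[field] = int(rec[field])
        records.append(rec)
    return records, malformed


def denies_by_rule(records):
    """rule -> {(proto, dport): count}, over DENY records only."""
    table = defaultdict(lambda: defaultdict(int))
    for rec in records:
        if rec["action"] == "DENY":
            table[rec["rule"]][(rec["proto"], rec["dport"])] += 1
    return {rule: dict(ports) for rule, ports in table.items()}


def find_blocked_services(records):
    """One finding per (rule, service) where a DENY hit a service the policy
    expects to be open: rule number, service, hit count, first and last time."""
    findings = {}
    for rec in records:
        key = (rec["proto"], rec["dport"])
        if rec["action"] != "DENY" or key not in EXPECTED_OPEN:
            continue
        finding = findings.get((rec["rule"], key))
        if finding is None:
            findings[(rec["rule"], key)] = {
                "rule": rec["rule"], "service": EXPECTED_OPEN[key],
                "proto": key[0], "port": key[1], "count": 1,
                "first": rec["ts"], "last": rec["ts"],
            }
        else:
            finding["count"] += 1
            finding["last"] = max(finding["last"], rec["ts"])   # ISO timestamps sort as text
    return sorted(findings.values(), key=lambda f: (-f["count"], f["rule"]))


if __name__ == "__main__":
    records, malformed = parse_log(SAMPLE_LOG)
    print(f"{len(records)} records parsed, {malformed} malformed line(s)")
    for rule, ports in sorted(denies_by_rule(records).items()):
        print(f"rule {rule}: {ports}")
    for f in find_blocked_services(records):
        print(f"rule {f['rule']} is denying {f['service']} ({f['proto']}/{f['port']}) "
              f"{f['count']} time(s), first {f['first']}, last {f['last']}")
```

The expected-services table is the part worth maintaining: denies of NetBIOS from outside (rule 99 above) are normal and need no attention, while a single rule suddenly denying SMTP in both directions is exactly the condition that went unnoticed for two days in the story above. Run against the real log, the "first" timestamp is also what tells you whether the change coincides with a reboot, an update, or a rule-base push.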
From owner-firewalls-outgoing Fri May 2 07:40:20 1997
From: Geoff Malvisi
Organization: ON Technology UK
Date: Fri, 2 May 1997 15:27:00 +0100
To: firewalls@greatcircle.com
Subject: Re: CheckPoint vs Others
Message-Id: <20216A3301450200@c2smtp.ontech.co.uk>

======== Original Message ========
[Mike Jones's "Re: CheckPoint vs Others" of Fri, 2 May 1997 08:15:57 -0400, quoted in full; see that message above.]
======== Fwd by: Geoff Malvisi ========

The ON Guard firewall from ON Technology uses stateful inspection (all that is not explicitly allowed is denied) and offers URL and Java blocking. http://www.on.com

I work for ON Technology, so I apologise in advance if I offend anyone who does not appreciate information from vendors.
Have a great day

From owner-firewalls-outgoing Fri May 2 07:55:14 1997
From: "Marc D. Jackson"
Date: Fri, 2 May 1997 07:53:43 -0700 (PDT)
To: Jerald.Josephs@Ebay.Sun.COM (Jerald Josephs)
Cc: firewalls@GreatCircle.COM, fw-1-mailinglist@us.checkpoint.com, drexx@pspi.com.ph
Subject: Re: [FW1] [FW-1] [Solaris 2.6] DHCP, VLSM thoughts
In-Reply-To: <199705020658.XAA05530@althea.EBay.Sun.COM> from "Jerald Josephs" at May 1, 97 11:58:42 pm
Message-Id: <199705021453.HAA10734@Xenon.Stanford.EDU>

Jerald Josephs writes:
>
> > Anyway, when Solaris 2.6 comes out soon, I believe it will include DHCP
> > and Variable-Length Subnet Masking (VLSM) support.

Having just purchased this from Sun and having just spoken with their rep., I think you may be in error re: VLSM.

> > 2] How will VLSM make firewalling administration any easier/better ?
> >
> No, but it will make it easier to subnet your intranet without
> losing precious IP addresses to a subnet without enough
> hosts to use all of the addresses.

? I don't understand this last sentence. My exposure to VLSM indicates that it has nothing to do with subnetting your intranet. I ran into this problem when trying to route with RIP. Specifically, Sun's implementation of the routing socket interface is not the industry standard. In other words, when you use a Sun machine as a multi-homed host with subnetted networks the RIP updates are incorrect. The routers that we used had no problems at all in dealing with the subnetted networks, therefore while we were able to subnet our intranet we had problems with using Suns as any type of router.

mj

From owner-firewalls-outgoing Fri May 2 08:10:00 1997
From: Chris Lonvick
Date: Fri, 02 May 1997 09:41:28 -0500
To: "Dominick Glavach", firewalls@GreatCircle.COM
Subject: Re: Need to restrict http://www.nude.com and such
Message-Id: <2.2.32.19970502144128.006f61d4@diablo.cisco.com>

Hello Dominick,

I assume that your company policy is to prevent your people from getting/displaying/looking-at "dirty pictures" while on company time and/or while using company equipment. From your question, I see that you're looking for ways to enforce your policy. As far as I know, there are two general methods of enforcing your policy.
- making the consequences of failure to comply with the policy a very high cost (like termination)
- finding ways to make it difficult for your users to violate the policy

Exclusively going down path #2 effectively tells your people that it's OK to continue trying to find the "dirty pictures", and that you're going to be in a very reactive mode to try to keep one step ahead of them - usually doesn't work. I've also seen some of these solutions not work exactly as planned. I can't remember the product now, but if the keyword was in the URL, then you couldn't retrieve it. As an example, people looking for sextants could not access any pages with that name in it because it contained the keyword "sex". This concept will probably not work well in specific industries, anyway. I'm sure that doctors in hospitals _should_ be allowed to look for information on "sexually transmitted diseases".

I've seen some companies exclusively use path #1. This has been VERY successful for some of them... well, after the first dozen or so were fired for violating the policy. If you can get this accepted at high levels, then you'll need to review your logs and report any failures to comply. This is much easier on yourself than trying to keep up with the hundreds of new sites added daily. Your company may decide that this is a much more effective use of your time as well. When you're writing your policy, keep in mind that accidents do happen; people will click on URLs not knowing what will be delivered - but not 247 times in a row.

In any event, there are some companies that maintain "lists" of URLs. You should find out their criteria for placing them on their lists before you apply them to your company. Here are two that I know of; I'm sure there are more.

Surfwatch at http://www.surfwatch.com/
NetNanny at http://www.netnanny.com/netnanny/home.html

Hope this helps,
Chris Lonvick
Cisco Systems
Consulting Engineering
Houston, TX, USA
+1.713.778.5663

At 08:43 AM 5/2/97 -0400, Dominick Glavach wrote:
> I know this is slightly off topic but I need some advice or some products
> that will restrict http access to sites such as www.porn.com. Aside from
> building an exhaustive list on my proxy what else can I do. Thanks for the
> help.
>
> --
> ---------------------------------------------------------------
> Dominick Glavach, Unix System Administrator      glavach@ctc.com
> Concurrent Technologies Corporation              814/269-2469
>                             -NCSA-
> ---------------------------------------------------------------

From owner-firewalls-outgoing Fri May 2 08:24:36 1997
From: "Magossányi Árpád"
Date: Fri, 2 May 1997 16:20:20 +0100
To: Mike Jones
Cc: swnuck@unixpros.com, firewalls@GreatCircle.COM
Subject: stateful inspection (was: CheckPoint vs Others)
In-Reply-To: <199705021215.IAA28043@bass.unifiedtech.com>

On Fri, 2 May 1997, Mike Jones wrote:

> > It
depends on usage. Someone had pointed out that stateful
> >     inspection is something with the "what is not denied is allowed"
> >     approach, and as such it is not appropriate for a firewall. I don't
> >     know if it is even true, and either lost track of that thread, or
> >     was no answer.
>
> Actually, when you start up FW-1 to build a ruleset, it supplies you with
> a "block everything" rule. If you build exceptions up from that rule,
> then you're working in the "what is not explicitly allowed is denied"
> rule. You *can* configure it otherwise, but it's FUD at best and lies at
> worst for someone to claim that that's the basic approach of the system.

Do you mean you can explicitly define in every protocol which states/state
transitions are allowed and which not?

---
GNU GPL: only from a pure source

From owner-firewalls-outgoing Fri May 2 08:39:35 1997
From: BLeBlanc@igate.sprint.com
Date: 2 MAY 97 10:20:19 CDT
To: firewalls@greatcircle.com
Subject: RE: Need to restrict http://www.nude.com and such

There are several products that perform this function. Each has pros/cons
and different features. The ones I know of are: CyberSitter, NetNanny,
SurfWatch, The Internet Filter, and CyberPatrol. Typically they block
content that can be separated into either graphics or text, and can filter
on: Violence, Profanity, Full/Partial Nudity, Cult, Drugs, etc.

It's not that off-topic, since firewall vendors have started including this
type of service as an optional feature in their products.

Regards,

Bob LeBlanc, Product Manager, Sprint IP Security
bleblanc@igate.sprint.com
>> USUAL DISCLAIMERS APPLY << The views expressed are purely my own, blah blah blah

______________________________ Reply Separator _________________________________
Subject: Re: Need to restrict http://www.nude.com and such
Author: Nick Keenan at *Internet*
Date: 5/2/97 9:30 AM

>I know this is slightly off topic but I need some advice or some products
>that will restrict http access to sites such as www.porn.com. Aside from
>building an exhaustive list on my proxy what else can I do. Thanks for the
>help.

From owner-firewalls-outgoing Fri May 2 09:11:34 1997
From: "David A. Baldwin"
Date: Fri, 2 May 1997 11:45:04 -0400 (EDT)
To: Michael Cruz
Cc: glavach@ctc.com, Nick Keenan, firewalls@GreatCircle.COM
Subject: Re: Re[2]: Need to restrict http://www.nude.com and such

Raptor works with a company called Microsystems Software, Inc. to include
functionality for a product called CyberNOT in their firewall product. This
product is essentially a list of URLs split into categories such as Full
Nudity, Partial Nudity, Violence, etc. I am certain that you could
incorporate this into any WWW proxy that you may be using.

David Baldwin

On Fri, 2 May 1997, Michael Cruz wrote:

> Sounds like a great job. Surf for porn and get paid! What's the name
> of that company? I know a few guys that want to apply! :-)
>
> mike
>
> ______________________________ Reply Separator _________________________________
> Subject: Re: Need to restrict http://www.nude.com and such
> Author: Nick Keenan at *Internet*
> Date: 5/2/97 9:30 AM
>
> >I know this is slightly off topic but I need some advice or some
> >products that will restrict http access to sites such as www.porn.com. Aside from
> >building an exhaustive list on my proxy what else can I do. Thanks for the
> >help.
>
> There was an article in the Wall Street Journal a few days ago about a
> company in Massachusetts that maintains an exhaustive list, and rents it
> out to corporate companies. They have a staff that spends its days
> cruising the web and updating the list. I can't remember the name of the
> company, but it sounds like the best solution I have heard of to date.
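As an added example that is not part of this thread and not any vendor's code, here is the shape of the category list David Baldwin describes, applied the way a WWW proxy would apply it: a list of hosts each tagged with a category, a policy naming the categories to refuse, and a lookup that normalises the requested URL's host (case, port, user:pass@ prefix, trailing dot) and matches it and its parent domains. The host names, categories and proxy log lines are constructed for the example, not taken from any real list. The last sample line shows why the match is on the host rather than on the URL string: a path that merely contains a listed name is not a listed site.

```python
"""Category-based URL filtering as a WWW proxy would apply a vendor list.
Added example: the category list, policy and log lines below are constructed
for illustration and are not any product's real data."""
from urllib.parse import urlsplit

# Constructed category list (hypothetical .test hosts, not a real vendor list).
# An entry also covers every subdomain of the listed host.
CATEGORY_LIST = {
    "example-nudity.test": "Full Nudity",
    "chat.example-chat.test": "Chat",
    "games.example.test": "Games",
}

# Site policy: categories the proxy refuses. Anything not listed passes,
# which is the limitation of list-based filtering: it only catches hosts
# that are already on the list.
BLOCKED_CATEGORIES = {"Full Nudity", "Partial Nudity", "Violence"}


def normalise_host(url):
    """Return the lowercase hostname of a URL, or None if it has none.

    Handles URLs without a scheme, user:pass@ prefixes, explicit ports and a
    trailing dot, all of which a naive string comparison would miss."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname  # lowercased; userinfo and port removed
    if not host:
        return None
    return host.rstrip(".")


def lookup_category(host):
    """Match the host or any parent domain against the category list,
    so 'www.example-nudity.test' matches the entry 'example-nudity.test'."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in CATEGORY_LIST:
            return CATEGORY_LIST[candidate]
    return None


def decide(url):
    """Return (action, category) for one requested URL."""
    host = normalise_host(url)
    if host is None:
        return ("deny", "malformed")  # refuse what cannot be classified
    category = lookup_category(host)
    if category in BLOCKED_CATEGORIES:
        return ("deny", category)
    return ("allow", category or "unlisted")


def filter_log(lines):
    """Apply decide() to proxy log lines of the form '<client> <url>' and
    return a list of (client, url, action, category) tuples."""
    results = []
    for line in lines:
        client, url = line.split(None, 1)
        url = url.strip()
        action, category = decide(url)
        results.append((client, url, action, category))
    return results


# Constructed sample proxy log (no real clients or sites).
SAMPLE_LOG = [
    "10.0.0.5 http://WWW.Example-Nudity.TEST/index.html",
    "10.0.0.5 http://user:pw@example-nudity.test.:8080/pic.jpg",
    "10.0.0.7 games.example.test/tetris",
    "10.0.0.8 http://192.0.2.10/",
    "10.0.0.9 http://mirror.example.test/example-nudity.test/",
]

if __name__ == "__main__":
    for client, url, action, category in filter_log(SAMPLE_LOG):
        print(f"{action:5} {category:12} {client:10} {url}")
```

Run stand-alone, the block prints one decision per request. The two nudity lines are denied despite the mixed case, the embedded credentials, the port and the trailing dot; the games line is categorised but allowed because the policy does not name that category; the bare IP address and the mirror host are "unlisted" allows, which is exactly the gap Christopher Hicks raises later in this thread: a list says nothing about hosts it has not yet seen.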
From owner-firewalls-outgoing Fri May 2 09:20:55 1997
From: Christopher Hicks
Date: Fri, 2 May 1997 11:57:52 -0400 (EDT)
To: Nick Keenan
Cc: Dominick Glavach, firewalls@GreatCircle.COM
Subject: Re: Need to restrict http://www.nude.com and such
Organization: Flamingo Internet Navigators

On Fri, 2 May 1997, Nick Keenan wrote:

> > I know this is slightly off topic but I need some advice or some
> > products that will restrict http access to sites such as www.porn.com.
> > Aside from building an exhaustive list on my proxy what else can I do.
>
> There was an article in the Wall Street Journal a few days ago about a
> company in Massachusetts that maintains an exhaustive list, and rents it
> out to corporate companies. They have a staff that spends its days
> cruising the web and updating the list. I can't remember the name of the
> company, but it sounds like the best solution I have heard of to date.

That really isn't a solution to the problem, though. Some sites contain
good and bad stuff. Some sites are pirated into containing bad stuff.
Sites come and go like wildfire.

A couple of companies actually do content-oriented restrictions. They
analyze, using "super secret algorithms", whether or not the content is
allowed. The basic idea is that certain words and combinations of words
can, with some context, make a site rate as unviewable. No lists to
maintain.

Pornography isn't the only thing corporations have to worry about, though.
Playing Java Tetris, sitting in chat rooms, etc. are all things
corporations and governments will ultimately want to prohibit. It becomes
obvious quickly that lists are not practical. The only list that might be
practical is an "allowed" list. And given site piracy that would still let
some smut through.

Those who cannot remember the past are doomed to buy Microsoft products.

From owner-firewalls-outgoing Fri May 2 09:25:38 1997
From: Eric Vyncke
Date: Fri, 02 May 1997 17:30:52 +0000
To: newman!jonesmd@uunet.uu.net (Mike Jones), swnuck@unixpros.com, mag@bunuel.tii.matav.hu
Cc: firewalls@GreatCircle.COM
Subject: Re: CheckPoint vs Others

At 08:15 2/05/97 -0400, Mike Jones wrote:
>Magossa'nyi A'rpa'd writes...
>> On Thu, 1 May 1997, Stan Wnuck wrote:
>> > So I figured I throw out some
>> > questions to the dogs to chew away on this idea so
>> > that I can remain open-minded. :)
>> > #3 Why should I use proxy services or packet filters if
>> > I can have stateful inspection?
>> If you don't know the details of the protocol, you will fall back to
>> packet filtering in stateful inspection.
>> I'm not sure if stateful inspection is able to handle if you want
>> to handle things in higher levels of the protocol.
>
>That's a good explanation. Things you can't do with stateful inspection
>include
> - URL-level filtering of http transfers
> - blocking of other "things" riding on top of http, like Java or ActiveX
> - allowing ftp PUT but not GET, or vice versa
> - virus scanning

I guess that at least Checkpoint and Cisco PIX for sure (see my
affiliation! :-) ) can do more than just stateful inspection at layers 3
and 4. They can also check at layer 7, thus allowing special tricks like
NAT (Network Address Translation), Java applet blocking, possibly
filtering by URL. As usual, since such a firewall is built to process
packets in a FAST way, they refrain from looking into all TCP payloads and
look only into the very first ones. This is not a design flaw but rather a
design choice: performance against granularity of control.

>Checkpoint has been adding some of these features into FW-1 by adding
>proxies, making it sort of a hybrid product. I have mixed feelings about
>that, actually. I like the stateful inspection approach as a basic firewalling
>technology, and when possible I like to put my proxies on other hosts,
>because proxies can often have functions (like caching) that aren't really
>related to security.

Web caching is more a performance problem than a security one :-) So, you
can add a Web cache alongside a stateful inspection filter to get the best
of both worlds.

Eric

>
>--
> Mike Jones
> Sr. Technical Advisor
> UNIFIED Technologies
>

Eric Vyncke, Internet security consultant, Cisco Systems Belgium SA/NV
Phone: +32-2-778.4677   Fax: +32-2-778.4300   Mobile: +32-75-312.458
E-mail: evyncke@cisco.com
"Networks bring people together..."

From owner-firewalls-outgoing Fri May 2 10:11:02 1997
From: "Carlos Tay Damaso (Req San Isidro)"
Date: Fri, 2 May 1997 12:06:43 -0500
To: 'firewalls@GreatCircle.COM'
Subject: RV: PROBLEM....

>----------
>From: Carlos Tay Damaso
>Sent: Thursday, April 24, 1997 0:35 AM
>To: 'firewalls@GreatCircle.COM'
>Subject: PROBLEM....
>Importance: High
>
>I have a Borderware Firewall Release 4.01
>The problem is:
>In my LAN I have a default router (3Com NetBuilder II), to which hosts point
>all traffic, and in the same segment of the LAN I have my Firewall.
>My hosts normally reach internal networks through my default router, and
>reach the INTERNET through the Firewall. If the path between the default router
>and the internal network is disrupted, the routes in my hosts (UNIX, NT) change
>to the firewall, and then in a few minutes the firewall hangs up.
>
>Please help me...
>
>Send me your solution to: dcarlos@sunat.gob.pe
>Thanks...
>

From owner-firewalls-outgoing Fri May 2 10:24:46 1997
From: Michel Lavondes
Date: Fri, 02 May 1997 18:46:49 +0100
To: firewalls@greatcircle.com
Subject: Multiple Internet connections and multiple DMZs
X-Cuse: "The dog ate my network"

Hi,

I'm toying with the idea of having multiple Internet connections, each
with its own firewall and DMZ, and I'm wondering whether anyone else has
done this already, and what services are worth replicating or
distributing across DMZs.

Some background:

- There would be a half-dozen Internet connections, spread across the
  world. Each would have its own firewall and DMZ, and would be connected
  to a local network.
- Local networks are connected to CHQ through 64-256K links.
- Likely candidates for distribution are incoming mail (proxied), outgoing
  mail (proxied), incoming news (proxied or tunneled), outgoing news
  (proxied or tunneled), access to outside WEB servers (proxied) and
  outside access to a public WEB server (located in the DMZ).

I'm looking for info on what (if any) services are worth the effort, and
what the initial configuration and maintenance would require.

advTHANKSance

Michel Lavondes (lavondes@tidtest.total.fr), speaking only for himself

Lord, grant me:
- the serenity to accept the things I cannot change
- the courage to change the things I can
- the wisdom to hide the bodies of those I had to kill because they pissed me off
  -- Author unknown

From owner-firewalls-outgoing Fri May 2 11:10:01 1997
From: jonesmd@newman (Mike Jones)
Date: Fri, 2 May 1997 14:02:16 -0400
To: mag@bunuel.tii.matav.hu
Cc: swnuck@unixpros.com, firewalls@GreatCircle.COM
Subject: Re: stateful inspection (was: CheckPoint vs Others)

Magossa'nyi A'rpa'd writes...
> On Fri, 2 May 1997, Mike Jones wrote:
> > > It depends on usage. Someone had pointed out that stateful
> > > inspection is something with the "what is not denied is allowed"
> > > approach, and as such it is not appropriate for a firewall. I don't
> > > know if it is even true, and either lost track of that thread, or
> > > was no answer.
> > Actually, when you start up FW-1 to build a ruleset, it supplies you with
> > a "block everything" rule. If you build exceptions up from that rule,
> > then you're working in the "what is not explicitly allowed is denied"
> > rule. You *can* configure it otherwise, but it's FUD at best and lies at
> > worst for someone to claim that that's the basic approach of the system.
> Do you mean you can explicitly define in every protocol which states/state
> transitions are allowed and which not?

In at least a limited sense, yes. I'm not completely clear on what you
mean by "state transitions". FireWall-1 deals with network objects and
protocols, where a network object may be

- a host
- a network
- a group of hosts and/or networks

The rules are of the form and identify what action should be taken upon
encountering traffic of the specified protocol between the specified
source and destination objects. The action may be allow, drop, or
authenticate.

--
Mike Jones
Sr. Technical Advisor
UNIFIED Technologies

From owner-firewalls-outgoing Fri May 2 11:47:28 1997
From: carson@lehman.com
Date: Fri, 2 May 1997 13:41:09 -0400
To: "Marc D. Jackson"
Cc: Jerald.Josephs@Ebay.Sun.COM (Jerald Josephs), firewalls@GreatCircle.COM, fw-1-mailinglist@us.checkpoint.com, drexx@pspi.com.ph
Subject: Re: [FW1] [FW-1] [Solaris 2.6] DHCP, VLSM thoughts

Having received 2.6 beta refresh, I can state with certainty that Solaris
2.6 _does_ have VLSM support. And DHCP support. And a Berkeley 4.4 routing
socket. And NTP. And....

Who-ho!

--
Carson Gaspar -- carson@cs.columbia.edu carson@lehman.com
http://www.cs.columbia.edu/~carson/home.html

From owner-firewalls-outgoing Fri May 2 12:05:52 1997
From: Russ
Date: Fri, 2 May 1997 13:46:47 -0400
To: 'Firewalls Mailing List'
Subject: Inbound/Outbound roles of Firewalls

Here's a question for you all.
~~~~~~~~ +------------+ { } | | { Internet }<-->+ Firewall-1 +<------------+ { } | B | | ~~~~~~~~ +-----+------+ v ^ ~~~~~~~~~~~ | { Corporate } | { } | { LAN } v ~~~~~~~~~~~ ~~~~~~~~ ~~~~~~~~ +-----+------+ ^ { Branch } { } | | | { Office }<-->{ VPN }<-->+ Firewall-1 +<------------+ { LAN } { } | A | ~~~~~~~~ ~~~~~~~~ +------------+ Ok, so let's assume that the VPN is a Firewall-1 to Firewall-1 encrypted tunnel. Clients from the VPN want to access the Server Farm, and Clients from the Internet want to access the Server Farm (using SecuRemote). *BUT*, Clients also want to access the Internet via the VPN to Firewall A then through Firewall B to the Internet (and vice-versa) My question is this. When a Client wants to go to the Internet, they will be treated as an inbound connection on Firewall A, but an outbound connection on Firewall B. Same is true in reverse for Clients coming from the Internet who want to get to the LAN on the other side of the VPN. I'm thinking that using "established" as a basis for return paths for outbound connections isn't going to work here, and in addition, the port assignments are going to be screwy. A Client from the VPN attempts to establish an HTTP connection with a public web server on the Internet. They attempt an inbound port 80 connect on Firewall A. It passes the request through to Firewall B, which in turn passes it through as an outbound connection request to the Internet. The web server assigns a port to the connection, and Firewall B treats it like an "established" connection and allows it through, then sends it on to Firewall A. What would Firewall A do with this as it would not appear to be an outbound connection request?? Don't ask why I'm using two Firewalls, as the question only has to do with using two Firewalls. I realize I could use only one. They are not there to provide redundancy as the Branch Office LAN will not be exposed directly to the Internet. 
What I'd like to hear about is the idea of using "internal trusted" networks on the Firewall as potentially trusted and untrusted networks. The idea of outbound packets (from the Firewall's perspective) actually being inbound packets (from the trusted LANs perspective) and vice-versa. Cheers, Russ R.C. Consulting, Inc. - NT/Internet Security owner of the NTBugTraq mailing list: http://ntbugtraq.rc.on.ca/index.html From owner-firewalls-outgoing Fri May 2 12:11:00 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA02181 for firewalls-outgoing; Fri, 2 May 1997 10:37:39 -0700 (PDT) Received: from lehman.Lehman.COM (lehman.Lehman.COM [192.147.66.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id KAA02055 for ; Fri, 2 May 1997 10:37:06 -0700 (PDT) From: carson@lehman.com Received: (from smap@localhost) by lehman.Lehman.COM (8.7.5/8.6.12) id NAA02097; Fri, 2 May 1997 13:38:30 -0400 (EDT) Received: from unknown(146.127.39.20) by lehman via smap (V1.3) id tmp002094; Fri May 2 13:38:25 1997 Received: from kublai.lehman.com by relay.lehman.com (4.1/LB-0.6) id AA17859; Fri, 2 May 97 13:38:24 EDT Received: from dragon.lehman.com by kublai.lehman.com (4.1/Lehman Bros. V1.6) id AA17744; Fri, 2 May 97 13:38:23 EDT Received: by dragon.lehman.com (SMI-8.6/Lehman Bros. V1.5) id NAA02630; Fri, 2 May 1997 13:38:22 -0400 Date: Fri, 2 May 1997 13:38:22 -0400 Message-Id: <199705021738.NAA02630@dragon.lehman.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit To: Bertrum Carroll Cc: firewalls@GreatCircle.com Subject: Re: A DMZ Question In-Reply-To: <3369F0D7.1AD9D407@90.deere.com> References: <3369F0D7.1AD9D407@90.deere.com> X-Mailer: VM 6.27 under 20.1 XEmacs Lucid (beta8) Reply-To: carson@lehman.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Use 2 IP addresses on the NT box and the Firewall (and put both in DNS, or your config files, or whatever). 
Having the same IP address on 2 interfaces is probably not the way to go. -- -- Carson Gaspar -- carson@cs.columbia.edu carson@lehman.com http://www.cs.columbia.edu/~carson/home.html From owner-firewalls-outgoing Fri May 2 12:21:27 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA27366 for firewalls-outgoing; Fri, 2 May 1997 10:04:45 -0700 (PDT) Received: from mail.gestronic.ch ([193.246.62.65]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id KAA27211 for ; Fri, 2 May 1997 10:04:10 -0700 (PDT) Received: from rsleiman (sleiman.gestronic.ch [193.246.62.100]) by mail.gestronic.ch (8.8.5/8.8.5) with ESMTP id TAA01750 for ; Fri, 2 May 1997 19:01:39 +0200 (MET DST) Message-ID: <336A207B.116171C@gestronic.ch> Date: Fri, 02 May 1997 19:12:27 +0200 From: Raymond Sleiman Reply-To: Raymond.Sleiman@gestronic.ch Organization: Gestronic Groupe X-Mailer: Mozilla 4.0b3 [en] (WinNT; I) MIME-Version: 1.0 To: "firewalls@GreatCircle.COM" Subject: Firewall 1 version 2.1 on Solaris X-Priority: 3 (Normal) Content-Type: multipart/mixed; boundary="------------7497287AA15F0EA80D405D17" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This is a multi-part message in MIME format. --------------7497287AA15F0EA80D405D17 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Hello, I have the following message when i try to install rules in inspection module acting as a internet gateway: "Peer asked for deny Authentication but i want fwa1 authentication. Authentication for command load failed. Failed to load security policy on name of the gateway: unauthorized action." Could someone tell me what it could be the problem and how to resolve the problem. 
-- _________________________________________________________ Raymond Sleiman Systems Integration Manager GESTRONIC S.A Phone # +41 22 342 71 50 25 rue jacques grosselin Fax # +41 22 343 91 16 1227 Carouge Geneve Mobile # +41 79 200 81 03 Switzerland Direct # +41 22 342 25 27 email: Raymond.Sleiman@gestronic.ch X400:/S=Sleiman/O=Gestronic/P=SWITCH/A=ARCOM/C=ch/@chx400.switch.ch >>>> Visit us on the WEB http://www.gestronic.ch <<<< >>>> Visit our Job page http://www.gestronic.ch/jobs.html <<<< _________________________________________________________ --------------7497287AA15F0EA80D405D17 Content-Type: text/x-vcard; charset=us-ascii; name="vcard.vcf" Content-Transfer-Encoding: 7bit Content-Description: Card for Raymond.Sleiman@gestronic.ch Content-Disposition: attachment; filename="vcard.vcf" begin:vcard fn:Raymond.Sleiman@gestronic.ch n:;Raymond.Sleiman@gestronic.ch adr:;;;;;; email;internet:Raymond.Sleiman@gestronic.ch tel;work: tel;fax: tel;home: x-mozilla-cpt:;0 x-mozilla-html:FALSE end:vcard --------------7497287AA15F0EA80D405D17-- From owner-firewalls-outgoing Fri May 2 12:25:13 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA15315 for firewalls-outgoing; Fri, 2 May 1997 12:19:19 -0700 (PDT) Received: from castles.com (sparc1.castles.com [199.4.103.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id MAA15161 for ; Fri, 2 May 1997 12:18:43 -0700 (PDT) Received: from jmcbrea.castles.com ([205.185.80.10]) by castles.com (5.x/SMI-SVR4/CASTLES) id AA29634; Fri, 2 May 1997 12:14:19 -0700 Message-Id: <2.2.32.19970502192222.00731904@sparc1.castles.com> X-Sender: jmcbrea@sparc1.castles.com X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 02 May 1997 12:22:22 -0700 To: firewalls@greatcircle.com From: John McBrearty Subject: Re: CheckPoint vs Others Sender: firewalls-owner@GreatCircle.COM Precedence: bulk My mailer believes that Stan Wnuck 
wrote: >We are presently evaluating Check-Point's Fire-Wall 1. > If you are considering Firewall-1 you should be aware that Checkpoint has apparently recently instituted a "hard" policy of off-loading all support to VARs. I had called their tech support with some questions about a month ago and got them readily answered, no problem. I called again last week with some questions and could only get as far as a message that I had to contact my VAR. I also tried sending email to Checkpoint and got back a message saying the same thing. I then called the VAR (to whom we had originally been referred by Checkpoint) with my questions; he said he preferred to work by email and would get back to me that way. The VAR's response mostly consisted of a quoted generic reply from a Checkpoint representative which didn't address the specific questions I had asked. Giving the VAR the benefit of the doubt, I restated my questions in email and asked for more specific information. That was two days ago and I have yet to receive a reply. I know that Cisco's PIX box, for instance, has received varying reviews from people on this list. But when you need tech support information from Cisco there are a variety of ways to get it; and I have found their support people always willing to do what it takes to solve problems. It beats a voice mail message saying "Go to your VAR." 
John McBrearty Pleasant Hill, CA 94523 510-974-9171 jmcbrearty@usa.net From owner-firewalls-outgoing Fri May 2 12:56:25 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA29804 for firewalls-outgoing; Fri, 2 May 1997 10:24:26 -0700 (PDT) Received: from greta.teleport.com (sandra.teleport.com [192.108.254.11]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id KAA29790 for ; Fri, 2 May 1997 10:24:18 -0700 (PDT) Received: from linda.teleport.com (linda.teleport.com [192.108.254.12]) by greta.teleport.com (8.8.5/8.7.3) with ESMTP id KAA13698; Fri, 2 May 1997 10:25:45 -0700 (PDT) Received: (from alano@localhost) by linda.teleport.com (8.8.5/8.8.4) id KAA14237; Fri, 2 May 1997 10:25:25 -0700 (PDT) Date: Fri, 2 May 1997 10:25:24 -0700 (PDT) From: Alan To: Dominick Glavach cc: firewalls@GreatCircle.COM Subject: Re: Need to restrict http://www.nude.com and such In-Reply-To: <9705020843.ZM12945@sgi122.ctc.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 2 May 1997, Dominick Glavach wrote: > I know this is slightly off topic but I have need some advise or some products > that will restrict http access to sites such as www.porn.com. Aside from > building an exhaustive list on my proxy what else can I do. Thanks for the > help. Try finding the wire leading from your firewall out to the Internet. Take a large pair of wire cutters and cut that wire. (Be careful not to confuse the power cord with this wire.) Filters are semi-useful at best. Since any of these filters can be bypassed by web proxies, you will only filter out the more clueless of your userbase. (Middle managers and sales people and the like.) You are better off either cutting off access to the net to all (or most) of your users or deal with problems as they occur. I have seen actions like this taken before. 
Someone in management gets a hair up their ass about "people for surfing for porn at work", and instead of doing something that would require real hands on involvement, make a request that puts the burden on another department. This sort of management has all sorts of ramifications that are never taken into account. It shows that management does not trust them. It makes the lives of those who do need to use the net more difficult. (Especially since many of these filters are overbroad and restrict legit sites.) It also breeds contempt for both management and IS. All in all, not the best situation. If you are really wanting to deal with the "problem", I suggest using a log on your web proxy and then deal with people who abuse the situation. Filtering will cause more hastles than they will solve. From owner-firewalls-outgoing Fri May 2 13:10:42 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA07532 for firewalls-outgoing; Fri, 2 May 1997 11:19:43 -0700 (PDT) Received: from vax01.newman.com (newman.com [152.160.11.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id LAA07496 for ; Fri, 2 May 1997 11:19:17 -0700 (PDT) Received: by vax01.newman.com (UCX V2.0-15) Fri, 2 May 1997 14:21:04 -0400 Received: by bass.unifiedtech.com (SMI-8.6/SMI-SVR4) id OAA28149; Fri, 2 May 1997 14:19:23 -0400 Date: Fri, 2 May 1997 14:19:23 -0400 From: jonesmd@newman (Mike Jones) Message-Id: <199705021819.OAA28149@bass.unifiedtech.com> To: newman!jonesmd@uunet.uu.net, swnuck@unixpros.com, mag@bunuel.tii.matav.hu, evyncke@cisco.com Subject: Re: CheckPoint vs Others Cc: firewalls@GreatCircle.COM Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable Content-MD5: CcSVhz3Hqa9bGICoRmj5jg== Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Eric Vyncke writes... > At 08:15 2/05/97 -0400, Mike Jones wrote: > >Magossa'nyi A'rpa'd writes... 
> >> On Thu, 1 May 1997, Stan Wnuck wrote: > >> > So I figured I throw out some > >> > questions to the dogs to chew away on this idea so > >> > that I can remain open-minded. :) > >> > #3 Why should I use proxy services or packet filters if > >> > I can have stateful inspection? > >> If you don't know the details of the protocol, you will fall back = to > >> packet filtering in stateful inspection. > >> I'm not sure if stateful inspection is able to handle if you want > >> to handle things in higher levels of the protocol. > >That's a good explanation. Things you can't do with stateful = inspection > >include > > - URL-level filtering of http transfers > > - blocking of other "things" riding on top of http, like Java or = ActiveX > > - allowing ftp PUT but not GET, or vice versa > > - virus scanning > I guess that at least Checkpoint and Cisco PIX for sure (see > my affiliation ! :-) ) can do more than just statefull inspection > at layers 3 and 4. They can also check at layer 7: thus > allowing special tricks like NAT (Network Address Translation), > JAVA applet blocking, possibly filter by URL.=20 NAT can (and probably should, for performance) happen at layer 3. I don't know about the PIX, but FW-1 does Java blocking by adding an HTTP proxy, producing the hybrid stateful inspection/proxy configuration I=20 mentioned in an earlier message. Frankly, I'd rather put that stuff on a separate proxy server inside the firewall that could also do caching. =20 > >Checkpoint has been adding some of these features into FW-1 by adding = =20 > >proxies, making it sort of a hybrid product. I have mixed feelings = about > >that, actually. I like the stateful inspection approach as a basic=20 firewalling > >technology, and when possible I like to put my proxies on other = hosts,=20 > >because proxies can often have functions (like caching) that aren't = really > >related to security. 
> Web caching is more a performance problem than a security one :-) > So, you can add a Web cache along a stateful inspection filter > to get both of two worlds. Right, but going through *two* proxies doesn't sound like a good idea from a performance perspective. If I'm only going to have one proxy, then I'd rather have it off the firewall than adding non-security proxy functions to the firewall. Admittedly, this is a religious issue. -- Mike Jones Sr. Technical Advisor UNIFIED Technologies From owner-firewalls-outgoing Fri May 2 13:22:48 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA14133 for firewalls-outgoing; Fri, 2 May 1997 12:11:10 -0700 (PDT) Received: from austin.flashcast.com (austin.flashcast.com [207.238.207.130]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id MAA13997 for ; Fri, 2 May 1997 12:10:21 -0700 (PDT) Received: from calesm-cn3.ncr.com ([149.25.22.153]) by austin.flashcast.com (post.office MTA v2.0 0813 ID# 0-16975) with SMTP id AAA194; Fri, 2 May 1997 15:14:36 -0400 X-Mailer: Microsoft Outlook Express 4.71.0544.0 From: calesm@flashcast.com (Mike Cales) To: "'firewalls@greatcircle.com'" , "'ntsecurity@iss.net'" Subject: Re: [NTSEC] RE: L0pht Scanning - Beware Date: Fri, 2 May 1997 15:06:29 -0400 X-Priority: 3 X-MSMail-Priority: Normal MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_01BC570A.69CC08C0" X-MimeOLE: Produced By Microsoft MimeOLE Engine V4.71.0544.0 Message-ID: <19970502191433267.AAA194@calesm-cn3.ncr.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This is a multi-part message in MIME format. ------=_NextPart_000_01BC570A.69CC08C0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable >From the person who was a teen-age hacker and is now a computer = professional. I can remember waht we did in the good 'ole days. We = scanned and we scanned and we scanned Phone numbers. 
The rule of legality as we understood it was: you can call a number once. Perfectly legal. If you call it more than once it is harassment, regardless of whether a person or a computer answered. On one occasion my friend was not exactly caught "scanning", but someone said they were receiving harassing phone calls, i.e. my friend's modem, and his parents were contacted by the authorities. It was explained away as a computer program he was writing had a glitch in it; nothing happened.

Nowadays companies, at least smart companies, have remote access methods which a casual scanner will not pick up on, such as: you dial a number, then enter a specified access number, then you get a carrier tone. So scanning is now defunct except by the lonely, dumb or persistent hacker. Why can't we adopt this metaphor? A program connects via a port, enters an access code, then the communication is allowed. Sort of like a password. Of course encryption and misc. other things will have to be implemented, but it would work; no one would care if their ports were being scanned, and hackers would stop it.

Common-world analogies to doors and windows do not apply in this situation. You must think a little more narrowly. Ask yourself this question: how is this hurting me? Do I feel as if I have been violated? The answer to both is No. The fun part of hacking is getting in the system; I never destroyed any system except systems of my own. But more than simple hackers trying to get in your computer: hackers in general are not a problem. The problem is when you have someone on the other end of the port scan who may be considered an "industrial espionage" expert, but then again they wouldn't go through the hassle; they would just get a job as a janitor where there is no/very little security and just take the hard drive... a lot less traceable. ...enough ranting about a dumb subject. ...
-Mike

----
From: Bill Stout <stoutb@pios.com>
To: 'firewalls@greatcircle.com'; 'ntsecurity@iss.net'
Date: Wednesday, April 30, 1997 9:13 AM
Subject: Re: [NTSEC] RE: L0pht Scanning - Beware

At 12:04 AM 4/28/97 -0700, Dennis Roberts wrote:
<snip>
>hackers is out to get you. If someone breaks into your house and you
>call the police and they do nothing what are you going to do? I bet you
>would maybe buy a gun, or get an alarm system, or do something to
>increase your security! Stop bitchin' and learn from them. I think I
<snip>

Someone broke into my Dad's house once, but it never dawned on me until now that they were doing him a favor. I feel so stupid for wanting to lynch the thief, thinking that society would be better off without their future actions or from their genes polluting the Homo sapiens gene pool. And to think that IMHO, our overly liberalist* society actually supports the breeding of the stupid, lazy and criminal! (Note: Sarcasm)

  *(not to be confused with libertarian)

A cop or security guard on the beat checking locks, or a neighbor seeing another's door ajar is a good thing. Someone telling me that my door latch from 'X' corp is defective, and that I should replace it is a good thing. Entering my house, examining my belongings and spray-painting on the walls to prove a point about my door having a 'brute force' weakness is a bad thing.

Bill Stout

From owner-firewalls-outgoing Fri May 2 13:25:09 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA19261 for firewalls-outgoing; Fri, 2 May 1997 12:53:56 -0700 (PDT)
Received: from ivory.lm.com (ivory.lm.com [204.171.44.50]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id MAA19242 for ; Fri, 2 May 1997 12:53:34 -0700 (PDT)
Received: from jchess.slip.lm.com (jchess.slip.lm.com [205.201.26.86]) by ivory.lm.com (8.8.5/8.6.12) with SMTP id PAA08936 for ; Fri, 2 May 1997 15:55:11 -0400 (EDT)
Message-Id: <199705021955.PAA08936@ivory.lm.com>
Comments: Authenticated sender is
From: "Jean Chess"
To: firewalls@GreatCircle.COM
Date: Fri, 2 May 1997 15:51:03 +0000
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: RE: Need to restrict http://www.nude.com and such
In-reply-to: <0007jjzjtpxd.H000012201e0bc53@igate.sprint.com>
X-mailer: Pegasus Mail for Win32 (v2.53/R1)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Websense (see www.netpart.com) is another such product which integrates with Firewall-1 and is what I am planning to use at a client site.

Jean Chess
RPM Associates, Inc.
Pager: 800-504-8235

From owner-firewalls-outgoing Fri May 2 14:06:18 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA08600 for firewalls-outgoing; Fri, 2 May 1997 11:28:39 -0700 (PDT)
Received: from Xenon.Stanford.EDU (Xenon.Stanford.EDU [171.64.64.24]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id LAA08554 for ; Fri, 2 May 1997 11:28:26 -0700 (PDT)
Received: (from dechon@localhost) by Xenon.Stanford.EDU (8.8.4/8.8.4) id LAA04517; Fri, 2 May 1997 11:29:37 -0700 (PDT)
From: "Marc D. Jackson"
Message-Id: <199705021829.LAA04517@Xenon.Stanford.EDU>
Subject: Re: [FW1] [FW-1] [Solaris 2.6] DHCP, VLSM thoughts
To: carson@lehman.com
Date: Fri, 2 May 1997 11:29:36 -0700 (PDT)
Cc: dechon@CS.Stanford.EDU, Jerald.Josephs@Ebay.Sun.COM, firewalls@GreatCircle.COM, fw-1-mailinglist@us.checkpoint.com, drexx@pspi.com.ph
In-Reply-To: <199705021741.NAA02682@dragon.lehman.com> from "carson@lehman.com" at May 2, 97 01:41:09 pm
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

carson@lehman.com writes:
>
> Having received 2.6 beta refresh, I can state with certainty that Solaris
> 2.6 _does_ have VLSM support. And DHCP support. And a berkeley 4.4 routing

I just love it when reps give wrong information. :)

mj

> socket. And NTP. And....
>
> Who-ho!
>
> --
> --
> Carson Gaspar -- carson@cs.columbia.edu carson@lehman.com
> http://www.cs.columbia.edu/~carson/home.html
>
>

From owner-firewalls-outgoing Fri May 2 14:26:22 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA19044 for firewalls-outgoing; Fri, 2 May 1997 12:51:02 -0700 (PDT)
Received: from sunat.gob.pe (sunat.gob.pe [161.132.37.4]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id MAA19003 for ; Fri, 2 May 1997 12:50:44 -0700 (PDT)
Received: from lima.sunat.gob.pe ([150.200.100.51]) by firesun.sunat.gob.pe with SMTP id <32257-1>; Fri, 2 May 1997 14:53:26 -0500
Received: by lima.sunat.gob.pe with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52) id <01BC5708.3C688950@lima.sunat.gob.pe>; Fri, 2 May 1997 14:50:54 -0500
Message-ID:
From: "Carlos Tay Damaso (Req San Isidro)"
To: "'firewalls@GreatCircle.COM'"
Subject: PROBLEM....
Date: Fri, 2 May 1997 15:13:53 -0500
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>----------
>From: Carlos Tay Damaso
>Sent: Friday, May 02, 1997 12:06 PM
>To: 'firewalls@GreatCircle.COM'
>Subject: FW: PROBLEM....
>Importance: High
>
>
>
>----------
>From: Carlos Tay Damaso
>Sent: Thursday, April 24, 1997 0:35 AM
>To: 'firewalls@GreatCircle.COM'
>Subject: PROBLEM....
>Importance: High
>
>I have a Borderware Firewall Release 4.01.
>The problem is:
>In my LAN I have a default router (3Com NetBuilder II), to which hosts point
>all traffic, and in the same segment of the LAN I have my firewall.
>My hosts normally reach internal networks through my default router, and
>reach the Internet through the firewall. If the path between the default router
>and the internal network is disrupted, the routes in my hosts (UNIX, NT) change
>to the firewall, and then in a few minutes the firewall is hung up.
>
>Please help me...
>
>Send me your solution to: dcarlos@sunat.gob.pe
>Thanks...
From owner-firewalls-outgoing Fri May 2 15:09:31 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA19120 for firewalls-outgoing; Fri, 2 May 1997 12:51:51 -0700 (PDT)
Received: from relay.nswc.navy.mil (relay.nswc.navy.mil [128.38.1.41]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id MAA19104 for ; Fri, 2 May 1997 12:51:39 -0700 (PDT)
Received: from joatmon (joatmon.nswc.navy.mil) by relay.nswc.navy.mil (4.1/SMI-4.1) id AA12823; Fri, 2 May 97 15:53:01 EDT
Received: by joatmon (4.1/SMI-4.1) id AA00690; Fri, 2 May 97 15:53:02 EDT
Date: Fri, 2 May 97 15:53:02 EDT
From: snorthc@nswc.navy.mil (Stephen Northcutt - CD2S)
Message-Id: <9705021953.AA00690@joatmon>
To: Firewalls@GreatCircle.COM
Subject: Re: Need to restrict http://www.nude.com and such
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 2 May 1997, Nick Keenan wrote:
> > I know this is slightly off topic but I need some advice or some
> > products that will restrict http access to sites such as www.porn.com.
> > Aside from building an exhaustive list on my proxy what else can I do.
>
>Christopher Hicks followed with:
>A couple of companies actually do content-oriented restrictions. They
>analyze using "super secret algorithms" whether or not the content is
>allowed. The basic idea is that certain words and combinations of
>words can with some context make a site rate as unviewable. No lists to
>maintain.
Well, this list was developed with taxpayer money, you can call it yours and charge what you like; it has proven to be very effective:
http://www.nswc.navy.mil/ISSEC/Docs/Progs/keyword.txt

Most of the other supporting scripts can be found at:
http://www.nswc.navy.mil/ISSEC/Docs/Progs/index.html

Description of the system:
http://www.nswc.navy.mil/ISSEC/Docs/loggingproject.html

And the processes that allow us to operate it fairly:
http://www.nswc.navy.mil/ISSEC/SAC/sac.html

>Pornography isn't the only thing corporations have to worry about, though.
>Playing Java Tetris, sitting in chat rooms, etc. are all things
>corporations and governments will ultimately want to prohibit. It becomes
>obvious quickly that lists are not practical. The only list that might be
>practical is an "allowed" list. And given site-piracy that would still
>let some smut through.

Covered, all covered, by the system above. Now working on *hard* problems: gigabit firewalls, multi-site intrusion detection, auditing switched nets.

Stephen (ichabod on #hack ... like I have time)
http://www.nswc.navy.mil/ISSEC/SRN/snorthc.html

From owner-firewalls-outgoing Fri May 2 15:55:18 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id PAA07981 for firewalls-outgoing; Fri, 2 May 1997 15:01:44 -0700 (PDT)
Received: from eagle1.raptor.com (raptor.com [204.7.243.11]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id PAA07742 for ; Fri, 2 May 1997 15:00:45 -0700 (PDT)
Received: from raptor1.raptor.com ([204.7.242.10]) by eagle1.raptor.com via smtpd (for honor.greatcircle.com [198.102.244.44]) with SMTP; 2 May 1997 22:02:19 UT
Received: from prouty (user-37kb49i.dialup.mindspring.com [207.69.145.50]) by raptor1.raptor.com (8.7.3/8.7.3) with SMTP id SAA08299; Fri, 2 May 1997 18:01:48 -0400 (EDT)
Message-Id: <2.2.32.19970502220405.006e9044@204.7.242.10>
X-Sender: aprouty@204.7.242.10
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 02 May 1997 18:04:05 -0400
To: Firewalls@GreatCircle.COM
From: "Alan Prouty (Raptor Systems, Inc.)"
Subject: Re: Need to restrict http://www.nude.com and such
Cc: glavach@ctc.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Date: Fri, 2 May 1997 08:43:32 -0400
>From: "Dominick Glavach"
>Subject: Need to restrict http://www.nude.com and such
>I know this is slightly off topic but I need some advice or some
>products that will restrict http access to sites such as www.porn.com. Aside
>from building an exhaustive list on my proxy what else can I do. Thanks for
>the help.
>
Stuff deleted...

Please note my signature block. Some firewall vendors allow URLs to be blocked based on the firewall administrator's input. Raptor provides this service as well, but takes it a step further. Raptor provides a unique service called WebNot that runs as an option on the Eagle. You can block URLs based on 12 pre-configured categories.
This configuration can be enforced based on groups of machines, networks, or users, and it allows groups to have different sets of rules regarding which sites they can get to. The database is automatically downloaded by the firewall every 6 days. The database is maintained by CyberPatrol and they update it every day.

----======----
Alan Prouty                          E-mail: aprouty@raptor.com
Southeast Region Systems Engineer    Fax: 404-870-9138
Raptor Systems, Inc.                 Office: 404-870-9058
+++ZDI Internet 1997 BEST FIREWALL+++

From owner-firewalls-outgoing Fri May 2 17:09:34 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA28294 for firewalls-outgoing; Fri, 2 May 1997 17:05:04 -0700 (PDT)
Received: from peets.us.checkpoint.com (us.checkpoint.com [206.86.35.130]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id RAA28282 for ; Fri, 2 May 1997 17:04:56 -0700 (PDT)
Received: from brian.us.checkpoint.com (brainiac.us.checkpoint.com [206.86.35.59]) by peets.us.checkpoint.com (8.8.3/8.8.3) with ESMTP id QAA04268; Fri, 2 May 1997 16:47:52 -0700 (PDT)
Message-ID: <336A7C31.C35212A3@us.checkpoint.com>
Date: Fri, 02 May 1997 16:43:45 -0700
From: Brian Connolly
Reply-To: brian@us.checkpoint.com
Organization: Check Point Software Technologies
X-Mailer: Mozilla 4.0b3 [en] (Win95; I)
MIME-Version: 1.0
To: Brett Eldridge
CC: CHRISTIAN_STAHL@HP-Denmark-om1.om.hp.com, firewalls@GreatCircle.COM
Subject: Re: MS NetMeeting 2.0 and Raptor Eagle vers. 4.0
X-Priority: 3 (Normal)
References: <337b1322.99279981@cup46ux.cup.hp.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

If you want to be able to detect the H.323 protocol that NetMeeting has been built on top of, you'll need to decode the packets to figure out where those "dynamic" ports end up.
FireWall-1 has the ability to do this (you need to specifically look at the application data and grab "OpenLogicalChannel" commands) with its H.323 service built into 3.0. When FireWall-1 finds these dynamic port commands, it puts a dynamic rule into the firewall that associates these extra channels (and there could be up to 8 of them) with the existing H.323 control connection, thereby letting it through.

Instead, you could always open up TCP and UDP ports 1025 through 65535 both ways through your firewall, as the below chart suggests ;)

- Brian

Brett Eldridge wrote:
>
> On Thu, 1 May 97 08:52:50 +0200, you wrote:
>
> >Hey everybody,
> >
> >Does anyone know how to set up Raptor Eagle version 4.0, running on NT
> >4.0, to MS NetMeeting?
>
> Hi Christian,
>
> This is going to be tough for any application proxy style firewall
> because you need to open up multiple TCP ports (389 and 522) along
> with all the TCP/UDP high ports (argh). At least, this is how I read
> the MS article. This is obviously a large security risk and creates a
> hole in your firewall system big enough to "fling a moose through"
> (see Note 1).
>
> Basically, for the Raptor Eagle firewall gateway, you need to use the
> GSP feature to define a service for each of the ports listed below.
>
> I have included a portion of the text from one of Microsoft's
> Knowledge Base articles. You can find the article at:
> http://www.microsoft.com/kb/articles/q164/0/38.htm
>
> - brett
>
> ---- Text of article ----
>
> Microsoft NetMeeting 2.0 uses several secondary TCP and UDP ports to
> communicate.
> To allow NetMeeting to communicate fully, the following
> ports need to be enabled on the WinSock portion of the Proxy Server:
>
>   389      Internet Locator Server
>   522      User Location Server
>   1503     T.120 Protocol
>   1720     H.323 call setup (TCP)
>   1731     Audio call control (TCP)
>   Dynamic  H.323 Call Control (TCP)
>   Dynamic  H.323 streaming (RTP over UDP)
>
>   Port or Range   Type   Direction
>   -------------   ----   ---------
>   389             TCP    Inbound
>   389             TCP    Outbound
>   522             TCP    Inbound
>   522             TCP    Outbound
>   1025-65535      TCP    Inbound
>   1025-65535      TCP    Outbound
>   1025-65535      UDP    Inbound
>   1025-65535      UDP    Outbound
>
> Note 1: Thanks to Marcus for enlightening me as to the highly
> technical term to use to aptly describe situations like this.

--
===================================================================
Brian Connolly                       brian@us.checkpoint.com
Business Development Engineer        415.562.0400, ext 252
Check Point Software Technologies    fax 415.562.0410

From owner-firewalls-outgoing Fri May 2 17:24:54 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA28490 for firewalls-outgoing; Fri, 2 May 1997 17:09:02 -0700 (PDT)
Received: from peets.us.checkpoint.com (us.checkpoint.com [206.86.35.130]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id RAA28483 for ; Fri, 2 May 1997 17:08:56 -0700 (PDT)
Received: from brian.us.checkpoint.com (brainiac.us.checkpoint.com [206.86.35.59]) by peets.us.checkpoint.com (8.8.3/8.8.3) with ESMTP id RAA05261; Fri, 2 May 1997 17:12:17 -0700 (PDT)
Message-ID: <336A81EB.7D96417E@us.checkpoint.com>
Date: Fri, 02 May 1997 17:08:11 -0700
From: Brian Connolly
Reply-To: brian@us.checkpoint.com
Organization: Check Point Software Technologies
X-Mailer: Mozilla 4.0b3 [en] (Win95; I)
MIME-Version: 1.0
To: Dominick Glavach
CC: firewalls@GreatCircle.COM
Subject: Re: Need to restrict http://www.nude.com and such
X-Priority: 3 (Normal)
References: <9705020843.ZM12945@sgi122.ctc.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

FireWall-1 3.0 supports UFP (URL Filtering Protocol), which allows you to plug URL scanning software directly into your firewall. A number of the companies already mentioned in this thread are writing to this spec (the first announced was NetPartner's WebSENSE).

The model usually works like this: you buy the URL filtering software that supports UFP, and integrate it with your firewall. It comes with an initial database of URLs, each categorized (pornography, hacking, sports, user-defined, etc). At the firewall, you can create rules such as "Allow all outgoing Web traffic except for adult entertainment and gambling". You can also purchase a "subscription service" to get your URL database updated every evening.

- Brian

Dominick Glavach wrote:
>
> I know this is slightly off topic but I need some advice or some products
> that will restrict http access to sites such as www.porn.com. Aside from
> building an exhaustive list on my proxy what else can I do. Thanks for the
> help.
>
> --
>
> ---------------------------------------------------------------
> Dominick Glavach, Unix System Administrator      glavach@ctc.com
> Concurrent Technologies Corporation              814/269-2469
> -NCSA-
> ---------------------------------------------------------------

--
===================================================================
Brian Connolly                       brian@us.checkpoint.com
Business Development Engineer        415.562.0400, ext 252
Check Point Software Technologies    fax 415.562.0410

From owner-firewalls-outgoing Fri May 2 19:09:27 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id TAA06075 for firewalls-outgoing; Fri, 2 May 1997 19:04:13 -0700 (PDT)
Received: from sylvania.sev.org (sylvania.sev.org [206.98.18.20]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id TAA06068 for ; Fri, 2 May 1997 19:04:08 -0700 (PDT)
Received: from port181.sev.org by sylvania.sev.org; (5.65v3.2/1.1.8.2/08Dec95-0254PM) id AA12480; Fri, 2 May 1997 22:02:24 -0400
Message-Id: <9705030202.AA12480@sylvania.sev.org>
Subject: Macintosh firewall?
Date: Fri, 2 May 97 22:06:11 +0100
X-Mailer: Claris Emailer 1.1
From: Mitch Gorsha
To:
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Well, I've been watching the list and waiting for it to surface, but it hasn't yet. So I'll go ahead and ask ...

Is there a firewall product out there, somewhere, that runs on a Macintosh? Without having to go to the Mac AIX servers?

Whew! Now I feel better, but I'm still interested!

thanks ... [mpg]

_/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/
Mitch Gorsha
Senior Systems Engineer - SFT-CompuWorx
(419)843-8200
Do you believe in Macintosh? Please check out and join the EvangeList mailing list by sending an email to .
_/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/
From owner-firewalls-outgoing Fri May 2 20:54:30 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id UAA12413 for firewalls-outgoing; Fri, 2 May 1997 20:49:57 -0700 (PDT)
Received: from nimue.jammed.com (jammed.com [165.227.120.19]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id UAA12406 for ; Fri, 2 May 1997 20:49:51 -0700 (PDT)
Received: (from deadmail@localhost) by nimue.jammed.com (8.8.5/8.8.5) id UAA18337 for firewalls@greatcircle.com; Fri, 2 May 1997 20:51:42 -0700
Received: from nimue.jammed.com (gate.jammed.com) by gate.jammed.com (deadmail-1.1/JAMMED) via SMTP; Fri May 2 20:51:42 1997
Date: Fri, 2 May 1997 20:51:41 -0700 (PDT)
From: "James W. Abendschan"
To: firewalls@greatcircle.com
Subject: SunOS Gauntlet file permissions
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

One of the sites I do work for runs Gauntlet 3.1 under SunOS 4 (and for the record, it performs quite well, considering the load.) Last week I took a look around the system and found some rather glaring file permission problems:

drwxrwsrwx  2 root  staff    512 May 20  1996 /etc/sm
drwxrwsrwx  2 root  staff    512 May 20  1996 /etc/sm.bak
-rwxrwxrwx  1 root  wheel  24576 May 22  1996 /usr/local/etc/udpnull
-rw-rw-rw-  1 root  bin    50036 Apr 10 18:04 /usr/kvm/sys/gauntlet/swipe/swipemod
-rw-rw-rw-  1 root  staff     72 Apr 25 14:08 /etc/utmp
-rw-rw-rw-  1 root  staff      4 Apr 10 18:04 /etc/syslog.pid
-rw-rw-rw-  1 root  staff      1 May 20  1996 /etc/state

....in other words, a stock SunOS system (right down to the suid /usr/openwin/bin/loadmodule) with some TIS-isms thrown in. These were on the Day 0 dump tape, so the firewall was *installed* this way.

Now maybe I'm being excessively paranoid, but isn't the OS supposed to be hardened up a bit before implementing it as a firewall?
This is not a TIS flame; I was simply shocked to see all these writable files and setuid binaries on the system. Granted, no one should be able to get a shell-- root or otherwise-- on the system, but who knows what madness lurks in the depths of 3rd party proxies.

Just curious if anyone else has seen this...

James

--
James W. Abendschan                                  jwa@jammed.com
JAMMED Systems, Inc.                                 http://www.jammed.com
"Turing," she said. "You are under arrest." -- William Gibson

From owner-firewalls-outgoing Sat May 3 01:24:34 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id BAA22734 for firewalls-outgoing; Sat, 3 May 1997 01:13:06 -0700 (PDT)
Received: from matav.hu (firewall.matav.hu [145.236.225.161]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id BAA22726 for ; Sat, 3 May 1997 01:12:59 -0700 (PDT)
Received: from tiivs7.tii.matav.hu ([145.236.48.148]) by firewall.matav.hu with SMTP id <55557-1>; Sat, 3 May 1997 10:12:22 +0100
Received: from Bunuel.tii.matav.hu by tiivs7.tii.matav.hu (MX V4.1 VAX) with SMTP; Sat, 03 May 1997 10:14:19 MET
Received: from localhost by Bunuel.tii.matav.hu with smtp id m0wNa1D-002QmKC (Debian Smail-3.2 1996-Jul-4 #2); Sat, 3 May 1997 10:18:11 +0200 (MET DST)
Date: Sat, 3 May 1997 09:18:11 +0100
From: "Magossa'nyi A'rpa'd"
To: Mike Jones
CC: swnuck@unixpros.com, firewalls@GreatCircle.COM
Subject: Re: stateful inspection (was: CheckPoint vs Others)
In-Reply-To: <199705021802.OAA28142@bass.unifiedtech.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=ISO-8859-2
Content-Transfer-Encoding: QUOTED-PRINTABLE
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 2 May 1997, Mike Jones wrote:
> > Do you mean you can explicitly define in every protocol which states/state
> > transitions are allowed and which not?
>
> In at least a limited sense, yes.
> I'm not completely clear on what you mean by "state transitions".

For example, in an smtp session I assure that the other side should start with a helo (state 1), and should continue with a mail from (state 2) and not a vrfy (state 3). Might be a silly example, perhaps it's another protocol level, but isn't it why those firewalls are called "stateful inspection"?

> FireWall-1 deals with network objects and protocols, where a network
> object may be
> - a host
> - a network
> - a group of hosts and/or networks
> The rules are of the form
>
> and identify what action should be taken upon encountering traffic of
> the specified protocol between the specified source and destination
> objects. The action may be allow, drop, or authenticate.

It looks like the good old port filtering.

---
GNU GPL: csak tiszta forrásból (only from a pure source)

From owner-firewalls-outgoing Sat May 3 03:09:34 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id DAA00813 for firewalls-outgoing; Sat, 3 May 1997 03:03:16 -0700 (PDT)
Received: from majestix.skp.de (majestix.skp.de [194.163.133.195]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id DAA00796 for ; Sat, 3 May 1997 03:03:05 -0700 (PDT)
Received: from maestro (maestro.skp.de [194.163.133.201]) by majestix.skp.de (8.7.5/8.7.3) with SMTP id LAA16747; Sat, 3 May 1997 11:10:19 +0200
Date: Sat, 03 May 1997 12:04:11 +0100
To: "Urban A. Haas"
From: Oliver Lau
Cc: , Derek Pokorny , Martin Sauer
Subject: Re: Firewalls for non-IP protocols
In-Reply-To: <33689EA0.622F@urbantechnology.com>
References: <33689EA0.622F@urbantechnology.com>
Message-Id: <336B29BB365.BDB4.lau@skp.de>
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: Quoted-Printable
X-Mailer: Becky! ver 1.20
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Greetings!

On Thu, 01 May 1997 08:46:09 -0500 "Urban A. Haas" wrote:

| Are there any firewalls that can extend beyond IP protecting SNA and IPX
| without encapsulation - or at least encrypting the data? (Or is the
| encryption portion a different issue altogether?)

Yes, FireWall/Plus from Network-1, NY, is the only multi-protocol firewall (for DOS and Windows NT with Intel and Alpha CPUs) worldwide, capable of filtering about 400 different protocols and subprotocols from OSI layer 2 to 7. It can act as a dual-homed gateway and also be installed on NT workstations and servers to provide full virtual private networks, end to end, i.e. encrypted tunneling from sender to receiver and not only from firewall to firewall.

|
| I have some that are becoming interested in using this kind of
| technology over their frame-relay links to protect snooping from telco
| or telco mishaps, etc.

No problem, Cisco support is integrated. All routers that are attached via an ethernet link are supported.

|
| I know I can run IP-based Netware, DLS (Data-Link Switching), etc to get
| a totally-IP based network to accomplish this, but this kind of digs
| into some firewall vendor's suggestions that their devices be used on
| Intranets also. The difference, to me being, support for other network
| protocols.

You don't have to install such strange devices with FireWall/Plus. Any protocol can be filtered, and if you use a protocol that is not listed, define it on your own. This takes two minutes for each new protocol, if you know about the port it addresses and/or the ID it uses. You can also implement connection management for connection-oriented protocols like TCP by adding code in a C- or Pascal-like language that does detailed filtering, observing and controlling the state of communication, better known as 'statefulness'. So filtering down to the bit level is already built in.

|
| Maybe the best bet is encryption of some kind of all data between point
| a and point b, ignoring protocols, but I am curious as to anyone's
| particular experience.
See above. Works very well. :-)

For detailed information please visit:
US site: http://www.network-1.com/products/firewall/nt
German site: http://www.skp.de/prod

Regards
Oliver Lau (Senior Security Consultant)
Sauer, Küster und Partner GmbH
Dietrich-Bonhoeffer-Straße 1-3, 35037 Marburg, Germany
fon: +49 6421 938300, fax: +49 6421 938390, URL: www.skp.de

From owner-firewalls-outgoing Sat May 3 04:39:36 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA07403 for firewalls-outgoing; Sat, 3 May 1997 04:33:59 -0700 (PDT)
Received: from zonk.geko.net.au (zonk.geko.net.au [203.2.239.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id EAA07396 for ; Sat, 3 May 1997 04:33:47 -0700 (PDT)
Received: from mozart.void.hell.net (dialup3121.sydney.geko.net.au [203.25.224.121]) by zonk.geko.net.au (8.8.5/8.6.12) with ESMTP id VAA11832 for ; Sat, 3 May 1997 21:44:48 +1000 (EST)
Received: from beethoven ([192.168.0.2]) by mozart.void.hell.net with smtp id m0wNadC-000Jn4C (Debian Smail-3.2 1996-Jul-4 #2); Sat, 3 May 1997 18:57:26 +1000 (EST)
Message-Id:
From: "Norman Widders"
Date: Sat, 3 May 1997 18:51:53 +0000 GMT
Subject: Re: Need to restrict http://www.nude.com and such
To:
Reply-To:
Organization: WCE Consulting
X-Mailer: Paladin IMAP4 Client v2.0
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Content-Transfer-Encoding: 7BIT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In reply to Alan

> Filters are semi-useful at best. Since any of these filters can be
> bypassed by web proxies, you will only filter out the more clueless of
> your userbase. (Middle managers and sales people and the like.) You are
> better off either cutting off access to the net to all (or most) of your

I would mostly agree that filtering does not work. Many legitimate sites will then be blocked, with the result that users will not be able to access information that they need.
This has been demonstrated many times, and the latest German fiasco exemplifies this, with the result that the filter was removed. These companies supplying lists of sites to block also tend to have their own hidden agenda and will include sites that they are biased against; e.g., the National Organisation for Women is on one of the prominent filter lists supplied by one company. So which list can you in fact trust?

Monitoring the log files to see where people are surfing and then taking action is the best remedy, surely. If people are using web proxies / anonymizers then this too is suspicious behaviour for an employee and should be noted. Or perhaps keep an up-to-date ban list of anonymizers; it puts you between a rock and a hard place :-)

It also makes me wonder if security consultants and admins have lost touch with basic office procedures. Whatever happened to timesheets that employees fill out each hour, showing what they were doing in that time? If they are surfing the net for a few hours looking at things they shouldn't, their timesheets will show unjustifiable amounts of time being spent on trivial work, i.e. they will falsify their workload, which is easy to catch. E.g., 2 hours spent on a memo?

On the other hand, if the employees are just spending a few minutes here and there looking at playboy.com or similar, you probably won't catch them. But then what's the difference between that and the interoffice chatting that goes on at the coffee machine and wastes just as much time but is usually thought of as _acceptable_ behaviour?
--
+--------------------------------------------------------------+
| #include                                                     |
|                                                              |
| E-MAIL: winspace@geko.net.au                                 |
| HOMEPAGE: http://www.geocities.com/ResearchTriangle/4431     |
|                                                              |
+--------------------------------------------------------------+

From owner-firewalls-outgoing Sat May 3 07:39:34 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA14240 for firewalls-outgoing; Sat, 3 May 1997 07:32:53 -0700 (PDT)
Received: from macbeth.othello.ch (macbeth.othello.ch [193.5.25.20]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id HAA14233 for ; Sat, 3 May 1997 07:32:47 -0700 (PDT)
Received: from othello.ch by macbeth.othello.ch (SMI-8.6/SMI-SVR4-afm-1.3) id QAA16027; Sat, 3 May 1997 16:32:30 +0200
Received: by othello.ch (NX5.67f2/NX3.0M-afm-1.4) id AA11001; Sat, 3 May 97 16:28:55 +0200
Message-Id: <9705031428.AA11001@othello.ch>
Content-Type: text/plain
Mime-Version: 1.0 (NeXT Mail 3.3 v118.2)
Received: by NeXT.Mailer (1.118.2)
From: Dr Andreas F Muller
Date: Sat, 3 May 97 16:28:49 +0200
To: firewalls@greatcircle.com
Subject: Re: VLSM, RIP, routing socket
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

"Marc D. Jackson" wrote:

> I ran into this problem when trying to route with RIP.

Specifically, RIP cannot do subnets, unless you use RIP2. Ordinary routed does not understand RIP2. Many other OSes have the same problem, even some products that call themselves routers. For a real router you need at least two preconditions:

. the kernel must understand subnet routes
. there must be a decent routing process that understands a real routing protocol (in this sense, routed is not decent).

> Sun's implementation of the routing socket interface is not the
> industry standard. In other words, when you use a Sun machine as
> a multi-homed host with subnetted networks the RIP updates are
> incorrect.
> The routers that we used had no problems at all in

This has nothing to do with the implementation of the routing socket. It's a fact that Solaris 2.x, x < 6, is unable to handle subnet routes in its kernel routing table, unless they belong to directly connected networks. The workaround is to use host routes for all hosts on a remote subnet. (There was a product from Sun which enabled VLSM in the kernel; however, this does not correct the deficiencies of RIP.) The fact that the routers had no problems only indicates that they were using RIP2 or something better.

> dealing with the subnetted networks, therefore while we were able
> to subnet our intranet we had problems with using Suns as any type
> of router.

If you want your Sun to speak to some routers intelligently (doing something more intelligent than RIP), you should consider gated.

Just my $0.02

Andreas Mueller
------------------------------------------------------------
Dr. Andreas Mueller
Beratung und Entwicklung (Consulting and Development)
Bubental 53, CH - 8852 Altendorf
Voice: +41 55 462 1483
Fax/Data: +41 55 462 1485

From owner-firewalls-outgoing Sat May 3 09:39:39 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA19004 for firewalls-outgoing; Sat, 3 May 1997 09:25:09 -0700 (PDT)
Received: from relay.rv.tis.com (relay.rv.tis.com [204.254.155.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id JAA18996 for ; Sat, 3 May 1997 09:25:04 -0700 (PDT)
Received: by relay.rv.tis.com; id MAA25246; Sat, 3 May 1997 12:43:00 -0400 (EDT)
Received: from unknown(204.254.155.208) by relay.rv.tis.com via smap (3.2) id xma025240; Sat, 3 May 97 12:42:48 -0400
Message-Id: <3.0.32.19970503122813.006a8e80@pop.rv.tis.com>
X-Sender: lothie@pop.rv.tis.com (Unverified)
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Sat, 03 May 1997 12:28:14 -0400
To: firewalls@GreatCircle.COM
From: Mimi Herrmann
Subject: Re: Need to restrict http://www.nude.com and such
Mime-Version: 1.0
Content-Type:
text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 09:41 AM 5/2/97 -0500, Chris Lonvick wrote:
>Hello Dominick,
>
>I assume that your company policy is to prevent your people from
>getting/displaying/looking-at "dirty pictures" while on company
>time and/or while using company equipment. From your question,
>I see that you're looking for ways to enforce your policy.
>
>As far as I know, there are two general methods of enforcing your
>policy.
> - making the consequences of failure to comply with the policy
>   a very high cost (like termination)
> - finding ways to make it difficult for your users to violate
>   the policy

It's so nice to see someone else give the advice that restricting destinations is a *social engineering* problem, not necessarily a technical problem. Most firewalls keep logs of what sites are being accessed, and from what IP. Constructively using this information to discipline employees that violate policy, rather than trying to find technical solutions to ban users from being able to get to these sites in the first place, does take more work but is also more effective. Besides, it's a way of creating jobs, which to me seems a good thing.

Just as an example -- say my company had a policy against my visiting www.nude.com. Well, there's nothing to stop me from getting another account elsewhere and visiting that site from there, either using telnet/lynx or, if I have use of a modem from my desk, even opening up a PPP connection and using Netscape. It's a lot harder to outwit employees than it is to discipline them for violating the rules once they're caught.
Just my two cents,
L

From owner-firewalls-outgoing Sat May 3 10:39:42 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA20917 for firewalls-outgoing; Sat, 3 May 1997 10:27:04 -0700 (PDT)
Received: from maddie.atlantic.com (maddie.atlantic.com [198.252.200.3]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id KAA20902 for ; Sat, 3 May 1997 10:26:53 -0700 (PDT)
Received: (from pokey@localhost) by maddie.atlantic.com (8.8.5/8.7.3) id NAA23496; Sat, 3 May 1997 13:29:38 -0400
From: Rick Romkey
Message-Id: <199705031729.NAA23496@maddie.atlantic.com>
Subject: Re: CheckPoint vs Others
To: jmcbrearty@usa.net (John McBrearty)
Date: Sat, 3 May 1997 13:29:38 -0400 (EDT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <2.2.32.19970502192222.00731904@sparc1.castles.com> from "John McBrearty" at May 2, 97 12:22:22 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> people on this list. But when you need tech support information from Cisco
> there are a variety of ways to get it; and I have found their support people
> always willing to do what it takes to solve problems. It beats a voice mail
> message saying "Go to your VAR."
>

One might argue that you should have been more careful when selecting your VAR. Some resellers out there can actually help with problems.
-Rick
----------------------------------------------------------------------------
Rick E Romkey          | A T L A N T I C                  | Internet
pokey@atlantic.com     | Computing Technology Corporation | Specialists
(860) 667-9596         | http://www.atlantic.com/         |
-----------------------------------------------------------------------------

From owner-firewalls-outgoing Sat May 3 11:39:57 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA24142 for firewalls-outgoing; Sat, 3 May 1997 11:30:09 -0700 (PDT)
Received: from news.acrux.net (pluto.acrux.net [207.51.199.3]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id LAA24133 for ; Sat, 3 May 1997 11:30:04 -0700 (PDT)
Received: from pluto (pluto [207.51.199.3]) by news.acrux.net (8.8.5/8.8.5) with SMTP id NAA08831; Sat, 3 May 1997 13:30:38 -0500 (CDT)
Date: Sat, 3 May 1997 13:30:37 -0500 (CDT)
From: Brian Tackett
X-Sender: cym@pluto
To: Mimi Herrmann
cc: firewalls@GreatCircle.COM
Subject: Re: Need to restrict http://www.nude.com and such
In-Reply-To: <3.0.32.19970503122813.006a8e80@pop.rv.tis.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Sat, 3 May 1997, Mimi Herrmann wrote:

> ppp connection and using Netscape. It's a lot harder to outwit employees
> than it is to discipline them for violating the rules once they're caught.

In addition, consider this: If I BAN all traffic to www.nude.com, as you said, the user will slip around anyway, not only making it harder for my technical staff, but probably causing me NOT to know about it at all. Far better to know that a problem exists, which enables me to then TALK to the person involved, point out the reasons for the policy, etc etc etc.
This opportunity rarely arises when you try to solve people problems with hardware and software ;)

From owner-firewalls-outgoing Sat May 3 14:41:28 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA04853 for firewalls-outgoing; Sat, 3 May 1997 14:33:47 -0700 (PDT)
Received: from geocities.com (mail3.geocities.com [204.7.246.133]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id OAA04846 for ; Sat, 3 May 1997 14:33:42 -0700 (PDT)
Received: from ppp01-braila.iiruc.ro (ppp01-braila.iiruc.ro [193.226.145.211]) by geocities.com (8.7.5/8.7.3) with SMTP id OAA23456 for ; Sat, 3 May 1997 14:27:35 -0700 (PDT)
Message-ID: <336C3BEE.2F82@geocities.com>
Date: Sun, 04 May 1997 00:34:06 -0700
From: Gabriel Dura
Reply-To: dura@geocities.com
X-Mailer: Mozilla 3.01Gold (Win16; I)
MIME-Version: 1.0
To: firewalls@GreatCircle.COM
Subject: Re: Need to restrict http://www.nude.com and such
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi!

I don't think this subject needs so much debate... First of all it is absolutely necessary to outwit the employee in order to prove that they are guilty and then take the appropriate measures. Nobody can be accused without good proof.

Now, most of the xxx sites contain an HTML meta in the web page header that looks like this:

Just have to filter the web pages containing this kind of meta... Of course there are also other words but there is no place for them here... There are no secret algorithms...

It is not a perfect method but you can obtain good results... You can also log the access of these files and find the employees interested in this.

Also active modems can be detected and that call traced... In this way one can prevent unauthorised Internet connections using personal modems at the office...

Please anyone tell me if I'm wrong...
Gabriel

From owner-firewalls-outgoing Sat May 3 15:09:49 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA06616 for firewalls-outgoing; Sat, 3 May 1997 14:57:24 -0700 (PDT)
Received: from lix.intercom.es (lix.intercom.es [194.179.21.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id OAA06599 for ; Sat, 3 May 1997 14:57:17 -0700 (PDT)
Received: from MERLIN (ppp-bcn-163.inf.servicom.es [194.149.194.163]) by lix.intercom.es (8.7.3/8.6.12) with SMTP id AAA03110 for ; Sun, 4 May 1997 00:02:42 +0100
Received: by MERLIN with Microsoft Mail id <01BC581E.13852F90@MERLIN>; Sat, 3 May 1997 23:59:45 +0200
Message-ID: <01BC581E.13852F90@MERLIN>
From: Alvaro Redondo
To: "'liviu@hip.ro'" , "'Firewalls'"
Subject: RE: Win 95 Networking
Date: Thu, 1 May 1997 16:26:39 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

You can't do it with W95 itself. There may be another package that is able to do it under W95, but I don't think so.

I was told that setting a special parameter in the registry allows you to add routing capabilities to W95, but only in a static way, not dynamic. It is something that the guys who made W95 thought about, but didn't finish, so I don't think it will work fine.

Alvaro Redondo.

----------
From: Sas Liviu
Sent: Tuesday, 29 April 1997 16:59
To: Firewalls
Subject: Re: Win 95 Networking

Viorel Dehelean wrote:
> Why in Windows 95 when i change the settings for TCP/IP for Dial Up
> Adapter
> , it automatically changes the settings for TCP/IP for NE200 card ?

If we were talking about Win95, how can I set up tcp-ip forwarding on Win95?

--
That's what Droopy said.
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 4.5

mQCNAjNZNysAAAEEALLxeeDSuee1kgjnfDdZKlUM0n7uMotZcM1XvrWfmiv0u2LU
T4nlc5u1Df1Mk9EOJuYBPhg64XrDEaUg3/hUNGXlmmUMdKbo+Ew26FLP14qIKQuo
tLSlTzYlQmwVRKSXYYLWe2A4i6zTEeva0x5PReOs/eEbMUqduBSimhPqNH55AAUR
tBhTYXMgTGl2aXUgPGxpdml1QGhpcC5ybz4=
=MrOt
-----END PGP PUBLIC KEY BLOCK-----

From owner-firewalls-outgoing Sun May 4 02:24:30 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id CAA01982 for firewalls-outgoing; Sun, 4 May 1997 02:08:57 -0700 (PDT)
Received: from relay.bt.net (relay.bt.net [194.72.6.52]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id CAA01975 for ; Sun, 4 May 1997 02:08:52 -0700 (PDT)
Received: from mypc (actually 195.99.62.233) by relay.bt.net with SMTP (PP); Sun, 4 May 1997 10:10:44 +0100
From: jayee@pemail.net (Jayee Enterprises)
To: Firewalls@GreatCircle.COM
Subject: What line speed do I need?
Date: Sun, 04 May 1997 09:10:08 GMT
Reply-To: jayee@pemail.net
Message-ID: <336afe50.4947988@relay.bt.net>
References:
In-Reply-To:
X-Mailer: Forte Agent 1.0/16.390
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm setting up a Cyber Cafe with about 8 PCs and would like guidance on what size line I need to my ISP?

Would 56/64k be OK to start with and plan for growth, or should I start higher? I plan to have my Cafe open 6 days per week between 10am and 9pm.

Any comments/experience welcomed.

John Jayee
--------------------------------------------------
email: jayee@pemail.net
I don't work here. I'm on a journey to retirement!
What I say are my thoughts at the time of typing.
For my company's view, please contact the Press Office.
-------------------------------------------------------

From owner-firewalls-outgoing Sun May 4 04:39:31 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA07854 for firewalls-outgoing; Sun, 4 May 1997 04:24:50 -0700 (PDT)
Received: from wizard.abirnet.co.il (wizard.abirnet.co.il [194.90.211.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id EAA07838 for ; Sun, 4 May 1997 04:24:33 -0700 (PDT)
Received: from ziv.abirnet.co.il (z1.abirnet.co.il [194.90.211.21]) by wizard.abirnet.co.il (8.7.6/8.7.3) with SMTP id TAA26936; Sun, 4 May 1997 19:29:22 +0300
Date: Sun, 4 May 97 14:20:27 Israel Daylight Time
From: Ziv Dascalu
Subject: Re: Need to restrict http://www.nude.com and such
To: firewalls@GreatCircle.COM, Gabriel Dura
X-Mailer: Chameleon ATX 6.0, Standards Based IntraNet Solutions, NetManage Inc.
X-Priority: 3 (Normal)
References: <336C3BEE.2F82@geocities.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

--- On Sun, 04 May 1997 00:34:06 -0700 Gabriel Dura wrote:

> Hi!
>
> I don't think this subject needs so much debate... First of all it is
> absolutely necessary to outwit the employee in order to prove that they are
> guilty and then take the appropriate measures. Nobody can be accused
> without good proof.
>
> Now, most of the xxx sites contain an HTML meta in the web page header
> that looks like this:
>
>
>
> Just have to filter the web pages containing this kind of meta... Of
> course there are also other words but there is no place for them here...
> There are no secret algorithms...
>
> It is not a perfect method but you can obtain good results...
> You can also log the access of these files and find the employees
> interested in this.
>
> Also active modems can be detected and that call traced... In this way
> one can prevent unauthorised Internet connections using personal modems
> at the office...
>
> Please anyone tell me if I'm wrong...
> Gabriel

---------------End of Original Message-----------------

It is absolutely necessary to outwit the employee in order to prove that they are guilty and then take the appropriate measures. Nobody can be accused without good proof.

NO, most of the xxx sites do not contain an HTML meta in the web page header that looks like this:

If they do have this then it is VERY easy. Just have to filter the web pages containing this kind of meta... Of course there are also other words but there is no place for them here... There are no secret algorithms...

But do you think that they REALLY want to be filtered out?

This is why it is not a perfect method but you can obtain good results...

By logging the access of these files and finding the employees interested in this, you can avoid a lot of cases like this, since once they know you are watching, they will avoid this.

/Ziv
--
SessionWall-3 offers an effective means of preventing employees or intruders from abusing the network. By monitoring all session traffic, it opens a unique window into how employees are using the network, and can pinpoint the need for defenses against outside threats
= Get an EVALUATION COPY at =

From owner-firewalls-outgoing Sun May 4 09:09:32 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA16646 for firewalls-outgoing; Sun, 4 May 1997 08:55:29 -0700 (PDT)
Received: from pooh.pageplus.com (pooh.pageplus.com [206.168.18.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA16627 for ; Sun, 4 May 1997 08:55:22 -0700 (PDT)
Received: from RAMay-Home.pageplus.com (RAMay-Home.pageplus.com [206.168.18.119]) by pooh.pageplus.com (8.8.5/8.8.5) with SMTP id JAA18133; Sun, 4 May 1997 09:52:59 -0600
Message-Id: <199705041552.JAA18133@pooh.pageplus.com>
Comments: Authenticated sender is
From: "Roger A.
May"
Organization: R & R Enterprises
To: jayee@pemail.net, Firewalls@GreatCircle.COM
Date: Sun, 4 May 1997 09:57:24 -0700
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: What line speed do I need?
Reply-to: Roger@RnR-Ent.Com
X-mailer: Pegasus Mail for Win32 (v2.42)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

A good rule of thumb is no more than 10 to 12 PCs (doing no more than web browsing or email) per 64K of dedicated bandwidth (frame, point-to-point, or ISDN). If FTP or on-line gaming is involved, not more than 4 PCs MAX per 64K of dedicated bandwidth. Those would be the top-end limits to balance out costs vs. performance. Optimized for performance would be the same numbers per 128K.

Roger A. May
Hostmaster and Co-Owner
www.net-plus.com
www.pageplus.com

> I'm setting up a Cyber Cafe with about 8 PCs and would like
> guidance on what size line I need to my ISP?
>
> Would 56/64k be OK to start with and plan for growth or should I start
> higher? I plan to have my Cafe open 6 days per week between 10am
> till 9pm
>
> Any comments/experience welcomed.
>
> John Jayee
> --------------------------------------------------
> email: jayee@pemail.net
> I don't work here. I'm on a journey to retirement!
> What I say are my thoughts at the time of typing.
> For my company's view, please contact the Press Office.
> -------------------------------------------------------
>

From owner-firewalls-outgoing Sun May 4 13:54:33 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA27582 for firewalls-outgoing; Sun, 4 May 1997 13:52:30 -0700 (PDT)
Received: from geocities.com (mail5.geocities.com [204.7.246.135]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA27575 for ; Sun, 4 May 1997 13:52:25 -0700 (PDT)
Received: from ppp01-braila.iiruc.ro (ppp01-braila.iiruc.ro [193.226.145.211]) by geocities.com (8.7.5/8.7.3) with SMTP id NAA03513; Sun, 4 May 1997 13:51:51 -0700 (PDT)
Message-ID: <336D7E4B.6390@geocities.com>
Date: Sun, 04 May 1997 23:29:31 -0700
From: Gabriel Dura
Reply-To: dura@geocities.com
X-Mailer: Mozilla 3.01Gold (Win16; I)
MIME-Version: 1.0
To: Ziv Dascalu
CC: firewalls@GreatCircle.COM
Subject: Re: Need to restrict http://www.nude.com and such
References: <336C3BEE.2F82@geocities.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Sorry, but all porn sites I personally checked have that meta included in their header. Please note that every civilised country in the world has regulations about children's access to pornography, violence, etc. I'm sure there is an Internet standard on this subject... And all sites that are placed in such countries must obey the laws... Other such sites have other meta like this one, for instance:

>
> --- On Sun, 04 May 1997 00:34:06 -0700 Gabriel Dura wrote:
> > Hi!
> >
> > I don't think this subject needs so much debate... First of all it is
> > absolutely necessary to outwit the employee in order to prove that they are
> > guilty and then take the appropriate measures. Nobody can be accused
> > without good proof.
> >
> > Now, most of the xxx sites contain an HTML meta in the web page header
> > that looks like this:
> >
> >
> >
> > Just have to filter the web pages containing this kind of meta...
> > Of course there are also other words but there is no place for them here...
> > There are no secret algorithms...
> >
> > It is not a perfect method but you can obtain good results...
> > You can also log the access of these files and find the employees
> > interested in this.
> >
> > Also active modems can be detected and that call traced... In this way
> > one can prevent unauthorised Internet connections using personal modems
> > at the office...
> >
> > Please anyone tell me if I'm wrong...
> > Gabriel
>
> ---------------End of Original Message-----------------
>
> It is absolutely necessary to outwit the employee in order to prove that they are guilty and then
> take the appropriate measures. Nobody can be accused without good proof.
>
> NO, most of the xxx sites do not contain an HTML meta in the web page header
> that looks like this:
>
>
>
> If they do have this then it is VERY easy. Just have to filter the web pages containing this kind
> of meta... Of course there are also other words but there is no place for them here...
> There are no secret algorithms...
> But do you think that they REALLY want to be filtered out?
>
> This is why it is not a perfect method but you can obtain good results...
>
> By logging the access of these files and finding the employees interested in this, you can
> avoid a lot of cases like this, since once they know you are watching, they will avoid
> this.
>
> /Ziv
> --
> SessionWall-3 offers an effective means of preventing employees or intruders from abusing the
> network.
> By monitoring all session traffic, it opens a unique window into how employees are
> using the network, and can pinpoint the need for defenses against outside threats
> = Get an EVALUATION COPY at =

From owner-firewalls-outgoing Sun May 4 14:39:32 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA00650 for firewalls-outgoing; Sun, 4 May 1997 14:29:47 -0700 (PDT)
Received: from bramber.windsor.com (bramber.windsor.com [199.181.96.54]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id OAA00643 for ; Sun, 4 May 1997 14:29:41 -0700 (PDT)
Received: from carew.windsor.com (carew.windsor.com [199.181.96.17]) by bramber.windsor.com (8.6.12/8.6.12) with SMTP id RAA24872; Sun, 4 May 1997 17:30:34 -0400
Received: by carew.windsor.com with Microsoft Mail id <01BC58B0.DF0052C0@carew.windsor.com>; Sun, 4 May 1997 17:30:33 -0400
Message-ID: <01BC58B0.DF0052C0@carew.windsor.com>
From: "Eric V. Smith"
To: Ziv Dascalu , "'Gabriel Dura'"
Cc: "firewalls@GreatCircle.COM"
Subject: RE: Need to restrict http://www.nude.com and such
Date: Sun, 4 May 1997 17:30:32 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Gabriel Dura said:

< about restricting access to sites based on content >

> The MS Internet Explorer has such an option about restricting the
> access to violence and pornography... Too bad they have so many security
> bugs... It could have been successfully used in this case... The idea is
> good but the implementation is bad...

In what way is the implementation bad? Do you have some facts or pointers you could share?

Eric.
From owner-firewalls-outgoing Sun May 4 15:59:04 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id PAA06669 for firewalls-outgoing; Sun, 4 May 1997 15:50:00 -0700 (PDT)
Received: from home.byelex.nl (home.byelex.nl [195.109.44.130]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id PAA06659 for ; Sun, 4 May 1997 15:49:54 -0700 (PDT)
Received: (from cowboy@localhost) by home.byelex.nl (8.8.5/8.8.5) id AAA05964; Mon, 5 May 1997 00:50:42 +0200
Date: Mon, 5 May 1997 00:50:40 +0200 (MET DST)
From: Kevin McPeake
To: Mitch Gorsha
cc: firewalls@GreatCircle.COM
Subject: Re: macintosh firewall?
In-Reply-To: <9705030318.AA31782@sylvania.sev.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 2 May 1997, Mitch Gorsha wrote:

> Well, I've been watching the list and waiting for it to surface, but it
> hasn't yet. So I'll go ahead and ask ...

Always ask. Not asking just breeds ignorance.

> Is there a firewall product out there, somewhere, that runs on a
> Macintosh? Without having to go to the Mac AIX servers?

I figured I'd answer this, since I'm prolly the resident Macintosh expert on this list, and hopefully before any of these NT/Unix lads rip on ya for enjoying Macs. :)

No, there is no firewall available for MacintoshOS and there prolly never will be. This most undoubtedly will change when Rhapsody (the NeXT OS for Macs, based on NeXTStep) arrives, but that won't be till the end of this year/beginning of next year. Part of the problem is that the current OS is just not up to par with things like preemptive multi-tasking/protected memory etc. There's also a few other reasons, but overall, the common consensus is that Macs don't need a lot of protection from the Internet, cause in a round about way, they already are.
This of course depends what you are doing with those Macintoshes on the network, and some server applications could change this (i.e. AppleShareIP, MacNFS Server, etc). However, if your network consists solely of Macintoshes running classic AppleTalk & say a Mac-OS based server running WebStar HTTPd / Netpresenz FTPd or Apple Internet Mail Server, you don't have a lot to worry about. I know of several Mac-based ISPs, including StarNet, up in the Chicago area, that built their ISP using almost all Macs.

Now, if you still think you need a firewall, because you have some sensitive information on a TCP/IP based server application on a Mac, then yeah, you might need a firewall (Oracle Database Server, Informix, etc). But if you want to stay Mac only, without having to fork out the cash for an Apple AIX box (which they are dropping support for AIX, thanks in part to the upcoming release of Rhapsody), I would suggest you get a PowerMac 6100/66 or better machine, download either MkLinux OR LinuxPPC and install that, recompile your kernel as per the HOWTOs for Linux Firewalling (links can be found at http://www.linux.org/) and set up your firewalling rules with ipfwadm, which comes with Linux. I know of several companies that use this setup, and it's a great free solution (minus cost of old PowerPC 6100/66 or better).

MkLinux is still in dev releases, but I've had it running for over a year, and have virtually beat the ever living tarnation out of it, and have seen it crash maybe 6 times..... it's right up there with Intel Linux now, IMHO. It goes without saying that if your spare computer is an Intel box, instead of a PowerPC, you can do the same thing on Linux for Intel.

Hope that helps ya some.

> Whew! Now I feel better, but I'm still interested!

I hope you continue to feel better after you read this far. ;)

Cheers,
Kev

Kevin McPeake          cowboy@home.byelex.nl
Internet Consultant    http://www.byelex.nl/
<< You know something's up when your Thought process is idle.
>>
USER PID %CPU %MEM VSZ RSS TTY S STARTED TIME COMMAND
cowboy 28365 0.0 0.2 2.84M 264K ttyp1 S 12:57:12 0:00.02 Thought

From owner-firewalls-outgoing Sun May 4 19:24:36 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id TAA15670 for firewalls-outgoing; Sun, 4 May 1997 19:10:43 -0700 (PDT)
Received: from mail.ka.inka.de (quechua.inka.de [193.197.84.5]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id TAA15661 for ; Sun, 4 May 1997 19:10:37 -0700 (PDT)
Received: from uu.inka.de ([193.197.84.8]) by mail.ka.inka.de with smtp (ident root using rfc1413) id m0wODG3-0004K5C (Debian Smail-3.2 1996-Jul-4 #2); Mon, 5 May 1997 04:12:07 +0200 (MET DST)
Received: from lina.inka.de (lists@lina.inka.de) by uu.inka.de with bsmtp (S3.1.29.1) id ; Mon, 5 May 97 04:12 MET DST
Received: by lina.inka.de id m0wOD3p-00016mC (Debian Smail-3.2 1996-Jul-4 #2); Mon, 5 May 1997 03:59:09 +0200 (CEST)
Message-Id:
Date: Mon, 5 May 1997 03:59:08 +0200
From: Bernd Eckenfels
To: "Webb, Dean"
Cc: Firewalls@GreatCircle.COM
Subject: Re: Firewall gone freaky
References: <2132495A1094D011874400609730779104F779@dalnt032.capgemini.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.67
In-Reply-To: <2132495A1094D011874400609730779104F779@dalnt032.capgemini.com>; from Webb, Dean on Fri, May 02, 1997 at 09:17:03AM -0500
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> The BorderGuard was installed out-of-the-box, configured only
> with our TCP/IP info. No rules regarding traffic were added or modified
> by any of us in either company since it was first set up.

Well.. I would consider this an 'uninstalled' firewall.

> (BTW, I would *love* to RTFM, but it's roughly
> 1500 miles away and the sister company ain't letting it out of their
> sight or site.

This is a simple management problem.
If your sister company won't let you manage the firewall, you are neither responsible for the loss, nor should you try to solve the problem. Just ask for your own firewall. Unconfigured software and unread logfiles won't protect you anyway.

Greetings
Bernd

PS: yes, I know it is not what you wanted to hear. But you should not expect ppl to RTFM for you, even if there are political problems to get on that FM.

--
  (OO)      -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de --
 ( .. )  ecki@{inka.de,linux.de,debian.org}  http://home.pages.de/~eckes/
  o--o     *plush*  2048/93600EFD  eckes@irc  +4972573817  BE5-RIPE
(O____O)       If privacy is outlawed only Outlaws have privacy

From owner-firewalls-outgoing Sun May 4 19:54:29 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id TAA19056 for firewalls-outgoing; Sun, 4 May 1997 19:51:15 -0700 (PDT)
Received: from news.acrux.net (pluto.acrux.net [207.51.199.3]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id TAA19049 for ; Sun, 4 May 1997 19:51:10 -0700 (PDT)
Received: from pluto (pluto [207.51.199.3]) by news.acrux.net (8.8.5/8.8.5) with SMTP id VAA02379; Sun, 4 May 1997 21:51:44 -0500 (CDT)
Date: Sun, 4 May 1997 21:51:43 -0500 (CDT)
From: Brian Tackett
X-Sender: cym@pluto
To: Kevin McPeake
cc: firewalls@GreatCircle.COM
Subject: Re: macintosh firewall?
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 5 May 1997, Kevin McPeake wrote:
> But if you want to stay Mac only, without having to fork out the cash for
> a Apple AIX box (which they are dropping support for AIX, thanks in part

*cough* Do you mean AIX, or A/UX?
Unless I've not kept pace with things, AIX is IBM, A/UX is Apple ;)

From owner-firewalls-outgoing Sun May 4 21:54:40 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id VAA25694 for firewalls-outgoing; Sun, 4 May 1997 21:50:05 -0700 (PDT)
Received: from Fe3.rust.net (Fe3.rust.net [204.157.12.254]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id VAA25682 for ; Sun, 4 May 1997 21:49:58 -0700 (PDT)
Received: from rust.net.204.157.12.254 (mh-31.rust.net [205.199.80.131]) by Fe3.rust.net (8.8.5/8.8.5) with SMTP id AAA14892; Mon, 5 May 1997 00:51:56 -0400 (EDT)
Date: Mon, 5 May 1997 00:51:56 -0400 (EDT)
Message-Id: <199705050451.AAA14892@Fe3.rust.net>
X-Sender: janken@rust.net
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Brian Tackett
From: Ken Stephens
Subject: Re: macintosh firewall?
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 09:51 PM 5/4/97 -0500, you wrote:
>On Mon, 5 May 1997, Kevin McPeake wrote:
>
>> But if you want to stay Mac only, without having to fork out the cash for
>> a Apple AIX box (which they are dropping support for AIX, thanks in part
>
>*cough* Do you mean AIX, or A/UX? Unless I've not kept pace with things,
>AIX is IBM, A/UX is Apple ;)
>

No, he does mean IBM AIX running on an Apple Hardware platform. It came out a couple of years ago. I watched an interesting demo where the engineer pulled the only hard disk module out of the server and then plugged it back in and rebooted the beast and it worked just fine. Interesting use of a log file. The entire box is field strip-able in about 90 seconds (including the motherboard drop-in rails that slide out of the case and dual hot swappable power supplies). It will run most standard AIX software and speaks fluent Appletalk. If I had 50 more Macs in my shop I would have bought one for a server. Strange bedfellows (IBM and Apple)!
Ken

[][][][][][][][][][][][][][][][][][][][][][][][][][][]
[] Ken_Stephens@miconsulting.com (313) 876-5081    []
[] Senior Capacity Planner/I.S. Security Manager   []
[] Michigan Employment Security Agency (MESA)      []
[] Millennium Consulting                           []
[]                                                 []
[] Your Security Policy is only as strong as your  []
[] organization's commitment to it.                []
[][][][][][][][][][][][][][][][][][][][][][][][][][][]

From owner-firewalls-outgoing Sun May 4 22:09:31 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id VAA25912 for firewalls-outgoing; Sun, 4 May 1997 21:58:27 -0700 (PDT)
Received: from tempest.stu.rpi.edu (tempest.stu.rpi.edu [128.113.167.164]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id VAA25905 for ; Sun, 4 May 1997 21:58:22 -0700 (PDT)
Received: from localhost (jester@localhost) by tempest.stu.rpi.edu (8.8.5/8.8.3) with SMTP id AAA00308; Tue, 6 May 1997 00:59:45 -0400
Date: Tue, 6 May 1997 00:59:45 -0400 (EDT)
From: Jester
To: Lucas Buckler-Carey
cc: firewalls@greatcircle.com, ntsecurity@iss.net
Subject: Re: [NTSEC] Re: L0pht Scanning - Beware
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 28 Apr 1997, Lucas Buckler-Carey wrote:
>
> What, may I ask, did l0pht do to your system?
> If they are true hackers in the sense of the word they didn't do jack
> shit. Maybe took a peek at some info you didn't want anyone to see but
> that's all. Perhaps they even gave everyone with a modem access to all
> your data. You would say that I am a hacker and encourage others to be
> hackers. You might be right. I've broken into systems and looked at some
> info I perhaps wasn't allowed to. So what? Organized hacker groups won't
> do anything to your personal life if you don't do anything to theirs. We
> all want information. You want it. I want it. Everyone on this list
> wants it. Everyone with a computer wants it.
> That is what a hacker is.
> Someone who wants information from a computer or about a computer and
> won't let a security system get in the way. Unless they crashed your

I don't think you really know what a hacker is. It has nothing to do with cracking into systems. It is messages like yours which perpetuate this attitude in the media and with the masses. You may very well be a hacker, and according to your description you are indeed a cracker, and finally your conclusions are correct that l0pht are hackers in the true sense of the word (as I believe they are) then they most likely did nothing ... however, you seem to have a warped view of just what a hacker does. :)

From owner-firewalls-outgoing Sun May 4 23:54:44 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA03911 for firewalls-outgoing; Sun, 4 May 1997 23:49:42 -0700 (PDT)
Received: from porsche.inabbdb.co.in ([206.103.13.101]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id XAA03840 for ; Sun, 4 May 1997 23:49:16 -0700 (PDT)
Received: from bmw.inabbdb.co.in (bmw [192.168.0.4]) by porsche.inabbdb.co.in (8.6.12/8.6.9) with SMTP id PAA00357; Mon, 5 May 1997 15:11:12 +0500
Received: from localhost by bmw.inabbdb.co.in; (5.65v3.2/1.1.8.2/30Mar96-1218PM) id AA13814; Mon, 5 May 1997 12:20:46 +0500
Message-Id: <336D8A4E.794B@porsche.inabbdb.co.in>
Date: Mon, 05 May 1997 12:20:46 +0500
From: Raju Krishnan
X-Mailer: Mozilla 3.0Gold (X11; I; OSF1 V3.2 alpha)
Mime-Version: 1.0
To: jonw@mntcmp2.demon.co.uk
Cc: firewalls@GreatCircle.COM
Subject: Firewall routing problem
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Dear Mr Jon,

We are facing the same problem in our network as you have mentioned in posting on Oct, 1996. How did you solve your problem regarding pinging to router from internal n/w.

We have a class C of our own private network address 192.168.0.*.
Netmask is 255.255.255.0.

                            -------
                            |     |eth0 206.103.13.97
    Leased line ------------|Cisco|-------
    202.54.5.194            |2501 |      |   Net: 255.255.255.240
                            -------      |
                                         |eth1 206.103.13.101
                                    __________
                                    |  Linux |
                                    | Gateway|  Firewall FWTK
                                    |________|
                                         |
                                         |eth0 192.168.0.3   Net: 192.168.0.0
                                         |
                        ----------------------------------
                          |       |       |       |
                        Other Digital Unix Machines with Netmask 192.168.0.0

Information:

Firewall is Linux machine running FWTK (freeware Firewall). CISCO router is 2501 running IPX. Cisco router has following router IP commands.

    interface Ethernet0
     ip address 206.103.13.97 255.255.255.240
    !
    interface Serial0
     ip address 202.54.5.193 255.255.255.252
    !
    interface Serial1
     no ip address
     shutdown
    !
    router rip
     network 206.103.13.0
     network 202.54.5.0
    !
    ip route 0.0.0.0 0.0.0.0 202.54.5.194
    snmp-server community public RO

Linux firewall has default routing to router.

The problem we are facing is:

The firewall can ping the router and all outside machines on internet.
The firewall can ping the internal local machines.
The router can ping the internet and the firewall eth0 and eth1 but cannot ping across the firewall to internal machines.
Similarly internal machines 192.168.0.1, 192.168.0.2 etc can ping both eth1 and eth0 of linux but cannot ping the router eth0 or outside world.

Questions:

1. Does the router also need another route ip command to tell the packets going to the inside net that they have to go via the firewall gateway interface 206.103.13.101?
2. Similarly does the firewall need to have two route commands issued one to pass down and one to pass the packets up via the firewall?
Thanks and regards
raju

Please reply directly to raju@porsche.inabbdb.co.in

--
-----------------------------------------------------------------
RAJU KRISHNAN                                          __0
ABB Daimler Benz Transportation(India) Ltd            _-\<,_
Phone : +91 265 336486 Ext: 432 & +91 265 311766     (_)/ (_)
Fax   : +91 265 338368
Email : raju@porsche.inabbdb.co.in
------------------------------------------------------------------

From owner-firewalls-outgoing Mon May 5 00:54:28 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id AAA08502 for firewalls-outgoing; Mon, 5 May 1997 00:52:32 -0700 (PDT)
Received: from nimue.jammed.com (jammed.com [165.227.120.19]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id AAA08495 for ; Mon, 5 May 1997 00:52:26 -0700 (PDT)
Received: (from deadmail@localhost) by nimue.jammed.com (8.8.5/8.8.5) id AAA07243; Mon, 5 May 1997 00:54:39 -0700
Received: from nimue.jammed.com (gate.jammed.com) by gate.jammed.com (deadmail-1.1/JAMMED) via SMTP; Mon May 5 00:54:38 1997
Date: Mon, 5 May 1997 00:54:36 -0700 (PDT)
From: "James W. Abendschan"
To: firewalls@greatcircle.com, Raju Krishnan
Subject: Re: Firewall routing problem
In-Reply-To: <336D8A4E.794B@porsche.inabbdb.co.in>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 5 May 1997, Raju Krishnan wrote:
> We are facing the same problem in our network as you have mentioned in
> posting on Oct, 1996. How did you solve your problem regarding pinging
> to router from internal n/w.

[ ... ]

> The problem we are facing is.
>
> The firewall can ping the router and all outside machines on internet.

This is normal.

> The firewall can ping the internal local machines.

This is normal.

> The router can ping the internet and the firewall eth0 and eth1 but
> cannot ping across the firewall to internal machines.

This too is normal.
The router should not be able to reach the internal machines; the router is, for all intents and purposes, the Internet. If the Internet router can reach your internal network, what is the point of a firewall?

> Similarly internal machines 192.168.0.1, 192.168.0.2 etc can ping both
> eth1 and eth0 of linux but cannot ping the router eth0 or outside world.

This too is normal behaviour, unless you've configured your Linux firewall to do ICMP masquerading (kernel 2.0.30 has support for this.) Check out /usr/src/linux/Documentation/networking/masquerading.txt. You don't want the Internet to be able to ping your systems, and you don't necessarily want your systems to ping the Internet. If you do, then you'll need to employ some form of masquerading.

James

--
James W. Abendschan jwa@jammed.com
JAMMED Systems, Inc. http://www.jammed.com
"Turing," she said. "You are under arrest." -- William Gibson

From owner-firewalls-outgoing Mon May 5 01:39:59 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id BAA12756 for firewalls-outgoing; Mon, 5 May 1997 01:30:00 -0700 (PDT)
Received: from monolith.synergy.net (monolith.synergy.net [198.207.229.9]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id BAA12741 for ; Mon, 5 May 1997 01:29:52 -0700 (PDT)
Received: from localhost (sandeep@localhost) by monolith.synergy.net (8.8.5/8.8.5) with SMTP id DAA08160 for ; Mon, 5 May 1997 03:33:50 -0500
Date: Mon, 5 May 1997 03:33:50 -0500 (CDT)
From: Sandeep Kumar Talwar
To: firewalls@greatcircle.com
Subject: Re:Firewalls-Digest V6#197
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I have a TIS Http proxy running on my Linux. I want to restrict two particular sites from access to our staff. Could someone tell me as to where in which file to make the necessary changes. I guess there is a mailing list for TIS tool-kit users as well, where is it?

Thanks in advance.
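Raju Krishnan's routing question above and James Abendschan's answer to it, worked through as an added example (my code, not from either poster): a hop-by-hop longest-prefix-match walk over the addresses in the posted diagram and Cisco config, showing why the router's packets for 192.168.0.x die upstream and why masquerading on the Linux box is what makes an inside-to-outside ping complete. The ISP end of the leased line (202.54.5.194, assumed to know only the 206.103.13.96/28 block), the inside hosts' default route via 192.168.0.3, and the router having no route to 192.168.0.0/24 (none appears in the posted config) are assumptions.

```python
"""Hop-by-hop forwarding walk for the topology in Raju Krishnan's post.

Added illustration, not code from the thread. Addresses and interface
names come from the posted diagram and Cisco config; the upstream end of
the leased line, the inside hosts' default route and the absence of a
192.168.0.0/24 route on the router are assumptions.
"""
from ipaddress import ip_address, ip_network

# Forwarding tables: node -> [(prefix, next hop or None if directly connected, interface)]
ROUTES = {
    "cisco": [                       # from the posted 2501 config
        (ip_network("206.103.13.96/28"), None, "Ethernet0"),
        (ip_network("202.54.5.192/30"), None, "Serial0"),
        (ip_network("0.0.0.0/0"), ip_address("202.54.5.194"), "Serial0"),
    ],
    "linux": [                       # FWTK gateway, "default routing to router"
        (ip_network("206.103.13.96/28"), None, "eth1"),
        (ip_network("192.168.0.0/24"), None, "eth0"),
        (ip_network("0.0.0.0/0"), ip_address("206.103.13.97"), "eth1"),
    ],
    "inside": [                      # assumed: a Digital Unix host defaulting to the firewall
        (ip_network("192.168.0.0/24"), None, "eth0"),
        (ip_network("0.0.0.0/0"), ip_address("192.168.0.3"), "eth0"),
    ],
    "upstream": [                    # assumed: ISP end of the leased line; knows the /28 only
        (ip_network("202.54.5.192/30"), None, "serial"),
        (ip_network("206.103.13.96/28"), ip_address("202.54.5.193"), "serial"),
    ],
}

# Which node answers for which address (constructed from the post).
OWNERS = {
    "202.54.5.193": "cisco", "206.103.13.97": "cisco",
    "206.103.13.101": "linux", "192.168.0.3": "linux",
    "192.168.0.1": "inside",
    "202.54.5.194": "upstream",
}

FW_OUTSIDE = ip_address("206.103.13.101")
INSIDE_NET = ip_network("192.168.0.0/24")


def lookup(node, dst):
    """Longest-prefix match in one node's table -> (next_hop, iface) or None."""
    dst = ip_address(dst)
    best = None
    for prefix, via, iface in ROUTES[node]:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, via, iface)
    if best is None:
        return None
    prefix, via, iface = best
    return (via if via is not None else dst, iface)


def trace(start, dst, max_hops=8):
    """Forward a packet from `start` toward `dst`.

    Returns the list of nodes visited, ending at the owner of dst, or None
    if some node along the way has no route (the packet is dropped there).
    """
    dst = ip_address(dst)
    node, path = start, [start]
    for _ in range(max_hops):
        if OWNERS.get(str(dst)) == node:
            return path
        hit = lookup(node, dst)
        if hit is None:
            return None
        node = OWNERS.get(str(hit[0]))
        if node is None:
            return None
        path.append(node)
    return None


def ping(src, dst, masquerade=False):
    """True if an echo request from src reaches dst AND the reply gets back.

    With masquerade=True the firewall rewrites the source of inside-originated
    packets leaving eth1 to its own outside address, as James's reply suggests,
    and maps the reply back to the real inside host.
    """
    src, dst = ip_address(src), ip_address(dst)
    src_node, dst_node = OWNERS[str(src)], OWNERS[str(dst)]
    request = trace(src_node, dst)
    if request is None:
        return False
    masqueraded = (masquerade and src in INSIDE_NET and dst not in INSIDE_NET
                   and dst_node != "linux" and "linux" in request)
    reply = trace(dst_node, FW_OUTSIDE if masqueraded else src)
    if reply is None:
        return False
    # The firewall un-masquerades and hands the reply to the real source.
    return trace("linux", src) is not None if masqueraded else True


if __name__ == "__main__":
    cases = [
        ("206.103.13.101", "206.103.13.97"),   # firewall -> router
        ("206.103.13.101", "192.168.0.1"),     # firewall -> inside
        ("206.103.13.97", "192.168.0.1"),      # router -> inside: request dies upstream
        ("192.168.0.1", "206.103.13.97"),      # inside -> router: reply dies upstream
        ("192.168.0.1", "202.54.5.194"),       # inside -> Internet
    ]
    for s, d in cases:
        print(f"{s:>15} -> {d:<15} plain={ping(s, d)!s:<5} masq={ping(s, d, True)}")
```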
From owner-firewalls-outgoing Mon May 5 01:54:41 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id BAA13557 for firewalls-outgoing; Mon, 5 May 1997 01:36:21 -0700 (PDT)
Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id BAA13550 for ; Mon, 5 May 1997 01:36:16 -0700 (PDT)
Received: from France.Sun.COM ([129.157.188.1]) by mercury.Sun.COM (SMI-8.6/mail.byaddr) with SMTP id BAA12459; Mon, 5 May 1997 01:49:23 -0700
Received: from sunaix.France.Sun.COM by France.Sun.COM (SMI-8.6/SMI-SVR4-sd.fkk200) id KAA00862; Mon, 5 May 1997 10:36:13 +0200
Received: from galaxia by sunaix.France.Sun.COM (SMI-8.6/SMI-SVR4) id KAA20962; Mon, 5 May 1997 10:36:09 +0200
Date: Mon, 5 May 1997 10:27:53 +0200 (MET DST)
From: Eric Deschamps
Reply-To: Eric Deschamps
Subject: Re: [FW1] [FW-1] [Solaris 2.6] DHCP, VLSM thoughts
To: "Marc D. Jackson"
Cc: Jerald Josephs , firewalls@GreatCircle.COM, fw-1-mailinglist@us.checkpoint.com, drexx@pspi.com.ph
In-Reply-To: "Your message with ID" <199705021453.HAA10734@Xenon.Stanford.EDU>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > > > 2] How will VLSM make firewalling administration any easier/better ?
> > >
> > >
> > No, but it will make it easier to subnet your intranet without
> > losing precious IP addresses to a subnet without enough
> > hosts to use all of the addresses.
> >
> ? I don't understand this last sentence. My exposure to VLSM indicates
> that it has nothing to do with subnetting your intranet. I ran into
> this problem when trying to route with rip. Specifically, Sun's
> implementation of the routing socket interface is not the industry
> standard. In other words, when you use a Sun machine as a multi-homed
> host with subnetted networks the rip updates are incorrect.
> The routers
> that we used had no problems at all in dealing with the subnetted
> networks, therefore while we were able to subnet our intranet we had
> problems with using Sun's as any type of router.
>
> mj

Marc,

It seems that VLSM stands for "variable-length subnet mask", so it looks like it has to do with subnetting your intranet. RIP has no knowledge of subnet addressing, so I am not sure I understand the meaning of "Sun's implementation of the routing socket interface is not the industry standard". Which standard is it? It is a RIP problem; RIP2 addresses this problem (and others as well) without any ambiguity.

Rgds,
Eric

From owner-firewalls-outgoing Mon May 5 03:39:31 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id DAA25273 for firewalls-outgoing; Mon, 5 May 1997 03:26:06 -0700 (PDT)
Received: from home.byelex.nl (home.byelex.nl [195.109.44.130]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id DAA25266 for ; Mon, 5 May 1997 03:25:58 -0700 (PDT)
Received: (from cowboy@localhost) by home.byelex.nl (8.8.5/8.8.5) id MAA08254; Mon, 5 May 1997 12:27:43 +0200
Date: Mon, 5 May 1997 12:27:42 +0200 (MET DST)
From: Kevin McPeake
To: Brian Tackett
cc: firewalls@GreatCircle.COM
Subject: Re: macintosh firewall?
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Sun, 4 May 1997, Brian Tackett wrote:
> On Mon, 5 May 1997, Kevin McPeake wrote:
>
> > But if you want to stay Mac only, without having to fork out the cash for
> > a Apple AIX box (which they are dropping support for AIX, thanks in part
>
> *cough* Do you mean AIX, or A/UX? Unless I've not kept pace with things,
> AIX is IBM, A/UX is Apple ;)

ehhhh.....NO. :) The Apple Network Servers run AIX, not A/UX. Apple dropped A/UX a few years ago, but last year they released some beasts of some machines that specifically were built for IBM AIX.
Quite nice machines too, but now Apple has announced that they will be discontinuing support for AIX in the future, and supporting Rhapsody on them, which is basically NeXTStep. This is why Sun is in a bit of a frenzy about the Apple/NeXT merger. If you have more questions about this, I'd be glad to answer them, but let's keep this to firewalls on the list. ......after all, I know how you hate high S/N ratios Brian. ;)

Cheers,
Kev

Kevin McPeake cowboy@home.byelex.nl
Internet Consultant http://www.byelex.nl/
<< You know something's up when your Thought process is idle. >>
USER PID %CPU %MEM VSZ RSS TTY S STARTED TIME COMMAND
cowboy 28365 0.0 0.2 2.84M 264K ttyp1 S 12:57:12 0:00.02 Thought

From owner-firewalls-outgoing Mon May 5 04:24:36 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA29017 for firewalls-outgoing; Mon, 5 May 1997 04:13:03 -0700 (PDT)
Received: from wizard.abirnet.co.il (wizard.abirnet.co.il [194.90.211.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id EAA29009 for ; Mon, 5 May 1997 04:12:43 -0700 (PDT)
Received: from ziv.abirnet.co.il (z1.abirnet.co.il [194.90.211.21]) by wizard.abirnet.co.il (8.7.6/8.7.3) with SMTP id TAA04067; Mon, 5 May 1997 19:17:56 +0300
Date: Mon, 5 May 97 14:09:40 Israel Daylight Time
From: Ziv Dascalu
Subject: Re: Need to restrict http://www.nude.com and such
To: Gabriel Dura
Cc: firewalls@GreatCircle.COM
X-Mailer: Chameleon ATX 6.0, Standards Based IntraNet Solutions, NetManage Inc.
X-Priority: 3 (Normal)
References: <336D7E4B.6390@geocities.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

--- On Sun, 04 May 1997 23:29:31 -0700 Gabriel Dura wrote:
> Sorry but all porn sites I personally checked have that meta included in
> their header. Please note that every civilised country in the world has
> regulations about children's access to pornography, violence, etc.
> I'm
> sure there is an Internet standard on this subject... And all sites that
> are placed in such countries must obey the laws...
>
> Other such sites have other meta like this one for instance:
> pornography that don't have any kind of warning in their HTML source and
> I'll believe you... If you say that most of these web sites don't have
> it I'm sure you can give me a lot of examples...
>
> And yes if your boss wants to restrict access to all personnel to porn
> sites and prevent all people from abusing the net then it is necessary to
> do it. You don't need a list of the porn sites to do this... This is
> just a waste of money...
>

here are some: the point is that I do not know of any written law that says that they should use these types of META tags. there are sites that can be blocked this way and I have found that one of the ways list providers update their list is by doing a search like this but there are many sites that do not match this META tag.

Monitoring is needed, but monitoring can give you TOO much information. this is exactly why you need to define what exactly you want to monitor. you can say that you want to log all WWW access but it is better to log only the text ones and not the binaries (like gif etc.) it is also important to log / monitor / block by specific keywords that exist in the text like drugs, sex etc.
(if you want to do so)

/Ziv Dascalu

From owner-firewalls-outgoing Mon May 5 04:54:35 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA01328 for firewalls-outgoing; Mon, 5 May 1997 04:44:24 -0700 (PDT)
Received: from cscuxfw.cscploenzke.de (cscuxfw.cscploenzke.de [194.45.145.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id EAA01248 for ; Mon, 5 May 1997 04:44:03 -0700 (PDT)
Received: from win95-keller by cscuxfw.cscploenzke.de with smtp (Smail3.1.29.0 #3) id m0wOMDc-000AyGC; Mon, 5 May 97 13:46 CETDST
Received: by win95-keller with Microsoft Mail id <01BC595B.365B9980@win95-keller>; Mon, 5 May 1997 13:49:54 +0200
Message-ID: <01BC595B.365B9980@win95-keller>
From: Stefan Keller
To: "'firewalls-digest@GreatCircle.com'"
Subject: Firewall-1 in NT environment
Date: Mon, 5 May 1997 13:49:52 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi there! :-)

We're about to install a Firewall-1 NT v3.0. The customer has mostly NT machines. I'd like FW-1 to be able to look up the NT passwords (as stored on the PDC). Check Point wrote me that the *internal* NT passwords (on the bastion host) are a means of authentication. Don't feel good about making the bastion host part of a NT domain.

Any opinions/ideas/pointers?
Stefan

From owner-firewalls-outgoing Mon May 5 05:09:46 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA01639 for firewalls-outgoing; Mon, 5 May 1997 04:46:25 -0700 (PDT)
Received: from doc1.ces-galicia.es (ppp.cesga.es [193.144.33.120]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id EAA01420 for ; Mon, 5 May 1997 04:45:12 -0700 (PDT)
Message-Id: <199705051145.EAA01420@honor.greatcircle.com>
Received: from ro [192.168.2.10] by doc1.ces-galicia.es [192.168.2.10] with SMTP (MDaemon.v2.1.rA.b1.32-T) for ; Mon, 05 May 97 13:21:28 +0100
Reply-To:
From: "Roberto Rodríguez Fernández"
To:
Subject: RE: [Firewall] Need to restrict http://www.nude.com and such
Date: Mon, 5 May 1997 13:21:07 +0200
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1157
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-MDMail-Server: MDaemon v2.1 rA b1 32-T
X-MDaemon-Deliver-To: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Just as an example -- say my company had a policy against my visiting
> www.nude.com. Well, there's nothing to stop me from getting another
> account elsewhere and visiting that site from there, either using
> telnet/lynx or, if I have use of a modem from my desk, even opening up a
> ppp connection and using Netscape. It's a lot harder to outwit employees
> than it is to discipline them for violating the rules once they're caught.

There are some sites you can access, and from these you access another site. Can the logs reflect this?

Roberto.
From owner-firewalls-outgoing Mon May 5 05:24:59 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA04391 for firewalls-outgoing; Mon, 5 May 1997 05:09:14 -0700 (PDT)
Received: from repsolf.repsol.es (repsolf.repsol.es [194.196.84.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id FAA04351 for ; Mon, 5 May 1997 05:09:03 -0700 (PDT)
From: Microsoft_Exchange_Connector_for_Lotus_cc:Mail_at_SPAMADALVAHB3@GTWIBM2.repsol.es
Received: from [91.1.4.15] by repsolf.repsol.es (AIX 4.1/UCB 5.64/1.00) id AA50592; Mon, 5 May 1997 15:09:26 +0200
Received: from cc:Mail by GTWIBM2.repsol.es id AA862866740; Mon, 05 May 97 14:04:00 GMT
Date: Mon, 05 May 97 14:04:00 GMT
Message-Id: <9704058628.AA862866740@GTWIBM2.repsol.es>
To: Firewalls@GreatCircle.COM
Subject: Undeliverable: Firewalls-Digest V6 #200
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Your message was not delivered to all recipients.

Subject: Firewalls-Digest V6 #200
Sent: 5/5/97 2:02:00 PM

The following email address(es) were unknown:
BETRAN FERNANDEZ JOSE at PYDESTEC_50

From owner-firewalls-outgoing Mon May 5 05:27:13 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA01326 for firewalls-outgoing; Mon, 5 May 1997 04:44:22 -0700 (PDT)
Received: from sunsrv5.lrz-muenchen.de (sunsrv5.lrz-muenchen.de [129.187.10.15]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id EAA01237 for ; Mon, 5 May 1997 04:43:59 -0700 (PDT)
Received: from ifkw-2.ifkw.uni-muenchen.de by sunsrv5.lrz-muenchen.de; Mon, 5 May 97 13:45:55 +0200
Received: from IFKW-2/SpoolDir by ifkw-2.ifkw.uni-muenchen.de (Mercury 1.31); 5 May 97 13:45:24 GMT +01
Received: from SpoolDir by IFKW-2 (Mercury 1.31); 5 May 97 13:45:13 GMT +01
From: "Peter Meuser"
Organization: IfKW, UNI Munich
To: firewalls@greatcircle.com
Date: Mon, 5 May 1997 13:45:07 MET-1MEST
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Attack hole in EagleNT 4.0 with port scan?
Reply-to: pmeuser@ifkw.uni-muenchen.de
X-mailer: Pegasus Mail for Windows (v2.52)
Message-ID: <1A9FA7C5AE8@ifkw-2.ifkw.uni-muenchen.de>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Is there anybody out who can retry the following scenario with Raptor EagleNT 4.0? There seems to be a problem with the gopher proxy (gopherd.exe) of EagleNT. QuickSlice of NTReskit shows that after scanning port 70 of the firewall gateway with UltraScan 1.2, gopherd.exe will nearly get 100% of the processor's attention and won't come down anymore. The only solution to get the process down is to stop and restart the Eagle service. After that, gopherd.exe is resistant to the port scan attack. So this scenario only works with a freshly booted system. In my eyes this is a very mysterious bug in EagleNT 4.0 (I have installed the first patch epint40.exe).

Any comments?

Peter

----------------------------------------------------------------------
Peter Meuser         Internet: pmeuser@ifkw.uni-muenchen.de
                     CompuServe: 75310,673
LANline-LAB          Telefon: (089) 27 222 33
Munich/Germany       FAX: (089) 27 222 28
----------------------------------------------------------------------

From owner-firewalls-outgoing Mon May 5 05:40:10 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA05956 for firewalls-outgoing; Mon, 5 May 1997 05:18:51 -0700 (PDT)
Received: from pwadns.pwa.co.in ([206.103.11.181]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id FAA05917 for ; Mon, 5 May 1997 05:18:38 -0700 (PDT)
From: Sandeep_Talwar@INDIA.notes.pwa.co.in
Received: from notesgw.pwa.co.in (notes2.pwa.co.in [206.103.11.180]) by pwadns.pwa.co.in (8.6.12/8.6.9) with SMTP id RAA02715 for ; Mon, 5 May 1997 17:58:45 +0500
Received: by notesgw.pwa.co.in(Lotus SMTP MTA Release 1.0) id 6525648E.00444098 ; Mon, 5 May 1997 17:55:29 +300500
X-Lotus-FromDomain: INDIA @ INTERNET
To: Firewalls@GreatCircle.COM
Message-ID: <6525648E:00439417.00@notesgw.pwa.co.in>
Date: Mon, 5 May 1997 17:55:24 +300500
Subject: Re: Firewalls-Digest V6 #199
Mime-Version: 1.0
Content-type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Our mail configuration is ----> all incoming mail received at a Linux host running sendmail and this is forwarded to a Lotus Notes server. Where should I be scanning emails ---- at the Linux box or on the box running Lotus Notes (OS is OS/2)? And what are some good email scanning products that any one of you know or are using?

Thanks in advance.

sandeep

From owner-firewalls-outgoing Mon May 5 05:56:02 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA09419 for firewalls-outgoing; Mon, 5 May 1997 05:41:43 -0700 (PDT)
Received: from repsolf.repsol.es (repsolf.repsol.es [194.196.84.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id FAA09301 for ; Mon, 5 May 1997 05:41:16 -0700 (PDT)
From: Microsoft_Exchange_Connector_for_Lotus_cc:Mail_at_SPAMADALVAHB3@GTWIBM2.repsol.es
Received: from [91.1.4.15] by repsolf.repsol.es (AIX 4.1/UCB 5.64/1.00) id AA83492; Mon, 5 May 1997 15:41:41 +0200
Received: from cc:Mail by GTWIBM2.repsol.es id AA862868670; Mon, 05 May 97 14:41:00 GMT
Date: Mon, 05 May 97 14:41:00 GMT
Message-Id: <9704058628.AA862868670@GTWIBM2.repsol.es>
To: Firewalls@GreatCircle.COM
Subject: Undeliverable: Firewalls-Digest V6 #197
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Your message was not delivered to all recipients.
Subject: Firewalls-Digest V6 #197
Sent: 5/5/97 2:38:00 PM

The following email address(es) were unknown:
BETRAN FERNANDEZ JOSE at PYDESTEC_50

From owner-firewalls-outgoing Mon May 5 06:49:41 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA16259 for firewalls-outgoing; Mon, 5 May 1997 06:19:22 -0700 (PDT)
Received: from ns1.sminter.com.ar (ns1.sminter.com.ar [200.10.100.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id GAA16176 for ; Mon, 5 May 1997 06:19:06 -0700 (PDT)
Received: from ppp10.sminter.com.ar (ppp10.sminter.com.ar [200.10.100.26]) by ns1.sminter.com.ar (8.8.4/8.8.4) with ESMTP id KAA20828 for ; Mon, 5 May 1997 10:20:22 +0300 (GMT)
Message-ID: <336E0911.6EA7@usa.net>
Date: Mon, 05 May 1997 10:21:37 -0600
From: Arnaud Ventura
Reply-To: a-ventura@usa.net
Organization: BNP
X-Mailer: Mozilla 4.0b2 (Win95; I)
MIME-Version: 1.0
To: Firewalls@GreatCircle.COM
Subject: Solution with Novell ?
X-Priority: 3 (Normal)
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Does anyone know a little about the Secure Solution of Novell for connection to the Net ?
Arnaud

---------------------------------------------------
Arnaud Ventura         mail: a-ventura@usa.net
25 de Mayo 471         Tel : (54).1 318 0331
Buenos Aires
----------------------------------------------------

From owner-firewalls-outgoing Mon May 5 06:55:13 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA18892 for firewalls-outgoing; Mon, 5 May 1997 06:31:27 -0700 (PDT)
Received: from ns1.sminter.com.ar (ns1.sminter.com.ar [200.10.100.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id GAA18828 for ; Mon, 5 May 1997 06:31:13 -0700 (PDT)
Received: from ppp10.sminter.com.ar (ppp10.sminter.com.ar [200.10.100.26]) by ns1.sminter.com.ar (8.8.4/8.8.4) with ESMTP id KAA23633 for ; Mon, 5 May 1997 10:32:46 +0300 (GMT)
Message-ID: <336E0BF8.360C@usa.net>
Date: Mon, 05 May 1997 10:34:00 -0600
From: Arnaud Ventura
Reply-To: a-ventura@usa.net
Organization: BNP
X-Mailer: Mozilla 4.0b2 (Win95; I)
MIME-Version: 1.0
To: Firewalls@GreatCircle.COM
Subject: FW Solution ?
X-Priority: 3 (Normal)
References: <199705021727.KAA00469@honor.greatcircle.com>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We have a Novell network and we want to connect it to the Net. Are there specific and appropriate solutions to handle the security on it? Obviously, the cheaper, the better... For info, we are more on the NT side than the Unix one...

Arnaud

---------------------------------------------------
Arnaud Ventura         mail: a-ventura@usa.net
25 de Mayo 471         Tel : (54).1 318 0331
Buenos Aires
----------------------------------------------------

From owner-firewalls-outgoing Mon May 5 07:14:09 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA19432 for firewalls-outgoing; Mon, 5 May 1997 06:33:45 -0700 (PDT)
Received: from [131.136.47.5] (valet.dreo.dnd.ca [131.136.47.5]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id GAA19409 for ; Mon, 5 May 1997 06:33:38 -0700 (PDT)
Received: from caen-sp.e33.dreo.dnd.ca ([131.136.46.12]) by [131.136.47.5] via smtpd (for honor.greatcircle.com [198.102.244.44]) with SMTP; 5 May 1997 13:34:43 UT
Received: from ephese-sp ([131.136.46.10]) by caen-sp.cps.dreo.dnd.ca (post.office MTA v2.0 0813 ID# 0-28788U510) with SMTP id AAA278 for ; Mon, 5 May 1997 09:39:53 -0400
Message-Id: <3.0.1.32.19970505093953.00944100@caen-sp.cps.dreo.dnd.ca>
X-Sender: marinier@caen-sp.cps.dreo.dnd.ca
X-Mailer: Windows Eudora Pro Version 3.0.1 (32)
Date: Mon, 05 May 1997 09:39:53 -0400
To: Firewalls@GreatCircle.COM
From: claude.marinier@dreo.dnd.ca (Marinier, Claude)
Subject: Re: [FW1] [FW-1] [Solaris 2.6] DHCP, VLSM thoughts
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>With DHCP, one will have to define generic hostnames for the
>range of IP addresses used in the IP allocation and you will
>not be able to do Authentication for a user coming from a
>particular host.

Are there not DNS systems which take input from DHCP servers and provide correct answers to queries? I heard that Microsoft was going to do just that with some version of NT. Can anyone confirm or deny this?
____________________
Claude Marinier
Information Technology Group
Defence Research Establishment Ottawa (DREO)
Claude.Marinier@dreo.dnd.ca    http://www.dreo.dnd.ca
613-998-4901    FAX 613-998-2675

From owner-firewalls-outgoing Mon May 5 07:45:51 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA26148 for firewalls-outgoing; Mon, 5 May 1997 07:27:33 -0700 (PDT)
Received: from wizard.abirnet.co.il (wizard.abirnet.co.il [194.90.211.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA26129 for ; Mon, 5 May 1997 07:27:25 -0700 (PDT)
Received: from ziv.abirnet.co.il (z1.abirnet.co.il [194.90.211.21]) by wizard.abirnet.co.il (8.7.6/8.7.3) with SMTP id WAA06094; Mon, 5 May 1997 22:32:18 +0300
Date: Mon, 5 May 97 17:27:05 Israel Daylight Time
From: Ziv Dascalu
Subject: Re: Solution with Novell ?
To: Arnaud Ventura , Firewalls@GreatCircle.COM
X-Mailer: Chameleon ATX 6.0, Standards Based IntraNet Solutions, NetManage Inc.
X-Priority: 3 (Normal)
References: <336E0911.6EA7@usa.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

--- On Mon, 05 May 1997 10:21:37 -0600 Arnaud Ventura wrote:

> Does anyone know a little about the Secure Solution
> of Novell for connection to the Net ?
>
> Arnaud
>
> ---------------------------------------------------
> Arnaud Ventura         mail: a-ventura@usa.net
> 25 de Mayo 471         Tel : (54).1 318 0331
> Buenos Aires
> ----------------------------------------------------

---------------End of Original Message-----------------

Arnaud,

Novell has a solution called IntraNetWare which does TCP over IPX, but it is used mainly within the intranet. It may be considered more secure since most of the TCP/IP "attack tools" build a TCP frame and not TCP over IPX packet frames.

Ziv Dascalu
ABIRNET
Active Network Protection
http://www.AbirNet.com

From owner-firewalls-outgoing Mon May 5 08:10:25 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA29077 for firewalls-outgoing; Mon, 5 May 1997 07:46:59 -0700 (PDT)
Received: from ns1.eds.com (ns1.eds.com [192.85.154.78]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA29048 for ; Mon, 5 May 1997 07:46:49 -0700 (PDT)
From: MSITMI02.XZ46G8@eds.com
Received: from nnsa.eds.com (nnsa.eds.com [130.174.31.78]) by ns1.eds.com (8.8.5/8.8.5) with ESMTP id KAA31368 for ; Mon, 5 May 1997 10:49:06 -0400 (EDT)
Received: from DNET.EDS.COM (dnet.eds.com [130.174.31.77]) by nnsa.eds.com (8.8.5/8.8.5) with SMTP id KAA10686 for ; Mon, 5 May 1997 10:48:34 -0400 (EDT)
X400-Originator: MSITMI02.XZ46G8@eds.com
X400-Recipients: firewalls@GreatCircle.com
X400-MTS-Identifier: [/PRMD=DMN2PILOT/ADMD=TELEMAIL/C=US/;0095000011433556000002]
X400-Content-Type: P2-1988 (22)
Message-ID: <0095000011433556000002*@MHS>
To: "firewalls(a)GreatCircle.com":;
Subject: Re: Need to restrict http://www.nude.com
Date: Mon, 5 May 1997 10:52:52 -0400
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Anyone ever realised what a great denial of service attack it is to get your competitor onto one of the automated lists of restricted URLs? It could hang around and get propagated for months, years.

This has happened. I downloaded a list a while back that denied access to the whole domain of demon.co.uk. For those who don't know, it is not a satanic-objects mail-order or game company but a large UK ISP offering mail and web services to thousands of people.

distinti saluti/best regards

Philip Kerrigan
EDS Italia SpA
Viale Monza, 257
Milano, Italy
tel. + (0)2 2524272
msitmi02.xz46g8@eds.com
fax + (0)2 27002588

From owner-firewalls-outgoing Mon May 5 08:25:00 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA03767 for firewalls-outgoing; Mon, 5 May 1997 08:16:48 -0700 (PDT)
Received: from news.acrux.net (pluto.acrux.net [207.51.199.3]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA03759 for ; Mon, 5 May 1997 08:16:42 -0700 (PDT)
Received: from pluto (pluto [207.51.199.3]) by news.acrux.net (8.8.5/8.8.5) with SMTP id KAA06089; Mon, 5 May 1997 10:17:32 -0500 (CDT)
Date: Mon, 5 May 1997 10:17:31 -0500 (CDT)
From: Brian Tackett
X-Sender: cym@pluto
To: Ken Stephens
cc: firewalls@GreatCircle.COM
Subject: Re: macintosh firewall?
In-Reply-To: <199705050451.AAA14892@Fe3.rust.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 5 May 1997, Ken Stephens wrote:

> If I had 50 more Macs in my shop I would have bought one for a server.
> Strange bedfellows (IBM and Apple)!

Wow :) I stand corrected, and the pink pig flying past my window is scolding me ferociously. This wouldn't be some weird offshoot of the whole Taligent/Pink mess would it?
From owner-firewalls-outgoing Mon May 5 08:39:58 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA05880 for firewalls-outgoing; Mon, 5 May 1997 08:32:11 -0700 (PDT)
Received: from mail.Germany.EU.net (mail.germany.eu.net [192.76.144.65]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id IAA05789 for ; Mon, 5 May 1997 08:31:53 -0700 (PDT)
Received: by mail.Germany.EU.net with SMTP (5.59+:34/2.6.2.c) id RAA29970; Mon, 5 May 1997 17:34:07 +0200
Received: by nt-internal-hu.medos.de with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52) id <01BC597A.19FCA080@nt-internal-hu.medos.de>; Mon, 5 May 1997 17:31:01 +0100
Message-ID:
From: "Judas, Roland"
To: "'Firewalls@GreatCircle.COM'"
Subject: RE: [FW1] [FW-1] [Solaris 2.6] DHCP, VLSM thoughts
Date: Mon, 5 May 1997 17:30:00 +0100
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The Microsoft RFC-compliant DNS implementation in Windows NT 4.0 does not offer a direct integration with DHCP, but with the WINS (Windows Internet Name Service). The WINS service is tightly integrated with the DHCP service and therefore has some advantages over DNS. Because the clients register themselves with the WINS server at boot time, a WINS query will return the current client (even dynamic) IP address. The disadvantages are that this service is only used in the MS Windows and LAN Manager environment and there is no hierarchical structure like in DNS.

With NT 4.0 the WINS is integrated with DNS in the way that the MS DNS server knows about a WINS server and is able to forward queries and reverse lookups to it. They have done it using an MS-specific record in the MS DNS service (IN WINS). This enables you to have the WINS lookup on a per-domain basis.

So, if you are working in a Windows environment, you can say that DNS is integrated with DHCP (if you use the WINS service).

Roland

Note: This is just a very short piece of information. There is much more to say about Windows name resolution, but it would take me hours to explain.

-----Original Message-----
From: claude.marinier@dreo.dnd.ca [SMTP:claude.marinier@dreo.dnd.ca]
Sent: Monday, May 05, 1997 2:40 PM
To: Firewalls@GreatCircle.COM
Subject: Re: [FW1] [FW-1] [Solaris 2.6] DHCP, VLSM thoughts

Are there not DNS systems which take input from DHCP servers and provide correct answers to queries? I heard that Microsoft was going to do just that with some version of NT. Can anyone confirm or deny this?

From owner-firewalls-outgoing Mon May 5 09:04:38 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA07242 for firewalls-outgoing; Mon, 5 May 1997 08:43:17 -0700 (PDT)
Received: from relay5.UU.NET (relay5.UU.NET [192.48.96.15]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA07217 for ; Mon, 5 May 1997 08:43:05 -0700 (PDT)
Received: from uucp1.UU.NET by relay5.UU.NET with SMTP (peer crosschecked as: uucp1.UU.NET [192.48.96.39]) id QQcofv23395; Mon, 5 May 1997 11:45:33 -0400 (EDT)
Received: from mop.UUCP by uucp1.UU.NET with UUCP/RMAIL ; Mon, 5 May 1997 11:45:23 -0400
Received: by mtb.phil.mop.com (4.1/SMI-4.1) id AA15260; Mon, 5 May 97 11:27:50 EDT
Date: Mon, 5 May 97 11:27:50 EDT
From: davez@mtb.phil.mop.com (Dave Zarnoch)
Message-Id: <9705051527.AA15260@mtb.phil.mop.com>
Apparently-To: Firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

please remove

From owner-firewalls-outgoing Mon May 5 09:09:40 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA09087 for firewalls-outgoing; Mon, 5 May 1997 09:01:46 -0700 (PDT)
Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id JAA09078 for ; Mon, 5 May 1997 09:01:40 -0700 (PDT)
Received: from Ebay.Sun.COM ([129.150.111.20]) by mercury.Sun.COM (SMI-8.6/mail.byaddr) with SMTP id JAA14525; Mon, 5 May 1997 09:14:57 -0700
Received: from althea.EBay.Sun.COM by Ebay.Sun.COM (SMI-8.6/SMI-5.3) id JAA00722; Mon, 5 May 1997 09:03:23 -0700
Received: by althea.EBay.Sun.COM (SMI-8.6/SMI-SVR4) id JAA10111; Mon, 5 May 1997 09:02:56 -0700
Date: Mon, 5 May 1997 09:02:56 -0700
From: Jerald.Josephs@Ebay.Sun.COM (Jerald Josephs)
Message-Id: <199705051602.JAA10111@althea.EBay.Sun.COM>
To: dechon@CS.Stanford.EDU, Eric.Deschamps@France.Sun.COM
Subject: Re: [FW1] [FW-1] [Solaris 2.6] DHCP, VLSM thoughts
Cc: Jerald.Josephs@Ebay.Sun.COM, firewalls@GreatCircle.COM, fw-1-mailinglist@us.checkpoint.com, drexx@pspi.com.ph
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-MD5: TZq3yphbOI/54M66Gx0rmg==
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > > > > > > 2] How will VLSM make firewalling administration any easier/better ?
> > > > > > >
> > > No, but it will make it easier to subnet your intranet without
> > > losing precious IP addresses to a subnet without enough
> > > hosts to use all of the addresses.
> >
> > ? I don't understand this last sentence. My exposure to VLSM indicates
> > that it has nothing to do with subnetting your intranet. I ran into
> > this problem when trying to route with rip. Specifically, Sun's
> > implementation of the routing socket interface is not the industry
> > standard. In other words, when you use a Sun machine as a multi-homed
> > host with subnetted networks the rip updates are incorrect. The routers
> > that we used had no problems at all in dealing with the subnetted
> > networks, therefore while we were able to subnet our intranet we had
> > problems with using Sun's as any type of router.
> >
> > mj
>
> Marc,
>
> It seems that VLSM stands for "variable-length subnet mask", so it looks like
> it has to do with subnetting your intranet. RIP has no knowledge of subnet
> addressing, so I am not sure I understand what is meant by "Sun's
> implementation of the routing socket interface is not the industry standard".
> Which standard is it ? It is a RIP problem; RIP2 addresses this problem (and
> others as well) without any ambiguity.
>
> Rgds,
>
> Eric

Marc,

I actually began a lengthy detailed response that I failed to get off before my mail utility did a no-no and I lost the composition.

VLSM refers to the same thing as CIDR, Classless Internet Domain Routing. For those who may not be familiar with this, CIDR addresses the problem that the Internet is seeing with the explosion of Class C addresses all over the place. Traditionally, to reach a network, you need a route. With so many new networks, you need a robust routing table. The shortage of Class B addresses has forced companies to subnet their Class B into Class C. This creates numerous new routing table entries. CIDR says that if you own 192.168.0.0, then I can assume that 192.168.1.0 through 192.168.255.0 are all within your domain, so all I need is a single route to 192.168.0.0 to handle all of the subnets.

The problem was that the earlier versions of routed shipped with Solaris, as well as the kernel IP routing module, could not handle this. Variable Length Subnet Masks are what is used to facilitate the implementation of CIDR. That is what the CONSULT-VLSM patch provides: the ability to handle this.

Jerald E. Josephs
Course Developer - Network Security
Sun Educational Services
Phone/VM: 408-276-0941
FAX: 408-276-1565
E-mail: jerald.josephs@EBay.Sun.COM

From owner-firewalls-outgoing Mon May 5 09:24:55 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA08023 for firewalls-outgoing; Mon, 5 May 1997 08:51:30 -0700 (PDT)
Received: from homeport.org ([205.136.65.198]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA08016 for ; Mon, 5 May 1997 08:51:25 -0700 (PDT)
Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id LAA01590 for firewalls@greatcircle.com; Mon, 5 May 1997 11:51:00 -0400 (EDT)
From: Adam Shostack
Message-Id: <199705051551.LAA01590@homeport.org>
Subject: Chrooting DNS
To: firewalls@greatcircle.com (Firewalls mailing list)
Date: Mon, 5 May 1997 11:51:00 -0400 (EDT)
X-Mailer: ELM [version 2.4ME+ PL27 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I wrote a short doc on chrooting DNS, in the hopes that it will help protect against the next set of stack smashing bugs in the named server.

http://www.homeport.org/~adam/dns.html

Feedback welcome.

Adam

--
"It is seldom that liberty of any kind is lost all at once."
-Hume

From owner-firewalls-outgoing Mon May 5 09:50:19 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA06971 for firewalls-outgoing; Mon, 5 May 1997 08:40:48 -0700 (PDT)
Received: from exch-bel1.attachmate.com (exch-bel1.attachmate.com [149.82.1.46]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id IAA06948 for ; Mon, 5 May 1997 08:40:36 -0700 (PDT)
Received: by exch-bel1.attachmate.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52) id <01BC592F.93AA0760@exch-bel1.attachmate.com>; Mon, 5 May 1997 08:37:33 -0700
Message-ID:
From: Darren Cromer
To: "'claude.marinier@dreo.dnd.ca'" , "'Firewalls@GreatCircle.COM'"
Subject: RE: [FW1] [FW-1] [Solaris 2.6] DHCP, VLSM thoughts
Date: Mon, 5 May 1997 08:40:55 -0700
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The Microsoft DNS shipped with NT 4.0 will query a WINS server and respond with the WINS NetBIOS name. It's an OK DNS, not great, but it is stable.

-----Original Message-----
From: claude.marinier@dreo.dnd.ca [SMTP:claude.marinier@dreo.dnd.ca]
Sent: Monday, May 05, 1997 9:40 AM
To: Firewalls@GreatCircle.COM
Subject: Re: [FW1] [FW-1] [Solaris 2.6] DHCP, VLSM thoughts

>With DHCP, one will have to define generic hostnames for the
>range of IP addresses used in the IP allocation and you will
>not be able to do Authentication for a user coming from a
>particular host.

Are there not DNS systems which take input from DHCP servers and provide correct answers to queries? I heard that Microsoft was going to do just that with some version of NT. Can anyone confirm or deny this?

____________________
Claude Marinier
Information Technology Group
Defence Research Establishment Ottawa (DREO)
Claude.Marinier@dreo.dnd.ca    http://www.dreo.dnd.ca
613-998-4901    FAX 613-998-2675

From owner-firewalls-outgoing Mon May 5 10:06:43 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA11382 for firewalls-outgoing; Mon, 5 May 1997 09:21:58 -0700 (PDT)
Received: from hanshan.bbnplanet.com (hanshan.bbnplanet.com [199.94.209.143]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id JAA11355 for ; Mon, 5 May 1997 09:21:49 -0700 (PDT)
From: pnash@hanshan.bbnplanet.com
Received: (qmail 9300 invoked by uid 1001); 5 May 1997 16:23:46 -0000
Message-ID: <19970505162346.9299.qmail@hanshan.bbnplanet.com>
Subject: Re: Firewall routing problem
To: raju@porsche.inabbdb.co.in (Raju Krishnan)
Date: Mon, 5 May 1997 12:23:45 -0400 (EDT)
Cc: jonw@mntcmp2.demon.co.uk, firewalls@GreatCircle.COM
In-Reply-To: <336D8A4E.794B@porsche.inabbdb.co.in> from "Raju Krishnan" at May 5, 97 12:20:46 pm
X-Mailer: ELM [version 2.4 PL25]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>                -------
>                |     |eth0 206.103.13.97
>  Leased line---|Cisco|-------
>  202.54.5.194  |2501 |      |  Net: 255.255.255.240
>                -------      |
>                             |eth1 206.103.13.101
>                        __________
>                        | Linux   |
>                        | Gateway |  Firewall FWTK
>                        |_________|
>                             |
>                             |eth0 192.168.0.3   Net: 192.168.0.0
>                             |
>  ----------------------------------
>        |                 |
>        |                 |
>  Other Digital Unix Machines with Netmask 192.168.0.0
>
> Information:
>
> Firewall is Linux machine running FWTK (freeware Firewall). CISCO router
> is 2501 running IPX.
>
> The firewall can ping the router and all outside machines on internet.

Yep, that's normal.

> The firewall can ping the internal local machines.

Yep, that's normal too.

> The router can ping the internet and the firewall eth0 and eth1 but
> cannot ping across the firewall to internal machines.
Right, because you have nothing forwarding along the ICMP packets to your internal network. You *don't* want people to be able to ping your internal hosts, and you don't really want internal people to be able to ping external hosts as well. Allowing ICMP through a firewall is a bad idea in general, as people can use it to tunnel information over it, map your internal network, etc. Bad bad bad.

>
> Does the router also need another route ip command to tell the packets
> going to the inside net that they have to go via the firewall gateway
> interface 206.103.13.101?
>

Nope, the problem you are running into is because there is nothing in the Linux box telling it to forward the packets through the interfaces. Trust me, though, you do *not* want to forward the packets through.

-Paul

----
Paul Nash
I speak for myself, not for my employer.
BBN Planet   (617) 873-6604   pnash@bbnplanet.com

From owner-firewalls-outgoing Mon May 5 11:03:28 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA21517 for firewalls-outgoing; Mon, 5 May 1997 10:13:37 -0700 (PDT)
Received: from interlock.mgh.com (interlock.mgh.com [152.159.1.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id KAA21489 for ; Mon, 5 May 1997 10:13:29 -0700 (PDT)
From: arager@mcgraw-hill.com
Received: by interlock.mgh.com id AA17119 (InterLock SMTP Gateway 3.0 for firewalls@greatcircle.com); Mon, 5 May 1997 13:15:01 -0400
Message-Id: <199705051715.AA17119@interlock.mgh.com>
Received: by interlock.mgh.com (Protected-side Proxy Mail Agent-1); Mon, 5 May 1997 13:15:01 -0400
Date: Mon, 05 May 97 11:07:21 edt
To: firewalls@greatcircle.com
Subject: Re: Need to restrict http://www.nude.com and such
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I still find this sort of thread hilarious. Ok, my hand's up for being the one to find all those dirty sites! :>> Is this what the job of security administrator has been reduced to..... smut hunter??? Next we will be searching thru desks for Playboys and such... by the way.. hand over those dirty pictures in your wallet!

What's the difference between users bringing diskettes from home with this stuff on them, and users downloading it from the net?? I have to agree, technology is not the problem...... policy and management is. If it is against policy for folks to have/view certain materials at work, then it is against policy... period. If an employee has items that are against policy, then management should take the proper measures.

But, content transfer is not very enforceable... There are too many ways to transfer information for companies to monitor and enforce all of them. [I am reminded of the recent stupid Soloman Bros. post -- people can use many different methods to carry info in and out of a company besides HTTP/Email....] Do we want to monitor FAX, modem, diskettes, info on laptops, phone calls, e-mail content, Internet URLs, LAN traffic, snail mail, and all paper in and out of the company? I don't think I want to work for an organization that invades my privacy to quite that extent.

A better solution is to arrange folks that are not trustworthy [something tells me this is probably due to poor management] in the traditional 'bullpen' type office...... That way the paranoid managers can see and hear everything the employee does. Timesheets [as much as I hate them] will probably also reveal an employee's work ethic.

Probably the more reasonable solution is to report URL and e-mail usage stats back to the employee and manager. This gives the manager some indication of technology usage -- which may or may not be appropriate for the particular employee's job. [ie - 1GB/day HTTP transfers for a data entry clerk may be a bit excessive?]

Sorry to waste even more bandwidth on this topic. The above opinions are entirely mine.
Anton Rager
Standard & Poor's Compustat
arager@McGraw-Hill.com

From owner-firewalls-outgoing Mon May 5 12:02:55 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA24494 for firewalls-outgoing; Mon, 5 May 1997 10:35:27 -0700 (PDT)
Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id KAA24472 for ; Mon, 5 May 1997 10:35:19 -0700 (PDT)
Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id MAA19616; Mon, 5 May 1997 12:23:11 -0400
Date: Mon, 5 May 1997 12:23:07 -0400 (EDT)
From: Rabid Wombat
To: Alan
cc: Dominick Glavach , firewalls@GreatCircle.COM
Subject: Re: Need to restrict http://www.nude.com and such
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 2 May 1997, Alan wrote:

> On Fri, 2 May 1997, Dominick Glavach wrote:
>
> > I know this is slightly off topic but I need some advice or some products
> > that will restrict http access to sites such as www.porn.com. Aside from
> > building an exhaustive list on my proxy what else can I do. Thanks for the
> > help.
>
> Try finding the wire leading from your firewall out to the Internet. Take
> a large pair of wire cutters and cut that wire. (Be careful not to
> confuse the power cord with this wire.)
>
> Filters are semi-useful at best. Since any of these filters can be
> bypassed by web proxies, you will only filter out the more clueless of
> your userbase. (Middle managers and sales people and the like.) You are
> better off either cutting off access to the net to all (or most) of your
> users or deal with problems as they occur.
>
>
> I have seen actions like this taken before. Someone in management gets a
> hair up their ass about "people for surfing for porn at work", and instead
> of doing something that would require real hands on involvement, make a
> request that puts the burden on another department. This sort of
> management has all sorts of ramifications that are never taken into
> account. It shows that management does not trust them. It makes the
> lives of those who do need to use the net more difficult. (Especially
> since many of these filters are overbroad and restrict legit sites.) It
> also breeds contempt for both management and IS. All in all, not the best
> situation.
>
>
> If you are really wanting to deal with the "problem", I suggest using a
> log on your web proxy and then deal with people who abuse the situation.
> Filtering will cause more hassles than it will solve.
>
>

I agree with Alan; I also think that when you start censoring traffic, you are, essentially, becoming a content provider, and *might* find a different set of rules applied to your organization for outbound content originating at your site. This is a Bad Thing(tm). I am not a lawyer, but I suggest you check with one in regard to this.

I recommend that your organization formally notify its users that professional standards apply to the use of corporate computer equipment and network connections, just as they do to the use of corporate telephones, fax machines, and other resources. Detailing this in a memo, as well as in the next revision of the employee handbook, is a good way to handle this.

Most companies allow limited personal use of company resources without explicit limits; the computer equipment/network need not be different. If your company lets you call and make an appointment with your doctor, check up on child care, etc. from work, you probably fall into this category. Most people can see the difference between this and calling Uncle Bob in Katmandu for three hours a day on the company dime.
Applying professional standards to personal use should be sufficient. Simply set up logging capability, and make sure that users are formally told that such capability exists. Formally define where the "right to privacy" ends.

I would suggest that your policy be to log all site access and mail traffic, but that policy also dictate that no review of logs be performed without some "outside" probable cause, documented in an official memo. For example: your postmaster receives e-mail requesting information regarding harassing e-mail that appears to be originating from an address at your site. The MIS director issues a memo to a member of the IS staff to review the mail logs specifically to determine if such activity is taking place. Or: a worker complains that the person in the next cubicle frequently views offensive material on their PC; that person's supervisor sends a memo to MIS asking that the logs be reviewed to determine if such actions are taking place.

This protects your organization from violating an employee's "reasonable expectation of privacy", as long as the guidelines for use of equipment, logging capability, and review of such logs have been spelled out. I've also found that formally publishing such a policy is usually a significant deterrent, as most of your "violators" will stop if they know that their use patterns are being logged somewhere.

Be alert for people who try to "burn" a co-worker by accessing "banned" sites from that user's station, and then getting someone to log a complaint; I've seen incidents like this as well.

Best to set up policy that protects the company's interests, deters most casual abuse, etc., without turning MIS into the Info-Gestapo.

Note, before starting a flame war / debate: I'm against censorship, in general, and think that people should be able to read/publish what they like. I don't think that their employer should be obligated to provide them the printing press, or pay them to indulge in their personal pursuits on company time. Home access is cheap. Read/write all you want from there.

Once again, I am not a lawyer, this is free advice, and you generally get what you pay for. :)

-r.w.

From owner-firewalls-outgoing Mon May 5 12:06:36 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA01649 for firewalls-outgoing; Mon, 5 May 1997 11:09:55 -0700 (PDT)
Received: from burrito.insource.com (burrito.insource.com [206.97.180.105]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id LAA01484 for ; Mon, 5 May 1997 11:09:25 -0700 (PDT)
Received: (from rafec@localhost) by burrito.insource.com (8.8.5/8.7.3) id NAA03444; Mon, 5 May 1997 13:12:12 -0500 (CDT)
Date: Mon, 5 May 1997 13:12:11 -0500 (CDT)
From: Rafe Colburn
To: Brian Tackett
cc: Kevin McPeake , firewalls@GreatCircle.COM
Subject: Re: macintosh firewall?
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Apple has been building server boxes that run a licensed version of AIX 4.1.x for quite some time. They're supposedly pretty nice machines, although I've never seen one in action. From what I've read most recently, with the latest reorg, Apple is not going to continue this product line and will stick with building machines that run the MacOS or Rhapsody. They stopped working on A/UX quite a while ago.

Interestingly, you can run MkLinux on PowerMacs, although it's a pre-release version. See http://www.mklinux.apple.com for more info on that.

On Sun, 4 May 1997, Brian Tackett wrote:

> On Mon, 5 May 1997, Kevin McPeake wrote:
>
> > But if you want to stay Mac only, without having to fork out the cash for
> > a Apple AIX box (which they are dropping support for AIX, thanks in part
>
> *cough* Do you mean AIX, or A/UX?
Unless I've not kept pace with things, > AIX is IBM, A/UX is Apple ;) --- Rafe Colburn Consultant, Insource Technology Corp. [finger rafec@burrito.insource.com for PGP Public Key] From owner-firewalls-outgoing Mon May 5 12:10:06 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA05088 for firewalls-outgoing; Mon, 5 May 1997 11:40:52 -0700 (PDT) Received: from Xenon.Stanford.EDU (Xenon.Stanford.EDU [171.64.64.24]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id LAA05061 for ; Mon, 5 May 1997 11:40:42 -0700 (PDT) Received: (from dechon@localhost) by Xenon.Stanford.EDU (8.8.4/8.8.4) id LAA09206; Mon, 5 May 1997 11:42:58 -0700 (PDT) From: "Marc D. Jackson" Message-Id: <199705051842.LAA09206@Xenon.Stanford.EDU> Subject: Re: [FW1] [FW-1] [Solaris 2.6] DHCP, VLSM thoughts To: Eric.Deschamps@France.Sun.COM Date: Mon, 5 May 1997 11:42:57 -0700 (PDT) Cc: dechon@CS.Stanford.EDU, Jerald.Josephs@Ebay.Sun.COM, firewalls@GreatCircle.COM, fw-1-mailinglist@us.checkpoint.com, drexx@pspi.com.ph In-Reply-To: from "Eric Deschamps" at May 5, 97 10:27:53 am X-Mailer: ELM [version 2.4 PL25] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Eric Deschamps writes: > > > > > > > 2] How will VLSM make firewalling administration any easier/better ? > > > > > > > > > > No, but it will make it easier to subnet your intranet without > > > loosing precious IP addresses to a subnet without enough > > > hosts to use all of the addresses. > > > > ? I don't understand this last sentence. My exposure to VLSM indicates > > that it has nothing to do with subnetting your intranet. I ran into > > this problem when trying to route with rip. Specifically, Sun's > > implementation of the routing socket interface is not the industry > > standard. 
> > In other words, when you use a Sun machine as a multi-homed
> > host with subnetted networks the rip updates are incorrect. The routers
> > that we used had no problems at all in dealing with the subnetted
> > networks, therefore while we were able to subnet our intranet we had
> > problems with using Sun's as any type of router.
> >
> > mj
>
> Marc,
>
> It seems that VLSM stands for "variable-length subnet mask", so it looks like
> it has to do with subnetting your intranet. RIP has no knowledge of subnet

Perhaps this is a problem with terminology. On one machine, if I have 192.168.100.33, 192.168.100.66, 192.168.100.97 all with the subnet mask 255.255.255.224, the rip updates from the machine contain information about the various subnets. This would indicate to me that "RIP" *does* understand subnetting. Are you saying that the packets on port 520 are *not* RIP updates?

mj

From owner-firewalls-outgoing Mon May 5 12:14:13 1997
From: "Marc D. Jackson"
Date: Mon, 5 May 1997 11:33:13 -0700 (PDT)
To: Andreas.Mueller@othello.ch (Dr Andreas F Muller)
Cc: firewalls@GreatCircle.COM
Subject: Re: VLSM, RIP, routing socket

Dr Andreas F Muller writes:
> > "Marc D. Jackson" wrote:
> > I ran into this problem when trying to route with rip. Specifically,
>
> RIP cannot do subnets, unless you use RIP2. Ordinary routed does

My understanding of subnetting was this: that you can steal bits from the host part of the ip address in order to create more networks. If that is not the following, please explain what it is. (Sun networking class.)

192.168.100.33 netmask 255.255.255.224
192.168.100.65 netmask 255.255.255.224
192.168.100.97 netmask 255.255.255.224

> not understand RIP2. Many other OSes have the same problem, even
> some products that call themselves routers.
>
> For a real router you need at least two preconditions:
> . the kernel must understand subnet routes
> . there must be a decent routing process that understands a real
> routing protocol (in this sense, routed is not decent).
>
> > Sun's implementation of the routing socket interface is not the
> > industry standard. In other words, when you use a Sun machine as
> > a multi-homed host with subnetted networks the rip updates are
> > incorrect. The routers that we used had no problems at all in
>
> This has nothing to do with the implementation of the routing
> socket. It's a fact that Solaris 2.x, x < 6, is unable to handle

Ok. Then your information is different than what Sun has to say. The line I quoted was a paraphrase of the documentation that came with their VLSM software. It also coincided with information that I had received from the Gated consortium. Perhaps I misunderstood.

> subnet routes in its kernel routing table, unless they belong to
> directly connected networks. The workaround is to use host routes
> for all hosts on a remote subnet. (There was a product from Sun
> which enabled vlsm in the kernel, however, this does not correct the
> deficiencies of RIP).
>
> The fact that the routers had no problems only indicates that they
> were using RIP2 or something better.

My network engineers made no mention of using RIP2.

> > dealing with the subnetted networks, therefore while we were able
> > to subnet our intranet we had problems with using Sun's as any type
> > of router.
>
> If you want your Sun to speak to some routers intelligently (doing
> something more intelligent than RIP), you should consider gated.

Funny thing. I *AM* using GateD, which is how I found out about all of this. Perhaps you can answer a question for me. With the VLSM software installed, routed now propagates the routes correctly. Why doesn't Gated?

> Just my 0.02$

Thanx for your 0.02$. Next time please send large bills. Preferably 100's. :)

mj

> Andreas Mueller
>
> ------------------------------------------------------------
> Dr. Andreas Mueller Beratung und Entwicklung
> Bubental 53, CH - 8852 Altendorf
> Voice: +41 55 462 1483 Fax/Data: +41 55 462 1485

From owner-firewalls-outgoing Mon May 5 14:06:12 1997
From: Ron DuFresne
Date: Mon, 5 May 1997 14:40:41 -0500 (CDT)
To: arager@mcgraw-hill.com
Cc: firewalls@GreatCircle.COM
Subject: Re: Need to restrict http://www.nude.com and such

On Mon, 5 May 1997 arager@mcgraw-hill.com wrote:
> I still find this sort of thread hilarious.
> Ok, my hand's up for
> being the one to find all those dirty sites!:>> Is this what the job
> of security administrator has been reduced to.....smut hunter??? Next
> we will be searching thru desks for playboys and such...by the
> way..hand over those dirty pictures in your wallet!

I've mentioned before, the best way around all this logging and the restricting of URL's for the end user, is to go out to a private account, do all the searching and grabbing there, perhaps then renaming sex1.jpg to something.important, then pulling it back inside. No logs to report the end around, and no admin is the wiser, unless he sees your new found background on your desktop of the orgy scene.

I've posted a few times some packages that the k-12 edu sites use for such purposes when this topic has come up, more in an attempt to jestup the folks that think they need to 'guide' and monitor their employees than for any other reason.

It's my guess that a few admins are sorry to have moved out their diskless X stations, and are hopping with glee at the new versions of that old technology that vendors are once again pushing on the masses. Yup, lock down the desktop, and restrict access to the fullest, it costs far too much to actually train and inform users as to proper work methods.

Later,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
From owner-firewalls-outgoing Mon May 5 14:24:48 1997
From: Jeff Murphy
Date: 05 May 1997 16:10:08 -0400
To: claude.marinier@dreo.dnd.ca (Marinier, Claude)
Cc: Firewalls@GreatCircle.COM
Subject: Re: [FW1] [FW-1] [Solaris 2.6] DHCP, VLSM thoughts

claude.marinier@dreo.dnd.ca (Marinier, Claude) writes:
> Are there not DNS systems which take input from DHCP servers
> and provide correct answers to queries?

yes. one of the features of the new BIND release by paul vixie is dynamic update abilities. this is really useful in the context of DHCP. in fact, the ISC is supposed to have a DHCP client available with the latest BIND code that will perform pushes of hostname/address pairs into DNS dynamically.

see also: www.isc.org

jeff

From owner-firewalls-outgoing Mon May 5 14:53:30 1997
From: Bernd Eckenfels
Date: Mon, 5 May 1997 21:38:14 +0200
To: Raju Krishnan
Cc: firewalls@GreatCircle.COM
Subject: Re: Firewall routing problem

Hello,

> The router can ping the internet and the firewall eth0 and eth1 but
> cannot ping across the firewall to internal machines.

Besides the info that you don't want to forward ICMP (linux 2.0.30 can do some icmp masquerading if you are really daring), you should forbid access from external interface (cisco) to internal interface by ip firewalling. Add some rules against IP-Spoofing with ipfwadm.

Greetings
Bernd

--
  (OO)      -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de --
 ( .. )  ecki@{inka.de,linux.de,debian.org}  http://home.pages.de/~eckes/
  o--o     *plush*  2048/93600EFD  eckes@irc  +4972573817  BE5-RIPE
(O____O)  If privacy is outlawed only Outlaws have privacy

From owner-firewalls-outgoing Mon May 5 15:14:11 1997
From: Jerald.Josephs@Ebay.Sun.COM (Jerald Josephs)
Date: Mon, 5 May 1997 12:03:42 -0700
To: Jerald.Josephs@Ebay.Sun.COM, postmaster@ram-tnsc-nl1.ramstein.af.mil
Cc: firewalls@greatcircle.com
Subject: RE: [FW1] [FW-1] [Solaris 2.6] DHCP, VLSM thoughts

Murph,

You must be running Solaris 1.x (still). NIS is not integrated into DNS, meaning you don't have to configure NIS in order to access DNS with Solaris 2.x.

DNS in Solaris 2.x is:

create /etc/resolv.conf
add 'dns' to the hosts line in /etc/nsswitch.conf.

I won't go into how to create a DNS server...

---
jerald

> BTW - WHY IS NIS INTEGRATED INTO DNS? There are sane people who have no
> desire to run NIS, but have a definite need to run DNS - is this SNAFU
> to be fixed in future releases?
>
> murph
>
> Brian Murphy - PRC
> HQ USAFE CSS/SCBT - TNSC
> DSN: (314) 480-7005
> mailto:brian.murphy@ramstein.af.mil
> "The computer is the computer, the network is the network."
>
> >----------
> >From: Jerald.Josephs@Ebay.Sun.COM[SMTP:Jerald.Josephs@Ebay.Sun.COM]
> >Sent: Monday, May 05, 1997 18:02
> >To: dechon@CS.Stanford.EDU; Eric.Deschamps@France.Sun.COM
> >Cc: Jerald.Josephs@Ebay.Sun.COM; firewalls@GreatCircle.COM;
> >fw-1-mailinglist@us.checkpoint.com; drexx@pspi.com.ph
> >Subject: Re: [FW1] [FW-1] [Solaris 2.6] DHCP, VLSM thoughts
> >
> >> > > > 2] How will VLSM make firewalling administration any easier/better ?
> >> > >
> >> > > No, but it will make it easier to subnet your intranet without
> >> > > losing precious IP addresses to a subnet without enough
> >> > > hosts to use all of the addresses.
> >> >
> >> > ? I don't understand this last sentence. My exposure to VLSM indicates
> >> > that it has nothing to do with subnetting your intranet. I ran into
> >> > this problem when trying to route with rip. Specifically, Sun's
> >> > implementation of the routing socket interface is not the industry
> >> > standard. In other words, when you use a Sun machine as a multi-homed
> >> > host with subnetted networks the rip updates are incorrect. The routers
> >> > that we used had no problems at all in dealing with the subnetted
> >> > networks, therefore while we were able to subnet our intranet we had
> >> > problems with using Sun's as any type of router.
> >> >
> >> > mj
> >>
> >> Marc,
> >>
> >> It seems that VLSM stands for "variable-length subnet mask", so it looks like
> >> it has to do with subnetting your intranet. RIP has no knowledge of subnet
> >> addressing, so I am not sure to understand what is the meaning of "Sun's
> >> implementation of the routing socket interface is not the industry standard".
> >> Which standard is it ? It is a RIP problem, RIP2 addresses this problem (and
> >> others as well) without any ambiguity.
> >>
> >> Rgds,
> >>
> >> Eric
> >
> >Marc,
> >
> >I actually began a lengthy detailed response that I failed to get off before
> >my mail utility did a no-no and I lost the composition.
> >
> >VLSM refers to the same thing as CIDR, Classless Internet Domain Routing.
> >For those who may not be familiar with this, CIDR addresses the problem that
> >the Internet is seeing with the explosion of Class C addresses all over the
> >place. Traditionally, to reach a network, you need a route. With so many
> >new networks, you need a robust routing table.
> >
> >The shortage of Class B addresses has forced companies to subnet their Class B
> >into Class C. This creates numerous new routing table entries.
> >
> >CIDR says that if you own 192.168.0.0, then I can assume that 192.168.1.0
> >through 192.168.255.0 are all within your domain, so all I need is a single
> >route to 192.168.0.0 to handle all of the subnets. The problem was that the
> >earlier versions of routed shipped with Solaris as well as the kernel IP
> >routing module, could not handle this.
> >
> >Variable Length Subnet Masks is what is used to facilitate the implementation
> >of CIDR.
> >
> >That is what the CONSULT-VLSM patch provides: this ability to handle this.
> >
> >     /\        Jerald E. Josephs
> >    \\ \       Course Developer - Network Security
> >   \ \\ /      Sun Educational Services
> >  / \/ / /
> > / /   \//\
> > \//\   / /
> >  / / /\ /
> >   / \\ \      Phone/VM: 408-276-0941
> >    \ \\       FAX: 408-276-1565
> >     \/        E-mail: jerald.josephs@EBay.Sun.COM
> >

From owner-firewalls-outgoing Mon May 5 15:55:16 1997
From: "Gene Amdur"
Date: Mon, 5 May 1997 16:26:58 -0400
To: Chris Lonvick
Cc: Adam Shostack, Sandeep_Talwar@INDIA.notes.pwa.co.in, Firewalls@GreatCircle.COM
Subject: Re: Firewalls-Digest V6 #187

| My own understanding (may be more/less/equally wrong) is that a US
| company can purchase any dang thing they want. They can also ship
| it around the world as long as they maintain control of it. This
| shouldn't fall into the DoC regulations since they're not _exporting_
| it for resale (and it won't fall into the hands of people who may
| want to "harm national security and foreign policy interests" (taken
| from Clinton's executive order)).
|
| Sandeep: If Price Waterhouse is a US company, have your US office
| contact Checkpoint to see if they (your US office) can buy a pair
| of the things (with strong encryption) and ship one to Calcutta.
| Please write back to the group and let us know.
|
| I'm actually just trying to be an
| engineer and don't know beans about export control restrictions.

Well if you were to follow the above advice you would be guilty of exporting restricted arms from the US.
My guess is you really don't want that since the US government can be very nasty about that law. The law states (in a very simplified form) that strong crypto is equivalent to atom bombs (okay it doesn't quite say that :-) but basically that is it). And if you sell one to someone that is not in US or Canada you can go to jail for a long time. And moreover, if you give one to someone that is not in US or Canada you can go to jail for a long time. Even if the someone is yourself in a foreign office.

You can go to the Department of Commerce (I think) and get special dispensation to ship strong crypto for your foreign offices but you should do that *before* shipping the products.

I know this because our product includes strong cryptography and we are forever haggling with the US government over what we can and cannot sell outside of US/Canada. If only someone could make them understand that these algorithms are public knowledge...sigh.

Gene Amdur
Secure Computing Canada
Development Team Leader

From owner-firewalls-outgoing Mon May 5 16:03:14 1997
From: Bob Beck
Date: Mon, 5 May 1997 16:33:10 -0600 (MDT)
To: wombat@mcfeely.bsfs.org (Rabid Wombat)
Cc: alano@teleport.com, glavach@ctc.com, firewalls@GreatCircle.COM
Subject: Re: Need to restrict http://www.nude.com and such

Someone appearing to be the Rabid Marsupial said:
>
> Applying professional standards to personal use should be sufficient.
>
> Simply set up logging capability, and make sure that users are formally
> told that such capability exists. Formally define where the "right to
> privacy" ends. I would suggest that your policy be to log all site access
> and mail traffic, but that policy also dictate that no review of logs be
> performed without some "outside" probable cause, documented in an
> official memo.
> [.... ]
> Once again, I am not a lawyer, this is free advice, and you generally get
> what you pay for. :)
>
> -r.w.

I've been around when pretty much this was actually done at a site. The IS guys told management what the problems would be and at that point it was simple. Once the word got out that IS could track the access to sites if asked (logs on web proxy and p.f.), it simply wasn't an issue. Could users circumvent it? Sure, if they were clued, but for more effort than it took to bring a magazine or a book to work, or in the case of porn, any hardcore CD-ROM you can rent at a video store.

In the end management's take on it (once educated by IS) was that it was no different from any other potential workplace distraction, and if anything less than some (like Games on a PC). Was what was done challengeable as a violation of privacy in the U.S.? Haven't a clue, I'm in Canada, where the Gestapo is good for you as long as it's pink and fuzzy and only picks on the bad people :-)

Was the solution effective with a minimum of user squawking, embarrassment, and pain?
Yes, and IMNSHO keeps the technical issues with the techies and the people management issues with the cat herders.

-Bob

--
Bob Beck
Obtuse Systems Corporation
beck@obtuse.com
http://www.obtuse.com/
True Evil hides its real intentions in its street address. Search and you shall find it, and the truth shall set you free.

From owner-firewalls-outgoing Mon May 5 16:07:48 1997
From: Jeff Newton
Date: Mon, 05 May 1997 14:06:45 -0700
To: Firewalls@GreatCircle.COM
Subject: Firewall Ruleset

I'm about to implement IPFW on BSD for testing purposes and would like to know if anyone has a generic or basic rule set to begin from. I know my network specifics will require rule changes but I would appreciate any help getting started.

Cheers,

--
Jeff Newton
Network Administrator
Tantalus Communications
Datapark Advanced Communications
(604) 664-7454
-----------------
"It's the world, not a call I can screen out" - Headstones

From owner-firewalls-outgoing Mon May 5 16:10:08 1997
From: Greg Dobrich
Date: Mon, 5 May 1997 16:54:33 -0400 (EDT)
To: firewalls@GreatCircle.COM
Cc: dobrich@newscorp.com
Subject: FW-1 and OSPF

Hi,

In reading Checkpoint FW1's list of supported applications I came across OSPF. I would assume that it will pass ospf protocol traffic between ospf speakers on either side rather than actually participate in ospf routing. It left me with a bunch of questions on how this could work given how ospf finds neighbors, establishes adjacencies, computes routes/next hop etc. It seems like the firewall would have to do something fairly involved to pull this off successfully. Has anyone tried this or seen documentation?
Thanks,
Greg
-------------------------------------------------------------------------
Greg Dobrich
Senior Network Engineer
News Internet Services
508 551 1007
Lowell, MA

From owner-firewalls-outgoing Mon May 5 16:54:53 1997
From: "Marc D. Jackson"
Date: Mon, 5 May 1997 14:23:19 -0700 (PDT)
To: firewalls@greatcircle.com
Subject: re: vlsm

I've received several private emails and I'm thankful for the information that I've received. I think that I have been misunderstood. I don't believe that I said: Rip knows about subnet masks. I said that I see subnets in the RIP update coming from a machine with 3 different subnets on it.

In going back and looking at RFC 1058 section 3 as well as talking with 2 network engineers I am convinced that RIP *does* know about subnets. It was explained to me that it *has* to because it is an internal routing protocol. I am *not* saying that route aggregation doesn't occur. But is it correct to say that if route aggregation does occur that subnets can't?

To put my statements in a nutshell: On a multihomed host, with the IP configuration of

le0: 192.168.100.35 netmask 255.255.255.224
le1: 192.168.100.66 netmask 255.255.255.224
le2: 192.168.100.97 netmask 255.255.255.224

any packet originating from this machine on port 520 with the destination of the broadcast address and dstport of 520 *WILL* contain information about the other "subnets". All the networking books that I've looked at call this a RIP update. Therefore, 1 of 2 things must be true.

a) RIP does know about subnets, but only for special occasions.
b) RIP doesn't know about subnets. In which case something is masquerading as a RIP update.

Which is it?

mj

ps. For any who care I can produce these packets at will.

From owner-firewalls-outgoing Mon May 5 17:54:42 1997
From: John McBrearty
Date: Mon, 05 May 1997 16:07:26 -0700
To: firewalls@greatcircle.com
Subject: Re: CheckPoint vs Others

I had written on 5/2/97:
>If you are considering Firewall-1 you should be aware that Checkpoint has
>apparently recently instituted a "hard" policy of off-loading all support to
>VARs....

OK, in fairness to Checkpoint, I did get a response from my VAR on Friday evening, which contained a detailed approach to the technical issues I had raised by email a couple of days earlier. So the system worked in the end, although it took a while.

I also received private email on this issue from Adam Shostack, who asked why I didn't just name the VAR so others could avoid him. As I told Adam, I wanted to give the VAR the benefit of the doubt, in case there were some mitigating circumstance which I didn't know about. But also, as I told Adam, my main concern was with Checkpoint and its hard-line support policy. I realize that Checkpoint needs to support its VARs. But, on the other hand, there is no way that Checkpoint can proactively assure that all its VARs will provide exemplary support all the time. Many other companies (HP, Compaq, Digital, Cisco, etc.) seek to work through VARs but also provide at least some modicum of tech support including answering questions from bona fide customers and providing extensive Web-based documentation and FAQs. I think that Checkpoint's approach to support may hurt itself and its VARs in the long run.

John McBrearty
Pleasant Hill, CA 94523
510-974-9171
jmcbrearty@usa.net

From owner-firewalls-outgoing Mon May 5 18:00:55 1997
From: Ming Lu
Date: Mon, 5 May 1997 15:59:15 -0400 (EDT)
To: "Marc D. Jackson"
Cc: Jerald Josephs, firewalls@GreatCircle.COM, fw-1-mailinglist@us.checkpoint.com, drexx@pspi.com.ph
Subject: Re: [FW1] [FW-1] [Solaris 2.6] DHCP, VLSM thoughts

On Fri, 2 May 1997, Marc D. Jackson wrote:
> Jerald Josephs writes:
> >
> > > Anyway, when Solaris 2.6 comes out soon, I believe it will include DHCP
> > > and Variable-Length Subnet Masking (VLSM) support.
>
> Having just purchased this from Sun and having just spoken with their
> rep. I think you may be in error re: VLSM.
>
> > > 2] How will VLSM make firewalling administration any easier/better ?
> >
> > No, but it will make it easier to subnet your intranet without
> > losing precious IP addresses to a subnet without enough
> > hosts to use all of the addresses.
>
> ? I don't understand this last sentence. My exposure to VLSM indicates
> that it has nothing to do with subnetting your intranet. I ran into
> this problem when trying to route with rip. Specifically, Sun's

Jerald was right! Rip does not recognize VLSM.

> implementation of the routing socket interface is not the industry
> standard. In other words, when you use a Sun machine as a multi-homed
> host with subnetted networks the rip updates are incorrect. The routers
> that we used had no problems at all in dealing with the subnetted
> networks, therefore while we were able to subnet our intranet we had
> problems with using Sun's as any type of router.
> > mj > mlu From owner-firewalls-outgoing Mon May 5 18:01:06 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id QAA21639 for firewalls-outgoing; Mon, 5 May 1997 16:45:25 -0700 (PDT) Received: from braila.iiruc.ro (braila.iiruc.ro [193.226.145.209]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id QAA21314 for ; Mon, 5 May 1997 16:44:03 -0700 (PDT) Received: from ppp01-braila.iiruc.ro by braila.iiruc.ro id aa00997; 6 May 97 2:40 EETDST Message-ID: <336EFACE.567A@geocities.com> Date: Tue, 06 May 1997 02:33:02 -0700 From: Gabriel Dura Reply-To: dura@geocities.com X-Mailer: Mozilla 3.01Gold (Win16; I) MIME-Version: 1.0 To: Ziv Dascalu CC: firewalls@greatcircle.com Subject: Re: Need to restrict http://www.nude.com and such References: <336D7E4B.6390@geocities.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi! Well I think this is the kind of answer we are looking for here!!! Yes you are right about the existance of other sites without any HTML meta included in the web page... here is another one I just found: When I said about the laws regulating such sites I didn't mean including that HTML meta... But they all have to have a warning about explicit sexual activity, violence,etc... This is another thing they have in common... Not only words like drugs, sex, etc. So I think that most of these sites can be blocked... I also agree with what Rabit Wombat said that it is ethical to tell the employees you are monitoring their activity... I think this should be done in any company... Also time sheets are usefull anytime not only for this kind of monitoring... And one more thing... If someone is using company's phone line to call an ISP long distance, for instance, is this ethical? I think privacy is good as long it does not have any efect on company's bills... 
No problem if they bring anything on disks as long as this does not means wasting company's money... Regards, Gabriel Ziv Dascalu wrote: > > --- On Sun, 04 May 1997 23:29:31 -0700 Gabriel Dura wrote: > > Sorry but all porn sites I personally checked have that meta included in > > their header. Please note that every civilised country in the world have > > regulations about children's access to pornography, violence, etc. I'm > > sure there is an Internet standard on this subject... And all sites that > > are placed in such countries must obey the laws... > > > > Other such sites have other meta like this one for instance: > > > pronography that don't have any kind of warning in their HTML source and > > I'll believe you... If you say that most of these web sites don't have > > it I'm sure you can give me a lot of examples... > > > > And yes if your boss wants to restrict access to all personell to porn > > sites and prevent all people from abusing the net then it is necesary to > > do it. You don't need a list of the porn sites to do this... This is > > just a waste of money... > > > > here are some: > > > > > > > > > > > > > > > the point is that I do not know of any written law that says that they should use > these types of META tags. > there are sites that can be blocked this way and I have found that one of the ways > list providers update their list is by doing a search like this but there are many > sites that do not match this META tag. > > Monitoring is needed, but monitoring can give you TOO mach information. this is exactly why > you need to define what exactly you want to monitor. > you can say that you want to log all WWW access but it is better to log only > the text ones and not the binaries (like gif etc.) > it is also important to log / monitor / block by specific keywords that exist in the text > like drugs, sex etc. 
(if you want to do so) > > /Ziv Dascalu > From owner-firewalls-outgoing Mon May 5 18:24:32 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA26099 for firewalls-outgoing; Mon, 5 May 1997 17:09:14 -0700 (PDT) Received: from sf-ptg-ss.pactel.com (sf-ptg-ss.pactel.com [198.95.241.35]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id QAA22254 for ; Mon, 5 May 1997 16:48:26 -0700 (PDT) Received: (from smap@localhost) by sf-ptg-ss.pactel.com (8.6.10/8.6.10) id QAA18998; Mon, 5 May 1997 16:49:58 -0700 Received: from mmosko.pactel.com(198.95.241.155) by sf-ptg-ss via smap (V1.3) id sma018994; Mon May 5 16:49:50 1997 Message-ID: <336E7325.B14CADEA@tear.com> Date: Mon, 05 May 1997 16:54:13 -0700 From: Marc Mosko Organization: Forte Systems X-Mailer: Mozilla 4.0b3 [en] (Win95; I) MIME-Version: 1.0 To: "Marc D. Jackson" CC: Eric.Deschamps@France.Sun.COM, Jerald.Josephs@Ebay.Sun.COM, firewalls@GreatCircle.COM, fw-1-mailinglist@us.checkpoint.com, drexx@pspi.com.ph Subject: Re: [FW1] [FW-1] [Solaris 2.6] DHCP, VLSM thoughts X-Priority: 3 (Normal) References: <199705051842.LAA09206@Xenon.Stanford.EDU> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Marc D. Jackson wrote: > > Eric Deschamps writes: > > > > > > > > > > 2] How will VLSM make firewalling administration any easier/better ? > > > > > > > > > > > > > No, but it will make it easier to subnet your intranet without > > > > loosing precious IP addresses to a subnet without enough > > > > hosts to use all of the addresses. > > > > > > ? I don't understand this last sentence. My exposure to VLSM indicates > > > that it has nothing to do with subnetting your intranet. I ran into > > > this problem when trying to route with rip. Specifically, Sun's > > > implementation of the routing socket interface is not the industry > > > standard. 
In other words, when you use a Sun machine as a multi-homed > > > host with subnetted networks the rip updates are incorrect. The routers > > > that we used had no problems at all in dealing with the subnetted > > > networks, therefore while we were able to subnet our intranet we had > > > problems with using Sun's as any type of router. > > > > > > mj > > > > Marc, > > > > It seems that VLSM stands for "variable-length subnet mask", so it looks like > > it has to do with subnetting your intranet. RIP has no knowledge of subnet > > Perhaps this is a problem with terminology. On one machine if I have > > 192.168.100.33. 192.168.100.66, 192.168.100.97 all with the subnet mask > 255.255.255.224 the rip updates from the machine contain information > about the various subnets. This would indicate to me that "RIP" *does* > understand subnetting. Are you saying that the packets on port 520 are > *not* RIP updates? > > mj *Hosts* running RIP understand static subnet masks (/etc/netmasks), but not variable masks. EIGRP (cisco) and OSPF are the best candidates for an internal gateway protocol that support VLSM. I work with a client who has 5 class Cs subnetted with anything from 224 to 252 subnet masks, intermixed in the same class Cs. About the only downside is a bigger routing table if you have the subnets spread out accross your internetwork since you cannot do summary routes (at least easily...). These subnets have very high utilization, usually over 80%. In respect to a firewall, you can run gated instead of routed. HP/UX and IRIX both ship w/ gated (as do others). Sun still only ships routed. Gated will do OSPF. Firewall-1, for instance, can be configured to allow OSPF through to the kernel. -- Marc Mosko Email: marc@tear.com Web: http://www.tear.com/ "If anyone runs against or falls on a person's weapons so that as as result he dies, and it is evident that it is the fault of himself alone, then the responsibility shall lie there." 
-- Leges Henrici Primi (13th century) PGP Key available via Public Servers and http://www.tear.com/pgp-key.html From owner-firewalls-outgoing Mon May 5 19:24:30 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id TAA21812 for firewalls-outgoing; Mon, 5 May 1997 19:15:33 -0700 (PDT) Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id TAA21518 for ; Mon, 5 May 1997 19:14:19 -0700 (PDT) Received: from mail.ka.inka.de (quechua.inka.de [193.197.84.5]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with ESMTP id SAA08001 for ; Mon, 5 May 1997 18:49:09 -0700 (PDT) Received: from uu.inka.de ([193.197.84.8]) by mail.ka.inka.de with smtp (ident root using rfc1413) id m0wOZLX-0004KqC (Debian Smail-3.2 1996-Jul-4 #2); Tue, 6 May 1997 03:47:15 +0200 (MET DST) Received: from lina.inka.de (lists@lina.inka.de) by uu.inka.de with bsmtp (S3.1.29.1) id ; Tue, 6 May 97 03:47 MET DST Received: by lina.inka.de id m0wOYQm-00016tC (Debian Smail-3.2 1996-Jul-4 #2); Tue, 6 May 1997 02:48:16 +0200 (CEST) Message-Id: Date: Tue, 6 May 1997 02:48:16 +0200 From: Bernd Eckenfels To: "Marc D. Jackson" Cc: firewalls@greatcircle.com Subject: Re: vlsm References: <199705052123.OAA26021@Xenon.Stanford.EDU> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.67 In-Reply-To: <199705052123.OAA26021@Xenon.Stanford.EDU>; from Marc D. Jackson on Mon, May 05, 1997 at 02:23:19PM -0700 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, > a) RIP does know about subnets, but only for special occasions. The Problem with RIP is, if you Mix Subnet Masks like this: 10.0.1.0/24 local eth0 10.0.2.0/24 gw 10.0.1.1 10.1.0.0/16 gw 10.0.1.1 193.197.84.0/24 local eth1 default/0 gw 193.197.84.254 ... Greetings Bernd -- (OO) -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de -- ( .. 
) ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/ o--o *plush* 2048/93600EFD eckes@irc +4972573817 BE5-RIPE (O____O) If privacy is outlawed only Outlaws have privacy From owner-firewalls-outgoing Mon May 5 19:40:45 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id QAA21670 for firewalls-outgoing; Mon, 5 May 1997 16:45:31 -0700 (PDT) Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id QAA21392 for ; Mon, 5 May 1997 16:44:21 -0700 (PDT) Received: from pluto (pluto.citadel.com.au [203.14.230.9]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with ESMTP id QAA05241 for ; Mon, 5 May 1997 16:44:26 -0700 (PDT) Received: from aaron.citadel.com.au (ppp-syd-224.ca.com.au [203.23.80.224]) by pluto (8.7.6/8.7.3) with SMTP id JAA05130 for ; Tue, 6 May 1997 09:40:59 +1000 Message-Id: <3.0.1.32.19970506093837.007cc290@pluto.citadel.com.au> X-Sender: aaron@pluto.citadel.com.au X-Mailer: Windows Eudora Light Version 3.0.1 (32) Date: Tue, 06 May 1997 09:38:37 +1000 To: Firewalls@GreatCircle.COM From: Aaron Everingham Subject: Load Sharing Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Maybe someone can help.... I have 20+ ISDN lines coming into 6 or so routers. I want to connect them to a Cisco Catalyst switch with two Network interfaces on the inside. Each NI will connect to a Cisco Router which in turn connect to Gauntlet Internet Firewalls (BSDI). The DMZ NI of each firewall then connects to a hub which connects devices (Solaris servers) in the DMZ. The Gauntlets also then connect t o another Cisco and then onto the LAN. Here are my questions... 1. Does anyone know how I could do load sharing between the two paths of the firewall? 2. If not, is there a way to make one of the paths redundant? 
I have thought of using RIP or something similar but wouldlike to know if anyone has a better idea? Citadel Security Management Systems Aaron Everingham - Northern Regions Manager aaron@citadel.com.au Ph: +61 02 9211 8700 Fax: +61 02 9211 8701 Suite 1, 330 Wattle Street Ultimo NSW 2007 Australia 'It's all about being digital' - Negroponte From owner-firewalls-outgoing Mon May 5 19:40:55 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id QAA21002 for firewalls-outgoing; Mon, 5 May 1997 16:41:48 -0700 (PDT) Received: from braila.iiruc.ro (braila.iiruc.ro [193.226.145.209]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id QAA20981 for ; Mon, 5 May 1997 16:41:36 -0700 (PDT) Received: from ppp01-braila.iiruc.ro by braila.iiruc.ro id aa00992; 6 May 97 2:40 EETDST Message-ID: <336EF58F.1842@geocities.com> Date: Tue, 06 May 1997 02:10:39 -0700 From: Gabriel Dura Reply-To: dura@geocities.com X-Mailer: Mozilla 3.01Gold (Win16; I) MIME-Version: 1.0 To: "Eric V. Smith" CC: firewalls@greatcircle.com Subject: Re: Need to restrict http://www.nude.com and such References: <01BC58B0.DF0052C0@carew.windsor.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Eric, I personally tested the Content Advisor from MS Internet Explorer 3.0 for Windows 95 with a lot of sites not suitable for children... Mostly of them were porn sites... And I can swear that nothing happens when you access it... The content advisor seems to be just a nice thing with some buttons, a few windows, a supervisor password you can assign and that's all... I never seen it working... Maybe other people did but I didn't... It is not the first time when Microsoft does this... I also saw a printer driver included in Windows 95 instalation CD-ROM... I not sure but I think it was for a HP laser printer... 
The same thing: lots of wonderfull buttons, windows, adjustements for printer, etc. but no effect in real life... I think that's my story... If you have any further questions on this I'll try to answer you... Regards, Gabriel Eric V. Smith wrote: > > > Gabriel Dura said: > > < about restricting access to sites based on content > > > > The MS Internet Explorer have such an option about restricting the > > access to violence and pornography... Too bad they have so many security > > bugs... It could have been succesfully used in this case... The idea is > > good but the implementation is bad... > > In what way is the implementation bad? Do you have some facts or pointers you could share? > > Eric. From owner-firewalls-outgoing Mon May 5 19:41:04 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA28419 for firewalls-outgoing; Mon, 5 May 1997 17:20:29 -0700 (PDT) Received: from internet.kexin.co.kr (internet.kexin.co.kr [210.126.192.65]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id RAA28350 for ; Mon, 5 May 1997 17:20:12 -0700 (PDT) Received: from jjlee.cloud (kexin.kexin.co.kr [210.126.192.66]) by internet.kexin.co.kr (8.8.5/8.8.4) with ESMTP id JAA20031 for ; Tue, 6 May 1997 09:17:46 +0900 (KST) Message-ID: <336E79E4.68FBB4AB@internet.kexin.co.kr> Date: Tue, 06 May 1997 09:23:00 +0900 From: Jungjun Lee Reply-To: cloud@kexin.co.kr Organization: kexin X-Mailer: Mozilla 4.0b3 [en] (Win95; I) MIME-Version: 1.0 To: "firewalls@GreatCircle.COM" Subject: How can I configure to save duplicate smap messages? X-Priority: 3 (Normal) Content-Type: text/plain; charset=iso-2022-kr Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi.. How can I configure to save duplicate smap messages ? Is there anyone use this configuration ? I use TIS Gauntlet 3.2.. 
From owner-firewalls-outgoing Mon May 5 19:42:06 1997
Date: Tue, 6 May 1997 11:20:04 +1000
From: "Mr. Leon OBrien"
To: "'dura@geocities.com'", "Eric V. Smith"
Cc: "firewalls@greatcircle.com"
Subject: RE: Need to restrict http://www.nude.com and such

The Microsoft Content Advisor only works with sites that have a registered Content ID applied to the HTML. Sorry for the lack of facts and links to references but for the content advisor to work properly the HTMLer needs to submit their Webpage to a Content Advisory Committee and they determine what rating it is given. Currently I haven't found 1 site that supports it, but that doesn't mean that this is a feature of Microsoft's IE product that just doesn't work.... When HTML designers are made to provide a content rating on their pages then the feature probably will work, hopefully :-)

Leon

-----Original Message-----
From: Gabriel Dura [SMTP:dura@geocities.com]
Sent: Tuesday, 6 May 1997 19:11
To: Eric V. Smith
Cc: firewalls@greatcircle.com
Subject: Re: Need to restrict http://www.nude.com and such
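Before the next reply, an added example in Python (written for this archive, not code from any list member) that works through the VLSM subthread above: it builds a RIPv1 response in the RFC 1058 entry layout the way the multihomed host in Marc D. Jackson's message would send it to UDP port 520, parses it to show that the entries carry no mask, and then applies the receiver-side guess that Harry Mantakos's reply below describes, taking the classful mask lengths and the RFC 1058 host-route behaviour as known. The neighbour interface addresses and the extra host route are constructed for the demonstration; run against Bernd Eckenfels's mixed-mask table, it shows the 10.1.0.0/16 route being read as a /24, which is the RIPv1/VLSM failure the thread is circling around.

```python
"""RIPv1 (RFC 1058) responses carry no subnet mask, so a receiver has to guess
one. This constructed example builds such a response, parses it, and applies
the receiver-side guess to the two configurations discussed in the thread."""
import ipaddress
import struct

RIP_RESPONSE = 2    # RIP command: response (an update)
RIP_V1 = 1          # protocol version 1
AF_INET = 2         # address family identifier for IPv4
RIP_PORT = 520      # UDP port used as both source and destination port
ENTRY = "!HH4sIII"  # 20-byte RIPv1 entry: AFI, zero, address, zero, zero, metric


def classful_prefixlen(addr):
    """Mask length implied by the first octet alone (class A, B or C), which is
    all a RIPv1 receiver knows about a network it is not directly attached to."""
    first_octet = int(addr) >> 24
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    return 24


def build_ripv1_response(routes):
    """Encode (network, metric) pairs as the UDP payload a host sends to port 520.
    The entry layout has room where RIPv2 later put the mask, but in version 1
    those fields must be zero: the prefix length is simply not transmitted."""
    payload = struct.pack("!BBH", RIP_RESPONSE, RIP_V1, 0)
    for network, metric in routes:
        payload += struct.pack(ENTRY, AF_INET, 0,
                               network.network_address.packed, 0, 0, metric)
    return payload


def parse_ripv1_response(payload):
    """Decode a RIPv1 response into (address, metric) pairs; there is no mask."""
    command, version, _ = struct.unpack_from("!BBH", payload, 0)
    if command != RIP_RESPONSE or version != RIP_V1:
        raise ValueError("not a RIPv1 response")
    entries = []
    for offset in range(4, len(payload), struct.calcsize(ENTRY)):
        afi, _, raw, _, _, metric = struct.unpack_from(ENTRY, payload, offset)
        if afi == AF_INET:
            entries.append((ipaddress.IPv4Address(raw), metric))
    return entries


def infer_routes(entries, local_interfaces):
    """Apply the RFC 1058 receiver rule to mask-less entries.

    If the advertised address lies in the same classful network as one of the
    receiver's own interfaces, the receiver assumes that interface's mask for
    it (one mask per classful network, i.e. no VLSM). Otherwise only the
    classful mask is known. Any bits still set below the assumed mask make the
    entry a host route instead. Returns {prefix string: metric}."""
    inferred = {}
    for addr, metric in entries:
        classful_net = ipaddress.IPv4Network(
            (addr, classful_prefixlen(addr)), strict=False)
        prefixlen = classful_net.prefixlen
        for iface in local_interfaces:
            if iface.ip in classful_net:
                prefixlen = iface.network.prefixlen  # borrow the local mask
                break
        candidate = ipaddress.IPv4Network((addr, prefixlen), strict=False)
        if candidate.network_address == addr:
            inferred[str(candidate)] = metric
        else:
            inferred[str(ipaddress.IPv4Network((addr, 32)))] = metric
    return inferred


def demo_uniform_masks():
    """Marc D. Jackson's host (three /27 interfaces in 192.168.100.0/24) sends
    its other two subnets, plus one constructed host route, to a neighbour on
    the le0 subnet. One mask per class C, so everything is read correctly."""
    advertised = [(ipaddress.IPv4Network("192.168.100.64/27"), 1),  # le1's subnet
                  (ipaddress.IPv4Network("192.168.100.96/27"), 1),  # le2's subnet
                  (ipaddress.IPv4Network("192.168.100.66/32"), 1)]  # constructed host route
    receiver = [ipaddress.IPv4Interface("192.168.100.40/27")]       # constructed neighbour
    packet = build_ripv1_response(advertised)
    return infer_routes(parse_ripv1_response(packet), receiver)


def demo_mixed_masks():
    """Bernd Eckenfels's table: a /24 and a /16 inside 10.0.0.0/8 reach a
    receiver whose only 10.x interface is a /24, so the /16 is mis-sized."""
    advertised = [(ipaddress.IPv4Network("10.0.2.0/24"), 1),
                  (ipaddress.IPv4Network("10.1.0.0/16"), 1)]
    receiver = [ipaddress.IPv4Interface("10.0.1.5/24")]             # constructed neighbour
    packet = build_ripv1_response(advertised)
    return infer_routes(parse_ripv1_response(packet), receiver)


if __name__ == "__main__":
    print("uniform /27 masks (correct):", demo_uniform_masks())
    print("mixed masks (10.1.0.0/16 shrinks to /24):", demo_mixed_masks())
```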
From owner-firewalls-outgoing Mon May 5 20:54:37 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id UAA01621 for firewalls-outgoing; Mon, 5 May 1997 20:52:54 -0700 (PDT) Received: from meretrix.com (dirty.meretrix.com [207.42.198.17]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id UAA01556 for ; Mon, 5 May 1997 20:52:40 -0700 (PDT) Received: from kiri.meretrix.com (kiri.meretrix.com [207.42.198.18]) by meretrix.com (8.8.5/8.7.3) with ESMTP id XAA02651; Mon, 5 May 1997 23:27:04 -0400 (EDT) Received: from kiri.meretrix.com (localhost.meretrix.com [127.0.0.1]) by kiri.meretrix.com (8.8.5/8.8.4) with ESMTP id XAA00479; Mon, 5 May 1997 23:27:02 -0400 (EDT) Message-Id: <199705060327.XAA00479@kiri.meretrix.com> To: "Marc D. Jackson" cc: firewalls@GreatCircle.COM Subject: Re: vlsm In-reply-to: Your message of "Mon, 05 May 1997 14:23:19 PDT." <199705052123.OAA26021@Xenon.Stanford.EDU> Date: Mon, 05 May 1997 23:27:02 -0400 From: Harry Mantakos Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >... Therefore, 1 of 2 things must be true. > >a) RIP does know about subnets, but only for special occasions. >b) RIP doesn't know about subnets. In which case something is >masquerading as a RIP update. > >Which is it? A router running RIPv1 can certainly advertise subnets. The problem is that RIPv1 packets contain only a 32 bit network address without subnet mask information. When a RIPv1 packet contains a network address that looks like a subnet (it has bits set in the "host" portion of the classful address), about the only thing the recipient can do to determine the subnet mask is to see if it has an interface on that same network (where network means classful A, B, or C network) and assume that any addresses it sees in that network share the network mask that it has for its own interface on that network (i.e. it assumes that the network uses the same subnet mask for all subnets, that it is not using VLSM). 
RIPv2 passes around masks with every network address, so VLSM isn't a problem. -harry ----------------------------------------------------------------------------- Human: Harry Mantakos USPS: 547 E. Gittings St. Baltimore, MD 21230 Email: harry@meretrix.com Evil Twins: harry@torrentnet.com, harry@cs.umd.edu From owner-firewalls-outgoing Mon May 5 21:09:42 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id UAA00921 for firewalls-outgoing; Mon, 5 May 1997 20:48:36 -0700 (PDT) Received: from diablo.cisco.com (diablo.cisco.com [171.68.223.106]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id UAA00914 for ; Mon, 5 May 1997 20:48:30 -0700 (PDT) Received: from clonvick-pc.cisco.com (sj-dial-3-36.cisco.com [171.68.179.37]) by diablo.cisco.com (8.8.5/CISCO.SERVER.1.2) with SMTP id UAA16059; Mon, 5 May 1997 20:10:46 -0700 (PDT) Message-Id: <2.2.32.19970506030718.006e4880@diablo.cisco.com> X-Sender: clonvick@diablo.cisco.com X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Mon, 05 May 1997 22:07:18 -0500 To: "Gene Amdur" From: Chris Lonvick Subject: Re: Firewalls-Digest V6 #187 Cc: Sandeep_Talwar@INDIA.notes.pwa.co.in, Firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello Gene, I've had some private converstations and was pointed to some online references that say that _any_ shipment of strong encryption must comply with the DoC regulations. (That was some interesting reading.) My original misconceptions are now corrected. Thanks. I still think, however, that Sandeep should contact Checkpoint to see if they can help his company get the export license (or whatever they may need) to export a firewall to their Calcutta office. Of course, as you say, "before they buy". Your analogy to an atom bomb brings up an interesting point. 
Do you suppose that the various governments which also prohibit the export of nuclear material (like crypto) have export permits for each bomb? I suppose that they would technically fall under the terms of "export" if they were to shoot one off. Hmmm.. could this be a new way of preventing wars? I do know that the US Government does understand that these algorithms are publically available. I found that in the online version of the EAR at http://bxa.fedworld.gov/ in Part 732.2. Many thanks to the people I had private converstations with who pointed me towards pages like these. I now have a much better understanding of what the EAR defines as an "export". Thanks, Chris Lonvick Cisco Systems Consulting Engineering Houston, TX, USA +1.713.778.5663 At 04:26 PM 5/5/97 -0400, Gene Amdur wrote: > | My own understanding (may be more/less/equally wrong) is that a US > | company can purchse any dang thing they want. They can also ship > | it around the world as long as they maintain control of it. This > | shouldn't fall into the DoC regulations since they're not _exporting_ > | it for resale (and it won't fall into the hands of people who may > | want to "harm national security and foreign policy interests" (taken > | from Clintons' executive order)). > | > | Sandeep: If Price Waterhouse is a US company, have your US office > | contact Checkpoint to see if they (your US office) can buy a pair > | of the things (with strong encryption) and ship one to Calcutta. > | Please write back to the group and let us know. > | > | I'm actually just trying to be an > | engineer and don't know beans about export control restrictions. > >Well if you were to follow the above advice you would be guilty of exporting >restricted arms from the US. My guess is you really don't want that since >the US government can be very nasty about that law. 
> >The law states (in a very simplified form) that stong crypto is equivalent to >atom bombs (okay it doesn't quite say that :-) but basically that is it). And >if you sell one to someone that is not in US or Canada you can go to jail for >a long time. And more over, if you give one to someone that is not in US or >Canada you can go to jail for a long time. Even if the someone is yourself in >a foreign office. > >You can go to the Department of Commerce (I think) and get special >dispensation to ship strong crypto for your foreign offices but you should do >that *before* shipping the products. > >I know this because our product includes strong cryptography and we are >forever haggling with the US government over what we can and cannot sell >outside of US/Canada. > >If only someone could make them understand that these algorithms are public >knowledge...sigh. > >Gene Amdur >Secure Computing Canada >Development Team Leader > > From owner-firewalls-outgoing Mon May 5 21:48:16 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id VAA05563 for firewalls-outgoing; Mon, 5 May 1997 21:26:16 -0700 (PDT) Received: from kim.teleport.com (kim.teleport.com [192.108.254.26]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id VAA05529 for ; Mon, 5 May 1997 21:25:53 -0700 (PDT) Received: from kluge (ip-pdx36-45.teleport.com [206.163.127.172]) by kim.teleport.com (8.8.5/8.7.3) with SMTP id VAA01252; Mon, 5 May 1997 21:27:44 -0700 (PDT) Message-Id: <3.0.1.32.19970505201404.00a77140@mail.teleport.com> X-Sender: alano@mail.teleport.com X-Mailer: Windows Eudora Pro Version 3.0.1 (32) Date: Mon, 05 May 1997 20:14:04 -0700 To: Rabid Wombat From: Alan Olsen Subject: Re: Need to restrict http://www.nude.com and such Cc: Alan , Dominick Glavach , firewalls@GreatCircle.COM In-Reply-To: References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk -----BEGIN PGP SIGNED 
MESSAGE----- At 12:23 PM 5/5/97 -0400, Rabid Wombat wrote: > > >On Fri, 2 May 1997, Alan wrote: > >> On Fri, 2 May 1997, Dominick Glavach wrote: >> >> > I know this is slightly off topic but I have need some advise or some products >> > that will restrict http access to sites such as www.porn.com. Aside from >> > building an exhaustive list on my proxy what else can I do. Thanks for the >> > help. >> >> Try finding the wire leading from your firewall out to the Internet. Take >> a large pair of wire cutters and cut that wire. (Be careful not to >> confuse the power cord with this wire.) >> >> Filters are semi-useful at best. Since any of these filters can be >> bypassed by web proxies, you will only filter out the more clueless of >> your userbase. (Middle managers and sales people and the like.) You are >> better off either cutting off access to the net to all (or most) of your >> users or deal with problems as they occur. >> >> >> I have seen actions like this taken before. Someone in management gets a >> hair up their ass about "people for surfing for porn at work", and instead >> of doing something that would require real hands on involvement, make a >> request that puts the burden on another department. This sort of >> management has all sorts of ramifications that are never taken into >> account. It shows that management does not trust them. It makes the >> lives of those who do need to use the net more difficult. (Especially >> since many of these filters are overbroad and restrict legit sites.) It >> also breeds contempt for both management and IS. All in all, not the best >> situation. >> >> >> If you are really wanting to deal with the "problem", I suggest using a >> log on your web proxy and then deal with people who abuse the situation. >> Filtering will cause more hastles than they will solve. 
>> >> > >I agree with Alan; I also think that when you start censoring traffic, >you are, essentially, becoming a content providor, and *might* find a >different set of rules applied to your organization for outbound content >originating at your site. This is a Bad Thing(tm). I am not a lawyer, but I >suggest you check with one in regard to this. I do not do any filtering on the firewall I manage. I suggested it as _A_ solution, not as something I would use myself. Personally I find the idea that employers need to monitor their employees every waking moment repugnant. >I recommend that your organization formally notify its users that >professional standards apply to the use of corporate computer equipment >and network connections, just as they do to the use of corporate >telephones, fax machines, and other resources. Detailing this in a memo, >as well as in the next revision of the employee handbook is a good way to >handle this. > >Most companies allow limited personal use of company resources without >explicit limits; the computer equipment/network need not be different. If >your company lets you call and make an appointment with your doctor, >check up on child care, etc. from work, you probably fall into this >category. Most people can see the difference between this and calling >Uncle Bob in Katmandu for three hours a day on the company dime. > >Applying professional standards to personal use should be sufficient. > >Simply set up logging capability, and make sure that users are formally >told that such capability exists. Formally define where the "right to >privacy" ends. I would suggest that your policy be to log all site access >and mail traffic, but that policy also dictate that no review of logs be >performed without some "outside" probable cause, documented in an >official memo. I have an easier solution for most of them. I just don't tell them the number of the internal DNS server. 
If they want access bad enough to get that info (and/or learn how to use it), then they can do whatever. (But there are few users there who even know how to spell DNS, let alone what it is used for...) >For example; your postmaster receives email requesting information >regarding harassing email that appears to be originating from an address >at your site. The MIS director issues a memo to a member of the IS staff >to review the mail logs specifically to determine if such activity is >taking place. Or: A worker complains that the person in the next cubicle >frequently views offensive material on their PC; that person's supervisor >sends a memo to MIS asking that the logs be reviewed to determine if such >actions are taking place. > >This protects your organization from violating an employees "reasonable >expectation of privacy", as long as the guidelines for use of equipment, >logging capability, and review of such logs have been spelled out. There are no such expectations because I have told them that it is not private. (I have told them if they need that level of privacy, I will be glad to show them how to use PGP.) >I've also found that formally publishing such a policy is usually a >significant deterent, as most of your "violaters" will stop if they know >that their use patterns are being logged somewhere. I am lucky in that I do not have those problems. I few people know enough of what they can do to become a problem. Those who do have the knowledge know what I could do to stop any difficulty from becoming a "problem". >Be alert for people who try to "burn" a co-worker by accessing "banned" >sites from that user's station, and then geting someone to log a >complaint; I've seen incidents like this as well. Best to set up policy >that protects the company's interests, deters most casual abuse, etc., >without turning MIS into the Info-Gestapo. Since there are no "banned" sites, there is not a problem with this. 
(Of course, the upper corporate offices may have a policy on this, but what they don't know won't hurt me...)

> Note, before starting a flame war / debate:
> I'm against censorship, in general, and think that people should be able to read/publish what they like. I don't think that their employer should be obligated to provide them the printing press, or pay them to indulge in their personal pursuits on company time. Home access is cheap. Read/write all you want from there.

That is (almost) exactly what I tell my users. Most of them have little time to goof off anyways. None of it is ever done on the net. (It is done by adhering to various management fads and other such time wasters.)

-----BEGIN PGP SIGNATURE-----
Version: 4.5

iQEVAwUBM26h7+QCP3v30CeZAQGY5Qf8C/WNUo3Ju88qvcUv76ffZ9genxNbS4s0
H2w71DWOsqsDxORq1f8rjBZeJhq4Q0TYZszTuYymxp5rGhwu3fvw2aGK7hFDytCQ
9t3ycFSF94PUJ9zqN2c86W5PwV2292IeeL7+rRFiPE4A2zrd9Z1p5fJf2CyFcbY7
RpqqQ5a7GKNxsqL50Mr2jEXXVRqVbJMVMvrRhFtbL3iXjsYYU/QPHdW/ssiVB/cE
+cVfJdFwHYoBl2Wbu1MhyZCj0hP9dgZir3V5yTY2/6S9HHhxHJUnWMPOXsOx0NLV
p2ALfLVQOvjPKczioMYWP/7MYb1rRC6Rew5RTrHL9uFAA5xSyEw/hw==
=rwQ0
-----END PGP SIGNATURE-----

---
| "Mi Tio es infermo, pero la carretera es verde!" |                     |
|"The moral PGP Diffie taught Zimmermann unites all| Disclaimer:         |
| mankind free in one-key-steganography-privacy!"  | Ignore the man      |
|`finger -l alano@teleport.com` for PGP 2.6.2 key  | behind the keyboard.|
| http://www.ctrl-alt-del.com/~alan/               |alan@ctrl-alt-del.com|

From owner-firewalls-outgoing Mon May 5 22:09:31 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id WAA08590 for firewalls-outgoing; Mon, 5 May 1997 22:07:42 -0700 (PDT)
Received: from mailrelay.tiac.net ([199.0.65.237]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id WAA08582 for ; Mon, 5 May 1997 22:07:37 -0700 (PDT)
Received: from wotan.icenetsys.com ([206.119.11.248]) by mailrelay.tiac.net (8.8.5/) with SMTP id BAA18351 for ; Tue, 6 May 1997 01:10:35 -0400 (EDT)
Message-Id: <2.2.32.19970506061313.0194092c@pop.tiac.net>
X-Sender: rhill@pop.tiac.net
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 06 May 1997 02:13:13 -0400
To: firewalls@GreatCircle.COM
From: "Richard A. Hill"
Subject: Re: Need to restrict http://www.nude.com and such
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Well, I'll add my two cents worth in brief.

Unless you are experiencing complaints of email harassment, or you have incidents of "offensive" material being displayed to persons who do not wish to see it, it is ALWAYS going to cost more in time and energy to play fascist than you will save.

I have a personal dislike for any kind of censorship that is not specifically aimed at curbing harassment. I feel that if your employees, co-workers, or whatever are being productive and doing their jobs at expected (or better) levels, then you are getting what you pay them for. Enough! Their privacy overrules any squeamish desire of yours to play Papa (or Mama..).

Over the last year, I watched a harassment accusation at a former employer's almost blow up into an expensive court case, but for some common sense from a judge:

"You say he has offensive materials on the walls of his office?"
"yes"
"Do you work in his office?"
"no"
"Can you see this material from outside the office?"
"no"
"Do you ever have to go into his office as part of your job, or has he ever asked you into his office?"
"no"
"Well then; I think I have the solution. Don't go into his office."
"But I don't think he should have those pictures on the walls."
"And I don't think this case belongs in court, but we can't get all we want, now can we."
{Above is very close to actual dialogue}

By all means, set up logging and tracking procedures to be used if a harassment or similar complaint is brought, as well as evidencing a policy of not tolerating sexual bullies, but stay out of other people's lives as much as possible. As has already been said, if you are editing content, you risk being held responsible for what you let through, as much as what you do not.

I know this goes against our growing "Big-Brother" syndrome of protecting people against themselves, but I'll always choose freedom over order.

Richard

From owner-firewalls-outgoing Mon May 5 23:09:39 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA17729 for firewalls-outgoing; Mon, 5 May 1997 23:06:41 -0700 (PDT)
Received: from repsolf.repsol.es (repsolf.repsol.es [194.196.84.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id XAA17701 for ; Mon, 5 May 1997 23:06:32 -0700 (PDT)
From: Microsoft_Exchange_Connector_for_Lotus_cc:Mail_at_SPAMADALVAHB3@GTWIBM2.repsol.es
Received: from [91.1.4.15] by repsolf.repsol.es (AIX 4.1/UCB 5.64/1.00) id AA31614; Tue, 6 May 1997 09:07:02 +0200
Received: from cc:Mail by GTWIBM2.repsol.es id AA862931400; Tue, 06 May 97 08:06:00 GMT
Date: Tue, 06 May 97 08:06:00 GMT
Message-Id: <9704068629.AA862931400@GTWIBM2.repsol.es>
To: Firewalls@GreatCircle.COM
Subject: Undeliverable: Firewalls-Digest V6 #201
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Your message was not delivered to all recipients.
Subject: Firewalls-Digest V6 #201
Sent: 5/6/97 12:10:00 PM
The following email address(es) were unknown:
BETRAN FERNANDEZ JOSE at PYDESTEC_50

From owner-firewalls-outgoing Mon May 5 23:25:10 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA18528 for firewalls-outgoing; Mon, 5 May 1997 23:10:59 -0700 (PDT)
Received: from repsolf.repsol.es (repsolf.repsol.es [194.196.84.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id XAA18426 for ; Mon, 5 May 1997 23:10:31 -0700 (PDT)
From: Microsoft_Exchange_Connector_for_Lotus_cc:Mail_at_SPAMADALVAHB3@GTWIBM2.repsol.es
Received: from [91.1.4.15] by repsolf.repsol.es (AIX 4.1/UCB 5.64/1.00) id AA78216; Tue, 6 May 1997 09:11:01 +0200
Received: from cc:Mail by GTWIBM2.repsol.es id AA862931640; Tue, 06 May 97 08:07:00 GMT
Date: Tue, 06 May 97 08:07:00 GMT
Message-Id: <9704068629.AA862931640@GTWIBM2.repsol.es>
To: Firewalls@GreatCircle.COM
Subject: Undeliverable: Firewalls-Digest V6 #202
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Your message was not delivered to all recipients.
Subject: Firewalls-Digest V6 #202
Sent: 5/6/97 7:56:00 AM
The following email address(es) were unknown:
BETRAN FERNANDEZ JOSE at PYDESTEC_50

From owner-firewalls-outgoing Mon May 5 23:39:41 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA19220 for firewalls-outgoing; Mon, 5 May 1997 23:14:36 -0700 (PDT)
Received: from office.lemon.net (office.lemon.net [194.159.1.30]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id XAA19208 for ; Mon, 5 May 1997 23:14:27 -0700 (PDT)
Received: from samsara (samsara.lemon.net [194.159.1.32]) by office.lemon.net (8.7.4/8.7.3) with ESMTP id HAA10504; Tue, 6 May 1997 07:16:35 +0100 (BST)
Message-ID: <336EDDD8.89F98802@lemon.net>
Date: Tue, 06 May 1997 07:29:29 +0000
From: "Gregory R. Block"
Organization: Lemon Internet, Unltd.
X-Mailer: Mozilla 4.0b4 [en] (WinNT; I)
MIME-Version: 1.0
To: MSITMI02.XZ46G8@eds.com
CC: Firewalls@GreatCircle.com
Subject: Re: Need to restrict http://www.nude.com
X-Priority: 3 (Normal)
References: <0095000011433556000002*@MHS>
Content-Type: text/plain; charset=iso-8859-1
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

MSITMI02.XZ46G8@eds.com wrote:

> Anyone ever realised what a great denial of service attack it is to get your competitor onto one of the automated lists of restricted URLs? It could hang around and get propagated for months, years.

Yes; there's a lot of discussion on the fight-censorship list regarding this and other related topics. Blacklisting, in the way that CyberSitter blacklists, is dangerous, plain and simple.

> This has happened. I downloaded a list a while back that denied access to the whole domain of demon.co.uk. For those who don't know, it is not a satanic objects mail-order or game company but a large UK ISP offering mail and web services to thousands of people.

Note: I was previously affiliated with Demon as their Security Administrator.

Yeah, all of d.c.u was blacklisted, because they felt that we didn't respond to pornography properly. Our policy was that we would remove clearly illegal content, through the Internet Watch Foundation, but that we, ourselves, did not make moral judgements about the content of our web and news servers because it wasn't our place to do so. Because the porn sites weren't immediately removed, we were blacklisted. I don't believe Demon would have done what they did any differently; I hope they continue to follow that path, even if it isn't the one of least resistance.
Cheers,
Greg

From owner-firewalls-outgoing Tue May 6 00:10:32 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA26157 for firewalls-outgoing; Mon, 5 May 1997 23:52:01 -0700 (PDT)
Received: from prometeo.cps.unizar.es (prometeo.cps.unizar.es [155.210.29.50]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id XAA26011 for ; Mon, 5 May 1997 23:51:25 -0700 (PDT)
Received: from moloc.cps.unizar.es (moloc.cps.unizar.es [155.210.29.140]) by prometeo.cps.unizar.es (8.7.5/8.7.3) with ESMTP id IAA01689 for ; Tue, 6 May 1997 08:53:27 +0200 (MET DST)
Received: from localhost (davidal@localhost) by moloc.cps.unizar.es (8.7.5/8.7.3) with SMTP id IAA08008 for ; Tue, 6 May 1997 08:53:26 +0200 (MET DST)
Date: Tue, 6 May 1997 08:53:26 +0200 (MET DST)
From: David Alayeto Salvador
To: firewalls@GreatCircle.COM
Subject: Config Files
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I would like to see some examples of some of the configuration files needed to set up a firewall properly. I am in doubt whether to believe a firewall is just a way to name a set of components which work together to provide security to a site. Please explain to me the real meaning of the term "firewall". Is it based on software or hardware?
Thanks in advance

*************************************************
* David Alayeto Salvador
* E-mail addresses:
*   davidal@prometeo.cps.unizar.es
*   davidal@oja.cps.unizar.es
* Quinto de Ingenieria Informatica - CPS
*************************************************

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.i

mQBtAjJ3V/gAAAEDAM8Bb3yhVsdnMbjNU0kkfRmaXZlfI5wn50Syhap1/ObBLcQ2
xLdAoGJTYhHjVD89vMRnYdduOSUaHQLifPMJCCJA3wS4ji9mfagrNOgK7jIkU7bO
Fjp5tbnP+LTqgMxcKQAFEbQ3RGF2aWQgQWxheWV0byBTYWx2YWRvciA8ZGF2aWRh
bEBwcm9tZXRlby5jcHMudW5pemFyLmVzPg==
=vuMi
-----END PGP PUBLIC KEY BLOCK-----

From owner-firewalls-outgoing Tue May 6 00:24:38 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA24622 for firewalls-outgoing; Mon, 5 May 1997 23:44:30 -0700 (PDT)
Received: from hp00086.ina.de (hp00086.ina.de [159.51.6.8]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id XAA24516 for ; Mon, 5 May 1997 23:44:05 -0700 (PDT)
Received: from hp00002.koi.ina.de (hp00002.ina.de) by hp00086.ina.de with ESMTP (1.37.109.18/INA-1.0-SER) id AA100821035; Tue, 6 May 1997 08:43:56 +0200
Received: from pc00874.ina.de by koi.ina.de with SMTP (1.37.109.24/INA-1.0) id AA284001485; Tue, 6 May 1997 08:51:25 +0200
Received: by pc00874.ina.de with Microsoft Mail id <01BC59F9.D98D34D0@pc00874.ina.de>; Tue, 6 May 1997 08:45:29 +0200
Message-Id: <01BC59F9.D98D34D0@pc00874.ina.de>
From: Basil McCrea
To: "'firewalls@greatcircle.com'"
Subject: Checkpoint's Firewall-1 3.0
Date: Tue, 6 May 1997 08:45:27 +0200
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

We just upgraded from FW-1 2.1 to 3.0 and we are having some problems with the included proxies, in particular "asmtpd" and "aftpd".
The asmtpd doesn't seem to want to talk to mail servers which want to speak ESMTP; the connection is dropped as soon as the remote (or local) server answers with "ESMTP spoken here".

After running for a while (a couple of hours to a couple of days) the ftp proxy starts causing problems. Connections are dropped during file transfers, the ftp GET command just returns "Current working directory is:" but doesn't get the file, and ftp's from a Web Browser sometimes return errors from the proxy about "Illegal response from server". The illegal response seems to be referring to the greeting from the ftp server. If the proxy is removed everything works fine except that we can't

Has anyone had similar experiences? We have passed this on to our VAR and have been waiting almost 3 weeks without any constructive suggestions.

Also, the release notes say that the included Virus-Scanner from Cheyenne cannot (doesn't) scan .zip files or email attachments; can anyone confirm this? What good is a virus scanner that doesn't scan such files?

TIA

Basil McCrea
INA Schaeffler KG
91074 Herzogenaurach
Germany

From owner-firewalls-outgoing Tue May 6 00:41:34 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA22828 for firewalls-outgoing; Mon, 5 May 1997 23:35:10 -0700 (PDT)
Received: from mail.securities.com (market.securities.com [207.239.52.4]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id XAA22709 for ; Mon, 5 May 1997 23:34:47 -0700 (PDT)
Received: by mail.securities.com (Smail3.2.0.91 #1) id m0wObiV-000QY3C; Tue, 6 May 1997 00:19:07 -0400 (EDT)
Date: Tue, 6 May 1997 00:19:07 -0400 (EDT)
From: Sameer Anja
To: Gabriel Dura
cc: "Eric V. Smith" , firewalls@greatcircle.com
Subject: Re: Need to restrict http://www.nude.com and such
In-Reply-To: <336EF58F.1842@geocities.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Organization: Internet Securities, Inc.
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Try Explorer 3.1; they would have fixed it in this version. Don't remember, but I think they have done it.

-sam

On Tue, 6 May 1997, Gabriel Dura wrote:

> Date: Tue, 06 May 1997 02:10:39 -0700
> From: Gabriel Dura
> To: "Eric V. Smith"
> Cc: firewalls@greatcircle.com
> Subject: Re: Need to restrict http://www.nude.com and such
>
> Eric,
>
> I personally tested the Content Advisor from MS Internet Explorer 3.0 for Windows 95 with a lot of sites not suitable for children... Most of them were porn sites... And I can swear that nothing happens when you access it... The content advisor seems to be just a nice thing with some buttons, a few windows, a supervisor password you can assign and that's all... I have never seen it working... Maybe other people did but I didn't...
>
> It is not the first time when Microsoft does this... I also saw a printer driver included in the Windows 95 installation CD-ROM... I'm not sure but I think it was for a HP laser printer... The same thing: lots of wonderful buttons, windows, adjustments for printer, etc. but no effect in real life...
>
> I think that's my story... If you have any further questions on this I'll try to answer you...
>
> Regards,
> Gabriel
>
>
> Eric V. Smith wrote:
> >
> > Gabriel Dura said:
> >
> > < about restricting access to sites based on content >
> >
> > > The MS Internet Explorer has such an option about restricting the access to violence and pornography... Too bad they have so many security bugs... It could have been successfully used in this case... The idea is good but the implementation is bad...
> >
> > In what way is the implementation bad? Do you have some facts or pointers you could share?
> >
> > Eric.
> > >

From owner-firewalls-outgoing Tue May 6 02:09:34 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id CAA15232 for firewalls-outgoing; Tue, 6 May 1997 02:05:50 -0700 (PDT)
Received: from internic.uob.bh ([193.188.12.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id CAA15215 for ; Tue, 6 May 1997 02:05:35 -0700 (PDT)
Received: from hisham.uob.bh ([193.188.12.229]) by internic.uob.bh (Netscape Mail Server v2.0) with SMTP id AAA1336 for ; Tue, 6 May 1997 12:11:18 +0300
Message-ID: <336EF4AB.3122@admin.uob.bh>
Date: Tue, 06 May 1997 12:06:51 +0300
From: Hisham Al Saad
Reply-To: hisham@lords.com
Organization: UOB
X-Mailer: Mozilla 3.01Gold (Win95; I)
MIME-Version: 1.0
To: Firewalls@GreatCircle.COM
Subject: Proxy admin error
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

I have installed a Netscape Proxy server 2.5 on NT/4.0. It worked fine, but the only problem is that when administering it remotely via web client, it causes the admin service to stop and gives an application error of 'Dr. Watson' stuff, and the server will not accept any accesses either. Has anyone faced that problem, and how can it be solved? I would appreciate any information.
Thank you in advance,

=======================
Hisham Al Saad
University of Bahrain
=======================

From owner-firewalls-outgoing Tue May 6 03:54:35 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id DAA20766 for firewalls-outgoing; Tue, 6 May 1997 03:21:47 -0700 (PDT)
Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id DAA20700 for ; Tue, 6 May 1997 03:21:25 -0700 (PDT)
Received: from France.Sun.COM ([129.157.188.1]) by mercury.Sun.COM (SMI-8.6/mail.byaddr) with SMTP id DAA10647; Tue, 6 May 1997 03:34:42 -0700
Received: from sunaix.France.Sun.COM by France.Sun.COM (SMI-8.6/SMI-SVR4-sd.fkk200) id MAA16030; Tue, 6 May 1997 12:21:15 +0200
Received: from galaxia by sunaix.France.Sun.COM (SMI-8.6/SMI-SVR4) id MAA29866; Tue, 6 May 1997 12:21:09 +0200
Date: Tue, 6 May 1997 12:12:55 +0200 (MET DST)
From: Eric Deschamps
Reply-To: Eric Deschamps
Subject: Re: [FW1] [FW-1] [Solaris 2.6] DHCP, VLSM thoughts
To: Marc Mosko
Cc: "Marc D. Jackson" , Eric.Deschamps@France.Sun.COM, Jerald.Josephs@Ebay.Sun.COM, firewalls@GreatCircle.COM, fw-1-mailinglist@us.checkpoint.com, drexx@pspi.com.ph
In-Reply-To: "Your message with ID" <336E7325.B14CADEA@tear.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> In respect to a firewall, you can run gated instead of routed. HP/UX and IRIX both ship w/ gated (as do others). Sun still only ships routed. Gated will do OSPF. Firewall-1, for instance, can be configured to allow OSPF through to the kernel.
>
> --
> Marc Mosko   Email: marc@tear.com
>              Web:   http://www.tear.com/

I am not sure that a firewall should deal with routing at all (and with other stuff as well). I like the idea of building a perimeter defense with a firewall doing only filtering (with state engines) and having some proxies for specific applications.
Eric

--
Disclaimer: This is my own opinion and not necessarily that of my employer, Sun Microsystems.

From owner-firewalls-outgoing Tue May 6 04:09:31 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id DAA21204 for firewalls-outgoing; Tue, 6 May 1997 03:26:06 -0700 (PDT)
Received: from wizard.abirnet.co.il (wizard.abirnet.co.il [194.90.211.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id DAA21101 for ; Tue, 6 May 1997 03:24:59 -0700 (PDT)
Received: from ziv.abirnet.co.il (z1.abirnet.co.il [194.90.211.21]) by wizard.abirnet.co.il (8.7.6/8.7.3) with SMTP id SAA15747; Tue, 6 May 1997 18:30:23 +0300
Date: Tue, 6 May 97 13:18:57 Israel Daylight Time
From: Ziv Dascalu
Subject: Re: Need to restrict http://www.nude.com and such
To: "Richard A. Hill" , firewalls@GreatCircle.COM
X-Mailer: Chameleon ATX 6.0, Standards Based IntraNet Solutions, NetManage Inc.
X-Priority: 3 (Normal)
References: <2.2.32.19970506061313.0194092c@pop.tiac.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

---
On Tue, 06 May 1997 02:13:13 -0400 "Richard A. Hill" wrote:

> Well, I'll add my two cents worth in brief.
>
> Unless you are experiencing complaints of email harassment, or you have incidents of "offensive" material being displayed to persons who do not wish to see it, it is ALWAYS going to cost more in time and energy to play fascist than you will save.
>
> I have a personal dislike for any kind of censorship that is not specifically aimed at curbing harassment. I feel that if your employees, co-workers, or whatever are being productive and doing their jobs at expected (or better) levels, then you are getting what you pay them for. Enough! Their privacy overrules any squeamish desire of yours to play Papa (or Mama..).
>
> Over the last year, I watched a harassment accusation at a former employer's almost blow up into an expensive court case, but for some common sense from a judge:
>
> "You say he has offensive materials on the walls of his office?"
> "yes"
> "Do you work in his office?"
> "no"
> "Can you see this material from outside the office?"
> "no"
> "Do you ever have to go into his office as part of your job, or has he ever asked you into his office?"
> "no"
> "Well then; I think I have the solution. Don't go into his office."
> "But I don't think he should have those pictures on the walls."
> "And I don't think this case belongs in court, but we can't get all we want, now can we."
> {Above is very close to actual dialogue}
>
> By all means, set up logging and tracking procedures to be used if a harassment or similar complaint is brought, as well as evidencing a policy of not tolerating sexual bullies, but stay out of other people's lives as much as possible. As has already been said, if you are editing content, you risk being held responsible for what you let through, as much as what you do not.
>
> I know this goes against our growing "Big-Brother" syndrome of protecting people against themselves, but I'll always choose freedom over order.
>
> Richard

WWW browsing may create a situation where the company site name will be logged on a publicly accessed list of sites that have accessed that specific site. Some want to prevent this.
On NNTP posting, there is a liability for the employer for what postings are made by his employees.

Ziv Dascalu
ABIRNET
Active Network Protection
http://www.AbirNet.com

From owner-firewalls-outgoing Tue May 6 04:25:09 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id DAA20179 for firewalls-outgoing; Tue, 6 May 1997 03:11:20 -0700 (PDT)
Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id DAA20153 for ; Tue, 6 May 1997 03:11:05 -0700 (PDT)
Received: from France.Sun.COM ([129.157.188.1]) by mercury.Sun.COM (SMI-8.6/mail.byaddr) with SMTP id DAA09733; Tue, 6 May 1997 03:24:35 -0700
Received: from sunaix.France.Sun.COM by France.Sun.COM (SMI-8.6/SMI-SVR4-sd.fkk200) id MAA15731; Tue, 6 May 1997 12:11:09 +0200
Received: from galaxia by sunaix.France.Sun.COM (SMI-8.6/SMI-SVR4) id MAA29813; Tue, 6 May 1997 12:11:03 +0200
Date: Tue, 6 May 1997 12:02:48 +0200 (MET DST)
From: Eric Deschamps
Reply-To: Eric Deschamps
Subject: Re: [FW1] [FW-1] [Solaris 2.6] DHCP, VLSM thoughts
To: "Marc D. Jackson"
Cc: Eric.Deschamps@France.Sun.COM, Jerald.Josephs@Ebay.Sun.COM, firewalls@GreatCircle.COM, fw-1-mailinglist@us.checkpoint.com, drexx@pspi.com.ph
In-Reply-To: "Your message with ID" <199705051842.LAA09206@Xenon.Stanford.EDU>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Perhaps this is a problem with terminology. On one machine if I have
>
> 192.168.100.33, 192.168.100.66, 192.168.100.97 all with the subnet mask 255.255.255.224, the rip updates from the machine contain information about the various subnets. This would indicate to me that "RIP" *does* understand subnetting. Are you saying that the packets on port 520 are *not* RIP updates?
>
> mj

Here is a small part of RFC 1058:

"When a host evaluates information that it receives via RIP, its interpretation of an address depends upon whether it knows the subnet mask that applies to the net. If so, then it is possible to determine the meaning of the address. For example, consider net 128.6. It has a subnet mask of 255.255.255.0. Thus 128.6.0.0 is a network number, 128.6.4.0 is a subnet number, and 128.6.4.1 is a host address. However, if the host does not know the subnet mask, evaluation of an address may be ambiguous. If there is a non-zero host part, there is no clear way to determine whether the address represents a subnet number or a host address. As a subnet number would be useless without the subnet mask, addresses are assumed to represent hosts in this situation.

In order to avoid this sort of ambiguity, hosts must not send subnet routes to hosts that cannot be expected to know the appropriate subnet mask. Normally hosts only know the subnet masks for directly-connected networks. Therefore, unless special provisions have been made, routes to a subnet must not be sent outside the network of which the subnet is a part."

I think the last line is self-explanatory about the fact that RIP does not know about subnets.
Another point is if you look at the format of a RIP message (without the header), you can see that there is no entry for the subnet mask:

    +------------------------------------+
    |             IP address             |
    +------------------------------------+
    |           (must be zero)           |
    +------------------------------------+
    |           (must be zero)           |
    +------------------------------------+
    |               metric               |
    +------------------------------------+

and in RIP v2

    +------------------------------------+
    |             IP address             |
    +------------------------------------+
    |             subnet mask            |
    +------------------------------------+
    |         next hop IP address        |
    +------------------------------------+
    |               metric               |
    +------------------------------------+

Eric

From owner-firewalls-outgoing Tue May 6 05:10:10 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA29866 for firewalls-outgoing; Tue, 6 May 1997 04:38:27 -0700 (PDT)
Received: from mailrelay.tiac.net (mailrelay.tiac.net [199.0.65.237]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id EAA29841 for ; Tue, 6 May 1997 04:38:13 -0700 (PDT)
Received: from wotan.icenetsys.com ([206.119.11.248]) by mailrelay.tiac.net (8.8.5/) with SMTP id HAA27506; Tue, 6 May 1997 07:41:51 -0400 (EDT)
Message-Id: <2.2.32.19970506124426.0181f8b0@pop.tiac.net>
X-Sender: rhill@pop.tiac.net
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 06 May 1997 08:44:26 -0400
To: gcrum@us-state.gov
From: "Richard A. Hill"
Subject: Re: Need to restrict http://www.nude.com and such
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>---------------Original Message---------------
>
> Well, I'll add my two cents worth in brief.
>
> Unless you are experiencing complaints of email harassment, or you have incidents of "offensive" material being displayed to persons who do not wish to see it, it is ALWAYS going to cost more in time and energy to play fascist than you will save.
> I have a personal dislike for any kind of censorship that is not specifically aimed at curbing harassment. I feel that if your employees, co-workers, or whatever are being productive and doing their jobs at expected (or better) levels, then you are getting what you pay them for. Enough! Their privacy overrules any squeamish desire of yours to play Papa (or Mama..).
>
> Over the last year, I watched a harassment accusation at a former employer's almost blow up into an expensive court case, but for some common sense from a judge:
>
> "You say he has offensive materials on the walls of his office?"
> "yes"
> "Do you work in his office?"
> "no"
> "Can you see this material from outside the office?"
> "no"
> "Do you ever have to go into his office as part of your job, or has he ever asked you into his office?"
> "no"
> "Well then; I think I have the solution. Don't go into his office."
> "But I don't think he should have those pictures on the walls."
> "And I don't think this case belongs in court, but we can't get all we want, now can we."
> {Above is very close to actual dialogue}
>
> By all means, set up logging and tracking procedures to be used if a harassment or similar complaint is brought, as well as evidencing a policy of not tolerating sexual bullies, but stay out of other people's lives as much as possible. As has already been said, if you are editing content, you risk being held responsible for what you let through, as much as what you do not.
>
> I know this goes against our growing "Big-Brother" syndrome of protecting people against themselves, but I'll always choose freedom over order.
>
> Richard

At 07:00 5/6/97 PDT, you wrote:

> Richard, I agree with you in principle, as I have many things that I can do with my time, but understand something here. If I employ someone to do a job, and instead of doing his job, he goes out on the internet and looks at porno all day, he isn't being productive, is he. It really isn't a porno issue.
> He could just as easily be getting 200 emails a day from some list server with jokes on it. It really doesn't matter. He is stealing from me. Now, if I have hundreds of employees doing the same thing, I have really cut into my bottom line. I have seen certain times when one user on several lists has tied up email so badly that they have rendered the email server useless, and everyone else is affected because of one or two users hogging the existing bandwidth. I don't like it either, but it is the world we work in. Now if recent legal cases are any indication, if this guy sits on the net all day, and starts sending threatening emails or sexually oriented material via my system, I can be liable for this in court and could be sued. Far fetched? Not hardly, it has already been done. I think it is a prudent action to monitor content. Just think what the press would do if they found out that the vice President was using white house computers to solicit funds for re-election. Whoops, he did, and might just have to resign for it, or maybe go to jail for his crimes or something. You see, sticking our heads into the sand is not the only answer available. Sometimes costs are not measured in dollars and cents.

Yes, but bandwidth issues can be dealt with using technical solutions. It is not a matter of sticking your head in the sand. You miss my point. It will ALWAYS cost more for you to paternalize. I mentioned having the logging and tracing in effect for just such a legal problem as you bring up. The key is that I am NOT wasting the time or energy having these logs or traces touched UNTIL someone brings a complaint. THEN you have the facts to disprove or support the complaint.

It's like the Israeli solution to terrorism during the 1973 six day war which worked very well but was not deemed "Acceptable" by later ministers or the US. You WILL be searched and your luggage examined. We WILL cart your ass off in a bag if we find explosives or weapons.
Your rights are not being violated because we do NOT care what else we find, drugs, money, etc. These are none of our business.

1. My business is running my business and keeping it safe legally and economically.
2. My business is NOT overseeing my employees' every move.
3. If I hire someone, I expect them to do their job.
4. If I cannot tell if they are doing their job, I should not have mine.
5. If they are doing their job, then what else they do on their breaks or lunches is NONE OF MY BUSINESS unless they are doing something (sending threatening emails or sexually oriented material via my system) which affects my company, or my employers, legally.
6. If they are so good at their job that they have time to surf the web, they'll eventually get so bored they'll look for more productive ways to use their time.
7. If they are NOT so good at their job, it will be noticeable (see #4) and I can take steps over productivity, and THAT will not cause any issues with other employees, like censoring emails or web trafficking.

The issue again is Big Brother-ism, not ignoring illegal practices.

Richard

######################################################################
Richard A. Hill
ICE Networking Systems
rhill@icenetsys.com
"If you know what's good for you, you do NOT know what is good for me"
"Freedom is a touchy issue when every touch takes some away".
###################################################################### From owner-firewalls-outgoing Tue May 6 06:10:10 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA08938 for firewalls-outgoing; Tue, 6 May 1997 06:08:27 -0700 (PDT) Received: from truth.mccallie.chattanooga.tn.us (truth.mccallie.chattanooga.tn.us [205.244.24.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id GAA08931 for ; Tue, 6 May 1997 06:08:21 -0700 (PDT) Received: from elewis.mccallie.chattanooga.tn.us (elewis.mccallie.chattanooga.tn.us [205.244.24.27]) by truth.mccallie.chattanooga.tn.us (8.6.11/8.6.9) with SMTP id JAA12868 for ; Tue, 6 May 1997 09:10:47 -0400 Message-Id: <3.0.1.32.19970506091057.0071143c@205.244.24.2> X-Sender: elewis@205.244.24.2 X-Mailer: Windows Eudora Pro Version 3.0.1 (32) Date: Tue, 06 May 1997 09:10:57 -0400 To: firewalls@GreatCircle.COM From: Elise Lewis Subject: RE: Need to restrict http://www.nude.com and such Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Microsoft's Internet Explorer works with ratings supplied by RSACi. As I understand it, this is all part of the PICS initiative. But if you block at all, IE blocks all unrated sites as well as sites whose ratings put them in categories you want to block. 
Further info on PICS: http://www.w3.org/pub/WWW/PICS/
Further info on RSACi: http://www.rsac.org/index.cfm

Elise Lewis elewis@mccallie.chattanooga.tn.us
Information Systems Director, The McCallie School
423-493-5885 (voice) 423-629-2852 (fax)
500 Dodds Avenue, Chattanooga, TN 37404

From owner-firewalls-outgoing Tue May 6 06:24:50 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA06942 for firewalls-outgoing; Tue, 6 May 1997 05:39:12 -0700 (PDT) Received: from hq.si.net (hq.si.net [192.156.192.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id FAA06878 for ; Tue, 6 May 1997 05:38:51 -0700 (PDT) Received: from hq.si.net (hq [192.156.192.10]) by hq.si.net (8.8.5/8.7.3) with SMTP id IAA13079; Tue, 6 May 1997 08:42:41 -0400 (EDT) Date: Tue, 6 May 1997 08:42:41 -0400 (EDT) From: Ming Lu To: "Marc D. Jackson" cc: Eric.Deschamps@France.Sun.COM, dechon@CS.Stanford.EDU, Jerald.Josephs@Ebay.Sun.COM, firewalls@GreatCircle.COM, fw-1-mailinglist@us.checkpoint.com, drexx@pspi.com.ph Subject: Re: [FW1] [FW-1] [Solaris 2.6] DHCP, VLSM thoughts In-Reply-To: <199705051842.LAA09206@Xenon.Stanford.EDU> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Mon, 5 May 1997, Marc D. Jackson wrote:
> Eric Deschamps writes:
> > > > > 2] How will VLSM make firewalling administration any easier/better ?
> > > > No, but it will make it easier to subnet your intranet without
> > > > losing precious IP addresses to a subnet without enough
> > > > hosts to use all of the addresses.
> > > ? I don't understand this last sentence. My exposure to VLSM indicates
> > > that it has nothing to do with subnetting your intranet. I ran into
> > > this problem when trying to route with rip. Specifically, Sun's
> > > implementation of the routing socket interface is not the industry
> > > standard.
> > > In other words, when you use a Sun machine as a multi-homed
> > > host with subnetted networks the rip updates are incorrect. The routers
> > > that we used had no problems at all in dealing with the subnetted
> > > networks, therefore while we were able to subnet our intranet we had
> > > problems with using Suns as any type of router.
> > > mj
> > Marc,
> > It seems that VLSM stands for "variable-length subnet mask", so it looks like
> > it has to do with subnetting your intranet. RIP has no knowledge of subnet
> Perhaps this is a problem with terminology. On one machine if I have
> 192.168.100.33, 192.168.100.66, 192.168.100.97 all with the subnet mask
> 255.255.255.224 the rip updates from the machine contain information
> about the various subnets. This would indicate to me that "RIP" *does*
> understand subnetting. Are you saying that the packets on port 520 are
> *not* RIP updates?
> mj

RIP does understand "traditional" subnet masks (classful), but not VLSM.
mlu

From owner-firewalls-outgoing Tue May 6 06:39:59 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA11060 for firewalls-outgoing; Tue, 6 May 1997 06:32:17 -0700 (PDT) Received: from gw.genre.com (genre.com [204.149.79.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id GAA11029 for ; Tue, 6 May 1997 06:32:09 -0700 (PDT) From: ygerman@genre.com Received: by gw.genre.com id AA12071 (General Re Group SMTP Gateway 3.0 for firewalls@greatcircle.com); Tue, 6 May 1997 09:34:05 -0400 Received: by gw.genre.com (Internal Mail Agent-1); Tue, 6 May 1997 09:34:05 -0400 X-Lotus-Fromdomain: GRN@INTERNET To: firewalls@greatcircle.com Message-Id: <8525648F.0049CA6C.00@grcstm-nt07.genre.com> Date: Tue, 6 May 1997 09:30:22 -0400 Subject: RE: Need to restrict http://www.nude.com and such Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Yury German@GRN 05/06/97 09:30 AM

Does anyone know about how the rating advisory works and if by changing the advisory in the browser someone would be able to simulate the content advisor through a local web/content server for other sites?

> The Microsoft Content Advisor only works with sites that
> have a registered Content ID applied to the HTML.
> Sorry for the lack of facts and links to references but for the content advisor to work properly the HTMLer needs to submit their Webpage to a Content Advisory
> Committee and they determine what rating it is given.
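The following is an added example in Python, not code from the thread, from Microsoft or from RSAC, showing the two behaviours Elise and Yury describe: a page is allowed only when every RSACi category is at or below the configured limit, and, once blocking is turned on at all, a page with no label (or a label for some other rating service) is treated as unrated and blocked. The RSACi service URL and its four 0-4 categories (n nudity, s sex, v violence, l language) are the published ones; the policy thresholds and the sample pages are constructed for the example.

```python
"""PICS-1.1 / RSACi label check (added example, not from the list archive)."""
import re

RSACI_SERVICE = "http://www.rsac.org/ratingsv01.html"

# <META http-equiv="PICS-Label" content='(PICS-1.1 ...)'>; the label itself
# contains double quotes, so capture whichever quote character wraps it.
LABEL_TAG = re.compile(
    r"""<meta\s+http-equiv=(["'])PICS-Label\1\s+content=(["'])(.*?)\2\s*/?>""",
    re.IGNORECASE | re.DOTALL,
)


def parse_rsaci_label(label):
    """Return {category: value} for an RSACi label, or None when the label
    names another rating service or carries no ratings block."""
    service = re.match(r'\s*\(PICS-1\.1\s+"([^"]+)"', label)
    if not service or service.group(1) != RSACI_SERVICE:
        return None
    ratings = re.search(r"\b(?:r|ratings)\s*\(([^)]*)\)", label)
    if not ratings:
        return None
    return {k: int(v) for k, v in re.findall(r"([a-z])\s+(\d+)", ratings.group(1))}


def decide(html, policy, block_unrated=True):
    """Return (allowed, reason) for one page against a {category: max} policy.
    With block_unrated=True an unlabelled page is refused, which is the
    behaviour the thread attributes to IE once any blocking is enabled."""
    tag = LABEL_TAG.search(html)
    ratings = parse_rsaci_label(tag.group(3)) if tag else None
    if ratings is None:
        return (not block_unrated, "unrated")
    for category, limit in policy.items():
        value = ratings.get(category, 0)  # a missing category counts as 0
        if value > limit:
            return (False, f"{category}={value} exceeds limit {limit}")
    return (True, "rated within policy")


# Constructed sample pages and policy (not real sites).
POLICY = {"n": 0, "s": 0, "v": 2, "l": 1}

PAGE_CLEAN = """<html><head>
<META http-equiv="PICS-Label" content='(PICS-1.1 "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0))'>
</head><body>hello</body></html>"""

PAGE_ADULT = """<html><head>
<META http-equiv="PICS-Label" content='(PICS-1.1 "http://www.rsac.org/ratingsv01.html" l gen true r (n 4 s 4 v 0 l 2))'>
</head><body>hello</body></html>"""

PAGE_UNRATED = "<html><head><title>no label here</title></head><body>hello</body></html>"

PAGE_OTHER_SERVICE = """<html><head>
<META http-equiv="PICS-Label" content='(PICS-1.1 "http://labels.example.invalid/v1" l r (n 0 s 0 v 0 l 0))'>
</head><body>hello</body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", PAGE_CLEAN), ("adult", PAGE_ADULT),
                       ("unrated", PAGE_UNRATED), ("other service", PAGE_OTHER_SERVICE)):
        print(f"{name:14s} -> {decide(page, POLICY)}")
    print(f"unrated, blocking off -> {decide(PAGE_UNRATED, POLICY, block_unrated=False)}")
```

Note what the check is trusting: the label is whatever the HTML that reaches the browser says it is, and nothing in the tag authenticates who put it there. That is the gap behind Yury's question about serving labels from a local content server; PICS addressed it with label bureaus that the browser queries directly, which this example does not model.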
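Going back to the VLSM thread between Marc Jackson and Ming Lu above: the following added example (Python, not code from the thread) shows concretely why RIP can carry Marc's three /27 subnets but not variable-length masks. A RIPv1 route entry (RFC 1058) has no mask field, so the receiver has to infer one; the usual rule, modelled here, is to apply the receiving interface's own mask when the destination is in the same classful network and the classful mask otherwise. A RIPv2 entry (RFC 2453) carries the mask. The interface addresses used below are made up.

```python
"""RIPv1 vs RIPv2 route entries (added example, not from the list archive)."""
import ipaddress
import struct

AF_INET = 2


def _packed(addr):
    return ipaddress.IPv4Address(addr).packed


def classful_prefix(addr):
    """Mask length implied by the address class: A /8, B /16, C /24."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    return 24


def rip1_entry(dest, metric):
    """RFC 1058 entry: family, must-be-zero, address, zero, zero, metric.
    20 bytes, and no field for a subnet mask."""
    return struct.pack("!HH4sIII", AF_INET, 0, _packed(dest), 0, 0, metric)


def rip2_entry(dest, mask, metric, tag=0, next_hop="0.0.0.0"):
    """RFC 2453 entry: family, route tag, address, mask, next hop, metric."""
    return struct.pack("!HH4s4s4sI", AF_INET, tag, _packed(dest), _packed(mask),
                       _packed(next_hop), metric)


def learn_v1(raw, receiving_iface):
    """Interpret a RIPv1 entry the way a v1 receiver on `receiving_iface`
    (e.g. "192.168.100.34/27") has to: guess the mask.  Returns (network, metric)."""
    family, _, dest, _, _, metric = struct.unpack("!HH4sIII", raw)
    assert family == AF_INET
    dest = ipaddress.IPv4Address(dest)
    iface = ipaddress.ip_interface(receiving_iface)
    cls = classful_prefix(dest)
    same_classful_net = (ipaddress.ip_network(f"{dest}/{cls}", strict=False)
                         == ipaddress.ip_network(f"{iface.ip}/{cls}", strict=False))
    # Same classful network: assume the subnets all use *my* mask (fixed-length
    # subnetting).  Different classful network: only the classful route survives.
    prefix = iface.network.prefixlen if same_classful_net else cls
    return ipaddress.ip_network(f"{dest}/{prefix}", strict=False), metric


def learn_v2(raw):
    """Interpret a RIPv2 entry: the mask travels with the route."""
    family, _tag, dest, mask, _next_hop, metric = struct.unpack("!HH4s4s4sI", raw)
    assert family == AF_INET
    net = ipaddress.ip_network(
        f"{ipaddress.IPv4Address(dest)}/{ipaddress.IPv4Address(mask)}", strict=False)
    return net, metric


if __name__ == "__main__":
    neighbour = "192.168.100.34/27"  # a receiver sitting on Marc's first /27
    for dest in ("192.168.100.32", "192.168.100.64", "192.168.100.96"):
        print("v1, fixed-length /27:", learn_v1(rip1_entry(dest, 1), neighbour))
    # VLSM: a /28 advertised in v1 is misread as a /27 by the same receiver
    print("v1, real /28 route  :", learn_v1(rip1_entry("192.168.100.128", 1), neighbour))
    print("v2, real /28 route  :", learn_v2(rip2_entry("192.168.100.128", "255.255.255.240", 1)))
    # Across a classful boundary v1 can only collapse everything to the class C
    print("v1, from 10.0.0.0   :", learn_v1(rip1_entry("192.168.100.64", 1), "10.1.1.1/24"))
```

The three /27 routes come out right because the receiver's interface mask happens to match; the /28 comes out as 192.168.100.128/27, which is the VLSM failure Ming Lu is pointing at, and a receiver on another classful network sees only 192.168.100.0/24.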
From owner-firewalls-outgoing Tue May 6 06:42:40 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA05457 for firewalls-outgoing; Tue, 6 May 1997 05:23:41 -0700 (PDT) Received: from firewall.centro.org (firewall.centro.org [207.127.155.130]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id FAA05432 for ; Tue, 6 May 1997 05:23:26 -0700 (PDT) Received: by firewall.centro.org; id HAA10406; Tue, 6 May 1997 07:58:14 -0400 (EDT) Received: from centro.org(207.127.155.21) by firewall.centro.org via smap (V3.1.1) id xma010404; Tue, 6 May 97 07:58:11 -0400 Received: by centro-02.centro.org with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5) id <01BC59F6.E0A72AD0@centro-02.centro.org>; Tue, 6 May 1997 08:24:12 -0400 Message-ID: From: "Rajunas, John" To: "'firewalls@GreatCircle.COM'" Subject: FW: Need to restrict http://www.nude.com and such Date: Tue, 6 May 1997 08:24:11 -0400 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Here is my 2 cents on this subject:

It is the responsibility of Company management to define a policy in which its employees function and decide how that policy will be implemented. At CNYRTA, we have a written users policy that specifically forbids the access of pornographic or offensive material, or any material which a co-worker may find offensive. This policy is enforced 2 ways. First, as MIS Manager, I implement our http: access policy using our firewall system. I do not restrict any site, but I log all outbound http requests and can review that log from time to time.
If I see a dramatic increase in access to what I believe are pornographic sites, I send an e-mail to all users stating this increase and remind them of the policy and the punishment for its violation (which includes termination). Therefore, the company has proper documentation that the behavior is not acceptable and that all employees are notified on the occasion of first getting network access, and again when an increase in restricted activity is detected. After the e-mail, activity tends to drop off. Second, I take the time to remind the managers and employees at all levels why the company has made the investment to have access to the Internet, and train network users in the proper business use of the access. Luckily, I work for a relatively small company, so this plan is fairly easy to implement.

I believe it is unreasonable for network professionals to be asked to become the "thought police" for an organization. However, we are the providers of necessary tools, and it falls to us to ensure the tool is used to the benefit of the organization.

John B. Rajunas
MIS Manager
Central NY Regional Transportation Authority
Syracuse, NY USA

>----------
>From: Ziv Dascalu[SMTP:ziv@AbirNet.com]
>Sent: Tuesday, May 06, 1997 9:18 AM
>To: Richard A. Hill; firewalls@GreatCircle.COM
>Subject: Re: Need to restrict http://www.nude.com and such
>
>
>--- On Tue, 06 May 1997 02:13:13 -0400 "Richard A. Hill" wrote:
>>
>> Well, I'll add my two cents worth in brief.
>> Unless you are experiencing complaints of email harassment, or you have
>> incidents of "offensive" material being displayed to persons who do not
>> wish to see it, It is ALWAYS going to cost more in time and energy to play
>> fascist, than you will save.
>> I have a personal dislike for any kind of censorship that is not
>> specifically aimed at curbing harassment.
>> I feel that if your employees,
>> co-workers, or whatever are being productive and doing their jobs at
>> expected (or better) levels, then you are getting what you pay them for.
>> Enough! Their privacy overrules any squeamish desire of yours to play Papa.
>> (or Mama ..)
>>
>> Over the last year, I watched a harassment accusation at a former employer's
>> almost blow up into an expensive court case, but for some common sense from
>> a judge:
>> "You say he has offensive materials on the walls of his office?"
>> "yes"
>> "Do you work in his office?"
>> "no"
>> "Can you see this material from outside the office?"
>> "no"
>> "Do you ever have to go into his office as part of your job, or has he
>> ever asked you into his office?"
>> "no"
>> "Well then; I think I have the solution. Don't go into his office"
>> "But I don't think he should have those pictures on the walls"
>> "And I don't think this case belongs in court, but we can't get all we
>> want, now can we."
>> {Above is very close to actual dialogue}
>>
>> By all means, set up logging and tracking procedures to be used if a
>> harassment or similar complaint is brought, as well as evidencing a policy
>> of not tolerating sexual bullies, but stay out of other people's lives as
>> much as possible. As has already been said, if you are editing content, you
>> risk being held responsible for what you let through, as much as what you do
>> not.
>>
>> I know this goes against our growing "Big-Brother" syndrome of protecting
>> people against themselves, but I'll always choose freedom over order
>>
>>
>> Richard
>>
>
>WWW browsing may create a situation where the company site name will be
>logged on a publicly accessed list of sites that have accessed that specific site.
>some want to prevent this.
>on NNTP posting there is a liability for the employer for what postings are
>done by his employees
>
>Ziv Dascalu
>ABIRNET Active Network Protection http://www.AbirNet.com
>
>

From owner-firewalls-outgoing Tue May 6 07:55:46 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA20667 for firewalls-outgoing; Tue, 6 May 1997 07:41:28 -0700 (PDT) Received: from hanshan.bbnplanet.com (hanshan.bbnplanet.com [199.94.209.143]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id HAA20658 for ; Tue, 6 May 1997 07:41:23 -0700 (PDT) From: pnash@hanshan.bbnplanet.com Received: (qmail 17923 invoked by uid 1001); 6 May 1997 14:43:32 -0000 Message-ID: <19970506144332.17922.qmail@hanshan.bbnplanet.com> Subject: Re: Config Files To: davidal@moloc.cps.unizar.es (David Alayeto Salvador) Date: Tue, 6 May 1997 10:43:32 -0400 (EDT) Cc: firewalls@GreatCircle.COM In-Reply-To: from "David Alayeto Salvador" at May 6, 97 08:53:26 am X-Mailer: ELM [version 2.4 PL25] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> I would like to see some examples of some of the configuration files
> needed to set up a firewall properly.

Brent Chapman has a book out through O'Reilly Associates entitled "Building Internet Firewalls" which is pretty good.. Cheswick & Bellovin also have a great book out. You can also get Brent to come out to your site to do some consulting, etc.. He's a pretty good speaker although I think he can tighten up his firewall a little more, but then that's just me.

-Paul
----
Paul Nash I speak for myself, not for my employer.
BBN Planet (617) 873-6604 pnash@bbnplanet.com

From owner-firewalls-outgoing Tue May 6 08:10:03 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA21539 for firewalls-outgoing; Tue, 6 May 1997 07:54:04 -0700 (PDT) Received: from igwpc5.paribas.com ([155.140.123.60]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA21532 for ; Tue, 6 May 1997 07:53:58 -0700 (PDT) Received: from igwpc4.paribas.com (155.140.123.61) by igwpc5.paribas.com (Integralis SMTPRS 1.51) with SMTP id ; Tue, 06 May 1997 14:34:07 +0000 Received: from ccMail by igwpc4.paribas.com (IMA Internet Exchange 2.01 Enterprise) id 36F402B0; Tue, 6 May 97 15:28:59 +0100 MIME-Version: 1.0 Date: Tue, 6 May 1997 15:07:06 +0100 Message-Id: <36F402B0.@paribas.com> From: Francois_ARCASEDDA@paribas.com (Francois ARCASEDDA) Subject: chat tcp/ip ports To: firewalls@greatcircle.com Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Description: cc:Mail note part Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hello there,

What are the tcp/udp ports involved in the chat protocol? What shall we open to be able to use MS NetMeeting?

Best regards
Francois ARCA-SEDDA
Banque PARIBAS London.
From owner-firewalls-outgoing Tue May 6 08:25:38 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA21639 for firewalls-outgoing; Tue, 6 May 1997 07:56:01 -0700 (PDT) Received: from pdx.com.my (pdx.com.my [192.228.144.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id HAA21581 for ; Tue, 6 May 1997 07:55:40 -0700 (PDT) Received: from wsm.pdx.com.my by pdx.com.my with smtp (Smail3.1.29.1 #3) id m0wOlbX-000BGNC; Tue, 6 May 97 22:52 GMT+0800 Message-ID: <336F470E.21EA@pdx.com.my> Date: Tue, 06 May 1997 22:58:22 +0800 From: Wong Organization: CSNet X-Mailer: Mozilla 3.0Gold (Win95; I) MIME-Version: 1.0 To: firewalls@greatcircle.com Subject: [Fwd: Re: Need to restrict http://www.nude.com and such] Content-Type: message/rfc822 Content-Transfer-Encoding: 7bit Content-Disposition: inline Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Message-ID: <336D3883.751A@pdx.com.my> Date: Mon, 05 May 1997 09:31:47 +0800 From: Wong Organization: CSNet X-Mailer: Mozilla 3.0Gold (Win95; I) MIME-Version: 1.0 To: "Eric V. Smith" CC: dura@geocities.com, ziv@AbirNet.com Subject: Re: Need to restrict http://www.nude.com and such References: <01BC58B0.DF0052C0@carew.windsor.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit

Good Morning guys!

Eric V. Smith wrote:
>
> Gabriel Dura said:
> > < about restricting access to sites based on content >
> >
> > The MS Internet Explorer has such an option about restricting the
> > access to violence and pornography... Too bad they have so many security
> > bugs... It could have been successfully used in this case... The idea is
> > good but the implementation is bad...
>
> In what way is the implementation bad? Do you have some facts or pointers you could share?
>
> Eric.

Want to have something to ponder about? Try the website below . . .
http://www.infoworld.com/cgi-bin/displayStory.pl?970424.entfix.htm
http://www.news.com/News/Item/0%2C4%2C10065%2C00.html?nd

If it has no bugs, It isn't a M$@&^Soft product.

http://www5.zdnet.com/zdnn/content/zdnn/0430/zdnn0002.html

Surely, Mr. Smith, you must have heard about your colleagues and friends complaining about security holes in their browser, system hangs, system crashes, etc.

From owner-firewalls-outgoing Tue May 6 08:39:08 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA21060 for firewalls-outgoing; Tue, 6 May 1997 07:45:26 -0700 (PDT) Received: from namsa.nato.int (ddnfw0.namsa.nato.int [147.36.201.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA20939 for ; Tue, 6 May 1997 07:44:51 -0700 (PDT) Received: by ddnfw0.namsa.nato.int id <17031-1>; Tue, 6 May 1997 16:49:53 +0100 Message-Id: <97May6.164953gmt+0100.17031-1@ddnfw0.namsa.nato.int> Date: Tue, 6 May 1997 15:48:19 +0100 From: Thierry GUINET X-Mailer: Mozilla 3.0 (X11; I; HP-UX A.09.05 9000/735) Mime-Version: 1.0 To: firewalls@GreatCircle.COM Subject: Re: Need to restrict http://www.nude.com and such References: <3.0.1.32.19970506091057.0071143c@205.244.24.2> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

If I may add my $.02, why not have a look at Secure Computing's SmartFilter. We are using it and are pretty happy with the quality of the product.

Cheers,
Thierry
--
Thierry Guinet IS Security Officer, Namsa Luxembourg T.Guinet@namsa.nato.int Phone: +352/30.63-6812 Fax: +352/30.87.21
In order to create an apple pie from scratch, you must first create the universe.
Carl Sagan

From owner-firewalls-outgoing Tue May 6 08:39:49 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA26298 for firewalls-outgoing; Tue, 6 May 1997 08:34:06 -0700 (PDT) Received: from brimstone.rnb.com (brimstone.rnb.com [204.178.80.14]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id IAA26279 for ; Tue, 6 May 1997 08:33:57 -0700 (PDT) Received: by brimstone.rnb.com; id LAA05157; Tue, 6 May 1997 11:36:16 -0400 Received: from relay.rnb.com(199.99.101.2) by brimstone.rnb.com via smap (3.2) id xma004959; Tue, 6 May 97 11:35:55 -0400 Received: from monarch.rnb.com (monarch [150.1.29.115]) by relay.rnb.com (8.8.5/8.8.4) with SMTP id LAA16468 for ; Tue, 6 May 1997 11:35:54 -0400 (EDT) Comments: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Comments: Internet Message: Sender identity is not verified. Comments: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Message-ID: X-Mailer: XFMail 1.1 [p0] on Solaris Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 8bit MIME-Version: 1.0 Date: Tue, 06 May 1997 11:30:24 -0400 (EDT) Organization: Republic National Bank From: Ken Kempster To: firewalls Subject: Communication requirements for Compuserve Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Does anyone know what the communication requirements are for passing Compuserve's app. ver. 3.02 through a firewall? What are the service port requirements?

thanx.
|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
| Ken Kempster             kempster@monarch.rnb.com       |
| Network Systems Engineer        _\|/_                   |
| Republic National Bank          (o o)                   |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~oOO-(_)-OOo~~~~~~~~~~~~~~

From owner-firewalls-outgoing Tue May 6 09:29:36 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA26990 for firewalls-outgoing; Tue, 6 May 1997 08:39:08 -0700 (PDT) Received: from noah.minimed.com ([206.149.231.14]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id IAA26963 for ; Tue, 6 May 1997 08:38:55 -0700 (PDT) Received: from ceres.minimed.com by noah.minimed.com (SMI-8.6/SMI-SVR4) id IAA05184; Tue, 6 May 1997 08:38:35 -0700 Received: from martinb by ceres.minimed.com (SMI-8.6/SMI-SVR4) id IAA03935; Tue, 6 May 1997 08:39:47 -0700 Message-Id: <2.2.32.19970506153931.006ca6d8@ceres+> X-Sender: martinb@ceres+ X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 06 May 1997 08:39:31 -0700 To: firewalls@greatcircle.com From: Martin Brooks Subject: Firewall platform Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hello,

We are looking at purchasing a Firewall which will also support encrypted domains. But, I am a little unsure about what to spec for a platform. I was thinking of a Sparc 20 with 64MB of memory. Do you think I need more CPU power?
Thanks -Martin From owner-firewalls-outgoing Tue May 6 09:39:10 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA27638 for firewalls-outgoing; Tue, 6 May 1997 08:43:58 -0700 (PDT) Received: from scribe.cc.purdue.edu (scribe.cc.purdue.edu [128.210.11.6]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id IAA27629 for ; Tue, 6 May 1997 08:43:50 -0700 (PDT) Received: from ia01.freh.purdue.edu by scribe.cc.purdue.edu; Tue, 6 May 97 10:46:15 -0500 Comments: Authenticated sender is From: "Michael S Hines" Organization: Purdue University To: firewalls@GreatCircle.COM Date: Tue, 6 May 1997 10:47:50 -0500 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Re: Config Files Reply-to: mshines@purdue.edu X-mailer: Pegasus Mail for Win32 (v2.42) Message-Id: <336f5248332f002@scribe.cc.purdue.edu> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > From: pnash@hanshan.bbnplanet.com > Subject: Re: Config Files > To: davidal@moloc.cps.unizar.es (David Alayeto Salvador) > Date: Tue, 6 May 1997 10:43:32 -0400 (EDT) > Cc: firewalls@GreatCircle.COM David Alayeto Salvador says.... > > > > I would like to see some examples of some of the configuration files > > needed to set up a firewall properly. > > Paul Nash says.... > > Brent Chapman has a book out through O'Reilly Associates entitled > "Building Internet Firewalls" which is pretty good.. Cheswick & Bellovin > also have a great book out. You can also get Brent to come out to your > site do some consulting, etc.. He's a pretty good speaker although I > think he can tighten up his firewall a little more, but then that's just > me. "The Internet at 56K and Up" from O'Reilly also has some examples. [funny how that O'Reilly name keeps coming up, eh?] Still though, doesn't your firewall configuration depend upon your security policies? This will vary by organization I would think. 
Actually (in a recent article in April EDPACS) I suggest auditing from the firewall / router table back to policy to test for compliance to policy....since the firewall / router table represents security as it is actually being enforced. The question I wished to raise with this approach is how many technicians are setting access policy? ----------------------------------------------------------------- Internet: mshines@purdue.edu * Michael S. Hines, CDP, CFE Voice: (765) 494-5845 * Sr. Information Systems Auditor FAX: (765) 496-1814 * Purdue University if AC 765 doesn't work, try 317 * 1065 Freehafer Hall * West Lafayette, IN 47907-1065 All views are my own and do not reflect Purdue University policy. From owner-firewalls-outgoing Tue May 6 09:56:30 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA29065 for firewalls-outgoing; Tue, 6 May 1997 08:52:39 -0700 (PDT) Received: from gatekeeper.eastman.com (gatekeeper.eastman.com [164.89.253.3]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA29017 for ; Tue, 6 May 1997 08:52:28 -0700 (PDT) Received: by gatekeeper.eastman.com; id LAA27967; Tue, 6 May 1997 11:58:09 -0400 (EDT) Received: from emngw1.eastman.com(164.89.254.2) by gatekeeper.eastman.com via smap (3.2) id xma027926; Tue, 6 May 97 11:57:56 -0400 Received: by eastman.com id AA13809 (5.67b/IDA-1.5 for firewalls@greatcircle.com); Tue, 6 May 1997 11:55:27 -0400 Received: from ntmcon01.emn.com by eastman.com with SMTP id AA44014 (5.67b/SMI-4.1 for ); Tue, 6 May 1997 11:55:27 -0400 Received: by ntmcon01.emn.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BC5A14.6A5AC2B0@ntmcon01.emn.com>; Tue, 6 May 1997 11:55:38 -0400 Message-Id: From: Owens Blaine To: "'Francois_ARCASEDDA@paribas.com'" , "'firewalls@greatcircle.com'" Subject: RE: chat tcp/ip ports Date: Tue, 6 May 1997 11:53:27 -0400 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 
4.0.994.63 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Port 6667

Blaine Owens
bowens@eastman.com

>-----Original Message-----
>From: Francois_ARCASEDDA@paribas.com [SMTP:Francois_ARCASEDDA@paribas.com]
>Sent: Tuesday, May 06, 1997 10:07 AM
>To: firewalls@greatcircle.com
>Subject: chat tcp/ip ports
>
> Hello there,
>
> What are the tcp/udp ports involved in the chat protocol?
> What shall we open to be able to use MS NetMeeting?
>
> Best regards
> Francois ARCA-SEDDA
> Banque PARIBAS London.

From owner-firewalls-outgoing Tue May 6 10:28:33 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA07419 for firewalls-outgoing; Tue, 6 May 1997 10:02:42 -0700 (PDT) Received: from proof.rain.fr (proof.rain.fr [194.51.3.65]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id KAA07399 for ; Tue, 6 May 1997 10:02:35 -0700 (PDT) Received: from pc1.ecritel.fr (pc1.ecritel.fr [193.105.29.1]) by proof.rain.fr (8.8.5/8.8.5) with SMTP id TAA04810 for ; Tue, 6 May 1997 19:13:08 +0200 (MET DST) Received: from ppp3e.ecritel.fr by pc1.ecritel.fr id aa13899; 6 May 97 19:04 METDST From: philippe fournier To: Firewalls@greatcircle.com MMDF-Warning: Parse error in original version of preceding line at pc1.ecritel.fr Subject: Re: Firewalls-Digest V6 #191 Date: Tue, 6 May 1997 19:03:25 +0200 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1155 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Message-ID: <9705061904.aa13899@pc1.ecritel.fr> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

PLEASE STOP SENDING ME MAIL
PLEASE STOP SENDING ME MAIL
PLEASE STOP SENDING ME MAIL
PLEASE STOP SENDING ME MAIL
>

From owner-firewalls-outgoing Tue May 6 11:08:38 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA05585 for firewalls-outgoing; Tue, 6 May 1997 09:42:24 -0700 (PDT) Received: from ftp.com (ftp.com [128.127.2.122]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id JAA05578 for ; Tue, 6 May 1997 09:42:18 -0700 (PDT) Received: from ftp.com by ftp.com ; Tue, 6 May 1997 12:44:47 -0400 Received: from mailserv-2high.ftp.com by ftp.com ; Tue, 6 May 1997 12:44:47 -0400 Received: from nepal.ftp.com by MAILSERV-2HIGH.FTP.COM (SMI-8.6/SMI-SVR4) id MAA17131; Tue, 6 May 1997 12:41:28 -0400 Message-Id: <199705061641.MAA17131@MAILSERV-2HIGH.FTP.COM> X-Mapi-Messageclass: IPM To: firewalls@greatcircle.com Cc: mgagne@ftp.com X-Mailer: FTP Software Internet Mail 2.0 Mime-Version: 1.0 From: Shishir belbase Subject: Quick Question regarding CISCO load balancing ! Date: Tue, 06 May 1997 12:52:27 -0400 Content-Type: text/plain; charset=US-ASCII; X-MAPIextension=".TXT" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Any help in this subject would be appreciated.

I have a scenario where the client PCs are receiving out of sequence packets and I am wondering what I can do to solve the problem. Local Token Ring LAN has a CISCO 4000 router with two redundant outgoing Frame Relay links. Once the load increases on one FR interface, the router will start sending packets through the other FR interface. One FR link is slower than the other one. No problem. However, the client PC on the other (receiving) side has only one "out of sequence packet" buffer available and can only keep track of one out of sequence packet.

Token Ring------CISCO----------FR Cloud----------CISCO---Token Ring LAN
                  |                                |
                  |-----------FR Cloud-------------|

My question is this. Is there any way to configure the CISCO router so that it sends packets through the same link for established hosts/clients connections?

Thanks !
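An added note, not part of the thread or any reply in it: packets of one connection alternating between two links of different speed is what per-packet load sharing produces, and on IOS the per-packet/per-destination choice is tied to the switching path. Process switching (the interface has `no ip route-cache`) shares load per packet; fast switching (`ip route-cache`, normally the default) shares per destination, so every packet to a given destination uses one path and arrives in order. On an IOS that has CEF the same choice is made explicitly with `ip load-sharing`. The interface names below are assumptions; the first block shows the setting that matches the symptom, the second the setting that fixes it.

```cisco
! Per-packet load sharing (process switching): consecutive packets of
! one flow are spread over Serial0 and Serial1 and can arrive out of order.
interface Serial0
 no ip route-cache
interface Serial1
 no ip route-cache
!
! Per-destination load sharing (fast switching): all packets for a
! destination follow one path, so ordering is preserved. This is the
! default when the interface has ip route-cache.
interface Serial0
 ip route-cache
interface Serial1
 ip route-cache
!
! Equivalent on an IOS with CEF (assumed available on this router):
ip cef
interface Serial0
 ip load-sharing per-destination
interface Serial1
 ip load-sharing per-destination
```

`show ip interface Serial0` reports whether IP fast switching is enabled on the interface, which is the quickest way to see which mode the router is actually in. Per-destination sharing will not spread load evenly across links of unequal speed, so if the slower link was added for capacity rather than redundancy that trade-off should be understood first.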
From owner-firewalls-outgoing Tue May 6 11:14:52 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA01733 for firewalls-outgoing; Tue, 6 May 1997 09:07:08 -0700 (PDT) Received: from mail1.noc.netcom.net (mail1.noc.netcom.net [204.31.1.150]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id JAA01713 for ; Tue, 6 May 1997 09:06:59 -0700 (PDT) Received: from cayman.gblhorizon.com ([206.86.247.28]) by mail1.noc.netcom.net (8.8.5/8.8.5) with SMTP id JAA16537 for ; Tue, 6 May 1997 09:04:37 -0700 (PDT) Received: by cayman.gblhorizon.com (SMI-8.6/SMI-SVR4) id LAA07191; Tue, 6 May 1997 11:00:23 -0500 Date: Tue, 6 May 1997 11:00:22 -0500 (CDT) From: Ken Jones To: firewalls@greatcircle.com Subject: DNS 4.9.5 hack and patches In-Reply-To: <336F470E.21EA@pdx.com.my> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Anyone hear about a supposed hack to 4.9.5 DNS? I've heard this allows the attacker to change the contents of the DNS cache. One use would be to point the address of a web server to an alternate site.

Any definitive info out there?

Ken Jones
EDB, Inc.

From owner-firewalls-outgoing Tue May 6 11:44:44 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA15337 for firewalls-outgoing; Tue, 6 May 1997 10:58:56 -0700 (PDT) Received: from pino.demon.nl (pino.demon.nl [194.159.226.41]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id KAA15235 for ; Tue, 6 May 1997 10:58:36 -0700 (PDT) Received: from localhost (arjan@localhost) by pino.demon.nl (8.8.4/8.8.4) with SMTP id TAA00997 for ; Tue, 6 May 1997 19:00:44 +0200 Date: Tue, 6 May 1997 19:00:44 +0200 (MET DST) From: Arjan Vos To: firewalls@greatcircle.com Subject: What are these ports???
Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi,

Could somebody tell me what the following ports are for and/or whether vulnerabilities are introduced if TCP connections can be made to them over the Internet? I already checked out RFC1700 and did searches via Altavista but was unable to find something useful on these ports...

2001 (File Service Protocol or dc?)
4001
9001
1024
1352 (Lotus Notes)

Thanks,

Arjan Vos
--
Eat hard Sleep hard Wear glasses if you need them

From owner-firewalls-outgoing Tue May 6 12:55:20 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA25591 for firewalls-outgoing; Tue, 6 May 1997 12:07:21 -0700 (PDT) Received: from emout16.mail.aol.com (emout16.mx.aol.com [198.81.11.42]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id MAA25525 for ; Tue, 6 May 1997 12:06:58 -0700 (PDT) From: PHATCAPS@aol.com Received: (from root@localhost) by emout16.mail.aol.com (8.7.6/8.7.3/AOL-2.0.0) id PAA27873; Tue, 6 May 1997 15:09:21 -0400 (EDT) Date: Tue, 6 May 1997 15:09:21 -0400 (EDT) Message-ID: <970506150911_-666197069@emout16.mail.aol.com> To: pfournier@pl7conseil.fr, Firewalls@greatcircle.com Subject: Re: Firewalls-Digest V6 #191 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

would someone please tell me how I can get rid of these stupid firewalls things...I hate this. I can't get rid of them..please tell me!
From owner-firewalls-outgoing Tue May 6 13:10:07 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA02428 for firewalls-outgoing; Tue, 6 May 1997 13:06:46 -0700 (PDT) Received: from hanshan.bbnplanet.com (hanshan.bbnplanet.com [199.94.209.143]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id NAA02383 for ; Tue, 6 May 1997 13:06:32 -0700 (PDT) From: pnash@hanshan.bbnplanet.com Received: (qmail 18373 invoked by uid 1001); 6 May 1997 20:08:28 -0000 Message-ID: <19970506200828.18372.qmail@hanshan.bbnplanet.com> Subject: Re: DNS 4.9.5 hack and patches To: kenj@cayman.gblhorizon.com (Ken Jones) Date: Tue, 6 May 1997 16:08:27 -0400 (EDT) Cc: firewalls@greatcircle.com In-Reply-To: from "Ken Jones" at May 6, 97 11:00:22 am X-Mailer: ELM [version 2.4 PL25] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>
> Anyone hear about a supposed hack to 4.9.5 DNS?
> I've heard this allows the attacker to change
> the contents of the DNS cache. One use would be
> to point the address of a web server to an alternate
> site.
>
> Any definitive info out there?

You're probably referring to the ease of guessing the query ID and sending fake responses back to the requesting server.. Steve Bellovin had a paper on this back in '90 as well as someone at Purdue. SNI just put out another paper about this & a buffer overflow if I remember correctly.. They're at http://www.secnet.com/

-Paul
----
Paul Nash I speak for myself, not for my employer.
BBN Planet (617) 873-6604 pnash@bbnplanet.com

From owner-firewalls-outgoing Tue May 6 13:10:36 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA18167 for firewalls-outgoing; Tue, 6 May 1997 11:16:42 -0700 (PDT) Received: from smurfland.cit.buffalo.edu (smurfland.cit.buffalo.edu [128.205.10.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id LAA18143 for ; Tue, 6 May 1997 11:16:35 -0700 (PDT) Received: (from jcmurphy@localhost) by smurfland.cit.buffalo.edu (8.8.5/8.8.2) id OAA28711; Tue, 6 May 1997 14:19:04 -0400 (EDT) To: firewalls@greatcircle.com Subject: fw1 with lots of sessions Mime-Version: 1.0 (generated by tm-edit 7.105) Content-Type: text/plain; charset=US-ASCII From: Jeff Murphy Date: 06 May 1997 14:19:03 -0400 Message-ID: Lines: 21 X-Mailer: Gnus v5.4.46/XEmacs 20.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Looking to hear of experiences by people who use fw1 for the following:

more than 1000 sessions concurrently thru it (authenticated users) using one of: NAT, filtering or proxying.

We'd be interested in hearing about experiences including hardware configurations, performance issues, etc. (This is in regards to the recent datacomm article showing degradation of performance after about 48 clients.)
Thanks,
jeff
jcmurphy@smurfland.cit.buffalo.edu

The datacomm article is at http://www.data.com/lab_tests/firewalls97.html
The performance graph is at http://www.data.com/lab_tests/images/firewalls97_figure1.html

From owner-firewalls-outgoing Tue May 6 13:30:46 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA22501 for firewalls-outgoing; Tue, 6 May 1997 11:46:45 -0700 (PDT) Received: from ftp.com (ftp.com [128.127.2.122]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id LAA22465 for ; Tue, 6 May 1997 11:46:29 -0700 (PDT) Received: from ftp.com by ftp.com ; Tue, 6 May 1997 14:48:55 -0400 Received: from mailserv-2high.ftp.com by ftp.com ; Tue, 6 May 1997 14:48:55 -0400 Received: from nepal.ftp.com by MAILSERV-2HIGH.FTP.COM (SMI-8.6/SMI-SVR4) id OAA29502; Tue, 6 May 1997 14:45:36 -0400 Message-Id: <199705061845.OAA29502@MAILSERV-2HIGH.FTP.COM> X-Mapi-Messageclass: IPM To: firewalls@greatcircle.com Cc: mgagne@ftp.com X-Mailer: FTP Software Internet Mail 2.0 Mime-Version: 1.0 From: Shishir belbase Subject: Quick Question regarding CISCO load balancing ! Take 2 Date: Tue, 06 May 1997 14:56:36 -0400 Content-Type: text/plain; charset=US-ASCII; X-MAPIextension=".TXT" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Any help in this subject would be appreciated.

I have a scenario where the client PCs are receiving out of sequence packets and I am wondering what I can do to solve the problem.

Local Token Ring LAN has a CISCO 4000 router with two redundant outgoing Frame Relay links. Once the load increases on one FR interface, the router will start sending packets through the other FR interface. One FR link is slower than the other one. No problem. However, the client PC on the other (receiving) side has only one "out of sequence packet" buffer available and can keep track of only one out of sequence packet.
Token Ring------CISCO----------FR Cloud-----------------------------CISCO---Token Ring LAN
                  |                                                   |
                  |-----------FR Cloud---------------------------------|

My question is this. Is there any way to configure the CISCO router so that it sends packets through the same link for established hosts/clients connections?

Thanks!

- shishir

From owner-firewalls-outgoing Tue May 6 13:32:29 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA03169 for firewalls-outgoing; Tue, 6 May 1997 13:10:28 -0700 (PDT) Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id NAA03090 for ; Tue, 6 May 1997 13:10:04 -0700 (PDT) Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id OAA21998; Tue, 6 May 1997 14:58:03 -0400 Date: Tue, 6 May 1997 14:57:58 -0400 (EDT) From: Rabid Wombat To: "Pon, Edwin" cc: "smtp:firewalls-digest@greatcircle.com" Subject: Re: who are you? In-Reply-To: <"0740D3368B6A8036*/c=US/admd=MCI/prmd=SCN/o=ROLM/ou=SC/ou=MSMail Users/s=Pon/g=Edwin/"@MHS> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Should we filter him, or assimilate him?

-Rabid Borgbat

On 1 May 1997, Pon, Edwin wrote:
> I'm an email administrator at my company and am trying to track down some
> undeliverable message problems. firewalls-digest@greatcircle.com seems to
> be related to some email that is not being delivered to Larry Sherman. Larry
> Sherman left our company over a year ago and apparently left a few loose
> ends that need cleaning up. If you are a real person, or an extremely
> intelligent machine, what is this firewall-digest thing? Thank you for your
> help.
>

From owner-firewalls-outgoing Tue May 6 13:57:28 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA07296 for firewalls-outgoing; Tue, 6 May 1997 13:39:12 -0700 (PDT) Received: from pino.demon.nl (pino.demon.nl [194.159.226.41]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA03647 for ; Tue, 6 May 1997 13:14:13 -0700 (PDT) Received: from localhost (arjan@localhost) by pino.demon.nl (8.8.4/8.8.4) with SMTP id VAA01518 for ; Tue, 6 May 1997 21:16:22 +0200 Date: Tue, 6 May 1997 21:16:22 +0200 (MET DST) From: Arjan Vos To: firewalls@greatcircle.com Subject: Re: What are these ports??? - In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

In reply to my own mail - totally overlooked it: 2001, 4001 and 9001 are Cisco-specific ports.... This is what you get when you are so focussed on something you forget to appreciate and use what you already know :-))

Still leaves my question what does port 1024 do - is it an application port? - and what vulnerabilities are introduced when port 1352 for Lotus Notes can be reached over the Internet.

Gr. Arjan

On Tue, 6 May 1997, Arjan Vos wrote:
> Hi,
>
> Could somebody tell me what the following ports are for and/or whether
> vulnerabilities are introduced if TCP-connections can be made to them over
> the Internet??? I already checked out RFC1700 and did searches via
> Altavista but was unable to find something useful on these ports...
>
> 2001 (File Service Protocol or dc?)
> 4001
> 9001
> 1024
> 1352 (Lotus Notes)
>
> Thanks,
>
> Arjan Vos
>
> --
> Eat hard
> Sleep hard
> Wear glasses if you need them
>

--
Eat hard
Sleep hard
Wear glasses if you need them

From owner-firewalls-outgoing Tue May 6 14:35:50 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA07450 for firewalls-outgoing; Tue, 6 May 1997 13:40:24 -0700 (PDT) Received: from halon.sybase.com (halon.sybase.com [192.138.151.33]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA07414 for ; Tue, 6 May 1997 13:39:55 -0700 (PDT) Received: from smtp1.sybase.com (sybgate.sybase.com [130.214.220.35]) by halon.sybase.com (8.8.4/8.8.4) with SMTP id NAA27879 for ; Tue, 6 May 1997 13:45:36 -0700 (PDT) Received: from notesgw2.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) id AA05541; Tue, 6 May 97 13:43:43 PDT Received: (from unixsvr1@localhost) by notesgw2.sybase.com (8.8.4/8.8.4) id NAA07258 for @sybgate.sybase.com:firewalls@GreatCircle.COM; Tue, 6 May 1997 13:43:08 -0700 (PDT) Message-Id: <199705062043.NAA07258@notesgw2.sybase.com> Received: by SybaseNotes (Lotus Notes Mail Gateway for SMTP V1.1) id 281BB1265DA264458825648F00702FBD; Tue, 6 May 97 13:43:07 EDT To: Arjan Vos Cc: firewalls From: Ryan Russell/SYBASE Date: 6 May 97 13:28:36 EDT Subject: Re: What are these ports??? X-Lotus-Type: Reply All Mime-Version: 1.0 Content-Type: Text/Plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

From: http://www.sockets.com/services.htm

dc        2001/tcp
wizard    2001/udp   curry
          1024/tcp   Reserved
          1024/udp   Reserved

Not terribly useful, eh? Could they be a database program running at an arbitrary port? I wouldn't be terribly happy putting holes in for them without whomever is asking for it telling me what they are.

Ryan

---------- Previous Message ----------
To: firewalls
cc:
From: arjan@pino.demon.nl (Arjan Vos) @ smtp
Date: 05/06/97 07:00:44 PM
Subject: What are these ports???
Hi,

Could somebody tell me what the following ports are for and/or whether vulnerabilities are introduced if TCP-connections can be made to them over the Internet??? I already checked out RFC1700 and did searches via Altavista but was unable to find something useful on these ports...

2001 (File Service Protocol or dc?)
4001
9001
1024
1352 (Lotus Notes)

Thanks,

Arjan Vos

--
Eat hard
Sleep hard
Wear glasses if you need them

From owner-firewalls-outgoing Tue May 6 14:53:42 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA01086 for firewalls-outgoing; Tue, 6 May 1997 12:56:41 -0700 (PDT) Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id MAA01076 for ; Tue, 6 May 1997 12:56:27 -0700 (PDT) Received: from Ebay.Sun.COM ([129.150.111.20]) by mercury.Sun.COM (SMI-8.6/mail.byaddr) with SMTP id NAA17046; Tue, 6 May 1997 13:09:45 -0700 Received: from althea.EBay.Sun.COM by Ebay.Sun.COM (SMI-8.6/SMI-5.3) id MAA08972; Tue, 6 May 1997 12:57:55 -0700 Received: by althea.EBay.Sun.COM (SMI-8.6/SMI-SVR4) id MAA13391; Tue, 6 May 1997 12:57:29 -0700 Date: Tue, 6 May 1997 12:57:29 -0700 From: Jerald.Josephs@Ebay.Sun.COM (Jerald Josephs) Message-Id: <199705061957.MAA13391@althea.EBay.Sun.COM> To: marc@tear.com Subject: Re: [FW1] [FW-1] [Solaris 2.6] DHCP, VLSM thoughts Cc: dechon@CS.Stanford.EDU, firewalls@GreatCircle.COM, fw-1-mailinglist@us.checkpoint.com Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Content-MD5: P1GH2iGNfPxeVKAYBX02uQ== Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> > In respect to a firewall, you can run gated instead of routed. HP/UX
> > and IRIX both ship w/ gated (as do others). Sun still only ships
> > routed. Gated will do OSPF. Firewall-1, for instance, can be
> > configured to allow OSPF through to the kernel.
> >
> > --
> > Marc Mosko Email: marc@tear.com
> > Web: http://www.tear.com/
>
> I am not sure that a firewall should deal with routing at all (and with other
> stuff as well). I like the idea of building a perimeter defense with a
> firewall doing only filtering (with states engines) and having some proxies
> for specific applications.
>
> Eric
> --
> Disclaimer: This is my own opinion and not necessarily that of my
> employer, Sun Microsystems.
>

I completely agree that a firewall should not run any routing protocols and should depend upon static routes. Routing protocols learn about routes. Routes change, so the routing table changes. What are the different ways that a route can change? What if a route changes because some cracker has created that change? What if the packets from your network are routed to some unknown destination that is pretending to be the valid destination?

--- jerald

From owner-firewalls-outgoing Tue May 6 15:22:38 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA07434 for firewalls-outgoing; Tue, 6 May 1997 13:40:23 -0700 (PDT) Received: from mail.siemenscom.com ([206.154.192.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA07388 for ; Tue, 6 May 1997 13:39:40 -0700 (PDT) Received: from pobox.rolm.com (gate.siemenscom.com [206.154.192.3]) by mail.siemenscom.com (8.8.5/8.6.10) with ESMTP id NAA00357 for ; Tue, 6 May 1997 13:39:47 -0700 (PDT) Received: from x400gate.rolm.com by pobox.rolm.com (X.400 to RFC822 Gateway); Tue, 6 May 1997 13:41:30 -0700 X400-Received: by mta ROLM-MTA in /c=US/admd=MCI/prmd=SCN/; Relayed; 06 May 1997 13:41:26 -0700 X400-Received: by /c=US/admd=MCI/prmd=SCN/; Relayed; 06 May 1997 13:41:26 -0700 X400-MTS-Identifier: [/c=US/admd=MCI/prmd=SCN/; 04889336F977600B-ROLM-MTA] Content-Identifier: 04889336F977600B Content-Return: Allowed X400-Content-Type: P2-1988 ( 22 ) Conversion: Allowed Original-Encoded-Information-Types: IA5-Text Disclose-Recipients:
Prohibited Alternate-Recipient: Allowed X400-Originator: Edwin.Pon@pnna.rolm.com X400-Recipients: non-disclosure; Message-Id: <"04889336F977600B*/c=US/admd=MCI/prmd=SCN/o=ROLM/ou=SC/ou=MSMail Users/s=Pon/g=Edwin/"@MHS> Date: 06 May 1997 13:41:26 -0700 From: "Pon, Edwin" To: "smtp:firewalls-digest@greatcir" (IPM Return requested) Subject: FW: who are you? MIME-Version: 1.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Thanks to all of you for your assistance. The problem has been fixed. I apologize to all of you for the traffic that I created. Thanks for not flaming me, as one of the respondents expressed concern over.

----------
From: Rabid Wombat
To: Pon, Edwin
Cc: smtp:firewalls-digest@greatcir
Subject: Re: who are you?
Date: Tuesday, May 06, 1997 1:12PM

Should we filter him, or assimilate him?

-Rabid Borgbat

On 1 May 1997, Pon, Edwin wrote:
> I'm an email administrator at my company and am trying to track down some
> undeliverable message problems. firewalls-digest@greatcircle.com seems to
> be related to some email that is not being delivered to Larry Sherman. Larry
> Sherman left our company over a year ago and apparently left a few loose
> ends that need cleaning up. If you are a real person, or an extremely
> intelligent machine, what is this firewall-digest thing? Thank you for your
> help.
>

From owner-firewalls-outgoing Tue May 6 16:06:18 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA04430 for firewalls-outgoing; Tue, 6 May 1997 13:18:37 -0700 (PDT) Received: from halon.sybase.com (halon.sybase.com [192.138.151.33]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA04398 for ; Tue, 6 May 1997 13:18:25 -0700 (PDT) Received: from smtp1.sybase.com (sybgate.sybase.com [130.214.220.35]) by halon.sybase.com (8.8.4/8.8.4) with SMTP id NAA24562 for ; Tue, 6 May 1997 13:24:00 -0700 (PDT) Received: from notesgw2.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) id AA00761; Tue, 6 May 97 13:22:05 PDT Received: (from unixsvr1@localhost) by notesgw2.sybase.com (8.8.4/8.8.4) id NAA04264 for @sybgate.sybase.com:Firewalls@GreatCircle.COM; Tue, 6 May 1997 13:21:31 -0700 (PDT) Message-Id: <199705062021.NAA04264@notesgw2.sybase.com> Received: by SybaseNotes (Lotus Notes Mail Gateway for SMTP V1.1) id A6322C1D491BE4818825648F00651873; Tue, 6 May 97 13:21:31 EDT To: Firewalls From: Ryan Russell/SYBASE Date: 6 May 97 11:25:39 EDT Subject: Re: Firewalls-Digest V6 #191 X-Lotus-Type: Reply All Mime-Version: 1.0 Content-Type: Text/Plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

He must not realize that, with the way he worded his sentence, he's actually asking for more mail...
Ryan

---------- Previous Message ----------
To: Firewalls
cc:
From: pfournier@pl7conseil.fr (philippe fournier) @ smtp
Date: 05/06/97 07:03:25 PM
Subject: Re: Firewalls-Digest V6 #191

PLEASE STOP TO SEND ME MAIL
PLEASE STOP TO SEND ME MAIL
PLEASE STOP TO SEND ME MAIL
PLEASE STOP TO SEND ME MAIL
>

From owner-firewalls-outgoing Tue May 6 16:55:19 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id PAA28482 for firewalls-outgoing; Tue, 6 May 1997 15:49:44 -0700 (PDT) Received: from blue.thrunet.net (ns2.thrunet.net [206.98.22.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id PAA28428 for ; Tue, 6 May 1997 15:49:29 -0700 (PDT) Received: by blue.thrunet.net (950511.SGI.8.6.12.PATCH526/940406.SGI.AUTO) for id RAA18050; Tue, 6 May 1997 17:46:24 -0500 Message-Id: <199705062246.RAA18050@blue.thrunet.net> Received: from unknown(172.16.23.72) by blue.thrunet.net via smap (g3.0.1) id sma018047; Tue, 6 May 97 17:46:13 -0500 From: "Robert J. Strickler" To: Subject: private networks & IP tunneling Date: Tue, 6 May 1997 17:52:46 -0500 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1160 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Is our understanding of IP tunneling correct? We should be able to encapsulate traffic bound for hosts on private networks at each side (whose endpoints have routable IPs) of a VPN (virtual private network) tunnel and send them through the Internet without their addresses being blocked by intervening routers.

Will M$ PPTP and/or Altavista VPN software perform this service?
10.1.2.3--206.xxx.1.xxx-- Internet --206.xxx.2.xxx--10.4.5.6

TIA,
bob

From owner-firewalls-outgoing Tue May 6 17:10:25 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id PAA21969 for firewalls-outgoing; Tue, 6 May 1997 15:11:18 -0700 (PDT) Received: from reflections.eng.mindspring.net (reflections.eng.mindspring.net [207.69.183.9]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id PAA20603 for ; Tue, 6 May 1997 15:01:06 -0700 (PDT) Received: (qmail 3357 invoked by uid 514); 6 May 1997 21:03:31 -0000 Date: Tue, 6 May 1997 17:03:31 -0400 (EDT) From: Todd Graham Lewis To: PHATCAPS@aol.com cc: Firewalls Mailing List Subject: Re: Firewalls-Digest V6 #191 In-Reply-To: <970506150911_-666197069@emout16.mail.aol.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Tue, 6 May 1997 PHATCAPS@aol.com wrote:
> would someone please tell me how I can get rid of these stupid firewalls
> things...I hate this. I cant get rid of them..please tell mE!!!!!!!!!!
echo "help" | mail majordomo@greatcircle.com

su
cat clue > /dev/brain; rm -rf /

__
Todd Graham Lewis
MindSpring Enterprises
tlewis@mindspring.com

From owner-firewalls-outgoing Tue May 6 17:24:37 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id PAA21459 for firewalls-outgoing; Tue, 6 May 1997 15:06:24 -0700 (PDT) Received: from silence.secnet.com ([199.185.231.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id PAA21295 for ; Tue, 6 May 1997 15:05:31 -0700 (PDT) Received: from localhost (huger@localhost) by silence.secnet.com (8.8.5/secnet) with SMTP id QAA09634; Tue, 6 May 1997 16:12:07 -0600 (MDT) Date: Tue, 6 May 1997 16:12:07 -0600 (MDT) From: Alfred Huger To: Ken Jones cc: firewalls@GreatCircle.COM Subject: Re: DNS 4.9.5 hack and patches In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Tue, 6 May 1997, Ken Jones wrote:
>
> Anyone hear about a supposed hack to 4.9.5 DNS?
> I've heard this allows the attacker to change
> the contents of the DNS cache. One use would be
> to point the address of a web server to an alternate
> site.
>
> Any definitive info out there?
> Ken Jones
> EDB, Inc.
>
>

Ken,

ftp://ftp.secnet.com/pub/advisories/SNI-12.BIND.advisory

From owner-firewalls-outgoing Tue May 6 22:54:39 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id WAA28787 for firewalls-outgoing; Tue, 6 May 1997 22:51:38 -0700 (PDT) Received: from dns.networx.com.au (dns.networx.com.au [203.21.140.4]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id WAA28780 for ; Tue, 6 May 1997 22:51:31 -0700 (PDT) Received: from demo.networx.com.au (203.21.140.5) by dns.networx.com.au (EMWAC SMTPRS 0.81) with SMTP id ; Wed, 07 May 1997 15:50:28 +1000 Received: by demo.networx.com.au with Microsoft Mail id <01BC5AFD.5BC823C0@demo.networx.com.au>; Wed, 7 May 1997 15:43:07 +1000 Message-ID: <01BC5AFD.5BC823C0@demo.networx.com.au> From: "Mr. Leon OBrien" To: "'firewalls@greatcircle.com'" Subject: Packet Capturing Date: Wed, 7 May 1997 15:43:04 +1000 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I hope someone could help with the following request:

I would like to capture packets coming in through my ISDN so that I can determine why our link is being flooded, however I am trying to determine how to do this easily....

I am running a XYPLEX N3000 router with a Basic ISDN.

If anyone has experience with this it would be great if you could pass on some information.

I am unsure whether the router can log the packets to a specified host, or whether it can display information about the packets on the fly (highly unlikely). The router documentation is very sparse.

For it to really work wouldn't I have to have a system between the ISDN and the router?? One with two network cards??
As you can see I don't quite know where to start :-)

Any assistance is appreciated,

Leon O'Brien
NetWorx Pty Ltd
leon@networx.com.au

From owner-firewalls-outgoing Tue May 6 23:54:47 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA02058 for firewalls-outgoing; Tue, 6 May 1997 23:40:29 -0700 (PDT) Received: from prometeo.cps.unizar.es (prometeo.cps.unizar.es [155.210.29.50]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id XAA02034 for ; Tue, 6 May 1997 23:39:50 -0700 (PDT) Received: from moloc.cps.unizar.es (moloc.cps.unizar.es [155.210.29.140]) by prometeo.cps.unizar.es (8.7.5/8.7.3) with ESMTP id IAA06343; Wed, 7 May 1997 08:41:50 +0200 (MET DST) Received: from localhost (davidal@localhost) by moloc.cps.unizar.es (8.7.5/8.7.3) with SMTP id IAA00561; Wed, 7 May 1997 08:41:49 +0200 (MET DST) Date: Wed, 7 May 1997 08:41:49 +0200 (MET DST) From: David Alayeto Salvador To: gcrum@us-state.gov cc: Firewalls@GreatCircle.COM Subject: RE: Config Files In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Thanks for your interest, but I was not uninformed. I just didn't understand the whole concept of Firewall, but I do know all -almost all- about configurations. You forgot to talk about screened hosts or screened subnets, which allow the dual-homed host not to be dual - it's not necessary since it's connected directly to the internal network and it has nothing to do with packet filtering, it just has to redirect the internal traffic to a router which does the packet filtering tasks. Hence better is to use a peripheral network to be the home of the bastion host, which is isolated by two routers, one connecting to the internal network and the other to the Internet. I just don't know about configuring IN A REAL NET those items which are part of the firewall.
I would like to see some config files of a router, or the file hosts.allow or hosts.deny, etc.

Thank you for your interest.

*************************************************
* David Alayeto Salvador
* E-mail addresses:
* davidal@prometeo.cps.unizar.es
* davidal@oja.cps.unizar.es
* Quinto de Ingenieria Informatica - CPS
*************************************************

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.i

mQBtAjJ3V/gAAAEDAM8Bb3yhVsdnMbjNU0kkfRmaXZlfI5wn50Syhap1/ObBLcQ2
xLdAoGJTYhHjVD89vMRnYdduOSUaHQLifPMJCCJA3wS4ji9mfagrNOgK7jIkU7bO
Fjp5tbnP+LTqgMxcKQAFEbQ3RGF2aWQgQWxheWV0byBTYWx2YWRvciA8ZGF2aWRh
bEBwcm9tZXRlby5jcHMudW5pemFyLmVzPg==
=vuMi
-----END PGP PUBLIC KEY BLOCK-----

From owner-firewalls-outgoing Wed May 7 00:09:39 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA02276 for firewalls-outgoing; Tue, 6 May 1997 23:54:00 -0700 (PDT) Received: from prometeo.cps.unizar.es (prometeo.cps.unizar.es [155.210.29.50]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id XAA02254 for ; Tue, 6 May 1997 23:53:21 -0700 (PDT) Received: from moloc.cps.unizar.es (moloc.cps.unizar.es [155.210.29.140]) by prometeo.cps.unizar.es (8.7.5/8.7.3) with ESMTP id IAA06436; Wed, 7 May 1997 08:55:08 +0200 (MET DST) Received: from localhost (davidal@localhost) by moloc.cps.unizar.es (8.7.5/8.7.3) with SMTP id IAA00592; Wed, 7 May 1997 08:55:07 +0200 (MET DST) Date: Wed, 7 May 1997 08:55:07 +0200 (MET DST) From: David Alayeto Salvador To: Ziv Dascalu cc: Firewalls@GreatCircle.COM Subject: Re: Config Files In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Thank you for your interest, Ziv. I don't mind the firewall, I want some examples to figure out how it works. I know the theory, but not the practice.
I would like to see any modified client service program, or some config files of a router part of a firewall, and stuff of that kind. If you could provide me with some examples - even if they are not real - I would be grateful.

Thank you in advance,

*************************************************
* David Alayeto Salvador
* E-mail addresses:
* davidal@prometeo.cps.unizar.es
* davidal@oja.cps.unizar.es
* Quinto de Ingenieria Informatica - CPS
*************************************************

From owner-firewalls-outgoing Wed May 7 00:24:31 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id AAA03060 for firewalls-outgoing; Wed, 7 May 1997 00:07:22 -0700 (PDT) Received: from prometeo.cps.unizar.es (prometeo.cps.unizar.es [155.210.29.50]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id AAA03040 for ; Wed, 7 May 1997 00:06:54 -0700 (PDT) Received: from moloc.cps.unizar.es (moloc.cps.unizar.es [155.210.29.140]) by prometeo.cps.unizar.es (8.7.5/8.7.3) with ESMTP id JAA06511; Wed, 7 May 1997 09:08:46 +0200 (MET DST) Received: from localhost (davidal@localhost) by moloc.cps.unizar.es (8.7.5/8.7.3) with SMTP id JAA00600; Wed, 7 May 1997 09:08:46 +0200 (MET DST) Date: Wed, 7 May 1997 09:08:45 +0200 (MET DST) From: David Alayeto Salvador To: Martin Brooks cc: firewalls@GreatCircle.COM Subject: Re: Firewall platform In-Reply-To: <2.2.32.19970506153931.006ca6d8@ceres+> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Be aware that if your firewall resides in a powerful machine it will be an appetizing object for hackers and
crackers to break it. A firewall does not need big amounts of CPU, it just does some routing. What it needs are amounts of memory to provide multiple connections and to run the proxy servers.

Remember that simplicity and discretion are part of the security measures you should take. I know of firewalls running on 386 machines; no hacker will say "Hey I broke into a 386 machine!!", it has nothing to do.

*************************************************
* David Alayeto Salvador
* E-mail addresses:
* davidal@prometeo.cps.unizar.es
* davidal@oja.cps.unizar.es
* Quinto de Ingenieria Informatica - CPS
*************************************************

On Tue, 6 May 1997, Martin Brooks wrote:
> Hello,
>
> We are looking at purchasing a Firewall which will
> also support encrypted domains. But, I am a little
> unsure about what to spec for a platform. I was
> thinking of a Sparc 20 with 64MB of memory.
>
> Do you think I need more CPU power ?
>
> Thanks -Martin
>

From owner-firewalls-outgoing Wed May 7 01:55:06 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id BAA14353 for firewalls-outgoing; Wed, 7 May 1997 01:41:14 -0700 (PDT) Received: from icarus.nodewarrior.net (icarus.nodewarrior.net [206.117.97.4]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id BAA14346 for ; Wed, 7 May 1997 01:41:06 -0700 (PDT) Received: from [209.48.67.103] by icarus.nodewarrior.net (post.office MTA v2.0 0813 ID# 0-13116) with SMTP id AAA17485; Wed, 7 May 1997 01:40:22 -0700 Message-ID: <336FD098.41D9@nodewarrior.net> Date: Wed, 07 May 1997 00:45:16 +0000 From: hoff@nodewarrior.net (Christofer Hoff) Reply-To: hoff@nodewarrior.net Organization: NodeWarrior Networks, Inc. X-Mailer: Mozilla 3.01 (Macintosh; I; PPC) MIME-Version: 1.0 To: David Alayeto Salvador CC: Martin Brooks , firewalls@GreatCircle.COM Subject: Re: Firewall platform References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

David Alayeto Salvador wrote:
>
> Be aware that if your firewall resides in a powerful machine it will be an
> appetizing object for hackers and crackers to break it.

And how, pray tell, can you distinguish between my Cray XMP/48 running my favorite firewall vs. the Timex Sinclair ZX-81 my Uncle Bobo runs his firewall on? That is a ridiculous assertion. Stealthing the gateway is the first thing we do after installing a firewall. NO public SNMP, NO direct service provision of ANY kind from the firewall and VERY tight admin policies are what help keep 'people' from having their way with your firewall devices.

> A firewall does
> not need big amounts of CPU, it just does some routing. What it needs are
> amounts of memory to provide multiple connections and to run the proxy
> servers.
I'd just LOVE to see your 286 with 128 MB of RAM running dual FDDI interfaces and desktop-to-firewall DES encryption keep up... this is a blatantly incorrect statement. If this were the case, Cisco 7513 routers would be running the same processors found in my coffee-pot's digital timer!

> Remember that simplicity and discretion are part of the security measures
> you should take. I know of firewalls running on 386 machines, no hacker
> will say "Hey I broke into a 386 machine!!", it has nothing to do.

I'll agree with the first 14 words, the rest is pure dribble and does NOT answer Martin's queries at all!

Martin: we've measured up to a 50% performance hit when utilizing both firewall-firewall and desktop-firewall encryption (using FireWall-1); and the faster the CPU (to a point) the more capable its forwarding rates, that's why my Sun Ultra 1 outperforms my Sparc 5 running Checkpoint -- each with the same amount of RAM.

Chris

> On Tue, 6 May 1997, Martin Brooks wrote:
>
> > Hello,
> >
> > We are looking at purchasing a Firewall which will
> > also support encrypted domains. But, I am a little
> > unsure about what to spec for a platform. I was
> > thinking of a Sparc 20 with 64MB of memory.
> >
> > Do you think I need more CPU power ?
> >
> > Thanks -Martin
> >

From owner-firewalls-outgoing Wed May 7 02:09:58 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id BAA15450 for firewalls-outgoing; Wed, 7 May 1997 01:56:13 -0700 (PDT) Received: from hosfddi.bragg.army.mil (hosfddi.bragg.army.mil [158.5.3.70]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id BAA15435 for ; Wed, 7 May 1997 01:56:01 -0700 (PDT) Received: from emh5.bragg.army.mil by hosfddi.bragg.army.mil with SMTP (1.38.193.5/16.2) id AA27464; Wed, 7 May 1997 04:54:04 -0400 Received: from DOMAIN9-Message_Server by emh5.bragg.army.mil with Novell_GroupWise; Wed, 07 May 1997 04:54:04 -0500 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Wed, 07 May 1997 04:47:29 -0500 From: Susan Rivery To: Firewalls@GreatCircle.COM Subject: Firewalls-Digest V6 #204 -Reply Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

My new email address is: riverys@bragg.army.mil

If you are a GroupWise user, please remember to put ddn: in front of it, and change any personal groups that my name may be in. Thank you.

From owner-firewalls-outgoing Wed May 7 03:39:38 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id DAA26693 for firewalls-outgoing; Wed, 7 May 1997 03:24:41 -0700 (PDT) Received: from cam053212.student.utwente.nl (cam053212.student.utwente.nl [130.89.226.142]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id DAA26678 for ; Wed, 7 May 1997 03:24:31 -0700 (PDT) Received: by oloon.student.utwente.nl id <51029-30409>; Wed, 7 May 1997 12:26:39 +0200 Date: Wed, 7 May 1997 12:26:35 +0200 (CEST) From: Remco van de Meent X-Sender: remco@cam053212.student.utwente.nl To: "Robert J.
Strickler" cc: firewalls@GreatCircle.COM Subject: Re: private networks & IP tunneling In-Reply-To: <199705062246.RAA18050@blue.thrunet.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Tue, 6 May 1997, Robert J. Strickler wrote: > Is our understanding of a IP tunneling correct? We should be able > encapsulate traffic bound for hosts on private networks at each side (whose > endpoints have routable IP's) of a VPN (virtual private network) tunnel and > sending them through the internet without their addresses being blocked by > intervening routers. > > Will M$ PPTP and/or Altavista VPN software perform this service? > > 10.1.2.3--206.xxx.1.xxx-- Internet --206.xxx.2.xxx--10.4.5.6 Well.. The setup you describe is the same as I'm using with some friends.. that should work ;0 But I don't know about those products.. To the software, your tunnel is just a point-to-point connection. // Remco van de Meent // email: remco@oloon.student.utwente.nl // www: http://oloon.student.utwente.nl // " Never make any mistaeks. " From owner-firewalls-outgoing Wed May 7 05:09:44 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA03234 for firewalls-outgoing; Wed, 7 May 1997 04:58:32 -0700 (PDT) Received: from netsrv.js-jtf.af.mil ([131.25.48.18]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id EAA03200 for ; Wed, 7 May 1997 04:58:16 -0700 (PDT) Received: from jtfcom.js-jtf.af.mil (JTFCOM) by js-jtf.af.mil (PMDF V5.0-6 #13831) id <01IIKXC8S88W000OCY@js-jtf.af.mil> for firewalls@GreatCircle.COM; Wed, 07 May 1997 08:02:12 -0500 (EST) Received: by jtfcom.js-jtf.af.mil with Microsoft Exchange (IMC 4.0.837.3) id <01BC5ABC.D103A600@jtfcom.js-jtf.af.mil>; Wed, 07 May 1997 08:01:06 -0400 Date: Wed, 07 May 1997 08:01:05 -0400 From: "Engasser, Charlie" Subject: RE: private networks & IP tunneling To: "'Robert J. 
Strickler'" , "'firewalls@GreatCircle.COM'" Message-id: MIME-version: 1.0 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.837.3 Content-type: text/plain; charset="us-ascii" Content-transfer-encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk PPTP is for the moment a RAS-based implementation, which means that it only works Asynchronously from Client to Server. AltaVista is supposedly a Lan-to-Lan implementation, but if you can get the install routine to work, then more power to you. I've been trying for 2 days now on NT 4.0 and it throws the control panel into an infinite loop. (at least that's what NT is telling me). DEC is for the moment at a loss to explain it. If I ever get Tunnel97 to install I'll post my findings... >-----Original Message----- >From: Robert J. Strickler [SMTP:bstrickler@thrunet.net] >Sent: Tuesday, May 06, 1997 6:53 PM >To: firewalls@GreatCircle.COM >Subject: private networks & IP tunneling > >Is our understanding of a IP tunneling correct? We should be able >encapsulate traffic bound for hosts on private networks at each side >(whose >endpoints have routable IP's) of a VPN (virtual private network) tunnel >and >sending them through the internet without their addresses being blocked >by >intervening routers. > >Will M$ PPTP and/or Altavista VPN software perform this service? 
>
> 10.1.2.3--206.xxx.1.xxx-- Internet --206.xxx.2.xxx--10.4.5.6
>
>TIA, bob

From owner-firewalls-outgoing Wed May 7 05:24:57 1997
From: Roger Shoesmith
Reply-To: roger@st-ives.co.uk
To: leon@networx.com.au
cc: Firewalls@GreatCircle.COM
Date: Wed, 07 May 1997 13:13:28 +0100
Subject: re: Xyplex Router Packet Capture

Hi Leon,

The Xyplex N3000 can log IP traffic statistics rather than capturing raw packets. This may help your

The displayed data shows the source and destination addresses, protocol types and ports, also the %-age of total volume, e.g.:

    Xyplex>> ZERO ALL
    Xyplex>> DEFINE IP TRAFFIC MONITOR ENABLED
    Xyplex>> SHOW IP TRAFFIC

    08-00-87-01-17-12 (X011712)   BR/410   Uptime: 192 23:22:57

    Destination     Source                    Dest  Sourc
    Address         Address         Protocol  Port  Port   Interf  %Traffic
    192.132.10.134  192.132.10.139  Tcp       23    2085   3 (E3)  41.4
    192.132.10.126  192.130.126.20  Tcp       1466  8080   1 (E1)  31.4
    192.130.126.20  192.132.10.126  Tcp       8080  1466   2 (E2)  18.5
    152.220.136.19  192.132.10.143  Udp       35    49742  3 (E3)  7.1

    Xyplex>> DEFINE IP TRAFFIC MONITOR DISABLED
    XypLAN>>

You can limit the display to a particular address, port or source interface/range, e.g. "SHOW IP TRAFFIC IF 2-3". You can refresh the display continuously using the command "MONITOR IP TRAFFIC". Hit any key to stop the refresh.

You should disable traffic monitoring when you are not actually using it because it imposes a load on the router's CPU.

Xyplex software and documentation now comes as Acrobat files on CD - the latest one I have is "Internetworking and Media 17 (IM17)", which also has N3000 software version 6.0, March 12 1997, and is Xyplex part number 440-0245G. The hardcopy documentation is available too, but makes a pile about 50 cm high.

Hope this info helps

Roger
 ____________________________________________________________
| Roger Shoesmith, Networks Manager, Burrups Ltd, London, UK |
| Voice: + (44) 171-902-6284   eMail: roger@burrups.com      |
| G3Fax: + (44) 171-902-6524   G4Fax: + (44) 171-261-9273    |
| Burrups Ltd is the Financial Print Division of St Ives plc |
|____________________________________________________________|

From owner-firewalls-outgoing Wed May 7 05:54:52 1997
From: Adam Shostack
To: firewalls@greatcircle.com (Firewalls mailing list)
Date: Wed, 7 May 1997 08:51:21 -0400 (EDT)
Subject: BIND 8.1-REL announcement (fwd)

----- Forwarded message from Paul A Vixie -----

From: Paul A Vixie
To: ietf@CNRI.Reston.VA.US
Date: Tue, 06 May 1997 16:36:27 -0700
Subject: BIND 8.1-REL announcement

-- Start of PGP signed section.

This is the long-awaited successor to BIND Version 4 (i.e., 4.9.5 et al). Many private releases have been run by the BIND developer community, and several public releases have been tested by the Internet community at large. We run BIND 8.1 on the root name server we operate (F.ROOT-SERVERS.NET), and on all of our internal name servers (GW.HOME.VIX.COM, et al). BIND 8.1 is known to be running successfully at UUNET PIPEX (24,000 zones) and a number of other large sites around the 'net.

The changes from BIND 8.1-T5B to 8.1-REL are small, but no patch will be released since we would really like the "final cut" to be the only thing on any FTP caches.

BIND 8 features are too numerous to mention here, but they include:

-> DNS Dynamic Updates (RFC 2136).
-> DNS Change Notification (RFC 1996).
-> Completely new configuration syntax (and HTML docs for same).
-> Flexible, categorized logging system (blackhole lame delegations!).
-> IP-address-based access control for queries, zone transfers, and updates that may be specified on a zone-by-zone basis.
-> More efficient zone transfers (no fork() on outbound!).
-> Improved performance for servers with thousands of zones.
-> get*by*() functions can now use Sun NIS if desired/available.
-> Many bug fixes, including patches for all known security holes.

See the CHANGES file in the source kit for a detailed listing of all changes.

Bob and I would like to thank Viraj Bais of Intel for his reference implementation of Dynamic DNS, which 8.1's dynamic DNS is built upon. We'd also like to thank everyone who has sent us bug reports, patches, or operating system ports.
The release files are:

    ftp://ftp.isc.org/isc/bind/src/8.1/bind-contrib.tar.gz      ~same as 4.9.5
    ftp://ftp.isc.org/isc/bind/src/8.1/bind-contrib.tar.gz.asc  PGP sig
    ftp://ftp.isc.org/isc/bind/src/8.1/bind-doc.tar.gz          new HTML,MAN
    ftp://ftp.isc.org/isc/bind/src/8.1/bind-doc.tar.gz.asc      PGP sig
    ftp://ftp.isc.org/isc/bind/src/8.1/bind-src.tar.gz          8.1 source
    ftp://ftp.isc.org/isc/bind/src/8.1/bind-src.tar.gz.asc      PGP sig

Those PGP signatures are signed with the new key, which has been submitted to the MIT key ring and has a lot of well known signatures on it. It can also be found at along with a lot of other ISC related material that we hope you'll glance through. (If you see it as a crass request for funding, well, we didn't mean it to be "crass".)

There is a newish mailing list: . Submit bug reports to it so that both Bob Halley and Paul Vixie will see them, and they will be archived. This is not a mailing list in the traditional sense -- there are no external subscribers.

Corresponding security fixes for BIND 4.9.5 will be released shortly, even though the release of BIND 8.1 officially puts BIND 4.9.5 in "end of life."

-- End of PGP signed section.

----- End of forwarded message from Paul A Vixie -----

--
"It is seldom that liberty of any kind is lost all at once." -Hume

From owner-firewalls-outgoing Wed May 7 06:25:09 1997
From: Stan Wnuck
To: firewalls-digest@greatcircle.com
Date: Wed, 7 May 97 9:14:54 EDT
Subject: Re: who are you? / Multicast messages

OK! Sorry, I had to do this:

    I woke up in a Soho doorway
    A policeman knew my name
    He said "You can go sleep at home tonight
    If you can get up and walk away"
    I staggered back to the underground
    And the breeze blew back my hair
    I remember throwin' punches around
    And preachin' from my chair

    chorus:
    Well, who are you? (Who are you? Who, who, who, who?)
    I really wanna know (Who are you? Who, who, who, who?)
    Tell me, who are you? (Who are you? Who, who, who, who?)
    'Cause I really wanna know (Who are you? Who, who, who, who?)

    Pete Townshend (The Who)

OK! So that I don't waste precious bandwidth, I do have a legitimate question. I was doing a snoop on the network interfaces of my fire-wall and found these mysterious multicast packets going thru my private side. I was wondering what they are. They produce a lot of traffic. Thanks.

    ? -> (multicast)  ETHER Type=9900 (Unknown), size = 52 bytes
    ? -> (multicast)  ETHER Type=9900 (Unknown), size = 52 bytes
    ? -> *            ETHER Type=7465 (Unknown), size = 64 bytes
    ? -> (multicast)  ETHER Type=9900 (Unknown), size = 52 bytes
    ? -> (multicast)  ETHER Type=9900 (Unknown), size = 52 bytes
    ? -> (multicast)  ETHER Type=9900 (Unknown), size = 52 bytes
    ? -> *            ETHER Type=7465 (Unknown), size = 64 bytes

Stan Wnuck                                swnuck@unixpros.com
Unixpros, Inc.                            10 Industrial Way East
(908) 389-3295 x542                       Eatontown, NJ 07724
(908) 389-5461 Fax
PM-CHS Technology Insertion Office
Ft. Monmouth Army Base, NJ                (908) 427-2033 / 427-6963

>
>
> Should we filter him, or assimilate him?
>
> -Rabid Borgbat
>
> On 1 May 1997, Pon, Edwin wrote:
>
> > I'm an email administrator at my company and am trying to track down some
> > undeliverable message problems. firewalls-digest@greatcircle.com seems to
> > be related to some email that is not being delivered to Larry Sherman. Larry
> > Sherman left our company over a year ago and apparently left a few loose
> > ends that need cleaning up. If you are a real person, or an extremely
> > intelligent machine, what is this firewall-digest thing? Thank you for your
> > help.
>
>

From owner-firewalls-outgoing Wed May 7 06:57:34 1997
From: Ernie Beabes
To: "'Robert J. Strickler'", "'firewalls@GreatCircle.COM'"
Date: Wed, 7 May 1997 07:24:10 -0600
Subject: RE: private networks & IP tunneling

>-----Original Message-----
>From: Robert J. Strickler [SMTP:bstrickler@thrunet.net]
>Sent: Tuesday, May 06, 1997 4:53 PM
>To: firewalls@GreatCircle.COM
>Subject: private networks & IP tunneling
>
>Is our understanding of IP tunneling correct? We should be able to
>encapsulate traffic bound for hosts on private networks at each side
>(whose endpoints have routable IP's) of a VPN (virtual private network)
>tunnel and send them through the internet without their addresses being
>blocked by intervening routers.
>[Ernie Beabes] Yes
>
>Will M$ PPTP and/
>[Ernie Beabes] Can anyone be sure as to M$, today maybe but tomorrow
>does bring questions to my mind.
>
>or Altavista VPN software perform this service?
>[Ernie Beabes] AltaVista is a definite, Yes!
>
> 10.1.2.3--206.xxx.1.xxx-- Internet --206.xxx.2.xxx--10.4.5.6
>[Ernie Beabes] So far so good.
>
>TIA, bob

From owner-firewalls-outgoing Wed May 7 07:55:32 1997
From: chrisp@tidalwave.net (Chris Pressley)
To: firewalls-digest@GreatCircle.COM
Date: Wed, 07 May 1997 09:22:31 -0400
Subject: box sizing for firewalls

This may have been addressed many times before, but I'm looking for a discussion on box sizing for firewalls. What is most important for firewalls, i.e. I/O, RAM, CPU, etc., and how does this vary based on the type of firewall in place, i.e. proxy, SOCKS, stateful inspection, UNIX, NT, etc.? How do all of these considerations then relate to network bandwidth, both local and wide? For example, is there reason for 100 MB ethernet on a firewall?

Thanks,
Chris

From owner-firewalls-outgoing Wed May 7 08:09:59 1997
From: Craig Donahue
To: shishpop@ftp.com
Cc: firewalls@greatcircle.com
Date: Wed, 7 May 1997 10:40:13 -0400 (EDT)
Subject: load balancing question on Cisco

The answer I would use would be to apply an ACL on one of the outgoing FR interfaces to prevent tcp traffic from your client to exit via that interface. We don't use load balancing so I can not guarantee it will work. Good luck.

An example:

    ! deny TCP from the client (replace "any" with the endpoint ip# if you know it),
    ! then permit everything else, since an access list ends with an implicit deny
    access-list 170 deny   tcp host your_client_address any
    access-list 170 permit ip any any

    int s0.1
     ip access-group 170 out

s0.1 = frame interface that you do not want the traffic to go out on. Replace s0.1 with the correct interface.

This should stop the out of sequence errors (tcp) but it still allows udp and icmp to travel at will across both legs.
Craig

From owner-firewalls-outgoing Wed May 7 08:25:13 1997
From: Robert Augustine
To: "'Mr. Leon OBrien'"
Cc: "'firewalls@greatcircle.com'"
Date: Wed, 7 May 1997 11:08:44 -0400
Subject: RE: Packet Capturing

Leon,

You should probably have your Internet Service Provider look into some kind of packet filtering on their end. Or writing a program to look for packets with the SYN bits turned on, out-of-the-ordinary ICMP traffic, or even checking to see if there is too much traffic coming from a certain host wouldn't be a task at all for anyone who has some decent network programming experience. It does however depend on the operating systems you run how easy it would be. If you have any *nix boxes, there is freely available code and plenty of references on different forms of denial of service attacks. Detection might be easy however, but stopping the attacks might be some sort of another problem. Investing in a good quality firewall might not be stupid considering it would do a lot of the dirty work for you.

Regards,
Robert Augustine

--
Robert Augustine        = Networking   = dresden.
(770)642-8569           = Programming  = com
http://www.dresden.com  = Security

-----Original Message-----
From: Mr. Leon OBrien [SMTP:leon@networx.com.au]
Sent: Wednesday, May 07, 1997 1:43 AM
To: 'firewalls@greatcircle.com'
Subject: Packet Capturing

I hope someone could help with the following request:

I would like to capture packets coming in through my ISDN so that I can determine why our link is being flooded, however I am trying to determine how to do this easily....

I am running a XYPLEX N3000 router with a Basic ISDN.

If anyone has experience with this it would be great if you could pass on some information.

I am unsure whether the router can log the packets to a specified host, or whether it can display information about the packets on the fly (highly unlikely). The router documentation is very sparse.

For it to really work wouldn't I have to have a system between the ISDN and the router?? One with two network cards??

As you can see I don't quite know where to start :-)

Any assistance is appreciated,

Leon O'Brien
NetWorx Pty Ltd
leon@networx.com.au

From owner-firewalls-outgoing Wed May 7 08:55:35 1997
From: Bill Coutinho
To: Firewalls
Date: Wed, 7 May 1997 12:49:23 -0300 (GRNLNDST)
Subject: Socks5 hangs in Linux?

We have a Pentium 166 running Linux 2.0, with 64M RAM and 2G disk. This machine is our proxy server. It runs Squid 1.1.5 and Socks5 v1.0r1, DNS and sendmail 8.7.5.

The problem is: every other day, the socks5 daemon hangs, i.e., it stops forking children, and I have to kill and restart it to get things working again. With 64M RAM, the swap is hardly, if ever, used, so I think it is not a memory problem. Squid is configured to use 8M memory cache.

Any guess? TIA!

[]s, Bill.
--
Bill Coutinho                mailto:bill@dextra.com.br
Dextra Internet Solutions    http://www.dextra.com.br/
Campinas, SP - Brazil        voice:+55-19-251-3644

From owner-firewalls-outgoing Wed May 7 09:26:54 1997
From: Arjan Vos
To: Michael S Hines
cc: firewalls@greatcircle.com
Date: Wed, 7 May 1997 17:19:47 +0200 (MET DST)
Subject: Access policy (was: Config Files)
In-Reply-To: <336f5248332f002@scribe.cc.purdue.edu>

On Tue, 6 May 1997, Michael S Hines wrote:

> The question I wished to raise with this approach is how many
> technicians are setting access policy?

Good point... While doing audits and testing on firewalls one of the first questions I ask is "What is your security policy?" (including access policy). Most of the time you get a blank stare and the answer is kinda like "well... we just wanted to surf and e-mail....". Most of the technicians (and managers as well!!!) don't seem to understand the concept of a firewall very well. They manage firewalls ("don't ask too much, as the supplier X installed and configured the thing and I don't really understand..." :-)) but forget the security perimeter the firewall is supposed to protect.

Also, auditing just before going live with a firewall may result in proof of compliance to some sort of access policy. However, a few months later the administrators plugged themselves realaudio and gave themselves dial-in root access and of course the passwords are being shared.... And oh yeah..., "database supplier A is able to telnet through the firewall as they should be able to do maintenance on our production databases...."

And of course, someone is supposed to watch the logs.

Isn't it ironic.. don't you think...

---
Eat hard
Sleep hard
Wear glasses if you need them

From owner-firewalls-outgoing Wed May 7 09:40:42 1997
From: John Bashinski
To: cdonahue@mtb.phil.mop.com (Craig Donahue)
cc: shishpop@ftp.com, firewalls@GreatCircle.COM
Date: Wed, 07 May 1997 09:32:01 -0700
Subject: Re: load balancing question on Cisco
In-reply-to: Your message of "07 May 1997 14:40:13 GMT."

> The answer I would use would be to apply an ACL on one of the outgoing FR
> interfaces to prevent tcp traffic from your client to exit via that
> interface. We don't use load balancing so I can not guarantee it will
> work. Good luck.

That will not work. The routing decision is made before the access list is consulted, and the router will not try to "route around" an access list. All that will happen if you put an access list on one of the outgoing interfaces is that half the traffic will be dropped.

This isn't really a firewall question, so I'll send the actual answer in separate private e-mail, but I wanted to correct this error, since I've seen people make it before.

-- J. Bashinski
   Cisco Systems

From owner-firewalls-outgoing Wed May 7 10:58:20 1997
From: Dana Nowell
To: Firewalls@greatcircle.com
Date: Wed, 07 May 1997 12:53:21 -0400
Subject: Re: Need to restrict http://www.nude.com and such

I've tried to ignore this thread but ...

For those that claim this is not a technical issue but a management issue, I offer the following case from real life.

I installed a firewall in a public library. The library has a very open policy about information and allows public access to all materials (audio tapes/CDs, videos, printed books, audio books, internet terminals, ...).

Problem: internet terminals in a busy library being used by 10-13 year old boys (and presumably girls for the politically correct crowd, although they seem less of a problem). Issue: how to avoid being sued by someone because little Johnny looked at dirty pictures when he was supposed to be doing homework. Since these are public access terminals in a busy environment, logging is pretty much useless.

Current solution: parental sign-off to get access for minors. Permission sheet specifically states that library is not responsible for material available and that some might be considered offensive (so much for management). Additionally, sites are blocked after individuals are seen viewing 'inappropriate' material (hard call, in general this library WANTS open access, so this usually implies repeated access to a 'dirty picture' site before a block occurs). Unfortunately young folks are VERY resourceful and persistent so blocked sites do get added regularly. BTW, the library does maintain unblocked access behind the counter for legit research needs and will allow access to individuals on a case by case basis.

Now if someone can inform me as to how this is not a blocking issue but a management enforcement issue, I'm interested. Understand this library circulates 120,000+ pieces of material a year with a staff of about 5 (plus volunteers and high school student help). Comments related to providing staff supervision at all 4 terminals whenever a minor is present are not even in the ball park of reasonable. If that were required it is more cost effective to shut down the link.
Something the library wants to avoid as it feels that information access (and the internet has ALOT of information) should be available to EVERYONE, the poor, the homeless, the rich, even the lawyers :-). Assuming we can all admit that cases like this exist in the real world, can we get off the management enforcement kick and minimize the S/N ratio (or even drop the entire thread to improve S/N). I believe most people would grant that, where possible, management enforcement is the only truly effective method. Unfortunately in today's world sometimes you need the most effective solution available within 'budget' (time or money), which may NOT be fully effective. On Tue, 06 May 1997 02:13:13 -0400, "Richard A. Hill" scribbled: > > Well, I'll add my two cents worth in brief. >Unless you are experiencing complaints of email-harrassment, or you have >incidents of "offensive" material being displayed to persons who do now wish >to see it, It is ALWAYS going to cost more in time and energy to play >facist, than you will save. > I have a personal dislike for any kind of censorship that is not >specifically aimed at curbing harrassment. I feel that if your employees, >co-workers, or whatever are being productive and doing their jobs at >expected (or better) levels, then you are getting what you pay them for. >Enough ! Their privacy overrules any sqeamish desire of yours to play Papa. >(or Mama ..) > >Over the last year, I watched a harassment accusation at a former employer's >almost blow up into an expensive court case, but for some common sense from >a judge: > "You say he has offensive materials on the walls of his office?" > "yes" > "Do you work in his office ?" > "no" > "Can you see this material from outside the office ?" > "no" > "Do you ever have to go into his office as part of your job, or has he >ever asked you into his office ?" > "no" > "Well then; I think I have the solution. 
Don't go into his office"
> "But I don't think he should have those pictures on the walls"
> "And I don't think this case belongs in court, but we can't get all we
>want, now can we."
>{Above is very close to actual dialogue}
>
>By all means, set up logging and tracking procedures to be used if a
>harassment or similar complaint is brought, as well as evidencing a policy
>of not tolerating sexual bullies, but stay out of other people's lives as
>much as possible. As has already been said, if you are editing content, you
>risk being held responsible for what you let through, as much as what you do
>not.
>
>I know this goes against our growing "Big-Brother" syndrome of protecting
>people against themselves, but I'll always choose freedom over order
>

Dana Nowell                  Voice (603) 595-7480 EXT 28
Cornerstone Software Inc.    FAX (603) 882-7313
Work: mailto:DanaNowell@corsof.com
Home: mailto:dana@nowell.mv.com
MIME attachments preferred, BINHEX and uuencoded acceptable.
As usual, I speak only for myself.

From owner-firewalls-outgoing Wed May 7 11:06:28 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA06336 for firewalls-outgoing; Wed, 7 May 1997 10:53:20 -0700 (PDT)
Received: from alli.com ([38.252.235.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id KAA06292 for ; Wed, 7 May 1997 10:53:01 -0700 (PDT)
Received: from herc by alli.com (SMI-8.6/dg001) id MAA16221; Wed, 7 May 1997 12:50:30 -0500
Message-Id: <3.0.32.19970507125721.00a1a100@145.1.174.7>
X-Sender: e_hays@145.1.174.7
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Wed, 07 May 1997 12:57:24 -0500
To: firewalls@greatcircle.com
From: Eric Hays
Subject: video-conferencing
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Has anyone successfully used videoconferencing equipment on a VPN using PPTP? If so could you recommend any equipment or specific firewalls?
-Eric Hays

From owner-firewalls-outgoing Wed May 7 11:55:35 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA06117 for firewalls-outgoing; Wed, 7 May 1997 10:51:31 -0700 (PDT)
Received: from ecua.net.ec (ecua.net.ec [157.100.1.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id KAA06084 for ; Wed, 7 May 1997 10:51:21 -0700 (PDT)
Received: from dial16.ecua.net.ec by ecua.net.ec (AIX 4.1/UCB 5.64/4.04) id AA23558; Wed, 7 May 1997 12:50:42 -0500
Message-Id: <3.0.1.32.19970507125207.006fbf00@157.100.1.2>
X-Sender: jvelasco@157.100.1.2 (Unverified)
X-Mailer: Windows Eudora Light Version 3.0.1 (32)
Date: Wed, 07 May 1997 12:52:07 -0500
To: firewalls@greatcircle.com
From: Martín Velasco
Subject: FW-1 & NT mail servers
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello everyone,

What's your opinion regarding the combination of a FW-1 using stateful packet filters and NT mail servers (let's say, Netscape's)? I feel uneasy because, at least in the Unix world, using stateful packet filters and therefore direct access to sendmail would mean a significant risk. With NT, there are no guidelines (except any that you guys could give me).

What alternatives do you suggest?

Thanks in advance for any comment.
-Martin

      /|     ___|
     /_ /---\/ _\-------------------------------
    |------/      Martín Velasco               *
    |------\__    Guayaquil-Ecuador            *
    |---------|   South America                *
     \-------/    mailto:jvelasco@ecua.net.ec  *
      \__^__/-------------------------------*

From owner-firewalls-outgoing Wed May 7 12:21:38 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA14642 for firewalls-outgoing; Wed, 7 May 1997 12:00:55 -0700 (PDT)
Received: from datasource.net ([205.183.26.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id MAA14631 for ; Wed, 7 May 1997 12:00:47 -0700 (PDT)
Received: by friday.datasource.net id <17025-1>; Wed, 7 May 1997 13:57:32 -0500
Message-Id: <97May7.135732cdt.17025-1@friday.datasource.net>
Date: Wed, 7 May 1997 14:07:52 -0500
From: Nathan Steinbauer
Reply-To: nathan@datasource.net
Organization: DataSource Hagen
X-Mailer: Mozilla 3.01 (Win95; I)
MIME-Version: 1.0
To: firewalls@GreatCircle.COM
Subject: Re: private networks & IP tunneling
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Secure Computing's firewalls (Borderware and Sidewinder) both support VPN capabilities for both firewall to firewall and client to firewall. Check out their site http://www.securecomputing.com for more info.

Nathan Steinbauer

Engasser, Charlie wrote:
>
> PPTP is for the moment a RAS-based implementation, which means that it
> only works Asynchronously from Client to Server.
>
> AltaVista is supposedly a Lan-to-Lan implementation, but if you can get
> the install routine to work, then more power to you. I've been trying
> for 2 days now on NT 4.0 and it throws the control panel into an
> infinite loop. (at least that's what NT is telling me). DEC is for the
> moment at a loss to explain it. If I ever get Tunnel97 to install I'll
> post my findings...
>
> >-----Original Message-----
> >From: Robert J. Strickler [SMTP:bstrickler@thrunet.net]
> >Sent: Tuesday, May 06, 1997 6:53 PM
> >To: firewalls@GreatCircle.COM
> >Subject: private networks & IP tunneling
> >
> >Is our understanding of IP tunneling correct? We should be able to
> >encapsulate traffic bound for hosts on private networks at each side
> >(whose endpoints have routable IP's) of a VPN (virtual private network)
> >tunnel and send them through the internet without their addresses being
> >blocked by intervening routers.
> >
> >Will M$ PPTP and/or Altavista VPN software perform this service?
> >
> > 10.1.2.3--206.xxx.1.xxx-- Internet --206.xxx.2.xxx--10.4.5.6
> >
> >TIA, bob

From owner-firewalls-outgoing Wed May 7 12:26:03 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA10232 for firewalls-outgoing; Wed, 7 May 1997 11:25:32 -0700 (PDT)
Received: from smurfland.cit.buffalo.edu (smurfland.cit.buffalo.edu [128.205.10.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id LAA10186 for ; Wed, 7 May 1997 11:25:18 -0700 (PDT)
Received: (from jcmurphy@localhost) by smurfland.cit.buffalo.edu (8.8.5/8.8.2) id OAA04413; Wed, 7 May 1997 14:27:58 -0400 (EDT)
To: firewalls@greatcircle.com
Subject: [repost] fw1 with lots of concurrent connections
Mime-Version: 1.0 (generated by tm-edit 7.105)
Content-Type: text/plain; charset=US-ASCII
From: Jeff Murphy
Date: 07 May 1997 14:27:57 -0400
Message-ID:
Lines: 25
X-Mailer: Gnus v5.4.46/XEmacs 20.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

sorry about the repost. i see my original message come across the mailing list, and wasn't sure if it went out.

jeff

-----------------------------------------------------------------------

looking to hear of experiences by people who use fw1 for the following:

more than 1000 sessions concurrently thru it (authenticated users) using one of: NAT, filtering or proxying.
we'd be interested in hearing about experiences including hardware configurations, performance issues, etc. (this is in regards to the recent datacomm article showing degradation of performance after about 48 clients).

thanks,
jeff
jcmurphy@smurfland.cit.buffalo.edu

The datacomm article is at http://www.data.com/lab_tests/firewalls97.html
the performance graph is at http://www.data.com/lab_tests/images/firewalls97_figure1.html

From owner-firewalls-outgoing Wed May 7 16:54:27 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id QAA00293 for firewalls-outgoing; Wed, 7 May 1997 16:29:59 -0700 (PDT)
Received: from inet03.citec.qld.gov.au (inet03.citec.qld.gov.au [203.5.10.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id QAA00283 for ; Wed, 7 May 1997 16:29:52 -0700 (PDT)
Received: by inet03.citec.qld.gov.au; id JAA25474; Thu, 8 May 1997 09:29:44 +1000
Received: from guru.citec.qld.gov.au(147.132.20.47) by inet03.citec.qld.gov.au via smap (3.2) id xma025457; Thu, 8 May 97 09:29:25 +1000
Received: (from sgcccdc@localhost) by guru.citec.qld.gov.au (8.6.12/8.6.12) id JAA01643; Thu, 8 May 1997 09:32:10 +1000
From: Colin Campbell
Message-Id: <199705072332.JAA01643@guru.citec.qld.gov.au>
Subject: Re: private networks & IP tunneling
To: Engasser@JS-JTF.AF.MIL (Engasser, Charlie)
Date: Thu, 8 May 1997 09:32:09 +1000 (EST)
Cc: firewalls@greatcircle.com
In-Reply-To: from "Engasser, Charlie" at May 7, 97 08:01:05 am
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

My mailer thinks Engasser, Charlie said:
>
> PPTP is for the moment a RAS-based implementation, which means that it
> only works Asynchronously from Client to Server.
>
Not according to the NT4 documentation. They give explicit examples of PPTP over the internet.
One example uses an ISP dialup connection to an internet connected host. The second example shows two net-connected hosts using PPTP.

Now, unless MS is documenting software that isn't yet shipping ...

Oh, yeah. Outside the US you get 40-bit RC4 encryption. Makes it rather useless really. That's why we put Altavista in a recent bid - at least you get 56 bit.

Colin

From owner-firewalls-outgoing Wed May 7 19:43:34 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id SAA12837 for firewalls-outgoing; Wed, 7 May 1997 18:27:10 -0700 (PDT)
Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-970427-1) id SAA12828 for firewalls@greatcircle.com; Wed, 7 May 1997 18:27:07 -0700 (PDT)
Received: from asp.cdev.com (aspext.cdev.com [160.207.1.254]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id WAA27993 for ; Tue, 6 May 1997 22:00:41 -0700 (PDT)
Received: from asp.cdev.com (root@localhost) by asp.cdev.com (8.7.5/8.7.3) with ESMTP id AAA15513 for ; Wed, 7 May 1997 00:05:41 -0500 (CDT)
Received: from aurora.cdev.com (aurora.cdev.com [160.207.235.1]) by asp.cdev.com (8.7.5/8.7.3) with SMTP id AAA15509 for ; Wed, 7 May 1997 00:05:40 -0500 (CDT)
Message-Id: <199705070505.AAA15509@asp.cdev.com>
Received: from cdi1p3.cdev.com by aurora.cdev.com id SMTP-00133700d9e021584; Wed, 7 May 97 00:05:36 -0500
X-Sender: djs3wn39@aurora.cdev.com
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 06 May 1997 21:17:07 -0700
To: davidal@moloc.cps.unizar.es
From: Donald.J.Smith@cdev.com (Donald J Smith)
Cc: Firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Date: Tue, 6 May 1997 08:53:26 +0200 (MET DST)
>From: David Alayeto Salvador
>Subject: Config Files
>
>I would like to see some examples of some of the configuration files
>needed to set up a firewall properly.

The tis fwtk comes with a config file.
You just uncomment the services you want and change YOURNET/YOURADDRESS to be the net/address you are supporting on the firewall.

>
>I'm in the doubt of believing a firewall is just a way to name a set of
>components which work together to provide security to a site. Please
>explain to me the real meaning of the term "firewall". Is it based on
>software or hardware?

In a perfect world, a firewall is a system (or hardware and software) that slows an intruder long enough for an alert to the sysadm to allow same to catch and stop all intrusion attempts. We don't live in a perfect world, so start by defining what you have to protect and its value to your company. That will help you decide what type and how much security you need.

>
>Thanks in advance
>
>*************************************************
>* David Alayeto Salvador
>* E-mail addresses:
>* davidal@prometeo.cps.unizar.es
>* davidal@oja.cps.unizar.es
>* Fifth year of Computer Engineering - CPS
>*************************************************
>
>------------------------------
>

Donald J Smith
Network Security Engineer @CDInt
design in security @ the beginning &
ease_of_use != A*(1/Data_Security) for any A
(my opinions are mine and so are the spelling errors ;-)

From owner-firewalls-outgoing Wed May 7 19:46:07 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id SAA11513 for firewalls-outgoing; Wed, 7 May 1997 18:13:38 -0700 (PDT)
Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-970427-1) id SAA11465 for firewalls@greatcircle.com; Wed, 7 May 1997 18:13:29 -0700 (PDT)
Received: from tsb.inet-images.com (tsb.inet-images.com [204.91.224.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id FAA09913 for ; Sun, 4 May 1997 05:01:36 -0700 (PDT)
Received: (from apu@localhost) by tsb.inet-images.com (8.8.5/8.7.3) id IAA07007 for spfld@erols.com; Sun, 4 May 1997 08:08:33 -0400
Received: from relay6.UU.NET (relay6.UU.NET [192.48.96.16]) by tsb.inet-images.com (8.8.5/8.7.3) with ESMTP id IAA07002 for ; Sun, 4 May 1997 08:08:28 -0400
X-Envelope:
Received: from honor.greatcircle.com by relay6.UU.NET with ESMTP (peer crosschecked as: honor.greatcircle.com [198.102.244.44]) id QQcobo12975; Sun, 4 May 1997 08:03:09 -0400 (EDT)
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA07854 for firewalls-outgoing; Sun, 4 May 1997 04:24:50 -0700 (PDT)
Received: from wizard.abirnet.co.il (wizard.abirnet.co.il [194.90.211.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id EAA07838 for ; Sun, 4 May 1997 04:24:33 -0700 (PDT)
Received: from ziv.abirnet.co.il (z1.abirnet.co.il [194.90.211.21]) by wizard.abirnet.co.il (8.7.6/8.7.3) with SMTP id TAA26936; Sun, 4 May 1997 19:29:22 +0300
Date: Sun, 4 May 97 14:20:27 Israel Daylight Time
From: Ziv Dascalu
Subject: Re: Need to restrict http://www.nude.com and such
To: firewalls@GreatCircle.COM, Gabriel Dura
X-Mailer: Chameleon ATX 6.0, Standards Based IntraNet Solutions, NetManage Inc.
X-Priority: 3 (Normal)
References: <336C3BEE.2F82@geocities.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Loop: apu@inet-images.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

--- On Sun, 04 May 1997 00:34:06 -0700 Gabriel Dura wrote:

> Hi!
>
> I don't think this subject needs so much debate... First of all it is
> absolutely necessary to outwit the employee in order to prove that it is
> guilty and then take the appropriate measures. Nobody can be accused
> without a good proof.
>
> Now, most of the xxx sites contain a html meta in the web page header
> that look like this:
>
>
>
> Just have to filter the web pages containing this kind of meta... Of
> course there also other words but there is no place for them here...
> There are no secret algorithms...
>
> It is not a perfect method but it you can obtain good results...
> You can also log the access of these files and find the employees
> interested in this.
>
> Also active modems can be detected and that call traced... In this way
> one can prevent unauthorised Internet connections using personal modems
> at the office...
>
> Please anyone tell me if I'm wrong...
> Gabriel

---------------End of Original Message-----------------

It is absolutely necessary to outwit the employee in order to prove that it is guilty and then take the appropriate measures. Nobody can be accused without a good proof.

NO, most of the xxx sites do not contain a html meta in the web page header that look like this: if they do have this then it is VERY easy.

Just have to filter the web pages containing this kind of meta... Of course there also other words but there is no place for them here... There are no secret algorithms... But do you think that they REALLY want to be filtered out?

This is why it is not a perfect method but it you can obtain good results... By logging the access of these files and finding the employees interested in this, you can avoid a lot of cases like this, since once they know you are watching, they will avoid this.

/Ziv

--
SessionWall-3 offers an effective means of preventing employees or intruders from abusing the network.
By monitoring all session traffic, it opens a unique window into how employees are using the network, and can pinpoint the need for defenses against outside threats = Get an EVALUATION COPY at =

From owner-firewalls-outgoing Wed May 7 23:58:12 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA05721 for firewalls-outgoing; Wed, 7 May 1997 23:56:36 -0700 (PDT)
Received: from firefly (firefly.parc.anglia.ac.uk [194.82.46.33]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id XAA05713 for ; Wed, 7 May 1997 23:56:30 -0700 (PDT)
Received: from maverick.parc.anglia.ac.uk by firefly (SMI-8.6/SMI-SVR4) id HAA03387; Thu, 8 May 1997 07:56:03 +0100
Received: by maverick.parc.anglia.ac.uk (SMI-8.6/SMI-SVR4) id LAA08147; Sat, 3 May 1997 11:51:28 +0100
Date: Sat, 3 May 1997 11:51:28 +0100
From: colinj@parc.anglia.ac.uk (Colin Johnston)
Message-Id: <199705031051.LAA08147@maverick.parc.anglia.ac.uk>
To: dechon@CS.Stanford.EDU
Subject: Re: [FW1] [FW-1] [Solaris 2.6] DHCP, VLSM thoughts
Cc: colinj@parc.anglia.ac.uk, firewalls@GreatCircle.COM, fw-1-mailinglist@us.checkpoint.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-MD5: LTK59qlKeauJa+hJmajr/Q==
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi all

I echo Mark's comments regarding the SUN RIP updates being incorrect in a subnetted environment. Do you know if 'gated' solves this problem??
comments

Colin
______________________________
Colin Johnston
PARC Research Team
Anglia Polytechnic University
Chelmsford UK
Tel 01245 493131 ext 3413
email colinj@parc.anglia.ac.uk

From owner-firewalls-outgoing Thu May 8 01:28:55 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id BAA10859 for firewalls-outgoing; Thu, 8 May 1997 01:06:36 -0700 (PDT)
Received: from pluto (pluto.citadel.com.au [203.14.230.9]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id BAA10843 for ; Thu, 8 May 1997 01:06:25 -0700 (PDT)
Received: from aaron.citadel.com.au (ppp-syd-168.ca.com.au [203.23.80.168]) by pluto (8.7.6/8.7.3) with SMTP id SAA13925 for ; Thu, 8 May 1997 18:05:58 +1000
Message-Id: <3.0.1.32.19970508180325.007da860@pluto.citadel.com.au>
X-Sender: aaron@pluto.citadel.com.au
X-Mailer: Windows Eudora Light Version 3.0.1 (32)
Date: Thu, 08 May 1997 18:03:25 +1000
To: Firewalls@GreatCircle.COM
From: Aaron Everingham
Subject: Encryption Outside US
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

There is a way for non-US orgs to get triple DES or strong encryption. If the product you want is RecoverKey compliant, you can access 128 bit or triple des or strong encryption (whatever you want to call it).
Citadel Security Management Systems
Aaron Everingham - Northern Regions Manager
aaron@citadel.com.au
Ph: +61 02 9211 8700
Fax: +61 02 9211 8701
Suite 1, 330 Wattle Street
Ultimo NSW 2007 Australia

'It's all about being digital' - Negroponte

From owner-firewalls-outgoing Thu May 8 04:28:32 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA25569 for firewalls-outgoing; Thu, 8 May 1997 04:24:49 -0700 (PDT)
Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id EAA25562 for ; Thu, 8 May 1997 04:24:42 -0700 (PDT)
Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id HAA21721; Thu, 8 May 1997 07:21:42 -0400 (EDT)
From: Adam Shostack
Message-Id: <199705081121.HAA21721@homeport.org>
Subject: Re: Encryption Outside US
In-Reply-To: <3.0.1.32.19970508180325.007da860@pluto.citadel.com.au> from Aaron Everingham at "May 8, 97 06:03:25 pm"
To: aaron@citadel.com.au (Aaron Everingham)
Date: Thu, 8 May 1997 07:21:42 -0400 (EDT)
Cc: Firewalls@GreatCircle.COM
X-Mailer: ELM [version 2.4ME+ PL27 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Can you cite an instance of a company actually exporting 3des legally from the US? I don't believe it's happened yet, GAK* or no.

Adam

* GAK is Government Access to Keys. Enabling Snowman/Pollard/Ames/Hendrickson style cryptanalysis. Giving out the keys to the kingdom.

Aaron Everingham wrote:
| There is a way for non-US orgs to get triple DES or strong encryption. If
| the product you want is RecoverKey compliant, you can access 128 bit or
| triple des or strong encryption (whatever you want to call it).

--
"It is seldom that liberty of any kind is lost all at once."
-Hume

From owner-firewalls-outgoing Thu May 8 05:43:24 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA29306 for firewalls-outgoing; Thu, 8 May 1997 05:29:13 -0700 (PDT)
Received: from omicron.comarch.pl (omicron.comarch.pl [195.116.125.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id FAA29292 for ; Thu, 8 May 1997 05:28:49 -0700 (PDT)
Received: from Bond.ComArch.PL (bond.comarch.pl [195.116.125.230]) by omicron.comarch.pl (8.8.5/8.8.2) with SMTP id OAA18309 for ; Thu, 8 May 1997 14:30:36 +0200
Message-ID: <3371C7AE.710E@ComArch.PL>
Date: Thu, 08 May 1997 14:31:42 +0200
From: Aleksander Waszkielewicz
X-Mailer: Mozilla 3.0 (Win95; I)
MIME-Version: 1.0
To: Firewalls@GreatCircle.COM
Subject: FW-1 and hardware platforms
Content-Type: text/plain; charset=iso-8859-2
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi!

Maybe you know where I can find info about functional differences of FW-1 working on various platforms. I mean (e.g.):
- are the same services supported?
- what about performance?
- what about cooperation with OS (do you know how it's done on NT?)?
- authentication?
etc.
Thanx in advance

Alek

From owner-firewalls-outgoing Thu May 8 06:13:28 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA02743 for firewalls-outgoing; Thu, 8 May 1997 06:11:07 -0700 (PDT)
Received: from netsrv.js-jtf.af.mil ([131.25.48.18]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id GAA02641 for ; Thu, 8 May 1997 06:10:44 -0700 (PDT)
Received: from jtfcom.js-jtf.af.mil (JTFCOM) by js-jtf.af.mil (PMDF V5.0-6 #13831) id <01IIME2BEG74000PBS@js-jtf.af.mil> for firewalls@greatcircle.com; Thu, 08 May 1997 09:11:22 -0500 (EST)
Received: by jtfcom.js-jtf.af.mil with Microsoft Exchange (IMC 4.0.837.3) id <01BC5B8F.A3B28D50@jtfcom.js-jtf.af.mil>; Thu, 08 May 1997 09:10:14 -0400
Date: Thu, 08 May 1997 09:10:12 -0400
From: "Engasser, Charlie"
Subject: RE: private networks & IP tunneling
To: "'firewalls@greatcircle.com'"
Message-id:
MIME-version: 1.0
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.837.3
Content-type: text/plain; charset="us-ascii"
Content-transfer-encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The Documentation is vague on this, but everything I've been able to figure out from it is that you can connect client->ISP->internet->VPN or Client->LAN->VPN. It still seems to require a single server and a client side, since on one side they say you can make network to network connections, yet on another line they state:

"PPTP uses Microsoft's implementation of RAS and the Point-to-Point Protocol (PPP) to establish connections with remote computers by using dial-up lines, Ethernet networks, or token ring networks. PPP provides remote-user authentication and data encryption between the PPTP client and the PPTP server. Thus, to use PPTP you must install and configure RAS with Dial-Up Networking on both PPTP clients and PPTP servers." - Microsoft Technet, May 1997.
This to me seems to imply that PPTP does not yet have the functionality to be a full-blown WAN connectivity solution.

>-----Original Message-----
>From: Colin Campbell [SMTP:sgcccdc@citec.qld.gov.au]
>Sent: Wednesday, May 07, 1997 7:32 PM
>To: Engasser@js-jtf.af.mil
>Cc: firewalls@greatcircle.com
>Subject: Re: private networks & IP tunneling
>
>My mailer thinks Engasser, Charlie said:
>>
>> PPTP is for the moment a RAS-based implementation, which means that it
>> only works Asynchronously from Client to Server.
>>
>Not according to the NT4 documentation. They give explicit examples of
>PPTP over the internet. One example uses an ISP dialup connection to
>an internet connected host. The second example shows two net-connected
>hosts using PPTP.
>
>Now, unless MS is documenting software that isn't yet shipping ...
>
>Oh, yeah. Outside the US you get 40-bit RC4 encryption. Makes it rather
>useless really. That's why we put Altavista in a recent bid - at least
>you get 56 bit.
>
>Colin

From owner-firewalls-outgoing Thu May 8 06:43:50 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA05073 for firewalls-outgoing; Thu, 8 May 1997 06:40:07 -0700 (PDT)
Received: from ereapp.erenj.com (ereapp.ERENJ.COM [159.70.31.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id GAA05061 for ; Thu, 8 May 1997 06:39:59 -0700 (PDT)
Received: (from smap@localhost) by ereapp.erenj.com (8.8.5/8.8.5) id JAA00267 for ; Thu, 8 May 1997 09:39:58 -0400
Received: from eredns.erenj.com(159.70.1.252) by ereapp.erenj.com via smap (V2.0) id xma000255; Thu, 8 May 97 09:39:35 -0400
Received: from clmail1.erenj.com (clmail1.erenj.com [159.70.1.22]) by eredns.erenj.com (8.8.5/8.8.5) with ESMTP id JAA23402 for ; Thu, 8 May 1997 09:39:33 -0400
Received: from tiger ([159.129.116.3]) by clmail1.erenj.com (post.office MTA v1.9.3 ID# 0-11437) with SMTP id AAA99; Thu, 8 May 1997 09:13:14 -0400
Message-ID: <3371D809.6201DD56@erenj.com>
Date: Thu, 08 May 1997 08:41:57 -0500
From: Andy Howard
Organization: Exxon Computing Services Company
X-Mailer: Mozilla 3.0Gold (X11; I; SunOS 4.1.4 sun4c)
MIME-Version: 1.0
To: Dana Nowell
CC: firewalls@greatcircle.com
Subject: Re: Need to restrict http://www.nude.com and such
References: <3.0.32.19970507125321.006aa628@pop.corsof.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Dana: I would suggest that your library example *is* a management instead of technical issue because the security policy at the library (allow some people access to some sites, disallow others to the same sites, without any user or even workstation authentication) stretches the limits of the current technical solutions. The use of parental authorization forms, to my way of thinking, is a "management" solution.

For Web site blocking, both management and technical issues are involved. IMO, if you don't have a strong management security policy and backing first, it is frustrating trying to implement the technical solution....cheers.

Dana Nowell wrote:
>
>
> For those that claim, this is not a technical issue but a management issue
> I offer the following case from real life.
>
> I installed a firewall in a public library. The library has a very open

<< snipped >>

> Now if someone can inform me as to how this is not a blocking issue but a
> management enforcement issue, I'm interested. Understand this library

<< snipped >>

--
Andy Howard 713-656-4396
achowar@erenj.com
"Think hard! Think Fast! Think Often! But Think!"
The contents of this note are my opinion and should be treated only as that.
From owner-firewalls-outgoing Thu May 8 08:13:16 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA10474 for firewalls-outgoing; Thu, 8 May 1997 08:03:30 -0700 (PDT)
Received: from sierra.corsof.com (sierra.corsof.com [198.22.44.240]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA10457 for ; Thu, 8 May 1997 08:03:18 -0700 (PDT)
Received: from dana.corsof.com (dana.corsof.com [198.22.44.138]) by sierra.corsof.com (8.8.5/8.6.12) with SMTP id LAA07273; Thu, 8 May 1997 11:03:06 -0400 (EDT)
Message-Id: <3.0.32.19970508110600.006cf0a0@pop.corsof.com>
X-Sender: dana@pop.corsof.com
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Thu, 08 May 1997 11:06:01 -0400
To: Andy Howard
From: Dana Nowell
Subject: Re: Need to restrict http://www.nude.com and such
Cc: firewalls@greatcircle.com
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Of course there is management enforcement in effect. Management always has some role even if it is one of playing ostrich. My point was that claiming the techno issues aren't important and it is really JUST a management issue is equally playing ostrich. Ultimately technology will have to play a role. Man (for the PC crowd that is man as in human race, man is shorter to type :-) creates atom bombs, forces man to create means to track launches, monitor power plant waste for siphoning, build hardened sites, etc. The same types of things happened in chem/bio warfare: man creates bugs for war, causes man to create NBC suits, anti-nerve gas self injectors, monitoring of exports for components, etc. These are admittedly extreme examples and one can argue the effectiveness of the countermeasures developed, but technology was used in the solution. In fact technology is USUALLY used in solutions created by today's man.
The real issue is how threatened does man feel by the problem; that is a reasonable measure of the effort spent on countermeasures. In today's US society the headline hot buttons are not cold war topics but cloning, DNA research, the internet, and several other topics. That is where the next moral/legal/techno battle is being fought. Getting connected to the internet was the most important thing for many companies, now they don't know what to do with the link and are lamenting the lost productivity and new attack threat. Joe/Sally Average does tend to dive into the deep end of the pool and THEN look for rocks and technology to make them nice and soft.

But my point was not to trash the S/N ratio (done a great job with this message) but try and improve it. Can't we move this to somewhere other than firewalls ...

At 08:41 AM 5/8/97 -0500, Andy Howard wrote:
>Dana: I would suggest that your library example *is* a management
>instead of technical issue because the security policy at the library
>(allow some people access to some sites, disallow others to the same
>sites, without any user or even workstation authentication) stretches
>the limits of the current technical solutions. The use of parental
>authorization forms, to my way of thinking, is a "management" solution.
>
>For Web site blocking, both management and technical issues are
>involved. IMO, if you don't have a strong management security policy
>and backing first, it is frustrating trying to implement the technical
>solution....cheers.
>
>Dana Nowell wrote:
>>
>>
>> For those that claim, this is not a technical issue but a management issue
>> I offer the following case from real life.
>>
>> I installed a firewall in a public library. The library has a very open
>
><< snipped >>
>
>> Now if someone can inform me as to how this is not a blocking issue but a
>> management enforcement issue, I'm interested. Understand this library
>
><< snipped >>
>
>--
>Andy Howard 713-656-4396
>achowar@erenj.com
>"Think hard!
Think Fast! Think Often! But Think!"
>The contents of this note are my opinion and should
>be treated only as that.
>
>

Dana Nowell                  Voice (603) 595-7480 EXT 28
Cornerstone Software Inc.    FAX (603) 882-7313
Work: mailto:DanaNowell@corsof.com
Home: mailto:dana@nowell.mv.com
MIME attachments preferred, BINHEX and uuencoded acceptable.
As usual, I speak only for myself.

From owner-firewalls-outgoing Thu May 8 08:59:59 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA12524 for firewalls-outgoing; Thu, 8 May 1997 08:55:35 -0700 (PDT)
Received: from uachih.uachnet.mx (uachih.uachnet.mx [148.229.1.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id IAA12451 for ; Thu, 8 May 1997 08:54:00 -0700 (PDT)
Received: from iridium ([200.33.158.131]) by uachih.uachnet.mx (8.6.9/8.6.9) with ESMTP id KAA02358 for ; Thu, 8 May 1997 10:50:04 -0600
Message-Id: <199705081650.KAA02358@uachih.uachnet.mx>
From: "Manuel Gomez B."
To:
Subject: Sign-off
Date: Thu, 8 May 1997 10:52:51 -0000
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1161
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Sorry, but I think I lost the mail where I was told how to sign off of this list. Could someone help me out? I need the command and the address where I should send it. Thanks.

__________________________________
L.S.C.A. Manuel Gomez Barrera
Host Master TecnoNet
Manuel.Gomez@tecno.net
TECNONET
Tel. (14) 20-0109
Fax. (14) 20-9080
Calle 2º No. 5211
31050 Chihuahua, Chih. Mexico.
__________________________________ From owner-firewalls-outgoing Thu May 8 09:13:26 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA12158 for firewalls-outgoing; Thu, 8 May 1997 08:45:11 -0700 (PDT) Received: from relay.rv.tis.com (relay.rv.tis.com [204.254.155.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA12151 for ; Thu, 8 May 1997 08:45:05 -0700 (PDT) Received: by relay.rv.tis.com; id MAA28063; Thu, 8 May 1997 12:01:38 -0400 (EDT) Received: from dira.rv.tis.com(10.0.1.43) by relay.rv.tis.com via smap (3.2) id xma028044; Thu, 8 May 97 12:01:18 -0400 Received: from chatte (chatte.rv.tis.com [10.0.1.140]) by dira.rv.tis.com (8.7.4/8.7.3) with SMTP id LAA11809 for ; Thu, 8 May 1997 11:46:10 -0400 (EDT) Message-Id: <3.0.32.19970508114544.0095a140@pop.rv.tis.com> X-Sender: lothie@pop.rv.tis.com (Unverified) X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Thu, 08 May 1997 11:45:46 -0400 To: Firewalls@greatcircle.com From: Mimi Herrmann Subject: Re: Need to restrict http://www.nude.com and such Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 12:53 PM 5/7/97 -0400, Dana Nowell wrote: >I've tried to ignore this thread but ... > >For those that claim, this is not a technical issue but a management issue >I offer the following case from real life. Dana, I think that in the case of the library you're talking about, that YES, you DO need some way to block sites. It's a management issue when you're talking about adults in an office environment going to porn sites instead of doing work. BIG difference. In the library environment, where the parents aren't there to supervise what the kids see, and the library staff can't do that either, it makes PERFECT SENSE to block sites. 
In my opinion, it makes a lot less sense to block sites in an office environment, where it's adults doing the accessing as opposed to doing their jobs (potentially). From owner-firewalls-outgoing Thu May 8 09:43:57 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA15576 for firewalls-outgoing; Thu, 8 May 1997 09:31:24 -0700 (PDT) Received: from ns1.capgem.com (ns1.capgem.com [204.153.60.254]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id JAA15567; Thu, 8 May 1997 09:31:16 -0700 (PDT) Received: from dalex01.capgemini.com (smtp.capgemini.com) by ns1.capgem.com (5.x/SMI-SVR4) id AA06605; Thu, 8 May 1997 11:42:43 -0500 Received: by dalex01.capgemini.com with Internet Mail Service (5.0.1457.3) id ; Thu, 8 May 1997 11:33:45 -0500 Message-Id: <2132495A1094D0118744006097307791057653@dalnt032.capgemini.com> From: "Webb, Dean" To: Firewalls@GreatCircle.COM, firewalls-digest@GreatCircle.COM Subject: Legal responsibilities of filtering traffic (long) Date: Thu, 8 May 1997 11:34:07 -0500 X-Priority: 3 Mime-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1457.3) Content-Type: text/plain; charset="iso-8859-1" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Having done some looking around on this issue, here's what I found. First, I found two sites that gave some good summaries of the legal issues of controlling content: http://www.gdf.com/lb2-2.htm and http://mlb.com/speech1.htm. I strongly urge all sysadmins and webmasters to check these sites out, as they relate directly to YOUR liabilities in such positions. For example, should an employee download sexually explicit material (from any source) and then forward it to other employees, even if all the employees are of the same gender, that employee may be creating a sexually hostile work environment (see Strauss v. Microsoft Corp, mentioned at the second web site). 
The company, not the employee, is then liable for the work environment and any damages it may cause. No matter what sort of taste it leaves in your mouth, the implication of this is that a company must take reasonable steps to insure a non-hostile work environment. If this means putting in a firewall rule like "All traffic to/from www.buck~nekkid.com/wowee!!! DENY," then that's what must be done. If a company makes no decisions regarding content appearing on its server/BBS, then it is a distributor of said content, much like a newsstand or public library, and is not responsible for said content. If, however, a company does make decisions regarding content on its server/BBS, then it is considered a publisher and is responsible for said content (Stratton Oakmont, Inc. v. Prodigy Services Co., mentioned at the second web site; see also Stern (as in Howard) v. Delphi Internet Servs. Corp., same site). Since a corporation does indeed exercise editorial control and is considered responsible to some degree for maintaining a certain level of acceptable conduct (the "non-hostile environment" concept), then it is not difficult to construe that a company is responsible for the information on its network, including but not limited to email and web access. SUMMARY: Companies are responsible for all the packets zipping around on its wires. But wait, there's more... If a company does not state clearly its intention to monitor any and all network traffic and content of hard drives and floppies, the employees have every reason to assume full privacy of their communications, leaving them under protection of the federal Wiretap Act. Therefore, it is up to the company to clearly state its authority to monitor any and all traffic, etc., even if it does not intend to do so immediately, or it can be in violation of federal and/or state laws regarding the interception of electronic traffic. 
SUMMARY: Even if you don't like it, you need to reserve your right to read anything and everything on your wires, hard drives, and floppies, etc., or it can be construed that you have surrendered such rights by your privacy-lovin' employees, regardless of what they may be doing with your Internet connection. The legal facts are there for all to see: like it or not, companies MUST preserve the work environment and that might very well entail monitoring network traffic, which MANDATES that a corporate policy informing all employees of the company's right to monitor all traffic must be clearly composed and communicated. Otherwise, your corporation is vulnerable to legal action from a variety of fronts, and your corporation will not have all its bases covered in such actions, leaving its liability waving in the breeze. Furthermore, a company would be very wise to institute non-intrusive monitoring methods and proactive HR methods to insure that no one need be disgruntled, offended or offender. Web traffic and SMTP traffic can be monitored on the company wires by software that only alerts administrators in the case of a potential problem. Not only would this reduce overhead (no one need read EVERY mail), but it would not irk those who play by the rules and keep things clean. Having worked at a company with proactive monitoring policies communicated to its employees and enforced fairly and as evenly as possible, I can say that I have seen it done successfully. That this company had been hit by a series of lawsuits prior to instituting these policies leads me to make the following maxim: If you don't keep an eye on your network traffic now, then you will after you get sued over what was in your network traffic. I'm not a lawyer and none of the above is legal advice. You are responsible for your own actions and should consult with proper legal persons before embarking on any legal course of action. 
For that matter, be sure to consult with your physician before starting on any weight loss program, your broker before buying stock, your religious authorities before dying, etc. Free speech while supplies last, Dean Webb Voltaire (1694-1778): "I may disagree with what you have to say, but I shall defend, to the death, your right to say it." From owner-firewalls-outgoing Thu May 8 09:59:11 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA15960 for firewalls-outgoing; Thu, 8 May 1997 09:33:45 -0700 (PDT) Received: from wadjet.cerner.com (wadjet.cerner.com [159.140.254.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id JAA15942 for ; Thu, 8 May 1997 09:33:38 -0700 (PDT) Received: from wadjet.cerner.com (root@localhost) by wadjet.cerner.com (8.7.5/8.7.3) with ESMTP id LAA29305 for ; Thu, 8 May 1997 11:32:07 -0500 (CDT) Received: from mailwhq03.cerner.com ([159.140.1.68]) by wadjet.cerner.com (8.7.5/8.7.3) with SMTP id LAA29301 for ; Thu, 8 May 1997 11:32:07 -0500 (CDT) Received: by mailwhq03.cerner.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52) id <01BC5BA4.332B6F60@mailwhq03.cerner.com>; Thu, 8 May 1997 11:37:25 -0500 Message-ID: From: "Bird,Tina" To: "'firewalls@greatcircle.com'" Subject: Re: private networks and IP tunneling Date: Thu, 8 May 1997 11:32:00 -0500 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >Hi all -- Hope this information is still timely -- I read the digest! > >My company has been working on implementing VPNs over the >Internet for a year now, with little success until recently. Here's the >summary of our experience: > >AltaVista tunnel -- I've run the server on a Digital UNIX box, as well >as an NT 4.0 machine. 
Difficult to configure properly, as the documentation >is bad even for DEC and there are important details (such as, you >have< >to enable IP forwarding for the tunnel server to work) that are completely >absent. The AltaVista tunnel works by creating a software "pseudo- >adapter" on the PC client and a "pseudo-gateway" on the server, and >is therefore susceptible to the various quirks of multiple network adapters >under Win95. We were told a year and a half ago that there was a >Web-based interface for key distribution and management that turned >out to be a kludge at best -- I never did manage to get it fully functional. > >As regards the NT server version, we had to delete it because it seemed >to corrupt the NT name resolution "cache" -- that is, even when the >tunnel service was de-activated, the box resolved its own host name >to be the address of the >>pseudo-adapter<<, thereby hosing its >ability to be available on the network. > >I had other fairly serious issues with the way the AltaVista tunnel was >designed. It doesn't do user authentication on the server side -- it >compares keys to authenticate the machine, but there's no plan to >add anything like RADIUS or TACACS authentication of the user >once the connection is live. This seriously detriments my ability to >integrate the VPN access to my network with the other types of >access, like dial-up. And the support was really bad -- even when I could >get the attention of their people, they rarely had the time or resources >to figure out my issues in a timely fashion. > >Secure Computing/Borderware's IPv6 tunnel -- The firewall to firewall >implementation seems to be pretty solid. The PC client, which was >written by a company called FTP Software, has now apparently been >removed from the market. (I worked with a version about 9 months >ago, so this isn't the last word.) 
Although the marketing info claimed >that the tunnel client would not interfere with the PC's ability to access >local resources, as soon as I installed it I was >unable< to get to >anything on my local network. I didn't pursue the issue, I just >de-installed. > >I've since heard from a few consultant-types that Secure has mostly >abandoned the FTP tunnel client, but I'd be delighted to hear that >was mis-information. > >InfoExpress VTCP/Secure -- InfoExpress is a tiny startup in California. >We pulled their demo software down from the Web, and I've been >very impressed with their VPN software. It supports use of an >external authentication server, making it much easier to integrate >into my network. The server software runs on a wide variety of >platforms, and can be configured for a variety of levels of >encryption. The client software includes a scripting language which >makes management and key distribution straightforward, as well >as greatly simplifying the administrative issues. > >VTCP/Secure works at the WinSock level of M$ networking, not >the adapter layer, so it avoids the multiple network adapters >"feature" of Win95. The only problem we have with it at this point >is that the release version does not support mapping NT drives and >print services over the tunnel (these are natively NetBIOS calls, >rather than WinSock). InfoExpress has an alpha client which does >handle drive mapping. Their tech support has been extremely >efficient -- they are very responsive to requests from their client >base. > >PPTP -- We've been in communications with a network security >consultant here to compare notes about using PPTP through a >firewall. None of us has had any success. Apparently, PPTP opens >a control connection on TCP port 1723, but uses GRE packets >(who knows?), IP protocol 47, for its data channel. I'm not aware >of any firewall which passes IP protocol 47, so this suggests to me >that PPTP is not designed to work with firewalls. 
>
>Hope this helps -- sorry for the length!
>
>Cheers -- Tina Bird
>
>Internet Services Manager, Cerner Corporation
>2800 Rockcreek Parkway, M/S 1101, Kansas City, MO 64117
>v: (816) 201-2094 f: (816) 474-1742
>http://www.cerner.com "To Automate the Process of Managing Health"
>

From owner-firewalls-outgoing Thu May 8 10:14:02 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA20836 for firewalls-outgoing; Thu, 8 May 1997 10:07:10 -0700 (PDT) Received: from reflections.eng.mindspring.net (reflections.eng.mindspring.net [207.69.183.9]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id KAA20820 for ; Thu, 8 May 1997 10:07:04 -0700 (PDT) Received: (qmail 4669 invoked by uid 514); 8 May 1997 17:06:57 -0000 Date: Thu, 8 May 1997 13:06:57 -0400 (EDT) From: Todd Graham Lewis To: Aaron Everingham cc: Firewalls@GreatCircle.COM Subject: Re: Encryption Outside US In-Reply-To: <3.0.1.32.19970508180325.007da860@pluto.citadel.com.au> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Thu, 8 May 1997, Aaron Everingham wrote:

> There is a way for non-US orgs to get triple DES or strong encryption.

There are other ways:

    # cat crypt.c | uuencode crypt.c > crypt.uu
    # lpr (with 9-pt courier) crypt.uu

mail the printout to a foreign country via the U.S. Postal Service

OCR the printout.

    # uudecode OCR.in
    # gcc crypt.c -o crypt

Perfectly legal, and always will be, which is one of the many reasons why the crypto policy in the U.S. is so fucked up.
__
Todd Graham Lewis MindSpring Enterprises tlewis@mindspring.com

From owner-firewalls-outgoing Thu May 8 11:58:32 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA00956 for firewalls-outgoing; Thu, 8 May 1997 11:49:53 -0700 (PDT) Received: from boondoggle.office.aol.com (boondoggle.office.aol.com [152.163.66.181]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id LAA00949 for ; Thu, 8 May 1997 11:49:45 -0700 (PDT) Received: from boondoggle.office.aol.com (boondoggle.office.aol.com [152.163.66.181]) by boondoggle.office.aol.com (950413.SGI.8.6.12/950213.SGI.AUTOCF) via SMTP id OAA27406; Thu, 8 May 1997 14:49:40 -0400 Date: Thu, 8 May 1997 14:49:40 -0400 (EDT) From: Brian Harvell X-Sender: harvell@boondoggle.office.aol.com To: Todd Graham Lewis cc: Aaron Everingham , Firewalls@GreatCircle.COM Subject: Re: Encryption Outside US In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Thu, 8 May 1997, Todd Graham Lewis wrote:

> On Thu, 8 May 1997, Aaron Everingham wrote:
>
> > There is a way for non-US orgs to get triple DES or strong encryption.
>
> There are other ways:
>
>     # cat crypt.c | uuencode crypt.c > crypt.uu
>     # lpr (with 9-pt courier) crypt.uu
>
> mail the printout to a foreign country via the U.S. Postal Service
>
> OCR the printout.
>
>     # uudecode OCR.in
>     # gcc crypt.c -o crypt
>
> Perfectly legal, and always will be, which is one of the many reasons why
> the crypto policy in the U.S. is so fucked up.
>

I don't think you have to even encode it. I think it's perfectly legal to ship the code out on paper. You just can't ship an electronic form, i.e. no diskettes.
Brian Brian Harvell harvell@aol.net http://boondoggle.web.aol.com/ echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq'|dc From owner-firewalls-outgoing Thu May 8 12:13:35 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA02363 for firewalls-outgoing; Thu, 8 May 1997 12:00:25 -0700 (PDT) Received: from reflections.eng.mindspring.net (reflections.eng.mindspring.net [207.69.183.9]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id MAA02277 for ; Thu, 8 May 1997 12:00:06 -0700 (PDT) Received: (qmail 5036 invoked by uid 514); 8 May 1997 18:59:58 -0000 Date: Thu, 8 May 1997 14:59:58 -0400 (EDT) From: Todd Graham Lewis To: Brian Harvell cc: Aaron Everingham , Firewalls@GreatCircle.COM Subject: Re: Encryption Outside US In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thu, 8 May 1997, Brian Harvell wrote: > I don't think you have to even encode it. uuencoding makes OCR easier. Also, I forgot to mention gzip'ing it first, which both makes the process faster (OCR is a pain proportional to the size of text R'd) and requires uuencoding. 
__ Todd Graham Lewis MindSpring Enterprises tlewis@mindspring.com From owner-firewalls-outgoing Thu May 8 12:28:18 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA04156 for firewalls-outgoing; Thu, 8 May 1997 12:22:33 -0700 (PDT) Received: from niccolo.gsfc.nasa.gov (niccolo.gsfc.nasa.gov [192.86.19.253]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id MAA04139 for ; Thu, 8 May 1997 12:22:15 -0700 (PDT) Received: from cscgt.gsfc.nasa.gov by niccolo.gsfc.nasa.gov (4.1/1.34) id AA29637; Thu, 8 May 97 15:31:34 EDT Received: from ccMail by cscgt.gsfc.nasa.gov (IMA Internet Exchange 2.02 Enterprise) id 372280A0; Thu, 8 May 97 15:22:50 -0400 Mime-Version: 1.0 Date: Thu, 8 May 1997 14:14:33 -0400 Message-Id: <372280A0.1746@cscgt.gsfc.nasa.gov> From: Matthew_J._Fisher_at_ssdlncpo@cscgt.gsfc.nasa.gov (Matthew J. Fisher) Subject: Cisco Routers; Logging (?) To: firewalls@greatcircle.com Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Description: cc:Mail note part Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi All, Does anyone know what logging features are common to Cisco routers? Unfortunately I can't get into specific models. How would one establish/configure logging (preferably to a hard disk, as opposed to the router nvram/ram). 
Thanks in advance, Matt From owner-firewalls-outgoing Thu May 8 12:43:26 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA03988 for firewalls-outgoing; Thu, 8 May 1997 12:20:45 -0700 (PDT) Received: from out2.ibm.net (out2.ibm.net [165.87.201.252]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id MAA03942 for ; Thu, 8 May 1997 12:20:30 -0700 (PDT) From: friend@noreply.com Received: (from uucp@localhost) by out2.ibm.net (8.6.9/8.6.9) id TAA192661; Thu, 8 May 1997 19:15:50 GMT Received: from 1cust94.max14.san-francisco2.ca.ms.uu.net(153.34.188.94) by out2.ibm.net via smap (V1.3mjr) id smapBwfBe; Thu May 8 19:08:00 1997 Received: from mailhost.noreply.com (alt1.noreply.com (209.9.77.61)) by noreply.com (8.8.5/8.6.5) with SMTP id GAA09039 for ; Thu, 08 May 1997 12:00:21 -0600 (EST) To: friend@noreply.com Message-ID: <189703170024.GAA08056@noreply.com> Date: Thu, 08 May 97 12:00:21 EST Subject: FREE MONEY! Reply-To: friend@noreply.com X-UIDL: 2810521097c89bea1d124gha426e9b4h Comments: Authenticated sender is Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Dear Friend, Yes, you read it right! FREE MONEY!!!!! Up to $600 per day!! How can that be possible, you ask? A new money making concept generates income for YOU, automatically. Do you ever wonder how the wealthy, successful people get all their money? Now you can find out how they do it!!!! The secret is AUTOMATIC INCOME. You say it takes money to make money. NOT ANY MORE!!!! No start- up costs, no personal selling, no obligation, no one will call you, EVER!!! Just FREE MONEY each and every month!!! To receive a FREE copy of the report "FREE MONEY", do not hit Reply. Simply e-mail your name and postal address to "Starind@neo-quest.com". Insert "FREE MONEY" in the subject heading. (PS) Free money goes fast, so don't delay. Position and timing are everything!!! 
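Two threads above come down to the same practical step. Matt Fisher asks how to get Cisco router logging onto a hard disk rather than the router's own buffer (the IOS `logging buffered` store is RAM and is gone on reload; `logging host <syslog-server>` ships each message to a syslog daemon that writes it to disk), and Tina Bird notes that PPTP needs GRE (IP protocol 47) passed as well as TCP/1723, which is exactly the kind of failure an access-list log line shows you. The following is an added example for this thread, not code from any of the posts: a Python script that parses Cisco IOS access-list log messages as a syslog collector would store them and flags client/server pairs whose PPTP control connection was permitted while their GRE packets were denied. The log lines are constructed for the example and modelled on the IOS %SEC-6-IPACCESSLOGP / %SEC-6-IPACCESSLOGNP formats; the IOS commands in the comment are the standard `logging host`, `logging trap` and `access-list ... log` syntax but should be checked against your release; router name and addresses are made up.

```python
"""Parse Cisco IOS access-list log messages from a syslog feed and spot
half-blocked PPTP (TCP/1723 control channel permitted, GRE data channel denied).

Added example for the firewalls-list thread; not code from any of the posts.
"""
import re
from collections import Counter

# IOS side (assumed standard syntax; verify against your release):
#   logging host 10.0.0.20          ! send messages to a syslog server on disk
#   logging trap informational      ! ACL log messages are severity 6
#   access-list 101 permit tcp any host 198.51.100.5 eq 1723 log
#   access-list 101 permit gre any host 198.51.100.5 log
#   access-list 101 deny   ip  any any log
#   interface Serial0
#    ip access-group 101 in
# Without the 'permit gre' line a PPTP client completes the TCP/1723 handshake
# and then hangs, because its GRE (IP protocol 47) falls through to 'deny ip'.

GRE = 47
PPTP_CONTROL_PORT = 1723

# tcp/udp entries carry ports: %SEC-6-IPACCESSLOGP
# (an optional "(interface mac)" group appears after the source with log-input)
_LOGP = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\)"
    r"(?: \([^)]*\))? -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)
# other protocols carry only the protocol number: %SEC-6-IPACCESSLOGNP
_LOGNP = re.compile(
    r"%SEC-6-IPACCESSLOGNP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\d+) (?P<src>[\d.]+)(?: \([^)]*\))? -> (?P<dst>[\d.]+), (?P<count>\d+) packets?"
)


def parse_acl_log(line):
    """Return a dict for one ACL log line, or None for anything else
    (rate-limit notices, interface up/down messages, ...)."""
    m = _LOGP.search(line) or _LOGNP.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    if rec["proto"].isdigit():           # IPACCESSLOGNP: numeric protocol, no ports
        rec["proto"] = int(rec["proto"])
        rec["sport"] = rec["dport"] = None
    else:                                # IPACCESSLOGP: tcp/udp with ports
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
    return rec


def find_half_open_pptp(lines):
    """(src, dst) pairs whose TCP/1723 was permitted but whose GRE was denied."""
    control_ok, gre_denied = set(), set()
    for line in lines:
        rec = parse_acl_log(line)
        if rec is None:
            continue
        pair = (rec["src"], rec["dst"])
        if (rec["proto"] == "tcp" and rec["dport"] == PPTP_CONTROL_PORT
                and rec["action"] == "permitted"):
            control_ok.add(pair)
        elif rec["proto"] == GRE and rec["action"] == "denied":
            gre_denied.add(pair)
    return sorted(control_ok & gre_denied)


def count_by_action(lines):
    """Packets per (action, protocol), e.g. ('denied', 47) -> 10."""
    totals = Counter()
    for line in lines:
        rec = parse_acl_log(line)
        if rec is not None:
            totals[(rec["action"], rec["proto"])] += rec["count"]
    return totals


# Constructed sample, as a syslog daemon would write lines received from router rtr1.
SAMPLE_LOG = """\
May  8 15:31:34 rtr1 41: May  8 15:31:33.101 EDT: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.0.2.10(1040) -> 198.51.100.5(1723), 1 packet
May  8 15:31:35 rtr1 42: May  8 15:31:34.220 EDT: %SEC-6-IPACCESSLOGNP: list 101 denied 47 192.0.2.10 -> 198.51.100.5, 1 packet
May  8 15:31:36 rtr1 43: May  8 15:31:35.004 EDT: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.77(3021) -> 198.51.100.5(23), 1 packet
May  8 15:36:40 rtr1 44: May  8 15:36:39.871 EDT: %SEC-6-IPACCESSLOGNP: list 101 denied 47 192.0.2.10 -> 198.51.100.5, 9 packets
May  8 15:36:41 rtr1 45: May  8 15:36:40.000 EDT: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 12 packets
May  8 15:36:42 rtr1 46: May  8 15:36:41.333 EDT: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.0.2.30(1100) (Ethernet0 0000.0c07.ac01) -> 198.51.100.5(1723), 1 packet
May  8 15:36:43 rtr1 47: May  8 15:36:42.500 EDT: %SEC-6-IPACCESSLOGNP: list 101 permitted 47 192.0.2.30 -> 198.51.100.5, 4 packets
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for pair in find_half_open_pptp(lines):
        print("PPTP control permitted but GRE denied: %s -> %s" % pair)
    for (action, proto), n in sorted(count_by_action(lines).items(), key=str):
        print("%-9s proto %-4s %d packets" % (action, proto, n))
```

Note the IPACCESSLOGRL line: IOS rate-limits ACL logging, so the counts are a floor, not a total; treat a non-zero "denied 47" count between a pair that also shows permitted TCP/1723 as the signal, not the exact number. The same parser covers any other protocol-number denial (ESP, 50, for IPsec-based tunnels) by changing the constant.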
From owner-firewalls-outgoing Thu May 8 12:58:46 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA05827 for firewalls-outgoing; Thu, 8 May 1997 12:51:57 -0700 (PDT) Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id MAA05809; Thu, 8 May 1997 12:51:49 -0700 (PDT) Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id OAA26666; Thu, 8 May 1997 14:37:01 -0400 Date: Thu, 8 May 1997 14:36:57 -0400 (EDT) From: Rabid Wombat To: "Webb, Dean" cc: Firewalls@GreatCircle.COM, firewalls-digest@GreatCircle.COM Subject: Re: Legal responsibilities of filtering traffic (long) In-Reply-To: <2132495A1094D0118744006097307791057653@dalnt032.capgemini.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk As the subject line indicates, this doesn't relate to the technical aspects of firewalls. My apologies to those who consider this off-topic. Please press your delete key at the beep. On Thu, 8 May 1997, Webb, Dean wrote: > Having done some looking around on this issue, here's what I found. > First, I found two sites that gave some good summaries of the legal > issues of controlling content: http://www.gdf.com/lb2-2.htm and > http://mlb.com/speech1.htm. I strongly urge all sysadmins and webmasters > to check these sites out, as they relate directly to YOUR liabilities in > such positions. You may want to look more closely at: http://www.gdf.com/lb2-2.htm#N5 > > For example, should an employee download sexually explicit material > (from any source) and then forward it to other employees, even if all > the employees are of the same gender, that employee may be creating a > sexually hostile work environment (see Strauss v. Microsoft Corp, > mentioned at the second web site). 
(actually at: http://www.mlb.com/speech1.htm)

I am not a lawyer, but:

In general, the company becomes liable for individuals' actions which create a hostile work environment when the company fails to take prompt remedial action when such actions have been identified. Implying that this means that the company is obligated to prevent such actions BEFORE they occur is going too far, IMHO. There is absolutely no way that a company can prevent employees from circulating all offensive material before the act; the company can, and should, take steps to stop such actions when discovered, and should, through its policies and enforcements, discourage such activity.

> The company, not the employee, is then liable for the work environment and any damages it may cause. No matter what sort of taste it leaves in your mouth, the implication of this is that a company must take reasonable steps to insure a non-hostile work environment. If this means putting in a firewall rule like "All traffic to/from www.buck~nekkid.com/wowee!!! DENY," then that's what must be done.

This does not appear to me to be reasonable, as current technology does not, in fact, provide the ability to filter all offensive material. OTOH, if visits to specific sites have been reported, and no remedial action is taken (managerial or technical), then the company has failed to take corrective action to protect the workplace environment, and would become liable. Blocking a specific site might provide a legal defense, but is unlikely to stop users from accessing offensive material; they will just go elsewhere. Disciplinary action against offenders is generally more effective.

> If a company makes no decisions regarding content appearing on its server/BBS, then it is a distributor of said content, much like a newsstand or public library, and is not responsible for said content.
> If, however, a company does make decisions regarding content on its > server/BBS, then it is considered a publisher and is responsible for > said content (Stratton Oakmont, Inc. v. Prodigy Services Co., mentioned > at the second web site; see also Stern (as in Howard) v. Delphi Internet > Servs. Corp., same site). > Since a corporation does indeed exercise > editorial control and is considered responsible to some degree for > maintaining a certain level of acceptable conduct (the "non-hostile > environment" concept), then it is not difficult to construe that a > company is responsible for the information on its network, including but > not limited to email and web access. Your interpretation is that a company does exercise editorial control. Most companies do not exercise editorial control. If they resort to monitoring, however, this could be construed as editorial control, increasing exposure, IMHO. > > SUMMARY: Companies are responsible for all the packets zipping around on > its wires. But wait, there's more... > I disagree with your interpretations; companies are generally not liable for what gets scrawled on the washroom wall. They are liable for leaving it there when it has been identified as a problem. > If a company does not state clearly its intention to monitor any and all > network traffic and content of hard drives and floppies, the employees > have every reason to assume full privacy of their communications, > leaving them under protection of the federal Wiretap Act. Therefore, it > is up to the company to clearly state its authority to monitor any and > all traffic, etc., even if it does not intend to do so immediately, or > it can be in violation of federal and/or state laws regarding the > interception of electronic traffic. > In general, yes. However, a usage policy which states that company computer and telecommunications equipment are to be used only for business purposes offers limited protection. See Bourke v. Nissan Motor Corp., No. 
BO68705 (Cal.Ct. App. July 26, 1993). I would not risk this, however. The better approach is to implement a usage policy that specifies that monitoring capabilities exist, and may be employed by the IS staff when formally requested by management when evidence of misuse exists. > SUMMARY: Even if you don't like it, you need to reserve your right to > read anything and everything on your wires, hard drives, and floppies, > etc., or it can be construed that you have surrendered such rights by > your privacy-lovin' employees, regardless of what they may be doing with > your Internet connection. > It is wise to add this to formal policy; however, I would add that the review of logs outside normal operating procedure can/will be conducted only upon the written request of management to the IS staff when cause exists. > The legal facts are there for all to see: like it or not, companies MUST > preserve the work environment and that might very well entail monitoring > network traffic, which MANDATES that a corporate policy informing all > employees of the company's right to monitor all traffic must be clearly > composed and communicated. Otherwise, your corporation is vulnerable to > legal action from a variety of fronts, and your corporation will not > have all its bases covered in such actions, leaving its liability waving > in the breeze. > Yes. If you don't have a formal policy, develop and implement one. > Furthermore, a company would be very wise to institute non-intrusive > monitoring methods and proactive HR methods to insure that no one need > be disgruntled, offended or offender. Web traffic and SMTP traffic can > be monitored on the company wires by software that only alerts > administrators in the case of a potential problem. Not only would this > reduce overhead (no one need read EVERY mail), but it would not irk > those who play by the rules and keep things clean. 
>

This is inconsistent with your above arguments that a company must block all offensive material in order to avoid the liability associated with creating/allowing a hostile work environment. If you only monitor SOME traffic, how can you be responsible for ALL traffic? This is why I oppose technical solutions being implemented as policy; they are better applied as remedial action, after actions have been discovered, and on a case-by-case basis.

Disclaimer: I am not a lawyer, this is free advice, and you generally get what you pay for.

-r.w.

From owner-firewalls-outgoing Thu May 8 13:28:34 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA08800 for firewalls-outgoing; Thu, 8 May 1997 13:19:12 -0700 (PDT) Received: from ns1.capgem.com (ns1.capgem.com [204.153.60.254]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id NAA08783; Thu, 8 May 1997 13:19:05 -0700 (PDT) Received: from smtp.capgemini.com by ns1.capgem.com (5.x/SMI-SVR4) id AB08055; Thu, 8 May 1997 15:30:30 -0500 Received: by dalex01.capgemini.com with Internet Mail Service (5.0.1457.3) id ; Thu, 8 May 1997 15:18:41 -0500 Message-Id: <2132495A1094D01187440060973077910576A2@dalnt032.capgemini.com> From: "Webb, Dean" To: Rabid Wombat Cc: Firewalls@GreatCircle.COM, firewalls-digest@GreatCircle.COM Subject: RE: Legal responsibilities of filtering traffic (now short) Date: Thu, 8 May 1997 15:18:40 -0500 X-Priority: 3 Mime-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1457.3) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Just to clarify my arguments: I agree that there is *no way in h-e-double-hockey-sticks* that all traffic can be monitored on most networks. I feel, however, that a company should be making a good faith effort to do what it can to keep things clean.
I agree with Rabid Wombat (this is one phrase that would get a few yucks out of context ) in that a company is not liable for the "lipstick on the mirror," unless it doesn't make a good faith effort to get the stuff cleaned up. Email is like weaponry: we have a right to use/own the stuff, but its improper use can hurt others and there isn't any foolproof way to prevent *everyone* from doing something wacko with it. To get this back on track, firewalls, proxies, sniffers and the like will be the tools used to enforce a company's security/hr/whatever policy as it relates to network traffic. The how-to on getting this done would belong here, the "You're a fascist!"/"Am not!" stuff, I agree, is off-topic for this list and would be better on the EIC@versalink.com "Ethics in Computing" list. I wrote in to respond to all the nude.com stuff, which was getting to be an ethical, rather than technical, argument. The fact remains that, technically (see? back on track), companies do have a charge to keep their little sandboxes tidy. How tidy and how-to keep it tidy is going to be a matter of debate ad infinitum. So, to get this firmly back on topic, To use multiple internal firewalls or monitor traffic? how much of each is needed to secure your internal stuff from the employees you don't trust and to keep the sleazeoids (my apologies to any sleazeoids that take offense at being called sleazoids) from offending the innocent, overly-sensitive, and other such victims. Techniques, ladies, gents, and otherwise, on architecture and such, if you will. Any war stories on how you might have herded the dogies away from them nekkid wimmin sites or kept the users away from savaging the personnel files? I'd be interested in that stuff and how technology fared against brute humanity. Free speech while supplies last, Dean Webb Voltaire (1694-1778): "I may disagree with what you have to say, but I shall defend, to the death, your right to say it." 
From owner-firewalls-outgoing Thu May 8 13:44:06 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA11055 for firewalls-outgoing; Thu, 8 May 1997 13:35:28 -0700 (PDT) Received: from panix2.panix.com (panix2.panix.com [198.7.0.3]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA11008; Thu, 8 May 1997 13:35:13 -0700 (PDT) Received: (from guy@localhost) by panix2.panix.com (8.8.5/8.7/PanixU1.3) id QAA23612; Thu, 8 May 1997 16:35:19 -0400 (EDT) Date: Thu, 8 May 1997 16:35:19 -0400 (EDT) From: Information Security Message-Id: <199705082035.QAA23612@panix2.panix.com> To: Firewalls@GreatCircle.COM, firewalls-digest@GreatCircle.COM Subject: Re: Legal responsibilities of filtering traffic (long) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > From: "Webb, Dean" > > SUMMARY: Companies are responsible for all the packets zipping around on > its wires. But wait, there's more... > > If a company does not state clearly its intention to monitor any and all > network traffic and content of hard drives and floppies, the employees > have every reason to assume full privacy of their communications, > leaving them under protection of the federal Wiretap Act. Therefore, it > is up to the company to clearly state its authority to monitor any and > all traffic, etc., even if it does not intend to do so immediately, or > it can be in violation of federal and/or state laws regarding the > interception of electronic traffic. This is not true. A company in Pennsylvania explicitly told its employees it was not monitoring email, but then fired someone who said hostile things in email. He sued, but lost in court: the court ruled that even though the company said it wasn't monitoring, it still had the legal right to do so. 
The Federal Wiretap Act has an exemption for private companies, and when a company reads someone's email it is always from disk - not realtime - and so it is considered 'archived' and again not subject to the Act. You are quite correct in your overall thrust however. Put in place a clear policy statement; in the case of Salomon Brothers: "We can audit any and all of our systems EVEN IF YOU PUT PERSONAL INFORMATION on them. My job was to check Internet email traffic, which I did with the aid of specialized analytics. My theory on why this is not "Big Brother" oppressive is that there is now widespread cheap Internet access available for the masses, so if you want to screw around with personal email you can always do so from home. And that that really means you can continue to do personal email from work, but now you've been warned not to pull anything screwy. Like send out Risk Management reports, or Unix passwords, or Sybase passwords, or source code, or employee social security numbers. Gawd, it never stopped even though we warned people again and again and again. Even when we fired people it didn't stop. Even when we prosecuted them. > Having worked at a company with proactive monitoring policies > communicated to its employees and enforced fairly and as evenly as > possible, I can say that I have seen it done successfully. Then you were either A) not privy to all the security incidents and their handling because I've never seen a company get it right yet, or B) your monitoring software was ineffective, yielding very few security incidents. > Web traffic and SMTP traffic can > be monitored on the company wires by software that only alerts > administrators in the case of a potential problem. Now I know you are wrong. No such AI software exists on the planet. You are not qualified to state that, obviously. You put in a disclaimer that you aren't a lawyer, but forgot a technical disclaimer too. 
---- If anyone would like to receive a detailed document (print it out: it takes about three hours to read) on email monitoring, in the form of a complaint against Salomon Brothers, ask me. No company proprietary information is in it, but it does otherwise show actual security incident reports and talk about monitoring in detail. Real-world experience of a traffic analysis person. An excellent document for a company considering the issues. I am not a vendor, and do not do business with the public. ---guy, Internet Risk Management Analytics creator. From owner-firewalls-outgoing Thu May 8 14:28:42 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA15919 for firewalls-outgoing; Thu, 8 May 1997 14:19:06 -0700 (PDT) Received: from niccolo.gsfc.nasa.gov (niccolo.gsfc.nasa.gov [192.86.19.253]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id OAA15886 for ; Thu, 8 May 1997 14:18:57 -0700 (PDT) Received: from cscgt.gsfc.nasa.gov by niccolo.gsfc.nasa.gov (4.1/1.34) id AA00603; Thu, 8 May 97 17:28:31 EDT Received: from ccMail by cscgt.gsfc.nasa.gov (IMA Internet Exchange 2.02 Enterprise) id 37245180; Thu, 8 May 97 17:26:48 -0400 Mime-Version: 1.0 Date: Thu, 8 May 1997 16:09:57 -0400 Message-Id: <37245180.1746@cscgt.gsfc.nasa.gov> From: Matthew_J._Fisher_at_ssdlncpo@cscgt.gsfc.nasa.gov (Matthew J. Fisher) Subject: Need RFC 1060 To: firewalls@greatcircle.com Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Description: cc:Mail note part Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi All, Does anyone have a copy of RFC 1060 they could mail me? Or perhaps a URL for it? A colleague has searched for it to no avail, but we really need a definitive list of services:port. Many thanks, Matt.
From owner-firewalls-outgoing Thu May 8 15:14:07 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id PAA23093 for firewalls-outgoing; Thu, 8 May 1997 15:09:51 -0700 (PDT) Received: from testwall.dsava.com (testwall.dsava.com [199.98.116.31]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id PAA23056 for ; Thu, 8 May 1997 15:09:37 -0700 (PDT) Received: from leach.dsava.com (leach.dsava.com [192.234.181.155]) by testwall.dsava.com (8.8.3/8.8.3) with SMTP id RAA11458; Thu, 8 May 1997 17:27:10 -0400 Message-Id: <199705082127.RAA11458@testwall.dsava.com> Comments: Authenticated sender is From: "Jim Leach" To: Matthew_J._Fisher_at_ssdlncpo@cscgt.gsfc.nasa.gov (Matthew J. Fisher) Date: Thu, 8 May 1997 18:08:58 +0000 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Re: Need RFC 1060 Reply-to: jleach@dsava.com CC: firewalls@GreatCircle.COM In-reply-to: <37245180.1746@cscgt.gsfc.nasa.gov> X-mailer: Pegasus Mail for Win32 (v2.52) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Matt, check out http://ds.internic.net/rfc/rfc1060.txt See also http://ds.internic.net/rfc/rfc1700.txt (1994 version) Hope this helps. --Jim > Date: Thu, 8 May 1997 16:09:57 -0400 > From: Matthew_J._Fisher_at_ssdlncpo@cscgt.gsfc.nasa.gov (Matthew J. Fisher) > Subject: Need RFC 1060 > To: firewalls@GreatCircle.COM > > Hi All, > > Does anyone have a copy of RFC 1060 they could mail me? Or perhaps a > URL for it? > > A colleague has searched for it to no avail, but we really need a > definitive list of services:port. > > Many thanks, > Matt. > > Jim Leach Decision-Science Applications, Inc. 1110 N. 
Glebe Rd., Suite 400 Arlington, VA 22201 (703) 875-9206 or jleach@dsava.com From owner-firewalls-outgoing Thu May 8 15:45:09 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id PAA24629 for firewalls-outgoing; Thu, 8 May 1997 15:23:32 -0700 (PDT) Received: from ender.oakmanor.com ([208.200.123.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id PAA24585 for ; Thu, 8 May 1997 15:23:12 -0700 (PDT) Received: by locke.oakmanor.com with Internet Mail Service (5.0.1457.3) id ; Thu, 8 May 1997 18:20:30 -0400 Message-ID: <71CE53445003D011B77D00805F74C35008027D@locke.oakmanor.com> From: Brian Toole To: "'Matthew_J._Fisher_at_ssdlncpo@cscgt.gsfc.nasa.gov'" , firewalls@greatcircle.com Subject: RE: Need RFC 1060 Date: Thu, 8 May 1997 18:20:25 -0400 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1457.3) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk All the RFC documents can be located at: http://www.internic.net/rfc/rfc[number].txt in particular http://www.internic.net/rfc/rfc1060.txt Isn't this a FAQ item somewhere? If not, it should be. --Brian From owner-firewalls-outgoing Thu May 8 15:58:22 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id PAA23597 for firewalls-outgoing; Thu, 8 May 1997 15:12:48 -0700 (PDT) Received: from pino.demon.nl (pino.demon.nl [194.159.226.41]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id PAA23537 for ; Thu, 8 May 1997 15:12:36 -0700 (PDT) Received: from localhost (arjan@localhost) by pino.demon.nl (8.8.4/8.8.4) with SMTP id XAA00623; Thu, 8 May 1997 23:12:12 +0200 Date: Thu, 8 May 1997 23:12:12 +0200 (MET DST) From: Arjan Vos To: "Matthew J. Fisher" cc: firewalls@greatcircle.com Subject: Re: Cisco Routers; Logging (?)
In-Reply-To: <372280A0.1746@cscgt.gsfc.nasa.gov> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thu, 8 May 1997, Matthew J. Fisher wrote: > Hi All, > > Does anyone know what logging features are common to Cisco routers? > Unfortunately I can't get into specific models. > > How would one establish/configure logging (preferably to a hard disk, > as opposed to the router nvram/ram). > > Thanks in advance, > Matt > Well, I would send log messages via syslog to a log host. You can configure the logging with the following commands (from memory, so correct me if I'm wrong)

logging
logging facility <...>   # to configure your levels (facilities) of logging
logging trap <..>        # send syslog messages from level X and up...

Also you may enable "access-violations" (from IOS 11.2 I believe), and if you have a VIP (Versatile Interface Processor???) card you can use "slave-log" to log to one or more consoles... Gr. Arjan -- Eat hard Sleep hard Wear glasses if you need them From owner-firewalls-outgoing Thu May 8 16:36:54 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id QAA00342 for firewalls-outgoing; Thu, 8 May 1997 16:21:04 -0700 (PDT) Received: from Kitten.mcs.com (Kitten.mcs.com [192.160.127.90]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id QAA00313; Thu, 8 May 1997 16:20:56 -0700 (PDT) Received: from Mercury.mcs.net (madmac@Mercury.mcs.net [192.160.127.80]) by Kitten.mcs.com (8.8.5/8.8.2) with SMTP id SAA00685; Thu, 8 May 1997 18:20:50 -0500 (CDT) Date: Thu, 8 May 1997 18:20:50 -0500 (CDT) From: "Douglas M.
MacFarlane" To: "Webb, Dean" cc: Rabid Wombat , Firewalls@GreatCircle.COM, firewalls-digest@GreatCircle.COM Subject: RE: Legal responsibilities of filtering traffic (now short) In-Reply-To: <2132495A1094D01187440060973077910576A2@dalnt032.capgemini.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I found Guy Panos's (sp?) serial on "Corruption at Salomon Brothers" quite interesting. I didn't see much in the way of followup. To what extent do organizations actually attempt to monitor (and I mean monitor, not just have the ability but not use it) activity? Most, but not all, of the organizations I deal with adhere to the "we have the ability, but it's up to the individual manager to deal with a specific employee's behavior" doctrine. I know that NONE of their HR departments were involved in developing the AUP and Security Policies, unfortunately, other than to rubber-stamp it and add it to the HR manual. Doug Douglas M. MacFarlane Principal, Vauban Industries madmac@mcs.net From owner-firewalls-outgoing Thu May 8 17:11:35 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id QAA03132 for firewalls-outgoing; Thu, 8 May 1997 16:48:52 -0700 (PDT) Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id QAA03091 for ; Thu, 8 May 1997 16:48:38 -0700 (PDT) Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id SAA27078; Thu, 8 May 1997 18:34:11 -0400 Date: Thu, 8 May 1997 18:34:08 -0400 (EDT) From: Rabid Wombat To: "Matthew J. Fisher" cc: firewalls@GreatCircle.COM Subject: Re: Need RFC 1060 In-Reply-To: <37245180.1746@cscgt.gsfc.nasa.gov> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thu, 8 May 1997, Matthew J.
Fisher wrote: > > Hi All, > > Does anyone have a copy of RFC 1060 they could mail me? Or perhaps a > URL for it? http://www.cis.ohio-state.edu/htbin/rfc/rfc1060.html -r.w. From owner-firewalls-outgoing Thu May 8 17:13:29 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA05128 for firewalls-outgoing; Thu, 8 May 1997 17:07:02 -0700 (PDT) Received: from proxy3.ba.best.com (proxy3.ba.best.com [206.184.139.14]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id RAA05089 for ; Thu, 8 May 1997 17:06:52 -0700 (PDT) Received: from shellx.best.com (shellx.best.com [206.86.0.11]) by proxy3.ba.best.com (8.8.5/8.8.3) with ESMTP id RAA14952; Thu, 8 May 1997 17:05:52 -0700 (PDT) Received: from localhost (kgibbs@localhost) by shellx.best.com (8.8.5/8.8.3) with SMTP id RAA17127; Thu, 8 May 1997 17:04:40 -0700 (PDT) Date: Thu, 8 May 1997 17:04:40 -0700 (PDT) From: "Kelly E. Gibbs" To: "Matthew J. Fisher" cc: firewalls@GreatCircle.COM Subject: Re: Cisco Routers; Logging (?) In-Reply-To: <372280A0.1746@cscgt.gsfc.nasa.gov> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk syslogd !!! On Thu, 8 May 1997, Matthew J. Fisher wrote: > Hi All, > > Does anyone know what logging features are common to Cisco routers? > Unfortunately I can't get into specific models. > > How would one establish/configure logging (preferably to a hard disk, > as opposed to the router nvram/ram). 
> > Thanks in advance, > Matt > From owner-firewalls-outgoing Thu May 8 17:28:13 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA04903 for firewalls-outgoing; Thu, 8 May 1997 17:05:22 -0700 (PDT) Received: from pluto (pluto.citadel.com.au [203.14.230.9]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id RAA04883 for ; Thu, 8 May 1997 17:05:13 -0700 (PDT) Received: from aaron.citadel.com.au (ppp-syd-142.ca.com.au [203.23.80.142]) by pluto (8.7.6/8.7.3) with SMTP id KAA16360 for ; Fri, 9 May 1997 10:05:12 +1000 Message-Id: <3.0.1.32.19970509100240.007da190@pluto.citadel.com.au> X-Sender: aaron@pluto.citadel.com.au X-Mailer: Windows Eudora Light Version 3.0.1 (32) Date: Fri, 09 May 1997 10:02:40 +1000 To: Firewalls@GreatCircle.COM From: Aaron Everingham Subject: Encryption outside US Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I got a lot of emails for the same info so... www.tis.com - then go to RecoverKey for details. Also look up press releases on the site. www.microsoft.com - do a search for RecoverKey and Key Recovery and csp and CryptoAPI www.netscape - search for RecoverKey or Key Recovery www.mcafee.com - search TIS and recoverkey This system will manifest itself in TIS Gauntlet Internet Firewall VPN and NetExtender first (probably). Microsoft csp with IE4.0 is also imminent.
I am still waiting to see how this might work with IPSec Citadel Security Management Systems Aaron Everingham - Northern Regions Manager aaron@citadel.com.au Ph: +61 02 9211 8700 Fax: +61 02 9211 8701 Suite 1, 330 Wattle Street Ultimo NSW 2007 Australia 'It's all about being digital' - Negroponte From owner-firewalls-outgoing Thu May 8 17:43:30 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id QAA03078 for firewalls-outgoing; Thu, 8 May 1997 16:48:23 -0700 (PDT) Received: from pluto (pluto.citadel.com.au [203.14.230.9]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id QAA03028 for ; Thu, 8 May 1997 16:48:05 -0700 (PDT) Received: from aaron.citadel.com.au (ppp-syd-142.ca.com.au [203.23.80.142]) by pluto (8.7.6/8.7.3) with SMTP id JAA16289; Fri, 9 May 1997 09:47:19 +1000 Message-Id: <3.0.1.32.19970509094443.007dd100@pluto.citadel.com.au> X-Sender: aaron@pluto.citadel.com.au X-Mailer: Windows Eudora Light Version 3.0.1 (32) Date: Fri, 09 May 1997 09:44:43 +1000 To: Adam Shostack From: Aaron Everingham Subject: Re: Encryption Outside US Cc: Firewalls@GreatCircle.COM In-Reply-To: <199705081121.HAA21721@homeport.org> References: <3.0.1.32.19970508180325.007da860@pluto.citadel.com.au> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >Aaron Everingham wrote: >| There is a way for non-US orgs to get triple DES or strong encryption. If the product you want is RecoverKey compliant, you can access 128 bit or triple DES or strong encryption (whatever you want to call it). >Adam Shostack wrote: >Can you cite an instance of a company actually exporting 3des legally from the US? I don't believe its happened yet, GAK* or no. Hmmm....
the RecoverKey technology has only been recently licensed and companies are building it into product right now but I can tell you that in Australia where there will be a public KRC by August 1, we are running a VPN module from TIS that will support Key Recovery. So yeah, I can cite one site at least. Some of the companies who have lined up behind this are pretty impressive: Microsoft, IBM, HP, McAfee plus others (Netscape rumored). There are a couple of other things like Microsoft's CSP (crypto service provider), a shell into which a crypto engine can be loaded. TIS have a RecoverKey compliant engine for the csp today and it is 3des. Citadel Security Management Systems Aaron Everingham - Northern Regions Manager aaron@citadel.com.au Ph: +61 02 9211 8700 Fax: +61 02 9211 8701 Suite 1, 330 Wattle Street Ultimo NSW 2007 Australia 'It's all about being digital' - Negroponte From owner-firewalls-outgoing Thu May 8 18:13:36 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA13389 for firewalls-outgoing; Thu, 8 May 1997 17:56:34 -0700 (PDT) Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id RAA13335 for ; Thu, 8 May 1997 17:56:21 -0700 (PDT) Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id UAA26172; Thu, 8 May 1997 20:54:16 -0400 (EDT) From: Adam Shostack Message-Id: <199705090054.UAA26172@homeport.org> Subject: Re: Encryption Outside US In-Reply-To: from Todd Graham Lewis at "May 8, 97 02:59:58 pm" To: lists@reflections.eng.mindspring.net (Todd Graham Lewis) Date: Thu, 8 May 1997 20:54:15 -0400 (EDT) Cc: Firewalls@GreatCircle.COM X-Mailer: ELM [version 2.4ME+ PL27 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Todd Graham Lewis wrote: | uuencoding makes OCR easier.
Also, I forgot to mention gzip'ing it first, | which both makes the process faster (OCR is a pain proportional to the | size of text R'd) and requires uuencoding. You might consider using some variant of OPIE encoding, which makes it longer, but lets you use letter context info to recover errors. Uuencoded text has no redundancy at all, which probably makes scanning a bear. Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From owner-firewalls-outgoing Thu May 8 18:28:26 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA13230 for firewalls-outgoing; Thu, 8 May 1997 17:55:54 -0700 (PDT) Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id RAA13107 for ; Thu, 8 May 1997 17:55:25 -0700 (PDT) Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id UAA26161; Thu, 8 May 1997 20:52:47 -0400 (EDT) From: Adam Shostack Message-Id: <199705090052.UAA26161@homeport.org> Subject: Re: Encryption Outside US In-Reply-To: <3.0.1.32.19970509094443.007dd100@pluto.citadel.com.au> from Aaron Everingham at "May 9, 97 09:44:43 am" To: aaron@citadel.com.au (Aaron Everingham) Date: Thu, 8 May 1997 20:52:46 -0400 (EDT) Cc: firewalls@greatcircle.com (Firewalls mailing list) X-Mailer: ELM [version 2.4ME+ PL27 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Aaron Everingham wrote: | >Aaron Everingham wrote: | >| There is a way for non-US orgs to get triple DES or strong encryption. | If the product you want is RecoverKey compliant, you can access 128 bit or | triple DES or strong encryption (whatever you want to call it). Not today you can't. Today no one has a license to do general 3des with or without any form of GAK. (You can do special purpose software, but not general encryption.)
| >Adam Shostack wrote: | >Can you cite an instance of a company actually exporting 3des legally from | the US? I don't believe its happened yet, GAK* or no. | | Hmmm.... the RecoverKey technology has only been recently licenced and | companies are building it into product right now but I can tell you that in | Australia where there will be a public KRC by August 1, we are running a | VPN module from TIS that will support Key Recovery. So yeah, I can cite one | site at least. Again, I don't believe anyone has an export license for 3des. TIS, as far as I know, has an export license for single des. If I'm wrong, I invite any of the TIS folks here to say so in public or drop me a private mail message, and I'll retract this. But TODAY, there is no export of 3des. Commerce is still stringing people along. Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From owner-firewalls-outgoing Thu May 8 19:12:19 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id SAA22389 for firewalls-outgoing; Thu, 8 May 1997 18:42:50 -0700 (PDT) Received: from xyzzy.plugh.edmonton.ab.ca (xyzzy.plugh.edmonton.ab.ca [198.161.22.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id SAA22363 for ; Thu, 8 May 1997 18:42:42 -0700 (PDT) Received: (from uucp@localhost) by xyzzy.plugh.edmonton.ab.ca (8.6.12/8.6.9) id TAA19536; Thu, 8 May 1997 19:42:42 -0600 Received: from snouts-gw.obtuse.com(192.168.30.61), claiming to be "snouts.obtuse.com" via SMTP by mailhost.plugh.edmonton.ab.ca, id smtpd19534aaa; Thu May 8 19:42:39 1997 Received: (from beck@localhost) by snouts.obtuse.com (8.7.5/8.7.3) id TAA22825; Thu, 8 May 1997 19:42:35 -0600 From: Bob Beck Message-Id: <199705090142.TAA22825@snouts.obtuse.com> Subject: Re: Need to restrict http://www.nude.com and such To: lothie@tis.com (Mimi Herrmann) Date: Thu, 8 May 1997 19:42:34 -0600 (MDT) Cc: Firewalls@GreatCircle.COM In-Reply-To: <3.0.32.19970508114544.0095a140@pop.rv.tis.com> 
from "Mimi Herrmann" at May 8, 97 11:45:46 am X-Mailer: ELM [version 2.4 PL25] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Dana, I think that in the case of the library you're talking about, that > YES, you DO need some way to block sites. It's a management issue when > you're talking about adults in an office environment going to porn sites > instead of doing work. BIG difference. In the library environment, where > the parents aren't there to supervise what the kids see, and the library > staff can't do that either, it makes PERFECT SENSE to block sites. In my > opinion, it makes a lot less sense to block sites in an office environment, > where it's adults doing the accessing as opposed to doing their jobs > (potentially). (Sigh..) I particularly disagree in the library case, and this comes from a parent with children who shouldn't be looking at that stuff. Blocking sites is never that effective, and merely ends up with the kids finding their way around it. I've watched it done! All I think you will accomplish by doing it is give parents the idea that it is perfectly ok to let their kids roam on the internet unsupervised. NO! it just plain isn't. The net is a mirror of society as a whole, the best, the worst, and the great clueless masses. Lots of it is great and lots isn't. Would you let someone take your children on a field trip to roam around "partially" supervised in a randomly chosen neighborhood in a large city? Might be good, might be bad. The net's the same way. Do I think the library should turn kids loose on the net without parental consent indicating the parent is aware of the consequences and will supervise? No. Same as I don't think they should give a kid a library card without the same. Both entail some responsibilities and risks that the parents need to be made aware of.
Aside from promoting censorship (which really has no business in a library) and begging for a lawsuit when it misses something, I think this is simply an excuse for parents wanting the library to do their job for them. Forget it. Spend some time with your kids on the net. Teach them what's right, wrong, and just plain stupid. Don't turn them loose and expect technology to supervise. -Bob From owner-firewalls-outgoing Thu May 8 19:43:15 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id TAA28164 for firewalls-outgoing; Thu, 8 May 1997 19:28:25 -0700 (PDT) Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id TAA28149 for ; Thu, 8 May 1997 19:28:19 -0700 (PDT) Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id WAA26636; Thu, 8 May 1997 22:25:31 -0400 (EDT) From: Adam Shostack Message-Id: <199705090225.WAA26636@homeport.org> Subject: Re: Encryption outside US In-Reply-To: <3.0.1.32.19970509100240.007da190@pluto.citadel.com.au> from Aaron Everingham at "May 9, 97 10:02:40 am" To: aaron@citadel.com.au (Aaron Everingham) Date: Thu, 8 May 1997 22:25:31 -0400 (EDT) Cc: Firewalls@GreatCircle.COM X-Mailer: ELM [version 2.4ME+ PL27 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I'll add a few URLs to the list. http://people.qualcomm.com/karn/export/3des.html is Phil Karn's 1996 attempt to export 3des to two US citizens working in the Singapore office of a US company. ftp://ftp.cygnus.com/pub/export/export.html is John Gilmore's page on export control, with links to the Bernstein case, the Karn case, and the Zimmermann case. Adam -- "It is seldom that liberty of any kind is lost all at once."
-Hume From owner-firewalls-outgoing Thu May 8 20:14:49 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id TAA29512 for firewalls-outgoing; Thu, 8 May 1997 19:44:35 -0700 (PDT) Received: from mail.ka.inka.de (quechua.inka.de [193.197.84.5]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id TAA29505 for ; Thu, 8 May 1997 19:44:28 -0700 (PDT) Received: from uu.inka.de ([193.197.84.8]) by mail.ka.inka.de with smtp (ident root using rfc1413) id m0wPfeP-0004FZC (Debian Smail-3.2 1996-Jul-4 #2); Fri, 9 May 1997 04:43:17 +0200 (MET DST) Received: from lina.inka.de (lists@lina.inka.de) by uu.inka.de with bsmtp (S3.1.29.1) id ; Fri, 9 May 97 04:43 MET DST Received: by lina.inka.de id m0wPfET-00016mC (Debian Smail-3.2 1996-Jul-4 #2); Fri, 9 May 1997 04:16:09 +0200 (CEST) Message-Id: Date: Fri, 9 May 1997 04:16:08 +0200 From: Bernd Eckenfels To: Adam Shostack Cc: Aaron Everingham , Firewalls mailing list Subject: Re: Encryption Outside US References: <3.0.1.32.19970509094443.007dd100@pluto.citadel.com.au> <199705090052.UAA26161@homeport.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.67 In-Reply-To: <199705090052.UAA26161@homeport.org>; from Adam Shostack on Thu, May 08, 1997 at 08:52:46PM -0400 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello, > Not today you can't. Today no one has a license to do general > 3des with or without any form of GAK. (You can do special purpose > software, but not general encryption.) Well, since IDEA (128 true bits) is faster anyway, nobody would be so foolish and use 3DES :) Greetings Bernd -- (OO) -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de -- ( ..
) ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/ o--o *plush* 2048/93600EFD eckes@irc +4972573817 BE5-RIPE (O____O) If privacy is outlawed only Outlaws have privacy From owner-firewalls-outgoing Thu May 8 20:43:15 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id UAA06252 for firewalls-outgoing; Thu, 8 May 1997 20:36:42 -0700 (PDT) Received: from hal-pc.org (hal-pc.org [204.52.135.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id UAA06245 for ; Thu, 8 May 1997 20:36:37 -0700 (PDT) Received: from max0-104.hal-pc.org (max0-104.hal-pc.org [209.16.24.104]) by hal-pc.org (8.7.5/8.6.9) with SMTP id WAA16910 for ; Thu, 8 May 1997 22:36:41 -0500 (CDT) Message-Id: <199705090336.WAA16910@hal-pc.org> Comments: Authenticated sender is From: "robertp@hal-pc.org" Organization: hal-pc.org To: firewalls@greatcircle.com Date: Thu, 8 May 1997 22:37:57 +0000 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Password Aging System for Unix X-mailer: Pegasus Mail for Windows (v2.52) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I have approximately 12 Suns and a similar number of Solaris workstations behind an ANS Interlock Firewall/SecurID combination. The Suns and Solaris workstations contain extremely sensitive information that we have password protected. I'm trying to locate some type of an application that I can put on BOTH types of workstations to alert me when passwords are 30 days old and also send a message to the user that their password is about to expire. The only thing I'm aware of is NIS Plus that I can use on Solaris; however, it will not work with the Suns. Any help would be appreciated.
Since this is only remotely related to firewalls, please e-mail me direct at rplauman@ems.jsc.nasa.gov Many thanks Bob Plaumann Bob Plaumann It is difficult to say what is impossible for the dream of yesterday is the reality of tomorrow - Dr. Robert H. Goddard From owner-firewalls-outgoing Fri May 9 00:28:45 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id AAA16994 for firewalls-outgoing; Fri, 9 May 1997 00:20:04 -0700 (PDT) Received: from chaos.coredcs.com (chaos.coredcs.com [198.150.193.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id AAA16984 for ; Fri, 9 May 1997 00:19:52 -0700 (PDT) Received: (from jleu@localhost) by chaos.coredcs.com (8.8.5/8.8.0) id CAA10205; Fri, 9 May 1997 02:19:45 -0500 From: "James R. Leu" Message-Id: <199705090719.CAA10205@chaos.coredcs.com> Subject: Re: Cisco Routers; Logging (?) To: arjan@pino.demon.nl (Arjan Vos) Date: Fri, 9 May 1997 02:19:45 -0500 (CDT) Cc: Matthew_J._Fisher_at_ssdlncpo@cscgt.gsfc.nasa.gov, firewalls@GreatCircle.COM In-Reply-To: from "Arjan Vos" at May 8, 97 11:12:12 pm X-Mailer: ELM [version 2.4 PL25] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Make sure you tell syslogd to allow outside connections. I believe it is the -f option. James R. Leu -- James R. Leu Network Administrator CORE Digital Communication Services jleu@coredcs.com > > On Thu, 8 May 1997, Matthew J. Fisher wrote: > > > Hi All, > > > > Does anyone know what logging features are common to Cisco routers? > > Unfortunately I can't get into specific models. > > > > How would one establish/configure logging (preferably to a hard disk, > > as opposed to the router nvram/ram). > > > > Thanks in advance, > > Matt > > > > Well, I would send log messages via syslog to a log host.
You can > configure the logging with the following commands (from memory, so correct > me if I'm wrong) > > logging logging facility <...> # to configure your levels (facilities) of logging > logging trap <..> #send syslog message from level X an up... > > Also you may enable "access-violations" (from IOS 11.2 I believe), and if > you have a VIP (Versatile Interface Processor???) card you can use > "slave-log" to log to one or more consoles... > > Gr. Arjan > > -- > Eat hard > Sleep hard > Wear glasses if you need them > From owner-firewalls-outgoing Fri May 9 01:58:59 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id BAA23920 for firewalls-outgoing; Fri, 9 May 1997 01:44:00 -0700 (PDT) Received: from mari.co.uk (atlas.mari.co.uk [195.92.37.208]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id BAA23913 for ; Fri, 9 May 1997 01:43:51 -0700 (PDT) Received: by firewall.mari.co.uk id <4298-1>; Fri, 9 May 1997 09:49:29 +0100 From: Robert Campbell To: "firewalls@greatcircle.com" Subject: Re: Need to restrict http://www.nude.com and such Unacceptable site filtering Date: Fri, 9 May 1997 17:43:00 +0100 Message-Id: <97May9.094929bst.4298-1@firewall.mari.co.uk> X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk all that stuff about unacceptable site filtering, it all comes down to the fact that as an employer, or service provider (to the library for example), especially where PUBLIC access concerned, you have a 'duty of care' to all who may use the system. In the UK its likley that the employer especially local government may be liable for the consequences of an employee's misuse. For the best product in this are look at Secure Computing's Smart Filter. Available as a stand alone, or netscape/MS proxy plug in robert.campbell@mari.co.uk MARI Group Ltd. 
[ and yes we are Secure Computing's reseller] From owner-firewalls-outgoing Fri May 9 02:20:13 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id CAA26042 for firewalls-outgoing; Fri, 9 May 1997 02:06:40 -0700 (PDT) Received: from h01.scientia.com (h01.scientia.com [194.216.183.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id CAA26016 for ; Fri, 9 May 1997 02:06:24 -0700 (PDT) Received: by h01.scientia.com with SMTP id KAA03580 for ; Fri, 9 May 1997 10:06:11 +0100 Message-Id: <199705090906.KAA03580@h01.scientia.com> X-Sender: firewall@pop-server X-Mailer: Windows Eudora Light Version 1.5.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 09 May 1997 10:05:40 +0100 To: firewalls@greatcircle.com From: Ian Miller Subject: Re: Encryption Outside US Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >There is a way for non-US orgs to get tripple DES or strong encryption. Yes. No problem at all, just don't try to get it from the US. There are plenty of other sources of first grade encryption technology in the rest of the world. 
If you don't know where to start looking, check out my private collection of cryptography links:- http://www.bifroest.demon.co.uk/links/crypto.html Ian From owner-firewalls-outgoing Fri May 9 03:43:17 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id DAA06679 for firewalls-outgoing; Fri, 9 May 1997 03:31:17 -0700 (PDT) Received: from jason.interalpha.net (jason.interalpha.net [194.176.136.60]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id DAA06672 for ; Fri, 9 May 1997 03:31:07 -0700 (PDT) Received: from jason (jbrown@localhost [127.0.0.1]) by jason.interalpha.net (8.7.5/8.7.3) with SMTP id LAA31125 for ; Fri, 9 May 1997 11:34:35 GMT Message-ID: <33730BCB.7AD9BDCA@interalpha.co.uk> Date: Fri, 09 May 1997 11:34:35 +0000 From: Jason Brown Organization: Inter@lpha X-Mailer: Mozilla 3.01Gold (X11; I; Linux 2.0.30 i586) MIME-Version: 1.0 To: firewalls@GreatCircle.COM Subject: Re: Cisco Routers; Logging (?) References: <199705090719.CAA10205@chaos.coredcs.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk James R. Leu wrote: > > Make sure you tell syslogd to allow outside connections. I beleive it is the > -f option. Linux requires syslogd -r for remote connections with the newer syslogd..the older version supplied with pre 2.0.0 kernals did it automatically. 
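The thread above is about sending a router's log messages to a syslog host so that they end up on disk rather than in the router's own memory. The following collector is an added illustration for that thread; it is not code from any of the posters, from Cisco or from any syslogd. It receives syslog datagrams over UDP, decodes the facility/severity from the PRI prefix, picks apart the IOS %FACILITY-SEVERITY-MNEMONIC prefix and the per-packet access-list log lines (the form that carries ports), and appends one JSON record per message to a file, which is the "log to a hard disk" the original question asked for. The sample datagrams, the addresses and access-list number 101 are constructed for the example. Binding the standard syslog port 514/udp needs root, so pass another port when trying it as an ordinary user.

```python
"""Receive router syslog over UDP, decode it, and append records to disk.

Added example for the Cisco-logging thread; the sample data below is
constructed, not captured from a real router.
"""
import json
import re
import socket

SEVERITY_NAMES = ["emerg", "alert", "crit", "err",
                  "warning", "notice", "info", "debug"]

# Classic syslog <PRI> prefix: PRI = facility * 8 + severity.
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
# Cisco IOS message prefix, e.g. "%SEC-6-IPACCESSLOGP: ...".
CISCO_RE = re.compile(r"%([A-Z0-9_]+)-(\d)-([A-Z0-9_]+):\s*(.*)$", re.S)
# Access-list log line that carries ports (the IPACCESSLOGP form).
ACL_RE = re.compile(r"list (\S+) (permitted|denied) (\S+) "
                    r"(\S+)\((\d+)\) -> (\S+)\((\d+)\), (\d+) packets?")

# Constructed sample datagrams (documentation address ranges).
SAMPLE_DATAGRAMS = [
    "<189>42: *Mar  1 00:05:12.345: %SEC-6-IPACCESSLOGP: list 101 denied tcp "
    "192.0.2.55(4321) -> 198.51.100.7(23), 1 packet",
    "<189>43: *Mar  1 00:05:13.001: %SEC-6-IPACCESSLOGP: list 101 denied tcp "
    "192.0.2.55(4322) -> 198.51.100.7(139), 2 packets",
    "<189>44: *Mar  1 00:06:00.000: %SEC-6-IPACCESSLOGP: list 101 permitted tcp "
    "203.0.113.9(1025) -> 198.51.100.7(80), 1 packet",
    "<189>45: *Mar  1 00:07:00.000: %SYS-5-CONFIG_I: Configured from console "
    "by vty0 (203.0.113.9)",
    "<34>May  9 10:31:00 loghost su: 'su root' failed for jsmith on /dev/ttyp2",
]


def parse_syslog(datagram):
    """Decode one syslog datagram; return a dict, or None if it has no valid PRI."""
    m = PRI_RE.match(datagram)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:                      # facility 0..23, severity 0..7
        return None
    rec = {
        "facility": pri >> 3,
        "severity": pri & 7,
        "severity_name": SEVERITY_NAMES[pri & 7],
        "msg": m.group(2).strip(),
    }
    c = CISCO_RE.search(rec["msg"])
    if c:                              # IOS-formatted message
        rec["ios_facility"], rec["mnemonic"] = c.group(1), c.group(3)
        rec["ios_severity"] = int(c.group(2))
        rec["text"] = c.group(4).strip()
        a = ACL_RE.search(rec["text"])
        if a:                          # per-packet access-list log entry
            rec["acl"] = {
                "list": a.group(1), "action": a.group(2), "proto": a.group(3),
                "src": a.group(4), "src_port": int(a.group(5)),
                "dst": a.group(6), "dst_port": int(a.group(7)),
                "packets": int(a.group(8)),
            }
    return rec


def summarize_denied(records):
    """Total denied packets per source address, from decoded records."""
    counts = {}
    for r in records:
        acl = (r or {}).get("acl")
        if acl and acl["action"] == "denied":
            counts[acl["src"]] = counts.get(acl["src"], 0) + acl["packets"]
    return counts


def collect(logfile, bind="0.0.0.0", port=514, max_datagrams=None):
    """Receive UDP syslog and append one JSON record per datagram to logfile."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))            # port 514 requires root; use e.g. 5514 to test
    received = 0
    with open(logfile, "a") as out:
        while max_datagrams is None or received < max_datagrams:
            data, (relay, _) = sock.recvfrom(4096)
            rec = parse_syslog(data.decode("ascii", "replace"))
            if rec is None:
                continue               # not syslog; ignore rather than crash
            rec["relay"] = relay       # address the datagram came from
            out.write(json.dumps(rec) + "\n")
            out.flush()                # one record per line, durable as it arrives
            received += 1


if __name__ == "__main__":
    records = [parse_syslog(d) for d in SAMPLE_DATAGRAMS]
    for r in records:
        print(json.dumps(r))
    print("denied packets by source:", summarize_denied(records))
```

The records are written one per line as they arrive so that a crash of the collector loses at most the datagram in flight, and the relay address is recorded separately from the router name in the message because a forged datagram can carry any hostname it likes; that is also why the list's advice to open syslogd to remote connections should go together with a filter on which addresses may reach the syslog port.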
From owner-firewalls-outgoing Fri May 9 03:58:17 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id DAA06689 for firewalls-outgoing; Fri, 9 May 1997 03:31:57 -0700 (PDT)
Received: from europa.pop-rn.rnp.br (europa.pop-rn.rnp.br [200.137.0.52]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id DAA06682 for ; Fri, 9 May 1997 03:31:44 -0700 (PDT)
Received: from localhost (paulo@localhost) by europa.pop-rn.rnp.br (8.7.5/8.7.3) with SMTP id HAA00853; Fri, 9 May 1997 07:30:38 -0300
Date: Fri, 9 May 1997 07:30:38 -0300 (EST)
From: Paulo Motta
To: "Matthew J. Fisher"
cc: firewalls@GreatCircle.COM
Subject: Re: Need RFC 1060
In-Reply-To: <37245180.1746@cscgt.gsfc.nasa.gov>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

You can get RFCs at:
http://ds.internic.net/ds/rfc-index-html

Motta

On Thu, 8 May 1997, Matthew J. Fisher wrote:
>
> Hi All,
>
> Does anyone have a copy of RFC 1060 they could mail me? Or perhaps a
> URL for it?
>
> A colleague has searched for it to no avail, but we really need a
> definitive list of services:port.
>
> Many thanks,
> Matt.
>

From owner-firewalls-outgoing Fri May 9 04:13:26 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id DAA07060 for firewalls-outgoing; Fri, 9 May 1997 03:48:54 -0700 (PDT)
Received: from clockwork.dementia.org (CLOCKWORK.CC.CMU.EDU [128.2.35.11]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id DAA07041 for ; Fri, 9 May 1997 03:48:46 -0700 (PDT)
Received: from happie.res.cmu.edu (HAPPIE.RES.CMU.EDU [128.2.91.209]) by clockwork.dementia.org (8.7.1/8.7.1) with SMTP id GAA10172; Fri, 9 May 1997 06:48:54 -0400 (EDT)
Message-Id: <3.0.32.19970509065159.00732ef4@nb.net>
X-Sender: security@nb.net
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Fri, 09 May 1997 06:52:06 -0400
To: Firewalls@GreatCircle.COM
From: Security
Subject: external "internal" networks?
Cc: security@halotech.com
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

I'm just starting to jump into configuring a firewall, and was wondering if someone can give me a hand in what is possible and/or optimal in setting up a firewall architecture. My apologies for all the questions, but in my searching through some standard firewall books and configuration options I've seen being publicized, I'm unable to find answers that make me confident on these issues. I will really appreciate anyone giving me their options or any facts to keep in mind... I'm pretty familiar with networking, but just started thinking about firewall design and could use some guidance to ensure I'm not divergent with the world in my understanding. :)

Ideally, I want to provide a service very similar to the standard DMZ firewall setup. Firewall security is important and I wish to address it; however, opinions are that the segment shouldn't be a target and security should not make unreasonable restrictions on user access or be unreasonably pricey in implementation.

<<< Internet >>> ---[Router]---[FireWall-1]--------- <<< Internal Network >>>
                                     |
                                     |
                         <<< DMZ/Internet Services >>>

I wish to have very few restrictions for the internal users: they should be able to access WWW, ftp, gopher, telnet, etc. services and FW-1 should handle these on a time basis to ensure it starts on the internal end. The Internet should be able to access the DMZ for httpd services and possibly jdbc connections (etc). Internal users manage and update content on the DMZ.

(?) Off the bat, my simple questions are:
- Should I be concerned with "hiding" the IPs of either side? (guess: no) I don't see any reason to do this beyond obscurity-security mentalities, but I figure it's worth asking.
- Is there any reason to toss in proxies anywhere? (gut feel: no).

Ok, now, for the _real_ question:

Lets say I want this:

<< Remote Network >> --------------- .... [diagram above]
[a plant/office/group we wish to consider part of our "internal network" by some means]

or

<< Mobile User >> ------------------ .... [diagram above]

(?) First off, the "remote internal" network: How does one connect two networks via an insecure link? I'm assuming that FW-1 could be set up to allow connections in based on an IP address and authentication of sorts. Assuming the network wants to be linked 24/7/365, would it be in my best interest to allow connections in and encrypt them? Is the external network such a vulnerability that I should purchase a leased line link instead of using public networks? Would I need to set up a tightly secure gateway machine to provide this service?

(?) Mobile user question: I see this as a similar problem, except with few (if any) known facts about the IP address the user is coming from. One thing I can say is that the user could call in via modem to configure the connection as an exception if needed, but may need the bandwidth of higher speed connections than modems (so wants to use a public network eventually). How does this case compare to the "remote internal" network? My guess at a solution would be to have a gateway with authentication (challenge-response of sorts) and provide the access in. The only question would be if I should worry about injections into the packet sequencing of live connections, or setting up the network so the gateway or nodes cannot be starved by someone malicious. Also, is it "professionally" regarded as ok to accept the fact that users' internal network passwords may be compromised by monitoring (even though challenge-response, in theory, will keep them out of getting past the gateway in the first place).

Oh, feel free to replace FW-1 with the package of your choice... I'm just getting the impression it seems to be one of the more robust choices. Incidentally, does FW-1 provide the gateway services? Xhosting proxies? Any other recommendations to check other than Gauntlet and FTK?

Many thanks,
Jason Miller
Halo Technologies Limited
security@halotech.com

Jason Miller                     || WWW-Intranet-Database-Apps-Security-MM
CTO, Halo Technologies Limited   || jason@halotech.com www.halotech.com
Public Key available by request. || Phone 412/361-HALO Fax 412/661-8399

From owner-firewalls-outgoing Fri May 9 04:58:16 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA13754 for firewalls-outgoing; Fri, 9 May 1997 04:45:57 -0700 (PDT)
Received: from wall.pwa.co.in ([206.103.11.183]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id EAA13677 for ; Fri, 9 May 1997 04:45:39 -0700 (PDT)
From: Sandeep_Talwar@INDIA.notes.pwa.co.in
Received: from notes.pwa.co.in (notes.pwa.co.in [126.0.0.180]) by wall.pwa.co.in (8.6.12/8.6.12) with SMTP id VAA04383 for ; Thu, 8 May 1997 21:21:44 +0500
Received: by notes.pwa.co.in(Lotus SMTP MTA v1.05 (274.9 11-27-1996)) id 65256492.0040CE4E ; Fri, 9 May 1997 17:17:51 +300500
X-Lotus-FromDomain: INDIA@INTERNET
To: Firewalls@GreatCircle.COM
Message-ID: <65256492.003EAEBC.00@notes.pwa.co.in>
Date: Fri, 9 May 1997 17:04:10 +300500
Subject: Re: Firewalls-Digest V6 #207
Mime-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I was going through the Altavista firewall documentation and it says about "Dual Name Server". Does this mean that we can have entries for our internal (non-routable ip_addresses) as well as registered ones? Is this right, i.e. when I set up my named.hosts and named.rev files can I give entries for both types of addresses?

Secondly they also talk about Transparent Proxies. What are these proxies, are these different from our proxies we provide for services such as http and telnet or ftp etc?

Thanks in advance if you could let me know more about them.

From owner-firewalls-outgoing Fri May 9 05:13:54 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA14335 for firewalls-outgoing; Fri, 9 May 1997 04:53:41 -0700 (PDT)
Received: from hil-img-1.compuserve.com (hil-img-1.compuserve.com [149.174.177.131]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id EAA14328 for ; Fri, 9 May 1997 04:53:36 -0700 (PDT)
Received: by hil-img-1.compuserve.com (8.6.10/5.950515) id HAA27254; Fri, 9 May 1997 07:53:47 -0400
Date: Fri, 9 May 1997 07:53:16 -0400
From: John Schoonover
Subject: SATAN on Linux
To: Firewall List
Message-ID: <199705090753_MC2-1643-1D37@compuserve.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm having trouble compiling SATAN 1.1.1 under Linux 2.0. The compiler errors are:

make[2]: Entering directory `/root/satan-1.1.1/src/port_scan'
cc -O -I/root/satan-1.1.1/include -DAUTH_GID_T=int -c tcp_scan.c -o tcp_scan.o
tcp_scan.c:468: field `ip' has incomplete type
tcp_scan.c:486: dereferencing pointer to incomplete type
tcp_scan.c:487: dereferencing pointer to incomplete type
tcp_scan.c:494: dereferencing pointer to incomplete type
tcp_scan.c:495: `ICMP_MINLEN' undeclared (first use this function)
tcp_scan.c:495: (Each undeclared identifier is reported only once
tcp_scan.c:495: for each function it appears in.)
tcp_scan.c:502: dereferencing pointer to incomplete type
tcp_scan.c:502: `ICMP_UNREACH' undeclared (first use this function)
tcp_scan.c:508: dereferencing pointer to incomplete type
tcp_scan.c:508: dereferencing pointer to incomplete type
tcp_scan.c:512: dereferencing pointer to incomplete type
tcp_scan.c:513: dereferencing pointer to incomplete type
tcp_scan.c:515: dereferencing pointer to incomplete type
tcp_scan.c:521: dereferencing pointer to incomplete type
tcp_scan.c:532: dereferencing pointer to incomplete type
tcp_scan.c:533: `ICMP_UNREACH_NET' undeclared (first use this function)
tcp_scan.c:534: `ICMP_UNREACH_PROTOCOL' undeclared (first use this function)
tcp_scan.c:537: `ICMP_UNREACH_PORT' undeclared (first use this function)
tcp_scan.c:538: `ICMP_UNREACH_HOST' undeclared (first use this function)

I would be most grateful for some clues on this problem. Please reply off the list to keep the noise level down.

TIA
John

From owner-firewalls-outgoing Fri May 9 05:28:56 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA17790 for firewalls-outgoing; Fri, 9 May 1997 05:25:59 -0700 (PDT)
Received: from portal.east.saic.com (portal.east.saic.com [198.151.13.15]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id FAA17780 for ; Fri, 9 May 1997 05:25:51 -0700 (PDT)
Received: from blazer.cist.saic.com ([149.8.156.11]) by portal.east.saic.com via smtpd (for honor.greatcircle.com [198.102.244.44]) with SMTP; 9 May 1997 12:27:42 UT
Received: from obiwan.cist.saic.com (unverified [149.8.156.16]) by blazer.cist.saic.com (EMWAC SMTPRS 0.83) with SMTP id ; Fri, 09 May 1997 08:21:36 -0400
Message-ID:
From: "Chris Kostick"
To: ,
Subject: Re: Password Aging System for Unix
Date: Fri, 9 May 1997 08:19:47 -0400
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1155
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I have approximately 12 Suns and a similar number of Solaris
> workstations behind an ANS Interlock Firewall/SecureID combination.
>
> The Suns and Solaris workstations contain extremely sensitive
> information that we have password protected.

As a general rule, you don't need (or should) give out this type of information to a public forum.

> I'm trying to
> locate some type of an application that I can put on BOTH types of
> workstations to alert me when passwords are 30 days old and also
> send a message to the user that their password is about to expire.
> The only thing I'm aware of is NIS Plus that I can use on Solaris
> however, it will not work with the Suns.
>

SunOS 4.1.x does support password aging but there are no tools within the OS to take advantage of it. If you manually install aging characters as a part of the password field it will be paid attention to. Someone may have written the code to do it.

> Any help would be appreciated. Since this is only remotely related to
> firewalls, please e-mail me direct at rplauman@ems.jsc.nasa.gov
>
> Many thanks
>
> Bob Plaumann

From owner-firewalls-outgoing Fri May 9 07:20:03 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA24856 for firewalls-outgoing; Fri, 9 May 1997 06:58:14 -0700 (PDT)
Received: from mail.toronto.istar.net (Mail.Toronto.iSTAR.net [204.191.136.9]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id GAA24846 for ; Fri, 9 May 1997 06:58:09 -0700 (PDT)
Received: from istar.ca (iSTAR.ca [204.191.136.4]) by mail.toronto.istar.net (8.8.5/8.8.4) with ESMTP id JAA20735 for ; Fri, 9 May 1997 09:58:08 -0400 (EDT)
Received: from hp-laptop (1Cust99.Max3.Toronto.ON.MS.UU.NET [153.34.105.99]) by istar.ca (8.8.5/8.8.4) with SMTP id JAA15759 for ; Fri, 9 May 1997 09:58:17 -0400 (EDT)
Message-Id: <3.0.32.19970509095728.0080c590@istar.ca>
X-Sender: hpearman@istar.ca
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Fri, 09 May 1997 09:57:38 -0400
To: firewalls@GreatCircle.com
From: H_Pearman
Subject: Filtering Inbound
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Does anyone out there filter incoming URLs for hostile contents, and if so are there commercial products which do this?

Thanks

From owner-firewalls-outgoing Fri May 9 07:28:54 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA25151 for firewalls-outgoing; Fri, 9 May 1997 07:06:39 -0700 (PDT)
Received: from mail.baileynm.com (fw.baileynm.com [206.109.159.11]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id HAA25122 for ; Fri, 9 May 1997 07:06:28 -0700 (PDT)
Received: (qmail 21191 invoked from smtpd); 9 May 1997 14:06:09 -0000
Received: from web.nmti.com (root@198.178.0.201) by fw.nmti.com with SMTP; 9 May 1997 14:06:09 -0000
Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id JAA19347; Fri, 9 May 1997 09:06:08 -0500
Received: by sonic.nmti.com; id AA05403; Fri, 9 May 1997 09:06:59 -0500
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9705091406.AA05403@sonic.nmti.com.nmti.com>
Subject: Re: Legal responsibilities of filtering traffic (long)
To: guy@panix.com (Information Security)
Date: Fri, 9 May 1997 09:06:59 -0500 (CDT)
Cc: Firewalls@GreatCircle.COM, firewalls-digest@GreatCircle.COM
In-Reply-To: <199705082035.QAA23612@panix2.panix.com> from "Information Security" at May 8, 97 04:35:19 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> A company in Pennsylvania explicitly told its employees it was not
> monitoring email, but then fired someone who said hostile things
> in email.
> He sued, but lost in court: the court ruled that even though the company
> said it wasn't monitoring, it still had the legal right to do so.

Was this before or after the passage of the Electronic Communications Privacy Act?
From owner-firewalls-outgoing Fri May 9 07:59:53 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA25063 for firewalls-outgoing; Fri, 9 May 1997 07:04:15 -0700 (PDT)
Received: from relay.hq.tis.com (relay.hq.tis.com [192.94.214.100]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA25054 for ; Fri, 9 May 1997 07:04:05 -0700 (PDT)
Received: by relay.hq.tis.com; id JAA21675; Fri, 9 May 1997 09:57:22 -0400 (EDT)
Received: from dhcp6.ex.tis.com(192.94.214.126) by relay.hq.tis.com via smap (3.2) id xma021651; Fri, 9 May 97 09:56:53 -0400
Message-Id: <3.0.1.32.19970509095711.006fbf00@pop.hq.tis.com>
X-Sender: avolio@pop.hq.tis.com
X-Mailer: Windows Eudora Pro Version 3.0.1 (32)
Date: Fri, 09 May 1997 09:57:11 -0400
To: Adam Shostack , aaron@citadel.com.au (Aaron Everingham)
From: Frederick M Avolio
Subject: Re: Encryption Outside US
Cc: firewalls@greatcircle.com (Firewalls mailing list)
In-Reply-To: <199705090052.UAA26161@homeport.org>
References: <3.0.1.32.19970509094443.007dd100@pluto.citadel.com.au>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Again, I don't believe anyone has an export license for 3des.
>TIS, as far as I know, has an export license for single des. If I'm
>wrong, I invite any of the TIS folks here to say so in public or drop
>me a private mail message, and I'll retract this.

TIS has approval to export:

56 bit DES
56 bit DES with RecoverKey (we've done this since January 1996 (no typo)
3DES with RecoveryKey
128-bit RC2 or RC4 with RecoverKey

This was announced last month. See http://www.tis.com/docs/corporate/press/97/despr.html

Fred
---
(voice) +1 301-854-5749; (fax) +1 301-854-5363
Web site: http://www.tis.com/
PGP Key: http://www.tis.com/docs/corporate/fredpgp.html
PGP Key fingerprint = 37 6B 35 BB B2 07 BE B7 D5 47 C3 30 4E 39 A2 EE

From owner-firewalls-outgoing Fri May 9 08:11:25 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA25070 for firewalls-outgoing; Fri, 9 May 1997 07:04:24 -0700 (PDT)
Received: from relay.hq.tis.com (relay.hq.tis.com [192.94.214.100]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA25056 for ; Fri, 9 May 1997 07:04:11 -0700 (PDT)
Received: by relay.hq.tis.com; id JAA21679; Fri, 9 May 1997 09:57:22 -0400 (EDT)
Received: from dhcp6.ex.tis.com(192.94.214.126) by relay.hq.tis.com via smap (3.2) id xmaa21651; Fri, 9 May 97 09:56:55 -0400
Message-Id: <3.0.1.32.19970509100029.007021ec@pop.hq.tis.com>
X-Sender: avolio@pop.hq.tis.com
X-Mailer: Windows Eudora Pro Version 3.0.1 (32)
Date: Fri, 09 May 1997 10:00:29 -0400
To: Ian Miller , firewalls@greatcircle.com
From: Frederick M Avolio
Subject: Re: Encryption Outside US
In-Reply-To: <199705090906.KAA03580@h01.scientia.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In addition, you can check TIS' web page. "TIS has conducted a comprehensive Crypto Products Survey which looks at the availability of cryptographic products throughout the entire world." Check out http://www.tis.com/docs/research/crypto/survey/index.html

Fred

At 10:05 AM 5/9/97 +0100, Ian Miller wrote:
>>There is a way for non-US orgs to get triple DES or strong encryption.
>
>Yes. No problem at all, just don't try to get it from the US. There are
>plenty of other sources of first grade encryption technology in the rest of
>the world. If you don't know where to start looking, check out my private
>collection of cryptography links:-
>http://www.bifroest.demon.co.uk/links/crypto.html
>
>Ian
>
>

---
(voice) +1 301-854-5749; (fax) +1 301-854-5363
Web site: http://www.tis.com/
PGP Key: http://www.tis.com/docs/corporate/fredpgp.html
PGP Key fingerprint = 37 6B 35 BB B2 07 BE B7 D5 47 C3 30 4E 39 A2 EE

From owner-firewalls-outgoing Fri May 9 08:25:48 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA25104 for firewalls-outgoing; Fri, 9 May 1997 07:05:56 -0700 (PDT)
Received: from portal.east.saic.com (portal.east.saic.com [198.151.13.15]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id HAA25092 for ; Fri, 9 May 1997 07:05:44 -0700 (PDT)
Received: from blazer.cist.saic.com ([149.8.156.11]) by portal.east.saic.com via smtpd (for honor.greatcircle.com [198.102.244.44]) with SMTP; 9 May 1997 14:07:35 UT
Received: from obiwan.cist.saic.com (unverified [149.8.156.16]) by blazer.cist.saic.com (EMWAC SMTPRS 0.83) with SMTP id ; Fri, 09 May 1997 10:01:28 -0400
Message-ID:
From: "Chris Kostick"
To:
Subject: Re: Password Aging System for Unix
Date: Fri, 9 May 1997 09:59:39 -0400
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1155
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > I'm trying to
> > locate some type of an application that I can put on BOTH types of
> > workstations to alert me when passwords are 30 days old and also
> > send a message to the user that their password is about to expire.
> > The only thing I'm aware of is NIS Plus that I can use on Solaris
> > however, it will not work with the Suns.
> >
>
> SunOS 4.1.x does support password aging but there are no tools within the
> OS to take advantage of it. If you manually install aging characters as
> a part of the password field it will be paid attention to. Someone may have
> written the code to do it.
>

I take some of this back. The passwd command does have some aging utility with it. I seem to remember if you do passwd -e user it will expire the passwd. I can't remember if other options are supported for setting parameters.

> > Any help would be appreciated. Since this is only remotely related to
> > firewalls, please e-mail me direct at rplauman@ems.jsc.nasa.gov
> >
> > Many thanks
> >
> > Bob Plaumann

From owner-firewalls-outgoing Fri May 9 08:59:28 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA01377 for firewalls-outgoing; Fri, 9 May 1997 08:10:57 -0700 (PDT)
Received: from services.state.mo.us (services.state.mo.us [168.166.2.67]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA01224 for ; Fri, 9 May 1997 08:10:12 -0700 (PDT)
From: john@qnet.com
Received: from ikoedemmoses (bluebird.state.mo.us [168.166.10.3]) by services.state.mo.us (8.8.3/8.8.0) with SMTP id KAA24344 for ; Fri, 9 May 1997 10:10:31 -0500 (CDT)
Message-ID: <33198A03.45E0@qnet.com>
Date: Sun, 02 Mar 1997 09:09:08 -0500
Reply-To: j@services.state.mo.us
X-Mailer: Mozilla 3.01 (WinNT; I)
MIME-Version: 1.0
To: firewalls@GreatCircle.COM
Subject: unix/firewall administrators
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Please post to the list if you have these positions.
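For the Solaris side of the password-aging thread above, where aging lives in /etc/shadow (user:password:lastchg:min:max:warn:inactive:expire:flag, with lastchg in days since 1 January 1970 and max and warn in days), the alert Bob asked for can be a short script run from cron. The following is an added example, not something posted to the list or shipped with Solaris or NIS+. The shadow lines are constructed, the 30-day limit and 5-day warning window are parameters, and the script does not decode the SunOS 4.1.x aging characters Chris mentions, so on the SunOS 4 hosts it would need a different reader for the password field.

```python
"""Report Unix accounts whose password is old or about to expire.

Added example for the password-aging thread.  Reads Solaris-style
/etc/shadow lines (lastchg = days since 1 January 1970).  The sample
lines and their hash fields are constructed for the example.
"""
import sys
import time

SAMPLE_SHADOW = [
    "alice:cRyPtHaSh01:9990:0:30:5:::",    # changed 10 days before "today" (10000)
    "bob:cRyPtHaSh02:9965:0:30:5:::",      # 35 days old: past the limit
    "carol:cRyPtHaSh03:9973:0:30:5:::",    # 27 days old: inside the warning window
    "daemon:NP:6445::::::",                # NP = no password, nothing to age
    "mallory:*LK*:9000:0:30:5:::",         # locked account, skip
]


def parse_shadow_line(line):
    """Return (user, lastchg_days) or None for locked, passwordless or odd lines."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 3:
        return None
    user, pw, lastchg = fields[0], fields[1], fields[2]
    if pw in ("", "NP") or pw.startswith("*"):   # "*LK*" and friends
        return None
    if not lastchg.isdigit():
        return None                               # no change date recorded
    return user, int(lastchg)


def classify(age_days, threshold=30, warn_before=5):
    """'expired' at or past the limit, 'expiring' inside the warning window."""
    if age_days >= threshold:
        return "expired"
    if age_days >= threshold - warn_before:
        return "expiring"
    return "ok"


def check_entries(lines, today_days, threshold=30, warn_before=5):
    """Return [(user, age_days, status)] for every account with a usable password."""
    results = []
    for line in lines:
        parsed = parse_shadow_line(line)
        if parsed is None:
            continue
        user, lastchg = parsed
        age = today_days - lastchg
        results.append((user, age, classify(age, threshold, warn_before)))
    return results


def warning_message(user, days_left):
    """Text to deliver to the user (e.g. by mail) before the password expires."""
    return ("%s: your password expires in %d day%s; please run passwd to change it."
            % (user, days_left, "" if days_left == 1 else "s"))


def report(lines, today_days, threshold=30, warn_before=5):
    """Split the check into the admin alert list and the per-user notices."""
    admin, notices = [], []
    for user, age, status in check_entries(lines, today_days, threshold, warn_before):
        if status == "expired":
            admin.append("%s: password is %d days old (limit %d)" % (user, age, threshold))
        elif status == "expiring":
            notices.append(warning_message(user, threshold - age))
    return admin, notices


if __name__ == "__main__":
    if len(sys.argv) > 1:      # e.g. python check_age.py /etc/shadow (needs root)
        with open(sys.argv[1]) as f:
            lines, today_days = f.readlines(), int(time.time() // 86400)
    else:                      # no file given: run on the constructed sample
        lines, today_days = SAMPLE_SHADOW, 10000
    admin, notices = report(lines, today_days)
    print("\n".join(admin + notices))
```

The admin list and the user notices are kept separate because they go to different places: the first to whoever watches the hosts, the second to the user, and a user notice should say when, not whether, the limit is enforced, since the script only reports and leaves the actual expiry to the OS (passwd -e on the system in question, as Chris notes).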
From owner-firewalls-outgoing Fri May 9 09:15:27 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA00823 for firewalls-outgoing; Fri, 9 May 1997 08:07:55 -0700 (PDT) Received: from reflections.eng.mindspring.net (reflections.eng.mindspring.net [207.69.183.9]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id IAA00781 for ; Fri, 9 May 1997 08:07:42 -0700 (PDT) Received: (qmail 4352 invoked by uid 514); 9 May 1997 15:07:53 -0000 Date: Fri, 9 May 1997 11:07:53 -0400 (EDT) From: Todd Graham Lewis To: Adam Shostack cc: Firewalls@GreatCircle.COM Subject: Re: Encryption Outside US In-Reply-To: <199705090054.UAA26172@homeport.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thu, 8 May 1997, Adam Shostack wrote: > Uuencoded text has no redundancy at all, which probably makes > scanning a bear. Additionally, you could (I can't believe I'm suggesting this): take the 7-bit uuencoded file add an eighth, parity bit (3 (??) lines of perl) take the resulting 8-bit file and uuencode it back to 7 bits send that Yep, I've got Raid-5 on my 8.5x11! __ Todd Graham Lewis MindSpring Enterprises tlewis@mindspring.com From owner-firewalls-outgoing Fri May 9 09:26:06 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA29443 for firewalls-outgoing; Fri, 9 May 1997 07:59:32 -0700 (PDT) Received: from reflections.eng.mindspring.net (reflections.eng.mindspring.net [207.69.183.9]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id HAA29396 for ; Fri, 9 May 1997 07:59:21 -0700 (PDT) Received: (qmail 4326 invoked by uid 514); 9 May 1997 14:59:31 -0000 Date: Fri, 9 May 1997 10:59:31 -0400 (EDT) From: Todd Graham Lewis To: "Matthew J. 
Fisher" cc: firewalls@greatcircle.com Subject: Re: Need RFC 1060 In-Reply-To: <37245180.1746@cscgt.gsfc.nasa.gov> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thu, 8 May 1997, Matthew J. Fisher wrote: > Hi All, Hello. > Does anyone have a copy of RFC 1060 they could mail me? Or perhaps a > URL for it? ftp://ds.internic.net/rfc/rfc1060.txt Incidentally, all RFCs are available in that directory. There are mirrors on most continents. > A colleague has searched for it to no avail, but we really need a > definitive list of services:port. Well in that case, why not get the authoritative port assignment list? ftp://ftp.isi.edu/in-notes/iana/assignments/port-numbers __ Todd Graham Lewis MindSpring Enterprises tlewis@mindspring.com From owner-firewalls-outgoing Fri May 9 09:29:42 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA04796 for firewalls-outgoing; Fri, 9 May 1997 08:32:13 -0700 (PDT) Received: from mustang.netsolve.net (mustang.netsolve.net [199.98.14.55]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA04770; Fri, 9 May 1997 08:32:03 -0700 (PDT) Received: from cobra.netsolve.net (cobra.netsolve.net [199.98.14.138]) by mustang.netsolve.net (8.8.4/8.7.3) with ESMTP id KAA19235; Fri, 9 May 1997 10:32:15 -0500 (CDT) Received: by cobra.netsolve.net with Internet Mail Service (5.0.1389.3) id <01BC5C64.2D0C5840@cobra.netsolve.net>; Fri, 9 May 1997 10:31:38 -0500 Message-ID: <51DA9B95CF9FD01193B600A024EB760704BF43@cobra.netsolve.net> From: "Gomes, Carlos" To: "'firewalls-owner@GreatCircle.COM'" , "'H_Pearman'" , firewalls@GreatCircle.COM Subject: RE: Filtering Inbound Date: Fri, 9 May 1997 10:31:36 -0500 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1389.3) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Actually the URL I listed for the old bugs was for one of the 
password bug from late last year. For a summary of MSIE bug reports see http://just4u.com/webconsultants/dig824.htm#bugs. regards, C.G. -----Original Message----- From: firewalls-owner@GreatCircle.COM [SMTP:firewalls-owner@GreatCircle.COM] On Behalf Of H_Pearman Sent: Friday, May 09, 1997 8:58 AM To: firewalls@GreatCircle.COM Subject: Filtering Inbound Does anyone out there filter incoming URLs for hostile contents, and if so are commercial products which do this. Thanks -- Carlos Macedo Gomes ProWatch Secure Service NetSolve, Inc. 800-234-9034x3097 From owner-firewalls-outgoing Fri May 9 09:49:33 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA29520 for firewalls-outgoing; Fri, 9 May 1997 07:59:55 -0700 (PDT) Received: from relay.hq.tis.com (relay.hq.tis.com [192.94.214.100]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA29462; Fri, 9 May 1997 07:59:36 -0700 (PDT) Received: by relay.hq.tis.com; id KAA24400; Fri, 9 May 1997 10:53:12 -0400 (EDT) Received: from clipper.hq.tis.com(10.33.1.2) by relay.hq.tis.com via smap (3.2) id xma024351; Fri, 9 May 97 10:52:47 -0400 Received: from jupiter.hq.tis.com (jupiter.hq.tis.com [10.33.112.189]) by clipper.hq.tis.com (8.7.5/8.7.3) with SMTP id KAA02376; Fri, 9 May 1997 10:59:16 -0400 (EDT) From: Jody C Patilla Message-Id: <199705091459.KAA02376@clipper.hq.tis.com> Subject: Re: Legal responsibilities of filtering traffic (long) To: peter@baileynm.com (Peter da Silva) Date: Fri, 9 May 1997 10:58:06 -0400 (EDT) Cc: guy@panix.com, Firewalls@greatcircle.com, firewalls-digest@greatcircle.com In-Reply-To: <9705091406.AA05403@sonic.nmti.com.nmti.com> from "Peter da Silva" at May 9, 97 09:06:59 am Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > A company in Pennsylvania explicitly told its employees it was not > > monitoring email, but then fired someone who said hostile things > > in email. 
> > He sued, but lost in court: the court ruled that even though the company > > said it wasn't monitoring, it still had the legal right to do so. > > Was this before or after the passage of the Electronic Communications > Privacy Act? Yes. The company was Pillsbury, and the decision came this past fall. However, there are additional factors. Two employees exchanged mail about their manager which was quite derogatory. One employee PRINTED IT OUT and tossed it in a trash can. A third employee retrieved it and brought it to the manager who was the subject of the remarks. No monitoring of email took place. - jcp -- ========================================================================= Jody C. Patilla jcp@tis.com Trusted Information Systems Glenwood, Md. From owner-firewalls-outgoing Fri May 9 09:54:07 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA00783 for firewalls-outgoing; Fri, 9 May 1997 08:07:44 -0700 (PDT) Received: from gw.garrison.com ([205.241.58.147]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA00707 for ; Fri, 9 May 1997 08:07:28 -0700 (PDT) Received: from gw.garrison.com (root@localhost) by gw.garrison.com (8.7.5/8.7.3) with ESMTP id KAA08318 for ; Fri, 9 May 1997 10:08:10 -0500 (CDT) Received: from garrison.com (garrison.com [10.0.0.2]) by gw.garrison.com (8.7.5/8.7.3) with SMTP id KAA08314 for ; Fri, 9 May 1997 10:08:10 -0500 (CDT) Received: by garrison.com (4.1/SMI-4.1) id AA05399; Fri, 9 May 97 10:06:42 CDT Date: Fri, 9 May 97 10:06:42 CDT From: jeromie@garrison.com (Jeromie Jackson) Message-Id: <9705091506.AA05399@garrison.com> To: Firewalls@GreatCircle.COM Subject: Re: Need to restrict http://www.nude.com and such Sender: firewalls-owner@GreatCircle.COM Precedence: bulk know this is slightly off topic but I need some advice or some > >products that will restrict http access to sites such as www.porn.com.
> Aside from building an exhaustive list on my proxy what else can I do. > Thanks for >the help. > > > Alan Prouty wrote: > Some firewall vendors allow URLs to be blocked based on the firewall > administrator's input. Raptor provides this service as well, but takes it a > step further. Raptor provides a unique service called WebNot that runs as > an option on the Eagle. You can block URLs based on 12 pre-configured > categories. This configuration can be enforced based on groups of machines, > networks, or users and it allows groups to have different sets of rules > regarding which sites they can get to. Also, Sidewinder from SCC has this capability. SCC purchased Webtrack, and threw its functionality into the Sidewinder product. I do believe you can still purchase WebTrack separately from the firewall. You could also purchase other products, such as the one from netpartners. Jeromie Jackson Garrison Technologies jeromie@garrison.com From owner-firewalls-outgoing Fri May 9 10:14:10 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA20691 for firewalls-outgoing; Fri, 9 May 1997 10:08:08 -0700 (PDT) Received: from gatekeeper.eastman.com (gatekeeper.eastman.com [164.89.253.3]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id KAA20657 for ; Fri, 9 May 1997 10:07:59 -0700 (PDT) Received: by gatekeeper.eastman.com; id NAA25139; Fri, 9 May 1997 13:12:14 -0400 (EDT) Received: from emngw1.eastman.com(164.89.254.2) by gatekeeper.eastman.com via smap (3.2) id xma025128; Fri, 9 May 97 13:12:11 -0400 Received: by eastman.com id AA21150 (5.67b/IDA-1.5 for firewalls@GreatCircle.COM); Fri, 9 May 1997 13:08:50 -0400 Received: from ntmcon01.emn.com by eastman.com with SMTP id AA24731 (5.67b/SMI-4.1 for ); Fri, 9 May 1997 13:08:49 -0400 Received: by ntmcon01.emn.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BC5C7A.4314E6A0@ntmcon01.emn.com>; Fri, 9 May 1997 13:09:44 -0400
Message-Id: From: Owens Blaine To: "'j@services.state.mo.us'" , "'firewalls@GreatCircle.COM'" Subject: RE: unix/firewall administrators Date: Fri, 9 May 1997 13:06:46 -0400 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Since the rest of this page is blank I assume you mean people who do nothing for a living. Yes, we have some of those. >-----Original Message----- >From: john@qnet.com [SMTP:john@qnet.com] >Sent: Sunday, March 02, 1997 9:09 AM >To: firewalls@GreatCircle.COM >Subject: unix/firewall administrators > >Please post to the list if you have these positions. From owner-firewalls-outgoing Fri May 9 10:28:52 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA17662 for firewalls-outgoing; Fri, 9 May 1997 09:53:26 -0700 (PDT) Received: from challenger.atc.fhda.edu (challenger.atc.fhda.edu [153.18.200.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id JAA17635 for ; Fri, 9 May 1997 09:53:18 -0700 (PDT) Received: from localhost (manek@localhost) by challenger.atc.fhda.edu (8.8.0/8.7.3) with SMTP id JAA13053; Fri, 9 May 1997 09:53:17 -0700 (PDT) Date: Fri, 9 May 1997 09:53:17 -0700 (PDT) From: "Sameer R. Manek" Reply-To: "Sameer R. Manek" To: "robertp@hal-pc.org" cc: firewalls@GreatCircle.COM Subject: Re: Password Aging System for Unix In-Reply-To: <199705090336.WAA16910@hal-pc.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thu, 8 May 1997, robertp@hal-pc.org wrote: > The Sun's and Solaris workstations contain extremely sensitive > information that we have protected Password protected. I'm trying to > locate some type of an application that I can put on BOTH types of > workstations to alert me when passwords are 30 days old and also > send a message to the user that their password is about to expire. 
> The only thing I'm aware of is NIS Plus that I can use on Solaris > however, it will not work with the Sun's. > From what I've seen running some form of password expiring only tends to cause people to pick insecure passwords, especially if you force them to change passwords too often. A better thing to do is to run crack on your passwords on a regular basis, lock the accounts of those who get their account cracked. Install something like passwd+ that makes sure you can't pick a poor password. Also make a script that checks the password field once a month that sees if the password has been changed lately or not. From owner-firewalls-outgoing Fri May 9 10:35:23 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA03439 for firewalls-outgoing; Fri, 9 May 1997 08:24:59 -0700 (PDT) Received: from mustang.netsolve.net (mustang.netsolve.net [199.98.14.55]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA03329; Fri, 9 May 1997 08:24:35 -0700 (PDT) Received: from cobra.netsolve.net (cobra.netsolve.net [199.98.14.138]) by mustang.netsolve.net (8.8.4/8.7.3) with ESMTP id KAA19149; Fri, 9 May 1997 10:24:35 -0500 (CDT) Received: by cobra.netsolve.net with Internet Mail Service (5.0.1389.3) id <01BC5C63.1917D040@cobra.netsolve.net>; Fri, 9 May 1997 10:23:55 -0500 Message-ID: <51DA9B95CF9FD01193B600A024EB760704BF42@cobra.netsolve.net> From: "Gomes, Carlos" To: "'firewalls-owner@GreatCircle.COM'" , "'H_Pearman'" , firewalls@GreatCircle.COM Subject: RE: Filtering Inbound Date: Fri, 9 May 1997 10:23:53 -0500 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1389.3) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk -----Original Message----- From: firewalls-owner@GreatCircle.COM [SMTP:firewalls-owner@GreatCircle.COM] On Behalf Of H_Pearman Sent: Friday, May 09, 1997 8:58 AM To: firewalls@GreatCircle.COM Subject: Filtering Inbound Does anyone out there filter incoming URLs
for hostile contents, and if so are commercial products which do this. Thanks For the latest Microsoft Internet Explorer bug (http://microsoft.com/ie/security/powerpoint.htm) and the previous one (http://cnnfn.com/digitaljam/wires/9608/16/microsoft_explorer_wg/) we at NetSolve have set up filters in the product we use in our managed internet security service to allow customers to block incoming traffic from possible hostile sites or even block all outbound MSIE connections until bug fixes can be installed. The product we use is the WheelGroup, Corp., NetRanger. More information on the product and our service can be found at http://www.wheelgroup.com and http://www.netsolve.net respectively. regards, C.G. -- Carlos Macedo Gomes ProWatch Secure Service NetSolve, Inc. 800-234-9034x3097 From owner-firewalls-outgoing Fri May 9 11:25:37 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA24925 for firewalls-outgoing; Fri, 9 May 1997 10:27:25 -0700 (PDT) Received: from datasource.net (friday.datasource.net [205.183.26.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id KAA24906 for ; Fri, 9 May 1997 10:27:17 -0700 (PDT) Received: by friday.datasource.net id <17026-1>; Fri, 9 May 1997 12:21:15 -0500 Message-Id: <97May9.122115cdt.17026-1@friday.datasource.net> Date: Fri, 9 May 1997 12:31:41 -0500 From: Nathan Steinbauer Reply-To: nathan@datasource.net Organization: DataSource Hagen X-Mailer: Mozilla 3.01 (Win95; I) MIME-Version: 1.0 To: firewalls@GreatCircle.COM Subject: Re: Filtering Inbound References: <3.0.32.19970509095728.0080c590@istar.ca> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Secure Computing has a stand-alone server or a module that runs on their firewalls to filter out content your company deems unsavory.
The sites are uploaded weekly and are broken into a bunch of different categories so you could filter out all sex sites but allow the sports sites to go through. Here's the URL for the SmartFilter site: http://www.securecomputing.com/P_Tool_SF_FRS.html Good luck, Nathan Steinbauer Datasource Hagen nathan@datasource.net H_Pearman wrote: > > Does anyone out there filter incoming URLs for hostile contents, and if so > are commercial products which do this. > > Thanks From owner-firewalls-outgoing Fri May 9 11:44:49 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA25638 for firewalls-outgoing; Fri, 9 May 1997 10:30:47 -0700 (PDT) Received: from mail1.sla.com ([207.153.168.35]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id KAA25408; Fri, 9 May 1997 10:29:49 -0700 (PDT) Received: by mail.sla.com with Internet Mail Service (5.0.1457.3) id ; Fri, 9 May 1997 10:31:50 -0700 Message-ID: <31557D725263D011B53A0060974FB8DC028B1B@mail.sla.com> From: Bill Stackpole To: "'Matthew_J._Fisher_at_ssdlncpo@cscgt.gsfc.nasa.gov'" , firewalls@greatcircle.com Cc: firewalls@greatcircle.com Subject: RE: Cisco Routers; Logging (?) Date: Fri, 9 May 1997 10:31:48 -0700 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1457.3) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Depending on the version, logging can be set to log various events; logging can be directly to the console screen, redirected to another port (for example the AUX port for hard copy on a printer), or to any host system running a SYSLOG daemon. Starting at version 11 a log parameter can be added to access-list entries so filtering activity can be monitored. Some additional information can be logged by setting SNMP traps and setting the log level to include traps. When the traps are sent they will also appear in the log. "Simplify - There is no value in complexity, it's too difficult to manage."
Bill Stackpole Seitel Leeds & Associates Voice: 206.283.4355 2 Nickerson St. Suite 201 Email: bstackpole@sla.com Seattle, Wa 98109 > -----Original Message----- > From: Matthew_J._Fisher_at_ssdlncpo@cscgt.gsfc.nasa.gov > [SMTP:Matthew_J._Fisher_at_ssdlncpo@cscgt.gsfc.nasa.gov] > Sent: Thursday, May 08, 1997 11:15 AM > To: firewalls@greatcircle.com > Subject: Cisco Routers; Logging (?) > > Hi All, > > Does anyone know what logging features are common to Cisco > routers? > Unfortunately I can't get into specific models. > > How would one establish/configure logging (preferably to a hard > disk, > as opposed to the router nvram/ram). > > Thanks in advance, > Matt From owner-firewalls-outgoing Fri May 9 11:59:11 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA09777 for firewalls-outgoing; Fri, 9 May 1997 11:52:24 -0700 (PDT) Received: from ceddec.com (brickwall.ceddec.com [207.91.200.193]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id LAA09768 for ; Fri, 9 May 1997 11:52:18 -0700 (PDT) Received: by brickwall.ceddec.com id <32257-1>; Fri, 9 May 1997 14:50:11 -0400 Date: Fri, 9 May 1997 14:53:02 -0400 From: tzeruch@ceddec.com X-Sender: nobody@mars.ceddec.com Reply-To: tzeruch@ceddec.com To: Firewalls@GreatCircle.COM Subject: Re: Encryption Outside US In-Reply-To: <3.0.1.32.19970508180325.007da860@pluto.citadel.com.au> Message-Id: <97May9.145011edt.32257-1@brickwall.ceddec.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thu, 8 May 1997, Aaron Everingham wrote: > There is a way for non-US orgs to get triple DES or strong encryption. If Better yet, get SSLeay, which includes Eric A Young's DES implementation, which I think included ECB and 3DES. It is also available separately, but I don't know where (probably in one of the side FTP directories).
http://www.psy.uq.edu.au:8080/~ftp/Crypto/ It is already outside the US where it was developed. You still cannot import it and then export it. From owner-firewalls-outgoing Fri May 9 12:23:16 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA07809 for firewalls-outgoing; Fri, 9 May 1997 11:35:45 -0700 (PDT) Received: from mc2-csr.com (lestat.mc2-csr.com [204.107.238.150]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id LAA07773 for ; Fri, 9 May 1997 11:35:29 -0700 (PDT) Received: from merlin (merlin.mc2-csr.com [204.107.238.176]) by mc2-csr.com (8.7.3/8.7.3) with SMTP id OAA28167; Fri, 9 May 1997 14:35:34 -0400 (EDT) Message-Id: <3.0.32.19970509143532.00f59168@mc2-csr.com> X-Sender: lglaze@mc2-csr.com X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Fri, 09 May 1997 14:35:33 -0400 To: "Sameer R. Manek" , "robertp@hal-pc.org" From: Larry Glaze Subject: Re: Password Aging System for Unix Cc: firewalls@GreatCircle.COM Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 09:53 AM 5/9/97 -0700, Sameer R. Manek wrote: >On Thu, 8 May 1997, robertp@hal-pc.org wrote: > >> The Sun's and Solaris workstations contain extremely sensitive >> information that we have protected Password protected. I'm trying to >> locate some type of an application that I can put on BOTH types of >> workstations to alert me when passwords are 30 days old and also >> send a message to the user that their password is about to expire. >> The only thing I'm aware of is NIS Plus that I can use on Solaris >> however, it will not work with the Sun's. >> > >From what I've seen running some form of password expiring only tends >to cause people to pick insecure passwords, especially if you force them >to change passwords too often. A better thing to do is to run crack >on your passwords on a regular basis, lock the accounts of those >who get their account cracked.
> >Install something like passwd+ that makes sure you can't pick a poor >password. Also make a script that checks the password field once a >month that sees if the password has been changed lately or not. Agreed on the passwd+. The key to having good passwords is preventing your users from picking bad ones in the first place. Do not, under any circumstances, rely solely on crack for password security. Crack can only test on the dictionaries you give it, and you have no idea where your users are getting their ideas for passwords. Plus, your user may think that "G00dpasS" is a good password, but crack will test for capital letters at the beginning and end of the word, and it will also test for number substitution (using 1 for i/I and l/L, using 3 for e/E, 0 for o/O, etc). The above password stands a good chance at being cracked, but not right away. You might be broken into before your crack run catches the bad password (especially if you have a large password file). However, on the other hand, do not rely on passwd+ alone either. Still run your crack jobs, adding new dictionaries as you find them, to make sure someone didn't somehow slip through your password system. There are other password programs available as well (some may be hard to find though) such as: npasswd, anlpasswd, and spm. Larry -- ------------------------------------------------------------------------ | Larry Glaze | "...Life's a bummer..." | | System/Network Administrator | --Smashing Pumpkins | | MC2 Cyberspace, Ltd | | | http://www.mc2-csr.com/~lglaze | lglaze@mc2-csr.com | ------------------------------------------------------------------------ | All opinions are my own, as they should be!
| ------------------------------------------------------------------------ From owner-firewalls-outgoing Fri May 9 12:30:09 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA13366 for firewalls-outgoing; Fri, 9 May 1997 12:12:05 -0700 (PDT) Received: from diablo.intergate.bc.ca (diablo.intergate.bc.ca [205.206.192.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id MAA13333 for ; Fri, 9 May 1997 12:11:54 -0700 (PDT) Received: from seane (pm16s12.intergate.bc.ca [207.34.180.117]) by diablo.intergate.bc.ca (8.8.5/8.6.9) with SMTP id MAA19549 for ; Fri, 9 May 1997 12:12:00 -0700 (PDT) Message-ID: <3373783A.2187@intergate.bc.ca> Date: Fri, 09 May 1997 12:17:14 -0700 From: Sean Elrington Reply-To: seane@choreo.ca Organization: Choreo Systems X-Mailer: Mozilla 3.01 (Win95; I) MIME-Version: 1.0 To: firewalls@GreatCircle.COM Subject: Re: Filtering Inbound Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk H_Pearman wrote: > > Does anyone out there filter incoming URLs for hostile contents, and if so > are commercial products which do this. > > Thanks By 'hostile contents' perhaps you mean Java or ActiveX based attacks rather than dirty pictures? Finjan is developing some stuff to block these but I don't know how good it is. You can block Java at a firewall by blocking .class files or looking for the APPLET tag in the datastream. Trend Micro's (www.trendmicro.com) gateway antivirus software can also block Java system wide when scanning HTTP traffic for viruses.
-- Sean Elrington Sales Systems Engineer Choreo Systems - Vancouver Tel: (604) 737-3993 www.choreosystems.com seane@choreo.ca ----------------------------------------------------------- Firewalls, security tools, public key encryption TCP/IP, X.11, NFS Messaging and directory software ----------------------------------------------------------- From owner-firewalls-outgoing Fri May 9 12:59:11 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA20136 for firewalls-outgoing; Fri, 9 May 1997 12:51:56 -0700 (PDT) Received: from panix2.panix.com (panix2.panix.com [198.7.0.3]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id MAA20104 for ; Fri, 9 May 1997 12:51:46 -0700 (PDT) Received: (from guy@localhost) by panix2.panix.com (8.8.5/8.7/PanixU1.3) id PAA01816 for Firewalls@greatcircle.com; Fri, 9 May 1997 15:52:09 -0400 (EDT) Date: Fri, 9 May 1997 15:52:09 -0400 (EDT) From: Information Security Message-Id: <199705091952.PAA01816@panix2.panix.com> To: Firewalls@greatcircle.com Subject: Re: Legal responsibilities of filtering traffic (long) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I have the article somewhere. It stated the court ruled even though the company told its employees that they wouldn't monitor, that the company had the right to read their email anyway. That is my memory of the ruling by the judge. Perhaps after being notified of something nasty in email, the company then pulled his email to verify someone didn't just create a printout from thin air. ---guy > From jcp@tis.com Fri May 9 10:59:52 1997 > > > > A company in Pennsylvania explicitly told its employees it was not > > > monitoring email, but then fired someone who said hostile things > > > in email. > > > He sued, but lost in court: the court ruled that even though the company > > > said it wasn't monitoring, it still had the legal right to do so.
> > > > Was this before or after the passage of the Electronic Communications > > Privacy Act? > > Yes. The company was Pillsbury, and the decision came this past fall. > However, there are additional factors. Two employees exchanged mail > about their manager which was quite derogatory. One employee PRINTED IT > OUT and tossed it in a trash can. A third employee retrieved it and > brought it to the manager who was the subject of the remarks. No monitoring > of email took place. > > - jcp > > -- > ========================================================================= > Jody C. Patilla jcp@tis.com > Trusted Information Systems Glenwood, Md. From owner-firewalls-outgoing Fri May 9 13:12:22 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA04729 for firewalls-outgoing; Fri, 9 May 1997 11:14:59 -0700 (PDT) Received: from davinci.icad.puc-rio.br (davinci.icad.puc-rio.br [139.82.4.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id LAA04645 for ; Fri, 9 May 1997 11:14:42 -0700 (PDT) Received: by davinci.icad.puc-rio.br (4.1/SMI-4.1) id AA27921; Fri, 9 May 97 15:12:20 EST Date: Fri, 9 May 97 15:12:20 EST From: paulo@icad.puc-rio.br (Paulo Henrique M. 
Sant' Anna) Message-Id: <9705091812.AA27921@davinci.icad.puc-rio.br> To: davidal@moloc.cps.unizar.es, Donald.J.Smith@cdev.com Cc: Firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >From owner-firewalls-outgoing@GreatCircle.COM Thu May 8 00:21:55 1997 >Return-Path: >Message-Id: <199705070505.AAA15509@asp.cdev.com> >X-Sender: djs3wn39@aurora.cdev.com >X-Mailer: Windows Eudora Version 1.4.4 >Mime-Version: 1.0 >Content-Type>: >text/plain>; >charset="us-ascii"> >Date: Tue, 06 May 1997 21:17:07 -0700 >To: davidal@moloc.cps.unizar.es >From: Donald.J.Smith@cdev.com (Donald J Smith) >Cc: Firewalls@GreatCircle.COM >Sender: firewalls-owner@GreatCircle.COM >Precedence: bulk >Content-Length: 1872 >X-Lines: 48 >Status: RO > >>Date: Tue, 6 May 1997 08:53:26 +0200 (MET DST) >>From: David Alayeto Salvador >>Subject: Config Files >> >>I would like to see some examples of some of the configuration files >>needed to set up a firewall properly. >The tis fwtk comes with a config file. You just uncomment the services >you want and change YOURNET/YOURADDRESS to be the net/address you are supporting >on the firewall. >> >>I'm in the doubt of believing a firewall is just a way to name a set of >>components which work together to provide security to a site. Please >>explain to me the real meaning of the term "firewall". Is it based on >>software or hardware? >In a perfect world A firewall is a system (or hardware and software) that >slows an intruder long enough for an alert to the sysadm allows same to catch > and stop all intrusion attempts. >We don't live in a perfect world so start by defining what you have to >protect and it's value to your company. That will help you decide what >type and how much security you need. 
>> >>Thanks in advance >> >>************************************************* >>* David Alayeto Salvador >>* E-mail addresses: >>* davidal@prometeo.cps.unizar.es >>* davidal@oja.cps.unizar.es >>* Quinto de Ingenieria Informatica - CPS >>************************************************* >> >>- -----BEGIN PGP PUBLIC KEY BLOCK----- >>Version: 2.6.i >> >>mQBtAjJ3V/gAAAEDAM8Bb3yhVsdnMbjNU0kkfRmaXZlfI5wn50Syhap1/ObBLcQ2 >>xLdAoGJTYhHjVD89vMRnYdduOSUaHQLifPMJCCJA3wS4ji9mfagrNOgK7jIkU7bO >>Fjp5tbnP+LTqgMxcKQAFEbQ3RGF2aWQgQWxheWV0byBTYWx2YWRvciA8ZGF2aWRh >>bEBwcm9tZXRlby5jcHMudW5pemFyLmVzPg== >>=vuMi >>- -----END PGP PUBLIC KEY BLOCK----- >> >>------------------------------ >> >Donald J Smith Network Security Engineer @CDInt >design in security @ the beginning & >ease_of_use != A*(1/Data_Security) for any A >(my opinions are mine and so are the spelling errors ;-) > > If you want a definition I've got one, I guess, from "Firewalls and Internet Security". A Firewall is a set of components that (at least ideally) can do the following: - Sits between the Internal Network and the outside world in a way that all traffic must pass through it - Only Allowed traffic should (must?) pass - The Firewall must be immune to attacks itself (so that nobody can change the rules that say what is the allowed traffic).
-- Paulo Henrique From owner-firewalls-outgoing Fri May 9 14:08:37 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA28390 for firewalls-outgoing; Fri, 9 May 1997 13:56:56 -0700 (PDT) Received: from firewall.uprc.com (sentry.uprc.com [144.94.230.3]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id NAA28382 for ; Fri, 9 May 1997 13:56:51 -0700 (PDT) Received: by firewall.uprc.com; id AA14181; Fri, 9 May 97 15:56:25 CDT Received: from clavin.uprc.com(144.94.68.3) by firewall via smap (3.2) id xma014168; Fri, 9 May 97 15:56:08 -0500 Received: from kafka.upr.com (kafka.uprc.com [144.94.48.14]) by clavin.uprc.com (8.8.5/8.8.5) with ESMTP id PAA11603 for ; Fri, 9 May 1997 15:37:48 -0500 (CDT) From: "Prahl V. E. (Von)" Received: (from z76399@localhost) by kafka.upr.com (8.8.5/8.8.5) id PAA12528 for Firewalls@greatcircle.com; Fri, 9 May 1997 15:37:45 -0500 (CDT) Date: Fri, 9 May 1997 15:37:45 -0500 (CDT) Message-Id: <199705092037.PAA12528@kafka.upr.com> To: Firewalls@greatcircle.com Subject: MAXQUIRIES X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk We are running Gauntlet V3.2. The logfiles are full of the following "firewall named[335]: MAXQUERIES exceeded, possible data loop in resolving (reports.com) The message occurs whenever, in this case, reports.com is down or unreachable. Is there a problem with my DNS configuration? Any help will be greatly appreciated. 
Von Prahl From owner-firewalls-outgoing Fri May 9 14:36:23 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA00242 for firewalls-outgoing; Fri, 9 May 1997 14:11:04 -0700 (PDT) Received: from pse01.pios.com (PSE01.PIOS.COM [199.33.129.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id OAA00197 for ; Fri, 9 May 1997 14:10:49 -0700 (PDT) Received: by pse01.pios.com; (5.65v3.2/1.3/10May95) id AA26889; Fri, 9 May 1997 17:10:53 -0400 Received: from vaxa.PIOS.COM (vaxa.PIOS.COM) by gemini.pios.com (PMDF V5.0-6 #18985) id <01IIO94WY45S8WYPD4@gemini.pios.com> for firewalls@greatcircle.com; Fri, 09 May 1997 17:12:17 -0400 (EDT) Received: from cal_177.sanjose (192.168.14.7) by PIOS.PIOS.COM (PMDF V5.0-6 #18984) id <01IIO9369RWW8Y5XU9@PIOS.PIOS.COM> for firewalls@greatcircle.com; Fri, 09 May 1997 17:10:53 -0400 (EDT) Date: Fri, 09 May 1997 14:12:56 -0700 From: Bill Stout Subject: Firewall farm paper X-Sender: stoutb@vaxf.pios.com To: firewalls@greatcircle.com Message-Id: <2.2.32.19970509211256.006dbee4@vaxf.pios.com> Mime-Version: 1.0 X-Mailer: Windows Eudora Pro Version 2.2 (32) Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In my quest to understand distributed firewall management, delegation, desktop authentication integration, and operation, I put together a short, 7-page draft paper on Firewall Farms. Last time I asked for comments on a draft 'NT vs. UNIX network security whitepaper', I expected maybe 10 replies; I received 800 requests for copies the next morning... This time I don't really expect much traffic either, but it's on the web this time at http://www.geocities.com/researchtriangle/3372/firewall_farms.html . It's also short, 7 pages vs. the 33 page NT paper, no pretty pictures, not detailed or referenced yet.
I'm sure some pieces of FFs have been implemented already either in the real or marketing sense, but I'd be surprised if all of it has been. Again, this is mostly for my own education, but I'll update it on-line, and hopefully it will be useful to others as well. Bill Stout From owner-firewalls-outgoing Fri May 9 15:48:42 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id PAA08749 for firewalls-outgoing; Fri, 9 May 1997 15:36:11 -0700 (PDT) Received: from smtp3.erols.com (smtp3.erols.com [205.252.116.103]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id PAA08706; Fri, 9 May 1997 15:36:00 -0700 (PDT) Received: from cabe (spg-as27s30.erols.com [207.172.46.30]) by smtp3.erols.com (8.8.5/8.8.5) with SMTP id SAA00484; Fri, 9 May 1997 18:36:14 -0400 Message-Id: <1.5.4.32.19970509223944.006edb20@pop.erols.com> X-Sender: cabe@pop.erols.com X-Mailer: Windows Eudora Light Version 1.5.4 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 09 May 1997 18:39:44 -0400 To: Firewalls@GreatCircle.COM, firewalls-digest@GreatCircle.COM From: Cabe Franklin Subject: Encryption export approvals Sender: firewalls-owner@GreatCircle.COM Precedence: bulk re: Adam and Aaron's conversation -- In late March TIS got general purpose export approval for its MS CAPI-compliant CSP which employs DES, 3DES and 128-bit RC2 and RC4. While the stronger algorithms require key recovery, with DES you can choose to enable it or not. Also, the domestic and int'l versions of the CSP interoperate, so you can use 3DES domestically w/o key recovery, and use the same program to communicate internationally, for which the CSP will automatically turn on the key recovery feature. press release with more info at: http://www.tis.com/docs/corporate/press/97/despr.html - Cabe P.S. just to maintain some level of connection to the list -- TIS is also putting 3DES into the new version of Gauntlet, which they announced a week or two ago. 
- Cabe Franklin Ogilvy Adams & Rinehart, Washington DC (202) 452-9504 cabe_franklin@oar-wash.com - From owner-firewalls-outgoing Fri May 9 19:24:12 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA17490 for firewalls-outgoing; Fri, 9 May 1997 17:42:26 -0700 (PDT) Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-970427-1) id RAA17469 for firewalls@greatcircle.com; Fri, 9 May 1997 17:42:21 -0700 (PDT) Received: from panix2.panix.com (panix2.panix.com [198.7.0.3]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id TAA27530 for ; Thu, 8 May 1997 19:21:04 -0700 (PDT) Received: (from guy@localhost) by panix2.panix.com (8.8.5/8.7/PanixU1.3) id WAA20018; Thu, 8 May 1997 22:21:20 -0400 (EDT) Date: Thu, 8 May 1997 22:21:20 -0400 (EDT) From: Information Security Message-Id: <199705090221.WAA20018@panix2.panix.com> To: firewalls@greatcircle.com Subject: Re: Encryption Outside US Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Key recovery means the information necessary to decrypt the message is built into the message. The message is cleartext to the government. Even future 128 bit Netscape S/MIME. Would it be reasonable to fear that the key recovery implementation might become known at a later date to someone other than the government? Yes. Why use encryption with built-in crackability? A company would be totally foolish to use the compromised crypto. Following is one of the posts on the matter I made in the alt.cypherpunks group recently. I was trying to support (in my own way) Cypherpunk Tim May's attack on the SAFE bill. Note that EPIC (see comp.org.eff.talk) just said the SAFE bill with criminal penalties for using crypto in conjunction with another crime is advancing. [Also dig around URL 'eff.org' for the text of the legislation for that and the "Pro-Code" bill, which attempt to overthrow the government's insistence on mandated key recovery.] See the 'Crypto A.G.' 
part regarding key recovery. Key recovery: an oops waiting to happen. ---guy > Subject: Re: Response to Alan Davidson of CDT > Newsgroups: alt.cypherpunks,talk.politics.crypto,comp.org.eff.talk > Followup-To: alt.cypherpunks,talk.politics.crypto,comp.org.eff.talk > Organization: NYC, Third Planet From the Sun eagle (eagle@nyx10.cs.du.edu) wrote: : The Senators' awful oversight of the intelligence community has been due to : the intelligence community, not the US Senate. You ever met a real live : spook before? Or do they exist solely in your imagination and reading? So, you are saying what? That Congress can't be expected to do better than the status quo? The pits? And: I am a company spook. Internet email traffic analysis. Boo. guy wrote: : >If you have no specific objections to an Internet review process that would : >raise the quality of the bill to include 'what if' scenarios for clarity, : >then support it. eagle wrote: : Do you think this is a realistic expectation of legislation that is already : clearing committee? I thought about it, and decided to push for quality. If my code passes code review, and I subsequently spot a bug, I'm going to fix it before going into production, even if I have to rewrite the whole thing. Wouldn't you? Out of curiosity, what are you, a kid? (I mean young student ;-) And while it means more work for the sponsors, it improves the quality of the legislation tremendously. The other Senators can read through the bill and see all the intended consequences. Congress needs additional infrastructure for doing this for all legislation, but hey, we netizens are glad to help for free. It's the beginning of the Netification of governments. eagle wrote: : If you think that the intelligence community had a hand in architecting : the Pro Code bill...that qualifies as a flaky idea. Okay, I admit to just being suspicious of an intelligence hand. Given the opaque language, it is reasonable to wonder darkly why.
Why a bill whose purpose is important to us can't be MUCH clearer. guy wrote: : >If you don't know what the reference to 'financial institutions' means, : >then you have no right to assert that. eagle wrote: : You may or may not know more about current DES security of financial : transactions, but I was well tutored... I don't want third-hand interpretations. I want a plain English bill with extended examples that anyone can understand. guy wrote: : >And what does the language extra-penalizing people who use crypto in : >conjunction with a crime have to do with a no-mandatory-key-escrow bill : >that is oriented towards helping US businesses compete in the world market? eagle wrote: : That has to do with bi-partisan support of a bill that does not ignore law : enforcement concerns. Bingo. The most generalized crypto-is-a-crime-with-another-crime language that could possibly be inserted into the bill has made it. Absolutely no intended consequences have been enumerated. : "What if" scenarios smack of fear and paranoia to me. Your point? You say this language is for "law enforcement concerns". Let us take into consideration actions by the government because of their "law enforcement concerns". ---- They have raided private homes and seized computer equipment after monitoring Internet traffic and spotting regular people browsing WWW/USENET clicking on nude pixels representing children. Remember, "child porn" is one of the great "law enforcement concerns" about cryptography. The FBI has groused that encryption has stymied prosecutions. What happens with a five year prison clause? Well, let's say the person managed to encrypt a copy of the picture, and delete it from the browser's cache. But the encrypted file is the same size, and/or its modification time matches the read/execute time on PGP when the raid occurs. So the government says if you don't plead guilty to child porn, then we'll prosecute you for the crypto-crime provision of this bill too. i.e. Mr. 
May's succinct complaint "It's wrong when I'm a felon under an ever increasing number of laws". Because they will lean on you with it: In the AAA BBS case, the government threat included prosecuting the person's wife too. Just like it could in the private home raid scenario above. Only now with a new club to swing. The government will use every available tool to menace crypto users. They have absolutely no scruples, often. In the AAA BBS case, the Feds PURPOSELY PULLED graphics legal in California into hick Tennessee, and succeeded in jailing the CA owner. Wow. In addition, they sent UNSOLICITED real child porno to the owner, and charged him with possession of child porno. It is because of this lack of scruples that we must be very very careful of the wording going into these bills. ---- We netizens are rightfully paranoid because the government has no scruples. What the FBI did to photographer Jock Sturges was criminal. Do not underestimate what they'll do with the new language. Excerpt from 'TO: A Journal of Poetry, Prose + the Visual Arts', Summer 1992: * Hounded by the Federal Bureau of Investigation in a bizarre witchhunt * at an expense to the taxpayers of over a million dollars, Sturges had * survived an attempt to destroy his life and his work and was now * countersuing the agency. * * Recapitulated briefly, Sturges, who's based in San Francisco, has for * years been photographing young people whose families practice nudity. * * He's done so with his subjects' permission, as well as that of their * parents, who often appear in the photographs along with their offspring. * Rejecting the use of standard model releases, with their blanket * permissions, the photographer chooses instead to request approval * from his subjects for each and every exhibition and publication * of each and every image --- an exemplary scrupulousness. 
* * Then, in 1990, alerted to the "questionable" content of some of his * images by a local processing lab, the FBI arrested Joe Semien, Sturges's * assistant, invaded the photographer's San Francisco studio without a * warrant, and seized all his prints, negatives, records, and equipment; * thereafter, without arresting Sturges, or even charging him with * anything, they refused to return his property and did everything * possible to destroy him personally and professionally by branding * him a child pornographer The New York Times eventually reported that the Feds took the case to a grand jury after fifteen months, and immediately threw it out. And that "this was unusual because only the prosecution's evidence is presented to a grand jury". Excerpt from 'TO: A Journal of Poetry, Prose + the Visual Arts', Summer 1992: * Jock Sturges: * * It took another month to get the U.S. Attorney to admit they had * finished the investigation and that the case was closed. * * Before they were through they had interviewed forty-four families in * France to whom they lied outrageously. * * It seems the Feds were unable to get the French interested because * the French Police thought the photographs were just lovely. So the * French were given the impression by the U.S. government that I had * been convicted of incest in the United States and that I was a * dangerous individual. * * And based on this assumption, the French Police conducted their own * interviews, but my friends happily knew me well enough. When they * found out they had been misled, the French Police called everybody * back and apologized. * * Nevertheless, an enormous amount of effort was put out in France to * go and talk to all these people and a similar thing was done in * Germany. This was not all free. It was hideously expensive. And the * repercussions --- I don't know what they are yet. I haven't talked * to all the families. * * In the end, everything I received back was essentially destroyed.
* * My computer was broken. * * All my prints were badly damaged. * * Some of them had been wadded up and thrown away and then taken out * of the waste basket and flattened out again. NYT 2/19/95: it cost Sturges $100,000 in legal fees. ---- The law refers to "lascivious exhibition of the genitals or pubic area". The FBI takes that to mean naked. Obviously. A poorly written bill. Guess what? 1/18/95 NYT: In a case that did not involve nudity or genital visibility, Attorney General Janet Reno filed a brief with the Supreme Court that said it was not necessary for a child pornography conviction. That is how she interprets the language of the bill. Wow. And I thought Ed Meese was a bad Attorney General. Is it unreasonable to ask our Senators for clear unambiguous language? 10/3/96 NYT: Because of computers, a bill was passed that changes the definition of child pornography to include generated images that do not involve actual children. It's the least they can do. Thought crime is now legal!!! ---- We would prefer to have no language about a crypto+ penalty. It is not too much to ask that if it IS put in there, to spell out all the intended consequences, including our 'what if' questions. ---- And what about the opaque language regarding exceptions? Bear with me while I build this point using concrete examples. The Washington Post Magazine, June 23 1996: * The Foreign Intelligence Surveillance Act, is a 1978 law that permits * secret buggings and wiretaps of individuals suspected of being agents * of a hostile foreign government or international terrorist organization * EVEN WHEN THE TARGET IS NOT SUSPECTED OF COMMITTING ANY CRIME. * * The FBI used the court to bug a building on 48th Street in NYC. * * The court operates outside the normal constitutional standards for * searches and seizures. Non-government personnel are not allowed. * * The average U.S. citizen might reasonably assume use of this court * is at the least: unusual. * * It is not. 
In fact, in the United States today it is increasingly * common. In 1994, federal courts authorized more wiretaps for * intelligence-gathering and national security purposes than they * did to investigate ordinary federal crimes. Tim May asked about the ramifications of being associated - somehow - with a hostile government / terrorists. Remember Ronald "I am a Contra" Reagan? Well, he didn't like a peaceful Texas based group called CISPES, which was against the United States' support of the El Salvador government. The El Salvador government was torturing people. So the FBI had one of their agents infiltrate the group, and "plant" a gun. Thus giving them a terrorist organization designation. Not only did the FBI hassle them big time, but also the NSA broke into attorney's offices nationwide that were associated with the group. The FBI director (Sessions?) ended up apologizing big time on C-SPAN, saying that sort of thing would NEVER happen again. [Why did it happen in the first place?] Covert Action Quarterly, #59: * In October 1996, after being endorsed by CIA director John Deutch, * this method of maintaining the government's ability to spy on * encrypted communications REPLACED KEY ESCROW as the favored * technology. KEY RECOVERY works by locating information that is * woven into the header of each message. This mechanism allows * a recovery 'agent' to extract or reconstruct the message's key * and decrypt its contents. * * Key recovery may have been the basis for NSA's most successful * post-Cold War project for deciphering coded messages. Since the * 1940's, the NSA reportedly rigged encryption systems sold by the * Swiss firm Crypto A.G. so that the agency retained the ability * to break the codes of anyone using the machines. * * Thus, Fort Meade was able to listen in on the coded military and * diplomatic traffic of the more than 130 countries that were Crypto * A.G. customers.
All righty then: We have a secret court that the FBI/NSA won't hesitate to use. We have the NSA doing everything in its power to foil our strong crypto. Mr. May said Bidzos' Japanese effort to legally work around the U.S. export restrictions has been stymied: this would be the heavy hand of the NSA. They would have threatened to cut off Japan from the U.S. intelligence network. Even though what Bidzos was doing was fully legal. What screwup might this opaque language help NSA with in the secret court? Given the G-Men's stunning lack of scruples, perhaps order Bidzos to weaken S/MIME so just the NSA can crack it? Is Bidzos releasing the source to that part of it? I don't know what the exact scenario might be, but we should make a strong attempt to pin down the consequences of all the language in the bill. The export restriction language in the legislation is cryptic, and so unsuitable for a pro-crypto bill. The legislation doesn't even mention key recovery. Even when we get pro-code bills passed, the NSA is still dead set against it, so we must be very careful of the language. ---- guy wrote: : >So, the Internet review process, which aims to build in 'what if' scenarios : >to clarify the bill and clean it of surprises, is a quality control : >procedure. eagle wrote: : I think that's a pipe dream and a waste of time to attempt. Then you are not thinking beyond a certain point.
---guy From owner-firewalls-outgoing Fri May 9 19:43:54 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id TAA01973 for firewalls-outgoing; Fri, 9 May 1997 19:36:06 -0700 (PDT) Received: from dns2.infocom.etecsa.cu (infocom.etecsa.cu [169.158.64.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id TAA01963 for ; Fri, 9 May 1997 19:35:55 -0700 (PDT) Received: by dns2.infocom.etecsa.cu (Smail3.1.28.1 #3) id m0wQ20y-0002gUC; Fri, 9 May 97 22:36 EDT Received: from manati.in.etecsa.cu by dns2.infocom.etecsa.cu with SMTP id XXXXXXXX-Xa07339; Fri, 09 May 97 22:36 EDT Received: by manati.in.etecsa.cu (Smail3.1.28.1 #3) id m0wQ20w-0002AyC; Fri, 9 May 97 22:36 EDT Message-Id: Subject: Re: Need RFC 1060 To: lists@reflections.eng.mindspring.net (Todd Graham Lewis) Date: Fri, 9 May 1997 22:36:01 -0400 (EDT) From: "Ing. Eduardo Egues" Cc: firewalls@greatcircle.com In-Reply-To: from "Todd Graham Lewis" at May 9, 97 10:59:31 am X-Mailer: ELM [version 2.4 PL13] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > On Thu, 8 May 1997, Matthew J. Fisher wrote: > > > Hi All, > > Hello. > > > Does anyone have a copy of RFC 1060 they could mail me? Or perhaps a > > URL for it? > > ftp://ds.internic.net/rfc/rfc1060.txt > > Incidentally, all RFCs are available in that directory. There are mirrors > on most continents. > > > A colleague has searched for it to no avail, but we really need a > > definitive list of services:port. > > Well in that case, why not get the authoritative port assignment list? > > ftp://ftp.isi.edu/in-notes/iana/assignments/port-numbers > > __ > Todd Graham Lewis MindSpring Enterprises tlewis@mindspring.com > You can find it too at ftp://ftp.infocom.etecsa.cu/pub/rfc Good Luck E.
Eduardo Egues eddie@mail.infocom.etecsa.cu From owner-firewalls-outgoing Sat May 10 02:07:02 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id BAA21733 for firewalls-outgoing; Sat, 10 May 1997 01:54:52 -0700 (PDT) Received: from panix2.panix.com (panix2.panix.com [198.7.0.3]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id BAA21726 for ; Sat, 10 May 1997 01:54:47 -0700 (PDT) Received: (from guy@localhost) by panix2.panix.com (8.8.5/8.7/PanixU1.3) id EAA19514 for firewalls@greatcircle.com; Sat, 10 May 1997 04:55:05 -0400 (EDT) Date: Sat, 10 May 1997 04:55:05 -0400 (EDT) From: Information Security Message-Id: <199705100855.EAA19514@panix2.panix.com> To: firewalls@greatcircle.com Subject: Re: Legal responsibilities of filtering traffic (long) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I found a URL on the Pennsylvania Pillsbury matter, and it includes another URL to the text of the court's decision. It does seem to be a PA specific decision.
---guy http://axion.physics.ubc.ca/email-privacy.html From owner-firewalls-outgoing Sat May 10 02:43:36 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id CAA24890 for firewalls-outgoing; Sat, 10 May 1997 02:31:26 -0700 (PDT) Received: from punt-2.mail.demon.net (relay-11.mail.demon.net [194.217.242.137]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id CAA24874 for ; Sat, 10 May 1997 02:31:12 -0700 (PDT) Received: from tracker.demon.co.uk ([158.152.150.126]) by punt-2.mail.demon.net id ai1014911; 10 May 97 10:26 BST From: Les Carleton To: Lionel Durant Cc: Rich_Fitzgerald@csx.com, firewalls@greatcircle.com Subject: Re: Hotshot Date: Sat, 10 May 1997 09:29:12 GMT Organization: The Doghouse Reply-To: les@tracker.demon.co.uk Message-ID: <337b3c52.1400124@post.demon.co.uk> References: In-Reply-To: X-Mailer: Forte Agent 1.0/32.390 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 18 Apr 1997 10:00:18 -0400, you wrote: > How about all you guys who want to hire people tagging your posts with "JOB:" in the subject line? ...Les... +-----------------------------------------------+ | Les Carleton Firewalling Consultant / "The Software Lifeguard" | These are my views ... not my employer's / les@tracker.demon.co.uk | / +-------------------------------------------+ "Open Standards ... Free Software ... Live Free or Fry!"
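The key-recovery mechanism described in the "Re: Encryption Outside US" message above (a per-message session key wrapped under a recovery agent's key and carried in the message header, so the agent can extract it) and the "oops" that post warns about, shown as an added example. This is not code from any post on this list, from TIS, or from any product: the cipher is a constructed SHA-256 keystream stand-in rather than DES/3DES, and the recovery-agent key, session keys and message text are made up.

```python
"""Toy model of a key-recovery field (KRF) in a message header.

Added example, not from the original list post. The keystream cipher below
is a teaching stand-in built from hashlib, NOT a real cipher; the recovery
agent's key is a constructed constant.
"""
import hashlib
import os


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 in counter mode over (key, nonce, block)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (XOR is its own inverse) under the toy keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


# Constructed recovery-agent key. In a deployed scheme this sits with the
# agent (and whoever else ends up with a copy of it).
RECOVERY_AGENT_KEY = hashlib.sha256(b"constructed recovery agent key").digest()


def new_session_key() -> bytes:
    """Fresh per-message key, as the two correspondents would negotiate."""
    return os.urandom(32)


def seal(session_key: bytes, plaintext: bytes,
         recovery_key: bytes = RECOVERY_AGENT_KEY) -> dict:
    """Encrypt plaintext under session_key and attach the KRF: the session
    key itself, wrapped under the recovery agent's key, in the header."""
    nonce = os.urandom(16)
    krf = xor_crypt(recovery_key, b"krf" + nonce, session_key)
    body = xor_crypt(session_key, nonce, plaintext)
    return {"nonce": nonce, "krf": krf, "body": body}


def open_with_session_key(msg: dict, session_key: bytes) -> bytes:
    """The intended recipient's path: decrypt with the shared session key."""
    return xor_crypt(session_key, msg["nonce"], msg["body"])


def recover_session_key(msg: dict, recovery_key: bytes) -> bytes:
    """The recovery agent's path: unwrap the session key from the header
    alone, with no help from either correspondent."""
    return xor_crypt(recovery_key, b"krf" + msg["nonce"], msg["krf"])


def open_with_recovery_key(msg: dict, recovery_key: bytes) -> bytes:
    return open_with_session_key(msg, recover_session_key(msg, recovery_key))


def read_archive_with_leaked_key(archive: list, leaked_key: bytes) -> list:
    """The failure mode the post calls an oops waiting to happen: once the
    agent's key is known to anyone else, every message ever sealed under it
    is cleartext to them, whatever session keys the parties used."""
    return [open_with_recovery_key(m, leaked_key) for m in archive]


if __name__ == "__main__":
    sk = new_session_key()
    m = seal(sk, b"constructed sample message")
    print(open_with_session_key(m, sk))
    print(open_with_recovery_key(m, RECOVERY_AGENT_KEY))  # no session key needed
```

Note that the recipient never checks the KRF here; a real scheme has to bind it to the message so the sending software cannot simply omit it, which is one more thing that has to be right in the "key recovery implementation" the post worries about becoming known.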
From owner-firewalls-outgoing Sat May 10 02:58:36 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id CAA25568 for firewalls-outgoing; Sat, 10 May 1997 02:48:45 -0700 (PDT) Received: from punt-2.mail.demon.net (relay-11.mail.demon.net [194.217.242.137]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id CAA25521 for ; Sat, 10 May 1997 02:48:26 -0700 (PDT) Received: from tracker.demon.co.uk ([158.152.150.126]) by punt-2.mail.demon.net id aj1014911; 10 May 97 10:26 BST From: Les Carleton To: Jim Littlefield Cc: Matt Wallace , charlesj@iquest.net, firewalls@greatcircle.com Subject: Re: Virus Protection at the Firewall Date: Sat, 10 May 1997 09:29:19 GMT Organization: The Doghouse Reply-To: les@tracker.demon.co.uk Message-ID: <337c3dc5.1771861@post.demon.co.uk> References: In-Reply-To: X-Mailer: Forte Agent 1.0/32.390 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Tue, 22 Apr 1997 07:40:03 -0400 (EDT), you wrote: >On Mon, 21 Apr 1997, Matt Wallace wrote: >> TrendMicro's scanning software can scan MIME, UUencoded, PKZIP, PKLITE, > >That is all well and good. Now tell me how it deals with PGP encrypted >files? S/MIME? Why are you allowing data to come through your firewall which is not subject to inspection? Most good security policies will be written such that incoming data will be subject to some form of inspection (physical or electronic). >Jim Littlefield "If toast always lands butter-side down, and > cats always land on their feet, what happens > if you strap toast on the back of a cat and > drop it?" - Steven Wright Cat and toast land on their side. BTW: This is cruelty to animals :-) ...Les... +-----------------------------------------------+ | Les Carleton Firewalling Consultant / "The Software Lifeguard" | These are my views ...
not my employer's / les@tracker.demon.co.uk | / +-------------------------------------------+ "Open Standards ... Free Software ... Live Free or Fry!" From owner-firewalls-outgoing Sat May 10 03:18:14 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id CAA25364 for firewalls-outgoing; Sat, 10 May 1997 02:38:36 -0700 (PDT) Received: from punt-2.mail.demon.net (relay-11.mail.demon.net [194.217.242.137]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id CAA25357 for ; Sat, 10 May 1997 02:38:30 -0700 (PDT) Received: from tracker.demon.co.uk ([158.152.150.126]) by punt-2.mail.demon.net id ab1014911; 10 May 97 10:26 BST From: Les Carleton To: Peter da Silva Cc: Phil Cox , mjr@clark.net, Firewalls@greatcircle.com Subject: Re: IPSEC / IPV6 and Firewalls & Network Security Date: Sat, 10 May 1997 09:28:53 GMT Organization: The Doghouse Reply-To: les@tracker.demon.co.uk Message-ID: <337437b5.218879@post.demon.co.uk> References: <9704181615.AA06125@sonic.nmti.com.nmti.com> In-Reply-To: <9704181615.AA06125@sonic.nmti.com.nmti.com> X-Mailer: Forte Agent 1.0/32.390 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 18 Apr 1997 11:15:13 -0500 (CDT), you wrote: >Intranets can still use IPv4 with NAT at the firewall, so that's not an >issue. It _is_ an issue. It's all very well putting in NAT if you have an intranet whose internal addresses don't conflict directly with those on the other side of the NAT, but if they do ... then you have a routing problem which requires at least a two-stage NAT. If you need an example of where this may occur, consider a single NAT between two networks both using the same portion of the "private" 10.0.0.0 network.
The NAT (even after translating the addresses) still won't be able to route packets to both conflicting networks (say 10.1.1) because it won't know which one is talking to it. With so many people using RFC1918-type addressing on their internal networks, when they try to connect to each other there will inevitably be an address clash. We do need some form of provider-based addressing, whether it's IPv6 or something else. ...Les... +-----------------------------------------------+ | Les Carleton Firewalling Consultant / "The Software Lifeguard" | These are my views ... not my employer's / les@tracker.demon.co.uk | / +-------------------------------------------+ "Open Standards ... Free Software ... Live Free or Fry!" From owner-firewalls-outgoing Sat May 10 03:35:29 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id CAA24840 for firewalls-outgoing; Sat, 10 May 1997 02:30:55 -0700 (PDT) Received: from punt-2.mail.demon.net (relay-11.mail.demon.net [194.217.242.137]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id CAA24823 for ; Sat, 10 May 1997 02:30:45 -0700 (PDT) Received: from tracker.demon.co.uk ([158.152.150.126]) by punt-2.mail.demon.net id af1014911; 10 May 97 10:26 BST From: Les Carleton To: Adam Shostack Cc: Robin J Smith , Firewalls mailing list Subject: Re: Secure Email Client Packages...
Date: Sat, 10 May 1997 09:29:04 GMT Organization: The Doghouse Reply-To: les@tracker.demon.co.uk Message-ID: <33783a9f.965255@post.demon.co.uk> References: <199704241331.IAA29396@homeport.org> In-Reply-To: <199704241331.IAA29396@homeport.org> X-Mailer: Forte Agent 1.0/32.390 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thu, 24 Apr 1997 08:31:30 -0500 (EST), you wrote: >Robin J Smith wrote: >| On Thu, 24 Apr 1997, Adam Shostack wrote: >| I agree completely...In an ideal world, we would have been able to take >| the US version of SmartGATE from day one so V-ONE would never have needed >| to do an export version. The law doesn't allow this though, but what >| they've managed to do though is find a way to export the product whilst >| keeping the US government happy, without compromising the security of the >| product. As you may or may not know, the DTI (Department of Trade & >| Industry) are trying to introduce legislation in this area >| ( http://dtiinfo1.dti.gov.uk/pubs/ ) We will be lobbying the UK government to >| accept our approach in this matter. > > I've seen your government's proposals. Fortunately, they are >going to be voted out of office RSN. :) Governments change, unfortunately the DTI proposals generally come from Civil Servants. I believe the new government has also supported these proposals. Lobbying goes on. If only we had an adopt an MP scheme like in the US. ...Les... +-----------------------------------------------+ | Les Carleton Firewalling Consultant / "The Software Lifeguard" | These are my views ... not my employer's / les@tracker.demon.co.uk | / +-------------------------------------------+ "Open Standards ... Free Software ... Live Free or Fry!"
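The address clash Les Carleton describes in the "Re: IPSEC / IPV6 and Firewalls & Network Security" message above (a single NAT between two networks that both use 10.1.1.0/24 cannot tell which side a 10.1.1.x address belongs to, so a two-stage NAT is needed), worked through as an added example. This is not code from any post on this list or from any NAT product; the site names, the two 172.16.x.0/24 "shadow" blocks and the packet addresses are constructed for illustration.

```python
"""Why one NAT cannot join two sites that share 10.1.1.0/24, and how a
two-stage (source and destination) NAT resolves it.

Added example, not from the original post. Site names, shadow prefixes and
packet addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class AmbiguousRoute(Exception):
    pass


def single_nat_pick_interface(dst: str, interfaces: dict) -> str:
    """A one-stage NAT with an ordinary forwarding table: pick the interface
    whose connected prefix contains dst. When the same prefix sits on both
    sides the lookup cannot decide, which is the clash the post describes."""
    addr = ipaddress.ip_address(dst)
    matches = [name for name, prefix in interfaces.items()
               if addr in ipaddress.ip_network(prefix)]
    if len(matches) != 1:
        raise AmbiguousRoute(f"{dst} matches {matches or 'no'} interface(s)")
    return matches[0]


def _translate(addr: str, from_net, to_net) -> str:
    """Map addr by its host offset from from_net into the same-sized to_net."""
    a = ipaddress.ip_address(addr)
    if a not in from_net:
        raise ValueError(f"{addr} is not in {from_net}")
    offset = int(a) - int(from_net.network_address)
    return str(ipaddress.ip_address(int(to_net.network_address) + offset))


class TwiceNat:
    """Two-stage NAT. Each site's real (overlapping) block is presented to the
    other side as a distinct shadow block. Every packet has both its source
    and its destination rewritten, so hosts at site A reach site B hosts via
    shadow_b addresses and site B hosts only ever see site A as shadow_a.
    The real blocks may overlap each other; the shadows must not overlap
    anything the other side already routes."""

    def __init__(self, real_a: str, shadow_a: str, real_b: str, shadow_b: str):
        nets = [ipaddress.ip_network(n) for n in (real_a, shadow_a, real_b, shadow_b)]
        if len({n.prefixlen for n in nets}) != 1:
            raise ValueError("all four blocks must be the same size")
        self.real_a, self.shadow_a, self.real_b, self.shadow_b = nets
        if self.shadow_a.overlaps(self.shadow_b):
            raise ValueError("shadow blocks overlap each other")
        if self.shadow_b.overlaps(self.real_a) or self.shadow_a.overlaps(self.real_b):
            raise ValueError("a shadow block collides with the far side's real block")

    def a_to_b(self, pkt: Packet) -> Packet:
        """Stage 1 hides A's real source; stage 2 turns B's shadow into B's real."""
        return Packet(src=_translate(pkt.src, self.real_a, self.shadow_a),
                      dst=_translate(pkt.dst, self.shadow_b, self.real_b))

    def b_to_a(self, pkt: Packet) -> Packet:
        """Mirror image for the return direction."""
        return Packet(src=_translate(pkt.src, self.real_b, self.shadow_b),
                      dst=_translate(pkt.dst, self.shadow_a, self.real_a))


if __name__ == "__main__":
    # Constructed topology: both sites really use 10.1.1.0/24.
    try:
        single_nat_pick_interface("10.1.1.9", {"site_a": "10.1.1.0/24",
                                               "site_b": "10.1.1.0/24"})
    except AmbiguousRoute as e:
        print("single NAT:", e)
    nat = TwiceNat("10.1.1.0/24", "172.16.1.0/24", "10.1.1.0/24", "172.16.2.0/24")
    print("A->B:", nat.a_to_b(Packet("10.1.1.5", "172.16.2.9")))
    print("B->A:", nat.b_to_a(Packet("10.1.1.9", "172.16.1.5")))
```

The two shadow blocks are what the far side routes toward the NAT, which is why they have to be carved out of space neither site uses internally; the post's point that every merger of two RFC 1918 networks needs such an arrangement, or distinct addressing to begin with, follows directly.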
From owner-firewalls-outgoing Sat May 10 03:58:35 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id DAA04359 for firewalls-outgoing; Sat, 10 May 1997 03:44:10 -0700 (PDT) Received: from garanti1.garanti.com.tr (garanti1.garanti.com.tr [194.54.51.100]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id DAA04289 for ; Sat, 10 May 1997 03:43:49 -0700 (PDT) Received: from Mailhub by garanti1.garanti.com.tr id AA04434; Sat, 10 May 1997 13:44:09 +0400 Received: from GarantiUser by GarantiMailServer id AA25368; Sat, 10 May 1997 13:43:08 +0400 Received: from [10.0.4.106] by manage1.fw.garanti.com.tr (AIX 4.1/UCB 5.64/4.03) id AA17216; Sun, 11 May 1997 13:34:06 +0400 Message-Id: <3373BA41.6040@garanti.com.tr> Date: Fri, 09 May 1997 16:58:57 -0700 From: Cihan Subasi Reply-To: csubasi@garanti.com.tr Organization: Garanti Ticaret X-Mailer: Mozilla 3.0Gold (Win16; I) Mime-Version: 1.0 To: john@qnet.com Cc: firewalls@GreatCircle.COM Subject: Re: unix/firewall administrators References: <33198A03.45E0@qnet.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk john@qnet.com wrote: > > Please post to the list if you have these positions. 
-- *************************************************************** Cihan Subasi Garanti Ticaret, Istanbul Turkey email= cihans@garanti.com.tr or csubasi@garanti.com.tr Phone= +902126570404 Fax = +902126570473 *************************************************************** From owner-firewalls-outgoing Sat May 10 07:43:53 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA18097 for firewalls-outgoing; Sat, 10 May 1997 07:32:56 -0700 (PDT) Received: from gargoyle.clark.net (gargoyle.clark.net [168.143.0.250]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id HAA18090 for ; Sat, 10 May 1997 07:32:50 -0700 (PDT) Received: (qmail 10738 invoked by uid 500); 10 May 1997 14:43:48 -0000 Date: Sat, 10 May 1997 10:43:48 -0400 (EDT) From: "Paul D. Robertson" X-Sender: proberts@gargoyle To: Les Carleton cc: Firewalls@GreatCircle.COM Subject: Re: IPSEC / IPV6 and Firewalls & Network Security In-Reply-To: <337437b5.218879@post.demon.co.uk> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Sat, 10 May 1997, Les Carleton wrote: > We do need some form of provider-based addressing, whether it's IPv6 or > something else. Provider-based addressing doesn't adequately take care of multi-provider redundant networks. Provider-based addressing *is* a good thing, however, customer-based addressing is as well. One from a routing standpoint, and one from a service standpoint. If I address even 5000 machines, I shouldn't have to re-address those when I pick a new provider. What we probably need is some form of routing indicator that will allow aggregate routing to at least the "closest" exchange point, maybe ASN's taken a little further down the road, maybe aggregate ASN's for CIDR-type routing.... Paul ----------------------------------------------------------------------------- Paul D.
Robertson "My statements in this message are personal opinions proberts@clark.net which may have no basis whatsoever in fact." PSB#9280 From owner-firewalls-outgoing Sat May 10 09:20:18 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA22502 for firewalls-outgoing; Sat, 10 May 1997 09:06:55 -0700 (PDT) Received: from mail1.graphicomm.com ([205.177.36.6]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id JAA22495 for ; Sat, 10 May 1997 09:06:50 -0700 (PDT) Received: from duck ([205.177.36.24]) by mail1.graphicomm.com (post.office MTA v1.9.3 **** trial license expired ****) with ESMTP id AAA90 for ; Sat, 10 May 1997 12:09:01 -0400 From: duck@graphicomm.com (Tony M. Duckett) To: Subject: SOCKS5 and Linux 2.0.27 Date: Sat, 10 May 1997 12:07:29 -0400 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1161 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Message-ID: <19970510160901542.AAA90@duck> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk The config part of socks5 runs ok. Then when I do the make part, it is stuck in a loop. Help!! Thanx in advance duck@mail1.graphicomm.com From owner-firewalls-outgoing Sat May 10 18:13:56 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id SAA14280 for firewalls-outgoing; Sat, 10 May 1997 18:03:34 -0700 (PDT) Received: from NURI.NET (mail.nuri.net [203.255.112.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id SAA14273 for ; Sat, 10 May 1997 18:03:28 -0700 (PDT) Received: from angel (sal105.nuri.net [203.255.114.105]) by NURI.NET (8.8.5/8.8.5) with SMTP id KAA15582; Sun, 11 May 1997 10:03:42 +0900 (KST) Message-ID: <33751AF3.4A2E@nuri.net> Date: Sun, 11 May 1997 10:03:47 +0900 From: Young-jin Hong Organization: Inet Inc.
X-Mailer: Mozilla 2.02E-KIT (Win95; I) MIME-Version: 1.0 To: firewalls@greatcircle.com CC: wits@nuri.net Subject: [CyberGuard] how many sessions are possible in dynamic NAT? Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Dear members, Generally, in setting up Dynamic NAT (Network Address Translation), CyberGuard works with its external IP address... as far as I know. And then, if I set a C class IP address on the external interface, does CyberGuard only support about 250 concurrent users? Is it true or not? If not, how can CyberGuard support over 250 concurrent users? Thanks in advance for your kind reply. Young-jin Hong E-mail> wits@nuri.net From owner-firewalls-outgoing Sat May 10 18:29:01 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id SAA14457 for firewalls-outgoing; Sat, 10 May 1997 18:06:30 -0700 (PDT) Received: from relay4.UU.NET (relay4.UU.NET [192.48.96.14]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id SAA14449 for ; Sat, 10 May 1997 18:06:23 -0700 (PDT) Received: from maestro.Maestro.COM by relay4.UU.NET with SMTP (peer crosschecked as: [198.102.66.11]) id QQcozs04634; Sat, 10 May 1997 21:06:46 -0400 (EDT) Received: by maestro.Maestro.COM (4.1/MAESTRO-0.1/07-03-93) id AA27649; Sat, 10 May 97 21:05:58 EDT Date: Sat, 10 May 1997 21:05:57 -0400 (EDT) From: Sick Puppy To: firewalls@GreatCircle.com Subject: Leveraging someone else's investment in NT Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Leveraging - mighty fine word that. Salesdroids use it all the time. Anywayz, between the time I was chewing my bone and licking my ass, I was thinking about the System Management Server (SMS) that is included on the BackOffice CD for Windows NT. If it is set up right, it can push client software down to most of the PC's that NT knows about.
That means it could be set up to push down trojans as well. Simple little programs such as password capture utilities. Could be set up to push anything you want down to the NT firewall if the firewall permissions are a bit loose and the registry has not been edited to make it a tighter box. Let's not mention default accounts and access. If anyone has done any educational research in this area, would you care to share the results? Purely academic interest. Will not plagiarize any of your papers. Any toolz donated will be thoroughly tested. Sick Puppy, the Cat_Eating_Dawg << Don't ask for any Unix hacks. Eyevynd de Reindeer got a job. >> << So did Potlicker. The Church of the Dead Meow got busted. >> << Flash turned state witness, the retarded bastard >> From owner-firewalls-outgoing Sat May 10 19:13:33 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id TAA18766 for firewalls-outgoing; Sat, 10 May 1997 19:01:55 -0700 (PDT) Received: from relay1.shore.net (relay1.shore.net [192.233.85.129]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id TAA18755 for ; Sat, 10 May 1997 19:01:49 -0700 (PDT) Received: from [198.115.179.81] (vin.shore.net [198.115.179.81]) by relay1.shore.net (8.8.3/8.8.3) with ESMTP id WAA08295 for ; Sat, 10 May 1997 22:02:07 -0400 (EDT) Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Sat, 10 May 1997 22:04:33 -0500 To: firewalls@greatcircle.com From: Vin McLellan Subject: Re: Password Aging System for Unix Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Bob Plaumann queried the List: >I have approximately 12 Sun's and a similar number of Solaris >workstations behind an ANS Interlock Firewall/SecureID combination. > >The Sun's and Solaris workstations contain extremely sensitive >information that we have password protected.
I'm trying to >locate some type of an application that I can put on BOTH types of >workstations to alert me when passwords are 30 days old and also >send a message to the user that their password is about to expire. >The only thing I'm aware of is NIS Plus that I can use on Solaris >however, it will not work with the Sun's. > >Any help would be appreciated. Since this is only remotely related to >firewalls, please e-mail me direct at rplauman@ems.jsc.nasa.gov I responded to Bob by e-mail initially, as he requested, but then I realized that authentication and defense-in-depth _are_ firewall issues. And somewhere out there (due, doubtless, solely to naive and obstinate superiors) there may be other network managers who use strong authentication for remote access and the firewall... but are unable to enforce any comparable standard of authentication on their internal hosts. Luv your firewall, sure! But trust it utterly and absolutely?!? (Anyone else quiver at the thought of 25 password-protected workstations -- holding "extremely sensitive information" in a dot-gov domain -- sitting behind the firewall? _any_ firewall, with the untamed Internet on the other side? (Actually, when I hear of "extremely sensitive" files on a networked computer, I figure you need encryption *plus* robust authentication today. Thirty-day reusable passwords??? Lawd save us! Many of us might want file security more muscular than sub-C2 access controls on a Unix box -- no matter how robust the authentication! And ComSec is a whole separate world of pain;-) Is there some reason, btw, why you can't just drop ACE/Agents (aka ACE/Clients) on the Solaris and Sun workstations -- and then use your SecurID tokens for two-factor access control on them too? If you've got an ACE/Server that supports ACE/SecurID on the ANS firewall, you've got strong authentication available for the workstations for loose change.
(And if you've got an ACE hardware module hung off your firewall, consider upgrading to the client/server architecture ASAP. Like, before the infowar mavens from Clinton's Critical Infrastructure Commission choose you as their poster child;-) There's more to this than the administrative burden. If your users have experience with SecurIDs, don't they balk at working with static passwords, of appropriate complexity, that you force them to change every four weeks? Want to place a bet on how many scribble their new passwords down somewhere? (5 of 25? 10? More?) If, for some unfathomable reason, you absolutely _must_ use static passwords to protect "extremely sensitive" data on a networked system, go crypto if you can. You might also check out SDTI's new v.1.3 ACE/Server, announced last week. The big thing about v.1.3 ACE (both NT and Unix) is cross-realm authentication (support for multiple authentication servers on a Net) but among its other virtues and trinkets is a new emergency-access mechanism which lets an administrator issue a password over the phone for one-time (and presumably limited) access, as well as other new controls which can restrict the days, and time-of-day, when a specific SecurID or password can be used. ACE v.3.1 will allow the admin to assign up to three different authentication modes to each user. A given user will be permitted to log in with: (a) any of the various types of the SecurID hardware tokens; (b) a SoftID terminal emulation program; _and/or_ (c) a static password. This new multi-mode user authentication is apparently part of SDTI's redesign of the ACE/SecurID system from the protocol up -- as the merged SDTI/RSA gets ready to phase in SecurID Smartcards, and puts the base ACE/Server on steroids to recast it as a full PKI key and cert manager.
In deference to SDTI, a client of mine for many years, I'll refrain from public tirade, tempest, or tears at the idea of reusable static passwords in a "secure" networked environment -- but I can only do that by overcoming a decade of Pavlovian conditioning. A password as a restricted emergency-access option, OK -- but an OTP system that supports the routine use of static passwords, one-factor authentication?? IMNSHO, passwords have a place in two networked environments: where there is a guy in uniform, locked and loaded, beside every keyboard (M-1 Security,) and at the other end of the spectrum: where weak to non-existent security is cost-effective and politically sound. There are mixed Enterprise environments, sure -- but in the real world, where info is a valuable asset, maintaining good password security is a bottomless pit of hassle, no matter what Attila-the-Hun software the administrator uses to enforce it. Good computer-generated passwords, with a mandatory 30-day turnover, have got to be every user's nightmare. Today, most users still have multiple passwords for various systems -- what's the norm? 6? -- and it's the well-managed password system that becomes the most irksome. It begs to be subverted by the very people it's supposed to serve and protect. So it often is. Suerte, _Vin "Cryptography is like literacy in the Dark Ages. Infinitely potent, for good and ill... yet basically an intellectual construct, an idea, which by its nature will resist efforts to restrict it to bureaucrats and others who deem only themselves worthy of such Privilege." _ A thinking man's Creed for Crypto/ vbm.
* Vin McLellan + The Privacy Guild + * 53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548 From owner-firewalls-outgoing Sat May 10 20:13:35 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id TAA23220 for firewalls-outgoing; Sat, 10 May 1997 19:59:34 -0700 (PDT) Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id TAA23212 for ; Sat, 10 May 1997 19:59:29 -0700 (PDT) Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id VAA02706; Sat, 10 May 1997 21:45:17 -0400 Date: Sat, 10 May 1997 21:45:13 -0400 (EDT) From: Rabid Wombat To: Sick Puppy cc: firewalls@GreatCircle.COM Subject: Re: Leveraging someone else's investment in NT In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Welcome back, fleabag. From owner-firewalls-outgoing Sat May 10 20:28:30 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id UAA23868 for firewalls-outgoing; Sat, 10 May 1997 20:15:42 -0700 (PDT) Received: from ALABAMA.CF.CS.YALE.EDU (RT-GW.CS.YALE.EDU [128.36.0.13]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id UAA23857 for ; Sat, 10 May 1997 20:15:34 -0700 (PDT) From: long-morrow@CS.YALE.EDU Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU (8.7.1/res.host.cf-4.0) with ESMTP id XAA22304; Sat, 10 May 1997 23:15:54 -0400 (EDT) sender long-morrow@CS.YALE.EDU for Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-8.7.1/res.client.cf-4.0) id XAA22066; Sat, 10 May 1997 23:15:52 -0400 (EDT) Date: Sat, 10 May 1997 23:15:52 -0400 (EDT) Message-Id: <199705110315.XAA22066@SPARKY.CF.CS.YALE.EDU> To: firewalls@greatcircle.com, sneakers@CS.YALE.EDU Subject: Attack via ICMP Echo Reply? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Anyone know of a flooding attack incident involving ICMP Echo Reply packets?
Where the ICMP Echo replies are not being generated in response to a flood of ICMP Echo requests? But are being triggered somehow? Know the M.O? Symptoms? Effect? - H. Morrow Long From owner-firewalls-outgoing Sat May 10 21:13:46 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id UAA28813 for firewalls-outgoing; Sat, 10 May 1997 20:59:56 -0700 (PDT) Received: from orion.aye.net (orion.aye.net [206.185.8.9]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id UAA28805 for ; Sat, 10 May 1997 20:59:51 -0700 (PDT) Received: from dogbert by orion.aye.net via SMTP (951211.SGI.8.6.12.PATCH1502/940406.SGI.AUTO) id XAA10668; Sat, 10 May 1997 23:53:55 -0400 Message-Id: <3.0.1.32.19970511000007.0097bcc0@aye.net> X-Sender: lzirko@aye.net X-Mailer: Windows Eudora Pro Version 3.0.1 (32) Date: Sun, 11 May 1997 00:00:07 -0400 To: Sick Puppy From: Lou Zirko Subject: Re: Leveraging someone else's investment in NT Cc: firewalls@GreatCircle.COM In-Reply-To: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk -----BEGIN PGP SIGNED MESSAGE----- So you're out of the kennel and sniffing the bitches again. 
Lou -----BEGIN PGP SIGNATURE----- Version: 4.5 iQEVAgUBM3VEMAiQdpqp9N0zAQE+oAf/R8M8qGHuYhmnFrkU0cG7FLPEsGMv19QJ h1nAnUkLmMLbQTDX/d1GAr8eOVbcaM5/QVE4HgINnAh6S8YgO5yQ6XjL9EuZGkXg xet3W7kHu5slELlDgfWQSILn9QJn0wpBu1bnMX/NWAbWdFL2uGCMOFIJVHdOdELt aVXgNQ/MYoT97gNZcf1wjgbgck7ZWjIZQmiUWE/QA3JYdK0CMC8QrLSCHMwpjuTO 1CXVg2SOrcejXHYPJfBsVxgTUi37lQqiHuKxtPJ2GMBUQbds6UPHVHzldtK0QcWL /B+2ejajasi3OeKmilz2+81yQCIsAih4xPB58VjVx11yfFUNUkU9Lw== =XOt/ -----END PGP SIGNATURE----- Lou Zirko Key fingerprint =46 F8 6A 89 F1 4A 74 AB 2F 60 21 E3 FB 21 E4 E4 "We're all bozos on this bus", Nick Danger, Third Eye From owner-firewalls-outgoing Sun May 11 05:13:32 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA18131 for firewalls-outgoing; Sun, 11 May 1997 05:06:15 -0700 (PDT) Received: from pino.demon.nl (pino.demon.nl [194.159.226.41]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id FAA18124 for ; Sun, 11 May 1997 05:06:10 -0700 (PDT) Received: from localhost (arjan@localhost) by pino.demon.nl (8.8.4/8.8.4) with SMTP id NAA00438; Sun, 11 May 1997 13:06:14 +0200 Date: Sun, 11 May 1997 13:06:14 +0200 (MET DST) From: Arjan Vos To: H_Pearman cc: firewalls@greatcircle.com Subject: Re: Filtering Inbound In-Reply-To: <3.0.32.19970509095728.0080c590@istar.ca> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 9 May 1997, H_Pearman wrote: > Does anyone out there filter incoming URLs for hostile contents, and if so > are there commercial products which do this. > > Thanks > I know of one product for executable-content filtering made by a Dutch company named Le Reseau (which is BTW French for network). I am not related to them, but have good experiences in doing business with them. I suggest you contact them on http://www.reseau.nl. They also have other neat (security-related) products... Gr.
Arjan -- Eat hard Sleep hard Wear glasses if you need them From owner-firewalls-outgoing Sun May 11 06:28:30 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA22084 for firewalls-outgoing; Sun, 11 May 1997 06:13:18 -0700 (PDT) Received: from ibggate.niederrhein.de (ibggate.niederrhein.de [194.77.170.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id GAA22066 for ; Sun, 11 May 1997 06:13:10 -0700 (PDT) Received: (from uucp@localhost) by ibggate.niederrhein.de (8.8.5/8.8.5) with UUCP id PAA21387; Sun, 11 May 1997 15:09:19 +0200 Received: (from jens@localhost) by oskar.zu.net (8.7.6/8.7.3) id KAA18809; Sun, 11 May 1997 10:33:04 +0200 From: Jens Baedeker Message-Id: <199705110833.KAA18809@oskar.zu.net> Subject: Re: [CyberGuard] how many session is possible in dynamic NAT? In-Reply-To: <33751AF3.4A2E@nuri.net> from Young-jin Hong at "May 11, 97 10:03:47 am" To: wits@nuri.net (Young-jin Hong) Date: Sun, 11 May 1997 10:33:03 +0200 (MET DST) Cc: firewalls@greatcircle.com X-Mailer: ELM [version 2.4ME+ PL25 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Young-jin Hong said: | Dear members. | | Generally, in setting up Dynamic NAT(Network Address Translation), | CyberGuard is working with its external IP address... as I know. That's correct. | | And then where I set a C class IP address to external interface, I don't understand this statement, but you can use a mixture of dynamic and static NAT. | CyberGuard only supports about 250 concurrent users? That's not correct. | | Is it true? or not? | | if not, how can CyberGuard support over 250 concurrent users?
166 MHz single Pentium: up to 50
166 MHz dual Pentium: up to 250
200 MHz dual Pentium: unlimited
Add more horsepower. -- Groetjes, Jens Was schwimmt und beginnt mit 'z' ? [What swims and begins with 'z'?]
Zwei Enten [Two ducks] -- Juergen von der Lippe -- From owner-firewalls-outgoing Sun May 11 11:58:32 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA02187 for firewalls-outgoing; Sun, 11 May 1997 11:56:14 -0700 (PDT) Received: from deere-bh.dx.deere.com (deere-bh.dx.deere.com [207.122.201.66]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id LAA02180 for ; Sun, 11 May 1997 11:56:09 -0700 (PDT) Received: (from uucp@localhost) by deere-bh.dx.deere.com (8.6.12/8.6.11) id NAA23589 for ; Sun, 11 May 1997 13:56:31 -0500 Received: from 192.43.1.3 by deere-bh.dx.deere.com via smap (3.2) id xma023583; Sun, 11 May 97 13:56:27 -0500 Received: from 90.deere.com by deere (SMI-8.6/SMI-SVR4) id NAA14059; Sun, 11 May 1997 13:55:44 -0500 Received: from catbert.uu.deere.com by 90.deere.com (SMI-8.6/SMI-SVR4) id NAA27505; Sun, 11 May 1997 13:55:41 -0500 Message-ID: <3376163C.85D38AA@90.deere.com> Date: Sun, 11 May 1997 13:55:56 -0500 From: Bertrum Carroll Organization: Deere & Company X-Mailer: Mozilla 4.0b3 [en] (Win95; I) MIME-Version: 1.0 To: "Firewalls@GreatCircle.COM" Subject: MS Proxy X-Priority: 3 (Normal) Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Has anyone used the MS Proxy to proxy Winsock as part of their DMZ? Is this safe and does it scale to lots of users? I've read the book (Microsoft's answer) but I'd like to hear from someone not tied to Microsoft (customer point of view). Thanks in Advance.
Bert Carroll From owner-firewalls-outgoing Sun May 11 12:13:33 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA02751 for firewalls-outgoing; Sun, 11 May 1997 12:08:00 -0700 (PDT) Received: from andy.alt.za (andy.alt.za [196.3.162.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id MAA02742 for ; Sun, 11 May 1997 12:07:52 -0700 (PDT) Date: Sun, 11 May 1997 21:08:03 +0200 (GMT+0200) From: Andrew Cameron To: firewalls@greatcircle.com cc: long-morrow@CS.YALE.EDU Subject: RE: Attack via ICMP Echo Reply? Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >Date: Sat, 10 May 1997 23:15:52 -0400 (EDT) >From: long-morrow@CS.YALE.EDU >Subject: Attack via ICMP Echo Reply? > >Anyone know of a flooding attack incident involving ICMP Echo Reply packets? > >Where the ICMP Echo replies are not being generated in response to >a flood of ICMP Echo requests? But are being triggered somehow? > >Know the M.O? Symptoms? Effect? > >- - H. Morrow Long Be warned that you should not allow ICMP traffic through your router or firewall without knowing the dangers. Some clever hackers have written a Telnet client and a Telnet daemon that use ICMP Echo Reply to carry the data for a Telnet session. The Telnet daemon could easily be embedded in your favourite IRC client or any other software downloaded from the Net. (This passes through most packet filters unless specifically turned off.) You could be under attack using this method. An indication of this attack is just what you described as "Where the ICMP Echo replies are not being generated in response to a flood of ICMP Echo requests?" You should assume that you may have been compromised.
----------------------------------------------------------------------------- Andrew Cameron Internet : andrew@andy.alt.za X.400 : C=ZA G=Andrew S=Cameron Admd=TELKOM400 ---------------------------------------------------------------------------- From owner-firewalls-outgoing Sun May 11 15:13:47 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id PAA11769 for firewalls-outgoing; Sun, 11 May 1997 15:01:18 -0700 (PDT) Received: from relay1.shore.net (relay1.shore.net [192.233.85.129]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id PAA11762 for ; Sun, 11 May 1997 15:01:13 -0700 (PDT) Received: from [198.115.179.81] (vin.shore.net [198.115.179.81]) by relay1.shore.net (8.8.3/8.8.3) with ESMTP id SAA13854 for ; Sun, 11 May 1997 18:01:41 -0400 (EDT) Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Sun, 11 May 1997 18:04:00 -0500 To: firewalls@greatcircle.com From: Vin McLellan Subject: Re: Password Aging System for Unix Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Oops! I referred to the new ACE/Server from Security Dynamics Technologies (SDTI) as both version 3.1 and v.1.3 in a recent message. Sorry, both references were imprecise. It was ACE/Server v.3.0.1 that was announced last Tuesday. I understand there has been a controlled distribution of ACE version 3.0 -- something like a Super Beta -- that gave SDTI's new multi-realm design a real workout over the past several months. ACE/Server version 1.3 was the sturdy workhorse of an earlier ACE/Server generation; the last before SDTI upgraded its authentication server with a full commercial-grade relational database.
Vin McLellan + The Privacy Guild + 53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548 -- <@><@> -- From owner-firewalls-outgoing Sun May 11 15:28:31 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id PAA11779 for firewalls-outgoing; Sun, 11 May 1997 15:04:35 -0700 (PDT) Received: from relay.rv.tis.com (relay.rv.tis.com [204.254.155.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id PAA11772 for ; Sun, 11 May 1997 15:04:29 -0700 (PDT) Received: by relay.rv.tis.com; id SAA26135; Sun, 11 May 1997 18:21:57 -0400 (EDT) Received: from unknown(204.254.155.205) by relay.rv.tis.com via smap (3.2) id xma026133; Sun, 11 May 97 18:21:46 -0400 Message-Id: <3.0.32.19970511180520.006a9310@pop.rv.tis.com> X-Sender: lothie@pop.rv.tis.com (Unverified) X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Sun, 11 May 1997 18:05:22 -0400 To: Firewalls@GreatCircle.COM From: Mimi Herrmann Subject: Re: IPSEC / IPV6 and Firewalls & Network Security Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 09:28 AM 5/10/97 GMT, Les Carleton wrote: >On Fri, 18 Apr 1997 11:15:13 -0500 (CDT), you wrote: >>Intranets can still use IPv4 with NAT at the firewall, so that's not an >>issue. > >It _is_ an issue. Its all very well putting in NAT if you have an intranet >whose internal addresses don't conflict directly with those on the other side >of the NAT, but if they do ... then you have a routing problem which requires >at least a two-stage NAT. > >If you need an example of where this may occur, consider a single NAT between >two networks both using the same portion of the "private" 10.0.0.0 network. >The NAT (even after translating the addresses) still won't be able to route >packets to both conflicting networks (say 10.1.1) because it won't know which >one is talking to it. 
> >With so many people using RFC1918-type addressing on their internal networks, >when they try to connect to each other there will inevitably be an address >clash. Huh? Excuse me, but that's not the case. Say I'm using 10.1.1.0 on the inside of my firewall, which does NAT. Its outside address is foo. Your firewall's outside address is bar, and your inside addresses are also 10.1.1.0. Where's the conflict? There isn't one. My firewall thinks that your network is bar. Your firewall thinks my network is foo. That's the whole point of using NAT. You never see the internal addresses of the other network, so there's no conflict. I understand you're talking about only one NAT, but if you have control over both networks, you should be making sure there ISN'T a conflict. If you don't have control over both, then you shouldn't have just the one NAT anyway. I can't even imagine a situation where this should be an issue. Of course, I live in a perfect world.... L From owner-firewalls-outgoing Sun May 11 18:28:30 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id SAA22715 for firewalls-outgoing; Sun, 11 May 1997 18:12:44 -0700 (PDT) Received: from pluto (pluto.citadel.com.au [203.14.230.9]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id SAA22691 for ; Sun, 11 May 1997 18:12:27 -0700 (PDT) Received: from aaron.citadel.com.au (ppp-syd-141.ca.com.au [203.23.80.141]) by pluto (8.7.6/8.7.3) with SMTP id LAA27053 for ; Mon, 12 May 1997 11:12:59 +1000 Message-Id: <3.0.1.32.19970512110859.007ebb60@pluto.citadel.com.au> X-Sender: aaron@pluto.citadel.com.au X-Mailer: Windows Eudora Light Version 3.0.1 (32) Date: Mon, 12 May 1997 11:08:59 +1000 To: Firewalls@GreatCircle.COM From: Aaron Everingham Subject: Firewall 1 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In the latest version of Firewall-1, much is made of stateful inspection.
Can someone please give me an English explanation of what this is and why it is so great? Citadel Security Management Systems Aaron Everingham - Northern Regions Manager aaron@citadel.com.au Ph: +61 02 9211 8700 Fax: +61 02 9211 8701 Suite 1, 330 Wattle Street Ultimo NSW 2007 Australia 'It's all about being digital' - Negroponte From owner-firewalls-outgoing Sun May 11 18:43:34 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id SAA22706 for firewalls-outgoing; Sun, 11 May 1997 18:12:41 -0700 (PDT) Received: from pluto (pluto.citadel.com.au [203.14.230.9]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id SAA22690 for ; Sun, 11 May 1997 18:12:27 -0700 (PDT) Received: from aaron.citadel.com.au (ppp-syd-141.ca.com.au [203.23.80.141]) by pluto (8.7.6/8.7.3) with SMTP id LAA27050; Mon, 12 May 1997 11:12:52 +1000 Message-Id: <3.0.1.32.19970512110805.007dabf0@pluto.citadel.com.au> X-Sender: aaron@pluto.citadel.com.au X-Mailer: Windows Eudora Light Version 3.0.1 (32) Date: Mon, 12 May 1997 11:08:05 +1000 To: Firewalls@GreatCircle.COM From: Aaron Everingham Subject: Re: Encryption export approvals Cc: Cabe Franklin In-Reply-To: <1.5.4.32.19970509223944.006edb20@pop.erols.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 06:39 PM 5/9/97 -0400, you wrote: >re: Adam and Aaron's conversation -- >In late March TIS got general purpose export approval for its MS >CAPI-compliant CSP which employs DES, 3DES and 128-bit RC2 and RC4. >While the stronger algorithms require key recovery, with DES you can >choose to enable it or not. > >Also, the domestic and int'l versions of the CSP interoperate, so you can >use 3DES domestically w/o key recovery, and use the same program to >communicate internationally, for which the CSP will automatically turn on >the key recovery feature.
> OK, now that we have some better info, I would also like to ask these questions (more on topic). Where is the best place to run encryption for a VPN? Is it on the firewall or behind? What about SSL? Will it still operate within an encrypted tunnel? Citadel Security Management Systems Aaron Everingham - Northern Regions Manager aaron@citadel.com.au Ph: +61 02 9211 8700 Fax: +61 02 9211 8701 Suite 1, 330 Wattle Street Ultimo NSW 2007 Australia 'It's all about being digital' - Negroponte From owner-firewalls-outgoing Sun May 11 19:58:34 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id TAA28888 for firewalls-outgoing; Sun, 11 May 1997 19:47:19 -0700 (PDT) Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id TAA28881 for ; Sun, 11 May 1997 19:47:14 -0700 (PDT) Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id WAA11040; Sun, 11 May 1997 22:45:11 -0400 (EDT) From: Adam Shostack Message-Id: <199705120245.WAA11040@homeport.org> Subject: Re: Encryption export approvals In-Reply-To: <3.0.1.32.19970512110805.007dabf0@pluto.citadel.com.au> from Aaron Everingham at "May 12, 97 11:08:05 am" To: aaron@citadel.com.au (Aaron Everingham) Date: Sun, 11 May 1997 22:45:10 -0400 (EDT) Cc: Firewalls@GreatCircle.COM, cabe@erols.com X-Mailer: ELM [version 2.4ME+ PL27 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Aaron Everingham wrote: | Where is the best place to run encryption for a VPN? Is it on the firewall | or behind? What about SSL? Will it still operate within an encrypted tunnel? It depends what you're trying to accomplish. If you're looking to extend a trust domain across the internet (say, two offices of a company in separate cities), then running from host to host is probably a good thing, for maximum authenticity.
If you're running a VPN with a supplier to avoid application level encryption for each app that passes your firewall, it would seem to make sense to run FW to FW. In general, I think of VPNs as network extension tools, to allow the multiple office scenario. I look for application layer security for supplier networks (although that's often tough), because suppliers are not "trustworthy" in the sense that I want application security to ensure they are doing only and exactly what they are supposed to be doing. Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From owner-firewalls-outgoing Sun May 11 23:58:46 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA08980 for firewalls-outgoing; Sun, 11 May 1997 23:53:46 -0700 (PDT) Received: from prometeo.cps.unizar.es (prometeo.cps.unizar.es [155.210.29.50]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id XAA08967 for ; Sun, 11 May 1997 23:53:19 -0700 (PDT) Received: from moloc.cps.unizar.es (moloc.cps.unizar.es [155.210.29.140]) by prometeo.cps.unizar.es (8.7.5/8.7.3) with ESMTP id IAA19873; Mon, 12 May 1997 08:53:39 +0200 (MET DST) Received: from localhost (davidal@localhost) by moloc.cps.unizar.es (8.7.5/8.7.3) with SMTP id IAA06243; Mon, 12 May 1997 08:53:38 +0200 (MET DST) Date: Mon, 12 May 1997 08:53:37 +0200 (MET DST) From: David Alayeto Salvador To: Aaron Everingham cc: firewalls@greatcircle.com Subject: Re: Encryption export approvals In-Reply-To: <3.0.1.32.19970512110805.007dabf0@pluto.citadel.com.au> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk If you want information about SSL, e-mail: siscer@encomix.es They are developing an authentication service based on this which will allow orgs to trust each other if they are certified by them. I know they also know about firewalls, so try asking there. Dave.
From owner-firewalls-outgoing Mon May 12 00:28:53 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id AAA09351 for firewalls-outgoing; Mon, 12 May 1997 00:02:16 -0700 (PDT) Received: from iva.laus.hr ([194.152.247.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id AAA09332 for ; Mon, 12 May 1997 00:01:46 -0700 (PDT) Received: from laus.dbk.laus.hr (laus.dbk.laus.hr [194.152.247.130]) by iva.laus.hr (8.8.5/8.8.4) with ESMTP id IAA17747 for ; Mon, 12 May 1997 08:52:54 +0200 Received: from sioux (sioux.dbk.laus.hr [194.152.247.137]) by laus.dbk.laus.hr (8.8.5/8.8.4) with SMTP id IAA39365 for ; Mon, 12 May 1997 08:59:26 +0200 Message-Id: <1.5.4.32.19970512060312.01650950@laus.dbk.laus.hr> X-Sender: mario@laus.dbk.laus.hr X-Mailer: Windows Eudora Light Version 1.5.4 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Mon, 12 May 1997 09:03:12 +0300 To: firewalls@GreatCircle.COM From: Mario Misic Subject: Re: unix/firewall administrators Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 09:09 1997.03.02 -0500, you wrote: >Please post to the list if you have these positions. 
> > OK I have From owner-firewalls-outgoing Mon May 12 01:14:14 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id AAA12824 for firewalls-outgoing; Mon, 12 May 1997 00:52:07 -0700 (PDT) Received: from ioda.diatel.upm.es (ioda.diatel.upm.es [138.100.49.6]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id AAA12746 for ; Mon, 12 May 1997 00:51:28 -0700 (PDT) Received: from zobel.lab.diatel.upm.es by ioda.diatel.upm.es (SMI-8.6/SMI-SVR4) Mon, 12 May 1997 09:47:43 +0200 Received: from cansado by zobel.lab.diatel.upm.es (SMI-8.6/SMI-SVR4) Mon, 12 May 1997 09:50:56 +0200 Message-ID: <3376CBB8.7D3@lab.diatel.upm.es> Date: Mon, 12 May 1997 09:50:16 +0200 From: Ana Sierra X-Mailer: Mozilla 3.0Gold (WinNT; I) MIME-Version: 1.0 To: Firewalls@GreatCircle.COM Subject: filtering applets Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, I am a telematics student doing research work about filtering Java applets. I would like to know about firewalls that use encryption for filtering applets. Thanks.
From owner-firewalls-outgoing Mon May 12 02:00:43 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id BAA18356 for firewalls-outgoing; Mon, 12 May 1997 01:32:47 -0700 (PDT) Received: from glacier.wise.edt.ericsson.se (glacier-ext.wise.edt.ericsson.se [193.180.251.38]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id BAA18337 for ; Mon, 12 May 1997 01:32:38 -0700 (PDT) Received: from geek (geek.nmac.ericsson.se [130.100.187.83]) by glacier.wise.edt.ericsson.se (8.7.5/8.7.3/glacier-0.9) with ESMTP id KAA14762 for ; Mon, 12 May 1997 10:33:14 +0200 (MET DST) Received: from haig.oplab.nmac.ericsson.se (haig.oplab.nmac.ericsson.se [130.100.187.85]) by geek (8.8.5/8.8.5) with ESMTP id IAA11413 for ; Mon, 12 May 1997 08:30:38 +0200 Received: by haig.oplab.nmac.ericsson.se with Internet Mail Service (5.0.1457.3) id ; Mon, 12 May 1997 10:14:51 +0200 Message-ID: <43BED8177D10D011A69A0800092C15D7011BD3@haig.oplab.nmac.ericsson.se> From: =?iso-8859-1?Q?Robert_St=E5hlbrand?= To: "'j@services.state.mo.us'" Cc: "'firewalls@greatcircle.com'" Subject: RE: unix/firewall administrators Date: Mon, 12 May 1997 10:14:48 +0200 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1457.3) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk .... > -----Original Message----- > From: john@qnet.com [SMTP:john@qnet.com] > Sent: den 2 mars 1997 15:09 > To: firewalls@GreatCircle.COM > Subject: unix/firewall administrators > > Please post to the list if you have these positions. 
From owner-firewalls-outgoing Mon May 12 03:59:09 1997
From: Todd Hooper
To: Firewalls@GreatCircle.COM
Date: Mon, 12 May 1997 18:46:48 +0800
Subject: Firewall-1
In-Reply-To: <199705120828.BAA17837@honor.greatcircle.com>

Aaron writes:

>In the latest version of firewall 1, much is made of stateful inspection.
>Can someone please give me an English explanation of what this is and why
>it is so great?

Stateful inspection is Checkpoint's patented technique for traffic control. It has been part of Firewall-1 since v1.0.

There is a brief outline of stateful inspection on the Checkpoint Web site at:

http://www.checkpoint.com/products/firewall/stateful/index.html

which does a reasonable job of explaining it, complete with pictures.

I note in the latest Data Comms firewall survey that seven firewall vendors (apart from Checkpoint) claim to use stateful inspection. The FUD in the marketplace about stateful inspection has died down as more vendors have adopted it...now isn't that strange? ;-)

Regards,

Todd

From owner-firewalls-outgoing Mon May 12 04:44:01 1997
From: Darren Reed
To: todd.hooper@alphawest.com.au (Todd Hooper)
Cc: Firewalls@GreatCircle.COM
Date: Mon, 12 May 1997 21:38:00 +1000 (EST)
Subject: Re: Firewall-1
Message-Id: <199705121139.EAA02729@honor.greatcircle.com>
In-Reply-To: from "Todd Hooper" at May 12, 97 06:46:48 pm

In some mail from Todd Hooper, sie said:
>
> Aaron writes:
>
> >In the latest version of firewall 1, much is made of stateful inspection.
> >Can someone please give me an English explanation of what this is and why
> >it is so great?
>
> Stateful inspection is Checkpoint's patented technique for traffic control.

Just to be pedantic, they've patented the INSPECT engine, not "stateful inspection", according to their WWW page:

http://www.checkpoint.com/products/firewall/stateful/page3.html

...
Check Point FireWall-1's Stateful Inspection architecture utilizes a unique, patented INSPECT Engine which enforces the security policy on the gateway on which it resides. The INSPECT Engine looks at all communication layers and extracts only the relevant data, enabling highly efficient operation, support for a large number of protocols and applications, and easy extensibility to new applications and services.
...

Darren

From owner-firewalls-outgoing Mon May 12 05:19:38 1997
From: Abubakar Saeed
Organization: Cyber.Net
To: firewalls@GreatCircle.COM
Date: Mon, 12 May 1997 16:56:32 -0500
Subject: Re: unix/firewall administrators
Message-ID: <33779210.623E@cyber.net.pk>
References: <1.5.4.32.19970512060312.01650950@laus.dbk.laus.hr>

At 09:09 1997.03.02 -0500, you wrote:
>Please post to the list if you have these positions.
>
>

I have the Job

--
Saeed Abubakar
System Engineer
Cyber Internet Services (Pvt) Ltd.
E-mail saeed@cyber.net.pk
Voice: + 92 21 5673418
Fax : + 92 21 5682711
Postal Address: A-904 Lakson Square Building # 3
Sarwar Shaheed Road
Karachi 74200
Pakistan.
From owner-firewalls-outgoing Mon May 12 05:44:05 1997
From: Frederick M Avolio
To: Information Security, firewalls@greatcircle.com
Date: Sat, 10 May 1997 14:32:42 -0400
Subject: Re: Encryption Outside US
Message-Id: <3.0.1.32.19970510143242.006a9cd4@pop.hq.tis.com>
In-Reply-To: <199705090221.WAA20018@panix2.panix.com>

At 10:21 PM 5/8/97 -0400, Information Security wrote:
>Key recovery means the information necessary to decrypt
>the message is built into the message.
>
>The message is cleartext to the government.

You are exaggerating of course.

>Would it be reasonable to fear that the key recovery implementation
>might become known at a later date to someone other than the government?
>
>Yes.
>
>Why use encryption with built-in crackability?
>
>A company would be totally foolish to use the compromised crypto.

Michael Zboray (an industry analyst at Gartner Group) has been quoted as saying: "The use of a key recovery system is a mandatory business practice for the deployment of widespread deployment of public key encryption. The risk of data loss through the loss of private keys can be as damaging as the loss due to malicious attack."

I agree with him, as do many large corporations. They reason: 1) crypto is mandatory for privacy in business transactions and 2) the ability of the organization to recover the key used to encrypt a file is mandatory for business health.

Fred
---
(voice) +1 301-854-5749; (fax) +1 301-854-5363
Web site: http://www.tis.com/
PGP Key: http://www.tis.com/docs/corporate/fredpgp.html
PGP Key fingerprint = 37 6B 35 BB B2 07 BE B7 D5 47 C3 30 4E 39 A2 EE

From owner-firewalls-outgoing Mon May 12 06:44:17 1997
From: "Frederik H. Andersen"
To: Frederick M Avolio
Cc: Information Security, firewalls@greatcircle.com
Date: Mon, 12 May 1997 15:35:22 +0200
Subject: Re: Encryption Outside US
Message-Id: <9705121335.AA05793@Knud.dde.dk>
In-Reply-To: avolio's message of Sat, 10 May 1997 14:32:42 -0400. <3.0.1.32.19970510143242.006a9cd4@pop.hq.tis.com>

avolio@tis.com said:
> I agree with him, as do many large corporations. They reason: 1)
> crypto is mandatory for privacy in business transactions and 2) the
> ability of the organization to recover the key used to encrypt a file
> is mandatory for business health.

Yes, but I prefer to be in full charge of where, how, when and to whom the keys are recovered!

/Frederik

From owner-firewalls-outgoing Mon May 12 06:59:38 1997
From: Darren Reed
To: avolio@tis.com (Frederick M Avolio)
Cc: guy@panix.com, firewalls@GreatCircle.COM
Date: Mon, 12 May 1997 23:39:21 +1000 (EST)
Subject: Re: Encryption Outside US
Message-Id: <199705121341.GAA12841@honor.greatcircle.com>
In-Reply-To: <3.0.1.32.19970510143242.006a9cd4@pop.hq.tis.com> from "Frederick M Avolio" at May 10, 97 02:32:42 pm

In some mail from Frederick M Avolio, sie said:
[...]
> The risk of data loss through the loss of private keys can be as damaging
> as the loss due to malicious attack."
>
> I agree with him, as do many large corporations. They reason: 1) crypto is
> mandatory for privacy in business transactions and 2) the ability of the
> organization to recover the key used to encrypt a file is mandatory for
> business health.

The only problem I have with "key recovery" is who is able to recover it. In business environments I can't see anyone opposing it, for the reasons you cite and more....BUT...

If Joe Citizen is using 3-DES to talk to his mate Yuri in Russia, should they be required to use keys which are "recoverable" by any 3rd party ?

Anyway, this is digressing from the topic "firewalls".
Darren

From owner-firewalls-outgoing Mon May 12 07:15:02 1997
From: claman@copley.fi.mckinsey.com (Larry Claman)
To: firewalls@greatcircle.com
Date: Mon, 12 May 1997 09:32:34 -0400
Subject: limiting outbound ports on Gauntlet
Message-ID: <33771829.819292@copley.fi.mckinsey.com>

There seems to be a big limitation in the Gauntlet telnet and SSL proxies. I suspect that these limitations also exist with the FWTK, and they may also exist with other Gauntlet proxies as well. (I just haven't poked around.)

The telnet proxy on a Gauntlet, when used in non-transparent mode, has the syntax "connect hostname [port]". Note the optional port parameter. While it is certainly convenient to be able to connect to random ports, as far as I can tell the Gauntlet does not allow the administrator to restrict which outbound destination ports a user can connect to.

Given this syntax, it would be trivial to write a proxy-aware program that could tunnel itself through the telnet gateway. My fear is that applications will appear that take advantage of this "feature" to get around any outbound port restrictions due to our security policy.

This problem also exists on the Gauntlet with the SSL proxying portion of the http-gw. To support SSL proxying, the http-gw understands the 'CONNECT' command, which also takes a host & port parameter. For example, you can telnet to a gauntlet on port 80, then issue the command:

CONNECT somehost.com:23 HTTP/1.0

(plus two carriage returns) to use the SSL proxy as a telnet proxy! Again, as far as I can tell (and as confirmed by Gauntlet support), there is no way to restrict destination ports on the SSL/HTTP proxy. (Ideally, I'd like it just to be able to go to port 443.)

I already know of one application taking advantage of this: Lotus Notes. Notes 4.5 allows a user to define an "RPC Proxy". If you point this setting to a Gauntlet's http proxy, it will allow you to tunnel Notes through a Gauntlet via the SSL proxy. For more information on the Notes RPC proxy, see:

http://www.notes.net/Today.nsf/cbb328e5c12843a9852563dc006721c7/dc5ef61ced7a7cfd8525645300546a9d?OpenDocument

I see this limitation as a huge hole in how my security policy is implemented. I'd be interested in hearing what other Gauntlet and toolkit users think about this problem, and how they are dealing with it. I raised this issue with Gauntlet support, but they were basically unhelpful & not concerned.

-Larry Claman

From owner-firewalls-outgoing Mon May 12 07:29:40 1997
From: jeromie@garrison.com (Jeromie Jackson)
To: firewalls@GreatCircle.COM, seane@choreo.ca
Date: Mon, 12 May 97 08:51:41 CDT
Subject: Re: Filtering Inbound
Message-Id: <9705121351.AA08523@garrison.com>

> From owner-firewalls-outgoing@GreatCircle.COM Fri May 9 15:05:24 1997
> Date: Fri, 09 May 1997 12:17:14 -0700
> From: Sean Elrington
> Reply-To: seane@choreo.ca
> Organization: Choreo Systems
> To: firewalls@GreatCircle.COM
> Subject: Re: Filtering Inbound
>
> H_Pearman wrote:
> >
> > Does anyone out there filter incoming URLs for hostile contents, and if so,
> > are there commercial products which do this?
> >
> > Thanks
>
> By 'hostile contents' perhaps you mean Java or ActiveX based attacks
> rather than dirty pictures? Finjin is developing some stuff to block
> these but I don't know how good it is. You can block Java at a firewall
> by blocking .class files or looking for the APPLET tag in the
> datastream. Trend Micro's (www.trendmicro.com) gateway antivirus
> software can also block Java system wide when scanning HTTP traffic for
> viruses.
> --
> Sean Elrington
> Sales Systems Engineer
> Choreo Systems - Vancouver
> Tel: (604) 737-3993 www.choreosystems.com seane@choreo.ca
> -----------------------------------------------------------
> Firewalls, security tools, public key encryption
> TCP/IP, X.11, NFS
> Messaging and directory software
> -----------------------------------------------------------
>

Also, if you have a TIS Gauntlet, you can filter Java, Active X, cookies, and just about anything else you can think of (via filtering the header). Most of the other large product vendors are also shipping ways to filter Java, and ActiveX has been close behind it.

Jeromie Jackson
Garrison Technologies
jeromie@garrison.com

From owner-firewalls-outgoing Mon May 12 07:45:21 1997
From: exadmin
To: "'firewalls@GreatCircle.COM'"
Date: Mon, 12 May 1997 09:05:58 -0500
Subject: FW: Notification: Inbound Mail Failure - Address not found

>----------
>From: System Administrator[SMTP:postmaster@afiwc01.af.mil]
>Sent: Thursday, May 8, 1997 7:28 PM
>To: exadmin
>Subject: Notification: Inbound Mail Failure - Address not found
>
>A mail message was not sent because the following address(es) could not be
>found:
>
> kusr@afiwc01.af.mil
>
>The message that caused this notification was:
>
> To:
> From:
> Cc:
> Subject: Re: Need RFC 1060
>
>

From owner-firewalls-outgoing Mon May 12 08:10:23 1997
From: Irwin Lazar
To: firewalls@greatcircle.com
Date: Mon, 12 May 1997 10:40:26 -0400
Subject: ActiveX and Java Filtering
Message-Id: <3.0.1.32.19970512104026.00876180@netevolve.com>

Greetings all,

I am curious to see how organizations are handling the threat of rogue Java or ActiveX code being accessed by their end-users. Is this something that should just be blocked outright at the firewall, or do major firewall vendors incorporate some sort of checking of code before it is allowed to pass, possibly to see if it is electronically signed?

Any responses are appreciated.

<><><><><><><><><><><><><><><><><><><><><><>
Irwin Lazar
Networking References - Network Evolutions, Inc.
http://www.netevolve.com/lazar
http://www.netevolve.com
lazar@netevolve.com

From owner-firewalls-outgoing Mon May 12 08:16:21 1997
From: "Paul D. Robertson"
To: Frederick M Avolio
cc: Information Security, firewalls@GreatCircle.COM
Date: Mon, 12 May 1997 10:01:25 -0400 (EDT)
Subject: Re: Encryption Outside US
In-Reply-To: <3.0.1.32.19970510143242.006a9cd4@pop.hq.tis.com>

On Sat, 10 May 1997, Frederick M Avolio wrote:

> Michael Zboray (an industry analyst at Gartner Group) has been quoted as
> saying: "The use of a key recovery system is a mandatory business practice
> for
> the deployment of widespread deployment of public key encryption.
> The risk of data loss through the loss of private keys can be as damaging
> as the loss due to malicious attack."
>
> I agree with him, as do many large corporations. They reason: 1) crypto is
> mandatory for privacy in business transactions and 2) the ability of the
> organization to recover the key used to encrypt a file is mandatory for
> business health.

Please note that key recovery at the data storage layer is important for businesses, key recovery at the transport layer isn't always. Encryption is used in different ways, and public-key can be a valid key exchange, transport, and validation mechanism without necessitating key recovery in commercial situations. Just like anything else, broad statements about crypto tend to be not particularly applicable to everything.

Situation #1 is probably more applicable at the transport layer, situation #2 would probably mandate escrow.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
PSB#9280

From owner-firewalls-outgoing Mon May 12 08:32:21 1997
From: Martin Burack
To: firewalls@greatcircle.com
Date: Mon, 12 May 1997 11:17:48 -0400
Subject: INET'97
Message-Id: <3.0.32.19970512111747.007691d0@linus.isoc.org>

Greetings. Because of your interest in security, electronic commerce, privacy, and related areas, we thought you would want to know about the INET'97 conference, taking place next month.

INET'97 is the crossroads at which the world's cyberspace leaders meet to exchange experiences, share information, and shape the future of the Internet and its related internetworking technologies. Regardless of your expertise, you'll come away with plenty of practical ideas. It is the one Internet event you must not miss!

I look forward to seeing you there.

Marty Burack
Executive Director
Internet Society
burack@isoc.org

***********************************
PLENARY SPEAKERS - We are honored to have:

Dr. Glenn Ricart, Executive Vice President and Chief Technology Officer, Novell, Inc.
Mr. Ira Magaziner, Senior Advisor to the President of the United States for Policy Development.
A Minister of the Malaysian government

***********************************
A SAMPLING OF INET'97 CONFERENCE SESSIONS (subject to change)

Security: Privacy on the Internet; Seamless VPN; Network Access Control for DHCP Envir.; E-mail Security Standards; Capability-Based Usage Control Scheme; A System For Public Keys for Network Transferring Objects Service

Internet Commerce: EDI: Concepts and Effects; 3rd Gen Web Applications, Residential; Economics of Internet Access; Using Internet & Intranets; What the Internet is Telling Us About Itself; Small Businesses-Realities

Case Studies: A WWW Directory Service Architecture; Online Stock Transactions; Norwegian Tourism Industry; NII in Taiwan

Collaborative Environments: The WebDesk Framework; Multi-User Domains; InterMUD Communications; Multicasting

Network Technology and Engineering: Measurement and Statistics; Network Technology; Routing; Satellite-based Networking; ATM; High Bandwidth Apps

Plus additional sessions on: Policy and Regulation; Education; User Applications; Regional Development

A list of papers and panels, along with abstracts, can be viewed at: http://www.isoc.org/inet97

*********************************************
INET97 "THE INTERNET: GLOBAL FRONTIERS"
The Seventh Annual Conference of the Internet Society
24-27 June 1997
Putra World Trade Center, Kuala Lumpur, Malaysia

Pre-Conference Events:
Technical Tutorial - June 23 and 24, 1997
K-12 Workshop - June 24, 1997
African Networking Symposium - June 24, 1997
Developing Countries Workshop - June 15-22, 1997

***********************************
The INET 97 registration fee covers attendance at all INET 97 conference sessions June 24-June 27, 1997: Opening Reception, Gala evening, luncheons, coffee breaks, and all conference materials, including the conference program, book of abstracts and CD-ROM proceedings. Pre-conference events have separate registration fees.

DISCOUNTED TRAVEL: Discounted housing accommodations are available, along with special INET97 airline rates for travel to and from Kuala Lumpur. Pre- and post-conference tours are available for INET 97 registrants.

THE INTERNET SOCIETY (ISOC) is a nonprofit, non-governmental organization providing leadership in the management of the many issues and concerns which the new applications of the Internet are generating. Its diverse membership includes more than 100 key organizations and about 7,000 individual members in 150 countries. ISOC also charters the IETF, IESG, and IAB.

For more information, or to register:
URL: http://www.isoc.org/inet97
Voice: +1 (703) 648-9888
Fax: +1 (703) 648-9887
e-mail:
Post: Internet Society, 12020 Sunrise Valley Drive, Reston, Virginia U.S.A. 20191-3429

DON'T WAIT SIGN UP TODAY!
From owner-firewalls-outgoing Mon May 12 09:26:35 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA29877 for firewalls-outgoing; Mon, 12 May 1997 08:50:57 -0700 (PDT) Received: from mail.clark.net (mail.clark.net [168.143.0.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA29842 for ; Mon, 12 May 1997 08:50:45 -0700 (PDT) Received: from clark.net (proberts@explorer.clark.net [168.143.0.7]) by mail.clark.net (8.8.5/8.6.5) with ESMTP id LAA09150; Mon, 12 May 1997 11:50:34 -0400 (EDT) Received: from localhost (proberts@localhost) by clark.net (8.8.5/8.7.1) with SMTP id LAA11514; Mon, 12 May 1997 11:50:58 -0400 (EDT) X-Authentication-Warning: clark.net: proberts owned process doing -bs Date: Mon, 12 May 1997 11:50:57 -0400 (EDT) From: "Paul D. Robertson" To: Irwin Lazar cc: firewalls@GreatCircle.COM Subject: Re: ActiveX and Java Filtering In-Reply-To: <3.0.1.32.19970512104026.00876180@netevolve.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Mon, 12 May 1997, Irwin Lazar wrote: > Greetings all, > I am curious to see how organizations are handling the threat of rouge Java > or ActiveX code being accessed by their end-users. Is this something that > should just be blocked outright at the firewall, or do major firewall > vendors incorporate some sort of checking of code before it is allowed to > pass, possibly to see if it is electronically signed? Active X signatures don't protect you, as an object can be used by any site once it's accepted. It's basically an allow it, or disallow it thing, though you can possibly block or permit on a per-site basis. Paul ----------------------------------------------------------------------------- Paul D. Robertson "My statements in this message are personal opinions proberts@clark.net which may have no basis whatsoever in fact." 
PSB#9280 From owner-firewalls-outgoing Mon May 12 10:00:25 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA05269 for firewalls-outgoing; Mon, 12 May 1997 09:18:05 -0700 (PDT) Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id JAA05221 for ; Mon, 12 May 1997 09:17:52 -0700 (PDT) Received: from West.Sun.COM ([129.153.100.30]) by mercury.Sun.COM (SMI-8.6/mail.byaddr) with SMTP id JAA28926 for ; Mon, 12 May 1997 09:31:42 -0700 Received: from plato.West.Sun.COM by West.Sun.COM (SMI-8.6/SMI-5.3) id JAA12789; Mon, 12 May 1997 09:18:26 -0700 Received: by plato.West.Sun.COM (SMI-8.6/SMI-SVR4) id JAA23254; Mon, 12 May 1997 09:18:08 -0700 Date: Mon, 12 May 1997 09:18:08 -0700 From: matt@plato.West.Sun.COM (Matthew Archibald) Message-Id: <199705121618.JAA23254@plato.West.Sun.COM> To: firewalls@greatcircle.com Subject: ? SSL proxies and smapd X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Greetings all, Any chance someone has a proxy for smapd or sendmail which would enable me to ssl a session from a client inbound to a proxy host using netscape mail? 
Thanks, Matt From owner-firewalls-outgoing Mon May 12 10:15:15 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA04829 for firewalls-outgoing; Mon, 12 May 1997 09:16:04 -0700 (PDT) Received: from rainbow.verisoft.com.tr (rainbow.verisoft.com.tr [194.54.45.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id JAA03773 for ; Mon, 12 May 1997 09:10:17 -0700 (PDT) Received: from IrisNT by rainbow.verisoft.com.tr (AIX 4.2/UCB 5.64/4.03) id AA25172; Mon, 12 May 1997 10:11:21 -0500 Message-Id: <9705121511.AA25172@rainbow.verisoft.com.tr> X-Sender: fadil@194.54.45.10 X-Mailer: Windows Eudora Light Version 1.5.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Mon, 12 May 1997 19:13:53 +0400 To: firewalls@GreatCircle.COM From: Fadil Mesic Subject: Re: unix/firewall administrators Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 09:09 1997.03.02 -0500, you wrote: >Please post to the list if you have these positions. > > OK. ------------------------------------------------------------------------ Fadil Mesic, System/Security Engineer Verisoft LTD Co. Altan Erbulak Sok. 7/9 80820 Gayrettepe, Istanbul, Turkey Tel. 
+90 (212) 275 0301 Fax +90 (212) 274 1176 e-mail: fadil@verisoft.com.tr http: www.verisoft.com.tr -------BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.i mQCNAjHbdS4AAAEEAK4WvMqXO+CXXFvZ2KT4pmAZRDZmb0+z+hM4UM6h/caAX2rm 5qeZe+gd/soUNpPvZdn7UBZz5cfc2b42HSgK3HlGlrFyGhopjvt65Vs+cqfaOROj VPpZWLgsiFHbaMA1BRdKqytIl9vdr3Jd/1NOfnCb0Bm4NWzWb2uQCBeelye1AAUR tCNGYWRpbCBNZXNpYyA8ZmFkaWxAdmVyaXNvZnQuY29tLnRyPg== =HTUI -----END PGP PUBLIC KEY BLOCK----- From owner-firewalls-outgoing Mon May 12 10:40:14 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA08969 for firewalls-outgoing; Mon, 12 May 1997 09:48:23 -0700 (PDT) Received: from reflections.eng.mindspring.net (reflections.eng.mindspring.net [207.69.183.9]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id JAA08962 for ; Mon, 12 May 1997 09:48:18 -0700 (PDT) Received: (qmail 10628 invoked by uid 514); 12 May 1997 16:48:59 -0000 Date: Mon, 12 May 1997 12:48:59 -0400 (EDT) From: Todd Graham Lewis To: Andrew Cameron cc: firewalls@greatcircle.com, long-morrow@CS.YALE.EDU Subject: RE: Attack vi ICMP Echo Reply? In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Sun, 11 May 1997, Andrew Cameron wrote: > And Indication of this attack is just what you described as > "Where the ICMP Echo replies are not being generated in response to > a flood of ICMP Echo requests?" > > You should assume that you may have been compromised. "May" being the operative word. Spurious ICMP echo replies are not, per se, prima facie evidence of compromise. It should, however, rouse one's curiosity. 
__
Todd Graham Lewis    MindSpring Enterprises    tlewis@mindspring.com

From owner-firewalls-outgoing Mon May 12 11:06:55 1997
From: Todd Graham Lewis
Date: Mon, 12 May 1997 12:44:15 -0400 (EDT)
To: long-morrow@CS.YALE.EDU
cc: firewalls@greatcircle.com, sneakers@CS.YALE.EDU
Subject: Re: Attack via ICMP Echo Reply?
In-Reply-To: <199705110315.XAA22066@SPARKY.CF.CS.YALE.EDU>

On Sat, 10 May 1997 long-morrow@CS.YALE.EDU wrote:

> Anyone know of a flooding attack incident involving ICMP Echo Reply packets?

An actual incident? No.

> Know the M.O? Symptoms? Effect?

The MO would probably be to forge the return address on the ICMP packets and
send a lot of them. Additionally, one could forge ICMP echo requests to
another machine on the net, causing it to send replies.

Symptoms would be receiving a ton of gratuitous ICMP echo replies.

Effect would be to chew up bandwidth on the incoming side of your link.
__
Todd Graham Lewis    MindSpring Enterprises    tlewis@mindspring.com

From owner-firewalls-outgoing Mon May 12 11:08:18 1997
From: Todd Graham Lewis
Date: Mon, 12 May 1997 13:15:46 -0400 (EDT)
To: Irwin Lazar
cc: firewalls@greatcircle.com
Subject: Re: ActiveX and Java Filtering
In-Reply-To: <3.0.1.32.19970512104026.00876180@netevolve.com>

On Mon, 12 May 1997, Irwin Lazar wrote:

> I am curious to see how organizations are handling the threat of rogue Java
> or ActiveX code being accessed by their end-users.

They're ignoring it. (Try convincing a marketing type that IE can be dangerous.)

> Is this something that should just be blocked outright at the firewall,

Yes.

> or do major firewall vendors incorporate some sort of checking of code
> before it is allowed to pass, possibly to see if it is electronically
> signed?

Not to my knowledge.
__
Todd Graham Lewis    MindSpring Enterprises    tlewis@mindspring.com

From owner-firewalls-outgoing Mon May 12 11:14:56 1997
From: Todd Graham Lewis
Date: Mon, 12 May 1997 12:54:39 -0400 (EDT)
To: Aaron Everingham
cc: Firewalls Mailing List
Subject: Re: Encryption export approvals
In-Reply-To: <3.0.1.32.19970512110805.007dabf0@pluto.citadel.com.au>

On Mon, 12 May 1997, Aaron Everingham wrote:

> Where is the best place to run encryption for a VPN? Is it on the firewall
> or behind? What about SSL? Will it still operate within an encrypted tunnel?

I would think on the firewall would be the most convenient place to do it.
Putting the crypto engine behind the firewall requires that all traffic be
routed from the client, to the firewall, back onto the local network to the
crypto engine, back out through the firewall, through the firewall on the
other side which has to allow the traffic, back up to the remote firewall, and
then back down to the remote server.

Anything will work through a VPN link; that's the whole point. There is no
inherent difference between a VPN and a clear link, other than latency,
slowness, etc., associated with the encryption.
__
Todd Graham Lewis    MindSpring Enterprises    tlewis@mindspring.com

From owner-firewalls-outgoing Mon May 12 11:29:52 1997
From: Bill Heiser
Date: Mon, 12 May 1997 13:05:58 -0400 (EDT)
To: Jerald.Josephs@Ebay.Sun.COM (Jerald Josephs)
Cc: marc@tear.com, dechon@CS.Stanford.EDU, firewalls@GreatCircle.COM, fw-1-mailinglist@us.checkpoint.com
Subject: Re: [FW1] [FW-1] [Solaris 2.6] DHCP, VLSM thoughts
In-Reply-To: <199705061957.MAA13391@althea.EBay.Sun.COM> from "Jerald Josephs" at May 6, 97 12:57:29 pm
Message-Id: <199705121705.NAA24988@kernighan.individual.com>

Jerald Josephs wrote this:
>
> > > > In respect to a firewall, you can run gated instead of routed. HP/UX
> > > and IRIX both ship w/ gated (as do others). Sun still only ships
> > > routed. Gated will do OSPF. Firewall-1, for instance, can be
> > > configured to allow OSPF through to the kernel.
> > >
> >
> I completely agree that a firewall should not run any routing protocols and
> depend upon static routes.
>
> Routing protocols learn about routes.
> Routes change, so the routing table changes.
Is there any real difference, however, between letting the FW host run a
routing protocol and having the FW host depend on a router running a routing
protocol? What advantage is there to the latter, assuming that some sort of
routing is required to handle a multi-ISP environment?

-Bill

From owner-firewalls-outgoing Mon May 12 11:40:42 1997
From: Adam Safier
Date: Mon, 12 May 1997 12:19:29
To: Firewalls@GreatCircle.COM
Cc: firewalls-digest@GreatCircle.COM
Subject: Re: Firewalls-Digest V6 #211
In-Reply-To: <199705120828.BAA17837@honor.greatcircle.com>
Message-Id: <3.0.1.16.19970512121929.1b9f1646@pop.erols.com>

Adam (Shostack),

Can you clarify your reply/reasoning? Seems to me that as a rule of thumb you
would encrypt at the application level with business partners while at the
link level with your own company's satellite offices. That seems the opposite
of what you suggested.

I believe that FW - FW or link encryption is useful if you trust the entire
network at either end of the encrypted link. i.e. you have a satellite office
for your company with very solid physical security (rare ): and those systems
have full access to your internal system.
For a supplier or business partner you want application level security - they
can only run certain applications and do only selected things within the
applications. By encrypting their entire App-to-App link it makes it harder
for the "business partner" to issue illegal network/system commands on systems
and service ports on which they are not welcome. Of course, you still need to
limit their, and everyone else's, traffic from reaching your other (private)
systems (you need a firewall anyway). Now you don't have to worry about the
partner's security as much - if their site is cracked the attacker can only
mess up their, but no one else's, data on your system. And of course you have
backups and disaster recovery procedures....:)

You should also be careful about definition of application level
encryption/security. Kerberos is an application level authentication/encryption
system. But once a client has access to your Kerberos domain he can connect to
any Kerberized application. If someone has access to a single Kerberized
application they can run all Kerberized apps on your system - your firewall is
needed to restrict the client to selected hosts and service ports. Apps that
don't stick to a well defined port are a real pain. (DCE security is supposed
to have a service authentication mechanism in addition to the basic secure RPC
and Kerberos mechanisms.)

You're certainly right that it all depends on what you're trying to accomplish!

Adam (Safier)

>Date: Sun, 11 May 1997 22:45:10 -0400 (EDT)
>From: Adam Shostack
>Subject: Re: Encryption export approvals
>
>Aaron Everingham wrote:
>
>| Where is the best place to run encryption for a VPN? Is it on the firewall
>| or behind? What about SSL? Will it still operate within an encrypted tunnel?
>
>        It depends what you're trying to accomplish.
>
>        If you're looking to extend a trust domain across the internet
>(say, two offices of a company in separate cities), then running from
>host to host is probably a good thing, for maximum authenticity.
>
>        If you're running a VPN with a supplier to avoid application
>level encryption for each app that passes your firewall, it would seem
>to make sense to run FW to FW.
>
>        In general, I think of VPNs as network extension tools, to
>allow the multiple office scenario. I look for application layer
>security for supplier networks, (although that's often tough), because
>suppliers are not "trustworthy" in the sense that I want application
>security to ensure they are doing only and exactly what they are
>supposed to be doing.
>
>Adam
>
>
>- --
>"It is seldom that liberty of any kind is lost all at once."
>                                        -Hume
>
>------------------------------

-----------
Adam Safier                    asafier@csc.com    http://www.csc.com
Computer Scientist             (301) 794-1349     (301) 552-3272 (fax)
CSC-SED, INFOSEC, Network Security Dept.
Technology Abuse: 1) Netscape Frames on a 14" screen.
                  2) Netscape 3.0 on a 386-33 w/ 8 Meg RAM.
The above are my own opinions. I'm proud to live in a country where I'm free
to express them!
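The ICMP echo-reply flood discussed earlier in this digest (Todd Graham Lewis's replies on "Attack via ICMP Echo Reply?") is easiest to spot by checking whether each incoming reply matches a request this host actually sent: a reply with no outstanding request, or a burst of such replies from several sources, is the "gratuitous replies" symptom he describes. The detector below is an added example, not code from any of the posters; it assumes a constructed one-packet-per-line log format (not any real tool's output), a local address of 10.0.0.5, and sample traffic built inline.

```python
"""Flag unsolicited ICMP echo replies in a constructed packet log.

Added example for the ICMP echo-reply flood thread; not from the list.
Log format (constructed, not a real tool's output), one packet per line:
    <seconds> <src> > <dst> icmp <echo-request|echo-reply> id=<id> seq=<seq>
"""
import re
from collections import deque

OUR_HOST = "10.0.0.5"  # assumed local address being monitored

# Constructed legitimate traffic: two pings we sent and their replies.
# The reply at 107.000 arrives 6.5 s after its request, so under a 5 s
# timeout it is "stale" rather than a normal solicited reply.
LEGIT_LOG = """\
100.000 10.0.0.5 > 192.0.2.10 icmp echo-request id=1 seq=1
100.020 192.0.2.10 > 10.0.0.5 icmp echo-reply id=1 seq=1
100.500 10.0.0.5 > 192.0.2.11 icmp echo-request id=1 seq=2
107.000 192.0.2.11 > 10.0.0.5 icmp echo-reply id=1 seq=2
"""

# Constructed burst: 12 replies in 0.3 s from four sources, none matching
# any request we sent (the pattern of forged or reflected echo replies).
BURST_LOG = "\n".join(
    f"{102.0 + i * 0.025:.3f} 203.0.113.{1 + i % 4} > 10.0.0.5 "
    f"icmp echo-reply id=9 seq={i}"
    for i in range(12)
)

SAMPLE_LOG = LEGIT_LOG + BURST_LOG + "\n"

LINE_RE = re.compile(
    r"^(?P<t>\d+\.\d+) (?P<src>\S+) > (?P<dst>\S+) icmp "
    r"(?P<kind>echo-request|echo-reply) id=(?P<id>\d+) seq=(?P<seq>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for unparseable input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"t": float(d["t"]), "src": d["src"], "dst": d["dst"],
            "kind": d["kind"], "id": int(d["id"]), "seq": int(d["seq"])}


def classify_replies(log_text, our_host=OUR_HOST, timeout=5.0):
    """Label each echo reply to our_host as solicited, stale or unsolicited.

    A reply is solicited only if we sent a request to that peer with the same
    ICMP id/seq within `timeout` seconds; each request is consumed once.
    """
    outstanding = {}  # (peer, id, seq) -> time the request left our_host
    events = []
    for line in log_text.splitlines():
        p = parse_line(line)
        if p is None:
            continue
        if p["kind"] == "echo-request" and p["src"] == our_host:
            outstanding[(p["dst"], p["id"], p["seq"])] = p["t"]
        elif p["kind"] == "echo-reply" and p["dst"] == our_host:
            sent = outstanding.pop((p["src"], p["id"], p["seq"]), None)
            if sent is None:
                label = "unsolicited"
            elif p["t"] - sent > timeout:
                label = "stale"
            else:
                label = "solicited"
            events.append((p["t"], p["src"], label))
    return events


def flood_alerts(events, window=1.0, threshold=10):
    """Sliding-window count of unsolicited replies; one alert per crossing."""
    recent = deque()
    alerts = []
    armed = True  # re-arm only after the rate drops below threshold
    for t, src, label in events:
        if label != "unsolicited":
            continue
        recent.append((t, src))
        while recent and t - recent[0][0] > window:
            recent.popleft()
        if len(recent) >= threshold and armed:
            alerts.append({"t": t, "count": len(recent),
                           "sources": sorted({s for _, s in recent})})
            armed = False
        elif len(recent) < threshold:
            armed = True
    return alerts


def summarize(log_text, our_host=OUR_HOST):
    """Count reply classes and report flood alerts for a whole log."""
    events = classify_replies(log_text, our_host)
    counts = {"solicited": 0, "stale": 0, "unsolicited": 0}
    for _, _, label in events:
        counts[label] += 1
    return {"counts": counts, "alerts": flood_alerts(events)}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A single alert listing several distinct sources for one burst is the reflected-reply case from the thread, where requests were forged in this host's name to other machines; the source list then names the reflectors, not the originator.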
From owner-firewalls-outgoing Mon May 12 12:24:29 1997
From: Ravi Kalakota
Date: Mon, 12 May 1997 14:38:03 -0500
To: firewalls@GreatCircle.COM
Cc: kalakota@uhura.cc.rochester.edu
Subject: Electronic Commerce and Firewalls - Bottleneck Analysis
Message-Id: <3.0.32.19970512143802.00965100@uhura.cc.rochester.edu>

From discussions at various large firms attempting to conduct commerce over
the Internet, it was quite clear that most of them are beginning to face the
resource bottleneck problem especially at the firewall and CGI access to
databases. One obviously frustrated manager commented that in his company
"bottlenecks are all over the network! The worst culprit is the firewall. We
are afraid to mess with it!"

In the e-commerce day-to-day operations management, increasing attention is
being given to the need to manage online resource bottlenecks. Why? According
to the theory of constraints (from Operations Research), overall system
capacity is delimited by bottlenecks, and optimal capacity utilization depends
upon alleviating these barriers to increased production or throughput.

In our group, we are currently doing analytical modeling of the bottleneck
problem in Internet commerce and its implications on capacity deployment.
Before going further, we would like to know if there are any other groups
involved in bottleneck analysis research or if there are papers we should be
referencing. If anyone on this mailing list has any suggestions we would be
most obliged.

Thanks in advance,
-- Ravi

___________________________________________________________________
Ravi Kalakota                                  POTS: (716) 275-3102
Xerox Assistant Professor of Information Systems   Fax: (716) 273-1140
Simon School--University of Rochester
Rochester, New York 14627
e-mail: kalakota@uhura.cc.rochester.edu
Author of: Frontiers of Electronic Commerce (Addison-Wesley)
           Electronic Commerce: A Manager's Guide (Addison-Wesley)
http://commerce.ssb.rochester.edu/
_____________________________________________________________

From owner-firewalls-outgoing Mon May 12 12:52:39 1997
From: Information Security
Date: Mon, 12 May 1997 14:53:33 -0400 (EDT)
To: firewalls@greatcircle.com
Subject: Re: Encryption Outside US
Message-Id: <199705121853.OAA25868@panix2.panix.com>

> From avolio@tis.com Mon May 12 08:30:27 1997
>
> At 10:21 PM 5/8/97 -0400, Information Security wrote:
> >Key recovery means the information necessary to decrypt
> >the message is built into the message.
> >
> >The message is cleartext to the government.
>
> You are exaggerating of course.

Nope.

In case it was buried too deep in the posting: Covert Action Quarterly, #59:

* In October 1996, after being endorsed by CIA director John Deutch,
* this method of maintaining the government's ability to spy on
* encrypted communications REPLACED KEY ESCROW as the favored
* technology. KEY RECOVERY works by locating information that is
* woven into the header of each message. This mechanism allows
* a recovery 'agent' to extract or reconstruct the message's key
* and decrypt its contents.
*
* Key recovery may have been the basis for NSA's most successful
* post-Cold War project for deciphering coded messages. Since the
* 1940's, the NSA reportedly rigged encryption systems sold by the
* Swiss firm Crypto A.G. so that the agency retained the ability
* to break the codes of anyone using the machines.
*
* Thus, Fort Meade was able to listen in on the coded military and
* diplomatic traffic of the more than 130 countries that were Crypto
* A.G. customers.

> >Why use encryption with built-in crackability?
> >
> >A company would be totally foolish to use the compromised crypto.
>
> Michael Zboray (an industry analyst at Gartner Group) has been quoted as
> saying: "The use of a key recovery system is a mandatory business practice
> for the deployment of widespread deployment of public key encryption.
> The risk of data loss through the loss of private keys can be as damaging
> as the loss due to malicious attack."
>
> I agree with him, as do many large corporations. They reason: 1) crypto is
> mandatory for privacy in business transactions and 2) the ability of the
> organization to recover the key used to encrypt a file is mandatory for
> business health.

As someone else pointed out, that is a red herring regarding outbound traffic.
The message is encrypted in the receiver's public key: there is no way for you
to decrypt it anyway.

As far as internally goes: back up the private keys, do not use compromised
crypto.

As for internal personnel encrypting files you "need back" if they become
disgruntled: no way around that, since they could always use uncompromised
crypto to encrypt the file. Or they could simply delete it.

Good backups are among the top three most important security tools.

---

This is all pertinent to firewall security: the politics of encryption are
having a big negative effect on U.S. businesses.

And if you don't think these compromised key recovery systems are cleartext to
the government: here is a blurb showing just how deeply they've had their
hooks in us for decades.

Think.
---guy

> Subject: Re: Threaten U.S. Domestic ECHELON
> Newsgroups: alt.cypherpunks,talk.politics.crypto,comp.org.eff.talk

This is a heavily annotated book. Massive domestic spying by the NSA.
Including our phone calls.

* "The Secret War Against the Jews"
* Authors: John Loftus and Mark Aarons
* ISBN 0-312-11057-X, 1994
*
* According to several of the "old spies" who worked in Communications
* Intelligence, the NSA headquarters is also the chief British espionage
* base in the United States. The presence of British wiretappers at the
* keyboards of American eavesdropping computers is a closely guarded
* secret, one that very few people in the intelligence community have
* been aware of, but it is true.
*
* An American historian, David Kahn, first stumbled onto a corner of
* the British connection in 1966, while writing his book The Codebreakers.
*
* One indication of just how sensitive this information is considered on
* both sides of the Atlantic is the fact that Kahn's publishers in New
* York and London were put under enormous pressure to censor a great deal
* of the book. In the main, Kahn simply revealed the existence of the
* liaison relationship, but when he wrote that the NSA and its British
* equivalent, the Government Communications Headquarters, "exchange
* personnel on a temporary basis", he had come too close to revealing
* the truth.
*
* The U.S. government told Kahn to hide the existence of British
* electronic spies from the American public. Kahn eventually agreed
* to delete a few of the most sensitive paragraphs describing the
* exchange of codes, techniques, and personnel with the British
* government.
*
* His innocuous few sentences threatened to disclose a larger truth.
*
* By the 1960s the "temporary" British personnel at Fort Meade had
* become a permanent fixture. The British enjoyed continued access
* to the greatest listening post in the world.
*
* The NSA is a giant vacuum cleaner. It sucks in every form of
* electronic communication, from telephone calls to telegrams,
* across the United States. The presence of British personnel
* is essential for the American wiretappers to claim plausible
* deniability.
*
* Here is how the game is played. The British liaison officer at
* Fort Meade types the target list of "suspects" into the American
* computer. The NSA sorts through its wiretaps and gives the
* British officer the recording of any American citizen he wants.
*
* Since it is technically a *British* target of surveillance, no
* *American* search warrant is necessary. The British officer then
* simply hands the results over to his American liaison officer.
*
* Of course, the Americans provide the same service to the British
* in return. All international and domestic telephone calls in Great
* Britain are run through the NSA's station in the British Government
* Communications Headquarters (GCHQ) at Menwith Hill, which allows
* the American liaison officer to spy on any British citizen without
* a warrant.
*
* According to our sources, this duplicitous, reciprocal arrangement
* disguises the most massive, and illegal, domestic espionage apparatus
* in the world. Not even the Soviets could touch the U.K.-U.S. intercept
* technology.
*
* Through this charade, the intelligence services of each country can
* claim they are not targeting their own citizens. This targeting is
* done by an authorized foreign agent, the intelligence liaison
* resident in Britain or the United States.
*
* Thus, in 1977, during an investigation by the House Government
* Operations Committee, Admiral Inman could claim, with a straight face,
* that "there are no U.S. Citizens now targeted by the NSA in the United
* States or abroad, none."
*
* Since the targeting was done not by NSA but by employees of British
* GCHQ, he was literally telling the truth.

Those of you who supported any version of the FBI/NSA Digital Telephony Act
sold us down the river, making use of this technology legal domestically for
the first time.

Next thing ya know, the FBI will claim that wasn't so bad, let's do MORE,
because of all the crime it can [and will] catch.

Want a glimpse of how much crime it will catch, via extrapolation of my own
experiences monitoring email at Wall Street companies? Ask me for an email
copy of the tale, which is in the form of a complaint against Salomon
Brothers. Use subject line 'Requesting email monitoring tale'. And those were
people told again and again Internet email was being monitored.

Do you want to live in a real live Big Brother world? Do you want to become a
Singapore?

This technology is serious business.

Question: How can the FBI use computers to monitor thousands of phone calls
simultaneously, as they said they would do with the bill, when we Americans
speak so many different accents?

Answer: Twenty years of fine tuning, y'all.
---guy

From owner-firewalls-outgoing Mon May 12 13:14:16 1997
From: Todd Graham Lewis
Date: Mon, 12 May 1997 15:48:52 -0400 (EDT)
To: Adam Safier
cc: Firewalls Mailing List
Subject: Re: Firewalls-Digest V6 #211
In-Reply-To: <3.0.1.16.19970512121929.1b9f1646@pop.erols.com>

On Mon, 12 May 1997, Adam Safier wrote:

> You should also be careful about definition of application level
> encryption/security. Kerberos is an application level
> authentication/encryption system. But once a client has access to your
> Kerberos domain he can connect to any Kerberized application. If someone
> has access to a single Kerberized application they can run all Kerberized
> apps on your system - your firewall is needed to restrict the client to
> selected hosts and service ports.

This is, per se, untrue. While many kerberized apps unfortunately enforce no
authorization mechanism (as opposed to authentication), many, including krsh
and ssh, do. There's nothing stopping kerberized apps from enforcing any sort
of authorization mechanism they choose above and beyond kerberos' mere
authentication.
To say that "once a client has access to your Kerberos domain he can connect
to any Kerberized application" is misleading in this respect.

__
Todd Graham Lewis    MindSpring Enterprises    tlewis@mindspring.com

From owner-firewalls-outgoing Mon May 12 15:29:33 1997
From: Brent Reid
Date: Mon, 12 May 1997 16:19:29 -0500
To: "'firewalls@GreatCircle.COM'"
Subject: Eagle Raptor and MS Exchange
Message-ID: <01BC5EF0.48DAEBC0@breid>

To all experts:

We are about to order Raptor's Eagle for our firewall. We have Exchange 5.0
running our internal e-mail. We plan to use Exchange 5.0 for our Internet mail
when our T-1 is installed at the end of the month. Does Eagle allow Exchange
to pick up mail from the Internet while still providing internal e-mail as
well?

Will Eagle allow access to a CITRIX Winframe Box?

Thanks for any feedback,
Brent

From owner-firewalls-outgoing Mon May 12 16:08:55 1997
From: Bob Warren - Computing Works
Date: Mon, 12 May 1997 17:59:38 -0400
To: Firewalls@GreatCircle.COM, firewalls-digest@GreatCircle.COM
Subject: Re: Firewalls-Digest V6 #212
Message-Id: <199705122159.RAA27257@mercury.interpath.com>

From owner-firewalls-outgoing Mon May 12 16:09:00 1997
From: Pavel Galynin
Date: Sun, 11 May 1997 11:32:29 +0200
To: firewalls@greatcircle.com
Subject: Do we need a firewall:school net
Message-ID: <3375922D.2D03@chipnet.cz>

Hello,

Our network of Macs and PPCs is getting connected to the internet. I will be
allowed to install Linux on one machine.
We are going to run a WWW server (Apache), News server and sendmail (probably some more), maybe irc. The question is: Do we need a firewall to protect those Macs (most of them will be protected by At Ease) and if we do, is it feasible to run a modest self-made ipwfdm firewall on a machine with so many services?

Paul

From owner-firewalls-outgoing Mon May 12 16:59:30 1997
From: Adam Shostack
To: safier@erols.com (Adam Safier)
Cc: Firewalls@GreatCircle.COM, firewalls-digest@GreatCircle.COM
Subject: Re: Firewalls-Digest V6 #211
Date: Mon, 12 May 1997 17:56:12 -0400 (EDT)
In-Reply-To: <3.0.1.16.19970512121929.1b9f1646@pop.erols.com> from Adam Safier at "May 12, 97 12:19:29 pm"
Message-Id: <199705122156.RAA16672@homeport.org>

Adam Safier wrote:
| Adam (Shostack),
|
| Can you clarify your reply/reasoning? Seems to me that as a rule of thumb
| you would encrypt at the application level with business partners while at
| the link level with your own company's satellite offices. That seems the
| opposite of what you suggested.

It's unlikely that your business partner and you agree on the tools to use, or that they offer any real application layer security. (SSL is network layer encryption in my book.)

Within your company, it may be useful to have machine to machine connections encrypted, for example, between mail servers, so that mail travels encrypted between mail hosts, not between firewalls. That's not to say it's not useful to also do something at the firewall-firewall level between your offices, only that you may well want, and be able to implement, more.

| I believe that FW - FW or link encryption is useful if you trust the
| entire network at either end of the encrypted link. i.e. you have a
| satellite office for your company with very solid physical security (rare ):
| and those systems have full access to your internal system.

Yes, but why not encrypt to the end point?

| For a supplier or business partner you want application level security -
| they can only run certain applications and do only selected things within
| the applications. By encrypting their entire App-to-App link it makes it
| harder for the "business partner" to issue illegal network/system commands
| on systems and service ports on which they are not welcome. Of course, you
| still need to limit their, and everyone else's, traffic from reaching your
| other (private) systems (you need a firewall anyway). Now you don't have
| to worry about the partner's security as much - if their site is cracked the
| attacker can only mess up their, but no one else's, data on your system. And
| of course you have backups and disaster recovery procedures....:)

Replace "encrypting" with "authenticating" (or authorization) in the above.

You need firewalling technology like application gateways more than you need encryption.

No, that's not it--the firewalling technology such as application gateways is harder to achieve than a VPN. The network level encryption is easy, and gets you a fair bit.

As I think about it, I was drawn into answering the wrong question. It's not VPN or host to host, it's which applications require what cryptographic services?

Adam (S) :)

| You should also be careful about definition of application level
| encryption/security. Kerberos is an application level
| authentication/encryption system. But once a client has access to your
| Kerberos domain he can connect to any Kerberized application. If someone
| has access to a single Kerberized application they can run all Kerberized
| apps on your system - your firewall is needed to restrict the client to
| selected hosts and service ports. Apps that don't stick to a well defined
| port are a real pain. (DCE security is supposed to have a service
| authentication mechanism addition to the basic secure RPC and Kerberos
| mechanisms.)
| You're certainly right that it all depends on what you're trying to
| accomplish!
|
| Adam (Safier)
| Adam
| >Date: Sun, 11 May 1997 22:45:10 -0400 (EDT)
| >From: Adam Shostack
| >Subject: Re: Encryption export approvals
| >
| >Aaron Everingham wrote:
| >
| >| Where is the best place to run encryption for a VPN? Is it on the firewall
| >| or behind? What about SSL? Will it still operate within an encrypted
| tunnel?
| >
| > It depends what you're trying to accomplish.
| >
| > If you're looking to extend a trust domain across the internet
| >(say, two offices of a company in separate cities), then running from
| >host to host is probably a good thing, for maximum authenticity.
| >
| > If you're running a VPN with a supplier to avoid application
| >level encryption for each app that passes your firewall, it would seem
| >to make sense to run FW to FW.
| >
| > In general, I think of VPNs as network extension tools, to
| >allow the multiple office scenario. I look for application layer
| >security for supplier networks, (although that's often tough), because
| >suppliers are not "trustworthy" in the sense that I want application
| >security to ensure they are doing only and exactly what they are
| >supposed to be doing.
| >
| >Adam
| >
| >
| >- --
| >"It is seldom that liberty of any kind is lost all at once."
| > -Hume
| >
| >------------------------------
|
|
| -----------
| Adam Safier asafier@csc.com http://www.csc.com
| Computer Scientist (301) 794-1349 (301) 552-3272 (fax)
| CSC-SED, INFOSEC, Network Security Dept.
|
| Technology Abuse: 1) Netscape Frames on a 14" screen.
| 2) Netscape 3.0 on a 386-33 w/ 8 Meg RAM.
|
| The above are my own opinions.
| I'm proud to live in a country where I'm free to express them!
|

--
"It is seldom that liberty of any kind is lost all at once."
-Hume

From owner-firewalls-outgoing Tue May 13 00:31:08 1997
From: Joseph Judge
To: "'Matthew Archibald'"
Cc: "'Firewalls Mailing List'"
Subject: RE: ? SSL proxies and smapd
Date: Mon, 12 May 1997 23:26:44 -0400
Message-ID: <01BC5F2B.F54B0C60@zandar.judge.org>

I've not seen anyone muck with smap except to correct how it handles "bad addresses" (to make it more correct and to stop throwing away some OK addressing).

Why would you want the ability of a NS client to SSL "in" to a company mail transport?
(as opposed to just hitting the local mail transport where you are ... the ISP's, etc)

- joe

----------
From: Matthew Archibald[SMTP:matt@plato.West.Sun.COM]
Sent: Monday, May 12, 1997 12:18 PM
To: firewalls@GreatCircle.COM
Subject: ? SSL proxies and smapd

Greetings all,

Any chance someone has a proxy for smapd or sendmail which would enable me to ssl a session from a client inbound to a proxy host using netscape mail?

Thanks,
Matt

From owner-firewalls-outgoing Tue May 13 00:32:11 1997
From: Domenico Viggiani
Organization: CAP GEMINI SpA
To: firewalls@greatcircle.com
Subject: SQL*net & SNMP
Date: Tue, 13 May 1997 09:23:18 +0200
Message-ID: <337816E6.5B47@gst.cgs.it>

In order to fulfill the requirements of a project, I need a firewall product having a SQL*net proxy and the capability to send SNMP alerts in response to selectable events.

Actually, the only products having a SQL*net proxy are:
- Checkpoint Firewall 1
- Altavista Firewall 97
- Gauntlet TIS Firewall
but none of these claims to send SNMP alerts.
Only IBM Firewall has this, but it doesn't have a SQL*net proxy.

Is this survey exact?

Thanks.
Mimmo
--
Domenico Viggiani Internet Systems Engineer
CAP GEMINI ITALY SpA E-mail: dviggian@gst.cgs.it
Via dei Berio, 91 - 00155 Roma Phone: +39 6 23190 509

From owner-firewalls-outgoing Tue May 13 01:08:26 1997
From: Doug Greenwald
To: Pavel Galynin
cc: firewalls@GreatCircle.COM
Subject: Re: Do we need a firewall:school net
Date: Mon, 12 May 1997 23:22:28 -0400 (EDT)
In-Reply-To: <3375922D.2D03@chipnet.cz>

On Sun, 11 May 1997, Pavel Galynin wrote:
> Hello,
>
> Our network of Macs and PPCs is getting connected to the internet. I
> will be allowed to install Linux on one machine. We are going to run a
> WWW server (Apache), News server and sendmail (probably some more),
> maybe irc. The question is:
> Do we need a firewall to protect those macs (most of them will be
> protected by At Ease) and if we do, is it feasible to run a modest
> self-made ipwfdm firewall on a machine with so many services?

Depends on what you're running on the Macs. If the services you're trying to protect are all AppleTalk based, then by not routing AppleTalk at your connection point, they'll be protected by default.

If you want to discuss this further off-line, let me know (we've got 50 Macs here).

doug.

Doug Greenwald DougGreenwald@oai.org
Internet Information Systems Manager (216) 962 3145
Ohio Aerospace Institute ICOMP - NASA Lewis Research Center
http://www.oai.org/ http://www.lerc.nasa.gov/

From owner-firewalls-outgoing Tue May 13 01:16:25 1997
From: Maurizio-Cinotti
Organization: DIIP
To: "Firewalls (mailinglist)"
Subject: PPTP through a Cisco PIX Firewall
Date: Tue, 13 May 1997 09:28:35 +0200
Message-ID: <33781823.41C6@indigo.iet.unipi.it>

Greetings all,

I am curious to know whether any network administrator has tested point-to-point tunneling protocol through a Cisco PIX Firewall.

Any response and/or hint is appreciated...

--------------
Dr. Maurizio Cinotti
Dipartimento Ingegneria dell'Informazione
University of PISA - ITALY
mau@indigo.iet.unipi.it
--------------

From owner-firewalls-outgoing Tue May 13 01:19:47 1997
From: "Chartas C. "
To: firewalls@GreatCircle.COM
Subject: Re: Electronic Commerce and Firewalls
Date: Tue, 13 May 1997 12:42:20 +1000
Message-id: <01IITL363NOYHT4GDJ@vmsuser.acsu.unsw.EDU.AU>

Hi to all,

Is there a good site on Electronic Commerce and the issues facing the Company that plans to do business over the net?

Constantinos C.

| From discussions at various large firms attempting to conduct commerce
| over the Internet, it was quite clear that most of them are beginning to
| face the resource bottleneck problem especially at the firewall and CGI
| access to databases.
|
|
| One obviously frustrated manager commented that in his company
| "bottlenecks are all over the
|
| network! The worst culprit is the firewall. We are afraid to mess with
| it!"
|
|
| In the e-commerce day-to-day operations management, increasing attention
| is being given to the need to manage online resource bottlenecks. Why?
| According to the theory of constraints (from Operations Research),
| overall system capacity is delimited by bottlenecks, and optimal capacity
| utilization depends upon alleviating these barriers to increased
| production or throughput.
|
|
| In our group, we are currently doing analytical modeling of the
| bottleneck problem in Internet commerce and its implications on capacity
| deployment. Before going further, we would like to know if there are any
| other groups involved in bottleneck analysis research or if there are
| papers we should be referencing. If any one on this mailing list has any
| suggestions we would be most obliged.
|
|
| Thanks in advance,
|
|
| -- Ravi
|
| ___________________________________________________________________
| Ravi Kalakota POTS: (716) 275-3102 Fax: (716)273-1140
| Xerox Assistant Professor of Information Systems
| Simon School--University of Rochester
| Rochester, New York 14627 e-mail: kalakota@uhura.cc.rochester.edu
|
| Author of: Frontiers of Electronic Commerce (Addison-Wesley)
| Electronic Commerce: A Manager's Guide (Addison-Wesley)
| http://commerce.ssb.rochester.edu/
| _____________________________________________________________
|

From owner-firewalls-outgoing Tue May 13 01:28:00 1997
From: "Marcus J. Ranum"
Organization: Network Flight Recorder, Inc.
To: Firewalls@GreatCircle.COM
Subject: Re: Encryption Outside US
Date: Mon, 12 May 1997 22:38:22 +0000
Reply-to: mjr@clark.net
In-reply-to: <199705121953.MAA07486@honor.greatcircle.com>
Message-Id: <199705130239.WAA16855@mail.clark.net>

Fred Avolio writes:
> Michael Zboray (an industry analyst at Gartner Group) has been quoted as
> saying: "The use of a key recovery system is a mandatory business practice

I have to disagree rather strongly with some of the wording of Zboray's comment. Namely, the use of "mandatory." In the present technopolitical environment, it is the US Government's policy to promote exactly that: *MANDATORY* key recovery. Had Zboray said "desirable" or even "good practice" or "common sense" I think he'd maybe be right. However, the Government's policy is to, effectively, remove that *CHOICE* from businesses and individuals. If we were talking business desirability then it'd be an option in the software. What we're really talking about is Government spooks and their shills foisting a software version of Clipper onto the public and mandating (that word again) that encryption software must *ALWAYS* include key "recovery." "Mandatory" is precisely the right word to use. :-P

Never mind that the concept is fundamentally unAmerican, it's fundamentally braindamaged as well. All that the mandatory key "recovery" efforts will do is hamper US business' software sales efforts, or promote an increase of offshore software development. Countries that do not have mandatory key "recovery" systems will be able to sell their customers the *CHOICE* for the same price, and US business will lose.

> I agree with him, as do many large corporations. They reason: 1) crypto is
> mandatory for privacy in business transactions and 2) the ability of the
> organization to recover the key used to encrypt a file is mandatory for
> business health.

Then it should be an *OPTION* in the software, not a *MANDATORY* feature built in by spooks and their shills as a way of carrying out Government's intelligence policies by other means.

Clipper stunk. It still stinks. TIS' CEO was one of the outstanding opponents to Clipper. Now TIS is selling Clipper in software. I guess now that you're selling it, and hold key patents on it, it's a "feature." Guess what? It still stinks no matter how much money you get for it.

mjr.
-----
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
Personal Work

From owner-firewalls-outgoing Tue May 13 01:29:14 1997
From: Doug Wellington
To: Pavel Galynin
Cc: firewalls@greatcircle.com, wellington@gci-net.com
Subject: Re: Do we need a firewall:school net
Date: Mon, 12 May 1997 21:49:06 -0700
Message-Id: <1.5.4.16.19970512214303.2a4791f6@gci-net.com>

Hi Paul,

>Our network of Macs and PPCs is getting connected to the internet. I
>will be allowed to install Linux on one machine. We are going to run a
>WWW server (Apache), News server and sendmail (probably some more),
>maybe irc. The question is:
>Do we need a firewall to protect those macs (most of them will be
>protected by At Ease) and if we do, is it feasible to run a modest
>self-made ipwfdm firewall on a machine with so many services?

Well, my first thought is no, but that depends upon what you want to restrict. How are you going to be connected to the Internet? Check to see if whatever is connecting you to the Internet will let AppleTalk pass through. I don't think you would want that...

The other question I would have is, are you trying to block incoming access to the Macs, or do you want to prevent your Mac users from accessing the outside? Macs, by their nature, are single user computers. Unless you leave a copy of NCSA telnet running with FTP enabled (or a similar ftp server) or if you are allowing AppleTalk to the rest of the Internet, there really isn't much that someone can do to get "logged in" to the Macs.

The Linux box, however, is by its nature a multiuser computer. That will make it a possible target for hackers. You can make the Linux box relatively secure by using TCP-Wrappers for denying any access to telnet, ftp, etc. from outside of your local net. If you are worried about Mac users doing the hacking, I'd suggest disabling inetd completely on the Linux box so that you have to login at the console. Also, make sure that you keep up with the latest sendmail, apache and netnews patches as well as Linux patches. If you are going to let the Macs access the Linux box via pop to retrieve mail, I'd suggest using Qpopper and installing the HDS patches so that there are no actual login accounts. (Qpopper is at ftp.qualcomm.com. I don't remember where the HDS patches are but I think HDS is Hitachi Data Systems or something to that effect...)

Now, the other reason to use a firewall is to prevent "denial of service" attacks. That is, it may be possible that someone will want to try a syn flood or a ping flood against any one of the computers. Some kind of filtering firewall/bridge may be able to help. In the academic world, I really like Drawbridge, which is a free PC-based filtering bridge from Texas A&M. Check it out at: ftp://net.tamu.edu/pub/security/TAMU.

Don't forget to check your logs! Make sure to reconcile TCP-Wrapper logs against the lastlog... If you can't make a complete correlation, that should send up some warning flags.

Take responsibility for learning and protecting your computers yourself. Remember the old adage of if you want it done right, do it yourself!

-Doug
wellington@gci-net.com
http://www.gci-net.com/~users/w/wellington

From owner-firewalls-outgoing Tue May 13 01:58:32 1997
From: Craig Brozefsky
To: Domenico Viggiani
cc: firewalls@GreatCircle.COM
Subject: Re: SQL*net & SNMP
Date: Tue, 13 May 1997 03:48:07 -0500
In-Reply-To: <337816E6.5B47@gst.cgs.it>

On Tue, 13 May 1997, Domenico Viggiani wrote:

That's what the CMU SNMP library is for.

Seriously, if you do not need anything of extreme complexity, I recommend filtering your logfiles and triggering SNMP traps. Such filtering would be easy with Perl or Tcl.

> In order to fulfill the requirements of a project, I need a firewall
> product having a SQL*net proxy and the capability to send SNMP alerts in
> response to selectable events.
>
> Actually, only products having a SQL*net proxy are:
> - Checkpoint Firewall 1
> - Altavista Firewall 97
> - Gauntlet TIS Firewall
> but none of this claims to send SNMP alerts.
> Only IBM Firewall has this but it haven't SQL*net proxy.
>
> Is this survey exact?
>
> Thanks.
> Mimmo
> --
>
> Domenico Viggiani Internet Systems Engineer
> CAP GEMINI ITALY SpA E-mail: dviggian@gst.cgs.it
> Via dei Berio, 91 - 00155 Roma Phone: +39 6 23190 509
>

Craig Brozefsky craig@onshore.com
onShore Inc. http://www.onshore.com/~craig
Development Team p_priority=PFUN+(p_work/4)+(2*p_cash)

From owner-firewalls-outgoing Tue May 13 02:42:23 1997
From: Dave Roberts
To: Firewalls Mailing List
Subject: Re: lmiting outbound ports on Gauntlet
Date: Tue, 13 May 1997 10:37:02 +0100 (BST)
In-Reply-To: <33771829.819292@copley.fi.mckinsey.com>
On Mon, 12 May 1997, Larry Claman wrote:
> I see this limitation as a huge hole in how my security policy is implemented. I'd be interested in
> hearing what other Gauntlet and toolkit users think about this problem, and how they are dealing

I see your point, but there are ways to help you around this. Your external router could block packets to other ports apart from the ones you want (like http, ftp, telnet etc.). Although this obviously doesn't stop someone connecting to a webserver and trying to break it by hand.

The other option is to add authentication to outbound telnet. That gives you accountability. The logs would tell you who connected to where, what and when.

- Dave.

From owner-firewalls-outgoing Tue May 13 03:58:00 1997
From: jjjb@neumann.teleco.ulpgc.es
To: firewalls@greatcircle.com
Subject: Manuals for TIS TOOLKIT
Date: Tue, 13 May 1997 11:34:13 +0000
Message-ID: <1B6E371C63@neumann.teleco.ulpgc.es>

I'm doing a project on network security and I am trying to implement a firewall. I need information about setting up the TIS firewall toolkit and its configuration. I'd like to obtain information about SSL and authentication; if somebody can help me, please send me a message.

Thanks a lot.

|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|..Juan Jose Jover Barbero............jjjb@neumann.teleco.ulpgc.es
|..Student of Technical Telecommunications Engineering, Telematics specialization
|..Las Palmas de Gran Canaria...(CANARY ISLANDS-SPAIN)....TEL:928-452929
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-EVERY FAILURE TEACHES SOMETHING THAT MAN SHOULD LEARN.

From owner-firewalls-outgoing Tue May 13 04:12:51 1997
From: Dave Roberts
To: Firewalls Mailing List
Subject: Re: ActiveX and Java Filtering
Date: Tue, 13 May 1997 10:23:19 +0100 (BST)

On Mon, 12 May 1997, Todd Graham Lewis wrote:
> On Mon, 12 May 1997, Irwin Lazar wrote:
>
> > I am curious to see how organizations are handling the threat of rogue Java
> > or ActiveX code being accessed by their end-users.
>
> They're ignoring it. (Try convincing a marketing type that IE can be
> dangerous.)

Whilst I agree that it's difficult to explain to people that Java and ActiveX are dangerous, it can be done. Although the majority of exploits that have been posted have been fixed, it does show that there have been problems, and that there may be more. I seem to have convinced my management that letting this stuff through is a bad idea. For the moment - I'm winning, but not for long.

> > or do major firewall vendors incorporate some sort of checking of code
> > before it is allowed to pass, possibly to see if it is electronically
> > signed?
>
> Not to my knowledge.

Gauntlet has the ability to block out Java, JavaScript, ActiveX, and VBScript. They are building in the Authenticode stuff from Microsoft, to give the ability to allow only signed objects/applets through. As pointed out by someone else, this obviously doesn't provide assurances of the safety of the code, but it is supposed to give accountability for it. I see more management types going down this road, and selecting a number of (possibly all) signed and verified objects.

- Dave.
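Doug Wellington's advice above to reconcile TCP-Wrapper logs against the lastlog, and Craig Brozefsky's suggestion to filter logfiles and trigger SNMP traps instead of buying a product that does it, come down to the same small detection loop. The script below is an added example, not code from any list poster: it parses tcp_wrappers-style syslog lines, compares accepted telnet connections against login records, and turns repeated refusals and unmatched connections into trap-style alert records. Every log line, hostname, address, trap name and threshold here is constructed for the example; handing the resulting records to a trap sender (the CMU library Brozefsky mentions, or whatever the site uses) is left out.

```python
"""Filter TCP Wrappers log lines, reconcile them against login records, and
produce SNMP-trap-style alert records.  Added example, not code from the
firewalls list; every log line, address and trap name here is constructed."""
import re
from collections import namedtuple

# Constructed tcp_wrappers syslog lines: "MMM DD HH:MM:SS host daemon[pid]: action from source".
WRAPPER_LOG = """\
May 13 03:40:11 linuxbox in.telnetd[1201]: connect from 192.0.2.7
May 13 03:41:02 linuxbox in.ftpd[1205]: refused connect from 198.51.100.9
May 13 03:42:30 linuxbox in.telnetd[1211]: connect from 192.0.2.8
May 13 03:45:00 linuxbox in.telnetd[1220]: refused connect from 198.51.100.9
May 13 03:46:17 linuxbox in.telnetd[1230]: connect from 198.51.100.23
"""

# Constructed login records in the spirit of lastlog output: user, source, time.
LASTLOG = """\
paul  192.0.2.7   May 13 03:40
anna  192.0.2.8   May 13 03:42
"""

WRAPPER_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<daemon>[\w.]+)\[\d+\]: "
    r"(?P<action>refused connect|connect) from (?P<src>\S+)$"
)

Event = namedtuple("Event", "ts host daemon action src")


def parse_wrapper_log(text):
    """Turn matching syslog lines into Event tuples; unrelated lines are skipped."""
    return [Event(**m.groupdict()) for m in map(WRAPPER_RE.match, text.splitlines()) if m]


def parse_lastlog(text):
    """Return the set of source addresses that completed a login."""
    return {parts[1] for parts in (line.split() for line in text.splitlines()) if len(parts) >= 2}


def reconcile(events, login_sources):
    """Accepted telnet connections with no login from the same source.

    This is the correlation Wellington describes: a wrapper "connect" that
    never became a login deserves a second look."""
    return [e for e in events
            if e.daemon == "in.telnetd" and e.action == "connect" and e.src not in login_sources]


# Filter rules: (regex with one group for the source, trap name, per-source threshold).
RULES = [
    (re.compile(r"refused connect from (\S+)"), "wrapperRefusedRepeat", 2),
]


def filter_alerts(text, rules=RULES):
    """Count rule hits per (trap, source) and emit an alert once the threshold is met."""
    counts = {}
    for line in text.splitlines():
        for rx, trap, threshold in rules:
            m = rx.search(line)
            if m:
                key = (trap, m.group(1), threshold)
                counts[key] = counts.get(key, 0) + 1
    return [{"trap": trap, "src": src, "count": n}
            for (trap, src, threshold), n in sorted(counts.items()) if n >= threshold]


def build_alerts(wrapper_text=WRAPPER_LOG, lastlog_text=LASTLOG):
    """Combine both checks into one list of trap-style records."""
    alerts = filter_alerts(wrapper_text)
    for e in reconcile(parse_wrapper_log(wrapper_text), parse_lastlog(lastlog_text)):
        alerts.append({"trap": "connectWithoutLogin", "src": e.src, "daemon": e.daemon, "ts": e.ts})
    return alerts


if __name__ == "__main__":
    for a in build_alerts():
        print(a)
```

On the constructed input this yields two records: a repeated-refusal alert for 198.51.100.9 and a connect-without-login alert for 198.51.100.23, which is exactly the "can't make a complete correlation" case Wellington says should raise a warning flag. The rule list is where site-specific patterns go; the threshold keeps a single stray refusal from paging anyone.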
From owner-firewalls-outgoing Tue May 13 04:27:09 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA10514 for firewalls-outgoing; Tue, 13 May 1997 04:13:58 -0700 (PDT) Received: from gst.cgs.it ([194.21.223.3]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id EAA10489 for ; Tue, 13 May 1997 04:13:46 -0700 (PDT) Received: from dviggian.gst.cgs.it ([194.21.223.230]) by gst.cgs.it (8.7.5/8.7.3) with SMTP id MAA05976 for ; Tue, 13 May 1997 12:39:17 +0200 Message-ID: <33784D22.527E@gst.cgs.it> Date: Tue, 13 May 1997 13:14:42 +0200 From: Domenico Viggiani Organization: CAP GEMINI SpA X-Mailer: Mozilla 3.01 (Win16; I) MIME-Version: 1.0 To: firewalls@greatcircle.com Subject: IBM Firewall FTP proxy Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Is there anyone out there who can send me a screen capture of the login phase to the IBM firewall FTP proxy? I need something of this type to include in a project specification (without first installing the IBM firewall!):

prompt% ftp ftp-proxy.domain.com port
Connected to ftp-proxy.domain.com
220 domain.com FTP proxy (Version V1.3) ready.
Name (domain.com:user): user@ftp.site.com
331-(----GATEWAY CONNECTED TO ftp.site.com----)
331-(220 ftp Company FTP Service (Version 3.0).)
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230-Welcome to ftp.site.com.
230 user user logged in.
ftp>

Thank you very much in advance.
Mimmo
--
Domenico Viggiani                  Internet Systems Engineer
CAP GEMINI ITALY SpA               E-mail: dviggian@gst.cgs.it
Via dei Berio, 91 - 00155 Roma     Phone: +39 6 23190 509

From owner-firewalls-outgoing Tue May 13 05:38:06 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA16077 for firewalls-outgoing; Tue, 13 May 1997 05:15:25 -0700 (PDT) Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id FAA16035 for ; Tue, 13 May 1997 05:15:10 -0700 (PDT) Message-Id: <199705131215.FAA16035@honor.greatcircle.com> Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA219035596; Tue, 13 May 1997 22:13:16 +1000 From: Darren Reed Subject: Re: Encryption Outside US To: mjr@clark.net Date: Tue, 13 May 1997 22:13:16 +1000 (EST) Cc: Firewalls@GreatCircle.COM In-Reply-To: <199705130239.WAA16855@mail.clark.net> from "Marcus J. Ranum" at May 12, 97 10:38:22 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

In some mail from Marcus J. Ranum, sie said:
[...]
> Never mind that the concept is fundamentally unAmerican, it's
> fundamentally braindamaged as well. All that the mandatory
> key "recovery" efforts will do is hamper US business' software
> sales efforts, or promote an increase of offshore software
> development. Countries that do not have mandatory key
> "recovery" systems will be able to sell their customers the
> *CHOICE* for the same price, and US business will lose.

There's one angle to this which potentially scares me and that is groups like the OECD meeting and deciding that what the USA is doing is right and adopting the same policies, be it outlawing crypto export or just outlawing all crypto which doesn't include key recovery (regardless of whether or not it is imported or exported).
I have seen reports that such groups have met to discuss such issues but I've never seen anything with detail on those meetings.

Darren

From owner-firewalls-outgoing Tue May 13 06:12:34 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA19930 for firewalls-outgoing; Tue, 13 May 1997 05:51:32 -0700 (PDT) Received: from garanti1.garanti.com.tr (garanti1.garanti.com.tr [194.54.51.100]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id FAA19883 for ; Tue, 13 May 1997 05:51:01 -0700 (PDT) Received: from Mailhub by garanti1.garanti.com.tr id AA14638; Tue, 13 May 1997 15:52:07 +0400 Received: from GarantiUser by GarantiMailServer id AA04456; Tue, 13 May 1997 15:51:08 +0400 Received: from [10.0.4.106] by manage1.fw.garanti.com.tr (AIX 4.1/UCB 5.64/4.03) id AA16950; Tue, 13 May 1997 15:51:34 +0400 Message-Id: <3378EF52.27ED@garanti.com.tr> Date: Tue, 13 May 1997 15:46:42 -0700 From: Cihan Subasi Reply-To: csubasi@garanti.com.tr Organization: Garanti Ticaret X-Mailer: Mozilla 3.0Gold (Win16; I) Mime-Version: 1.0 To: firewalls@GreatCircle.COM Subject: IBM SNG 3.1 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

How different is it from Version 2.2?
--
***************************************************************
Cihan Subasi
Garanti Ticaret, Istanbul Turkey
email= cihans@garanti.com.tr or csubasi@garanti.com.tr
Phone= +902126570404   Fax = +902126570473
***************************************************************

From owner-firewalls-outgoing Tue May 13 06:39:37 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA22979 for firewalls-outgoing; Tue, 13 May 1997 06:25:11 -0700 (PDT) Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id GAA22972 for ; Tue, 13 May 1997 06:25:05 -0700 (PDT) Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id JAA20529; Tue, 13 May 1997 09:22:35 -0400 (EDT) From: Adam Shostack Message-Id: <199705131322.JAA20529@homeport.org> Subject: Re: Encryption Outside US In-Reply-To: <199705131215.FAA16035@honor.greatcircle.com> from Darren Reed at "May 13, 97 10:13:16 pm" To: avalon@coombs.anu.edu.au (Darren Reed) Date: Tue, 13 May 1997 09:22:35 -0400 (EDT) Cc: mjr@clark.net, Firewalls@GreatCircle.COM X-Mailer: ELM [version 2.4ME+ PL27 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

The OECD has not gone that route. The EFF, EPIC, and VTW seemed pretty happy with this release.

Adam

http://www.oecd.org/dsti/iccp/legal/secur-en.html

Darren Reed wrote:
| In some mail from Marcus J. Ranum, sie said:
| [...]
| > Never mind that the concept is fundamentally unAmerican, it's
| > fundamentally braindamaged as well. All that the mandatory
| > key "recovery" efforts will do is hamper US business' software
| > sales efforts, or promote an increase of offshore software
| > development. Countries that do not have mandatory key
| > "recovery" systems will be able to sell their customers the
| > *CHOICE* for the same price, and US business will lose.
|
| There's one angle to this which potentially scares me and that is groups
| like the OECD meeting and deciding that what the USA is doing is right
| and adopting the same policies, be it outlawing crypto export or just
| outlawing all crypto which doesn't include key recovery (regardless of
| whether or not it is imported or exported).
|
| I have seen reports that such groups have met to discuss such issues but
| I've never seen anything with detail on those meetings.
|
| Darren
|

--
"It is seldom that liberty of any kind is lost all at once." -Hume

From owner-firewalls-outgoing Tue May 13 06:43:46 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA20232 for firewalls-outgoing; Tue, 13 May 1997 05:54:31 -0700 (PDT) Received: from mail.gestronic.ch ([193.246.62.65]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id FAA20202 for ; Tue, 13 May 1997 05:54:16 -0700 (PDT) Received: from rsleiman (sleiman.gestronic.ch [193.246.62.100]) by mail.gestronic.ch (8.8.5/8.8.5) with ESMTP id OAA01870; Tue, 13 May 1997 14:50:27 +0200 (MET DST) Message-ID: <33786624.D4A7EE43@gestronic.ch> Date: Tue, 13 May 1997 15:01:25 +0200 From: Raymond Sleiman Reply-To: Raymond.Sleiman@gestronic.ch Organization: Gestronic Groupe X-Mailer: Mozilla 4.0b4 [en] (WinNT; I) MIME-Version: 1.0 To: "fw-1-mailinglist@us.checkpoint.com" , "firewalls@GreatCircle.COM" , sbeyls@gestronic.com Subject: Authentication problem with firewall 1 on solaris 2.5 and sunos 4.1.4 X-Priority: 3 (Normal) Content-Type: multipart/mixed; boundary="------------3FBEF32EB5595C653BBDF724" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

This is a multi-part message in MIME format.
--------------3FBEF32EB5595C653BBDF724
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hello,

We have a management console running on a SunOS 4.1.4 machine having only one network interface, and we manage two inspection modules running on Solaris 2.5 machines.
It is working perfectly. We added a new inspection module running on a Solaris 2.5 machine acting as an Internet gateway. We added a second network interface to the management console and we faced an authentication problem.

Description of the problem: if the hostname of the management console is the same as the network interface name and the inspection module is connected to the same segment as the management console, we can get logs and download the policy; otherwise we get the message "authentication problem unautherized action i want fwa1 authentication". We are sure that the problem is related to the hostname and network interface names. We gave the second network interface the name of the hostname and we did download the policy to the firewall successfully, and of course we lost communication with the working inspection module.

Questions: did someone face this kind of problem? Could we run the management console with two network interfaces on Solaris 4.1.4?

Please send any comments or suggestions.

Best Regards
Raymond Sleiman

--
_________________________________________________________
Raymond Sleiman                  Systems Integration Manager
GESTRONIC S.A                    Phone  # +41 22 342 71 50
25 rue jacques grosselin         Fax    # +41 22 343 91 16
1227 Carouge Geneve              Mobile # +41 79 200 81 03
Switzerland                      Direct # +41 22 342 25 27
email: Raymond.Sleiman@gestronic.ch
X400:/S=Sleiman/O=Gestronic/P=SWITCH/A=ARCOM/C=ch/@chx400.switch.ch
>>>> Visit us on the WEB http://www.gestronic.ch <<<<
>>>> Visit our Job page http://www.gestronic.ch/jobs.html <<<<
_________________________________________________________

--------------3FBEF32EB5595C653BBDF724
Content-Type: text/x-vcard; charset=us-ascii; name="vcard.vcf"
Content-Transfer-Encoding: 7bit
Content-Description: Card for Raymond.Sleiman@gestronic.ch
Content-Disposition: attachment; filename="vcard.vcf"

begin: vcard
fn: Raymond.Sleiman@gestronic.ch
n: ;Raymond.Sleiman@gestronic.ch
adr: ;;;;;;
email;internet: Raymond.Sleiman@gestronic.ch
tel;work:
tel;fax:
tel;home:
x-mozilla-cpt: ;0
x-mozilla-html: FALSE
end: vcard

--------------3FBEF32EB5595C653BBDF724--

From owner-firewalls-outgoing Tue May 13 07:14:05 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA23616 for firewalls-outgoing; Tue, 13 May 1997 06:31:06 -0700 (PDT) Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id GAA23595 for ; Tue, 13 May 1997 06:30:55 -0700 (PDT) Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id JAA20570; Tue, 13 May 1997 09:28:58 -0400 (EDT) From: Adam Shostack Message-Id: <199705131328.JAA20570@homeport.org> Subject: Re: ? SSL proxies and smapd In-Reply-To: <01BC5F2B.F54B0C60@zandar.judge.org> from Joseph Judge at "May 12, 97 11:26:44 pm" To: joej@joesmac.ultranet.com (Joseph Judge) Date: Tue, 13 May 1997 09:28:57 -0400 (EDT) Cc: matt@plato.West.Sun.COM, firewalls@GreatCircle.COM X-Mailer: ELM [version 2.4ME+ PL27 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Reading/sending mail from the company on the road?

The scenario I'm thinking of is a POP/IMAP proxy for a remote system. Some firewalls include SMAP proxies, but you may find that a 'secure remote' client such as can be obtained from V-One, Raptor or DEC is more useful.

Adam

Joseph Judge wrote:
|
| I've not seen anyone muck with smap except to correct how it
| handles "bad addresses" (to make it more correct and to
| stop throwing away some OK addressing).
|
| Why would you want the ability of a NS client to SSL "in" to a
| company mail transport ? (as opposed to just hitting the local
| mail transport where you are ...
| the ISP's, etc)
|
| ----------
| From: Matthew Archibald[SMTP:matt@plato.West.Sun.COM]
|
| Any chance someone has a proxy for smapd or sendmail which would
| enable me to ssl a session from a client inbound to a proxy host
| using netscape mail?

--
"It is seldom that liberty of any kind is lost all at once." -Hume

From owner-firewalls-outgoing Tue May 13 07:27:24 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA24543 for firewalls-outgoing; Tue, 13 May 1997 06:43:26 -0700 (PDT) Received: from dublin.iona.ie (operation.dublin.iona.ie [192.122.221.5]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id GAA24536 for ; Tue, 13 May 1997 06:43:15 -0700 (PDT) Received: from ultra (ultra [192.122.221.136]) by dublin.iona.ie (8.7.5/jm-1.01) with ESMTP id OAA03261; Tue, 13 May 1997 14:42:39 +0100 (BST) Message-Id: <199705131342.OAA03261@dublin.iona.ie> X-Mailer: exmh version 1.6.6 3/24/96 To: Darren Reed cc: firewalls@greatcircle.com X-uri: http://www.iona.com/~jmason/ Subject: Re: Encryption Outside US In-reply-to: <199705131215.FAA16035@honor.greatcircle.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Tue, 13 May 1997 14:41:25 +0100 From: Justin Mason Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Darren Reed said:
>There's one angle to this which potentially scares me and that is groups
>like the OECD meeting and deciding that what the USA is doing is right
>and adopting the same policies, be it outlawing crypto export or just
>outlawing all crypto which doesn't include key recovery (regardless of
>whether or not it is imported or exported).
>
>I have seen reports that such groups have met to discuss such issues but
>I've never seen anything with detail on those meetings.

Yep, at present there isn't enough political pressure in non-US nations to protect our rights to use crypto - none of the ordinary folks out here (even less than in the US) know what crypto is.
;) It's getting to be more of an issue (slowly); witness Ross Anderson in the UK, who's been doing a very good job of monitoring the UK's crypto policymaking. However, the bigger the organisation, the harder it is to get a feel of what's going on -- we've been trying to follow EU and OECD policymaking on the subject, and apart from a few snippets from newspapers, it's very difficult to find out.

Crypto pressure groups need a higher international profile, is my conclusion.

--j.

Justin Mason        "Machine code [...] is to do with the Old Testament,
jmason@iona.com      and is talmudic and cabalistic..." -- Umberto Eco
See IIOP live on the internet! http://www.iona.com/Orbix/Wonderwall/demo/

From owner-firewalls-outgoing Tue May 13 07:42:52 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA26938 for firewalls-outgoing; Tue, 13 May 1997 07:02:02 -0700 (PDT) Received: from f33.hotmail.com (F33.hotmail.com [207.82.250.44]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA26912 for ; Tue, 13 May 1997 07:01:55 -0700 (PDT) Received: (from root@localhost) by f33.hotmail.com (8.8.5/8.8.5) id HAA19609; Tue, 13 May 1997 07:02:42 -0700 (PDT) Message-Id: <199705131402.HAA19609@f33.hotmail.com> Received: from 194.7.74.148 by www.hotmail.com with HTTP; Tue, 13 May 1997 07:02:42 PDT X-Originating-IP: [194.7.74.148] From: "Vincent Vangoethem" To: firewalls@greatcircle.com Subject: IRC proxy...which works Content-Type: text/plain Date: Tue, 13 May 1997 07:02:42 PDT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I'm looking for an IRC proxy program which works (for example with mIRC or WS_PROXY). The only (free) IRC proxy that I found is "Zen-IRC-Proxy", but it doesn't work :(

Has someone already successfully set up an IRC proxy?

Thx in advance

Vincent Vangoethem.
Network Eng.
---------------------------------------------------------
Get Your *Web-Based* Free Email at http://www.hotmail.com
---------------------------------------------------------

From owner-firewalls-outgoing Tue May 13 08:18:36 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA26860 for firewalls-outgoing; Tue, 13 May 1997 07:00:37 -0700 (PDT) Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id GAA26548 for ; Tue, 13 May 1997 06:59:45 -0700 (PDT) Received: from sol.corp.Harris.COM (sol.corp.harris.com [137.237.104.14]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with SMTP id GAA12638 for ; Tue, 13 May 1997 06:58:53 -0700 (PDT) Received: from sb.lanier.com by sol.corp.Harris.COM (8.6.12/ Harris.COM Unix mail relay) id JAA03663; Tue, 13 May 1997 09:55:44 -0400 Received: from ss.lanier.com (ss.lanier.com [151.114.129.93]) by sb.lanier.com (8.6.13/8.6.6) with ESMTP id JAA17833; Tue, 13 May 1997 09:56:41 -0400 Received: (from bisley@localhost) by ss.lanier.com (8.6.13/8.6.6) id JAA19823; Tue, 13 May 1997 09:55:23 -0400 From: Brad Isley Message-Id: <199705131355.JAA19823@ss.lanier.com> Subject: Re: [CyberGuard] how many session is possible in dynamic NAT? To: Jens.Baedeker@zu.NET (Jens Baedeker) Date: Tue, 13 May 1997 09:55:22 -0400 (EDT) Cc: wits@nuri.net, firewalls@GreatCircle.COM In-Reply-To: <199705110833.KAA18809@oskar.zu.net> from "Jens Baedeker" at May 11, 97 10:33:03 am MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>
> Young-jin Hong said:
>
> | Dear members.
> |
> | Generally, in setting up Dynamic NAT(Network Address Translation),
> | CyberGuard is working with its external IP address... as I know.
>
> That's correct
>
> |
> | And then where I set a C class IP address to external interface,
>
> i don't understand this statement. but you can use a mixture of
> dynamic and static NAT.
>
> | CyberGuard only supports about 250 concurrent users?
>
> That's not correct.
>
> |
> | Is it true? or not?
> |
> | if not, how can CyberGuard support over 250 concurrent users?
>
> 166 MHz single pentium up to 50
> 166 MHz dual pentium up to 250
> 200 MHz dual pentium unlimited

Hi, Jens, I think the question may have been directed to address limitations? Maybe?

If so, the answer is: Each session is mapped back to the dynamic NAT client via IP port assignment. In other words, all sessions using dynamic NAT appear to originate from the CyberGuard, as you said. Each connection is assigned a unique port number, which the CyberGuard remembers. This introduces other limitations, because port numbers are finite.

From owner-firewalls-outgoing Tue May 13 08:19:12 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA29602 for firewalls-outgoing; Tue, 13 May 1997 07:29:05 -0700 (PDT) Received: from ns.research.att.com (ns.research.att.com [192.20.225.4]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id HAA29594 for ; Tue, 13 May 1997 07:28:53 -0700 (PDT) Received: from research.att.com ([135.205.32.20]) by ns; Tue May 13 10:15:13 EDT 1997 Received: from amontillado.research.att.com ([135.205.42.32]) by research; Tue May 13 10:04:04 EDT 1997 Received: from mgoblue.research.att.com (mgoblue.research.att.com [135.205.43.102]) by amontillado.research.att.com (8.8.5/8.8.5) with ESMTP id KAA26241 for ; Tue, 13 May 1997 10:03:59 -0400 (EDT) From: Avi Rubin Received: (from rubin@localhost) by mgoblue.research.att.com (8.7.5/8.7) id KAA06788 for firewalls@greatcircle.com; Tue, 13 May 1997 10:03:59 -0400 (EDT) Date: Tue, 13 May 1997 10:03:59 -0400 (EDT) Message-Id: <199705131403.KAA06788@mgoblue.research.att.com> To:
firewalls@greatcircle.com Subject: Announcing: a new John Wiley book on Web Security Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Announcing:

The Web Security Sourcebook (John Wiley & Sons, Inc.)
by Avi Rubin, Dan Geer, Marcus Ranum
foreword by Steve Bellovin

A new book on all aspects of web security. More information can be found at http://www.clark.net/pub/mjr/websec/

*********************************************************************
Aviel D. Rubin                          rubin@research.att.com
Secure Systems Research Dept.           Adjunct Professor at NYU
AT&T Research Labs                      180 Park Avenue
http://www.research.att.com/~rubin/     Florham Park, NJ 07932-0971
Voice: +1 973 360-8356                  USA
FAX: +1 973 360-8809

From owner-firewalls-outgoing Tue May 13 08:58:25 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA06857 for firewalls-outgoing; Tue, 13 May 1997 08:30:20 -0700 (PDT) Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id IAA06645 for ; Tue, 13 May 1997 08:29:33 -0700 (PDT) Received: from West.Sun.COM ([129.153.100.30]) by mercury.Sun.COM (SMI-8.6/mail.byaddr) with SMTP id IAA16188; Tue, 13 May 1997 08:43:09 -0700 Received: from plato.West.Sun.COM by West.Sun.COM (SMI-8.6/SMI-5.3) id IAA04483; Tue, 13 May 1997 08:29:37 -0700 Received: by plato.West.Sun.COM (SMI-8.6/SMI-SVR4) id IAA06316; Tue, 13 May 1997 08:29:18 -0700 Date: Tue, 13 May 1997 08:29:18 -0700 From: matt@plato.West.Sun.COM (Matthew Archibald) Message-Id: <199705131529.IAA06316@plato.West.Sun.COM> To: matt@plato.West.Sun.COM, joej@joesmac.ultranet.com Subject: RE: ? SSL proxies and smapd Cc: firewalls@GreatCircle.COM X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

We are using ssh to tunnel POP3 for privacy outbound to clients dialed into ISPs and would like similar service inbound for smtp connections.
I set up forwarding from MacTCP to smtp via a non-privileged port and this seemed to work fine; at least snooping the wire showed that the connection was not in the clear... I started working on Win95 w/MS-TCP and cannot get the same results. I have yet to give up though. Any pointers to ssh forwarding, given the lack of detailed docs on my part, are appreciated.

Regardless, because we are allowing POP3, SMTP and 80/443-WWW service for employees via ISP and TIS proxies we were curious as to whether anyone had put together an SSL-aware client-server model for smtp connectivity. The web stuff is easy as the TIS proxy is set to connect only to https when inbound from the 'Net and the POP3 tunnel via ssh works exactly as advertised so only the smtp inbound issues are left to resolve.

Pointers?

Matt

From owner-firewalls-outgoing Tue May 13 09:53:55 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA08535 for firewalls-outgoing; Tue, 13 May 1997 08:41:17 -0700 (PDT) Received: from mail.baileynm.com (fw.baileynm.com [206.109.159.11]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id IAA08475 for ; Tue, 13 May 1997 08:41:00 -0700 (PDT) Received: (qmail 11674 invoked from smtpd); 13 May 1997 15:41:21 -0000 Received: from web.nmti.com (root@198.178.0.201) by fw.nmti.com with SMTP; 13 May 1997 15:41:21 -0000 Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id KAA10509; Tue, 13 May 1997 10:41:20 -0500 Received: by sonic.nmti.com; id AA00868; Tue, 13 May 1997 10:42:10 -0500 From: peter@baileynm.com (Peter da Silva) Message-Id: <9705131542.AA00868@sonic.nmti.com.nmti.com> Subject: Re: IRC proxy...which works To: vangoethem@hotmail.com (Vincent Vangoethem) Date: Tue, 13 May 1997 10:42:10 -0500 (CDT) Cc: firewalls@greatcircle.com In-Reply-To: <199705131402.HAA19609@f33.hotmail.com> from "Vincent Vangoethem" at May 13, 97 07:02:42 am X-Mailer: ELM [version 2.4 PL23]
Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> I'm looking for an IRC proxy program which works (for example with mIRC or
> WS_PROXY).
> The only (free) IRC proxy that I found is "Zen-IRC-Proxy", but it doesn't work

What's wrong with a plug-gw to irc.foo.net port 6667?

From owner-firewalls-outgoing Tue May 13 10:36:49 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA17068 for firewalls-outgoing; Tue, 13 May 1997 09:30:36 -0700 (PDT) Received: from paranoid.convey.ru (ws14.convey.ru [195.182.128.29]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id JAA17023 for ; Tue, 13 May 1997 09:30:19 -0700 (PDT) Received: (from ark@localhost) by paranoid.convey.ru (8.7.5/8.7.3) id UAA27061; Tue, 13 May 1997 20:29:46 +0400 From: ArkanoiD Message-Id: <199705131629.UAA27061@paranoid.convey.ru> Subject: Re: IRC proxy...which works To: vangoethem@hotmail.com (Vincent Vangoethem) Date: Tue, 13 May 1997 20:29:43 +0400 (MSD) Cc: firewalls@GreatCircle.COM In-Reply-To: <199705131402.HAA19609@f33.hotmail.com> from "Vincent Vangoethem" at May 13, 97 07:02:42 am X-Mailer: ELM [version 2.4 PL25] MIME-Version: 1.0 Content-Type: text/plain; charset=koi8-r Content-Transfer-Encoding: 8bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

nuqneH,

>
> I'm looking for an IRC proxy program which works (for example with mIRC or
> WS_PROXY).
> The only (free) IRC proxy that I found is "Zen-IRC-Proxy", but it doesn't work
> :(
>
> Has someone already successfully set up an IRC proxy?
>

afaik no. i was trying to find one for a long time - all i could find were plug-gw variants unable to work with dcc.

--
 _  _  _  _  _  _  _   {::}  {::}  {::}   CU in Hell
_| o |_ | | _|| | / _||_| |_ |_ |_   (##)  (##)  (##)   /Arkan#iD
|_ o _||_| _||_| / _| | o |_||_||_|   [||]  [||]  [||]   Do i believe in Bible? Hell,man,i've seen one!
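Why a byte-level plug such as plug-gw cannot do anything sensible with DCC, and what an IRC-aware proxy checks instead, as an added example (my own code, not plug-gw and not from the messages above): a DCC SEND or CHAT offer travels inside a CTCP-wrapped PRIVMSG and carries the offering client's own IP address as a decimal 32-bit integer, which a plain relay copies through unchanged. The filter below parses each line from the inside client along RFC 1459 lines, decodes any DCC offer, refuses it and produces a log entry, and relays everything else. The refusal policy, the function names and the sample session lines are constructed for the example.

```python
import ipaddress

CTCP = "\x01"                       # CTCP requests are wrapped in \x01 bytes
REFUSED_CTCP = frozenset({"DCC"})   # constructed policy: no DCC offers through the gateway


def parse_irc_line(line):
    """Split one RFC 1459 line into (prefix, COMMAND, params).

    ':nick!u@h PRIVMSG #chan :hello there' -> ('nick!u@h', 'PRIVMSG', ['#chan', 'hello there'])
    """
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    params = head.split()
    if sep:
        params.append(trailing)          # trailing parameter may contain spaces
    if not params:
        raise ValueError("empty IRC line")
    return prefix, params[0].upper(), params[1:]


def parse_dcc(body):
    """Decode a CTCP DCC body such as 'DCC SEND file.zip 3232235777 1234 999'.

    The address is the client's own IP as a decimal 32-bit integer, so a relay
    that only copies bytes forwards an address the other side may not reach.
    """
    fields = body.split()
    if len(fields) < 5 or fields[0].upper() != "DCC":
        raise ValueError("not a well-formed DCC request")
    addr = ipaddress.IPv4Address(int(fields[3]))
    return {
        "type": fields[1].upper(),
        "arg": fields[2],                # filename for SEND, 'chat' for CHAT
        "addr": str(addr),
        "private": addr.is_private,      # RFC 1918 address: unreachable from outside anyway
        "port": int(fields[4]),
        "size": int(fields[5]) if len(fields) > 5 else None,
    }


def check_client_line(line):
    """Decide whether one line from the inside client may be relayed.

    Returns (allow, note); note is the log entry for a refused line, else None.
    """
    _prefix, command, params = parse_irc_line(line)
    if command not in ("PRIVMSG", "NOTICE") or len(params) < 2:
        return True, None
    target, text = params[0], params[1]
    if not text.startswith(CTCP):
        return True, None                 # ordinary message
    body = text[1:].rstrip(CTCP)          # some clients omit the closing \x01
    if body.split(" ", 1)[0].upper() not in REFUSED_CTCP:
        return True, None                 # VERSION, PING, ACTION and friends pass
    try:
        dcc = parse_dcc(body)
        note = "refused DCC %s to %s: %s at %s:%d%s" % (
            dcc["type"], target, dcc["arg"], dcc["addr"], dcc["port"],
            " (private address)" if dcc["private"] else "")
    except ValueError:
        note = "refused malformed DCC to %s" % target
    return False, note


# Constructed sample session lines from the inside client (not captured traffic).
SAMPLE_LINES = [
    "PRIVMSG #ops :is the gateway up?\r\n",
    "PRIVMSG bob :\x01VERSION\x01\r\n",
    "PRIVMSG bob :\x01DCC SEND report.zip 167772161 2000 4096\x01\r\n",
    "PRIVMSG bob :\x01DCC CHAT chat 167772161 2001\x01\r\n",
    "PRIVMSG bob :\x01DCC\x01\r\n",
]


def relay_report(lines=SAMPLE_LINES):
    """Run the check over a session; return (relayed_lines, refusal_notes)."""
    relayed, notes = [], []
    for line in lines:
        allow, note = check_client_line(line)
        if allow:
            relayed.append(line)
        else:
            notes.append(note)
    return relayed, notes


if __name__ == "__main__":
    relayed, notes = relay_report()
    print("%d of %d lines relayed" % (len(relayed), len(SAMPLE_LINES)))
    for note in notes:
        print("LOG:", note)
```

The private-address flag in the log entry is the practical tell: a client behind the gateway advertises its inside address in every DCC offer, so even a relay that did forward the bytes would only hand the remote party an address it cannot connect to. Refusing the offer at the proxy, with a log line, is both the cleaner failure and the record a log reviewer can act on.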
From owner-firewalls-outgoing Tue May 13 10:52:46 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA07964 for firewalls-outgoing; Tue, 13 May 1997 08:37:33 -0700 (PDT) Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id IAA07935 for ; Tue, 13 May 1997 08:37:23 -0700 (PDT) Received: from West.Sun.COM ([129.153.100.30]) by mercury.Sun.COM (SMI-8.6/mail.byaddr) with SMTP id IAA17736; Tue, 13 May 1997 08:50:30 -0700 Received: from plato.West.Sun.COM by West.Sun.COM (SMI-8.6/SMI-5.3) id IAA04698; Tue, 13 May 1997 08:36:59 -0700 Received: by plato.West.Sun.COM (SMI-8.6/SMI-SVR4) id IAA06356; Tue, 13 May 1997 08:36:40 -0700 Date: Tue, 13 May 1997 08:36:40 -0700 From: matt@plato.West.Sun.COM (Matthew Archibald) Message-Id: <199705131536.IAA06356@plato.West.Sun.COM> To: joej@joesmac.ultranet.com, adam@homeport.org Subject: Re: ? SSL proxies and smapd Cc: matt@plato.West.Sun.COM, firewalls@GreatCircle.COM X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I should clarify... We need to privatize the provided connectivity specifically for Mac systems running MacTCP. Win95 is easy as we can use SKIP and get virtually complete IP privacy. Unfortunately there are very few easily installed low cost solutions for Mac privacy and nomadics over the 'Net via ISPs specifically which, unfortunately, are the restrictions placed by the customer.

Yeah, we can argue about what the value of security is against loss of revenue etc.. Been there for many years and argued it as well and long as anyone else on this list. Or the use of ISPs which provide 'private', (Uh Yeah right), connectivity; looked at this for just as many years and it has yet to be proven to me to be cost effective or truly private.

Anyway, once again any input into SSL or SSH configurations for inbound smtp services would be real helpful.
In the meantime I am working on writing one myself, just for the Mac mind you, and if I get it done I'll post it.

Thanks,
Matt

Adam Shostack wrote:
|
|The scenario I'm thinking of is a POP/IMAP proxy for a remote system.
|Some firewalls include SMAP proxies, but you may find that a 'secure
|remote' client such as can be obtained from V-One, Raptor or DEC is
|more useful.
|
|Adam

From owner-firewalls-outgoing Tue May 13 11:52:49 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA25712 for firewalls-outgoing; Tue, 13 May 1997 10:23:50 -0700 (PDT) Received: from challenger.atc.fhda.edu (challenger.atc.fhda.edu [153.18.200.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id KAA25705 for ; Tue, 13 May 1997 10:23:43 -0700 (PDT) Received: from localhost (manek@localhost) by challenger.atc.fhda.edu (8.8.0/8.7.3) with SMTP id KAA26172; Tue, 13 May 1997 10:23:38 -0700 (PDT) Date: Tue, 13 May 1997 10:23:38 -0700 (PDT) From: "Sameer R. Manek" To: Doug Wellington cc: Pavel Galynin , firewalls@GreatCircle.COM Subject: Re: Do we need a firewall:school net In-Reply-To: <1.5.4.16.19970512214303.2a4791f6@gci-net.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Mon, 12 May 1997, Doug Wellington wrote:

> Don't forget to check your logs! Make sure to reconcile TCP-Wrapper
> logs against the lastlog... If you can't make a complete correlation,
> that should send up some warning flags. Take responsibility for learning
> and protecting your computers yourself. Remember the old adage of if
> you want it done right, do it yourself!
>

Checking the logs is a good thing. You may want to consider doing something like this to allow you to monitor the logs w/o logging in; really nice if the server is going to be near your desk or something.
Just put these lines in your /etc/inittab:

c8:12345:respawn:/usr/bin/tail -f /usr/adm/httpd/access_log < /dev/tty8 > /dev/tty8 2> /dev/tty8
c9:12345:respawn:/usr/bin/tail -f /usr/adm/httpd/error_log < /dev/tty9 > /dev/tty9 2> /dev/tty9
cb:12345:respawn:/usr/bin/tail -f /usr/adm/messages < /dev/tty10 > /dev/tty10 2> /dev/tty10
cc:12345:respawn:/usr/bin/top -s < /dev/tty11 > /dev/tty11 2> /dev/tty11

From owner-firewalls-outgoing Tue May 13 13:28:34 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA28774 for firewalls-outgoing; Tue, 13 May 1997 10:52:42 -0700 (PDT) Received: from gatekeeper.ray.com (gatekeeper.ray.com [138.125.162.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id KAA28750 for ; Tue, 13 May 1997 10:52:22 -0700 (PDT) Received: (mailer@localhost) by gatekeeper.ray.com (8.7.5/8.7.3) id NAA12286 for ; Tue, 13 May 1997 13:53:03 -0400 Received: from dnsid.rac.ray.com by gatekeeper.ray.com; Tue May 13 13:51:28 1997 Received: from n01926.rac.ray.com by pop.rac.ray.com (AIX 4.1/UCB 5.64/4.03) id AA14170; Tue, 13 May 1997 12:08:49 -0500 Date: Tue, 13 May 1997 12:08:49 -0500 Message-Id: <2.2.16.19970513121810.305f0e38@pop.rac.ray.com> X-Sender: ts26849@pop.rac.ray.com X-Mailer: Windows Eudora Pro Version 2.2 (16) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: Firewalls@GreatCircle.COM From: Melanie Humphrey Subject: Gauntlet proxy 'opportunities' Cc: melanie.humphrey@pop.rac.ray.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>Date: Mon, 12 May 1997 09:32:34 -0400
>From: claman@copley.fi.mckinsey.com (Larry Claman)
>Subject: limiting outbound ports on Gauntlet
>
>There seems to be a big limitation in the Gauntlet telnet and SSL proxies. I suspect that these
>limitations also exist with the FWTK, and they may also exist with other Gauntlet proxies as
>well. (I just haven't poked around.)
> [...]
>I already know of one application taking advantage of this: Lotus Notes.
>Notes 4.5 allows a user
>to define an "RPC Proxy". If you point this setting to a Gauntlet's http proxy, it will allow you
>tunnel Notes through a Gauntlet via the SSL proxy. For more information on the Notes RPC proxy, see:
>http://www.notes.net/Today.nsf/cbb328e5c12843a9852563dc006721c7/dc5ef61ced7a7cfd8525645300546a9d?OpenDocument
>
>
>I see this limitation as a huge hole in how my security policy is implemented. I'd be interested in
>hearing what other Gauntlet and toolkit users think about this problem, and how they are dealing
>with it. I raised this issue with Gauntlet support, but they were basically unhelpful & not
>concerned.
>
>- -Larry Claman

yes, this is a bit of a hole. not big enough for a moose, but probably large enough for an antelope ;-)

if it's any consolation, gauntlet support wasn't real helpful with me either when i pointed out that the x proxy doesn't provide a way to 'match' ip addresses once it's up and running -- that is, there's no way for the firewall client/x server user to specify what ip address or hostname can connect to his/her x server. the x proxy cheerily accepts and forwards incoming traffic from any IP address. once a client inside the firewall has fired up the x proxy any host on the internet can attempt to connect to the client's xserver, and i know my users tend to not read all that bothersome fine print above the 'OK' box...

Melanie Humphrey  316-676-6518      | 'vi-sion: 1: something seen in a dream,
Raytheon Aircraft Co. Wichita KS    | trance, or ecstasy; 'vi-sion 'state-ment
melanie.humphrey@pop.rac.ray.com    | 1: a missive written while in a dreaming,
melanie@bluerock.niar.twsu.edu      | trancelike or hallucinatory state
-- Opinions expressed are not necessarily those of Raytheon Aircraft.
--

From owner-firewalls-outgoing Tue May 13 13:32:27 1997
From: minaba@mail1.ci.chi.il.us (Mark Inaba)
Message-Id: <199705131925.OAA28471@mail1>
Subject: is this an attack
To: firewalls@greatcircle.com
Date: Tue, 13 May 1997 14:25:00 -0500 (CDT)

oh! if people want, i can summarize the responses that come to me
personally (or not if i see it's on open broadcast) :)

thanks again!

-Mark

From owner-firewalls-outgoing Tue May 13 13:45:48 1997
From: pnash@hanshan.bbnplanet.com
Message-ID: <19970513185741.3049.qmail@hanshan.bbnplanet.com>
Subject: Re: IRC proxy...which works
To: ark@paranoid.convey.ru (ArkanoiD)
Date: Tue, 13 May 1997 14:57:41 -0400 (EDT)
Cc: vangoethem@hotmail.com, firewalls@GreatCircle.COM
In-Reply-To: <199705131629.UAA27061@paranoid.convey.ru> from "ArkanoiD" at May 13, 97 08:29:43 pm

> afaik no.
> i was trying to find one for a long time - all i could find
> were plug-gw variants unable to work with dcc.

Right. Allowing DCC through a firewall is a *bad* idea. If you're going
to restrict ftp connections going in & out, why would you even consider
allowing users to be able to transfer files in/out through your firewall
over UDP?

-Paul
----
Paul Nash                     I speak for myself, not for my employer.
BBN Planet  (617) 873-6604    pnash@bbnplanet.com

From owner-firewalls-outgoing Tue May 13 13:58:55 1997
From: ArkanoiD
Message-Id: <199705131856.WAA27270@paranoid.convey.ru>
Subject: ssh-compatible protocol tunnel
To: firewalls@greatcircle.com
Date: Tue, 13 May 1997 22:56:45 +0400 (MSD)

nuqneH,

Did anybody try to make such a thing? I mean a modified sshd that - say -
will connect you to a proxy running on the same machine instead of shell -
tis tn-gw for example.. i made a quick hack today but it is so ugly i'd
prefer any other solution.. anybody tried to integrate ssh with fwtk
somehow?

--
CU in Hell /Arkan#iD
Do i believe in Bible? Hell,man,i've seen one!
From owner-firewalls-outgoing Tue May 13 14:53:27 1997
From: ArkanoiD
Message-Id: <199705131928.XAA27310@paranoid.convey.ru>
Subject: Re: IRC proxy...which works
To: peter@baileynm.com (Peter da Silva)
Date: Tue, 13 May 1997 23:28:24 +0400 (MSD)
Cc: vangoethem@hotmail.com, firewalls@GreatCircle.COM
In-Reply-To: <9705131542.AA00868@sonic.nmti.com.nmti.com> from "Peter da Silva" at May 13, 97 10:42:10 am

nuqneH,

>
> > I'm looking for an IRC proxy program which works (for example with mIRC or
> > WS_PROXY).
> > The only (free) IRC proxy that I found is "Zen-IRC-Proxy", but it doesn't work
>
> What's wrong with a plug-gw to irc.foo.net port 6667?
>
inability to handle dcc.

--
CU in Hell /Arkan#iD
Do i believe in Bible? Hell,man,i've seen one!
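ArkanoiD's objection to a plain plug-gw is that it cannot handle DCC; later in this thread Arnaud Girsch explains that DCC uses IRC only to negotiate a direct host-to-host connection on an arbitrary port, and Bernd Eckenfels replies that a proxy can parse the IRC protocol the way an FTP proxy parses PORT, allowing DCC CHAT while denying DCC GET. The block below is an added example serving all three passages; it is not code from FWTK, Gauntlet or any of the posters. It assumes the standard CTCP DCC layout (a PRIVMSG whose text is `\x01DCC <type> <argument> <ip as decimal integer> <port> [<size>]\x01`) and an allow-list policy of DCC CHAT only, and implements just the decision a DCC-aware proxy would make per line, not the socket plumbing.

```python
import ipaddress
import re

# Assumed policy (Bernd's suggestion): DCC CHAT may pass, file transfers may not.
ALLOWED_DCC_TYPES = frozenset({"CHAT"})

# An IRC PRIVMSG whose text is a CTCP DCC request: ":prefix PRIVMSG target :\x01DCC ...\x01"
PRIVMSG_DCC_RE = re.compile(
    r"^(?::(?P<prefix>\S+)\s+)?PRIVMSG\s+(?P<target>\S+)\s+:\x01DCC\s+(?P<body>[^\x01]*)\x01\s*$"
)


def parse_dcc(line):
    """Return the DCC request carried by an IRC line, or None if absent or malformed.

    The CTCP payload is "DCC <type> <argument> <ip> <port> [<size>]", where <ip> is the
    32-bit IPv4 address written as a decimal integer, e.g. 3232235777 == 192.168.1.1.
    This is the piece an FTP-aware proxy would recognise from the PORT command.
    """
    m = PRIVMSG_DCC_RE.match(line)
    if m is None:
        return None
    fields = m.group("body").split()
    if len(fields) < 4:
        return None
    try:
        ip = ipaddress.IPv4Address(int(fields[2]))
        port = int(fields[3])
    except ValueError:            # non-numeric, or address outside 32 bits
        return None
    if not 0 < port <= 65535:
        return None
    size = int(fields[4]) if len(fields) > 4 and fields[4].isdigit() else None
    return {"type": fields[0].upper(), "argument": fields[1],
            "ip": str(ip), "port": port, "size": size}


def dcc_policy(line, allowed=ALLOWED_DCC_TYPES):
    """Decide what a DCC-aware IRC proxy does with one line from the client.

    Returns ("pass", None) for ordinary IRC traffic, ("allow", info) for a permitted DCC
    type, ("drop", info) for a denied type and ("drop", None) for a DCC request the proxy
    cannot parse: fail closed rather than forward something it does not understand.
    """
    if "\x01DCC" not in line:
        return "pass", None
    info = parse_dcc(line)
    if info is None:
        return "drop", None
    return ("allow" if info["type"] in allowed else "drop"), info


# Constructed sample lines (not from the original thread).
SAMPLE_LINES = [
    ":alice!a@example.net PRIVMSG bob :hello bob",
    ":alice!a@example.net PRIVMSG bob :\x01DCC CHAT chat 3232235777 5000\x01",
    ":alice!a@example.net PRIVMSG bob :\x01DCC SEND notes.txt 3232235777 5001 2048\x01",
    ":alice!a@example.net PRIVMSG bob :\x01DCC SEND bad 99999999999 5001\x01",
]


def filter_lines(lines, allowed=ALLOWED_DCC_TYPES):
    """Verdict per line, in order."""
    return [dcc_policy(line, allowed)[0] for line in lines]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        verdict, info = dcc_policy(line)
        print(verdict, info)
```

A real proxy would, on "allow", also rewrite the embedded address to its own and open the listening socket itself (exactly what an FTP proxy does with PORT), so the inside host's address never reaches the peer; the parse above is the prerequisite for that rewrite.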
From owner-firewalls-outgoing Tue May 13 15:05:52 1997
From: minaba@mail1.ci.chi.il.us (Mark Inaba)
Message-Id: <199705131924.OAA28460@mail1>
Subject: is this an attack?
To: firewalls@greatcircle.com
Date: Tue, 13 May 1997 14:24:09 -0500 (CDT)

i got some odd stuff on my console and of course, i'm suspicious of
anything sendmail does especially since this is a backwater system that no
one really should be sending mail from (and I was going to turn it off
sometime..but..) anyway, does this look like some kind of attempt to
exploit?

May 10 22:38:26 host1 sendmail[1076]: WAA01076: SYSERR: putoutmsg (NO-HOST): error on output channel sending "550 done.... User unknown": Broken pipe
May 10 22:38:27 host1w3 sendmail[1079]: WAA01079: SYSERR: putoutmsg (NO-HOST): error on output channel sending "550 a... User unknown": Broken pipe
May 10 22:40:46 host1w3 sendmail[1095]: WAA01095: SYSERR: putoutmsg (NO-HOST): error on output channel sending "550 done.... User unknown": Broken pipe
May 10 22:40:46 host1w3 sendmail[1098]: WAA01098: SYSERR: putoutmsg (NO-HOST): error on output channel sending "550 a... User unknown": Broken pipe

thanks for any clues/warnings/hints :)

-Mark

From owner-firewalls-outgoing Tue May 13 15:08:42 1997
Date: Tue, 13 May 1997 15:50:38 -0400 (EDT)
From: Dan Schlitt
To: "Marcus J. Ranum"
Cc: Firewalls@GreatCircle.COM
Subject: Re: Encryption Outside US
In-Reply-To: <199705130239.WAA16855@mail.clark.net>

Doesn't this discussion of the business need for key recovery mix together
a number of different things you might encrypt that have rather different
requirements and then try to draw the conclusion that you need key recovery
for all of them because you need it for some?

Preserving the privacy of important business records would seem to require
stronger encryption and need key recovery. Preserving privacy for a message
in transit across an insecure network where the contents are of transient
value and do not constitute a "business record" might well use weaker
encryption and not require key recovery. However it is just the latter
messages that the spooks are most interested in being able to crack.

Or am I missing some key point?
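Back to Mark Inaba's console messages a few posts up: each line records that sendmail tried to write a "550 ... User unknown" rejection and got "Broken pipe" (EPIPE), meaning the peer had already closed the connection, and "NO-HOST" means sendmail had no name for that peer. Four lines cannot say whether that is hostile, but the rate and the peers can be tracked. The following is an added example, not from any poster; the regular expression is written against the four lines in his message and is an assumption about other sendmail versions, and the fifth sample line is constructed to show that ordinary sendmail traffic is ignored.

```python
import re
from collections import Counter

# sendmail syslog line for a reply that could not be written back to the peer.
# Written against the four lines in Mark's message; other versions may differ (assumption).
SYSERR_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sendmail\[(?P<pid>\d+)\]: (?P<qid>\w+): SYSERR: putoutmsg \((?P<peer>[^)]*)\): "
    r'error on output channel sending "(?P<reply>[^"]*)": (?P<errno>.+)$'
)


def parse_syserr(line):
    """Return the fields of one putoutmsg SYSERR line, or None for any other line."""
    m = SYSERR_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["code"] = ev["reply"].split()[0] if ev["reply"] else ""   # SMTP reply code, e.g. 550
    ev["minute"] = "%s %s %s" % (ev["month"], ev["day"], ev["time"][:5])
    return ev


def summarize(lines, threshold=2):
    """Count sessions where a 5xx rejection met a closed connection, per minute and per peer.

    "Broken pipe" on the output channel means the client hung up before reading the
    rejection. A burst of these in one minute is worth a look; a lone one is usually
    just a broken client.
    """
    per_minute = Counter()
    per_peer = Counter()
    for line in lines:
        ev = parse_syserr(line)
        if ev is None:
            continue
        if ev["code"].startswith("5") and "Broken pipe" in ev["errno"]:
            per_minute[ev["minute"]] += 1
            per_peer[ev["peer"]] += 1
    flagged = sorted(minute for minute, n in per_minute.items() if n >= threshold)
    return {"per_minute": dict(per_minute), "per_peer": dict(per_peer), "flagged": flagged}


# The four lines Mark posted, plus one constructed ordinary sendmail line that must be ignored.
SAMPLE_LOG = [
    'May 10 22:38:26 host1 sendmail[1076]: WAA01076: SYSERR: putoutmsg (NO-HOST): error on output channel sending "550 done.... User unknown": Broken pipe',
    'May 10 22:38:27 host1w3 sendmail[1079]: WAA01079: SYSERR: putoutmsg (NO-HOST): error on output channel sending "550 a... User unknown": Broken pipe',
    'May 10 22:39:00 host1w3 sendmail[1090]: WAA01090: from=<postmaster@example.org>, size=512, class=0',   # constructed
    'May 10 22:40:46 host1w3 sendmail[1095]: WAA01095: SYSERR: putoutmsg (NO-HOST): error on output channel sending "550 done.... User unknown": Broken pipe',
    'May 10 22:40:46 host1w3 sendmail[1098]: WAA01098: SYSERR: putoutmsg (NO-HOST): error on output channel sending "550 a... User unknown": Broken pipe',
]


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Because "NO-HOST" hides the peer, the per-peer count is only useful once the remote address is also logged (or taken from a packet capture on port 25); the per-minute burst count works without it.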
/dan
--
Dan Schlitt                       School of Engineering Computer Systems
dan@ee-mail.engr.ccny.cuny.edu    City College of New York
(212)650-6760                     New York, NY 10031

From owner-firewalls-outgoing Tue May 13 15:55:45 1997
Date: Tue, 13 May 1997 16:20:12 -0300 (ARST)
From: Marta Ferreyra
To: Todd Graham Lewis
cc: long-morrow@CS.YALE.EDU, firewalls@GreatCircle.COM, sneakers@CS.YALE.EDU
Subject: Re: Attack via ICMP Echo Reply?

We have an attack and now the ICMP:xxx.xxx.xxx.xxx :host unreachable
messages go to console

Do you know something about this ???

+-------------------------+
| ARGENET                 |
| Ing. Marta Ferreyra     |
| martaf@argenet.com.ar   |
+-------------------------+

On Mon, 12 May 1997, Todd Graham Lewis wrote:

> On Sat, 10 May 1997 long-morrow@CS.YALE.EDU wrote:
>
> > Anyone know of a flooding attack incident involving ICMP Echo Reply packets?
>
> An actual incident? No.
>
> > Know the M.O? Symptoms? Effect?
>
> The MO would probably be to forge the return address on the ICMP packets
> and send a lot of them. Additionally, one could forge ICMP echo requests
> to another machine on the net, causing it to send replies.
>
> Symptoms would be receiving a ton of gratuitous ICMP echo replies.
>
> Effect would be to chew up bandwidth on the incoming side of your link.
>
> __
> Todd Graham Lewis    MindSpring Enterprises    tlewis@mindspring.com
>

From owner-firewalls-outgoing Tue May 13 16:16:22 1997
Date: Tue, 13 May 1997 16:29:19 -0400 (EDT)
From: Todd Graham Lewis
To: Marta Ferreyra
cc: long-morrow@CS.YALE.EDU, firewalls@GreatCircle.COM, sneakers@CS.YALE.EDU
Subject: Re: Attack via ICMP Echo Reply?

On Tue, 13 May 1997, Marta Ferreyra wrote:

> We have an attack and now the ICMP:xxx.xxx.xxx.xxx :host unreachable
> messages go to console
>
> Do you Know something about this ???

Not really; do a "tcpdump -n icmp" and send me the results.
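Todd's advice is "tcpdump -n icmp"; what you then want from that capture is whether the echo replies arriving are answers to requests your own hosts sent, because unsolicited replies are exactly the symptom he describes in the earlier message. The block below is an added example, not Todd's or Marta's code; it assumes the classic one-line tcpdump ICMP format (`HH:MM:SS.usec src > dst: icmp: message`) and a constructed capture, pairs each inbound reply with an earlier outbound request so that only unmatched replies are counted, and tallies any other ICMP aimed at your hosts (such as the "host unreachable" messages Marta reports) separately.

```python
import re
from collections import Counter

# One line of classic "tcpdump -n icmp" output: "HH:MM:SS.usec src > dst: icmp: <message>"
# (Format assumed from 1990s tcpdump; newer versions print "IP src > dst: ICMP ..." instead.)
ICMP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+): "
    r"icmp: (?P<msg>.+)$"
)


def parse_icmp(line):
    """Fields of one tcpdump ICMP line, or None if the line is something else."""
    m = ICMP_RE.match(line)
    return m.groupdict() if m else None


def classify(lines, our_hosts):
    """Separate echo replies we asked for from the ones we did not.

    Each outbound echo request from one of our hosts opens one expected-reply slot for
    (peer, our host); each inbound echo reply consumes one. Replies with no slot are the
    gratuitous ones Todd describes. Other ICMP aimed at us is tallied by message text.
    """
    expected = Counter()
    unsolicited = Counter()
    other = Counter()
    for line in lines:
        p = parse_icmp(line)
        if p is None:
            continue
        if p["msg"].startswith("echo request") and p["src"] in our_hosts:
            expected[(p["dst"], p["src"])] += 1
        elif p["msg"].startswith("echo reply") and p["dst"] in our_hosts:
            key = (p["src"], p["dst"])
            if expected[key] > 0:
                expected[key] -= 1
            else:
                unsolicited[p["src"]] += 1
        elif p["dst"] in our_hosts:
            other[p["msg"]] += 1
    return {"unsolicited": dict(unsolicited), "other": dict(other)}


# Constructed capture (not from the thread): one legitimate ping exchange, then traffic we never asked for.
SAMPLE_CAPTURE = [
    "22:38:26.100000 192.0.2.10 > 198.51.100.7: icmp: echo request",
    "22:38:26.130000 198.51.100.7 > 192.0.2.10: icmp: echo reply",
    "22:41:00.000001 203.0.113.20 > 192.0.2.10: icmp: echo reply",
    "22:41:00.000002 203.0.113.20 > 192.0.2.10: icmp: echo reply",
    "22:41:00.000003 203.0.113.20 > 192.0.2.10: icmp: echo reply",
    "22:41:00.000004 203.0.113.1 > 192.0.2.10: icmp: host 10.9.9.9 unreachable",
    "22:41:00.000005 198.51.100.7 > 198.51.100.9: icmp: echo reply",   # not ours, ignored
]

OUR_HOSTS = frozenset({"192.0.2.10"})


if __name__ == "__main__":
    print(classify(SAMPLE_CAPTURE, OUR_HOSTS))
```

The source addresses in the unsolicited set cannot be trusted, since Todd's MO is forged return addresses; the count is still the number you need to decide whether to ask the upstream to filter inbound echo replies toward your link.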
__
Todd Graham Lewis    MindSpring Enterprises    tlewis@mindspring.com

From owner-firewalls-outgoing Tue May 13 16:58:06 1997
Message-ID: <3378A444.C9C4197A@citel.upc.es>
Date: Tue, 13 May 1997 19:26:28 +0200
From: Francesc Guasch
Reply-To: frankie@citel.upc.es
Organization: UPC
To: firewalls@greatcircle.com
Subject: routing 2 domains

I need to know if this can be done :

example

           inside
  a.b.c.3---|
            |
  a.b.c.4---|
            ---fw---cisco---- outside (internet)
  x.y.z.3---|
            |
  x.y.z.4---|

Inside there are computers with ip addresses from two different ISPs and
I'm wondering if I could set up a linux firewall that could handle this

Thanks in advance
--
 ^-^_-----\          mailto:frankie@citel.upc.es
  o o    )           http://www.etsetb.upc.es/~frankie
   Y (_ (___(ssss    phone: (343) 401 6809
All those moments will be lost in time, like tears in the rain.
From owner-firewalls-outgoing Tue May 13 17:12:17 1997
Date: Tue, 13 May 1997 18:49:44 -0400
From: erics@mailhost.cimco.com (Eric M. Stone)
Message-Id: <199705132249.SAA02158@gandalf.cimco.com>
To: firewalls@greatcircle.com
Subject: add

add

From owner-firewalls-outgoing Tue May 13 17:42:26 1997
Message-ID: <01BC5FC9.637098C0@slip129-37-104-81.mn.us.ibm.net>
From: Ray Hooker
To: "'Firewall Mailing List'"
Cc: "'p2135380@vmsuser.acsu.unsw.EDU.AU'"
Subject: Re: Electronic Commerce and Firewalls
Date: Tue, 13 May 1997 18:13:35 -0400

I have found a number of interesting urls with information on Ecommerce.

http://www.commerce.net - online publication
http://ecworld.utexas.edu/ - EC World
http://www.ecworld.org/ - Electronic Commerce World Institute
http://www.computerworld.com/emmerce/index.html - ComputerWorld Emmerce.
Ray Hooker

From owner-firewalls-outgoing Tue May 13 18:18:11 1997
From: girsch@marben.com (Arnaud Girsch)
Message-Id: <199705132207.PAA29903@mail.marben.com>
Subject: Re: IRC proxy...which works
To: ark@paranoid.convey.ru (ArkanoiD)
Date: Tue, 13 May 1997 15:07:17 -0700 (PDT)
Cc: vangoethem@hotmail.com, firewalls@GreatCircle.COM
In-Reply-To: <199705131629.UAA27061@paranoid.convey.ru> from "ArkanoiD" at May 13, 97 08:29:43 pm

> > I'm looking for an IRC proxy program which works (for example with mIRC or
> > WS_PROXY).
> > The only (free) IRC proxy that I found is "Zen-IRC-Proxy", but it doesn't work
> > :(
> >
> > Has someone already successfully performed an IRC proxy ?
> >
> afaik no. i was trying to find one for a long time - all i could find
> were plug-gw variants unable to work with dcc.

'DCC' is not part of the "IRC protocol", but is a separate thing. You can
easily proxy IRC itself, using a plug-gw to a 6667/whatever port, as someone
else suggested.

DCC (Direct Client-to-Client) protocol uses IRC to ask for a connection, but
then opens a direct connection between two hosts, bypassing the IRC servers
completely. The connection can be established on any random port, so there's
no way to proxy that, except if you hack around the clients to open fixed
ports.

Arnaud.
--
Arnaud Girsch -+- agirsch@marben.com -+- Marben Products, Inc. - San Jose, CA

From owner-firewalls-outgoing Tue May 13 18:42:15 1997
Date: Tue, 13 May 1997 15:49:25 -0700
From: matt@plato.West.Sun.COM (Matthew Archibald)
Message-Id: <199705132249.PAA08782@plato.West.Sun.COM>
To: joej@joesmac.ultranet.com, adam@homeport.org, matt@plato.West.Sun.COM
Subject: Re: ? SSL proxies and smapd
Cc: firewalls@GreatCircle.COM

Oh how painful it is to have to humble myself...

Turns out that if you use Netscape's Mail front-end in just about any
version it truly believes that it must always connect to port 25. We had
moved sendmail to an alternate port and so the major headaches began. I
switched to Eudora and lo and behold connectivity via SSH to my alternate
was perfect. I sent sendmail back to port 25 and tunneled port 25 through
localhost and the Netscape Mail'r is happy as the proverbial clam.

FYI:

                    TIS (smapd, ssh, http-gw, plug-gw-ssl)
                      |
                      |
ClientHost(ISP connected)----[Firewall]---(DMZ)
                      |
                      |
                  InsideHosts

Comm's from the client destined for InsideHosts are redirected via the
Firewall to the TIS proxy and are private via SSH tunneling between clients
and TIS. Smap forwards via sendmail to the inside.
Some overhead for this but this is a short-term, limited user topology so
currently negligible.

Thanks for all of the feedback.

Matt

From owner-firewalls-outgoing Tue May 13 19:02:56 1997
Date: Tue, 13 May 1997 19:21:11 -0400 (EDT)
From: Information Security
Message-Id: <199705132321.TAA23080@panix2.panix.com>
To: Firewalls@GreatCircle.COM
Subject: Re: Encryption Outside US

> Darren Reed wrote:
> | There's one angle to this which potentially scares me and that is groups
> | like the OECD meeting and deciding that what the USA is doing is right
> | and adopting the same policies...
> The OECD has not gone that route. The EFF, EPIC, and VTW seemed
> pretty happy with this release.
>
> Adam
>
> http://www.oecd.org/dsti/iccp/legal/secur-en.html

A big fluffy document that doesn't offend anyone, or offer real help.

Thanks bunches bureaucrats.

> Darren Reed wrote:
> |
> | There's one angle to this which potentially scares me and that is groups
> | like the OECD meeting and deciding that what the USA is doing is right
> | and adopting the same policies, be it outlawing crypto export or just
> | outlawing all crypto which doesn't include key recovery (regardless of
> | whether or not it is imported or exported).

Import restrictions in the U.S.?

Outlaw all non-government approved crypto?

That would never happen...would it?
http://cgi.pathfinder.com/netly/ [search for article title]

The Netly News
Bill of Goods
by Declan McCullagh
May 9, 1997

Senate Democrats are preparing legislation that requires universities and
other groups receiving Federal grants to make their communication networks
snoopable by the government, The Netly News has learned. The draft also
includes penalties for "unauthorized breaking of another's encryption
codes," and restrictions on importing encryption products.

At a Democratic leadership press briefing, Sen. Bob Kerrey (D-Neb.)
yesterday said his bill slightly relaxed export rules in exchange for
greater federal control over crypto imports. But what he appears to be
truly aiming for is a full-scale assault on your right to use whatever
encryption software you want in your own home.

[snip]

It's diabolical. Researchers already have to comply with a legion of rules
to qualify for grants. Kerrey's proposed bill, called "The Secure Public
Network Act," would add yet another provision to the fine print. It
requires that "all encryption software purchased with federal funds shall
be software based on a system of key recovery" and "all encrypted networks
established with the use of federal funds shall use encryption based on a
system of key recovery."

Key recovery, or key escrow, technology enables law-enforcement officials
to obtain copies of the mathematical keys needed to decipher messages. In
other words, someone else keeps a copy of your secret key -- and some
proposed bills say that the cops may not even need a search warrant to
seize it.

[snip]

What about the penalties for "unauthorized breaking of another's encryption
codes?" That would criminalize cryptanalysis, the way to verify the
security of encryption software you buy. "The only way to know the strength
of a cipher is cryptanalysis," says Marc Briceno, a cryptography guru at
Community ConneXion.
Then there's Kerrey's statement saying "there will be" restrictions on what
encryption products you're permitted to buy from overseas firms. This
contradicts Justice Department official Michael Vatis, who told me at a
conference this year that the Clinton administration did not want import
controls. Though Cabe Franklin, spokesperson for Trusted Information
Systems, says Kerrey was misunderstood. "In the briefing afterwards, I found
out he didn't mean that at all. He meant import controls, but more
regulation than restriction. The same way they wouldn't let a car with
faulty steering controls in the country. He meant more quality control,"
Franklin says. (I don't know about you, but I'm not convinced.)

[snip]

Kerrey's sudden interest in cryptologic arcana likely stems from a recent
addition to his staff: policy aide Chris McLean. McLean is hardly a friend
of the Net. While in former Sen. Jim Exon's (D-Neb.) office, McLean drafted
the notorious Communications Decency Act and went on to prompt Exon to
derail "Pro-CODE" pro-encryption legislation last fall. Then, not long after
McLean moved to his current job, his new boss stood up on the Senate floor
and bashed Pro-CODE in favor of the White House party line: "The President
has put forward a plan which in good faith attempts to balance our nation's
interests in commerce, security, and law enforcement." Now, more ominously,
McLean just might be Bill Clinton's appointee to fill a vacant slot at the
Federal Communications Commission. If you think the White House is out to
slam the Net, imagine what the FCC could do...

----

* "Above the Law"
* ISBN 0-684-80699-1, 1996
* by David Burnham
*
* "Sure", said Al Bayse of the FBI, "I believe there is an absolute
* right to privacy. But that doesn't mean you have the right to break
* the law in a serious way.
* Any private conversation that doesn't
* involve criminality should be private"
*
* In other words, as the debate was framed by Bayse, the right to
* privacy is at least partly contingent on a determination by an FBI
* agent or clerk that the conversations they already intercepted and
* understood do not involve a crime.
*
* [snip]
*
* The suspicion that the government might one day try to outlaw any
* encryption device which did not provide easy government access was
* reinforced by comments made by FBI Director Freeh at a 1994 Washington
* conference on cryptography. "The objective for us is to get those
* conversations...wherever they are, whatever they are", he said in
* response to a question.
*
* Freeh indicated that if five years from now the FBI had solved the
* access problem but was only hearing encrypted messages, further
* legislation might be required.
*
* The obvious solution: a federal law prohibiting the use of any
* cryptographic device that did not provide government access.
*
* Freeh's hints that the government might have to outlaw certain kinds
* of coding devices gradually became more explicit. "The drug cartels
* are buying sophisticated communications equipment", he told Congress.
* "Unless the encryption issue is RESOLVED soon, criminal conversations
* over the telephone and other communications devices will become
* indecipherable by law enforcement. This, as much as any issue,
* jeopardizes the public safety and national security of this country."

Those of you in the U.S. wake up and contact your Senators.

See http://www.webslingerz.com/jhoffman/congress-email.html for contact info.

Speaking of munitions and dangerous drug cartel devices...

* "U.S. Classifies a Device to Surf the Web as a Weapon"
* The New York Times, Nov 8 1996
* by John Markoff
*
* American couch potatoes have become empowered - too empowered, in
* the eyes of the Government.
*
* A $300 television set-top device for browsing the World Wide Web,
* which Sony and Philips Electronics recently began selling at chain
* stores like Sears Roebuck and Circuit City Stores, uses computer
* security so powerful that the government is classifying it as a
* weapon that will require a special export license before it can
* be sold overseas.
* [snip]
*
* The Web-TV device does not have a key-recovery feature.
* [snip]
*
* "We have not given any licenses for 128-bit encryption schemes",
* said a Government official, who spoke on the condition of
* anonymity. [YEA ANONYMITY! ---guy]
*
* In light of the Government's recent key-recovery "compromise" offer,
* few industry experts expect the Administration to grant an export
* license for the Web-TV devices.
*
* The export confrontation, first reported in the current issue of
* Electronic Buyers' News, a trade publication, is one example of
* a growing challenge to the Clinton Administration as United States
* computer and consumer electronics companies attempt to compete for
* the exploding Internet market with Asian and European companies
* not bound by American export laws.

Any company using compromised (key recovery) crypto for their Internet
business traffic are fools.
(my personal opinion) ---guy, rootguy@WebTV.net, guy@panix.com [use the latter] From owner-firewalls-outgoing Tue May 13 19:27:23 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id TAA15151 for firewalls-outgoing; Tue, 13 May 1997 19:12:51 -0700 (PDT) Received: from mail.ka.inka.de (quechua.inka.de [193.197.84.5]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id TAA15061 for ; Tue, 13 May 1997 19:12:31 -0700 (PDT) Received: from uu.inka.de ([193.197.84.8]) by mail.ka.inka.de with smtp (ident root using rfc1413) id m0wRTZH-0004KcC (Debian Smail-3.2 1996-Jul-4 #2); Wed, 14 May 1997 04:13:27 +0200 (MET DST) Received: from lina.inka.de (lists@lina.inka.de) by uu.inka.de with bsmtp (S3.1.29.1) id ; Wed, 14 May 97 04:13 MET DST Received: by lina.inka.de id m0wRTAp-00016mC (Debian Smail-3.2 1996-Jul-4 #2); Wed, 14 May 1997 03:48:11 +0200 (CEST) Message-Id: Date: Wed, 14 May 1997 03:48:10 +0200 From: Bernd Eckenfels To: Arnaud Girsch Cc: ArkanoiD , vangoethem@hotmail.com, firewalls@GreatCircle.COM Subject: Re: IRC proxy...which works References: <199705131629.UAA27061@paranoid.convey.ru> <199705132207.PAA29903@mail.marben.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.67 In-Reply-To: <199705132207.PAA29903@mail.marben.com>; from Arnaud Girsch on Tue, May 13, 1997 at 03:07:17PM -0700 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello, > The connection can be established on any random port, so there's > no way to proxy that, except if you hack around the clients to open fixed > ports. This is the 20th century. Proxies are clever enough to parse the irc protocoll and modify it. Handling dcc is very similiar to handling ftp. No dont know a DCC capable Proxy. (Good Feature would be to allow DCC CHAT and deny DCC GET. Greetings Bernd -- (OO) -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de -- ( .. 
) ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/ o--o *plush* 2048/93600EFD eckes@irc +4972573817 BE5-RIPE (O____O) If privacy is outlawed only Outlaws have privacy From owner-firewalls-outgoing Tue May 13 19:37:00 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id SAA04574 for firewalls-outgoing; Tue, 13 May 1997 18:16:16 -0700 (PDT) Received: from mail.ka.inka.de (quechua.inka.de [193.197.84.5]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id SAA04567 for ; Tue, 13 May 1997 18:16:10 -0700 (PDT) Received: from uu.inka.de ([193.197.84.8]) by mail.ka.inka.de with smtp (ident root using rfc1413) id m0wRSgh-0004JCC (Debian Smail-3.2 1996-Jul-4 #2); Wed, 14 May 1997 03:17:03 +0200 (MET DST) Received: from lina.inka.de (lists@lina.inka.de) by uu.inka.de with bsmtp (S3.1.29.1) id ; Wed, 14 May 97 03:17 MET DST Received: by lina.inka.de id m0wRSDI-00016mC (Debian Smail-3.2 1996-Jul-4 #2); Wed, 14 May 1997 02:46:40 +0200 (CEST) Message-Id: Date: Wed, 14 May 1997 02:46:39 +0200 From: Bernd Eckenfels To: frankie@citel.upc.es Cc: firewalls@greatcircle.com Subject: Re: routing 2 domains References: <3378A444.C9C4197A@citel.upc.es> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.67 In-Reply-To: <3378A444.C9C4197A@citel.upc.es>; from Francesc Guasch on Tue, May 13, 1997 at 07:26:28PM +0200 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello, On May 13, Francesc Guasch wrote > Inside there are computers with ip addresses from two > different ISPs and I'm wondering if I could set up > a linux firewall that could handle this Sure why not. The question is if your ISP can/want to handle it. With recent Linux Kernels you may also be able to do policy based routing (you can use 2 routing tables, one for each net to give different default-routes based on the sender (or much more). Greetings Bernd -- (OO) -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de -- ( .. 
) ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/ o--o *plush* 2048/93600EFD eckes@irc +4972573817 BE5-RIPE (O____O) If privacy is outlawed only Outlaws have privacy

From owner-firewalls-outgoing Tue May 13 19:42:06 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id TAA19710 for firewalls-outgoing; Tue, 13 May 1997 19:36:58 -0700 (PDT) Received: from csc.com (explorer.csc.com [20.1.10.27]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id TAA19683 for ; Tue, 13 May 1997 19:36:50 -0700 (PDT) Received: from sdfpc2.gsfc.nasa.gov by csc.com via smtpd with smtp id for ; Tue, 13 May 97 22:36 EDT (/\oo/\ Smail3.1.29.1 #29.9 built 21-apr-97)
Message-Id: <3.0.1.16.19970513221515.1e7f837e@explorer.csc.com> X-Sender: asafier@explorer.csc.com X-Mailer: Windows Eudora Light Version 3.0.1 (16) Date: Tue, 13 May 1997 22:15:15 To: Eric Deschamps From: Adam Safier Subject: Re: [FW1] [FW-1] [Solaris 2.6] DHCP, VLSM thoughts Cc: Marc Mosko , "Marc D. Jackson" , Eric.Deschamps@France.Sun.COM, Jerald.Josephs@Ebay.Sun.COM, firewalls@GreatCircle.COM, fw-1-mailinglist@us.checkpoint.com, drexx@pspi.com.ph In-Reply-To: References: <"Your message with ID" <336E7325.B14CADEA@tear.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

At 12:12 PM 5/6/97 +0200, Eric Deschamps wrote:
>I am not sure that a firewall should deal with routing at all (and with other
>stuff as well). I like the idea of building a perimeter defense with a
>firewall doing only filtering (with states engines) and having some proxies
>for specific applications.
>

A firewall is effectively a router. The vulnerability that makes people antsy is the protocols used to update the routing tables. Most route update protocols are subject to being fed misinformation resulting in incorrect routes, potentially making IP spoofing attacks easier. The solution of most firewallers is static routes.
OSPF has a password option to help avoid getting routing areas mixed up - but it's sent with the updates in the clear. If you encrypt the link between 2 firewalls you can safely send routing info. Just watch the overhead from updates that are too frequent.

Adam
My opinion only counts with those who want it.

From owner-firewalls-outgoing Tue May 13 20:22:48 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id SAA04337 for firewalls-outgoing; Tue, 13 May 1997 18:14:46 -0700 (PDT) Received: from elm.ncs.com.sg (elm.ncs.com.sg [203.116.16.17]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id SAA04082 for ; Tue, 13 May 1997 18:13:58 -0700 (PDT) Received: from exch1.ncs.com.sg (exch1.ncs.com.sg [192.168.249.12]) by elm.ncs.com.sg (8.7.3/8.7.3) with SMTP id JAA28857 for ; Wed, 14 May 1997 09:02:27 +0800 (SGT) Received: by exch1.ncs.com.sg with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5) id <01BC6047.33F15610@exch1.ncs.com.sg>; Wed, 14 May 1997 09:14:18 +0800
Message-ID: From: LAI CHACK AN ITSC NCS To: "'firewalls@GreatCircle.COM'" Subject: Gauntlet http-gw problem Date: Wed, 14 May 1997 09:12:38 +0800 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>
>Hi,
> Encountered 2 problems with the http-gw and would appreciate it if someone
>could help me out.
>
>Problem 1:
>Network setup : client -- Gauntlet -- FTPD
>
> When I GET an ftp URL (via http-gw), the directories will be retrieved as
>text (i.e. the icons are text icons). A snoop (Solaris) on the interface shows
>that the http-gw upon contacting the ftpd will first issue a SYST command. As
>most ftpd (at least those I've tried) do not understand SYST, a COMMAND
>UNKNOWN is replied.
> After which, the http-gw will issue a NLST to retrieve the files in the ftpd.
>The returned files are all treated as text files and hence the icons are also
>as such. I believe that an NLST -LF will solve the problem here.
> On one of my Linux boxes, the ftpd replies to the SYST command and the http-gw
>will issue a NLST -LF command instead, and hence the replied FTP-DATA has the
>dirs correctly labelled as such.
>
> So, I believe that this problem could be easily solved by issuing an NLST
>-LF for all ftpd which do not understand the SYST command and return
>a "500 command not understood" error.
>
>
>
>Problem 2:
>Network setup : client -- Gauntlet -- FW-1 (as a firewall) -- FW-1 (as a NAT
>machine) -- Internet
>(The NAT FW-1 has both hiding and mapping address translations on it)
>
> In this scenario, the http-gw does not know how to automatically do a CWD to
>the directory for a file listing. The sequence of events is as follows:
>
> http-gw                    ftpd
>
> - SYST
>                            - SYST unknown
> - RETR pub
>                            - 550 pub: not a plain file.\r\n
>
> After which the http-gw will disconnect.
>
> However, using the network in problem 1, the following will be the event
>sequence:
>
> - SYST
>                            - SYST unknown
> - RETR pub
>                            - 550 pub: not a plain file.\r\n
> - CWD pub
>                            - COMMAND successful
> - NLST
>                            - FTP-DATA (files info)
>
> The question here is why does it not do an auto CWD and NLST upon receiving
>a 550 error message using the second network configuration? We are really
>puzzled here and any solutions/suggestions would be really appreciated.
>
>
>Lai Chack An
>Security Systems Engineer
>National Computer Systems Pte Ltd
>
>

From owner-firewalls-outgoing Tue May 13 20:30:32 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id SAA09432 for firewalls-outgoing; Tue, 13 May 1997 18:42:06 -0700 (PDT) Received: from lucifer.adams.edu (lucifer.adams.edu [192.156.134.6]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id SAA09423 for ; Tue, 13 May 1997 18:42:00 -0700 (PDT) Received: from localhost (jjj@localhost) by lucifer.adams.edu (8.7.5/8.7.3) with SMTP id TAA04301; Tue, 13 May 1997 19:10:02 -0600
Date: Tue, 13 May 1997 19:10:02 -0600 (MDT) From: Joel J Jensen To: Domenico Viggiani cc: firewalls@GreatCircle.COM Subject: Re: SQL*net & SNMP In-Reply-To: <337816E6.5B47@gst.cgs.it> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Tue, 13 May 1997, Domenico Viggiani wrote:

> In order to fulfill the requirements of a project, I need a firewall
> product having a SQL*net proxy and the capability to send SNMP alerts in
> response to selectable events.
>
> Actually, the only products having a SQL*net proxy are:
> - Checkpoint Firewall 1
> - Altavista Firewall 97
> - Gauntlet TIS Firewall
> but none of these claims to send SNMP alerts.
> Only IBM Firewall has this but it hasn't a SQL*net proxy.
>
> Is this survey exact?
>

Also, be aware that the SQL*net proxy may not run on all platforms the firewall ostensibly supports. The TIS proxy only runs on Suns. After discussing this anomaly (I need it to run on the BSDI platform) with TIS I've come to understand that the code/information to proxy SQL*net comes from Oracle and that Oracle will not support the proxy code on other platforms.
This would seem to shoot giant holes in Oracle's claim of broad platform support and really limits, in my opinion, the environments that Oracle should be considered suitable for (a really great database if you don't have or intend to implement networks!).

-------------------------------------------------------------------------------
Joel J Jensen | Adams State College | (719)589-7790 (voice)
jjj@lucifer.adams.edu | 208 Edgemont Blvd | (719)589-7522 (fax)
| Alamosa, CO 81102 |
-------------------------------------------------------------------------------

From owner-firewalls-outgoing Tue May 13 21:13:25 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA29673 for firewalls-outgoing; Tue, 13 May 1997 14:54:54 -0700 (PDT) Received: from argenet.com.ar ([200.5.127.3]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id OAA29636 for ; Tue, 13 May 1997 14:54:39 -0700 (PDT) Received: from localhost (martaf@localhost) by argenet.com.ar (8.8.5/8.8.5) with SMTP id SAA17590; Tue, 13 May 1997 18:59:23 -0300
Date: Tue, 13 May 1997 18:59:22 -0300 (ARST) From: Marta Ferreyra To: Todd Graham Lewis cc: long-morrow@CS.YALE.EDU, firewalls@GreatCircle.COM, sneakers@CS.YALE.EDU Subject: Re: Attack via ICMP Echo Reply? In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I don't have tcpdump; I am going to find it. Really, we have had two attacks on Linux servers. On one of them, what I told you about happened with the ICMP messages, and in /var/adm/messages after this, where it used to say "server kernel:ICMP..." it now says "server linux: ICMP...". On the other server the same happened in /var/adm/messages, which says "server linux:*** tcp.c:tcp_data bug acked < copied", and these messages go to the console. When I find tcpdump I'll do what you asked me. Thanks in advance.

+-------------------------+
| ARGENET |
| Ing.
Marta Ferreyra | | martaf@argenet.com.ar | +-------------------------+

On Tue, 13 May 1997, Todd Graham Lewis wrote:

> On Tue, 13 May 1997, Marta Ferreyra wrote:
>
> > We have an attack and now the ICMP:xxx.xxx.xxx.xxx :host unreachable
> > messages go to console
> >
> > Do you know something about this ???
>
> Not really; do a "tcpdump -n icmp" and send me the results.
>
> __
> Todd Graham Lewis MindSpring Enterprises tlewis@mindspring.com
>

From owner-firewalls-outgoing Tue May 13 21:27:39 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id UAA29598 for firewalls-outgoing; Tue, 13 May 1997 20:33:14 -0700 (PDT) Received: from NURI.NET (mail.nuri.net [203.255.112.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id UAA29537 for ; Tue, 13 May 1997 20:33:01 -0700 (PDT) Received: from bae.nuri.net (bae.nuri.net [203.255.113.80]) by NURI.NET (8.8.5/8.8.5) with ESMTP id MAA03044 for ; Wed, 14 May 1997 12:33:45 +0900 (KST) From: Jufa Hong Received: (wits@localhost) by bae.nuri.net (8.6.12h2/8.6.12) id MAA02812 for firewalls@greatcircle.com; Wed, 14 May 1997 12:38:06 +0900
Message-Id: <199705140338.MAA02812@bae.nuri.net> Subject: Secure password generation! To: firewalls@greatcircle.com Date: Wed, 14 May 1997 12:38:06 +0900 (KST) X-Mailer: ELM [version 2.4 PL21-h4] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Dear members.

I'm afraid that users on my system are using a secure password. Therefore, I'd like to enforce all users to make their own password more unexpectable for an outsider or hacker, and the making of passwords can be controlled by the system administrator. For example, all users cannot use their login name as a password, or the system makes the user's secure password automatically.

Are there any tools for this?
Young-jin Hong
E-mail> wits@nuri.net

From owner-firewalls-outgoing Tue May 13 21:42:17 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id TAA21900 for firewalls-outgoing; Tue, 13 May 1997 19:52:14 -0700 (PDT) Received: from scifi.squawk.com (scifi.squawk.com [199.74.151.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id TAA21880 for ; Tue, 13 May 1997 19:52:05 -0700 (PDT) Received: from localhost (njs@localhost) by scifi.squawk.com (8.8.5/8.8.5) with SMTP id WAA03158; Tue, 13 May 1997 22:52:47 -0400
Date: Tue, 13 May 1997 22:52:47 -0400 (EDT) From: Nick Simicich X-Sender: njs@scifi To: Arnaud Girsch cc: ArkanoiD , vangoethem@hotmail.com, firewalls@GreatCircle.COM Subject: Re: IRC proxy...which works In-Reply-To: <199705132207.PAA29903@mail.marben.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Tue, 13 May 1997, Arnaud Girsch wrote:

> > > I'm looking for an IRC proxy program which works (for example with mIRC or
> > > WS_PROXY).
> > > The only (free) IRC proxy that I found is "Zen-IRC-Proxy", but it doesn't work
> > > :(
> > >
> > > Has someone already successfully performed an IRC proxy ?
> > >
> > afaik no. i was trying to find one for a long time - all i could find
> > were plug-gw variants unable to work with dcc.
>
> 'DCC' is not part of the "IRC protocol", but is a separated stuff. You can
> easily proxy IRC itself, using a plug-gw to a 6667/whatever port, as
> someone else suggested.
> DCC (Direct Client-to-Client) protocol uses IRC to ask for a connection, but
> then open a direct connect between two hosts, bypassing completely the IRC
> servers. The connection can be established on any random port, so there's
> no way to proxy that, except if you hack around the clients to open fixed
> ports.

Socks works. You have to use a socksified stack or socksify your IRC proxy.
As is typical with DCC, the problem is that one of the communicators in DCC passes the ip address and port number to the other by doing a 'getsockname' and sending the results. Of course my password is the same as my pet's name. My macaw's name was Q47pY!3, but I change it every 90 days. Nick Simicich mailto:njs@scifi.squawk.com or (last choice) mailto:njs@us.ibm.com http://scifi.squawk.com/njs.html -- Stop by and Light Up The World! From owner-firewalls-outgoing Tue May 13 22:12:24 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id VAA13090 for firewalls-outgoing; Tue, 13 May 1997 21:57:40 -0700 (PDT) Received: from mail.dserve.net ([207.108.135.5]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id VAA13078 for ; Tue, 13 May 1997 21:57:32 -0700 (PDT) Received: from eric ([10.4.11.29]) by mail.dserve.net (Netscape Mail Server v2.02) with SMTP id AAA207 for ; Tue, 13 May 1997 21:59:07 -0700 Message-Id: <3.0.32.19970513233802.009c4d30@mail.dserve.net> X-Sender: ericr@mail.dserve.net X-Mailer: Windows Eudora Pro Version 3.0 (32) To: firewalls@GreatCircle.COM From: "Eric C. 
Rodziewicz" Subject: delete Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 13 May 1997 21:59:07 -0700 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

delete

From owner-firewalls-outgoing Tue May 13 22:27:21 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id WAA16041 for firewalls-outgoing; Tue, 13 May 1997 22:15:42 -0700 (PDT) Received: from matav.hu (firewall.matav.hu [145.236.225.161]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id WAA16017 for ; Tue, 13 May 1997 22:15:26 -0700 (PDT) Received: from tiivs7.tii.matav.hu ([145.236.48.148]) by firewall.matav.hu with SMTP id <55557-1>; Wed, 14 May 1997 07:13:45 +0100 Received: from Bunuel.tii.matav.hu by tiivs7.tii.matav.hu (MX V4.1 VAX) with SMTP; Wed, 14 May 1997 07:16:13 MET Received: from localhost by Bunuel.tii.matav.hu with smtp id m0wRWU1-002QmQC (Debian Smail-3.2 1996-Jul-4 #2); Wed, 14 May 1997 07:20:13 +0200 (MET DST)
Date: Wed, 14 May 1997 06:20:12 +0100 From: "Magossa'nyi A'rpa'd" To: ArkanoiD CC: firewalls@GreatCircle.COM Subject: Re: ssh-compatible protocol tunnel In-Reply-To: <199705131856.WAA27270@paranoid.convey.ru> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=ISO-8859-2 Content-Transfer-Encoding: QUOTED-PRINTABLE Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Tue, 13 May 1997, ArkanoiD wrote:

> nuqneH,
>
> Did anybody try to make such a thing? I mean a modified sshd that - say -
> will connect you to a proxy running on the same machine instead of shell -
> tis tn-gw for example.. i made a quick hack today but it is so ugly i'd
> prefer any other solution..
> anybody tried to integrate ssh with fwtk somehow?
>

It may not be exactly what you've asked for, but it has something to do with firewalls and ssh; How to set up a VPN with ssh:
http://hal2000.hal.vein.hu/~mag/linux-security/VPN-HOWTO.html

And you can use the -R option of ssh for port tunnelling.
You knew that already, I guess.

---
GNU GPL: only from a pure source

From owner-firewalls-outgoing Tue May 13 22:42:26 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id WAA20090 for firewalls-outgoing; Tue, 13 May 1997 22:39:57 -0700 (PDT) Received: from challenger.atc.fhda.edu (challenger.atc.fhda.edu [153.18.200.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id WAA20074 for ; Tue, 13 May 1997 22:39:52 -0700 (PDT) Received: from localhost (manek@localhost) by challenger.atc.fhda.edu (8.8.0/8.7.3) with SMTP id WAA28605; Tue, 13 May 1997 22:40:40 -0700 (PDT)
Date: Tue, 13 May 1997 22:40:39 -0700 (PDT) From: "Sameer R. Manek" To: Jufa Hong cc: firewalls@GreatCircle.COM Subject: Re: Secure password generation! In-Reply-To: <199705140338.MAA02812@bae.nuri.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Wed, 14 May 1997, Jufa Hong wrote:

>
> I'm afraid that users on my system are using a secure password.
> Therefore, I'd like to enforce all users to make their own password
> more unexpectable for outsider or hacker and the making-password can
> be controlled by the system administrator.
>
> For example, all users can not use their login name as a password or
> system make the user's secure password automatically.
>
> Are there any tools for this?

Basically you need to do two things. First, you need to make sure that everyone's current password is secure; if you have a relatively fast CPU that you can run crack on, then do so. Second, install password+; password+ makes sure that you can't have a weak password in the first place.
What you may want to do, since you don't know how secure everyone's current password is, is expire it as soon as you install password+.

From owner-firewalls-outgoing Tue May 13 23:12:15 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id WAA22949 for firewalls-outgoing; Tue, 13 May 1997 22:58:14 -0700 (PDT) Received: from mail.MCESTATE.COM (mail.MCESTATE.COM [207.211.200.50]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id WAA22905 for ; Tue, 13 May 1997 22:58:03 -0700 (PDT) Received: from localhost (vince@localhost) by mail.MCESTATE.COM (8.8.5/8.8.5) with SMTP id WAA26673 for ; Tue, 13 May 1997 22:58:45 -0700 (PDT)
Date: Tue, 13 May 1997 22:58:43 -0700 (PDT) From: Vincent Poy To: firewalls@greatcircle.com Subject: Postmaster notify: Host unknown (Name server: hahahahaha: host not found) (fwd) Message-ID: MIME-Version: 1.0 Content-Type: MULTIPART/MIXED; BOUNDARY="0-588752430-863589523=:26356" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

This message is in MIME format. The first part should be readable text, while the remaining parts are likely unreadable without MIME-aware tools. Send mail to mime@docserver.cac.washington.edu for more info.

--0-588752430-863589523=:26356
Content-Type: TEXT/PLAIN; charset=US-ASCII

How does one get around a problem like this when mail.MCESTATE.COM doesn't even have that user?
Cheers, Vince - vince@MCESTATE.COM - vince@GAIANET.NET ________ __ ____ Unix Networking Operations - FreeBSD-Real Unix for Free / / / / | / |[__ ] GaiaNet Corporation - M & C Estate / / / / | / | __] ] Beverly Hills, California USA 90210 / / / / / |/ / | __] ] HongKong Stars/Gravis UltraSound Mailing Lists Admin /_/_/_/_/|___/|_|[____] --0-588752430-863589523=:26356 Content-Type: MESSAGE/RFC822 Content-ID: Content-Description: Postmaster notify: Host unknown (Name server: hahahahaha: host not found) (fwd) Received: from earth.GAIANET.NET (earth.GAIANET.NET [207.211.200.28]) by mail.MCESTATE.COM (8.8.5/8.8.5) with ESMTP id WAA26518 for ; Tue, 13 May 1997 22:55:53 -0700 (PDT) Received: from localhost (localhost) by earth.GAIANET.NET (8.8.5/8.8.5) with internal id HAE09772; Fri, 9 May 1997 07:02:58 -0700 (PDT) Date: Fri, 9 May 1997 07:02:58 -0700 (PDT) From: Mail Delivery Subsystem Message-Id: <199705091402.HAE09772@earth.GAIANET.NET> To: postmaster@earth.GAIANET.NET MIME-Version: 1.0 Content-Type: multipart/report; report-type=delivery-status; boundary="HAE09772.863186578/earth.GAIANET.NET" Subject: Postmaster notify: Host unknown (Name server: hahahahaha: host not found) Auto-Submitted: auto-generated (postmaster-notification) This is a MIME-encapsulated message --HAE09772.863186578/earth.GAIANET.NET The original message was received at Fri, 9 May 1997 07:02:57 -0700 (PDT) from localhost ----- The following addresses had permanent fatal errors ----- <@HAHAHAHAHA,@russia.com,@hkstar.com,@babylon.beyondirc.net,@idt.net,@netvision.net,@vader.institute.wnyric.org,@irc.limited.net:quelqu'un> ----- Transcript of session follows ----- 550 <@HAHAHAHAHA,@russia.com,@hkstar.com,@babylon.beyondirc.net,@idt.net,@netvision.net,@vader.institute.wnyric.org,@irc.limited.net:quelqu'un>... 
Host unknown (Name server: hahahahaha: host not found) --HAE09772.863186578/earth.GAIANET.NET Content-Type: message/delivery-status Reporting-MTA: dns; earth.GAIANET.NET Arrival-Date: Fri, 9 May 1997 07:02:57 -0700 (PDT) Final-Recipient: RFC822; @HAHAHAHAHA,@russia.com,@hkstar.com,@babylon.beyondirc.net,@idt.net,@netvision.net,@vader.institute.wnyric.org,@irc.limited.net:quelqu'un Action: failed Status: 5.1.2 Remote-MTA: DNS; hahahahaha Last-Attempt-Date: Fri, 9 May 1997 07:02:57 -0700 (PDT) --HAE09772.863186578/earth.GAIANET.NET Content-Type: message/rfc822 Return-Path: Received: from localhost (localhost) by earth.GAIANET.NET (8.8.5/8.8.5) with internal id HAD09772; Fri, 9 May 1997 07:02:57 -0700 (PDT) Date: Fri, 9 May 1997 07:02:57 -0700 (PDT) From: Mail Delivery Subsystem Message-Id: <199705091402.HAD09772@earth.GAIANET.NET> To: <@HAHAHAHAHA,@russia.com,@hkstar.com,@babylon.beyondirc.net,@idt.net,@netvision.net,@vader.institute.wnyric.org,@irc.limited.net:quelqu'un> MIME-Version: 1.0 Content-Type: multipart/report; report-type=delivery-status; boundary="HAD09772.863186577/earth.GAIANET.NET" Subject: Warning: could not send message for past 4 hours Auto-Submitted: auto-generated (warning-timeout) This is a MIME-encapsulated message --HAD09772.863186577/earth.GAIANET.NET ********************************************** ** THIS IS A WARNING MESSAGE ONLY ** ** YOU DO NOT NEED TO RESEND YOUR MESSAGE ** ********************************************** The original message was received at Thu, 8 May 1997 14:17:14 -0700 (PDT) from ppp105.219.mtimi.videotron.net [207.96.219.105] ----- The following addresses had transient non-fatal errors ----- <@SF.CA.US.Chatnet.Org,@StrathRoy.ON.CA.Cobra.Net,@mail.sojourn.com:dieujg@hotmail.com> ----- Transcript of session follows ----- <@SF.CA.US.Chatnet.Org,@StrathRoy.ON.CA.Cobra.Net,@mail.sojourn.com:dieujg@hotmail.com>... Deferred: Connection refused by sf.ca.us.chatnet.org. 
Warning: message still undelivered after 4 hours Will keep trying until message is 5 days old --HAD09772.863186577/earth.GAIANET.NET Content-Type: message/delivery-status Reporting-MTA: dns; earth.GAIANET.NET Arrival-Date: Thu, 8 May 1997 14:17:14 -0700 (PDT) Final-Recipient: RFC822; @SF.CA.US.Chatnet.Org,@StrathRoy.ON.CA.Cobra.Net,@mail.sojourn.com:dieujg@hotmail.com Action: delayed Status: 4.4.1 Remote-MTA: DNS; sf.ca.us.chatnet.org Last-Attempt-Date: Fri, 9 May 1997 07:02:53 -0700 (PDT) Will-Retry-Until: Tue, 13 May 1997 14:17:14 -0700 (PDT) --HAD09772.863186577/earth.GAIANET.NET Content-Type: message/rfc822 Return-Path: <<@HAHAHAHAHA,@russia.com,@hkstar.com,@babylon.beyondirc.net,@idt.net,@netvision.net,@vader.institute.wnyric.org,@irc.limited.net:quelqu'un>> Received: from HAHAHAHAHA (ppp105.219.mtimi.videotron.net [207.96.219.105]) by earth.GAIANET.NET (8.8.5/8.8.5) with SMTP id OAA05033 for <@SF.CA.US.Chatnet.Org,@StrathRoy.ON.CA.Cobra.Net,@mail.sojourn.com:dieujg@hotmail.com>; Thu, 8 May 1997 14:17:14 -0700 (PDT) Received: from russia.com (russia.com [138.117.40.154]) by HAHAHAHAHA (2.0.7/4.4.8) with SMTP id LQB34506 for <@Losangeles.ca.us.Kidsworld.org,@mail.sojourn.com,@StrathRoy.ON.CA.Cobra.Net,@SF.CA.US.Chatnet.Org:dieujg@hotmail.com>; Tue, 5 Aug 1997 17:04:26 PET Received: from hkstar.com (hkstar.com [68.217.5.168]) by russia.com (8.3.7/8.8.0)093413wdj with SMTP id MUM64934 for <@HAHAHAHAHA,@Losangeles.ca.us.Kidsworld.org,@mail.sojourn.com,@StrathRoy.ON.CA.Cobra.Net,@SF.CA.US.Chatnet.Org:dieujg@hotmail.com>; Tue, 5 Aug 1997 17:04:26 PCT Received: from babylon.beyondirc.net (babylon.beyondirc.net [79.88.108.139]) by hkstar.com (6.1.8/1.2.2)161063jah with SMTP id GFD90903 for <@russia.com,@HAHAHAHAHA,@Losangeles.ca.us.Kidsworld.org,@mail.sojourn.com,@StrathRoy.ON.CA.Cobra.Net,@SF.CA.US.Chatnet.Org:dieujg@hotmail.com>; Tue, 5 Aug 1997 17:04:26 PPT Received: from idt.net (idt.net [144.78.216.219]) by babylon.beyondirc.net (4.7.0/0.4.5) with SMTP id 
RFT33239 for <@hkstar.com,@russia.com,@HAHAHAHAHA,@Losangeles.ca.us.Kidsworld.org,@mail.sojourn.com,@StrathRoy.ON.CA.Cobra.Net,@SF.CA.US.Chatnet.Org:dieujg@hotmail.com>; Tue, 5 Aug 1997 17:04:26 PGT Received: from netvision.net (netvision.net [218.19.31.194]) by idt.net (1.3.0/0.7.7) with SMTP id OYH61524 for <@babylon.beyondirc.net,@hkstar.com,@russia.com,@HAHAHAHAHA,@Losangeles.ca.us.Kidsworld.org,@mail.sojourn.com,@StrathRoy.ON.CA.Cobra.Net,@SF.CA.US.Chatnet.Org:dieujg@hotmail.com>; Tue, 5 Aug 1997 17:04:26 PYT Received: by netvision.net (5.65/DEC-Ultrix/4.3) id NN90953; Tue, 5 Aug 1997 17:04:26 -0500 Received: from irc.limited.net by vader.institute.wnyric.org id xj10505; Aug97 17:04:26 CYT Received: from quelqu'un (quelqu'un [107.94.56.191]) by irc.limited.net (5.5.8/8.9.7) with SMTP id YNV16265 for <@vader.institute.wnyric.org,@netvision.net,@idt.net,@babylon.beyondirc.net,@hkstar.com,@russia.com,@HAHAHAHAHA,@Losangeles.ca.us.Kidsworld.org,@mail.sojourn.com,@StrathRoy.ON.CA.Cobra.Net,@SF.CA.US.Chatnet.Org:dieujg@hotmail.com>; Tue, 5 Aug 1997 17:04:26 PWT Message-Id: <497191603197.WXQ12697@HAHAHAHAHA> X-Mailer: Avalanche 3.0 (16) Date: Tue, 5 Aug 1997 17:04:26 PWT To: dieujg@hotmail.com From: quelqu'un Subject: Yo' momma's so stupid, she ordered her sushi well done! Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit tu fa rire Yo' momma's so hairy, she's got afros on her breasts! 
--HAD09772.863186577/earth.GAIANET.NET-- --HAE09772.863186578/earth.GAIANET.NET-- --0-588752430-863589523=:26356-- From owner-firewalls-outgoing Wed May 14 00:12:41 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id AAA02811 for firewalls-outgoing; Wed, 14 May 1997 00:05:59 -0700 (PDT) Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id AAA02799 for ; Wed, 14 May 1997 00:05:53 -0700 (PDT) Received: from gst.cgs.it ([194.21.223.3]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with ESMTP id AAA24478 for ; Wed, 14 May 1997 00:09:03 -0700 (PDT) Received: from dviggian.gst.cgs.it ([194.21.223.230]) by gst.cgs.it (8.7.5/8.7.3) with SMTP id IAA14283; Wed, 14 May 1997 08:30:52 +0200 Message-ID: <33796471.5D1A@gst.cgs.it> Date: Wed, 14 May 1997 09:06:25 +0200 From: Domenico Viggiani Organization: CAP GEMINI SpA X-Mailer: Mozilla 3.01 (Win16; I) MIME-Version: 1.0 To: Joel J Jensen CC: firewalls@greatcircle.com Subject: Re: SQL*net & SNMP References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Joel J Jensen wrote: > > On Tue, 13 May 1997, Domenico Viggiani wrote: > > > In order to fulfill the requirements of a project, I need a firewall > > product having a SQL*net proxy and the capability to send SNMP alerts in > > response to selectable events. > > > > Actually, only products having a SQL*net proxy are: > > - Checkpoint Firewall 1 > > - Altavista Firewall 97 > > - Gauntlet TIS Firewall > > but none of this claims to send SNMP alerts. > > Only IBM Firewall has this but it haven't SQL*net proxy. > > > > Is this survey exact? > > > Also, be aware that the SQL*net proxy may not run on all platforms the > firewall ostensibly supports. The TIS proxy only runs on Suns. 
After
> discussing this anomaly (I need it to run on the BSDI platform) with TIS
> I've come to understand that the code/information to proxy SQL*net comes
> from Oracle and that Oracle will not support the proxy code on other
> platforms. This would seem to shoot giant holes in Oracle's claim of
> broad platform support and really limits, in my opinion, the environments
> that Oracle should be considered suitable for (a really great database if
> you don't have or intend to implement networks!).

Thank you very much for your suggestions. Thus, having to run the firewall on the IBM AIX platform, do you have any idea how to fulfill both the SQL*net and SNMP alerting requirements for my project? Is any 'true' SQL*net proxy available on the AIX platform?

M.
--
Domenico Viggiani Internet Systems Engineer CAP GEMINI ITALY SpA E-mail: dviggian@gst.cgs.it Via dei Berio, 91 - 00155 Roma Phone: +39 6 23190 509

From owner-firewalls-outgoing Wed May 14 00:42:42 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id AAA06873 for firewalls-outgoing; Wed, 14 May 1997 00:37:25 -0700 (PDT) Received: from paranoid.convey.ru (ws14.convey.ru [195.182.128.29]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id AAA06865 for ; Wed, 14 May 1997 00:37:18 -0700 (PDT) Received: (from ark@localhost) by paranoid.convey.ru (8.7.5/8.7.3) id LAA28204; Wed, 14 May 1997 11:36:55 +0400
From: ArkanoiD Message-Id: <199705140736.LAA28204@paranoid.convey.ru> Subject: Re: IRC proxy...which works To: pnash@hanshan.bbnplanet.com Date: Wed, 14 May 1997 11:36:51 +0400 (MSD) Cc: vangoethem@hotmail.com, firewalls@GreatCircle.COM In-Reply-To: <19970513185741.3049.qmail@hanshan.bbnplanet.com> from "pnash@hanshan.bbnplanet.com" at May 13, 97 02:57:41 pm X-Mailer: ELM [version 2.4 PL25] MIME-Version: 1.0 Content-Type: text/plain; charset=koi8-r Content-Transfer-Encoding: 8bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

nuqneH,

> > > afaik no.
i was trying to find one for a long time - all i could find
> > were plug-gw variants unable to work with dcc.
>
> Right. Allowing DCC through a firewall is a *bad* idea. If you're going to
> restrict ftp connections going in & out, why would you even consider
> allowing users to be able to transfer files in/out through your firewall
> over UDP?
>

I do *not* restrict _my_ users' ability to ftp files in and out. If I did, they could just toss the crap in and out on floppies, via http, via email or anything. I just implement proper authentication (and encryption if required) technology when they do access our network from the outside world. I am protecting the network from outside; I am not restricting access _to_ outside. And I just want IRC DCC to be as easy to control and monitor as the ftp protocol is.

-- _ _ _ _ _ _ _ {::} {::} {::} CU in Hell _| o |_ | | _|| | / _||_| |_ |_ |_ (##) (##) (##) /Arkan#iD |_ o _||_| _||_| / _| | o |_||_||_| [||] [||] [||] Do i believe in Bible? Hell,man,i've seen one!

From owner-firewalls-outgoing Wed May 14 00:57:25 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id AAA08426 for firewalls-outgoing; Wed, 14 May 1997 00:50:30 -0700 (PDT) Received: from paranoid.convey.ru (ws14.convey.ru [195.182.128.29]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id AAA08350 for ; Wed, 14 May 1997 00:50:08 -0700 (PDT) Received: (from ark@localhost) by paranoid.convey.ru (8.7.5/8.7.3) id LAA28272; Wed, 14 May 1997 11:49:47 +0400
From: ArkanoiD Message-Id: <199705140749.LAA28272@paranoid.convey.ru> Subject: Re: IRC proxy...which works To: lists@lina.inka.de (Bernd Eckenfels) Date: Wed, 14 May 1997 11:49:46 +0400 (MSD) Cc: girsch@marben.com, vangoethem@hotmail.com, firewalls@GreatCircle.COM In-Reply-To: from "Bernd Eckenfels" at May 14, 97 03:48:10 am X-Mailer: ELM [version 2.4 PL25] MIME-Version: 1.0 Content-Type: text/plain; charset=koi8-r Content-Transfer-Encoding: 8bit Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

nuqneH,

>
> > The connection can be established on any random port, so there's
> > no way to proxy that, except if you hack around the clients to open fixed
> > ports.
>
> This is the 20th century. Proxies are clever enough to parse the irc
> protocol and modify it. Handling dcc is very similar to handling ftp. No,
> I don't know a DCC capable Proxy. (Good Feature would be to allow DCC CHAT and
> deny DCC GET.
>

Not simply deny ;). Control, log it and let you allow or disallow at will.

--
                 _ _  _ _  _ _  _
{::} {::} {::}  CU in Hell   _| o |_ | | _|| | / _||_| |_ |_ |_
(##) (##) (##)  /Arkan#iD    |_ o _||_| _||_| / _| | o |_||_||_|
[||] [||] [||]  Do i believe in Bible? Hell,man,i've seen one!

From owner-firewalls-outgoing Wed May 14 01:12:31 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id AAA08905 for firewalls-outgoing; Wed, 14 May 1997 00:56:43 -0700 (PDT)
Received: from paranoid.convey.ru (ws14.convey.ru [195.182.128.29]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id AAA08031 for ; Wed, 14 May 1997 00:46:33 -0700 (PDT)
Received: (from ark@localhost) by paranoid.convey.ru (8.7.5/8.7.3) id LAA28216; Wed, 14 May 1997 11:40:46 +0400
From: ArkanoiD
Message-Id: <199705140740.LAA28216@paranoid.convey.ru>
Subject: Re: Attack via ICMP Echo Reply?
To: martaf@argenet.com.ar
Date: Wed, 14 May 1997 11:40:41 +0400 (MSD)
Cc: lists@reflections.eng.mindspring.net, long-morrow@CS.YALE.EDU, firewalls@GreatCircle.COM, sneakers@CS.YALE.EDU
In-Reply-To: from "Marta Ferreyra" at May 13, 97 04:20:12 pm
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 8bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

nuqneH,

>
> We have an attack and now the ICMP:xxx.xxx.xxx.xxx :host unreachable
> messages go to console
>
> Do you Know something about this ???
>

I get tons of such messages every day and i am sure it is not an attack ;)

--
                 _ _  _ _  _ _  _
{::} {::} {::}  CU in Hell   _| o |_ | | _|| | / _||_| |_ |_ |_
(##) (##) (##)  /Arkan#iD    |_ o _||_| _||_| / _| | o |_||_||_|
[||] [||] [||]  Do i believe in Bible? Hell,man,i've seen one!

From owner-firewalls-outgoing Wed May 14 01:27:14 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id AAA09054 for firewalls-outgoing; Wed, 14 May 1997 00:57:56 -0700 (PDT)
Received: from paranoid.convey.ru (ws14.convey.ru [195.182.128.29]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id AAA09016 for ; Wed, 14 May 1997 00:57:40 -0700 (PDT)
Received: (from ark@localhost) by paranoid.convey.ru (8.7.5/8.7.3) id LAA28320; Wed, 14 May 1997 11:56:39 +0400
From: ArkanoiD
Message-Id: <199705140756.LAA28320@paranoid.convey.ru>
Subject: Re: ssh-compatible protocol tunnel
To: mag@bunuel.tii.matav.hu (Magossa'nyi A'rpa'd)
Date: Wed, 14 May 1997 11:56:37 +0400 (MSD)
Cc: firewalls@GreatCircle.COM
In-Reply-To: from "Magossa'nyi A'rpa'd" at May 14, 97 06:20:12 am
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 8bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

nuqneH,

>
> > tis tn-gw for example.. i made a quick hack today but it is so ugly i'd
> > prefer any other solution..
> > anybody tried to integrate ssh with fwtk somehow?
> >
> It may not be exactly what you've asked for, but it has something to do with
> firewalls and ssh; How to set up a VPN with ssh:
> http://hal2000.hal.vein.hu/~mag/linux-security/VPN-HOWTO.html

Definitely *not* the thing i need ;)

> And you can use the -R option of ssh for port tunnelling. You knew that
> already, I guess.

Yep. Does not help anyhow too - requires a shell account on the firewall to be
established (no-no!)
--
                 _ _  _ _  _ _  _
{::} {::} {::}  CU in Hell   _| o |_ | | _|| | / _||_| |_ |_ |_
(##) (##) (##)  /Arkan#iD    |_ o _||_| _||_| / _| | o |_||_||_|
[||] [||] [||]  Do i believe in Bible? Hell,man,i've seen one!

From owner-firewalls-outgoing Wed May 14 01:57:12 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id BAA09864 for firewalls-outgoing; Wed, 14 May 1997 01:01:15 -0700 (PDT)
Received: from paranoid.convey.ru (ws14.convey.ru [195.182.128.29]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id AAA09402 for ; Wed, 14 May 1997 00:59:35 -0700 (PDT)
Received: (from ark@localhost) by paranoid.convey.ru (8.7.5/8.7.3) id LAA28286; Wed, 14 May 1997 11:51:28 +0400
From: ArkanoiD
Message-Id: <199705140751.LAA28286@paranoid.convey.ru>
Subject: Re: IRC proxy...which works
To: njs@scifi.squawk.com (Nick Simicich)
Date: Wed, 14 May 1997 11:51:28 +0400 (MSD)
Cc: girsch@marben.com, vangoethem@hotmail.com, firewalls@GreatCircle.COM
In-Reply-To: from "Nick Simicich" at May 13, 97 10:52:47 pm
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 8bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

nuqneH,

>
> > 'DCC' is not part of the "IRC protocol", but is separate stuff. You can
> > easily proxy IRC itself, using a plug-gw to a 6667/whatever port, as
> > someone else suggested.
> > DCC (Direct Client-to-Client) protocol uses IRC to ask for a connection, but
> > then opens a direct connection between two hosts, bypassing completely the IRC
> > servers. The connection can be established on any random port, so there's
> > no way to proxy that, except if you hack around the clients to open fixed
> > ports.
>
> Socks works. You have to use a socksified stack or socksify your IRC
> proxy. As is typical with DCC, the problem is that one of the
> communicators in DCC passes the ip address and port number to the other by
> doing a 'getsockname' and sending the results.
>

I do not use socks - i don't like it somehow - not enough features for me :(

--
                 _ _  _ _  _ _  _
{::} {::} {::}  CU in Hell   _| o |_ | | _|| | / _||_| |_ |_ |_
(##) (##) (##)  /Arkan#iD    |_ o _||_| _||_| / _| | o |_||_||_|
[||] [||] [||]  Do i believe in Bible? Hell,man,i've seen one!

From owner-firewalls-outgoing Wed May 14 02:52:14 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id BAA20589 for firewalls-outgoing; Wed, 14 May 1997 01:59:05 -0700 (PDT)
Received: from prometeo.cps.unizar.es (prometeo.cps.unizar.es [155.210.29.50]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id BAA20329 for ; Wed, 14 May 1997 01:57:30 -0700 (PDT)
Received: from moloc.cps.unizar.es (moloc.cps.unizar.es [155.210.29.140]) by prometeo.cps.unizar.es (8.7.5/8.7.3) with ESMTP id KAA18159; Wed, 14 May 1997 10:58:19 +0200 (MET DST)
Received: from localhost (davidal@localhost) by moloc.cps.unizar.es (8.7.5/8.7.3) with SMTP id KAA09021; Wed, 14 May 1997 10:58:18 +0200 (MET DST)
Date: Wed, 14 May 1997 10:58:18 +0200 (MET DST)
From: David Alayeto Salvador
To: Francesc Guasch
cc: firewalls@GreatCircle.COM
Subject: Re: routing 2 domains
In-Reply-To: <3378A444.C9C4197A@citel.upc.es>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Of course you can. The routing rules that allow you to connect to the
Internet should be revised to do the packet filtering. Try with any of the
commercial packages mentioned here; maybe the problem will be Linux, but I
think recompiling the code will work.
*************************************************
* David Alayeto Salvador
* E-mail addresses:
*   davidal@prometeo.cps.unizar.es
*   davidal@oja.cps.unizar.es
* Quinto de Ingenieria Informatica - CPS
*************************************************

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.i

mQBtAjJ3V/gAAAEDAM8Bb3yhVsdnMbjNU0kkfRmaXZlfI5wn50Syhap1/ObBLcQ2
xLdAoGJTYhHjVD89vMRnYdduOSUaHQLifPMJCCJA3wS4ji9mfagrNOgK7jIkU7bO
Fjp5tbnP+LTqgMxcKQAFEbQ3RGF2aWQgQWxheWV0byBTYWx2YWRvciA8ZGF2aWRh
bEBwcm9tZXRlby5jcHMudW5pemFyLmVzPg==
=vuMi
-----END PGP PUBLIC KEY BLOCK-----

From owner-firewalls-outgoing Wed May 14 02:57:28 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id CAA26811 for firewalls-outgoing; Wed, 14 May 1997 02:36:35 -0700 (PDT)
Received: from molhub.mol.net.my (molhub.mol.net.my [202.190.128.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id CAA26693 for ; Wed, 14 May 1997 02:36:01 -0700 (PDT)
Received: from pc-34kl1.mol.net.my by molhub.mol.net.my; Wed, 14 May 97 17:44:04 +0800
Message-ID: <337A570F.250C@mol.net.my>
Date: Wed, 14 May 1997 17:21:35 -0700
From: Lee Nan Phin
Organization: CS
X-Mailer: Mozilla 2.01KIT (Win95; I; 16bit)
MIME-Version: 1.0
To: firewall
Subject: Firewall
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

We are currently doing evaluation on firewall products. We would appreciate
it if someone would help us clarify some of the issues:

1. Milkyway SecurIT firewall. Can someone who has been using this product
   give some feedback? How is the product as compared to Firewall-1?

2. I was told that NT 4.0 has some security flaws, so if I run Firewall-1 on
   top of NT 4.0, what are the risks?

3. I was told that recently someone has managed to break into Checkpoint and
   copied out their software source code, is it true?

Thanks in advance.
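Returning to the IRC proxy thread above: ArkanoiD's point is that DCC can be proxied by catching the DCC requests inside the IRC stream and controlling them, and Bernd Eckenfels' suggestion is to allow DCC CHAT while refusing DCC GET. The following is an added example of what that looks like as code; it is not code from the list, from natd, or from any proxy or firewall product named in the thread. It assumes the proxy sees raw client-to-server IRC lines and knows the client's real address; the policy table, the sample lines and every function name are constructed for illustration.

```python
# Added example: an IRC-aware proxy hook that recognises DCC requests carried
# inside IRC PRIVMSG/CTCP lines, logs every one of them, and applies a policy
# instead of forwarding them blindly. Not code from the firewalls list, natd,
# or any product discussed there; names, policy and sample data are constructed.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# A DCC request travels inside an IRC PRIVMSG as a CTCP message (delimited by
# \x01):  PRIVMSG <target> :\x01DCC <type> <argument> <ipv4-as-u32> <port> [size]\x01
# The requesting client fills in its own address and port (classically via
# getsockname()), which is exactly the part a proxy has to inspect.
DCC_RE = re.compile(
    r"^(?::(?P<prefix>\S+) )?PRIVMSG (?P<target>\S+) :\x01DCC "
    r"(?P<kind>[A-Z]+) (?P<arg>\S+) (?P<ip>\d+) (?P<port>\d+)(?: (?P<size>\d+))?\x01$"
)


@dataclass
class DccRequest:
    target: str          # nick the request is addressed to
    kind: str            # CHAT, SEND, ...
    argument: str        # "chat" for CHAT, the file name for SEND
    ip: str              # advertised address as a dotted quad
    port: int            # advertised listening port
    size: Optional[int]  # file size for SEND, otherwise None


def u32_to_dotted(n: int) -> str:
    """Decode the 32-bit integer form DCC uses for IPv4 addresses."""
    if not 0 <= n <= 0xFFFFFFFF:
        raise ValueError("not a 32-bit IPv4 address: %d" % n)
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def parse_dcc(line: str) -> Optional[DccRequest]:
    """Return the DCC request carried by one IRC line, or None for other lines."""
    m = DCC_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    size = int(m["size"]) if m["size"] is not None else None
    return DccRequest(m["target"], m["kind"], m["arg"],
                      u32_to_dotted(int(m["ip"])), int(m["port"]), size)


# Constructed policy: chat is fine, file transfer is not, and any DCC type the
# policy does not name is refused rather than forwarded by default.
DEFAULT_POLICY: Dict[str, str] = {"CHAT": "allow", "SEND": "deny"}


def decide(req: DccRequest, client_ip: str,
           policy: Dict[str, str] = DEFAULT_POLICY) -> Tuple[str, str]:
    """Apply the policy to one DCC request; returns (decision, reason)."""
    if req.ip != client_ip:
        # The address in the request is client-supplied. If it is not the
        # address the proxy actually sees the client on, the request points
        # the peer somewhere the proxy is not mediating: refuse it.
        return "deny", "advertised %s but client is %s" % (req.ip, client_ip)
    if not 1 <= req.port <= 65535:
        # Port 0 means "reverse DCC" (the roles flip); a policy written for
        # ordinary DCC cannot reason about it, so it is refused as well.
        return "deny", "unusable port %d" % req.port
    return policy.get(req.kind, "deny"), "policy for DCC %s" % req.kind


def filter_irc(lines: List[str], client_ip: str,
               policy: Dict[str, str] = DEFAULT_POLICY) -> Tuple[List[str], List[str]]:
    """One pass over client->server lines: forward what is allowed, log every DCC."""
    forwarded: List[str] = []
    audit: List[str] = []
    for line in lines:
        req = parse_dcc(line)
        if req is None:
            forwarded.append(line)  # ordinary IRC traffic passes untouched
            continue
        decision, reason = decide(req, client_ip, policy)
        audit.append("%s DCC %s to %s (%s) at %s:%d size=%s: %s" % (
            decision.upper(), req.kind, req.target, req.argument,
            req.ip, req.port, req.size, reason))
        if decision == "allow":
            forwarded.append(line)
    return forwarded, audit


# Constructed sample traffic from a client the proxy sees as 192.168.1.1
# (3232235777 is 192.168.1.1 as a 32-bit integer; 167772161 is 10.0.0.1).
SAMPLE_LINES = [
    "PRIVMSG bob :\x01DCC CHAT chat 3232235777 5000\x01",
    "PRIVMSG bob :\x01DCC SEND secret.tar.gz 3232235777 5001 1048576\x01",
    "PRIVMSG #chan :hello everyone",
    "PRIVMSG bob :\x01DCC SEND notes.txt 167772161 5002 10\x01",
]

if __name__ == "__main__":
    fwd, log = filter_irc(SAMPLE_LINES, "192.168.1.1")
    print("\n".join(log))
    print("forwarded %d of %d lines" % (len(fwd), len(SAMPLE_LINES)))
```

On the sample traffic the CHAT request and the plain channel message are forwarded, both SEND requests are refused, and all three DCC requests end up in the audit list, which is the "control, log it and let you allow or disallow at will" behaviour rather than a blanket deny. The address check is the piece Nick Simicich's getsockname remark points at: because the client writes its own address into the request, a proxy that rewrites or forwards DCC has to compare it with the address it actually sees, or it will relay requests for endpoints it is not mediating.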
From owner-firewalls-outgoing Wed May 14 03:27:53 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id AAA07969 for firewalls-outgoing; Wed, 14 May 1997 00:46:22 -0700 (PDT)
Received: from paranoid.convey.ru (ws14.convey.ru [195.182.128.29]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id AAA07910 for ; Wed, 14 May 1997 00:46:07 -0700 (PDT)
Received: (from ark@localhost) by paranoid.convey.ru (8.7.5/8.7.3) id LAA28247; Wed, 14 May 1997 11:45:45 +0400
From: ArkanoiD
Message-Id: <199705140745.LAA28247@paranoid.convey.ru>
Subject: Re: IRC proxy...which works
To: girsch@marben.com (Arnaud Girsch)
Date: Wed, 14 May 1997 11:45:44 +0400 (MSD)
Cc: vangoethem@hotmail.com, firewalls@GreatCircle.COM
In-Reply-To: <199705132207.PAA29903@mail.marben.com> from "Arnaud Girsch" at May 13, 97 03:07:17 pm
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 8bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

nuqneH,

>
> > > Has someone already successfully performed an IRC proxy?
> > >
> > afaik no. i was trying to find one for a long time - all i could find
> > were plug-gw variants unable to work with dcc.
>
> 'DCC' is not part of the "IRC protocol", but is separate stuff. You can
> easily proxy IRC itself, using a plug-gw to a 6667/whatever port, as
> someone else suggested.
> DCC (Direct Client-to-Client) protocol uses IRC to ask for a connection, but
                                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> then opens a direct connection between two hosts, bypassing completely the IRC
> servers. The connection can be established on any random port, so there's
> no way to proxy that, except if you hack around the clients to open fixed
> ports.
>

It _is_ possible to proxy dcc. Just catch out connection requests on irc and
handle it properly.
natd does that but i haven't seen other things that do implement this
technology :(

--
                 _ _  _ _  _ _  _
{::} {::} {::}  CU in Hell   _| o |_ | | _|| | / _||_| |_ |_ |_
(##) (##) (##)  /Arkan#iD    |_ o _||_| _||_| / _| | o |_||_||_|
[||] [||] [||]  Do i believe in Bible? Hell,man,i've seen one!

From owner-firewalls-outgoing Wed May 14 04:12:17 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id DAA10305 for firewalls-outgoing; Wed, 14 May 1997 03:54:37 -0700 (PDT)
Received: from vmsuser.acsu.unsw.EDU.AU (vmsuser.acsu.unsw.EDU.AU [129.94.112.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id DAA10271 for ; Wed, 14 May 1997 03:54:24 -0700 (PDT)
Received: from max214011.servers.unsw.EDU.AU by vmsuser.acsu.unsw.EDU.AU (PMDF V4.3-13 #10833) id <01IIVGFZVLPCHT76FB@vmsuser.acsu.unsw.EDU.AU>; Wed, 14 May 1997 20:56:50 +1000
Date: Wed, 14 May 1997 20:50:48 +1000
From: "Chartas C. "
Subject: Re: Electronic Commerce and Firewalls
To: "'Firewall Mailing List'"
Message-id: <01IIVGG0LL9UHT76FB@vmsuser.acsu.unsw.EDU.AU>
MIME-version: 1.0
X-Mailer: Microsoft Internet Mail 4.70.1155
Content-type: text/plain; charset=ISO-8859-7
Content-transfer-encoding: 7bit
X-MSMail-Priority: Normal
X-Priority: 3
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Thanks Ray,

I have collected a few others as well. I will organise them and send them to
the list for everybody else.

Constantinos C.

| I have found a number of interesting urls with information on Ecommerce.
| http://www.commerce.net - online publication
| http://ecworld.utexas.edu/ - EC World
| http://www.ecworld.org/ - Electronic Commerce World Institute
| http://www.computerworld.com/emmerce/index.html - ComputerWorld Emmerce.
|
| Ray Hooker
|

From owner-firewalls-outgoing Wed May 14 04:27:36 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id CAA29415 for firewalls-outgoing; Wed, 14 May 1997 02:49:44 -0700 (PDT)
Received: from nebula.online.ee (nebula.online.ee [194.106.96.11]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id CAA29338 for ; Wed, 14 May 1997 02:49:22 -0700 (PDT)
Received: from localhost (jk@localhost) by nebula.online.ee (8.8.3/8.8.3) with SMTP id MAA14301; Wed, 14 May 1997 12:49:41 +0300 (EET DST)
Date: Wed, 14 May 1997 12:49:40 +0300 (EET DST)
From: Jyri Kaljundi
X-Sender: jk@nebula
To: Firewalls@GreatCircle.COM
cc: Domenico Viggiani
Subject: Re: SQL*net & SNMP
In-Reply-To: <199705140827.BAA14163@honor.greatcircle.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=ISO-8859-1
Content-Transfer-Encoding: QUOTED-PRINTABLE
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 14 May 1997, Domenico Viggiani wrote:

> Thus, having to run the firewall on the IBM AIX platform, do you have any idea
> how to fulfill both SQL*net and SNMP alerting requirements for my project?
> Is any 'true' SQL*net proxy available on the AIX platform?

I am pretty sure FireWall-1 supports SQL*net on all platforms
(Solaris/HPUX/WinNT) and I am pretty sure it also has SNMP support. And
FireWall-1 is right now in beta I believe and should be available for IBM AIX
in autumn - IBM has OEM licenced the FireWall-1 product. Still I don't think
you can wait that long.
Jüri

From owner-firewalls-outgoing Wed May 14 05:27:13 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA19348 for firewalls-outgoing; Wed, 14 May 1997 05:11:40 -0700 (PDT)
Received: from relay.rv.tis.com (relay.rv.tis.com [204.254.155.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id FAA19330 for ; Wed, 14 May 1997 05:11:30 -0700 (PDT)
Received: by relay.rv.tis.com; id IAA13990; Wed, 14 May 1997 08:29:41 -0400 (EDT)
Received: from dira.rv.tis.com(10.0.1.43) by relay.rv.tis.com via smap (3.2) id xma013988; Wed, 14 May 97 08:29:28 -0400
Received: from chatte (chatte.rv.tis.com [10.0.1.140]) by dira.rv.tis.com (8.7.4/8.7.3) with SMTP id IAA27395 for ; Wed, 14 May 1997 08:13:24 -0400 (EDT)
Message-Id: <3.0.32.19970514082031.0094dba0@pop.rv.tis.com>
X-Sender: lothie@pop.rv.tis.com (Unverified)
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Wed, 14 May 1997 08:20:34 -0400
To: firewalls@greatcircle.com
From: Mimi Herrmann
Subject: Re: Gauntlet proxy 'opportunities'
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 08:05 PM 5/13/97 -0400, Melanie Humphrey wrote (in response to Larry Claman):
>if it's any consolation, gauntlet support wasn't real helpful with me either
>when i pointed out that the x proxy doesn't provide a way to 'match' ip
>addresses once it's up and running -- that is, there's no way for the
>firewall client/x server user to specify what ip address or hostname can
>connect to his/her x server. the x proxy cheerily accepts and forwards
>incoming traffic from any IP address. once a client inside the firewall has
>fired up the x proxy any host on the internet can attempt to connect to the
>client's xserver, and i know my users tend to not read all that bothersome
>fine print above the 'OK' box...
I think that's a bit unfair; after all, Gauntlet Support can't make code
changes (that's why we're "Support", not "Development"). All requests for
changes are taken seriously by Support, and are filed as feature requests to
Development. The case mentioned above is no exception (I'm the one who worked
on it ;). I'd urge anybody who has problems with the Support department of
their firewall of choice to make themselves heard. If you don't like the
answer you get from Support, tell them so, and tell your sales rep too.

Thanks,
--
Mimi Herrmann, aka Lothie
Gauntlet Internet Firewall Technical Support
Trusted Information Systems - Rockville, MD
phone: 301-527-9555  fax: 301-527-0482
mailto:gauntlet-support@tis.com  http://www.tis.com/support

From owner-firewalls-outgoing Wed May 14 06:06:48 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA20375 for firewalls-outgoing; Wed, 14 May 1997 05:28:47 -0700 (PDT)
Received: from relay.rv.tis.com (relay.rv.tis.com [204.254.155.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id FAA20368 for ; Wed, 14 May 1997 05:28:38 -0700 (PDT)
Received: by relay.rv.tis.com; id IAA14474; Wed, 14 May 1997 08:46:51 -0400 (EDT)
Received: from dira.rv.tis.com(10.0.1.43) by relay.rv.tis.com via smap (3.2) id xma014472; Wed, 14 May 97 08:46:25 -0400
Received: from chatte (chatte.rv.tis.com [10.0.1.140]) by dira.rv.tis.com (8.7.4/8.7.3) with SMTP id IAA27791 for ; Wed, 14 May 1997 08:30:22 -0400 (EDT)
Message-Id: <3.0.32.19970514083731.00953100@pop.rv.tis.com>
X-Sender: lothie@pop.rv.tis.com (Unverified)
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Wed, 14 May 1997 08:37:32 -0400
To: firewalls@greatcircle.com
From: Mimi Herrmann
Subject: Re: IRC proxy...which works
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 03:07 PM 5/13/97 -0700, Arnaud Girsch wrote:
>> afaik no. i was trying to find one for a long time - all i could find
>> were plug-gw variants unable to work with dcc.
>
>'DCC' is not part of the "IRC protocol", but is separate stuff. You can
>easily proxy IRC itself, using a plug-gw to a 6667/whatever port, as
>someone else suggested.
>DCC (Direct Client-to-Client) protocol uses IRC to ask for a connection, but
>then opens a direct connection between two hosts, bypassing completely the IRC
>servers. The connection can be established on any random port, so there's
>no way to proxy that, except if you hack around the clients to open fixed
>ports.

A lot of people don't use dcc anymore anyway (I haven't used it in years).
You can certainly chat on IRC using a plug-gw.

L

From owner-firewalls-outgoing Wed May 14 06:12:00 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA22448 for firewalls-outgoing; Wed, 14 May 1997 06:04:00 -0700 (PDT)
Received: from seh-exch-s2.sembach.af.mil ([131.54.127.246]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id GAA22440 for ; Wed, 14 May 1997 06:03:54 -0700 (PDT)
Received: by seh-exch-s2.sembach.af.mil with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5) id <01BC6079.36704D10@seh-exch-s2.sembach.af.mil>; Wed, 14 May 1997 15:12:18 +0200
Message-ID:
From: Welker Clinton SSgt 886CS/SCSNB
To: "'Firewalls@GreatCircle.COM'"
Subject: Change of mail list
Date: Wed, 14 May 1997 15:12:16 +0200
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Please remove powersw@sembach.af.mil from your mailing list and add:
clinton.welker@sembach.af.mil

Thanks

From owner-firewalls-outgoing Wed May 14 08:06:03 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA03070 for firewalls-outgoing; Wed, 14 May 1997 07:39:52 -0700 (PDT)
Received: from calamari.Progressive-Systems.Com (calamari.Progressive-Systems.Com [206.236.37.16]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA03052 for ; Wed, 14 May 1997 07:39:31 -0700 (PDT)
Received: from dantooine.progressive-systems.com (overkill.Progressive-Systems.com [206.236.37.250]) by calamari.Progressive-Systems.Com (8.7.5/8.7.3) with SMTP id KAA05026 for ; Wed, 14 May 1997 10:40:24 -0400 (EDT)
Message-Id: <2.2.32.19970514143942.0076f3cc@pop.progressive-systems.com>
X-Sender: dawsonm@pop.progressive-systems.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 14 May 1997 10:39:42 -0400
To: Firewalls@GreatCircle.COM
From: Matthew Dawson
Subject: Re: Firewalls-Digest V6 #213
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Ouch. I think it's safe to say that MJR thinks key recovery stinks? ;-)

At 10:57 AM 5/13/97 -0700, you wrote:
>------------------------------
>
>Date: Mon, 12 May 1997 22:38:22 +0000
>From: "Marcus J. Ranum"
>Subject: Re: Encryption Outside US
>
>
>Clipper stunk. It still stinks. TIS' CEO was one of the outstanding
>opponents to Clipper. Now TIS is selling Clipper in software. I
>guess now that you're selling it, and hold key patents on it, it's a
>"feature." Guess what? It still stinks no matter how much money
>you get for it.
>
>mjr.
>- -----
>Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
>Personal
>Work
>
>------------------------------

_______________________________________________________________
Matthew H. Dawson, President          Voice: 614.326.4600
Progressive Systems, Inc.
FAX: 614.326.4601
3518 Riverside Drive, Suite 201
Columbus, OH 43221
http://www.Progressive-Systems.com

From owner-firewalls-outgoing Wed May 14 08:12:23 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA03051 for firewalls-outgoing; Wed, 14 May 1997 07:39:26 -0700 (PDT)
Received: from citel.upc.es (citel.upc.es [147.83.36.47]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA03038 for ; Wed, 14 May 1997 07:38:56 -0700 (PDT)
Received: from jolibus.upc.es (jolibus.upc.es [147.83.36.68]) by citel.upc.es (8.8.5/8.8.5) with ESMTP id QAA00878; Wed, 14 May 1997 16:35:37 +0100 (WET DST)
Message-ID: <3379CE83.BABA3CA8@citel.upc.es>
Date: Wed, 14 May 1997 16:38:59 +0200
From: Francesc Guasch
Reply-To: frankie@citel.upc.es
Organization: UPC
X-Mailer: Mozilla 4.0b4 [en] (Win95; I)
MIME-Version: 1.0
To: Scott Taschler , firewalls@greatcircle.com
Subject: Re: routing 2 domains
X-Priority: 3 (Normal)
References: <3.0.1.32.19970514084209.0068c800@datakey.com>
Content-Type: multipart/mixed; boundary="------------025F1125C68917A9941C8821"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This is a multi-part message in MIME format.
--------------025F1125C68917A9941C8821
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Scott Taschler wrote:
>
> At 07:26 PM 5/13/97 +0200, you wrote:
> >I need to know if this can be done :
> >
> >example inside
> >
> > a.b.c.3---|
> >           |
> > a.b.c.4---|
> >           ---fw---cisco---- outside (internet)
> > x.y.z.3---|
> >           |
> > x.y.z.4---|
> >
> >Inside there are computers with ip addresses from two
> >different ISPs and I'm wondering if I could set up
> >a linux firewall that could handle this
>
> I might be making a NULL point here, but that has rarely stopped me
> before...
>
> Does this arrangement make anyone else uncomfortable? It is my
> understanding that in order to accomplish an arrangement like this,
> one would need to turn on routing in the Linux kernel. Would this not
> then provide a mechanism for packets to bypass any nifty application-layer
> proxies/filters/gizmos that are supposed to be protecting the internal
> networks? How much safer would this arrangement be if a low-end
> router was inserted between the firewall and the two internal networks?

Why should I have to turn ip-forwarding on? If I don't do it having only
one route, why should I do it with two?

--
 ^-^_-----\       mailto:frankie@citel.upc.es
 o o     )        http://www.etsetb.upc.es/~frankie
  Y (_ (___(ssss  phone: (343) 401 6809
All those moments will be lost in time, like tears in the rain.

--------------025F1125C68917A9941C8821
Content-Type: text/x-vcard; charset=us-ascii; name="vcard.vcf"
Content-Transfer-Encoding: 7bit
Content-Description: Card for Francesc Guasch
Content-Disposition: attachment; filename="vcard.vcf"

begin:          vcard
fn:             Francesc Guasch
n:              Guasch;Francesc
org:            UPC
email;internet: frankie@citel.upc.es
x-mozilla-cpt:  ;0
x-mozilla-html: FALSE
end:            vcard

--------------025F1125C68917A9941C8821--

From owner-firewalls-outgoing Wed May 14 08:42:57 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA05352 for firewalls-outgoing; Wed, 14 May 1997 08:12:31 -0700 (PDT)
Received: from circulo.pop-rs.rnp.br (circulo.pop-rs.rnp.br [200.132.0.21]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA05271 for ; Wed, 14 May 1997 08:12:00 -0700 (PDT)
From: berthold@pop-rs.rnp.br
Received: (from berthold@localhost) by circulo.pop-rs.rnp.br (8.7.5/8.7.3) id MAA19908; Wed, 14 May 1997 12:03:56 -0300
Date: Wed, 14 May 1997 12:03:56 -0300
Message-Id: <199705141503.MAA19908@circulo.pop-rs.rnp.br>
To: martaf@argenet.com.ar, ark@paranoid.convey.ru
Subject: Re: Attack via ICMP Echo Reply?
Cc: lists@reflections.eng.mindspring.net, long-morrow@CS.YALE.EDU, firewalls@GreatCircle.COM, sneakers@CS.YALE.EDU
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-MD5: /lZxpMOuQJkq6o3ibCeyZA==
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> nuqneH,
>
> >
> > We have an attack and now the ICMP:xxx.xxx.xxx.xxx :host unreachable
> > messages go to console
> >
> > Do you Know something about this ???
> >
>
> I get tons of such messages every day and i am sure it is not an attack ;)
>
> --
>                  _ _  _ _  _ _  _
> {::} {::} {::}  CU in Hell   _| o |_ | | _|| | / _||_| |_ |_ |_
> (##) (##) (##)  /Arkan#iD    |_ o _||_| _||_| / _| | o |_||_||_|
> [||] [||] [||]  Do i believe in Bible? Hell,man,i've seen one!

Have you seen the use of your bandwidth ??

+----------------------------------+------------------------------------+
| Leandro Marcio Bertholdo         | Grupo de Redes de Computadores     |
| Rede Nacional de Pesquisa POP-RS | http://www.pop-rs.rnp.br/~berthold |
| Porto Alegre/RS - BRASIL         | Tel: +55(51) 316.5039              |
+----------------------------------+------------------------------------+

From owner-firewalls-outgoing Wed May 14 08:51:06 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA05595 for firewalls-outgoing; Wed, 14 May 1997 08:16:26 -0700 (PDT)
Received: from relay.rv.tis.com (relay.rv.tis.com [204.254.155.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA05581 for ; Wed, 14 May 1997 08:16:19 -0700 (PDT)
Received: by relay.rv.tis.com; id LAA22504; Wed, 14 May 1997 11:34:32 -0400 (EDT)
Received: from dira.rv.tis.com(10.0.1.43) by relay.rv.tis.com via smap (3.2) id xma022491; Wed, 14 May 97 11:34:22 -0400
Received: from inno-laptop.rv.tis.com (inno-laptop.rv.tis.com [10.0.1.112]) by dira.rv.tis.com (8.7.4/8.7.3) with SMTP id LAA04441; Wed, 14 May 1997 11:18:18 -0400 (EDT)
Message-Id: <2.2.32.19970514151538.00713d64@pop.hq.tis.com>
X-Sender: eroraha@pop.hq.tis.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 14 May 1997 11:15:38 -0400
To: Todd Graham Lewis
From: Inno Eroraha
Subject: Re: Encryption Outside US
Cc: Firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 01:06 PM 5/8/97 -0400, you wrote:
>On Thu, 8 May 1997, Aaron Everingham wrote:
>
>> There is a way for non-US orgs to get triple DES or strong encryption.
>
>There are other ways:
>
># cat crypt.c | uuencode crypt.c > crypt.uu
># lpr (with 9-pt courier) crypt.uu
>
>mail the printout to a foreign country via the U.S. Postal Service
>
>OCR the printout.
>
># uudecode OCR.in
># gcc crypt.c -o crypt
>
>Perfectly legal, and always will be, which is one of the many reasons why
>the crypto policy in the U.S. is so fucked up.
>

Yeap, which reminds me... Some crypto algorithm books (with real code) can be
exported but the same exact code on a diskette or in other electronic forms
can't. Why can't I simply export the book, and OCR it? The crypto policy DMS
(doesn't make sense) in this regard.

-0-
inno

>__
>Todd Graham Lewis    MindSpring Enterprises    tlewis@mindspring.com
>
>
>

From owner-firewalls-outgoing Wed May 14 08:57:50 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA09457 for firewalls-outgoing; Wed, 14 May 1997 08:51:53 -0700 (PDT)
Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA09245 for ; Wed, 14 May 1997 08:51:01 -0700 (PDT)
Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id LAA28171; Wed, 14 May 1997 11:48:33 -0400 (EDT)
From: Adam Shostack
Message-Id: <199705141548.LAA28171@homeport.org>
Subject: Re: Secure password generation!
In-Reply-To: <199705140338.MAA02812@bae.nuri.net> from Jufa Hong at "May 14, 97 12:38:06 pm"
To: wits@nuri.net (Jufa Hong)
Date: Wed, 14 May 1997 11:48:33 -0400 (EDT)
Cc: firewalls@GreatCircle.COM
X-Mailer: ELM [version 2.4ME+ PL27 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Passwords are not secure. They're sniffable, guessable, and replayable. If
you care about security, get ssh, and use handheld authenticators (or S/Key)
inside of it. The --with-tis option to call authserv makes this easy.

Adam

Jufa Hong wrote:
| Dear members.
|
| I'm afraid that users on my system are using a secure password.
| Therefore, I'd like to enforce all users to make their own password
| more unpredictable for an outsider or hacker, and the password-making can
| be controlled by the system administrator.
|
| For example, all users can not use their login name as a password or
| the system makes the user's secure password automatically.
|
| Are there any tools for this?
|
| Young-jin Hong
| E-mail> wits@nuri.net
|

--
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume

From owner-firewalls-outgoing Wed May 14 09:30:56 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA04410 for firewalls-outgoing; Wed, 14 May 1997 07:56:58 -0700 (PDT)
Received: from circulo.pop-rs.rnp.br (circulo.pop-rs.rnp.br [200.132.0.21]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA04352 for ; Wed, 14 May 1997 07:56:32 -0700 (PDT)
From: berthold@pop-rs.rnp.br
Received: (from berthold@localhost) by circulo.pop-rs.rnp.br (8.7.5/8.7.3) id LAA24952; Wed, 14 May 1997 11:53:02 -0300
Date: Wed, 14 May 1997 11:53:02 -0300
Message-Id: <199705141453.LAA24952@circulo.pop-rs.rnp.br>
To: firewalls@GreatCircle.COM, andrew@andy.alt.za
Subject: RE: Attack via ICMP Echo Reply?
Cc: long-morrow@CS.YALE.EDU

We had an incident (ICMP flooding), and our router caught ECHO REPLY packets only, but when we contacted the 10.150.47.0 administrator and he cut off those machines that were sending ECHO REQUEST packets, the problem was solved. We suspect that the ECHO REQUEST packets were NOT logged by our router, because they don't appear in the log files, and not because they did not exist. This log file was generated by a cisco 7000 router.

(...)
May 7 11:07:53 10.150.0.17 103: ICMP: echo reply sent, src 10.150.0.17, dst 10.150.47.253
May 7 11:07:54 10.150.0.17 309: ICMP: echo reply sent, src 10.150.0.17, dst 10.150.47.253
May 7 11:07:55 10.150.0.17 367: ICMP: echo reply sent, src 10.150.0.17, dst 10.150.47.253
May 7 11:07:56 10.150.0.17 424: ICMP: echo reply sent, src 10.150.0.17, dst 10.150.47.253
May 7 11:07:57 10.150.0.17 495: ICMP: echo reply sent, src 10.150.0.17, dst 10.150.47.253
May 7 11:07:58 10.150.0.17 551: ICMP: echo reply sent, src 10.150.0.17, dst 10.150.47.253
May 7 11:07:59 10.150.0.17 629: ICMP: echo reply sent, src 10.150.0.17, dst 10.150.47.253
May 7 11:08:00 10.150.0.17 679: ICMP: echo reply sent, src 10.150.0.17, dst 10.150.47.253
May 7 11:08:01 10.150.0.17 751: ICMP: echo reply sent, src 10.150.0.17, dst 10.150.47.253
May 7 11:08:02 10.150.0.17 943: ICMP: echo reply sent, src 10.150.0.17, dst 10.150.47.253
May 7 11:08:02 10.150.0.17 953: ICMP: time exceeded (time to live) sent to 129.46.50.7 (dest was 10.150.44.100)
May 7 11:08:03 10.150.0.17 1049: ICMP: echo reply sent, src 10.150.0.17, dst 10.150.47.253
May 7 11:08:03 10.150.0.17 1068: ICMP: dst (10.150.2.194) host unreachable sent to 200.17.249.84
May 7 11:08:04 10.150.0.17 1134: ICMP: echo reply sent, src 10.150.0.17, dst 10.150.47.253
May 7 11:08:05 10.150.0.17 1177: ICMP: echo reply sent, src 10.150.0.17, dst 10.150.47.253
May 7 11:08:05 10.150.0.17 1202: ICMP: dst (10.150.1.10) host unreachable sent to 205.187.182.135
May 7 11:08:06 10.150.0.17 1212: ICMP: echo reply sent, src 10.150.0.17, dst 10.150.47.253
May 7 11:08:06 10.150.0.17 1217: ICMP: time exceeded (time to live) sent to 129.46.50.7 (dest was 10.150.44.100)
May 7 11:08:10 10.150.0.17 3105: ICMP: echo reply sent, src 10.150.0.17, dst 10.150.47.253
May 7 11:08:11 10.150.0.17 3119: ICMP: dst (10.150.1.10) host unreachable sent to 205.187.182.135
May 7 11:08:11 10.150.0.17 3168: ICMP: echo reply sent, src 10.150.0.17, dst 10.150.47.253
May 7 11:08:12 10.150.0.17 3209: ICMP: dst (10.150.1.10) host unreachable sent to 205.187.182.135
May 7 11:08:12 10.150.0.17 3225: ICMP: echo reply sent, src 10.150.0.17, dst 10.150.47.253
May 7 11:08:13 10.150.0.17 3326: ICMP: echo reply sent, src 10.150.0.17, dst 10.150.47.253
May 7 11:08:13 10.150.0.17 3345: ICMP: dst (10.150.1.10) host unreachable sent to 205.187.182.135
May 7 11:08:14 10.150.0.17 3581: ICMP: echo reply sent, src 10.150.0.17, dst 10.150.47.253
(...)

>
> >Date: Sat, 10 May 1997 23:15:52 -0400 (EDT)
> >From: long-morrow@CS.YALE.EDU
> >Subject: Attack via ICMP Echo Reply?
> >
> >Anyone know of a flooding attack incident involving ICMP Echo Reply packets?
> >
> >Where the ICMP Echo replies are not being generated in response to
> >a flood of ICMP Echo requests? But are being triggered somehow?
> >
> >Know the M.O? Symptoms? Effect?
> >
> >- - H. Morrow Long
>
> Be warned that you should not allow ICMP Traffic through your router or
> Firewall without knowing the Dangers.
>
> Some clever hackers have written a Telnet Client and a Telnet Daemon that
> use ICMP Echo Reply to carry the Data for a Telnet Session. The Telnet
> Daemon could easily be embedded in your favourite IRC Client or any other
> software downloaded from the Net.
>
> (This passes through most packet filters unless specifically turned off.)
>
> You could be under attack using this method.
>
> An indication of this attack is just what you described as
> "Where the ICMP Echo replies are not being generated in response to
> a flood of ICMP Echo requests?"
>
> You should assume that you may have been compromised.
>
> -----------------------------------------------------------------------------
>
> Andrew Cameron
> Internet : andrew@andy.alt.za
> X.400 : C=ZA G=Andrew S=Cameron Admd=TELKOM400
>
> ----------------------------------------------------------------------------
>

+----------------------------------+------------------------------------+
| Leandro Marcio Bertholdo         | Grupo de Redes de Computadores     |
| Rede Nacional de Pesquisa POP-RS | http://www.pop-rs.rnp.br/~berthold |
| Porto Alegre/RS - BRASIL         | Tel: +55(51) 316.5039              |
+----------------------------------+------------------------------------+

From owner-firewalls-outgoing Wed May 14 09:38:17 1997
Message-Id: <97May14.085456edt.31364@gateway.nohackers.com>
Date: Wed, 14 May 1997 09:01:29 -0400
To: ArkanoiD , girsch@marben.com (Arnaud Girsch)
From: Daniel Reich
Subject: Re: IRC proxy...which works
Cc: vangoethem@hotmail.com, firewalls@GreatCircle.COM

At 03:45 AM 5/14/97 -0400, ArkanoiD wrote:
>nuqneH,
>
>> > > Has someone already successfully performed an IRC proxy?
>> > >
>> > afaik no. i was trying to find one for a long time - all i could find
>> > were plug-gw variants unable to work with dcc.
>>
>> 'DCC' is not part of the "IRC protocol", but is separate stuff. You can
>> easily proxy IRC itself, using a plug-gw to a 6667/whatever port, as
>> someone else suggested.
>> DCC (Direct Client-to-Client) protocol uses IRC to ask for a connection, but
>      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>> then opens a direct connection between two hosts, bypassing completely the IRC
>> servers. The connection can be established on any random port, so there's
>> no way to proxy that, except if you hack around the clients to open fixed
>> ports.
>>
>It _is_ possible to proxy dcc. Just catch outgoing connection requests on irc
>and handle them properly. natd does that but i haven't seen other things
>that do implement this technology :(

Linux has an IRC Proxy that supports DCC. Take a look at the IP Masquerading modules in the /lib/modules/2.x.y directory.

--------------------------------------------------------------
Daniel Reich                        Phone 888-INGRESS
Development Engineer                Fax 617-440-2646
Ingress Consulting Group, LTD.
www.nohackers.com
--------------------------------------------------------------

From owner-firewalls-outgoing Wed May 14 09:39:10 1997
From: Sandeep_Talwar@INDIA.notes.pwa.co.in
To: Firewalls@GreatCircle.COM
Message-ID: <65256497.004B7C5B.00@notes.pwa.co.in>
Date: Wed, 14 May 1997 19:21:10 +300500
Subject: Re: Firewalls-Digest V6 #215

I am trying to configure Altavista firewall on WindowsNT4.0 and I have some queries. If any one of you has configured Altavista for NT4.0 please let me know.

1. Do I have to edit the reverse.db and other similar files?
2. The web proxy is contacting the host address but then the message delivered is HOST NAME INVALID IN PROXY REQUEST.

Any more suggestions would be welcome as I am kind of stuck. Thanks in advance.
Sandeep

From owner-firewalls-outgoing Wed May 14 10:03:11 1997
From: carson@lehman.com
Date: Wed, 14 May 1997 11:30:26 -0400
Message-Id: <199705141530.LAA03505@dragon.lehman.com>
To: pnash@hanshan.bbnplanet.com
Cc: ark@paranoid.convey.ru (ArkanoiD), vangoethem@hotmail.com, firewalls@GreatCircle.COM
Subject: Re: IRC proxy...which works
In-Reply-To: <19970513185741.3049.qmail@hanshan.bbnplanet.com>
References: <199705131629.UAA27061@paranoid.convey.ru> <19970513185741.3049.qmail@hanshan.bbnplanet.com>
Reply-To: carson@lehman.com

>>>>> "Paul" == pnash writes:

Paul> Right. Allowing DCC through a firewall is a *bad* idea. If you're going
Paul> to restrict ftp connections going in & out, why would you even
Paul> consider allowing users to be able to transfer files in/out through
Paul> your firewall over UDP?

OK. I've heard this enough times that I think it's time for some fresh air.
DCC is no worse than FTP, _if_ you have an application proxy for it. You have the same controls that you have over FTP transfers. While UDP protocols aren't quite as convenient to proxy, there's no black magic involved.

Of course, if you block FTP, allowing DCC is silly. But people _will_ find ways around your firewall if you make them, and I'd _much_ rather have logged, authenticated DCC transfers with possible virus checking or archival storage for later lawsuits than have someone doing DCC over a dialup to their ISP from their desk.

Now, if I just had the copious free time to write an IRC proxy (or if the protocol were even _documented_ someplace other than the source code...).

--
-- Carson Gaspar -- carson@cs.columbia.edu carson@lehman.com
http://www.cs.columbia.edu/~carson/home.html

From owner-firewalls-outgoing Wed May 14 10:56:31 1997
From: Adam Shostack
Message-Id: <199705141555.LAA28244@homeport.org>
Subject: Re: ssh-compatible protocol tunnel
In-Reply-To: <199705131856.WAA27270@paranoid.convey.ru> from ArkanoiD at "May 13, 97 10:56:45 pm"
To: ark@paranoid.convey.ru (ArkanoiD)
Date: Wed, 14 May 1997 11:55:29 -0400 (EDT)
Cc: firewalls@GreatCircle.COM

There are a couple of hacks to use SSL relays to move SSH.
You write a little perl script that does a "CONNECT host.example.org:22 HTTP/1.0\n\n" and pipe your ssh connect through that. Look at the SSH mailing list archives.

Adam

ArkanoiD wrote:
| Did anybody try to make such a thing? I mean a modified sshd that - say -
| will connect you to a proxy running on the same machine instead of shell -
| tis tn-gw for example.. i made a quick hack today but it is so ugly i'd
| prefer any other solution..
| anybody tried to integrate ssh with fwtk somehow?

--
"It is seldom that liberty of any kind is lost all at once." -Hume

From owner-firewalls-outgoing Wed May 14 11:13:01 1997
From: Adam Shostack
Message-Id: <199705141546.LAA28159@homeport.org>
Subject: Re: Firewalls-Digest V6 #213
In-Reply-To: <2.2.32.19970514143942.0076f3cc@pop.progressive-systems.com> from Matthew Dawson at "May 14, 97 10:39:42 am"
To: dawsonm@progressive-systems.com (Matthew Dawson)
Date: Wed, 14 May 1997 11:46:13 -0400 (EDT)
Cc: Firewalls@GreatCircle.COM

Nope. It's fair to say that the US government plan for GAK (Government Access to Keys) stinks. The security implications have not been studied, and the FBI is shoving a vulnerability that no one understands down our throats.

The fair statement is thus "'Key recovery' stinks, and MJR noticed."

Adam

Matthew Dawson wrote:
| Ouch. I think it's safe to say that MJR thinks key recovery stinks? ;-)
|
| At 10:57 AM 5/13/97 -0700, you wrote:
| >Date: Mon, 12 May 1997 22:38:22 +0000
| >From: "Marcus J. Ranum"
| >Subject: Re: Encryption Outside US
| >
| >
| >Clipper stunk. It still stinks. TIS' CEO was one of the outstanding
| >opponents to Clipper. Now TIS is selling Clipper in software. I
| >guess now that you're selling it, and hold key patents on it, it's a
| >"feature." Guess what? It still stinks no matter how much money
| >you get for it.
| >
| >mjr.
| >- -----
| >Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
| >Personal
| >Work

--
"It is seldom that liberty of any kind is lost all at once." -Hume

From owner-firewalls-outgoing Wed May 14 11:28:02 1997
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9705141357.AA15505@sonic.nmti.com.nmti.com>
Subject: Re: IRC proxy...which works
To: ark@paranoid.convey.ru (ArkanoiD)
Date: Wed, 14 May 1997 08:57:04 -0500 (CDT)
Cc: vangoethem@hotmail.com, firewalls@GreatCircle.COM
In-Reply-To: <199705131629.UAA27061@paranoid.convey.ru> from "ArkanoiD" at May 13, 97 08:29:43 pm

> afaik no. i was trying to find one for a long time - all i could find
> were plug-gw variants unable to work with dcc.

Given that DCC is a massive security nightmare, I'd say you're better off with it disabled. (The "never IRC as root" advice goes double for firewalls)

From owner-firewalls-outgoing Wed May 14 11:42:36 1997
From: CDean@slfcu.org
Date: Wed, 14 May 97 10:23:30
Message-Id: <9704148636.AA863630610@slfcu.slfcu.org>
To: firewalls@greatcircle.com
Subject: IBM's Internet Connection Secure Server (ICSS)

Anyone know anything about ICSS for OS/2 as web server software? I have a document in front of me that states "To this date, there have been no known successful intrusions with ICSS. OS/2 operating system is not commonly used and therefore is not as well known to those prone to intrusion attempts. Viruses are also almost nonexistent on OS/2. ICSS is a secure, reliable solution that is known for its user-friendly configuration."

Given that this info is coming from a vendor, pushing a product which runs under ICSS, I'm taking it with a grain of salt (actually, with a salt shaker full...). And no, we don't already have OS/2 at our shop, so that info is irrelevant.

Thanks for any opinions.
(I know there are plenty on this list...that's why I'm asking here )

Cyndi
Electronic Services Manager
Sandia Laboratory Federal Credit Union

From owner-firewalls-outgoing Wed May 14 11:45:29 1997
From: Ernie Beabes
To: "'Firewalls@GreatCircle.COM'"
Subject: FW: You have been traced!!!
Date: Wed, 14 May 1997 10:53:45 -0600

>
>Hello
>
>These folks were guilty of blatant advertising a while back and are now
>guilty of this type of subliminal advertising. They are now
>blacklisted on firewalls that I administer. All messages from their
>domain will be automatically deleted from my systems on the networks
>whose firewalls I do not administer.
>
>Ernest Beabes
>Consultant
>
>-----Original Message-----
>From: Ayelet [SMTP:Ayelet@abirnet.co.il]
>Sent: Thursday, April 24, 1997 1:23 AM
>Subject: You have been traced!!!
>Importance: High
>
>As part of our company's efforts to avoid Email abuse,
>it is our policy to electronically monitor internal and external Email.
>At least one of your Email messages was monitored.
>
>This message was sent by the AbirNet's
>SessionWall-3 Active Network Protection Tool.
>For more information see http://www.AbirNet.com
>
>

From owner-firewalls-outgoing Wed May 14 12:21:36 1997
Message-Id: <3.0.32.19970514125845.00933270@isr.net>
Date: Wed, 14 May 1997 12:58:46 -0400
To: firewalls@GreatCircle.COM
From: research@isr.net (Research Unit I)
Subject: Re: Encryption Outside US

I was part of that OECD Expert Group, and believe I may shine at least some light on what exactly was said and happened at the meetings.

The main conflict during all sessions was the demand of the US to be able to decrypt anything, anywhere, at any time, versus the European focus: we want to have the choice - with an open end - to maintain our own surveillance. The US demand would have caused an immediate ability to tap into what the European intelligence community believes to be its sole and exclusive territory. In fact the Europeans were not at all pleased with the US viewpoints on controlling ALL crypto. Germany and France vigorously refused to work with the US on this issue. The Clipper initiative (at the time not readily developed) was completely banned, except for the Australian and UK views that felt some obligation from the 1947 UKUSA treaty (dealing with interchange of intelligence).
With a vast majority the US was cor