From: D (Dave) McWilliam
To: Firewalls@GreatCircle.COM
Date: Tue, 01 Jul 1997 02:32:00 -0500
Subject: Firewalls-Digest V6 #307 -Reply

Hi Folks,

I have just joined this mail group and am fascinated and entertained by the chit chat. Unfortunately, my boss expects me to work so I don't have time to wade through interminable "Did not!" "Did so!" arguments to find the useful technical stuff we newcomers to security really do need. Does anyone know whether there is an adult/professional mail group I could join instead?
Dave

------------------------------

From: Sergej Rinc
Reply-To: sr@skb.si
To: Firewalls@GreatCircle.COM
Date: Tue, 1 Jul 1997 08:23:18 +0100
Subject: Borderware

Manuel,

> Does anyone have experience with Borderware Firewall?
> If so, where would you place it compared to Raptor, Pix and FW-1?

I suggested replacing the previous DMZ (three routers, two hosts, Indy Web server and BSDI Unix Firewall) with Borderware here in our bank. It was a good move and we have no problems with Borderware Firewall Server. I tested three solutions last December - Raptor Eagle for Windows NT, Digital Firewall for Unix (Alta Vista Firewall wasn't on the market at that time) and Border's Borderware Firewall Server. Border's solution excels in (ease of) setup, administration (Java GUI in browser), integrated secured servers (WWW, FTP, SMTP, POP3, Ident, ...), authentication and VLANs/IPSec (though the other two have caught up here recently). Especially superb is the concept of a third subnet called the Secure Server Network (SSN). It is a nice solution for securing usually non- or little-secured servers (WWW). They can reside on the SSN and are protected from the outside world while giving you transparent (no client software changes needed), full service for internal users.

Border's integrated servers are secured, so for example if you want to run CGI scripts you have to run a separate server (and what better place to put it than on the SSN). So, Raptor Eagle wasn't good enough because of Web and other servers' (in)security - we've put our Web server on the SSN (likewise with the e-commerce server and soon MS Exchange from the internal network).

We use PIX here but just for the purpose of translating local IP addresses so some of our employees can connect to one of the outside stock exchange intranets. We haven't considered using PIX as a main firewall (e.g. authentication for connecting to the internal LAN will be done by authentication cards, which are greatly supported in Borderware).

And for FW-1 - I don't know the product well but I think Border's is better. BorderWare runs on a secured version of BSDI Unix with secured servers (the mailer is not sendmail but a specially secured Z-mailer etc.) so there are none of NT's flaws.

> Pete Vickers
> p.s. I appreciate that a single UNIX box could possibly perform the
> function of router/firewall/host but I believe the solution with a
> discrete box for each purpose is more secure, simpler to configure &
> maintains more flexibility.

Well, BorderWare is a fine solution for you, too (runs on a 486/Pentium PC, secured version of BSDI Unix). Actually you don't need a router with BorderWare (you can assign different network IP addresses to two or three NICs) but you'll need a serial interface card in that case (e.g. modem). We use a fast modem on Frame Relay connected to an outside Cisco router which is then connected to BorderWare. The advantage of a router is obvious since its access lists can block most of the traffic which would otherwise go to BorderWare (PC load!), but it's also fine for example for FTP service.

I allow FTP in the router's access list (so I don't have to graduate there :-) but block it in Borderware so our site is still secured from FTP (internal users can of course use FTP freely for downloading from the Internet via BorderWare's proxy).

--
Sergej Rinc
system engineer, SKB banka d.d.
http://www.skb.si
mailto:sr@skb.si

------------------------------

From: DECkedout
To: Joe Pollock
Cc: firewalls@greatcircle.com
Date: Tue, 01 Jul 1997 03:38:10 -0400
Subject: Re: ICQ network

Joe Pollock wrote:
>
> One of my users sent me a spam message concerning the ICQ ("I Seek You")
> Network, which claims to reduce an individual's Net identity to a single
> number, announce to others when the individual is on-line, spawn IRC,
> Internet Phone, email, video, etc. on command ... the list goes on and on.
>
> Here's the URL:
>
> http://www.mirabilis.com
>
> I found the site sadly lacking in technical detail (surprise, surprise
> :-). The package you download is a beta release of a soon-to-be
> commercial application.
>
> Anyone got any hard technical details to supply? I can hardly wait for
> my users to start lobbying for something like this.
>
> Joe Pollock
> The Evergreen State College
> Olympia, WA 98505

I have tried to get technical details from Mirabilis since the user number was in 5 digits... I've followed the development for a long while... Whenever I use it I throw a sniffer/port scanner script on another machine running it.. that's the only hard data I have. I've been following the ICQ related posts from this group for months too... But as far as I can tell, the app is a mystery to everyone. I personally would like to learn their custom control protocol simply to write a customized Unix port before it gets patented (which is probably why they haven't released hard facts to the public). Does anyone know anyone from Mirabilis? I have a lot of questions about it.... It definitely raises an eyebrow or two...

-DECkedout

------------------------------

From: Eric Vyncke
To: Russ, 'Mimi Herrmann'
Cc: 'Firewalls Mailing List'
Date: Tue, 01 Jul 1997 10:51:51 +0000
Subject: RE: question about firewalls on NT

At 09:27 27/06/97 -0400, Russ wrote:
>My #1 would be because you wanted to use the existing NT user database
>to define your rules on your Firewall, saving you the administrative
>overhead of having multiple user databases. I would also want it to
>integrate authentication if possible, although my preference would be to
>have everyone using a token first, and then the software authentication
>(i.e. NTLM). I work from the premise that the customer has already
>accepted the (in)security of NTLM and the NT SAM and are satisfied with
>it sufficiently to use it at their Firewall also. One of the reasons
>that many companies have gone with NT is the single-signon abilities
>which they wish to extend to their Firewall also.

Right, using the same database for NT Domain and firewall authentication can be useful. BUT, you can achieve the same effect by using a firewall on Unix or ... which is using Radius or Tacacs to access authentication (and authorization) information based on the NT SAM database.

<...snip...>

-eric

Eric Vyncke
Technical Consultant
Cisco Systems Belgium SA/NV
Phone: +32-2-778.4677
Fax: +32-2-778.4300
E-mail: evyncke@cisco.com
Mobile: +32-75-312.458

------------------------------

From: David Harvey-George
Organization: Kimble Consultancy Services Ltd
To: Thomas Leitner
CC: firewalls@greatcircle.com
Date: Tue, 01 Jul 1997 09:52:55 +0100
Subject: Re: Microsoft plans to offer a firewall

Thomas Leitner wrote:
>
> On Mon, 30 Jun 1997, Vin McLellan wrote:
>
> > Microsoft crowds firewall space
> > Though Microsoft (MSFT) says it doesn't plan to
> > compete with firewall vendors, its plans to add
> > firewall security features to the next version of its
> > Proxy Server
>
> And they think that anybody would trust them and their firewall,
> given the numerous holes in their TCP/IP stack which were revealed in the
> last couple of months?

No, but a lot of folks only hear the marketing hype from M$

David

------------------------------

From: "M Gillett"
To: Firewalls@GreatCircle.COM
Cc: pvickers@adtanz-signal.co.uk
Date: Tue, 1 Jul 1997 10:45:46 +0100 (BST)
Subject: Re: Firewalls-Digest V6 #307

Paul wrote:

>I'm in the middle of implementing Internet connectivity for the company,
>this comprises of a CISCO 2500 series router, a DMZ containing a host
>for SMTP / DNS [+ potentially FTP & HTTP], and a CISCO PIX firewall.
>My question is what O/S & H/W to implement the host on? Corporate
>policy is Win NT throughout, but my experience & this mailing list
>suggest otherwise...

My own experience suggests that although you can probably offer a security service on NT the management overheads will be a little on the high side cf UNIX.

>I think an appropriate solution would be a version of UNIX. Corporate
>policy & my confidence [probably] preclude free/unsupported [?] versions
>such as Linux.
I am tempted to get a DEC Alpha c/w OSF/1; DEC offer quite a nice AlphaServer set-up to provide WWW/FTP/DNS/SMTP out of the box - might be good if you have little unix experience. DECUnix, or OSF/1 as it used to be known, is in my experience a nice implementation and is relatively easy to secure.

>if at a later date NT becomes more stable/dependable I can then change
>to NT on the Alpha. Alternatively I believe Sun sell a version of UNIX
>to run on an intel platform, which would also permit the change at a
>later date.
>I would appreciate any comments and/or suggestions on the matter.

Solaris x86 is quite good but its application base is a little limited cf Solaris Sparc. Again if you are a pull-the-source-and-build-it-here kind of person this won't be a problem.

On the subject of protecting the host, there are a number of ways of doing that - I would recommend reading much of the material in the Firewalls books on securing a platform to operate as a firewall - i.e. take out all the services that you are not providing (esp. R-type and NIS/NFS). Then if you need more look at things like TIS's Gauntlet Force Field - which appears (from specs and not personal experience) to offer checksumming of all key file areas, detailed logging of all access and 'smoke alarms', i.e. port traps for unsupported services. All of which will be useful in defending your server.

Note the usual advice about using SMAP to handle incoming mail and inhibiting zone transfers from the DNS to all but your secondary name servers.

Mark Gillett
Technical Consultant
St. Georges Hospital Medical School

------------------------------

From: Ziv Dascalu
To: Bill Stout, firewalls@GreatCircle.COM
Date: Tue, 1 Jul 97 13:53:23 +0200
Subject: Re: Network surveillance product?

--- On Mon, 30 Jun 1997 15:45:22 -0700 Bill Stout wrote:

> I have a customer that would like to add all of the security monitoring,
> logging and reporting features of a firewall to a network. This would be
> for commerce web farm or internal network protection purposes.
>
> The device would need to plug in and passively monitor (must not add a
> proxy, and is not in the traffic flow). They would like to see a product
> that monitors connections (by port number), looks for suspicious activity on
> those connections, and maybe flood or otherwise disable the source.
> Basically like a Courtney or NetRanger for networks.
>
> Anyone know of such a box? NFR - Not For Release? Actually this sounds
> like an excellent opportunity for an ex-government contractor Co. to
> contribute.
>
> Bill Stout
>
> P.S. - I predict (application-level) network security monitoring and
> response will eventually supplement network monitoring products.
>

I think that AbirNet SessionWall-3 is what you are looking for and you can download a 30-day "test drive" version from http://www.abirnet.com

The beauty of SessionWall, in comparison to earlier firewall protection systems, is that it operates at the level of specific application sessions, thus allowing flexibility and control by the user without adding additional network delays. It is designed to provide easy access and control, user transparency, a high level of performance, adaptability and ease-of-use.

SessionWall is a software package that can be easily installed on any Windows (95 or NT) PC that is equipped with a network adapter connected to the company's local area network. It is designed for plug-and-play installation. Once the program is installed, the system operator easily sets the user and server access policies (by a series of rules and actions) and clicks Start to begin the tracing.

SessionWall has the following key features:

Monitoring
SessionWall has the ability to unobtrusively detect a broad range of events such as:
* Users connecting to specific sites
* Users using specific protocols
* Sending or receiving of information that includes specific keywords
* Suspicious network events, e.g. failed login attempts

Alerting and Responding
Alerts can be provided using one or a combination of the following notification methods:
* Sending of an Email message or fax
* Adding an entry to an NT System Log
* Popping a specific message on the SessionWall operator screen
* Invoking a Windows program to create a custom alert

Blocking
SessionWall provides the ability to block specific users from using specific servers, or to block access to defined TCP/IP services including:
* Email
* WEB browsing
* News
* Telnet
* FTP

Reporting
You can generate reports on the status of network traffic by invoking the Reporter application.
A number of different kinds of reports are possible:
* Common reports presenting data on clients per protocol, protocols per client
* Protocol reports presenting data on the status of usage of Web, Email, News, FTP and Telnet protocols
* Blocking reports listing overall occurrences by client and by server

Hope this helps

Ziv Dascalu
AbirNet

------------------------------

From: Russ
To: "firewalls@greatcircle.com", "'McLellan, Vin'"
Cc: Russ
Date: Tue, 1 Jul 1997 07:05:00 -0400
Subject: RE: Microsoft plans to offer a firewall

All I can say is this;

1. Microsoft says they're gonna put Firewall features into Proxy Server. So Proxy Server is not a Firewall.

2. Microsoft says that the packet filtering in Routing and Remote Access Services for Windows NT is not a Firewall.

Therefore, a proxy isn't a Firewall, and a packet filter isn't a Firewall, so just what do they think a Firewall is?

The marketing blurb would have to read something like..."Microsoft introduces the first non-proxying, non-packet filtering, Firewall for Windows NT...it's so transparent that hackers don't have to reconfigure anything in order to get in..."

They seemed to have forgotten that the whole is the sum of its parts.

Cheers,
Russ
R.C. Consulting, Inc.
- NT/Internet Security
owner of the NTBugTraq mailing list:
http://ntbugtraq.rc.on.ca/index.html

------------------------------

From: manuel.ricca@pararede.pt
To: firewalls@GreatCircle.com
Date: 01 Jul 97 12:43:55 +0000
Subject: Safeword with Radius - don't read unless you know these products

Hey,

Has anyone out there tried configuring Safeword for Asynchronous challenge-response authentication (namely DESGold or MultiSync)?

Scenario is: MAX4000 - Radius Server - Safeword

It doesn't work (Secure Computing guys say it does, so probably a configuration problem - but I don't have the time to wait for their answer...)

I think it's probably some attribute that's missing in the 'users' file for the Radius server. I run 'ident' with success for my users. However, I get 2 entries in the log file - one that says Passed (before challenge), and then a Failed (after entering the number returned in the card).

In synchronous mode, it works. (!!!)

Many thanks in advance,

.M

Manuel Ricca (manuel.ricca@pararede.pt)
ParaRede - Tecnologias de Comunicação, S.A.
Tel: +351 1 3020451
Fax: +351 1 3020444

// Be happy - things can always get worse

These are my own opinions and do not reflect those of my employer. My employer thinks I'm working.

------------------------------

From: Jack Danahy
To: Dave Whitlow
Cc: Bill Stout, firewalls@greatcircle.com
Date: Tue, 01 Jul 1997 08:01:53 -0400
Subject: Re: Network surveillance product?

Dave -

Yuck. Disabling the source isn't nice. Given the fact that the machine is probably a staging point for some parasite, or that the "attack" is actually a misdirected mount request, flooding the site is both ineffective and rude. As the professionals in the area, we need to convince our constituents that communication with other sites, and the filtering of traffic until it can be cleared, are more productive methods of counteracting these intrusions. We've handled a multitude of these, and universally, the offending admin can and will fix the problem.
Occasionally, we even get the added benefit of helping them make their own systems more secure.

Yours for the peaceful conservation of Internet bandwidth and the harmonious resolution of Internet conflict,

Jack

>> The device would need to plug in and passively monitor (must not add a
>> proxy, and is not in the traffic flow). They would like to see a product
>> that monitors connections (by port number), looks for suspicious activity on
>> those connections, and maybe flood or otherwise disable the source.
>> Basically like a Courtney or NetRanger for networks.

Jack Danahy                    jdanahy@bbn.com
Manager of Engineering         (617) 873-4418
Network Security Services
BBN Corporation
"I'm speaking for myself, not for BBN."

------------------------------

From: "Gabriele Faggioni - Cap Gemini Italia S.p.A."
To: Firewalls@GreatCircle.COM
Date: Tue, 01 Jul 1997 14:14:12 +0200
Subject: Firewall on AIX

I've done some research on firewalls on AIX, but I got very little. I have some FAQ at http://www.checkpoint.com/opsec/Partners/memco/faq.html:

- 6. Which versions of FireWall-1 are compatible with SeOS Secured! For FireWall-1?
- SeOS Secured! For FireWall-1 is compatible with FireWall-1 version 2.1 and version 3.0 for Solaris on Sun SPARC and x86. SunOS and HP-UX versions are currently in Beta testing and will be available soon. IBM AIX and Windows NT versions are in development.

It will be available until the third quarter of the year. I've also found the IBM firewall but it seems very poor in its features.

Does someone know of other firewalls on AIX?

---------------------------------------------------------------
Gabriele Faggioni
Open Network Services - Security
Cap Gemini Italia S.p.A.
Via Lombroso, 54 MILANO (ITALIA)
http://www.sif.cgs.it
mailto:gfaggion@sif.cgs.it
tel. ++39 2 59924 420
fax. ++39 2 59924 245
---------------------------------------------------------------

------------------------------

From: Frank Willoughby
To: Vin McLellan
Cc: firewalls@GreatCircle.com
Date: Tue, 01 Jul 1997 07:25:14 -0500
Subject: Re: Microsoft plans to offer a firewall

At 09:31 PM 6/30/97 -0500, Vin McLellan allegedly wrote:

Thanks for mail, Vin,

8< [snip]

> Though Microsoft (MSFT) says it doesn't plan to
> compete with firewall vendors, its plans to add
> firewall security features to the next version of its
> Proxy Server software could shake up the firewall
> software market.

Yeah, right. Just like M$ didn't *plan* to compete with Novell, Netscape, etc.
M$ doesn't really compete, they simply see what someone else does well (like a market leader), put these functionalities into their own products & then use their marketing muscle to drive their product out the door & competitors into the ground.

Personally, I am not at all impressed with M$'s predatory business practices. I think they will keep pushing the limits of what is right & legal to do and will probably get their clock cleaned by the Justice Dept. or the FTC. Given their predatory practices, I wouldn't be surprised if they were sniffing their own network (MSN) for competitive info, or ideas for new projects. (Nothing legally wrong with that - it *is* their own network). Note: I didn't say they were doing it - I just said I wouldn't be surprised.

> The next version of Proxy Server goes into beta
> testing in July; it will include firewall features
> designed to block intruders on the Internet from
> getting onto a company's internal networks,
> Microsoft officials said. The features could hurt
> sales of firewall software for Windows NT in
> particular, and NT has been the market's hottest
> segment.
>
> The move should come as no surprise, says Rob
> Enderle, an analyst at Giga Information Group. It's
> been clear since Microsoft introduced its first
> version of Proxy Server that it would add firewall
> functions.

I think Rob is 100% correct. IMHO, the Proxy Server was just to test the water to see how the market would respond. As people are expecting M$ to come out with a firewall, I would say that M$ will (once again) change its mind and wade into the market.

> Microsoft's decision could hurt makers of firewall
> software, such as Raptor Systems. In February
> Raptor announced a low-end firewall, called "The
> Wall," targeted at small and mid-sized companies.
> The Centri firewall from Global Internet.Com also
> targets that space; sometime Microsoft ally Cisco
> Systems announced last week it's buying Centri and
> Global Internet.Com's software group.

I see no immediate danger to major firewall vendors from M$. For the most part, they already have a solid reputation on the market & know how to design secure products. M$ doesn't have this reputation yet (and will probably have to do a huge PR campaign to try to restore confidence about their ability to deliver secure products). The new kids on the block will probably fade away when competing with M$.

M$ has two main disadvantages:

o They seem to be deficient in their ability to write secure TCP/IP stacks.

o They seem to have problems in trying to write tight, clean code - an important prerequisite in writing secure applications such as firewalls.

INFOSEC PROGRAMMING DESIGN RULE #1
The larger the size of the code, the greater the probability that the code will contain vulnerabilities which can be exploited.

Another thing. As time passes, & NT becomes more prevalent, the hackers will redirect their efforts to NT and will start picking it apart (like they have with other vendors). IMHO, I think it is just a matter of time until we start seeing non-prived users able to gain privs by exploiting vulnerabilities in individual programs (buffer overflows, etc). Particularly sensitive are those programs which perform prived functions on behalf of non-prived users.

Best Regards,

Frank

The opinions of the author of this mail may not necessarily be representative of the opinions of Fortified Networks, Inc.

Fortified Networks, Inc. - http://www.fortified.com/
Expert (vendor-neutral) Computer and Network Security Consulting
Phone: (317) 573-0800
Fax: (317) 573-0817

------------------------------

From: "Magossa'nyi A'rpa'd"
To: dennis f dumont
CC: firewalls@GreatCircle.COM, Mark Teicher
Date: Tue, 1 Jul 1997 13:08:59 +0100
Subject: Re: Remote management of firewalls internationally

On Mon, 30 Jun 1997, dennis f dumont wrote:

> A suggestion from a close and wise friend asked me to inquire about this:
>
>
> How can one remotely manage firewalls that are on the other side of the world?
> How can it be done? and done safely?
>

I'd do it using a VPN between (part of the) local and the remote network. It means that logically I'm inside the firewall.
--- GNU GPL: only from a clean source

From owner-firewalls-outgoing Tue Jul 1 06:03:44 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA18354 for firewalls-outgoing; Tue, 1 Jul 1997 04:55:17 -0700 (PDT)
Received: from bbnplanet.com (mail.bbnplanet.com [198.114.157.21]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id EAA18278 for ; Tue, 1 Jul 1997 04:55:02 -0700 (PDT)
Received: from jdana.bbnplanet.com by mail.bbnplanet.com id aa17512; 1 Jul 97 7:57 EDT
Message-Id: <2.2.32.19970701115412.0070578c@mail.bbnplanet.com>
X-Sender: jdanahy@mail.bbnplanet.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 01 Jul 1997 07:54:12 -0400
To: Ken Hardy
From: Jack Danahy
Subject: Re: Remote management of firewalls internationally
Cc: Alan , Mark Teicher , firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

K -

I've stumbled through the encryption regulations in a couple of lives, and my experience has been:

Two things:

1) If you are a US-owned multinational, you can have encryption, limited to 56 bits, on your machine, so long as no one outside your company has access to the facilities of that machine. Also, no one outside your company can have physical access to the machine, such as local outsourced system support personnel. If you are performing all of your key management from the US, that may, as well, mitigate difficulties. Check with your beagles about specifics for your situation.

2) Your Frankfurt office may prove particularly thorny, however, as there exist German regulations prohibiting any type of employee monitoring which can be used as a performance metric. Since most of the walls generate user/usage stats, be aware. YMMV.

I have no idea on the China encryption front.
Jack

At 11:41 PM 6/30/97 -0500, Ken Hardy wrote:
>On Mon, 30 Jun 1997, Alan wrote:
>> > How can one remotely manage firewalls that are on the other side of the world?
>...
>> If you have SSH or some other form of encryption/authentication between
>> machines, then you should be able to maintain the firewall without too
>> many problems. (Some sort of token-based authorization system or Public
>> Key system would be a big plus and/or requirement in such a system.)
>
>But it might be difficult to get SSH or other form of encryption on
>that machine on the other side of the world if your side happens to lie
>in the U.S.
>
>Not to start a wandering and unrelated thread (hint hint), but I've
>wondered how the law would apply if I were to log in to a machine in,
>say, our company's Frankfurt office via the corporate WAN and built and
>installed SSH on that machine while sitting in our U.S. office. Would
>my work in doing the installation be considered exporting the encryption
>in some manner, even if the software didn't get on the machine from or
>through the U.S.? Of course, it reasons (if that word can be applied
>to U.S. encryption policy) that I'd be on much shakier ground if the
>SSH code from a site in Finland or Australia got on the German machine
>via the company's Internet connection in the U.S.
>
>On a tenuously related note, does anyone know whether China's ban on
>the use of encryption now extends to Hong Kong?
>
>--
>K

----------------------------------------------------------------------
Jack Danahy                    jdanahy@bbn.com
Manager of Engineering         Tel: (617) 873-4418
BBN Corporation                Fax: (617) 873-6846

From owner-firewalls-outgoing Tue Jul 1 06:35:09 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA29087 for firewalls-outgoing; Tue, 1 Jul 1997 06:02:57 -0700 (PDT)
Received: from punt-1.mail.demon.net (relay-13.mail.demon.net [194.217.242.137]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id GAA29025 for ; Tue, 1 Jul 1997 06:02:45 -0700 (PDT)
Received: from [194.202.103.133] ([194.202.103.133]) by punt-1.mail.demon.net id aa1308805; 1 Jul 97 13:45 BST
Message-ID: <33B8FBFC.7972@threewiz.demon.co.uk>
Date: Tue, 01 Jul 1997 13:45:48 +0100
From: David Harvey-George
Organization: Kimble Consultancy Services Ltd
X-Mailer: Mozilla 3.0Gold (WinNT; I)
MIME-Version: 1.0
To: Russ
CC: "firewalls@greatcircle.com"
Subject: Re: Microsoft plans to offer a firewall
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Russ wrote:
>
> All I can say is this;
> 2. Microsoft says that the packet filtering in Routing and Remote Access
> Services for Windows NT is not a Firewall.
>
> Therefore, a proxy isn't a Firewall, and a packet filter isn't a
> Firewall, so just what do they think a Firewall is?
>

Unless they fixed things in MPR (aka Steelhead) v1.0, the packet filter can't be used to build a firewall. You can't filter on flags or address ranges. So I guess M$ is right, it's not a firewall. Although like you I wonder what it actually is?
David

From owner-firewalls-outgoing Tue Jul 1 07:07:21 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA03542 for firewalls-outgoing; Tue, 1 Jul 1997 06:23:26 -0700 (PDT)
Received: from mail.baileynm.com (fw.baileynm.com [206.109.159.11]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id GAA03522 for ; Tue, 1 Jul 1997 06:23:17 -0700 (PDT)
Received: (qmail 20446 invoked from smtpd); 1 Jul 1997 13:25:45 -0000
Received: from web.nmti.com (root@198.178.0.201) by fw.nmti.com with SMTP; 1 Jul 1997 13:25:45 -0000
Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id IAA03042; Tue, 1 Jul 1997 08:25:45 -0500
Received: by sonic.nmti.com; id AA13948; Tue, 1 Jul 1997 08:26:34 -0500
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9707011326.AA13948@sonic.nmti.com.nmti.com>
Subject: Re: Microsoft plans to offer a firewall
To: vin@shore.net (Vin McLellan)
Date: Tue, 1 Jul 1997 08:26:34 -0500 (CDT)
Cc: firewalls@greatcircle.com, Russ.Cooper@RC.ON.CA
In-Reply-To: from "Vin McLellan" at Jun 30, 97 09:31:25 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Though Microsoft (MSFT) says it doesn't plan to
> compete with firewall vendors, its plans to add
> firewall security features to the next version of its
> Proxy Server software could shake up the firewall
> software market.

Oh boy, I'm sure there are some black hats just sharpening their knives and fire(wall)-axes waiting for this new challenge to go up.

Cracking Microsoft. That's gotta be a popular game by now.
From owner-firewalls-outgoing Tue Jul 1 07:35:02 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA09777 for firewalls-outgoing; Tue, 1 Jul 1997 06:53:23 -0700 (PDT)
Received: from home.byelex.nl (home.byelex.nl [195.109.44.130]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id GAA09570 for ; Tue, 1 Jul 1997 06:52:28 -0700 (PDT)
Received: (from cowboy@localhost) by home.byelex.nl (8.8.5/8.8.5) id PAA20791; Tue, 1 Jul 1997 15:54:02 +0200
Date: Tue, 1 Jul 1997 15:54:01 +0200 (MET DST)
From: Kevin McPeake
To: Russ
cc: "firewalls@greatcircle.com"
Subject: My faith is restored (was: RE: Microsoft plans to offer a firewall
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 1 Jul 1997, Russ wrote:
> All I can say is this;
> [snip]
> The marketing blurb would have to read something like..."Microsoft
> introduces the first non-proxying, non-packet filtering, Firewall for
> Windows NT...its so transparent that hackers don't have to reconfigure
> anything in order to get in..."
>
> They seemed to have forgotten that the whole is the sum of its parts.
>

Just when I think Russ has lost all sense of humour, he goes off and does this. My faith has been restored Russ. :)

Kev

Kevin McPeake             cowboy@orbital.byelex.nl
Internet Consultant       http://cowboy.byelex.nl/

<< You know something's up when your Thought process is idle.
>>
USER       PID %CPU %MEM   VSZ  RSS TTY   S STARTED  TIME    COMMAND
cowboy   28365  0.0  0.2 2.84M 264K ttyp1 S 12:57:12 0:00.02 Thought

From owner-firewalls-outgoing Tue Jul 1 07:50:20 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA16664 for firewalls-outgoing; Tue, 1 Jul 1997 07:39:07 -0700 (PDT)
Received: from jefferson.mcn.net (jefferson.mcn.net [204.212.170.3]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA16657 for ; Tue, 1 Jul 1997 07:39:01 -0700 (PDT)
Received: from recon.mcn.net (blpm01-253.mcn.net [204.212.170.253]) by jefferson.mcn.net (8.8.5/8.8.5) with ESMTP id IAA29924; Tue, 1 Jul 1997 08:41:31 -0600 (MDT)
Message-ID: <33B915BF.61933A64@mcn.net>
Date: Tue, 01 Jul 1997 08:35:43 -0600
From: "Z.W.H."
X-Mailer: Mozilla 4.0 [en] (Win95; I)
MIME-Version: 1.0
To: "D (Dave) McWilliam"
CC: Firewalls@GreatCircle.COM
Subject: Re: Firewalls-Digest V6 #307 -Reply
X-Priority: 3 (Normal)
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Consider the "chit chat" on the list as sign posts to physical realities. Say, a road map with a personality of sorts. We travelers on the computer security journey can heed, or ignore the sign posts. The journey itself however is ours alone and we must plan our trip and do our own study, and make our own "wrong turns" along the way to our secure destination....

Personally, I prefer taking the time to read the signposts as ultimately they reduce the amount of "wrong turns" we travelers may take thereby increasing overall productivity both for the individual, and the "boss"...

Z. Wade Hampton
SlamDunk Enterprises, Inc.
Billings, Montana US

D (Dave) McWilliam wrote:
> Hi Folks,
> I have just joined this mail group and am fascinated and
> entertained by the chit chat. Unfortunately, my boss expects me to
> work
> so I don't have time to wade through interminable "Did not!" "Did so!"
> arguments to find the useful technical stuff we newcomers to security
> really do need. Does anyone know whether there is an adult/professional
> mail group I could join instead?
> Dave

From owner-firewalls-outgoing Tue Jul 1 08:05:27 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA03609 for firewalls-outgoing; Tue, 1 Jul 1997 06:23:54 -0700 (PDT)
Received: from ibmmail.COM (ibmmail.com [204.146.168.193]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id GAA03602 for ; Tue, 1 Jul 1997 06:23:47 -0700 (PDT)
From: uskanbye@ibmmail.com
Message-Id: <199707011323.GAA03602@honor.greatcircle.com>
Received: from ibmmail by ibmmail.COM (IBM VM SMTP V2R3) with BSMTP id 2291; Tue, 01 Jul 97 09:26:20 EDT
Date: Tue, 01 Jul 1997 09:26:15 EDT
To: firewalls@GreatCircle.COM
X-Sender-Info: Mitchell Ummel CSP CCP EMAIL:mummel@kdhe.state.ks.us Office of Information Systems, Tech Services Section
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Subject: MTU Path Discovery w/proxy-based firewalls
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Looking for any assistance/insight regarding the following environment:

Internet <-> Eagle Raptor NT 4.0 <-> 16Mb TR's <-> T1 <-> 4Mb TR's

Our symptoms include intermittent HTTP "partial page loads" for users on the 4Mb Token Ring networks. All proxy services working fine for staff on the 16Mb TR's.

Sniffer traces show that packets are coming in through the firewall with MTU (max transfer unit) = 4500 and the "df" (don't fragment) bit set ON. The Token Ring interfaces' MTU are all set at 4500. The CISCO has default MTU of 1500 for the serial T1 link, and thus (according to RFC 1191), the router is to send an ICMP message back to the source server that, in effect, requests a resend of the data with a smaller MTU.
Sniffer shows the ICMP is generated at the router, and passes through the firewall, but no response is ever received from the server on the Internet.

Any clues as to what's going on here? Any other Raptor NT 4.0 users (or other proxy-based firewalls) with similar environment?

Thanks in advance for all input....

--------KANSAS DEPARTMENT OF HEALTH & ENVIRONMENT---------
---------------WWW.STATE.KS.US/PUBLIC/KDHE----------------
--------------Landon State Office Building----------------
------------------Phone (913) 296-5643--------------------

From owner-firewalls-outgoing Tue Jul 1 08:29:54 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA08760 for firewalls-outgoing; Tue, 1 Jul 1997 06:48:23 -0700 (PDT)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id GAA07363 for ; Tue, 1 Jul 1997 06:42:47 -0700 (PDT)
Received: from home.byelex.nl (home.byelex.nl [195.109.44.130]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with ESMTP id GAA15154 for ; Tue, 1 Jul 1997 06:19:11 -0700 (PDT)
Received: (from cowboy@localhost) by home.byelex.nl (8.8.5/8.8.5) id PAA20653; Tue, 1 Jul 1997 15:15:58 +0200
Date: Tue, 1 Jul 1997 15:15:57 +0200 (MET DST)
From: Kevin McPeake
To: Michael Cunningham
cc: Pete Vickers , "'FIREWALLS@GreatCircle.COM'"
Subject: Re: flavours of unix
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 30 Jun 1997, Michael Cunningham wrote:
> > I'm in the middle of implementing Internet connectivity for the company, this comprises of a
> > CISCO 2500 series router, a DMZ containing a host for SMTP / DNS [+ potentially FTP & HTTP],
> > and a CISCO PIX firewall. My question is what O/S & H/W to implement the
[intelligent question snipped]
> IMHO, there are several good versions of unix that run on Intel arch.
> BSDI is an excellent choice. (we all know the networking code is good:)
> Solaris x86 is also very good as well. Both are quite robust operating
[intelligent response snipped]

I would second this.....but in a way that seeks to get the job done.

We were long time an NT only house, but 8 months ago, began to look at other solutions (we are a software developer). Today, we employ Linux, Solaris for Intel and NT. If I had my way, I'd run everything on Linux, but some of the SW we run is Solaris only or NT only or Solaris & NT, but not Linux.

To argue this better with your managers, I would give you this advice: It's a mix and match (what we have ourselves), and some would say it's more inefficient to have multiple systems, but our experience has already shown us, that when we opened ourselves to more platforms, our own company growth has tripled, because customers have different needs, and ours may not be theirs.

As far as what I would suggest for a firewall, I would definitely say use some form of Unix, but don't stop there. Educate yourself on Unix....get to know it like the back of your hand (even if you stick your FW on NT, you should do this about NT). Get to understand tcp/ip routing & protocols. Read all the docs you can get your hands on. Ask reasonable questions on here (don't be afraid to ask....just think out your questions first).

Remember, Ignorance is no excuse. No cracker out there is gonna say "hey, this guy just didn't know better, so let's leave him alone". This is one game where your homework REALLY COUNTS.

Kev

Kevin McPeake             cowboy@orbital.byelex.nl
Internet Consultant       http://cowboy.byelex.nl/

<< You know something's up when your Thought process is idle.
>>
USER       PID %CPU %MEM   VSZ  RSS TTY   S STARTED  TIME    COMMAND
cowboy   28365  0.0  0.2 2.84M 264K ttyp1 S 12:57:12 0:00.02 Thought

From owner-firewalls-outgoing Tue Jul 1 08:36:05 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA20360 for firewalls-outgoing; Tue, 1 Jul 1997 08:29:48 -0700 (PDT)
Received: from ladyred.rsoc.rockwell.com ([161.40.253.21]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA20345 for ; Tue, 1 Jul 1997 08:29:42 -0700 (PDT)
Received: from localhost (morrison@localhost) by ladyred.rsoc.rockwell.com (8.7.5/8.7.3) with SMTP id KAA04042; Tue, 1 Jul 1997 10:27:08 -0600
Date: Tue, 1 Jul 1997 10:27:08 -0600 (MDT)
From: "This guy here at this system..."
To: proff@suburbia.net
cc: firewalls@GreatCircle.COM
Subject: Re: TIS funding
In-Reply-To: <19970630150413.20749.qmail@suburbia.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 1 Jul 1997 proff@suburbia.net wrote:

...[ mad ravings snipped ]...

> Awww. Come now Jody.

Um. Do all of us have to be present for this discussion? It seems as if each of you DO have each other's personal addresses... No need for a public demonstration, is there?
.ps play nice

.jam

From owner-firewalls-outgoing Tue Jul 1 08:49:44 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA20535 for firewalls-outgoing; Tue, 1 Jul 1997 08:33:30 -0700 (PDT)
Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA20506 for ; Tue, 1 Jul 1997 08:33:20 -0700 (PDT)
Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id LAA18327; Tue, 1 Jul 1997 11:32:25 -0400 (EDT)
From: Adam Shostack
Message-Id: <199707011532.LAA18327@homeport.org>
Subject: Re: Remote management of firewalls internationally
In-Reply-To: <2.2.32.19970701115412.0070578c@mail.bbnplanet.com> from Jack Danahy at "Jul 1, 97 07:54:12 am"
To: jdanahy@bbn.com (Jack Danahy)
Date: Tue, 1 Jul 1997 11:32:25 -0400 (EDT)
Cc: ken@bridge.com, alano@teleport.com, mht@clark.net, firewalls@GreatCircle.COM
X-Mailer: ELM [version 2.4ME+ PL27 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Jack Danahy wrote:
| 2) Your Frankfurt office may prove particularly
| thorny, however, as there exist German regulations
| prohibiting any type of employee monitoring which
| can be used as a performance metric. Since most
| of the walls generate user/usage stats, be aware.
| YMMV.
|
| I have no idea on the China encryption front.

http://cwis.kub.nl/~frw/people/koops/cls2.htm#ch

(This is part of Bert-Jaap Koops' excellent Crypto Laws Survey, available at http://cwis.kub.nl/~frw/people/koops/lawsurvy.htm)

Adam

--
"It is seldom that liberty of any kind is lost all at once."
-Hume

From owner-firewalls-outgoing Tue Jul 1 09:00:21 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA14540 for firewalls-outgoing; Tue, 1 Jul 1997 07:15:32 -0700 (PDT)
Received: from coyote.tech.telepac.pt (bdshack.telepac.pt [194.65.3.124]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA14508 for ; Tue, 1 Jul 1997 07:15:17 -0700 (PDT)
Received: from torquemada ([194.65.3.123]) by coyote.tech.telepac.pt (8.8.5/8.8.5) with ESMTP id PAA00051; Tue, 1 Jul 1997 15:12:34 GMT
Message-ID: <33B9115E.D228CC98@tech.telepac.pt>
Date: Tue, 01 Jul 1997 15:17:02 +0100
From: Joao Brazao Ferreira
X-Mailer: Mozilla 4.01 [en] (WinNT; I)
MIME-Version: 1.0
To: Ken Hardy
CC: Alan , Mark Teicher , firewalls@GreatCircle.COM
Subject: Re: Remote management of firewalls internationally
X-Priority: 3 (Normal)
References:
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------ms1D895A3463E2D1F778FCD039"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This is a cryptographically signed message in MIME format.

Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Ken Hardy wrote:
> But it might be difficult to get SSH or other form of encryption on
> that machine on the other side of the world if your side happens to
> lie
> in the U.S.
>

Well, and why not Web administration? U.S. has agreed on exportation of Netscape and Microsoft web servers with 128 bit keys. Just wait for some vendor provided forms to manage the firewall.
Regards,

Joao Ferreira

Content-Type: text/x-vcard; charset=us-ascii; name="vcard.vcf"
Content-Description: Card for Joao Brazao Ferreira
Content-Disposition: attachment; filename="vcard.vcf"

begin: vcard
fn: Joao Brazao Ferreira
n: Ferreira;Joao Brazao
org: Telepac, SA
adr: Rua Dr Antonio Loureiro Borges, 1;;Miraflores;Alges;;1495;Portugal
email;internet: jbf@tech.telepac.pt
title: Programmer
tel;work: +351-1-7907366
tel;fax: +351-1-7907001
x-mozilla-cpt: ;0
x-mozilla-html: TRUE
end: vcard

Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

From owner-firewalls-outgoing Tue Jul 1 09:18:52 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA21771 for firewalls-outgoing; Tue, 1 Jul 1997 08:56:40 -0700 (PDT)
Received: from mailhub1.experian.com (mailhub1.experian.com [167.107.229.201]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA21763 for ; Tue, 1 Jul 1997 08:56:29 -0700 (PDT)
Received: (from uucp@localhost) by mailhub1.experian.com (8.8.5/8.8.5) id IAA07055; Tue, 1 Jul 1997 08:56:24 -0700 (PDT)
Received: from mailsrv1.experian.com(192.45.133.1) by mailhub1 via smap (V1.3) id sma007046; Tue Jul 1 08:56:06 1997
Received: from gmills.ora.experian.com by mailsrv1.
(SMI-8.6/SMI-SVR4) id IAA13393; Tue, 1 Jul 1997 08:59:07 -0700
Message-ID: <33B92725.76F5@experian.com>
Date: Tue, 01 Jul 1997 08:49:57 -0700
From: Gary Mills
Reply-To: gary.mills@experian.com
Organization: Experian, Network Services
X-Mailer: Mozilla 3.0Gold (Win95; I)
MIME-Version: 1.0
To: Hassan Karim
CC: manuel.ricca@pararede.pt, firewalls@GreatCircle.COM
Subject: Re: Borderware
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I had a thought on Firewall comparisons. When someone does a comparison it would be nice to see a comparison on the support of a product as well as bug reports. Is there something posted somewhere on how a vendor supports a product?

Gary Mills
Experian

"These are my own opinions and do not reflect those of my employer."

Hassan Karim wrote:
>
> I did a comparative evaluation/installation of Borderware, FW-1 and IBM's
> SNG and found
> that Borderware is probably only suitable for a small network that
> doesn't change very often. It is not really easy to configure at all. First
> of all you cannot configure it on the console... i.e. configuration must
> be done remotely. The Java interface is very clunky compared to SNG's. And
> if you can't get the browser to work then the only way you can configure it
> is by ftp'ing the config files from the Firewall... then make your changes
> and then ftp them back to the firewall machine (hope there aren't any
> mistakes or gotchas in the config files). BTW when I say remote I mean
> either via https or ftp NOT telnet or ssh. Also... hope you have a vendor
> that has in house in-depth expertise so that if you run into snags you can
> get some help otherwise you'll be short because the manuals aren't all
> that great.
>
> Plus since it only uses non-transparent proxy one would have to add users
> for everyone that needed to leave the network
>
> Granted...
> I think security wise, although I couldn't get it to log
> everything (probably user error), it is pretty tight.
>
> For the brave at heart, SNG seems to be a magnificent product. However, I
> think there is an unnecessary layer of complexity when creating rules.
> Firewall-1 is simple and straightforward. Although FW1's management
> console hosed my local X session every time... the product overall is
> tight!
>
> Hope this helps...
> Peace,
> Hassan
>
> On Mon, 30 Jun 1997
> manuel.ricca@pararede.pt wrote:
>
> > Does anyone have experience with Borderware Firewall?
> > If so, how/where would you place it compared to Raptor, Pix and FW-1 ?
> >
> > TIA,
> > .M
> >
> > Manuel Ricca (manuel.ricca@pararede.pt)
> > ParaRede - Tecnologias de Comunicação, S.A.
> > Tel: +351 1 3020451
> > Fax: +351 1 3020444
> >
> > // Be happy - things can always get worse
> >
> > These are my own opinions and do not reflect those of my employer.
> > My employer thinks I'm working.
>

From owner-firewalls-outgoing Tue Jul 1 10:53:37 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA01941 for firewalls-outgoing; Tue, 1 Jul 1997 10:35:59 -0700 (PDT)
Received: from mgmtsolutions.com (fw.mgmtsolutions.com [206.14.13.66]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id KAA01769 for ; Tue, 1 Jul 1997 10:35:21 -0700 (PDT)
Received: from ixo.mgmtsolutions.com (win2-120.mgmtsolutions.com [192.168.2.120]) by mgmtsolutions.com (8.8.5/8.7.5) with SMTP id KAA05742 for ; Tue, 1 Jul 1997 10:27:57 -0700
Message-Id: <3.0.1.32.19970701105236.0069bacc@192.168.2.254>
X-Sender: iano@192.168.2.254
X-Mailer: Windows Eudora Light Version 3.0.1 (32)
Date: Tue, 01 Jul 1997 10:52:36 -0700
To: firewalls@GreatCircle.COM
From: "Ian O'leary"
Subject: opportunity
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi there,

I am a technical consultant with a client who is looking for a
network security consultant for a 3 to 6 month contract to do Gauntlet firewall configurations in a Cisco hardware environment. The company is based out of Menlo Park, California (415 area code, 25 miles south of San Francisco).

Does anyone know any good websites where I might find consultants or consulting firms advertising their services?

Thanking you in advance for any information that you may have,

Ian O'Leary.
MSI Consulting, 408-292-6650 x169.

From owner-firewalls-outgoing Tue Jul 1 11:33:16 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA29995 for firewalls-outgoing; Tue, 1 Jul 1997 10:25:32 -0700 (PDT)
Received: from wizard.infovia.com.gt (wizard.infovia.com.gt [168.234.135.11]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id KAA29896 for ; Tue, 1 Jul 1997 10:25:01 -0700 (PDT)
Received: (from flopez@localhost) by wizard.infovia.com.gt (8.8.6/8.6.9) id LAA06978; Tue, 1 Jul 1997 11:21:17 -0500
Date: Tue, 1 Jul 1997 11:21:17 -0500 (CDT)
From: Juan Francisco Lopez
To: firewalls@GreatCircle.COM
Subject: securing SMTP/POP host
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello everyone!

I am currently setting up a SMTP/POP host (installing SMTP ver. 8.8.6 and Qualcomm popper ver. 2.3) on a Linux box (slackware ver. 2.0.18). At this point both are set up and working but I'm afraid there are things that need to be taken care of for security reasons.

I read a couple of weeks ago a mail that stated that commands such as EXPN and VRFY should be disabled. Do I need to disable those commands (and some others maybe?) by commenting out their source code from the file srvrsmtp.c? Is there another place I need to disable these features?

Thanks a lot in advance for any help.
Francisco Lopez
IIDS - Infovia Guatemala, CA

From owner-firewalls-outgoing Tue Jul 1 12:02:12 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA05925 for firewalls-outgoing; Tue, 1 Jul 1997 11:11:57 -0700 (PDT) Received: from polaris.pacificnet.net (polaris.pacificnet.net [207.171.0.250]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id LAA05905 for ; Tue, 1 Jul 1997 11:11:49 -0700 (PDT) Received: from default (pm14-26.pacificnet.net [207.171.10.59]) by polaris.pacificnet.net (8.8.5/8.8.5) with SMTP id LAA08842; Tue, 1 Jul 1997 11:05:14 -0700 (PDT) Message-ID: <33B94A85.555E@shell.pacificnet.net> Date: Tue, 01 Jul 1997 11:20:53 -0700 From: osiris Reply-To: osiris@shell.pacificnet.net X-Mailer: Mozilla 3.01 (Win95; I) MIME-Version: 1.0 To: Vin McLellan CC: firewalls@GreatCircle.COM Subject: Re: Microsoft plans to offer a firewall References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

A company that cannot make even the simplest implementations of IP secure is going to be offering a firewall. Now I've heard everything. Is this actually confirmed?
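Editor's note on the EXPN/VRFY question above. In sendmail 8.8 these commands are switched off by configuration, not by editing srvrsmtp.c: set `O PrivacyOptions=noexpn,novrfy` (or `goaway` for the whole set) in sendmail.cf, or `define(`confPRIVACY_FLAGS', `noexpn,novrfy')` in the m4 .mc file. Whatever you set, check it from outside. The probe below is an added example, not code from the posting or from sendmail: it opens an SMTP session, issues VRFY and EXPN and reports the reply codes. Because the verifier runs offline, it also carries a constructed fake server (`FakeSendmailHandler`, the `example.test` names and sample addresses are all made up) that answers the way sendmail 8.8 does with and without the two flags: `252 Cannot VRFY user` for novrfy, `502 Sorry, we do not allow this operation` for noexpn. Point `probe()` at a real host and port to test a live MTA.

```python
"""Probe an SMTP server for VRFY and EXPN and report the reply codes.

Added example (not the posting's or sendmail's code). The fake server is a
constructed stand-in so the probe can be run offline; use probe(host, port)
against a real MTA.
"""
import socket
import socketserver
import threading


def _read_reply(rfile):
    """Read one SMTP reply, single or multi-line, and return its 3-digit code."""
    while True:
        line = rfile.readline()
        if not line:
            raise ConnectionError("server closed the connection")
        text = line.decode("ascii", errors="replace")
        if len(text) < 3 or not text[:3].isdigit():
            raise ValueError("malformed SMTP reply: %r" % text)
        if text[3:4] != "-":            # "250-" continues, "250 " ends the reply
            return int(text[:3])


def probe(host, port, timeout=5.0):
    """Return {'vrfy': code, 'expn': code} exactly as the server answered."""
    codes = {}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")
        _read_reply(rfile)                                   # 220 greeting
        for cmd in (b"HELO probe.example.test", b"VRFY postmaster", b"EXPN staff"):
            sock.sendall(cmd + b"\r\n")
            codes[cmd.split()[0].decode().lower()] = _read_reply(rfile)
        sock.sendall(b"QUIT\r\n")
        _read_reply(rfile)                                   # 221
    return {"vrfy": codes["vrfy"], "expn": codes["expn"]}


def leaks_addresses(result):
    """True if either command was honoured (250). sendmail with novrfy
    answers 252 and with noexpn 502; neither confirms or expands anything."""
    return result["vrfy"] == 250 or result["expn"] == 250


class FakeSendmailHandler(socketserver.StreamRequestHandler):
    """Constructed stand-in answering like sendmail 8.8 with the given
    PrivacyOptions flags; only 'novrfy' and 'noexpn' are modelled."""
    privacy = frozenset()

    def handle(self):
        self.wfile.write(b"220 mx.example.test ESMTP (constructed fake)\r\n")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            cmd, _, _arg = line.strip().decode("ascii", "replace").partition(" ")
            cmd = cmd.upper()
            if cmd in ("HELO", "EHLO"):
                reply = b"250 mx.example.test Hello\r\n"
            elif cmd == "VRFY":
                reply = (b"252 Cannot VRFY user; try RCPT to attempt delivery\r\n"
                         if "novrfy" in self.privacy
                         else b"250 Postmaster <postmaster@example.test>\r\n")
            elif cmd == "EXPN":
                reply = (b"502 Sorry, we do not allow this operation\r\n"
                         if "noexpn" in self.privacy
                         else b"250-Alice <alice@example.test>\r\n"
                              b"250 Bob <bob@example.test>\r\n")
            elif cmd == "QUIT":
                self.wfile.write(b"221 mx.example.test closing connection\r\n")
                return
            else:
                reply = b"500 Command unrecognized\r\n"
            self.wfile.write(reply)


def probe_fake_server(privacy_flags):
    """Start the fake server with the given flags, probe it, shut it down."""
    handler = type("Handler", (FakeSendmailHandler,),
                   {"privacy": frozenset(privacy_flags)})
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe(*server.server_address)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for flags in ((), ("novrfy", "noexpn")):
        result = probe_fake_server(flags)
        print("PrivacyOptions=%s -> %s, leaks addresses: %s"
              % (",".join(flags) or "(none)", result, leaks_addresses(result)))
```

The multi-line handling in `_read_reply` matters in practice: an EXPN of a real alias comes back as a `250-` run, and a probe that reads only the first line will misreport the server. Treat a 250 to either command as a finding; 252 and 5xx mean the privacy flags took effect.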
From owner-firewalls-outgoing Tue Jul 1 12:34:50 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA10574 for firewalls-outgoing; Tue, 1 Jul 1997 12:25:26 -0700 (PDT) Received: from muuri.ssh.fi (ssh.fi [194.100.44.97]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id MAA10558 for ; Tue, 1 Jul 1997 12:24:59 -0700 (PDT) Received: from pilari.ssh.fi (pilari.ssh.fi [192.168.2.1]) by muuri.ssh.fi (8.8.6/8.8.6/EPIPE-1.10) with ESMTP id WAA01156; Tue, 1 Jul 1997 22:27:05 +0300 (EET DST) Received: from morden.sandelman.ottawa.on.ca (morden.ssh.fi [192.168.2.101]) by pilari.ssh.fi (8.8.6/8.8.6/EPIPE-1.9) with ESMTP id WAA25841; Tue, 1 Jul 1997 22:27:04 +0300 (EET DST) Received: from morden.sandelman.ottawa.on.ca (localhost [127.0.0.1]) by morden.sandelman.ottawa.on.ca (8.7.5/8.7.3) with ESMTP id WAA09289; Tue, 1 Jul 1997 22:28:32 +0300 (EET DST) Message-Id: <199707011928.WAA09289@morden.sandelman.ottawa.on.ca> To: firewalls@greatcircle.com cc: mer@world.evansville.net Subject: Re: Stronger authentication for inbound HTTP X-URL: http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/ Date: Tue, 01 Jul 1997 22:28:29 +0300 From: Michael Richardson Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----

Marc> Subject: Stronger authentication for inbound HTTP
Marc> I understand that one-time passwords don't work for inbound
Marc> Web traffic due to the nature of the HTTP protocol. Do any
Marc> firewall vendors support anything stronger than basic
Marc> password authentication for inbound HTTP traffic? With the

Yes/no. There are ways to do a bit better than one time passwords. BlackHole (now called SecurIt Firewall or some such) allows this kind of thing. Essentially, the user is only challenged the first time (in protocol, using HTML forms from the firewall rather than HTTP headers), and then gets a configurable number of minutes to access.
My recommendation is to put a third interface on the firewall ("a service network"), put the web server on that network, and use something like rsync over ssh to populate that web server from an internal master copy. If you then need SQL access or something, then you should probably be replicating your databases as well.

Marc> One of our clients needs outside sales people to be able to
Marc> access the company intranet securely to place orders, check
Marc> inventory, status, etc., and the client is concerned about
Marc> relying on simple password authentication.

I built such a system for a customer. It was done on NT web servers, and took two months. A Unix solution would be faster though. Identical problem though.

Marc> I'd love to see support for something like
Marc> SecureNet-every-hour or SecureNet-every-day AND firewall- or
Marc> webserver-based password authentication. Coupled with
Marc> browser-based SSL encryption, this seems like a solid way to

Well, if you want SSL, then the firewall can't do any authentication or auditing because the traffic is encrypted. You can make the firewall the endpoint for the SSL, but no current SSL "proxies" do this yet.

Marc> allow travellers to do intranet work. Ideally the
Marc> SecureNet-every-so-often feature would optionally require
Marc> authentication for each outside IP address so as to reduce
Marc> the ability of attackers who have learned the user's gateway
Marc> password (perhaps via shoulder-surfing) to get in while the
Marc> user is in legitimately.

Marc> Is this sensible/possible? Does anyone support it now? Is
Marc> anything like this in the works?

I know that BlackHole can do what you want. [I'm no longer associated with them, but I did write the original HTTP proxy. Getting the SecurID NextPIN mode in was a challenge.]
] The sun rarely sets on Helsinki | one quark [
] Michael Richardson, Sandelman Software Works, Ottawa, ON | two quark [
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ | red q blue q[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface

iQB1AwUBM7laSMmxxiPyUBAxAQG6mQL9E+gt0MF307E6R4uq6bSvPlCJmuvlfE9N
AwHZphhxNcmsbMXg+oHUjah2Vx/0VZkcEjaeSCop1rXVQevAl1geeeon2Jwe3b4d
oQgQjbRU7jMRe5v47cejxD4gtzExRUi1
=s/u3
-----END PGP SIGNATURE-----

From owner-firewalls-outgoing Tue Jul 1 15:25:12 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA23319 for firewalls-outgoing; Tue, 1 Jul 1997 14:55:43 -0700 (PDT) Received: from p0015c01.kpmg.com (p0016c01.kpmg.com [199.207.255.14]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id OAA23280 for ; Tue, 1 Jul 1997 14:55:29 -0700 (PDT) From: tlitney@kpmg.com Received: by p0015c01.kpmg.com; id RAA01763; Tue, 1 Jul 1997 17:57:46 -0400 (EDT) Received: from pa0016c4.kpmg.com(130.100.150.27) by p0015c01.kpmg.com via smap (3.2) id xma001635; Tue, 1 Jul 97 17:57:23 -0400 Received: from mailgate3.kpmg.com by pa0016c4.kpmg.com(8.7.3/8.7.3) with SMTP id RAA12890 for ; Tue, 1 Jul 1997 17:56:40 -0400 (EDT) Received: from ccMail by mailgate3.kpmg.com (IMA Internet Exchange 2.1 Enterprise) id 000BFFE1; Tue, 1 Jul 97 18:00:23 -0400 Mime-Version: 1.0 Date: Tue, 1 Jul 1997 13:34:36 -0400 Message-ID: <000BFFE1.3365@kpmg.com> Subject: Public Service Announcement To: firewalls@greatcircle.com Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Description: cc:Mail note part Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

BEEEEEEEEEEP! We interrupt this firewall feed for a public service announcement!!!

CLUES FOR THE CLUELESS

1.) Don't confuse the list with the list server/majordomo.
To leave the list or change list access, deal with the list server/majordomo. Sending those messages to the list will tend to generate negative e-mail.

FIREWALL = mail to majordomo@greatcircle.com ("help" in message body)

2.) If you want to ask a question but you're afraid because you think it might be basic or simple, don't ask! First, consult the list's FAQ (Frequently Asked Questions). If you don't see your question covered in the FAQ, then try using any of a multitude of search engines. Hey, and who knows what you might learn by researching! If you still can't find an answer, then go ahead and post.

FIREWALL FAQ = http://www.v-one.com/newpages/faq/htm

3.) Don't use your real IP addresses when describing your situation to the list. If you are sending to the list from a company address, don't describe serious exposures in too much detail. You never know who might be reading!

4.) If you are replying to a message, don't include excessive amounts of the original message in your reply. This is a courtesy to recipients on slower links and eliminates a lot of redundancy. It is acceptable to include enough of the original post to provide a context for your reply.

We now send you back to your previous noise stream.

Note: I would like to thank Cravoman and others for their energetic critique of "Clues". It was appreciated. I yield to overwhelming demand, "Clues" now has firewall list specific pointers.

Tom

*****************************************************************************
This has been a test of my computer penetration system. Had this been an actual penetration, your computer would have dialed 911, placed its head between its keys, and kissed its asterisk goodbye!!
*****************************************************************************

The opinions expressed above are products of my own delusions and are not necessarily shared by my employer, KPMG.
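Editor's note returning to Michael Richardson's reply on inbound HTTP authentication, two messages up. He describes the BlackHole approach (challenge once with an HTML form served by the firewall, then a configurable number of minutes of access), and Marc asks for the grant to be tied to the outside IP address so a shoulder-surfed code cannot be reused while the user is legitimately in. The model below is an added example of that decision logic, not BlackHole's or any vendor's code. It assumes a counter-based one-time-password token (RFC 4226 HOTP is used as a constructed stand-in; SecurID's algorithm is different), a 10-minute window, and the class names `OneTimePasswordVerifier`, `AuthWindowTable` and `InboundHttpGate`; the user, secret, addresses and clock values in `scenario()` are all made up. The scenario replays the thread's case: the legitimate user authenticates and is passed for the rest of the window, a second address carrying the same code gets a fresh challenge and is denied when it replays the code, and the window expires.

```python
"""Authentication window for an inbound HTTP proxy.

Added example (not BlackHole's or any vendor's code). One form-based
challenge, an OTP check, then N seconds of access bound to the outside IP.
HOTP (RFC 4226) stands in for the token; window length and IP binding are
this example's assumptions.
"""
import hashlib
import hmac
import time


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA-1 over the 8-byte big-endian counter,
    dynamic truncation, then reduce to `digits` decimal digits."""
    digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return "%0*d" % (digits, binary % 10 ** digits)


class OneTimePasswordVerifier:
    """Server side of a counter-based token: a code is accepted once, and any
    code at or below the last accepted counter is rejected as a replay."""

    def __init__(self, secrets, look_ahead=3):
        self._secrets = dict(secrets)             # user -> shared secret bytes
        self._next_counter = {u: 0 for u in secrets}
        self.look_ahead = look_ahead              # tolerate a few unused presses

    def verify(self, user, code):
        secret = self._secrets.get(user)
        if secret is None:
            return False
        start = self._next_counter[user]
        for counter in range(start, start + self.look_ahead):
            if hmac.compare_digest(hotp(secret, counter), code):
                self._next_counter[user] = counter + 1
                return True
        return False


class AuthWindowTable:
    """Grants of N seconds, optionally bound to the outside IP that authenticated."""

    def __init__(self, window_seconds, bind_to_ip=True, clock=time.monotonic):
        self.window = window_seconds
        self.bind_to_ip = bind_to_ip
        self.clock = clock
        self._grants = {}                         # user -> (expires_at, client_ip)

    def grant(self, user, client_ip):
        self._grants[user] = (self.clock() + self.window, client_ip)

    def is_authorized(self, user, client_ip):
        entry = self._grants.get(user)
        if entry is None:
            return False
        expires_at, bound_ip = entry
        if self.clock() >= expires_at:
            del self._grants[user]                # window over: challenge again
            return False
        return not self.bind_to_ip or bound_ip == client_ip


class InboundHttpGate:
    """The firewall's decision for one inbound request."""

    def __init__(self, verifier, windows):
        self.verifier = verifier
        self.windows = windows

    def handle(self, user, client_ip, otp_code=None):
        """Return 'pass', 'challenge' (serve the HTML form) or 'denied'."""
        if self.windows.is_authorized(user, client_ip):
            return "pass"
        if otp_code is None:
            return "challenge"
        if self.verifier.verify(user, otp_code):
            self.windows.grant(user, client_ip)
            return "pass"
        return "denied"


def scenario():
    """Constructed walk-through: legitimate user, shoulder-surfer, expiry."""
    secret = b"12345678901234567890"              # RFC 4226 test-vector key
    now = [1000.0]
    gate = InboundHttpGate(
        OneTimePasswordVerifier({"marc": secret}),
        AuthWindowTable(window_seconds=600, bind_to_ip=True, clock=lambda: now[0]))
    code = hotp(secret, 0)                         # what the token shows right now
    events = [
        gate.handle("marc", "203.0.113.10"),              # first hit: form
        gate.handle("marc", "203.0.113.10", code),        # OTP ok: window opens
        gate.handle("marc", "203.0.113.10"),              # inside window: pass
        gate.handle("marc", "198.51.100.7"),              # other IP: not covered
        gate.handle("marc", "198.51.100.7", code),        # replayed code: denied
    ]
    now[0] += 601                                         # window has expired
    events.append(gate.handle("marc", "203.0.113.10"))
    return events


if __name__ == "__main__":
    print(scenario())
```

Two points the thread raises fall out of the code: the IP binding is what stops a second client from riding an open window, and the verifier advancing its counter is what makes the shoulder-surfed code worthless even if the attacker reaches the form before the window closes. Where clients sit behind a shared NAT address the binding is weaker than it looks, which is why Marc asks for it to be optional.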
From owner-firewalls-outgoing Tue Jul 1 16:48:40 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id QAA02325 for firewalls-outgoing; Tue, 1 Jul 1997 16:09:41 -0700 (PDT) Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id QAA02244 for ; Tue, 1 Jul 1997 16:09:25 -0700 (PDT) Received: from Corp.Sun.COM ([129.145.35.78]) by mercury.Sun.COM (SMI-8.6/mail.byaddr) with SMTP id QAA03432 for ; Tue, 1 Jul 1997 16:36:53 -0700 Received: from zeppo.Corp.Sun.COM by Corp.Sun.COM (SMI-8.6/SMI-5.3) id QAA26625; Tue, 1 Jul 1997 16:12:01 -0700 Received: from railroad by zeppo.Corp.Sun.COM (SMI-8.6/SMI-SVR4) id QAA28182; Tue, 1 Jul 1997 16:12:01 -0700 Date: Tue, 1 Jul 1997 16:12:21 -0700 (PDT) From: Phil Burton Reply-To: Phil Burton Subject: No Malaysian Boycott!! Ha! To: Firewalls@GreatCircle.COM In-Reply-To: "Your message with ID" Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Folks,

Contrary to what Palan was claiming in re the brouhaha over boycotts of Checkpoint's FireWall-1, the boycott is clearly alive and well in Malaysia. Here is a recent email to me from someone in Sun's field marketing organization.

>----------------Begin Forwarded Message----------------<

phil-

Joe passed along your name. I have some questions about the exportability of FW-1, in particular to Malaysia. Malaysia has import restrictions for products from Israel. Is this an issue for the Sun Branded product?

Please advise
thanks!
>----------------End Forwarded Message----------------<

From owner-firewalls-outgoing Tue Jul 1 17:19:02 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA11194 for firewalls-outgoing; Tue, 1 Jul 1997 17:10:07 -0700 (PDT) Received: from qits.net.au (gw.qits.net.au [203.15.56.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id RAA11163 for ; Tue, 1 Jul 1997 17:09:50 -0700 (PDT) Received: from tsd2.development.qits.net.au ([131.242.167.99]) by gw.qits.net.au with ESMTP id <25985>; Wed, 2 Jul 1997 10:12:47 +1000 Received: by tsd2.development.qits.net.au with Internet Mail Service (5.0.1457.3) id ; Wed, 2 Jul 1997 10:12:01 +1000 Message-ID: From: John Wiltshire To: firewalls@GreatCircle.COM Subject: RE: Borderware Date: Wed, 2 Jul 1997 10:11:59 +1000 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1457.3) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

We've been using Borderware here for firewalling our internet connection and have had very few problems with it. There were a few hiccups when we transferred over to version 4.0 with the remote Java based interface and the fact that it didn't like IE (we run an NT based shop and policy is to use IE) but that is fixed now. Support from Secure Computing has been very good on the whole - problems which are sent to the mailing list tend to get a response within a few hours (depending on the time in the US of course).

From benchmarks I've seen it does not perform well in a high volume situation but for a small to medium size network it has really been a dream to set up, configure and maintain as well as having the advantage of running on a standard PC which cut our costs enormously.
John Wiltshire

> -----Original Message-----
> From: Gary Mills [SMTP:gary.mills@experian.com]
> Sent: Wednesday, July 02, 1997 1:50 AM
> To: Hassan Karim
> Cc: manuel.ricca@pararede.pt; firewalls@GreatCircle.COM
> Subject: Re: Borderware
>
> I had a thought on Firewall comparisons. When someone does a comparison
> it would be nice to see a comparison on the support of a product
> as well as bug reports. Is there something posted somewhere on how a
> vendor supports a product.
>
> Gary Mills
> Experian
>
> "These are my own opinions and do not reflect those of my employer."
>
> Hassan Karim wrote:
> >
> > I did a comparative evaluation/installation of Borderware, FW-1 and IBM's
> > SNG and found that Borderware is probably only suitable for a small network that
> > doesn't change very often. It is not really easy to configure at all. 1st
> > of all you can not configure it on the console... i.e. configuration must
> > be done remotely. The Java interface is very clunky compared to SNG's. And
> > if you can't get the browser to work then the only way you can configure it
> > is by ftp'ing the config files from the Firewall... then make your changes
> > and then ftp them back to the firewall machine (hope there aren't any
> > mistakes or gotchas in the config files). BTW when I say remote I mean
> > either via https or ftp NOT telnet or ssh. Also... hope you have a vendor
> > that has in house in-depth expertise so that if you run into snags you can
> > get some help otherwise you'll be short because the manuals aren't all
> > that great.
> >
> > Plus since it only uses non-transparent proxy one would have to add users
> > for everyone that needed to leave the network
> >
> > Granted... I think security wise, although I couldn't get it to log
> > everything (probably user error), it is pretty tight.
> >
> > For the brave at heart, SNG seems to be a magnificent product.
> > However, I
> > think there is an unnecessary layer of complexity when creating rules.
> > Firewall-1 is simple and straightforward. Although FW1's management
> > console hosed my local X session every time... the product overall is
> > tight!
> >
> > Hope this helps...
> > Peace,
> > Hassan
> >
> > On Mon, 30 Jun 1997 manuel.ricca@pararede.pt wrote:
> >
> > > Does anyone have experience with Borderware Firewall?
> > > If so, how/where would you place it compared to Raptor, Pix and FW-1?
> > >
> > > TIA,
> > > .M
> > >
> > > Manuel Ricca (manuel.ricca@pararede.pt)
> > > ParaRede - Tecnologias de Comunicação, S.A.
> > > Tel: +351 1 3020451
> > > Fax: +351 1 3020444
> > >
> > > // Be happy - things can always get worse
> > >
> > > These are my own opinions and do not reflect those of my employer.
> > > My employer thinks I'm working.
> > >

From owner-firewalls-outgoing Tue Jul 1 17:55:11 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA12422 for firewalls-outgoing; Tue, 1 Jul 1997 17:17:15 -0700 (PDT) Received: from internet.kexin.co.kr (internet.kexin.co.kr [210.126.192.65]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id RAA12340 for ; Tue, 1 Jul 1997 17:16:54 -0700 (PDT) Received: by internet.kexin.co.kr; id JAA08120; Wed, 2 Jul 1997 09:08:21 +0900 (JST) Received: from mail.kexin.co.kr(210.126.192.141) by internet.kexin.co.kr via smap (3.2) id xma008118; Wed, 2 Jul 97 09:08:14 +0900 Received: from test.kexin.co.kr (kexin.kexin.co.kr [210.126.192.129]) by mail.kexin.co.kr (8.8.5/8.8.4) with ESMTP id JAA26214; Wed, 2 Jul 1997 09:13:32 +0900 (KST) Message-ID: <33B99DC0.EF7BDC88@kexin.co.kr> Date: Wed, 02 Jul 1997 09:16:01 +0900 From: Charlie Jahng Organization: KEXIN Systems, Inc.
X-Mailer: Mozilla 4.0b4 [en] (Win95; I) MIME-Version: 1.0 To: Mark Teicher CC: firewalls@GreatCircle.COM Subject: Re: Remote management of firewalls internationally X-Priority: 3 (Normal) References: <3.0.1.32.19970630102958.008fe7f0@clark.net> Content-Type: text/plain; charset=iso-2022-kr Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Mark Teicher wrote:
> A suggestion from a close and wise friend asked me to inquire about
> this:
>
> How can one remotely manage firewalls that are on the other side of
> the world?
> How can it be done? and done safely?
>
> /mark
>
> #########################################################
> 'Turn on, Boot Up, Jack in'
> #########################################################

Of course! V-ONE SmartWall can be managed remotely through a secure channel which is protected with mutual authentication and encryption. The management is driven by a Web browser on a remote PC with Windows 3.1, 95, NT or OS/2 as its OS. Refer to www.v-one.com. I don't know whether this is the only firewall which supports remote management. Does anybody know of others?

--
Charlie Jahng (Chulwoong Jahng)
General Manager of KEXIN Systems, Inc.
The Leader of Security in Korea
=======================================
Addr: MarcoPolo B/D 7th Floor, 720-20
Yeoksam-Dong Kangnam-Ku, Seoul,
135-080, Korea
Tel: 82-2-561-3981
Fax: 82-2-561-3984
E-mail: cwjahng@kexin.co.kr
=======================================

From owner-firewalls-outgoing Tue Jul 1 17:57:34 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA10930 for firewalls-outgoing; Tue, 1 Jul 1997 17:08:32 -0700 (PDT) Received: from netcomm.NetComm.IE (02-static-a.wokingham.luna.net [195.188.67.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id RAA10884 for ; Tue, 1 Jul 1997 17:08:14 -0700 (PDT) Received: from [129.156.240.33] (kevin-mac [129.156.240.33]) by netcomm.NetComm.IE (8.8.0/8.7) with ESMTP id MAA01020; Tue, 1 Jul 1997 12:06:52 GMT X-Sender: kevinbr@129.156.240.1 Message-Id: In-Reply-To: <3.0.2.32.19970701072514.006a1968@in.net> References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Wed, 2 Jul 1997 01:17:39 +0100 To: Frank Willoughby From: Kevin Brown - NetComm Subject: Re: Microsoft plans to offer a firewall Cc: Vin McLellan , firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Frank,

Moan Moan, what's wrong with 95% of the desktop market? :-)

You know, I cannot believe that people today shop for automobiles, and make choices. Wait till Microsoft come out with a car. Then we will all die!

MS MKTG: Power Brakes (well maybe in the 2007 Model)
MS MKTG: Reliable Starting (Sure, every time it stalls, you can restart it)
etc etc.

Can anyone explain how we let this happen. I didn't, I still use a Mac! (And a Sun, and a Linux Machine, and a HP and......, but no MS)

Kevin

(ps When Banks use MS Firewalls, I am going over the other side, and then retire... I know a bank or two today using NT RAS to authenticate Home Dial in Banking...... anyone want the Bank Names?)
At 13:25 +0100 1/7/97, Frank Willoughby wrote:
>At 09:31 PM 6/30/97 -0500, Vin McLellan allegedly wrote:
>
>Thanks for mail, Vin,
>
>8< [snip]
>
>> Though Microsoft (MSFT) says it doesn't plan to
>> compete with firewall vendors, its plans to add
>> firewall security features to the next version of its
>> Proxy Server software could shake up the firewall
>> software market.
>
>Yeah, right. Just like M$ didn't *plan* to compete with
>Novell, Netscape, etc. M$ doesn't really compete, they simply see
>what someone else does well (like a market leader), put these
>functionalities into their own products & then they use their
>marketing muscle to drive their product out the door & competitors
>into the ground.
>
>Personally, I am not at all impressed with M$'s predatory business
>practices. I think they will keep pushing the limits of what is
>right & legal to do and will probably get their clock cleaned by
>the Justice Dept. or the FTC. Given their predatory practices,
>I wouldn't be surprised if they were sniffing their own network
>(MSN) for competitive info, or ideas for new projects. (Nothing
>legally wrong with that - it *is* their own network). Note: I
>didn't say they were doing it - I just said I wouldn't be surprised.
>
>
>> The next version of Proxy Server goes into beta
>> testing in July; it will include firewall features
>> designed to block intruders on the Internet from
>> getting onto a company's internal networks,
>> Microsoft officials said. The features could hurt
>> sales of firewall software for Windows NT in
>> particular, and NT has been the market's hottest
>> segment.
>>
>> The move should come as no surprise, says Rob
>> Enderle, an analyst at Giga Information Group. It's
>> been clear since Microsoft introduced its first
>> version of Proxy Server that it would add firewall
>> functions.
>
>I think Rob is 100% correct. IMHO, the Proxy Server was just to
>test the water to see how the market would respond.
>As people
>are expecting M$ to come out with a firewall, I would say that
>M$ will (once again) change its mind and wade into the market.
>
>
>> Microsoft's decision could hurt makers of firewall
>> software, such as Raptor Systems. In February
>> Raptor announced a low-end firewall, called "The
>> Wall," targeted at small and mid-sized companies.
>> The Centri firewall from Global Internet.Com also
>> targets that space; sometime Microsoft ally Cisco
>> Systems announced last week it's buying Centri and
>> Global Internet.Com's software group.
>
>I see no immediate danger to major firewall vendors from M$. For
>the most part, they already have a solid reputation on the market
>& know how to design secure products. M$ doesn't have this
>reputation yet (and will probably have to do a huge PR campaign
>to try to restore confidence about their ability to deliver secure
>products). The new kids on the block will probably fade away when
>competing with M$.
>
>M$ has two main disadvantages:
>o They seem to be deficient in their ability to write secure TCP/IP
> stacks.
>o They seem to have problems in trying to write tight, clean, code
> - an important prerequisite in writing secure applications
> such as firewalls.
>
>INFOSEC PROGRAMMING DESIGN RULE #1
>The larger the size of the code, the greater the probability that
>the code will contain vulnerabilities which can be exploited.
>
>Another thing. As time passes, & NT becomes more prevalent, the
>hackers will redirect their efforts to NT and will start picking
>it apart (like they have with other vendors). IMHO, I think it
>is just a matter of time until we start seeing nonprived users
>able to gain privs by exploiting vulnerabilities in individual
>programs (buffer overflows, etc). Particularly sensitive are
>those programs which perform prived functions on behalf of
>non-prived users.
>
>Best Regards,
>
>
>Frank
>The opinions of the author of this mail may not necessarily be
>representative of the opinions of Fortified Networks, Inc.
>
>Fortified Networks, Inc. - http://www.fortified.com/
>Expert (vendor-neutral) Computer and Network Security Consulting
>Phone: (317) 573-0800 Fax: (317) 573-0817

//////////////////////////////////////////////////////////// Kevin Brown | N \ We operate in Ireland, UK NetComm | e / and the Middle East Internet Training, | t \ --DUBAI-- Consultancy and Networking | C / Voice: +971-4-491476 | o \ Fax: +971-4-492957 Sun Microsystems | m / --UK-- Internet Associate | m \ Voice: +44-467-365419 | / Fax: +44-1276-35197 The Internet | \ email: kevinbr@netcomm.ie Experts | / info@netcomm.ie | \ http://www.netcomm.ie \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

From owner-firewalls-outgoing Tue Jul 1 18:18:54 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA20010 for firewalls-outgoing; Tue, 1 Jul 1997 17:57:48 -0700 (PDT) Received: from norwich.valley.net (norwich.valley.net [198.115.160.12]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id RAA19993 for ; Tue, 1 Jul 1997 17:57:38 -0700 (PDT) Received: from hanover.VALLEY.NET (dns [198.115.160.10]) by norwich.valley.net (8.8.5/8.8.5) with SMTP id UAA21769 for ; Tue, 1 Jul 1997 20:59:52 -0400 Received: by hanover.VALLEY.NET (blitz.valley.net) via SMTP from v2-p-121.valley.net for firewalls@GreatCircle.COM id <3980229> 01 Jul 97 20:59:46 EDT X-Sender: randy.witlicki@pop.valley.net Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 1 Jul 1997 21:04:12 -0400 To: firewalls@GreatCircle.COM From: "Randy.Witlicki."
Subject: Re: Microsoft plans to offer a firewall Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

From the Tuesday, July 1, 1997 Wall Street Journal, page C7 in the "Small Stock Focus" section:

Raptor Systems, which makes "firewall" software that provides computer-network security, slid 1 11/16, or 13%, to 11 3/16. Microsoft said it plans to enter the firewall business, a move that could cut into Raptor's business.

- Randy -

From owner-firewalls-outgoing Tue Jul 1 18:33:48 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA17917 for firewalls-outgoing; Tue, 1 Jul 1997 17:46:19 -0700 (PDT) Received: from gate.rmsbus.com (gate.rmsbus.com [207.49.255.141]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id RAA17801 for ; Tue, 1 Jul 1997 17:45:49 -0700 (PDT) Received: by gate.rmsbus.com; id TAA14029; Tue, 1 Jul 1997 19:47:22 -0500 (CDT) Received: from chris.rmsbus.com(204.126.30.52) by gate.rmsbus.com via smap (3.2) id xma014027; Tue, 1 Jul 97 19:47:01 -0500 Message-Id: <1.5.4.32.19970702003728.00685088@popmail.insnet.com> X-Sender: cm@popmail.insnet.com X-Mailer: Windows Eudora Light Version 1.5.4 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 01 Jul 1997 19:37:28 -0500 To: osiris@shell.pacificnet.net, Vin McLellan From: chris michael Subject: Re: Microsoft plans to offer a firewall Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

At 11:20 AM 7/1/97 -0700, osiris wrote:
>A company that cannot make even the simplest implementations of IP
>secure is going to be offering a firewall. Now I've heard everything.
>Is this actually confirmed?

Actually, Trusted Information Systems, the Gauntlet folks, are going to integrate the NT version of Gauntlet (sort of) with the MS proxy server. Apparently TIS has been working with MS on it for a while.
From owner-firewalls-outgoing Tue Jul 1 19:15:41 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA18589 for firewalls-outgoing; Tue, 1 Jul 1997 17:49:23 -0700 (PDT) Received: from gate.rmsbus.com (gate.rmsbus.com [207.49.255.141]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id RAA18563 for ; Tue, 1 Jul 1997 17:49:11 -0700 (PDT) Received: by gate.rmsbus.com; id TAA14057; Tue, 1 Jul 1997 19:51:53 -0500 (CDT) Received: from chris.rmsbus.com(204.126.30.52) by gate.rmsbus.com via smap (3.2) id xma014055; Tue, 1 Jul 97 19:51:41 -0500 Message-Id: <1.5.4.32.19970702004208.00682ce0@popmail.insnet.com> X-Sender: cm@popmail.insnet.com X-Mailer: Windows Eudora Light Version 1.5.4 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Date: Tue, 01 Jul 1997 19:42:08 -0500 To: firewalls@GreatCircle.COM From: chris michael Subject: TIS & NT security Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Since there's been some discussion on the list about MS's plans for NT security, here's the press release from TIS.

> TRUSTED INFORMATION SYSTEMS ANNOUNCES WINDOWS NT SERVER-BASED SECURITY
> DEVELOPMENT INITIATIVES
>
> Alliance to Provide Full Suite of Security Tools for Windows NT Server and
> the Enterprise
>
> GLENWOOD, MD - In a major announcement today, Trusted Information Systems,
> Inc. (NASDAQ: TISX) confirmed that it is developing a premier class of
> security management tools designed for use with Microsoft Proxy Server and
> the next version of Windows NT Server. TIS also announced that the
> widely-anticipated next version of Microsoft Proxy Server is being built
> with a security architecture that will effectively complement TIS Gauntlet
> Internet Firewall - widely considered the most secure firewall on the market
> today.
>
> "The TIS Gauntlet firewall and Microsoft Proxy Server together will provide
> a coordinated approach to managing both network security and performance,"
> said Harvey L. Weiss, President of TIS' Commercial Division. "The
> combination will allow serious-minded CIOs and network managers to address
> the security needs their companies require." Mr. Weiss further stated,
> "Microsoft is addressing security with the seriousness it deserves and
> matching their proxy server with the TIS approach gives the market an
> excellent set of alternatives to UNIX."
>
> "Large enterprises will find their security needs met by the combination of
> Microsoft Proxy Server and high-end firewalls such as the TIS Gauntlet
> firewall," said Lloyd Spencer, Group Product Manager for Networking and
> Communications at Microsoft Corporation (NASDAQ: MSFT). "We are pleased to
> be working with TIS and other vendors in the network security marketplace to
> enable a new range of products that will help grow the industry and benefit
> our mutual customers."
>
> A perfect example of the Gauntlet firewall and Microsoft Proxy Server
> combination is found on the Microsoft Campus itself. For several high
> profile projects, Microsoft's Information Technologies Group selected the
> TIS Gauntlet NT Firewall as the primary line of defense when used in
> conjunction with the Microsoft Proxy Server. Mr. Spencer stated,
> "Microsoft is a living example of major enterprise collaborative security."
>
> Sources today speculated that Microsoft was considering entry into the
> lucrative firewall market.
> TIS, the industry's leading proxy-based firewall
> manufacturer, revealed today that it has worked closely with Microsoft for
> the past several months pursuing the joint development of robust security
> solutions for the NT platform.
>
> TIS' development will provide Windows NT Server users with a full service
> security solution for managing their network security. Along with a version
> of the Gauntlet Internet Firewall written specifically for the Windows NT
> Server platform, TIS is working with Microsoft developers on new security
> applications for use with the Microsoft Proxy Server and the next version of
> Windows NT Server.
>
> The Microsoft Proxy Server acts as a content cache server to enforce
> Internet security and protect private Windows NT Server networks from
> hackers. The server, when set in tandem with a Gauntlet firewall, can bring
> unprecedented security, management and networking capabilities to the
> enterprise.
>
> Analysts comment that the NT market is taking off, but there are still
> numerous concerns. "NT is becoming a dominant application and network OS
> platform, but security is still a question mark for some enterprise
> customers," said Mike Rothman, Vice President of Global Networking
> Strategies for META Group, Inc. "Moreover, proxy servers and operating
> systems will need to be supplemented with more robust security functions,
> especially for the periphery. That's where TIS fits in, to provide
> complementary technologies not addressed by the OS."
>
> TIS recently announced the availability of its turnkey NT firewall solution,
> and also recently began shipping the newest version of its popular UNIX
> software, Gauntlet Internet Firewall version 4.0.
> For more information on
> the Gauntlet family of network security products, please
> visit the TIS website at
> http://www.tis.com/docs/products/gauntlet/index.html
>
> # # #
>
> Microsoft and Windows NT are either trademarks or registered trademarks of
> Microsoft Corp. in the United States and/or other countries.
>
> In addition to statements of historical fact, this release contains
> forward-looking statements which are inherently subject to change, based on
> known and unknown risks, including but not limited to changes in the market,
> changes in the industry, and changes in relevant legislation. Please refer
> to the company's prospectus for additional information on factors that could
> materially affect the company's financial results.
>

From owner-firewalls-outgoing Tue Jul 1 19:19:40 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id SAA27262 for firewalls-outgoing; Tue, 1 Jul 1997 18:32:59 -0700 (PDT) Received: from snet (dataprep.com.my [202.190.59.4]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id SAA27245 for ; Tue, 1 Jul 1997 18:32:51 -0700 (PDT) Received: from PaLaN-NeT.dataprep.com.my by snet (SMI-8.6/SMI-SVR4) id JAA03587; Wed, 2 Jul 1997 09:38:21 -0800 Date: Wed, 2 Jul 1997 09:38:21 -0800 Message-Id: <199707021738.JAA03587@snet> X-Sender: palan@202.190.59.4 X-Mailer: Windows Eudora Light Version 1.5.2 Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable To: Phil Burton From: ö PaLaN ö Subject: Re: No Malaysian Boycott!! Ha!
Cc: firewalls@greatcircle.com

At 04:12 PM 7/1/97 -0700, you wrote:
>Folks,
>
>Contrary to what Palan was claiming in re the brouhaha over boycotts of
>Checkpoint's FireWall-1, the boycott is clearly alive and well in Malaysia.
>Here is a recent email to me from someone in Sun's field marketing
>organization.
>
>

Buds, Phil, thanks for bringing this subject to my attention.

Guys, to be frank, I really have no idea on this issue of Malaysia boycotting Checkpoint's FW-1 product! As far as I know, Malaysia only restricts its citizens from visiting Israel, which is purely due to political reasons (I believe).

Phil, just for your information, the majority of firewalls installed in Malaysia are Checkpoint FW-1. So, I think the issue of import or export restriction is a baseless comment. Anyway, I will do a further check with regard to this to confirm the situation.

rgds,
PaLaN

>>----------------Begin Forwarded Message----------------<
>
>
>
>phil-
>
>Joe passed along your name. i have some questions about the exportability
>of FW-1, in particular to Malaysia. Malaysia has import restrictions for
>products from Israel. is this an issue for the Sun Branded product?
>
>Please advise
>thanks!
>
>
>>----------------End Forwarded Message----------------<
>
>

Network Sec²rity Engineer
West Malaysia.
" Hey, here is my key ... lets exchange packets now !! "

From: Colin Campbell
To: firewalls@greatcircle.com
Subject: Re: Remote management of firewalls internationally
Date: Wed, 2 Jul 1997 12:31:48 +1000 (EST)

Hi,

Lots of solutions offered which work fine when the machine is up. What happens if it crashes and won't go past a point where networking is not enabled?
Colin

From: Robert Bonomi
To: firewalls@greatcircle.com
Date: Tue, 1 Jul 1997 23:00:59 -0500 (CDT)
Subject: Re: Remote management of firewalls internationally

+ From: Colin Campbell
+ Subject: Re: Remote management of firewalls internationally
+ To: firewalls@GreatCircle.COM
+ Date: Wed, 2 Jul 1997 12:31:48 +1000 (EST)
+
+ Hi,
+
+ Lots of solutions offered which work fine when the machine
+ is up. What happens if it crashes and won't go past a point
+ where networking is not enabled?
+

Or, if you can't change configuration without taking it down to 'single user'?

A solution:

This takes -two- firewall machines, and a 'secure server' behind each one. You run a secure, encrypted, channel from the management location to either 'secure server', as needed. The 'secure server' connects, via _serial_ port, to the *other* firewall box's console port.

Voila! You've got a 'trusted path' to the console port, that does _not_ go through the firewall.

Obviously, this solution is _NOT_ inexpensive -- but it *does* allow for 'unmanned' remote operation, at least for all but "very basic" hardware-related problems (e.g., "blown fuse").

A less expensive solution is to have someone _local_, _who_speaks_the_same_ _language_ (*fluently*!)
as support -staff-, who can be called on to play "voice actuated terminal", for those occasions where 'secure remote access _through_ the box' fails. This person merely needs the ability to follow directions _precisely_, and observe and report *accurately*. The risk here is mostly an added exposure to a 'social engineering' attack.

From: Mark Teicher
To: Jack Danahy, "firewalls@GreatCircle.COM"
Cc: "masantis@ntmail.askin.es", "'Char_Sample@notes.pw.com'", "pnash@hanshan.bbnplanet.com", "adam@homeport.org", "craigaa@iafrica.com"
Date: Wed, 02 Jul 1997 00:17:30 -0400
Subject: Re: Security Expert (TM)

Jack,

At 05:50 PM 6/30/97 -0400, Jack Danahy wrote:
>
>
>Mark Teicher asks a good question, and with Joe Judge and Marcus
>extending it to organizations, here's my 2b.
>
>IMHO
>
>Security experts aren't one skill set or another, aren't
>prone to parochial definition. There are lots of types,
>and you need 'em all.

Where do those people fit into an organization that offers value-added services to customers who want to protect themselves behind a firewall?
So how do you get lots of those types in a cheap, economical way??

>
>There are policy wonks who lay down the law about who can grant
>access to whom, and who dictate the process about aging accounts,
>generating passwords, and terminating employees. They are an
>important and annoying lot who call out their strongest positions,
>and can explain the risks in compromising them. They have a
>slightly idealistic view, and can sometimes resemble good QA people.

Policy is something that is always a living document, and usually the wonks in policy are not well informed enough to dictate policy for people such as security experts, since they are a different type of person. Even the process of aging accounts, changing passwords and terminating employees is different at each and every company.. Some companies who offer internet and firewall management solutions to companies sometimes do not even have the policies in place and use previous employees as examples to other potentially good people who have the potential but are given the chance. The important lot and annoying lot sometimes can never explain the risks since the risks they are assessing may not be the correct risks to assess. Your comparison of the annoying wonks and QA is questionable. My opinion of QA folks is that they ensure a quality service or product that passes a certain criteria of testing, and the annoying wonks have no such skill since they are still learning themselves.. :)

>
>There are technologists who, hopefully, have specialized in a couple
>of areas of enabling technologies. Key management, authentication,
>transaction semantics, PKI's, firewalls, intrusion detection,
>encryption, physical entitlement, application-level access control,
>auditing, messaging, intrusion detection, vulnerability assessment,
>etc. are all piece-parts in any overall solution. Typically they will
>have a passing familiarity with all the pieces but feel most comfortable
>with a handful.
>
>There are business people who need to be able to balance the cost
>of the solution against the risk of the breach. They need to
>understand the parasites that try to attach themselves to networked
>computers, and balance the damage that can be done against the
>cost of prevention. They have to understand the reality of the risks,
>but they also have to understand why 100% security is impossible, and
>why any sane business mind should be funding disaster recovery technology
>as well as protection technology.

The reality of risk is that security should always be a forethought in a company's mindset, not an afterthought.. I have worked for a few companies who thought sending out overtime policy through email was a good idea, except that they forgot that email can be spoofed and email should never be trusted since the source can not always be verified. The parasites are always watching, but sometimes they are not parasites at all but employees who have not been trained properly or do not have any knowledge.. Developing tools and training programs should hopefully prevent some of the damage from being done..

>
>There are the administrators who need to be able to manage the ongoing
>harmonious interaction of the systems created. The auditing subsystems
>need to communicate with the events, the events with the monitors, the
>monitors with the walls, the walls with the PKI, I am getting a headache
>just thinking about it.
>
>Lastly, there has to be the translator expert who can convert the entire
>heap I just described into a PO that the CFO and CEO will sign on the line
>for, with a deep understanding of what they have bought, what they haven't
>bought, and that each payment is an installment in an ongoing series of
>costs associated with this growing network community. They can't be just
>sales people, they need to be the bringer of hard facts and a harder
>reality.
>They need to take the punishment when they are wrong, and they
>have to understand why the system needs to be changed, so that they can
>again articulate how the system can be better next time.

Just presenting a risk assessment and a cost analysis report to the CFO or CEO should be enough.. For example, take a look at the bean counters who worked on the Ford Pinto a long time ago.. The CFO made a decision that it was easier to pay the injured people off than to spend the $12.00 to fix the part. If you really need to get a CFO or CEO to sign on the dotted line.. Give them the number of body bags they need to purchase...

>
>I don't know anyone who is all of these things. I think that I can name
>a combination of 2/3 people who would give it to me, but few that could
>do it all.
>
>For those of you looking to become a "Security Expert (TM)" I'd advise
>picking what kind you mean. And don't expect any employer to fund it.
>Twist your job, spend your time, read everything you get your hands on,
>and on the day that you wake up worried because your mom orders hams
>from Hanover with the ISP access you gave her, and you can then add the
>SE brand to your forehead, for whatever that is worth.

Some of us work in this field because we are underqualified to work at McDonald's.. Adding a SE brand to our foreheads might make sense, but the more important issue is that some people like to earn their money, and be satisfied that they thought they did the right thing. It is often a wonder that most people who are unsatisfied with their jobs work at the post office. But that is a different topic entirely..

Sincerely,
Mark Teicher
"Where reality is just your imagination playing tricks on you"

>
>Back to the land of the pointy-haired
>Jack
>
>Jack Danahy jdanahy@bbn.com
>Manager of Engineering (617) 873-4418
>Network Security Services BBN Corporation
> "I'm speaking for myself, not for BBN."
>
>
#########################################################
'Turn on, Boot Up, Jack in'
#########################################################

From: wcsu@mail.vis.com.tw
To: firewalls@GreatCircle.COM
Date: Wed, 2 Jul 1997 11:25:14 +0800
Subject: Anti-Virus Check in FW-1

Firewall-1 provides an anti-virus feature for SMTP, HTTP and FTP. I wonder how many viruses it can detect and how administrators can update virus patterns? And how will this feature, if enabled, degrade the performance of Firewall-1?

By the way, where can I get a session authentication agent for Firewall-1? And on what kind of platform can a session agent reside?

From: "Costas C."
Date: Wed, 02 Jul 1997 17:09:50 +1000
Subject: (no subject)
To: firewalls@GreatCircle.COM

remove

From: "Sizer, Kevin"
To: firewalls@GreatCircle.COM
Subject: RE: Auditing Firewall Product Source Code
Date: Wed, 2 Jul 1997 08:57:49 +0200

If you really can audit source code to guarantee integrity, you're probably not far away from either writing it or speccing it out, to have it written for you. The UK has had a practice where source code may become an issue of placing the customer copy of source code in escrow at either a bank or an agreed institution. The customer can review and sue the supplier based on that code. The implied facts are that a) source / binary are for the same versions of the product, b) the customer doesn't hack the binary. A checksum takes care of the latter. The practice has been adopted in South Africa for different reasons.
-Kevin Sizer

> ----------
> From: Kent Landfield[SMTP:kent@landfield.com]
> Sent: Monday, June 30, 1997 4:36 PM
> To: firewalls@GreatCircle.COM
> Subject: Auditing Firewall Product Source Code
>
> #
> # As security people, we should be careful about trusting anything
> without
> # source code anyway..
>
> Firewall and other security software vendors:
>
> --
> Kent Landfield Network Flight Recorder, Inc.
> Email: kent@nfr.net Phone: 1-817-545-2502 FAX: 1-817-545-7650
>
>
>
>

From: "PONNIAH S/O P.RAMAIAH"
To: palan@dataprep.com.my, philb@thejudge.Corp.Sun.COM
Cc: firewalls@greatcircle.com, SITI_ZALEHA@klse.com.my
Date: Wed, 02 Jul 1997 14:47:03 +0800
Subject: Re: No Malaysian Boycott!! Ha! ha! HA! HA!HA???????????-Reply

** High Priority **

I agree with Palan's opinion on the Firewall-1 issue. Malaysia is not that extremist as claimed by Mr.PHILB.

>>> ö PaLaN ö 3/July/1997 01:38am >>>
At 04:12 PM 7/1/97 -0700, you wrote:
>Folks,
>
>Contrary to what Palan was claiming in re the brouhaha over boycotts of
>Checkpoint's FireWall-1, the boycott is clearly alive and well in Malaysia.
>Here is a recent email to me from someone in Sun's field marketing
>organization.
>
>

Buds, Phil, thanks for bringing this subject to my attention.
Guys, to be frank, I really have no idea on this issue of Malaysia boycotting Checkpoint's FW-1 product! As far as I know, Malaysia only restricts its citizens from visiting Israel, which is purely due to political reasons (I believe).

Phil, just for your information, the majority of firewalls installed in Malaysia are Checkpoint FW-1. So, I think the issue of import or export restriction is a baseless comment. Anyway, I will do a further check with regard to this to confirm the situation.

rgds,
PaLaN

>>----------------Begin Forwarded Message----------------<
>
>
>
>phil-
>
>Joe passed along your name. i have some questions about the exportability
>of FW-1, in particular to Malaysia. Malaysia has import restrictions for
>products from Israel. is this an issue for the Sun Branded product?
>
>Please advise
>thanks!
>
>
>>----------------End Forwarded Message----------------<
>
>

Network Sec²rity Engineer
West Malaysia.
" Hey, here is my key ... lets exchange packets now !! "

From: Mark Teicher
To: Robert Bonomi, firewalls@GreatCircle.COM
Date: Wed, 02 Jul 1997 02:28:16 -0400
Subject: Re: Remote management of firewalls internationally
Robert,

Not exactly what I was thinking, but your solution will work, except you did not take into account the import/export of certain firewall management software.??

/mark

At 11:00 PM 7/1/97 -0500, Robert Bonomi wrote:
>+ From: Colin Campbell
>+ Subject: Re: Remote management of firewalls internationally
>+ To: firewalls@GreatCircle.COM
>+ Date: Wed, 2 Jul 1997 12:31:48 +1000 (EST)
>+
>+ Hi,
>+
>+ Lots of solutions offered which work fine when the machine
>+ is up. What happens if it crashes and won't go past a point
>+ where networking is not enabled?
>+
>
>Or, if you can't change configuration without taking it down to 'single user'?
>
>
>A solution:
>
>This takes -two- firewall machines, and a 'secure server' behind each one.
>you run a secure, encrypted, channel from the management location to either
>'secure server', as needed. The 'secure server' connects, via _serial_ port,
>to the *other* firewall box's console port.
>
>Voila! you've got a 'trusted path' to the console port, that does _not_ go
>through the firewall.
>
>Obviously, this solution is _NOT_ inexpensive -- but it *does* allow for
>'unmanned' remote operation, at least for all but "very basic" hardware-
>related problems (e.g., "blown fuse").
>
>
>A less expensive solution is to have someone _local_, _who_speaks_the_same_
>_language_ (*fluently*!) as support -staff-, who can be called on to play
>"voice actuated terminal", for those occasions where 'secure remote access
>_through_ the box' fails. This person merely needs the ability to follow
>directions _precisely_, and observe and report *accurately*. The risk here
>is mostly an added exposure to a 'social engineering' attack.
>
>
#########################################################
'Turn on, Boot Up, Jack in'
#########################################################

From: Graham Wheeler
To: firewalls@greatcircle.com
Subject: Re: Stronger authentication for inbound HTTP
Date: Wed, 2 Jul 1997 11:03:14 +0200 (SAT)

> Marc> Subject: Stronger authentication for inbound HTTP
>
> Marc> I understand that one-time passwords don't work for inbound
> Marc> Web traffic due to the nature of the HTTP protocol. Do any
> Marc> firewall vendors support anything stronger than basic
> Marc> password authentication for inbound HTTP traffic? With the
>
> Yes/no. There are ways to do a bit better than one time passwords.
> BlackHole (now called SecurIt Firewall or some such) allows this
> kind of thing.
> Essentially, the user is only challenged the first time (in
> protocol, using HTML forms from the firewall rather than HTTP
> headers), and then gets a configurable number of minutes to access.
[shameless plug follows]

Our Citadel firewall includes a Win '95 taskbar extension (or Win 3.1 app) which supports automated challenge callbacks from the firewall, using either S/Key or a digital signature based random challenge/response. Successful callbacks for a user/service/host combination can be cached for a configurable amount of time, to reduce the number of callbacks (and to prevent S/Key passwords from expiring almost immediately). Upon the first callback a dialog box will prompt for the password; the password is subsequently cached on the client machine so that further authentications can occur transparently.

--
Dr Graham Wheeler                          E-mail: gram@cdsec.com
Citadel Data Security                      Phone: +27(21)23-6065/6/7
Internet/Intranet Network Specialists      Mobile: +27(83)-253-9864
Firewalls/Virtual Private Networks         Fax: +27(21)24-3656
Data Security Products                     WWW: http://www.cdsec.com/
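The message above describes S/Key challenge callbacks whose successful results are cached per user/service/host so that each request does not consume another one-time password. The Python below is an added example, not Citadel's code or anything from the original post: it models a simplified S/Key-style hash chain (SHA-256 truncated to 8 bytes rather than RFC 1760's folded MD4, so it is not wire-compatible with real S/Key) together with a TTL cache, and all names, the user "alice", the secret and the hosts are constructed for the illustration.

```python
# Added example (not Citadel's code): S/Key-style hash-chain one-time passwords
# with a per-(user, service, host) cache of successful callbacks.
# Simplification: SHA-256 truncated to 8 bytes; RFC 1760 S/Key folds MD4 to
# 64 bits, so this is not wire-compatible with real S/Key.
import hashlib
import hmac
import time

DIGEST_LEN = 8  # bytes kept per chain step


def otp_step(value: bytes) -> bytes:
    """One step of the chain: hash, then truncate."""
    return hashlib.sha256(value).digest()[:DIGEST_LEN]


def otp_chain(secret: str, seed: str, count: int) -> bytes:
    """count-th chain element h^count(seed || secret); the client computes this."""
    value = (seed + secret).encode()
    for _ in range(count):
        value = otp_step(value)
    return value


class OtpServer:
    """Firewall side: keeps only the last accepted element, never the secret."""

    def __init__(self):
        self.users = {}  # user -> (seed, sequence, last_accepted_value)

    def enroll(self, user, secret, seed, n):
        self.users[user] = (seed, n, otp_chain(secret, seed, n))  # stores h^n

    def challenge(self, user):
        seed, seq, _ = self.users[user]
        return seq - 1, seed  # public: which chain element the client must send

    def verify(self, user, response: bytes) -> bool:
        seed, seq, stored = self.users[user]
        if seq <= 1:
            return False  # chain exhausted; the user must re-enroll
        if hmac.compare_digest(otp_step(response), stored):  # h(h^(n-1)) == h^n
            self.users[user] = (seed, seq - 1, response)  # advance the chain
            return True
        return False


class CallbackCache:
    """Caches successful callbacks so repeats do not burn one-time passwords."""

    def __init__(self, ttl_seconds, clock=time.monotonic):
        self.ttl, self.clock, self.entries = ttl_seconds, clock, {}

    def is_fresh(self, key) -> bool:
        expires = self.entries.get(key)
        if expires is not None and self.clock() < expires:
            return True
        self.entries.pop(key, None)  # expired or absent
        return False

    def record(self, key):
        self.entries[key] = self.clock() + self.ttl


class FirewallAuth:
    """Consult the cache; otherwise call the client back with a challenge."""

    def __init__(self, server, cache):
        self.server, self.cache, self.callbacks = server, cache, 0

    def authorize(self, user, service, host, client) -> bool:
        key = (user, service, host)
        if self.cache.is_fresh(key):
            return True
        self.callbacks += 1
        seq, seed = self.server.challenge(user)
        if self.server.verify(user, client(seq, seed)):
            self.cache.record(key)
            return True
        return False


def simulate(ttl=600):
    """Constructed scenario: four requests over 700 s, then a replay attempt."""
    now = [0.0]  # controllable clock so the run is deterministic
    server = OtpServer()
    server.enroll("alice", "correct horse battery", "fw01", 100)
    fw = FirewallAuth(server, CallbackCache(ttl, lambda: now[0]))
    seen = []  # responses that crossed the wire (what a sniffer would capture)

    def client(seq, seed):  # honest client holding the cached secret
        seen.append(otp_chain("correct horse battery", seed, seq))
        return seen[-1]

    granted = []
    for now[0] in (0, 100, 200, 700):  # within ttl only the first needs a callback
        granted.append(fw.authorize("alice", "http", "10.0.0.5", client))
    now[0] = 1400  # cache expired again; replay the last captured response
    replayed = fw.authorize("alice", "http", "10.0.0.6", lambda s, d: seen[-1])
    return {"granted": granted, "callbacks": fw.callbacks,
            "remaining": server.users["alice"][1], "replay_rejected": not replayed}
```

Running `simulate()` shows two callbacks for the four legitimate requests (the cache absorbs the second and third), the chain advanced from 100 to 98, and the replayed response rejected because hashing it once no longer matches the stored element.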
From: "Christopher W. Scott"
To: "'jdanahy@bbn.com'", "ken@bridge.com"
Cc: "firewalls@greatcircle.com"
Subject: RE: Remote management of firewalls internationally
Date: Wed, 2 Jul 1997 10:14:01 -0400

Ken,

Jack is correct in his basic understanding of the German Betriebsverfassungsgesetz. However you can get authorization by coordinating with the Betriebsrat (Works Council) of the company/office. You will however have to document who has the access to the information, why it is being gathered, and how it will be used. This information MAY NOT be simply given to the management level for review, e.g. seeing who's surfing when they should be working. It can however be used to prosecute crimes, document violation of policies, and general security auditing. I have had to tackle this issue myself and it's not so bad. One of my firewalls is managed by a member of the Works Council.

Regards,
Christopher W. Scott
Security Manager, Central Operations
Global One

* My opinions are my own and do not necessarily represent those of Global One or its Shareholders.

-----Original Message-----
From: jdanahy@bbn.com [SMTP:jdanahy@bbn.com]
Sent: Tuesday, July 01, 1997 06:54
To: ken@bridge.com
Cc: alano@teleport.com; mht@clark.net; firewalls@greatcircle.com
Subject: Re: Remote management of firewalls internationally

K -

I've stumbled through the encryption regulations in a couple of lives, and my experience has been:

Two things:

1) If you are a US-owned multinational, you can have encryption, limited to 56 bits, on your machine, so long as no one outside your company has access to the facilities of that machine.
Also, no one outside your company can have physical access to the machine, such as local outsourced system support personnel. If you are performing all of your key management from the US, that may, as well, mitigate difficulties. Check with your beagles about specifics for your situation.

2) Your Frankfurt office may prove particularly thorny, however, as there exist German regulations prohibiting any type of employee monitoring which can be used as a performance metric. Since most of the walls generate user/usage stats, be aware.

YMMV.

I have no idea on the China encryption front.

Jack

At 11:41 PM 6/30/97 -0500, Ken Hardy wrote:
>On Mon, 30 Jun 1997, Alan wrote:
>> > How can one remotely manage firewalls that are on the other side of the world?
>...
>> If you have SSH or some other form of encryption/authentication between
>> machines, then you should be able to maintain the firewall without too
>> many problems. (Some sort of token-based authorization system or Public
>> Key system would be a big plus and/or requirement in such a system.)
>
>But it might be difficult to get SSH or other form of encryption on
>that machine on the other side of the world if your side happens to lie
>in the U.S.
>
>Not to start a wandering and unrelated thread (hint hint), but I've
>wondered how the law would apply if I were to log in to a machine in,
>say, our company's Frankfurt office via the corporate WAN and built and
>installed SSH on that machine while sitting in our U.S. office. Would
>my work in doing the installation be considered exporting the encryption
>in some manner, even if the software didn't get on the machine from or
>through the U.S.? Of course, it reasons (if that word can be applied
>to U.S. encryption policy) that I'd be on much shakier ground if the
>SSH code from a site in Finland or Australia got on the German machine
>via the company's Internet connection in the U.S.
>
>On a tenuously related note, does anyone know whether China's ban on
>the use of encryption now extends to Hong Kong?
>
>--
>K

----------------------------------------------------------------------
Jack Danahy              jdanahy@bbn.com
Manager of Engineering   Tel: (617) 873-4418
BBN Corporation          Fax: (617) 873-6846

From: Todd Hooper
To: "'Firewalls@GreatCircle.COM'"
Cc: "'wcsu@mail.vis.com.tw'"
Subject: re: Anti-Virus Check in FW-1
Date: Wed, 2 Jul 1997 19:02:33 +0800

Someone wrote:

> >Firewall-1 provides anti-virus feature for SMTP, HTTP and FTP. I wonder how
> >many viruses it can detect and how administrators can update virus
> >patterns? And how will this feature, if enabled, degrade the performance
> >of Firewall-1?
>
> >By the way, where can I get a session authentication agent for Firewall-1?
> >And in what kind of platform can a session agent resides?
>
> Check http://www.checkpoint.com for answers to the first question. Briefly,
> you can plug in a number of anti-virus scanners to Firewall-1. The Checkpoint
> Web site explains how you do it and which products are supported.
>
> I'm not sure on the session authentication agents - there is nothing
> specific on the Web site.
> Checkpoint talked about a Windows based session authentication agent
> at the 3.0 launch last year.
>
> The manual says:
>
> FireWall-1 Session Authentication Agent Protocol
>
> The FireWall-1 Session Authentication Agent Protocol is a TCP protocol under
> which FireWall-1 and the agent exchange messages. A detailed description of
> this protocol is available at http://www.checkpoint.com.
>
> Note: An OpenLook sample Session Authentication agent is in
> $FWDIR/bin/fwsngui.
> Other sample Session Authentication agents are available at
> http://www.checkpoint.com.
>
> Regards,
>
> Todd
>

From: Adam Shostack
To: bonomi@delta.ece.nwu.edu (Robert Bonomi)
Cc: firewalls@GreatCircle.COM
Date: Wed, 2 Jul 1997 07:17:43 -0400 (EDT)
Subject: Re: Remote management of firewalls internationally

Robert Bonomi wrote:
| Or, if you can't change configuration without taking it down to
| 'single user'?
| A solution:
|
| This takes -two- firewall machines, and a 'secure server' behind each one.
| you run a secure, encrypted, channel from the management location to either
| 'secure server', as needed.
| The 'secure server' connects, via _serial_ port, to the *other* firewall
| box's console port.

And when both machines foobar due to AC failing, followed by power failing? Can you accept 24 hours of downtime? And UPSs fail as well. Remember what happened to BBNPlanet's Stanford facility.

| A less expensive solution is to have someone _local_, _who_speaks_the_same_
| _language_ (*fluently*!) as support -staff-, who can be called on to play
| "voice actuated terminal", for those occasions where 'secure remote access
| _through_ the box' fails. This person merely needs the ability to follow
| directions _precisely_, and observe and report *accurately*. The risk here
| is mostly an added exposure to a 'social engineering' attack.

But you also have someone who can go by to check on the physical security and integrity of your location. I would not run a firewall without a Unix sysadmin type with a few brain cells within a reasonable transit distance. If you've got office space in the area, you've got people. If you don't have office space in the area, why are you deploying security tools there?

Adam

--
"It is seldom that liberty of any kind is lost all at once."
-Hume

From owner-firewalls-outgoing Wed Jul 2 06:04:28 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA04892 for firewalls-outgoing; Wed, 2 Jul 1997 04:48:02 -0700 (PDT) Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id EAA28981 for ; Wed, 2 Jul 1997 04:11:49 -0700 (PDT) Received: from homer.dejanews.com (homer.dejanews.com [205.238.143.161]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with ESMTP id DAA01526 for ; Wed, 2 Jul 1997 03:55:08 -0700 (PDT) Received: from byers.dejanews.com (byers.dejanews.com [205.238.143.212]) by homer.dejanews.com (8.7.6/8.6.12) with ESMTP id FAA20721 for ; Wed, 2 Jul 1997 05:52:36 -0500 (CDT) Received: from byers.dejanews.com (localhost.dejanews.com [127.0.0.1]) by byers.dejanews.com (8.7.5/8.6.12) with ESMTP id FAA09829 for ; Wed, 2 Jul 1997 05:52:35 -0500 Message-Id: <199707021052.FAA09829@byers.dejanews.com> To: firewalls@greatcircle.com Subject: Wanted: VPN options Date: Wed, 02 Jul 1997 05:52:34 -0500 From: Travis Hassloch Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Please add to this list:

skIP
F-secure VPN

thanks

--
Travis Hassloch / travish@dejanews.com / http://www.dejanews.com
Deja News System Administration Group / "When news breaks... we fix it."
From owner-firewalls-outgoing Wed Jul 2 06:13:50 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA08414 for firewalls-outgoing; Wed, 2 Jul 1997 05:11:36 -0700 (PDT) Received: from netscape.com (h-205-217-237-47.netscape.com [205.217.237.47]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id FAA08388 for ; Wed, 2 Jul 1997 05:11:25 -0700 (PDT) Received: from yoda.netscape.com (yoda.mcom.com [205.217.249.5]) by netscape.com (8.8.5/8.8.5) with ESMTP id FAA00229 for ; Wed, 2 Jul 1997 05:14:05 -0700 (PDT) Received: from pc-dwass.mcom.com ([205.217.254.107]) by yoda.netscape.com (Netscape Mail Server v2.02) with ESMTP id AAA14391; Wed, 2 Jul 1997 12:14:01 +0000 Message-ID: <33BA45A5.57AB2A3B@netscape.com> Date: Wed, 02 Jul 1997 14:12:21 +0200 From: dwass@netscape.com (David Wasser) Organization: Netscape Communications GmbH X-Mailer: Mozilla 4.0 [en] (Win95; I) MIME-Version: 1.0 To: firewalls@greatcircle.com CC: franks@netscape.com Subject: Tunneling tools with 128 bit encryption outside US? X-Priority: 3 (Normal) Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------msD713424DE27284B6BBD5E4A2" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

This is a cryptographically signed message in MIME format.

--------------msD713424DE27284B6BBD5E4A2 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit

I am looking for a product which will build an encrypted IP tunnel using 128-bit encryption technology that is available outside the US. Can anyone point me to a vendor?
Thanx,
-David

--
David Wasser | Netscape Communications GmbH
Principal Consultant | Am Soeldnermoos 6 | D-85399 Hallbergmoos
DWass@netscape.com | Germany

--------------msD713424DE27284B6BBD5E4A2 Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature
--------------msD713424DE27284B6BBD5E4A2--

From owner-firewalls-outgoing Wed Jul 2 06:34:14 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA14551 for firewalls-outgoing; Wed, 2 Jul 1997 06:14:52 -0700 (PDT) Received: from matav.hu (firewall.matav.hu [145.236.225.161]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id GAA14486 for ; Wed, 2 Jul 1997 06:14:22 -0700 (PDT) Received: from tiivs7.tii.matav.hu ([145.236.48.148]) by firewall.matav.hu with SMTP id <55634-3>; Wed, 2 Jul 1997 15:10:27 +0100 Received: from Bunuel.tii.matav.hu by tiivs7.tii.matav.hu (MX V4.1 VAX) with SMTP; Wed, 02 Jul 1997 15:12:52 MET Received: from localhost by Bunuel.tii.matav.hu with smtp id m0wjPDK-002QtfC (Debian Smail-3.2 1996-Jul-4 #2); Wed, 2 Jul 1997 15:12:54 +0200 (MET DST) Date: Wed, 2 Jul 1997 14:12:54 +0100 From: "Magossa'nyi A'rpa'd" To: Firewall list Subject: src addr = 0.0.0.1 ?????? Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=ISO-8859-2 Content-Transfer-Encoding: QUOTED-PRINTABLE Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi!

I've received some strange probes apparently from 0.0.0.1.
It has tried only one TCP port. Does anyone have any experience or comments regarding that pattern? In what kind of network setup can it be dangerous, and what kind of network setup is a good defence against this class of probes?

---
GNU GPL: only from a pure source

From owner-firewalls-outgoing Wed Jul 2 06:49:15 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA18657 for firewalls-outgoing; Wed, 2 Jul 1997 06:47:01 -0700 (PDT) Received: from x11.boston.juno.com (x11.boston.juno.com [205.231.100.26]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id GAA18598 for ; Wed, 2 Jul 1997 06:46:44 -0700 (PDT) Received: (from wiseleo@juno.com) by x11.boston.juno.com (queuemail) id XzO29778; Tue, 01 Jul 1997 23:03:53 EDT To: firewalls@GreatCircle.COM Date: Tue, 1 Jul 1997 19:35:38 -0700 Subject: Re: ICQ network Message-ID: <19970701.195924.14390.3.wiseleo@juno.com> References: <33B8B3E2.2B40@hotmail.com> X-Mailer: Juno 1.38 X-Juno-Line-Breaks: 0-1,3-5,7,9-10,12-22 From: wiseleo@juno.com (Leonid S Knyshov) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi everyone,

I sent an invitation to Mirabilis with instructions on how to join this mailing list; hopefully we'll get some answers soon.

***
Leonid Knyshov AKA Wise_One
http://kiassociates.com/computerhelp
http://kiassociates.com/computerhelp/personal
For file attachments please use wiseleo@hotmail.com and send a note about it here :)

On Tue, 01 Jul 1997 03:38:10 -0400 DECkedout writes:
>Joe Pollock wrote:
>>
>> One of my users sent me a spam message concerning the ICQ ("I Seek You")
>> Network, which claims to reduce an individual's Net identity to a single
>why they haven't released hard facts to the public. Does anyone know
>anyone from Mirabilis? I have a lot of questions about it.... It
>definitely raises an eyebrow or two...
>-DECkedout

From owner-firewalls-outgoing Wed Jul 2 07:31:18 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA15872 for firewalls-outgoing; Wed, 2 Jul 1997 06:29:27 -0700 (PDT) Received: from garanti1.garanti.com.tr (garanti1.garanti.com.tr [194.54.51.100]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id GAA15834 for ; Wed, 2 Jul 1997 06:29:11 -0700 (PDT) Received: from Mailhub by garanti1.garanti.com.tr id AA16176; Wed, 2 Jul 1997 16:30:07 +0400 Received: from GarantiUser by GarantiMailServer id AA03538; Wed, 2 Jul 1997 16:29:38 +0400 Received: from fw1.fw.garanti.com.tr by manage1.fw.garanti.com.tr (AIX 4.1/UCB 5.64/4.03) id AA18146; Thu, 3 Jul 1997 16:16:32 +0400 Message-Id: <33BAE418.3D5E@garanti.com.tr> Date: Wed, 02 Jul 1997 16:28:24 -0700 From: Cihan Subasi Reply-To: csubasi@garanti.com.tr Organization: Garanti Ticaret X-Mailer: Mozilla 3.0Gold (Win16; I) Mime-Version: 1.0 To: Firewalls Subject: 128-bit SSL.... Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I have a question about security, not about firewalls directly.

After announcing that 128-bit SSL is export free, Netscape and Microsoft announced their Web servers supporting 128-bit SSL, but in order to be able to use 128-bit SSL, a certificate is needed on the client side, and this certificate is browser dependent and not portable. Since we are not in the USA and we don't know how 128-bit SSL is used in the USA, could anybody explain to me how 128-bit SSL works in the USA? Do we need a special digital certificate on the client side in the USA? Or can you direct me to a place where I can find the answer to the above question?
Thank you,

--
****************************************************************************
Cihan Subasi, Garanti Ticaret AS, Istanbul, Turkey
email: csubasi@garanti.com.tr tel: +902126570404 fax: +902126570473
****************************************************************************

From owner-firewalls-outgoing Wed Jul 2 07:41:03 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA09040 for firewalls-outgoing; Wed, 2 Jul 1997 05:18:18 -0700 (PDT) Received: from psyche.the-wire.com (psyche.the-wire.com [198.53.192.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id FAA08951 for ; Wed, 2 Jul 1997 05:17:55 -0700 (PDT) Received: from anton.the-wire.com (anton.the-wire.com [205.206.32.227]) by psyche.the-wire.com (8.8.6/8.6.12) with SMTP id IAA23346; Wed, 2 Jul 1997 08:19:35 -0400 (EDT) Message-Id: <3.0.32.19970702080847.007b15d0@the-wire.com> X-Sender: anton@the-wire.com X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Wed, 02 Jul 1997 08:20:29 -0400 To: osiris@shell.pacificnet.net, Vin McLellan From: Anton J Aylward Subject: Re: Microsoft plans to offer a firewall Cc: firewalls@GreatCircle.COM Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

At 11:20 AM 01/07/97 -0700, osiris wrote:
## Reply Start ##

>A company that cannot make even the simplest implementations of IP
>secure are going to be offering a firewall. Now I've heard everything.
>Is this actually confirmed?

I very strongly suggest you read a book called

Extraordinary Popular Delusions and the Madness of Crowds
by Charles Mackay, LLD

It was published in 1841 and is still in print, which should tell you something.

It is not a 'fun' book, nor easy to read. If it were written today publishers would refuse it because of its heavy style and language, just like they would refuse Shakespeare.
Even if you only read the first two chapters, 88 pages in my volume, you will suffer various enlightenments.

I have no doubts that many companies will buy Microsoft's firewall purely because it comes from Microsoft. We have already seen that they have turned off their critical faculties and, to misquote Bonhoeffer, have decided that "Bill Gates Is My Conscience".

I expect to make a lot of money in coming years. Not only from InfoSec consulting, but also from Marcus Ranum's idea of selling short companies which put themselves in a highly exposed position.

/anton

>
## Reply End ##
--------------------------------------------------------------------------
Anton J Aylward | Telling the future by looking at the
The Strahn & Strachan Group Inc | past assumes that conditions remain
Information Security Consultants | constant. This is like driving a car
Voice: (416) 494-8661 | by looking in the rear view mirror.
Fax: (416) 494-8803 | - Herb Brody

From owner-firewalls-outgoing Wed Jul 2 08:02:27 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA25955 for firewalls-outgoing; Wed, 2 Jul 1997 07:31:47 -0700 (PDT) Received: from matav.hu (firewall.matav.hu [145.236.225.161]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA25922 for ; Wed, 2 Jul 1997 07:31:36 -0700 (PDT) Received: from tiivs7.tii.matav.hu ([145.236.48.148]) by firewall.matav.hu with SMTP id <55603-1>; Wed, 2 Jul 1997 16:31:19 +0100 Received: from Bunuel.tii.matav.hu by tiivs7.tii.matav.hu (MX V4.1 VAX) with SMTP; Wed, 02 Jul 1997 16:33:44 MET Received: from localhost by Bunuel.tii.matav.hu with smtp id m0wjQTa-002QtfC (Debian Smail-3.2 1996-Jul-4 #2); Wed, 2 Jul 1997 16:33:46 +0200 (MET DST) Date: Wed, 2 Jul 1997 15:33:46 +0100 From: "Magossa'nyi A'rpa'd" To: Travis Hassloch CC: firewalls@GreatCircle.COM Subject: Re: Wanted: VPN options In-Reply-To: <199707021052.FAA09829@byers.dejanews.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN;
charset=ISO-8859-2 Content-Transfer-Encoding: QUOTED-PRINTABLE Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Wed, 2 Jul 1997, Travis Hassloch wrote:

> Please add to this list:
> skIP
> F-secure VPN

http://hal2000.hal.vein.hu/~mag/linux-security/VPN-HOWTO.html

---
GNU GPL: only from a pure source

From owner-firewalls-outgoing Wed Jul 2 08:11:44 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA27210 for firewalls-outgoing; Wed, 2 Jul 1997 07:38:22 -0700 (PDT) Received: from po-external.FCNBD.COM (po-external.FCNBD.COM [147.113.146.4]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA27180 for ; Wed, 2 Jul 1997 07:38:12 -0700 (PDT) From: Scott_Thomas@em.fcnbd.com Received: from po-internal.FCNBD.COM ([147.113.104.10]) by po-external.FCNBD.COM (8.8.5/fcnbd/domain/1.5.1) with ESMTP id JAA07237 for ; Wed, 2 Jul 1997 09:47:57 -0500 (CDT) Received: from em.fcnbd.com (ccintgat [147.113.229.37]) by po-internal.FCNBD.COM (8.8.5/fcnbd/internal-domain/1.5) with SMTP id JAA23368 for ; Wed, 2 Jul 1997 09:42:47 -0500 (CDT) Received: from ccMail by em.fcnbd.com (IMA Internet Exchange 2.1 Enterprise) id 001031FF; Wed, 2 Jul 97 09:41:39 -0500 Mime-Version: 1.0 Date: Wed, 2 Jul 1997 09:41:03 -0500 Message-ID: <001031FF.1944@em.fcnbd.com> To: Firewalls@GreatCircle.COM Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Description: cc:Mail note part Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

To All:

Our company is implementing SAP in all of its locations. Our desire is to have internal firewalls between the main corporate location and outer offices. We have attempted to run FW-1 in two locations so far with the same result. If a user at the outer office runs an SAP process that only involves one UNIX host at the main office, it works fine.
When the SAP process involves more than one host, the returned transmission is never received, although it seems to leave the UNIX host. Currently our production host is only one HP 9000 and is working fine. Our staging and development areas involve multiple HP 9000s that run processes between each other, and transmissions get lost. If we drop the firewall daemon and let traffic pass through the SPARCstation, this process works fine with multiple HP hosts. In troubleshooting we have gone so far as to add a #1 rule for ANYtoANYtoANY and it still does not work. This has stumped both our local FW-1 vendor as well as Sun support.

Has anyone run into a similar problem? As far as FW-1 goes, everything we attempt to pass through it is correctly filtered except where multiple UNIX hosts are involved. Any help is appreciated...

Scott Thomas
Systems Officer
847-622-5762

From owner-firewalls-outgoing Wed Jul 2 09:07:21 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA03806 for firewalls-outgoing; Wed, 2 Jul 1997 08:18:36 -0700 (PDT) Received: from csnnetra1.csn.com.br ([200.255.165.102]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA00299 for ; Wed, 2 Jul 1997 07:56:34 -0700 (PDT) Received: from mg65.csn.com.br ([172.16.10.3]) by csnnetra1.csn.com.br (8.8.5/8.8.5) with SMTP id LAA05099 for ; Wed, 2 Jul 1997 11:56:01 -0300 (EST) Message-Id: <199707021456.LAA05099@csnnetra1.csn.com.br> Comments: Authenticated sender is From: "Alessandro Jannuzzi" Organization: CSN To: firewalls@GreatCircle.COM Date: Tue, 2 Jul 1996 11:58:51 +0000 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Re: Anti-Virus Check in FW-1 In-reply-to: <482564C8.00118AFE.00@mail.vis.com.tw> X-mailer: Pegasus Mail for Win32 (v2.52) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Well, FW-1 3.0 provides this feature.
An application-level protocol called CVP was designed to plug FW-1 into any anti-virus that supports this protocol. For demonstration, I think, the version comes with a Cheyenne anti-virus, but I guess it doesn't allow future upgrades. The idea is: get FW-1 and another powerful anti-virus that supports CVP.

Alessandro Jannuzzi
jannuzzi@csn.com.br

> Firewall-1 provides an anti-virus feature for SMTP, HTTP and FTP. I wonder how
> many viruses it can detect and how administrators can update virus
> patterns? And how will this feature, if enabled, degrade the performance
> of Firewall-1?
>
> By the way, where can I get a session authentication agent for Firewall-1?
> And on what kind of platform can a session agent reside?

From owner-firewalls-outgoing Wed Jul 2 09:21:22 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA10332 for firewalls-outgoing; Wed, 2 Jul 1997 08:50:58 -0700 (PDT) Received: from proxy4.ba.best.com (proxy4.ba.best.com [206.184.139.15]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA10314 for ; Wed, 2 Jul 1997 08:50:51 -0700 (PDT) Received: from shellx.best.com (shellx.best.com [206.86.0.11]) by proxy4.ba.best.com (8.8.5/8.8.3) with ESMTP id IAB12260 for ; Wed, 2 Jul 1997 08:52:59 -0700 (PDT) Received: from localhost (kgibbs@localhost) by shellx.best.com (8.8.5/8.8.3) with SMTP id IAA08004 for ; Wed, 2 Jul 1997 08:51:17 -0700 (PDT) Date: Wed, 2 Jul 1997 08:51:16 -0700 (PDT) From: "Kelly E. Gibbs" To: firewalls@greatcircle.com Subject: RIP vs. OSPF Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Would it be a fair statement that OSPF is now the chosen protocol over RIP? If so, could someone offer any comment on why, and which do you think will be the more dominant protocol in the future?
Thanks,
Kelly

From owner-firewalls-outgoing Wed Jul 2 09:34:36 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA14984 for firewalls-outgoing; Wed, 2 Jul 1997 09:23:56 -0700 (PDT) Received: from proxy3.ba.best.com (proxy3.ba.best.com [206.184.139.14]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id JAA14975 for ; Wed, 2 Jul 1997 09:23:49 -0700 (PDT) Received: from shellx.best.com (shellx.best.com [206.86.0.11]) by proxy3.ba.best.com (8.8.5/8.8.3) with ESMTP id JAA08395; Wed, 2 Jul 1997 09:25:57 -0700 (PDT) Received: from localhost (kgibbs@localhost) by shellx.best.com (8.8.5/8.8.3) with SMTP id JAA27919; Wed, 2 Jul 1997 09:23:41 -0700 (PDT) Date: Wed, 2 Jul 1997 09:23:41 -0700 (PDT) From: "Kelly E. Gibbs" To: Anton J Aylward cc: firewalls@GreatCircle.COM Subject: Re: Microsoft plans to offer a firewall In-Reply-To: <3.0.32.19970702080847.007b15d0@the-wire.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Companies that have formed some alliance with Microsoft will eventually be burned themselves. Take Digital for example. M$ paid DEC millions to retrain their VMS consultants for NT, and Digital thought there would be millions in NT consulting - instead they discovered just the opposite and, as a result, had to lay off some of the new NT force.

Now for my opinion: I think M$ simply wrote the $20M (or whatever value it was) off, just so DEC would lose some of their workforce and would no longer pose any threat to NT (not that it did today anyway, but just in case!). I believe that M$ would just love to completely destroy VMS and Digital UNIX, but again, this is purely speculation. I'm sure some of the firewall companies have embraced M$ and think they have formed an alliance (even through MSDN or other offerings), but this is about money, and M$ couldn't care less.
I really believe that Apple was the primary target of M$, not only to rid the OS from the face of this earth, but to shut the company down. It's my opinion that M$ purposely developed the Mac products to run as sub-standard software just so people would migrate to Intel in disappointment. I believe the next company we'll see inflicted by the sting of M$ is Netscape. Eventually, Sun, SCO, and other UNIX vendors will feel the pain, although it may take ten more years before they're just memories of the past.

What bothers me the most, and I think a lot of you will agree, is that as we move forward and technology advances, M$ will continue to plague our systems with sub-standard, highly proprietary applications. Rebooting is well accepted today, and most of us who run NT servers just live with that - what else is there; do we have a choice? M$ has affected all of our lives, and whether some of us like or dislike M$, it doesn't matter. The masses will continue to flock to the almighty [Microsoft], and no one will be able to go up against the supreme deliverer of software. Gee, if Hitler were around he'd love to be in Bill Gates's shoes: World Dominance - what a concept! Same principle - just applied to software, that's all.

Throughout M$'s wonderful climb to dominate the world, where's the Justice Department? I wonder if Janet Reno uses '95? Wonder if she owned shares of Apple stock in the past?

On Wed, 2 Jul 1997, Anton J Aylward wrote:

> At 11:20 AM 01/07/97 -0700, osiris wrote:
> ## Reply Start ##
>
> >A company that cannot make even the simplest implementations of IP
> >secure are going to be offering a firewall. Now I've heard everything.
> >Is this actually confirmed?
>
> I very strongly suggest you read a book called
>
> Extraordinary Popular Delusions and the Madness of Crowds
> by Charles Mackay, LLD
>
> It was published in 1841 and is still in print, which should tell you
> something.
>
> It is not a 'fun' book, nor easy to read.
> If it were written today publishers would refuse it because of its heavy
> style and language, just like they would refuse Shakespeare.
>
> Even if you only read the first two chapters, 88 pages in my volume, you
> will suffer various enlightenments.
>
> I have no doubts that many companies will buy Microsoft's firewall purely
> because it comes from Microsoft. We have already seen that they have turned
> off their critical faculties and, to misquote Bonhoeffer, have decided
> that "Bill Gates Is My Conscience".
>
> I expect to make a lot of money in coming years.
> Not only from InfoSec consulting, but also from Marcus Ranum's idea of
> selling short companies which put themselves in a highly exposed position.
>
>
> /anton
>
>
>
> ## Reply End ##
> --------------------------------------------------------------------------
> Anton J Aylward | Telling the future by looking at the
> The Strahn & Strachan Group Inc | past assumes that conditions remain
> Information Security Consultants | constant. This is like driving a car
> Voice: (416) 494-8661 | by looking in the rear view mirror.
> Fax: (416) 494-8803 | - Herb Brody
>

From owner-firewalls-outgoing Wed Jul 2 09:48:59 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA16174 for firewalls-outgoing; Wed, 2 Jul 1997 09:35:31 -0700 (PDT) Received: from mail.credo.net (mail.noc.credo.net [199.107.168.7]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id JAA16157 for ; Wed, 2 Jul 1997 09:35:22 -0700 (PDT) Received: from darkstar.noc.credo.net (darkstar.noc.credo.net [199.107.168.9]) by mail.credo.net (8.8.5/8.7.3) with SMTP id JAA08601 for ; Wed, 2 Jul 1997 09:37:46 -0700 (PDT) Message-Id: <3.0.32.19970702093428.00f12830@199.107.168.5> Received: from john.credo.net ([199.107.169.3]) by darkstar.noc.credo.net via smtpd (for mail.noc.credo.net [199.107.168.5]) with SMTP; 2 Jul 1997 16:36:49 UT X-Sender: john@199.107.168.5 X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Wed, 02 Jul 1997 09:34:30 -0700 To: firewalls@GreatCircle.COM From: John Whittaker Subject: Re: Microsoft plans to offer a firewall Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

fyi - salient points from my conversation with Microsoft:

* Microsoft is releasing a new version of Proxy Server.
* Version 1.0 already offered firewall-class security, and has been in the marketplace since Nov '96.
* Refer to the C&L white paper available on http://www.microsoft.com/proxy
* The new version will combine enhanced security and performance. This has never been done before.
* Microsoft is enhancing its firewall security features as a result of feedback from small business and branch office customers.
* Proxy Server 2.0 will be a better alternative to Netscape Proxy Server and Novell Border Manager
* Enhanced web content caching
* Extensible firewall security
* Proxy Server 2.0 is an "extensible firewall" platform, which creates opportunities for 3rd parties to extend and complement Proxy Server's network security capabilities
* 3rd Party Enterprise Firewall Vendors: Checkpoint, Raptor, Trusted Information Systems
* 3rd Party Virus Scanning & "Rogue Applet" blocking: Trend Micro
* Content Filters: CyberPatrol and Surfwatch

john.

-------------------------------------------------------------------------
John Whittaker CREDO NET
Vice President a division of Credo Computer Systems, Inc
-------------------------------------------------------------------------
Providing your business with turnkey solutions for doing business in the information age.
-------------------------------------------------------------------------
22941 Triton Way, Suite 241, Laguna Hills, CA 92653 (888) 88-CREDO http://www.credo.net http://www.zoneoftrust.com

From owner-firewalls-outgoing Wed Jul 2 10:49:24 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA26895 for firewalls-outgoing; Wed, 2 Jul 1997 10:41:33 -0700 (PDT) Received: from su1.in.net (su1.in.net [199.0.62.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id KAA26858 for ; Wed, 2 Jul 1997 10:41:24 -0700 (PDT) Received: from pm3-02.in.net by su1.in.net with SMTP (5.65/1.2-eef) id AA28125; Tue, 1 Jul 97 20:20:26 -0400 Message-Id: <3.0.2.32.19970701201820.006a16b0@in.net> X-Sender: frankw@in.net X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.2 (32) Date: Tue, 01 Jul 1997 20:18:20 -0500 To: Kevin Brown - NetComm From: Frank Willoughby Subject: Re: Microsoft plans to offer a firewall Cc: Frank Willoughby , Vin McLellan , firewalls@GreatCircle.COM In-Reply-To: References: <3.0.2.32.19970701072514.006a1968@in.net> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

At 01:17 AM 7/2/97 +0100, someone surely spoofed Kevin Brown - NetComm's mail.

I'm not quite sure what the first part of your mail was trying to point out. From a security standpoint, your PS was somewhat horrifying. As it is reasonably certain that M$ will produce a firewall, I'm rather uncomfortable with your mail's postscript:

>Kevin
>(ps When Banks use MS Firewalls, I am going over the other side, and then
>retire...I know a bank or two today using NT RAS to authenticate Home Dial
>in Banking......anyone want the Bank Names?)

Do you mean that:

o You would actually even think of cracking a bank? Perhaps even one of your own customers?
o You would seriously offer the names of banks with serious security problems?

Sorry, but the concept of what you are proposing is foreign to me. It seems to me that both items in your mail's postscript are in direct opposition to the goals of InfoSec and what one expects from a security consultant. No offense, but if I were one of your customers, I would be *very* nervous right about now.

Again, your mail was spoofed, right?

Best Regards,

Frank

The opinions of the author of this mail may not necessarily be representative of the opinions of Fortified Networks, Inc.

Fortified Networks, Inc.
- http://www.fortified.com/
Expert (vendor-neutral) Computer and Network Security Consulting
Phone: (317) 573-0800 Fax: (317) 573-0817

From owner-firewalls-outgoing Wed Jul 2 11:06:23 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA29194 for firewalls-outgoing; Wed, 2 Jul 1997 10:59:40 -0700 (PDT) Received: from ns.dsw.net (mail.dswnet.com [205.185.134.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id KAA29187; Wed, 2 Jul 1997 10:59:28 -0700 (PDT) Received: from internet.dswnet.com by ns.dsw.net via smtpd (for honor.greatcircle.com [198.102.244.44]) with SMTP; 2 Jul 1997 17:54:18 UT Received: from boni by internet (5.x/SMI-SVR4) id AA09971; Wed, 2 Jul 1997 11:03:29 -0700 Message-Id: <33BA97A0.6BBC5AB5@dsw.net> Date: Wed, 02 Jul 1997 11:02:08 -0700 From: "Boni D. Bruno" Reply-To: bbruno@dsw.net Organization: Data Systems West X-Mailer: Mozilla 4.01 [en] (WinNT; U) Mime-Version: 1.0 To: Firewalls@GreatCircle.COM Cc: firewalls-digest@GreatCircle.COM, bbruno@dsw.net Subject: Re: Firewalls-Digest V6 #307 X-Priority: 3 (Normal) References: <199706302005.NAA23368@honor.greatcircle.com> Content-Type: multipart/mixed; boundary="------------EEF28682C2D82E0D3A85C043" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

This is a multi-part message in MIME format.

--------------EEF28682C2D82E0D3A85C043 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable

Date: 30 Jun 97 12:48:49 +0000
From: manuel.ricca@pararede.pt
Subject: Borderware

Does anyone have experience with Borderware Firewall? If so, how/where would you place it comparing to Raptor, Pix and FW-1?

TIA,
.M
Manuel Ricca (manuel.ricca@pararede.pt)
ParaRede - Tecnologias de Comunicação, S.A.
Tel: +351 1 3020451 Fax: +351 1 3020444 Borderware runs on the Intel platform only (Secure Computing recommends a clone machine); some of the better-known name-brand machines like Compaq usually will not work. Borderware is built on a bastion implementation of BSD Unix which you have no access to. BorderWare defines a new product category of firewalls by combining packet filters and circuit-level gateways with application servers into a single self-contained system. BorderWare includes a secure Mail server, dual Name servers (internal and external), a News server, an anonymous FTP server, a WWW server and a Finger information server which you can choose to enable or disable. With the latest version Borderware 4.x, all configuration is done from a remote html browser which is extremely slow! Their front end is all Java; using their html forms to configure DNS for 15 zones took me all day just because the updates via the browser were taking forever! I can configure the same DNS information on UNIX or NT running either FW-1 or Raptor in an hour. Pix does not run on top of an operating system, so DNS is configured elsewhere. If you choose to enable the news server on Borderware, you do take a performance hit. Based on my experience, Borderware is not an enterprise level firewall server and it offers very little flexibility. It can support a maximum of three interfaces: external, internal and SSN (a.k.a. DMZ). I would position this product to customers who have no experience setting up internet servers, DNS, MAIL, etc. Also, there are no internal authentication capabilities with Borderware, no skey, secure-id, nothing to authenticate your rules against. Raptor and FW-1 do offer authentication. The logging capabilities are not as good as Raptor's or FW-1's. Pix requires a syslog host for logging.
If you are like me, and like to see what's going on at a kernel level and have access to modify your firewall system, Borderware will frustrate you; you are completely locked into their interface. For some people this is better, for others it is not. PIX is a stateful packet filter with support for Dynamic NAT and a failover port to support a standby Pix server, which is very nice. If you need extensive logging information though, it comes up short. Also, Pix comes with no Proxies and only supports two interfaces; I find myself having to supplement PIX with several proxies. FW-1 also is a stateful packet filter with some application software support for telnet, ftp and http. FW-1 offers a lot of flexibility and can support various interfaces, good logging capabilities, but no proxies. Also, FW-1v2.x does not integrate their NAT configuration with their GUI, you have to set this up at the command line. I hear FW-1v3.x fixes this, but I can not comment on this yet. I often supplement FW-1 with proxies. Raptor also has good logging capabilities and has support for various interfaces, and it does come with several proxies. Raptor being an application gateway firewall, NAT is inherently built in to the product. All products have support for VPN, remote management and snmp traps. -- Boni D. Bruno Vice President of Engineering Data Systems West, Inc.
http://www.dsw.net Phone: (818) 883-9800 x 225 email:bbruno@dsw.net From owner-firewalls-outgoing Wed Jul 2 11:19:00 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA00665 for firewalls-outgoing; Wed, 2 Jul 1997 11:17:26 -0700 (PDT) Received: from polaris.pacificnet.net (polaris.pacificnet.net [207.171.0.250]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id LAA00626 for ; Wed, 2 Jul 1997 11:17:16 -0700 (PDT) Received: from default (pm14-14.pacificnet.net [207.171.10.47]) by polaris.pacificnet.net (8.8.5/8.8.5) with SMTP id LAA11874; Wed, 2 Jul 1997 11:10:43 -0700 (PDT) Message-ID: <33BA9D51.3602@pacificnet.net> Date: Wed, 02 Jul 1997 11:26:25 -0700 From: "osiris@pacificnet.net" Reply-To: osiris@pacificnet.net X-Mailer: Mozilla 3.01 (Win95; I) MIME-Version: 1.0 To: John Whittaker CC: firewalls@GreatCircle.COM Subject: Re: Microsoft plans to offer a firewall References: <3.0.32.19970702093428.00f12830@199.107.168.5> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk John Whittaker wrote: > > fyi - salient points from my conversation with microsoft: > > * Microsoft is releasing a new version of Proxy Server. One that works. > * Version 1.0, already offered firewall class security, and has > been in the marketplace since Nov '96. and is dubious.
> * Refer to C&L white paper available on > http://www.microsoft.com/proxy White papers aren't such a good source for information anymore. White papers today == info-mercials. > * The new version will combine enhanced security and performance. > This has never done before. Releasing a product that actually works. > * Microsoft is enhancing its firewall security features as a > result of feedback from small business and branch office customers. Yeah, like "Why the hell doesn't this thing do what it's supposed to?" I'm sorry, but MS should keep out of the security business. Security is one area of concern in which MacDonalds-type manufacturing/merchandising could really hurt people. Secure application design should be left to those who know it. (Yes, yes, I know that MS is contracting some of it to people who DO know what they're doing. However, that won't cure OS-inherent problems that MS has, now, will it? TIS, Raptor or whoever may - and undoubtedly will - create an elegant, effective product for Microsloth only to have their reputations tarnished because some MS tweaker failed to properly implement IP - or some such nonsense.) In my opinion, MS ought to figure out how to prevent their servers from being downed by any Tom, Dick and Harry with a DoS tool before they release a product that will "..combine enhanced security and performance." How can they possibly keep a straight face while telling you some garbage like that? The only thing that will sell MS security products is the lack of security knowledge that a high percentage of their customers now possess. 
From owner-firewalls-outgoing Wed Jul 2 12:14:54 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA04450 for firewalls-outgoing; Wed, 2 Jul 1997 11:48:28 -0700 (PDT) Received: from ftp.com (ftp.com [128.127.2.122]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id LAA04425 for ; Wed, 2 Jul 1997 11:48:18 -0700 (PDT) Received: from ftp.com by ftp.com ; Wed, 2 Jul 1997 14:51:02 -0400 Received: from mailserv-2high.ftp.com by ftp.com ; Wed, 2 Jul 1997 14:51:02 -0400 Received: from lx400.ftp.com by MAILSERV-2HIGH.FTP.COM (SMI-8.6/SMI-SVR4) id OAA23190; Wed, 2 Jul 1997 14:47:07 -0400 Message-Id: <199707021847.OAA23190@MAILSERV-2HIGH.FTP.COM> X-Mapi-Messageclass: IPM To: kgibbs@best.com Cc: firewalls@greatcircle.com X-Mailer: FTP Software Internet Mail 2.0 Mime-Version: 1.0 From: shishir Subject: RE: RIP vs. OSPF Date: Wed, 02 Jul 1997 14:51:26 -0400 Content-Type: text/plain; charset=US-ASCII; X-MAPIextension=".TXT" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I am not a routing protocol expert but I can say that RIP and OSPF have different benefits and drawbacks. OSPF is more complicated but does offer a lot more features like link state, cost, VLSM, quick convergence, etc. However, it is CPU intensive and takes a lot of resources. RIP on the other hand is simpler but limited to 15 hops, based on hop counts whether they are T1s or 56kbps links. My $.02 - shishir >>Reply to your message of 7/2/97 1:04 PM >> >>Would it be a fair statement that OSPF is now the chosen protocol over RIP? >>If so, could someone offer any comment on why and which do you think will >>be the more dominant protocol in the future?
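As an added example, not part of shishir's post, here is the hop-count versus link-cost difference worked on a constructed topology: a direct 56 kbit/s link against a three-hop path over T1s, plus a chain long enough to hit RIP's 15-hop limit. The OSPF cost formula used (reference bandwidth divided by link bandwidth, 100 Mbit/s reference) is the common router default and is an assumption here; OSPF itself leaves interface cost to the administrator.

```python
"""Added example (not from the mailing-list post): how RIP and OSPF would
pick a path on a small constructed topology.  RIP's metric is hop count
(16 = unreachable), so link speed never enters the decision; OSPF sums a
per-link cost, here derived from bandwidth (assumed default formula)."""
import heapq

INFINITY_HOPS = 16          # RIP: a hop count of 16 means "unreachable"
REFERENCE_BW = 100_000_000  # OSPF: assumed reference bandwidth, 100 Mbit/s

# Constructed topology: (neighbour, bandwidth in bit/s) per router.
# R1 reaches R4 either directly over one 56 kbit/s link, or over three
# T1 (1.544 Mbit/s) links via R2 and R3.
TOPOLOGY = {
    "R1": [("R4", 56_000), ("R2", 1_544_000)],
    "R2": [("R1", 1_544_000), ("R3", 1_544_000)],
    "R3": [("R2", 1_544_000), ("R4", 1_544_000)],
    "R4": [("R1", 56_000), ("R3", 1_544_000)],
}


def ospf_cost(bandwidth):
    """OSPF interface cost: reference bandwidth / link bandwidth, minimum 1."""
    return max(1, REFERENCE_BW // bandwidth)


def shortest_path(topology, src, dst, metric):
    """Dijkstra over the topology; metric(bandwidth) is a link's weight.
    Returns (total_metric, [path]) or (None, []) if dst is unreachable."""
    dist = {src: 0}
    prev = {}
    heap = [(0, src)]
    while heap:
        d, node = heapq.heappop(heap)
        if node == dst:
            path = [dst]
            while path[-1] != src:
                path.append(prev[path[-1]])
            return d, path[::-1]
        if d > dist.get(node, float("inf")):
            continue  # stale heap entry
        for nbr, bw in topology[node]:
            nd = d + metric(bw)
            if nd < dist.get(nbr, float("inf")):
                dist[nbr] = nd
                prev[nbr] = node
                heapq.heappush(heap, (nd, nbr))
    return None, []


def rip_route(topology, src, dst):
    """RIP view: every link costs one hop; 16 or more hops is unreachable."""
    hops, path = shortest_path(topology, src, dst, lambda bw: 1)
    if hops is None or hops >= INFINITY_HOPS:
        return INFINITY_HOPS, []
    return hops, path


def ospf_route(topology, src, dst):
    """OSPF view: lowest sum of bandwidth-derived interface costs."""
    return shortest_path(topology, src, dst, ospf_cost)


def long_chain(n):
    """Constructed chain R0-R1-...-Rn of T1 links, to show RIP's hop limit."""
    topo = {}
    for i in range(n + 1):
        links = []
        if i > 0:
            links.append((f"R{i - 1}", 1_544_000))
        if i < n:
            links.append((f"R{i + 1}", 1_544_000))
        topo[f"R{i}"] = links
    return topo


if __name__ == "__main__":
    print("RIP  R1->R4:", rip_route(TOPOLOGY, "R1", "R4"))    # 1 hop, over the 56k link
    print("OSPF R1->R4:", ospf_route(TOPOLOGY, "R1", "R4"))   # cost 192, over the T1s
    print("RIP  16-hop chain:", rip_route(long_chain(16), "R0", "R16"))  # unreachable
```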
From owner-firewalls-outgoing Wed Jul 2 12:36:27 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA09686 for firewalls-outgoing; Wed, 2 Jul 1997 12:30:34 -0700 (PDT) Received: from netcomm.NetComm.IE (02-static-a.wokingham.luna.net [195.188.67.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id MAA09643 for ; Wed, 2 Jul 1997 12:30:19 -0700 (PDT) Received: from [129.156.240.33] (kevin-mac [129.156.240.33]) by netcomm.NetComm.IE (8.8.0/8.7) with ESMTP id HAA00359; Wed, 2 Jul 1997 07:21:12 GMT X-Sender: kevinbr@129.156.240.1 Message-Id: In-Reply-To: <3.0.2.32.19970701201820.006a16b0@in.net> References: <3.0.2.32.19970701072514.006a1968@in.net> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Wed, 2 Jul 1997 20:32:02 +0100 To: Frank Willoughby From: Kevin Brown - NetComm Subject: Re: Microsoft plans to offer a firewall Cc: Frank Willoughby , Vin McLellan , firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Frank, No I was not spoofed, but I have discovered that you do not have a sense of humour. ;-> In reality, when banks start to use MS products for Firewalls, I will retire. I was trying to point out that MS can even today snare people into taking actions that are terribly foolish. Would you advise a bank to allow any customer to dial in for bank transactions with NT RAS as the sole form of Authentication for their internal Net? I did not name the bank, it was a JOKE Ha Ha MS, get it.....ah well, I will go back to lurking. NOTICE TO ALL: No you cannot know what bank is doing this, no I will not rob a bank, no I will not speed in my car. Frank, if I were really going to do this, do you really think that I would announce it here? regards, Kevin At 2:18 +0100 2/7/97, Frank Willoughby wrote: >At 01:17 AM 7/2/97 +0100, someone surely spoofed Kevin Brown - NetComm's >mail. > >I'm not quite sure what the first part of your mail was trying to point >out.
From a security standpoint, your ps was somewhat horrifying. As >it is reasonably certain that M$ will produce a firewall, I'm rather >uncomfortable with your mail's postscript: > >>Kevin >>(ps When Banks use MS Firewalls, I am going over the other side, and then >>retire...I know a bank or two today using NT RAS to authenticate Home Dial >>in Banking......anyone want the Bank Names?) > >Do you mean that: >o You would actually even think of cracking a bank? Perhaps even one of > your own customers? >o You would seriously offer the names of banks with serious security > problems? > >Sorry, but the concept of what you are proposing is foreign to me. >It seems to me that both items in your mail's postscript seem to >be in direct opposition to the goals of InfoSec and what one expects >from a security consultant. No offense, but if I was one of your >customers, I would be *very* nervous right about now. > >Again, your mail was spoofed, right? > >Best Regards, > > >Frank >The opinions of the author of this mail may not necessarily be >representative of the opinions of Fortified Networks, Inc. > >Fortified Networks, Inc.
- http://www.fortified.com/ >Expert (vendor-neutral) Computer and Network Security Consulting >Phone: (317) 573-0800 Fax: (317) 573-0817 //////////////////////////////////////////////////////////// Kevin Brown | N \ We operate in Ireland, UK NetComm | e / and the Middle East Internet Training, | t \ --DUBAI-- Consultancy and Networking | C / Voice: +971-4-491476 | o \ Fax: +971-4-492957 Sun Microsystems | m / --UK-- Internet Associate | m \ Voice: +44-467-365419 | / Fax: +44-1276-35197 The Internet | \ email: kevinbr@netcomm.ie Experts | / info@netcomm.ie | \ http://www.netcomm.ie \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ From owner-firewalls-outgoing Wed Jul 2 13:04:42 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA11743 for firewalls-outgoing; Wed, 2 Jul 1997 12:44:14 -0700 (PDT) Received: from mail.baileynm.com (fw.baileynm.com [206.109.159.11]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id MAA11608 for ; Wed, 2 Jul 1997 12:43:36 -0700 (PDT) Received: (qmail 29622 invoked from smtpd); 2 Jul 1997 19:46:16 -0000 Received: from web.nmti.com (root@198.178.0.201) by fw.nmti.com with SMTP; 2 Jul 1997 19:46:16 -0000 Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id OAA12129; Wed, 2 Jul 1997 14:46:16 -0500 Received: by sonic.nmti.com; id AA13147; Wed, 2 Jul 1997 14:47:04 -0500 From: peter@baileynm.com (Peter da Silva) Message-Id: <9707021947.AA13147@sonic.nmti.com.nmti.com> Subject: Re: Microsoft plans to offer a firewall To: john@credo.net (John Whittaker) Date: Wed, 2 Jul 1997 14:47:04 -0500 (CDT) Cc: firewalls@GreatCircle.COM In-Reply-To: <3.0.32.19970702093428.00f12830@199.107.168.5> from "John Whittaker" at Jul 2, 97 09:34:30 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > From: John Whittaker "CREDO" means "I believe", right? 
I hope you didn't believe this stuff: > fyi - salient points from my conversation with microsoft: > * Microsoft is releasing a new version of Proxy Server. I believe. > * Version 1.0, already offered firewall class security, and has > been in the marketplace since Nov '96. Nope. > * The new version will combine enhanced security and performance. > This has never done before. Oh boy, what does *this* mean? > * Proxy Server 2.0 will be a better alternative to Netscape Proxy > Server and Novell Border Manager They're not comparing it with real firewall packages. > * Extensible firewall security Extensible security? What the hell is "extensible security"? > * Proxy Server 2.0 is an "extensible firewall" platform, which > creates opportunities for 3rd parties to extend and complement Proxy > Server's network security capabilities Oh, it means you can add 3rd party products to reduce the security. From owner-firewalls-outgoing Wed Jul 2 13:21:03 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA07977 for firewalls-outgoing; Wed, 2 Jul 1997 12:14:06 -0700 (PDT) Received: from toadflax.cs.ucdavis.edu (toadflax.cs.ucdavis.edu [128.120.56.188]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id MAA07928 for ; Wed, 2 Jul 1997 12:13:47 -0700 (PDT) Received: from nob (nob.cs.ucdavis.edu) by toadflax.cs.ucdavis.edu (4.1/UCD.CS.2.6) id AA28831; Wed, 2 Jul 97 12:16:08 PDT Received: by nob (SMI-8.6/UCDCS.SECLAB.Solaris2-2.0) id MAA20825; Wed, 2 Jul 1997 12:15:54 -0700 Date: Wed, 2 Jul 1997 12:15:54 -0700 From: bishop@cs.ucdavis.edu (Matt Bishop) Message-Id: <199707021915.MAA20825@nob> To: firewalls@greatcircle.com Subject: CFP: 1998 SNDSS (updated; last reminder!) 
Sender: firewalls-owner@GreatCircle.COM Precedence: bulk CALL FOR PAPERS The Internet Society Symposium on Network and Distributed System Security Where: Catamaran Resort, San Diego, California When: March 11-13, 1998 GOAL: The symposium will foster information exchange between hardware and software developers of network and distributed system security services. The intended audience is those who are interested in the practical aspects of network and distributed system security, focusing on actual system design and implementation, rather than theory. Encouraging and enabling the Internet community to apply, deploy, and advance the state of available security technology is the major focus of the symposium. Symposium proceedings will be published by the Internet Society. Topics for the symposium include, but are not limited to, the following: * Architectures for large-scale, heterogeneous distributed systems * Security in malleable systems: mobile code, mobile agents, dynamic policy updates, etc. * Special problems: e.g. interplay between security goals and other goals -- efficiency, reliability, interoperability, resource sharing, and cost. * Integrating security services with system and application security facilities and with application protocols, including message handling, file transport, remote file access, directories, time synchronization, data base management, routing, voice and video multicast, network management, boot services, and mobile computing. * Fundamental services: authentication, integrity, confidentiality, authorization, non-repudiation, and availability. * Supporting mechanisms and APIs: key management and certification infrastructures, audit, and intrusion detection. * Telecommunications security, especially for emerging technologies -- very large systems like the Internet, high-speed systems like the gigabit testbeds, wireless systems, and personal communication systems.
* Controls: firewalls, packet filters, application gateways * Object security and security objects * Network information resources and tools such as World Wide Web (WWW), Gopher, Archie, and WAIS. * Electronic commerce: payment services, fee-for-access, EDI, notary; endorsement, licensing, bonding, and other forms of assurance; intellectual property protections GENERAL CHAIR: David Balenson, Trusted Information Systems PROGRAM CHAIRS: Matt Bishop, University of California at Davis Steve Kent, BBN PROGRAM COMMITTEE: Steve Bellovin, AT&T Labs -- Research Doug Engert, Argonne National Laboratories Warwick Ford, VeriSign Li Gong, JavaSoft Rich Graveman, Bellcore Ari Juels, RSA Laboratories Tom Longstaff, CERT/CC Doug Maughan, National Security Agency Dan Nessett, 3Com Corporation Rich Parker, NATO Michael Roe, Cambridge University Rob Rosenthal, DARPA Wolfgang Schneider, GMD Darmstadt Christoph Schuba, Purdue University Win Treese, Open Market, Inc. Jonathan Trostle, Novell Gene Tsudik, USC/Information Sciences Institute Steve Welke, Institute for Defense Analyses LOCAL ARRANGEMENTS CHAIR: Thomas Hutton, San Diego Supercomputer Center PUBLICATIONS CHAIR: Steve Welke, Institute for Defense Analyses LOGISTICS CHAIR: Torryn Brazell, Internet Society SUBMISSIONS: The committee invites technical papers and panel proposals, for topics of technical and general interest. Technical papers should be 10-20 pages in length. Panel proposals should be two pages and should describe the topic, identify the panel chair, explain the format of the panel, and list three to four potential panelists. Technical papers will appear in the proceedings. A description of each panel will appear in the proceedings, and may at the discretion of the panel chair, include written position statements from each panelist. 
Each submission must contain a separate title page with the type of submission (paper or panel), the title or topic, the names of the author(s), organizational affiliation(s), telephone and FAX numbers, postal addresses, Internet electronic mail addresses, and must list a single point of contact if more than one author. The names of authors, affiliations, and other identifying information should appear only on the separate title page. Submissions must be received by 1 August 1997, and should be made via electronic mail in either PostScript or ASCII format. If the committee is unable to print a PostScript submission, it will be returned and hardcopy requested. Therefore, PostScript submissions should arrive well before 1 August. If electronic submission is difficult, submissions should be sent via postal mail. All submissions and program related correspondence (only) should be directed to the program chair: Matt Bishop, Department of Computer Science, University of California at Davis, Davis CA 95616-8562, Email: sndss98-submissions@cs.ucdavis.edu. Phone: +1 (916) 752-8060, FAX: +1 (916) 752-4767. Dates, final call for papers, advance program, and registration information will be available at the URL: http://www.isoc.org/conferences/ndss98. Each submission will be acknowledged by e-mail. If acknowledgment is not received within seven days, please contact the program chair as indicated above. Authors and panelists will be notified of acceptance by 1 October 1997. Instructions for preparing camera-ready copy for the proceedings will be sent at that time. The camera-ready copy must be received by 1 November 1997.
From owner-firewalls-outgoing Wed Jul 2 13:49:08 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA15925 for firewalls-outgoing; Wed, 2 Jul 1997 13:15:26 -0700 (PDT) Received: from mail.credo.net (mail.noc.credo.net [199.107.168.7]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA15916 for ; Wed, 2 Jul 1997 13:15:20 -0700 (PDT) Received: from darkstar.noc.credo.net (darkstar.noc.credo.net [199.107.168.9]) by mail.credo.net (8.8.5/8.7.3) with SMTP id NAA12470; Wed, 2 Jul 1997 13:17:48 -0700 (PDT) Message-Id: <3.0.32.19970702131425.00a68bb0@199.107.168.5> Received: from john.credo.net ([199.107.169.3]) by darkstar.noc.credo.net via smtpd (for mail.noc.credo.net [199.107.168.5]) with SMTP; 2 Jul 1997 20:16:46 UT X-Sender: john@199.107.168.5 X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Wed, 02 Jul 1997 13:14:28 -0700 To: peter@baileynm.com (Peter da Silva) From: John Whittaker Subject: Re: Microsoft plans to offer a firewall Cc: firewalls@GreatCircle.COM Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk um. actually this was just for the list's benefit. i thought that it would be best to know exactly what microsoft had in mind...or at least was saying that they had in mind, rather than the "i heard this from a friend" thing. whether or not i believe microsoft is not really pertinent to this list. john. At 02:47 PM 7/2/97 -0500, you wrote: >> From: John Whittaker > >"CREDO" means "I believe", right? I hope you didn't believe this stuff: > >> fyi - salient points from my conversation with microsoft: > >> * Microsoft is releasing a new version of Proxy Server. > >I believe. > >> * Version 1.0, already offered firewall class security, and has >> been in the marketplace since Nov '96. > >Nope. > >> * The new version will combine enhanced security and performance. >> This has never done before. > >Oh boy, what does *this* mean?
> >> * Proxy Server 2.0 will be a better alternative to Netscape Proxy >> Server and Novell Border Manager > >They're not comparing it with real firewall packages. > >> * Extensible firewall security > >Extensible security? What the hell is "extensible security"? > >> * Proxy Server 2.0 is an "extensible firewall" platform, which >> creates opportunities for 3rd parties to extend and complement Proxy >> Server's network security capabilities > >Oh, it means you can add 3rd party products to reduce the security. > > From owner-firewalls-outgoing Wed Jul 2 13:50:18 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA16445 for firewalls-outgoing; Wed, 2 Jul 1997 13:19:33 -0700 (PDT) Received: from lint.cisco.com (lint.cisco.com [171.68.223.44]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA16438 for ; Wed, 2 Jul 1997 13:19:26 -0700 (PDT) Received: from big-dawgs.cisco.com (herndon-dhcp-109.cisco.com [171.68.53.109]) by lint.cisco.com (8.8.5/CISCO.SERVER.1.2) with SMTP id NAA15164; Wed, 2 Jul 1997 13:21:46 -0700 (PDT) Message-Id: <3.0.1.32.19970702162144.006bf030@lint.cisco.com> X-Sender: pferguso@lint.cisco.com X-Mailer: Windows Eudora Pro Version 3.0.1 (32) Date: Wed, 02 Jul 1997 16:21:44 -0400 To: "Kelly E. Gibbs" From: Paul Ferguson Subject: Re: RIP vs. OSPF Cc: firewalls@GreatCircle.COM In-Reply-To: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 08:51 AM 07/02/97 -0700, Kelly E. Gibbs wrote: > >Would it be a fair statement that OSPF is now the chosen protocol over RIP? I'm not sure what you mean by "chosen," but I would suggest that it [ospf] is much more preferable over any classful routing protocol, especially RIP. 
I would also suggest reading: RFC1923, "RIPv1 Applicability Statement for Historic Status," http://www.internic.net/rfc/rfc1923.txt >If so, could someone offer any comment on why and which do you think will >be the more dominant protocol in the future? > Classless routing protocols, of course. - paul >Thanks, >Kelly > -- Paul Ferguson || || Consulting Engineering || || Herndon, Virginia USA |||| |||| tel: +1.703.397.5938 ..:||||||:..:||||||:.. e-mail: pferguso@cisco.com c i s c o S y s t e m s From owner-firewalls-outgoing Wed Jul 2 13:51:20 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA11488 for firewalls-outgoing; Wed, 2 Jul 1997 12:43:10 -0700 (PDT) Received: from smartwall.v-one.com (smartwall.v-one.com [206.205.89.11]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id MAA11440 for ; Wed, 2 Jul 1997 12:42:54 -0700 (PDT) Received: by smartwall.v-one.com; id PAA01425; Wed, 2 Jul 1997 15:45:41 -0400 (EDT) Received: from nt-fs1.v-one.com(198.69.135.3) by smartwall.v-one.com via smap (3.2) id xma001419; Wed, 2 Jul 97 15:45:29 -0400 Received: by nt-fs1.V-ONE.COM with Internet Mail Service (5.0.1457.3) id ; Wed, 2 Jul 1997 15:54:00 -0400 Message-ID: From: "McMahan, Peg" To: "'Adam Shostack'" , bonomi@delta.ece.nwu.edu Cc: firewalls@GreatCircle.COM Subject: RE: Remote management of firewalls internationally Date: Wed, 2 Jul 1997 15:53:58 -0400 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1457.3) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Simple solution: If remote administration is a necessary component, buy a firewall that has the functionality built in. One has to understand, however, that there is always the possibility of problems that absolutely require a user at the console. If considerations aren't made for incidents in which user intervention is required, then you have to rethink things.
It's all well and good to have remote admin, it's a nice feature.... however it is silly to think that you can rely on it in all situations. Adam, you make a good point. Our support staff has been receiving a good number of calls lately from people whose firewalls got messed up during recent severe storms... It's no fun explaining to a person that they can't reach their firewall remotely if it's sitting in a closet in a remote location, at a single user prompt needing to be fsck'd because the UPS didn't last as long as the power outage did. > -----Original Message----- > From: Adam Shostack [SMTP:adam@homeport.org] > Sent: Wednesday, July 02, 1997 7:18 AM > To: bonomi@delta.ece.nwu.edu > Cc: firewalls@GreatCircle.COM > Subject: Re: Remote management of firewalls internationally > > Robert Bonomi wrote: > > | Or, if you can't change configuration without taking it down to > | 'single user'? > > | A solution: > | > | This takes -two- firewall machines, and a 'secure server' behind > each one. > | you run a secure, encrypted, channel from the management location to > either > | 'secure server', as needed. The 'secure server' connects, via > _serial_ port, > | to the *other* firewall box's console port. > > And when both machines foobar due to AC failing, followed by > power failing? Can you accept 24 hours of downtime? And UPSs fail as > well. Remember what happened to BBNPlanet's Stanford facility. > | > | A less expensive solution is to have someone _local_, > _who_speaks_the_same_ > | _language_ (*fluently*!) as support -staff-, who can be called on to > play > | "voice actuated terminal", for those occasions where 'secure remote > access > | _through_ the box' fails. This person merely needs the ability to > follow > | directions _precisely_, and observe and report *accurately*. The > risk here > | is mostly an added exposure to a 'social engineering' attack. 
> > But you also have someone who can go by to check on the > physical security and integrity of your location. I would not run a > firewall without a unix sysadmin type with a few brain cells within a > reasonable transit distance. If you've got office space in the area, > you've got people. If you don't have office space in the area, why > are you deploying security tools there? > > Adam > > -- > "It is seldom that liberty of any kind is lost all at once." > -Hume > From owner-firewalls-outgoing Wed Jul 2 14:21:20 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA18913 for firewalls-outgoing; Wed, 2 Jul 1997 14:04:55 -0700 (PDT) Received: from bolchile.cl (borderware.bolchile.cl [200.29.35.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id OAA18906 for ; Wed, 2 Jul 1997 14:04:44 -0700 (PDT) Received: by borderware.bolchile.cl via suspension id <20577>; Wed, 2 Jul 1997 17:19:18 -0400 Received: from getsadmin ([200.9.215.55]) by borderware.bolchile.cl with SMTP id <20575>; Wed, 2 Jul 1997 17:17:52 -0400 Message-ID: <33BAC277.3CBF@bolchile.cl> Date: Wed, 2 Jul 1997 17:04:55 -0400 From: "Raul Navarro G." Organization: Bolsa Electronica de Chile X-Mailer: Mozilla 3.0 (X11; I; SunOS 5.4 sun4m) MIME-Version: 1.0 To: "Firewall_greatcircle.com" Subject: messages log , Could be attack ? Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk 1) Help me please, what is the meaning of these messages in the messages log? Is there an attack to stop TCP/IP services? What do I need to do to know whether it is an attack? Could it be a problem in my configuration? I haven't changed anything in the last months.
These messages have repeated for more than 3 days:
May 31 04:11:21 www inetd[115]: pop3/tcp: bind: Address already in use
May 31 04:11:21 www inetd[115]: imap/tcp: bind: Address already in use
May 31 04:11:21 www inetd[115]: chargen/tcp: bind: Address already in use
May 31 04:11:21 www inetd[115]: daytime/tcp: bind: Address already in use
May 31 04:11:21 www inetd[115]: discard/tcp: bind: Address already in use
May 31 04:11:21 www inetd[115]: echo/tcp: bind: Address already in use
May 31 04:11:21 www inetd[115]: time/tcp: bind: Address already in use
May 31 04:11:21 www inetd[115]: finger/tcp: bind: Address already in use
May 31 04:11:21 www inetd[115]: uucp/tcp: bind: Address already in use
May 31 04:11:21 www inetd[115]: exec/tcp: bind: Address already in use
May 31 04:11:21 www inetd[115]: login/tcp: bind: Address already in use
May 31 04:11:21 www inetd[115]: shell/tcp: bind: Address already in use
May 31 04:11:21 www inetd[115]: telnet/tcp: bind: Address already in use
May 31 04:11:21 www inetd[115]: ftp/tcp: bind: Address already in use
2) What are the following messages in netstat? 0 usr2-dialup57.Denver.mci.net.2820 8760 0 8760 0 TIME_WAIT The local address is 0? How can that be? Many thanks, Raul Navarro G.
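As an added example, not part of Raul's post or any reply to it, here is a small parser for the inetd lines he quotes: it groups the "bind: Address already in use" failures by inetd process and timestamp, so an administrator can see whether they are one burst from a single inetd start-up or keep recurring, and which services are affected. The sample log below is constructed from a subset of his lines plus one unrelated syslog line; the sendmail line and the second day's entry are made up for the example.

```python
"""Added example (not from the mailing-list post): summarise inetd
'bind: Address already in use' messages from a syslog file.  bind(2)
fails with that error when a socket on the port already exists on the
local host, so the question for the admin is which process holds the
ports and why inetd keeps being (re)started."""
import re
from collections import defaultdict

# Matches lines of the form shown in the post:
# "May 31 04:11:21 www inetd[115]: pop3/tcp: bind: Address already in use"
BIND_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"inetd\[(?P<pid>\d+)\]: (?P<service>[\w-]+)/(?P<proto>tcp|udp): "
    r"bind: Address already in use$"
)


def parse_bind_failures(lines):
    """Return one dict per inetd bind failure; non-matching lines are ignored."""
    found = []
    for line in lines:
        m = BIND_FAIL.match(line.strip())
        if m:
            found.append(m.groupdict())
    return found


def summarise(failures):
    """Group failures by (timestamp, inetd pid).  One group is one inetd
    start-up in which every listed service's port was already taken."""
    bursts = defaultdict(list)
    for f in failures:
        bursts[(f["ts"], f["pid"])].append(f"{f['service']}/{f['proto']}")
    return {key: sorted(svcs) for key, svcs in bursts.items()}


def assessment(failures):
    """Plain-language reading of the pattern for the person reading the log."""
    bursts = summarise(failures)
    if not bursts:
        return "no inetd bind failures found"
    n_services = len({s for svcs in bursts.values() for s in svcs})
    if len(bursts) == 1:
        return (f"one burst of {n_services} services failing to bind from a "
                "single inetd start: check with netstat -a and ps whether "
                "another inetd or standalone daemons already hold those ports")
    return (f"{len(bursts)} bursts across {n_services} services: inetd is "
            "being restarted repeatedly while the ports stay occupied; find "
            "the process holding them and the cause of the restarts")


# Constructed sample: four lines from the post, one unrelated syslog line
# (ignored by the parser) and one made-up entry from a later inetd start.
SAMPLE_LOG = """\
May 31 04:11:21 www inetd[115]: pop3/tcp: bind: Address already in use
May 31 04:11:21 www inetd[115]: imap/tcp: bind: Address already in use
May 31 04:11:21 www inetd[115]: telnet/tcp: bind: Address already in use
May 31 04:11:21 www inetd[115]: ftp/tcp: bind: Address already in use
May 31 04:12:05 www sendmail[130]: alias database /etc/aliases rebuilt
Jun  1 04:11:22 www inetd[117]: pop3/tcp: bind: Address already in use
""".splitlines()

if __name__ == "__main__":
    fails = parse_bind_failures(SAMPLE_LOG)
    for key, svcs in summarise(fails).items():
        print(key, svcs)
    print(assessment(fails))
```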
From owner-firewalls-outgoing Wed Jul 2 14:41:11 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA20548 for firewalls-outgoing; Wed, 2 Jul 1997 14:32:41 -0700 (PDT) Received: from braila.iiruc.ro (braila.iiruc.ro [193.226.145.209]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id OAA20541 for ; Wed, 2 Jul 1997 14:32:29 -0700 (PDT) Received: from ppp01-braila.iiruc.ro by braila.iiruc.ro id aa16207; 3 Jul 97 0:31 EETDST Message-ID: <33BB2697.35B0@geocities.com> Date: Wed, 02 Jul 1997 21:12:08 -0700 From: Gabriel Dura Reply-To: dura@geocities.com X-Mailer: Mozilla 3.01Gold (Win16; I) MIME-Version: 1.0 To: Joe Pollock CC: firewalls@greatcircle.com Subject: ICQ messaging system (was Re: ICQ network) References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk One observation about ICQ messaging... Sending a message to a user can be done in two ways: - using WWW pager (see http:///www.mirabilis.com) - using the send message feature from the ICQ program. The WWW pager procedure is done using a form. Sending the message is done using a GET method. The GET method has a limited number of characters that can be sent. Well, the messaging feature of the main program supports the same number of characters as the GET method. This leads me to the idea that they are actually using their CGI scripts for this. I think someone should verify this. I don't have the means to do that here... Hope it helps, Gabriel Joe Pollock wrote: > > One of my users sent me a spam message concerning the ICQ ("I Seek You") > Network, which claims to reduce an individual's Net identity to a single > number, announce to others when the individual is on-line, spawn IRC, > Internet Phone, email, video, etc. on command ... the list goes on and on.
> > Here's the URL: > > http://www.mirabilis.com > > I found the site sadly lacking in technical detail (surprise, surprise > :-). The package you download is a beta release of a soon-to-be > commercial application. > > Anyone got any hard technical details to supply? I can hardly wait for > my users to start lobbying for something like this. > > Joe Pollock > The Evergreen State College > Olympia, WA 98505 From owner-firewalls-outgoing Wed Jul 2 15:20:01 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA23203 for firewalls-outgoing; Wed, 2 Jul 1997 14:52:47 -0700 (PDT) Received: from dns2.infocom.etecsa.cu (infocom.etecsa.cu [169.158.64.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id OAA23141 for ; Wed, 2 Jul 1997 14:52:23 -0700 (PDT) Received: by dns2.infocom.etecsa.cu (Smail3.1.28.1 #3) id m0wjXMd-0009FAC; Wed, 2 Jul 97 17:55 EDT Received: from manati.in.etecsa.cu by mail.infocom.etecsa.cu with SMTP id XXXXXXXX-Xa00976; Wed, 02 Jul 97 17:55 EDT Received: by manati.in.etecsa.cu (Smail3.1.28.1 #3) id m0wjXMc-0003UWC; Wed, 2 Jul 97 17:55 EDT Message-Id: To: firewalls@greatcircle.com Date: Wed, 2 Jul 1997 17:55:01 -0400 (EDT) From: Asley Lugo Avila X-Mailer: ELM [version 2.4 PL13] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk remove From owner-firewalls-outgoing Wed Jul 2 15:35:43 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA23505 for firewalls-outgoing; Wed, 2 Jul 1997 14:56:50 -0700 (PDT) Received: from polaris.pacificnet.net (polaris.pacificnet.net [207.171.0.250]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id OAA23496 for ; Wed, 2 Jul 1997 14:56:34 -0700 (PDT) Received: from default (pm14-7.pacificnet.net [207.171.10.40]) by polaris.pacificnet.net (8.8.5/8.8.5) with SMTP id OAA14800; Wed, 2 Jul 1997 14:50:03 -0700 (PDT) Message-ID: 
<33BAD0BD.4399@pacificnet.net> Date: Wed, 02 Jul 1997 15:05:49 -0700 From: "osiris@pacificnet.net" Reply-To: osiris@pacificnet.net X-Mailer: Mozilla 3.01 (Win95; I) MIME-Version: 1.0 To: "Kelly E. Gibbs" CC: Anton J Aylward , firewalls@GreatCircle.COM Subject: Re: Microsoft plans to offer a firewall References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Kelly E. Gibbs wrote: > > > Throughout M$'s wonderful climb to dominate the world, where's the > Justice Department? I wonder if Janet Reno uses '95? Wonder if she owned > shares of Apple stock in the past? Ahhh... there are other possibilities. Here's the most likely: A. The folks in the Antitrust division are cowards; or B. Their lawyers (DOJ) don't understand Antitrust law enough to pull it off. In my opinion, it's probably a bit of both. Either that, or they are closet Bork-ists up there. Bork has a rather novel view about Antitrust (one that is not entirely unsupported). To get a taste of that view (any DOJ personnel on this list?) try "The Antitrust Paradox: A Policy at War with Itself." (ISBN: 0-02-904455-3.) But, that's academic, because the DOJ - for whatever reason - has failed (and will continue to fail) in challenging M$. From owner-firewalls-outgoing Wed Jul 2 15:49:12 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id PAA24978 for firewalls-outgoing; Wed, 2 Jul 1997 15:15:17 -0700 (PDT) Received: from oxygen.house.gov (oxygen.house.gov [137.18.128.6]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id PAA24969 for ; Wed, 2 Jul 1997 15:15:10 -0700 (PDT) Received: by oxygen.house.gov (AIX 3.2/UCB 5.64/4.03) id AA39947; Wed, 2 Jul 1997 18:13:38 -0400 Date: Wed, 2 Jul 1997 18:13:38 -0400 From: johns@oxygen.house.gov (John Schnizlein) Message-Id: <9707022213.AA39947@oxygen.house.gov> To: firewalls@greatcircle.com, kgibbs@best.com Subject: Re: RIP vs. 
OSPF Sender: firewalls-owner@GreatCircle.COM Precedence: bulk | From: "Kelly E. Gibbs" | Subject: RIP vs. OSPF | Mime-Version: 1.0 | Sender: firewalls-owner@GreatCircle.COM | | Would it be a fair statement that OSPF is now the chosen protocol over RIP? | If so, could someone offer any comment on why and which do you think will | be the more dominant protocol in the future? Enough problems with RIP caused people to create RIP-2. To quote from RFC 2200, the INTERNET OFFICIAL PROTOCOL STANDARDS: RIP -- The Routing Information Protocol (RIP) is widely implemented and used in the Internet. However, both implementors and users should be aware that RIP has some serious technical limitations as a routing protocol. The IETF is currently developing several candidates for a new standard "open" routing protocol with better properties than RIP. The IAB urges the Internet community to track these developments, and to implement the new protocol when it is standardized; improved Internet service will result for many users. The worst thing about RIP is the large number of host computers configured to listen to RIP rather than use an appropriate router discovery protocol. This is relevant to firewalls (it needed a hook, didn't it? :-) because of the obvious threat to the security of a host if a bad guy sends it false route information that gets the packet stream sent to a host involved in spoofing. The best solution for security purposes is to (hard) configure the default router into your host computers. Unfortunately, this is not the most robust configuration against network failure because it locks the host into a single path when multiple (valid) routers may be available. 
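To make the threat in John's post concrete, here is an added example (mine, not code from any poster on this list) of what a host that listens to RIP on UDP/520 would accept, and the checks a cautious listener could apply before installing a route: a RIPv1/v2 datagram builder and parser plus an audit that flags responses from routers outside an allowlist, default-route (0.0.0.0) announcements, RIPv2 responses with no authentication entry, and out-of-range metrics. The trusted router 192.0.2.1, the spoofing host 192.0.2.66 and the sample datagrams are constructed (192.0.2.0/24 is documentation space). The static default route John recommends remains the simpler fix: a host that runs no RIP listener has nothing to audit.

```python
import struct
import ipaddress

# RIP (RFC 1058 / RFC 2453) runs on UDP/520. Constants below are from the RFCs.
RIP_PORT = 520
CMD_REQUEST, CMD_RESPONSE = 1, 2
AFI_IP = 2            # address family identifier: IP
AFI_AUTH = 0xFFFF     # RIPv2 authentication entry marker
AUTH_SIMPLE = 2       # RIPv2 simple (cleartext) password authentication
ENTRY_LEN = 20        # every route entry (and the auth entry) is 20 bytes
METRIC_INFINITY = 16

# Assumed allowlist of routers this host is willing to learn routes from (constructed).
TRUSTED_ROUTERS = {"192.0.2.1"}


def build_rip_response(version, routes, password=None):
    """Build a RIP response. routes: iterable of (address, mask, next_hop, metric)."""
    pkt = struct.pack("!BBH", CMD_RESPONSE, version, 0)
    if version == 2 and password is not None:
        # Auth entry: AFI 0xFFFF, auth type in the route-tag slot, 16-byte password.
        pkt += struct.pack("!HH16s", AFI_AUTH, AUTH_SIMPLE, password.encode())
    for address, mask, next_hop, metric in routes:
        pkt += struct.pack("!HH4s4s4sI", AFI_IP, 0,
                           ipaddress.IPv4Address(address).packed,
                           ipaddress.IPv4Address(mask).packed,
                           ipaddress.IPv4Address(next_hop).packed,
                           metric)
    return pkt


def parse_rip(dgram):
    """Return (command, version, entries, authenticated); entries is a list of dicts."""
    if len(dgram) < 4 or (len(dgram) - 4) % ENTRY_LEN:
        raise ValueError("malformed RIP datagram")
    command, version, _zero = struct.unpack("!BBH", dgram[:4])
    entries, authenticated = [], False
    for off in range(4, len(dgram), ENTRY_LEN):
        afi, tag = struct.unpack("!HH", dgram[off:off + 4])
        if afi == AFI_AUTH and off == 4:
            authenticated = True          # auth entry must be the first entry
            continue
        addr, mask, nh, metric = struct.unpack("!4s4s4sI", dgram[off + 4:off + ENTRY_LEN])
        entries.append({
            "afi": afi, "tag": tag,
            "address": str(ipaddress.IPv4Address(addr)),
            "mask": str(ipaddress.IPv4Address(mask)),
            "next_hop": str(ipaddress.IPv4Address(nh)),
            "metric": metric,
        })
    return command, version, entries, authenticated


def audit_rip(src_ip, dgram, trusted_routers=TRUSTED_ROUTERS):
    """Findings a listening host should raise before installing routes from this datagram."""
    findings = []
    command, version, entries, authenticated = parse_rip(dgram)
    if command != CMD_RESPONSE:
        return findings                   # requests carry no routes to be poisoned by
    if src_ip not in trusted_routers:
        findings.append(f"response from non-trusted source {src_ip}")
    if version == 2 and not authenticated:
        findings.append("RIPv2 response carries no authentication entry")
    for e in entries:
        if e["afi"] != AFI_IP:
            continue
        if e["address"] == "0.0.0.0":
            findings.append(f"default route (0.0.0.0) announced by {src_ip}, metric {e['metric']}")
        if not 1 <= e["metric"] <= METRIC_INFINITY:
            findings.append(f"metric {e['metric']} out of range for {e['address']}")
        if version == 2 and e["next_hop"] != "0.0.0.0" and e["next_hop"] not in trusted_routers:
            findings.append(f"next hop {e['next_hop']} steers {e['address']} to a non-trusted router")
    return findings


# Constructed samples. SPOOFED is the attack John describes: an untrusted host on the
# wire announcing itself as the cheapest default route, so the packet stream is diverted.
SPOOFED_SRC = "192.0.2.66"
SPOOFED = build_rip_response(1, [("0.0.0.0", "0.0.0.0", "0.0.0.0", 1)])
LEGIT_SRC = "192.0.2.1"
LEGIT = build_rip_response(1, [("10.1.0.0", "0.0.0.0", "0.0.0.0", 2),
                               ("10.2.0.0", "0.0.0.0", "0.0.0.0", 3)])

if __name__ == "__main__":
    for src, pkt in ((SPOOFED_SRC, SPOOFED), (LEGIT_SRC, LEGIT)):
        print(src, audit_rip(src, pkt) or ["ok"])
```

The source-address check is the weakest of the four (RIP is UDP, so the source is trivially forged); it is here because it is what a 1997 routed offered, and the example shows why John prefers a hard-configured default router over any of these checks.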
From owner-firewalls-outgoing Wed Jul 2 15:49:55 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA22983 for firewalls-outgoing; Wed, 2 Jul 1997 14:50:45 -0700 (PDT) Received: from su1.in.net (su1.in.net [199.0.62.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id OAA22968 for ; Wed, 2 Jul 1997 14:50:29 -0700 (PDT) Received: from pm1-12.in.net by su1.in.net with SMTP (5.65/1.2-eef) id AA16743; Wed, 2 Jul 97 16:52:16 -0400 Message-Id: <3.0.2.32.19970702165231.006a79bc@in.net> X-Sender: frankw@in.net X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.2 (32) Date: Wed, 02 Jul 1997 16:52:31 -0500 To: Kevin Brown - NetComm From: Frank Willoughby Subject: Re: Microsoft plans to offer a firewall Cc: Frank Willoughby , Frank Willoughby , Vin McLellan , firewalls@GreatCircle.COM In-Reply-To: References: <3.0.2.32.19970701201820.006a16b0@in.net> <3.0.2.32.19970701072514.006a1968@in.net> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 08:32 PM 7/2/97 +0100, Kevin Brown - NetComm wrote: >Frank, > >No I was not spoofed, but I have discovered that you do not have a sense of >humour. ;-> Sure I do. My puns are infamous. 8^) >I was trying to point out that MS can even today, snare people into taking >actions that are terribly foolish. Would you advise a bank to allow any >customer to dial in for bank transactions with NT RAS as the sole form of >Authentication for their internal Net? No on both counts. I wouldn't recommend that their customers use any authentication-only mechanism for dial-in bank transactions. Nor would I allow any inbound connection to terminate on their internal network. As anyone who has audited a bank can tell you, banks are notoriously insecure. Many (most?) banks are still using antiquated (and insecure) technologies to secure customer dial-in bank transactions. 
I recommended one solution to secure customer dial-in banking to an out-of-country bank. It was my understanding that this was going to be a competitive advantage for their bank over other banks in the area. It'd be nice if other banks followed suit. Best Regards, Frank The opinions of the author of this mail may not necessarily be representative of the opinions of Fortified Networks, Inc. Fortified Networks, Inc. - http://www.fortified.com/ Expert (vendor-neutral) Computer and Network Security Consulting Phone: (317) 573-0800 Fax: (317) 573-0817 From owner-firewalls-outgoing Wed Jul 2 17:30:47 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id QAA04953 for firewalls-outgoing; Wed, 2 Jul 1997 16:36:47 -0700 (PDT) Received: from fw001.smb.com (fw001.smb.com [207.24.83.200]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id QAA04918 for ; Wed, 2 Jul 1997 16:36:34 -0700 (PDT) Received: from sbmail.smb.com ([168.109.12.15]) by fw001.smb.com (8.8.5/InetRelay-1.10) with ESMTP id TAA16273 for ; Wed, 2 Jul 1997 19:39:17 -0400 (EDT) Received: from ccmentgate.corp.smb.com (ccmentgate.corp.smb.com [146.128.253.21]) by sbmail.smb.com (8.8.5/CMTF-Mailrelay-1.18) with SMTP id TAA04591 for ; Wed, 2 Jul 1997 19:39:16 -0400 (EDT) Received: from ccMail by ccmentgate.corp.smb.com (ccMail Link to SMTP R6.01.00 BETA) id AA867886924; Wed, 02 Jul 97 19:42:07 -0500 Message-Id: <9707028678.AA867886924@ccmentgate.corp.smb.com> X-Mailer: ccMail Link to SMTP R6.01.00 BETA Date: Wed, 02 Jul 97 19:35:33 -0500 From: "Dustin Goodwin" To: Subject: Labs that will do firewall performance testing. MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Looking for a commercial lab that will do on-request, for-money testing of specific firewalls. We are interested in performance testing, not penetration testing. 
- Dustin - From owner-firewalls-outgoing Wed Jul 2 17:35:31 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA09524 for firewalls-outgoing; Wed, 2 Jul 1997 17:08:19 -0700 (PDT) Received: from netcom4.netcom.com (netcom4.netcom.com [192.100.81.107]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id RAA09517 for ; Wed, 2 Jul 1997 17:08:13 -0700 (PDT) Received: (from pomeranz@localhost) by netcom4.netcom.com (8.6.13/Netcom) id RAA17784; Wed, 2 Jul 1997 17:10:58 -0700 Message-Id: <199707030010.RAA17784@netcom4.netcom.com> From: pomeranz@netcom.com (Hal Pomeranz) Date: Wed, 2 Jul 1997 17:10:58 PDT In-Reply-To: johns@oxygen.house.gov (John Schnizlein) "Re: RIP vs. OSPF" (Jul 2, 6:13pm) X-Mailer: Mail User's Shell (7.2.5 10/14/92) To: johns@oxygen.house.gov (John Schnizlein), firewalls@GreatCircle.COM, kgibbs@best.com Subject: Re: RIP vs. OSPF Sender: firewalls-owner@GreatCircle.COM Precedence: bulk RIP has terrible convergence problems on very meshy networks-- routes may never stabilize if you lose a critical device. RIP doesn't support variable-length subnets either, though I gather this is coming in RIP-2. On the other hand, OSPF is a _pig_ on core routers in large networks. There are also interoperability problems still lurking between Cisco and Bay in my experience. Is anybody still running mixed-vendor network fabrics, though? On Jul 2, 6:13pm, John Schnizlein wrote: } The best solution for security purposes is to (hard) configure the default } router into your host computers. Unfortunately, this is not the most robust } configuration against network failure because it locks the host into a single } path when multiple (valid) routers may be available. See also Cisco's HSRP (Hot Standby Routing Protocol) which enables two routers to back each other up by sharing an IP address (which you then configure as default on your hosts). Also IRDP, or whatever they're calling these days. 
Hal Pomeranz, Principal Deer Run Associates hal@deer-run.com Network Connectivity and Security, Systems Management, Training From owner-firewalls-outgoing Wed Jul 2 17:52:35 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA11888 for firewalls-outgoing; Wed, 2 Jul 1997 17:38:11 -0700 (PDT) Received: from kani.wwa.com (kani.wwa.com [198.49.174.58]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id RAA11880 for ; Wed, 2 Jul 1997 17:38:05 -0700 (PDT) Received: from nicorinc.com/smtp.nicorenergy.com [207.241.20.98] by kani.wwa.com with smtp (Smail3.2.WWA) id m0wjZwm-003o2PC; Wed, 2 Jul 1997 19:40:35 -0500 (CDT) Received: from DOMAINGO-Message_Server by nicorinc.com with Novell_GroupWise; Wed, 02 Jul 1997 19:40:32 -0500 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Wed, 02 Jul 1997 19:40:15 -0500 From: LARRY HUNKA Reply-To: LHunka@nicorinc.com To: Firewalls@GreatCircle.COM Subject: Firewalls-Digest V6 #312 -Reply Mime-Version: 1.0 Content-Type: text/plain Content-Disposition: inline Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I'll be out of the office until 7/7/97. I'll respond at that time... 
From owner-firewalls-outgoing Wed Jul 2 18:22:44 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA12893 for firewalls-outgoing; Wed, 2 Jul 1997 17:53:12 -0700 (PDT) Received: from topgun.asiapac.net (topgun.asiapac.net [202.188.0.106]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id RAA12866 for ; Wed, 2 Jul 1997 17:52:58 -0700 (PDT) Received: from topgun ([202.188.0.106]) by topgun.asiapac.net (Netscape Mail Server v2.0) with SMTP id AAA2344 for ; Thu, 3 Jul 1997 08:53:34 +0800 Date: Thu, 3 Jul 1997 08:53:34 +0800 (SGT) From: Swee-Chuan Khoo X-Sender: sckhoo@topgun To: Firewalls@GreatCircle.COM Subject: malaysia - check point Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk hi, well, as a system integration company in malaysia dealing with internet connectivity and security, i can make some comment here. no boycott of check point here. we have already sold quite a few copies here ourselves and local sun is promoting it well. FYI. 
From owner-firewalls-outgoing Wed Jul 2 18:33:59 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA11118 for firewalls-outgoing; Wed, 2 Jul 1997 17:27:16 -0700 (PDT) Received: from emout14.mail.aol.com (emout14.mx.aol.com [198.81.11.40]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id RAA11103 for ; Wed, 2 Jul 1997 17:27:10 -0700 (PDT) From: Visionprof@aol.com Received: (from root@localhost) by emout14.mail.aol.com (8.7.6/8.7.3/AOL-2.0.0) id UAA26963; Wed, 2 Jul 1997 20:29:26 -0400 (EDT) Date: Wed, 2 Jul 1997 20:29:26 -0400 (EDT) Message-ID: <970702202926_408997317@emout14.mail.aol.com> To: firewalls@greatcircle.com cc: Kevin.Brown@netcomm.ie Subject: Re: Microsoft plans to offer a firewall Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On 7/2/97 Kevin wrote: >>(ps When Banks use MS Firewalls, I am going over the other side, and then >>retire...I know a bank or two today using NT RAS to authenticate Home Dial >>in Banking......anyone want the Bank Names?) I know of several myself....I tried to convince one such place not to go with MS NT as a firewall and internet server and lost my job over it. I don't believe how many organizations are blinded by MS Marketing.....it's the blinder leading the blind. Give me a UNIX box anyday!!!!! >>Can anyone explain how we let this happen. This one is easy. Mr. Gates said so. Let's all turn toward Redmond, Washington and bow. Tom Giudice Operating Systems Consultant Email: visionprof@aol.com Web Site: Vision Professional Services The comments here are mine alone and not those of the firm I own. 
From owner-firewalls-outgoing Wed Jul 2 19:49:41 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id TAA28032 for firewalls-outgoing; Wed, 2 Jul 1997 19:16:57 -0700 (PDT) Received: from alpha2.curtin.edu.au (alpha2.curtin.edu.au [134.7.70.20]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id TAA27886 for ; Wed, 2 Jul 1997 19:16:22 -0700 (PDT) Received: from rara32.curtin.edu.au (rara32.curtin.edu.au) by alpha2.curtin.edu.au (PMDF V5.0-6 #7809) id <01IKSOTJIJYOBB7KI5@alpha2.curtin.edu.au> for firewalls@GreatCircle.COM; Thu, 03 Jul 1997 10:21:33 +0800 Date: Thu, 03 Jul 1997 10:20:59 +0800 From: Bret Watson Subject: Re: Microsoft plans to offer a firewall In-reply-to: X-Sender: climbing@skuld.cage.curtin.edu.au To: firewalls@GreatCircle.COM Message-id: MIME-version: 1.0 Content-type: text/plain; charset="us-ascii" Content-transfer-encoding: 7BIT References: <3.0.32.19970702080847.007b15d0@the-wire.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk My 2c worth. I'm sure M$ will really be buying a firewall company. I cannot believe that a software company who appear not to know about formal method design could even build a secure firewall. Sorry to Paul et al at M$ who seem to be working hard to ensure the security reputation of NT, but I have not seen many major OS vendors who have a good firewall - the two just don't seem to mix. The problem? fancy graphics and user functions have no place in a server platform - if you've used memphis you'll understand where NT is going... 
Cheers, Bret Bret Watson & Associates, Computer Security Consultants Bret.Watson@bwa.net http://www.bwa.net/ Phone: +61 41 4411 149 (local time UTC +8) Fax: +61 8 9454 6042 From owner-firewalls-outgoing Wed Jul 2 20:24:24 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA13076 for firewalls-outgoing; Wed, 2 Jul 1997 17:56:09 -0700 (PDT) Received: from relay3.jaring.my (relay3.jaring.my [192.228.128.13]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id RAA13033 for ; Wed, 2 Jul 1997 17:55:50 -0700 (PDT) Received: from extol.extol.my (j20.ptl42.jaring.my [161.142.116.34]) by relay3.jaring.my (8.6.13/8.6.12) with ESMTP id IAA19964; Thu, 3 Jul 1997 08:58:14 +0800 Message-ID: <33BAFB69.C64E4C4A@pc.jaring.my> Date: Thu, 03 Jul 1997 08:07:53 +0700 From: Peng Chiew X-Mailer: Mozilla 4.0 [en] (Win95; I) MIME-Version: 1.0 To: "PONNIAH S/O P.RAMAIAH" CC: palan@dataprep.com.my, philb@thejudge.Corp.Sun.COM, firewalls@GreatCircle.COM, SITI_ZALEHA@klse.com.my Subject: Re: No Malaysian Boycott!! Who's laughing now? X-Priority: 3 (Normal) References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk PONNIAH S/O P.RAMAIAH wrote: > I agree with Palan's opinion on the Firewall-1 issue. Malaysia is not > that extremist as claimed by Mr.PHILB. > > >Contrary to what Palan was claiming in re the brouhaha over boycotts > of > >Checkpoint's FireWall-1, the boycott is clearly alive and well in > Malaysia. > >Here is a recent email to me from someone in Sun's field marketing > >organization. Let me repeat. There is ONLY an unofficial stand by the Malaysian Govt; applicable to Govt Depts.... that Israelite products CAN, REPEAT, CAN be purchased IF there is no other alternative. Second, private commercial companies can purchase products from Israel. Those familiar with crypto products would have heard of Algorithmic Research. 
It is an Israelite company that sells crypto products. Two banks in Malaysia are already using it for some time; say about 2 years. There is no, repeat, NO boycott of Israelite products. I ought to know, my employer sells them ;) Anyway the "recent email" was more of a question seeking confirmation rather than a statement. Any more Malaysian bashing? We've been severely criticised in the cypherpunks mailing before, so this is not something new. This has taken up sufficient bandwidth and I believe that this has gone out of topic. Shall we offline it and discuss in private? thanks. peng-chiew. From owner-firewalls-outgoing Wed Jul 2 20:34:12 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id UAA11293 for firewalls-outgoing; Wed, 2 Jul 1997 20:15:42 -0700 (PDT) Received: from meretrix.com (dirty.meretrix.com [207.42.198.17]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id UAA11232 for ; Wed, 2 Jul 1997 20:15:28 -0700 (PDT) Received: from kiri.meretrix.com (kiri.meretrix.com [207.42.198.18]) by meretrix.com (8.8.5/8.7.3) with ESMTP id FAA28181 for ; Thu, 3 Jul 1997 05:18:10 -0400 (EDT) Received: from kiri.meretrix.com (localhost.meretrix.com [127.0.0.1]) by kiri.meretrix.com (8.8.5/8.8.4) with ESMTP id XAA11240 for ; Wed, 2 Jul 1997 23:18:13 -0400 (EDT) Message-Id: <199707030318.XAA11240@kiri.meretrix.com> To: firewalls@GreatCircle.COM Subject: Re: Microsoft plans to offer a firewall In-reply-to: Your message of "Wed, 02 Jul 1997 11:26:25 PDT." <33BA9D51.3602@pacificnet.net> Date: Wed, 02 Jul 1997 23:18:13 -0400 From: Harry Mantakos Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >> * Refer to C&L white paper available on >> http://www.microsoft.com/proxy Well, I was all ready to go learn about network security, so I went to the Microsoft web page to download this paper. It's a .exe file. 
So to learn about how Microsoft has licked this internet security thing, I have to download a binary off a web page, bring it inside my firewall, and run it on my pc. I see. Well, I don't happen to have anything handy that can run one of those .exe file thingies, nor anything that can read the Microsoft Word document that is no doubt lurking within it, so I guess I'll have to look elsewhere. -harry ----------------------------------------------------------------------------- Human: Harry Mantakos USPS: 547 E. Gittings St. Baltimore, MD 21230 Email: harry@meretrix.com Evil Twins: harry@torrentnet.com, harry@cs.umd.edu From owner-firewalls-outgoing Wed Jul 2 23:03:54 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id WAA16144 for firewalls-outgoing; Wed, 2 Jul 1997 22:46:48 -0700 (PDT) Received: from pdx1.world.net (pdx1.world.net [192.243.32.18]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id WAA15960 for ; Wed, 2 Jul 1997 22:46:14 -0700 (PDT) From: proff@suburbia.net Received: from suburbia.net (suburbia.net [198.142.2.24]) by pdx1.world.net (8.7.5/8.7.3) with SMTP id WAA05077 for ; Wed, 2 Jul 1997 22:52:54 -0700 (PDT) Received: (qmail 24674 invoked by uid 110); 3 Jul 1997 05:48:54 -0000 Message-ID: <19970703054854.24673.qmail@suburbia.net> Subject: Re: messages log , Could be attack ? In-Reply-To: <33BAC277.3CBF@bolchile.cl> from "Raul Navarro G." at "Jul 2, 97 05:04:55 pm" To: rnavarro@bolchile.cl (Raul Navarro G.) Date: Thu, 3 Jul 1997 15:48:54 +1000 (EST) Cc: firewalls@greatcircle.com X-Mailer: ELM [version 2.4ME+ PL28 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
> 1) Help me please, what is the meaning of these messages in the messages log?
> Is there an attack to stop TCP/IP services?
> What do I need to do to know that it is an attack?
> Could it be a problem in my configuration? I didn't change anything in the last months.
>
> These messages have repeated for more than 3 days:
> May 31 04:11:21 www inetd[115]: pop3/tcp: bind: Address already in use
> May 31 04:11:21 www inetd[115]: imap/tcp: bind: Address already in use
> May 31 04:11:21 www inetd[115]: chargen/tcp: bind: Address already in use
> May 31 04:11:21 www inetd[115]: daytime/tcp: bind: Address already in use
> May 31 04:11:21 www inetd[115]: discard/tcp: bind: Address already in use
> May 31 04:11:21 www inetd[115]: echo/tcp: bind: Address already in use
> May 31 04:11:21 www inetd[115]: time/tcp: bind: Address already in use
> May 31 04:11:21 www inetd[115]: finger/tcp: bind: Address already in use
> May 31 04:11:21 www inetd[115]: uucp/tcp: bind: Address already in use
> May 31 04:11:21 www inetd[115]: exec/tcp: bind: Address already in use
> May 31 04:11:21 www inetd[115]: login/tcp: bind: Address already in use
> May 31 04:11:21 www inetd[115]: shell/tcp: bind: Address already in use
> May 31 04:11:21 www inetd[115]: telnet/tcp: bind: Address already in use
> May 31 04:11:21 www inetd[115]: ftp/tcp: bind: Address already in use
You are already running inetd. 
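As an added illustration of that diagnosis (my code, not from either poster): a small log-triage script that groups the "bind: Address already in use" lines by inetd instance and separates the case in Raul's log, where every configured service fails at the same second because a second inetd already owns all the ports, from the case where only a few services fail because some other daemon (a standalone POP or IMAP server, say) is bound to those ports. The CONFIGURED set is assumed to mirror inetd.conf, and the lines for the second host "mail" are constructed; the "www" lines are the ones from the post.

```python
import re

# Syslog line shape from the post:
# "May 31 04:11:21 www inetd[115]: pop3/tcp: bind: Address already in use"
BIND_FAIL = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"inetd\[(?P<pid>\d+)\]: (?P<svc>[\w-]+)/(?P<proto>tcp|udp): "
    r"bind: Address already in use$"
)

SERVICES = ("pop3", "imap", "chargen", "daytime", "discard", "echo", "time",
            "finger", "uucp", "exec", "login", "shell", "telnet", "ftp")

# Assumed to be the services enabled in inetd.conf on the affected host.
CONFIGURED = {f"{s}/tcp" for s in SERVICES}


def parse_bind_failures(lines):
    """Group bind failures by (host, inetd pid): first/last timestamp and failed services."""
    out = {}
    for line in lines:
        m = BIND_FAIL.match(line.strip())
        if not m:
            continue                      # anything that is not an inetd bind failure
        key = (m["host"], int(m["pid"]))
        rec = out.setdefault(key, {"first": m["ts"], "last": m["ts"], "services": set()})
        rec["last"] = m["ts"]
        rec["services"].add(f"{m['svc']}/{m['proto']}")
    return out


def diagnose(failures, configured=CONFIGURED):
    """
    Decide, per inetd instance, what already owns the ports:
      every configured service fails -> a second inetd is running (the list's answer)
      only some services fail        -> another daemon is bound to those ports
    Returns {(host, pid): (verdict, sorted failed services)}.
    """
    verdicts = {}
    for key, rec in failures.items():
        failed = rec["services"]
        verdict = "duplicate-inetd" if failed >= configured else "port-conflict"
        verdicts[key] = (verdict, sorted(failed))
    return verdicts


def summarize(lines, configured=CONFIGURED):
    return diagnose(parse_bind_failures(lines), configured)


# Sample input: the 14 lines from the post, plus constructed lines for a second host
# where only the mail ports collide and one unrelated sendmail line that must be ignored.
POSTED_LOG = [f"May 31 04:11:21 www inetd[115]: {s}/tcp: bind: Address already in use"
              for s in SERVICES]
CONSTRUCTED_LOG = [
    "Jun  2 09:15:02 mail inetd[4021]: pop3/tcp: bind: Address already in use",
    "Jun  2 09:15:02 mail inetd[4021]: imap/tcp: bind: Address already in use",
    "Jun  2 09:15:02 mail sendmail[4030]: starting daemon",
]

if __name__ == "__main__":
    for (host, pid), (verdict, failed) in summarize(POSTED_LOG + CONSTRUCTED_LOG).items():
        print(f"{host} inetd[{pid}]: {verdict}: {', '.join(failed)}")
```

The confirming check on the box itself is a process listing (`ps -ax` or `ps -ef`, depending on the Unix) showing two inetd processes, after which the stray one is killed; for the port-conflict verdict, `netstat -an` restricted to LISTEN sockets shows which ports are held, and the owning daemon is then found from its own logs or startup scripts.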
From owner-firewalls-outgoing Wed Jul 2 23:38:59 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id UAA21399 for firewalls-outgoing; Wed, 2 Jul 1997 20:59:43 -0700 (PDT) Received: from fw001.smb.com (fw001.smb.com [207.24.83.200]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id UAA21124 for ; Wed, 2 Jul 1997 20:58:54 -0700 (PDT) Received: from sbmail.smb.com ([168.109.12.15]) by fw001.smb.com (8.8.5/InetRelay-1.10) with ESMTP id AAA17813 for ; Thu, 3 Jul 1997 00:01:45 -0400 (EDT) Received: from ccmentgate.corp.smb.com (ccmentgate.corp.smb.com [146.128.253.21]) by sbmail.smb.com (8.8.5/CMTF-Mailrelay-1.18) with SMTP id AAA12940 for ; Thu, 3 Jul 1997 00:01:44 -0400 (EDT) Received: from ccMail by ccmentgate.corp.smb.com (ccMail Link to SMTP R6.01.00 BETA) id AA867902676; Thu, 03 Jul 97 00:04:37 -0500 Message-Id: <9707038679.AA867902676@ccmentgate.corp.smb.com> X-Mailer: ccMail Link to SMTP R6.01.00 BETA Date: Wed, 02 Jul 97 22:03:27 -0500 From: "Dustin Goodwin" To: Subject: Labs that will do firewall performance testing. MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk (Please excuse if this is a duplicate post) Looking for a commercial lab that will do on-request, for-money testing of specific firewalls. We are interested in performance testing, not penetration testing. 
- Dustin - From owner-firewalls-outgoing Wed Jul 2 23:46:46 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA22760 for firewalls-outgoing; Wed, 2 Jul 1997 23:20:13 -0700 (PDT) Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-970427-1) id WAA12551 for firewalls@greatcircle.com; Wed, 2 Jul 1997 22:31:14 -0700 (PDT) Received: from panix2.panix.com (panix2.panix.com [198.7.0.3]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id LAA06176 for ; Tue, 1 Jul 1997 11:18:03 -0700 (PDT) Received: (from guy@localhost) by panix2.panix.com (8.8.5/8.7/PanixU1.3) id OAA06042 for firewalls@GreatCircle.COM; Tue, 1 Jul 1997 14:21:05 -0400 (EDT) Date: Tue, 1 Jul 1997 14:21:05 -0400 (EDT) From: Information Security Message-Id: <199707011821.OAA06042@panix2.panix.com> To: firewalls@GreatCircle.COM Subject: Cryptography Manifesto Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Information Security here. I have a document that explains NSA's domestic spy-fest in great detail. The document includes specifics on building a firewall analytic for examining email. The section of the document that is in is about 100K, so I'm sending this overview instead. If you want the document [7/4/97-dated version], email me using 'Subject: Requesting Cryptography Manifesto'. The document is 560K. BTW, the inside scoop from a TIS employee (don't ask!) is that the NSA really truly CANNOT break RSA/PGP, and are pissed about it. ;-) This manifesto is heavily documented by outside sources. * "Spying Budget Is Made Public By Mistake", By Tim Weiner * The New York Times, November 5 1994 * * By mistake, a Congressional subcommittee has published an unusually * detailed breakdown of the highly classified "black budget" for United * States intelligence agencies. 
* * In previously defeating a bill that would have made this information * public, the White House, CIA and Pentagon argued that revealing the * secret budget would cause GRAVE DAMAGE to the NATIONAL SECURITY of * the United States. * * $3.1 billion for the CIA * $10.4 billion for the Army, Navy, Air Force * and Marines special-operations units * $13.2 billion for the NSA/NRO/DIA * * The only damage done so far is to the * credibility of those who opposed the measure. Enjoy, ---guy@panix.com From owner-firewalls-outgoing Wed Jul 2 23:49:05 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA29432 for firewalls-outgoing; Wed, 2 Jul 1997 23:45:33 -0700 (PDT) Received: from mines.u-nancy.fr (mines.u-nancy.fr [192.70.66.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id XAA29411 for ; Wed, 2 Jul 1997 23:45:26 -0700 (PDT) Received: (from grigori@localhost) by mines.u-nancy.fr (8.7.5/8.7.3) id IAA14685 for Firewalls@GreatCircle.COM; Thu, 3 Jul 1997 08:52:02 +0200 (MET DST) From: Laura Grigori Message-Id: <199707030652.IAA14685@mines.u-nancy.fr> Subject: Re: Firewalls-Digest V6 #312 To: Firewalls@GreatCircle.COM Date: Thu, 3 Jul 1997 08:52:01 +0200 (MET DST) In-Reply-To: <199707021820.LAA00955@honor.greatcircle.com> from "Firewalls-Digest" at Jul 2, 97 11:20:32 am X-Mailer: ELM [version 2.4 PL21] MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Greetings, I have just arrived. Now to work, and no follow-up, and tell me in detail if you talk to Raphael, or if you have any news. Waiting, Elutza. 
From owner-firewalls-outgoing Thu Jul 3 03:18:29 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id CAA01105 for firewalls-outgoing; Thu, 3 Jul 1997 02:03:57 -0700 (PDT) Received: from mines.u-nancy.fr (mines.u-nancy.fr [192.70.66.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id CAA00892 for ; Thu, 3 Jul 1997 02:03:09 -0700 (PDT) Received: (from grigori@localhost) by mines.u-nancy.fr (8.7.5/8.7.3) id LAA16318 for firewalls@greatcircle.com; Thu, 3 Jul 1997 11:09:28 +0200 (MET DST) From: Laura Grigori Message-Id: <199707030909.LAA16318@mines.u-nancy.fr> Subject: Re: Firewalls-Digest V6 #312 To: firewalls@greatcircle.com Date: Thu, 3 Jul 1997 11:09:28 +0200 (MET DST) X-Mailer: ELM [version 2.4 PL21] MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello, This is regarding my previous message, in Romanian, about somebody called Raphael. I want to apologize for it. This proves one other possible risk of email: not checking the headers before sending the email. `Reply' is a great feature, but I should have used it with more care. Once again, sorry. One more reason to moderate. 
From owner-firewalls-outgoing Thu Jul 3 04:04:09 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id BAA17421 for firewalls-outgoing; Thu, 3 Jul 1997 01:06:44 -0700 (PDT) Received: from gwdu42.gwdg.de (gwdu42.gwdg.de [134.76.10.26]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id BAA17343 for ; Thu, 3 Jul 1997 01:06:22 -0700 (PDT) Received: from dv104 (actually 134.76.168.70) by gwdu42.gwdg.de with SMTP (PP); Thu, 3 Jul 1997 10:05:43 +0200 Message-Id: <3.0.2.32.19970703080618.00911ab0@popper.gwdg.de> X-Sender: switzel@popper.gwdg.de X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.2 b5 (32) Date: Thu, 03 Jul 1997 08:06:18 +0200 To: firewalls@greatcircle.com From: Stefan Witzel Subject: Problem: HP-UX 10.20 and Firewall-1 V3.0 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello, I tried to run Firewall-1 V3.0 (not 3.0a) on a workstation with HP-UX 10.20 installed. The firewall seems to be ok, but when I start the log viewer (from the command line), after a while, this process uses up to 95% of the CPU time. I then have no access to the workstation. (I think the firewall works.) This occurred under VUE and CDE. Any advice? Thanks in advance. 
Stefan Witzel switzel@uni-goettingen.de Universitaet Goettingen / Stabsstelle DV ------------------------- Gosslerstrasse 5-7 fon: +49 551 394160 37073 Goettingen fax: +49 551 399612 Germany From owner-firewalls-outgoing Thu Jul 3 04:08:26 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id BAA20918 for firewalls-outgoing; Thu, 3 Jul 1997 01:18:08 -0700 (PDT) Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id BAA20897 for ; Thu, 3 Jul 1997 01:18:00 -0700 (PDT) Received: from skb.si (skb.si [193.77.127.66]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with ESMTP id BAA20012 for ; Thu, 3 Jul 1997 01:22:02 -0700 (PDT) Received: by fw.skb.si id <26882>; Thu, 3 Jul 1997 10:16:36 +0100 Message-Id: <97Jul3.101636gmt+0100.26882@fw.skb.si> Date: Thu, 3 Jul 1997 09:18:30 +0100 From: Sergej Rinc Reply-To: sr@skb.si X-Mailer: Mozilla 3.01Gold (WinNT; I) MIME-Version: 1.0 To: Firewalls@GreatCircle.COM Subject: Borderware References: <199707021820.LAA00955@honor.greatcircle.com> Content-Type: text/plain; charset=iso-8859-2 Content-Transfer-Encoding: 8bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >With the latest version Borderware 4.x, all configuration is done from a remote html browser which is extremely slow! Their front end is all Java, using their html forms to configure DNS for 15 zones took me all day just because the updates via the browser were taking forever! You don't have to use the browser for DNS setup - you can upload these files to BorderWare or use a zone transfer. I wouldn't use the browser for a lot of zones. >Also, there is no internal authentication capabilities with Borderware, no skey, secure-id, nothing to authenticate your rules against. Please explain. All authentication cards are supported already or can be - easily. S/Key, Secure-Id, ActiveCard, ... I guess you have something specifically in mind. 
-- Sergej Rinc system engineer, SKB banka d.d. http://www.skb.si mailto:sr@skb.si From owner-firewalls-outgoing Thu Jul 3 04:39:23 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id BAA24425 for firewalls-outgoing; Thu, 3 Jul 1997 01:36:58 -0700 (PDT) Received: from trifork.gu.net (trifork.gu.net [194.93.190.194]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id BAA24310 for ; Thu, 3 Jul 1997 01:36:22 -0700 (PDT) Received: from localhost (localhost.gu.kiev.ua [127.0.0.1]) by trifork.gu.net (8.8.5/8.8.5) with SMTP id OAA21992; Thu, 3 Jul 1997 14:41:02 +0300 (EEST) Date: Thu, 3 Jul 1997 14:41:01 +0300 (EEST) From: Andrew Stesin Reply-To: stesin@gu.net To: John Whittaker cc: firewalls@GreatCircle.COM Subject: Re: Microsoft plans to offer a firewall In-Reply-To: <3.0.32.19970702093428.00f12830@199.107.168.5> Message-ID: X-NCC-RegID: ua.gu MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Wed, 2 Jul 1997, John Whittaker wrote: > * The new version will combine enhanced security and performance. > This has never done before. ^^^ by Microsoft, one should mention. Other vendors might ;) have a different history. > * Microsoft is enhancing its firewall security features as a > result of feedback from small business and branch office customers. ... but with zero attention to industry experts' opinions? > * Enhanced web content caching ... still unable to communicate with i.e. Squid WWW-caches hierarchies? > * Extensible firewall security > > * Proxy Server 2.0 is an "extensible firewall" platform, which > creates opportunities for 3rd parties to extend and complement Proxy > Server's network security capabilities ... -- it contains holes so anyone who cares may feel herself free to fill them on her own? > * Content Filters - CyberPatrol and Surfwatch And this "feature" -- read "censorship" -- definitely _will_ work, no doubts.
Best regards, Andrew Stesin nic-hdl: ST73-RIPE From owner-firewalls-outgoing Thu Jul 3 06:03:36 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id BAA17420 for firewalls-outgoing; Thu, 3 Jul 1997 01:06:43 -0700 (PDT) Received: from sif.cgs.it ([194.21.205.3]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id BAA17251 for ; Thu, 3 Jul 1997 01:06:03 -0700 (PDT) Received: from ons.sif.cgs.it (sgorla.sif.cgs.it [194.21.205.106]) by sif.cgs.it (8.7.5/8.7.3) with SMTP id JAA03279; Thu, 3 Jul 1997 09:10:16 +0200 Message-Id: <3.0.1.32.19970703101001.00cab9bc@fw2> X-Sender: gfaggion@fw2 X-Mailer: Windows Eudora Light Version 3.0.1 (32) Date: Thu, 03 Jul 1997 10:10:01 +0200 To: Roger Rea From: "Gruppo ONS riunito S.p.A. (Società per Adulazione)" Subject: RE: Firewall on AIX Cc: Firewalls@GreatCircle.COM Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On 1 Jul 1997 I wrote: ...I've done some research on firewalls on AIX, but I got very little. ...I have some FAQ at the ...http://www.checkpoint.com/opsec/Partners/memco/faq.html: ...- 6. Which versions of FireWall-1 are compatible with SeOS Secured! ...- For FireWall-1? ...- SeOS Secured! For FireWall-1 is compatible with FireWall-1 version 2.1 ...- and version 3.0 for Solaris on Sun SPARC and x86. SunOS and HP-UX ...- versions are currently in Beta testing and will be available soon. IBM ...AIX ...- and Windows NT versions are in development. ...It will be available until the third quarter of the year. Roger Rea replied to me: >From: Roger Rea >To: >Cc: <75816664@ITHVM03.vnet.ibm.com> >Subject: Fwd: Firewall on AIX >Date: Wed, 2 Jul 1997 17:30:11 -0400 > >Gabriele.................Perhaps you have not looked at the current version of >the IBM Firewall.
We are a much more complete firewall than other firewalls, >offering not only filtering architectures like Check Point, but also >Application Gateways and Circuit Level Gateways. So you get three firewalls in >one. PERHAPS YOU HAVEN'T LOOKED AT THE LAST 3 OR 4 VERSIONS OF THE CHECKPOINT FIREWALL. IT USES THE "STATEFUL INSPECTION" TECHNOLOGY TO FILTER ALL ISO LAYERS FROM THE NETWORK LAYER TO THE APPLICATION IN ONLY ONE PASS: THERE'S AN "INSPECT ENGINE" THAT, USING DYNAMIC STATE TABLES, ASSURES A FAST AND TRANSPARENT INSPECTION. >We also offer Network Address Translation, logging, alerting, a JAVA-based GUI >with pre-defined services and context sensitive help. We've had IPSEC tunnels >for several releases and have added in the current release client IPSEC >software at no additional charge. We offer the Network Security Auditor, which >allows you to scan the network for security weaknesses. > >You can learn more about the IBM Firewall for AIX V3.1 and download trial >software from our web site at: http:\\www.ics.raleigh.ibm.com\firewall THANK YOU FOR THE INFORMATION --------------------------------------------------------------- Gabriele Faggioni Open Network Services - Security Cap Gemini Italia S.p.A. Via Lombroso, 54 MILANO (ITALIA) http://www.sif.cgs.it mailto:gfaggion@sif.cgs.it tel. ++39 2 59924 420 fax.
++39 2 59924 245 --------------------------------------------------------------- From owner-firewalls-outgoing Thu Jul 3 06:46:55 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA01097 for firewalls-outgoing; Wed, 2 Jul 1997 23:54:31 -0700 (PDT) Received: from zeder.she.de (zeder.she.de [193.98.90.88]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id XAA01071 for ; Wed, 2 Jul 1997 23:54:23 -0700 (PDT) Received: from hdrout3.she.de (hdrout3.she.de [194.120.238.5]) by zeder.she.de (8.8.5/8.7.6) with SMTP id IAA17238; Thu, 3 Jul 1997 08:57:09 +0200 Received: from heidelberg.teldix.de by hdrout3.she.de id aa17118; 3 Jul 97 8:52 CETDST Received: from hdmh1.teldix.de ([143.194.70.35]) by hdfw01.teldix.de via smtpd (for hdnetgw.she.de [193.141.149.7]) with SMTP; 3 Jul 1997 06:52:50 UT Received: from localhost by hdmh1.teldix.de with SMTP (1.39.111.2/16.2) id AA142332750; Thu, 3 Jul 1997 08:52:30 +0200 Date: Thu, 3 Jul 1997 08:52:30 +0200 (METDST) From: Wolfgang Rau To: David Wasser Cc: firewalls@greatcircle.com, franks@netscape.com Subject: Re: Tunneling tools with 128 bit encryption outside US? In-Reply-To: <33BA45A5.57AB2A3B@netscape.com> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Try F-Secure from DataFellows: http://www.datafellows.com/ Regards - Wolfgang -------------------------------------------------------------- Wolfgang Rau | Phone: +49-6221-512-527; Fax: -305 TELDIX GmbH | Email: rau@teldix.de IVT | P.O.Box | Grenzhoefer Weg 36 D-69046 Heidelberg | D-69123 Heidelberg ______________________________________________________________ On Wed, 2 Jul 1997, David Wasser wrote: > I am looking for a product which will build an encrypted IP tunnel using > 128 bit encryption technology that is available outside the US. > > Can anyone point me to a vendor? 
> > Thanx, > -David > -- > David Wasser | Netscape Communications GmbH > Principal Consultant | Am Soeldnermoos 6 > | D-85399 Hallbergmoos > DWass@netscape.com | Germany From owner-firewalls-outgoing Thu Jul 3 07:48:53 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA05894 for firewalls-outgoing; Thu, 3 Jul 1997 05:45:11 -0700 (PDT) Received: from csc.com (explorer.csc.com [20.1.10.27]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id FAA05860 for ; Thu, 3 Jul 1997 05:44:57 -0700 (PDT) Received: from tc24650 by csc.com via smtpd with smtp id for ; Thu, 3 Jul 97 08:47 EDT (/\oo/\ Smail3.1.29.1 #29.9 built 21-apr-97) Message-ID: <33BB9E72.745C@csc.com> Date: Thu, 03 Jul 1997 08:43:31 -0400 From: Joe Loiacono Organization: Computer Sciences Corporation X-Mailer: Mozilla 3.01 (X11; I; SunOS 5.5 sun4m) MIME-Version: 1.0 To: Dustin Goodwin CC: firewalls@greatcircle.com Subject: Re: Labs that will do firewall perfomance testing. References: <9707028678.AA867886924@ccmentgate.corp.smb.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Dustin Goodwin wrote: > > > Looking for a commercial lab that will do on request for money testing > of specific firewalls. We are interested in performance testing not > penetration testing. Try: Computer Sciences Corporation Systems Engineering Division Hanover, MD. Call Alexa Grauch at (410) 684-3641. She doesn't work in the lab, but can forward you. Joe -- In theory, theory and practice are the same; In practice, they're not even close! 
From owner-firewalls-outgoing Thu Jul 3 08:20:40 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA02022 for firewalls-outgoing; Thu, 3 Jul 1997 05:17:52 -0700 (PDT) Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id EAA27081 for ; Thu, 3 Jul 1997 04:41:37 -0700 (PDT) Received: from psyche.the-wire.com (psyche.the-wire.com [198.53.192.2]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with ESMTP id EAA23268 for ; Thu, 3 Jul 1997 04:17:57 -0700 (PDT) Received: from anton.the-wire.com (anton.the-wire.com [205.206.32.227]) by psyche.the-wire.com (8.8.6/8.6.12) with SMTP id HAA07788; Thu, 3 Jul 1997 07:15:20 -0400 (EDT) Message-Id: <3.0.32.19970703070141.007a6db0@the-wire.com> X-Sender: anton@the-wire.com X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Thu, 03 Jul 1997 07:15:50 -0400 To: Visionprof@aol.com, firewalls@GreatCircle.COM From: Anton J Aylward Subject: Re: Microsoft plans to offer a firewall Cc: Kevin.Brown@netcomm.ie Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 08:29 PM 02/07/97 -0400, Visionprof@aol.com wrote: ## Reply Start ## >On 7/2/97 Kevin wrote: > >>>Can anyone explain how we let this happen. > >This one is easy. Mr. Gates said so. Let's all turn toward Redmond, >Washington and bow. To misquote Dr Bonhoeffer: My Conscience is Bill Gates. ## Reply End ## -------------------------------------------------------------------------- Anton J Aylward | Security is not something that comes in The Strahn & Strachan Group Inc | a self-contained box. It is an attribute Information Security Consultants | of how you do business and as such Voice: (416) 494-8661 | needs to be managed carefully. Fax: (416) 494-8803 | - Karen Goertzel, Wang Federal Inc. 
From owner-firewalls-outgoing Thu Jul 3 08:35:30 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA24623 for firewalls-outgoing; Thu, 3 Jul 1997 04:27:11 -0700 (PDT) Received: from csc.com (explorer.csc.com [20.1.10.27]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id EAA24591 for ; Thu, 3 Jul 1997 04:26:59 -0700 (PDT) Received: from tc24650 by csc.com via smtpd with smtp id for ; Thu, 3 Jul 97 07:29 EDT (/\oo/\ Smail3.1.29.1 #29.9 built 21-apr-97) Message-ID: <33BB8C0D.2E23@csc.com> Date: Thu, 03 Jul 1997 07:25:01 -0400 From: Joe Loiacono Organization: Computer Sciences Corporation X-Mailer: Mozilla 3.01 (X11; I; SunOS 5.5 sun4m) MIME-Version: 1.0 To: Scott_Thomas@em.fcnbd.com CC: Firewalls@GreatCircle.COM Subject: Re: SAP and Firewalls References: <001031FF.1944@em.fcnbd.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Scott_Thomas@em.fcnbd.com wrote: > > To All: > > Our company is implementing SAP in all of its locations. Our desire > is to have internal firewalls between the main corporate location and > outer offices. We have attempted to run FW-1 in two locations so far > with the same result. If a user at the outer office runs an SAP > process that only involves one UNIX host at the main office it works > fine. > > When the SAP process involves more than one host the returned > transmission is never received, although it seems to leave the UNIX > host. Tough problem. Are you running a sniffer on the interior networks (all LANs attached to servers)? See what's coming into the firewall. That might help. Good luck, Joe -- In theory, theory and practice are the same; In practice, they're not even close!
From owner-firewalls-outgoing Thu Jul 3 08:46:36 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA26964 for firewalls-outgoing; Thu, 3 Jul 1997 04:40:39 -0700 (PDT) Received: from srv1-poa.nutecnet.com.br (srv1-poa.nutecnet.com.br [200.248.149.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id EAA26890 for ; Thu, 3 Jul 1997 04:40:08 -0700 (PDT) Received: from nutspgw.nutec.com.br ([200.246.248.99]) by srv1-poa.nutecnet.com.br (8.8.5/SCA-6.6) with SMTP id JAA09540 for ; Thu, 3 Jul 1997 09:44:07 -0200 (EDT) Received: from canario.nutec.com.br ([192.168.2.2]) by nutspgw.nutec.com.br via smtpd (for srv1-poa.nutecnet.com.br [200.248.149.1]) with SMTP; 3 Jul 1997 08:45:14 UT Received: from nutspgw.nutec.com.br by canario.nutec.com.br id aa04683; 3 Jul 97 8:35 GMT From: "Fernando da Silveira Montenegro" To: Received: from cancun.sao.nutecnet.com.br ([200.246.248.224]) by firewall.nutec.com.br via smtpd (for canario.nutec.com.br [192.168.2.2]) with SMTP; 3 Jul 1997 08:45:06 UT Subject: IP Filters? Date: Thu, 3 Jul 1997 08:42:35 -0300 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.71.0926.0 X-MimeOLE: Produced By Microsoft MimeOLE Engine V4.71.0926.0 Message-ID: <9707030835.aa04683@canario.nutec.com.br> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello all! What seems to be the general consensus on how many filtering rules one can configure on a router without imposing a noticeable performance penalty: 10? 50? 100? I know it probably varies wildly with the equipment you use (2501 x 7500, for instance), but is anybody running a Cisco 4000 with more than, say, 100 rules for each filter applied to an interface? The router has 8MB, and is talking two T1s (bonded, no multihoming). 
We plan to tighten up our environment a bit (too many DoS attacks for our liking), and are considering also stricter filters on our terminal servers (PortMaster2 units from Livingston). Same question applies: how many filters on a 1MB PM2? The problem is that the environment being protected is an ISP, so the typical "block unless needed" stance doesn't apply. Thanks in advance. I'll summarize later if there's interest. Regards, Fernando ObFirewall: Filtering is one element of our security architecture, which is migrating to a secure subnet protected by app.level firewall, and is, as usual, the first line of defense. -- Fernando da Silveira Montenegro Nutec Informatica System/Network Administrator Sao Paulo, SP, BRAZIL mailto:montenegro@nutec.com.br http://www.nutecnet.com.br voice.:+55-11-5505-5728 #include From owner-firewalls-outgoing Thu Jul 3 08:49:45 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA23880 for firewalls-outgoing; Thu, 3 Jul 1997 04:22:58 -0700 (PDT) Received: from lexicon.ins.com (lexicon.ins.com [199.0.193.11]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id EAA23869 for ; Thu, 3 Jul 1997 04:22:49 -0700 (PDT) Received: from dmartinez.ins.com (unknown-43-60.dialcall.com [170.206.43.60]) by lexicon.ins.com (8.7.5/8.7.3) with SMTP id EAA27689; Thu, 3 Jul 1997 04:25:21 -0700 (PDT) Message-Id: <3.0.32.19970703072510.00698324@lexicon.ins.com> X-Sender: martin_d@lexicon.ins.com X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Thu, 03 Jul 1997 07:25:15 -0400 To: Stefan Witzel , firewalls@GreatCircle.COM From: "Darwin L. Martinez" Subject: Re: Problem: HP-UX 10.20 and Firewall-1 V3.0 Mime-Version: 1.0 Content-Type: text/enriched; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Check to see if your log viewer is trying to resolve IP addresses with DNS.
If so, for each entry in the log, the machine queries DNS to try and get a name associated with the IP address entry. This is for both the source and destination addresses, meaning 2 queries are executed for each log entry. Disable that option (should be on the main log viewer screen), and your problem should disappear. Hope this helps. At 08:06 AM 7/3/97 +0200, Stefan Witzel wrote: >Hello, > >I tried to run Firewall-1 V3.0 (not 3.0a) on a workstation with HP-UX 10.20 >installed. The firewall seems to be ok, but when I start the log viewer (from >the command line), after a while, this process uses up to 95% of the CPU >time. >I then have no access to the workstation. (I think the firewall works.) > >This occurred under VUE and CDE. > >Any advice? Thanks in advance. > > > >Stefan Witzel switzel@uni-goettingen.de >Universitaet Goettingen / Stabsstelle DV ------------------------- >Gosslerstrasse 5-7 fon: +49 551 394160 >37073 Goettingen fax: +49 551 399612 >Germany > > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Darwin L.
Martinez Client: 770-825-9482 Network Systems Consultant Pager: 888-346-1320 International Network Services Office: 770-641-3660 SouthEast Region, Atlanta Email: <darwin_martinez@ins.com> INS Website: "Providing the Power of Operable Networks" ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ From owner-firewalls-outgoing Thu Jul 3 08:50:52 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA14512 for firewalls-outgoing; Thu, 3 Jul 1997 07:01:07 -0700 (PDT) Received: from gauntlet.qdata.co.za (gauntlet.qdata.co.za [196.29.128.97]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id HAA14427 for ; Thu, 3 Jul 1997 07:00:32 -0700 (PDT) Received: by gauntlet.qdata.co.za; id QAA02820; Thu, 3 Jul 1997 16:31:31 +0200 Received: from unknown(196.11.111.254) by gauntlet.qdata.co.za via smap (V3.1.1) id xma002766; Thu, 3 Jul 97 16:31:07 +0200 Message-ID: <33BBB0F2.11B992A@qdata.net> Date: Thu, 03 Jul 1997 16:02:27 +0200 From: Richard Chilcott Reply-To: richardc@qdata.net Organization: Q Data Internet X-Mailer: Mozilla 4.0b5 [en] (WinNT; I) MIME-Version: 1.0 To: firewalls@greatcircle.com Subject: WatchGuard Firebox X-Priority: 3 (Normal) Content-Type: text/plain; charset=iso-8859-1 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Good Day Ladies, Gentlemen and any other person not in the last two groups, Does anybody have any comments to make about the WatchGuard Firebox firewall? Is it any good, and any problems found with the installations etc.? Thanks Richard Chilcott Q Data Internet (Pty) Ltd. Phone: +27 11 266 5430 Fax: +27 11 266 5097 http://www.qdata.net Do not take life too seriously, you will not get out of it alive.
From owner-firewalls-outgoing Thu Jul 3 09:01:43 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA12819 for firewalls-outgoing; Thu, 3 Jul 1997 06:46:34 -0700 (PDT) Received: from lexicon.ins.com (lexicon.ins.com [199.0.193.11]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id GAA12745 for ; Thu, 3 Jul 1997 06:46:16 -0700 (PDT) Received: from rodger-s.sprintspectrum.com (ATL-Dynamic4.ins.com [199.0.194.4]) by lexicon.ins.com (8.7.5/8.7.3) with SMTP id GAA05763; Thu, 3 Jul 1997 06:48:44 -0700 (PDT) Message-Id: <3.0.32.19970703084835.00c46680@lexicon.ins.com> X-Sender: rodger_s@lexicon.ins.com X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Thu, 03 Jul 1997 08:48:40 -0500 To: Stefan Witzel , firewalls@GreatCircle.COM From: Steve Rodgers Subject: Re: Problem: HP-UX 10.20 and Firewall-1 V3.0 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Stefan, The first thing I would try would be to upgrade to FW-1 Version 3.0a. I know it fixed "throughput" problems - not sure if they were CPU related or not. Just to be on the safe side I would upgrade anyway. At 08:06 AM 7/3/97 +0200, Stefan Witzel wrote: >Hello, > >I tried to run Firewall-1 V3.0 (not 3.0a) on a workstation with HP-UX 10.20 >installed. The firewall seems to be ok, but when I start the log viewer (from >the command line), after a while, this process uses up to 95% of the CPU >time. >I then have no access to the workstation. (I think the firewall works.) > >This occurred under VUE and CDE. > >Any advice? Thanks in advance.
> > > >Stefan Witzel switzel@uni-goettingen.de >Universitaet Goettingen / Stabsstelle DV ------------------------- >Gosslerstrasse 5-7 fon: +49 551 394160 >37073 Goettingen fax: +49 551 399612 >Germany > > _________________________________________________________________ Steve Rodgers, MCSE Network Systems Engineer International Network Services Phone: 913-859-1836 http://www.ins.com Pager: 888-808-2626 mailto:steve_rodgers@ins.com NASDAQ: INSS From owner-firewalls-outgoing Thu Jul 3 09:07:37 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA14540 for firewalls-outgoing; Thu, 3 Jul 1997 07:01:20 -0700 (PDT) Received: from smartwall.v-one.com (smartwall.v-one.com [206.205.89.11]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA14484 for ; Thu, 3 Jul 1997 07:00:48 -0700 (PDT) Received: by smartwall.v-one.com; id KAA15063; Thu, 3 Jul 1997 10:03:45 -0400 (EDT) Received: from nt-fs1.v-one.com(198.69.135.3) by smartwall.v-one.com via smap (3.2) id xma015059; Thu, 3 Jul 97 10:03:41 -0400 Received: by nt-fs1.V-ONE.COM with Internet Mail Service (5.0.1457.3) id ; Thu, 3 Jul 1997 10:12:19 -0400 Message-ID: From: "McMahan, Peg" To: "'firewalls@greatcircle.com'" Subject: FW: messages log , Could be attack ? Date: Thu, 3 Jul 1997 10:12:19 -0400 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1457.3) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > What it looks like is happening is that some daemons are being started > manually (through rc.local or similar startup scripts) while inetd is > still listening on behalf of these daemons... Check in the inetd.conf > file as well as the flavor of startup script your UNIX uses and see if > there is daemons duplicated. > > I doubt these are attacks at all, merely misconfigurations. > > -----Original Message----- > From: Raul Navarro G. 
[SMTP:rnavarro@bolchile.cl] > Sent: Wednesday, July 02, 1997 5:05 PM > To: Firewall_greatcircle.com > Subject: messages log , Could be attack ? > > 1) Help me please, what is the meaning of these messages in the > messages > log? > Is there an attack to stop TCP/IP services? > What do I need to do to know that it is an attack? > Can it be that it is a problem in my configuration? I didn't change anything in the > last months. > > These messages repeat for more than 3 days > May 31 04:11:21 www inetd[115]: pop3/tcp: bind: Address already in use > May 31 04:11:21 www inetd[115]: imap/tcp: bind: Address already in use > May 31 04:11:21 www inetd[115]: chargen/tcp: bind: Address already in > use > May 31 04:11:21 www inetd[115]: daytime/tcp: bind: Address already in > use > May 31 04:11:21 www inetd[115]: discard/tcp: bind: Address already in > use > May 31 04:11:21 www inetd[115]: echo/tcp: bind: Address already in use > May 31 04:11:21 www inetd[115]: time/tcp: bind: Address already in use > May 31 04:11:21 www inetd[115]: finger/tcp: bind: Address already in > use > May 31 04:11:21 www inetd[115]: uucp/tcp: bind: Address already in use > May 31 04:11:21 www inetd[115]: exec/tcp: bind: Address already in use > May 31 04:11:21 www inetd[115]: login/tcp: bind: Address already in > use > May 31 04:11:21 www inetd[115]: shell/tcp: bind: Address already in > use > May 31 04:11:21 www inetd[115]: telnet/tcp: bind: Address already in > use > May 31 04:11:21 www inetd[115]: ftp/tcp: bind: Address already in use > > 2) What are the following messages in netstat? > > 0 usr2-dialup57.Denver.mci.net.2820 8760 > 0 8760 0 TIME_WAIT > > The local address is 0? Can that be? > > Many thanks > Raul Navarro G.
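The diagnosis in the reply above, written out as a check. This is an added example, not code from either post: inetd logs "bind: Address already in use" when it reads (or re-reads) inetd.conf and cannot bind a configured service because another process already owns the port, so the script parses the syslog lines, inetd.conf and a "netstat -an" listing and reports, per failed service, whether another process still holds the port (a duplicated daemon, i.e. a misconfiguration) or whether the port is free again. The log lines, inetd.conf entries and netstat output are constructed samples modelled on the message; SERVICE_PORTS is an assumed subset of /etc/services, embedded so the script runs offline.

```python
"""Triage of "inetd[pid]: svc/proto: bind: Address already in use" syslog lines.

Added example, not code from the original posts. inetd itself reports that it
could not bind, so any server socket found on that port belongs to some other
process: that is what separates a duplicated daemon from a stale log line.
All inputs below are constructed samples.
"""
import re

# Assumed subset of /etc/services (standard port numbers).
SERVICE_PORTS = {
    "echo": 7, "discard": 9, "daytime": 13, "chargen": 19, "ftp": 21,
    "telnet": 23, "time": 37, "finger": 79, "pop3": 110, "imap": 143,
    "exec": 512, "login": 513, "shell": 514, "uucp": 540,
}

BIND_RE = re.compile(
    r"inetd\[\d+\]: (?P<service>[\w-]+)/(?P<proto>tcp|udp): bind: Address already in use")

def parse_bind_failures(syslog_lines):
    """Return {(service, proto): number of log lines} for inetd bind failures."""
    failures = {}
    for line in syslog_lines:
        m = BIND_RE.search(line)
        if m:
            key = (m.group("service"), m.group("proto"))
            failures[key] = failures.get(key, 0) + 1
    return failures

def parse_inetd_conf(conf_lines):
    """Return the set of (service, proto) pairs inetd is configured to serve."""
    configured = set()
    for line in conf_lines:
        fields = line.split("#", 1)[0].split()  # drop comments, then whitespace-split
        if len(fields) >= 6 and fields[2] in ("tcp", "udp"):
            configured.add((fields[0], fields[2]))
    return configured

def parse_listeners(netstat_lines):
    """Return {(port, proto)} for bound server sockets in BSD-style 'netstat -an' output.

    TCP sockets count only in LISTEN state; UDP lines have no state column, so
    every bound UDP socket counts.
    """
    listeners = set()
    for line in netstat_lines:
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue
        proto = fields[0][:3]
        port = fields[3].rsplit(".", 1)[-1]  # "*.110" or "192.0.2.10.23" -> port
        if not port.isdigit():
            continue
        if proto == "udp" or (len(fields) >= 6 and fields[5] == "LISTEN"):
            listeners.add((int(port), proto))
    return listeners

def diagnose(syslog_lines, conf_lines, netstat_lines):
    """Map each failed (service, proto) to a one-line verdict."""
    failures = parse_bind_failures(syslog_lines)
    configured = parse_inetd_conf(conf_lines)
    listeners = parse_listeners(netstat_lines)
    verdicts = {}
    for (service, proto), count in sorted(failures.items()):
        port = SERVICE_PORTS.get(service)
        if port is None:
            verdict = "unknown service: add it to SERVICE_PORTS"
        elif (service, proto) not in configured:
            verdict = "not in this inetd.conf: inetd is reading a different file"
        elif (port, proto) in listeners:
            # inetd failed to bind, so whatever listens here is another process.
            verdict = ("duplicated daemon: another process holds port %d/%s, remove it "
                       "from inetd.conf or from the startup scripts (%d log lines)"
                       % (port, proto, count))
        else:
            verdict = "port %d/%s free now: the other process is gone, restart inetd" % (port, proto)
        verdicts[(service, proto)] = verdict
    return verdicts

# Constructed samples, modelled on the log lines in the post above.
SYSLOG = """\
May 31 04:11:21 www inetd[115]: pop3/tcp: bind: Address already in use
May 31 04:11:21 www inetd[115]: imap/tcp: bind: Address already in use
May 31 04:11:21 www inetd[115]: finger/tcp: bind: Address already in use
May 31 04:11:21 www inetd[115]: telnet/tcp: bind: Address already in use
May 31 04:11:21 www inetd[115]: ftp/tcp: bind: Address already in use
May 31 04:11:22 www sendmail[120]: starting daemon: SMTP""".splitlines()

INETD_CONF = """\
# service socktype proto wait user server args
ftp     stream tcp nowait root   /usr/sbin/ftpd    ftpd -l
telnet  stream tcp nowait root   /usr/sbin/telnetd telnetd
finger  stream tcp nowait nobody /usr/sbin/fingerd fingerd
pop3    stream tcp nowait root   /usr/sbin/popper  popper
imap    stream tcp nowait root   /usr/sbin/imapd   imapd""".splitlines()

NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  *.110                  *.*                    LISTEN
tcp        0      0  *.143                  *.*                    LISTEN
tcp        0      0  *.79                   *.*                    LISTEN
tcp        0      0  *.25                   *.*                    LISTEN
tcp        0      0  192.0.2.10.23          198.51.100.7.2820      TIME_WAIT
udp        0      0  *.514                  *.*""".splitlines()

if __name__ == "__main__":
    for (service, proto), verdict in diagnose(SYSLOG, INETD_CONF, NETSTAT).items():
        print("%s/%s: %s" % (service, proto, verdict))
```

In the sample, pop3, imap and finger come back as duplicated daemons (a standalone popper, imapd and fingerd are holding the ports), while telnet and ftp are reported free: the only port 23 entry is a TIME_WAIT connection, not a listener. netstat -an alone does not say which process owns a socket; where available, lsof -i or fstat give the owner, and that is the process to remove from either inetd.conf or the startup scripts.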
From owner-firewalls-outgoing Thu Jul 3 09:57:21 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA03859 for firewalls-outgoing; Thu, 3 Jul 1997 09:31:15 -0700 (PDT) Received: from bbnplanet.com (mail.bbnplanet.com [198.114.157.21]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id JAA03780 for ; Thu, 3 Jul 1997 09:30:51 -0700 (PDT) Received: from jdana.bbnplanet.com by mail.bbnplanet.com id aa11990; 3 Jul 97 12:32 EDT Message-Id: <2.2.32.19970703162949.00d8ab94@mail.bbnplanet.com> X-Sender: jdanahy@mail.bbnplanet.com X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Thu, 03 Jul 1997 12:29:49 -0400 To: Mark Teicher From: Jack Danahy Subject: Re: Sheepskin versus work experience Cc: Jack Danahy , "firewalls@GreatCircle.COM" , "masantis@ntmail.askin.es" , "'Char_Sample@notes.pw.com'" , "pnash@hanshan.bbnplanet.com" , "adam@homeport.org" , "craigaa@iafrica.com" , "Mark H. Teicher " , "Judge, Joseph" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk [ NOTE: This hasn't anything to do with firewalls. In as much as the question has been posed through the list, here is my response. Please forward any further discussion in email. I won't be posting anything else on this thread to this list, as I don't think it's an appropriate topic. ] At 10:45 AM 7/3/97 -0400, Mark Teicher wrote: >What does an employer look at when evaluating a consultant or possibly new >employee, whether they have sheepskin or the work experience to fulfill the >job requirements and assist the company in being successful? Why is it so >important to have a degree in today's world? Does it make you a better >person? What is the difference between a recent graduate and a sysadmin who >has over 20 years experience?
> > >/mark IMHO Let's start with the real question behind the statement: "Why are non-degreed people immediately precluded from some jobs simply because they don't possess a degree when they could -easily- perform the job." I think this is a fair question, and my answer is that, for many large companies, it is largely a question of filtering. The principle followed is that the existence of formalized education in a particular discipline provides a relatively objective proof that someone possesses a minimum level of knowledge about that discipline. Do lots of non-degreed people know more than that? Absolutely!! But let's look at it pragmatically. A large software or hardware vendor hires 100's of people every year. Those 100's of people reflect the distillation of 10's of thousands of resumes. The talented folk in HR and Personnel are typically the first line of defense in sorting through a blizzard of resumes, and they, rightfully, need criteria for sorting. I, as the hiring body, owe them some discrete criteria to evaluate candidates -before- I ever meet them or speak with them. Now, as I cast about for people, I could spend hours with HR describing a pattern of career roles and industry contributions that would result in an adequate baseline of experience for a particular job. Things like: "Programmed in this", "Architected that", "Taught this", "Presented that". They could, in turn, look for resumes that met that variety of criteria. After this initial sort, I would need to telephone screen each of the individuals to understand whether they had actually done all of these things. Or, I could say: BS/MS Comp Sci., Comp Eng / 1-3 Years Dev Exp Done. I was going to write a good deal more, but this has absolutely nothing to do with Firewalls, so I'm done with this thread. Again, if anyone wants to pursue this further, let's do it in email. Sorry for the diversion.
Jack Jack Danahy jdanahy@bbn.com Manager of Engineering (617) 873-4418 Network Security Services BBN Corporation "I'm only speaking for myself, here, not for BBN." From owner-firewalls-outgoing Thu Jul 3 10:11:34 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id AAA05792 for firewalls-outgoing; Thu, 3 Jul 1997 00:16:20 -0700 (PDT) Received: from polaris.pacificnet.net (polaris.pacificnet.net [207.171.0.250]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id AAA05747 for ; Thu, 3 Jul 1997 00:16:09 -0700 (PDT) Received: from default (pm14-11.pacificnet.net [207.171.10.44]) by polaris.pacificnet.net (8.8.5/8.8.5) with SMTP id AAA23923; Thu, 3 Jul 1997 00:09:44 -0700 (PDT) Message-ID: <33BB53E7.583F@pacificnet.net> Date: Thu, 03 Jul 1997 00:25:27 -0700 From: "osiris@pacificnet.net" Reply-To: osiris@pacificnet.net X-Mailer: Mozilla 3.01 (Win95; I) MIME-Version: 1.0 To: Harry Mantakos CC: firewalls@GreatCircle.COM Subject: Re: Microsoft plans to offer a firewall References: <199707030318.XAA11240@kiri.meretrix.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Yeah, incredible but true. However, for those that are genuinely interested, the full URL to that document is here: http://www.microsoft.com/proxy/common/Coopers.exe A few noteworthy points...According to M$: "Coopers & Lybrand LLP (C&L) conducted a four phase evaluation program that reviewed Installation, Configuration, Security Feature Analysis, and Penetration Testing in an effort to "unearth" any security vulnerabilities of Microsoft Proxy Server." C&L claim that the product withstood attacks from "...well-known and well documented tools, such as the public domain tools Internet Security Scanner and Satan..." 
Immediately following this, C&L advises that "...without careful installation, monitoring, and observation, any computing product or system may be vulnerable to exploitation..." In other words, "..we evaluated this product, but we cannot vouch for it, nor place our reputation on the line." Moreover (and even more incredibly) C&L go on to say that the Proxy Server uses NT 4.0 as its platform and therefore, 4.0's IP forwarding "may" present some security issues. Let me repeat that: IP forwarding MAY present some security issues. Whatever. Meanwhile, are they saying that if a target survives a scan by SafeSuite or SATAN, that it's okay? (Maybe Ballista would have been a better choice as it is a more recent development. I wonder, did they try scanning it with Jakal?) Okay enough to give it this "Security Seal of Approval" that M$ is parading around? Hahahaha. Not the Security Seal of Approval. Anything but that. That - and about 1.75 - will get you... From owner-firewalls-outgoing Thu Jul 3 10:20:30 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA08186 for firewalls-outgoing; Thu, 3 Jul 1997 09:52:32 -0700 (PDT) Received: from mail.sla.com (mail1.sla.com [207.153.168.35]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id JAA08007; Thu, 3 Jul 1997 09:51:42 -0700 (PDT) Received: by mail1.sla.com with Internet Mail Service (5.0.1457.3) id <3B2FB27R>; Thu, 3 Jul 1997 09:55:17 -0700 Message-ID: <31557D725263D011B53A0060974FB8DC028BAB@mail1.sla.com> From: "Stackpole, Bill" To: "'Fernando da Silveira Montenegro'" , Firewalls@GreatCircle.COM Cc: "'firewalls@greatcircle.com'" Subject: RE: IP Filters? 
Date: Thu, 3 Jul 1997 09:55:16 -0700 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1457.3) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I've never built an access list with more than 50 entries and I've never noticed any significant performance problems even on a 2500 series. There are some techniques you can use to speed up access list processing. Remember a Cisco list is exited on the first true so you can add lines like: ! TCP or UDP Ports above the last service you are permitting ! this is done to speed up the list processing access-list 101 deny tcp any host 255.255.255.255 gt 80 access-list 101 deny udp any host 255.255.255.255 gt 19 just before all the specific rules to speed up list processing. "Simplify - There is no value in complexity, it's too difficult to manage." Bill Stackpole, CISSP Seitel Leeds & Associates Voice: 206.283.4355 2 Nickerson St. Suite 201 Email: bstackpole@sla.com Seattle, Wa 98109 > -----Original Message----- > From: Fernando da Silveira Montenegro [SMTP:montenegro@nutec.com.br] > Sent: Thursday, July 03, 1997 4:43 AM > To: Firewalls@GreatCircle.COM > Subject: IP Filters? > > Hello all! > > What seems to be the general consensus on how many filtering rules one > can > configure on a router without imposing a noticeable performance > penalty: > 10? 50? 100? > > I know it probably varies wildly with the equipment you use (2501 x > 7500, > for instance), but is anybody running a Cisco 4000 with more than, > say, > 100 rules for each filter applied to an interface? The router has 8MB, > and > is talking two T1s (bonded, no multihoming). > > We plan to tighten up our environment a bit (too many DoS attacks for > our > liking), and are considering also stricter filters on our terminal > servers > (PortMaster2 units from Livingston). Same question applies: how many > filters on a 1MB PM2?
> > The problem is that the environment being protected is an ISP, so the > typical "block unless needed" stance doesn't apply. > > Thanks in advance. I'll summarize later if there's interest. > > Regards, > Fernando > > ObFirewall: Filtering is one element of our security architecture, > which > is migrating to a secure subnet protected by app.level firewall, and > is, > as usual, the first line of defense. > -- > Fernando da Silveira Montenegro Nutec Informatica > System/Network Administrator Sao Paulo, SP, BRAZIL > mailto:montenegro@nutec.com.br http://www.nutecnet.com.br > voice.:+55-11-5505-5728 #include > > From owner-firewalls-outgoing Thu Jul 3 10:34:10 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA29532 for firewalls-outgoing; Thu, 3 Jul 1997 09:09:30 -0700 (PDT) Received: from gauntlet.bridge.com (gkbkup2.bridge.com [167.76.159.20]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id JAA29507 for ; Thu, 3 Jul 1997 09:09:22 -0700 (PDT) Received: by gauntlet.bridge.com; id LAA07423; Thu, 3 Jul 1997 11:11:50 -0500 (CDT) Received: from dns1srv.bridge.com(167.76.36.6) by gauntlet.bridge.com via smap (3.2) id xma007413; Thu, 3 Jul 97 11:11:39 -0500 Received: from binki.bridge.com (binki.bridge.com [167.76.24.243]) by dns1srv.bridge.com (8.7.6/8.7.3) with ESMTP id LAA03465 for ; Thu, 3 Jul 1997 11:12:08 -0500 (CDT) Received: (from ken@localhost) by binki.bridge.com (8.7/8.7) id LAA23825 for firewalls@greatcircle.com; Thu, 3 Jul 1997 11:12:50 -0500 (CDT) Date: Thu, 3 Jul 1997 11:12:50 -0500 (CDT) From: Ken Hardy Message-Id: <199707031612.LAA23825@binki.bridge.com> To: firewalls@greatcircle.com Subject: global whois servers ?? X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I'm trying to determine who's up to some mischief as indicated by my firewall logs. They're coming from a .com.au domain. 
I'm aware of rs.internic.net for US domains and whois.ripe.net for European, but what about .au, etc. Does anyone know of a comprehensive list of whois server (or other means) for learning information about various domains around the world, such as contacts? Thanks. -- KH From owner-firewalls-outgoing Thu Jul 3 10:46:44 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA19907 for firewalls-outgoing; Thu, 3 Jul 1997 07:46:21 -0700 (PDT) Received: from mail.clark.net (mail.clark.net [168.143.0.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA19900 for ; Thu, 3 Jul 1997 07:46:12 -0700 (PDT) Received: from user (179.tampa-002.fl.dial-access.att.net [207.146.89.179]) by mail.clark.net (8.8.5/8.6.5) with SMTP id KAA09440; Thu, 3 Jul 1997 10:46:25 -0400 (EDT) Message-Id: <3.0.1.32.19970703104516.008bd7f0@clark.net> X-Sender: mht@clark.net X-Mailer: Windows Eudora Pro Version 3.0.1 (32) Date: Thu, 03 Jul 1997 10:45:16 -0400 To: Jack Danahy , "firewalls@GreatCircle.COM" From: Mark Teicher Subject: Re: Sheepskin versus work experience Cc: "masantis@ntmail.askin.es" , "'Char_Sample@notes.pw.com'" , "pnash@hanshan.bbnplanet.com" , "adam@homeport.org" , "craigaa@iafrica.com" , "Mark H. Teicher " , "Judge, Joseph" In-Reply-To: <2.2.32.19970630215047.00c0b78c@mail.bbnplanet.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk What does an employer look at when evaluating a consultant or possibly new employee, whether they have sheepskin or the work experience to fulfill the job requirements and assist the company being successful.. ? Why is it so important to have a degree in today's world? Does it make you a better person? What the difference between a recent graduate than a sysadmin who has over 20 years experience? 
/mark ######################################################### 'Turn on, Boot Up, Jack in' ######################################################### From owner-firewalls-outgoing Thu Jul 3 11:11:01 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA20537 for firewalls-outgoing; Thu, 3 Jul 1997 10:47:07 -0700 (PDT) Received: from kani.wwa.com (kani.wwa.com [198.49.174.58]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id KAA20488 for ; Thu, 3 Jul 1997 10:46:54 -0700 (PDT) Received: from nicorinc.com/smtp.nicorenergy.com [207.241.20.98] by kani.wwa.com with smtp (Smail3.2.WWA) id m0wjq0X-003pjrC; Thu, 3 Jul 1997 12:49:31 -0500 (CDT) Received: from DOMAINGO-Message_Server by nicorinc.com with Novell_GroupWise; Thu, 03 Jul 1997 12:49:25 -0500 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Thu, 03 Jul 1997 12:49:04 -0500 From: LARRY HUNKA Reply-To: LHunka@nicorinc.com To: Firewalls@GreatCircle.COM Subject: Firewalls-Digest V6 #313 -Reply Mime-Version: 1.0 Content-Type: text/plain Content-Disposition: inline Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I'll be out of the office until 7/7/97. I'll respond at that time... 
From owner-firewalls-outgoing Thu Jul 3 12:02:50 1997
From: hartmut.fehling@hamburg.netsurf.de
To: Firewalls@GreatCircle.COM
Date: Thu, 3 Jul 1997 18:20:31 -0000
Message-ID: <19970703181733.hartmut.fehling@hamburg.netsurf.de>
In-Reply-To: <199707021820.LAA00955@honor.greatcircle.com>
Subject: Calling the Horde

Hi,

I just installed Checkpoint's Firewall-1 in a cascaded configuration with a proxy and could not detect any security holes myself using standard security scanners.

In order to make a really tough test before I actually connect the gateway to our network, I could ask some people I know in the Underground to spread the IP-Address, maybe the HW/SW-Configuration and perhaps even the FW-1-Settings and invite the guys to try it out and break in (into the empty network behind it).

Question: Is this a wise thing to do / Has anybody "invited" Hackers in such a fashion?

(I trust security consultants to help me set up a secure site, but not to drive a serious attack as a test)

TIA,
Hartmut Fehling

From owner-firewalls-outgoing Thu Jul 3 12:30:29 1997
Message-Id: <3.0.1.32.19970703121425.006ca360@lint.cisco.com>
Date: Thu, 03 Jul 1997 12:14:25 -0400
To: "Fernando da Silveira Montenegro"
From: Paul Ferguson
Subject: Re: IP Filters?
Cc: Firewalls Mailing List
In-Reply-To: <9707030835.aa04683@canario.nutec.com.br>

In all recent releases of cisco IOS (since about 11.0(x) or so), extended access-filter lists are in the fast-switching path, so there should be negligible performance impact. Having said that, however, it stands to reason that the more access-lists that must be parsed, the greater impact it has on the forwarding performance.

I would also suggest that it makes a world of difference exactly how you are implementing your access-lists, i.e. explicit permits with implicit denials vs. explicit denials with an explicit permit *; the former is a much more preferable method of allowing service through a filtering router than the latter.

In any event, the only hard limits on access-lists are (a) the numerical limitation of numbered access-lists (99 per list type), and (b) the amount of nvram used to store the router configuration. Issue (a) has been eliminated with the integration of "named" access lists, which are not bound by the numerical limitation.

- paul

At 08:42 AM 07/03/97 -0300, Fernando da Silveira Montenegro wrote:
>Hello all!
>
>What seems to be the general consensus on how many filtering rules one can
>configure on a router without imposing a noticeable performance penalty:
>10? 50? 100?
>
>I know it probably varies wildly with the equipment you use (2501 x 7500,
>for instance), but is anybody running a Cisco 4000 with more than, say,
>100 rules for each filter applied to an interface? The router has 8MB, and
>is talking two T1s (bonded, no multihoming).
>
>We plan to tighten up our environment a bit (too many DoS attacks for our
>liking), and are considering also stricter filters on our terminal servers
>(PortMaster2 units from Livingston). Same question applies: how many
>filters on a 1MB PM2?
>
>The problem is that the environment being protected is an ISP, so the
>typical "block unless needed" stance doesn't apply.
>
>Thanks in advance. I'll summarize later if there's interest.
>
>Regards,
>Fernando
>
>ObFirewall: Filtering is one element of our security architecture, which
>is migrating to a secure subnet protected by app.level firewall, and is,
>as usual, the first line of defense.
>--
>Fernando da Silveira Montenegro          Nutec Informatica
>System/Network Administrator             Sao Paulo, SP, BRAZIL
>mailto:montenegro@nutec.com.br           http://www.nutecnet.com.br
>voice.:+55-11-5505-5728                  #include
>

--
Paul Ferguson                             ||        ||
Consulting Engineering                    ||        ||
Herndon, Virginia USA                    ||||      ||||
tel: +1.703.397.5938                 ..:||||||:..:||||||:..
e-mail: pferguso@cisco.com           c i s c o  S y s t e m s

From owner-firewalls-outgoing Thu Jul 3 13:34:17 1997
Date: Thu, 3 Jul 1997 15:00:20 -0400 (EDT)
From: Brian Mitchell
To: Fernando da Silveira Montenegro
cc: Firewalls@GreatCircle.COM
Subject: Re: IP Filters?
In-Reply-To: <9707030835.aa04683@canario.nutec.com.br>

On Thu, 3 Jul 1997, Fernando da Silveira Montenegro wrote:

> Hello all!
>
> What seems to be the general consensus on how many filtering rules one can
> configure on a router without imposing a noticeable performance penalty:
> 10? 50? 100?
>
> I know it probably varies wildly with the equipment you use (2501 x 7500,
> for instance), but is anybody running a Cisco 4000 with more than, say,
> 100 rules for each filter applied to an interface? The router has 8MB, and
> is talking two T1s (bonded, no multihoming).

If you do stuff like handle the most frequent packets first (say an established entry as the first rule) you shouldn't have too much of a performance problem. The key is getting the majority of packets evaluated at the very beginning, leaving the somewhat unusual packets near the end.

>
> We plan to tighten up our environment a bit (too many DoS attacks for our
> liking), and are considering also stricter filters on our terminal servers
> (PortMaster2 units from Livingston). Same question applies: how many
> filters on a 1MB PM2?

Denial of service attacks are essentially impossible to defeat. They will always be there in one form or another.

Brian Mitchell                                  brian@firehouse.net
"BSD code sucks. Of course, everything else sucks far more." - Theo de Raadt

From owner-firewalls-outgoing Thu Jul 3 13:41:37 1997
Message-Id: <33BB6919.7FB6@hotmail.com>
Date: Thu, 03 Jul 1997 05:05:45 -0400
From: DECkedout
To: Leonid S Knyshov, firewalls@GreatCircle.COM
Subject: Re: ICQ network
References: <33B8B3E2.2B40@hotmail.com> <19970701.195924.14390.3.wiseleo@juno.com>

That is the best idea I've heard of yet. I'd like them to see if they can handle the rigors of releasing questionable software and trying to get it patented... I sure have a few questions of my own. Personally, my bet is that they stay out of the spotlight until they become commercial, then they don't have to release anything except technical support for morons. Well folks, let's see who joins the party.

-DECkedout

Leonid S Knyshov wrote:
>
> Hi everyone,
>
> I sent an invitation to Mirabilis with instructions on how to join this
> mailing list, hopefully we'll get some answers soon.
> ***
> Leonid Knyshov AKA Wise_One
> http://kiassociates.com/computerhelp
> http://kiassociates.com/computerhelp/personal
> For file attachments please use wiseleo@hotmail.com and send a note about
> it here :)
>
> On Tue, 01 Jul 1997 03:38:10 -0400 DECkedout
> writes:
> >Joe Pollock wrote:
> >>
> >> One of my users sent me a spam message concerning the ICQ ("I Seek You")
> >> Network, which claims to reduce an individual's Net identity to a single
> >why they haven't released hard facts to the public. Does anyone know
> >anyone from Mirabilis? I have a lot of questions about it.... It
> >definitely raises an eyebrow or two...
> >-DECkedout

From owner-firewalls-outgoing Thu Jul 3 14:05:55 1997
Message-ID: <3F8FEAE41F94D0119CE900805FFECA1201046547@roc01bxgeisge.is.ge.com>
From: "Safier, Adam (GEIS)"
To: Scott_Thomas@em.fcnbd.com
Cc: "Firewalls@GreatCircle. COM (E-mail)"
Subject: RE: Firewalls-Digest V6 #312
Date: Thu, 3 Jul 1997 16:11:43 -0400

Whenever I don't see a transmission returned I first check routing tables and IP masks. Especially if you are using manual routing.

In your case it sounds like the routing works without the firewall so check your valid interface permissions in the gateway objects screen. Try turning off any protection against spoofing (valid is 'any' or no checking). That can block your outbound traffic as effectively as a bad route.

Adam
---------------
Adam Safier, Network Engineer/Security Consultant
GE Information Services, Inc
401 North Washington St., Rockville, Md. 20850
Ph: 301-340-5737  8*273-5737
Adam.Safier@geis.ge.com
The opinions expressed may not be shared by my employer.
I'm proud to live in a country where I can express them.
---------------

> -----Original Message-----
> From: firewalls-digest-owner@GreatCircle.COM
> [SMTP:firewalls-digest-owner@GreatCircle.COM]
> Sent: Wednesday, July 02, 1997 2:21 PM
> To: firewalls-digest@GreatCircle.COM
> Subject: Firewalls-Digest V6 #312
>
>
> Firewalls-Digest      Wednesday, July 2 1997      Volume 06 : Number 312
>
>
>
> Date: Wed, 2 Jul 1997 09:41:03 -0500
> From: Scott_Thomas@em.fcnbd.com
> Subject: [none]
>
> To All:
>
> Our company is implementing SAP in all of its locations. Our desire
> is to have internal firewalls between the main corporate location and
> outer offices. We have attempted to run FW-1 in two locations so far
> with the same result. If a user at the outer office runs an SAP
> process that only involves one UNIX host at the main office it works
> fine.
>
> When the SAP process involves more than one host the returned
> transmission is never received, although it seems to leave the UNIX
> host. Currently our production host is only one HP 9000 and is
> working fine. Our staging and development areas involve multiple HP
> 9000's that run processes between each other and transmissions get
> lost.
>
> If we drop the firewall daemon and let traffic pass through the Sparc
> station this process works fine with multiple HP hosts. In
> troubleshooting we have gone so far as to add a #1 rule for
> ANYtoANYtoANY and it still does not work. This has stumped both our
> local FW1 vendor as well as SUN support.
>
> Has anyone run into a similar problem? As far as FW1 goes everything we
> attempt to pass through it is correctly filtered except where multiple
> UNIX hosts are involved.
>
> Any help is appreciated...
>
> Scott Thomas
> Systems Officer
> 847-622-5762
>

From owner-firewalls-outgoing Thu Jul 3 14:23:37 1997
Message-Id: <97Jul3.145853cdt.36914@igate.panenergy.com>
Date: Thu, 3 Jul 1997 15:00:45 -0500
To: Firewalls@GreatCircle.COM
From: Robert Laird
Subject: Slightly Off Topic: A security issue

Since my new Web server is going to sit outside the firewall, I'm wondering if MS IIS or Netscape's Enterprise is "more secure" than the other? Obviously, I'm not putting anything on it that is anything other than public information, and it will be monitored daily for intrusion, and there won't be any user log-ins other than necessary.

Any thoughts/comments for a newbie?

Thanks!
--
Robert
mailto:rlaird@panenergy.com

From owner-firewalls-outgoing Thu Jul 3 14:34:21 1997
Message-Id: <3.0.32.19970703163433.00ba9100@tgate.pdv.de>
Date: Thu, 03 Jul 1997 16:34:33 -0500
To: firewalls@greatcircle.com
From: Dirk Nerling
Subject: need suggestion xntpd a security hole ???

Hello all,

I plan to update the time of our internal net from an Internet Time Server on a regular basis. Does anybody of you know something about the xntpd? Any intrusion listed? What do the experts suggest?

so long
Dirk
--
Milky Way - Sol System - Earth - Europe - Germany - Thuringia - Erfurt
http://wall.pdv.de/~nerle

From owner-firewalls-outgoing Thu Jul 3 15:32:38 1997
Date: Thu, 3 Jul 1997 13:19:15 -0500 (CDT)
From: Ken Hardy
Message-Id: <199707031819.NAA23944@binki.bridge.com>
To: montenegro@nutec.com.br, Firewalls@GreatCircle.COM, BSTACKPO@sla.com
Subject: RE: IP Filters?
Cc: firewalls@GreatCircle.COM

"Stackpole, Bill" wrote:
>There are some techniques you can use to speed up access list
>processing. Remember a Cisco list is exited on the first true so you
>can add lines like:
>
> ! TCP or UDP Ports above the last service you are permitting
> ! this is done to speed up the list processing
> access-list 101 deny tcp any host 255.255.255.255 gt 80
> access-list 101 deny udp any host 255.255.255.255 gt 19
>
>just before all the specific rules to speed up list processing.
Seems to me that that would speed things up most *if* the most common packets were those you're denying. Hopefully people are not continually banging on your router with prohibited traffic, and most of the packets it needs to process are those that are specifically allowed. In such a case, wouldn't it make more sense to put the rules that *allow* the most common traffic first? Just guessing, but you ought to be able to get 80%-90% or more of all packets to hit within the first half-dozen or so rules. -- KH From owner-firewalls-outgoing Thu Jul 3 15:35:00 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA27468 for firewalls-outgoing; Thu, 3 Jul 1997 13:42:46 -0700 (PDT) Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA27237 for ; Thu, 3 Jul 1997 13:41:31 -0700 (PDT) Received: from mailhost.dircon.co.uk (mailhost.dircon.co.uk [194.112.32.10]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with ESMTP id NAA01791 for ; Thu, 3 Jul 1997 13:21:07 -0700 (PDT) Received: from wend.dircon.co.uk (wend.dircon.co.uk [194.112.45.154]) by mailhost.dircon.co.uk (8.8.4/8.7.3) with ESMTP id VAA19071; Thu, 3 Jul 1997 21:18:33 +0100 (BST) Received: from localhost (dwhitlow@localhost) by wend.dircon.co.uk (8.8.5/8.8.5) with SMTP id VAA00562; Thu, 3 Jul 1997 21:11:34 +0100 Date: Thu, 3 Jul 1997 21:11:33 +0100 (BST) From: Dave Whitlow To: Ken Hardy cc: firewalls@GreatCircle.COM Subject: Re: global whois servers ?? In-Reply-To: <199707031612.LAA23825@binki.bridge.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thu, 3 Jul 1997, Ken Hardy wrote: > I'm trying to determine who's up to some mischief as indicated by my > firewall logs. They're coming from a .com.au domain. 
I'm aware of > rs.internic.net for US domains and whois.ripe.net for European, but what > about .au, etc. > Does anyone know of a comprehensive list of whois server (or other > means) for learning information about various domains around the world, > such as contacts? Thanks. The third one, covering Asia-Pacific (including au) is APNIC. Access their server at www.apnic.net. There are country servers within apnic area which are also searchable and have links from the APNIC server. I find whois via www.thnic.net is useful for querying any of the NIC databases. Cheers, Dave ------------------------------------------------------------------------- Dave Whitlow Tel: +44-(0)181-861-2001 Idsec Ltd Fax: +44-(0)181-861-3433 Suite A, 31-33 College Road, Mail: dwhitlow@idsec.co.uk Harrow, HA1 1EJ, UK Web: http://www.idsec.co.uk From owner-firewalls-outgoing Thu Jul 3 15:44:48 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA21456 for firewalls-outgoing; Thu, 3 Jul 1997 13:07:06 -0700 (PDT) Received: from srv1-poa.nutecnet.com.br (srv1-poa.nutecnet.com.br [200.248.149.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA21241 for ; Thu, 3 Jul 1997 13:06:20 -0700 (PDT) Received: from nutspgw.nutec.com.br ([200.246.248.99]) by srv1-poa.nutecnet.com.br (8.8.5/SCA-6.6) with SMTP id RAA07314; Thu, 3 Jul 1997 17:56:58 -0200 (EDT) Received: from nutspgw.nutec.com.br by canario.nutec.com.br id aa11958; 3 Jul 97 15:50 GMT From: "Fernando da Silveira Montenegro" To: "Ken Hardy" Cc: "Lista Firewalls" Received: from cancun.sao.nutecnet.com.br ([200.246.248.224]) by firewall.nutec.com.br via smtpd (for canario.nutec.com.br [192.168.2.2]) with SMTP; 3 Jul 1997 16:00:15 UT Subject: Re: IP Filters? 
Date: Thu, 3 Jul 1997 15:57:51 -0300 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.71.0926.0 X-MimeOLE: Produced By Microsoft MimeOLE Engine V4.71.0926.0 Message-ID: <9707031550.aa11958@canario.nutec.com.br> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi! >Just guessing, but you ought >to be able to get 80%-90% or more of all packets to hit within the first >half-dozen or so rules. If you sort your rules nicely, you can decide on the majority of the packets within the first few rules. The problem arises when you specify a number of denys before the catch-all permit rule (remember, my environment is an ISP, where high ports are allowed and expected). For instance, if you look at the numbers below, you'll see that a LOT of UDP traffic (over 99.5% of it, as a matter of fact) had to follow at least 3 UDP-only rules, and that's because I can use the "range" operator (on other filtering engines, such as Livingston's, I'd need an additional 4 rules). With TCP, the number is a bit better because the huge huge majority (93.5%) matches the first rule, for "established" connections, but still, each server that I describe (such as the ficticious SMTP server below) adds more and more TCP rules. And I have quite a few servers... 
    permit tcp any any established (73048149 matches)
    deny udp any any range 135 139 (176027 matches)
    deny udp any any eq sunrpc
    deny udp any any eq 2049 (164 matches)
    permit udp any any (36431719 matches)
    permit tcp any host 192.168.1.1 eq smtp (53081 matches)
    permit tcp any host 192.168.1.1 eq 113 (240630 matches)
    deny tcp any host 192.168.1.1 (520 matches)
    deny tcp any any range 135 139 (407 matches)
    deny tcp any any eq sunrpc
    deny tcp any any eq 2049 (38 matches)
    permit tcp any any (4749786 matches)
    permit icmp any any (837948 matches)

I don't know how the routers implement the filtering mechanism (separate
table for UDP, TCP, IP, ICMP, ...?) but in the worst case (simple table
lookup), I'll have to have 5% of my TCP traffic go through 150-200 rules.
That is what worries me.

Am I making sense or just making a fool of myself by having this concern?
I mean, is the performance penalty noticeable?

>--
>KH
>

Fernando
--
Fernando da Silveira Montenegro       Nutec Informatica
System/Network Administrator          Sao Paulo, SP, BRAZIL
mailto:montenegro@nutec.com.br        http://www.nutecnet.com.br
voice.:+55-11-5505-5728               #include

From owner-firewalls-outgoing Thu Jul 3 16:05:17 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA19271 for firewalls-outgoing; Thu, 3 Jul 1997 10:41:33 -0700 (PDT)
Received: from mail.jet.es (jet.es [194.179.100.15]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id KAA19055 for ; Thu, 3 Jul 1997 10:40:43 -0700 (PDT)
Received: from hackenbush.ugm.fre (tony@info47.jet.es [194.224.180.47]) by mail.jet.es (8.8.5/8.8.5) with ESMTP id RAA18969; Thu, 3 Jul 1997 17:45:48 -0100 (GMT)
Received: from hackenbush (tony@hackenbush [192.168.0.1]) by hackenbush.ugm.fre (8.8.3/8.8.3) with SMTP id SAA00315; Thu, 3 Jul 1997 18:21:28 +0200
Date: Thu, 3 Jul 1997 18:21:28 +0200 (MET DST)
From: Tony
X-Sender: tony@hackenbush
To: "Kelly E. Gibbs"
cc: Anton J Aylward , firewalls@GreatCircle.COM
Subject: Re: Microsoft plans to offer a firewall
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 2 Jul 1997, Kelly E. Gibbs wrote:

> go up against the supreme deliverer of software. Gee, if Hitler were
> around he'd love to be in Bill Gates' shoes: World Dominance - what a
> concept! Same principle - just applied to software that's all.

is Bill Gates the antichrist? :-))))

Quidquid latine dictum sit, altum viditur.
(Whatever is said in Latin sounds profound.)

From owner-firewalls-outgoing Thu Jul 3 16:19:36 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA12805 for firewalls-outgoing; Thu, 3 Jul 1997 14:48:02 -0700 (PDT)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id OAA11181 for ; Thu, 3 Jul 1997 14:41:30 -0700 (PDT)
Received: from mail1.noc.netcom.net (mail1.noc.netcom.net [204.31.1.150]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with ESMTP id OAA02444 for ; Thu, 3 Jul 1997 14:17:25 -0700 (PDT)
Received: from cayman.gblhorizon.com ([206.86.247.28]) by mail1.noc.netcom.net (8.8.5/8.8.5) with SMTP id OAA07677 for ; Thu, 3 Jul 1997 14:09:28 -0700 (PDT)
Received: by cayman.gblhorizon.com (SMI-8.6/SMI-SVR4) id QAA04500; Thu, 3 Jul 1997 16:04:45 -0500
Date: Thu, 3 Jul 1997 16:04:45 -0500 (CDT)
From: Ken Jones
To: Firewalls@GreatCircle.COM
Subject: Re: IP Filters?
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 3 Jul 1997, Brian Mitchell wrote:

> If you do stuff like handle the most frequent packets first (say an
> established entry as the first rule) you shouldn't have too much of a
> performance problem. The key is getting the majority of packets evaluated
> at the very beginning, leaving the somewhat unusual packets near the end.
>

Beware of putting the established entry first. Your first rules should
deny spoofed packets from your internal ip addresses. If you allow
established packets first, then outsiders can send packets with IP
addresses spoofed to look like they are coming from inside your network..
it's a no no

Ken Jones

From owner-firewalls-outgoing Thu Jul 3 16:34:23 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA07894 for firewalls-outgoing; Thu, 3 Jul 1997 14:26:10 -0700 (PDT)
Received: from scifi.squawk.com (scifi.squawk.com [199.74.151.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id OAA07848 for ; Thu, 3 Jul 1997 14:25:49 -0700 (PDT)
Received: from localhost (njs@localhost) by scifi.squawk.com (8.8.5/8.8.5) with SMTP id RAA05035; Thu, 3 Jul 1997 17:28:42 -0400
Date: Thu, 3 Jul 1997 17:28:42 -0400 (EDT)
From: Nick Simicich
X-Sender: njs@scifi
To: Fernando da Silveira Montenegro
cc: Firewalls@GreatCircle.COM
Subject: Re: IP Filters?
In-Reply-To: <9707030835.aa04683@canario.nutec.com.br>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

One client reported enormous degradation on high volume applications with
even one filter rule.

On Thu, 3 Jul 1997, Fernando da Silveira Montenegro wrote:

> Date: Thu, 3 Jul 1997 08:42:35 -0300
> From: Fernando da Silveira Montenegro
> To: Firewalls@GreatCircle.COM
> Subject: IP Filters?
>
> Hello all!
>
> What seems to be the general consensus on how many filtering rules one can
> configure on a router without imposing a noticeable performance penalty:
> 10? 50? 100?
>
> I know it probably varies wildly with the equipment you use (2501 x 7500,
> for instance), but is anybody running a Cisco 4000 with more than, say,
> 100 rules for each filter applied to an interface? The router has 8MB, and
> is talking two T1s (bonded, no multihoming).
>
> We plan to tighten up our environment a bit (too many DoS attacks for our
> liking), and are considering also stricter filters on our terminal servers
> (PortMaster2 units from Livingston). Same question applies: how many
> filters on a 1MB PM2?
>
> The problem is that the environment being protected is an ISP, so the
> typical "block unless needed" stance doesn't apply.
>
> Thanks in advance. I'll summarize later if there's interest.
>
> Regards,
> Fernando
>
> ObFirewall: Filtering is one element of our security architecture, which
> is migrating to a secure subnet protected by app.level firewall, and is,
> as usual, the first line of defense.
> --
> Fernando da Silveira Montenegro       Nutec Informatica
> System/Network Administrator          Sao Paulo, SP, BRAZIL
> mailto:montenegro@nutec.com.br        http://www.nutecnet.com.br
> voice.:+55-11-5505-5728               #include
>
>

Of course my password is the same as my pet's name. My macaw's name was
Q47pY!3, but I change it every 90 days.
Nick Simicich mailto:njs@scifi.squawk.com or (last choice) mailto:njs@us.ibm.com
http://scifi.squawk.com/njs.html -- Stop by and Light Up The World!
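An added example, written for this archive and not taken from the thread or from Cisco: a first-match evaluator for the access-list style Fernando quotes. It re-creates his list, counts how many rules each packet traverses before a decision (the cost he asks about), and demonstrates Ken Jones's warning by placing an anti-spoof deny ahead of the established rule. The inside block 192.168.1.0/24, the sample packets and the prefix-length shorthand for addresses are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Service names used in the access-list output quoted in the thread.
NAMED_PORTS = {"smtp": 25, "sunrpc": 111}


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str            # source address
    dst: str            # destination address
    dport: int = 0      # destination port (0 for icmp)
    ack: bool = False   # ACK or RST bit set, which is what IOS "established" tests


@dataclass(frozen=True)
class Rule:
    action: str                        # "permit" or "deny"
    proto: str                         # "tcp", "udp", "icmp" or "ip" (any)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: Optional[Tuple[int, int]]  # inclusive destination port range, None = any
    established: bool


def parse_rule(line: str) -> Rule:
    """Parse the subset of IOS extended-ACL syntax seen in the thread:
    <permit|deny> <proto> <src> <dst> [eq PORT | range LO HI] [established]
    An address is 'any', 'host A.B.C.D' or, as a shorthand assumed here in
    place of the IOS wildcard-mask form, 'A.B.C.D/prefixlen'."""
    toks = line.split()
    action, proto, i = toks[0], toks[1], 2

    def addr() -> ipaddress.IPv4Network:
        nonlocal i
        if toks[i] == "any":
            i += 1
            return ipaddress.ip_network("0.0.0.0/0")
        if toks[i] == "host":
            i += 2
            return ipaddress.ip_network(toks[i - 1] + "/32")
        i += 1
        return ipaddress.ip_network(toks[i - 1])

    def port(tok: str) -> int:
        return int(NAMED_PORTS.get(tok, tok))

    src, dst = addr(), addr()
    dports, established = None, False
    while i < len(toks):
        if toks[i] == "eq":
            dports, i = (port(toks[i + 1]), port(toks[i + 1])), i + 2
        elif toks[i] == "range":
            dports, i = (port(toks[i + 1]), port(toks[i + 2])), i + 3
        elif toks[i] == "established":
            established, i = True, i + 1
        else:
            raise ValueError("unsupported token: " + toks[i])
    return Rule(action, proto, src, dst, dports, established)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("ip", pkt.proto)
            and ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst
            and (rule.dports is None or rule.dports[0] <= pkt.dport <= rule.dports[1])
            and (pkt.ack or not rule.established))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """Linear first-match lookup with the implicit deny at the end.
    Returns (action, number of rules examined before the decision)."""
    for n, rule in enumerate(rules, 1):
        if matches(rule, pkt):
            return rule.action, n
    return "deny", len(rules)


# Fernando's inbound list as quoted above, match counters stripped.
PAGE_ACL = [parse_rule(r) for r in (
    "permit tcp any any established",
    "deny udp any any range 135 139",
    "deny udp any any eq sunrpc",
    "deny udp any any eq 2049",
    "permit udp any any",
    "permit tcp any host 192.168.1.1 eq smtp",
    "permit tcp any host 192.168.1.1 eq 113",
    "deny tcp any host 192.168.1.1",
    "deny tcp any any range 135 139",
    "deny tcp any any eq sunrpc",
    "deny tcp any any eq 2049",
    "permit tcp any any",
    "permit icmp any any",
)]

# Constructed: the same list with Ken Jones's anti-spoof deny in front. The
# inside block 192.168.1.0/24 is an assumption; the thread does not state it.
ANTISPOOF_FIRST = [parse_rule("deny ip 192.168.1.0/24 any")] + PAGE_ACL

# Constructed packets arriving on the outside interface.
SPOOFED = Packet("tcp", "192.168.1.50", "192.168.1.1", 113, ack=True)  # forged inside source
NEW_SMTP = Packet("tcp", "10.9.8.7", "192.168.1.1", 25)                 # SYN, no ACK yet
PING = Packet("icmp", "10.9.8.7", "192.168.1.1")

if __name__ == "__main__":
    for name, rules in (("established first", PAGE_ACL), ("anti-spoof first", ANTISPOOF_FIRST)):
        for label, pkt in (("spoofed", SPOOFED), ("new smtp", NEW_SMTP), ("ping", PING)):
            action, n = evaluate(rules, pkt)
            print(f"{name:18} {label:9} -> {action:6} after {n:2} rule(s)")
```

With the established rule first the forged packet is permitted by rule 1; with the anti-spoof deny first it is dropped by rule 1, and every other packet pays exactly one extra rule lookup.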
From owner-firewalls-outgoing Thu Jul 3 17:48:25 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA07599 for firewalls-outgoing; Thu, 3 Jul 1997 14:24:04 -0700 (PDT)
Received: from ns.ge.com (ns.ge.com [192.35.39.24]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id OAA07514 for ; Thu, 3 Jul 1997 14:23:42 -0700 (PDT)
Received: from thomas.ge.com (thomas.ge.com [3.47.28.21]) by ns.ge.com (8.8.4/8.7.3) with ESMTP id RAA12644 for ; Thu, 3 Jul 1997 17:26:35 -0400 (EDT)
Received: from roc02bxhgeisge.is.ge.com (roc02bxhgeisge.is.ge.com [3.159.52.21]) by thomas.ge.com (8.8.4/8.7.5) with ESMTP id RAA26814 for ; Thu, 3 Jul 1997 17:26:04 -0400 (EDT)
Received: by roc02bxhgeisge.is.ge.com with Internet Mail Service (5.0.1458.49) id <3GX08X6C>; Thu, 3 Jul 1997 17:25:39 -0400
Message-ID: <3F8FEAE41F94D0119CE900805FFECA1201050F60@roc01bxgeisge.is.ge.com>
From: "Safier, Adam (GEIS)"
To: "Firewalls@GreatCircle. COM (E-mail)"
Subject: Re: Remote management of firewalls internationally
Date: Thu, 3 Jul 1997 17:25:31 -0400
X-Priority: 3
X-Mailer: Internet Mail Service (5.0.1458.49)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Essentially, you have several architectures (or combinations thereof) to
choose from. Most firewall vendors I know of offer a GUI management
interface of some sort with encrypted sessions to the FW. Most GUI's are
also limited in what they can configure so at some point during initial
setup you will need a telnet or console access - most FW's require at
least a little editing of some ASCII configuration files. The GUI's are OK
for most subsequent basic maintenance of the FW rules but don't help with
system admin very much, i.e. if your log files fill up the disk it's back
to telnet/console access. The telnet link can be encrypted. Most FW
installers don't like allowing telnet to the FW, especially from the
external interface, so you might need an internal node you connect to
first. It's really a good idea to have someone at the remote side that
can follow basic directions to hit the reset switch and even enter some
debug commands with your understanding and very patient guidance (or a sys
admin, though I've found cash register operators can be excellent
resources for remote control!)

Checkpoint's Firewall-1 takes things a step further - they break their
system into 3 parts, a gateway, a manager and a GUI. The GUI - Manager -
gateways links are encrypted. One manager can control several gateways and
the GUI can be run from several platforms. Gets to be fun. Below is a GUI
going through the FW gateway to the Manager station which comes back via
an encrypted link to control the gateway. If you screw up and cut off
access from your GUI you call someone and get them to log on the Manager
either from the Manager console or another workstation running the GUI
(GUI-2)

    GUI ******** FWGW ****** Manager ******** GUI-2
                  |*                  |*
    Telnet-----FWGW *********** FWGW

    * = encrypted data   - and | = unencrypted portion of telnet link.

The one problem I have with this is when you want to telnet it might not
be encrypted over parts of the link. You either need to provide special
secure telnet software OR run from the inside of another FW gateway, as in
the diagram above, in which case the local LAN portion of the telnet is in
the clear (might be OK if your policy says so and you don't want to change
it!).

FWGW to FWGW links can be encrypted and form the basis of a VPN (nothing
says they must.) The main issue you will run into is local laws about what
may or may not be encrypted. Even if you don't go into a encryption
controlling country (fat chance in Europe), take into consideration what
laws apply to traffic traversing but not stopping in a country where
encryption is banned.

Personally, I don't like the idea of setting up a dial up back door to
manage the FW even if it is encrypted but that is another option. I once
had the luxury of having a physically isolated private 10BaseT net
dedicated just for firewall management - no other type of traffic allowed,
but it's a rare luxury.

> A suggestion from a close and wise friend asked me to inquire about this:
>
>
> How can one remotely manage firewalls that are on the other side of the world?
> How can it be done? and done safely?

---------------
Adam Safier, Consultant
GE Information Services, Inc
401 North Washington St., Rockville, Md. 20850
Ph: 301-340-5737  8*273-5737
Adam.Safier@geis.ge.com
The opinions expressed may not be shared by my employer. I'm proud to
live in a country where I can express them.
---------------

From owner-firewalls-outgoing Thu Jul 3 17:49:21 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA19881 for firewalls-outgoing; Thu, 3 Jul 1997 07:45:25 -0700 (PDT)
Received: from gw.lsli.com (gw.lsli.com [206.50.87.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id HAA19872 for ; Thu, 3 Jul 1997 07:45:19 -0700 (PDT)
From: firstcat@lsli.com
Received: by gw.lsli.com id AA15091; Thu, 3 Jul 1997 09:48:13 -0500
Received: by lsli.com via smwrap Version 2.3 id smwrapJvEDIr; Thu Jul 3 09:47:47 1997
Date: Thu, 3 Jul 97 09:40:28
Subject: RE: Firewall on AIX
To:
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Livermore Software Labs has been building AIX firewalls since 1993. Give
us a call or visit our web site at http://www.lsli.com

Cheers
Jay

--- On Thu, 03 Jul 1997 10:10:01 +0200 "Gruppo ONS riunito S.p.A. (Società per Adulazione)" wrote:

>In 1, Jul, 1997 I wrote:
>...I've had some research on firewall on AIX, but I got very little.
>...I have some FAQ at the
>...http://www.checkpoint.com/opsec/Partners/memco/faq.html:
>
>...- 6. Which versions of FireWall-1 are compatible with SeOS Secured!
>...- For FireWall-1?
>
>...- SeOS Secured! For FireWall-1 is compatible with FireWall-1 version 2.1
>...- and version 3.0 for Solaris on Sun SPARC and x86. SunOS and HP-UX
>...- versions are currently in Beta testing and will be available soon. IBM ...AIX
>...- and Windows NT versions are in development.
>...It will be available until the third quarter of the year.
>
>Roger Rea replied to me:
>>From: Roger Rea
>>To:
>>Cc: <75816664@ITHVM03.vnet.ibm.com>
>>Subject: Fwd: Firewall on AIX
>>Date: Wed, 2 Jul 1997 17:30:11 -0400
>>
>>Gabriele.................Perhaps you have not looked at the current version of
>>the IBM Firewall. We are a much more complete firewall than other firewalls,
>>offering not only filtering architectures like Check Point, but also
>>Application Gateways and Circuit Level Gateways. So you get three firewalls in
>>one.
>
>PERHAPS YOU HAVEN'T LOOKED AT THE LAST 3 OR 4 VERSIONS OF THE CHECKPOINT
>FIREWALL.
>IT USES THE "STATEFUL INSPECTION" TECHNOLOGY TO FILTER ALL ISO LAYERS FROM
>THE NETWORK LAYER TO THE APPLICATION IN ONLY ONE PASS: THERE'S AN "INSPECT
>ENGINE" THAT USING DYNAMIC STATE TABLES ASSURES A FAST AND TRANSPARENT
>INSPECTION.
>
>>We also offer Network Address Translation, logging, alerting, a JAVA-based GUI
>>with pre-defined services and context sensitive help. We've had IPSEC tunnels
>>for several releases and have added in the current release client IPSEC
>>software at no additional charge. We offer the Network Security Auditor, which
>>allows you to scan the network for security weaknesses.
>>
>>You can learn more about the IBM Firewall for AIX V3.1 and download trial
>>software from our web site at: http:\\www.ics.raleigh.ibm.com\firewall
>
>THANK YOU FOR THE INFORMATION
>
>---------------------------------------------------------------
> Gabriele Faggioni
>
> Open Network Services - Security
> Cap Gemini Italia S.p.A.
> Via Lombroso, 54
> MILANO (ITALIA)
> http://www.sif.cgs.it
>
> mailto:gfaggion@sif.cgs.it
> tel. ++39 2 59924 420
> fax. ++39 2 59924 245

-----------------End of Original Message-----------------

-------------------------------------
Jay Lyall
Channel Sales Director
Livermore Software Laboratories, Intl.
2825 Wilcrest, Suite 160
Houston, Texas 77042-3358
1-713-974-3274
jay@lsli.com
Date: 7/3/97
668 - The Neighbor of the Beast
-------------------------------------

From owner-firewalls-outgoing Thu Jul 3 18:26:30 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA13642 for firewalls-outgoing; Thu, 3 Jul 1997 12:32:29 -0700 (PDT)
Received: from relay.rv.tis.com (relay.rv.tis.com [204.254.155.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id MAA13592 for ; Thu, 3 Jul 1997 12:32:15 -0700 (PDT)
Received: by relay.rv.tis.com; id PAA05599; Thu, 3 Jul 1997 15:34:57 -0400 (EDT)
Received: from dira.rv.tis.com(10.0.1.43) by relay.rv.tis.com via smap (4.0) id xma005554; Thu, 3 Jul 97 15:34:29 -0400
Received: (from meenoo@localhost) by dira.rv.tis.com (8.7.4/8.7.3) id PAA24574; Thu, 3 Jul 1997 15:33:20 -0400 (EDT)
Date: Thu, 3 Jul 1997 15:33:19 -0400 (EDT)
From: Meenoo Shivdasani
To: Ken Hardy
cc: firewalls@GreatCircle.COM
Subject: Re: global whois servers ??
In-Reply-To: <199707031612.LAA23825@binki.bridge.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 3 Jul 1997, Ken Hardy wrote:

> Does anyone know of a comprehensive list of whois server (or other
> means) for learning information about various domains around the world,
> such as contacts? Thanks.

http://kryten.eng.monash.edu.au/whois-servers.list has a pretty large list
of whois servers.

M
meenoo@tis.com
NOTE: I do not speak for my employer

From owner-firewalls-outgoing Thu Jul 3 18:41:15 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id QAA05426 for firewalls-outgoing; Thu, 3 Jul 1997 16:31:58 -0700 (PDT)
Received: from red6.cac.washington.edu (red6.cac.washington.edu [140.142.55.67]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id QAA05411 for ; Thu, 3 Jul 1997 16:31:48 -0700 (PDT)
Received: from localhost (dittrich@localhost) by red6.cac.washington.edu (8.8.4+UW97.04/8.8.4+UW97.04) with SMTP id QAA18315 for ; Thu, 3 Jul 1997 16:34:44 -0700
Date: Thu, 3 Jul 1997 16:34:43 -0700 (PDT)
From: Dave Dittrich
To: Firewalls@GreatCircle.COM
Subject: Re: Calling the Horde
In-Reply-To: <199707032233.PAA23522@honor.greatcircle.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Content-Transfer-Encoding: QUOTED-PRINTABLE
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Date: Thu, 3 Jul 1997 18:20:31 -0000
> From: hartmut.fehling@hamburg.netsurf.de
> Subject: Calling the Horde
>
> Hi,
>
> I just installed Checkpoint's Firewall-1 in a cascaded
> configuration with a proxy and could not detect any security holes
> myself using standard security scanners.
>
> In order to make a really tough test before I actually connect the
> gateway to our network, I could ask some people I know in the
> Underground to spread the IP-Address, maybe the HW/SW-Configuration
> and perhaps even the FW-1-Settings and invite the guys to try it out
> and break in (into the empty network behind it).
>
> Question: Is this a wise thing to do / Has anybody "invited" Hackers in
> such a fashion?

Probably not. I don't know about the laws in Germany, but to invite
someone into your network (especially if you aren't clear about when the
invitation is withdrawn) can give an attacker who later succeeds in
getting through the firewall a justifiable defense that would get them an
acquittal. I don't know the precedent, but the story is being bandied
about at security conferences about this occurring in a legal case. The
cracker's defense was, essentially, "the login message said, 'Welcome to
AIX' and so I had permission to come in."

You hear all the time to remove any "Welcome..." banners and instead warn
unauthorized users to leave and to warn everyone that keystrokes, files,
etc. may be monitored during investigations.

I'm not a lawyer, but I would definitely make any such invited tests be
done with signed documents stating what they are being invited to do,
when they can and can't attempt entry, and explicitly stating that any
attempts after the test is over will be prosecuted as real break-in
attempts.

--
Dave Dittrich                  Client Services
dittrich@cac.washington.edu    Computing & Communications
                               University of Washington

Dave Dittrich / dittrich@cac.washington.edu

From owner-firewalls-outgoing Thu Jul 3 19:35:28 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA15715 for firewalls-outgoing; Thu, 3 Jul 1997 17:23:44 -0700 (PDT)
Received: from marikit.iphil.net (marikit.iphil.net [203.176.0.4]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id RAA15659 for ; Thu, 3 Jul 1997 17:23:31 -0700 (PDT)
Received: from marikit.iphil.net (neil@marikit.iphil.net [203.176.0.4]) by marikit.iphil.net (8.8.5/8.8.5) with SMTP id IAA04228; Fri, 4 Jul 1997 08:26:23 +0800
Date: Fri, 4 Jul 1997 08:26:23 +0800 (HKT)
From: "Neil D. Quiogue"
To: Dirk Nerling
cc: firewalls@GreatCircle.COM
Subject: Re: need suggestion xntpd a security hole ???
In-Reply-To: <3.0.32.19970703163433.00ba9100@tgate.pdv.de>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 3 Jul 1997, Dirk Nerling wrote:

> I plan to update the time of our internal net from
> an Internet Time Server on a regular basis. Does
> anybody of you know something about the xntpd?
>
> Any intrusion listed? What do the experts suggest?

I've read/heard of no intrusions based on xntp. Of course, it also
depends on the implementation of xntp (i.e., the version and platform).
Usually, the ntp server (of some stratum) is placed in the bastion host
which hopefully would be secured 'enough'.

[---]
Neil D. Quiogue
IPhil Communications Network, Inc.
e-mail: neil@iphil.net

From owner-firewalls-outgoing Thu Jul 3 19:40:46 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id QAA10622 for firewalls-outgoing; Thu, 3 Jul 1997 16:58:54 -0700 (PDT)
Received: from marikit.iphil.net (marikit.iphil.net [203.176.0.4]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id QAA10613 for ; Thu, 3 Jul 1997 16:58:47 -0700 (PDT)
Received: from marikit.iphil.net (neil@marikit.iphil.net [203.176.0.4]) by marikit.iphil.net (8.8.5/8.8.5) with SMTP id IAA03988; Fri, 4 Jul 1997 08:01:42 +0800
Date: Fri, 4 Jul 1997 08:01:42 +0800 (HKT)
From: "Neil D. Quiogue"
To: hartmut.fehling@hamburg.netsurf.de
cc: Firewalls@GreatCircle.COM
Subject: Re: Calling the Horde
In-Reply-To: <19970703181733.hartmut.fehling@hamburg.netsurf.de>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 3 Jul 1997 hartmut.fehling@hamburg.netsurf.de wrote:

> In order to make a really tough test before I actually connect the gateway
> to our network, I could ask some people I know in the Underground to spread
> the IP-Address, maybe the HW/SW-Configuration and perhaps even the
> FW-1-Settings and invite the guys to try it out and break in (into the
> empty network behind it).
>
> Question: Is this a wise thing to do / Has anybody "invited" Hackers in
> such a fashion?

Check the legalities of this 'breaking' session. There are companies which
have security policies that do not allow this. And I think it is bad
practice to do this since the information would cascade throughout the
underground community. Why not try to do this yourself? In security
parlance, do not trust anyone.

[---]
Neil D. Quiogue
IPhil Communications Network, Inc.
e-mail: neil@iphil.net

From owner-firewalls-outgoing Thu Jul 3 19:49:19 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA19819 for firewalls-outgoing; Thu, 3 Jul 1997 17:43:05 -0700 (PDT)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id RAA19484 for ; Thu, 3 Jul 1997 17:41:30 -0700 (PDT)
Received: from proxy.colesmyer.com.au ([203.5.145.8]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with ESMTP id RAA05810 for ; Thu, 3 Jul 1997 17:39:49 -0700 (PDT)
Received: from mercury.smkts.colesmyer.com.au ([172.16.49.23]) by proxy.colesmyer.com.au (8.7.5/8.7.3) with SMTP id KAA20909 for ; Fri, 4 Jul 1997 10:43:07 +1000 (EST)
Received: by mercury.smkts.colesmyer.com.au with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52) id <01BC8866.58DCAC30@mercury.smkts.colesmyer.com.au>; Fri, 4 Jul 1997 10:38:01 +1000
Message-ID:
From: Phil Burg
To: "'firewalls@greatcircle.com'"
Subject: another Citrix Winframe query
Date: Fri, 4 Jul 1997 10:38:09 +1000
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

G'day all

My apologies if this has been discussed before; I searched the archives
but couldn't find this problem.

Some of my users want to connect, through our firewall, to a third-party
winframe server. The client PCs will be connected to our LAN at the same
time as the remote server. I'm wondering if there's a known exposure in
the Winframe client software that would allow the client PCs to be
compromised ?

regards
Phil
--
Phil Burg
Technical Analyst
Information Systems Security
Coles Myer Ltd
(03) 9483 7613

From owner-firewalls-outgoing Thu Jul 3 20:04:13 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id SAA03426 for firewalls-outgoing; Thu, 3 Jul 1997 18:42:38 -0700 (PDT)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id SAA03169 for ; Thu, 3 Jul 1997 18:41:29 -0700 (PDT)
Received: from kani.wwa.com (kani.wwa.com [198.49.174.58]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with SMTP id SAA06943 for ; Thu, 3 Jul 1997 18:33:51 -0700 (PDT)
Received: from nicorinc.com/smtp.nicorenergy.com [207.241.20.98] by kani.wwa.com with smtp (Smail3.2.WWA) id m0wjxD6-003o5sC; Thu, 3 Jul 1997 20:31:03 -0500 (CDT)
Received: from DOMAINGO-Message_Server by nicorinc.com with Novell_GroupWise; Thu, 03 Jul 1997 20:30:55 -0500
Message-Id:
X-Mailer: Novell GroupWise 4.1
Date: Thu, 03 Jul 1997 20:30:39 -0500
From: LARRY HUNKA
Reply-To: LHunka@nicorinc.com
To: Firewalls@GreatCircle.COM
Subject: Firewalls-Digest V6 #314 -Reply
Mime-Version: 1.0
Content-Type: text/plain
Content-Disposition: inline
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'll be out of the office until 7/7/97. I'll respond at that time...
From owner-firewalls-outgoing Thu Jul 3 20:19:47 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id TAA15224 for firewalls-outgoing; Thu, 3 Jul 1997 19:37:55 -0700 (PDT) Received: from alpha2.curtin.edu.au (alpha2.curtin.edu.au [134.7.70.20]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id TAA15175 for ; Thu, 3 Jul 1997 19:37:40 -0700 (PDT) Received: from rara24.curtin.edu.au (rara24.curtin.edu.au) by alpha2.curtin.edu.au (PMDF V5.0-6 #7809) id <01IKU3U5HUUOBB7VHO@alpha2.curtin.edu.au>; Fri, 04 Jul 1997 10:42:45 +0800 Date: Fri, 04 Jul 1997 10:41:54 +0800 From: Bret Watson Subject: Re: Microsoft plans to offer a firewall In-reply-to: <33BB53E7.583F@pacificnet.net> X-Sender: climbing@skuld.cage.curtin.edu.au To: osiris@pacificnet.net Cc: firewalls@GreatCircle.com Message-id: MIME-version: 1.0 Content-type: text/plain; charset="us-ascii" Content-transfer-encoding: 7BIT References: <199707030318.XAA11240@kiri.meretrix.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >C&L claim that the product withstood attacks from "...well-known and ... >"may" present some security issues. Let me repeat that: IP forwarding >MAY present some security issues. > Sounds like a normal netowrk audit report, in otherwords - it stopped all our tests, but a new test might come up tomorrow or you might change anything on the system and that might let something through. I love IT audit reports - they try so hard to dodge committing to anything that they end up not worth the paper they are printed on. I have to admit I'm gulty too - the last ISS scan I did for C&L had a restricted scope (decided by the client) and thus was inconclusive - so I just covered my ass like there was no tomorrow. But think about it - most new proxy servers will resist ISS without a drama - why? because ISS uses known attacks on known services - we don't know the attacks on MSP yet - but I'm sure they're out there. 
Cheers, Bret Bret Watson & Associates, Computer Security Consultants Bret.Watson@bwa.net http://www.bwa.net/ Phone: +61 41 4411 149 (local time UTC +8) Fax: +61 8 9454 6042 From owner-firewalls-outgoing Thu Jul 3 21:04:11 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id TAA16171 for firewalls-outgoing; Thu, 3 Jul 1997 19:44:17 -0700 (PDT) Received: from alpha2.curtin.edu.au (alpha2.curtin.edu.au [134.7.70.20]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id TAA16141 for ; Thu, 3 Jul 1997 19:44:04 -0700 (PDT) Received: from rara24.curtin.edu.au (rara24.curtin.edu.au) by alpha2.curtin.edu.au (PMDF V5.0-6 #7809) id <01IKU430T6W0BB7UQ0@alpha2.curtin.edu.au>; Fri, 04 Jul 1997 10:49:14 +0800 Date: Fri, 04 Jul 1997 10:48:38 +0800 From: Bret Watson Subject: Re: need suggestion xntpd a security hole ??? In-reply-to: <3.0.32.19970703163433.00ba9100@tgate.pdv.de> X-Sender: climbing@skuld.cage.curtin.edu.au To: Dirk Nerling Cc: firewalls@GreatCircle.com Message-id: MIME-version: 1.0 Content-type: text/plain; charset="us-ascii" Content-transfer-encoding: 7BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Dirk, >I plan to update the time of our internal net from >an Internet Time Server on a regular basis. Does >anbody of you know something about the xntpd? > >Any intrusion listed? What do the experts suggest? NTP when not set up properly does provide a very big problem - basically an intruder can spoof the NTP packets and change timing within your network - thus doing things like hashing your logs. XNTPD can be set up to be safe. i. fully utilise the voting system - find at least 6 NTP servers (secondaries or above) that are geographically distant - I use one in france, in in Switzerland, one in Aust, one in NZ and one in Japan. ii. if you can get a DES library and rebuild XNTPD with it - there is a setting for it to use DES to authenticate - the auth is quite strong as it is effectively a one-time pad system. 
Most primaries will permit DES auth and some secondaries. The first item makes it very hard to spoof the packets, the second makes it impossible. Cheers, Bret Bret Watson & Associates, Computer Security Consultants Bret.Watson@bwa.net http://www.bwa.net/ Phone: +61 41 4411 149 (local time UTC +8) Fax: +61 8 9454 6042 From owner-firewalls-outgoing Thu Jul 3 21:19:12 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id UAA04091 for firewalls-outgoing; Thu, 3 Jul 1997 20:59:52 -0700 (PDT) Received: from x11.boston.juno.com (x11.boston.juno.com [205.231.100.26]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id UAA03872 for ; Thu, 3 Jul 1997 20:58:56 -0700 (PDT) Received: (from wiseleo@juno.com) by x11.boston.juno.com (queuemail) id AuL08396; Fri, 04 Jul 1997 00:01:35 EDT To: DECkedout@hotmail.com Cc: firewalls@GreatCircle.COM Date: Thu, 3 Jul 1997 20:50:08 -0700 Subject: Re: ICQ network Message-ID: <19970703.205644.15886.0.wiseleo@juno.com> References: <33BB6919.7FB6@hotmail.com> X-Mailer: Juno 1.38 X-Juno-Line-Breaks: 0-1,3-4,6-9,11-12,16-17,19-20,22-26,28,30-31,33-42 From: wiseleo@juno.com (Leonid S Knyshov) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi everyone, I believe we have a lot to worry about... Random incoming ports and stuff... Some good news, Java version of ICQ is due soon, meaning it can be disassembled with strace and similar tools and we will see the light :) That makes it truly cross-platform product *sigh*. Win/Mac World are no longer the only victims... I don't want any unchecked binary code on a UNIX machine... Try unrestricted file transfers in-bound and out-bound. Via ICQ file transfer feature. Or send URL, I believe that might invite you to a site where a CGI will check your information, hand you a Java applet and... Or even exploit that famous IE/Netscape collection of bugs... You see the possibilities? 
Add to that remote launch of programs (Netscape Conference for example), video games (Quake) etc... Thanks to Mirabilis for such a great product, but the specs are necessary to evaluate the threat... That's all for now, stay tuned :) *** Leonid Knyshov AKA Wise_One http://kiassociates.com/computerhelp http://kiassociates.com/computerhelp/personal For file attachments please use wiseleo@hotmail.com and send a note about it here :) On Thu, 03 Jul 1997 05:05:45 -0400 DECkedout writes: >That is the best idea i've heard of yet. I'd like them to see if they >can handle the rigors of releasing queastionable software and trying >to >get it patented... I sure have a few questions of my own. >Personally, >my bet is that they stay out of the spotlight until they become >commercial, then they don't have to release anything accept technical >support for morons. Well folks, let's see who joins the party. >-DECkedout From owner-firewalls-outgoing Thu Jul 3 21:49:45 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id VAA07499 for firewalls-outgoing; Thu, 3 Jul 1997 21:17:56 -0700 (PDT) Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id UAA03903 for ; Thu, 3 Jul 1997 20:59:05 -0700 (PDT) Message-Id: <199707040359.UAA03903@honor.greatcircle.com> Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA122078350; Fri, 4 Jul 1997 13:52:31 +1000 From: Darren Reed Subject: Re: IP Filters? To: montenegro@nutec.com.br (Fernando da Silveira Montenegro) Date: Fri, 4 Jul 1997 13:52:30 +1000 (EST) Cc: Firewalls@GreatCircle.COM In-Reply-To: <9707030835.aa04683@canario.nutec.com.br> from "Fernando da Silveira Montenegro" at Jul 3, 97 08:42:35 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In some mail from Fernando da Silveira Montenegro, sie said: > > Hello all! 
> > What seems to be the general consensus on how many filtering rules one can > configure on a router without imposing a noticeable performance penalty: > 10? 50? 100? That's the wrong way to think about it. If you're even considering performance, then 0 rules is the number to use. If you're serious about your security, you use as many rules as required to safely secure your network, irrespective of performance problems (which should be addressed through other means, such as faster hardware), at your router. This might mean you just block spoofing attacks, with your firewall providing further security for applications, etc. darren From owner-firewalls-outgoing Thu Jul 3 22:19:36 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA21015 for firewalls-outgoing; Thu, 3 Jul 1997 08:02:19 -0700 (PDT) Received: from cih-gw.cih.com (cih-gw.cih.com [204.69.206.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA21007 for ; Thu, 3 Jul 1997 08:02:12 -0700 (PDT) Received: (from mail@localhost) by cih-gw.cih.com (8.7.6/8.6.9) id LAA16513; Thu, 3 Jul 1997 11:05:51 -0400 X-Authentication-Warning: cih-gw.cih.com: mail set sender to using -f Received: from cih-gw.cih.com(204.69.206.1) via SMTP by cih-gw.cih.com, id smtpd16511aaa; Thu Jul 3 15:05:45 1997 Date: Thu, 3 Jul 1997 11:05:45 -0400 (EDT) From: "Craig I. Hagan" Reply-To: hagan@cih.com To: "osiris@pacificnet.net" cc: "Kelly E. Gibbs" , Anton J Aylward , firewalls@GreatCircle.COM Subject: Re: Microsoft plans to offer a firewall In-Reply-To: <33BAD0BD.4399@pacificnet.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > Throughout M$'s wonderful climb to dominate the world, where's the > > Justice Department? I wonder if Janet Reno uses '95? Wonder if she owned > > share's of Apple stock in the past? > > Ahhh...there are other possibilities. Here's the most likely: > > A. 
The folks in the Antitrust division are cowards; or > B. Their lawyers (DOJ) don't understand Antitrust law enough to pull it > off. or they are nervous that they will get nailed by a harassment suit since they blew the last anti-trust suit one. They will need to get a _lot_ more evidence for a retry if they want a chance in hell. If they blow a second go at it, you can count on a third being HIGHLY unlikely. > But, that's academic, because the DOJ - for whatever reason - has failed > (and will continue to fail) in challenging M$. I look at the alternatives, we should at least be grateful that M$ is a US company and not some foreign conglomerate. It is unfortunate that SUN still hasn't been able to figure out how to compete with microsoft. Apple may have, however, i think that it is too late for them. The biggest thing in common with the two is that they need to transition from h/w to software or they are in BIG trouble as more and more of their lines become commodity products -- for sun, anything short of the enterprise class is within firing range of compaq and the rest of the herd. As for an M$ firewall, I'm sure that it will pale in comparison to anything, including something that people on this list could whip in their spare time. However, microsoft has proven time and time again that they aren't a software company, but a business which is intent on making money in any market niche they can find. For this reason, i intend on having at least a passing familiarity with their product because i'm convinced that the M$ name will mean more to people than the quality or capabilities of the software. Now for a big legal question: what sort of liability does a firewall vendor assume if they are responsible for the full gamut of installation of the machine and configuration against the local security policy? What if a product defect caused a breach of security for a company which resulted in secret/sensitive data being put all over the internet? 
Could it be that f/w vendors, should their product have an inherent weakness, are placing themselves at legal risk? Or could the strategy be "Hey, look, if they breach the firewall the OS crashes!" Makes me wonder. -- craig ------------------------------------------------------------------------------- Craig I. Hagan "It's a small world, but I wouldn't want to back it up" hagan@cih.com "True hackers don't die, their ttl expires" "It takes a village to raise an idiot, but an idiot can raze a village" Stop the spread of spam, use a sendmail condom! http://www.cih.com/~hagan/smtpd-hacks From owner-firewalls-outgoing Thu Jul 3 22:49:36 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id WAA29122 for firewalls-outgoing; Thu, 3 Jul 1997 22:46:03 -0700 (PDT) Received: from gw.research.megasoft.com (gw.research.megasoft.com [206.230.35.93]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id WAA29105 for ; Thu, 3 Jul 1997 22:45:53 -0700 (PDT) Received: (from uucp@localhost) by gw.research.megasoft.com (8.7.5/8.7.3-cmcurtin) id CAA17456; Fri, 4 Jul 1997 02:01:19 -0400 (EDT) Received: from goffette.research.megasoft.com(192.168.1.2) by gw.research.megasoft.com via smap (V2.0) id xma017454; Fri, 4 Jul 97 02:01:05 -0400 Received: (from cmcurtin@localhost) by goffette.research.megasoft.com (8.8.5/8.8.5) id BAA27050; Fri, 4 Jul 1997 01:45:53 -0400 (EDT) Date: Fri, 4 Jul 1997 01:45:53 -0400 (EDT) Message-Id: <199707040545.BAA27050@goffette.research.megasoft.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit From: C Matthew Curtin To: Robert Laird Cc: Firewalls@GreatCircle.COM Subject: Re: Slightly Off Topic: A security issue In-Reply-To: <97Jul3.145853cdt.36914@igate.panenergy.com> References: <97Jul3.145853cdt.36914@igate.panenergy.com> X-Mailer: VM 6.22 under 19.15 XEmacs Lucid
>>>> "Robert" == Robert Laird writes: Robert> Since my new Web server is going to sit outside the firewall, Robert> I'm wondering if MS IIS or Netscape's Enterprise is "more Robert> secure" than the other? Given that even Microsoft has been having trouble keeping their site up and running due to people exploiting IIS and/or NT bugs, I'm inclined to believe that Microsoft's software is likely to be lower in quality than Netscape's. Also consider that Microsoft has been in "catch-up" mode for quite some time, ever since they decided that they needed to have an "internet strategy" (whatever that is). So, they're in a hurry to get stuff out the door, and are unlikely to hold up progress by doing things like extensive debugging. Further, Microsoft just isn't used to writing software that runs on untrusted networks, and the problems with their own web site seem a pretty good indication of their scalability and ability to resist attack. I like Netscape's servers quite a lot, and recommend them to someone who is looking for a commercial solution to their problem, or just can't edit configuration files for some reason to make a web server come up... Having said that, I'll add that my favorite web server is Apache. It's got full source code availability, and has lots of people looking it over. Bugs are much more likely to be discovered and fixed in that sort of product than in anything where source is not available. Further, it's darn, darn fast, easy to configure and maintain, and it's free. Run it on a FreeBSD machine, and then see how Microsoft can claim that their almost-half-as-cool stuff can keep up, or come in at 1/3 the price...
http://www.apache.org/ http://www.freebsd.org/ -- Matt Curtin Chief Scientist Megasoft Online cmcurtin@research.megasoft.com http://www.research.megasoft.com/people/cmcurtin/ I speak only for myself Pull AGIS.NET's plug! DES has fallen! http://www.frii.com/~rcv/deschall.htm From owner-firewalls-outgoing Fri Jul 4 00:04:53 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA16008 for firewalls-outgoing; Thu, 3 Jul 1997 23:56:53 -0700 (PDT) Received: from mail2.isdnet.net (mail2.hol.fr [194.149.160.36]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id XAA15961 for ; Thu, 3 Jul 1997 23:56:43 -0700 (PDT) Received: from supervision.netsource.fr ([194.51.214.22]) by mail2.isdnet.net (8.8.5/Havas On Line) with SMTP id IAA13237 for ; Fri, 4 Jul 1997 08:59:45 +0200 (MET DST) Message-ID: <33BCA146.7059@hol.fr> Date: Fri, 04 Jul 1997 09:07:50 +0200 From: renouf X-Mailer: Mozilla 3.01-NSCP (Win95; I) MIME-Version: 1.0 To: Firewalls@GreatCircle.COM Subject: (no subject) Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk remove From owner-firewalls-outgoing Fri Jul 4 00:19:57 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id AAA17821 for firewalls-outgoing; Fri, 4 Jul 1997 00:06:27 -0700 (PDT) Received: from marikit.iphil.net (marikit.iphil.net [203.176.0.4]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id AAA17706 for ; Fri, 4 Jul 1997 00:05:55 -0700 (PDT) Received: from marikit.iphil.net (neil@marikit.iphil.net [203.176.0.4]) by marikit.iphil.net (8.8.5/8.8.5) with SMTP id PAA09672; Fri, 4 Jul 1997 15:08:36 +0800 Date: Fri, 4 Jul 1997 15:08:36 +0800 (HKT) From: "Neil D. Quiogue" To: Bret Watson cc: Dirk Nerling , firewalls@GreatCircle.COM Subject: Re: need suggestion xntpd a security hole ??? 
In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 4 Jul 1997, Bret Watson wrote: > i. fully utilise the voting system - find at least 6 NTP servers > (secondaries or above) that are geographically distant - I use one in > France, one in Switzerland, one in Aust, one in NZ and one in Japan. This suggestion would also make your system fault-tolerant to time server downtime due to differences both in domain and geography. It is also a good idea to have at least two local NTP servers to accommodate local server downtime with the two peering one another. [---] Neil D. Quiogue IPhil Communications Network, Inc. e-mail: neil@iphil.net From owner-firewalls-outgoing Fri Jul 4 00:34:23 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id AAA20642 for firewalls-outgoing; Fri, 4 Jul 1997 00:23:48 -0700 (PDT) Received: from majestix.skp.de (majestix.skp.de [194.163.133.195]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id AAA20591 for ; Fri, 4 Jul 1997 00:23:37 -0700 (PDT) Received: from steve (dhcp004 [192.168.0.24]) by majestix.skp.de (8.7.5/8.7.3) with SMTP id IAA09750; Fri, 4 Jul 1997 08:34:36 +0200 Message-Id: <199707040634.IAA09750@majestix.skp.de> Date: Fri, 04 Jul 1997 09:26:38 +0100 To: Derek Pokorny From: Stefan Farsch Cc: Subject: Re: In-Reply-To: <199707010527.HAA07033@majestix.skp.de> References: <199707010527.HAA07033@majestix.skp.de> MIME-Version: 1.0 Content-Type: text/plain Content-Transfer-Encoding: 7bit X-Mailer: Becky! ver 1.20 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > remove > Your 'remove' command has been disabled. Try again with another trick.
------------ From owner-firewalls-outgoing Fri Jul 4 04:05:01 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id DAA23998 for firewalls-outgoing; Fri, 4 Jul 1997 03:53:54 -0700 (PDT) Received: from psyche.the-wire.com (psyche.the-wire.com [198.53.192.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id DAA23991 for ; Fri, 4 Jul 1997 03:53:47 -0700 (PDT) Received: from anton.the-wire.com (anton.the-wire.com [205.206.32.227]) by psyche.the-wire.com (8.8.6/8.6.12) with SMTP id GAA23434; Fri, 4 Jul 1997 06:56:35 -0400 (EDT) Message-Id: <3.0.32.19970703212853.007cdda0@the-wire.com> X-Sender: anton@the-wire.com X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Fri, 04 Jul 1997 06:57:34 -0400 To: Nick Simicich , Fernando da Silveira Montenegro From: Anton J Aylward Subject: Re: IP Filters? Cc: Firewalls@GreatCircle.COM Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 05:28 PM 03/07/97 -0400, Nick Simicich wrote: ## Reply Start ## >One client reported enormous degradation on high volume applications with >even one filter rule. > >On Thu, 3 Jul 1997, Fernando da Silveira Montenegro wrote: > >> >> What seems to be the general consensus on how many filtering rules one can >> configure on a router without imposing a noticeable performance penalty: >> 10? 50? 100? Have a look at the Network Systems BorderGuard series of routers. They were designed as security filters, use Andrew Molitor's advanced filter language, and DON'T DEGRADE as the filters are applied. /anton ## Reply End ## -------------------------------------------------------------------------- Anton J Aylward | Security is not something that comes in The Strahn & Strachan Group Inc | a self-contained box. It is an attribute Information Security Consultants | of how you do business and as such Voice: (416) 494-8661 | needs to be managed carefully.
Fax: (416) 494-8803 | - Karen Goertzel, Wang Federal Inc. From owner-firewalls-outgoing Fri Jul 4 06:19:18 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA04669 for firewalls-outgoing; Fri, 4 Jul 1997 06:07:42 -0700 (PDT) Received: from dns2.infocom.etecsa.cu (infocom.etecsa.cu [169.158.64.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id GAA04630 for ; Fri, 4 Jul 1997 06:07:27 -0700 (PDT) Received: by dns2.infocom.etecsa.cu (Smail3.1.28.1 #3) id m0wk87q-0000JiC; Fri, 4 Jul 97 09:10 EDT Received: from manati.in.etecsa.cu by mail.infocom.etecsa.cu with SMTP id XXXXXXXX-Xa19955; Fri, 04 Jul 97 09:10 EDT Received: by manati.in.etecsa.cu (Smail3.1.28.1 #3) id m0wk87p-0003VqC; Fri, 4 Jul 97 09:10 EDT Message-Id: To: firewalls@greatcircle.com Date: Fri, 4 Jul 1997 09:10:12 -0400 (EDT) From: Asley Lugo Avila X-Mailer: ELM [version 2.4 PL13] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk remove From owner-firewalls-outgoing Fri Jul 4 06:34:25 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA04906 for firewalls-outgoing; Fri, 4 Jul 1997 06:11:54 -0700 (PDT) Received: from lint.cisco.com (lint.cisco.com [171.68.223.44]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id GAA04899 for ; Fri, 4 Jul 1997 06:11:47 -0700 (PDT) Received: from big-dawgs.cisco.com (herndon-dhcp-109.cisco.com [171.68.53.109]) by lint.cisco.com (8.8.5/CISCO.SERVER.1.2) with SMTP id GAA00171; Fri, 4 Jul 1997 06:14:18 -0700 (PDT) Message-Id: <3.0.1.32.19970704091416.006dc930@lint.cisco.com> X-Sender: pferguso@lint.cisco.com X-Mailer: Windows Eudora Pro Version 3.0.1 (32) Date: Fri, 04 Jul 1997 09:14:16 -0400 To: Brian Mitchell From: Paul Ferguson Subject: Re: IP Filters? 
Cc: Firewalls@GreatCircle.COM In-Reply-To: References: <9707030835.aa04683@canario.nutec.com.br> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 03:00 PM 07/03/97 -0400, Brian Mitchell wrote: > >Denial of services attacks are essentially impossible to defeat. They will >always be there in one form or another. > While that is true to some extent, there are certainly things one can do which help protect to a degree. There are several different versions of DoS attacks, but the ones which have been used predominantly are the TCP SYN and UDP flooding attacks. What these two attacks share is that they have been known to be launched by attackers using bogus source addresses, addresses which are not found in the global routing system. TCP SYN attacks which use this methodology can be thwarted using a TCP 'intercept', a TCP proxy which will not complete the TCP three-way handshake unless the originator of the TCP connection is reachable in the routing table. However, there is a more insidious form of this attack which uses random, bogus source addresses which *can* be found in the global routing system, so that a return path is available to complete the initial TCP three-way handshake. This has the unfortunate side-effect of not only affecting the initial target, but also an unwary third-party to whom the bogus addresses used actually belong. The same holds true for UDP flooding; however, there is no effective mechanism to proxy UDP since it is connectionless. The most effective method of minimizing the threat of DoS is to use fairly extensive traffic access-filters to protect services which do not need to be opened up for public connectivity. Also, host computer vendors have significantly strengthened their platforms and operating systems against these types of attacks by reducing the time-wait state for half-open TCP connections, as well as increasing the number of connection buffers in the stack.
I would suggest that anyone concerned about this issue contact their OS vendor to ask about patches which correct these deficiencies. These, in conjunction with TCP Intercept and ingress traffic filtering, provide a reasonable amount of protection. Of course, ICMP traffic can be blocked altogether using traffic filters, and is usually a pretty smart idea to do so at the border router. Note: ingress traffic filtering is a concept of filtering traffic leaving your administrative domain so that only traffic which is announced via routing (e.g. BGP) is allowed to exit your routing domain. This does nothing to protect you from an attack, but it does disallow downstream users from launching attacks using nonexistent source addresses. I have an I-D (Internet Draft) which is now expired on the topic, which I plan to update and resubmit prior to Munich/IETF. ftp://ds.internic.net/internet-drafts/draft-ferguson-ingress-filtering-02.txt - paul -- Paul Ferguson || || Consulting Engineering || || Herndon, Virginia USA |||| |||| tel: +1.703.397.5938 ..:||||||:..:||||||:..
e-mail: pferguso@cisco.com c i s c o S y s t e m s From owner-firewalls-outgoing Fri Jul 4 06:49:24 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA09700 for firewalls-outgoing; Fri, 4 Jul 1997 06:46:57 -0700 (PDT) Received: from ee.net (ee.net [206.31.38.3]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id GAA09457 for ; Fri, 4 Jul 1997 06:46:18 -0700 (PDT) Received: from squirrel (modem27.columbus.ee.net [206.222.0.27]) by ee.net (8.8.5/8.8.5) with SMTP id JAA26126 for ; Fri, 4 Jul 1997 09:49:59 -0400 (EDT) Message-Id: <3.0.1.32.19970704101812.0069d66c@ee.net> X-Sender: clydew@ee.net X-Mailer: Windows Eudora Light Version 3.0.1 (32) Date: Fri, 04 Jul 1997 10:18:12 -0400 To: firewalls@GreatCircle.COM From: Clyde Williamson Subject: Remote Management Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk -----BEGIN PGP SIGNED MESSAGE----- I'm looking for software that will allow me through the firewall to see what's going on at my client's site, or even getting the info right from the firewall would work. I need something that can check security, broken links etc. It would also be great if it could pull demographics as well. Is there anything out currently that would work? Prefer UNIX based solution. -----BEGIN PGP SIGNATURE----- Version: PGP for Personal Privacy 5.0 Charset: noconv iQEVAwUBM70GEseWPtttGqZhAQFDeAf/ax5ISTo08dAheQvAJhRzESlaOdv8m+kk 39zBcxhCpzmWsSMl4QZ1WoAvev9bKNdHIiJkcG0pHmznF2HMk/uE2mlV1di9PAoi R8CuPbPzpzCyJ1zplIvy2rKLzASWEfqsPHjmdjWFW1l6ji0yq63gxibfmCOmi1qM aipbrc+Va+vWBpPPhyGsNXpjEnmkeA5FUTS5g4EBm2rcDDtR2QutbscmpmISIDCv FmX3/Bly1G5rDQq+8VPom6T6kK3gCvbYu6K5D7DTuUQmxcrnWSsTIhj442hB3Cei vhbeqlFLHEU0kzXQf5yGhHE+LTO7kMn04/c6CaYwWe0lF7TlxuO9/g== =boGA -----END PGP SIGNATURE----- Clyde Williamson PGP Public Key found at http://users1.ee.net/clydew/pgp.htm We cracked DES!!!
http://www.frii.com/~rcv/deschall.htm Member of "The Interhack Posse!! From owner-firewalls-outgoing Fri Jul 4 09:04:24 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA22744 for firewalls-outgoing; Fri, 4 Jul 1997 08:51:09 -0700 (PDT) Received: from mailserver.di.unipi.it (memphis.di.unipi.it [131.114.4.6]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA22737 for ; Fri, 4 Jul 1997 08:50:49 -0700 (PDT) Received: from 131.114.4.36.di.unipi.it (ciop.cnuce.cnr.it [131.114.1.247]) by mailserver.di.unipi.it (8.8.5/8.7.3) with SMTP id RAA24218; Fri, 4 Jul 1997 17:49:19 +0200 (MET DST) Message-ID: <33BCFDA4.5ACB@di.unipi.it> Date: Fri, 04 Jul 1997 15:41:56 +0200 From: Claudio Telmon Reply-To: claudio@DI.Unipi.IT Organization: Dipartimento di Informatica, Universita' di Pisa, Italy X-Mailer: Mozilla 3.01 (Win95; I) MIME-Version: 1.0 To: Bret Watson CC: Dirk Nerling , firewalls@GreatCircle.COM Subject: Re: need suggestion xntpd a security hole ??? References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Bret Watson wrote: > XNTPD can be set up to be safe. > i. fully utilise the voting system - find at least 6 NTP servers > (secondaries or above) that are geographically distant - I use one in > France, one in Switzerland, one in Aust, one in NZ and one in Japan. > ii. if you can get a DES library and rebuild XNTPD with it - there is a > setting for it to use DES to authenticate - the auth is quite strong as it > is effectively a one-time pad system. Most primaries will permit DES auth > and some secondaries. > > The first item makes it very hard to spoof the packets, the second makes it > impossible. Note that if somebody wants to attack you, they could first try to attack your ISP. In this case, they could spoof all your NTP servers at the same time, wherever they are.
I don't know the NTP authentication system, but probably it isn't a real one-time pad (probably it will eventually cycle). It could nevertheless be an adequate protection. ciao - Claudio From owner-firewalls-outgoing Fri Jul 4 09:49:37 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA25500 for firewalls-outgoing; Fri, 4 Jul 1997 09:33:46 -0700 (PDT) Received: from shell.firehouse.net (shell.firehouse.net [209.42.203.45]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id JAA25483 for ; Fri, 4 Jul 1997 09:33:39 -0700 (PDT) Received: from localhost (brian@localhost) by shell.firehouse.net (8.8.5/8.8.5) with SMTP id MAA07054; Fri, 4 Jul 1997 12:36:41 -0400 (EDT) Date: Fri, 4 Jul 1997 12:36:38 -0400 (EDT) From: Brian Mitchell To: Paul Ferguson cc: Firewalls@GreatCircle.COM Subject: Re: IP Filters? In-Reply-To: <3.0.1.32.19970704091416.006dc930@lint.cisco.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 4 Jul 1997, Paul Ferguson wrote: > At 03:00 PM 07/03/97 -0400, Brian Mitchell wrote: > > > > >Denial of services attacks are essentially impossible to defeat. They will > >always be there in one form or another. > > > > > The most effective method of minimizing the threat of DoS > is to use fairly extensive traffic access-filters to protect > services which do not need to be opened up for public > connectivity. Also, host computer vendors have significantly > strengthened their platforms and operating systems against > these types of attacks by reducing the time-wait state for > half-open TCP connections, as well as increased the number > of connection buffers in the stack. I would suggest that > anyone concerned about this issue contact their OS vendor > to ask about patches which correct these deficiencies.
> These, in conjunction with TCP Intercept and ingress > traffic filtering, provides a reasonable amount of > protection. Any public service can be used as an attack though. You allow www out? Great, flood target user with src port 80 traffic, ack bit set. DPF technology can help significantly here, but one has to wonder if the time involved to stop a given attack is not greater than the potential risk. If someone wants to perform a denial of services attack against you badly enough, there is a good chance they will do it - and succeed - at least, this is true for the average company. > > Of course, ICMP traffic can be blocked altogether using > traffic filters, and is usually a pretty smart idea to > do so at the border router. Unfortunately, tools such as traceroute and ping are useful, so allowing port_unreach (which unfortunately, opens you up to some denial of services holes on older boxes), echo_reply, and time_exceeded might be a good idea. Brian Mitchell brian@firehouse.net "BSD code sucks. Of course, everything else sucks far more." - Theo de Raadt From owner-firewalls-outgoing Fri Jul 4 10:05:34 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA25899 for firewalls-outgoing; Fri, 4 Jul 1997 09:38:12 -0700 (PDT) Received: from homer.dejanews.com (homer.dejanews.com [205.238.143.161]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id JAA25888 for ; Fri, 4 Jul 1997 09:38:05 -0700 (PDT) Received: from byers.dejanews.com (byers.dejanews.com [205.238.143.212]) by homer.dejanews.com (8.7.6/8.6.12) with ESMTP id LAA12976; Fri, 4 Jul 1997 11:41:11 -0500 (CDT) Received: from byers.dejanews.com (localhost.dejanews.com [127.0.0.1]) by byers.dejanews.com (8.7.5/8.6.12) with ESMTP id LAA16103; Fri, 4 Jul 1997 11:41:11 -0500 Message-Id: <199707041641.LAA16103@byers.dejanews.com> To: Paul Ferguson cc: Firewalls@GreatCircle.COM Subject: Re: IP Filters? In-reply-to: Your message of "Fri, 04 Jul 1997 09:14:16 EDT."
<3.0.1.32.19970704091416.006dc930@lint.cisco.com> Date: Fri, 04 Jul 1997 11:41:11 -0500 From: Travis Hassloch Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In message <3.0.1.32.19970704091416.006dc930@lint.cisco.com>, Paul Ferguson writes: >What these two attacks share are that they have been known to >be launched by attackers using bogus source addresses, addresses >which are not found in the global routing system. TCP SYN attacks >which use this methodology can be thwarted using a TCP 'intercept', >a TCP proxy which will not complete the TCP three-way handshake >unless the originator of the TCP connection is reachable in the >routing table. Linux claims to have a "fix" for SYN attacks; standard patches reduce the problem but don't "fix" it and run the risk of penalizing high-latency connections (false positives as it were). Some have even considered using AI techniques for picking connections in the queue to expire. Can anyone comment on this? The only "fix" I can think of would be putting the burden of maintaining state on the originator, perhaps by passing some token back in the SA (2nd) packet and having the client repeat this in the 3rd packet. Not sure if there is room for this anywhere, and if so what kind of compatibility issues there would be. You have the disadvantage of not being able to list all sockets in the syn-received state, but being able to do that would imply sensitivity to the attack, wouldn't it? This has probably been covered before by protocol experts; if so, point me/us at the archive and let's not rehash it. >This has the unfortunate >side-effect of not only affecting the initial target, but also >an unwary third-party to whom the bogus addresses used actually >belong. This actually seems likely since the SYN flooders are likely just to pick pseudorandom 32-bit numbers (if not picking 0.0.0.0). >The same holds true for UDP flooding, however, there is no >effective mechanism to proxy UDP since it is connectionless.
It doesn't keep connection state in the packet like TCP does, but that doesn't mean a gateway can't. Besides, if you rely on what the TCP flags say you're opening yourself up to passive port scans (i.e. scans based on packets with ACK set). >Of course, ICMP traffic can be blocked altogether using >traffic filters, and is usually a pretty smart idea to >do so at the border router. But if you aren't using application-level proxies which can receive ICMPs, you can't get unreachables back, right? That might be annoying. If I remember right, ICMPs are a little trickier to handle than standard TCP replies as some (for example, host unreach) can come from IPs other than the destination. Would it be useful to allow ICMPs relating to established connections from the first-hop just used for that connection? Another useful thing might be to check for ACKs corresponding to data which hasn't been sent (recently), indicating a possible TCP session-hijack. Interestingly, Joncheray doesn't mention this in his paper. I have heard Bellovin might have an RFC on this, but I haven't looked for it. >Note: ingress traffic filtering is a concept of filtering >traffic leaving your administrative domain so that only >traffic which is announced via routing (e.g BGP) is allowed >to exit your routing domain. This does nothing to protect >you from an attack, but it does disallow downstream users >from launching attacks using nonexistent source addresses. Is this the multi-network equivalent of blocking outgoing packets which don't appear to be part of your internal network? Disclaimer: I don't claim to be a protocol expert, and I should probably have verified some of these assumptions, but my books are at home. Be nice :) -- Travis Hassloch / travish@dejanews.com / http://www.dejanews.com Deja News System Administration Group / "When news breaks... we fix it."
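Travis's suggestion above (hand the client a token in the SYN-ACK and make it echo the token in the final ACK, so the server keeps no half-open state) is the idea behind SYN cookies, and Paul's ingress filter is a prefix check at the border. The Python below is an added example written for this page, not code from either poster, from Linux, or from any vendor's TCP intercept. The secret, the 6-bit time slot / 2-bit MSS / 24-bit MAC cookie layout, the MSS table, the two-slot acceptance window, the RFC 5737 documentation addresses and the announced prefix are all constructed for illustration.

```python
"""SYN cookies and a border source-address filter (constructed example)."""
import hashlib
import hmac
import ipaddress
import struct

# Constructed secret. A real stack rotates it; if it leaks, an attacker can
# forge valid cookies and the server is back to accepting a plain SYN flood.
SECRET = b"constructed-secret-for-the-example"

TIME_BITS = 6                        # 6-bit slot counter, one slot per 64 s
SLOT_SECONDS = 64
MSS_TABLE = (536, 1300, 1440, 1460)  # 2-bit index: only these MSS values survive
MAC_BITS = 24
MAX_AGE_SLOTS = 2                    # accept the current and the two previous slots
ANNOUNCED = [ipaddress.ip_network("198.51.100.0/24")]  # constructed: prefix we announce via BGP


def _mac(tuple4, slot, mss_idx):
    """Keyed 24-bit hash binding the cookie to the 4-tuple, time slot and MSS."""
    src, dst, sport, dport = tuple4
    msg = (ipaddress.ip_address(src).packed
           + ipaddress.ip_address(dst).packed
           + struct.pack("!HHBB", sport, dport, slot, mss_idx))
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:MAC_BITS // 8], "big")


def make_cookie(tuple4, now, mss):
    """Server side of the SYN-ACK: the ISN encodes everything the server would
    otherwise remember, so a spoofed SYN costs it no memory at all."""
    slot = (now // SLOT_SECONDS) % (1 << TIME_BITS)
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return (slot << 26) | (mss_idx << 24) | _mac(tuple4, slot, mss_idx)


def check_cookie(tuple4, ack_seq, now):
    """Server side of the final ACK: recover the cookie from ack_seq - 1 and
    verify it. Returns the MSS to use, or None to drop the segment silently."""
    cookie = (ack_seq - 1) & 0xFFFFFFFF
    slot = cookie >> 26
    mss_idx = (cookie >> 24) & 0x3
    mac = cookie & ((1 << MAC_BITS) - 1)
    now_slot = (now // SLOT_SECONDS) % (1 << TIME_BITS)
    if (now_slot - slot) % (1 << TIME_BITS) > MAX_AGE_SLOTS:
        return None                                  # stale or replayed cookie
    expected = _mac(tuple4, slot, mss_idx)
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None                                  # forged, tampered, or wrong 4-tuple
    return MSS_TABLE[mss_idx]


def may_leave_domain(src):
    """Paul's ingress filter at the customer/ISP border: forward a packet only
    if its source lies in a prefix this domain announces. Packets with
    spoofed sources are dropped before they can flood (or implicate) a third party."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in ANNOUNCED)


if __name__ == "__main__":
    # Constructed sample handshake using RFC 5737 documentation addresses.
    legit = ("203.0.113.5", "198.51.100.10", 40000, 80)
    t0 = 1_000
    isn = make_cookie(legit, t0, mss=1460)
    print("legitimate ACK accepted, MSS =", check_cookie(legit, isn + 1, t0 + 10))
    print("same ACK five minutes later  :", check_cookie(legit, isn + 1, t0 + 300))
    replay = ("192.0.2.77", "198.51.100.10", 40000, 80)
    print("cookie replayed from elsewhere:", check_cookie(replay, isn + 1, t0))
    print("spoofed source may leave border:", may_leave_domain("192.0.2.77"))
```

Running it shows a legitimate ACK accepted, the same cookie rejected a few minutes later, and the cookie rejected when replayed from another source address. The trade-off Travis anticipates is visible in the code: the server cannot list its SYN-received sockets because it has none, and any TCP option that does not fit in the 32-bit cookie (here anything finer than the four-entry MSS table) is lost on connections that were completed from a cookie rather than from kept state.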
From owner-firewalls-outgoing Fri Jul 4 10:19:13 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA01141 for firewalls-outgoing; Fri, 4 Jul 1997 10:14:53 -0700 (PDT) Received: from tango.lightech.com.ar (tango.lightech.com.ar [200.0.253.134]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id KAA01070 for ; Fri, 4 Jul 1997 10:14:36 -0700 (PDT) Received: from salsa.lightech.com.ar (router1-p15.pccp.com.ar [200.0.253.31]) by tango.lightech.com.ar (8.6.8.1/SCA-6.6) with ESMTP id RAA13884 for ; Fri, 4 Jul 1997 17:01:58 GMT Message-ID: <33BCD808.61892F5D@lightech.com.ar> Date: Fri, 04 Jul 1997 14:01:29 +0300 From: Sergio Bollini Reply-To: sbollini@lightech.com.ar Organization: LighTech X-Mailer: Mozilla 4.01 [en] (Win95; I) MIME-Version: 1.0 To: Firewalls@GreatCircle.COM Subject: Re: Calling the Horde X-Priority: 3 (Normal) References: Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------ms6C35A981119558B2E8A0BEB1" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This is a cryptographically signed message in MIME format. --------------ms6C35A981119558B2E8A0BEB1 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Neil D. Quiogue wrote: > Why not try to do this yourself? In security parlance, do not trust > anyone. Moreover, what if a hacker that really found an unnoticed way through your firewall tells you: Nice firewall you have, I cannot break in! He may enter anytime while you feel confident about your security... Saludos -- Sergio E. Bollini LighTech Voice: (54-1) 373-1141 Ayacucho 563.
Piso 13 Dto "A" FAX: (54-1) 373-1215 Buenos Aires e-mail: sbollini@lightech.com.ar Argentina URL: http://www.lightech.com.ar --------------ms6C35A981119558B2E8A0BEB1 Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature
From owner-firewalls-outgoing Fri Jul 4 10:34:32 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA01184 for firewalls-outgoing; Fri, 4 Jul 1997 10:15:05 -0700 (PDT) Received: from tango.lightech.com.ar (tango.lightech.com.ar [200.0.253.134]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id KAA01102 for ; Fri, 4 Jul 1997 10:14:43 -0700 (PDT) Received: from salsa.lightech.com.ar (router1-p15.pccp.com.ar [200.0.253.31]) by tango.lightech.com.ar (8.6.8.1/SCA-6.6) with ESMTP id RAA13887 for ; Fri, 4 Jul 1997 17:02:02 GMT Message-ID: <33BCDA9E.B29810E9@lightech.com.ar> Date: Fri, 04 Jul 1997 14:12:31 +0300 From: Sergio Bollini Reply-To: sbollini@lightech.com.ar Organization: LighTech X-Mailer: Mozilla 4.01 [en] (Win95; I) MIME-Version: 1.0 To: firewalls@greatcircle.com Subject: FW-1's SNMP X-Priority: 3 (Normal) Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------msC767D758A9384B2EADF7ACED" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hello everybody!

I have a question concerning FW-1's (v2.1, Solaris 2.5.1) SNMP daemon. With the default communities, ISS Firewall Scanner was able to contact it and fetch its MIB. Setting the communities to something non-obvious, the scanner got no response from the port. But isn't it vulnerable to a brute-force password-guessing attack? It seems better to directly block (with some rule or rules) any connection to the daemon.

I tried many rules for blocking SNMP (with the default communities), but the scanner always got the MIB. Even the default "catch-all" rule doesn't take effect! The question is: how can I block a connection to the SNMP daemon?
As another question, is it possible to log a SecuRemote site creation? I mean seeing when anybody configures my FW-1 as a site for his SecuRemote client.

TIA

--
Sergio E. Bollini LighTech Voice: (54-1) 373-1141 Ayacucho 563. Piso 13 Dto "A" FAX: (54-1) 373-1215 Buenos Aires e-mail: sbollini@lightech.com.ar Argentina URL: http://www.lightech.com.ar
From owner-firewalls-outgoing Fri Jul 4 12:19:22 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA20003 for firewalls-outgoing; Fri, 4 Jul 1997 12:03:34 -0700 (PDT) Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id MAA19904 for ; Fri, 4 Jul 1997 12:03:16 -0700 (PDT) Message-Id: <199707041903.MAA19904@honor.greatcircle.com> Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA087872597; Sat, 5 Jul 1997 04:56:37 +1000 From: Darren Reed Subject: Re: IP Filters? To: travish@dejanews.com (Travis Hassloch) Date: Sat, 5 Jul 1997 04:56:37 +1000 (EST) Cc: pferguso@cisco.com, Firewalls@GreatCircle.COM In-Reply-To: <199707041641.LAA16103@byers.dejanews.com> from "Travis Hassloch" at Jul 4, 97 11:41:11 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

In some mail from Travis Hassloch, sie said:
>
> It doesn't keep connection state in the packet like TCP does,
> but that doesn't mean a gateway can't. Besides, if you
> rely on what the TCP flags say you're opening yourself
> up to passive port scans (i.e. scans based on packets with ACK
> set).

Not if you've half a clue about things. Some vendors are missing half a clue but.

> >Note: ingress traffic filtering is a concept of filtering
> >traffic leaving your administrative domain so that only
> >traffic which is announced via routing (e.g BGP) is allowed
> >to exit your routing domain. This does nothing to protect
> >you from an attack, but it does disallow downstream users
> >from launching attacks using nonexistent source addresses.
> >
> Is this the multi-network equivalent of blocking outgoing
> packets which don't appear from being part of your internal
> network?

Yes. Something all routers should do, anyway.

From owner-firewalls-outgoing Fri Jul 4 13:34:14 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA00749 for firewalls-outgoing; Fri, 4 Jul 1997 13:32:37 -0700 (PDT) Received: from usr05.primenet.com (usr05.primenet.com [206.165.5.105]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA00742 for ; Fri, 4 Jul 1997 13:32:31 -0700 (PDT) Received: from mingle-midi (ip214.vcv.primenet.com [204.245.12.214]) by usr05.primenet.com (8.8.5/8.8.5) with ESMTP id NAA01877 for ; Fri, 4 Jul 1997 13:35:38 -0700 (MST) Message-Id: <199707042035.NAA01877@usr05.primenet.com> From: "Marc H. Ingle" To: Date: Fri, 4 Jul 1997 13:34:04 -0700 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1157 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

remove

From owner-firewalls-outgoing Fri Jul 4 16:34:24 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id QAA11485 for firewalls-outgoing; Fri, 4 Jul 1997 16:06:20 -0700 (PDT) Received: from belenus.cvrd.br (belenus.cvrd.com.br [200.241.215.13]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id QAA11470 for ; Fri, 4 Jul 1997 16:06:13 -0700 (PDT) From: marcob@cvrd.com.br Received: from susvtxm1.cvrd.br by belenus.cvrd.br (AIX 4.1/UCB 5.64/FW1.0) id AA102220; Fri, 4 Jul 1997 20:05:42 -0300 Received: from susvtmg2.cvrd.br by susvtxm1.cvrd.br (AIX 4.1/UCB 5.64/4.03) id AA57634; Fri, 4 Jul 1997 20:09:58 -0300 Received: from ccMail by susvtmg2.cvrd.br (SMTPLINK V2.11) id AA868072246; Fri, 04 Jul 97 19:42:16 PST Date: Fri, 04 Jul 97 19:42:16 PST Message-Id: <9706048680.AA868072246@susvtmg2.cvrd.br> To: Firewalls@GreatCircle.com Sender:
firewalls-owner@GreatCircle.COM Precedence: bulk

Please, I am an information systems auditor. Does anyone know any site or document that shows real cases related to firewall attacks? Besides that, does anyone have a program to audit/evaluate a firewall system?

Thanks.

Marco A. Barros
Rio de Janeiro - Brasil

From owner-firewalls-outgoing Fri Jul 4 17:34:22 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA19175 for firewalls-outgoing; Fri, 4 Jul 1997 17:19:13 -0700 (PDT) Received: from uu5.psi.com (uu5.psi.com [38.145.226.3]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id RAA19139 for ; Fri, 4 Jul 1997 17:19:03 -0700 (PDT) Received: by uu5.psi.com (5.65b/4.0.071791-PSI/PSINet) via UUCP; id AA24915 for Firewalls@GreatCircle.COM; Fri, 4 Jul 97 20:21:27 -0400 Received: by telecnnct.com (SMI-8.6/SMI-SVR4) id TAA28041; Fri, 4 Jul 1997 19:56:24 -0400 Received: from barney(205.172.229.10) by fred via TTC (V2.0) id xma027939; Fri, 4 Jul 97 19:56:01 -0400 Message-Id: <33BD8D8F.353C51DE@telecnnct.com> Date: Fri, 04 Jul 1997 19:55:59 -0400 From: Jim Harmon Organization: The Telephone Connection X-Mailer: Mozilla 3.0 (X11; I; SunOS 4.1.4_DB sun4m) Mime-Version: 1.0 To: "Neil D. Quiogue" Cc: hartmut.fehling@hamburg.netsurf.de, Firewalls@GreatCircle.COM Subject: Re: Calling the Horde References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Neil D. Quiogue wrote:
>
> On Thu, 3 Jul 1997 hartmut.fehling@hamburg.netsurf.de wrote:
>
> > In order to make a really tough test before I actually connect the gateway
> > to our network, I could ask some people I know in the Underground to spread
> > the IP-Address, maybe the HW/SW-Configuration and perhaps even the
> > FW-1-Settings and invite the guys to try it out and break in (into the
> > empty network behind it).
> >
> > Question: Is this a wise thing to do / Has anybody "invited" Hackers in
> > such a fashion?
>
> Check the legalities of this 'breaking' session. There are companies
> which have security policies that do not allow this. And I think it is
> bad practice to do this since the information would cascade throughout the
> underground community.
>
> Why not try to do this yourself? In security parlance, do not trust
> anyone.

As I understand it, there are professional consultants who do this kind of work. I would NOT go to the "underground" as you say, as that is an open invitation for people to attack you ad infinitum, and if any are successful, and don't tell you they were, when the system goes into "real network" mode, you'll be wide-open.

--
Jim Harmon
The Telephone Connection
jim@telecnnct.com
Rockville, Maryland

From owner-firewalls-outgoing Fri Jul 4 18:49:11 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id SAA26725 for firewalls-outgoing; Fri, 4 Jul 1997 18:46:19 -0700 (PDT) Received: from yum.samart.co.th (yum.samart.co.th [203.149.0.4]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id SAA26700 for ; Fri, 4 Jul 1997 18:46:12 -0700 (PDT) Received: from pc1.samart.co.th (dialup1-203.samart.co.th [203.149.1.203]) by yum.samart.co.th (8.8.5/8.7.3) with SMTP id IAA24577 for ; Sat, 5 Jul 1997 08:50:10 +0700 (ICT) Message-ID: <33BDA7AC.3B65@physicist.net> Date: Sat, 05 Jul 1997 08:47:24 +0700 From: WinX X-Mailer: Mozilla 3.01Gold (Win95; I) MIME-Version: 1.0 To: firewalls@GreatCircle.COM Subject: (no subject) Content-Type: text/plain; charset=euc-kr Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

remove

From owner-firewalls-outgoing Fri Jul 4 20:49:11 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id UAA02531 for firewalls-outgoing; Fri, 4 Jul 1997 20:33:24 -0700 (PDT) Received: from cat.bbsr.edu (cat.bbsr.edu
[198.116.91.161]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id UAA02517 for ; Fri, 4 Jul 1997 20:33:18 -0700 (PDT) Message-Id: <199707050333.UAA02517@honor.greatcircle.com> Received: from [192.168.1.202] by cat.bbsr.edu (SMTPD32-3.04) id A0B07135020A; Sat, 05 Jul 1997 00:34:08 -0300 From: "Jamie Thain" To: "Phil Burg" , "'firewalls@greatcircle.com'" Subject: Re: another Citrix Winframe query Date: Sat, 5 Jul 1997 00:34:30 -0300 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1155 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Phil,

I don't know if exposure is the right answer, but the client could choose to connect internal drives and ship data out. Printers can form a back connection, but I think this is all at the request of the client. I am going to do a little testing with it to be sure... The question is: has anyone tried to "back connect" through the "client" network?

If you want absolute control put a Winframe in the middle. Users winframe to your server, and then use a winframe client installed to winframe out.

regards: jamie
Citrix Authorized Gold Dealer

From owner-firewalls-outgoing Fri Jul 4 22:04:17 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id VAA06185 for firewalls-outgoing; Fri, 4 Jul 1997 21:57:31 -0700 (PDT) Received: from alpha2.curtin.edu.au (alpha2.curtin.edu.au [134.7.70.20]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id VAA06168 for ; Fri, 4 Jul 1997 21:57:22 -0700 (PDT) Received: from 134.7.108.53 (134.7.108.53) by alpha2.curtin.edu.au (PMDF V5.0-6 #7809) id <01IKVN0VJ5YOBB7UTH@alpha2.curtin.edu.au> for firewalls@GreatCircle.COM; Sat, 05 Jul 1997 13:02:47 +0800 Date: Sat, 05 Jul 1997 13:01:58 +0800 From: Bret Watson Subject: Re: need suggestion xntpd a security hole ???
In-reply-to: <33BCFDA4.5ACB@di.unipi.it> X-Sender: climbing@skuld.cage.curtin.edu.au To: firewalls@GreatCircle.COM Message-id: MIME-version: 1.0 Content-type: text/plain; charset="us-ascii" Content-transfer-encoding: 7BIT References: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Yes if you are only using one line into your network then by compromising your ISP the attacker has the ability to spoof anything incoming. Mind you if the attacker has compromised your connection to the world you are in deep s^&t anyway.

Claudio, you are right it will eventually cycle - however since it uses the NTP header and data as part of the seed the cycle is around about once per 136 years. [ref RFC 1305 C.2.1]

yes - nothing is impossible to compro the time and money - however blowed if I can think of a situation where the in is high enough to spend the time to compromise a fully redundant NTP server. To ensure it _is_ impossible - many routers like cisco plug-in GPS cards that allow you to run a primary NTP server within your org.

Cheers,

Bret

Bret Watson & Associates, Computer Security Consultants Bret.Watson@bwa.net http://www.bwa.net/ Phone: +61 41 4411 149 (local time UTC +8) Fax: +61 8 9454 6042

From owner-firewalls-outgoing Fri Jul 4 23:27:58 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA10878 for firewalls-outgoing; Fri, 4 Jul 1997 23:04:07 -0700 (PDT) Received: from nic.com (nic.com [204.141.60.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id XAA10871 for ; Fri, 4 Jul 1997 23:04:00 -0700 (PDT) Received: from localhost (dave@localhost) by nic.com (8.8.5/8.8.5) with SMTP id CAA09908; Sat, 5 Jul 1997 02:07:44 -0400 (EDT) Date: Sat, 5 Jul 1997 02:07:44 -0400 (EDT) From: Dave Wreski To: Bret Watson cc: firewalls@GreatCircle.COM Subject: Re: need suggestion xntpd a security hole ???
In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Sat, 5 Jul 1997, Bret Watson wrote:
> Yes if you are only using one line into your network then by compromising
> your ISP the attacker has the ability to spoof anything incoming. Mind you
> if the attacker has compromised your connection to the world you are in deep
> s^&t anyway.

As I have only read the basic instructions on fwtk that I plan to learn to use this weekend, hopefully you can tell me if I'm on the right track. I would also like to bring ntp into my network, on the only line providing Internet access to a small company I'm working with.

Wouldn't the plug-gw be used in this circumstance? Would it be advisable to set up a xntpd server on one of my external boxes, and use it to serve the internal network, consisting of about 10 machines? Or would it be better to have each configured to use a proxying ntpdate?

Thanks,
Dave Wreski

From owner-firewalls-outgoing Fri Jul 4 23:34:18 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA11068 for firewalls-outgoing; Fri, 4 Jul 1997 23:11:48 -0700 (PDT) Received: from nic.com (nic.com [204.141.60.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id XAA11061 for ; Fri, 4 Jul 1997 23:11:42 -0700 (PDT) Received: from localhost (dave@localhost) by nic.com (8.8.5/8.8.5) with SMTP id CAA09949 for ; Sat, 5 Jul 1997 02:15:31 -0400 (EDT) Date: Sat, 5 Jul 1997 02:15:30 -0400 (EDT) From: Dave Wreski To: firewalls@greatcircle.com Subject: Moving data to external machines Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi all. I am working with trying to set up my first Internet server.
The network will consist of several interior machines, and two external servers, as shown:

           Internet
              |
              |
   Linux with FWTK DNS/Mail/Proxy
   (Blocks all but WWW/Marimba)
              |
              |
   Linux with ip masq WWW/Marimba
              |
              |
           10mbs Hub
           ---------
          | | | | | | | | | |
           Internal Network

Since the internal machines are primarily NT 4.0 workstations, and I'm not too familiar with ssh under NT, how would I go about copying the data from the internal machines to the web server? There will be a staging server on the internal network, and I eventually need to get that data to the production server, as well as fetching mail and doing DNS queries from the firewall box.

Should I redesign my distribution of services? Can I do an NFS proxy? SMB proxy? Would it be by default safe, since I'm not allowing connections internally on the external interface?

Thanks for any ideas,
Dave Wreski

From owner-firewalls-outgoing Sat Jul 5 03:04:21 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id CAA25783 for firewalls-outgoing; Sat, 5 Jul 1997 02:54:36 -0700 (PDT) Received: from shup2.sh.cei.go.cn ([203.207.143.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id CAA25756 for ; Sat, 5 Jul 1997 02:54:07 -0700 (PDT) Received: from Y2000 ([203.207.143.12]) by shup2.sh.cei.go.cn (8.7.5+2.6Wbeta6/3.4W CEI-SH 96090315) with ESMTP id RAA24398 for ; Sat, 5 Jul 1997 17:55:28 +0800 (CST) Message-Id: <199707050955.RAA24398@shup2.sh.cei.go.cn> From: "Cai Xuewu" To: "firewalls mailing list" Subject: Any NAT implement? Date: Sat, 5 Jul 1997 17:57:27 -0000 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1155 MIME-Version: 1.0 Content-Type: text/plain; charset=HZ-GB-2312 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi, everyone

I'm working in an ISP company, and at the request of my customer, I want to implement a NAT for my customer and make multiple users use only one IP address.
I have read RFC1631 and RFC 1918, and I wonder if someone knows where I can find some sample for reference.

Thanks in advance

==========================|===========================
Cai Xuewu                 |Shanghai Information Center
xwcai@saturn.shcei.co.cn  |
                          | HuaShan Road 1076
                          | Shanghai 200050
                          | P.R.C
==========================|===========================

From owner-firewalls-outgoing Sat Jul 5 09:04:13 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA15121 for firewalls-outgoing; Sat, 5 Jul 1997 08:58:33 -0700 (PDT) Received: from dns1.tc.net (dns1.tc.net [208.205.78.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA15112 for ; Sat, 5 Jul 1997 08:58:27 -0700 (PDT) Received: from UNKNOWN [208.205.78.200] by dns1.tc.net for id MAA08796; Sat Jul 5 12:01:45 1997 Received: (from doug@localhost) by ono.tc.net (8.7.6/8.7.3) id MAA04394; Sat, 5 Jul 1997 12:01:43 -0400 Subject: Re: need suggestion xntpd a security hole ??? References: Date: 05 Jul 1997 12:01:41 -0400 In-Reply-To: Dave Wreski's message of Sat, 5 Jul 1997 02:07:44 -0400 (EDT) Message-ID: Lines: 22 X-Mailer: Gnus v5.2.39/Emacs 19.34 To: Dave Wreski From: Douglas McNaught Cc: Bret Watson , firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Dave Wreski writes:

> I would also like to bring ntp into my network, on the only line providing
> Internet access to a small company I'm working with.
>
> Wouldn't the plug-gw be used in this circumstance? Would it be advisable
> to set up a xntpd server on one of my external boxes, and use it to serve
> the internal network, consisting of about 10 machines? Or would it be
> better to have each configure to use a proxying ntpdate?

NTP is a UDP-based service, so you can't plug-gw it. The usual procedure is to run an NTP daemon on the bastion host, and sync it to as many low-stratum servers as possible.
Have the internal clients sync either directly to the bastion host or to internal higher-stratum servers.

-Doug

--
sub g{my$i=index$t,$_[0];($i%5,int$i/5)}sub h{substr$t,5*$_[1]+$_[0],1}sub n{(
$_[0]+4)%5}$t='encryptabdfghjklmoqsuvwxz';$c='fxmdwbcmagnyubnyquohyhny';while(
$c=~s/(.)(.)//){($w,$x)=g$1;($y,$z)=g$2;$w==$y&&($p.=h($w,n$x).h($y,n$z))or$x==
$z&&($p.=h(n$w,$x).h(n$y,$z))or($p.=h($y,$x).h($w,$z))}$p=~y/x/ /;print$p,"\n";

From owner-firewalls-outgoing Sat Jul 5 10:34:21 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA20306 for firewalls-outgoing; Sat, 5 Jul 1997 10:20:47 -0700 (PDT) Received: from nic.com (nic.com [204.141.60.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id KAA20281 for ; Sat, 5 Jul 1997 10:20:39 -0700 (PDT) Received: from localhost (dave@localhost) by nic.com (8.8.5/8.8.5) with SMTP id NAA14042; Sat, 5 Jul 1997 13:24:30 -0400 (EDT) Date: Sat, 5 Jul 1997 13:24:29 -0400 (EDT) From: Dave Wreski To: Douglas McNaught cc: Bret Watson , firewalls@GreatCircle.COM Subject: Re: need suggestion xntpd a security hole ??? In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> > I would also like to bring ntp into my network, on the only line providing
> > Internet access to a small company I'm working with.

> NTP is a UDP-based service, so you can't plug-gw it. The usual
> procedure is to run an NTP daemon on the bastion host, and sync it to
> as many low-stratum servers as possible. Have the internal clients
> sync either directly to the bastion host or to internal higher-stratum
> servers.

How is it more secure to run an ntp daemon on the bastion host, and serve the internal network from there, rather than from the stratum's on the Internet? I suppose I could only allow that port from bastion host to internal network...
Thanks again,
Dave

From owner-firewalls-outgoing Sat Jul 5 13:19:12 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA29463 for firewalls-outgoing; Sat, 5 Jul 1997 13:13:26 -0700 (PDT) Received: from pse01.pios.com (PSE01.PIOS.COM [199.33.129.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id NAA29446 for ; Sat, 5 Jul 1997 13:13:19 -0700 (PDT) Received: by pse01.pios.com; (5.65v3.2/1.3/10May95) id AA12907; Sat, 5 Jul 1997 16:16:22 -0400 Received: from vaxc.PIOS.COM (vaxc.PIOS.COM) by gemini.pios.com (PMDF V5.0-6 #18985) id <01IKVTTZZ5DC8X0MBJ@gemini.pios.com> for firewalls@GreatCircle.COM; Sat, 05 Jul 1997 16:17:44 -0400 (EDT) Received: from cal_133.cal.pios.com (ras11.RAS.PIOS.COM) by PIOS.PIOS.COM (PMDF V5.0-6 #18984) id <01IKVTSCMMWG8YBHZZ@PIOS.PIOS.COM> for firewalls@GreatCircle.COM; Sat, 05 Jul 1997 16:16:28 -0400 (EDT) Date: Sat, 05 Jul 1997 16:15:38 -0400 From: Bill Stout Subject: Re: Microsoft plans to offer a firewall X-Sender: stoutb@192.168.0.37 To: firewalls@GreatCircle.COM Message-Id: <2.2.32.19970705201538.00696f38@192.168.0.37> Mime-Version: 1.0 X-Mailer: Windows Eudora Pro Version 2.2 (32) Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Maybe I should've titled this "How to Make money fast" by investing in TIS. ;)

Given this thread is definitely anti-Microsoft, and that I give bad MS press by creating exploit lists, inadvertently helped someone alter files at microsoft.com last year, scoffed at MS responses to security problems ("One must simply reboot the server to restore services"), and fear for James Bond 'The Net' scenarios with security-software distributed as mysterious compiled binaries only, I feel moved to respond as the devil's advocate.

Over a year ago while working at Hitachi, I tried to get Hitachi to work with TIS to co-develop the NT version of Gauntlet.
This was based on the reviewability of TIS source, my personal respect for Gauntlet, and the interest at TIS of working with Hitachi. I did get up to the Japanese executive level (above VP, below Pres/CEO), however due to an inability of lower level pointy-haired managers to: recognize TIS as a major player, recognize firewalls as a long-lived technology, and not make responses in 1995 such as "Why do we need firewalls when NT is secure?" the project died (One of the managers also had an alternative security project which also failed). Sadly I disappointed many people at TIS because of this. :(

TIS was interested in working with Hitachi because we were one of the few companies which had NT source, and NT programmers. The ability to review NT source for security flaws was very important to TIS. At the time TIS had no NT version of Gauntlet, and very few NT-proficient programmers. TIS was also paying visits to Microsoft directly in order to partner/create a Firewall product (wisely not putting their eggs into one basket).

I would give the MS/TIS combo the benefit of doubt, since TIS has a history of making source available for review, and being strongly critical while reviewing code. 'The big problem' with Microsoft is that source code is not reviewable, resulting in major security holes being discovered after many thousands of NT systems are used in production environments. Hopefully TIS is also wise enough not to create any NT dependencies in the firewall code.

I'm sure TIS recognizes that Microsoft software is notoriously insecure. Given this, TIS will critically review MS code pertinent to the firewall, and make firewall source available. My faith in an NT firewall product is improved because of the association of TIS, home of 'crystal box' open source code.

My caveat; no one can make security Microsoft-proof.
Bill Stout

From owner-firewalls-outgoing Sat Jul 5 13:49:25 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA00725 for firewalls-outgoing; Sat, 5 Jul 1997 13:35:48 -0700 (PDT) Received: from alpha.mcit.com (alpha.mcit.com [199.249.18.143]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA00715 for ; Sat, 5 Jul 1997 13:35:41 -0700 (PDT) Received: from omzrelay.mcit.com (omzrelay.mcit.com [166.37.204.49]) by alpha.mcit.com (8.8.6/) with ESMTP id QAA24153 for ; Sat, 5 Jul 1997 16:39:00 -0400 (EDT) Received: from pop3a.mail.mci.com (pop3a.mail.mci.com [166.37.172.2]) by omzrelay.mcit.com (8.8.5/) with ESMTP id PAA32555 for ; Sat, 5 Jul 1997 15:39:00 -0500 (CDT) Received: from localHost ([204.189.236.145]) by pop3a.mail.mci.com (Post.Office MTA Undefined release Undefined ID# 1-123U25000L1S10) with SMTP id AAA25041 for ; Sat, 5 Jul 1997 16:38:59 -0400 Date: Sat, 05 Jul 1997 16:30 -0400 (EDT) From: "William Greenlee" To: Firewalls X-Mailer: MailRoom v2.1e Message-ID: <19970705203857.AAA25041@localHost> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

remove

From owner-firewalls-outgoing Sat Jul 5 14:56:09 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA05494 for firewalls-outgoing; Sat, 5 Jul 1997 14:40:07 -0700 (PDT) Received: from elektra.ultra.net (elektra.ultra.net [199.232.56.13]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id OAA05485 for ; Sat, 5 Jul 1997 14:40:02 -0700 (PDT) Received: from zandar.judgefamily.org (joesmac.ultranet.com [199.232.59.222]) by elektra.ultra.net (8.8.5/ult1.06) with SMTP id RAA26590; Sat, 5 Jul 1997 17:43:19 -0400 (EDT) Received: by zandar.judgefamily.org with Microsoft Mail id <01BC896B.449BD2E0@zandar.judgefamily.org>; Sat, 5 Jul 1997 17:45:46 -0400 Message-ID: <01BC896B.449BD2E0@zandar.judgefamily.org> From: Joseph Judge To: Dave Wreski , "'Douglas McNaught'" Cc: Bret Watson ,
"firewalls@GreatCircle.COM" Subject: RE: need suggestion xntpd a security hole ??? Date: Sat, 5 Jul 1997 17:45:44 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I second that motion (run xntpd on your gateway, sync to many, let internal servers get time against your gateway) ... but consider buying a GPS NTP time server ... They are not that expensive (couple hundred $US?) - joe ---------- From: Douglas McNaught[SMTP:doug@ono.tc.net] Sent: Saturday, July 05, 1997 12:01 PM To: Dave Wreski Cc: Bret Watson; firewalls@GreatCircle.COM Subject: Re: need suggestion xntpd a security hole ??? Dave Wreski writes: > I would also like to bring ntp into my network, on the only line providing > Internet access to a small company I'm working with. > > Wouldn't the plug-gw be used in this circumstance? Would it be advisable > to set up a xntpd server on one of my external boxes, and use it to serve > the internal network, consisting of about 10 machines? Or would it be > better to have each configure to use a proxying ntpdate? NTP is a UDP-based service, so you can't plug-gw it. The usual procedure is to run an NTP daemon on the bastion host, and sync it to as many low-stratum servers as possible. Have the internal clients sync either directly to the bastion host or to internal higher-stratum servers. 
-Doug -- sub g{my$i=index$t,$_[0];($i%5,int$i/5)}sub h{substr$t,5*$_[1]+$_[0],1}sub n{( $_[0]+4)%5}$t='encryptabdfghjklmoqsuvwxz';$c='fxmdwbcmagnyubnyquohyhny';while( $c=~s/(.)(.)//){($w,$x)=g$1;($y,$z)=g$2;$w==$y&&($p.=h($w,n$x).h($y,n$z))or$x== $z&&($p.=h(n$w,$x).h(n$y,$z))or($p.=h($y,$x).h($w,$z))}$p=~y/x/ /;print$p,"\n"; From owner-firewalls-outgoing Sat Jul 5 15:04:11 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA05359 for firewalls-outgoing; Sat, 5 Jul 1997 14:38:44 -0700 (PDT) Received: from elektra.ultra.net (elektra.ultra.net [199.232.56.13]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id OAA05335 for ; Sat, 5 Jul 1997 14:38:37 -0700 (PDT) Received: from zandar.judgefamily.org (joesmac.ultranet.com [199.232.59.222]) by elektra.ultra.net (8.8.5/ult1.06) with SMTP id RAA21129; Sat, 5 Jul 1997 17:41:53 -0400 (EDT) Received: by zandar.judgefamily.org with Microsoft Mail id <01BC896B.11CBB4C0@zandar.judgefamily.org>; Sat, 5 Jul 1997 17:44:21 -0400 Message-ID: <01BC896B.11CBB4C0@zandar.judgefamily.org> From: Joseph Judge To: firewalls mailing list , "'Cai Xuewu'" Subject: RE: Any NAT implement? Date: Sat, 5 Jul 1997 17:44:19 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk (keywords: rambling, NAT, ip-filter, ftp redirection) Cai - I have been using ip-filter for my "house network" at home in the manner you described. So, the example I give here will be a cookbook for that. IP-Filter is publicly available from http://coombs.anu.edu.au/~avalon and is very strong on features. There are commercial packet filters "out there" that are good ... but many that are not as strong as IP-Filter. The most current released version is 3.1.11. If you get that and compile it ... you have a packet filter and network address translator. (NAT = Network Address Translation for those who may not know). 
Under Solaris, it runs as a loadable kernel module ... so there is a start up script, /etc/init.d/ipfboot. You will have to modify this so that your network address translation rules get loaded. The startup script provided just loads the packet filter. You may also wish to customize how the log-program, "ipmon", gets started. For some reason, ipmon tends to suck up the CPU cycles (I think there is a missing sleep() call in a tight loop in ipmon). Anyway ... I add "ipnat -f /etc/ipnat.conf" to the start section.

My /etc/ipnat.conf file looks like this:

    map ipdptp0 10.1.1.0/24 -> my-real-Internet-address/32 portmap tcp/udp 10000:65000
    map ipdptp0 10.1.1.0/24 -> my-real-Internet-address/32

This tells the NAT code to remap packets that are exiting my ipdptp0 interface (which is my PPP interface to the Internet) to be mapped to the single host that my service provider thinks is at my house. My "house net" is 10.1.1.0, which is a PC at 10.1.1.3, a Macintosh at 10.1.1.2 and the Internet-gateway Sparc 5 at 10.1.1.1. I have some rules in the /etc/ipf.conf file for ip-filter to protect my machines, also.

Remember - the "map" verb is to remap packets leaving your ip-filter machine, the "rdr" verb is to redirect inbound packets to the ip-filter machine. I mention this because the ftp protocol will break in some cases of NAT. You see, when my PC wants to connect out to an FTP site ... the control channel will come out of my machine at, for example, socket 1025. I've remapped my internal net to fall within the 10000 to 65000 port range. This is more than enough for a 3-machine network (or a small class C or so). But, that means the FTP site will see a connection from "my-real-machine" at, for example, socket 10000. No problems yet, yes? Then my PC tells the FTP site "give me this file, I'm listening on socket 1026" over the control channel. The FTP site hits "my-real-machine" at socket 1026 and there is nothing there (!!!).
So, worry about sites that don't have passive FTP (where the client does not accept data connections, but calls out to the FTP server instead). This is the normal firewall passive-FTP problem. But, you can eliminate these problems with a "rdr" of any connections from the "house net" to anywhere port = 21 to be redirected up to some kind of FTP proxy server (which you would have to run on your ip-filter machine).

good luck -- joe

----------
From: Cai Xuewu[SMTP:xwcai@shup2.sh.cei.go.cn]
Sent: Saturday, July 05, 1997 1:57 PM
To: firewalls mailing list
Subject: Any NAT implement?

Hi, everyone

I'm working in an ISP company; under the request of my customer, I want to implement a NAT for my customer and make multi-user to use only an IP address. I have read RFC1631 and RFC 1918, and I wonder if someone knows where I can find some sample for reference.

Thanks in advance

==========================|===========================
Cai Xuewu                 |Shanghai Information Center
xwcai@saturn.shcei.co.cn  |
                          | HuaShan Road 1076
                          | Shanghai 200050
                          | P.R.C
==========================|===========================

From owner-firewalls-outgoing Sat Jul 5 17:34:12 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA16898 for firewalls-outgoing; Sat, 5 Jul 1997 17:30:12 -0700 (PDT) Received: from ceddec.com (brickwall.ceddec.com [207.91.200.193]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id RAA16889 for ; Sat, 5 Jul 1997 17:30:08 -0700 (PDT) Received: by brickwall.ceddec.com id <32257>; Sat, 5 Jul 1997 20:33:33 -0400 Date: Sat, 5 Jul 1997 20:34:50 -0400 From: tzeruch@ceddec.com X-Sender: nobody@mars.ceddec.com To: David Wasser cc: firewalls@GreatCircle.COM, franks@netscape.com Subject: Re: Tunneling tools with 128 bit encryption outside US?
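The port-mapping and active-FTP breakage Joe describes in his NAT cookbook above, as an added example that is not from the original thread: a toy Python model of the ipnat "map ... portmap tcp/udp 10000:65000" rule, the PORT command that the NAT passes through unmodified, and what an FTP-aware proxy (his "rdr ... port 21" suggestion) would have to do for the server's data connection to land anywhere. The public address 192.0.2.10, the FTP server 198.51.100.7 and the port numbers are constructed placeholders.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed values standing in for Joe's setup: 10.1.1.0/24 is his "house net",
# 192.0.2.10 is a placeholder for "my-real-Internet-address" (a documentation range)
# and 10000:65000 is the portmap range from his ipnat.conf.
INTERNAL_NET = ipaddress.ip_network("10.1.1.0/24")
EXTERNAL_IP = "192.0.2.10"
PORTMAP_LO, PORTMAP_HI = 10000, 65000
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# A packet is its 5-tuple plus payload; the NAT rewrites headers, never the payload.
Packet = namedtuple("Packet", "proto src sport dst dport payload", defaults=(b"",))


def is_rfc1918(addr):
    """Private address space: an Internet FTP server cannot route a data connection here."""
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)


class PortmapNat:
    """Toy model of: map ipdptp0 10.1.1.0/24 -> EXTERNAL_IP/32 portmap tcp/udp 10000:65000"""

    def __init__(self):
        self.next_port = PORTMAP_LO
        self.outbound_map = {}   # (proto, inside addr, inside port) -> mapped port
        self.inbound_map = {}    # (proto, mapped port) -> (inside addr, inside port)

    def allocate(self, proto, src, sport):
        """Create (or reuse) the public port that stands for one inside socket."""
        key = (proto, src, sport)
        if key not in self.outbound_map:
            if self.next_port > PORTMAP_HI:
                raise RuntimeError("portmap range exhausted")
            self.outbound_map[key] = self.next_port
            self.inbound_map[(proto, self.next_port)] = (src, sport)
            self.next_port += 1
        return self.outbound_map[key]

    def outbound(self, pkt):
        """Packet leaving ipdptp0: rewrite the source to the public address."""
        if ipaddress.ip_address(pkt.src) not in INTERNAL_NET:
            return pkt
        mapped = self.allocate(pkt.proto, pkt.src, pkt.sport)
        return Packet(pkt.proto, EXTERNAL_IP, mapped, pkt.dst, pkt.dport, pkt.payload)

    def inbound(self, pkt):
        """Packet arriving for the public address: forward only if a mapping exists."""
        inside = self.inbound_map.get((pkt.proto, pkt.dport))
        if inside is None:
            return None   # no translation entry: "there is nothing there (!!!)"
        return Packet(pkt.proto, pkt.src, pkt.sport, inside[0], inside[1], pkt.payload)


PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def parse_port_command(payload):
    """Decode an active-mode 'PORT h1,h2,h3,h4,p1,p2' command (RFC 959), or None."""
    m = PORT_RE.search(payload)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def active_ftp_data_ok(nat, server):
    """PC 10.1.1.3 opens the control channel, then advertises 10.1.1.3:1026 with PORT."""
    ctrl = nat.outbound(Packet("tcp", "10.1.1.3", 1025, server, 21, b"PORT 10,1,1,3,4,2\r\n"))
    host, port = parse_port_command(ctrl.payload)   # payload still names the inside socket
    if is_rfc1918(host):
        return False   # the server would dial 10.1.1.3:1026, unreachable from outside
    # Even aimed at the public address instead, port 1026 has no mapping and is dropped.
    return nat.inbound(Packet("tcp", server, 20, EXTERNAL_IP, port)) is not None


def passive_ftp_data_ok(nat, server):
    """PASV: the client opens the data connection, so the NAT maps it on the way out."""
    nat.outbound(Packet("tcp", "10.1.1.3", 1025, server, 21, b"PASV\r\n"))
    data = nat.outbound(Packet("tcp", "10.1.1.3", 1026, server, 40000))
    reply = nat.inbound(Packet("tcp", server, 40000, EXTERNAL_IP, data.sport))
    return reply is not None and (reply.dst, reply.dport) == ("10.1.1.3", 1026)


def proxied_active_ftp_data_ok(nat, server):
    """What an FTP-aware proxy on the NAT box (Joe's 'rdr ... port 21' idea) adds: read PORT,
    reserve a public port for the inside socket, re-issue PORT with the public address."""
    host, port = parse_port_command(b"PORT 10,1,1,3,4,2\r\n")
    mapped = nat.allocate("tcp", host, port)
    pub = EXTERNAL_IP.replace(".", ",")
    rewritten = f"PORT {pub},{mapped // 256},{mapped % 256}\r\n".encode()
    pub_host, pub_port = parse_port_command(rewritten)
    reply = nat.inbound(Packet("tcp", server, 20, pub_host, pub_port))
    return reply is not None and (reply.dst, reply.dport) == (host, port)
```

Real ipnat later grew an FTP proxy of its own for exactly this case; the model above only shows why a plain "map ... portmap" rule cannot do it by itself.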
In-Reply-To: <33BA45A5.57AB2A3B@netscape.com> Message-Id: <97Jul5.203333edt.32257@brickwall.ceddec.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Or secure socket relay (ssr) - see http://www.medcom.se/ From owner-firewalls-outgoing Sat Jul 5 23:46:50 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id WAA29404 for firewalls-outgoing; Sat, 5 Jul 1997 22:42:30 -0700 (PDT) Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-970427-1) id WAA29394 for firewalls@greatcircle.com; Sat, 5 Jul 1997 22:42:27 -0700 (PDT) Received: from p0015c01.kpmg.com (p0016c01.kpmg.com [199.207.255.14]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id PAA21047 for ; Thu, 3 Jul 1997 15:22:22 -0700 (PDT) From: kenng@kpmg.com Received: by p0015c01.kpmg.com; id SAA05775; Thu, 3 Jul 1997 18:24:15 -0400 (EDT) Received: from pa0016c4.kpmg.com(130.100.150.27) by p0015c01.kpmg.com via smap (3.2) id xma005645; Thu, 3 Jul 97 18:24:02 -0400 Received: from mailgate3.kpmg.com by pa0016c4.kpmg.com(8.7.3/8.7.3) with SMTP id SAA08577; Thu, 3 Jul 1997 18:23:18 -0400 (EDT) Received: from ccMail by mailgate3.kpmg.com (IMA Internet Exchange 2.1 Enterprise) id 000C4716; Thu, 3 Jul 97 18:24:17 -0400 Mime-Version: 1.0 Date: Thu, 3 Jul 1997 18:12:16 -0400 Message-ID: <000C4716.3365@kpmg.com> To: Harry Mantakos , "osiris@pacificnet.net" Cc: firewalls@GreatCircle.COM Subject: Re[2]: Microsoft plans to offer a firewall Content-Type: multipart/mixed; boundary="IMA.Boundary.756869768" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk --IMA.Boundary.756869768 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Description: cc:Mail note part In a previous life I've seen Coopers and Lybrand's so-called security evaluation. To put it politely, I was not impressed. 
For our UNIX servers, they wanted a printout of the file permissions for every file on every system. I guess they never heard of 'find'. They missed NFS permission problems (like export *WORLD* *WRITABLE*), they missed that databases were *WORLD* *WRITABLE*, they missed a lot of basic hole checking. But, they were improving. The first time I met with them they didn't ask for any file permissions. Note: I say the above, and I say everything as an individual. I am not now, or ever have been a spokesman for where I work now. ______________________________ Reply Separator _________________________________ Subject: Re: Microsoft plans to offer a firewall Author: "osiris@pacificnet.net" at INTERNET Date: 7/3/97 12:25 AM Yeah, incredible but true. However, for those that are genuinely interested, the full URL to that document is here: http://www.microsoft.com/proxy/common/Coopers.exe A few noteworthy points...According to M$: "Coopers & Lybrand LLP (C&L) conducted a four phase evaluation program that reviewed Installation, Configuration, Security Feature Analysis, and Penetration Testing in an effort to "unearth" any security vulnerabilities of Microsoft Proxy Server." C&L claim that the product withstood attacks from "...well-known and well documented tools, such as the public domain tools Internet Security Scanner and Satan..." Immediately following this, C&L advises that "...without careful installation, monitoring, and observation, any computing product or system may be vulnerable to exploitation..." In other words, "..we evaluated this product, but we cannot vouch for it, nor place our reputation on the line." Moreover (and even more incredibly) C&L go on to say that the Proxy Server uses NT 4.0 as its platform and therefore, 4.0's IP forwarding "may" present some security issues. Let me repeat that: IP forwarding MAY present some security issues. Whatever. Meanwhile, are they saying that if a target survives a scan by SafeSuite or SATAN, that it's okay? 
(Maybe Ballista would have been a better choice as it is a more recent development. I wonder, did they try scanning it with Jakal?) Okay enough to give it this "Security Seal of Approval" that M$ is parading around? Hahahaha. Not the Security Seal of Approval. Anything but that. That - and about 1.75 - will get you... --IMA.Boundary.756869768 Content-Type: text/plain; charset=US-ASCII; name="RFC822 message headers" Content-Transfer-Encoding: 7bit Content-Description: cc:Mail note part Content-Disposition: inline; filename="RFC822 message headers" Received: from pa0016c4.kpmg.com (130.100.150.27) by mailgate1.kpmg.com with SMTP (IMA Internet Exchange 2.1 Enterprise) id 00054C09; Thu, 3 Jul 97 15:01:07 -0400 Received: from pa0016c1.kpmg.com by pa0016c4.kpmg.com(8.7.3/8.7.3) with ESMTP id OAA19385 for ; Thu, 3 Jul 1997 14:55:55 -0400 (EDT) Received: by pa0016c1.kpmg.com; id OAA20198; Thu, 3 Jul 1997 14:56:38 -0400 (EDT) Received: from relay2.uu.net(192.48.96.7) by pa0016c1.kpmg.com via smap (3.2) id xma020133; Thu, 3 Jul 97 14:56:34 -0400 Received: from honor.greatcircle.com by relay2.UU.NET with ESMTP (peer crosschecked as: [198.102.244.44]) id QQcwqd12965; Thu, 3 Jul 1997 14:55:26 -0400 (EDT) Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id AAA05792 for firewalls-outgoing; Thu, 3 Jul 1997 00:16:20 -0700 (PDT) Received: from polaris.pacificnet.net (polaris.pacificnet.net [207.171.0.250]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id AAA05747 for ; Thu, 3 Jul 1997 00:16:09 -0700 (PDT) Received: from default (pm14-11.pacificnet.net [207.171.10.44]) by polaris.pacificnet.net (8.8.5/8.8.5) with SMTP id AAA23923; Thu, 3 Jul 1997 00:09:44 -0700 (PDT) Message-ID: <33BB53E7.583F@pacificnet.net> Date: Thu, 03 Jul 1997 00:25:27 -0700 From: "osiris@pacificnet.net" Reply-To: osiris@pacificnet.net X-Mailer: Mozilla 3.01 (Win95; I) MIME-Version: 1.0 To: Harry Mantakos CC: firewalls@GreatCircle.COM Subject: Re: Microsoft plans 
to offer a firewall References: <199707030318.XAA11240@kiri.meretrix.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk --IMA.Boundary.756869768-- From owner-firewalls-outgoing Sat Jul 5 23:48:36 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA01879 for firewalls-outgoing; Sat, 5 Jul 1997 23:06:46 -0700 (PDT) Received: from alpha2.curtin.edu.au (alpha2.curtin.edu.au [134.7.70.20]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id XAA01862 for ; Sat, 5 Jul 1997 23:06:37 -0700 (PDT) Received: from rara19.curtin.edu.au (rara19.curtin.edu.au) by alpha2.curtin.edu.au (PMDF V5.0-6 #7809) id <01IKX3Q34TCGBB837S@alpha2.curtin.edu.au>; Sun, 06 Jul 1997 14:11:56 +0800 Date: Sun, 06 Jul 1997 14:11:15 +0800 From: Bret Watson Subject: Re: need suggestion xntpd a security hole ??? In-reply-to: X-Sender: climbing@skuld.cage.curtin.edu.au To: Dave Wreski Cc: firewalls@GreatCircle.COM Message-id: MIME-version: 1.0 Content-type: text/plain; charset="us-ascii" Content-transfer-encoding: 7BIT References: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk The normal trick is to create two machines as NTP stratum 2 or 3 servers. The rest of the machines serve off these two machines (for stability and redundancy). >From a traffic point of view it would be better to have the servers inside your firewall, though NTP traffic is pretty low after the system stabilises. I assume that your link is not a dial-up. I think Doug answers the question of whether you can run it through plug-gw: >NTP is a UDP-based service, so you can't plug-gw it. The usual >procedure is to run an NTP daemon on the bastion host, and sync it to >as many low-stratum servers as possible. Have the internal clients >sync either directly to the bastion host or to internal higher-stratum >servers.
Of course this reduces your redundancy as there is only one server now instead of two. If you allow a rule of to on UDP 123 and to on UDP 123 it should work. There is a garmin GPS plug in for a cisco server that I know of - but your best source of specific info on these types of things is on comp.protocols.time.ntp Personally I would use an internal primary server synced from GPS or a radio clock - have a look at http://www.eecis.udel.edu/~ntp/ though they appear to be down at the moment. Cheers, Bret Bret Watson & Associates, Computer Security Consultants Bret.Watson@bwa.net http://www.bwa.net/ Phone: +61 41 4411 149 (local time UTC +8) Fax: +61 8 9454 6042 From owner-firewalls-outgoing Sat Jul 5 23:49:11 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id WAA00492 for firewalls-outgoing; Sat, 5 Jul 1997 22:49:54 -0700 (PDT) Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-970427-1) id WAA00472 for firewalls@greatcircle.com; Sat, 5 Jul 1997 22:49:50 -0700 (PDT) Received: from ns1 ([202.117.112.3]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id BAA05347 for ; Fri, 4 Jul 1997 01:46:31 -0700 (PDT) Received: from 202.117.112.3 ([202.117.114.61]) by ns1 (5.x/SMI-SVR4) id AA05045; Fri, 4 Jul 1997 16:44:06 +0900 Date: Fri, 4 Jul 1997 16:44:06 +0900 Message-Id: <9707040744.AA05045@ns1> From: qwd To: Subject: Help! X-Mailer: FoxMail 1.4.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello, all, I'd like to write some program about proxy service (application gateway) of firewall. Where can I get some source (some examples) about it?
Qiu From owner-firewalls-outgoing Sun Jul 6 03:41:16 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id DAA28467 for firewalls-outgoing; Sun, 6 Jul 1997 03:27:47 -0700 (PDT) Received: from punt-2.mail.demon.net (relay-7.mail.demon.net [194.217.242.7]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id DAA28460 for ; Sun, 6 Jul 1997 03:27:41 -0700 (PDT) Received: from dowrmain.demon.co.uk ([158.152.123.251]) by punt-2.mail.demon.net id aa1225483; 6 Jul 97 10:21 BST Message-ID: Date: Sun, 6 Jul 1997 10:12:11 +0100 To: firewalls@greatcircle.com From: Ian Wade Reply-To: Ian Wade Subject: Linux software for GPS > ntpd ??? MIME-Version: 1.0 X-Mailer: Turnpike Version 3.00 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Can anyone point me to Linux/Unix software which will convert the output from a GPS receiver to drive an NTP server? Ian -- \|--------\|--------\|--------\| Ian Wade |\--------|\--------|\--------|\ | | | | http://www.netro.co.uk/nosintro.html | Netro | Press | (tm)| for all about KA9Q NOS. 
From owner-firewalls-outgoing Sun Jul 6 04:49:13 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA02720 for firewalls-outgoing; Sun, 6 Jul 1997 04:36:23 -0700 (PDT) Received: from pino.demon.nl (pino.demon.nl [194.159.226.41]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id EAA02713 for ; Sun, 6 Jul 1997 04:36:18 -0700 (PDT) Received: from localhost (arjan@localhost) by pino.demon.nl (8.8.4/8.8.4) with SMTP id MAA00404; Sun, 6 Jul 1997 12:39:27 +0200 Date: Sun, 6 Jul 1997 12:39:20 +0200 (MET DST) From: Arjan Vos To: kenng@kpmg.com cc: firewalls@greatcircle.com Subject: Re: Re[2]: Microsoft plans to offer a firewall In-Reply-To: <000C4716.3365@kpmg.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thu, 3 Jul 1997 kenng@kpmg.com wrote: > In a previous life I've seen Coopers and Lybrand's so-called security > evaluation. To put it politely, I was not impressed. For our UNIX > servers, they wanted a printout of the file permissions for every file > on every system. I guess they never heard of 'find'. They missed NFS > permission problems (like export *WORLD* *WRITABLE*), they missed that > databases were *WORLD* *WRITABLE*, they missed a lot of basic hole > checking. But, they were improving. The first time I met with them > they didn't ask for any file permissions. > > Note: I say the above, and I say everything as an individual. I am > not now, or ever have been a spokesman for where I work now. > I think you should be very careful when judging C&L based on a past experience. Maybe it says more about the persons performing the evaluation than C&L. From your mail address I assume you work for KPMG, and KPMG is in the same business(es) as C&L, and I'm sure such experiences as you describe may also be applicable to some of KPMG's security evaluations (and those of Ernst & Young and Deloitte & Touche and so on...:-)).
However what I don't understand is that C&L agreed in publishing the so-called 'white paper' on the Internet. You can say they sold out on this one :-) What I know from one of the other 'big six' companies is that putting their name to one product requires a formal certification of the product, including source code reviews and penetration testing. And with penetration testing I don't mean ISS and SATAN-like wide scanning but more or less deep "C2-B1-and-up" like penetration testing. Gr. Arjan Vos -- Eat hard Sleep hard Wear glasses if you need them From owner-firewalls-outgoing Sun Jul 6 05:04:14 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA03161 for firewalls-outgoing; Sun, 6 Jul 1997 04:54:25 -0700 (PDT) Received: from mailserver.di.unipi.it (memphis.di.unipi.it [131.114.4.6]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id EAA03146 for ; Sun, 6 Jul 1997 04:54:18 -0700 (PDT) Received: from 131.114.4.36.di.unipi.it (slip1.di.unipi.it [131.114.4.80]) by mailserver.di.unipi.it (8.8.5/8.7.3) with SMTP id NAA11920; Sun, 6 Jul 1997 13:53:38 +0200 (MET DST) Message-ID: <33BF881C.4075@di.unipi.it> Date: Sun, 06 Jul 1997 13:57:16 +0200 From: Claudio Telmon Reply-To: claudio@DI.Unipi.IT Organization: Dipartimento di Informatica, Universita' di Pisa, Italy X-Mailer: Mozilla 3.01 (Win95; I) MIME-Version: 1.0 To: Dave Wreski CC: Douglas McNaught , Bret Watson , firewalls@GreatCircle.COM Subject: Re: need suggestion xntpd a security hole ??? References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Dave Wreski wrote: > > How is it more secure to run an ntp daemon on the bastion host, and serve > the internal network from there, rather than from the stratum's on the > Internet? > > I suppose I could only allow that port from bastion host to internal > network... 
> > Thanks again, > Dave If you have a proxy based firewall, packet forwarding should be disabled, so allowing packets from the internet to internal hosts shouldn't be an option. Maybe you could use socks, but there is the usual problem of bugs in clients/servers: buffer overflows, misconfigurations... You can have a tight control on a single server on the bastion host, while an attack on an internal server could go undetected for a longer time... A compromised daemon on the bastion host isn't a nice thing anyway, so a GPS should be a better solution. ciao - Claudio From owner-firewalls-outgoing Sun Jul 6 06:49:12 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA11516 for firewalls-outgoing; Sun, 6 Jul 1997 06:35:49 -0700 (PDT) Received: from deere3-bh.dx.deere.com (deere3-bh.dx.deere.com [207.122.201.68]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id GAA11509 for ; Sun, 6 Jul 1997 06:35:44 -0700 (PDT) Received: (from uucp@localhost) by deere3-bh.dx.deere.com (8.6.12/8.6.11) id IAA02311 for ; Sun, 6 Jul 1997 08:39:08 -0500 Received: from 192.43.1.3 by deere3-bh.dx.deere.com via smap (3.2) id xma002309; Sun, 6 Jul 97 08:39:06 -0500 Received: from 90.deere.com by deere (SMI-8.6/SMI-SVR4) id IAA29931; Sun, 6 Jul 1997 08:38:36 -0500 Received: from catbert.uu.deere.com by 90.deere.com (SMI-8.6/SMI-SVR4) id IAA19062; Sun, 6 Jul 1997 08:38:34 -0500 Message-ID: <33BF9F57.70DC2B83@90.deere.com> Date: Sun, 06 Jul 1997 08:36:23 -0500 From: Bertrum Carroll Organization: Deere & Company X-Mailer: Mozilla 4.0 [en] (Win95; I) MIME-Version: 1.0 To: "Firewalls@GreatCircle.COM" Subject: Two ISP's to one DMZ X-Priority: 3 (Normal) Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I'm looking for advice from someone who has connected two or more different ISP's to the same DMZ. Are there pitfalls in doing this? Is it not possible?
I need to stay up to at least part of the net when a single ISP is having problems. Has anyone done this with success? From owner-firewalls-outgoing Sun Jul 6 07:19:25 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA13698 for firewalls-outgoing; Sun, 6 Jul 1997 07:05:43 -0700 (PDT) Received: from lint.cisco.com (lint.cisco.com [171.68.223.44]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA13684 for ; Sun, 6 Jul 1997 07:05:33 -0700 (PDT) Received: from big-dawgs.cisco.com (herndon-dhcp-109.cisco.com [171.68.53.109]) by lint.cisco.com (8.8.5/CISCO.SERVER.1.2) with SMTP id HAA00935; Sun, 6 Jul 1997 07:08:59 -0700 (PDT) Message-Id: <3.0.3.32.19970706100857.006d037c@lint.cisco.com> X-Sender: pferguso@lint.cisco.com X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Sun, 06 Jul 1997 10:08:57 -0400 To: Bertrum Carroll From: Paul Ferguson Subject: Re: Two ISP's to one DMZ Cc: "Firewalls@GreatCircle.COM" In-Reply-To: <33BF9F57.70DC2B83@90.deere.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk No problem -- run BGP between all peers. - paul At 08:36 AM 07/06/97 -0500, Bertrum Carroll wrote: >I'm looking for advice from someone who has connected two or more >different ISP's to the same DMZ. > >Are there pitfalls in doing this? Is it not possible. I need to stay >up to at least part of the net when a single ISP is having problems. > >Has anyone done this with success? > -- Paul Ferguson || || Consulting Engineering || || Herndon, Virginia USA |||| |||| tel: +1.703.397.5938 ..:||||||:..:||||||:..
e-mail: pferguso@cisco.com c i s c o S y s t e m s From owner-firewalls-outgoing Sun Jul 6 09:04:11 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA21743 for firewalls-outgoing; Sun, 6 Jul 1997 08:38:24 -0700 (PDT) Received: from mail.clark.net (mail.clark.net [168.143.0.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA21734 for ; Sun, 6 Jul 1997 08:38:15 -0700 (PDT) Received: from clark.net (mht@explorer.clark.net [168.143.0.7]) by mail.clark.net (8.8.5/8.6.5) with SMTP id LAA29073; Sun, 6 Jul 1997 11:41:38 -0400 (EDT) Date: Sun, 6 Jul 1997 11:41:35 -0400 (EDT) From: Mark Teicher To: Bertrum Carroll cc: "Firewalls@GreatCircle.COM" Subject: Re: Two ISP's to one DMZ In-Reply-To: <33BF9F57.70DC2B83@90.deere.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Bertrum, Yes this works very well, when the two ISP's can actually work together. I have been in situations where one ISP blamed the other for not following up on certain work. Let's take for example, your primary ISP is BBN Planet and the other is UUNET.. In your service line agreement with both providers, you should ask for and insist on guarantees on switchover when one or the other provider goes out, and the escalation path of each.. Who do they contact, how is the follow through. When things come back, are you given a lengthy explanation of what happened or just PCI.. (Problem Cleared Itself). If you would like some help picking the right ISP in providing this type of service, please feel free to drop me a note.. /mark teicher On Sun, 6 Jul 1997, Bertrum Carroll wrote: > I'm looking for advice from someone who has connected two or more > different ISP's to the same DMZ. > > Are there pitfalls in doing this? Is it not possible. I need to stay > up to at least part of the net when a single ISP is having problems. > > Has anyone done this with success?
> ########################################################## 'Turn on, Boot Up, Jack in' ######################################################### From owner-firewalls-outgoing Sun Jul 6 09:11:20 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA21709 for firewalls-outgoing; Sun, 6 Jul 1997 08:36:40 -0700 (PDT) Received: from gate.ct-net.de (gate.ct-net.de [195.4.230.3]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA21701 for ; Sun, 6 Jul 1997 08:36:31 -0700 (PDT) From: marc@sniff.ct-net.de Received: from service.ct-net.de (service.ct-net.de [195.4.230.4]) by gate.ct-net.de (8.8.5/8.8.5/cT-a) with ESMTP id PAA24961 for ; Sun, 6 Jul 1997 15:40:02 GMT Received: (from uucp@localhost) by service.ct-net.de (8.8.5/8.8.5/cT-a) with UUCP id PAA16166 for firewalls@greatcircle.com; Sun, 6 Jul 1997 15:28:52 GMT Received: (from marc@localhost) by sniff.franken.de (8.8.5/8.8.5/mb-b) id PAA01852 for firewalls@greatcircle.com; Sun, 6 Jul 1997 15:39:45 GMT Message-Id: <199707061539.PAA01852@sniff.franken.de> Subject: Re: Two ISP's to one DMZ To: firewalls@greatcircle.com Date: Sun, 6 Jul 1997 15:39:45 +0000 (GMT) In-Reply-To: <3.0.3.32.19970706100857.006d037c@lint.cisco.com> from "Paul Ferguson" at Jul 6, 97 10:08:57 am X-Mailer: ELM [version 2.4 PL24 ME8b] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello, Paul Ferguson answered quite shortly to the question: > No problem -- run BGP between all peers. > > - paul Uhh ... what has the problem to do with BGP? I was thinking in terms of "trust" and such ... We are talking about a building with several ISP's working in this building? And they want to share the costs for a DMZ installation? Or several ISP's at several locations?
In this case I would have expected a tunnel solution between my outside router and the DMZ somewhere out in the world - or there is no difference between this outsourced DMZ and the "big bad internet(TM)". So: what exactly is the problem? (and is BGP the answer? ;-) Regards, Marc > At 08:36 AM 07/06/97 -0500, Bertrum Carroll wrote: > > >I'm looking for advice from someone who has connected two or more > >different ISP's to the same DMZ. > > > >Are there pitfalls in doing this? Is it not possible. I need to stay > >up to aleast part of the net when a single ISP is having problems. > > > >Has anyone done this with success? -- Marc Binderberger 97076 Wuerzburg, Germany marc@sniff.ct-net.de Powered by FreeBSD ;-) From owner-firewalls-outgoing Sun Jul 6 09:41:47 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA24225 for firewalls-outgoing; Sun, 6 Jul 1997 09:32:22 -0700 (PDT) Received: from weblock.tm.net.my (weblock.tm.net.my [202.188.0.180]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id JAA24217 for ; Sun, 6 Jul 1997 09:32:16 -0700 (PDT) Received: from budweiser ([202.188.6.48]) by weblock.tm.net.my (Post.Office MTA v3.1 release PO203a ID# 581-39802U50000L50000S0) with SMTP id AAA1451; Mon, 7 Jul 1997 00:36:36 +0800 Message-ID: <33C09FBB.2817@tm.net.my> Date: Mon, 07 Jul 1997 00:50:19 -0700 From: ping Reply-To: ping@tm.net.my Organization: The Network Connections X-Mailer: Mozilla 3.01 (WinNT; I) MIME-Version: 1.0 To: Paul Ferguson CC: Bertrum Carroll , "Firewalls@GreatCircle.COM" Subject: Re: Two ISP's to one DMZ References: <3.0.3.32.19970706100857.006d037c@lint.cisco.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Paul Ferguson wrote: > > No problem -- run BGP between all peers. yup, this is more of a routing problem than firewall. And you want to make sure your IGP is running otherwise EBGP and IBGP won't help. 
> > - paul > > At 08:36 AM 07/06/97 -0500, Bertrum Carroll wrote: > > >I'm looking for advice from someone who has connected two or more > >different ISP's to the same DMZ. > > > >Are there pitfalls in doing this? Is it not possible. I need to stay > >up to aleast part of the net when a single ISP is having problems. > > > >Has anyone done this with success? > > > > -- > Paul Ferguson || || > Consulting Engineering || || > Herndon, Virginia USA |||| |||| > tel: +1.703.397.5938 ..:||||||:..:||||||:.. > e-mail: pferguso@cisco.com c i s c o S y s t e m s -- -------------------------------------------------------------- Ping Onn Cheng The Network Connections Network Consultant 41 Jalan USJ 10/1, Taipan Crest Tel : 03-7337757 Subang Jaya, Selangor http://www.asiapac.net/~ping Malaysia -------------------------------------------------------------- From owner-firewalls-outgoing Sun Jul 6 09:56:22 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA25616 for firewalls-outgoing; Sun, 6 Jul 1997 09:45:52 -0700 (PDT) Received: from heaton.cl.cam.ac.uk (heaton.cl.cam.ac.uk [128.232.32.11]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id JAA25581 for ; Sun, 6 Jul 1997 09:45:42 -0700 (PDT) Received: from heaton.cl.cam.ac.uk [128.232.0.11] (pb) by heaton.cl.cam.ac.uk with esmtp (Exim 1.62 #6) id 0wkuUo-00072g-00; Sun, 6 Jul 1997 17:49:10 +0100 X-uri: X-face: &@N3QE9h|>f`igFCkZ'a1`z=nNLXb}k>H(79G"V?@!&*yn)uhPBctF1vc}LD'{OA%$bs X+l[wN,I^G8kKj2NFxQrr@1C4QBC]hq5-%ZkV,^Zl/qE<0`zCQ1nM+]-N<^WG[H)]?d) A:L9AFgOU[BjbaY)uBAMz}h!fm^O0# To: Ian Wade cc: firewalls@greatcircle.com Subject: Re: Linux software for GPS > ntpd ??? In-reply-to: Your message of Sun, 06 Jul 1997 10:12:11 +0100. Date: Sun, 06 Jul 1997 17:49:05 +0100 From: Piete Brooks Message-Id: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Can anyone point me to Linux/Unix software which will convert the output > from a GPS receiver to drive an NTP server? 
Try xntp3 from louie.udel.edu in pub/ntp

From owner-firewalls-outgoing Sun Jul 6 11:04:13 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA08541 for firewalls-outgoing; Sun, 6 Jul 1997 10:51:30 -0700 (PDT) Received: from mailserver.di.unipi.it (memphis.di.unipi.it [131.114.4.6]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id KAA08534 for ; Sun, 6 Jul 1997 10:51:22 -0700 (PDT) Received: from 131.114.4.36.di.unipi.it (slip1.di.unipi.it [131.114.4.80]) by mailserver.di.unipi.it (8.8.5/8.7.3) with SMTP id TAA18669; Sun, 6 Jul 1997 19:50:36 +0200 (MET DST) Message-ID: <33BFDBE0.52D2@di.unipi.it> Date: Sun, 06 Jul 1997 19:54:40 +0200 From: Claudio Telmon Reply-To: claudio@DI.Unipi.IT Organization: Dipartimento di Informatica, Universita' di Pisa, Italy X-Mailer: Mozilla 3.01 (Win95; I) MIME-Version: 1.0 To: Dave Wreski CC: firewalls@GreatCircle.COM Subject: Re: Moving data to external machines References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Dave Wreski wrote:
>
> Hi all. I am working with trying to set up my first Internet server. The
> network will consist of several interior machines, and two external
> servers, as shown:
>
>             Internet
>                |
>                |
>          Linux with FWTK
>          DNS/Mail/Proxy
>    (Blocks all but WWW/Marimba)
>                |
>                |
>         Linux with ip masq
>            WWW/Marimba
>                |
>                |
>             10mbs Hub
>             ---------
>            | | | | |
>            | | | | |
>         Internal Network
>
> Since the internal machines are primarily NT 4.0 workstation, and I'm not
> too familiar with ssh under NT, how would I go about copying the data from
> the internal machines to the web server?

Note that in this setup your Web server is an internal machine. I wouldn't say this is a secure setup, since an attack against your WWW server would take the attacker right behind your defences.
> There will be a staging server
> on the internal network, and I eventually need to get that data to the
> production server, as well as fetching mail and doing DNS queries from the
> firewall box.
>
> Should I redesign my distribution of services?
>

I would. A third interface on the bastion host for the Web server could solve many of your problems.

ciao - Claudio

From owner-firewalls-outgoing Sun Jul 6 20:04:20 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id TAA29393 for firewalls-outgoing; Sun, 6 Jul 1997 19:59:30 -0700 (PDT) Received: from lint.cisco.com (lint.cisco.com [171.68.223.44]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id TAA29373 for ; Sun, 6 Jul 1997 19:59:22 -0700 (PDT) Received: from big-dawgs.cisco.com (herndon-dhcp-109.cisco.com [171.68.53.109]) by lint.cisco.com (8.8.5/CISCO.SERVER.1.2) with SMTP id UAA19659; Sun, 6 Jul 1997 20:02:18 -0700 (PDT) Message-Id: <3.0.3.32.19970706230215.006b6378@lint.cisco.com> X-Sender: pferguso@lint.cisco.com X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Sun, 06 Jul 1997 23:02:15 -0400 To: marc@sniff.ct-net.de From: Paul Ferguson Subject: Re: Two ISP's to one DMZ Cc: firewalls@GreatCircle.COM In-Reply-To: <199707061539.PAA01852@sniff.franken.de> References: <3.0.3.32.19970706100857.006d037c@lint.cisco.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

At 03:39 PM 07/06/97 +0000, marc@sniff.ct-net.de wrote:
>Paul Ferguson answered quite short to the question:
>
>> No problem -- run BGP between all peers.
>>
>
>Uhh ... what has the problem to do with BGP?
>

Uh, because the original question asked how to connect two or more different routing domains (ISP's) to a shared (or perhaps switched) media interconnect point, and BGP is the de facto method for exterior routing between dissimilar administrative routing domains.
That has everything to do with the problem, as well as the solution. You don't use a wrench to hammer a nail -- you use the correct tool for the job.

>I was thinking in terms of "trust" and such ...
>We are talking about a building with several ISP's working in this
>building? And they want to share the cost's for a DMZ installation?
>

Trust is a very bad thing, but even if you are foolish enough to open your kimono, you still need the BGP protocol for routing between different administrative routing domains.

>Or several ISP's at several locations? In this case I would have
>expected a tunnel solution between my outside router and the DMZ
>somewhere out in the world - or there is no difference between this
>outsourced DMZ and the "big bad internet(TM)".
>
>So: what exactly is the problem? (and is BGP the answer? ;-)
>

The problem perhaps was miscommunicated, but as it stands, if the problem is simply how to exchange data between two ISP's at a common location, BGP is the answer.

- paul

>Regards, Marc
>
>> At 08:36 AM 07/06/97 -0500, Bertrum Carroll wrote:
>>
>> >I'm looking for advice from someone who has connected two or more
>> >different ISP's to the same DMZ.
>> >
>> >Are there pitfalls in doing this? Is it not possible. I need to stay
>> >up to at least part of the net when a single ISP is having problems.
>> >
>> >Has anyone done this with success?
>
>--
>Marc Binderberger 97076 Wuerzburg, Germany
>marc@sniff.ct-net.de Powered by FreeBSD ;-)
>

--
Paul Ferguson || ||
Consulting Engineering || ||
Herndon, Virginia USA |||| ||||
tel: +1.703.397.5938 ..:||||||:..:||||||:..
e-mail: pferguso@cisco.com c i s c o S y s t e m s

From owner-firewalls-outgoing Sun Jul 6 20:19:20 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id UAA00712 for firewalls-outgoing; Sun, 6 Jul 1997 20:14:19 -0700 (PDT) Received: from gtwau300.anz.com (gtwau300.anz.com.au [203.61.224.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id UAA00696 for ; Sun, 6 Jul 1997 20:14:06 -0700 (PDT) Received: by gtwau300.anz.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BC8AD7.541C3DF0@gtwau300.anz.com>; Mon, 7 Jul 1997 13:11:49 +1000 Message-ID: From: "Gasparini, Edy" To: Firewalls Subject: Cisco exploits/vulnerabilities Date: Mon, 7 Jul 1997 13:16:00 +1000 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Greetings,

There are plenty of resources on the 'Net for known exploits/vulnerabilities for various Unix platforms, NT and others. What I can't seem to locate are Cisco exploits/vulnerabilities :( Does this mean that there aren't any?? I think not :)

Can anyone point out such a site/s? I don't necessarily want to know *how* to exploit Cisco routers, I just want to know what the known problems are and what is fixed in the various IOS levels.

TIA.
./edy

From owner-firewalls-outgoing Sun Jul 6 20:34:36 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id UAA02891 for firewalls-outgoing; Sun, 6 Jul 1997 20:32:23 -0700 (PDT) Received: from caladan.verisign.com (caladan.verisign.com [205.180.232.21]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id UAA02884 for ; Sun, 6 Jul 1997 20:32:17 -0700 (PDT) Received: from mentat.verisign.com by caladan.verisign.com (8.8.5/BCH1.0) id UAA00988; Sun, 6 Jul 1997 20:35:49 -0700 (PDT) Received: from sgordiany-pc.verisign.com by mentat.verisign.com (8.8.5/BCH1.0) id UAA00755; Sun, 6 Jul 1997 20:35:48 -0700 (PDT) Message-Id: <3.0.32.19970706204429.006c27a4@mail> X-Sender: sgordiany@mail X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Sun, 06 Jul 1997 20:44:30 -0700 To: Bertrum Carroll , "Firewalls@GreatCircle.COM" From: Steven Gordiany Subject: Re: Two ISP's to one DMZ Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

At 08:36 AM 7/6/97 -0500, Bertrum Carroll wrote:
>I'm looking for advice from someone who has connected two or more
>different ISP's to the same DMZ.
>
>Are there pitfalls in doing this? Is it not possible. I need to stay
>up to at least part of the net when a single ISP is having problems.

You will have to configure your outbound routers to run Border Gateway Protocol (BGP) routing in this case. The only pitfall is configuring BGP to suit your particular environment. Border Gateway Protocol can be somewhat complicated if you've never configured it before. The other issue is dealing with both ISP's; sometimes they don't want to route each other's address blocks.

Redundancy is the issue here; if you're running BGP and one of your ISP's has trouble, BGP will automatically (if configured right) announce an alternate route to your DMZ addresses through the 2nd ISP. Convergence time using the 2nd route is minimal, it should take 5 minutes or so.
>
>Has anyone done this with success?
>
>

Yes.

From owner-firewalls-outgoing Sun Jul 6 22:49:24 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id WAA14336 for firewalls-outgoing; Sun, 6 Jul 1997 22:36:44 -0700 (PDT) Received: from gate.ct-net.de (gate.ct-net.de [195.4.230.3]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id WAA14329 for ; Sun, 6 Jul 1997 22:36:38 -0700 (PDT) From: marc@sniff.ct-net.de Received: from service.ct-net.de (service.ct-net.de [195.4.230.4]) by gate.ct-net.de (8.8.5/8.8.5/cT-a) with ESMTP id FAA27188; Mon, 7 Jul 1997 05:40:25 GMT Received: (from uucp@localhost) by service.ct-net.de (8.8.5/8.8.5/cT-a) with UUCP id FAA17202; Mon, 7 Jul 1997 05:29:07 GMT Received: (from marc@localhost) by sniff.franken.de (8.8.5/8.8.5/mb-b) id FAA00510; Mon, 7 Jul 1997 05:36:29 GMT Message-Id: <199707070536.FAA00510@sniff.franken.de> Subject: Re: Two ISP's to one DMZ To: sgordiany@verisign.com (Steven Gordiany) Date: Mon, 7 Jul 1997 05:36:28 +0000 (GMT) Cc: firewalls@greatcircle.com In-Reply-To: <3.0.32.19970706204429.006c27a4@mail> from "Steven Gordiany" at Jul 6, 97 08:44:30 pm X-Mailer: ELM [version 2.4 PL24 ME8b] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hello,

first, please trash my first confused reply. I forgot to turn on my brain before sending the reply :(

But another question comes up: Our local ISP here in Germany told me that it is no good idea to advertise networks below /19, because some carriers filter out BGP routes to networks smaller than 8192 addresses. Is this correct? And if so, what will be the solution for Bertrum Carroll's problem?
Regards, Marc

--
Marc Binderberger 97076 Wuerzburg, Germany
marc@sniff.ct-net.de Powered by FreeBSD ;-)

From owner-firewalls-outgoing Mon Jul 7 01:19:28 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id BAA25525 for firewalls-outgoing; Mon, 7 Jul 1997 01:16:07 -0700 (PDT) Received: from spock.bitmailer.com (spock.bitmailer.com [194.179.94.5]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id BAA25416 for ; Mon, 7 Jul 1997 01:15:47 -0700 (PDT) Received: from ns.bitmailer.com (ns.bitmailer.com [194.179.94.1]) by spock.bitmailer.com (8.8.5/8.8.6) with SMTP id KAA27486; Mon, 7 Jul 1997 10:21:41 +0200 Received: from alex by ns.bitmailer.com with smtp (Smail3.1.29.1 #165) id m0wl9AG-003kKVC; Mon, 7 Jul 97 10:28 MET DST Message-Id: From: "Angel López Escobar" To: , Subject: RE: FireWall Audit Date: Mon, 7 Jul 1997 10:05:49 +0200 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1161 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> > Besides that, does anyone have a program to audit/evaluate a firewall
> system ?
>

The only free program I've heard about is SATAN, which isn't exactly a tool to evaluate a FireWall, but it's to perform security checking. You can find it on the net.

Also you can find a commercial one, and I think that it is not very cheap. The company is Internet Security Systems www.iss.net and the product is SAFEsuite.

Regards.
From owner-firewalls-outgoing Mon Jul 7 01:34:43 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id BAA24774 for firewalls-outgoing; Mon, 7 Jul 1997 01:14:37 -0700 (PDT) Received: from sif.cgs.it ([194.21.205.3]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id BAA24757 for ; Mon, 7 Jul 1997 01:14:15 -0700 (PDT) Received: from ons.sif.cgs.it (sgorla.sif.cgs.it [194.21.205.106]) by sif.cgs.it (8.7.5/8.7.3) with SMTP id JAA22312; Mon, 7 Jul 1997 09:19:37 +0200 Message-Id: <3.0.1.32.19970707101819.00743d0c@fw2> X-Sender: gfaggion@fw2 X-Mailer: Windows Eudora Light Version 3.0.1 (32) Date: Mon, 07 Jul 1997 10:18:19 +0200 To: Mark Teicher From: "Gabriele Luigi Paolo Faggioni " Subject: RE: Firewall on AIX Cc: Firewalls@GreatCircle.COM In-Reply-To: <3.0.1.32.19970704132343.00931eb0@clark.net> References: <3.0.1.32.19970703101001.00cab9bc@fw2> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Please explain to me which are the IBM features that aren't implemented on the FW1 firewall!

At 13.23 4/7/1997 -0400, you wrote:
>IBM has their own solution for the AIX.. It is designed to use the AIX
>much better than Firewall -1 is..
>
>/mark
>
>
>At 10:10 AM 7/3/97 +0200, you wrote:
>>In 1, Jul, 1997 I wrote:
>>...I've had some research on firewall on AIX, but I got very little.
>>...I have some FAQ at the
>>...http://www.checkpoint.com/opsec/Partners/memco/faq.html:
>>
>>...- 6. Which versions of FireWall-1 are compatible with SeOS Secured!
>>...- For FireWall-1?
>>
>>...- SeOS Secured! For FireWall-1 is compatible with FireWall-1 version 2.1
>>...- and version 3.0 for Solaris on Sun SPARC and x86. SunOS and HP-UX
>>...- versions are currently in Beta testing and will be available soon.
>>IBM ...AIX
>>...- and Windows NT versions are in development.
>>...It will be available until the third quarter of the year.
>>
>>Roger Rea replied to me:
>>>From: Roger Rea
>>>To:
>>>Cc: <75816664@ITHVM03.vnet.ibm.com>
>>>Subject: Fwd: Firewall on AIX
>>>Date: Wed, 2 Jul 1997 17:30:11 -0400
>>>
>>>Gabriele.................Perhaps you have not looked at the current version of
>>>the IBM Firewall. We are a much more complete firewall than other firewalls,
>>>offering not only filtering architectures like Check Point, but also
>>>Application Gateways and Circuit Level Gateways. So you get three firewalls in
>>>one.
>>
>>PERHAPS YOU HAVEN'T LOOKED AT THE LAST 3 OR 4 VERSIONS OF THE CHECKPOINT
>>FIREWALL.
>>IT USES THE "STATEFUL INSPECTION" TECHNOLOGY TO FILTER ALL ISO LAYERS FROM
>>THE NETWORK LAYER TO THE APPLICATION IN ONLY ONE PASS: THERE'S AN "INSPECT
>>ENGINE" THAT USING DYNAMIC STATE TABLES ASSURES A FAST AND TRANSPARENT
>>INSPECTION.
>>
>>>We also offer Network Address Translation, logging, alerting, a JAVA-based GUI
>>>with pre-defined services and context sensitive help. We've had IPSEC tunnels
>>>for several releases and have added in the current release client IPSEC
>>>software at no additional charge. We offer the Network Security Auditor, which
>>>allows you to scan the network for security weaknesses.
>>>
>>>You can learn more about the IBM Firewall for AIX V3.1 and download trial
>>>software from our web site at: http:\\www.ics.raleigh.ibm.com\firewall
>>
>>THANK YOU FOR THE INFORMATION
>>
>>---------------------------------------------------------------
>> Gabriele Faggioni
>>
>> Open Network Services - Security
>> Cap Gemini Italia S.p.A.
>> Via Lombroso, 54
>> MILANO (ITALIA)
>> http://www.sif.cgs.it
>>
>> mailto:gfaggion@sif.cgs.it
>> tel. ++39 2 59924 420
>> fax. ++39 2 59924 245
>>---------------------------------------------------------------
>>
>>
>#########################################################
>'Turn on, Boot Up, Jack in'
>#########################################################
>
>

---------------------------------------------------------------
Gabriele Faggioni

Open Network Services - Security
Cap Gemini Italia S.p.A.
Via Lombroso, 54
MILANO (ITALIA)
http://www.sif.cgs.it

mailto:gfaggion@sif.cgs.it
tel. ++39 2 59924 420
fax. ++39 2 59924 245
---------------------------------------------------------------

From owner-firewalls-outgoing Mon Jul 7 05:34:36 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA13458 for firewalls-outgoing; Mon, 7 Jul 1997 05:25:02 -0700 (PDT) Received: from Sonnet.GSC.GTE.Com (Sonnet.GSC.GTE.Com [131.131.251.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id FAA13448 for ; Mon, 7 Jul 1997 05:24:55 -0700 (PDT) Received: from ndhm06.ndhm.gtegsc.com ("port 1688"@ndhm06.ndhm.gtegsc.com) by Sonnet.GSC.GTE.Com (PMDF V5.0-6 #17886) id <01IKY61K3YKY000H3R@Sonnet.GSC.GTE.Com> for firewalls@greatcircle.com; Mon, 07 Jul 1997 08:28:14 -0400 (EDT) Received: by ndhm06.ndhm.gtegsc.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BC8AAF.C6FDC140@ndhm06.ndhm.gtegsc.com>; Mon, 07 Jul 1997 08:28:42 -0400 Date: Mon, 07 Jul 1997 08:28:40 -0400 From: "Button, Dave" Subject: RE: need suggestion xntpd a security hole ??? To: "'firewalls@greatcircle.com'" , "'Dirk Nerling'" Message-id: MIME-version: 1.0 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63 Content-type: text/plain; charset="us-ascii" Content-transfer-encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Dirk Nerling wrote;
>>I plan to update the time of our internal net from
>>an Internet Time Server on a regular basis. Does
>>anybody of you know something about the xntpd?
>Any intrusion listed?
What do the experts suggest?

NTP relies on receiving time information via UDP from (usually) about three stratum-1 time servers. The basic service is vulnerable to spoofing and denial-of-service attacks. This is somewhat mitigated by the availability of an authenticated mode in which a MAC (Message Authentication Code) is appended. This requires that you share a DES key with the stratum-1 provider. I'm not even sure this is available outside the US and Canada as Dr. Mills now has an export version of xntpd, presumably sans DES.

It was questions like this that led us at GTE to create our own redundant stratum-1 time servers within our intranet and behind our firewall. The hosts for the time servers host other security applications, so the cost was not great, and the system has been very reliable.

The only problem, and this is true regardless of where your stratum-1 servers are, is that the Selective Availability channel of GPS, which is the only channel we civilians are allowed to use, is itself vulnerable to certain denial-of-service attacks. Given that, use a GPS receiver that features a really good oscillator that is capable of riding out long periods of signal loss.

Dave

"The Box said Win '95 or better - So I used a Macintosh!"
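What the authenticated mode described above does, and what it cannot do, as an added example that is not part of this message or of xntpd: an NTP server reply with the key id and MAC appended, verification against a table of trusted keys, and the plausibility check that ntpd applies independently of any MAC (its default panic threshold is 1000 s). The shared key, the key id, the timestamps and the use of an MD5 keyed digest in place of the DES-based MAC of the period are assumptions made for the example.

```python
import hashlib
import hmac
import struct

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
HEADER_LEN = 48                 # fixed NTP header; the optional MAC follows it
KEY_ID_LEN, DIGEST_LEN = 4, 16  # key identifier + MD5 digest


def ntp_timestamp(unix_seconds: float) -> int:
    """Unix time -> 64-bit NTP timestamp (32-bit seconds since 1900, 32-bit fraction)."""
    whole = int(unix_seconds)
    fraction = int((unix_seconds - whole) * (1 << 32))
    return ((whole + NTP_EPOCH_OFFSET) << 32) | fraction


def unix_from_ntp(ts: int) -> float:
    """Inverse of ntp_timestamp; the 2036 era rollover is ignored in this illustration."""
    return (ts >> 32) - NTP_EPOCH_OFFSET + (ts & 0xFFFFFFFF) / (1 << 32)


def build_server_reply(transmit_unix: float, stratum: int = 1, refid: bytes = b"GPS\x00") -> bytes:
    """48-byte header of a stratum-1 server reply: LI=0, version 3, mode 4 (server).
    Only the transmit timestamp is filled in; the other fields are zero in this constructed sample."""
    li_vn_mode = (0 << 6) | (3 << 3) | 4
    poll, precision = 6, -20
    return (struct.pack("!BBbb", li_vn_mode, stratum, poll, precision)
            + struct.pack("!II", 0, 0)            # root delay, root dispersion
            + refid
            + struct.pack("!QQQQ", 0, 0, 0, ntp_timestamp(transmit_unix)))


def symmetric_mac(key: bytes, header: bytes) -> bytes:
    """Keyed digest over the header, MD5(key || header): the symmetric-key MAC shape NTP uses.
    Assumption for this example; xntpd of the period used a DES-based MAC with the same one-key model."""
    return hashlib.md5(key + header).digest()


def sign(header: bytes, key_id: int, key: bytes) -> bytes:
    """Append key id + MAC. Anyone holding `key` can produce this, the real server or not."""
    return header + struct.pack("!I", key_id) + symmetric_mac(key, header)


def verify(packet: bytes, trusted_keys: dict) -> bool:
    """Check the MAC with the key the key id names; constant-time compare avoids a timing oracle."""
    if len(packet) != HEADER_LEN + KEY_ID_LEN + DIGEST_LEN:
        return False
    header = packet[:HEADER_LEN]
    key_id = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + KEY_ID_LEN])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return False
    return hmac.compare_digest(symmetric_mac(key, header), packet[-DIGEST_LEN:])


def plausible(packet: bytes, local_unix: float, max_offset: float = 1000.0) -> bool:
    """A check the MAC cannot give you: refuse a reply whose transmit time is far from the local clock."""
    transmit = unix_from_ntp(struct.unpack("!Q", packet[40:48])[0])
    return abs(transmit - local_unix) <= max_offset


def accept(packet: bytes, trusted_keys: dict, local_unix: float) -> bool:
    return verify(packet, trusted_keys) and plausible(packet, local_unix)


def demo() -> dict:
    """Constructed scenario: key id 7 is shared between a client and its stratum-1 server."""
    shared = b"constructed-shared-key"      # placeholder, not a real key
    keys = {7: shared}
    now = 1_000_000_000.0                   # constructed local clock
    genuine = sign(build_server_reply(now + 0.02), 7, shared)
    tampered = bytearray(genuine)
    tampered[47] ^= 0x01                    # flip one bit inside the transmit timestamp
    # Another client of the same server holds the same key, so it can mint a reply that verifies:
    # the MAC proves possession of the key, not that the server sent the packet.
    forged_by_peer = sign(build_server_reply(now + 86_400), 7, shared)
    return {
        "genuine": accept(genuine, keys, now),
        "tampered": accept(bytes(tampered), keys, now),
        "unknown_key_id": accept(sign(build_server_reply(now), 9, shared), keys, now),
        "peer_forgery_passes_mac": verify(forged_by_peer, keys),
        "peer_forgery_caught_by_sanity": accept(forged_by_peer, keys, now),
    }
```

The last two results are the point Piete Brooks makes in his reply later in the digest: the MAC only shows that the sender holds the shared key, so another holder of that key can produce a reply that verifies. The offset check bounds how far such a reply can move the clock, but a forger who stays inside the threshold is indistinguishable from the real server, which is why the in-house stratum-1 servers described in this message remove the exposure rather than mitigate it.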
-Harold Herbert Tessman

From owner-firewalls-outgoing Mon Jul 7 05:49:32 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA14221 for firewalls-outgoing; Mon, 7 Jul 1997 05:46:18 -0700 (PDT) Received: from proteus.tidalwave.net (proteus.nicom.com [208.206.112.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id FAA14214 for ; Mon, 7 Jul 1997 05:46:14 -0700 (PDT) Received: from chris.tidalwave.net ([208.220.24.112]) by proteus.tidalwave.net (Netscape Mail Server v2.02) with SMTP id AAC23319 for ; Mon, 7 Jul 1997 08:41:30 -0400 Message-Id: <3.0.1.32.19970703120351.006bf660@postoffice.tidalwave.net> X-Sender: chrisp@postoffice.tidalwave.net X-Mailer: Windows Eudora Light Version 3.0.1 (32) Date: Thu, 03 Jul 1997 12:03:51 -0400 To: firewalls-digest@GreatCircle.COM From: Chris Pressley Subject: router on external net Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Assume I set up a dual-homed firewall. My internal net connects to the internal interface on the firewall, and my external interface on the firewall connects to a T-1, then on to the ISP's router. The interface on my ISP's router is on the same network as my external interface.

Two questions:

1. Do I need a router between my firewall external interface and my T-1 (I have to connect something to the CSU/DSU, right?).

2. Should I have a router between my firewall external interface and my T-1, given that my ISP's router is on the same network, for security reasons?
Thanks, Chris

From owner-firewalls-outgoing Mon Jul 7 06:19:34 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA16126 for firewalls-outgoing; Mon, 7 Jul 1997 06:08:59 -0700 (PDT) Received: from paranoid.convey.ru (ws06.convey.ru [195.182.128.21]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id GAA16118 for ; Mon, 7 Jul 1997 06:08:52 -0700 (PDT) Received: (from ark@localhost) by paranoid.convey.ru (8.7.5/8.7.3) id RAA22107; Mon, 7 Jul 1997 17:10:26 +0400 From: ArkanoiD Message-Id: <199707071310.RAA22107@paranoid.convey.ru> Subject: Re: FireWall Audit To: alopez@mdintesis.es (Angel López Escobar) Date: Mon, 7 Jul 1997 17:10:24 +0400 (MSD) Cc: marcob@cvrd.com.br, Firewalls@GreatCircle.COM In-Reply-To: from "Angel López Escobar" at Jul 7, 97 10:05:49 am X-Mailer: ELM [version 2.4 PL25] MIME-Version: 1.0 Content-Type: text/plain; charset=koi8-r Content-Transfer-Encoding: 8bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

nuqneH,

> The only free program I've heard about is SATAN, which isn't exactly a
> tool to evaluate a FireWall, but it's to perform security checking.
> You can find it on the net.
>
> Also you can find a commercial one, and I think that it is not very
> cheap. The company is Internet Security Systems www.iss.net and the
> product is SAFEsuite.

"Not very cheap".. it is terribly overpriced.. and has limited abilities.

--
 _ _ _ _ _ _ _                        {::} {::} {::}  CU in Hell
_| o |_ | | _|| | / _||_| |_ |_ |_    (##) (##) (##)  /Arkan#iD
|_ o _||_| _||_| / _| | o |_||_||_|   [||] [||] [||]  Do i believe in Bible? Hell,man,i've seen one!
From owner-firewalls-outgoing Mon Jul 7 07:34:23 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA25306 for firewalls-outgoing; Mon, 7 Jul 1997 07:29:33 -0700 (PDT) Received: from iproute.com (atl679.avana.net [207.42.61.224]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA25266 for ; Mon, 7 Jul 1997 07:29:14 -0700 (PDT) From: mikech@avana.net Received: from att (att.iproute.com [192.168.0.4]) by iproute.com (8.8.4/8.8.4) with SMTP id LAA10920; Mon, 7 Jul 1997 11:26:29 -0400 Date: Mon, 7 Jul 1997 10:10:17 -0500 Subject: Re: Two ISP's to one DMZ To: "Firewalls@GreatCircle.COM" , Bertrum Carroll X-Mailer: Z-Mail Pro 6.1 (Win32 - 021297) Evaluation Copy, NetManage Inc. X-Priority: 3 (Normal) Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=ISO-8859-1 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

------------------------
From: Bertrum Carroll
Subject: Two ISP's to one DMZ
Date: Sun, 06 Jul 1997 08:36:23 -0500
To: "Firewalls@GreatCircle.COM"

> I'm looking for advice from someone who has connected two or more
> different ISP's to the same DMZ.
>
> Are there pitfalls in doing this? Is it not possible. I need to stay
> up to at least part of the net when a single ISP is having problems.
>
> Has anyone done this with success?
>
---------------End of Original Message-----------------

I would think you might have better luck bringing your ISPs in on multiple interfaces. We had a client running our Firewall who brought two ISPs in. One was through a cable modem, the other through a 128K ISDN dialup. The cable modem was used for inbound and outbound (through NAT and Stateful Packet Inspection) web surfing, telnetting, etc. (anything that didn't require a fixed IP). The ISDN link was used with a fixed IP for inbound services that required a Domain name (this wasn't very high bandwidth stuff) and as a backup ISP link. They had "real" IPs on the internal network.
There were two main "default" routes set up with one having a higher preference than the other, so if one failed (cable) the other could take over (ISDN).

The only problem that the client ran into is that they were advertising routes through RIP (this is not the default behavior of the firewall). Suddenly, all traffic intended for their ISDN ISP (Netrail) started coming in over their cable link (@Home). I guess @Home was accepting downstream route updates as gospel. Because our client was using NAT and stateful packet inspection, none of the Netrail ISP traffic could get through. It took Netrail and @Home about a day to get the routing tables straight again. Since then they have had no problems at all.

You have a greater amount of control when you bring your traffic in over multiple interfaces than if everything is on one DMZ LAN. Separate interfaces means separate reports for traffic, hacking, uptime, etc. You can also reduce the chances of being brought down by a single interface failing.

The key to this working was our "Dynamic-DNS" feature (which is also available for other OSs, see below), so that your Domains can follow you between ISPs. As soon as you lose one route our Firewall will notify the Dynamic DNS servers that its IP has changed and that the Domains should now point to a new IP address. This is a lot easier to implement than BGP (which may not be supported by all ISPs and may cause some confusion as routes are being updated). Outbound traffic always works. Inbound traffic takes at most about 10 minutes for DNS updates to take effect. It is much easier to reassign IPs to Domain names than to move routes. This also works independent of your ISP.

BTW, don't flame me about BGP. In cases where I was able to implement it I would. It just isn't always available.

You could also do this on other OSs (such as UNIX or NT) or Firewalls with software available from http://www.ml.org and http://www.dyndns.com.
I hope this helps,

Mike

--
14:08:42 07/06/97
_______________________________________________________________________
Michael W. Chalkley            Tel: +1.770.823.7846
ZapNet! Inc.                   Fax: +1.770.475.7640
Suite 400-120                  E-mail: mikech@iproute.com
10945 State Bridge Road                mikech@avana.net
Alpharetta, GA 30202           http://www.iproute.com

From owner-firewalls-outgoing Mon Jul 7 07:41:29 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA23242 for firewalls-outgoing; Mon, 7 Jul 1997 07:01:12 -0700 (PDT) Received: from palrel1.hp.com (palrel1.hp.com [156.153.255.235]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA23235 for ; Mon, 7 Jul 1997 07:01:06 -0700 (PDT) Received: from mfrith.hpl.hp.com (mfrith.hpl.hp.com [15.144.62.2]) by palrel1.hp.com (8.8.5/8.8.5) with ESMTP id HAA06111 for ; Mon, 7 Jul 1997 07:04:43 -0700 (PDT) Received: (from mjf@localhost) by mfrith.hpl.hp.com (8.7.1/8.7.1) id PAA22474; Mon, 7 Jul 1997 15:04:41 +0100 (BST) From: Matthew Frith Message-Id: <199707071404.PAA22474@mfrith.hpl.hp.com> Subject: Routing with 2 checkpoint Firewalls To: Firewalls@GreatCircle.COM Date: Mon, 07 Jul 1997 15:04:41 BST Cc: azari@hplb.hpl.hp.com, adc@hplb.hpl.hp.com In-Reply-To: <199707070800.BAA24250@honor.greatcircle.com>; from "Firewalls-Digest" at Jul 7, 97 1:00 am x-HPVue$Revision: 1.8 $ MIME-Version: 1.0 Content-Type: Message/rfc822 x-Vue-Mime-Level: 4 X-Mailer: Elm [revision: 212.2] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I am trying to configure a high availability solution with 2 Checkpoint firewalls running on HP-UX. I have the 2 firewalls sync'ing their state tables but am trying to set up a `hot-standby' solution similar to that of CISCO routers.

Has anyone ever done this, or know how to set up the default route where machines on the internal network route (dynamically) to either of the firewalls, depending on which one is up?

any help gratefully received..

Matt Frith
Hewlett-Packard, Bristol, UK.
mjf@hplb.hpl.hp.com

From owner-firewalls-outgoing Mon Jul 7 07:49:49 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA25663 for firewalls-outgoing; Mon, 7 Jul 1997 07:34:50 -0700 (PDT) Received: from hcat.epcorp.com (test.epcorp.com [206.112.200.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id HAA25645 for ; Mon, 7 Jul 1997 07:34:42 -0700 (PDT) Received: from eppcmcw.eapi.com by hcat.epcorp.com id aa03500; 7 Jul 97 10:32 EDT Message-Id: <3.0.32.19970707103245.00c9e57c@mail.epcorp.com> X-Sender: martinw@mail.epcorp.com X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Mon, 07 Jul 1997 10:32:46 -0400 To: fw-1-mailinglist@us.checkpoint.com, firewalls@greatcircle.com From: "Martin C. Walker" Subject: FW-1 DESTINATION IP Address Translation Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Can anyone provide me with details on how to translate the DESTINATION IP address in a forward moving packet outbound from the firewall to the internet? Normal NAT translates only the SOURCE IP address. Ideally I'd like to translate only the destination address and leave the source as an illegal 10.* address. If this is not doable I'd need to translate both addresses.

I have Sun's version of FW-1 2.1c on Solaris 2.5.1x86. I will be going to 3.0a soon, so if it's different or not do-able on 3.* products I'd like to know that too.

TIA for the help

--------------------------------------------------------------------------
Martin C. Walker      | martinw@epcorp.com   | PP-ASEL,IFR AA5-A 9908U
Project Lead          | (513)629-2517        | Blue Belt Okinawan Shuri-Ryu
Eagle-Picher Inc.     | Fax: (513)629-2449   | Porsche 911SC
580 Walnut St,        | Cincinnati, OH 45202 |

From owner-firewalls-outgoing Mon Jul 7 07:51:43 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA20325 for firewalls-outgoing; Mon, 7 Jul 1997 06:44:18 -0700 (PDT) Received: from heaton.cl.cam.ac.uk (heaton.cl.cam.ac.uk [128.232.32.11]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id GAA20315 for ; Mon, 7 Jul 1997 06:44:12 -0700 (PDT) Received: from dean.cl.cam.ac.uk [128.232.0.105] (pb) by heaton.cl.cam.ac.uk with esmtp (Exim 1.62 #6) id 0wlE8I-0005rC-00; Mon, 7 Jul 1997 14:47:14 +0100 X-Mailer: exmh version 2.0gamma+CL 97/01/24 X-uri: X-face: &@N3QE9h|>f`igFCkZ'a1`z=nNLXb}k>H(79G"V?@!&*yn)uhPBctF1vc}LD'{OA%$bs X+l[wN,I^G8kKj2NFxQrr@1C4QBC]hq5-%ZkV,^Zl/qE<0`zCQ1nM+]-N<^WG[H)]?d) A:L9AFgOU[BjbaY)uBAMz}h!fm^O0# To: "Button, Dave" cc: "'firewalls@greatcircle.com'" , "'Dirk Nerling'" Subject: Re: need suggestion xntpd a security hole ??? In-reply-to: Your message of Mon, 07 Jul 1997 08:28:40 -0400. Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Mon, 07 Jul 1997 14:47:01 +0100 From: Piete Brooks Message-Id: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> This is somewhat mitigated by the availability of an authenticated mode in
> which a MAC (Message Authentication Code) is appended.

Unfortunately this is of little use as it relies on a shared secret, meaning that any system capable of using the service can also spoof :-(

> I'm not even sure this is available outside the US and Canada

It is.

> as Dr. Mills now has an export version of xntpd, presumably sans DES.

yes -- I asked him for that so that I could slot in Eric's code .... e.g. brolga.cc.uq.oz.au:/net.sources/authdes.c.Z

This is Eric Young's exportable DES implementation, re-re-bludgeoned by the author to suit this context. Totally un-encumbered by US export restrictions.
comments/bugs and applause to eay@psych.psy.uq.oz.au From owner-firewalls-outgoing Mon Jul 7 08:11:27 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA27441 for firewalls-outgoing; Mon, 7 Jul 1997 07:52:59 -0700 (PDT) Received: from mail.sla.com (mail1.sla.com [207.153.168.35]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA27404 for ; Mon, 7 Jul 1997 07:52:47 -0700 (PDT) Received: by mail1.sla.com with Internet Mail Service (5.0.1457.3) id <3B2FBJG2>; Mon, 7 Jul 1997 07:56:30 -0700 Message-ID: <31557D725263D011B53A0060974FB8DC028BAE@mail1.sla.com> From: "Stackpole, Bill" To: "'Ken Hardy'" , montenegro@nutec.com.br, Firewalls@GreatCircle.COM Subject: RE: IP Filters? Date: Mon, 7 Jul 1997 07:56:29 -0700 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1457.3) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Good point, but I suppose it depends on the direction of the filter. These are on an inbound filter that denys everything but specific connections. What follows these statements are all the specific permits by port, source and destination. On some configurations I've done/seen this can be upward to 30 entries. So these two entries are designed to keep those 30 from being processed unnecessarily. "Simplify - There is no value in complexity, it's too difficult to manage." Bill Stackpole, CISSP Seitel Leeds & Associates Voice: 206.283.4355 2 Nickerson St. Suite 201 Email: bstackpole@sla.com Seattle, Wa 98109 > -----Original Message----- > From: Ken Hardy [SMTP:ken@bridge.com] > Sent: Thursday, July 03, 1997 11:19 AM > To: montenegro@nutec.com.br; Firewalls@GreatCircle.COM; Stackpole, > Bill > Cc: firewalls@GreatCircle.COM > Subject: RE: IP Filters? > > "Stackpole, Bill" wrote: > > >There are some techniques you can use to speed up access list > >processing. Remember a Cisco list is exited on the first true so you > >can add lines like: > > > > ! 
> > TCP or UDP Ports above the last service you are permitting
> > ! this is done to speed up the list processing
> > access-list 101 deny tcp any host 255.255.255.255 gt 80
> > access-list 101 deny udp any host 255.255.255.255 gt 19
> >
> >just before all the specific rules to speed up list processing.
>
> Seems to me that that would speed things up most *if* the most common
> packets were those you're denying. Hopefully people are not
> continually banging on your router with prohibited traffic, and most of
> the packets it needs to process are those that are specifically
> allowed. In such a case, wouldn't it make more sense to put the rules
> that *allow* the most common traffic first? Just guessing, but you ought
> to be able to get 80%-90% or more of all packets to hit within the first
> half-dozen or so rules.
>
> --
> KH

From owner-firewalls-outgoing Mon Jul 7 09:08:35 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA24180 for firewalls-outgoing; Mon, 7 Jul 1997 07:11:46 -0700 (PDT)
Received: from lint.cisco.com (lint.cisco.com [171.68.223.44]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA24166 for ; Mon, 7 Jul 1997 07:11:41 -0700 (PDT)
Received: from big-dawgs.cisco.com (herndon-dhcp-109.cisco.com [171.68.53.109]) by lint.cisco.com (8.8.5/CISCO.SERVER.1.2) with SMTP id HAA13694; Mon, 7 Jul 1997 07:15:15 -0700 (PDT)
Message-Id: <3.0.3.32.19970707101502.006c9e94@lint.cisco.com>
X-Sender: pferguso@lint.cisco.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Mon, 07 Jul 1997 10:15:02 -0400
To: "Mark Horn [ Net Ops ]"
From: Paul Ferguson
Subject: Re: Two ISP's to one DMZ
Cc: firewalls@GreatCircle.COM
In-Reply-To: <19970707095116.62717@capmark.funb.com>
References: <3.0.3.32.19970706230215.006b6378@lint.cisco.com> <3.0.3.32.19970706100857.006d037c@lint.cisco.com> <3.0.3.32.19970706230215.006b6378@lint.cisco.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 09:51 AM 07/07/97 -0400, Mark Horn [ Net Ops ] wrote:
>
>Is BGP the only answer? We have several ISP's providing service to us.
>We have our own NIC assigned address block, and a NIC assigned AS number.
>We've been trying (for several months) to set up BGP routing between all
>of our providers. But we've run into trouble.
>

That's not surprising -- BGP can be hard, depending on the complexity of the peering policy. It can also be amazingly easy.

>One of the providers doesn't want to set up peering with us. Their claim
>is that you can have redundant ISP's through other methods than setting up
>BGP peering. When pressed, they've been conspicuously quiet about what
>these other methods are.
>

I'd be curious, as well. As I mentioned before, BGP is the de facto mechanism of exchanging routing information between diverse routing domains (inter-domain routing) in the Internet. Period.

>Is there another way to set up redundancy between two ISP's without doing
>BGP peering?
>

No, not really.

- paul

--
Paul Ferguson                   ||        ||
Consulting Engineering          ||        ||
Herndon, Virginia USA          ||||      ||||
tel: +1.703.397.5938      ..:||||||:..:||||||:..
e-mail: pferguso@cisco.com        c i s c o  S y s t e m s

From owner-firewalls-outgoing Mon Jul 7 09:16:10 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA20968 for firewalls-outgoing; Mon, 7 Jul 1997 06:48:15 -0700 (PDT)
Received: from firstunion.com ([204.5.135.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id GAA20952 for ; Mon, 7 Jul 1997 06:48:09 -0700 (PDT)
Received: by firstunion.com (4.1/SMI-4.1) id AA04804; Mon, 7 Jul 97 09:51:37 EDT
Received: from cm_mailhost.capmark.funb.com(168.175.82.50) by gate.funb.com via smap (V2.0beta) id xma004796; Mon, 7 Jul 97 09:51:22 -0400
Received: from funws302.capmark.funb.com (funws302 [168.175.7.54]) by cm_mailhost.capmark.funb.com (8.7.5/8.7.3) with ESMTP id JAA04825; Mon, 7 Jul 1997 09:51:17 -0400 (EDT)
Received: (mhorn@localhost) by funws302.capmark.funb.com (8.6.12/8.6.12) id JAA01649; Mon, 7 Jul 1997 09:51:16 -0400
Message-Id: <19970707095116.62717@capmark.funb.com>
Date: Mon, 7 Jul 1997 09:51:16 -0400
From: "Mark Horn [ Net Ops ]"
To: Paul Ferguson
Cc: marc@sniff.ct-net.de, firewalls@GreatCircle.COM
Subject: Re: Two ISP's to one DMZ
References: <3.0.3.32.19970706100857.006d037c@lint.cisco.com> <3.0.3.32.19970706230215.006b6378@lint.cisco.com>
Mime-Version: 1.0
Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg=pgp-md5; boundary=jRHKVT23PllUwdXP
X-Mailer: Mutt 0.75
In-Reply-To: <3.0.3.32.19970706230215.006b6378@lint.cisco.com>; from Paul Ferguson on Sun, Jul 06, 1997 at 11:02:15PM -0400
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

--jRHKVT23PllUwdXP
Content-Type: text/plain; charset=us-ascii

Paul Ferguson says:
>Uh, because the original question asked how to connect two
>or more different routing domains (ISP's) to a shared (or
>perhaps switched) media interconnect point, and BGP is
>the de facto method for exterior routing between dissimilar
>administrative routing domains.

Is BGP the only answer?
We have several ISP's providing service to us. We have our own NIC assigned address block, and a NIC assigned AS number. We've been trying (for several months) to set up BGP routing between all of our providers. But we've run into trouble. One of the providers doesn't want to set up peering with us. Their claim is that you can have redundant ISP's through other methods than setting up BGP peering. When pressed, they've been conspicuously quiet about what these other methods are. Is there another way to set up redundancy between two ISP's without doing BGP peering? -- Mark Horn PGP Public Key available from: http://www.es.net/hypertext/pgp.html PGP KeyID/fingerprt: 00CBA571/32 4E 4E 48 EA C6 74 2E 25 8A 76 E6 04 A1 7F C1 --jRHKVT23PllUwdXP Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBM8D0TRCnm2cAy6VxAQE2swQAqiy/xU2/mKJ0j4YUgBhnCNLV3H+I7cG6 aaQqOz0Er4KSL6w/rvXhZLGJRa8DG8HLI4Resvhj/hICbuknDmZhqwWT345Qe3en 1O6/e9zq2lmduPlcW/oLk7PQYPtFTurXSk2JKi8ySClK0FVIedN8NKtfhl2bMsNc VUfR+Qo606Y= =cygq -----END PGP SIGNATURE----- --jRHKVT23PllUwdXP-- From owner-firewalls-outgoing Mon Jul 7 09:40:17 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA05413 for firewalls-outgoing; Mon, 7 Jul 1997 08:39:14 -0700 (PDT) Received: from bhi-net.com (gateway1.bhi-net.com [198.64.51.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id IAA05363 for ; Mon, 7 Jul 1997 08:39:03 -0700 (PDT) Received: from cencokiss01.centrilift.com ([172.19.2.241]) by bhi-net.com (5.x/SMI-SVR4) id AA02727; Mon, 7 Jul 1997 10:42:29 -0500 Received: by CENCOKISS01 with Internet Mail Service (5.0.1457.3) id ; Mon, 7 Jul 1997 10:41:05 -0500 Message-Id: <015C783097B4D01197334000500050020D71DE@CENCOKISS01> From: "Crawford, Jim E." 
To: "'Firewalls@GreatCircle.COM'"
Subject: FW1 example URI specification file needed
Date: Mon, 7 Jul 1997 10:41:01 -0500
X-Priority: 3
Mime-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1457.3)
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Can someone please email me a URI specification file example format that I can use as a base to import?

Thanks!

Jim Crawford
Technical Analyst, Paranet
Pager: (888)-509-9020

From owner-firewalls-outgoing Mon Jul 7 09:50:25 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA14347 for firewalls-outgoing; Mon, 7 Jul 1997 09:29:57 -0700 (PDT)
Received: from mail1.noc.netcom.net (mail1.noc.netcom.net [204.31.1.150]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id JAA14337 for ; Mon, 7 Jul 1997 09:29:48 -0700 (PDT)
Received: from cayman.gblhorizon.com ([206.86.247.28]) by mail1.noc.netcom.net (8.8.5/8.8.5) with SMTP id JAA26996 for ; Mon, 7 Jul 1997 09:27:48 -0700 (PDT)
Received: by cayman.gblhorizon.com (SMI-8.6/SMI-SVR4) id JAA12899; Mon, 7 Jul 1997 09:33:17 -0700
Date: Mon, 7 Jul 1997 11:33:16 -0500 (CDT)
From: Ken Jones
To: firewalls@greatcircle.com
Subject: Re: need suggestion xntpd a security hole ???
In-Reply-To: <3.0.32.19970703163433.00ba9100@tgate.pdv.de>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 3 Jul 1997, Dirk Nerling wrote:

> Hello all,
>
> I plan to update the time of our internal net from
> an Internet Time Server on a regular basis. Does
> anybody of you know something about the xntpd?
>
> Any intrusion listed? What do the experts suggest?
>

The only intrusions I've heard about are spoofed udp packets with incorrect time. Normally the xntp server will throw these packets out.

It's also fairly simple to buy a $500 or so GPS device and connect it to a machine with a serial cable. So there is no need to expose your net to ntp.
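Piete Brooks' point earlier in this digest (that xntpd's authenticated mode rests on a shared secret, so any host trusted to use the service can also forge packets) and Ken Jones' note above about spoofed UDP packets carrying a wrong time, illustrated with an added Python example that is not from either message and is not xntpd's own code. It builds a 48-byte NTPv3 server header, appends the authenticator in the layout xntpd uses for its MD5 key type (a 4-byte key ID followed by MD5 over key||header), and runs three packets past a receiver: a genuine one, a captured one whose transmit timestamp was spliced in by an attacker who lacks the key, and one minted with a bogus time by a host that holds the key. The key ID, key value and timestamps are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_EPOCH_OFFSET = 2208988800
HEADER_LEN, KEYID_LEN, DIGEST_LEN = 48, 4, 16


def to_ntp_timestamp(unix_seconds: float) -> bytes:
    """Encode a Unix time as a 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32))
    return struct.pack("!II", (whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF, frac & 0xFFFFFFFF)


def from_ntp_timestamp(raw: bytes) -> float:
    secs, frac = struct.unpack("!II", raw)
    return secs - NTP_EPOCH_OFFSET + frac / (1 << 32)


def build_server_header(transmit_unix: float, stratum: int = 2) -> bytes:
    """A minimal 48-byte NTPv3 mode-4 (server) header with all four timestamps set."""
    li_vn_mode = (0 << 6) | (3 << 3) | 4        # leap=0, version=3, mode=4
    poll, precision = 6, (-20) & 0xFF
    ts = to_ntp_timestamp(transmit_unix)
    return (struct.pack("!BBBBII", li_vn_mode, stratum, poll, precision, 0, 0)
            + b"GPS\x00"                         # reference identifier (constructed)
            + ts * 4)                            # reference, originate, receive, transmit


def append_mac(header: bytes, key_id: int, key: bytes) -> bytes:
    """Sender side: 4-byte key ID followed by MD5(key || header), xntpd's MD5 key type."""
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify_mac(packet: bytes, keyring: dict) -> bool:
    """Receiver side: look up the key named in the packet and recompute the digest."""
    if len(packet) != HEADER_LEN + KEYID_LEN + DIGEST_LEN:
        return False
    header = packet[:HEADER_LEN]
    key_id = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + KEYID_LEN])[0]
    key = keyring.get(key_id)
    if key is None:
        return False
    expected = hashlib.md5(key + header).digest()
    return hmac.compare_digest(expected, packet[HEADER_LEN + KEYID_LEN:])


def transmit_time(packet: bytes) -> float:
    """Transmit timestamp occupies bytes 40..47 of the header."""
    return from_ntp_timestamp(packet[40:48])


def demo(true_time: float = 868300000.0, bogus_time: float = 946684800.0) -> dict:
    """Constructed scenario: one shared key, an honest server, two attackers."""
    keyring = {7: b"constructed-shared-secret"}   # key ID 7 and its value are made up
    genuine = append_mac(build_server_header(true_time), 7, keyring[7])

    # Attacker A has no key: splices a bogus transmit timestamp into a captured packet.
    spliced = genuine[:40] + to_ntp_timestamp(bogus_time) + genuine[48:]

    # Attacker B is any host that was given the key so it could *use* the server;
    # the same key lets it mint a packet that every other key holder will accept.
    forged = append_mac(build_server_header(bogus_time), 7, keyring[7])

    return {
        "genuine_accepted": verify_mac(genuine, keyring),
        "spliced_accepted": verify_mac(spliced, keyring),
        "forged_by_keyholder_accepted": verify_mac(forged, keyring),
        "forged_time": transmit_time(forged),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The spliced packet fails because the digest no longer matches, which is what the MAC is for. The key holder's packet passes, which is the weakness Piete describes: the authenticator proves membership in the key group, not which member sent the packet, so every client that was handed the key to talk to the server can impersonate it to the others. Giving each peer its own key ID, or taking time from a source that needs no network at all (the GPS receiver Ken suggests), is the fix.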
Ken Jones

From owner-firewalls-outgoing Mon Jul 7 09:52:01 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA03243 for firewalls-outgoing; Mon, 7 Jul 1997 08:26:45 -0700 (PDT)
Received: from weblock.tm.net.my (weblock.tm.net.my [202.188.0.180]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA03174 for ; Mon, 7 Jul 1997 08:26:25 -0700 (PDT)
Received: from budweiser ([202.188.23.46]) by weblock.tm.net.my (Post.Office MTA v3.1 release PO203a ID# 581-39802U50000L50000S0) with SMTP id AAA25760; Mon, 7 Jul 1997 23:30:51 +0800
Message-ID: <33C1E1CD.452B@tm.net.my>
Date: Mon, 07 Jul 1997 23:44:29 -0700
From: ping
Reply-To: ping@tm.net.my
Organization: The Network Connections
X-Mailer: Mozilla 3.01 (WinNT; I)
MIME-Version: 1.0
To: Chris Pressley
CC: firewalls-digest@GreatCircle.COM
Subject: Re: router on external net
References: <3.0.1.32.19970703120351.006bf660@postoffice.tidalwave.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Chris Pressley wrote:
>
> Assume I setup a dual-homed firewall. My internal net connects to the
> internal interface on the firewall, and my external interface on the
> firewall connects to a T-1, then on to the ISP's router. The interface on
> my ISP's router is on the same network as my external interface. Two
> questions:
>
> 1. Do I need a router between my firewall external interface and my T-1 (I
> have to connect something to the CSU/DSU, right?).

If you can convert the signal from your CSU/DSU to whatever interface is at your firewall, then you don't need it, because the firewall machine can run routed.

>
> 2. Should I have a router between my firewall external interface and my
> T-1, given that my ISP's router is on the same network, for security reasons?

I would recommend a router; besides routing it should do some simple packet filtering before hitting the firewall.
> > Thanks, > Chris -- -------------------------------------------------------------- Ping Onn Cheng The Network Connections Network Consultant 41 Jalan USJ 10/1, Taipan Crest Tel : 03-7337757 Subang Jaya, Selangor http://www.asiapac.net/~ping Malaysia -------------------------------------------------------------- From owner-firewalls-outgoing Mon Jul 7 09:53:43 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA02825 for firewalls-outgoing; Mon, 7 Jul 1997 08:24:37 -0700 (PDT) Received: from gate.ct-net.de (gate.ct-net.de [195.4.230.3]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA02747 for ; Mon, 7 Jul 1997 08:24:16 -0700 (PDT) From: marc@sniff.ct-net.de Received: from service.ct-net.de (service.ct-net.de [195.4.230.4]) by gate.ct-net.de (8.8.5/8.8.5/cT-a) with ESMTP id PAA29266; Mon, 7 Jul 1997 15:27:55 GMT Received: (from uucp@localhost) by service.ct-net.de (8.8.5/8.8.5/cT-a) with UUCP id PAA18300; Mon, 7 Jul 1997 15:16:20 GMT Received: (from marc@localhost) by sniff.franken.de (8.8.5/8.8.5/mb-b) id PAA01680; Mon, 7 Jul 1997 15:21:17 GMT Message-Id: <199707071521.PAA01680@sniff.franken.de> Subject: Re: Two ISP's to one DMZ To: mhorn@funb.com (Mark Horn [ Net Ops ]) Date: Mon, 7 Jul 1997 15:21:17 +0000 (GMT) Cc: firewalls@greatcircle.com In-Reply-To: <19970707095116.62717@capmark.funb.com> from "Mark Horn [ Net Ops ]" at Jul 7, 97 09:51:16 am X-Mailer: ELM [version 2.4 PL24 ME8b] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Mark Horn asked: >Is BGP the only answer? We have several ISP's providing service to us. > [...] >One of the providers doesn't want to set up peering with us. Their claim >is that you can have redundant ISP's through other methods than setting up >BGP peering. When pressed, they've been conspicuously quiet about what >these other methods are. 
I guess there are reasons why you can't stop the contract with the unwilling provider. You say "several ISP's" ... more than two?

There are ways to set up redundancy, but not as perfect as the BGP solution. You can use several NIC assigned networks, one for each ISP. Getting out into the internet then is no problem, as long as you use proxies/caches or NAT (but I don't know any software doing what you need. Maybe you have to create your own scripts detecting the dead link and switching the proxy's address or the NAT table).

Your server needs several IP addresses and corresponding DNS entries. But because of the round-robin behaviour (at least BIND is doing so) 1/n of the access attempts will fail (n: number of your ISP's).

If you work with 3 or more ISP's, I would try the BGP solution with these n-1 ISP's, at least for the WWW/FTP server.

Regards, Marc

--
Marc Binderberger               97076 Wuerzburg, Germany
marc@sniff.ct-net.de            Powered by FreeBSD ;-)

From owner-firewalls-outgoing Mon Jul 7 10:41:44 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA06286 for firewalls-outgoing; Mon, 7 Jul 1997 08:44:20 -0700 (PDT)
Received: from mail.sla.com (mail1.sla.com [207.153.168.35]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA06254 for ; Mon, 7 Jul 1997 08:44:09 -0700 (PDT)
Received: by mail1.sla.com with Internet Mail Service (5.0.1457.3) id <3B2FBJG6>; Mon, 7 Jul 1997 08:47:54 -0700
Message-ID: <31557D725263D011B53A0060974FB8DC028BB0@mail1.sla.com>
From: "Stackpole, Bill"
To: "'Chris Pressley'" , firewalls-digest@GreatCircle.COM
Subject: RE: router on external net
Date: Mon, 7 Jul 1997 08:47:53 -0700
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1457.3)
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

There is usually a router placed here but it depends to some degree on your ISP. You could use an Ethernet to T1 bridge to connect to the CSU/DSU.
Or if you're using frame relay you could use a FRAD.

"Simplify - There is no value in complexity, it's too difficult to manage."

Bill Stackpole, CISSP          Seitel Leeds & Associates
Voice: 206.283.4355            2 Nickerson St. Suite 201
Email: bstackpole@sla.com      Seattle, Wa 98109

> -----Original Message-----
> From: Chris Pressley [SMTP:chrisp@tidalwave.net]
> Sent: Thursday, July 03, 1997 9:04 AM
> To: firewalls-digest@GreatCircle.COM
> Subject: router on external net
>
> Assume I setup a dual-homed firewall. My internal net connects to the
> internal interface on the firewall, and my external interface on the
> firewall connects to a T-1, then on to the ISP's router. The interface on
> my ISP's router is on the same network as my external interface. Two
> questions:
>
> 1. Do I need a router between my firewall external interface and my T-1 (I
> have to connect something to the CSU/DSU, right?).
>
> 2. Should I have a router between my firewall external interface and my
> T-1, given that my ISP's router is on the same network, for security
> reasons?
> > Thanks, > Chris From owner-firewalls-outgoing Mon Jul 7 10:50:52 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA19056 for firewalls-outgoing; Mon, 7 Jul 1997 10:01:31 -0700 (PDT) Received: from home.partan.com (home.partan.com [198.6.255.236]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id KAA19038 for ; Mon, 7 Jul 1997 10:01:23 -0700 (PDT) Received: (from asp@localhost) by home.partan.com (8.6.12/8.6.12) id NAA09186; Mon, 7 Jul 1997 13:04:22 -0400 From: Andrew Partan Message-Id: <199707071704.NAA09186@home.partan.com> Subject: Re: Two ISP's to one DMZ To: pferguso@cisco.com (Paul Ferguson) Date: Mon, 7 Jul 1997 13:04:22 -0400 (EDT) Cc: mhorn@funb.com, firewalls@GreatCircle.COM In-Reply-To: <3.0.3.32.19970707101502.006c9e94@lint.cisco.com> from "Paul Ferguson" at Jul 7, 97 10:15:02 am X-Mailer: ELM [version 2.4 PL24] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > >Is there another way to set up redundancy between two ISP's without doing > >BGP peering? > > No, not really. Dual homed NAT. 
--asp@partan.com (Andrew Partan) From owner-firewalls-outgoing Mon Jul 7 11:02:14 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA19231 for firewalls-outgoing; Mon, 7 Jul 1997 10:02:36 -0700 (PDT) Received: from elsa.arz.oeaw.ac.at (elsa.arz.oeaw.ac.at [193.170.80.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id KAA19164 for ; Mon, 7 Jul 1997 10:02:16 -0700 (PDT) Received: from localhost (meli@localhost) by elsa.arz.oeaw.ac.at (8.7.5/8.7.3) with SMTP id TAA46936; Mon, 7 Jul 1997 19:05:36 +0200 Date: Mon, 7 Jul 1997 19:05:36 +0200 (DFT) From: Melitta Kimbacher To: Matthew Frith cc: Firewalls@GreatCircle.COM, azari@hplb.hpl.hp.com, adc@hplb.hpl.hp.com Subject: Re: Routing with 2 checkpoint Firewalls In-Reply-To: <199707071404.PAA22474@mfrith.hpl.hp.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Mon, 7 Jul 1997, Matthew Frith wrote: [NON-Text Body part not included] ------------------------------------------------------------------------ Melitta Kimbacher Austrian Academy of Sciences Tel.: +43 1 515 81 363 Computer Center Fax: +43 1 515 81 379 Dr. Ignaz Seipel-Platz 2 E-Mail:Melitta.Kimbacher@oeaw.ac.at A-1010 Wien From owner-firewalls-outgoing Mon Jul 7 11:05:06 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA23256 for firewalls-outgoing; Mon, 7 Jul 1997 10:24:07 -0700 (PDT) Received: from mail.diginsite.com (mail.diginsite.com [208.2.189.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id KAA23243 for ; Mon, 7 Jul 1997 10:24:01 -0700 (PDT) Received: from march.diginsite.com (march.diginsite.com [208.2.189.102]) by mail.diginsite.com (8.8.5/8.8.3) with ESMTP id KAA09086; Mon, 7 Jul 1997 10:24:14 -0700 Message-Id: <199707071724.KAA09086@mail.diginsite.com> From: "David Lang" To: "Neil D. 
Quiogue" ,
Cc:
Subject: Re: Calling the Horde
Date: Mon, 7 Jul 1997 09:24:25 -0700
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1155
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

would you really trust them to report the problems, not just save the info for after you go live?

David Lang

----------
> From: Neil D. Quiogue
> To: hartmut.fehling@hamburg.netsurf.de
> Cc: Firewalls@GreatCircle.COM
> Subject: Re: Calling the Horde
> Date: Thursday, July 03, 1997 5:01 PM
>
> On Thu, 3 Jul 1997 hartmut.fehling@hamburg.netsurf.de wrote:
>
> > In order to make a really tough test before I actually connect the gateway
> > to our network, I could ask some people I know in the Underground to spread
> > the IP-Address, maybe the HW/SW-Configuration and perhaps even the
> > FW-1-Settings and invite the guys to try it out and break in (into the
> > empty network behind it).
> >
> > Question: Is this a wise thing to do / Has anybody "invited" Hackers in
> > such a fashion?
>
> Check the legalities of this 'breaking' session. There are companies
> which have security policies that do not allow this. And I think it is
> bad practice to do this since the information would cascade throughout the
> underground community.
>
> Why not try to do this yourself? In security parlance, do not trust
> anyone.
>
> [---]
> Neil D. Quiogue
> IPhil Communications Network, Inc.
> e-mail: neil@iphil.net > From owner-firewalls-outgoing Mon Jul 7 11:34:56 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA19264 for firewalls-outgoing; Mon, 7 Jul 1997 10:02:59 -0700 (PDT) Received: from elsa.arz.oeaw.ac.at (elsa.arz.oeaw.ac.at [193.170.80.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id KAA19235 for ; Mon, 7 Jul 1997 10:02:41 -0700 (PDT) Received: from localhost (meli@localhost) by elsa.arz.oeaw.ac.at (8.7.5/8.7.3) with SMTP id TAA54866; Mon, 7 Jul 1997 19:05:28 +0200 Date: Mon, 7 Jul 1997 19:05:28 +0200 (DFT) From: Melitta Kimbacher To: "Martin C. Walker" cc: fw-1-mailinglist@us.checkpoint.com, firewalls@GreatCircle.COM Subject: Re: FW-1 DESTINATION IP Address Translation In-Reply-To: <3.0.32.19970707103245.00c9e57c@mail.epcorp.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Mon, 7 Jul 1997, Martin C. Walker wrote: > Can anyone provide me with details on how translate the > DESTINATION IP address in a forward moving packet outbound > from the firewall to the internet ? > > normal NAT translates only the SOURCE IP address. > > Ideally I'd like to translate only the destination address and > leave the source as an illegal 10.* address. If this is not doable > I'd need to translate both addresses. > > I have Sun's version of FW-1 2.1c on Solaris 2.5.1x86. > > I will be going to 3.0a soon, so if it's different or not do-able > on 3.* products I'd like to know that too. > > TIA for the help > -------------------------------------------------------------------------- > Martin C. Walker | martinw@epcorp.com | PP-ASEL,IFR AA5-A 9908U > Project Lead | (513)629-2517 | Blue Belt Okinawan Shuri-Ryu > Eagle-Picher Inc. 
| Fax: (513)629-2449 | Porsche 911SC
> 580 Walnut St, |
> Cincinnati, OH 45202 |
> ------------------------------------------------------------------------

Melitta Kimbacher                    Austrian Academy of Sciences
Tel.: +43 1 515 81 363               Computer Center
Fax: +43 1 515 81 379                Dr. Ignaz Seipel-Platz 2
E-Mail:Melitta.Kimbacher@oeaw.ac.at  A-1010 Wien

From owner-firewalls-outgoing Mon Jul 7 13:03:54 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA23275 for firewalls-outgoing; Mon, 7 Jul 1997 10:24:15 -0700 (PDT)
Received: from proxy4.ba.best.com (proxy4.ba.best.com [206.184.139.15]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id KAA23254 for ; Mon, 7 Jul 1997 10:24:05 -0700 (PDT)
Received: from shellx.best.com (shellx.best.com [206.86.0.11]) by proxy4.ba.best.com (8.8.5/8.8.3) with ESMTP id KAA14139 for ; Mon, 7 Jul 1997 10:26:24 -0700 (PDT)
Received: from localhost (kgibbs@localhost) by shellx.best.com (8.8.5/8.8.3) with SMTP id KAA10689 for ; Mon, 7 Jul 1997 10:25:54 -0700 (PDT)
Date: Mon, 7 Jul 1997 10:25:54 -0700 (PDT)
From: "Kelly E. Gibbs"
To: firewalls@greatcircle.com
Subject: Blasting Microsoft... again!
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

There was an interesting article in the San Francisco Examiner, Sunday, July 6, 1997, Section D, Computers and Technology section titled:

The best part of this article is a picture of a crocodile crossing the street with Bill Gates' face morphed in.

Courting the Crocodile
by John Naughton (London Observer)

"Partnering with Microsoft is a corporate form of appeasement"

Very, very interesting [yet true] article. The two most eye-opening sentences are:

"What [corporations] don't realize is that their deals [with M$] are death warrants. Gates does not plan to share the on-line banking business -- or any other business -- WITH ANYONE."
"James Gleick, The New York Times journalist, has argued that Microsoft will soon become the biggest public policy issue facing the U.S. government, and he is right."

And the article goes on and on, but makes reference to a site (www.newyork.sidewalk.com), which under the "Terms and Conditions", Microsoft wants you to agree to share with other parties information (yaa, such as travel agencies), which the article says, Microsoft has teamed up with American Express (just long enough until Microsoft understands the travel business, then it will attempt to destroy American Express)!

From owner-firewalls-outgoing Mon Jul 7 13:12:21 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA22053 for firewalls-outgoing; Mon, 7 Jul 1997 10:16:31 -0700 (PDT)
Received: from www.steldyn.com (www.steldyn.com [198.68.45.121]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id KAA22012 for ; Mon, 7 Jul 1997 10:16:17 -0700 (PDT)
Received: (qmail 17314 invoked from network); 7 Jul 1997 17:18:34 -0000
Received: from juneau.steldyn.com (172.16.31.1) by www.steldyn.com with SMTP; 7 Jul 1997 17:18:34 -0000
Received: by juneau.steldyn.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BC8AC7.B9FC0E80@juneau.steldyn.com>; Mon, 7 Jul 1997 11:20:08 -0600
Message-ID:
From: Chris Pugrud
To: "'Bill Stout'" , Firewalls Mailing list
Subject: 3rd party IP stacks for NT? (was Microsoft plans to offer a firewall)
Date: Mon, 7 Jul 1997 11:20:06 -0600
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This could definitely presage a security conscious market for a 3rd party "crystal box" IP stack for NT.
Maybe I'm off in lalaland regarding feasibility, but several of the NT firewalls that I have worked with either replace the IP stack or insert a prefilter. Personally I would feel a strong interest in a bolt-on filter for NT that would allow very strict screening of packets before they hit the MS stack. Or even a full replacement stack, but that could easily exceed the desires for simplicity and elegance.

We could finally have useful packet filters at the host level. "Header option of the week bug? Block it at the filter." Granted there is an argument that this filtering can be done at the router or firewall level. There are also many people that like to build in redundant layers of security.

Imagine finally getting full logging of all traffic without having to run a sniffer. Full logging and filtering at the host level.

Is this reasonable, close, or should I just go drink more coffee?

Chris

>-----Original Message-----
>From: Bill Stout [SMTP:stoutb@pios.com]
>Sent: Saturday, July 05, 1997 2:16 PM
>To: Firewalls Mailing list
>Subject: Re: Microsoft plans to offer a firewall
>
>
>
>TIS was interested in working with Hitachi because we were one of the few
>companies which had NT source, and NT programmers. The ability to review NT
>source for security flaws was very important to TIS. At the time TIS had no
>NT version of Gauntlet, and very few NT-proficient programmers.
>
>TIS was also paying visits to Microsoft directly in order to partner/create
>a Firewall product (wisely not putting their eggs into one basket). I would
>give the MS/TIS combo the benefit of doubt, since TIS has a history of
>making source available for review, and being strongly critical while
>reviewing code. 'The big problem' with Microsoft is that source code is not
>reviewable, resulting in major security holes being discovered after many
>thousands of NT systems are used in production environments.
>
>Hopefully TIS is also wise enough not to create any NT dependencies in the
>firewall code.
>I'm sure TIS recognizes that Microsoft software is
>notoriously insecure. Given this, TIS will critically review MS code
>pertinent to the firewall, and make firewall source available.
>
>My faith in an NT firewall product is improved because of the association of
>TIS, home of 'crystal box' open source code. My caveat; no one can make
>security Microsoft-proof.
>
>Bill Stout
>
>

From owner-firewalls-outgoing Mon Jul 7 13:53:03 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA12828 for firewalls-outgoing; Mon, 7 Jul 1997 12:06:28 -0700 (PDT)
Received: from lint.cisco.com (lint.cisco.com [171.68.223.44]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id MAA12651 for ; Mon, 7 Jul 1997 12:05:49 -0700 (PDT)
Received: from big-dawgs.cisco.com (herndon-dhcp-109.cisco.com [171.68.53.109]) by lint.cisco.com (8.8.5/CISCO.SERVER.1.2) with SMTP id MAA08396; Mon, 7 Jul 1997 12:08:55 -0700 (PDT)
Message-Id: <3.0.3.32.19970707150849.006d43fc@lint.cisco.com>
X-Sender: pferguso@lint.cisco.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Mon, 07 Jul 1997 15:08:49 -0400
To: Andrew Partan
From: Paul Ferguson
Subject: Re: Two ISP's to one DMZ
Cc: firewalls@GreatCircle.COM
In-Reply-To: <199707071704.NAA09186@home.partan.com>
References: <3.0.3.32.19970707101502.006c9e94@lint.cisco.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In theory (and the lab), yes -- but this has not been deployed in a production network to my knowledge. :-)

- paul

At 01:04 PM 07/07/97 -0400, Andrew Partan wrote:
>> >Is there another way to set up redundancy between two ISP's without doing
>> >BGP peering?
>>
>> No, not really.
>
>Dual homed NAT.
> --asp@partan.com (Andrew Partan)
>

--
Paul Ferguson                   ||        ||
Consulting Engineering          ||        ||
Herndon, Virginia USA          ||||      ||||
tel: +1.703.397.5938      ..:||||||:..:||||||:..
e-mail: pferguso@cisco.com c i s c o S y s t e m s From owner-firewalls-outgoing Mon Jul 7 14:00:02 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA07982 for firewalls-outgoing; Mon, 7 Jul 1997 11:45:53 -0700 (PDT) Received: from iproute.com (att.avana.net [205.245.133.35]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id LAA07874 for ; Mon, 7 Jul 1997 11:45:28 -0700 (PDT) From: mikech@avana.net Received: from att (att.iproute.com [192.168.0.4]) by iproute.com (8.8.4/8.8.4) with SMTP id PAA11656; Mon, 7 Jul 1997 15:42:21 -0400 Date: Mon, 7 Jul 1997 14:18:44 -0500 Subject: Re: Two ISP's to one DMZ To: "Mark Horn [ Net Ops ]" , Paul Ferguson Cc: firewalls@GreatCircle.COM, marc@sniff.ct-net.de X-Mailer: Z-Mail Pro 6.1 (Win32 - 021297) Evaluation Copy, NetManage Inc. X-Priority: 3 (Normal) References: <3.0.3.32.19970706100857.006d037c@lint.cisco.com> <3.0.3.32.19970706230215.006b6378@lint.cisco.com> <19970707095116.62717@capmark.funb.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=ISO-8859-1 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk ------------------------ From: "Mark Horn [ Net Ops ]" Subject: Re: Two ISP's to one DMZ Date: Mon, 7 Jul 1997 09:51:16 -0400 To: Paul Ferguson Cc: marc@sniff.ct-net.de, firewalls@GreatCircle.COM > > Is BGP the only answer? We have several ISP's providing service to us. > We have our own NIC assigned address block, and a NIC assigned AS number. > We've been trying (for several months) to set up BGP routing between all > of our providers. But we've run into trouble. > > One of the providers doesn't want to set up peering with us. Their claim > is that you can have redundant ISP's through other methods than setting up > BGP peering. When pressed, they've been conspicuously quiet about what > these other methods are. > > Is there another way to set up redundancy between two ISP's without doing > BGP peering? 
---------------End of Original Message-----------------

How about this?

                          ________   en1 ______ ISP1 with preference of 10
Internal LAN _______ en0 |Firewall|
192.168.X.X              |  NAT   |  en2 ______ ISP2 with preference of 20
                          --------   en3 and so on... with preference of X

Each interface has its own preference so if one drops, another is used
for outbound service.

For inbound service, each interface is remapped with NAT to a different IP:

en1   192.168.0.3 <-> 108.10.2.4
      192.168.0.4 <-> 108.10.2.5
en2   192.168.0.3 <-> 205.245.133.8
      192.168.0.4 <-> 205.245.133.9
en3   192.168.0.3 <-> 166.79.10.2
      192.168.0.4 <-> 166.79.10.3
and so on...

If one interface fails or the ISP goes down you just use dynamic-dns to
remap the Domains to a new IP.

www.domain.com  was 108.10.2.4, it now is 205.245.133.8
mail.domain.com was 108.10.2.5, it now is 205.245.133.9

If everything is working correctly, you should be able to reach the web
server at 108.10.2.4 or 205.245.133.8 or 166.79.10.3 all at the same time.

I just wanted to expand upon my previous posting as there was some
confusion. We have this working at many customer sites. We also have
customers using this with a back up ISDN link. You can still reach their
web and mail servers even if all their T1s go down.

Mike
-- 14:18:44 07/07/97
_______________________________________________________________________
Michael W. Chalkley                     Tel: +1.770.772.4567
ZapNet! Inc.
                                        Fax: +1.770.475.7640
Suite 400-120                           E-mail: mikech@iproute.com
10945 State Bridge Road                         mikech@avana.net
Alpharetta, GA 30202                    http://www.iproute.com

From owner-firewalls-outgoing Mon Jul 7 16:27:53 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA10503 for firewalls-outgoing; Mon, 7 Jul 1997 14:31:45 -0700 (PDT)
Received: from emout04.mail.aol.com (emout04.mx.aol.com [198.81.11.95]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id OAA10335 for ; Mon, 7 Jul 1997 14:31:02 -0700 (PDT)
From: GWurtz@aol.com
Received: (from root@localhost) by emout04.mail.aol.com (8.7.6/8.7.3/AOL-2.0.0) id RAA03794 for firewalls@greatcircle.com; Mon, 7 Jul 1997 17:34:41 -0400 (EDT)
Date: Mon, 7 Jul 1997 17:34:41 -0400 (EDT)
Message-ID: <970707173425_-957598513@emout04.mail.aol.com>
To: firewalls@greatcircle.com
Subject: Please help me out
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Send me all Info you have .......

From owner-firewalls-outgoing Mon Jul 7 16:34:25 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id PAA24310 for firewalls-outgoing; Mon, 7 Jul 1997 15:26:16 -0700 (PDT)
Received: from mail.clark.net (mail.clark.net [168.143.0.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id PAA24057 for ; Mon, 7 Jul 1997 15:25:31 -0700 (PDT)
Received: from user (171.tampa-003.fl.dial-access.att.net [207.146.90.171]) by mail.clark.net (8.8.5/8.6.5) with SMTP id SAA10047; Mon, 7 Jul 1997 18:28:59 -0400 (EDT)
Message-Id: <3.0.1.32.19970707182813.00852990@clark.net>
X-Sender: mht@clark.net
X-Mailer: Windows Eudora Pro Version 3.0.1 (32)
Date: Mon, 07 Jul 1997 18:28:13 -0400
To: firewalls@GreatCircle.COM
From: Mark Teicher
Subject: When is Integrity compromised?
Cc: "Mark H.
Teicher " , "Char_Sample@notes.pw.com" , "keithcha@clark.net"
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

What determines when integrity is compromised within a firewall or internet
security solution?

Is it when the hardware/software fails to do its job?
Is it with the network architecture that was improperly designed?
Is it with a firewall that was not designed for a particular function?
Is it with people who are not properly trained to maintain a firewall?
Or is it with management who fails to recognize when people,
hardware/software and policy are not adequate to sustain such a solution?

#########################################################
'Turn on, Boot Up, Jack in'
#########################################################

From owner-firewalls-outgoing Mon Jul 7 16:49:50 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id PAA22011 for firewalls-outgoing; Mon, 7 Jul 1997 15:16:26 -0700 (PDT)
Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-970427-1) id PAA21988 for firewalls@greatcircle.com; Mon, 7 Jul 1997 15:16:16 -0700 (PDT)
Received: from hal-pc.org (hal-pc.org [204.52.135.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id TAA23402 for ; Sat, 5 Jul 1997 19:50:58 -0700 (PDT)
Received: from max0-47.hal-pc.org (max1-161.hal-pc.org [209.16.24.161]) by hal-pc.org (8.8.5/8.6.9) with SMTP id VAA24362; Sat, 5 Jul 1997 21:53:55 -0500 (CDT)
Message-Id: <199707060253.VAA24362@hal-pc.org>
Comments: Authenticated sender is
From: "robertp@hal-pc.org"
Organization: hal-pc.org
To: Bret Watson , claudio@DI.Unipi.IT
Date: Sat, 5 Jul 1997 09:36:01 +0000
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: need suggestion xntpd a security hole ???
CC: Dirk Nerling , firewalls@GreatCircle.COM
In-reply-to: <33BCFDA4.5ACB@di.unipi.it>
X-mailer: Pegasus Mail for Windows (v2.52)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > Bret Watson wrote:
> > XNTPD can be set up to be safe.
> > i. fully utilise the voting system - find at least 6 NTP servers
> > (secondaries or above) that are geographically distant - I use one in
> > france, one in Switzerland, one in Aust, one in NZ and one in Japan.
> > ii. if you can get a DES library and rebuild XNTPD with it
>
> Note that if somebody wants to attack you, it could first try to attack
> your ISP. In this case, it could spoof all your NTP servers at the same
> time, wherever they are.
>
> I don't know the NTP authentication system, but probably it isn't a real
> one time pad (probably it will eventually cycle).
> It could nevertheless be an adequate protection.

I also suggest you may wish to try GPS (Global Positioning Satellite).
Cost effective, and provides a single source right to your location with
no dependence on external links.

Bob Plaumann

It is difficult to say what is impossible for the dream of yesterday is
the reality of tomorrow - Dr. Robert H. Goddard

From owner-firewalls-outgoing Mon Jul 7 16:50:26 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA20410 for firewalls-outgoing; Mon, 7 Jul 1997 12:48:02 -0700 (PDT)
Received: from mail.ballistic.com (mail.ballistic.com [208.211.146.4]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id MAA15697 for ; Mon, 7 Jul 1997 12:19:57 -0700 (PDT)
Received: from cgill (tpm1-138.ballistic.com [208.211.146.138]) by mail.ballistic.com (8.8.5/8.8.5) with ESMTP id OAA06957 for ; Mon, 7 Jul 1997 14:23:27 -0500 (CDT)
Message-ID: <33C1420E.5ED5ECDE@dds-solutions.com>
Date: Mon, 07 Jul 1997 14:22:54 -0500
From: "Chris A. Gill"
Reply-To: dds@ballistic.com
Organization: Digital Documentation Systems, Inc.
X-Mailer: Mozilla 4.01 [en] (Win95; I)
MIME-Version: 1.0
To: firewalls@GreatCircle.COM
Subject: javascript
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am currently creating a web page for my company and have included a
javascript to scroll across the bottom of the browser. I have the commands
in there, but have no idea exactly where to put them and what section of my
page. I am using frames, so I am sure that has a little to do with it. Any
idea where I can get some good info on that subject, and/or anyone who can
view my page and give me a quick tip as to what the problem is?

Chris A. Gill
http://www.dds-solutions.com

From owner-firewalls-outgoing Mon Jul 7 16:58:45 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA16664 for firewalls-outgoing; Mon, 7 Jul 1997 14:56:47 -0700 (PDT)
Received: from runar.salcom.se (mail.salcom.se [194.198.242.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id OAA16412 for ; Mon, 7 Jul 1997 14:55:49 -0700 (PDT)
Received: from bosse.salcom.se (bosse.salcom.se [194.198.240.1]) by runar.salcom.se (8.8.5/8.8.5) with ESMTP id XAA19727; Mon, 7 Jul 1997 23:01:23 +0200
Received: from scmiru.salcom.se ([194.198.241.234]) by bosse.salcom.se (8.8.5/8.8.5) with ESMTP id XAA13027; Mon, 7 Jul 1997 23:03:31 +0200
Message-ID: <33C166F9.ACBC5978@salcom.se>
Date: Tue, 08 Jul 1997 00:00:25 +0200
From: Mikael Rundqvist
Organization: Salcom Communication AB
X-Mailer: Mozilla 4.0b5 [en] (Win95; I)
MIME-Version: 1.0
To: Drexx Laggui
CC: firewalls@greatcircle.com, fw-1-mailinglist@us.checkpoint.com
Subject: Re: [FW1] SQL*Net over TCP/IP WAN links
X-Priority: 3 (Normal)
References: <199706190315.TAA17922@sunphil>
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Drexx Laggui wrote:
>
> Hello world,
>
> Has
anybody tried accessing an Oracle database over private TCP/IP WAN
> links ? Specifically, using connections via Developer 2000 clients on
> remote PCs going through Firewall-1 before the main Oracle database on
> the central facility?
>
> Would anybody care to kindly share any experiences? Any pitfalls to
> avoid?
> Would allowing only the SQL*Net protocol thru the firewall be enough
> to
> get the job done? Or do we have to have telnet thru also ? (Sorry, I'm
> no
> database programmer. I'm just your regular hardware type of guy.)
>
> Thank you very much,
> Drexx.
>
> "It's a dirty job, but somebody's gotta do it." -- John Wayne
>
> ~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~
>         ______
>        /_____/\          DEXTER D. LAGGUI
>       /_____\\ \         Systems Engineer, CSD-TSR
>      /_____\ \\ /        PHILIPPINE SYSTEMS PRODUCTS INC.
>     /_____/ \/ / /       Penthouse, Corporate Business Center
>    /_____/ /   \//\      150 Paseo de Roxas Ave., Legaspi Village
>    \_____\//\   / /      Makati City, Philippines
>     \_____/ / /\ /
>      \_____/ \\ \        Phone: (++ 63-2) 813-6453 to 55 loc. 222
>       \_____\ \\         Fax  : (++ 63-2) 813-3516
>        \_____\/          Email: drexx@pspi.com.ph
>                          Pager: (++ 63-2) 1277-33615
>
> ~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~

I have tried to use SqlNetv2 with the Oracle server running on NT and the
FW-1v3. That doesn't work. When using UNIX as platform for the Oracle
server it works fine. It seems as if SqlNetv2 works differently on NT and
UNIX. Is anyone using Oracle on NT and running the clients in front of a
FW-1?
I do not wanna open up tcp-high-ports ;-((

--
Mikael Rundqvist,             Direct:  +46(0)8-630 50 68
Salcom Communication AB       Telefax: +46(0)8-630 50 01
Kutterv 1, SE-183 53 TÄBY     Cell:    +46(0)70-630 50 68
WWW: http://www.salcom.se

From owner-firewalls-outgoing Mon Jul 7 17:49:46 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA14650 for firewalls-outgoing; Mon, 7 Jul 1997 12:14:55 -0700 (PDT)
Received: from lint.cisco.com (lint.cisco.com [171.68.223.44]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id MAA14610 for ; Mon, 7 Jul 1997 12:14:43 -0700 (PDT)
Received: from big-dawgs.cisco.com (herndon-dhcp-109.cisco.com [171.68.53.109]) by lint.cisco.com (8.8.5/CISCO.SERVER.1.2) with SMTP id MAA13404; Mon, 7 Jul 1997 12:17:42 -0700 (PDT)
Message-Id: <3.0.3.32.19970707151740.006db534@lint.cisco.com>
X-Sender: pferguso@lint.cisco.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Mon, 07 Jul 1997 15:17:40 -0400
To: marc@sniff.ct-net.de
From: Paul Ferguson
Subject: Re: Two ISP's to one DMZ
Cc: firewalls@GreatCircle.COM
In-Reply-To: <199707070536.FAA00510@sniff.franken.de>
References: <3.0.32.19970706204429.006c27a4@mail>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 05:36 AM 07/07/97 +0000, marc@sniff.ct-net.de wrote:
>
>Our local ISP here in Germany told me that it is no good idea to
>advertise networks below /19 , because some carriers filter out BGP
>routes to networks smaller than 8192 addresses.
>
>Is this correct? And if so, what will be the solution for Bertram
>Carrols problem?
>

Yes, there are a few ISP's which filter route announcements which are
longer than a /19, but this is a political problem.

- paul

--
Paul Ferguson              ||        ||
Consulting Engineering     ||        ||
Herndon, Virginia USA     ||||      ||||
tel: +1.703.397.5938   ..:||||||:..:||||||:..
e-mail: pferguso@cisco.com     c i s c o  S y s t e m s

From owner-firewalls-outgoing Mon Jul 7 18:44:39 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA19306 for firewalls-outgoing; Mon, 7 Jul 1997 12:40:52 -0700 (PDT)
Received: from lms02.us1.ibm.com (lms02.ny.us.ibm.com [198.133.29.70]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id MAA19290 for ; Mon, 7 Jul 1997 12:40:44 -0700 (PDT)
Received: from d04lms01.raleigh.ibm.com by lms02.us1.ibm.com (AIX 4.1/UCB 5.64/4.03) id AA23396; Mon, 7 Jul 1997 19:49:17 GMT
Received: by US.IBM.COM (Soft-Switch LMS 2.0) with snapi via D04AU003 id 5040100006299833; Mon, 7 Jul 1997 15:46:48 -0400
From: Roger Rea
To:
Cc:
Subject: RE: Firewall on AIX
Message-Id: <5040100006299833000002L032*@MHS>
Date: Mon, 7 Jul 1997 15:46:48 -0400
Mime-Version: 1.0
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>>Gabriele.................Perhaps you have not looked at the current
>version of
>>the IBM Firewall. We are a much more complete firewall than other
>>firewalls,
>>offering not only filtering architectures like Check Point, but also
>>Application Gateways and Circuit Level Gateways. So you get three
>>firewalls in
>>one.

>PERHAPS YOU HAVEN'T LOOKED AT THE LAST 3 OR 4 VERSIONS OF THE CHECKPOINT
>FIREWALL.
>IT USES THE "STATEFUL INSPECTION" TECHNOLOGY TO FILTER ALL ISO LAYERS FROM
>THE NETWORK LAYER TO THE APPLICATION IN ONLY ONE PASS: THERE'S AN "INSPECT
>ENGINE" THAT USING DYNAMIC STAT TABLES ASSURES A FAST AND TRANSPARENT
>INSPECTION.

Gabrielle asked if I was familiar with Check Point Stateful Inspection.
Certainly, I have looked at the product, and the marketing literature
surrounding it. I've also followed their support forum for the last 9
months, and the numerous problems encountered by people trying to implement
Firewall-1. Stateful Inspection filters on more than just header
information, but it is just filtering.
State tables can also introduce some problems, such as filling up the state
table.

Roger Rea
Firewall Product Market Manager, IBM
Phone: 919-543-1045   FAX: 919-543-2693
Internet: rrea@us.ibm.com

From owner-firewalls-outgoing Mon Jul 7 18:49:42 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id PAA28629 for firewalls-outgoing; Mon, 7 Jul 1997 15:49:22 -0700 (PDT)
Received: from netcom19.netcom.com (netcom19.netcom.com [192.100.81.132]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id PAA20054 for ; Mon, 7 Jul 1997 15:08:30 -0700 (PDT)
Received: (from xod@localhost) by netcom19.netcom.com (8.8.5-r-beta/8.8.5/(NETCOM v1.01)) id PAA12487; Mon, 7 Jul 1997 15:11:26 -0700 (PDT)
From: Matt Ashcraft
Message-Id: <199707072211.PAA12487@netcom19.netcom.com>
Subject: Protocol 255 and Checkpoint v2.1c
To: firewalls@GreatCircle.COM
Date: Mon, 7 Jul 1997 15:11:25 -0700 (PDT)
Cc: fw-1-mailinglist@us.checkpoint.com
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hark! O Magnificent Ones!

Over the 4th of July weekend we had a number of incidents occur, the
strangest of which I am submitting for the erudite consideration of these
lists. Any suggestions would be greatly appreciated by my humble self.

Log entries (names effaced to obscure the guilty):

...
05Jul97-03:46:29.txt:22:38:42 drop firewall >hme1 proto 255 src p< Snip >e.edu dst mailsvr service 120
05Jul97-03:46:29.txt:22:38:42 drop firewall >hme1 proto 255 src p< Snip >e.edu dst mailsvr service 51575
05Jul97-03:46:29.txt:22:38:42 drop firewall >hme1 proto 255 src p< Snip >e.edu dst mailsvr service 37495
...and on for about 70 lines.
On the surface it appears to be a port scan except that the port numbers
are arranged in no particular order and I recall no protocol which could be
defined simply as 255 with the possible unlikely exception of bootp.

The system this is running on is an Ultra2 Solaris 2.5.1 Checkpoint v2.1c.

Thank you for your consideration.

--
Matthew Ashcraft,        | "The people will win over the nationalist
Unix, Netware, The Net   | psychopaths...because WE ARE ALL FED UP
and Rock n Roll          | WITH YOUR HATRED!" -- Vanja Filipovic
xod@netcom.com,          | Bosnian Student

From owner-firewalls-outgoing Mon Jul 7 18:54:02 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id PAA28486 for firewalls-outgoing; Mon, 7 Jul 1997 15:47:59 -0700 (PDT)
Received: from ns1.tddc.net (tddc.net [204.71.88.18]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id PAA20814 for ; Mon, 7 Jul 1997 15:11:53 -0700 (PDT)
Received: from breid (comsoltx.com [204.71.89.189]) by ns1.tddc.net (8.6.12/8.6.9) with SMTP id RAA22125 for ; Mon, 7 Jul 1997 17:14:32 -0500
Received: by breid with Microsoft Mail id <01BC8AF9.F86CC920@breid>; Mon, 7 Jul 1997 17:19:47 -0500
Message-ID: <01BC8AF9.F86CC920@breid>
From: Brent Reid
To: "'firewalls@GreatCircle.COM'"
Subject: Raptor Address Translation
Date: Mon, 7 Jul 1997 17:22:30 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Just heard a "rumor" that we should NOT do Address translation using
Raptor. Any comments?

================================================
Brent Reid                   | (210) 369-0300
IS                           | Fax (210) 369-0389
Computer Solutions           | breid@tddc.net
7550 IH 10 West, Suite 120   |
San Antonio, TX 78229        | "Everything you know is wrong."
                             |   Firesign Theatre

From owner-firewalls-outgoing Mon Jul 7 18:54:10 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id PAA28797 for firewalls-outgoing; Mon, 7 Jul 1997 15:50:52 -0700 (PDT)
Received: from buffy.isi.net (buffy.isi.net [204.71.194.215]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id OAA15946 for ; Mon, 7 Jul 1997 14:53:13 -0700 (PDT)
Received: from localhost (mike@localhost) by buffy.isi.net (8.8.5/ISI-1.5) with SMTP id OAA14990; Mon, 7 Jul 1997 14:56:36 -0700 (PDT)
Date: Mon, 7 Jul 1997 14:56:36 -0700 (PDT)
From: Mike Hedlund
X-Sender: mike@buffy
To: Chris Pugrud
cc: "'Bill Stout'" , Firewalls Mailing list
Subject: Re: 3rd party IP stacks for NT? (was Microsoft plans to offer a firewall)
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I was thinking the same thing.. push a filter onto the NIC and voila..
isn't that the way most NT firewalls work though? (I'm more of a unix
person). But joining MSDN for $500 just to get the DDK has been making me
nauseous..

-mike

On Mon, 7 Jul 1997, Chris Pugrud wrote:

> This could definitely presage a security conscious market for a 3rd
> party "crystal box" IP stack for NT.
>
> Maybe I'm off in lalaland regarding feasibility but several of the NT
> firewalls that I have worked with either replace the IP stack or insert
> a prefilter.
>
> Personally I would feel a strong interest in a bolt on filter for NT
> that would allow very strict screening of packets before they hit the MS
> stack. Or even a full replacement stack, but that could easily exceed
> the desires for simplicity and elegance.
>
> We could finally have useful packet filters at the host level. "Header
> option of the week bug? block it at the filter." Granted there is an
> argument that this filtering can be done at the router or firewall
> level.
> There are also many people that like to build in redundant
> layers of security.
>
> Imagine finally getting full logging of all traffic without having to
> run a sniffer. Full logging and filtering at the host level.
>
> Is this reasonable, close, or should I just go drink more coffee?
>
> Chris
>
> >-----Original Message-----
> >From: Bill Stout [SMTP:stoutb@pios.com]
> >Sent: Saturday, July 05, 1997 2:16 PM
> >To: Firewalls Mailing list
> >Subject: Re: Microsoft plans to offer a firewall
> >
> >
> >
> >TIS was interested in working with Hitachi because we were one of the few
> >companies which had NT source, and NT programmers. The ability to review NT
> >source for security flaws was very important to TIS. At the time TIS had no
> >NT version of Gauntlet, and very few NT-proficient programmers.
> >
> >TIS was also paying visits to Microsoft directly in order to partner/create
> >a Firewall product (wisely not putting their eggs into one basket). I would
> >give the MS/TIS combo the benefit of doubt, since TIS has a history of
> >making source available for review, and being strongly critical while
> >reviewing code. 'The big problem' with Microsoft is that source code is not
> >reviewable, resulting in major security holes being discovered after many
> >thousands of NT systems are used in production environments.
> >
> >Hopefully TIS is also wise enough not to create any NT dependencies in the
> >firewall code. I'm sure TIS recognizes that Microsoft software is
> >notoriously insecure. Given this, TIS will critically review MS code
> >pertinent to the firewall, and make firewall source available.
> >
> >My faith in an NT firewall product is improved because of the association of
> >TIS, home of 'crystal box' open source code. My caveat; no one can make
> >security Microsoft-proof.
> >
> >Bill Stout
> >
>

From owner-firewalls-outgoing Mon Jul 7 19:23:16 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA29307 for firewalls-outgoing; Mon, 7 Jul 1997 13:39:26 -0700 (PDT)
Received: from malmstrom.af.mil (gw.malmstrom.af.mil [131.53.227.199]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id NAA29290 for ; Mon, 7 Jul 1997 13:39:18 -0700 (PDT)
Received: from MALMSTROM-Message_Server by malmstrom.af.mil with Novell_GroupWise; Mon, 07 Jul 1997 14:39:07 -0600
Message-Id:
X-Mailer: Novell GroupWise 4.1
Date: Mon, 07 Jul 1997 14:38:53 -0600
From: 341CS Network Security Taylor Ashley
To: Firewalls@GreatCircle.COM
Subject: Re: IP Filters?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > "Stackpole, Bill" wrote:
> >
> >There are some techniques you can use to speed up access list
> >processing. Remember a Cisco list is exited on the first true so you
> >can add lines like:
> >
> > ! TCP or UDP Ports above the last service you are permitting
> > ! this is done to speed up the list processing
> > access-list 101 deny tcp any host 255.255.255.255 gt 80
> > access-list 101 deny udp any host 255.255.255.255 gt 19

If I am not mistaken (which I usually am), won't this block inside hosts
from using FTP commands that use ports gt 1023? At least that's how I read
an access control list page off of Cisco's home page.
Here is the URL
http://www.cisco.com/univercd/data/doc/cintrnet/ics/icssecur.htm#HDR6

SrA Ashley Taylor
Network Security

From owner-firewalls-outgoing Mon Jul 7 19:27:30 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id QAA12653 for firewalls-outgoing; Mon, 7 Jul 1997 16:58:25 -0700 (PDT)
Received: from pse01.pios.com (PSE01.PIOS.COM [199.33.129.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id QAA12625 for ; Mon, 7 Jul 1997 16:58:13 -0700 (PDT)
Received: by pse01.pios.com; (5.65v3.2/1.3/10May95) id AA00931; Mon, 7 Jul 1997 20:01:05 -0400
Received: from vaxa.PIOS.COM (vaxa.PIOS.COM) by gemini.pios.com (PMDF V5.0-6 #18985) id <01IKYUA9DZY88WWSES@gemini.pios.com> for firewalls@GreatCircle.COM; Mon, 07 Jul 1997 20:02:28 -0400 (EDT)
Received: from cal_133.cal.pios.com (192.168.14.133) by PIOS.PIOS.COM (PMDF V5.0-6 #18984) id <01IKYU8LQ4PC90N6W8@PIOS.PIOS.COM>; Mon, 07 Jul 1997 20:01:07 -0400 (EDT)
Date: Mon, 07 Jul 1997 20:00:19 -0400
From: Bill Stout
Subject: Re: 3rd party IP stacks for NT? (was Microsoft plans to offer a firewall)
X-Sender: stoutb@192.168.0.37
To: Mike Hedlund , Chris Pugrud
Cc: Firewalls Mailing list
Message-Id: <2.2.32.19970708000019.008941e8@192.168.0.37>
Mime-Version: 1.0
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7BIT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

NT is the black box software package 'in persona'. When describing specific
NT security mechanisms and internal system calls during discussions with NT
experts such as Dominique, Russ, David, and others, we think we finally have
it licked when some 'new functionality' is discovered. The existing NT TCP
'advanced filtering' option in the network control panel is not to be
trusted, since adjusting it doesn't always block what you want to block.
Presently NT network services run in kernel mode; I don't know what would
happen to performance if a stack ran as an IP filtering/reporting
application using direct hardware calls. I submit that a protocol stack
must be totally isolated from NT (services), and port access (in both
directions!) must be closed by default. In addition, reporting must be
present to report inbound and outbound attempts (also occasionally
mysterious).

NT does have network services which may not be obvious, or start 'on their
own'. The services control panel (as with all other control panel applets)
should not be viewed as the comprehensive control source for that item, but
only be viewed as a database form for that item viewing predetermined
portions of the database known as 'the NT registry'. BTW - Dlls called by
registry entries may not be what was shipped.

Hmm, public crystal box code filtering stack for NT. Reminds me of
TIS-fwtk. I like it!

Bill Stout

P.S. - The 'Cryptography Manifesto' rambles, but many facts it contains are
true, verifiable and chilling. - (Bill Stout beginning to be a strong
4,096-bit PGP advocate.)
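The design Chris Pugrud and Bill Stout sketch in this thread, a host-level filter that is closed by default in both directions and reports every inbound and outbound attempt it blocks, can be modelled without any NT internals. The following is an added example and not code from any poster or product: a small first-match rule engine in Python with default-deny in both directions, a drop report, and a log renderer in the style of the FW-1 lines Matt Ashcraft quotes earlier in this digest. The mail-host policy, the TEST-NET addresses and the traffic sample are constructed; the hostname `mailsvr` is borrowed from those log lines, and the proto 255 packets are included because 255 is listed as "Reserved" in the IANA protocol-number registry, which is exactly the kind of traffic a report should surface.

```python
from collections import Counter
from dataclasses import dataclass

# Protocol numbers the filter knows by name. 255 is "Reserved" in the IANA
# protocol-number registry, so anything carrying it is worth reporting.
KNOWN_PROTOS = {1: "icmp", 6: "tcp", 17: "udp"}


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (towards this host) or "out" (leaving this host)
    proto: int       # IP protocol number
    src: str
    dst: str
    dport: int       # destination port, or 0 for protocols without ports


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: int
    dport: int       # 0 matches any destination port
    action: str      # "accept" or "drop"


class HostFilter:
    """First matching rule wins; a packet that matches nothing is dropped,
    so the host is closed by default in both directions."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.log = []      # every decision, accepted or dropped

    def decide(self, pkt):
        for rule in self.rules:
            if (rule.direction == pkt.direction and rule.proto == pkt.proto
                    and rule.dport in (0, pkt.dport)):
                return rule.action
        return "drop"

    def process(self, pkt):
        action = self.decide(pkt)
        self.log.append((action, pkt))
        return action

    def report(self):
        """Count blocked attempts per direction and protocol and list any
        protocol numbers the filter has no name for: the reporting side of
        the design, covering outbound as well as inbound attempts."""
        drops = Counter()
        unknown = set()
        for action, pkt in self.log:
            if action != "drop":
                continue
            name = KNOWN_PROTOS.get(pkt.proto, str(pkt.proto))
            drops[(pkt.direction, name)] += 1
            if pkt.proto not in KNOWN_PROTOS:
                unknown.add(pkt.proto)
        return {"drops": dict(drops), "unknown_protocols": sorted(unknown)}


def format_entry(action, pkt):
    """Render one decision in the one-line style of the FW-1 log quoted above."""
    return (f"{action} {pkt.direction} proto {pkt.proto} src {pkt.src} "
            f"dst {pkt.dst} service {pkt.dport}")


# Constructed policy for a hypothetical mail host: SMTP both ways, DNS
# lookups out, ICMP both ways, and nothing else.
POLICY = [
    Rule("in", 6, 25, "accept"),
    Rule("out", 6, 25, "accept"),
    Rule("out", 17, 53, "accept"),
    Rule("in", 1, 0, "accept"),
    Rule("out", 1, 0, "accept"),
]

# Constructed traffic: a mail delivery, a NetBIOS probe from outside, a
# NetBIOS session the host itself tries to open, and two proto 255 packets.
SAMPLE = [
    Packet("in", 6, "192.0.2.10", "mailsvr", 25),
    Packet("in", 6, "192.0.2.10", "mailsvr", 139),
    Packet("out", 6, "mailsvr", "192.0.2.44", 139),
    Packet("in", 255, "192.0.2.99", "mailsvr", 120),
    Packet("in", 255, "192.0.2.99", "mailsvr", 51575),
]


def run_sample():
    """Run the constructed traffic through the policy; returns the decisions,
    the drop report and the rendered log lines."""
    fw = HostFilter(POLICY)
    decisions = [fw.process(pkt) for pkt in SAMPLE]
    return decisions, fw.report(), [format_entry(a, p) for a, p in fw.log]


if __name__ == "__main__":
    decisions, summary, lines = run_sample()
    print("\n".join(lines))
    print(summary)
```

The point of the sample is the third packet: the host's own outbound NetBIOS attempt is dropped and counted just like the inbound probe, which is what "closed by default in both directions" buys you, and the report lists 255 separately so a reviewer sees it without reading seventy log lines.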
From owner-firewalls-outgoing Mon Jul 7 19:42:33 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA19206 for firewalls-outgoing; Mon, 7 Jul 1997 17:29:03 -0700 (PDT)
Received: from linkou.trace.com.tw (linkou.trace.com.tw [203.67.189.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id RAA19125 for ; Mon, 7 Jul 1997 17:28:45 -0700 (PDT)
Received: from localhost (ronald@localhost) by linkou.trace.com.tw (8.8.6/8.8.6) with SMTP id IAA24283; Tue, 8 Jul 1997 08:32:15 +0800
Date: Tue, 8 Jul 1997 08:32:15 +0800 (CCT)
From: Ronald Wiplinger
To: GWurtz@aol.com
cc: firewalls@GreatCircle.COM
Subject: Re: Please help me out
In-Reply-To: <970707173425_-957598513@emout04.mail.aol.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 7 Jul 1997 GWurtz@aol.com wrote:

> Send me all Info you have .......
>

You cannot be serious ;-)

You mean really all 12 GB !!!!
Maybe it is easier, just to ask for a part of it ;-)

bye

Ronald

From owner-firewalls-outgoing Mon Jul 7 19:49:25 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id TAA16575 for firewalls-outgoing; Mon, 7 Jul 1997 19:35:10 -0700 (PDT)
Received: from gw.research.megasoft.com (gw.research.megasoft.com [206.230.35.93]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id TAA16553 for ; Mon, 7 Jul 1997 19:35:00 -0700 (PDT)
Received: (from uucp@localhost) by gw.research.megasoft.com (8.7.5/8.7.3-cmcurtin) id WAA04695; Mon, 7 Jul 1997 22:51:46 -0400 (EDT)
Received: from goffette.research.megasoft.com(192.168.1.2) by gw.research.megasoft.com via smap (V2.0) id xma004693; Mon, 7 Jul 97 22:51:31 -0400
Received: (from cmcurtin@localhost) by goffette.research.megasoft.com (8.8.5/8.8.5) id WAA03560; Mon, 7 Jul 1997 22:35:35 -0400 (EDT)
Date: Mon, 7 Jul 1997 22:35:35 -0400 (EDT)
Message-Id: <199707080235.WAA03560@goffette.research.megasoft.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
From: C Matthew Curtin
To: Clyde Williamson
Cc: firewalls@GreatCircle.COM
Subject: Re: Remote Management
In-Reply-To: <3.0.1.32.19970704101812.0069d66c@ee.net>
References: <3.0.1.32.19970704101812.0069d66c@ee.net>
X-Mailer: VM 6.22 under 19.15 XEmacs Lucid
X-Face: "&>g(&eGr?u^F:nFihL%BsyS1[tCqG7}I2rGk4{aKJ5I_5A\*6RYn4"N.`1pPF9LO!Fa<(gj:12)?=uP2l01e10Gij"7j&-)torL^iBrNf\s7PDLm=rf[PjxtSbZ{J(@@j"q2/iV9^Mx

>>>> "Clyde" == Clyde Williamson writes:

Clyde> I'm looking for software
Clyde> that will allow me through the firewall to see what's going on
Clyde> at my clients site, or even getting the info right from the
Clyde> firewall would work. I need something that can check security,
Clyde> broken links etc.
What you're looking for is probably best handled by looking for the right
tool for each problem that you're trying to solve, then add one more
problem: getting the data from the remote site in whatever timeframe you
need.

What kind of data do you need to get?
 o web server data? access logs, error logs, other logs?
 o other host logs?

Where are these systems?
 o On the Internet?
 o Are there firewalls, gateways, or other obstacles that you'll have to
   hop in order to get to them?

What is the architecture of your own Internet gateway?
 o Can you initiate cryptographic file transfers from behind your own
   firewall?

What are the requirements of the file transfer?
 o Does the data need to be private?
 o How long does it need to be private?
 o Against what sort of attacker do you need to keep the data private?
 o What sorts of delays are acceptable between the time a log entry is
   generated, and when you see it? (Along these lines, it's important to
   note that if you're looking for a solution that's going to give you a
   very short amount of delay between making a log entry and you seeing a
   log entry 100% of the time, no solution with the Internet in the middle
   is going to be the right one...)

Once each of these areas (and probably others) have been articulated, then
it's time to talk about how to bring the whole thing together. This is
almost certainly going to require some integration, though. In cases like
this, Perl is your friend. You're going to need to write your own glue to
make all of these things work together...

Clyde> It would also be great if it could pull
Clyde> demographics as well.

This is another issue that will need to be dealt with on more than a
technical background. What kind of demographic data? How much demographic
data? (Tracking someone's actions down to individual users who can be
identified, IMNSHO, is evil, and should never be done on "public" web
sites.)
If you're just looking for things like how many are coming from different top-level-domains (TLDs) and that sort of thing, this can easily be put together using one of a number of free tools, or you can crank a bit of Perl to do it yourself. Hope that helps. -- Matt Curtin Chief Scientist Megasoft Online cmcurtin@research.megasoft.com http://www.research.megasoft.com/people/cmcurtin/ I speak only for myself Pull AGIS.NET's plug! DES has fallen! http://www.frii.com/~rcv/deschall.htm From owner-firewalls-outgoing Mon Jul 7 20:10:31 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA23585 for firewalls-outgoing; Mon, 7 Jul 1997 17:48:00 -0700 (PDT) Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id RAA21947 for ; Mon, 7 Jul 1997 17:40:59 -0700 (PDT) Received: from servant (servant.mccaw-stg.com [205.172.10.40]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with SMTP id RAA02223 for ; Mon, 7 Jul 1997 17:43:01 -0700 (PDT) Received: from radiatore.mccaw-stg.com by servant (SMI-8.6/SMI-SVR4) id RAA14820; Mon, 7 Jul 1997 17:39:57 -0700 Received: by radiatore.mccaw-stg.com (SMI-8.6/SMI-SVR4) id RAA15995; Mon, 7 Jul 1997 17:39:57 -0700 Date: Mon, 7 Jul 1997 17:39:57 -0700 From: peter.gregory-unix@mccaw-stg.com (Peter Gregory) Message-Id: <199707080039.RAA15995@radiatore.mccaw-stg.com> To: firewalls@GreatCircle.COM, mht@clark.net Subject: Re: When is Integrity compromised? Cc: mark_teicher@notes.pw.com, Char_Sample@notes.pw.com, keithcha@clark.net Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Content-MD5: i6zE9zw50ODYO+SGA7JW6w== Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > What determines when integrity is compromised within a firewall or internet > security solution? > > Is it when the hardware/software fails to do its job? 
> Is it with the network architecture that was improperly designed?
> Is it with a firewall that was not designed for a particular function?
> Is it with people who are not properly trained to maintain a firewall?
> Or is it with management who fails to recognize when people,
> hardware/software and policy are not adequate to sustain such a solution?

You first have to decide what is important in terms of business requirements, the value of the information you are trying to protect, and return on investment. Then answering these questions should be easy.

-pg
--
Peter Gregory [NICname PG11]  peter.gregory@attws.com
IT Manager, AT&T Wireless Services, Strategic Technologies Group

From owner-firewalls-outgoing Mon Jul 7 20:34:58 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id UAA29440 for firewalls-outgoing; Mon, 7 Jul 1997 20:29:27 -0700 (PDT)
Received: from solnet (solnet.dataprep.com.my [202.190.59.28]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id UAA29409 for ; Mon, 7 Jul 1997 20:29:19 -0700 (PDT)
Received: by solnet (SMI-8.6/SMI-SVR4) id LAA26550; Tue, 8 Jul 1997 11:44:28 -0800
Received: from sos.dataprep.com.my(202.190.59.67) by solnet.dataprep.com.my via smap (V2.0beta) id xma026548; Tue, 8 Jul 97 11:44:26 -0800
Received: by sos.dataprep.com.my with Microsoft Mail id <01BC8B94.66D83F80@sos.dataprep.com.my>; Tue, 8 Jul 1997 11:45:15 +-800
Message-ID: <01BC8B94.66D83F80@sos.dataprep.com.my>
From: Ö Kenneth Phang Ö
To: "'Firewall digest'"
Subject: FW-1 v3.0/3.0a supported NAT rules
Date: Tue, 8 Jul 1997 11:45:13 +-800
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

Is there any documentation or B&W on maximum supported NAT entries of xlate.conf in v3.0 and v3.0a?

Thanks in advance.
Cheers
kent

From owner-firewalls-outgoing Mon Jul 7 20:49:42 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id UAA03561 for firewalls-outgoing; Mon, 7 Jul 1997 20:48:00 -0700 (PDT)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id UAA01972 for ; Mon, 7 Jul 1997 20:41:02 -0700 (PDT)
Received: from peets.us.checkpoint.com (us.checkpoint.com [206.86.35.130]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with ESMTP id UAA05824 for ; Mon, 7 Jul 1997 20:23:40 -0700 (PDT)
Received: from emily.sirius.com (ppp169-sf1.sirius.com [205.134.227.169]) by peets.us.checkpoint.com (8.8.3/8.8.3) with SMTP id UAA12924 for ; Mon, 7 Jul 1997 20:22:30 -0700 (PDT)
Message-Id: <2.2.32.19970708031615.006e5d38@us.checkpoint.com>
X-Sender: emily@us.checkpoint.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 07 Jul 1997 20:16:15 -0700
To: Firewalls@GreatCircle.COM
From: "Emily G. Cohen"
Subject: Check Point response to Mossad rumor
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Check Point Software Technologies Ltd. would like to assure its customers, security experts, and others that there is no, and never has been, an "agreement" or relationship between Check Point Software and the Mossad, or any other branch of the Israeli government or military, to create a "back door" into Check Point products.

These are false and malicious rumors that have been circulating since Check Point became successful, specifically targeted at damaging the company, and they are always from "anonymous sources." Check Point takes these rumors seriously, and if anyone has information on the source/s of these rumors, we would be very interested in hearing from you, so that we can take appropriate action.
Check Point FireWall-1 is the most widely installed network security solution in the world and no customer has ever reported a security breach of this nature. Check Point FireWall-1's customer list includes accounts with the highest level of security consciousness such as U.S. national and foreign governments, the world's leading financial institutions, telcos and ISPs. All Check Point FireWall-1 customers benefit from the product's patented Stateful Inspection technology ensuring the highest level of enterprise security available today.

Emily Cohen, Director of Corporate Communications
Check Point Software Technologies, Inc.
400 Seaport Court, Suite 105
Redwood City, CA 94063
Tel: 415-562-0400 x228
Fax: 415-562-0410
www.checkpoint.com

From owner-firewalls-outgoing Mon Jul 7 21:13:59 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id TAA19406 for firewalls-outgoing; Mon, 7 Jul 1997 19:47:48 -0700 (PDT)
Received: from Alcon.Com (ns2.alcon.com [204.251.168.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id TAA19283 for ; Mon, 7 Jul 1997 19:47:24 -0700 (PDT)
Received: (from geboykin@localhost) by Alcon.Com (8.7.6/8.8.5) id UAA02262; Mon, 7 Jul 1997 20:49:24 -0500
Date: Mon, 7 Jul 1997 20:49:24 -0500 (CDT)
From: Greg Boykin
To: "Martin C. Walker"
cc: fw-1-mailinglist@us.checkpoint.com, firewalls@greatcircle.com
Subject: Re: FW-1 DESTINATION IP Address Translation
In-Reply-To: <3.0.32.19970707103245.00c9e57c@mail.epcorp.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 7 Jul 1997, Martin C. Walker wrote:

> Can anyone provide me with details on how to translate the
> DESTINATION IP address in a forward moving packet outbound
> from the firewall to the internet ?

Turn the firewall around.
-Greg-

From owner-firewalls-outgoing Mon Jul 7 21:19:40 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id TAA22354 for firewalls-outgoing; Mon, 7 Jul 1997 19:59:40 -0700 (PDT)
Received: from mail.inreach.com (mail.inreach.com [205.138.224.216]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id TAA22247 for ; Mon, 7 Jul 1997 19:59:16 -0700 (PDT)
Received: from talos (ppp1005.stk.inreach.net [205.138.244.5]) by mail.inreach.com (8.8.6/8.8.6/(InReach)) with ESMTP id UAA09658; Mon, 7 Jul 1997 20:01:26 -0700 (PDT)
Message-Id: <199707080301.UAA09658@mail.inreach.com>
Reply-To: <@inreach.com>
From: "John DIas"
To: "Phil Burg" , "'firewalls@greatcircle.com'"
Subject: Re: another Citrix Winframe query
Date: Mon, 7 Jul 1997 20:03:18 -0700
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1157
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I have been waiting for a post regarding Winframe. I have had a few clients that have implemented Winframe.

What is Winframe? Winframe is an X Windows server hosted on an NT Server. The idea is to put the power back at the server and save money by avoiding upgrading the clients!!! Of course, the applications are executed at the server and if the network performance is good the end user performance is also good!

Beware, the entire technology is based on low bandwidth X windows. I am currently in progress of doing a security analysis of Low Bandwidth X....But to be truthful I haven't made much progress( I have to work; gets in the way )

So I'm with Phil......What are the threats involved with this stuff??? Is Low Bandwidth X more secure than X windows??? Less secure?? The same??
By-the-way, thus far my recommendations to my clients are as follows:

If clients and server are on the internal net or a point-to-point remote office: Allow
If server is outside Firewall, hell no, the stuff is just X windows: Drop, reject

cheers
John Dias
independent consultant

----------
> From: Phil Burg
> To: 'firewalls@greatcircle.com'
> Subject: another Citrix Winframe query
> Date: Thursday, July 03, 1997 5:38 PM
>
> G'day all
>
> My apologies if this has been discussed before; I searched the archives
> but couldn't find this problem.
>
> Some of my users want to connect, through our firewall, to a third-party
> winframe server. The client PCs will be connected to our LAN at the
> same time as the remote server. I'm wondering if there's a known
> exposure
> in the Winframe client software that would allow the client PCs to be
> compromised ?
>
> regards
> Phil
> --
> Phil Burg
> Technical Analyst
> Information Systems Security
> Coles Myer Ltd
> (03) 9483 7613
>

From owner-firewalls-outgoing Mon Jul 7 21:34:26 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id TAA22211 for firewalls-outgoing; Mon, 7 Jul 1997 19:58:58 -0700 (PDT)
Received: from gw.research.megasoft.com (gw.research.megasoft.com [206.230.35.93]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id TAA21939 for ; Mon, 7 Jul 1997 19:58:03 -0700 (PDT)
Received: (from uucp@localhost) by gw.research.megasoft.com (8.7.5/8.7.3-cmcurtin) id XAA04878; Mon, 7 Jul 1997 23:14:46 -0400 (EDT)
Received: from goffette.research.megasoft.com(192.168.1.2) by gw.research.megasoft.com via smap (V2.0) id xma004876; Mon, 7 Jul 97 23:14:43 -0400
Received: (from cmcurtin@localhost) by goffette.research.megasoft.com (8.8.5/8.8.5) id WAA03588; Mon, 7 Jul 1997 22:58:38 -0400 (EDT)
Date: Mon, 7 Jul 1997 22:58:38 -0400 (EDT)
Message-Id: <199707080258.WAA03588@goffette.research.megasoft.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
From: C Matthew Curtin
To: Dave Wreski
Cc: firewalls@GreatCircle.COM
Subject: Re: Moving data to external machines
In-Reply-To:
References:
X-Mailer: VM 6.22 under 19.15 XEmacs Lucid
X-Face: "&>g(&eGr?u^F:nFihL%BsyS1[tCqG7}I2rGk4{aKJ5I_5A\*6RYn4"N.`1pPF9LO!Fa<(gj:12)?=uP2l01e10Gij"7j&-)torL^iBrNf\s7PDLm=rf[PjxtSbZ{J(@@j"q2/iV9^Mx

>>>> "Dave" == Dave Wreski writes:

Hi Dave. You've got a good question here, and one that I've been hearing (from consultant friends) is pretty common.

Before you define a solution, you need to articulate a policy with regard to the operation and configuration of those networks and hosts on them. This is going to have to include what threat models you've dealt with and what level of risk you're willing to accept for the tradeoff of convenience. Everything that I say from here on out is subject to be wrong, in terms of the right solution for you, since I don't know what your organization considers secure enough, etc. Having said that, there are some general comments that might be of interest to you...

For this sort of thing, I highly recommend _against_ any sort of two way or "real" network connection between the outside network (probably actually a DMZ, since you've got packet filtering going on at your access router, right? right? :-) and the inside. (SMB is out.)

OK, other options you mentioned include SSH (scp) and ftp.

The ability to encrypt the datastream isn't likely to be terribly interesting to you in this environment, since everything is going over LANs you control (right?) So unless you're using broadcast-type networks (i.e., ethernet) and you're concerned about someone on the inside sniffing for passwords and such, something cleartext is going to be OK.

On the other hand, if your threat model includes a situation where someone breaks into a host on that external DMZ network, the same one that your web server is on, and can make that host do packet sniffing, then that changes things.
If you want to prevent someone in a case like that from harvesting user IDs and passwords for your web server, then having the encrypted link would be useful. (In this case, having NT as your server is also a very limiting factor, because your options for how to do this well are way, way more limited than if your web server was some flavor of Unix, where you could just build some code and install it.)

Another nice feature with SSH is that it can do strong host authentication, a la host keys. This is a Good Thing(tm), but since you have physical control over both machines, this probably isn't necessary for you. After all, are you worried about one host impersonating another, or something like that? This is a real threat if you're going over an untrusted network like the Internet, but over your own LAN, it's probably not a Big Deal...

If you don't need the encrypted session or strong host authentication, SSH isn't the right tool.

So we're left with FTP... If your access router is disabling requests to that machine except for tcp/80 (or whatever other web servers you've got on it...), then it's probably ok for you to do a proxy FTP thing. Be sure to always initiate the connection from INSIDE your network and PUSH it outside, never the reverse. If you PULL it out from the inside, then you're creating a way for an attacker who has compromised your web server to get to your internal network... Obviously this is bad.

Something along these lines might do the job for you:

 o develop content and whatnot on some machine behind the firewall.
 o turn it into an archive, tar+gzip or PKZIP or whatever
 o fire up proxy ftp from that host, login to the web server and drop the archive in some drop zone
 o a process on the web server looks in the drop zone from time to time.
   * if stuff is there, then pull it out, and unwind the archive in the right place

A bit of Perl should do the trick.

Hope that helps.
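The drop-zone step in the list above, as an added example that is not part of the original post (Matt mentions Perl; this is Python): the process on the web server that looks in the drop zone, checks each tar+gzip archive, and unwinds it under the document root. The directory names, the `.tar.gz` naming and the idea that the inside host has already pushed the archive with proxy FTP are all assumptions of the example. The check it adds is the one that matters on the exposed side: the unpacker refuses any member with an absolute name, a `..` component, a link or a device node, so an archive that was tampered with on the web server cannot write outside the document root, and anything refused is parked rather than installed.

```python
"""Web-server side of the push-only publishing scheme: a drop-zone processor.

Added example, not code from the original post.  Assumed layout:
  drop_dir      where the inside host drops <name>.tar.gz via proxy FTP
  docroot       where the unwound content is installed
  rejected_dir  where archives that fail the safety check are parked
"""
import io
import os
import shutil
import tarfile
import tempfile
from pathlib import Path


def archive_is_safe(tar: tarfile.TarFile, dest: Path) -> bool:
    """True only if every member is a plain file or directory that lands under dest.

    The archive is unpacked on the more exposed host, so a member with an
    absolute name, a '..' component, a symlink/hardlink or a device node is
    treated as tampering and the whole archive is refused.
    """
    dest = dest.resolve()
    for member in tar.getmembers():
        if not (member.isfile() or member.isdir()):
            return False
        if os.path.isabs(member.name) or ".." in Path(member.name).parts:
            return False
        target = (dest / member.name).resolve()
        if target != dest and dest not in target.parents:
            return False
    return True


def process_drop_zone(drop_dir: Path, docroot: Path, rejected_dir: Path):
    """Unwind every *.tar.gz in drop_dir into docroot; park the rest in rejected_dir.

    Returns (installed, rejected): lists of archive file names.
    """
    installed, rejected = [], []
    # Python >= 3.12 has extraction filters; use the strict one when available.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    for archive in sorted(Path(drop_dir).glob("*.tar.gz")):
        try:
            with tarfile.open(archive, "r:gz") as tar:
                safe = archive_is_safe(tar, Path(docroot))
                if safe:
                    tar.extractall(docroot, **extract_opts)
        except tarfile.TarError:          # truncated or corrupt upload
            safe = False
        if safe:
            archive.unlink()              # consumed: remove it from the drop zone
            installed.append(archive.name)
        else:
            shutil.move(str(archive), str(Path(rejected_dir) / archive.name))
            rejected.append(archive.name)
    return installed, rejected


def make_archive(path: Path, members: dict) -> None:
    """Constructed test input: write a tar+gzip with the given name -> bytes members."""
    with tarfile.open(path, "w:gz") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))


def demo() -> dict:
    """Run the processor over a constructed drop zone: one good archive and one
    whose member tries to escape the document root with a '../' name."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        drop, docroot, parked = root / "drop", root / "htdocs", root / "rejected"
        for d in (drop, docroot, parked):
            d.mkdir()
        make_archive(drop / "site-001.tar.gz", {"index.html": b"<h1>hello</h1>\n"})
        make_archive(drop / "site-002.tar.gz", {"../outside.txt": b"escaped\n"})
        installed, rejected = process_drop_zone(drop, docroot, parked)
        return {
            "installed": installed,
            "rejected": rejected,
            "index_ok": (docroot / "index.html").read_bytes() == b"<h1>hello</h1>\n",
            "escaped": (root / "outside.txt").exists(),
            "parked": (parked / "site-002.tar.gz").exists(),
        }


if __name__ == "__main__":
    print(demo())
```

Run it from cron on the web server against the real directories; `demo()` only exists to exercise the two paths on constructed input. The check is done on the member list before anything is written, so a single bad member causes the whole archive to be parked rather than a partial install.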
--
Matt Curtin  Chief Scientist  Megasoft Online  cmcurtin@research.megasoft.com
http://www.research.megasoft.com/people/cmcurtin/  I speak only for myself
Pull AGIS.NET's plug!  DES has fallen!  http://www.frii.com/~rcv/deschall.htm

From owner-firewalls-outgoing Mon Jul 7 21:54:30 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA23803 for firewalls-outgoing; Mon, 7 Jul 1997 17:49:27 -0700 (PDT)
Received: from iproute.com (att.avana.net [205.245.133.35]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id QAA12339 for ; Mon, 7 Jul 1997 16:56:32 -0700 (PDT)
From: mikech@avana.net
Received: from att (att.iproute.com [192.168.0.4]) by iproute.com (8.8.4/8.8.4) with SMTP id UAA12622; Mon, 7 Jul 1997 20:53:46 -0400
Date: Mon, 7 Jul 1997 19:55:25 -0500
Subject: Re: Two ISP's to one DMZ
To: Andrew Partan , Paul Ferguson
Cc: firewalls@GreatCircle.COM
X-Mailer: Z-Mail Pro 6.1 (Win32 - 021297) Evaluation Copy, NetManage Inc.
X-Priority: 3 (Normal)
References: <3.0.3.32.19970707101502.006c9e94@lint.cisco.com> <3.0.3.32.19970707150849.006d43fc@lint.cisco.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=ISO-8859-1
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

------------------------
From: Paul Ferguson
Subject: Re: Two ISP's to one DMZ
Date: Mon, 07 Jul 1997 15:08:49 -0400
To: Andrew Partan
Cc: firewalls@GreatCircle.COM

> In theory (and the lab), yes -- but this has not been deployed in
> a production network to my knowledge. :-)
>
> - paul
>
> At 01:04 PM 07/07/97 -0400, Andrew Partan wrote:
>
> >> >Is there another way to set up redundancy between two ISP's without doing
> >> >BGP peering?
> >>
> >> No, not really.
> >
> >Dual homed NAT.
> > --asp@partan.com (Andrew Partan)
> >
> >
>
> --
> Paul Ferguson                  ||        ||
> Consulting Engineering         ||        ||
> Herndon, Virginia USA         ||||      ||||
> tel: +1.703.397.5938      ..:||||||:..:||||||:..
> e-mail: pferguso@cisco.com   c i s c o S y s t e m s
> ---------------End of Original Message-----------------

We have it working at about 50 corporate sites (and 500 telecommuting sites). Check out: http://www.iproute.com for the software details. BTW it can also be triple, quadruple, or more homed NAT.

Mike
-- 19:55:26 07/07/97
_______________________________________________________________________
Michael W. Chalkley          Tel:    +1.770.772.4567
ZapNet! Inc.                 Fax:    +1.770.475.7640
Suite 400-120                E-mail: mikech@iproute.com
10945 State Bridge Road              mikech@avana.net
Alpharetta, GA 30202         http://www.iproute.com

From owner-firewalls-outgoing Mon Jul 7 22:04:26 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id VAA20450 for firewalls-outgoing; Mon, 7 Jul 1997 21:55:31 -0700 (PDT)
Received: from mail.rc.on.ca ([207.176.151.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id VAA20427 for ; Mon, 7 Jul 1997 21:55:22 -0700 (PDT)
Received: by mail.rc.on.ca with Internet Mail Service (5.0.1458.49) id <3JLRMKXL>; Tue, 8 Jul 1997 00:25:00 -0400
Message-ID:
From: Russ
To: "firewalls@greatcircle.com" , "'Kelly E. Gibbs'"
Subject: RE: Blasting Microsoft... again!
Date: Tue, 8 Jul 1997 00:24:57 -0400
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1458.49)
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Could we keep the anti-MS diatribe, with absolutely no bearing to the Firewalls list, out of the list please? Just because you think the article supports your naive views of doing business with Microsoft, doesn't necessarily mean that everyone else needs to hear your critique of it. I'm sure that American Express is big enough to think for themselves and unlikely to need some magazine columnist, or you, to warn them of non-compete clauses.

Cheers,
Russ
R.C. Consulting, Inc.
- NT/Internet Security
owner of the NTBugTraq mailing list: http://ntbugtraq.rc.on.ca/index.html

From owner-firewalls-outgoing Mon Jul 7 22:29:09 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id QAA07858 for firewalls-outgoing; Mon, 7 Jul 1997 16:34:40 -0700 (PDT)
Received: from usr02.primenet.com (usr02.primenet.com [206.165.5.102]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id QAA07843 for ; Mon, 7 Jul 1997 16:34:32 -0700 (PDT)
From: darksead@dakotacom.net
Received: from usr6 (darksead@usr6.dakotacom.net [207.201.204.135]) by usr02.primenet.com (8.8.5/8.8.5) with SMTP id QAA29749 for ; Mon, 7 Jul 1997 16:38:13 -0700 (MST)
Date: Mon, 7 Jul 1997 16:38:13 -0700 (MST)
Message-Id: <3.0.32.19970707163418.009b86e0@dakotacom.net>
X-Sender: darksead@dakotacom.net
X-Mailer: Windows Eudora Pro Version 3.0 (32)
To: firewalls@GreatCircle.COM
Subject: Setting up firewall newbie..
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Welp, being the silent type I never usually speak, however the company I work for has elected me to take care of security issues since the admin left. Currently we are on a T3 with about 1500 users and using a 486 dx4 100 running linux as a packet filter outside the router. It seems though, that this configuration is placing a strenuous bottle-neck on the network and users aren't getting the speed or access times they deserve.

My question is, basically a general one. Where can one find resources on the best types of firewalls, setup, theory and the likes on both the net and normal literature. Also, if anyone would be willing to give a bit of advice on the CURRENT packet filter we have, it would be much appreciated.
-Nick

From owner-firewalls-outgoing Tue Jul 8 00:19:24 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id AAA08475 for firewalls-outgoing; Tue, 8 Jul 1997 00:12:52 -0700 (PDT)
Received: from mozart.seed.net.tw ([139.175.168.76]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id AAA08460 for ; Tue, 8 Jul 1997 00:12:45 -0700 (PDT)
Received: from mercury.seed.net.tw ([139.175.168.159]) by mozart.seed.net.tw (Netscape Mail Server v2.0) with SMTP id AAA6290 for ; Tue, 8 Jul 1997 15:14:57 +0900
X-Sender: chfeng@mozart.seed.net.tw
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@GreatCircle.COM
From: chfeng@mozart.seed.net.tw (chfeng)
Subject: NAT immune to traceroute
Date: Tue, 8 Jul 1997 15:14:57 +0900
Message-ID: <19970708071456.AAA6290@mercury.seed.net.tw>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

hi:

I apologize if this question has been discussed before.

Can anyone point me to any NAT devices which, on the condition of allowing incoming/outgoing ICMP messages, can hide internal IP information from such applications as traceroute? Based on RFC 1631, I figure that the device must be capable of modifying the headers of outgoing ICMP "time exceeded" packets. Am I correct?

Thanks in advance.

Chih-hung Feng
SEEDNET, System Engineering Dept.
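The rewrite Chih-hung describes, as an added example that is not part of the original post: a Python model of what an RFC 1631 style NAT has to do to an ICMP "time exceeded" message on its way out of the private network. The addresses (10.0.0.0/8 inside, 192.0.2.1 as the NAT's public address, 198.51.100.7 as the outside host running traceroute) and the packet bytes are constructed for the example. It goes a little beyond the question: the same rewrite is applied to any ICMP error that quotes the offending datagram (Destination Unreachable and Parameter Problem as well as Time Exceeded), since all of them carry an inside address in the quoted header.

```python
"""Model of the ICMP error translation an RFC 1631 style NAT must perform.

Added example, not code from the original post.  Constructed addresses:
  10.0.0.0/8      the private side behind the NAT
  192.0.2.1       the NAT's public address (all internal hosts appear as this)
  198.51.100.7    the outside host running traceroute
"""
import ipaddress
import struct

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
PUBLIC_ADDR = "192.0.2.1"
ICMP_ERRORS_WITH_QUOTE = (3, 11, 12)   # Dest Unreachable, Time Exceeded, Parameter Problem


def checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum.  Over a header that already carries its
    own checksum the result is 0, which is how summarize() verifies them."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, ttl, total_len, ident=0x1234) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0, ttl, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def _set_ip(hdr: bytes, offset: int, addr: str) -> bytes:
    """Overwrite the 4-byte address at offset and recompute the IP header checksum."""
    hdr = hdr[:offset] + ipaddress.ip_address(addr).packed + hdr[offset + 4:]
    hdr = hdr[:10] + b"\0\0" + hdr[12:]
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def time_exceeded(router: str, tracer: str, offending: bytes) -> bytes:
    """What an internal router sends when a traceroute probe's TTL hits zero:
    IP + ICMP type 11 code 0, quoting the probe's IP header plus 8 bytes."""
    icmp = struct.pack("!BBHI", 11, 0, 0, 0) + offending[:28]
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ipv4_header(router, tracer, 1, 64, 20 + len(icmp)) + icmp


def nat_outbound_icmp_error(pkt: bytes) -> bytes:
    """Translate an ICMP error leaving the private network.

    Two addresses betray the inside: the outer source (the internal router
    that generated the error) and the destination inside the quoted header
    (the probe's already-translated internal target).  Both are mapped to
    PUBLIC_ADDR, then the quoted IP checksum, the ICMP checksum and the outer
    IP checksum are recomputed.  The quoted UDP/TCP checksum is left alone:
    only 8 bytes of that header are present, so it cannot be recomputed.
    """
    ihl = (pkt[0] & 0x0F) * 4
    outer, icmp = pkt[:ihl], pkt[ihl:]
    if outer[9] != 1 or icmp[0] not in ICMP_ERRORS_WITH_QUOTE:
        return pkt                                   # not an ICMP error: untouched
    inner = icmp[8:]
    inner_ihl = (inner[0] & 0x0F) * 4
    inner_hdr, inner_rest = inner[:inner_ihl], inner[inner_ihl:]
    if ipaddress.ip_address(outer[12:16]) in INTERNAL_NET:
        outer = _set_ip(outer, 12, PUBLIC_ADDR)
    if ipaddress.ip_address(inner_hdr[16:20]) in INTERNAL_NET:
        inner_hdr = _set_ip(inner_hdr, 16, PUBLIC_ADDR)
    icmp = icmp[:2] + b"\0\0" + icmp[4:8] + inner_hdr + inner_rest
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return outer + icmp


def summarize(pkt: bytes) -> dict:
    """The addresses traceroute would see, plus a check of all three checksums."""
    ihl = (pkt[0] & 0x0F) * 4
    outer, icmp = pkt[:ihl], pkt[ihl:]
    inner = icmp[8:]
    inner_ihl = (inner[0] & 0x0F) * 4
    return {
        "outer_src": str(ipaddress.ip_address(outer[12:16])),
        "outer_dst": str(ipaddress.ip_address(outer[16:20])),
        "quoted_src": str(ipaddress.ip_address(inner[12:16])),
        "quoted_dst": str(ipaddress.ip_address(inner[16:20])),
        "checksums_ok": checksum(outer) == 0 and checksum(icmp) == 0
        and checksum(inner[:inner_ihl]) == 0,
    }


def demo():
    tracer = "198.51.100.7"
    # The tracer's UDP probe as the internal router received it: destination
    # already translated to the internal host by the NAT, TTL down to 1.
    probe = ipv4_header(tracer, "10.0.0.5", 17, 1, 40) + struct.pack("!HHHH", 40000, 33434, 20, 0)
    before = time_exceeded("10.0.0.1", tracer, probe)
    after = nat_outbound_icmp_error(before)
    return summarize(before), summarize(after)


if __name__ == "__main__":
    for label, s in zip(("before NAT", "after NAT"), demo()):
        print(label, s)
```

Without the first rewrite the outside tracer sees 10.0.0.1 as a hop; without the second, a tracer that compares the quoted header with what it sent can still learn that the probe was delivered to 10.0.0.5. A NAT that changes either address but not the checksums produces a message the receiving stack discards, which is why the three checksums are recomputed together.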
TEL 02-7370177#359
E-Mail chfeng@mozart.seed.net.tw

From owner-firewalls-outgoing Tue Jul 8 00:34:30 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id AAA08960 for firewalls-outgoing; Tue, 8 Jul 1997 00:23:31 -0700 (PDT)
Received: from metronet.de (mail3.metronet.de [193.168.128.17]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id AAA08945 for ; Tue, 8 Jul 1997 00:23:24 -0700 (PDT)
Received: from zentrale.metronet.de (habakuk.metronet.de [193.168.128.64]) by metronet.de ((METRONET) 8.7.5/8.7.3) with ESMTP id JAA13895 for ; Tue, 8 Jul 1997 09:27:04 +0200 (MET DST)
Received: from localhost (fpost@localhost) by zentrale.metronet.de (8.7.5/8.7.3) with SMTP id JAA21816 for ; Tue, 8 Jul 1997 09:27:03 +0200 (MET DST)
Date: Tue, 8 Jul 1997 09:27:02 +0200 (MET DST)
From: Frank Post
To: firewalls@GreatCircle.COM
Subject: FW-1 Performance
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Is it possible that FW-1 v2.0 on a Sun Ultra-1 needs 60% of the Systems CPU Performance, when it is connected to a 6MBit/s Internet Link? Even if there are no Rules in (only to Log all other Port than http), and the DNS Resolution of Logging is Disabled?
Thanks,
Frank
-------------------------------------------------------------------------
Frank Post                                      Email: fpost@metronet.de

From owner-firewalls-outgoing Tue Jul 8 01:23:38 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id AAA13520 for firewalls-outgoing; Tue, 8 Jul 1997 00:49:37 -0700 (PDT)
Received: from shell4.ba.best.com (shell4.ba.best.com [206.184.139.135]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id AAA13503 for ; Tue, 8 Jul 1997 00:49:31 -0700 (PDT)
Received: from localhost (aajpeter@localhost) by shell4.ba.best.com (8.8.5/8.7.3) with SMTP id AAA23881 for ; Tue, 8 Jul 1997 00:53:17 -0700 (PDT)
X-Authentication-Warning: shell4.ba.best.com: aajpeter owned process doing -bs
Date: Tue, 8 Jul 1997 00:53:17 -0700 (PDT)
From: "Aaron J. Peterson"
X-Sender: aajpeter@shell4.ba.best.com
Reply-To: "Aaron J. Peterson"
To: Firewalls@GreatCircle.COM
Subject: RE: Two ISP's to one DMZ
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

All this talk about dynamic DNS as a solution to _anything_ surprises me. This is an application where a key goal is to optimize recovery or failover response time. You'd think that people actually believed that "dynamic DNS" is scalable. Keeping track of who to push deltas to aside, it seems to me that one of the key aspects of DNS, the distributed database that it is, was caching for a significant period of time. So, dynamic NAT + dynamic DNS, IMNSHO, is a poor solution due to the connectivity loss during the time required to allow all the caches of all the not-quite-bleeding-edge DNS servers to expire.

I really must be missing a key point, please tell me what it is.

That leaves BGP as the only feasible, universal solution.

Sorry, this has little to do with firewalls proper, I'll shut up.

-Aaron J. Peterson
Opinionated Network Dabbler
aajpeter@best.com

From owner-firewalls-outgoing Tue Jul 8 02:19:28 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id CAA20212 for firewalls-outgoing; Tue, 8 Jul 1997 02:08:24 -0700 (PDT)
Received: from palrel1.hp.com (palrel1.hp.com [156.153.255.235]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id CAA20193 for ; Tue, 8 Jul 1997 02:08:16 -0700 (PDT)
Received: from jazari.hpl.hp.com (jazari.hpl.hp.com [15.144.62.181]) by palrel1.hp.com (8.8.5/8.8.5) with ESMTP id CAA22848 for ; Tue, 8 Jul 1997 02:12:01 -0700 (PDT)
Received: (from azari@localhost) by jazari.hpl.hp.com (8.7.1/8.7.1) id KAA06992; Tue, 8 Jul 1997 10:11:57 +0100 (BST)
From: "Jian Azari"
Message-Id: <9707081011.ZM6990@jazari.hpl.hp.com>
Date: Tue, 8 Jul 1997 10:11:56 +0100
In-Reply-To: Melitta Kimbacher "Re: Routing with 2 checkpoint Firewalls" (Jul 7, 7:05pm)
References:
X-Mailer: Z-Mail (3.2.1 10oct95)
To: Melitta Kimbacher , Matthew Frith
Subject: Re: Routing with 2 checkpoint Firewalls
Cc: Firewalls@GreatCircle.COM, azari@hplb.hpl.hp.com, adc@hplb.hpl.hp.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Jul 7, 7:05pm, Melitta Kimbacher wrote:
> Subject: Re: Routing with 2 checkpoint Firewalls
> On Mon, 7 Jul 1997, Matthew Frith wrote:
>
> > [NON-Text Body part not included]
> >
>
> ------------------------------------------------------------------------
> Melitta Kimbacher
> Austrian Academy of Sciences   Tel.: +43 1 515 81 363
> Computer Center                Fax:  +43 1 515 81 379
> Dr. Ignaz Seipel-Platz 2       E-Mail: Melitta.Kimbacher@oeaw.ac.at
> A-1010 Wien
>
>-- End of excerpt from Melitta Kimbacher

Melitta, thank you for your reply to my colleague's question. As you can see we didn't get the body of your reply. Would you be kind enough to remail please.
with kind thanks,
Jian/
/
--
------------------------------------------------------------------------------
 *****     *****   Jian Azari                  Tel: +44 117 922 8047
***  /_ __  ***    Electronic Business Group   Fax: +44 117 922 9285
**  / / /_/  **    Hewlett Packard             Telnet: 312 8047
***    /    ***    Bristol, BS12 6QZ           Email: jian_azari@hp.com
 *****     *****   U.K.                        http://www.hp.co.uk/people/azari/
------------------------------------------------------------------------------

From owner-firewalls-outgoing Tue Jul 8 04:19:24 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA01761 for firewalls-outgoing; Tue, 8 Jul 1997 04:13:42 -0700 (PDT)
Received: from titan.mad.servicom.es (titan.mad.servicom.es [194.106.0.133]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id EAA01754 for ; Tue, 8 Jul 1997 04:13:34 -0700 (PDT)
From: Juan Carlos Gomez
Received: from Servicom.mad.servicom.es by titan.mad.servicom.es (8.6.12/FI-3.3) Tue, 8 Jul 1997 13:17:15 +0200
Message-Id: <3.0.32.19970708131836.006cadac@pop.mad.servicom.es>
X-Sender: jcgomez@pop.mad.servicom.es
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Tue, 08 Jul 1997 13:18:38 +0100
To: Firewalls-Digest@GreatCircle.COM
Subject: firewall-1 & exec
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

I have a problem with "exec" service in Firewall-1 v3.0. If the rules are:

    external-net    internal-net    X11    accept
    internal-net    external-net    any    accept
    any             any             any    reject

and I use eXodus with "exec only" to make an exec connection from my internal PC to an external server (to open a xterm from the server to my PC), then it don't work and the logs are:

                                                              (source port)
    accept   exec   internal-PC       external-server   tcp   1023
    reject   1022   external-server   internal-PC       tcp   39214

In the "properties->services" of the firewall, I enable "RSH/REXEC Reverse stderr Connections".
What more I have to permit?

Thanks in advance.

Juan Carlos.

From owner-firewalls-outgoing Tue Jul 8 04:49:30 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA03804 for firewalls-outgoing; Tue, 8 Jul 1997 04:41:31 -0700 (PDT)
Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id EAA03797 for ; Tue, 8 Jul 1997 04:41:25 -0700 (PDT)
Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id HAA25212; Tue, 8 Jul 1997 07:42:19 -0400 (EDT)
From: Adam Shostack
Message-Id: <199707081142.HAA25212@homeport.org>
Subject: Re: Moving data to external machines
In-Reply-To: <199707080258.WAA03588@goffette.research.megasoft.com> from C Matthew Curtin at "Jul 7, 97 10:58:38 pm"
To: cmcurtin@research.megasoft.com
Date: Tue, 8 Jul 1997 07:42:18 -0400 (EDT)
Cc: dave@nic.com, firewalls@GreatCircle.COM
X-Mailer: ELM [version 2.4ME+ PL27 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

All of Matthew's good arguments that SSH is overkill aside, proxying SSH is simpler than proxying ftp. Getting non-replayable host authentication is a win as well. So I'd suggest (knowing nothing about your situation :) an SSH push over an FTP push.

Adam

C Matthew Curtin wrote:
| For this sort of thing, I highly recommend _against_ any sort of two
| way or "real" network connection between the outside network (probably
| actually a DMZ, since you've got packet filtering going on at your
| access router, right? right? :-) and the inside. (SMB is out.)
|
| OK, other options you mentioned include SSH (scp) and ftp.
|
| The ability to encrypt the datastream isn't likely to be terribly
| interesting to you in this environment, since everything is going over
| LANs you control (right?) So unless you're using broadcast-type

| Another nice feature with SSH is that it can do strong host
| authentication, a la host keys. This is a Good Thing(tm), but since
| you have physical control over both machines, this probably isn't
| necessary for you. After all, are you worried about one host
| impersonating another, or something like that? This is a real threat
| if you're going over an untrusted network like the Internet, but over
| your own LAN, it's probably not a Big Deal...
|
| If you don't need the encrypted session or strong host authentication,
| SSH isn't the right tool.

| So we're left with FTP... If your access router is disabling requests
| to that machine except for tcp/80 (or whatever other web servers
| you've got on it...), then it's probably ok for you to do a proxy FTP
| thing. Be sure to always initiate the connection from INSIDE your
| network and PUSH it outside, never the reverse.

--
He has erected a multitude of new offices, and sent hither swarms of officers to harrass our people, and eat out their substance.

From owner-firewalls-outgoing Tue Jul 8 05:08:55 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA04430 for firewalls-outgoing; Tue, 8 Jul 1997 04:45:48 -0700 (PDT)
Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id EAA04368 for ; Tue, 8 Jul 1997 04:45:34 -0700 (PDT)
Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id HAA25263; Tue, 8 Jul 1997 07:47:17 -0400 (EDT)
From: Adam Shostack
Message-Id: <199707081147.HAA25263@homeport.org>
Subject: Re: Check Point response to Mossad rumor`
In-Reply-To: <2.2.32.19970708031615.006e5d38@us.checkpoint.com> from "Emily G. Cohen" at "Jul 7, 97 08:16:15 pm"
To: emily@us.checkpoint.com (Emily G. Cohen)
Date: Tue, 8 Jul 1997 07:47:17 -0400 (EDT)
Cc: Firewalls@GreatCircle.COM
X-Mailer: ELM [version 2.4ME+ PL27 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Might I suggest a solution?

From out here, it seems the real value from a CheckPoint FW is the GUI & management tools. The packet filter itself is fairly similar to freely available ones such as IPFilter and ipfw.

So release the source code to the packet filter. This will make it easy to dispel rumors of back doors in your security code, without giving up the sales advantage of your user interface.

Another company that has been plagued by rumors, Security Dynamics, has chosen to present their algorithms and protocols in public for the next major release of their software. I expect, as does their management, that this will go quite a long ways towards dispelling rumors.

Adam

Emily G. Cohen wrote:
| Check Point Software Technologies Ltd. would like to assure its
| customers, security experts, and others that there is no, and never
| has been, an "agreement" or relationship between Check Point Software
| and the Mossad, or any other branch of the Israeli government or military,
| to create a "back door" into Check Point products.
|
| These are false and malicious rumors that have been circulating
| since Check Point became successful, specifically targeted at
| damaging the company, and they are always from "anonymous sources."
| Check Point takes these rumors seriously, and if anyone has information
| on the source/s of these rumors, we would be very interested in hearing
| from you, so that we can take appropriate action.
|
| Check Point FireWall-1 is the most widely installed network security
| solution in the world and no customer has ever reported a security
| breach of this nature. Check Point FireWall-1's customer list includes
| accounts with the highest level of security consciousness such as U.S.
| national and foreign governments, the world's leading financial institutions,
| telcos and ISPs. All Check Point FireWall-1 customers benefit from the
| product's patented Stateful Inspection technology ensuring the highest
| level of enterprise security available today.
|
| Emily Cohen, Director of Corporate Communications
| Check Point Software Technologies, Inc.
| 400 Seaport Court, Suite 105
| Redwood City, CA 94063
| Tel: 415-562-0400 x228
| Fax: 415-562-0410
| www.checkpoint.com
|

--
He has erected a multitude of new offices, and sent hither swarms of officers to harrass our people, and eat out their substance.

From owner-firewalls-outgoing Tue Jul 8 06:26:43 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA14227 for firewalls-outgoing; Tue, 8 Jul 1997 06:15:25 -0700 (PDT)
Received: from ferc2.ferc.fed.us (ferc2.ferc.fed.us [208.207.43.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id GAA14218 for ; Tue, 8 Jul 1997 06:15:20 -0700 (PDT)
Received: from ferc1.ferc.fed.us by ferc2.ferc.fed.us via smtpd (for honor.greatcircle.com [198.102.244.44]) with SMTP; 8 Jul 1997 13:13:32 UT
Received: from mjycdsi ([205.130.8.15]) by ferc1.ferc.fed.us (8.6.9/8.6.9) with SMTP id QAA02781 for ; Tue, 8 Jul 1997 16:48:46 -0400
Message-ID: <33C23D7D.3173@ferc.fed.us>
Date: Tue, 08 Jul 1997 09:15:41 -0400
From: Michael J Yelland
Reply-To: myelland@ferc.fed.us
Organization: FERC
X-Mailer: Mozilla 3.0 (WinNT; I)
MIME-Version: 1.0
To: Firewalls@GreatCircle.COM
Subject: security check
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Readers: are there programs to run on an external host (unix, nt, ?) which will test the 'hacking-proof' quality of our router/firewall ?
TIA From owner-firewalls-outgoing Tue Jul 8 06:35:01 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA15122 for firewalls-outgoing; Tue, 8 Jul 1997 06:31:04 -0700 (PDT) Received: from sprocket.nis.newscorp.com (sprocket.nis.newscorp.com [206.15.111.87]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id GAA15096 for ; Tue, 8 Jul 1997 06:30:52 -0700 (PDT) Received: (from mtc@localhost) by sprocket.nis.newscorp.com (8.7.3/8.7.2) id JAA19999; Tue, 8 Jul 1997 09:32:24 -0400 (EDT) From: mtc@ie.nis.newscorp.com Message-Id: <199707081332.JAA19999@sprocket.nis.newscorp.com> Subject: Re: Please help me out To: GWurtz@aol.com Date: Tue, 8 Jul 1997 09:32:24 -0400 (EDT) Cc: firewalls@GreatCircle.COM In-Reply-To: <970707173425_-957598513@emout04.mail.aol.com> from "GWurtz@aol.com" at Jul 7, 97 05:34:41 pm Reply-to: mtc@newscorp.com X-Mailer: ELM [version 2.4 PL25] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > >Send me all Info you have ....... > I hope you have a *big* mailbox... 
:^) Start with: Frequently Asked Questions ========================== A "Frequently Asked Questions" (FAQ) document (written by Marcus Ranum, mjr@tis.com) is available via anonymous FTP from host FTP.GreatCircle.COM, file pub/firewalls/FAQ, or from Majordomo by sending the command "get firewalls FAQ" in the body of an email message (not on the "Subject:" line) to address "Majordomo@GreatCircle.COM", or via URL ftp://ftp.greatcircle.com/pub/firewalls/FAQ Matt From owner-firewalls-outgoing Tue Jul 8 07:20:40 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA15650 for firewalls-outgoing; Tue, 8 Jul 1997 06:35:10 -0700 (PDT) Received: from mail.baileynm.com (fw.baileynm.com [206.109.159.11]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id GAA15593 for ; Tue, 8 Jul 1997 06:34:55 -0700 (PDT) Received: (qmail 25969 invoked from smtpd); 8 Jul 1997 13:12:01 -0000 Received: from web.nmti.com (root@198.178.0.201) by fw.nmti.com with SMTP; 8 Jul 1997 13:12:01 -0000 Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id IAA02303; Tue, 8 Jul 1997 08:12:00 -0500 Received: by sonic.nmti.com; id AA27294; Tue, 8 Jul 1997 08:12:46 -0500 From: peter@baileynm.com (Peter da Silva) Message-Id: <9707081312.AA27294@sonic.nmti.com.nmti.com> Subject: Re: another Citrix Winframe query To: @inreach.com@uunet.uu.net Date: Tue, 8 Jul 1997 08:12:46 -0500 (CDT) Cc: Phil.Burg@CENTRAL.colesmyer.com.au, firewalls@GreatCircle.COM In-Reply-To: <199707080301.UAA09658@mail.inreach.com> from "John DIas" at Jul 7, 97 08:03:18 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Beware, the entire technology is based on low bandwidth X windows. No, it's based on a protocol called ICA developed by Citrix. I don't think that there's any relationship between it and LBX. Citrix itself doesn't support X. 
There are packages that render the Citrix data stream on an X display, such as WinDD and Wincenter. Winframe itself is "just" an extremely complete "remote access" package. The security issues of a Citrix data stream are very similar to those of telnet. It's an unencrypted exchange of keystrokes, mouse clicks, and responses. Treat it as telnet.
From owner-firewalls-outgoing Tue Jul 8 07:34:23 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA14486 for firewalls-outgoing; Tue, 8 Jul 1997 06:22:02 -0700 (PDT) Received: from ns1.cq.com (ns1.cq.com [198.67.16.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id GAA14479 for ; Tue, 8 Jul 1997 06:21:57 -0700 (PDT) Received: by ns1.cq.com; id JAA01855; Tue, 8 Jul 1997 09:27:14 -0400 (EDT) Received: from hub.cq.com(198.67.5.98) by ns1.cqalert.com via smap (3.2) id xma001838; Tue, 8 Jul 97 09:26:46 -0400 Received: from pop.cq.com (pop.cq.com [198.67.5.169]) by hub.cq.com (8.8.2/8.6.12) with ESMTP id JAA02426; Tue, 8 Jul 1997 09:30:23 -0400 (EDT) Received: from hkarim ([206.105.221.244]) by pop.cq.com (8.8.5/8.6.12) with SMTP id JAA14068; Tue, 8 Jul 1997 09:25:36 -0400 (EDT) Message-Id: <3.0.32.19970708092417.0090f8b0@pop.cq.com> X-Sender: hassan@pop.cq.com X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Tue, 08 Jul 1997 09:24:17 +0100 To: Matthew Frith , Firewalls@GreatCircle.COM From: Hassan Karim Subject: Re: Routing with 2 checkpoint Firewalls Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
I'm not sure if this is feasible but I thought I heard someone suggest setting two machines up with the same IP address and only turn up the network interface with the redundant IP address when the other machine is going down... or stops responding. 
Probably the standby would run a script that polls the main box every so often on another one of its interfaces and if the response time is past some threshold... turn the redundant IP address on. Just getting creative. Peace, Hassan
At 03:04 PM 7/7/97 BST, Matthew Frith wrote: > >I am trying to configure a high availability solution with >2 Checkpoint firewalls running on HP-UX. I have the 2 firewalls sync'ing >their state tables but am trying to setup a `hot-standby' solution >similar to that of CISCO routers. > >Has anyone ever done this, or know how to setup the default route where >machines on the internal network route (dynamically) to either of the >firewalls, depending on which one is up? > >any help gratefully received.. > >Matt Frith >Hewlett-Packard, Bristol, UK. >mjf@hplb.hpl.hp.com > > > >
From owner-firewalls-outgoing Tue Jul 8 08:05:07 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA16270 for firewalls-outgoing; Tue, 8 Jul 1997 06:41:34 -0700 (PDT) Received: from malmstrom.af.mil (gw.malmstrom.af.mil [131.53.227.199]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id GAA16194 for ; Tue, 8 Jul 1997 06:41:07 -0700 (PDT) Received: from MALMSTROM-Message_Server by malmstrom.af.mil with Novell_GroupWise; Tue, 08 Jul 1997 07:41:23 -0600 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Tue, 08 Jul 1997 07:41:15 -0600 From: 341CS Network Security Taylor Ashley To: firewalls@GreatCircle.COM Subject: RE: When is Integrity compromised? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
Mark H. Teicher wrote: >What determines when integrity is compromised within a firewall or >internet security solution? > Is it when the hardware/software fails to do its job? Is it with the >network architecture that was improperly designed? Is it with a firewall >that was not designed for a particular function? Is it with people who >are not properly trained to maintain a firewall? 
Or is it with >management who fails to recognize when people, hardware/software >and policy are not adequate to sustain such a solution? All of the above. I would also add a couple. When management does not fully recognize the importance of the job at hand. When the security administrator coupled with management fail to understand that this is an ever-evolving technology. SrA Ashley Taylor Network Security taylora@malmstrom.af.mil
From owner-firewalls-outgoing Tue Jul 8 08:20:18 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA17573 for firewalls-outgoing; Tue, 8 Jul 1997 06:51:25 -0700 (PDT) Received: from bourbon.pl.vtcom.fr (bourbon.pl.vtcom.fr [193.252.69.217]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id GAA17551 for ; Tue, 8 Jul 1997 06:51:15 -0700 (PDT) Received: from pyk.adm.vtcom.fr (pyk.adm.vtcom.fr [193.252.64.242]) by bourbon.pl.vtcom.fr (8.6.12/8.6.11) with SMTP id PAA00475; Tue, 8 Jul 1997 15:54:43 +0200 Date: Tue, 8 Jul 1997 15:54:43 +0200 Message-Id: <199707081354.PAA00475@bourbon.pl.vtcom.fr> From: Pierre-Yves Kerembellec To: Adam Shostack Cc: Firewalls@GreatCircle.COM Subject: Re[2]: Check Point response to Mossad rumor` In-Reply-To: <199707081147.HAA25263@homeport.org> References: <2.2.32.19970708031615.006e5d38@us.checkpoint.com> <199707081147.HAA25263@homeport.org> MIME-Version: 1.0 Content-Type: text/plain Content-Transfer-Encoding: 7bit X-Mailer: Becky! ver 1.10 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
On [Tue, 8 Jul 1997 07:47:17 -0400 (EDT)], Adam Shostack wrote: > Might I suggest a solution? > From out here, it seems the real value from a CheckPoint FW is > the GUI & management tools. The packet filter itself is fairly > similar to freely available ones such as IPFilter and ipfw. Ahem, sorry to bother you on that point, but I think you don't understand the State Inspection mechanism, the INSPECT language and the level at which FW-1 interacts with the kernel ... 
FW-1 is much more powerful in its design than ipfw for example ... > release the source code to the packet filter. This will make it easy > to dispel rumors of back doors in your security code, without giving > up the sales advantage of your user interface. For sure ! But the real value of the package is (IMHO of course) in the INSPECT module and packet-layer filter, not in the GUI ... Regards, Pierre-Yves =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Pierre-Yves KEREMBELLEC Phone # +33 1 46 12 67 50 VTCOM Fax # +33 1 46 12 67 00 40, rue Gabriel Crie E-mail pyk@vtcom.fr 92245 Malakoff Cedex, France Systemes et Reseaux =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
From owner-firewalls-outgoing Tue Jul 8 08:37:25 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA18612 for firewalls-outgoing; Tue, 8 Jul 1997 06:57:31 -0700 (PDT) Received: from malmstrom.af.mil (gw.malmstrom.af.mil [131.53.227.199]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id GAA18588 for ; Tue, 8 Jul 1997 06:57:21 -0700 (PDT) Received: from MALMSTROM-Message_Server by malmstrom.af.mil with Novell_GroupWise; Tue, 08 Jul 1997 07:57:54 -0600 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Tue, 08 Jul 1997 07:57:41 -0600 From: 341CS Network Security Taylor Ashley To: firewalls@GreatCircle.COM Subject: RE: Setting up firewall newbie.. Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
-Nick wrote: >Currently we are on a T3 with about 1500 users and using a 486 dx4 >100 running linux as a packet filter outside the router. It seems though, >that this configuration is placing a strenuous bottleneck on the network >and users aren't getting the speed or access times they deserve. My >question is, basically a general one. Where can one find resources on >the best types of firewalls, setup, theory and the like on both the net >and normal literature. 
Also, if anyone would be willing to give a bit of >advice on the CURRENT packet filter we have, it would be much >appreciated. Without knowing your network configuration it's kind of difficult to ponder, but here we go. Let's assume your bottleneck is the Linux packet filtering firewall. Do you have 10Mb cards or 100Mb? How much RAM do you have? How many concurrent users do you have accessing through your T3 connection? How many lines of access control list are you using (approx.)? All of these things play a role in that Linux box being the bottleneck. SrA Ashley Taylor Network Security taylora@malmstrom.af.mil
From owner-firewalls-outgoing Tue Jul 8 08:47:51 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA20088 for firewalls-outgoing; Tue, 8 Jul 1997 07:09:01 -0700 (PDT) Received: from pdx1.world.net (pdx1.world.net [192.243.32.18]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA20072 for ; Tue, 8 Jul 1997 07:08:55 -0700 (PDT) From: proff@suburbia.net Received: from suburbia.net (suburbia.net [198.142.2.24]) by pdx1.world.net (8.7.5/8.7.3) with SMTP id HAA13167 for ; Tue, 8 Jul 1997 07:16:30 -0700 (PDT) Received: (qmail 6840 invoked by uid 110); 8 Jul 1997 14:12:24 -0000 Message-ID: <19970708141224.6839.qmail@suburbia.net> Subject: Re: Check Point response to Mossad rumor In-Reply-To: <2.2.32.19970708031615.006e5d38@us.checkpoint.com> from "Emily G. Cohen" at "Jul 7, 97 08:16:15 pm" To: emily@us.checkpoint.com (Emily G. Cohen) Date: Wed, 9 Jul 1997 00:12:24 +1000 (EST) Cc: Firewalls@GreatCircle.COM X-Mailer: ELM [version 2.4ME+ PL28 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
> Check Point FireWall-1 is the most widely installed network security > solution in the world and no customer has ever reported a security > breach of this nature. 
Check Point FireWall-1's customer list includes > accounts with the highest level of security consciousness such as U.S. > national and foreign governments, the world's leading financial institutions, > telcos and ISPs. All Check Point FireWall-1 customers benefit from the > product's patented Stateful Inspection technology ensuring the highest > level of enterprise security available today. > > Emily Cohen, Director of Corporate Communications > Check Point Software Technologies, Inc. I'm not saying your software is backdoored, but I don't think that is a very good argument - at least not to people who have seen the list of Crypto AG's customers. Cheers, Julian. From owner-firewalls-outgoing Tue Jul 8 09:07:08 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA20367 for firewalls-outgoing; Tue, 8 Jul 1997 07:13:22 -0700 (PDT) Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA20350 for ; Tue, 8 Jul 1997 07:13:13 -0700 (PDT) Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id KAA25871; Tue, 8 Jul 1997 10:14:21 -0400 (EDT) From: Adam Shostack Message-Id: <199707081414.KAA25871@homeport.org> Subject: Re: Re[2]: Check Point response to Mossad rumor` In-Reply-To: <199707081354.PAA00475@bourbon.pl.vtcom.fr> from Pierre-Yves Kerembellec at "Jul 8, 97 03:54:43 pm" To: Pierre-Yves.Kerembellec@vtcom.fr (Pierre-Yves Kerembellec) Date: Tue, 8 Jul 1997 10:14:21 -0400 (EDT) Cc: Firewalls@GreatCircle.COM X-Mailer: ELM [version 2.4ME+ PL27 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Pierre-Yves Kerembellec wrote: | Le [Tue, 8 Jul 1997 07:47:17 -0400 (EDT)], Adam Shostack ecrivait : | > Might I suggest a solution? | > From out here, it seems the real value from a CheckPoint FW is | > the GUI & management tools. 
The packet filter itself is fairly | > similar to freely available ones such as IPFilter and ipfw. | | Ahem, sorry to bother you on that point, but I think you don't understand | the State Inspection mechanism, the INSPECT language and the level FW-1 | interacts with the kernel ... FW-1 is much more powerful in its design | than ipfw for example ... More powerful, sure. Better language even. But the ideas are clear; releasing the source code is not going to give away many secrets. It's a packet filter that picks up intelligently on state by looking inside of packets. I haven't seen anything that the packet filter does that I couldn't add to IPfilter, given 6 or 9 months. Any competitor who is serious about stealing ideas from Checkpoint has already done the clean room disassembly bit. Thus, if they're playing by the rules, source code won't help them; they can't use it. If they're not playing by the rules there are a number of ways to cheat; source code won't help them. Incidentally, I'd say a Ford Taurus is fairly similar to a Chrysler Cirrus, too. Sure, you can point out an awful lot of differences, but they are fairly similar, unlike a Ford Taurus and a Gateway 2000 386. Adam -- He has erected a multitude of new offices, and sent hither swarms of officers to harrass our people, and eat out their substance. 
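The distinction Adam is drawing here, a filter that derives state from what it sees inside packets as opposed to a static first-match list, is the same one behind the "deny ... gt 80 / gt 19" exchange in the IP Filters thread later in this digest, where the early-exit rules turn out to drop active-mode FTP data callbacks and DNS replies. The following toy model is an added illustration written for this page; it is not FW-1, INSPECT, ipfw or IPFilter code. The inside prefix, the addresses, the rule list and the traffic sample are all constructed; the static list is applied, as a router's inbound list on the external interface would be, only to packets arriving from outside.

```python
"""Toy model of the two filtering styles argued over in this thread:
a static, first-match access list versus a filter that keeps state about
flows started from inside and reads the FTP PORT command to learn the
server's data connection.  Added illustration only; not FW-1, INSPECT,
ipfw or IPFilter code.  Addresses and traffic are constructed."""
from dataclasses import dataclass, field

INSIDE_PREFIX = "192.0.2."      # constructed: our inside network (TEST-NET-1)


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False           # TCP SYN flag
    ack: bool = False           # TCP ACK flag
    payload: bytes = b""


def from_inside(pkt):
    return pkt.src.startswith(INSIDE_PREFIX)


# --- 1. Static list, first true entry wins (Cisco access-list style). ---
# Applied only to packets arriving from outside, like an inbound list on the
# external interface.  The two leading "deny ... gt N" entries are the early
# exits from the IP Filters thread; they fire before any later permit.
STATIC_ACL = [
    ("deny",   "tcp", lambda p: p.dport > 80),    # above the last tcp service
    ("deny",   "udp", lambda p: p.dport > 19),    # above the last udp service
    ("permit", "tcp", lambda p: p.dport == 80),   # http
    ("permit", "tcp", lambda p: p.dport == 21),   # ftp control
    ("permit", "udp", lambda p: p.dport == 53),   # dns (replies never get here)
]


def static_decision(pkt, acl=STATIC_ACL):
    if from_inside(pkt):
        return "permit"         # outbound is not filtered in this model
    for action, proto, matches in acl:
        if proto == pkt.proto and matches(pkt):
            return action
    return "deny"               # implicit deny at the end of the list


# --- 2. Stateful filter: remember outbound flows, admit only their replies. ---
def parse_port_command(payload):
    """Decode an FTP 'PORT h1,h2,h3,h4,p1,p2' line into (ip, port) or None."""
    line = payload.strip().decode("ascii", "replace")
    if not line.upper().startswith("PORT "):
        return None
    try:
        parts = [int(x) for x in line[5:].split(",")]
    except ValueError:
        return None
    if len(parts) != 6 or any(not 0 <= x <= 255 for x in parts):
        return None
    return ".".join(map(str, parts[:4])), parts[4] * 256 + parts[5]


@dataclass
class StatefulFilter:
    flows: set = field(default_factory=set)     # (proto, in_ip, in_port, out_ip, out_port)
    expected: set = field(default_factory=set)  # inbound flows announced by PORT

    def decision(self, pkt):
        if from_inside(pkt):
            key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.proto == "udp" or pkt.syn:
                self.flows.add(key)             # a new flow started from inside
            if key not in self.flows:
                return "deny"                   # mid-stream packet of an unknown flow
            if pkt.proto == "tcp" and pkt.dport == 21:
                announced = parse_port_command(pkt.payload)
                if announced:                   # server will call back from tcp/20
                    self.expected.add(("tcp", pkt.dst, 20, announced[0], announced[1]))
            return "permit"
        inbound = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.flows:
            return "permit"                     # reply to something we sent
        if inbound in self.expected and pkt.proto == "tcp" and pkt.syn and not pkt.ack:
            self.expected.discard(inbound)
            self.flows.add(reverse)             # the announced data connection
            return "permit"
        return "deny"                           # unsolicited from outside


def demo():
    """Run one constructed traffic sample through both filters; returns (static, stateful) pairs."""
    client, server, resolver, attacker = "192.0.2.10", "203.0.113.5", "203.0.113.53", "198.51.100.9"
    fw = StatefulFilter()
    traffic = [
        Packet("tcp", client, 1024, server, 21, syn=True),                  # ftp control out
        Packet("tcp", server, 21, client, 1024, syn=True, ack=True),        # its SYN/ACK
        Packet("tcp", client, 1024, server, 21, ack=True,
               payload=b"PORT 192,0,2,10,4,1\r\n"),                         # client announces 1025
        Packet("tcp", server, 20, client, 1025, syn=True),                  # active-mode data callback
        Packet("udp", client, 1026, resolver, 53),                          # dns query out
        Packet("udp", resolver, 53, client, 1026),                          # dns reply
        Packet("tcp", attacker, 4444, client, 1027, syn=True),              # unsolicited inbound
        Packet("tcp", attacker, 4445, client, 80, syn=True),                # inbound to a "service" port
    ]
    return [(static_decision(p), fw.decision(p)) for p in traffic]


if __name__ == "__main__":
    for static, stateful in demo():
        print(f"static={static:6}  stateful={stateful}")
```

Running `demo()` shows the trade-off in both directions: the static list's early exits drop the server's SYN/ACK to port 1024, the tcp/20 data callback to 1025 and the DNS reply to 1026, exactly the breakage Bill and Taylor discuss, because the list has no memory of the outbound side; the stateful filter admits all three because it recorded the flows (and read the PORT command) but refuses the unsolicited SYN to port 80 that the static list waves through. Real products also time flows out and validate sequence numbers; this model deliberately leaves that out.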
From owner-firewalls-outgoing Tue Jul 8 09:20:04 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA29790 for firewalls-outgoing; Tue, 8 Jul 1997 08:26:34 -0700 (PDT) Received: from mail.sla.com (mail1.sla.com [207.153.168.35]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA29733 for ; Tue, 8 Jul 1997 08:26:22 -0700 (PDT) Received: by mail1.sla.com with Internet Mail Service (5.0.1457.3) id <3B2FBJN6>; Tue, 8 Jul 1997 08:30:38 -0700 Message-ID: <31557D725263D011B53A0060974FB8DC028BB4@mail1.sla.com> From: "Stackpole, Bill" To: "'Mark Teicher'" Cc: "'firewalls@greatcircle.com'" Subject: RE: When is Integrity compromised? Date: Tue, 8 Jul 1997 08:30:36 -0700 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1457.3) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
Mark Teicher [SMTP:mht@clark.net] asks: What determines when integrity is compromised within a firewall or internet security solution? I would consider any breach of the company's Security Policy as compromising the security integrity of a system. Any of these scenarios fit that bill. Is it when the hardware/software fails to do its job? Yes - if it fails to a less secure mode or can be caused to fail as part of a denial of service attack. Is it with the network architecture that was improperly designed? Yes - if it failed to implement the security policy in the first place. Is it with a firewall that was not designed for a particular function? Yes - if the firewall cannot protect against a specific type of attack (e.g., SYN floods). Is it with people who are not properly trained to maintain a firewall? Yes (and common) - Changes made to the network or firewall can result in violations of the security policy because the people making those changes do not understand the security ramifications of them. 
Or is it with management who fails to recognize when people, hardware/software and policy are not adequate to sustain such a solution? Yes (and common) - Security is a business process and as such needs the support and direction of management. Unfortunately, management often doesn't properly weigh the risk against the cost, so security devices, implementation and training are often inadequate to maintain the security policy. "Simplify - There is no value in complexity, it's too difficult to manage." Bill Stackpole, CISSP Seitel Leeds & Associates Voice: 206.283.4355 2 Nickerson St. Suite 201 Email: bstackpole@sla.com Seattle, Wa 98109
From owner-firewalls-outgoing Tue Jul 8 09:50:06 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA25932 for firewalls-outgoing; Tue, 8 Jul 1997 08:06:05 -0700 (PDT) Received: from glacier.wise.edt.ericsson.se (glacier-ext.wise.edt.ericsson.se [193.180.251.38]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA25859 for ; Tue, 8 Jul 1997 08:05:41 -0700 (PDT) Received: from geek (geek.nmac.ericsson.se [130.100.187.83]) by glacier.wise.edt.ericsson.se (8.7.5/8.7.3/glacier-0.9) with ESMTP id RAA09962 for ; Tue, 8 Jul 1997 17:04:44 +0200 (MET DST) Received: from haig.oplab.nmac.ericsson.se (haig.oplab.nmac.ericsson.se [130.100.187.85]) by geek (8.8.5/8.8.5) with ESMTP id PAA22337 for ; Tue, 8 Jul 1997 15:04:49 +0200 Received: by haig.oplab.nmac.ericsson.se with Internet Mail Service (5.0.1457.3) id ; Tue, 8 Jul 1997 17:03:31 +0200 Message-ID: <43BED8177D10D011A69A0800092C15D7011C2A@haig.oplab.nmac.ericsson.se> From: Robert Ståhlbrand To: "'firewalls@greatcircle.com'" Subject: How secure is ISDN? Date: Tue, 8 Jul 1997 17:03:30 +0200 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1457.3) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
Hi! I have some questions about security with ISDN. 
This is how it's configured: I have two ISDN-routers, one at the office and one at home. The ISDN-routers work like "one router" and do not have any subnet between each other (unnumbered ip). I am using CHAP for authentication between the routers. The routers have a pretty advanced ip-filtering system built in which I have configured so that only my network is allowed to pass through the router at the office. You can even filter traffic so it gets lower priority, which impresses me a bit! I am compressing the traffic between the routers with a built-in compression method. My questions are:
1) Is it possible for an evil mind to sniff on my ISDN-connection to see information going between the routers, and is it very easy or very hard?
2) Is it possible for this evil-minded person to call the ISDN-phonenumber at my office and connect to the network (assume that he guessed the authentication code and knows that he must be in the same ip-network as I because of the filter)? I mean, the router is configured to only call my ISDN-router at home, but if he has sniffed on the line when I made a telnet to the ISDN-router at my office maybe he can reconfigure it himself?
3) Do I have to encrypt the connection to make it safe enough and, in that case, what method do you recommend? 
/Robert Stahlbrand, Ericsson Telecom AB
From owner-firewalls-outgoing Tue Jul 8 10:05:20 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA25326 for firewalls-outgoing; Tue, 8 Jul 1997 08:01:17 -0700 (PDT) Received: from mail.sla.com (mail1.sla.com [207.153.168.35]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA25282 for ; Tue, 8 Jul 1997 08:01:00 -0700 (PDT) Received: by mail1.sla.com with Internet Mail Service (5.0.1457.3) id <3B2FBJN4>; Tue, 8 Jul 1997 08:05:14 -0700 Message-ID: <31557D725263D011B53A0060974FB8DC028BB3@mail1.sla.com> From: "Stackpole, Bill" To: "'341CS Network Security Taylor Ashley'" Cc: "'firewalls@greatcircle.com'" Subject: RE: IP Filters? Date: Tue, 8 Jul 1997 08:05:12 -0700 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1457.3) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
Yes it will if you don't use PASV or have a rule which allows that above these commands. The udp rule will also block DNS replies if you don't have a rule above it to allow for them. I use these two rules just prior to processing a couple dozen specific permit rules. It might have been clearer if I had posted the entire rule set example, but then I would have had to answer dozens of questions, comments and critiques of the entire list. So I elected to just post a couple of example lines. But your question and the questions others have raised about these two lines do demonstrate that constructing rule sets is not a simple process. "Simplify - There is no value in complexity, it's too difficult to manage." Bill Stackpole, CISSP Seitel Leeds & Associates Voice: 206.283.4355 2 Nickerson St. Suite 201 Email: bstackpole@sla.com Seattle, Wa 98109
> -----Original Message----- > From: 341CS Network Security Taylor Ashley > [SMTP:taylora@malmstrom.af.mil] > Sent: Monday, July 07, 1997 1:39 PM > To: Firewalls@GreatCircle.COM > Subject: Re: IP Filters? 
> > > > "Stackpole, Bill" wrote: > > > >There are some techniques you can use to speed up access list > > >processing. Remember a Cisco list is exited on the first true so > you > > >can add lines like: > > > > > > ! TCP or UDP Ports above the last service you are permiting > > > ! this is done to speed up the list processing > > > access-list 101 deny tcp any host 255.255.255.255 gt 80 > > > access-list 101 deny udp any host 255.255.255.255 gt 19 > > If I am not mistaken which I usually am won't this block inside hosts > from > using FTP commands that use ports gt 1023? At least that's how I read > an access control list page off of Cisco's home page. Here is the URL > > http://www.cisco.com/univercd/data/doc/cintrnet/ics/icssecur.htm#HDR6 > > SrA Ashley Taylor > Network Security From owner-firewalls-outgoing Tue Jul 8 10:11:49 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA04881 for firewalls-outgoing; Tue, 8 Jul 1997 08:51:12 -0700 (PDT) Received: from newman (newman.unifiedtech.com [38.251.136.48]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id IAA04638 for ; Tue, 8 Jul 1997 08:49:56 -0700 (PDT) Received: from newman by newman (SMI-8.6/SMI-SVR4) id LAA24269; Tue, 8 Jul 1997 11:50:05 -0400 Message-ID: <33C261AC.A4FE339E@unifiedtech.com> Date: Tue, 08 Jul 1997 11:50:04 -0400 From: Mike Jones Organization: Unified Technologies, Inc. X-Mailer: Mozilla 4.0b5C (X11; I; SunOS 5.5.1 sun4u) MIME-Version: 1.0 To: Frank Post CC: firewalls@GreatCircle.COM Subject: Re: FW-1 Performance X-Priority: 3 (Normal) References: Content-Type: multipart/mixed; boundary="------------E23337FA29342C31FD5760FB" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This is a multi-part message in MIME format. 
--------------E23337FA29342C31FD5760FB Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Frank Post wrote: > Is it possible that FW-1 v2.0 on a Sun Ultra-1 needs 60% of the > Systems > CPU Performance, when it is connected to an 6MBit/s Internet Link ? > Even if there are no Rules in (only to Log all other Port than http), > and > the DNS Resolution of Logging is Disabled ? Anything is possible, but it's certainly very unlikely. I was at a customer site yesterday who has a T1 line going to a FW-1 on a Sun Ultra 1. Behind the Firewall is their mail server and a Web server handling over 50K hits/day. We've never seen the CPU %idle under about 95-97%. --------------E23337FA29342C31FD5760FB Content-Type: text/x-vcard; charset=us-ascii; name="vcard.vcf" Content-Transfer-Encoding: 7bit Content-Description: Card for Mike Jones Content-Disposition: attachment; filename="vcard.vcf" begin: vcard fn: Mike Jones n: Jones;Mike org: Unified Technologies adr: ;;105 Jordan Road;Troy;NY;12180;US email;internet: mike.jones@unifiedtech.com title: Sr. 
Technology Advisor tel;work: (518) 283-1003 tel;fax: (518) 283-1189 x-mozilla-cpt: ;0 x-mozilla-html: FALSE end: vcard --------------E23337FA29342C31FD5760FB-- From owner-firewalls-outgoing Tue Jul 8 10:35:28 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA11686 for firewalls-outgoing; Tue, 8 Jul 1997 09:28:40 -0700 (PDT) Received: from vasfw01.fdic.gov (vasfw01.fdic.gov [192.147.69.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id JAA11642 for ; Tue, 8 Jul 1997 09:28:27 -0700 (PDT) Received: by vasfw01.fdic.gov; id MAA12773; Tue, 8 Jul 1997 12:31:43 -0400 Received: from mailhub.fdic.gov(151.174.3.31) by vasfw01.fdic.gov via smap (3.2) id xma012182; Tue, 8 Jul 97 12:31:13 -0400 Received: by MAILHUB.FDIC.GOV; Tue, 8 Jul 97 12:31:09 EDT Date: Tue, 8 Jul 97 12:31:15 EDT Message-ID: X-Priority: 3 (Normal) To: Cc: From: "Stephen Hunt" Subject: re: security check Sender: firewalls-owner@GreatCircle.COM Precedence: bulk - - - - - - - - - - - - - - Original Message - - - - - - - - - - - - - - Readers: are there programs to run on an external host (unix, nt, ?) which will test the 'hacking-proof' quality of our router/firewall ? TIA - - - - - - - - - - - - End of Original Message - - - - - - - - - - - - Check out www.iss.net; they have a number of different security scanning software selections for both Unix and NT. 
Stephen From owner-firewalls-outgoing Tue Jul 8 10:52:40 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA14473 for firewalls-outgoing; Tue, 8 Jul 1997 09:45:10 -0700 (PDT) Received: from pse01.pios.com (PSE01.PIOS.COM [199.33.129.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id JAA14405 for ; Tue, 8 Jul 1997 09:44:53 -0700 (PDT) Received: by pse01.pios.com; (5.65v3.2/1.3/10May95) id AA31320; Tue, 8 Jul 1997 12:48:25 -0400 Received: from vaxa.PIOS.COM (vaxa.PIOS.COM) by gemini.pios.com (PMDF V5.0-6 #18985) id <01IKZTG8K0ZK8WXEFA@gemini.pios.com> for firewalls@greatcircle.com; Tue, 08 Jul 1997 12:49:49 -0400 (EDT) Received: from cal_133.cal.pios.com (192.168.14.133) by PIOS.PIOS.COM (PMDF V5.0-6 #18984) id <01IKZTEL62J496VSIF@PIOS.PIOS.COM> for firewalls@greatcircle.com; Tue, 08 Jul 1997 12:48:29 -0400 (EDT) Date: Tue, 08 Jul 1997 12:47:44 -0400 From: Bill Stout Subject: Security sw distributed as Binaries X-Sender: stoutb@192.168.0.37 To: firewalls@greatcircle.com Message-Id: <2.2.32.19970708164744.0084356c@192.168.0.37> Mime-Version: 1.0 X-Mailer: Windows Eudora Pro Version 2.2 (32) Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk What is the opinion of security software distributed as binaries? It seems that binaries can be stuffed full of doors, holes, worms, viruses, and compromised crypto, without the user ever knowing. Except for experiencing the result. Binaries are distributed in the 'trust it blindly, it's safe' concept. Totally fictitious situation follows: Assume that one could prove that a security software company was compromised by association with a group that was strongly motivated to monitor communications. 
Let's say use American examples here, Clipper chip, Key escrow _____________________________________________________________________________ Bill Stout (Systems Engineer/Consultant) stoutb@pios.com Pioneer Standard (Computer Systems & Components) http://www.pios.com/ San Jose, CA (Location of 1 of 52 U.S. offices) (408) 954-9100 *My opinions do not reflect that of the company, and visa-versa, thankfully.* From owner-firewalls-outgoing Tue Jul 8 11:16:43 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA16476 for firewalls-outgoing; Tue, 8 Jul 1997 09:55:20 -0700 (PDT) Received: from newfed.frb.gov (newfed.frb.gov [198.3.221.5]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id JAA16248 for ; Tue, 8 Jul 1997 09:54:29 -0700 (PDT) Received: from FRB.GOV (umailfwd@localhost) by newfed.frb.gov (8.8.5/8.8.5) with UUCP id MAA10458; Tue, 8 Jul 1997 12:33:34 -0400 (EDT) Received: from kryten.frb.gov by frbgate.FRB.GOV (4.1/SMI-4.0) id AA10533; Tue, 8 Jul 97 12:38:24 EDT Received: from localhost.frb.gov (localhost.frb.gov [127.0.0.1]) by kryten.frb.gov (8.8.5/8.8.5) with SMTP id MAA06840; Tue, 8 Jul 1997 12:38:17 -0400 (EDT) Message-Id: <199707081638.MAA06840@kryten.frb.gov> X-Authentication-Warning: kryten.frb.gov: localhost.frb.gov [127.0.0.1] didn't use HELO protocol X-Mailer: exmh version 1.6.5 12/11/95 To: proff@suburbia.net Cc: emily@us.checkpoint.com (Emily G. Cohen), Firewalls@GreatCircle.COM Subject: Re: Check Point response to Mossad rumor In-Reply-To: Your message of "Wed, 09 Jul 1997 00:12:24 +1000." <19970708141224.6839.qmail@suburbia.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Tue, 08 Jul 1997 12:38:16 -0400 From: "Jonathan M. Bresler" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >> Check Point FireWall-1 is the most widely installed network security >> solution in the world and no customer has ever reported a security >> breach of this nature. 
Check Point FireWall-1's customer list includes >> accounts with the highest level of security consciousness such as U.S. >> national and foreign governments, the world's leading financial institutions , >> telcos and ISPs. All Check Point FireWall-1 customers benefit from the >> product's patented Stateful Inspection technology ensuring the highest >> level of enterprise security available today. >> >> Emily Cohen, Director of Corporate Communications >> Check Point Software Technologies, Inc. > >I'm not saying your software is backdoored, but I don't think that >is a very good argument - at least not to people who have seen the >list of Crypto AG's customers. > >Cheers, >Julian. Julian, you really should state things more clearly. your omissions leave room for misunderstanding. surely this was unintentional. the US govt compromised the security of encryption product(s) sold by the Swiss firm Crypto AG. US govt personnel read the communications of those countries that used Crypto AG equipment. (someone want to provide a citation?) what does Check Point FireWall-1 have to do with Crypto AG, leaving aside innuendo. whats the old line? "have you stopped beating your wife yet? this thread has been nearly all noise and no signal. the SNR from mars has been higher. 
jmb From owner-firewalls-outgoing Tue Jul 8 11:34:41 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA22860 for firewalls-outgoing; Tue, 8 Jul 1997 10:27:36 -0700 (PDT) Received: from diablo.intergate.bc.ca (diablo.intergate.bc.ca [207.34.179.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id KAA22795 for ; Tue, 8 Jul 1997 10:27:16 -0700 (PDT) Received: from seane (van-as-02b05.direct.ca [204.174.248.69]) by diablo.intergate.bc.ca (8.8.5/8.6.9) with ESMTP id KAA04536; Tue, 8 Jul 1997 10:37:45 -0700 (PDT) Message-ID: <33C27750.244DF452@intergate.bc.ca> Date: Tue, 08 Jul 1997 10:22:25 -0700 From: Sean Elrington Reply-To: seane@choreo.ca Organization: Choreo Systems X-Mailer: Mozilla 4.01 [en] (Win95; I) MIME-Version: 1.0 To: Brent Reid CC: "'firewalls@GreatCircle.COM'" Subject: Re: Raptor Address Translation X-Priority: 3 (Normal) References: <01BC8AF9.F86CC920@breid> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Brent Reid wrote: > Just heard a "rumor" that we should NOT do Address translation using > Raptor. > Any comments? I can't imagine why. We have several clients doing this quite well. 
--
Sean Elrington
Sales Systems Engineer
Choreo Systems - Vancouver
Tel: (604) 737-3993
www.choreosystems.com
seane@choreo.ca
-----------------------------------------------------------
Firewalls, security tools, public key encryption
TCP/IP, X.11, NFS
Messaging and directory software
-----------------------------------------------------------

From owner-firewalls-outgoing Tue Jul 8 11:50:40 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA22655 for firewalls-outgoing; Tue, 8 Jul 1997 10:26:45 -0700 (PDT)
Received: from diablo.intergate.bc.ca (diablo.intergate.bc.ca [207.34.179.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id KAA22607 for ; Tue, 8 Jul 1997 10:26:31 -0700 (PDT)
Received: from seane (van-as-02b05.direct.ca [204.174.248.69]) by diablo.intergate.bc.ca (8.8.5/8.6.9) with ESMTP id KAA04180; Tue, 8 Jul 1997 10:35:35 -0700 (PDT)
Message-ID: <33C276CE.9501D862@intergate.bc.ca>
Date: Tue, 08 Jul 1997 10:20:15 -0700
From: Sean Elrington
Reply-To: seane@choreo.ca
Organization: Choreo Systems
X-Mailer: Mozilla 4.01 [en] (Win95; I)
MIME-Version: 1.0
To: myelland@ferc.fed.us
CC: Firewalls@GreatCircle.COM
Subject: Re: security check
X-Priority: 3 (Normal)
References: <33C23D7D.3173@ferc.fed.us>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

You could try the following:

1. SATAN
2. Internet Security Scanner (http://www.iss.net)
3. Getting a port scanner like USCAN

A search with Altavista should turn up sites where you can get SATAN and USCAN.

Michael J Yelland wrote:
> Readers: are there programs to run on an external host (unix, nt, ?)
> which will test the 'hacking-proof' quality of our router/firewall ?
> > TIA -- Sean Elrington Sales Systems Engineer Choreo Systems - Vancouver Te: (604) 737-3993 www.choreosystems.com seane@choreo.ca ----------------------------------------------------------- Firewalls, security tools, public key encryption TCP/IP, X.11, NFS Messaging and directory software ----------------------------------------------------------- From owner-firewalls-outgoing Tue Jul 8 12:04:06 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA06227 for firewalls-outgoing; Tue, 8 Jul 1997 08:59:15 -0700 (PDT) Received: from newman (newman.unifiedtech.com [38.251.136.48]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id IAA06193 for ; Tue, 8 Jul 1997 08:58:54 -0700 (PDT) Received: from newman by newman (SMI-8.6/SMI-SVR4) id LAA24349; Tue, 8 Jul 1997 11:59:21 -0400 Message-ID: <33C263D9.5282F616@unifiedtech.com> Date: Tue, 08 Jul 1997 11:59:21 -0400 From: Mike Jones Organization: Unified Technologies, Inc. X-Mailer: Mozilla 4.0b5C (X11; I; SunOS 5.5.1 sun4u) MIME-Version: 1.0 To: Hassan Karim CC: Matthew Frith , Firewalls@GreatCircle.COM Subject: Re: Routing with 2 checkpoint Firewalls X-Priority: 3 (Normal) References: <3.0.32.19970708092417.0090f8b0@pop.cq.com> Content-Type: multipart/mixed; boundary="------------903B1FE8015CC641D79729FE" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This is a multi-part message in MIME format. --------------903B1FE8015CC641D79729FE Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Hassan Karim wrote: > I'm not sure if this is feasible but I thought I heard someone suggest > setting two machines up with the same IP address and only turn up the > network interface with the redundant IP address when the other machine > is > going down... or stops responding. > At 03:04 PM 7/7/97 BST, Matthew Frith wrote: > >I am trying to configure a high availability solution with > >2 Checkpoint firewalls running on HP-UX. 
> >I have the 2 firewalls sync'ing their state tables but am trying to setup a
> >`hot-standby' solution similar to that of CISCO routers.
> >
> >Has anyone ever done this, or know how to setup the default route where
> >machines on the internal network route (dynamically) to either of the
> >firewalls, depending on which one is up?

I haven't done this (yet), but this is the configuration I have in mind...

                          h----[FW-1(a)]----h
   ---[Internal Router]---u                 u---[Boundary Router]-->ISP
                          b----[FW-1(b)]----b

Set up the firewalls with two static routes.

Firewall (a) will have
  i)  a cost 0 route to the internal network pointing to IR
  ii) a cost 1 default route pointing to the BR

Firewall (b) will have
  i)  a cost 1 route to the internal network pointing to IR
  ii) a cost 0 default route pointing to the BR

The firewalls will *broadcast* (but not listen to) RIP. The BR and IR will
listen for RIP on the interfaces connected to the firewalls.

This should get some load balancing (by routing outbound traffic through (b)
and inbound through (a)) with failover via RIP update if either fails.

As I said, I haven't done this yet, but I think it should work. Have I missed
anything obvious?

--------------903B1FE8015CC641D79729FE
Content-Type: text/x-vcard; charset=us-ascii; name="vcard.vcf"
Content-Transfer-Encoding: 7bit
Content-Description: Card for Mike Jones
Content-Disposition: attachment; filename="vcard.vcf"

begin: vcard
fn: Mike Jones
n: Jones;Mike
org: Unified Technologies
adr: ;;105 Jordan Road;Troy;NY;12180;US
email;internet: mike.jones@unifiedtech.com
title: Sr.
Technology Advisor tel;work: (518) 283-1003 tel;fax: (518) 283-1189 x-mozilla-cpt: ;0 x-mozilla-html: FALSE end: vcard --------------903B1FE8015CC641D79729FE-- From owner-firewalls-outgoing Tue Jul 8 12:30:51 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA15957 for firewalls-outgoing; Tue, 8 Jul 1997 09:53:24 -0700 (PDT) Received: from newfed.frb.gov (newfed.frb.gov [198.3.221.5]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id JAA15914 for ; Tue, 8 Jul 1997 09:53:11 -0700 (PDT) Received: from FRB.GOV (umailfwd@localhost) by newfed.frb.gov (8.8.5/8.8.5) with UUCP id MAA10007; Tue, 8 Jul 1997 12:21:43 -0400 (EDT) Received: from kryten.frb.gov by frbgate.FRB.GOV (4.1/SMI-4.0) id AA09971; Tue, 8 Jul 97 12:15:19 EDT Received: from localhost.frb.gov (localhost.frb.gov [127.0.0.1]) by kryten.frb.gov (8.8.5/8.8.5) with SMTP id MAA06628; Tue, 8 Jul 1997 12:15:07 -0400 (EDT) Message-Id: <199707081615.MAA06628@kryten.frb.gov> X-Authentication-Warning: kryten.frb.gov: localhost.frb.gov [127.0.0.1] didn't use HELO protocol X-Mailer: exmh version 1.6.5 12/11/95 To: 341CS Network Security Taylor Ashley Cc: firewalls@GreatCircle.COM Subject: Re: Setting up firewall newbie.. In-Reply-To: Your message of "Tue, 08 Jul 1997 07:57:41 MDT." Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Tue, 08 Jul 1997 12:15:06 -0400 From: "Jonathan M. Bresler" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk isa bus? the isa bus is very bandwidth limited, about 1/2 a T3. pci bus, would be up to the task. then you have to worry about the rest of the components. try a simple-minded test. set a fast host with a 100BaseT network on either side of the Linux box. configure the Linux box for routing only (we want max speed for this purpose) run ttcp or tcpblast or netperf or netpipe or .... from one host to the other thru the Linux box. 
compare the result to the same test with both hosts on the same 100BaseT wire (cat 5). jmb >>Currently we are on a T3 with about 1500 users and using a 486 dx4 >>100 running linux as a packet filter outside the router. It sems though, >>that this configuration is placing a strenuous bottle-neck on the network >>and users aren't getting the speed or access times they deserve. My >>question is, basically a general one. Where can one find resources on >>the best types of firewalls, setup, thoery and the likes on both the net >>and normal literature. Also, if anyone would be willing to give a bit of >>advice on the CURRENT packet filter we have, it would be much >>appreciated. > >Without knowing your network configuration it's kind of difficult to >ponder, but here we go. Lets assume your bottle neck is the Linux >packet filtering Firewall. Do you have 10Mb cards or 100Mb, how much >ram do you have. How many concurrent users do you have accessing >through you T3 connection. How many lines of access control list are >you using (approx). All of these things play a role in that Linux box being >the bottle neck. > >SrA Ashley Taylor >Network Security >taylora@malmstrom.af.mil > > From owner-firewalls-outgoing Tue Jul 8 12:36:44 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA03524 for firewalls-outgoing; Tue, 8 Jul 1997 11:18:35 -0700 (PDT) Received: from iproute.com (att.avana.net [205.245.133.35]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id LAA03507 for ; Tue, 8 Jul 1997 11:18:24 -0700 (PDT) From: mikech@avana.net Received: from att (att.iproute.com [192.168.0.4]) by iproute.com (8.8.4/8.8.4) with SMTP id PAA15841; Tue, 8 Jul 1997 15:15:07 -0400 Date: Tue, 8 Jul 1997 14:08:41 -0500 Subject: RE: Two ISP's to one DMZ To: "Aaron J. Peterson" , Firewalls@GreatCircle.COM X-Mailer: Z-Mail Pro 6.1 (Win32 - 021297) Evaluation Copy, NetManage Inc. 
X-Priority: 3 (Normal) References: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=ISO-8859-1 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk ------------------------ From: "Aaron J. Peterson" Subject: RE: Two ISP's to one DMZ Date: Tue, 8 Jul 1997 00:53:17 -0700 (PDT) To: Firewalls@GreatCircle.COM > > All this talk about dynamic DNS as a solution to _anything_ suprizes me. > This is an application where a key goal is to optimize recovery or > failover response time. > > You'd think that people actually believed that "dynamic DNS" is scalable. > Keeping track of who to push deltas to aside, it seems to mee that one of > the key aspects of DNS, the distributed database that it is, was caching > for a significant period of time. I agree it is not a perfect solution but we are not talking about changing the IP every 30 seconds are we? This should only happen every couple of hours if at all. We are talking failover solutions. > > So, dynamic NAT + dynamic DNS, IMNSHO, is a poor solution due to the > connectivity loss during the time required to allow all the caches of all > the not-quite-bleeding-edge DNS servers to expire. > In our customer trials, Dynamic DNS response has been under 20 minutes (we reload the databse every 10 minutes) from a large percentage (95%) of the net. We haven't found a production DNS server yet that didn't age out the cache properly. However, we have seen route update times of 24 hours or more in about 75 percent of the cases under BGP (if not total failure due to the old route not being removed). Most routers are definitely not up to updating a route through BGP. Besides, how are you going to switch between CIDRs? If I am using a Sprint Class B or C IP block how am I going to route it through MCI? > I really must be missing a key point, please tell me what it is. > > That leaves BGP as the only feasible, universal solution. I repeat that this is *not* available from every provider. 
> > Sorry, this has little to do with firewalls proper, I'll shut up. > Let's say for arguments sake that you don't like Dynamic DNS. You just set up mutiple A records and your clients should have only a couple of seconds (if that) delay before they hit the right IP. Do an "nslookup" on rs.internic.net. They have 6 valid IPs for that domain name. This takes care of the caching problem. > -Aaron J. Peterson > Opinionated Network Dabbler > aajpeter@best.com > > ---------------End of Original Message----------------- I think that you will find multi homed NAT is a much better "real world" solution than BGP at this time. I speak from the experience of hundreds of installs. Mike -- 14:08:42 07/08/97 _______________________________________________________________________ Michael W. Chalkley Tel: +1.770.772.4567 ZapNet! Inc. Fax: +1.770.475.7640 Suite 400-120 E-mail: mikech@iproute.com 10945 State Bridge Road mikech@avana.net Alpharetta, GA 30202 http://www.iproute.com From owner-firewalls-outgoing Tue Jul 8 12:55:14 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA21131 for firewalls-outgoing; Tue, 8 Jul 1997 10:19:30 -0700 (PDT) Received: from wfdutilgw.ml.com (wfdutilf01.ml.com [206.3.74.31]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id KAA20327 for ; Tue, 8 Jul 1997 10:15:26 -0700 (PDT) From: mccabkei@ateam.lonnds.ml.com Received: from ml1.ml.com ([199.201.57.130]) by wfdutilgw.ml.com (8.8.5/8.8.5/MLgw-3.03) with ESMTP id NAA24460 for ; Tue, 8 Jul 1997 13:14:59 -0400 (EDT) Received: from mleu1.euro.ml.com (mleu1.euro.ml.com [131.208.157.89]) by ml1.ml.com (8.8.5/8.8.5/MLml4-2.07) with ESMTP id NAA23164 for ; Tue, 8 Jul 1997 13:18:25 -0400 (EDT) Received: from swype.bolon.uk.ml.com (swype.bolon.uk.ml.com [131.208.231.14]) by mleu1.euro.ml.com (8.7.3/8.7.3/MLdomain-2.02) with SMTP id SAA22075 for ; Tue, 8 Jul 1997 18:18:52 +0100 (BST) Received: from ateam.lonnds.ml.com by swype.bolon.uk.ml.com 
(4.1/ML41S-1.03) id AA29254; Tue, 8 Jul 97 18:18:48 BST Received: from wallace.lonnds.ml.com by ateam.lonnds.ml.com (4.1/SMI-4.1) id AA07888; Tue, 8 Jul 97 18:17:17 BST Received: by wallace.lonnds.ml.com (SMI-8.6/SMI-SVR4) id SAA02200; Tue, 8 Jul 1997 18:17:17 +0100 Date: Tue, 8 Jul 1997 18:17:17 +0100 Message-Id: <199707081717.SAA02200@wallace.lonnds.ml.com> To: Firewalls@GreatCircle.COM Subject: Removing a single point of failure Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Content-Md5: LBWeuBcpNGHg5eGw2CsQEg== Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I've inherited a Firewall-1 firewall and it must be available at all times. Please note this is an internal firewall. Question - how do I go about providing the high availability? Do you recommend adding a further Firewall-1 box and using dynamic routing to have both boxes advertise routes to either side or do we address the high availability issue through some traditional HA OS software. Any ideas are welcome as this is urgent. 
################################################################################ Keith S McCabe email: mccabkei@lonnds.ml.com Distributed Systems Support Group phone: +44 (0)171 892 8231 Merrill Lynch Europe PLC fax: +44 (0)171 892 8487 London EC1 ################################################################################ From owner-firewalls-outgoing Tue Jul 8 13:37:19 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA08184 for firewalls-outgoing; Tue, 8 Jul 1997 11:43:44 -0700 (PDT) Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id LAA08141 for ; Tue, 8 Jul 1997 11:43:33 -0700 (PDT) Received: from portia.teleport.com (portia.teleport.com [192.108.254.5]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with ESMTP id LAA15621 for ; Tue, 8 Jul 1997 11:49:41 -0700 (PDT) Received: from linda.teleport.com (linda.teleport.com [192.108.254.12]) by portia.teleport.com (8.8.5/8.7.3) with ESMTP id LAA27631; Tue, 8 Jul 1997 11:45:30 -0700 (PDT) Received: (from alano@localhost) by linda.teleport.com (8.8.5/8.8.4) id LAA18286; Tue, 8 Jul 1997 11:45:30 -0700 (PDT) Date: Tue, 8 Jul 1997 11:45:30 -0700 (PDT) From: Alan To: "Jonathan M. Bresler" cc: proff@suburbia.net, "Emily G. Cohen" , Firewalls@GreatCircle.COM Subject: Re: Check Point response to Mossad rumor In-Reply-To: <199707081638.MAA06840@kryten.frb.gov> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Tue, 8 Jul 1997, Jonathan M. Bresler wrote: > >I'm not saying your software is backdoored, but I don't think that > >is a very good argument - at least not to people who have seen the > >list of Crypto AG's customers. > > Julian, you really should state things more clearly. your omissions > leave room for misunderstanding. surely this was unintentional. 
> > the US govt compromised the security of encryption product(s) sold > by the Swiss firm Crypto AG. US govt personnel read the communications > of those countries that used Crypto AG equipment. (someone want to provide > a citation?) > > what does Check Point FireWall-1 have to do with Crypto AG, > leaving aside innuendo. whats the old line? "have you stopped beating > your wife yet? I think the point was "giving a list of customers is not a sign of security". I, personally, would be more concerned with the key recovery aspects of the stuff put out by TIS than I would the Check Point software. (Mainly because that has become the mandated firewall of choice at work and I know it has a back door. They advertise it on their web page!) > this thread has been nearly all noise and no signal. the SNR from > mars has been higher. "Mars needs sysadmins!" ]:> alano@teleport.com | "Those who are without history are doomed to retype it." From owner-firewalls-outgoing Tue Jul 8 13:47:46 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA12819 for firewalls-outgoing; Tue, 8 Jul 1997 12:02:02 -0700 (PDT) Received: from pse01.pios.com (PSE01.PIOS.COM [199.33.129.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id MAA12789 for ; Tue, 8 Jul 1997 12:01:48 -0700 (PDT) Received: by pse01.pios.com; (5.65v3.2/1.3/10May95) id AA10160; Tue, 8 Jul 1997 15:05:16 -0400 Received: from vaxa.PIOS.COM (vaxa.PIOS.COM) by gemini.pios.com (PMDF V5.0-6 #18985) id <01IKZY8WKSPC8WXN6J@gemini.pios.com> for firewalls@greatcircle.com; Tue, 08 Jul 1997 15:06:41 -0400 (EDT) Received: from cal_133.cal.pios.com (192.168.14.133) by PIOS.PIOS.COM (PMDF V5.0-6 #18984) id <01IKZY78AYZK96VTNW@PIOS.PIOS.COM> for firewalls@greatcircle.com; Tue, 08 Jul 1997 15:05:20 -0400 (EDT) Date: Tue, 08 Jul 1997 15:04:34 -0400 From: Bill Stout Subject: Trustability of Security binaries X-Sender: stoutb@192.168.0.37 To: firewalls@greatcircle.com Message-Id: 
<2.2.32.19970708190434.008cddcc@192.168.0.37> Mime-Version: 1.0 X-Mailer: Windows Eudora Pro Version 2.2 (32) Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk What is the general opinion on trustability of security software distributed as binaries? Old-timers remember an issue of trustability when software companies went from source to compiled distributions. Are there companies which offer different versions of firewall binaries for commercial vs. government use? Totally fictitious situation follows (Note: I'm not trying to start any rumors, this is purely imaginative, I'm not trying to insinuating any companies, governments or agencies): Assume someone proved that a communications software Co. 'X' was associated with entities strongly motivated to maintain communications monitoring. Let's use some publicly known examples of strong motivation and backdoors; Clipper chip, Key escrow, encryption export controls, weak encryption, etc. Let's say for the sake of arguement that these public efforts failed. Reasonably we could say that entities involved would be smart enough to have some alternative plans, maybe confidential executive level agreements, or plans to get an engineer at 'X' 'involved'. After code goes over the production wall, how easy would it be for 'X' to add a subroutine awakened by a specific string? Or add a binary, a library, a module, a weakened proxy? O.K., for the sake of believability change your mental image of the above entity from a government group to amateur hacker club. Interesting to see how it's easier to believe that amateur hackers can do the above, than educated, motivated, full-time, fully-funded professional groups. Bill Stout P.S. - It's not paranoia if you know you're being monitored. 
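Stepping back to the two-firewall high-availability thread earlier in this digest (Mike Jones's RIP sketch in reply to Matthew Frith, and Keith McCabe's question about adding a second Firewall-1 box with dynamic routing): the Python below is an added simulation, not code from anyone on the list and not Check Point or HP-UX configuration. It models the Internal Router and Boundary Router as RIP listeners using the RFC 1058 defaults as assumptions (metric +1 on receipt, 180 s route expiry, 16 = unreachable; the names fw-a, fw-b, IR and BR are likewise assumed) and reproduces the path selection Mike describes, then silences fw-a to show how the failover actually unfolds.

```python
"""Simulation of the two-firewall RIP failover design discussed in this digest.

Constructed model only: two firewalls (fw-a, fw-b) each advertise the two
static routes described, an Internal Router (IR) and a Boundary Router (BR)
learn them RIP-style and pick the lowest metric.  RIP behaviour follows the
RFC 1058 defaults as an assumption: +1 hop on receipt, routes dropped 180 s
after the last update, metric 16 = unreachable.
"""
from dataclasses import dataclass, field

RIP_EXPIRE = 180.0      # seconds without an update before a learned route is dropped
RIP_INFINITY = 16       # RIP's "unreachable" metric
UPDATE_INTERVAL = 30.0  # seconds between periodic RIP broadcasts

# Static routes exactly as described in the thread: prefix -> cost, per firewall.
FIREWALL_ADVERTS = {
    "fw-a": {"internal": 0, "default": 1},
    "fw-b": {"internal": 1, "default": 0},
}


@dataclass
class LearnedRoute:
    next_hop: str
    metric: int
    last_seen: float


@dataclass
class RipListener:
    """A router that listens to RIP but does not advertise (IR and BR)."""
    name: str
    routes: dict = field(default_factory=dict)  # prefix -> {next_hop: LearnedRoute}

    def receive(self, sender: str, prefix: str, metric: int, now: float) -> None:
        metric = min(metric + 1, RIP_INFINITY)  # one hop added on receipt
        self.routes.setdefault(prefix, {})[sender] = LearnedRoute(sender, metric, now)

    def best_next_hop(self, prefix: str, now: float):
        """Lowest-metric unexpired next hop for prefix, or None if none is left."""
        live = [r for r in self.routes.get(prefix, {}).values()
                if now - r.last_seen < RIP_EXPIRE and r.metric < RIP_INFINITY]
        if not live:
            return None
        return min(live, key=lambda r: (r.metric, r.next_hop)).next_hop


def advertise(routers, live_firewalls, now):
    """Each live firewall broadcasts its static routes to both routers."""
    for fw in live_firewalls:
        for prefix, cost in FIREWALL_ADVERTS[fw].items():
            for router in routers:
                router.receive(fw, prefix, cost, now)


def snapshot(ir, br, now):
    return {"ir_default": ir.best_next_hop("default", now),     # outbound path
            "br_internal": br.best_next_hop("internal", now)}   # inbound path


def run_scenario():
    """Both firewalls up for 5 min, then fw-a dies and fw-b runs alone for 5 min."""
    ir, br = RipListener("IR"), RipListener("BR")
    t = 0.0
    while t <= 300:
        advertise([ir, br], ["fw-a", "fw-b"], t)
        t += UPDATE_INTERVAL
    both_up = snapshot(ir, br, 300)
    while t <= 600:                       # fw-a is silent from here on
        advertise([ir, br], ["fw-b"], t)
        t += UPDATE_INTERVAL
    fw_a_down = snapshot(ir, br, 600)
    # Right after the failure the stale route is still preferred: failover waits on the timer.
    ir2, br2 = RipListener("IR"), RipListener("BR")
    advertise([ir2, br2], ["fw-a", "fw-b"], 0)
    advertise([ir2, br2], ["fw-b"], 30)
    just_after = snapshot(ir2, br2, 60)
    return {"both_up": both_up, "just_after_failure": just_after, "fw_a_down": fw_a_down}


if __name__ == "__main__":
    for phase, paths in run_scenario().items():
        print(f"{phase:20s} outbound via {paths['ir_default']}, inbound via {paths['br_internal']}")
```

With both firewalls up the simulation gives the split Mike predicts: outbound default via (b), inbound route to the internal network via (a). The two directions of one connection therefore cross different firewalls, which is why the state-table synchronisation Matthew already has is a precondition for this design rather than an optional extra. The simulation also shows the cost of relying on RIP for failover: in the minute after fw-a goes quiet its routes are still preferred, and traffic only moves to fw-b once the expiry timer (three minutes at the assumed defaults) has run out.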
From owner-firewalls-outgoing Tue Jul 8 14:20:50 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA12106 for firewalls-outgoing; Tue, 8 Jul 1997 11:58:46 -0700 (PDT) Received: from newman (newman.unifiedtech.com [38.251.136.48]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id LAA12047 for ; Tue, 8 Jul 1997 11:58:32 -0700 (PDT) Received: from newman by newman (SMI-8.6/SMI-SVR4) id OAA27118; Tue, 8 Jul 1997 14:59:38 -0400 Message-ID: <33C28E1A.175B15D7@unifiedtech.com> Date: Tue, 08 Jul 1997 14:59:38 -0400 From: Mike Jones Organization: Unified Technologies, Inc. X-Mailer: Mozilla 4.0b5C (X11; I; SunOS 5.5.1 sun4u) MIME-Version: 1.0 To: Bill Stout CC: firewalls@greatcircle.com Subject: Re: Security sw distributed as Binaries X-Priority: 3 (Normal) References: <2.2.32.19970708164744.0084356c@192.168.0.37> Content-Type: multipart/mixed; boundary="------------37B580D025CB89BDDBD9399B" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This is a multi-part message in MIME format. --------------37B580D025CB89BDDBD9399B Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Bill Stout wrote: > What is the opinion of security software distributed as binaries? Some good, some bad. > It seems that binaries can be stuffed full of doors, holes, worms, > viruses, > and compromised crypto, without the user ever knowing. Except for > experiencing the result. Binaries are distributed in the 'trust it > blindly, > it's safe' concept. Read Ken Thompson's Turing Award Lecture, "On Trusting Trust." I believe that doing something like you've described would be rather more difficult than is often assumed. This backdoor/hole/ virus/what-have-you would have to be inserted in the code so that their presence would not be detectable in normal (or even reasonably abnormal) operation. Most software companies have a hard enough time getting the code that's *supposed* to be there to work correctly. 
Also, there's the counter argument that giving out the source means that the black hats have a chance to review it looking for unintentional holes. Yes, so do the good guys, but a lot of the good guys have other jobs and/or real lives. For (at least some of) the black hats, finding holes *is* their "job". Believing that source is good usually carries the (often unstated) belief that the good guys will be able to use the source to find/fix problems faster than the bad guys will be able to find/exploit them. > Totally fictitious situation follows: > Assume that one could prove that a security software company was > compromised > by association with a group that was strongly motivated to monitor > communications. Let's say use American examples here, Clipper chip, > Key escrow Then, as Marcus has pointed out, one could get *very* rich merely by shorting a large position in the stock and placing a couple of phone calls to, say, CNN and the Wall Street Journal. It seems pretty inconceivable to me that everyone connected with producing a piece of software with that sort of organized hole would be immune to the lure of that kind of money for long. Conspiracy Theory 101, really. --------------37B580D025CB89BDDBD9399B Content-Type: text/x-vcard; charset=us-ascii; name="vcard.vcf" Content-Transfer-Encoding: 7bit Content-Description: Card for Mike Jones Content-Disposition: attachment; filename="vcard.vcf" begin: vcard fn: Mike Jones n: Jones;Mike org: Unified Technologies adr: ;;105 Jordan Road;Troy;NY;12180;US email;internet: mike.jones@unifiedtech.com title: Sr. 
Technology Advisor tel;work: (518) 283-1003 tel;fax: (518) 283-1189 x-mozilla-cpt: ;0 x-mozilla-html: FALSE end: vcard --------------37B580D025CB89BDDBD9399B-- From owner-firewalls-outgoing Tue Jul 8 15:34:27 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA11752 for firewalls-outgoing; Tue, 8 Jul 1997 14:22:30 -0700 (PDT) Received: from gov.on.ca (govonca.gov.on.ca [192.75.156.244]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id OAA11520 for ; Tue, 8 Jul 1997 14:21:35 -0700 (PDT) Received: from govonca2.gov.on.ca by gov.on.ca (5.65v3.2/Ultrix3.0-C) id AA22120; Tue, 8 Jul 1997 17:25:08 -0400 Received: from walkerj.gov.on.ca by govonca2.gov.on.ca; (8.7.5/1.1.8.2/03Nov94-0842PM) id RAA11456; Tue, 8 Jul 1997 17:25:51 -0400 (EDT) Received: by walkerj.gov.on.ca with Microsoft Mail id <01BC8BC4.00713000@walkerj.gov.on.ca>; Tue, 8 Jul 1997 17:25:59 -0700 Message-Id: <01BC8BC4.00713000@walkerj.gov.on.ca> From: Management Board Secreteriat To: "firewalls@GreatCircle.COM" , "'Frank Post'" Subject: RE: FW-1 Performance Date: Tue, 8 Jul 1997 17:25:53 -0700 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Frank ..... I too had a similar problem on my sparc20 running solstice = fw1 2.0 It would run up to 100% when I issued fwstart with an any any = any no logging rule set. Sun sent me patch #103334-06. which I have = just applied ..... I have yet to test it as I am waiting for my change = mgmt folks to approve ...... Hope this helps .......=20 James Walker=20 Government of Ontario=20 Security & Contingency Services =20 ---------- From: Frank Post Sent: Tuesday, July 08, 1997 12:27 AM To: firewalls@GreatCircle.COM Subject: FW-1 Performance Is it possible that FW-1 v2.0 on a Sun Ultra-1 needs 60% of the Systems=20 CPU Performance, when it is connected to an 6MBit/s Internet Link ? 
Even if there are no Rules in (only to Log all other Port than http), = and the DNS Resolution of Logging is Disabled ?=20 Thanks, Frank -------------------------------------------------------------------------= Frank Post Email: = fpost@metronet.de From owner-firewalls-outgoing Tue Jul 8 15:39:53 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA04166 for firewalls-outgoing; Tue, 8 Jul 1997 13:46:27 -0700 (PDT) Received: from shell.firehouse.net (shell.firehouse.net [209.42.203.45]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA04046 for ; Tue, 8 Jul 1997 13:45:52 -0700 (PDT) Received: from localhost (brian@localhost) by shell.firehouse.net (8.8.5/8.8.5) with SMTP id QAA20398; Tue, 8 Jul 1997 16:48:49 -0400 (EDT) Date: Tue, 8 Jul 1997 16:48:49 -0400 (EDT) From: Brian Mitchell To: seane@choreo.ca cc: myelland@ferc.fed.us, Firewalls@GreatCircle.COM Subject: Re: security check In-Reply-To: <33C276CE.9501D862@intergate.bc.ca> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Tue, 8 Jul 1997, Sean Elrington wrote: > You could try the following: > > 1. SATAN > 2. Internet Security Scanner (http://www.iss.net) > 3. Getting a port scanner like USCAN > 4. Ballista (http://www.secnet.com) Various companies also do penetration testing including: 1. Netcraft (http://www.netcraft.com/security) 2. Engarde (http://www.engarde.com) Brian Mitchell brian@firehouse.net "BSD code sucks. Of course, everything else sucks far more." 
- Theo de Raadt

From owner-firewalls-outgoing Tue Jul 8 16:04:28 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA03854 for firewalls-outgoing; Tue, 8 Jul 1997 13:44:32 -0700 (PDT)
Received: from proteus.tidalwave.net (proteus.nicom.com [208.206.112.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA03828 for ; Tue, 8 Jul 1997 13:44:19 -0700 (PDT)
Received: from chris.tidalwave.net ([208.220.24.141]) by proteus.tidalwave.net (Netscape Mail Server v2.02) with SMTP id AAA21382 for ; Tue, 8 Jul 1997 16:39:45 -0400
Message-Id: <3.0.1.32.19970708162658.006fdc28@postoffice.tidalwave.net>
X-Sender: chrisp@postoffice.tidalwave.net
X-Mailer: Windows Eudora Light Version 3.0.1 (32)
Date: Tue, 08 Jul 1997 16:26:58 -0400
To: firewalls-digest@GreatCircle.COM
From: Chris Pressley
Subject: DNS error in AltaVista Firewall 97 for NT
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I received these error messages in Event Viewer when I reboot my AltaVista
Firewall 97 Intel NT:

  The description for event id 3 in source DNS 21 could not be found. It
  contains the following insertion strings:
  DNS 2.1 for NT 2.1, error: 203, opensocket: bind failed!

  The description for event id 3 in source DNS 21 could not be found. It
  contains the following insertion strings:
  <1> July 8, 15:51:29 syslog: bind(dfd=108, [206.246.77.120] .53): no such file or directory existing.

  The description for event id 5 in source DNS 21 could not be found. It
  contains the following insertion strings:
  <3> July 8, 15:51:29 syslog: starting DNS for NT 2.1 March 24, 1997 Metainfo, Inc. and Corp. Computer Inc.

When trying to start DNS manually, I get the following error message:

  error starting the following: DNS. More info. may be available in logs or Event Viewer.
Thanks, Chris From owner-firewalls-outgoing Tue Jul 8 16:13:27 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA07635 for firewalls-outgoing; Tue, 8 Jul 1997 14:02:17 -0700 (PDT) Received: from mclo50.med.navy.mil (mclo50.med.navy.mil [164.167.86.50]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id OAA07543 for ; Tue, 8 Jul 1997 14:01:52 -0700 (PDT) Received: from mclo100.med.navy.mil (mclo100.med.navy.mil [164.167.86.100]) by mclo50.med.navy.mil (8.7.6/8.7.3) with ESMTP id PAA03313; Tue, 8 Jul 1997 15:40:56 -0400 Message-Id: <199707081940.PAA03313@mclo50.med.navy.mil> From: "Bob Resino" To: "=?ISO-8859-1?Q?Robert_St=E5hlbrand?=" , "'firewalls@greatcircle.com'" Subject: Re: How secure is ISDN? Date: Tue, 8 Jul 1997 15:41:51 -0400 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1161 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk ---------- > From: Robert Ståhlbrand > I have some questions about security with ISDN. > > This is how it's configured: > I have two ISDN-routers, one at the office and one at home. The > ISDN-routers works like "one router" and do not have any subnet between > each other (unnumbered ip). I am using CHAP for authentication between > the routers. The routers have a pretty advanced ip-filtering system > built in which I have configured so that only my network is allowed to > pass through the router at office. You can even filter traffic so it > gets lower priority which impresses me a bit! I am compressing the > traffic between the routers with a built in compression method. > > My questions are: > > 1) Is it possible for an evil mind to sniff on my ISDN-connection to see > information going between the routers and if it's very easy or very > hard? Possible, but not something an average cracker can do. 
The equipment required (like a t-berd or similar, see http://www.ttc.com) is expensive. The person doing the sniffing has to have an idea of what he is doing. Looking at bearer channels isn't what I'd call fun. If the channels are bonded, it's less fun. Also, depending on the central office gear, a passive device on the line might be detected as a DSL Circuit Fault (a LUCENT 5ESS would, and it would send a message to the secondary maintenance channel.)

> 2) Is it possible for this evil-minded person to call the
> ISDN-phonenumber at my office and connect to the network (assume that he
> guessed the authentication code and knows that he must be in the same
> ip-network as I because of the filter)? I mean, the router is configured
> to only call my ISDN-router at home, but if he has sniffed on the line
> when I made a telnet to the ISDN-router at my office, maybe he can
> reconfigure it himself?
>

If they did all that, YES. Now, since ISDN normally passes the SLID (subscriber line ID) down the d-channel, configure the router to allow connects only from your remote SLID.

> 3) Do I have to encrypt the connection to make it safe enough and, in
> that case, what method do you recommend?

Depends on the risk assessment. How much is your data worth ?? :-)

Bob Resino, Infrastructure Planner
Medical Construction Liaison Dept.
Naval Healthcare Support Office
757-953-7400 Ext 322 <-----------NEW PHONE EXCHANGE !!
From owner-firewalls-outgoing Tue Jul 8 16:37:01 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA08737 for firewalls-outgoing; Tue, 8 Jul 1997 09:14:37 -0700 (PDT)
Received: from mail.credo.net (mail.noc.credo.net [199.107.168.7]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id JAA08644 for ; Tue, 8 Jul 1997 09:14:17 -0700 (PDT)
Received: from darkstar.noc.credo.net (darkstar.noc.credo.net [199.107.168.9]) by mail.credo.net (8.8.5/8.7.3) with SMTP id JAA03457; Tue, 8 Jul 1997 09:20:25 -0700 (PDT)
Message-Id: <3.0.32.19970708091331.008fc480@199.107.168.5>
Received: from john.credo.net ([199.107.169.3]) by darkstar.noc.credo.net via smtpd (for mail.noc.credo.net [199.107.168.5]) with SMTP; 8 Jul 1997 16:16:46 UT
X-Sender: john@199.107.168.5
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Tue, 08 Jul 1997 09:13:34 -0700
To: <@inreach.com@uunet.uu.net>
From: John Whittaker
Subject: Re: another Citrix Winframe query
Cc: firewalls@greatcircle.com
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

hi,

we have been involved in an external-only penetration test involving a site that had implemented winframe. from the internet we were able to gain access to all their internal systems through it, including machines that were not running ip. to secure it we secured the o/s and implemented strong authentication and encrypted tunnels.

it seems to be a very good product, just not very secure out of the box. it basically is a multi-user norton pc-anywhere on steroids. it passes gdi calls to a remote client (ICA) (transmitting only screen changes). this is basically what microsoft has in mind for their hydra stuff. so watch out.
primary security risks involved with implementing winframe:

#1 has weak authentication out of the box (multi-use passwords)
#2 has a 'ghost' feature
#3 as far as i know does not encrypt gdi deltas (someone could write a player to replay gdi calls)
#4 runs on a modified windowsNT platform (make sure whoever installs it knows how to secure nt)

i hope this is helpful.

regards,
john.

At 08:03 PM 7/7/97 -0700, you wrote:
> I have been waiting for a post regarding Winframe. I have had a few
>clients that have implemented Winframe.
>
> What is Winframe? Winframe is an X Windows server hosted on a NT Server.
>The idea is to put the power back at the server and save money by avoiding
>upgrading the clients!!! Of course, the applications are executed at the
>server and if the network performance is good the end user performance is
>also good!
>
> Beware, the entire technology is based on low bandwidth X windows. I am
>currently in progress of doing a security analysis of Low Bandwidth
>X....But to be truthful I haven't made much progress( I have to work; gets
>in the way )
>
>So I'm with Phil......What are the threats involved with this stuff???
>Is Low Bandwidth X more secure than X windows??? Less secure?? The same??
>
>By-the-way, thus far my recommendations to my clients are as follows;
>
> If clients and server are on the internal net or a point-to-point
>remote office: Allow
>
> If server is outside Firewall, hell no, the stuff is just X windows
> Drop, reject
>
>
>cheers
>
>John Dias
>
>independent consultant
>
>----------
>> From: Phil Burg
>> To: 'firewalls@greatcircle.com'
>> Subject: another Citrix Winframe query
>> Date: Thursday, July 03, 1997 5:38 PM
>>
>> G'day all
>>
>> My apologies if this has been discussed before; I searched the archives
>> but couldn't find this problem.
>>
>> Some of my users want to connect, through our firewall, to a third-party
>> winframe server. The client PCs will be connected to our LAN at the
>> same time as the remote server.
>> I'm wondering if there's a known exposure
>> in the Winframe client software that would allow the client PCs to be
>> compromised ?
>>
>> regards
>> Phil
>> --
>> Phil Burg
>> Technical Analyst
>> Information Systems Security
>> Coles Myer Ltd
>> (03) 9483 7613
>>

-------------------------------------------------------------------------
John Whittaker                                   CREDO NET
Vice President            a division of Credo Computer Systems, Inc
-------------------------------------------------------------------------
Providing your business with turnkey solutions for doing business in the information age.
-------------------------------------------------------------------------
22941 Triton Way, Suite 241, Laguna Hills, CA 92653 (888) 88-CREDO
http://www.credo.net http://www.zoneoftrust.com

From owner-firewalls-outgoing Tue Jul 8 17:18:23 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id QAA02572 for firewalls-outgoing; Tue, 8 Jul 1997 16:07:26 -0700 (PDT)
Received: from staff.cs.su.OZ.AU (staff.cs.su.OZ.AU [129.78.8.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id QAA02514 for ; Tue, 8 Jul 1997 16:07:09 -0700 (PDT)
Received: from suede.sw.oz.au by swallow.sw.oz.au with ESMTP id XAA14970; Tue, 8 Jul 1997 23:10:50 GMT (8.6.10/Unixware) (from pjc@sw.oz.au for )
Received: from suede.sw.oz.au by suede.sw.oz.au with SMTP id XAA25312; Tue, 8 Jul 1997 23:10:49 GMT (SMI-8.6/1.34) (from pjc@softway.com.au for )
Message-ID: <33C2C8F9.F4@softway.com.au>
Date: Wed, 09 Jul 1997 09:10:49 +1000
From: Peter Clark
Organization: Softway Pty Ltd
X-Mailer: Mozilla 3.01 (X11; I; SunOS 5.5.1 sun4m)
MIME-Version: 1.0
To: chfeng
CC: firewalls@greatcircle.com
Subject: Re: NAT immune to traceroute
References: <19970708071456.AAA6290@mercury.seed.net.tw>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

chfeng wrote:
>
> hi:
>
> I apologize if this question has been discussed before. Can anyone
> point me to any NAT devices which, on the condition of allowing
> incoming/outgoing ICMP messages, can hide internal IP information
> from such applications as traceroute?
>
> Based on RFC 1631, I figure that the device must be capable of
> modifying the headers of outgoing ICMP "time exceeded" packets.
> Am I correct?
>
> Thanks in advance.
> Chih-hung Feng SEEDNET, System Engineering Dept.
> TEL 02-7370177#359 E-Mail chfeng@mozart.seed.net.tw

PIX has always done this.

Pete
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Peter Clark              http://www.softway.com.au
Security Engineer        Softway Pty Ltd
"Tell me and I'll forget."                 Phone: (+612) 9698 2322
"Show me and I'll probably remember."      Fax  : (+612) 9699 9174
"Involve me and I'll understand."
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

From owner-firewalls-outgoing Tue Jul 8 18:34:37 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id SAA23285 for firewalls-outgoing; Tue, 8 Jul 1997 18:22:39 -0700 (PDT)
Received: from pse01.pios.com (PSE01.PIOS.COM [199.33.129.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id SAA23276 for ; Tue, 8 Jul 1997 18:22:31 -0700 (PDT)
Received: by pse01.pios.com; (5.65v3.2/1.3/10May95) id AA12683; Tue, 8 Jul 1997 21:26:07 -0400
Received: from vaxa.PIOS.COM (vaxa.PIOS.COM) by gemini.pios.com (PMDF V5.0-6 #18985) id <01IL0BJ4698G8WY66I@gemini.pios.com> for firewalls@greatcircle.com; Tue, 08 Jul 1997 21:27:32 -0400 (EDT)
Received: from cal_133.cal.pios.com (192.168.14.133) by PIOS.PIOS.COM (PMDF V5.0-6 #18984) id <01IL0BHG7A1S96W03N@PIOS.PIOS.COM> for firewalls@greatcircle.com; Tue, 08 Jul 1997 21:26:12 -0400 (EDT)
Date: Tue, 08 Jul 1997 21:25:24 -0400
From: Bill Stout
Subject: Re: Cisco exploits/vulnerabilities
X-Sender: stoutb@192.168.0.37
To: firewalls@greatcircle.com
Message-Id: <2.2.32.19970709012524.0067a3d8@192.168.0.37>
Mime-Version: 1.0
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7BIT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 01:16 PM 7/7/97 +1000, you wrote:
>Greetings,
>
>There are plenty of resources on the 'Net for known
>exploits/vulnerabilities for various Unix platforms, NT and others. What
>I can't seem to locate are Cisco exploits/vulnerabilities :( Does this
>mean that there aren't any?? I think not :)

Security advisories:
http://www.cisco.com/warp/customer/779/largeent/security/advisory.html

Breaking Cisco router passwords:
http://www.cisco.com/warp/customer/474/index.shtml

These URLs require username/password access (via support contract), though typically support sites usually give out passwords ending in *'vip' to make the customer feel good. Bad practice. :(

If you have a support contract, you can subscribe to e-mail bug alerts which contain security issues as well.

Bill Stout

From owner-firewalls-outgoing Tue Jul 8 18:49:28 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id SAA23283 for firewalls-outgoing; Tue, 8 Jul 1997 18:22:34 -0700 (PDT)
Received: from tower.sedwards.com (newline2.cts.com [205.163.21.59]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id SAA23268 for ; Tue, 8 Jul 1997 18:22:22 -0700 (PDT)
Received: (from sedwards@localhost) by tower.sedwards.com (8.8.5/8.7.3) id SAA18296; Tue, 8 Jul 1997 18:25:43 -0700 (PDT)
Date: Tue, 8 Jul 1997 18:25:42 -0700 (PDT)
From: Steve Edwards
X-Sender: sedwards@tower.sedwards.com
To: Chris Pressley
cc: firewalls-digest@GreatCircle.COM
Subject: Re: DNS error in AltaVista Firewall 97 for NT
In-Reply-To: <3.0.1.32.19970708162658.006fdc28@postoffice.tidalwave.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I can't help with the DNS problems, but the Event Viewer message "The description for event id 3 in source DNS 21 could not be found..." means that you have an installation problem -- the Registry entry for the product is incorrect or missing. The Registry entry specifies the location of the DLL or EXE that contains the string resource that tells the Event Viewer how to format the error message. Thus:

1) The Registry entry is missing.
2) It's wrong.
3) You moved the DLL or EXE.

Look for a Registry entry like:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Service\EventLog\Application\DNS 21]

It should specify what it thinks is the location of the error message file.

Thanks in advance,
Steve Edwards   sedwards@cts.com   +1-760-723-2727

On Tue, 8 Jul 1997, Chris Pressley wrote:

> I received these error messages in Event Viewer when I reboot my AltaVista
> Firewall 97 Intel NT:
>
> The description for event id 3 in source DNS 21 could not be found. It
> contains the following insertion strings: DNS 2.1 for NT 2.1, error: 203,
> opensocket: bind failed!
>
> The description for event id 3 in source DNS 21 could not be found. It
> contains the following insertion strings: <1> July 8, 15:51:29 syslog:
> bind(dfd=108, [206.246.77.120] .53): no such file or directory existing.
>
> The description for event id 5 in source DNS 21 could not be found. It
> contains the following insertion strings: <3> July 8, 15:51:29 syslog:
> starting DNS for NT 2.1 March 24, 1997 Metainfo, Inc. and Corp. Computer Inc.
>
> When trying to start DNS manually, I get the following error message:
>
> error starting the following: DNS. More info. may be available in logs or
> Event Viewer.
>
> Thanks,
> Chris
>
>
>

From owner-firewalls-outgoing Tue Jul 8 19:02:34 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id SAA23645 for firewalls-outgoing; Tue, 8 Jul 1997 18:32:56 -0700 (PDT)
Received: from cphub.mail.saic.com (cpmx.mail.saic.com [139.121.95.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id SAA23638 for ; Tue, 8 Jul 1997 18:32:50 -0700 (PDT)
Received: from cpqm02.mail.saic.com by cpmx.mail.saic.com; Tue, 8 Jul 97 18:36:38 -0700
Message-ID:
Date: 8 Jul 1997 18:31:12 -0800
From: "Nori Shohara"
Subject: Re: [FW1] SQL*Net over TCP/
To: "Drexx Laggui", "Mikael Rundqvist"
Cc: firewalls@GreatCircle.COM, "fw-1-mailinglist@us.checkpoint."
X-Mailer: Mail*Link SMTP-QM 4.0.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

RE>>[FW1] SQL*Net over TCP/IP WAN links 7/8/97

SQL*Net v2 supports a multithreaded option where the known ports (typically 1521 or 1522 or 1526) are only used to establish the connection - actual data moves over a different high port. FW-1 v3 is supposed to deal correctly with this, but we still run v2.1 so I have no direct experience.

The work around is to make sure all of your clients use non-multithreaded connections - add a (srvr=dedicated) clause to the connect block in the client's tnsnames.ora file. This should work regardless of the client application.

Nori Shohara
SAIC

--------------------------------------
Date: 7/8/97 14:10
To: Nori Shohara
From: Mikael Rundqvist

Drexx Laggui wrote:
>
> Hello world,
>
> Has anybody tried accessing an Oracle database over private TCP/IP WAN
> links ? Specifically, using connections via Developer 2000 clients on
> remote PCs going through Firewall-1 before the main Oracle database on
> the central facility?
>
> Would anybody care to kindly share any experiences? Any pitfalls to
> avoid?
> Would allowing only the SQL*Net protocol thru the firewall be enough
> to
> get the job done? Or do we have to have telnet thru also ?
> (Sorry, I'm
> no
> database programmer. I'm just your regular hardware type of guy.)
>
> Thank you very much,
> Drexx.
>
> "It's a dirty job, but somebody's gotta do it." -- John Wayne
>
> ~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~
> DEXTER D. LAGGUI
> Systems Engineer, CSD-TSR
> PHILIPPINE SYSTEMS PRODUCTS INC.
> Penthouse, Corporate Business Center
> 150 Paseo de Roxas Ave., Legaspi Village
> Makati City, Philippines
>
> Phone: (++ 63-2) 813-6453 to 55 loc. 222
> Fax : (++ 63-2) 813-3516
> Email: drexx@pspi.com.ph
> Pager: (++ 63-2) 1277-33615
>
> ~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~

I have tried to use SqlNetv2 with the Oracle server running on NT and FW-1 v3. That doesn't work. When using UNIX as the platform for the Oracle server it works fine. It seems as if SqlNetv2 works differently on NT and UNIX. Is anyone using Oracle on NT and running the clients in front of a FW-1?
I do not wanna open up tcp-high-ports ;-((

--
Mikael Rundqvist           Direct:  +46(0)8-630 50 68
Salcom Communication AB    Telefax: +46(0)8-630 50 01
Kutterv 1, SE-183 53 TABY  Cell:    +46(0)70-630 50 68
WWW: http://www.salcom.se

------------------ RFC822 Header Follows ------------------
Received: by cpqm.saic.com with ADMIN;8 Jul 1997 13:55:57 -0800
Return-Path:
Received: from [206.184.151.194] by cpmx.mail.saic.com; Tue, 8 Jul 97 13:57:44 -0700
Received: from localhost (daemon@localhost) by loudecho.us.checkpoint.com (8.8.4/8.8.4) with SMTP id PAA15005; Mon, 7 Jul 1997 15:06:59 -0700 (PDT)
Received: by loudecho.us.checkpoint.com (bulk_mailer v1.5); Mon, 7 Jul 1997 15:01:52 -0700
Received: (from majordom@localhost) by loudecho.us.checkpoint.com (8.8.4/8.8.4) id PAA14957 for fw-1-mailinglist-outgoing; Mon, 7 Jul 1997 15:01:52 -0700 (PDT)
Received: from peets.us.checkpoint.com ([206.184.151.193]) by loudecho.us.checkpoint.com (8.8.4/8.8.4) with ESMTP id PAA14953 for ; Mon, 7 Jul 1997 15:01:47 -0700 (PDT)
Received: from runar.salcom.se (mail.salcom.se [194.198.242.1]) by peets.us.checkpoint.com (8.8.3/8.8.3) with ESMTP id PAA07874 for ; Mon, 7 Jul 1997 15:00:50 -0700 (PDT)
Received: from bosse.salcom.se (bosse.salcom.se [194.198.240.1]) by runar.salcom.se (8.8.5/8.8.5) with ESMTP id XAA19727; Mon, 7 Jul 1997 23:01:23 +0200
Received: from scmiru.salcom.se ([194.198.241.234]) by bosse.salcom.se (8.8.5/8.8.5) with ESMTP id XAA13027; Mon, 7 Jul 1997 23:03:31 +0200
Message-ID: <33C166F9.ACBC5978@salcom.se>
Date: Tue, 08 Jul 1997 00:00:25 +0200
From: Mikael Rundqvist
Organization: Salcom Communication AB
X-Mailer: Mozilla 4.0b5 [en] (Win95; I)
MIME-Version: 1.0
To: Drexx Laggui
CC: firewalls@GreatCircle.COM, fw-1-mailinglist@us.checkpoint.com
Subject: Re: [FW1] SQL*Net over TCP/IP WAN links
X-Priority: 3 (Normal)
References: <199706190315.TAA17922@sunphil>
Content-Type: text/plain; charset=iso-8859-1
Sender: owner-fw-1-mailinglist@us.checkpoint.com
Content-Transfer-Encoding: quoted-printable
X-MIME-Autoconverted: from 8bit to quoted-printable by loudecho.us.checkpoint.com id PAA15005

From owner-firewalls-outgoing Tue Jul 8 19:05:16 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id SAA24134 for firewalls-outgoing; Tue, 8 Jul 1997 18:40:07 -0700 (PDT)
Received: from lionsden.informatik.uni-muenchen.de (lionsden.informatik.uni-muenchen.de [129.187.214.135]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id SAA24106 for ; Tue, 8 Jul 1997 18:39:58 -0700 (PDT)
Received: from romblon.dbs.informatik.uni-muenchen.de (romblon.dbs.informatik.uni-muenchen.de [129.187.228.9]) by lionsden.informatik.uni-muenchen.de (8.7.5/8.6.9) with SMTP id DAA25828 for ; Wed, 9 Jul 1997 03:43:45 +0200 (MESZ)
Message-Id: <199707090143.DAA25828@lionsden.informatik.uni-muenchen.de>
Received: from malaka.dbs.informatik.uni-muenchen.de by romblon.dbs.informatik.uni-muenchen.de with SMTP (1.37.109.6/16.2) id AA26510; Wed, 9 Jul 97 03:43:44 +0200
Received: by malaka.dbs.informatik.uni-muenchen.de (1.37.109.6/16.2) id AA22088; Wed, 9 Jul 97 03:43:44 +0200
From: Thomas Lopatic
Subject: A New Fragmentation Attack
To: firewalls@greatcircle.com
Date: Wed, 9 Jul 1997 03:43:44 +0200 (METDST)
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Windows NT 4.0 (up to Service Pack 2) hosts which are protected by a packet filtering firewall are vulnerable to a new kind of fragmentation attack. I'll quickly outline what it is about. You can find the details and a short demo program at "http://www.dataprotect.com/ntfrag/".

NT 4.0 does not require a fragment with offset 0 to be present. So we are able to split a packet into a number of fragments each of which has a non-zero offset. Such fragments are often simply passed on by packet screens without further inspection.
However, at the NT host, they will be correctly reassembled. Hence we are able to pass packets through the firewall to the NT host.

If the packet screen insists on seeing a fragment with a zero offset, we simply send it a dummy fragment which either has a time to live that makes it expire somewhere beyond the firewall or has an invalid checksum so that it will be dropped at the NT host.

THIS PROBLEM HAS BEEN FIXED IN SP3. INSTALL IT - NOW!

For a more detailed explanation have a look at the WWW page. I am still investigating whether there is some other variant of this attack which also applies to SP3. However, up to now it is rather interesting for academic reasons - it shows once again that packet screening and perhaps even stateful inspection are vulnerable to attacks when the IP stack of protected hosts does not work as expected.

Have a nice day
-Thomas

--
Thomas Lopatic   lopatic@informatik.uni-muenchen.de

From owner-firewalls-outgoing Tue Jul 8 19:19:50 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id SAA25486 for firewalls-outgoing; Tue, 8 Jul 1997 18:51:40 -0700 (PDT)
Received: from suncomp (suncomp.compusep.com [200.12.79.33]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id SAA25477 for ; Tue, 8 Jul 1997 18:51:35 -0700 (PDT)
Received: from 200.12.79.33.www.compusep.com by suncomp (SMI-8.6/SMI-SVR4) id UAA18332; Tue, 8 Jul 1997 20:51:01 -0500
Message-Id: <199707090151.UAA18332@suncomp>
From: "Axel Quero"
To:
Date: Tue, 8 Jul 1997 20:54:56 -0600
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1157
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

remove

From owner-firewalls-outgoing Tue Jul 8 19:34:36 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id TAA27976 for firewalls-outgoing; Tue, 8 Jul 1997 19:06:25 -0700 (PDT)
Received: from uu4.psi.com (uu4.psi.com [38.146.21.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id TAA27961 for ; Tue, 8 Jul 1997 19:06:17 -0700 (PDT)
Received: from uu0672.UUCP by uu4.psi.com (5.65b/4.0.940727-PSI/PSINet) via UUCP; id AA01554 for ; Tue, 8 Jul 97 22:02:49 -0400
Received: from conair.aht.com (rblim) by aht.com (4.1/SMI-4.1) id AA10669; Tue, 8 Jul 97 19:52:11 PDT
Message-Id: <33C2EFE9.167EB0E7@aht.com>
Date: Tue, 08 Jul 1997 18:56:57 -0700
From: "Randy B. Lymn"
Organization: Breakdown
X-Mailer: Mozilla 3.0Gold (X11; U; BSD/OS 3.0 i386)
Mime-Version: 1.0
To: firewalls@GreatCircle.COM
Subject: Interceptor of Technology Inc.
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

Has anybody got experience with Interceptor of Technology Inc? Any ideas?

Randy B. Lymn

From owner-firewalls-outgoing Tue Jul 8 19:49:31 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id TAA05033 for firewalls-outgoing; Tue, 8 Jul 1997 19:40:47 -0700 (PDT)
Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id TAA04970 for ; Tue, 8 Jul 1997 19:40:31 -0700 (PDT)
Received: from Ebay.Sun.COM ([129.150.111.20]) by mercury.Sun.COM (SMI-8.6/mail.byaddr) with SMTP id UAA24557; Tue, 8 Jul 1997 20:10:42 -0700
Received: from althea.EBay.Sun.COM by Ebay.Sun.COM (SMI-8.6/SMI-5.3) id TAA03980; Tue, 8 Jul 1997 19:44:11 -0700
Received: from althea by althea.EBay.Sun.COM (SMI-8.6/SMI-SVR4) id TAA04092; Tue, 8 Jul 1997 19:42:43 -0700
Date: Tue, 8 Jul 1997 19:42:43 -0700 (PDT)
From: Jerald Josephs
Reply-To: Jerald Josephs
Subject: Re: [FW1] FW-1 DESTINATION IP Address Translation
To: fw-1-mailinglist@us.checkpoint.com, firewalls@greatcircle.com, martinw@epcorp.com
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/plain; charset=us-ascii
Content-MD5: /bpMMKMx5VvgeEy31locLQ==
X-Mailer: dtmail 1.1.0 CDE Version 1.1 SunOS 5.5.1 sun4u sparc
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

jj ->X-Sender: martinw@mail.epcorp.com
jj ->Date: Mon, 07 Jul 1997 10:32:46 -0400
jj ->To: fw-1-mailinglist@us.checkpoint.com, firewalls@greatcircle.com
jj ->From: "Martin C. Walker"
jj ->Subject: [FW1] FW-1 DESTINATION IP Address Translation
jj ->Mime-Version: 1.0
jj ->
jj ->Can anyone provide me with details on how to translate the
jj ->DESTINATION IP address in a forward moving packet outbound
jj ->from the firewall to the internet ?
jj ->
jj ->normal NAT translates only the SOURCE IP address.
jj ->
jj ->Ideally I'd like to translate only the destination address and
jj ->leave the source as an illegal 10.* address. If this is not doable
jj ->I'd need to translate both addresses.
jj ->
jj ->I have Sun's version of FW-1 2.1c on Solaris 2.5.1x86.
jj ->
jj ->I will be going to 3.0a soon, so if it's different or not do-able
jj ->on 3.* products I'd like to know that too.
jj ->
jj ->TIA for the help

It is really quite simple. I am struggling, however, to imagine a scenario where I want FireWall-1 to use address translation to route packets for me.

Define an FWXT_DST_STATIC rule for the range of internal IP addresses that you wish to modify, with the translation address being one of the valid, external IP addresses. For example, if your internal network is 10.0.0.0 and your external network is 192.168.1.0, you might translate with

+---+---------------+---------------+-----------------+---------------+
|No.| From Original | To Original   | Method          | 1st Translated|
|   | Address (Port)| Address (Port)|                 | Address (Port)|
+---+---------------+---------------+-----------------+---------------+
| 0 |10.0.0.0       |10.0.0.254     |FWXT_DST_STATIC  |192.168.1.2    |
+---+---------------+---------------+-----------------+---------------+

Now, the next problem you face is Valid Addresses. Will FireWall-1 block this packet?
According to the standard practice of defining Others as the Valid Addresses for the external interface, FireWall-1 will block any packet exiting the external interface if the source IP address is not from one of the intranets, i.e. someone in your enterprise is trying to spoof the Internet. In your case, there is no need to modify the Valid Addresses on either interface of the gateway.

Jerald E. Josephs
Course Developer - Network Security
Sun Educational Services
Phone/VM: 408-276-0941
FAX: 408-276-1565
E-mail: jerald.josephs@EBay.Sun.COM

From owner-firewalls-outgoing Tue Jul 8 20:04:33 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id TAA06895 for firewalls-outgoing; Tue, 8 Jul 1997 19:50:14 -0700 (PDT)
Received: from elektra.ultra.net (elektra.ultra.net [199.232.56.13]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id TAA06884 for ; Tue, 8 Jul 1997 19:50:03 -0700 (PDT)
Received: from zandar.judgefamily.org (joesmac.ultranet.com [199.232.59.222]) by elektra.ultra.net (8.8.5/ult1.06) with SMTP id WAA06846 for ; Tue, 8 Jul 1997 22:53:55 -0400 (EDT)
Received: by zandar.judgefamily.org with Microsoft Mail id <01BC8BF1.C0271FE0@zandar.judgefamily.org>; Tue, 8 Jul 1997 22:53:28 -0400
Message-ID: <01BC8BF1.C0271FE0@zandar.judgefamily.org>
From: Joseph Judge
To: "'firewalls@greatcircle.com'"
Subject: packet sequence oddities from AOL's nets
Date: Tue, 8 Jul 1997 22:53:26 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Has anyone seen a lot of left-over CLOSING state sockets on their web servers from AOL networks ?

A diligent do-bee at my company has tracked down the source of *many* a stuck-in-closing-state set of connections to our web server ----> AOL clients. He is working with AOL techie folks on resolution.
The main problem seems to be that they don't "hang up" their TCP connections properly (FIN-ACK never answered ... end up sending RST packets). This leaves very many CLOSING sockets on the web servers ... which don't seem to clear up until the AOL client actually closes down their AOL software (not just the browser!) -- of course the server will eventually close out the sockets over time.

The problem seems to be reproducible (sp?) and seems to be limited to AOL 16-bit clients.

- joe

From owner-firewalls-outgoing Tue Jul 8 20:19:30 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id UAA09196 for firewalls-outgoing; Tue, 8 Jul 1997 20:05:10 -0700 (PDT)
Received: from saba.kuentos.guam.net (saba.kuentos.guam.net [198.81.233.14]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id UAA09163; Tue, 8 Jul 1997 20:04:58 -0700 (PDT)
Received: by saba.kuentos.guam.net (Smail3.1.29.1 #9) id m0wln7b-0020pwC; Wed, 9 Jul 97 13:08 GST
Subject: Off Island!
Message-Id: <000000056742951262697@seiko.guam.net>
From: Mike@seiko.guam.net
Date: Wed, 09 Jul 1997 13:11:37 +1000
Organization: Seiko Guam
X-Mailer: CommuniGate 2.8.6
To: Firewalls@GreatCircle.COM
Cc: firewalls-digest@GreatCircle.COM
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

THIS IS AN AUTOMATED REPLY

I am traveling off island till July 17, 1997, and am unable to respond to your e-mail. If your message is urgent please contact my office at the number below.
Cordially,

Mike Wilkins
SEIKO Distribution Center
Agana, Guam (Time Zone +10)
VOICE: 671-649-8463
FAX: 671-646-4041
EMAIL: Mike@seiko.guam.net

From owner-firewalls-outgoing Tue Jul 8 21:04:55 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id UAA15509 for firewalls-outgoing; Tue, 8 Jul 1997 20:36:39 -0700 (PDT)
Received: from ren.globecomm.net (ren.globecomm.net [207.51.48.3]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id UAA15395 for ; Tue, 8 Jul 1997 20:36:09 -0700 (PDT)
Received: from wacked (port23.zed.com.au [203.25.232.42]) by ren.globecomm.net (8.8.5/8.8.0) with SMTP id XAA18960; Tue, 8 Jul 1997 23:39:38 -0400 (EDT)
Date: Sun, 4 Mar 1990 17:06:15 +0000 ( )
From: blah
Reply-To: blah
To: Bill Stout
cc: firewalls@GreatCircle.COM
Subject: Re: Security sw distributed as Binaries
In-Reply-To: <33C28E1A.175B15D7@unifiedtech.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Does anyone know where I can find a txt or postscript copy of the lecture?

Warpy
--------------------------------------------------
"Stronger crypto makes the world a safer place..."
http://suburbia.com.au/~warpy
Email: warpy@sekurity.org or warpy@null.net
--------------------------------------------------

On Tue, 8 Jul 1997, Mike Jones wrote:

> Bill Stout wrote:
>
> Read Ken Thompson's Turing Award Lecture, "On Trusting Trust."
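Returning to Thomas Lopatic's fragmentation post earlier in this digest: the following is an added example (not his demo program, and not from the dataprotect.com page he links) of the defensive side of what he describes, a small stateful fragment screen that passes a non-zero-offset fragment only after a valid zero-offset fragment of the same datagram has been accepted, and that refuses the two decoy initial fragments he mentions (invalid header checksum, TTL that expires before the host). The minimum TTL that can still reach the protected hosts (min_ttl), the addresses and every packet below are constructed assumptions.

```python
"""Stateful IP fragment screen for the NT 4.0 (pre-SP3) case described in
Thomas Lopatic's post: added example, not the post's demo program.
All addresses, IDs and fragments below are constructed test data."""
import struct

IP_MF = 0x2000            # "more fragments" flag
IP_OFFSET_MASK = 0x1FFF   # fragment offset, in 8-byte units


def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum; a header whose stored checksum is valid sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_fragment(src, dst, ident, offset_units, more, ttl, payload, corrupt_checksum=False):
    """Constructed test data: minimal 20-byte IPv4 header (protocol 6) plus payload."""
    flags_off = (IP_MF if more else 0) | (offset_units & IP_OFFSET_MASK)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_off,
                      ttl, 6, 0, src, dst)
    csum = ip_checksum(hdr)
    if corrupt_checksum:
        csum ^= 0x00FF    # the "invalid checksum" decoy from the post
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def parse_fragment(pkt):
    """Pull out the fields the screen needs; checksum_ok is verified over the real IHL."""
    ver_ihl, _, total_len, ident, flags_off, ttl, proto, _, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"key": (src, dst, ident, proto),
            "offset": flags_off & IP_OFFSET_MASK,
            "more": bool(flags_off & IP_MF),
            "ttl": ttl,
            "checksum_ok": ip_checksum(pkt[:ihl]) == 0,
            "payload": pkt[ihl:total_len]}


class FragmentScreen:
    """Passes a non-initial fragment only after a valid initial fragment of the same
    datagram was accepted, so a fragment set with no real offset-0 piece never reaches
    the host. min_ttl: smallest TTL that can still reach a protected host (assumed known)."""

    def __init__(self, min_ttl):
        self.min_ttl = min_ttl
        self.accepted_initial = set()   # (src, dst, ident, proto) of accepted offset-0 fragments

    def inspect(self, pkt):
        f = parse_fragment(pkt)
        if not f["checksum_ok"]:
            return "DROP", "bad header checksum: the host would discard it, so it is a decoy at best"
        if f["ttl"] < self.min_ttl:
            return "DROP", "TTL expires before the protected host: decoy initial fragment"
        if f["offset"] == 0:
            if f["more"] and len(f["payload"]) < 8:
                return "DROP", "initial fragment too short to carry the transport ports"
            self.accepted_initial.add(f["key"])
            return "PASS", "initial fragment"
        if f["key"] not in self.accepted_initial:
            return "DROP", "non-initial fragment with no accepted initial fragment"
        return "PASS", "continuation of an accepted datagram"


def demo():
    """Replay the post's scenarios through one screen; returns the verdict list for each."""
    src, dst = bytes([10, 0, 0, 5]), bytes([192, 168, 1, 20])   # constructed addresses
    screen = FragmentScreen(min_ttl=4)
    scenarios = {
        # ordinary fragmented datagram: initial fragment, then its continuation
        "legit": [build_fragment(src, dst, 1, 0, True, 64, b"A" * 16),
                  build_fragment(src, dst, 1, 2, False, 64, b"B" * 8)],
        # only non-zero-offset fragments (what NT 4.0 pre-SP3 would reassemble anyway)
        "headless": [build_fragment(src, dst, 2, 1, True, 64, b"C" * 8),
                     build_fragment(src, dst, 2, 2, False, 64, b"D" * 8)],
        # decoy initial fragment with a bad checksum ahead of the real pieces
        "decoy_checksum": [build_fragment(src, dst, 3, 0, True, 64, b"E" * 16, True),
                           build_fragment(src, dst, 3, 2, False, 64, b"F" * 8)],
        # decoy initial fragment whose TTL runs out somewhere beyond the firewall
        "decoy_ttl": [build_fragment(src, dst, 4, 0, True, 1, b"G" * 16),
                      build_fragment(src, dst, 4, 2, False, 64, b"H" * 8)],
    }
    return {name: [screen.inspect(p)[0] for p in pkts] for name, pkts in scenarios.items()}


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name:15s} {verdicts}")
```

The screen keys state on (source, destination, IP ID, protocol) only, so fragments arriving out of order before their initial fragment are dropped rather than queued; a production filter would buffer them briefly instead.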
From owner-firewalls-outgoing Tue Jul 8 21:19:37 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id VAA22282 for firewalls-outgoing; Tue, 8 Jul 1997 21:09:50 -0700 (PDT)
Received: from exchange.vig.com.tw ([203.73.222.200]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id VAA22275 for ; Tue, 8 Jul 1997 21:09:45 -0700 (PDT)
Received: from kenny ([203.73.222.193]) by exchange.vig.com.tw (Netscape Mail Server v1.1) with SMTP id AAA411 for ; Wed, 9 Jul 1997 12:16:40 +0800
X-Sender: Kenny@exchange.vig.com.tw
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@GreatCircle.COM
From: kenny@exchange.vig.com.tw (kenny)
Date: Wed, 9 Jul 1997 12:16:40 +0800
Message-ID: <19970709041640824.AAA411@kenny>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

remove

From owner-firewalls-outgoing Tue Jul 8 21:38:09 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id UAA14739 for firewalls-outgoing; Tue, 8 Jul 1997 20:33:27 -0700 (PDT)
Received: from lint.cisco.com (lint.cisco.com [171.68.223.44]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id UAA14694 for ; Tue, 8 Jul 1997 20:33:16 -0700 (PDT)
Received: from big-dawgs.cisco.com (herndon-dhcp-109.cisco.com [171.68.53.109]) by lint.cisco.com (8.8.5/CISCO.SERVER.1.2) with SMTP id UAA21493; Tue, 8 Jul 1997 20:37:07 -0700 (PDT)
Message-Id: <3.0.3.32.19970708233704.00695b90@lint.cisco.com>
X-Sender: pferguso@lint.cisco.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Tue, 08 Jul 1997 23:37:04 -0400
To: Bill Stout
From: Paul Ferguson
Subject: Re: Cisco exploits/vulnerabilities
Cc: firewalls@GreatCircle.COM
In-Reply-To: <2.2.32.19970709012524.0067a3d8@192.168.0.37>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I believe you'll find that if you substitute 'public' in the place of 'customer' in the URL's below, you don't need an account to view them.

- paul

At 09:25 PM 07/08/97 -0400, Bill Stout wrote:
>
>Security advisories:
>http://www.cisco.com/warp/customer/779/largeent/security/advisory.html
>
>Breaking Cisco router passwords:
>http://www.cisco.com/warp/customer/474/index.shtml
>
>These URLs require username/password access(via support contract), though
>typically support sites usually give out passwords ending in *'vip' to make
>the customer feel good. Bad practice. :(
>
>If you have a support contract, you can subscribe to e-mail bug alerts which
>contain security issues as well.
>

--
Paul Ferguson
Consulting Engineering
Herndon, Virginia USA
tel: +1.703.397.5938
e-mail: pferguso@cisco.com
c i s c o  S y s t e m s

From owner-firewalls-outgoing Tue Jul 8 21:55:16 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id UAA17870 for firewalls-outgoing; Tue, 8 Jul 1997 20:47:49 -0700 (PDT)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id UAA16559 for ; Tue, 8 Jul 1997 20:40:54 -0700 (PDT)
Received: from wicked.neato.org (wicked.neato.org [198.70.96.252]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with ESMTP id UAA21803 for ; Tue, 8 Jul 1997 20:18:20 -0700 (PDT)
Received: (from george@localhost) by wicked.neato.org (8.8.5/8.8.5) id UAA00761; Tue, 8 Jul 1997 20:18:52 -0700 (PDT)
Date: Tue, 8 Jul 1997 20:18:51 -0700 (PDT)
Message-Id: <199707090318.UAA00761@wicked.neato.org>
To: "Emily G. Cohen", Firewalls@GreatCircle.COM
Subject: Re: Check Point response to Mossad rumor
From: george@neato.org
X-Remailed: true
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This seems to be a rather self-serving message...

> Check Point Software Technologies Ltd. would like to assure its
> customers, security experts, and others that there is no, and never
> has been, an "agreement" or relationship between Check Point Software
> and the Mossad, or any other branch of the Israeli government or military,
> to create a "back door" into Check Point products.

Of course, what else are you going to say? I doubt that if there were "back doors" in your products or agreements with the Mossad you would come and announce that fact in any public forum. Whether there are or there aren't, you would deny that there were, so your statement is useless.

> These are false and malicious rumors that have been circulating
> since Check Point became successful, specifically targeted at
> damaging the company, and they are always from "anonymous sources."
> Check Point takes these rumors seriously, and if anyone has information
> on the source/s of these rumors, we would be very interested in hearing
> from you, so that we can take appropriate action.

Ah, and send the Mossad after you. (That was a joke!, don't send them after me.)

> Check Point FireWall-1 is the most widely installed network security
> solution in the world and no customer has ever reported a security
> breach of this nature.

I would like you to prove this. In what way is it the most widely installed network security solution? I would argue that there are more secure-id cards in use or cisco routers with packet filters installed than there are firewall-1's installed. This is more of the self-serving nature of the message.

> All Check Point FireWall-1 customers benefit from the
> product's patented Stateful Inspection technology ensuring the highest
> level of enterprise security available today.

And yet more self-serving advertisement. None of this proves one way or another that there aren't "back-doors" or Mossad agreements in place, and saying so doesn't make it so.
On the other side, there has been no proof, only unsubstantiated rumours, that there are any backdoors through checkpoints products and saying so doesn't make it so. george From owner-firewalls-outgoing Tue Jul 8 22:05:00 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id VAA28743 for firewalls-outgoing; Tue, 8 Jul 1997 21:39:21 -0700 (PDT) Received: from buffy.isi.net (buffy.isi.net [204.71.194.215]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id VAA28709 for ; Tue, 8 Jul 1997 21:39:10 -0700 (PDT) Received: from localhost (mike@localhost) by buffy.isi.net (8.8.5/ISI-1.5) with SMTP id VAA12025; Tue, 8 Jul 1997 21:43:04 -0700 (PDT) Date: Tue, 8 Jul 1997 21:43:04 -0700 (PDT) From: Mike Hedlund X-Sender: mike@buffy To: Joseph Judge cc: "'firewalls@greatcircle.com'" Subject: Re: packet sequence oddities from AOL's nets In-Reply-To: <01BC8BF1.C0271FE0@zandar.judgefamily.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I have seen those problems too.. if i remember correctly, their proxy's are the culprit. -mike On Tue, 8 Jul 1997, Joseph Judge wrote: > > Has anyone seen a lot of left-over CLOSING state sockets on > their web servers from AOL networks ? > > > A diligent do-bee at my company has tracked down the source > of *many* a stuck-in-closing-state set of connections to our > web server ----> AOL clients. He is working with AOL techie folks > on resolution. > > The main problems seems to be that they don't "hang up" their > TCP connections properly (FIN-ACK never answered ... end up > sending RST packets). This leaves very many CLOSING sockets > on the web servers ... which don't seem to clear up until the > AOL client actually closes down their AOL software (not > just the browser!) -- of course the server will eventually > close out the sockets over time. > > The problem seems to be reproducible (sp?) 
and seems > to be limited to AOL 16-bit clients. > > - joe > > From owner-firewalls-outgoing Tue Jul 8 22:19:30 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id UAA11895 for firewalls-outgoing; Tue, 8 Jul 1997 20:21:41 -0700 (PDT) Received: from f32.hotmail.com (F32.hotmail.com [207.82.250.43]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id UAA11797 for ; Tue, 8 Jul 1997 20:21:20 -0700 (PDT) Received: (from root@localhost) by f32.hotmail.com (8.8.5/8.8.5) id UAA08732; Tue, 8 Jul 1997 20:24:14 -0700 (PDT) Message-Id: <199707090324.UAA08732@f32.hotmail.com> Received: from 207.10.168.15 by www.hotmail.com with HTTP; Tue, 08 Jul 1997 20:24:13 PDT X-Originating-IP: [207.10.168.15] From: "Nate Lally" To: wiseleo@juno.com Cc: firewalls@GreatCircle.COM Subject: Re: ICQ network Content-Type: text/plain Date: Tue, 08 Jul 1997 20:24:13 PDT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Well everyone, to once again stray off on a tangent, I would have to strongly agree with Mr. Knyshov. What I am wondering... will the Java version incorporate Mirabilis' psuedo random port transfers and the like, for like Leonid stated, doing such would reveal their "secrets".. But once again, I will restate my opinion on the pure idea of the software- instant notification and potential communication between freinds on the internet while avoiding IRC is an exceptional idea, yet the current implementaions need some serious review... -DECkedout >From: wiseleo@juno.com (Leonid S Knyshov) > >Hi everyone, > >I believe we have a lot to worry about... Random incoming ports and >stuff... > >Some good news, Java version of ICQ is due soon, meaning it can be >disassembled with strace and similar tools and we will see the light :) > >That makes it truly cross-platform product *sigh*. > >Win/Mac World are no longer the only victims... I don't want any >unchecked binary code on a UNIX machine... 
> >Try unrestricted file transfers in-bound and out-bound. Via ICQ file >transfer feature. Or send URL, I believe that might invite you to a site >where a CGI will check your information, hand you a Java applet and... Or >even exploit that famous IE/Netscape collection of bugs... > >You see the possibilities? Add to that remote launch of programs >(Netscape Conference for example), video games (Quake) etc... > >Thanks to Mirabilis for such a great product, but the specs are necessary >to evaluate the threat... > >That's all for now, stay tuned :) >*** >Leonid Knyshov AKA Wise_One >http://kiassociates.com/computerhelp >http://kiassociates.com/computerhelp/personal >For file attachments please use wiseleo@hotmail.com and send a note about >it here :) > >On Thu, 03 Jul 1997 05:05:45 -0400 DECkedout >writes: >>That is the best idea i've heard of yet. I'd like them to see if they >>can handle the rigors of releasing queastionable software and trying >>to >>get it patented... I sure have a few questions of my own. >>Personally, >>my bet is that they stay out of the spotlight until they become >>commercial, then they don't have to release anything accept technical >>support for morons. Well folks, let's see who joins the party. 
>>-DECkedout _______________________________________________________ Get Private Web-Based Email Free http://www.hotmail.com From owner-firewalls-outgoing Tue Jul 8 23:14:01 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id WAA10623 for firewalls-outgoing; Tue, 8 Jul 1997 22:37:10 -0700 (PDT) Received: from elektra.ultra.net (elektra.ultra.net [199.232.56.13]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id WAA10595 for ; Tue, 8 Jul 1997 22:37:01 -0700 (PDT) Received: from zandar.judgefamily.org (joesmac.ultranet.com [199.232.59.222]) by elektra.ultra.net (8.8.5/ult1.06) with SMTP id BAA06886; Wed, 9 Jul 1997 01:40:53 -0400 (EDT) Received: by zandar.judgefamily.org with Microsoft Mail id <01BC8C09.16815420@zandar.judgefamily.org>; Wed, 9 Jul 1997 01:40:31 -0400 Message-ID: <01BC8C09.16815420@zandar.judgefamily.org> From: Joseph Judge To: Joseph Judge , "'Mike Hedlund'" Cc: "'firewalls@greatcircle.com'" Subject: RE: packet sequence oddities from AOL's nets Date: Wed, 9 Jul 1997 01:40:30 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Any resolution ? or just to withstand it with more memory, patience, etc :-) - joe ---------- From: Mike Hedlund[SMTP:mike@isi.net] Sent: Tuesday, July 08, 1997 5:43 PM To: Joseph Judge Cc: 'firewalls@greatcircle.com' Subject: Re: packet sequence oddities from AOL's nets I have seen those problems too.. if i remember correctly, their proxy's are the culprit. -mike On Tue, 8 Jul 1997, Joseph Judge wrote: > > Has anyone seen a lot of left-over CLOSING state sockets on > their web servers from AOL networks ? > > > A diligent do-bee at my company has tracked down the source > of *many* a stuck-in-closing-state set of connections to our > web server ----> AOL clients. He is working with AOL techie folks > on resolution. 
> > The main problems seems to be that they don't "hang up" their > TCP connections properly (FIN-ACK never answered ... end up > sending RST packets). This leaves very many CLOSING sockets > on the web servers ... which don't seem to clear up until the > AOL client actually closes down their AOL software (not > just the browser!) -- of course the server will eventually > close out the sockets over time. > > The problem seems to be reproducible (sp?) and seems > to be limited to AOL 16-bit clients. > > - joe > > From owner-firewalls-outgoing Tue Jul 8 23:19:33 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id WAA13222 for firewalls-outgoing; Tue, 8 Jul 1997 22:49:20 -0700 (PDT) Received: from buffy.isi.net (buffy.isi.net [204.71.194.215]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id WAA13050 for ; Tue, 8 Jul 1997 22:48:49 -0700 (PDT) Received: from localhost (mike@localhost) by buffy.isi.net (8.8.5/ISI-1.5) with SMTP id WAA12653; Tue, 8 Jul 1997 22:52:43 -0700 (PDT) Date: Tue, 8 Jul 1997 22:52:43 -0700 (PDT) From: Mike Hedlund X-Sender: mike@buffy To: Joseph Judge cc: "'firewalls@greatcircle.com'" Subject: RE: packet sequence oddities from AOL's nets In-Reply-To: <01BC8C09.16815420@zandar.judgefamily.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I just changed configs on the unix boxs to time them out faster... tweak time_wait etc... -mike On Wed, 9 Jul 1997, Joseph Judge wrote: > > Any resolution ? or just to withstand it with more memory, > patience, etc :-) > > - joe > > > ---------- > From: Mike Hedlund[SMTP:mike@isi.net] > Sent: Tuesday, July 08, 1997 5:43 PM > To: Joseph Judge > Cc: 'firewalls@greatcircle.com' > Subject: Re: packet sequence oddities from AOL's nets > > > I have seen those problems too.. if i remember correctly, their proxy's > are the culprit. 
> > -mike > > > On Tue, 8 Jul 1997, Joseph Judge wrote: > > > > > Has anyone seen a lot of left-over CLOSING state sockets on > > their web servers from AOL networks ? > > > > > > A diligent do-bee at my company has tracked down the source > > of *many* a stuck-in-closing-state set of connections to our > > web server ----> AOL clients. He is working with AOL techie folks > > on resolution. > > > > The main problems seems to be that they don't "hang up" their > > TCP connections properly (FIN-ACK never answered ... end up > > sending RST packets). This leaves very many CLOSING sockets > > on the web servers ... which don't seem to clear up until the > > AOL client actually closes down their AOL software (not > > just the browser!) -- of course the server will eventually > > close out the sockets over time. > > > > The problem seems to be reproducible (sp?) and seems > > to be limited to AOL 16-bit clients. > > > > - joe > > > > > > > > > From owner-firewalls-outgoing Tue Jul 8 23:34:33 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id WAA13670 for firewalls-outgoing; Tue, 8 Jul 1997 22:50:44 -0700 (PDT) Received: from suned1.Nswses.Navy.MIL (suned1.nswses.navy.mil [137.24.30.40]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id WAA13282; Tue, 8 Jul 1997 22:49:32 -0700 (PDT) Received: by suned1.Nswses.Navy.MIL (SMI-8.6/SMI-SVR4-9605281800c) id WAA13781; Tue, 8 Jul 1997 22:53:27 -0700 From: efb@suned1.Nswses.Navy.MIL (Everett F Batey SysAdm) Message-Id: <199707090553.WAA13781@suned1.Nswses.Navy.MIL> Subject: Return .. For Chrissake .. enough is enough .. 
To: owner-firewalls-outgoing@GreatCircle.COM Date: Tue, 8 Jul 1997 22:53:26 -0700 (PDT) Cc: brent@GreatCircle.COM, firewalls@GreatCircle.COM Reply-To: efb@suned1.Nswses.Navy.MIL ( Everett F Batey II ) X-Orgztn: PHD NSWC (NSWSES) 4A05 Port Hueneme, CA 93043 - Opinions: Only Mine X-Phones: 805.982.7180, DSN 551, VoiceMail 805.340.6471, DPage: 655.2017 X-Mailer: ELM [version 2.4 PL25] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I have been sending polite requests to you to drop this EXTINCT user .. SHE IS REALLY GONE // all I can think to do is forward all her mail from you back to you .. lets use a little class and drop her .. call me if you wish to confirm the request .. /Ev Batey .. Postmaster AT suned1.nswses.navy.mil, postmaster AT nswses.navy.mil // THANKS // This came from Mail Delivery Subsystem: > From Mailer-Daemon Tue Jul 8 12:42:33 1997 > Date: Tue, 8 Jul 1997 12:42:33 -0700 > From: Mailer-Daemon (Mail Delivery Subsystem) > Subject: Returned mail: Service unavailable > Message-Id: <199707081942.MAB12064@suned1.Nswses.Navy.MIL> > To: Postmaster > Content-Length: 2399 > > The original message was received at Tue, 8 Jul 1997 12:42:31 -0700 > from [137.24.128.66] > > ----- The following addresses had delivery problems ----- > (unrecoverable error) > > ----- Transcript of session follows ----- > mail.local: /var/mail/amw: Permission denied > 554 ... 
Service unavailable > > ----- Message header follows ----- > Return-Path: > Received: from titan.phdnswc.navy.mil by suned1.Nswses.Navy.MIL (SMI-8.6/SMI-SVR4-9605281800c) > id MAA12063; Tue, 8 Jul 1997 12:42:31 -0700 > Received: by titan.phdnswc.navy.mil; id AA122450644; Tue, 8 Jul 1997 12:37:25 -0700 > Received: from relay3.uu.net(192.48.96.8) by titan.phdnswc.navy.mil via smap (3.2) > id xma012233; Tue, 8 Jul 97 12:37:04 -0700 > Received: from honor.greatcircle.com by relay3.UU.NET with ESMTP > (peer crosschecked as: [198.102.244.44]) > id QQcxis03377; Tue, 8 Jul 1997 15:40:44 -0400 (EDT) > Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA15957 for firewalls-outgoing; Tue, 8 Jul 1997 09:53:24 -0700 (PDT) > Received: from newfed.frb.gov (newfed.frb.gov [198.3.221.5]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id JAA15914 for ; Tue, 8 Jul 1997 09:53:11 -0700 (PDT) > Received: from FRB.GOV (umailfwd@localhost) > by newfed.frb.gov (8.8.5/8.8.5) with UUCP id MAA10007; > Tue, 8 Jul 1997 12:21:43 -0400 (EDT) > Received: from kryten.frb.gov by frbgate.FRB.GOV (4.1/SMI-4.0) > id AA09971; Tue, 8 Jul 97 12:15:19 EDT > Received: from localhost.frb.gov (localhost.frb.gov [127.0.0.1]) > by kryten.frb.gov (8.8.5/8.8.5) with SMTP id MAA06628; > Tue, 8 Jul 1997 12:15:07 -0400 (EDT) > Message-Id: <199707081615.MAA06628@kryten.frb.gov> > X-Authentication-Warning: kryten.frb.gov: localhost.frb.gov [127.0.0.1] didn't use HELO protocol > X-Mailer: exmh version 1.6.5 12/11/95 > To: 341CS Network Security Taylor Ashley > Cc: firewalls@GreatCircle.COM > Subject: Re: Setting up firewall newbie.. > In-Reply-To: Your message of "Tue, 08 Jul 1997 07:57:41 MDT." > > Mime-Version: 1.0 > Content-Type: text/plain; charset=us-ascii > Date: Tue, 08 Jul 1997 12:15:06 -0400 > From: "Jonathan M. 
Bresler" > Sender: firewalls-owner@GreatCircle.COM > Precedence: bulk > content-length: 1643 > > ----- Message body suppressed ----- > > -- + efb@suned1.nswses.Navy.MIL efb@cotdazr.org efb@oxnardsd.org WA6CRE + + http: /www.vcnet.com/efb /halide.acs.uci.edu/GCSUG /www.gitt.gov + + Opinions MINE, NOT Uncles | Edu: http://www.oxnardsd.org/ innd email DNS + + Beep 805.655.2017 Ofc 805.982.7180 (Many Fwds) Vmail 805.340.6471..2..5 + From owner-firewalls-outgoing Wed Jul 9 00:04:42 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA22854 for firewalls-outgoing; Tue, 8 Jul 1997 23:41:40 -0700 (PDT) Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id XAA22563 for ; Tue, 8 Jul 1997 23:40:33 -0700 (PDT) Received: from mailhost.dircon.co.uk (mailhost.dircon.co.uk [194.112.32.10]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with ESMTP id XAA24879 for ; Tue, 8 Jul 1997 23:46:46 -0700 (PDT) Received: from wend.dircon.co.uk (wend.dircon.co.uk [194.112.45.154]) by mailhost.dircon.co.uk (8.8.4/8.7.3) with ESMTP id HAA09930; Wed, 9 Jul 1997 07:44:14 +0100 (BST) Received: from localhost (dwhitlow@localhost) by wend.dircon.co.uk (8.8.5/8.8.5) with SMTP id HAA00492; Wed, 9 Jul 1997 07:48:04 +0100 Date: Wed, 9 Jul 1997 07:48:04 +0100 (BST) From: Dave Whitlow To: Brian Mitchell cc: seane@choreo.ca, myelland@ferc.fed.us, Firewalls@GreatCircle.COM Subject: Re: security check In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Tue, 8 Jul 1997, Brian Mitchell wrote: > On Tue, 8 Jul 1997, Sean Elrington wrote: > > > You could try the following: > > > > 1. SATAN > > 2. Internet Security Scanner (http://www.iss.net) > > 3. Getting a port scanner like USCAN > > > > 4. Ballista (http://www.secnet.com) > > Various companies also do penetration testing including: > > 1. 
Netcraft (http://www.netcraft.com/security) > 2. Engarde (http://www.engarde.com) 3. Idsec (http://www.idsec.co.uk) Dave dwhitlow@wend.dircon.co.uk From owner-firewalls-outgoing Wed Jul 9 01:31:25 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id BAA08503 for firewalls-outgoing; Wed, 9 Jul 1997 01:18:23 -0700 (PDT) Received: from relay-i.de.eu.tis.com (relay.de.eu.tis.com [193.99.122.194]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id BAA08486 for ; Wed, 9 Jul 1997 01:18:14 -0700 (PDT) Received: by relay-i.de.eu.tis.com; id KAA27823; Wed, 9 Jul 1997 10:27:13 +0200 (MET DST) Received: from leo.de.eu.tis.com(193.99.122.226) by relay.de.eu.tis.com via smap (3.2) id xma027821; Wed, 9 Jul 97 10:26:45 +0200 Received: from moby.de.eu.tis.com(really [193.99.122.230]) by mail.de.eu.tis.com via sendmail with smtp id for ; Wed, 9 Jul 1997 10:23:15 +0200 (CEST) (Smail-3.2 1996-Jul-4 #16 built 1997-Apr-10) Message-Id: <3.0.2.32.19970709101902.0076a52c@mail.de.eu.tis.com> X-Sender: pd@mail.de.eu.tis.com X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.2 (32) Date: Wed, 09 Jul 1997 10:19:02 +0200 To: Dave Whitlow , Brian Mitchell From: Peter Dieth Subject: Re: security check Cc: seane@choreo.ca, myelland@ferc.fed.us, Firewalls@GreatCircle.COM In-Reply-To: References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 07:48 09.07.97 +0100, Dave Whitlow wrote: >On Tue, 8 Jul 1997, Brian Mitchell wrote: > >> On Tue, 8 Jul 1997, Sean Elrington wrote: >> >> > You could try the following: >> > >> > 1. SATAN >> > 2. Internet Security Scanner (http://www.iss.net) >> > 3. Getting a port scanner like USCAN >> > >> >> 4. Ballista (http://www.secnet.com) >> >> Various companies also do penetration testing including: >> >> 1. Netcraft (http://www.netcraft.com/security) >> 2. Engarde (http://www.engarde.com) > >3. Idsec (http://www.idsec.co.uk) 4. 
Trusted Information Systems (http://www.tis.com) in USA, England and Germany 5. Articon in Germany (http://www.articon.de) 6. Apogee in France (http://www.apogee-com.fr) Regards, Peter -- Peter Dieth "The daemon is free !" Network Security Engineer Trusted Information Systems GmbH, Building A World Of Trust Stefan-George-Ring 29, 81929 Muenchen email: peterd@tis.com Voice: +49 89 993882-0 Fax: +49 89 935455 Disclaimer: The opinions expressed above are products of my own delusions and are not necessarily shared by my employer, TIS. From owner-firewalls-outgoing Wed Jul 9 01:40:13 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id BAA06870 for firewalls-outgoing; Wed, 9 Jul 1997 01:05:34 -0700 (PDT) Received: from shell4.ba.best.com (shell4.ba.best.com [206.184.139.135]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id BAA06861 for ; Wed, 9 Jul 1997 01:05:28 -0700 (PDT) Received: from localhost (aajpeter@localhost) by shell4.ba.best.com (8.8.5/8.7.3) with SMTP id BAA27257; Wed, 9 Jul 1997 01:09:23 -0700 (PDT) X-Authentication-Warning: shell4.ba.best.com: aajpeter owned process doing -bs Date: Wed, 9 Jul 1997 01:09:22 -0700 (PDT) From: "Aaron J. Peterson" X-Sender: aajpeter@shell4.ba.best.com Reply-To: "Aaron J. Peterson" To: mikech@avana.net cc: Firewalls@GreatCircle.COM Subject: Harping on dynamic DNS, was RE: Two ISP's to one DMZ In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Mike wrote: > In our customer trials, Dynamic DNS response has been under 20 minutes > (we reload the databse every 10 minutes) from a large percentage (95%) > of the net. We haven't found a production DNS server yet that didn't age > out the cache properly. [...] > Let's say for arguments sake that you don't like Dynamic DNS. 
You just > set up mutiple A records and your clients should have only a couple of > seconds (if that) delay before they hit the right IP. Do an "nslookup" > on rs.internic.net. They have 6 valid IPs for that domain name. This > takes care of the caching problem. [...end] I'm going to ignore the hit-and-miss technique, as it woud most certainly _not_ be a couple seconds or less. Every time a client hits a dead address trying to start a TCP cxn it would through the whole process of exponentially backing off and timeouts, etc.; this can be quite a long time. Then, in most cases, a manual re-request in most applications would be required to get the client to query it's local DNS server again, to get the "live" address, maybe. And that's just the client's view of things. Actually, not to belabor the point, I was really harping on the fact that doing dynamic DNS just by itself is not scalable, and is bad for the 'Net. I'm still posting this to the firewalls list because I believe it's relevant to people who are designing solutions around redundancy using NAT & address blocks from multiple providers, along with dynamic DNS. It's my opinion that one should not do so, and in general should not use dynamic DNS, yet. I will attempt to support this opinion. A "polite" ttl on a DNS record is about 1 week. This is to minimize traffic and load caused by having to go fetch new data from the source all the time. Experience has shown that DNS traffic overhead where ttl's were set low was quite significant. It's not that the servers won't obey your administrative timers (they will), or that 20 minutes is bad response time compared to BGP route stabilization times(it isn't), it's the fact that, if lots of people started using dynamic DNS, it would become a _serious_ problem of scale, just like it was with HOSTS.TXT. DNS works because: 1. it's distributed and redundant, and 2. it caches for significant periods of time, where "significant" is on the order of a week. 
You will find this statement in all of the better DNS sources: the RFCs, O'reilly, etc. Imagine the traffic increase at yahoo.com if dynamic DNS was widely adopted and their caching nameservers had to effectively re-fetch addresses for all active clients every 10-20 minutes, instead of once a week. Here, I'll do some math. Yahoo currently gets better than 30 million hits per day, 35% of which are unique. I'll graciously assume 100 bytes each per DNS query & response, ignore referral traffic, and assume that NS entries have arbitrarily long expire times. Note that adding these factors whould only highten the difference. Also, Yahoo is connected via a T3, which is ~=45Mbps. So, as constants for a day of traffic we have (in base 10 units): 30M hits * 35% unique ~= 10M hosts/day 10M queries * (200 bytes) = 2G bytes of query traffic 45Mbps/8*60*60*24 = 486G bytes/day avail. bandwidth With a ttl of 1 week used globally: period = 7 days 2G bytes /7 day period = .286G bytes/day This amounts to 0.06% of Yahoo's available bandwidth. This is reasonable. Now with a ttl of 20 minutes: _ 20 minutes * (1 day/1440 min) = 0.0138 days period = 0.0139 days 2GB / 0.0139 day period = 144G bytes/day This amounts to *30%* of Yahoo's available bandwidth just for DNS traffic. UGH! 30% of a T3! I am pretty sure my math is correct. If so, that proves my point that being dynamic and decreasing the ttl accordingly breaks the scalability of DNS. Look this over. Confirm it. Listen to our wise ARPA fathers, and feel guilty that you're causing the fall of the 'Net. ;^) This ignores the push-DNS stuff, but that has not been widely implemented yet and the technology is imperfect, to my knowledge. Properly designed push techniques would mitigate the scale impact, but to an uncertain degree. Distributed algorithms are such a bother. -- Aaron J. 
Peterson Amatuer Mathematician & Pedantic Ass From owner-firewalls-outgoing Wed Jul 9 02:29:59 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id CAA15214 for firewalls-outgoing; Wed, 9 Jul 1997 02:11:18 -0700 (PDT) Received: from nagos.lif.icnet.uk (nagos.lif.icnet.uk [143.65.1.21]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id CAA15155 for ; Wed, 9 Jul 1997 02:10:56 -0700 (PDT) Message-Id: <199707090910.CAA15155@honor.greatcircle.com> Received: by nagos.lif.icnet.uk; Wed, 9 Jul 1997 10:11:03 +0100 From: harley@nagos.lif.icnet.uk (David Harley) Subject: Re: Security sw distributed as Binaries (fwd) To: firewalls@greatcircle.com Date: Wed, 9 Jul 1997 10:11:02 +0100 (BST) X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > Does anyone know where I can find a txt or postscript copy of the lecture? > > > Bill Stout wrote: > > > > Read Ken Thompson's Turing Award Lecture, "On Trusting Trust." > Don't know of an electronic copy, but it was reprinted in "Computers Under Attack" by Peter Denning (?Addison-Wesley). 
-- David Harley \ | / alt.comp.virus FAQ D.Harley@icrf.icnet.uk \ | / & Anti-Virus Web Page Support & Security Analyst \ | / Folk London On-Line gig-list Imperial Cancer Research Fund ____\|/____ http://webworlds.co.uk/dharley/ From owner-firewalls-outgoing Wed Jul 9 02:34:47 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id CAA15490 for firewalls-outgoing; Wed, 9 Jul 1997 02:13:57 -0700 (PDT) Received: from edina.xenologics.com (edina.xenologics.com [194.77.5.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id CAA15455 for ; Wed, 9 Jul 1997 02:13:46 -0700 (PDT) Received: from www (root@xpl107.xnc.de [194.77.5.71]) by edina.xenologics.com (8.6.8.1/8.6.6) with SMTP id LAA08018 for ; Wed, 9 Jul 1997 11:17:37 +0200 Message-ID: <33C35715.6360644A@edina.xnc.com> Date: Wed, 09 Jul 1997 11:17:09 +0200 From: Guido Stepken Organization: F.S.S. X-Mailer: Mozilla 3.01Gold (X11; I; Linux 2.0.30 i586) MIME-Version: 1.0 To: firewalls@greatcircle.com Subject: Re: A New Fragmentation Attack References: <199707090143.DAA25828@lionsden.informatik.uni-muenchen.de> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Thomas Lopatic wrote: > > Windows NT 4.0 (up to Service Pack 2) hosts which are protected by a > packet filtering firewall are vulnerable to a new kind of fragmentation > attack. I'll quickly outline what it is about. You can find the details > and a short demo program at "http://www.dataprotect.com/ntfrag/". > For a more detailed explanation have a look at the WWW page. I am still > investigating whether there is some other variant of this attack which > also applies to SP3. However, up to now it is rather interesting for > academic reasons - it shows once again that packet screening and perhaps > even stateful inspection are vulnerable to attacks when the IP stack > of protected hosts does not work as expected. 
> > Have a nice day > -Thomas This is a already well known problem. With SP3 you are vulnerable again to oversized packets. cu Guido Stepken From owner-firewalls-outgoing Wed Jul 9 02:49:36 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id CAA19777 for firewalls-outgoing; Wed, 9 Jul 1997 02:35:56 -0700 (PDT) Received: from mail.vis.com.tw ([202.39.65.4]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id CAA19662 for ; Wed, 9 Jul 1997 02:35:30 -0700 (PDT) From: wcsu@mail.vis.com.tw Received: by mail.vis.com.tw(Lotus SMTP MTA v1.05 (274.9 11-27-1996)) id 482564CF.0035987F ; Wed, 9 Jul 1997 17:45:24 +0800 X-Lotus-FromDomain: VIS To: firewalls@greatcircle.com Message-ID: <482564CF.0034404F.00@mail.vis.com.tw> Date: Wed, 9 Jul 1997 17:39:05 +0800 Subject: rule orders of FW-1 Mime-Version: 1.0 Content-type: text/plain; charset=big5 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Dear all, If there are following rules for FireWall-1 Source Dest Service Action =================================================== rule1: userA@pc1 pc2 FTP User Authentication rule2: pc1 all ALL Accept If there's a FTP request from pc1 to pc2, which rule do you think it should apply? I thought it was rule1, but the log says it's rule 2. Is this a false configuration or it's FireWall-1's "bug"? 
From owner-firewalls-outgoing Wed Jul 9 03:34:33 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id DAA28000 for firewalls-outgoing; Wed, 9 Jul 1997 03:16:45 -0700 (PDT)
Received: from mailserver.di.unipi.it (memphis.di.unipi.it [131.114.4.6]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id DAA27768 for ; Wed, 9 Jul 1997 03:15:47 -0700 (PDT)
Received: from 131.114.4.36.di.unipi.it (slip1.di.unipi.it [131.114.4.80]) by mailserver.di.unipi.it (8.8.5/8.7.3) with SMTP id MAA21049; Wed, 9 Jul 1997 12:03:37 +0200 (MET DST)
Message-ID: <33C362F5.A1D@di.unipi.it>
Date: Wed, 09 Jul 1997 12:07:49 +0200
From: Claudio Telmon
Reply-To: claudio@DI.Unipi.IT
Organization: Dipartimento di Informatica, Universita' di Pisa, Italy
X-Mailer: Mozilla 3.01 (Win95; I)
MIME-Version: 1.0
To: seane@choreo.ca
CC: myelland@ferc.fed.us, Firewalls@GreatCircle.COM
Subject: Re: security check
References: <33C23D7D.3173@ferc.fed.us> <33C276CE.9501D862@intergate.bc.ca>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Sean Elrington wrote:
>
> You could try the following:
>
> 1. SATAN
> 2. Internet Security Scanner (http://www.iss.net)
> 3. Getting a port scanner like USCAN
>
> A search with Altavista should turn up sites where you can get SATAN and
> USCAN.
>

Note that none of these was designed to test a firewall. They are made for tests on hosts or networks, and they will find problems that compromise the firewall host, but won't help when you try to check if the firewall works properly and actually protects the internal network. This is a problem of traffic that goes through the firewall. On a proxy based firewall a netstat -a will tell you almost everything you need on open ports and services (only those of the proxies should be listed). A check on a packet filter can be more tricky, but the result of a scan can be even more misleading.
Scanners won't work properly if the firewall silently drops some packets. These tools also won't tell you if:
- the setup doesn't implement the security policy;
- the firewall lets packets through during the first seconds of boot;
- the firewall allows stealth scanning or dangerous ICMP packets;
- dangerous applets can reach internal browsers;
- connections from port 20 can reach internal hosts;
- spoofed packets can reach the wrong interface;
....

So IMHO if Satan can really tell you something about your firewall then you better throw the firewall out of the window ;)

No, I don't know anything that can check a firewall apart from the members of this list with full access to the firewall setup (no tiger teams ;).

ciao - Claudio

From owner-firewalls-outgoing Wed Jul 9 04:19:33 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA08242 for firewalls-outgoing; Wed, 9 Jul 1997 04:13:52 -0700 (PDT)
Received: from lionsden.informatik.uni-muenchen.de (lionsden.informatik.uni-muenchen.de [129.187.214.135]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id EAA08233 for ; Wed, 9 Jul 1997 04:13:39 -0700 (PDT)
Received: from romblon.dbs.informatik.uni-muenchen.de (romblon.dbs.informatik.uni-muenchen.de [129.187.228.9]) by lionsden.informatik.uni-muenchen.de (8.7.5/8.6.9) with SMTP id NAA05873 for ; Wed, 9 Jul 1997 13:17:18 +0200 (MESZ)
Message-Id: <199707091117.NAA05873@lionsden.informatik.uni-muenchen.de>
Received: from malaka.dbs.informatik.uni-muenchen.de by romblon.dbs.informatik.uni-muenchen.de with SMTP (1.37.109.6/16.2) id AA01139; Wed, 9 Jul 97 13:17:18 +0200
Received: by malaka.dbs.informatik.uni-muenchen.de (1.37.109.6/16.2) id AA24110; Wed, 9 Jul 97 13:17:17 +0200
From: Thomas Lopatic
Subject: Re: A New Fragmentation Attack
To: firewalls@greatcircle.com
Date: Wed, 9 Jul 1997 13:17:17 +0200 (METDST)
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

[I have been talking about how packet screens may be bypassed when Windows NT 4.0 systems are present in the secured network, Guido Stepken has answered.]

> This is an already well known problem. With SP3 you are vulnerable again
> to oversized packets.

Guido, thanks for the insight. But could you please elaborate on how the oversized packets can be used to bypass a packet screen? I'd certainly like to fix this, and presumably many others on this list would like to fix this as well.

-Thomas

--
Thomas Lopatic
lopatic@informatik.uni-muenchen.de

From owner-firewalls-outgoing Wed Jul 9 05:04:35 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA13255 for firewalls-outgoing; Wed, 9 Jul 1997 05:02:38 -0700 (PDT)
Received: from sunphil ([208.142.163.65]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id FAA13247 for ; Wed, 9 Jul 1997 05:02:25 -0700 (PDT)
Received: by sunphil (SMI-8.6/SMI-SVR4) id UAA14356; Wed, 9 Jul 1997 20:00:35 -0800
Date: Wed, 9 Jul 1997 20:00:35 -0800
From: drexx@pspi.com.ph (Drexx Laggui)
Message-Id: <199707100400.UAA14356@sunphil>
To: firewalls@greatcircle.com, fw-1-mailinglist@us.checkpoint.com
Subject: [FW-1] on PC-SKIP & high-availability
Cc: Jerald.Josephs@Ebay.Sun.COM
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello World,

Can you please help me clarify some points?

1] If the primary FW-1 v3.0 (in Paris) fails the 2ndary FW-1 v3.0 (in London) will, of course, take over. I presume the London FW-1 won't take over the IP address of the Paris FW-1 (like what happens with the Qualix HA) so I guess the corporate routers will have to be re-configured with updated routing tables. How? With a whole lot of ICMP redirects?

2] Can a M$-Windows 95 client with PC-SKIP connect to a SKIP-enabled FW-1 (remotely or locally) with full SKIP compatibility ?

Salamat po,
Drexx.

"It's a dirty job, but somebody's gotta do it." -- John Wayne
~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~
DEXTER D. LAGGUI
Systems Engineer, CSD-TSR
PHILIPPINE SYSTEMS PRODUCTS INC.
Penthouse, Corporate Business Center
150 Paseo de Roxas Ave., Legaspi Village
Makati City, Philippines
Phone: (++ 63-2) 813-6453 to 55 loc. 222
Fax  : (++ 63-2) 813-3516
Email: drexx@pspi.com.ph
Pager: (++ 63-2) 1277-33615
~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~

From owner-firewalls-outgoing Wed Jul 9 05:21:26 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA12855 for firewalls-outgoing; Wed, 9 Jul 1997 04:53:14 -0700 (PDT)
Received: from pegasus.via-net.com.br ([200.239.63.3]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id EAA12846 for ; Wed, 9 Jul 1997 04:53:08 -0700 (PDT)
Received: by pegasus.via-net.com.br with Internet Mail Service (5.0.1458.49) id <3D4SMQDV>; Wed, 9 Jul 1997 08:57:34 -0300
Message-ID: <41E07951B0E5D011BF2A0020A90D4F5C3307@pegasus.via-net.com.br>
From: Fernando Cima
To: firewalls@greatcircle.com, "'Thomas Lopatic'"
Subject: RE: A New Fragmentation Attack
Date: Wed, 9 Jul 1997 08:57:32 -0300
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1458.49)
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Thomas,

A stateful inspector could assemble the whole packet before evaluating it. This will make the protected network as vulnerable as an application-level-gateway protected one regarding this issue. Sure it would cause a performance drop and latency when dealing with fragmented packets. However, if fragments are not so common, this drop should be worth the security gain.
Cheers,

- Fernando Cima
Via Internet Informatica

> ----------
> From: Thomas Lopatic[SMTP:lopatic@dbs.informatik.uni-muenchen.de]
> Sent: Wednesday, 9 July 1997 08:17
> To: firewalls@greatcircle.com
> Subject: Re: A New Fragmentation Attack
>
> [I have been talking about how packet screens may be bypassed when
> Windows NT 4.0 systems are present in the secured network, Guido
> Stepken has answered.]
>
> > This is an already well known problem. With SP3 you are vulnerable
> > again to oversized packets.
>
> Guido, thanks for the insight. But could you please elaborate on how
> the oversized packets can be used to bypass a packet screen? I'd
> certainly like to fix this, and presumably many others on this list
> would like to fix this as well.
>
> -Thomas
>
> --
> Thomas Lopatic
> lopatic@informatik.uni-muenchen.de
>

From owner-firewalls-outgoing Wed Jul 9 05:47:23 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA15146 for firewalls-outgoing; Wed, 9 Jul 1997 05:25:51 -0700 (PDT)
Received: from emout05.mail.aol.com (emout05.mx.aol.com [198.81.11.96]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id FAA15111 for ; Wed, 9 Jul 1997 05:25:40 -0700 (PDT)
From: FRosenbloo@aol.com
Received: (from root@localhost) by emout05.mail.aol.com (8.7.6/8.7.3/AOL-2.0.0) id IAA19224 for Firewalls@greatcircle.com; Wed, 9 Jul 1997 08:29:32 -0400 (EDT)
Date: Wed, 9 Jul 1997 08:29:32 -0400 (EDT)
Message-ID: <970709082930_-292438215@emout05.mail.aol.com>
To: Firewalls@greatcircle.com
Subject: Re: Firewalls-Digest V6 #319
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Are there any security issues regarding the allowing of Java across/through a firewall configuration? Are there any recommended solutions to potential exposures in this area?
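Fernando Cima's suggestion in the fragmentation thread above, reassemble the datagram before evaluating it, as an added example that is not part of the thread and is nobody's product code. It models a datagram as bytes whose first four bytes are a constructed 16-bit source and destination port, uses byte offsets rather than IP's 8-byte fragment units, and sets a naive screen that decides on the first fragment beside one that decides only on a cleanly reassembled datagram; the fragment trains are constructed for this note.

```python
"""Added example: a screen that reassembles fragments (refusing gaps,
overlaps and oversized datagrams) before it applies a port rule, beside a
naive screen that decides on the first fragment alone. Constructed model,
not a product's code; offsets are bytes, not IP's 8-byte units."""
import struct
from dataclasses import dataclass
from typing import Iterable, List, Set

MAX_DATAGRAM = 65535   # largest IP datagram; anything longer is rejected


@dataclass(frozen=True)
class Fragment:
    offset: int    # byte offset of this piece within the original datagram
    more: bool     # the "more fragments" flag
    data: bytes


class FragmentError(ValueError):
    """Raised when a fragment train cannot be reassembled unambiguously."""


def reassemble(frags: Iterable[Fragment]) -> bytes:
    """Rebuild the datagram; refuse gaps, overlaps and oversized results.
    Overlaps are refused rather than resolved, because host IP stacks resolve
    them differently (the point of Thomas Lopatic's note above)."""
    ordered = sorted(frags, key=lambda f: f.offset)
    if not ordered:
        raise FragmentError("no fragments")
    buf = bytearray()
    end = 0
    for i, f in enumerate(ordered):
        if f.offset < end:
            raise FragmentError(f"overlap at byte {f.offset}")
        if f.offset > end:
            raise FragmentError(f"gap before byte {f.offset}")
        end = f.offset + len(f.data)
        if end > MAX_DATAGRAM:
            raise FragmentError("oversized datagram")
        is_last = i == len(ordered) - 1
        if f.more == is_last:          # MF must be set on all but the last piece
            raise FragmentError("inconsistent 'more fragments' flags")
        buf += f.data
    return bytes(buf)


def dst_port(datagram: bytes) -> int:
    """Constructed header layout: 16-bit source port, 16-bit destination port."""
    if len(datagram) < 4:
        raise FragmentError("datagram too short for a transport header")
    return struct.unpack("!HH", datagram[:4])[1]


def screen_per_fragment(frags: List[Fragment], allowed: Set[int]) -> bool:
    """Naive packet screen: checks the header in the first fragment and lets
    the remaining fragments through unexamined."""
    first = min(frags, key=lambda f: f.offset)
    try:
        return dst_port(first.data) in allowed
    except FragmentError:
        return False


def screen_reassembled(frags: List[Fragment], allowed: Set[int]) -> bool:
    """Screen that decides only on a cleanly reassembled datagram."""
    try:
        return dst_port(reassemble(frags)) in allowed
    except FragmentError:
        return False   # ambiguous or incomplete train: drop it


# Constructed sample fragment trains (not captured traffic).
HDR_TO_80 = struct.pack("!HH", 40000, 80)
CLEAN = [
    Fragment(0, True, HDR_TO_80 + b"GET /"),
    Fragment(9, False, b" HTTP/1.0\r\n"),
]
# Second fragment whose offset lies inside the first: on a host that honours
# later copies it would replace the destination-port bytes already screened.
OVERLAP = [
    Fragment(0, True, HDR_TO_80 + b"GET /"),
    Fragment(2, False, struct.pack("!H", 23) + b"junk"),
]
GAP = [
    Fragment(0, True, HDR_TO_80 + b"GET /"),
    Fragment(16, False, b"tail"),
]

if __name__ == "__main__":
    for name, train in (("clean", CLEAN), ("overlap", OVERLAP), ("gap", GAP)):
        print(name, screen_per_fragment(train, {80}), screen_reassembled(train, {80}))
```

Refusing overlaps outright, rather than keeping the first or the last copy, is the conservative choice Thomas Lopatic's observation argues for: the screen cannot know which copy the protected host's IP stack will keep. The cost is the buffering Fernando mentions, plus a timeout for trains that never complete, which this sketch leaves out.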
Fred

From owner-firewalls-outgoing Wed Jul 9 05:49:42 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA16244 for firewalls-outgoing; Wed, 9 Jul 1997 05:36:59 -0700 (PDT)
Received: from emout06.mail.aol.com (emout06.mx.aol.com [198.81.11.97]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id FAA16192 for ; Wed, 9 Jul 1997 05:36:48 -0700 (PDT)
From: FRosenbloo@aol.com
Received: (from root@localhost) by emout06.mail.aol.com (8.7.6/8.7.3/AOL-2.0.0) id IAA05020 for Firewalls@greatcircle.com; Wed, 9 Jul 1997 08:40:44 -0400 (EDT)
Date: Wed, 9 Jul 1997 08:40:44 -0400 (EDT)
Message-ID: <970709084043_-1978235844@emout06.mail.aol.com>
To: Firewalls@greatcircle.com
Subject: Re: Firewalls-Digest V6 #321
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

What are the limitations of Borderware 4.1 and what can be done to close down potential exposures from these limitations?

Thanks
Fred

From owner-firewalls-outgoing Wed Jul 9 06:05:40 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA17739 for firewalls-outgoing; Wed, 9 Jul 1997 05:47:30 -0700 (PDT)
Received: from insync.net (vellocet.insync.net [204.253.208.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id FAA17731 for ; Wed, 9 Jul 1997 05:47:22 -0700 (PDT)
Received: from houinet1.hou.moc.com (houinet1.hou.moc.com [192.70.218.1]) by insync.net (8.8.6/8.7.1) with ESMTP id HAA25718 for ; Wed, 9 Jul 1997 07:51:20 -0500 (CDT)
Received: from fdyp62120 ([89.2.21.94]) by houinet1.hou.moc.com (8.8.4/8.8.4) with SMTP id HAA13566 for ; Wed, 9 Jul 1997 07:50:49 -0500 (CDT)
Message-Id: <3.0.3.32.19970709085021.0091a380@houinet.hst.moc.com>
X-Sender: zawodny@houinet.hst.moc.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Wed, 09 Jul 1997 08:50:21 -0400
To: firewalls@GreatCircle.COM
From: "Jeremy D. Zawodny"
Subject: PGP KeyServer Communication through FW?
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The documentation for PGP (the new version 5.0) doesn't explain how public keys are sent between my PGP client and the public KeyServer. Right now, it doesn't work, and I'm pretty sure that's because of our Firewall. So, does anyone know which port/protocols/etc PGP 5.0 uses for communicating with its KeyServers?

Jeremy

From owner-firewalls-outgoing Wed Jul 9 06:19:35 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA20835 for firewalls-outgoing; Wed, 9 Jul 1997 06:06:28 -0700 (PDT)
Received: from mallow.singnet.com.sg (mallow.singnet.com.sg [165.21.1.11]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id GAA20753; Wed, 9 Jul 1997 06:06:09 -0700 (PDT)
Received: from pacific.net.sg.swiftech.com.sg (ts900-4621.singnet.com.sg [165.21.155.41]) by mallow.singnet.com.sg (8.8.5/8.8.5) with ESMTP id VAA06996; Wed, 9 Jul 1997 21:09:49 +0800 (SST)
Message-ID: <33C38CBE.D405E9B4@letterbox.com>
Date: Wed, 09 Jul 1997 21:06:06 +0800
From: Roger Goh
Reply-To: rogergoh@letterbox.com
X-Mailer: Mozilla 4.01 [en] (Win95; I)
MIME-Version: 1.0
To: firewalls@GreatCircle.COM, firewalls-digest@GreatCircle.COM
Subject: (no subject)
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

remove

From owner-firewalls-outgoing Wed Jul 9 07:00:39 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA21287 for firewalls-outgoing; Wed, 9 Jul 1997 06:09:29 -0700 (PDT)
Received: from smtp1.erols.com (smtp1.erols.com [205.252.116.101]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id GAA21262 for ; Wed, 9 Jul 1997 06:09:19 -0700 (PDT)
Received: from inskeepc.erols.com (spg-tnt-fe-1s207.erols.com [207.172.95.207]) by smtp1.erols.com (8.8.6/8.8.5) with SMTP id JAA24704; Wed,
9 Jul 1997 09:17:36 -0400 (EDT)
Message-ID: <33C38F77.6D9C@geologics.com>
Date: Wed, 09 Jul 1997 09:17:43 -0400
From: Chris Inskeep
Reply-To: inskeep_chris@geologics.com
Organization: GeoLogics Corporation
X-Mailer: Mozilla 3.01Gold (Win95; U)
MIME-Version: 1.0
To: Bill Stout
CC: firewalls@GreatCircle.COM
Subject: Re: Trustability of Security binaries
References: <2.2.32.19970708190434.008cddcc@192.168.0.37>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Bill Stout wrote:
>
> What is the general opinion on trustability of security software distributed
> as binaries? Old-timers remember an issue of trustability when software
> companies went from source to compiled distributions.
>
> Are there companies which offer different versions of firewall binaries for
> commercial vs. government use?
>
> Totally fictitious situation follows (Note: I'm not trying to start any
> rumors, this is purely imaginative, I'm not trying to insinuate any
> companies, governments or agencies):
>
> Assume someone proved that a communications software Co. 'X' was associated
> with entities strongly motivated to maintain communications monitoring.
> Let's use some publicly known examples of strong motivation and backdoors;
> Clipper chip, Key escrow, encryption export controls, weak encryption, etc.
> Let's say for the sake of argument that these public efforts failed.
> Reasonably we could say that entities involved would be smart enough to have
> some alternative plans, maybe confidential executive level agreements, or
> plans to get an engineer at 'X' 'involved'. After code goes over the
> production wall, how easy would it be for 'X' to add a subroutine awakened
> by a specific string? Or add a binary, a library, a module, a weakened proxy?
>
> O.K., for the sake of believability change your mental image of the above
> entity from a government group to amateur hacker club.
> Interesting to see
> how it's easier to believe that amateur hackers can do the above, than
> educated, motivated, full-time, fully-funded professional groups.
>
> Bill Stout
>
> P.S. - It's not paranoia if you know you're being monitored.

NSA has the concept of "trusted distribution," which is required for high assurance systems. I've worked with a couple of projects that have used various integrity mechanisms to "guarantee" the binaries, e.g., using digital signatures. Seems to me that, in general, some relatively strong integrity control is a prudent countermeasure for security software products.

I can't buy any "corporate collusion" scenario involving Government, because I've never heard a realistic one. If found out, it would destroy the company, which is a pretty good countermeasure. It would also, likely, destroy the careers of the civil servants involved. More realistic scenarios involving organized crime or cooption of an insider may exist.

In general, you're talking about a pretty sophisticated operation to be able to pull your scenario off. If it's done at the manufacturing facility, the manufacturer's QA and integrity controls should pick it up. If the package is intercepted in transit, you have to know a lot about it in advance to be sure you don't damage the software so that it won't execute. And, once the malicious code is added, the packaging would have to be restored, etc. to eliminate suspicion of tampering. There also seems to be some thought that CD-ROMs are relatively tamper-proof -- unless you just substitute the whole thing. Interception probably requires tampering with the mail, which involves some pretty heavy legal countermeasures. Seems to be a lot easier ways to achieve the same ends.

For an intelligence community operation, your interception thought is not that far off base. There was a pretty well documented case back in the cold war days of the CIA intercepting IBM mainframes bound for the USSR and making some creative modifications.
Of course, that wouldn't happen today.

Cheers!

From owner-firewalls-outgoing Wed Jul 9 07:04:42 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA00677 for firewalls-outgoing; Wed, 9 Jul 1997 06:55:42 -0700 (PDT)
Received: from gst.cgs.it ([194.21.223.3]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id GAA00321 for ; Wed, 9 Jul 1997 06:54:25 -0700 (PDT)
Received: from dviggian.gst.cgs.it ([194.21.223.230]) by gst.cgs.it (8.7.5/8.7.3) with SMTP id PAA30428 for ; Wed, 9 Jul 1997 15:25:04 +0200
Message-ID: <33C398EF.4C08@gst.cgs.it>
Date: Wed, 09 Jul 1997 15:58:07 +0200
From: Domenico Viggiani
Organization: CAP GEMINI SpA
X-Mailer: Mozilla 3.01 (Win16; I)
MIME-Version: 1.0
To: firewalls@greatcircle.com
Subject: FW-1 and IBM AIX
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm strongly interested in Checkpoint FW-1 but I need to know exactly:
- if it is available for IBM AIX OS;
- if (and how) it improves the security of the OS, 'hardening' it in some way;
- if it supports FTP connections from the external, insecure side.

These requirements are mandatory for our project.

Thanks in advance.
Best regards.
- Domenico Viggiani
Internet Systems Engineer
CAP GEMINI ITALY SpA
E-mail: dviggian@gst.cgs.it
Via dei Berio, 91 - 00155 Roma
Phone: +39 6 23190 509

From owner-firewalls-outgoing Wed Jul 9 07:36:59 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA00906 for firewalls-outgoing; Wed, 9 Jul 1997 06:57:00 -0700 (PDT)
Received: from deere3-bh.dx.deere.com (deere3-bh.dx.deere.com [207.122.201.68]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id GAA00779 for ; Wed, 9 Jul 1997 06:56:16 -0700 (PDT)
Received: (from uucp@localhost) by deere3-bh.dx.deere.com (8.6.12/8.6.11) id IAA01135; Wed, 9 Jul 1997 08:59:40 -0500
Received: from 192.43.1.3 by deere3-bh.dx.deere.com via smap (3.2) id xma000908; Wed, 9 Jul 97 08:59:12 -0500
Received: from 90.deere.com by deere (SMI-8.6/SMI-SVR4) id IAA14585; Wed, 9 Jul 1997 08:59:13 -0500
Received: from catbert.uu.deere.com by 90.deere.com (SMI-8.6/SMI-SVR4) id IAA17320; Wed, 9 Jul 1997 08:59:10 -0500
Message-ID: <33C398A0.DF588AEE@90.deere.com>
Date: Wed, 09 Jul 1997 08:56:48 -0500
From: Bertrum Carroll
Organization: Deere & Company
X-Mailer: Mozilla 4.0 [en] (Win95; I)
MIME-Version: 1.0
To: Paul Ferguson
CC: Bill Stout , firewalls@GreatCircle.COM
Subject: Re: Cisco exploits/vulnerabilities
X-Priority: 3 (Normal)
References: <3.0.3.32.19970708233704.00695b90@lint.cisco.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

It looks as if most of these attacks require access to the router console. If this is true, that's pretty good security.

Or did I miss something?
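Chris Inskeep's point in the "Trustability of Security binaries" thread above, that some relatively strong integrity control on shipped binaries is a prudent countermeasure, as an added example that is not part of the thread and not any vendor's tool: a manifest of SHA-256 hashes for a shipped tree, a fingerprint of that manifest that the vendor would publish through a second channel (or sign), and a verifier that reports modified, missing and unexpected files as well as a manifest that no longer matches its fingerprint. The code and the placeholder files (bin/fwd, lib/proxy.so) are constructed for this note; it uses hashes plus an out-of-band fingerprint rather than a public-key signature so that it runs with the Python standard library alone.

```python
"""Added example: verify a software distribution against a hash manifest whose
fingerprint arrived out of band. Constructed for this note; a stand-in for the
digital-signature based integrity controls the thread mentions."""
import hashlib
import json
import os
import shutil
import tempfile
from typing import Dict, List, Tuple


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Relative POSIX path -> SHA-256 hex digest for every file below root."""
    manifest: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def manifest_fingerprint(manifest: Dict[str, str]) -> str:
    """Hash of the canonical manifest encoding: the value a vendor would
    publish through a second channel, or cover with a signature."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def verify_distribution(root: str, manifest: Dict[str, str], expected_fingerprint: str) -> List[str]:
    """Return findings; an empty list means the tree matches the manifest and
    the manifest matches the out-of-band fingerprint."""
    findings: List[str] = []
    if manifest_fingerprint(manifest) != expected_fingerprint:
        findings.append("manifest fingerprint mismatch: manifest itself may be tampered")
    on_disk = build_manifest(root)
    for rel, digest in sorted(manifest.items()):
        if rel not in on_disk:
            findings.append(f"missing: {rel}")
        elif on_disk[rel] != digest:
            findings.append(f"modified: {rel}")
    for rel in sorted(set(on_disk) - set(manifest)):
        findings.append(f"unexpected file: {rel}")
    return findings


def make_sample_distribution() -> Tuple[str, Dict[str, str], str]:
    """Constructed sample tree standing in for a vendor's shipped files."""
    root = tempfile.mkdtemp(prefix="dist-")
    os.makedirs(os.path.join(root, "bin"))
    os.makedirs(os.path.join(root, "lib"))
    with open(os.path.join(root, "bin", "fwd"), "wb") as fh:
        fh.write(b"\x7fELF constructed placeholder binary\n")
    with open(os.path.join(root, "lib", "proxy.so"), "wb") as fh:
        fh.write(b"constructed placeholder library\n")
    manifest = build_manifest(root)
    return root, manifest, manifest_fingerprint(manifest)


def demo() -> Dict[str, List[str]]:
    """Run the verifier on a clean tree, a tampered tree, and a tampered tree
    whose manifest was rewritten to match (caught by the fingerprint)."""
    root, manifest, fingerprint = make_sample_distribution()
    try:
        clean = verify_distribution(root, manifest, fingerprint)
        # Tamper with the tree: alter one shipped file, drop in an extra module.
        with open(os.path.join(root, "lib", "proxy.so"), "ab") as fh:
            fh.write(b"extra bytes\n")
        with open(os.path.join(root, "lib", "extra.so"), "wb") as fh:
            fh.write(b"not in the manifest\n")
        tampered = verify_distribution(root, manifest, fingerprint)
        # Rewrite the manifest entry to match the altered file: the file check
        # now passes, but the out-of-band fingerprint no longer does.
        forged = dict(manifest)
        forged["lib/proxy.so"] = sha256_file(os.path.join(root, "lib", "proxy.so"))
        forged_manifest = verify_distribution(root, forged, fingerprint)
    finally:
        shutil.rmtree(root)
    return {"clean": clean, "tampered": tampered, "forged_manifest": forged_manifest}


if __name__ == "__main__":
    for case, findings in demo().items():
        print(case, findings)
```

The fingerprint check is what makes this more than a checksum file shipped alongside the software: whoever can replace files in transit can replace the manifest too, so the manifest's own hash (or its signature) has to reach the customer by a route the shipment does not control.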
From owner-firewalls-outgoing Wed Jul 9 08:05:27 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA26021 for firewalls-outgoing; Wed, 9 Jul 1997 06:36:03 -0700 (PDT)
Received: from heaton.cl.cam.ac.uk (heaton.cl.cam.ac.uk [128.232.32.11]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id GAA25964 for ; Wed, 9 Jul 1997 06:35:48 -0700 (PDT)
Received: from dean.cl.cam.ac.uk [128.232.0.105] (pb) by heaton.cl.cam.ac.uk with esmtp (Exim 1.62 #6) id 0wlwy2-0004Rv-00; Wed, 9 Jul 1997 14:39:38 +0100
X-Mailer: exmh version 2.0gamma+CL 97/01/24
X-uri:
X-face: &@N3QE9h|>f`igFCkZ'a1`z=nNLXb}k>H(79G"V?@!&*yn)uhPBctF1vc}LD'{OA%$bs X+l[wN,I^G8kKj2NFxQrr@1C4QBC]hq5-%ZkV,^Zl/qE<0`zCQ1nM+]-N<^WG[H)]?d) A:L9AFgOU[BjbaY)uBAMz}h!fm^O0#
To: "Jeremy D. Zawodny"
cc: firewalls@GreatCircle.COM
Subject: Re: PGP KeyServer Communication through FW?
In-reply-to: Your message of Wed, 09 Jul 1997 08:50:21 -0400. <3.0.3.32.19970709085021.0091a380@houinet.hst.moc.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 09 Jul 1997 14:39:36 +0100
From: Piete Brooks
Message-Id:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> So, does anyone know which port/protocols/etc PGP 5.0 uses for
> communicating with its KeyServers.
wwwkeys.pgp.net is meant to be PGP 5.0 compatible, and I installed the TXT RR

	wwwkeys.pgp.net TXT "URLs should be of the form \
	  http://wwwkeys.pgp.net:11371/pks/lookup?op=X&search=Y"
	wwwkeys.pgp.net TXT "Subdomains are eu, de, nl, us"
	wwwkeys.pgp.net TXT "HTTP keys server (as used by PGP 5.0)"

so I take it that the port is 11371

From owner-firewalls-outgoing Wed Jul 9 08:05:53 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA02773 for firewalls-outgoing; Wed, 9 Jul 1997 07:10:12 -0700 (PDT)
Received: from lint.cisco.com (lint.cisco.com [171.68.223.44]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA02763 for ; Wed, 9 Jul 1997 07:10:05 -0700 (PDT)
Received: from big-dawgs.cisco.com (herndon-dhcp-109.cisco.com [171.68.53.109]) by lint.cisco.com (8.8.5/CISCO.SERVER.1.2) with SMTP id HAA24675; Wed, 9 Jul 1997 07:14:01 -0700 (PDT)
Message-Id: <3.0.3.32.19970709101357.006d6240@lint.cisco.com>
X-Sender: pferguso@lint.cisco.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Wed, 09 Jul 1997 10:13:57 -0400
To: Bertrum Carroll
From: Paul Ferguson
Subject: Re: Cisco exploits/vulnerabilities
Cc: firewalls@GreatCircle.COM
In-Reply-To: <33C398A0.DF588AEE@90.deere.com>
References: <3.0.3.32.19970708233704.00695b90@lint.cisco.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 08:56 AM 07/09/97 -0500, Bertrum Carroll wrote:
>It looks as if most of these attacks require access to the router
>console. If this is true, that's pretty good security.
>
>Or did I miss something?
>

You missed something. :-)

Configuring protection, or conversely, opening holes, must be done from the configuration perspective. Configuring can be done from the console or from a TELNET VTY connection.
Routers are similar in nature to other computer systems, with the exception being that they are highly specialized systems tailored to the task of packet forwarding and maintaining, calculating, and propagating routing information. If they are configured incorrectly, they can be extremely vulnerable. If they are configured correctly, they can be almost (dare I say it) bulletproof.

Having said that, of course, there are denial of service attacks which can test the mettle of virtually any system, and some systems are better than others in how they respond to hostile attacks.

- paul

From owner-firewalls-outgoing Wed Jul 9 08:27:10 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA01775 for firewalls-outgoing; Wed, 9 Jul 1997 07:03:19 -0700 (PDT)
Received: from platinum.ccscns.com (cns8.bbsr.edu [198.116.91.58]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA01745 for ; Wed, 9 Jul 1997 07:03:09 -0700 (PDT)
Received: by platinum.ccscns.com with Internet Mail Service (5.0.1457.3) id <3SQR8ZAY>; Wed, 9 Jul 1997 11:07:37 -0300
Message-ID: <11CB84BC53EFD011B45600805FC1A27F2729@platinum.ccscns.com>
From: "Adams, Gavin"
To: "'Martin C. Walker'" , fw-1-mailinglist@us.checkpoint.com, firewalls@GreatCircle.COM
Subject: RE: [FW1] FW-1 DESTINATION IP Address Translation
Date: Wed, 9 Jul 1997 11:07:35 -0300
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1457.3)
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

3.0 (3.0a) can do exactly that. The new NAT features are very powerful, and allow for all kinds of nice things.

---
Gavin Adams
Senior Network Engineer
The CCS Group, Bermuda

-----Original Message-----
From: Martin C.
Walker [SMTP:martinw@epcorp.com]
Sent: Monday, July 07, 1997 11:33
To: fw-1-mailinglist@us.checkpoint.com; firewalls@GreatCircle.COM
Subject: [FW1] FW-1 DESTINATION IP Address Translation

Can anyone provide me with details on how to translate the DESTINATION IP address in a forward moving packet outbound from the firewall to the internet? Normal NAT translates only the SOURCE IP address. Ideally I'd like to translate only the destination address and leave the source as an illegal 10.* address. If this is not doable I'd need to translate both addresses.

I have Sun's version of FW-1 2.1c on Solaris 2.5.1x86. I will be going to 3.0a soon, so if it's different or not do-able on 3.* products I'd like to know that too.

TIA for the help

------------------------------------------------------------------------
Martin C. Walker    | martinw@epcorp.com   | PP-ASEL,IFR AA5-A 9908U
Project Lead        | (513)629-2517        | Blue Belt Okinawan Shuri-Ryu
Eagle-Picher Inc.   | Fax: (513)629-2449   | Porsche 911SC
580 Walnut St,      | Cincinnati, OH 45202 |

From owner-firewalls-outgoing Wed Jul 9 08:36:03 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA29965 for firewalls-outgoing; Wed, 9 Jul 1997 06:53:25 -0700 (PDT)
Received: from iproute.com (att.avana.net [205.245.133.35]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id GAA29799 for ; Wed, 9 Jul 1997 06:52:55 -0700 (PDT)
From: mikech@avana.net
Received: from att (att.iproute.com [192.168.0.4]) by iproute.com (8.8.4/8.8.4) with SMTP id KAA19656; Wed, 9 Jul 1997 10:50:38 -0400
Date: Wed, 9 Jul 1997 09:51:48 -0500
Subject: Re: Harping on dynamic DNS, was RE: Two ISP's to one DMZ
To: aajpeter@best.com, Peter da Silva
Cc: Firewalls@GreatCircle.COM
X-Mailer: Z-Mail Pro 6.1 (Win32 - 021297) Evaluation Copy, NetManage Inc.
X-Priority: 3 (Normal)
References: <9707091315.AA31730@sonic.nmti.com.nmti.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=ISO-8859-1
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

------------------------
From: Peter da Silva
Subject: Re: Harping on dynamic DNS, was RE: Two ISP's to one DMZ
Date: Wed, 9 Jul 1997 08:15:43 -0500 (CDT)
To: aajpeter@best.com
Cc: mikech@avana.net, Firewalls@GreatCircle.COM

> > Imagine the traffic increase at yahoo.com if dynamic DNS was widely
> > adopted and their caching nameservers had to effectively re-fetch
> > addresses for all active clients every 10-20 minutes, instead of once a
> > week.
>
> That would come to 100 extra bytes of data being transferred every 10 or 20
> web pages, with the average "Yahoo" web page being 10-20k long and including
> 4-5k of GIFs.
>
> Virtually every DNS lookup is associated with an actual connection, and the
> connection is associated with at least two decimal orders of magnitude more
> data than the lookup itself.
>
> > 20 minutes * (1 day/1440 min) = 0.0138 days
> > period = 0.0139 days
>
> > 2GB / 0.0139 day period = 144G bytes/day
>
> > This amounts to *30%* of Yahoo's available bandwidth just for DNS traffic.
> > UGH! 30% of a T3!
>
> > I am pretty sure my math is correct.
>
> If so, then you've got a broken assumption somewhere... because even a
> "GET HEAD /" takes more bandwidth than a DNS lookup, and that's the smallest
> request ever made from Yahoo. Or are you postulating people doing lookups
> and never getting any data?
>
---------------End of Original Message-----------------

The one thing I neglected to add to my previous post is the fact that we do updates every ten minutes. So DNS servers within an ISP would still need to pull down the new addresses every ten minutes. This is not the same thing as every ISP *client* pulling down the new IPs every ten minutes.
It is still negligible bandwidth (for the benefits received) in the great Internet scheme of things.

Mike

--
09:51:49 07/09/97
_______________________________________________________________________
Michael W. Chalkley           Tel: +1.770.823.7846
ZapNet! Inc.                  Fax: +1.770.475.7640
Suite 400-120                 E-mail: mikech@well.com
10945 State Bridge Road               mikech@avana.net
Alpharetta, GA 30202          (wireless) mikech@radiomail.net

From owner-firewalls-outgoing Wed Jul 9 08:59:58 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA25648 for firewalls-outgoing; Wed, 9 Jul 1997 06:34:00 -0700 (PDT)
Received: from iproute.com (att.avana.net [205.245.133.35]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id GAA25617 for ; Wed, 9 Jul 1997 06:33:49 -0700 (PDT)
From: mikech@avana.net
Received: from att (att.iproute.com [192.168.0.4]) by iproute.com (8.8.4/8.8.4) with SMTP id KAA19596; Wed, 9 Jul 1997 10:31:32 -0400
Date: Wed, 9 Jul 1997 08:50:04 -0500
Subject: Dynamic DNS - "The Sky is Falling!", was RE: Two ISP's to one DMZ
To: "Aaron J. Peterson" , mikech@avana.net
Cc: Firewalls@GreatCircle.COM
X-Mailer: Z-Mail Pro 6.1 (Win32 - 021297) Evaluation Copy, NetManage Inc.
X-Priority: 3 (Normal)
References:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=ISO-8859-1
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

------------------------
From: "Aaron J. Peterson"
Subject: Harping on dynamic DNS, was RE: Two ISP's to one DMZ
Date: Wed, 9 Jul 1997 01:09:22 -0700 (PDT)
To: mikech@avana.net
Cc: Firewalls@GreatCircle.COM

> I'm going to ignore the hit-and-miss technique, as it would most certainly
> _not_ be a couple seconds or less. Every time a client hits a dead
> address trying to start a TCP cxn it would go through the whole process of
> exponentially backing off and timeouts, etc.; this can be quite a long
> time.
> Then, in most cases, a manual re-request in most applications would

Sorry, but you are wrong, if the site is "destination unreachable" it only takes a second. Besides you pull down all of the DNS entries at once, not as separate queries (when you use multiple A records).

> be required to get the client to query its local DNS server again, to get
> the "live" address, maybe. And that's just the client's view of things.

I am glad you said "maybe" ;-) Run a sniffer and check the DNS packets and you will see this is not the case.

>
> Actually, not to belabor the point, I was really harping on the fact that
> doing dynamic DNS just by itself is not scalable, and is bad for the 'Net.

Did you say the same thing when people started using the WWW ;-)? I hear this from the old netheads (no offense) every time someone uses the Internet in a new way. They say, "The sky is falling, the Internet will fail by July 4th!!!!". I am afraid that you are going to be disappointed. See the following RFCs:

RFC 2065  Domain Name System Security Extensions, by D. Eastlake, 3rd and C. Kaufman. Digital signatures for data integrity and authentication in the DNS. Jan-1997
RFC 2136  Dynamic Updates in the Domain Name System (DNS UPDATE), by P. Vixie (editor), S. Thomson, Y. Rekhter and J. Bound. Atomic record-level addition and deletion of DNS information: WINS done properly. Apr-1997
RFC 2137  Secure Domain Name System Dynamic Update, by D. Eastlake 3rd. Security for dynamic updates. Apr-1997

There just aren't enough IPs to go around. There had to be a new solution and IPv6, while it is a great idea, just isn't as feasible as Dynamic-DNS. BTW, I *love* IPv6, no flames please.

>
> I'm still posting this to the firewalls list because I believe it's
> relevant to people who are designing solutions around redundancy using NAT
> & address blocks from multiple providers, along with dynamic DNS. It's my
> opinion that one should not do so, and in general should not use dynamic
> DNS, yet.
I will attempt to support this opinion. I agree, though your logic is a bit fractured ;-) > > A "polite" ttl on a DNS record is about 1 week. This is to minimize > traffic and load caused by having to go fetch new data from the source all > the time. Experience has shown that DNS traffic overhead where ttl's were > set low was quite significant. > > It's not that the servers won't obey your administrative timers (they > will), or that 20 minutes is bad response time compared to BGP route > stabilization times(it isn't), it's the fact that, if lots of people > started using dynamic DNS, it would become a _serious_ problem of scale, > just like it was with HOSTS.TXT. > Well, this is a change. In your previous post you stated: ------------------------ From: "Aaron J. Peterson" Subject: RE: Two ISP's to one DMZ Date: Tue, 8 Jul 1997 00:53:17 -0700 (PDT) >>> So, dynamic NAT + dynamic DNS, IMNSHO, is a poor solution due to the >>> connectivity loss during the time required to allow all the caches of all >>> the not-quite-bleeding-edge DNS servers to expire. So now it isn't cache latency, it is bandwidth that you say is the problem. > DNS works because: 1. it's distributed and redundant, and 2. it caches for > significant periods of time, where "significant" is on the order of a > week. You will find this statement in all of the better DNS sources: > the RFCs, O'Reilly, etc. > I agree that pushing the caching down to the local DNS server is good, but the resources used by Dynamic DNS aren't significant (see why below). > Imagine the traffic increase at yahoo.com if dynamic DNS was widely > adopted and their caching nameservers had to effectively re-fetch > addresses for all active clients every 10-20 minutes, instead of once a > week. Here, I'll do some math. Yahoo currently gets better than 30 > million hits per day, 35% of which are unique.
I'll graciously assume 100 > bytes each per DNS query & response, ignore referral traffic, and assume > that NS entries have arbitrarily long expire times. Note that adding these > factors would only heighten the difference. Also, Yahoo is connected via > a T3, which is ~=45Mbps. > > > This amounts to *30%* of Yahoo's available bandwidth just for DNS traffic. > UGH! 30% of a T3! > > I am pretty sure my math is correct. If so, that proves my point that > being dynamic and decreasing the ttl accordingly breaks the scalability of > DNS. Look this over. Confirm it. Listen to our wise ARPA fathers, and > feel guilty that you're causing the fall of the 'Net. ;^) > Your math is correct but there are two flaws in the support behind it. 1. You are assuming that everyone is a Yahoo. Do you think a client the size of Yahoo is going to use Dynamic DNS (if you are listening Yahoo, give us a call, I can do a great deal on Dynamic DNS enabled Firewalls, are you there??? Anyone?)? We are talking about sites without a fixed IP, that's why you use dynamic DNS. I think Yahoo can afford a fixed IP. 2. Let's assume that you meant that they use it for redundancy in case of link failure (my original argument). Do the math again, but this time show Yahoo as being down for 19 hours out of six months (a reasonable figure, just ask AOL ;-) and users having to query DNS again *only* during the 19 hours. I think you will see the bandwidth increase is negligible. > This ignores the push-DNS stuff, but that has not been widely implemented > yet and the technology is imperfect, to my knowledge. Properly designed > push techniques would mitigate the scale impact, but to an uncertain > degree. Distributed algorithms are such a bother. > Dynamic DNS scales much better. You also did not defend BGP. What do you do if it is not available from your ISP? Can you force them to offer it? The following question is still confusing me!
*****How do you route IPs from one ISP's CIDR through another ISP???******** I really don't know? Anyone out there that can shine some light on this subject? > -- > Aaron J. Peterson > Amateur Mathematician & Pedantic Ass > ---------------End of Original Message----------------- I agree it is not a perfect solution, but BGP is not universally available. If you want a solution that works, and is available today, use Dynamic DNS. It doesn't preclude you from using BGP when it becomes available. Mike Argumentative Greek and Internet Crash Dummy -- 08:50:05 07/09/97 _______________________________________________________________________ Michael W. Chalkley Tel: +1.770.823.7846 ZapNet! Inc. Fax: +1.770.475.7640 Suite 400-120 E-mail: mikech@well.com 10945 State Bridge Road mikech@avana.net Alpharetta, GA 30202 (wireless) mikech@radiomail.net From owner-firewalls-outgoing Wed Jul 9 09:45:52 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA22407 for firewalls-outgoing; Wed, 9 Jul 1997 06:17:59 -0700 (PDT) Received: from mail.baileynm.com (fw.baileynm.com [206.109.159.11]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id GAA21659 for ; Wed, 9 Jul 1997 06:11:26 -0700 (PDT) Received: (qmail 2329 invoked from smtpd); 9 Jul 1997 13:14:57 -0000 Received: from web.nmti.com (root@198.178.0.201) by fw.nmti.com with SMTP; 9 Jul 1997 13:14:57 -0000 Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id IAA24345; Wed, 9 Jul 1997 08:14:57 -0500 Received: by sonic.nmti.com; id AA31730; Wed, 9 Jul 1997 08:15:43 -0500 From: peter@baileynm.com (Peter da Silva) Message-Id: <9707091315.AA31730@sonic.nmti.com.nmti.com> Subject: Re: Harping on dynamic DNS, was RE: Two ISP's to one DMZ To: aajpeter@best.com Date: Wed, 9 Jul 1997 08:15:43 -0500 (CDT) Cc: mikech@avana.net, Firewalls@GreatCircle.COM In-Reply-To: from "Aaron J.
Peterson" at Jul 9, 97 01:09:22 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Imagine the traffic increase at yahoo.com if dynamic DNS was widely > adopted and their caching nameservers had to effectively re-fetch > addresses for all active clients every 10-20 minutes, instead of once a > week. That would come to 100 extra bytes of data being transferred every 10 or 20 web pages, with the average "Yahoo" web page being 10-20k long and including 4-5k of GIFs. Virtually every DNS lookup is associated with an actual connection, and the connection is associated with at least two decimal orders of magnitude more data than the lookup itself. > 20 minutes * (1 day/1440 min) = 0.0138 days > period = 0.0139 days > 2GB / 0.0139 day period = 144G bytes/day > This amounts to *30%* of Yahoo's available bandwidth just for DNS traffic. > UGH! 30% of a T3! > I am pretty sure my math is correct. If so, then you've got a broken assumption somewhere... because even a "GET HEAD /" takes more bandwidth than a DNS lookup, and that's the smallest request ever made from Yahoo. Or are you postulating people doing lookups and never getting any data?
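The three posts above (Aaron's quoted T3 arithmetic, Mike's "only during the 19 hours" rebuttal, and Peter's lookup-versus-page ratio) all argue over the same handful of numbers. The following is an added example, not code from any of the posters, that carries those numbers through as a small model so each argument can be checked side by side. The inputs are the figures stated in the thread (30 million hits/day, 35% unique, about 100 bytes per DNS message, a 20-minute TTL, a 45 Mbps T3). Assumed here and not stated in the thread: a lookup costs 200 bytes on the wire (query plus response), "six months" is 182.5 days, and a "week" TTL is 7 days.

```python
"""Model the DNS re-resolution overhead argued about in this thread.

Added example; numbers from the posts, assumptions marked in comments.
"""
from dataclasses import dataclass, replace

SECONDS_PER_DAY = 86_400
MINUTES_PER_DAY = 1_440


@dataclass(frozen=True)
class Site:
    hits_per_day: float
    unique_fraction: float     # share of hits that are distinct clients
    bytes_per_lookup: int      # DNS query + response, both directions (assumed 200)
    ttl_minutes: float         # TTL on the site's A record(s)
    link_bps: float            # capacity of the site's uplink

    @property
    def unique_clients(self) -> float:
        return self.hits_per_day * self.unique_fraction


def lookups_per_day(site: Site) -> float:
    """Aaron's model: every unique client re-resolves once per TTL period,
    all day long, whether or not it is still browsing."""
    periods_per_day = MINUTES_PER_DAY / site.ttl_minutes
    return site.unique_clients * periods_per_day


def dns_bps(site: Site) -> float:
    """Average DNS traffic in bits per second under Aaron's model."""
    return lookups_per_day(site) * site.bytes_per_lookup * 8 / SECONDS_PER_DAY


def link_fraction(site: Site) -> float:
    """Share of the uplink consumed by DNS under Aaron's model."""
    return dns_bps(site) / site.link_bps


def failover_fraction(site: Site, outage_hours: float, window_days: float) -> float:
    """Mike's model: the short TTL exists for failover, so the extra lookups
    only happen while the primary link is down.  Scale the steady-state
    overhead by the fraction of the window spent in outage."""
    outage_share = outage_hours / (window_days * 24)
    return link_fraction(site) * outage_share


def dns_to_payload_ratio(site: Site, page_bytes: int) -> float:
    """Peter's point: one lookup precedes a connection that moves far more
    data than the lookup itself."""
    return site.bytes_per_lookup / page_bytes


def compare_ttls(site: Site, ttl_minutes_options) -> dict:
    """Link fraction for each candidate TTL, everything else unchanged."""
    return {ttl: link_fraction(replace(site, ttl_minutes=ttl))
            for ttl in ttl_minutes_options}


# Figures quoted in the thread for Yahoo in 1997, with the assumptions above.
YAHOO_1997 = Site(hits_per_day=30e6, unique_fraction=0.35,
                  bytes_per_lookup=200, ttl_minutes=20, link_bps=45e6)

if __name__ == "__main__":
    print(f"Aaron's model: {link_fraction(YAHOO_1997):.1%} of the T3")
    print(f"Mike's failover model (19 h in 182.5 days): "
          f"{failover_fraction(YAHOO_1997, 19, 182.5):.3%} of the T3")
    print(f"Peter's ratio, 15 kB page: {dns_to_payload_ratio(YAHOO_1997, 15_000):.2%}")
    print("link fraction by TTL:", compare_ttls(YAHOO_1997, (20, 7 * MINUTES_PER_DAY)))
```

Under Aaron's assumptions the model reproduces his roughly 30% of a T3; the same assumptions give a fraction of a tenth of a percent when the short TTL only matters during 19 hours of outage in six months, and a 200-byte lookup is about 1.3% of a 15 kB page. The model is deliberately pessimistic in the same way Aaron's was (every unique daily visitor re-resolves all day), so it bounds the cost from above.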
From owner-firewalls-outgoing Wed Jul 9 09:51:41 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA10026 for firewalls-outgoing; Wed, 9 Jul 1997 07:47:54 -0700 (PDT) Received: from w3.ci.chi.il.us (www.ci.chi.il.us [199.177.48.72]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id HAA09983 for ; Wed, 9 Jul 1997 07:47:41 -0700 (PDT) Received: by w3.ci.chi.il.us (SMI-8.6/SMI-SVR4) id JAA00998; Wed, 9 Jul 1997 09:45:08 -0500 From: minaba@ci.chi.il.us (Mark Inaba) Message-Id: <199707091445.JAA00998@w3.ci.chi.il.us> Subject: request for data general security sources To: firewalls@GreatCircle.COM Date: Wed, 9 Jul 1997 09:45:08 -0500 (CDT) X-Mailer: ELM [version 2.4 PL25] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Are there any mailing lists that cover security issues for Data General Unix boxes? -Mark From owner-firewalls-outgoing Wed Jul 9 11:20:47 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA06775 for firewalls-outgoing; Wed, 9 Jul 1997 10:17:54 -0700 (PDT) Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id KAA05210 for ; Wed, 9 Jul 1997 10:10:44 -0700 (PDT) From: Elit3Cr4sh@aol.com Received: from emout01.mail.aol.com (emout01.mx.aol.com [198.81.11.92]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with ESMTP id JAA02649 for ; Wed, 9 Jul 1997 09:49:46 -0700 (PDT) Received: (from root@localhost) by emout01.mail.aol.com (8.7.6/8.7.3/AOL-2.0.0) id MAA00840; Wed, 9 Jul 1997 12:47:18 -0400 (EDT) Date: Wed, 9 Jul 1997 12:47:18 -0400 (EDT) Message-ID: <970709124715_-191816329@emout01.mail.aol.com> To: myelland@ferc.fed.us cc: Firewalls@greatcircle.com Subject: Re: security check Sender: firewalls-owner@GreatCircle.COM Precedence: bulk you could try a program called 'SATAN' (
System Administrative tool for analyzing network ) for testing the strength of a UNIX machine. if you have any more q or want satan email me From owner-firewalls-outgoing Wed Jul 9 11:27:07 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA02978 for firewalls-outgoing; Wed, 9 Jul 1997 09:59:49 -0700 (PDT) Received: from main.geminisecure.com (main.geminisecure.com [205.179.16.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id JAA02918 for ; Wed, 9 Jul 1997 09:59:37 -0700 (PDT) Received: (from leonard@localhost) by main.geminisecure.com (8.6.9/8.6.9) id KAA04735; Wed, 9 Jul 1997 10:03:27 -0700 Date: Wed, 9 Jul 1997 10:03:26 -0700 (PDT) From: Leonard Miyata To: Chris Inskeep cc: firewalls@GreatCircle.COM Subject: Re: Trustability of Security binaries In-Reply-To: <33C38F77.6D9C@geologics.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In the telephone switching industry, there was the recent law that requires a digital 'wire tap' port on the equipment. With load balancing digital connections, a phone conversation can easily be routed via multiple independent routes, making a wire tap at any single hub useless. With the telephony trend to merge phone and network communications into a single network, there exists the real possibility that built-in provisions can be misused by people with the inside knowledge. Personal Opinions provided by Leonard Miyata aka leonard@geminisecure.com GEMINI COMPUTERS INC. On Wed, 9 Jul 1997, Chris Inskeep wrote: > I can't buy any "corporate collusion" scenario involving Government, > because I've never heard a realistic one. If found out, it would > destroy the company, which is a pretty good countermeasure. It would > also, likely, destroy the careers of the civil servants involved.
> From owner-firewalls-outgoing Wed Jul 9 11:27:25 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA01825 for firewalls-outgoing; Wed, 9 Jul 1997 09:52:17 -0700 (PDT) Received: from diablo.intergate.bc.ca (diablo.intergate.bc.ca [207.34.179.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id JAA01764 for ; Wed, 9 Jul 1997 09:51:58 -0700 (PDT) Received: from seane (van-as-09c04.direct.ca [204.174.245.36]) by diablo.intergate.bc.ca (8.8.5/8.6.9) with ESMTP id KAA18941; Wed, 9 Jul 1997 10:03:08 -0700 (PDT) Message-ID: <33C3C097.2EE1B40D@intergate.bc.ca> Date: Wed, 09 Jul 1997 09:47:20 -0700 From: Sean Elrington Reply-To: seane@choreo.ca Organization: Choreo Systems X-Mailer: Mozilla 4.01 [en] (Win95; I) MIME-Version: 1.0 To: FRosenbloo@aol.com CC: Firewalls@GreatCircle.COM Subject: Java Security through a firewall X-Priority: 3 (Normal) References: <970709082930_-292438215@emout05.mail.aol.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk FRosenbloo@aol.com wrote: > Are there any security issues regarding the allowing of Java > across/through a > firewall configuration? Are there any recommended solutions to > potential > exposures in this area? > > Fred For a good discussion of Java security issues you could read "Java Security: Hostile Applets, Holes and Antidotes" by Gary McGraw and Edward Felten as well as the Java Security FAQs at Sun. There certainly are denial of service implications and hostile applets can pose a threat to corporate desktops. (More scary still is ActiveX - but that's another topic). Possible solutions: 1. Educate your users about the threat of Java and show them how to disable it in their browsers when they are visiting an untrusted site. 2. On the firewall block .class files in the http data stream. 3. Look at a product like Finjan (http://www.finjan.com) which protects desktops 4.
Consider not using Internet Explorer until they put in better ActiveX protection. 5. Block HTTP access through the firewall to limit it to a finite universe of trusted sites. I am sure other readers of the list will have more recommendations.... -- Sean Elrington Sales Systems Engineer Choreo Systems - Vancouver Tel: (604) 737-3993 www.choreosystems.com seane@choreo.ca ----------------------------------------------------------- Firewalls, security tools, public key encryption TCP/IP, X.11, NFS Messaging and directory software ----------------------------------------------------------- From owner-firewalls-outgoing Wed Jul 9 11:35:12 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA18921 for firewalls-outgoing; Wed, 9 Jul 1997 11:28:11 -0700 (PDT) Received: from exosecure.exodus.net (exosecure.exodus.net [209.1.10.206]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id LAA18892 for ; Wed, 9 Jul 1997 11:27:53 -0700 (PDT) Received: from exoserv.exodus.net by exosecure.exodus.net via smtpd (for honor.greatcircle.com [198.102.244.44]) with SMTP; 9 Jul 1997 18:31:50 UT Received: from exodus-28.exodus.net (exodus-28.exodus.net [206.79.224.28]) by exoserv.exodus.net (8.7.5/8.6.9) with SMTP id SAA19066 for ; Wed, 9 Jul 1997 18:06:48 -0700 Received: by exodus-28.exodus.net with Microsoft Mail id <01BC8C59.88122600@exodus-28.exodus.net>; Wed, 9 Jul 1997 11:16:22 -0700 Message-ID: <01BC8C59.88122600@exodus-28.exodus.net> From: Felix Fong To: "firewalls@GreatCircle.COM" Subject: pptp... Date: Wed, 9 Jul 1997 11:16:18 -0700 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Does anyone know what port PPTP uses? Thanks, Felix Fong Systems Administrator Exodus Communications, Inc.
1605 Wyatt Drive Santa Clara, CA 95054 408.486.5078 voice ffong@exodus.net http://www.exodus.net From owner-firewalls-outgoing Wed Jul 9 11:40:20 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA14778 for firewalls-outgoing; Wed, 9 Jul 1997 10:55:06 -0700 (PDT) Received: from f30.hotmail.com (F30.hotmail.com [207.82.250.41]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id KAA14769 for ; Wed, 9 Jul 1997 10:55:00 -0700 (PDT) Received: (from root@localhost) by f30.hotmail.com (8.7.5/8.7.3) id KAA29311; Wed, 9 Jul 1997 10:59:01 -0700 (PDT) Message-Id: <199707091759.KAA29311@f30.hotmail.com> Received: from 128.126.184.139 by www.hotmail.com with HTTP; Wed, 09 Jul 1997 10:59:01 PDT X-Originating-IP: [128.126.184.139] From: "Robert Thompson" To: fw-1-mailinglist@us.checkpoint.com;, firewalls@GreatCircle.COM Cc: thompsrj@hotmail.com Subject: Changing IP addresses behind a FW Content-Type: text/plain Date: Wed, 09 Jul 1997 10:59:01 PDT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Greetings, We are getting ready to implement the Sun FW-1 v3.0 and the discussion has come up concerning whether there is any benefit to changing the IP addresses behind the fw. My thought is that since the infrastructure IP addresses have been known to the public, this would allow PING, UDP, RCP, ICMP services as possible entry points for an attacker, esp. knowing the IP addresses. Am I way off base here? Your thoughts are appreciated. 
TIA, Robb _______________________________________________________ Get Private Web-Based Email Free http://www.hotmail.com From owner-firewalls-outgoing Wed Jul 9 12:23:39 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA18376 for firewalls-outgoing; Wed, 9 Jul 1997 11:24:14 -0700 (PDT) Received: from scifi.squawk.com (scifi.squawk.com [199.74.151.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id LAA18352 for ; Wed, 9 Jul 1997 11:24:02 -0700 (PDT) Received: from localhost (njs@localhost) by scifi.squawk.com (8.8.5/8.8.5) with SMTP id OAA18235; Wed, 9 Jul 1997 14:27:11 -0400 Date: Wed, 9 Jul 1997 14:27:11 -0400 (EDT) From: Nick Simicich X-Sender: njs@scifi To: Bertrum Carroll cc: Paul Ferguson , Bill Stout , firewalls@GreatCircle.COM Subject: Re: Cisco exploits/vulnerabilities In-Reply-To: <33C398A0.DF588AEE@90.deere.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Wed, 9 Jul 1997, Bertrum Carroll wrote: > It looks as if most of these attacks require access to the router > console. If this is true, that's pretty good security. > > Or did I miss something? Like, maybe, lots of people put modems on their Cisco consoles so that they can fix their routers remotely? Of course my password is the same as my pet's name. My macaw's name was Q47pY!3, but I change it every 90 days. Nick Simicich mailto:njs@scifi.squawk.com or (last choice) mailto:njs@us.ibm.com http://scifi.squawk.com/njs.html -- Stop by and Light Up The World! 
From owner-firewalls-outgoing Wed Jul 9 12:25:55 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA14950 for firewalls-outgoing; Wed, 9 Jul 1997 10:57:05 -0700 (PDT) Received: from iproute.com (att.avana.net [205.245.133.35]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id KAA14941 for ; Wed, 9 Jul 1997 10:56:57 -0700 (PDT) From: mikech@avana.net Received: from att (att.iproute.com [192.168.0.4]) by iproute.com (8.8.4/8.8.4) with SMTP id OAA20355; Wed, 9 Jul 1997 14:54:21 -0400 Date: Wed, 9 Jul 1997 13:33:13 -0500 Subject: Re: Harping on dynamic DNS, was RE: Two ISP's to one DMZ To: "Mark Horn [ Net Ops ]" Cc: Firewalls@GreatCircle.COM X-Mailer: Z-Mail Pro 6.1 (Win32 - 021297) Evaluation Copy, NetManage Inc. X-Priority: 3 (Normal) References: <19970709111524.42875@capmark.funb.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=ISO-8859-1 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk ------------------------ From: "Mark Horn [ Net Ops ]" Subject: Re: Harping on dynamic DNS, was RE: Two ISP's to one DMZ Date: Wed, 9 Jul 1997 11:15:24 -0400 To: "Aaron J. Peterson" Cc: mikech@avana.net, Firewalls@GreatCircle.COM >I am a proponent of using BGP in preference to Dynamic DNS + NAT. But I >don't agree with your math. Before I go any further, I want to state that I do like BGP and would use it where available. Now, when I said 24 hours for convergence, I didn't state the test criteria. Here they are: 1. We had to get portable IPs. Most available from an ISP are not, especially in C or B blocks. DNS does not work without portable IPs under BGP. 2. We were using two *different* ISPs. Not two routers to the same ISP. It doesn't help your redundancy if you only have one ISP. 3. We tried accessing the Test Subject's router from 7 different national ISPs. The longest update time was 24 hours. This could be due to the fact that most ISPs do not accept route updates as they should. 4.
We experienced the same connectivity problems when the routes came back up. >I see a more compelling reason to use BGP over Dynamic DNS + NAT. And >that reason is convergence. I read in your post that you've seen 20 >minute convergence in BGP. That has not been our experience. We did >quite a bit of testing prior to deciding that we were going to use BGP. >In our tests, we found that convergence time around a network outage >averaged about 6 seconds (as fast as 2 seconds and as slow as 20 >seconds). And this was mostly the time that the router took to notice >that its interface was down. We didn't have quick enough instrumentation >to determine the actual convergence time in the routing protocol alone >(i.e. without including the time for the router to notice the outage in >the interface). >For that same network coming back on line, it's a bit slower. BGP seemed >to converge in a few minutes - as quickly as 2 minutes and as slowly as >10. Was this between two different ISPs, or on your own internal WAN? Can you tell me which ISPs allow BGP peering? >Based on these results, the worst case scenario for BGP is twice as fast >as Dynamic DNS + NAT. I would love to hear more data about BGP >convergence from others who are using it. I would also like to compile a list of BGP friendly ISPs. >-- >Mark Horn >PGP Public Key available from: http://www.es.net/hypertext/pgp.html >PGP KeyID/fingerprint: 00CBA571/32 4E 4E 48 EA C6 74 2E 25 8A 76 E6 04 A1 7F C1 ---------------End of Original Message----------------- Mike -- 13:33:13 07/09/97 _______________________________________________________________________ Michael W. Chalkley Tel: +1.770.772.4567 ZapNet! Inc.
Fax: +1.770.475.7640 Suite 400-120 E-mail: mikech@iproute.com 10945 State Bridge Road mikech@avana.net Alpharetta, GA 30202 http://www.iproute.com From owner-firewalls-outgoing Wed Jul 9 13:05:14 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA18725 for firewalls-outgoing; Wed, 9 Jul 1997 11:26:31 -0700 (PDT) Received: from oblivion.esgroup.net (oblivion.esgroup.net [207.194.190.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id LAA18707 for ; Wed, 9 Jul 1997 11:26:23 -0700 (PDT) Received: from oblivion.esgroup.net (tbaur@oblivion.esgroup.net [207.194.190.2]) by oblivion.esgroup.net (8.8.6/8.8.6) with SMTP id LAA06886; Wed, 9 Jul 1997 11:30:26 -0700 (PDT) Date: Wed, 9 Jul 1997 11:30:25 -0700 (PDT) From: Tim Baur To: firewalls@greatcircle.com cc: efb@suned1.nswses.navy.mil, kenny@exchange.vig.com.tw, axelque@suncomp.compusep.com Subject: Welcome to firewalls (fwd) Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I see it's time to send this out again. - From: Majordomo@GreatCircle.COM To: tbaur@esgroup.net Subject: Welcome to firewalls Welcome to the firewalls mailing list! Please save this message for future reference. Thank you. If you ever want to remove yourself from this mailing list, you can send mail to with the following command in the body of your email message: unsubscribe firewalls John Doe If you ever need to get in contact with the owner of the list, (if you have trouble unsubscribing, or have questions about the list itself) send email to . This is the general rule for most mailing lists when you need to contact a human.
From owner-firewalls-outgoing Wed Jul 9 13:25:37 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA16197 for firewalls-outgoing; Wed, 9 Jul 1997 08:38:02 -0700 (PDT) Received: from dskfw1.funb.com ([205.152.122.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA16114 for ; Wed, 9 Jul 1997 08:37:35 -0700 (PDT) Received: (from uucp@localhost) by dskfw1.funb.com (8.8.5/8.8.5) id LAA07369; Wed, 9 Jul 1997 11:41:20 -0400 (EDT) Received: from cm_mailhost.capmark.funb.com(168.175.82.50) by dskfw1.funb.com via smap (3.2) id xma007364; Wed, 9 Jul 97 11:40:59 -0400 Received: from funws302.capmark.funb.com (funws302 [168.175.7.54]) by cm_mailhost.capmark.funb.com (8.7.5/8.7.3) with ESMTP id LAA12960; Wed, 9 Jul 1997 11:40:57 -0400 (EDT) Received: (mhorn@localhost) by funws302.capmark.funb.com (8.6.12/8.6.12) id LAA21996; Wed, 9 Jul 1997 11:40:56 -0400 Message-ID: <19970709114056.13725@capmark.funb.com> Date: Wed, 9 Jul 1997 11:40:56 -0400 From: "Mark Horn [ Net Ops ]" To: mikech@avana.net Cc: "Aaron J. Peterson" , Firewalls@GreatCircle.COM Subject: Re: Two ISP's to one DMZ References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.75 In-Reply-To: ; from mikech@avana.net on Tue, Jul 08, 1997 at 02:08:41PM -0500 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk mikech@avana.net says: >In our customer trials, Dynamic DNS response has been under 20 minutes (we >reload the database every 10 minutes) from a large percentage (95%) of the net. >We haven't found a production DNS server yet that didn't age out the cache >properly. However, we have seen route update times of 24 hours or more in >about 75 percent of the cases under BGP (if not total failure due to the old >route not being removed). In BGP terms, this is called convergence.
The tests that I've run here show that BGP converges around a network outage in a few seconds (it averaged about 6 seconds, but was as fast as 2 and as slow as 20). It converges around a network coming back online in a few minutes (the average was about 2 minutes but was as slow as 10 minutes). I have never seen a case where a BGP update on the Internet took more than a few minutes to converge. I have seen several cases where a provider does not make the change except during a specified change control window. And that sometimes takes as long as 24 hours to happen. But that's only because the provider is doing the BGP. If I'm doing my own BGP, convergence times are very small. I'd love to hear more data about BGP convergence from people who are using BGP ... pferguso@cisco.com? >Most routers are definitely not up to updating a >route through BGP. Besides, how are you going to switch between CIDRs? If I am >using a Sprint Class B or C IP block how am I going to route it through MCI? Both of these issues are legitimate. BGP gobbles memory, especially if you're getting full Internet routes. BGP also requires that you have portable address space - a rare commodity. Having only looked at it superficially, dynamic DNS + NAT seems like a workable solution when BGP isn't available. But if BGP is available, it seems better. And that's simply on a performance basis. BGP also provides policy setting that DNS doesn't. 
-- Mark Horn PGP Public Key available from: http://www.es.net/hypertext/pgp.html PGP KeyID/fingerprint: 00CBA571/32 4E 4E 48 EA C6 74 2E 25 8A 76 E6 04 A1 7F C1 From owner-firewalls-outgoing Wed Jul 9 13:35:29 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA19337 for firewalls-outgoing; Wed, 9 Jul 1997 11:31:34 -0700 (PDT) Received: from jet.laker.net (jet.laker.net [205.245.74.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id LAA19199 for ; Wed, 9 Jul 1997 11:30:52 -0700 (PDT) Received: from camarillo (digital-fll-190.laker.net [205.245.75.90]) by jet.laker.net (8.8.5/8.7.3) with SMTP id OAA03284; Wed, 9 Jul 1997 14:37:26 -0400 Message-Id: <3.0.2.32.19970709143909.0072d6c8@9.1.1.1> X-Sender: fdarden#mail.laker.net@9.1.1.1 X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.2 (32) Date: Wed, 09 Jul 1997 14:39:09 -0400 To: Domenico Viggiani , firewalls@GreatCircle.COM From: Frank Darden Subject: Re: FW-1 and IBM AIX In-Reply-To: <33C398EF.4C08@gst.cgs.it> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Although you can run AIX machines behind FW-1, it currently will not run on AIX. Look for an IBM OEM'ed version of FW-1 towards the end of the year. At 03:58 PM 7/9/97 +0200, Domenico Viggiani wrote: >I'm strongly interested in Checkpoint FW-1 but I need to know exactly: >- if it is available for IBM AIX OS; >- if (and how) it improves the security of OS, 'hardening' it in some >way; >- if it supports FTP connections from external, unsecure side. > >These requirements are mandatory for our project. > >Thanks in advance. >Best regards.
> >- > >Domenico Viggiani Internet Systems Engineer >CAP GEMINI ITALY SpA E-mail: dviggian@gst.cgs.it >Via dei Berio, 91 - 00155 Roma Phone: +39 6 23190 509 > http://www.locked.com From owner-firewalls-outgoing Wed Jul 9 13:50:03 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA18303 for firewalls-outgoing; Wed, 9 Jul 1997 11:23:48 -0700 (PDT) Received: from [207.113.5.65] (compaq1.lucentncg.com [207.113.5.65]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id LAA18279 for ; Wed, 9 Jul 1997 11:23:39 -0700 (PDT) Received: from ncg1.lucentncg.com ([172.20.1.10]) by [207.113.5.65] via smtpd (for honor.greatcircle.com [198.102.244.44]) with SMTP; 9 Jul 1997 18:32:19 UT Received: by ncg1.lucentncg.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BC8C69.A6CB3040@ncg1.lucentncg.com>; Wed, 9 Jul 1997 13:11:45 -0500 Message-ID: From: "Davis, Rob" To: "'Domenico Viggiani'" Cc: "'firewalls@GreatCircle.COM'" Subject: RE: FW-1 and IBM AIX Date: Wed, 9 Jul 1997 13:11:08 -0500 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >> if (and how) it [CheckPoint] improves the security of OS, 'hardening' it in some way For information about CheckPoint security take a look at CheckPoint's OPSEC framework described below: Check Point's Open Platform for Secure Enterprise Connectivity [OPSEC] is a single platform that integrates and manages all aspects of network security through an open, extensible management framework. 
Third party security applications can plug into the OPSEC framework via published application programming interfaces (APIs) http://www.checkpoint.com/opsec/fopsec.html Haystack Labs makes a product called WebStalker-Pro that gives static security applications the ability to dynamically increase security levels in response to network attacks. Their product works with CheckPoint's OPSEC framework, and I believe it is available for IBM AIX. http://www.haystack.com >> - if it supports FTP connections from external, unsecure side. CheckPoint can support FTP from outside the firewall, but there are also additional security concerns that have to be addressed such as allowed hosts and authentication. Just because something is possible definitely does not mean it should be allowed! This would also be true of any service you allowed through the firewall and should be examined on a case by case basis. Regards, Rob Davis Lucent Technologies, Network Consulting Group >-----Original Message----- >From: Domenico Viggiani [SMTP:dviggian@gst.cgs.it] >Sent: Wednesday, July 09, 1997 8:58 AM >To: firewalls@GreatCircle.COM >Subject: FW-1 and IBM AIX > >I'm strongly interested in Checkpoint FW-1 but I need to know exactly: >- if it is available for IBM AIX OS; >- if (and how) it improves the security of OS, 'hardening' it in some >way; >- if it supports FTP connections from external, unsecure side. > >These requirements are mandatory for our project. > >Thanks in advance. >Best regards.
> >- > >Domenico Viggiani Internet Systems Engineer >CAP GEMINI ITALY SpA E-mail: dviggian@gst.cgs.it >Via dei Berio, 91 - 00155 Roma Phone: +39 6 23190 509 From owner-firewalls-outgoing Wed Jul 9 14:05:20 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA27823 for firewalls-outgoing; Wed, 9 Jul 1997 12:14:43 -0700 (PDT) Received: from snmpmgr.state.tn.us (snmpmgr.state.tn.us [170.142.1.74]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id MAA27785 for ; Wed, 9 Jul 1997 12:14:33 -0700 (PDT) Received: from langate.tnet.state.tn.us by snmpmgr.state.tn.us with SMTP id AA28174 (5.67b/IDA-1.5 for ); Wed, 9 Jul 1997 14:18:21 -0500 Received: from tn01-Message_Server by langate.tnet.state.tn.us with Novell_GroupWise; Wed, 09 Jul 1997 14:17:21 -0500 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Wed, 09 Jul 1997 14:17:16 -0500 From: "Samuel T. Baker" To: firewalls@GreatCircle.COM Cc: minaba@ci.chi.il.us Subject: request for data general security sources -Reply Mime-Version: 1.0 Content-Type: text/plain Content-Disposition: inline Sender: firewalls-owner@GreatCircle.COM Precedence: bulk ** Low Priority ** I'm not aware of any dedicated DG groups/lists. I assume you've contacted DG to discuss whether they have a non-public list/group. Is it possible they use Internet Relay Chat (moderated) instead? You might want to try the bugtraq mailing list; it is certainly general but would have some material relevant to DG Unix. How vanilla/unique is DG Unix? Probably the comp.security.unix newsgroup would be relevant. See http://www.liszt.com/news/comp/security/ and http://www.liszt.com/news/comp/unix/ Lists: http://www.liszt.com/select/Computers/Security/ My impression is that comp.risks is a good high level risk discussion (security issues) newsgroup. Samuel T. Baker . . . standard disclaimer . . .
Tennessee Treasury Department
615 532-8026 voice
615 734-6459 fax
sbaker@mail.state.tn.us

>>> Mark Inaba 09:45 9 Jul 1997 >>>
are there any mailing lists that cover security issues for data general unix boxes?

-Mark

From owner-firewalls-outgoing Wed Jul 9 14:35:09 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA11541 for firewalls-outgoing; Wed, 9 Jul 1997 13:17:07 -0700 (PDT)
Received: from mail.diginsite.com (mail.diginsite.com [208.2.189.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA11506 for ; Wed, 9 Jul 1997 13:16:57 -0700 (PDT)
Received: from mail.diginsite.com (mail.diginsite.com [208.2.189.2]) by mail.diginsite.com (8.8.5/8.8.3) with SMTP id NAA08744; Wed, 9 Jul 1997 13:17:35 -0700
Date: Wed, 9 Jul 1997 13:17:35 -0700 (PDT)
From: David Lang
To: mikech@avana.net
cc: "Mark Horn [ Net Ops ]" , Firewalls@GreatCircle.COM
Subject: Re: Harping on dynamic DNS, was RE: Two ISP's to one DMZ
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In looking for BGP capable ISP's, look for the larger players (backbone providers like sprint, mci, gridnet, etc). Boardwatch magazine publishes a book every couple of months that lists ISP's and backbone providers. Any backbone provider will support BGP (that is how they talk to each other).
David Lang

From owner-firewalls-outgoing Wed Jul 9 15:08:44 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA14033 for firewalls-outgoing; Wed, 9 Jul 1997 08:21:12 -0700 (PDT)
Received: from alpha.mellis.com (alpha.mellis.com [205.149.187.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA14022 for ; Wed, 9 Jul 1997 08:21:04 -0700 (PDT)
Received: from alpha.mellis.com (pcc@alpha.mellis.com [205.149.187.2]) by alpha.mellis.com (8.8.5/8.7.3) with SMTP id IAA04142; Wed, 9 Jul 1997 08:24:35 -0700 (PDT)
Date: Wed, 9 Jul 1997 08:24:35 -0700 (PDT)
From: Phil Cox
X-Sender: pcc@alpha.mellis.com
To: FRosenbloo@aol.com
cc: Firewalls@GreatCircle.COM
Subject: Re: Firewalls-Digest V6 #319
In-Reply-To: <970709082930_-292438215@emout05.mail.aol.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 9 Jul 1997 FRosenbloo@aol.com wrote:

> Are there any security issues regarding the allowing of Java across/through a
> firewall configuration? Are there any recommended solutions to potential
> exposures in this area?
>
> Fred

Yes there are serious issues (see http://www.math.gatech.edu/~mladue/HostileApplets.html). My recommendation is to not allow it. I believe that this is the standard stance taken by most implementations. If there is a legitimate business need, then some steps can be taken to reduce the risk, but the "minimalist" stance is always the best in terms of security.
Phil

From owner-firewalls-outgoing Wed Jul 9 15:57:47 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA14658 for firewalls-outgoing; Wed, 9 Jul 1997 08:27:07 -0700 (PDT)
Received: from newman (newman.unifiedtech.com [38.251.136.48]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id IAA14580 for ; Wed, 9 Jul 1997 08:26:46 -0700 (PDT)
Received: from newman by newman (SMI-8.6/SMI-SVR4) id LAA10462; Wed, 9 Jul 1997 11:28:19 -0400
Message-ID: <33C3AE13.40C375B1@unifiedtech.com>
Date: Wed, 09 Jul 1997 11:28:19 -0400
From: Mike Jones
Organization: Unified Technologies, Inc.
X-Mailer: Mozilla 4.0b5C (X11; I; SunOS 5.5.1 sun4u)
MIME-Version: 1.0
To: blah
CC: firewalls@GreatCircle.COM
Subject: Re: Security sw distributed as Binaries
X-Priority: 3 (Normal)
References:
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

blah wrote:

> Does anyone know where I can find a txt or postscript copy of the
> lecture?
> On Tue, 8 Jul 1997, Mike Jones wrote:
> > Read Ken Thompson's Turing Award Lecture, "On Trusting Trust."

Try http://www.acm.org/classics/sep95

--
Mike Jones, Sr. Technology Advisor
Unified Technologies, 105 Jordan Road, Troy, NY 12180, US
mike.jones@unifiedtech.com
tel: (518) 283-1003   fax: (518) 283-1189

From owner-firewalls-outgoing Wed Jul 9 16:42:09 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA29012 for firewalls-outgoing; Wed, 9 Jul 1997 09:37:46 -0700 (PDT)
Received: from diablo.intergate.bc.ca (diablo.intergate.bc.ca [207.34.179.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id JAA28938 for ; Wed, 9 Jul 1997 09:37:28 -0700 (PDT)
Received: from seane (van-as-09c04.direct.ca [204.174.245.36]) by diablo.intergate.bc.ca (8.8.5/8.6.9) with ESMTP id JAA15951; Wed, 9 Jul 1997 09:48:34 -0700 (PDT)
Message-ID: <33C3BD2E.94E84718@intergate.bc.ca>
Date: Wed, 09 Jul 1997 09:32:46 -0700
From: Sean Elrington
Reply-To: seane@choreo.ca
Organization: Choreo Systems
X-Mailer: Mozilla 4.01 [en] (Win95; I)
MIME-Version: 1.0
To: Peter Dieth
CC: Firewalls@GreatCircle.COM
Subject: Re: security check
X-Priority: 3 (Normal)
References: <3.0.2.32.19970709101902.0076a52c@mail.de.eu.tis.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> >> > You could try the following:
> >> >
> >> > 1. SATAN
> >> > 2. Internet Security Scanner (http://www.iss.net)
> >> > 3. Getting a port scanner like USCAN
> >> >
> >>
> >> 4. Ballista (http://www.secnet.com)
> >>
> >> Various companies also do penetration testing including:
> >>
> >> 1. Netcraft (http://www.netcraft.com/security)
> >> 2. Engarde (http://www.engarde.com)
> >
> >3. Idsec (http://www.idsec.co.uk)
>
> 4. Trusted Information Systems (http://www.tis.com) in USA, England and Germany
>
> 5. Articon in Germany (http://www.articon.de)
>
> 6. Apogee in France (http://www.apogee-com.fr)

7. In Canada, we work with M-Tech (http://www.m-tech.ab.ca) for security audits and penetration testing. They also have a neat password synchronization program for managing passwords.

......
Sean Elrington
Sales Systems Engineer
Choreo Systems - Vancouver
Tel: (604) 737-3993
www.choreosystems.com
seane@choreo.ca
-----------------------------------------------------------
Firewalls, security tools, public key encryption
TCP/IP, X.11, NFS
Messaging and directory software
-----------------------------------------------------------

From owner-firewalls-outgoing Wed Jul 9 17:13:56 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA00980 for firewalls-outgoing; Wed, 9 Jul 1997 12:30:30 -0700 (PDT)
Received: from silence.secnet.com (silence.secnet.com [199.185.231.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id MAA00879 for ; Wed, 9 Jul 1997 12:30:02 -0700 (PDT)
Received: from localhost (oliverf@localhost) by silence.secnet.com (8.8.5/secnet) with SMTP id NAA03208; Wed, 9 Jul 1997 13:37:57 -0600 (MDT)
Date: Wed, 9 Jul 1997 13:37:57 -0600 (MDT)
From: Oliver Friedrichs
To: Claudio Telmon
cc: seane@choreo.ca, myelland@ferc.fed.us, Firewalls@GreatCircle.COM
Subject: Re: security check
In-Reply-To: <33C362F5.A1D@di.unipi.it>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 9 Jul 1997, Claudio Telmon wrote:

> Note that none of these was designed to test a firewall. They are made
> for tests on hosts or networks, and they will find problems that
> compromise the firewall host, but won't help when you try to check if
> the firewall works properly and actually protects the internal network.
> This is a problem of traffic that goes through the firewall.
> On a proxy based firewall a netstat -a will tell you almost everything
> you need on open ports and services (only those of the proxies should be
> listed).
> A check on a packet filter can be more tricky, but the result
> of a scan can be even more misleading.

You may have missed one of the primary features of Ballista (besides the 200+ vulnerability checks :-). Ballista incorporates a technology known as CAPE (Custom Auditing Packet Engine). This technology is essentially a packet generation tool, which can be either script driven or prompt driven to generate and send any type of IP/TCP/UDP/ICMP/IP over IP etc packet which you desire. This allows you to generate any type of network packet and attempt to pass it through your firewall.

Now to address the issue of dropped packets... A second feature of CAPE is called the Sentry Daemon. This daemon sits on the _internal_ network and watches for packets which have been generated by CAPE. When a packet is passed on by the packet filter, the sentry daemon will see it and add it to the report. This functionality allows a firewall administrator to ensure 100% that their filtering rules are valid.

In addition to this, due to the flexibility of CAPE, adding new filter and packet manipulation tests is trivial. (For example the NT fragmentation attack posted by Thomas Lopatic can be written in a CAPE script in literally a few seconds). CAPE allows modification of any packet header option (including all IP options and TCP options) and allows sending of these packets under Linux, OpenBSD, FreeBSD, Solaris and BSDI and Windows NT.

An example looks as follows:

# resv_check.cape
# This script is used by the built-in filter checks
# please do not modify it
ip
ip_version=4
ip_proto=IPPROTO_UDP
# the flags value set here sets a reserved bit in the IP header
# which is not normally used by any IP implementation. As this bit
# is part of the IP fragment offset, some filters have been known to
# incorrectly analyze the fragment offset and allow packets through
# if this bit is set.
ip_flags=4
ip_id=42
ip_done
udp
udp_sport=6834
udp_dport=5574
udp_done
data=SAS-reserved
end_of_packet

And would be run as:

#./cape resv_check.cape ip_src=127.0.0.1 ip_dst=127.0.0.1 gateway=127.0.0.1 iface=ed2

For some more information on CAPE see
http://www.secnet.com/ballista/cape.html and
http://www.secnet.com/ballista/man-pages/cape.html (describing all options and values which can be set by the user in packet headers).

Didn't intend this to be full of marketing spooge, however wanted to let people know this exists. :-)

- Oliver

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Secure Networks Incorporated. Calgary, Alberta, Canada, (403) 262-9211

From owner-firewalls-outgoing Wed Jul 9 17:19:47 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA20813 for firewalls-outgoing; Wed, 9 Jul 1997 09:02:07 -0700 (PDT)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id JAA20696 for ; Wed, 9 Jul 1997 09:01:37 -0700 (PDT)
Received: from peets.us.checkpoint.com (us.checkpoint.com [206.86.35.130]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with ESMTP id JAA01739 for ; Wed, 9 Jul 1997 09:07:53 -0700 (PDT)
Received: from emily.sirius.com (latte [206.86.35.13]) by peets.us.checkpoint.com (8.8.3/8.8.3) with SMTP id JAA25171; Wed, 9 Jul 1997 09:06:38 -0700 (PDT)
Message-Id: <2.2.32.19970709160020.006e78f8@us.checkpoint.com>
X-Sender: emily@us.checkpoint.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 09 Jul 1997 09:00:20 -0700
To: Adam Shostack
From: "Emily G. Cohen"
Subject: Re: Check Point response to Mossad rumor`
Cc: Firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Adam,

First of all, Check Point FireWall-1 is not based on packet filtering technology.
It is a Stateful Inspection implementation, which is NOT the same thing. Therefore, it is NOT at all similar to any type of freeware. You might want to educate yourself by checking out our technical notes at www.checkpoint.com.

I don't know of many companies that give away their source code - it's called intellectual property. And, it's how Check Point differentiates itself, along with the management console.

Source code is not the issue here...vicious rumors are.

Best Regards,
/emily

At 07:47 AM 7/8/97 -0400, Adam Shostack wrote:
>Might I suggest a solution?
>
>	From out here, it seems the real value from a CheckPoint FW is
>the GUI & management tools. The packet filter itself is fairly
>similar to freely available ones such as IPFilter and ipfw. So
>release the source code to the packet filter. This will make it easy
>to dispel rumors of back doors in your security code, without giving
>up the sales advantage of your user interface.
>
>	Another company that has been plagued by rumors, Security
>Dynamics, has chosen to present their algorithms and protocols in
>public for the next major release of their software. I expect, as
>does their management, that this will go quite a long ways towards
>dispelling rumors.
>
>Adam
>
>Emily G. Cohen wrote:
>| Check Point Software Technologies Ltd. would like to assure its
>| customers, security experts, and others that there is no, and never
>| has been, an "agreement" or relationship between Check Point Software
>| and the Mossad, or any other branch of the Israeli government or military,
>| to create a "back door" into Check Point products.
>|
>| These are false and malicious rumors that have been circulating
>| since Check Point became successful, specifically targeted at
>| damaging the company, and they are always from "anonymous sources."
>| Check Point takes these rumors seriously, and if anyone has information >| on the source/s of these rumors, we would be very interested in hearing >| from you, so that we can take appropriate action. >| >| Check Point FireWall-1 is the most widely installed network security >| solution in the world and no customer has ever reported a security >| breach of this nature. Check Point FireWall-1's customer list includes >| accounts with the highest level of security consciousness such as U.S. >| national and foreign governments, the world's leading financial institutions, >| telcos and ISPs. All Check Point FireWall-1 customers benefit from the >| product's patented Stateful Inspection technology ensuring the highest >| level of enterprise security available today. >| >| Emily Cohen, Director of Corporate Communications >| Check Point Software Technologies, Inc. >| 400 Seaport Court, Suite 105 >| Redwood City, CA 94063 >| Tel: 415-562-0400 x228 >| Fax: 415-562-0410 >| www.checkpoint.com >| > > >-- >He has erected a multitude of new offices, and sent hither swarms of >officers to harrass our people, and eat out their substance. > > Emily Cohen, Director of Corporate Communications Check Point Software Technologies, Inc. 
400 Seaport Court, Suite 105 Redwood City, CA 94063 Tel: 415-562-0400 x228 Fax: 415-562-0410 Pager: 888-365-6667 www.checkpoint.com From owner-firewalls-outgoing Wed Jul 9 17:49:48 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA15496 for firewalls-outgoing; Wed, 9 Jul 1997 13:41:44 -0700 (PDT) Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA15318 for ; Wed, 9 Jul 1997 13:40:41 -0700 (PDT) Received: from sebraepb.com.br ([200.241.206.2]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with ESMTP id NAA06000 for ; Wed, 9 Jul 1997 13:24:39 -0700 (PDT) Received: from renato.sebraepb.com.br ([200.241.206.166]) by sebraepb.com.br (8.8.5/8.7.3) with SMTP id RAA29158 for ; Wed, 9 Jul 1997 17:29:08 -0300 Message-ID: <33C3F3B9.5649@sebraepb.com.br> Date: Wed, 09 Jul 1997 17:25:42 -0300 From: RENATO Reply-To: renato@sebraepb.com.br Organization: SEBRAE - PARAIBA X-Mailer: Mozilla 3.01Gold [pt] (Win95; I) MIME-Version: 1.0 To: Firewalls@GreatCircle.COM Subject: Please cancel References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Alan Kinsey wrote: > Please cancel subscription Renato Ricardo[SMTP:renato@sebraepb.com.br] From owner-firewalls-outgoing Wed Jul 9 18:04:43 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA19279 for firewalls-outgoing; Wed, 9 Jul 1997 14:00:31 -0700 (PDT) Received: from srv3-sao.sao.nutecnet.com.br (srv3-sao.sao.nutecnet.com.br [200.246.248.3]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA19113 for ; Wed, 9 Jul 1997 13:59:52 -0700 (PDT) Received: from nutspgw.nutec.com.br ([200.246.248.99]) by srv3-sao.sao.nutecnet.com.br (8.8.5/SCA-6.6) with SMTP id UAA09151; Wed, 9 Jul 1997 20:02:48 GMT Received: from canario.nutec.com.br ([192.168.2.2]) by 
nutspgw.nutec.com.br via smtpd (for srv3-sao.sao.nutecnet.com.br [200.246.248.3]) with SMTP; 9 Jul 1997 17:04:46 UT
Received: from nutspgw.nutec.com.br by canario.nutec.com.br id aa03443; 9 Jul 97 16:55 GMT
From: "Fernando da Silveira Montenegro"
To: "Lista Inet-Access" , "Lista Firewalls"
Received: from cancun.sao.nutecnet.com.br ([200.246.248.224]) by firewall.nutec.com.br via smtpd (for canario.nutec.com.br [192.168.2.2]) with SMTP; 9 Jul 1997 17:04:38 UT
Subject: Services vulnerable to IP spoofing?
Date: Wed, 9 Jul 1997 17:02:14 -0300
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.71.0926.0
X-MimeOle: Produced By Microsoft MimeOLE Engine V4.71.0926.0
Message-ID: <9707091655.aa03443@canario.nutec.com.br>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi!

Assuming that stuff such as r* and UDP services (tftp and the like) are not only being blocked at the routers but not even available at a server, what kind of services is an IP spoofing attack a threat to?

I know that an IP spoof attack can be coordinated with TCP Sequence Guessing, but haven't most IP stacks covered this already? If so, other than Denial of Service, is there any threat from IP spoofing to TCP-based services?

The environment in question is an ISP, where a few specialized servers can be secured through host security methods (as opposed to network security, such as firewalls). Of course, filtering abounds in the routers and term servers involved. (had a question about that a few days ago here. Thanks for the feedback!)

I know there can be issues with IP spoof attacks against the users' PCs, since UDP is the norm for less-common applications, such as Quake, IRC, ..., but when it comes to servers, is there anything else to worry about? I keep thinking of DNS, but zone transfers are TCP-based, right?

Thanks in advance!
Regards,
Fernando

--
Fernando da Silveira Montenegro
Nutec Informatica
System/Network Administrator
Sao Paulo, SP, BRAZIL
mailto:montenegro@nutec.com.br
http://www.nutecnet.com.br
voice.:+55-11-5505-5728
#include

From owner-firewalls-outgoing Wed Jul 9 18:04:42 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA24503 for firewalls-outgoing; Wed, 9 Jul 1997 14:27:18 -0700 (PDT)
Received: from diablo.intergate.bc.ca (diablo.intergate.bc.ca [207.34.179.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id OAA24409 for ; Wed, 9 Jul 1997 14:26:57 -0700 (PDT)
Received: from seane (van-52-1041.direct.ca [204.174.253.233]) by diablo.intergate.bc.ca (8.8.5/8.6.9) with ESMTP id OAA17642 for ; Wed, 9 Jul 1997 14:38:03 -0700 (PDT)
Message-ID: <33C400FF.D87596A1@intergate.bc.ca>
Date: Wed, 09 Jul 1997 14:22:08 -0700
From: Sean Elrington
Reply-To: seane@choreo.ca
Organization: Choreo Systems
X-Mailer: Mozilla 4.01 [en] (Win95; I)
MIME-Version: 1.0
To: firewalls@greatcircle.com
Subject: Java security and firewalls
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

FRosenbloo@aol.com wrote:

> Are there any security issues regarding the allowing of Java
> across/through a
> firewall configuration? Are there any recommended solutions to
> potential
> exposures in this area?
>
> Fred

For a good discussion of Java security issues you could read "Java Security-Hostile Applets, Holes and Antidotes" by Gary McGraw and Edward Felten as well as the Java Security FAQs at Sun.

There certainly are denial of service implications and hostile applets can pose a threat to corporate desktops. (More scary still is ActiveX - but that's another topic).

Possible solutions:

1. Educate your users about the threat of Java and show them how to disable it in their browsers when they are visiting an untrusted site.
2. On the firewall block .class files in the http data stream.
3. Look at a product like Finjan (http://www.finjan.com) which protects desktops.
4. Consider not using Internet Explorer until they put in better ActiveX protection.
5. Block HTTP access through the firewall to limit it to a finite universe of trusted sites.

I am sure other readers of the list will have more recommendations....

--
Sean Elrington
Sales Systems Engineer
Choreo Systems - Vancouver
Tel: (604) 737-3993
www.choreosystems.com
seane@choreo.ca
-----------------------------------------------------------
Firewalls, security tools, public key encryption
TCP/IP, X.11, NFS
Messaging and directory software
-----------------------------------------------------------

From owner-firewalls-outgoing Wed Jul 9 18:35:08 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA16551 for firewalls-outgoing; Wed, 9 Jul 1997 13:48:02 -0700 (PDT)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA15326 for ; Wed, 9 Jul 1997 13:40:43 -0700 (PDT)
Received: from mail.diginsite.com (mail.diginsite.com [208.2.189.2]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with ESMTP id NAA05892 for ; Wed, 9 Jul 1997 13:18:10 -0700 (PDT)
Received: from mail.diginsite.com (mail.diginsite.com [208.2.189.2]) by mail.diginsite.com (8.8.5/8.8.3) with SMTP id NAA07910; Wed, 9 Jul 1997 13:12:17 -0700
Date: Wed, 9 Jul 1997 13:12:16 -0700 (PDT)
From: David Lang
To: "Adams, Gavin"
cc: "'Martin C.
Walker'" , fw-1-mailinglist@us.checkpoint.com, firewalls@GreatCircle.COM Subject: RE: [FW1] FW-1 DESTINATION IP Address Translation In-Reply-To: <11CB84BC53EFD011B45600805FC1A27F2729@platinum.ccscns.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk what are you trying to do? first you cannot leave the source address the same as the other end will have no idea how to route to 10.* second, in translating the destination address, what are you translating from and to? why can you not use the real destination address? David Lang On Wed, 9 Jul 1997, Adams, Gavin wrote: > 3.0 (3.0a) can do exactly that. The new NAT features are very powerful, > and allow for all kinds of nice things. > > --- Gavin Adams > Senior Network Engineer > The CCS Group, Bermuda > > -----Original Message----- > From: Martin C. Walker [SMTP:martinw@epcorp.com] > Sent: Monday, July 07, 1997 11:33 > To: fw-1-mailinglist@us.checkpoint.com; > firewalls@GreatCircle.COM > Subject: [FW1] FW-1 DESTINATION IP Address Translation > > Can anyone provide me with details on how translate the > DESTINATION IP address in a forward moving packet outbound > from the firewall to the internet ? > > normal NAT translates only the SOURCE IP address. > > Ideally I'd like to translate only the destination address and > leave the source as an illegal 10.* address. If this is not > doable > I'd need to translate both addresses. > > I have Sun's version of FW-1 2.1c on Solaris 2.5.1x86. > > I will be going to 3.0a soon, so if it's different or not > do-able > on 3.* products I'd like to know that too. > > TIA for the help > > ------------------------------------------------------------------------ > -- > Martin C. Walker | martinw@epcorp.com | PP-ASEL,IFR > AA5-A 9908U > Project Lead | (513)629-2517 | Blue Belt Okinawan > Shuri-Ryu > Eagle-Picher Inc. 
| Fax: (513)629-2449 | > Porsche 911SC > 580 Walnut St, | > Cincinnati, OH 45202 | > From owner-firewalls-outgoing Wed Jul 9 18:49:55 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA23628 for firewalls-outgoing; Wed, 9 Jul 1997 14:22:43 -0700 (PDT) Received: from diablo.cisco.com (diablo.cisco.com [171.68.223.106]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id OAA23462 for ; Wed, 9 Jul 1997 14:22:01 -0700 (PDT) Received: from big-dawgs.cisco.com (herndon-dhcp-109.cisco.com [171.68.53.109]) by diablo.cisco.com (8.8.5/CISCO.SERVER.1.2) with SMTP id OAA27500; Wed, 9 Jul 1997 14:25:27 -0700 (PDT) Message-Id: <3.0.3.32.19970709172523.006ce0e4@lint.cisco.com> X-Sender: pferguso@lint.cisco.com X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Wed, 09 Jul 1997 17:25:23 -0400 To: "Mark Horn [ Net Ops ]" From: Paul Ferguson Subject: Re: Two ISP's to one DMZ Cc: Firewalls@GreatCircle.COM In-Reply-To: <19970709114056.13725@capmark.funb.com> References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 11:40 AM 07/09/97 -0400, Mark Horn [ Net Ops ] wrote: > >I'd love to hear more data about BGP convergence from people who are using >BGP ... pferguso@cisco.com? > >>Most routers are definitely not up to updating a >>route through BGP. Besides, how are you going to switch between CIDRs? If I am >>using a Sprint Class B or C IP block how am I going to route it through MCI? > >Both of these issues are legitimate. BGP gobbles memory, especially if >you're getting full Internet routes. BGP also requires that you have >portable address space - a rare commodity. 
>

The amount of time it takes to converge routing with BGP depends on:

  o the computational platform -- the more CPU horsepower, the faster
    the path recalculation;
  o available computational resources;
  o the number of prefixes;
  o the number of AS_PATHS;
  o the number of BGP peers;
  o the volume of announcements and/or withdrawals.

Of course, one could also suggest that the speed of the links interconnecting the BGP speakers has an effect on the rate at which routing will reconverge, since a faster link will transfer announcement & withdrawal information quicker than a slower link.

I have no idea what you are referring to with regards to "BGP also requires that you have portable address space" -- this is certainly incorrect. Perhaps you meant something else, or meant it in a different context?

>Having only looked at it superficially, dynamic DNS + NAT seems like a
>workable solution when BGP isn't available. But if BGP is available, it
>seems better. And that's simply on a performance basis. BGP also
>provides policy setting that DNS doesn't.
>

Exactly how does NAT and DNS provide for the announcement of AS's and/or prefixes into the global routing system?

- paul

>--
>Mark Horn
>
>PGP Public Key available from: http://www.es.net/hypertext/pgp.html
>PGP KeyID/fingerprint: 00CBA571/32 4E 4E 48 EA C6 74 2E 25 8A 76 E6 04 A1 7F C1
>

--
Paul Ferguson                    ||        ||
Consulting Engineering           ||        ||
Herndon, Virginia USA           ||||      ||||
tel: +1.703.397.5938       ..:||||||:..:||||||:..
e-mail: pferguso@cisco.com c i s c o S y s t e m s From owner-firewalls-outgoing Wed Jul 9 18:54:31 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA29607 for firewalls-outgoing; Wed, 9 Jul 1997 14:54:01 -0700 (PDT) Received: from gw.batterymarch.com (gw.batterymarch.com [199.58.10.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id OAA29518 for ; Wed, 9 Jul 1997 14:53:44 -0700 (PDT) Received: by gw.batterymarch.com; id RAA06316; Wed, 9 Jul 1997 17:36:13 -0400 Received: from nt_mail.batterymarch.com(199.58.9.47) by gw.batterymarch.com via smap (3.2) id xma006312; Wed, 9 Jul 97 17:36:05 -0400 Received: from ccMail by nt_mail.batterymarch.com (IMA Internet Exchange 2.1 Workgroup) id 00008860; Wed, 9 Jul 97 17:57:37 -0400 Mime-Version: 1.0 Date: Wed, 9 Jul 1997 17:58:18 -0400 Message-ID: <00008860.@batterymarch.com> From: nbender@batterymarch.com (nbender) Subject: Re: Security sw distributed as Binaries (fwd) To: Firewalls@GreatCircle.COM Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Description: cc:Mail note part Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > Does anyone know where I can find a txt or postscript copy of the lecture? 
> http://www.acm.org/classics/sep95/ -N From owner-firewalls-outgoing Wed Jul 9 19:05:51 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA03769 for firewalls-outgoing; Wed, 9 Jul 1997 12:44:12 -0700 (PDT) Received: from mail.advancenet.net ([205.198.248.82]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id MAA03761 for ; Wed, 9 Jul 1997 12:44:06 -0700 (PDT) Received: from argus-systems.com (ranger.argus-systems.com [206.221.232.80]) by mail.advancenet.net (8.8.6/8.7.3) with SMTP id OAA12479 for ; Wed, 9 Jul 1997 14:48:18 -0500 Received: by argus-systems.com (SMI-8.6/SMI-SVR4) id OAA16892; Wed, 9 Jul 1997 14:55:56 -0500 Date: Wed, 9 Jul 1997 14:55:56 -0500 From: mcnabb@argus-systems.com (Paul McNabb) Message-Id: <199707091955.OAA16892@argus-systems.com> To: firewalls@GreatCircle.COM Subject: Encryption hooks Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Can anyone point me to an up-to-date reference on the US export restrictions on products containing hooks for encryption without any actual encryption algorithm? If this custom software is going to a bank or financial institution, is there still a limitation, and if so, is the restriction less? Thanks. paul --------------------------------------------------------- Paul McNabb Argus Systems Group, Inc. 
Vice President and CTO            1809 Woodfield Drive
mcnabb@argus-systems.com          Savoy, IL 61874 USA
TEL 217-355-6308                  FAX 217-355-1433
"Securing the Future"
---------------------------------------------------------

From owner-firewalls-outgoing Wed Jul 9 19:30:59 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA13680 for firewalls-outgoing; Wed, 9 Jul 1997 08:16:39 -0700 (PDT)
Received: from chert.cary.mci.net (chert.Cary.mci.net [159.24.13.55]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA13645 for ; Wed, 9 Jul 1997 08:16:28 -0700 (PDT)
Received: from mci.net by chert.cary.mci.net (8.8.5/kaw-mci.net/feb95) id LAA07215; Wed, 9 Jul 1997 11:19:17 -0400 (EDT)
Message-Id: <199707091519.LAA07215@chert.cary.mci.net>
X-Mailer: exmh version 2.0gamma 1/27/96
To: wcsu@mail.vis.com.tw
cc: firewalls@GreatCircle.COM
Subject: Re: rule orders of FW-1
In-reply-to: Your message of "Wed, 09 Jul 1997 17:39:05 +0800." <482564CF.0034404F.00@mail.vis.com.tw>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 09 Jul 1997 11:19:16 -0400
From: Rusty Zickefoose
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I don't believe Checkpoint considers this a bug. As I understand it, when using user authentication on FW-1, the least restrictive authentication rule is applied. In this case only, rule order makes no difference.

>
>
>
> Dear all,
>
> If there are the following rules for FireWall-1
>
>          Source      Dest    Service   Action
>   ===================================================
>   rule1: userA@pc1   pc2     FTP       User Authentication
>   rule2: pc1         all     ALL       Accept
>
>
> If there's an FTP request from pc1 to pc2, which rule do you think it
> should apply?
> I thought it was rule1, but the log says it's rule 2.
>
> Is this a false configuration or is it FireWall-1's "bug"?
-- Rusty

From owner-firewalls-outgoing Wed Jul 9 19:31:12 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id PAA05541 for firewalls-outgoing; Wed, 9 Jul 1997 15:20:21 -0700 (PDT) Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id PAA03305 for ; Wed, 9 Jul 1997 15:10:45 -0700 (PDT) Received: from ns1.cq.com (ns1.cq.com [198.67.16.10]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with ESMTP id PAA07596 for ; Wed, 9 Jul 1997 15:08:30 -0700 (PDT) Received: by ns1.cq.com; id SAA17746; Wed, 9 Jul 1997 18:07:42 -0400 (EDT) Received: from hub.cq.com(198.67.5.98) by ns1.cqalert.com via smap (3.2) id xma017696; Wed, 9 Jul 97 18:07:16 -0400 Received: from pop.cq.com (pop.cq.com [198.67.5.169]) by hub.cq.com (8.8.2/8.6.12) with ESMTP id SAA14157; Wed, 9 Jul 1997 18:10:53 -0400 (EDT) Received: from hkarim ([206.105.221.244]) by pop.cq.com (8.8.5/8.6.12) with SMTP id SAA09422; Wed, 9 Jul 1997 18:06:07 -0400 (EDT) Message-Id: <3.0.32.19970709180445.0090d100@pop.cq.com> X-Sender: hassan@pop.cq.com X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Wed, 09 Jul 1997 18:04:47 +0100 To: Domenico Viggiani , firewalls@GreatCircle.COM From: Hassan Karim Subject: Re: FW-1 and IBM AIX Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

In a couple of weeks I believe Checkpoint's FW-1 will run on AIX.

There is an optional product called SeOS (Security for Open Systems) that you can buy with Firewall 1 that hardens the OS - otherwise it does not harden the OS at all. FW-1 does however restrict any NETWORK services based on the rules you establish (as does any other Firewall).

Yes, FW-1 does support FTP connections from any side that you want, leaving the policy making up to you.
Peace,
Hassan

At 03:58 PM 7/9/97 +0200, Domenico Viggiani wrote:
>I'm strongly interested in Checkpoint FW-1 but I need to know exactly:
>- if it is available for IBM AIX OS;
>- if (and how) it improves the security of the OS, 'hardening' it in some
>way;
>- if it supports FTP connections from the external, unsecure side.
>
>These requirements are mandatory for our project.
>
>Thanks in advance.
>Best regards.
>
>-
>
>Domenico Viggiani Internet Systems Engineer
>CAP GEMINI ITALY SpA E-mail: dviggian@gst.cgs.it
>Via dei Berio, 91 - 00155 Roma Phone: +39 6 23190 509

From owner-firewalls-outgoing Wed Jul 9 19:35:42 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id TAA27930 for firewalls-outgoing; Wed, 9 Jul 1997 19:25:36 -0700 (PDT) Received: from solar.dhiltd.co.kr (solar.dhiltd.co.kr [152.149.120.8]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id TAA27757 for ; Wed, 9 Jul 1997 19:25:01 -0700 (PDT) Received: from mypc.dhiltd.co.kr by solar.dhiltd.co.kr (8.6.9H1/5.01) id LAA17581; Thu, 10 Jul 1997 11:26:09 +0900 Message-ID: <33C44E7C.98A@solar.dhiltd.co.kr> Date: Thu, 10 Jul 1997 11:52:45 +0900 From: Han Jie Reply-To: jhan@solar.dhiltd.co.kr Organization: Daewoo Heavy Industry co.ltd X-Mailer: Mozilla 3.0 (Win95; I) MIME-Version: 1.0 To: firewalls@greatcircle.com CC: firewalls@greatcircle.com Subject: (no subject) Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

unsubscribe firewalls

From owner-firewalls-outgoing Wed Jul 9 20:22:23 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id PAA01810 for firewalls-outgoing; Wed, 9 Jul 1997 15:03:53 -0700 (PDT) Received: from hope.teclab.com (hope.teclab.com [205.197.23.36]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id PAA01714 for ; Wed, 9 Jul 1997 15:03:33 -0700 (PDT) Received: by hope.teclab.com with Internet Mail Service (5.0.1457.3)
id ; Wed, 9 Jul 1997 18:10:51 -0400 Message-ID: From: Carlos Vives To: fw-1-mailinglist@us.checkpoint.com, firewalls@greatcircle.com Subject: RE: [FW1] FW-1 DESTINATION IP Address Translation Date: Wed, 9 Jul 1997 18:10:48 -0400 X-Priority: 3 X-Mailer: Internet Mail Service (5.0.1457.3) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

You need version 3.0 to do this. In the address translation tab of the GUI, just tell the translated packet to look the way you want it. Keep the source as '=original' and the destination as 'the translated IP address'.

------------------------------------------------------------------------
Carlos Vives mailto:Cvives@tds.com www.tds.com
Trident Data Systems mailto:Carlos@teclab.com
Oakton, Virginia. Tel+703-383-3581.

> ----------
> From: Martin C. Walker[SMTP:martinw@epcorp.com]
> Sent: Tuesday, July 08, 1997 8:27 PM
> To: fw-1-mailinglist@us.checkpoint.com; firewalls@greatcircle.com
> Subject: [FW1] FW-1 DESTINATION IP Address Translation
>
> Can anyone provide me with details on how to translate the
> DESTINATION IP address in a forward moving packet outbound
> from the firewall to the internet ?
>
> Normal NAT translates only the SOURCE IP address.
>
> Ideally I'd like to translate only the destination address and
> leave the source as an illegal 10.* address. If this is not doable
> I'd need to translate both addresses.
>
> I have Sun's version of FW-1 2.1c on Solaris 2.5.1x86.
>
> I will be going to 3.0a soon, so if it's different or not do-able
> on 3.* products I'd like to know that too.
>
> TIA for the help
> ----------------------------------------------------------------------
> Martin C. Walker | martinw@epcorp.com | PP-ASEL,IFR AA5-A 9908U
> Project Lead | (513)629-2517 | Blue Belt Okinawan Shuri-Ryu
> Eagle-Picher Inc.
| Fax: (513)629-2449 | Porsche > 911SC > 580 Walnut St, | > Cincinnati, OH 45202 | > From owner-firewalls-outgoing Wed Jul 9 20:26:50 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id SAA21865 for firewalls-outgoing; Wed, 9 Jul 1997 18:59:17 -0700 (PDT) Received: from server1.trytel.com (server1.trytel.com [204.191.54.14]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id SAA21743 for ; Wed, 9 Jul 1997 18:58:50 -0700 (PDT) Received: from niven (sisu.trytel.com [204.191.54.67]) by server1.trytel.com (Post.Office MTA v3.1 release PO203a ID# 0-32378U5000L100S1000) with SMTP id AAA7108 for ; Wed, 9 Jul 1997 22:07:31 -0400 Received: by localhost with Microsoft MAPI; Wed, 9 Jul 1997 22:02:53 -0400 Message-ID: <01BC8CB3.D9743EC0@patrickn@tygerteam.com> From: Patrick Naubert Reply-To: "patrickn@tygerteam.com" To: "'firewalls@greatcircle.com'" Subject: Check Point Challenge, was Re: Check Point response to Mossad rumor Date: Wed, 9 Jul 1997 22:02:52 -0400 Organization: Tyger Team Consulting Ltd. X-Mailer: Microsoft Internet E-mail/MAPI - 8.0.0.4025 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This is my first post in 2 years of reading this list. I just could not take the whiney tone of this post... On Wednesday, July 09, 1997 12:00 PM, Emily G. Cohen [SMTP:emily@us.checkpoint.com] wrote: > Adam, > > First of all, Check Point FireWall-1 is not based on > packet filtering technology. It is a Stateful Inspection > implementation, which is NOT the same thing. And you will have to take it at face value, since Check Point will not issue source code.... (Do we see a catch-22 here ? ) > Therefore, > it is NOT at all similar to any type of freeware. You might > want to educate yourself by checking out our technical notes > at www.checkpopint.com. 
> I don't know of many companies that give away their source code -
> it's called intellectual property. And, it's how Check Point
> differentiates itself, along with the management console. Source
> code is not the issue here...vicious rumors are.

OK, that's it.......

I hereby challenge Check Point to a "proof of concept" contest. If you want to once and for all disprove and shut up the people that have been bashing your product on this list for the past years, you will have to 'fess up.

The contest should be this: Invite 3 recognized independent "security experts" (Hey, make one of them Steve Bellovin) and have them take a look at the SPF code. Never mind the GUI and the other stuff. You must prove to these experts that you have hardened the kernel and OS for those that you install your product on. They, in turn, will comment on the approach and the code of the product. No actual code will be quoted. These experts can even agree to sign a declaration saying that they will never create a product that will resemble a Stateful Packet Filtering firewall. Your intellectual property will be safe.

These comments will be available on an independent Web site, publicly accessible. If a competitor uses this information in any shape or form, they will be asked to do the same, and suffer the "lookup" as well.

I am sick of seeing people bash you, and I am sick of seeing you offer no concrete evidence to refute the bashing. Take it as you will.
Patrick Naubert patrickn@tygerteam.com From owner-firewalls-outgoing Wed Jul 9 20:50:13 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id UAA09862 for firewalls-outgoing; Wed, 9 Jul 1997 20:15:45 -0700 (PDT) Received: from oly.olympic.net (oly.olympic.net [205.240.23.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id UAA09844 for ; Wed, 9 Jul 1997 20:15:39 -0700 (PDT) Received: from oly6-76.olympic.net (oly6-76.olympic.net [206.129.225.76]) by oly.olympic.net (8.8.5/8.6.9) with SMTP id UAA18301 for ; Wed, 9 Jul 1997 20:31:06 -0700 (PDT) Received: by oly6-76.olympic.net with Microsoft Mail id <01BC8CA5.0EFEBFC0@oly6-76.olympic.net>; Wed, 9 Jul 1997 20:17:00 -0700 Message-ID: <01BC8CA5.0EFEBFC0@oly6-76.olympic.net> From: "Scott W. Page" To: "firewalls@GreatCircle.COM" Date: Wed, 9 Jul 1997 19:56:41 -0700 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk remove From owner-firewalls-outgoing Wed Jul 9 21:04:53 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id UAA10350 for firewalls-outgoing; Wed, 9 Jul 1997 20:18:01 -0700 (PDT) Received: from saba.kuentos.guam.net (saba.kuentos.guam.net [198.81.233.14]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id UAA05709 for ; Wed, 9 Jul 1997 20:00:43 -0700 (PDT) Received: by saba.kuentos.guam.net (Smail3.1.29.1 #9) id m0wm9X5-0021DVC; Thu, 10 Jul 97 13:04 GST Subject: Off Island! 
Message-Id: <000000066882951296259@seiko.guam.net> From: Mike@seiko.guam.net Date: Wed, 09 Jul 1997 22:30:59 +1000 Organization: Seiko Guam X-Mailer: CommuniGate 2.8.6 To: Firewalls@GreatCircle.COM MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

THIS IS AN AUTOMATED REPLY

I am traveling off island till July 17, 1997, and am unable to respond to your e-mail. If your message is urgent please contact my office at the number below.

Cordially,
Mike Wilkins
SEIKO Distribution Center
Agana, Guam (Time Zone +10)
VOICE: 671-649-8463
FAX: 671-646-4041
EMAIL: Mike@seiko.guam.net

From owner-firewalls-outgoing Wed Jul 9 21:19:56 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id UAA09144 for firewalls-outgoing; Wed, 9 Jul 1997 20:11:48 -0700 (PDT) Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id UAA08902 for ; Wed, 9 Jul 1997 20:10:39 -0700 (PDT) Received: from saba.kuentos.guam.net (saba.kuentos.guam.net [198.81.233.14]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with SMTP id UAA12804 for ; Wed, 9 Jul 1997 20:07:14 -0700 (PDT) Received: by saba.kuentos.guam.net (Smail3.1.29.1 #9) id m0wm9XH-0021DUC; Thu, 10 Jul 97 13:04 GST Subject: Off Island! Message-Id: <000000073402951343214@seiko.guam.net> From: Mike@seiko.guam.net Date: Thu, 10 Jul 1997 11:33:34 +1000 Organization: Seiko Guam X-Mailer: CommuniGate 2.8.6 To: Firewalls@GreatCircle.COM MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

THIS IS AN AUTOMATED REPLY

I am traveling off island till July 17, 1997, and am unable to respond to your e-mail. If your message is urgent please contact my office at the number below.
Cordially,
Mike Wilkins
SEIKO Distribution Center
Agana, Guam (Time Zone +10)
VOICE: 671-649-8463
FAX: 671-646-4041
EMAIL: Mike@seiko.guam.net

From owner-firewalls-outgoing Wed Jul 9 22:06:09 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA14534 for firewalls-outgoing; Wed, 9 Jul 1997 08:26:31 -0700 (PDT) Received: from mail.netvision.net.il (mail.NetVision.net.il [194.90.1.6]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA14496 for ; Wed, 9 Jul 1997 08:26:19 -0700 (PDT) Received: from telgate.telrad.co.il (telgate.telrad.co.il [194.90.21.130]) by mail.netvision.net.il (8.8.5/8.8.5) with SMTP id SAA09437; Wed, 9 Jul 1997 18:29:33 +0300 (IDT) Received: from elex.co.il (tlhuph12.elex.co.il) by telgate.telrad.co.il (4.1/SMI-4.1) id AA17648; Wed, 9 Jul 97 18:26:26 IDT Received: from tibam.elex.co.il (tibamsun3.elex.co.il) by elex.co.il with SMTP (1.40.112.8/16.2) id AA218852922; Wed, 9 Jul 1997 18:42:02 +0300 Received: from tibamsun23.elex.co.il by tibam.elex.co.il (4.1/SMI-4.1) id AA29295; Wed, 9 Jul 97 18:27:08 IDT Received: from localhost by tibamsun23.elex.co.il (SMI-8.6/SMI-SVR4) id SAA14614; Wed, 9 Jul 1997 18:30:29 +0300 Date: Wed, 9 Jul 1997 18:30:29 +0300 (IDT) From: Moshe Meirzadeh X-Sender: moshe@tibamsun23 To: george@neato.org Cc: "Emily G. Cohen" , Firewalls@GreatCircle.COM Subject: Re: Check Point response to Mossad rumor - MY BANDWIDTH In-Reply-To: <199707090318.UAA00761@wicked.neato.org> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Tue, 8 Jul 1997 george@neato.org wrote:
> This seems to be a rather self serving message...
>
> > Check Point Software Technologies Ltd.
> > would like to assure its
> > customers, security experts, and others that there is no, and never
> > has been, an "agreement" or relationship between Check Point Software
> > and the Mossad, or any other branch of the Israeli government or military,
> > to create a "back door" into Check Point products.
>
> Of course what else are you going to say? I doubt if there are "back
> doors" in your products or agreements with the Mossad you would come
> announce that fact in any public forum. If there are or if there aren't
> you would deny that there were, so your statement is useless.

I could add some more BANDWIDTH CONSUMING sentences here... like:

Impossible, successful products have always been the target of these kinds of "attacks", and no commercial company will make such a big mistake, which might be found by any semi-security-expert.

OR something like:

OK, let's suppose that there is a "back door" ... who promises you that others' products don't have other "back doors"...

BUT, these words are not of interest to this mailing list, and better we all assume that: EVERY security oriented product MIGHT have some "back doors", and it is up to the security experts to locate these kinds of "back doors" (if any) and continue justifying their existence.

BTW, in these days who needs back-doors, the main doors are all open.

Give a smile, I'm waiting ... Bigger... Bigger.. GOOD.
Regards
Meirzadeh Moshe
Email: Moshe.Meirzada@elex.co.il

From owner-firewalls-outgoing Wed Jul 9 22:08:23 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id PAA02619 for firewalls-outgoing; Wed, 9 Jul 1997 15:07:24 -0700 (PDT) Received: from dskfw1.funb.com ([205.152.122.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id PAA02588 for ; Wed, 9 Jul 1997 15:07:11 -0700 (PDT) Received: (from uucp@localhost) by dskfw1.funb.com (8.8.5/8.8.5) id SAA29548; Wed, 9 Jul 1997 18:11:01 -0400 (EDT) Received: from cm_mailhost.capmark.funb.com(168.175.82.50) by dskfw1.funb.com via smap (3.2) id xma029545; Wed, 9 Jul 97 18:10:51 -0400 Received: from funws302.capmark.funb.com (funws302 [168.175.7.54]) by cm_mailhost.capmark.funb.com (8.7.5/8.7.3) with ESMTP id SAA17756; Wed, 9 Jul 1997 18:10:50 -0400 (EDT) Received: (mhorn@localhost) by funws302.capmark.funb.com (8.6.12/8.6.12) id SAA24897; Wed, 9 Jul 1997 18:10:49 -0400 Message-ID: <19970709181048.02880@capmark.funb.com> Date: Wed, 9 Jul 1997 18:10:48 -0400 From: "Mark Horn [ Net Ops ]" To: Paul Ferguson Cc: Firewalls@GreatCircle.COM Subject: Re: Two ISP's to one DMZ References: <3.0.3.32.19970709172523.006ce0e4@lint.cisco.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.75 In-Reply-To: <3.0.3.32.19970709172523.006ce0e4@lint.cisco.com>; from Paul Ferguson on Wed, Jul 09, 1997 at 05:25:23PM -0400 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Paul Ferguson says:
>I have no idea what you are referring to with regards to "BGP also
>requires that you have portable address space" -- this is certainly
>incorrect. Perhaps you meant something else, or meant it in a
>different context?

What I mean is that I can't originate a network in my AS that's already originated in someone else's AS. Let's suppose FooBar Internet Services assigns me 210.210.210.0/24, and that I'm multi-homed to Widget Internet Access.
In order for me to advertise this address to Widget, one of two things needs to be true:

1) I am part of FooBar's AS - which means I am doing IBGP peering with FooBar and EBGP peering with Widget.

or

2) That network is not part of FooBar's AS - IOW it's a portable address space.

If neither of those are true and I try and originate that network, won't I end up with conflicts at the NAP? Won't this also create a BlackHole?

Since just doing BGP peering with some ISP's is hard enough, I assume that doing item 1) above is next to impossible. Certainly, if I were an ISP, I wouldn't want one of my customers to be capable of messing with my routing policy. Thus I make the assumption that the only practical means of doing BGP is by getting portable address space.

You are the expert, though. So if I'm misled, please guide me back into the light!

>Exactly how does NAT and DNS provide for the announcement of AS's
>and/or prefixes into the global routing system?

You simply use the address space that's provided by your ISP. Each of your ISP's manage announcement of their prefixes into the global routing system. What dynamic DNS + NAT does is allow you to look like FooBar's addresses from FooBar's perspective, and look like Widget's addresses from Widget's perspective. Meanwhile, you have a private address sitting behind the NAT.

Suppose your link to Widget goes down. You have to be able to detect this, and modify your DNS records. When all is working www.mycompany.com returns (alternatively) an address in FooBar's space and an address in Widget's space. If Widget goes down, I have to modify my DNS so that www.mycompany.com only returns the FooBar address.

Again, I don't really like this. When all is working, how do you tell FooBar's customers that www.mycompany.com is a FooBar address, and prevent those customers from getting a Widget address? And vice versa for Widget customers.
-- Mark Horn PGP Public Key available from: http://www.es.net/hypertext/pgp.html PGP KeyID/fingerprt: 00CBA571/32 4E 4E 48 EA C6 74 2E 25 8A 76 E6 04 A1 7F C1 From owner-firewalls-outgoing Wed Jul 9 22:11:09 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id TAA04052 for firewalls-outgoing; Wed, 9 Jul 1997 19:54:51 -0700 (PDT) Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id TAA01582 for ; Wed, 9 Jul 1997 19:42:22 -0700 (PDT) Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with SMTP id TAA11934 for ; Wed, 9 Jul 1997 19:18:25 -0700 (PDT) Received: from Ebay.Sun.COM ([129.150.111.20]) by mercury.Sun.COM (SMI-8.6/mail.byaddr) with SMTP id TAA11564; Wed, 9 Jul 1997 19:42:48 -0700 Received: from althea.EBay.Sun.COM by Ebay.Sun.COM (SMI-8.6/SMI-5.3) id TAA04225; Wed, 9 Jul 1997 19:16:01 -0700 Received: from althea by althea.EBay.Sun.COM (SMI-8.6/SMI-SVR4) id TAA09420; Wed, 9 Jul 1997 19:14:32 -0700 Date: Wed, 9 Jul 1997 19:14:32 -0700 (PDT) From: Jerald Josephs Reply-To: Jerald Josephs Subject: Re: [FW-1] on PC-SKIP & high-availability To: firewalls@greatcircle.com, fw-1-mailinglist@us.checkpoint.com, drexx@pspi.com.ph Message-ID: MIME-Version: 1.0 Content-Type: TEXT/plain; charset=us-ascii Content-MD5: Z28t/7Tyg7TqnDa2QGzTuQ== X-Mailer: dtmail 1.1.0 CDE Version 1.1 SunOS 5.5.1 sun4u sparc Sender: firewalls-owner@GreatCircle.COM Precedence: bulk It is not necessary to email me directly because I am on fw-1-mailinglist@us.checkpoint.com alias. If I don't reply to posts to the alias, it can only be because I don't reply, not because I didn't see the post! (!!) 
jj>Date: Wed, 9 Jul 1997 20:00:35 -0800
jj>From: drexx@pspi.com.ph (Drexx Laggui)
jj>To: firewalls@greatcircle.com, fw-1-mailinglist@us.checkpoint.com
jj>Subject: [FW-1] on PC-SKIP & high-availability
jj>Cc: Jerald.Josephs@Ebay
jj>
jj>Hello World,
jj>
jj>Can you please help me clarify some points for me?
jj>
jj>1] If the primary FW-1 v3.0 (in Paris) fails the 2ndary FW-1 v3.0 (in
jj>   London) will, of course, take over. I presume the London FW-1 won't
jj>   take over the IP address of the Paris FW-1 (like what happens with
jj>   the Qualix HA) so I guess the corporate routers will have to be
jj>   re-configured with updated routing tables. How? With a whole lot of
jj>   ICMP redirects?

You are correct in that FireWall-1 does not bundle a solution like that provided by Qualix. One solution is for the hosts behind Paris to have both Paris and London defined as default routers. A Solaris 2.x workstation will use the first available default router in its route table. If that router is not available, then the timeout for a reply is exceeded and Solaris automatically moves onto the next default route in the table. Those hosts that cannot operate this way will have to have their default route changed or be behind a gateway that is doing dynamic routing. It is that gateway that would provide an ICMP redirect for the internal hosts because it would learn that Paris went down and that London is still available.

jj>
jj>2] Can a M$-Windows 95 client with PC-SKIP connect to a SKIP-enabled FW-1
jj>   (remotely or locally) with full SKIP compatibility ?
jj>

That is a good question. I am getting ready next week to test the interoperability between 3.0 DES and SunScreen SPF-100. After that we will test SunScreen EFS and then SKIP for Solaris. Hopefully, I can provide a timely reply regarding PC-SKIP as well.

jj>Salamat po,
jj>Drexx.
jj>
jj>"It's a dirty job, but somebody's gotta do it."
-- John Wayne jj>~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~ jj> ______ jj> /_____/\ DEXTER D. LAGGUI jj> /_____\\ \ Systems Engineer, CSD-TSR jj> /_____\ \\ / PHILIPPINE SYSTEMS PRODUCTS INC. jj> /_____/ \/ / / Penthouse, Corporate Business Center jj> /_____/ / \//\ 150 Paseo de Roxas Ave., Legaspi Village jj> \_____\//\ / / Makati City, Philippines jj> \_____/ / /\ / jj> \_____/ \\ \ Phone: (++ 63-2) 813-6453 to 55 loc. 222 jj> \_____\ \\ Fax : (++ 63-2) 813-3516 jj> \_____\/ Email: drexx@pspi.com.ph jj> Pager: (++ 63-2) 1277-33615 jj>~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~ /\ Jerald E. Josephs \\ \ Course Developer - Network Security \ \\ / Sun Educational Services / \/ / / / / \//\ \//\ / / / / /\ / / \\ \ Phone/VM: 408-276-0941 \ \\ FAX: 408-276-1565 \/ E-mail: jerald.josephs@EBay.Sun.COM From owner-firewalls-outgoing Wed Jul 9 22:35:37 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id VAA27263 for firewalls-outgoing; Wed, 9 Jul 1997 21:45:52 -0700 (PDT) Received: from iproute.com (att.avana.net [205.245.133.35]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id VAA27113 for ; Wed, 9 Jul 1997 21:45:11 -0700 (PDT) From: mikech@avana.net Received: from att (att.iproute.com [192.168.0.4]) by iproute.com (8.8.4/8.8.4) with SMTP id BAA22305; Thu, 10 Jul 1997 01:42:46 -0400 Date: Thu, 10 Jul 1997 00:29:36 -0500 Subject: Re: Two ISP's to one DMZ To: "Mark Horn [ Net Ops ]" , Paul Ferguson Cc: Firewalls@GreatCircle.COM X-Mailer: Z-Mail Pro 6.1 (Win32 - 021297) Evaluation Copy, NetManage Inc. 
X-Priority: 3 (Normal) References: <3.0.3.32.19970709172523.006ce0e4@lint.cisco.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=ISO-8859-1 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

------------------------
From: Paul Ferguson
Subject: Re: Two ISP's to one DMZ
Date: Wed, 09 Jul 1997 17:25:23 -0400
To: "Mark Horn [ Net Ops ]"
Cc: Firewalls@GreatCircle.COM

> At 11:40 AM 07/09/97 -0400, Mark Horn [ Net Ops ] wrote:
>
> I have no idea what you are referring to with regards to "BGP also
> requires that you have portable address space" -- this is certainly
> incorrect. Perhaps you meant something else, or meant it in a
> different context?
>

Nope, as I stated previously, how do you route one ISP's CIDR addresses through another ISP? Are you saying I can grab a chunk of Sprint's CIDR (Classless Inter-Domain Routing) address space and reroute it through MCI? Will it be added to the MCI routing tables as a separate entry? How will Sprint remove the class C from its CIDR block? Won't this fragment the hell out of the backbone routing tables?

I understand you have quite a few resources available (Cisco is a pretty big company after all ;^). Do you have any real world examples of BGP being used by a company with a couple of class C's supplied by an ISP to route in a failover situation through another ISP?

> >Having only looked at it superficially, dynamic DNS + NAT seems like a
> >workable solution when BGP isn't available. But if BGP is available, it
> >seems better. And that's simply on a performance basis. BGP also
> >provides policy setting that DNS doesn't.
> >
>
> Exactly how does NAT and DNS provide for the announcement of AS's
> and/or prefixes into the global routing system?

It doesn't. It is an *alternate* solution. You can remap internal address space to multiple external IPs. These IPs could even come from different ISPs.
The dynamic DNS allows you to remap inbound connections by changing the IPs a domain name is associated with in real time. See my previous post for an example of a multi-homed NAT failover example.

> --
> Paul Ferguson
> Consulting Engineering
> Herndon, Virginia USA
> tel: +1.703.397.5938
> e-mail: pferguso@cisco.com c i s c o S y s t e m s
>
---------------End of Original Message-----------------

Mike -- 00:29:36 07/10/97
_______________________________________________________________________
Michael W. Chalkley Tel: +1.770.823.7846
ZapNet! Inc. Fax: +1.770.475.7640
Suite 400-120 E-mail: mikech@well.com
10945 State Bridge Road mikech@avana.net
Alpharetta, GA 30202 (wireless) mikech@radiomail.net

From owner-firewalls-outgoing Wed Jul 9 23:05:58 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id TAA03182 for firewalls-outgoing; Wed, 9 Jul 1997 19:50:00 -0700 (PDT) Received: from cyber.svec.co.kr ([203.234.221.5]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id TAA03152 for ; Wed, 9 Jul 1997 19:49:42 -0700 (PDT) Received: from pc.svec.co.kr ([203.234.221.199]) by cyber.svec.co.kr (8.6.12h2/8.6.9) with SMTP id LAA02384 for ; Thu, 10 Jul 1997 11:55:49 +0900 Message-ID: <33C44EF3.3D89@svec.co.kr> Date: Thu, 10 Jul 1997 11:54:43 +0900 From: Jae Heon Kim Reply-To: jaykim@svec.co.kr Organization: SVEC Korea Computer Co.,Ltd X-Mailer: Mozilla 3.01C-KIT (Win95; I) MIME-Version: 1.0 To: firewalls@GreatCircle.COM Subject: Where can I find the packetfiltering source for Windows version? Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Dear friends,

I need your help for developing the firewall software. I am looking for the packet filtering software with sample source codes for Windows NT or Windows 95. Please send me a site or detailed information for the packet filtering for the Windows version.
(linux and unix versions are meaningless for me)

Thanks,
--
Best Regards,
JayKim (jaykim@svec.co.kr)
R&D Manager
SVEC KOREA COMPUTER CO.,LTD
Tel: +82-2-827-0455 Fax:+82-2-815-9656

From owner-firewalls-outgoing Wed Jul 9 23:20:15 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id TAA02913 for firewalls-outgoing; Wed, 9 Jul 1997 19:48:18 -0700 (PDT) Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id SAA17662 for ; Wed, 9 Jul 1997 18:40:40 -0700 (PDT) Received: from erinet.com (mail1.erinet.com [207.0.229.18]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with ESMTP id SAA10893 for ; Wed, 9 Jul 1997 18:18:48 -0700 (PDT) Received: from youngr.erinet.com (dlp493.dayton.eri.net [207.90.118.81]) by erinet.com (8.8.5/8.8.1) with SMTP id VAA20605; Wed, 9 Jul 1997 21:21:45 -0400 (EDT) Message-ID: <33C436D8.1AAB@erinet.com> Date: Wed, 09 Jul 1997 21:11:52 -0400 From: Roger Young Reply-To: youngr@erinet.com X-Mailer: Mozilla 3.0 (Win95; U) MIME-Version: 1.0 To: firewalls@GreatCircle.COM, fw-1-mailinglist@us.checkpoint.com Subject: FW-1 2.1c question on NT 4.0 References: <199707100400.UAA14356@sunphil> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hello,

I have some folks evaluating FW-1 2.1c they just installed on a NT 4.0 box. The box now is running extremely slow (with a Pentium 100). With the 2.1c version, are there any particular issues or requirements with service pack releases that need to be on the box? Also, earlier versions of 2.1 had to be put on 3.51 NT first then upgraded to NT 4.0. Has this been cleared up for 2.1c? Can 2.1c, in fact, be installed on NT 4.0 directly?

These folks are about 2,500 miles away so I can't really tell what's going on other than they are telling me FW-1 seems to be causing the box to run so slowly all of a sudden.
Their rule-base install just seems to hang and never completes. Any clues would be appreciated.

Thanks,
Roger

From owner-firewalls-outgoing Wed Jul 9 23:30:41 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA13377 for firewalls-outgoing; Wed, 9 Jul 1997 08:13:09 -0700 (PDT) Received: from dskfw1.funb.com ([205.152.122.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA13358 for ; Wed, 9 Jul 1997 08:12:58 -0700 (PDT) Received: (from uucp@localhost) by dskfw1.funb.com (8.8.5/8.8.5) id LAA05784; Wed, 9 Jul 1997 11:16:03 -0400 (EDT) Received: from cm_mailhost.capmark.funb.com(168.175.82.50) by dskfw1.funb.com via smap (3.2) id xma005730; Wed, 9 Jul 97 11:15:28 -0400 Received: from funws302.capmark.funb.com (funws302 [168.175.7.54]) by cm_mailhost.capmark.funb.com (8.7.5/8.7.3) with ESMTP id LAA10718; Wed, 9 Jul 1997 11:15:26 -0400 (EDT) Received: (mhorn@localhost) by funws302.capmark.funb.com (8.6.12/8.6.12) id LAA21811; Wed, 9 Jul 1997 11:15:25 -0400 Message-ID: <19970709111524.42875@capmark.funb.com> Date: Wed, 9 Jul 1997 11:15:24 -0400 From: "Mark Horn [ Net Ops ]" To: "Aaron J. Peterson" Cc: mikech@avana.net, Firewalls@GreatCircle.COM Subject: Re: Harping on dynamic DNS, was RE: Two ISP's to one DMZ References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.75 In-Reply-To: ; from Aaron J. Peterson on Wed, Jul 09, 1997 at 01:09:22AM -0700 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I am a proponent of using BGP in preference of Dynamic DNS + NAT. But I don't agree with your math.

The first thing is that you assume that yahoo's ttl for their dns records is 7 days. It's 15 minutes. Do:

    nslookup
    set q=soa
    yahoo.com
    set debug
    set q=a
    www.yahoo.com

The SOA record will show you the minimum ttl for all records in the zone. The second query will show you what the specific value is for www.yahoo.com.
This will generate a lot of output, but you'll see that the ttl is 15 minutes. Your calculations are based on a 20 minutes ttl. If Yahoo is losing >30% of their bandwidth to DNS, don't you think they'd notice this and change their ttl's? Second, let's talk about the maximum possible DNS traffic per day at yahoo (assuming that they have 30M hits per day). The worst possible case scenario would be that every single one of those hits generates a DNS query. Let's use your numbers and say that a DNS query is 200 bytes. (30M Web hits/day) * (1 DNS query/Web hit) * (200 bytes/DNS query) = 6G bytes/day of DNS traffic That is the maximum ammount of traffic that could be eaten by DNS in a day - every web hit generates a DNS query. The only way that it could be more than that is if you had more than 30M web hits/day. Looking at it another way, let's use the numbers that you concluded: (144GB DNS queries/day) / (200 bytes/DNS queries) = 720M DNS queries/day (720M DNS queries/day) / (30M Web hits/day) = 24 DNS queries/Web hit Somewhere in your logic, you're coming to the conclusion that you require 24 DNS queries for every web hit. It's certainly *possible* to do 24 DNS queries per web hit, but I don't know of any software that does it. While I don't know what the specific error is, I'm pretty certain that your logic is wrong. I see a more compelling reason to use BGP over Dynamic DNS + NAT. And that reason is convergence. I read in your post that you've seen 20 minute convergence in BGP. That has not been our experience. We did quite a bit of testing prior to deciding that we were going to use BGP. In our tests, we found that convergence time around a network outage averaged about 6 seconds (as fast as 2 seconds and as slow as 20 seconds). And this was mostly the time that the router took to notice that its interface was down. We didn't have quick enough instrumentation to determine the actual convergence time in the routing protocol alone (i.e. 
without including the time for the router to notice the outage in the interface). For that same network coming back on line, it's a bit slower. BGP seemed to converge in a few minutes - as quickly as 2 minutes and as slowly as 10. Based on these results, the worst case scenario for BGP is twice as fast as Dynamic DNS + NAT. I would love to hear more data about BGP convergence from others who are using it. -- Mark Horn PGP Public Key available from: http://www.es.net/hypertext/pgp.html PGP KeyID/fingerprt: 00CBA571/32 4E 4E 48 EA C6 74 2E 25 8A 76 E6 04 A1 7F C1 Aaron J. Peterson says: >Here, I'll do some math. Yahoo currently gets better than 30 >million hits per day, 35% of which are unique. I'll graciously assume 100 >bytes each per DNS query & response, ignore referral traffic, and assume >that NS entries have arbitrarily long expire times. Note that adding these >factors whould only highten the difference. Also, Yahoo is connected via >a T3, which is ~=45Mbps. > >So, as constants for a day of traffic we have (in base 10 units): > > 30M hits * 35% unique ~= 10M hosts/day > 10M queries * (200 bytes) = 2G bytes of query traffic > 45Mbps/8*60*60*24 = 486G bytes/day avail. bandwidth > >With a ttl of 1 week used globally: > period = 7 days > 2G bytes /7 day period = .286G bytes/day > >This amounts to 0.06% of Yahoo's available bandwidth. This is reasonable. >Now with a ttl of 20 minutes: > _ > 20 minutes * (1 day/1440 min) = 0.0138 days > period = 0.0139 days > > 2GB / 0.0139 day period = 144G bytes/day > >This amounts to *30%* of Yahoo's available bandwidth just for DNS traffic. >UGH! 30% of a T3! > >I am pretty sure my math is correct. If so, that proves my point that >being dynamic and decreasing the ttl accordingly breaks the scalability of >DNS. Look this over. Confirm it. Listen to our wise ARPA fathers, and >feel guilty that you're causing the fall of the 'Net. 
;^) > >This ignores the push-DNS stuff, but that has not been widely implemented >yet and the technology is imperfect, to my knowledge. Properly designed >push techniques would mitigate the scale impact, but to an uncertain >degree. Distributed algorithms are such a bother. > >-- >Aaron J. Peterson >Amatuer Mathematician & Pedantic Ass > > > > > From owner-firewalls-outgoing Wed Jul 9 23:30:45 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA05434 for firewalls-outgoing; Wed, 9 Jul 1997 17:43:49 -0700 (PDT) Received: from mail.mel.aone.net.au (mail.mel.aone.net.au [203.12.176.157]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id RAA05413 for ; Wed, 9 Jul 1997 17:43:41 -0700 (PDT) Received: from ggs-nte01.gerling.com.au ([203.34.64.33]) by mail.mel.aone.net.au (8.6.13/8.6.11) with ESMTP id KAA24736 for ; Thu, 10 Jul 1997 10:47:44 +1000 Received: by GGS-NTE01 with Internet Mail Service (5.0.1457.3) id ; Thu, 10 Jul 1997 10:50:12 +1000 Message-ID: <8A17780BFDE7D011A1B9080009CA14D78881@GGS-NTE01> From: Wendell Keuneman To: "'firewalls@GreatCircle.com'" Subject: Using ICQ behind firewall? Date: Thu, 10 Jul 1997 10:50:09 +1000 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1457.3) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Is anyone using the ICQ app (Mirabilis software) behind a firewall ? Any recommendations for rule base settings ? 
Thanks From owner-firewalls-outgoing Wed Jul 9 23:34:46 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id UAA15319 for firewalls-outgoing; Wed, 9 Jul 1997 20:43:46 -0700 (PDT) Received: from nt018mseep.health.wa.gov.au (nt018mseep.health.wa.gov.au [165.118.101.115]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id UAA15228 for ; Wed, 9 Jul 1997 20:43:22 -0700 (PDT) Received: by nt018mseep.health.wa.gov.au with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BC8D27.3786BFB0@nt018mseep.health.wa.gov.au>; Thu, 10 Jul 1997 11:48:43 +0800 Message-ID: From: "Holt, Gail" To: "'firewalls@greatcircle.com'" Subject: Lotus Notes Date: Thu, 10 Jul 1997 11:49:16 +0800 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, I currently administer a firewall (FW-1 V2.1c, SUN sparc5, Solaris 2.5) which protects our network of around 6,000 users. I allow all traffic outbound (at the moment) and nothing inbound (apart from responses :) I have 2 DMZs for email relay, cdrom, web etc.) One of our corporate sections wants to connect to an external Lotus Notes server. As far as I am concerned, our corporate stance is that the firewall is the point of all network external connectivity. As I see it (I'm fairly new to this, and no network expert) the two ways to connect are 1. via the Internet (which they should already be able to do) 2. via an ISDN line into an interface on the firewall. The problem with 2. is that the server is 4,000 kilometres away, and an ISDN line would be prohibitively expensive. I don't know what their problem is with simply connecting via the Internet - perhaps the transmission of unencrypted Lotus Notes traffic. I am simply trying to get some ideas which I can present to 'them' before 'the big whiteboard meeting' next week when all will be revealed. Any suggestions for other ways ? 
tar
Gail
_______________________________________
Gail Holt
Internet Administrator
Health Department of WA
phone: (08) 9222 2429
email: gail.holt@health.wa.gov.au
Standard Disclaimer: These opinions are my own. No one else in their right mind would want them.
_______________________________________

From owner-firewalls-outgoing Wed Jul 9 23:40:09 1997
Date: Wed, 9 Jul 1997 21:15:04 -0400 (EDT)
From: Neil Readwin
To: "Mark Horn [ Net Ops ]"
cc: "Aaron J. Peterson", Firewalls@GreatCircle.COM
Subject: Re: Harping on dynamic DNS, was RE: Two ISP's to one DMZ
In-Reply-To: <19970709111524.42875@capmark.funb.com>

This has nothing to do with firewalls, I apologize in advance for that.

> While I don't know what the specific error is, I'm pretty certain that
> your logic is wrong.

It is. The logic Aaron used was:

Yahoo talks to 10 million hosts a day. Looking up 10 million hosts requires 2 gigabytes of DNS traffic. If the TTL is a week then caching smoothes that traffic over 7 days, so it requires .286 gigabytes of DNS traffic per day. If the TTL is 20 minutes, that traffic is spread over 20 minutes so it requires 144 Gb per day.

The 3rd part is wrong. As soon as the TTL goes below one day the level of traffic per day is constant (well, 2nd order effects would increase it slightly, but nothing close to 1/TTL). Aaron's logic indicates that if the TTL was 0 then Yahoo would require an infinite amount of bandwidth. This is not so :-)

Neil.

From owner-firewalls-outgoing Thu Jul 10 00:12:31 1997
Message-Id: <3.0.3.32.19970709185222.006eaf40@lint.cisco.com>
Date: Wed, 09 Jul 1997 18:52:22 -0400
To: "Mark Horn [ Net Ops ]"
From: Paul Ferguson
Subject: Re: Two ISP's to one DMZ
Cc: Firewalls@GreatCircle.COM
In-Reply-To: <19970709181048.02880@capmark.funb.com>
References: <3.0.3.32.19970709172523.006ce0e4@lint.cisco.com>

At 06:10 PM 07/09/97 -0400, Mark Horn [ Net Ops ] wrote:
>What I mean is that I can't originate a network in my AS that's already
>originated in someone else's AS. Let's suppose FooBar Internet Services
>assigns me 210.210.210.0/24, and that I'm multi-homed to Widget Internet
>Access. In order for me to advertise this address to Widget, one of two
>things needs to be true:
>
> 1) I am part of FooBar's AS - which means I am doing IBGP peering
> with FooBar and EBGP peering with Widget.
>
> or
>
> 2) That network is not part of FooBar's AS - IOW it's a portable
> address space.
>

Both of these are true, although I'm not sure I agree with your use of the term 'portable'. 'Portable' means that if you leave FooBar, and connect to another ISP, they'll allow you to continue to use this address. FooBar generally won't care if a more specific is advertised from another location, especially if it's in the case of a multihomed customer. However, they will most definitely care if you dump them altogether.

>If neither of those are true and I try and originate that network, won't I
>end up with conflicts at the NAP?

No.

> Won't this also create a BlackHole?
>

Well, if you are the only one advertising this prefix, then all traffic destined for it will follow the best path to the originator.

>Since just doing BGP peering with some ISP's is hard enough, I assume that
>doing item 1) above is next to impossible.

It's certainly possible, just not practical.

>Certainly, if I were an ISP, I
>wouldn't want one of my customers to be capable of messing with my
>routing policy. Thus I make the assumption that the only practical means
>of doing BGP is by getting portable address space.

This topic is generating an amazing amount of traffic on the PAGAN list. :-)

>
>You simply use the address space that's provided by your ISP. Each of
>your ISP's manage announcement of their prefixes into the global routing
>system. What dynamic DNS + NAT does is allow you to look like FooBar's
>addresses from FooBar's perspective, and look like Widget's addresses from
>Widget's perspective. Meanwhile, you have a private address sitting
>behind the NAT.
>

For a downstream organization which is multihomed, this is usually not palatable. PA (provider allocated) space is proving to be quite a difficulty for multihomed ISP's.

>Suppose your link to widget goes down. You have to be able to detect
>this, and modify your DNS records. When all is working www.mycompany.com
>returns (alternatively) an address in FooBar's space and an address in
>Widget's space. If Widget goes down, I have to modify my DNS so that
>www.mycompany.com only returns the FooBar address.
>

I do not view this as a viable alternative, frankly.

- paul

--
Paul Ferguson
Consulting Engineering
Herndon, Virginia USA
tel: +1.703.397.5938
e-mail: pferguso@cisco.com
cisco Systems

From owner-firewalls-outgoing Thu Jul 10 00:38:31 1997
Message-Id: <3.0.2.32.19970709221109.032d99ac@9.1.1.1>
Date: Wed, 09 Jul 1997 22:11:09 -0400
To: "Emily G. Cohen", Adam Shostack
From: Frank Darden
Subject: Re: Check Point response to Mossad rumor
Cc: Firewalls@GreatCircle.COM
In-Reply-To: <2.2.32.19970709160020.006e78f8@us.checkpoint.com>

At 09:00 AM 7/9/97 -0700, Emily G. Cohen wrote:
>Adam,
>
>First of all, Check Point FireWall-1 is not based on
>packet filtering technology. It is a Stateful Inspection

Exactly. State and context are the key words here.
Inspect is a Check Point exclusive, last time I checked.

>implementation, which is NOT the same thing. Therefore,
>it is NOT at all similar to any type of freeware. You might
>want to educate yourself by checking out our technical notes
>at www.checkpopint.com.

or try http://www.checkpoint.com or better yet, point your search engine at "stateful inspection"

>I don't know of many companies that give away their source code -
>it's called intellectual property. And, it's how Check Point
>differentiates itself, along with the management console. Source
>code is not the issue here...vicious rumors are.

yes, why isn't Raptor, or Global Internet, or Borderware being jacked off for their source code.. or for that matter Micro$oft. The days of free code and love are over brother. Intellectual property is real...Ask Coca-Cola, ask George Dickel dammit! Don't expect Cisco or Bay to doll up with that oh so precious source code either. And by the way, those evil bastards at xyz services are embedding keycap programs into the eproms of the machines you buy..puuuleeease! we all have better things to worry about!!!!!!

I don't understand why people attack a vendor before doing extremely simple homework. In fact, I'm sorry I wasted time typing this but I couldn't resist. It's after work hours, and our acceptable use policy doesn't apply after work hours.

Frank

>Best Regards,
>/emily
>
>
>At 07:47 AM 7/8/97 -0400, Adam Shostack wrote:
>>Might I suggest a solution?
>>
>> From out here, it seems the real value from a CheckPoint FW is
>>the GUI & management tools. The packet filter itself is fairly
>>similar to freely available ones such as IPFilter and ipfw. So
>>release the source code to the packet filter. This will make it easy
>>to dispel rumors of back doors in your security code, without giving
>>up the sales advantage of your user interface.
>>
>> Another company that has been plagued by rumors, Security
>>Dynamics, has chosen to present their algorithms and protocols in
>>public for the next major release of their software. I expect, as
>>does their management, that this will go quite a long ways towards
>>dispelling rumors.
>>
>>Adam
>>
>>Emily G. Cohen wrote:
>>| Check Point Software Technologies Ltd. would like to assure its
>>| customers, security experts, and others that there is no, and never
>>| has been, an "agreement" or relationship between Check Point Software
>>| and the Mossad, or any other branch of the Israeli government or military,
>>| to create a "back door" into Check Point products.
>>|
>>| These are false and malicious rumors that have been circulating
>>| since Check Point became successful, specifically targeted at
>>| damaging the company, and they are always from "anonymous sources."
>>| Check Point takes these rumors seriously, and if anyone has information
>>| on the source/s of these rumors, we would be very interested in hearing
>>| from you, so that we can take appropriate action.
>>|
>>| Check Point FireWall-1 is the most widely installed network security
>>| solution in the world and no customer has ever reported a security
>>| breach of this nature. Check Point FireWall-1's customer list includes
>>| accounts with the highest level of security consciousness such as U.S.
>>| national and foreign governments, the world's leading financial institutions,
>>| telcos and ISPs. All Check Point FireWall-1 customers benefit from the
>>| product's patented Stateful Inspection technology ensuring the highest
>>| level of enterprise security available today.
>>|
>>| Emily Cohen, Director of Corporate Communications
>>| Check Point Software Technologies, Inc.
>>| 400 Seaport Court, Suite 105
>>| Redwood City, CA 94063
>>| Tel: 415-562-0400 x228
>>| Fax: 415-562-0410
>>| www.checkpoint.com
>>|
>>
>>
>>--
>>He has erected a multitude of new offices, and sent hither swarms of
>>officers to harrass our people, and eat out their substance.
>>
>>
>Emily Cohen, Director of Corporate Communications
>Check Point Software Technologies, Inc.
>400 Seaport Court, Suite 105
>Redwood City, CA 94063
>Tel: 415-562-0400 x228
>Fax: 415-562-0410
>Pager: 888-365-6667
>www.checkpoint.com
>

http://www.locked.com

From owner-firewalls-outgoing Thu Jul 10 00:49:54 1997
Date: Thu, 10 Jul 1997 00:23:23 -0700
To: mikech@avana.net, "Mark Horn [ Net Ops ]"
From: hoff@nodewarrior.net (Christofer Hoff)
Subject: Re: Two ISP's to one DMZ
Cc: Firewalls@GreatCircle.COM
References: <3.0.3.32.19970709172523.006ce0e4@lint.cisco.com>

At 12:29 AM -0500 7/10/97, mikech@avana.net wrote:
>I understand you have quite a few resources available (Cisco is a pretty big
>company after all ;^).
>Do you have any real world examples of BGP being used
>by a company with a couple of class C's supplied by an ISP to route in a
>failover situation through another ISP?

We do this for one of our customers -- namely they are connected to one provider who supplies their non-portable Class-C address-space. They are also connected to a secondary provider who, through an agreement between the two providers, announces a more specific route ("weighted higher") than the primary. When the primary connection takes a dump, BGP kicks over to the secondary.

I came in on the tail-end of the thread so please don't hate me if I missed your entire point -- I just thought that perhaps I could offer my experience.

Chris

--
Christofer L. Hoff
NodeWarrior Networks, Inc
hoff@nodewarrior.net
http://www.nodewarrior.net
"Nuthin' but Net!"
310.568.1700 vox - 310.568.4766 fax
"No true genius is possible without a little intelligent madness!" -Peter Uberoth

From owner-firewalls-outgoing Thu Jul 10 01:34:48 1997
From: Colin Campbell
Message-Id: <199707100758.RAA17805@guru.citec.qld.gov.au>
Subject: Re: Check Point Challenge, was Re: Check Point response to Mossad rumor
To: patrickn@tygerteam.com
Date: Thu, 10 Jul 1997 17:58:49 +1000 (EST)
Cc: firewalls@greatcircle.com
In-Reply-To: <01BC8CB3.D9743EC0@patrickn@tygerteam.com> from "Patrick Naubert" at Jul 9, 97 10:02:52 pm

Hi,

My mailer thinks Patrick Naubert said:
>
> This is my first post in 2 years of reading this list. I just could not take
> the whiny tone of this post...
>
> OK, that's it.......
>
> I hereby challenge Check Point to a "proof of concept" contest.
>
> If you want to once and for all disprove and shut up the people that have been
> bashing your product on this list for the past years, you will have to 'fess
> up.
>
> The contest should be this:
>
> Invite 3 recognized independent "security experts" (Hey, make one of them Steve
> Bellovin) and have them take a look at the SPF code. Never mind the GUI and
> the other stuff.
> You must prove to these experts that you have hardened the kernel and OS for
> those that you install your product on.
>

What about the C Compiler? Didn't someone lecture on compilers inserting backdoors or whatever, once, based on recognising a certain string in the source? Many compilers were rumoured to super-optimise code for Whet/Dhrystone tests cos they could recognise the code. Then there's the libraries with which FW-1 links. Then can you guarantee that the source the experts see is the same source used in product. Then ......

It's a futile exercise. You'll never convince everyone that there's no backdoor until it's interpreted by an interpreter that's interpreted by an interpreter that's .... so the source for everything can always be reviewed and guaranteed to not contain any backdoors if anyone wanted to look.

Maybe we should end this thread/hawser.

Colin

From owner-firewalls-outgoing Thu Jul 10 02:05:05 1997
Date: Wed, 9 Jul 97 16:09:18 CDT
From: "John Wyscarver"
Subject: Security risk when dialing out

Hi all,

I have been tasked with identifying security issues associated with allowing dial up access to On-line providers (aol etc.) from machines located on our network. I have been told that there is a definite security risk when dialing out to aol from a network connected machine. Besides the fact that this connection bypasses our firewall, is there a risk of access into our network from the outside through this connection? What are the risks if any and how can I get this point across to management.

Thank you
John

John Wyscarver
Network Administrator
155 ARW/SCMN
2420 West Butler Ave.
Lincoln, NE.
68524-1888
DSN: 946.1200 Com: 402.458.1200 Fax: 1206
NET: jpw@nelnk.ang.af.mil

From owner-firewalls-outgoing Thu Jul 10 02:19:45 1997
Message-ID: <33C4A757.63E550D@edina.xnc.com>
Date: Thu, 10 Jul 1997 11:11:57 +0200
From: Guido Stepken
Organization: F.S.S.
To: Thomas Lopatic
CC: firewalls@greatcircle.com
Subject: Re: A New Fragmentation Attack
References: <199707091115.NAA05857@lionsden.informatik.uni-muenchen.de>

Thomas Lopatic wrote:
> Guido, thanks for the insight. But could you please elaborate on how
> the oversized packets can be used to bypass a packet screen? I'd
> certainly like to fix this, and presumably many others on this list
> would like to fix this as well.

Sorry for my short elaboration. Over 8 months ago I received a hint that NT is spreading strange packets onto a LAN when having ISDN dial-in via syncPPP activated. That means NT was connected via ethernet to the internet and on the other side it had a dial-in line for direct upload of database files. From time to time NT began to spread frames onto the ethernet line, which resulted in a mess of packets, disturbing all other customers' workstations.

A second customer, a medical laboratory, wanted to offer dial-in lines for offering faster results of the analysis. Therefore again (my customer insisted on using NT) wanted 30 ISDN lines for dial-in. Same problem, but much more frames, which came from different LANs with very different packet sizes. Dependent on the MTU sometimes it disappeared. It looked like the NT stack was forwarding packets to the wrong interface. The same appeared with 2 ethernets connected.

I emailed one of the guys who made the softice debugger, who confirmed this and added some more big bugs in the NT stack. Even the guys who made raptor, firewall-1, tis... know about these bugs. Therefore they completely disabled TCP/IP in NT and implemented their own stack. No serious firewall vendor would leave some M$ stuff in the kernel. Several guys reported bugs in the NT proxy server.

There are some serious problems reported:

1. You can push NT's RTT variable higher by sending fragmented packets with pauses which become larger. NT stack, assuming a bad connection, increases RTT-table, till timeout cleans up the stack. That means NT is vulnerable to denial of service attack just by pushing RTT to the top. You get an out of memory and a blue screen. (tested)
2. SYN-flooding with data rates larger than 3 MBit causes denial of service. (tested)
3. NT stack stops filtering fragmented packets when being under heavy load. (tested)
4. Some TCP-PUSH tricks work, based on your description. (not yet tested)
5. NT is sloooooow. Just compare RAPTOR EAGLE on NT vs EAGLE on SUN. With NT you can't even filter at full 64KBit with stateful inspection on a P166. (Look at the stress test in c't's journal (german ;-( ) (tested)

I think that's really enough. NT stack is max. a RENO implementation without such features like fast retransmission....features. That's the state of MINIX, but never reaches sun's stack implementations. Gates should invest another 1.5 Billion $ into Marcus Ranum, perhaps he can improve NT to normal standards. I am wondering how this is possible.

You wrote:
>The attack affects Windows NT 4.0 hosts (up to and including Service Pack 2) that are
>protected by a firewall which is based on packet screening. Stateful inspection
>firewalls may also be concerned, depending on their implementation.

Yes, old BANZAI.....were vulnerable to this, not newer ones, I am quite sure about.

>Using this weakness, an outsider is able to pass IP datagrams through the firewall to the Windows NT
>host, i.e. access the host as if the firewall did not exist.

>[...] header of a fragment (to use it later for the reassembled packet) if and only if its
>offset is zero, we must send a decoy packet first, which must be carefully crafted so that it
>will be stored at exactly the same memory location as our next packet, which is the malicious
>one without the zero-offset-fragment. So, the bogus datagram will reuse the header information
>of our first datagram.

Are you really sure about this? Even LINUX FIREWALLS reassemble fragmented packets and throw away everything that does not fit. What do you mean with "decoy"?

cu, Guido Stepken

INTERNETWORKING WITH TCP/IP Volume II (Prentice HALL) is always good literature about TCP/IP-Stacks.
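The policy Guido describes for Linux firewalls (reassemble fragments and throw away everything that does not fit) is what stops a screen that inspects only zero-offset fragments from being fooled by a later datagram reusing an earlier header. The following is an added example, not code from this thread or from any firewall product: it holds fragments per datagram and drops any piece that overlaps bytes already held, runs past the final fragment, or is a zero-offset fragment too short to carry the transport header. The field layout, the 20-byte TCP minimum and the sample fragments are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_DATAGRAM = 65535
# Assumed minimum payload for a zero-offset fragment: enough to carry the
# whole transport header (20 bytes for TCP, protocol 6; 8 bytes otherwise),
# so a screen that inspects only first fragments actually sees ports/flags.
MIN_FIRST = {6: 20}


@dataclass(frozen=True)
class Fragment:
    """One already-parsed IP fragment (constructed sample data, not a capture)."""
    src: str
    dst: str
    proto: int
    ident: int
    offset: int   # byte offset into the original datagram (header field * 8)
    length: int   # payload bytes carried by this fragment
    more: bool    # More-Fragments flag


@dataclass
class Pending:
    ranges: List[Tuple[int, int]] = field(default_factory=list)  # held (start, end)
    total: Optional[int] = None  # datagram length, known once the MF=0 piece is seen


class FragmentScreen:
    """Hold fragments per datagram and release them only when every piece fits."""

    def __init__(self) -> None:
        self.pending: Dict[Tuple[str, str, int, int], Pending] = {}

    def accept(self, f: Fragment) -> Tuple[str, str]:
        """Return (verdict, reason); verdict is PASS, HOLD, RELEASE or DROP."""
        key = (f.src, f.dst, f.proto, f.ident)
        start, end = f.offset, f.offset + f.length
        if f.length <= 0 or end > MAX_DATAGRAM:
            return "DROP", "fragment length out of range"
        if f.offset == 0 and f.length < MIN_FIRST.get(f.proto, 8):
            return "DROP", "first fragment too short to carry the transport header"
        if f.offset == 0 and not f.more:
            return "PASS", "unfragmented datagram, nothing to reassemble"
        p = self.pending.setdefault(key, Pending())
        # A piece that overlaps bytes already held does not "fit": drop it and
        # forget the whole datagram, so no later piece can complete it.
        if any(start < e and s < end for s, e in p.ranges):
            del self.pending[key]
            return "DROP", "overlaps a fragment already held"
        if not f.more:
            if p.total is not None and p.total != end:
                del self.pending[key]
                return "DROP", "conflicting datagram length"
            p.total = end
        if p.total is not None and any(e > p.total for _, e in p.ranges + [(start, end)]):
            del self.pending[key]
            return "DROP", "fragment extends past the final fragment"
        p.ranges.append((start, end))
        if self._complete(p):
            del self.pending[key]
            return "RELEASE", "datagram complete and consistent"
        return "HOLD", "waiting for the remaining fragments"

    @staticmethod
    def _complete(p: Pending) -> bool:
        """True when the held pieces cover [0, total) exactly, with no gaps."""
        if p.total is None:
            return False
        covered = 0
        for s, e in sorted(p.ranges):
            if s != covered:
                return False
            covered = e
        return covered == p.total


def screen_sample() -> List[str]:
    """Run a constructed fragment sequence through one screen; return the verdicts."""
    screen = FragmentScreen()

    def tcp(ident: int, offset: int, length: int, more: bool) -> Fragment:
        return Fragment("10.0.0.5", "192.0.2.10", 6, ident, offset, length, more)

    sample = [
        tcp(1, 0, 1480, True),     # ordinary two-piece datagram, in order
        tcp(1, 1480, 520, False),
        tcp(2, 1480, 100, False),  # same shape, but the last piece arrives first
        tcp(2, 0, 1480, True),
        tcp(3, 0, 1480, True),     # second piece rewrites bytes already held
        tcp(3, 1000, 600, False),
        tcp(4, 0, 8, True),        # zero-offset piece too small for a TCP header
    ]
    return [screen.accept(f)[0] for f in sample]


if __name__ == "__main__":
    for verdict in screen_sample():
        print(verdict)
```

The sample yields HOLD, RELEASE, HOLD, RELEASE, HOLD, DROP, DROP: out-of-order delivery is tolerated, while an overlapping piece or an undersized first fragment is discarded along with the datagram it belongs to.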
From owner-firewalls-outgoing Thu Jul 10 02:35:17 1997
Message-Id: <199707100925.LAA13088@giove.cpg.it>
To: firewalls@GreatCircle.COM
From: Serena Mazzoni
Subject: videoconference through firewall
Date: Thu, 10 Jul 1997 11:29:06 +0200

Hi all

what do you think about the videoconference through the firewall, I think that the problem involves the LAN, the sizing of the firewall and so on. Have you any experience?

thanks in advance
Serena Mazzoni

Serena Mazzoni
Consultancy & Projects Group
Via P.S. Mancini 12
00192 Roma
Tel. +39 6 36095629
Fax +39 6 36095635
e-mail : serena@cpg.it
http://www.cpg.it

From owner-firewalls-outgoing Thu Jul 10 03:34:51 1997
Message-ID: <33C4AD22.62AD54B9@nii.ncb.gov.sg>
Date: Thu, 10 Jul 1997 17:36:35 +0800
From: Martin Khoo
Reply-To: martin@nii.ncb.gov.sg
Organization: Information Infrastructure
To: Robert Thompson
CC: "fw-1-mailinglist"@us.checkpoint.com;, firewalls@GreatCircle.COM
Subject: Re: Changing IP addresses behind a FW
References: <199707091759.KAA29311@f30.hotmail.com>

From owner-firewalls-outgoing Thu Jul 10 03:49:56 1997
Message-Id: <3.0.1.32.19970710063539.00890770@clark.net>
Date: Thu, 10 Jul 1997 06:35:39 -0400
To: firewalls@greatcircle.com
From: Mark Teicher
Subject: Product versus Support

What do people look for in a Firewall and Internet solution?

Product questions:
A great GUI, ease of use?
Software that is not vaporware?
Availability of source code?
Quality of the product?
Age of the product?

Support questions:
Or friendly support who can solve your specific needs??
Does 7*24 factor in?
How about on-call specialists??
Installation engineers who can actually spell VPN?
Know enough about the product they are installing even when the front end of the product is broken during a rollout??

/m
#########################################################
'Turn on, Boot Up, Jack in'
#########################################################

From owner-firewalls-outgoing Thu Jul 10 04:34:58 1997
Message-Id: <199707101110.TAA29078@ms14.hinet.net>
From: "shark"
Subject: ubsubscribe firewalls
Date: Thu, 10 Jul 1997 18:31:55 +0800

From owner-firewalls-outgoing Thu Jul 10 04:40:09 1997
Jul 1997 03:42:59 -0700 (PDT) Received: from neon.ingenia.ca (neon.ingenia.ca [205.207.220.57]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id DAA07272 for ; Thu, 10 Jul 1997 03:42:52 -0700 (PDT) Received: (from shaver@localhost) by neon.ingenia.ca (8.8.5/8.7.3) id GAA15910; Thu, 10 Jul 1997 06:43:33 -0400 From: Mike Shaver Message-Id: <199707101043.GAA15910@neon.ingenia.ca> Subject: Re: Check Point response to Mossad rumor` In-Reply-To: <2.2.32.19970709160020.006e78f8@us.checkpoint.com> from "Emily G. Cohen" at "Jul 9, 97 09:00:20 am" To: emily@us.checkpoint.com (Emily G. Cohen) Date: Thu, 10 Jul 1997 06:43:32 -0400 (EDT) Cc: adam@homeport.org, Firewalls@GreatCircle.COM X-Mailer: ELM [version 2.4ME+ PL28 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Thus spake Emily G. Cohen: > I don't know of many companies that give away their source code - > it's called intellectual property. You might have heard of this little company called `Sun', which offers inexpensive/free source licenses to education institutions. It's a little hack called `Solaris'. And there's an up-and-coming player in the firewall market called `ITS' or `STI' or something like that that bundles source with their Gauntlet product. `No one else is doing it' is a pretty sad rationale if it tries to stand on its own, and it's even more so if it's wrong. > And, it's how Check Point > differentiates itself, along with the management console You mean that it's your _implementation_ that sets you apart? Surely you're not allowed to admit to that, even if it's true. Aren't you supposed to be doing different things, and not just the same things better? I'm sure I read that somewhere... There's no shame in a company being reluctant to divulge their source details if they've got a genuine fear that their competitors are so close on their heels (or vice versa) that every inch counts. 
It's only shameful when they try to pretend that their market is stupid for wanting access to it. The customer is always right. Just ask someone in Accounts Receivable.

Mike
--
#> Mike Shaver (shaver@ingenia.com) Ingenia Communications Corporation
#> Commando Developer - Whatever It Takes
#>
#> "See, you not only have to be a good coder to create a system like
#> Linux, you have to be a sneaky bastard too." - Linus Torvalds

From owner-firewalls-outgoing Thu Jul 10 05:25:47 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA12278 for firewalls-outgoing; Thu, 10 Jul 1997 04:14:21 -0700 (PDT) Received: from mail2.isys.net (trance.isys.net [194.64.236.33]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id EAA12251 for ; Thu, 10 Jul 1997 04:14:11 -0700 (PDT) From: hartmut.fehling@hamburg.netsurf.de Received: from mail1.isys.net[193.96.224.33] by mail2.isys.net with smtp (Smail 3.2 #2 -iSYS-); id m0wmHEl-000HGhC; Thu, 10 Jul 1997 13:18:15 +0200 (MET DST) Received: from hamburg.netsurf.de [194.195.202.62] by mail1.isys.net with esmtp (Smail 3.2 #3 -iSYS-); id m0wmHEm-001LNWC; Thu, 10 Jul 1997 13:18:16 +0200 (MET DST) To: Firewalls@GreatCircle.COM Date: Thu, 10 Jul 1997 13:16:07 -0000 Message-ID: <19970710131607.hartmut.fehling@hamburg.netsurf.de> In-Reply-To: <199707091842.LAA21051@honor.greatcircle.com> Subject: RE: rule ordes of FW-1 X-Mailer: Emissary V2.01, by Attachmate Corp. Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

FW1 is not deliberately switching around rules, but trying to avoid a paradox. FW1 cannot know that the source for rule1 is userA@pc1 until he was authenticated by the firewall, so unless Authentication has already taken place, rule1 can hardly be applied. However, rule2 already allows FTP by userA@pc1, so there's no need for the authentication at all. All of this is thoroughly described in one of the first chapters of the FW-1 Administration Manual 3.0.
Regards, Hartmut Fehling

Dear all,

If there are following rules for FireWall-1

        Source      Dest   Service   Action
===================================================
rule1:  userA@pc1   pc2    FTP       User Authentication
rule2:  pc1         all    ALL       Accept

If there's a FTP request from pc1 to pc2, which rule do you think it should apply? I thought it was rule1, but the log says it's rule 2. Is this a false configuration or it's FireWall-1's "bug"?

From owner-firewalls-outgoing Thu Jul 10 05:30:48 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA19088 for firewalls-outgoing; Thu, 10 Jul 1997 04:53:05 -0700 (PDT) Received: from lexicon.ins.com (lexicon.ins.com [199.0.193.11]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id EAA19079 for ; Thu, 10 Jul 1997 04:52:59 -0700 (PDT) Received: from dmartinez.ins.com (unknown-42-36.dialcall.com [170.206.42.36]) by lexicon.ins.com (8.7.5/8.7.3) with SMTP id EAA25974; Thu, 10 Jul 1997 04:56:56 -0700 (PDT) Message-Id: <3.0.32.19970710075654.006c7570@lexicon.ins.com> X-Sender: martin_d@lexicon.ins.com X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Thu, 10 Jul 1997 07:56:57 -0400 To: Mike Shaver , emily@us.checkpoint.com (Emily G. Cohen) From: "Darwin L. Martinez" Subject: Re: Check Point response to Mossad rumor` Cc: adam@homeport.org, Firewalls@GreatCircle.COM Mime-Version: 1.0 Content-Type: text/enriched; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Can we please stop this bickering and discuss issues more directly beneficial for all subscribers. I'm exposed to enough of this did-so / did-not environment at home with three kids. Or at least take this conversation offline, since by now everyone has the emails of those person's involved. Thank you.

At 06:43 AM 7/10/97 -0400, Mike Shaver wrote:
>Thus spake Emily G. Cohen:
>> I don't know of many companies that give away their source code -
>> it's called intellectual property.
>
>You might have heard of this little company called `Sun', which offers
>inexpensive/free source licenses to education institutions. It's a
>little hack called `Solaris'. And there's an up-and-coming player in
>the firewall market called `ITS' or `STI' or something like that that
>bundles source with their Gauntlet product.
>
>`No one else is doing it' is a pretty sad rationale if it tries to
>stand on its own, and it's even more so if it's wrong.
>
>> And, it's how Check Point
>> differentiates itself, along with the management console
>
>You mean that it's your _implementation_ that sets you apart? Surely
>you're not allowed to admit to that, even if it's true. Aren't you
>supposed to be doing different things, and not just the same things
>better? I'm sure I read that somewhere...
>
>There's no shame in a company being reluctant to divulge their source
>details if they've got a genuine fear that their competitors are so
>close on their heels (or vice versa) that every inch counts. It's
>only shameful when they try to pretend that their market is stupid for
>wanting access to it.
>
>The customer is always right. Just ask someone in Accounts Receivable.
>
>Mike
>
>--
>#> Mike Shaver (shaver@ingenia.com) Ingenia Communications Corporation
>#> Commando Developer - Whatever It Takes
>#>
>#> "See, you not only have to be a good coder to create a system like
>#> Linux, you have to be a sneaky bastard too." - Linus Torvalds
>
>
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Darwin L.
Martinez Client: 770-825-9482 Network Systems Consultant Pager: 888-346-1320 International Network Services Office: 770-641-3660 SouthEast Region, Atlanta Email: <darwin_martinez@ins.com> INS Website: "Providing the Power of Operable Networks"
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

From owner-firewalls-outgoing Thu Jul 10 05:35:33 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA26216 for firewalls-outgoing; Thu, 10 Jul 1997 05:29:46 -0700 (PDT) Received: from castle.us-state.gov (castle.us-state.gov [198.76.102.19]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id FAA26189 for ; Thu, 10 Jul 1997 05:29:37 -0700 (PDT) Received: by castle.us-state.gov; id AA17152; Thu, 10 Jul 97 08:33:42 EDT Received: from pubhost.us-state.gov(198.76.102.34) by castle.us-state.gov via smap (V1.3mjr) id sma017121; Thu Jul 10 08:33:17 1997 Received: by pubhost.us-state.gov; id AA29883; Thu, 10 Jul 97 08:33:18 EDT Received: by localhost with Microsoft MAPI; Thu, 10 Jul 1997 08:32:23 -0400 Message-Id: <01BC8D0B.CA67ACC0@gcrum@us-state.gov> From: Gary Crumrine To: "'firewalls@greatcircle.com'" Subject: Remote management devices Date: Thu, 10 Jul 1997 08:32:22 -0400 X-Mailer: Microsoft Internet E-mail/MAPI - 8.0.0.4025 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Has anyone out there worked with devices that will allow remote management of firewalls etc? I have seen some products advertised recently that can send statistical data back to a central site via Rmon technology, but in addition to the log data, I would like to be able to work on a firewall remotely. I have seen at least one firewall product that has a dial in remote management port installed, but I am sceptical on the product since it is so new to the market. I know there are more possibilities. Any suggestions? Also, what about scanning tools?
What are you using to scan your remote sites? What works, what doesn't?

From owner-firewalls-outgoing Thu Jul 10 05:50:34 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA28480 for firewalls-outgoing; Thu, 10 Jul 1997 05:43:22 -0700 (PDT) Received: from diablo.cisco.com (diablo.cisco.com [171.68.223.106]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id FAA28441 for ; Thu, 10 Jul 1997 05:43:10 -0700 (PDT) Received: from clonvick-pc.cisco.com (houston-pc20.cisco.com [171.68.41.86]) by diablo.cisco.com (8.8.5/CISCO.SERVER.1.2) with SMTP id FAA13548; Thu, 10 Jul 1997 05:47:09 -0700 (PDT) Message-Id: <2.2.32.19970710124428.007291a8@diablo.cisco.com> X-Sender: clonvick@diablo.cisco.com X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Thu, 10 Jul 1997 07:44:28 -0500 To: "Holt, Gail" , "'firewalls@greatcircle.com'" From: Chris Lonvick Subject: Re: Lotus Notes Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hello Gail, It's been a while since I set up a pair, but I remember that you can get Notes servers to encrypt their communications sessions. I'm not sure that the following URL will actually get you the document that I saw; if not, search their site for "replication encryption" and you'll find a few documents about this subject. If that appeals to you, then you can talk to the other group about allowing encrypted sessions between your servers over the Internet. You should only have to open tcp/1352 on your firewall. Depending upon the sensitivity of the information you expect to transfer, you may not want to use the "off the shelf" version of Notes that you can normally get in Australia. That is called the "International" version which has encryption keys of 40 bits. If you need a higher level of encryption, you should ask your IBM reps if they can get copies of the "North American" version that uses better key lengths.
An alternative to this is to use the Virtual Private Network (VPN) feature of your Firewall-1 to provide the encryption. This would require that "them" also have a firewall that can interoperate with the VPN encryption. I'm not sure of the key length that Checkpoint can provide to you in Australia.

http://orionweb.lotus.com/cgi-bin/web_fetch_doc?dataset=public40&db=sims&doc_id=11217&query=%23filreq%28%23sum%28replication+encryption+!c!+EOQ%+a%29+%23band%28+%23FIELD%28LANGUAGE+English%29%29%29

http://orionweb.lotus.com/basic.html is the start search page

Hope this helps, Chris Lonvick Cisco Systems Corporate Consulting Houston, TX, USA +1.713.778.5663

At 11:49 AM 7/10/97 +0800, Holt, Gail wrote:
>Hi,
>I currently administer a firewall (FW-1 V2.1c, SUN sparc5, Solaris 2.5)
>which protects our network of around 6,000 users. I allow all traffic
>outbound (at the moment) and nothing inbound (apart from responses :) I
>have 2 DMZs for email relay, cdrom, web etc.) One of our corporate
>sections wants to connect to an external Lotus Notes server. As far as
>I am concerned, our corporate stance is that the firewall is the point
>of all network external connectivity. As I see it (I'm fairly new to
>this, and no network expert) the two ways to connect are
>1. via the Internet (which they should already be able to do)
>2. via an ISDN line into an interface on the firewall.
>The problem with 2. is that the server is 4,000 kilometres away, and an
>ISDN line would be prohibitively expensive. I don't know what their
>problem is with simply connecting via the Internet - perhaps the
>transmission of unencrypted Lotus Notes traffic. I am simply trying to
>get some ideas which I can present to 'them' before 'the big whiteboard
>meeting' next week when all will be revealed. Any suggestions for
>other ways ?
>tar > >Gail > >_______________________________________ >Gail Holt >Internet Administrator >Health Department of WA >phone: (08) 9222 2429 >email: gail.holt@health.wa.gov.au > >Standard Disclaimer: These opinions are my own. >No one else in their right mind would want them. >_______________________________________ > > From owner-firewalls-outgoing Thu Jul 10 06:20:47 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA01356 for firewalls-outgoing; Thu, 10 Jul 1997 05:58:54 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id FAA01287 for ; Thu, 10 Jul 1997 05:58:36 -0700 (PDT) Received: from tarpon.allensysgroup.com by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id FAA03005; Thu, 10 Jul 1997 05:23:48 -0700 (PDT) Received: from therock ([166.55.51.7]) by tarpon.allensysgroup.com (post.office MTA v2.0 0813 ID# 0-16970) with SMTP id AAA218 for ; Thu, 10 Jul 1997 08:24:51 -0400 X-Sender: bbrown@allensysgroup.com X-Mailer: Windows Eudora Light Version 1.5.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: Firewalls@GreatCircle.COM From: bbrown@allensysgroup.com (Bobby Brown) Subject: Need FL Raptor Distributor Date: Thu, 10 Jul 1997 08:24:51 -0400 Message-ID: <19970710122449166.AAA218@therock> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I need to contact a Florida distributor of Raptor products. SW Florida is preferred. E-mail me directly. 
Bobby Brown ########################################################### # Bobby Brown SR Client/Server Systems Administration # # Allen Systems Group, Naples, Florida # # bbrown@allensysgroup.com # # Comments may not be that of my employer # ########################################################### From owner-firewalls-outgoing Thu Jul 10 06:22:02 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA17034 for firewalls-outgoing; Thu, 10 Jul 1997 04:41:58 -0700 (PDT) Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id EAA16788 for ; Thu, 10 Jul 1997 04:40:37 -0700 (PDT) Received: from h01.scientia.com (h01.scientia.com [194.216.183.1]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with SMTP id EAA21399 for ; Thu, 10 Jul 1997 04:17:48 -0700 (PDT) Received: by h01.scientia.com with SMTP id MAA00859 for ; Thu, 10 Jul 1997 12:15:15 +0100 Message-Id: <199707101115.MAA00859@h01.scientia.com> X-Sender: firewall@pop-server X-Mailer: Windows Eudora Light Version 1.5.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Thu, 10 Jul 1997 12:14:16 +0100 To: From: Ian Miller Subject: Re: Encryption hooks Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 14:55 09/07/97 -0500, you wrote: >Can anyone point me to an up-to-date reference on the US export >restrictions on products containing hooks for encryption without >any actual encryption algorithm? My understanding is that encryption hooks are the same as encryption for the purposes of export. 
A good place to start looking for further details is: Ian

From owner-firewalls-outgoing Thu Jul 10 06:30:27 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA10560 for firewalls-outgoing; Thu, 10 Jul 1997 04:03:57 -0700 (PDT) Received: from psyche.the-wire.com (psyche.the-wire.com [198.53.192.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id EAA10495 for ; Thu, 10 Jul 1997 04:03:44 -0700 (PDT) Received: from anton.the-wire.com (anton.the-wire.com [205.206.32.227]) by psyche.the-wire.com (8.8.6/8.6.12) with SMTP id HAA21279; Thu, 10 Jul 1997 07:07:45 -0400 (EDT) Message-Id: <3.0.32.19970710065844.007c8100@the-wire.com> X-Sender: anton@the-wire.com X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Thu, 10 Jul 1997 07:08:08 -0400 To: Colin Campbell , patrickn@tygerteam.com From: Anton J Aylward Subject: Re: Check Point Challenge, was Re: Check Point response to Mossad rumor Cc: firewalls@GreatCircle.COM Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

At 05:58 PM 10/07/97 +1000, Colin Campbell wrote:
## Reply Start ##
>What about the C Compiler? Didn't someone lecture on compilers inserting
>backdoors or whatever, once, based on recognising a certain string in
>the source?

Quite apart from Thompson's paper on this (I believe it was by him and about recognizing login code), there was a SF novel. Title was "Interrupts" if I recall, yes, authentication backdoor embedded in the compiler, so recompiling the application did no good and the crook/murderer could continue breaking into the phone switch.

>Maybe we should end this thread/hawser.

Yes, please. It's not proving anything and not achieving anything. Until someone takes Marcus up on his challenge it's not worth discussing any further, and once the challenge has been met it's also not worth discussing.
/anton ## Reply End ## -------------------------------------------------------------------------- Anton J Aylward | Security is not something that comes in The Strahn & Strachan Group Inc | a self-contained box. It is an attribute Information Security Consultants | of how you do business and as such Voice: (416) 494-8661 | needs to be managed carefully. Fax: (416) 494-8803 | - Karen Goertzel, Wang Federal Inc. From owner-firewalls-outgoing Thu Jul 10 06:47:02 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA15823 for firewalls-outgoing; Thu, 10 Jul 1997 04:33:30 -0700 (PDT) Received: from lionsden.informatik.uni-muenchen.de (lionsden.informatik.uni-muenchen.de [129.187.214.135]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id EAA15798 for ; Thu, 10 Jul 1997 04:33:22 -0700 (PDT) Received: from romblon.dbs.informatik.uni-muenchen.de (romblon.dbs.informatik.uni-muenchen.de [129.187.228.9]) by lionsden.informatik.uni-muenchen.de (8.7.5/8.6.9) with SMTP id NAA27785; Thu, 10 Jul 1997 13:37:24 +0200 (MESZ) Message-Id: <199707101137.NAA27785@lionsden.informatik.uni-muenchen.de> Received: from sumatra.dbs.informatik.uni-muenchen.de by romblon.dbs.informatik.uni-muenchen.de with SMTP (1.37.109.6/16.2) id AA12930; Thu, 10 Jul 97 13:37:23 +0200 Received: by sumatra.dbs.informatik.uni-muenchen.de (1.37.109.6/16.2) id AA05701; Thu, 10 Jul 97 13:37:23 +0200 From: Thomas Lopatic Subject: Re: A New Fragmentation Attack To: stepken@edina.xnc.com (Guido Stepken) Date: Thu, 10 Jul 1997 13:37:22 +0200 (MESZ) Cc: firewalls@greatcircle.com In-Reply-To: <33C4A757.63E550D@edina.xnc.com> from "Guido Stepken" at Jul 10, 97 11:11:57 am X-Mailer: ELM [version 2.4 PL23] Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk [Guido Stepken shed some light on several bugs in NT's TCP/IP stack and I was talking about passing fragments with 
non-zero offsets through packet screens and that NT 4.0 would reassemble them into a complete IP packet.]

> Are you really sure about this ? Even LINUX FIREWALLS reassemble
> fragmented packets and throw away everything, that does not fit.

I am absolutely sure about this, I guess that the packet dump speaks for itself (unless I have completely missed something). Reassembling packets at the firewall surely is a cure for this problem. However, Linux's built-in firewalling capability (I've quickly glanced at a 2.0.28 kernel) seems to pass any fragment, if its offset is neither 0 nor 8 (i.e. 1 << 3) to fix the old 'established' or TCP flags fragmentation problem. It would be very interesting to know which packet filters actually reassemble IP packets, which would make them inherently more secure. Yet, if it turns out some day, that there is another bug, which, for example, allows for initiating connections with SYN/ACK instead of SYN, then people using packet screens may be lost again. Up to now we have been concentrating on bugs in the IP stack. The TCP stack may still contain some goodies. :)

> What do you mean with "decoy" ?

Since we do not send a fragment with offset 0, the MS TCP/IP stack will not store an IP header for the chain of collected fragments. Hence we must send at least one complete packet before this attack will work, in order to provide a header. Since memory will be reused, the header will be also reused. Of course such a packet must not be dropped. So, to give an example, if we want to attack a WWW server, we could first send a legitimate packet to port 80 and then use the attack to access any other port on the server. I have called the legitimate packet we have to send first a 'decoy.' But let's kill this thread. This particular problem has been fixed with SP3 anyway.
Have a nice day and thanks for your time -Thomas -- Thomas Lopatic lopatic@informatik.uni-muenchen.de From owner-firewalls-outgoing Thu Jul 10 07:20:18 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA16541 for firewalls-outgoing; Thu, 10 Jul 1997 07:17:50 -0700 (PDT) Received: from diablo.cisco.com (diablo.cisco.com [171.68.223.106]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA13795 for ; Thu, 10 Jul 1997 07:00:21 -0700 (PDT) Received: from clonvick-pc.cisco.com (houston-pc20.cisco.com [171.68.41.86]) by diablo.cisco.com (8.8.5/CISCO.SERVER.1.2) with SMTP id HAA08833; Thu, 10 Jul 1997 07:01:35 -0700 (PDT) Message-Id: <2.2.32.19970710135855.007505b4@diablo.cisco.com> X-Sender: clonvick@diablo.cisco.com X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Thu, 10 Jul 1997 08:58:55 -0500 To: "John Wyscarver" , From: Chris Lonvick Subject: Re: Security risk when dialing out Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello John, You don't need modems to get to AOL, CIS or many of the other on-line services. There should be a "network" option in your communications setup in the AOL software. Choose the "LAN" rather than the "modem" option, and then make sure that your firewall permits that traffic. I'm going on memory here (not entirely reliable) so I can't think of the port/ports that you'll have to open on your firewall. I think that the destinations will have to be opened to the entire AOL NETBLK as some sort of load sharing method is spreading the sessions across all of the AOL servers. I recall that the same goes for CIS. Hope this helps, Chris Lonvick Cisco Systems Corporate Consulting Houston, TX, USA +1.713.778.5663 At 04:09 PM 7/9/97 CDT, John Wyscarver wrote: >Hi all, > >I have been tasked with identifying security issues associated with >allowing dial up access to On-line providers (aol etc.) 
from machines
>located on our network. I have been told that there is a definite security
>risk when dialing out to aol from a network connected machine. Besides the
>fact that this connection bypasses our firewall, is there a risk of access
>into our network from the outside through this connection? What are the
>risks if any and how can I get this point across to management.
>
>Thank you
>John
>
>John Wyscarver
>Network Administrator
>155 ARW/SCMN
>2420 West Butler Ave.
>Lincoln, NE. 68524-1888
>DSN:946.1200 Com:402.458.1200 Fax:1206
>NET:jpw@nelnk.ang.af.mil
>
>
>
>

From owner-firewalls-outgoing Thu Jul 10 07:20:40 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA12867 for firewalls-outgoing; Thu, 10 Jul 1997 04:17:52 -0700 (PDT) Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id EAA11927 for ; Thu, 10 Jul 1997 04:11:27 -0700 (PDT) Received: from castle.us-state.gov (castle.us-state.gov [198.76.102.19]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with SMTP id EAA21332 for ; Thu, 10 Jul 1997 04:15:50 -0700 (PDT) Received: by castle.us-state.gov; id AA13541; Thu, 10 Jul 97 07:13:22 EDT Received: from pubhost.us-state.gov(198.76.102.34) by castle.us-state.gov via smap (V1.3mjr) id sma013525; Thu Jul 10 07:12:33 1997 Received: by pubhost.us-state.gov; id AA27287; Thu, 10 Jul 97 07:12:27 EDT Received: by localhost with Microsoft MAPI; Thu, 10 Jul 1997 07:11:32 -0400 Message-Id: <01BC8D00.7E716B90@gcrum@us-state.gov> From: Gary Crumrine To: "'Colin Campbell'" , "patrickn@tygerteam.com" Cc: "firewalls@greatcircle.com" Subject: RE: Check Point Challenge, was Re: Check Point response to Mossad rumor Date: Thu, 10 Jul 1997 07:11:30 -0400 X-Mailer: Microsoft Internet E-mail/MAPI - 8.0.0.4025 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I agree with Colin, let's end this thread.
Over the past few weeks, I can't remember seeing so much traffic on an issue for some time now. I have just a thought. Given the comments the other day concerning the CIA's role a few years back, and if it is true, then I would like to suggest that any intelligence organization that is worth its stripes, would do their handy work without anyone's knowledge. Especially the company involved. Be it Checkpoint or what ever. No company is going to place their livelihood at risk for the sake of "National Security". To think Checkpoint has a link to the Mossad is crazy. That doesn't mean that the Mossad isn't capable of doing something like what has been suggested, only I don't think they would do it with the company's knowledge. Let's give Checkpoint the benefit of the doubt and turn our resources and keen minds in another more productive direction.

-----Original Message-----
From: Colin Campbell [SMTP:sgcccdc@citec.qld.gov.au]
Sent: Thursday, July 10, 1997 3:59 AM
To: patrickn@tygerteam.com
Cc: firewalls@greatcircle.com
Subject: Re: Check Point Challenge, was Re: Check Point response to Mossad rumor

Hi, My mailer thinks Patrick Naubert said:
>
> This is my first post in 2 years of reading this list. I just could not take
> the whiney tone of this post...
>
> OK, that's it.......
>
> I hereby challenge Check Point to a "proof of concept" contest.
>
> If you want to once and for all disprove and shut up the people that have been
> bashing your product on this list for the past years, you will have to 'fess
> up.
>
> The contest should be this:
>
> Invite 3 recognized independent "security experts" (Hey, make one of them Steve
> Bellovin) and have them take a look at the SPF code. Never mind the GUI and
> the other stuff.
> You must prove to these experts that you have hardened the kernel and OS for
> those that you install your product on.
>
What about the C Compiler?
Didn't someone lecture on compilers inserting backdoors or whatever, once, based on recognising a certain string in the source? Many compilers were rumoured to super-optimise code for Whet/Dhrystone tests cos they could recognise the code. Then there's the libraries with which FW-1 links. Then can you guarantee that the source the experts see is the same source used in product. Then ...... It's a futile exercise. You'll never convince everyone that there's no backdoor until it's interpreted by an interpreter that's interpreted by an interpreter that's .... so the source for everything can always be reviewed and guaranteed to not contain any backdoors if anyone wanted to look. Maybe we should end this thread/hawser.

Colin

From owner-firewalls-outgoing Thu Jul 10 07:24:30 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA13377 for firewalls-outgoing; Thu, 10 Jul 1997 06:58:28 -0700 (PDT) Received: from smtp2.erols.com (smtp2.erols.com [205.252.116.102]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id GAA13330 for ; Thu, 10 Jul 1997 06:58:14 -0700 (PDT) Received: from inskeepc.erols.com (spg-tnt-fe-4s01.erols.com [207.172.56.1]) by smtp2.erols.com (8.8.6/8.8.5) with SMTP id KAA12186; Thu, 10 Jul 1997 10:02:03 -0400 (EDT) Message-ID: <33C4EC6E.6CB9@geologics.com> Date: Thu, 10 Jul 1997 10:06:38 -0400 From: Chris Inskeep Reply-To: inskeep_chris@geologics.com Organization: GeoLogics Corporation X-Mailer: Mozilla 3.01Gold (Win95; U) MIME-Version: 1.0 To: Mike Shaver CC: "Emily G. Cohen" , adam@homeport.org, Firewalls@GreatCircle.COM Subject: Re: Check Point response to Mossad rumor` References: <199707101043.GAA15910@neon.ingenia.ca> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Mike Shaver wrote:
>
> Thus spake Emily G.
Cohen:
> > I don't know of many companies that give away their source code - it's called intellectual property.
>
> You might have heard of this little company called `Sun', which offers inexpensive/free source licenses to education institutions. It's a little hack called `Solaris'. And there's an up-and-coming player in the firewall market called `ITS' or `STI' or something like that that bundles source with their Gauntlet product.
>
> `No one else is doing it' is a pretty sad rationale if it tries to stand on its own, and it's even more so if it's wrong.
>
> > And, it's how Check Point differentiates itself, along with the management console
>
> You mean that it's your _implementation_ that sets you apart? Surely you're not allowed to admit to that, even if it's true. Aren't you supposed to be doing different things, and not just the same things better? I'm sure I read that somewhere...
>
> There's no shame in a company being reluctant to divulge their source details if they've got a genuine fear that their competitors are so close on their heels (or vice versa) that every inch counts. It's only shameful when they try to pretend that their market is stupid for wanting access to it.
>
> The customer is always right. Just ask someone in Accounts Receivable.
>
> Mike
>
> --
> #> Mike Shaver (shaver@ingenia.com) Ingenia Communications Corporation
> #> Commando Developer - Whatever It Takes
> #>
> #> "See, you not only have to be a good coder to create a system like Linux, you have to be a sneaky bastard too." - Linus Torvalds

I initially thought that this thread had descended into pointless bickering. Then, I got to thinking -- after a bottle (or so) of boffo BV Reserve '86, that maybe I'm just a bit behind the times. Is it common for security application software vendors to license copies of their source code -- surely everyone agrees that a firewall is an application running atop an operating system?
See, that is where we're in a different ballpark from Sun (or the other UNIX vendors) and Microsoft (DOES Bill sell source licenses for NT? -- I'd think so, but don't really know for sure.) But more to the point, does ORACLE, Informix, or Sybase sell source licenses for their trusted RDBMSs? Does SAIC or PRC sell source licenses for their centralized audit products? Does ICL sell source licenses for its unitary logon systems? Seems to me that Checkpoint is the king of the hill at the moment, and the king can't scratch without everyone commenting (Bill Clinton knows something about that phenomenon.) Are we asking more of the king than is standard practice in the security products software industry? Just asking......

Cheers!

From owner-firewalls-outgoing Thu Jul 10 07:54:59 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id DAA07722 for firewalls-outgoing; Thu, 10 Jul 1997 03:47:40 -0700 (PDT) Received: from hudutilgw.ml.com (hudutilf01.ml.com [198.242.49.31]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id DAA07704 for ; Thu, 10 Jul 1997 03:47:30 -0700 (PDT) From: mccabkei@ateam.lonnds.ml.com Received: from ml2.ml.com ([199.201.37.130]) by hudutilgw.ml.com (8.8.5/8.8.5/MLgw-3.03) with ESMTP id GAA23010 for ; Thu, 10 Jul 1997 06:50:10 -0400 (EDT) Received: from mleu1.euro.ml.com (mleu1.euro.ml.com [131.208.157.89]) by ml2.ml.com (8.7.5/8.7.3/MLml-2.06b) with ESMTP id GAA20468 for ; Thu, 10 Jul 1997 06:55:50 -0400 (EDT) Received: from swype.bolon.uk.ml.com (swype.bolon.uk.ml.com [131.208.231.14]) by mleu1.euro.ml.com (8.7.3/8.7.3/MLdomain-2.02) with SMTP id LAA17384 for ; Thu, 10 Jul 1997 11:51:33 +0100 (BST) Received: from ateam.lonnds.ml.com by swype.bolon.uk.ml.com (4.1/ML41S-1.03) id AA00960; Thu, 10 Jul 97 11:51:32 BST Received: from wallace.lonnds.ml.com by ateam.lonnds.ml.com (4.1/SMI-4.1) id AA18946; Thu, 10 Jul 97 11:50:02 BST Received: by wallace.lonnds.ml.com (SMI-8.6/SMI-SVR4) id LAA04222; Thu, 10 Jul
1997 11:50:01 +0100 Date: Thu, 10 Jul 1997 11:50:01 +0100 Message-Id: <199707101050.LAA04222@wallace.lonnds.ml.com> To: Firewalls@GreatCircle.COM Subject: Stonebeat, Qualix, Firstwatch....?? Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Content-Md5: SQ2+IKmiFQVN9yJOrPfQ6g== Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This is a follow up question to my earlier HA question. I've had lots of useful replies regarding HA for Firewall-1 on Solaris and need to make a decision as to which product to use. Does anyone have any recommendations/war stories regarding (1) Stonebeat (2) QualixHA+ Firewall-1 (3) Veritas Firstwatch I'm particularly looking for comments on ease of installation, support, ease of management, robustness etc. Also I'd be very interested in hearing anything on functional differences. ie product X can do this that product Y & Z can't. Thanks in advance and I'll summarise. ################################################################################ Keith S McCabe email: mccabkei@lonnds.ml.com Distributed Systems Support Group phone: +44 (0)171 892 8231 Merrill Lynch Europe PLC fax: +44 (0)171 892 8487 London EC1 ################################################################################ From owner-firewalls-outgoing Thu Jul 10 08:51:10 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA08888 for firewalls-outgoing; Thu, 10 Jul 1997 06:37:59 -0700 (PDT) Received: from punt-1.mail.demon.net (relay-13.mail.demon.net [194.217.242.137]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id GAA08873 for ; Thu, 10 Jul 1997 06:37:53 -0700 (PDT) Received: from [194.202.103.242] ([194.202.103.242]) by punt-1.mail.demon.net id aa1311697; 10 Jul 97 13:57 BST Message-ID: <33C4DC30.33EF@threewiz.demon.co.uk> Date: Thu, 10 Jul 1997 13:57:20 +0100 From: David Harvey-George Organization: Kimble Consultancy Services Ltd X-Mailer: Mozilla 3.0Gold (WinNT; 
I) MIME-Version: 1.0 To: firewalls@greatcircle.com Subject: Nonexistant NT security References: <199707091445.JAA00998@w3.ci.chi.il.us> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I notice that there is now a program called getadmin that grants any normal user admin rights, just used it because one of my sysadmins had forgotten the administrator password. Very handy. I guess any firewall machine would only have an Administrator (and probably not called that anyway) so this is not an issue. However lophtcrack and getadmin are a heady combination. Wither NT security. David From owner-firewalls-outgoing Thu Jul 10 08:53:08 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA11894 for firewalls-outgoing; Thu, 10 Jul 1997 06:50:57 -0700 (PDT) Received: from ns1.eds.com (ns1.eds.com [192.85.154.78]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id GAA11527 for ; Thu, 10 Jul 1997 06:49:39 -0700 (PDT) Received: from nnsa.eds.com (nnsa.eds.com [130.174.31.78]) by ns1.eds.com (8.8.6/8.8.5) with ESMTP id JAA07684 for ; Thu, 10 Jul 1997 09:53:46 -0400 (EDT) Received: from fangio.osipc.can.eds.com (fangio.osipc.can.eds.com [205.239.195.11]) by nnsa.eds.com (8.8.5/8.8.5) with ESMTP id JAA08504 for ; Thu, 10 Jul 1997 09:53:16 -0400 (EDT) Received: from hello.can.eds.com ([204.104.139.243]) by fangio.osipc.can.eds.com (Netscape Mail Server v1.1) with ESMTP id AAA16914 for ; Thu, 10 Jul 1997 09:25:20 -0400 From: jpilkey@can.eds.com (Pilkey, Jeremy) To: Subject: Is there a way .... 
Date: Thu, 10 Jul 1997 09:27:45 -0400 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1161 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Message-ID: <19970710132519.AAA16914@hello.can.eds.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hello, I was wondering if there was a cmd line that allowed you to output the network objects and associated IPs in readable form? Thanks

Jer
Jeremy Pilkey EDS Canada (905)644-5683 jpilkey@can.eds.com

From owner-firewalls-outgoing Thu Jul 10 09:50:48 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA09993 for firewalls-outgoing; Thu, 10 Jul 1997 09:13:14 -0700 (PDT) Received: from matav.hu (firewall.matav.hu [145.236.225.161]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id JAA09964 for ; Thu, 10 Jul 1997 09:13:01 -0700 (PDT) Received: from tiivs7.tii.matav.hu ([145.236.48.148]) by firewall.matav.hu with SMTP id <55601-2>; Thu, 10 Jul 1997 18:14:33 +0100 Received: from Bunuel.tii.matav.hu by tiivs7.tii.matav.hu (MX V4.1 VAX) with SMTP; Thu, 10 Jul 1997 18:16:29 MET Received: from localhost (mag@localhost) by Bunuel.tii.matav.hu (8.8.5/8.8.5) with SMTP id SAA22942 for ; Thu, 10 Jul 1997 18:21:38 +0200 Date: Thu, 10 Jul 1997 17:21:38 +0100 From: "Magossa'nyi A'rpa'd" To: Firewall list Subject: Firewall and B2?? Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=ISO-8859-2 Content-Transfer-Encoding: QUOTED-PRINTABLE Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi! I must have missed something. I thought firewalls don't have much to do with security ratings like B1 and C2. Now someone told me he wants to see only B1 firewalls here. What's the truth? Giving URLs or one-sentence answers in direct mail would suffice. I'll summarize.
--- GNU GPL: only from a clean source

From owner-firewalls-outgoing Thu Jul 10 09:57:31 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA08920 for firewalls-outgoing; Thu, 10 Jul 1997 09:06:59 -0700 (PDT) Received: from mail.baileynm.com (fw.baileynm.com [206.109.159.11]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id JAA08906 for ; Thu, 10 Jul 1997 09:06:53 -0700 (PDT) Received: (qmail 12700 invoked from smtpd); 10 Jul 1997 16:10:58 -0000 Received: from web.nmti.com (root@198.178.0.201) by fw.nmti.com with SMTP; 10 Jul 1997 16:10:58 -0000 Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id LAA26597; Thu, 10 Jul 1997 11:10:57 -0500 Received: by sonic.nmti.com; id AA27956; Thu, 10 Jul 1997 11:11:43 -0500 From: peter@baileynm.com (Peter da Silva) Message-Id: <9707101611.AA27956@sonic.nmti.com.nmti.com> Subject: Re: Encryption hooks To: firewalls@scientia.com (Ian Miller) Date: Thu, 10 Jul 1997 11:11:43 -0500 (CDT) Cc: firewalls@greatcircle.com In-Reply-To: <199707101115.MAA00859@h01.scientia.com> from "Ian Miller" at Jul 10, 97 12:14:16 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> My understanding is that encryption hooks are the same as encryption for the purposes of export.

What if encryption is in a separate module, and you include the legal module with the product? Then you can't export it if a more competent module exists? That means it should be against the law to ship copies of login.c. Something's fishy here.
From owner-firewalls-outgoing Thu Jul 10 10:09:11 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA10528 for firewalls-outgoing; Thu, 10 Jul 1997 09:16:32 -0700 (PDT) Received: from mail.baileynm.com (fw.baileynm.com [206.109.159.11]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id JAA10369 for ; Thu, 10 Jul 1997 09:16:00 -0700 (PDT) Received: (qmail 12776 invoked from smtpd); 10 Jul 1997 16:18:36 -0000 Received: from web.nmti.com (root@198.178.0.201) by fw.nmti.com with SMTP; 10 Jul 1997 16:18:36 -0000 Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id LAA26961; Thu, 10 Jul 1997 11:18:35 -0500 Received: by sonic.nmti.com; id AA26452; Thu, 10 Jul 1997 11:19:21 -0500 From: peter@baileynm.com (Peter da Silva) Message-Id: <9707101619.AA26452@sonic.nmti.com.nmti.com> Subject: Re: Security risk when dialing out To: clonvick@cisco.com (Chris Lonvick) Date: Thu, 10 Jul 1997 11:19:20 -0500 (CDT) Cc: jwyscarver@nelnk.ang.af.mil, firewalls@GreatCircle.COM In-Reply-To: <2.2.32.19970710135855.007505b4@diablo.cisco.com> from "Chris Lonvick" at Jul 10, 97 08:58:55 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > You don't need modems to get to AOL, CIS or many of the other on-line > services. How does that sidestep the security question? AOL's software has been described as establishing an IP tunnel. If that's the case a link to AOL either through a modem or an IP address opens up a non-encrypted tunnel past your firewall into your internal network. I am not terribly happy with this idea. 
From owner-firewalls-outgoing Thu Jul 10 10:35:47 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA16012 for firewalls-outgoing; Thu, 10 Jul 1997 09:52:30 -0700 (PDT) Received: from portia.teleport.com ([192.108.254.5]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id JAA16003 for ; Thu, 10 Jul 1997 09:52:24 -0700 (PDT) Received: from linda.teleport.com (linda.teleport.com [192.108.254.12]) by portia.teleport.com (8.8.5/8.7.3) with ESMTP id JAA20261; Thu, 10 Jul 1997 09:56:14 -0700 (PDT) Received: (from alano@localhost) by linda.teleport.com (8.8.5/8.8.4) id JAA19692; Thu, 10 Jul 1997 09:56:13 -0700 (PDT) Date: Thu, 10 Jul 1997 09:56:13 -0700 (PDT) From: Alan To: David Harvey-George cc: firewalls@GreatCircle.COM Subject: Re: Nonexistant NT security In-Reply-To: <33C4DC30.33EF@threewiz.demon.co.uk> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Thu, 10 Jul 1997, David Harvey-George wrote:
> I notice that there is now a program called getadmin that grants any normal user admin rights, just used it because one of my sysadmins had forgotten the administrator password. Very handy.

Microsoft has a patch that is supposed to fix the problem. (There was an announcement on http://www.news.com/ about it.) There should be links there to where to find the patch. (I could not tell you where it is on Microsoft's web site as I find it very difficult to navigate. But then I do not use IE, as they do not have a Solaris version as of yet. (Thank Cthulhu!))

> I guess any firewall machine would only have an Administrator (and probably not called that anyway) so this is not an issue. However lophtcrack and getadmin are a heady combination. Wither NT security.

It is a concern in offices where you have users who you do not want to EVER have admin rights. (People who like to play and think they know what they are doing, for example.)
Or when you have a boss who insists on having a login on the firewall machine "just so he can check up on things". Sigh... alano@teleport.com | "Those who are without history are doomed to retype it." From owner-firewalls-outgoing Thu Jul 10 10:52:33 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA21706 for firewalls-outgoing; Thu, 10 Jul 1997 07:43:18 -0700 (PDT) Received: from neon.ingenia.ca (neon.ingenia.ca [205.207.220.57]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA21594 for ; Thu, 10 Jul 1997 07:42:54 -0700 (PDT) Received: (from shaver@localhost) by neon.ingenia.ca (8.8.5/8.7.3) id KAA16842; Thu, 10 Jul 1997 10:43:04 -0400 From: Mike Shaver Message-Id: <199707101443.KAA16842@neon.ingenia.ca> Subject: Re: Check Point response to Mossad rumor` In-Reply-To: <33C4EC6E.6CB9@geologics.com> from Chris Inskeep at "Jul 10, 97 10:06:38 am" To: inskeep_chris@geologics.com Date: Thu, 10 Jul 1997 10:43:04 -0400 (EDT) Cc: emily@us.checkpoint.com, adam@homeport.org, Firewalls@GreatCircle.COM X-Mailer: ELM [version 2.4ME+ PL28 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Thus spake Chris Inskeep: > Is it common for security application software vendors to license copies > of their source code I don't know how you'd define `common', but it's not unheard of. I suspect it's similar to good documentation: not everyone produces it, but it'd be nice if they did. =) > See, that is where we're in a different ballpark from Sun (or the > other UNIX vendors) and Microsoft (DOES Bill sell source licenses > for NT? -- I'd think so, but don't really know for sure.) Microsoft does sell source licenses, and also has an educational-user source license programme. > Are we asking more of the king than is standard practice in the > security products software industry? 
I don't actually have a problem with them not releasing source any more than I have a problem with Jeep not selling the Grand Cherokee with a standard transmission; I'd like the product more if they did, but it's their product to sell. The problem I have is with them insisting that I (as a generic consumer-with-a-preference) don't really need it, or that they _shouldn't_ release it for IP/security/`industry-standard' reasons. Mike -- #> Mike Shaver (shaver@ingenia.com) Ingenia Communications Corporation #> Welcome to the technocracy. #> #> "you'd be so disappointed #> to find out that the magic was not #> really meant for you" - OLP From owner-firewalls-outgoing Thu Jul 10 11:01:27 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA22955 for firewalls-outgoing; Thu, 10 Jul 1997 10:41:51 -0700 (PDT) Received: from services.state.mo.us (services.state.mo.us [168.166.2.67]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id KAA22906 for ; Thu, 10 Jul 1997 10:41:40 -0700 (PDT) Received: (from moses@localhost) by services.state.mo.us (8.8.3/8.8.0) id MAA11497; Thu, 10 Jul 1997 12:46:06 -0500 (CDT) Date: Thu, 10 Jul 1997 12:46:05 -0500 (CDT) From: Ikoedem Moses To: Firewalls@GreatCircle.COM Subject: IBM firewall for AIX V3.1 Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I am trying to use the http proxy ( port 8080 ) to access the web. I am having an error 400 problem with the client. Any ideas? Any known problems with V3.1? 
Thanks

From owner-firewalls-outgoing Thu Jul 10 11:05:21 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA24671 for firewalls-outgoing; Thu, 10 Jul 1997 10:50:58 -0700 (PDT) Received: from erinet.com (mail2.erinet.com [207.0.229.19]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id KAA24658 for ; Thu, 10 Jul 1997 10:50:52 -0700 (PDT) Received: from youngr.erinet.com (dlp153.dayton.eri.net [207.90.116.185]) by erinet.com (8.8.5/8.8.1) with SMTP id NAA01745; Thu, 10 Jul 1997 13:53:56 -0400 (EDT) Message-ID: <33C520E6.849@erinet.com> Date: Thu, 10 Jul 1997 13:50:30 -0400 From: Roger Young Reply-To: youngr@erinet.com X-Mailer: Mozilla 3.0 (Win95; U) MIME-Version: 1.0 To: firewalls@GreatCircle.COM, fw-1-mailinglist@us.checkpoint.com Subject: FW-1 Newbie Type Questions References: <199707100400.UAA14356@sunphil> <33C436D8.1AAB@erinet.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I have a few more questions on FW-1 on NT, if you have time to respond:

Any folks running into problems with using PCI NICs with fw-1 3.0a and NT 4.0? A support FAQ I was reading (somewhat out of date now) indicated that this was a problem (possibly fw-1 2.1c with NT 4.0).

From looking at the menus within the user interface (rule base with version 2.1c), how do you determine what is the external NIC? Within "machine properties" and the "general" tab, is the external network the IP address entered on the "general" tab? You can set up multiple interfaces, but nowhere is it obvious what your external network is defined as (i.e., the one facing the Internet). The idea is you have only one "external" network defined.

If you are just setting up the firewall and do not have DNS running, where does FW-1 check to verify the firewall server name when you are logging in to the user interface?
Does it simply use the server name input into admin along with your user and password? Or does it need to be in lmhosts or hosts? We're looking at evaluating 3.0a next week. Right now we have a group with a 2.1c evaluation trying to load it with some questions.

Thanks, Roger

From owner-firewalls-outgoing Thu Jul 10 12:20:45 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA18352 for firewalls-outgoing; Thu, 10 Jul 1997 10:16:32 -0700 (PDT) Received: from shell4.ba.best.com (shell4.ba.best.com [206.184.139.135]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id KAA18318 for ; Thu, 10 Jul 1997 10:16:24 -0700 (PDT) Received: from localhost (aajpeter@localhost) by shell4.ba.best.com (8.8.5/8.7.3) with SMTP id KAA11942 for ; Thu, 10 Jul 1997 10:20:34 -0700 (PDT) X-Authentication-Warning: shell4.ba.best.com: aajpeter owned process doing -bs Date: Thu, 10 Jul 1997 10:20:34 -0700 (PDT) From: "Aaron J. Peterson" X-Sender: aajpeter@shell4.ba.best.com Reply-To: "Aaron J. Peterson" To: Firewalls@GreatCircle.COM Subject: RE: Two ISPs to one DMZ, really In-Reply-To: <9707091315.AA31730@sonic.nmti.com.nmti.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

We're missing the bigger issue. What service level and availability do the customers want? How can one obtain a particular level? What would the most efficient architecture be for the desired service level? What does any of this have to do with firewalls? :) To answer the last one quickly and justify the rest of this message, a company that can afford redundancy will most likely have a parallel need for a firewall (who doesn't?), and these are intertwined architecture issues.

I disagree that one does not get redundancy by multi-homing to the same ISP. It would be good to define "redundancy" more explicitly.
Certainly, you wouldn't get "ISP redundancy", but I don't think that's really what anyone is looking for. They're looking for network redundancy and resilience. Can you measure the gain in availability provided by connecting to ISP A and ISP B, as opposed to multi-homing to two network-distant points on ISP A? Is it worth the administrative overhead? Is it really a gain considering the increased complexity and the tendency of more complex systems to break more frequently? These are key architecture issues that should be pondered before blindly deciding that, "we must multi-home to two ISPs, despite the huge difficulties and expense involved, because that's the only way we can get 101% availability, which is what we must have." In my experience, BGP convergence has been quite fast, and the various vicissitudes involved with dynamic DNS make it a comparatively poor performer. No, don't respond, mail me personally.

If you've decided that you _must_ have two ISPs, then you'll obviously be choosing big ones, as the chain is only as strong as its weakest link, and since you're a major player, you'll want to play with the major leagues. The "pros" all support, nay in many cases require, the use of BGP. So in the framework of that,

On Wed, 9 Jul 1997 mikech@avana.net wrote:
> *****How do you route IPs from one ISP's CIDR through another ISP???********

You force the two ISPs in question to redefine their routing policies with each other, as well as their routing policies with you. There is no other way that you can do it just as a customer to two ISPs. This is not impossible, just difficult, and you will truly have "ISP redundancy". You'll want to study the respective ISPs' backbones, and analyze their outward connectivity, what NAPs they connect to, etc., and make sure you're not losing most of your redundancy when the ISPs are viewed as a unit.
Outside of that framework there is still a lot of room to get high availability and good service, which is truly the better answer to the question for many levels of services. You can avoid the question in various ways:

o split groups of machines providing redundant services onto the separate PA blocks from each ISP, and cope with the hit and miss.
o get PI address space. Good Luck, and thanks for making me upgrade to 128MB in my border routers. ;)
o multi-home to the same ISP, choose a big one, and connect at distant points on the ISP.
o use a hybrid of the above for services of different availability requirements.

BTW, my math was incorrect, so low DNS TTLs aren't as bad traffic-wise as I made it look. I wasn't debating if dynamic DNS works, I was challenging a base assumption. Without getting into it, I believe dynamic DNS's requirement of low TTLs is a serious flaw, and I strongly doubt the methods used to show reachability percentages as a function of time. Further discussion of this issue should probably be mailbox to mailbox, as I'm sure the list would vigorously agree. We'd post the consensus if we ever came to one :).

On Wed, 9 Jul 1997, Mark Horn [ Net Ops ] wrote:
> The first thing is that you assume that yahoo's ttl for their dns records is 7 days. It's 15 minutes.

I was talking of Yahoo as a client to DNS services, i.e. the TTLs in question were the TTLs of the rest of the world, not for Yahoo's domain.

> [ math proving my error anyway ]

On Wed, 9 Jul 1997, Neil Readwin wrote:
> [ logic explaining my error clearly ]

Yep. I was wrong.

-Aaron J.
Peterson
Semi-Humbled Logic 101 Flunkie

From owner-firewalls-outgoing Thu Jul 10 12:27:57 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA11120 for firewalls-outgoing; Thu, 10 Jul 1997 09:20:06 -0700 (PDT) Received: from sv01.asb.iae.cta.br ([161.24.42.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id JAA09617 for ; Thu, 10 Jul 1997 09:10:41 -0700 (PDT) Date: Thu, 10 Jul 1997 09:10:41 -0700 (PDT) Message-Id: <199707101610.JAA09617@honor.greatcircle.com> Received: from SV02 by sv01.asb.iae.cta.br with SMTP (Microsoft Exchange Internet Mail Service Version 5.0.1457.7) id 33L2DVHC; Thu, 10 Jul 1997 13:26:28 -0300 X-Sender: taranti@mail.asb.iae.cta.br X-Mailer: Windows Eudora Light Version 1.5.2 Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable To: firewalls@greatcircle.com From: Christian Taranti Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

unsubscribe firewalls

Ten Taranti
User: Christian Taranti
Workplace: CTA/IAE/ASB
Room: 137 (main building)
Extension: 4760
LT Taranti
Full name: Christian G. R.
Taranti Sao Jose dos Campos, Brazil From owner-firewalls-outgoing Thu Jul 10 12:35:52 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA11631 for firewalls-outgoing; Thu, 10 Jul 1997 09:22:33 -0700 (PDT) Received: from mail.baileynm.com (fw.baileynm.com [206.109.159.11]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id JAA09674 for ; Thu, 10 Jul 1997 09:10:51 -0700 (PDT) Received: (qmail 12730 invoked from smtpd); 10 Jul 1997 16:14:58 -0000 Received: from web.nmti.com (root@198.178.0.201) by fw.nmti.com with SMTP; 10 Jul 1997 16:14:58 -0000 Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id LAA26837; Thu, 10 Jul 1997 11:14:58 -0500 Received: by sonic.nmti.com; id AA27753; Thu, 10 Jul 1997 11:15:43 -0500 From: peter@baileynm.com (Peter da Silva) Message-Id: <9707101615.AA27753@sonic.nmti.com.nmti.com> Subject: Re: A New Fragmentation Attack To: lopatic@dbs.informatik.uni-muenchen.de (Thomas Lopatic) Date: Thu, 10 Jul 1997 11:15:43 -0500 (CDT) Cc: stepken@edina.xnc.com, firewalls@greatcircle.com In-Reply-To: <199707101137.NAA27785@lionsden.informatik.uni-muenchen.de> from "Thomas Lopatic" at Jul 10, 97 01:37:22 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Yet, if it turns out some day, that there is another bug, which, > for example, allows for initiating connections with SYN/ACK instead > of SYN, then people using packet screens may be lost again. I believe I've seen discussion of stacks having that problem, in a thread about "stealth" scans. I don't know what stack it was, and I don't think it was NT. 
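Peter's point above (a stack that would accept a SYN/ACK as a connection opener defeats a packet screen) comes down to what the screen actually checks. The classic stateless screen permits any inbound TCP segment whose ACK bit is set, on the assumption that only replies to inside-initiated connections carry ACK; a SYN/ACK carries ACK, so it passes, and so does the bare-ACK probe used in "stealth" scans. A screen that remembers the outbound SYNs it has seen admits only genuine replies. The model below is an added example, not code from this thread or from any product named in it; the packets, the addresses (RFC 5737 documentation ranges) and the two filter classes are all constructed for the illustration.

```python
"""Stateless ACK-bit screen vs. stateful screen, fed an unsolicited SYN/ACK.

Added example for the thread above, not code from the list or from any
vendor. All traffic below is constructed; addresses are RFC 5737 ranges.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple

SYN = 0x02   # TCP flag bits used by the model
ACK = 0x10

FourTuple = Tuple[str, int, str, int]


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    inbound: bool  # True = arrived on the outside interface

    def has(self, bit: int) -> bool:
        return bool(self.flags & bit)


class AckBitScreen:
    """Stateless 'established'-style rule: inbound TCP is permitted only if
    the ACK bit is set, on the assumption that only replies carry ACK."""

    def allow(self, p: Pkt) -> bool:
        if not p.inbound:
            return True        # anything going out is permitted
        return p.has(ACK)      # SYN/ACK and bare ACK both satisfy this


class StatefulScreen:
    """Inbound TCP is permitted only if it answers an outbound SYN we saw."""

    def __init__(self) -> None:
        self.pending: Set[FourTuple] = set()

    def allow(self, p: Pkt) -> bool:
        if not p.inbound:
            if p.has(SYN) and not p.has(ACK):   # inside host opening a connection
                self.pending.add((p.src, p.sport, p.dst, p.dport))
            return True
        # A reply carries the original four-tuple reversed.
        return (p.dst, p.dport, p.src, p.sport) in self.pending


INSIDE, WEB, ATTACKER = "10.0.0.5", "198.51.100.7", "203.0.113.9"

# Constructed traffic: one legitimate outbound HTTP open and its reply,
# then three inbound packets aimed at telnet on the inside host.
TRAFFIC: List[Pkt] = [
    Pkt(INSIDE, 40000, WEB, 80, SYN, inbound=False),           # 0 outbound SYN
    Pkt(WEB, 80, INSIDE, 40000, SYN | ACK, inbound=True),      # 1 matching reply
    Pkt(ATTACKER, 1234, INSIDE, 23, SYN, inbound=True),        # 2 plain SYN
    Pkt(ATTACKER, 1234, INSIDE, 23, SYN | ACK, inbound=True),  # 3 unsolicited SYN/ACK
    Pkt(ATTACKER, 1234, INSIDE, 23, ACK, inbound=True),        # 4 bare-ACK probe
]


def run(screen, traffic: List[Pkt] = TRAFFIC) -> List[bool]:
    """Verdict per packet, in order; the stateful screen learns as it goes."""
    return [screen.allow(p) for p in traffic]


def leaks_unsolicited_synack(screen) -> bool:
    """True if the screen admits packet 3, the SYN/ACK with no prior outbound SYN."""
    return run(screen)[3]


if __name__ == "__main__":
    for name, screen in (("ack-bit", AckBitScreen()), ("stateful", StatefulScreen())):
        print(f"{name:9s}", ["pass" if v else "drop" for v in run(screen)])
```

Run stand-alone it prints one verdict list per screen: the ACK-bit screen drops only the plain SYN and lets both the unsolicited SYN/ACK and the bare ACK through, while the stateful screen drops all three attacker packets. Whether the SYN/ACK that gets through does any harm depends entirely on the receiving stack, which is exactly the dependency Peter is worried about; the stateful screen removes it.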
From owner-firewalls-outgoing Thu Jul 10 13:52:56 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA12009 for firewalls-outgoing; Thu, 10 Jul 1997 12:11:32 -0700 (PDT) Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id MAA11766 for ; Thu, 10 Jul 1997 12:10:34 -0700 (PDT) Received: from montefiore.org (20715997179.iconnet.net [207.159.97.179]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with SMTP id LAA27863 for ; Thu, 10 Jul 1997 11:48:57 -0700 (PDT) Received: from Weiler-Message_Server by montefiore.org with Novell_GroupWise; Thu, 10 Jul 1997 14:43:22 -0500 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Thu, 10 Jul 1997 14:42:40 -0500 From: Anca Banciu To: Firewalls@GreatCircle.COM Subject: ftp outbound using WSftp, Cuteftp, Chameleon FTP, Microsoft FTP Mime-Version: 1.0 Content-Type: text/plain Content-Disposition: inline Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I am running Firewall-1 v2.0b Internet server (enterprise, unlimited users, on Solaris 2.5). I am using Netscape proxy server for HTTP. For FTP and Telnet I have a rule for User authentication. I am trying from my PC (Win 3.x, using WSftp or CUTEftp or Chameleon FTP or FTP from the Microsoft stack) to get out to an FTP site using the rule for user authentication. If I telnet to the SUN box using Telnet and then use the regular FTP (that Solaris provides) I can ftp out. I want to use FTP authentication for some of my users that need to upload files. We are part of the MIS department.
From owner-firewalls-outgoing Thu Jul 10 13:53:29 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA19033 for firewalls-outgoing; Thu, 10 Jul 1997 12:44:57 -0700 (PDT) Received: from mailhub.cts.com (mailhub.cts.com [204.216.216.130]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id MAA18956 for ; Thu, 10 Jul 1997 12:44:41 -0700 (PDT) Received: from crash.cts.com(really [192.188.72.17]) by mailhub.cts.com via smail with smtp id for ; Thu, 10 Jul 97 12:48:50 -0700 (PDT) (Smail-3.1.92 1996-Mar-19 #3 built 1996-Apr-21) Received: by crash.cts.com (Smail3.1.29.1 #5) id m0wmPCr-0000NWC; Thu, 10 Jul 97 12:48 PDT Date: Thu, 10 Jul 1997 12:48:48 -0700 (PDT) From: "Paul W. Weyman" To: firewalls@greatcircle.com Subject: Web access to Oracle DB Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I have to explain to a bunch of sales execs. that allowing web access to a core production database is a bad idea. Basically, they want to run CGI scripts on a web server in the DMZ that query an Oracle db on the internal network. To do this, the firewall would have to be configured to allow all connections from the web server to the sqlnet port on the db server. I think that most technical/security people agree that this is a bad idea but I need some details. Any help on how to make a case with non-technical management types would be greatly appreciated. 
From owner-firewalls-outgoing Thu Jul 10 14:18:02 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA20752 for firewalls-outgoing; Thu, 10 Jul 1997 12:54:16 -0700 (PDT) Received: from mail.diginsite.com (mail.diginsite.com [208.2.189.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id MAA20654 for ; Thu, 10 Jul 1997 12:53:51 -0700 (PDT) Received: from mail.diginsite.com (mail.diginsite.com [208.2.189.2]) by mail.diginsite.com (8.8.5/8.8.3) with SMTP id MAA09320; Thu, 10 Jul 1997 12:54:18 -0700 Date: Thu, 10 Jul 1997 12:54:17 -0700 (PDT) From: David Lang To: mikech@avana.net cc: "Mark Horn [ Net Ops ]" , Paul Ferguson , Firewalls@GreatCircle.COM Subject: Re: Two ISP's to one DMZ In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

My company is in the process of setting this up. We are using a Cisco 4700 router connecting to two T1 lines to Sprint, one in So-Cal, one in Texas, to provide us with load balancing and failover capability. In this case both links are with Sprint but that is a temporary thing. We have 2 class C address spaces we got from Sprint that we now can link to other services. Sprint will not support using a 4700 router for full internet routing tables so we will be upgrading to a 7500 series router when we make the connection in a few months to other services. We have had these class C addresses for over a year as a normal link before we decided that we needed the redundancy and went to BGP4. It's not cheap but is the right way to go.
David Lang
Digital Insight

On Thu, 10 Jul 1997 mikech@avana.net wrote:

> ------------------------
> From: Paul Ferguson
> Subject: Re: Two ISP's to one DMZ
> Date: Wed, 09 Jul 1997 17:25:23 -0400
> To: "Mark Horn [ Net Ops ]"
> Cc: Firewalls@GreatCircle.COM
>
> > At 11:40 AM 07/09/97 -0400, Mark Horn [ Net Ops ] wrote:
> >
> > > I have no idea what you are referring to with regards to "BGP also
> > > requires that you have portable address space" -- this is certainly
> > > incorrect. Perhaps you meant something else, or meant it in a
> > > different context?
>
> Nope, as I stated previously, how do you route one ISP's CIDR addresses
> through another ISP? Are you saying I can grab a chunk of Sprint's CIDR
> (Classless Inter-Domain Routing) address space and reroute it through MCI?
> Will it be added to the MCI routing tables as a separate entry? How will
> Sprint remove the class C from its CIDR block? Won't this fragment the hell
> out of the backbone routing tables?
>
> I understand you have quite a few resources available (Cisco is a pretty big
> company after all ;^). Do you have any real world examples of BGP being used
> by a company with a couple of class C's supplied by an ISP to route in a
> failover situation through another ISP?
>
> > > Having only looked at it superficially, dynamic DNS + NAT seems like a
> > > workable solution when BGP isn't available. But if BGP is available, it
> > > seems better. And that's simply on a performance basis. BGP also
> > > provides policy setting that DNS doesn't.
> >
> > Exactly how does NAT and DNS provide for the announcement of AS's
> > and/or prefixes into the global routing system?
>
> It doesn't. It is an *alternate* solution. You can remap Internal address
> space to multiple external IPs. These IPs could even come from different ISPs.
> The dynamic DNS allows you to remap inbound connections by changing the IPs a
> domain name is associated with in real time.
>
> See my previous post for an example of a multi-homed NAT failover example.
>
> > --
> > Paul Ferguson
> > Consulting Engineering
> > Herndon, Virginia USA
> > tel: +1.703.397.5938
> > e-mail: pferguso@cisco.com    cisco Systems
>
> ---------------End of Original Message-----------------
>
> Mike
> --
> 00:29:36
> 07/10/97
> _______________________________________________________________________
> Michael W. Chalkley          Tel: +1.770.823.7846
> ZapNet! Inc.                 Fax: +1.770.475.7640
> Suite 400-120                E-mail: mikech@well.com
> 10945 State Bridge Road              mikech@avana.net
> Alpharetta, GA 30202      (wireless) mikech@radiomail.net

From owner-firewalls-outgoing Thu Jul 10 14:35:21 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA20771 for firewalls-outgoing; Thu, 10 Jul 1997 12:54:21 -0700 (PDT) Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id MAA20669 for ; Thu, 10 Jul 1997 12:53:57 -0700 (PDT) Received: from Starbase.NeoSoft.COM (starbase.neosoft.com [206.109.7.129]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with ESMTP id NAA29279 for ; Thu, 10 Jul 1997 13:00:22 -0700 (PDT) Received: (from mckee@localhost) by Starbase.NeoSoft.COM (8.8.4/8.8.3) id OAA24604 for firewalls@greatcircle.com; Thu, 10 Jul 1997 14:57:46 -0500 (CDT) From: George McKee Message-Id: <199707101957.OAA24604@Starbase.NeoSoft.COM> Subject: Enterprise Extranet Firewalls To: firewalls@greatcircle.com Date: Thu, 10 Jul 1997 14:57:46 -0500 (CDT) X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Here's a change-of-pace from vendor-bashing and hardcore technical issues. I'm working with a large multinational manufacturing company on their fourth generation of firewall architectures.
This company has many suppliers and warehouses at many sites around the world (see "JIT" and "supply-chain management systems" in your favorite buzzword dictionary) that it needs to share data systems with. Since the data links join different companies, they need to be firewalled. These firewalls cannot be your usual Internet black box; they need more general capabilities. Our impression is that these requirements are significantly beyond the state of the art -- from the viewpoint of this company, there are no "industrial strength" firewall products available. Because of that, the following list of requirements is offered to firewall developers (and researchers!) in the context of an RFF -- a Request For Features.

Consider the firewall market as segmented like this:

* Small Business: needs low cost and awesome simplicity. Like Raptor's "The Wall" if you're serious about security, Microsoft's Proxy Server if you're not that concerned.

* Medium Business: most of the firewall products fit here.

* Large Enterprise: probably has security experts who have built an architecture with multi-level security from existing products. This supports Internet access fairly well, but can be a Procrustean Bed (*) for Extranet applications.

Here's what we think an Enterprise-class Extranet firewall needs:

(1) DBMS support - Oracle SQL*Net v2 and Microsoft SQL Server 6.5 at a minimum.

(2) symmetry - There must be no architectural distinction between "inside" and "outside" networks. Sometimes the server is at my company, sometimes it is at the other company. There may be hundreds of clients on either side. The gatewaying behavior must recognize which interface a session or datagram arrived at and respond according to configuration, but the configuration capabilities that are available must be identical for every interface.

(3) High availability (fault tolerance) - if the firewall is down for any reason, including software updates, the production lines stop. Since this company is overbooked on many products, any unit that isn't built is money lost. Load-sharing via server replication gains fault-tolerance as a side effect, but firewalls need to participate in routing protocols for this to work, and the protocols need to support load balancing, not simply hopcount metrics (i.e. RIP doesn't really work).

(4) Microsoft support - Yes, we're aware of the deficiencies in their architectural discipline, but that doesn't eliminate the business need to share NT-based resources. We need controlled, logged gateways for NTLM shared filesystems, administration tools such as Event Viewer and User Manager for Domains, and client-server systems such as Visual SourceSafe and SMS. Outlook/Exchange can already be gatewayed with generic services.

(5) Application protocol extensibility - nobody can expect any firewall vendor to support every application's protocols, but custom apps are critical to any large company's operations. Some of these may use sophisticated brokered load-sharing methods that cannot be gatewayed via simple Generic Service features that work only for single-port TCP sessions. Yet these need to be managed with the same fine-grained control that firewall products have already developed for their standard protocols.

(6) Unified administration of multiple sites - this goes beyond remote administration, which they already have -- since there may be dozens of remote sites supporting Extranet access, this company wants the firewall software itself to enforce basic aspects of policy, with the administrator at the remote site having only limited configuration capability, e.g. adding new standard-type sites. For reason (3) above, policy changes must not require a restart or reinstallation.

(7) Network Address Translation - this company uses RFC1597 private IP addresses for internal hosts, so do many of its partners, causing numbering conflicts. This company has a corporate policy of hiding real addresses of internal hosts from outside systems, as well.

(8) Runs on Compaq hardware - this company has a purchasing agreement with Compaq that can't be beat. Any OS the firewall software is hosted on must support Compaq's SMART SCSI disk controllers, again for reason (3). A turnkey black box with superior capability on all other requirements might get a foot in the door.

(9) Secure support for server monitoring - like any large enterprise, this company does routine performance and health monitoring of all network equipment: routers, hubs, and servers. It happens to use HP OpenView Node Manager and Operations Center, and BMC Patrol, as well as Compaq Insight Manager. The firewall should permit itself to be monitored by these tools without permitting access from unauthorized "management" sites. Blocking by means stronger than customizable SNMP community strings is a requirement.

(10) Telnet/TN3270/TN5250, FTP, HTTP, SMTP, and NNTP -- of course. DNS, NTP and Netscape SECNEWS optional.

(11) Off-host, transaction-level logging for all services for which the notion of a transaction is meaningful, not just HTTP and FTP. Some form of logging for EVERYTHING is a must, even UDP and ICMP. Consolidation of logs into statistical reports is required to make exception-based auditing a valid, practical strategy.

(12) Single-use password for Telnet and FTP (e.g. Security Dynamics ACE/Server) would be a plus.

(13) Support for SNA (RJE printing, APPC/AFTP) would be a double plus, since many suppliers use IBM "mainframes", AS400's and S390's.

The company I'm working with needs to implement in the next three months. If you're a firewall vendor with a product that satisfies requirements (1) through (10) with available product or beta code, I'm probably not the only one who'd be interested in hearing about it.
If you can't match this list, don't bother to respond to me -- respond by changing your development priorities from toys like RealAudio to features that enable companies to get real work done better, faster, and more reliably. We'll be reviewing the requirements and the market again in a year or so, and you can get in on the next evaluation cycle. Cheers, - George McKee (*) Procrustes was a king in Greek mythology who provided an unusually short bed for his guests to sleep on. If a guest complained, rather than providing them with a longer bed, he would have their feet cut off, at just the right distance from the knee to make the bed a proper size. -- Internet: mckee@neosoft.com Voice: +1 281 518 7991 Disclaimer: neosoft is just an access provider. Evolution: Selective replication from a population with heritable variation. Evolution of Complexity: Like with size, there's always room at the top, if the infrastructure can handle the load. From owner-firewalls-outgoing Thu Jul 10 15:18:57 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA26157 for firewalls-outgoing; Thu, 10 Jul 1997 13:20:32 -0700 (PDT) Received: from mail.clark.net (mail.clark.net [168.143.0.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA26127 for ; Thu, 10 Jul 1997 13:20:24 -0700 (PDT) Received: from user (18.tampa-002.fl.dial-access.att.net [207.146.89.18]) by mail.clark.net (8.8.5/8.6.5) with SMTP id QAA18851 for ; Thu, 10 Jul 1997 16:24:30 -0400 (EDT) Message-Id: <3.0.1.32.19970710162254.008ac6e0@clark.net> X-Sender: mht@clark.net X-Mailer: Windows Eudora Pro Version 3.0.1 (32) Date: Thu, 10 Jul 1997 16:22:54 -0400 To: firewalls@greatcircle.com From: Mark Teicher Subject: Training Sources for security/firewall knowledge.. 
Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Does anybody know of good sources to gain skill sets for certifications of security experts and firewall knowledge?? Books, Schools, Universities,?? Crime schools?? Previous Engineering managers? Ex- UPS Managers ?? Work for local ISPs? Search out old hackers?? Irritate x-employers? Where do you go to become a security expert?? ######################################################### 'Turn on, Boot Up, Jack in' ######################################################### From owner-firewalls-outgoing Thu Jul 10 16:49:35 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id QAA06107 for firewalls-outgoing; Thu, 10 Jul 1997 16:26:59 -0700 (PDT) Received: from smtp.chsnet.com ([207.126.67.36]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id QAA06093 for ; Thu, 10 Jul 1997 16:26:52 -0700 (PDT) Received: by smtp.chsnet.com(Lotus SMTP MTA v1.05 (274.9 11-27-1996)) id 882564D0.008118B7 ; Thu, 10 Jul 1997 16:30:04 -0700 X-Lotus-FromDomain: CHCC From: "Adam Todd" To: firewalls@greatcircle.com Message-ID: <882564D0.0082ED6F.00@smtp.chsnet.com> Date: Thu, 10 Jul 1997 16:57:00 -0700 Subject: Cyberguard 3.x and QuakeWorld Mime-Version: 1.0 Content-type: text/plain; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I know this isn't real productive but I REALLY want (need!) to play QuakeWorld through our CyberGuard firewall. Does anyone know of a proxy that will work with Cyberguard? I am even desperate enough to open up any ports needed. I hope someone has the same firewall and addiction that I have.... 
From owner-firewalls-outgoing Thu Jul 10 16:55:09 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id QAA04518 for firewalls-outgoing; Thu, 10 Jul 1997 16:13:33 -0700 (PDT) Received: from Gudrun.passagen.se (gudrun.passagen.se [194.17.55.66]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id QAA04501 for ; Thu, 10 Jul 1997 16:13:23 -0700 (PDT) Received: from t25461 (dialup80-8-7.swipnet.se [130.244.80.167]) by Gudrun.passagen.se (8.8.5/8.8.5) with SMTP id BAA28478; Fri, 11 Jul 1997 01:17:20 +0200 (MDT) Message-Id: <3.0.2.32.19970711011713.0090cd10@hem.passagen.se> X-Sender: fno@hem.passagen.se X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.2 (32) Date: Fri, 11 Jul 1997 01:17:13 +0200 To: "Holt, Gail" From: Fredrik Nordgren Subject: Re: Lotus Notes Cc: firewalls@greatcircle.com In-Reply-To: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

At 11:49 1997-07-10 +0800, you wrote:
>1. via the Internet (which they should already be able to do)

Why not. Install an extra NIC to run Lotus Notes/Domino server on the DMZ. Disable all ports except 1352/TCP. Turn on encryption on the DMZ interface and you're ready to go...

If you want to make it even harder for hackers, set up filter lists / rules in routers / firewalls to only allow traffic from/to certain sources. You could even set up your Notes/Domino server to be the one initiating *all* connections and then your inside -> outside scheme would work too...
/Fredrik From owner-firewalls-outgoing Thu Jul 10 17:04:58 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id PAA21311 for firewalls-outgoing; Thu, 10 Jul 1997 15:23:24 -0700 (PDT) Received: from suncomp (suncomp.compusep.com [200.12.79.33]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id PAA21244 for ; Thu, 10 Jul 1997 15:23:02 -0700 (PDT) Received: from 200.12.79.33.www.compusep.com by suncomp (SMI-8.6/SMI-SVR4) id RAA03237; Thu, 10 Jul 1997 17:22:44 -0500 Message-Id: <199707102222.RAA03237@suncomp> From: "Axel Quero" To: Date: Thu, 10 Jul 1997 17:23:04 -0600 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1157 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk remove From owner-firewalls-outgoing Thu Jul 10 17:20:28 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id PAA20521 for firewalls-outgoing; Thu, 10 Jul 1997 15:18:39 -0700 (PDT) Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA01136 for ; Thu, 10 Jul 1997 13:42:51 -0700 (PDT) Received: from mail.ka.inka.de (quechua.inka.de [193.197.84.5]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with ESMTP id MAA29060 for ; Thu, 10 Jul 1997 12:52:42 -0700 (PDT) Received: from uu.inka.de ([193.197.84.8]) by mail.ka.inka.de with smtp (ident root using rfc1413) id m0wmPE0-0004JwC (Debian Smail-3.2 1996-Jul-4 #2); Thu, 10 Jul 1997 21:50:00 +0200 (MET DST) Received: from lina.inka.de (lists@lina.inka.de) by uu.inka.de with bsmtp (S3.1.29.1) id ; Thu, 10 Jul 97 21:50 MET DST Received: by lina.inka.de id m0wmP7K-00014AC (Debian Smail-3.2 1996-Jul-4 #2); Thu, 10 Jul 1997 21:43:06 +0200 (CEST) Message-Id: Date: Thu, 10 Jul 1997 21:43:05 +0200 From: Bernd Eckenfels To: "David A. 
Baldwin" Cc: firewalls@greatcircle.com Subject: Re: Faking IPaddresses References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.67 In-Reply-To: ; from David A. Baldwin on Thu, Jul 10, 1997 at 01:22:30PM -0400 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hello,

On Jul 10, David A. Baldwin wrote
> However, I may have a client with a laptop set up to use IP address
> 128.8.10.5 and another client with a laptop set up to use IP address
> 10.1.1.130 and I want to be able to plug them into the same ethernet HUB
> and have that HUB plugged into my internet router, and have them both use
> the internet seamlessly.

You can use a dedicated interface on a Linux box. On this interface the Linux box will proxy ARP for all addresses. At the first incoming packet Linux will assign a route to its source address with a little script around tcpdump. With the IP masquerade feature assigned to all incoming packets on this guest port you are done. Expire the routes to the source after a day, and it's possible to plug in even multiple hosts.

Greetings
Bernd

--
  (OO)      -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de --
 ( .. )  ecki@{inka.de,linux.de,debian.org}  http://home.pages.de/~eckes/
  o--o     *plush*  2048/93600EFD  eckes@irc  +4972573817  BE5-RIPE
(O____O)  If privacy is outlawed only Outlaws have privacy

From owner-firewalls-outgoing Thu Jul 10 17:31:22 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA13091 for firewalls-outgoing; Thu, 10 Jul 1997 12:18:09 -0700 (PDT) Received: from ds1.gl.umbc.edu (ds1.gl.umbc.edu [130.85.3.11]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id LAA03472 for ; Thu, 10 Jul 1997 11:28:41 -0700 (PDT) Received: from umbc8.umbc.edu (umbc8.umbc.edu [130.85.3.8]) by ds1.gl.umbc.edu (8.8.5/8.6.9) with ESMTP id OAA01009 for ; Thu, 10 Jul 1997 14:32:37 -0400 (EDT) Received: from localhost (jjasen1@localhost) by umbc8.umbc.edu (8.8.5/8.6.9) with SMTP id OAA03855 for ; Thu, 10 Jul 1997 14:32:35 -0400 (EDT) X-Authentication-Warning: umbc8.umbc.edu: jjasen1 owned process doing -bs Date: Thu, 10 Jul 1997 14:32:35 -0400 (EDT) From: "John \"E.R.\" Jasen" cc: firewalls@GreatCircle.COM Subject: Re: Nonexistant NT security In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Thu, 10 Jul 1997, Alan wrote:

> Microsoft has a patch that is supposed to fix the problem. (There was an
> announcement on http://www.news.com/ about it.) There should be links
> there to where to find the patch. (I could not tell you where it is
> on Microsoft's web site as I find it very difficult to navigate. But then
> I do not use IE, as they do not have a Solaris version as of yet. (Thank
> Cthulhu!))

ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3/getadmin-fix

--
"What do you want?" -- Mr. Morden, Microsoft Sales VP
-- John E. Jasen // Systems Alchemist \\ jjasen1@umbc.edu --
-- My views are not those of UMBC, AFAIK. HTH. HAND.
--

From owner-firewalls-outgoing Thu Jul 10 17:42:27 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA10212 for firewalls-outgoing; Thu, 10 Jul 1997 14:29:05 -0700 (PDT) Received: from pse01.pios.com (PSE01.PIOS.COM [199.33.129.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id OAA10134 for ; Thu, 10 Jul 1997 14:28:45 -0700 (PDT) Received: by pse01.pios.com; (5.65v3.2/1.3/10May95) id AA04669; Thu, 10 Jul 1997 17:32:38 -0400 Received: from vaxe.PIOS.COM (vaxe.PIOS.COM) by gemini.pios.com (PMDF V5.0-6 #18985) id <01IL2VYDJIDC8WZNMF@gemini.pios.com> for firewalls@greatcircle.com; Thu, 10 Jul 1997 17:34:05 -0400 (EDT) Received: from cal_133.cal.pios.com (192.168.14.133) by PIOS.PIOS.COM (PMDF V5.0-6 #18984) id <01IL2VWLE9PS96W34Q@PIOS.PIOS.COM>; Thu, 10 Jul 1997 17:32:39 -0400 (EDT) Date: Thu, 10 Jul 1997 17:31:54 -0400 From: Bill Stout Subject: Re: Faking IPaddresses X-Sender: stoutb@192.168.0.37 To: "David A. Baldwin" , firewalls@greatcircle.com Message-Id: <2.2.32.19970710213154.008301e8@192.168.0.37> Mime-Version: 1.0 X-Mailer: Windows Eudora Pro Version 2.2 (32) Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

At 01:22 PM 7/10/97 -0400, David A. Baldwin wrote:
>I have a puzzle that I am trying to figure out. I have a conference room
>in my company which I would like to allow guests to access the internet
>from to show me demos and such.

Don't fake it. Set up a dial-out line, or set up your own permanent conference room PC. Whoa, my brain is too MS-centric. Or X-window terminal or Oracle NC or Mac or... Geeze, it takes forever for browser-only HW platforms to 'arrive'. (Chat: We want Netscape hardware, we want Netscape hardware...and reinvent the keyboard while you're at it, a browser machine is not a typewriter...)
Bill Stout From owner-firewalls-outgoing Thu Jul 10 17:55:50 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA03989 for firewalls-outgoing; Thu, 10 Jul 1997 11:31:14 -0700 (PDT) Received: from newfed.frb.gov (newfed.frb.gov [198.3.221.5]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id LAA03801 for ; Thu, 10 Jul 1997 11:30:27 -0700 (PDT) Received: from FRB.GOV (umailfwd@localhost) by newfed.frb.gov (8.8.5/8.8.5) with UUCP id OAA16824; Thu, 10 Jul 1997 14:08:06 -0400 (EDT) Received: from kryten.frb.gov by frbgate.FRB.GOV (4.1/SMI-4.0) id AA08330; Thu, 10 Jul 97 14:15:56 EDT Received: from localhost.frb.gov (localhost.frb.gov [127.0.0.1]) by kryten.frb.gov (8.8.5/8.8.5) with SMTP id OAA23775; Thu, 10 Jul 1997 14:15:50 -0400 (EDT) Message-Id: <199707101815.OAA23775@kryten.frb.gov> X-Authentication-Warning: kryten.frb.gov: localhost.frb.gov [127.0.0.1] didn't use HELO protocol X-Mailer: exmh version 1.6.5 12/11/95 To: Mike Shaver Cc: inskeep_chris@geologics.com, emily@us.checkpoint.com, adam@homeport.org, Firewalls@GreatCircle.COM Subject: Re: Check Point response to Mossad rumor` In-Reply-To: Your message of "Thu, 10 Jul 1997 10:43:04 EDT." <199707101443.KAA16842@neon.ingenia.ca> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Thu, 10 Jul 1997 14:15:50 -0400 From: "Jonathan M. Bresler" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Mike Shaver wrote: > >Microsoft does sell source licenses, and also has an educational-user >source license programme. > for all of NT ??? i have never heard of any company getting the source to all of NT. i have spoken with people at a number of TLA (three letter acronym) companies about this...none of them could get all the source...critical pieces were always missing. perhaps this has changed ? jmb -- Jonathan M. Bresler 202-452-2831 breslerj@frb.gov MS-169 Federal Reserve Board of Governors Washington DC 20551 Speaking for myself. 
Others speak for the Federal Reserve Board of Governors From owner-firewalls-outgoing Thu Jul 10 18:35:06 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id SAA25869 for firewalls-outgoing; Thu, 10 Jul 1997 18:09:17 -0700 (PDT) Received: from mail.clark.net (mail.clark.net [168.143.0.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id SAA25807 for ; Thu, 10 Jul 1997 18:09:03 -0700 (PDT) Received: from user (91.tampa-001.fl.dial-access.att.net [207.146.88.91]) by mail.clark.net (8.8.5/8.6.5) with SMTP id VAA23648 for ; Thu, 10 Jul 1997 21:13:16 -0400 (EDT) Message-Id: <3.0.1.32.19970710211126.008a05d0@clark.net> X-Sender: mht@clark.net X-Mailer: Windows Eudora Pro Version 3.0.1 (32) Date: Thu, 10 Jul 1997 21:11:26 -0400 To: firewalls@greatcircle.com From: Mark Teicher Subject: What is this thing called Site Patrol?? Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Like the question states.. What is it?? 
######################################################### 'Turn on, Boot Up, Jack in' ######################################################### From owner-firewalls-outgoing Thu Jul 10 18:50:07 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id SAA03673 for firewalls-outgoing; Thu, 10 Jul 1997 18:47:56 -0700 (PDT) Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id SAA03018 for ; Thu, 10 Jul 1997 18:44:00 -0700 (PDT) Received: from pse01.pios.com (PSE01.PIOS.COM [199.33.129.2]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with SMTP id RAA05764 for ; Thu, 10 Jul 1997 17:49:14 -0700 (PDT) Received: by pse01.pios.com; (5.65v3.2/1.3/10May95) id AA28364; Thu, 10 Jul 1997 20:46:32 -0400 Received: from vaxa.PIOS.COM (vaxa.PIOS.COM) by gemini.pios.com (PMDF V5.0-6 #18985) id <01IL32QQS2PC8X0KGS@gemini.pios.com> for firewalls@greatcircle.com; Thu, 10 Jul 1997 20:47:58 -0400 (EDT) Received: from cal_133.cal.pios.com (192.168.14.133) by PIOS.PIOS.COM (PMDF V5.0-6 #18984) id <01IL32OZE2C096WECM@PIOS.PIOS.COM>; Thu, 10 Jul 1997 20:46:34 -0400 (EDT) Date: Thu, 10 Jul 1997 20:45:48 -0400 From: Bill Stout Subject: Re: Enterprise Extranet Firewalls X-Sender: stoutb@192.168.0.37 To: George McKee , firewalls@greatcircle.com Message-Id: <2.2.32.19970711004548.0088ca50@192.168.0.37> Mime-Version: 1.0 X-Mailer: Windows Eudora Pro Version 2.2 (32) Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Many of the items you mention can be done via Cisco routers (circuit load balancing, hot-standby, multi-protocols, SNA connections or ESCON/Bus&Tag <->TCP/IP for MVS processing offload, and NAT). The internet feed definitely (IMO) should be handled via proxy servers, but internal (semi-trusted) networks can be in general handled by packet filters. 
I highly recommend partitioning your network, maybe like this:

                 |-pfFW-www/ftp
                 |
                 |-pfFW-Partner net (Tunnel servers, NAT boxes,
Internet -|-psFW-|                   process servers)
  BGP/AS  |      |-pfFW-Production net
Internet -|-psFW-|
          |   ^  |-pfFW-Development net
          |   ^  |
  Proxy servers w/   |          IP Failover
  +-Hot standby  Packet Filter FWs   Scripts

The partner network can be tunneled across the internet, and can access systems inside the production network (being filtered, not proxied). You might even come up with a simple NAT/1597 scheme for the partner network, since the addresses don't cross the internet. UDP delays will always be a problem overseas, tunneling or not. This will allow them to access MS-Visual Source Safe / Exchange / SMS systems, and you to administer remote boxes via the funky MS port numbers.

The proxy servers can use just IP failover, you don't need to share disk, therefore don't worry about the proprietariness of the Compaq architecture.

For a company I worked for, I also fought for and won partitioning the applications, and three-tiering the database app. Also I separated the development group network (from production) which was tainted with forced EDSnet connections (remote development) and a high turnover of personnel working on similar projects with competing companies. Using packet filter firewalls between semi-trusted networks in combination with network surveillance PCs (from ISS or other soon to be announced products) allows you to keep up with development engineer demands (license servers, compile servers, source code control systems, etc).

 o Database server (Oracle)
 o Process server (C++ O-O core business stuff)
 o Administrative server (NIS+, License server, PC-NFS auth daemon, SecID, NTP)
 o File/storage server (NFS and Office files)
 o Compile server
 o Mailserver (SMTP)

Business application:

Sparc 1000   <-->  Sparc 20          <----->  Sparc 5           <---------->  Client
Database Svr       Business rules             GUI server (web)               Browser
(Oracle)           (Persistence OO)           (Netscape)                     (w/certificate)

Remember, the KISS principle. This is a collection of a few suggestions, your network needs to be thought out with input from your business application development group, and will take longer than three weeks to hash out.

It would be 'cool' if someone integrated Cisco filter table management into a firewall rule base for easier single-point administration.

Hope this helps.

_____________________________________________________________________________
Bill Stout (Systems Engineer/Consultant)                stoutb@pios.com
Pioneer Standard (Computer Systems & Components)        http://www.pios.com/
San Jose, CA (Location of 1 of 52 U.S.
offices) (408) 954-9100 *My opinions do not reflect that of the company, and vice versa, thankfully.*

From owner-firewalls-outgoing Thu Jul 10 18:52:54 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA04010 for firewalls-outgoing; Thu, 10 Jul 1997 11:31:23 -0700 (PDT) Received: from innovation.capgemini.fr (eniac.innovation.capgemini.fr [194.2.88.129]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id LAA03966 for ; Thu, 10 Jul 1997 11:31:06 -0700 (PDT) Received: from crp.innovation.capgemini.fr (magic.innovation.capgemini.fr [194.2.89.1]) by innovation.capgemini.fr (8.6.9/8.6.9) with ESMTP id UAA29251 for ; Thu, 10 Jul 1997 20:33:06 +0200 Received: from jclemass.innovation.capgemini.fr (jclemass.innovation.capgemini.fr [194.2.89.118]) by crp.innovation.capgemini.fr (8.6.9/8.6.9) with SMTP id UAA07305 for ; Thu, 10 Jul 1997 20:35:30 +0200 Received: by jclemass.innovation.capgemini.fr with Microsoft Mail id <01BC8D70.DD851030@jclemass.innovation.capgemini.fr>; Thu, 10 Jul 1997 20:35:55 +0200 Message-ID: <01BC8D70.DD851030@jclemass.innovation.capgemini.fr> From: Jean-Charles Lemasson To: "'Firewalls@GreatCircle.COM'" Cc: "'Jean-Charles Lemasson'" Subject: Analyzing CISCO access-lists logs Date: Thu, 10 Jul 1997 20:35:54 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi everybody,

I'm currently using access-lists on CISCO routers, and when these access-lists are violated this produces output like this on a syslog server:

Mar 24 13:15:05.602 MET: %SEC-6-IPACCESSLOGP: list 123 denied tcp (16998) -> (23), 1 packet

.... And so on...

I would like to have a more friendly log analysis based on these logs. Does anyone know about a tool which can analyse them better? Particularly, I would like to be warned in real time - or almost - when some attacks occur, like a "classical" firewall does? Maybe I have to design my own tool?

Thank you for all suggestions.

Jean-Charles

From owner-firewalls-outgoing Thu Jul 10 19:15:58 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA06870 for firewalls-outgoing; Thu, 10 Jul 1997 14:11:59 -0700 (PDT) Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id OAA06532 for ; Thu, 10 Jul 1997 14:10:34 -0700 (PDT) Received: from main.geminisecure.com (main.geminisecure.com [205.179.16.1]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with SMTP id NAA01061 for ; Thu, 10 Jul 1997 13:47:46 -0700 (PDT) Received: (from leonard@localhost) by main.geminisecure.com (8.6.9/8.6.9) id NAA00541; Thu, 10 Jul 1997 13:40:49 -0700 Date: Thu, 10 Jul 1997 13:40:48 -0700 (PDT) From: Leonard Miyata To: "Magossa'nyi A'rpa'd" cc: Firewall list Subject: Re: Firewall and B2?? In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Content-Transfer-Encoding: QUOTED-PRINTABLE Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

In what context??? Red Book ratings don't apply to Firewall functionality. On the other hand, Orange Book ratings of B2 and higher would make sense. Using the security kernel to enforce and protect against buffer over-writes, internal configuration corruption and encryption key disclosure would add a great deal of confidence in the product. The rating would only apply to internal protections within the firewall, not to the security of external network connections in general.

Personal Opinions provided by Leonard Miyata aka leonard@geminisecure.com
GEMINI COMPUTERS INC.

On Thu, 10 Jul 1997, Magossa'nyi A'rpa'd wrote:

> Hi!
>
> I should have missed something.
> I thought firewalls are not too much to do
> with security scalings like B1 and C2. Now someone told me he wants to see
> only B1 firewalls here. What's the truth?
>
> Giving URLs or one sentence answers in direct mail would suffice. I'll
> summarize.
>
> ---
> GNU GPL: only from a pure source (csak tiszta forrásból)
>
>

From owner-firewalls-outgoing Thu Jul 10 19:20:05 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id TAA07784 for firewalls-outgoing; Thu, 10 Jul 1997 19:07:31 -0700 (PDT)
Received: from smtp1.erols.com (smtp1.erols.com [205.252.116.101]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id TAA07631 for ; Thu, 10 Jul 1997 19:07:01 -0700 (PDT)
Received: from inskeepc.erols.com (spg-tnt-fe-1s71.erols.com [207.172.95.71]) by smtp1.erols.com (8.8.6/8.8.5) with SMTP id WAA04793; Thu, 10 Jul 1997 22:15:57 -0400 (EDT)
Message-ID: <33C5974A.7957@geologics.com>
Date: Thu, 10 Jul 1997 22:15:38 -0400
From: Chris Inskeep
Reply-To: inskeep_chris@geologics.com
Organization: GeoLogics Corporation
X-Mailer: Mozilla 3.01Gold (Win95; U)
MIME-Version: 1.0
To: "Jonathan M. Bresler"
CC: Mike Shaver , emily@us.checkpoint.com, adam@homeport.org, Firewalls@GreatCircle.COM
Subject: Re: Check Point response to Mossad rumor`
References: <199707101815.OAA23775@kryten.frb.gov>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Jonathan M. Bresler wrote:
>
> Mike Shaver wrote:
> >
> >Microsoft does sell source licenses, and also has an educational-user
> >source license programme.
> >
>
> for all of NT ???
>
> i have never heard of any company getting the source to all of NT.
> i have spoken with people at a number of TLA (three letter acronym) companies
> about this...none of them could get all the source...critical pieces were
> always missing.
>
> perhaps this has changed ?
>
> jmb
> --
> Jonathan M. Bresler 202-452-2831 breslerj@frb.gov
> MS-169 Federal Reserve Board of Governors Washington DC 20551
> Speaking for myself. Others speak for the Federal Reserve Board of Governors

Last one, I promise. If Jonathan is right, then PLEASE get off Checkpoint's back. Trying to perfect the French Fry, this thread is very distracting, and, frankly, my recipe is probably more valuable to the future of humanity.......

By the way, I've been asked to secure a network of roughly 3,000 users who have been mandated to get onto the net. We've got about $30M to spend, anyone have any ideas?

-- Source code analysis is NOT a solution --

By the way, I have NO sense of humor when it comes to messing with my clients.......

Cheers -- by the way, the Rizzardi Amorone is superb.........

chris

From owner-firewalls-outgoing Thu Jul 10 19:35:12 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA09139 for firewalls-outgoing; Thu, 10 Jul 1997 14:23:56 -0700 (PDT)
Received: from mail.advancenet.net (hermes.cu-online.com [205.198.248.82]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id OAA09119 for ; Thu, 10 Jul 1997 14:23:50 -0700 (PDT)
Received: from argus-systems.com (ranger.argus-systems.com [206.221.232.80]) by mail.advancenet.net (8.8.6/8.7.3) with SMTP id QAA12909; Thu, 10 Jul 1997 16:24:54 -0500
Received: by argus-systems.com (SMI-8.6/SMI-SVR4) id QAA22436; Thu, 10 Jul 1997 16:32:35 -0500
Date: Thu, 10 Jul 1997 16:32:35 -0500
From: mcnabb@argus-systems.com (Paul McNabb)
Message-Id: <199707102132.QAA22436@argus-systems.com>
To: firewalls@GreatCircle.COM, mag@bunuel.tii.matav.hu
Subject: Re: Firewall and B2??
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Date: Thu, 10 Jul 1997 17:21:38 +0100
> From: "Magossa'nyi A'rpa'd"
>
> I should have missed something. I thought firewalls are not too much to do
> with security scalings like B1 and C2. Now someone told me he wants to see
> only B1 firewalls here.
> What's the truth?

You are correct, C2/B1 harden the OS and may make a firewall more secure, but they aren't directly related to the security provided by the firewall. This type of security is generally needed only if you are allowing other network services on the firewall system or if you are allowing firewall management via a LAN.

Argus sells a B1 version of Checkpoint on Solaris, but it should work with any firewall running on Solaris. We also have an "enhanced C2" that gets rid of superuser on Solaris without the B1 stuff, and it is also available for use with firewalls. This stuff runs on Solaris 2.4 and 2.5.1. We will shortly have a Solaris 2.6 version available.

Some people are using our Decaf with a firewall or web site for the same purpose -- to harden the OS.

Please notice from my signature that I might be a bit biased...

paul

---------------------------------------------------------
Paul McNabb                      Argus Systems Group, Inc.
Vice President and CTO           1809 Woodfield Drive
mcnabb@argus-systems.com         Savoy, IL 61874 USA
TEL 217-355-6308                 FAX 217-355-1433
"Securing the Future"
---------------------------------------------------------

From owner-firewalls-outgoing Thu Jul 10 20:05:31 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA15360 for firewalls-outgoing; Thu, 10 Jul 1997 09:46:48 -0700 (PDT)
Received: from smtp3.erols.com (smtp3.erols.com [205.252.116.103]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id JAA15330 for ; Thu, 10 Jul 1997 09:46:35 -0700 (PDT)
Received: from inskeepc.erols.com (spg-tnt-fe-1s119.erols.com [207.172.95.119]) by smtp3.erols.com (8.8.6/8.8.5) with SMTP id MAA17360; Thu, 10 Jul 1997 12:50:42 -0400
Message-ID: <33C513F5.305E@geologics.com>
Date: Thu, 10 Jul 1997 12:55:17 -0400
From: Chris Inskeep
Reply-To: inskeep_chris@geologics.com
Organization: GeoLogics Corporation
X-Mailer: Mozilla 3.01Gold (Win95; U)
MIME-Version: 1.0
To: Firewalls@GreatCircle.COM
Subject: Call for Papers/Speakers
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The U. S. Department of Agriculture is sponsoring a computer security conference entitled: Practical Security for Sensitive Systems, to be held 29 - 31 October 1997 in Williamsburg, VA. This is a conference for security officers, managers, and system administrators to offer specific advice on protecting their systems in 1998. We will issue invitations for attendance in mid-August; if you want to be added to that list, let me know.

The purpose of this message is that we are issuing a call for papers and speakers to participate in this conference. Responses to this call are requested not later than 1 August 1997. Please respond with a short (1 page or so) summary of the topic with significant points, a 50 word summary of related experience, and contact information. We will notify selected speakers by 5 August. If you need help with logistics, please let me know when you submit.

Topics of specific interest include the following:

Case studies of significant security incidents: how was the attack detected, investigated, terminated, what worked, what didn't work, countermeasures implemented to prevent a future similar successful attack (e.g., firewall(s)).

Recovery from significant security incidents: focus on the measures in place prior to the attack and how they enabled/hindered recovery. What worked, what didn't work, and countermeasures implemented to facilitate future recovery efforts.

A survey of vulnerabilities associated with popular countermeasures (e.g., firewalls).

Network security architectures with layered countermeasures (e.g., internal firewalls) to limit penetration of networks once the front line countermeasure has failed.

Use of firewalls with other types of countermeasures (e.g., intrusion detection systems, access control lists, one time password systems, encryption) to address specific threats.

Thanks!
Chris Inskeep
Conference Manager

From owner-firewalls-outgoing Thu Jul 10 20:15:08 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA08156 for firewalls-outgoing; Thu, 10 Jul 1997 14:18:53 -0700 (PDT)
Received: from mail.diginsite.com (mail.diginsite.com [208.2.189.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id OAA08140 for ; Thu, 10 Jul 1997 14:18:46 -0700 (PDT)
Received: from mail.diginsite.com (mail.diginsite.com [208.2.189.2]) by mail.diginsite.com (8.8.5/8.8.3) with SMTP id OAA07880; Thu, 10 Jul 1997 14:19:27 -0700
Date: Thu, 10 Jul 1997 14:19:27 -0700 (PDT)
From: David Lang
To: "David A. Baldwin"
cc: firewalls@GreatCircle.COM
Subject: Re: Faking IPaddresses
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Other than setting up an address translator that you configure for each laptop as needed to make the internet think the laptop is a machine on your network.

David Lang

On Thu, 10 Jul 1997, David A. Baldwin wrote:
> I have a puzzle that I am trying to figure out. I have a conference room
> in my company which I would like to allow guests to access the internet
> from to show me demos and such. I would like to allow them to plug in
> their laptop into my ethernet hub in order to allow this access.
>
> Most of my customers have laptops with ethernet cards that they have
> preconfigured for their own environment. I would like to allow them to
> plug into my ethernet without any reconfiguration on their laptops
> (running WinNT or Win95). After they are plugged in, I would expect that
> they be able to access the internet.
>
> I do know that if they are using DHCP, there would be no issue; I could set
> up a server that would dole out an IP address for them to use. However, I
> can not depend on the fact that they are using DHCP.
> I also know that I
> could use NAT or some sort of proxy that proxies info to and from them to
> the internet, so if they were using illegal IP addresses there would be no
> issues.
>
> However, I may have a client with a laptop set up to use IP address
> 128.8.10.5 and another client with a laptop set up to use IP address
> 10.1.1.130 and I want to be able to plug them into the same ethernet HUB
> and have that HUB plugged into my internet router, and have them both use
> the internet seamlessly.
>
> Does anyone have any suggestions for something like this? My guess is that
> this would take some sort of Dynamic Routing, and dynamic proxying to
> accomplish this.
>
> Anyway, if there are any suggestions, I would love to hear them.
>
> Thanks much,
>
> David Baldwin
>
> Web Designer, Inc.
> voice: (301)896-9421
> email: daveyb@web-designer.com
>
>

From owner-firewalls-outgoing Thu Jul 10 20:24:43 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id TAA14588 for firewalls-outgoing; Thu, 10 Jul 1997 19:36:49 -0700 (PDT)
Received: from elektra.ultra.net (elektra.ultra.net [199.232.56.13]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id TAA14438 for ; Thu, 10 Jul 1997 19:35:58 -0700 (PDT)
Received: from zandar.judgefamily.org (joesmac.ultranet.com [199.232.59.222]) by elektra.ultra.net (8.8.5/ult1.06) with SMTP id WAA15016; Thu, 10 Jul 1997 22:40:09 -0400 (EDT)
Received: by zandar.judgefamily.org with Microsoft Mail id <01BC8D82.5D237140@zandar.judgefamily.org>; Thu, 10 Jul 1997 22:41:10 -0400
Message-ID: <01BC8D82.5D237140@zandar.judgefamily.org>
From: Joseph Judge
To: "firewalls@GreatCircle.COM" , "'Paul W. Weyman'"
Subject: RE: Web access to Oracle DB
Date: Thu, 10 Jul 1997 22:41:09 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Unrestricted communications with the backend DB server are not such a great idea ... especially if that