From owner-firewalls-list Wed Oct 1 00:44:43 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA24577; Tue, 30 Sep 1997 02:30:45 -0700 (PDT)
Received: from ildico.comnet.com.tr (ildico.comnet.com.tr [195.46.158.2]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id CAA24559 for ; Tue, 30 Sep 1997 02:30:21 -0700 (PDT)
Received: (from uucp@localhost) by ildico.comnet.com.tr (8.8.7/8.7.3) id MAA04640; Tue, 30 Sep 1997 12:33:01 +0300 (EET DST)
Received: from volkan.comnet.com.tr(195.46.159.10) by ildico.comnet.com.tr via smap (V2.0) id xma004637; Tue, 30 Sep 97 12:32:56 +0300
Message-Id: <3.0.3.32.19970930133329.00804100@mail.comnet.com.tr>
X-Sender: ferioli@mail.comnet.com.tr
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Tue, 30 Sep 1997 13:33:29 +0200
To: "steven.j.schulze" , firewalls
From: Michael Ferioli
Subject: Re: VLANs for Security Inside the Firewall
In-Reply-To: <9709290558.AA2100@notes2.compuserve.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 01:02 PM 9/28/97, steven.j.schulze wrote:
>I have a client who is running VLANs on Cisco switches, mostly for convenience
>and flexibility reasons. This client is wondering if any level of security
>is achieved due to this "virtual" network segmentation. I realize that VLANs
>are not firewalls, strong encryption+authentication, etc. however, to achieve
>separation and prevent snooping / interception, do the VLANs in effect take
>each node out of each other's "Collision Domain" (to use the Ethernet term)?
>Assume the worst-- competing clients on the network, with NICs in promiscuous
>mode (trivial to do today), what would that PC / Unix box see?

VLANs segregate switch ports into segments. In other words, once you have
created three VLANs, you can think of it as three separate physical switches.

Now, within each switched VLAN:

- Broadcasts are forwarded to each port (within the same VLAN)
- A packet is only forwarded from one port to another if the switch
  determines that the destination is reachable via another switch port
- A PC in promiscuous mode would be able to sniff:
  - Broadcasts within the same VLAN
  - Packets being sent across a hub connected to a single switch port

Typically you would use a router to route between VLANs. You can connect an
ethernet interface to each VLAN or you can create a global port and put
multiple addresses on the interface. That's a design issue. Some switches now
have routing capability built in.

To answer your question:

- Switching with no VLANs provides protection because not all users see all
  packets (each switch port is its own collision domain).
- Switching with no VLANs provides no protection against sniffing of
  broadcast packets.
- Switching with VLANs provides some protection against broadcast sniffing as
  long as the offending PC is not within the same VLAN.

Mike

+----------------------------------------------------------+
| Michael D. Ferioli                 ferioli@comnet.com.tr |
| Comnet A.S.                     http://www.comnet.com.tr |
+----------------------------------------------------------+

From owner-firewalls-outgoing Wed Oct 1 01:29:12 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id QAA08776 for firewalls-outgoing; Tue, 23 Sep 1997 16:02:29 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id PAA00920 for ; Tue, 23 Sep 1997 15:22:05 -0700 (PDT)
Received: from nexus.net.mx by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id OAA24801; Tue, 23 Sep 1997 14:38:25 -0700 (PDT)
Received: (from jdelgado@localhost) by nexus.net.mx (8.8.5/8.7.2) id QAA09676; Tue, 23 Sep 1997 16:39:55 -0600 (CST)
Date: Tue, 23 Sep 1997 16:39:54 -0600 (CST)
From: Jose Luis Delgado
To: Firewalls@GreatCircle.COM
Subject: two questions!
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi to everybody! I need a bit of your help! I apologize if this is off topic!

Question 1: I have two routers. With one of them, I can 'see' the Internet!
With the other I can't! I can just telnet to the first router! How can I
configure my router to 'route' to the Internet?? (Of course, I have an ISP.)

Question 2: I have a Sparc20 with 160MB running Raptor Firewall! And I have
another Sparc470 not utilized! I would like to use the SIMMs of the Sparc470
in the Sparc20!! Can I do that?? Are the SIMMs compatible??

Thanks in advance!

P.S.: Since I'm not on your mailing list, can you respond directly, please??
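An added example (not code from any of the posts) that models Michael Ferioli's description above as a small learning switch with VLANs, so you can see exactly which frames a promiscuous host on a given port would capture. Beyond what Ferioli lists, it also models two things the thread touches on: unknown-unicast flooding (a real switch floods a frame whose destination MAC it has not yet learned, so a sniffer sees those too until the MAC table fills) and the static MAC-to-port binding Eric Vyncke suggests in his own reply later in this digest. All MAC addresses, port numbers, VLAN ids and the traffic list are constructed for illustration.

```python
"""Toy model of a learning Ethernet switch with VLANs.

Added example illustrating the "VLANs for Security" thread (Ferioli's reply);
not code from any of the posts. MACs, ports, VLAN ids and the traffic sample
below are constructed for illustration.
"""
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    label: str  # human-readable tag used in the results


class Switch:
    """Learning switch: one MAC table per VLAN, flooding confined to the VLAN."""

    def __init__(self, port_vlan, pinned_macs=None):
        self.port_vlan = dict(port_vlan)            # port -> VLAN id
        self.pinned_macs = dict(pinned_macs or {})  # port -> only allowed source MAC
        self.mac_table = {}                         # (vlan, mac) -> port
        self.drops = []                             # (port, rejected source MAC)

    def forward(self, in_port, frame):
        """Return the set of egress ports for a frame arriving on in_port."""
        vlan = self.port_vlan[in_port]
        pinned = self.pinned_macs.get(in_port)
        if pinned is not None and frame.src != pinned:
            # Static MAC/port binding: a host cannot claim another station's MAC.
            self.drops.append((in_port, frame.src))
            return set()
        self.mac_table[(vlan, frame.src)] = in_port   # learn the source
        same_vlan = {p for p, v in self.port_vlan.items() if v == vlan and p != in_port}
        if frame.dst == BROADCAST:
            return same_vlan                           # broadcast stays inside the VLAN
        out = self.mac_table.get((vlan, frame.dst))
        if out is None or out == in_port:
            # Unknown unicast is flooded to every port of the VLAN, just like a
            # broadcast; a sniffer sees these until the table has been learned.
            return same_vlan
        return {out}                                   # known unicast: one port only


# Constructed topology: ports 1-3 are VLAN 10 (client A), ports 4-5 are VLAN 20 (client B).
A1, A2 = "02:00:00:00:00:a1", "02:00:00:00:00:a2"
B1, B2 = "02:00:00:00:00:b1", "02:00:00:00:00:b2"
PORT_VLAN = {1: 10, 2: 10, 3: 10, 4: 20, 5: 20}
PINNED = {4: B1}   # port 4 may only source frames from B1's MAC

TRAFFIC = [
    (1, Frame(A1, BROADCAST, "A1 broadcast")),            # flooded within VLAN 10
    (2, Frame(A2, "02:00:00:00:00:ff", "A2->unknown")),   # unknown unicast: flooded in VLAN 10
    (2, Frame(A2, A1, "A2->A1")),                         # A1 already learned on port 1: one port
    (1, Frame(A1, A2, "A1->A2")),                         # A2 learned on port 2: one port
    (4, Frame(B1, BROADCAST, "B1 broadcast")),            # flooded within VLAN 20 only
    (4, Frame(A1, B2, "spoofed A1 from port 4")),         # rejected by the pinned MAC on port 4
    (5, Frame(B2, B1, "B2->B1")),                         # B1 learned on port 4: one port
]


def sniffer_sees(sniffer_port, traffic=TRAFFIC):
    """Labels of the frames a promiscuous host on sniffer_port would capture."""
    sw = Switch(PORT_VLAN, PINNED)
    return [f.label for port, f in traffic if sniffer_port in sw.forward(port, f)]


def rejected_frames(traffic=TRAFFIC):
    """(port, source MAC) pairs the switch refused because of MAC pinning."""
    sw = Switch(PORT_VLAN, PINNED)
    for port, f in traffic:
        sw.forward(port, f)
    return sw.drops


if __name__ == "__main__":
    for p in (1, 3, 5):
        print(f"promiscuous host on port {p} (VLAN {PORT_VLAN[p]}) sees:", sniffer_sees(p))
    print("dropped by MAC pinning:", rejected_frames())
```

The sniffer on port 3 captures only the VLAN 10 broadcast and the one unknown-unicast flood; once the table is populated the A1/A2 conversation is delivered to a single port and is invisible to it, and nothing from VLAN 20 ever reaches it. Attach a hub to port 3 instead of a single host and everything delivered to that port is shared among the hub's stations, which is Ferioli's second sniffing case.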
From owner-firewalls-list Wed Oct 1 01:44:17 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id DAA03568; Tue, 30 Sep 1997 03:52:41 -0700 (PDT)
Received: from brussels.cisco.com (brussels.cisco.com [171.68.129.238]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id DAA03498 for ; Tue, 30 Sep 1997 03:52:20 -0700 (PDT)
Received: from cons-evyncke.cisco.com (brussels-ppp4.cisco.com [171.68.146.25]) by brussels.cisco.com (8.8.5/8.8.5) with SMTP id MAA27494; Tue, 30 Sep 1997 12:51:36 +0200 (METDST)
Message-Id: <3.0.3.32.19970930115845.01313614@brussels.cisco.com>
X-Sender: evyncke@brussels.cisco.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Tue, 30 Sep 1997 11:58:45 +0000
To: "steven.j.schulze" , firewalls
From: Eric Vyncke
Subject: Re: VLANs for Security Inside the Firewall
In-Reply-To: <9709290558.AA2100@notes2.compuserve.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 13:02 28/09/97, steven.j.schulze wrote:
>I have a client who is running VLANs on Cisco switches, mostly for convenience
>and flexibility reasons. This client is wondering if any level of security
>is achieved due to this "virtual" network segmentation. I realize that VLANs
>are not firewalls, strong encryption+authentication, etc. however, to achieve
>separation and prevent snooping / interception, do the VLANs in effect take
>each node out of each other's "Collision Domain" (to use the Ethernet term)?
>Assume the worst-- competing clients on the network, with NICs in promiscuous
>mode (trivial to do today), what would that PC / Unix box see?

First notice my affiliation by looking in my signature ;-)

Now, VLANs add to your security; they are useful but are only part of your
security:

- Ethernet switches prevent sniffing: actually, if you put one single host
  per Ethernet switch port, then this host will receive traffic for only this
  MAC address + broadcast + multicast. Thus, a sniffer cannot sniff any packet
  not addressed to/sourced by it.
- You can also fix the MAC address to the switch port: then you can prevent
  local IP spoofing if you use a static MAC/port mapping TOGETHER with a
  static ARP table in hosts and routers (mainly used in 'high danger' DMZs).
- By partitioning your LAN (can be done via switch+VLAN and/or physical
  partitioning of your hubs), you can define sub-domains of trust and use a
  firewall (or routers with authentication) to control the traffic among
  these sub-domains.
- You can also use a dedicated VLAN for managing your routers, switches, ...
  by SNMP or Telnet; as no end-users are connected to this VLAN they cannot
  sniff the passwords, config, community strings.
- You can also restrict one user to belong to one VLAN only (the user is
  authenticated by username+password).
- ...

Hope this helps,

-eric

>
>Related question, anyone have any hands on with products like McAfee NetCrypto
>for local network encryption?
>
>I realize that security must be looked at holistically (must look at the
>threat, what are you trying to protect, etc.), and realize that I have not laid
>out the entire environment. Suffice it to say, though, that there are a
>minimum of 5 security "domains" in this office environment that require
>separation in the same or nearby physical area... an application multi-homed
>firewall can do a great job of separating these domains by interface and
>appropriate rulesets applied, but if you don't have LAN separation, forget
>about Firewalls and threats from the Internet.
>
>Any thoughts appreciated,
>
>Steven Schulze
>
>
>Andersen Consulting
>steven.j.schulze@ac.com
>

Eric Vyncke
Technical Consultant
Cisco Systems Belgium SA/NV
Phone: +32-2-778.4677  Fax: +32-2-778.4300
E-mail: evyncke@cisco.com  Mobile: +32-75-312.458

From owner-firewalls-list Wed Oct 1 05:17:00 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA28377; Tue, 30 Sep 1997 06:15:53 -0700 (PDT)
Received: from csc.com (explorer.csc.com [20.1.10.27]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id GAA28301 for ; Tue, 30 Sep 1997 06:15:35 -0700 (PDT)
Received: from csc.com by csc.com via smtpd with smtp id for ; Tue, 30 Sep 97 09:16 EDT (/\oo/\ Smail3.1.29.1 #29.9 built 21-apr-97)
Message-ID: <3430FBC5.D56E45E7@csc.com>
Date: Tue, 30 Sep 1997 09:16:53 -0400
From: john kerr
Reply-To: jkerr2@csc.com
X-Mailer: Mozilla 4.03 [en] (Win95; I)
MIME-Version: 1.0
To: firewalls@greatcircle.com
Subject: Downfalls of Proxy Server?
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

All,

I was wondering what the downfalls are of using Microsoft's proxy server to
authenticate internal users to the Internet for HTTP services only. I realize
that a rule must be put in the firewall to allow HTTP out from the proxy
server's IP address and that you no longer have a centralized location for
all of the logs, but are there any other shortcomings? The internal network
would be a Windows NT network.

The problem I'm trying to solve here: as opposed to performing user
authentication at the firewall and setting up users, I would use the NT
groups already set up internally and then selectively allow each group HTTP
access.

Any thoughts?
John

From owner-firewalls-list Wed Oct 1 05:22:51 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA27969; Tue, 30 Sep 1997 06:14:06 -0700 (PDT)
Received: from kcpgw.kcp.com (kcpgw.kcp.com [198.62.69.65]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id GAA27862 for ; Tue, 30 Sep 1997 06:13:42 -0700 (PDT)
From: dharris@kcp.com
Message-Id: <199709301313.GAA27862@honor.greatcircle.com>
Received: by kcpgw.kcp.com id AA10028 (InterLock SMTP Gateway 3.0 for firewalls@GreatCircle.com); Tue, 30 Sep 1997 08:14:16 -0500
Received: by kcpgw.kcp.com (Internal Mail Agent-2); Tue, 30 Sep 1997 08:14:16 -0500
Received: by kcpgw.kcp.com (Internal Mail Agent-1); Tue, 30 Sep 1997 08:14:16 -0500
Mime-Version: 1.0
Date: Tue, 30 Sep 1997 08:12:28 -0500
Subject: Re: Finding a wiretap or NIC card with a TDR
To: firewalls@GreatCircle.com, Sick Puppy
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Description: cc:Mail note part
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Doesn't TDR *require* actively creating a pulse so you can measure its
reflection? If you don't know when you emitted the pulse, how can you measure
the time until its echo? I suppose a pattern-matching oscilloscope could be
configured to measure the time between an outgoing 'ping' and its echo ;-)

______________________________ Reply Separator _________________________________
Subject: Finding a wiretap or NIC card with a TDR
Author: Sick Puppy at INTERNET-MAIL
Date: 9/27/97 9:40 PM

We have reason to believe that some loser geeks or phederal phucks have
sneaked a wiretap onto a network segment that we often cross. We also happen
to have a couple of Time Domain Reflectometers left over from previous
academic research on satellite channels. If we plug the TDRs into the network
segment there is a real good chance that the loser geeks or whatever will
spot us, so we need to run in stealth mode.

The network segment hosts several Unix boxes on which we are privileged users.
(Our network, our boxes of course. What else could they be?) Does anybody know
of any software that will run on a Unix or NT box and provide the same
information as a TDR? Does anybody know of an equivalent software package that
will run on Unix or NT and help us find the wiretap or silent NIC card we
think is there?

Sick Puppy, the Cat_Eating_Dawg

From owner-firewalls-list Wed Oct 1 05:32:26 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA06522; Tue, 30 Sep 1997 06:53:25 -0700 (PDT)
Received: from mail.orca.net (otbdc1.orca.net [38.211.180.12]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id GAA06486 for ; Tue, 30 Sep 1997 06:53:11 -0700 (PDT)
Received: by otbdc1.orca.net with Internet Mail Service (5.0.1457.3) id ; Tue, 30 Sep 1997 08:48:06 -0500
Message-ID: <711E7DBC93BDD011A3F100805F8AF4A30244C3@otbdc1.orca.net>
From: Mike Adams
To: "'Brian Mitchell'" , "Cline, Robert"
Cc: firewalls@GreatCircle.COM
Subject: RE: Ascend's Secure Access Firewall - Failures
Date: Tue, 30 Sep 1997 08:48:05 -0500
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1457.3)
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

One issue to be mindful of... Ascend routers are not powerhouses. A basic
install of a SAF on a Pipeline 50 will work. However, in my experience it
seems that if you specify a lot of specific IP traffic and block a lot of
traffic based on IP you run into timing problems. At one site we have had 38
entries in the FTP and WWW sections to allow these 19 hosts to have access in
and out while preventing others from passing traffic. The result was that
often the web sites from inside the firewall would not be served through the
wall completely. If we enabled * and * for web access, or even cut the number
down to around 6 hosts with access allowed, this seemed to correct the
issues.

We used 5.x on several 50 and 75 units with the same results. The new
Pipeline 220 will not suffer from this, nor should the MAX 20xx / 40xx.

> -----Original Message-----
> From: Brian Mitchell [SMTP:brian@firehouse.net]
> Sent: Tuesday, September 30, 1997 12:04 AM
> To: Cline, Robert
> Cc: firewalls@GreatCircle.COM
> Subject: Re: Ascend's Secure Access Firewall
>
> On Mon, 29 Sep 1997, Cline, Robert wrote:
>
> > I've been considering using Ascend's Secure Access Firewall. There are
> > two main reasons: we are seriously considering using their routers no
> > matter which firewall we use, and it would be MUCH less expensive to use
> > their firewalls (assuming of course, we use their routers) than any
> > other firewall I've seen. Everything I've read about SAF seems to be
> > very much like what I've read about the other products. It seems to be a
> > solid, modern, commercial product. We would lose some flexibility
> > (pretty much only works with Ascend), but we would gain lower cost and a
> > same-vendor match with our routers and firewall. Also, our current ISP
> > and the leading contender as a replacement use a lot of Ascend and are
> > very familiar with Ascend.
>
> I'm not sure how much trust I would place in a product from a company that
> thinks checking the 21st byte for source routing information sufficiently
> blocks loose and strict source routing. From my perspective, it looks like
> a cheap pix knockoff, although my view may be horribly tainted.
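Brian Mitchell's remark, quoted above, about a firewall that only inspects "the 21st byte" for source routing deserves a concrete illustration. The 21st byte of an IPv4 packet is the first byte after the fixed 20-byte header, i.e. the type field of the first option; a packet that carries a NOP, a record-route option or anything else ahead of the LSRR/SSRR option is not caught by that check. The following added example builds such packets and compares the fixed-offset check with a parser that walks the option list. It is constructed for this page and is not code from any post, from Ascend or from any other vendor; all addresses are from the documentation ranges.

```python
"""Fixed-offset vs. option-walking detection of IPv4 source routing.

Added example for the Ascend SAF thread; constructed packets, not code from
any post or product.
"""
import socket
import struct

IPOPT_EOL, IPOPT_NOP, IPOPT_RR, IPOPT_LSRR, IPOPT_SSRR = 0, 1, 7, 131, 137
SOURCE_ROUTE_TYPES = {IPOPT_LSRR, IPOPT_SSRR}


def build_ipv4(src, dst, options=b""):
    """IPv4 header only (TCP, TTL 64, zero checksum); options padded to 32 bits."""
    options += b"\x00" * ((-len(options)) % 4)
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0,
                        64, 6, 0, src, dst)
    return fixed + options


def source_route_option(hops, kind=IPOPT_LSRR):
    """LSRR/SSRR option: type, length, pointer (=4), then the route addresses."""
    route = b"".join(hops)
    return bytes([kind, 3 + len(route), 4]) + route


def naive_check(pkt):
    """The shortcut criticised in the thread: look only at byte 21 (index 20)."""
    return len(pkt) > 20 and pkt[20] in SOURCE_ROUTE_TYPES


def has_source_route(pkt):
    """Walk the options list; True if any LSRR/SSRR is present anywhere in it."""
    ihl = (pkt[0] & 0x0F) * 4
    if (pkt[0] >> 4) != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IPv4 header length")
    i = 20
    while i < ihl:
        kind = pkt[i]
        if kind == IPOPT_EOL:
            break                      # end of option list
        if kind == IPOPT_NOP:
            i += 1                     # single-byte option, no length field
            continue
        if i + 1 >= ihl:
            raise ValueError("option type without length")
        length = pkt[i + 1]
        if length < 2 or i + length > ihl:
            raise ValueError("bad option length")   # malformed: refuse, don't guess
        if kind in SOURCE_ROUTE_TYPES:
            return True
        i += length
    return False


def classify(pkt):
    """Filter verdict: 'clean', 'source-routed', or 'malformed' (drop as well)."""
    try:
        return "source-routed" if has_source_route(pkt) else "clean"
    except ValueError:
        return "malformed"


# Constructed sample packets (documentation-range addresses).
SRC, DST = socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.5")
HOPS = [socket.inet_aton("203.0.113.1"), socket.inet_aton("203.0.113.2")]
SAMPLES = {
    "no options": build_ipv4(SRC, DST),
    "lsrr first": build_ipv4(SRC, DST, source_route_option(HOPS)),
    "nop then lsrr": build_ipv4(SRC, DST, bytes([IPOPT_NOP]) + source_route_option(HOPS)),
    "record-route then ssrr": build_ipv4(
        SRC, DST, bytes([IPOPT_RR, 7, 4]) + b"\x00" * 4 + source_route_option(HOPS, IPOPT_SSRR)),
    "zero-length option": build_ipv4(SRC, DST, bytes([IPOPT_LSRR, 0, 4])),
}


def compare():
    """Return {label: (byte-21 verdict, option-walk verdict)} for every sample."""
    return {label: (naive_check(p), classify(p)) for label, p in SAMPLES.items()}


if __name__ == "__main__":
    for label, (naive, proper) in compare().items():
        print(f"{label:24s} byte-21 check: {str(naive):5s}  option walk: {proper}")
```

Two of the five samples evade the byte-21 check while the option walker flags them, and the walker refuses an option with an impossible length instead of trusting it; a packet filter that cannot parse a header should drop the packet rather than assume it is harmless.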
From owner-firewalls-list Wed Oct 1 05:44:24 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA10552; Tue, 30 Sep 1997 07:14:07 -0700 (PDT)
Received: from emout14.mail.aol.com (emout14.mx.aol.com [198.81.11.40]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id HAA10545 for ; Tue, 30 Sep 1997 07:14:00 -0700 (PDT)
From: Dsmgmt@aol.com
Received: (from root@localhost) by emout14.mail.aol.com (8.7.6/8.7.3/AOL-2.0.0) id KAA26926 for firewalls@greatcircle.com('firewalls@greatcircle.com'); Tue, 30 Sep 1997 10:14:33 -0400 (EDT)
Date: Tue, 30 Sep 1997 10:14:33 -0400 (EDT)
Message-ID: <970930101322_71048934@emout14.mail.aol.com>
To: firewalls@greatcircle.com ('firewalls@greatcircle.com')
Subject: no subject
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

remove

From owner-firewalls-list Wed Oct 1 05:53:43 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA10758; Tue, 30 Sep 1997 07:15:40 -0700 (PDT)
Received: from relay.rv.tis.com (relay.rv.tis.com [204.254.155.2]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id HAA10723 for ; Tue, 30 Sep 1997 07:15:31 -0700 (PDT)
Received: by relay.rv.tis.com; id KAA16908; Tue, 30 Sep 1997 10:13:34 -0400 (EDT)
Received: from rubicon.rv.tis.com(10.0.1.144) by relay.rv.tis.com via smap (4.0) id xma016872; Tue, 30 Sep 97 10:13:17 -0400
Received: (from jcp@localhost) by rubicon.rv.tis.com (8.8.5/8.7.3) id KAA01985; Tue, 30 Sep 1997 10:13:00 -0400 (EDT)
From: Jody Patilla
Message-Id: <199709301413.KAA01985@rubicon.rv.tis.com>
Subject: Re: Haystack Stalker
To: tommyling@hotmail.com (tommy ling)
Date: Tue, 30 Sep 1997 10:13:00 -0400 (EDT)
Cc: firewalls@greatcircle.com
In-Reply-To: <19970929062914.5100.qmail@hotmail.com> from "tommy ling" at Sep 28, 97 11:29:13 pm
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Isn't Haystack bundled on Checkpoint's firewall? Based on the below post
> I found on the Unix sysadmin mailing list, I wonder how much Haystack's
> technology is providing value. I remember seeing some posts about
> Haystack on the firewall mailing list and wanted to see if anyone knew if
> Webstalker would slow down the firewall. Does Checkpoint come with
> Haystack enabled?

In case you missed it, the posting which you attached was written by the
director of business development at Wheelgroup, which has a competing
product, NetRanger. You may want to weigh his comments with a grain of salt,
and see what kind of information you can get from independent sources.

- jcp

> From: Paul Di Bello
> Subject: Haystack review
> ------------------------------------------------------------------------
--
=========================================================================
Jody C. Patilla                                            jcp@tis.com
Trusted Information Systems                              Rockville, Md.

From owner-firewalls-list Wed Oct 1 07:10:26 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA14944; Tue, 30 Sep 1997 07:41:09 -0700 (PDT)
Received: from stjohns.se.highway1.com (stjohns.se.highway1.com [24.129.0.68]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id HAA14934 for ; Tue, 30 Sep 1997 07:41:02 -0700 (PDT)
Received: from sroberts.acr2000.com ([12.8.110.200]) by stjohns.se.highway1.com (Netscape Mail Server v2.02) with SMTP id AAA27159 for ; Tue, 30 Sep 1997 10:41:37 -0400
Received: by localhost with Microsoft MAPI; Tue, 30 Sep 1997 10:41:35 -0400
Message-ID: <01BCCD8D.6C57AFA0.scottrob@mediaone.net>
From: Scott Roberts
Reply-To: "scottrob@mediaone.net"
To: "Firewalls (E-mail)"
Subject: Which Firewall?
Date: Tue, 30 Sep 1997 10:41:33 -0400
Organization: Roberts' Keyboard Connection
X-Mailer: Microsoft Internet E-mail/MAPI - 8.0.0.4211
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am currently running 2 LANs that are connected with AT&T frame relay
service (AWICS). I have access from this frame relay direct to the Internet.
I want to put a firewall at each location that will allow traffic to flow
freely to each location and to the Internet. I want to block all traffic from
the Internet back in to our network. Here are the other details and
exceptions to what I have just said...

1) I want to allow certain traffic back in from the Internet.

2) I want to be able to view/print reports that will tell me who from the
inside has accessed the Internet and for how long.

3) I need a firewall that is easily maintained remotely. I need to be able to
get information and make changes to the firewall from 3000 miles away.

Any help I can get on this would be very much appreciated.

----------
Scott Roberts
ScottRob@mediaone.net

From owner-firewalls-list Wed Oct 1 07:55:18 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA12106; Tue, 30 Sep 1997 07:23:54 -0700 (PDT)
Received: from calamari.Progressive-Systems.Com (calamari.Progressive-Systems.Com [209.41.220.16]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id GAA28439 for ; Tue, 30 Sep 1997 06:16:12 -0700 (PDT)
Received: from Progressive-Systems.com (alex@overkill.Progressive-Systems.Com [209.41.220.250]) by calamari.Progressive-Systems.Com (8.7.5/8.7.3) with ESMTP id JAA16344; Tue, 30 Sep 1997 09:10:34 -0400 (EDT)
Message-ID: <3430FB16.484088B8@Progressive-Systems.com>
Date: Tue, 30 Sep 1997 09:13:58 -0400
From: Alex Hutton
X-Mailer: Mozilla 4.03 [en] (WinNT; I)
MIME-Version: 1.0
To: Brian Mitchell
CC: "Cline, Robert" , firewalls@GreatCircle.COM, brian@firehouse.net
Subject: Re: Ascend's Secure Access Firewall
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Seeing as the Ascend product evolved from the Morning Star product, I doubt
it is a PIX knock-off.

Brian Mitchell wrote:
>
> On Mon, 29 Sep 1997, Cline, Robert wrote:
>
> > I've been considering using Ascend's Secure Access Firewall. There are
> > two main reasons: we are seriously considering using their routers no
> > matter which firewall we use, and it would be MUCH less expensive to use
> > their firewalls (assuming of course, we use their routers) than any
> > other firewall I've seen. Everything I've read about SAF seems to be
> > very much like what I've read about the other products. It seems to be a
> > solid, modern, commercial product. We would lose some flexibility
> > (pretty much only works with Ascend), but we would gain lower cost and a
> > same-vendor match with our routers and firewall. Also, our current ISP
> > and the leading contender as a replacement use a lot of Ascend and are
> > very familiar with Ascend.
>
> I'm not sure how much trust I would place in a product from a company that
> thinks checking the 21st byte for source routing information sufficiently
> blocks loose and strict source routing. From my perspective, it looks like
> a cheap pix knockoff, although my view may be horribly tainted.

From owner-firewalls-list Wed Oct 1 07:57:11 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA13650; Tue, 30 Sep 1997 07:33:25 -0700 (PDT)
Received: from brussels.cisco.com (brussels.cisco.com [171.68.129.238]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id HAA13614 for ; Tue, 30 Sep 1997 07:33:14 -0700 (PDT)
Received: from cons-evyncke.cisco.com (brussels-ppp2.cisco.com [171.68.146.23]) by brussels.cisco.com (8.8.5/8.8.5) with SMTP id QAA02674; Tue, 30 Sep 1997 16:32:18 +0200 (METDST)
Message-Id: <3.0.3.32.19970930161540.006d34a8@brussels.cisco.com>
X-Sender: evyncke@brussels.cisco.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Tue, 30 Sep 1997 16:15:40 +0000
To: Anna Grieve , "'firewalls@GreatCircle.COM'"
From: Eric Vyncke
Subject: Re: Does Winframe need a firewall?
In-Reply-To: <3.0.3.16.19970926010747.0a6f20bc@mail-hub>
References: <3BFE2589D330D111AE87006008062DE45912@EXCHANGE2>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>At 12:46 PM 9/25/97 +0100, Anna Grieve wrote:
>>Interested to hear that you have got Winframe working through your
>>firewall. We can access the server on the local LAN via dial-up with no
>>problems, but access through the firewall is denied.
>>
>>I understand that we need to open the port 1494 for ICA traffic, but
>>this still doesn't work. We're not keen on putting the server completely
>>outside the firewall, so have you got any suggestions?
I would suggest an alternative design: put the Winframe server in your DMZ
(i.e. BEFORE the firewall). With this alternative design, even if the
Winframe server is cracked for any reason (you can roughly protect it with NT
and/or with the access/serial router), then you lose nearly nothing.

With your design, if the Winframe server is cracked (the firewall does not
add a lot of further security, except if you are using some authentication on
the firewall), then the cracker has much broader access to your NT network
inside.

Of course, the alternate design may be unsafe IFF your secrets (e.g. files,
...) are stored ON the Winframe server.

Any comments?

-eric

Eric Vyncke
Technical Consultant
Cisco Systems Belgium SA/NV
Phone: +32-2-778.4677  Fax: +32-2-778.4300
E-mail: evyncke@cisco.com  Mobile: +32-75-312.458

From owner-firewalls-list Wed Oct 1 07:59:27 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA11074; Tue, 30 Sep 1997 07:17:36 -0700 (PDT)
Received: from orion.science-computing.de (orion.science-computing.de [193.197.16.2]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id HAA11004 for ; Tue, 30 Sep 1997 07:17:16 -0700 (PDT)
Received: from idefix.science-computing.de (idefix.science-computing.de [10.148.25.2]) by orion.science-computing.de (8.6.10/s+c 1.3) with ESMTP id QAA27660 for <@orion.science-computing.de:firewalls@GreatCircle.COM>; Tue, 30 Sep 1997 16:17:54 +0200
Received: from localhost (ralf@localhost) by idefix.science-computing.de (950413.SGI.8.6.12/950213.SGI.AUTOCF) via SMTP id QAA10387 for ; Tue, 30 Sep 1997 16:18:54 +0200
Date: Tue, 30 Sep 1997 16:18:52 +0200 (MES)
From: ralf
To: firewalls@GreatCircle.COM
Subject: A question about x-gw
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi there,

hopefully, someone can give me a hint how to configure/modify x-gw from the
TIS fwtk to support the following firewall configuration:

Linux with masquerading and TIS firewall toolkit

                        +----------------+
                        |                |
                        |     tn-gw      |
                        |     ftp-gw     |
                        |                |
                        |      x-gw      |
                        |                |
                        |                |
      10.xx.yy.zz       |                |
   ----------------eth0 |                | isdn0 ---- external-ip --> ISDN
                        |                |
                        |                |
                        +----------------+
                                |
                          +---+---+----+

We want to be able to telnet to some host reachable via external-ip; this
works fine in the current setup, no problem. Further, we'd like to display
X applications from some host on external-ip on our display on internal-ip.
The tn-gw from TIS fwtk supports this with the "x-gw" command, but when using
it, the proposed variable DISPLAY is "internal-ip:10", which is not reachable
from "external-ip" because they don't know about our internal IP addresses
(which actually are 10.xxx :-).

So the question is: how can we get x-gw to generate the variable DISPLAY
"external-ip:10" and to listen on the proper socket on the proper
"external-ip" interface?

Maybe there is no way, because the "x-gw" command is given before the
"connect" command, so how should x-gw know about the destination of the
"connect" command?

Any hints are appreciated,

TIA, Ralf

---------------------------------------------------------------------------
Dr. Ralf Allrutz         | email: R.Allrutz@science-computing.de
science+computing gmbh   | phone: +49 7071 9457-26
Hagellocherweg 71        | fax:   -27
D-72070 Tuebingen        | venus: how to manage a heterogeneous UNIX-cluster
PGP Key fingerprint = FB 97 58 43 5F D9 A4 B6 F2 BA 3D 4E 77 E2 C6 33
---------------------------------------------------------------------------
% fatal system error: ran out of coffee - user halted

From owner-firewalls-list Wed Oct 1 08:45:55 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA11628; Tue, 30 Sep 1997 07:20:21 -0700 (PDT)
Received: from mail.the-wire.com (mail.the-wire.com [198.53.192.5]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id FAA22880 for ; Tue, 30 Sep 1997 05:50:19 -0700 (PDT)
Received: from psyche.the-wire.com (psyche [198.53.192.2]) by mail.the-wire.com (8.8.7/8.8.7) with ESMTP id IAA04682; Tue, 30 Sep 1997 08:48:09 -0400 (EDT)
Received: from anton.the-wire.com (anton.the-wire.com [205.206.32.227]) by psyche.the-wire.com (8.8.6/8.8.7) with SMTP id IAA18765; Tue, 30 Sep 1997 08:48:43 -0400 (EDT)
Message-Id: <3.0.32.19970930083232.0079c4d0@mail.the-wire.com>
X-Sender: anton@mail.the-wire.com
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Tue, 30 Sep 1997 08:49:56 -0400
To: "Magossa'nyi A'rpa'd" , Colin Campbell
From: Anton J Aylward
Subject: Re: Blocking spam mail (was: about sendmail security)
Cc: Kristian Köhntopp , firewalls@GreatCircle.COM
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 11:39 AM 28/09/97 +0100, Magossa'nyi A'rpa'd wrote:
>Anyway I can't think of many situations when I would _need_ a secondary MX.

OUCH!

This is a sign of something, but I'm too old and wizened to remember what.

Tell me again, Virginia, why in days of old did we all go to great lengths to
make sure we had DNS and MX secondaries which were not only off site, but on
a different network branch?
Why did I go to such lengths to make sure they were on different tectonic
plates and strike zones?

/anton

## Reply End ##
--------------------------------------------------------------------------
Anton J Aylward                  | Nothing is more difficult to carry out,
The Strahn & Strachan Group Inc  | nor more doubtful of success, nor more
Information Security Consultants | dangerous to handle, than to initiate a
Voice: (416) 494-8661            | new order of things." ---- Machiavelli
Fax: (416) 494-8803              |

From owner-firewalls-list Wed Oct 1 08:45:59 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA18184; Tue, 30 Sep 1997 08:03:05 -0700 (PDT)
Received: from ganymede.frii.com (ganymede.frii.com [208.146.240.5]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id IAA18168 for ; Tue, 30 Sep 1997 08:02:57 -0700 (PDT)
Received: from ora40.int.amrion.com (bou-0440.ppp.frii.com [208.146.244.232]) by ganymede.frii.com (8.8.5/8.8.4) with SMTP id JAA00878 for ; Tue, 30 Sep 1997 09:03:50 -0600 (MDT)
Message-Id: <3.0.1.32.19970930090327.00718ea4@mail.frii.com>
X-Sender: grat@mail.frii.com
X-Mailer: Windows Eudora Pro Version 3.0.1 (32)
Date: Tue, 30 Sep 1997 09:03:27 -0600
To: "'Firewalls@GreatCircle.COM'"
From: "Franklin R. Jones"
Subject: Re: Solaris v. NT Performance (FW-1)
In-Reply-To: <199709281300.JAA21654@kryten.frb.gov>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 09:00 AM 9/28/97 -0400, Jonathan M. Bresler wrote:
>
>>I appreciate Checkpoint putting up the NT vs. Solaris comparison, but
>>maybe someone could compare NT versus Solaris x86? Who out there
>>believes a P200 even comes close to the performance (or cost) of an
>>Ultra II? Don't get me wrong, I advocate UNIX for firewalls whenever
>>possible, but a fair comparison would be nice.
>
> UltraSparc vs Pentium Pro?
>
> the result might surprise you.....firewalls and operating systems
>are integer code. a pentium pro 200MHz outperforms an Ultra 248MHz until
>the data set size exceeds 256kB, then the larger cache of the Ultra
>predominates. a pentiumII outperforms an Ultra 248MHz.
>
> but don't take my word for it.....run the *hardware* benchmarks yourself.
>http://www.scl.ameslab.gov/scl/HINT/HINT.html. the database there does not
>have Ultra results so you'll have to run the test yourself, or ask me to
>mail you the results.
>
> in floating point the Ultra 248MHz outperforms intel cpu's across the
>board.

I think the original request is still the most valid question. There is more
involved here than pure processor speed. The overall system environment is
more of a factor in this case than just the processor. All of the processing
that matters in firewalls deals with I/O. What happens outside the processor
chip is of more importance, as the problem only gets worse if it is not up to
snuff. If the system is deficient in its internal bus (motherboard) transfer
rates, memory access, process exchange and even file I/O, it really doesn't
matter how fast the processor is if the rest of the system can't keep up (you
can even have the same type of disk/controller, but if the internal bus and
DMA transfer methods aren't up to speed it doesn't compare). This is the area
(in my experience) where one OS functions better than another. An OS has to
be multi-tasking to handle all the OS maintenance stuff too, not just
real-time benchmarks.

You can put a Ferrari engine in a Miata. That doesn't make them comparable.

fj..
From owner-firewalls-list Wed Oct 1 09:44:32 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA14805; Tue, 30 Sep 1997 10:47:55 -0700 (PDT)
Received: from mail.baileynm.com (fw.baileynm.com [206.109.159.11]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id KAA14500 for ; Tue, 30 Sep 1997 10:45:42 -0700 (PDT)
Received: (qmail 6101 invoked from smtpd); 30 Sep 1997 17:46:07 -0000
Received: from web.nmti.com (root@198.178.0.201) by fw.nmti.com with SMTP; 30 Sep 1997 17:46:07 -0000
Received: from baileynm.com (grendel.nmti.com [198.178.0.150]) by web.nmti.com (8.6.12/8.6.9) with SMTP id MAA13950; Tue, 30 Sep 1997 12:46:06 -0500
Received: by baileynm.com; (5.65v3.2/1.1.8.2/08Sep97-0924AM) id AA26551; Tue, 30 Sep 1997 12:48:24 -0500
From: Peter da Silva
Message-Id: <9709301748.AA26551@baileynm.com>
Subject: Re: Solaris v. NT Performance (FW-1)
To: jmb@FRB.GOV (Jonathan M. Bresler)
Date: Tue, 30 Sep 1997 12:48:24 -0500 (CDT)
Cc: gadams@ccscns.com, Firewalls@GreatCircle.COM
In-Reply-To: <199709281300.JAA21654@kryten.frb.gov> from "Jonathan M. Bresler" at Sep 28, 97 09:00:09 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> UltraSparc vs Pentium Pro?

More, Sun's latest descendant of SBUS versus PCI.
From owner-firewalls-list Wed Oct 1 10:02:24 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA01385; Tue, 30 Sep 1997 09:26:04 -0700 (PDT)
Received: from dev.avnet.com (dev.avnet.com [204.163.162.43]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id JAA01324 for ; Tue, 30 Sep 1997 09:25:48 -0700 (PDT)
Received: from az101-nt-imc1.avnet.com by dev.avnet.com with ESMTP (1.39.111.2/16.2) id AA268486583; Tue, 30 Sep 1997 09:23:03 -0700
Received: by az101-nt-imc1.avnet.com with Internet Mail Service (5.0.1458.49) id ; Tue, 30 Sep 1997 09:29:10 -0700
Message-Id: <714D6BA7BBF1D0118A510060B0673BD31D4880@az101-nt-msx2.avnet.com>
From: "Schlueter, Ian"
To: firewalls-digest@GreatCircle.COM
Subject: High Availability between two HPUX 10.20 FW1 machines
Date: Tue, 30 Sep 1997 09:28:09 -0700
X-Priority: 3
Mime-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1458.49)
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am attempting to utilize the synchronization capabilities of FW1 ver 3.0b
to implement "high-availability" and I am running into a problem.

I have two HPUX C100's configured identically. Installed are a total of
four network interfaces in each.

Interface 1: to the Internet
Interface 2: to the intranet
Interface 3: to the DMZ
Interface 4: to the "firewall sync network"

The firewall sync network only has the two firewalls on it; I am using a
non-internet routable "test" range to address that segment. The firewalls
each have an entry in the /etc/fw/conf/sync.conf file pointing to their
counterpart.

Here is the problem: I am continuously seeing a "Got Connection from
firewall-1" then immediately seeing an "End Connection from firewall-1".
These messages appear simultaneously on both firewall consoles. Logs appear
to be shared, but state tables only seem to be shared part of the time.
Checkpoint suggested that if the two machines' system clocks were more than
5 seconds out of synchronization it could cause this problem. We set the
clocks to the same time and tested, still no luck. We even installed ntp
between them and it did not change the results.

Anyone have any ideas?

- - -/  W. Ian Schlueter                ian.schlueter@avnet.com
- - /   Project Manager, Global Internet/intranet support
- -/    Avnet, Inc.  Chandler, AZ
- /     (602) 940-5977

From owner-firewalls-list Wed Oct 1 10:14:39 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA26511; Tue, 30 Sep 1997 11:53:19 -0700 (PDT)
Received: from mail.proper.com (mail.proper.com [206.86.127.224]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id LAA26258 for ; Tue, 30 Sep 1997 11:52:27 -0700 (PDT)
Received: from dcrocker-omni (mg-20425421-235.ricochet.net [204.254.21.235]) by mail.proper.com (8.8.7/8.7.3) with SMTP id LAA06636; Tue, 30 Sep 1997 11:50:05 -0700 (PDT)
Message-Id: <3.0.3.32.19970930091049.031c3000@ng.netgate.net>
X-Sender: dcrocker@ng.netgate.net
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Tue, 30 Sep 1997 09:10:49 -0400
To: Russ
From: Dave Crocker
Subject: RE: SMTP VRFY (was: Microsoft vs The world)
Cc: "'Ned Freed'" , firewalls@GreatCircle.COM
In-Reply-To: <61B80F9FF411D1118DEF0000E8D5C6670439C9@ns.ntadvice.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 01:56 AM 9/28/97 -0400, Russ wrote:
>First of all, let me remind you that RFC1123 specifically denotes rules
>for INTERNET servers, not SMTP servers in general. It does state that
>servers that are not exposed to the Internet may have their own rules.

The primary purpose of language like that is to leave the door open for
later profiles which deal with the difference between intranet/internet
behavior.
Note that it is NOT blanket permission to do whatever one wants, since
ultimately what matters is interoperability in multi-vendor environments.
Any one vendor making changes on their own creates non-interoperability.

d/
--------------------
Dave Crocker                                       +1 408 246 8253
Brandenburg Consulting                        fax: +1 408 249 6205
675 Spruce Dr.                             dcrocker@brandenburg.com
Sunnyvale, CA  94086 USA                  http://www.brandenburg.com
Internet Mail Consortium            info@imc.org, http://www.imc.org

From owner-firewalls-list Wed Oct 1 10:25:10 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA29087; Tue, 30 Sep 1997 12:07:15 -0700 (PDT)
Received: from firewall.cwa.com (firewall.cwa.com [192.100.4.193]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id MAA29034 for ; Tue, 30 Sep 1997 12:06:50 -0700 (PDT)
Received: by firewall.cwa.com (4.1/CWA-SMI-4.1) id AA06588; Tue, 30 Sep 97 12:07:00 PDT
Received: from cwa.com(192.100.4.14) by firewall via smap (V1.3jcf) id sma006583; Tue Sep 30 12:06:09 1997
Received: from hilo.cwa.com by cwa.com (4.1/CWA-PSI-SMI-1.0) id AA08894; Tue, 30 Sep 97 12:06:06 PDT
Received: by hilo.cwa.com (SMI-8.6/SMI-SVR4) id MAA11028; Tue, 30 Sep 1997 12:06:03 -0700
Date: Tue, 30 Sep 1997 12:06:03 -0700
From: dmurphy@cwa.com (Dan Murphy x286)
Message-Id: <199709301906.MAA11028@hilo.cwa.com>
To: jsdy@cospo.osis.gov, trott@remus.rutgers.edu
Subject: Re: snmp broadcasts
Cc: Firewalls@GreatCircle.COM
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > On Mon, 22 Sep 1997, Joseph S. D. Yao wrote:
> >
> > > As your subject line notes, 161 == SNMP - Simple Network Management
> > > Protocol. These machines may be trying to update their Network
> > > Neighbourhoods?
> >
> > Is it generally safe to ignore snmp broadcast packets on your internal
> > network?
> >
> > > As for why some and not others ... are they all the same version of MS
> > > Winlose 95?
> >
> > Probably not...time to do an inventory...
>

The source of the SNMP PDUs is likely an HP printer driver installed under
Win95 that is attempting to auto-discover reachable HP network printers by
broadcasting SNMP 'get' requests and listening for responses. Check in the
Win95 Printer Manager for HP printers installed as network resources...

+-------------------------------------------------------------------+
| Dan Murphy, CWA Communication Products  | email: dmurphy@cwa.com  |
| 401 Alberto Way, Los Gatos, CA 95032    | voice: 408-358-1529     |
| (My Japanese is not yet good.)          | faxen: 408-356-7061     |
+-------------------------------------------------------------------+

From owner-firewalls-list Wed Oct 1 10:25:57 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA25194; Tue, 30 Sep 1997 11:48:07 -0700 (PDT)
Received: from mhaaf.inhouse.compuserve.com (mhaaf.inhouse.compuserve.com [149.174.64.79]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id LAA20035 for ; Tue, 30 Sep 1997 11:16:03 -0700 (PDT)
Received: from notes2.compuserve.com (cserve-aagw2.notes.compuserve.com [149.174.221.199]) by mhaaf.inhouse.compuserve.com (8.6.9/8.6.12) with SMTP id QAA28288.; Tue, 30 Sep 1997 16:32:41 -0400
Received: by notes2.compuserve.com (IBM OS/2 SENDMAIL VERSION 1.3.17/2.0) id AA1039; Tue, 30 Sep 97 14:16:39 -0400
Message-Id: <9709301816.AA1039@notes2.compuserve.com>
Received: by External Gateway (Lotus Notes Mail Gateway for SMTP V1.1) id 005027440012F8CC86256522005120EF; Tue, 30 Sep 97 14:16:39
To: firewalls-digest
From: "steven.j.schulze"
Date: 30 Sep 97 9:46:09
Subject: Question
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I have a client who is running VLANs on Cisco switches, mostly for
convenience and flexibility reasons. This client is wondering if any level
of security is achieved due to this "virtual" network segmentation. I
realize that VLANs are not firewalls, strong encryption+authentication,
etc.; however, to achieve separation and prevent snooping / interception,
do the VLANs in effect take each node out of each other's "Collision
Domain" (to use the Ethernet term)? Assume the worst-- competing clients on
the network, with NICs in promiscuous mode (trivial to do today), what
would that PC / Unix box see?

Related question, anyone have any hands on with products like McAfee
NetCrypto for local network encryption?

I realize that security must be looked at holistically (must look at the
threat, what are you trying to protect, etc.), and realize that I have not
laid out the entire environment. Suffice it to say, though, that there are
a minimum of 5 security "domains" in this office environment that require
separation in the same or nearby physical area... an application
multi-homed firewall can do a great job of separating these domains by
interface and appropriate rulesets applied, but if you don't have LAN
separation, forget about Firewalls and threats from the Internet.

Any thoughts appreciated,

Steven Schulze
Andersen Consulting
steven.j.schulze@ac.com

From owner-firewalls-list Wed Oct 1 10:28:36 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA11171; Tue, 30 Sep 1997 13:08:31 -0700 (PDT)
Received: from mail.baileynm.com (fw.baileynm.com [206.109.159.11]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id NAA11000 for ; Tue, 30 Sep 1997 13:07:36 -0700 (PDT)
Received: (qmail 7995 invoked from smtpd); 30 Sep 1997 20:08:06 -0000
Received: from web.nmti.com (root@198.178.0.201) by fw.nmti.com with SMTP; 30 Sep 1997 20:08:06 -0000
Received: from baileynm.com (grendel.nmti.com [198.178.0.150]) by web.nmti.com (8.6.12/8.6.9) with SMTP id PAA12637; Tue, 30 Sep 1997 15:08:06 -0500
Received: by baileynm.com; (5.65v3.2/1.1.8.2/08Sep97-0924AM) id AA19076; Tue, 30 Sep 1997 15:10:24 -0500
From: Peter da Silva
Message-Id: <9709302010.AA19076@baileynm.com>
Subject: Re: VPNs and PPTP
To: mje@intersec.com (Mike Endrizzi)
Date: Tue, 30 Sep 1997 15:10:23 -0500 (CDT)
Cc: firewalls@greatcircle.com
In-Reply-To: <19970831140318880.AAB254@polenta.intersec.com> from "Mike Endrizzi" at Aug 30, 97 09:06:41 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> 1) weak authentication
> 2) slower
> 3) bitch to install and figure out routing
> 4) GRE doesn't pass through all firewalls
> 5) precious little debug information

6) uses existing NT RAS administrative model
7) no support for non-MS based servers and clients.
8) black box implementation
9) Extra hardware if you're not currently running NT server. NT server
   isn't cheap.
10) uses existing user database
11) no key mgt
12) transports IPX and native NETBEUI

From owner-firewalls-list Wed Oct 1 12:08:36 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA02757; Tue, 30 Sep 1997 14:48:00 -0700 (PDT)
Received: from c2smtp.on.com (c2smtp.on.com [207.18.216.5]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id OAA26264 for ; Tue, 30 Sep 1997 14:18:01 -0700 (PDT)
Received: from Connect2 Message Router by c2smtp.on.com via Connect2-SMTP 4.30A; Tue, 30 Sep 1997 17:16:04 -0400
Message-ID: <98E79E3801D40000@c2smtp.on.com>
Date: Tue, 30 Sep 1997 17:14:00 -0400
From: Stephen McLarey
Disposition-Notification-To:
Organization: ON Technology - Cambridge
To: trott@remus.rutgers.edu (Richard Trott)
Cc: firewalls@greatcircle.com (Firewall list)
Subject: Re: snmp broadcasts
Importance: normal
MIME-Version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-disposition: inline
Content-transfer-encoding: 7bit
X-Mailer: Connect2-SMTP 4.30A MHS/SMF to SMTP Gateway
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

======== Original Message ========
On Mon, 22 Sep 1997, Joseph S. D. Yao wrote:

> As your subject line notes, 161 == SNMP - Simple Network Management
> Protocol.
> These machines may be trying to update their Network
> Neighbourhoods?

Is it generally safe to ignore snmp broadcast packets on your internal
network?

> As for why some and not others ... are they all the same version of MS
> Winlose 95?

Probably not...time to do an inventory...

Richard Trott
trott@remus.rutgers.edu
======== Fwd by: Stephen McLar ========

Very good point. Some versions of Windoze 95 do not answer ARP correctly.
As a matter of fact Novell has an open ticket with Micro$oft concerning
this very issue.

From owner-firewalls-list Wed Oct 1 12:32:22 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id AAA06049; Wed, 1 Oct 1997 00:48:40 -0700 (PDT)
Received: from cscuxfw.cscploenzke.de (cscuxfw.cscploenzke.de [194.45.145.1]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id XAA23965 for ; Tue, 30 Sep 1997 23:51:32 -0700 (PDT)
Received: from win95-boettger by cscuxfw.cscploenzke.de with smtp (Smail3.1.29.0 #3) id m0xGIdq-000FBcC; Wed, 1 Oct 97 08:52 CETDST
Received: by win95-boettger with Microsoft Mail id <01BCCE47.4F8753C0@win95-boettger>; Wed, 1 Oct 1997 08:52:13 +0100
Message-ID: <01BCCE47.4F8753C0@win95-boettger>
From: Ulrich Böttger
To: "firewalls@GreatCircle.COM"
Date: Wed, 1 Oct 1997 08:52:06 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

remove

From owner-firewalls-list Wed Oct 1 12:32:18 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id RAA05843; Tue, 30 Sep 1997 17:05:18 -0700 (PDT)
Received: from out1.ibm.net (out1.ibm.net [165.87.194.252]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id RAA05808 for ; Tue, 30 Sep 1997 17:05:00 -0700 (PDT)
Received: from dissident (slip202-135-73-200.sy.au.ibm.net [202.135.73.200]) by out1.ibm.net (8.8.5/8.6.9) with ESMTP id AAA84426 for ; Wed, 1 Oct 1997 00:05:16 GMT
Message-Id: <199710010005.AAA84426@out1.ibm.net>
From: "Michael "
To:
Date: Wed, 1 Oct 1997 10:09:30 +1000
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1161
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

SUBSCRIBE

From owner-firewalls-list Wed Oct 1 13:40:01 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id SAA18895; Tue, 30 Sep 1997 18:20:43 -0700 (PDT)
Received: from relay2.UU.NET (relay2.UU.NET [192.48.96.7]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id SAA18774 for ; Tue, 30 Sep 1997 18:20:18 -0700 (PDT)
Received: from maestro.Maestro.COM by relay2.UU.NET with SMTP (peer crosschecked as: [198.102.66.11]) id QQdjht04287; Tue, 30 Sep 1997 21:21:20 -0400 (EDT)
Received: from localhost by maestro.Maestro.COM (4.1/MAESTRO-0.1/07-03-93) id AA08757; Tue, 30 Sep 97 21:19:37 EDT
Date: Tue, 30 Sep 1997 21:19:37 -0400 (EDT)
From: Sick Puppy
To: dharris@kcp.com
Cc: firewalls@GreatCircle.com
Subject: Re: Finding a wiretap or NIC card with a TDR
In-Reply-To: <9709301312.AA28757@maestro.Maestro.COM>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> apologies.
> Doesn't TDR *require* actively creating a pulse so you can measure its
> reflection?

Yes it does. You need physical access. TRW equipment shows up real good.
SP, tCED

From owner-firewalls-list Wed Oct 1 13:41:48 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id SAA19751; Tue, 30 Sep 1997 18:24:29 -0700 (PDT)
Received: from quechua.inka.de (quechua.inka.de [193.197.84.5]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id SAA19714 for ; Tue, 30 Sep 1997 18:24:12 -0700 (PDT)
Received: from uu.inka.de [193.197.84.8] by quechua.inka.de with smtp id 0xGDVv-0005hT-00; Wed, 1 Oct 1997 03:23:43 +0200
Received: from lina.inka.de (lists@lina.inka.de) by uu.inka.de with bsmtp (S3.1.29.1) id ; Wed, 1 Oct 97 03:23 MET DST
Received: by lina.inka.de id m0xGDPN-00014AC (Debian Smail-3.2 1996-Jul-4 #2); Wed, 1 Oct 1997 03:16:57 +0200 (CEST)
Message-Id:
Date: Wed, 1 Oct 1997 03:16:55 +0200
From: Bernd Eckenfels
To: Marco Tarquini
Cc: Firewalls@GreatCircle.COM
Subject: Re: Netbeui and SSH
References: <199709251551.RAA18347@dns.ermes.it>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.67
In-Reply-To: <199709251551.RAA18347@dns.ermes.it>; from Marco Tarquini on Thu, Sep 25, 1997 at 05:48:52PM +0200
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello,

browsing in subnets without broadcast connection is possible if you use a
WINS Server. You can use MS WINS Server or SAMBA's.

Greetings
Bernd

On Sep 25, Marco Tarquini wrote
> I've a problem setting up an sshd encrypted tunnel between two Win95 LANs:
> netbeui broadcast doesn't work correctly so it's impossible browsing the two
> LANs by the graceful Desktop Icon "Network Neighborhood":

--
  (OO)      -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de --
 ( .. )  ecki@{inka.de,linux.de,debian.org}  http://home.pages.de/~eckes/
  o--o     *plush*  2048/93600EFD  eckes@irc  +4972573817  BE5-RIPE
(O____O)  If privacy is outlawed only Outlaws have privacy

From owner-firewalls-list Wed Oct 1 13:43:24 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id SAA19723; Tue, 30 Sep 1997 18:24:16 -0700 (PDT)
Received: from quechua.inka.de (quechua.inka.de [193.197.84.5]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id SAA19611 for ; Tue, 30 Sep 1997 18:23:52 -0700 (PDT)
Received: from uu.inka.de [193.197.84.8] by quechua.inka.de with smtp id 0xGDVv-0005hU-00; Wed, 1 Oct 1997 03:23:43 +0200
Received: from lina.inka.de (lists@lina.inka.de) by uu.inka.de with bsmtp (S3.1.29.1) id ; Wed, 1 Oct 97 03:23 MET DST
Received: by lina.inka.de id m0xGDTP-00014SC (Debian Smail-3.2 1996-Jul-4 #2); Wed, 1 Oct 1997 03:21:07 +0200 (CEST)
Message-Id:
Date: Wed, 1 Oct 1997 03:21:05 +0200
From: Bernd Eckenfels
To: Sick Puppy
Cc: Bill Stout , firewalls@GreatCircle.com
Subject: Re: Red Beard's Network Flight Recorder
References: <2.2.32.19970923161132.009aac90@192.168.0.37>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.67
In-Reply-To: ; from Sick Puppy on Tue, Sep 23, 1997 at 08:51:27PM -0400
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> General's CyberCop inside their network, with a firewall device in between
> them, we are, to put it delicately, fucked.

This is the best marketing I have read for a long time on this list.

Puppy, your mails are getting sick. :)

Greetings
Bernd

--
  (OO)      -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de --
 ( .. )  ecki@{inka.de,linux.de,debian.org}  http://home.pages.de/~eckes/
  o--o     *plush*  2048/93600EFD  eckes@irc  +4972573817  BE5-RIPE
(O____O)  If privacy is outlawed only Outlaws have privacy

From owner-firewalls-list Wed Oct 1 13:44:57 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id SAA24204; Tue, 30 Sep 1997 18:48:59 -0700 (PDT)
Received: from southcentral.net (ppp-206-170-65-28.grdn01.pacbell.net [206.170.65.28]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id SAA24182 for ; Tue, 30 Sep 1997 18:48:50 -0700 (PDT)
Received: from southcentral.net (southcentral.net [206.233.216.222]) by southcentral.net (8.8.5/8.8.5) with SMTP id SAA01533; Tue, 30 Sep 1997 18:51:08 -0700
Date: Tue, 30 Sep 1997 18:51:08 -0700 (PDT)
From: Richard Pouncy
X-Sender: prc@southcentral.net
To: Domenico Viggiani
cc: dcostello@cmol.com, firewalls@GreatCircle.COM
Subject: Re: Public/Private DNS
In-Reply-To: <34224DA9.183FF628@diemme.it>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 19 Sep 1997, Domenico Viggiani wrote:

> You have to put internal DNS in so-called 'slave-forwarder'
> configuration.
>
> Add to your internal named.boot file the following lines:
>
>   options forward-only
>   forwarders
>
> At the same time, configure your external server to use the internal DNS
> (as client) --> Edit /etc/resolv.conf file, if you are on a UNIX box.

Could you give me an example of the entry for the resolv.conf? I
understand the normal way to enter a line to have the resolver point to a
DNS server, but how do you make it resolve inside names?

Thanks

=-=-=-=-=-=-=-=-=-=-=-= http://www.southcentral.net =-=-=-=-=-=-=-=-=-=-=-=
Richard Pouncy    | rTs Computer Systems/Southcentral Network
prc@rtscomp.com   | P.O. Box 1434
310-342-0454      | Inglewood, CA 90308-1434
=-=-=-=-=-=-=-=- Supporting LA South Central Communities -=-=-=-=-=-=-=-=-=

From owner-firewalls-list Wed Oct 1 14:12:29 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id SAA20155; Tue, 30 Sep 1997 18:26:52 -0700 (PDT)
Received: from denmark.it.earthlink.net (denmark-c.it.earthlink.net [204.119.177.22]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id SAA20033 for ; Tue, 30 Sep 1997 18:26:16 -0700 (PDT)
Received: from earthlink.net (1Cust5.max58.new-york.ny.ms.uu.net [153.35.28.133]) by denmark.it.earthlink.net (8.8.7/8.8.5) with ESMTP id SAA00709; Tue, 30 Sep 1997 18:26:51 -0700 (PDT)
Message-ID: <3431A673.7CB217D0@earthlink.net>
Date: Tue, 30 Sep 1997 21:25:07 -0400
From: Joseph Iacovelli
X-Mailer: Mozilla 4.03 [en] (WinNT; I)
MIME-Version: 1.0
To: Sami Mousa
CC: Firewalls@GreatCircle.COM
Subject: Re: PIX : big FTP downloads stop a 99%
References: <3.0.32.19970925174450.006adb80@lexicon.ins.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Sami,

I don't know the exact command, but you want to have HP-OpenView read the
MIB (which is based on the SNMP protocol) on the PIX firewall. All
information relevant to the firewall should be in the MIB. If this was a
computer, you could have some SNMP agent software relay information by
polling or setting thresholds for SNMP traps. If you have anything
specific, let me know.

- Joseph

Sami Mousa wrote:
> Hello all,
>
> Can someone tell me the MIB or how monitor the PIX firewall using HP-OPEN VIEW.
>
> Thanks in advance,
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> **  Sami Mousa, FORE ATM(WAN) Certified                                   **
> **  International Network Services      Office: (908)603-8541 x320        **
> **  Network Systems Engineer            e-mail: sami_mousa@ins.com        **
> **  120 Wood Ave South                  Pager:  (888)896-4064             **
> **  Suite #615                          Fax:    (908)548-5630             **
> **  Iselin, New Jersey 08830            www.ins.com                       **
> =============================================================================
> "My statements in this message are personal opinions  \
>  which may have no basis whatsoever in fact."

--
+-----------------------------------------
| Joseph Iacovelli
| Systems Engineer
| http://home.earthlink.net/~wolfboy/
+-----------------------------------------

From owner-firewalls-list Wed Oct 1 15:19:45 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id UAA15163; Tue, 30 Sep 1997 20:14:26 -0700 (PDT)
Received: from alpha.CES.CWRU.Edu (alpha.CES.CWRU.Edu [129.22.16.10]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id UAA14986 for ; Tue, 30 Sep 1997 20:13:51 -0700 (PDT)
Received: from fox.CES.CWRU.Edu (fox.CES.CWRU.Edu [129.22.16.17]) by alpha.CES.CWRU.Edu (8.7.3/8.7.3) with ESMTP id XAA27755; Tue, 30 Sep 1997 23:14:24 -0400 (EDT)
From: Tim Basher
Received: (from basher@localhost) by fox.CES.CWRU.Edu (8.7.3/8.7.3) id XAA02982; Tue, 30 Sep 1997 23:14:24 -0400 (EDT)
Message-Id: <199710010314.XAA02982@fox.CES.CWRU.Edu>
Subject: Re: Radius
To: ahy@ziplink.net (Arthur Young)
Date: Tue, 30 Sep 97 23:14:24 EDT
Cc: firewalls@GreatCircle.COM
X-Mailer: ELM [version 2.3 PL11]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> It may not be appropriate for this list, but where can I find out about
> Radius servers?

If you have to ask whether it is appropriate, it isn't appropriate for this
list. This list is about firewalls, not general network security, not
general virus scanners, and not general network administration. To find
out more about the purpose of the list I would recommend reading the
message you received when you joined or going to the online information.

http://www.greatcircle.com/firewalls/

If you have a question, I would first recommend doing a search of the
mailing list archives. That is what they are there for. This saves you
time and the list a lot of useless repetition.

http://www.nexial.nl/cgi-bin/firewalls

You should also try doing a search in Yahoo or Altavista or another WWW
search engine. Once again, this will save everyone time and grief. Using
this you could have quickly found the following URLs:

http://www.ietf.org/html.charters/radius-charter.html
http://www.scomm.net/inet-access/
http://www.cryptocard.com/products.html
http://www.cyno.com/
http://www.emerald.iea.com/radius
http://www.livingston.com/
http://www.merit.edu/aaa/
http://www.itrans.com/
http://www.ascend.com/324.html
http://www.bsdi.com/products/internet/new-features.mhtml
http://www.baynetworks.com/Products/Briefs/baysecra.html
http://www.cisco.com/univercd/data/doc/software/11_2/csecur/2cauthen.htm
http://www.digital.com/info/SP5619/SP5619SC.TXT
http://www.gandalf.ca/Whitepaper/security.html
http://www.novell.com/novellsw/brands.html
http://www.shiva.com/pacrim/japan/prod/docs/sem/RE0133.HTM
http://www.telebit.com/Support/Links/index.html
http://www.xyplex.com/hot/ccradius.html
http://www.3com.com/carrier/nsd/products/30419.html

From owner-firewalls-list Wed Oct 1 16:40:03 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id RAA05151; Tue, 30 Sep 1997 17:00:23 -0700 (PDT)
Received: from mail.diginsite.com (mail.diginsite.com [208.2.189.2]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id QAA05004 for ; Tue, 30 Sep 1997 16:59:50 -0700 (PDT)
Received: from march.diginsite.com (dlang@march.diginsite.com [208.2.189.102]) by mail.diginsite.com (8.8.6/8.8.6) with SMTP id QAA22915; Tue, 30 Sep 1997 16:54:46 -0700
Date: Tue, 30 Sep 1997 16:57:16 -0700 (PDT)
From: David Lang
To: Marco Tarquini
cc: Firewalls@GreatCircle.COM
Subject: Re: Netbeui and SSH
In-Reply-To: <199709251551.RAA18347@dns.ermes.it>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

If you used bridges instead of routers it would work; otherwise you are in
trouble, you cannot broadcast between two networks.

David Lang

On Thu, 25 Sep 1997, Marco Tarquini wrote:

> Date: Thu, 25 Sep 1997 17:48:52 +0200
> From: Marco Tarquini
> To: Firewalls@GreatCircle.COM
> Subject: Netbeui and SSH
>
> Hi all!!!
>
> I've a problem setting up an sshd encrypted tunnel between two Win95 LANs:
> netbeui broadcast doesn't work correctly so it's impossible browsing the two
> LANs by the graceful Desktop Icon "Network Neighborhood":
>
> Well, this is the setup: two Unix machines, under Linux and HP-UX, which are
> the endpoints of the tunnel made by sshd.
> They correctly forward IP protocol.
> The Linux box also acts as a WINS server ( SMB ) for Lan B.
>
> So I could summarize all network as:
>
>
>          ROUTER                               ROUTER
>         .------.                             .------.
>         |      |    Point-to-Point line      |      |
>         |      |-----------------------------|      |
>         |      |                             |      |
>         .------.                             .------.
>            |                                    |
>            |                                    |
>            |      |--|WS                        |    |----|SERVER
>            |      |--|WIN95                  +--|    |    |SAMBA
>         +--|      |--|                       |  |    |----|
>         |  |                                 |  |
>         |  LAN A  |--|WS              LAN B  |  |
>         |  |      |--|WIN95                  +--|    |--|WS
>         +--|      |--|                       |  |    |--|WIN95
>            |                                 |       |--|
>            |
>            |
>
> And so on ...
>
>
> Well, with the Samba server up and running we can share pretty well all
> network resources but we cannot browse the network: AFAIK I mean it depends
> on Netbeui broadcasting, which should provide resolving workgroup names but
> I dunno how to force Netbeui packets to go through the encrypted tunnel
>
> Any idea???
>
>
> Please, sorry for my English: TIA and I hope You could help me
>
> best regards
>
> Marco
>
> ( P.S.: I read the Firewall list in the Digest fashion: so any direct e-mail
> to me will be very much appreciated )
>
>

From owner-firewalls-list Wed Oct 1 16:40:44 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id TAA00636; Tue, 30 Sep 1997 19:20:17 -0700 (PDT)
Received: from elektra.ultra.net (elektra.ultra.net [199.232.56.13]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id TAA00468 for ; Tue, 30 Sep 1997 19:19:43 -0700 (PDT)
Received: from zandar.judgefamily.org (joesmac.ultranet.com [199.232.59.222]) by elektra.ultra.net (8.8.5/ult1.06) with SMTP id UAA11106; Tue, 30 Sep 1997 20:50:39 -0400 (EDT)
Received: by zandar.judgefamily.org with Microsoft Mail id <01BCCDE3.482CD820@zandar.judgefamily.org>; Tue, 30 Sep 1997 20:56:11 -0400
Message-ID: <01BCCDE3.482CD820@zandar.judgefamily.org>
From: Joseph Judge
To: "firewalls@GreatCircle.COM" , "'Bob Gerrish'"
Subject: RE: Checkpoint and FWTK 1.2 ftp proxy hangs
Date: Tue, 30 Sep 1997 20:56:08 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Bob -

Some simple tests to isolate the problem would be to try the ftp session
*from* the FWTK box directly ... still a problem? (maybe it is ftp-gw)
Not? Then it looks like their problem.

Realize that when you do a "pwd" or "cd" that you are just communicating
over that established control channel.
That is a client -> server connection. But, when you wish to do a GET, PUT,
DIR or ls, you are actually building a second, data channel between the 2
systems ... or, in your case, not building that second channel :-)

The channel can be client -> server to "grab" the data or could be
client <- server to have the data "given" to you.

Snooping, watching truss/trace output and watching the network stats on my
FWTK box shows that the ftp-gw process gets the client
"PORT clientip,clientport" command and tells the remote server side
"PORT firewallip,20" ... so the remote server should connect *back* to your
FWTK box to give you the data. (I should have just read the source code, I
know).

... my fwtk is 2.0

-- joe

----------
From: Bob Gerrish[SMTP:u-rpg@nta.com]
Sent: Friday, September 26, 1997 10:10 AM
To: firewalls@GreatCircle.COM
Subject: Checkpoint and FWTK 1.2 ftp proxy hangs

I ran into a problem between Firewall Toolkit's ftp-gw proxy server and
Checkpoint. One of our trading partners purchased it from a consultant. We
were using the ftp-gw proxy from our end to transfer files. Checkpoint was
installed on the other end on an NT server. We could still ftp to their
system. pwd and cd worked but the connection hung when we tried to do a
get, put or dir. If we connected outside of the firewall, everything
worked fine. Of course, according to their consultant, it was our problem
and Checkpoint could never possibly have any bugs! We had no problem
connecting to/through other firewalls including wrappers and Gauntlet.

(They have since had another customer experience the same problem.) They
found that the ftp process was not sending a new line (or perhaps a CR/LF)
and they hacked Checkpoint to add it. We found that upgrading to FWTK 2.0
also solved the problem.
The only documented patch to any version of ftp-gw (the patch was for version 1.2) which looked even close was one to "Fixed timeout code in ftp-gw to be more forgiving of systems that decrement the passed timeout value." They are supposed to call next week when their consultant is in so we can determine which was the actual problem and what actually cured it. From owner-firewalls-list Wed Oct 1 16:44:20 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA27757; Wed, 1 Oct 1997 02:31:21 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id CAA27717 for ; Wed, 1 Oct 1997 02:30:57 -0700 (PDT) Received: from gw.kappa.ro by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id CAA15251; Wed, 1 Oct 1997 02:14:32 -0700 (PDT) Received: from localhost (dunarea@localhost) by gw.kappa.ro (8.8.7/8.7.3) with SMTP id MAA12208 for ; Wed, 1 Oct 1997 12:24:38 -0200 Date: Wed, 1 Oct 1997 12:24:38 -0200 (GMT+2) From: Dunarea Textil To: firewalls@GreatCircle.COM Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk remove From owner-firewalls-list Wed Oct 1 16:59:26 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id UAA22929; Tue, 30 Sep 1997 20:51:11 -0700 (PDT) Received: from fw.paimail.com ([204.183.2.130]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id SAA15324 for ; Tue, 30 Sep 1997 18:04:00 -0700 (PDT) Received: (from uucp@localhost) by fw.paimail.com (8.6.12/8.6.9) id TAA06463; Tue, 30 Sep 1997 19:51:58 -0400 Received: from dhcp19.paimail.com(10.0.2.19) by fw.paimail.com via smap (V2.0) id xma006460; Tue, 30 Sep 97 19:51:54 -0400 Message-Id: <3.0.3.32.19970930193043.006c8574@fw.paimail.com> X-Sender: rick@fw.paimail.com X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Tue, 30 Sep 1997 
19:30:43 -0400 To: Tim Evans From: Rick Murphy Subject: Re: Raptor VPN and Port 420 Cc: firewalls@GreatCircle.COM In-Reply-To: <199709251424.KAA24864@eplrx7.es.dupont.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 10:24 AM 9/25/97 -0400, Tim Evans wrote: >Raptor's VPN product communicates using port number 420/tcp, protocol >94 (IP over IP). A Raptor FAQ on the product mentions that some >ISP's may block this port/protocol. > >I expect to be doing battle with one or more ISP's on this >question. Can anyone tell me why this port might be blocked? And >provide arguments for enabling it? It's unlikely that any ISP would get into protocol filtering - their job is to provide connectivity. Firewalls would likely block this, however. > >(No religion please; the commitment to Raptor's already been made.) Sorry, I can't resist a comment - one would think that a company as big as Dupont would be using a secure VPN implementation - single DES (which is what swIPe is) isn't secure enough these days.. -Rick From owner-firewalls-list Wed Oct 1 17:08:06 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id UAA22956; Tue, 30 Sep 1997 20:51:49 -0700 (PDT) Received: from paranoia.abm.com.au (abm-3-34.abm.com.au [203.16.203.34]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id UAA22949 for ; Tue, 30 Sep 1997 20:51:37 -0700 (PDT) Received: (from uucp@localhost) by paranoia.abm.com.au (8.8.3/8.8.3) id OAA19974 for ; Wed, 1 Oct 1997 14:00:13 +1000 (EST) Received: from euphoria.abm.com.au(203.16.203.130) by paranoia.abm.com.au via smap (V1.3) id sma019972; Wed Oct 1 14:00:08 1997 Received: by euphoria. 
(SMI-8.6/SMI-SVR4) id NAA18916; Wed, 1 Oct 1997 13:52:43 +1000 Message-Id: <199710010352.NAA18916@euphoria.> Received: from austlabs.ozemail.com.au(203.108.63.220) by euphoria via smap (V1.3) id sma018912; Wed Oct 1 13:52:28 1997 From: "Jan Zeilinga" To: Subject: Firewalls on NT Date: Wed, 1 Oct 1997 13:46:40 +1000 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1161 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk HI, Coming from a heavy UNIX background ( Solaris, HPUX) I do not fully understand all the services a NT server has. Hence I was wondering does any one out there, know of how to secure a NT server 4.0 ( service pack 3) correctly and could they possibly give me some pointers so as to make this firewall secure. AND most importantly are there any hidden undocumented features in FW1-3 on NT. In all the previous NT vs Solaris people have been more concerned with speed rather than which OS provides the better security. 
Against my better judgment the customer wants NT to be the be the OS for the firewall ( check point 3.0b as the firewall ) { {{{{ shiver }}} } Jan Zeilinga Unix/Network consultant abm Australasia Pty Ltd Tel 613-94159166 Fax 613-94159245 From owner-firewalls-list Wed Oct 1 18:22:59 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id QAA24894; Tue, 30 Sep 1997 16:18:51 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id QAA22759 for ; Tue, 30 Sep 1997 16:09:39 -0700 (PDT) Received: from mail.the-wire.com by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id QAA08095; Tue, 30 Sep 1997 16:04:04 -0700 (PDT) Received: from psyche.the-wire.com (psyche [198.53.192.2]) by mail.the-wire.com (8.8.7/8.8.7) with ESMTP id TAA23403; Tue, 30 Sep 1997 19:09:09 -0400 (EDT) Received: from anton.the-wire.com (anton.the-wire.com [205.206.32.227]) by psyche.the-wire.com (8.8.6/8.8.7) with SMTP id TAA01111; Tue, 30 Sep 1997 19:09:37 -0400 (EDT) Message-Id: <3.0.32.19970930190330.0096dcc0@mail.the-wire.com> X-Sender: anton@mail.the-wire.com X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Tue, 30 Sep 1997 19:11:06 -0400 To: Joseph Judge From: Anton J Aylward Subject: RE: 10.10.30.30 Cc: "firewalls@GreatCircle.COM" Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 11:03 PM 09/09/97 -0400, you wrote: ## Reply Start ## >On the packet filters (or routers) in front of the firewall and web lans, >I usually make sure there is a list of "anti-spoof" rules --- these protect >from such silliness. Good. I wish more ISPs did. >For example, we know 10.0.0.0 is not routed (and 192.168.0.0, etc). I "is" or "should not be" ? Do you actually have a rule which means its not routed, as opposed to the 'default" taking care of it as most do? >But ... 
it sounds like an annoyance more than a denial of service. >So, I imagine some bonehead out there is "leaking" their private >(reserved) addresses out to the Internet. :-( Most sites I visit I try a traceroute on these addresses to what happens. I may have to pick a subnet which isn't being used internally. Mostly it goes out into the internet and round a round for a bit. The "backbone" providers - we all know who they are - are not doing their jobs with this one. Do they have an excuse? Perhaps "adding these filters degrades throughput". Well get a router where it doesn't degrade - they exist. /anton ## Reply End ## -------------------------------------------------------------------------- Anton J Aylward | "Quality refers to the extent to which The Strahn & Strachan Group Inc | processes, products, services, and Information Security Consultants | relationships are free from defects, Voice: (416) 494-8661 | constraints and items which do not add Fax: (416) 494-8803 | value." - Dr. Mildred G Pryor, 1995 From owner-firewalls-list Wed Oct 1 18:56:37 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA17067; Wed, 1 Oct 1997 05:05:40 -0700 (PDT) Received: from balch.com (mail.balch.com [205.241.1.36]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id FAA17038 for ; Wed, 1 Oct 1997 05:05:31 -0700 (PDT) Received: from BALCHBHM-Message_Server by balch.com with Novell_GroupWise; Wed, 01 Oct 1997 07:08:28 -0600 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Wed, 01 Oct 1997 07:07:59 -0600 From: BILL LOWRY Reply-To: blowry@balch.com To: Firewalls@GreatCircle.COM Subject: Firewalls-Digest V6 #471 -Reply Mime-Version: 1.0 Content-Type: text/plain Content-Disposition: inline Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I'm sorry, I'll be in class this week. If you need immediate attention, please contact Eric Hunter. 
Thanks, WRL From owner-firewalls-list Wed Oct 1 18:58:32 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id DAA01382; Wed, 1 Oct 1997 03:00:57 -0700 (PDT) Received: from mnl.sequel.net ([204.255.104.30]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id CAA00933 for ; Wed, 1 Oct 1997 02:59:05 -0700 (PDT) Received: from Mind_Ripper by mnl.sequel.net (SMI-8.6/SMI-SVR4) id RAA10166; Wed, 1 Oct 1997 17:50:29 +0800 Message-Id: <3.0.1.32.19971001174904.00ab4290@mnl.sequel.net> X-Sender: succesor@mnl.sequel.net X-Mailer: Windows Eudora Light Version 3.0.1 (32) Date: Wed, 01 Oct 1997 17:49:04 To: drexx@sunphil.mozcom.com (Dexter D. Laggui), firewalls@greatcircle.com, fw-1-mailinglist@us.checkpoint.com From: Gaddy Gumbao Subject: FW-1 and Hypercom's NMS protocol In-Reply-To: <199703202027.MAA08539@sunphil.sunphil.mozcom.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi there, I would like to register on the mailing list for firewall-1.How can I be enlisted there. 
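Returning to the ftp-gw thread above (Joseph Judge's description of the PORT rewrite, and Bob Gerrish's finding that a missing CR/LF hung the data channel), the following is an added Python illustration, not ftp-gw's or Checkpoint's code: it models how an application proxy relays a client's PORT command so the remote server connects back to the proxy's port 20, and how a command that never receives its CRLF stays pending at the receiver. The addresses are constructed, and the check that a client's PORT names its own address is my assumption about what a proxy should enforce.

```python
"""
Constructed model of the FTP active-mode relay discussed in the ftp-gw
thread. Not ftp-gw's own source: it shows the PORT rewriting and the
CRLF line framing the posts describe.
"""
import re

# RFC 959 form: PORT h1,h2,h3,h4,p1,p2 (address octets, then port high/low byte)
PORT_RE = re.compile(
    r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")


def parse_port(command):
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (ip, port); None if malformed."""
    m = PORT_RE.match(command.rstrip("\r\n"))
    if m is None:
        return None
    fields = [int(f) for f in m.groups()]
    if any(f > 255 for f in fields):
        return None
    ip = ".".join(str(f) for f in fields[:4])
    return ip, fields[4] * 256 + fields[5]


def format_port(ip, port):
    """Encode (ip, port) as a PORT command with the CRLF RFC 959 requires."""
    return "PORT %s,%d,%d\r\n" % (ip.replace(".", ","), port // 256, port % 256)


def rewrite_port_for_server(client_command, client_ip, proxy_ip, proxy_port=20):
    """Relay a client PORT through the proxy, as the thread describes ftp-gw doing.

    The remote server is told to open the data channel back to the proxy
    (proxy_ip, proxy_port); the proxy then relays it to the client's address.
    Assumed defensive check: a PORT naming an address other than the client's
    own is refused, so the proxy never opens a data channel to a third host.
    """
    parsed = parse_port(client_command)
    if parsed is None:
        return None
    target_ip, _ = parsed
    if target_ip != client_ip:
        return None
    return format_port(proxy_ip, proxy_port)


def split_commands(stream):
    """Frame a control-channel stream into complete CRLF-terminated commands.

    Returns (commands, leftover). A command that never receives its CRLF stays
    in leftover and the receiver keeps waiting: the symptom reported in the
    thread (pwd works, dir hangs) when the line terminator was missing.
    """
    commands = []
    while "\r\n" in stream:
        line, stream = stream.split("\r\n", 1)
        commands.append(line)
    return commands, stream


if __name__ == "__main__":
    # Constructed addresses: client 10.0.0.5 on port 1031, proxy 192.0.2.1.
    client_cmd = format_port("10.0.0.5", 1031)        # "PORT 10,0,0,5,4,7\r\n"
    print(repr(rewrite_port_for_server(client_cmd, "10.0.0.5", "192.0.2.1")))
    # A terminated command is framed; an unterminated one is left pending.
    print(split_commands("PWD\r\nPORT 192,0,2,1,0,20"))
```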
From owner-firewalls-list Wed Oct 1 19:04:18 1997
From: Sick Puppy
To: Bernd Eckenfels
Cc: Bill Stout, firewalls@GreatCircle.com
Subject: Re: Red Beard's Network Flight Recorder
Date: Tue, 30 Sep 1997 21:40:36 -0400 (EDT)

On Wed, 1 Oct 1997, Bernd Eckenfels wrote:

> > General's CyberCop inside their network, with a firewall device in between
> > them, we are, to put it delicately, fucked.
>
> This is the best marketing I have read for a long time on this list. Puppy,
> your mails getting sick. :)
>

There needs to be a clarification here. This isn't marketing. It's a warning to the other d00dz that read this list. alt.2600 is full of kids and wannabes. The kewl d00dz read this list.

I have mucked about with Red Beard's code and hit his Gauntlet code pretty hard. He would make a first class cracker, so I have respect for his intellect. I have respect for Network General too. I am just better at what they do than they are.

If anybody tries to convince you that Sick Puppy is marketing anything, then that person has his head firmly embedded in his ass.

Sorry for going off topic, but I am not associated with anyone selling anything and I believe there is a real need for independent academic research.

SP, tCED

From owner-firewalls-list Wed Oct 1 19:05:27 1997
From: Chris Inskeep
To: "'Firewalls@GreatCircle.COM'"
Subject: Williamsburg Security Seminar
Date: Wed, 1 Oct 1997 05:58:49 -0400

My boss is hosting an information security seminar, Practical Security for Sensitive Systems, in Williamsburg, Virginia the week of 27 - 31 November. I mention this here because I frequently see requests from novices for inexpensive training (this is a week for $300, and you get fed! (I also have some scholarships for students.) Which is a pretty good deal if you're already in the mid-Atlantic region (the same week, NCSA's firewall seminar is equally good if you're on the West coast.)) 22 presentations (roughly 30% of the total) deal specifically with firewalls and/or network security.

Just so this message isn't totally spam, if you can't attend the seminar, a limited number of copies (300 or so) of the proceedings will be available (free) the first week of November. They will be in the form of PowerPoint presentations on diskettes. The copies will go out by snail mail, so I'll need a mailing address.

If you're interested in the seminar, return this message and I'll send you the full agenda. If you want a copy of the proceedings return this message with your mailing address.

An extract of the agenda detailing the firewall and network security specific presentations is below.

Practical Security for Sensitive Systems
Ramada Inn and Conference Center, Williamsburg, Virginia
27 - 31 October 1997

Novice training, Monday and Tuesday 27 - 28 October

Management Track: Information Security for Managers. (full day)
A workshop will be provided to acquaint managers and others with the basics of information security. This workshop is intended to lay a foundation for seminar attendance by providing a working vocabulary and familiarity with the essential concepts of information protection.

Management Track: Information Risk Management for Managers. (full day)
A workshop will be provided to acquaint managers and others with the basics of information risk management. This workshop is intended to lay a foundation for seminar attendance by providing a working vocabulary and familiarity with the essential concepts of information risk management.

Seminar presentations, Wednesday, Thursday, and Friday 29 - 31 October

Wednesday, 29 October

1:00 Standard Firewall/Web Server Vulnerabilities
Presenter: Jay Heiser, Director, Internet Product Development, HomeCom Communications
This presentation will discuss the results of the compilation of findings from a large number of commercial network security analyses in the area of firewall and web server vulnerability.

1:45 Considerations in Selecting An Operating System for a Firewall/Web Server
Presenter: Sammy Migues, Chief Scientist, HomeCom Communications
This presentation will discuss the considerations and tradeoffs associated with operational vulnerabilities when selecting an operating system for a firewall or web server.

Thursday, 30 October 1997

Information Security Presentations

11:00 Top 12 Lessons Learned from Hacker Attacks
Presenter: Mark Boster, Department of Justice
This presentation will discuss lessons learned from a number of hacker attacks.

1:00 The Betty Cracker Story
Presenter: Steven Manning, Principal, CSTACK Inc.
This presentation will discuss a case study of a complex hacker attack.

1:45 Sniffer-Safe Networks, Experience From a Recent Incident
Presenter: Peter Bivesand, Linkoping University, Sweden
This presentation will discuss lessons learned by a Swedish Computer Emergency Response Team from a recent hacker incident.

3:00 The National Finance Center's Certification Authority and the Use of Digital Signature
Presenter: Kathy Sharp, National Finance Center, USDA
This presentation will discuss activities related to implementation of a certificate authority and the use of digital signature within the USDA.

3:45 Practical Implementation of Secure Socket Layer in a Managed Products Environment
Presenter: Trevor Ramsaran, L3 Communications
This presentation will discuss L3's efforts to manage their product development and associated data electronically. This case study addresses the various security technology options L3 analyzed in implementing their Product Data Management initiative.

Track 2: Information Security Best Practices

9:00 A Primer for Firewall Administration for a Secure Network
Presenter: Stu Thomas, National Finance Center, USDA
This presentation will discuss recommended best practices related to the management of firewalls based on NFC's experiences.

9:45 Anatomy of a Hack
Presenter: Don Creamer, QuesTech
This presentation will discuss typical hacking techniques and the types of vulnerabilities that hackers look for. Methods of decreasing your chances of being hacked will be presented.

11:00 So You Think You're Secure? (Security Holes in Relatively Secure Networks)
Presenter: Kathie Brady, QuesTech
This panel will discuss QuesTech's assessment of re-occurring security holes on relatively secure networks while performing Vulnerability Assessments and Penetration Analyses of commercial and Government networks. QuesTech will present typical vulnerabilities found on relatively secure networks and methods of correcting these vulnerabilities without significantly affecting the operation of the network.

1:00 She Said/He Said: Tales From the Trenches
Presenter: Char Sample and Mark Teicher, Price Waterhouse LLP
This tutorial addresses real life firewall integration experience gained in the implementation of over 250 firewalls as seen through the eyes of the presenters. Both presenters have noticed that certain problems have made the installation process for many sites a difficult experience. Additionally the presenters have noticed that many problems have a way of exhibiting behavior that causes the administrator to look for solutions in different places other than the source. For example: DNS causing administrators to look for network or routing problems.

1:45 Firewall Secure Installation
Presenter: Michael McEvilley, Mitretek
This presentation will discuss Mitretek's experiences gained when implementing an in-house firewall. This includes resolution of requirements through collaboration with the vendor, implementation of the ruleset, re-location of existing network services, and operational issues.

3:00 Public Key Infrastructure
Presenter: Bill Bialick, Spyrus Technologies
This presentation will discuss the concept and reality of Public Key Infrastructure as a foundation for next generation encryption.

Friday, 31 October 1997

Information Security Presentations

Track 1: Security Technology

9:00 Understanding Centralized Audit
Presenter: Paul Proctor, Science Applications International Corp.
This presentation will discuss technology to enable implementation of individual accountability in a client/server network environment.

9:45 Understanding Unitary Logon
Presenter: Tom McHale, Platinum Technology
This presentation will provide an overview of unitary logon technology, enabling users in a network to securely gain access to network resources with a single password and no danger of masquerading.

11:00 Remote Authentication Technology
Presenter: Chris Kosting, Science Applications International Corp.
This presentation will discuss available remote authentication technology to securely enable individuals access to remote information resources without danger of compromise or masquerading.

Track 2: Firewalls

9:00 Firewall Basics, Part 1
Presenter: Chris Kosting, Science Applications International Corp.
This presentation is the first of a two part tutorial explaining the basics of firewall technology.

9:45 Firewall Basics, Part 2
Presenter: Chris Kosting, Science Applications International Corp.
This presentation is the second of a two part tutorial explaining the basics of firewall technology.

11:00 Network Architectures for Firewalls
Presenter: To be named, DSA Systems, Inc.
This presentation will discuss network architecture options when implementing a firewall.

1:00 Use of Firewalls with Other Countermeasures
Presenter: Joachim (Vic) Winkler, SUN Microsystems
This presentation will discuss the use of multiple countermeasures to achieve a layered protection scheme.

Track 3: Panel Discussions

9:00 Emerging Security Technologies
Moderator: Chris Inskeep, Senior Security Engineer, GeoLogics Corp.
This panel will consist of a series of presentations from vendors related to products and technology to be available in 1998 and 1999. There will also be a group discussion on the general direction of security technology.

1:00 Available and Next Generation Firewall Technology
Moderator: Ken Alonge, Director of Information Security, GeoLogics Corporation
This panel will discuss issues related to the integration of security products into a cohesive, secure environment.

From owner-firewalls-list Wed Oct 1 19:06:58 1997
From: john kerr
To: Arthur Young
Cc: "'firewalls@greatcircle.com'"
Subject: Re: Radius
Date: Wed, 01 Oct 1997 09:04:01 -0400

Arthur,

RFC2138 is a good start.

Arthur Young wrote:
> It may not be appropriate for this list, but where can I find out about Radius servers?

From owner-firewalls-list Wed Oct 1 19:08:31 1997
From: Gary Bryant
To: Firewalls@GreatCircle.COM
Subject: Re: Firewalls-Digest V6 #471
Date: Wed, 01 Oct 1997 09:02:54 -0400

I am trying to allow X windows through the firewall but not having much success. Can anyone help me - or is this not a good thing?

We are trying to use the SecureRemote through the CheckPoint firewall. Any suggestions on how to get this to work?

From owner-firewalls-list Wed Oct 1 19:09:58 1997
From: Jeffrey Porter
To: firewalls@greatcircle.com
Subject: SPAM filters on Raptor
Date: Wed, 01 Oct 1997 06:54:25 -0600

Currently, we use Eagle 4.0 as an SMTP proxy between our corporate mail server and the internet. The corp. server (internal) uses sendmail and we could implement anti-spam rule sets on it. However, the problem resides in the fact that we have our firewall proxy SMTP - thus the internal mail server thinks that every piece of mail comes from the firewall. I could have the firewall just pass SMTP through to the mail server - yet I would like to avoid exposing my sendmail to the outside world if I can get away with it.

Does anyone know of a way to handle anti-spamming on a Raptor firewall????

Jeff Porter
jporter@verio.net
Verio Inc.
http://www.verio.net

From owner-firewalls-list Wed Oct 1 19:11:25 1997
From: C Matthew Curtin
To: John Clark
Cc: firewalls@GreatCircle.COM
Subject: Re: This List, Hummmmm....
Date: Tue, 30 Sep 1997 23:32:12 -0400 (EDT)

From: Sami Mousa
To: Karl_Horn@krzmail.krz.uni-heidelberg.de, firewalls@GreatCircle.COM
Subject: Re: firewall evaluation
Date: Wed, 01 Oct 1997 08:56:21 -0400

Subject: Re: Technical Comparison of Firewalls -- Will Everyone PLEASE Chill
References: <199709120003.SAA26732@future.mulligan.com>
Sender: firewalls-owner@GreatCircle.COM

The traffic devoted to this argument is hardly worth the effort. Below, you will find what GNSS currently has on it. (A little nicety for the original, poor soul that asked the question.) But, really, chill...it ain't no thang.

Info follows:

"Comparison: Firewalls." June 17, 1996. LanTimes. Comprehensive comparison of seven or eight firewall products.
http://www.lantimes.com/lantimes/usetech/compare/pcfirewl.html

Do you use NT? Start here:
Windows NT Firewalls: Guardian Vs. Firewall/Plus Vs. Eagle NT Vs. AltaVista Firewall (PC Today)
http://www.pctoday.com/editorial/hth/970720.html

InfoWorld's Firewall Product Comparison (Good resource that also discusses cost)
http://www.infoworld.com/cgi-bin/displayArchive.pl?/96/46/firea.dat.htm

Seven Locks' now-watered-down comparison: it states only the characteristics of each:
http://www.sevenlocks.com/quarc/security/tocfirewallcomparisoncharts.htm

Can Firewalls Take the Heat? Study at data.com. Short but sweet, important because of the comparison chart (However, caveat emptor, as always)
http://www.data.com/Lab_Tests/Firewalls.html

Filtering Gateways vs. Application Gateways. David Dalva, Trusted Information Systems, Inc. (You know what this is; just a look at methodology)
http://www.tis.com/docs/products/gauntlet/FWComp.html

Defending the Front Line. Lan Times. Kevin Tolly, John Curtis, and Elke Passarge
http://www.raptor.com/news/lantimes/firetext.html#comp

Scorecard from above article (hard-core)
http://www.wcmh.com/96jun/606s054b.html

Find the Right Firewall (ZDNET.) Bench Test and Stats:
http://www8.zdnet.com/zdimag/content/anchors/970127/1.html
Feature Comparison: (Comprehensive)
http://www8.zdnet.com/zdimag/content/anchors/970127/features.html

Behind the line of fire. (PC Mag. Short, sweet, blah.)
http://www8.zdnet.com/pcmag/issues/1522/pcmg0058.htm

The whole bloody list of vendors and sites:
http://www.zeuros.co.uk/firewall/vendors.htm

"Firewall products today," Cooper, S P. UCRL-JC-119743, 18 pgs., February 28, 1995.
http://www.llnl.gov/tid/lof/documents/pdf/225846.pdf

"Firewall Performance Measurement Techniques: A Scientific Approach." Marcus Ranum. February 4, 1996 (Ask Marcus Ranum...he has moved this document.)

Fortified evaluation checklist on firewall products:
Comma Delimited: http://www.fortified.com/files/fweval.txt
Excel Spreadsheet: http://www.fortified.com/files/fweval.zip

Rating of application layer proxies. AT-0008 Revision 2. Michael C. Richardson -- mcr@sandelman.ottawa.on.ca
http://www.sandelman.ottawa.on.ca/SSW/proxyrating/proxyrating.html

Just the Facts About Firewalls. Chey Cobb, Webmaster, NCSA (Some Interesting Info)
http://www.ncsa.com/library/firefacts.html

Group of 15 firewalls hold up under security scrutiny. Stephen Lawson, InfoWorld Electric
http://www.infoworld.com/cgi-bin/displayArchives.pl?96067.firewall.htm

Firewall purchasing decisions are not always obvious: First Union Bank and Intersolv find similar solutions to network security dilemma. Anne Knowles, Infoworld (Interesting article)
http://www.infoworld.com/cgi-bin/displayArchives.pl?97-nr03-12.58d.htm

Internet firewalls: Playing with fire. Tested and reviewed by Mark Pace. Additional testing by Brooks Talley, Technology Analyst. Introduction by Michelle Murdock. Edited by Julia C. Carreon, Associate Editor
http://www.infoworld.com/cgi-bin/displayArchives.pl?dt_iwe31-96_84.htm

Choosing a Firewall. ZED Data Systems
http://www.zed.ca/firewall.htm

George R. Kurtz & David Roath. "Shopping for Firewalls", in Infosecurity News, MIS Institute Press, 1995.

"Firewall Application Notes." More general document that describes building a firewall. Also addresses application proxies, Sendmail in relation to firewalls, and the characteristics of a bastion host. Livingston Enterprises, Inc.
http://www.telstra.com.au/pub/docs/security/firewall-1.1.ps.Z

Firewall theory and architecture
http://fw4.iti.salford.ac.uk/ice-tel/firewall/theory.html

and finally, some more traditional reading materials:

Firewalls and Internet Security: Repelling the Wily Hacker. Addison-Wesley Publishing Company. William R. Cheswick and Steven M. Bellovin. April, 1994. ISBN: 0-201-63357-4.

Internet Security Resource Library: Internet Firewalls and Network Security, Internet Security Techniques, Implementing Internet Security. New Riders. ISBN: 1-56205-506-2. 1995.

Internet Firewalls and Network Security. Chris Hare and Karanjit Siyan. Second Edition. New Riders. ISBN: 1-56205-632-8. 1996.

Internet Security: Risk Analysis, Strategies and Firewalls by Othmar Kyas. ISBN: 185032302X

Protecting Your Web Site With Firewalls. Marcus Goncalves, Vinicius A. Goncalves. April 1997. ISBN: 0136282075

Designing & Implementing Internet Firewalls. Tina Darmohray. July 1997. ISBN: 0133730026

Keeping Your Site Comfortably Secure: An Introduction to Internet Firewalls. BPI Information Services. December 1994. ISBN: 1579791867

"Network Firewalls." Steven M. Bellovin and William R. Cheswick. IEEECM, 32(9), pp. 50-57. September 1994.

PCWEEK Intranet and Internet Firewall Strategies. Ed Amoroso and Ron Sharp. Ziff-Davis Press. 1996. ISBN: 1562764225.

Building Internet Firewalls. D. Brent Chapman and Elizabeth D. Zwicky. O'Reilly & Associates. ISBN: 1-56592-124-0. 1995

I trust that will get the original, requesting party off in the right direction. This has been a public service from the bozos at http://www.gnss.com. I believe we can move on now.

(I should say this, though: all of us - at one time or another - plug our product or service. Perhaps the better approach would be this: if you are going to do it, also include a healthy list of other resources. But, the sheer volume of messages we received here over that last plug was just...surprising.)

To the original, requesting, party...if you are still out there: The link http://www.zeuros.co.uk/firewall/vendors.htm will take you to *every* last vendor out there. In my opinion, I would use this as a starting point and judge the products for myself. Some of the articles above have been subjected to scrutiny - as everything eventually does on this network - and therefore, you may find inconsistencies, corrections and so forth. Believe it or not, only the vendors have the latest and greatest on their own stuff. Put on a wetsuit and dive in.

Oh yes...one last note: the above articles may not be as "technical" as you had wanted. If so, we apologize. If anyone actually has resources of this nature that are updated or newer (and not just further flames to the original spamming party) please forward them to GNSS. We'd love to have them.

Osiris -- Team Leader and Head Bozo
Global Network Security Systems

At 04:15 PM 9/24/97 MEZ, Karl_Horn@krzmail.krz.uni-heidelberg.de wrote:
>
>
>
> Hallo,
>
> I'm looking for a list of general questions to evaluate/compare
> firewall-products.
> I remember a helpful list from someone in U.K. but forgot the URL.
>
> Someone remembers the URL?
>
> Thank u
>
> Regards K.Horn
>
>
>
>

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
** Sami Mousa, FORE ATM(WAN) Certified                                    **
** International Network Services   Office: (908)603-8541 x320            **
** Network Systems Engineer         e-mail: sami_mousa@ins.com            **
** 120 Wood Ave South               Pager: (888)896-4064                  **
** Suite #615                       Fax: (908)548-5630                    **
** Iselin, New Jersey 08830         www.ins.com                           **
=============================================================================
"My statements in this message are personal opinions \
 which may have no basis whatsoever in fact."
From owner-firewalls-list Wed Oct 1 19:13:46 1997
From: Jamie Pratcher
To: firewalls@GreatCircle.COM
Date: Wed, 01 Oct 1997 09:56:36 -0400

remove

From owner-firewalls-list Wed Oct 1 19:16:13 1997
From: "Jens-Erik Hansen"
To: firewalls@GreatCircle.COM
Date: Wed, 1 Oct 1997 10:07:09 +0200 (MET DST)

remove

From owner-firewalls-list Wed Oct 1 19:16:16 1997
From: Terry Dugan
To: All
Subject: Cyberguard and Gauntlet
Date: Wed, 1 Oct 1997 10:34:00 -0400

We are evaluating two firewall offerings - Cyberguard and Gauntlet. Does anyone know of any concerns we should have about either of the products? Or, does anyone have any technical pluses about either product?

Besides their core firewall, we also want to interface with a virus protection product and utilize VPN capabilities down the road. We also would like to consider using transparent proxies.

Thanks for any input you may have.
From owner-firewalls-list Wed Oct 1 19:17:17 1997
From: Peter da Silva
To: lists@lina.inka.de (Bernd Eckenfels)
Cc: sgcccdc@citec.qld.gov.au, ark@paranoid.convey.ru, firewalls@GreatCircle.COM
Subject: Re: split dns - bind 4
Date: Wed, 1 Oct 1997 08:50:46 -0500 (CDT)
In-Reply-To: from "Bernd Eckenfels" at Sep 24, 97 02:47:03 am

> What is this DNS Server used for? Resolving only from the Firewall? Is this
> really a big win compared with the additional RAM you need to do? Why don't
> you let the firewall simply resolve to the mentioned internal DNS Servers?

You can only put three names in resolv.conf. Which means the firewall has to do without a redundant name service on either the internal or external side. Which means if said server goes down you lose nameservice on the firewall.
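The usual way round that three-entry limit, shown here as an added example that is not from this thread: the firewall runs its own forwarding name server and resolv.conf points at it, so each side can have two or more upstream servers and the loss of any one of them costs nothing. The fragment uses BIND 9 named.conf syntax rather than the BIND 4 named.boot the subject line refers to; the addresses and the zone name are constructed.

```conf
// Added example in BIND 9 syntax; addresses and zone names are constructed.
// The firewall's own /etc/resolv.conf then needs a single entry:
//   nameserver 127.0.0.1
options {
    directory "/var/named";
    listen-on { 127.0.0.1; };      // answer only the firewall itself
    allow-query { 127.0.0.1; };
    recursion yes;
    // Anything not matched by a zone below is sent to the external
    // resolvers. Two of them, so losing one keeps external lookups working.
    forwarders { 192.0.2.53; 192.0.2.54; };
    forward only;
};

// Internal namespace: forwarded to two internal servers, again redundant.
zone "corp.example" {
    type forward;
    forward only;
    forwarders { 10.1.0.53; 10.1.0.54; };
};

// Reverse lookups for the internal 10.1.0.0/16 range take the same path,
// so the firewall's logs can still name internal hosts if one server is down.
zone "1.10.in-addr.arpa" {
    type forward;
    forward only;
    forwarders { 10.1.0.53; 10.1.0.54; };
};
```

Nothing but the firewall itself can query this server, so it adds no listening service to the outside; the resolver tries each forwarder in a list before giving up, which is what a plain three-line resolv.conf split between two sides could not provide.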
From owner-firewalls-list Wed Oct 1 19:19:25 1997
From: Scott Roberts
Reply-To: "scottrob@mediaone.net"
To: "Firewalls (E-mail)"
Subject: Which Firewall
Date: Wed, 1 Oct 1997 11:28:23 -0400
Organization: Roberts' Keyboard Connection

If this is a repost, please forgive me, but I do not think the first one went through...

I am the Network Administrator for 2 LANs. We have just gotten set up on AT&T WICS service to provide our frame relay and internet connect services. The problem that I am obviously having is that now both of my LANs are accessible from the internet. I know I can use my routers to provide some blocking, but what I need is the ability to allow certain people access from the internet into any part of the LANs - for example...me. I also need the ability to provide reports to certain of our Directors that want to know who from their department accesses the internet and for how long.

What firewall solution would be best for us?

----------
Scott Roberts
ScottRob@mediaone.net

From owner-firewalls-list Wed Oct 1 19:20:56 1997
From: "Amy (Cremer) Briggs"
To: firewalls@GreatCircle.COM
Subject: Java & Java Script
Date: Wed, 1 Oct 1997 10:59:05 -0400 (EDT)

We are currently having discussions at our site as to whether or not to allow Java and/or Java Script into our network. In the past we'd decided not to allow it based on security concerns we'd read about and discussions I'd seen on this topic coming from this list. This decision is being re-hashed again because some folks believe that there are no reasons for Java/Java Script security concerns. I really don't know a lot about Java/Java Script so I'm wondering if some of you would be willing to answer the following questions for me:

1. What security concerns are there with letting Java into your network?
2. What security concerns are there with letting Java Script into your network?
3. What are some examples of what can be done with Java to compromise your network?
4. What are some examples of what can be done with Java Script to compromise your network?

I'm also being asked to provide materials discussing these security risks from an authoritative source such as CIAC.
If you could point me to some good sources of information published by authoritative sources that would be very helpful.

TIA,
Amy

From owner-firewalls-list Wed Oct 1 19:22:22 1997
From: "Conrad Minor"
To: , , "Sick Puppy"
Subject: Re: Finding a wiretap or NIC card with a TDR
Date: Wed, 1 Oct 1997 10:18:25 -0400

Sick et al,

I was thinking more that you'd need to find a way to make the Ethernet cards burp out packets unintentionally. Has anyone looked into the new manageable ENet cards? Can they be made to reveal themselves? Your Ethernet TDR would send some magic packet which made the Ethernet cards reply unbeknownst to the owner of the card (only if the transmit part of the card is still enabled though).

TDR does emit a pulse like radar or sonar. It measures impedance changes in the wire based on reflection (VSWR?). You can even see the changes that individual connectors make to the general impedance of a cable.

Conrad

----------
> From: dharris@kcp.com
> To: firewalls@GreatCircle.COM; Sick Puppy
> Subject: Re: Finding a wiretap or NIC card with a TDR
> Date: Tuesday, September 30, 1997 9:12 AM
>
> Doesn't TDR *require* actively creating a pulse so you can measure its
> reflection? If you don't know when you emitted the pulse how can you measure
> the time until its echo? I suppose a pattern-matching oscilloscope could be
> configured to measure the time between an outgoing 'ping' and its echo ;-)
>
> ______________________________ Reply Separator _________________________________
> Subject: Finding a wiretap or NIC card with a TDR
> Author: Sick Puppy at INTERNET-MAIL
> Date: 9/27/97 9:40 PM
>
> We have reason to believe that some looser geeks or phederal phucks
> have sneaked a wiretap onto a network segment that we often cross.
> We also happen to have a couple of Time Domain Reflectometers left over
> from previous academic research on satellite channels. If we plug the
> TDR's into the network segment there is a real good chance that the
> looser geeks or whatever will spot us so we need to run in stealth
> mode.
>
> The network segment hosts several Unix boxes on which we are privileged
> users. (Our network, our boxes of course. What else could they be?)
>
> Does anybody know of any software that will run on a Unix or NT box and
> provide the same information as a TDR?
>
> Does anybody know of an equivalent software package that will run on Unix
> or NT and help us find the wiretap or silent NIC card we think is there?
>
> Sick Puppy, the Cat_Eating_Dawg

From owner-firewalls-list Wed Oct 1 19:23:36 1997
From: Leonard Miyata
To: Gary Crumrine
Cc: firewalls@greatcircle.com
Subject: RE: EE Times Article
Date: Wed, 1 Oct 1997 10:04:48 -0700 (PDT)
In-Reply-To: <01BCCE32.2128A610@gcrum@us-state.gov>

I finally found their web posting of the article
http://techweb.cmp.com/eet/whitepaper/whitepaper.html

Personally, I prefer the old-fashioned paper copy myself (And they left out the picture of the hacked S/Key card !?!?)

Personal Opinions Provided by Leonard Miyata aka leonard@geminisecure.com
Gemini Computers Inc.

On Wed, 1 Oct 1997, Gary Crumrine wrote:
> Kind of hard to comment on something you can't get your
> hands on Leonard. Perhaps if you could paraphrase
> somewhat??
>
> On Friday, September 26, 1997 1:06 PM, Leonard Miyata
> [SMTP:leonard@geminisecure.com] wrote:
> | There is an article in this week's Electronic Engineering
> | Times (CMP Media Publisher) Sept 22, 1997, titled 'The Rise of
> | the Underground Engineer' that is worth your time looking at.
> | It covers WinNT Security (Old Topic) as well as network
> | security issues in general.
> |
> | For those people in the know, any comments????
From owner-firewalls-list Wed Oct 1 19:24:52 1997
From: Rick Murphy
To: ralf
Cc: firewalls@GreatCircle.COM
Subject: Re: A question about x-gw
Date: Wed, 01 Oct 1997 12:51:52 -0400

At 04:18 PM 9/30/97 +0200, ralf wrote:
> The tn-gw from TIS fwtk supports this with the "x-gw" command, but when
> using it, the proposed variable DISPLAY is "internal-ip:10" which is not
> reachable from "external-ip" because they don't know about our internal
> IP addresses (which actually are 10.xxx :-). So the question is: how can
> we get x-gw to generate the variable DISPLAY "external-ip:10" and to listen
> to the proper socket on the proper "external-ip" interface? Maybe there
> is no way because the "x-gw" command is given before the "connect" command,
> so how should x-gw know about the destination of the "connect" command?

The x-gw proxy does not set the DISPLAY variable - what's going on is that your Telnet client and server are passing the value of the DISPLAY variable on the local host (telnet client) to the remote host (telnet server). You'll have to change the DISPLAY value on the target host yourself. The X proxy on the firewall will accept connections from either the inside or the outside interfaces, so you shouldn't have to do anything else.

-Rick

From owner-firewalls-list Wed Oct 1 19:26:29 1997
From: "Zilber, Alexey"
To: "'firewalls@greatcircle.com'", "'jkerr2@csc.com'"
Subject: RE: Downfalls of Proxy Server?
Date: Wed, 1 Oct 1997 12:19:40 -0400

> All,
> I was wondering what the downfalls of using Microsoft's proxy server
> to authenticate internal users to the Internet for HTTP services only.
> I realize that a rule must be put in the firewall to allow HTTP out from
> the proxy server's IP Address and that you no longer have a centralized
> location for all of the logs, but are there any other shortcomings? The

We've had great success with Proxy 1.0.

> internal network would be a windows NT network. The problem I'm trying
> to solve here is opposed to performing user authentication at the
> firewall and setting up users. I would use the NT groups already set-up

You can do it one of two ways. M$ Proxy comes with both Winsock Proxy and Web Proxy. It looks to me like you'll -JUST- be doing http proxying. If that's the case, then you can use the web proxy so not just the Windows machines have access. (Or use both and only use Web Proxy for the non-Windows machines.) User authentication is indeed done on the NT domain.

> in the internal and then selectively allow each group HTTP access. Any
> thoughts?

That is exactly how we have it set up. It seems to be working fine, and it's mostly transparent to the users. No need for them to clamor to the helpdesk with questions on proxy configurations...

> John

From owner-firewalls-list Wed Oct 1 21:22:00 1997
From: Alfred Huger
To: manuel.ricca@pararede.pt
Cc: firewalls@GreatCircle.COM
Subject: Re: Milkyway SecurIT - what for?
Date: Wed, 1 Oct 1997 12:29:51 -0600 (MDT)

On 24 Sep 1997 manuel.ricca@pararede.pt wrote:
> Hello everybody,
> Here is a quotation from Milkyway's insufficiently documented website:
>
> "All Ports Accept Communications
>
> An effective way to protect a system from unauthorized access is to prevent an intruder from learning anything about the
> system. As described, port scanning normally provides an intruder with exploitable information about a system. However, if all
> the would-be intruder learns is that all ports are accepting communications the intruder is no further ahead. There is nothing to
> distinguish one port from another. No new information is gained."
>
> What??? Is this supposed to be an idiot-security-manager-proof measure? At the expense of performance (has to)?
> Or did I just miss the point here?

You missed the point, completely. The reason the Milkyway Firewall keeps all its ports listening is to confuse port scanners. When a user performs a scan, they find *all* ports listening and therefore have no easily definable targets. It also rings bells for the Firewall Admin so he/she can see he/she is being scanned.

It's not a panacea, nor is it a poor idea. Honeypots and fake services are an important part of any perimeter system IMO. The longer you keep a would-be intruder poking the more of a chance you stand of noticing the activity. In fact, we wrote a similar utility at our company just for kicks to see what we would get. The service is a fake portmapper which returns a number of fake services. Any requests to the portmapper or to the services are packet logged. We manage to log 3 or 4 people a week door knocking, handy stuff really.

rpcinfo -p silence.secnet.com

/*************************************************************************
Alfred Huger              Phone: 403.262.9211
Secure Networks Inc.      Fax:   403.262.9221
**************************************************************************/

From owner-firewalls-list Wed Oct 1 23:15:02 1997
From: msrao@mtu.edu
To: Firewalls@GreatCircle.COM
Subject: Re: Firewalls-Digest V6 #471
Date: Wed, 1 Oct 1997 22:17:06 -0400 (EDT)

Hi,

I wanted to know if anybody is working on performance evaluation of wireless networks. I'll be interested to correspond with them.

Thanks
Manjunath

From owner-firewalls-list Wed Oct 1 23:45:01 1997
From: Rick Murphy
To: Joseph Judge
Cc: "firewalls@GreatCircle.COM", "'Bob Gerrish'"
Subject: RE: Checkpoint and FWTK 1.2 ftp proxy hangs
Date: Wed, 01 Oct 1997 22:27:32 -0400

Firewall-1 (at least older versions, they may have fixed this in current software) requires that the FTP "PORT" command arrive complete in a single IP packet. The older FWTK ftp-gw sent the PORT command in one write, then sent the terminating CR/LF in a second write. While this does not violate the protocol, it was not what the Firewall-1 FTP code expected. We used to joke about the fact that the supposed "stateful" firewall couldn't keep state across two packets :-)

I changed the ftp-gw to send the PORT command in a single write, thus working around the FW-1 bug. (To be fair, there are other firewall products that have the same bug - even application proxy firewalls, which fact I found rather surprising..)
-Rick From owner-firewalls-list Thu Oct 2 01:58:50 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA02713; Wed, 1 Oct 1997 23:55:01 -0700 (PDT) Received: from mobile.global.slb.com ([163.185.133.3]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id WAA19143 for ; Wed, 1 Oct 1997 22:49:40 -0700 (PDT) Received: by mobile.global.slb.com (5.0/SMI-SVR4) id AA22471; Thu, 2 Oct 1997 00:37:29 +0600 Date: Thu, 2 Oct 1997 00:37:28 -0500 (CDT) From: Seacol Chin To: Firewalls@GreatCircle.COM Subject: Re: Firewalls-Digest V6 #472 In-Reply-To: <199710020157.SAA05789@honor.greatcircle.com> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, I am looking for a NT-based router software that will act as router and bridge for 100VG and ethernet. Thanks, Seacol From owner-firewalls-list Thu Oct 2 04:38:10 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA25471; Thu, 2 Oct 1997 02:23:58 -0700 (PDT) Received: from penguin.wise.edt.ericsson.se (penguin-ext.wise.edt.ericsson.se [194.237.142.5]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id CAA25380 for ; Thu, 2 Oct 1997 02:23:25 -0700 (PDT) Received: from geek.nmac.ericsson.se (geek.nmac.ericsson.se [130.100.187.83]) by penguin.wise.edt.ericsson.se (8.7.5/8.7.3/glacier-1.12) with ESMTP id LAA09215 for ; Thu, 2 Oct 1997 11:22:14 +0200 (MET DST) Received: from haig.oplab.nmac.ericsson.se (haig.oplab.nmac.ericsson.se [130.100.187.85]) by geek.nmac.ericsson.se (8.8.5/8.8.5) with ESMTP id LAA06770 for ; Thu, 2 Oct 1997 11:23:57 +0200 Received: by haig.oplab.nmac.ericsson.se with Internet Mail Service (5.0.1457.3) id ; Thu, 2 Oct 1997 11:24:29 +0200 Message-ID: <43BED8177D10D011A69A0800092C15D70BBA62@haig.oplab.nmac.ericsson.se> From: =?iso-8859-1?Q?Robert_St=E5hlbrand?= To: "'firewalls@greatcircle.com'" Subject: PPTP and STEELHEAD Date: Thu, 2 
Oct 1997 11:24:28 +0200 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1457.3) Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi list! We are planning on using Steelhead to give certain customers a preview over new products via WWW-GUI over the internet. The idea is to connect one interface on our Steelhead machine to Internet and one to a "second DMZ" to our firewall (FW-1). With Steelhead we use PPTP to create a VPN to the customer. My questions are: 1) What about safety in the protocol PPTP? What kind of encryption-methodic is it using? How many bits of encryption is PPTP using (outside U.S)? 2) What is needed on the client (customer) side? Do you have to have another steelhead machine or any other client program? 3) Any comments on the connection to internet via a "second DMZ" (security aspects only, no routing problems)? Name: Robert St=E5hlbrand Company: Ericsson Telecom AB Company-Address: Fl=F6jelbergsv=E4gen 1C, Box 333 Zip-Code: 431 24 M=F6lndal Phone Number: +46 31 747 6162 Fax Number: +46 31 747 3777 Email: robert.stahlbrand@nmac.ericsson.se From owner-firewalls-list Thu Oct 2 05:01:30 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id DAA05047; Thu, 2 Oct 1997 03:26:27 -0700 (PDT) Received: from x400gtw.pararede.pt (x400gtw.pararede.pt [194.79.64.130]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id DAA05029 for ; Thu, 2 Oct 1997 03:26:00 -0700 (PDT) From: manuel.ricca@pararede.pt Received: by x400gtw.pararede.pt (8.6.8.1/1.2-eef) id LAA25660; Thu, 2 Oct 1997 11:27:51 GMT X400-Received: by /PRMD=pararede/ADMD=ip/C=pt; Relayed; 02 Oct 97 11:27:49 +0000 Date: 02 Oct 97 11:27:49 +0000 Delivery-Date: 02 Oct 97 11:27:51 +0000 Message-Type: Multiple Part X400-Originator: manuel.ricca@pararede.pt X400-MTS-Identifier: [/PRMD=pararede/ADMD=ip/C=pt;ISOCOR-340e1965-Tubarao] 
X400-Recipients: non-disclosure Original-Encoded-Information-Types: Teletex X400-Content-Type: P2-1984 Message-ID: Importance: normal Subject: RE: Re: Milkyway SecurIT - what for? Autoforwarded: FALSE To: huger@silence.secnet.com (Non Receipt Notification Requested) CC: firewalls@greatcircle.com (Non Receipt Notification Requested) In-Reply-To: Conversion: Allowed Conversion-With-Loss: Allowed Alternate-Recipient: Prohibited Content-Identifier: RE: Re: Milkyway Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 8Bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk My point was that a firewall shouldn't have many inbound ports open anyway. The ones that are open are probably either going to the DMZ (for example HTTP) or stopping at the firewall itself (for example SMTP). In practice, you will only have well-known services running on well-known ports, so you can expect well-known attacks for which you will have well-known defence. So, the method Milkyway is using would apply only if the firewall had other services running at other ports, which is definitely not a good security policy altogether, and that's what I meant in the previous mail. What they are saying is that if you have a hole in your firewall it will be harder for the attacker to find it. I still think the hole shouldn't be there to start with. Besides, what they are doing can be done with any other firewall anyway (you can define ACL's for all the ports if you want). But it can be avoided as well. ----------------- Manuel Ricca (manuel.ricca@pararede.pt) ParaRede - Tecnologias de Comunicação, S.A. R. D. Constantino de Bragança, 12 1400 Lisboa Tel: +351 1 3020451 Fax: +351 1 3020444 ------------------- From: huger@silence.secnet.com To: manuel ricca Cc: firewalls@GreatCircle.COM Subject: Re: Milkyway SecurIT - what for? 
Date: 01-10-1997 20:31

On 24 Sep 1997 manuel.ricca@pararede.pt wrote:
>
> Hello everybody,
> Here is a quotation from Milkyway's insufficiently documented website:
>
> "All Ports Accept Communications
>
> An effective way to protect a system from unauthorized access is to prevent an intruder from learning anything about the system. As described, port scanning normally provides an intruder with exploitable information about a system. However, if all the would-be intruder learns is that all ports are accepting communications the intruder is no further ahead. There is nothing to distinguish one port from another. No new information is gained."
>
> What??? Is this supposed to be an idiot-security-manager-proof measure? At the expense of performance (has to)?
> Or did I just miss the point here?

You missed the point, completely. The reason the Milkyway Firewall keeps all its ports listening is to confuse port scanners. When a user performs a scan, they find *all* ports listening and therefore have no easily definable targets. It also rings bells for the Firewall Admin so he/she can see he/she is being scanned. It's not a panacea, nor is it a poor idea. Honeypots and fake services are an important part of any perimeter system IMO. The longer you keep a would-be intruder poking the more of a chance you stand of noticing the activity.

In fact, we wrote a similar utility at our company just for kicks to see what we would get. The service is a fake portmapper which returns a number of fake services. Any requests to the portmapper or to the services are packet logged. We manage to log 3 or 4 people a week door knocking, handy stuff really.
rpcinfo -p silence.secnet.com

/*************************************************************************
Alfred Huger                   Phone: 403.262.9211
Secure Networks Inc.           Fax: 403.262.9221
**************************************************************************/

From owner-firewalls-list Thu Oct 2 05:59:39 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA23052; Thu, 2 Oct 1997 02:03:18 -0700 (PDT) Received: from smtp.gte.net (smtp.gte.net [207.115.153.29]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id CAA23022 for ; Thu, 2 Oct 1997 02:03:04 -0700 (PDT) Received: from pc (1Cust122.max5.philadelphia.pa.ms.uu.net [153.35.149.122]) by smtp.gte.net (SMI-8.6/SMI-SVR4) with SMTP id EAA28430 for ; Thu, 2 Oct 1997 04:03:48 -0500 (CDT) Received: by localhost with Microsoft MAPI; Thu, 2 Oct 1997 05:03:29 -0400 Message-ID: <01BCCEF0.85D2F840.khearn@gte.net> From: khearn Reply-To: "khearn@gte.net" To: "Firewalls (E-mail)" Subject: what ports to pass for exchange/outlook Date: Thu, 2 Oct 1997 05:03:28 -0400 X-Mailer: Microsoft Internet E-mail/MAPI - 8.0.0.4211 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Does anyone know what ports I need to leave open for Microsoft Exchange and Outlook so that Internet access to the Exchange server is possible?
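Alfred's fake portmapper and the Milkyway "all ports accept" feature both come down to the same operational step: log every unsolicited connection and notice when one source walks across many ports. The following is an added example, not code from the list, Secure Networks or Milkyway; it runs a per-source sliding-window check over a constructed log format (the timestamps, addresses and the `deny`/`decoy`/`allow` action words are assumptions for the example, not any real firewall's format).

```python
"""Flag sources that probe many distinct ports within a short window.

Added example for the Milkyway / fake-portmapper discussion; not code from
the firewalls list, Secure Networks or Milkyway.  The log format and all
addresses below are constructed for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed log line format:
#   <ISO timestamp> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <action>
# where <action> is 'allow' (real service), 'deny' (no listener) or
# 'decoy' (a fake listener of the kind Alfred describes).
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<action>\w+)$"
)

# Only hits on ports nobody legitimately serves count as door-knocking.
PROBE_ACTIONS = ("deny", "decoy")


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dport": int(m["dport"]),
        "action": m["action"],
    }


def find_scanners(lines, threshold=10, window=timedelta(seconds=60)):
    """Return {src: (window_start, distinct_ports)} for every source that
    touched at least `threshold` distinct destination ports within `window`.

    A per-source deque holds (timestamp, port) for the current window; old
    entries are dropped from the front, so a slow prober that spaces hits
    far apart never accumulates enough distinct ports to trip the alert.
    Lines must be in time order per source, which firewall logs are.
    """
    events = defaultdict(deque)
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["action"] not in PROBE_ACTIONS:
            continue
        q = events[ev["src"]]
        q.append((ev["ts"], ev["dport"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        ports = {port for _, port in q}
        if len(ports) >= threshold and ev["src"] not in alerts:
            alerts[ev["src"]] = (q[0][0], len(ports))
    return alerts


def sample_log():
    """Constructed log: one fast scanner, one legitimate mail client,
    one slow prober that stays under the threshold."""
    base = datetime(1997, 10, 2, 9, 52, 0)
    lines = []
    # 192.0.2.10 (constructed) hits 20 decoy ports, one per second.
    for i in range(20):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} tcp 192.0.2.10:4{i:04d} -> 198.51.100.5:{21 + i} decoy")
    # 198.51.100.7 (constructed) talks to the real SMTP port repeatedly.
    for i in range(15):
        ts = (base + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{ts} tcp 198.51.100.7:5{i:04d} -> 198.51.100.5:25 allow")
    # 203.0.113.9 (constructed) probes 5 ports five minutes apart.
    for i in range(5):
        ts = (base + timedelta(minutes=5 * i)).isoformat()
        lines.append(f"{ts} tcp 203.0.113.9:6{i:04d} -> 198.51.100.5:{100 + i} deny")
    return lines


if __name__ == "__main__":
    for src, (start, count) in find_scanners(sample_log()).items():
        print(f"{src}: {count} distinct ports probed within 60s of {start}")
```

Only the fast scanner is reported; the legitimate client never touches a denied or decoy port, and the slow prober's hits fall out of the window before they add up.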
From owner-firewalls-list Thu Oct 2 06:07:57 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id AAA05060; Thu, 2 Oct 1997 00:06:49 -0700 (PDT) Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-970824-1) id AAA05038 for firewalls@greatcircle.com; Thu, 2 Oct 1997 00:06:44 -0700 (PDT) Received: from dubai.dubai.ingr.com (dubai.dubai.ingr.com [148.53.185.2]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id RAA14211 for ; Tue, 30 Sep 1997 17:59:20 -0700 (PDT) Received: by dubai.dubai.ingr.com (5.65c/1.920109) id AA08106; Wed, 1 Oct 1997 05:02:23 +0400 Received: from dammam.ingr.com by riyadh.riyadh.ingr.com (5.65c/1.920109) id AA23121; Wed, 1 Oct 1997 02:10:27 -0600 Received: from mailserv.dammam.ingr.com (mailserv) by dammam.dammam.ingr.com (5.65c/1.920109) id AA19456; Tue, 30 Sep 1997 16:56:45 +0300 Received: by mailserv.dammam.ingr.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BCCDC1.DE230330@mailserv.dammam.ingr.com>; Tue, 30 Sep 1997 16:56:59 +0300 Message-Id: From: "Boac, Lito" To: "'Firewalls@GreatCircle.COM'" Subject: Software for testing a firewall Date: Tue, 30 Sep 1997 16:56:54 +0300 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Is there any public-domain software for Windows NT that can be used to test for security holes on a firewall? I'm currently evaluating several firewalls but I don't have the necessary tools of the trade to do some in-depth testing. Please reply directly as I don't subscribe to firewalls.

Thanks.

Joselito V.
Boac
jvboac@dammam.ingr.com

From owner-firewalls-list Thu Oct 2 06:29:59 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA03038; Wed, 1 Oct 1997 23:57:01 -0700 (PDT) Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-970824-1) id XAA03026 for firewalls@greatcircle.com; Wed, 1 Oct 1997 23:56:58 -0700 (PDT) Received: from THOR.INNOSOFT.COM (THOR.INNOSOFT.COM [192.160.253.66]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id CAA20898 for ; Sun, 28 Sep 1997 02:05:46 -0700 (PDT) Received: from INNOSOFT.COM by INNOSOFT.COM (PMDF V5.1-10 #8694) id <01IO3SK6E5BK94GI1L@INNOSOFT.COM> for firewalls@GreatCircle.COM; Sun, 28 Sep 1997 02:05:02 PDT Date: Sun, 28 Sep 1997 00:15:00 -0700 (PDT) From: Ned Freed Subject: RE: SMTP VRFY (was: Microsoft vs The world) In-reply-to: "Your message dated Sun, 28 Sep 1997 01:56:54 -0400" <61B80F9FF411D1118DEF0000E8D5C6670439C9@ns.ntadvice.com> To: Russ Cc: "'Ned Freed'" , firewalls@GreatCircle.COM Message-id: <01IO5QU4BGUE94GI1L@INNOSOFT.COM> MIME-version: 1.0 Content-type: text/plain; CHARSET=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> First of all, let me remind you that RFC1123 specifically denotes rules
> for INTERNET servers, not SMTP servers in general. It does state that
> servers that are not exposed to the Internet may have their own rules.
> An implementation of SMTP does not then *have* to conform to RFC1123,
> but must if used on the Internet (or is highly recommended by RFC1123).
> So leaving this fact out was, IMO, significantly attempting to leverage
> the quoted section of RFC1123 to support your argument rather than truly
> attempting to describe a standard. Such "tactics" should not be used
> when quoting RFC's, again, IMO.
First of all, as a long-time active participant in the development of IETF standards, I hardly need to be reminded that standards-track RFCs specify standards for the Internet and that such RFCs do not necessarily apply to non-Internet situations. But I was talking specifically about the Internet and nothing else. In fact the very first thing I said in this discussion was:

    Unfortunately almost all of this is wrong insofar as current Internet standards are concerned.

I also changed the subject line of my response to make it clear I was moving the discussion away from Microsoft's compliance or non-compliance and instead trying to clarify some incorrect assertions that had been made about what the standards do or do not require for operation on the Internet. The former is not relevant to this list in my opinion but the latter concerns me greatly, because I often see incorrect reading of the standards leading to non-interoperable behavior on the part of firewalls attached to the Internet.

In other words, your argument here appears to be directed at a strawman of your own creation rather than anything I said.

But even so, there is one assertion you make that I have to refute. The IETF develops standards for the Internet. And there is only one such standard as far as the IETF is concerned for SMTP, and it is the one specified by an entire family of documents -- RFC821, RFC1123, and so on. This collection even has a name: It is called STD10. (Unfortunately the IETF doesn't have a very good way of defining STDs, and the definition given for STD 10 doesn't include the relevant sections of RFC1123. I am going to see if I can't get this corrected.)

But if you're not on the Internet and choose not to follow Internet rules you can do whatever you wish. The IETF doesn't make standards for use anywhere but on the Internet.
As such, this notion that there's some sort of distinction between standards that apply to the Internet only and standards that have some sort of broader applicability is entirely specious. This concept doesn't exist in the standards-making process for the simple reason that the IETF isn't concerned with making standards for things other than the Internet.

This doesn't mean that intranets (or whatever you call non-Internet setups) can't follow Internet standards. They can if they want to. Or they can ignore them all. Or they can reject some and keep others -- conforming to RFC821 but not RFC1123 is one such combination, but there are of course many others. Anything is permissible on the intranet; the IETF just doesn't care (assuming of course that you can get vendors to build the stuff for you).

> Microsoft initially released Exchange 4.0 stating support for
> RFC821/822. They did not claim to be RFC1123 compliant, so their quote
> in KB article Q155684 was, and is, still correct.

You're trotting out another strawman here. I never said a single, solitary word about what Microsoft claimed to support. I neither know nor care what KB article Q155684 is, and I certainly didn't mention any such thing in any of my messages.

> RFC1123 doesn't supersede RFC821 when the system is used off of the Internet.

Nor does RFC821 supersede RFC788 in such a context. Or RFC788 and RFC780. Nothing can supersede anything in a place where the very notion of supersession isn't defined.

> In any event, VRFY was implemented according to RFC1123 in SP3, released
> in October of 1996.
> I verified this against an Exchange 4.0 server
> tonight, receiving the following exchange;
>
> 220 xxxxxx.xxxxxx.xx Microsoft Exchange Internet Mail Connector
> 4.0.995.52
> ready
> 214-Commands:
> 214- HELO MAIL RCPT DATA RSET
> 214- NOOP QUIT HELP VRFY EXPN
> 214 End of HELP info
> helo fred
> 250 OK
> vrfy Russ.Cooper@rc.on.ca
> 252 Cannot verify user
>
> The IMC version listed is consistent with the SP3 time-frame.

I fail to see what this has to do with any of the points I was trying to make. My only reference to Microsoft in my original message was in a small parenthetical note near the end -- and one which I've already stated was in error. I also speculated subsequently that it might have been 4.0 I had seen anomalous behavior in. It now seems that this speculation was also incorrect. I have been playing around with Exchange ever since the first betas came out and it is entirely possible I saw this in something even earlier. However, if it will make you feel better I will withdraw any assertion I have made as to Exchange ever having produced an incorrect 5xx response at some point.

> Internet Mail Connector had a number of limitations in its initial
> release, but it did not have the focus that came about during the
> balance of 1996. In addition, the issue of whether or not VRFY or EXPN
> should be implemented *still* has not been resolved.

Actually I believe it has been resolved as part of the DRUMS work.

> You yourself admit
> that it shouldn't be there, yet condemn someone else for making a
> similar call.

Not one more strawman but two... I have yet to condemn any implementation as part of this discussion. The closest I have come is to gripe about the general lack of support for EHLO in most firewall implementations. I have tried to discuss what the standards require implementations on the Internet to do and I have tried to discuss what various specific implementations do, but this is light years away from condemning anything.
Nor have I said that support for VRFY should not be there. I did say that I think it is dumb for an SMTP client to use VRFY, but that's not the same thing.

> Clearly there are many issues in RFC1123 that are
> "controversial", and many implementations of various services that do
> not conform to their suggested practices. It could be considered yet
> another example of how RFC compliance is not always the best thing to
> do.

Actually I would disagree that there are many issues in RFC1123 that are all that controversial. VRFY, in particular, seems to me to be one which is handled reasonably well -- it is possible for a SMTP server implementation to adhere to both the letter and intent of the specifications, interoperate properly with all conformant clients out there, and provide complete security.

> Besides, being over 8 years old, its continued "life" is more a
> testament to the number of legacy systems than to its continued value as
> a BCP.

RFC1123 is a full Internet standard. It is not a BCP. (The very concept of BCP didn't exist at the time RFC1123 was written.) And while it might be true that some parts of RFC1123 would probably end up with BCP status if it were reissued now, the discussion of VRFY in RFC1123 isn't such a part. This is demonstrated by the fact that DRUMS is incorporating this part of RFC1123 into a document that will become a proposed standard (PS), not a BCP.

> Robert Braden states in the document that it will be updated to
> reflect the evolution of the stated services, yet this clearly has not
> been done in the last 8 years. In fact, I would go so far as to say that
> RFC1123 has virtually become redundant based on the plethora of RFCs
> covering the various services themselves.

This is certainly true in many cases but does not generalize to all cases. There are many parts of RFC1123 that have not been superseded in other service-specific documents.
Thankfully once DRUMS is done we will have superseded all the parts specific to email, and once that happens we'll have a much leaner and cleaner set of specifications for messaging. I for one am not happy it has taken so long to clean up the specifications for email, but given that I have donated lots of my own time and the company I work for, Innosoft, has donated not only some of my time but the time of other employees (e.g. Chris Newman, the DRUMS chair, works for Innosoft) to email standards work, it isn't something I feel at all guilty about. Like it or not, standards work takes time, and it especially takes time to get consensus when revisions to a service as important as email are being considered.

> Today, it is far more likely you'll receive a 252 from an SMTP server in
> response to a valid query than not, thereby showing that this
> "requirement" of RFC1123 has not been updated to reflect today's
> Internet usage and the choices made by administrators.

This does not make any sense at all. Far from banning the 252 response, it is RFC1123 that introduced this response. An implementation in strict compliance with RFC821 cannot issue a 252 response to VRFY.

> In fact, VRFY is not "turned on" by default in Exchange Server to this
> date, for this very reason. You now get a 252 regardless of whether or
> not the user account exists on the server, can be found by the server,
> or is unknown to the server. There is an option to enable it, but in my
> opinion it's there simply to satisfy those environments that must have it
> turned on for "questionable" reasons (i.e. the French DNS authority).

It sounds like Exchange is doing exactly the right thing then.

> Nevertheless, you should have verified your facts before you went to
> such lengths to prove your point (only to find that it's not been an
> issue for almost a year now).

Russ, you seem to have an agenda here that requires that you take offense where not only was none intended, none was even offered.
And this agenda is leading you to claim that I'm being intentionally misleading in trying to carry over Internet requirements to non-Internet venues, that I'm incorrectly asserting that Microsoft's claims in some publication are incorrect, and so on. But I'm doing none of these things, and frankly it irks me more than a little when you claim that I am. And for various personal reasons I really try to avoid these sorts of confrontational situations whenever possible.

So here's the deal. If you want to calm down and discuss the various technical issues here, either online if they relate to firewalls, or offline if they don't (I think enough of the messages on this list are off-topic without contributing a whole mess of SMTP nuance discussion to the collection), rationally and without all the accusatory hyperbole, I'll be happy to continue this discussion with you or anyone else who is interested. (I've already learned some very interesting things in both online and offline followups.) And if not, well, this discussion with you is over as far as I'm concerned.

Ned

From owner-firewalls-list Thu Oct 2 07:00:00 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA06969; Thu, 2 Oct 1997 06:33:08 -0700 (PDT) Received: from balch.com (mail.balch.com [205.241.1.36]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id GAA06940 for ; Thu, 2 Oct 1997 06:32:57 -0700 (PDT) Received: from BALCHBHM-Message_Server by balch.com with Novell_GroupWise; Thu, 02 Oct 1997 08:35:41 -0600 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Thu, 02 Oct 1997 08:35:19 -0600 From: BILL LOWRY Reply-To: blowry@balch.com To: Firewalls@GreatCircle.COM Subject: Firewalls-Digest V6 #473 -Reply Mime-Version: 1.0 Content-Type: text/plain Content-Disposition: inline Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I'm sorry, I'll be in class this week. If you need immediate attention, please contact Eric Hunter.
Thanks,
WRL

From owner-firewalls-list Thu Oct 2 07:14:32 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA09596; Thu, 2 Oct 1997 06:48:32 -0700 (PDT) Received: from shell.mpsi.net (shell.mpsi.net [207.238.102.24]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id GAA02686 for ; Thu, 2 Oct 1997 06:11:41 -0700 (PDT) Received: from localhost (alewis@localhost) by shell.mpsi.net (8.8.6/8.8.6.Beta3) with SMTP id NAA22421 for ; Thu, 2 Oct 1997 13:12:35 GMT Date: Thu, 2 Oct 1997 08:12:35 -0500 (CDT) From: Andy Lewis To: firewalls@GreatCircle.COM Subject: Fire Wall Checklist? Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hello all. I am new to this list and also new to firewalls as well as IPFWADM. Our network is running all Intel 166-200 machines with Linux 2.0.x. I am interested in setting up a machine to act as a firewall for the complete network.

Question one: Is there a good source of documentation for beginners using IPFWADM?

Question two: Are there any sites that provide online information and documentation for such a project? Something that may provide a detailed checklist?

Thanks in advance.
Andy

From owner-firewalls-list Thu Oct 2 07:16:30 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA25825; Thu, 2 Oct 1997 05:39:03 -0700 (PDT) Received: from insync.net (vellocet.insync.net [204.253.208.10]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id FAA25781 for ; Thu, 2 Oct 1997 05:38:50 -0700 (PDT) Received: from houinet1.hou.moc.com (houinet1.hou.moc.com [192.70.218.1]) by insync.net (8.8.7/8.7.1) with ESMTP id HAA10969; Thu, 2 Oct 1997 07:39:44 -0500 (CDT) Received: from fdyp62120 ([89.2.21.94]) by houinet1.hou.moc.com (8.8.4/8.8.4) with SMTP id HAA05731; Thu, 2 Oct 1997 07:39:12 -0500 (CDT) Message-Id: <3.0.3.32.19971002083222.00960a90@houinet.hst.moc.com> X-Sender: zawodny@houinet.hst.moc.com X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Thu, 02 Oct 1997 08:32:22 -0400 To: "Zilber, Alexey" , "'firewalls@greatcircle.com'" , "'jkerr2@csc.com'" From: "Jeremy D. Zawodny" Subject: RE: Downfalls of Proxy Server? In-Reply-To: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

At 12:19 PM 10/1/97 -0400, Zilber, Alexey wrote:
> That is exactly how we have it set up. It seems to be working fine,
>and it's mostly transparent to the users. No need for them to clamor at the
>helpdesk with questions on proxy configurations...

We're thinking of trying a similar implementation. A few questions for those who've already done this:

What have you seen in terms of performance?
How many users do you have?
How big is your pipe to the 'net?
Is the proxy running on a box dedicated to just that?
What sort of HD, RAM, and CPU setup is on the proxy?

Any info would be greatly appreciated...

Thanks,

Jeremy
--
Jeremy Zawodny
Internet Technology Group
Information Technology Services
Marathon Oil Company, Findlay Ohio
http://www.marathon.com/
Unless explicitly stated, these are my opinions only--not those of my employer.
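The VRFY exchange between Ned Freed and Russ above turns on one detail: a server in strict RFC 821 compliance must answer VRFY with 250 or 550 and thereby reveals whether the mailbox exists, whereas RFC 1123 introduced the 252 reply that Russ's captured Exchange session shows. The following added example, not code from Exchange, Innosoft or the list, puts the two policies side by side in a minimal command responder; the host name, the mailbox table and the reply wording are constructed for the example.

```python
"""Two VRFY reply policies for an SMTP server, as discussed in the
Ned Freed / Russ exchange.  Added example; not code from Exchange,
Innosoft or the firewalls list.  Host name, mailbox table and reply
texts are constructed for this example."""

HOSTNAME = "mail.example.com"              # constructed
MAILBOXES = {"russ.cooper", "postmaster"}  # constructed local users


def vrfy_rfc821(local_part):
    """Strict RFC 821 behaviour: the reply is driven by the mailbox table,
    so a caller learns whether the account exists (250 vs 550)."""
    if local_part.lower() in MAILBOXES:
        return f"250 <{local_part}@{HOSTNAME}>"
    return "550 String does not match anything"


def vrfy_rfc1123(local_part):
    """RFC 1123 behaviour: 252 regardless of whether the mailbox exists
    (the server will accept mail for it and attempt delivery), which is
    what Russ's Exchange session shows.  Nothing about the account
    directory is disclosed and conformant clients still interoperate."""
    return "252 Cannot verify user"


class SmtpResponder:
    """Tiny command dispatcher covering the verbs in the captured session.
    Only the VRFY/EXPN policy is pluggable; everything else is fixed."""

    HELP = ("214-Commands:\r\n"
            "214- HELO MAIL RCPT DATA RSET\r\n"
            "214- NOOP QUIT HELP VRFY EXPN\r\n"
            "214 End of HELP info")

    def __init__(self, vrfy_policy):
        self.vrfy_policy = vrfy_policy

    def greeting(self):
        return f"220 {HOSTNAME} ready"

    def handle(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        arg = arg.strip()
        if verb in ("HELO", "EHLO"):
            # EHLO is the extended greeting Ned notes many firewalls lack.
            return "250 OK" if verb == "HELO" else f"250 {HOSTNAME}"
        if verb == "HELP":
            return self.HELP
        if verb == "NOOP":
            return "250 OK"
        if verb == "QUIT":
            return f"221 {HOSTNAME} closing connection"
        if verb in ("VRFY", "EXPN"):
            if not arg:
                return "501 Syntax error in parameters or arguments"
            # Accept "user", "user@host" or "<user@host>"; verify the local part.
            local_part = arg.strip("<>").split("@", 1)[0]
            return self.vrfy_policy(local_part)
        return "500 Command unrecognized"


def run_session(commands, vrfy_policy):
    """Feed a list of client command lines through one responder and
    return the server replies in order."""
    server = SmtpResponder(vrfy_policy)
    return [server.handle(cmd) for cmd in commands]


if __name__ == "__main__":
    # The client side of the session Russ captured, replayed against each policy.
    session = ["helo fred", "vrfy Russ.Cooper@rc.on.ca", "vrfy nobody", "quit"]
    for name, policy in (("RFC 821", vrfy_rfc821), ("RFC 1123", vrfy_rfc1123)):
        print(name)
        for cmd, reply in zip(session, run_session(session, policy)):
            print(f"  C: {cmd}\n  S: {reply}")
```

With the RFC 821 policy the two VRFY lines answer 250 and 550, so a caller can tell a real mailbox from a guess; with the RFC 1123 policy both answer 252 and the server still accepts the mail.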
From owner-firewalls-list Thu Oct 2 09:01:27 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA22391; Thu, 2 Oct 1997 07:49:24 -0700 (PDT) Received: from shell.firehouse.net (shell.firehouse.net [209.42.203.45]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id GAA10084 for ; Thu, 2 Oct 1997 06:51:39 -0700 (PDT) Received: from localhost (brian@localhost) by shell.firehouse.net (8.8.5/8.8.5) with SMTP id JAA27964; Thu, 2 Oct 1997 09:52:06 -0400 (EDT) Date: Thu, 2 Oct 1997 09:52:03 -0400 (EDT) From: Brian Mitchell To: manuel.ricca@pararede.pt cc: huger@silence.secnet.com, firewalls@GreatCircle.COM Subject: RE: Re: Milkyway SecurIT - what for? In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On 2 Oct 1997 manuel.ricca@pararede.pt wrote:
>
> My point was that a firewall shouldn't have many inbound ports open anyway. The ones that are open
> are probably either going to the DMZ (for example HTTP) or stopping at the firewall itself (for example SMTP).
> In practice, you will only have well-known services running on well-known ports, so you can expect well-known
> attacks for which you will have well-known defence. So, the method Milkyway is using would apply only
> if the firewall had other services running at other ports, which is definitely not a good security policy altogether,
> and that's what I meant in the previous mail.
> What they are saying is that if you have a hole in your firewall it will be harder for the attacker to find it.
> I still think the hole shouldn't be there to start with.
> Besides, what they are doing can be done with any other firewall anyway (you can define ACL's for all the
> ports if you want). But it can be avoided as well.
>

No, the point is: You want to see who is knocking on your door. You give them lots of services to play with to keep them knocking.
I really advise you to read Firewalls and Internet Security: Repelling the Wily Hacker (Cheswick and Bellovin); it goes into great detail about this sort of thing.

From owner-firewalls-list Thu Oct 2 09:05:58 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA22659; Thu, 2 Oct 1997 05:17:47 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id EAA18424 for ; Thu, 2 Oct 1997 04:50:56 -0700 (PDT) Received: from transfer.usit.net by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id EAA00533; Thu, 2 Oct 1997 04:45:37 -0700 (PDT) Received: from dqisystems.com ([199.1.59.2] (may be forged)) by transfer.usit.net (8.8.6/8.8.5) with ESMTP id HAA29662; Thu, 2 Oct 1997 07:51:10 -0400 (EDT) Received: from gcollins.dqisystems.com ([172.16.128.100]) by dqisystems.com (8.8.5/8.6.12) with SMTP id HAA14741; Thu, 2 Oct 1997 07:38:26 -0400 Message-Id: <199710021138.HAA14741@dqisystems.com> Reply-To: "Greg Collins" X-Mailer: Microsoft Outlook Express 4.71.0544.0 From: "Greg Collins" To: "Anna Grieve" , "'firewalls@GreatCircle.COM'" , "Eric Vyncke" Subject: Re: Does Winframe need a firewall? Date: Thu, 2 Oct 1997 07:37:44 -0400 X-Priority: 3 X-MSMail-Priority: Normal MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-MimeOLE: Produced By Microsoft MimeOLE Engine V4.71.0544.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>With your design, if the Winframe server is cracked (the firewall
>does not add a lot of further security except if you are using
>some authentication on the firewall), then the cracker has a much
>broader access to your NT network inside.
>
>Of course, the alternate design may be unsafe IFF your secrets
>(e.g. files, ...) are stored ON the Winframe server
>
>Any comments ?
>
>-eric
>
>Eric Vyncke
>Technical Consultant Cisco Systems Belgium SA/NV
>Phone: +32-2-778.4677 Fax: +32-2-778.4300
>E-mail: evyncke@cisco.com Mobile: +32-75-312.458
>

Citrix does have an Internet security pack available for Winframes connected to the Internet. The primary problem I see is that if your users are not using strong passwords the system is at risk. Once NT security has been bypassed/cracked the attacker would have access to, at a minimum, everything a user does. Worst case, an NT based "sniffer" could be loaded and the internal LAN traffic "sniffed", or a direct attack could be made on internal resources.

Greg Collins
Data Quest Information Systems
gcollins@dqisystems.com

"I have but one thing which cannot be taken from me, and that is my integrity. It I must give up of my own will."

From owner-firewalls-list Thu Oct 2 09:14:54 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA23045; Thu, 2 Oct 1997 07:52:46 -0700 (PDT) Received: from hirame.wwa.com (hirame.wwa.com [198.49.174.10]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id HAA23000 for ; Thu, 2 Oct 1997 07:52:34 -0700 (PDT) Received: from wwa.com [207.241.63.182] by hirame.wwa.com with esmtp (Smail3.1.29.WWA) id m0xGmae-000VuyC@hirame.wwa.com; Thu, 2 Oct 1997 09:51:28 -0500 (CDT) Message-ID: <3433B60C.2EE4626B@wwa.com> Date: Thu, 02 Oct 1997 09:56:12 -0500 From: Richard Dodson Organization: InterPRO Solutions, Ltd.
X-Mailer: Mozilla 4.03 [en] (WinNT; I) MIME-Version: 1.0 To: Firewalls@GreatCircle.COM CC: Jan Zeilinga Subject: Re: Firewalls on NT Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Start at http://www.microsoft.com/ntserver/info/security.htm
in particular http://www.microsoft.com/ntserver/info/secure_NTinstall.htm

+ Get the WindowsNT Server Resource Kit ($US150); it has a CD ROM with utilities you'll probably be interested in.

I also referenced
http://www.ntsecurity.com/A2NT/default.htm
http://www.byte.com/art/9702/sec10/art1.htm
http://www.winntmag.com/issues/Oct96/confront.html

> Against my better judgment the customer wants NT to be the
> be the OS for the firewall (check point 3.0b as the firewall)

I sympathize. I recently had to do the same (hence the research). Please let me know if you find anything I missed.

All the best,
--
Richard Dodson ___________________________________________s k y___
richard@interpro-solutions.com ___________________t h e___
http://www.interpro-solutions.com/ ___t o u c h___

From owner-firewalls-list Thu Oct 2 09:30:31 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA14628; Thu, 2 Oct 1997 07:06:52 -0700 (PDT) Received: from penguin.wise.edt.ericsson.se (penguin-ext.wise.edt.ericsson.se [194.237.142.5]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id HAA14417 for ; Thu, 2 Oct 1997 07:06:00 -0700 (PDT) Received: from geek.nmac.ericsson.se (geek.nmac.ericsson.se [130.100.187.83]) by penguin.wise.edt.ericsson.se (8.7.5/8.7.3/glacier-1.12) with ESMTP id QAA07897 for ; Thu, 2 Oct 1997 16:04:52 +0200 (MET DST) Received: from haig.oplab.nmac.ericsson.se (haig.oplab.nmac.ericsson.se [130.100.187.85]) by geek.nmac.ericsson.se (8.8.5/8.8.5) with ESMTP id QAA07773 for ; Thu, 2 Oct 1997 16:06:44 +0200 Received: by haig.oplab.nmac.ericsson.se with Internet Mail Service (5.0.1457.3) id ; Thu, 2 Oct 1997
16:07:16 +0200 Message-ID: <43BED8177D10D011A69A0800092C15D70BBA64@haig.oplab.nmac.ericsson.se> From: Robert Ståhlbrand To: "'khearn@gte.net'" Cc: "'firewalls@greatcircle.com'" Subject: RE: what ports to pass for exchange/outlook Date: Thu, 2 Oct 1997 16:07:13 +0200 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1457.3) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Ehh... you mean mail to your Exchange server??? Port 25, SMTP, of course! No matter what mail server (sendmail, Exchange....) you run.

Outlook? Will users on the Internet read mail through your firewall?? Not very likely, is it? Then Outlook has nothing to do with this.

/Robert Stahlbrand

> -----Original Message-----
> From: khearn [SMTP:khearn@gte.net]
> Sent: den 2 oktober 1997 11:03
> To: Firewalls (E-mail)
> Subject: what ports to pass for exchange/outlook
>
> does anyone know what ports I need to leave open for Microsoft
> Exchange and
> Outlook so the Internet access to the exchange server is possible?

From owner-firewalls-list Thu Oct 2 09:37:19 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA03127; Thu, 2 Oct 1997 08:41:20 -0700 (PDT) Received: from public.cq.sc.cn (public.cq.cq.cn [202.98.32.111]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id IAA03058 for ; Thu, 2 Oct 1997 08:41:00 -0700 (PDT) Received: from kh2 (ppp38.cq.sc.cn [202.98.33.38]) by public.cq.sc.cn (SMI-8.6/8.6.11) with ESMTP id XAA09624 for ; Thu, 2 Oct 1997 23:41:54 +0800 Message-ID: <32528D2F.1DEC0EC@public.cq.sc.cn> Date: Wed, 02 Oct 1996 23:41:35 +0800 From: "HuangMin(Tunny)" X-Mailer: Mozilla 4.01 [en] (WinNT; I) MIME-Version: 1.0 To: firewalls@GreatCircle.COM Subject: Any suggestions?
X-Priority: 3 (Normal) Content-Type: text/plain; charset=gb2312 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hello, sir,

I'm using a FreeBSD 2.2.2 system, and now I'd like to install a firewall on it. Do you have any suggestions? Which firewall system is the most powerful now?

Huang Min

From owner-firewalls-list Thu Oct 2 10:29:27 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA07324; Thu, 2 Oct 1997 09:15:18 -0700 (PDT) Received: from gatewayb.anheuser-busch.com (gatewayb.anheuser-busch.com [151.145.250.253]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id JAA07263 for ; Thu, 2 Oct 1997 09:14:54 -0700 (PDT) Received: by gatewayb.anheuser-busch.com; id LAA15936; Thu, 2 Oct 1997 11:14:35 -0500 Message-Id: <199710021614.LAA15936@gatewayb.anheuser-busch.com> Received: from stlabcexg002.anheuser-busch.com(151.145.101.152) by gatewayb.anheuser-busch.com via smap (3.2) id xma015621; Thu, 2 Oct 97 11:14:02 -0500 Received: by STLABCEXG002 with Internet Mail Service (5.0.1458.49) id <4DP15726>; Thu, 2 Oct 1997 11:17:44 -0500 From: "Davidson, Grover" To: firewalls@GreatCircle.COM Subject: SAP Gateway Date: Thu, 2 Oct 1997 11:05:00 -0500 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.49) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi all!

Does anyone here know anything about the SAP Internet gateway?
Thanks,
Grover

From owner-firewalls-list Thu Oct 2 11:00:13 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA05767; Thu, 2 Oct 1997 09:03:37 -0700 (PDT) Received: from internet.milkyway.com (milkyway.com [198.53.167.2]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id JAA05760 for ; Thu, 2 Oct 1997 09:03:31 -0700 (PDT) Received: by gateway id LAA18298; Thu, 2 Oct 1997 11:57:21 -0400 Message-Id: <2.2.32.19971002155838.0098e290@jupiter.milkyway.com> X-Sender: hungvu@jupiter.milkyway.com X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Thu, 02 Oct 1997 11:58:38 -0400 To: firewalls@GreatCircle.COM From: Hung Vu Subject: Re: Milkyway SecurIT - what for? Cc: huger@silence.secnet.com, manuel.ricca@pararede.pt Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>Date: 02 Oct 97 11:27:49 +0000
>From: manuel.ricca@pararede.pt
>Subject: RE: Re: Milkyway SecurIT - what for?
>
>My point was that a firewall shouldn't have many inbound ports open anyway. The ones that are open
>are probably either going to the DMZ (for example HTTP) or stopping at the firewall itself (for example SMTP).
>In practice, you will only have well-known services running on well-known ports, so you can expect well-known
>attacks for which you will have well-known defence. So, the method Milkyway is using would apply only
>if the firewall had other services running at other ports, which is definitely not a good security policy altogether,
>and that's what I meant in the previous mail.
>What they are saying is that if you have a hole in your firewall it will be harder for the attacker to find it.
>I still think the hole shouldn't be there to start with.
>Besides, what they are doing can be done with any other firewall anyway (you can define ACL's for all the
>ports if you want). But it can be avoided as well.
"All ports accept communication" does not mean you have to have any service serving the port. It's done at the system level (harden kernel for both Unix and NT) to confuse the inruder and to log all the invalid requests through the firewall. Would you rather have firewall that can tell you that it is under attacked or the ones that simply doesn't know? We simply offer an easy to use feature enabling our user to monitor and log all accesses through the firewall without having to configure ACL 64K times. This feature can be turned off if the user do not want it. BTW, the worst attacks are the not-so-well-known ones ;-) Hung. From owner-firewalls-list Thu Oct 2 14:17:18 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA01639; Thu, 2 Oct 1997 12:07:59 -0700 (PDT) Received: from mole.aleph.com.br (mole.aleph.com.br [200.246.9.131]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id MAA01524 for ; Thu, 2 Oct 1997 12:07:32 -0700 (PDT) Received: from mole (mole [200.246.9.131]) by mole.aleph.com.br (8.8.5/8.8.5) with SMTP id QAA20516; Thu, 2 Oct 1997 16:11:30 -0300 (EST) Date: Thu, 2 Oct 1997 16:11:30 -0300 (EST) From: Hugo Leonardo Wolff Souza X-Sender: hugo@mole To: Andy Lewis cc: firewalls@GreatCircle.COM Subject: Re: Fire Wall Checklist? In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Try this page: http://sunsite.unc.edu/LDP/HOWTO/Firewall-HOWTO.html Hugo On Thu, 2 Oct 1997, Andy Lewis wrote: > Hello all. I am new to this list and also new to firewalls > as well as IPFWADM. > Our network is running all Intels 166-200 with Linux 2.0.x. > I am interested in setting up a machine to act as a firewall > for the complete network. > Question one: Is there a good source of documentation for > beginners using IPFWADM? > Question two: Are there any sites that provide online > information and documentation for such a project? 
> Something
> that may provide a detailed checklist?
> Thanks in advance.
> Andy

--
# Hugo - hugo@aleph.com.br - Estacao Aleph Internet Link #

From owner-firewalls-list Thu Oct 2 14:28:00 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA02692; Thu, 2 Oct 1997 12:13:46 -0700 (PDT)
Received: from syr.edu (syr.edu [128.230.1.49]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id MAA02579; Thu, 2 Oct 1997 12:13:12 -0700 (PDT)
Received: from pm by syr.edu (8.8.5/CNS) id OAA22945; Thu, 2 Oct 1997 14:56:47 -0400 (EDT)
Message-ID: <3433F274.C6FB1DC6@syr.edu>
Date: Thu, 02 Oct 1997 15:13:56 -0400
From: Peter Morissey
X-Mailer: Mozilla 4.01 [en] (WinNT; I)
MIME-Version: 1.0
To: firewalls@greatcircle.com, firewalls-digest@greatcircle.com
Subject: Protecting Novell Servers
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

What are some good solutions for protecting Novell servers? We have a 100mbps Novell server farm and 10 megabit networks that have individuals that we need to deny access to some of the servers. Is there a TCP Wrapper equivalent for Novell servers? Are there firewall solutions that perform well at 100mbps?

We know we can do this on our Cisco7513, but are afraid that it will have a significant performance hit on the whole router. If Cisco supported Netflow for IPX, this might be a possibility.

The Karlbridge products would probably do what we want, which is to prevent devices on one network from accessing servers on another network. We can't deny access from the whole network because there are usually a few devices that we want to give access to servers on the target network. With the Karlbridge we would have to have one for each of the 10 megabit networks that we are denying access from, and given how difficult it is to manage and configure the Karlbridges, this is not an option.

Pete M.
From owner-firewalls-list Thu Oct 2 14:31:54 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA08933; Thu, 2 Oct 1997 09:24:15 -0700 (PDT)
Received: from pse01.pios.com (PSE01.PIOS.COM [199.33.129.2]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id JAA08532 for ; Thu, 2 Oct 1997 09:22:07 -0700 (PDT)
Received: by pse01.pios.com; (5.65v3.2/1.3/10May95) id AA15786; Thu, 2 Oct 1997 12:22:22 -0400
Received: from vaxa.PIOS.COM (vaxa.PIOS.COM) by gemini.pios.com (PMDF V5.0-6 #18985) id <01IOBXKMO4DC8WZIA6@gemini.pios.com> for firewalls@GreatCircle.com; Thu, 02 Oct 1997 12:22:56 -0400 (EDT)
Received: from ghost (192.168.14.150) by PIOS.PIOS.COM (PMDF V5.0-6 #18984) id <01IOBXITIIKW8Y64ID@PIOS.PIOS.COM> for firewalls@GreatCircle.com; Thu, 02 Oct 1997 12:21:30 -0400 (EDT)
Date: Thu, 02 Oct 1997 09:22:03 -0700
From: Bill Stout
Subject: Re: !NSA, Call for Papers
X-Sender: stoutb@192.168.0.37
To: firewalls@GreatCircle.com
Message-Id: <2.2.32.19971002162203.010c7840@192.168.0.37>
Mime-Version: 1.0
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7BIT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 06:07 PM 9/29/97 -0400, Sick Puppy wrote:
>How do the TIS Gauntlets have to be set up to permit the virtual private
>network? What has to be done to them?

Ports for PPTP
1723/tcp (Session Control)
5678/tcp (Legacy port) - No longer used
GRE (Generic Routing Encapsulation - RFC 1701/1702)

For a Cisco (the IOS keyword is access-group, with a hyphen):

interface serial 0
...
ip access-group 101 in
...
access-list 101 permit gre any host x.x.x.x
access-list 101 permit tcp any host x.x.x.x eq 1723

For a Gauntlet:
Use a generic plug-gw for 1723, then there's that GRE thingie... ?:^?>

>Can the CyberCop, NFR and NSA thingy see inside of our virtual private
>network?

Encrypted links/VPNs are protected from analysis, as long as traffic is still in the VPN where the IDS is watching.
If the network uses switches, the IDS either needs to be connected to a monitoring port on the switch, or has to be connected to each segment off the switch. Just like a packet analyzer. Packet analyzers or IDS systems can see inside cleartext packets, but cannot see inside encrypted packets. You need a different piece of NSA gear for that. Hmm, wait a minute, PPTP has not proven itself yet cryptographically, has it? Your X-33 (Aurora?) Dawgplane _is_ more stealthy if you fly inside pipes. Next project: making stealth pipes. Bill Stout http://www.geocities.com/researchtriangle/3372/ Temp site. From owner-firewalls-list Thu Oct 2 14:32:20 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA26664; Wed, 1 Oct 1997 23:27:58 -0700 (PDT) Received: from garanti1.garanti.com.tr (garanti1.garanti.com [194.54.51.100]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id XAA26485 for ; Wed, 1 Oct 1997 23:27:21 -0700 (PDT) Received: from Mailhub by garanti1.garanti.com.tr id AA25672; Thu, 2 Oct 1997 09:27:38 +0400 Received: from GarantiUser by GarantiMailServer id AA04326; Thu, 2 Oct 1997 09:28:58 +0400 Received: from [10.0.4.106] by manage1.fw.garanti.com.tr (AIX 4.1/UCB 5.64/4.03) id AA09368; Fri, 3 Oct 1997 09:09:39 +0400 Message-Id: <3433BC74.6577@garanti.com.tr> Date: Thu, 02 Oct 1997 08:23:32 -0700 From: Cihan Subasi Reply-To: csubasi@garanti.com.tr Organization: Garanti Ticaret X-Mailer: Mozilla 3.0Gold (Win16; I) Mime-Version: 1.0 To: "Schlueter, Ian" Cc: firewalls-digest@GreatCircle.COM Subject: Re: High Availability between two HPUX 10.20 FW1 machines References: <714D6BA7BBF1D0118A510060B0673BD31D4880@az101-nt-msx2.avnet.com> Content-Type: text/plain; charset=iso-8859-9 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Schlueter, Ian wrote: > > I am attempting to utilize the synchronization capabilities of FW1 ver > 3.0b to implement "high-availability" and I am running into a 
problem.
>
> I have two HPUX C100's configured identically. Installed are a total of
> four network interfaces in each.
>
> Interface 1: to the Internet
> Interface 2: to the intranet
> Interface 3: to the DMZ
> Interface 4: to the "firewall sync network"
>
> The firewall sync network only has the two firewalls on it, I am using a
> non-internet routable "test" range to address that segment. The
> firewalls each have an entry in the /etc/fw/conf/sync.conf file
> pointing to their counterpart.
>
> Here is the problem:
>
> I am continuously seeing a "Got Connection from firewall-1"
> then immediately seeing a "End Connection from firewall-1"
>
> These messages appear simultaneously on both firewall consoles. Logs
> appear to be shared, but state tables only seem to be shared part of the
> time.
>
> Checkpoint suggested that if the two machines system clocks were more
> than 5 seconds out of synchronization that it could cause this problem.
> We set the clocks to the same time, and tested, still no luck. We even
> installed ntp between them and it did not change the results.
>
> Anyone have any ideas?
>
> - - -/ W. Ian Schlueter ian.schlueter@avnet.com
> - - / Project Manager, Global Internet/intranet support
> - -/ Avnet, Inc. Chandler, AZ
> - / (602) 940-5977

We had the same problem and we stopped using the backup firewall; it is said that they will fix this problem very soon....
--
*************************************************************
Cihan Subasi
Garanti Ticaret AS
Istanbul/Turkey
email: csubasi@garanti.com.tr
tel : +902126570404 ext 2422
fax: +902126570473
*************************************************************

From owner-firewalls-list Thu Oct 2 14:34:32 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA18691; Thu, 2 Oct 1997 14:11:00 -0700 (PDT)
Received: from blackhole1.tactik.com (bgs1.tactik.com [206.47.15.2]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id OAA18638 for ; Thu, 2 Oct 1997 14:10:39 -0700 (PDT)
X-Authentication-Warning: ceb.qc.ca: Host [204.101.110.173] claimed to be 6706hvw4p750
Message-ID: <34340DF2.68E@tactik.com>
Date: Thu, 02 Oct 1997 17:11:14 -0400
From: Alex Fournier
Reply-To: afournie@tactik.com
X-Mailer: Mozilla 3.01Gold (WinNT; I)
MIME-Version: 1.0
To: firewalls@greatcircle.com
Subject: RE: what ports to pass for exchange/outlook
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Actually, I have a setup (sorry, customer wants a setup) where the Exchange client would be on the opposite side of the firewall than the Exchange server... So although it's not very likely, what ports would then be used?? (Any NetBIOS over IP need to be travelling across the firewall?? Or what?? What information do the Exchange client and server exchange and how??)

Being a Unix child, I'm just ignorant when it comes to NT and Exchange so any help or pointers would be appreciated.

Robert Ståhlbrand wrote:
>
> Ehh...you mean mail to your exchange-server??? Port 25 SMTP of course!
> No matter what mail-server (sendmail, exchange....) you run.
> Outlook? Will user on internet read mail through your firewall?? Not
> very likely is it? Then Outlook has nothing to do with this.
>
> /Robert Stahlbrand
>
> > -----Original Message-----
> > From: khearn [SMTP:khearn@gte.net]
> > Sent: den 2 oktober 1997 11:03
> > To: Firewalls (E-mail)
> > Subject: what ports to pass for exchange/outlook
> >
> > does anyone know what ports I need to leave open for Microsoft
> > Exchange and
> > Outlook so the Internet access to the exchange server is possible?

--
Alex Fournier
Unix and Network consultant

From owner-firewalls-list Thu Oct 2 14:34:42 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id WAA13035; Wed, 1 Oct 1997 22:27:42 -0700 (PDT)
Received: from hkt005.hkt.net ([205.252.130.220]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id WAA12873 for ; Wed, 1 Oct 1997 22:27:11 -0700 (PDT)
Received: from comexp.hkcg.com ([202.84.208.3]) by hkt005.hkt.net (Netscape Mail Server v2.02) with SMTP id AAA23482 for ; Thu, 2 Oct 1997 13:27:44 +0800
Received: by comexp.hkcg.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BCCF37.2D8ABFF0@comexp.hkcg.com>; Thu, 2 Oct 1997 13:29:15 +0800
Message-ID:
From: "Denis Koo N.C."
To: "'firewalls@GreatCircle.COM'"
Date: Thu, 2 Oct 1997 13:29:14 +0800
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

remove

From owner-firewalls-list Thu Oct 2 16:38:23 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA22478; Thu, 2 Oct 1997 11:10:57 -0700 (PDT)
Received: from ns.csg.stercomm.com ([204.214.3.7]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id LAA22284 for ; Thu, 2 Oct 1997 11:10:09 -0700 (PDT)
From: sarah_mcardle@csg.stercomm.com
Received: ns.csg.stercomm.com id AA14965; Thu, 2 Oct 1997 12:08:36 -0500
Message-Id: <9710028758.AA875812756@csg.stercomm.com>
X-Mailer: ccMail Link to SMTP R6.01.01
Date: Thu, 02 Oct 97 09:26:32 -0600
To:
Subject: Security Seminars
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Just How Safe Is Your Information?

Join us for our free Fall information security seminars in the following cities:

10/14/97 Boston, MA Hyatt Regency Cambridge
10/15/97 New York, NY Sheraton New York
10/16/97 Tyson's Corner, VA Reston Sheraton
10/17/97 Washington, DC Wyndam Bristol
10/21/97 Dallas, TX Westin Galleria
10/22/97 Chicago, IL Sutton Place Chicago
10/23/97 San Francisco, CA Hyatt Fisherman's Wharf
10/24/97 Orange County, CA Hyatt Regency Alicante

You may register by phone 1-888-868-1099, or register online at www.csg.stercomm.com/connect. The seminars will be held from 8:30 am until 12:30 pm. You can enjoy a complimentary continental breakfast while you learn about the next generation in security technologies. You will discover what you need to do to secure your enterprise, and ensure your users' confidentiality of information.

8:30 a.m.
Registration & Continental Breakfast
9:00 - 9:15 Welcome from Sterling Commerce
9:15 - 9:45 Defend Your Enterprise: Security is much more than access control. Identify the multiple levels of security essential to protect your enterprise - authentication, authorization, confidentiality, integrity, administration and management
9:45 - 10:30 Conceal Your Information Part 1: Learn about the benefits of combining Public Key and Roles-Based Cryptography to provide cost effective, scalable, and manageable encryption for thousands of users
10:30 - 10:45 Break
10:45 - 11:15 Conceal Your Information Part 2: Preview a real world encryption implementation
11:15 - 12:00 Fortify Your Network: Discover the benefits of implementing a firewall to provide perimeter protection, user access control, and timely intrusion detection

From owner-firewalls-list Thu Oct 2 19:29:56 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id RAA28540; Thu, 2 Oct 1997 17:48:25 -0700 (PDT)
Received: from relay2.UU.NET (relay2.UU.NET [192.48.96.7]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id RAA23774 for ; Thu, 2 Oct 1997 17:18:52 -0700 (PDT)
Received: from maestro.Maestro.COM by relay2.UU.NET with SMTP (peer crosschecked as: [198.102.66.11]) id QQdjoz25988; Thu, 2 Oct 1997 20:20:14 -0400 (EDT)
Received: from localhost by maestro.Maestro.COM (4.1/MAESTRO-0.1/07-03-93) id AA10792; Thu, 2 Oct 97 20:18:31 EDT
Date: Thu, 2 Oct 1997 20:18:31 -0400 (EDT)
From: Sick Puppy
To: firewalls@GreatCircle.com
Subject: Just wondering - pipeline computer firewalls?
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Not too long ago I had a lot of free time to think about things and I became somewhat familiar with the Galaxy Pipeline Computer (rough translation) developed at Tokyo University. For about $20,000 they built a pipeline computer that models the interactions of thousands of stars within a galaxy with the speed of a Cray supercomputer. The computer only performs one function - that set of calculations.
The instructions are broken down into sets of about 200 instructions and each set is hard coded on a different chip. There are hundreds of chips (processors) and the output of one chip is the direct input of the next. One calculation with blazing speed. It seems to me that firewalls are not incredibly complex machines and it should be possible to break the instructions into sets and hard code them on hundreds of processors. Such a machine should be able to keep up with a T3 line quite easily. Anybody looking at this? Sick Puppy, the Cat_Eating_Dawg From owner-firewalls-list Thu Oct 2 19:45:32 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id RAA26651; Thu, 2 Oct 1997 17:36:52 -0700 (PDT) Received: from relay6.UU.NET (relay6.UU.NET [192.48.96.16]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id RAA26594 for ; Thu, 2 Oct 1997 17:36:37 -0700 (PDT) Received: from cwiz.com by relay6.UU.NET with SMTP (peer crosschecked as: [208.210.163.10]) id QQdjpa27331; Thu, 2 Oct 1997 20:37:54 -0400 (EDT) Received: by cwiz.com (SMI-8.6/SMI-SVR4) id TAA09879; Thu, 2 Oct 1997 19:37:26 -0500 Date: Thu, 2 Oct 1997 19:37:26 -0500 From: mdb@dosmanos.cwiz.com (Martin D. Baldenegro) Message-Id: <199710030037.TAA09879@cwiz.com> To: Ian.Schlueter@avnet.com, csubasi@garanti.com.tr Subject: RE: High Availability between two HPUX 10.20 FW1 machines Cc: firewalls-digest@GreatCircle.COM X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Ian, There seems to be a problem with the synchronization of FW-1, if you are looking for HA for your firewall, you may want to take a look at the HA+ solution from Qualix that uses FW-1 (http://www.qualix.com/html/ha_firewall.html) Regards, /Martin Schlueter, Ian wrote: > > I am attempting to utilize the synchronization capabilities of FW1 ver > 3.0b to implement "high-availability" and I am running into a problem. > > I have two HPUX C100's configured identically. 
Installed are a total of > four network interfaces in each. > > Interface 1: to the Internet > Interface 2: to the intranet > Interface 3: to the DMZ > Interface 4: to the "firewall sync network" > > The firewall sync network only has the two firewalls on it, I am using a > non-internet routable "test" range to address that segment. The > firewalls each have an entry in the /etc/fw/conf/sync.conf file > pointing to their counterpart. > > Here is the problem: > > I am continuously seeing a "Got Connection from firewall-1" > then immediately seeing a "End Connection from firewall-1" > > These messages appear simultaneously on both firewall consoles. Logs > appear to be shared, but state tables only seem to be shared part of the > time. > > Checkpoint suggested that if the two machines system clocks were more > than 5 seconds out of synchronization that it could cause this problem. > We set the clocks to the same time, and tested, still no luck. We even > installed ntp between them and it did not change the results. > > Anyone have any ideas? > > - - -/ W. Ian Schlueter ian.schlueter@avnet.com > - - / Project Manager, Global Internet/intranet support > - -/ Avnet, Inc. 
Chandler, AZ > - / (602) 940-5977 From owner-firewalls-list Thu Oct 2 20:03:34 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id SAA16716; Thu, 2 Oct 1997 18:54:15 -0700 (PDT) Received: from inet03.citec.qld.gov.au (inet03.citec.qld.gov.au [203.5.10.10]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id SAA16705 for ; Thu, 2 Oct 1997 18:53:51 -0700 (PDT) Received: by inet03.citec.qld.gov.au; id LAA25144; Fri, 3 Oct 1997 11:54:05 +1000 Received: from guru.citec.qld.gov.au(147.132.20.47) by inet03.citec.qld.gov.au via smap (3.2) id xma024945; Fri, 3 Oct 97 11:53:36 +1000 Received: (from sgcccdc@localhost) by guru.citec.qld.gov.au (8.6.12/8.6.12) id LAA30021; Fri, 3 Oct 1997 11:58:33 +1000 From: Colin Campbell Message-Id: <199710030158.LAA30021@guru.citec.qld.gov.au> Subject: Re: Re: Milkyway SecurIT - what for? To: brian@firehouse.net (Brian Mitchell) Date: Fri, 3 Oct 1997 11:58:32 +1000 (EST) Cc: firewalls@GreatCircle.COM In-Reply-To: from "Brian Mitchell" at Oct 2, 97 09:52:03 am X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk My mailer thinks Brian Mitchell said: > [stuff deleted] > > You want to see who is knocking on your door. You give them lots of > services to play with to keep them knocking. I really advise you read > Firewalls and Internet Security: Repelling the Wily Hacker (Cheswick and > Bellovin) it goes into great detail about this sort of thing. > Of course if you are running something like Gauntlet, the packet filters pick up this sort of activity anyway and log it without the ports actually being open. 
Colin

From owner-firewalls-list Thu Oct 2 20:15:00 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id TAA21456; Thu, 2 Oct 1997 19:27:45 -0700 (PDT)
Received: from shell.firehouse.net (shell.firehouse.net [209.42.203.45]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id TAA21449 for ; Thu, 2 Oct 1997 19:27:38 -0700 (PDT)
Received: from localhost (brian@localhost) by shell.firehouse.net (8.8.5/8.8.5) with SMTP id WAA29799; Thu, 2 Oct 1997 22:28:31 -0400 (EDT)
Date: Thu, 2 Oct 1997 22:28:26 -0400 (EDT)
From: Brian Mitchell
To: Colin Campbell
cc: firewalls@GreatCircle.COM
Subject: Re: Re: Milkyway SecurIT - what for?
In-Reply-To: <199710030158.LAA30021@guru.citec.qld.gov.au>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 3 Oct 1997, Colin Campbell wrote:
> My mailer thinks Brian Mitchell said:
> > [stuff deleted]
> >
> > You want to see who is knocking on your door. You give them lots of
> > services to play with to keep them knocking. I really advise you read
> > Firewalls and Internet Security: Repelling the Wily Hacker (Cheswick and
> > Bellovin) it goes into great detail about this sort of thing.
> >
> Of course if you are running something like Gauntlet, the packet filters
> pick up this sort of activity anyway and log it without the ports actually
> being open.
>
> Colin
>

Not enough information. With something like that, you would know, for instance, that someone connected to portmapper. You wouldn't know what procedure they tried calling. Logging port accesses just doesn't do the trick, in my opinion. You usually want something more.

With portmapper, for instance, you can provide a number of fake honeypot services. Anything using unix authentication will pass a user id. That can be valuable information (knowing full well it is client side specifiable, and therefore not trustable).
Knowing what services the prober is interested in is also valuable information. Knowing that they are trying to talk portmapper into executing an rpc call for them is also valuable information.

This is just an example of information that can be gleaned from one service. There are a multitude of examples, although portmapper is one of the most useful.

From owner-firewalls-list Thu Oct 2 20:29:44 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA14931; Thu, 2 Oct 1997 13:39:40 -0700 (PDT)
Received: from mail.baileynm.com (fw.baileynm.com [206.109.159.11]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id NAA14905 for ; Thu, 2 Oct 1997 13:39:24 -0700 (PDT)
Received: (qmail 22384 invoked from smtpd); 2 Oct 1997 20:39:17 -0000
Received: from web.nmti.com (root@198.178.0.201) by fw.nmti.com with SMTP; 2 Oct 1997 20:39:17 -0000
Received: from baileynm.com (grendel.nmti.com [198.178.0.150]) by web.nmti.com (8.6.12/8.6.9) with SMTP id PAA10545 for ; Thu, 2 Oct 1997 15:39:17 -0500
Received: by baileynm.com; (5.65v3.2/1.1.8.2/08Sep97-0924AM) id AA21896; Thu, 2 Oct 1997 15:41:35 -0500
Date: Thu, 2 Oct 1997 15:41:35 -0500
From: Peter da Silva
Message-Id: <9710022041.AA21896@baileynm.com>
To: firewalls@greatcircle.com
Subject: Free plug daemon.
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I've written a little "plug proxy" daemon and released it under a Berkeley style license. It's nowhere near as sophisticated as the one in the firewall toolkit, but for most purposes it's much simpler to set up and use.
http://www.taronga.com/plugdaemon.shar

From owner-firewalls-list Thu Oct 2 21:14:57 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA14514; Wed, 1 Oct 1997 12:22:49 -0700 (PDT)
Received: from gate (gate.mcc.net [209.29.243.10]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id MAA14264 for ; Wed, 1 Oct 1997 12:22:04 -0700 (PDT)
Received: from a01fs002.nsci.net ([10.1.1.20]) by gate.mcc.net with ESMTP id <324845-23315>; Wed, 1 Oct 1997 13:22:41 -0600
Received: by A01FS002.mcc.net with Internet Mail Service (5.0.1458.49) id ; Wed, 1 Oct 1997 13:22:31 -0600
Message-ID:
From: "Paquette, Trevor"
To: "'Andrzej Blaszczyk'" , firewalls-digest@GreatCircle.COM
Subject: RE: PC-Anywhere - Custom Protocol?
Date: Wed, 1 Oct 1997 13:22:28 -0600
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1458.49)
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This was not an issue with the client who requested this. Security was not an issue for them, even after we told them of the risks. They are willing to accept the risks.

I've never set up encryption on pcANYWHERE so I'm not a lot of help on this. Anyone else?

> -----Original Message-----
> From: Andrzej Blaszczyk [SMTP:A.Blaszczyk@supermedia.pl]
> Sent: Wednesday, September 24, 1997 1:36 AM
> To: firewalls-digest@GreatCircle.COM
> Subject: RE: PC-Anywhere - Custom Protocol?
>
> > Date: Mon, 22 Sep 1997 12:27:34 -0600
> > From: "Paquette, Trevor"
> > Subject: RE: PC-Anywhere - Custom Protocol?
> >
> > pcANYWHERE can be used through
> >
> > TCP Port 5631
> > UDP Port 5632
> >
> > Works for us.
>
> Great. What kind of encryption do you use in your PCA? I think it is
> quite
> important to use any encryption in WAN. There are several options:
> pcANYWHERE, Symmetric or Public-Key to choose from. Do you know any
> specification of pcANYWHERE encryption level? What kind of security am
> I
> supposed to obtain using Symmetric encryption.
Hmmm... looks like a > few > questions. There is one more. Do you know how to run Public-Key > encryption > on PCA? > > I will appreciate any help from you > regards, > Andrzej Blaszczyk > A.Blaszczyk@supermedia.pl > SuperMedia CUI > ul. Senatorska 13/15 > tel. +48 22 8280979 ext 172 (fax: 102) From owner-firewalls-list Thu Oct 2 21:27:57 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA27741; Thu, 2 Oct 1997 15:12:50 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id PAA27719 for ; Thu, 2 Oct 1997 15:12:42 -0700 (PDT) Received: from pse01.pios.com by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id PAA09397; Thu, 2 Oct 1997 15:07:22 -0700 (PDT) Received: by pse01.pios.com; (5.65v3.2/1.3/10May95) id AA03208; Thu, 2 Oct 1997 18:12:56 -0400 Received: from vaxa.PIOS.COM (vaxa.PIOS.COM) by gemini.pios.com (PMDF V5.0-6 #18985) id <01IOC9T9LFEO8WZRMJ@gemini.pios.com> for firewalls@greatcircle.com; Thu, 02 Oct 1997 18:13:30 -0400 (EDT) Received: from ghost (192.168.14.150) by PIOS.PIOS.COM (PMDF V5.0-6 #18984) id <01IOC9RG2WS08Y607Q@PIOS.PIOS.COM> for firewalls@greatcircle.com; Thu, 02 Oct 1997 18:12:03 -0400 (EDT) Date: Thu, 02 Oct 1997 15:12:36 -0700 From: Bill Stout Subject: Encryption future? X-Sender: stoutb@192.168.0.37 (Unverified) To: firewalls@GreatCircle.COM Message-Id: <2.2.32.19971002221236.00af0058@192.168.0.37> Mime-Version: 1.0 X-Mailer: Windows Eudora Pro Version 2.2 (32) Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk It seems that the government has a perception that crypto _will_ be controlled through key escrow and export restrictions. 
I think no one knows the answer to these questions: Does anyone know if strong encryption (SSL, PGP, VPN) systems will be 'grandfathered' into legality, or will strong encryption systems have to be replaced with damaged versions? In other words, will today's 128-bit VPN routers/firewalls/tunnel servers/webservers need to be swapped out by law, in the near future? I'd rather keep existing 128-bit systems in place than do 'key escrow' or weak encryption. Bill Stout Below is the background for asking: ______________________________________________________________________ Extract from Fight Censorship Announce list: Date: Thu, 02 Oct 1997 17:20:05 -0400 Subject: FC: Crypto-continuation in Washington: FBI/DoJ keep up the pressure Sender: owner-fight-censorship-announce@vorlon.mit.edu X-Fc-Url: Fight-Censorship is at http://www.eff.org/~declan/fc/ Crypto is hot in Washington. Don't think the battle's over; it's just beginning: * This afternoon when the Senate Intelligence committee met to consider a new CIA deputy director, Sen. Bob Kerrey said "there's a real urgency" to get an encryption bill passed. (Presumably, that would be his bill, the "Key Escrow Infrastructure" McCain-Kerrey/S.909.) * Last week Janet Reno talked at her weekly press conference about balancing law enforcement rights with privacy rights -- through mandatory domestic key escrow. * Yesterday Louis Freeh spoke at length before the House International Relations committee about the spread of nuclear weapons... and reminded committee members about the problems the FBI has with nonescrowed crypto... * Sen. Jon "Mandatory Domestic Key Escrow" Kyl said on Sunday that the Clinton administration's export controls on crypto were *not tight enough*... 
From owner-firewalls-list Thu Oct 2 21:29:15 1997
From: "Gasparini, Edy"
To: "Firewalls@GreatCircle.COM", Jay Bahel
Date: Thu, 2 Oct 1997 09:44:04 +1000
Subject: RE: Security Plan/Policy

On Thursday, 25 September 1997 7:40, Jay Bahel[SMTP:jbahel@mcs.net] wrote:
> Does anyone out there have any template or web-site to point to for building
> a security plan for a business.

Try http://www.dsd.gov.au/

./edy gasparini (...the thing I miss most is my mind).
From owner-firewalls-list Thu Oct 2 21:29:47 1997
From: Stephen Greenwalt
To: "'David LeBlanc'", osiris@gnss.com
Cc: firewalls@GreatCircle.COM
Date: Wed, 1 Oct 1997 19:56:27 +0100
Subject: RE: Microsoft vs The world (apology)

This is all due to the channel feature, with push technology, and it is completely configurable by the end user: it can be shut off. There is nothing shady going on here. However, I still don't know what to think of it . . . it might be nice for people at 28.8 who don't want to sit there waiting for pages to load. But, I wonder if the 'automatic' nature of this technology opens up any potential security risks . . . also, another concern . . . I think it is very likely to increase bandwidth usage. I can see lots of irrelevant information being downloaded for no reason.

Steve Greenwalt

> -----Original Message-----
> From: David LeBlanc [SMTP:dleblanc@iss.net]
> Sent: Monday, September 15, 1997 3:10 PM
> To: osiris@gnss.com
> Cc: firewalls@GreatCircle.COM
> Subject: Re: Microsoft vs The world (apology)
>
> At 10:47 9/15/97 -0700, you wrote:
>
> > In this morning's newspaper (reference follows), I found an article of
> > some interest. In it, there was an interview with a beta tester of IE
> > 4.0. Apparently, IE 4.0 - if left unattended - will routinely initiate
> > a connection to Microsoft. Purportedly, this feature (not a bug, a
> > feature) allows updates and special web pages to be downloaded while
> > the user is away from the terminal (busy, asleep, etc.)
> > These updates are then stored on the hard disk drive of the user.
> > According to the beta tester:
>
> > "I...discovered that my computer had connected itself to the
> > Internet...I was completely freaking out. I pulled the phone plug
> > right out of the wall."
>
> Odd - I've had IE 4.0 on my home box for some weeks, and it has never
> once taken it upon itself to call my ISP and connect to MS. I haven't
> really monitored what it does while on line extremely carefully, and I
> haven't taken any special precautions to prevent this from happening,
> either. It is possible this is because I don't have any of the
> "pointcast" junk turned on - blew up first time I tried it, and I
> haven't fooled with it since.
>
> Perhaps "freaking out" users may not be the most reliable source of
> info. Although I'd certainly be displeased if it did start dialing
> home, I can think of less destructive ways to stop this behavior than
> yanking on wires.
>
> > More bizarre yet is this: in addition to the 250K download, his
> > machine also UPLOADED 58,000 bytes of information. The beta tester
> > reported that he did not know what data had been uploaded.
>
> Be interesting to see what it is doing - it could be just requests and
> that sort of thing.
>
> > I am wondering this: suppose such a box was located behind a firewall
> > but was allowed outside access. Does this not constitute an EXTREME
> > security risk? If 4.0 is capable of uploading information from a local
> > drive of a 95 box, it can presumably do this from badly managed shares
> > as well, no?
>
> No telling. IMHO, we need to examine this a bit before we get cranked
> about it. Be interesting to see if it can be duplicated, then log the
> traffic.
>
> -----------------------------------------------------------
> David LeBlanc                    | Voice: (770)395-0150 x138
> Internet Security Systems, Inc.  | Fax: (404)395-1972
> 41 Perimeter Center East         | E-Mail: dleblanc@iss.net
> Suite 660                        | www: http://www.iss.net/
> Atlanta, GA 30328                |

From owner-firewalls-list Thu Oct 2 21:31:59 1997
From: "Matrix Venus"
To: Firewalls@GreatCircle.COM
Date: Thu, 02 Oct 1997 17:00:38 PDT

remove

From owner-firewalls-list Thu Oct 2 21:33:53 1997
From: BILL LOWRY
Reply-To: blowry@balch.com
To: Firewalls@GreatCircle.COM
Date: Wed, 01 Oct 1997 22:59:10 -0600
Subject: Firewalls-Digest V6 #472 -Reply

I'm sorry, I'll be in class this week. If you need immediate attention, please contact Eric Hunter.
Thanks,
WRL

From owner-firewalls-list Thu Oct 2 21:33:56 1997
From: Scot Anderson
To: "Schlueter, Ian"
Cc: firewalls-digest@GreatCircle.COM
Date: Wed, 01 Oct 1997 15:46:20 -0400
Subject: Re: High Availability between two HPUX 10.20 FW1 machines

I have set up the synchronized feature and found the same sort of message in my logs. I just went ahead and tested them, and found the feature to work. If you're "out" for long periods of time, I would be inclined to sample that firewall-sync network to see what's going on.

In my implementation, I had the same networks attached to both machines and had one "master" the other to ensure identical rule sets for them. I ran the sync traffic over one of the operational networks (one with physical security associated with it, internal to my networks). It was quite a nice surprise to see it work.

I hear that it's not a bad idea to reboot the machines periodically and flush the state tables in the process (remove everything in ${FWDIR}/state/).. Particularly if you are in the habit of connecting to a unix security module from Win95/WinNT clients.
At 09:28 AM 9/30/97 -0700, you wrote:
> I am attempting to utilize the synchronization capabilities of FW1 ver
> 3.0b to implement "high-availability" and I am running into a problem.
>
> I have two HPUX C100's configured identically. Installed are a total of
> four network interfaces in each.
>
>   Interface 1: to the Internet
>   Interface 2: to the intranet
>   Interface 3: to the DMZ
>   Interface 4: to the "firewall sync network"
>
> The firewall sync network only has the two firewalls on it, I am using a
> non-internet routable "test" range to address that segment. The
> firewalls each have an entry in the /etc/fw/conf/sync.conf file
> pointing to their counterpart.
>
> Here is the problem:
>
> I am continuously seeing a "Got Connection from firewall-1"
> then immediately seeing a "End Connection from firewall-1"
>
> These messages appear simultaneously on both firewall consoles. Logs
> appear to be shared, but state tables only seem to be shared part of the
> time.
>
> Checkpoint suggested that if the two machines system clocks were more
> than 5 seconds out of synchronization that it could cause this problem.
> We set the clocks to the same time, and tested, still no luck. We even
> installed ntp between them and it did not change the results.
>
> Anyone have any ideas?
>
> - - -/ W. Ian Schlueter ian.schlueter@avnet.com
> - - / Project Manager, Global Internet/intranet support
> - -/ Avnet, Inc. Chandler, AZ
> - / (602) 940-5977

---------------------------------------------------------
Scot Anderson | Voice: 703-383-7950 | www.btg.com/[~scot]

From owner-firewalls-list Thu Oct 2 21:36:13 1997
From: "Michael C. Richardson"
To: firewalls@greatcircle.com
Date: Thu, 02 Oct 1997 13:17:31 -0400
Subject: Re: Milkyway SecurIT - what for?

[I had to reformat your very long line text]

manuel> My point was that a firewall shouldn't have many inbound
manuel> ports open anyway. The ones that are open are probably

It doesn't open 64k ports. That would be silly and wasteful. It has one port open that listens to all ports not otherwise listened to.

Remember: it runs on a secure OS, with a modified TCP/IP stack. It used to ship with all relevant vendor patches installed, and it used to install from CD.
Expecting users to install a dozen vendor patches before the firewall is not a good idea, nor is installing the whole OS! I understand that the NT and Solaris versions have changed this... one reason why I can't recommend it anymore. The only firewall that I know of that ships with the OS included is now Secure Computing/BorderWare.

One feature of BlackHole (I'm sorry. The new names suck) is that it allows one to write a rule that allows all services. So a policy might read:

  use telnet or HTTP for single sign on.
  once signed on ("transparent mode"), allow all outgoing services.
  BUT, no HTTP to www.playboy.com, and no IRC during business hours.
  No Pointcast ever, due to bandwidth and security considerations.

manuel> previous mail. What they are saying is that if you have a
manuel> hole in your firewall it will be harder for the attacker to
manuel> find it. I still think the hole shouldn't be there to start
manuel> with. Besides, what they are doing can be done with any
manuel> other firewall anyway (you can define ACL's for all the
manuel> ports if you want).

But it can be avoided as well. There are two ways to avoid giving away your security policy:

1. try and always return RST to intruders as if the service was not there. But, you have to connect to legitimate people, so you risk false *negatives*, which is a denial of service.

2. always bring up a connection, providing false positives.

At one point, however, a SYN scan would cause the log system to go overboard, and it would take several hours to catch up. I think this got fixed by detecting the scan earlier. I do not believe that there is any defense against SYN spamming, despite claims by Milkyway Networks. It would be easy for them to add, since they already have the TCP/IP stack source.

:!mcr!:            | Network security programming, currently
Michael Richardson | on contract with SSH IPSEC (http://www.ssh.fi/)
WWW: mcr@sandelman.ottawa.on.ca. PGP key available.
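A catch-all listener of the kind described above (one socket answering every otherwise-unused port, or the fake portmapper Alfred Huger mentions elsewhere in this digest) logs a hit for every port a scanner touches, which is exactly what let a SYN scan push the logger hours behind. As an added example, not Milkyway's code nor any poster's, the Python below collects such per-probe log lines per source over a sliding window and raises one alert per scanning source instead of one per port; the log line format, the addresses, the window and the threshold are all constructed assumptions.

```python
"""Aggregate catch-all listener hits into one scan alert per source.

Added example; the log format below is an assumption, not any product's.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format assumed for this example:
#   "<ISO-8601 timestamp> accept src=<address> dport=<port>"
LINE_RE = re.compile(r"^(\S+) accept src=(\S+) dport=(\d+)$")


def parse_line(line):
    """Return (timestamp, source, port), or None for lines we do not understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), int(m.group(3))


class ScanDetector:
    def __init__(self, window_seconds=10, port_threshold=20):
        self.window = timedelta(seconds=window_seconds)
        self.threshold = port_threshold
        self.recent = defaultdict(deque)   # source -> deque of (ts, port)
        self.last_alert = {}               # source -> timestamp of its last alert

    def feed(self, line):
        """Consume one log line; return an alert dict, or None."""
        parsed = parse_line(line)
        if parsed is None:
            return None
        ts, src, port = parsed
        q = self.recent[src]
        q.append((ts, port))
        # Forget probes that have fallen out of the sliding window.
        while q and ts - q[0][0] > self.window:
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) < self.threshold:
            return None
        # Suppress repeats: one alert per source per window, not one per probe.
        last = self.last_alert.get(src)
        if last is not None and ts - last <= self.window:
            return None
        self.last_alert[src] = ts
        return {"src": src, "distinct_ports": len(distinct),
                "first": q[0][0], "last": ts}


def detect_scans(lines, **kwargs):
    """Run the detector over an iterable of log lines and collect the alerts."""
    det = ScanDetector(**kwargs)
    return [a for a in map(det.feed, lines) if a is not None]


def sample_log():
    """Constructed sample: one legitimate client plus one sequential SYN scan."""
    base = datetime(1997, 10, 2, 13, 0, 0)
    lines = []
    # A legitimate client reusing three real services never trips the threshold.
    for i in range(8):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} accept src=10.1.1.5 dport={[25, 80, 443][i % 3]}")
    # A scanner sweeping ports 1-1024 at 5 ms intervals: 1024 log lines, one alert.
    for p in range(1, 1025):
        ts = base + timedelta(milliseconds=5 * p)
        lines.append(f"{ts.isoformat()} accept src=192.0.2.77 dport={p}")
    return lines


if __name__ == "__main__":
    for alert in detect_scans(sample_log()):
        print(alert)
```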
From owner-firewalls-list Thu Oct 2 22:00:51 1997
From: Emmanouil Magos
To: firewalls@greatcircle.com
Date: Thu, 02 Oct 1997 02:53:13 +0200

remove

From owner-firewalls-list Thu Oct 2 22:14:56 1997
From: Ken Jones
To: firewalls@GreatCircle.COM
Date: Wed, 1 Oct 1997 14:34:41 -0700 (PDT)
remove

From owner-firewalls-list Fri Oct 3 00:46:14 1997
From: "Billy Verreynne"
Date: Fri, 3 Oct 1997 08:18:36 +0200
Subject: Re: Just wondering - pipeline computer firewalls?

Sick Puppy wrote:
> Not too long ago I had a lot of free time to think about things

Now this is definitely scary... :-)

> It seems to me that firewalls are not incredibly complex machines
> and it should be possible to break the instructions into sets and hard
> code them on hundreds of processors. Such a machine should be able to
> keep up with a T3 line quite easily.

I think the major problem with this approach is complexity. It's much more complex designing hardware than software. Software is cheaper to develop, easier to maintain and change. Software life cycles are also much shorter than hardware life cycles - which usually means larger sales volumes. And would there be a market for firewall hardware? Most corporates are reluctant to try new technologies.

> Anybody looking at this?
Not a bad idea I think, but one that would only work (IMHO) if a network hardware vendor bundles this type of firewall hardware with their bridges and routers.

regards,
Billy

From owner-firewalls-list Fri Oct 3 01:17:03 1997
From: "David Harvey-George"
To: "Non Receipt Notification Requested"
Date: Thu, 2 Oct 1997 23:37:32 +0100
Subject: Re: Milkyway SecurIT - what for?

----------
> From: Alfred Huger
> To: manuel.ricca@pararede.pt
> Cc: Non Receipt Notification Requested
> Subject: Re: Milkyway SecurIT - what for?
> Date: Wednesday, October 01, 1997 7:29 PM
>
> On 24 Sep 1997 manuel.ricca@pararede.pt wrote:
>
> > Hello everybody,
> > Here is a quotation from Milkyway's insufficiently documented website:
> >
> > "All Ports Accept Communications
> >
> > An effective way to protect a system from unauthorized access is to
> > prevent an intruder from learning anything about the system. As
> > described, port scanning normally provides an intruder with exploitable
> > information about a system. However, if all the would-be intruder learns
> > is that all ports are accepting communications the intruder is no
> > further ahead. There is nothing to distinguish one port from another.
> > No new information is gained."
> >
> > What??? Is this supposed to be an idiot-security-manager-proof measure?
> > At the expense of performance (has to)?
> > Or did I just miss the point here?
>
> You missed the point, completely. The reason the Milkyway Firewall keeps
> all its ports listening is to confuse port scanners. When a user performs
> a scan, they find *all* ports listening and therefore have no easily
> definable targets.
>
> It also rings bells for the Firewall Admin so he/she can see he/she is
> being scanned. It's not a panacea, nor is it a poor idea. Honeypots and
> fake services are an important part of any perimeter system IMO. The
> longer you keep a would-be intruder poking, the more of a chance you stand
> of noticing the activity.
>
> In fact, we wrote a similar utility at our company just for kicks to
> see what we would get. The service is a fake portmapper which returns
> a number of fake services. Any requests to the portmapper or to the
> services are packet logged. We manage to log 3 or 4 people a week door
> knocking, handy stuff really.
>
> rpcinfo -p silence.secnet.com
>
> /*************************************************************************
> Alfred Huger              Phone: 403.262.9211
> Secure Networks Inc.      Fax: 403.262.9221
> **************************************************************************/

From owner-firewalls-list Fri Oct 3 03:15:05 1997
From: Jens Askengren
Date: Fri, 3 Oct 1997 11:55:19 +0200

remove

From owner-firewalls-list Fri Oct 3 03:51:19 1997
From: Noam Rathaus
To: firewalls@GreatCircle.COM
Date: Fri, 03 Oct 1997 12:22:49 +0200
Subject: Re: what ports to pass for exchange/outlook
Alex Fournier wrote:
>
> Actually,
>
> I have a setup (sorry, customer wants a setup) where the Exchange client
> would be on the opposite side of the firewall than the Exchange
> server... So although it's not very likely, what ports would then be
> used ?? (any NetBIOS over IP need to be travelling across the
> firewall?? or what?? What information do the Exchange client and server
> exchange and how??) Being a Unix child, I'm just ignorant when it comes
> to NT and Exchange so any help or pointers would be appreciated.
>
> Robert Ståhlbrand wrote:

Unless configured otherwise, it will use port 139, (RPC) and then a dynamic address above 1024 (TCP). If you want to make them static, there is a knowledge base article, look for firewall access and microsoft exchange server.

--
Thanks
Noam Rathaus
NT / Exchange / Network Administrator.
Certified CNA/MSCE - Site Builder Network 2
Israel
mailto://dolittle@israelmail.com
UIN: 486098 (http://www.mirabilis.com)

From owner-firewalls-list Fri Oct 3 06:00:08 1997
From: gary flynn
To: Firewalls@GreatCircle.COM, owner-firewalls-list@GreatCircle.COM
Date: Fri, 3 Oct 1997 08:40:04 -0400
Subject: Re: Williamsburg Security Seminar

Please send full agenda of Williamsburg security seminar.
Thanks,
Gary Flynn
Network Analyst
James Madison University

From owner-firewalls-list Fri Oct 3 06:30:41 1997
From: Frederick M Avolio
To: firewalls@greatcircle.com
Date: Fri, 03 Oct 1997 09:15:17 -0400
Subject: Firewalls BoF at Interop

Internet Firewalls Birds-of-a-Feather
Wednesday, Oct. 8 @ 8:00 pm-10:00 pm
GWCC, Room 260W

From owner-firewalls-list Fri Oct 3 07:24:38 1997
From: Gregory Wilkins
To: Firewall Newsgroup
Date: Fri, 3 Oct 1997 10:17:47 -0400
Subject: Plug Help

I am assuming that I could support a user with the plug-gw that needs to use his/her AOL program to connect to AOL via the Internet. I know that AOL uses TCP/IP as one of the dialers, and indeed it does work on the "public" net, but has anyone created a plug to do this (e.g.: does anyone have any samples that they might be able to send me, showing how they did this?). I've tried to put the plug in myself, but it continues not to work.

Please help. I've got a user (one of my bosses) who needs to access his AOL account. Please - no flames about how bad, stupid, etc AOL is - I'm not wanting to debate that issue at all.
Thanks in advance
-Greg

From owner-firewalls-list Fri Oct 3 07:30:09 1997
From: Anton J Aylward
To: Sick Puppy
Cc: firewalls@greatcircle.com
Date: Fri, 03 Oct 1997 10:23:02 -0400
Subject: Re: Just wondering - pipeline computer firewalls?

At 08:18 PM 02/10/97 -0400, you wrote:
## Reply Start ##
> It seems to me that firewalls are not incredibly complex machines
> and it should be possible to break the instructions into sets and hard
> code them on hundreds of processors. Such a machine should be able to
> keep up with a T3 line quite easily.

Blech!

As the guy said, those who are doomed to repeat history haven't studied it.

Just as the special purpose chips which once were designed for signal processing have been booted from our repertoire by things like the pentium and power PC - FASTER general purpose processing and economies of scale, as it is with routers and firewalls.
In case you hadn't noticed, and I'm sure there are some people involved on the list who can amplify this, even before the great explosion in ISPs and Sprint, MCI and AT&T getting in on the act, (say around 1990) the NSF T-3 backbone was handled by ANS who ran it on the old, slow (by today's standards) RS/6000s. Now if you say that firewall policy and filtering slows things down, right. But ANS ran a policy based routing system - NSF and CO+RE. I think the additional processing is comparable. No, a lot of the poor performance is because of linear algorithms. See for example the Network Systems BorderGuard. It uses a regular off the shelf CPU, but does not degrade as filtering is added. It also has what might be described as the "4GL" of filter languages - Molitor's response to Chapman's paper on the evils of filtering. Its internal algorithms are "parallel", so adding filter statements doesn't degrade it. Elsewhere, we have things like Bernstein's qmail and Weitze's vmail, which make use of multi-threading to offer very significant improvements in speed over vendor distributed mail transfer agents. On a personal note: many decades ago when I was learning at the feet of the masters, Kernighan and Plauger and Ritchie, I learnt two important things. 1. Get it right first, then make it faster. 2. Speed is entirely a function of the algorithm, not coding tricks. I look at the marketplace, at Risks digest, and I'm convinced we still haven't got to stage 1 yet. Until we do, I don't think my toaster needs an operating system, especially not one with a graphical interface. Same for my camera, my lawn mower, my dishwasher (bless her dainty little hands and cute buns ;-)(she probably says the same thing about me) and many other instruments which have served me well.
Which, I suppose, means there is a need for special purpose processing, but not necessarily using semiconductors ;-) /anton ## Reply End ## -------------------------------------------------------------------------- "The Singapore government isn't interested in controlling information, but wants a gradual phase-in of services to protect ourselves. It's not to control, but to protect the citizens of Singapore. In our society, you can state your views, but they have to be correct." - Ernie Hai, coordinator of the Singapore Government Internet Project ** Anton J Aylward * The Strahn & Strachan Group Inc Voice: (416) 494-8661 ** Information Security Consultants **** Fax: (416) 494-8803 From owner-firewalls-list Fri Oct 3 08:01:08 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA24173; Fri, 3 Oct 1997 07:47:57 -0700 (PDT) Received: from public.js.hb.cn ([202.103.8.46]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id HAA21057 for ; Fri, 3 Oct 1997 07:29:54 -0700 (PDT) Received: from pga97001.public.js.hb.cn (ppp18.js.hb.cn [202.103.8.81]) by public.js.hb.cn (8.6.11/8.6.11) with SMTP id WAA09328 for ; Fri, 3 Oct 1997 22:27:35 +0800 Message-ID: <34350117.1B3E@public.js.hb.cn> Date: Fri, 03 Oct 1997 22:28:39 +0800 From: "ga97001@public.js.hb.cn" Reply-To: ga97001@public.js.hb.cn Organization: ga97001@public.js.hb.cn X-Mailer: Mozilla 3.01Gold (Win95; I) MIME-Version: 1.0 To: firewalls@GreatCircle.COM Subject: (no subject) Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk remove From owner-firewalls-list Fri Oct 3 08:53:19 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA01843; Fri, 3 Oct 1997 08:23:40 -0700 (PDT) Received: from mail0.tor.acc.ca (mail0.tor.acc.ca [204.92.54.110]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id IAA01817 for ; Fri, 3 Oct 1997 08:23:32 -0700 
(PDT) Received: from classik (ppp-014.m2-8.tor.ican.net [142.154.22.14]) by mail0.tor.acc.ca (8.8.7/8.8.6) with SMTP id LAA23026 for ; Fri, 3 Oct 1997 11:24:43 -0400 (EDT) Message-Id: <3.0.2.32.19971003112501.007b9100@ican.net> X-Sender: asb@ican.net X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.2 (32) Date: Fri, 03 Oct 1997 11:25:01 -0400 To: firewalls@GreatCircle.COM From: "Ayal S. Bida" Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk remove From owner-firewalls-list Fri Oct 3 09:02:06 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA24827; Fri, 3 Oct 1997 07:50:52 -0700 (PDT) Received: from ragroup.co.uk ([194.129.45.1]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id HAA24648 for ; Fri, 3 Oct 1997 07:50:02 -0700 (PDT) From: mbeech@csc.ragroup.co.uk Received: from csc.ragroup.co.uk ([194.129.44.250]) by khepera.ragroup.co.uk with SMTP id <27778>; Fri, 3 Oct 1997 15:48:19 +0100 Received: from ccMail by csc.ragroup.co.uk (IMA Internet Exchange 2.11 Enterprise) id 0000AC3C; Fri, 3 Oct 1997 15:45:09 +0100 Mime-Version: 1.0 Date: Fri, 3 Oct 1997 15:48:06 +0100 Message-ID: <0000AC3C.1453@csc.ragroup.co.uk> Subject: TCP Ports To: Firewalls@greatcircle.com Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Description: cc:Mail note part Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Is there a definitive list of TCP port numbers and their functions? Over the past couple of months I have logged attempts to connect to our systems on ports 1054, 2149, 5632, 1496, 1526 as well as the more identifiable telnets, nfs, etc. 
Thanks for any help Martin Beech From owner-firewalls-list Fri Oct 3 09:15:16 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA04927; Fri, 3 Oct 1997 08:47:46 -0700 (PDT) Received: from heather.greatbasin.com (heather.greatbasin.com [140.174.194.41]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id IAA00355 for ; Fri, 3 Oct 1997 08:16:40 -0700 (PDT) Received: from heather.greatbasin.com (mg128-097.ricochet.net [204.179.128.97]) by heather.greatbasin.com (8.8.5/8.8.5) with SMTP id IAA20863 for ; Fri, 3 Oct 1997 08:05:23 -0700 (PDT) Message-Id: <3.0.3.32.19971003075140.007fa450@glatz.com> X-Sender: Pacme@glatz.com X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Fri, 03 Oct 1997 07:51:40 -0700 To: firewalls-digest@GreatCircle.COM From: Phil Glatz Subject: IE 4 security hole? Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Does anyone have any more information on this? The channel definition format (.CDF) http://www.microsoft.com/standards/cdf-f.htm includes a LOGTARGET feature that allows a web site provider to make your browser deliver logs of your usage via an http post or put. Even hits from cache are logged. This is all not so good and getting worse. Not only is the information posted material you wouldn't want to give to a provider, (considering) "http post/put" is normally spoofable anyway.
From owner-firewalls-list Fri Oct 3 10:15:39 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA16694; Fri, 3 Oct 1997 09:57:41 -0700 (PDT) Received: from racoon.uucom.com (racoon.uucom.com [198.202.217.4]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id JAA16653 for ; Fri, 3 Oct 1997 09:57:30 -0700 (PDT) Received: from localhost (lmann@localhost) by racoon.uucom.com (8.8.7/8.8.5) with SMTP id MAA05390; Fri, 3 Oct 1997 12:58:19 -0400 Date: Fri, 3 Oct 1997 12:58:18 -0400 (EDT) From: Lee Mann To: mbeech@csc.ragroup.co.uk cc: Firewalls@GreatCircle.COM Subject: Re: TCP Ports In-Reply-To: <0000AC3C.1453@csc.ragroup.co.uk> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Take a look at: ftp://venera.isi.edu/in-notes/iana/assignments/port-numbers On Fri, 3 Oct 1997 mbeech@csc.ragroup.co.uk wrote: > Is there a definitive list of TCP port numbers and their functions? Over the > past couple of months I have logged attempts to connect to our systems on ports > 1054, 2149, 5632, 1496, 1526 as well as the more identifiable telnets, nfs, etc. > > > Thanks for any help > > Martin Beech > Lee --- Lashley H. Mann II | UUcom, Inc.
Email: lmann@uucom.com | Voice: 703.461.1350 | Fax: 703.461.1360 From owner-firewalls-list Fri Oct 3 10:32:20 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA20649; Fri, 3 Oct 1997 10:20:55 -0700 (PDT) Received: from omicron.comarch.pl (omicron.comarch.pl [195.116.125.1]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id KAA20640 for ; Fri, 3 Oct 1997 10:20:50 -0700 (PDT) From: pawlik@comarch.pl Received: from pawlik.comarch.pl (pcblasiak.comarch.pl [195.116.125.145]) by omicron.comarch.pl (8.8.5/8.8.2) with SMTP id TAA20521 for ; Fri, 3 Oct 1997 19:32:38 +0200 Message-Id: <3.0.32.19971003192146.0069b018@omicron.comarch.pl> X-Sender: pawlik@omicron.comarch.pl X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Fri, 03 Oct 1997 19:21:47 +0200 To: Firewalls@GreatCircle.COM Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk remove From owner-firewalls-list Fri Oct 3 10:46:46 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA23151; Fri, 3 Oct 1997 10:41:42 -0700 (PDT) Received: from insync.net (vellocet.insync.net [204.253.208.10]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id KAA23107 for ; Fri, 3 Oct 1997 10:41:15 -0700 (PDT) Received: from houinet1.hou.moc.com (houinet1.hou.moc.com [192.70.218.1]) by insync.net (8.8.7/8.7.1) with ESMTP id MAA05402; Fri, 3 Oct 1997 12:42:04 -0500 (CDT) Received: from fdyp62120 ([89.2.21.94]) by houinet1.hou.moc.com (8.8.4/8.8.4) with SMTP id MAA00535; Fri, 3 Oct 1997 12:41:33 -0500 (CDT) Message-Id: <3.0.3.32.19971003134130.009744d0@houinet.hst.moc.com> X-Sender: zawodny@houinet.hst.moc.com X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Fri, 03 Oct 1997 13:41:30 -0400 To: mbeech@csc.ragroup.co.uk, Firewalls@GreatCircle.COM From: "Jeremy D. 
Zawodny" Subject: Re: TCP Ports In-Reply-To: <0000AC3C.1453@csc.ragroup.co.uk> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 03:48 PM 10/3/97 +0100, mbeech@csc.ragroup.co.uk wrote: >Is there a definitive list of TCP port numbers and their functions? Over the >past couple of months I have logged attempts to connect to our systems on ports >1054, 2149, 5632, 1496, 1526 as well as the more identifiable telnets, nfs, etc. Other than in /etc/services, I believe so. The Internet Assigned Numbers Authority (IANA), I *think*, is who maintains such a list. Jeremy -- Jeremy Zawodny Internet Technology Group Information Technology Services Marathon Oil Company, Findlay Ohio http://www.marathon.com/ Unless explicitly stated, these are my opinions only--not those of my employer. From owner-firewalls-list Fri Oct 3 12:00:47 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA26227; Fri, 3 Oct 1997 10:59:47 -0700 (PDT) Received: from balder.ssds.com (balder.ssds.com [204.131.72.62]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id KAA26198 for ; Fri, 3 Oct 1997 10:59:33 -0700 (PDT) Received: by balder.ssds.com id LAA14027; Fri, 3 Oct 1997 11:57:25 -0600 (MDT) Received: from denver.ssds.com(134.127.16.1) by balder.ssds.com via smap (3.2) id xma014010; Fri, 3 Oct 97 11:56:52 -0600 Received: by denver.ssds.com id MAA20167; Fri, 3 Oct 1997 12:00:07 -0600 (MDT) Message-Id: <2.2.32.19971003175830.006f3774@denver.ssds.com> X-Sender: svl@denver.ssds.com X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 03 Oct 1997 11:58:30 -0600 To: mbeech@csc.ragroup.co.uk, Firewalls@greatcircle.com From: Scott Lupfer Subject: Re: TCP Ports Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Try the following site: http://www.con.wesleyan.edu/~triemer/network/docservs.html Scott At 03:48 PM 10/3/97 
+0100, mbeech@csc.ragroup.co.uk wrote: >Is there a definitive list of TCP port numbers and their functions? Over the >past couple of months I have logged attempts to connect to our systems on ports >1054, 2149, 5632, 1496, 1526 as well as the more identifiable telnets, nfs, etc. > > >Thanks for any help > >Martin Beech > > > Scott Lupfer Network Engineer SSDS, Inc 4065 Sinton Road Suite 201 Colorado Springs, CO 80907 Phone (719) 630-0100 ext 104 Pager (888) 284-0286 Leaders in IT Architecture for Networked Solutions From owner-firewalls-list Fri Oct 3 12:20:32 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA12828; Fri, 3 Oct 1997 09:39:12 -0700 (PDT) Received: from clyde ([194.80.246.16]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id JAA12283 for ; Fri, 3 Oct 1997 09:35:48 -0700 (PDT) Received: from mel-s-pc by clyde (SMI-8.6/SMI-SVR4) id RAA15709; Fri, 3 Oct 1997 17:33:04 +0100 Message-Id: <199710031633.RAA15709@clyde> From: "Melford John" To: Date: Fri, 3 Oct 1997 17:39:12 +0100 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1155 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk remove From owner-firewalls-list Fri Oct 3 12:27:30 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA12192; Fri, 3 Oct 1997 09:35:13 -0700 (PDT) Received: from PROMETHEUS.ADVSTAFF.COM (advstaff.com [205.136.148.15]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id JAA12153 for ; Fri, 3 Oct 1997 09:35:02 -0700 (PDT) From: mgetter@advstaff.com Received: by PROMETHEUS.ADVSTAFF.COM; id MAA02294; Fri, 3 Oct 1997 12:30:17 -0400 (EDT) Received: from art-ntsrv01.advstaff.com(192.168.100.15) by prometheus.advstaff.com via smap (3.2) id xma002277; Fri, 3 Oct 97 12:29:48 -0400 Received: by art-ntsrv01.advstaff.com(Lotus SMTP MTA v1.1 (385.6
5-6-1997)) id 85256525.005B2049 ; Fri, 3 Oct 1997 12:35:20 -0400 X-Lotus-FromDomain: ADVANTAGE To: greg@wye.com cc: firewalls@GreatCircle.COM Message-ID: <85256525.005B1965.00@art-ntsrv01.advstaff.com> Date: Fri, 3 Oct 1997 12:35:50 -0400 Subject: Re: Plug Help Mime-Version: 1.0 Content-type: text/plain; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Check http://www.tis.com/support There is a document there with instructions for setting up the Plug-GW with AOL as the example. greg@wye.com on 10/03/97 10:17:47 AM To: firewalls@GreatCircle.COM cc: (bcc: Marc A Getter/Systems/ART/Advantage) Subject: Plug Help I am assuming that I could support a user with the plug-gw that needs to use his/her AOL program to connect to AOL via the Internet. I know that AOL uses TCP/IP as one of the dialers, and indeed it does work on the "public" net, but has anyone created a plug to do this (e.g.: does anyone have any samples that they might be able to send me, showing how they did this?). I've tried to put the plug in myself, but it continues not to work. Please help. I've got a user (one of my bosses) who needs to access his AOL account. Please - no flames about how bad, stupid, etc AOL is - I'm not wanting to debate that issue at all.
Thanks in advance -Greg From owner-firewalls-list Fri Oct 3 12:31:27 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA10883; Fri, 3 Oct 1997 12:18:01 -0700 (PDT) Received: from diablo.cisco.com (diablo.cisco.com [171.68.223.106]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id LAA00693 for ; Fri, 3 Oct 1997 11:23:15 -0700 (PDT) Received: from clonvick-pc.cisco.com (houcons.cisco.com [171.68.41.7]) by diablo.cisco.com (8.8.5/CISCO.SERVER.1.2) with SMTP id LAA01395; Fri, 3 Oct 1997 11:24:01 -0700 (PDT) Message-Id: <2.2.32.19971003181721.008b4b88@localhost> X-Sender: clonvick@localhost X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 03 Oct 1997 13:17:21 -0500 To: mbeech@csc.ragroup.co.uk, Firewalls@GreatCircle.COM From: Chris Lonvick Subject: Re: TCP Ports Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi Martin, RFC-1700 is the definitive guide. You can also look at IANA. http://www.iana.org/iana/assignments.html ftp://ftp.isi.edu/in-notes/iana/assignments/port-numbers Hope this helps, Chris Lonvick Cisco Systems Corporate Consulting Houston, TX +1.713.778.5663 At 03:48 PM 10/3/97 +0100, mbeech@csc.ragroup.co.uk wrote: >Is there a definitive list of TCP port numbers and their functions? Over the >past couple of months I have logged attempts to connect to our systems on ports >1054, 2149, 5632, 1496, 1526 as well as the more identifiable telnets, nfs, etc. 
> > >Thanks for any help > >Martin Beech > > > From owner-firewalls-list Fri Oct 3 12:48:45 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA29965; Fri, 3 Oct 1997 11:19:54 -0700 (PDT) Received: from c2smtp.on.com (c2smtp.on.com [207.18.216.5]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id LAA29932 for ; Fri, 3 Oct 1997 11:19:40 -0700 (PDT) Received: from Connect2 Message Router by c2smtp.on.com via Connect2-SMTP 4.30A; Fri, 3 Oct 1997 14:18:03 -0400 Message-ID: <5D909F3801D40000@c2smtp.on.com> Date: Fri, 3 Oct 1997 14:17:00 -0400 From: Stephen McLarey Disposition-Notification-To: Organization: ON Technology - Cambridge To: mbeech@csc.ragroup.co.uk Cc: firewalls@greatcircle.com (Firewall list) Subject: TCP Ports Importance: normal MIME-Version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-disposition: inline Content-transfer-encoding: 7bit X-Mailer: Connect2-SMTP 4.30A MHS/SMF to SMTP Gateway Sender: firewalls-owner@GreatCircle.COM Precedence: bulk ======== Original Message ======== Is there a definitive list of TCP port numbers and their functions? Over the past couple of months I have logged attempts to connect to our systems on ports 1054, 2149, 5632, 1496, 1526 as well as the more identifiable telnets, nfs, etc. Thanks for any help Martin Beech ======== Fwd by: Stephen McLar ======== Get a copy of RFC 1700. This lists all the standard ports.
_\|/_ (o o) ****oOO-(_)-OOo****************************************** * Stephen McLarey Senior Firewall Support Engineer * * ON Technology Corporation * * Customer Support Line 800 407 7453 * * mailto: smclarey@on.com * * http://www.on.com * ********************************************************* From owner-firewalls-list Fri Oct 3 12:52:08 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA29909; Fri, 3 Oct 1997 11:19:14 -0700 (PDT) Received: from lexicon.ins.com (lexicon.ins.com [199.0.193.11]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id LAA26544 for ; Fri, 3 Oct 1997 11:01:24 -0700 (PDT) Received: from test95.lib.com ([206.34.216.2]) by lexicon.ins.com (8.7.5/8.7.3) with SMTP id LAA00259; Fri, 3 Oct 1997 11:01:14 -0700 (PDT) Message-Id: <3.0.2.32.19971003140043.006a09ec@199.0.193.11> X-Sender: betterton@199.0.193.11 X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.2 b4 (32) Date: Fri, 03 Oct 1997 14:00:43 -0400 To: mbeech@csc.ragroup.co.uk, Firewalls@GreatCircle.COM From: Brian Betterton Subject: Re: TCP Ports In-Reply-To: <0000AC3C.1453@csc.ragroup.co.uk> Mime-Version: 1.0 Content-Type: text/enriched; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 03:48 PM 10/3/97 +0100, mbeech@csc.ragroup.co.uk wrote: >Is there a definitive list of TCP port numbers and their functions? Over the >past couple of months I have logged attempts to connect to our systems on ports >1054, 2149, 5632, 1496, 1526 as well as the more identifiable telnets, nfs, etc. > > >Thanks for nay help > >Martin Beech A good source for this sort of information is: ftp://ftp.isi.edu/in-notes/iana/assignments/ Check port-numbers first. The file has port/protocols, what it is and most points of contact. Lots of the stuff have RFCs referring to them. brian ======================================================= Brian D. 
Betterton email: <brian_betterton@ins.com> Network Systems Consultant http://www.ins.com International Network Services voice: (617) 376-2450 x244 300 Crown Colony Drive fax: (617) 376-2458 Quincy, MA 02169 From owner-firewalls-list Fri Oct 3 13:31:41 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA23824; Fri, 3 Oct 1997 13:27:36 -0700 (PDT) Received: from columbia.digiweb.com (columbia.digiweb.com [206.161.225.2]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id NAA23757 for ; Fri, 3 Oct 1997 13:27:15 -0700 (PDT) Received: (from dyabolyk@localhost) by columbia.digiweb.com (8.8.5/8.8.5) id QAA04586; Fri, 3 Oct 1997 16:27:46 -0400 (EDT) Date: Fri, 3 Oct 1997 16:27:46 -0400 (EDT) From: jon tobin To: Firewalls@GreatCircle.com Subject: RFC Index? Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Not firewalls related, but is there a good Index of RFCs that is searchable? phleshitally: jonathan tobin digitally: www.dyabolyk.com Czech out version two of the site, eh?
From owner-firewalls-list Fri Oct 3 13:46:57 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA06251; Fri, 3 Oct 1997 11:48:08 -0700 (PDT) Received: from mctel.fr ([194.5.73.129]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id LAA06151 for ; Fri, 3 Oct 1997 11:47:46 -0700 (PDT) Received: from mctel.fr ([194.5.73.20]) by mctel.fr (5.x/SMI-SVR4) id AA06675; Fri, 3 Oct 1997 20:42:37 GMT for Firewalls@greatcircle.com Xx: Firewalls@greatcircle.com Message-Id: <34354B17.89A94974@mctel.fr> Date: Fri, 03 Oct 1997 20:44:24 +0100 From: Daniel Mavrakis Organization: Monaco Telematique MC-TEL X-Mailer: Mozilla 4.03 [en] (Win95; I) Mime-Version: 1.0 To: mbeech@csc.ragroup.co.uk Cc: Firewalls@greatcircle.com Subject: Re: TCP Ports References: <0000AC3C.1453@csc.ragroup.co.uk> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi Martin, The port number assignments are managed by IANA (Internet Assigned Numbers Authority). You could find the updated list of well-known, registered and private ports at: ftp://ftp.isi.edu/in-notes/iana/assignments/port-numbers Looking at this file you will find the assignments and contact points for ports 1496, 1526, 5632. The other ports (such as 1054 or 2149) do not seem assigned (but that does not mean they are not used; unfortunately some software is sloppy and uses any available -or not so available- port for its specific needs without bothering to request an assignment).
liberty-lm 1496/tcp liberty-lm
liberty-lm 1496/udp liberty-lm
# Jim Rogers
pdap-np 1526/tcp Prospero Data Access Prot non-priv
pdap-np 1526/udp Prospero Data Access Prot non-priv
# B. Clifford Neuman
pcanywherestat 5632/tcp pcANYWHEREstat
pcanywherestat 5632/udp pcANYWHEREstat
# Jon Rosarky
Best regards, Daniel Mavrakis mbeech@csc.ragroup.co.uk wrote: > > Is there a definitive list of TCP port numbers and their functions?
Over the > past couple of months I have logged attempts to connect to our systems on ports > 1054, 2149, 5632, 1496, 1526 as well as the more identifiable telnets, nfs, etc. > > Thanks for any help > > Martin Beech From owner-firewalls-list Fri Oct 3 14:00:51 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA25984; Fri, 3 Oct 1997 10:57:54 -0700 (PDT) Received: from news.acrux.net (pluto.acrux.net [207.51.199.3]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id KAA25876 for ; Fri, 3 Oct 1997 10:57:24 -0700 (PDT) Received: from pluto (pluto [207.51.199.3]) by news.acrux.net (8.8.5/8.8.5) with SMTP id MAA15620; Fri, 3 Oct 1997 12:58:19 -0500 (CDT) Date: Fri, 3 Oct 1997 12:58:19 -0500 (CDT) From: Brian Tackett X-Sender: cym@pluto To: mbeech@csc.ragroup.co.uk cc: Firewalls@GreatCircle.COM Subject: Re: TCP Ports In-Reply-To: <0000AC3C.1453@csc.ragroup.co.uk> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 3 Oct 1997 mbeech@csc.ragroup.co.uk wrote: > Is there a definitive list of TCP port numbers and their functions?
Over the ftp://ftp.isi.edu/in-notes/iana/assignments/port-numbers From owner-firewalls-list Fri Oct 3 16:19:57 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id QAA22915; Fri, 3 Oct 1997 16:02:22 -0700 (PDT) Received: from pse01.pios.com (PSE01.PIOS.COM [199.33.129.2]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id QAA22716 for ; Fri, 3 Oct 1997 16:01:43 -0700 (PDT) Received: by pse01.pios.com; (5.65v3.2/1.3/10May95) id AA20370; Fri, 3 Oct 1997 19:02:53 -0400 Received: from vaxc.PIOS.COM (vaxc.PIOS.COM) by gemini.pios.com (PMDF V5.0-6 #18985) id <01IODPUKQ7TS8X0Q8L@gemini.pios.com> for Firewalls@greatcircle.com; Fri, 03 Oct 1997 19:03:29 -0400 (EDT) Received: from ghost (192.168.14.150) by PIOS.PIOS.COM (PMDF V5.0-6 #18984) id <01IODPSPK41S8Y65TZ@PIOS.PIOS.COM>; Fri, 03 Oct 1997 19:01:59 -0400 (EDT) Date: Fri, 03 Oct 1997 16:02:33 -0700 From: Bill Stout Subject: Re: TCP Ports X-Sender: stoutb@192.168.0.37 To: Daniel Mavrakis , mbeech@csc.ragroup.co.uk Cc: Firewalls@greatcircle.com Message-Id: <2.2.32.19971003230233.01419cfc@192.168.0.37> Mime-Version: 1.0 X-Mailer: Windows Eudora Pro Version 2.2 (32) Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 08:44 PM 10/3/97 +0100, Daniel Mavrakis wrote: >liberty-lm 1496/tcp liberty-lm >liberty-lm 1496/udp liberty-lm There's a port for liberty? I've been filtering that out! ;^) Bill ______________________________________________________________________ "It shall be unlawful for any person to solicit or receive any contribution...in any room or building occupied in the discharge of official duties...Any person who violates this section shall be fined under this title or imprisoned for not more than 3 years" - Section 607 of the U.S. Criminal Code. 
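As an added example for the TCP Ports thread above (editor's code, not from any message on the list), the following Python parses the "keyword port/protocol description" layout that the IANA port-numbers file and /etc/services share, then checks the ports Martin logged against it. The table embedded in the script is constructed from the three entries Daniel Mavrakis quoted plus telnet and NFS as known anchors; it is not the real IANA file, which you would fetch from the ftp URL given in the thread and feed in instead of SAMPLE_TABLE.

```python
"""Look up logged destination ports against an IANA-style port table.

Handles the layout shared by the IANA port-numbers file and /etc/services:
one entry per line, "name  port/proto  description", with '#' starting a
comment (the contact-person lines under each IANA entry are comments too).
"""
import re

# Constructed sample in the IANA port-numbers layout; not the real file.
SAMPLE_TABLE = """\
# Keyword         Decimal    Description
telnet            23/tcp     Telnet
nfs               2049/tcp   Network File System
nfs               2049/udp   Network File System
liberty-lm        1496/tcp   liberty-lm
liberty-lm        1496/udp   liberty-lm
#                            Jim Rogers
pdap-np           1526/tcp   Prospero Data Access Prot non-priv
pdap-np           1526/udp   Prospero Data Access Prot non-priv
#                            B. Clifford Neuman
pcanywherestat    5632/tcp   pcANYWHEREstat
pcanywherestat    5632/udp   pcANYWHEREstat
#                            Jon Rosarky
"""

# name, decimal port, protocol, then whatever description follows.
ENTRY_RE = re.compile(r"^(\S+)\s+(\d+)/(tcp|udp)\s*(.*?)\s*$")


def parse_port_table(text):
    """Return {(port, proto): (name, description)} from IANA/services text.

    Comment-only lines and anything after '#' on a data line are dropped;
    header lines and range lines that do not match the entry form are skipped.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        name, port, proto, desc = m.groups()
        table[(int(port), proto)] = (name, desc)
    return table


def classify_ports(ports, table, proto="tcp"):
    """Map each logged port to its registered name, or None if unassigned.

    None only means no assignment is in the table. As the thread notes,
    unregistered software uses unassigned ports all the time, so None is
    a reason to look harder at the source, not a reason to ignore the hit.
    """
    result = {}
    for port in ports:
        entry = table.get((port, proto))
        result[port] = entry[0] if entry else None
    return result


def report(ports, text, proto="tcp"):
    """One human-readable line per port, sorted by port number."""
    table = parse_port_table(text)
    found = classify_ports(ports, table, proto)
    lines = []
    for port in sorted(found):
        name = found[port]
        if name:
            status = f"{name} ({table[(port, proto)][1]})"
        else:
            status = "not assigned (may still be in use)"
        lines.append(f"{port}/{proto}: {status}")
    return lines


if __name__ == "__main__":
    # The ports Martin Beech logged, plus telnet and NFS as known anchors.
    LOGGED = [1054, 2149, 5632, 1496, 1526, 23, 2049]
    for line in report(LOGGED, SAMPLE_TABLE):
        print(line)
```

Run as a script it prints one line per port; 1054 and 2149 come back unassigned, 1496, 1526 and 5632 resolve to the names Daniel quoted. The same parser reads /etc/services unchanged, so the two sources can be compared to catch a local name that disagrees with the registry.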
From owner-firewalls-list Fri Oct 3 16:46:12 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id QAA28759; Fri, 3 Oct 1997 16:22:51 -0700 (PDT) Received: from shell.mpsi.net (shell.mpsi.net [207.238.102.24]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id OAA28854 for ; Fri, 3 Oct 1997 14:03:23 -0700 (PDT) Received: from localhost (alewis@localhost) by shell.mpsi.net (8.8.6/8.8.6.Beta3) with SMTP id VAA10244 for ; Fri, 3 Oct 1997 21:04:27 GMT Date: Fri, 3 Oct 1997 16:04:27 -0500 (CDT) From: Andy Lewis To: Firewalls@GreatCircle.COM Subject: hosts.allow Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I hope that this is not off topic. Is it possible to put a local system user's name in the /etc/hosts.allow file? I want that person to be able to log in from anywhere. I am running Linux 2.0.30. Thanks From owner-firewalls-list Fri Oct 3 16:58:47 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA29778; Fri, 3 Oct 1997 11:17:52 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id KAA25271 for ; Fri, 3 Oct 1997 10:54:39 -0700 (PDT) Received: from insync.net by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id KAA21868; Fri, 3 Oct 1997 10:49:29 -0700 (PDT) Received: from houinet1.hou.moc.com (houinet1.hou.moc.com [192.70.218.1]) by insync.net (8.8.7/8.7.1) with ESMTP id MAA08170; Fri, 3 Oct 1997 12:55:09 -0500 (CDT) Received: from fdyp62120 ([89.2.21.94]) by houinet1.hou.moc.com (8.8.4/8.8.4) with SMTP id MAA03998; Fri, 3 Oct 1997 12:54:37 -0500 (CDT) Message-Id: <3.0.3.32.19971003135433.00970610@houinet.hst.moc.com> X-Sender: zawodny@houinet.hst.moc.com X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Fri, 03 Oct 1997 13:54:33 -0400 To: Phil Glatz ,
firewalls-digest@GreatCircle.COM From: "Jeremy D. Zawodny" Subject: Re: IE 4 security hole? In-Reply-To: <3.0.3.32.19971003075140.007fa450@glatz.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 07:51 AM 10/3/97 -0700, Phil Glatz wrote: >Does anyone have any more information on this? > >The channel definition format (.CDF) >http://www.microsoft.com/standards/cdf-f.htm includes a >LOGTARGET feature that allows a web site provider to make >your browser deliver logs of your usage via an http post or >put. Even hits from cache are logged. This is all not so good >and getting worse. Not only is the information posted >material, you wouldn't want to give to a provider, >(considering) "http post/put" is normally spoofable anyway. It is already being actively discussed on Bugtraq. It seems like a more appropriate forum for discussion than the Firewalls list, anyway... Jeremy -- Jeremy Zawodny Internet Technology Group Information Technology Services Marathon Oil Company, Findlay Ohio http://www.marathon.com/ Unless explicitly stated, these are my opinions only--not those of my employer. From owner-firewalls-list Fri Oct 3 17:06:45 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id QAA28857; Fri, 3 Oct 1997 16:24:31 -0700 (PDT) Received: from netobjects.com (portal.netobjects.com [206.111.138.20]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id OAA01029 for ; Fri, 3 Oct 1997 14:19:28 -0700 (PDT) Received: from joshua (joshua.netobjects.com [206.111.138.105]) by netobjects.com (8.8.5/8.8.5) with SMTP id OAA08770; Fri, 3 Oct 1997 14:24:34 -0700 (PDT) Message-Id: <3.0.1.32.19971003142919.00a77d60@joshr.com> X-Sender: joshr@joshr.com X-Mailer: Windows Eudora Pro Version 3.0.1 (32) Date: Fri, 03 Oct 1997 14:29:19 -0700 To: Firewalls@GreatCircle.COM From: Joshua Rabinowitz Subject: registering port numbers for software?
Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello World: this is slightly off topic, but I am working on some commercial software that operates in client/server mode over tcp/ip. How should we decide which port to use for communication, and then how do we go about registering it with the iata to avoid clashing with other future software? Thanks in advance, joshr@netobjects.com From owner-firewalls-list Fri Oct 3 17:19:37 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id QAA28887; Fri, 3 Oct 1997 16:25:31 -0700 (PDT) Received: from drencrom.insync.net (drencrom.insync.net [204.253.208.20]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id PAA13572 for ; Fri, 3 Oct 1997 15:20:21 -0700 (PDT) Received: from deepsea (dialup-164-156.insync.net [206.222.164.156]) by drencrom.insync.net (8.8.7/8.7.1) with SMTP id RAA15096 for ; Fri, 3 Oct 1997 17:21:23 -0500 (CDT) Message-ID: <34357DF2.6FCC@cyberjunkie.com> Date: Fri, 03 Oct 1997 17:21:22 -0500 From: Brian Nunes Reply-To: phloyd@cyberjunkie.com Organization: TekNopia Publications X-Mailer: Mozilla 3.0Gold (Win95; U) MIME-Version: 1.0 To: firewalls@greatcircle.com Subject: Audio Electronic Engineering Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I need information on the first steps in becoming an Audio Electronic Engineer. I was wondering if anyone could recommend a starting point, whether it be a specialized school, or college courses? Was wondering about expected income, what qualifications are needed, any good schools, and general employment outlook. Thanks in advance... Brian ps... i realize the topic of the list, but my general question was what tech schools would be good for this sort of thing. 
From owner-firewalls-list Fri Oct 3 18:05:23 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id RAA17515; Fri, 3 Oct 1997 17:48:40 -0700 (PDT)
Received: from lint.cisco.com (lint.cisco.com [171.68.223.44]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id RAA17507 for ; Fri, 3 Oct 1997 17:48:35 -0700 (PDT)
Received: from big-dawgs.cisco.com (herndon-dhcp-40.cisco.com [171.68.53.40]) by lint.cisco.com (8.8.5/CISCO.SERVER.1.2) with SMTP id RAA03917; Fri, 3 Oct 1997 17:49:13 -0700 (PDT)
Message-Id: <3.0.3.32.19971003204911.0080d310@lint.cisco.com>
X-Sender: pferguso@lint.cisco.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Fri, 03 Oct 1997 20:49:11 -0400
To: Joshua Rabinowitz
From: Paul Ferguson
Subject: Re: registering port numbers for software?
Cc: Firewalls@GreatCircle.COM
In-Reply-To: <3.0.1.32.19971003142919.00a77d60@joshr.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

You'll need an assignment from the IANA (Internet Assigned Numbers Authority). See:

http://www.isi.edu/div7/iana/

- paul

At 02:29 PM 10/3/97 -0700, Joshua Rabinowitz wrote:
>Hello World:
>
>this is slightly off topic, but I am working on some
>commercial software that operates in client/server mode over
>TCP/IP. How should we decide which port to use for communication, and
>then how do we go about registering it with the iata to avoid
>clashing with other future software?
>
>Thanks in advance,
>joshr@netobjects.com
>

--
Paul Ferguson
Consulting Engineering
Herndon, Virginia USA
tel: +1.703.397.5938
e-mail: ferguson@cisco.com
Cisco Systems

From owner-firewalls-list Fri Oct 3 20:30:10 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id UAA00320; Fri, 3 Oct 1997 20:25:26 -0700 (PDT)
Received: from mail.cgocable.net (mail.cgocable.net [207.134.42.11]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id UAA00309 for ; Fri, 3 Oct 1997 20:25:18 -0700 (PDT)
Received: from nathan.home (nathan@cgowave-2-226.cgocable.net [24.226.2.226]) by mail.cgocable.net (8.8.7/8.8.6) with SMTP id XAA14334 for ; Fri, 3 Oct 1997 23:26:24 -0400 (EDT)
Message-Id: <3.0.32.19971003232647.009f7480@main.home>
X-Sender: maillist@main.home
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Fri, 03 Oct 1997 23:26:54 -0400
To: Firewalls@GreatCircle.COM
From: Nathan Zych - ML
Subject: Please help - Linux anon FTP
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Would anyone be willing to explain to me how to create additional anonymous users on a Linux system running wu-ftpd? They cannot be normal users; they must be chroot'ed so they have access just to their home directory. If there is a HOWTO or FAQ that may help me, could someone please point me in the right direction?

Thanks!
Nathan

From owner-firewalls-list Fri Oct 3 20:45:01 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id UAA01079; Fri, 3 Oct 1997 20:34:46 -0700 (PDT)
Received: from BBPC4.tconl.com ([204.26.80.11]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id UAA01042 for ; Fri, 3 Oct 1997 20:34:36 -0700 (PDT)
Received: from elfering8188.tconl.com ([10.41.0.67]) by BBPC4.tconl.com (Netscape Mail Server v2.02) with ESMTP id AAA31373 for ; Fri, 3 Oct 1997 22:38:49 -0500
Message-ID: <3435B98F.F02F074F@tconl.com>
Date: Fri, 03 Oct 1997 22:35:43 -0500
From: Dave Elfering
Reply-To: elfering@tconl.com
X-Mailer: Mozilla 4.01 [en] (Win95; I)
MIME-Version: 1.0
To: Firewalls@GreatCircle.COM
Subject: Firewall-1, packet -VS- Proxy
X-Priority: 3 (Normal)
References: <199710030331.UAA01011@honor.greatcircle.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I've been wallowing in an analysis paralysis between Firewall-1 and one or two other firewalls (ok...Gauntlet & CyberGuard..you twisted my arm).

I've been leaning toward Gauntlet, partially based upon a suspicion I have of a packet filtering product like Firewall-1. There seem to be little whisperings about possible exploits for the packet based products, yet I've not seen anything substantial to back that up.

Is there anything to all this? No, I don't care to discuss the fact that Checkpoint is an Israeli company (or whether Marcus Ranum works for the Mossad :) . I really mean to find out if FW1 and stateful inspection are any less "secure" than a proxy technology like Gauntlet. I've always told management that the biggest risk with any of these products is proper setup and administration, not the actual firewall technology.

Feedback, tips and tea leaf readings welcome...
Dave Elfering
elfering@tconl.com

From owner-firewalls-list Fri Oct 3 22:30:11 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id WAA12700; Fri, 3 Oct 1997 22:28:59 -0700 (PDT)
Received: from pike.sover.net (pike.sover.net [204.71.16.17]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id WAA12693 for ; Fri, 3 Oct 1997 22:28:54 -0700 (PDT)
Received: from newguy (usr0a45.rut.sover.net [206.25.64.145]) by pike.sover.net (8.8.5/8.8.5) with ESMTP id BAA14645; Sat, 4 Oct 1997 01:30:07 -0400 (EDT)
Message-Id: <199710040530.BAA14645@pike.sover.net>
From: "Chris Brenton"
To: "Andy Lewis" ,
Subject: Re: hosts.allow
Date: Sat, 4 Oct 1997 01:39:45 -0400
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1161
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

hosts.allow is used for system access, not user logon names. You would need to enter either a system's FQDN or its IP address. You can create multiple entries or allow access from entire subnet ranges, but this would allow anyone at these IP addresses to attempt to log on to the system, not just this one user.

Keep in mind that this just allows the remote system to connect to a service (Telnet, FTP, etc.). They still need to authenticate to gain access to the system.

Hope this helps,
Chris

----------
> From: Andy Lewis
> To: Firewalls@GreatCircle.COM
> Subject: hosts.allow
> Date: Friday, October 03, 1997 5:04 PM
>
> I hope that this is not off topic.
>
> Is it possible to put a local system user's name in the
> /etc/hosts.allow file?
>
> I want that person to be able to log in from anywhere.
>
> I am running Linux 2.0.30
>
> Thanks

From owner-firewalls-list Sat Oct 4 04:45:22 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id EAA00694; Sat, 4 Oct 1997 04:42:39 -0700 (PDT)
Received: from gte.com (h132-197-8-26.gte.com [132.197.8.26]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id EAA00687 for ; Sat, 4 Oct 1997 04:42:35 -0700 (PDT)
Received: from rhb1-home.gte.com by gte.com (8.8.4/8.8.4)
Message-Id: <3.0.32.19970929215049.00699c7c@pophost.gte.com>
X-Sender: rhb1@pophost.gte.com
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Sat, 04 Oct 1997 07:43:22 -0400
To: firewalls@GreatCircle.com
From: Bob Bryant
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

remove

From owner-firewalls-list Sat Oct 4 07:30:22 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA09035; Sat, 4 Oct 1997 07:28:58 -0700 (PDT)
Received: from alpha2000.tech-comm.com (ns.tech-comm.com [204.251.171.1]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id HAA09028 for ; Sat, 4 Oct 1997 07:28:53 -0700 (PDT)
Received: by alpha2000.tech-comm.com; (8.8.5/1.1.8.2/05Jun95-1217PM) id JAA09502; Sat, 4 Oct 1997 09:24:50 -0500 (CDT)
Date: Sat, 4 Oct 1997 09:24:50 -0500 (CDT)
From: Dick Brooks
Message-Id: <199710041424.JAA09502@alpha2000.tech-comm.com>
To: Firewalls@GreatCircle.COM, dick@8760.com
Subject: Tunneling IPX.
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I don't recall seeing this topic discussed, so here goes:

We have a client that wants to provide File and Print access to Corporate LAN servers behind a DEC AltaVista Firewall. The LAN servers are Netware 3.x/4.x.

We have looked at DEC's AltaVista tunnels; however, there is no support for encapsulating IPX in IP. Does anyone know of a way to securely provide remote access to "secure side" Netware LAN services from Internet clients?
Dick Brooks                 dick@8760.com
Chief Technical Officer     Tel. 205-250-8053
Group 8760 LLC              WWW URL: http://www.8760.com/
SECURE INTERNET CREDIT CARD PROCESSING SOFTWARE - VISA CERTIFIED POS-port Ready

From owner-firewalls-list Sat Oct 4 08:04:19 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA09997; Sat, 4 Oct 1997 07:55:51 -0700 (PDT)
Received: from mail0.tor.acc.ca (mail0.tor.acc.ca [204.92.54.110]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id HAA09990 for ; Sat, 4 Oct 1997 07:55:47 -0700 (PDT)
Received: from classik (ppp-105.m2-10.tor.ican.net [142.154.22.105]) by mail0.tor.acc.ca (8.8.7/8.8.6) with SMTP id KAA16549 for ; Sat, 4 Oct 1997 10:57:00 -0400 (EDT)
Message-Id: <3.0.2.32.19971004105719.007b03c0@ican.net>
X-Sender: asb@ican.net
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.2 (32)
Date: Sat, 04 Oct 1997 10:57:19 -0400
To: firewalls@GreatCircle.COM
From: "Ayal S. Bida"
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

remove

From owner-firewalls-list Sat Oct 4 10:15:40 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA21065; Sat, 4 Oct 1997 10:04:31 -0700 (PDT)
Received: from relay2.UU.NET (relay2.UU.NET [192.48.96.7]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id KAA21058 for ; Sat, 4 Oct 1997 10:04:25 -0700 (PDT)
Received: from maestro.Maestro.COM by relay2.UU.NET with SMTP (peer crosschecked as: [198.102.66.11]) id QQdjvg25877; Sat, 4 Oct 1997 13:05:59 -0400 (EDT)
Received: from localhost by maestro.Maestro.COM (4.1/MAESTRO-0.1/07-03-93) id AA02709; Sat, 4 Oct 97 13:04:22 EDT
Date: Sat, 4 Oct 1997 13:04:22 -0400 (EDT)
From: Sick Puppy
To: Anton J Aylward
Cc: firewalls@greatcircle.com
Subject: Re: Just wondering - pipeline computer firewalls?
In-Reply-To: <3.0.32.19971003082727.007b3790@mail.the-wire.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> As the guy said, those who are doomed to repeat history haven't studied it.
>
> Just as the special purpose chips which once were designed for signal
> processing have been booted from our repertoire by things like the
> pentium and power PC - FASTER general purpose processing and economies
> of scale, as it is with routers and firewalls.

Seemed like a reasonable argument, so I accepted it. Sat there licking my ass for a while. My hindbrain chipped in: "You been suckered, dude. That ain't no Vulcan logic. Think about ASICs."

Um, well, er, yes, right, Hindbrain. The latest/fastest/state-of-the-art equipment from Cabletron and Cisco uses ASICs because the old historical Pentium processors are too phucking slow. An ASIC looks a hell of a lot like a signal processor.

With ASICs embedded in their equipment, Cabletron can provide a 1.2 gigabit switched ethernet backbone network without ATM. With a similar approach, Cisco provides a .8 gigabit switched ethernet backbone. Neither backbone uses one of those quaint historical devices called routers.

As the Great Sage Confusion said, those who have studied history are doomed to read the phucking newspapers.
Sick Puppy, tCED

From owner-firewalls-list Sat Oct 4 11:30:31 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA26040; Sat, 4 Oct 1997 11:18:29 -0700 (PDT)
Received: from hotmail.com (F66.hotmail.com [207.82.250.152]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id LAA26026 for ; Sat, 4 Oct 1997 11:18:25 -0700 (PDT)
Received: (qmail 28656 invoked by uid 0); 4 Oct 1997 18:19:54 -0000
Message-ID: <19971004181954.28655.qmail@hotmail.com>
Received: from 207.175.1.188 by www.hotmail.com with HTTP; Sat, 04 Oct 1997 11:19:53 PDT
X-Originating-IP: [207.175.1.188]
From: "Matrix Venus"
To: firewalls@GreatCircle.com
Content-Type: text/plain
Date: Sat, 04 Oct 1997 11:19:53 PDT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Am I on your list or something?? I'm gettin' a lot of your e-mail and I don't know how. I sent that 'remove' letter, but it doesn't seem to have worked, =-? E-mail me back plz and let me know something.

Matrix

______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com

From owner-firewalls-list Sat Oct 4 11:45:45 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA27762; Sat, 4 Oct 1997 11:40:49 -0700 (PDT)
Received: from alef.bogon.nul (lwby-85ppp63.epix.net [199.224.85.63]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id LAA27738 for ; Sat, 4 Oct 1997 11:40:40 -0700 (PDT)
Received: from lwby-85ppp63.epix.net (localhost [127.0.0.1]) by alef.bogon.nul (8.8.5/8.8.5) with ESMTP id OAA27082 for ; Sat, 4 Oct 1997 14:40:02 -0400
Message-Id: <199710041840.OAA27082@alef.bogon.nul>
X-Mailer: exmh version 1.6.9 05/05/96
Reply-to: Al Potter
To: firewalls@GreatCircle.COM
Subject: SINUS Firewall
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Greetings:

Have any of the august and most learned
members of this list encountered the SINUS firewall?

http://www.ifi.unizh.ch/groups/bauknecht/SINUS/firewall.html

It's a packet filter implemented as a Linux kernel module, and appears to be fairly full featured and well implemented, albeit not so well documented. It's GPL'd, so the source is available for modification (and investigation for government agency APIs) and of course the price is right.

I'm interested in the opinions of others who have used it, or evaluated it and rejected it.

Al

Manually edit the reply-to for return email.

From owner-firewalls-list Sat Oct 4 16:01:54 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA09563; Sat, 4 Oct 1997 15:52:08 -0700 (PDT)
Received: from mole.aleph.com.br (mole.aleph.com.br [200.246.9.131]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id PAA09554 for ; Sat, 4 Oct 1997 15:51:44 -0700 (PDT)
Received: from mole (mole [200.246.9.131]) by mole.aleph.com.br (8.8.5/8.8.5) with SMTP id TAA01319; Sat, 4 Oct 1997 19:55:58 -0300 (EST)
Date: Sat, 4 Oct 1997 19:55:58 -0300 (EST)
From: Hugo Leonardo Wolff Souza
X-Sender: hugo@mole
To: jon tobin
cc: Firewalls@GreatCircle.COM
Subject: Re: RFC Index?
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

http://nic.mil/rfc

Hugo

On Fri, 3 Oct 1997, jon tobin wrote:
> Not firewalls related, but is there a good Index of RFCs that is
> searchable?
--
# Hugo - hugo@aleph.com.br - Estacao Aleph Internet Link #

From owner-firewalls-list Sat Oct 4 20:02:18 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id TAA19637; Sat, 4 Oct 1997 19:51:06 -0700 (PDT)
Received: from public.js.hb.cn ([202.103.8.46]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id TAA19620 for ; Sat, 4 Oct 1997 19:50:49 -0700 (PDT)
Received: from pga97003.public.js.hb.cn (ppp26.js.hb.cn [202.103.8.89]) by public.js.hb.cn (8.6.11/8.6.11) with ESMTP id KAA27408 for ; Sun, 5 Oct 1997 10:51:06 +0800
Message-ID: <343700DC.20CE7B4C@public.js.hb.cn>
Date: Sun, 05 Oct 1997 10:52:16 +0800
From: liu jun
Reply-To: ga97001@public.js.hb.cn
Organization: ga97001@public.js.hb.cn
X-Mailer: Mozilla 4.01 [en] (Win95; I)
MIME-Version: 1.0
To: firewalls@greatcircle.com
Subject: (no subject)
X-Priority: 3 (Normal)
Content-Type: multipart/mixed; boundary="------------343B788847E93D63F3395559"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This is a multi-part message in MIME format.
--------------343B788847E93D63F3395559
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit

remove

--
MZ

--------------343B788847E93D63F3395559
Content-Type: text/x-vcard; charset=us-ascii; name="vcard.vcf"
Content-Transfer-Encoding: 7bit
Content-Description: Card for liu jun 刘军
Content-Disposition: attachment; filename="vcard.vcf"

begin: vcard
fn: liu jun 刘军
n: 刘军;liu jun
org: 公安 县邮电局
adr: 公安县邮电局;;;公安县;;434300;中国
email;internet: ga97001@public.js.hb.cn
title: welcome to meet you
tel;work: 0716-5220000
tel;fax: 0716-5224444
tel;home: 0716-5220000
x-mozilla-cpt: ;0
x-mozilla-html: FALSE
end: vcard

--------------343B788847E93D63F3395559--

From owner-firewalls-list Sat Oct 4 23:45:33 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA02492; Sat, 4 Oct 1997 23:39:14 -0700 (PDT)
Received: from dubai.dubai.ingr.com (dubai.dubai.ingr.com [148.53.185.2]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id XAA02460 for ; Sat, 4 Oct 1997 23:38:59 -0700 (PDT)
Received: by dubai.dubai.ingr.com (5.65c/1.920109) id AA00964; Sun, 5 Oct 1997 10:42:53 +0400
Received: from dammam.ingr.com by riyadh.riyadh.ingr.com (5.65c/1.920109) id AA03136; Sat, 4 Oct 1997 17:02:46 -0600
Received: from mailserv.dammam.ingr.com (mailserv) by dammam.dammam.ingr.com (5.65c/1.920109) id AA01777; Sat, 4 Oct 1997 08:01:07 +0300
Received: by mailserv.dammam.ingr.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BCD09B.B35BD6E0@mailserv.dammam.ingr.com>; Sat, 4 Oct 1997 08:01:20 +0300
Message-Id:
From: "Boac, Lito"
To: "'Firewalls@GreatCircle.COM'"
Subject: FW: Software for testing a firewall
Date: Sat, 4 Oct 1997 08:01:18 +0300
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
>"Boac, Lito" wrote:
>jvboac
>Is there any public-domain software for Windows NT that can be used
>to
>Yes,
>
>I can help here. I'm doing a study of them right now, and I have started
>to build a web page detailing them.
>
>Look at http://www.securit.net in about two weeks!
>
>It's still under construction!
>-------------------------------------------------------------
>Edward Cracknell -
>Security Administrator
>
>

From owner-firewalls-list Sun Oct 5 00:01:17 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA02493; Sat, 4 Oct 1997 23:39:19 -0700 (PDT)
Received: from dubai.dubai.ingr.com (dubai.dubai.ingr.com [148.53.185.2]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id XAA02461 for ; Sat, 4 Oct 1997 23:39:00 -0700 (PDT)
Received: by dubai.dubai.ingr.com (5.65c/1.920109) id AA00974; Sun, 5 Oct 1997 10:42:58 +0400
Received: from dammam.ingr.com by riyadh.riyadh.ingr.com (5.65c/1.920109) id AA03144; Sat, 4 Oct 1997 17:02:50 -0600
Received: from mailserv.dammam.ingr.com (mailserv) by dammam.dammam.ingr.com (5.65c/1.920109) id AA01785; Sat, 4 Oct 1997 08:02:20 +0300
Received: by mailserv.dammam.ingr.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BCD09B.DED79570@mailserv.dammam.ingr.com>; Sat, 4 Oct 1997 08:02:33 +0300
Message-Id:
From: "Boac, Lito"
To: "'Firewalls@GreatCircle.COM'"
Subject: FW: Software for testing a firewall
Date: Sat, 4 Oct 1997 08:02:32 +0300
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
>Check out Internet Security Scanner and Ballista.. both have NT versions
>now...
>
>
>> From: "Boac, Lito"
>> To: "'Firewalls@GreatCircle.COM'"
>> Subject: Software for testing a firewall
>> Date: Tue, 30 Sep 1997 16:56:54 +0300
>
>> Is there any public-domain software for Windows NT that can be used to
>> test for security holes on a firewall?
>> I'm currently evaluating several
>> firewalls but I don't have the necessary tools of the trade to do some
>> in-depth testing.
>>
>> Please reply directly as I don't subscribe to firewalls.
>>
>> Thanks.
>>
>> Joselito V. Boac
>> jvboac@dammam.ingr.com
>>
>>
>
>-----------------------------------------------------------------
>Internet: mshines@purdue.edu * Michael S. Hines, CISA,CIA,CDP,CFE
>Voice: (765) 494-5845 * Sr. Information Systems Auditor
>FAX: (765) 496-1814 * Purdue University
> * 1065 Freehafer Hall
> * West Lafayette, IN 47907-1065
>All views are my own and do not reflect Purdue University policy.
>

From owner-firewalls-list Sun Oct 5 01:45:36 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id BAA14733; Sun, 5 Oct 1997 01:39:28 -0700 (PDT)
Received: from hugin.mainz.dk (Hugin.mainz.dk [130.227.10.10]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id BAA14708 for ; Sun, 5 Oct 1997 01:39:20 -0700 (PDT)
Date: Sun, 05 Oct 1997 10:41:45 +0100
From: Kim Wohlert
Subject: RE: Tunneling IPX.
To: "'Dick Brooks'"
Cc: "'Firewalls@GreatCircle.COM'"
Message-id:
MIME-version: 1.0
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>-----Original Message-----
>From: Dick Brooks [SMTP:dick@tech-comm.com]
>Sent: Saturday, October 04, 1997 3:25 PM
>To: Firewalls@GreatCircle.COM; dick@8760.com
>Subject: Tunneling IPX.
>
>I don't recall seeing this topic discussed so here goes:
>
>We have a client that wants to provide File and Print access to Corporate LAN
>servers behind a DEC AltaVista Firewall. The LAN servers are Netware 3.x/4.x.
>[Kim Wohlert]
>I haven't had time to try this yet, but in theory you should be able to use
>Netware/IP with AltaVista Tunnel.
>
>On the Corp LAN you would need to set up Netware/IP on one of your
>Netware servers, and this would tunnel between IP and IPX. On the client you
>need to install the Netware/IP client (comes with all newer Netware Client kits).
>
>The trick then is to get Netware/IP to talk to the AltaVista Personal Tunnel
>Pseudo Adapter.
>
>I'd love to hear if you get it to work.
>
>- Kim
>
>We have looked at, DEC's AltaVista tunnels, however there is no support
>for encapsulating IPX in IP. Does anyone know of a way to securely provide
>remote access to "secure side" Netware LAN services from Internet clients?
>
>Dick Brooks                 dick@8760.com
>Chief Technical Officer     Tel. 205-250-8053
>Group 8760 LLC              WWW URL: http://www.8760.com/
>SECURE INTERNET CREDIT CARD PROCESSING SOFTWARE - VISA CERTIFIED POS-port
>Ready
>

From owner-firewalls-list Sun Oct 5 04:30:32 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id EAA26111; Sun, 5 Oct 1997 04:17:46 -0700 (PDT)
Received: from pinux.selfin.net ([194.244.74.30]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id EAA26103 for ; Sun, 5 Oct 1997 04:17:39 -0700 (PDT)
Received: from client ([194.244.74.130]) by pinux.selfin.net (8.7.5/8.7.3) with ESMTP id TAA20410; Sun, 5 Oct 1997 19:11:54 +0200
Message-Id: <199710051711.TAA20410@pinux.selfin.net>
From: "Franco RUGGIERI"
To:
Cc:
Subject: R: Firewall-1, packet -VS- Proxy
Date: Sat, 4 Oct 1997 20:21:38 +0200
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1161
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Just hearsay: two of the biggest FW-1 problems I have heard of.

1) It doesn't harden the system (Unix or NT or whatever it runs/will run on) by itself: it's up to the security admin to harden it. What if he/she is not smart enough to do it properly?
2) Setting up the rules is a real headache, most of it defining all the objects that make up the network. And everything which is difficult to implement is error prone.

Can anyone confirm this hearsay?

Hope this will light up a fiery discussion: I love fights (when not involved).

-------------------------------
Franco RUGGIERI
fruggieri@selfin.net

----------
> From: Dave Elfering
> To: Firewalls@GreatCircle.COM
> Subject: Firewall-1, packet -VS- Proxy
> Date: Saturday 4 October 1997 5.35
>
> I've been wallowing in an analysis paralysis between Firewall-1 and one
> or two other firewalls (ok...Gauntlet & CyberGuard..you twisted my arm).
>
> I've been leaning toward Gauntlet, partially based upon a suspicion I
> have of a packet filtering product like Firewall-1. There seem to be
> little whisperings about possible exploits for the packet based
> products, yet I've not seen anything substantial to back that up.
>
> Is there anything to all this? No, I don't care to discuss the fact that
> Checkpoint is an Israeli company (or whether Marcus Ranum works for the
> Mossad :) . I really mean to find out if FW1 and stateful inspection are
> any less "secure" than a proxy technology like Gauntlet. I've always
> told management that the biggest risk with any of these products is
> proper setup and administration, not the actual firewall technology.
>
> Feedback, tips and tea leaf readings welcome...
>
> Dave Elfering
> elfering@tconl.com

From owner-firewalls-list Sun Oct 5 05:45:38 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA01334; Sun, 5 Oct 1997 05:30:36 -0700 (PDT)
Received: from mail.tds.net (mail.tds.net [204.246.1.2]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id FAA01326 for ; Sun, 5 Oct 1997 05:30:31 -0700 (PDT)
From: webbs@tds.net
Received: from Comp1 (mewi0-a04.midway.tds.net [204.246.12.101]) by mail.tds.net (8.8.5/8.8.5) with SMTP id HAA18674; Sun, 5 Oct 1997 07:10:22 -0500 (CDT)
Date: Sun, 5 Oct 1997 07:10:22 -0500 (CDT)
Message-Id: <199710051210.HAA18674@mail.tds.net>
Subject: Your Home And Family
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

YOUR HOME AND FAMILY

Now available, (Your Home and Family), the consumer guide everyone has been asking for. This guide is filled with information every household should be aware of. Protect yourself and your family; be informed of the real life events that can happen to you and your household.

Read about wills and trusts (don’t let the government take everything)! Parents' worst fears (Drug Abuse, maybe it's already there)! Be informed! Dealing with divorce: “Get It Together”, “Not The End”. Safeguards against rape....Don’t let it happen to you, or worse yet a member of your family! Household: Don’t let your house get the better of you, TAKE CONTROL!

This guide is packed full of important information that you will want to share with friends and other family members. This is “MUST HAVE INFORMATION”. Get this NOW! Send for your copy today!

Here is how to order: Send check or money order for $19.95 (shipping and handling included in price) to:

Affordable Services
PO Box 352
Medford, WI 54451

PS: You won’t believe the startling information in the guide! Order an extra report for your friends and neighbors! Give yourself a little peace of mind.
From owner-firewalls-list Sun Oct 5 06:15:38 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA03121; Sun, 5 Oct 1997 05:54:45 -0700 (PDT)
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id FAA03084 for ; Sun, 5 Oct 1997 05:54:30 -0700 (PDT)
Message-Id: <199710051254.FAA03084@honor.greatcircle.com>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA287305874; Sun, 5 Oct 1997 22:51:14 +1000
From: Darren Reed
Subject: Re: R: Firewall-1, packet -VS- Proxy
To: fruggieri@selfin.net (Franco RUGGIERI)
Date: Sun, 5 Oct 1997 22:51:14 +1000 (EST)
Cc: elfering@tconl.com, Firewalls@GreatCircle.COM
In-Reply-To: <199710051711.TAA20410@pinux.selfin.net> from "Franco RUGGIERI" at Oct 4, 97 08:21:38 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In some mail from Franco RUGGIERI, sie said:
[...]
> 2) setting up the rules is a real headache, most of it defining all the
> objects that make up the network. And everything which is difficult to
> implement is error prone.
> Can anyone confirm this hearsay?

Whilst this is required, it is this which a lot find attractive. If I can create an artificial group of 10 hosts and represent that with one rule, which is easier to read: one rule or 10?
Darren

From owner-firewalls-list Sun Oct 5 07:00:32 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA10045; Sun, 5 Oct 1997 06:45:37 -0700 (PDT)
Received: from mtigwc04.worldnet.att.net (mtigwc04.worldnet.att.net [204.127.131.33]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id GAA10037 for ; Sun, 5 Oct 1997 06:45:32 -0700 (PDT)
Received: from zepher.milkyway.com ([12.70.7.129]) by mtigwc04.worldnet.att.net (post.office MTA v2.0 0613 ) with SMTP id AAA8990; Sun, 5 Oct 1997 13:47:03 +0000
Message-Id: <3.0.3.32.19971005094530.006a325c@postoffice.worldnet.att.net>
X-Sender: jsk347@postoffice.worldnet.att.net
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Sun, 05 Oct 1997 09:45:30 -0500
To: Dick Brooks , Firewalls@GreatCircle.COM, dick@8760.com
From: Steve Kruse
Subject: Re: Tunneling IPX.
In-Reply-To: <199710041424.JAA09502@alpha2000.tech-comm.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

SecurIT Access from Milkyway is one product that will allow you to do that. You can bind any protocol to the Milkyway VPN driver that you bind to any other LAN driver.

Check out http://www.milkyway.com

At 02:24 PM 10/4/97 +0000, Dick Brooks wrote:
>I don't recall seeing this topic discussed so here goes:
>
>We have a client that wants to provide File and Print access to Corporate LAN
>servers behind a DEC AltaVista Firewall. The LAN servers are Netware 3.x/4.x.
>
>We have looked at, DEC's AltaVista tunnels, however there is no support
>for encapsulating IPX in IP. Does anyone know of a way to securely provide
>remote access to "secure side" Netware LAN services from Internet clients?
>
>Dick Brooks                 dick@8760.com
>Chief Technical Officer     Tel.
>205-250-8053
>Group 8760 LLC              WWW URL: http://www.8760.com/
>SECURE INTERNET CREDIT CARD PROCESSING SOFTWARE - VISA CERTIFIED POS-port Ready
>
>

From owner-firewalls-list Sun Oct 5 07:06:30 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA10175; Sun, 5 Oct 1997 06:51:30 -0700 (PDT)
Received: from scullin.starway.net.au (scullin.starway.net.au [203.34.26.36]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id GAA10168 for ; Sun, 5 Oct 1997 06:51:22 -0700 (PDT)
Received: from a4.canberra.starway.net.au (a4.canberra.starway.net.au [203.32.22.43]) by scullin.starway.net.au (8.8.5/8.7.3) with SMTP id UAA04390; Sun, 5 Oct 1997 20:16:29 +1000
Received: by a4.canberra.starway.net.au with Microsoft Mail id <01BCD1CA.CC065FA0@a4.canberra.starway.net.au>; Sun, 5 Oct 1997 20:10:59 +1000
Message-ID: <01BCD1CA.CC065FA0@a4.canberra.starway.net.au>
From: Craig Keegan
Subject: NTS - Windows NT Security, Event Log Management and UpTime reporting
Date: Sun, 5 Oct 1997 19:34:47 +1000
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

Previously I contacted you about some revolutionary tools for Windows NT Security and Systems Management. These can be used for documenting, standardising or auditing single or multiple domain, small (3) or large (100+) Windows NT networks.

Please note that as at October 7 1997 a new version of NTSecurity Administrator has been released; the new version has a totally new Explorer GUI with a new database engine, improved sorting, searching and filtering and improved performance.

To try a sample of the new version please visit the download area at http://www.scullin.starway.net.au/~ckeegan/index.html.
Windows NT Security, Daily Event Log Summary, System Up Time Report This includes Users, Groups, server Services, Domain Policies, User = Rights and File, Share & Printer security exceptions. There are also = other tools for producing a summary of every Event Log on every server = every day and another for showing server UpTime and disk space = availability. These products are "passive" in that they do not have to = be installed on your servers and do not require any changes to your = servers. The intention of NTS is to provide you with unique tools to simplify and = manage your Windows NT environment, by filling the gaps that Microsoft = has left. Please visit out interim WWW site at = http://www.scullin.starway.net.au/~ckeegan/index.html to find further = information and download a sample of the product. If I can be of any use at all during your investigations of these = products please reply back. I am confidant you will agree, this product = is quite unique, and an invaluable tool for managing your Windows NT = environment. I look forward to our next contact and hope to be a = valuable asset to your organisation. Thankyou for your time, this was not intended to be "SPAM", I am = extremely sorry to anyone who may have been inconvenienced by this = e-mail. If you do not wish to receive any further messages, please = reply back with "NO" as the subject. I anxiously await your response. 
-------------------------------------
Craig Keegan
Technical Manager
NTS
(0412) 141719
ckeegan@scullin.starway.net.au

From owner-firewalls-list Sun Oct 5 07:07:30 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA10258; Sun, 5 Oct 1997 06:56:28 -0700 (PDT)
Received: from lexicon.ins.com (lexicon.ins.com [199.0.193.11]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id GAA10251 for ; Sun, 5 Oct 1997 06:56:22 -0700 (PDT)
Received: from mousa_s.ins.com ([199.0.201.225]) by lexicon.ins.com (8.7.5/8.7.3) with SMTP id GAA25317 for ; Sun, 5 Oct 1997 06:57:53 -0700 (PDT)
Message-Id: <3.0.32.19971004130027.006d45f4@lexicon.ins.com>
X-Sender: mousa_s@lexicon.ins.com
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Sun, 05 Oct 1997 09:57:44 -0400
To: firewalls@GreatCircle.COM
From: Sami Mousa
Subject: SNA/IBM Security
Mime-Version: 1.0
Content-Type: text/enriched; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello,

I'd like to get your opinions of the security in place compared to the
security of the redesign. Also, opinions on security in SNA/IBM
environments, and risks.

Security in the host today is accomplished through RACF, which defines user
accounts, and specifies which resources the users can access.

----------------

My client has remote sites with various degrees of trust. Some remotes are
part of the company, but not strictly controlled by IS as to what they can or
think they can do with their network.

These sites are considered pretty secure, although not completely trusted.
IS wants to have more control on what access they have to the corporate
campus LAN.

We have a firewall in place, which permits IS sanctioned IP applications to
pass through.

However, one of the requirements is SNA, with an AS400 located at the
remote site connecting to an FEP with access to a mainframe located at the
corporate site.

The SNA is encapsulated into TCP and forwarded from the remote router to a
corporate router, which de-encapsulates the TCP and forwards SNA onto the
token ring.

The firewall is currently set up to pass the DLSW TCP port number through,
as long as the source and destination IP address are correct.

The routers are set up to route IP. IPX, Appletalk, Vines, Decnet are not
allowed to be bridged. Netbios is not passed through the DLSW tunnel either.

We currently have the following:

              AS400
                |
          (sna, token ring)
                |
     router dlsw peer (encapsulates sna into tcp, forwards tcp session to peer2)
                |
        FRAME RELAY NETWORK
                |
                |
          router, IP only
                |
             --LAN--
                |
     firewall (permits dlsw tcp port 2065)
                |
                |
         CAMPUS Token ring
                |
     DLSW Peer2 Router (No bridging on interface to Campus Ring)
                |
              ring
                |
          IBM FEP, 3745
                |
          IBM MAINFRAME

Note that DLSW Peer2 router is inside the firewall. The interface that
connects to the corporate campus Token ring does not have bridging enabled,
so the SNA packets, when de-encapsulated, do not get forwarded back onto
that ring. They only get forwarded on to the FEP connected ring. There is
no telnet access from outside the firewall to internal campus resources,
without authentication at the firewall itself.

There are other FEPs and FEP ring interfaces that connect directly to the
campus token ring, which also connect to the MAINFRAME, for host access by
people located on the campus network.

There are some security risks, including denial of service attacks through
excessive bridging packets, access to the FEP by anyone on a remote ring,...

-----

We are considering a redesign. I'd like to get your opinions of the
security in place compared to the security of the redesign. Also, opinions
on security in SNA/IBM environments, and risks.

              AS400
                |
          (sna, token ring)
                |
     router dlsw peer (encapsulates sna into tcp, forwards tcp session to peer2)
                |
        FRAME RELAY NETWORK
                |
                |
          router, IP
          dlsw peer
                | \
             --LAN-- \
                |    ring
            firewall   \
                |      FEP
                |
         CAMPUS Token ring

As you can see, the dlsw will no longer be tunneled through the firewall.
The connection to the FEP would be outside the firewall. Nothing else is
on the fep ring.

The dlsw peer router would have to be set up with specific addresses of
remote routers that could establish dlsw connections to it. The only added
threat is that the router which is configured with the peer is also outside
the firewall.
Someone could potentially bring another router up, telnet to and break into
the dlsw peer router, configure themselves, and have access to the fep.

Thanks,

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
** Sami Mousa, FORE ATM(WAN) Certified                                    **
** International Network Services     Office: (908)603-8541 x320          **
** Network Systems Engineer           e-mail: sami_mousa@ins.com          **
** 120 Wood Ave South                 Pager: (888)896-4064                **
** Suite #615                         Fax: (908)548-5630                  **
** Iselin, New Jersey 08830           www.ins.com                         **
=============================================================================
 "My statements in this message are personal opinions \
  which may have no basis whatsoever in fact."
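The following is an added example from the editor, not code from Sami Mousa or from the list: a first-match packet filter (implicit deny at the end, as on a firewall or a router access list) is run over a few constructed flows, once for the current design, where the firewall sits in the DLSw path, and twice for the redesign, where the peer router sits outside the firewall and only its own configuration protects it. All addresses (RFC 5737 documentation ranges), the rule sets and the flows are constructed for this example; TCP port 2065 is the DLSw port the post names. Modelling the router's remote-peer list as a filter rule is a simplification made here for the comparison.

```python
"""Flow-exposure comparison of the two DLSw designs discussed in the post.

Added example, not part of the post.  A first-match packet filter with an
implicit deny is evaluated against constructed flows for each design so the
threat the post names (an unlisted router reaching the peer router's telnet
port once it is outside the firewall) can be checked, together with the
mitigation of an access list on the router's vty lines.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

DLSW_PORT = 2065            # DLSw TCP port named in the post
TELNET_PORT = 23

# Constructed addresses (RFC 5737 documentation ranges), not the client's.
REMOTE_PEER = "192.0.2.10"    # sanctioned remote-site DLSw router
ROGUE_ROUTER = "192.0.2.99"   # another router brought up at a remote site
PEER2 = "198.51.100.5"        # corporate DLSw peer router (Peer2)
ADMIN = "198.51.100.20"       # corporate management workstation


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str             # "permit" or "deny"
    src: str                # CIDR
    dst: str                # CIDR
    dport: Optional[int]    # None matches any destination port


def evaluate(rules: List[Rule], flow: Flow) -> str:
    """First matching rule wins; no match means the implicit deny."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    for r in rules:
        if (src in ipaddress.ip_network(r.src)
                and dst in ipaddress.ip_network(r.dst)
                and (r.dport is None or r.dport == flow.dport)):
            return r.action
    return "deny"


# Current design: the firewall passes the DLSw port only between the two
# configured peers; nothing else from outside reaches Peer2.
CURRENT_FIREWALL = [
    Rule("permit", f"{REMOTE_PEER}/32", f"{PEER2}/32", DLSW_PORT),
]

# Redesign as posted: Peer2 is outside the firewall.  Its remote-peer list
# (modelled here as a rule) limits who may open a DLSw session, but nothing
# limits who may reach its telnet (vty) port.
REDESIGN_AS_POSTED = [
    Rule("permit", f"{REMOTE_PEER}/32", f"{PEER2}/32", DLSW_PORT),
    Rule("permit", "0.0.0.0/0", f"{PEER2}/32", TELNET_PORT),
]

# Redesign with an access list on the vty lines: only the management
# workstation may telnet to Peer2.
REDESIGN_WITH_VTY_ACL = [
    Rule("permit", f"{REMOTE_PEER}/32", f"{PEER2}/32", DLSW_PORT),
    Rule("permit", f"{ADMIN}/32", f"{PEER2}/32", TELNET_PORT),
]

# Constructed flows to check against each design.
FLOWS: Dict[str, Flow] = {
    "dlsw_from_sanctioned_peer": Flow(REMOTE_PEER, PEER2, DLSW_PORT),
    "dlsw_from_rogue_router":    Flow(ROGUE_ROUTER, PEER2, DLSW_PORT),
    "telnet_from_rogue_router":  Flow(ROGUE_ROUTER, PEER2, TELNET_PORT),
}


def exposure(rules: List[Rule]) -> Dict[str, str]:
    """Decision for every constructed flow under one rule set."""
    return {name: evaluate(rules, flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, rules in [("current design", CURRENT_FIREWALL),
                         ("redesign as posted", REDESIGN_AS_POSTED),
                         ("redesign + vty ACL", REDESIGN_WITH_VTY_ACL)]:
        print(label, exposure(rules))
```

The only flow whose decision changes between the three tables is telnet from the unlisted router, which is exactly the added threat the post describes; restricting the vty lines to a management address brings the redesign back to the current design's exposure for that flow.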
From owner-firewalls-list Sun Oct 5 08:00:37 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA17291; Sun, 5 Oct 1997 07:55:49 -0700 (PDT)
Received: from mnl.sequel.net (mnl.sequel.net [204.255.104.30]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id HAA17221 for ; Sun, 5 Oct 1997 07:55:32 -0700 (PDT)
Received: from Mind_Ripper by mnl.sequel.net (SMI-8.6/SMI-SVR4) id WAA03892; Sun, 5 Oct 1997 22:54:23 +0800
Message-Id: <3.0.1.32.19971005225034.00adb100@mnl.sequel.net>
X-Sender: succesor@mnl.sequel.net
X-Mailer: Windows Eudora Light Version 3.0.1 (32)
Date: Sun, 05 Oct 1997 22:50:34
To: msrao@mtu.edu, Firewalls@GreatCircle.COM
From: Gaddy Gumbao
Subject: Re: Firewalls-Digest V6 #471
In-Reply-To: <199710020217.WAA00637@eegrad6.ee.mtu.edu>
References: <199710010847.BAA21248@honor.greatcircle.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi there,

Can anybody tell me some good reasons in a wide area network why there
should be one DNS only?

Thanks for the help....

At 10:17 PM 10/1/97 -0400, msrao@mtu.edu wrote:
>Hi ,
>
>I wanted to know if anybody is working on performance evaluation of
>wireless networks. I'll be interested to correspond with them.
>
>Thanks
>Manjunath
>
>

From owner-firewalls-list Sun Oct 5 08:39:36 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA15036; Sun, 5 Oct 1997 07:45:28 -0700 (PDT)
Received: from kcsun3.kcstar.com (kcsun3.kcstar.com [207.15.4.13]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id HAA15001 for ; Sun, 5 Oct 1997 07:45:17 -0700 (PDT)
Received: from kcsun3.kcstar.com (kcsun3.kcstar.com [207.15.4.13]) by kcsun3.kcstar.com (8.8.5/8.7.3) with SMTP id JAA16067 for ; Sun, 5 Oct 1997 09:52:47 -0500 (CDT)
Date: Sun, 5 Oct 1997 09:52:47 -0500 (CDT)
From: elroy
To: firewalls@greatcircle.com
Subject: Proxying Citrix WinFrame? (fwd)
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi everybody -

I'm building a firewall using Linux and the FWTK, and need a way to proxy
Citrix WinFrame. Does anyone know of a proxy available in source-code form
for WinFrame? I think I could use plug-gw, but plug-gw won't scale well in
the event that I need to proxy to more than one WinFrame server.

I'm proxying WinFrame requests *inward* to an internal WinFrame server from
a WAN, not from the Internet, btw.

Any help or pointers are greatly appreciated -

-elroy (elroy@kcstar.com)

From owner-firewalls-list Sun Oct 5 08:45:33 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA19743; Sun, 5 Oct 1997 08:06:08 -0700 (PDT)
Received: from emout15.mail.aol.com (emout15.mx.aol.com [198.81.11.41]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id IAA19701 for ; Sun, 5 Oct 1997 08:05:58 -0700 (PDT)
From: Justface@aol.com
Received: (from root@localhost) by emout15.mail.aol.com (8.7.6/8.7.3/AOL-2.0.0) id LAA23196 for firewalls@greatcircle.com; Sun, 5 Oct 1997 11:07:29 -0400 (EDT)
Date: Sun, 5 Oct 1997 11:07:29 -0400 (EDT)
Message-ID: <971005110728_1999046941@emout15.mail.aol.com>
To: firewalls@greatcircle.com
Subject: no subject
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

remove

From owner-firewalls-list Sun Oct 5 09:00:59 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA22438; Sun, 5 Oct 1997 08:17:49 -0700 (PDT)
Received: from mnl.sequel.net (mnl.sequel.net [204.255.104.30]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id HAA17458 for ; Sun, 5 Oct 1997 07:56:31 -0700 (PDT)
Received: from Mind_Ripper by mnl.sequel.net (SMI-8.6/SMI-SVR4) id WAA03900; Sun, 5 Oct 1997 22:54:26 +0800
Message-Id: <3.0.1.32.19971005225252.00ae18f0@mnl.sequel.net>
X-Sender: succesor@mnl.sequel.net
X-Mailer: Windows Eudora Light Version 3.0.1 (32)
Date: Sun, 05 Oct 1997 22:52:52
To: rich , tomhong@usa.net
From: Gaddy Gumbao
Subject: 1 DNS
Cc: firewalls@GreatCircle.COM, seguridad@iti.upv.es
In-Reply-To:
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

hi there,

I think this is a newbie question but that's what I am.

Can you please explain to me why there should be one DNS on your Network,
especially on a Wide Area Network.

Thanks for your help

From owner-firewalls-list Sun Oct 5 10:01:55 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA10366; Sun, 5 Oct 1997 09:57:14 -0700 (PDT)
Received: from Concord01.POP.InterNex.Net (concord01.pop.InterNex.Net [205.158.3.82]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id JAA10359 for ; Sun, 5 Oct 1997 09:57:08 -0700 (PDT)
Message-Id: <199710051657.JAA10359@honor.greatcircle.com>
Received: from [205.158.182.130] by Concord01.POP.InterNex.Net (Post.Office MTA v3.1.2 release (PO203-101c) ID# 0-34792U7500L7500S0) with SMTP id AAA2020 for ; Sun, 5 Oct 1997 09:58:39 -0700
Subject: Re: VLANs for Security Inside the Firewall
Date: Sun, 5 Oct 97 09:58:51 -0700
x-sender: INX-10108b@Concord01
x-mailer: Claris Emailer 2.0v2, June 6, 1997
From: Bill Husler
To: "firewalls"
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>At 01:02 PM 9/28/97, steven.j.schulze wrote:
>>I have a client who is running VLANs on Cisco switches, mostly for convenience
>>and flexibility reasons. This client is wondering if any level of security
>>is achieved due to this "virtual" network segmentation. I realize that VLANs
>>are not firewalls, strong encryption+authentication, etc. however, to achieve
>>separation and prevent snooping / interception, do the VLANs in effect take
>>each node out of each other's "Collision Domain" (to use the Ethernet term)?
>>Assume the worst-- competing clients on the network, with NICs in promiscuous
>>mode (trivial to do today), what would that PC / Unix box see?
>
>VLAN's segregate switch ports into segments. In other words, once
>you have created three VLAN's, you can think of it as three
>separate physical switches.
>
>Now, within each switched VLAN:
>- Broadcasts are forwarded to each port (within same VLAN)
>- A packet is only forwarded from one port to another if
>  the switch determines that the destination is reachable
>  via another switch port
>- a PC in promiscuous mode would be able to sniff:
>  - Broadcasts within same VLAN
>  - Packets being sent across a hub connected to a single
>    switch port
>
>Typically you would use a router to route between VLAN's.
>You can connect an ethernet interface to each VLAN
>or you can create a global port and put multiple addresses
>on the interface. That's a design issue. Some switches
>now have routing capability built in.
>
>To answer your question:
>- Switching with no VLAN's provides protection because not all
>  users see all packets (each switch port is its own collision
>  domain).
>- Switching with no VLAN's provides no protection in sniffing
>  for broadcast packets
>- Switching with VLAN's provides some protection against broadcast
>  sniffing as long as the offending PC is not within the same
>  VLAN.
>
>Mike
>
>+----------------------------------------------------------+
>| Michael D. Ferioli        ferioli@comnet.com.tr          |
>| Comnet A.S.               http://www.comnet.com.tr       |
>+----------------------------------------------------------+
>

I understand that these switches are configured via a telnet session. Is
there a way (on the switch) to ensure that this activity may only be
performed via specific switch ports (i.e. I would like to ensure that if
someone is remapping the VLANs, they are doing so from something along
the lines of a console or secured area).
Bill

From owner-firewalls-list Sun Oct 5 12:00:34 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA22160; Sun, 5 Oct 1997 11:45:18 -0700 (PDT)
Received: from halon.sybase.com (halon.sybase.com [192.138.151.33]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id LAA22151 for ; Sun, 5 Oct 1997 11:45:11 -0700 (PDT)
Received: from smtp1.sybase.com (sybgate.sybase.com [130.214.220.35]) by halon.sybase.com (8.8.4/8.8.4) with SMTP id LAA09198 for ; Sun, 5 Oct 1997 11:45:58 -0700 (PDT)
Received: from notesgw2.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) id AA07524; Sun, 5 Oct 97 11:49:37 PDT
Received: (from unixsvr1@localhost) by notesgw2.sybase.com (8.8.4/8.8.4) id LAA13528 for @sybgate.sybase.com:Firewalls@GreatCircle.COM; Sun, 5 Oct 1997 11:48:08 -0700 (PDT)
Message-Id: <199710051848.LAA13528@notesgw2.sybase.com>
Received: by SybaseNotes (Lotus Notes Mail Gateway for SMTP V1.1) id FAAD34AC3D1D356F8825652700679D75; Sun, 5 Oct 97 11:48:05 EDT
To: "Franco RUGGIERI"
Cc: elfering , Firewalls
From: Ryan Russell/SYBASE
Date: 5 Oct 97 11:55:22 EDT
Subject: Re: R: Firewall-1, packet -VS- Proxy
X-Lotus-Type: Reply All
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

1 is true, all the security for the host is based on the assumption that
you will have rules that protect the host itself. It's a good idea to
review the services running on the host.

As for 2, I don't find it particularly hard to administer in terms of the
ruleset or defining objects. I find it could be easier in terms of how
address translation is done (defining the static ARP entries, etc..) and
the encryption settings used with SecuRemote, and doing static address
translations (the need for a static route IS in the manual, but an example
would have been helpful.)

Ryan

---------- Previous Message ----------
To: elfering
cc: Firewalls
From: fruggieri@selfin.net ("Franco RUGGIERI") @ smtp
Date: 10/04/97 08:21:38 PM
Subject: R: Firewall-1, packet -VS- Proxy

Just hearsay: two, among the FW-1 biggest problems I heard of.

1) It doesn't harden the system (Unix or NT or whatever it runs/will run
on) by itself: it's up to the security admin to harden it: what if he/she
is not smart enough to do it properly?

2) setting up the rules is a real headache, most of it defining all the
objects that make up the network. And everything which is difficult to
implement is error prone.

Can anyone confirm this hearsay?

Hope this will light up a fiery discussion: I love fights (when not involved)

-------------------------------
Franco RUGGIERI
fruggieri@selfin.net

----------
> From: Dave Elfering
> To: Firewalls@GreatCircle.COM
> Subject: Firewall-1, packet -VS- Proxy
> Date: Saturday 4 October 1997 5.35
>
> I've been wallowing in an analysis paralysis between Firewall-1 and one
> or two other firewalls (ok...Gauntlet & CyberGuard..you twisted my arm).
>
> I've been leaning toward Gauntlet, partially based upon a suspicion I
> have of a packet filtering product like Firewall-1. There seem to be
> little whisperings about possible exploits for the packet based
> products, yet I've not seen anything substantial to back that up.
>
> Is there anything to all this? No I don't care to discuss the fact that
> Checkpoint is an Israeli company (or whether Marcus Ranum works for the
> Mossad :) . I really mean to find out if FW1 and stateful inspection are
> any less "secure" than a proxy technology like Gauntlet. I've always
> told management that the biggest risk with any of these products is
> proper setup and administration, not the actual firewall technology.
>
> Feedback, tips and tea leaf readings welcome...
>
> Dave Elfering
> elfering@tconl.com

From owner-firewalls-list Sun Oct 5 12:36:12 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA29670; Sun, 5 Oct 1997 12:26:59 -0700 (PDT)
Received: from mailhost.na-cp.rnp.br (halley.na-cp.rnp.br [200.136.100.17]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id MAA29628 for ; Sun, 5 Oct 1997 12:26:46 -0700 (PDT)
Received: from halley (forster@halley [200.136.100.17]) by mailhost.na-cp.rnp.br (8.8.7/8.8.7) with SMTP id QAA24112 for ; Sun, 5 Oct 1997 16:29:34 -0300 (EST)
Date: Sun, 5 Oct 1997 16:29:30 -0300 (EST)
From: Antonio Paulo Salgado Forster
X-Sender: forster@halley
To: Firewalls@GreatCircle.COM
Subject: re: hosts.allow
In-Reply-To:
Message-ID:
Organization: Rede Nacional de Pesquisa - RNP
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello,

I saw some days ago someone asking about user authentication via
tcp_wrappers' hosts.allow file. I don't have the original mail, but I tried
something here that worked out. Here's the hint:

If you have identd running on the client machine, you may put something
like "username@unix.client.machine" in hosts.allow, and forbid everything
from that machine in hosts.deny, and then tcp wrappers will allow
connections from that machine *if* the user running the client is the one
in hosts.allow.

Hope this helps.
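The following is an added example from the editor, not code from Antonio's post or from tcp_wrappers itself: a Python model of the hosts_access(5) lookup order (hosts.allow first, then hosts.deny, first match wins, no match allows) with support for the "user@host" client pattern, so the effect of the hint above can be checked offline against a few constructed connection attempts. The two files, host names, addresses and user names are constructed for this example.

```python
"""tcp_wrappers access-control model for the user@host hint in the post.

Added example, not code from the post or from tcp_wrappers.  Rules applied as
hosts_access(5) describes them:
  1. /etc/hosts.allow is searched first; the first matching rule grants access.
  2. otherwise /etc/hosts.deny is searched; the first matching rule refuses it.
  3. if neither file matches, access is granted.
A client pattern "user@host" matches only when the client's identd (RFC 1413)
answered with that user name; with no identd answer it never matches.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed /etc/hosts.allow: only alice, as reported by the client's
# identd, may reach the telnet daemon from the trusted workstation.
HOSTS_ALLOW = """
in.telnetd : alice@unix.client.machine
in.ftpd    : 10.1.2.
"""

# Constructed /etc/hosts.deny: everything else from that workstation, and
# telnet from anywhere else, is refused.
HOSTS_DENY = """
ALL        : unix.client.machine
in.telnetd : ALL
"""


@dataclass(frozen=True)
class Rule:
    daemons: List[str]
    clients: List[str]


@dataclass(frozen=True)
class Connection:
    daemon: str                 # server process name, e.g. in.telnetd
    host: str                   # client host name as resolved by the server
    address: str                # client IP address
    ident_user: Optional[str]   # user name the client's identd returned, or None


def parse_rules(text: str) -> List[Rule]:
    """Parse 'daemon_list : client_list' lines; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        rules.append(Rule(fields[0].split(), fields[1].split()))
    return rules


def host_matches(pattern: str, conn: Connection) -> bool:
    """Host patterns: ALL, '.domain' suffix, 'net.' prefix, or exact name/address."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):
        return conn.host.endswith(pattern)
    if pattern.endswith("."):
        return conn.address.startswith(pattern)
    return pattern in (conn.host, conn.address)


def client_matches(pattern: str, conn: Connection) -> bool:
    """'user@host' needs the identd answer; anything else is a host pattern."""
    if "@" in pattern:
        user, host_pattern = pattern.split("@", 1)
        if conn.ident_user is None:
            return False            # client ran no identd: cannot match
        if user != "ALL" and user != conn.ident_user:
            return False
        return host_matches(host_pattern, conn)
    return host_matches(pattern, conn)


def rule_matches(rule: Rule, conn: Connection) -> bool:
    daemon_ok = any(d in ("ALL", conn.daemon) for d in rule.daemons)
    return daemon_ok and any(client_matches(c, conn) for c in rule.clients)


def access_decision(conn: Connection, allow: List[Rule], deny: List[Rule]) -> str:
    """'allow' or 'deny', following the hosts.allow-then-hosts.deny order."""
    if any(rule_matches(r, conn) for r in allow):
        return "allow"
    if any(rule_matches(r, conn) for r in deny):
        return "deny"
    return "allow"                  # no rule matched in either file


def evaluate(daemon: str, host: str, address: str, ident_user: Optional[str]) -> str:
    conn = Connection(daemon, host, address, ident_user)
    return access_decision(conn, parse_rules(HOSTS_ALLOW), parse_rules(HOSTS_DENY))


if __name__ == "__main__":
    for args in [("in.telnetd", "unix.client.machine", "10.9.0.5", "alice"),
                 ("in.telnetd", "unix.client.machine", "10.9.0.5", "bob"),
                 ("in.telnetd", "unix.client.machine", "10.9.0.5", None),
                 ("in.ftpd", "lab7.example", "10.1.2.7", None)]:
        print(args, "->", evaluate(*args))
```

The user name in the decision is whatever the client host's identd reports, so the check only distinguishes users on a machine whose administrator is trusted, which is why the hint specifies a Unix client machine under the poster's control; the model returns "deny" for the trusted host whenever the identd answer is missing or names another user.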
Regards, Antonio Paulo Salgado Forster Operacoes em Redes - RNP From owner-firewalls-list Sun Oct 5 13:21:57 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA07698; Sun, 5 Oct 1997 13:06:30 -0700 (PDT) Received: from Concord01.POP.InterNex.Net (concord01.pop.InterNex.Net [205.158.3.82]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id NAA07691 for ; Sun, 5 Oct 1997 13:06:22 -0700 (PDT) Message-Id: <199710052006.NAA07691@honor.greatcircle.com> Received: from [205.158.182.130] by Concord01.POP.InterNex.Net (Post.Office MTA v3.1.2 release (PO203-101c) ID# 0-34792U7500L7500S0) with SMTP id AAA2849; Sun, 5 Oct 1997 13:07:55 -0700 Subject: Re: SNA/IBM Security Date: Sun, 5 Oct 97 13:08:06 -0700 x-sender: INX-10108b@Concord01 x-mailer: Claris Emailer 2.0v2, June 6, 1997 From: Bill Husler To: "Sami Mousa" , Mime-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Doesn't the current OS/400 support IP natively? We use IP to communicate between our AS400s and our mainframe - eliminating the need for encapsulation and allowing the firewall greater control over the traffic. Bill > >Hello, > >I'd like to get your opinions of the security in place compared to the >security of the redesign. Also, opinions on security in SNA/IBM >environments, and risks. > >Security in the host today is accomplished through RACF, which defines user >accounts, and specifies which resources the users can access. > >---------------- > >My client has remote sites with various degrees of trust. Some remotes are >part of the company, but not strictly controlled by IS as what they can or >think they can do with their network. > >These sites are considered pretty secure, although not completely trusted. >IS wants to have more control on what access they have to the corporate >campus LAN. > >We have a firewall in place, which permits IS santioned IP applications to >pass through. 
> >However, one of the requirements is SNA, with an AS400 located at the >remote site connecting to an FEP with access to a mainframe located at the >corporate site. > >The SNA is encapsulated into TCP and forwarded from the remote router to a >corporate router, which de-encapsulates the TCP and forwards SNA onto the >token ring. > >The firewall is currently set up to pass the DLSW TCP port number through, >as long as the source and destination IP address are correct. > >The routers are set up to route IP. IPX, Appletalk, Vines, Decnet are not >allowed to be bridged. Netbios is not passed through the DLSW tunnel either. > >We currently have the following: > > > AS400 > | > (sna, token ring) > | > router dlsw peer (encapsulates sna into tcp, forwards tcp >session to peer2) > | > FRAME RELAY NETWORK > | > | > router, IP only > | > --LAN-- > | > firewall (permits dlsw tcp port 2065) > | > | > CAMPUS Token ring > | > DLSW Peer2 Router (No bridging on interface to Campus Ring) > | > ring > | > IBM FEP, 3745 > | > IBM MAINFRAME > >Note that DLSW Peer2 router is inside the firewall. The interface that >connects to the corporate campus Token ring does not have bridging enabled, >so the SNA packets, when deencapsulated, do not get forwarded back onto >that ring. They only get forwarded on to the FEP connected ring. There is >no telnet access from outside the firewall to internal campus resources, >without authentication at the firewall itself. > >There are other FEPs and FEP ring interfaces that connect directly to the >campus token ring, which also connect to the MAINFRAME, for host access by >people located on the campus network. > >There are some security risks, including denial of service attacks through >excessive bridging packets, access to the FEP by anyone on a remote ring,... > >----- > >We are considering a redesign. I'd like to get your opinions of the >security in place compared to the security of the redesign. 
Also, opinions >on security in SNA/IBM environments, and risks. > > AS400 > | > (sna, token ring) > | > router dlsw peer (encapsulates sna into tcp, forwards tcp >session to peer2) > | > FRAME RELAY NETWORK > | > | > router, IP > dlsw peer > | \ > --LAN-- \ > | ring > firewall \ > | FEP > | >CAMPUS Token ring > >As you can see, the dlsw will no longer be tunneled through the firewall. >The connection to the FEP would be outside the firewall. Nothing else is >on the fep ring. > >The dlsw peer router would have to be set up with specific addresses of >remote routers that could establish dlsw connections to it. The only added >threat is that the router which is configured with the peer is also outside >the firewall. >Someone could potentially bring another router up, telnet to and break into >the dlsw peer router, configure themself, and have access to the fep. > >Thanks, > > > > > > > >^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ >** Sami Mousa, FORE ATM(WAN) Certified ** >** International Network Services Office: (908)603-8541 x320 ** >** Network Systems Engineer e-mail: sami_mousa@ins.com ** >** 120 Wood Ave South Pager: (888)896-4064 ** >** Suite #615 Fax: (908)548-5630 ** >** Iselin, New Jersey 08830 www.ins.com ** >============================================================================= > "My statements in this message are personal opinions \ > which may have no basis whatsoever in fact." 
> > > From owner-firewalls-list Sun Oct 5 15:36:03 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA24382; Sun, 5 Oct 1997 15:22:26 -0700 (PDT) Received: from smtp1.erols.com (smtp1.erols.com [205.252.116.101]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id PAA24375 for ; Sun, 5 Oct 1997 15:22:20 -0700 (PDT) Received: from farroyo39.geologics.com (spg-as55s36.erols.com [207.172.49.99]) by smtp1.erols.com (8.8.6/8.8.5) with SMTP id SAA11007 for ; Sun, 5 Oct 1997 18:29:21 -0400 (EDT) Received: by farroyo39.geologics.com with Microsoft Mail id <01BCD1B2.C1ADADA0@farroyo39.geologics.com>; Sun, 5 Oct 1997 17:18:54 -0400 Message-ID: <01BCD1B2.C1ADADA0@farroyo39.geologics.com> From: Chris Inskeep To: "firewalls@GreatCircle.COM" Subject: Need Vendors for Williamsburg Conference Date: Sun, 5 Oct 1997 17:18:50 -0400 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk If you're not a firewall vendor or reseller, please hit delete now. If you are a vendor or reseller: I need to recruit 4 - 5 firewall vendors and/or resellers to provide technology demonstrations at a security seminar 29 - 31 October in Williamsburg, Virginia primarily designed for the Department of Agriculture (but with a much broader audience.) This makes the most sense for companies in the mid-Atlantic who can follow up on interest within the Department. If your firm is interested, I will forward the specifics (a fee applies.) Vendors will also have the opportunity to make a presentation as part of a panel on Friday, 31 October. Thanks! 
Chris From owner-firewalls-list Sun Oct 5 17:41:01 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id QAA03891; Sun, 5 Oct 1997 16:32:10 -0700 (PDT) Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-970824-1) id QAA03883 for firewalls@greatcircle.com; Sun, 5 Oct 1997 16:32:04 -0700 (PDT) Received: from paleale.cisco.com (paleale.cisco.com [171.69.95.88]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id KAA14846 for ; Thu, 2 Oct 1997 10:12:11 -0700 (PDT) Received: from Baden.cisco.com (dhcp-i-91-123.cisco.com [171.69.91.123]) by paleale.cisco.com (8.8.4-Cisco.1/8.6.5) with SMTP id KAA24222 for ; Thu, 2 Oct 1997 10:12:40 -0700 (PDT) Message-Id: <3.0.1.32.19971002101237.00b119b0@lexicon.ins.com> X-Sender: ljrebar@lexicon.ins.com X-Mailer: Windows Eudora Pro Version 3.0.1 (32) Date: Thu, 02 Oct 1997 10:12:37 -0700 To: firewalls@GreatCircle.COM From: "Rebar - Lawrence J. Rebarchik" Subject: firewall-wizards mailing list... Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Was a bounce.... -- Since I opened my big mouth about the firewall wizards list, I was asked by an umber of people to repost the subscription information here. In short, mail majordomo@nfr.net with the line: subscribe firewall-wizards in the body of the email. 
Cheers, --Dg From owner-firewalls-list Sun Oct 5 19:30:40 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id TAA25574; Sun, 5 Oct 1997 19:14:12 -0700 (PDT) Received: from AIKEN.AIK.TEC.SC.US (AIKEN.AIK.TEC.SC.US [199.4.146.5]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id TAA25567 for ; Sun, 5 Oct 1997 19:14:07 -0700 (PDT) Date: Sun, 5 Oct 1997 22:15:44 -0400 From: LISTS@aik.tec.sc.us To: FIREWALLS@GREATCIRCLE.COM Message-Id: <971005221544.20e1fb5c@aik.tec.sc.us> Subject: Three way firewall wanted Sender: firewalls-owner@GreatCircle.COM Precedence: bulk We need a firewall to protect our Admin segment from our students as well as both from the Internet (and maybe the Internet from our students). Two firewall systems should work, but don't have the budget for two. Right now we have the Internet coming in over 1/2 T1 using frame relay to a Cisco 2514 router to two C-class segments on regular ethernet. However, we expect to soon have a much faster internet fiber optic connection (of a yet to be determined nature but the pipe going by us is OC3), be adding some fast ethernet segments with switchers, and adding one or two more class-C address ranges. Are there any words of wisdom, or suggestions of where to visit during Networld in Atlanta? Ray Timmons From owner-firewalls-list Sun Oct 5 21:00:52 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id UAA10983; Sun, 5 Oct 1997 20:59:29 -0700 (PDT) Received: from carshp.carsinfo.com (carshp.carsinfo.com [192.148.241.111]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id UAA10941 for ; Sun, 5 Oct 1997 20:59:13 -0700 (PDT) Received: by carshp.carsinfo.com (1.38.193.5/16.2) id AA20284; Sun, 5 Oct 1997 23:59:37 -0400 Date: Sun, 5 Oct 1997 23:59:36 -0400 (EDT) From: Richard Reno Subject: Re: Just wondering - pipeline computer firewalls? 
To: Sick Puppy Cc: firewalls@GreatCircle.COM In-Reply-To: Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thu, 2 Oct 1997, Sick Puppy wrote: > Not too long ago I had a lot of free time to think about things and I > became somewhat familiar with the Galaxy Pipeline Computer (rough > translation) developed at Tokyo University. For about $20,000 they built Could you spare some of that free time? :) > It seems to me that firewalls are not incredibly complex machines > and it should be possible to break the instructions into sets and hard > code them on hundreds of processors. Such a machine should be able to > keep up with a T3 line quite easily. > Actually, this might well be economically feasible now and not have the problems that a hardware solution would have had a few years ago. Large fpga's are approaching 100K gates or more. (To put this in perspective, early computers were built from a few thousand gates) That alone would not make it practical, but many of the newer ones are programmed not by device programmers but by the contents of static ram bits spread around the chip. The users of these chips are increasingly doing the design in vhdl which is just another programming language. Wouldn't be a hoot if someone built a C -> vhdl translator and then put the firewall code directly in these chips? Also because the programming is set in the static ram, fixes could be incorporated by just rebooting after reloading the program. This is a simplistic view, of course, but there is a possibility of approaching it this way. I could see as a first step the placement of the entire tcp/ip stack into this hardware. Golly, this could lead to Really intelligent NIC's. 
Richard From owner-firewalls-list Mon Oct 6 01:16:43 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id AAA28812; Mon, 6 Oct 1997 00:57:20 -0700 (PDT) Received: from gate.netbenefit.co.uk (gate.netbenefit.co.uk [195.153.24.12]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id AAA28805 for ; Mon, 6 Oct 1997 00:57:15 -0700 (PDT) Received: from Luna.netbenefit.co.uk [195.153.24.28] by gate.netbenefit.co.uk with smtp (Exim 1.61 #5) id 0xI837-0002Pu-01; Mon, 6 Oct 1997 08:57:53 +0100 Message-Id: <3.0.32.19971006085327.0074f1b4@gate.netbenefit.co.uk> X-Sender: adam@gate.netbenefit.co.uk X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Mon, 06 Oct 1997 08:53:28 +0100 To: firewalls@GreatCircle.COM From: Adam Threadgold Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk remove From owner-firewalls-list Mon Oct 6 01:23:04 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id AAA28861; Mon, 6 Oct 1997 00:57:36 -0700 (PDT) Received: from gate.netbenefit.co.uk (gate.netbenefit.co.uk [195.153.24.12]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id AAA28836 for ; Mon, 6 Oct 1997 00:57:26 -0700 (PDT) Received: from Luna.netbenefit.co.uk [195.153.24.28] by gate.netbenefit.co.uk with smtp (Exim 1.61 #5) id 0xI83J-0002Q0-00; Mon, 6 Oct 1997 08:58:05 +0100 Message-Id: <3.0.32.19971006085339.0074f1b4@gate.netbenefit.co.uk> X-Sender: adam@gate.netbenefit.co.uk X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Mon, 06 Oct 1997 08:53:40 +0100 To: firewalls@GreatCircle.COM From: Adam Threadgold Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk remove From owner-firewalls-list Mon Oct 6 01:24:06 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id AAA28910; Mon, 6 Oct 1997 00:58:28 -0700 (PDT) Received: 
Message-Id: <3.0.3.32.19971006095301.0074102c@brussels.cisco.com>
Date: Mon, 06 Oct 1997 09:53:01 +0000
To: Bill Husler, firewalls
From: Eric Vyncke
Subject: Re: VLANs for Security Inside the Firewall
In-Reply-To: <199710051657.JAA10359@honor.greatcircle.com>

At 09:58 5/10/97 -0700, Bill Husler wrote:
......
>I understand that these switches are configured via a telnet session. Is
>there a way (on the switch) to ensure that this activity may only be
>performed via specific switch ports (ie. I would like to ensure that if
>someone is remapping the VLANs, they are doing so from something along
>the lines of a console or secured area).

I can only speak for the switches of my employer (Cisco): yes, you can restrict management to be done via only one VLAN (thus a couple of port(s)), and there is obviously a username/password prompt which can be redirected to a Radius/Tacacs+ server.
-eric

Eric Vyncke
Technical Consultant
Cisco Systems Belgium SA/NV
Phone: +32-2-778.4677   Fax: +32-2-778.4300
E-mail: evyncke@cisco.com   Mobile: +32-75-312.458

From owner-firewalls-list Mon Oct 6 01:31:01 1997
Message-ID: <3438AD44.862C2CE2@arcor.net>
Date: Mon, 06 Oct 1997 10:20:04 +0200
From: Benjamin Brumaire
To: firewalls@GreatCircle.COM
Subject: (no subject)

remove

From owner-firewalls-list Mon Oct 6 04:15:42 1997
From: STEVE.CONNOLLY@arpstl-emh2.army.mil
Message-Id: <0008200001397503000002*@MHS>
To: Firewalls@GreatCircle.COM, owner-firewalls-list@GreatCircle.COM
Subject: Re: Williamsburg Security Seminar
Date: Mon, 6 Oct 1997 06:21:26 -0400
Please send me the full agenda on the seminar. Thanks.

Steve Connolly
steve.connolly@arpstl-emh2.army.mil

From owner-firewalls-list Mon Oct 6 06:46:08 1997
Message-Id: <3.0.3.32.19971006093026.009617d0@houinet.hst.moc.com>
Date: Mon, 06 Oct 1997 09:30:26 -0400
To: Andy Lewis, Firewalls@GreatCircle.COM
From: "Jeremy D. Zawodny"
Subject: Re: hosts.allow

At 04:04 PM 10/3/97 -0500, Andy Lewis wrote:
>I hope that this is not off topic.

You lose.

Jeremy
--
Jeremy Zawodny
Internet Technology Group
Information Technology Services
Marathon Oil Company, Findlay Ohio
http://www.marathon.com/
Unless explicitly stated, these are my opinions only--not those of my employer.
From owner-firewalls-list Mon Oct 6 07:01:22 1997
Message-Id: <3.0.3.32.19971006093345.00964140@houinet.hst.moc.com>
Date: Mon, 06 Oct 1997 09:33:45 -0400
To: phloyd@cyberjunkie.com, firewalls@GreatCircle.COM
From: "Jeremy D. Zawodny"
Subject: Re: Audio Electronic Engineering
In-Reply-To: <34357DF2.6FCC@cyberjunkie.com>

At 05:21 PM 10/3/97 -0500, Brian Nunes wrote:
>I need information on the first steps in becoming an Audio Electronic
>Engineer. I was wondering if anyone could recommend a starting point,
>whether it be a specialized school, or college courses?
>Was wondering about expected income, what qualifications are needed, any
>good schools, and general employment outlook.

This is off-topic for the firewalls list. Please take the discussion elsewhere.

Jeremy, the self-appointed list cop of the day... :-)
From owner-firewalls-list Mon Oct 6 07:16:38 1997
Message-Id: <3.0.3.32.19971006093220.00931530@houinet.hst.moc.com>
Date: Mon, 06 Oct 1997 09:32:20 -0400
To: Nathan Zych - ML, Firewalls@GreatCircle.COM
From: "Jeremy D. Zawodny"
Subject: Re: Please help - Linux anon FTP
In-Reply-To: <3.0.32.19971003232647.009f7480@main.home>

At 11:26 PM 10/3/97 -0400, Nathan Zych - ML wrote:
>
>Would anyone be willing to explain to me how to create additional anonymous
>users on a linux system running with wu-ftpd. They cannot be normal users,
>they must be chroot'ed so they have access just to their home directory.
>If there is a HOWTO or Faq that may help me could someone please point me
>in the right direction.

This is off-topic for the firewalls list. Please take the discussion elsewhere.

Jeremy, the self-appointed list cop of the day... :-)
From owner-firewalls-list Mon Oct 6 08:04:50 1997
Message-Id: <01BCD222.DC69E620@gcrum@us-state.gov>
From: Gary Crumrine
Reply-To: gcrum@us-state.gov
To: 'David LeBlanc', osiris@gnss.com
Cc: firewalls@GreatCircle.COM
Subject: RE: Microsoft vs The world (apology)
Date: Mon, 6 Oct 1997 06:41:19 -0400
Organization: US Dept of State (Contractor)

I haven't seen this on my system yet, but I am a little miffed over something I experienced last night. I was installing one of the CD packages from one of the bigger known ISP providers (3 letters), and when I had it all installed and up and running, I found that when I tried to exit the system, it pops up a message concerning problems with MS Explorer and starts into this 20 minute download of a supposed fix. Now I don't know about you, but I'd sure like to know what is getting pushed to my system, and be given an opportunity to choose if I want to kill it or not.
On Monday, September 15, 1997 6:10 PM, David LeBlanc [SMTP:dleblanc@iss.net] wrote:
| At 10:47 9/15/97 -0700, you wrote:
|
| >In this morning's newspaper (reference follows), I found an article of
| >some interest. In it, there was an interview with a beta tester of IE
| >4.0. Apparently, IE 4.0 - if left unattended - will routinely initiate
| >a connection to Microsoft. Purportedly, this feature (not a bug, a
| >feature) allows updates and special web pages to be downloaded while
| >the user is away from the terminal (busy, asleep, etc.) These updates
| >are then stored on the hard disk drive of the user. According to the
| >beta tester:
|
| >"I...discovered that my computer had connected itself to the
| >Internet...I was completely freaking out. I pulled the phone plug
| >right out of the wall."
|
| Odd - I've had IE 4.0 on my home box for some weeks, and it has never once
| taken it upon itself to call my ISP and connect to MS. I haven't really
| monitored what it does while on line extremely carefully, and I haven't
| taken any special precautions to prevent this from happening, either. It
| is possible this is because I don't have any of the "pointcast" junk turned
| on - blew up first time I tried it, and I haven't fooled with it since.
|
| Perhaps "freaking out" users may not be the most reliable source of info.
| Although I'd certainly be displeased if it did start dialing home, I can
| think of less destructive ways to stop this behavior than yanking on wires.
|
| >More bizarre yet is this: in addition to the 250K download, his machine
| >also UPLOADED 58,000 bytes of information. The beta tester reported that
| >he did not know what data had been uploaded.
|
| Be interesting to see what it is doing - it could be just requests and that
| sort of thing.
|
| >I am wondering this: suppose such a box was located behind a firewall
| >but was allowed outside access.
| >Does this not constitute an EXTREME security risk? If 4.0 is capable of
| >uploading information from a local drive of a 95 box, it can presumably
| >do this from badly managed shares as well, no?
|
| No telling. IMHO, we need to examine this a bit before we get cranked
| about it. Be interesting to see if it can be duplicated, then log the
| traffic.
|
| ----------------------------------------------------------
| David LeBlanc                   | Voice: (770)395-0150 x138
| Internet Security Systems, Inc. | Fax: (404)395-1972
| 41 Perimeter Center East        | E-Mail: dleblanc@iss.net
| Suite 660                       | www: http://www.iss.net/
| Atlanta, GA 30328               |

From owner-firewalls-list Mon Oct 6 08:31:04 1997
Message-ID: <951A67E9EBBFD011993E0000E82C67F0047157@bdc9000.pccmis.com>
From: Chris Brenton
To: firewalls@greatcircle.com
Subject: MS Windows and their security status
Date: Mon, 6 Oct 1997 11:02:46 -0400

Okay, I've had yet another off-line discussion with a member of this list who has hit me with "but Windows NT _must_ be secure, it received a C2 security rating". For others who are in the same mindset, some links to check out:

http://www.radium.ncsc.mil/tpep/epl/epl-by-class.html

Lists the NSA systems that have met their predefined levels of security. One thing worth noting is that NT 3.5 is listed under C2, but NT 4.0 is not.
If you follow the link:

http://www.radium.ncsc.mil/tpep/epl/entries/CSC-EPL-95-003.html

you will get a summary of their review process for Windows NT. Two comments worth noting:

"Because the evaluated configuration does not include a network environment, both products (Windows NT server and Workstation) are considered stand-alone workstations."

"A network configuration of the Windows NT platform is currently pending evaluation agreement."

In other words, Microsoft has not yet agreed to allow their product to undergo an evaluation in a networked environment. Now, based upon this evaluation, Microsoft has found it proper to advertise the following:

http://www.microsoft.com/ntserver/info/security.htm

They "imply" without directly stating that the C2 certification is for a networked environment, when it is not. If you want some more "fun" reading, check out the "Microsoft Responses" link off of this page. My personal favorite is the "Password snatcher" article, where Microsoft does not deem the ability to grab logon names and passwords as being a problem because:

"Because the effectiveness of this tool is limited to a single physical segment of the network, Microsoft has determined that this does not compromise security of a corporate network."
LOL

From owner-firewalls-list Mon Oct 6 09:00:55 1997
Date: Mon, 6 Oct 1997 16:56:21 +0100
Message-ID: <00070FDA.3043@kpmg.co.uk>
From: Craig.Penton@kpmg.co.uk (Craig Penton)
Subject: Info
To: firewalls@greatcircle.com

Email Disclaimer

The information in this email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this email by anyone else is unauthorised. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful. When addressed to our clients any opinions or advice contained in this email are subject to the terms and conditions expressed in the governing KPMG client engagement letter.
From owner-firewalls-list Mon Oct 6 10:01:28 1997
From: "Mark Teicher"
To: 'David LeBlanc'
Subject: Re: Microsoft vs The world (apology)
Date: Mon, 6 Oct 1997 12:27:51 -0400
Message-ID: <19971006162808.AAB29558@uymfdlvk>

Boy, I agree with Gary on this one. I just installed IE 4.0 on one of my machines and it does a lot of changes to the registry and such, but even after examination of the changes, it does not leave you with an audit record of the real changes it did to the system. Even at one point during the install, "Now optimizing system": I have no idea what this message means, but since I did not know what it was doing, I uninstalled it. Programs that size that change your environment should have an audit trail through the process to ensure or guarantee to the user that it is not installing/changing settings you have done. I have seen those 20 minute fixes for certain programs. I am truly amazed that, with corporations who design software to make it easy for the client or end user, the security factor is almost eliminated from the equation.
My .02
/mht

----------
> From: Gary Crumrine
> To: 'David LeBlanc'; osiris@gnss.com
> Cc: firewalls@GreatCircle.COM
> Subject: RE: Microsoft vs The world (apology)
> Date: Monday, October 06, 1997 6:41 AM
>
> I haven't seen this on my system yet, but I am a little miffed over
> something I experienced last night though. I was installing one of the
> cd packages from one of the bigger known ISP providers (3 letters) and
> when I had it all installed, and up and running, I found that when I
> tried to exit the system, it pops up a message concerning problems with
> MS Explorer, and starts into this 20 minute download of a supposed fix.
> Now I don't know about you, but I'd sure like to know what is getting
> pushed to my system and given an opportunity to choose if I want to kill
> it or not.
>
> On Monday, September 15, 1997 6:10 PM, David LeBlanc
> [SMTP:dleblanc@iss.net] wrote:
> | At 10:47 9/15/97 -0700, you wrote:
> |
> | >In this morning's newspaper (reference follows), I found an article of
> | >some interest. In it, there was an interview with a beta tester of IE
> | >4.0. Apparently, IE 4.0 - if left unattended - will routinely initiate
> | >a connection to Microsoft. Purportedly, this feature (not a bug, a
> | >feature) allows updates and special web pages to be downloaded while
> | >the user is away from the terminal (busy, asleep, etc.) These updates
> | >are then stored on the hard disk drive of the user. According to the
> | >beta tester:
> |
> | >"I...discovered that my computer had connected itself to the
> | >Internet...I was completely freaking out. I pulled the phone plug
> | >right out of the wall."
> |
> | Odd - I've had IE 4.0 on my home box for some weeks, and it has never once
> | taken it upon itself to call my ISP and connect to MS.
> | I haven't really monitored what it does while on line extremely carefully,
> | and I haven't taken any special precautions to prevent this from
> | happening, either. It is possible this is because I don't have any of the
> | "pointcast" junk turned on - blew up first time I tried it, and I haven't
> | fooled with it since.
> |
> | Perhaps "freaking out" users may not be the most reliable source of info.
> | Although I'd certainly be displeased if it did start dialing home, I can
> | think of less destructive ways to stop this behavior than yanking on wires.
> |
> | >More bizarre yet is this: in addition to the 250K download, his machine
> | >also UPLOADED 58,000 bytes of information. The beta tester reported that
> | >he did not know what data had been uploaded.
> |
> | Be interesting to see what it is doing - it could be just requests and that
> | sort of thing.
> |
> | >I am wondering this: suppose such a box was located behind a firewall
> | >but was allowed outside access. Does this not constitute an EXTREME
> | >security risk? If 4.0 is capable of uploading information from a local
> | >drive of a 95 box, it can presumably do this from badly managed shares
> | >as well, no?
> |
> | No telling. IMHO, we need to examine this a bit before we get cranked
> | about it. Be interesting to see if it can be duplicated, then log the
> | traffic.
> |
> | ----------------------------------------------------------
> | David LeBlanc                   | Voice: (770)395-0150 x138
> | Internet Security Systems, Inc.
> |                                 | Fax: (404)395-1972
> | 41 Perimeter Center East        | E-Mail: dleblanc@iss.net
> | Suite 660                       | www: http://www.iss.net/
> | Atlanta, GA 30328               |

From owner-firewalls-list Mon Oct 6 10:22:30 1997
Date: Mon, 6 Oct 1997 19:14:50 +0200 (DFT)
From: Ciaran Deignan
To: firewalls@greatcircle.com
Subject: dynamic address translation...

I'm not on this mailing list, so please copy me in any replies, and please forgive me if it's an old question (I've checked the Firewall FAQ on clark.net).

I work in the Bull Unix R&D centre in France. The Bull firewall product, NetWall, is developed here. The developers of NetWall have implemented a new Dynamic Address Translation function in NetWall, and I'm looking for information on the limitations inherent in the technology they're using.

Basically the new dynamic address translation in NetWall replaces the calling address and port number in TCP and UDP "connection" requests coming from a "mappable" host by the IP address of the interface by which the packet exits the machine. The source port is replaced by a number greater than 65000.
For starters I've no idea how it's possible to generate TCP frames with source port numbers greater than 2 to the power of 16. But I suppose it's documented in an RFC somewhere.

I've heard that this type of dynamic address translation has also been implemented by Cisco, and that it's called "Source Port Multiplexing" or "Source Port Mapping" or something.

Obviously this technology only supports TCP and UDP communications. However, I have the unnerving feeling that some commonly-used services won't like this sort of magic. The engineering has told me that FTP is supported, but what about sendmail?

Has anybody had any experience with a real-life application of this sort of technology, and are there any "gotchas" that you could help us avoid?

Thanks
Ciaran

+-------------------------------------------------------------------------+
Ciaran Deignan                          Tel: (France) 04 76 29 79 92
BULL OSPBU (http://www-frec.bull.com)   Internet Support Project Leader
Office: C1/048                          Bullcom: 229 79 92
Mail to: B1/054 or C.Deignan@frec.bull.fr   Fax: 229 78 62
+-------------------------------------------------------------------------+

From owner-firewalls-list Mon Oct 6 10:31:28 1997
From: "Engasser, Charlie"
To: 'Franco RUGGIERI'
Cc: 'Firewalls@GreatCircle.COM'
Subject: RE: Firewall-1, packet -VS- Proxy
Date: Sun, 5 Oct 1997 13:42:21 -0400
1) It doesn't harden the system (Unix or NT or whatever it runs/will run on) by itself: it's up to the security admin to harden it: what if he/she is not so smart to do it properly?

1: Firewall-1 does install a kernel driver between the NIC driver and the OS (except on HPUX). So at least in theory the OS should be protected by whatever the firewall itself is hardened against. As for the sysadmin not being smart enough to do it, well, companies get what they pay for. If the admin person isn't savvy enough to do it right, then that's not the fault of the firewall. Personally I find it appalling that someone would claim to be an administrator of their company's network security and take it on blind faith that a product protects them as claimed (or for that matter does anything as claimed). So what if one firewall says it hardens the system it's on? What exactly does that mean anyway? Do >>you<< know? In my opinion, the cost of a firewall product itself is only part of the equation; the other half is the cost of testing the product once it's set up. If you are not willing to fork over $$$ (be it time, resources, product or services), then it really doesn't matter if someone tells you the system was automagically "hardened", does it?

2) Setting up the rules is a real headache, most of it defining all the objects that make up the network. And everything which is difficult to implement is error prone.

2: Setting up rules in Firewall-1 is easier than the other half dozen firewalls I've used and looked at. First off, Firewall-1 is capable of resolving network names just as any other system would, through DNS, HOSTS, NIS or SNMP. If the rest of your network is running properly, defining network objects is nothing more difficult than telling Firewall-1 what the name of the system is, and letting it do all the hard stuff (like remembering IP addresses).
The only objects that need to be defined are the ones that are directly affected by the rules policy. If you wish to define a global rule based on a subnet, then you define the subnet, and all systems in that subnet are affected by the rule in question.

As for the previous poster, I don't think that I would decide on Gauntlet unless I had already put a few more firewalls on a testbed. Gauntlet is rated fairly well as far as security goes, but its performance figures suck. It drops packets left and right when under high loads. If you want a contact # of a rep I know that would be happy to get you eval copies of just about anything, drop me an email.

As for the systems >>I<< would personally look at, I would start with: Firewall-1, AltaVista, Raptor, Gauntlet, Cisco PIX (hardware). I would avoid at all costs: Borderware (and probably Sidewinder too) and On Track's OnGuard. E-mail me for details if you need them.

From owner-firewalls-list Mon Oct 6 11:31:00 1997
Message-ID: <5116B73B522CD1118DA200C06C703485011402@EX11434AA144>
From: "Maung, Than"
To: 'Craig.Penton@kpmg.co.uk', firewalls@greatcircle.com
Subject: RE: Info
Date: Mon, 6 Oct 1997 14:09:59 -0400

Then don't send it out on this list!!!!!!!!!!!!!!!!!!!!!!!!!
-----Original Message-----
From: Craig.Penton@kpmg.co.uk [SMTP:Craig.Penton@kpmg.co.uk]
Sent: Monday, October 06, 1997 11:56 AM
To: firewalls@greatcircle.com
Subject: Info

Email Disclaimer

The information in this email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this email by anyone else is unauthorised. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful. When addressed to our clients any opinions or advice contained in this email are subject to the terms and conditions expressed in the governing KPMG client engagement letter.

From owner-firewalls-list Mon Oct 6 12:00:50 1997
Message-Id: <3.0.3.32.19971006145133.03238028@localhost>
Date: Mon, 06 Oct 1997 14:51:33 -0400
To: "Engasser, Charlie", 'Franco RUGGIERI'
From: Frederick M Avolio
Subject: RE: Firewall-1, packet -VS- Proxy
Cc: 'Firewalls@GreatCircle.COM'

> As for the previous poster, I don't think that I would decide on
>Gauntlet unless I had
> already put a few more firewalls on a testbed.
> Gauntlet is rated fairly well as far as security goes, but its
> performance figures suck. It drops packets left and right when under
> high loads. If you want a contact # of a rep I know that would be happy
> to get you eval copies of just about anything drop me an email. As for

Not sure what performance figures you are referring to (the ones that suck, I mean). To view the NSTL test results visit the TIS website at http://www.tis.com/testing. To view University of Kansas test results visit their website at http://www.ittc.ukans.edu/projects/performance/gauntlet/. And feel free to contact TIS directly for sales and evaluation copies. I've got to believe someone working for the USAF has better things to do. :-) They will even point you to customers who are serious about security and are running Gauntlet firewalls under heavy loads.

Fred

From owner-firewalls-list Mon Oct 6 12:15:53 1997
From: "Maung, Than"
To: "'LISTS@aik.tec.sc.us'", FIREWALLS@GREATCIRCLE.COM
Subject: RE: Three way firewall wanted
Date: Mon, 6 Oct 1997 10:06:27 -0400

I don't know where to direct you to at Networld, but I've been running that way with 2 OC3 and 1 ether. Just make sure you got your routes straight. Depending on the platform you are using, make sure to beef up your memory.
Than M Maung

-----Original Message-----
From: LISTS@aik.tec.sc.us [SMTP:LISTS@aik.tec.sc.us]
Sent: Sunday, October 05, 1997 10:16 PM
To: FIREWALLS@GREATCIRCLE.COM
Subject: Three way firewall wanted

We need a firewall to protect our Admin segment from our students as well as both from the Internet (and maybe the Internet from our students). Two firewall systems should work, but we don't have the budget for two. Right now we have the Internet coming in over 1/2 T1 using frame relay to a Cisco 2514 router to two class-C segments on regular ethernet. However, we expect to soon have a much faster internet fiber optic connection (of a yet to be determined nature, but the pipe going by us is OC3), be adding some fast ethernet segments with switches, and adding one or two more class-C address ranges. Are there any words of wisdom, or suggestions of where to visit during Networld in Atlanta?

Ray Timmons

From owner-firewalls-list Mon Oct 6 13:15:48 1997
Date: Mon, 6 Oct 1997 16:11:50 -0400 (EDT)
From: "Paul D.
Robertson"
To: "Engasser, Charlie"
Cc: "'Franco RUGGIERI'", "'Firewalls@GreatCircle.COM'"
Subject: RE: Firewall-1, packet -VS- Proxy

On Sun, 5 Oct 1997, Engasser, Charlie wrote:

> 1: Firewall-1 does install a kernel driver between the NIC driver and
> the OS. (except on HPUX). So at least in theory the OS should be
> protected by whatever the firewall itself is hardened against. As for
> the sys admin not being smart enough to do it, well, companies get what
> they pay for.

Looking at past exploits, and Checkpoint's reaction to the OOB bug in Windows NT, I would say that the hosting machine's services for administration and VPN support seem to be unhardened, and vulnerable to exploitation without extra work. If those responses are indicative of the overall argument of a hardened system versus a shim in the driver layer, then that shim boat just don't float.

> it hardens the system it's on? What exactly does that mean anyway? Do
> >>you<< know? In my opinion, the cost of a firewall product itself is

If the vendor can't quantify 'harden' to your satisfaction, you're dealing with the wrong vendor. There is value to having a hardened OS, network stack, filesystem, etc. A great deal of value in many instances, a number of which depend on the specific installation. For instance, if your firewall is going to play with a global authentication strategy, then you'll want to know the stack can survive low-level attacks. Dismissing hardening because you can't quantify a particular instantiation doesn't remove the value of someone having poked deep enough into the OS to remove some of its inherent problems.

> As for the previous poster, I don't think that I would decide on
> Gauntlet unless I had already put a few more firewalls on a testbed.
> Gauntlet is rated fairly well as far as security goes, but its
> performance figures suck.
> It drops packets left and right when under

Funny, all the studies I've seen for Gauntlet's performance far outstrip the available Internet bandwidth at most sites. Care to reference some figures? I'm preparing for some benchmarks in the near future on a few products, and I'd be more than happy to check your results.

FW-1's lack of _complete_ implementation of stateful filtering, as well as the complexity of being able to do it well, would steer me away from it as a solution. For instance, Firewall-1 does *not* maintain state information for ICMP as it ships. All those reverse-telnet over ICMP programs floating around the net tend to worry me.

Consistency is important in security. You should be able to predict what your firewall will do with traffic, and how it applies its protection mechanisms. Unfortunately, the only way to find that out with FW-1 seems to be with a sniffer and a *lot* of time.

If you've got the time to write Inspect code, and you trust the state engine to pass the right packets up, then FW-1 can make a good tool. However, it is marketed as a solution, not a tool, and frankly, it *needs* work for anything but the most blatant policies, which are *much* more easily verifiable via an application layer gateway. Making it *easy* for someone to punch large gaping holes in their perimeter without quantifying the risks is generally thought to be a bad thing. Personally, I think you should have to drag out the manual and understand what you are doing.

> I would avoid at all costs:
>
> Borderware (and probably Sidewinder too) and On Track's OnGuard. E-mail
> me for details if you need them.

If you're going to slam them in public, then make your accusations known. Given the lack of data backing up your assertions of Gauntlet's performance, and the existence of data to the contrary, I, for one, am skeptical.

Paul

-----------------------------------------------------------------------------
Paul D.
Robertson              "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
PSB#9280

From owner-firewalls-list Mon Oct 6 14:57:08 1997
From: Brian Tackett
To: firewalls@greatcircle.com
Subject: Gauntlet, VPN/WAN/Dialups
Date: Mon, 6 Oct 1997 16:36:18 -0500 (CDT)

All,

Interesting question. We're currently engaged in doing some initial research for a customer which operates an international WAN, with much of the processing done in a stateside location. Here is my series of questions:

1) We're using the following setup....

   INTERNET <---T1--->
                     |
                     |
                     |
                     |
        NT servers, with Oracle, other internal stuff
        RAS Server with remote dialups
                     |
                     |
        Remote offices worldwide, dialing in.

Now.....

2) I am VERY uneasy about having a) RAS dialups and b) a Frame Relay WAN behind the firewall. Backdoors are evil. However, the customer is very reluctant to relocate those outside the firewall, since they feel this would a) load the firewall much more, and b) introduce more failure points. What are some options as far as VPN or like products which could be used to secure dialups and/or FR sites? Specifically, can anyone give solid recommendations for something that does strong authentication and encryption over international telephone lines?
From owner-firewalls-list Mon Oct 6 17:30:39 1997
From: "Paquette, Trevor"
To: "'fw-1-mailinglist@us.checkpoint.com'", "'Firewalls@GreatCircle.COM'"
Subject: Split DNS question
Date: Mon, 6 Oct 1997 18:30:57 -0600

A lot of folks keep talking about split DNS and how it seems to solve a lot of resolution problems.. But no-one says how they actually have it implemented. Anyone care to share? Solaris 2.5.1 please.

Also what about multiple-personality DNS? More than 1 internal DNS server? Possible? Does Bind 8.1 support this? When is a newer version of Bind 8.1 being released?

Marcus Ranum had a very cool DNS resolve patch that would change the format of the resolv.conf file to something like:

    domain xyz.com
    nameserver domaina.com 10.3.4.5
    nameserver domainb.com 10.60.87.98
    nameserver 65.78.10.in-addr.arpa 10.78.65.2
    nameserver 10.2.2.30

Which basically said:

    my domain is xyz.com
    if resolving names for the domain "domaina.com" I contact 10.3.4.5
    if resolving names for the domain "domainb.com" I contact 10.60.87.98
    if reverse resolving for net 10.78.65.0 contact 10.78.65.2
    otherwise all other queries get sent to 10.2.2.30

His patch only worked with bind 4.9.3 and lower.. pity. He says that he is too busy to add it for 4.9.5 and higher..
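The selection rule that the extended resolv.conf format above encodes (per-domain nameservers, a per-network reverse server, a catch-all), written out as an added Python example; this is not Marcus Ranum's patch or any BIND code, the sample file is a constructed copy of the format shown in the post, and the function names are my own.

```python
"""Resolver routing for the extended resolv.conf format described in the post.

Added example, not Marcus Ranum's patch: it models only the selection logic
the post spells out. Longest matching zone suffix wins; PTR lookups are routed
by building the in-addr.arpa name and matching it the same way.
"""
import ipaddress

# Constructed sample in the format shown in the post (not a real config).
SAMPLE_RESOLV_CONF = """\
domain xyz.com
nameserver domaina.com 10.3.4.5
nameserver domainb.com 10.60.87.98
nameserver 65.78.10.in-addr.arpa 10.78.65.2
nameserver 10.2.2.30
"""


def parse_resolv_conf(text):
    """Return (local_domain, {zone: server}, default_server).

    'nameserver ZONE SERVER' binds a zone (forward or in-addr.arpa) to a
    server; a bare 'nameserver SERVER' is the catch-all. Unknown keywords
    and comments are ignored, as a resolver would.
    """
    local_domain = None
    zone_servers = {}
    default_server = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        keyword, args = fields[0], fields[1:]
        if keyword == "domain" and len(args) == 1:
            local_domain = args[0].lower().rstrip(".")
        elif keyword == "nameserver" and len(args) == 1:
            default_server = args[0]
        elif keyword == "nameserver" and len(args) == 2:
            zone_servers[args[0].lower().rstrip(".")] = args[1]
    if default_server is None:
        raise ValueError("no default nameserver configured")
    return local_domain, zone_servers, default_server


def select_server(name, config):
    """Pick the server for a forward query: longest matching zone suffix wins."""
    local_domain, zone_servers, default_server = config
    qname = name.lower().rstrip(".")
    # Unqualified names (no dot) are looked up under the local domain.
    if "." not in qname and local_domain:
        qname = f"{qname}.{local_domain}"
    best = None
    for zone in zone_servers:
        if qname == zone or qname.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    return zone_servers[best] if best else default_server


def select_reverse_server(ip, config):
    """Pick the server for a PTR lookup, e.g. 10.78.65.200 -> the 65.78.10 server."""
    ptr_name = ipaddress.IPv4Address(ip).reverse_pointer  # "200.65.78.10.in-addr.arpa"
    return select_server(ptr_name, config)


if __name__ == "__main__":
    cfg = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    for q in ("www.domaina.com", "mail.domainb.com", "host", "www.example.org"):
        print(f"{q:20} -> {select_server(q, cfg)}")
    print("PTR 10.78.65.200     ->", select_reverse_server("10.78.65.200", cfg))
    print("PTR 10.1.1.1         ->", select_reverse_server("10.1.1.1", cfg))
```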
--
Trevor Paquette              | MetroNet Solutions   | Work:(403)543-2355
TrevorPaquette@mcc.net       | 4300, 150 6th Ave SW | Fax:(403)543-2854
http://www.mcc.net           | Calgary, AB, Canada  | ICBM:51'03"N/114'05"W
Senior Unix Network Architect| T2P 4K9              | Mind:In the Rockies

From owner-firewalls-list Mon Oct 6 20:15:59 1997
From: Steve Kruse
To: Brian Tackett, firewalls@greatcircle.com
Subject: Re: Gauntlet, VPN/WAN/Dialups
Date: Mon, 06 Oct 1997 23:05:13 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Brian:

Hmmm.... the problem, it would seem, is that you want STRONG encryption and authentication over international phone lines. There are a spate of products including packet filtering/encrypting routers, 3rd party VPN solutions, firewalls with VPN encryption, etc, on the market. Finding one isn't all that difficult. In fact, picking one out of the "herd" is the toughest part, not finding one anymore.

The PROBLEM you have is that word "international". If you buy a North American product (ie, US / CANADA) you can't export the strong encryption except in certain cases.
As I understand the rules (and someone PLEASE correct me if I am incorrect...) IF the foreign office is => 51% US ownership AND the host country allows it, you can export at least 56-bit DES and possibly IDEA (some countries such as Switzerland allow it). Some countries (France for one) force you to escrow the keys, so dynamic key management can not be done. Getting the US export licence, with proper documentation and a vendor who has all the right contacts, could possibly get this through in under a couple of months.

As to the configuration, the RAS behind the firewall is, to say the least, really a bad bad bad idea. I'm getting a rash thinking about it. It's like putting all the right locks and bars on the door and leaving the window open with a neon sign pointing to it. The compromise, as I see it, would be to put the dial up on the service net, make the dial up users use S/Key or some token card, and use very strict plug-to's through the firewall. It's not perfect, but it's a damn sight better than having RAS behind the locked door!

My $.02 (US) worth.

This would change the picture slightly using 3 interfaces on the Firewall, not 2:

      ( Internet )
           |
           |
       {PKT RTR}
           |
           |                    Service Net
     ((FIREWALL))-------------------
           |                   |   |   |
           |                   |   |   |
           |                  WWW DNS RAS
           |
     -----------------------------
            PRIVATE NET

Comments Welcome. Flames ignored!

At 09:36 PM 10/6/97 +0000, Brian Tackett wrote:
>All,
>
> Interesting question. We're currently engaged in doing some initial
>research for a customer which operates an international WAN, with much of
>the processing done in a stateside location. Here is my series of
>questions:
>
>1) We're using the following setup....
>
>   INTERNET <---T1--->
>                     |
>                     |
>                     |
>                     |
>        NT servers, with Oracle, other internal stuff
>        RAS Server with remote dialups
>                     |
>                     |
>        Remote offices worldwide, dialing in.
>
>
>Now.....
>
>2) I am VERY uneasy about having a) RAS dialups and b) a Frame Relay WAN
>behind the firewall. Backdoors are evil.
>However, the customer is very
>reluctant to relocate those outside the firewall, since they feel this
>would a) load the firewall much more, and b) introduce more failure
>points. What are some options as far as VPN or like products which could
>be used to secure dialups and/or FR sites? Specifically, can anyone give
>solid recommendations for something that does strong authentication and
>encryption over international telephone lines?
>
>

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQA/AwUBNDmzztIk6V3CiVjTEQLV2QCeOIoWDzxN3mNbm4JOx+7DZlXNzesAn03I
nend8K/tI4kFBIy2uUgqQhbH
=JNWE
-----END PGP SIGNATURE-----

***********************************************************************
* Check out http://www.milkyway.com for the best in network security! *
*  Steve Kruse                             PGP Key on most servers    *
*  PGP Fingerprint: 4BBF 43D2 69A4 E111 3089 C54B D224 E95D C289 58D3 *
***********************************************************************

From owner-firewalls-list Tue Oct 7 01:30:56 1997
Date: Tue, 07 Oct 1997 10:17:41 +0200
From: Peter Enderborg
Organization: AbnAmro Software
To: firewalls@greatcircle.com
Subject: Multi-interface firewalls

We need to set up a firewall with at least 8 ethernet interfaces, and it is good if they are 100Mbit/s interfaces. Does it exist on the market? Most of the firewalls that I have seen had only 3 interfaces. Some would be very easy to extend to 8, but what about the software? I know that Linux could do it, but what about Firewall-1 on a sparc? Any other good ideas?

From owner-firewalls-list Tue Oct 7 02:30:43 1997
To: Peter Enderborg
Cc: firewalls@GreatCircle.COM
Subject: Re: Multi-interface firewalls
In-reply-to: Your message of "Tue, 07 Oct 1997 10:17:41 +0200."
             <3439F025.F97DA132@abnamro-software.com>
Date: Tue, 07 Oct 1997 18:11:43 +0900
From: Nobuhiko Yoshimoto

> We need to set up a firewall with at least 8 ethernet interfaces, and
> it is good if they are 100Mbit/s interfaces.
> Does it exist on the market? Most of the firewalls that I have seen
> had only 3 interfaces. Some would be very
> easy to extend to 8, but what about the software? I know that Linux
> could do it, but what about Firewall-1
> on a sparc? Any other good ideas?
>

The Firewall-1 supports up to 12 NW interfaces. I've no idea, however, how many interfaces Linux could feature.

Nobuhiko Yoshimoto
Nihon Keizai Shimbun Inc.
yoshi@nikkei.co.jp
phone:813-5690-0256
fax:813-5690-0250

From owner-firewalls-list Tue Oct 7 03:46:49 1997
From: Paulo Augusto Rosa
Date: Tue, 07 Oct 1997 08:17:14 -0300
To: firewalls@GreatCircle.COM

remove

From owner-firewalls-list Tue Oct 7 05:02:33 1997
From: Russ
To: "'Noam Rathaus'", firewalls@GreatCircle.COM
Subject: RE: what ports to pass for exchange/outlook
Date: Tue, 7 Oct 1997 07:56:28 -0400

>Unless configured otherwise, it will use port 139, (RPC) and then
>a dynamic address above 1024 (TCP).

It will also use TCP 135 to get to the RPC EndPointMapper and figure out what higher port to use for the Information Store and Directory Store (which, as Noam said, can be configured to be a static port so you don't need to leave a range open on your FW). You can set it to use encrypted communications in the Outlook Client's Remote Mail setup. You'll need to put an entry in your client's LMHOSTS file as well so it knows where to find your Exchange Server.
Cheers,
Russ

From owner-firewalls-list Tue Oct 7 05:31:38 1997
From: Russ
To: firewalls@greatcircle.com
Subject: RE: VPNs and PPTP
Date: Tue, 7 Oct 1997 08:17:26 -0400

> 1) weak authentication

Security Dynamics say they have made PPTP work with SecurID.

> 2) slower

Than what?? Personally, with PPP compression, my speeds have been quite reasonable, dare I say fast?

> 3) bitch to install and figure out routing

Details, details, details, it's not a bitch to install, although it may be a bitch to figure out the routing if you haven't read the manuals...;-]

> 4) GRE doesn't pass through all firewalls

Really?? Which ones??? There's no "proxy" for GRE, that's true, but as a generic protocol, which FW doesn't support passing GRE through?

> 5) precious little debug information

Interesting, you can get full PPP debug information through RAS. As for the PPTP control channel, well that may be an area lacking. Of course you could just sniff 1723 and see for yourself, but I suppose you think there should be some sort of logging?? With Routing and Remote Access Server (RRAS) you do get a whole lot more information.

> 6) uses existing NT RAS administrative model

I don't see why this is a big issue, for customers who are upgrading modem connections to ISP-style connections, it's logical.

> 7) no support for non-MS based servers and clients.
and SecuRemote runs on...??? (no slam against CP, but it only runs on W95 and NT, right (or server to server as long as they're both CP FWs)). Same is true of more than a few VPN clients.

> 8) black box implementation

and SecuRemote is a...??? V-One is a...??? Altavista is a...??? Lots of black boxes around these days...;-]

> 9) Extra hardware if you're not currently running NT server

NT server isn't cheap. and SmartGate runs on...??? or Altavista Tunnel. An extra server for VPN is definitely not unique to PPTP, and few of them are cheap. Maybe the point should be that if you *are* running NT, it's FREE.

> 10) uses existing user database

most see this as an advantage, but obviously coupled with item #1 above could be a disadvantage. It certainly doesn't have to be your existing user database, you could easily create a separate domain with a single user for each person connecting in and then use Trusts to determine what they can get to. IOW, it doesn't have to use an existing user database.

> 11) no key mgt

well, maybe that's because there are no keys...;-]...but really, isn't this one of the reasons for #1 above? SecurID is supposed to work, I've been told it works, but I haven't seen it work yet with PPTP.

> 12) transports IPX and native NETBEUI

and this is a bad thing(tm)??? Better talk to those folks over at Network-1, their Firewall/Plus transports anything, and I mean anything...;-]

Don't get me wrong, I'm not advocating the use of PPTP or saying it's the best thing since sliced bread or anything. As always, I just don't like the idea that things MS get slammed due to lack of understanding. PPTP is proprietary, since it wasn't readily adopted, and will eventually be L2TP instead, so mass deployment may not be a good idea until you've talked to MS and found out whether the upgrade is going to be painless or not (if you do, let me know). If you've got NT 4.0 today and are evaluating VPNs, trialing PPTP makes a whole lot of sense in my mind.

Cheers,
Russ
R.C. Consulting, Inc.
- NT/Internet Security

From owner-firewalls-list Tue Oct 7 05:46:57 1997
Date: Tue, 07 Oct 1997 14:34:36 +0200
From: Peter Enderborg
Organization: AbnAmro Software
To: Nobuhiko Yoshimoto
Cc: firewalls@GreatCircle.COM
Subject: Re: Multi-interface firewalls

Nobuhiko Yoshimoto wrote:
> > We need to set up a firewall with at least 8 ethernet interfaces, and
> > it is good if they are 100Mbit/s interfaces.
> > Does it exist on the market? Most of the firewalls that I have seen
> > had only 3 interfaces. Some would be very
> > easy to extend to 8, but what about the software? I know that Linux
> > could do it, but what about Firewall-1
> > on a sparc? Any other good ideas?
> >
>
> The Firewall-1 supports up to 12 NW interfaces. I've no idea, however,
> how many interfaces Linux could feature.
>
> Nobuhiko Yoshimoto
> Nihon Keizai Shimbun Inc.
> yoshi@nikkei.co.jp
> phone:813-5690-0256
> fax:813-5690-0250

We have a Linux running as a router in a test environment with 9 x 100 Mbit/s, and I don't think it too much job to get in another 12 interfaces. But don't ask me to guess the throughput... (We use Znyx 4x100 on each PCI card.)

From owner-firewalls-list Tue Oct 7 06:35:54 1997
Date: Tue, 07 Oct 1997 09:08:56 -0400
From: Mike Jones
Organization: Unified Technologies, Inc.
To: Peter Enderborg
CC: firewalls@greatcircle.com
Subject: Re: Multi-interface firewalls

Peter Enderborg wrote:
> We need to set up a firewall with at least 8 ethernet interfaces, and
> it is good if they are 100Mbit/s interfaces.
> Does it exist on the market? Most of the firewalls that I have seen
> had only 3 interfaces. Some would be very
> easy to extend to 8, but what about the software? I know that Linux
> could do it, but what about Firewall-1
> on a sparc? Any other good ideas?

My company has implemented FW-1 on SPARC with 9 network interfaces for a customer. I believe that all but 1 of them is 10 Mb/sec, though. If you're serious about needing that kind of throughput, you're going to need a pretty beefy machine. Sun recommends one processor per two 100Mbit interfaces with their Quad Fast Ethernet card.
Personally, I think that's kind of overkill, but I'd still look at something like a 6-processor E3000 with a pair of Quad Fast Ethernet cards.

From owner-firewalls-list Tue Oct 7 07:17:10 1997
From: Eric Vyncke
To: Ciaran Deignan, firewalls@GreatCircle.COM
Subject: Re: dynamic address translation...
Date: Tue, 07 Oct 1997 14:59:28 +0000

Ciaran, some comments in-line:

At 19:14 6/10/97 +0200, Ciaran Deignan wrote:
......
>Basically the new dynamic address translation in netwall replaces the calling
>address and port number in TCP and UDP "connection" requests coming from a
>"mapable" host by the IP address of the interface by which the packet exits
>the machine. The source port is replaced by a number greater than 65000.
>
>For starters I've no idea how it's possible to generate TCP frames with source
>port numbers greater than 2 to-the-power-of 16. But I suppose it's documented in
>an RFC somewhere.

You cannot do this, TCP/UDP ports are 16 bits so must be less than the magic number 65,535.

BTW, with Network Address Translation, NAT, usually only the IP address is translated, leaving the UDP/TCP ports unchanged.
There is an RFC describing NAT (RFC 1631, but I'm not sure about the number). If you want to also change the UDP/TCP port (e.g. to allow the use of a single official IP address to hide your internal network), then:
- you should try to keep the implicit meaning of ports by keeping the ranges < 1024 and > 1024 apart
- you should also translate INTO the UDP/TCP payload for some protocols

>
> I've heard that this type of dynamic address translation has also been
> implemented by Cisco, and that it's called "Source Port Multiplexing" or
> "Source Port Mapping" or something.

BTW I'm working for Cisco, so my comments are probably biased ;-)

Now we call this mechanism (changing the UDP/TCP ports when changing the source IP address) PAT, Port Address Translation.

>
> Obviously this technology only supports TCP and UDP communications. However I
> have the unnerving feeling that some commonly-used services won't like this
> sort of magic. The engineering has told me that FTP is supported, but
> what about sendmail?

Hummm hummmm FTP is not easy, you have to check/translate the PORT PASV commands as well!

sendmail/SMTP will be fine. But think about GRE (directly above IP) which is part of Microsoft PPTP.

>
> Has anybody had any experience with a real-life application of this sort of
> technology, and are there any "gotchas" that you could help us avoid?
>
> Thanks
> Ciaran
>

Good luck (or should I say good M....)
-eric

Eric Vyncke
Technical Consultant
Cisco Systems Belgium SA/NV
Phone: +32-2-778.4677
Fax: +32-2-778.4300
E-mail: evyncke@cisco.com
Mobile: +32-75-312.458

From owner-firewalls-list Tue Oct 7 07:31:40 1997
Date: Tue, 07 Oct 1997 10:25:22 -0400
From: Jamie Pratcher
To: firewalls@GreatCircle.COM
Message-Id: <3.0.32.19971007102521.00aa582c@pophost>

remove

From owner-firewalls-list Tue Oct 7 07:45:56 1997
From: "Caldwell, Matt"
To: "'Firewalls@GreatCircle.COM'", "'Andy Lewis'"
Subject: RE: hosts.allow
Date: Tue, 7 Oct 1997 09:51:29 -0400

You can limit access from the username with tcpwrappers, but this will also affect the rest of your user base. Also, the identd protocol is not very secure; someone with root access to a machine can modify the identd to show that the user is someone else, or possibly the person you are allowing in with that username. It is better to do a combination of both for more security. I suggest you get the newest TCPwrappers and read the documentation.

> ----------
> From: Andy Lewis[SMTP:alewis@mpsi.net]
> Sent: Friday, October 03, 1997 5:04 PM
> To: Firewalls@GreatCircle.COM
> Subject: hosts.allow
>
> I hope that this is not off topic.
>
> Is it possible to put a local system user's name in the
> /etc/hosts.allow file?
>
> I want that person to be able to login from anywhere.
>
> I am running Linux 2.0.30
>
> Thanks
>

From owner-firewalls-list Tue Oct 7 09:01:37 1997
Date: Tue, 7 Oct 1997 09:57:10 -0400
From: WALLY
To: "'Steve Kruse'", Brian Tackett, firewalls@greatcircle.com
Subject: RE: Gauntlet, VPN/WAN/Dialups

The following companies claim to have solutions for your needs.

www.securitydynamics.com
www.vpnet.com
www.infoexpress.com

I like the www.vpnet.com solution.
- Wally

Madison Technology Group (a division of MicroLan Systems, Inc.)
"In Touch With People, In Touch With Technology..."
www.microlan.com
wally@microlan.com
212-883-1000 x 251 (Voice)
212-883-9080 (Fax)

-----Original Message-----
From: Steve Kruse [SMTP:jsk347@worldnet.att.net]
Sent: Tuesday, October 07, 1997 12:05 AM
To: Brian Tackett; firewalls@greatcircle.com
Subject: Re: Gauntlet, VPN/WAN/Dialups

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Brian:

Hmmm.... the problem, it would seem, is that you want STRONG encryption and authentication over international phone lines. There are a spate of products including packet filtering/encrypting routers, 3rd party VPN solutions, firewalls with VPN encryption, etc., on the market. Finding one isn't all that difficult. In fact, picking one out of the "herd" is the toughest part, not finding one anymore.

The PROBLEM you have is that word "international". If you buy a North American product (i.e., US / CANADA) you can't export the strong encryption except in certain cases. As I understand the rules (and someone PLEASE correct me if I am incorrect...) IF the foreign office is => 51% US ownership AND the host country allows it, you can export at least 56-bit DES and possibly IDEA (some countries such as Switzerland allow it). Some countries (France for one) force you to escrow the keys, so dynamic key management can not be done. Getting the US export licence, with proper documentation and a vendor who has all the right contacts, could possibly get this through in under a couple of months.

As to the configuration, the RAS behind the firewall is, to say the least, really a bad bad bad idea. I'm getting a rash thinking about it. It's like putting all the right locks and bars on the door and leaving the window open with a neon sign pointing to it. The compromise, as I see it, would be to put the dial up on the service net, make the dial up users use S/Key or some token card, and use very strict plug-to's through the firewall.
It's not perfect, but it's a damn sight better than having RAS behind the locked door!

My $.02 (US) worth.

This would change the picture slightly using 3 interfaces on the Firewall, not 2:

          ( Internet )
               |
               |
           {PKT RTR}
               |
               |                  Service Net
          ((FIREWALL))---------------------
               |               |    |    |
               |               |    |    |
               |               |    |    |
               |              WWW  DNS  RAS
               |
     -----------------------------
              PRIVATE NET

Comments Welcome. Flames ignored!

At 09:36 PM 10/6/97 +0000, Brian Tackett wrote:
> All,
>
> Interesting question. We're currently engaged in doing some initial
> research for a customer which operates an international WAN, with much of
> the processing done in a stateside location. Here is my series of
> questions:
>
> 1) We're using the following setup....
>
>       INTERNET <---T1--->
>            |
>
>            |
>            |
>
>            |
>       NT servers, with Oracle, other internal stuff
>       RAS Server with remote dialups
>            |
>            |
>       Remote offices worldwide, dialing in.
>
>
> Now.....
>
> 2) I am VERY uneasy about having a) RAS dialups and b) a Frame Relay WAN
> behind the firewall. Backdoors are evil. However, the customer is very
> reluctant to relocate those outside the firewall, since they feel this
> would a) load the firewall much more, and b) introduce more failure
> points. What are some options as far as VPN or like products which could
> be used to secure dialups and/or FR sites? Specifically, can anyone give
> solid recommendations for something that does strong authentication and
> encryption over international telephone lines?
>
>
>
>
-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQA/AwUBNDmzztIk6V3CiVjTEQLV2QCeOIoWDzxN3mNbm4JOx+7DZlXNzesAn03I
nend8K/tI4kFBIy2uUgqQhbH
=JNWE
-----END PGP SIGNATURE-----

***********************************************************************
* Check out http://www.milkyway.com for the best in network security! *
* Steve Kruse                                PGP Key on most servers *
* PGP Fingerprint: 4BBF 43D2 69A4 E111 3089 C54B D224 E95D C289 58D3 *
***********************************************************************

From owner-firewalls-list Tue Oct 7 09:06:06 1997
Date: Tue, 7 Oct 1997 10:54:44 -0500 (CDT)
From: Andy Lewis
To: "Caldwell, Matt"
cc: "'Firewalls@GreatCircle.COM'"
Subject: RE: hosts.allow

On Tue, 7 Oct 1997, Caldwell, Matt wrote:
> I suggest you get the
> newest TCPwrappers and read the documentation.
>

Where might I get TCPwrappers?
Andy

From owner-firewalls-list Tue Oct 7 09:20:39 1997
Date: Tue, 7 Oct 1997 19:35:19 +0300
From: "Maxim_Kotliarov"
Subject: Registration
Message-Id: <199710071540.TAA21740@mail.chat.ru>

From owner-firewalls-list Tue Oct 7 09:22:15 1997
Date: Tue, 7 Oct 1997 19:35:29 +0300
From: "Maxim_Kotliarov"
Subject: Registration
Message-Id: <199710071540.TAA21839@mail.chat.ru>

From owner-firewalls-list Tue Oct 7 09:32:41 1997
Date: Tue, 7 Oct 1997 09:11:54 -0700
From: James Terry
To: "'Peter Enderborg'", "'Nobuhiko Yoshimoto'"
Cc: "'firewalls@GreatCircle.COM'"
Subject: RE: Multi-interface firewalls

FW1 could do it, but expect trouble if you need to do NAT on more than one of them.

james@imx-exchange.com

> -----Original Message-----
> From: Peter Enderborg [SMTP:pme@imxexchange.co]
> Sent: Tuesday, October 07, 1997 5:35 AM
> To: Nobuhiko Yoshimoto
> Cc: firewalls@GreatCircle.COM
> Subject: Re: Multi-interface firewalls
>
> Nobuhiko Yoshimoto wrote:
>
>> > We need to set up a firewall with at least 8 ethernet interfaces, and
>> > it is good if they are 100Mbit/s interfaces.
>> > Does it exist on the market? Most of the firewalls that I have seen
>> > had only 3 interfaces. Some would be very
>> > easy to extend to 8, but what about the software? I know that Linux
>> > could do it, but what about Firewall-1
>> > on a sparc? Any other good ideas?
>> >
>>
>> The Firewall-1 supports up to 12 NW interfaces. I've no idea, however,
>> how many interfaces linux could feature.
>>
>> Nobuhiko Yoshimoto
>> Nihon Keizai Shimbun Inc.
>> yoshi@nikkei.co.jp
>> phone:813-5690-0256
>> fax:813-5690-0250
>
> We have a Linux running as a router in a test environment with 9 x 100
> Mbit/s, and I don't think it's
> too much job to get in another 12 interfaces. But don't ask me to guess
> the throughput...
> (We use Znyx 4x100 on each PCI card)
>

From owner-firewalls-list Tue Oct 7 09:42:51 1997
Date: Tue, 7 Oct 1997 09:52:46 -0400
From: "Engasser, Charlie"
To: "'Paul D. Robertson'"
Cc: "'Firewalls@GreatCircle.COM'"
Subject: RE: Firewall-1, packet -VS- Proxy

>
> Looking at past exploits, and Checkpoint's reaction to the OOB bug in
> Windows NT, I would say that the hosting machine's services for
> administration and VPN support seem to be unhardened, and vulnerable to
> exploitation without extra work. If those responses are indicative of the
> overall argument of a hardened system versus a shim in the driver layer,
> then that shim boat just don't float.
>
> Checkpoint released a patch for 3.0 that dropped all urgent data, so?
> And if you are running it on NT you can also install the OOBFIX if you
> are that paranoid.
>
>> it hardens the system it's on? What exactly does that mean anyway? Do
>> >>you<< know? In my opinion, the cost of a firewall product itself is
>
> If the vendor can't quantify 'harden' to your satisfaction, you're dealing
> with the wrong vendor.
>
> That is one of the very reasons I said to avoid Secure. That and lousy
> phone support with people that obviously didn't know their own products.
>
> There is value to having a hardened OS, network
> stack, filesystem, etc. A great deal of value in many instances, a number
> of which depend on the specific installation. For instance, if your
> firewall is going to play with a global authentication strategy, then
> you'll want to know the stack can survive low-level attacks.
>
> I never said that a hardened OS wasn't bad strategy, I merely said that
> I don't take a vendor's claims at face value.
>
> Dismissing hardening because you can't quantify a particular instantiation
> doesn't remove the value of someone having poked deep enough into the OS
> to remove some of its inherent problems.
>
> Sorry, I just don't see why you'd take it on blind faith. Again, as I
> stated in my earlier message, if you are not willing to test a
> firewall's feature sets against what the vendor claims, then what's the
> point of putting it in? Why should anyone dismiss Firewall-1 out of
> hand just because they have "heard" that it's hard to configure and
> that it doesn't automatically harden the OS? So what? This goes back to
> my experiences with Secure, they >>insisted<< you could pass NBT
> traffic through Borderware, but NOBODY could tell me how to do it. Why
> say it's possible, but it really isn't? They said you >should< be able
> to do it with 4 (I was running 3.1) but then, nobody would let me have
> an eval copy to test it because I didn't buy a support contract (Border
> Technologies didn't require a support contract, but after Secure bought
> them out, they did).
>
>> As for the previous poster, I don't think that I would decide on
>> Gauntlet unless I had already put a few more firewalls on a testbed.
>> Gauntlet is rated fairly well as far as security goes, but its
>> performance figures suck. It drops packets left and right when under
>
> Funny, all the studies I've seen for Gauntlet's performance far outstrip
> the available Internet bandwidth at most sites. Care to reference some
> figures?
> I'm preparing for some benchmarks in the near future on a few
> products, and I'd be more than happy to check your results.
>
> Available internet bandwidth yes, but not intranet bandwidth. The
> poster didn't specify. In my case I've got 2 T-1's, a leased 56, and a
> 128kb ISDN running through mine, with another pair of T-1's definitely
> on the way and maybe another T-1 in the far distant future. Not to
> mention a host of remote dialins.
>
> I was thinking of the March 97 issue of Data Communications magazine.
> This responds to the TIS person that posted earlier. One of Datacom's
> stress tests on 100bt intranet links showed that Gauntlet performed at
> the bottom of the pack when used in that scenario. Since the original
> poster didn't specify what he wanted it for I made a global statement.
> Later, in the message I said that I thought Gauntlet would suffice when
> used as an internet gateway. I believe it was their website they posted
> figures that showed some 10-30 percent of the packets being dropped
> when under that high load. Maybe it was misconfigured, maybe not.
>
> Given FW-1's lack of _complete_ implementation of stateful filtering, as
> well as the complexity of being able to do it well would steer me away
> from it as a solution. For instance, Firewall-1 does *not* maintain state
> information for ICMP as it ships. All those reverse-telnet over ICMP
> programs floating around the net tend to worry me.
>
> I'd only be worried about them if I allowed telnet in. I wouldn't, and
> even if I did, I'd use a VPN. Besides, isn't telnet dead? (that's a joke
> son).
>
> Consistency is important in security. You should be able to predict what
> your firewall will do with traffic, and how it applies its protection
> mechanisms. Unfortunately, the only way to find that out with FW-1 seems
> to be with a sniffer and a *lot* of time. If you've got the time to write
> Inspect code, and you trust the state engine to pass the right packets up,
> the FW-1 can make a good tool.
> However, it is marketed as a solution,
> not a tool, and frankly, it *needs* work for anything but the most blatant
> policies which are *much* more easily verifiable via application layer
> gateway.
>
> Such as what? Enlighten me. I work on a relatively small network that
> has limited inbound requirements. If I install Firewall-1 to block
> incoming traffic (or any firewall for that matter) what do I care how
> it does it? If Firewall-1 does what it claims to (and I have not seen
> anything that shows otherwise) then why should I care? And another
> thing, how >>does<< one go about "predicting" what a proxy will do with
> a packet?
>
> What have you shown Firewall-1 to be vulnerable to in your testbeds?
> How about some specifics?
>
> Making it *easy* for someone to punch large gaping holes in their
> perimeter without quantifying the risks is generally thought to be a bad
> thing. Personally, I think you should have to drag out the manual and
> understand what you are doing.
>
> Why am I making it easy? I told him to check their claims. Why do you
> have a problem with that? Or are you just pissed because I don't have a
> high opinion of Gauntlet?
>
>> I would avoid at all costs:
>>
>> Borderware (and probably Sidewinder too) and On Track's OnGuard. E-mail
>> me for details if you need them.
>
> If you're going to slam them in public, then make your accusations known.
> Given the lack of data backing up your assertions of Gauntlet's
> performance, and the existence of data to the contrary, I, for one, am
> skeptical.
>
> Then I provide it. Big deal. I didn't think it was relevant. If he
> wanted to email me, or anyone else for that matter, they are welcome
> to. I didn't feel like getting into a tirade over a mail list. Since I
> have already stated what I found wrong with Secure, my problems with
> Ontrack were that they are a black box hardware solution and they
> shipped me 2 firewalls that ate themselves after less than 2 hours on
> the bench. Maybe their product works fine.
> When it's not smokin'.
> Another thing wrong with OnGuard was, at least in the version I tested,
> you can only configure the system from a remote client, not from the
> console. When you install the system, it's possible to configure the
> box so that it tells you "WARNING If you proceed with this operation
> you will be disconnected from the Firewall and you may not be able to
> reconnect". Hit "OK". That's it. NO Hit "cancel, abort" Just OK. Now
> someone who knew better would shut the system off at that point, but
> since the "feature" wasn't documented, I hit "OK" thinking it would
> drop back into the menu. Nope. Sure enough, you hit OK. And boom. And
> while I'm on the phone with Tech support, the system dies completely.
> They send me a second one, which dies on its own without me even
> touching it.
>
> I didn't press on with the solution.
>
> Now, the vendor I'm working with that provided me with eval copies of
> the various products bent over backwards to give me anything I wanted,
> and their tech support even knows a thing or two about the stuff they
> sell.
>
> Paul
> -----------------------------------------------------------------------------
> Paul D. Robertson      "My statements in this message are personal opinions
> proberts@clark.net      which may have no basis whatsoever in fact."
>
> PSB#9280
>

From owner-firewalls-list Tue Oct 7 10:09:56 1997
Date: Tue, 7 Oct 1997 12:49:12 -0400 (EDT)
From: "H. Morrow Long"
To: Russ.Cooper@rc.on.ca, firewalls@greatcircle.com
Subject: RE: VPNs and PPTP
Message-Id: <199710071649.MAA09292@SPARKY.CF.CS.YALE.EDU>

Russ wrote:
>> 7) no support for non-MS based servers and clients.
>
> and SecuRemote runs on...??? (no slam against CP, but it only runs on
> W95 and NT, right (or server to server as long as they're both CP FWs)
> Same is true of more than a few VPN clients).

You can get PPTP clients from Network TeleSystems (www.nts.com) for MacOS.

According to the definitive Microsoft web page on the latest update of RRAS/PPTP ( http://www.microsoft.com/ntserver/info/rasopfaq.htm ) there is also a vendor working on a port of PPTP to Unix.

There are a few router/terminal-server vendors who make PPTP compliant PPP dialup servers. CISCO is likely to get into this business as well for the merged L2TP (a merger of CISCO L2F and MS PPTP) standard. As I understand it, L2TP will be put forward as a standard available for anyone who wants to develop clients or servers. It is a compromise between Cisco and Microsoft which both wanted to put forward their own protocols as Internet standards.

B.T.W.
MS NT 5.0 beta is also supposed to contain IPSEC according to someone who attended the recent developers conference in San Diego as well as the web page: http://www.microsoft.com/ntserver/info/nt5_features.htm

H. Morrow Long, Yale Univ IT ISO - Info Technology Services Info Security Officer
175 Whitney Avenue, New Haven, CT 06520-8276, (203)432-1248 (voice) 432-0593 (FAX)
INET: http://pantheon.yale.edu/~long/  mailto:Morrow.Long@yale.edu
PAGE: (203)370-3081, (800)347-2574, mailto:1165469@pager.mcb.com PIN# 1165469
PGP 1024/54F9FD69 1997/08/25 fp 97 ED E7 9D 41 8A 90 8C 4D 7C 22 56 80 BA 84 09

From owner-firewalls-list Tue Oct 7 10:17:24 1997
Date: Tue, 07 Oct 1997 12:13:14 -0500
From: Christopher Michael
To: Steve Kruse, Brian Tackett, firewalls@GreatCircle.COM
Subject: Re: Gauntlet, VPN/WAN/Dialups
Message-Id: <3.0.3.32.19971007121314.00e94790@popmail.insnet.com>

At 11:05 PM 10/6/97 -0500, Steve Kruse wrote:
> The PROBLEM you have is that word "international". If you buy a
> North American product (i.e., US / CANADA) you can't export the strong
> encryption except in certain cases.
Gauntlet is pre-approved to export to most friendly places.

> As to the configuration, the RAS behind the firewall is, to say the
> least, really a bad bad bad idea.

Look at Gauntlet's PC extender. It does encryption from a PC to the firewall so you could put the RAS stuff on the outside of the firewall without compromising security.

--
<--listserv unconfuser
{ | Christopher Michael | RMS: information technology integrators |
  | PGP fingerprint: 585A 5EAA 6A93 EF98 EF15 F79F 7B42 4B2A }

From owner-firewalls-list Tue Oct 7 10:31:41 1997
Date: Tue, 7 Oct 1997 09:52:26 -0400
From: WALLY
To: "'Nobuhiko Yoshimoto'", Peter Enderborg
Cc: firewalls@GreatCircle.COM
Subject: RE: Multi-interface firewalls

Take a look at the Ipsilon product with Checkpoint running on it. It should provide you with the throughput that you are looking for.

- Wally
Madison Technology Group (a division of MicroLan Systems, Inc.)

-----Original Message-----
From: Nobuhiko Yoshimoto [SMTP:yoshi@koto.nikkei.co.jp]
Sent: Tuesday, October 07, 1997 5:12 AM
To: Peter Enderborg
Cc: firewalls@GreatCircle.COM
Subject: Re: Multi-interface firewalls

> We need to set up a firewall with at least 8 ethernet interfaces, and
> it is good if they are 100Mbit/s interfaces.
> Does it exist on the market? Most of the firewalls that I have seen
> had only 3 interfaces. Some would be very
> easy to extend to 8, but what about the software? I know that Linux
> could do it, but what about Firewall-1
> on a sparc? Any other good ideas?
>

The Firewall-1 supports up to 12 NW interfaces. I've no idea, however, how many interfaces linux could feature.

Nobuhiko Yoshimoto
Nihon Keizai Shimbun Inc.
yoshi@nikkei.co.jp
phone:813-5690-0256
fax:813-5690-0250

From owner-firewalls-list Tue Oct 7 12:47:08 1997
Date: Tue, 7 Oct 1997 14:44:31 -0400 (EDT)
From: "Henry W. Farkas"
To: Andy Lewis
cc: "Caldwell, Matt", "'Firewalls@GreatCircle.COM'"
Subject: RE: hosts.allow

On Tue, 7 Oct 1997, Andy Lewis wrote:
> On Tue, 7 Oct 1997, Caldwell, Matt wrote:
> Where might I get TCPwrappers?
ftp://coast.cs.purdue.edu/pub/tools/unix/tcp_wrappers/

===========================================================================
You can no more win a war than you can win an earthquake. -Jeanette Rankin
PGP fingerprint AA D0 F5 44 C1 8C 11 52 - B3 80 34 1C CE 38 EC 53

From owner-firewalls-list Tue Oct 7 13:05:20 1997
Date: Tue, 07 Oct 1997 10:57:09 -0700
From: Bill Stout
To: firewalls@GreatCircle.COM
Subject: RE: what ports to pass for exchange/outlook
Message-Id: <2.2.32.19971007175709.0101adf4@192.168.0.37>

You might want to consider using PPTP, Net-net Tunnel servers, or PC-Firewall Tunnel VPNs rather than opening a slew of ports for each new service on your firewall. The more you let through, the less of a firewall it is. Behind the tunnel use packet filtering to decide who gets to what (security in layers).

As someone stated before, firewalls are good at filtering solicited services, and not so good at filtering unsolicited services.
I submit that for these new unsolicited services you have to fall back on strong authentication & encryption rather than rely on a generic proxy. Proxy developers can't keep up with all new applications, since proxies essentially are copies of that application running on a gateway machine(i.e.; to proxy, to act for). I believe the future of firewalls will be as a group of proxy servers, VPN machines and secure application servers. (Oh, here he goes with that farm thing again...). ;) Bill Stout From owner-firewalls-list Tue Oct 7 13:14:34 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA21938; Tue, 7 Oct 1997 11:27:13 -0700 (PDT) Received: from gate1.shellus.com (gate1.shellus.com [204.71.91.5]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id LAA21879 for ; Tue, 7 Oct 1997 11:26:49 -0700 (PDT) Received: by gate1.shellus.com; id NAA27835; Tue, 7 Oct 1997 13:29:09 -0500 (CDT) Received: from unknown(134.163.2.2) by gate1.shellus.com via smap (3.2) id xma027069; Tue, 7 Oct 97 13:28:01 -0500 Received: from icsscxh1 by icsrv01 (AIX 4.1/UCB 5.64/FEJ.AIX.1.2) id AA59104; Tue, 7 Oct 1997 13:26:22 -0500 Received: by icsscxh1.shell.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52) id <01BCD324.FF3E2F00@icsscxh1.shell.com>; Tue, 7 Oct 1997 13:29:11 -0500 Message-Id: From: "Bowers T (Thomas) at MSXSSC" To: "'firewalls@greatcircle.com'" , "'Russ'" Subject: RE: VPNs and PPTP Date: Tue, 7 Oct 1997 13:28:01 -0500 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Does anyone have practical experience running large numbers of concurrent sessions through a PPTP server? We've measured an x % performance penalty (relative to throughput for a PPTP session versus a non-PPTP session) Basically a performance penalty doesn't bother me... 
it's the thought of many cumulative flows dragging down a common point of convergence (i.e. the server). My gut feeling isn't that it's not practical to expect PPTP to scale well... It might work great for a limited set of users, but if many people started using it, it wouldn't perform as well as other hardware-based products...

>----------
>From: Russ[SMTP:Russ.Cooper@rc.on.ca]
>Sent: Tuesday, October 07, 1997 7:17 AM
>To: firewalls@greatcircle.com
>Subject: RE: VPNs and PPTP
>
>> 1) weak authentication
>
>Security Dynamics say they have made PPTP work with SecurID.
>
>> 2) slower
>
>Than what?? Personally, with PPP compression, my speeds have been quite reasonable, dare I say fast?
>
>> 3) bitch to install and figure out routing
>
>Details, details, details, it's not a bitch to install, although it may be a bitch to figure out the routing if you haven't read the manuals...;-]
>
>> 4) GRE doesn't pass through all firewalls
>
>Really?? Which ones??? There's no "proxy" for GRE, that's true, but as a generic protocol, which FW doesn't support passing GRE through?
>
>> 5) precious little debug information
>
>Interesting, you can get full PPP debug information through RAS. As for the PPTP control channel, well that may be an area lacking. Of course you could just sniff 1723 and see for yourself, but I suppose you think there should be some sort of logging?? With Routing and Remote Access Server (RRAS) you do get a whole lot more information.
>
>> 6) uses existing NT RAS administrative model
>
>I don't see why this is a big issue, for customers who are upgrading modem connections to ISP-style connections, it's logical.
>
>> 7) no support for non-MS based servers and clients.
>
>and SecuRemote runs on...??? (no slam against CP, but it only runs on W95 and NT, right (or server to server as long as they're both CP FWs) Same is true of more than a few VPN clients).
>
>> 8) black box implementation
>
>and SecuRemote is a...??? V-One is a...??? Altavista is a...???
>Lots of black boxes around these days...;-]
>
>> 9) Extra hardware if you're not currently running NT server
>> NT server isn't cheap.
>
>and SmartGate runs on...??? or Altavista Tunnel. An extra server for VPN is definitely not unique to PPTP, and few of them are cheap. Maybe the point should be that if you *are* running NT, it's FREE.
>
>> 10) uses existing user database
>
>most see this as an advantage, but obviously coupled with item #1 above could be a disadvantage. It certainly doesn't have to be your existing user database, you could easily create a separate domain with a single user for each person connecting in and then use Trusts to determine what they can get to. IOW, it doesn't have to use an existing user database.
>
>> 11) no key mgt
>
>well, maybe that's because there are no keys...;-]...but really, isn't this one of the reasons for #1 above? SecurID is supposed to work, I've been told it works, but I haven't seen it work yet with PPTP.
>
>> 12) transports IPX and native NETBEUI
>
>and this is a bad thing(tm)??? Better talk to those folks over at Network-1, their Firewall/Plus transports anything, and I mean anything...;-]
>
>Don't get me wrong, I'm not advocating the use of PPTP or saying it's the best thing since sliced bread or anything. As always, I just don't like the idea that things MS get slammed due to lack of understanding. PPTP is proprietary, since it wasn't readily adopted, and will eventually be L2TP instead, so mass deployment may not be a good idea until you've talked to MS and found out whether the upgrade is going to be painless or not (if you do, let me know).
>
>If you've got NT 4.0 today and are evaluating VPNs, trialing PPTP makes a whole lot of sense in my mind.
>
>Cheers,
>Russ
>R.C. Consulting, Inc.
- NT/Internet Security > From owner-firewalls-list Tue Oct 7 14:16:19 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA11015; Tue, 7 Oct 1997 13:20:57 -0700 (PDT) Received: from u1.abs.net (u1.abs.net [207.114.0.131]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id NAA10978 for ; Tue, 7 Oct 1997 13:20:43 -0700 (PDT) Received: from smtp.normandev.com (root@smtp.normandev.com [207.114.72.7]) by u1.abs.net (8.8.5/8.8.5) with ESMTP id QAA22632 for ; Tue, 7 Oct 1997 16:22:31 -0400 (EDT) Received: from firewall (firewall.normandev.com [207.114.72.3]) by smtp.normandev.com (8.7.5/8.7.3) with SMTP id KAA01691 for ; Tue, 7 Oct 1997 10:19:35 -0400 Received: by NORMANMAIL with Internet Mail Service (5.0.1457.3) id <4CAKT43W>; Tue, 7 Oct 1997 16:23:09 -0400 Message-ID: <310DA102753AD111A9DD0060976CEEB71512@NORMANMAIL> From: Tim Shoemaker To: "'firewalls@greatcircle.com'" Subject: Security Show Date: Tue, 7 Oct 1997 16:23:08 -0400 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1457.3) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk For anyone interested there is a security show in the Baltimore Convention Center on Wednesday and Thursday Oct 7&8 from 10 to 4pm. If anyone is interested please get in touch with me. We will be exhibiting the Norman Firewall version 4.0 for HP-UX and Sun Solaris through HP on both days so stop by and check us out! 
Thanks, Tim Shoemaker Norman Development, USA http://www.normandev.com or http://www.norman.com

From owner-firewalls-list Tue Oct 7 14:18:18 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA12652; Tue, 7 Oct 1997 13:30:10 -0700 (PDT) Received: from relay1.smtp.psi.net (relay1.smtp.psi.net [38.8.14.2]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id NAA12498 for ; Tue, 7 Oct 1997 13:29:35 -0700 (PDT) Received: from bbdo.com by relay1.smtp.psi.net (8.8.5/SMI-5.4-PSI) id QAA25004; Tue, 7 Oct 1997 16:31:20 -0400 (EDT) Message-ID: Date: 7 Oct 1997 16:19:01 -0500 From: "David Glosser" Subject: Internet email security & r To: "firewalls" X-Mailer: Mail*Link SMTP-QM 4.1.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Subject: Internet email security & reliability

I apologize if this is not directly related to firewalls, but I did a search of the Net and couldn't find anything.... Are there any white papers, studies, hard facts, etc. that are related to the lack of security and reliability of internet e-mail and why it is not appropriate for corporate use? Any articles, pointers, links, publications, etc. (or suggestions of other forums) would be appreciated. Please e-mail me directly since I know this is not directly related to firewalls; I'll post a summary.
Thanks in advance David Glosser glosser@bbdo.com

From owner-firewalls-list Tue Oct 7 16:16:20 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id QAA12089; Tue, 7 Oct 1997 16:00:27 -0700 (PDT) Received: from mail2.noc.netcom.net (mail2.noc.netcom.net [199.183.9.3]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id QAA12043 for ; Tue, 7 Oct 1997 16:00:13 -0700 (PDT) Received: from svl-mail ([149.64.70.9]) by mail2.noc.netcom.net (8.8.5/8.8.5) with SMTP id QAA03501; Tue, 7 Oct 1997 16:06:04 -0700 (PDT) Received: from scitor.com ([149.64.70.9]) by svl-mail (InterScan E-Mail VirusWall NT) Received: from ccMail by scitor.com (IMA Internet Exchange 2.1 Enterprise) id 000363BA; Tue, 7 Oct 97 16:04:02 -0700 Mime-Version: 1.0 Date: Tue, 7 Oct 1997 16:01:20 -0700 Message-ID: <000363BA.1249@scitor.com> From: dbovee@scitor.com (David Bovee) Subject: Re: Internet email security & r To: "firewalls" , "David Glosser" Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Description: cc:Mail note part Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

May I interpret this as a question that has *already* been answered...?

"...why it is not appropriate for corporate use?"
                      ^^^

Pardon me, but isn't a lot of business conducted via Internet email daily? Anyway, what's the difference between Internet email and email going from a subnetted/firewalled corporate intranet to an entirely different intranet within the same large corporation???

-David Bovee

______________________________ Reply Separator _________________________________
Subject: Internet email security & r
Author: "David Glosser" at Internet
Date: 10/7/97 3:59 PM

Subject: Internet email security & reliability

I apologize if this is not directly related to firewalls, but I did a search of the Net and couldn't find anything.... Are there any white papers, studies, hard facts, etc.
that are related to the lack of security and reliability of internet e-mail and why it is not appropriate for corporate use? Any articles, pointers, links, publications, etc. (or suggestions of other forums) would be appreciated. Please e-mail me directly since I know this is not directly related to firewalls; I'll post a summary. Thanks in advance David Glosser glosser@bbdo.com

From owner-firewalls-list Tue Oct 7 16:48:20 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id QAA15504; Tue, 7 Oct 1997 16:30:27 -0700 (PDT) Received: from mail2.noc.netcom.net (mail2.noc.netcom.net [199.183.9.3]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id QAA15485 for ; Tue, 7 Oct 1997 16:30:10 -0700 (PDT) Received: from svl-mail ([149.64.70.9]) by mail2.noc.netcom.net (8.8.5/8.8.5) with SMTP id QAA04457; Tue, 7 Oct 1997 16:36:08 -0700 (PDT) Received: from scitor.com ([149.64.70.9]) by svl-mail (InterScan E-Mail VirusWall NT) Received: from ccMail by scitor.com (IMA Internet Exchange 2.1 Enterprise) id 000363E1; Tue, 7 Oct 97 16:34:06 -0700 Mime-Version: 1.0 Date: Tue, 7 Oct 1997 16:30:14 -0700 Message-ID: <000363E1.1249@scitor.com> From: dbovee@scitor.com (David Bovee) Subject: Re[2]: VPNs and PPTP To: "'firewalls@greatcircle.com'" , "'Russ'" , "Bowers T (Thomas) _at_MSXSSC" Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Description: cc:Mail note part Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Are you willing to divulge the quantitative data? I am personally curious to know what sort of impact you have measured as a result of PPTP? We are in the process of putting up such a server and expect it to service hundreds of sessions daily, which probably is not in the range of the load you were initially questioning...? Thanks.
-David Bovee

______________________________ Reply Separator _________________________________
Subject: RE: VPNs and PPTP
Author: "Bowers T (Thomas) _at_MSXSSC" at Internet
Date: 10/7/97 4:28 PM

Does anyone have practical experience running large numbers of concurrent sessions through a PPTP server? We've measured an x % performance penalty (relative to throughput for a PPTP session versus a non-PPTP session). Basically a performance penalty doesn't bother me... it's the thought of many cumulative flows dragging down a common point of convergence (i.e. the server). My gut feeling isn't that it's not practical to expect PPTP to scale well... It might work great for a limited set of users, but if many people started using it, it wouldn't perform as well as other hardware-based products...

>----------
>From: Russ[SMTP:Russ.Cooper@rc.on.ca]
>Sent: Tuesday, October 07, 1997 7:17 AM
>To: firewalls@greatcircle.com
>Subject: RE: VPNs and PPTP
>
>> 1) weak authentication
>
>Security Dynamics say they have made PPTP work with SecurID.
>
>> 2) slower
>
>Than what?? Personally, with PPP compression, my speeds have been quite reasonable, dare I say fast?
>
>> 3) bitch to install and figure out routing
>
>Details, details, details, it's not a bitch to install, although it may be a bitch to figure out the routing if you haven't read the manuals...;-]
>
>> 4) GRE doesn't pass through all firewalls
>
>Really?? Which ones??? There's no "proxy" for GRE, that's true, but as a generic protocol, which FW doesn't support passing GRE through?
>
>> 5) precious little debug information
>
>Interesting, you can get full PPP debug information through RAS. As for the PPTP control channel, well that may be an area lacking. Of course you could just sniff 1723 and see for yourself, but I suppose you think there should be some sort of logging?? With Routing and Remote Access Server (RRAS) you do get a whole lot more information.
>
>> 6) uses existing NT RAS administrative model
>
>I don't see why this is a big issue, for customers who are upgrading modem connections to ISP-style connections, it's logical.
>
>> 7) no support for non-MS based servers and clients.
>
>and SecuRemote runs on...??? (no slam against CP, but it only runs on W95 and NT, right (or server to server as long as they're both CP FWs) Same is true of more than a few VPN clients).
>
>> 8) black box implementation
>
>and SecuRemote is a...??? V-One is a...??? Altavista is a...??? Lots of black boxes around these days...;-]
>
>> 9) Extra hardware if you're not currently running NT server
>> NT server isn't cheap.
>
>and SmartGate runs on...??? or Altavista Tunnel. An extra server for VPN is definitely not unique to PPTP, and few of them are cheap. Maybe the point should be that if you *are* running NT, it's FREE.
>
>> 10) uses existing user database
>
>most see this as an advantage, but obviously coupled with item #1 above could be a disadvantage. It certainly doesn't have to be your existing user database, you could easily create a separate domain with a single user for each person connecting in and then use Trusts to determine what they can get to. IOW, it doesn't have to use an existing user database.
>
>> 11) no key mgt
>
>well, maybe that's because there are no keys...;-]...but really, isn't this one of the reasons for #1 above? SecurID is supposed to work, I've been told it works, but I haven't seen it work yet with PPTP.
>
>> 12) transports IPX and native NETBEUI
>
>and this is a bad thing(tm)??? Better talk to those folks over at Network-1, their Firewall/Plus transports anything, and I mean anything...;-]
>
>Don't get me wrong, I'm not advocating the use of PPTP or saying it's the best thing since sliced bread or anything. As always, I just don't like the idea that things MS get slammed due to lack of understanding.
>PPTP is proprietary, since it wasn't readily adopted, and will eventually be L2TP instead, so mass deployment may not be a good idea until you've talked to MS and found out whether the upgrade is going to be painless or not (if you do, let me know).
>
>If you've got NT 4.0 today and are evaluating VPNs, trialing PPTP makes a whole lot of sense in my mind.
>
>Cheers,
>Russ
>R.C. Consulting, Inc. - NT/Internet Security
>

From owner-firewalls-list Tue Oct 7 17:01:46 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA21080; Tue, 7 Oct 1997 14:11:59 -0700 (PDT) Received: from custmail.Internex.NET (custmail.internex.net [199.2.14.12]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id OAA20883 for ; Tue, 7 Oct 1997 14:11:10 -0700 (PDT) Received: from logistix.com (gatekeeper.logistix.com [205.158.31.130]) by custmail.Internex.NET (8.8.5/8.8.5) with SMTP id OAA14767 for ; Tue, 7 Oct 1997 14:12:20 -0700 (PDT) Received: from snm.logistix.com by logistix.com (SMI-8.6/SMI-SVR4) id OAA01110; Tue, 7 Oct 1997 14:12:20 -0700 Received: from fremont.logistix.com by snm.logistix.com (SMI-8.6/SMI-SVR4) id OAA29220; Tue, 7 Oct 1997 14:21:43 -0700 Received: from sirius.com ([10.11.51.245]) by fremont.logistix.com (Netscape Mail Server v1.1) with ESMTP id AAA78 for ; Tue, 7 Oct 1997 14:07:56 -0700 Message-ID: <343AA6D7.AAAEA938@sirius.com> Date: Tue, 07 Oct 1997 14:17:11 -0700 From: "Alberto U. Begliomini" Organization: Coldstone Consulting X-Mailer: Mozilla 4.02 [en] (X11; I; SunOS 5.5.1 sun4m) MIME-Version: 1.0 To: firewalls@greatcircle.com Subject: PIX Firewall and DNS Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I have a PIX Firewall running 4.0.7 and DNS configured with a split-horizon topology. The old DNS servers are running BIND 4.8.3 and they work fine.
I also have two new servers, one internal and one external, running BIND 4.9.6, and unfortunately I have problems with those. Every time the new internal server forwards a query to the external server (I use the "forwarders" directive and the "forward-only" option) it takes several tries for the internal server to get a response. This does not happen with the old servers.

To debug the problem, I have also tried to forward the queries from the new internal server to the old internal server and, even if this introduces an additional hop, it works fine and fast. Forwarding queries from the new internal server to the old external server causes the problem to happen again. It looks like every time I try to forward the queries from the new server running 4.9.6 to any of the DNS servers (old or new) on the DMZ through the PIX I run into trouble. I have tried this configuration from different internal servers running 4.9.6 or with the 4.9.3 that comes with the Solaris recommended 2.5.1 patches, same result.

I wonder if anybody has the same DNS topology (split-horizon) with BIND at level 4.9.x and a PIX router in the middle, running without any performance problem. Any idea?

-- Alberto U. Begliomini Email: aub@sirius.com Coldstone Consulting Phone: 415-370-7723 Theory guides, experiment decides.
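The symptom above ("it takes several tries" from a forward-only server through the PIX) is what a resolver's retry timer looks like when replies, rather than queries, are being lost between the forwarder and the firewall. The following is an added example written for this archive, not code from the post, from BIND or from the PIX: it builds a real RFC 1035 query, models a forwarder answering it, and models a firewall that drops the first N replies, so the elapsed time per attempt can be seen. The drop-N behaviour, the txid, the 2-second timeout and the forwarder's answer address are all constructed assumptions for the example and are not a claim about how the PIX handles DNS.

```python
import struct

# Added example (not code from the original post, BIND or the PIX). A forwarding
# resolver sends a query to a forwarder on the far side of a firewall and retries
# on timeout. The firewall model drops the first N replies: an assumption made to
# reproduce the "takes several tries" symptom, not a statement about the PIX.


def build_query(qname, txid, qtype=1, qclass=1):
    """Encode a standard recursive DNS query in RFC 1035 wire format."""
    # flags 0x0100 = RD (recursion desired); one question, no other sections
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        struct.pack("!B", len(part)) + part.encode("ascii")
        for part in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, qclass)


def parse_header(msg):
    """Return (txid, is_response, rcode, qdcount, ancount) from a DNS message."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return txid, bool(flags & 0x8000), flags & 0x000F, qd, an


def forwarder_reply(query, address="192.0.2.1"):
    """What the forwarder sends back: same txid, QR/RD/RA set, the question
    echoed, and one A record (documentation address, constructed for the example)."""
    txid, _, _, _, _ = parse_header(query)
    question = query[12:]
    # name = pointer to offset 12 (0xC00C), type A, class IN, TTL 300, RDLENGTH 4
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4)
    answer += bytes(int(octet) for octet in address.split("."))
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + answer


class DroppingFirewall:
    """Passes every query outbound but silently drops the first `drop_first`
    replies coming back. Constructed model, not PIX behaviour."""

    def __init__(self, drop_first):
        self.drop_first = drop_first
        self.replies_seen = 0

    def pass_reply(self, reply):
        self.replies_seen += 1
        return reply if self.replies_seen > self.drop_first else None


def forward_with_retry(qname, firewall, txid=0x1234, max_tries=4, timeout=2.0):
    """Send the query through `firewall`, wait `timeout` simulated seconds per
    attempt, retry up to `max_tries`. Returns (reply_or_None, tries, seconds_waited)."""
    query = build_query(qname, txid)
    waited = 0.0
    for attempt in range(1, max_tries + 1):
        reply = firewall.pass_reply(forwarder_reply(query))
        if reply is not None:
            rtxid, is_resp, rcode, _qd, _an = parse_header(reply)
            # a resolver accepts only a response whose txid matches its own query
            if is_resp and rtxid == txid and rcode == 0:
                return reply, attempt, waited
        waited += timeout  # timer expired without a usable reply: retry
    return None, max_tries, waited


def first_a_record(reply):
    """Skip the echoed question and return the dotted quad of the first A answer."""
    pos = 12
    while reply[pos] != 0:          # walk the question name, label by label
        pos += reply[pos] + 1
    pos += 1 + 4                    # root label terminator + QTYPE + QCLASS
    _name, rtype, _rclass, _ttl, rdlen = struct.unpack("!HHHIH", reply[pos:pos + 12])
    pos += 12
    if rtype != 1 or rdlen != 4:
        return None
    return ".".join(str(b) for b in reply[pos:pos + 4])


if __name__ == "__main__":
    fw = DroppingFirewall(drop_first=2)
    reply, tries, waited = forward_with_retry("www.example.com", fw)
    print(f"answered after {tries} tries and {waited:.0f}s of timeouts: {first_a_record(reply)}")
```

Each lost reply costs a full timeout before the next attempt, so a pair of servers that "works but takes several tries" is usually losing replies somewhere between them, and the useful next step is a sniffer on both sides of the PIX to see whether the forwarder's replies (and their source address and port) actually arrive at the inside interface.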
Fax: 415-631-8722

From owner-firewalls-list Tue Oct 7 19:01:06 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id SAA02303; Tue, 7 Oct 1997 18:47:43 -0700 (PDT) Received: from elektra.ultra.net (elektra.ultra.net [199.232.56.13]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id SAA02273 for ; Tue, 7 Oct 1997 18:47:34 -0700 (PDT) Received: from zandar.judgefamily.org (joesmac.ultranet.com [199.232.59.222]) by elektra.ultra.net (8.8.5/ult.n14191) with SMTP id VAA23072; Tue, 7 Oct 1997 21:49:29 -0400 (EDT) Received: by zandar.judgefamily.org with Microsoft Mail id <01BCD36B.30262960@zandar.judgefamily.org>; Tue, 7 Oct 1997 21:51:38 -0400 Message-ID: <01BCD36B.30262960@zandar.judgefamily.org> From: Joseph Judge To: firewalls , David Glosser , "'David Bovee'" Subject: RE: Internet email security & r Date: Tue, 7 Oct 1997 21:51:36 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I'll hazard a position on the subject ... but realize that I know email is used for business over the Internet and is viable. But I also realize folks have varying ideas of what "business" is (info, customer contact versus regulated business correspondence).

Within a company, your company controls the elements that affect the mail flow. This can give better quality and assurance of delivery ... but also can give an increased level of security. Our employees are bonded; the DNS servers are monitored and protected from Internet-based coercion; the mail servers are restricted access in a controlled physical environment also.

On the Internet, your firewall gateway or email gateways have to trust that the DNS server "out there" who says that "att.com" is relayed through "foo.bar.net" is giving valid information. That foo.bar.net is a ??? machine located at ??? run by ??? who are sure(?) not to peek around in the email spool?
And it has quality metrics in place so that email is delivered in a timely fashion? You can increase your trust that the communications are private by using PGP, S/MIME, etc ... but the other factors are still an unknown quantity.

In the financial world, for example, I would guess that the SEC wouldn't allow "business correspondence" to occur over email -- they have strict rules (i.e. must acknowledge communication within 48 hrs., etc).

-- joe

----------
From: David Bovee[SMTP:dbovee@scitor.com]
Sent: Tuesday, October 07, 1997 7:01 PM
To: firewalls; David Glosser
Subject: Re: Internet email security & r

May I interpret this as a question that has *already* been answered...?

"...why it is not appropriate for corporate use?"
                      ^^^

Pardon me, but isn't a lot of business conducted via Internet email daily? Anyway, what's the difference between Internet email and email going from a subnetted/firewalled corporate intranet to an entirely different intranet within the same large corporation???

-David Bovee

______________________________ Reply Separator _________________________________
Subject: Internet email security & r
Author: "David Glosser" at Internet
Date: 10/7/97 3:59 PM

Subject: Internet email security & reliability

I apologize if this is not directly related to firewalls, but I did a search of the Net and couldn't find anything.... Are there any white papers, studies, hard facts, etc. that are related to the lack of security and reliability of internet e-mail and why it is not appropriate for corporate use? Any articles, pointers, links, publications, etc. (or suggestions of other forums) would be appreciated. Please e-mail me directly since I know this is not directly related to firewalls; I'll post a summary.
Thanks in advance David Glosser glosser@bbdo.com

From owner-firewalls-list Tue Oct 7 22:16:01 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id WAA23427; Tue, 7 Oct 1997 22:05:54 -0700 (PDT) Received: from magpage.com (alaska.magpage.com [204.179.92.50]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id WAA23418 for ; Tue, 7 Oct 1997 22:05:40 -0700 (PDT) Received: from [204.179.92.181] (modem131.magpage.com [204.179.92.181]) by magpage.com (8.8.7/8.8.5) with ESMTP id BAA06905 for ; Wed, 8 Oct 1997 01:07:30 -0400 (EDT) X-Sender: kozmando@mail.magpage.com Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 7 Oct 1997 02:47:16 -0400 To: Firewalls@GreatCircle.COM From: kozmando Subject: OpenStep Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Greetings and Salutations,

What firewall solutions (packet filter and proxy) are there for OpenStep and where can they be found? What firewalls support XTI and/or Streams and wctbf? (Macintosh Open Transport is a superset.) If Apple decides to run OT native on Rhapsody, how will this affect firewall implementation? If one was going to put together a commercial firewall for Rhapsody, what tools would one use, what existing free code base would serve best (TIS FWTK)? Has anyone ported a firewall to mklinux? Is it free?
koz

From owner-firewalls-list Tue Oct 7 23:30:52 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA28432; Tue, 7 Oct 1997 23:21:46 -0700 (PDT) Received: from ntserver.newoak.com (gatekeeper.newoak.com [146.115.61.253]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id XAA28408 for ; Tue, 7 Oct 1997 23:21:37 -0700 (PDT) Received: from mike-feinstein ([10.0.21.199]) by ntserver.newoak.com (Netscape Mail Server v2.02) with ESMTP id AAA49 for ; Wed, 8 Oct 1997 02:35:24 -0400 Message-ID: <343B26C0.A7C275D@newoak.com> Date: Wed, 08 Oct 1997 02:22:56 -0400 From: mfeinstein@newoak.com (Michael G. Feinstein) Reply-To: mfeinstein@newoak.com Organization: New Oak Communications X-Mailer: Mozilla 4.01 [en] (Win95; I) MIME-Version: 1.0 To: firewalls@greatcircle.com Subject: Re: VPNs and PPTP X-Priority: 3 (Normal) References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

You may want to check out my company's product, the NOC 4000. It is a dedicated machine that can terminate large numbers of many different types of tunnels, including PPTP. We can terminate up to 2,000 simultaneous sessions, up to 45 Mbps of aggregated bandwidth.
Our web site address is http://www.newoak.com

-- Michael Feinstein New Oak Communications VP, Product Marketing 125 Nagog Park Tel: 978-266-1011 x103 Acton, MA 01720 Fax: 978-266-1080 http://www.newoak.com mfeinstein@newoak.com

From owner-firewalls-list Wed Oct 8 01:46:04 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id BAA09805; Wed, 8 Oct 1997 01:34:40 -0700 (PDT) Received: from fw4.tns.co.za (fw4.tns.co.za [196.4.160.32]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id BAA09788 for ; Wed, 8 Oct 1997 01:34:29 -0700 (PDT) Received: by fw4.tns.co.za; id KAA01039; Wed, 8 Oct 1997 10:36:03 +0200 (SAT) Message-Id: <199710080836.KAA01039@fw4.tns.co.za> Received: from unknown(89.0.3.186) by fw4.tns.co.za via smap (V3.1.1) id xma001030; Wed, 8 Oct 97 10:35:53 +0200 Reply-To: From: "Billy Verreynne" To: , Subject: Re: VPNs and PPTP Date: Wed, 8 Oct 1997 10:34:06 +0200 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1155 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> Michael G. Feinstein wrote
> You may want to check out my company's product, the NOC 4000. It is a
> dedicated machine that can terminate large numbers of many different
> types of tunnels, including PPTP. We can terminate up to 2,000
> simultaneous sessions, up to 45 Mbps of aggregated bandwidth.

I can terminate 1000+ connections using a shovel to dig up the fibre cable and wirecutters to cut it. Much cheaper than your solution, I think.

Think it's funny? Well, it really happened on a Friday afternoon a few years back when Sun City was hosting Miss World the next night (and no, I was not responsible). Worse, the guy (engineering contractor) who cut the cable did it at both ends and threw about a metre-long cable in the back of his pickup before driving home for the weekend.
Ever tried to patch a cable when you're missing a metre? All casino computers were down, all hotel computers, and there were no telecoms to the outside world.

Maybe firewalls should include offensive systems too? - like targeting computer systems connected to a few strategically placed M60's and M203's... ;-)

Billy

From owner-firewalls-list Wed Oct 8 06:16:07 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA25324; Wed, 8 Oct 1997 06:11:39 -0700 (PDT) Received: from honcho.columbiasc.ncr.com (h153-78-17-231.NCR.COM [153.78.17.231]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id GAA25317 for ; Wed, 8 Oct 1997 06:11:10 -0700 (PDT) Received: from exchsmtp.ColumbiaSC.NCR.COM (xgate.ColumbiaSC.NCR.COM [153.78.17.107]) by honcho.columbiasc.ncr.com (8.6.12/8.6.12) with SMTP id JAA17517 for ; Wed, 8 Oct 1997 09:12:53 -0400 Received: by exchsmtp.ColumbiaSC.NCR.COM with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BCD3CA.54C2AC30@exchsmtp.ColumbiaSC.NCR.COM>; Wed, 8 Oct 1997 09:12:41 -0400 Message-ID: From: "Caldwell, Matt" To: "'firewalls'" , "'David Glosser'" , "'dbovee@scitor.com'" Subject: RE: Internet email security & r Date: Wed, 8 Oct 1997 09:14:54 -0400 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Believe it or not, but there are some issues with having a different mail system other than SMTP for a corporate environment. SMTP servers that are within a firewall usually trust the computers in that subnet, thus email is easily faked. Email could be spoofed from a near IP. Commercial email packages (such as Lotus Notes, Exchange, maybe even cc:Mail) make it a little more difficult to spoof or fake email from within the corporate network because a lot of these servers are not solely client side oriented.
You can restrict email from outside being faked, but in most cases you must trust your corporate subnet. Some have encryption systems built in that allow for mail to be protected from plain text viewing (not very good systems). SMTP mail can be appropriate or not appropriate; it depends on your company, and how much money you're willing to spend.

>----------
>From: dbovee@scitor.com[SMTP:dbovee@scitor.com]
>Sent: Tuesday, October 07, 1997 7:01 PM
>To: firewalls; David Glosser
>Subject: Re: Internet email security & r
>
> May I interpret this as a question that has *already* been
> answered...?
>
> "...why it is not appropriate for corporate use?"
> ^^^
>
> Pardon me, but isn't a lot of business conducted via Internet email
> daily? Anyway, what's the difference between Internet email and email
> going from a subnetted/firewalled corporate intranet to an entirely
> different intranet within the same large corporation???
>
> -David Bovee
>
>______________________________ Reply Separator
>_________________________________
>Subject: Internet email security & r
>Author: "David Glosser" at Internet
>Date: 10/7/97 3:59 PM
>
>Subject: Internet email security & reliability
>
>I apologize if this is not directly related to firewalls, but I did a search
>of the Net and couldn't find anything....
>
>Are there any white papers, studies, hard facts, etc. that are related to the
>lack of security and reliability of internet e-mail and why it is not
>appropriate for corporate use?
>
>Any articles, pointers, links, publications, etc. (or suggestions of other
>forums) would be appreciated. Please e-mail me directly since I know this is
>not directly related to firewalls; I'll post a summary.
>
>Thanks in advance
>David Glosser
>glosser@bbdo.com
>

Matthew F.
Caldwell - Security Analyst
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
VC3 Systems Engineering http://www.vc3.com
email: matt.caldwell@vc3.com pager: matt.caldwell@pager.vc3.com
Office: (803) 939-2322 Pager: (803) 690-2505
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Senders of unsolicited commercial E-Mail to this account implicitly agree to a $1000.00 proofing fee
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.2

mQCNAzQf9JoAAAEEAL2IIJjuEqgzzi0gL5pHmdZNwSxBd7fjmS4/aVVFQAPEN2O6
bRt3wMZ5MiDbPbgnIDFCNR49Sjlew9ie1sxg07yTAdSPItrK4X3+MfmjaJ309JjP
/AO9RpOeZGtKqca9/LlYl8HV7hx+oaJ6LT3z/Dax7JgAfbaUrws09AHbijaZAAUR
tCtNYXR0aGV3IEYuIENhbGR3ZWxsIDxtYXR0LmNhbGR3ZWxsQHZjMy5jb20+
=2M64
-----END PGP PUBLIC KEY BLOCK-----
>
>
>

From owner-firewalls-list Wed Oct 8 06:46:39 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA26301; Wed, 8 Oct 1997 06:32:12 -0700 (PDT) Received: from slowy.NETCS.COM (slowy.netcs.com [138.199.32.21]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id GAA26293 for ; Wed, 8 Oct 1997 06:32:03 -0700 (PDT) Received: from netcs.com (16.185.144.1) by slowy.NETCS.COM (NPlex 1.3.159); 8 Oct 1997 15:33:51 +0200 Message-ID: <343B8BBE.25691EDE@netcs.com> Date: Wed, 08 Oct 1997 15:33:50 +0200 From: Oliver Korfmacher Reply-To: okorf@netcs.com Organization: NetCS GmbH X-Mailer: Mozilla 4.03 [en] (WinNT; I) MIME-Version: 1.0 To: firewalls@greatcircle.com Subject: NAT Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi- is there a FAQ for NAT? Please reply direct. Thanks.
--
Gruesse, Oliver Korfmacher
(okorf@netcs.com, whois OK11 URL: http://www.netcs.com/PEOPLE/okorf.html)

From owner-firewalls-list Wed Oct 8 07:30:38 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA26950; Wed, 8 Oct 1997 06:42:50 -0700 (PDT)
Received: from ereapp.erenj.com (ereapp.ERENJ.COM [159.70.31.2]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id GAA26940 for ; Wed, 8 Oct 1997 06:42:41 -0700 (PDT)
Received: (from smap@localhost) by ereapp.erenj.com (8.8.5/8.8.5) id JAA26166; Wed, 8 Oct 1997 09:43:44 -0400
Received: from eredns.erenj.com(159.70.1.252) by ereapp.erenj.com via smap (V2.0) id xma026133; Wed, 8 Oct 97 09:43:19 -0400
Received: from clmail.erenj.com (clmail.erenj.com [159.70.1.248]) by eredns.erenj.com (8.8.5/8.8.5) with ESMTP id JAA27371; Wed, 8 Oct 1997 09:43:02 -0400
Received: from tiger (tiger.ecsc.exxon.com [159.129.116.3]) by clmail.erenj.com (8.8.5/8.8.5) with SMTP id JAA04734; Wed, 8 Oct 1997 09:43:01 -0400 (EDT)
Message-ID: <343B8DEC.31DFF4F5@erenj.com>
Date: Wed, 08 Oct 1997 08:43:08 -0500
From: Andy Howard
Organization: Exxon Computing Services Company
X-Mailer: Mozilla 3.0Gold (X11; I; SunOS 4.1.4 sun4c)
MIME-Version: 1.0
To: David Bovee
CC: firewalls@greatcircle.com
Subject: Re: Internet email security & r
References: <000363BA.1249@scitor.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

David Bovee wrote:
>
> May I interpret this as a question that has *already* been
> answered...?
>
> "...why it is not appropriate for corporate use?"
> ^^^
>
> Pardon me, but isn't a lot of business conducted via Internet email
> daily? Anyway, what's the difference between Internet email and email
> going from a subnetted/firewalled corporate intranet to an entirely
> different intranet within the same large corporation???
>
> -David Bovee

As has been mentioned in another note... if the email stays in the control of the same corp the whole time, there is a better chance of being able to control the security around its path, including controlling who is watching it go by. Still gotta watch out for the disgruntled employee, but, hey, just pay them lots of money (-:

--
Andy Howard achowar@erenj.com
-- the above comments are mine only --

From owner-firewalls-list Wed Oct 8 07:59:52 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA05599; Wed, 8 Oct 1997 07:40:52 -0700 (PDT)
Received: from pinux.selfin.net ([194.244.74.30]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id HAA05480 for ; Wed, 8 Oct 1997 07:40:21 -0700 (PDT)
Received: from client ([194.244.74.131]) by pinux.selfin.net (8.7.5/8.7.3) with ESMTP id WAA31283; Wed, 8 Oct 1997 22:34:53 +0200
Message-Id: <199710082034.WAA31283@pinux.selfin.net>
From: "Franco RUGGIERI"
To: "Engasser, Charlie"
Cc:
Subject: R: Firewall-1, packet -VS- Proxy
Date: Wed, 8 Oct 1997 15:10:58 +0200
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1161
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Very glad to have such an exhaustive reply. Let me reply starting with your last proposal: since I'm a newcomer in the firewall field, I'd very much appreciate your keeping your promise of giving me (and all the other interested ones) the address of the rep you mention.

I'm also glad to see that your preferred firewalls are exactly the same ones I'd cite, if asked for.

In cauda venenum: every word of your comment about not-so-smart sys admins is true, but maybe I misled you by using the word "smart". I meant that "Errare humanum est", and that it is preferable not to have to deal with cumbersome tasks. Were it not so we would still be working with Assembler.
-------------------------------
Franco RUGGIERI
fruggieri@selfin.net

----------
> From: Engasser, Charlie
> To: 'Franco RUGGIERI'
> Cc: 'Firewalls@GreatCircle.COM'
> Subject: RE: Firewall-1, packet -VS- Proxy
> Date: Sunday, 5 October 1997 19:42
>
> 1) It doesn't harden the system (Unix or NT or whatever it runs/will run
> on) by itself: it's up to the security admin to harden it: what if
> he/she is not so smart to do it properly?
>
> 1: Firewall-1 does install a kernel driver between the NIC driver and
> the OS (except on HPUX). So at least in theory the OS should be
> protected by whatever the firewall itself is hardened against. As for
> the sys admin not being smart enough to do it, well, companies get what
> they pay for.
>
> If the admin person isn't savvy enough to do it right, then that's not
> the fault of the firewall. Personally I find it appalling that someone
> would claim to be an administrator of their company's network security
> and take it on blind faith that a product protects them as claimed (or
> for that matter does anything as claimed). So what if one firewall says
> it hardens the system it's on? What exactly does that mean anyway? Do
> >>you<< know? In my opinion, the cost of a firewall product itself is
> only part of the equation; the other half is the cost of testing the product
> once it's set up. If you are not willing to fork over $$$ (be it time,
> resources, product or services) then it really doesn't matter if someone
> tells you the system was automagically "hardened", does it?
>
> 2) Setting up the rules is a real headache, most of it defining all the
> objects that make up the network. And everything which is difficult to
> implement is error prone.
>
> 2: Setting up rules in Firewall-1 is easier than the other 1/2 dozen
> firewalls I've used and looked at. First off, Firewall-1 is capable of
> resolving network names just as any other system would, through DNS,
> HOSTS, NIS or SNMP. If the rest of your network is running properly,
> defining network objects is nothing more difficult than telling
> Firewall-1 what the name of the system is, and letting it do all the
> hard stuff (like remembering IP addresses). The only objects that need
> to be defined are the ones that are directly affected by the rules
> policy. If you wish to define a global rule based on a subnet, then you
> define the subnet, then all systems in that subnet are affected by the
> rule in question.
>
> As for the previous poster, I don't think that I would decide on
> Gauntlet unless I had already put a few more firewalls on a testbed.
> Gauntlet is rated fairly well as far as security goes, but its
> performance figures suck. It drops packets left and right when under
> high loads. If you want a contact # of a rep I know that would be happy
> to get you eval copies of just about anything, drop me an email. As for
> the systems >>I<< would personally look at I would start with:
>
> Firewall-1, AltaVista, Raptor, Gauntlet, Cisco PIX (hardware).
>
> I would avoid at all costs:
>
> Borderware (and probably Sidewinder too) and On Track's OnGaurd. E-mail
> me for details if you need them.

From owner-firewalls-list Wed Oct 8 08:31:49 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA11464; Wed, 8 Oct 1997 08:21:39 -0700 (PDT)
Received: from marble.litc.lockheed.com (marble.litc.lockheed.com [198.7.15.33]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id IAA11445 for ; Wed, 8 Oct 1997 08:21:33 -0700 (PDT)
Received: from arkons.lmsc.lockheed.com (arkons.lmsc.lockheed.com [129.197.2.84]) by marble.litc.lockheed.com (8.8.3/8.8.2) with ESMTP id JAA01684 for ; Wed, 8 Oct 1997 09:23:35 -0600 (MDT)
Received: by ARKONS with Internet Mail Service (5.0.1457.3) id ; Wed, 8 Oct 1997 08:23:40 -0700
Message-ID:
From: "Sadler, Connie J"
To: "'fwalls'"
Subject: POP across a firewlll...
Date: Wed, 8 Oct 1997 08:23:33 -0700
X-Priority: 3
X-Mailer: Internet Mail Service (5.0.1457.3)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Does anyone know of a "safe" way to support POP through a firewall? Any help or direction would be appreciated!

Connie

From owner-firewalls-list Wed Oct 8 08:47:01 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA11953; Wed, 8 Oct 1997 08:25:33 -0700 (PDT)
Received: from panix2.panix.com (panix2.panix.com [198.7.0.3]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id IAA11910 for ; Wed, 8 Oct 1997 08:25:23 -0700 (PDT)
Received: (from guy@localhost) by panix2.panix.com (8.8.5/8.7/PanixU1.3) id LAA14497; Wed, 8 Oct 1997 11:27:54 -0400 (EDT)
Date: Wed, 8 Oct 1997 11:27:54 -0400 (EDT)
From: Information Security
Message-Id: <199710081527.LAA14497@panix2.panix.com>
To: firewalls@GreatCircle.COM
Subject: RE: Internet email security & r
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From owner-firewalls-list@GreatCircle.COM Tue Oct 7 22:35:03 1997
> From: Joseph Judge
> Subject: RE: Internet email security & r
>
> I'll hazard a position on the subject ... but realize that
> I know email is used for business over the Internet and
> is viable. But I also realize folks have varying ideas of
> what "business" is (info, customer contact versus
> regulated business correspondence).
>
> In the financial world, for example, I would guess that the
> SEC wouldn't allow "business correspondence" to occur
> over email -- they have strict rules (i.e. must acknowledge
> communication within 48 hrs., etc).

No, there is heavy use of the Internet for business correspondence without any red tape. Traders regularly send lists of stocks and offering prices around to each other; I remember one list called "AXEs", whatever that is. They sent it daily to other firms to get them to trade. There are all sorts of reports, orders for equipment, IPOs sent to the SEC even.

It's when the IPO hasn't yet become public information, or a company's financing summary evaluation is sent out, that it becomes a security incident. Or trade confirmations: another no-no.

While traders sending out financial talk email is a violation of SEC rules, it is not actively tracked by companies. We're talking firewall SMTP traffic capture for analyzing the traders' email.

---guy

From owner-firewalls-list Wed Oct 8 09:01:50 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA14795; Wed, 8 Oct 1997 08:46:27 -0700 (PDT)
Received: from panix2.panix.com (panix2.panix.com [198.7.0.3]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id IAA14753 for ; Wed, 8 Oct 1997 08:46:09 -0700 (PDT)
Received: (from guy@localhost) by panix2.panix.com (8.8.5/8.7/PanixU1.3) id LAA12984; Wed, 8 Oct 1997 11:18:16 -0400 (EDT)
Date: Wed, 8 Oct 1997 11:18:16 -0400 (EDT)
From: Information Security
Message-Id: <199710081518.LAA12984@panix2.panix.com>
To: firewalls@GreatCircle.COM
Subject: Re: Internet email security & reliability
Cc: dbovee@scitor.com, glosser@bbdo.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

[ Posted and emailed ]

> Subject: Internet email security & r
> Author: "David Glosser" at Internet
> Date: 10/7/97 3:59 PM
>
> Subject: Internet email security & reliability
>
> I apologize if this is not directly related to firewalls, but I did a search
> of the Net and couldn't find anything....
>
> Are there any white papers, studies, hard facts, etc. that are related to the
> lack of security and reliability of internet e-mail and why it is not
> appropriate for corporate use?
>
> Any articles, pointers, links, publications, etc. (or suggestions of other
> forums) would be appreciated. Please e-mail me directly since I know this is not
> directly related to firewalls; I'll post a summary.
>
> Thanks in advance
> David Glosser
> glosser@bbdo.com

Of course Internet email is related to firewall security!!!
> Date: Tue, 7 Oct 1997 16:01:20 -0700
> From: dbovee@scitor.com (David Bovee)
> Subject: Re: Internet email security & r
> To: "firewalls" ,
> "David Glosser"
>
> May I interpret this as a question that has *already* been
> answered...?
>
> "...why it is not appropriate for corporate use?"
> ^^^
>
> Pardon me, but isn't a lot of business conducted via Internet email
> daily? Anyway, what's the difference between Internet email and email
> going from a subnetted/firewalled corporate intranet to an entirely
> different intranet within the same large corporation???
>
> -David Bovee

What's the difference? Security incidents on the firewall box!

> Thread: Five Months Statistics
> ---- ------ ----------
>
> I created and did the traffic analysis for five months before handing it
> off. The time includes a 2.5 month parallel run with the new person.
>
> o caught over 400,000 lines of Salomon proprietary source code outbound
>
> o Risk Management reports ("positions") caught outbound, including DRMS
> (Derivatives) going to someone who started working for Merrill Lynch
>
> o Risk Management reports inbound: Phibro positions [Salomon subsidiary]
>
> o Internal product documentation and trading desk procedures outbound
>
> o Many hostname/username/password transmissions for Salomon's internal systems
>
> o Many Sybase database passwords, including SA passwords
>
> o People working on their own businesses while within Salomon
>
> o Someone soliciting people for porno videos from Salomon
>
> o Phibro Chart of Accounts and internal accounting procedures
>
> o Year-end summary of lawsuits filed against subsidiary Basis Petroleum
>
> o Pirating of third-party copyright programs
>
> o Other firms' IUO (Internal Use Only) inbound
>
> o Our detailed systems inventory
>
> o Determined what PGP (encrypted) traffic was occurring
>
> o Salomon's Official Restricted List being repeatedly transmitted outbound
> (list of securities Salomon can't purchase without a conflict of interest)
>
> o Unreleased Financing Summaries and unreleased IPO's: SEC violations
>
> o Internal Use Only documents
>
> o Trade confirmations
>
> o JobTalk hits concerning internal budget details by an SOO.
>
> o JobTalk hit of a resume of a risk management person who wanted to
> "explain how it works" here
>
> o Hundreds of router (security) configurations
>
> o 42,000 lines of OASYS data
>
> o router and bridge passwords
>
> o Hostname/username/password for unmonitored outbound ISDN access from Salomon
>
> o An FBI investigation into theft of Salomon's Risk Management source code
>
> o An accepted-for-FBI-investigation into theft of FDTS source code
>
> o RadioMail: spotted that all the big cheeses who use it have all their highly
> sensitive email going out over the unprotected Internet, because we were too
> cheap to buy a transmitter, and so are forwarding all the email over the
> Internet to RadioMail's transmitter!!!
>
> o The key to one's financial life: Social Security numbers of Salomon
> retirees transmitted in/out the Internet. Names, birth dates...
>
> o caught our proprietary infrastructure code running at JP Morgan

Well, you asked for "studies" / hard facts.

If you are a large corporation, you are guaranteed to have continuing Internet email traffic security incidents. It didn't matter how many times the employees were told Internet email was being monitored: it's apparently human nature to do it anyway. Why, one can transfer megabytes without barely having to move. It didn't matter if every employee had to sign and return a form concerning Internet email monitoring. Go figure.

----

I've sold this NSA-like keyword-based Internet Email Risk Management Analytics to a NYC company, Aspen Computers Inc. It's going into the first major beta client company in the next two weeks. "It" meaning the complete rewrite, so it is no longer proprietary to the companies where I originally implemented it as a consultant. Plus, of course, "new and improved".
;-)

Anyway, it's not for sale yet, but if you want information, email nox@panix.com. Larger companies are being targeted first; please email from the company, and include, if you would, some misc info:

o approx. Mb of daily email traffic
o do you have a security incident reporting procedure
o have you been getting at least one email security incident a week

...and any other color or questions.

All your internal systems are connected to the rest of the world via your firewall box. If you don't know what's passing through SMTP, you've got a joke for a firewall.

---guy@panix.com

From owner-firewalls-list Wed Oct 8 10:32:33 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA00275; Wed, 8 Oct 1997 10:17:56 -0700 (PDT)
Received: from bbnplanet.com ([198.114.157.21]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id KAA29735 for ; Wed, 8 Oct 1997 10:11:26 -0700 (PDT)
Received: from pasilla.bbnplanet.com by mail.bbnplanet.com id aa07173; 8 Oct 97 13:12 EDT
Received: by pasilla.bbnplanet.com (SMI-8.6/SMI-4.1) id NAA28194; Wed, 8 Oct 1997 13:12:10 -0400
Message-Id: <199710081712.NAA28194@pasilla.bbnplanet.com>
Subject: Re: POP across a firewlll...
To: "Sadler, Connie J"
Date: Wed, 8 Oct 1997 13:12:09 -0400 (EDT)
From: Ed Forbes
Cc: firewalls@greatcircle.com
In-Reply-To: from "Sadler, Connie J" at Oct 8, 97 08:23:33 am
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi Connie,

> Does anyone know of a "safe" way to support POP through a firewall? Any
> help or direction would be appreciated!

I guess it all depends upon what you mean by "support". If you have a POP server on the outside of your firewall, then you just put a plug into your firewall letting your inside users contact the POP server and download their mail. This is pretty simple.

If you have a POP server inside the firewall, then you can configure your firewall to just relay the mail into it.

Hope this helps,
Ed

From owner-firewalls-list Wed Oct 8 11:31:24 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA04416; Wed, 8 Oct 1997 11:14:23 -0700 (PDT)
Received: from WorldHQ.com ([195.188.92.2]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id LAA04383 for ; Wed, 8 Oct 1997 11:14:13 -0700 (PDT)
Received: from firebird.worldhq.com..worldhq.com. ([195.188.105.83]) by WorldHQ.com (8.8.7/Nohj.2.0) with SMTP id TAA08242; Wed, 8 Oct 1997 19:11:16 +0100 (BST)
Date: Wed, 8 Oct 1997 19:11:16 +0100 (BST)
Message-Id: <199710081811.TAA08242@WorldHQ.com>
From: Phil Cracknell
To: Adam Shostack
Cc: "Firewall Wizards (Marcus J. Ranum's new moderated mail list)" , Firewalls Alias , Frank Willoughby , Kevin Brown - NetComm
Subject: System Spec for Penetration test
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-Mailer: Becky! ver 1.22
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I've cc'd this to firewalls and firewall-wizards; it may be off-topic, so I apologise up front.

I need a little advice on the spec of a laptop for penetration testing.

Originally I wanted a Sparcbook, but this is not possible now (for lots of reasons), so I thought about a high-powered Pentium laptop and loading Solaris X86, and I can then also install NT.

Does X86 support most PCMCIA network cards?

Would I be best advised to choose a SCSI-based disk/CD for ease of install? (X86 again!)

Can you think of anything else?
Many thanks

-------------------------------------------------------------
Edward Cracknell - Security Administrator

From owner-firewalls-list Wed Oct 8 12:31:38 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA11427; Wed, 8 Oct 1997 12:21:26 -0700 (PDT)
Received: from gabriel.advsys.com (gabriel.advsys.com [198.49.218.20]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id MAA11419 for ; Wed, 8 Oct 1997 12:21:20 -0700 (PDT)
Received: from sting.advsys.com ([129.203.1.25]) by gabriel.advsys.com (8.8.7/8.8.7) with ESMTP id PAA16804 for ; Wed, 8 Oct 1997 15:23:09 -0400 (EDT)
Received: from geek.advsys.com (geek [129.203.1.22]) by sting.advsys.com (8.8.6/8.8.6) with ESMTP id PAA00318 for ; Wed, 8 Oct 1997 15:23:00 -0400 (EDT)
Received: (from gabrams@localhost) by geek.advsys.com (8.7/8.7) id PAA04896; Wed, 8 Oct 1997 15:24:25 -0400 (EDT)
From: "Gary O. Abrams"
Message-Id: <199710081924.PAA04896@geek.advsys.com>
Subject: Re: System Spec for Penetration test
To: firewalls@greatcircle.com
Date: Wed, 8 Oct 1997 15:24:25 -0400 (EDT)
In-Reply-To: <199710081811.TAA08242@WorldHQ.com> from "Phil Cracknell" at Oct 8, 97 07:11:16 pm
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Phil Cracknell scribbled:
>
> I've cc'd this to firewalls and firewall-wizards, it may be off-topic,
> so I apologise up front;
>
> I need a little advice on the spec of a laptop for penetration testing.
>
> Originally I wanted a Sparcbook, but this is not possible now (for lots
> of reasons) so I thought about a high-powered Pentium laptop and
> loading Solaris X86 and I can then also install NT.
>
> Does X86 support most PCMCIA network cards?
>
> Would I be best advised to choose a SCSI-based disk/CD for ease of
> install? (X86 again!)
>

Take a look at the Solaris Hardware Compatibility List, which can be found at: http://access1.sun.com/certify/hcl.html.

later,
-- Gary

From owner-firewalls-list Wed Oct 8 15:43:39 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA23663; Wed, 8 Oct 1997 14:20:25 -0700 (PDT)
Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-970824-1) id OAA23653 for firewalls@greatcircle.com; Wed, 8 Oct 1997 14:20:21 -0700 (PDT)
Received: from mail.clark.net (mail.clark.net [168.143.0.10]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id JAA06745 for ; Tue, 7 Oct 1997 09:48:30 -0700 (PDT)
Received: from clark.net (proberts@explorer.clark.net [168.143.0.7]) by mail.clark.net (8.8.7/8.8.7) with ESMTP id MAA23412; Tue, 7 Oct 1997 12:50:10 -0400 (EDT)
Received: from localhost (proberts@localhost) by clark.net (8.8.7/8.8.7) with SMTP id MAA03772; Tue, 7 Oct 1997 12:49:07 -0400 (EDT)
X-Authentication-Warning: clark.net: proberts owned process doing -bs
Date: Tue, 7 Oct 1997 12:49:07 -0400 (EDT)
From: "Paul D. Robertson"
Reply-To: "Paul D. Robertson"
To: "Engasser, Charlie"
cc: "'Firewalls@GreatCircle.COM'"
Subject: RE: Firewall-1, packet -VS- Proxy
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The quoting on your reply is very mixed up, but I'll try to address these.

On Tue, 7 Oct 1997, Engasser, Charlie wrote:

> >Looking at past exploits, and Checkpoint's reaction to the OOB bug in
> >Windows NT, I would say that the hosting machine's services for
> >administration and VPN support seem to be unhardened, and vulnerable to
> >exploitation without extra work. If those responses are indicative of the
> >overall argument of a hardened system versus a shim in the driver layer,
> >then that shim boat just don't float.
> >
> >Checkpoint released a patch for 3.0 that dropped all urgent data, so?
So, it leads to the obvious conclusion that a host *should* be hardened, and that putting potection near the driver layers _does not_ provide a level of security sufficient to prevent the 'firewall' host from being successfully attacked. > >And if you are running it on NT you can also install the OOBFIX if you > >are that paranoid. I'm too paranoid to run NT, as a matter of fact. But it is directly illustrative of the point that packet filters are not a clean cut solution. > > > >> it hardens the system it's on? What exactly does that mean anyway? Do > >> >>you<< know? In my opinion, the cost of a firewall product itself is > > > >If the vendor can't quantify 'harden' to your satisfaction, you're > >dealing > >with the wrong vendor. > > > >That is one of the very reasons I said to avoid Secure. That and lousy > >phone support with people that obviously didn't know their own > >products. I've never had a problem with Secure Computing, and NSA's evaluation of Sidewinder seems to be very positive. http://mitten.ie.org/ Firewalling is about security, and all the customer support in the world doesn't make up for an improperly chosen or configured platform. > > > >There is value to having a hardened OS, network > >stack, filesystem, etc. A great deal of value in many instances, a > >number > >of which depend on the specific installation. For instance, if your > >firewall is going to play with a global authentication strategy, then > >you'll want to know the stack can survive low-level attacks. > > > >I never said that a hardened OS wasn't bad strategy, I mearly said that > >I don't take a vendors claims at face value. . You seemed to be dismissive of hardening, or the quantification thereof. In the case of Sidewinder specifically, I've always gotten good technical answers from Secure Computing when I've asked the relevent questions. The same is true of Data General's under evaluation B-2 system with BDM's Cybershield, as well as TIS' implementation of Gauntlet on BSD. 
Hardening a host has a lot of value, and I don't believe it should be easily dismissed, or scorned because of a lack of understanding from one person. > >Sorry, I just don't see why you'd take it on blind faith. Again, as I > >stated in my earlier message, if you are not willing to test a > >firewall's feature sets against what the vendor claims, then what's the > >point of putting it in? Why should anyone dismiss Firewall-1 out of > >hand just because they have "heard" that it's hard to configure and > >that it doesn't automatically harden the OS? So what? This goes back to > >my experiences with Secure, they >>insisted<< you could pass NBT > >traffic through Borderware, but NOBODY could tell me how to do it. Why > >say it's possible, but it really isn't? They said you >should< be able > >to do it with 4 (I was running 3.1) but then, nobody would let me have > >an eval copy to test it because I didn't buy a support contract (Border > >Technologies didn't require a support contract, but after Secure bought > >them out, they did). I've never had Borderware on my list of things to test, but I've also never had a problem getting evaluation copies of products from any vendor. Most of that is probably because I represent a large potential sale, so I won't expound more on it. > > > >> As for the previous poster, I don't think that I would decide on > >> Gauntlet unless I had already put a few more firewalls on a testbed. > >> Gauntlet is rated fairly well as far as security goes, but it's > >> performance figures suck. It drops packets left and right when under > > > >Funny, all the studies I've seen for Gauntlet's performance far > >outstrip > >the available Internet bandwidth at most sites. Care to reference some > >figures? I'm preparing for some benchmarks in the near future on a few > >products, and I'd be more than happy to check your results. > > > >Available internet bandwidth yes, but not intranet bandwidth. The > >Poster didn't specify. 
In my case I've got 2 T-1's, a leased 56, and a > >128kb ISDN running through mine, with another pair of T-1's definitely > >on the way and maybe another T-1 in the far distant future. Not to > >mention a host of remote dialins. Not to sound dismissive, but that's what I'd consider a trivial bandwidth requirement. I won't bore you with "My pipe is bigger than yours" arguments, but I'd expect DOS-based Karlbridge to handle that load, on the appropriate platform. > >I was thinking of the March 97 issue of data communications magazine. > >This responds to the TIS person that posted earlier. One of Datacom's > >stress tests on 100bt intranet links showed that Gauntlet performed at > >the bottom of the pack when used in that scenario. Since the original > >poster didn't specify what he wanted it for I made a global statement. > >Later, in the message I said that I thought Gauntlet would suffice when > >used as an internet gateway. I believe it was their website they posted > >figures that showed some 10-30 percent of the packets being dropped > >when under that high load. Maybe it was misconfigured, maybe not. I seem to recall that it was a configuration problem, and that TIS had responded to DataComm, and even funded a retest, but the TIS folks can answer that specifically. I don't tend to put much stock on most 3rd party tests unless I know the methodology is sound, and the evaluation is given real-world needs and boundries. DataComm hasn't been in my list of authoritative publications for quite some time. Your trust may vary. > > > >Given FW-1's lack of _complete_ implementation of stateful filtering, > >as > >well as the complexity of being able to do it well would steer me away > >from it as a solution. For instance, Firewall-1 does *not* maintain > >state > >information for ICMP as it ships. All those reverse-telnet over ICMP > >programs floating around the net tend to worry me. > > > >I'd only be worried about them if I allowed telnet in. 
> >I wouldn't, and even if I did, I'd use a VPN. Besides, isn't telnet dead?
> >(that's a joke son).

Actually, you should only be worried about them if you allow ping or
traceroute to function. It's telnet encapsulated in ICMP, and it's rather
popular with the opposition.

> >
> >Consistency is important in security. You should be able to predict what
> >your firewall will do with traffic, and how it applies its protection
> >mechanisms. Unfortunately, the only way to find that out with FW-1 seems
> >to be with a sniffer and a *lot* of time. If you've got the time to write
> >Inspect code, and you trust the state engine to pass the right packets up,
> >the FW-1 can make a good tool. However, it is marketed as a solution,
> >not a tool, and frankly, it *needs* work for anything but the most blatant
> >policies which are *much* more easily verifiable via application layer
> >gateway.
> >
> >Such as what? Enlighten me. I work on a relatively small network that
> >has limited inbound requirements. If I install Firewall-1 to block
> >incoming traffic (or any firewall for that matter) what do I care how
> >it does it? If Firewall-1 does what it claims to (and I have not seen

You should care very much. *Especially* with a packet filter. If you don't
understand the nature of the risks, then you're flying blind, and open to
compromise. The first thing you need to realize is that you aren't
*blocking* inbound traffic, you are selectively allowing it in response to
outbound traffic. There's a major gulf between the two stances. With an
application layer gateway, you only need to know how the host's IP stack
will respond to packet level attacks, not so with a packet filter. With a
packet filter, you have to worry about how the target host's IP stack
handles things, or how the filter drops individual packets before you even
get to the point of worrying about how the application layer is handled.

Will the filter pass TCP packets with an FO of 1? Will the filter pass
packets with the same sequence number as an already passed packet? How does
the end stack handle that during out-of-order reception? Will it just
overlay the packet, discard it, merge the two.... Can the target stack be
made to fall over by passing it everything but the final fragment of a very
large packet a few times? When you have PCs, printers, terminal servers,
mainframes, minicomputers, and who-knows-what-else all talking TCP/IP, and
you are using a packet filter, you should *know* what behaviour should be
expected in each version of each stack. That's one reason why application
layer gateways have a much higher level of trust than packet filters: for
those you only need to know how the gateway's stack will react to those
attacks and situations.

> >anything that shows otherwise) then why should I care? And another
> >thing, how >>does<< one go about "predicting" what a proxy will do with
> >a packet?

State diagrams of the IP stack, and proxy code are a very good start. With
a proxy, unlike with a packet filter, you generally don't have to know what
will happen to each packet, just packets in general and then application
data streams. That is a great deal easier to model than every packet for
every protocol.

> >
> >What have you shown Firewall-1 to be vulnerable to in your testbeds?
> >How about some specifics?

As I said, it doesn't maintain state information for ICMP. Other than
that, I've only recently gotten an evaluation unit to try to re-create some
attacks that I've heard of. It won't be high on my list, because I've
personally lost trust in the product, and don't see it as a viable choice
for the bulk of my security needs in the near future. I also won't cast
further aspersions on the product without having done my own tests, no
matter what I've heard, or who I've heard it from.

ICMP state is non-existent as shipped in Firewall-1. Checkpoint has said
that they didn't see it as important to add an Inspect program for it
implemented as a default. It is possible to add Inspect code to make it
work "as it should" if you're to buy into the state implementation.
Personally, I think OOB showed it to be fairly flawed methodology-wise,
your paranoia may vary.

> >Why am I making it easy? I told him to check their claims. Why do you
> >have a problem with that? Or are you just pissed because I don't have a
> >high opinion of Gauntlet?

Nope, I don't represent TIS, and couldn't care less what your opinion of a
particular instantiation of a firewall technology is. I do think that
spreading disinformation is wrong, and I had a problem with some of the
things you've stated, and some of the ways that they were stated. I also
have some problems with the way packet filtering based on state is
represented, and I think I've articulated them enough here and in
comp.security.firewalls for one lifetime. It's well and good to ramble on
about testing and evaluations when you've done them, but then to drop back
to articles which were cited without reference, and 'in this particular
instance' seem to me to be not so authoritative a source as the original
article seemed to imply. Perhaps I read too much into it.

Maybe it's time for me to completely jump ship to firewall-wizards with
everyone else and leave all the mud-slinging misinformation to people who
don't seem to be able to talk with the various vendors or do a bunch more
than re-hash sales brochures and magazine articles...

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
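Two of the filter decisions Paul raises above, whether to pass a TCP fragment with an FO of 1 and how to admit ICMP replies when the product as shipped keeps no ICMP state, written up here as an added, constructed example for this page (it is not FW-1, Gauntlet or any vendor's code): an RFC 1858 tiny-fragment check and a small echo request/reply state table, run over packets built inline. The RFC 5737 addresses, the ports, and the heuristic that a reply must carry the same amount of data as the request it answers are assumptions.

```python
# Constructed example (not FW-1, Gauntlet or any vendor's code): RFC 1858
# tiny-fragment rules for TCP and a minimal ICMP echo state table.
import struct
from collections import namedtuple
from dataclasses import dataclass, field

IPPROTO_ICMP, IPPROTO_TCP = 1, 6
ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8
TCP_MIN_HDR = 20  # bytes a filter needs in order to see the TCP ports and flags
IPv4 = namedtuple("IPv4", "src dst proto frag_offset more_frags payload")  # frag_offset in 8-byte units


def parse_ipv4(raw: bytes) -> IPv4:
    """Parse an IPv4 header into the fields the checks below key on."""
    if len(raw) < 20:
        raise ValueError("short IPv4 header")
    ver_ihl, _tos, total_len, _id, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(raw) < ihl:
        raise ValueError("bad IPv4 version or header length")
    return IPv4(".".join(map(str, src)), ".".join(map(str, dst)), proto,
                flags_frag & 0x1FFF, bool(flags_frag & 0x2000), raw[ihl:total_len])


def tiny_fragment_verdict(pkt: IPv4) -> str:
    """RFC 1858: drop a TCP fragment with FO=1 (it exists only to split the TCP
    header past the ports/flags) and an initial fragment too short to hold it."""
    if pkt.proto != IPPROTO_TCP:
        return "pass"
    if pkt.frag_offset == 1:
        return "drop: TCP fragment with FO=1 (header split across fragments)"
    if pkt.frag_offset == 0 and pkt.more_frags and len(pkt.payload) < TCP_MIN_HDR:
        return "drop: initial TCP fragment shorter than the TCP header"
    return "pass"


@dataclass
class IcmpEchoState:
    """Outbound echo requests keyed (src, dst, id, seq) -> data length.  A reply is
    admitted only if it answers a pending request with the same amount of data."""
    inside: set
    pending: dict = field(default_factory=dict)

    def filter(self, pkt: IPv4) -> str:
        if pkt.proto != IPPROTO_ICMP:
            return "pass"                      # not this check's concern
        if len(pkt.payload) < 8:
            return "drop: truncated ICMP header"
        itype, _code, _csum, ident, seq = struct.unpack("!BBHHH", pkt.payload[:8])
        data_len = len(pkt.payload) - 8
        if itype == ICMP_ECHO_REQUEST and pkt.src in self.inside:
            self.pending[(pkt.src, pkt.dst, ident, seq)] = data_len
            return "pass: outbound echo request recorded"
        if itype == ICMP_ECHO_REPLY and pkt.dst in self.inside:
            expected = self.pending.pop((pkt.dst, pkt.src, ident, seq), None)
            if expected is None:
                return "drop: echo reply with no matching outbound request"
            if data_len != expected:
                return "drop: echo reply data length differs from the request"
            return "pass: echo reply matches a recorded request"
        return "drop: ICMP not matched to any state"


def build_ipv4(src, dst, proto, payload, frag_offset=0, more_frags=False) -> bytes:
    """Minimal IPv4 datagram for the demo (checksum left zero)."""
    flags_frag = (0x2000 if more_frags else 0) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      flags_frag, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload


def icmp_echo(itype: int, ident: int, seq: int, data: bytes) -> bytes:
    return struct.pack("!BBHHH", itype, 0, 0, ident, seq) + data


def demo() -> list:
    """Constructed packets (RFC 5737 addresses) run through both checks in order."""
    inside, outside = "192.0.2.10", "198.51.100.7"
    state = IcmpEchoState(inside={inside})
    syn = struct.pack("!HHIIBBHHH", 1088, 1138, 1, 0, 0x50, 0x02, 8192, 0, 0)
    req, rep = ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY
    pkts = [
        build_ipv4(outside, inside, IPPROTO_TCP, syn[:8], more_frags=True),  # 8-byte head
        build_ipv4(outside, inside, IPPROTO_TCP, syn[8:], frag_offset=1),    # FO=1 tail
        build_ipv4(inside, outside, IPPROTO_ICMP, icmp_echo(req, 42, 1, b"ping" * 8)),
        build_ipv4(outside, inside, IPPROTO_ICMP, icmp_echo(rep, 42, 1, b"ping" * 8)),
        build_ipv4(outside, inside, IPPROTO_ICMP, icmp_echo(rep, 42, 2, b"ping" * 8)),
        build_ipv4(inside, outside, IPPROTO_ICMP, icmp_echo(req, 42, 3, b"x" * 8)),
        build_ipv4(outside, inside, IPPROTO_ICMP, icmp_echo(rep, 42, 3, b"\0" * 200)),
    ]

    def check(raw: bytes) -> str:
        pkt = parse_ipv4(raw)
        verdict = tiny_fragment_verdict(pkt)
        return verdict if verdict != "pass" else state.filter(pkt)

    return [check(raw) for raw in pkts]
```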
PSB#9280

From owner-firewalls-list Wed Oct 8 15:44:57 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA21930; Wed, 8 Oct 1997 14:00:14 -0700 (PDT)
Received: from wcl4.timeplex.com (wcl4.timeplex.com [134.196.240.3]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id OAA21869 for ; Wed, 8 Oct 1997 14:00:01 -0700 (PDT)
Received: from timeplex.com (admin.timeplex.com [134.196.233.4]) by wcl4.timeplex.com (Netscape Messaging Server 3.01) with ESMTP id AAA12790; Wed, 8 Oct 1997 17:03:54 -0400
Message-ID: <343BF4CC.F5E41692@timeplex.com>
Date: Wed, 08 Oct 1997 17:02:05 -0400
From: Dave Zwieback
Organization: ascom Timeplex
X-Mailer: Mozilla 4.03 [en] (X11; I; SunOS 5.6 sun4u)
MIME-Version: 1.0
To: Unix Wizards Mailing List , Firewalls@GreatCircle.COM
Subject: Firewall routing setup, Solaris 2.5.1
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hey,

I am trying to set up a three-host firewall, with Firewall-1 ver 3.0 on it.
The machine has 3 interfaces, one for the outside (on the same network as
the ISP router), one for the inside, and one for the DMZ. The outside
interface is a class B address given to us by our ISP. The inside address
belongs to a class B network, subnetted to a class C (255.255.255.0). The
DMZ network address is also part of the class B network. The internal
address is on a wire which goes to our enterprise router, which is
broadcasting RIP, all the time.

Couple of questions:

1) How do you configure routing for this setup?
2) Do you turn on in.routed and/or in.rdisc? With what options?
3) Do you turn on ip_forwarding?
4) Any idea about the netmasks?
5) RIP?
6) Static or dynamic routes?

I would appreciate any help you can give me, pointers to on-line
information, etc.

Thanks in advance.

Dave.

From owner-firewalls-list Wed Oct 8 15:46:50 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA22792; Wed, 8 Oct 1997 14:10:47 -0700 (PDT)
Received: from mail.the-wire.com (mail.the-wire.com [198.53.192.5]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id OAA22783 for ; Wed, 8 Oct 1997 14:10:35 -0700 (PDT)
Received: from psyche.the-wire.com (psyche [198.53.192.2]) by mail.the-wire.com (8.8.7/8.8.7) with ESMTP id RAA19588; Wed, 8 Oct 1997 17:11:53 -0400 (EDT)
Received: from anton.the-wire.com (anton.the-wire.com [205.206.32.227]) by psyche.the-wire.com (8.8.6/8.8.7) with SMTP id RAA21588; Wed, 8 Oct 1997 17:12:33 -0400 (EDT)
Message-Id: <3.0.32.19971008154929.009bcaa0@mail.the-wire.com>
X-Sender: anton@mail.the-wire.com
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Wed, 08 Oct 1997 17:14:15 -0400
To: Phil Cracknell
From: Anton J Aylward
Subject: Re: System Spec for Penetration test
Cc: Firewalls Alias
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 07:11 PM 08/10/97 +0100, Phil Cracknell wrote:
## Reply Start ##
>
> I need a little advice on the spec of a laptop for penetration testing.
>
> Originally I wanted a Sparcbook, but this is not possible now (for lots
> of reasons) so I thought about a high-powered pentium laptop and
> loading Solaris X86 and I can then also install NT.
>
> Does X86 support most PCM/CIA network cards?
>
> Would I be best advised to choose a SCSI-based disk/CD for ease of
> install? (X86 again!)

Why make it complicated.
There are plenty of tools written in C which will compile to run under DOS.
If you really want to be fancy and run UNIX, try a lightweight LINUX.
You could probably make do with an old 386 or 486 discard, 8Meg of RAM
and just a few hundred meg of disk. Cost is asymptotic zero.
It certainly saved my old laptop from being a boat anchor.

/anton

## Reply End ##

From owner-firewalls-list Wed Oct 8 17:56:55 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id QAA13903; Wed, 8 Oct 1997 16:56:31 -0700 (PDT)
Received: from foo.icanect.net (foo.icanect.net [208.202.14.72]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id QAA13780 for ; Wed, 8 Oct 1997 16:55:46 -0700 (PDT)
Received: from localhost (merc@localhost) by foo.icanect.net (8.8.5/ICA3.2) with SMTP id TAA22764 for ; Wed, 8 Oct 1997 19:57:43 -0400 (EDT)
Date: Wed, 8 Oct 1997 19:57:43 -0400 (EDT)
From: High Mercury
To: firewalls@greatcircle.com
Subject: adding a rule on firewall1
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I have been trying to set up the following on an ultra sparc running
firewall1 v2.1. Here is the network.

                    |           |  external  |              |  internal network
                    |           |  network   |              |
 ---------          -------------          --------------          ---------
 | Host1 |----------| Firewall1 |----------| GauntletFW |----------| Host2 |
 ---------          -------------          --------------          ---------

GauntletFW is the tis gauntlet firewall

I want to be able to connect to port 1138 on Host2 from Host1. I have added
the appropriate rules on gauntletfw and I can telnet to host2 from gauntletfw
successfully using the "telnet host2 1138" command. However, when trying to
do the same from host1, it will not connect.

The rule I added (#15) was the following:

Source   : Host1 defined as external, host, firewall1 not installed
Dest     : Host2 defined as internal, host, firewall1 not installed
Service  : Created a service called test with port 1138 and no src port range.
Instl on : Gateways
Action   : Accept

This is set to accept those packets. However, when I try to telnet from host1
to host2 on port 1138, this is what the log gives me:

act serv. src dest prot rule S_Port
107224 8Oct97 19:20:05 le0 helius STOP test host1 host2 tcp 15 1088 len60

Now even though it said rule 15 is the rule which prevented the packet from
being let through, I have found no matter what rule I set for #15, even if
it has nothing at all to do with that port or hosts, it still says 15 is the
rule which is not letting it through. This leads me to believe that either
my changes have not taken effect (I have saved it and exited and re-entered
the fwui app many times and it will always come up with the changes I last
made). Is this all you need to do to make the changes take effect or am I
missing a step? If that's not it, what could it be then?

Also, each time I do a "telnet host2 1138" from host1, I notice that the
S_port in the log is usually increased by one. I have tried to set up the
test service with a src port range of 1024-1500 but still it didn't work.

I have also tried defining the service in the /etc/services file on the
firewall1 host and host1. I don't know if that is needed or not but tried so
it would recognize the service and it still failed.

Any help would be appreciated.

merc

From owner-firewalls-list Wed Oct 8 21:02:33 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id SAA26133; Wed, 8 Oct 1997 18:24:35 -0700 (PDT)
Received: from panix2.panix.com (panix2.panix.com [198.7.0.3]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id SAA26068 for ; Wed, 8 Oct 1997 18:24:08 -0700 (PDT)
Received: (from guy@localhost) by panix2.panix.com (8.8.5/8.7/PanixU1.3) id VAA23174; Wed, 8 Oct 1997 21:25:18 -0400 (EDT)
Date: Wed, 8 Oct 1997 21:25:18 -0400 (EDT)
From: Information Security
Message-Id: <199710090125.VAA23174@panix2.panix.com>
To: firewalls@GreatCircle.COM
Subject: Re: The risk management system mentioned below...
Cc: Larry.Kwiat@gov.yk.ca
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From Larry.Kwiat@gov.yk.ca Wed Oct 8 13:13:43 1997
> To: guy@panix.com
> From: Larry Kwiat
> Subject: The risk management system mentioned below...
>
> I would like to see more information about the product mentioned
> below. Thanks, BTW, your other email address reports as invalid
> on trial. ( Genius at work ;-)

Aspen Computer, Inc. has informed me that the _correct_ email address
for contacting them is noz@AspenComputer.com.

---guy

> ==================================================
> I've sold this NSA-like keyword-based Internet Email Risk Management
> Analytics to a NYC company, Aspen Computer, Inc.

From owner-firewalls-list Thu Oct 9 02:20:18 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id BAA04225; Thu, 9 Oct 1997 01:52:59 -0700 (PDT)
Received: from mantech.com (groupwise.mantech.com [206.65.236.10]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id BAA03988 for ; Thu, 9 Oct 1997 01:52:10 -0700 (PDT)
Received: from MANTECH-Message_Server by mantech.com with Novell_GroupWise; Thu, 09 Oct 1997 04:53:34 -0400
Message-Id:
X-Mailer: Novell GroupWise 4.1
Date: Thu, 09 Oct 1997 04:53:13 -0400
From: David Lane
Reply-To: dlane@mantech.com
To: Firewalls@GreatCircle.COM
Subject: Firewalls-Digest V6 #470 -Reply
Mime-Version: 1.0
Content-Type: text/plain
Content-Disposition: inline
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I will be out of the office until Tuesday October 14th. For critical
emergencies, please call the Help Desk at 703.218.8230. I will respond to
your message when I return

DAVID

David A. Lane, CNE
Technical Director

From owner-firewalls-list Thu Oct 9 02:32:12 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id VAA23340; Wed, 8 Oct 1997 21:41:58 -0700 (PDT)
Received: from ntns1.adia.co.ae (ntns1.adia.co.ae [194.170.24.6]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id VAA23294 for ; Wed, 8 Oct 1997 21:41:34 -0700 (PDT)
Received: from HITS02_W95B (HITS02_W95B [194.170.24.20]) by ntns1.adia.co.ae (NTMail 3.02.10) with ESMTP id va009927 for ; Thu, 9 Oct 1997 08:44:28 +0400
Message-Id: <3.0.3.32.19971009084439.007c0210@pop.peg.apc.org>
X-Sender: forster@pop.peg.apc.org
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Thu, 09 Oct 1997 08:44:39 +0400
To: "Sadler, Connie J" , "'fwalls'"
From: Andrew M Forster
Subject: Re: POP across a firewlll...
In-Reply-To:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Connie,

Depending on how your pop3 server works you may have to plug another port to
allow users to change their pop account passwords. In our case we plugged 110
to our outside mail server for pop3 traffic and also port 106 for the
password changing facility between our iNTernet Mail POP/SMTP server and
Eudora Clients.

Regards,
AMF

At 08:23 AM 10/8/97 -0700, Sadler, Connie J wrote:
>
>Does anyone know of a "safe" way to support POP through a firewall? Any
>help or direction would be appreciated!
>
>Connie
>
>
==========================================================================
Andrew M Forster [GMT +4]           Email: forster@peg.apc.org
Phone: (w) +9712 262556 or (h) +9712 453613
==========================================================================

From owner-firewalls-list Thu Oct 9 02:48:25 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id BAA01847; Thu, 9 Oct 1997 01:38:26 -0700 (PDT)
Received: from data.roka.net (data.roka.NET [194.97.3.3]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id BAA01821 for ; Thu, 9 Oct 1997 01:38:14 -0700 (PDT)
Received: from 193.22.160.2 by data.roka.net with SMTP (PP) id <06469-0@data.roka.net>; Thu, 9 Oct 1997 10:38:16 +0200
Message-ID: <343C983E.3CBC@westlb.de>
Date: Thu, 09 Oct 1997 10:39:26 +0200
From: "B.Stoltefu "
Organization: WestLB
X-Mailer: Mozilla 3.01 [de] (WinNT; I)
MIME-Version: 1.0
To: firewalls@greatcircle.com
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

remove
From owner-firewalls-list Thu Oct 9 08:17:28 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA07747; Thu, 9 Oct 1997 08:08:49 -0700 (PDT)
Received: from fl.dk (ns.fl.dk [193.88.152.146]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id IAA07544 for ; Thu, 9 Oct 1997 08:08:12 -0700 (PDT)
From: bjm@fl.dk
Received: by gw.fl.dk id <26881-4>; Thu, 9 Oct 1997 17:10:19 +0100
Message-Id: <97Oct9.171019gmt+0100.26881-4@gw.fl.dk>
X-Mailer: ccMail Link to SMTP R6.00.01
Date: Thu, 9 Oct 1997 17:12:30 +0100
To:
Subject: Single point of failure.
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi

Does someone have any comments on the following issue, which I see as being
more relevant when using firewalls internally or as an access point for
Intranet/Extranet connected through public networks (e.g. Internet):

A couple of firewall products offer the ability to support multiple network
interface cards. These products are often used in solutions where different
kinds of user groups, servers/services etc. are separated on different
LAN-segments connected to the firewall.

If a company uses this functionality on a firewall, they introduce a single
point of failure which I think is often neglected or forgotten. If a
situation occurs where a firewall shuts down a service, an interface or the
whole server due to an attack or due to a bug in the software, the sysadm is
supposed to investigate why, before he/she re-opens the service, interface or
firewall again. This could potentially cause a denial of service for several
users using services through the firewall.

This threat might be serious, and if the company does not have a backup
firewall, which could be used while tracing the problems, the affected users
might have to wait for a long time before they could work normally again. Of
course the backup firewall could be affected by an attack immediately when it
starts up, but that does not make the problem irrelevant.

Thanks in advance

Bjoern Mose
Fischer & Lorenz

From owner-firewalls-list Thu Oct 9 08:32:40 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA08026; Thu, 9 Oct 1997 08:09:40 -0700 (PDT)
Received: from mailserver1.mdc.com (MAILSERVER1.LGB.CAL.BOEING.COM [129.200.140.50]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id IAA07757 for ; Thu, 9 Oct 1997 08:08:51 -0700 (PDT)
Received: by MAILSERVER1.MDC.COM with Internet Mail Service (5.0.1458.49) id <4SHRV684>; Thu, 9 Oct 1997 10:11:59 -0500
Message-ID:
From: "Waegner.Rick"
To: Phil Cracknell , "'Anton J Aylward'"
Cc: Firewalls Alias
Subject: RE: System Spec for Penetration test
Date: Thu, 9 Oct 1997 10:11:57 -0500
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1458.49)
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hey guys,

SUN states that several laptops are certified for solaris 2.6, intel edition.
One of the best on the list is the Fujitsu Lifebook 555tx. And yes, many
PCMCIA network cards are supported. You can get an updated compatibility list
from: http://access1.sun.com/certify/hcl.html

This laptop ships with a cdrom (internal). All of this info is from the
Solaris 2.6 intel manuals (i'm running it at home).

Rick Waegner
UNIX sys admin
The Boeing Co.

> ----------
> From: Anton J Aylward
> Sent: Wednesday, October 8, 1997 16:14
> To: Phil Cracknell
> Cc: Firewalls Alias
> Subject: Re: System Spec for Penetration test
>
> At 07:11 PM 08/10/97 +0100, Phil Cracknell wrote:
> ## Reply Start ##
> >
> > I need a little advice on the spec of a laptop for penetration testing.
> >
> > Originally I wanted a Sparcbook, but this is not possible now (for lots
> > of reasons) so I thought about a high-powered pentium laptop and
> > loading Solaris X86 and I can then also install NT.
> >
> > Does X86 support most PCM/CIA network cards?
> >
> > Would I be best advised to choose a SCSI-based disk/CD for ease of
> > install? (X86 again!)
>
> Why make it complicated.
> There are plenty of tools written in C which will compile to run under DOS.
> If you really want to be fancy and run UNIX, try a lightweight LINUX.
> You could probably make do with an old 386 or 486 discard, 8Meg of RAM
> and just a few hundred meg of disk. Cost is asymptotic zero.
> It certainly saved my old laptop from being a boat anchor.
>
> /anton
>
> ## Reply End ##
>
Lane, CNE Technical Director From owner-firewalls-list Thu Oct 9 11:49:22 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA02515; Thu, 9 Oct 1997 10:10:23 -0700 (PDT) Received: from pse01.pios.com (PSE01.PIOS.COM [199.33.129.2]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id KAA02295 for ; Thu, 9 Oct 1997 10:09:24 -0700 (PDT) Received: by pse01.pios.com; (5.65v3.2/1.3/10May95) id AA12253; Thu, 9 Oct 1997 13:11:33 -0400 Received: from vaxa.PIOS.COM (vaxa.PIOS.COM) by gemini.pios.com (PMDF V5.0-6 #18985) id <01IOLRC7BYDC8WZUK9@gemini.pios.com> for firewalls@greatcircle.com; Thu, 09 Oct 1997 13:12:16 -0400 (EDT) Received: from ghost (192.168.14.150) by PIOS.PIOS.COM (PMDF V5.0-6 #18984) id <01IOLRA1YQW08Y5US1@PIOS.PIOS.COM> for firewalls@greatcircle.com; Thu, 09 Oct 1997 13:10:34 -0400 (EDT) Date: Thu, 09 Oct 1997 10:11:14 -0700 From: Bill Stout Subject: Looking for feedback on SCC Firewalls X-Sender: stoutb@192.168.0.37 To: firewalls@greatcircle.com Message-Id: <2.2.32.19971009171114.0123763c@192.168.0.37> Mime-Version: 1.0 X-Mailer: Windows Eudora Pro Version 2.2 (32) Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I haven't seen many of my customers use SCC products, so I'm curious about experiences with their products. 'Sidewinder' uses 'Type Enforcement', which is used by the operational kernel to tighten BSD security (in which no super-user status exists). One boots into an administrative kernel which has no networking capabilites to administer the system. Not being familiar with BSD, is 'Type Enforcement' non-proprietary? I do like their 'strikeback' capability, which collects data about an attack source or triggers other commands. The NSA also has a favorable sidewinder report at http://mitten.ie.org/sidewinder/sidewinder.htm. 
SCC 'Firewall for NT' states the primary component of the security architechture is a 'software wedge' between the network access layer and the protocol stacks. Uh, oh, seems they use the standard MS TCP/IP stack which has it's own vulnerabilities and mysteries. :( I'm also interested in Borderguard experience. One of the bullets for Borderguard is that each service is 'compartmented', limiting service attacks to that service. Are they doing something different here? Bill Stout ______________________________________________________________________ Our State Department praised the US/NATO military jamming, signal hijack, then finally physical takeover of Bosnian Television stations, to make a system `free of the monopolizing influence of political parties.' http://cnn.com/WORLD/9709/11/bosnia.jammers/ http://www.pathfinder.com/@@*IrLOQUAih6QgJfh/news/latest/RB/1997Oct01/235.html Sure hope they don't 'free us' here of free speech in America. From owner-firewalls-list Thu Oct 9 11:55:59 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA14543; Thu, 9 Oct 1997 11:01:36 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id GAA10159 for ; Thu, 9 Oct 1997 06:10:37 -0700 (PDT) Received: from homeport.org by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id GAA03311; Thu, 9 Oct 1997 06:06:07 -0700 (PDT) Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id IAA16601; Thu, 9 Oct 1997 08:57:31 -0400 (EDT) From: Adam Shostack Message-Id: <199710091257.IAA16601@homeport.org> Subject: Re: System Spec for Penetration test In-Reply-To: <199710081811.TAA08242@WorldHQ.com> from Phil Cracknell at "Oct 8, 97 07:11:16 pm" To: phil@securIT.net Date: Thu, 9 Oct 1997 08:57:31 -0400 (EDT) Cc: adam@homeport.org, firewall-wizards@nfr.net, firewalls@GreatCircle.COM, frankw@in.net, Kevin.Brown@NetComm.ie X-Mailer: ELM [version 2.4ME+ PL27 
(25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Having just gone through this, its essential that you look at the hardware compatibility lists, and get the latest driver updates. Both are available on http://access1.sun.com., Buy hardware on the HCL, and read the lab notes for the test. Installing on IDE was only a problem in that my drivers were out of date, and it saw my 2.1 gb disk as a 1.0. Adam Phil Cracknell wrote: | I've cc'd this to firewalls and firewall-wizards, it may be off-topic, | so I apologise up front; | | I need a little advice on the spec of a laptop for penetration testing. | | Originally I wanted a Sparcbook, but this is not possible now (for lots | of reasons) so I thought about a high-powered pentium laptop and | loading Solaris X86 and I can then also install NT. | | Does X86 support most PCM/CIA network cards? | | Would I be best advised to choose a SCSI-based disk/CD for ease of | install? (X86 again!) | | Can you think of anything else? | | Many thanks | | ------------------------------------------------------------- | Edward Cracknell - | Security Administrator | -- "It is seldom that liberty of any kind is lost all at once." 
-Hume From owner-firewalls-list Thu Oct 9 12:06:59 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA09832; Thu, 9 Oct 1997 02:42:52 -0700 (PDT) Received: from punt-1.mail.demon.net (punt-1d.mail.demon.net [194.217.242.138]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id CAA09807 for ; Thu, 9 Oct 1997 02:42:35 -0700 (PDT) Received: from mailgate.browns.co.uk ([194.217.147.100]) by punt-1.mail.demon.net id aa0914146; 9 Oct 97 9:56 BST Received: from santi.brownsbox.com by post.browns.co.uk id aa12083; 9 Oct 97 10:10 BST Reply-To: santi@browns.co.uk MMDF-Warning: Parse error in original version of preceding line at post.browns.co.uk From: "Santi Ribas - Brown's Operating System Services" To: Ed Forbes Cc: firewalls@greatcircle.com MMDF-Warning: Parse error in original version of preceding line at post.browns.co.uk Subject: Re: POP across a firewlll... Date: Thu, 9 Oct 1997 09:51:23 +0100 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1155 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Message-ID: <9710091010.aa12083@post.browns.co.uk> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk What do you mean by "just put a plug into your firewall letting your inside users contact the POP server and download their mail"? A packet filter entry to allow connections to the POP host and port? Whenever you retrieve mail from your POP server you are transmitting the ID/PSW of your email account in clear, as well as the messages that you download unless they are encrypted by a mail encrypting system. So if you send these packages through Internet or a non-secure network, then everyone with a datascope can have a look on your mails and IDS/PSW. Normally, UNIX users use the same ID/PSW for POP than for other services (like FTP or Telnet), so if anyone gets hold of the ID/PSW, then will probably get the same access as the real user. 
I wouldn't suggest using POP across the Internet unless using encryption and access control by user to the POP server (like SOCKS does).

bye...

Santi Ribas

----------
> From: Ed Forbes
> To: Sadler, Connie J
> Cc: firewalls@greatcircle.com
> Subject: Re: POP across a firewlll...
> Date: 08 October 1997 18:12
>
> Hi Connie,
>
> > Does anyone know of a "safe" way to support POP through a firewall? Any
> > help or direction would be appreciated!
>
> I guess it all depends upon what you mean by "support".
>
> If you have a POP server on the outside of your firewall, then you
> just put a plug into your firewall letting your inside users contact
> the POP server and download their mail. This is pretty simple.
>
> If you have a POP server inside the firewall, then you can configure
> your firewall to just relay the mail into it.
>
> Hope this helps,
> Ed

From owner-firewalls-list Thu Oct 9 13:02:07 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id DAA12327; Thu, 9 Oct 1997 03:00:44 -0700 (PDT)
Received: from vogon.de.deuba.com (vogon.de.deuba.com [194.175.189.2]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id CAA12153 for ; Thu, 9 Oct 1997 02:59:56 -0700 (PDT)
Received: by vogon.de.deuba.com id AA118816; Thu, 9 Oct 1997 12:00:28 +0200
Received: vogon.de.deuba.com via smap (V2.0) id xma068604; Thu, 9 Oct 97 12:00:26 +0200
Received: by smap.mail.deuba.com id MAA12800; Thu, 9 Oct 1997 12:00:40 +0200
Received: proxy2.esb.eur.deuba.com via smap (V2.0) id xma028412; Thu, 9 Oct 97 12:00:36 +0200
Received: from marc.ksfw.esb.eur.deuba.com by marvin.ose.eur.deuba.com id MAA25416; Thu, 9 Oct 1997 12:01:29 +0200
Received: (from marc@localhost) by marc.ksfw.esb.eur.deuba.com (8.8.7/8.8.5) id MAA03049; Thu, 9 Oct 1997 12:01:49 +0200
From: Marc Heuse
Message-Id: <199710091001.MAA03049@marc.ksfw.esb.eur.deuba.com>
Subject: DNS on the Firewall - security problem
To: firewall-wizards@nfr.net
Date: Thu, 9 Oct 1997 12:01:49 +0200
(CEST)
Cc: firewalls@greatcircle.com
X-Mailer: ELM [version 2.4ME+ PL32 (25)]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi Folks,

being in firewalls for some time now, I'm wondering why several firewall companies ship their product with a dns-server - for running on the firewall of course - with the standard named from the bind package. Of course a dns is needed on the fw when you are using an application gateway firewall, but why don't they use a minimal/secure dns server?

All vendors label their dns server on the firewall as "secure", but many of them just want to say "the dns-server doesn't give out dns information of the internal network to the world". I think this is a big security risk. Just take a look at the Changes file of the newest bind. If you examine the first lines, you'll see that they fixed a buffer overflow - so for quite some time there was a possibility to run arbitrary commands - on the firewall! *sigh*

I found so far two possibilities to solve this problem ...

The first is to chroot named. pointer: www.homeport.org/~adam/dns.html

The second is to just forward the dns resolving to a host in the dmz plus running also the primary external dns there.

Do you see any problems with these suggestions?

And another question, are there any secure/minimal dns-servers out there? pointers?

Regards,
Marc Heuse

This message and any statements expressed therein are those of myself and not of the Deutsche Bank AG or its subsidiary companies.
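The two measures Marc lists can be combined: a named that is chrooted, runs unprivileged, and holds no zone data at all because it only forwards to the resolver in the DMZ. The script below is an added example, not code from Marc's post or from any firewall vendor; it assumes a BIND 8 style named that accepts -u USER and -t DIR, and the DMZ resolver address 192.0.2.53, the jail path and the "named" account are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: lay out a minimal chroot jail
# for named and a forward-only named.conf that hands every query to the
# DMZ resolver. Assumptions (not on the page): BIND 8 style named with
# -u/-t/-c; 192.0.2.53 and the account name "named" are placeholders.

# build_named_jail JAIL DMZ_RESOLVER
#   Creates the directory tree and a named.conf that forwards everything.
build_named_jail() {
    jail=$1
    dmz_resolver=$2

    # Only what named touches at run time: no /bin, no shell.
    for d in etc dev var/run var/log; do
        mkdir -p "$jail/$d"
    done
    chmod 755 "$jail"

    # forward only  : never walk the tree itself, just ask the DMZ box
    # allow-query   : answer the firewall's own proxies only
    # fetch-glue no : do not chase glue records from the firewall
    cat > "$jail/etc/named.conf" <<EOF
options {
    directory "/etc";
    forward only;
    forwarders { $dmz_resolver; };
    allow-query { localhost; };
    fetch-glue no;
};
EOF
    chmod 644 "$jail/etc/named.conf"
}

# check_named_jail JAIL
#   Returns 0 when the jail is forward-only, holds no zone data and
#   contains no shell or interpreter; prints each finding otherwise.
check_named_jail() {
    jail=$1
    conf="$jail/etc/named.conf"
    rc=0
    if [ ! -f "$conf" ]; then
        echo "missing $conf"
        return 1
    fi
    if ! grep -q '^[[:space:]]*forward only;' "$conf"; then
        echo "named.conf is not forward-only"; rc=1
    fi
    if grep -q '^[[:space:]]*zone[[:space:]]' "$conf"; then
        echo "named.conf carries zone data; that belongs on the DMZ server"; rc=1
    fi
    for f in bin/sh usr/bin/sh bin/bash usr/bin/perl; do
        if [ -e "$jail/$f" ]; then
            echo "$f found inside the jail"; rc=1
        fi
    done
    return $rc
}

# start_named_in_jail JAIL
#   Root only: drop to the "named" account and chroot into the jail.
#   Not run by the demonstration below.
start_named_in_jail() {
    jail=$1
    if [ "$(id -u)" -ne 0 ]; then
        echo "must be root to start named"
        return 1
    fi
    named -u named -t "$jail" -c /etc/named.conf
}

# Demonstration on a scratch directory; a real jail would live under
# something like /var/named-jail.
demo=$(mktemp -d)
build_named_jail "$demo" 192.0.2.53
if check_named_jail "$demo"; then
    echo "jail at $demo passes the checks"
fi
rm -rf "$demo"
```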
Type Bits/KeyID Date User ID
pub 2048/DB5C03C5 1997/09/23 Marc Heuse

From owner-firewalls-list Thu Oct 9 13:02:48 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA20289; Thu, 9 Oct 1997 07:04:10 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id HAA20241 for ; Thu, 9 Oct 1997 07:03:55 -0700 (PDT)
Received: from lexicon.ins.com by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id GAA04989; Thu, 9 Oct 1997 06:59:14 -0700 (PDT)
Received: from test.lib.com ([206.34.216.2]) by lexicon.ins.com (8.7.5/8.7.3) with SMTP id HAA06695; Thu, 9 Oct 1997 07:03:34 -0700 (PDT)
Message-Id: <3.0.2.32.19971009100255.011c20fc@199.0.193.11>
X-Sender: betterton@199.0.193.11
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.2 b4 (32)
Date: Thu, 09 Oct 1997 10:02:55 -0400
To: Dave Zwieback , Unix Wizards Mailing List , Firewalls@GreatCircle.COM
From: Brian Betterton
Subject: Re: Firewall routing setup, Solaris 2.5.1
In-Reply-To:
<343BF4CC.F5E41692@timeplex.com>
References:
Mime-Version: 1.0
Content-Type: text/enriched; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Dave,

With three interfaces configured on solaris, i.e. you have the hostname.interface files in /etc, then routing (in.routed and in.rdisc) will start up by default. It is highly recommended never to run a dynamic routing protocol on a firewall. It's best to use static routes.

If you create an /etc/defaultrouter file with an entry of the ISP's router's interface IP, closest to your external firewall interface, then on reboot, the solaris system will not turn on routing, and you will have a default route pointing out. You'll need to add your static routes to handle your internal networks.

Solaris also lets you create a multihomed host by "touching" /etc/notrouter, which creates an empty file. Then, on reboot, in.routed and in.rdisc will not start, and IP forwarding will not be turned on for all interfaces configured up by ifconfig. Again, you'll need your static routes and default route.

As far as netmasks, edit the /etc/netmasks file with the network you need to subnet, for example:

X.X.0.0 255.255.255.0

Regarding IP forwarding, the Checkpoint Arch 3.0 manual, page 265 describes how to edit the /etc/rc2.d/S69inet file to turn off IP forwarding and source routed packets. The book doesn't mention it, but you also may want to consider turning off ICMP redirects.

I hope this helps some,

brian

At 05:02 PM 10/8/97 -0400, Dave Zwieback wrote:
>Hey,
>
>I am trying to setup a three-host firewall, with Firewall-1 ver 3.0 on
>it. The machine has 3 interfaces, one for the outside (on the same
>network as the ISP router), one for the inside, and one for the DMZ. The
>outside interface is a class B address given to us by our ISP. The
>inside address belongs to a class B network, subnetted to a class
>C (255.255.255.0). The DMZ network address is also part of the class B
>network.
>
>The internal address is on a wire which goes to our enterprise router,
>which is broadcasting RIP, all the time.
>
>Couple of questions:
> 1) How do you configure routing for this setup
> 2) Do you turn on in.routed and/or in.rdisc? With what options?
> 3) Do you turn on ip_forwarding?
> 4) Any idea about the netmasks?
> 5) RIP?
> 6) Static or dynamic routes?
>
>I would appreciate any help you can give me, pointers to on-line
>information, etc. Thanks in advance.
>
>Dave.
>
>
>

=======================================================
Brian D. Betterton                 email: <brian_betterton@ins.com>
Network Systems Consultant         http://www.ins.com
International Network Services     voice: (617) 376-2450 x244
300 Crown Colony Drive             fax: (617) 376-2458
Quincy, MA 02169

From owner-firewalls-list Thu Oct 9 13:16:53 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id AAA21585; Thu, 9 Oct 1997 00:34:43 -0700 (PDT)
Received: from mantech.com (groupwise.mantech.com [206.65.236.10]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id AAA21472 for ; Thu, 9 Oct 1997 00:34:02 -0700 (PDT)
Received: from MANTECH-Message_Server by mantech.com with Novell_GroupWise; Thu, 09 Oct 1997 03:35:05 -0400
Message-Id:
X-Mailer: Novell GroupWise 4.1
Date: Thu, 09 Oct 1997 03:34:49 -0400
From: David Lane
Reply-To: dlane@mantech.com
To: Firewalls@GreatCircle.COM
Subject: Firewalls-Digest V6 #477 -Reply
Mime-Version: 1.0
Content-Type: text/plain
Content-Disposition: inline
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I will be out of the office until Tuesday October 14th. For critical emergencies, please call the Help Desk at 703.218.8230. I will respond to your message when I return

DAVID

David A.
Lane, CNE
Technical Director

From owner-firewalls-list Thu Oct 9 13:23:37 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA18693; Thu, 9 Oct 1997 11:29:58 -0700 (PDT)
Received: from c2smtp.on.com (c2smtp.on.com [207.18.216.5]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id LAA18662 for ; Thu, 9 Oct 1997 11:29:50 -0700 (PDT)
Received: from Connect2 Message Router by c2smtp.on.com via Connect2-SMTP 4.30A; Thu, 9 Oct 1997 14:29:31 -0400
Message-ID: <2337A03801D40000@c2smtp.on.com>
Date: Thu, 9 Oct 1997 14:27:00 -0400
From: Chris Wall
Organization: ON Technology - Cambridge
To: firewalls@greatcircle.com
Subject: Signing off for a bit ...
Importance: normal
MIME-Version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-disposition: inline
Content-transfer-encoding: 7bit
X-Mailer: Connect2-SMTP 4.30A MHS/SMF to SMTP Gateway
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Gentlemen:

I've thoroughly enjoyed the technical information and discussion in both groups, minus some of the flame-wars, which have not been too bad here. My email address will be different when I sign back on. I can be contacted at chriswall@juno.com till then,

Take care and keep the faith !
Chris Wall

From owner-firewalls-list Thu Oct 9 13:24:50 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA18961; Thu, 9 Oct 1997 09:02:27 -0700 (PDT)
Received: from compaq1.lucentncg.com (lucentncg.com [207.113.5.65]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id JAA18894 for ; Thu, 9 Oct 1997 09:02:12 -0700 (PDT)
Received: from ncg1.lucentncg.com by compaq1.lucentncg.com via smtpd (for honor.greatcircle.com [198.102.244.44]) with SMTP; 9 Oct 1997 16:13:59 UT
Received: by ncg1.lucentncg.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BCD4A3.12B3C3E0@ncg1.lucentncg.com>; Thu, 9 Oct 1997 11:04:11 -0500
Message-ID:
From: "Davis, Rob"
To: "'firewalls@greatcircle.com'"
Cc: "Galvin, Dean"
Subject: RE: Keyword filtering of email through firewall
Date: Thu, 9 Oct 1997 11:03:19 -0500
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This is tangentially related to firewalls, so I apologize in advance. If anyone knows of a more appropriate venue for this, please let me know.

I have a multi-national customer with approximately 200 sites that will soon be connected with a WAN and additionally have Internet access through some yet to be determined firewall. They would like a mechanism that would allow them to detect incoming/outgoing Internet mail that did not meet "company policies". This could be sexual content, frivolous material, trade secrets, etc. The obvious places to check are the firewall and mail server(s). I realize that there are still a million ways to get the info out and it's probably a bad idea, but I'm curious about potential commercial or custom-built applications and the price.

Thanks in advance for your help.
regards,
Rob

>________________________________
>Rob Davis
>Lucent Technologies, Network Consulting Group
>Network Consultant
>http://www.lucentncg.com
>(972) 419-3815
>1-800-SKY-PAGE #126-9384

From owner-firewalls-list Thu Oct 9 15:28:45 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA21263; Thu, 9 Oct 1997 11:47:54 -0700 (PDT)
Received: from relay2.cospo.osis.gov (relay2.cospo.osis.gov [198.81.186.194]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id LAA18732 for ; Thu, 9 Oct 1997 11:30:08 -0700 (PDT)
Received: by relay2.cospo.osis.gov (4.1/SMI-4.1) id AA15435; Thu, 9 Oct 97 14:28:30 EDT
Message-Id: <9710091828.AA15435@relay2.cospo.osis.gov>
Received: from washington.cospo.osis.gov(198.81.161.68) by relay2.cospo.osis.gov via smap (V1.3) id sma015426; Thu Oct 9 14:28:08 1997
Received: by washington.cospo.osis.gov (1.38.193.4/16.2) id AA14436; Thu, 9 Oct 1997 14:31:21 -0400
From: "Joseph S. D. Yao"
Subject: Re: Plug Help
To: Firewalls@GreatCircle.COM
Date: Thu, 9 Oct 1997 14:31:21 -0400 (EDT)
Cc: greg@wye.com
In-Reply-To: <199710090048.RAA22002@honor.greatcircle.com> from "Firewalls-Digest" at Oct 8, 97 05:48:59 pm
X-Mailer: ELM [version 2.4 PL25 PGP3 *ALPHA*]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Date: Fri, 3 Oct 1997 10:17:47 -0400
> From: Gregory Wilkins
> Subject: Plug Help
>
> I am assuming that I could support a user with the plug-gw that needs to
> use his/her AOL program to connect to AOL via the Internet.
>
> I know that AOL uses TCP/IP as one of the dialers, and indeed it does
> work on the "public" net, but has anyone created a plug to do this
> (e.g.: does anyone have any samples that they might be able to send me,
> showing how they did this?).
>
> I've tried to put the plug in myself, but it continues not to work.
>
> Please help.
> I've got a user (one of my boss's) who needs to access his
> AOL account.

We had an identical request, including the Importance Level. We investigated, and found that AOL uses a proprietary protocol for its interface program. You can't just telnet in, or SMTP in, or anything so pedestrian.

We also asked some people we happened to know at AOL. They assured us that there was a proxy for the AOL protocol. But I don't remember what the URL was. Because the next thing they said was that it opened an IP stream over that port, and made a hole big enough - and I quote - to fly the star ship Enterprise through.

We passed that quote up verbatim. The request disappeared.

--
Joe Yao jsdy@cospo.osis.gov - Joseph S. D. Yao
COSPO Computer Support EMT-A/B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.

From owner-firewalls-list Thu Oct 9 15:58:40 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA21678; Thu, 9 Oct 1997 11:50:13 -0700 (PDT)
Received: from panix2.panix.com (panix2.panix.com [198.7.0.3]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id LAA21614 for ; Thu, 9 Oct 1997 11:49:39 -0700 (PDT)
Received: (from guy@localhost) by panix2.panix.com (8.8.5/8.7/PanixU1.3) id OAA19950; Thu, 9 Oct 1997 14:52:23 -0400 (EDT)
Date: Thu, 9 Oct 1997 14:52:23 -0400 (EDT)
From: Information Security
Message-Id: <199710091852.OAA19950@panix2.panix.com>
To: firewalls@GreatCircle.COM
Subject: RE: The risk management system mentioned below...
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From gcrum@us-state.gov Thu Oct 9 11:32:15 1997
>
> Guy, have you looked at the product called mimesweeper? It
> has a string search / dirty word search capability built in
> On Wednesday, October 08, 1997 9:25 PM, Information
> Security [SMTP:guy@panix.com] wrote:
> |
> | ( Genius at work ;-)
> |
> | Aspen Computer, Inc.
> | has informed me that the _correct_
> | email
> | address for contacting them is noz@AspenComputer.com.
> | ---guy
> |
> | > ==================================================
> | > I've sold this NSA-like keyword-based Internet
> | > Email Risk Management
> | > Analytics to a NYC company, Aspen Computer, Inc.

I hope I'm not annoying list members too much with this...

Previously, I shared the painful experiences of having an email analyzer that was so damn successful, it caused problems when I caught and pursued a person with friends "in high places". It was fine to fire regular employees, but when I caught a senior manager in Internal Audit...

Anyway, I'm not supposed to go into that again, and I'm not part of Aspen Computers, and won't be on anyone's systems doing traffic analysis anymore. Selling it was my way of getting out of the loop.

----

To answer your question: there is nothing unique about searching for keywords... What is unique was the overall combination of techniques, which yielded over 400,000 lines of proprietary source code caught, EVEN THOUGH I HAD NO KEYWORDS LOOKING FOR SOURCE CODE.

Basically, the primary daily "radar" file is built using *exclusion* logic, not keywords to find things. It is a completely different technique than a MIMESWEEPER approach, a technique that allows one to do traffic analysis to spot problem transfers.

The product does not compete with MIMESWEEPER or any other virus spotter. It does, however, spot _hoax_ viruses.
;-)

---guypanix.com

From owner-firewalls-list Thu Oct 9 16:13:31 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA18359; Thu, 9 Oct 1997 08:59:41 -0700 (PDT)
Received: from do.nachtwacht.nl (pino.demon.nl [194.159.226.41]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id IAA18232 for ; Thu, 9 Oct 1997 08:59:12 -0700 (PDT)
Received: from localhost (arjan@localhost) by do.nachtwacht.nl (8.8.4/8.8.4) with SMTP id SAA00556; Thu, 9 Oct 1997 18:02:06 +0200
Date: Thu, 9 Oct 1997 18:02:06 +0200 (MET DST)
From: Arjan Vos
To: phil@securIT.netB
cc: Firewalls Alias
Subject: Re: System Spec for Penetration test
In-Reply-To: <3.0.32.19971008154929.009bcaa0@mail.the-wire.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 8 Oct 1997, Anton J Aylward wrote:

> At 07:11 PM 08/10/97 +0100, Phil Cracknell wrote:
> ## Reply Start ##
> >
> > I need a little advice on the spec of a laptop for penetration testing.
> >
> > Originally I wanted a Sparcbook, but this is not possible now (for lots
> > of reasons) so I thought about a high-powered pentium laptop and
> > loading Solaris X86 and I can then also install NT.
> >
> > Does X86 support most PCM/CIA network cards?
> >
> > Would I be best advised to choose a SCSI-based disk/CD for ease of
> > install? (X86 again!)
>
> Why make it complicated.
> There are plenty of tools written in C which will compile to run under DOS.
> If you really want to be fancy and run UNIX, try a lightweight LINUX.
> You could probably make do with an old 386 or 486 discard, 8Meg of RAM
> and just a few hundred meg of disk. Cost is asymptotic zero.
> It certainly saved my old laptop from being a boat anchor.
>

I don't agree (that is: for me potential boat anchors don't do the job)

My penetration laptop is a Pentium 120. You definitely will go for fast machines.
To me it proves to be a time saver as I keep my kernel as small as possible, and sometimes I need Token Ring, then I need Ethernet or radio or other drivers (I don't like using loading modules, but maybe that's a matter of preference), so I recompile my kernel a lot. Also sometimes you need specific drivers/software you need to compile on the fly...

Also lots of memory is really convenient (8 meg is out of the question): Most of the time I have several windows opened: one for giving commands, one for tailing log files, one for tailing a tcpdump during the test, etc.. When using tools such as ISS or Ballista, log-analysing tools or when connecting to 100 MB/s networks, lots of memory is very nice to have. And that brings us to disk space: megabytes of tcpdump output is no exception for me, so I would go for big disks.

I use Linux and FreeBSD on my laptops. I also have Windows NT (go for fast!!!). I don't have any experience with SPARCbooks.

I use 3Com PCMCIA Ethernet/Token Ring cards and Angia PCMCIA modems and don't have any problems with these.

Gr.
Arjan

--
Eat hard
Sleep hard
Wear glasses if you need them

From owner-firewalls-list Thu Oct 9 16:30:10 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA16566; Thu, 9 Oct 1997 08:51:09 -0700 (PDT)
Received: from iccu6.ipswich.gil.com.au (iccu6.ipswich.gil.com.au [203.1.75.10]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id HAA28278 for ; Thu, 9 Oct 1997 07:38:07 -0700 (PDT)
Received: from home1 (cs18p16.ipswich.gil.com.au [203.1.73.94]) by iccu6.ipswich.gil.com.au with SMTP id AAA24880 (8.6.12/IDA-1.6 for ); Fri, 10 Oct 1997 00:38:13 +1000
Received: by home1 with Microsoft Mail id <01BCD513.C818E1A0@home1>; Fri, 10 Oct 1997 00:30:59 +-1000
Message-ID: <01BCD513.C818E1A0@home1>
From: Anthony Burow
To: "'firewalls@greatcircle.com'"
Subject: PIX : big FTP downloads stop a 99% (side-tracked a little)
Date: Fri, 10 Oct 1997 00:29:54 +-1000
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

I encountered a similar problem last week with another proxy product that even removal of the proxy service from the network all-together proved to be of no help at all.

On the site I was on I had an external router screening out basically everything, allowing "tcp established". I even went through the process of specifying filtering for FTP-DATA back into the system. On most sites this worked however, on one individual site (a sister company) FTP just plain-out refused to upload or download any files.

To cut a long story short I traced packets coming from their gateway router sending ICMP UNREACHABLE with the Fragmentation Required - DF flag set (syslog/console reports - ICMP [3/4] ??? ). Allowing ICMP in again and through to the originating machine (well "icmp any any unreachable" and "icmp any any source-quench") seemed to resolve the problem.
I closed off the problem by notifying the admin at the remote site that they have a serious bandwidth problem (no doubt they knew this already) and detailed what I was getting from my end of the bargain. I put the proxy service back in place and changed the router rules to allow icmp unreachables and quenches in to the proxy service only. It's been working happily ever since.

Now my question is this, what sort of a hole has been made? There is no acknowledgement back to the sender of these packets, there never would be anyway, I filter all outgoing icmp and have disabled icmp generated messages (host unreachables, etc) on the external router's external interface. How could ICMP be used to an outsider's advantage, I would guess that there could be some sort of DOS attack that could be launched against this proxy server using quenches or unreachables. How realistic is that thought?

Thanks

Anthony

FYI, I took the rest of the internal network off-line as well while the DMZ was in pieces...

> Date: Thu, 18 Sep 1997 19:22:22 +0000
> From: "Lionel MARIE"
> Subject: PIX : big FTP downloads stop a 99%
>
> Hello all,
>
> We experience a strange problem with 2 of our customers where we installed
> PIX with 4.05 OS Version. When they want to download a big file (> 2MO)
> from the internet, using FTP, the downloads often stop at 99% of the progress
> bar. Most of the users use Netscape (3.0x & 4.0x), IE (3.0x) on INTEL based
> computers, MacIntosh and LINUX. One of the customers has tested with FTP
> explorer and he got the same result...
>
> We have made on about 50 computers and it's the same problem on each, so i'm
> quite sure it's a network/firewall filtering problem.
>
> Any idea?
>
> regards,
> Lionel.
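The message Anthony saw, ICMP type 3 code 4 ("fragmentation needed and DF set"), is the one signal Path MTU discovery depends on; blocking it stalls large transfers exactly as described, while the blanket "icmp any any unreachable" and "icmp any any source-quench" rules let in far more than that one message. The script below is an added example, not part of Anthony's message or any router vendor's documentation: it summarises which ICMP type/code the external router was actually logging so the permit can be narrowed to 3/4 only. The log lines are constructed in the style of IOS access-list logging (type/code shown as "(3/4)"), and the addresses and the proxy IP 192.0.2.10 are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: summarise denied ICMP
# type/code from router syslog before deciding what to permit.
# The log lines are constructed (IOS access-list logging style); the
# addresses, list number and proxy IP are placeholders.

SAMPLE_LOG='Oct  7 10:01:12 extrtr 45: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 203.0.113.1 -> 192.0.2.10 (3/4), 1 packet
Oct  7 10:01:14 extrtr 46: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 203.0.113.1 -> 192.0.2.10 (3/4), 1 packet
Oct  7 10:02:30 extrtr 47: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 198.51.100.7 -> 192.0.2.10 (3/1), 1 packet
Oct  7 10:03:02 extrtr 48: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.9(1234) -> 192.0.2.10(23), 1 packet
Oct  7 10:05:41 extrtr 49: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 203.0.113.2 -> 192.0.2.10 (4/0), 1 packet
Oct  7 10:07:19 extrtr 50: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 203.0.113.3 -> 192.0.2.10 (3/4), 1 packet'

# icmp_summary < logfile
#   Prints "type/code count" for every denied ICMP entry, sorted.
#   Non-ICMP entries (the tcp line above) are ignored.
icmp_summary() {
    awk '
        /denied icmp/ {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^\([0-9]+\/[0-9]+\),?$/) {
                    tc = $i
                    gsub(/[(),]/, "", tc)
                    count[tc]++
                }
            }
        }
        END { for (tc in count) print tc, count[tc] }
    ' | LC_ALL=C sort
}

# classify_icmp TYPE/CODE
#   Says whether the proxy needs that message or it should stay denied.
classify_icmp() {
    case $1 in
        3/4) echo "fragmentation-needed: required for path MTU discovery, permit to the proxy" ;;
        3/*) echo "other unreachable: not needed for the transfer, keep denied" ;;
        4/0) echo "source-quench: ignored by modern stacks, keep denied" ;;
        *)   echo "other ICMP: keep denied" ;;
    esac
}

# narrowed_rule PROXY_IP
#   The single permit that replaces the two blanket rules in the post
#   (IOS extended access-list syntax: icmp-type 3, icmp-code 4).
narrowed_rule() {
    echo "access-list 101 permit icmp any host $1 3 4"
}

# report PROXY_IP < logfile
#   One verdict per type/code seen, then the narrowed rule.
report() {
    proxy=$1
    icmp_summary | while read -r tc n; do
        echo "$tc seen $n times: $(classify_icmp "$tc")"
    done
    echo "suggested rule: $(narrowed_rule "$proxy")"
}

printf '%s\n' "$SAMPLE_LOG" | report 192.0.2.10
```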
From owner-firewalls-list Thu Oct 9 17:16:00 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA26879; Thu, 9 Oct 1997 12:22:16 -0700 (PDT)
Received: from csnnetra1.csn.com.br ([200.255.165.102]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id MAA26835 for ; Thu, 9 Oct 1997 12:22:04 -0700 (PDT)
Received: from mg65.csn.com.br ([172.16.10.3]) by csnnetra1.csn.com.br (8.8.5/8.8.5) with SMTP id QAA19634 for ; Thu, 9 Oct 1997 16:19:27 -0300 (EST)
Received: by mg65.csn.com.br with Microsoft Mail id <01BBB606.D5011EA0@mg65.csn.com.br>; Wed, 9 Oct 1996 17:25:14 -0300
Message-ID: <01BBB606.D5011EA0@mg65.csn.com.br>
From: Alessandro Jannuzzi
To: "'firewalls@greatcircle.com'"
Subject: Log Analyser
Date: Thu, 9 Oct 1997 17:24:11 -0300
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

Does anyone here know some tool to extract statistics and reports from the Solstice Firewall-1 log file ?

Thanks in advance.

Alessandro.
From owner-firewalls-list Thu Oct 9 17:21:41 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA04121; Thu, 9 Oct 1997 12:59:30 -0700 (PDT)
Received: from ereapp.erenj.com (ereapp.ERENJ.COM [159.70.31.2]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id MAA04104 for ; Thu, 9 Oct 1997 12:59:22 -0700 (PDT)
Received: (from smap@localhost) by ereapp.erenj.com (8.8.5/8.8.5) id QAA00992; Thu, 9 Oct 1997 16:01:36 -0400
Received: from eredns.erenj.com(159.70.1.252) by ereapp.erenj.com via smap (V2.0) id xma000917; Thu, 9 Oct 97 16:01:12 -0400
Received: from clmail.erenj.com (clmail.erenj.com [159.70.1.248]) by eredns.erenj.com (8.8.5/8.8.5) with ESMTP id QAA08612; Thu, 9 Oct 1997 16:00:22 -0400
Received: from tiger (tiger.ecsc.exxon.com [159.129.116.3]) by clmail.erenj.com (8.8.5/8.8.5) with SMTP id QAA18992; Thu, 9 Oct 1997 16:00:20 -0400 (EDT)
Message-ID: <343D37DD.6201DD56@erenj.com>
Date: Thu, 09 Oct 1997 15:00:29 -0500
From: Andy Howard
Organization: Exxon Computing Services Company
X-Mailer: Mozilla 3.0Gold (X11; I; SunOS 4.1.4 sun4c)
MIME-Version: 1.0
To: bjm@fl.dk
CC: firewalls@greatcircle.com
Subject: Re: Single point of failure.
References: <97Oct9.171019gmt+0100.26881-4@gw.fl.dk>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This should be (isn't always) addressed in the risk assessment done *before* the firewall/access point is installed. If the single point of failure is rated as low risk compared to time/money lost during the outage and the cost to put in spares, etc, then don't sweat it. If high risk, then the controls would dictate spares, alternate routes, etc.

As has been said on this list multiple times, a firewall (and its type) should be dictated by the security policy and risk needs of the organization and not plug in some sort of firewall and try to fashion policy and needs around it.
Easy to preach, not always easy to follow........

bjm@fl.dk wrote:
>
> Hi
> Does someone have any comments on the following issue which I see as
> being more relevant when using firewalls internally or as access point
> for Intranet/Extranet connected through public networks (e.g.
> Internet):
>
> A couple of firewall products offer the ability to support multiple
> network interface cards. These products are often used in solutions
> where different kind of user groups, servers/services etc. are
> separated on different LAN-segments connected to the firewall. If a
> company uses this functionality on a firewall, they introduce a single
> point of failure which I think is often neglected or forgotten.

<<< rest snipped >>>>

--
Andy Howard achowar@erenj.com
-- the above comments are mine only--

From owner-firewalls-list Thu Oct 9 17:29:08 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id RAA03004; Thu, 9 Oct 1997 17:17:39 -0700 (PDT)
Received: from mail.diginsite.com (mail.diginsite.com [208.2.189.2]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id RAA02923 for ; Thu, 9 Oct 1997 17:17:20 -0700 (PDT)
Received: from march.diginsite.com (dlang@march.diginsite.com [208.2.189.102]) by mail.diginsite.com (8.8.6/8.8.6) with SMTP id RAA29154 for ; Thu, 9 Oct 1997 17:14:18 -0700
Date: Thu, 9 Oct 1997 17:16:40 -0700 (PDT)
From: David Lang
To: Firewalls Alias
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----

I am attempting to use the SNK one-time-password tokens with the TIS firewall toolkit. In the documentation it mentions several files that need to be compiled into the code. When I called Axent (who make the keycards) they said call TIS.
When I call TIS they only want to talk about gauntlet (of course :-)

Can anyone tell me where I can find the files needed to make the toolkit use the SNK passwords?

David Lang

From owner-firewalls-list Thu Oct 9 19:26:32 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA24978; Thu, 9 Oct 1997 12:12:54 -0700 (PDT)
Received: from emout03.mail.aol.com (emout03.mx.aol.com [198.81.11.94]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id MAA24943 for ; Thu, 9 Oct 1997 12:12:42 -0700 (PDT)
From: Justface@aol.com
Received: (from root@localhost) by emout03.mail.aol.com (8.7.6/8.7.3/AOL-2.0.0) id PAA18844 for Firewalls@greatcircle.com; Thu, 9 Oct 1997 15:14:52 -0400 (EDT)
Date: Thu, 9 Oct 1997 15:14:52 -0400 (EDT)
Message-ID: <971009151347_-695320316@emout03.mail.aol.com>
To: Firewalls@greatcircle.com
Subject: no subject
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

remove

From owner-firewalls-list Thu Oct 9 19:26:48 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id RAA05867; Thu, 9 Oct 1997 17:31:40 -0700 (PDT)
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id RAA05648 for ; Thu, 9 Oct 1997 17:31:00 -0700 (PDT)
Message-Id: <199710100031.RAA05648@honor.greatcircle.com>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA113523317; Fri, 10 Oct 1997 10:28:37 +1000
From: Darren Reed
Subject: Re: System Spec for
Penetration test
To: arjan@pino.demon.nl (Arjan Vos)
Date: Fri, 10 Oct 1997 10:28:37 +1000 (EST)
Cc: phil@securit.netb, firewalls@GreatCircle.COM
In-Reply-To: from "Arjan Vos" at Oct 9, 97 06:02:06 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In some mail from Arjan Vos, sie said:
[...]
> My penetration laptop is a Pentium 120. You definitely will go for fast
> machines. To me it proves to be a time saver as I keep my kernel as small
> as possible, and sometimes I need Token Ring, then I need Ethernet or
> radio or other drivers (I don't like using loading modules, but maybe
> that's a matter of preference), so I recompile my kernel a lot. Also
> sometimes you need specific drivers/software you need to compile on the
> fly...
>
> Also lot's of memory is really convenient (8 meg is out of the question):
> Most of the time I have several windows opened: one for giving commands,
> one for tailing log files, one for tailing a tcpdump during the test,
> etc.. When using tools such as ISS or Ballista, log-analysing tools or
> when connecting to 100 MB/s networks, lot's of memory is very nice to
> have. And that brings us to of disk space: megabytes of tcpdump output is
> no exception for me, so I would go for big disks.
I can't stand using laptops...using two NICs is tricky and I hate having to do byteswapping in my head...SPARCbooks would be nice, if they were still made and could run SunOS4 :) Darren From owner-firewalls-list Thu Oct 9 20:13:20 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id TAA06479; Thu, 9 Oct 1997 19:43:07 -0700 (PDT) Received: from columbia.digiweb.com (columbia.digiweb.com [206.161.225.2]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id NAA07057 for ; Thu, 9 Oct 1997 13:21:36 -0700 (PDT) Received: (from dyabolyk@localhost) by columbia.digiweb.com (8.8.5/8.8.5) id QAA11502; Thu, 9 Oct 1997 16:23:46 -0400 (EDT) Date: Thu, 9 Oct 1997 16:23:46 -0400 (EDT) From: jon tobin To: firewalls@GreatCircle.com Subject: Re: POP across a firewlll... In-Reply-To: <9710091010.aa12083@post.browns.co.uk> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thu, 9 Oct 1997, Santi Ribas - Brown's Operating System Services wrote: > I wouldn't suggest to use POP across the Internet unless using encryption > and access control by user to the POP server (like SOCKS does). what is SOCKS? A POP server? phleshitally: jonathan tobin digitally: www.dyabolyk.com From owner-firewalls-list Thu Oct 9 22:13:19 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id WAA23384; Thu, 9 Oct 1997 22:04:25 -0700 (PDT) Received: from australia. (australia.euronet.nl [194.134.0.155]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id WAA23363; Thu, 9 Oct 1997 22:03:56 -0700 (PDT) From: 73266932@lanka.com Received: from www.euronet.nl by australia. 
(SMI-8.6/SMI-SVR4) id GAA09677; Fri, 10 Oct 1997 06:57:18 +0200 Date: Fri, 10 Oct 97 01:00:57 EST To: B188F76@lanka.com Subject: Your Own Software Business Message-ID: <> X-UIDL: xaaff42 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >From the desk of Ray Dubois, Software Publisher & Distributor STAY HOME AND MAKE $2500/WEEK ...WITH YOUR COMPUTER Dear Friend, Just think about it. The richest man in America IS NOT in the real estate business, NOT in the oil business or any other old-style business of the last three decades. The richest man in America today is in the computer software business. His name is Bill Gates, founder of Microsoft who was rated by Fortune Magazine to be worth $34 Billion. OFFERS BEST ODDS TO MAKE YOU RICH The computer software business can bring you to your financial goals quicker than any other business can. Every single day, the computer revolution going on in America today is making more millionaires out of ordinary people than any other business has, today or at any time in the past. AN HONEST AND LUCRATIVE BUSINESS Everyday, more than 203 Million computer owners buy a wide assortment of software programs at full retail prices of $49 to $700 each, that's where you come in: I'm offrering YOU to jump in this lucrative market and make AT LEAST $2500 per week by offering these software people really want, want it quickly and need it badly, by using our "Most-Wanted" computer program on which we've spent OVER $237,000! The "WEALTH CREATING SOFTWARE" is more than a Catalog-On-Disk, and more than an ordinary Money-Making Opportunity... See for yourself what all the excitement is about, this "Long Waited For" computer program includes: #Hundreds of products database. CASH-IN on today's HOTTEST software. Each title can bring you a fortune...we'll show you how easy it is when you have the right formula. No inventory required. No minimum order. #Built-in & easy to use "Worldwide Opportunities Manager". 
Run this automatized & lucrative business from anywhere in the world, even while you're on vacation.
#Unrivaled Windows3.x and Windows95 Graphical Interface.
#Built-in "Marketing Analyzer".
#Takes orders. You get paid directly by your customers. No face to face.
#The structure and the means to capitalize on the common aims of millions of people.
#You do not have to worry about competition; there are 203 Million prospects...and growing.
#This is a 100% Turn-Key program to make tons of money, and anyone, regardless of age, race, state of health, country of origin or financial standing can participate.
#This is totally new, and 100% legitimate.

YOU ALSO GET...
# 50 of the BEST KILLER MARKETING REPORTS ever written, and I even give you the right to sell them as a single item or in a group. You can sell them on disk, on paper or online.
# EXPLOSIVE MARKETING SECRETS (HOT Training!)
# Complete step by step instructions showing you the exact steps to follow to be making $1000/week only one week after you get started.

THREE WAYS TO MAKE YOUR FORTUNE!!!

1-*We give you the right to reproduce up to 100,000 copies of the "WEALTH CREATING SOFTWARE".
*Use our 100% tested on-line or off-line marketing material to advertise this software program.
*People will send you $74.95 per software program, earning you a total of $7,495,000. 100% commission. This is your first Money-Making Opportunity.

2-Sell any software from the catalog. Get 50% commission paid directly by your customers. Each title can bring you a fortune...we'll show you how. Your pocket will, of course, feel the change. You'll have a major, systematic career edge. This is your second Money-Making or Saving Opportunity. Savvy businessmen always WIN!

3-Discover this unbelievable third Money-Making Opportunity when you get your package!

UNCONDITIONAL GUARANTEE OF SUCCESS: Go ahead and try our software program for the next few months. Try it for 90 days if you like. If at any time during that period you follow our system as instructed and fail to make the kind of money we've mentioned above, simply return the package and I'll send you a full refund. But I know that you'll be pleasantly surprised; in fact no one has ever returned it!

THAT'S NOT ALL... ACT NOW AND SAVE!

If you act within 10 days, the "WEALTH CREATING SOFTWARE" can be yours for $29.95 during this special, limited-time offer! REGULAR PRICE: $74.95

TO SAVE ON THIS SOFTWARE AND HUNDREDS OF OTHERS...FAX YOUR COUPON TODAY!

Sincerely,
Ray Dubois

PS: Don't be one of those who later say "if only I had known:..." Do it now: Hop on the band wagon before it leaves without you. See for yourself how fast you'll pocket BIG:

OUR CUSTOMERS SAY IT BETTER THAN WE CAN!!
***"I was pleasantly surprised by the quantity and the quality of the information and products" -John Collins, Miami
***"Your program appears to be one of the best on the market today." -Dick Ray, Dallas
***"Much of what you have to say is based in reality, not theoretical mumbo-jumbo. To the person anxious to start... this is of inestimable importance..." -Brian Conklin, Houston
***"Thank you for making this program available at such an unbelievable price." -Bob Dubois, Laval
***"I also like the fact that you really care about your clients and are willing to talk and answer questions....refreshing in the vast world of cyberspace! If you Email Ray, he gets back with ya!" -Dan Gore

________________________________________________________
(x01) FILL OUT, MAIL OR FAX IN COUPON BELOW
________________________________________________________

Yes! I want to make $2500/week from my own home with the "WEALTH CREATING SOFTWARE"! Please RUSH me my complete package immediately so I can start making real money with my computer! I understand that after following your instructions, if I have not made the kind of money you describe, I can return your package for a full refund.

Enclosed is my __Check __Cash __Money Order __Credit Card for this "limited-time price" of $29.95.

Name:_________________________________________________
Address:______________________________________________
City:_________________________________________________
Zip:________________________Country:__________________
Email:________________________________________________

Payment must be issued in U.S. funds. Make Check Or Money Order payable to:
Ray Dubois
2996 Place de La Bastille
Boisbriand, QC
Canada J7H 1K6

FAX TODAY: 1-514-979-8685

Please provide the following information when ordering by credit card:
[ ] Master Card [ ] Visa
Credit Card Number: _____________________________________
Expiration Date: ____/_______
Name of Cardholder ______________________________________

From owner-firewalls-list Fri Oct 10 02:43:20 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA10480; Fri, 10 Oct 1997 02:39:10 -0700 (PDT)
Received: from punt-2.mail.demon.net (punt-2b.mail.demon.net [194.217.242.6]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id CAA10473 for ; Fri, 10 Oct 1997 02:39:03 -0700 (PDT)
Received: from mailgate.browns.co.uk ([194.217.147.100]) by punt-2.mail.demon.net id ab1200673; 10 Oct 97 10:30 BST
Received: from santi.brownsbox.com by post.browns.co.uk id aa15943; 10 Oct 97 10:44 BST
Reply-To: santi@browns.co.uk
MMDF-Warning: Parse error in original version of preceding line at post.browns.co.uk
From: "Santi Ribas - Brown's Operating System Services"
To: firewalls@greatcircle.com
MMDF-Warning: Parse error in original version of preceding line at post.browns.co.uk
Subject: Re: POP across a firewlll...
Date: Fri, 10 Oct 1997 10:25:48 +0100
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1155
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Message-ID: <9710101044.aa15943@post.browns.co.uk>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

SOCKS is a proxy toolkit that allows the conversion of standard TCP clients to proxied packets. You can configure your firewall (if it supports it) as a SOCKS server. Behind your firewall you can have your private servers (like POP). On the other side (i.e. Internet), you have a client PC with the email software and a SOCKS software for PC.

What SOCKS does is allow a previous authentication (i.e. ID/PSW to the SOCKS server or even with secure authentication). Once this is done, all packets with destination to your internal POP server can go first to SOCKS, and SOCKS, as a Proxy, will create new IP packets with the source address of the SOCKS server, not the remote PC.

If you create a packet filter entry disallowing any packet through from Internet to the mail server (port 110 POP3), and you allow the connection from the SOCKS server to the Mail server, then no one will be able to connect directly to the mail server. First they will have to authenticate in the SOCKS server, so you just add a more secure connection.

Something else to say about it is that SOCKS doesn't encrypt packets itself, so you still have the possibility of internet hackers seeing your mails and POP accounts. Another possible problem is that you need a SOCKS client software, which you can find as freeware but not on all the platforms. You can find yourself having to buy a commercial SOCKS client for Windows NT because you couldn't find any freeware.

Santi Ribas

----------
> From: jon tobin
> To: firewalls@greatcircle.com
> Subject: Re: POP across a firewlll...
> Date: 09 October 1997 21:23
>
>
> On Thu, 9 Oct 1997, Santi Ribas - Brown's Operating System Services wrote:
> > I wouldn't suggest to use POP across the Internet unless using encryption
> > and access control by user to the POP server (like SOCKS does).
>
> what is SOCKS? A POP server?
>
>
> phleshitally: jonathan tobin
> digitally: www.dyabolyk.com

From owner-firewalls-list Fri Oct 10 04:28:44 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id EAA23684; Fri, 10 Oct 1997 04:03:34 -0700 (PDT)
Received: from mail.mkm.de ([194.233.223.129]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id EAA23662 for ; Fri, 10 Oct 1997 04:03:25 -0700 (PDT)
Received: from bbf.mkm.de (bbf.mkm.de [194.233.223.132]) by mail.mkm.de (9.9.9/9.9.9) with SMTP id NAA05918; Fri, 10 Oct 1997 13:05:03 +0200
Received: from localhost by bbf.mkm.de (SMI-8.6/SMI-SVR4) id NAA02058; Fri, 10 Oct 1997 13:04:58 +0200
Date: Fri, 10 Oct 1997 13:04:58 +0200 (MET DST)
From: Ralf Thomas Klar
To: "Sadler, Connie J"
cc: firewalls@GreatCircle.COM
Subject: Re: POP across a firewlll...
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 8 Oct 1997, Sadler, Connie J wrote:
>
> Does anyone know of a "safe" way to support POP through a firewall? Any
> help or direction would be appreciated!
>
> Connie

I use this configuration:
- allow ssh connections through the firewall
- the user who wants to pop mail invokes ssh with port-forwarding (port 110 from the pop server is forwarded to e.g. 4711 on his localhost)
- the user connects the pop client to port 4711 on the localhost

Ralf
--
Ralf Thomas Klar   | Tel.: 0721-9663066    | http://www.hadiko.de/
Klosterweg 28/H210 | Fax.: 0721-9663064    | The only student dormitory
D-76131 Karlsruhe  | eMail: ralf@hadiko.de | with an ATM network

From owner-firewalls-list Fri Oct 10 04:58:27 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id EAA27495; Fri, 10 Oct 1997 04:52:20 -0700 (PDT)
Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id EAA27462 for ; Fri, 10 Oct 1997 04:52:11 -0700 (PDT)
Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id HAA21529; Fri, 10 Oct 1997 07:51:09 -0400 (EDT)
From: Adam Shostack
Message-Id: <199710101151.HAA21529@homeport.org>
Subject: Re: DNS on the Firewall - security problem
In-Reply-To: <199710091001.MAA03049@marc.ksfw.esb.eur.deuba.com> from Marc Heuse at "Oct 9, 97 12:01:49 pm"
To: Marc.Heuse@mail.DeuBa.COM
Date: Fri, 10 Oct 1997 07:51:09 -0400 (EDT)
Cc: firewall-wizards@nfr.net, firewalls@GreatCircle.COM
X-Mailer: ELM [version 2.4ME+ PL27 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Marc Heuse wrote:
| I found so far two possibilities to solve this problem ...
| The first is to chroot named. pointer : www.homeport.org/~adam/dns.html
| The second is to just forward the dns resolving to a host in the dmz plus
| running also the primary external dns there.
|
| Do you see any problems with these suggestions?
| And another question, are there any secure/minimal dns-servers out there?
| pointers?

Since I wrote the chrooting-a-named doc, I'll remind everyone that a root process chrooted is not all that great an improvement in the theoretical analysis. It's a nice improvement in practicality, since there is no egg* to overflow and break a chroot.
Thus, if you don't put CHROOT/bin/sh in place, the standard attacks will fail, but a smart attacker can still get in. In practicality, there are few smart attackers.

Adam

*An egg is the core of code that a buffer overflow includes to do the real work. It's the thing that hatches and gets you root. See some early l0pht advisory. And make that "no egg generally available."

--
"It is seldom that liberty of any kind is lost all at once." -Hume

From owner-firewalls-list Fri Oct 10 08:13:49 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA12189; Fri, 10 Oct 1997 08:10:19 -0700 (PDT)
Received: from mailgw3.lmco.com (mailgw3.lmco.com [192.35.35.23]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id IAA12182 for ; Fri, 10 Oct 1997 08:10:13 -0700 (PDT)
Received: from emss03g01.ems.lmco.com ([141.240.4.144]) by mailgw3.lmco.com (PMDF V5.1-10 #20547) with ESMTP id <0EHU00H1ECUF9K@mailgw3.lmco.com> for firewalls@GreatCircle.COM; Fri, 10 Oct 1997 11:11:26 -0400 (EDT)
Received: from emss01m01.ems.lmco.com ([129.197.181.56]) by lmco.com (PMDF V5.1-10 #20544) with ESMTP id <0EHU00A0MCTSYU@lmco.com> for firewalls@GreatCircle.COM; Fri, 10 Oct 1997 11:10:42 -0400 (EDT)
Received: by emss01m01.ems.lmco.com with Internet Mail Service (5.0.1458.49) id <443520G0>; Fri, 10 Oct 1997 08:08:34 -0700
Content-return: allowed
Date: Fri, 10 Oct 1997 08:05:21 -0700
From: "Messano, Jim"
Subject: To Gauntlet or not to Gauntlet
To: "'Firewalls Q?'"
Message-id: <31E6F4087DC3D0119DF6006097B7704D5E3485@emss01tmp1.ems.lmco.com>
MIME-version: 1.0
X-Mailer: Internet Mail Service (5.0.1458.49)
Content-type: text/plain
X-Priority: 1
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I have a customer who wants to set up a LAN for Company employees as well as employees of other companies, all of whom will be working together on a joint venture project. This LAN will be external to the Company Intranet. However, the customer also wants Company employees to be able to access the Company's Intranet.

If I insert a Gauntlet between a LAN router and a router to the Company Intranet, would I be able to enforce strong, two-factor authentication (via an ACE server) and then establish a plug-gw so they could access all of the same services as if the Company employees were directly connected to the Company Intranet, without having to re-authenticate themselves for each service? Basically, my customer wants to authenticate once, then keep the "pipe" open for all intranet access.

I realize that this implementation, if valid, is alien to the purpose of installing a Gauntlet. However, since I need to connect an external LAN to the Company intranet and I need to differentiate between the good guys and the bad guys, I thought to use the granular filtering of a Gauntlet. The main purpose of the Gauntlet is to not allow non-Company employees to access the Intranet. (Yeah, I know I used a double negative. My apologies to any English majors who read this note.)

Any comments/suggestions would be welcome.
From owner-firewalls-list Fri Oct 10 08:23:55 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA12047; Fri, 10 Oct 1997 08:06:04 -0700 (PDT)
Received: from aeat.co.uk (gw.aeat.co.uk [151.182.136.1]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id IAA12039 for ; Fri, 10 Oct 1997 08:05:58 -0700 (PDT)
Received: from pandora.harwell.aeat.co.uk by aeat.co.uk with ESMTP (8.8.6/AEAT-GW-1.11) id QAA03162; Fri, 10 Oct 1997 16:08:04 +0100 (BST) sender John.Lines for
Received: from localhost by pandora.harwell.aeat.co.uk with SMTP id QAA06071; 8.8.5/jl1.3; Fri, 10 Oct 1997 16:08:00 +0100 (BST) sender ccgjli@pandora.harwell.aeat.co.uk for
Message-Id: <199710101508.QAA06071@pandora.harwell.aeat.co.uk>
X-Mailer: exmh version 2.0zeta 7/24/97
To: "Davis, Rob"
cc: firewalls@greatcircle.com, "Galvin, Dean"
Subject: Content Vector Protocol - was Re: Keyword filtering of email through firewall
In-reply-to: Your message of "Thu, 09 Oct 1997 11:03:19 CDT."
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 10 Oct 1997 16:07:50 +0100
From: John Lines
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Rob Davis wrote:
> This is tangentially related to firewalls, so I apologize in advance.
> If anyone knows of a more appropriate venue for this, please let me
> know.
>
> I have a multi-national customer with approximately 200 sites that will
> soon be connected with a WAN and additionally have Internet access
> through some yet to be determined firewall.
>
> They would like a mechanism that would allow them to detect
> incoming/outgoing Internet mail that did not meet "company policies".
> This could be sexual content, frivolous material, trade secrets, etc.
> The obvious places to check are the firewall and mail server(s).
>
> I realize that there are still a million ways to get the info out and
> it's probably a bad idea, but I'm curious about potential commercial or
> custom-built applications and the price.
>

TIS Gauntlet 4.0 (and some other firewalls - I believe) support something called Content Vectoring Protocol (CVP) - which I have not really looked into yet. It allows you to pass email messages, or attachments, or web pages to a CVP server running on your internal network. From the documentation this can then scan for viruses, or for undesirable content.

I don't know if CVP is documented anywhere - you may be able to use a firewall which supports it, and write or buy in a scanning engine which would meet the company policy.

John Lines

From owner-firewalls-list Fri Oct 10 08:43:20 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA13433; Fri, 10 Oct 1997 08:30:27 -0700 (PDT)
Received: from sun.khemani.com ([192.245.235.26]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id IAA13373 for ; Fri, 10 Oct 1997 08:30:04 -0700 (PDT)
Received: from teczar.com ([192.245.235.26]) by sun.khemani.com (Netscape Mail Server v2.02) with ESMTP id AAA2747; Fri, 10 Oct 1997 11:32:16 -0400
Message-ID: <343E4A7F.7B6A0330@teczar.com>
Date: Fri, 10 Oct 1997 11:32:15 -0400
From: Yash Khemani
X-Mailer: Mozilla 4.03 [en] (X11; I; SunOS 5.6 sun4m)
MIME-Version: 1.0
To: Andy Lewis
CC: "Caldwell, Matt" , "'Firewalls@GreatCircle.COM'"
Subject: Re: hosts.allow
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Andy Lewis wrote:
>
> On Tue, 7 Oct 1997, Caldwell, Matt wrote:
>
> > I suggest you get the
> >newest TCPwrappers and read the documentation.
> >
>
> Where might I get TCPwrappers?
>
> Andy

ftp://ftp.win.tue.nl:/pub/security/index.html

alternatively, check your favourite search engine/indexer.

cheers!
yash

From owner-firewalls-list Fri Oct 10 08:52:55 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA14088; Fri, 10 Oct 1997 08:37:45 -0700 (PDT)
Received: from squirrel.jerboa.com (squirrel.jerboa.com [206.64.153.100]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id IAA14080 for ; Fri, 10 Oct 1997 08:37:34 -0700 (PDT)
Received: (from uucp@localhost) by squirrel.jerboa.com (8.8.5/8.7.3) id LAA01287; Fri, 10 Oct 1997 11:44:46 -0400 (EDT)
Received: from moose.jerboa.com(206.64.153.50) by squirrel.jerboa.com via smap (V1.3 deluxe) id sma001274; Fri Oct 10 11:44:32 1997
Message-Id: <3.0.3.32.19971010113738.007cfb90@squirrel>
X-Sender: ian@squirrel
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Fri, 10 Oct 1997 11:37:38 -0400
To: "Messano, Jim" , "'Firewalls Q?'"
From: Ian Poynter
Subject: Re: To Gauntlet or not to Gauntlet
In-Reply-To: <31E6F4087DC3D0119DF6006097B7704D5E3485@emss01tmp1.ems.lmco.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 08:05 AM 10/10/97 -0700, Messano, Jim wrote:
>[Stuff Deleted]
>The main purpose of the Gauntlet is to not allow non-Company employees
>to access the Intranet. (Yeah, I know I used a double negative. My
>apologies to any English majors who read this note.)
>
>Any comments/suggestions would be welcome.

You may want to look at something like V-ONE's SmartWall, which gives you encrypted connections back to your office, along with strong authentication among other things. It can work with or without the Gauntlet...

Just a thought,
Ian

-----
Ian Poynter                           ian@jerboa.com
Jerboa, Inc.                          +1-617-492-8084
PO Box 382648, Cambridge, MA 02238    http://www.jerboa.com
Providing unbiased Internet consulting for businesses.
Fingerprints RSA: BA 0C 82 C5 F2 03 3D 95 7C CE FD D3 57 4E 15 73
DSS: 2769 277A 9F69 F605 3743 D574 C8F5 C147 17D4 76B7

From owner-firewalls-list Fri Oct 10 09:35:46 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA18487; Fri, 10 Oct 1997 09:12:37 -0700 (PDT)
Received: from ragroup.co.uk ([194.129.45.1]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id JAA18452 for ; Fri, 10 Oct 1997 09:12:27 -0700 (PDT)
From: mbeech@csc.ragroup.co.uk
Received: from csc.ragroup.co.uk ([194.129.44.250]) by khepera.ragroup.co.uk with SMTP id <27778>; Fri, 10 Oct 1997 17:11:57 +0100
Received: from ccMail by csc.ragroup.co.uk (IMA Internet Exchange 2.11 Enterprise) id 0000B288; Fri, 10 Oct 1997 17:10:21 +0100
Mime-Version: 1.0
Date: Fri, 10 Oct 1997 17:11:37 +0100
Message-ID: <0000B288.1453@csc.ragroup.co.uk>
Subject: Re:RE: Keyword filtering of email through firewall
To: "'firewalls@greatcircle.com'"
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Description: cc:Mail note part
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Rob,

MIMESweeper (www.integralis.com) provides content checking for e-mail and web pages, as well as virus checking functions.

Smartfilter (www.securecomputing.com) will block access to web pages/sites based on categories. This can be hosted on a Borderware firewall, MS proxy server, Netscape proxy server, UNIX, NT, Sidewinder firewall, cached or CSM Proxy plus.

Martin

____________________Reply Separator____________________
Subject: RE: Keyword filtering of email through firewall
Author: "Davis; Rob"
Date: 10/9/97 5:03 PM

This is tangentially related to firewalls, so I apologize in advance. If anyone knows of a more appropriate venue for this, please let me know.

I have a multi-national customer with approximately 200 sites that will soon be connected with a WAN and additionally have Internet access through some yet to be determined firewall.

They would like a mechanism that would allow them to detect incoming/outgoing Internet mail that did not meet "company policies". This could be sexual content, frivolous material, trade secrets, etc. The obvious places to check are the firewall and mail server(s).

I realize that there are still a million ways to get the info out and it's probably a bad idea, but I'm curious about potential commercial or custom-built applications and the price.

Thanks in advance for your help.

regards,
Rob

>________________________________
>Rob Davis
>Lucent Technologies, Network Consulting Group
>Network Consultant
>http://www.lucentncg.com
>(972) 419-3815
>1-800-SKY-PAGE #126-9384

From owner-firewalls-list Fri Oct 10 09:43:32 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA20592; Fri, 10 Oct 1997 09:23:21 -0700 (PDT)
Received: from halon.sybase.com (halon.sybase.com [192.138.151.33]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id JAA20500 for ; Fri, 10 Oct 1997 09:23:00 -0700 (PDT)
Received: from smtp1.sybase.com (sybgate.sybase.com [130.214.220.35]) by halon.sybase.com (8.8.4/8.8.4) with SMTP id JAA23527 for ; Fri, 10 Oct 1997 09:24:36 -0700 (PDT)
Received: from notesgw2.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) id AA17866; Fri, 10 Oct 97 09:27:04 PDT
Received: (from unixsvr1@localhost) by notesgw2.sybase.com (8.8.4/8.8.4) id JAA08113 for @sybgate.sybase.com:firewalls@GreatCircle.COM; Fri, 10 Oct 1997 09:26:59 -0700 (PDT)
Message-Id: <199710101626.JAA08113@notesgw2.sybase.com>
Received: by SybaseNotes (Lotus Notes Mail Gateway for SMTP V1.1) id A60E8277DEBC38398825652C005AA255; Fri, 10 Oct 97 09:26:56 EDT
To: "Messano Jim"
Cc: "'Firewalls Q?'"
From: Ryan Russell/SYBASE
Date: 10 Oct 97 9:33:31 EDT
Subject: Re: To Gauntlet or not to Gauntlet
X-Lotus-Type: Reply All
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

So you want to create a VPN for the employees to get back in, and not the folks from the other company, yes? (This is a VPN minus the encryption or tunneling, it looks like, so there goes a fair portion of the security.)

However, the non-employees will have access (across the net) to the employee machines that do have access to the intranet? So, if I'm one of these non-employees, and I decide to access your intranet, then I will have to telnet to one of the employee machines first? (I say telnet, but it could be just about any protocol.. even me dropping a trojan file of some sort on the fileshare of one of the employee's Win95 boxes.)

Ryan

---------- Previous Message ----------
To: firewalls
cc:
From: jim.messano@lmco.com ("Messano, Jim") @ smtp
Date: 10/10/97 08:05:21 AM
Subject: To Gauntlet or not to Gauntlet

I have a customer who wants to set up a LAN for Company employees as well as employees of other companies, all of whom will be working together on a joint venture project. This LAN will be external to the Company Intranet. However, the customer also wants Company employees to be able to access the Company's Intranet.

If I insert a Gauntlet between a LAN router and a router to the Company Intranet, would I be able to enforce strong, two-factor authentication (via an ACE server) and then establish a plug-gw so they could access all of the same services as if the Company employees were directly connected to the Company Intranet, without having to re-authenticate themselves for each service? Basically, my customer wants to authenticate once, then keep the "pipe" open for all intranet access.

I realize that this implementation, if valid, is alien to the purpose of installing a Gauntlet. However, since I need to connect an external LAN to the Company intranet and I need to differentiate between the good guys and the bad guys, I thought to use the granular filtering of a Gauntlet. The main purpose of the Gauntlet is to not allow non-Company employees to access the Intranet.
(Yeah, I know I used a double negative. My apologies to any English majors who read this note.) Any comments/suggestions would be welcome. From owner-firewalls-list Fri Oct 10 11:29:12 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA07497; Fri, 10 Oct 1997 11:11:28 -0700 (PDT) Received: from igate1.rkv.nasd.com ([204.71.174.1]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id LAA07486 for ; Fri, 10 Oct 1997 11:11:20 -0700 (PDT) Received: by igate1.rkv.nasd.com; id OAA27691; Fri, 10 Oct 1997 14:13:14 -0400 (EDT) Received: from pd00_fddi.rkv.nasd.com(150.123.209.1) by igate1.nasd.com via smap (3.2) id xma025703; Fri, 10 Oct 97 14:09:40 -0400 Received: from trm_srv_exch1.nut.nasdaq.com by rksqpd00.rkv.nasd.com (8.6.13/1.35) id OAA29157; Fri, 10 Oct 1997 14:09:36 -0400 Received: by trm_srv_exch1.nut.nasdaq.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52) id <01BCD586.2F3F1AD0@trm_srv_exch1.nut.nasdaq.com>; Fri, 10 Oct 1997 14:09:55 -0400 Message-ID: From: "Heisner, Jeff" To: "'John Lines'" Cc: "'firewalls@GreatCircle.COm'" Subject: RE: Content Vector Protocol - Interest Date: Fri, 10 Oct 1997 14:09:54 -0400 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Is there documentation availaable? Where? Thanks, Jeff Heisner Nasdaq Information Security >---------- >From: John Lines[SMTP:John.Lines@aeat.co.uk] >Sent: Friday, October 10, 1997 11:07 AM >To: Davis, Rob >Cc: firewalls@GreatCircle.COM; Galvin, Dean >Subject: Content Vector Protocol - was Re: Keyword filtering of email >through firewall > >Rob Davis wrote: > >> This is tangentially related to firewalls, so I apologize in advance. >> If anyone knows of a more appropriate venue for this, please let me >> know. 
>> >> I have a multi-national customer with approximately 200 sites that will >> soon be connected with a WAN and additionally have Internet access >> through some yet to be determined firewall. >> >> They would like a mechanism that would allow them to detect >> incoming/outgoing Internet mail that did not meet "company policies". >> This could be sexual content, frivilous material, trade secrets, etc. >> The obvious places to check are the firewall and mail server(s). >> >> I realize that there are still a million ways to get the info out and >> it's probably a bad idea, but I'm curious about potential commercial or >> custom-built applications and the price. >> >TIS Gauntlet 4.0 (and some other firewalls - I believe) support something >called >Content Vectoring Protocol (CVP) - which I have not really looked into yet. >It >allows you to pass email messages, or attachments, or web pages to a CVP >server running on your internal network. From the documentation this can >then scan for viruses, or for undesireable content. > >I dont know if CVP is documented anywhere - you may be able use >a firewall which supports it, and write or buy in a scanning engine which >would meet the company policy. 
>
>
> John Lines
>
>

From owner-firewalls-list Fri Oct 10 11:38:11 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA07094; Fri, 10 Oct 1997 11:06:09 -0700 (PDT)
Received: from pinux.selfin.net ([194.244.74.30]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id LAA07036 for ; Fri, 10 Oct 1997 11:05:47 -0700 (PDT)
Received: from client ([194.244.74.134]) by pinux.selfin.net (8.7.5/8.7.3) with ESMTP id CAA04152; Sat, 11 Oct 1997 02:00:02 +0200
Message-Id: <199710110000.CAA04152@pinux.selfin.net>
From: "Franco RUGGIERI"
To: "Bill Stout"
Cc: "GreatCircle forum"
Subject: your signature file
Date: Fri, 10 Oct 1997 14:55:55 +0200
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1161
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Bill,

I realize that from somewhere within USA, Bosnia may appear distorted by a distant perspective, but, please, focus your mind on what you are talking about, or at least try to go back with your memory to just one year ago. And, please, drop your "politically correct" (you name it this way, don't you?) signature file when addressing this forum, not to unleash political discussions where only technical ones are supposed to be hosted.

BTW: you seem to me to be technically OK and I like reading from you.

TIA.

-------------------------------
Franco RUGGIERI
fruggieri@selfin.net

----------
> From: Bill Stout
> To: firewalls@GreatCircle.COM
> Subject: Looking for feedback on SCC Firewalls
> Date: Thursday, 9 October 1997 19.11
>
> I haven't seen many of my customers use SCC products, so I'm curious about
> experiences with their products.
>
> 'Sidewinder' uses 'Type Enforcement', which is used by the operational
> kernel to tighten BSD security (in which no super-user status exists). One
> boots into an administrative kernel which has no networking capabilities to
> administer the system. Not being familiar with BSD, is 'Type Enforcement'
> non-proprietary? I do like their 'strikeback' capability, which collects
> data about an attack source or triggers other commands. The NSA also has a
> favorable Sidewinder report at http://mitten.ie.org/sidewinder/sidewinder.htm.
>
> SCC 'Firewall for NT' states the primary component of the security
> architecture is a 'software wedge' between the network access layer and the
> protocol stacks. Uh, oh, seems they use the standard MS TCP/IP stack which
> has its own vulnerabilities and mysteries. :(
>
> I'm also interested in Borderguard experience. One of the bullets for
> Borderguard is that each service is 'compartmented', limiting service
> attacks to that service. Are they doing something different here?
>
> Bill Stout
> ______________________________________________________________________
> Our State Department praised the US/NATO military jamming, signal hijack,
> then finally physical takeover of Bosnian Television stations, to make a
> system `free of the monopolizing influence of political parties.'
> http://cnn.com/WORLD/9709/11/bosnia.jammers/
> http://www.pathfinder.com/@@*IrLOQUAih6QgJfh/news/latest/RB/1997Oct01/235.html
>
> Sure hope they don't 'free us' here of free speech in America.
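Bill's question about what 'Type Enforcement' does is worth a concrete model. The following is an added illustration, not Secure Computing's code and not the Sidewinder policy: it shows the mechanism the quoted post describes, where the kernel decides every access from the (domain of the process, type of the object) pair in a table, and a uid of 0 buys nothing. The domain names, type names and table entries are constructed for the example; the "administrative domain has no network access" rule mirrors the quoted description of the administrative kernel.

```python
"""Toy Type Enforcement (TE) checker (constructed example, not Sidewinder's policy).

Two tables drive every decision:
  * DDT (domain definition table): which access modes a domain has to a type.
  * TRANSITIONS (entry points): which executable types move a process into
    another domain.  A process cannot simply "ask" for a new domain.
There is no super-user bypass: the process uid is carried only to show that
the TE decision never looks at it.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# (domain, object type) -> allowed access modes.  Unlisted pairs are denied.
DDT: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("http_proxy_d", "proxy_conf_t"): frozenset({"read"}),
    ("http_proxy_d", "proxy_log_t"): frozenset({"append"}),
    ("http_proxy_d", "net_t"): frozenset({"read", "write"}),
    ("admin_d", "proxy_conf_t"): frozenset({"read", "write"}),
    ("admin_d", "proxy_log_t"): frozenset({"read"}),
    # admin_d deliberately has no net_t entry: the administrative domain
    # has no networking, as the quoted post describes.
}

# (current domain, executable type) -> domain after exec.
TRANSITIONS: Dict[Tuple[str, str], str] = {
    ("init_d", "http_proxy_exec_t"): "http_proxy_d",
    ("init_d", "admin_shell_exec_t"): "admin_d",
}


@dataclass(frozen=True)
class Process:
    domain: str
    uid: int  # ignored by TE; present only to demonstrate that fact


@dataclass(frozen=True)
class Obj:
    name: str
    type: str


def te_allows(proc: Process, obj: Obj, mode: str) -> bool:
    """Deny by default: allow only if the DDT lists `mode` for (domain, type)."""
    return mode in DDT.get((proc.domain, obj.type), frozenset())


def exec_transition(proc: Process, exe: Obj) -> Process:
    """Domain the process lands in after exec'ing `exe`.

    Only a matching entry-point rule changes the domain; otherwise the
    process keeps its current domain (and, of course, its uid).
    """
    new_domain = TRANSITIONS.get((proc.domain, exe.type), proc.domain)
    return Process(domain=new_domain, uid=proc.uid)


def audit(proc: Process, obj: Obj, mode: str) -> str:
    """One audit-log style line for a decision."""
    verdict = "ALLOW" if te_allows(proc, obj, mode) else "DENY"
    return f"{verdict} uid={proc.uid} domain={proc.domain} mode={mode} obj={obj.name}({obj.type})"


def run_demo() -> List[str]:
    """Walk a root-owned proxy and a root-owned admin shell through the policy."""
    conf = Obj("/etc/proxy.conf", "proxy_conf_t")
    log = Obj("/var/log/proxy.log", "proxy_log_t")
    net = Obj("eth0", "net_t")

    # init execs the proxy binary: entry-point rule moves it into http_proxy_d.
    proxy = exec_transition(Process("init_d", 0), Obj("/usr/sbin/httpproxy", "http_proxy_exec_t"))
    admin = exec_transition(Process("init_d", 0), Obj("/bin/admsh", "admin_shell_exec_t"))

    # A compromised proxy running as uid 0 still cannot re-exec into admin_d.
    escaped = exec_transition(proxy, Obj("/bin/admsh", "admin_shell_exec_t"))

    return [
        audit(proxy, conf, "read"),    # ALLOW
        audit(proxy, conf, "write"),   # DENY even though uid is 0
        audit(proxy, log, "append"),   # ALLOW
        audit(proxy, log, "read"),     # DENY: write-only log from the proxy's side
        audit(admin, conf, "write"),   # ALLOW
        audit(admin, net, "write"),    # DENY: no networking from admin_d
        f"proxy exec of admin shell leaves domain as {escaped.domain}",
    ]


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The point the table makes is the one in the quoted post: once access is a function of domain and type, "root" is just a number in the process structure, and a service that is compromised stays inside the cell its domain defines.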
From owner-firewalls-list Fri Oct 10 12:39:23 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA15827; Fri, 10 Oct 1997 12:12:12 -0700 (PDT)
Received: from emout31.mail.aol.com (emout31.mx.aol.com [198.81.11.14]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id MAA15793 for ; Fri, 10 Oct 1997 12:12:05 -0700 (PDT)
From: Justface@aol.com
Received: (from root@localhost) by emout31.mail.aol.com (8.7.6/8.7.3/AOL-2.0.0) id PAA11242 for firewalls@greatcircle.com; Fri, 10 Oct 1997 15:14:29 -0400 (EDT)
Date: Fri, 10 Oct 1997 15:14:29 -0400 (EDT)
Message-ID: <971010150950_1654736401@emout11.mail.aol.com>
To: firewalls@greatcircle.com
Subject: no subject
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

remove

From owner-firewalls-list Fri Oct 10 12:43:27 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA15335; Fri, 10 Oct 1997 12:09:26 -0700 (PDT)
Received: from emout11.mail.aol.com (emout11.mx.aol.com [198.81.11.26]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id MAA15327 for ; Fri, 10 Oct 1997 12:09:20 -0700 (PDT)
From: Justface@aol.com
Received: (from root@localhost) by emout11.mail.aol.com (8.7.6/8.7.3/AOL-2.0.0) id PAA07380 for firewalls@greatcircle.com; Fri, 10 Oct 1997 15:11:45 -0400 (EDT)
Date: Fri, 10 Oct 1997 15:11:45 -0400 (EDT)
Message-ID: <971010150950_1654736401@emout11.mail.aol.com>
To: firewalls@greatcircle.com
Subject: no subject
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

remove

From owner-firewalls-list Fri Oct 10 13:15:24 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA22386; Fri, 10 Oct 1997 13:00:42 -0700 (PDT)
Received: from silence.secnet.com (silence.secnet.com [199.185.231.10]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id NAA22357 for ; Fri, 10 Oct 1997 13:00:30 -0700 (PDT)
Received: from localhost (ahuger@localhost) by silence.secnet.com (8.8.5/secnet) with SMTP id OAA03694; Fri, 10 Oct 1997 14:12:22 -0600 (MDT)
Date: Fri, 10 Oct 1997 14:12:22 -0600 (MDT)
From: Alfred Huger
To: Adam Shostack
cc: Marc.Heuse@mail.deuba.com, firewall-wizards@nfr.net, firewalls@GreatCircle.COM
Subject: Re: DNS on the Firewall - security problem
In-Reply-To: <199710101151.HAA21529@homeport.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> there is no egg* to overflow and break a chroot. Thus, if you don't
> put CHROOT/bin/sh in place, the standard attacks will fail, but a
> smart attacker can still get in. In practicality, there are few smart
> attackers.
>

It only takes *one* smart attacker with a subscription to Bugtraq and a
predilection to share his or her work. The l0pht (which you referenced) is a
perfect example of this.

/****************************************************************************
Alfred Huger                          http://www.secnet.com/ballista
Project Director                      ahuger@secnet.com
Secure Networks Inc. (SNI)
*****************************************************************************/

From owner-firewalls-list Fri Oct 10 13:58:45 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA27466; Fri, 10 Oct 1997 13:47:02 -0700 (PDT)
Received: from smtp.cmol.com (smtp.cmol.com [207.113.101.10]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id NAA27418 for ; Fri, 10 Oct 1997 13:46:47 -0700 (PDT)
From: dcostello@cmol.com
Received: from mail.cmol.com ([207.113.101.9]) by smtp.cmol.com (Post.Office MTA v3.1 release PO205e ID# 0-0U10L2S100) with SMTP id AAA136 for ; Fri, 10 Oct 1997 17:00:35 -0400
Received: from ccMail by mail.cmol.com (ccMail Link to SMTP R8.00.01) id AA876516620; Fri, 10 Oct 97 16:50:21 -0500
Message-Id: <9710108765.AA876516620@mail.cmol.com>
X-Mailer: ccMail Link to SMTP R8.00.01
Date: Fri, 10 Oct 97 16:48:30 -0500
To:
Subject: IE 4.0
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Just when we finally get rid of PointCast along comes M$ I scrEam 4.0 with its push (or squeeze as far as my bandwidth is concerned) technology. I haven't looked closely at it yet but this was my quick thought. If I filter out any incoming HTTP packet that does not have the ACK bit set would that stop the traffic? Does anyone know or have any other ideas?
Dave

From owner-firewalls-list Fri Oct 10 14:28:22 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA03754; Fri, 10 Oct 1997 14:24:12 -0700 (PDT)
Received: from mailmtx.acnet.net (mailmtx.acnet.net [170.76.16.10]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id OAA03649 for ; Fri, 10 Oct 1997 14:23:46 -0700 (PDT)
Received: from avatar.netspace.com.mx (ppp22-tcl.acnet.net [167.114.24.247]) by mailmtx.acnet.net (8.8.4/8.8.4) with SMTP id QAA18446 for ; Fri, 10 Oct 1997 16:32:18 -0500 (CDT)
Message-ID: <343EACAD.3B11@acnet.net>
Date: Fri, 10 Oct 1997 16:31:09 -0600
From: Salvador Fernández Barquín
Reply-To: sferbar@acnet.net
X-Mailer: Mozilla 3.0Gold (Win95; I)
MIME-Version: 1.0
To: firewalls@greatcircle.com
Subject: Re:
References: <343C983E.3CBC@westlb.de>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

remove

From owner-firewalls-list Fri Oct 10 15:22:10 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA09483; Fri, 10 Oct 1997 15:04:58 -0700 (PDT)
Received: from threewiz.demon.co.uk (threewiz.demon.co.uk [158.152.116.88]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id PAA09474 for ; Fri, 10 Oct 1997 15:04:49 -0700 (PDT)
Received: from monaco (unverified [192.168.1.2]) by monaco.kimble.co.uk (EMWAC SMTPRS 0.83) with SMTP id ; Fri, 10 Oct 1997 16:14:59 +0100
Message-ID:
From: "David Harvey-George"
To:
Cc:
Subject: Re: DNS on the Firewall - security problem
Date: Fri, 10 Oct 1997 15:50:04 +0100
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1155
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> To: Marc.Heuse@mail.DeuBa.COM

> Of course a dns is needed on the fw when you are using an application
> gateway firewall,

This is one case where you don't need a DNS server on the firewall, or anywhere else within your org for that matter. Client connects to application proxy with request, application proxy uses DNS resolver to get IP address. DNS resolver can use ISP's DNS server. Of course if you are using DNS as your LAN nameserver (e.g. you are not using NIS, /etc/hosts or WINS), then you need the soln. you mentioned below.

> | I found so far two possibilities to solve this problem ...
> | The second is to just forward the dns resolving to a host in the dmz plus
> | running also the primary external dns there.

Bill Cheswick's trick described in the O'Reilly book. The intention being to stop random ports having to be opened on the firewall to internal resolvers. The forward requests always being made on port 53 between two known (trusted?) systems. Works with BIND but perhaps not with all implementations of DNS.

David

From owner-firewalls-list Fri Oct 10 15:28:37 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA09481; Fri, 10 Oct 1997 15:04:54 -0700 (PDT)
Received: from threewiz.demon.co.uk (threewiz.demon.co.uk [158.152.116.88]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id PAA09467 for ; Fri, 10 Oct 1997 15:04:44 -0700 (PDT)
Received: from monaco (unverified [192.168.1.2]) by monaco.kimble.co.uk (EMWAC SMTPRS 0.83) with SMTP id ; Fri, 10 Oct 1997 16:14:59 +0100
Message-ID:
From: "David Harvey-George"
To: "Amy (Cremer) Briggs" ,
Subject: Re: Java & Java Script
Date: Fri, 10 Oct 1997 15:17:24 +0100
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1155
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

----------
> From: Amy (Cremer) Briggs

> We are currently having discussions at our site as to whether or not to
> allow Java and/or Java script into our network.
You can run Java apps outside your firewall using products such as 'The Cage' (www.digitivity.com). This relays the drawing directives through the firewall to an applet running on the user's browser. I assume this amount of access is secure. Secure Shell (SSH) may be worth a look too.

An old colleague from the OSF (John Loverso) found many bugs in JavaScript. These are documented at http://www.osf.org/~loverso/javascript. As regards Java, McGraw and Felten have a book on the risks, don't remember the exact title but there is a link to the site from my links page: http://www.threewiz.demon.co.uk/papers/security/index.html

Most of the problems with Java and Javascript (JScript) were fixed with releases 3.0 of Netscape and IE (I'd wait a bit before going down the 4.0 route). I wouldn't touch non-local ActiveX with a long barge pole.

Check out the above resources as they tell you what's been done. A lot of the early Java bugs were just plain stupid... like not properly verifying where the applet came from so that rogue coders could kid you that the applet had rights to access machines behind the firewall. Javascript problems involved being able to read the local disk or trojan horse like applications to capture data from naive users.

regards,
David

From owner-firewalls-list Fri Oct 10 16:35:17 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA16582; Fri, 10 Oct 1997 15:54:08 -0700 (PDT)
Received: from mailmtx.acnet.net (mailmtx.acnet.net [170.76.16.10]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id PAA16575 for ; Fri, 10 Oct 1997 15:54:00 -0700 (PDT)
Received: from avatar.netspace.com.mx (ppp19-tcl.acnet.net [167.114.24.244]) by mailmtx.acnet.net (8.8.4/8.8.4) with SMTP id SAA25700 for ; Fri, 10 Oct 1997 18:02:32 -0500 (CDT)
Message-ID: <343EC1D3.4464@netspace.com.mx>
Date: Fri, 10 Oct 1997 18:01:23 -0600
From: Salvador Fernández Barquín
Reply-To: salvador@netspace.com.mx
X-Mailer: Mozilla 3.0Gold (Win95; I)
MIME-Version: 1.0
To: firewalls@greatcircle.com
Subject: (no subject)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

remove

From owner-firewalls-list Fri Oct 10 16:38:11 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id QAA21064; Fri, 10 Oct 1997 16:26:24 -0700 (PDT)
Received: from exp2.pmh.org (exp.pmh.org [198.215.78.166]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id QAA21020 for ; Fri, 10 Oct 1997 16:26:07 -0700 (PDT)
Received: from e34.pmh.org by exp2.pmh.org (AIX4.2/UCB 8.7/4.03) id XAA13452; Fri, 10 Oct 1997 23:27:32 GMT
Message-Id: <3.0.1.16.19971010182726.0927e626@why.net>
X-Sender: carydc@why.net
X-Mailer: Windows Eudora Pro Version 3.0.1 (16)
Date: Fri, 10 Oct 1997 18:27:26
To: "David Harvey-George"
From: Cary Conover
Subject: Re: DNS on the Firewall - security problem
Cc: ,
In-Reply-To:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 03:50 PM 10/10/97 +0100, David Harvey-George wrote:
>
>> To: Marc.Heuse@mail.DeuBa.COM
>
>> Of course a dns is needed on the fw when you are using an application
>> gateway firewall,
>
>This is one case where you don't need a DNS server on the firewall, or
>anywhere else within your org for that matter. Client connects to
>application proxy with request, application proxy uses DNS resolver to get
>IP address. DNS resolver can use ISP's DNS server. Of course if you are
>using DNS as your LAN nameserver (e.g. you are not using NIS, /etc/hosts or
>WINS), then you need the soln. you mentioned below.
>

David,

This will only work if you don't have a need for anyone outside of your network to connect to your network. If they need to resolve to an IP inside your network it WON'T as the ISP's don't normally provide DNS service unless you request that they do this. They are usually not too responsive to changes in DNS info as well. (Talking from experience)

Marc

Cary D. Conover
Senior Systems Programmer UNIX
Parkland Health and Hospital System
Phones 214-590-0244 Voice
       214-590-0202 Fax
       214-786-0282 Pager
       817-360-8572 Mobile
       817-571-6694 Home
E-Mail cconov@parknet.pmh.org
       carydc@usa.net
       carydc@why.net

From owner-firewalls-list Fri Oct 10 18:28:21 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id SAA08993; Fri, 10 Oct 1997 18:24:08 -0700 (PDT)
Received: from mtigwc03.worldnet.att.net (mtigwc03.worldnet.att.net [204.127.131.34]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id SAA08985 for ; Fri, 10 Oct 1997 18:24:03 -0700 (PDT)
Received: from uymfdlvk ([207.116.216.247]) by mtigwc03.worldnet.att.net (post.office MTA v2.0 0613 ) with ESMTP id AAA19700; Sat, 11 Oct 1997 01:26:20 +0000
Reply-To:
From: "Mark Teicher"
To: "David Lang" ,
Subject: Re: PIX and other "Black boxes" vs normal firewalls.
Date: Fri, 10 Oct 1997 21:25:49 -0400
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1161
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Message-ID: <19971011012618.AAA19700@uymfdlvk>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

One question: Wouldn't you like to know what the black box underlying code is actually made up of before protecting your site with it??

/mht

----------
> From: David Lang
> To: firewalls@GreatCircle.COM
> Subject: PIX and other "Black boxes" vs normal firewalls.
> Date: Friday, October 10, 1997 8:27 PM
>
> I am relatively new to firewalls (I have set up several with the TIS fwtk and
> managed some others) and I am running into management that is saying we need to
> replace the Unix based firewalls with "black-box" firewalls (the CISCO PIX being
> used as an example). I would like to get info from both sides of the issue
> before deciding which way to jump.
>
> Current arguments are.
>
> 1. black-boxes are more secure as they do not run Unix which everyone knows and
> which has unknown security holes in it.
>
> 2. black-boxes require less time to manage reducing the need for
> firewall/security staff.
>
> 3. Unix based firewalls are more flexible as they can be tailored to the
> specific application better than what the "black-box" designers decided was
> needed.
>
> Any other thoughts?
>
> my knee jerk reaction is to prefer the control of a unix based setup but I am
> willing to be persuaded if the reasons are there.
>
> As a second issue what are the "black-box" competitors? I know about PIX what
> others are out there? (URL's please rather than full descriptions)
>
> David Lang
>
>

From owner-firewalls-list Fri Oct 10 18:44:02 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id RAA29981; Fri, 10 Oct 1997 17:28:15 -0700 (PDT)
Received: from mail.diginsite.com (mail.diginsite.com [208.2.189.2]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id RAA29963 for ; Fri, 10 Oct 1997 17:28:03 -0700 (PDT)
Received: from march.diginsite.com (dlang@march.diginsite.com [208.2.189.102]) by mail.diginsite.com (8.8.6/8.8.6) with SMTP id RAA19352 for ; Fri, 10 Oct 1997 17:25:12 -0700
Date: Fri, 10 Oct 1997 17:27:34 -0700 (PDT)
From: David Lang
To: firewalls@greatcircle.com
Subject: PIX and other "Black boxes" vs normal firewalls.
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am relatively new to firewalls (I have set up several with the TIS fwtk and managed some others) and I am running into management that is saying we need to replace the Unix based firewalls with "black-box" firewalls (the CISCO PIX being used as an example). I would like to get info from both sides of the issue before deciding which way to jump.

Current arguments are.

1. black-boxes are more secure as they do not run Unix which everyone knows and which has unknown security holes in it.

2. black-boxes require less time to manage reducing the need for firewall/security staff.

3. Unix based firewalls are more flexible as they can be tailored to the specific application better than what the "black-box" designers decided was needed.

Any other thoughts?

my knee jerk reaction is to prefer the control of a unix based setup but I am willing to be persuaded if the reasons are there.

As a second issue what are the "black-box" competitors? I know about PIX what others are out there?
(URL's please rather than full descriptions)

David Lang

From owner-firewalls-list Fri Oct 10 20:43:34 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id UAA12283; Fri, 10 Oct 1997 20:13:07 -0700 (PDT)
Received: from smtp3.erols.com (smtp3.erols.com [205.252.116.103]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id UAA12276 for ; Fri, 10 Oct 1997 20:13:02 -0700 (PDT)
Received: from farroyo39.geologics.com (spg-as67s57.erols.com [207.172.52.120]) by smtp3.erols.com (8.8.6/8.8.5) with SMTP id XAA29032; Fri, 10 Oct 1997 23:15:27 -0400
Received: by farroyo39.geologics.com with Microsoft Mail id <01BCD5C9.4527A4A0@farroyo39.geologics.com>; Fri, 10 Oct 1997 22:10:08 -0400
Message-ID: <01BCD5C9.4527A4A0@farroyo39.geologics.com>
From: Chris Inskeep
To: "firewalls@GreatCircle.COM"
Subject: Williamsburg Security Seminar -- Yet again....
Date: Fri, 10 Oct 1997 22:10:04 -0400
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Delete if you're bored with the whole idea.......this message is of most value to people on the East Coast of the USA. Folks who asked for the proceedings are on the list and need not respond.

I have caught a number of flames related to the organizational cost of sending someone to a week long security seminar, therefore, we are trying to be responsive...... We recognize that system administrators and security folks are mission critical. I've recently gotten expanded space at the hotel and we will accommodate "single day registrations" for Wednesday, Thursday and Friday, October 29, 30, and 31 (respectively). Cost per day is $125.

I've sent out LOADS of agendas to the folks that responded to my initial message. But if you want one, come back to me, otherwise, if you want to attend please send a registration per the instructions and mark it "One Day Registration" and the day you want to attend. Please give first and second choices for the days (I can only accommodate about 35 more people per day before I bust the seams on the building......)

The following schedule applies:

Wednesday, 29 October Single Day Attendance
Tuesday afternoon/evening arrival
Wednesday:
7:30 a.m.     Intro to Information Security
8:15          Intro to Information Security Risk Management
9:00 - 11:45  Requirements for Information Security (3 tracks)
11:45 - 1:00  Luncheon with speaker
1:00 - 4:30   Requirements for Information Security (3 tracks)
6:00 p.m.     Reception

Thursday, 30 October Single Day Attendance
Wednesday afternoon/evening arrival
Thursday:
7:30 a.m.     Intro to Information Security
8:15          Intro to Information Security Risk Management
9:00 - 11:45  Lessons Learned (3 tracks)
11:45 - 1:00  Luncheon with speaker
1:00 - 4:30   Lessons Learned (3 tracks)
7:30 p.m.     Banquet with speaker

Friday, 31 October Single Day Attendance
Thursday afternoon/evening arrival
Thursday:
7:30 p.m.     Seminar banquet, with speaker
Friday:
7:30 a.m.     Intro to Information Security
8:15          Intro to Information Security Risk Management
9:00 - 11:45  Security Technology (3 tracks)
11:45 - 1:00  Luncheon with speaker
1:00 - 2:30   Security Technology (3 tracks)

From owner-firewalls-list Fri Oct 10 23:43:55 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA00125; Fri, 10 Oct 1997 23:41:34 -0700 (PDT)
Received: from remus.rutgers.edu (remus.rutgers.edu [128.6.13.3]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id XAA00118 for ; Fri, 10 Oct 1997 23:41:29 -0700 (PDT)
Received: from localhost (trott@localhost) by remus.rutgers.edu (8.8.5/8.8.5) with SMTP id CAA19452 for ; Sat, 11 Oct 1997 02:44:00 -0400 (EDT)
Date: Sat, 11 Oct 1997 02:44:00 -0400 (EDT)
From: Richard Trott
To: firewalls@GreatCircle.com
Subject: Gauntlet and NTLM
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Does anyone know if the Gauntlet Net Extender and PC Extender products can be used to enable an NT workstation to authenticate via NT Challenge/Response (NTLM) to a machine on the other side of the firewall?

NTLM doesn't work through proxies as far as I can tell. So, if you are trying to use MS FrontPage through your firewall, you're stuck with Basic Authentication which sends passwords in the clear! I'm wondering if use of one of these products will allow NTLM to work on a VPN/VNP/whatever.

I mailed this question to the sales people at TIS, but I haven't heard back from them.

Thanks.
Richard Trott
trott@remus.rutgers.edu

From owner-firewalls-list Sat Oct 11 00:14:00 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA00698; Fri, 10 Oct 1997 23:50:44 -0700 (PDT)
Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-970824-1) id XAA00687 for firewalls@greatcircle.com; Fri, 10 Oct 1997 23:50:40 -0700 (PDT)
Received: from mail.clark.net (mail.clark.net [168.143.0.10]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id JAA06745 for ; Tue, 7 Oct 1997 09:48:30 -0700 (PDT)
Received: from clark.net (proberts@explorer.clark.net [168.143.0.7]) by mail.clark.net (8.8.7/8.8.7) with ESMTP id MAA23412; Tue, 7 Oct 1997 12:50:10 -0400 (EDT)
Received: from localhost (proberts@localhost) by clark.net (8.8.7/8.8.7) with SMTP id MAA03772; Tue, 7 Oct 1997 12:49:07 -0400 (EDT)
X-Authentication-Warning: clark.net: proberts owned process doing -bs
Date: Tue, 7 Oct 1997 12:49:07 -0400 (EDT)
From: "Paul D. Robertson"
Reply-To: "Paul D. Robertson"
To: "Engasser, Charlie"
cc: "'Firewalls@GreatCircle.COM'"
Subject: RE: Firewall-1, packet -VS- Proxy
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The quoting on your reply is very mixed up, but I'll try to address these.

On Tue, 7 Oct 1997, Engasser, Charlie wrote:

> >Looking at past exploits, and Checkpoint's reaction to the OOB bug in
> >Windows NT, I would say that the hosting machine's services for
> >administration and VPN support seem to be unhardened, and vulnerable to
> >exploitation without extra work. If those responses are indicative of
> >the
> >overall argument of a hardened system versus a shim in the driver
> >layer,
> >then that shim boat just don't float.
> >
> >Checkpoint released a patch for 3.0 that dropped all urgent data, so?

So, it leads to the obvious conclusion that a host *should* be hardened, and that putting protection near the driver layers _does not_ provide a level of security sufficient to prevent the 'firewall' host from being successfully attacked.

> >And if you are running it on NT you can also install the OOBFIX if you
> >are that paranoid.

I'm too paranoid to run NT, as a matter of fact. But it is directly illustrative of the point that packet filters are not a clean cut solution.

> >
> >> it hardens the system it's on? What exactly does that mean anyway? Do
> >> >>you<< know? In my opinion, the cost of a firewall product itself is
> >
> >If the vendor can't quantify 'harden' to your satisfaction, you're
> >dealing
> >with the wrong vendor.
> >
> >That is one of the very reasons I said to avoid Secure. That and lousy
> >phone support with people that obviously didn't know their own
> >products.

I've never had a problem with Secure Computing, and NSA's evaluation of Sidewinder seems to be very positive. http://mitten.ie.org/

Firewalling is about security, and all the customer support in the world doesn't make up for an improperly chosen or configured platform.

> >
> >There is value to having a hardened OS, network
> >stack, filesystem, etc. A great deal of value in many instances, a
> >number
> >of which depend on the specific installation. For instance, if your
> >firewall is going to play with a global authentication strategy, then
> >you'll want to know the stack can survive low-level attacks.
> >
> >I never said that a hardened OS wasn't bad strategy, I merely said that
> >I don't take a vendors claims at face value. .

You seemed to be dismissive of hardening, or the quantification thereof. In the case of Sidewinder specifically, I've always gotten good technical answers from Secure Computing when I've asked the relevant questions. The same is true of Data General's under evaluation B-2 system with BDM's Cybershield, as well as TIS' implementation of Gauntlet on BSD. Hardening a host has a lot of value, and I don't believe it should be easily dismissed, or scorned because of a lack of understanding from one person.

> >Sorry, I just don't see why you'd take it on blind faith. Again, as I
> >stated in my earlier message, if you are not willing to test a
> >firewall's feature sets against what the vendor claims, then what's the
> >point of putting it in? Why should anyone dismiss Firewall-1 out of
> >hand just because they have "heard" that it's hard to configure and
> >that it doesn't automatically harden the OS? So what? This goes back to
> >my experiences with Secure, they >>insisted<< you could pass NBT
> >traffic through Borderware, but NOBODY could tell me how to do it. Why
> >say it's possible, but it really isn't? They said you >should< be able
> >to do it with 4 (I was running 3.1) but then, nobody would let me have
> >an eval copy to test it because I didn't buy a support contract (Border
> >Technologies didn't require a support contract, but after Secure bought
> >them out, they did).

I've never had Borderware on my list of things to test, but I've also never had a problem getting evaluation copies of products from any vendor. Most of that is probably because I represent a large potential sale, so I won't expound more on it.

> >
> >> As for the previous poster, I don't think that I would decide on
> >> Gauntlet unless I had already put a few more firewalls on a testbed.
> >> Gauntlet is rated fairly well as far as security goes, but it's
> >> performance figures suck. It drops packets left and right when under
> >
> >Funny, all the studies I've seen for Gauntlet's performance far
> >outstrip
> >the available Internet bandwidth at most sites. Care to reference some
> >figures? I'm preparing for some benchmarks in the near future on a few
> >products, and I'd be more than happy to check your results.
> >
> >Available internet bandwidth yes, but not intranet bandwidth. The
> >Poster didn't specify. In my case I've got 2 T-1's, a leased 56, and a
> >128kb ISDN running through mine, with another pair of T-1's definitely
> >on the way and maybe another T-1 in the far distant future. Not to
> >mention a host of remote dialins.

Not to sound dismissive, but that's what I'd consider a trivial bandwidth requirement. I won't bore you with "My pipe is bigger than yours" arguments, but I'd expect DOS-based Karlbridge to handle that load, on the appropriate platform.

> >I was thinking of the March 97 issue of data communications magazine.
> >This responds to the TIS person that posted earlier. One of Datacom's
> >stress tests on 100bt intranet links showed that Gauntlet performed at
> >the bottom of the pack when used in that scenario. Since the original
> >poster didn't specify what he wanted it for I made a global statement.
> >Later, in the message I said that I thought Gauntlet would suffice when
> >used as an internet gateway. I believe it was their website they posted
> >figures that showed some 10-30 percent of the packets being dropped
> >when under that high load. Maybe it was misconfigured, maybe not.

I seem to recall that it was a configuration problem, and that TIS had responded to DataComm, and even funded a retest, but the TIS folks can answer that specifically. I don't tend to put much stock on most 3rd party tests unless I know the methodology is sound, and the evaluation is given real-world needs and boundaries. DataComm hasn't been in my list of authoritative publications for quite some time. Your trust may vary.

> >
> >Given FW-1's lack of _complete_ implementation of stateful filtering,
> >as
> >well as the complexity of being able to do it well would steer me away
> >from it as a solution. For instance, Firewall-1 does *not* maintain
> >state
> >information for ICMP as it ships. All those reverse-telnet over ICMP
> >programs floating around the net tend to worry me.
> >
> >I'd only be worried about them if I allowed telnet in. I wouldn't, and
> >even if I did, I'd use a VPN. Besides, isn't telnet dead? (that's a joke
> >son).

Actually, you should only be worried about them if you allow ping or traceroute to function. It's telnet encapsulated in ICMP, and it's rather popular with the opposition.

> >
> >Consistency is important in security. You should be able to predict
> >what
> >your firewall will do with traffic, and how it applies its protection
> >mechanisms. Unfortunately, the only way to find that out with FW-1
> >seems
> >to be with a sniffer and a *lot* of time. If you've got the time to
> >write
> >Inspect code, and you trust the state engine to pass the right packets
> >up,
> >the FW-1 can make a good tool. However, it is marketed as a solution,
> >not a tool, and frankly, it *needs* work for anything but the most
> >blatant
> >policies which are *much* more easily verifiable via application layer
> >gateway.
> >
> >Such as what? Enlighten me. I work on a relatively small network that
> >has limited inbound requirements. If I install Firewall-1 to block
> >incoming traffic (or any firewall for that matter) what do I care how
> >it does it? If Firewall-1 does what it claims to (and I have not seen

You should care very much. *Especially* with a packet filter. If you don't understand the nature of the risks, then you're flying blind, and open to compromise. The first thing you need to realize is that you aren't *blocking* inbound traffic, you are selectively allowing it in response to outbound traffic. There's a major gulf between the two stances. With an application layer gateway, you only need know how the host's IP stack will respond to packet level attacks, not so with a packet filter. With a packet filter, you have to worry about how the target host's IP stack handles things, or how the filter drops individual packets before you even get to the point of worrying about how the application layer is handled.

Will the filter pass TCP packets with an FO of 1, will the filter pass packets with the same sequence number as an already passed packet? How does the end stack handle that during out-of-order reception? Will it just overlay the packet, discard it, merge the two.... Can the target stack be made to fall over by passing it everything but the final fragment of a very large packet a few times? When you have PCs, printers, terminal servers, mainframes, minicomputers, and who-knows-what-else all talking TCP/IP, and you are using a packet filter, you should *know* what behaviour should be expected in each version of each stack. That's one reason why application layer gateways have a much higher level of trust than packet filters, for those you only need to know how the gateway's stack will react to those attacks and situations.

> >anything that shows otherwise) then why should I care? And another
> >thing, how >>does<< one go about "predicting" what a proxy will do with
> >a packet?

State diagrams of the IP stack, and proxy code are a very good start. With a proxy, unlike with a packet filter, you generally don't have to know what will happen to each packet, just packets in general and then application data streams. That is a great deal easier to model than every packet for every protocol.

> >
> >What have you shown Firewall-1 to be vulnerable to in your testbeds?
> >How about some specifics?

As I said, it doesn't maintain state information for ICMP. Other than that, I've only recently gotten an evaluation unit to try to re-create some attacks that I've heard of. It won't be high on my list, because I've personally lost trust in the product, and don't see it as a viable choice for the bulk of my security needs in the near future. I also won't cast further aspersions on the product without having done my own tests, no matter what I've heard, or who I've heard it from. ICMP state is non-existent as shipped in Firewall-1.
Checkpoint has said that they didn't see it as important to add an Inspect program for it implemented as a default. It is possible to add Inspect code to make it work "as it should" if you're to buy into the state implementation. Personally, I think OOB showed it to be fairly flawed methodology-wise, your paranoia may vary. > >Why am I making it easy? I told him to check their claims. Why do you > >have a problem with that. Or are you just pissed because I don't have a > >high opinion of Gauntlet? Nope, I don't represent TIS, and couldn't care less what your opinion of a particular instantiation of a firewall technology is. I do think that spreading disinformation is wrong, and I had a problem with some of the things you've stated, and some of the ways that they were stated. I also have some problems with the way packet filtering based on state is represented, and I think I've articulated them enough here and in comp.security.firewalls for one lifetime. It's well and good to ramble on about testing and evaluations when you've done them, but then to drop back to articles which were cited without reference, and 'in this particular instance' seem to me to be not so authoritative a source as the original article seemed to imply. Perhaps I read too much into it. Maybe it's time for me to completely jump ship to firewall-wizards with everyone else and leave all the mud-slinging misinformation to people who don't seem to be able to talk with the various vendors or do a bunch more than re-hash sales brochures and magazine articles... Paul ----------------------------------------------------------------------------- Paul D. Robertson "My statements in this message are personal opinions proberts@clark.net which may have no basis whatsoever in fact." 
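A filter-side check for the fragment cases Paul lists above (a TCP fragment with an FO of 1, a first fragment too short to carry the TCP flags, data that overlaps an already-passed fragment, and a datagram whose final fragment never arrives), added here as an example and not code from the list or from any product discussed; the packet builder, the sample addresses and the TMIN value (taken from RFC 1858) are my own constructions.

```python
"""Fragment checks a packet filter can apply before trusting a fragment."""
import struct
from collections import defaultdict

TCP = 6
# RFC 1858 minimum: a first TCP fragment must carry at least the flags byte
# (octet 13), so anything shorter than 16 octets cannot be filtered on flags.
TMIN = 16


def build_ipv4(src, dst, ident, frag_offset, more_fragments, proto, payload):
    """Constructed test packet: minimal 20-octet header, checksum left zero."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    header = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
        64, proto, 0, bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return header + payload


def parse_ipv4(pkt):
    """Return the fields the checks need; offset is in 8-octet units."""
    (ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "id": ident, "proto": proto,
        "mf": bool(flags_frag & 0x2000), "offset": flags_frag & 0x1FFF,
        "payload": pkt[ihl:total_len],
    }


class FragmentFilter:
    """Tracks fragments per datagram and reports the cases worth dropping."""

    def __init__(self):
        self.seen = defaultdict(list)   # datagram key -> [(start, end)] octet ranges
        self.completed = set()          # keys whose last fragment (MF=0) arrived

    def check(self, pkt):
        """Return a list of findings for one packet ([] means nothing suspicious)."""
        h = parse_ipv4(pkt)
        key = (h["src"], h["dst"], h["id"], h["proto"])
        start = h["offset"] * 8
        end = start + len(h["payload"])
        findings = []
        # FO=1 can only exist to overwrite the TCP header of the first fragment.
        if h["proto"] == TCP and h["offset"] == 1:
            findings.append("tcp-fragment-offset-1")
        # First fragment too short to carry the TCP flags the filter inspects.
        if h["proto"] == TCP and h["offset"] == 0 and h["mf"] and len(h["payload"]) < TMIN:
            findings.append("tcp-first-fragment-too-short")
        # Data overlapping an already-passed fragment: end stacks differ on whether
        # they keep the old or the new copy, so the filter cannot predict the result.
        if any(start < e and s < end for s, e in self.seen.get(key, [])):
            findings.append("overlapping-fragment")
        if h["mf"] or h["offset"]:          # only real fragments are tracked
            self.seen[key].append((start, end))
            if not h["mf"]:
                self.completed.add(key)
        return findings

    def incomplete(self):
        """Datagrams still waiting for a final fragment (reassembly memory held)."""
        return [k for k in self.seen if k not in self.completed]
```

A datagram that stays in `incomplete()` past a reassembly timeout is the "everything but the final fragment" case and should be expired and counted, not kept forever.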
PSB#9280

From owner-firewalls-list Sat Oct 11 01:13:22 1997
From: Lars Bertelsen
Date: Sat, 11 Oct 1997 10:06:26 +0200
To: firewalls@GreatCircle.COM
Subject: Re: PIX and other "Black boxes" vs normal firewalls.

In your message you write:
>I am relatively new to firewalls (I have set up several with the TIS fwtk and managed some others) and I am running into management that is saying we need to replace the Unix based firewalls with "black-box" firewalls (the CISCO PIX being used as an example). I would like to get info from both sides of the issue before deciding which way to jump.
>
>Current arguments are.
>
>1. black-boxes are more secure as they do not run Unix which everyone knows and which has unknown security holes in it.

Black boxes may have holes in them too. Blackboxes run off software and software has bugs! Cisco have made many bugfixes to their operating system over time. Oh, and Cisco's run on a small unix or very unix-like OS! The difference between Unix based firewalls and blackboxes in this respect is that if a blackbox has a hole in it, only the manufacturer can confirm and fix it. It is not that holes aren't existent!

Oh, and Unix doesn't have security holes as far as I know... Certain servers running under Unix have security holes, but that is something entirely different. Don't run anything on your Unix box which isn't both safe and necessary! That way Unix is safe.

>2. black-boxes require less time to manage reducing the need for firewall/security staff.

No comment. I haven't set up a Cisco PIX. But I would assume that if it does as many things as a Unix based firewall then it will take roughly as much setup and maintenance. A router takes less setup than an application-firewall because it only does one thing: filter on packets.

>3. Unix based firewalls are more flexible as they can be tailored to the specific application better than what the "black-box" designers decided was needed.

True. You can install and deinstall just what you want on a Unix box.

Which sort of introduces:

4) Blackboxes are safer in inexperienced hands because you _can't_ change so much about them!

Lars Bertelsen
Gartnervang 29          tlf. 4635 1115
4000 Roskilde, DK       e-mail of choice: lbe@login.dknet.dk

From owner-firewalls-list Sat Oct 11 05:59:18 1997
From: Emmanuel Yiu
Reply-To: e@techie.com
Organization: Home of ICE
Date: Fri, 10 Oct 1997 21:04:22 +0800
To: Lars Bertelsen
CC: firewalls@GreatCircle.COM
Subject: Re: PIX and other "Black boxes" vs normal firewalls.

Hi,

Glad that somebody brings up this thread.
I am also evaluating a box - Firebox from Watchguard. This box seems to have great vision in mind. I feel that they are trying hard to push firewalls to commodity level. Their solution is kind of neat to me.

They have a box which runs a "hardened" Linux kernel; this sounds to me a good edge, it is based on UNIX, a lot of people know it and probably when there is a security hole, it will be identified quickly and potentially closed quickly (owing to the accessibility of source code by a WORLD of experts). You can constantly bug your vendor about any security hole that you know from any source, like this list. This seems to be better than PIX as you depend solely on CISCO for any fix which they may not even ACTIVELY inform you of. That serves as the hardware part of the whole solution.

The software bit is also neat; as per the company's commodity focus, they based their Security Management Software (SMS) on readily available platforms, Win 95, Win NT 4.0 & Red Hat Linux with X. As I should have pointed out, the Firebox needs a FLOPPY to boot up; the SMS provides a wizard-like tool to walk you thru the BASIC configuration. After that you can create your BOOT FLOPPY to boot up the firewall. Upon initial boot up you can config the box thru the network thru a SECURE channel.

Most importantly it has a very reasonable price range. I personally feel a great future for this product in the ever blooming market, especially those enterprises who can't afford the luxury of a UNIX proficient security expert, not to mention the expensive UNIX workstation which most high end firewall solutions RECOMMEND.

I do hope you guys can give me some guidelines to METHODOLOGICALLY test the Firebox - not firewall ;-).

Best regards
Emmanuel

Lars Bertelsen wrote:
> In your message you write:
>
> Black boxes may have holes in them too. Blackboxes run off software and software has bugs!
> [...]

From owner-firewalls-list Sat Oct 11 13:13:22 1997
From: "Paul D. Robertson"
Date: Sat, 11 Oct 1997 14:22:00 -0400 (EDT)
To: Ryan Russell/SYBASE
cc: Messano Jim, "'Firewalls Q?'"
Subject: Re: To Gauntlet or not to Gauntlet

On 10 Oct 1997, Ryan Russell/SYBASE wrote:

> So, if I'm one of these non-employees, and I decide to access your intranet, then I will have to telnet to one of the employee machines first?
>
> (I say telnet, but it could be just about any protocol.. even me dropping a trojan file of some sort on the fileshare of one of the employee's Win95 boxes.)

I tend to use HTTP proxies these days as an example of this. Employee A sets up a caching proxy on her local machine, then proceeds to use it to access the intranet, and authenticates. Non-employee B points to Employee A's proxy, and has access to the intranet. This even works with VPNs (it's always been a tenet that allowing unencrypted access to an encrypted machine _breaks_ the crypto model.) Add browsers that go and get updates, like MSIE 4.0, and open fileshares, and the problem gets worse.

At this point, total control of the desktop software and configuration are about the only way of gaining a bit of control over this, outside of denying access completely.

Castle gates are only effective against attack when they're barred against attack. If all the serfs aren't behind the walls, your chances of being overrun increase significantly. The enemy, of course, would love to dress up as a bunch of serfs and sneak in.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
PSB#9280

From owner-firewalls-list Sat Oct 11 14:43:22 1997
From: Paul Wick
Date: Sat, 11 Oct 1997 22:35:08 +0100
To: firewalls@GreatCircle.COM

remove

From owner-firewalls-list Sat Oct 11 17:28:37 1997
From: WALLY
Date: Sat, 11 Oct 1997 14:38:54 -0400
To: "'Caldwell, Matt'", "'firewalls'", "'David Glosser'", "'dbovee@scitor.com'"
Subject: RE: Internet email security & r

There are some email gateway products that provide virus scanning and VPNs between their respective gateways. TenFour is one of them.

- Wally

> -----Original Message-----
> From: Caldwell, Matt [SMTP:caldwm@xgate.columbiasc.ncr.com]
> Sent: Wednesday, October 08, 1997 9:15 AM
> To: 'firewalls'; 'David Glosser'; 'dbovee@scitor.com'
> Subject: RE: Internet email security & r
>
> Believe it or not but there are some issues with having a different mail system other than SMTP for a Corporate environment. SMTP servers that are within a firewall usually trust the computers in that subnet thus email is easily faked. Email could be spoofed from a near IP. Commercial email packages (such as Lotus Notes, Exchange, maybe even cc:Mail) make it a little more difficult to spoof or fake email from within the corporate network because a lot of these servers are not solely client side oriented. You can restrict email from outside being faked, but in most cases you must trust your corporate subnet. Some have encryption systems built in that allow for mail to be protected from (not very good systems) plain text viewing. SMTP Mail can be appropriate or not appropriate, it depends on your company, and how much money you're willing to spend.
>
> >----------
> >From: dbovee@scitor.com[SMTP:dbovee@scitor.com]
> >Sent: Tuesday, October 07, 1997 7:01 PM
> >To: firewalls; David Glosser
> >Subject: Re: Internet email security & r
> >
> > May I interpret this as a question that has *already* been answered...?
> >
> > "...why it is not appropriate for corporate use?"
> >                       ^^^
> >
> > Pardon me, but isn't a lot of business conducted via Internet email daily? Anyway, what's the difference between Internet email and email going from a subnetted/firewalled corporate intranet to an entirely different intranet within the same large corporation???
> >
> > -David Bovee
> >
> >______________________________ Reply Separator _________________________________
> >Subject: Internet email security & r
> >Author: "David Glosser" at Internet
> >Date: 10/7/97 3:59 PM
> >
> >Subject: Internet email security & reliability
> >
> >I apologize if this is not directly related to firewalls, but I did a search of the Net and couldn't find anything....
> >
> >Are there any white papers, studies, hard facts, etc. that are related to the lack of security and reliability of internet e-mail and why it is not appropriate for corporate use?
> >
> >Any articles, pointers, links, publications, etc. (or suggestions of other forums) would be appreciated. Please e-mail me directly since I know this is not directly related to firewalls; I'll post a summary.
> >
> >Thanks in advance
> >David Glosser
> >glosser@bbdo.com
>
> Matthew F. Caldwell - Security Analyst
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> VC3 Systems Engineering        http://www.vc3.com
> email: matt.caldwell@vc3.com
> pager: matt.caldwell@pager.vc3.com
> Office: (803) 939-2322   Pager: (803) 690-2505
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Senders of unsolicited commercial E-Mail to this account implicitly agree to a $1000.00 proofing fee
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

From owner-firewalls-list Sat Oct 11 22:58:23 1997
From: Adam Shostack
Date: Sun, 12 Oct 1997 01:41:38 -0400 (EDT)
To: ahuger@silence.secnet.com
Cc: firewall-wizards@nfr.com, firewalls@greatcircle.com (Firewalls mailing list)
Subject: Re: DNS on the Firewall - security problem

Alfred is absolutely right. I forgot how little what I first wrote references this; I've added a paragraph to make more clear that this is not a real fix, but a temporary hack.

I'm working on a paper on the topic of DNS, and working on some kernel hacks to allow a special user or group (other than root) to bind to low numbered ports. Another way to deal with the problem is to use a packet filter that does port translation so that the DNS server can live on a high numbered port (eg, 5353), and still appear to be on port 53. Both these allow you to run the DNS server as an unprivileged user in a chroot jail.

Sorry, the kernel kludges are not available.

Adam

Alfred Huger wrote:
|
| > there is no egg* to overflow and break a chroot. Thus, if you don't put CHROOT/bin/sh in place, the standard attacks will fail, but a smart attacker can still get in. In practicality, there are few smart attackers.
| >
|
| It only takes *one* smart attacker with a subscription to Bugtraq and a predilection to share his or her work. The l0pht (which you referenced) is a perfect example of this.

--
"It is seldom that liberty of any kind is lost all at once."
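The bind-then-confine sequence Adam describes (open port 53 while still root, then chroot and run the server as an unprivileged user), written out as an added example that is not Adam's kernel work or any vendor's code; the function names, the uid/gid values and the jail path are this example's own placeholders, and the CAP_NET_BIND_SERVICE route that Aleph One mentions later in the thread is only noted in a comment.

```c
/* Added example: privilege separation for a DNS server, as discussed above.
 * Everything here (names, uid/gid, jail path) is constructed for illustration. */
#define _GNU_SOURCE            /* declares chroot() and setgroups() on glibc */
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Bind a UDP socket to addr:port. Ports below 1024 still need root here;
 * the POSIX.1e alternative is to grant only CAP_NET_BIND_SERVICE instead.
 * Returns the descriptor, or -1 with errno set. */
int open_dns_socket(const char *addr, int port)
{
    struct sockaddr_in sin;
    int fd;

    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons((unsigned short)port);
    if (inet_pton(AF_INET, addr, &sin.sin_addr) != 1) {
        errno = EINVAL;
        return -1;
    }
    fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) != 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* chroot() into jail and give up root for good. Order matters: chroot and
 * chdir first (they need root), then supplementary groups, then gid, then
 * uid, since once uid is non-zero the earlier steps are no longer permitted.
 * Refuses uid/gid 0 so a bad configuration cannot "drop" to root.
 * Returns 0 on success, -1 with errno set on failure. */
int enter_jail_and_drop(const char *jail, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) {
        errno = EINVAL;
        return -1;
    }
    if (chroot(jail) != 0 || chdir("/") != 0)
        return -1;
    if (setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Verify the drop is irreversible: regaining root must now fail. */
    if (setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Placeholder values: a dedicated DNS account and an empty jail directory. */
    const uid_t dns_uid = 53053;
    const gid_t dns_gid = 53053;
    const char *jail = "/var/named-jail";
    int fd = open_dns_socket("0.0.0.0", 53);     /* must still be root here */

    if (fd < 0) {
        perror("bind port 53");
        return 1;
    }
    if (enter_jail_and_drop(jail, dns_uid, dns_gid) != 0) {
        perror("drop privileges");
        return 1;
    }
    printf("serving DNS on fd %d as uid %u inside %s\n",
           fd, (unsigned)getuid(), jail);
    /* The request loop would start here, with no privilege left to lose. */
    close(fd);
    return 0;
}
```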
                                               -Hume

From owner-firewalls-list Sun Oct 12 00:43:23 1997
From: "Fred T. Langston"
Organization: Network Commerce, Inc.
Date: Sun, 12 Oct 1997 00:29:33 -0700
To: firewalls@GreatCircle.com
CC: firewalls-digest-owner@GreatCircle.com
Subject: Re: NEW Security-Related List Server

What about the digest? Will it be available at the new site also?

--
Fred T. Langston, System Engineer / fred@networkcommerce.com
Network Commerce Incorporated / Secure Business Networks
(818) 889-9985 / http://www.networkcommerce.com

From owner-firewalls-list Sun Oct 12 01:10:33 1997
From: Darren Reed
Date: Sun, 12 Oct 1997 17:29:56 +1000 (EST)
To: adam@homeport.org (Adam Shostack)
Cc: ahuger@silence.secnet.com, firewall-wizards@nfr.com, firewalls@GreatCircle.COM
Subject: Re: DNS on the Firewall - security problem

In some mail from Adam Shostack, sie said:
[...]
> I'm working on a paper on the topic of DNS, and working on some kernel hacks to allow a special user or group (other than root) to bind to low numbered ports. Another way to deal with the problem is to use a packet filter that does port translation so that the DNS server can live on a high numbered port (eg, 5353), and still appear to be on port 53. Both these allow you to run the DNS server as an unprivileged user in a chroot jail.
>
> Sorry, the kernel kludges are not available.

You might want to have a look around for implementations already available which do this. I'm pretty sure this has been done by a few people already, once for Linux and one for FreeBSD. Of course neither solution is what I'd call elegant (at this stage) but nor is there anything (that I know of) resembling a POSIX standard which defines how it should be done.

Darren

From owner-firewalls-list Sun Oct 12 06:58:29 1997
From: PHuffman11@aol.com
Date: Sun, 12 Oct 1997 09:53:20 -0400 (EDT)
To: firewalls@greatcircle.com
Subject: (no subject)

remove

From owner-firewalls-list Sun Oct 12 11:58:23 1997
From: "Perry E. Metzger"
Reply-To: perry@piermont.com
X-Reposting-Policy: redistribute only with permission
Date: Sun, 12 Oct 1997 14:46:05 -0400
To: Darren Reed
cc: adam@homeport.org (Adam Shostack), ahuger@silence.secnet.com, firewall-wizards@nfr.net, firewalls@greatcircle.com
Subject: Re: DNS on the Firewall - security problem

Darren Reed writes:
> > Sorry, the kernel kludges are not available.
>
> You might want to have a look around for implementations already available which do this. I'm pretty sure this has been done by a few people already, once for Linux and one for FreeBSD.

There is a standard NetBSD kernel build option that I added a long time ago to let non-privileged processes bind low numbered ports.

Perry

From owner-firewalls-list Sun Oct 12 12:58:30 1997
From: Aleph One
Date: Sun, 12 Oct 1997 14:48:59 -0500 (CDT)
To: Darren Reed
Cc: Adam Shostack, ahuger@silence.secnet.com, firewall-wizards@nfr.net, firewalls@GreatCircle.COM
Subject: Re: DNS on the Firewall - security problem

On Sun, 12 Oct 1997, Darren Reed wrote:

> You might want to have a look around for implementations already available which do this. I'm pretty sure this has been done by a few people already, once for Linux and one for FreeBSD. Of course neither solution is what I'd call elegant (at this stage) but nor is there anything (that I know of) resembling a POSIX standard which defines how it should be done.

Actually there is, POSIX.1e. The particular capability that allows a process to bind to ports under 1024 is CAP_NET_BIND_SERVICE. You can find a reference implementation of POSIX capabilities at http://parc.power.net/morgan/Orange-Linux/linux-privs/

For those not familiar with it, POSIX.1e is an attempt at standardizing Capabilities (used to be Privileges), Labels, MACs, Auditing, and ACLs. The work under Linux so far has included working capabilities and some inroads into auditing. Remy Card also claims to have a working ext2fs with ACLs but he always seems to fall off the face of the earth.

> Darren

Aleph One / aleph1@dfw.net
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01

From owner-firewalls-list Sun Oct 12 13:13:32 1997
From: MET
Reply-To: marketetc@ultramailweb.com
Date: Sun, 12 Oct 1997 13:09:39 -0700
To: "Masters@RealDeals"
Subject: 'Beta Test' Your Own Virtual Community

To be Removed from our mailing list Reply to: Type Remove in the Subject Line. Please allow 48 hours for your address to be manually removed from our mailing list.
- - - - - - - - - - - - - - - - - - - - - - - We would like you to "beta test" our new software. A free website.... but this is nothing like any free website we hae seen! This is one of the most incredible things we have seen come through the Software Shak.. and we had to show you! How would you like to add chat boards, databases, calendars, surveys, newsletters, bulletin boards, and file archives to your existing website in seconds? Imagine...you sell "flowers" on your website. Why not add a bulletin board for "Flower Planting". Add another bulletin board for "Flower Growers". Create calendars to show "Best Flower Planting Dates" and even create calendars for your visitors to add THEIR events! You can easily add several databases (up to 50 fields each) to make a "Flower Seed Inventory" or searchable "Flower Growers' Guest Book". As fast as you can type, create surveys to get INSTANT feedback from your web visitors. Let them tell you what they want from you website! Create excitement and create a community! This is the new wave of the Internet. Here's your chance to be first! If you DON'T have a website now, you may use this site as your primary site. If you DO have a website, then simply link your current page to a special URL and then you may link your new "interactive" section back. You are able to offer a "virtual community" to your web visitors, and YOU are the mayor and YOU control the site.Your visitors will keep coming back again and again to your website. Internet Media, Inc. is making an unbelievable FREE offer. Go to and sign up for 3-2-1Media!. In the payment information put the following code in the credit card number field: 10000200000000. AND YOU MUST PUT ID CODE MORE3706 in the ID Code field to be eligible for a free beta. Of course you will not billed, but within a few hours your OWN URL will be emailed to you and passwords. THIS FREE OFFER IS VALID FOR ONLY 7 DAYS. OFFER ENDS 5:00 PM SATURDAY OCT. 18th. 
Any email dated after that time will not be eligible for a free 3-2-1Media! and no install fees. You may keep your 3-2-1Media! site for 30 days. You will be notified by email if you wish to keep your 3-2-1Media! site after 30 days. The price beyond 30 days is only $99 per month. This includes hosting fees and support. Internet Media, Inc. will waive the $199 setup fee, too.

DO IT TODAY!

Murray Smith

From owner-firewalls-list Sun Oct 12 15:58:23 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA27498; Sun, 12 Oct 1997 15:49:32 -0700 (PDT)
Received: from quechua.inka.de (quechua.inka.de [193.197.84.5]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id PAA27471 for ; Sun, 12 Oct 1997 15:49:21 -0700 (PDT)
Received: from uu.inka.de [193.197.84.8] by quechua.inka.de with smtp id 0xKWqq-0006Oy-00; Mon, 13 Oct 1997 00:51:08 +0200
Received: from lina.inka.de (lists@lina.inka.de) by uu.inka.de with bsmtp (S3.1.29.1) id ; Mon, 13 Oct 97 00:51 MET DST
Received: by lina.inka.de id m0xGsrW-00014AC (Debian Smail-3.2 1996-Jul-4 #2); Thu, 2 Oct 1997 23:32:46 +0200 (CEST)
Message-Id:
Date: Thu, 2 Oct 1997 23:32:45 +0200
From: Bernd Eckenfels
To: "Davidson, Grover"
Cc: firewalls@GreatCircle.COM
Subject: Re: SAP Gateway
References: <199710021614.LAA15936@gatewayb.anheuser-busch.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.67
In-Reply-To: <199710021614.LAA15936@gatewayb.anheuser-busch.com>; from Davidson, Grover on Thu, Oct 02, 1997 at 11:05:00AM -0500
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello,

On Oct 2, Davidson, Grover wrote
> Does anyone here know anything about the SAP Internet gateway?

SAP as in sap-ag.de? SAP has a program called saprouter, which is used to connect R3 Systems via TCP/IP. Just used an unofficial Linux port to connect our R3 System to SAP's OSS. Works rather well with Linux.
Greetings
Bernd
--
  (OO)      -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de --
 ( .. )  ecki@{inka.de,linux.de,debian.org}  http://home.pages.de/~eckes/
  o--o     *plush*  2048/93600EFD  eckes@irc  +4972573817  BE5-RIPE
(O____O)  If privacy is outlawed only Outlaws have privacy

From owner-firewalls-list Sun Oct 12 17:58:31 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id RAA05570; Sun, 12 Oct 1997 17:43:05 -0700 (PDT)
Received: from duesseldorf2 (duesseldorf2.pop.metronet.de [193.168.211.1]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id RAA05563 for ; Sun, 12 Oct 1997 17:42:59 -0700 (PDT)
Date: Sun, 12 Oct 1997 17:42:59 -0700 (PDT)
From: mgm@metronet.de
Message-Id: <199710130042.RAA05563@honor.greatcircle.com>
Received: (qmail 28133 invoked from network); 13 Oct 1997 00:40:33 -0000
Received: from unknown (HELO metronet.de) (192.168.103.57) by pop-mail.metronet.de with SMTP; 13 Oct 1997 00:40:33 -0000
To: mgm@metronet.de
Subject: Reply
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

TODAY, walking close to home a little girl will be killed as she steps on a landmine. Tomorrow a farmer will lose his legs and another will be blinded. What difference can 3 days make?

Message-ID: <19971013004034.28054.qmail@duesseldorf2>
Warning: Sender was mgm@metronet.de

Just 3 days ago the "International Campaign to Ban Landmines" received word that the work to ban and clear landmines had been awarded the 1997 Nobel Peace Prize. Unfortunately, this wonderful news made no difference to the dozens of children, farmers and other people who were killed or crippled forever by landmines that exploded in just these past 3 days. A landmine explodes somewhere in the world every 22 minutes. To stop this we must ban their manufacture and use. And clear the mines that are already lying, hidden and waiting to kill.

With a click to http://www.landmine.org you can help to "kill a landmine" - it's so easy. Thanks for your kindness.
Yours
Christoph Brocks
The Humanitarian Foundation of People Against Landmines
www.mgm.org
info@landmine.org

From owner-firewalls-list Sun Oct 12 19:28:23 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id TAA10635; Sun, 12 Oct 1997 19:23:03 -0700 (PDT)
Received: from halla2.dacom.co.kr (halla2.dacom.co.kr [164.124.1.108]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id TAA10628 for ; Sun, 12 Oct 1997 19:22:57 -0700 (PDT)
Received: from dacom.dacom.co.kr ([130.9.81.158]) by halla2.dacom.co.kr (8.6.12H1/8.6.9) with ESMTP id LAA23552 for ; Mon, 13 Oct 1997 11:21:05 GMT
Message-ID: <344186C2.CE7905B@halla2.dacom.co.kr>
Date: Mon, 13 Oct 1997 11:26:10 +0900
From: leen seung jin
Reply-To: howard7@halla2.dacom.co.kr
X-Mailer: Mozilla 4.01 [en] (Win95; I)
MIME-Version: 1.0
To: firewalls@GreatCircle.COM
Subject: (no subject)
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

remove

From owner-firewalls-list Sun Oct 12 23:28:31 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id WAA21593; Sun, 12 Oct 1997 22:56:37 -0700 (PDT)
Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-970824-1) id WAA21585 for firewalls@greatcircle.com; Sun, 12 Oct 1997 22:56:34 -0700 (PDT)
Received: from mercury.webnology.com (mercury.webnology.com [207.51.255.70]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id NAA13840 for ; Thu, 9 Oct 1997 13:56:26 -0700 (PDT)
Received: from snoopy.webnology.com (web32.webnology.com [207.51.255.112]) by mercury.webnology.com (8.8.7/8.8.7) with SMTP id QAA00196; Thu, 9 Oct 1997 16:02:53 -0500
Message-Id: <199710092102.QAA00196@mercury.webnology.com>
Comments: Authenticated sender is
From: "Greg Barnes"
To: bjm@fl.dk, Firewalls@GreatCircle.COM
Date: Thu, 9 Oct 1997 15:56:58 +0000
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: Single point of failure.
X-mailer: Pegasus Mail for Win32 (v2.42a)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On 9 Oct 97, bjm@fl.dk wrote about Single point of failure.:

[snip]
> A couple of firewall products offer the ability to support multiple
> network interface cards. These products are often used in solutions
> where different kind of user groups, servers/services etc. are
> separated on different LAN-segments connected to the firewall. If a
> company uses this functionality on a firewall, they introduce a single
> point of failure which I think is often neglected or forgotten.

There are more single points of failure in any given network on any given day than I think most care to admit. While this does not negate your argument, these options are best weighed in a 'risk-analysis'. You check your probable risks, improbable risks and possible risks associated with a given network/network device. You then take very specific and measurable steps to protect the device or the network as a whole.

Backup devices are ALWAYS a good thing, but rarely financially feasible. If the probable winds up being a directed attack or a high failure rate for the firewall then a backup is in order. If not...? While I abhor the fact that finances are sometimes an issue when planning/protecting your network I do respect a calculated risk.

The short version of my philosophy...which is subject to change at any moment without prior notice from the management. ;-)

1. Sometimes you're better off setting up a link state routing protocol on your backbone, adding a redundant link and adding access lists to each of your routers (solving the lack of dynamic recovery on a failed state interface).

2.
The support for additional security features through the use of `packet header extensions' provided by IPv6 (thus allowing every host behind the gateway router to authenticate / deny incoming packets) eliminates the 'all or nothing' philosophy of the firewall. To some this is a more appetizing course of action. Especially since IPv6 is free. Firewalls (no offense) be damned if I can have my cake and eat it too.

Egads....I wrote a book even. =-o

Regards,
Greg Barnes
Webnology LLC
________________________________________________
|\===============W=E=B=N=O=L=O=G=Y===============\
 greg@ou812.com        Phone (830)768-2292
 noc@ou812.com         FAX   (830)774-1518
|/===============W=E=B=N=O=L=O=G=Y===============/
'If you're a horse and someone gets on you and falls off, then gets right back on you...I think you should buck him off right away' -- Deep Thoughts, By Jack Handey
*ANTISPAM-NOTE* To respond to this message, replace 'ou812.' with 'webnology.' in the return address.

From owner-firewalls-list Mon Oct 13 03:43:29 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id DAA14528; Mon, 13 Oct 1997 03:39:04 -0700 (PDT)
Received: from hkt005.hkt.net ([205.252.130.220]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id DAA14521 for ; Mon, 13 Oct 1997 03:38:57 -0700 (PDT)
Received: from comexp.hkcg.com ([202.84.208.3]) by hkt005.hkt.net (Netscape Mail Server v2.02) with SMTP id AAA18609 for ; Mon, 13 Oct 1997 18:41:21 +0800
Received: by comexp.hkcg.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BCD807.D3115370@comexp.hkcg.com>; Mon, 13 Oct 1997 18:42:57 +0800
Message-ID:
From: "Denis Koo N.C."
To: "'Firewalls@GreatCircle.COM'"
Subject: Radius for Firewall-1 3.0
Date: Mon, 13 Oct 1997 18:42:55 +0800
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

any information on the Radius server that is already certified or works with firewall-1 3.0?

cheers

denis

From owner-firewalls-list Mon Oct 13 05:28:48 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA21353; Mon, 13 Oct 1997 05:27:02 -0700 (PDT)
Received: from keyline.co.uk (mailhost.keyline.co.uk [194.203.104.242]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id FAA21346 for ; Mon, 13 Oct 1997 05:26:56 -0700 (PDT)
Received: from mailhost.keyline.co.uk (groupwise.keyline.co.uk [126.0.0.40]) by keyline.co.uk (8.8.5/8.8.3) with ESMTP id NAA25740 for ; Mon, 13 Oct 1997 13:36:10 GMT
Received: from groupwise.keyline.co.uk (root@localhost) by mailhost.keyline.co.uk (8.8.5/8.8.3) with SMTP id NAA11112 for ; Mon, 13 Oct 1997 13:35:42 GMT
Received: from Keyline-Message_Server by groupwise.keyline.co.uk with Novell_GroupWise; Mon, 13 Oct 1997 13:35:41 +0000
Message-Id:
X-Mailer: Novell GroupWise 4.1
Date: Mon, 13 Oct 1997 13:35:28 +0000
From: Rik Hemsley
To: Firewalls@GreatCircle.COM
Subject: Re: my Promiscuous mode query
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Well I found the cause of my eth0 being in promisc mode, 'twas a little util called netwatch, which also does packet watching, and naughtily doesn't set your interface back to non-promisc when it exits, or even warn you.
oh yes, ifconfig eth0 -promisc worked for me ( a guess, man doesn't tell you properly )

Rik

From owner-firewalls-list Mon Oct 13 05:44:03 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA20712; Mon, 13 Oct 1997 05:16:18 -0700 (PDT)
Received: from keyline.co.uk (mailhost.keyline.co.uk [194.203.104.242]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id FAA20700 for ; Mon, 13 Oct 1997 05:16:11 -0700 (PDT)
Received: from mailhost.keyline.co.uk (groupwise.keyline.co.uk [126.0.0.40]) by keyline.co.uk (8.8.5/8.8.3) with ESMTP id NAA25642 for ; Mon, 13 Oct 1997 13:25:28 GMT
Received: from groupwise.keyline.co.uk (root@localhost) by mailhost.keyline.co.uk (8.8.5/8.8.3) with SMTP id NAA10580 for ; Mon, 13 Oct 1997 13:25:02 GMT
Received: from Keyline-Message_Server by groupwise.keyline.co.uk with Novell_GroupWise; Mon, 13 Oct 1997 13:25:02 +0000
Message-Id:
X-Mailer: Novell GroupWise 4.1
Date: Mon, 13 Oct 1997 13:24:39 +0000
From: Rik Hemsley
To: Firewalls@GreatCircle.COM
Subject: Promiscuous mode
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi, I'm new to the list.

During my security self-teaching process, I've heard about network interfaces being in 'promiscuous' mode.. and this being a Bad Thing(tm)

I get the idea, but what kind of workarounds are there, aside from encrypting every communication ?

A sniffer needs a machine to run on; and to read packets over the local net, it needs to be inside, right ? ( or can it spoof ? )

Is it ever necessary for an interface to be in promisc. mode and if not, how do you 'switch it off ?'
Thanks in advance,

Rik

From owner-firewalls-list Mon Oct 13 06:13:34 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA26509; Mon, 13 Oct 1997 06:06:45 -0700 (PDT)
Received: from mnl.sequel.net (mnl.sequel.net [204.255.104.30]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id GAA26479 for ; Mon, 13 Oct 1997 06:06:33 -0700 (PDT)
Received: from rcpi by mnl.sequel.net (SMI-8.6/SMI-SVR4) id VAA01461; Mon, 13 Oct 1997 21:06:17 +0800
Message-Id: <3.0.1.32.19971013210446.00ad9b90@mnl.sequel.net>
X-Sender: succesor@mnl.sequel.net
X-Mailer: Windows Eudora Light Version 3.0.1 (32)
Date: Mon, 13 Oct 1997 21:04:46
To: Adam Shostack , ahuger@silence.secnet.com
From: Gaddy Gumbao
Subject: Re: DNS on the Firewall - security problem
Cc: firewall-wizards@nfr.com, firewalls@greatcircle.com (Firewalls mailing list)
In-Reply-To: <199710120541.BAA29582@homeport.org>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi there,

I'm new here in the list and still getting into the process of familiarizing myself with the world of Firewall-1. I am proposing a network setup in which my DNS is behind Firewall-1. Will you be able to send me some security problems and solutions for this kind of a setup.

Thanks in Advance....
From owner-firewalls-list Mon Oct 13 06:28:24 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA29623; Mon, 13 Oct 1997 06:23:42 -0700 (PDT)
Received: from isis.corefacts.co.uk (corefact.demon.co.uk [158.152.25.111]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id GAA29567 for ; Mon, 13 Oct 1997 06:23:27 -0700 (PDT)
Received: by isis.corefacts.co.uk (8.6.9/CoreFacts Version 2.1) id OAA02195; Mon, 13 Oct 1997 14:23:23 +0100
From: Security Mail list
Message-Id: <199710131323.OAA02195@isis.corefacts.co.uk>
Subject: Re: Firewall routing setup, Solaris 2.5.1
To: zwieback_dave@timeplex.com (Dave Zwieback)
Date: Mon, 13 Oct 1997 14:23:22 +0200 (BST)
Cc: firewalls@greatcircle.com, neil@corefacts.co.uk (Neil C Mackie)
In-Reply-To: <343BF4CC.F5E41692@timeplex.com> from "Dave Zwieback" at Oct 8, 97 05:02:05 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Hey,
>I am trying to setup a three-host firewall, with Firewall-1 ver 3.0 on
>it. The machine has 3 interfaces, one for the outside (on the same
>network as the ISP router), one for the inside, and one for the DMZ. The
>outside interface is a class B address given to us by our ISP. The
>inside address belongs to a class B network, subnetted to a class
>C (255.255.255.0). The DMZ network address is also part of the class B
>network.
>
>The internal address is on a wire which goes to our enterprise router,
>which is broadcasting RIP, all the time.
>
>Couple of questions:
> 1) How do you configure routing for this setup?

See steps below

> 2) Do you turn on in.routed and/or in.rdisc? With what options?

You don't on an Internet firewall if you can avoid it, you might on an Intranet Firewall but that varies by opinion and circumstances.

> 3) Do you turn on ip_forwarding?

When you install Firewall-1 V3.0 it will add the necessary lines to startup scripts (See /etc/rc2.d/S69inet) to prevent IP forwarding.
NT version must have IP forwarding set on in the routing dialog box.

> 4) Any idea about the netmasks

See below

> 5) RIP?

No definitely not.

> 6) Static or dynamic routes?

Definitely static routes.

>I would appreciate any help you can give me, pointers to on-line
>information, etc. Thanks in advance.
>Dave.

I had to write the following up for something else so here's some help.

-----------------
Assumptions for this example:

ISP's network address and subnet mask they gave you
    158.145.0.0  255.255.255.240

This is a reasonable subnet mask coming from an ISP. Allows you to have 16 addresses, 14 physically usable, for example if they gave you 158.145.1.0 you could use 158.145.1.1 to 158.145.1.14
    158.145.1.0 is the network address
    158.145.1.15 is the broadcast address

Your network Class B is 172.16.0.0, one of the RFC1918 networks

Outside Interface of Firewall:    gatekeeper  158.145.1.1
Inside Interface of Firewall:     fw1-gw      172.16.1.254
Dmz-side Interface of Firewall:   dmz-gw      172.16.2.254
Enterprise router:                ent-gw      172.16.1.253
---------------------
Step 1. Edit the /etc/hostname.[le0 | le1 | le2] files, create if necessary, may be hostname.[le0 | qe0 | qe1 | qe2 | qe3] if you have a quad card. Edit each file, it should contain the hostname for each interface.

/etc/hostname.le0
gatekeeper

/etc/hostname.le1
fw1-gw

/etc/hostname.le2
dmz-gw
---------------------
Step 2. Edit your /etc/hosts file and add the hostnames and IP addresses

158.145.1.1    gatekeeper.yourdomain.com gatekeeper
172.16.1.254   fw1-gw
172.16.2.254   dmz-gw
---------------------
Step 3. Edit your /etc/netmasks file and add the networks and their subnet masks

# ISP network address and subnet mask, if this is not here then Solaris
# will assume the whole of class B 158.145.0.0 is on le0 and you'll
# never be able to connect to the ISPs other customers.
158.145    255.255.255.240
# Treat 172.16.0.0 and its subnets as class C networks
172.16     255.255.255.0
---------------------
Step 4.
Create a startup file that configures the static routes required by the firewall. For example, /etc/rc3.d/S80fw1-routes which contains the static routes and proxy arps required by the address translation. It's in the rc3.d dir because proxy arps don't take effect if the file is in the rc2.d directory.

# Set silly host routes to ensure packets leave from the correct
# interface to accommodate address translation
# Assumes 158.145.1.2 is your external SMTP host address that you
# advertise to the world.
# Assumes 172.16.1.10 is your internal SMTP host
#
route add host 158.145.1.2 172.16.1.10 1

# Set the proxy arps, note the IP address 158.145.1.2 is not assigned
# to any physical interface. The MAC address is that of the outside
# interface of the firewall. In this case, Solaris, all interfaces use
# the same MAC address. (different for NT installs).
arp -s 158.145.1.2 8:0:23:7b:e3:4 pub

# Configure the routes to the rest of 172.16.0.0
#
route add net 172.16.3.0 172.16.1.253 1
route add net 172.16.4.0 172.16.1.253 1
route add net 172.16.5.0 172.16.1.253 1
route add net 172.16.6.0 172.16.1.253 1
route add net 172.16.7.0 172.16.1.253 1
....
route add net 172.16.254.0 172.16.1.253 1

No doubt you won't have used all of the class C subnets of 172.16.0.0 but if you do the table is large, it's X-large if you subnetted the 10.0.0.0 network as class C. Personally I would use 192.168.1.0 as the firewall inside network and 192.168.2.0 as the dmz network and then have a single route to your enterprise router for the 172.16.0.0 network. It only requires a single route but that depends on what you have on that network and if you have spare ports on your router or alternatively can configure virtual IP address for the router ports.

The documentation in Version 3 mentions how to get address translation and routing working a lot better than 2.1 so I've left the proxy arps and host routes out as that really requires diagrams with the explanation.
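The subnet arithmetic in the assumptions and the route table of Step 4, worked through as an added Python example; this is not Neil's code nor any Solaris tool, and the classful fallback simply mimics the /etc/netmasks behaviour his Step 3 comment describes. The addresses are the ones assumed in the post.

```python
import ipaddress

# Constructed from the assumptions in the post: the ISP-assigned block,
# the RFC1918 class B used inside, and the enterprise router address.
ISP_NETWORK = "158.145.1.0"
ISP_MASK = "255.255.255.240"
ENTERPRISE_ROUTER = "172.16.1.253"

# Constructed /etc/netmasks content, copied from Step 3 of the post.
NETMASKS_FILE = """\
# ISP network address and subnet mask
158.145    255.255.255.240
# Treat 172.16.0.0 and its subnets as class C networks
172.16     255.255.255.0
"""


def classful_mask(address):
    """The mask Solaris falls back to when /etc/netmasks has no entry:
    the address's historical class decides it (A=/8, B=/16, C=/24)."""
    first = int(address.split(".")[0])
    if first < 128:
        return "255.0.0.0"
    if first < 192:
        return "255.255.0.0"
    return "255.255.255.0"


def parse_netmasks(text):
    """Parse /etc/netmasks ('network mask' per line, '#' starts a comment)."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        network, mask = line.split()
        table[network] = mask
    return table


def effective_network(address, netmasks):
    """Resolve the network an interface address belongs to the way the post
    describes: the /etc/netmasks entry for the classful network wins,
    otherwise the classful default applies (the failure mode for 158.145.x)."""
    classful = ipaddress.ip_network(
        f"{address}/{classful_mask(address)}", strict=False)
    # Entries are keyed by the classful network written without its
    # trailing zero octets, e.g. "158.145" for 158.145.0.0.
    octets = str(classful.network_address).split(".")
    key = ".".join(octets[: classful.prefixlen // 8])
    mask = netmasks.get(key, classful_mask(address))
    return ipaddress.ip_network(f"{address}/{mask}", strict=False)


def subnet_facts(network, mask):
    """Network, broadcast and usable range for a block such as the ISP's /28."""
    net = ipaddress.ip_network(f"{network}/{mask}", strict=False)
    hosts = list(net.hosts())
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "first_usable": str(hosts[0]),
        "last_usable": str(hosts[-1]),
        "usable": len(hosts),
        "total": net.num_addresses,
    }


def static_routes(enterprise_gw, attached=("172.16.1.0", "172.16.2.0")):
    """The 'route add net' lines of Step 4: one per class C subnet of
    172.16.0.0 (third octet 1..254, as in the post), skipping the two
    subnets attached directly to the firewall, which leaves 3..254."""
    lines = []
    for third in range(1, 255):
        subnet = f"172.16.{third}.0"
        if subnet in attached:
            continue
        lines.append(f"route add net {subnet} {enterprise_gw} 1")
    return lines


if __name__ == "__main__":
    table = parse_netmasks(NETMASKS_FILE)
    print(subnet_facts(ISP_NETWORK, ISP_MASK))
    print("without netmasks entry:", effective_network("158.145.1.1", {}))
    print("with netmasks entry:   ", effective_network("158.145.1.1", table))
    routes = static_routes(ENTERPRISE_ROUTER)
    print(len(routes), "routes; first:", routes[0], "; last:", routes[-1])
```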
Well that should get you started, I don't think I've forgotten anything but...until it works you never know.

----------------------------
Neil Mackie

From owner-firewalls-list Mon Oct 13 07:23:03 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA02098; Mon, 13 Oct 1997 06:38:20 -0700 (PDT)
Received: from relay.hq.tis.com (relay.hq.tis.com [192.94.214.100]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id GAA02090 for ; Mon, 13 Oct 1997 06:38:11 -0700 (PDT)
Received: by relay.hq.tis.com; id JAA11916; Mon, 13 Oct 1997 09:46:36 -0400 (EDT)
Received: from clipper.hq.tis.com(10.33.1.2) by relay.hq.tis.com via smap (4.0) id xma011893; Mon, 13 Oct 97 09:46:24 -0400
Received: from gildor.hq.tis.com (firewall-user@relay.hq.tis.com [10.33.1.1]) by clipper.hq.tis.com (8.7.5/8.7.3) with SMTP id JAA04341; Mon, 13 Oct 1997 09:36:08 -0400 (EDT)
Message-Id: <3.0.3.32.19971013093128.0073949c@localhost>
X-Sender: avolio@localhost
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Mon, 13 Oct 1997 09:31:28 -0400
To: "Messano, Jim" , "'Firewalls Q?'"
From: Frederick M Avolio
Subject: Re: To Gauntlet or not to Gauntlet
In-Reply-To: <31E6F4087DC3D0119DF6006097B7704D5E3485@emss01tmp1.ems.lmco.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We resell V-ONE's SmartGate with the Gauntlet firewall. Sounds at first blush like that is what you need.

f

At 08:05 AM 10/10/97 -0700, Messano, Jim wrote:
>I have a customer who wants to setup a LAN for Company employees as well
>as employees of other companies, all of whom will be working together on
>a joint venture project. This LAN will be external to the Company
>Intranet. However, the customer also wants Company employees to be able
>to access the Company's Intranet.
>
>If I insert a Gauntlet between a LAN router and a router to the Company
>Intranet, would I be able to enforce strong, two factor authentication
>(via an ACE server) and then establish a plug-gw so they could access
>all of the same services as if the Company employees were directly
>connected to the Company Intranet, without having to re-authenticate
>themselves for each service? Basically, my customer wants to
>authenticate once, then keep the "pipe" open for all intranet access.
>
>I realize that this implementation, if valid, is alien to the purpose of
>installing a Gauntlet. However, since I need to connect an external LAN
>to the Company intranet and I need to differentiate between the good
>guys and the bad guys, I thought to use the granular filtering of a
>Gauntlet.
>
>The main purpose of the Gauntlet is to not allow non-Company employees
>to access the Intranet. (Yeah, I know I used a double negative. My
>apologies to any English majors who read this note.)
>
>Any comments/suggestions would be welcome.
>
>

From owner-firewalls-list Mon Oct 13 08:14:40 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA09837; Mon, 13 Oct 1997 07:43:18 -0700 (PDT)
Received: from netscape.com (h-205-217-237-46.netscape.com [205.217.237.46]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id HAA09830 for ; Mon, 13 Oct 1997 07:43:13 -0700 (PDT)
Received: from judge.mcom.com (judge.mcom.com [205.217.237.53]) by netscape.com (8.8.5/8.8.5) with ESMTP id HAA05318 for ; Mon, 13 Oct 1997 07:46:08 -0700 (PDT)
Received: from netscape.com ([198.93.95.113]) by judge.mcom.com (Netscape Messaging Server 3.0) with ESMTP id AAA7144 for ; Mon, 13 Oct 1997 07:46:08 -0700
Message-ID: <3442341F.7C7ABAC3@netscape.com>
Date: Mon, 13 Oct 1997 09:45:53 -0500
From: Bill Burns
Reply-To: shadow@netscape.com
Organization: Netscape Communications
X-Mailer: Mozilla 4.03C-NSCP (Macintosh; U; PPC)
MIME-Version: 1.0
To: firewalls-digest@greatcircle.com
Subject: re: FW-1 and ICMP (lack of) statefulness
Content-Type: text/plain; charset=us-ascii; x-mac-type="54455854"; x-mac-creator="4D4F5353"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

"Paul D. Robertson" was quoted as saying:
>As I said, it doesn't maintain state information for ICMP. Other than
>that, I've only recently gotten an evaluation unit to try to re-create
>some attacks that I've heard of. It won't be high on my list, because
>I've personally lost trust in the product, and don't see it as a viable
>choice for the bulk of my security needs in the near future. I also won't
>cast further aspersions on the product without having done my own tests,
>no matter what I've heard, or who I've heard it from.
>
>ICMP state is non-existent as shipped in Firewall-1. Checkpoint has said
>that they didn't see it as important to add an Inspect program for it
>implemented as a default.
>
>It is possible to add Inspect code to make it work "as it should" if
>you're to buy into the state implementation. Personally, I think OOB
>showed it to be fairly flawed methodology-wise, your paranoia may vary.

I can certainly vouch for the fact that ICMP is not handled statefully by FW-1. I was getting a lot of flak from my user base when they wanted to run Vitalsign's NetMedic on their Win95 boxes. (http://www.vitalsigns.com). Because it relies on ICMP traceroute and ping it failed to pass our FW-1 box.

When I looked at the INSPECT code that handles ICMP I was appalled to see that the FW-1 checkbox "allow ICMP" meant "allow ICMP packets; except for ICMP redirect". Yikes! So much for stateful inspection which I had come to know FW-1 for. Turns out that Checkpoint doesn't handle ICMP statefully nor does it handle valid ICMP responses to statefully-tracked UDP or TCP packets.

So, after two weeks of learning the INSPECT language (as best as anyone can learn a language that's not really documented) we came up with our own INSPECT code to handle ping and traceroute packets.

So....in one respect it was certainly nice to be able to check out their code to handle these packets and have the flexibility to add to it to accommodate one's own security policy. On the other hand, it still seems lame to have to go through this trouble.

We're evaluating the PIX box as well just to give it our due diligence, but I must confess that I don't like the feeling of lack of control I have with a black box approach. With FW-1 at least I was able to peek around in their code and tell THEM that something wasn't up to snuff. With black boxes, you're more or less at the mercy of the salesperson or technical support person you're talking to in order to get the straight answer of what they allow.
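An added sketch, in Python rather than INSPECT and not Bill's or Check Point's code, of the state table he describes having to write by hand: an echo reply is admitted only against a recorded echo request, and a time-exceeded or unreachable is matched through the quoted inner header to a tracked UDP/TCP flow or echo, which is what lets ping and traceroute through without a blanket "allow ICMP". The hosts, ports and timeout in the scenario are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# ICMP message types involved (RFC 792 numbering).
ECHO_REPLY, ECHO_REQUEST = 0, 8
DEST_UNREACHABLE, REDIRECT, TIME_EXCEEDED = 3, 5, 11
TRACKED_ERRORS = {DEST_UNREACHABLE, TIME_EXCEEDED}


@dataclass
class Packet:
    """Only the header fields the state table needs (constructed model)."""
    proto: str                         # "icmp", "udp" or "tcp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1
    icmp_id: int = 0
    icmp_seq: int = 0
    inner: Optional["Packet"] = None   # ICMP errors quote the offending datagram


class StatefulIcmp:
    """Record outbound echo requests and UDP/TCP flows; admit inbound ICMP
    only when it answers one of them."""

    def __init__(self, timeout=30.0):
        self.timeout = timeout
        self.echoes = {}   # (src, dst, id, seq) -> time sent
        self.flows = {}    # (proto, src, dst, sport, dport) -> time last seen

    def outbound(self, pkt, now):
        """Record state for an outbound packet; True if it was tracked."""
        if pkt.proto == "icmp" and pkt.icmp_type == ECHO_REQUEST:
            self.echoes[(pkt.src, pkt.dst, pkt.icmp_id, pkt.icmp_seq)] = now
            return True
        if pkt.proto in ("udp", "tcp"):
            self.flows[(pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport)] = now
            return True
        return False

    def _fresh(self, stamp, now):
        return stamp is not None and now - stamp <= self.timeout

    def inbound(self, pkt, now):
        """Decide whether an inbound ICMP packet answers tracked state."""
        if pkt.proto != "icmp":
            raise ValueError("only ICMP is decided here")
        if pkt.icmp_type == ECHO_REPLY:
            # A reply must mirror a request we sent; consume the entry so a
            # replayed or forged duplicate cannot ride on the same state.
            key = (pkt.dst, pkt.src, pkt.icmp_id, pkt.icmp_seq)
            return self._fresh(self.echoes.pop(key, None), now)
        if pkt.icmp_type in TRACKED_ERRORS and pkt.inner is not None:
            # Errors come from an intermediate router, so the outer source
            # cannot be matched; the quoted inner header identifies the flow.
            inner = pkt.inner
            if inner.proto == "icmp":
                key = (inner.src, inner.dst, inner.icmp_id, inner.icmp_seq)
                return self._fresh(self.echoes.get(key), now)
            key = (inner.proto, inner.src, inner.dst, inner.sport, inner.dport)
            return self._fresh(self.flows.get(key), now)
        # Redirects, unsolicited replies and errors without a quoted header.
        return False


def traceroute_scenario():
    """Constructed exchange: one UDP traceroute probe and one ping from an
    inside host, followed by the inbound ICMP that should and should not
    be admitted. Returns a dict of decision name -> allowed."""
    fw = StatefulIcmp()
    inside, target = "172.16.1.10", "198.51.100.7"
    hop, stranger = "203.0.113.1", "192.0.2.9"
    probe = Packet("udp", inside, target, sport=33434, dport=33435)
    ping = Packet("icmp", inside, target, icmp_type=ECHO_REQUEST,
                  icmp_id=7, icmp_seq=1)
    fw.outbound(probe, now=0.0)
    fw.outbound(ping, now=0.0)

    def reply(src):
        return Packet("icmp", src, inside, icmp_type=ECHO_REPLY,
                      icmp_id=7, icmp_seq=1)

    def error(inner):
        return Packet("icmp", hop, inside, icmp_type=TIME_EXCEEDED, inner=inner)

    wrong_port = Packet("udp", inside, target, sport=33434, dport=40000)
    return {
        "time_exceeded_for_probe": fw.inbound(error(probe), now=0.5),
        "time_exceeded_wrong_port": fw.inbound(error(wrong_port), now=0.5),
        "time_exceeded_for_ping": fw.inbound(error(ping), now=0.5),
        "echo_reply": fw.inbound(reply(target), now=0.6),
        "echo_reply_replayed": fw.inbound(reply(target), now=0.7),
        "unsolicited_reply": fw.inbound(reply(stranger), now=0.8),
        "redirect": fw.inbound(Packet("icmp", hop, inside, icmp_type=REDIRECT), now=0.9),
        "stale_error": fw.inbound(error(probe), now=60.0),
    }


if __name__ == "__main__":
    for name, allowed in traceroute_scenario().items():
        print(f"{name:26s} {'allow' if allowed else 'drop'}")
```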
From owner-firewalls-list Mon Oct 13 08:43:57 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA15046; Mon, 13 Oct 1997 08:29:40 -0700 (PDT)
Received: from homer.facm.fit.edu (homer.facm.fit.edu [163.118.70.71]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id IAA15028 for ; Mon, 13 Oct 1997 08:29:28 -0700 (PDT)
From: ccurtis@facm.fit.edu
Received: from localhost (ccurtis@localhost) by homer.facm.fit.edu (8.8.5/8.6.12) with SMTP id LAA25126 for ; Mon, 13 Oct 1997 11:30:09 -0400
Date: Mon, 13 Oct 1997 11:30:08 -0400 (EDT)
X-Sender: ccurtis@homer
To: "'firewalls@greatcircle.com'"
Subject: Re: PIX : big FTP downloads stop a 99% (side-tracked a little)
In-Reply-To: <01BCD513.C818E1A0@home1>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Sorry, I haven't been following this thread. I had the same problem with my Linux firewall - FTP transfers stopping at 99% and never completing. But instead of pulling out an ethernet sniffer I pulled out TFMs. I still disallow ICMP wholly, but FTPs work.

For Linux, the problem is that the module ip_masq_ftp.o (I obviously have a masquerading firewall) has to be insmod'd in order for FTP to work properly if you use modules. If you don't have a modular kernel, this should not be a problem. It should also be noted that kerneld, if loaded, will not autoload this module - it has to be loaded manually. kerneld itself is a whole other can of worms.
;)

Regards,
Christopher

From owner-firewalls-list Mon Oct 13 10:44:15 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA29551; Mon, 13 Oct 1997 10:38:44 -0700 (PDT)
Received: from lexicon.ins.com (lexicon.ins.com [199.0.193.11]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id KAA29544 for ; Mon, 13 Oct 1997 10:38:37 -0700 (PDT)
Received: from test.lib.com ([206.34.216.2]) by lexicon.ins.com (8.7.5/8.7.3) with SMTP id KAA01906; Mon, 13 Oct 1997 10:41:11 -0700 (PDT)
Message-Id: <3.0.2.32.19971013134039.006a2088@199.0.193.11>
X-Sender: betterton@199.0.193.11
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.2 b4 (32)
Date: Mon, 13 Oct 1997 13:40:39 -0400
To: "Denis Koo N.C." , "'Firewalls@GreatCircle.COM'"
From: Brian Betterton
Subject: Re: Radius for Firewall-1 3.0
In-Reply-To:
Mime-Version: 1.0
Content-Type: text/enriched; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

denis,

radius is a protocol. as far as vendor implementations, I've used Funk's Steel-Belted, Shiva's, and Novell's. there are several others, including Livingston (who wrote the spec), Merit, Sebring. All the ones I've tested work fine with Checkpoint 3.0a. each has its own pros/cons. look for what platforms it runs on, logging, proxying capabilities, etc, and match to meet best what you need, then eval/test.

brian

At 06:42 PM 10/13/97 +0800, Denis Koo N.C. wrote:
>any information on the Radius server that is already certifiy or works
>with firewall-1 3.0?
>
>cheers
>
>denis
>
>
=======================================================
Brian D.
Betterton                       email: brian_betterton@ins.com
Network Systems Consultant      http://www.ins.com
International Network Services  voice: (617) 376-2450 x244
300 Crown Colony Drive          fax:   (617) 376-2458
Quincy, MA 02169

From owner-firewalls-list Mon Oct 13 12:44:10 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA07303; Mon, 13 Oct 1997 12:32:38 -0700 (PDT)
Received: from palrel3.hp.com (palrel3.hp.com [156.153.255.219]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id MAA07281 for ; Mon, 13 Oct 1997 12:32:31 -0700 (PDT)
Received: from hpuamsa.neth.hp.com (hpuamsa.neth.hp.com [15.162.8.150]) by palrel3.hp.com (8.8.5/8.8.5tis) with ESMTP id MAA01396 for ; Mon, 13 Oct 1997 12:35:26 -0700 (PDT)
Received: from tavdvalk.neth.hp.com (namdynams81.neth.hp.com) by hpuamsa.neth.hp.com with ESMTP (1.37.109.16/15.5+ECS 3.3) id AA275730834; Mon, 13 Oct 1997 21:27:14 +0200
Message-Id: <344285AA.CFD3A24E@neth.hp.com>
Date: Mon, 13 Oct 1997 21:33:46 +0100
From: Arjan van der Valk
Organization: Hewlett-Packard Nederland B.V.
X-Mailer: Mozilla 4.01 [en] (Win95; I)
Mime-Version: 1.0
To: firewalls@greatcircle.com
Subject: firewall-I and eliashim antivirus
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

My customer has a HP-UX system with Firewall-I 3.0b installed on it. They have an external mail-relay (latest sendmail) in the DMZ and a NT box with the Eliashim anti-virus software running on it (version 1.30). We defined the security server for SMTP and defined everything according to the documentation. The moment we install the rule for the virusscanning, mail will NOT come through anymore. We tested with a telnet on port 25 and used SendMail commands (HELO, MAIL FROM and RCPT TO).
The moment we type RCPT TO and give a valid e-mail address, the SMTP security server from CheckPoint says "Mailbox unavailable" and will not deliver the mail. Has anyone ever encountered this problem before? We defined the external mail-relay as default server in the 'smtp.conf' file, CheckPoint told us to do so, but it still didn't work!

Thanks a lot in advance,

Arjan!

--
Arjan van der Valk
Hewlett-Packard Nederland B.V.
tel.: +31-20-547 6583
e-mail: arjan-van-der_valk@hp.com

Do or do not. There is no 'try'. Yoda ('The Empire strikes back')

From owner-firewalls-list Mon Oct 13 12:59:18 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA08136; Mon, 13 Oct 1997 12:44:46 -0700 (PDT)
Received: from MAIL2 (dns2.cvtci.com.ar [24.232.0.18]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id MAA08129 for ; Mon, 13 Oct 1997 12:44:39 -0700 (PDT)
Received: from involcable - 24.232.0.17 by cvtci.com.ar with Microsoft SMTPSVC; Mon, 13 Oct 1997 16:49:29 -0300
Message-ID: <34427B04.298FD6A5@cvtci.com.ar>
Date: Mon, 13 Oct 1997 16:48:20 -0300
From: Silvina Di Como
Organization: CableVision-TCI
X-Mailer: Mozilla 4.01 [en] (WinNT; I)
MIME-Version: 1.0
To: firewalls@greatcircle.com
Subject: (no subject)
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

remove

From owner-firewalls-list Mon Oct 13 13:15:14 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA09863; Mon, 13 Oct 1997 13:03:58 -0700 (PDT)
Received: from quechua.inka.de (quechua.inka.de [193.197.84.5]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id NAA09853 for ; Mon, 13 Oct 1997 13:03:46 -0700 (PDT)
Received: from uu.inka.de [193.197.84.8] by quechua.inka.de with smtp id 0xKqkS-0002Ta-00; Mon, 13 Oct 1997 22:05:52 +0200
Received: from lina.inka.de (lists@lina.inka.de) by uu.inka.de with bsmtp (S3.1.29.1) id ;
Mon, 13 Oct 97 22:05 MET DST Received: by lina.inka.de id m0xKqUN-00014AC (Debian Smail-3.2 1996-Jul-4 #2); Mon, 13 Oct 1997 21:49:15 +0200 (CEST) Message-Id: Date: Mon, 13 Oct 1997 21:49:14 +0200 From: Bernd Eckenfels To: Rik Hemsley Cc: Firewalls@GreatCircle.COM Subject: Re: Promiscuous mode References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.67 In-Reply-To: ; from Rik Hemsley on Mon, Oct 13, 1997 at 01:24:39PM +0000 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello, On Oct 13, Rik Hemsley wrote > I get the idea, but what kind of workarounds are > there, aside from encrypting every communication ? Use Routers or Switches between subnets, then a host on one subnet can't sniff on the other (with promisc mode interfaces, since the packets never reach the host's NIC). This is especially handy for making sure that the firewall will never see any local traffic (by putting a router between the local net and the firewall). Switches will smartly route Traffic based on the Ethernet Address. If you put one host at each Port this will minimize the possibility of sniffing. Of course both are only true for switches and routers which can't be re-configured. > A sniffer needs a machine to run on; and to read packets > over the local net, it needs to be inside, right ? > ( or can it spoof ? ) The sniffer itself needs to "see" the packets. But one might be able to "reroute" the traffic (for example spoofing routing-protocol packets). It may also be possible to use remote sniffing capabilities (rmon). > Is it ever necessary for an interface to be in promisc. > mode and if not, how do you 'switch it off ?' It might be necessary if you have Multicast Traffic on your Network and NICs which don't support Multicasting natively. I have heard rumours about NICs with a switch to disable promisc Mode. In Unix you can patch the Kernel to never set the Interface to promisc mode. 
(Be aware that promisc mode is not necessarily needed to sniff traffic. False ARP responses can redirect packets, too). Greetings Bernd -- (OO) -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de -- ( .. ) ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/ o--o *plush* 2048/93600EFD eckes@irc +4972573817 BE5-RIPE (O____O) If privacy is outlawed only Outlaws have privacy From owner-firewalls-list Mon Oct 13 13:43:48 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA14205; Mon, 13 Oct 1997 13:37:12 -0700 (PDT) Received: from endeavor.flash.net (endeavor.flash.net [209.30.0.40]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id NAA14190 for ; Mon, 13 Oct 1997 13:37:06 -0700 (PDT) Received: from default (FuGe@sdsh8-133.flash.net [209.30.94.133]) by endeavor.flash.net (8.8.5/8.8.5) with SMTP id PAA23060; Mon, 13 Oct 1997 15:38:41 -0500 (CDT) Message-ID: <199710130138400080.001E0730@mail.flash.net> X-Mailer: Calypso Evaluation Version 2.30.23 Date: Mon, 13 Oct 1997 01:38:40 -0700 From: "travis" To: succesor@mnl.sequel.net, adam@homeport.org, ahuger@silence.secnet.com Cc: firewall-wizards@nfr.com, firewalls@GreatCircle.COM (Firewalls mailing list) Subject: BIG linux problem. Sender: firewalls-owner@GreatCircle.COM Precedence: bulk hi, i just installed linux on my computer... formerly, i ran win95... now, i have a problem running linux at all! i have no idea how to run the program... please help me if you know how i can... the boot disk just froze when i tried to run it. 
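Bernd's closing caveat above (a host needs no promiscuous interface to sniff if it can send false ARP replies and have the traffic redirected to itself) is the thing a switched or VLAN'd network does not protect against. The following is an added example for this archive, not code from Bernd or any other poster: it takes a constructed log of ARP replies as (seconds, sender IP, sender MAC) records, such as a sniffer or a periodic `arp -an` dump could give you, and reports the patterns of a cache-poisoning attempt: an IP whose MAC changes, a second MAC answering for the gateway, and one MAC claiming the gateway plus other hosts. The gateway address and the sample records are assumptions.

```python
"""Spot false ARP replies in a log of (seconds, sender IP, sender MAC) records.

Added example for this thread, not code from any poster. The record format,
the gateway address and the sample replies are all constructed assumptions.
"""
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"   # assumption: the segment's default router

# Constructed sample: (seconds, sender IP, sender MAC) taken from ARP replies.
SAMPLE_REPLIES = [
    (0,  "192.168.1.1",  "00:00:0c:aa:bb:01"),   # the real router
    (1,  "192.168.1.20", "00:a0:c9:11:22:20"),
    (2,  "192.168.1.21", "00:a0:c9:11:22:21"),
    (30, "192.168.1.1",  "00:a0:c9:11:22:21"),   # .21's NIC now answers for the router
    (31, "192.168.1.20", "00:a0:c9:11:22:21"),   # ...and for .20 (man in the middle)
    (60, "192.168.1.1",  "00:00:0c:aa:bb:01"),   # the router answers again
]


def analyze_arp(replies, gateway_ip=GATEWAY_IP):
    """Return alerts as (seconds, kind, detail) tuples, in log order.

    ip_mac_change          an IP previously bound to a different MAC
    gateway_impersonation  a MAC other than the first-seen gateway MAC
                           answered for the gateway IP
    mac_multi_ip           one MAC now claims the gateway plus other hosts
                           (reported once per newly claimed address)
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    gateway_mac = None
    alerts = []
    for t, ip, mac in replies:
        mac = mac.lower()
        if ip == gateway_ip and gateway_mac is None:
            gateway_mac = mac            # trust the first answer we saw
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append((t, "ip_mac_change", f"{ip}: {prev} -> {mac}"))
        if ip == gateway_ip and mac != gateway_mac:
            alerts.append((t, "gateway_impersonation", f"{mac} answered for {ip}"))
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            claimed = mac_to_ips[mac]
            if len(claimed) > 1 and gateway_ip in claimed and mac != gateway_mac:
                alerts.append((t, "mac_multi_ip", f"{mac} claims {sorted(claimed)}"))
    return alerts


def suspect_macs(alerts):
    """MACs that answered for the gateway without being the first-seen one."""
    return {detail.split()[0] for _, kind, detail in alerts
            if kind == "gateway_impersonation"}


if __name__ == "__main__":
    found = analyze_arp(SAMPLE_REPLIES)
    for t, kind, detail in found:
        print(f"t={t:>3}s {kind:<22} {detail}")
    print("suspect MACs:", sorted(suspect_macs(found)))
```

Trusting the first answer seen for the gateway is the weak point of this scheme: run it from a host whose cache was good at start-up, or seed `gateway_mac` from the router's documented address instead. A legitimate router also answers for several IPs, which is why `mac_multi_ip` is only raised for a MAC that is not the trusted gateway MAC.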
From owner-firewalls-list Mon Oct 13 14:50:34 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA06121; Mon, 13 Oct 1997 14:30:39 -0700 (PDT) Received: from out1.ibm.net (out1.ibm.net [165.87.194.252]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id OAA06092 for ; Mon, 13 Oct 1997 14:30:25 -0700 (PDT) Received: from brutus.ibm.net (slip129-37-49-98.dc.us.ibm.net [129.37.49.98]) by out1.ibm.net (8.8.5/8.6.9) with SMTP id VAA09798; Mon, 13 Oct 1997 21:33:13 GMT Reply-To: "Luke Gill" From: "Luke Gill" To: "Rik Hemsley" , Subject: Re: Promiscuous mode Date: Mon, 13 Oct 1997 17:28:20 -0400 Message-ID: <01bcd81e$eda58f00$62312581@brutus.ibm.net> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.71.1712.3 X-MimeOLE: Produced By Microsoft MimeOLE V4.71.1712.3 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This is interesting, because I am having the opposite problem. I have installed two Interphase FDDI SAS cards in my Ultra 1 running Gauntlet 3.2a and running gated version 3.5.5. I cannot get gated to "hear" the routers unless I have snoop running on each interface to put the card in promiscuous mode. How do I put the card in promiscuous mode by default? Or is there a better way to get gated to listen for the OSPF multicasts? Luke -----Original Message----- From: Rik Hemsley To: Firewalls@GreatCircle.COM Date: Monday, October 13, 1997 9:35 AM Subject: Promiscuous mode >Hi, I'm new to the list. > >During my security self-teaching process, I've >heard about network interfaces being in 'promiscuous' >mode.. and this being a Bad Thing(tm) > >I get the idea, but what kind of workarounds are >there, aside from encrypting every communication ? > >A sniffer needs a machine to run on; and to read packets >over the local net, it needs to be inside, right ? >( or can it spoof ? 
) > >Is it ever necessary for an interface to be in promisc. >mode and if not, how do you 'switch it off ?' > >Thanks in advance, >Rik > > > >========================================================================== >PostOne tip: Too busy at work? Use AutoReply to let senders know >Check it out at http://www.post1.com/cgi-bin/member/pshowauto >========================================================================== > > From owner-firewalls-list Mon Oct 13 15:02:08 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA09467; Mon, 13 Oct 1997 14:56:13 -0700 (PDT) Received: from brickbat9.mindspring.com (brickbat9.mindspring.com [207.69.200.12]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id OAA09381 for ; Mon, 13 Oct 1997 14:55:48 -0700 (PDT) Received: from dell-133c (ACCS-AS43-DP09.DLLS.grid.net [206.80.176.226]) by brickbat9.mindspring.com (8.8.5/8.8.5) with SMTP id RAA01601 for ; Mon, 13 Oct 1997 17:58:44 -0400 (EDT) Message-Id: <3.0.3.32.19971013165741.007cda80@mail.io.com> X-Sender: ryan@mail.io.com X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Mon, 13 Oct 1997 16:57:41 -0500 To: firewalls@GreatCircle.COM From: Ryan Bullock Subject: Installing a firewall Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, I'm new to the list. I need to set up a firewall for my department, however, I need to protect sensitive information on the intranet and leave the internet server open to the public. It was explained to me that a firewall would protect all the servers on a network (and thus our internet server would be protected, which we don't want). Incidentally, our internet address is www.opt.uh.edu and our intranet address is intranet.opt.uh.edu Additionally, we want to set up a password entry for those not accessing the intranet from our domain (I believe this would be IP filtering). 
What would be a good package to do this on an Win NT server running MS IIS 3.0? -- Ryan Bullock University of Houston College of Optometry From owner-firewalls-list Mon Oct 13 15:03:30 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA07656; Mon, 13 Oct 1997 14:41:03 -0700 (PDT) Received: from darkstar.noc.credo.net (darkstar.noc.credo.net [199.107.168.9]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id OAA07580 for ; Mon, 13 Oct 1997 14:40:46 -0700 (PDT) Received: from cer.credo.net ([199.107.169.102]) by darkstar.noc.credo.net via smtpd (for honor.greatcircle.com [198.102.244.44]) with SMTP; 13 Oct 1997 21:42:39 UT Received: by cer.office.credo.net with Internet Mail Service (5.0.1458.49) id <45XYRN7N>; Mon, 13 Oct 1997 14:34:27 -0700 Message-ID: <21355A7DCA15D111A2DD0040051475231329@cer.office.credo.net> From: John Whittaker To: "'firewalls@greatcircle.com'" Subject: RE: Keyword filtering of email through firewall Date: Mon, 13 Oct 1997 14:34:25 -0700 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.49) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk hi, you might want to consider a 'trusted intermediary' like saic's gatekeyper. i don't remember their url, but we have a brochure about it on our page. http://zoneoftrust.com/html/beyondfw.html best, john. > ---------- > From: Davis, Rob[SMTP:rdavis@lucentncg.com] > Sent: Thursday, October 09, 1997 9:03 AM > To: 'firewalls@greatcircle.com' > Cc: Galvin, Dean > Subject: RE: Keyword filtering of email through firewall > > This is tangentially related to firewalls, so I apologize in advance. > If anyone knows of a more appropriate venue for this, please let me > know. > > I have a multi-national customer with approximately 200 sites that > will > soon be connected with a WAN and additionally have Internet access > through some yet to be determined firewall. 
> > They would like a mechanism that would allow them to detect > incoming/outgoing Internet mail that did not meet "company policies". > This could be sexual content, frivolous material, trade secrets, etc. > The obvious places to check are the firewall and mail server(s). > > I realize that there are still a million ways to get the info out and > it's probably a bad idea, but I'm curious about potential commercial > or > custom-built applications and the price. > > Thanks in advance for your help. > > regards, > > Rob > >________________________________ > >Rob Davis > >Lucent Technologies, Network Consulting Group > >Network Consultant > >http://www.lucentncg.com > >(972) 419-3815 > >1-800-SKY-PAGE #126-9384 > From owner-firewalls-list Mon Oct 13 15:04:42 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA09096; Mon, 13 Oct 1997 14:53:03 -0700 (PDT) Received: from mail.proper.com (mail.proper.com [206.86.127.224]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id OAA09077 for ; Mon, 13 Oct 1997 14:52:56 -0700 (PDT) Received: from dcrocker-omni (equant-208-212-202-81.ipass.com [208.212.202.81]) by mail.proper.com (8.8.7/8.7.3) with SMTP id OAA27496; Mon, 13 Oct 1997 14:52:23 -0700 (PDT) Message-Id: <3.0.3.32.19971008191154.0075cff4@imc.org> X-Sender: dhcmail@imc.org (Unverified) X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Wed, 08 Oct 1997 19:11:54 +0200 To: "David Glosser" From: Dave Crocker Subject: Re: Internet email security & r Cc: "firewalls" In-Reply-To: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 04:19 PM 10/7/97 -0500, David Glosser wrote: >Are there any white papers, studies, hard facts, etc. that are related to the >lack of security and reliability of internet e-mail and why it is not >appropriate for corporate use? 
As noted by others, your question is slanted towards the assumption that Internet mail is inappropriate for use by business, yet business uses Internet mail extensively. Please feel free to visit the IMC website for assorted information. As I recall, powerpoint slides for a presentation on just this topic are among the material we've posted. Concerns for reliability of Internet mail are universally unfounded... as long as originator and recipient are using competent Internet service providers and/or are administering their own Internet gateways properly. Almost all reports of reliability problems for Internet mail are from badly run relays or gateways. On the matter of security, as noted, snap-on tools for high-quality privacy and authentication are available, via PGP and, just coming out, S/MIME. Services for legal certification (non-repudiation) of sending by the originator or receipt by the addressee, along the lines of the postal registered return receipt, are not in place but are being explored. d/ -------------------- Dave Crocker dcrocker@brandenburg.com Brandenburg Consulting +1 408 246 8253 675 Spruce Dr. 
fax: +1 408 249 6205 Sunnyvale, CA 94086 USA http://www.brandenburg.com Internet Mail Consortium info@imc.org, http://www.imc.org From owner-firewalls-list Mon Oct 13 17:17:21 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id RAA00152; Mon, 13 Oct 1997 17:11:15 -0700 (PDT) Received: from endeavor.flash.net (endeavor.flash.net [209.30.0.40]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id RAA00133 for ; Mon, 13 Oct 1997 17:11:05 -0700 (PDT) Received: from default (sdsh3-214.flash.net [209.30.92.214]) by endeavor.flash.net (8.8.5/8.8.5) with SMTP id TAA16013 for ; Mon, 13 Oct 1997 19:13:58 -0500 (CDT) Message-ID: <199710131656590090.00421FA6@mail.flash.net> X-Mailer: Calypso Evaluation Version 2.30.23 Date: Mon, 13 Oct 1997 16:56:59 -0700 From: "travis" To: firewalls@GreatCircle.COM Subject: Re: Installing a firewall Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >I need to set up a firewall for my department, >however, I need to protect sensitive information >on the intranet and leave the internet server >open to the public. It was explained to me that >a firewall would protect all the servers on a >network (and thus our internet server would be >protected, which we don't want). to do this, you CAN set up specific host names which will be the only ones able to access the system... what this does is read the incoming ip and see if it is on the list, then connect; if you are not in that local server, the system won't let you in... 
FuGe e-mail: wardt@flash.net wardt@playground.bishops.com Support the Blue Ribbon Campaign for Free Speech on the Internet From owner-firewalls-list Mon Oct 13 17:31:29 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id RAA01848; Mon, 13 Oct 1997 17:22:58 -0700 (PDT) Received: from duq3b.cc.duq.edu (duq3b.cc.duq.edu [165.190.9.208]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id RAA01826 for ; Mon, 13 Oct 1997 17:22:51 -0700 (PDT) From: SHOCK9881@duq3.cc.duq.edu Date: Mon, 13 Oct 1997 20:28:36 -0400 (EDT) To: firewalls@greatcircle.com Message-ID: <876788916.564571.SHOCK9881@duq3.cc.duq.edu> Mail-System-Version: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk remove From owner-firewalls-list Mon Oct 13 21:46:26 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id VAA26189; Mon, 13 Oct 1997 21:40:45 -0700 (PDT) Received: from mtigwc04.worldnet.att.net (mtigwc04.worldnet.att.net [204.127.131.33]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id VAA26180 for ; Mon, 13 Oct 1997 21:40:38 -0700 (PDT) Received: from default ([12.64.126.136]) by mtigwc04.worldnet.att.net (post.office MTA v2.0 0613 ) with ESMTP id AAA6012; Tue, 14 Oct 1997 04:43:37 +0000 Reply-To: From: "Narednik" To: "Lars Bertelsen" Cc: Subject: Re: PIX and other "Black boxes" vs normal firewalls. 
Date: Mon, 13 Oct 1997 21:43:42 -0700 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1162 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_01BCD821.13151380" Content-Transfer-Encoding: 7bit Message-ID: <19971014044336.AAA6012@default> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This is a multi-part message in MIME format. ------=_NextPart_000_01BCD821.13151380 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Dear Mr. Bertelsen, Somehow, by mistake, this message was forwarded to me. I'll cc: it to the intended recipient. Have a nice day! Sincerely, Ivan ---------- > From: Lars Bertelsen > To: firewalls@GreatCircle.COM > Subject: Re: PIX and other "Black boxes" vs normal firewalls. > Date: Saturday, October 11, 1997 1:06 AM > > In your message you write: > > >I am relatively new to firewalls (I have set up several with the TIS fwtk and > >managed some others) and I am running into management that is saying we > >need to > >replace the Unix based firewalls with "black-box" firewalls (the CISCO PIX > >being > >used as an example). I would like to get info from both sides of the issue > >before deciding which way to jump. > > > >Current arguments are. > > > >1. black-boxes are more secure as they do not run Unix which everyone > >knows and > >which has unknown security holes in it. > > > Black boxes may have holes in them too. Blackboxes run off software and > software has bugs! > Cisco have made many bugfixes to their operating system over time. > Oh, and Cisco's run on a small unix or very unix-like OS! > The difference between Unix based firewalls and blackboxes in this respect > is that if a blackbox has a hole in it, only the manufacturer can confirm > and fix it. It is not that holes aren't existent! > > Oh, and Unix doesn't have security holes as far as I know... 
Certain > servers running under Unix have security holes, but that is something > entirely different. Don't run anything on your Unix box which isn't both > safe and necessary! > That way Unix is safe. > > > >2. black-boxes require less time to manage reducing the need for > >firewall/security staff. > No comment. I haven't set up a Cisco PIX. > But I would assume that if it does as many things as a Unix based firewall > then it will take roughly as much setup and maintenance. > A router takes less setup than an application-firewall because it only does > one thing: Filter on packets. > > > > > >3. Unix based firewalls are more flexible as they can be tailored to the > >specific application better than what the "black-box" designers decided was > >needed. > True. You can install and deinstall just what you want on a Unix box. > > Which sort of introduces : > 4) Blackboxes are safer in inexperienced hands because you _can't_ change > so much about them! > > > Lars Bertelsen > Gartnervang 29 tlf. 4635 1115 > 4000 Roskilde, DK e-mail of choice: lbe@login.dknet.dk

From owner-firewalls-list Tue Oct 14 04:16:28 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA14200; Tue, 14 Oct 1997 02:41:04 -0700 (PDT) Received: from corpus.cz (ns.corpus.cz [194.213.34.200]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id CAA14152 for ; Tue, 14 Oct 1997 02:40:39 -0700 (PDT) Received: from ws14.corpus.cz (marek@marek [194.213.34.219]) by corpus.cz (8.8.7/8.8.7) with ESMTP id LAA00976 for ; Tue, 14 Oct 1997 11:43:33 +0200 (MET DST) Received: (from marek@localhost) by ws14.corpus.cz (8.8.3/8.8.5) id LAA00228; Tue, 14 Oct 1997 11:43:28 +0200 Message-ID: <19971014114326.38447@corpus.cz> Date: Tue, 14 Oct 1997 11:43:26 +0200 From: Marek Kubita To: firewalls@GreatCircle.COM Subject: Re: POP across a firewlll... Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.84e In-Reply-To: ; from Ralf Thomas Klar on Fri, Oct 10, 1997 at 01:04:58PM +0200 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, Oct 10, 1997, Ralf Thomas Klar wrote: > I use this configuration: > > - - allow ssh-connections through the firewall > - - the user, who wants to pop mail, invokes ssh with > port-forwarding (port 110 from pop-server is forwarded > to e.g. 4711 on his localhost) > - - the user connects the pop-client to port 4711 on the > localhost If you are using ssh forwarding, make sure that the client machines have some packet filtering package installed and used. Otherwise anybody could connect to the client's port 4711 (or do a port scan for listening high ports) and will be tunnelled to the pop server inside the firewall. Or is there an option which would tell ssh to listen for forwarded ports on localhost only? It would be handy. . Marek Kubita, Corpus spol.s r.o., Praha 10, Sluzeb 4 : : Czech Republic . : tel. +420-2-771990, 701719, 701748, fax 704814 . 
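Marek's worry above is that a forwarded port such as 4711 may be listening on every interface of the client, so anyone who can reach the client gets a tunnel to the POP server behind the firewall. Two things worth knowing that the thread does not state: in current OpenSSH the local forward syntax is `-L [bind_address:]port:host:hostport`, and with `GatewayPorts` at its default of `no` the listener is bound to the loopback address even when no bind address is given. The check below is an added example for this archive, not code from any poster: it parses constructed `ss -ltn` style output from the client (the tool, the sample lines and the list of forwarded ports are assumptions), reports forwarded ports that are reachable from the network, and builds the explicit loopback `-L` argument to rebind them with.

```python
"""Audit a client for ssh -L forwards that are not bound to loopback only.

Added example for this thread, not code from any poster. It assumes
`ss -ltn` style output (constructed sample below) and a known list of
the local ports that were given to ssh -L.
"""
import ipaddress

# Constructed sample of `ss -ltn` output on the ssh client machine.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     127.0.0.1:4711       0.0.0.0:*
LISTEN  0       128     0.0.0.0:4712         0.0.0.0:*
LISTEN  0       128     [::]:4713            [::]:*
LISTEN  0       128     [::1]:4714           [::]:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
"""

FORWARDED_PORTS = {4711, 4712, 4713, 4714}   # assumption: ports given to ssh -L


def split_addr_port(field):
    """Split 'host:port' or '[v6addr]:port' into (host, port)."""
    host, _, port = field.rpartition(":")
    return host, int(port)


def parse_ss_listen(text):
    """Return [(local_host, local_port)] for the LISTEN lines of ss -ltn output."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue                      # header line or something else
        listeners.append(split_addr_port(parts[3]))
    return listeners


def is_loopback_only(host):
    """True if the listener can only be reached from the local machine."""
    if host in ("*", "0.0.0.0", "[::]", "::"):
        return False                      # wildcard bind: every interface
    return ipaddress.ip_address(host.strip("[]")).is_loopback


def exposed_forwards(listeners, forwarded_ports):
    """Forwarded ports that other hosts can connect to, sorted."""
    return sorted((host, port) for host, port in listeners
                  if port in forwarded_ports and not is_loopback_only(host))


def ssh_forward_spec(local_port, remote_host, remote_port, bind="127.0.0.1"):
    """Build the -L argument with an explicit loopback bind address."""
    return f"{bind}:{local_port}:{remote_host}:{remote_port}"


if __name__ == "__main__":
    found = exposed_forwards(parse_ss_listen(SAMPLE_SS_OUTPUT), FORWARDED_PORTS)
    for host, port in found:
        print(f"port {port} is bound to {host} and reachable from the network; "
              f"rebind with: ssh -L {ssh_forward_spec(port, 'popserver', 110)} gateway")
    if not found:
        print("all forwarded ports are loopback-only")
```

Run it on the client after the ssh session is up. A listener on `0.0.0.0` or `[::]` is the case Marek describes; the packet filter he suggests is still a reasonable second layer, but binding the forward to `127.0.0.1` removes the exposure at the source.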
From owner-firewalls-list Tue Oct 14 04:46:25 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id EAA21905; Tue, 14 Oct 1997 04:25:13 -0700 (PDT) Received: from mailgw1.br.ibm.com (igw1.br.ibm.com [32.96.196.66]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id EAA21889 for ; Tue, 14 Oct 1997 04:25:03 -0700 (PDT) From: d24bml02/24/M/IBM@br.ibm.com Received: from mailhub1.br.ibm.com (mailhub1.br.ibm.com [9.179.254.168]) by mailgw1.br.ibm.com (8.8.7/MGw 3.0) with SMTP id JAA07334?u for ; Tue, 14 Oct 1997 09:27:12 -0400 Received: from d24mta01.br.ibm.com by mailhub1.br.ibm.com (AIX 4.1/UCB 5.64/05Oct97) id AA57520; Tue, 14 Oct 1997 09:22:35 -0200 Received: by d24mta01.br.ibm.com(Lotus SMTP MTA v1.1b1 (341.13 3-12-1997)) id 02256530.003EB2F9 ; Tue, 14 Oct 1997 09:24:50 -0200 X-Lotus-Fromdomain: IBMBR To: Firewalls@GreatCircle.COM Message-Id: <02256530.003E8FA8.00@d24mta01.br.ibm.com> Date: Tue, 14 Oct 1997 09:23:20 -0200 Subject: Esthon F Medeiros/Brazil/IBM is out of the office. Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk d24bml02@IBMBR 14/10/97 09:23 I am out of the office from 13/10/97, returning 03/11/97. You will receive only this notification of my absence prior to my return, at which time I will respond. Any urgent matter please contact: from 13/10/97 to 17/10/97: Luiz Mendes at phone 55-21-271-2443. from 20/10/97 to 31/10/97: Wilson Gellacic at phone 55-11-886-3495. 
From owner-firewalls-list Tue Oct 14 06:02:12 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA02348; Tue, 14 Oct 1997 05:31:19 -0700 (PDT) Received: from mclo10.med.navy.mil (mclo10.med.navy.mil [164.167.86.10]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id FAA02329 for ; Tue, 14 Oct 1997 05:31:11 -0700 (PDT) Received: from mclo60.med.navy.mil (mclo60.med.navy.mil [164.167.86.60]) by mclo10.med.navy.mil (8.7.6/8.7.3) with SMTP id IAA05975; Tue, 14 Oct 1997 08:36:57 -0400 Received: by mclo60.med.navy.mil with Microsoft Mail id <01BCD87C.23B65EF0@mclo60.med.navy.mil>; Tue, 14 Oct 1997 08:35:34 -0400 Message-ID: <01BCD87C.23B65EF0@mclo60.med.navy.mil> From: Bob Resino To: "'Bernd Eckenfels'" , Rik Hemsley Cc: "Firewalls@GreatCircle.COM" Subject: RE: Promiscuous mode Date: Tue, 14 Oct 1997 08:35:33 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Actually, there are a few points here to disagree with. Switches don't route. They switch. One of the ways we use switches is to form v-lans. By using a "per-port" configurable hub and presenting all the v-lans to that hub, we are able to connect our sniffer to any segment on the campus from inside the computer room. If you're using a Bay Router with "Blackfish" or "Bluefish", (this is their Virtual Network Routing software), cross segment traffic is presented across v-lans. This would be similar to using E-lans from each switched segment into a Cisco. About the only thing that you can bet on with a switch is that it will break a single broadcast domain into multiple collision domains. The security model just isn't there at Layer 2. Then again, I don't think Layer 3 is security oriented either. Maybe when IPV6. Bob Resino Infrastructure Strategic Planner Medical Construction Liaison Dept. Healthcare Support Office Norfolk, VA 757-953-7400 Ext 322. 
"A foolish consistency is the hobgoblin of little minds, adored by little statesmen and philosophers and divines." Ralph Waldo Emerson -----Original Message----- From: Bernd Eckenfels [SMTP:lists@lina.inka.de] Sent: Monday, October 13, 1997 3:49 PM To: Rik Hemsley Cc: Firewalls@GreatCircle.COM Subject: Re: Promiscuous mode Hello, On Oct 13, Rik Hemsley wrote > I get the idea, but what kind of workarounds are > there, aside from encrypting every communication ? Use Routers or Switches between subnets, then a host on one subnet can't sniff on the other (with promisc mode interfaces, since the packets never reach the host's NIC). This is especially handy for making sure that the firewall will never see any local traffic (by putting a router between the local net and the firewall). Switches will smartly route Traffic based on the Ethernet Address. If you put one host at each Port this will minimize the possibility of sniffing. Of course both are only true for switches and routers which can't be re-configured. > A sniffer needs a machine to run on; and to read packets > over the local net, it needs to be inside, right ? > ( or can it spoof ? ) The sniffer itself needs to "see" the packets. But one might be able to "reroute" the traffic (for example spoofing routing-protocol packets). It may also be possible to use remote sniffing capabilities (rmon). > Is it ever necessary for an interface to be in promisc. > mode and if not, how do you 'switch it off ?' It might be necessary if you have Multicast Traffic on your Network and NICs which don't support Multicasting natively. I have heard rumours about NICs with a switch to disable promisc Mode. In Unix you can patch the Kernel to never set the Interface to promisc mode. (Be aware that promisc mode is not necessarily needed to sniff traffic. False ARP responses can redirect packets, too). Greetings Bernd -- (OO) -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de -- ( .. 
) ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/ o--o *plush* 2048/93600EFD eckes@irc +4972573817 BE5-RIPE (O____O) If privacy is outlawed only Outlaws have privacy From owner-firewalls-list Tue Oct 14 07:01:36 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA09328; Tue, 14 Oct 1997 06:51:19 -0700 (PDT) Received: from callisto ([205.129.215.2]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id GAA09321 for ; Tue, 14 Oct 1997 06:51:14 -0700 (PDT) Message-Id: Date: 14 Oct 1997 09:46:41 -0400 From: "Jerry Edmiston" Subject: Disable port 137/138 To: "Firewalls GreatCircle" X-Mailer: Mail*Link SMTP-QM 4.0.0 Mime-Version: 1.0 Content-Type: text/plain; charset="ISO-8859-1"; Name="Message Body" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Subject: Time: 9:28 AM OFFICE MEMO Disable port 137/138 Date: 10/14/97 My firewall, and network, is being flooded with packets destined for ports 137/138, Windows NT and '95 NetBIOS requests. When PCs arrive we strip NetBIOS from the OS, but the OS still broadcasts for them. Is there any way we can disable these broadcast requests ... thanks in advance ... Jerry ... 
jle9@eci-esyst.com From owner-firewalls-list Tue Oct 14 08:31:47 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA14478; Tue, 14 Oct 1997 07:45:28 -0700 (PDT) Received: from sj-fte02-sun.cisco.com (sj-fte02-sun.cisco.com [171.68.200.96]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id HAA14443 for ; Tue, 14 Oct 1997 07:45:19 -0700 (PDT) Received: (from rbharani@localhost) by sj-fte02-sun.cisco.com (8.6.11/CA/950118) id HAA19867 for Firewalls@GreatCircle.COM; Tue, 14 Oct 1997 07:48:22 -0700 Date: Tue, 14 Oct 1997 07:48:22 -0700 From: Rakesh Bharania Message-Id: <199710141448.HAA19867@sj-fte02-sun.cisco.com> To: Firewalls@GreatCircle.COM Subject: PIX FTP hanging at 99% Sender: firewalls-owner@GreatCircle.COM Precedence: bulk FYI, This is usually caused by one of two things. 1. Lack of PTR records for the global pool (the infamous in-addr.arpa entries) 2. or your "conn" timeout kills the port 21 (FTP "telemetry") port during the file transfer. 
In which case, you should up your conn timeout so that it won't fire until your FTP is done (in other words, if your FTP will take, say, half an hour, set your conn timeout to 45 min).

--
Rakesh Bharania [Th' Cosmic Armadillo]       rakesh@cisco.com
Customer Support Engineer (CSE-Apps)         V:(408) 526-5981
Cisco Systems TAC, San Jose CA               F:(408) 527-8050
          ~/o Semper Ubi Sub Ubi o/~

From owner-firewalls-list Tue Oct 14 09:21:45 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA21435; Tue, 14 Oct 1997 08:57:25 -0700 (PDT)
Received: from fantom.com (fantom.com [204.101.76.2]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id IAA21360 for ; Tue, 14 Oct 1997 08:56:56 -0700 (PDT)
Received: by firewall.fantom.com id <1003>; Tue, 14 Oct 1997 11:55:22 -0400
Message-Id: <97Oct14.115522edt.1003@firewall.fantom.com>
From: Patrick Prue
To: "'Bernd Eckenfels'"
Cc: "'firewalls@GreatCircle.COM'"
Subject: RE: SAP Gateway
Date: Tue, 14 Oct 1997 11:59:24 -0400
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Or was he referring to the Internet Mail Gateway for connecting Sap Office to Internet Mail? If so, what version of R3?

-----Original Message-----
From:	Bernd Eckenfels [SMTP:lists@lina.inka.de]
Sent:	Thursday, October 02, 1997 5:33 PM
To:	Davidson, Grover
Cc:	firewalls@GreatCircle.COM
Subject:	Re: SAP Gateway

Hello,

On Oct 2, Davidson, Grover wrote
> Does anyone here know anything about the SAP Internet gateway?

SAP as in sap-ag.de?

SAP has a program called saprouter, which is used to connect R3 Systems via TCP/IP. Just used an unofficial Linux port to connect our R3 System to SAP's OSS. Works rather well with Linux.

Greetings
Bernd

--
  (OO)      -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de --
 ( .. )  ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/
  o--o     *plush*  2048/93600EFD  eckes@irc  +4972573817  BE5-RIPE
(O____O)  If privacy is outlawed only Outlaws have privacy

From owner-firewalls-list Tue Oct 14 11:02:07 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA04511; Tue, 14 Oct 1997 10:57:03 -0700 (PDT)
Received: from dfw-ix10.ix.netcom.com (dfw-ix10.ix.netcom.com [206.214.98.10]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id KAA04479 for ; Tue, 14 Oct 1997 10:56:53 -0700 (PDT)
From: gbf@dmc10.com
Received: (from smap@localhost) by dfw-ix10.ix.netcom.com (8.8.4/8.8.4) id MAA23231 for ; Tue, 14 Oct 1997 12:59:50 -0500 (CDT)
Date: Tue, 14 Oct 1997 12:59:50 -0500 (CDT)
Message-Id: <199710141759.MAA23231@dfw-ix10.ix.netcom.com>
Received: from trn-nj2-06.ix.netcom.com(206.214.121.70) by dfw-ix10.ix.netcom.com via smap (V1.3) id rma023163; Tue Oct 14 12:59:05 1997
To: firewalls@greatcircle.com
Subject: Database Manager Needed
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Please excuse the intrusion. Your email address was linked to a SQL site on the web. Consequently I thought I'd take a chance and write, perhaps you can help me.

I'm looking to hire an information systems professional out of an insurance environment to handle the actual systems architecture implementation. Individual will have 5+ years experience in database management and have experience in object based technology and SQL server in a windows environment. Position is located in the Hartford, Connecticut area and is with a fast growing and dynamic company that offers an exciting corporate culture, full benefits and an in-house gym. Position will pay up to $100,000 and is a full time position.

If interested, please e-mail back or call Greg Foss at 609-584-1453 ext 270.
From owner-firewalls-list Tue Oct 14 11:16:44 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA02289; Tue, 14 Oct 1997 10:35:50 -0700 (PDT)
Received: from stargate.ctp.com (stargate.ctp.com [149.44.2.10]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id KAA02258 for ; Tue, 14 Oct 1997 10:35:35 -0700 (PDT)
Received: from ctp.com (wormhole.ctp.com [149.44.3.33]) by stargate.ctp.com (8.6.12/8.6.12) with ESMTP id NAA13001 for ; Tue, 14 Oct 1997 13:36:12 -0400
Received: from jaguar.ctp.com (jaguar.ctp.com [149.44.109.17]) by ctp.com (8.8.6/8.8.5) with SMTP id NAA27404 for ; Tue, 14 Oct 1997 13:38:40 -0400 (EDT)
Received: by jaguar.ctp.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BCD8A6.F89EF8F0@jaguar.ctp.com>; Tue, 14 Oct 1997 13:42:10 -0400
Message-ID:
From: Dennis Nwaigbo
To: "'best-of-security@cyber.com.au'" , "'firewalls@GreatCircle.com'"
Subject: Secure Logon System for Windows NT
Date: Tue, 14 Oct 1997 13:42:06 -0400
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Guys,

Has anybody heard about the Secure Logon System for Windows NT? It is based on the Sony Fingerprint Identification Unit (FIU) method for authentication and access. Check out this site and then voice your comments and concerns/feedback:

http://www.iosoftware.com/fiu/

Regards,

Dennis Nwaigbo ( w-e-e-bo )
Cambridge Network Solutions
Cambridge Technology Partners, Inc.
2828 Routh Street Suite 825
Dallas, Texas 75201
Phone: 214-860-1274 , Fax: 214-860-1400
mailto:dnwaig@ctp.com

From owner-firewalls-list Tue Oct 14 11:51:56 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA04098; Tue, 14 Oct 1997 10:49:13 -0700 (PDT)
Received: from gatewayb.anheuser-busch.com (gatewayb.anheuser-busch.com [151.145.250.253]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id KAA04072 for ; Tue, 14 Oct 1997 10:49:01 -0700 (PDT)
Received: by gatewayb.anheuser-busch.com; id MAA06546; Tue, 14 Oct 1997 12:51:24 -0500
Message-Id: <199710141751.MAA06546@gatewayb.anheuser-busch.com>
Received: from stlabcexg002.anheuser-busch.com(151.145.101.152) by gatewayb.anheuser-busch.com via smap (3.2) id xmab06442; Tue, 14 Oct 97 12:51:18 -0500
Received: by STLABCEXG002 with Internet Mail Service (5.0.1458.49) id <47GFM5TM>; Tue, 14 Oct 1997 12:54:47 -0500
From: "Davidson, Grover"
To: "'Bernd Eckenfels'" , Patrick Prue
Cc: "'firewalls@GreatCircle.COM'"
Subject: RE: SAP Gateway
Date: Tue, 14 Oct 1997 12:51:00 -0500
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1458.49)
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I was inquiring about the A and W gateways for SAP R3. As I understand it, it allows for SAP connectivity across a firewall.

Grover

----------
From: Patrick Prue
To: 'Bernd Eckenfels'
Cc: 'firewalls@GreatCircle.COM'
Subject: RE: SAP Gateway
Date: Tuesday, October 14, 1997 10:59AM

Or was he referring to the Internet Mail Gateway for connecting Sap Office to Internet Mail? If so, what version of R3?

-----Original Message-----
From:	Bernd Eckenfels [SMTP:lists@lina.inka.de]
Sent:	Thursday, October 02, 1997 5:33 PM
To:	Davidson, Grover
Cc:	firewalls@GreatCircle.COM
Subject:	Re: SAP Gateway

Hello,

On Oct 2, Davidson, Grover wrote
> Does anyone here know anything about the SAP Internet gateway?

SAP as in sap-ag.de?

SAP has a program called saprouter, which is used to connect R3 Systems via TCP/IP. Just used an unofficial Linux port to connect our R3 System to SAP's OSS. Works rather well with Linux.

Greetings
Bernd

--
  (OO)      -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de --
 ( .. )  ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/
  o--o     *plush*  2048/93600EFD  eckes@irc  +4972573817  BE5-RIPE
(O____O)  If privacy is outlawed only Outlaws have privacy

From owner-firewalls-list Tue Oct 14 12:18:12 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA02119; Tue, 14 Oct 1997 10:34:03 -0700 (PDT)
Received: from mailrelay.atsi.com ([204.209.211.162]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id KAA02099 for ; Tue, 14 Oct 1997 10:33:52 -0700 (PDT)
Received: (from styx@localhost) by mailrelay.atsi.com (8.7.5/8.6.9) id LAA11192 for ; Tue, 14 Oct 1997 11:42:03 -0600
X-Authentication-Warning: cerberus.atsi.com: styx set sender to using -f
Received: from mailhub.atsi.com by mailrelay.atsi.com via smap (V2.0) id xma011185; Tue, 14 Oct 97 11:41:31 -0600
Received: from zeus.atsi.com (BRobinson@atsi.com) by atsi.com (8.8.5/8.6.9) with SMTP id LAA23205; Tue, 14 Oct 1997 11:37:49 -0600 (MDT)
Received: by zeus.atsi.com (SMI-8.6) id LAA11473; Tue, 14 Oct 1997 11:40:56 -0600
Date: Tue, 14 Oct 1997 11:40:56 -0600
Message-Id: <199710141740.LAA11473@atsi.com>
From: Bret Robinson
To: firewalls@greatcircle.com
Subject: VPNs and Windows95/NT clients
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am currently testing two products to allow employees to access our network using VPNs: Gauntlet with PC Extender and DECs AltaVista Tunnel software. Both products use different "design philosophies" in the way the VPNs are configured WRT to the IP stack.

PC Extender is configured such that if the VPN is not "up" you can't access any network resources - you can only access your local PC.
When the VPN is up, you can access all network resources (internal and the Internet at large). The problem is that all Internet destined traffic is sent to the Gauntlet firewall and then passed on to the Internet site. This causes all Internet destined traffic to travel across our company's Internet connection twice - once to the firewall and then again to the Internet.

The AltaVista software only sends encrypted packets to the firewall that are destined for internal hosts - Internet destined packets are sent directly to the host.

I queried the Gauntlet people about their set-up and was told that when the VPN is up, you shouldn't access the Internet as someone can use your PC as a point to access your internal network. Is this true for a Windows95 or NT host? If so, exactly how can this be achieved (assuming no network resources are shared from the Win95/NT machine)?

Thanks for any info (or pointers to web sites that have this info).

Bret Robinson

| Bret Robinson, Snr. System Admin      \ Voice: +1-403-213-8413       |
| Applied Terravision Systems, Inc.     \ Fax:   +1-403-264-2122       |
| Calgary, Alberta Canada               \ Web site: www.atsi.com        |
| BRobinson@atsi.com                    \                               |
| "Keep your stick on the ice"          \___ o <- puck (for US viewers) |

From owner-firewalls-list Tue Oct 14 12:55:30 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA05351; Tue, 14 Oct 1997 11:10:06 -0700 (PDT)
Received: from josephus.furph.com (josephus.furph.com [38.154.194.160]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id LAA05339 for ; Tue, 14 Oct 1997 11:09:58 -0700 (PDT)
Received: from localhost (beckers@localhost) by josephus.furph.com (8.8.0/8.8.0) with SMTP id OAA23689 for ; Tue, 14 Oct 1997 14:13:52 -0400 (EDT)
Date: Tue, 14 Oct 1997 14:13:52 -0400 (EDT)
From: Becki Kain
To: firewalls@GreatCircle.COM
Subject: closing berkeley services
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I have a couple of berkeley machines (nextstep and ultrix) that have a gazillion services defined in /etc/inetd.conf, most of which I cannot find man pages for. Anyone have a nice reference of what I can blow away for better security without messing up the os?
thanks
beckers

From owner-firewalls-list Tue Oct 14 13:47:11 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA05111; Tue, 14 Oct 1997 11:06:55 -0700 (PDT)
Received: from nvt.netvision.net.il (nvt.NetVision.net.il [194.90.6.14]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id LAA05104 for ; Tue, 14 Oct 1997 11:06:45 -0700 (PDT)
Received: from wandor (wandor.NetVision.net.il [194.90.6.37]) by nvt.netvision.net.il (8.8.6/8.7.3) with SMTP id UAA09339; Tue, 14 Oct 1997 20:09:43 +0200 (IST)
Message-Id: <3.0.2.32.19971014201052.009af100@nvt.netvision.net.il>
X-Sender: dorh@nvt.netvision.net.il
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.2 (32)
Date: Tue, 14 Oct 1997 20:10:52 +0200
To: firewalls-digest@GreatCircle.COM
From: Doron Hasid
Subject: sunrpc udp
Mime-Version: 1.0
Content-Type: text/enriched; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

I have this UDP sunrpc coming to my FW1 from an internal Netware server and it's filling my log file at a rate of 3 records per minute. It is random UDP high ports. How can I get rid of that?
thanks

----------------------------------------------------------------------
Doron Hasid
NetVision
Technical support - WAN team
Phone: +972-4-8560550
Fax: +972-4-8551132
---------------------------Netvision ----------------------------

From owner-firewalls-list Tue Oct 14 13:49:45 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA19671; Tue, 14 Oct 1997 12:36:02 -0700 (PDT)
Received: from hotmail.com (F35.hotmail.com [207.82.250.46]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id MAA19528 for ; Tue, 14 Oct 1997 12:35:17 -0700 (PDT)
Received: (qmail 18012 invoked by uid 0); 14 Oct 1997 19:38:21 -0000
Message-ID: <19971014193821.18011.qmail@hotmail.com>
Received: from 15.255.208.3 by www.hotmail.com with HTTP; Tue, 14 Oct 1997 12:38:21 PDT
X-Originating-IP: [15.255.208.3]
From: "S. Fung"
To: firewalls@GreatCircle.com
Subject: IIS behind firewall?
Content-Type: text/plain
Date: Tue, 14 Oct 1997 12:38:21 PDT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We have an NT box running IIS and database. If we put it behind a firewall in a DMZ and let the general public access the web, what is the security concern, if any? Can anybody comment on this configuration?

Thanks!
______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com

From owner-firewalls-list Tue Oct 14 14:40:46 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA12317; Tue, 14 Oct 1997 11:55:45 -0700 (PDT)
Received: from quechua.inka.de (quechua.inka.de [193.197.84.5]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id LAA12130 for ; Tue, 14 Oct 1997 11:54:46 -0700 (PDT)
Received: from uu.inka.de [193.197.84.8] by quechua.inka.de with smtp id 0xLC8l-0003Nr-00; Tue, 14 Oct 1997 20:56:23 +0200
Received: from lina.inka.de (lists@lina.inka.de) by uu.inka.de with bsmtp (S3.1.29.1) id ; Tue, 14 Oct 97 20:56 MET DST
Received: by lina.inka.de id m0xLC88-00014AC (Debian Smail-3.2 1996-Jul-4 #2); Tue, 14 Oct 1997 20:55:44 +0200 (CEST)
Message-Id:
Date: Tue, 14 Oct 1997 20:55:42 +0200
From: Bernd Eckenfels
To: Bob Resino
Cc: "'Bernd Eckenfels'" , Rik Hemsley , "Firewalls@GreatCircle.COM"
Subject: Re: Promiscuous mode
References: <01BCD87C.23B65EF0@mclo60.med.navy.mil>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.67
In-Reply-To: <01BCD87C.23B65EF0@mclo60.med.navy.mil>; from Bob Resino on Tue, Oct 14, 1997 at 08:35:33AM -0400
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello,

switches filter traffic on the MAC level. On different ports of a switch you only see Ethernet broadcasts or packets which are directed to a host on the corresponding port. That's the difference between switches and hubs.

Greetings
Bernd

--
  (OO)      -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de --
 ( .. )  ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/
  o--o     *plush*  2048/93600EFD  eckes@irc  +4972573817  BE5-RIPE
(O____O)  If privacy is outlawed only Outlaws have privacy

From owner-firewalls-list Tue Oct 14 15:31:41 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA28776; Tue, 14 Oct 1997 13:41:25 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id NAA28753 for ; Tue, 14 Oct 1997 13:41:18 -0700 (PDT)
From: doconnell@bigyellow.com
Received: from nircxch1.bigyellow.com by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id NAA08237; Tue, 14 Oct 1997 13:37:52 -0700 (PDT)
Received: from LYNSMTP1 by nircxch1.bigyellow.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.0.1457.7) id T68G5S0D; Tue, 14 Oct 1997 16:47:02 -0400
Received: by Lynsmtp1.bigyellow.com(Lotus SMTP MTA v1.06 (346.8 3-18-1997)) id 85256530.0071FEE0 ; Tue, 14 Oct 1997 16:45:08 -0400
X-Lotus-FromDomain: NIRC
To: firewalls@GreatCircle.COM
Message-ID: <85256530.0071B6ED.00@Lynsmtp1.bigyellow.com>
Date: Tue, 14 Oct 1997 16:44:54 -0400
Subject: port 81??
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Can anyone tell me what port 81 is used for?? All I know is that it is for HOSTS2-NS hosts2 name service. But I haven't been able to find out anything else about this service. Can anyone give me some info?
Thanks,
Donna

From owner-firewalls-list Tue Oct 14 15:36:48 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA00258; Tue, 14 Oct 1997 13:48:22 -0700 (PDT)
Received: from compute.com (compute.compute.com [192.215.246.2]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id NAA29890 for ; Tue, 14 Oct 1997 13:47:32 -0700 (PDT)
Received: from verio.net ([206.67.12.8]) by compute.com (4.1/SMI-4.1) id AA19922; Tue, 14 Oct 97 13:49:26 PDT
Message-Id: <3443DA78.A49F2F01@verio.net>
Date: Tue, 14 Oct 1997 13:47:52 -0700
From: Robert Roell
X-Mailer: Mozilla 4.03 [en] (Win95; U)
Mime-Version: 1.0
To: Marek Kubita
Cc: firewalls@GreatCircle.COM
Subject: Re: POP across a firewlll...
References: <19971014114326.38447@corpus.cz>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I use F-Secure, and it has the "accept local connections only" option, specifically for this reason.

Rob

Marek Kubita wrote:
>
> On Fri, Oct 10, 1997, Ralf Thomas Klar wrote:
>
> > I use this configuration:
> >
> > - - allow ssh-connections through the firewall
> > - - the user, who wants to pop mail, invokes ssh with
> >     port-forwarding (port 110 from pop-server is forwarded
> >     to e.g. 4711 on his localhost)
> > - - the user connects the pop-client to port 4711 on the
> >     localhost
>
> If you are using ssh forwarding, make sure that the client machines have
> some packet filtering package installed and used. Otherwise anybody could
> connect to the client's port 4711 (or do port scan for listening high
> ports) and will be tunnelled to the pop server inside the firewall.
>
> Or is there an option, which would tell ssh to listen for forwarded
> ports on localhost only? It would be handy.
>
> . Marek Kubita, Corpus spol.s r.o., Praha 10, Sluzeb 4 :
> : Czech Republic .
> : tel. +420-2-771990, 701719, 701748, fax 704814 .

--
-------------------------------------------------------------
V E R I O   C O N S U L T I N G   G R O U P
Robert Roell
Senior Internet Engineer
rob@verio.net
Phone 714-450-8400
-------------------------------------------------------------

From owner-firewalls-list Tue Oct 14 17:21:41 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id QAA00899; Tue, 14 Oct 1997 16:34:26 -0700 (PDT)
Received: from klingon.netkonect.net (ns1.netkonect.net [194.62.44.11]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id QAA00892 for ; Tue, 14 Oct 1997 16:34:19 -0700 (PDT)
Received: from compfun.netkonect.co.uk (compfun [194.164.10.12]) by klingon.netkonect.net (8.8.7/8.8.7) with SMTP id AAA07401; Wed, 15 Oct 1997 00:36:14 +0100 (BST)
Received: by compfun.netkonect.co.uk with Microsoft Mail id <01BCD903.571BCBE0@compfun.netkonect.co.uk>; Wed, 15 Oct 1997 00:43:22 +0100
Message-ID: <01BCD903.571BCBE0@compfun.netkonect.co.uk>
From: Glenn
To: "'Robert Roell'" , Marek Kubita
Cc: "firewalls@GreatCircle.COM"
Subject: RE: POP across a firewlll...
Date: Wed, 15 Oct 1997 00:41:47 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Looks like someone is sending these mails all over the place...

-----Original Message-----
From:	Robert Roell [SMTP:rob@verio.net]
Sent:	14 October 1997 21:48
To:	Marek Kubita
Cc:	firewalls@GreatCircle.COM
Subject:	Re: POP across a firewlll...

Thanks for using NetForward!  http://www.netforward.com
v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v

I use F-Secure, and it has the "accept local connections only" option, specifically for this reason.

Rob

Marek Kubita wrote:
>
> On Fri, Oct 10, 1997, Ralf Thomas Klar wrote:
>
> > I use this configuration:
> >
> > - - allow ssh-connections through the firewall
> > - - the user, who wants to pop mail, invokes ssh with
> >     port-forwarding (port 110 from pop-server is forwarded
> >     to e.g. 4711 on his localhost)
> > - - the user connects the pop-client to port 4711 on the
> >     localhost
>
> If you are using ssh forwarding, make sure that the client machines have
> some packet filtering package installed and used. Otherwise anybody could
> connect to the client's port 4711 (or do port scan for listening high
> ports) and will be tunnelled to the pop server inside the firewall.
>
> Or is there an option, which would tell ssh to listen for forwarded
> ports on localhost only? It would be handy.
>
> . Marek Kubita, Corpus spol.s r.o., Praha 10, Sluzeb 4 :
> : Czech Republic .
> : tel. +420-2-771990, 701719, 701748, fax 704814 .

--
-------------------------------------------------------------
V E R I O   C O N S U L T I N G   G R O U P
Robert Roell
Senior Internet Engineer
rob@verio.net
Phone 714-450-8400
-------------------------------------------------------------

From owner-firewalls-list Tue Oct 14 23:16:38 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA04934; Tue, 14 Oct 1997 23:00:27 -0700 (PDT)
Received: from mail5.microsoft.com (mail5.microsoft.com [131.107.3.31]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id XAA04916 for ; Tue, 14 Oct 1997 23:00:21 -0700 (PDT)
Received: by mail5.microsoft.com with Internet Mail Service (5.5.1664.16) id <45V6M2L5>; Tue, 14 Oct 1997 23:03:36 -0700
Message-ID: <8D8EF175E72CD111805800805F3198EE1A5697@RED-MSG-46.dns.microsoft.com>
From: Peter Ford
To: "'firewalls@greatcircle.com'"
Subject: TCP options and firewalls
Date: Tue, 14 Oct 1997 20:38:47 -0700
X-Mailer: Internet Mail Service (5.5.1664.16)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

How many firewalls
out there are looking at TCP traffic and dropping/blocking packets with TCP options set?

thanks,

Peter Ford
Microsoft OS networking

From owner-firewalls-list Wed Oct 15 00:20:45 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id AAA11197; Wed, 15 Oct 1997 00:01:20 -0700 (PDT)
Received: from mannheim.isc-deutschland.de (mannheim.isc-deutschland.de [194.74.137.2]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id AAA11173 for ; Wed, 15 Oct 1997 00:01:05 -0700 (PDT)
Received: from www.argus.de (www.argus.de [195.99.117.7]) by mannheim.isc-deutschland.de (8.8.5/8.6.10) with SMTP id JAA25722 for ; Wed, 15 Oct 1997 09:03:52 +0200
Received: from SYSTEM-01 (194.74.137.9) by www.argus.de (EMWAC SMTPRS 0.81) with SMTP id ; Wed, 15 Oct 1997 09:03:49 +0200
Received: by SYSTEM-01 with Microsoft Mail id <01BCD8AE.764A4820@SYSTEM-01>; Tue, 14 Oct 1997 14:35:48 +0200
Message-ID: <01BCD8AE.764A4820@SYSTEM-01>
From: Marc Dorando
To: "'firewalls@GreatCircle.COM'"
Date: Tue, 14 Oct 1997 14:27:40 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

remove

From owner-firewalls-list Wed Oct 15 00:51:32 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id AAA13057; Wed, 15 Oct 1997 00:32:05 -0700 (PDT)
Received: from abhiweb.com (bonn.abhiweb.com [205.138.236.3]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id AAA13049 for ; Wed, 15 Oct 1997 00:32:00 -0700 (PDT)
Received: from byrd (ppp-byrd.abhiweb.com [205.216.164.6]) by abhiweb.com (8.6.12/8.6.12) with SMTP id AAA25497 for ; Wed, 15 Oct 1997 00:34:04 -0700
Message-Id: <2.2.32.19971015073502.006f3ee8@bonn.abhiweb.com>
X-Sender: byrd@bonn.abhiweb.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 15 Oct 1997 00:35:02 -0700
To: firewalls@GreatCircle.COM
From: Bruce Byrd
Subject: Re: PIX and other "Black boxes" vs normal firewalls.
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 05:27 PM 10/10/97 -0700, David Lang wrote:

From owner-firewalls-list Wed Oct 15 00:52:45 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id AAA14080; Wed, 15 Oct 1997 00:39:53 -0700 (PDT)
Received: from fw4.tns.co.za (fw4.tns.co.za [196.4.160.32]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id AAA14062 for ; Wed, 15 Oct 1997 00:39:40 -0700 (PDT)
Received: by fw4.tns.co.za; id JAA06117; Wed, 15 Oct 1997 09:42:10 +0200 (SAT)
Message-Id: <199710150742.JAA06117@fw4.tns.co.za>
Received: from unknown(89.0.4.243) by fw4.tns.co.za via smap (V3.1.1) id xma006114; Wed, 15 Oct 97 09:42:09 +0200
Reply-To:
From: "Billy Verreynne"
To: ,
Subject: Re: port 81??
Date: Wed, 15 Oct 1997 09:39:48 +0200
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1155
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>doconnell@bigyellow.com wrote:
>
> Can anyone tell me what port 81 is used for?? All I know is that it is for
> HOSTS2-NS hosts2 name service. But I haven't been able to find out
> anything else about this service. Can anyone give me some info?

I've seen some web servers running on port 81, usually a second instance for load distribution, or the web server administration instance. Interesting that until a few months ago, www.oracle.com had a second Oracle Web Server running on port 81.
regards,
Billy

From owner-firewalls-list Wed Oct 15 01:23:11 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id AAA15711; Wed, 15 Oct 1997 00:52:55 -0700 (PDT)
Received: from Virtuel.Net (yes.virtuel.net [207.134.62.10]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id AAA15704 for ; Wed, 15 Oct 1997 00:52:48 -0700 (PDT)
Received: from by Virtuel.Net (SMI-8.6/SMI-SVR4) id DAA19673; Wed, 15 Oct 1997 03:56:33 -0400
Message-ID: <3444A0AD.2CB1@virtuel.net>
Date: Wed, 15 Oct 1997 03:53:33 -0700
From: Michel Arsenault
Organization: T O W P !
X-Mailer: Mozilla 2.02 (Win16; I)
MIME-Version: 1.0
To: firewalls@greatcircle.com
Subject: (no subject)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

remove

From owner-firewalls-list Wed Oct 15 09:45:32 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA22666; Wed, 15 Oct 1997 02:20:06 -0700 (PDT)
Received: from relay-1.mail.demon.net (relay-1.mail.demon.net [194.217.242.139]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id CAA22616 for ; Wed, 15 Oct 1997 02:19:28 -0700 (PDT)
From: rob.holman@ganda.demon.co.uk
Received: from ganda.demon.co.uk ([158.152.117.135]) by relay-1.mail.demon.net id aa0108229; 15 Oct 97 10:11 BST
Date: Wed, 15 Oct 1997 10:01:04 +0000
To: firewalls@greatcircle.com
Subject: DMZ Implementation
X-Mailer: TFS Gateway /220000000/220680071/220660071/220750071/
Message-ID: <876906719.018229.0@ganda.demon.co.uk>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello Chaps

I'm interested to know how many of you have installed DMZ's, and whether you have installed them between the firewall and the router. Have you experienced any difficulties?
Rgrds

Rob Holman
IT Security Consultant

"Only the crumbliest, flakiest software fails like software never tested before"

From owner-firewalls-list Wed Oct 15 09:51:52 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA23848; Wed, 15 Oct 1997 02:32:24 -0700 (PDT)
Received: from galaxy.chez.com ([194.98.133.161]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id CAA23781 for ; Wed, 15 Oct 1997 02:32:00 -0700 (PDT)
Received: from LHfrancois.DTL ([195.99.83.43]) by galaxy.chez.com (8.8.5/8.8.5) with SMTP id LAA16531 for ; Wed, 15 Oct 1997 11:32:09 +0200 (CEST)
Received: by LHfrancois.DTL with Microsoft Mail id <01BCD95D.51FF4100@LHfrancois.DTL>; Wed, 15 Oct 1997 11:27:29 +-100
Message-ID: <01BCD95D.51FF4100@LHfrancois.DTL>
From: jonah
To: "'firewalls@greatcircle.com'"
Subject: firewalls with linux OS
Date: Wed, 15 Oct 1997 11:26:40 +-100
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

hello,

I need to install a firewall for a non profit organisation. I have almost no budget so it has to be a freeware (or shareware) and to run on a PC with linux OS. This is my first experience in installing and configuring a firewall.

I have heard of two solutions: socks and fwtk. Does anyone know the differences between these two firewalls? Is there any other free firewall available?

If you have any experience with any freeware firewall with linux please answer.

Thanks.

jonah
Paris, France.
From owner-firewalls-list Wed Oct 15 10:25:01 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA23483; Wed, 15 Oct 1997 02:28:40 -0700 (PDT)
Received: from brussels.cisco.com (brussels.cisco.com [171.68.129.238]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id CAA23315 for ; Wed, 15 Oct 1997 02:28:03 -0700 (PDT)
Received: from cons-evyncke.cisco.com (brussels-ppp3.cisco.com [171.68.146.24]) by brussels.cisco.com (8.8.5/8.8.5) with SMTP id LAA13393; Wed, 15 Oct 1997 11:30:04 +0200 (METDST)
Message-Id: <3.0.3.32.19971015111638.013da360@brussels.cisco.com>
X-Sender: evyncke@brussels.cisco.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Wed, 15 Oct 1997 11:16:38 +0000
To: Peter Ford , "'firewalls@greatcircle.com'"
From: Eric Vyncke
Subject: Re: TCP options and firewalls
In-Reply-To: <8D8EF175E72CD111805800805F3198EE1A5697@RED-MSG-46.dns.microsoft.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 20:38 14/10/97 -0700, Peter Ford wrote:
>
>
>How many firewalls out there are looking at TCP traffic and
>dropping/blocking packets with TCP options set?

If you mean IP options (i.e. options set in the IP header), then most of them ;-) at least for options like strict/loose source routing, record route, ...

Even tcp_wrappers are doing that on the server side.
Best regards -eric > >thanks, > >Peter Ford >Microsoft OS networking > > > Eric Vyncke Technical Consultant Cisco Systems Belgium SA/NV Phone: +32-2-778.4677 Fax: +32-2-778.4300 E-mail: evyncke@cisco.com Mobile: +32-75-312.458 From owner-firewalls-list Wed Oct 15 10:45:54 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA06966; Wed, 15 Oct 1997 09:11:49 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id JAA06776 for ; Wed, 15 Oct 1997 09:11:10 -0700 (PDT) From: PHuffman11@aol.com Received: from emout11.mail.aol.com by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id DAA11568; Wed, 15 Oct 1997 03:30:52 -0700 (PDT) Received: (from root@localhost) by emout11.mail.aol.com (8.7.6/8.7.3/AOL-2.0.0) id GAA21174 for firewalls@greatcircle.com; Wed, 15 Oct 1997 06:35:41 -0400 (EDT) Date: Wed, 15 Oct 1997 06:35:41 -0400 (EDT) Message-ID: <971015063540_-360975481@emout11.mail.aol.com> To: firewalls@GreatCircle.COM Subject: (none) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk remove From owner-firewalls-list Wed Oct 15 12:08:16 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA02531; Wed, 15 Oct 1997 08:56:59 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id IAA02288 for ; Wed, 15 Oct 1997 08:56:04 -0700 (PDT) Received: from cheops.anu.edu.au by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id GAA14013; Wed, 15 Oct 1997 06:57:56 -0700 (PDT) Message-Id: <199710151357.GAA14013@mycroft.GreatCircle.COM> Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA223673864; Wed, 15 Oct 1997 23:57:44 +1000 From: Darren Reed Subject: Re: TCP options and firewalls1 To: peterf@microsoft.com (Peter Ford) Date: Wed, 15 Oct 1997 23:57:44 +1000 (EST) Cc: 
    Firewalls@GreatCircle.COM (Firewalls Mailing List)
In-Reply-To: <8D8EF175E72CD111805800805F3198EE1A5697@RED-MSG-46.dns.microsoft.com> from "Peter Ford" at Oct 14, 97 08:38:47 pm

In some mail from Peter Ford, sie said:
>
>
> How many firewalls out there are looking at TCP traffic and
> dropping/blocking packets with TCP options set?

So far, there aren't any TCP header options which pose a threat to security, so one might argue there is no reason to check them for flagging a packet to drop. But I wouldn't put it past a firewall to check that the TCP options present are recognised - an interesting place to put a covert channel :)

However, all proxy firewalls will interpret TCP header options locally and the other connection made by the proxy is not likely to reflect the originator (so far as TCP options go) and this is quite valid. You may get lucky with the window size but that is constrained by the host's operating system.

But I wouldn't go adding new, undocumented TCP header options just because you can (and get away with it), expecting them to work.
Darren

From owner-firewalls-list Wed Oct 15 13:56:14 1997
From: Bill Coutinho
Organization: Dextra Informatica [http://www.dextra.com.br]
To: Firewalls Mailing List
Date: Sun, 15 Jun 1997 12:23:42 -0300
Subject: SQL*Net v2 through FW-1 with encryption
Message-ID: <33A408FE.417FA35F@dextra.com.br>

I'm trying to access an Oracle server behind a FW-1 3.0b from a Win95 machine running SecuRemote 3.0, using client encryption. Relevant FW-1 rule is:

Source            Destination       Service           Action           ...
----------------  ----------------  ----------------  ----------------
DBMUsers@Any      OracleServer      sqlnet2           Client Encrypt

We are using NAT for machines behind FW-1. When I try to connect to the server, FW-1's log shows a "decrypt", Oracle server's log shows a connection attempt, but the client doesn't receive the reply.

I tried a connection *without* encryption, and everything worked fine. The rule I used for this test is:

Any               OracleServer      sqlnet2           Accept           ...

(I killed SecuRemote in the client machine.)

Oracle is running on an NT 4.0. Has someone had any experience with this kind of configuration?

--
Cheers, Bill.
_________________________________________________________________
B i l l   C o u t i n h o
D E X T R A Informática
mailto:bill@dextra.com.br   http://www.dextra.com.br

From owner-firewalls-list Wed Oct 15 14:07:09 1997
From: Bob Resino
To: "'Bernd Eckenfels'"
Cc: Rik Hemsley, "Firewalls@GreatCircle.COM"
Date: Wed, 15 Oct 1997 09:01:37 -0400
Subject: RE: Promiscuous mode
Message-ID: <01BCD948.F287CCB0@mclo60.med.navy.mil>

Folks,

This is NOT true in all cases. Backbone switches move a lot of traffic. The filtering and MAC specific traffic comments are only true of edge switches used instead of hubs. Most of this is not true in the case of a backbone switch in a flat network.

Bob Resino
Infrastructure Strategic Planner
Medical Construction Liaison Dept.
Healthcare Support Office
Norfolk, VA
757-953-7400 Ext 322.

"A foolish consistency is the hobgoblin of little minds, adored by little statesmen and philosophers and divines."
Ralph Waldo Emerson

-----Original Message-----
From: Bernd Eckenfels [SMTP:lists@lina.inka.de]
Sent: Tuesday, October 14, 1997 2:56 PM
To: Bob Resino
Cc: 'Bernd Eckenfels'; Rik Hemsley; Firewalls@GreatCircle.COM
Subject: Re: Promiscuous mode

Hello,

switches filter traffic on the MAC level. On different ports of a switch you only see Ethernet broadcasts or packets which are directed to a host on the corresponding port. That's the difference between switches and hubs.

Greetings
Bernd

--
(OO)     -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de --
( .. )   ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/
o--o     *plush* 2048/93600EFD eckes@irc +4972573817 BE5-RIPE
(O____O) If privacy is outlawed only Outlaws have privacy

From owner-firewalls-list Wed Oct 15 15:17:27 1997
From: STEVE.CONNOLLY@arpstl-emh2.army.mil
To: " - (052)firewalls(a)GreatCircle.com"
Date: Wed, 15 Oct 1997 09:36:44 -0400
Subject: NAT on IBM SNG.
Message-Id: <0008200001406812000002*@MHS>

I was wondering if anyone could give a little help on a problem we are having. We are running IBM SNG 2.2.1 and we are trying to get NAT to work.
Our users access the network through either a Fore Systems Powerhub 7000 or a Cabletron MMAC+. We are able to get NAT to work for users that are coming through the MMAC, but we can not get it to work for users on the Powerhub. IBM has been giving us the run around, what else is new. Any help?

Does anyone know of a mailing list specifically for IBM's SNG?

Steve Connolly
Infrastructure Specialist
EDS
steve.connolly@arpstl-emh2.army.mil

From owner-firewalls-list Wed Oct 15 15:17:40 1997
From: "Anderson, Scot"
To: "'jonah'", "'firewalls@greatcircle.com'"
Date: Wed, 15 Oct 1997 14:25:59 -0400
Subject: RE: firewalls with linux OS

Facilities to control traffic (firewall type junk) are part of linux - you need only configure it. Sort of an "it's in there" type of thing. I believe it is implemented as part of the operating system itself.

-----------------------------------------------------------------
Scot Anderson | 703-383-7950 | SkyTel 800-413-4612
BTG, Inc.
| www.btg.com[/~scot] | scot@btg.com

On Wednesday, October 15, 1997 7:27 AM, jonah [SMTP:jonah@chez.com] wrote:
> hello,
>
> I need to install a firewall for a non profit organisation.
> I have almost no budget so it has to be a freeware (or shareware)
> and to run on a PC with linux OS.
> This is my first experience in installing and configuring a firewall.
>
> I have heard of two solutions : socks and fwtk.
> does anyone know the differences between these two firewalls ?
> is there any other free firewalls available ?
>
> If you have any experience with any freeware firewall with linux
> please answer.
> Thanks.
>
> jonah
> Paris, France.

From owner-firewalls-list Wed Oct 15 15:36:26 1997
From: Oliver Lau
To: jonah
Cc:
Date: Wed, 15 Oct 1997 20:28:37 +0100
Subject: Re: firewalls with linux OS (supplement)
In-Reply-To: <01BCD95D.51FF4100@LHfrancois.DTL>
References: <01BCD95D.51FF4100@LHfrancois.DTL>
Message-Id: <3445358522.6CF9.lau@skp.de>

Hello!

Please excuse, the "send mail"-button has been hit a bit too fast:

Anything you do depends on what you want to achieve. This question needs your further explanation.

A fourth possibility is to use something that is called a wrapper, like tcpd or netacl.
This is very easy to install and configure: some hacks in /etc/inetd.conf, and setting up the configuration files /etc/hosts.allow, /etc/hosts.deny for tcpd and for netacl /usr/local/etc/netperm-table. In sequence with a packet filter like ipfwadm this becomes a rather mighty security tool.

Here also applies what I have mentioned in my previous posting: RTFM before you begin! ;-)

On Wed, 15 Oct 1997 11:26:40 +-100 jonah wrote:
| hello,
|
| I need to install a firewall for a non profit organisation.
| I have almost no budget so it has to be a freeware (or shareware)
| and to run on a PC with linux OS.
| This is my first experience in installing and configuring a firewall.
|

Regards,
Oliver Lau [CTO]
Sauer und Partner GmbH, NetzwerkTechnologie und Sicherheit
Dietrich-Bonhoeffer-Strasse 1-3, 35037 Marburg, Germany
fon: +49 6421 938300, fax: +49 6421 938390, URL: http://www.skp.de/
PGP-Fingerprint: 6696 C8B6 F351 A381 D1C9 BC41 98F2 6DE3

From owner-firewalls-list Wed Oct 15 16:38:47 1997
From: Oliver Lau
To: jonah
Cc:
Date: Wed, 15 Oct 1997 20:14:23 +0100
Subject: Re: firewalls with linux OS
In-Reply-To: <01BCD95D.51FF4100@LHfrancois.DTL>
References: <01BCD95D.51FF4100@LHfrancois.DTL>
Message-Id: <3445322F42.6CF8.lau@skp.de>
X-Mailer: Becky!
ver 1.20

Greetings, Jonah!

On Wed, 15 Oct 1997 11:26:40 +-100 jonah wrote:
| I have heard of two solutions : socks and fwtk.
| does anyone know the differences between these two firewalls ?
| is there any other free firewalls available ?
|
| If you have any experience with any freeware firewall with linux
| please answer.

The TIS Firewall Toolkit (FWTK) http://www.tis.com/docs/products/fwtk/ is a collection of several proxies, all of which need reconfiguration on the clients' side. Too much work, thus too expensive, if a lot of clients are concerned.

SOCKS is unlike the FWTK, but has the same drawback of incompatibility to existing implementations on the clients' side, although the hottest web browsers support SOCKS.

A nice and quick to install solution might be the ipfwadm-kit, which comes with Linux. It implements a pure packet filter, which runs very stable, very fast and very reliable. It also supports masquerading, i.e. address translation of a whole LAN to a single IP address of the firewall machine. Latest releases are mirrored all around the world.

Configuring a firewall is a hard job. You have to know a lot about IP and its higher-layer protocols. It's best to study the standard literature before you begin to experiment, thus wasting time.

If there are few clients, you may install any combination of the above, but for a quick start ipfwadm is IMHO the best choice. If you need further performance and a little bit of extra security, you may install a caching WWW proxy with optional authentication like Squid http://squid.nlanr.net/Squid/.

Consider this:
Bellovin, Cheswick: Firewalls and Internet Security
Chapman, Zwicky: Building Internet Firewalls
and of course the billions of websites that discuss this topic

Remember: The slightest mistake may ruin the whole policy, and security could easily be breached!!
Regards,
Oliver Lau [CTO]
Sauer und Partner GmbH, NetzwerkTechnologie und Sicherheit
Dietrich-Bonhoeffer-Strasse 1-3, 35037 Marburg, Germany
fon: +49 6421 938300, fax: +49 6421 938390, URL: http://www.skp.de/
PGP-Fingerprint: 6696 C8B6 F351 A381 D1C9 BC41 98F2 6DE3

From owner-firewalls-list Wed Oct 15 17:26:48 1997
From: Chris Pugrud
To: "'jonah'", Firewalls Mailing list
Date: Wed, 15 Oct 1997 14:25:19 -0600
Subject: RE: firewalls with linux OS

Part of your firewall planning is needing to determine what to support. In Windows based organizations I have found the answer to generally be http, ftp, and smtp (web and e-mail basically). In this situation it is relatively easy to set up a simple, effective firewall using Linux, Apache, and Qmail.

Apache has a pretty good web/ftp proxy function built in. The caching functionality doesn't seem to be very effective, but I really haven't played with the settings.
For added security I tend to run two apache daemons, one for the inside with the proxy functions built in, and one for the outside web server that is stripped and gutted to the bare essentials (the less code there is, the less that can be compromised).

Qmail is very fast and effective as an e-mail gateway. I would recommend using an internal e-mail server, and just have Qmail relay mail between the world and the office. Qmail also has a very easy setup to disable the relay functionality, so you can avoid being victimized by spammers using your server.

If you strip and gut the Linux server appropriately you will end up with a very tight configuration, with only three ports open to attack (http, smtp, and dns). A complete configuration with pwebstats for traffic analysis and reporting, apache, qmail, and all of the tools you actually need on the server is less than 20 MB. Be sure to set up a separate and large partition for log files.

I have run systems like the above on everything from 33.6 dialup links to full t1 links. They have proven to be extremely reliable. The only maintenance needed is occasional security patches (apache has been fairly frequent lately), and log cleanup.

The next obvious step up would be to work with the FWTK to gain the proxies for news or command line ftp. I am getting ready to integrate this into the systems I have now, because I am finally seeing some requests for them. I am anticipating a fairly simple integration, but we'll see.

Questions, comments?

Chris

>-----Original Message-----
>From: jonah [SMTP:jonah@chez.com]
>Sent: Wednesday, October 15, 1997 5:27 AM
>To: Firewalls Mailing list
>Subject: firewalls with linux OS
>
>hello,
>
>I need to install a firewall for a non profit organisation.
>I have almost no budget so it has to be a freeware (or shareware)
>and to run on a PC with linux OS.
>This is my first experience in installing and configuring a firewall.
>
>I have heard of two solutions : socks and fwtk.
>does anyone know the differences between these two firewalls ?
>is there any other free firewalls available ?
>
>If you have any experience with any freeware firewall with linux
>please answer.
>Thanks.
>
>jonah
>Paris, France.
>
>

From owner-firewalls-list Wed Oct 15 18:11:32 1997
From: Bill Stout
To: firewalls@GreatCircle.com
Date: Wed, 15 Oct 1997 13:53:25 -0700
Subject: Re: IIS behind firewall?
Message-Id: <2.2.32.19971015205325.0135e9d8@192.168.0.37>

One possible problem (not security) is attempting to log hits, as the IP connections are coming from the inside port of your proxy.

Performance-wise, you do put additional load on your firewall.

Security-wise, you're allowing more to pass through your firewall, and the more you open your firewall, the less of a firewall it remains. If your webserver is on your internal lan, any trojan or vulnerability on the webserver is an open gate to the rest of the network.
That sort of entry would require a skilled intruder, but then again, any sort of NetBIOS attack one year ago would've required advanced skills at the time also. Today they're automated and trivial.

Options to Consider
- Place the webserver on a third interface off the firewall.
- Place the webserver on both inside and outside networks, and treat the webserver as tightly as a proxy, running only IIS, and filtering all ports but http/https/dns lookups on the outside, and run only NetBEUI on the inside.

Of course, don't make it part of your domain, and think twice about establishing any trust relationships with it, Matthew Patton's excellent whitepaper on securing IIS systems (ftp://gnpr.pae.osd.mil/pub/nt) is a must read, etc.

Bill Stout

At 12:38 PM 10/14/97 -0700, S. Fung wrote:
>We have a NT box running IIS and database, if we put it behind a
>firewall in a DMZ and let the general public to access the web,
>what is the security concern, if any? Can anybody comment on
>this configuration? Thanks!
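The "third interface off the firewall" layout from the message above, as an added example that is not code from the post or from any product on the list: a first-match, stateless filter policy evaluated over constructed packets. Interface names, addresses and the rule set are all assumed for illustration.

```python
"""Added example: a stateless, first-match packet-filter policy for a webserver
on a DMZ interface. Interface names, addresses and rules are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed topology: three firewall interfaces and two address ranges.
INSIDE, DMZ, OUTSIDE = "eth0", "eth1", "eth2"
INSIDE_NET = "10.1.0.0/16"        # constructed RFC 1918 office network
DMZ_WEB = "192.0.2.10/32"         # constructed (TEST-NET-1) IIS host address


@dataclass(frozen=True)
class Packet:
    in_if: str                             # interface the packet arrived on
    proto: str                             # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None
    flags: FrozenSet[str] = frozenset()    # TCP flags, e.g. {"syn"} or {"ack"}

    def is_established(self) -> bool:
        """ACK set: part of an existing TCP connection rather than a new SYN."""
        return self.proto == "tcp" and "ack" in self.flags


@dataclass(frozen=True)
class Rule:
    action: str                            # "accept" or "deny"
    in_if: str                             # interface name or "*"
    proto: str                             # protocol name or "*"
    src: str                               # CIDR or "*"
    dst: str                               # CIDR or "*"
    dports: FrozenSet[int] = frozenset()   # empty means any destination port
    established_only: bool = False         # match only TCP packets with ACK set
    comment: str = ""


def _addr_in(cidr: str, addr: str) -> bool:
    return cidr == "*" or ip_address(addr) in ip_network(cidr)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.in_if not in ("*", pkt.in_if) or rule.proto not in ("*", pkt.proto):
        return False
    if not (_addr_in(rule.src, pkt.src) and _addr_in(rule.dst, pkt.dst)):
        return False
    if rule.dports and pkt.dport not in rule.dports:
        return False
    if rule.established_only and not pkt.is_established():
        return False
    return True


def decide(policy: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins; anything unmatched falls to default deny."""
    for rule in policy:
        if rule_matches(rule, pkt):
            return rule.action, rule.comment
    return "deny", "default deny"


# Constructed policy following the post: only http/https in from outside, only
# DNS lookups and TCP replies out of the DMZ, and nothing from the DMZ into the
# inside network, so a compromised webserver is not an "open gate". The deny
# rule sits before the reply rule on purpose: order is the containment. The
# ACK-set reply rule is the classic stateless-filter compromise of the ipfwadm
# era; a stateful filter would track connections instead.
POLICY = [
    Rule("accept", OUTSIDE, "tcp", "*", DMZ_WEB, frozenset({80, 443}), comment="public web"),
    Rule("accept", DMZ, "udp", DMZ_WEB, "*", frozenset({53}), comment="DNS lookups"),
    Rule("deny", DMZ, "*", "*", INSIDE_NET, comment="DMZ must not reach inside"),
    Rule("accept", DMZ, "tcp", DMZ_WEB, "*", established_only=True, comment="TCP replies"),
]

# Constructed traffic: the cases a reviewer of this policy would want decided.
SAMPLES: Dict[str, Packet] = {
    "client https to web":   Packet(OUTSIDE, "tcp", "203.0.113.5", "192.0.2.10", 443, frozenset({"syn"})),
    "client netbios to web": Packet(OUTSIDE, "tcp", "203.0.113.5", "192.0.2.10", 139, frozenset({"syn"})),
    "web dns lookup":        Packet(DMZ, "udp", "192.0.2.10", "203.0.113.53", 53),
    "web reply to client":   Packet(DMZ, "tcp", "192.0.2.10", "203.0.113.5", 51000, frozenset({"ack"})),
    "web new outbound tcp":  Packet(DMZ, "tcp", "192.0.2.10", "203.0.113.7", 80, frozenset({"syn"})),
    "web to inside netbios": Packet(DMZ, "tcp", "192.0.2.10", "10.1.5.20", 139, frozenset({"ack"})),
}


def evaluate(policy: List[Rule] = POLICY, samples: Dict[str, Packet] = SAMPLES) -> Dict[str, str]:
    """Decision per sample name, e.g. {"client https to web": "accept", ...}."""
    return {name: decide(policy, pkt)[0] for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        action, why = decide(POLICY, pkt)
        print(f"{name:24s} {pkt.in_if} {pkt.proto} {pkt.src}->{pkt.dst}:{pkt.dport} {action:6s} ({why})")
```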
From owner-firewalls-list Wed Oct 15 18:13:50 1997
From: "helen liu"
To: firewalls@GreatCircle.com
Date: Wed, 15 Oct 97 14:02:30 PST
Subject: Firewall
Message-Id: <9709158769.AA876949357@smtpgate.pericom.com>

Hi,

I am looking for a firewall for my company. The network structure is as following now:

    UNIX work stations
            |
    ----------------------------------- router---internet...
            |
       ethernet bridge
            |
       __________Novell Network---- NT NetWork

We'd like to have a firewall between the Lan and internet. The router it's having now is Ascend PipeLine 50. I would very much appreciate if anybody could give some advice on

1. Where is the best place to install a firewall? Do we need an extra proxy server?
2. Which product is the best solution for our company?

Thank you very much.
Helen

From: MAILER-DAEMON@uu2.psi.com
To: Helen_Liu@smtpgate.pericom.com
Date: Wed, 15 Oct 97 15:50:37 -0400
Subject: Returned mail: User unknown
Message-Id: <9710151950.AA16577@uu2.psi.com>

From: MAILER-DAEMON@uu2.psi.com
To: Helen_Liu@smtpgate.pericom.com
Date: Wed, 15 Oct 97 16:05:48 -0400
Subject: Returned mail: Host unknown
Message-Id: <9710152005.AA17221@uu2.psi.com>

From owner-firewalls-list Wed Oct 15 18:18:18 1997
From: "Marcelo Diaz"
To: firewalls@GreatCircle.COM
Date: Wed, 15 Oct 1997 21:37:18 -0300
Subject: ipsilon
Message-ID: <03256532.00033155.00@tandem.tandem.cl>

Where can I find information about competitive analysis between IPSILON with FW-1 and Sun with FW-1.

Thanks in advance.

==================================
Marcelo Diaz
Product manager
Tandem Chile S.A.
From owner-firewalls-list Wed Oct 15 18:20:26 1997
From: Oliver Friedrichs
To: Darren Reed
Cc: Peter Ford, Firewalls Mailing List
Date: Wed, 15 Oct 1997 17:17:45 -0600 (MDT)
Subject: Re: TCP options and firewalls1
In-Reply-To: <199710151357.GAA14013@mycroft.GreatCircle.COM>

On Wed, 15 Oct 1997, Darren Reed wrote:
> So far, there aren't any TCP header options which pose a threat to
> security, so one might argue there is no reason to check them for
> flagging a packet to drop. But I wouldn't put it past a firewall to
> check that the TCP options present are recognised - an interesting

Unless you consider denial of service a security problem, in which case all sorts of routers will fall over due to invalid TCP options.

- Oliver

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Secure Networks Incorporated.
Calgary, Alberta, Canada, (403) 262-9211

From owner-firewalls-list Wed Oct 15 18:40:33 1997
From: zmhu@bupt.edu.cn
To: firewalls@GreatCircle.COM
Date: Thu, 16 Oct 1997 08:55:10 +0800
Message-Id: <3.0.32.19971016085508.00685930@noya.bupt.edu.cn>

remove

From owner-firewalls-list Wed Oct 15 21:33:15 1997
From: Peter Ford
To: "'Eric Vyncke'", "'firewalls@greatcircle.com'"
Date: Wed, 15 Oct 1997 21:29:02 -0700
Subject: RE: TCP options and firewalls
Message-ID: <8D8EF175E72CD111805800805F3198EE1A56A2@RED-MSG-46.dns.microsoft.com>

I actually mean TCP options, and I am actually interested in "new" TCP options that firewalls might not recognize.
thanks, peter

> -----Original Message-----
> From: Eric Vyncke [SMTP:evyncke@cisco.com]
> Sent: Wednesday, October 15, 1997 4:17 AM
> To: Peter Ford; 'firewalls@greatcircle.com'
> Subject: Re: TCP options and firewalls
>
> At 20:38 14/10/97 -0700, Peter Ford wrote:
> >
> >How many firewalls out there are looking at TCP traffic and
> >dropping/blocking packets with TCP options set?
>
> If you mean IP options (i.e. options set in the IP header), then
>
> Most of them ;-) at least for options like strict/loose source routing, record route, ...
>
> Even tcp_wrappers are doing that on the server side.
>
> Best regards
>
> -eric
>
> >thanks,
> >
> >Peter Ford
> >Microsoft OS networking
>
> Eric Vyncke
> Technical Consultant Cisco Systems Belgium SA/NV
> Phone: +32-2-778.4677 Fax: +32-2-778.4300
> E-mail: evyncke@cisco.com Mobile: +32-75-312.458

From owner-firewalls-list Wed Oct 15 23:18:13 1997
From: Oliver Lau
To:
Date: Thu, 16 Oct 1997 08:12:11 +0100
Subject: Re: firewalls with linux OS
In-Reply-To: <01BCD95D.51FF4100@LHfrancois.DTL>
References: <01BCD95D.51FF4100@LHfrancois.DTL>
Message-Id: <3445DA6B2BC.2A0E.lau@skp.de>

Greetings, Jonah!
On Wed, 15 Oct 1997 11:26:40 +-100 jonah wrote:
| I have heard of two solutions : socks and fwtk.
| does anyone know the differences between these two firewalls ?
| is there any other free firewalls available ?
|
| If you have any experience with any freeware firewall with linux
| please answer.

The TIS Firewall Toolkit (FWTK) http://www.tis.com/docs/products/fwtk/ is a collection of several proxies, all of which need reconfiguration on the clients' side. Too much work, thus too expensive, if a lot of clients are concerned.

SOCKS is unlike the FWTK, but has the same drawback of incompatibility to existing implementations on the clients' side, although the hottest web browsers support SOCKS.

A nice and quick to install solution might be the ipfwadm-kit, which comes with Linux. It implements a pure packet filter, which runs very stable, very fast and very reliable. It also supports masquerading, i.e. address translation of a whole LAN to a single IP address of the firewall machine. Latest releases are mirrored all around the world.

Configuring a firewall is a hard job. You have to know a lot about IP and its higher-layer protocols. It's best to study the standard literature before you begin to experiment, thus wasting time.

If there are few clients, you may install any combination of the above, but for a quick start ipfwadm is IMHO the best choice. If you need further performance and a little bit of extra security, you may install a caching WWW proxy with optional authentication like Squid http://squid.nlanr.net/Squid/.

Consider this:
Bellovin, Cheswick: Firewalls and Internet Security
Chapman, Zwicky: Building Internet Firewalls
and of course the billions of websites that discuss this topic

Remember: The slightest mistake may ruin the whole policy, and security could easily be breached!!
Regards, Oliver Lau [CTO] Sauer und Partner GmbH, NetzwerkTechnologie und Sicherheit Dietrich-Bonhoeffer-Strasse 1-3, 35037 Marburg, Germany fon: +49 6421 938300, fax: +49 6421 938390, URL: http://www.skp.de/ PGP-Fingerprint: 6696 C8B6 F351 A381 D1C9 BC41 98F2 6DE3 From owner-firewalls-list Wed Oct 15 23:42:48 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA25628; Wed, 15 Oct 1997 23:24:17 -0700 (PDT) Received: from challenger.atc.fhda.edu (challenger.atc.fhda.edu [153.18.200.1]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id XAA25621 for ; Wed, 15 Oct 1997 23:24:12 -0700 (PDT) Received: from localhost (manek@localhost) by challenger.atc.fhda.edu (8.8.0/8.7.3) with SMTP id XAA14667; Wed, 15 Oct 1997 23:24:02 -0700 (PDT) Date: Wed, 15 Oct 1997 23:24:01 -0700 (PDT) From: "Sameer R. Manek" Reply-To: "Sameer R. Manek" To: Chris Pugrud cc: "'jonah'" , Firewalls Mailing list Subject: RE: firewalls with linux OS In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Wed, 15 Oct 1997, Chris Pugrud wrote: > Apache has a pretty good web/ftp proxy function built in. The caching > functionality doesn't seem to be very effective, but I really haven't > played with the settings. For added security I tend to run two apache > daemons, one for the inside with the proxy functions built in, and one > for the outside web server that is stripped and gutted to the bare > essentials (the less code there is, the less that can be compromised). > I like using apache to do double duty as proxy/webserver, but then again my security model isn't as strict as yours probably is. One free proxy server that i've heard is pretty good with performance is Squid, (squid.nlanr.net) Has anyone tried this one out? Any reactions to it's performance/security? 
Sameer -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Sameer Manek manek@challenger.atc.fhda.edu A "No" uttered from deepest conviction is better and greater than a "Yes" merely uttered to please, or what is worse, to avoid trouble. -- Mahatma Ghandi -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- From owner-firewalls-list Thu Oct 16 00:16:08 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA28470; Wed, 15 Oct 1997 23:43:21 -0700 (PDT) Received: from cpc.mel.dbe.csiro.au (cpc.mel.dbe.csiro.au [202.8.39.2]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id XAA28383 for ; Wed, 15 Oct 1997 23:43:00 -0700 (PDT) Received: by cpc.mel.dbe.csiro.au; id AA04908; Thu, 16 Oct 97 16:44:43 EST Received: from tigger.mel.dbe.csiro.au(202.8.38.64) by cpc.mel.dbe.csiro.au via smap (3.2) id xma004898; Thu, 16 Oct 97 16:44:13 +1000 Received: from tigger.mel.dbe.csiro.au (tigger.mel.dbe.csiro.au [202.8.38.64]) by tigger.mel.dbe.csiro.au (8.8.7/8.7.2) with SMTP id QAA11275 for ; Thu, 16 Oct 1997 16:42:29 +1000 (EST) Date: Thu, 16 Oct 1997 16:42:29 +1000 (EST) From: Colin Linahan X-Sender: cfl@tigger.mel.dbe.csiro.au Reply-To: Colin Linahan To: firewalls@GreatCircle.COM Subject: Windows NT domain through Gauntlet firewall In-Reply-To: <199710120733.AAA27846@honor.greatcircle.com> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi everyone, We want to do what many may consider a security risk - allow Windows NT ports 137,138 and 139 between initially three geographically separate sites. We are wanting to run a Windows NT domain over our TCP/IP based WAN ( which is connected to the Internet ) - through CISCO routers and a Gauntlet 3.2 firewall running on SunOS 4.1.4 based host ( which will later this year be running Gauntlet 4.0 for Solaris ). Our site is the only one with a proxy-based firewall. 
The plan is to have ip-helper and forward running on the gateway CISCO at each site. On the firewall we will configure packet screening to allow ports 137, 138 and 139 from our internal NT servers to 137, 138 and 139 on the external NT servers and also to the same ports on our gateway router.

Has anyone successfully done just this, or know if it can be done? Basically - will someone at another of our sites be able to join or log in to our domain if the PDC is at our site, behind our firewall?

Thanks for any help,

Colin.Linahan@molsci.CSIRO.AU
Network & Systems Administrator
Biomolecular Research Institute Computing Section
343 Royal Parade, Parkville, Victoria 3052 Australia
tel: +61 3 9662 7372 fax: +61 3 9662 7346

From owner-firewalls-list Thu Oct 16 04:55:43 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id EAA21667; Thu, 16 Oct 1997 04:04:17 -0700 (PDT)
Received: from bom.ahk.nl (bom.ahk.nl [194.178.30.68]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id EAA21660 for ; Thu, 16 Oct 1997 04:04:11 -0700 (PDT)
Received: from fox.bwk.ahk.nl (bwk.bwk.ahk.nl [193.67.24.78] (may be forged)) by bom.ahk.nl (8.8.6/8.8.6) with ESMTP id NAA09613 for ; Thu, 16 Oct 1997 13:04:09 +0200
Message-ID: <3445F463.9BD59E08@ahk.nl>
Date: Thu, 16 Oct 1997 12:03:02 +0100
From: Hilco Jonkeren
X-Mailer: Mozilla 4.01 [en] (Win95; I)
MIME-Version: 1.0
To: firewalls@GreatCircle.COM
Subject: (no subject)
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

remove

From owner-firewalls-list Thu Oct 16 05:33:23 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA27973; Thu, 16 Oct 1997 05:20:10 -0700 (PDT)
Received: from notemail.acq.osd.mil (procyon.acq.osd.mil [134.152.25.27]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id FAA27941 for ; Thu, 16 Oct 1997 05:20:00 -0700 (PDT)
Received: by notemail.acq.osd.mil(Lotus SMTP MTA v1.1 (385.6 5-6-1997)) id 85256532.0043CE2F ; Thu, 16 Oct 1997 08:20:36 -0400 X-Lotus-FromDomain: OUSD_AT From: "Tom Rozylowicz" To: firewalls@GreatCircle.COM Message-ID: <85256532.0043C69A.00@notemail.acq.osd.mil> Date: Thu, 16 Oct 1997 08:20:35 -0400 Mime-Version: 1.0 Content-type: text/plain; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk remove From owner-firewalls-list Thu Oct 16 05:48:37 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id BAA15282; Thu, 16 Oct 1997 01:56:06 -0700 (PDT) Received: from relay.mail.pipex.net (duct.mail.pipex.net [158.43.128.61]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id BAA15270 for ; Thu, 16 Oct 1997 01:55:46 -0700 (PDT) Received: (qmail 19705 invoked from network); 16 Oct 1997 08:55:49 -0000 Received: from unknown (HELO 3Dlabs.com) (193.133.230.34) by relay.mail.pipex.net with SMTP; 16 Oct 1997 08:55:49 -0000 Received: from exchuk01.3dlabs.com by 3Dlabs.com (4.1/SMI-4.1) id AA26265; Thu, 16 Oct 97 09:55:40 BST Received: by exchuk01.3dlabs.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BCDA18.E67E04E0@exchuk01.3dlabs.com>; Thu, 16 Oct 1997 09:50:14 +0100 Message-Id: From: Doug Bridgens To: "'firewalls@greatcircle.com'" Subject: Firewalls: Exchange mail proxy in DMZ. Date: Thu, 16 Oct 1997 09:50:13 +0100 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, Has anyone set up a MS Exchange mail server proxy in the DMZ of their firewall? We have a few remote users who will need to access email accounts in our servers. Is a mail server proxy the best way to achieve this, or are there other ways? 
Thanks
Doug

From owner-firewalls-list Thu Oct 16 06:04:44 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id EAA22806; Thu, 16 Oct 1997 04:37:14 -0700 (PDT)
Received: from c2smtp.herrmann.de ([194.95.204.134]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id EAA22790 for ; Thu, 16 Oct 1997 04:37:07 -0700 (PDT)
Received: from rfhs8011 (194.95.108.27) by c2smtp.herrmann.de (Connect2-SMTP 4.30.b8C.0000622) for ; Thu, 16 Oct 1997 13:37:08 +0200
Message-ID: <3445FC62.1EED@mail.teleconsult.de>
Date: Thu, 16 Oct 1997 13:37:06 +0200
From: Mario Muehlbauer
X-Mailer: Mozilla 3.0 (X11; I; SunOS 5.5 sun4m)
MIME-Version: 1.0
To: Firewalls@GreatCircle.COM
Subject: Firewall-1 on NT
References: <199710150800.BAA16426@honor.greatcircle.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I need to implement Firewall-1 on Windows NT 4.0.

What security holes could be in NT?

How can I harden the OS?

Please no philosophic discussions about NT versus UNIX!
Mario Muehlbauer

From owner-firewalls-list Thu Oct 16 07:12:04 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA05309; Thu, 16 Oct 1997 06:02:13 -0700 (PDT)
Received: from mailman.iscorltd.co.za (mailman.iscorltd.co.za [139.53.1.16]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id GAA05205 for ; Thu, 16 Oct 1997 06:01:40 -0700 (PDT)
Received: from winnwe00.new.iscorltd.co.za ([139.53.64.170]) by mailman.iscorltd.co.za (Netscape Mail Server v2.02) with ESMTP id AAA235 for ; Thu, 16 Oct 1997 15:00:53 +0200
Received: from asylum.new.iscorltd.co.za ([139.53.64.70]) by winnwe00.new.iscorltd.co.za (Netscape Mail Server v2.02) with SMTP id AAA320 for ; Thu, 16 Oct 1997 15:03:32 +0200
From: marcelg@new.iscorltd.co.za (Marcel Groenewald)
To:
Subject: Simple UDP & ActiveX question
Date: Thu, 16 Oct 1997 15:01:23 +0200
Message-ID: <01bcda33$9afeac20$4640358b@asylum.new.iscorltd.co.za>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.71.1712.3
X-Mimeole: Produced By Microsoft MimeOLE V4.71.1712.3
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi all,

Please tell me if the following statements are true, and if so, if it's a good enough reason to stop the relevant services from going across the firewall:

"UDP should be blocked, since it is not possible to reliably authenticate the origin of UDP packets"

"ActiveX (but not Java) should be blocked by the firewall"

Thank you
Marcel Groenewald

/*******************************************************************/
The views expressed above are not necessarily those of Iscor Limited
/*******************************************************************/

From owner-firewalls-list Thu Oct 16 08:19:08 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA14149; Thu, 16 Oct 1997 06:47:08 -0700 (PDT)
Received: from calamari.Progressive-Systems.Com (calamari.Progressive-Systems.Com [209.41.220.16]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id GAA14048 for ; Thu, 16 Oct 1997 06:46:46 -0700 (PDT) Received: from Progressive-Systems.com (alex@overkill.Progressive-Systems.Com [209.41.220.250]) by calamari.Progressive-Systems.Com (8.7.5/8.7.3) with ESMTP id JAA17132 for ; Thu, 16 Oct 1997 09:46:47 -0400 (EDT) Message-ID: <34461B9E.5000010@Progressive-Systems.com> Date: Thu, 16 Oct 1997 09:50:22 -0400 From: Alex Hutton X-Mailer: Mozilla 4.03 [en] (WinNT; I) MIME-Version: 1.0 To: firewalls@GreatCircle.com Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk remove From owner-firewalls-list Thu Oct 16 08:31:32 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id DAA20058; Thu, 16 Oct 1997 03:29:45 -0700 (PDT) Received: from mail.mkm.de (mail.mkm.de [194.233.223.129]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id DAA20051 for ; Thu, 16 Oct 1997 03:29:37 -0700 (PDT) Received: from bbf.mkm.de (bbf.mkm.de [194.233.223.132]) by mail.mkm.de (9.9.9/9.9.9) with SMTP id MAA00828; Thu, 16 Oct 1997 12:29:30 +0200 Received: from localhost by bbf.mkm.de (SMI-8.6/SMI-SVR4) id MAA24987; Thu, 16 Oct 1997 12:29:32 +0200 Date: Thu, 16 Oct 1997 12:29:32 +0200 (MET DST) From: Ralf Thomas Klar To: "Sameer R. Manek" cc: Chris Pugrud , "'jonah'" , Firewalls Mailing list Subject: RE: firewalls with linux OS In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Wed, 15 Oct 1997, Sameer R. Manek wrote: > On Wed, 15 Oct 1997, Chris Pugrud wrote: > > > Apache has a pretty good web/ftp proxy function built in. The caching > > functionality doesn't seem to be very effective, but I really haven't > > played with the settings. 
For added security I tend to run two apache > > daemons, one for the inside with the proxy functions built in, and one > > for the outside web server that is stripped and gutted to the bare > > essentials (the less code there is, the less that can be compromised). > > > > I like using apache to do double duty as proxy/webserver, but then again > my security model isn't as strict as yours probably is. One free proxy > server that i've heard is pretty good with performance is Squid, > (squid.nlanr.net) Has anyone tried this one out? Any reactions to it's > performance/security? > > Sameer Squid is really good - we have about 180.000 hits/day and 2 GB www- traffic/day. squid runs on a linux-box (amd k6/200, 128 mb ram) and there have been absolutly no problems till today. Ralf -- Ralf Thomas Klar | Tel.: 0721-9663066 | http://www.hadiko.de/ Klosterweg 28/H210 | Fax.: 0721-9663064 | Das einzige Studenten- D-76131 Karlsruhe | eMail: ralf@hadiko.de | wohnheim mit ATM-Netz From owner-firewalls-list Thu Oct 16 08:31:37 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id BAA15127; Thu, 16 Oct 1997 01:48:12 -0700 (PDT) Received: from relay.mail.pipex.net (duct.mail.pipex.net [158.43.128.61]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id BAA15120 for ; Thu, 16 Oct 1997 01:48:04 -0700 (PDT) Received: (qmail 19102 invoked from network); 16 Oct 1997 08:48:07 -0000 Received: from unknown (HELO 3Dlabs.com) (193.133.230.34) by relay.mail.pipex.net with SMTP; 16 Oct 1997 08:48:07 -0000 Received: from exchuk01.3dlabs.com by 3Dlabs.com (4.1/SMI-4.1) id AA26225; Thu, 16 Oct 97 09:47:58 BST Received: by exchuk01.3dlabs.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BCDA17.D31E69E0@exchuk01.3dlabs.com>; Thu, 16 Oct 1997 09:42:32 +0100 Message-Id: From: Doug Bridgens To: "'firewalls@greatcircle.com'" Subject: Firewalls: www & high port numbers Date: Thu, 16 Oct 1997 09:42:31 +0100 X-Mailer: 
Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,
When browsing the WWW lots of sites offer downloadable software. When you click on the link to the download you are shoved to a new page at a high port number (eg. 34200). Whenever a browser tries to go to download something it just hangs because the firewall is stopping its communication through the high port number. Can anyone tell me what should be done to allow downloading software from the web but not open up every port?

Thanks
Doug

From owner-firewalls-list Thu Oct 16 08:49:16 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA02561; Thu, 16 Oct 1997 08:15:38 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id IAA01827 for ; Thu, 16 Oct 1997 08:10:52 -0700 (PDT)
Received: from sla-nt2.sla.com by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id IAA23231; Thu, 16 Oct 1997 08:10:56 -0700 (PDT)
Received: by mail1.sla.com with Internet Mail Service (5.0.1457.3) id <43KTR3RM>; Thu, 16 Oct 1997 08:06:56 -0700
Message-ID:
From: "Stackpole, Bill"
To: "'Doug Bridgens'" , "'firewalls@greatcircle.com'"
Subject: RE: Firewalls: Exchange mail proxy in DMZ.
Date: Thu, 16 Oct 1997 08:06:54 -0700
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1457.3)
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

If you set Exchange up to do POP3 you can use the POP3 proxy on your firewall to give remote users access to their mail.

> -----Original Message-----
> From: Doug Bridgens [SMTP:Doug.Bridgens@3Dlabs.com]
> Sent: Thursday, October 16, 1997 1:50 AM
> To: 'firewalls@greatcircle.com'
> Subject: Firewalls: Exchange mail proxy in DMZ.
>
> Hi,
> Has anyone set up a MS Exchange mail server proxy in the DMZ of
> their
> firewall?
> We have a few remote users who will need to access email
> accounts in our servers. Is a mail server proxy the best way to
> achieve this, or are there other ways?
>
> Thanks
> Doug

From owner-firewalls-list Thu Oct 16 09:19:31 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA01374; Thu, 16 Oct 1997 08:07:48 -0700 (PDT)
Received: from gw.pinewood.nl (gw.pinewood.nl [194.171.50.9]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id IAA01303 for ; Thu, 16 Oct 1997 08:07:29 -0700 (PDT)
Received: (from smap@localhost) by gw.pinewood.nl (8.8.4/8.6.12) id RAA09177; Thu, 16 Oct 1997 17:07:28 +0200 (CEST)
X-Authentication-Warning: gw.pinewood.nl: smap set sender to using -f
Received: from pwood1.pinewood.nl(192.168.1.10) by gw.pinewood.nl via smap (V1.3) id sma009173; Thu Oct 16 17:07:10 1997
Received: (from ewout@localhost) by pwood1.pinewood.nl (8.7.3/8.6.12) id RAA26368; Thu, 16 Oct 1997 17:07:10 +0200 (METDST)
From: "Ewout Meij"
Message-Id: <971016170709.ZM26366@pwood1.pinewood.nl>
Date: Thu, 16 Oct 1997 17:07:09 +0000
In-Reply-To: Mario Muehlbauer "Firewall-1 on NT" (Oct 16, 13:37)
References: <199710150800.BAA16426@honor.greatcircle.com> <3445FC62.1EED@mail.teleconsult.de>
X-Face: 'BsFf8'k.q?J#?|$D*,)/?sRB{woUK&9\5K{ERmT;VTSyNLBb?muLf>b:Pt&VTDw8YCaC]6 C!MRSMr5UNjZLa]fi?
X-Mailer: Z-Mail (4.0.1 13Jan97)
To: Mario Muehlbauer , Firewalls@GreatCircle.COM
Subject: Re: Firewall-1 on NT
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Dear Mario,

Your question comes at a perfect time for me, since I need to do (about) the same thing.

I think that your questions are nice for a good discussion but that question should be different. Since only the outside ethernet adaptor is connected to the net, your focus should be on that part of the machine. Hardening the OS will only be beneficial if your FW machine is compromised...
in which case (I think) you really only want to be notified, and turn the machine off...

What I am going to be looking at and am interested in is the basic stability of FW-1 on NT... I have heard from sources that Checkpoint is now developing FW-1 for NT and then ports it to UNIX, not the other way around. True? This should be good for the basic stability of FW-1-on-NT but again: I am more interested in the experiences other admins have.

Your wish to 'plug holes in NT' is a cry for a tremendous list of patches, advisories, updates and other goodies but again, what you really want to look at is all that touches your network card...

So I would like to ask the list: how much ip-stack in a FW-1 config is MS's and how much is replaced by Checkpoint's?

emj

On Oct 16, 13:37, Mario Muehlbauer wrote:
> Subject: Firewall-1 on NT
> I need to implement Firewall-1 on Windows NT 4.0.
>
> What security holes could be in NT?
>
> How can I harden the OS?
>
> Please no philosophic discussions about NT versus UNIX!
>
> Mario Muehlbauer
>-- End of excerpt from Mario Muehlbauer

--
-------------------------------------------------------------------
Ewout Meij Pinewood Automatisering b.v.
E-mail: ewout@pinewood.nl Kluyverweg 2a Phone: +31-15 268.25.43 2629 HT Delft Some man are wise and some are otherwise From owner-firewalls-list Thu Oct 16 10:10:43 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA20801; Thu, 16 Oct 1997 09:59:37 -0700 (PDT) Received: from mercury.imx-exchange.com (mercury.imx-exchange.com [207.82.224.3]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id JAA20794 for ; Thu, 16 Oct 1997 09:59:31 -0700 (PDT) Received: by mercury.imx-exchange.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52) id <01BCDA19.EC556BF0@mercury.imx-exchange.com>; Thu, 16 Oct 1997 09:57:33 -0700 Message-ID: From: James Terry To: "'Doug Bridgens'" , "'firewalls@greatcircle.com'" Subject: RE: Firewalls: Exchange mail proxy in DMZ. Date: Thu, 16 Oct 1997 09:57:02 -0700 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk There are other ways of course, software being what it is. We've got some positive preliminary results from our testing of MS pptp over SecureRemote to a translated address. A little costly perhaps, but it DOES seem to work. james@imx-exchange.com >-----Original Message----- >From: Doug Bridgens [SMTP:doug.bridgens@imxexchange.com] >Sent: Thursday, October 16, 1997 1:50 AM >To: 'firewalls@greatcircle.com' >Subject: Firewalls: Exchange mail proxy in DMZ. > >Hi, > Has anyone set up a MS Exchange mail server proxy in the DMZ of their >firewall? We have a few remote users who will need to access email >accounts in our servers. Is a mail server proxy the best way to >achieve this, or are there other ways? 
>
>Thanks
>Doug

From owner-firewalls-list Thu Oct 16 10:35:49 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA20189; Thu, 16 Oct 1997 09:55:30 -0700 (PDT)
Received: from main.geminisecure.com (main.geminisecure.com [205.179.16.1]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id JAA20132 for ; Thu, 16 Oct 1997 09:55:16 -0700 (PDT)
Received: (from leonard@localhost) by main.geminisecure.com (8.6.9/8.6.9) id JAA13148; Thu, 16 Oct 1997 09:51:37 -0700
Date: Thu, 16 Oct 1997 09:51:37 -0700 (PDT)
From: Leonard Miyata
To: Doug Bridgens
cc: "'firewalls@greatcircle.com'"
Subject: Re: Firewalls: www & high port numbers
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi There

You have encountered the problem with FTP passive mode. Passive mode connects from a random high port to a random high port. It is directional, as the side initiating the data connection (always the client) always has the SYN bit set on the first packet. Without a true FTP proxy that supports passive mode, you have to open all high-port-to-high-port connections. By filtering on the SYN bit, at least you can restrict who can start the transfer to only 'inside to outside' connections. The book 'Building Internet Firewalls' by Chapman and Zwicky has a good write-up on the details.

Personal Opinions provided by Leonard Miyata aka leonard@geminisecure.com
Gemini Computers Inc.

On Thu, 16 Oct 1997, Doug Bridgens wrote:
> Hi,
> When browsing the WWW lots of sites offer downloadable software. When
> you click on the link to the download you are shoved to a new page at a
> high port number (eg. 34200). Whenever a browser tries to go to
> download something it just hangs because the firewall is stopping its
> communication through the high port number.
> Can anyone tell me what
> should be done to allow downloading software from the web but not open up
> every port?
>
> Thanks
> Doug
>

From owner-firewalls-list Thu Oct 16 10:38:17 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA22213; Thu, 16 Oct 1997 10:10:19 -0700 (PDT)
Received: from halon.sybase.com (halon.sybase.com [192.138.151.33]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id KAA22129 for ; Thu, 16 Oct 1997 10:09:58 -0700 (PDT)
Received: from smtp1.sybase.com (sybgate.sybase.com [130.214.220.35]) by halon.sybase.com (8.8.4/8.8.4) with SMTP id KAA03822 for ; Thu, 16 Oct 1997 10:09:17 -0700 (PDT)
Received: from notesgw2.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) id AA10151; Thu, 16 Oct 97 10:11:47 PDT
Received: (from unixsvr1@localhost) by notesgw2.sybase.com (8.8.4/8.8.4) id KAA11124 for @sybgate.sybase.com:firewalls@GreatCircle.COM; Thu, 16 Oct 1997 10:11:35 -0700 (PDT)
Message-Id: <199710161711.KAA11124@notesgw2.sybase.com>
Received: by SybaseNotes (Lotus Notes Mail Gateway for SMTP V1.1) id 0BB5E3B583A9BB4B88256532005C9E51; Thu, 16 Oct 97 10:11:34 EDT
To: Marcel Groenewald
Cc: firewalls
From: Ryan Russell/SYBASE
Date: 16 Oct 97 10:18:47 EDT
Subject: Re: Simple UDP & ActiveX question
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

It's not possible to reliably authenticate the origin of ANY packet unless it's cryptographically signed by a trusted party you've previously exchanged keys with, and you trust them to manage their keys properly. UDP is just easier to spoof.

ActiveX acknowledges the fact that downloaded code can essentially do whatever it wants, and its security is based on the fact that the applets are cryptographically signed (hopefully by a trustworthy party) but the end user typically gets to decide if they will download an applet, signed by good guys, bad guys, or not at all.
Java pretends that it doesn't have security problems. The latest also adds a signed-applet-with-full-privs mechanism like ActiveX. So, no, depending on your level of paranoia, none of those are good enough. Ryan marcelg@new.iscorltd.co.za (Marcel Groenewald) on 10/16/97 03:01:23 PM To: firewalls@GreatCircle.COM @ smtp cc: (bcc: Ryan Russell/SYBASE) Subject: Simple UDP & ActiveX question Hi all, Please tell me if the following statements are true, and if so, if it's a good enough reason to stop the relevent services from going accross the firewall: "UDP should be blocked, since it is not possible to reliably authenticate the origin of UDP packets" "ActiveX (but not Java) should be blocked by the firewall" Thank you Marcel Groenewald /*******************************************************************/ The views expressed above are not necessarily those of Iscor Limited /*******************************************************************/ From owner-firewalls-list Thu Oct 16 11:09:35 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA28143; Thu, 16 Oct 1997 10:38:35 -0700 (PDT) Received: from mailgw1.almaden.ibm.com (mailgw1.almaden.ibm.com [198.4.83.39]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id KAA28117 for ; Thu, 16 Oct 1997 10:38:25 -0700 (PDT) From: trall@almaden.ibm.com Received: by mailgw1.almaden.ibm.com(Lotus SMTP MTA v1.1 (385.6 5-6-1997)) id 88256532.005F8F60 ; Thu, 16 Oct 1997 10:23:46 -0700 X-Lotus-FromDomain: ALMADEN To: firewalls@greatcircle.com Message-ID: <88256532.005E4976.00@mailgw1.almaden.ibm.com> Date: Thu, 16 Oct 1997 10:23:20 -0700 Subject: RE: Firewalls: www & high port numbers Mime-Version: 1.0 Content-type: text/plain; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk "Stackpole, Bill" wrote: >>Some routers and firewalls allow you to filter on "established" connections. 
This feature allows any inbound packets to pass through if the connection was established internally (outbound) and will overcome this particular problem. However, it may create other security problems. I would like to hear from some others about the pitfalls of using this mechanism. <<

You're not quite right about the meaning of "established". With Cisco it means that any packet with the ACK or RST bit in the flags will match (a connection initiation packet normally contains only SYN). If your access-list says to permit this, such packets will be allowed through. This means that an attacker could get packets through to the target simply by including the ACK bit. There are some exploits that try to make use of this. This could involve:

* Forging the origin IP address to try to match an existing connection (generally would need to guess at the TCP sequence number too, but there are ways to do this on some stacks).

* Simply probing for flaws in the target's stack; i.e., it should ignore any established packet unless it's part of an existing connection, but you never know (I haven't heard of successful attacks using this).
Tony Rall

From owner-firewalls-list Thu Oct 16 11:14:55 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA28941; Thu, 16 Oct 1997 10:46:37 -0700 (PDT)
Received: from mail.istar.ca (mail1.toronto.istar.net [209.89.75.17]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id KAA28934 for ; Thu, 16 Oct 1997 10:46:30 -0700 (PDT)
Received: from pc9191 [142.176.37.19] by mail.istar.ca with smtp (Exim 1.70 #1) id 0xLtzj-0000Y3-00; Thu, 16 Oct 1997 13:45:59 -0400
From: "Kevin Speichts"
To: "Jyri Kaljundi" , "Frank Darden"
Cc: , "Firewalls mailing list"
Subject: Re: [FW1] Re: Virus Protection on FW-1
Date: Thu, 16 Oct 1997 14:46:06 -0300
Message-ID: <01bcda5b$61214260$140ea8c0@pc9191>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.71.1712.3
X-Mimeole: Produced By Microsoft MimeOLE V4.71.1712.3
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

-----Original Message-----
From: Jyri Kaljundi
To: Frank Darden
Cc: fw-1-mailinglist@us.checkpoint.com ; Firewalls mailing list
Date: Thursday, October 16, 1997 1:46 PM
Subject: Re: [FW1] Re: Virus Protection on FW-1

snip.

>I don't know about NT, may be that really is so stupid it does not know
>how to use both processors.
>
>Jyri Kaljundi
>jk@stallion.ee
>AS Stallion Ltd
>http://www.stallion.ee/
>
>

Smartly NT will use both processors, it was designed from the start to use them. Unlike other OS's like NetWare where multiprocessor support was grafted onto the primary OS. NT workstation supports 2, NT server supports 4, OEM versions (like Compaq) can support up to 32. If the application isn't multithreaded then it can't take advantage of the second processor. The OS will use them for its other services though.

Jyri, please keep the OS religious chatter off this list, please and thank you.
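Leonard Miyata's advice above (filter on the SYN bit so only inside-to-outside high-port connections can start) and Tony Rall's caution that Cisco's "established" keyword matches any segment carrying ACK or RST come down to the same stateless test. The following Python model is an added example of where that test holds and where it fails; it is not code from either poster, from Cisco, or from any firewall product. The 10.0.0.0 inside prefix, the addresses, the port numbers and the four segments are constructed for the example, and the stateful filter beside the ACL is a simplified model of connection tracking, not any product's implementation.

```python
"""
Added example (not code from any poster, Cisco or a product): a toy model of
what a stateless "established" rule versus a stateful filter does with the
packets discussed in this thread.  Hosts, ports and packets are constructed.
"""
from dataclasses import dataclass

INSIDE_PREFIX = "10.0.0."          # constructed: the protected network


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: set                     # any of "SYN", "ACK", "RST", "FIN"


def is_inbound(p: Packet) -> bool:
    """Inbound means it arrives from outside and is addressed to an inside host."""
    return not p.src.startswith(INSIDE_PREFIX) and p.dst.startswith(INSIDE_PREFIX)


def established_acl_permits(p: Packet) -> bool:
    """Cisco-style 'established': an inbound TCP segment matches if ACK or RST is
    set.  Nothing is remembered, so a forged ACK-only segment matches too."""
    if not is_inbound(p):
        return True                # outbound (inside-to-outside) is allowed
    return bool(p.flags & {"ACK", "RST"})


class StatefulFilter:
    """Permits an inbound segment only if an inside host opened the flow
    (we saw its outbound SYN).  This covers a passive-mode FTP data connection
    without opening every high port to unsolicited inbound segments."""

    def __init__(self) -> None:
        self.flows = set()         # (inside host, port, outside host, port)

    def permits(self, p: Packet) -> bool:
        if not is_inbound(p):
            if "SYN" in p.flags and "ACK" not in p.flags:
                self.flows.add((p.src, p.sport, p.dst, p.dport))
            return True
        return (p.dst, p.dport, p.src, p.sport) in self.flows


def run_scenario() -> dict:
    """Feed four constructed segments through both filters, in order.
    Returns {description: (established_acl_permits, stateful_permits)}."""
    client, server, attacker = "10.0.0.5", "203.0.113.7", "198.51.100.9"
    segments = [
        # inside client opens the PASV data connection to the server's high port
        ("pasv data SYN out", Packet(client, 40001, server, 34200, {"SYN"})),
        # the server's reply to that connection
        ("pasv data SYN/ACK in", Packet(server, 34200, client, 40001, {"SYN", "ACK"})),
        # an outsider trying to open a connection to NetBIOS session service
        ("inbound SYN to 139", Packet(attacker, 5555, client, 139, {"SYN"})),
        # the same outsider setting only ACK, the case Tony Rall describes
        ("inbound ACK-only to 139", Packet(attacker, 5555, client, 139, {"ACK"})),
    ]
    stateful = StatefulFilter()
    return {name: (established_acl_permits(seg), stateful.permits(seg))
            for name, seg in segments}


if __name__ == "__main__":
    for name, (acl, state) in run_scenario().items():
        print(f"{name:26s} established-ACL={acl!s:5} stateful={state}")
```

The first two segments are the passive-mode download working through both filters: the client starts the flow, so its SYN goes out and the server's SYN/ACK comes back in. The third is refused by both. The fourth is the point of Tony Rall's message: the stateless rule cannot tell a forged ACK-only segment from a reply, while the flow table rejects it because no inside host opened that flow. Real connection tracking also checks sequence numbers and ages flows out; the model omits that deliberately.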
From owner-firewalls-list Thu Oct 16 11:18:41 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA01179; Thu, 16 Oct 1997 11:05:22 -0700 (PDT)
Received: from point.sybronint.com ([208.19.132.70]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id LAA01147 for ; Thu, 16 Oct 1997 11:05:09 -0700 (PDT)
Received: from xxxaaa ([208.19.132.152]) by point.sybronint.com (8.8.5/8.8.5) with SMTP id NAA05874 for ; Thu, 16 Oct 1997 13:04:26 -0500
From: "Matt Eide"
To:
Subject: Re: Firewall-1 on NT
Date: Thu, 16 Oct 1997 13:02:58 -0500
Message-ID: <01bcda5d$bca6e840$988413d0@xxxaaa>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.71.1712.3
X-Mimeole: Produced By Microsoft MimeOLE V4.71.1712.3
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Not to be argumentative.

--------------------Ewout Meij wrote -----------------
>Dear Mario,
>
>Your question comes at a perfect time for me, since I need
>to do (about) the same thing.
>
>I think that your questions are nice for a good discussion but
>that question should be different. Since only the outside
>ethernet adaptor is connected to the net, your focus
>should be on that part of the machine.

True, only if you have an Internet Firewall and are not worried about somebody compromising it from the inside.

>Hardening the OS will only be beneficial if your FW machine
>is compromised... in which case (I think) you really only want
>to be notified, and turn the machine off...
>

You may also want to prevent that individual from modifying the system before you hit the power switch.

-----Snipped -----
...
>
>So I would like to ask the list: how much ip-stack in
>a FW-1 config is MS's and how much is replaced by
>Checkpoint's?

I believe the whole stack is replaced. I took a NT 4.0 box and ran Winnuke against it and it gave an exception error with TCPIP.SYS.
When I ran Ping of Death2 tests against a box running FW1 2.1 it gave an exception error with, I believe, FW.SYS (maybe the wrong name; I did not write it down, and I have not tried it against my box running FW 3.0, maybe later today). FW1 would not forward any packets inbound or outbound after the exception error happened. That was my experience; somebody a little more literate on the internals of FW1 might want to comment.

In response to questions of stability, I've got a Compaq Proliant Pentium Pro with 3COM NICs running 2.1C on NT4 running as an Internet firewall that has worked great with moderate usage for the last 8 months. The only problem I had was when somebody decided to run a Denial of Service attack against it. I will soon be swapping in a box running FW 3.0 and I'm pretty confident that I can configure the new firewall to be more resistant to Denial of Service attacks.

--- Snipped Mario Muehlbauer original post -------------

That is my two cents; maybe later I will have a little better info on the FW-1 TCP/IP stack to post on the list. Mail me if you would like to talk about this.
Good Luck,

Matt Eide
Network Admin
Sybron International

From owner-firewalls-list Thu Oct 16 11:35:32 1997
Date: Thu, 16 Oct 1997 23:28:47 +0800
From: Zhu Chun
Message-Id: <9710161528.AA30706@maindns.buaa.edu.cn>
Apparently-To: firewalls@GreatCircle.com

remove

From owner-firewalls-list Thu Oct 16 12:25:00 1997
Message-ID: <35F80E47DCD8D011AACA00A0CC660C5E026357@ARGUS-PDC>
From: Marc Dorando
To: firewalls@GreatCircle.COM
Date: Thu, 16 Oct 1997 18:17:12 +0200

remove

From owner-firewalls-list Thu Oct 16 12:34:44 1997
Message-ID: <34463D5B.B0C940@tin.it>
Date: Thu, 16 Oct 1997 18:14:20 +0200
From: advide Consonni
To: firewalls@GreatCircle.COM
Subject: letter

remove

From owner-firewalls-list Thu Oct 16 12:37:04 1997
Message-ID: <34463479.B8AEE216@active.ch>
Date: Thu, 16 Oct 1997 16:36:25 +0100
From: cuco
To: Firewalls@GreatCircle.COM
Subject: Firewall for linux
References: <199710160800.BAA11501@honor.greatcircle.com>

Hello Jonah,

You can see the following URL from the University of Zurich: http://www.ifi.unizh.ch/ikm/SINUS/firewall.html. There is a firewall that runs on Linux.
Greetings
Alex

From owner-firewalls-list Thu Oct 16 12:39:24 1997
Message-Id: <3.0.2.32.19971016193455.0068dbc4@mail.telepac.pt>
Date: Thu, 16 Oct 1997 19:34:55 +0100
To: Firewalls@GreatCircle.COM
From: Ana Catarina Silva

Sorry, but I'm receiving some mails, I mean a lot of mails, and they are not for me because they refer to Windows and Windows NT and I'M NOT INTERESTED. See if you can arrange the situation.

Best wishes,
Ana Catarina Silva.

From owner-firewalls-list Thu Oct 16 12:41:58 1997
Message-ID: <01BCDA1F.48048B70@ahy@ziplink.net>
From: Arthur Young
Reply-To: "ary@medss.com"
To: "firewalls@GreatCircle.COM"
Date: Thu, 16 Oct 1997 10:35:19 -0400
Organization: Medical Systems Solutions, Inc.
Is there any product out there that could dynamically identify the ports used by a web site ... e.g. if I connect to a site it would tell me that it is using port 80, 81, etc. It seems that more and more sites are using multiple ports and it would be helpful to identify them to allow secure access through the firewall.

- Arthur Young, Medical Systems Solutions, Inc. (508) 429-3956

From owner-firewalls-list Thu Oct 16 12:49:19 1997
Message-ID: <01BBBB53.A020BB80@mg65.csn.com.br>
From: Alessandro Jannuzzi
To: "'firewalls@greatcircle.com'"
Subject: Wrong time logged
Date: Thu, 16 Oct 1997 11:16:26 -0300

Hello,

I am experiencing the following problem: in my Firewall-1 3.0 log file all entries are being logged with the wrong time. I am using two machines, running Solaris, one with the inspection module and the other with the management module. The system date is OK on the two machines.
Any tips?

Thanks in advance.

Regards,
Alessandro Jannuzzi
jannuzzi@csn.com.br

From owner-firewalls-list Thu Oct 16 13:26:55 1997
Message-Id: <3.0.3.32.19971016161004.006fb3b4@pophost.gte.com>
Date: Thu, 16 Oct 1997 16:10:04 -0400
To: firewalls@GreatCircle.COM
From: bob bryant

remove

Bob Bryant                        Email rbryant@gte.com
Member Technical Staff            Fax 617-466-2838
Secure Systems Department         Phone 617-466-2821
GTE Laboratories Incorporated
40 Sylvan Rd
Waltham, Ma 02254

From owner-firewalls-list Thu Oct 16 14:48:26 1997
From: "Wolfgang, Karl"
To: "'Doug Bridgens'", "'firewalls@greatcircle.com'"
Subject: RE: Firewalls: Exchange mail proxy in DMZ.
Date: Thu, 16 Oct 1997 13:47:40 -0700

Have you tried using a Remote Access Service with Challenge Handshake Authentication Protocol for DES-encrypted authentication? The remote user would then pass through to the Exchange server. You could set Performance Monitor to alert if unauthorized nasty folks try to access the net through the RAS. Of course this assumes that you are using the NT OS. Check out Tom Sheldon's book Windows NT Security Handbook for more information.

>----------
>From: Doug Bridgens[SMTP:Doug.Bridgens@3Dlabs.com]
>Sent: Thursday, October 16, 1997 1:50 AM
>To: 'firewalls@greatcircle.com'
>Subject: Firewalls: Exchange mail proxy in DMZ.
>
>Hi,
> Has anyone set up a MS Exchange mail server proxy in the DMZ of their
>firewall? We have a few remote users who will need to access email
>accounts in our servers. Is a mail server proxy the best way to
>achieve this, or are there other ways?
>
>Thanks
>Doug
>

From owner-firewalls-list Thu Oct 16 15:08:42 1997
Subject: Re: PIX and other "Black boxes" vs normal firewalls.
Organization: Ming Pao Daily News (Canada)
References: <343E27D6.CAE18E73@techie.com>
Date: Thu, 16 Oct 1997 21:58:48 GMT
From: Ambrose Li
To: firewalls@greatcircle.com
Reply-To: Ambrose Li

There is also the Borderware firewall, which is also a "black box" (once it is installed), also based on "hardened Unix" (BSD).

In article <343E27D6.CAE18E73@techie.com>, Emmanuel Yiu wrote:
>
>Their solution is kind of neat to me. They have a box which runs a "hardened" Linux
>kernel. This sounds to me a good edge: it is based on UNIX, a lot of people know
>it, and probably when there is a security hole it will be identified quickly and
>potentially closed quickly (owing to the accessibility of source code by a WORLD of
>experts). You can constantly bug your vendor about any security hole that you
>know of from any source, like this list. This seems better than with PIX, as you depend
>solely on CISCO for any fix, which they may not even ACTIVELY inform you of. That
>serves as the hardware part of the whole solution.

--
Ambrose C. Li
Programmer-analyst (sysadmin)
Toronto EDP, Ming Pao Daily News
+1(416)321-0088
1355 Huntingwood Dr
Scarborough ON Canada M1S 3J1
[<- work ]  [ home ->]

From owner-firewalls-list Thu Oct 16 15:40:09 1997
From: jphillip@umr.edu
Message-Id: <199710162216.RAA20260@rocket.cc.umr.edu>
To: firewalls@GreatCircle.COM
Date: Thu, 16 Oct 1997 17:16:24 -0500 (CDT)

remove

From owner-firewalls-list Thu Oct 16 15:43:21 1997
Message-Id: <3.0.3.32.19971016180546.006d4ac8@postoffice.worldnet.att.net>
Date: Thu, 16 Oct 1997 18:05:46 -0400
To: "Stackpole, Bill", "'Doug Bridgens'", "'firewalls@greatcircle.com'"
From: Steve Kruse
Subject: RE: Firewalls: www & high port numbers

At 03:15 PM 10/16/97 +0000, Stackpole, Bill wrote:
>Some routers and firewalls allow you to filter on "established"
>connections. This feature allows any inbound packets to pass through if
>the connection was established internally (outbound) and will overcome
>this particular problem. However, it may create other security
>problems. I would like to hear from some others about the pitfalls of
>using this mechanism.

This becomes a religious issue with some, but the major thing about packet filtering is that it relies primarily on IP and port number assignments, with some routers going a bit farther to control things such as the TCP_EST and other flags. Packet filters are fast and efficient. Using more advanced "filtering" such as "stateful inspection" and full proxy offers more options in tightening down security policy. Just one example: with a proxy you can control whether someone can do a put or get, chdir etc. in an FTP session. This is either impossible or very, very difficult to do with packet filters. The price paid is in slightly degraded performance compared to packet filters.

The security manager's decision, as always, is: "What is my level of paranoia?" What am I willing to pay for my security? Cost of the solution? Speed/performance? Ease of use/administration?

Good luck!

Steve Kruse

>
>> -----Original Message-----
>> From: Doug Bridgens [SMTP:Doug.Bridgens@3Dlabs.com]
>> Sent: Thursday, October 16, 1997 1:43 AM
>> To: 'firewalls@greatcircle.com'
>> Subject: Firewalls: www & high port numbers
>>
>> Hi,
>> When browsing the WWW lots of sites offer downloadable software.
S T U F F D E L E T E D TO S A V E B A N D W I D T H
>> rt number (eg. 34200). Whenever a browser tries to go to
>> download something it just hangs because the firewall is stopping its
>> communication through the high port number. Can anyone tell me what
>> should be done to allow downloading software from the web but not open
>> up every port?
>>
>> Thanks
>> Doug
>

*****************************************************
* Steve Kruse                  Milkyway Networks    *
* Network Systems Engineer     1342 E. Vine St. #224 *
* 407-847-8977 Voice           Kissimmee, FL 34744   *
* 407-847-7203 Fax             http://www.milkyway.com *
*****************************************************

From owner-firewalls-list Thu Oct 16 15:49:15 1997
Date: Thu, 16 Oct 1997 15:51:53 -0400
Message-ID: <00044B04.3452@disclosure.com>
From: Larry.Riley@disclosure.com (Larry Riley)
Subject: Connect: Conceal Encryption Server
To: firewalls@Greatcircle.com

I am looking at evaluating the Connect: Conceal Encryption Server and Firewall for Unix from Sterling Commerce, for my company.
Does anyone have either of these systems up and running? Or have tested these systems in the past?

Thanks for your input.

Larry

From owner-firewalls-list Thu Oct 16 17:16:21 1997
Date: Thu, 16 Oct 1997 09:38:34 -0400 (EDT)
From: "Paul D. Robertson"
To: Peter Ford
cc: "'firewalls@greatcircle.com'"
Subject: RE: TCP options and firewalls
In-Reply-To: <8D8EF175E72CD111805800805F3198EE1A56A2@RED-MSG-46.dns.microsoft.com>

On Wed, 15 Oct 1997, Peter Ford wrote:

> I actually mean TCP options, and I am actually interested in
> "new" TCP options that firewalls might not recognize.

In the case of proxies, the bastion's stack isn't going to pass the options through to the clients. So, you may as well say that none of them will be recognized for the case of non-packet filters.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
PSB#9280

From owner-firewalls-list Thu Oct 16 18:03:54 1997
Date: Thu, 16 Oct 1997 19:39:14 +0300 (EET DST)
From: Jyri Kaljundi
To: Frank Darden
cc: fw-1-mailinglist@us.checkpoint.com, Firewalls mailing list
Subject: Re: [FW1] Re: Virus Protection on FW-1
In-Reply-To: <3.0.2.32.19971016085845.007be270@9.1.1.1>

On Thu, 16 Oct 1997, Frank Darden wrote:

> >By the way, does the CheckPoint firewall service take advantage of Windows
> >NT symmetric multi-processing?
>
> Firewall-1 is a single threaded application. In 3.0a, multi-processor
> support was there, but they have mysteriously removed it from 3.0b. So for
> the time being, the answer is no, on all platforms.

This should already go into a FAQ somewhere: yes, FireWall-1, at least on Solaris Sparc and Solaris x86 Intel, does take advantage of multiprocessing. Why: because Solaris itself distributes the load between two or more processors. Believe me, if you add a second processor to a dual Pentium, for example, you can see how it gets better.

I don't know about NT, maybe that really is so stupid it does not know how to use both processors.
Jyri Kaljundi
jk@stallion.ee
AS Stallion Ltd
http://www.stallion.ee/

From owner-firewalls-list Thu Oct 16 18:41:47 1997
From: tcooper@hns.com
To: Firewalls@GreatCircle.COM
Message-ID: <85256532.004AE374.00@ngw2.hns.com>
Date: Thu, 16 Oct 1997 09:43:46 -0400
Subject: Re: Firewalls-Digest V6 #489

NT uses TCP ports 138 and 139, as well as UDP 138 and 139.

> ------------------------------
> Date: Thu, 16 Oct 1997 16:42:29 +1000 (EST)
> From: Colin Linahan
> Subject: Windows NT domain through Gauntlet firewall
>
> Hi everyone,
> We want to do what many may consider a security risk - allow Windows
> NT ports 137,138 and 139 between initially three geographically
> separate sites.

Make sure that your solution supports TCP and UDP!

> Basically - will someone at another of our sites be able to join
> or log in to our domain if the PDC is at our site, behind our
> firewall ?

One domain, three sites? PDC at main site with BDCs at remote sites? You want your users to do local logins, so setting up a BDC at your remotes makes good sense.

Multiple domains, one per site, with trust relationships? This is still workable, but again, it's better if you can have a BDC locally to minimize WAN traffic.....
Regards,
Tom

From owner-firewalls-list Thu Oct 16 18:48:41 1997
From: Doug Bridgens
To: "'Firewalls@GreatCircle.COM'"
Subject: RE: Firewall-1 on NT
Date: Thu, 16 Oct 1997 15:10:46 +0100

I read a knowledge base (I think) article which said things like rename the admin account, disable all non-essential accounts, disable all non-essential services. You can also set the admin account to be accessible only from the console (i.e. not remotely). I think most of these are set in the registry though.

Doug

>-----Original Message-----
>From: Mario Muehlbauer [SMTP:mamuehl@mail.teleconsult.de]
>Sent: Thursday, October 16, 1997 12:37 PM
>To: Firewalls@GreatCircle.COM
>Subject: Firewall-1 on NT
>
>I need to implement Firewall-1 on Windows NT 4.0.
>
>What security holes could be in NT?
>
>How can I harden the OS?
>
>Please no philosophic discussions about NT versus UNIX!
>
>Mario Muehlbauer

From owner-firewalls-list Thu Oct 16 19:31:43 1997
Message-Id: <3.0.2.32.19971016085845.007be270@9.1.1.1>
Date: Thu, 16 Oct 1997 08:58:45 -0400
To: "Jay K. Bahel", "Didier Raelet"
From: Frank Darden
Subject: Re: Virus Protection on FW-1
In-Reply-To: <199707310221.VAA03004@Kitten.mcs.com>

At 09:24 PM 7/30/97 -0500, Jay K. Bahel wrote:
>How much of a performance hit is it to have firewall virus protection

A very large performance hit. None of these products run well when placed on the firewall. (I know Esafe actually warns against this). I should also mention that if you run the CVP server by itself on a high end Pentium, the CVP actions are nearly transparent to the user. I strongly recommend only running what's necessary on your firewall. Don't be penny wise and pound foolish.

>snap-ins (i.e. ViruSafe and the Symantec solution) installed directly on
>the firewall server (WINNT) as opposed to on another server using CVP? I
>plan to have my firewall machine have a LOT of horsepower.

I still recommend you run it separately.

>By the way, does the CheckPoint firewall service take advantage of Windows
>NT symmetric multi-processing?

Firewall-1 is a single threaded application.
In 3.0a, multi-processor support was there, but they have mysteriously removed it from 3.0b. So for the time being, the answer is no, on all platforms.

>-Jay
>----------
>> From: Didier Raelet

http://www.locked.com

From owner-firewalls-list Thu Oct 16 19:33:56 1997
From: "Stackpole, Bill"
To: "'marcelg@new.iscorltd.co.za'", firewalls@greatcircle.com
Subject: RE: Simple UDP & ActiveX question
Date: Thu, 16 Oct 1997 09:04:36 -0700

> -----Original Message-----
> From: marcelg@new.iscorltd.co.za [SMTP:marcelg@new.iscorltd.co.za]
> Sent: Thursday, October 16, 1997 6:01 AM
> To: firewalls@greatcircle.com
> Subject: Simple UDP & ActiveX question
>
> Hi all,
>
> Please tell me if the following statements are true, and if so, if it's a
> good enough reason to stop the relevant services from going across the
> firewall:
>
> "UDP should be blocked, since it is not possible to reliably authenticate
> the origin of UDP packets"
> [Bill Stackpole] It's not possible to reliably authenticate IP
> packets in general unless you implement some authentication protocol.
> But if you block all UDP you are going to have significant problems
> getting services (e.g., DNS) that use UDP to work.
>
> "ActiveX (but not Java) should be blocked by the firewall"
> [Bill Stackpole] ActiveX is a security nightmare.
> And the developers
> have openly stated that they have no intention of adding secure
> features to it. I would definitely deny ActiveX use on my network.
> Java also has some security problems and (in my opinion) its use
> should be restricted until Sun has addressed some of the problems that
> have surfaced.
>
> Thank you
> Marcel Groenewald
>
> /*******************************************************************/
> The views expressed above are not necessarily those of Iscor Limited
> /*******************************************************************/

From owner-firewalls-list Thu Oct 16 19:40:51 1997
Date: Thu, 16 Oct 1997 12:02:39 -0400 (EDT)
From: "M. Dodge Mumford"
To: jonah
cc: "'firewalls@greatcircle.com'"
Subject: Re: firewalls with linux OS
In-Reply-To: <01BCD95D.51FF4100@LHfrancois.DTL>

I've implemented a firewall at home using Linux, using the ipfwadm package that's part of the 2.x.x kernel. I'm not using any of the proxies (yet), allowing only a few things out and allowing only one protocol in. It appears to be working well, but I haven't bashed on it hard.

A good reference I used to aid in the setup was "Unix Security" from the editors of SysAdmin magazine, published this year. It has one chapter dedicated to installing a Linux firewall. That chapter was written a while ago (while 1.3.68 was the most current), but enough has stayed the same to make it worthwhile.
The man pages only started to make sense once I'd installed a few rules and tested to see if they did what I'd expected.

Dodge

Defensive Information Warfare Group
M. Dodge Mumford
http://www.btg.com
dmumford@btg.com
PGP Public Key Available

On Wed, 15 Oct 1997, jonah wrote:
> hello,
>
> I need to install a firewall for a non profit organisation.
> I have almost no budget so it has to be a freeware (or shareware)
> and to run on a PC with linux OS.
> This is my first experience in installing and configuring a firewall.
>
> I have heard of two solutions : socks and fwtk.
> does anyone know the differences between these two firewalls ?
> are there any other free firewalls available ?
>
> If you have any experience with any freeware firewall with linux
> please answer.
> Thanks.
>
> jonah
> Paris, France.

From owner-firewalls-list Thu Oct 16 20:24:58 1997
From: Lee Nan Phin
Reply-To: nplee@mol.net.my
Organization: CS
To: firewall
Subject: WinGate Proxy
Date: Fri, 17 Oct 1997 10:31:08 -0700

Hi all,

Need to seek an expert's advice on the above. We have difficulty setting up Lotus Client accessing Domino server through WinGate Proxy server. I notice that there is no predefined proxy for Lotus Notes connection (port 1351). What should I do? Any advice would be appreciated. Thanks in advance.

Regards.
From owner-firewalls-list Thu Oct 16 20:34:14 1997
From: Andy Lewis
To: firewalls@GreatCircle.COM
Subject: REMOVES
Date: Thu, 16 Oct 1997 22:04:03 -0500 (CDT)

I get I don't know how many e-mails a day from people removing themselves from this list. Isn't there any way to not bounce removes to those of us that are on the list? This certainly could save a heck of a lot of BW....

Andy

From owner-firewalls-list Thu Oct 16 20:49:01 1997
From: "Mark Teicher"
To: "Ambrose Li", firewalls@GreatCircle.COM
Subject: Re: PIX and other "Black boxes" vs normal firewalls.
Date: Thu, 16 Oct 1997 20:22:16 -0400

> > This seems to be better with PIX as you depend
> > solely on CISCO for any fix which they may not even ACTIVELY inform you. That
> > serves as the hardware part of the whole solution.

What do you mean by this??

"may not even ACTIVELY inform you"

/mht

----------
> From: Ambrose Li
> To: firewalls@GreatCircle.COM
> Subject: Re: PIX and other "Black boxes" vs normal firewalls.
> Date: Thursday, October 16, 1997 5:58 PM
>
> There is also the Borderware firewall, which is also a "black box"
> (once it is installed), also based on "hardened Unix" (BSD).
>
> In article <343E27D6.CAE18E73@techie.com>, Emmanuel Yiu wrote:
> >
> > Their solution is kind of neat to me. They have a box which runs a "hardened" Linux
> > kernel. This sounds to me a good edge: it is based on UNIX, a lot of people know
> > it and probably when there is a security hole, it will be identified quickly and
> > potentially closed quickly (owing to the accessibility of source code by a WORLD of
> > experts). You can constantly bug your vendor about any security hole that you
> > know from any source, like this list. This seems to be better with PIX as you depend
> > solely on CISCO for any fix which they may not even ACTIVELY inform you. That
> > serves as the hardware part of the whole solution.
>
> --
> Ambrose C.
> Li Programmer-analyst (sysadmin)
> Toronto EDP, Ming Pao Daily News +1(416)321-0088 1355 Huntingwood Dr
> Scarborough ON Canada M1S 3J1 [<- work ]
> [ home ->]

From owner-firewalls-list Thu Oct 16 21:04:24 1997
From: Stepken
Organization: F.S.S.
To: Chris Pugrud
CC: firewalls@GreatCircle.COM
Subject: Re: firewalls with linux OS
Date: Fri, 17 Oct 1997 05:32:42 +0200

Chris Pugrud wrote:
>
> Part of your firewall planning is needing to determine what to support.
> In Windows based organizations I have found the answer to generally be
> http, ftp, and smtp (web and e-mail basically). In this situation it is
> relatively easy to set up a simple, effective firewall using Linux,
> Apache, and Qmail.
>
> Apache has a pretty good web/ftp proxy function built in. The caching
> functionality doesn't seem to be very effective, but I really haven't
> played with the settings. For added security I tend to run two apache
> daemons, one for the inside with the proxy functions built in, and one
> for the outside web server that is stripped and gutted to the bare
> essentials (the less code there is, the less that can be compromised).

Apache is quite stable. You should let it run in a chroot() environment. For security purposes I really only trust CERN-HTTPD.
It's the only one which is bullet proof.

> Qmail is very fast and effective as an e-mail gateway. I would
> recommend using an internal e-mail server, and just have Qmail relay
> mail between the world and the office. Qmail also has a very easy setup
> to disable the relay functionality, so you can avoid being victimized by
> spammers using your server.

QMAIL still is not bullet proof, but seems to be better than sendmail. I'd recommend a sendmail proxy (there are some free ones) and qmail running in user mode.

> If you strip and gut the Linux server appropriately you will end up with
> a very tight configuration, with only three ports open to attack (http,
> smtp, and dns). A complete configuration with pwebstats for traffic
> analysis and reporting, apache, qmail, and all of the tools you actually
> need on the server is less than 20 MB. Be sure and set up a separate and
> large partition for log files.

I am not really sure that buffer overflows are not possible with bind. I would suggest being very careful. I will test it right now.

By the way - I've found LINUX to be very stable and safe, if you invest some time to harden the system.
cu, Guido Stepken

From owner-firewalls-list Thu Oct 16 21:55:05 1997
From: Avishay Dinar
To: rdavis@lucentncg.com
cc: "'firewalls@greatcircle.com'"
Subject: Re:RE: Keyword filtering of email through firewall
Date: Thu, 16 Oct 1997 21:29:10 +0300 (IDT)

Have a look at AbirNet's SessionWall-3 (http://www.abirnet.com). It contains email content checking and blocking, virus detection, as well as logging and blocking of other services (like telnet, web, ftp and all TCP services, blocking by criteria). It also contains "SmartFilter" - URL blocking by category - and Finjan - active HTML components checking and blocking.

Avishay.

On Fri, 10 Oct 1997 mbeech@csc.ragroup.co.uk wrote:
> Rob,
>
> MIMESweeper (www.integralis.com) provides content checking for e-mail and web
> pages, as well as virus checking functions.
>
> Smartfilter (www.securecomputing.com) will block access to web pages/sites based
> on categories. This can be hosted on a Borderware firewall, MS-proxy server,
> netscape proxy server, UNIX, NT, sidewinder firewall, cached or CSM Proxy plus.
>
> Martin
>
> ____________________Reply Separator____________________
> Subject: RE: Keyword filtering of email through firewall
> Author: "Davis; Rob"
> Date: 10/9/97 5:03 PM
>
> This is tangentially related to firewalls, so I apologize in advance.
> If anyone knows of a more appropriate venue for this, please let me
> know.
>
> I have a multi-national customer with approximately 200 sites that will
> soon be connected with a WAN and additionally have Internet access
> through some yet to be determined firewall.
>
> They would like a mechanism that would allow them to detect
> incoming/outgoing Internet mail that did not meet "company policies".
> This could be sexual content, frivolous material, trade secrets, etc.
> The obvious places to check are the firewall and mail server(s).
>
> I realize that there are still a million ways to get the info out and
> it's probably a bad idea, but I'm curious about potential commercial or
> custom-built applications and the price.
>
> Thanks in advance for your help.
>
> regards,
>
> Rob
>
> >________________________________
> >Rob Davis
> >Lucent Technologies, Network Consulting Group
> >Network Consultant
> >http://www.lucentncg.com
> >(972) 419-3815
> >1-800-SKY-PAGE #126-9384

From owner-firewalls-list Thu Oct 16 22:04:21 1997
From: Doug Bridgens
To: "'firewalls@greatcircle.com'"
Subject: RE: Firewalls: www & high port numbers
Date: Thu, 16 Oct 1997 16:55:49
+0100

[copied back to the firewalls@greatcircle.com list.]

Hi,

On this note (letting internal users use any port to connect to anything), this would also let 'rogue' programs use these ports to connect to their original hosts? Which would be very difficult to monitor, unlike just allowing ftp and www connections where you can use content checking.

Doug

>-----Original Message-----
>From: Chris Pugrud [SMTP:ChrisP@steldyn.com]
>Sent: Thursday, October 16, 1997 4:43 PM
>To: Doug Bridgens
>Subject: RE: Firewalls: www & high port numbers
>
>Unfortunately you didn't provide enough information to really point to
>what is going on, but the information that you would need to provide
>should _not_ be discussed in a public forum.
>
>A standard proxy firewall will have no problem with this type of
>situation, because all requests are sent to the firewall and initiated
>from there. Where I have seen this problem before is with packet
>filters. To allow this the packet filter needs to be set so that it
>allows access to high ports, as long as the access is originated
>internally. This is a fairly straightforward change, but it varies with
>the firewall that you have. It doesn't really open you up to more
>vulnerabilities except for what people inside do. It allows people
>inside to connect to external services on high numbered ports that you
>may not be planning on allowing. About the only way to control this is
>to install a proxy firewall that will work with this situation and still
>restrict what is allowed to web and ftp.
>
>Chris
>
>>-----Original Message-----
>>From: Doug Bridgens [SMTP:Doug.Bridgens@3Dlabs.com]
>>Sent: Thursday, October 16, 1997 2:43 AM
>>To: Firewalls Mailing list
>>Subject: Firewalls: www & high port numbers
>>
>>Hi,
>> When browsing the WWW lots of sites offer downloadable software.
>>When you click on the link to the download you are shoved to a new page at a
>>high port number (eg. 34200). Whenever a browser tries to go to
>>download something it just hangs because the firewall is stopping its
>>communication through the high port number. Can anyone tell me what
>>should be done to allow downloading software from the web but not open up
>>every port?
>>
>>Thanks
>>Doug

From owner-firewalls-list Thu Oct 16 23:11:40 1997
From: "Ed Sawicki"
To: "Kevin Speichts", "Jyri Kaljundi", "Frank Darden"
Cc: "Firewalls mailing list"
Subject: Re: [FW1] Re: Virus Protection on FW-1
Date: Thu, 16 Oct 1997 13:33:46 -0700

> Smartly NT will use both processors, it was designed from the start to use
> them. Unlike other OS's like NetWare where multiprocessor support was
> graphed onto the primary OS.

NetWare was designed many years before NT, at a time when multiple processor machines were not available or needed. You're implying that once a product is released, any changes to the product are "grafted" on and are, therefore, not as good as features that were put in the original design. While I certainly don't agree with this, I hope you apply this belief consistently. NT will soon have Wolfpack and Active Directory _grafted_ on to it. Is this correct?
Even today, NetWare running on a single processor box will usually outperform NT running on a multiple processor box.

> Jyri, please keep the OS religious chatter off this list please and thank
> you.

Yes, Jyri - don't go preaching religion unless it's the one "true" religion.

Ed Sawicki - ALC Press

From owner-firewalls-list Thu Oct 16 23:19:35 1997
From: Emmanuel Yiu
To: "'mark-teicher@worldnet.att.net'", "'firewalls@GreatCircle.COM'"
Subject: RE: PIX and other "Black boxes" vs normal firewalls.
Date: Fri, 17 Oct 1997 13:33:51 +0800

Oh! Sorry for the confusion. What I really mean is that by having a firewall based on an open OS like Linux, you would have much better access to information regarding potential security loopholes in it, for instance from mailing lists, from the Internet. While on the other hand, PIX is based on a proprietary embedded OS, and CISCO would have full control of ANY information regarding the box.
There is the possibility that CISCO will not EASILY disclose information to their customers when there is a POTENTIAL security hole, BEFORE they are 100% sure of the problem.

Icefox

>-----Original Message-----
>From: Mark Teicher [SMTP:mark-teicher@worldnet.att.net]
>Sent: Friday, October 17, 1997 8:22 AM
>To: Ambrose Li; firewalls@GreatCircle.COM
>Subject: Re: PIX and other "Black boxes" vs normal firewalls.
>
>> > This seems to be better with PIX as you depend
>> > solely on CISCO for any fix which they may not even ACTIVELY inform you. That
>> > serves as the hardware part of the whole solution.
>
>What do you mean by this??
>
>"may not even ACTIVELY inform you"
>
>/mht
>----------
>> From: Ambrose Li
>> To: firewalls@GreatCircle.COM
>> Subject: Re: PIX and other "Black boxes" vs normal firewalls.
>> Date: Thursday, October 16, 1997 5:58 PM
>>
>> There is also the Borderware firewall, which is also a "black box"
>> (once it is installed), also based on "hardened Unix" (BSD).
>>
>> In article <343E27D6.CAE18E73@techie.com>, Emmanuel Yiu wrote:
>> >
>> > Their solution is kind of neat to me. They have a box which runs a "hardened" Linux
>> > kernel. This sounds to me a good edge: it is based on UNIX, a lot of people know
>> > it and probably when there is a security hole, it will be identified quickly and
>> > potentially closed quickly (owing to the accessibility of source code by a WORLD of
>> > experts). You can constantly bug your vendor about any security hole that you
>> > know from any source, like this list. This seems to be better with PIX as you depend
>> > solely on CISCO for any fix which they may not even ACTIVELY inform you. That
>> > serves as the hardware part of the whole solution.
>>
>> --
>> Ambrose C.
>> Li Programmer-analyst (sysadmin)
>> Toronto EDP, Ming Pao Daily News +1(416)321-0088 1355 Huntingwood Dr
>> Scarborough ON Canada M1S 3J1 [<- work ]
>> [ home ->]

From owner-firewalls-list Thu Oct 16 23:48:10 1997
From: Bernd Eckenfels
To: Bob Resino
Cc: "'Bernd Eckenfels'", Rik Hemsley, "Firewalls@GreatCircle.COM"
Subject: Re: Promiscuous mode
Date: Fri, 17 Oct 1997 05:48:18 +0200

Hello,

On Oct 15, Bob Resino wrote
> This is NOT true in all cases. Backbone switches move a lot of traffic.
> The filtering and MAC specific traffic comments are only true of edge
> switches used instead of hubs. Most of this is not true in the case of a
> backbone switch in a flat network.

What is the difference between those "non switching" backbone switches and hubs? I think you are talking about bridges (which do most of the time some switching, too). I don't see any reason to call a device a switch if it doesn't filter traffic. It is a hub or a bridge, depending on the hardware used.
Of course this is not true for salesman speak, but of course I use the term switch for a device filtering on Level 1 (TCP/IP Stack).

Greetings
Bernd

--
(OO) -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de --
( .. ) ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/
o--o *plush* 2048/93600EFD eckes@irc +4972573817 BE5-RIPE
(O____O) If privacy is outlawed only Outlaws have privacy

From owner-firewalls-list Thu Oct 16 23:48:15 1997
From: "Stackpole, Bill"
To: "'Doug Bridgens'", "'firewalls@greatcircle.com'"
Subject: RE: Firewalls: www & high port numbers
Date: Thu, 16 Oct 1997 08:15:25 -0700

Some routers and firewalls allow you to filter on "established" connections. This feature allows any inbound packets to pass through if the connection was established internally (outbound) and will overcome this particular problem. However, it may create other security problems. I would like to hear from some others about the pitfalls of using this mechanism.

> -----Original Message-----
> From: Doug Bridgens [SMTP:Doug.Bridgens@3Dlabs.com]
> Sent: Thursday, October 16, 1997 1:43 AM
> To: 'firewalls@greatcircle.com'
> Subject: Firewalls: www & high port numbers
>
> Hi,
> When browsing the WWW lots of sites offer downloadable software.
> When you click on the link to the download you are shoved to a new page at a
> high port number (eg. 34200).
> Whenever a browser tries to go to
> download something it just hangs because the firewall is stopping its
> communication through the high port number. Can anyone tell me what
> should be done to allow downloading software from the web but not open up
> every port?
>
> Thanks
> Doug

From owner-firewalls-list Fri Oct 17 01:10:10 1997
From: Rinc Sergej
To: "'Firewalls@GreatCircle.COM'"
Subject: RE: Firewalls: Exchange mail proxy in DMZ.
Date: Fri, 17 Oct 1997 08:37:59 +0100

You can try setting up MS IIS as a mail gateway to Exchange. Authentication is done on this IIS (I suggest usage of SSL, additional encryption cards etc.). It's handy - your users use a browser to read and reply to their mail. Functionality is probably a little smaller than with the full Exchange client (I have only seen it working once and it will probably be implemented at our site) but perfectly suitable. And - you still control security on your firewall without having to hassle with PPTP, RAS, VPN etc., thus exposing your internal network (don't flame me with the quality of security solutions for this - when you open the internal network, it's opened). Though you have to be more careful at the firewall (which you probably are :-).

Sergej Rinc
system engineer
mailto:sergej.rinc@skb.si

> ----------
> Date: Thu, 16 Oct 1997 09:50:13 +0100
> From: Doug Bridgens
> Subject: Firewalls: Exchange mail proxy in DMZ.
> Hi,
> Has anyone set up a MS Exchange mail server proxy in the DMZ of their firewall?
> We have a few remote users who will need to access email accounts in our servers.
> Is a mail server proxy the best way to achieve this, or are there other ways?

From owner-firewalls-list Fri Oct 17 04:19:54 1997
From: Brian Mitchell
To: Oliver Lau
cc: jonah, firewalls@GreatCircle.COM
Subject: Re: firewalls with linux OS
Date: Fri, 17 Oct 1997 03:33:33 -0400 (EDT)

On Wed, 15 Oct 1997, Oliver Lau wrote:
> Greetings, Jonah!
>
> On Wed, 15 Oct 1997 11:26:40 +-100
> jonah wrote:
>
> | I have heard of two solutions : socks and fwtk.
> | does anyone know the differences between these two firewalls ?
> | are there any other free firewalls available ?
> |
> | If you have any experience with any freeware firewall with linux
> | please answer.
>
> The TIS Firewall Toolkit (FWTK) http://www.tis.com/docs/products/fwtk/ is
> a collection of several proxies, all of which need reconfiguration on the
> clients' side. Too much work, thus too expensive, if a lot of clients are
> concerned.

Depends what you consider too much work, although it's clear that fwtk is not designed to be transparent. It also does not let you bind to a specific address (rather than INADDR_ANY), but that can easily be fixed.
> SOCKS is unlike the FWTK, but has the same drawback of incompatibility
> to existing implementations on the clients' side, although the hottest
> web browsers support SOCKS.

This really isn't true. There are several windows based stack replacements that let you transparently use socks5 based firewalls.

> A nice and quick to install solution might be the ipfwadm-kit, which
> comes with Linux. It implements a pure packet filter, which runs very
> stable, very fast and very reliable. It also supports masquerading, i.e.
> address translation of a whole LAN to a single IP address of the
> firewall machine.
> Latest releases are mirrored all around the world.

Packet filtering technology has serious drawbacks. It simply does not give you the control you want. You can say 'I allow this service' or 'I don't allow this service' but not 'I allow this service but a, b, and c features are disabled; features d, e, f are allowed if the user comes from secure.org; and feature g is allowed unless the user comes from spammer.net'. This is where application level proxies are useful (to be fair, socks doesn't let you do this either. Circuit level gateways don't seem to have much to add beyond that provided by NAT -- although socks5 has authentication (with some extensions to do CHAP, OTP, and SSL encryption)).

> Configuring a firewall is a hard job. You have to know a lot about IP and
> its higher-layer protocols. It's best to study the standard literature
> before you begin to experiment, thus wasting time.

A read of the Cheswick/Bellovin book will eliminate most of this research, making the assumption you understand the basics of IP.

> If there are few clients, you may install any combination of the above,
> but for a quick start ipfwadm is IMHO the best choice.
>
> Consider this:
> Bellovin, Cheswick: Firewalls and Internet Security

Excellent book, the author does not seem to like packet filtering technology though, and doesn't recommend it alone.
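As an added illustration (not code from the list, from ipfwadm, or from any product) of two threads above: Bill Stackpole's "established" filtering and its possible pitfalls, and Brian Mitchell's point that a pure packet filter gives you less control than you want. The Python below runs a stateless ACK-bit rule and a connection tracker over the same constructed traffic, the high-port (34200) download from Doug's question followed by an unsolicited inbound packet; the network addresses, the inside prefix and all function names are assumptions made for the example.

```python
"""Stateless "established" rule versus connection tracking.

Constructed example. The inside network 10.0.0.0/24 and the outside hosts
203.0.113.10 and 198.51.100.7 are made-up documentation addresses; port
34200 is the high port from Doug's question.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

INSIDE_PREFIX = "10.0.0."  # assumption: the protected LAN


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    rst: bool = False


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)


def established_rule(pkt: Packet) -> bool:
    """Stateless filter in the style of a router 'established' keyword.

    Outbound traffic is always permitted. Inbound traffic is permitted only
    when the ACK (or RST) bit is set, on the theory that such a segment can
    only belong to a connection the inside already opened. The filter keeps
    no memory, so it cannot verify that theory for any given packet.
    """
    if is_inside(pkt.src):
        return True
    return pkt.ack or pkt.rst


class ConnectionTracker:
    """Stateful filter: remember outbound flows and admit only their replies."""

    def __init__(self) -> None:
        self.flows: Set[Tuple[str, int, str, int]] = set()

    def decide(self, pkt: Packet) -> bool:
        if is_inside(pkt.src):
            # Record the outbound flow as (src, sport, dst, dport).
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # An inbound packet is a reply only if it reverses a recorded flow.
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return reverse in self.flows


def compare(packets: List[Packet]) -> Dict[str, List[bool]]:
    """Run both filters over the same packets; True means 'pass'."""
    tracker = ConnectionTracker()
    return {
        "established": [established_rule(p) for p in packets],
        "stateful": [tracker.decide(p) for p in packets],
    }


# Constructed traffic: a legitimate download on a high port (three-way
# handshake), then two unsolicited inbound packets with no prior flow.
TRAFFIC = [
    Packet("10.0.0.5", 1234, "203.0.113.10", 34200, syn=True),            # out: SYN
    Packet("203.0.113.10", 34200, "10.0.0.5", 1234, syn=True, ack=True),  # in: SYN/ACK
    Packet("10.0.0.5", 1234, "203.0.113.10", 34200, ack=True),            # out: ACK
    Packet("198.51.100.7", 4444, "10.0.0.9", 34200, syn=True),            # in: unsolicited SYN
    Packet("198.51.100.7", 4444, "10.0.0.9", 34200, ack=True),            # in: unsolicited ACK-only
]

if __name__ == "__main__":
    for name, verdicts in compare(TRAFFIC).items():
        print(name, ["pass" if v else "drop" for v in verdicts])
```

Both filters let the download through without opening every port, but only the tracker drops the last packet: the stateless rule has no way to tell a reply from any inbound segment that merely carries the ACK bit, which is the kind of pitfall Bill asked about.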
From owner-firewalls-list Fri Oct 17 05:12:27 1997
From: Marc Dorando
To: firewalls@GreatCircle.COM
Date: Fri, 17 Oct 1997 10:19:07 +0200

remove

From owner-firewalls-list Fri Oct 17 05:19:27 1997
From: Stguchi@aol.com
To: firewalls@greatcircle.com
Subject: bombing
Date: Fri, 17 Oct 1997 04:14:15 -0400 (EDT)

do u have the bombing program ?
if so please e-mail it to me

From owner-firewalls-list Fri Oct 17 05:59:04 1997
From: Jyri Kaljundi
To: Kevin Speichts
cc: Frank Darden, fw-1-mailinglist@us.checkpoint.com, Firewalls mailing list
Subject: multiprocessor firewalls (was: Re: Virus Protection on FW-1)
Date: Fri, 17 Oct 1997 12:01:35 +0300 (EET DST)

On Thu, 16 Oct 1997, Kevin Speichts wrote:
> If the application isn't multithreaded then it can't take advantage of the
> second processor. The OS will use them for its other services though.

What we were talking about was whether FireWall-1 will take advantage of multiple processors. And I was replying to someone saying that there is no use for 2 or more processors. And I said that this is wrong: FireWall-1 will take advantage of multiple processors, although it is not multithreaded. Of course I was not saying that any operating system distributes one process between two processors.

Why: because there are _always_ multiple processes running. Right now when I look at a small NT firewall there are at least 4-5 fw.exe running. Under Solaris ps also shows multiple processes. And then there are also many system processes running. So even if the firewall would run as one process, you could move at least some OS processes to one processor and the firewall to another. Undoubtedly the performance will rise.
> Jyri, please keep the OS religious chatter off this list please and thank
> you.

I use NT and Solaris x86 and Solaris Sparc and FreeBSD, and then sometimes I use Win95 or FreeBSD, and sometimes even something else. I know some of them are slow and some fast, some take less know-how to administer and some are very easy, etc. This has nothing to do with religion. It has to do with the question, if FireWall-1 will take advantage of multiple processors.

Jyri Kaljundi
jk@stallion.ee
AS Stallion Ltd
http://www.stallion.ee/

From owner-firewalls-list Fri Oct 17 06:04:10 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id BAA05170; Fri, 17 Oct 1997 01:14:59 -0700 (PDT)
Received: from majestix.skp.de (majestix.skp.de [194.163.133.195]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id BAA04984 for ; Fri, 17 Oct 1997 01:14:24 -0700 (PDT)
Received: (from mail@localhost) by majestix.skp.de (8.7.5/8.7.3) id JAA16323; Fri, 17 Oct 1997 09:23:24 +0200
X-Authentication-Warning: majestix.skp.de: mail set sender to using -f
Received: from joe(192.168.0.2) by majestix.skp.de via smap (V1.3) id sma016321; Fri Oct 17 09:23:03 1997
Date: Fri, 17 Oct 1997 10:12:03 +0100
To: Brian Mitchell
From: Oliver Lau
Cc: jonah , , Oliver Lau
Subject: Re[2]: firewalls with linux OS
In-Reply-To:
References: <3445322F42.6CF8.lau@skp.de>
Message-Id: <3447480310C.691C.lau@skp.de>
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
X-Mailer: Becky! ver 1.20
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Greetings!

On Fri, 17 Oct 1997 03:33:33 -0400 (EDT) Brian Mitchell wrote:

| On Wed, 15 Oct 1997, Oliver Lau wrote:
|
| > The TIS Firewall Toolkit (FWTK) http://www.tis.com/docs/products/fwtk/is
| > a collection of several proxies, all of which need reconfiguration on the
| > clients' side. Too much work, thus too expensive, if a lot of clients are
| > concerned.
|
| Depends what you consider too much work, although it's clear that fwtk is
| not designed to be transparent.

That's exactly the point. As I said, you have to reconfigure the clients. You also have to train the users. It's a kind of social engineering to let the users accept the new features/drawbacks. And: time is money! The more time you spend, the more it costs. If you have - say - ten users or less this might be acceptable, but if there are dozens or even hundreds and thousands of users, a non-transparent proxy is not applicable, if you don't have the financial background.

| > SOCKS is unlike the FWTK, but has the same drawback of incompatibility
| > to existing implementations on the clients' side, although the hottest
| > web browsers support SOCKS.
|
| This really isn't true. There are several windows based stack replacements
| that let you transparently use socks5 based firewalls.

Right! But I have talked about EXISTING implementations, i.e. the IP stack already installed on the client system.

| packet filtering technology has serious drawbacks. It simply does not give
| you the control you want. You can say 'i allow this service' or 'i dont
| allow this service' but not 'i allow this service but a, b, and c features
| are disabled; features d, e, f are allowed, if the user comes from
| secure.org and feature g is allowed unless the user comes from
| spammer.net. This is where application level proxys are useful (to be
| fair, socks doesnt let you do this either. circuit level gateways dont
| seem to have much to add, beyond that provided by nat -- although, socks5
| has authentication (with some exts to do chap, otp, and ssl encryption)).

OK, too! I know that packet filtering with its simple SYN-ACK-NACK-IP-TCP-UDP-ICMP-port awareness is weak compared to the capabilities of stateful filtering and/or sophisticated proxies. I also know that only one kind of security mechanism like packet filtering may be easily compromised.

For my own installations at customers' sites I prefer something some people call the "layered approach", mostly with commercial firewalls like (ahm, are trademarks allowed in here?) ... But if it's a matter of money, and you sure know the aphorism "Security is only restricted by the businessman!", you have to use what comes with a system or what is in the public domain. Refer to my supplement to the mail you replied to.

Best regards,
Oliver Lau [CTO]
Sauer und Partner GmbH, NetzwerkTechnologie und Sicherheit
Dietrich-Bonhoeffer-Strasse 1-3, 35037 Marburg, Germany
fon: +49 6421 938300, fax: +49 6421 938390, URL: http://www.skp.de/
PGP-Fingerprint: 6696 C8B6 F351 A381 D1C9 BC41 98F2 6DE3

From owner-firewalls-list Fri Oct 17 06:04:42 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id DAA28225; Fri, 17 Oct 1997 03:31:41 -0700 (PDT)
Received: from eupmt.upc.es (iluro.eupmt.upc.es [147.83.11.3]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id DAA27860 for ; Fri, 17 Oct 1997 03:30:45 -0700 (PDT)
Received: from localhost by eupmt.upc.es (SMI-8.6/SMI-SVR4) id MAA07767; Fri, 17 Oct 1997 12:23:10 +0200
Date: Fri, 17 Oct 1997 12:23:10 +0200 (MET DST)
From: Pere Barberan Agut
X-Sender: barberan@iluro
To: firewalls@GreatCircle.com
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

remove

From owner-firewalls-list Fri Oct 17 07:01:37 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id DAA28323; Fri, 17 Oct 1997 03:31:59 -0700 (PDT)
Received: from gte.com (h132-197-8-26.gte.com [132.197.8.26]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id DAA28314 for ; Fri, 17 Oct 1997 03:31:53 -0700 (PDT)
Received: from rhblaptop.gte.com by gte.com (8.8.4/8.8.4)
X-Authentication-Warning: newman.gte.com: rhblaptop.gte.com [132.197.66.17] didn't use HELO protocol
Message-Id: <3.0.3.32.19971017063323.007001f0@pophost.gte.com>
X-Sender: rhb1@pophost.gte.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Fri, 17 Oct 1997 06:33:23 -0400
To: firewalls@GreatCircle.com
From: bob bryant
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

remove

From owner-firewalls-list Fri Oct 17 07:22:20 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id EAA03040; Fri, 17 Oct 1997 04:32:43 -0700 (PDT)
Received: from mail.istar.ca (mail1.toronto.istar.net [209.89.75.17]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id EAA02991 for ; Fri, 17 Oct 1997 04:32:28 -0700 (PDT)
Received: from pc9191 [142.176.37.19] by mail.istar.ca with smtp (Exim 1.70 #1) id 0xMAdT-0005bN-00; Fri, 17 Oct 1997 07:32:07 -0400
From: "Kevin Speichts"
Cc: , "Firewalls mailing list"
Subject: Re: [FW1] Re: Virus Protection on FW-1
Date: Fri, 17 Oct 1997 08:32:18 -0300
Message-ID: <01bcdaf0$537edb00$140ea8c0@pc9191>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.71.1712.3
X-Mimeole: Produced By Microsoft MimeOLE V4.71.1712.3
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

-----Original Message-----
From: Ed Sawicki
To: Kevin Speichts ; Jyri Kaljundi ; Frank Darden
Cc: fw-1-mailinglist@us.checkpoint.com ; Firewalls mailing list
Date: Thursday, October 16, 1997 5:34 PM
Subject: Re: [FW1] Re: Virus Protection on FW-1

>NetWare was designed many years before NT at a time where multiple
>processor machines were not available or needed. You're implying
>that once a product is released, any changes to the product are
>"grafted" on and are, therefore, not as good as features that were
>put in the original design. While I certainly don't agree with this,
>I hope you apply this belief consistently. NT will soon have
>Wolfpack and Active Directory _grafted_ on to it. Is this correct?

Actually you're implying that I implied that. The facts are that Netware Multiprocessor support is an add. I used that as an example given the context of the discussion, nothing more.

>
>Even today, NetWare running on a single processor box will usually
>outperform NT running on a multiple processor box.
>

Where did I say NT would outperform Netware?

>> Jyri, please keep the OS religious chatter off this list please and thank
>> you.

>Yes, Jyri - don't go preaching religion unless it's the one "true"
>religion.
>

Yes all hail the mighty Banyan ... umm I mean Novell... sorry couldn't resist! ;)

From owner-firewalls-list Fri Oct 17 08:34:34 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA14465; Fri, 17 Oct 1997 07:49:14 -0700 (PDT)
Received: from email-server.msgroup.com (email-server.msgroup.com [207.8.31.12]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id HAA07828 for ; Fri, 17 Oct 1997 07:17:56 -0700 (PDT)
Received: from msginstinet.msgroup.com ([207.8.31.11]) by email-server.msgroup.com (post.office MTA v2.0 0813 ID# 0-30995U110) with SMTP id AAA119 for ; Fri, 17 Oct 1997 09:22:16 -0500
Received: by msginstinet.msgroup.com with Microsoft Mail id <01BCDADE.061BC790@msginstinet.msgroup.com>; Fri, 17 Oct 1997 09:21:17 -0500
Message-ID: <01BCDADE.061BC790@msginstinet.msgroup.com>
From: jhuffman@msgroup.com (Jim Huffman)
To: "'firewalls@greatcircle.com'"
Date: Fri, 17 Oct 1997 09:21:16 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

remove

From owner-firewalls-list Fri Oct 17 08:55:52 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA15200; Fri, 17 Oct 1997 07:52:49 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id HAA07770 for ; Fri, 17 Oct 1997 07:17:48 -0700 (PDT)
Received: from csc.com by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id HAA04493; Fri, 17 Oct 1997 07:17:45 -0700 (PDT)
Received: from tc24650 by csc.com via smtpd with smtp id for ; Fri, 17 Oct 97 10:17 EDT (/\oo/\ Smail3.1.29.1 #29.9 built 21-apr-97)
Message-ID: <34477220.5A1F@csc.com>
Date: Fri, 17 Oct 1997 10:11:44 -0400
From: Joe Loiacono
Organization: Computer Sciences Corporation
X-Mailer: Mozilla 3.01 (X11; I; SunOS 5.5 sun4m)
MIME-Version: 1.0
To: Stguchi@aol.com
CC: firewalls@GreatCircle.COM
Subject: Re: bombing
References: <971016225414_2067495936@emout19.mail.aol.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Stguchi@aol.com wrote:
>
> do u have the bombing program ? if so please e-mail it to me

What's your IP address, I'll send it to you.

Joe
--
Joe Loiacono (301) 415-6153
Computer Sciences Corporation http://www.csc.com

From owner-firewalls-list Fri Oct 17 09:09:48 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA10925; Fri, 17 Oct 1997 07:32:46 -0700 (PDT)
Received: from eagle.bmc.org (eagle.bmc.org [155.41.80.5]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id HAA10742 for ; Fri, 17 Oct 1997 07:32:09 -0700 (PDT)
Received: from phantom.bmc.org (root@phantom.bmc.org [155.41.10.10]) by eagle.bmc.org (8.8.6/8.7.1/bumc-hub) with ESMTP id KAA22000 for ; Fri, 17 Oct 1997 10:32:05 -0400 (EDT)
Received: from mbox.bmc.org (pc100.is.bmc.org [155.41.25.98]) by phantom.bmc.org (8.8.4/8.8.4/bmc-pop-imap-server) with ESMTP id KAA23851 for ; Fri, 17 Oct 1997 10:32:04 -0400 (EDT)
Message-ID: <3447A2DA.3E9C0E4B@mbox.bmc.org>
Date: Fri, 17 Oct 1997 10:39:39 -0700
From: Tim Farrell
Reply-To: tim.farrell@bmc.org
X-Mailer: Mozilla 4.03 [en] (Win95; U)
MIME-Version: 1.0
To: firewalls@greatcircle.com
Subject: VT emulation through a browser?
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I don't know if this question is appropriate in this forum, so I apologize if it is not.

I am currently attempting to launch VMS apps through my browser in an effort to complete our intranet application shell. Our network apps require VT emulation to run. My question is, does anyone know how I can get the client browser (Netscape 4.0) to launch an executable from the local drive. All of our clients have VT emulation software loaded on them. All I want to do is through a link, make a call to a local executable on the client to launch this VT emulation software to run under the browser.

Any Ideas????

From owner-firewalls-list Fri Oct 17 09:45:18 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id BAA12181; Fri, 17 Oct 1997 01:49:22 -0700 (PDT)
Received: from khtp.usm.my ([161.142.10.27]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id BAA02449 for ; Fri, 17 Oct 1997 01:05:27 -0700 (PDT)
Received: from pknk ([161.142.207.85]) by khtp.usm.my (Netscape Mail Server v1.1) with SMTP id AAA50 for ; Fri, 17 Oct 1997 16:05:32 +0800
Message-ID: <34471BBD.37A8@khtp.usm.my>
Date: Fri, 17 Oct 1997 16:03:09 +0800
From: SOKIM KHOO
Reply-To: skkhoo@khtp.usm.my
Organization: KTMSB
X-Mailer: Mozilla 3.0 (Win95; I)
MIME-Version: 1.0
To: firewalls@GreatCircle.COM
Subject: REMOVES
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Andy Lewis wrote:
>
> I get I don't know how many e-mails a day from people
> removing themselves from this list. Isn't there any way to
> not bounce removes to those of us that are on the list?
>
> This certainly could save a heck of a lot of BW....
>
> ANdy

From owner-firewalls-list Fri Oct 17 09:58:32 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA14760; Fri, 17 Oct 1997 07:50:36 -0700 (PDT)
Received: from mail.baileynm.com (fw.baileynm.com [206.109.159.11]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id HAA14619 for ; Fri, 17 Oct 1997 07:50:03 -0700 (PDT)
Received: (qmail 23773 invoked from smtpd); 17 Oct 1997 14:43:13 -0000
Received: from web.nmti.com (root@198.178.0.201) by fw.nmti.com with SMTP; 17 Oct 1997 14:43:13 -0000
Received: from baileynm.com (grendel.nmti.com [198.178.0.150]) by web.nmti.com (8.6.12/8.6.9) with SMTP id JAA07853; Fri, 17 Oct 1997 09:43:12 -0500
Received: by baileynm.com; (5.65v3.2/1.1.8.2/08Sep97-0924AM) id AA31518; Fri, 17 Oct 1997 09:45:34 -0500
From: Peter da Silva
Message-Id: <9710171445.AA31518@baileynm.com>
Subject: Re: Simple UDP & ActiveX question
To: Ryan.Russell@sybase.com (Ryan Russell/SYBASE)
Date: Fri, 17 Oct 1997 09:45:34 -0500 (CDT)
Cc: marcelg@new.iscorltd.co.za, firewalls@GreatCircle.COM
In-Reply-To: <199710161711.KAA11124@notesgw2.sybase.com> from "Ryan Russell/SYBASE" at Oct 16, 97 10:18:47 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Java pretends that it doesn't have security problems.

This is an unfair characterization. Any product may have security problems, including ones signed by ActiveX. At least with Java I only have to worry about security problems in one program. With ActiveX I have to depend on every company with a certificate.

I have been forced to allow Javascript through because there are business reasons for it... we have sites we need to access that are not navigable without javascript (and yes, I complained to the vendor that it wasn't responsible to disable normal HTML browsing just so you could make the buttons "glow" when the mouse moved over them!)... but Java and ActiveX are so far verboten.
From owner-firewalls-list Fri Oct 17 10:18:44 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA09001; Fri, 17 Oct 1997 07:23:55 -0700 (PDT)
Received: from ernie.ucop.edu (ernie.ucop.edu [128.48.141.1]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id HAA08984 for ; Fri, 17 Oct 1997 07:23:45 -0700 (PDT)
Received: from rescate.ucop.edu (rescate.ucop.edu [128.48.133.111]) by ernie.ucop.edu (AIX4.2/UCB 8.7/8.7) with SMTP id HAA30860 for ; Fri, 17 Oct 1997 07:23:46 -0700 (PDT)
Message-Id: <3.0.3.32.19971017072243.0069c3ac@popserv.ucop.edu>
X-Sender: nratzlaf@popserv.ucop.edu
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Fri, 17 Oct 1997 07:22:43 -0700
To: Firewalls@GreatCircle.COM
From: Neil Ratzlaff
Subject: Stealing data via Internet Explorer 4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Not an area in which I am knowledgeable, but is it as bad as it sounds?

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Microsoft's new Internet Explorer 4 allows the hiding of commands in an email or Web page that secretly send files to unauthorized people. Internet Consultant Ralf Hueskes, who reviewed IE4 for the German computer magazine c't, considers this security hole a severe problem for end users and companies: "Even a corporate network secured by a firewall is not protected against this attack." The security hole is not an error in the code, but has its reasons in the concept of the program, he says. It even exists when the browser's security options are set to the standard values for "high". The only obstacle for the intruder: he has to specify exact path names or Intranet addresses for the files. Since a lot of programs, e.g. when running with Windows, use standardized directory names, the thief has a good chance to get the security file for a homebanking program, for example.

A spokesperson from Microsoft stated "Microsoft regards the failure not to be severe", he said, "It wouldn't be possible to change or destroy files this way."

Detailed information about the IFRAME security hole and protection mechanisms can be read on the Web server of Ralf Hueskes (http://www.jabadoo.de/press/ie4_us.html) and also in the upcoming issue 12/97 of c't, that will be published on October, 27th. (ct/jk)

excerpted from Verlag Heinz Heise GmbH & Co KG NewstickerAdmin 1.41

From owner-firewalls-list Fri Oct 17 10:44:01 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA09683; Thu, 16 Oct 1997 11:55:48 -0700 (PDT)
Received: from paladin.bsquare.com (mail.bsquare.com [204.57.230.102]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id LAA09551 for ; Thu, 16 Oct 1997 11:55:17 -0700 (PDT)
Received: by paladin.bsquare.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52) id <01BCDA2A.5B164900@paladin.bsquare.com>; Thu, 16 Oct 1997 11:55:11 -0700
Message-ID: <01BCDA2A.5B164900@paladin.bsquare.com>
From: Beau Monday
To: "'Jyri Kaljundi'" , "'Frank Darden'"
Cc: "'fw-1-mailinglist@us.checkpoint.com'" , "'Firewalls mailing list'"
Subject: RE: [FW1] Re: Virus Protection on FW-1
Date: Thu, 16 Oct 1997 11:55:10 -0700
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

That's a cool feature! Sending a single thread to multiple processors! Gotta get me some of that UNIX!

NT supports 8 processors, or up to 32 if you're Compaq (or some other large OEM). It's dependent on the app whether it takes advantage of multiple processors, it's not a limitation of the OS. It is a failure of Firewall-1 that it is unable to take advantage of multiple processors.

On the other hand, a second processor would allow *real* multi-threaded apps (like services or daemons) to access the second processor, perhaps leaving more cycles for Firewall-1 to use on the primary processor.

Beau

Beau Monday, MCSE
Network Administrator Lead
BSQUARE corporation
425.519.5931
bmonday@bsquare.com

-----Original Message-----
From: Jyri Kaljundi [SMTP:jk@stallion.ee]
Sent: Thursday, October 16, 1997 9:39 AM
To: Frank Darden
Cc: fw-1-mailinglist@us.checkpoint.com; Firewalls mailing list
Subject: Re: [FW1] Re: Virus Protection on FW-1

On Thu, 16 Oct 1997, Frank Darden wrote:

> >By the way, does the CheckPoint firewall service take advantage of Windows
> >NT symmetric multi-processing?
>
> Firewall-1 is a single threaded application. In 3.0a, multi-processor
> support was there, but they have mysteriously removed it from 3.0b. So for
> the time being, the answer is no, on all platforms.

This should already go into a FAQ somewhere: yes, FireWall-1 at least on Solaris Sparc and Solaris x86 Intel does take advantage of multiprocessing. Why: because Solaris itself distributes the load between two or more processors. Believe me, if you add a second processor to dual Pentium for example you can see how it gets better. I don't know about NT, maybe that really is so stupid it does not know how to use both processors.

Jyri Kaljundi
jk@stallion.ee
AS Stallion Ltd
http://www.stallion.ee/

From owner-firewalls-list Fri Oct 17 10:44:05 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA09580; Thu, 16 Oct 1997 11:55:27 -0700 (PDT)
Received: from mail.baileynm.com (fw.baileynm.com [206.109.159.11]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id LAA09532 for ; Thu, 16 Oct 1997 11:55:13 -0700 (PDT)
Received: (qmail 18443 invoked from smtpd); 16 Oct 1997 18:55:18 -0000
Received: from web.nmti.com (root@198.178.0.201) by fw.nmti.com with SMTP; 16 Oct 1997 18:55:18 -0000
Received: from baileynm.com (grendel.nmti.com [198.178.0.150]) by web.nmti.com (8.6.12/8.6.9) with SMTP id NAA08104; Thu, 16 Oct 1997 13:55:18 -0500
Received: by baileynm.com; (5.65v3.2/1.1.8.2/08Sep97-0924AM) id AA30977; Thu, 16 Oct 1997 13:57:40 -0500
From: Peter da Silva
Message-Id: <9710161857.AA30977@baileynm.com>
Subject: Re: Firewalls: www & high port numbers
To: trall@almaden.ibm.com
Date: Thu, 16 Oct 1997 13:57:40 -0500 (CDT)
Cc: firewalls@greatcircle.com
In-Reply-To: <88256532.005E4976.00@mailgw1.almaden.ibm.com> from "trall@almaden.ibm.com" at Oct 16, 97 10:23:20 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> * Simply probing for flaws in the target's stack; i.e., it should ignore
> any established packet unless it's part of an existing connection, but you
> never know (I haven't heard of successful attacks using this).

You can probe to see what IPs are behind the firewall and what services they're using by looking at whether you get a RST or not.
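The exposure Peter describes, as an added example that is not part of the thread: a toy model of the "established" (ACK-set, port 80 to a high port) rule used for www return traffic next to a connection-tracking rule, showing which of the two lets an unsolicited ACK reach an inside host so that its RST reveals the host is alive. The addresses, the 40000 probe port and the three live hosts are constructed for the example.

```python
"""Added example (not from the firewalls list): why a stateless 'established'
rule leaks which hosts exist behind the filter, and why connection tracking
does not. Addresses are constructed from RFC 5737 / RFC 1918 ranges."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "RST"}


class StatelessFilter:
    """Router-ACL style rule for the www / high-port case in the thread:
    inbound TCP from port 80 to a port above 1023 with ACK set is passed,
    because such a packet *looks like* the return half of a web session."""

    def note_outbound(self, pkt: Packet) -> None:
        pass  # keeps no state at all

    def inbound_allowed(self, pkt: Packet) -> bool:
        return pkt.sport == 80 and pkt.dport > 1023 and "ACK" in pkt.flags


class StatefulFilter:
    """Connection-tracking rule: remember outbound SYNs and admit only
    inbound packets whose 4-tuple matches a session the inside opened."""

    def __init__(self) -> None:
        self.sessions = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def note_outbound(self, pkt: Packet) -> None:
        if "SYN" in pkt.flags:
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def inbound_allowed(self, pkt: Packet) -> bool:
        # Reversed tuple: on the way back in, the inside host is the destination.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions


def host_response(live_hosts, pkt: Packet):
    """A live TCP stack answers an unsolicited ACK with a RST (RFC 793);
    an unused address never answers. Only that case is modelled here."""
    if pkt.dst not in live_hosts:
        return None
    if "ACK" in pkt.flags and "SYN" not in pkt.flags:
        return Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport, frozenset({"RST"}))
    return None


def exposed_hosts(filt, live_hosts, internal_addrs, outside="203.0.113.5"):
    """Send one unsolicited ACK (src port 80 -> high port) to each internal
    address and return the addresses whose RST makes it back out. This is
    the probe the thread describes, used here to measure a filter's exposure."""
    seen = set()
    for ip in internal_addrs:
        probe = Packet(outside, 80, ip, 40000, frozenset({"ACK"}))
        if not filt.inbound_allowed(probe):
            continue  # stateful filter drops it here: no RST, no information
        if host_response(live_hosts, probe) is not None:
            seen.add(ip)  # the outbound RST is passed by both models
    return seen


def web_session_works(filt) -> bool:
    """Sanity check: a real browsing session must still get its SYN/ACK
    back in under either filter, otherwise the rule is not usable at all."""
    syn = Packet("192.168.1.10", 40000, "198.51.100.7", 80, frozenset({"SYN"}))
    filt.note_outbound(syn)
    synack = Packet("198.51.100.7", 80, "192.168.1.10", 40000, frozenset({"SYN", "ACK"}))
    return filt.inbound_allowed(synack)


# Constructed sample network: 20 addresses, 3 of them in use.
INTERNAL = [f"192.168.1.{i}" for i in range(1, 21)]
LIVE = {"192.168.1.10", "192.168.1.11", "192.168.1.12"}

if __name__ == "__main__":
    for filt in (StatelessFilter(), StatefulFilter()):
        print(type(filt).__name__,
              "web session ok:", web_session_works(filt),
              "hosts revealed:", sorted(exposed_hosts(filt, LIVE, INTERNAL)))
```

The stateless rule passes the web session but also every probe, so all three live addresses answer; the connection-tracking rule passes the same session and nothing else.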
From owner-firewalls-list Fri Oct 17 11:27:43 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA15092; Fri, 17 Oct 1997 10:19:22 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id JAA02457 for ; Fri, 17 Oct 1997 09:21:09 -0700 (PDT)
Received: from cayman.gblhorizon.com by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id JAA05003; Fri, 17 Oct 1997 09:20:24 -0700 (PDT)
Received: (from kenj@localhost) by cayman.gblhorizon.com (8.8.7/8.8.7) id MAA16122; Fri, 17 Oct 1997 12:19:32 -0400 (PDT)
Date: Fri, 17 Oct 1997 09:19:32 -0700 (PDT)
From: Ken Jones
To: firewalls@GreatCircle.COM
In-Reply-To: <35F80E47DCD8D011AACA00A0CC660C5E02635E@ARGUS-PDC>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

remove

From owner-firewalls-list Fri Oct 17 11:29:02 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA21834; Fri, 17 Oct 1997 10:43:06 -0700 (PDT)
Received: from phawd.com-stock.com ([204.255.137.249]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id JAA29140 for ; Fri, 17 Oct 1997 09:06:06 -0700 (PDT)
Received: from localhost (zaph0d@localhost) by phawd.com-stock.com (8.8.7/8.8.6) with SMTP id QAA01221; Fri, 17 Oct 1997 16:06:31 -0400 (EDT)
Date: Fri, 17 Oct 1997 16:06:31 -0400 (EDT)
From: zaph0d
To: skkhoo@khtp.usm.my
cc: firewalls@GreatCircle.COM
Subject: Re: REMOVES
In-Reply-To: <34471BBD.37A8@khtp.usm.my>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Well, I'm figuring there's a help file somewhere misdirecting people to remove themselves through the main list address. But who knows.

John

On Fri, 17 Oct 1997, SOKIM KHOO wrote:

> Andy Lewis wrote:
> >
> > I get I don't know how many e-mails a day from people
> > removing themselves from this list. Isn't there any way to
> > not bounce removes to those of us that are on the list?
> >
> > This certainly could save a heck of a lot of BW....
> >
> > ANdy
>

From owner-firewalls-list Fri Oct 17 11:31:36 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA12649; Fri, 17 Oct 1997 10:07:50 -0700 (PDT)
Received: from gatekeeper.oss.akzonobel.nl (gatekeeper.oss.akzonobel.nl [192.87.3.2]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id KAA12598 for ; Fri, 17 Oct 1997 10:07:36 -0700 (PDT)
Received: (from mail@localhost) by gatekeeper.oss.akzonobel.nl (8.7.5/8.7.3) id TAA09960 for ; Fri, 17 Oct 1997 19:20:44 +0200 (MET DST)
Received: from apou02.akzonobel.nl(145.49.90.250) by gatekeeper.oss.akzonobel.nl via smap (V2.0alpha) id xma016913; Fri, 17 Oct 97 19:16:45 +0200
Received: by apou02.akzonobel.nl id SAA02826; Fri, 17 Oct 1997 18:03:05 GMT
Date: Fri, 17 Oct 1997 18:03:05 GMT
Received: from umc by apou02.akzonobel.nl via MR/VESTA with conversational-MRIF; Fri, 17 Oct 97 18:03:04 +0000
Posted: Fri, 17 Oct 97 12:42:33 +0000
From: "Donald Six"
Message-ID: <2232421217101997/A01781/FATHER>
App-Message-ID: <2232421217101997/A01781/FATHER/11BA8B2A1D00>
To: "Firewalls Mailing List"
Reply-Requested-From: "Firewalls Mailing List"
Subject:
Sensitivity: Company-Confidential
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Does anyone know if there is a firewall that handles both routed TCP/IP and decnet. We are in search of such an animal. Or, if there is a good way to handle checking decnet packets over IP.
thanks,
don

From owner-firewalls-list Fri Oct 17 11:32:59 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA23529; Fri, 17 Oct 1997 10:50:30 -0700 (PDT)
Received: from mail.baileynm.com (fw.baileynm.com [206.109.159.11]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id KAA23342 for ; Fri, 17 Oct 1997 10:49:54 -0700 (PDT)
Received: (qmail 24785 invoked from smtpd); 17 Oct 1997 17:49:47 -0000
Received: from web.nmti.com (root@198.178.0.201) by fw.nmti.com with SMTP; 17 Oct 1997 17:49:47 -0000
Received: from baileynm.com (grendel.nmti.com [198.178.0.150]) by web.nmti.com (8.6.12/8.6.9) with SMTP id MAA16128 for ; Fri, 17 Oct 1997 12:49:47 -0500
Received: by baileynm.com; (5.65v3.2/1.1.8.2/08Sep97-0924AM) id AA17359; Fri, 17 Oct 1997 12:52:09 -0500
From: Peter da Silva
Message-Id: <9710171752.AA17359@baileynm.com>
Subject: Re: Simple UDP & ActiveX question
To: firewalls@greatcircle.com
Date: Fri, 17 Oct 1997 12:52:09 -0500 (CDT)
In-Reply-To: <199710171707.KAA18230@notesgw2.sybase.com> from "Ryan Russell/SYBASE" at Oct 17, 97 10:15:45 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I was being sarcastic, of course, but I get the
> impression that the Java proponents are in a little
> bit of denial about the security problems.

I'm not a java proponent. Hell, I came up with a basic flaw in their security model right after it was posted here. To their credit they responded pretty quickly.

I prefer the Safe-Tcl security model. Instead of "let's define checks before we let you do dangerous things", it's "let's not include dangerous things in the interpreter at all".

> To their
> credit, they seem to get them fixed when they are
> discovered. But, I don't think the Java folks should
> be trying to claim "secure sand box" in comparison
> to ActiveX until there have been enough iterations
> to get most of the bugs worked out. I'd buy
> a "less risk" argument.

All security arguments are "less risk" arguments. The problem I have with ActiveX is that it doesn't really reduce risk any, and may increase it.

> I also find it ironic that Java
> (in v 1.2 or 1.1?) is adopting the signed, non-protected
> applet model of ActiveX.

People don't WANT security. It's inconvenient. It doesn't sell.

From owner-firewalls-list Fri Oct 17 11:34:35 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA24109; Fri, 17 Oct 1997 10:53:08 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id KAA12373 for ; Fri, 17 Oct 1997 10:06:49 -0700 (PDT)
Received: from halon.sybase.com by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id KAA05485; Fri, 17 Oct 1997 10:06:47 -0700 (PDT)
Received: from smtp1.sybase.com (sybgate.sybase.com [130.214.220.35]) by halon.sybase.com (8.8.4/8.8.4) with SMTP id KAA12746 for ; Fri, 17 Oct 1997 10:05:33 -0700 (PDT)
Received: from notesgw2.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) id AA16334; Fri, 17 Oct 97 10:08:04 PDT
Received: (from unixsvr1@localhost) by notesgw2.sybase.com (8.8.4/8.8.4) id KAA18234 for @sybgate.sybase.com:firewalls@GreatCircle.COM; Fri, 17 Oct 1997 10:07:50 -0700 (PDT)
Message-Id: <199710171707.KAA18234@notesgw2.sybase.com>
Received: by SybaseNotes (Lotus Notes Mail Gateway for SMTP V1.1) id 35C57141993C239B88256533005E06A5; Fri, 17 Oct 97 10:07:49 EDT
To: Peter da Silva
Cc: firewalls
From: Ryan Russell/SYBASE
Date: 17 Oct 97 10:15:45 EDT
Subject: Re: Simple UDP & ActiveX question
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I was being sarcastic, of course, but I get the impression that the Java proponents are in a little bit of denial about the security problems. To their credit, they seem to get them fixed when they are discovered. But, I don't think the Java folks should be trying to claim "secure sand box" in comparison to ActiveX until there have been enough iterations to get most of the bugs worked out. I'd buy a "less risk" argument. I also find it ironic that Java (in v 1.2 or 1.1?) is adopting the signed, non-protected applet model of ActiveX.

FWIW, I prefer the sandboxed concept. I'd just like to get through all the iterations it takes to actually secure the stuff.

Ryan

peter@baileynm.com (Peter da Silva) on 10/17/97 09:45:34 AM
To: Ryan.Russell@sybase.com (Ryan Russell/SYBASE) @ smtp
cc: marcelg@new.iscorltd.co.za @ smtp, firewalls@GreatCircle.COM @ smtp (bcc: Ryan Russell/SYBASE)
Subject: Re: Simple UDP & ActiveX question

> Java pretends that it doesn't have security problems.

This is an unfair characterization. Any product may have security problems, including ones signed by ActiveX. At least with Java I only have to worry about security problems in one program. With ActiveX I have to depend on every company with a certificate.

I have been forced to allow Javascript through because there are business reasons for it... we have sites we need to access that are not navigable without javascript (and yes, I complained to the vendor that it wasn't responsible to disable normal HTML browsing just so you could make the buttons "glow" when the mouse moved over them!)... but Java and ActiveX are so far verboten.
From owner-firewalls-list Fri Oct 17 11:36:04 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA25486; Fri, 17 Oct 1997 08:39:22 -0700 (PDT) Received: from icondata.com (gateway.icondata.com [198.167.251.1]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id IAA25425 for ; Fri, 17 Oct 1997 08:39:05 -0700 (PDT) Received: from nt1 ([10.0.0.10]) by gateway.icondata.com with SMTP id <11650>; Fri, 17 Oct 1997 12:37:47 -0300 Message-ID: <34478658.5C85@icondata.com> Date: Fri, 17 Oct 1997 12:38:00 -0300 From: Jeff Simms Reply-To: jsimms@icondata.com Organization: Icon Data Systems X-Mailer: Mozilla 3.0 (WinNT; I) MIME-Version: 1.0 To: firewalls@greatcircle.com Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk remove From owner-firewalls-list Fri Oct 17 11:37:09 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA19264; Fri, 17 Oct 1997 08:17:01 -0700 (PDT) Received: from monet.mingpaoxpress.com (babbage.mingpaoxpress.com [205.150.120.3]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id IAA19253 for ; Fri, 17 Oct 1997 08:16:50 -0700 (PDT) Received: from ns.mingpaoxpress.com ([127.0.0.1] HELO localhost ident: acli [port 22123]) by www.mingpaoxpress.com with SMTP id <1928-256>; Fri, 17 Oct 1997 11:16:41 -0400 Date: Fri, 17 Oct 1997 11:16:40 -0400 (EDT) From: Ambrose Li To: Mark Teicher cc: firewalls@GreatCircle.COM Subject: Re: PIX and other "Black boxes" vs normal firewalls. In-Reply-To: <19971017002259.AAA29373@uymfdlvk> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thu, 16 Oct 1997, Mark Teicher wrote: > Date: Thu, 16 Oct 1997 20:22:16 -0400 > From: Mark Teicher > To: Ambrose Li , firewalls@GreatCircle.COM > Subject: Re: PIX and other "Black boxes" vs normal firewalls. 
>
> > > This seems to be better with PIX as you depend
> > >solely on CISCO for any fix which they may not even ACTIVELY inform you.
> That
> > >serves as the hardware part of the whole solution.
>   ^^^
> > What do you mean by this??
>   ^^^

I did not say this. Note the double-> in your own quote.

From owner-firewalls-list Fri Oct 17 12:04:15 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA02629; Fri, 17 Oct 1997 11:52:27 -0700 (PDT)
Received: from notes950.cc.bellcore.com ([192.4.194.238]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id LAA02584 for ; Fri, 17 Oct 1997 11:52:14 -0700 (PDT)
From: pthermos@notes.cc.bellcore.com
Received: by notes950.cc.bellcore.com(Lotus SMTP MTA v1.1 (385.6 5-6-1997)) id 85256533.0067A0C1 ; Fri, 17 Oct 1997 14:51:53 -0400
X-Lotus-FromDomain: BELLCORE
To: jloiacon@csc.com
cc: firewalls@GreatCircle.COM
Message-ID: <85256533.0066CF36.00@notes950.cc.bellcore.com>
Date: Fri, 17 Oct 1997 14:45:27 -0400
Subject: Re: bombing
Mime-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

You have his e-mail address ... ;-)

PT

To: Stguchi@aol.com
cc: firewalls@GreatCircle.COM (bcc: Peter Thermos/Bellcore)
From: jloiacon@csc.com
Date: 10/17/97 10:11:44 AM AST
Subject: Re: bombing

Stguchi@aol.com wrote:
>
> do u have the bombing program ? if so please e-mail it to me

What's your IP address, I'll send it to you.
Joe
--
Joe Loiacono (301) 415-6153
Computer Sciences Corporation http://www.csc.com

From owner-firewalls-list Fri Oct 17 12:20:03 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA02324; Fri, 17 Oct 1997 06:57:24 -0700 (PDT)
Received: from castle.us-state.gov (castle.us-state.gov [198.76.102.19]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id GAA02087 for ; Fri, 17 Oct 1997 06:56:39 -0700 (PDT)
Received: by castle.us-state.gov; id AA08964; Fri, 17 Oct 97 09:56:33 EDT
Received: from pubhost.us-state.gov(198.76.102.34) by castle.us-state.gov via smap (V1.3mjr) id sma008951; Fri Oct 17 09:56:27 1997
Received: by pubhost.us-state.gov; id AA00871; Fri, 17 Oct 97 09:56:26 EDT
Received: by GREGW with Microsoft Mail id <01BCDAE2.34512B10@GREGW>; Fri, 17 Oct 1997 09:51:13 -0400
Message-Id: <01BCDAE2.34512B10@GREGW>
From: Greg Witte
To: "'Stguchi@aol.com'"
Cc: "'firewalls@greatcircle.com'"
Subject: RE: bombing
Date: Fri, 17 Oct 1997 09:51:11 -0400
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I have several of them. Internet Explorer bombs on me several times a day.

Due to licensing restrictions, however, I am unable to mail you copies of these. Please purchase them at your favorite retail store.

Stguchi@aol.com wrote:
> do u have the bombing program ?
> if so please e-mail it to me
>
>

From owner-firewalls-list Fri Oct 17 14:18:52 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA14827; Fri, 17 Oct 1997 12:52:33 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id MAA14809 for ; Fri, 17 Oct 1997 12:52:26 -0700 (PDT)
From: hodgsone@itsi.disa.mil
Received: from jcdbs.itsi.disa.mil by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id MAA06600; Fri, 17 Oct 1997 12:52:26 -0700 (PDT)
Received: from SMTPLink-Logicon.itsi.disa.mil (SMTPLink-Logicon.itsi.disa.mil [192.234.182.8]) by jcdbs.itsi.disa.mil (8.7.6/8.7.1) with SMTP id PAA05200 for ; Fri, 17 Oct 1997 15:48:12 -0400 (EDT)
Received: from ccMail by SMTPLink-Logicon.itsi.disa.mil (SMTPLINK V2.11 PreRelease 4) id AA877129192; Fri, 17 Oct 97 15:51:15 EST
Date: Fri, 17 Oct 97 15:51:15 EST
Message-Id: <9709178771.AA877129192@SMTPLink-Logicon.itsi.disa.mil>
To: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

remove

From owner-firewalls-list Fri Oct 17 15:04:41 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA06866; Fri, 17 Oct 1997 14:28:21 -0700 (PDT)
Received: from scifi.squawk.com (scifi.squawk.com [199.74.151.1]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id OAA06629 for ; Fri, 17 Oct 1997 14:27:36 -0700 (PDT)
Received: from localhost (njs@localhost) by scifi.squawk.com (8.8.5/8.8.5) with SMTP id RAA29116; Fri, 17 Oct 1997 17:27:31 -0400
Date: Fri, 17 Oct 1997 17:27:30 -0400 (EDT)
From: Nick Simicich
X-Sender: njs@scifi
To: skkhoo@khtp.usm.my
cc: firewalls@GreatCircle.COM
Subject: Re: REMOVES
In-Reply-To: <34471BBD.37A8@khtp.usm.my>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 17 Oct 1997, SOKIM KHOO wrote:

> Andy Lewis wrote:
>
> > > I get I don't know how many e-mails a day from people
> > removing themselves from this list. Isn't there any way to
> > not bounce removes to those of us that are on the list?
> >
> > This certainly could save a heck of a lot of BW....

I have /^remove\s*$/i in my Majordomo illegal body filter list. Works for me on the lists I administer.

That which does not kill us, makes us stronger. That which does kill us makes us smell stronger, after a few days, anyway.
Nick Simicich mailto:njs@scifi.squawk.com or (last choice) mailto:njs@us.ibm.com
http://scifi.squawk.com/njs.html -- Stop by and Light Up The World!

From owner-firewalls-list Fri Oct 17 16:24:26 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id QAA01061; Fri, 17 Oct 1997 16:11:39 -0700 (PDT)
Received: from redcross.dk (ns.redcross.dk [147.29.204.52]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id MAA13027 for ; Fri, 17 Oct 1997 12:45:22 -0700 (PDT)
Received: from [192.168.51.1] by redcross.dk with ESMTP (Eudora Internet Mail Server 1.1.2); Fri, 17 Oct 1997 21:56:57 +0200
X-Sender: lars-bertelsen@mail.redcross.dk
Message-Id:
In-Reply-To: <01BCDAE2.34512B10@GREGW>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Mailer: Eudora 2.0.1
X-Charset: US-DK
X-Char-Esc: 29
Date: Fri, 17 Oct 1997 21:43:26 +0200
To: firewalls@GreatCircle.COM
From: Lars Bertelsen
Subject: RE: bombing
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Greg writes:
>I have several of them. Internet Explorer bombs on me several times a day.
>
>Due to licensing restrictions, however, I am unable to mail you copies of
>these.
>Please purchase them at your favorite retail store.
>
>Stguchi@aol.com wrote:
>> do u have the bombing program ? if so please e-mail it to me
>>
>>

Any version of Windows is a pretty good candidate in itself!
:-)

Between people wanting us to help them with mailbombing apps and people who cannot remove themselves from this list on their own... Well I can only say that if I were a hacker I would sure as hell know where I would start! :-))

Lars Bertelsen
Gartnervang 29         tlf. 4635 1115
4000 Roskilde, DK      e-mail of choice: lbe@login.dknet.dk

From owner-firewalls-list Fri Oct 17 16:34:14 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA20548; Fri, 17 Oct 1997 15:30:20 -0700 (PDT)
Received: from mail1-gui.server.virgin.net (mail1-gui.server.virgin.net [194.168.54.1]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id NAA23253 for ; Fri, 17 Oct 1997 13:25:07 -0700 (PDT)
Received: from col-paradise.private.cableol.net ([194.168.50.224]) by mail1-gui.server.virgin.net (Post.Office MTA v3.1 release PO203a ID# 549-33929U100000L2S50) with SMTP id AAA24262; Fri, 17 Oct 1997 21:25:06 +0100
Message-ID: <3447C9A0.5CF0@virgin.net>
Date: Fri, 17 Oct 1997 21:25:04 +0100
From: paolo
Reply-To: p.meletti@virgin.net
X-Mailer: Mozilla 3.02 (Win95; I)
MIME-Version: 1.0
To: pthermos@notes.cc.bellcore.com
CC: jloiacon@csc.com, firewalls@GreatCircle.COM
Subject: Re: bombing
References: <85256533.0066CF36.00@notes950.cc.bellcore.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

pthermos@notes.cc.bellcore.com wrote:
>
> You have his e-mail address ... ;-)
>
> PT
>
> To: Stguchi@aol.com
> cc: firewalls@GreatCircle.COM (bcc: Peter Thermos/Bellcore)
> From: jloiacon@csc.com
> Date: 10/17/97 10:11:44 AM AST
> Subject: Re: bombing
>
> Stguchi@aol.com wrote:
> >
> > do u have the bombing program ? if so please e-mail it to me
> What's your IP address, I'll send it to you.
> Joe
> --
> Joe Loiacono (301) 415-6153
> Computer Sciences Corporation http://www.csc.com

Read between the lines.
From owner-firewalls-list Fri Oct 17 17:04:30 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA17772; Fri, 17 Oct 1997 15:19:28 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id PAA15453 for ; Fri, 17 Oct 1997 15:06:41 -0700 (PDT)
Received: from cgi.com by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id PAA07745; Fri, 17 Oct 1997 15:06:38 -0700 (PDT)
Message-Id: <3447E1E8.7566@cgi.com>
Date: Fri, 17 Oct 1997 18:08:41 -0400
From: Rex Espiritu
Organization: Carnegie Group, Inc.
X-Mailer: Mozilla 3.01 (X11; I; IRIX 5.3 IP22)
Mime-Version: 1.0
To: "william.wells"
Cc: Mark Smith <76374.2304@compuserve.com>
Subject: Re: udprelay using select() instead of poll()
References: <9709101302.AA22523@damark.com>
Content-Type: multipart/mixed; boundary="------------428733594DAA"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This is a multi-part message in MIME format.

--------------428733594DAA
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

I'm also attempting to compile udprelay under Gauntlet 3 on BSD and am getting "udprelay.c:72: poll.h: No such file or directory". Please contact me if you've already got this working or know how to, e.g.:

http://www.socks.nec.com/socksmail/msg00130.html

Any information/assistance on this would be much appreciated. Thanks in advance.

--
M. Rex Espiritu, Jr. MailTo:espiritu@cgi.com

william.wells wrote:
>
> Out of curiosity
>
> Has anyone implemented udprelay under Gauntlet 3 on BSD?
> If so, can you contact me?
>
> Does 'udprelay' do the necessary address translation?
>
> William.Wells@damark.com
> Manager, System Administration
> ----------
> >From: Mark Smith
> To: firewalls@GreatCircle.COM
> Subject: udprelay questions.
> Date: Tuesday, September 09, 1997 14:33PM
>
> We've been exploring the use of udprelay and I'd like to find out if
> someone is clear on what I've missed which might encourage it to
> function.
>
> As I understand it, you install udprelay on the bastion host and then
> aim your UDP traffic at the bastion. udprelay then forwards it based
> on the rules in the configuration file. So far, so good.
> Unfortunately, when we try running it on a test firewall box we get
> back ICMP 3/3 (destination unreachable / port unreachable ). The trace
> appears to show that the packet reaches the firewall just prior to the
> ICMP message, and that udprelay doesn't appear to try to send it on.
> The firewall in question (NetSP) does not do packet forwarding by
> default. Vendor info to the effect of "if only you used OUR
> firewall..." doesn't help me -- we're not in the market -- so please
> don't "help" that way.
>
> If anyone can provide some info on this, please let me know. At present
> the alternate solution is the NT SOCKS 5 code.

--------------428733594DAA
Content-Type: text/html; charset=us-ascii; name="msg00130.html"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline; filename="msg00130.html"
Content-Base: "http://www.socks.nec.com/socksmail/msg00130.html"
udprelay using select() instead of poll()



Hello,

I was hoping to use udprelay on a DECstation running Ultrix 4.3 or 4.4.
However, it uses the poll() system call and Ultrix only supplies select().
I looked at the FAQ and this issue was not addressed.

I'll look into making the changes myself, but thought I could save reinventing
the wheel if someone had already done this and had diffs that they could 
share.

Thanks in advance,

Sean 
---------
Sean Emery					sbemery@switch.com
Manager, System Development Environment		(412)369-2267
Union Switch and Signal Inc.
Pittsburgh, PA  15237

"When Hiro learned how to do this, way back fifteen years ago, a hacker could
 sit down and write an entire piece of software by himself.  Now, that's no
 longer possible.  Software comes out of factories, and hackers are, to a 
 greater or lesser extent, assembly-line workers.  Worse yet, they may become
 managers who never write any code themselves."  
						- Hiro Protagonist, "Snow Crash"



--------------428733594DAA--

From owner-firewalls-list Fri Oct 17 17:16:10 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA21247; Fri, 17 Oct 1997 06:13:42 -0700 (PDT)
Received: from easm.afiwc01.af.mil (ltj11.kelly.af.mil [137.242.155.51]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id GAA21192 for ; Fri, 17 Oct 1997 06:13:30 -0700 (PDT)
Received: from easm.afiwc01.af.mil (root@localhost) by easm.afiwc01.af.mil (8.7.5/8.7.3) with ESMTP id IAA04733 for ; Fri, 17 Oct 1997 08:16:39 -0500 (CDT)
Received: from ea_unc015.afiwc01.af.mil (ea_unc015.afiwc01.af.mil [198.154.8.15]) by easm.afiwc01.af.mil (8.7.5/8.7.3) with SMTP id IAA04729 for ; Fri, 17 Oct 1997 08:16:39 -0500 (CDT)
Received: by ea_unc015.afiwc01.af.mil with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BCDAD5.7BDC5DE0@ea_unc015.afiwc01.af.mil>; Fri, 17 Oct 1997 08:20:10 -0500
Message-ID:
From: Exadmin
To: "'firewalls@GreatCircle.COM'"
Subject: Firewalls: www & high port number
Date: Fri, 17 Oct 1997 08:20:08 -0500
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

To Whom it may concern,

This email address is no longer valid for this individual, they have relocated out of the country. Please remove it from your distribution list.
"kroy@afiwc01.af.mil"

From owner-firewalls-list Fri Oct 17 18:05:43 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA28060; Fri, 17 Oct 1997 09:01:28 -0700 (PDT)
Received: from pse01.pios.com (PSE01.PIOS.COM [199.33.129.2]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id JAA28037 for ; Fri, 17 Oct 1997 09:01:20 -0700 (PDT)
Received: by pse01.pios.com; (5.65v3.2/1.3/10May95) id AA01896; Fri, 17 Oct 1997 12:00:04 -0400
Received: from vaxa.PIOS.COM (vaxa.PIOS.COM) by gemini.pios.com (PMDF V5.0-6 #18985) id <01IOWV6IWXU88X0TGU@gemini.pios.com> for firewalls@GreatCircle.COM; Fri, 17 Oct 1997 12:00:56 -0400 (EDT)
Received: from ghost (192.168.14.190) by PIOS.PIOS.COM (PMDF V5.0-6 #18984) id <01IOWV3ZW06O90NMO0@PIOS.PIOS.COM> for firewalls@GreatCircle.COM; Fri, 17 Oct 1997 11:58:55 -0400 (EDT)
Date: Fri, 17 Oct 1997 08:59:38 -0700
From: Bill Stout
Subject: Re: Windows NT domain through Gauntlet firewall
X-Sender: stoutb@192.168.0.37
To: firewalls@GreatCircle.COM
Message-Id: <2.2.32.19971017155938.010fe658@192.168.0.37>
Mime-Version: 1.0
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7BIT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 04:42 PM 10/16/97 +1000, Colin Linahan wrote:
>Hi everyone,
> We want to do what many may consider a security risk - allow Windows
>NT ports 137,138 and 139 between initially three geographically separate sites.
> We are wanting to run a Windows NT domain over our TCP/IP based
>WAN ( which is connected to the Internet ) - through CISCO routers and a
> Gauntlet 3.2 firewall running on SunOS 4.1.4 based host ( which will later
> this year be running Gauntlet 4.0 for Solaris ).
>Our site is the only one with a proxy-based firewall.
>...yada...

Use tunnels between trusted sites. Remember NetBEUI is not routable.

The more holes you put in a firewall, the less of a 'firewall' it is.
Open NetBIOS ports on your firewall can become party-time for intrusions.

You can download the Altavista tunnel eval to see if it works for you, I think that's the only tunnel that doesn't have to live on the firewall (runs on PCs inside the firewalls). Port 6666 is opened to the IP address of the tunnel, though only encrypted links are accepted.

BTW - Are there any other tunnels available that don't have to run on the firewall?

Bill Stout
____________________________________________________________________________
Some people thought signing 'worst ever El Nino' warnings four months ago was sick. Now _I'm_ sick of hearing of it every stinkin' day.

From owner-firewalls-list Fri Oct 17 18:19:30 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA01680; Fri, 17 Oct 1997 14:00:32 -0700 (PDT)
Received: from notes950.cc.bellcore.com (notes950.cc.bellcore.com [128.96.115.72]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id OAA01574 for ; Fri, 17 Oct 1997 14:00:10 -0700 (PDT)
From: pthermos@notes.cc.bellcore.com
Received: by notes950.cc.bellcore.com(Lotus SMTP MTA v1.1 (385.6 5-6-1997)) id 85256533.00735CAD ; Fri, 17 Oct 1997 17:00:03 -0400
X-Lotus-FromDomain: BELLCORE
To: mshines@purdue.edu
cc: firewalls@GreatCircle.COM
Message-ID: <85256533.006FAD05.00@notes950.cc.bellcore.com>
Date: Fri, 17 Oct 1997 16:53:37 -0400
Subject: Re: bombing
Mime-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Forgive me, if my comment regarding e-mail bombing was disturbing to you or anyone else in the mailing list. But I also have a few things to point out regarding comments that were raised:

a) Someone who has the interest to belong on a security related mailing list, I assume he/she has some knowledge of the technology and related Internet resources.
b) Posting articles and requesting tools for mail-bombing on a firewall mailing list, with no related information such as testing against a firewall et al., denotes something more than just a work/study related interest.
c) If the latter is true, did you ever think that the potential victim could reside in your site?
d) I have no problem sharing information related to my work interests with others.
e) Any information I post is my opinion and doesn't reflect any of Bellcore's policies either !
f) Comments against specific people, parties or companies should have more direct and detailed explanation as to "how" and "why" such comments are true or raised.
g) Stguchi can use one of the search engines using his/her browser to find a whole lot more information on the subject.

Have a mail-bomb free weekend !

PT

To: Peter Thermos/Bellcore, jloiacon@csc.com
cc:
From: mshines@purdue.edu
Date: 10/17/97 02:58:41 PM
Subject: Re: bombing

> You have his e-mail address ... ;-)
>
> PT
>
> To: Stguchi@aol.com
> cc: firewalls@GreatCircle.COM (bcc: Peter Thermos/Bellcore)
> From: jloiacon@csc.com
> Date: 10/17/97 10:11:44 AM AST
> Subject: Re: bombing
>
> Stguchi@aol.com wrote:
> >
> > do u have the bombing program ? if so please e-mail it to me
> What's your IP address, I'll send it to you.
> Joe
> --
> Joe Loiacono (301) 415-6153
> Computer Sciences Corporation http://www.csc.com

-----------------------------------------------------------------
Observations -

1. someone isn't familiar with ping, finger, whois or dig... (or even just going to the is.internic.net site) to get an IP address
2. someone isn't planning to respond on port 23 (smtp)....
3. Stguchi (and AOL in the process) is going to get a lot more than he asked for.. it appears.

Curious - this coming from CSC and Bellcore... but perhaps I presume too much.

Best wishes for a good weekend.
-----------------------------------------------------------------
Internet: mshines@purdue.edu      * Michael S. Hines, CISA,CIA,CDP,CFE
Voice: (765) 494-5845             * Sr. Information Systems Auditor
FAX: (765) 496-1814               * Purdue University
                                  * 1065 Freehafer Hall
                                  * West Lafayette, IN 47907-1065
All views are my own and do not reflect Purdue University policy.

From owner-firewalls-list Fri Oct 17 18:19:41 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA03921; Fri, 17 Oct 1997 12:01:02 -0700 (PDT)
Received: from mail.clark.net (mail.clark.net [168.143.0.10]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id MAA03864 for ; Fri, 17 Oct 1997 12:00:48 -0700 (PDT)
From: phoenix@clark.net
Received: from clark.net (phoenix@explorer.clark.net [168.143.0.7]) by mail.clark.net (8.8.7/8.8.7) with ESMTP id PAA10040; Fri, 17 Oct 1997 15:00:40 -0400 (EDT)
Received: from localhost (phoenix@localhost) by clark.net (8.8.7/8.8.7) with SMTP id PAA07018; Fri, 17 Oct 1997 15:00:38 -0400 (EDT)
X-Authentication-Warning: clark.net: phoenix owned process doing -bs
Date: Fri, 17 Oct 1997 15:00:38 -0400 (EDT)
To: Lee Nan Phin
cc: firewall
Subject: Re: WinGate Proxy
In-Reply-To: <3447A0DC.1482@mol.net.my>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 17 Oct 1997, Lee Nan Phin wrote:

> Hi all,
>
> Need to seek expert's advice on the above.
>
> We have difficulty setting up Lotus Client accessing Domino server
> through WinGate Proxy server.
>
> I notice that there is no predefined proxy for Lotus Note connection
> (port 1351).

I think you mean port 1352.

>
> What should I do? Any advice would be appreciated.
>
> Thanks in advance.
>
> Regards.
>

From owner-firewalls-list Fri Oct 17 18:49:01 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id DAA28721; Fri, 17 Oct 1997 03:46:28 -0700 (PDT)
Received: from antares.serpro.gov.br (antares.serpro.gov.br [161.148.1.8]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id DAA28714 for ; Fri, 17 Oct 1997 03:46:18 -0700 (PDT)
Received: from dos2104.sede.serpro.gov.br by antares.serpro.gov.br (AIX 3.2/UCB 5.64/4.03) id AA14134; Fri, 17 Oct 1997 08:50:17 -0500
Received: by dos2104.sede.serpro.gov.br with Microsoft Mail id <01BCD69C.393750E0@dos2104.sede.serpro.gov.br>; Sat, 11 Oct 1997 23:20:12 -0300
Message-Id: <01BCD69C.393750E0@dos2104.sede.serpro.gov.br>
From: augusto ewerton dias
To: "'firewalls@greatcircle.com'"
Date: Sat, 11 Oct 1997 23:20:08 -0300
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

remove

From owner-firewalls-list Fri Oct 17 19:04:24 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id SAA03675; Fri, 17 Oct 1997 18:48:43 -0700 (PDT)
Received: from endeavor.flash.net (endeavor.flash.net [209.30.0.40]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id SAA03631 for ; Fri, 17 Oct 1997 18:48:31 -0700 (PDT)
Received: from default (sdsh13-61.flash.net [209.30.132.61]) by endeavor.flash.net (8.8.5/8.8.5) with SMTP id UAA09242; Fri, 17 Oct 1997 20:48:31 -0500 (CDT)
Message-ID: <199710171848040900.00511722@mail.flash.net>
X-Mailer: Calypso Evaluation Version 2.30.23
Date: Fri, 17 Oct 1997 18:48:04 -0700
From: "travis"
To: pthermos@notes951.cc.bellcore.com, mshines@purdue.edu
Cc: firewalls@GreatCircle.COM
Subject: Re: bombing
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I don't really believe that he wanted to protect from a firewall...
he's just a "lamer" from AoLLe =P

btw... anyone got "warez" ; )

e-mail: wardt@flash.net
        wardt@playground.bishops.com
Best Viewed with a Premium Mailing System

Support the Blue Ribbon Campaign for Free Speech on the Internet

From owner-firewalls-list Fri Oct 17 19:48:55 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id TAA11373; Fri, 17 Oct 1997 19:44:18 -0700 (PDT)
Received: from jet.laker.net (jet.laker.net [205.245.74.2]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id TAA11334 for ; Fri, 17 Oct 1997 19:44:08 -0700 (PDT)
Received: from camarillo.locked.com (digital-fll-111.laker.net [205.245.75.11]) by jet.laker.net (8.8.5/8.8.5.NO-SPAM.SPAMMERS.AND.RELAYS.WILL.BE.TRACKED.AND.PROSECUTED.) with SMTP id WAA06403 for ; Fri, 17 Oct 1997 22:47:40 -0400
Message-Id: <3.0.2.32.19971017224755.00a3d4c0@9.1.1.1>
X-Sender: fdarden#mail.laker.net@9.1.1.1
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.2 (32)
Date: Fri, 17 Oct 1997 22:47:55 -0400
To: firewalls@GreatCircle.COM
From: Frank Darden
Subject: sex, lies, and firewall code
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

You know, it is so humorous. These Firewall manufacturers will stop at nothing to "out compete" one another. Now I am not trying to start any religious wars over firewalls, but I feel the time comes when you have to say enough is enough.
I am referring to the following publication

http://www.tis.com/docs/products/gauntlet/firewallcomp.html

Where's the beef, man? Where are the facts, speeds and feeds? Clearly, TIS has stepped over the line this time. I would be surprised if the author of this article even knew a packet header if he saw one. Read this and see for yourself. It is fairly content free, but at the same time to the untrained eye, would lead you to believe all kinds of bad things about Firewall-1.

Let's get the facts out front!

Frank
http://www.locked.com

From owner-firewalls-list Fri Oct 17 23:18:50 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA28329; Fri, 17 Oct 1997 23:05:07 -0700 (PDT)
Received: from hotmail.com (F93.hotmail.com [207.82.250.199]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id XAA28321 for ; Fri, 17 Oct 1997 23:05:02 -0700 (PDT)
Received: (qmail 14704 invoked by uid 0); 18 Oct 1997 06:05:12 -0000
Message-ID: <19971018060512.14703.qmail@hotmail.com>
Received: from 206.86.246.145 by www.hotmail.com with HTTP; Fri, 17 Oct 1997 23:05:11 PDT
X-Originating-IP: [206.86.246.145]
From: "Dameon Welch"
To: fdarden@locked.com, jk@stallion.ee
Cc: fw-1-mailinglist@us.checkpoint.com, firewalls@GreatCircle.COM
Subject: Re: [FW1] Re: Virus Protection on FW-1
Content-Type: text/plain
Date: Fri, 17 Oct 1997 23:05:11 PDT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>This should already go into a FAQ somewhere: yes, FireWall-1 at least on
>Solaris Sparc and Solaris x86 Intel does take advantage of
>multiprocessing. Why: because Solaris itself distributes the load between
>two or more processors. Believe me, if you add a second processor to dual
>Pentium for example you can see how it gets better.

This only works *really* well with programs that are multi-threaded, though. If the program is not thread safe, "bad things happen."
I've seen cases of programs ON SOLARIS where they weren't thread safe and occasional glitches and such happened. In short, if you want the advantages of a multiprocessor box, you really need to run programs that are thread-safe and are written to take advantage of it.

--
Dameon D. Welch, a.k.a. "PhoneBoy", a.k.a. "JungleMan"
dwelch@phoneboy.com, http://www.phoneboy.com

______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com

From owner-firewalls-list Sat Oct 18 02:38:40 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA28228; Fri, 17 Oct 1997 13:45:15 -0700 (PDT)
Received: from x11.boston.juno.com (x11.boston.juno.com [205.231.100.26]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id NAA28157 for ; Fri, 17 Oct 1997 13:44:58 -0700 (PDT)
Received: (from wiseleo@juno.com) by x11.boston.juno.com (queuemail) id QIL16725; Fri, 17 Oct 1997 16:39:29 EDT
To: tim.farrell@bmc.org
Cc: firewalls@GreatCircle.COM
Date: Fri, 17 Oct 1997 13:12:25 -0700
Subject: Re: VT emulation through a browser?
Message-ID: <19971017.133316.5903.3.wiseleo@juno.com>
References: <3447A2DA.3E9C0E4B@mbox.bmc.org>
X-Mailer: Juno 1.38
X-Juno-Line-Breaks: 1-4,6-7,10-15,17-18,20-21,25-31,33-34,36-48
From: wiseleo@juno.com (Leonid S Knyshov)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Tim (and Firewalls readers don't be mad, I am sure you might benefit some day from a setup like this :),

The solution is very simple. What you can do is define this program as your telnet application in Netscape and reference it with telnet:// URL

If it's multiple software (2 different products or more), then you have to create multiple MIME filetypes and associate them under Windows with your software. I would go like this:

.ex1 application/x-vt1 c:\vtsoftware\vt1.exe

Actually, I would add it in a .reg script. :) Just export the hives from registry.
I assume you are using Windows 32 bit (95/NT) because you said it's Netscape 4.0.

Then all you do is add those MIME types to your web server and create links to .ex1 (or whatever you call them) files.

$ touch vt1

should do the trick. The browser could care less about what the files are since at this point VT emulation takes over :)

I hope this works/helps, and if it's original, give me credit ;)

Leo.

*** Leonid Knyshov AKA Wise_One
For file attachments please use wiseleo@hotmail.com and send a note about it here :)

On Fri, 17 Oct 1997 10:39:39 -0700 Tim Farrell writes:
>I don't know if this question appropriate in this forum, so I
>apologize
>if it is not. I am currently attempting to launch VMS apps through my
>browser in an effort to complete our intranet application shell. Our
>network apps require VT emulation to run. My question is, does anyone
>know how I can get the client browser (Netscape 4.0) to launch an
>executable from the local drive. All of our clients have VT emulation
>software loaded on them. All I want to do is through a link, make a
>call to a local executable on the client to launch this VT emulation
>software to run under the browser.
>
>Any Ideas????
From owner-firewalls-list Sat Oct 18 02:52:58 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA17204; Sat, 18 Oct 1997 02:44:49 -0700 (PDT)
Received: from dwarpal.wipsys.soft.net ([164.164.29.22]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id CAA17197 for ; Sat, 18 Oct 1997 02:44:36 -0700 (PDT)
Received: by dwarpal.wipsys.soft.net (SMI-8.6/SMI-SVR4) id PAA28761; Sat, 18 Oct 1997 15:13:03 -0500
Received: from ace.wipsys.soft.net(164.164.29.18) by dwarpal via smap (V2.0) id xma028759; Sat, 18 Oct 97 15:12:50 -0500
Received: from wipsys.soft.net by ace.wipsys.soft.net (SMI-8.6/SMI-SVR4) id PAA03315; Sat, 18 Oct 1997 15:18:22 GMT
Message-ID: <34488448.E2059E7@wipsys.soft.net>
Date: Sat, 18 Oct 1997 15:11:35 +0530
From: Param
Organization: Wipro Systems Banglore
X-Mailer: Mozilla 4.03 [en] (WinNT; I)
MIME-Version: 1.0
To: "firewalls@GreatCircle.COM"
Subject: (no subject)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

remove

From owner-firewalls-list Sat Oct 18 08:54:50 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA07780; Sat, 18 Oct 1997 08:45:31 -0700 (PDT)
Received: from molhub.mol.net.my (aimsvan.mol.net.my [202.190.128.10]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id IAA07773 for ; Sat, 18 Oct 1997 08:45:25 -0700 (PDT)
Received: from ts18-p9.mol.net.my by molhub.mol.net.my; Sat, 18 Oct 97 23:48:32 +0800
Message-ID: <3449AAAD.2A40@mol.net.my>
Date: Sat, 18 Oct 1997 23:37:33 -0700
From: Lee Nan Phin
Reply-To: nplee@mol.net.my
Organization: CS
X-Mailer: Mozilla 3.0 (Win95; I; 16bit)
MIME-Version: 1.0
To: phoenix@clark.net
CC: firewall
Subject: Re: WinGate Proxy
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Thanks all,

Actually we started with port 1352, but
every time we connected to Domino (ver 4.5a on NT 4.0 SP3) it causes an error: device buffer full. So we are now switching to 1351. It seemed OK without the Proxy. Anybody know why??

Thanks.

phoenix@clark.net wrote:
>
> On Fri, 17 Oct 1997, Lee Nan Phin wrote:
>
> > Hi all,
> >
> > Need to seek expert's advice on the above.
> >
> > We have difficulty setting up Lotus Client accessing Domino server
> > through WinGate Proxy server.
> >
> > I notice that there is no predefined proxy for Lotus Notes connection
> > (port 1351).
>
> I think you mean port 1352.
>
> >
> > What should I do? Any advice would be appreciated.
> >
> > Thanks in advance.
> >
> > Regards.
> >

From owner-firewalls-list Sat Oct 18 11:19:03 1997
Message-Id: <3.0.3.32.19971018142203.009a3100@isr.net>
Date: Sat, 18 Oct 1997 14:22:03 -0400
To: Frank Darden, firewalls@GreatCircle.COM
From: red@isr.net (Research Editor)
Subject: Re: sex, lies, and firewall code
In-Reply-To: <3.0.2.32.19971017224755.00a3d4c0@9.1.1.1>

Well Frank, you stated that you didn't want any religious wars, but I'm afraid your brief comment (enclosed), at the very least, has all the characteristics of well-known initial hostilities.

The author of the document is Fred Avolio.
And Fred Avolio is, as far as I am (and thousands of others with me) concerned, within the world top of firewall experts. Before attacking Fred in such an open forum, I'd appreciate it if you consulted with him first. If you want 'beef', I'm sure he can help you out.

Please, be a bit more thoughtful, and show some respect for peers.

Thank you.

Bertil Fortrie
--

At 10:47 PM 10/17/97 -0400, Frank Darden wrote:
>You know, it is so humorous. These Firewall manufacturers will stop at
>nothing to "out compete" one another. Now I am not trying to start any
>religious wars over firewalls, but I feel the time comes when you have to
>say enough is enough. I am referring to the following publication
>http://www.tis.com/docs/products/gauntlet/firewallcomp.html
>Where's the beef man? Where are the facts, speeds and feeds? Clearly, TIS
>has stepped over the line this time. I would be surprised if the author of
>this article even knew a packet header if he saw one. Read this and see for
>yourself. It is fairly content free, but at the same time to the untrained
>eye, would lead you to believe all kinds of bad things about Firewall-1.
>Let's get the facts out front!
>
>Frank
>http://www.locked.com
>

From owner-firewalls-list Sat Oct 18 12:04:04 1997
Date: Sat, 18 Oct 1997 14:45:23 -0400 (EDT)
From: "Mark 'segfault' Guzman"
To: Stepken
cc: Chris Pugrud, firewalls@GreatCircle.COM
Subject: Re: firewalls with linux OS
In-Reply-To: <3446DC5A.278F1148@edina.xnc.com>

On Fri, 17 Oct 1997, Stepken wrote:

> Chris Pugrud wrote:
>
> > Apache is quite stable. You should let it run in a chroot() environment.
>
> For security purposes I really only trust CERN-HTTPD. It's the only
> one which is bullet proof.

Nothing is bullet proof. Also, I have never had a security problem with sendmail; if you configure it right it doesn't lead to problems.
From owner-firewalls-list Sat Oct 18 13:34:08 1997
Message-Id: <199710190117.DAA00445@pinux.selfin.net>
From: "Franco RUGGIERI"
To:
Cc: "GreatCircle forum"
Subject: I: sex, lies, and firewall code
Date: Sat, 18 Oct 1997 21:26:07 +0200

Not to pick a fight, but I'd like you to reply, just for the sake of knowledge.

TIA
-------------------------------
Franco RUGGIERI
fruggieri@selfin.net

----------
> From: Frank Darden
> To: firewalls@GreatCircle.COM
> Subject: sex, lies, and firewall code
> Date: Saturday, 18 October 1997 4.47
>
> You know, it is so humorous. These Firewall manufacturers will stop at
> nothing to "out compete" one another. Now I am not trying to start any
> religious wars over firewalls, but I feel the time comes when you have to
> say enough is enough. I am referring to the following publication
> http://www.tis.com/docs/products/gauntlet/firewallcomp.html
> Where's the beef man? Where are the facts, speeds and feeds? Clearly, TIS
> has stepped over the line this time. I would be surprised if the author of
> this article even knew a packet header if he saw one. Read this and see for
> yourself. It is fairly content free, but at the same time to the untrained
> eye, would lead you to believe all kinds of bad things about Firewall-1.
> Let's get the facts out front!
>
> Frank
> http://www.locked.com

From owner-firewalls-list Sat Oct 18 14:33:51 1997
Date: Sat, 18 Oct 1997 14:19:25 -0700 (MST)
From: Vandana Shah
Subject: Firewalls, and virus
To: Firewalls@GreatCircle.COM

hello,

I have a question: whether a firewall can itself be infected by a virus or Trojan Horse. If yes, why, and if not, why not?
reply back
-Vandana

*********
Vandana Shah
1031 E Lemon Street, #31
Tempe, AZ 85281
ph: (602)927-9720
email: vshah@asu.edu
*******

From owner-firewalls-list Sat Oct 18 17:34:00 1997
Date: Sat, 18 Oct 1997 20:26:19 -0400 (EDT)
From: Richard Trott
To: firewalls@GreatCircle.COM
Subject: Re: sex, lies, and firewall code
In-Reply-To: <3.0.2.32.19971017224755.00a3d4c0@9.1.1.1>

The document you cite doesn't refer to speeds, etc., but why should it? That's not what it's about. It's about security and the strengths and weaknesses of different approaches to creating a firewall.

The author gives very relevant and important pieces of information. For example, the author points out that FireWall-1 cannot verify "Sybase header field format and content." Instead, the "solution" for getting Sybase across the firewall is to poke a hole for that particular port. That is hardly a "content-free" observation.

Now, if you want to make a case that such a statement is wrong or misleading, or that the danger that is implied is quite exaggerated, then by all means, make your case. But to suggest that this is not information that is of use to someone who is trying to decide what firewall product to use seems grossly in error. To suggest that some speed tests might be more useful suggests that your priorities may be in the wrong place.
But that is addressed perfectly well in the last paragraph of the document you derided.

For a much better example of "content-free" marketing, you should examine your own web page at http://www.locked.com. I was unable to find a single document there with a fraction of the information presented in the TIS document which you felt was so appalling that you were compelled to send a message to the list about how disgusted you were upon reading it.

Rich

On Fri, 17 Oct 1997, Frank Darden wrote:

> You know, it is so humorous. These Firewall manufacturers will stop at
> nothing to "out compete" one another. Now I am not trying to start any
> religious wars over firewalls, but I feel the time comes when you have to
> say enough is enough. I am referring to the following publication
> http://www.tis.com/docs/products/gauntlet/firewallcomp.html
> Where's the beef man? Where are the facts, speeds and feeds? Clearly, TIS
> has stepped over the line this time. I would be surprised if the author of
> this article even knew a packet header if he saw one. Read this and see for
> yourself. It is fairly content free, but at the same time to the untrained
> eye, would lead you to believe all kinds of bad things about Firewall-1.
> Let's get the facts out front!
>
> Frank
> http://www.locked.com
>

Richard Trott
trott@remus.rutgers.edu

From owner-firewalls-list Sat Oct 18 19:18:55 1997
Date: Sat, 18 Oct 1997 22:05:02 -0400 (EDT)
From: Brian Mitchell
To: Richard Trott
cc: firewalls@GreatCircle.COM
Subject: Re: sex, lies, and firewall code

On Sat, 18 Oct 1997, Richard Trott wrote:

> For a much better example of "content-free" marketing, you should examine
> your own web page at http://www.locked.com. I was unable to find a single
> document there with a fraction of the information presented in the TIS
> document which you felt was so appalling that you were compelled to send a
> message to the list about how disgusted you were upon reading it.

The fact that Checkpoint is a partner of locked.com (according to their own web page) may have something to do with this. Of course, the poster neglected to mention this in his anti-TIS rant; must have slipped his mind.

I too read the TIS review. I thought it raised some interesting points - none of which condemn the technology, just the existing implementations.
From owner-firewalls-list Sat Oct 18 19:48:51 1997
Message-ID: <344A45D0.3C69@hotmail.com>
Date: Sun, 19 Oct 1997 10:39:28 -0700
From: must_do
Organization: Only me
To: firewalls@GreatCircle.COM

remove

From owner-firewalls-list Sat Oct 18 19:54:50 1997
Message-ID: <01BCDC8C.B5A23550@aragon>
From: "Craig S. Wright"
To: "'firewalls@GreatCircle.COM'"
Subject: RE: sex, lies, and firewall code
Date: Sun, 19 Oct 1997 12:44:14 +1000

Proxies and stateful filters both currently have a place, though a different one.
Used together they may form a secure network (if the rules are correctly set). There are holes in both products. All issues like this do is remove the focus from what is really needed.

The real issue comes down to management and accounting of the gateway. NO firewall will defend you if it is not maintained and the logs regularly checked.

The issues should not be based on proxy vs filter gateways; rather, the two need to be deployed together (note that TIS uses a packet filter too, so both FW-1 and TIS are hybrids). What vendors need to do is include cryptographically hardened methods of authentication and access control.

Neither a proxy nor a packet filter alone makes a good barrier. Nor does a single machine. Nor does a single O/S. Nor does a single vendor.

When there is finally a gateway product that has full authentication based on digital certification, that links to all machines in the domain, that does a host AND user authentication simultaneously, then maybe some of the vendors may be going in the right direction.

There is currently NO reason this may not be achieved. It has been done already. What needs to happen is that we have to stop fighting over what is the better overall product and have a security model based on what is needed, not based on the current religious fervor.

Craig S. Wright
Network Security Specialist
craig.wright@asx.com.au

----------
From: Richard Trott
Sent: Sunday, October 19, 1997 10:26 AM
To: firewalls@GreatCircle.COM
Subject: Re: sex, lies, and firewall code

The document you cite doesn't refer to speeds, etc., but why should it? That's not what it's about. It's about security and the strengths and weaknesses of different approaches to creating a firewall. The author gives very relevant and impo