From owner-firewalls-list Wed Oct 1 00:44:43 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA24577; Tue, 30 Sep 1997 02:30:45 -0700 (PDT)
Received: from ildico.comnet.com.tr (ildico.comnet.com.tr [195.46.158.2]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id CAA24559 for ; Tue, 30 Sep 1997 02:30:21 -0700 (PDT)
Received: (from uucp@localhost) by ildico.comnet.com.tr (8.8.7/8.7.3) id MAA04640; Tue, 30 Sep 1997 12:33:01 +0300 (EET DST)
Received: from volkan.comnet.com.tr(195.46.159.10) by ildico.comnet.com.tr via smap (V2.0) id xma004637; Tue, 30 Sep 97 12:32:56 +0300
Message-Id: <3.0.3.32.19970930133329.00804100@mail.comnet.com.tr>
X-Sender: ferioli@mail.comnet.com.tr
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Tue, 30 Sep 1997 13:33:29 +0200
To: "steven.j.schulze" , firewalls
From: Michael Ferioli
Subject: Re: VLANs for Security Inside the Firewall
In-Reply-To: <9709290558.AA2100@notes2.compuserve.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 01:02 PM 9/28/97, steven.j.schulze wrote:
>I have a client who is running VLANs on Cisco switches, mostly for convenience
>and flexibility reasons. This client is wondering if any level of security
>is achieved due to this "virtual" network segmentation. I realize that VLANs
>are not firewalls, strong encryption+authentication, etc. however, to achieve
>separation and prevent snooping / interception, do the VLANs in effect take
>each node out of each other's "Collision Domain" (to use the Ethernet term)?
>Assume the worst-- competing clients on the network, with NICs in promiscuous
>mode (trivial to do today), what would that PC / Unix box see?

VLANs segregate switch ports into segments. In other words, once you have created three VLANs, you can think of it as three separate physical switches.

Now, within each switched VLAN:
- Broadcasts are forwarded to each port (within same VLAN)
- A packet is only forwarded from one port to another if the switch determines that the destination is reachable via another switch port
- a PC in promiscuous mode would be able to sniff:
  - Broadcasts within same VLAN
  - Packets being sent across a hub connected to a single switch port

Typically you would use a router to route between VLANs. You can connect an ethernet interface to each VLAN or you can create a global port and put multiple addresses on the interface. That's a design issue. Some switches now have routing capability built in.

To answer your question:
- Switching with no VLANs provides protection because not all users see all packets (each switch port is its own collision domain).
- Switching with no VLANs provides no protection in sniffing for broadcast packets
- Switching with VLANs provides some protection against broadcast sniffing as long as the offending PC is not within the same VLAN.

Mike

+----------------------------------------------------------+
| Michael D. Ferioli              ferioli@comnet.com.tr    |
| Comnet A.S.                     http://www.comnet.com.tr |
+----------------------------------------------------------+

From owner-firewalls-outgoing Wed Oct 1 01:29:12 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id QAA08776 for firewalls-outgoing; Tue, 23 Sep 1997 16:02:29 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id PAA00920 for ; Tue, 23 Sep 1997 15:22:05 -0700 (PDT)
Received: from nexus.net.mx by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id OAA24801; Tue, 23 Sep 1997 14:38:25 -0700 (PDT)
Received: (from jdelgado@localhost) by nexus.net.mx (8.8.5/8.7.2) id QAA09676; Tue, 23 Sep 1997 16:39:55 -0600 (CST)
Date: Tue, 23 Sep 1997 16:39:54 -0600 (CST)
From: Jose Luis Delgado
To: Firewalls@GreatCircle.COM
Subject: two questions!
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi to everybody!

I need a bit of your help! I apologize if this is off topic!

Question 1: I have two routers; with one of them, I can 'see' the Internet! With the other I can't! I can just telnet to the first router! How can I configure my router to 'route' to the Internet?? (of course, I have an ISP)

Question 2: I have a Sparc20 with 160MB running Raptor Firewall! and I have another Sparc470 not utilized! I would like to use the SIMMs of the Sparc470 in the Sparc20!! Can I do that?? Are the SIMMs compatible??

Thanks in advance!

P.S.: Since I'm not on your mailing list, can you respond directly, please??
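Returning to Michael Ferioli's VLAN answer above: a constructed Python model of the forwarding rules he describes (an added illustration, not code from the list or from any switch vendor). It assumes a learning switch with one VLAN per port, lets several hosts on one port stand for a hub, and, going slightly beyond the post, also floods a unicast frame whose destination MAC the switch has not yet learned.

```python
"""Constructed model of switched-VLAN forwarding (not from the list post):
broadcasts reach every port in the same VLAN, a learned unicast goes only to
the port where its destination was seen, and hosts behind a hub share the
wire of their port. We then ask which frames a promiscuous NIC observes."""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str          # source MAC (host names double as MACs here)
    dst: str          # destination MAC or BROADCAST
    note: str = ""    # label reported when a sniffer sees the frame


@dataclass
class Switch:
    """A learning switch; each port belongs to exactly one VLAN."""
    port_vlan: dict[int, int]
    mac_table: dict[tuple[int, str], int] = field(default_factory=dict)

    def forward(self, ingress: int, frame: Frame) -> set[int]:
        """Return the egress ports for a frame arriving on `ingress`."""
        vlan = self.port_vlan[ingress]
        self.mac_table[(vlan, frame.src)] = ingress   # learn where src lives
        flood = {p for p, v in self.port_vlan.items() if v == vlan and p != ingress}
        if frame.dst == BROADCAST:
            return flood                               # broadcast: whole VLAN
        learned = self.mac_table.get((vlan, frame.dst))
        if learned is None:
            return flood                               # unknown unicast floods
        if learned == ingress:
            return set()                               # same segment: not forwarded
        return {learned}                               # known unicast: one port


@dataclass
class Network:
    """Hosts attached to switch ports; several hosts on one port means a hub."""
    switch: Switch
    host_port: dict[str, int]   # host -> switch port

    def hosts_on(self, port: int) -> set[str]:
        return {h for h, p in self.host_port.items() if p == port}

    def send(self, frame: Frame) -> set[str]:
        """Deliver a frame; return every host whose NIC sees it on the wire."""
        ingress = self.host_port[frame.src]
        seen = self.hosts_on(ingress) - {frame.src}   # hub neighbours see it
        for port in self.switch.forward(ingress, frame):
            seen |= self.hosts_on(port)
        return seen


def sniffable(net: Network, observer: str, traffic: list[Frame]) -> list[str]:
    """Replay traffic in order; list the frames a promiscuous observer sees."""
    return [f.note for f in traffic if observer in net.send(f)]


def build_example() -> Network:
    """Constructed topology: VLAN 10 has A (port 1), B (port 2) and a hub with
    H1/H2 (port 3); VLAN 20 has C (port 4) and the observer D (port 5)."""
    sw = Switch(port_vlan={1: 10, 2: 10, 3: 10, 4: 20, 5: 20})
    return Network(sw, {"A": 1, "B": 2, "H1": 3, "H2": 3, "C": 4, "D": 5})


# Constructed traffic; the two leading broadcasts let the switch learn B and H2.
TRAFFIC = [
    Frame("B", BROADCAST, "B bcast"),
    Frame("H2", BROADCAST, "H2 bcast"),
    Frame("A", "B", "A->B"),          # known unicast: reaches port 2 only
    Frame("A", BROADCAST, "A bcast"), # every VLAN 10 port, nothing in VLAN 20
    Frame("H1", "H2", "H1->H2"),      # stays on the hub segment of port 3
    Frame("C", BROADCAST, "C bcast"), # VLAN 20 only
    Frame("C", "D", "C->D"),
]

if __name__ == "__main__":
    for who in ("D", "H2", "B", "A"):
        print(who, "sees", sniffable(build_example(), who, TRAFFIC))
```

D, in the other VLAN, sees only VLAN 20 traffic; H2 on the hub sees its neighbour's unicast and VLAN 10 broadcasts but not A->B, which is the point of Ferioli's third bullet.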
From owner-firewalls-list Wed Oct 1 01:44:17 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id DAA03568; Tue, 30 Sep 1997 03:52:41 -0700 (PDT)
Received: from brussels.cisco.com (brussels.cisco.com [171.68.129.238]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id DAA03498 for ; Tue, 30 Sep 1997 03:52:20 -0700 (PDT)
Received: from cons-evyncke.cisco.com (brussels-ppp4.cisco.com [171.68.146.25]) by brussels.cisco.com (8.8.5/8.8.5) with SMTP id MAA27494; Tue, 30 Sep 1997 12:51:36 +0200 (METDST)
Message-Id: <3.0.3.32.19970930115845.01313614@brussels.cisco.com>
X-Sender: evyncke@brussels.cisco.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Tue, 30 Sep 1997 11:58:45 +0000
To: "steven.j.schulze" , firewalls
From: Eric Vyncke
Subject: Re: VLANs for Security Inside the Firewall
In-Reply-To: <9709290558.AA2100@notes2.compuserve.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 13:02 28/09/97, steven.j.schulze wrote:
>I have a client who is running VLANs on Cisco switches, mostly for convenience
>and flexibility reasons. This client is wondering if any level of security
>is achieved due to this "virtual" network segmentation. I realize that VLANs
>are not firewalls, strong encryption+authentication, etc. however, to achieve
>separation and prevent snooping / interception, do the VLANs in effect take
>each node out of each other's "Collision Domain" (to use the Ethernet term)?
>Assume the worst-- competing clients on the network, with NICs in promiscuous
>mode (trivial to do today), what would that PC / Unix box see?

First notice my affiliation by looking in my signature ;-)

Now, VLANs add to your security; they are useful but are only part of your security:
- Ethernet switches prevent sniffing: actually, if you put one single host per Ethernet switch port, then this host will receive traffic for only this MAC address + broadcast + multicast. Thus, a sniffer cannot sniff any packet not addressed to/sourced by it.
- you can also fix the MAC address to the switch port: then you can prevent local IP spoofing if you use a static MAC/port mapping TOGETHER with a static ARP table in hosts and routers (mainly used in 'high danger' DMZ)
- by partitioning your LAN (can be done via switch+VLAN and/or physical partitioning of your hubs), you can define sub-domains of trust and use a firewall (or routers with authentication) to control the traffic among these sub-domains
- you can also use a dedicated VLAN for managing your routers, switches, ... by SNMP or Telnet; as no end-users are connected to this VLAN they cannot sniff the passwords, config, community strings
- you can also restrict one user to belong to one VLAN only (the user is authenticated by username+password)
- ...

Hope this helps,

-eric

>
>Related question, anyone have any hands on with products like McAfee NetCrypto
>for local network encryption?
>
>I realize that security must be looked at holistically (must look at the
>threat, what are you trying to protect, etc.), and realize that I have not laid
>out the entire environment. Suffice it to say, though, that there are a
>minimum of 5 security "domains" in this office environment that require
>separation in the same or nearby physical area... an application multi-homed
>firewall can do a great job of separating these domains by interface and
>appropriate rulesets applied, but if you don't have LAN separation, forget
>about Firewalls and threats from the Internet.
>
>Any thoughts appreciated,
>
>Steven Schulze
>
>
>Andersen Consulting
>steven.j.schulze@ac.com
>

Eric Vyncke
Technical Consultant
Cisco Systems Belgium SA/NV
Phone: +32-2-778.4677
Fax: +32-2-778.4300
E-mail: evyncke@cisco.com
Mobile: +32-75-312.458

From owner-firewalls-list Wed Oct 1 05:17:00 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA28377; Tue, 30 Sep 1997 06:15:53 -0700 (PDT)
Received: from csc.com (explorer.csc.com [20.1.10.27]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id GAA28301 for ; Tue, 30 Sep 1997 06:15:35 -0700 (PDT)
Received: from csc.com by csc.com via smtpd with smtp id for ; Tue, 30 Sep 97 09:16 EDT (/\oo/\ Smail3.1.29.1 #29.9 built 21-apr-97)
Message-ID: <3430FBC5.D56E45E7@csc.com>
Date: Tue, 30 Sep 1997 09:16:53 -0400
From: john kerr
Reply-To: jkerr2@csc.com
X-Mailer: Mozilla 4.03 [en] (Win95; I)
MIME-Version: 1.0
To: firewalls@greatcircle.com
Subject: Downfalls of Proxy Server?
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

All,

I was wondering what the downfalls are of using Microsoft's proxy server to authenticate internal users to the Internet for HTTP services only. I realize that a rule must be put in the firewall to allow HTTP out from the proxy server's IP Address and that you no longer have a centralized location for all of the logs, but are there any other shortcomings? The internal network would be a Windows NT network.

The problem I'm trying to solve here is opposed to performing user authentication at the firewall and setting up users. I would use the NT groups already set up in the internal network and then selectively allow each group HTTP access.

Any thoughts?
John

From owner-firewalls-list Wed Oct 1 05:22:51 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA27969; Tue, 30 Sep 1997 06:14:06 -0700 (PDT)
Received: from kcpgw.kcp.com (kcpgw.kcp.com [198.62.69.65]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id GAA27862 for ; Tue, 30 Sep 1997 06:13:42 -0700 (PDT)
From: dharris@kcp.com
Message-Id: <199709301313.GAA27862@honor.greatcircle.com>
Received: by kcpgw.kcp.com id AA10028 (InterLock SMTP Gateway 3.0 for firewalls@GreatCircle.com); Tue, 30 Sep 1997 08:14:16 -0500
Received: by kcpgw.kcp.com (Internal Mail Agent-2); Tue, 30 Sep 1997 08:14:16 -0500
Received: by kcpgw.kcp.com (Internal Mail Agent-1); Tue, 30 Sep 1997 08:14:16 -0500
Mime-Version: 1.0
Date: Tue, 30 Sep 1997 08:12:28 -0500
Subject: Re: Finding a wiretap or NIC card with a TDR
To: firewalls@GreatCircle.com, Sick Puppy
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Description: cc:Mail note part
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Doesn't TDR *require* actively creating a pulse so you can measure its reflection? If you don't know when you emitted the pulse how can you measure the time until its echo?

I suppose a pattern-matching oscilloscope could be configured to measure the time between an outgoing 'ping' and its echo ;-)

______________________________ Reply Separator _________________________________
Subject: Finding a wiretap or NIC card with a TDR
Author: Sick Puppy at INTERNET-MAIL
Date: 9/27/97 9:40 PM

We have reason to believe that some loser geeks or phederal phucks have sneaked a wiretap onto a network segment that we often cross. We also happen to have a couple of Time Domain Reflectometers left over from previous academic research on satellite channels. If we plug the TDRs into the network segment there is a real good chance that the loser geeks or whatever will spot us so we need to run in stealth mode.

The network segment hosts several Unix boxes on which we are privileged users. (Our network, our boxes of course. What else could they be?)

Does anybody know of any software that will run on a Unix or NT box and provide the same information as a TDR? Does anybody know of an equivalent software package that will run on Unix or NT and help us find the wiretap or silent NIC card we think is there?

Sick Puppy, the Cat_Eating_Dawg

From owner-firewalls-list Wed Oct 1 05:32:26 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA06522; Tue, 30 Sep 1997 06:53:25 -0700 (PDT)
Received: from mail.orca.net (otbdc1.orca.net [38.211.180.12]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id GAA06486 for ; Tue, 30 Sep 1997 06:53:11 -0700 (PDT)
Received: by otbdc1.orca.net with Internet Mail Service (5.0.1457.3) id ; Tue, 30 Sep 1997 08:48:06 -0500
Message-ID: <711E7DBC93BDD011A3F100805F8AF4A30244C3@otbdc1.orca.net>
From: Mike Adams
To: "'Brian Mitchell'" , "Cline, Robert"
Cc: firewalls@GreatCircle.COM
Subject: RE: Ascend's Secure Access Firewall - Failures
Date: Tue, 30 Sep 1997 08:48:05 -0500
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1457.3)
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

One issue to be mindful of... Ascend Routers are not power houses. A basic install of a SAF on a Pipeline 50 will work. However, in my experience it seems that if you specify a lot of specific IP traffic and block a lot of traffic based on IP you run into timing problems.

At one site we have had 38 entries in the FTP and WWW sections to allow these 19 hosts to have access in and out while preventing others from passing traffic. The result was that often the web sites from inside the firewall would not be served through the wall completely. If we enabled * and * for web access or even cut the number down to around 6 hosts with access allowed this seemed to correct the issues.

We used 5.x on several 50 and 75 units with the same results. The new Pipeline 220 will not suffer from this, nor should the MAX 20xx / 40xx.

> -----Original Message-----
> From: Brian Mitchell [SMTP:brian@firehouse.net]
> Sent: Tuesday, September 30, 1997 12:04 AM
> To: Cline, Robert
> Cc: firewalls@GreatCircle.COM
> Subject: Re: Ascend's Secure Access Firewall
>
> On Mon, 29 Sep 1997, Cline, Robert wrote:
>
> > I've been considering using Ascend's Secure Access Firewall. There are
> > two main reasons: we are seriously considering using their routers no
> > matter which firewall we use, and it would be MUCH less expensive to use
> > their firewalls (assuming of course, we use their routers) than any
> > other firewall I've seen. Everything I've read about SAF seems to be
> > very much like what I've read about the other products. It seems to be a
> > solid, modern, commercial product. We would lose some flexibility
> > (pretty much only works with Ascend), but we would gain lower cost and a
> > same-vendor match with our routers and firewall. Also, our current ISP
> > and the leading contender as a replacement use a lot of Ascend and are
> > very familiar with Ascend.
>
> I'm not sure how much trust I would place in a product from a company that
> thinks checking the 21st byte for source routing information sufficiently
> blocks loose and strict source routing. From my perspective, it looks like
> a cheap pix knockoff, although my view may be horribly tainted.
>

From owner-firewalls-list Wed Oct 1 05:44:24 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA10552; Tue, 30 Sep 1997 07:14:07 -0700 (PDT)
Received: from emout14.mail.aol.com (emout14.mx.aol.com [198.81.11.40]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id HAA10545 for ; Tue, 30 Sep 1997 07:14:00 -0700 (PDT)
From: Dsmgmt@aol.com
Received: (from root@localhost) by emout14.mail.aol.com (8.7.6/8.7.3/AOL-2.0.0) id KAA26926 for firewalls@greatcircle.com('firewalls@greatcircle.com'); Tue, 30 Sep 1997 10:14:33 -0400 (EDT)
Date: Tue, 30 Sep 1997 10:14:33 -0400 (EDT)
Message-ID: <970930101322_71048934@emout14.mail.aol.com>
To: firewalls@greatcircle.com ('firewalls@greatcircle.com')
Subject: no subject
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

remove

From owner-firewalls-list Wed Oct 1 05:53:43 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA10758; Tue, 30 Sep 1997 07:15:40 -0700 (PDT)
Received: from relay.rv.tis.com (relay.rv.tis.com [204.254.155.2]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id HAA10723 for ; Tue, 30 Sep 1997 07:15:31 -0700 (PDT)
Received: by relay.rv.tis.com; id KAA16908; Tue, 30 Sep 1997 10:13:34 -0400 (EDT)
Received: from rubicon.rv.tis.com(10.0.1.144) by relay.rv.tis.com via smap (4.0) id xma016872; Tue, 30 Sep 97 10:13:17 -0400
Received: (from jcp@localhost) by rubicon.rv.tis.com (8.8.5/8.7.3) id KAA01985; Tue, 30 Sep 1997 10:13:00 -0400 (EDT)
From: Jody Patilla
Message-Id: <199709301413.KAA01985@rubicon.rv.tis.com>
Subject: Re: Haystack Stalker
To: tommyling@hotmail.com (tommy ling)
Date: Tue, 30 Sep 1997 10:13:00 -0400 (EDT)
Cc: firewalls@greatcircle.com
In-Reply-To: <19970929062914.5100.qmail@hotmail.com> from "tommy ling" at Sep 28, 97 11:29:13 pm
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Isn't Haystack bundled on Checkpoint's firewall? Based on below post
> I found on the Unix sysadmin mailing list, I wonder how much Haystack's
> technology is providing value. I remember seeing some posts about
> Haystack on firewall mailing list and wanted to see if anyone knew if
> Webstalker would slow down the firewall. Does Checkpoint come with
> Haystack enabled?

In case you missed it, the posting which you attached was written by the director of business development at Wheelgroup, which has a competing product, NetRanger. You may want to weigh his comments with a grain of salt, and see what kind of information you can get from independent sources.

- jcp

> From: Paul Di Bello
> Subject: Haystack review
> ------------------------------------------------------------------------

--
=========================================================================
Jody C. Patilla                                          jcp@tis.com
Trusted Information Systems                              Rockville, Md.

From owner-firewalls-list Wed Oct 1 07:10:26 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA14944; Tue, 30 Sep 1997 07:41:09 -0700 (PDT)
Received: from stjohns.se.highway1.com (stjohns.se.highway1.com [24.129.0.68]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id HAA14934 for ; Tue, 30 Sep 1997 07:41:02 -0700 (PDT)
Received: from sroberts.acr2000.com ([12.8.110.200]) by stjohns.se.highway1.com (Netscape Mail Server v2.02) with SMTP id AAA27159 for ; Tue, 30 Sep 1997 10:41:37 -0400
Received: by localhost with Microsoft MAPI; Tue, 30 Sep 1997 10:41:35 -0400
Message-ID: <01BCCD8D.6C57AFA0.scottrob@mediaone.net>
From: Scott Roberts
Reply-To: "scottrob@mediaone.net"
To: "Firewalls (E-mail)"
Subject: Which Firewall?
Date: Tue, 30 Sep 1997 10:41:33 -0400
Organization: Roberts' Keyboard Connection
X-Mailer: Microsoft Internet E-mail/MAPI - 8.0.0.4211
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am currently running 2 LANs that are connected with AT&T frame relay service (AWICS). I have access from this frame relay direct to the internet. I want to put a firewall at each location that will allow traffic to flow freely to each location and to the internet. I want to block all traffic from the internet back into our network.

Here are the other details and exceptions to what I have just said...

1) I want to allow certain traffic back in from the internet.
2) I want to be able to view/print reports that will tell me who from the inside has accessed the internet and for how long.
3) I need a firewall that is easily maintained remotely. I need to be able to get information and make changes to the firewall from 3000 miles away.

Any help I can get on this would be very much appreciated.
----------
Scott Roberts
ScottRob@mediaone.net

From owner-firewalls-list Wed Oct 1 07:55:18 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA12106; Tue, 30 Sep 1997 07:23:54 -0700 (PDT)
Received: from calamari.Progressive-Systems.Com (calamari.Progressive-Systems.Com [209.41.220.16]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id GAA28439 for ; Tue, 30 Sep 1997 06:16:12 -0700 (PDT)
Received: from Progressive-Systems.com (alex@overkill.Progressive-Systems.Com [209.41.220.250]) by calamari.Progressive-Systems.Com (8.7.5/8.7.3) with ESMTP id JAA16344; Tue, 30 Sep 1997 09:10:34 -0400 (EDT)
Message-ID: <3430FB16.484088B8@Progressive-Systems.com>
Date: Tue, 30 Sep 1997 09:13:58 -0400
From: Alex Hutton
X-Mailer: Mozilla 4.03 [en] (WinNT; I)
MIME-Version: 1.0
To: Brian Mitchell
CC: "Cline, Robert" , firewalls@GreatCircle.COM, brian@firehouse.net
Subject: Re: Ascend's Secure Access Firewall
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Seeing as the Ascend product evolved from the Morning Star product, I doubt it is a PIX knock-off.

Brian Mitchell wrote:
>
> On Mon, 29 Sep 1997, Cline, Robert wrote:
>
> > I've been considering using Ascend's Secure Access Firewall. There are
> > two main reasons: we are seriously considering using their routers no
> > matter which firewall we use, and it would be MUCH less expensive to use
> > their firewalls (assuming of course, we use their routers) than any
> > other firewall I've seen. Everything I've read about SAF seems to be
> > very much like what I've read about the other products. It seems to be a
> > solid, modern, commercial product. We would lose some flexibility
> > (pretty much only works with Ascend), but we would gain lower cost and a
> > same-vendor match with our routers and firewall. Also, our current ISP
> > and the leading contender as a replacement use a lot of Ascend and are
> > very familiar with Ascend.
>
> I'm not sure how much trust I would place in a product from a company that
> thinks checking the 21st byte for source routing information sufficiently
> blocks loose and strict source routing. From my perspective, it looks like
> a cheap pix knockoff, although my view may be horribly tainted.

From owner-firewalls-list Wed Oct 1 07:57:11 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA13650; Tue, 30 Sep 1997 07:33:25 -0700 (PDT)
Received: from brussels.cisco.com (brussels.cisco.com [171.68.129.238]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id HAA13614 for ; Tue, 30 Sep 1997 07:33:14 -0700 (PDT)
Received: from cons-evyncke.cisco.com (brussels-ppp2.cisco.com [171.68.146.23]) by brussels.cisco.com (8.8.5/8.8.5) with SMTP id QAA02674; Tue, 30 Sep 1997 16:32:18 +0200 (METDST)
Message-Id: <3.0.3.32.19970930161540.006d34a8@brussels.cisco.com>
X-Sender: evyncke@brussels.cisco.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Tue, 30 Sep 1997 16:15:40 +0000
To: Anna Grieve , "'firewalls@GreatCircle.COM'"
From: Eric Vyncke
Subject: Re: Does Winframe need a firewall?
In-Reply-To: <3.0.3.16.19970926010747.0a6f20bc@mail-hub>
References: <3BFE2589D330D111AE87006008062DE45912@EXCHANGE2>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>At 12:46 PM 9/25/97 +0100, Anna Grieve wrote:
>>Interested to hear that you have got Winframe working through your
>>firewall. We can access the server on the local LAN via dial-up with no
>>problems, but access through the firewall is denied.
>>
>>I understand that we need to open the port 1494 for ICA traffic, but
>>this still doesn't work. We're not keen on putting the server completely
>>outside the firewall, so have you got any suggestions?
I would suggest an alternative design: put the Winframe server in your DMZ (i.e. BEFORE the firewall). With this alternative design, even if the Winframe server is cracked for any reason (you can roughly protect it with NT and/or with the access/serial router) then you lose nearly nothing.

With your design, if the Winframe server is cracked (the firewall does not add a lot of further security except if you are using some authentication on the firewall), then the cracker has a much broader access to your NT network inside.

Of course, the alternate design may be unsafe IFF your secrets (e.g. files, ...) are stored ON the Winframe server.

Any comments ?

-eric

Eric Vyncke
Technical Consultant
Cisco Systems Belgium SA/NV
Phone: +32-2-778.4677
Fax: +32-2-778.4300
E-mail: evyncke@cisco.com
Mobile: +32-75-312.458

From owner-firewalls-list Wed Oct 1 07:59:27 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA11074; Tue, 30 Sep 1997 07:17:36 -0700 (PDT)
Received: from orion.science-computing.de (orion.science-computing.de [193.197.16.2]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id HAA11004 for ; Tue, 30 Sep 1997 07:17:16 -0700 (PDT)
Received: from idefix.science-computing.de (idefix.science-computing.de [10.148.25.2]) by orion.science-computing.de (8.6.10/s+c 1.3) with ESMTP id QAA27660 for <@orion.science-computing.de:firewalls@GreatCircle.COM>; Tue, 30 Sep 1997 16:17:54 +0200
Received: from localhost (ralf@localhost) by idefix.science-computing.de (950413.SGI.8.6.12/950213.SGI.AUTOCF) via SMTP id QAA10387 for ; Tue, 30 Sep 1997 16:18:54 +0200
Date: Tue, 30 Sep 1997 16:18:52 +0200 (MES)
From: ralf
To: firewalls@GreatCircle.COM
Subject: A question about x-gw
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi there,

hopefully, someone can give me a hint how to configure/modify x-gw from the TIS fwtk to support the following firewall configuration:

    Linux with masquerading and TIS firewall toolkit

                      +----------------+
                      |                |
                      |     tn-gw      |
                      |     ftp-gw     |
                      |                |
                      |     x-gw       |
                      |                |
      10.xx.yy.zz     |                |     external-ip --> ISDN
    ------------ eth0 |          isdn0 | ------------------------
                      |                |
                      +----------------+
          |
    +---+---+----+

We want to be able to telnet to some host reachable via external-ip; this works fine in the current setup, no problem.

Further we'd like to display X applications from some host on external-ip on our display on internal-ip. The tn-gw from TIS fwtk supports this with the "x-gw" command, but when using it, the proposed variable DISPLAY is "internal-ip:10", which is not reachable from "external-ip" because they don't know about our internal IP addresses (which actually are 10.xxx :-).

So the question is: how can we get x-gw to generate the variable DISPLAY "external-ip:10" and to listen to the proper socket on the proper "external-ip" interface?

Maybe there is no way because the "x-gw" command is given before the "connect" command, so how should x-gw know about the destination of the "connect" command?

Any hints are appreciated,

TIA, Ralf

---------------------------------------------------------------------------
Dr. Ralf Allrutz          | email: R.Allrutz@science-computing.de
science+computing gmbh    | phone: +49 7071 9457-26
Hagellocherweg 71         | fax:   -27
D-72070 Tuebingen         | venus: how to manage a heterogeneous UNIX-cluster
PGP Key fingerprint = FB 97 58 43 5F D9 A4 B6  F2 BA 3D 4E 77 E2 C6 33
---------------------------------------------------------------------------
% fatal system error: ran out of coffee - user halted

From owner-firewalls-list Wed Oct 1 08:45:55 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA11628; Tue, 30 Sep 1997 07:20:21 -0700 (PDT)
Received: from mail.the-wire.com (mail.the-wire.com [198.53.192.5]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id FAA22880 for ; Tue, 30 Sep 1997 05:50:19 -0700 (PDT)
Received: from psyche.the-wire.com (psyche [198.53.192.2]) by mail.the-wire.com (8.8.7/8.8.7) with ESMTP id IAA04682; Tue, 30 Sep 1997 08:48:09 -0400 (EDT)
Received: from anton.the-wire.com (anton.the-wire.com [205.206.32.227]) by psyche.the-wire.com (8.8.6/8.8.7) with SMTP id IAA18765; Tue, 30 Sep 1997 08:48:43 -0400 (EDT)
Message-Id: <3.0.32.19970930083232.0079c4d0@mail.the-wire.com>
X-Sender: anton@mail.the-wire.com
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Tue, 30 Sep 1997 08:49:56 -0400
To: "Magossa'nyi A'rpa'd" , Colin Campbell
From: Anton J Aylward
Subject: Re: Blocking spam mail (was: about sendmail security)
Cc: Kristian =?iso-8859-1?Q?K=F6hntopp?= , firewalls@GreatCircle.COM
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 11:39 AM 28/09/97 +0100, Magossa'nyi A'rpa'd wrote:
>Anyway I can't think of many situations when I would _need_ a secondary MX.

OUCH! This is a sign of something, but I'm too old and wizened to remember what.

Tell me again, Virginia, why in days of old did we all go to great lengths to make sure we had DNS and MX secondaries which were not only off site, but on a different network branch?
Why did I go to such lengths to make sure they were on different tectonic plates and strike zones?

/anton

## Reply End ##

--------------------------------------------------------------------------
Anton J Aylward                  | Nothing is more difficult to carry out,
The Strahn & Strachan Group Inc  | nor more doubtful of success, nor more
Information Security Consultants | dangerous to handle, than to initiate a
Voice: (416) 494-8661            | new order of things." ---- Machiavelli
Fax:   (416) 494-8803            |

From owner-firewalls-list Wed Oct 1 08:45:59 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA18184; Tue, 30 Sep 1997 08:03:05 -0700 (PDT)
Received: from ganymede.frii.com (ganymede.frii.com [208.146.240.5]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id IAA18168 for ; Tue, 30 Sep 1997 08:02:57 -0700 (PDT)
Received: from ora40.int.amrion.com (bou-0440.ppp.frii.com [208.146.244.232]) by ganymede.frii.com (8.8.5/8.8.4) with SMTP id JAA00878 for ; Tue, 30 Sep 1997 09:03:50 -0600 (MDT)
Message-Id: <3.0.1.32.19970930090327.00718ea4@mail.frii.com>
X-Sender: grat@mail.frii.com
X-Mailer: Windows Eudora Pro Version 3.0.1 (32)
Date: Tue, 30 Sep 1997 09:03:27 -0600
To: "'Firewalls@GreatCircle.COM'"
From: "Franklin R. Jones"
Subject: Re: Solaris v. NT Performance (FW-1)
In-Reply-To: <199709281300.JAA21654@kryten.frb.gov>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 09:00 AM 9/28/97 -0400, Jonathan M. Bresler wrote:
>
>>I appreciate Checkpoint putting up the NT vs. Solaris comparison, but
>>maybe someone could compare NT versus Solaris x86? Who out there
>>believes a P200 even comes close to the performance (or cost) of an
>>Ultra II? Don't get me wrong, I advocate UNIX for firewalls whenever
>>possible, but a fair comparison would be nice.
>
> UltraSparc vs Pentium Pro?
>
> the result might surprise you.....firewalls and operating systems
>are integer code. a pentium pro 200MHz outperforms an Ultra 248MHz until
>the data set size exceeds 256kB, then the larger cache of the Ultra
>predominates. a pentiumII outperforms an Ultra 248MHz.
>
> but don't take my word for it.....run the *hardware* benchmarks yourself.
>http://www.scl.ameslab.gov/scl/HINT/HINT.html. the database there does not
>have Ultra results so you'll have to run the test yourself, or ask me to
>mail you the results.
>
> in floating point the Ultra 248MHz outperforms intel cpu's across the
>board.

I think the original request is still the most valid question. There is more involved here than pure processor speed. The overall system environment is more of a factor in this case than just the processor. All of the processing that matters in firewalls deals with I/O. What happens outside the processor chip is of more importance, as the problem only exacerbates if it up to snuff. If the system is deficient in its internal bus (mother board) transfer rates, memory access, process exchange and even file I/O, it really doesn't matter how fast the processor is if the rest of the system can't keep up (you can even have the same type disk/controller but if the internal bus and DMA transfer methods aren't up to speed it doesn't compare). This is the area (in my experience) where one OS functions better than another. An OS has to be multi-tasking to handle all the OS maintenance stuff too, not just real-time benchmarks.

You can put a Ferrari engine in a Miata. That doesn't make them comparable.

fj..
From owner-firewalls-list Wed Oct 1 09:44:32 1997
From: Peter da Silva
To: jmb@FRB.GOV (Jonathan M. Bresler)
Cc: gadams@ccscns.com, Firewalls@GreatCircle.COM
Date: Tue, 30 Sep 1997 12:48:24 -0500 (CDT)
Subject: Re: Solaris v. NT Performance (FW-1)
Message-Id: <9709301748.AA26551@baileynm.com>
In-Reply-To: <199709281300.JAA21654@kryten.frb.gov> from "Jonathan M. Bresler" at Sep 28, 97 09:00:09 am

> UltraSparc vs Pentium Pro?

More: Sun's latest descendant of SBUS versus PCI.
From owner-firewalls-list Wed Oct 1 10:02:24 1997
From: "Schlueter, Ian"
To: firewalls-digest@GreatCircle.COM
Date: Tue, 30 Sep 1997 09:28:09 -0700
Subject: High Availability between two HPUX 10.20 FW1 machines
Message-Id: <714D6BA7BBF1D0118A510060B0673BD31D4880@az101-nt-msx2.avnet.com>

I am attempting to utilize the synchronization capabilities of FW1 ver 3.0b to implement "high availability" and I am running into a problem.

I have two HPUX C100's configured identically. Installed are a total of four network interfaces in each:

  Interface 1: to the Internet
  Interface 2: to the intranet
  Interface 3: to the DMZ
  Interface 4: to the "firewall sync network"

The firewall sync network only has the two firewalls on it; I am using a non-Internet-routable "test" range to address that segment. The firewalls each have an entry in the /etc/fw/conf/sync.conf file pointing to their counterpart.

Here is the problem: I am continuously seeing a "Got Connection from firewall-1" and then immediately seeing an "End Connection from firewall-1". These messages appear simultaneously on both firewall consoles. Logs appear to be shared, but state tables only seem to be shared part of the time.
Checkpoint suggested that if the two machines' system clocks were more than 5 seconds out of synchronization, that could cause this problem. We set the clocks to the same time and tested; still no luck. We even installed ntp between them and it did not change the results.

Anyone have any ideas?

- - -/ W. Ian Schlueter                          ian.schlueter@avnet.com
- - /  Project Manager, Global Internet/intranet support
- -/   Avnet, Inc.  Chandler, AZ
- /    (602) 940-5977

From owner-firewalls-list Wed Oct 1 10:14:39 1997
From: Dave Crocker
To: Russ
Cc: "'Ned Freed'", firewalls@GreatCircle.COM
Date: Tue, 30 Sep 1997 09:10:49 -0400
Subject: RE: SMTP VRFY (was: Microsoft vs The world)
Message-Id: <3.0.3.32.19970930091049.031c3000@ng.netgate.net>
In-Reply-To: <61B80F9FF411D1118DEF0000E8D5C6670439C9@ns.ntadvice.com>

At 01:56 AM 9/28/97 -0400, Russ wrote:
>First of all, let me remind you that RFC1123 specifically denotes rules
>for INTERNET servers, not SMTP servers in general. It does state that
>servers that are not exposed to the Internet may have their own rules.

The primary purpose of language like that is to leave the door open for later profiles which deal with the difference between intranet/internet behavior.
Note that it is NOT blanket permission to do whatever one wants, since ultimately what matters is interoperability in multi-vendor environments. Any one vendor making changes on their own creates non-interoperability.

d/

--------------------
Dave Crocker                                    +1 408 246 8253
Brandenburg Consulting                     fax: +1 408 249 6205
675 Spruce Dr.                         dcrocker@brandenburg.com
Sunnyvale, CA 94086 USA             http://www.brandenburg.com

Internet Mail Consortium            info@imc.org, http://www.imc.org

From owner-firewalls-list Wed Oct 1 10:25:10 1997
From: dmurphy@cwa.com (Dan Murphy x286)
To: jsdy@cospo.osis.gov, trott@remus.rutgers.edu
Cc: Firewalls@GreatCircle.COM
Date: Tue, 30 Sep 1997 12:06:03 -0700
Subject: Re: snmp broadcasts
Message-Id: <199709301906.MAA11028@hilo.cwa.com>

> > On Mon, 22 Sep 1997, Joseph S. D. Yao wrote:
> >
> > > As your subject line notes, 161 == SNMP - Simple Network Management
> > > Protocol. These machines may be trying to update their Network
> > > Neighbourhoods?
> >
> > Is it generally safe to ignore snmp broadcast packets on your internal
> > network?
> >
> > > As for why some and not others ... are they all the same version of MS
> > > Winlose 95?
> >
> > Probably not...time to do an inventory...
>

The source of the SNMP PDUs is likely an HP printer driver installed under Win95 that is attempting to auto-discover reachable HP network printers by broadcasting SNMP 'get' requests and listening for responses. Check in the Win95 Printer Manager for HP printers installed as network resources...

+-------------------------------------------------------------------+
| Dan Murphy, CWA Communication Products   | email: dmurphy@cwa.com |
| 401 Alberto Way, Los Gatos, CA 95032     | voice: 408-358-1529    |
| (Nihon-go wa mada jouzo ja arimasen.)    | faxen: 408-356-7061    |
+-------------------------------------------------------------------+

From owner-firewalls-list Wed Oct 1 10:25:57 1997
From: "steven.j.schulze"
To: firewalls-digest
Date: 30 Sep 97 9:46:09
Subject: Question
Message-Id: <9709301816.AA1039@notes2.compuserve.com>

I have a client who is running VLANs on Cisco switches, mostly for convenience and flexibility reasons. This client is wondering if any level of security is achieved due to this "virtual" network segmentation. I realize that VLANs are not firewalls, strong encryption+authentication, etc.
However, to achieve separation and prevent snooping / interception, do the VLANs in effect take each node out of each other's "Collision Domain" (to use the Ethernet term)? Assume the worst: competing clients on the network, with NICs in promiscuous mode (trivial to do today). What would that PC / Unix box see?

Related question: does anyone have any hands-on experience with products like McAfee NetCrypto for local network encryption?

I realize that security must be looked at holistically (must look at the threat, what are you trying to protect, etc.), and realize that I have not laid out the entire environment. Suffice it to say, though, that there are a minimum of 5 security "domains" in this office environment that require separation in the same or nearby physical area... an application multi-homed firewall can do a great job of separating these domains by interface and appropriate rulesets applied, but if you don't have LAN separation, forget about firewalls and threats from the Internet.

Any thoughts appreciated,

Steven Schulze
Andersen Consulting
steven.j.schulze@ac.com

From owner-firewalls-list Wed Oct 1 10:28:36 1997
From: Peter da Silva
To: mje@intersec.com (Mike Endrizzi)
Cc: firewalls@greatcircle.com
Date: Tue, 30 Sep 1997 15:10:23 -0500 (CDT)
Subject: Re: VPNs and PPTP
Message-Id: <9709302010.AA19076@baileynm.com>
In-Reply-To: <19970831140318880.AAB254@polenta.intersec.com> from "Mike Endrizzi" at Aug 30, 97 09:06:41 pm

> 1) weak authentication
> 2) slower
> 3) bitch to install and figure out routing
> 4) GRE doesn't pass through all firewalls
> 5) precious little debug information

6) uses existing NT RAS administrative model
7) no support for non-MS based servers and clients.
8) black box implementation
9) Extra hardware if you're not currently running NT server. NT server isn't cheap.
10) uses existing user database
11) no key mgt
12) transports IPX and native NETBEUI

From owner-firewalls-list Wed Oct 1 12:08:36 1997
From: Stephen McLarey
Organization: ON Technology - Cambridge
To: trott@remus.rutgers.edu (Richard Trott)
Cc: firewalls@greatcircle.com (Firewall list)
Date: Tue, 30 Sep 1997 17:14:00 -0400
Subject: Re: snmp broadcasts
Message-ID: <98E79E3801D40000@c2smtp.on.com>

======== Original Message ========
On Mon, 22 Sep 1997, Joseph S. D. Yao wrote:

> As your subject line notes, 161 == SNMP - Simple Network Management
> Protocol. These machines may be trying to update their Network
> Neighbourhoods?

Is it generally safe to ignore snmp broadcast packets on your internal network?

> As for why some and not others ... are they all the same version of MS
> Winlose 95?

Probably not...time to do an inventory...

Richard Trott
trott@remus.rutgers.edu

======== Fwd by: Stephen McLar ========
Very good point. Some versions of Windoze 95 do not answer ARP correctly. As a matter of fact, Novell has an open ticket with Micro$oft concerning this very issue.

From owner-firewalls-list Wed Oct 1 12:32:22 1997
From: Ulrich Böttger
To: "firewalls@GreatCircle.COM"
Date: Wed, 1 Oct 1997 08:52:06 +0100
Message-ID: <01BCCE47.4F8753C0@win95-boettger>

remove

From owner-firewalls-list Wed Oct 1 12:32:18 1997
Message-Id: <199710010005.AAA84426@out1.ibm.net>
From: "Michael "
To:
Date: Wed, 1 Oct 1997 10:09:30 +1000

SUBSCRIBE

From owner-firewalls-list Wed Oct 1 13:40:01 1997
From: Sick Puppy
To: dharris@kcp.com
Cc: firewalls@GreatCircle.com
Date: Tue, 30 Sep 1997 21:19:37 -0400 (EDT)
Subject: Re: Finding a wiretap or NIC card with a TDR
In-Reply-To: <9709301312.AA28757@maestro.Maestro.COM>

> apologies.
> Doesn't TDR *require* actively creating a pulse so you can measure its
> reflection?

Yes it does. You need physical access. TRW equipment shows up real good.
SP, tCED

From owner-firewalls-list Wed Oct 1 13:41:48 1997
From: Bernd Eckenfels
To: Marco Tarquini
Cc: Firewalls@GreatCircle.COM
Date: Wed, 1 Oct 1997 03:16:55 +0200
Subject: Re: Netbeui and SSH
References: <199709251551.RAA18347@dns.ermes.it>
In-Reply-To: <199709251551.RAA18347@dns.ermes.it>; from Marco Tarquini on Thu, Sep 25, 1997 at 05:48:52PM +0200

Hello,

browsing in subnets without a broadcast connection is possible if you use a WINS Server. You can use MS WINS Server or SAMBA's.

Greetings
Bernd

On Sep 25, Marco Tarquini wrote
> I've a problem setting up an sshd encrypted tunnel between two Win95 lan:
> netbeui broadcast doesn't work correctly so it's impossible browsing the two
> lan by the graceful Desktop Icon "Network Neighborhood":

-- 
  (OO)      -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de --
 ( .. )  ecki@{inka.de,linux.de,debian.org}  http://home.pages.de/~eckes/
  o--o  *plush*  2048/93600EFD  eckes@irc  +4972573817  BE5-RIPE
(O____O)  If privacy is outlawed only Outlaws have privacy

From owner-firewalls-list Wed Oct 1 13:43:24 1997
From: Bernd Eckenfels
To: Sick Puppy
Cc: Bill Stout, firewalls@GreatCircle.com
Date: Wed, 1 Oct 1997 03:21:05 +0200
Subject: Re: Red Beard's Network Flight Recorder
References: <2.2.32.19970923161132.009aac90@192.168.0.37>
In-Reply-To: from Sick Puppy on Tue, Sep 23, 1997 at 08:51:27PM -0400

> General's CyberCop inside their network, with a firewall device in between
> them, we are, to put it delicately, fucked.

This is the best marketing I have read for a long time on this list. Puppy, your mails are getting sick. :)

Greetings
Bernd

From owner-firewalls-list Wed Oct 1 13:44:57 1997
From: Richard Pouncy
To: Domenico Viggiani
Cc: dcostello@cmol.com, firewalls@GreatCircle.COM
Date: Tue, 30 Sep 1997 18:51:08 -0700 (PDT)
Subject: Re: Public/Private DNS
In-Reply-To: <34224DA9.183FF628@diemme.it>

On Fri, 19 Sep 1997, Domenico Viggiani wrote:

> You have to put internal DNS in so-called 'slave-forwarder'
> configuration.
>
> Add to your internal named.boot file the following lines:
>
> options forward-only
> forwarders
>
> In the same time, configure your external server to use the internal DNS
> (as client) --> Edit /etc/resolv.conf file, if you are on a UNIX box.

Could you give me an example of the entry for the resolv.conf? I understand the normal way to enter a line to have the resolver point to a DNS server, but how do you make it resolve inside names?

Thanks

=-=-=-=-=-=-=-=-=-=-=-= http://www.southcentral.net =-=-=-=-=-=-=-=-=-=-=-=
Richard Pouncy    | rTs Computer Systems/Southcentral Network
prc@rtscomp.com   | P.O. Box 1434
310-342-0454      | Inglewood, CA 90308-1434
=-=-=-=-=-=-=-=- Supporting LA South Central Communities -=-=-=-=-=-=-=-=-=

From owner-firewalls-list Wed Oct 1 14:12:29 1997
From: Joseph Iacovelli
To: Sami Mousa
Cc: Firewalls@GreatCircle.COM
Date: Tue, 30 Sep 1997 21:25:07 -0400
Subject: Re: PIX : big FTP downloads stop a 99%
Message-ID: <3431A673.7CB217D0@earthlink.net>
References: <3.0.32.19970925174450.006adb80@lexicon.ins.com>

Sami,

I don't know the exact command, but you want to have HP-OpenView read the MIB (which is based on the SNMP protocol) on the PIX firewall. All information relevant to the firewall should be in the MIB. If this was a computer, you could have some SNMP agent software relay information by polling or setting thresholds for SNMP traps. If you have anything specific, let me know.

- Joseph

Sami Mousa wrote:
> Hello all,
>
> Can someone tell me the MIB or how to monitor the PIX firewall using HP-OPEN VIEW.
>
> Thanks in advance,
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> ** Sami Mousa, FORE ATM(WAN) Certified                                  **
> ** International Network Services       Office: (908)603-8541 x320      **
> ** Network Systems Engineer             e-mail: sami_mousa@ins.com      **
> ** 120 Wood Ave South                   Pager: (888)896-4064            **
> ** Suite #615                           Fax: (908)548-5630              **
> ** Iselin, New Jersey 08830             www.ins.com                     **
> =============================================================================
> "My statements in this message are personal opinions \
> which may have no basis whatsoever in fact."

-- 
+-----------------------------------------
| Joseph Iacovelli
| Systems Engineer
| http://home.earthlink.net/~wolfboy/
+-----------------------------------------

From owner-firewalls-list Wed Oct 1 15:19:45 1997
From: Tim Basher
To: ahy@ziplink.net (Arthur Young)
Cc: firewalls@GreatCircle.COM
Date: Tue, 30 Sep 97 23:14:24 EDT
Subject: Re: Radius
Message-Id: <199710010314.XAA02982@fox.CES.CWRU.Edu>

> It may not be appropriate for this list, but where can I find out about
> Radius servers?

If you have to ask whether it is appropriate, it isn't appropriate for this list. This list is about firewalls, not general network security, not general virus scanners, and not general network administration. To find out more about the purpose of the list I would recommend reading the message you received when you joined or going to the online information.

  http://www.greatcircle.com/firewalls/

If you have a question, I would first recommend doing a search of the mailing list archives. That is what they are there for. This saves you time and the list a lot of useless repetition.

  http://www.nexial.nl/cgi-bin/firewalls

You should also try doing a search in Yahoo or Altavista or another WWW search engine. Once again, this will save everyone time and grief. Using this you could have quickly found the following URLs:

  http://www.ietf.org/html.charters/radius-charter.html
  http://www.scomm.net/inet-access/
  http://www.cryptocard.com/products.html
  http://www.cyno.com/
  http://www.emerald.iea.com/radius
  http://www.livingston.com/
  http://www.merit.edu/aaa/
  http://www.itrans.com/
  http://www.ascend.com/324.html
  http://www.bsdi.com/products/internet/new-features.mhtml
  http://www.baynetworks.com/Products/Briefs/baysecra.html
  http://www.cisco.com/univercd/data/doc/software/11_2/csecur/2cauthen.htm
  http://www.digital.com/info/SP5619/SP5619SC.TXT
  http://www.gandalf.ca/Whitepaper/security.html
  http://www.novell.com/novellsw/brands.html
  http://www.shiva.com/pacrim/japan/prod/docs/sem/RE0133.HTM
  http://www.telebit.com/Support/Links/index.html
  http://www.xyplex.com/hot/ccradius.html
  http://www.3com.com/carrier/nsd/products/30419.html

From owner-firewalls-list Wed Oct 1 16:40:03 1997
From: David Lang
To: Marco Tarquini
Cc: Firewalls@GreatCircle.COM
Date: Tue, 30 Sep 1997 16:57:16 -0700 (PDT)
Subject: Re: Netbeui and SSH
In-Reply-To: <199709251551.RAA18347@dns.ermes.it>

If you used bridges instead of routers it would work; otherwise you are in trouble, you cannot broadcast between two networks.

David Lang

On Thu, 25 Sep 1997, Marco Tarquini wrote:

> Date: Thu, 25 Sep 1997 17:48:52 +0200
> From: Marco Tarquini
> To: Firewalls@GreatCircle.COM
> Subject: Netbeui and SSH
>
> Hi all!!!
>
> I've a problem setting up an sshd encrypted tunnel between two Win95 lan:
> netbeui broadcast doesn't work correctly so it's impossible browsing the two
> lan by the graceful Desktop Icon "Network Neighborhood":
>
> Well, this is the setup: two Unix machine, under Linux and HP-UX which are
> the endpoint of the tunnel made by sshd.
> They correctly forward IP protocol.
> The Linux box also acts as a WINS server ( SMB ) for Lan B.
>
> So I could summarize all network as:
>
> [ASCII network diagram, garbled in this copy: two ROUTERs joined by a
>  Point-to-Point line; LAN A on one side with several WIN95 workstations,
>  LAN B on the other with WIN95 workstations and the SAMBA SERVER]
>
> And so on ...
>
>
> Well, with the Samba server up and running we can share pretty well all
> network resources but we cannot browse the network: AFAIK I mean it depends
> on Netbeui broadcasting, which should provide resolving workgroup names but
> I dunno how to force Netbeui packets to go through the encrypted tunnel
>
> Any idea???
>
>
> Please, sorry for my english: TIA and I hope You could help me
>
> best regards
>
> Marco
>
> ( P.S.: I read the Firewall list in the Digest fashion: so any direct e-mail
> to me will be very much appreciated )
>
>

From owner-firewalls-list Wed Oct 1 16:40:44 1997
From: Joseph Judge
To: "firewalls@GreatCircle.COM", "'Bob Gerrish'"
Date: Tue, 30 Sep 1997 20:56:08 -0400
Subject: RE: Checkpoint and FWTK 1.2 ftp proxy hangs
Message-ID: <01BCCDE3.482CD820@zandar.judgefamily.org>

Bob -

Some simple tests to isolate the problem would be to try the ftp session *from* the FWTK box directly ... still a problem? (maybe it is ftp-gw) Not? Then it looks like their problem.

Realize that when you do a "pwd" or "cd" you are just communicating over that established control channel.
That is a client -> server connection. But when you wish to do a GET, PUT, DIR or ls, you are actually building a second, data channel between the 2 systems ... or, in your case, not building that second channel :-)

The channel can be client -> server to "grab" the data or could be client <- server to have the data "given" to you. Snooping, watching truss/trace output and watching the network stats on my FWTK box shows that the ftp-gw process gets the client "PORT clientip,clientport" command and tells the remote server side "PORT firewallip,20" ... so the remote server should connect *back* to your FWTK box to give you the data. (I should have just read the source code, I know.)

... my fwtk is 2.0

-- joe

----------
From: Bob Gerrish[SMTP:u-rpg@nta.com]
Sent: Friday, September 26, 1997 10:10 AM
To: firewalls@GreatCircle.COM
Subject: Checkpoint and FWTK 1.2 ftp proxy hangs

I ran into a problem between Firewall Toolkit's ftp-gw proxy server and Checkpoint. One of our trading partners purchased it from a consultant. We were using the ftp-gw proxy from our end to transfer files. Checkpoint was installed on the other end on an NT server. We could still ftp to their system. pwd and cd worked, but the connection hung when we tried to do a get, put or dir. If we connected outside of the firewall, everything worked fine. Of course, according to their consultant, it was our problem and Checkpoint could never possibly have any bugs! We had no problem connecting to/through other firewalls including wrappers and Gauntlet. (They have since had another customer experience the same problem.)

They found that the ftp process was not sending a new line (or perhaps a CR/LF) and they hacked Checkpoint to add it. We found that upgrading to FWTK 2.0 also solved the problem.
The only documented patch to any version of ftp-gw (the patch was for version 1.2) which looked even close was one to "Fixed timeout code in ftp-gw to be more forgiving of systems that decrement the passed timeout value."

They are supposed to call next week when their consultant is in so we can determine which was the actual problem and what actually cured it.

From owner-firewalls-list Wed Oct 1 16:44:20 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA27757; Wed, 1 Oct 1997 02:31:21 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id CAA27717 for ; Wed, 1 Oct 1997 02:30:57 -0700 (PDT)
Received: from gw.kappa.ro by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id CAA15251; Wed, 1 Oct 1997 02:14:32 -0700 (PDT)
Received: from localhost (dunarea@localhost) by gw.kappa.ro (8.8.7/8.7.3) with SMTP id MAA12208 for ; Wed, 1 Oct 1997 12:24:38 -0200
Date: Wed, 1 Oct 1997 12:24:38 -0200 (GMT+2)
From: Dunarea Textil
To: firewalls@GreatCircle.COM
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

remove

From owner-firewalls-list Wed Oct 1 16:59:26 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id UAA22929; Tue, 30 Sep 1997 20:51:11 -0700 (PDT)
Received: from fw.paimail.com ([204.183.2.130]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id SAA15324 for ; Tue, 30 Sep 1997 18:04:00 -0700 (PDT)
Received: (from uucp@localhost) by fw.paimail.com (8.6.12/8.6.9) id TAA06463; Tue, 30 Sep 1997 19:51:58 -0400
Received: from dhcp19.paimail.com(10.0.2.19) by fw.paimail.com via smap (V2.0) id xma006460; Tue, 30 Sep 97 19:51:54 -0400
Message-Id: <3.0.3.32.19970930193043.006c8574@fw.paimail.com>
X-Sender: rick@fw.paimail.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Tue, 30 Sep 1997 19:30:43 -0400
To: Tim Evans
From: Rick Murphy
Subject: Re: Raptor VPN and Port 420
Cc: firewalls@GreatCircle.COM
In-Reply-To: <199709251424.KAA24864@eplrx7.es.dupont.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 10:24 AM 9/25/97 -0400, Tim Evans wrote:
>Raptor's VPN product communicates using port number 420/tcp, protocol
>94 (IP over IP). A Raptor FAQ on the product mentions that some
>ISP's may block this port/protocol.
>
>I expect to be doing battle with one or more ISP's on this
>question. Can anyone tell me why this port might be blocked? And
>provide arguments for enabling it?

It's unlikely that any ISP would get into protocol filtering - their job is to provide connectivity. Firewalls would likely block this, however.

>
>(No religion please; the commitment to Raptor's already been made.)

Sorry, I can't resist a comment - one would think that a company as big as Dupont would be using a secure VPN implementation - single DES (which is what swIPe is) isn't secure enough these days..

-Rick

From owner-firewalls-list Wed Oct 1 17:08:06 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id UAA22956; Tue, 30 Sep 1997 20:51:49 -0700 (PDT)
Received: from paranoia.abm.com.au (abm-3-34.abm.com.au [203.16.203.34]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id UAA22949 for ; Tue, 30 Sep 1997 20:51:37 -0700 (PDT)
Received: (from uucp@localhost) by paranoia.abm.com.au (8.8.3/8.8.3) id OAA19974 for ; Wed, 1 Oct 1997 14:00:13 +1000 (EST)
Received: from euphoria.abm.com.au(203.16.203.130) by paranoia.abm.com.au via smap (V1.3) id sma019972; Wed Oct 1 14:00:08 1997
Received: by euphoria. (SMI-8.6/SMI-SVR4) id NAA18916; Wed, 1 Oct 1997 13:52:43 +1000
Message-Id: <199710010352.NAA18916@euphoria.>
Received: from austlabs.ozemail.com.au(203.108.63.220) by euphoria via smap (V1.3) id sma018912; Wed Oct 1 13:52:28 1997
From: "Jan Zeilinga"
To:
Subject: Firewalls on NT
Date: Wed, 1 Oct 1997 13:46:40 +1000
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1161
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

HI,

Coming from a heavy UNIX background (Solaris, HPUX) I do not fully understand all the services an NT server has. Hence I was wondering, does anyone out there know how to secure an NT server 4.0 (service pack 3) correctly, and could they possibly give me some pointers so as to make this firewall secure. AND most importantly, are there any hidden undocumented features in FW1-3 on NT.

In all the previous NT vs Solaris discussions people have been more concerned with speed rather than which OS provides the better security.
Against my better judgment the customer wants NT to be the OS for the firewall (Check Point 3.0b as the firewall) { {{{{ shiver }}} }

Jan Zeilinga
Unix/Network consultant
abm Australasia Pty Ltd
Tel 613-94159166
Fax 613-94159245

From owner-firewalls-list Wed Oct 1 18:22:59 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id QAA24894; Tue, 30 Sep 1997 16:18:51 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id QAA22759 for ; Tue, 30 Sep 1997 16:09:39 -0700 (PDT)
Received: from mail.the-wire.com by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id QAA08095; Tue, 30 Sep 1997 16:04:04 -0700 (PDT)
Received: from psyche.the-wire.com (psyche [198.53.192.2]) by mail.the-wire.com (8.8.7/8.8.7) with ESMTP id TAA23403; Tue, 30 Sep 1997 19:09:09 -0400 (EDT)
Received: from anton.the-wire.com (anton.the-wire.com [205.206.32.227]) by psyche.the-wire.com (8.8.6/8.8.7) with SMTP id TAA01111; Tue, 30 Sep 1997 19:09:37 -0400 (EDT)
Message-Id: <3.0.32.19970930190330.0096dcc0@mail.the-wire.com>
X-Sender: anton@mail.the-wire.com
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Tue, 30 Sep 1997 19:11:06 -0400
To: Joseph Judge
From: Anton J Aylward
Subject: RE: 10.10.30.30
Cc: "firewalls@GreatCircle.COM"
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 11:03 PM 09/09/97 -0400, you wrote:
## Reply Start ##
>On the packet filters (or routers) in front of the firewall and web lans,
>I usually make sure there is a list of "anti-spoof" rules --- these protect
>from such silliness.

Good. I wish more ISPs did.

>For example, we know 10.0.0.0 is not routed (and 192.168.0.0, etc). I

"is" or "should not be"? Do you actually have a rule which means it's not routed, as opposed to the "default" taking care of it as most do?

>But ... it sounds like an annoyance more than a denial of service.
>So, I imagine some bonehead out there is "leaking" their private
>(reserved) addresses out to the Internet. :-(

Most sites I visit I try a traceroute on these addresses to see what happens. I may have to pick a subnet which isn't being used internally. Mostly it goes out into the internet and round and round for a bit.

The "backbone" providers - we all know who they are - are not doing their jobs with this one. Do they have an excuse? Perhaps "adding these filters degrades throughput". Well, get a router where it doesn't degrade - they exist.

/anton
## Reply End ##
--------------------------------------------------------------------------
Anton J Aylward                  | "Quality refers to the extent to which
The Strahn & Strachan Group Inc  |  processes, products, services, and
Information Security Consultants |  relationships are free from defects,
Voice: (416) 494-8661            |  constraints and items which do not add
Fax:   (416) 494-8803            |  value." - Dr. Mildred G Pryor, 1995

From owner-firewalls-list Wed Oct 1 18:56:37 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA17067; Wed, 1 Oct 1997 05:05:40 -0700 (PDT)
Received: from balch.com (mail.balch.com [205.241.1.36]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id FAA17038 for ; Wed, 1 Oct 1997 05:05:31 -0700 (PDT)
Received: from BALCHBHM-Message_Server by balch.com with Novell_GroupWise; Wed, 01 Oct 1997 07:08:28 -0600
Message-Id:
X-Mailer: Novell GroupWise 4.1
Date: Wed, 01 Oct 1997 07:07:59 -0600
From: BILL LOWRY
Reply-To: blowry@balch.com
To: Firewalls@GreatCircle.COM
Subject: Firewalls-Digest V6 #471 -Reply
Mime-Version: 1.0
Content-Type: text/plain
Content-Disposition: inline
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm sorry, I'll be in class this week. If you need immediate attention, please contact Eric Hunter.
Thanks,
WRL

From owner-firewalls-list Wed Oct 1 18:58:32 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id DAA01382; Wed, 1 Oct 1997 03:00:57 -0700 (PDT)
Received: from mnl.sequel.net ([204.255.104.30]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id CAA00933 for ; Wed, 1 Oct 1997 02:59:05 -0700 (PDT)
Received: from Mind_Ripper by mnl.sequel.net (SMI-8.6/SMI-SVR4) id RAA10166; Wed, 1 Oct 1997 17:50:29 +0800
Message-Id: <3.0.1.32.19971001174904.00ab4290@mnl.sequel.net>
X-Sender: succesor@mnl.sequel.net
X-Mailer: Windows Eudora Light Version 3.0.1 (32)
Date: Wed, 01 Oct 1997 17:49:04
To: drexx@sunphil.mozcom.com (Dexter D. Laggui), firewalls@greatcircle.com, fw-1-mailinglist@us.checkpoint.com
From: Gaddy Gumbao
Subject: FW-1 and Hypercom's NMS protocol
In-Reply-To: <199703202027.MAA08539@sunphil.sunphil.mozcom.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi there,

I would like to register on the mailing list for firewall-1. How can I be enlisted there.
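Joseph Judge's account above of how ftp-gw relays the client's PORT command, together with the unterminated-command hang Bob Gerrish reports, as an added example (not FWTK, ftp-gw or Checkpoint code; the addresses, ports and function names are constructed for illustration):

```python
"""
Model of the FTP active-mode PORT exchange as relayed by an application-level
ftp proxy.  The proxy remembers where the client is listening, then tells the
remote server to connect back to the firewall instead of to the client.
Added example, not ftp-gw source; sample addresses are constructed.
"""
import re
from typing import Tuple

# RFC 959: "PORT h1,h2,h3,h4,p1,p2" terminated by CRLF.
_PORT_LINE = re.compile(
    r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$"
)


def command_complete(buf: str) -> bool:
    """An FTP command is only complete once its CRLF terminator has arrived.
    A server that never sees the terminator keeps waiting for the rest of the
    line, which matches the hang seen when the proxy sent PORT without one."""
    return buf.endswith("\r\n")


def parse_port(line: str) -> Tuple[str, int]:
    """Decode a complete PORT command into (ip, port).
    Raises ValueError for malformed input, including a missing CRLF."""
    m = _PORT_LINE.match(line)
    if m is None:
        raise ValueError(f"malformed or unterminated PORT command: {line!r}")
    fields = [int(f) for f in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"field out of range in PORT command: {line!r}")
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return ip, port


def format_port(ip: str, port: int) -> str:
    """Encode (ip, port) as a PORT command, always CRLF-terminated."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad IPv4 address: {ip!r}")
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    return f"PORT {','.join(octets)},{port // 256},{port % 256}\r\n"


def proxy_rewrite_port(client_line: str, firewall_ip: str,
                       firewall_port: int = 20) -> Tuple[Tuple[str, int], str]:
    """What the proxy does with the client's PORT command.

    Returns (client_listener, line_for_server): the proxy itself will connect
    to client_listener to hand the data over, and sends line_for_server so the
    remote server opens its data connection back to the firewall.  Port 20 as
    the firewall-side default follows what Joseph observed; other proxies may
    pick a different port.
    """
    client_listener = parse_port(client_line)
    return client_listener, format_port(firewall_ip, firewall_port)


if __name__ == "__main__":
    # Constructed exchange: internal client 10.1.2.3 listens on 1234;
    # the firewall's outside address is 198.51.100.1 (documentation range).
    listener, to_server = proxy_rewrite_port("PORT 10,1,2,3,4,210\r\n",
                                             "198.51.100.1")
    print("proxy will connect to client at", listener)
    print("proxy sends server:", to_server.rstrip())
    # The failure mode: the same command without its terminator never parses.
    print("unterminated command complete?",
          command_complete("PORT 10,1,2,3,4,210"))
```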
From owner-firewalls-list Wed Oct 1 19:04:18 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id SAA23087; Tue, 30 Sep 1997 18:41:24 -0700 (PDT)
Received: from relay2.UU.NET (relay2.UU.NET [192.48.96.7]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id SAA23080 for ; Tue, 30 Sep 1997 18:41:15 -0700 (PDT)
Received: from maestro.Maestro.COM by relay2.UU.NET with SMTP (peer crosschecked as: [198.102.66.11]) id QQdjhu08309; Tue, 30 Sep 1997 21:42:20 -0400 (EDT)
Received: from localhost by maestro.Maestro.COM (4.1/MAESTRO-0.1/07-03-93) id AA08972; Tue, 30 Sep 97 21:40:36 EDT
Date: Tue, 30 Sep 1997 21:40:36 -0400 (EDT)
From: Sick Puppy
To: Bernd Eckenfels
Cc: Bill Stout, firewalls@GreatCircle.com
Subject: Re: Red Beard's Network Flight Recorder
In-Reply-To:
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 1 Oct 1997, Bernd Eckenfels wrote:
> > General's CyberCop inside their network, with a firewall device in between
> > them, we are, to put it delicately, fucked.
>
> This is the best marketing I have read for a long time on this list. Puppy,
> your mails getting sick. :)
>

There needs to be a clarification here. This isn't marketing. It's a warning to the other d00dz that read this list. alt.2600 is full of kids and wannabes. The kewl d00dz read this list.

I have mucked about with Red Beard's code and hit his Gauntlet code pretty hard. He would make a first class cracker, so I have respect for his intellect. I have respect for Network General too. I am just better at what they do than they are.

If anybody tries to convince you that Sick Puppy is marketing anything, then that person has his head firmly embedded in his ass. Sorry for going off topic, but I am not associated with anyone selling anything and I believe there is a real need for independent academic research.

SP, tCED

From owner-firewalls-list Wed Oct 1 19:05:27 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id EAA09437; Wed, 1 Oct 1997 04:04:01 -0700 (PDT)
Received: from smtp3.erols.com (smtp3.erols.com [205.252.116.103]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id EAA09403 for ; Wed, 1 Oct 1997 04:03:44 -0700 (PDT)
Received: from farroyo39.geologics.com (spg-as53s24.erols.com [207.172.99.215]) by smtp3.erols.com (8.8.6/8.8.5) with SMTP id HAA14070 for ; Wed, 1 Oct 1997 07:04:29 -0400
Received: by farroyo39.geologics.com with Microsoft Mail id <01BCCE2F.344A4A80@farroyo39.geologics.com>; Wed, 1 Oct 1997 05:59:39 -0400
Message-ID: <01BCCE2F.344A4A80@farroyo39.geologics.com>
From: Chris Inskeep
To: "'Firewalls@GreatCircle.COM'"
Subject: Williamsburg Security Seminar
Date: Wed, 1 Oct 1997 05:58:49 -0400
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

My boss is hosting an information security seminar, Practical Security for Sensitive Systems, in Williamsburg, Virginia the week of 27 - 31 November. I mention this here because I frequently see requests from novices for inexpensive training (this is a week for $300, and you get fed! (I also have some scholarships for students.) Which is a pretty good deal if you're already in the mid-Atlantic region (the same week, NCSA's firewall seminar is equally good if you're on the West coast.)) 22 presentations (roughly 30% of the total) deal specifically with firewalls and/or network security.

Just so this message isn't totally spam, if you can't attend the seminar, a limited number of copies (300 or so) of the proceedings will be available (free) the first week of November. They will be in the form of PowerPoint presentations on diskettes. The copies will go out by snail mail, so I'll need a mailing address.

If you're interested in the seminar, return this message and I'll send you the full agenda.
If you want a copy of the proceedings, return this message with your mailing address.

An extract of the agenda detailing the firewall and network security specific presentations is below.

Practical Security for Sensitive Systems
Ramada Inn and Conference Center, Williamsburg, Virginia
27 - 31 October 1997

Novice training, Monday and Tuesday 27 - 28 October

Management Track: Information Security for Managers. (full day)
A workshop will be provided to acquaint managers and others with the basics of information security. This workshop is intended to lay a foundation for seminar attendance by providing a working vocabulary and familiarity with the essential concepts of information protection.

Management Track: Information Risk Management for Managers. (full day)
A workshop will be provided to acquaint managers and others with the basics of information risk management. This workshop is intended to lay a foundation for seminar attendance by providing a working vocabulary and familiarity with the essential concepts of information risk management.

Seminar presentations, Wednesday, Thursday, and Friday 29 - 31 October

Wednesday, 29 October

1:00  Standard Firewall/Web Server Vulnerabilities
      Presenter: Jay Heiser, Director, Internet Product Development, HomeCom Communications
      This presentation will discuss the results of the compilation of findings from a large number of commercial network security analyses in the area of firewall and web server vulnerability.

1:45  Considerations in Selecting An Operating System for a Firewall/Web Server
      Presenter: Sammy Migues, Chief Scientist, HomeCom Communications
      This presentation will discuss the considerations and tradeoffs associated with operational vulnerabilities when selecting an operating system for a firewall or web server.

Thursday, 30 October 1997

Information Security Presentations

11:00 Top 12 Lessons Learned from Hacker Attacks
      Presenter: Mark Boster, Department of Justice
      This presentation will discuss lessons learned from a number of hacker attacks.

1:00  The Betty Cracker Story
      Presenter: Steven Manning, Principal, CSTACK Inc.
      This presentation will discuss a case study of a complex hacker attack.

1:45  Sniffer-Safe Networks, Experience From a Recent Incident
      Presenter: Peter Bivesand, Linkoping University, Sweden
      This presentation will discuss lessons learned by a Swedish Computer Emergency Response Team from a recent hacker incident.

3:00  The National Finance Center's Certification Authority and the Use of Digital Signature
      Presenter: Kathy Sharp, National Finance Center, USDA
      This presentation will discuss activities related to implementation of a certificate authority and the use of digital signature within the USDA.

3:45  Practical Implementation of Secure Socket Layer in a Managed Products Environment
      Presenter: Trevor Ramsaran, L3 Communications
      This presentation will discuss L3's efforts to manage their product development and associated data electronically. This case study addresses the various security technology options L3 analyzed in implementing their Product Data Management initiative.

Track 2: Information Security Best Practices

9:00  A Primer for Firewall Administration for a Secure Network
      Presenter: Stu Thomas, National Finance Center, USDA
      This presentation will discuss recommended best practices related to the management of firewalls based on NFC's experiences.

9:45  Anatomy of a Hack
      Presenter: Don Creamer, QuesTech
      This presentation will discuss typical hacking techniques and the types of vulnerabilities that hackers look for. Methods of decreasing your chances of being hacked will be presented.

11:00 So You Think You're Secure? (Security Holes in Relatively Secure Networks)
      Presenter: Kathie Brady, QuesTech
      This panel will discuss QuesTech's assessment of re-occurring security holes on relatively secure networks while performing Vulnerability Assessments and Penetration Analyses of commercial and Government networks. QuesTech will present typical vulnerabilities found on relatively secure networks and methods of correcting these vulnerabilities without significantly affecting the operation of the network.

1:00  She Said/He Said: Tales From the Trenches
      Presenter: Char Sample and Mark Teicher, Price Waterhouse LLP
      This tutorial addresses real life firewall integration experience gained in the implementation of over 250 firewalls as seen through the eyes of the presenters. Both presenters have noticed that certain problems have made the installation process for many sites a difficult experience. Additionally the presenters have noticed that many problems have a way of exhibiting behavior that causes the administrator to look for solutions in places other than the source. For example: DNS causing administrators to look for network or routing problems.

1:45  Firewall Secure Installation
      Presenter: Michael McEvilley, Mitretek
      This presentation will discuss Mitretek's experiences gained when implementing an in-house firewall. This includes resolution of requirements through collaboration with the vendor, implementation of the ruleset, re-location of existing network services, and operational issues.

3:00  Public Key Infrastructure
      Presenter: Bill Bialick, Spyrus Technologies
      This presentation will discuss the concept and reality of Public Key Infrastructure as a foundation for next generation encryption.

Friday, 31 October 1997

Information Security Presentations

Track 1: Security Technology

9:00  Understanding Centralized Audit
      Presenter: Paul Proctor, Science Applications International Corp.
      This presentation will discuss technology to enable implementation of individual accountability in a client/server network environment.

9:45  Understanding Unitary Logon
      Presenter: Tom McHale, Platinum Technology
      This presentation will provide an overview of unitary logon technology, enabling users in a network to securely gain access to network resources with a single password and no danger of masquerading.

11:00 Remote Authentication Technology
      Presenter: Chris Kosting, Science Applications International Corp.
      This presentation will discuss available remote authentication technology to securely enable individuals access to remote information resources without danger of compromise or masquerading.

Track 2: Firewalls

9:00  Firewall Basics, Part 1
      Presenter: Chris Kosting, Science Applications International Corp.
      This presentation is the first of a two part tutorial explaining the basics of firewall technology.

9:45  Firewall Basics, Part 2
      Presenter: Chris Kosting, Science Applications International Corp.
      This presentation is the second of a two part tutorial explaining the basics of firewall technology.

11:00 Network Architectures for Firewalls
      Presenter: To be named, DSA Systems, Inc.
      This presentation will discuss network architecture options when implementing a firewall.

1:00  Use of Firewalls with Other Countermeasures
      Presenter: Joachim (Vic) Winkler, SUN Microsystems
      This presentation will discuss the use of multiple countermeasures to achieve a layered protection scheme.

Track 3: Panel Discussions

9:00  Emerging Security Technologies
      Moderator: Chris Inskeep, Senior Security Engineer, GeoLogics Corp.
      This panel will consist of a series of presentations from vendors related to products and technology to be available in 1998 and 1999. There will also be a group discussion on the general direction of security technology.

1:00  Available and Next Generation Firewall Technology
      Moderator: Ken Alonge, Director of Information Security, GeoLogics Corporation
      This panel will discuss issues related to the integration of security products into a cohesive, secure environment.

From owner-firewalls-list Wed Oct 1 19:06:58 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA26930; Wed, 1 Oct 1997 06:03:00 -0700 (PDT)
Received: from csc.com (explorer.csc.com [20.1.10.27]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id GAA26894 for ; Wed, 1 Oct 1997 06:02:41 -0700 (PDT)
Received: from csc.com by csc.com via smtpd with smtp id for ; Wed, 1 Oct 97 09:03 EDT (/\oo/\ Smail3.1.29.1 #29.9 built 21-apr-97)
Message-ID: <34324A41.B262FC86@csc.com>
Date: Wed, 01 Oct 1997 09:04:01 -0400
From: john kerr
Reply-To: jkerr2@csc.com
X-Mailer: Mozilla 4.03 [en] (Win95; I)
MIME-Version: 1.0
To: Arthur Young
CC: "'firewalls@greatcircle.com'"
Subject: Re: Radius
References: <01BCC886.84D9CB50@MEDSS>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Arthur,

RFC2138 is a good start.

Arthur Young wrote:
> It may not be appropriate for this list, but where can I find out about Radius servers?
From owner-firewalls-list Wed Oct 1 19:08:31 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA26586; Wed, 1 Oct 1997 06:00:46 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id GAA26552 for ; Wed, 1 Oct 1997 06:00:35 -0700 (PDT)
Received: from ..southconn.com by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id FAA16102; Wed, 1 Oct 1997 05:54:53 -0700 (PDT)
X-ROUTED: Wed, 1 Oct 1997 08:58:08 -0500
Received: from southconn.com [208.147.237.2] by ..southconn.com with smtp id AIDIDJFG ; Wed, 1 Oct 1997 08:56:58 -0500
Message-ID: <343249FE.1DF77F12@southconn.com>
Date: Wed, 01 Oct 1997 09:02:54 -0400
From: Gary Bryant
X-Mailer: Mozilla 4.02 [en] (Win95; I)
MIME-Version: 1.0
To: Firewalls@GreatCircle.COM
Subject: Re: Firewalls-Digest V6 #471
References: <199710010847.BAA21248@honor.greatcircle.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am trying to allow X windows through the firewall but not having much success. Can anyone help me - or is this not a good thing?

We are trying to use the SecureRemote through the CheckPoint firewall. Any suggestions on how to get this to work?
From owner-firewalls-list Wed Oct 1 19:09:58 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA25539; Wed, 1 Oct 1997 05:55:19 -0700 (PDT)
Received: from gatekeeper.verio.net (gatekeeper.verio.net [205.238.63.242]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id FAA25442 for ; Wed, 1 Oct 1997 05:54:41 -0700 (PDT)
Received: from mail.verio.net by gatekeeper.verio.net via smtpd (for honor.greatcircle.com [198.102.244.44]) with SMTP; 1 Oct 1997 12:53:29 UT
Received: from opendoor.hq.verio.net (opendoor.hq.verio.net [172.16.1.1]) by buster.verio.net (8.8.7/8.8.5) with SMTP id MAA08993 for ; Wed, 1 Oct 1997 12:47:09 GMT
Message-ID: <34324801.CC77AAED@verio.net>
Received: from [205.238.63.165] by opendoor.hq.verio.net via smtpd (for mail.verio.net [172.16.1.21]) with SMTP; 1 Oct 1997 12:53:21 UT
Date: Wed, 01 Oct 1997 06:54:25 -0600
From: Jeffrey Porter
X-Mailer: Mozilla 4.03 [en] (WinNT; I)
MIME-Version: 1.0
To: firewalls@greatcircle.com
Subject: SPAM filters on Raptor
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Currently, we use Eagle 4.0 as an SMTP proxy between our corporate mail server and the internet. The corp. server (internal) uses sendmail and we could implement anti-spam rule sets on it. However, the problem resides in the fact that we have our firewall proxy SMTP - thus the internal mail server thinks that every piece of mail comes from the firewall. I could have the firewall just pass SMTP through to the mail server - yet I would like to avoid exposing my sendmail to the outside world if I can get away with it.

Does anyone know of a way to handle anti-spamming on a Raptor firewall????

Jeff Porter
jporter@verio.net
Verio Inc.
http://www.verio.net

From owner-firewalls-list Wed Oct 1 19:11:25 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id UAA19598; Tue, 30 Sep 1997 20:31:15 -0700 (PDT)
Received: from gw.research.megasoft.com (gw.research.megasoft.com [206.230.35.93]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id UAA19401 for ; Tue, 30 Sep 1997 20:30:32 -0700 (PDT)
Received: from hawking.research.megasoft.com (hawking.research.megasoft.com [192.168.2.2]) by gw.research.megasoft.com (8.8.5/8.8.5) with ESMTP id XAA08966; Tue, 30 Sep 1997 23:34:43 -0400 (EDT)
Received: (from cmcurtin@localhost) by hawking.research.megasoft.com (8.8.5/8.8.5) id XAA22006; Tue, 30 Sep 1997 23:32:12 -0400 (EDT)
Date: Tue, 30 Sep 1997 23:32:12 -0400 (EDT)
Message-Id: <199710010332.XAA22006@hawking.research.megasoft.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
From: C Matthew Curtin
To: John Clark
Cc: firewalls@GreatCircle.COM
Subject: Re: This List, Hummmmm....
In-Reply-To: <3.0.3.32.19970917105153.00973c10@192.168.1.100>
References: <3.0.3.32.19970917105153.00973c10@192.168.1.100>
X-Mailer: VM 6.22 under 19.15 XEmacs Lucid

Received: from mousa_s.ins.com ([192.240.38.220]) by lexicon.ins.com (8.7.5/8.7.3) with SMTP id FAA09775; Wed, 1 Oct 1997 05:56:32 -0700 (PDT)
Message-Id: <3.0.32.19971001085255.0075db10@lexicon.ins.com>
X-Sender: mousa_s@lexicon.ins.com
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Wed, 01 Oct 1997 08:56:21 -0400
To: Karl_Horn@krzmail.krz.uni-heidelberg.de, firewalls@GreatCircle.COM
From: Sami Mousa
Subject: Re: firewall evaluation
Mime-Version: 1.0
Content-Type: text/enriched; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Subject: Re: Technical Comparison of Firewalls -- Will Everyone PLEASE Chill
References: <<199709120003.SAA26732@future.mulligan.com>
Sender: firewalls-owner@GreatCircle.COM

The traffic devoted to this argument is hardly worth the effort. Below, you will find what GNSS currently has on it. (A little nicety for the original, poor soul that asked the question.) But, really, chill...it ain't no thang.

Info follows:

"Comparison: Firewalls." June 17, 1996. LanTimes. Comprehensive comparison of seven or eight firewall products.
http://www.lantimes.com/lantimes/usetech/compare/pcfirewl.html

Do you use NT? Start here:
Windows NT Firewalls: Guardian Vs. Firewall/Plus Vs. Eagle NT Vs. AltaVista Firewall (PC Today)
http://www.pctoday.com/editorial/hth/970720.html

InfoWorld's Firewall Product Comparison (Good resource that also discusses cost)
http://www.infoworld.com/cgi-bin/displayArchive.pl?/96/46/firea.dat.htm

Seven Locks' now-watered-down comparison: it states only the characteristics of each:
http://www.sevenlocks.com/quarc/security/tocfirewallcomparisoncharts.htm

Can Firewalls Take the Heat? Study at data.com. Short but sweet, important because of the comparison chart (However, caveat emptor, as always)
http://www.data.com/Lab_Tests/Firewalls.html

Filtering Gateways vs. Application Gateways. David Dalva, Trusted Information Systems, Inc. (You know what this is; just a look at methodology)
http://www.tis.com/docs/products/gauntlet/FWComp.html

Defending the Front Line. Lan Times. Kevin Tolly, John Curtis, and Elke Passarge
http://www.raptor.com/news/lantimes/firetext.html#comp

Scorecard from above article (hard-core)
http://www.wcmh.com/96jun/606s054b.html

Find the Right Firewall (ZDNET.) Bench Test and Stats:
http://www8.zdnet.com/zdimag/content/anchors/970127/1.html
Feature Comparison: (Comprehensive)
http://www8.zdnet.com/zdimag/content/anchors/970127/features.html

Behind the line of fire. (PC Mag. Short, sweet, blah.)
http://www8.zdnet.com/pcmag/issues/1522/pcmg0058.htm

The whole bloody list of vendors and sites:
http://www.zeuros.co.uk/firewall/vendors.htm

"Firewall products today," Cooper, S P. UCRL-JC-119743, 18 pgs., February 28, 1995.
http://www.llnl.gov/tid/lof/documents/pdf/225846.pdf

"Firewall Performance Measurement Techniques: A Scientific Approach." Marcus Ranum. February 4, 1996 (Ask Marcus Ranum...he has moved this document.)

Fortified evaluation checklist on firewall products:
Comma Delimited: http://www.fortified.com/files/fweval.txt
Excel Spreadsheet: http://www.fortified.com/files/fweval.zip

Rating of application layer proxies, AT-0008 Revision 2. Michael C. Richardson -- mcr@sandelman.ottawa.on.ca
http://www.sandelman.ottawa.on.ca/SSW/proxyrating/proxyrating.html

Just the Facts About Firewalls. Chey Cobb, Webmaster, NCSA (Some Interesting Info)
http://www.ncsa.com/library/firefacts.html

Group of 15 firewalls hold up under security scrutiny. Stephen Lawson, InfoWorld Electric
http://www.infoworld.com/cgi-bin/displayArchives.pl?96067.firewall.htm

Firewall purchasing decisions are not always obvious: First Union Bank and Intersolv find similar solutions to network security dilemma. Anne Knowles, Infoworld (Interesting article)
http://www.infoworld.com/cgi-bin/displayArchives.pl?97-nr03-12.58d.htm

Internet firewalls: Playing with fire. Tested and reviewed by Mark Pace. Additional testing by Brooks Talley, Technology Analyst. Introduction by Michelle Murdock. Edited by Julia C. Carreon - Associate Editor
http://www.infoworld.com/cgi-bin/displayArchives.pl?dt_iwe31-96_84.htm

Choosing a Firewall. ZED Data Systems
http://www.zed.ca/firewall.htm

George R. Kurtz & David Roath. "Shopping for Firewalls", in Infosecurity News, MIS Institute Press, 1995.

"Firewall Application Notes." More general document that describes building a firewall. Also addresses application proxies, Sendmail in relation to firewalls, and the characteristics of a bastion host. Livingston Enterprises, Inc.
http://www.telstra.com.au/pub/docs/security/firewall-1.1.ps.Z

Firewall theory and architecture
http://fw4.iti.salford.ac.uk/ice-tel/firewall/theory.html

and finally, some more traditional reading materials:

Firewalls and Internet Security: Repelling the Wily Hacker. Addison-Wesley Publishing Company. William R. Cheswick and Steven M. Bellovin. April, 1994. ISBN: 0-201-63357-4.

Internet Security Resource Library: Internet Firewalls and Network Security, Internet Security Techniques, Implementing Internet Security. New Riders. ISBN: 1-56205-506-2. 1995.

Internet Firewalls and Network Security. Chris Hare and Karanjit Siyan. Second Edition. New Riders. ISBN: 1-56205-632-8. 1996.

Internet Security: Risk Analysis, Strategies and Firewalls. Othmar Kyas. ISBN: 185032302X

Protecting Your Web Site With Firewalls. Marcus Goncalves, Vinicius A. Goncalves. April 1997. ISBN: 0136282075

Designing & Implementing Internet Firewalls. Tina Darmohray. July 1997. ISBN: 0133730026

Keeping Your Site Comfortably Secure: An Introduction to Internet Firewalls. BPI Information Services. December 1994. ISBN: 1579791867

"Network Firewalls." Steven M. Bellovin and William R. Cheswick. IEEE Communications Magazine, 32(9), pp. 50-57. September 1994.

PCWEEK Intranet and Internet Firewall Strategies. Ed Amoroso and Ron Sharp. Ziff-Davis Press. 1996. ISBN: 1562764225.

Building Internet Firewalls. D. Brent Chapman and Elizabeth D. Zwicky. O'Reilly & Associates. ISBN: 1-56592-124-0. 1995.

I trust that will get the original, requesting party off in the right direction. This has been a public service from the bozos at http://www.gnss.com. I believe we can move on now.

(I should say this, though: all of us - at one time or another - plug our product or service. Perhaps the better approach would be this: if you are going to do it, also include a healthy list of other resources. But, the sheer volume of messages we received here over that last plug was just...surprising.)

To the original, requesting, party...if you are still out there: The link:
http://www.zeuros.co.uk/firewall/vendors.htm
will take you to *every* last vendor out there. In my opinion, I would use this as a starting point and judge the products for myself. Some of the articles above have been subjected to scrutiny - as everything eventually does on this network - and therefore, you may find inconsistencies, corrections and so forth. Believe it or not, only the vendors have the latest and greatest on their own stuff. Put on a wetsuit and dive in.

Oh yes...one last note: the above articles may not be as "technical" as you had wanted. If so, we apologize. If anyone actually has resources of this nature that are updated or newer (and not just further flames to the original spamming party) please forward them to GNSS. We'd love to have them.

Osiris -- Team Leader and Head Bozo
Global Network Security Systems

At 04:15 PM 9/24/97 MEZ, Karl_Horn@krzmail.krz.uni-heidelberg.de wrote:
>
>
> Hallo,
>
> I'm looking for a list of general questions to evaluate/compare
> firewall-products.
> I remember a helpful list from someone in U.K. but forgot the URL.
>
> Someone remembers the URL?
>
> Thank u
>
> Regards K.Horn
>
>
>

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
** Sami Mousa,                     FORE ATM(WAN) Certified              **
** International Network Services  Office: (908)603-8541 x320           **
** Network Systems Engineer        e-mail: sami_mousa@ins.com           **
** 120 Wood Ave South              Pager: (888)896-4064                 **
** Suite #615                      Fax: (908)548-5630                   **
** Iselin, New Jersey 08830        www.ins.com                          **
=============================================================================
"My statements in this message are personal opinions \
 which may have no basis whatsoever in fact."
From owner-firewalls-list Wed Oct 1 19:13:46 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA07784; Wed, 1 Oct 1997 06:58:03 -0700 (PDT)
Received: from bastion.s-1.com ([204.130.55.230]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id GAA07575 for ; Wed, 1 Oct 1997 06:57:13 -0700 (PDT)
Received: from [10.1.1.10] by bastion.s-1.com for id JAA04878; Wed Oct 1 09:57:54 1997
Received: from phoenix.s-1.com (jamie.s-1.com) by wine.s-1.com with SMTP (1.39.111.2/16.2) id AA049377811; Wed, 1 Oct 1997 09:56:51 -0500
Message-Id: <3.0.32.19971001095635.00a97234@pophost>
X-Sender: jamie@pophost
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Wed, 01 Oct 1997 09:56:36 -0400
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@GreatCircle.COM ('firewalls@greatcircle.com')
From: Jamie Pratcher
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

remove

From owner-firewalls-list Wed Oct 1 19:16:13 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id BAA10175; Wed, 1 Oct 1997 01:06:50 -0700 (PDT)
Received: from gis.de (gis.de [194.195.163.1]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id BAA10122 for ; Wed, 1 Oct 1997 01:06:29 -0700 (PDT)
Received: from bast.gis.de (bast.gis.de [194.195.163.14]) by gis.de (8.8.6/8.8.6) with ESMTP id KAA00279 for ; Wed, 1 Oct 1997 10:07:11 +0200
Received: (from jens@localhost) by bast.gis.de (8.8.6/8.8.6) id KAA00182 for firewalls@GreatCircle.COM; Wed, 1 Oct 1997 10:07:09 +0200
Message-Id: <199710010807.KAA00182@bast.gis.de>
To: firewalls@GreatCircle.COM
Date: Wed, 1 Oct 1997 10:07:09 +0200 (MET DST)
From: "Jens-Erik Hansen"
X-Mailer: ELM [version 2.4 PL25 PGP3 *ALPHA*]
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

remove

From owner-firewalls-list Wed Oct 1 19:16:16 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA15830; Wed, 1 Oct 1997 07:34:04 -0700 (PDT)
Received: from dub-img-7.compuserve.com (dub-img-7.compuserve.com [149.174.206.137]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id HAA15751 for ; Wed, 1 Oct 1997 07:33:48 -0700 (PDT)
Received: (from mailgate@localhost) by dub-img-7.compuserve.com (8.8.6/8.8.6/2.5) id KAA04800 for Firewalls@greatcircle.com; Wed, 1 Oct 1997 10:34:37 -0400 (EDT)
Date: Wed, 1 Oct 1997 10:34:00 -0400
From: Terry Dugan
Subject: Cyberguard and Gauntlet
To: All
Message-ID: <199710011034_MC2-2272-5758@compuserve.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset=ISO-8859-1
Content-Disposition: inline
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We are evaluating two firewall offerings - Cyberguard and Gauntlet. Does anyone know of any concerns we should have about either of the products? Or, does anyone have any technical pluses about either product?

Besides their core firewall, we also want to interface with a virus protection product and utilize VPN capabilities down the road. We also would like to consider using transparent proxies.

Thanks for any input you may have.
From owner-firewalls-list Wed Oct 1 19:17:17 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA05585; Wed, 1 Oct 1997 06:48:20 -0700 (PDT)
Received: from mail.baileynm.com (fw.baileynm.com [206.109.159.11]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id GAA05475 for ; Wed, 1 Oct 1997 06:47:54 -0700 (PDT)
Received: (qmail 11866 invoked from smtpd); 1 Oct 1997 13:48:29 -0000
Received: from web.nmti.com (root@198.178.0.201) by fw.nmti.com with SMTP; 1 Oct 1997 13:48:29 -0000
Received: from baileynm.com (grendel.nmti.com [198.178.0.150]) by web.nmti.com (8.6.12/8.6.9) with SMTP id IAA08514; Wed, 1 Oct 1997 08:48:28 -0500
Received: by baileynm.com; (5.65v3.2/1.1.8.2/08Sep97-0924AM) id AA12823; Wed, 1 Oct 1997 08:50:46 -0500
From: Peter da Silva
Message-Id: <9710011350.AA12823@baileynm.com>
Subject: Re: split dns - bind 4
To: lists@lina.inka.de (Bernd Eckenfels)
Date: Wed, 1 Oct 1997 08:50:46 -0500 (CDT)
Cc: sgcccdc@citec.qld.gov.au, ark@paranoid.convey.ru, firewalls@GreatCircle.COM
In-Reply-To: from "Bernd Eckenfels" at Sep 24, 97 02:47:03 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> What is this DNS Server used for? Resolving only from the Firewall? Is this
> really a big win compared with the additional RAM you need to do? Why don't
> you let the firewall simply resolve to the mentioned internal DNS Servers?

You can only put three names in resolv.conf. Which means the firewall has to do without a redundant name service on either the internal or external side. Which means if said server goes down you lose nameservice on the firewall.
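An added check, not Peter's code, that makes the three-nameserver limit concrete: it parses a constructed resolv.conf the way the BSD/glibc resolver does, keeping only the first MAXNS = 3 "nameserver" entries, and reports which side of a split-DNS firewall is left without a backup server. The addresses and the internal/external split are assumptions.

```python
from typing import Dict, List, Set, Tuple

# Resolver ceiling on "nameserver" lines (MAXNS in resolv.h, BSD and glibc).
MAXNS = 3


def parse_resolv_conf(text: str) -> Tuple[List[str], List[str]]:
    """Return (effective, ignored): the resolver consults only the first
    MAXNS nameserver entries and silently drops any that follow."""
    servers: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        # '#' or ';' in the first column starts a comment line
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers[:MAXNS], servers[MAXNS:]


def side_redundancy(
    effective: List[str], internal: Set[str], external: Set[str]
) -> Tuple[Dict[str, int], List[str]]:
    """Count usable servers per side.  A side with fewer than two has no
    fallback, which is the failure Peter describes.  Returns
    (counts, sides_without_backup)."""
    counts: Dict[str, int] = {"internal": 0, "external": 0}
    for server in effective:
        if server in internal:
            counts["internal"] += 1
        elif server in external:
            counts["external"] += 1
    return counts, [side for side, n in counts.items() if n < 2]


# Constructed firewall resolv.conf: the admin hoped for two servers on each
# side, but the fourth entry is beyond MAXNS and is never consulted.
FIREWALL_RESOLV_CONF = """\
# constructed example: two internal (10.1.x.53) and two external (192.0.2.x)
nameserver 10.1.1.53
nameserver 10.1.2.53
nameserver 192.0.2.53
nameserver 192.0.2.54
"""
INTERNAL = {"10.1.1.53", "10.1.2.53"}     # assumed internal (split-DNS) servers
EXTERNAL = {"192.0.2.53", "192.0.2.54"}   # assumed external servers


def check_firewall(text: str = FIREWALL_RESOLV_CONF):
    """Apply the MAXNS rule and the per-side redundancy check to one file."""
    effective, ignored = parse_resolv_conf(text)
    counts, weak = side_redundancy(effective, INTERNAL, EXTERNAL)
    return effective, ignored, counts, weak


if __name__ == "__main__":
    eff, ign, cnt, weak = check_firewall()
    print("consulted:", eff)
    print("silently ignored:", ign)
    print("servers per side:", cnt, "no backup on:", weak)
```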
From owner-firewalls-list Wed Oct 1 19:19:25 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA27381; Wed, 1 Oct 1997 08:26:23 -0700 (PDT)
Received: from stjohns.se.highway1.com (stjohns.se.highway1.com [24.129.0.68]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id IAA27334 for ; Wed, 1 Oct 1997 08:26:05 -0700 (PDT)
Received: from sroberts.acr2000.com ([12.8.110.200]) by stjohns.se.highway1.com (Netscape Mail Server v2.02) with SMTP id AAA12217 for ; Wed, 1 Oct 1997 11:26:53 -0400
Received: by localhost with Microsoft MAPI; Wed, 1 Oct 1997 11:28:25 -0400
Message-ID: <01BCCE5D.22089740.scottrob@mediaone.net>
From: Scott Roberts
Reply-To: "scottrob@mediaone.net"
To: "Firewalls (E-mail)"
Subject: Which Firewall
Date: Wed, 1 Oct 1997 11:28:23 -0400
Organization: Roberts' Keyboard Connection
X-Mailer: Microsoft Internet E-mail/MAPI - 8.0.0.4211
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

If this is a repost, please forgive me, but I do not think the first one went through...

I am the Network Administrator for 2 LAN's. We have just gotten set up on AT&T WICS service to provide our frame relay and internet connect services. The problem that I am obviously having is that now both of my LAN's are accessible from the internet. I know I can use my routers to provide some blocking, but what I need is the ability to allow certain people access from the internet into any part of the LAN's - for example...me. I also need the ability to provide reports to certain of our Directors that want to know who from their department accesses the internet and for how long.

What firewall solution would be best for us?

----------
Scott Roberts
ScottRob@mediaone.net

From owner-firewalls-list Wed Oct 1 19:20:56 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA20639; Wed, 1 Oct 1997 07:55:48 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id HAA20619 for ; Wed, 1 Oct 1997 07:55:40 -0700 (PDT)
Received: from libofmich.lib.mi.us by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id HAA16712; Wed, 1 Oct 1997 07:50:03 -0700 (PDT)
Received: by libofmich.lib.mi.us (AIX 3.2/UCB 5.64/4.03) id AA25183; Wed, 1 Oct 1997 10:59:05 -0400
Date: Wed, 1 Oct 1997 10:59:05 -0400 (EDT)
From: "Amy (Cremer) Briggs"
To: firewalls@GreatCircle.COM
Subject: Java & Java Script
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We are currently having discussions at our site as to whether or not to allow Java and/or Java script into our network. In the past we'd decided not to allow it based on security concerns we'd read about and discussions I'd seen on this topic coming from this list. This decision is being re-hashed again because some folks believe that there are no reasons for Java/Java Script security concerns. I really don't know a lot about Java/Java Script so I'm wondering if some of you would be willing to answer the following questions for me:

1. What security concerns are there with letting Java into your network?
2. What security concerns are there with letting Java Script into your network?
3. What are some examples of what can be done with Java to compromise your network?
4. What are some examples of what can be done with Java Script to compromise your network?

I'm also being asked to provide materials discussing these security risks from an authoritative source such as CIAC. If you could point me to some good sources of information published by authoritative sources that would be very helpful.

TIA,
Amy

From owner-firewalls-list Wed Oct 1 19:22:22 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA18733; Wed, 1 Oct 1997 07:48:29 -0700 (PDT)
Received: from interlock.reston.ans.net (interlock.reston.ans.net [192.77.167.2]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id HAA11971 for ; Wed, 1 Oct 1997 07:19:17 -0700 (PDT)
Received: by interlock.reston.ans.net id AA00540 (InterLock SMTP Gateway 4.1 for firewalls@GreatCircle.COM); Wed, 1 Oct 1997 10:19:53 -0400
Message-Id: <199710011419.AA00540@interlock.reston.ans.net>
From: "Conrad Minor"
To: , , "Sick Puppy"
Subject: Re: Finding a wiretap or NIC card with a TDR
Date: Wed, 1 Oct 1997 10:18:25 -0400
X-Msmail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1161
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Sick et al,

I was thinking more that you'd need to find a way to make the Ethernet cards burp out packets unintentionally. Has anyone looked into the new manageable ENet cards? Can they be made to reveal themselves? Your Ethernet TDR would send some magic packet which made the Ethernet cards reply unbeknownst to the owner of the card (only if the transmit part of the card is still enabled though).

TDR does emit a pulse like radar or sonar. It measures impedance changes in the wire based on reflection (VSWR?). You can even see the changes that individual connectors make to the general impedance of a cable.

Conrad

----------
> From: dharris@kcp.com
> To: firewalls@GreatCircle.COM; Sick Puppy
> Subject: Re: Finding a wiretap or NIC card with a TDR
> Date: Tuesday, September 30, 1997 9:12 AM
>
> Doesn't TDR *require* actively creating a pulse so you can measure its
> reflection?
> If you don't know when you emitted the pulse how can you measure
> the time until its echo? I suppose a pattern-matching oscilloscope could be
> configured to measure the time between an outgoing 'ping' and its echo ;-)
>
> ______________________________ Reply Separator _________________________________
> Subject: Finding a wiretap or NIC card with a TDR
> Author: Sick Puppy at INTERNET-MAIL
> Date: 9/27/97 9:40 PM
>
> We have reason to believe that some loser geeks or phederal phucks
> have sneaked a wiretap onto a network segment that we often cross.
> We also happen to have a couple of Time Domain Reflectometers left over
> from previous academic research on satellite channels. If we plug the
> TDR's into the network segment there is a real good chance that the
> loser geeks or whatever will spot us so we need to run in stealth
> mode.
>
> The network segment hosts several Unix boxes on which we are privileged
> users. (Our network, our boxes of course. What else could they be?)
>
> Does anybody know of any software that will run on a Unix or NT box and
> provide the same information as a TDR?
>
> Does anybody know of an equivalent software package that will run on Unix
> or NT and help us find the wiretap or silent NIC card we think is there?
>
> Sick Puppy, the Cat_Eating_Dawg
>

From owner-firewalls-list Wed Oct 1 19:23:36 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA17528; Wed, 1 Oct 1997 10:07:07 -0700 (PDT)
Received: from main.geminisecure.com (main.geminisecure.com [205.179.16.1]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id KAA17478 for ; Wed, 1 Oct 1997 10:06:56 -0700 (PDT)
Received: (from leonard@localhost) by main.geminisecure.com (8.6.9/8.6.9) id KAA26774; Wed, 1 Oct 1997 10:04:49 -0700
Date: Wed, 1 Oct 1997 10:04:48 -0700 (PDT)
From: Leonard Miyata
To: Gary Crumrine
cc: firewalls@greatcircle.com
Subject: RE: EE Times Article
In-Reply-To: <01BCCE32.2128A610@gcrum@us-state.gov>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I finally found their web posting of the article:
http://techweb.cmp.com/eet/whitepaper/whitepaper.html

Personally, I prefer the old-fashioned paper copy myself (And they left out the picture of the hacked S/Key card !?!?)

Personal Opinions Provided by Leonard Miyata aka leonard@geminisecure.com
Gemini Computers Inc.

On Wed, 1 Oct 1997, Gary Crumrine wrote:

> Kind of hard to comment on something you can't get your
> hands on Leonard. Perhaps if you could paraphrase
> somewhat??
>
> On Friday, September 26, 1997 1:06 PM, Leonard Miyata
> [SMTP:leonard@geminisecure.com] wrote:
> | There is an article in this week's Electronic Engineering
> | Times
> | (CMP Media Publisher) Sept 22, 1997, titled 'The Rise of
> | the
> | Underground Engineer' that is worth your time looking at.
> | It covers WinNT Security (Old Topic) as well as network
> | security issues in general.
> |
> | For those people in the know, any comments????
> |

From owner-firewalls-list Wed Oct 1 19:24:52 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA15870; Wed, 1 Oct 1997 09:57:33 -0700 (PDT)
Received: from fw.paimail.com ([204.183.2.130]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id JAA15772 for ; Wed, 1 Oct 1997 09:57:14 -0700 (PDT)
Received: (from uucp@localhost) by fw.paimail.com (8.6.12/8.6.9) id LAA07877; Wed, 1 Oct 1997 11:45:29 -0400
Received: from dhcp19.paimail.com(10.0.2.19) by fw.paimail.com via smap (V2.0) id xma007872; Wed, 1 Oct 97 11:45:02 -0400
Message-Id: <3.0.3.32.19971001125152.006b6a48@fw.paimail.com>
X-Sender: rick@fw.paimail.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Wed, 01 Oct 1997 12:51:52 -0400
To: ralf
From: Rick Murphy
Subject: Re: A question about x-gw
Cc: firewalls@GreatCircle.COM
In-Reply-To:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 04:18 PM 9/30/97 +0200, ralf wrote:
> The tn-gw from TIS fwtk supports this with the "x-gw"-command, but when
> using it, the proposed variable DISPLAY is "internal-ip:10" which is not
> reachable from "external-ip" because they don't know about our internal
> IP addresses (which actually are 10.xxx :-). So the question is: how can
> we get x-gw to generate the variable DISPLAY "external-ip:10" and to listen
> to the proper socket on the proper "external-ip"-interface? Maybe there
> is no way because the "x-gw"-command is given before the "connect"-command,
> so how should x-gw know about the destination of the "connect"-command?

The x-gw proxy does not set the DISPLAY variable - what's going on is that your Telnet client and server are passing the value of the DISPLAY variable on the local host (telnet client) to the remote host (telnet server). You'll have to change the DISPLAY value on the target host yourself.

The X proxy on the firewall will accept connections from either the inside or the outside interfaces, so you shouldn't have to do anything else.

-Rick

From owner-firewalls-list Wed Oct 1 19:26:29 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA08966; Wed, 1 Oct 1997 09:20:48 -0700 (PDT)
Received: from xchangebox2.USADOMAIN1 (XCHANGEBOX2.USANETWORKS.COM [208.225.13.9]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id JAA08918 for ; Wed, 1 Oct 1997 09:20:37 -0700 (PDT)
Received: by xchangebox2.USADOMAIN1 with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5) id <01BCCE64.63459FD0@xchangebox2.USADOMAIN1>; Wed, 1 Oct 1997 12:20:21 -0400
Message-ID:
From: "Zilber, Alexey"
To: "'firewalls@greatcircle.com'" , "'jkerr2@csc.com'"
Subject: RE: Downfalls of Proxy Server?
Date: Wed, 1 Oct 1997 12:19:40 -0400
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> All,
> I was wondering what the downfalls of using Microsofts proxy server
> to authenticate internal users to the Internet for HTTP services only.
> I realize that a rule must be put in the firewall to allow HTTP out from
> the proxy servers IP Address and that you no longer have a centralized
> location for all of the logs, but are there any other shortcomings? The

We've had great success with Proxy 1.0.

> internal network would be a windows NT network. The problem I'm trying
> to solve here is opposed to performing user authentication at the
> firewall and setting up users. I would use the NT groups already set-up

You can do it one of two ways. M$ Proxy comes with both Winsock Proxy and Web Proxy. It looks to me like you'll -JUST- be doing http proxying. If that's the case, then you can use the web proxy so not just the Windows machines have access.
(Or use both and only use Web Proxy for the non-Windows machines.) User authentication is indeed done on the NT domain.

> in the internal and then selectively allow each group HTTP access. Any
> thoughts?

That is exactly how we have it set up. It seems to be working fine, and it's mostly transparent to the users. No need for them to clamor at the helpdesk with questions on proxy configurations...

> John
>

From owner-firewalls-list Wed Oct 1 21:22:00 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA01992; Wed, 1 Oct 1997 11:18:57 -0700 (PDT)
Received: from silence.secnet.com (silence.secnet.com [199.185.231.10]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id LAA01907 for ; Wed, 1 Oct 1997 11:18:37 -0700 (PDT)
Received: from localhost (huger@localhost) by silence.secnet.com (8.8.5/secnet) with SMTP id MAA28702; Wed, 1 Oct 1997 12:29:52 -0600 (MDT)
Date: Wed, 1 Oct 1997 12:29:51 -0600 (MDT)
From: Alfred Huger
To: manuel.ricca@pararede.pt
cc: Non Receipt Notification Requested
Subject: Re: Milkyway SecurIT - what for?
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On 24 Sep 1997 manuel.ricca@pararede.pt wrote:

> Hello everybody,
> Here is a quotation from Milkyway's insufficiently documented website:
>
> "All Ports Accept Communications
>
> An effective way to protect a system from unauthorized access is to prevent an intruder from learning anything about the
> system. As described, port scanning normally provides an intruder with exploitable information about a system. However, if all
> the would-be intruder learns is that all ports are accepting communications the intruder is no further ahead. There is nothing to
> distinguish one port from another. No new information is gained."
>
> What??? Is this supposed to be an idiot-security-manager-proof measure? At the expense of performance (has to)?
> Or did I just miss the point here?

You missed the point, completely. The reason the Milkyway Firewall keeps all its ports listening is to confuse port scanners. When a user performs a scan, they find *all* ports listening and therefore have no easily definable targets. It also rings bells for the Firewall Admin so he/she can see he/she is being scanned.

It's not a panacea, nor is it a poor idea. Honeypots and fake services are an important part of any perimeter system IMO. The longer you keep a would-be intruder poking the more of a chance you stand of noticing the activity.

In fact, we wrote a similar utility at our company just for kicks to see what we would get. The service is a fake portmapper which returns a number of fake services. Any requests to the portmapper or to the services are packet logged. We manage to log 3 or 4 people a week door knocking, handy stuff really.

rpcinfo -p silence.secnet.com

/*************************************************************************
Alfred Huger                     Phone: 403.262.9211
Secure Networks Inc.             Fax: 403.262.9221
**************************************************************************/

From owner-firewalls-list Wed Oct 1 23:15:02 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id TAA07536; Wed, 1 Oct 1997 19:17:26 -0700 (PDT)
Received: from news.mtu.edu (news.mtu.edu [141.219.70.11]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id TAA07515 for ; Wed, 1 Oct 1997 19:16:45 -0700 (PDT)
From: msrao@mtu.edu
Received: from mtu.edu (root@mtu.edu [141.219.70.1]) by news.mtu.edu (8.8.7/8.8.7) with ESMTP id WAA02101 for ; Wed, 1 Oct 1997 22:17:22 -0400 (EDT)
Received: from pobox.ee.mtu.edu (pobox.ee.mtu.edu [141.219.23.145]) by mtu.edu (8.8.7/8.8.7) with ESMTP id WAA12873 for ; Wed, 1 Oct 1997 22:17:18 -0400 (EDT)
Received: from eegrad6.ee.mtu.edu (eegrad6.ee.mtu.edu [141.219.22.170]) by pobox.ee.mtu.edu (8.8.7/8.8.7/mturelay-1.2) with ESMTP id WAA10003 for ; Wed, 1 Oct 1997 22:17:08 -0400 (EDT)
Received: (from msrao@localhost) by eegrad6.ee.mtu.edu (8.6.10/MTU-C1.3) id WAA00637 for Firewalls@GreatCircle.COM; Wed, 1 Oct 1997 22:17:06 -0400
Message-Id: <199710020217.WAA00637@eegrad6.ee.mtu.edu>
Subject: Re: Firewalls-Digest V6 #471
To: Firewalls@GreatCircle.COM
Date: Wed, 1 Oct 1997 22:17:06 -0400 (EDT)
In-Reply-To: <199710010847.BAA21248@honor.greatcircle.com> from "Firewalls-Digest" at Oct 1, 97 01:47:50 am
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

I wanted to know if anybody is working on performance evaluation of wireless networks. I'll be interested to correspond with them.

Thanks
Manjunath

From owner-firewalls-list Wed Oct 1 23:45:01 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id TAA08508; Wed, 1 Oct 1997 19:29:58 -0700 (PDT)
Received: from fw.paimail.com ([204.183.2.130]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id TAA08487 for ; Wed, 1 Oct 1997 19:29:48 -0700 (PDT)
Received: (from uucp@localhost) by fw.paimail.com (8.6.12/8.6.9) id VAA08809; Wed, 1 Oct 1997 21:17:59 -0400
Received: from dhcp19.paimail.com(10.0.2.19) by fw.paimail.com via smap (V2.0) id xma008806; Wed, 1 Oct 97 21:17:28 -0400
Message-Id: <3.0.3.32.19971001222732.006a4e0c@fw.paimail.com>
X-Sender: rick@fw.paimail.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Wed, 01 Oct 1997 22:27:32 -0400
To: Joseph Judge
From: Rick Murphy
Subject: RE: Checkpoint and FWTK 1.2 ftp proxy hangs
Cc: "firewalls@GreatCircle.COM" , "'Bob Gerrish'"
In-Reply-To: <01BCCDE3.482CD820@zandar.judgefamily.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Firewall-1 (at least older versions, they may have fixed this in current software) requires that the FTP "PORT" command arrive complete in a single IP packet. The older FWTK ftp-gw sent the PORT command in one write, then sent the terminating CR/LF in a second write. While this does not violate the protocol, it was not what the Firewall-1 FTP code expected. We used to joke about the fact that the supposed "stateful" firewall couldn't keep state across two packets :-)

I changed the ftp-gw to send the PORT command in a single write, thus working around the FW-1 bug. (To be fair, there are other firewall products that have the same bug - even application proxy firewalls, which fact I found rather surprising..)
-Rick From owner-firewalls-list Thu Oct 2 01:58:50 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA02713; Wed, 1 Oct 1997 23:55:01 -0700 (PDT) Received: from mobile.global.slb.com ([163.185.133.3]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id WAA19143 for ; Wed, 1 Oct 1997 22:49:40 -0700 (PDT) Received: by mobile.global.slb.com (5.0/SMI-SVR4) id AA22471; Thu, 2 Oct 1997 00:37:29 +0600 Date: Thu, 2 Oct 1997 00:37:28 -0500 (CDT) From: Seacol Chin To: Firewalls@GreatCircle.COM Subject: Re: Firewalls-Digest V6 #472 In-Reply-To: <199710020157.SAA05789@honor.greatcircle.com> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, I am looking for a NT-based router software that will act as router and bridge for 100VG and ethernet. Thanks, Seacol From owner-firewalls-list Thu Oct 2 04:38:10 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA25471; Thu, 2 Oct 1997 02:23:58 -0700 (PDT) Received: from penguin.wise.edt.ericsson.se (penguin-ext.wise.edt.ericsson.se [194.237.142.5]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id CAA25380 for ; Thu, 2 Oct 1997 02:23:25 -0700 (PDT) Received: from geek.nmac.ericsson.se (geek.nmac.ericsson.se [130.100.187.83]) by penguin.wise.edt.ericsson.se (8.7.5/8.7.3/glacier-1.12) with ESMTP id LAA09215 for ; Thu, 2 Oct 1997 11:22:14 +0200 (MET DST) Received: from haig.oplab.nmac.ericsson.se (haig.oplab.nmac.ericsson.se [130.100.187.85]) by geek.nmac.ericsson.se (8.8.5/8.8.5) with ESMTP id LAA06770 for ; Thu, 2 Oct 1997 11:23:57 +0200 Received: by haig.oplab.nmac.ericsson.se with Internet Mail Service (5.0.1457.3) id ; Thu, 2 Oct 1997 11:24:29 +0200 Message-ID: <43BED8177D10D011A69A0800092C15D70BBA62@haig.oplab.nmac.ericsson.se> From: =?iso-8859-1?Q?Robert_St=E5hlbrand?= To: "'firewalls@greatcircle.com'" Subject: PPTP and STEELHEAD Date: Thu, 2 
Oct 1997 11:24:28 +0200 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1457.3) Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi list! We are planning on using Steelhead to give certain customers a preview over new products via WWW-GUI over the internet. The idea is to connect one interface on our Steelhead machine to Internet and one to a "second DMZ" to our firewall (FW-1). With Steelhead we use PPTP to create a VPN to the customer. My questions are: 1) What about safety in the protocol PPTP? What kind of encryption-methodic is it using? How many bits of encryption is PPTP using (outside U.S)? 2) What is needed on the client (customer) side? Do you have to have another steelhead machine or any other client program? 3) Any comments on the connection to internet via a "second DMZ" (security aspects only, no routing problems)? Name: Robert St=E5hlbrand Company: Ericsson Telecom AB Company-Address: Fl=F6jelbergsv=E4gen 1C, Box 333 Zip-Code: 431 24 M=F6lndal Phone Number: +46 31 747 6162 Fax Number: +46 31 747 3777 Email: robert.stahlbrand@nmac.ericsson.se From owner-firewalls-list Thu Oct 2 05:01:30 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id DAA05047; Thu, 2 Oct 1997 03:26:27 -0700 (PDT) Received: from x400gtw.pararede.pt (x400gtw.pararede.pt [194.79.64.130]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id DAA05029 for ; Thu, 2 Oct 1997 03:26:00 -0700 (PDT) From: manuel.ricca@pararede.pt Received: by x400gtw.pararede.pt (8.6.8.1/1.2-eef) id LAA25660; Thu, 2 Oct 1997 11:27:51 GMT X400-Received: by /PRMD=pararede/ADMD=ip/C=pt; Relayed; 02 Oct 97 11:27:49 +0000 Date: 02 Oct 97 11:27:49 +0000 Delivery-Date: 02 Oct 97 11:27:51 +0000 Message-Type: Multiple Part X400-Originator: manuel.ricca@pararede.pt X400-MTS-Identifier: [/PRMD=pararede/ADMD=ip/C=pt;ISOCOR-340e1965-Tubarao] 
X400-Recipients: non-disclosure Original-Encoded-Information-Types: Teletex X400-Content-Type: P2-1984 Message-ID: Importance: normal Subject: RE: Re: Milkyway SecurIT - what for? Autoforwarded: FALSE To: huger@silence.secnet.com (Non Receipt Notification Requested) CC: firewalls@greatcircle.com (Non Receipt Notification Requested) In-Reply-To: Conversion: Allowed Conversion-With-Loss: Allowed Alternate-Recipient: Prohibited Content-Identifier: RE: Re: Milkyway Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 8Bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk My point was that a firewall shouldn't have many inbound ports open anyway. The ones that are open are probably either going to the DMZ (for example HTTP) or stopping at the firewall itself (for example SMTP). In practice, you will only have well-known services running on well-known ports, so you can expect well-known attacks for which you will have well-known defence. So, the method Milkyway is using would apply only if the firewall had other services running at other ports, which is definitely not a good security policy altogether, and that's what I meant in the previous mail. What they are saying is that if you have a hole in your firewall it will be harder for the attacker to find it. I still think the hole shouldn't be there to start with. Besides, what they are doing can be done with any other firewall anyway (you can define ACL's for all the ports if you want). But it can be avoided as well. ----------------- Manuel Ricca (manuel.ricca@pararede.pt) ParaRede - Tecnologias de Comunicação, S.A. R. D. Constantino de Bragança, 12 1400 Lisboa Tel: +351 1 3020451 Fax: +351 1 3020444 ------------------- From: huger@silence.secnet.com To: manuel ricca Cc: firewalls@GreatCircle.COM Subject: Re: Milkyway SecurIT - what for? 
Date: 01-10-1997 20:31

On 24 Sep 1997 manuel.ricca@pararede.pt wrote:

> Hello everybody,
> Here is a quotation from Milkyway's insufficiently documented website:
>
> "All Ports Accept Communications
>
> An effective way to protect a system from unauthorized access is to prevent an intruder from learning anything about the system. As described, port scanning normally provides an intruder with exploitable information about a system. However, if all the would-be intruder learns is that all ports are accepting communications the intruder is no further ahead. There is nothing to distinguish one port from another. No new information is gained."
>
> What??? Is this supposed to be an idiot-security-manager-proof measure? At the expense of performance (has to)?
> Or did I just miss the point here?

You missed the point, completely. The reason the Milkyway Firewall keeps all its ports listening is to confuse port scanners. When a user performs a scan, they find *all* ports listening and therefore have no easily definable targets. It also rings bells for the Firewall Admin so he/she can see he/she is being scanned. It's not a panacea, nor is it a poor idea. Honeypots and fake services are an important part of any perimeter system IMO. The longer you keep a would-be intruder poking the more of a chance you stand of noticing the activity.

In fact, we wrote a similar utility at our company just for kicks to see what we would get. The service is a fake portmapper which returns a number of fake services. Any requests to the portmapper or to the services are packet logged. We manage to log 3 or 4 people a week door knocking, handy stuff really.
rpcinfo -p silence.secnet.com

/*************************************************************************
 Alfred Huger                  Phone: 403.262.9211
 Secure Networks Inc.          Fax:   403.262.9221
**************************************************************************/

From owner-firewalls-list Thu Oct 2 05:59:39 1997
From: khearn
Reply-To: "khearn@gte.net"
To: "Firewalls (E-mail)"
Subject: what ports to pass for exchange/outlook
Date: Thu, 2 Oct 1997 05:03:28 -0400
Message-ID: <01BCCEF0.85D2F840.khearn@gte.net>

Does anyone know what ports I need to leave open for Microsoft Exchange and Outlook so that Internet access to the Exchange server is possible?
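The "door knocking" that Alfred Huger describes logging above only helps if someone notices the entries. The following is an added example, not code from Secure Networks, Milkyway or anyone on the list: it runs a simple port-scan detector over constructed log lines from a listener that accepts on otherwise-unused ports. The log format, host addresses and timestamps are assumptions made for the example.

```python
"""Scan detection over log lines from a listener that accepts on every port.

Added illustration, not code from Secure Networks or Milkyway.  It assumes
a sentinel that accepts connections on otherwise-unused ports and writes
one line per attempt; the line format, hosts and timestamps below are
constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed line format: "<ISO timestamp> src=<ip> dport=<port> proto=<tcp|udp>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

SAMPLE_LOG = [
    # an internal host using two real services, spread over an hour
    "1997-10-02T09:50:00 src=10.0.0.7 dport=111 proto=tcp",
    # an outside host walking the well-known ports within a few seconds
    "1997-10-02T09:50:01 src=192.0.2.44 dport=21 proto=tcp",
    "1997-10-02T09:50:02 src=192.0.2.44 dport=23 proto=tcp",
    "1997-10-02T09:50:02 src=192.0.2.44 dport=25 proto=tcp",
    "1997-10-02T09:50:03 src=192.0.2.44 dport=79 proto=tcp",
    "1997-10-02T09:50:04 src=192.0.2.44 dport=110 proto=tcp",
    "1997-10-02T09:50:05 src=192.0.2.44 dport=111 proto=tcp",
    "1997-10-02T09:51:00 src=10.0.0.7 dport=25 proto=tcp",
    "1997-10-02T11:00:00 src=10.0.0.7 dport=25 proto=tcp",
    "garbage that does not match the format",
]


def parse_line(line):
    """Return (timestamp, src, dport) for one sentinel log line, or None
    when the line does not match the expected format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], int(m["dport"])


def detect_scans(lines, min_ports=5, window_seconds=60):
    """Flag every source that touches at least `min_ports` distinct ports
    within any span of `window_seconds`.  Returns {src: (window_start, n)}
    where n is the number of distinct ports in the first window that
    crossed the threshold.  Repeated hits on one port never trigger, so a
    busy legitimate client does not look like a scanner."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            ts, src, dport = parsed
            events[src].append((ts, dport))

    alerts = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until the span fits
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            distinct = {port for _, port in evs[start:end + 1]}
            if len(distinct) >= min_ports:
                alerts[src] = (evs[start][0], len(distinct))
                break
    return alerts


def format_alert(src, window_start, ports):
    """One line for the firewall admin, the 'bell' Huger mentions."""
    return (f"{window_start.isoformat()} possible port scan from {src}: "
            f"{ports} distinct ports")


if __name__ == "__main__":
    for src, (when, ports) in sorted(detect_scans(SAMPLE_LOG).items()):
        print(format_alert(src, when, ports))
```

With the defaults only the outside host is flagged; widening the window (the second call in the test) also catches a slow walk across ports.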
From owner-firewalls-list Thu Oct 2 06:07:57 1997
From: "Boac, Lito"
To: "'Firewalls@GreatCircle.COM'"
Subject: Software for testing a firewall
Date: Tue, 30 Sep 1997 16:56:54 +0300

Is there any public-domain software for Windows NT that can be used to test for security holes on a firewall? I'm currently evaluating several firewalls but I don't have the necessary tools of the trade to do some in-depth testing. Please reply directly as I don't subscribe to firewalls.

Thanks.

Joselito V.
Boac
jvboac@dammam.ingr.com

From owner-firewalls-list Thu Oct 2 06:29:59 1997
From: Ned Freed
Date: Sun, 28 Sep 1997 00:15:00 -0700 (PDT)
Subject: RE: SMTP VRFY (was: Microsoft vs The world)
In-reply-to: "Your message dated Sun, 28 Sep 1997 01:56:54 -0400" <61B80F9FF411D1118DEF0000E8D5C6670439C9@ns.ntadvice.com>
To: Russ
Cc: "'Ned Freed'", firewalls@GreatCircle.COM
Message-id: <01IO5QU4BGUE94GI1L@INNOSOFT.COM>

> First of all, let me remind you that RFC1123 specifically denotes rules
> for INTERNET servers, not SMTP servers in general. It does state that
> servers that are not exposed to the Internet may have their own rules.
> An implementation of SMTP does not then *have* to conform to RFC1123,
> but must if used on the Internet (or is highly recommended by RFC1123).
> So leaving this fact out was, IMO, significantly attempting to leverage
> the quoted section of RFC1123 to support your argument rather than truly
> attempting to describe a standard. Such "tactics" should not be used
> when quoting RFC's, again, IMO.
First of all, as a long-time active participant in the development of IETF standards, I hardly need to be reminded that standards-track RFCs specify standards for the Internet and that such RFCs do not necessarily apply to non-Internet situations. But I was talking specifically about the Internet and nothing else. In fact the very first thing I said in this discussion was:

    Unfortunately almost all of this is wrong insofar as current Internet standards are concerned.

I also changed the subject line of my response to make it clear I was moving the discussion away from Microsoft's compliance or non-compliance and instead trying to clarify some incorrect assertions that had been made about what the standards do or do not require for operation on the Internet. The former is not relevant to this list in my opinion but the latter concerns me greatly, because I often see incorrect reading of the standards leading to non-interoperable behavior on the part of firewalls attached to the Internet.

In other words, your argument here appears to be directed at a strawman of your own creation rather than anything I said.

But even so, there is one assertion you make that I have to refute. The IETF develops standards for the Internet. And there is only one such standard as far as the IETF is concerned for SMTP, and it is the one specified by an entire family of documents -- RFC821, RFC1123, and so on. This collection even has a name: It is called STD10. (Unfortunately the IETF doesn't have a very good way of defining STDs, and the definition given for STD 10 doesn't include the relevant sections of RFC1123. I am going to see if I can't get this corrected.)

But if you're not on the Internet and choose not to follow Internet rules you can do whatever you wish. The IETF doesn't make standards for use anywhere but on the Internet.
As such, this notion that there's some sort of distinction between standards that apply to the Internet only and standards that have some sort of broader applicability is entirely specious. This concept doesn't exist in the standards-making process for the simple reason that the IETF isn't concerned with making standards for things other than the Internet.

This doesn't mean that intranets (or whatever you call non-Internet setups) can't follow Internet standards. They can if they want to. Or they can ignore them all. Or they can reject some and keep others -- conforming to RFC821 but not RFC1123 is one such combination, but there are of course many others. Anything is permissible on the intranet; the IETF just doesn't care (assuming of course that you can get vendors to build the stuff for you).

> Microsoft initially released Exchange 4.0 stating support for
> RFC821/822. They did not claim to be RFC1123 compliant, so their quote
> in KB article Q155684 was, and is, still correct.

You're trotting out another strawman here. I never said a single, solitary word about what Microsoft claimed to support. I neither know nor care what KB article Q155684 is, and I certainly didn't mention any such thing in any of my messages.

> RFC1123 doesn't supercede RFC821 when the system is used off of the Internet.

Nor does RFC821 supersede RFC788 in such a context. Or RFC788 and RFC780. Nothing can supersede anything in a place where the very notion of supersession isn't defined.

> In any event, VRFY was implemented according to RFC1123 in SP3, released
> in October of 1996.
> I verified this against an Exchange 4.0 server
> tonight, receiving the following exchange;
>
> 220 xxxxxx.xxxxxx.xx Microsoft Exchange Internet Mail Connector
> 4.0.995.52
> ready
> 214-Commands:
> 214-    HELO    MAIL    RCPT    DATA    RSET
> 214-    NOOP    QUIT    HELP    VRFY    EXPN
> 214 End of HELP info
> helo fred
> 250 OK
> vrfy Russ.Cooper@rc.on.ca
> 252 Cannot verify user
>
> The IMC version listed is consistent with the SP3 time-frame.

I fail to see what this has to do with any of the points I was trying to make. My only reference to Microsoft in my original message was in a small parenthetical note near the end -- and one which I've already stated was in error. I also speculated subsequently that it might have been 4.0 I had seen anomalous behavior in. It now seems that this speculation was also incorrect. I have been playing around with Exchange ever since the first betas came out and it is entirely possible I saw this in something even earlier. However, if it will make you feel better I will withdraw any assertion I have made as to Exchange ever having produced an incorrect 5xx response at some point.

> Internet Mail Connector had a number of limitations in its initial
> release, but it did not have the focus that came about during the
> balance of 1996. In addition, the issue of whether or not VRFY or EXPN
> should be implemented *still* has not been resolved.

Actually I believe it has been resolved as part of the DRUMS work.

> You yourself admit
> that it shouldn't be there, yet condemn someone else for making a
> similar call.

Not one more strawman but two... I have yet to condemn any implementation as part of this discussion. The closest I have come is to gripe about the general lack of support for EHLO in most firewall implementations. I have tried to discuss what the standards require implementations on the Internet to do and I have tried to discuss what various specific implementations do, but this is light years away from condemning anything.
Nor have I said that support for VRFY should not be there. I did say that I think it is dumb for an SMTP client to use VRFY, but that's not the same thing.

> Clearly there are many issues in RFC1123 that are
> "controversial", and many implementations of various services that do
> not conform to their suggested practices. It could be considered yet
> another example of how RFC compliance is not always the best thing to
> do.

Actually I would disagree that there are many issues in RFC1123 that are all that controversial. VRFY, in particular, seems to me to be one which is handled reasonably well -- it is possible for an SMTP server implementation to adhere to both the letter and intent of the specifications, interoperate properly with all conformant clients out there, and provide complete security.

> Besides, being over 8 years old, its continued "life" is more a
> testament to the number of legacy systems than to its continued value as
> a BCP.

RFC1123 is a full Internet standard. It is not a BCP. (The very concept of BCP didn't exist at the time RFC1123 was written.) And while it might be true that some parts of RFC1123 would probably end up with BCP status if it were reissued now, the discussion of VRFY in RFC1123 isn't such a part. This is demonstrated by the fact that DRUMS is incorporating this part of RFC1123 into a document that will become a proposed standard (PS), not a BCP.

> Robert Braden states in the document that it will be updated to
> reflect the evolution of the stated services, yet this clearly has not
> been done in the last 8 years. In fact, I would go so far as to say that
> RFC1123 has virtually become redundant based on the plethora of RFCs
> covering the various services themselves.

This is certainly true in many cases but does not generalize to all cases. There are many parts of RFC1123 that have not been superseded in other service-specific documents.
Thankfully once DRUMS is done we will have superseded all the parts specific to email, and once that happens we'll have a much leaner and cleaner set of specifications for messaging. I for one am not happy it has taken so long to clean up the specifications for email, but given that I have donated lots of my own time and the company I work for, Innosoft, has donated not only some of my time but the time of other employees (e.g. Chris Newman, the DRUMS chair, works for Innosoft) to email standards work, it isn't something I feel at all guilty about. Like it or not, standards work takes time, and it especially takes time to get consensus when revisions to a service as important as email are being considered.

> Today, it is far more likely you'll receive a 252 from an SMTP server in
> response to a valid query than not, thereby showing that this
> "requirement" of RFC1123 has not been updated to reflect today's
> Internet usage and the choices made by administrators.

This does not make any sense at all. Far from banning the 252 response, it is RFC1123 that introduced this response. An implementation in strict compliance with RFC821 cannot issue a 252 response to VRFY.

> In fact, VRFY is not "turned on" by default in Exchange Server to this
> date, for this very reason. You now get a 252 regardless of whether or
> not the user account exists on the server, can be found by the server,
> or is unknown to the server. There is an option to enable it, but in my
> opinion it's there simply to satisfy those environments that must have it
> turned on for "questionable" reasons (i.e. the French DNS authority).

It sounds like Exchange is doing exactly the right thing then.

> Nevertheless, you should have verified your facts before you went to
> such lengths to prove your point (only to find that it's not been an
> issue for almost a year now).

Russ, you seem to have an agenda here that requires that you take offense where not only was none intended, none was even offered.
And this agenda is leading you to claim that I'm being intentionally misleading in trying to carry over Internet requirements to non-Internet venues, that I'm incorrectly asserting that Microsoft's claims in some publication are incorrect, and so on. But I'm doing none of these things, and frankly it irks me more than a little when you claim that I am. And for various personal reasons I really try to avoid these sorts of confrontational situations whenever possible.

So here's the deal. If you want to calm down and discuss the various technical issues here, either online if they relate to firewalls, or offline if they don't (I think enough of the messages on this list are off-topic without contributing a whole mess of SMTP nuance discussion to the collection), rationally and without all the accusatory hyperbole, I'll be happy to continue this discussion with you or anyone else who is interested. (I've already learned some very interesting things in both online and offline followups.) And if not, well, this discussion with you is over as far as I'm concerned.

Ned

From owner-firewalls-list Thu Oct 2 07:00:00 1997
From: BILL LOWRY
Reply-To: blowry@balch.com
To: Firewalls@GreatCircle.COM
Subject: Firewalls-Digest V6 #473 -Reply
Date: Thu, 02 Oct 1997 08:35:19 -0600

I'm sorry, I'll be in class this week. If you need immediate attention, please contact Eric Hunter.
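The VRFY point in Ned Freed's message above (RFC 821's disclosing 250/550 replies versus the 252 reply that RFC 1123 introduced, which is what the quoted Exchange transcript shows), as an added example that is not part of any message in the thread nor any real MTA's code. The host name and mailbox table are constructed, and the session class handles only the commands needed to replay the exchange.

```python
"""VRFY replies under RFC 821 versus the RFC 1123 privacy option.

Added illustration, not code from Innosoft, Microsoft or any real MTA.
RFC 821 answers VRFY with 250 (mailbox known) or 550 (unknown), which
hands any client a yes/no oracle for account names.  RFC 1123 section
5.2.3 introduced the 252 reply so a server can keep the command while
saying nothing about whether the mailbox exists.  Host name and mailbox
table below are constructed.
"""

LOCAL_HOST = "mail.example.com"                          # constructed
MAILBOXES = {"russ": "Russ Cooper", "ned": "Ned Freed"}  # constructed


def _parse_mailbox(arg):
    """Split 'user', 'user@host' or '<user@host>' into (user, host)."""
    arg = arg.strip().strip("<>")
    user, _, host = arg.partition("@")
    return user.lower(), host.lower()


def vrfy_disclosing(arg):
    """RFC 821 style: the reply code itself reveals whether the mailbox exists."""
    user, host = _parse_mailbox(arg)
    if not user:
        return "501 Syntax error in parameters or arguments"
    if host and host != LOCAL_HOST:
        return "551 User not local"
    if user in MAILBOXES:
        return f"250 {MAILBOXES[user]} <{user}@{LOCAL_HOST}>"
    return "550 String does not match anything"


def vrfy_private(arg):
    """RFC 1123 5.2.3 style: the same 252 reply for known and unknown
    mailboxes, so VRFY is still implemented but leaks nothing."""
    user, _ = _parse_mailbox(arg)
    if not user:
        return "501 Syntax error in parameters or arguments"
    return "252 Cannot VRFY user, but will accept message and attempt delivery"


class SmtpSession:
    """Minimal command dispatcher, enough to replay the HELO/VRFY exchange
    quoted in the thread.  `disclose_vrfy` selects which VRFY policy runs."""

    def __init__(self, disclose_vrfy=False):
        self.vrfy = vrfy_disclosing if disclose_vrfy else vrfy_private

    def handle(self, line):
        """Return the single-line reply for one client command."""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            return f"250 {LOCAL_HOST}"
        if verb == "NOOP":
            return "250 OK"
        if verb == "QUIT":
            return f"221 {LOCAL_HOST} closing connection"
        if verb == "VRFY":
            return self.vrfy(arg)
        return "500 Syntax error, command unrecognized"


def probe(session, names):
    """Return {name: reply code} for a list of VRFY arguments.  Under the
    private policy every code is 252; under the disclosing one they differ
    by whether the name exists, which is exactly the enumeration oracle."""
    return {n: session.handle(f"VRFY {n}")[:3] for n in names}


if __name__ == "__main__":
    s = SmtpSession(disclose_vrfy=False)
    print(s.handle("helo fred"))
    print(s.handle("vrfy Russ.Cooper@rc.on.ca"))
```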
Thanks,
WRL

From owner-firewalls-list Thu Oct 2 07:14:32 1997
From: Andy Lewis
To: firewalls@GreatCircle.COM
Subject: Fire Wall Checklist?
Date: Thu, 2 Oct 1997 08:12:35 -0500 (CDT)

Hello all. I am new to this list and also new to firewalls as well as IPFWADM.

Our network is running all Intels 166-200 with Linux 2.0.x. I am interested in setting up a machine to act as a firewall for the complete network.

Question one: Is there a good source of documentation for beginners using IPFWADM?

Question two: Are there any sites that provide online information and documentation for such a project? Something that may provide a detailed checklist?

Thanks in advance.
Andy

From owner-firewalls-list Thu Oct 2 07:16:30 1997
From: "Jeremy D. Zawodny"
To: "Zilber, Alexey", "'firewalls@greatcircle.com'", "'jkerr2@csc.com'"
Subject: RE: Downfalls of Proxy Server?
Date: Thu, 02 Oct 1997 08:32:22 -0400
Message-Id: <3.0.3.32.19971002083222.00960a90@houinet.hst.moc.com>

At 12:19 PM 10/1/97 -0400, Zilber, Alexey wrote:

> That is exactly how we have it set up. It seems to be working fine,
> and it's mostly transparent to the users. No need for them to clamor at the
> helpdesk with questions on proxy configurations...

We're thinking of trying a similar implementation. A few questions for those who've already done this:

What have you seen in terms of performance? How many users do you have? How big is your pipe to the 'net? Is the proxy running on a box dedicated to just that? What sort of HD, RAM, and CPU setup is on the proxy?

Any info would be greatly appreciated...

Thanks,

Jeremy
--
Jeremy Zawodny
Internet Technology Group
Information Technology Services
Marathon Oil Company, Findlay Ohio
http://www.marathon.com/
Unless explicitly stated, these are my opinions only--not those of my employer.
From owner-firewalls-list Thu Oct 2 09:01:27 1997
From: Brian Mitchell
To: manuel.ricca@pararede.pt
cc: huger@silence.secnet.com, firewalls@GreatCircle.COM
Subject: RE: Re: Milkyway SecurIT - what for?
Date: Thu, 2 Oct 1997 09:52:03 -0400 (EDT)

On 2 Oct 1997 manuel.ricca@pararede.pt wrote:

> My point was that a firewall shouldn't have many inbound ports open anyway. The ones that are open
> are probably either going to the DMZ (for example HTTP) or stopping at the firewall itself (for example SMTP).
> In practice, you will only have well-known services running on well-known ports, so you can expect well-known
> attacks for which you will have well-known defence. So, the method Milkyway is using would apply only
> if the firewall had other services running at other ports, which is definitely not a good security policy altogether,
> and that's what I meant in the previous mail.
> What they are saying is that if you have a hole in your firewall it will be harder for the attacker to find it.
> I still think the hole shouldn't be there to start with.
> Besides, what they are doing can be done with any other firewall anyway (you can define ACL's for all the
> ports if you want). But it can be avoided as well.
>

No, the point is: You want to see who is knocking on your door. You give them lots of services to play with to keep them knocking.
I really advise you to read Firewalls and Internet Security: Repelling the Wily Hacker (Cheswick and Bellovin); it goes into great detail about this sort of thing.

From owner-firewalls-list Thu Oct 2 09:05:58 1997
From: "Greg Collins"
Reply-To: "Greg Collins"
To: "Anna Grieve", "'firewalls@GreatCircle.COM'", "Eric Vyncke"
Subject: Re: Does Winframe need a firewall?
Date: Thu, 2 Oct 1997 07:37:44 -0400
Message-Id: <199710021138.HAA14741@dqisystems.com>

> With your design, if the Winframe server is cracked (the firewall
> does not add a lot of further security except if you are using
> some authentication on the firewall), then the cracker has a much
> broader access to your NT network inside.
>
> Of course, the alternate design may be unsafe IFF your secrets
> (e.g. files, ...) are stored ON the Winframe server
>
> Any comments ?
>
> -eric
>
> Eric Vyncke
> Technical Consultant Cisco Systems Belgium SA/NV
> Phone: +32-2-778.4677 Fax: +32-2-778.4300
> E-mail: evyncke@cisco.com Mobile: +32-75-312.458
>

Citrix does have an Internet security pack available for Winframes connected to the Internet. The primary problem I see is that if your users are not using strong passwords the system is at risk. Once NT security has been bypassed/cracked the attacker would have access to, at a minimum, everything a user does. Worst case, an NT-based "sniffer" could be loaded and the internal LAN traffic "sniffed", or a direct attack could be made on internal resources.

Greg Collins
Data Quest Information Systems
gcollins@dqisystems.com
"I have but one thing which cannot be taken from me, and that is my integrity. It I must give up of my own will."

From owner-firewalls-list Thu Oct 2 09:14:54 1997
Message-ID: <3433B60C.2EE4626B@wwa.com>
Date: Thu, 02 Oct 1997 09:56:12 -0500
From: Richard Dodson
Organization: InterPRO Solutions, Ltd.
X-Mailer: Mozilla 4.03 [en] (WinNT; I)
To: Firewalls@GreatCircle.COM
CC: Jan Zeilinga
Subject: Re: Firewalls on NT

Start at http://www.microsoft.com/ntserver/info/security.htm and in particular http://www.microsoft.com/ntserver/info/secure_NTinstall.htm

+ Get the Windows NT Server Resource Kit ($US150); it has a CD-ROM with utilities you'll probably be interested in.

I also referenced
http://www.ntsecurity.com/A2NT/default.htm
http://www.byte.com/art/9702/sec10/art1.htm
http://www.winntmag.com/issues/Oct96/confront.html

> Against my better judgment the customer wants NT to be the
> be the OS for the firewall (check point 3.0b as the firewall)

I sympathize. I recently had to do the same (hence the research). Please let me know if you find anything I missed.

All the best,
--
Richard Dodson
___________________________________________s k y___
richard@interpro-solutions.com
___________________t h e___
http://www.interpro-solutions.com/
___t o u c h___

From owner-firewalls-list Thu Oct 2 09:30:31 1997
Message-ID: <43BED8177D10D011A69A0800092C15D70BBA64@haig.oplab.nmac.ericsson.se>
From: Robert Ståhlbrand
To: "'khearn@gte.net'"
Cc: "'firewalls@greatcircle.com'"
Subject: RE: what ports to pass for exchange/outlook
Date: Thu, 2 Oct 1997 16:07:13 +0200
X-Mailer: Internet Mail Service (5.0.1457.3)

Ehh...you mean mail to your Exchange server??? Port 25 SMTP of course! No matter what mail server (sendmail, Exchange....) you run.

Outlook? Will users on the Internet read mail through your firewall?? Not very likely, is it? Then Outlook has nothing to do with this.

/Robert Ståhlbrand

> -----Original Message-----
> From: khearn [SMTP:khearn@gte.net]
> Sent: den 2 oktober 1997 11:03
> To: Firewalls (E-mail)
> Subject: what ports to pass for exchange/outlook
>
> does anyone know what ports I need to leave open for Microsoft
> Exchange and
> Outlook so the Internet access to the exchange server is possible?

From owner-firewalls-list Thu Oct 2 09:37:19 1997
Message-ID: <32528D2F.1DEC0EC@public.cq.sc.cn>
Date: Wed, 02 Oct 1996 23:41:35 +0800
From: "HuangMin(Tunny)"
To: firewalls@GreatCircle.COM
Subject: Any suggestions?
Hello, sir,

I'm using a FreeBSD 2.2.2 system, and now I'd like to install a firewall on it. Do you have any suggestions? Which firewall system is the most powerful now?

Huang Min

From owner-firewalls-list Thu Oct 2 10:29:27 1997
From: "Davidson, Grover"
To: firewalls@GreatCircle.COM
Subject: SAP Gateway
Date: Thu, 2 Oct 1997 11:05:00 -0500
Message-Id: <199710021614.LAA15936@gatewayb.anheuser-busch.com>

Hi all!

Does anyone here know anything about the SAP Internet gateway?
Thanks,
Grover

From owner-firewalls-list Thu Oct 2 11:00:13 1997
From: Hung Vu
To: firewalls@GreatCircle.COM
Cc: huger@silence.secnet.com, manuel.ricca@pararede.pt
Subject: Re: Milkyway SecurIT - what for?
Date: Thu, 02 Oct 1997 11:58:38 -0400
Message-Id: <2.2.32.19971002155838.0098e290@jupiter.milkyway.com>

> Date: 02 Oct 97 11:27:49 +0000
> From: manuel.ricca@pararede.pt
> Subject: RE: Re: Milkyway SecurIT - what for?
>
> My point was that a firewall shouldn't have many inbound ports open anyway. The ones that are open
> are probably either going to the DMZ (for example HTTP) or stopping at the firewall itself (for example SMTP).
> In practice, you will only have well-known services running on well-known ports, so you can expect well-known
> attacks for which you will have well-known defence. So, the method Milkyway is using would apply only
> if the firewall had other services running at other ports, which is definitely not a good security policy altogether,
> and that's what I meant in the previous mail.
> What they are saying is that if you have a hole in your firewall it will be harder for the attacker to find it.
> I still think the hole shouldn't be there to start with.
> Besides, what they are doing can be done with any other firewall anyway (you can define ACL's for all the
> ports if you want). But it can be avoided as well.

"All ports accept communication" does not mean you have to have any service serving the port. It's done at the system level (hardened kernel for both Unix and NT) to confuse the intruder and to log all the invalid requests through the firewall. Would you rather have a firewall that can tell you that it is under attack or one that simply doesn't know?

We simply offer an easy-to-use feature enabling our users to monitor and log all accesses through the firewall without having to configure ACLs 64K times. This feature can be turned off if the user does not want it.

BTW, the worst attacks are the not-so-well-known ones ;-)

Hung.

From owner-firewalls-list Thu Oct 2 14:17:18 1997
From: Hugo Leonardo Wolff Souza
To: Andy Lewis
cc: firewalls@GreatCircle.COM
Subject: Re: Fire Wall Checklist?
Date: Thu, 2 Oct 1997 16:11:30 -0300 (EST)

Try this page: http://sunsite.unc.edu/LDP/HOWTO/Firewall-HOWTO.html

Hugo

On Thu, 2 Oct 1997, Andy Lewis wrote:

> Hello all. I am new to this list and also new to firewalls
> as well as IPFWADM.
> Our network is running all Intels 166-200 with Linux 2.0.x.
> I am interested in setting up a machine to act as a firewall
> for the complete network.
> Question one: Is there a good source of documentation for
> beginners using IPFWADM?
> Question two: Are there any sites that provide online
> information and documentation for such a project?
> Something
> that may provide a detailed checklist?
> Thanks in advance.
> Andy

-- # Hugo - hugo@aleph.com.br - Estacao Aleph Internet Link #

From owner-firewalls-list Thu Oct 2 14:28:00 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA02692; Thu, 2 Oct 1997 12:13:46 -0700 (PDT) Received: from syr.edu (syr.edu [128.230.1.49]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id MAA02579; Thu, 2 Oct 1997 12:13:12 -0700 (PDT) Received: from pm by syr.edu (8.8.5/CNS) id OAA22945; Thu, 2 Oct 1997 14:56:47 -0400 (EDT) Message-ID: <3433F274.C6FB1DC6@syr.edu> Date: Thu, 02 Oct 1997 15:13:56 -0400 From: Peter Morissey X-Mailer: Mozilla 4.01 [en] (WinNT; I) MIME-Version: 1.0 To: firewalls@greatcircle.com, firewalls-digest@greatcircle.com Subject: Protecting Novell Servers X-Priority: 3 (Normal) Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

What are some good solutions for protecting Novell servers? We have a 100 Mbps Novell server farm and 10 megabit networks that have individuals that we need to deny access to some of the servers. Is there a TCP Wrapper equivalent for Novell servers? Are there firewall solutions that perform well at 100 Mbps? We know we can do this on our Cisco 7513, but are afraid that it will have a significant performance hit on the whole router. If Cisco supported Netflow for IPX, this might be a possibility. The Karlbridge products would probably do what we want, which is to prevent devices on one network from accessing servers on another network. We can't deny access from the whole network because there are usually a few devices that we want to give access to servers on the target network. With the Karlbridge we would have to have one for each of the 10 megabit networks that we are denying access from, and given how difficult it is to manage and configure the Karlbridges, this is not an option.

Pete M.
From owner-firewalls-list Thu Oct 2 14:31:54 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA08933; Thu, 2 Oct 1997 09:24:15 -0700 (PDT) Received: from pse01.pios.com (PSE01.PIOS.COM [199.33.129.2]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id JAA08532 for ; Thu, 2 Oct 1997 09:22:07 -0700 (PDT) Received: by pse01.pios.com; (5.65v3.2/1.3/10May95) id AA15786; Thu, 2 Oct 1997 12:22:22 -0400 Received: from vaxa.PIOS.COM (vaxa.PIOS.COM) by gemini.pios.com (PMDF V5.0-6 #18985) id <01IOBXKMO4DC8WZIA6@gemini.pios.com> for firewalls@GreatCircle.com; Thu, 02 Oct 1997 12:22:56 -0400 (EDT) Received: from ghost (192.168.14.150) by PIOS.PIOS.COM (PMDF V5.0-6 #18984) id <01IOBXITIIKW8Y64ID@PIOS.PIOS.COM> for firewalls@GreatCircle.com; Thu, 02 Oct 1997 12:21:30 -0400 (EDT) Date: Thu, 02 Oct 1997 09:22:03 -0700 From: Bill Stout Subject: Re: !NSA, Call for Papers X-Sender: stoutb@192.168.0.37 To: firewalls@GreatCircle.com Message-Id: <2.2.32.19971002162203.010c7840@192.168.0.37> Mime-Version: 1.0 X-Mailer: Windows Eudora Pro Version 2.2 (32) Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

At 06:07 PM 9/29/97 -0400, Sick Puppy wrote:
>How do the TIS Gauntlets have to be set up to permit the virtual private
>network? What has to be done to them?

Ports for PPTP:
  1723/tcp (Session Control)
  5678/tcp (Legacy port) - No longer used
  GRE (Generic Routing Encapsulation - RFC 1701/1702)

For a Cisco:

  interface serial 0
  ...
   ip access-group 101 in
  ...
  access-list 101 permit gre any host x.x.x.x
  access-list 101 permit tcp any host x.x.x.x eq 1723

For a Gauntlet: Use a generic plug-gw for 1723, then there's that GRE thingie... ?:^?>

>Can the CyberCop, NFR and NSA thingy see inside of our virtual private
>network?

Encrypted links/VPNs are protected from analysis, as long as traffic is still in the VPN where the IDS is watching.
If the network uses switches, the IDS either needs to be connected to a monitoring port on the switch, or has to be connected to each segment off the switch. Just like a packet analyzer. Packet analyzers or IDS systems can see inside cleartext packets, but cannot see inside encrypted packets. You need a different piece of NSA gear for that. Hmm, wait a minute, PPTP has not proven itself yet cryptographically, has it? Your X-33 (Aurora?) Dawgplane _is_ more stealthy if you fly inside pipes. Next project: making stealth pipes. Bill Stout http://www.geocities.com/researchtriangle/3372/ Temp site. From owner-firewalls-list Thu Oct 2 14:32:20 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA26664; Wed, 1 Oct 1997 23:27:58 -0700 (PDT) Received: from garanti1.garanti.com.tr (garanti1.garanti.com [194.54.51.100]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id XAA26485 for ; Wed, 1 Oct 1997 23:27:21 -0700 (PDT) Received: from Mailhub by garanti1.garanti.com.tr id AA25672; Thu, 2 Oct 1997 09:27:38 +0400 Received: from GarantiUser by GarantiMailServer id AA04326; Thu, 2 Oct 1997 09:28:58 +0400 Received: from [10.0.4.106] by manage1.fw.garanti.com.tr (AIX 4.1/UCB 5.64/4.03) id AA09368; Fri, 3 Oct 1997 09:09:39 +0400 Message-Id: <3433BC74.6577@garanti.com.tr> Date: Thu, 02 Oct 1997 08:23:32 -0700 From: Cihan Subasi Reply-To: csubasi@garanti.com.tr Organization: Garanti Ticaret X-Mailer: Mozilla 3.0Gold (Win16; I) Mime-Version: 1.0 To: "Schlueter, Ian" Cc: firewalls-digest@GreatCircle.COM Subject: Re: High Availability between two HPUX 10.20 FW1 machines References: <714D6BA7BBF1D0118A510060B0673BD31D4880@az101-nt-msx2.avnet.com> Content-Type: text/plain; charset=iso-8859-9 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Schlueter, Ian wrote: > > I am attempting to utilize the synchronization capabilities of FW1 ver > 3.0b to implement "high-availability" and I am running into a 
> problem.
>
> I have two HPUX C100's configured identically. Installed are a total of
> four network interfaces in each.
>
> Interface 1: to the Internet
> Interface 2: to the intranet
> Interface 3: to the DMZ
> Interface 4: to the "firewall sync network"
>
> The firewall sync network only has the two firewalls on it, I am using a
> non-internet routable "test" range to address that segment. The
> firewalls each have an entry in the /etc/fw/conf/sync.conf file
> pointing to their counterpart.
>
> Here is the problem:
>
> I am continuously seeing a "Got Connection from firewall-1"
> then immediately seeing a "End Connection from firewall-1"
>
> These messages appear simultaneously on both firewall consoles. Logs
> appear to be shared, but state tables only seem to be shared part of the
> time.
>
> Checkpoint suggested that if the two machines system clocks were more
> than 5 seconds out of synchronization that it could cause this problem.
> We set the clocks to the same time, and tested, still no luck. We even
> installed ntp between them and it did not change the results.
>
> Anyone have any ideas?
>
> - - -/ W. Ian Schlueter ian.schlueter@avnet.com
> - - / Project Manager, Global Internet/intranet support
> - -/ Avnet, Inc. Chandler, AZ
> - / (602) 940-5977

We had the same problem and we stopped using the backup firewall; it is said that they will fix this problem very soon....
-- 
*************************************************************
Cihan Subasi Garanti Ticaret AS Istanbul/Turkey
email: csubasi@garanti.com.tr tel : +902126570404 ext 2422 fax: +902126570473
*************************************************************

From owner-firewalls-list Thu Oct 2 14:34:32 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA18691; Thu, 2 Oct 1997 14:11:00 -0700 (PDT) Received: from blackhole1.tactik.com (bgs1.tactik.com [206.47.15.2]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id OAA18638 for ; Thu, 2 Oct 1997 14:10:39 -0700 (PDT) X-Authentication-Warning: ceb.qc.ca: Host [204.101.110.173] claimed to be 6706hvw4p750 Message-ID: <34340DF2.68E@tactik.com> Date: Thu, 02 Oct 1997 17:11:14 -0400 From: Alex Fournier Reply-To: afournie@tactik.com X-Mailer: Mozilla 3.01Gold (WinNT; I) MIME-Version: 1.0 To: firewalls@greatcircle.com Subject: RE: what ports to pass for exchange/outlook Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Actually, I have a setup (sorry, customer wants a setup) where the Exchange client would be on the opposite side of the firewall from the Exchange server... So although it's not very likely, what ports would then be used?? (Does any NetBIOS over IP need to be travelling across the firewall?? Or what?? What information do the Exchange client and server exchange, and how??) Being a Unix child, I'm just ignorant when it comes to NT and Exchange, so any help or pointers would be appreciated.

Robert Ståhlbrand wrote:
>
> Ehh...you mean mail to your exchange-server??? Port 25 SMTP of course!
> No matter what mail-server (sendmail, exchange....) you run.
> Outlook? Will user on internet read mail through your firewall?? Not
> very likely is it? Then Outlook has nothing to do with this.
>
> /Robert Stahlbrand
>
> > -----Original Message-----
> > From: khearn [SMTP:khearn@gte.net]
> > Sent: den 2 oktober 1997 11:03
> > To: Firewalls (E-mail)
> > Subject: what ports to pass for exchange/outlook
> >
> > does anyone know what ports I need to leave open for Microsoft
> > Exchange and
> > Outlook so the Internet access to the exchange server is possible?

-- 
Alex Fournier Unix and Network consultant

From owner-firewalls-list Thu Oct 2 14:34:42 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id WAA13035; Wed, 1 Oct 1997 22:27:42 -0700 (PDT) Received: from hkt005.hkt.net ([205.252.130.220]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id WAA12873 for ; Wed, 1 Oct 1997 22:27:11 -0700 (PDT) Received: from comexp.hkcg.com ([202.84.208.3]) by hkt005.hkt.net (Netscape Mail Server v2.02) with SMTP id AAA23482 for ; Thu, 2 Oct 1997 13:27:44 +0800 Received: by comexp.hkcg.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BCCF37.2D8ABFF0@comexp.hkcg.com>; Thu, 2 Oct 1997 13:29:15 +0800 Message-ID: From: "Denis Koo N.C."
To: "'firewalls@GreatCircle.COM'" Date: Thu, 2 Oct 1997 13:29:14 +0800 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

remove

From owner-firewalls-list Thu Oct 2 16:38:23 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA22478; Thu, 2 Oct 1997 11:10:57 -0700 (PDT) Received: from ns.csg.stercomm.com ([204.214.3.7]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id LAA22284 for ; Thu, 2 Oct 1997 11:10:09 -0700 (PDT) From: sarah_mcardle@csg.stercomm.com Received: ns.csg.stercomm.com id AA14965; Thu, 2 Oct 1997 12:08:36 -0500 Message-Id: <9710028758.AA875812756@csg.stercomm.com> X-Mailer: ccMail Link to SMTP R6.01.01 Date: Thu, 02 Oct 97 09:26:32 -0600 To: Subject: Security Seminars Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Just How Safe Is Your Information?

Join us for our free Fall information security seminars in the following cities:

10/14/97  Boston, MA          Hyatt Regency Cambridge
10/15/97  New York, NY        Sheraton New York
10/16/97  Tyson's Corner, VA  Reston Sheraton
10/17/97  Washington, DC      Wyndam Bristol
10/21/97  Dallas, TX          Westin Galleria
10/22/97  Chicago, IL         Sutton Place Chicago
10/23/97  San Francisco, CA   Hyatt Fisherman's Wharf
10/24/97  Orange County, CA   Hyatt Regency Alicante

You may register by phone 1-888-868-1099, or register online at www.csg.stercomm.com/connect. The seminars will be held from 8:30 am until 12:30 pm. You can enjoy a complimentary continental breakfast while you learn about the next generation in security technologies. You will discover what you need to do to secure your enterprise, and ensure your users' confidentiality of information.

8:30 a.m.      Registration & Continental Breakfast
9:00 - 9:15    Welcome from Sterling Commerce
9:15 - 9:45    Defend Your Enterprise: Security is much more than access control. Identify the multiple levels of security essential to protect your enterprise - authentication, authorization, confidentiality, integrity, administration and management
9:45 - 10:30   Conceal Your Information Part 1: Learn about the benefits of combining Public Key and Roles-Based Cryptography to provide cost effective, scalable, and manageable encryption for thousands of users
10:30 - 10:45  Break
10:45 - 11:15  Conceal Your Information Part 2: Preview a real world encryption implementation
11:15 - 12:00  Fortify Your Network: Discover the benefits of implementing a firewall to provide perimeter protection, user access control, and timely intrusion detection

From owner-firewalls-list Thu Oct 2 19:29:56 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id RAA28540; Thu, 2 Oct 1997 17:48:25 -0700 (PDT) Received: from relay2.UU.NET (relay2.UU.NET [192.48.96.7]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id RAA23774 for ; Thu, 2 Oct 1997 17:18:52 -0700 (PDT) Received: from maestro.Maestro.COM by relay2.UU.NET with SMTP (peer crosschecked as: [198.102.66.11]) id QQdjoz25988; Thu, 2 Oct 1997 20:20:14 -0400 (EDT) Received: from localhost by maestro.Maestro.COM (4.1/MAESTRO-0.1/07-03-93) id AA10792; Thu, 2 Oct 97 20:18:31 EDT Date: Thu, 2 Oct 1997 20:18:31 -0400 (EDT) From: Sick Puppy To: firewalls@GreatCircle.com Subject: Just wondering - pipeline computer firewalls? Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Not too long ago I had a lot of free time to think about things and I became somewhat familiar with the Galaxy Pipeline Computer (rough translation) developed at Tokyo University. For about $20,000 they built a pipeline computer that models the interactions of thousands of stars within a galaxy with the speed of a Cray supercomputer. The computer only performs one function - that set of calculations.
The instructions are broken down into sets of about 200 instructions and each set is hard coded on a different chip. There are hundreds of chips (processors) and the output of one chip is the direct input of the next. One calculation with blazing speed. It seems to me that firewalls are not incredibly complex machines and it should be possible to break the instructions into sets and hard code them on hundreds of processors. Such a machine should be able to keep up with a T3 line quite easily. Anybody looking at this? Sick Puppy, the Cat_Eating_Dawg From owner-firewalls-list Thu Oct 2 19:45:32 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id RAA26651; Thu, 2 Oct 1997 17:36:52 -0700 (PDT) Received: from relay6.UU.NET (relay6.UU.NET [192.48.96.16]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id RAA26594 for ; Thu, 2 Oct 1997 17:36:37 -0700 (PDT) Received: from cwiz.com by relay6.UU.NET with SMTP (peer crosschecked as: [208.210.163.10]) id QQdjpa27331; Thu, 2 Oct 1997 20:37:54 -0400 (EDT) Received: by cwiz.com (SMI-8.6/SMI-SVR4) id TAA09879; Thu, 2 Oct 1997 19:37:26 -0500 Date: Thu, 2 Oct 1997 19:37:26 -0500 From: mdb@dosmanos.cwiz.com (Martin D. Baldenegro) Message-Id: <199710030037.TAA09879@cwiz.com> To: Ian.Schlueter@avnet.com, csubasi@garanti.com.tr Subject: RE: High Availability between two HPUX 10.20 FW1 machines Cc: firewalls-digest@GreatCircle.COM X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Ian, There seems to be a problem with the synchronization of FW-1, if you are looking for HA for your firewall, you may want to take a look at the HA+ solution from Qualix that uses FW-1 (http://www.qualix.com/html/ha_firewall.html) Regards, /Martin Schlueter, Ian wrote: > > I am attempting to utilize the synchronization capabilities of FW1 ver > 3.0b to implement "high-availability" and I am running into a problem. > > I have two HPUX C100's configured identically. 
Installed are a total of > four network interfaces in each. > > Interface 1: to the Internet > Interface 2: to the intranet > Interface 3: to the DMZ > Interface 4: to the "firewall sync network" > > The firewall sync network only has the two firewalls on it, I am using a > non-internet routable "test" range to address that segment. The > firewalls each have an entry in the /etc/fw/conf/sync.conf file > pointing to their counterpart. > > Here is the problem: > > I am continuously seeing a "Got Connection from firewall-1" > then immediately seeing a "End Connection from firewall-1" > > These messages appear simultaneously on both firewall consoles. Logs > appear to be shared, but state tables only seem to be shared part of the > time. > > Checkpoint suggested that if the two machines system clocks were more > than 5 seconds out of synchronization that it could cause this problem. > We set the clocks to the same time, and tested, still no luck. We even > installed ntp between them and it did not change the results. > > Anyone have any ideas? > > - - -/ W. Ian Schlueter ian.schlueter@avnet.com > - - / Project Manager, Global Internet/intranet support > - -/ Avnet, Inc. 
Chandler, AZ > - / (602) 940-5977 From owner-firewalls-list Thu Oct 2 20:03:34 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id SAA16716; Thu, 2 Oct 1997 18:54:15 -0700 (PDT) Received: from inet03.citec.qld.gov.au (inet03.citec.qld.gov.au [203.5.10.10]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id SAA16705 for ; Thu, 2 Oct 1997 18:53:51 -0700 (PDT) Received: by inet03.citec.qld.gov.au; id LAA25144; Fri, 3 Oct 1997 11:54:05 +1000 Received: from guru.citec.qld.gov.au(147.132.20.47) by inet03.citec.qld.gov.au via smap (3.2) id xma024945; Fri, 3 Oct 97 11:53:36 +1000 Received: (from sgcccdc@localhost) by guru.citec.qld.gov.au (8.6.12/8.6.12) id LAA30021; Fri, 3 Oct 1997 11:58:33 +1000 From: Colin Campbell Message-Id: <199710030158.LAA30021@guru.citec.qld.gov.au> Subject: Re: Re: Milkyway SecurIT - what for? To: brian@firehouse.net (Brian Mitchell) Date: Fri, 3 Oct 1997 11:58:32 +1000 (EST) Cc: firewalls@GreatCircle.COM In-Reply-To: from "Brian Mitchell" at Oct 2, 97 09:52:03 am X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk My mailer thinks Brian Mitchell said: > [stuff deleted] > > You want to see who is knocking on your door. You give them lots of > services to play with to keep them knocking. I really advise you read > Firewalls and Internet Security: Repelling the Wily Hacker (Cheswick and > Bellovin) it goes into great detail about this sort of thing. > Of course if you are running something like Gauntlet, the packet filters pick up this sort of activity anyway and log it without the ports actually being open. 
Colin

From owner-firewalls-list Thu Oct 2 20:15:00 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id TAA21456; Thu, 2 Oct 1997 19:27:45 -0700 (PDT) Received: from shell.firehouse.net (shell.firehouse.net [209.42.203.45]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id TAA21449 for ; Thu, 2 Oct 1997 19:27:38 -0700 (PDT) Received: from localhost (brian@localhost) by shell.firehouse.net (8.8.5/8.8.5) with SMTP id WAA29799; Thu, 2 Oct 1997 22:28:31 -0400 (EDT) Date: Thu, 2 Oct 1997 22:28:26 -0400 (EDT) From: Brian Mitchell To: Colin Campbell cc: firewalls@GreatCircle.COM Subject: Re: Re: Milkyway SecurIT - what for? In-Reply-To: <199710030158.LAA30021@guru.citec.qld.gov.au> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Fri, 3 Oct 1997, Colin Campbell wrote:
> My mailer thinks Brian Mitchell said:
>
> > [stuff deleted]
> >
> > You want to see who is knocking on your door. You give them lots of
> > services to play with to keep them knocking. I really advise you read
> > Firewalls and Internet Security: Repelling the Wily Hacker (Cheswick and
> > Bellovin) it goes into great detail about this sort of thing.
> >
> Of course if you are running something like Gauntlet, the packet filters
> pick up this sort of activity anyway and log it without the ports actually
> being open.
>
> Colin
>

Not enough information. With something like that, you would know, for instance, that someone connected to portmapper. You wouldn't know what procedure they tried calling. Logging port accesses just doesn't do the trick, in my opinion. You usually want something more. With portmapper, for instance, you can provide a number of fake honeypot services. Anything using Unix authentication will pass a user id. That can be valuable information (knowing full well it is client-side specifiable, and therefore not trustable).
Knowing what services the prober is interested in is also valuable information. Knowing that they are trying to talk portmapper into executing an RPC call for them is also valuable information. This is just an example of information that can be gleaned from one service. There are a multitude of examples, although portmapper is one of the most useful.

From owner-firewalls-list Thu Oct 2 20:29:44 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA14931; Thu, 2 Oct 1997 13:39:40 -0700 (PDT) Received: from mail.baileynm.com (fw.baileynm.com [206.109.159.11]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id NAA14905 for ; Thu, 2 Oct 1997 13:39:24 -0700 (PDT) Received: (qmail 22384 invoked from smtpd); 2 Oct 1997 20:39:17 -0000 Received: from web.nmti.com (root@198.178.0.201) by fw.nmti.com with SMTP; 2 Oct 1997 20:39:17 -0000 Received: from baileynm.com (grendel.nmti.com [198.178.0.150]) by web.nmti.com (8.6.12/8.6.9) with SMTP id PAA10545 for ; Thu, 2 Oct 1997 15:39:17 -0500 Received: by baileynm.com; (5.65v3.2/1.1.8.2/08Sep97-0924AM) id AA21896; Thu, 2 Oct 1997 15:41:35 -0500 Date: Thu, 2 Oct 1997 15:41:35 -0500 From: Peter da Silva Message-Id: <9710022041.AA21896@baileynm.com> To: firewalls@greatcircle.com Subject: Free plug daemon. Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I've written a little "plug proxy" daemon and released it under a Berkeley style license. It's nowhere near as sophisticated as the one in the firewall toolkit, but for most purposes it's much simpler to set up and use.
http://www.taronga.com/plugdaemon.shar

From owner-firewalls-list Thu Oct 2 21:14:57 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA14514; Wed, 1 Oct 1997 12:22:49 -0700 (PDT) Received: from gate (gate.mcc.net [209.29.243.10]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id MAA14264 for ; Wed, 1 Oct 1997 12:22:04 -0700 (PDT) Received: from a01fs002.nsci.net ([10.1.1.20]) by gate.mcc.net with ESMTP id <324845-23315>; Wed, 1 Oct 1997 13:22:41 -0600 Received: by A01FS002.mcc.net with Internet Mail Service (5.0.1458.49) id ; Wed, 1 Oct 1997 13:22:31 -0600 Message-ID: From: "Paquette, Trevor" To: "'Andrzej Blaszczyk'" , firewalls-digest@GreatCircle.COM Subject: RE: PC-Anywhere - Custom Protocol? Date: Wed, 1 Oct 1997 13:22:28 -0600 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.49) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

This was not an issue with the client who requested this. Security was not an issue for them, even after we told them of the risks. They are willing to accept the risks. I've never set up encryption on pcANYWHERE so I'm not a lot of help on this. Anyone else?

> -----Original Message-----
> From: Andrzej Blaszczyk [SMTP:A.Blaszczyk@supermedia.pl]
> Sent: Wednesday, September 24, 1997 1:36 AM
> To: firewalls-digest@GreatCircle.COM
> Subject: RE: PC-Anywhere - Custom Protocol?
>
> > Date: Mon, 22 Sep 1997 12:27:34 -0600
> > From: "Paquette, Trevor"
> > Subject: RE: PC-Anywhere - Custom Protocol?
>
> > pcANYWHERE can be used through
> >
> > TCP Port 5631
> > UDP Port 5632
>
> > Works for us.
>
> Great. What kind of encryption do you use in your PCA? I think it is
> quite
> important to use any encryption in WAN. There are several options:
> pcANYWHERE, Symmetric or Public-Key to choose from. Do you know any
> specification of pcANYWHERE encryption level? What kind of security am
> I
> supposed to obtain using Symmetric encryption.
Hmmm... looks like a > few > questions. There is one more. Do you know how to run Public-Key > encryption > on PCA? > > I will appreciate any help from you > regards, > Andrzej Blaszczyk > A.Blaszczyk@supermedia.pl > SuperMedia CUI > ul. Senatorska 13/15 > tel. +48 22 8280979 ext 172 (fax: 102) From owner-firewalls-list Thu Oct 2 21:27:57 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA27741; Thu, 2 Oct 1997 15:12:50 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id PAA27719 for ; Thu, 2 Oct 1997 15:12:42 -0700 (PDT) Received: from pse01.pios.com by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id PAA09397; Thu, 2 Oct 1997 15:07:22 -0700 (PDT) Received: by pse01.pios.com; (5.65v3.2/1.3/10May95) id AA03208; Thu, 2 Oct 1997 18:12:56 -0400 Received: from vaxa.PIOS.COM (vaxa.PIOS.COM) by gemini.pios.com (PMDF V5.0-6 #18985) id <01IOC9T9LFEO8WZRMJ@gemini.pios.com> for firewalls@greatcircle.com; Thu, 02 Oct 1997 18:13:30 -0400 (EDT) Received: from ghost (192.168.14.150) by PIOS.PIOS.COM (PMDF V5.0-6 #18984) id <01IOC9RG2WS08Y607Q@PIOS.PIOS.COM> for firewalls@greatcircle.com; Thu, 02 Oct 1997 18:12:03 -0400 (EDT) Date: Thu, 02 Oct 1997 15:12:36 -0700 From: Bill Stout Subject: Encryption future? X-Sender: stoutb@192.168.0.37 (Unverified) To: firewalls@GreatCircle.COM Message-Id: <2.2.32.19971002221236.00af0058@192.168.0.37> Mime-Version: 1.0 X-Mailer: Windows Eudora Pro Version 2.2 (32) Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk It seems that the government has a perception that crypto _will_ be controlled through key escrow and export restrictions. 
I think no one knows the answer to these questions: Does anyone know if strong encryption (SSL, PGP, VPN) systems will be 'grandfathered' into legality, or will strong encryption systems have to be replaced with damaged versions? In other words, will today's 128-bit VPN routers/firewalls/tunnel servers/webservers need to be swapped out by law, in the near future? I'd rather keep existing 128-bit systems in place than do 'key escrow' or weak encryption. Bill Stout Below is the background for asking: ______________________________________________________________________ Extract from Fight Censorship Announce list: Date: Thu, 02 Oct 1997 17:20:05 -0400 Subject: FC: Crypto-continuation in Washington: FBI/DoJ keep up the pressure Sender: owner-fight-censorship-announce@vorlon.mit.edu X-Fc-Url: Fight-Censorship is at http://www.eff.org/~declan/fc/ Crypto is hot in Washington. Don't think the battle's over; it's just beginning: * This afternoon when the Senate Intelligence committee met to consider a new CIA deputy director, Sen. Bob Kerrey said "there's a real urgency" to get an encryption bill passed. (Presumably, that would be his bill, the "Key Escrow Infrastructure" McCain-Kerrey/S.909.) * Last week Janet Reno talked at her weekly press conference about balancing law enforcement rights with privacy rights -- through mandatory domestic key escrow. * Yesterday Louis Freeh spoke at length before the House International Relations committee about the spread of nuclear weapons... and reminded committee members about the problems the FBI has with nonescrowed crypto... * Sen. Jon "Mandatory Domestic Key Escrow" Kyl said on Sunday that the Clinton administration's export controls on crypto were *not tight enough*... 
From owner-firewalls-list Thu Oct 2 21:29:15 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id QAA08496; Wed, 1 Oct 1997 16:46:25 -0700 (PDT) Received: from gtwau301.anz.com ([203.61.224.11]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id QAA08413 for ; Wed, 1 Oct 1997 16:45:59 -0700 (PDT) Received: by gtwau301.anz.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52) id <01BCCF18.1DA50510@gtwau301.anz.com>; Thu, 2 Oct 1997 09:46:54 +1000 Message-ID: X-MS-TNEF-Correlator: From: "Gasparini, Edy" To: "Firewalls@GreatCircle.COM" , Jay Bahel Subject: RE: Security Plan/Policy Date: Thu, 2 Oct 1997 09:44:04 +1000 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52 MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="---- =_NextPart_000_01BCCF18.1DA68BB0" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible.

------ =_NextPart_000_01BCCF18.1DA68BB0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

On Thursday, 25 September 1997 7:40, Jay Bahel[SMTP:jbahel@mcs.net] wrote:
> Does anyone out there have any template or web-site to point to for building a security plan for a business.

Try http://www.dsd.gov.au/

./edy gasparini (...the thing I miss most is my mind).
------ =_NextPart_000_01BCCF18.1DA68BB0
Content-Type: application/ms-tnef
Content-Transfer-Encoding: base64

------ =_NextPart_000_01BCCF18.1DA68BB0--

From owner-firewalls-list Thu Oct 2 21:29:47 1997
Received: (majordom@localhost) by honor.greatcircle.com
(8.8.5/Honor-Lists-970926-1) id QAA10444; Wed, 1 Oct 1997 16:56:53 -0700 (PDT) Received: from denver.denversys.com ([208.203.232.2]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id QAA10384 for ; Wed, 1 Oct 1997 16:56:39 -0700 (PDT) Received: by DENVER with Internet Mail Service (5.0.1458.49) id <4BYPW3A8>; Wed, 1 Oct 1997 19:56:29 +0100 Message-ID: From: Stephen Greenwalt To: "'David LeBlanc'" , osiris@gnss.com Cc: firewalls@GreatCircle.COM Subject: RE: Microsoft vs The world (apology) Date: Wed, 1 Oct 1997 19:56:27 +0100 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.49) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

This is all due to the channel feature, with push technology, and it is completely configurable by the end user: it can be shut off. There is nothing shady going on here. However, I still don't know what to think of it . . . it might be nice for people at 28.8 who don't want to sit there waiting for pages to load. But, I wonder if the 'automatic' nature of this technology opens up any potential security risks . . . also, another concern . . . I think it is very likely to increase bandwidth usage. I can see lots of irrelevant information being downloaded for no reason.

Steve Greenwalt

> -----Original Message-----
> From: David LeBlanc [SMTP:dleblanc@iss.net]
> Sent: Monday, September 15, 1997 3:10 PM
> To: osiris@gnss.com
> Cc: firewalls@GreatCircle.COM
> Subject: Re: Microsoft vs The world (apology)
>
> At 10:47 9/15/97 -0700, you wrote:
>
> >In this morning's newspaper (reference follows), I found an article of some interest. In it, there was an interview with a beta tester of IE 4.0. Apparently, IE 4.0 - if left unattended - will routinely initiate a connection to Microsoft. Purportedly, this feature (not a bug, a feature) allows updates and special web pages to be downloaded while the user is away from the terminal (busy, asleep, etc.) These updates are then stored on the hard disk drive of the user. According to the beta tester:
>
> >"I...discovered that my computer had connected itself to the Internet...I was completely freaking out. I pulled the phone plug right out of the wall."
>
> Odd - I've had IE 4.0 on my home box for some weeks, and it has never once taken it upon itself to call my ISP and connect to MS. I haven't really monitored what it does while on line extremely carefully, and I haven't taken any special precautions to prevent this from happening, either. It is possible this is because I don't have any of the "pointcast" junk turned on - blew up first time I tried it, and I haven't fooled with it since.
>
> Perhaps "freaking out" users may not be the most reliable source of info. Although I'd certainly be displeased if it did start dialing home, I can think of less destructive ways to stop this behavior than yanking on wires.
>
> >More bizarre yet is this: in addition to the 250K download, his machine also UPLOADED 58,000 bytes of information. The beta tester reported that he did not know what data had been uploaded.
>
> Be interesting to see what it is doing - it could be just requests and that sort of thing.
>
> >I am wondering this: suppose such a box was located behind a firewall but was allowed outside access. Does this not constitute an EXTREME security risk? If 4.0 is capable of uploading information from a local drive of a 95 box, it can presumably do this from badly managed shares as well, no?
>
> No telling. IMHO, we need to examine this a bit before we get cranked about it. Be interesting to see if it can be duplicated, then log the traffic.
>
>
> -----------------------------------------------------------
> David LeBlanc | Voice: (770)395-0150 x138
> Internet Security Systems, Inc. | Fax: (404)395-1972
> 41 Perimeter Center East | E-Mail: dleblanc@iss.net
> Suite 660 | www: http://www.iss.net/
> Atlanta, GA 30328 |

From owner-firewalls-list Thu Oct 2 21:31:59 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id SAA14775; Thu, 2 Oct 1997 18:43:44 -0700 (PDT) Received: from hotmail.com (F29.hotmail.com [207.82.250.40]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id QAA18957 for ; Thu, 2 Oct 1997 16:59:34 -0700 (PDT) Received: (qmail 21972 invoked by uid 0); 3 Oct 1997 00:00:38 -0000 Message-ID: <19971003000038.21971.qmail@hotmail.com> Received: from 207.115.229.147 by www.hotmail.com with HTTP; Thu, 02 Oct 1997 17:00:38 PDT X-Originating-IP: [207.115.229.147] From: "Matrix Venus" To: Firewalls@GreatCircle.COM Content-Type: text/plain Date: Thu, 02 Oct 1997 17:00:38 PDT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

remove

______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com

From owner-firewalls-list Thu Oct 2 21:33:53 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id UAA24928; Wed, 1 Oct 1997 20:57:25 -0700 (PDT) Received: from balch.com (mail.balch.com [205.241.1.36]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id UAA24918 for ; Wed, 1 Oct 1997 20:57:08 -0700 (PDT) Received: from BALCHBHM-Message_Server by balch.com with Novell_GroupWise; Wed, 01 Oct 1997 22:59:35 -0600 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Wed, 01 Oct 1997 22:59:10 -0600 From: BILL LOWRY Reply-To: blowry@balch.com To: Firewalls@GreatCircle.COM Subject: Firewalls-Digest V6 #472 -Reply Mime-Version: 1.0 Content-Type: text/plain Content-Disposition: inline Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I'm sorry, I'll be in class this week. If you need immediate attention, please contact Eric Hunter.
Thanks,
WRL

From owner-firewalls-list Thu Oct 2 21:33:56 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA09519; Wed, 1 Oct 1997 14:22:21 -0700 (PDT) Received: from rohan.btg.com (rohan.btg.com [199.29.53.67]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id MAA21600 for ; Wed, 1 Oct 1997 12:56:08 -0700 (PDT) Received: from fsapc.btg.com (home1.sanderson.btg.com [204.176.118.201]) by rohan.btg.com (8.8.5/8.7.3) with SMTP id PAA10213; Wed, 1 Oct 1997 15:56:37 -0400 (EDT) Message-Id: <3.0.3.32.19971001154620.00b9ec30@pop.ssmg.com> X-Sender: scot@pop.ssmg.com X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Wed, 01 Oct 1997 15:46:20 -0400 To: "Schlueter, Ian" From: Scot Anderson Subject: Re: High Availability between two HPUX 10.20 FW1 machines Cc: firewalls-digest@GreatCircle.COM In-Reply-To: <714D6BA7BBF1D0118A510060B0673BD31D4880@az101-nt-msx2.avnet .com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have set up the synchronized feature and found the same sort of message in my logs. I just went ahead and tested them, and found the feature to work. If you're "out" for long periods of time, I would be inclined to sample that firewall-sync network to see what's going on.

In my implementation, I had the same networks attached to both machines and had one "master" the other to ensure identical rule sets for them. I ran the sync traffic over one of the operational networks ( one with physical security associated with it, internal to my networks ). It was quite a nice surprise to see it work.

I hear that it's not a bad idea to reboot the machines periodically and flush the state tables in the process (remove everything in ${FWDIR}/state/ ).. Particularly if you are in the habit of connecting to a unix security module from Win95/WinNT clients.

At 09:28 AM 9/30/97 -0700, you wrote:
>I am attempting to utilize the synchronization capabilities of FW1 ver 3.0b to implement "high-availability" and I am running into a problem.
>
>I have two HPUX C100's configured identically. Installed are a total of four network interfaces in each.
>
> Interface 1: to the Internet
> Interface 2: to the intranet
> Interface 3: to the DMZ
> Interface 4: to the "firewall sync network"
>
>
>The firewall sync network only has the two firewalls on it, I am using a non-internet routable "test" range to address that segment. The firewalls each have an entry in the /etc/fw/conf/sync.conf file pointing to their counterpart.
>
>Here is the problem:
>
>I am continuously seeing a "Got Connection from firewall-1" then immediately seeing a "End Connection from firewall-1"
>
>These messages appear simultaneously on both firewall consoles. Logs appear to be shared, but state tables only seem to be shared part of the time.
>
>Checkpoint suggested that if the two machines system clocks were more than 5 seconds out of synchronization that it could cause this problem. We set the clocks to the same time, and tested, still no luck. We even installed ntp between them and it did not change the results.
>
>
> Anyone have any ideas?
>
>
>- - -/ W. Ian Schlueter ian.schlueter@avnet.com
>- - / Project Manager, Global Internet/intranet support
>- -/ Avnet, Inc. Chandler, AZ
>- / (602) 940-5977
>
>

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQA/AwUBNDKojDMEsrBG2tSvEQIdGACaA9IfXOZErVE5hln7lg8AXpYqD78AoLkL
eP9CJ/CL8cSDqxoZQzffMDJM
=kS7z
-----END PGP SIGNATURE-----

---------------------------------------------------------
Scot Anderson | Voice: 703-383-7950 | www.btg.com/[~scot]

From owner-firewalls-list Thu Oct 2 21:36:13 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA15852; Thu, 2 Oct 1997 10:21:09 -0700 (PDT) Received: from lox.sandelman.ottawa.on.ca (lox.sandelman.ottawa.on.ca [205.233.54.146]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id KAA15748 for ; Thu, 2 Oct 1997 10:20:36 -0700 (PDT) Received: from istari.sandelman.ottawa.on.ca (istari.sandelman.ottawa.on.ca [205.233.54.136]) by lox.sandelman.ottawa.on.ca (8.8.7/8.8.7) with ESMTP id NAA06985 for ; Thu, 2 Oct 1997 13:39:57 -0400 (EDT) Received: from istari.sandelman.ottawa.on.ca ([[UNIX: localhost]]) by istari.sandelman.ottawa.on.ca (8.7.5/8.7.3) with ESMTP id NAA10710 for ; Thu, 2 Oct 1997 13:17:38 -0400 (EDT) Message-Id: <199710021717.NAA10710@istari.sandelman.ottawa.on.ca> To: firewalls@greatcircle.com Subject: Re: Milkyway SecurIT - what for? In-reply-to: Your message of "02 Oct 1997 11:27:49 -0000." Date: Thu, 02 Oct 1997 13:17:31 -0400 From: "Michael C. Richardson" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----

[I had to reformat your very long line text]

manuel> My point was that a firewall shouldn't have many inbound
manuel> ports open anyway. The ones that are open are probably

It doesn't open 64k ports. That would be silly and wasteful. It has one port open that listens to all ports not otherwise listened to.

Remember: it runs on a secure OS, with a modified TCP/IP stack. It used to ship with all relevant vendor patches installed, and it used to install from CD.
Expecting users to install a dozen vendor patches before the firewall, is not a good idea, nor is installing the whole OS! I understand that the NT and Solaris versions have changed this... one reason why I can't recommend it anymore. The only firewall that I know of that ships with the OS included is now Secure Computing/BorderWare.

One feature of BlackHole (I'm sorry. The new names suck) is that it allows one to write a rule that allows all services. So a policy might read:

use telnet or HTTP for single sign on.
once signed on ("transparent mode"), allow all outgoing services.
BUT, no HTTP to www.playboy.com, and no IRC during business hours.
no Pointcast ever, due to bandwidth and security considerations

manuel> previous mail. What they are saying is that if you have a
manuel> hole in your firewall it will be harder for the attacker to
manuel> find it. I still think the hole shouldn't be there to start
manuel> with. Besides, what they are doing can be done with any
manuel> other firewall anyway (you can define ACL's for all the
manuel> ports if you want).

But it can be avoided as well. There are two ways to avoid giving away your security policy:

1. try and always return RST to intruders as if the service was not there. but, you have to connect to legitimate people, so you risk false *negatives* which is a denial of service.

2. always bring up a connection, providing false positives.

At one point, however, a SYN scan would cause the log system to go overboard, and it would take several hours to catch up. I think this got fixed by detecting the scan earlier.

I do not believe that there is any defense against SYN spamming, despite claims by Milkyway Networks. It would be easy for them to add, since they already have the TCP/IP stack source.

:!mcr!: | Network security programming, currently
Michael Richardson | on contract with SSH IPSEC (http://www.ssh.fi/)
WWW: mcr@sandelman.ottawa.on.ca. PGP key available.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface

iQB1AwUBNDPXKKZpLyXYhL+BAQHsQAL9GzNed4qW6CpMxp/rzRCtFe3vK5l/35lY
T4U849dnehOeU/HaAgDIxzZ0VvsDwTUUhhUg4qEryWBdIjrZAB5i38szv9oHRg2v
/8cZeCd+8qPz7X1goE6/Y0ORwjVAo1HQ
=OKMX
-----END PGP SIGNATURE-----

From owner-firewalls-list Thu Oct 2 22:00:51 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id QAA08848; Wed, 1 Oct 1997 16:48:25 -0700 (PDT) Received: from athena.compulink.gr (athena.compulink.gr [195.242.129.99]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id QAA08757 for ; Wed, 1 Oct 1997 16:47:57 -0700 (PDT) Received: from macman.compulink.gr (pppath136.compulink.gr [195.242.130.136]) by athena.compulink.gr (8.8.7/COMPULINK-3.0) with SMTP id BAA13468 for ; Thu, 2 Oct 1997 01:42:48 +0200 (EET) Message-Id: <3.0.1.32.19971002025313.00aeec7c@athena.compulink.gr> X-Sender: macman@athena.compulink.gr X-Mailer: Windows Eudora Light Version 3.0.1 (32) Date: Thu, 02 Oct 1997 02:53:13 +0200 To: firewalls@greatcircle.com From: Emmanouil Magos Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

remove

From owner-firewalls-list Thu Oct 2 22:14:56 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA24294; Wed, 1 Oct 1997 15:31:15 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id PAA24204 for ; Wed, 1 Oct 1997 15:30:51 -0700 (PDT) Received: from cayman.gblhorizon.com by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id OAA20063; Wed, 1 Oct 1997 14:29:36 -0700 (PDT) Received: (from kenj@localhost) by cayman.gblhorizon.com (8.8.7/8.8.7) id RAA22105; Wed, 1 Oct 1997 17:34:42 -0400 (PDT) Date: Wed, 1 Oct 1997 14:34:41 -0700 (PDT) From: Ken Jones To: firewalls@GreatCircle.COM In-Reply-To:
<199710010807.KAA00182@bast.gis.de> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

remove

From owner-firewalls-list Fri Oct 3 00:46:14 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA28962; Thu, 2 Oct 1997 23:20:27 -0700 (PDT) Received: from fw4.tns.co.za (fw4.tns.co.za [196.4.160.32]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id XAA28803 for ; Thu, 2 Oct 1997 23:19:48 -0700 (PDT) Received: by fw4.tns.co.za; id IAA18120; Fri, 3 Oct 1997 08:20:42 +0200 (SAT) Message-Id: <199710030620.IAA18120@fw4.tns.co.za> Received: from unknown(89.0.3.186) by fw4.tns.co.za via smap (V3.1.1) id xma018102; Fri, 3 Oct 97 08:20:13 +0200 Reply-To: From: "Billy Verreynne" To: Subject: Re: Just wondering - pipeline computer firewalls? Date: Fri, 3 Oct 1997 08:18:36 +0200 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1155 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> Sick Puppy wrote:
> Not too long ago I had a lot of free time to think about things

Now this is definitely scary... :-)

> It seems to me that firewalls are not incredibly complex machines and it should be possible to break the instructions into sets and hard code them on hundreds of processors. Such a machine should be able to keep up with a T3 line quite easily.

I think the major problem with this approach is complexity. It's much more complex designing hardware than software. Software is cheaper to develop, easier to maintain and change. Software life cycles are also much shorter than hardware life cycles - which usually means larger sales volumes. And would there be a market for firewall hardware? Most corporates are reluctant to try new technologies.

> Anybody looking at this?
Not a bad idea I think, but one that would only work (IMHO) if a network hardware vendor bundles this type of firewall hardware with their bridges and routers.

regards,
Billy

From owner-firewalls-list Fri Oct 3 01:17:03 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id AAA13901; Fri, 3 Oct 1997 00:38:23 -0700 (PDT) Received: from threewiz.demon.co.uk (threewiz.demon.co.uk [158.152.116.88]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id AAA13869 for ; Fri, 3 Oct 1997 00:38:13 -0700 (PDT) Received: from monaco (unverified [192.168.1.2]) by monaco.kimble.co.uk (EMWAC SMTPRS 0.83) with SMTP id ; Thu, 02 Oct 1997 23:48:12 +0100 Message-ID: From: "David Harvey-George" To: "Non Receipt Notification Requested" Subject: Re: Milkyway SecurIT - what for? Date: Thu, 2 Oct 1997 23:37:32 +0100 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1155 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

----------
> From: Alfred Huger
> To: manuel.ricca@pararede.pt
> Cc: Non Receipt Notification Requested
> Subject: Re: Milkyway SecurIT - what for?
> Date: Wednesday, October 01, 1997 7:29 PM
>
>
>
> On 24 Sep 1997 manuel.ricca@pararede.pt wrote:
>
> >
> >
> > Hello everybody,
> > Here is a quotation from Milkyway's insufficiently documented website:
> >
> > "All Ports Accept Communications
> >
> > An effective way to protect a system from unauthorized access is to prevent an intruder from learning anything about the system. As described, port scanning normally provides an intruder with exploitable information about a system. However, if all the would-be intruder learns is that all ports are accepting communications the intruder is no further ahead. There is nothing to distinguish one port from another. No new information is gained."
> >
> > What??? Is this supposed to be an idiot-security-manager-proof measure? At the expense of performance (has to)?
> > Or did I just miss the point here?
>
>
> You missed the point, completely. The reason the Milkyway Firewall keeps all its ports listening is to confuse port scanners. When a user performs a scan, they find *all* ports listening and therefore have no easily definable targets.
>
> It also rings bells for the Firewall Admin so he/she can see he/she is being scanned. It's not a panacea, nor is it a poor idea. Honeypots and fake services are an important part of any perimeter system IMO. The longer you keep a would-be intruder poking the more of a chance you stand of noticing the activity.
>
> In fact, we wrote a similar utility at our company just for kicks to see what we would get. The service is a fake portmapper which returns a number of fake services. Any requests to the portmapper or to the services are packet logged. We manage to log 3 or 4 people a week door knocking, handy stuff really.
>
> rpcinfo -p silence.secnet.com
>
> /*************************************************************************
> Alfred Huger Phone: 403.262.9211
> Secure Networks Inc. Fax: 403.262.9221
> **************************************************************************/

From owner-firewalls-list Fri Oct 3 03:15:05 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA16589; Fri, 3 Oct 1997 02:57:55 -0700 (PDT) Received: from aragorn.ind.mh.se (aragorn.ind.mh.se [193.10.112.2]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id CAA16406 for ; Fri, 3 Oct 1997 02:57:18 -0700 (PDT) Received: from s403d7.ind.mh.se (s403d7 [193.10.112.97]) by aragorn.ind.mh.se (8.8.5/8.8.5) with ESMTP id LAA20152 for ; Fri, 3 Oct 1997 11:58:07 +0200 (MET DST) Message-Id: <490.875872519.514720.7261@> Date: Fri, 3 Oct 1997 11:55:19 +0200 From: Jens Askengren To: Reply-To: Jens Askengren X-Importance: normal X-Sensitivity: normal X-Priority: normal X-Mailer: TeamWARE Embla 2.02, Final, Build: 64 MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Content-ID: <31770.875872519.514740.18945@> Content-Disposition: inline Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

remove

From owner-firewalls-list Fri Oct 3 03:51:19 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id DAA21877; Fri, 3 Oct 1997 03:23:25 -0700 (PDT) Received: from out1.ibm.net (out1.ibm.net [165.87.194.252]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id DAA21792 for ; Fri, 3 Oct 1997 03:23:03 -0700 (PDT) Received: from noam (slip139-92-89-68.tel.il.ibm.net [139.92.89.68]) by out1.ibm.net (8.8.5/8.6.9) with ESMTP id KAA48468 for ; Fri, 3 Oct 1997 10:23:56 GMT Message-ID: <3434C779.7987040A@israelmail.com> Date: Fri, 03 Oct 1997 12:22:49 +0200 From: Noam Rathaus X-Mailer: Mozilla 4.01 [en] (Win95; I) MIME-Version: 1.0 To: firewalls@GreatCircle.COM Subject: Re: what ports to pass for exchange/outlook X-Priority: 3 (Normal) References: <34340DF2.68E@tactik.com> Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Sender:
firewalls-owner@GreatCircle.COM Precedence: bulk

Alex Fournier wrote:
>
> Actually,
>
> I have a setup (sorry, customer wants a setup) where the Exchange client would be on the opposite side of the firewall than the Exchange server... So although it's not very likely, what ports would then be used ?? (any NetBIOS over IP need to be travelling across the firewall?? or what?? What information do the Exchange client and server exchange and how??) Being a Unix child, I'm just ignorant when it comes to NT and Exchange so any help or pointers would be appreciated.
>
> Robert Ståhlbrand wrote:

Unless configured otherwise, it will use port 139, (RPC) and then a dynamic address above 1024 (TCP). If you want to make them static, there is a knowledge base article, look for firewall access and microsoft exchange server.

--
Thanks
Noam Rathaus
NT / Exchange / Network Administrator.
Certified CNA/MSCE - Site Builder Network 2
Israel
mailto://dolittle@israelmail.com
UIN: 486098 (http://www.mirabilis.com)

From owner-firewalls-list Fri Oct 3 06:00:08 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA07958; Fri, 3 Oct 1997 05:46:08 -0700 (PDT) Received: from habanero.jmu.edu (habanero.jmu.edu [134.126.71.35]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id FAA07924; Fri, 3 Oct 1997 05:45:54 -0700 (PDT) Message-Id: <199710031245.FAA07924@honor.greatcircle.com> Received: by habanero.jmu.edu (1.37.109.16/16.2) id AA131392404; Fri, 3 Oct 1997 08:40:04 -0400 Date: Fri, 3 Oct 1997 08:40:04 -0400 From: gary flynn To: Firewalls@GreatCircle.COM, owner-firewalls-list@GreatCircle.COM Subject: Re: Williamsburg Security Seminar Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Please send full agenda of Williamsburg security seminar.
Thanks,
Gary Flynn
Network Analyst
James Madison University

From owner-firewalls-list Fri Oct 3 06:30:41 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA10453; Fri, 3 Oct 1997 06:17:12 -0700 (PDT) Received: from relay.hq.tis.com (relay.hq.tis.com [192.94.214.100]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id GAA10428 for ; Fri, 3 Oct 1997 06:17:03 -0700 (PDT) Received: by relay.hq.tis.com; id JAA19042; Fri, 3 Oct 1997 09:23:10 -0400 (EDT) Received: from clipper.hq.tis.com(10.33.1.2) by relay.hq.tis.com via smap (4.0) id xma019031; Fri, 3 Oct 97 09:22:49 -0400 Received: from gildor.hq.tis.com (firewall-user@relay.hq.tis.com [10.33.1.1]) by clipper.hq.tis.com (8.7.5/8.7.3) with SMTP id JAA04921 for ; Fri, 3 Oct 1997 09:14:31 -0400 (EDT) Message-Id: <3.0.3.32.19971003091517.0072e520@localhost> X-Sender: avolio@localhost X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Fri, 03 Oct 1997 09:15:17 -0400 To: firewalls@greatcircle.com From: Frederick M Avolio Subject: Firewalls BoF at Interop Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Internet Firewalls Birds-of-a-Feather
Wednesday, Oct. 8 @ 8:00 pm-10:00 pm
GWCC, Room 260W

From owner-firewalls-list Fri Oct 3 07:24:38 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA16690; Fri, 3 Oct 1997 07:09:46 -0700 (PDT) Received: from dns.wye.com (dns.wye.com [38.219.43.43]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id HAA16627 for ; Fri, 3 Oct 1997 07:09:25 -0700 (PDT) Received: from wyent.wyepriv.com (wyent.wyepriv.com [192.168.0.25]) by dns.wye.com (8.8.5/8.8.5) with ESMTP id JAA09256 for ; Fri, 3 Oct 1997 09:10:39 -0400 Received: by wyent.wyepriv.com with Internet Mail Service (5.0.1458.49) id ; Fri, 3 Oct 1997 10:17:49 -0400 Message-ID: <714A163EDA9ED01194DB0040339040C610FB5E@wyent.wyepriv.com> From: Gregory Wilkins To: Firewall Newsgroup Subject: Plug Help Date: Fri, 3 Oct 1997 10:17:47 -0400 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.49) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I am assuming that I could support a user with the plug-gw that needs to use his/her AOL program to connect to AOL via the Internet. I know that AOL uses TCP/IP as one of the dialers, and indeed it does work on the "public" net, but has anyone created a plug to do this (e.g.: does anyone have any samples that they might be able to send me, showing how they did this?). I've tried to put the plug in myself, but it continues not to work. Please help. I've got a user (one of my bosses) who needs to access his AOL account. Please - no flames about how bad, stupid, etc AOL is - I'm not wanting to debate that issue at all.
Thanks in advance -Greg From owner-firewalls-list Fri Oct 3 07:30:09 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA18964; Fri, 3 Oct 1997 07:19:09 -0700 (PDT) Received: from mail.the-wire.com (mail.the-wire.com [198.53.192.5]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id HAA18754 for ; Fri, 3 Oct 1997 07:18:33 -0700 (PDT) Received: from psyche.the-wire.com (psyche [198.53.192.2]) by mail.the-wire.com (8.8.7/8.8.7) with ESMTP id KAA21699; Fri, 3 Oct 1997 10:19:12 -0400 (EDT) Received: from anton.the-wire.com (anton.the-wire.com [205.206.32.227]) by psyche.the-wire.com (8.8.6/8.8.7) with SMTP id KAA18289; Fri, 3 Oct 1997 10:19:46 -0400 (EDT) Message-Id: <3.0.32.19971003082727.007b3790@mail.the-wire.com> X-Sender: anton@mail.the-wire.com X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Fri, 03 Oct 1997 10:23:02 -0400 To: Sick Puppy From: Anton J Aylward Subject: Re: Just wondering - pipeline computer firewalls? Cc: firewalls@greatcircle.com Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 08:18 PM 02/10/97 -0400, you wrote: ## Reply Start ## >It seems to me that firewalls are not incredibly complex machines >and it should be possible to break the instructions into sets and hard >code them on hundreds of processors. Such a machine should be able to >keep up with a T3 line quite easily. Blech! As the guy said, those who are doomed to repeat history haven't studied it. Just as the special purpose chips which once were designed for signal processing have been booted from our repertoire by things like the pentium and power PC - FASTER general purpose processing and economies of scale, as it is with routers and firewalls. 
In case you hadn't noticed, and I'm sure there are some people involved on the list who can amplify this, even before the great explosion in ISPs and Sprint, MCI and AT&T getting in on the act (say around 1990), the NSF T-3 backbone was handled by ANS, who ran it on the old, slow (by today's standards) RS/6000s.

Now if you say that firewall policy and filtering slows things down, right. But ANS ran a policy based routing system - NSF and CO+RE. I think the additional processing is comparable.

No, a lot of the poor performance is because of linear algorithms. See for example the Network Systems BorderGuard. It uses a regular off the shelf CPU, but does not degrade as filtering is added. It also has what might be described as the "4GL" of filter languages - Molitor's response to Chapman's paper on the evils of filtering. Its internal algorithms are "parallel", so adding filter statements doesn't degrade it.

Elsewhere, we have things like Bernstein's qmail and Weitze's vmail, which make use of multi-threading to offer very significant improvements in speed over vendor distributed mail transfer agents.

On a personal note: many decades ago when I was learning at the feet of the masters, Kernighan and Plauger and Ritchie, I learnt two important things.

1. Get it right first, then make it faster.
2. Speed is entirely a function of the algorithm, not coding tricks.

I look at the marketplace, at Risks digest, and I'm convinced we still haven't got to stage 1 yet. Until we do, I don't think my toaster needs an operating system, especially not one with a graphical interface. Same for my camera, my lawn mower, my dishwasher (bless her dainty little hands and cute buns ;-) (she probably says the same thing about me) and many other instruments which have served me well.
Which, I suppose, means there is a need for special purpose processing, but not necessarily using semiconductors ;-)

/anton

## Reply End ##

--------------------------------------------------------------------------
"The Singapore government isn't interested in controlling information, but wants a gradual phase-in of services to protect ourselves. It's not to control, but to protect the citizens of Singapore. In our society, you can state your views, but they have to be correct."
- Ernie Hai, coordinator of the Singapore Government Internet Project

** Anton J Aylward * The Strahn & Strachan Group Inc   Voice: (416) 494-8661
** Information Security Consultants ****               Fax: (416) 494-8803

From owner-firewalls-list Fri Oct 3 08:01:08 1997
From: "ga97001@public.js.hb.cn"
To: firewalls@GreatCircle.COM
Date: Fri, 03 Oct 1997 22:28:39 +0800
Subject: (no subject)
Message-ID: <34350117.1B3E@public.js.hb.cn>

remove

From owner-firewalls-list Fri Oct 3 08:53:19 1997
From: "Ayal S. Bida"
To: firewalls@GreatCircle.COM
Date: Fri, 03 Oct 1997 11:25:01 -0400
Message-ID: <3.0.2.32.19971003112501.007b9100@ican.net>

remove

From owner-firewalls-list Fri Oct 3 09:02:06 1997
From: mbeech@csc.ragroup.co.uk
To: Firewalls@greatcircle.com
Date: Fri, 3 Oct 1997 15:48:06 +0100
Subject: TCP Ports
Message-ID: <0000AC3C.1453@csc.ragroup.co.uk>

Is there a definitive list of TCP port numbers and their functions? Over the past couple of months I have logged attempts to connect to our systems on ports 1054, 2149, 5632, 1496, 1526 as well as the more identifiable telnets, nfs, etc.
Thanks for any help

Martin Beech

From owner-firewalls-list Fri Oct 3 09:15:16 1997
From: Phil Glatz
To: firewalls-digest@GreatCircle.COM
Date: Fri, 03 Oct 1997 07:51:40 -0700
Subject: IE 4 security hole?
Message-ID: <3.0.3.32.19971003075140.007fa450@glatz.com>

Does anyone have any more information on this?

The channel definition format (.CDF) http://www.microsoft.com/standards/cdf-f.htm includes a LOGTARGET feature that allows a web site provider to make your browser deliver logs of your usage via an http post or put. Even hits from cache are logged. This is all not so good and getting worse. Not only is the information posted material you wouldn't want to give to a provider, (considering) "http post/put" is normally spoofable anyway.
From owner-firewalls-list Fri Oct 3 10:15:39 1997
From: Lee Mann
To: mbeech@csc.ragroup.co.uk
Cc: Firewalls@GreatCircle.COM
Date: Fri, 3 Oct 1997 12:58:18 -0400 (EDT)
Subject: Re: TCP Ports
In-Reply-To: <0000AC3C.1453@csc.ragroup.co.uk>

Take a look at:

ftp://venera.isi.edu/in-notes/iana/assignments/port-numbers

On Fri, 3 Oct 1997 mbeech@csc.ragroup.co.uk wrote:

> Is there a definitive list of TCP port numbers and their functions? Over the
> past couple of months I have logged attempts to connect to our systems on ports
> 1054, 2149, 5632, 1496, 1526 as well as the more identifiable telnets, nfs, etc.
>
> Thanks for any help
>
> Martin Beech

Lee
---
Lashley H. Mann II | UUcom, Inc.
Email: lmann@uucom.com | Voice: 703.461.1350 | Fax: 703.461.1360

From owner-firewalls-list Fri Oct 3 10:32:20 1997
From: pawlik@comarch.pl
To: Firewalls@GreatCircle.COM
Date: Fri, 03 Oct 1997 19:21:47 +0200
Message-ID: <3.0.32.19971003192146.0069b018@omicron.comarch.pl>

remove

From owner-firewalls-list Fri Oct 3 10:46:46 1997
From: "Jeremy D. Zawodny"
To: mbeech@csc.ragroup.co.uk, Firewalls@GreatCircle.COM
Date: Fri, 03 Oct 1997 13:41:30 -0400
Subject: Re: TCP Ports
In-Reply-To: <0000AC3C.1453@csc.ragroup.co.uk>
Message-ID: <3.0.3.32.19971003134130.009744d0@houinet.hst.moc.com>

At 03:48 PM 10/3/97 +0100, mbeech@csc.ragroup.co.uk wrote:
>Is there a definitive list of TCP port numbers and their functions? Over the
>past couple of months I have logged attempts to connect to our systems on ports
>1054, 2149, 5632, 1496, 1526 as well as the more identifiable telnets, nfs, etc.

Other than in /etc/services, I believe so. The Internet Assigned Numbers Authority (IANA), I *think*, is who maintains such a list.

Jeremy
--
Jeremy Zawodny
Internet Technology Group
Information Technology Services
Marathon Oil Company, Findlay Ohio
http://www.marathon.com/
Unless explicitly stated, these are my opinions only--not those of my employer.

From owner-firewalls-list Fri Oct 3 12:00:47 1997
From: Scott Lupfer
To: mbeech@csc.ragroup.co.uk, Firewalls@greatcircle.com
Date: Fri, 03 Oct 1997 11:58:30 -0600
Subject: Re: TCP Ports
Message-ID: <2.2.32.19971003175830.006f3774@denver.ssds.com>

Try the following site:

http://www.con.wesleyan.edu/~triemer/network/docservs.html

Scott

At 03:48 PM 10/3/97
+0100, mbeech@csc.ragroup.co.uk wrote:
>Is there a definitive list of TCP port numbers and their functions? Over the
>past couple of months I have logged attempts to connect to our systems on ports
>1054, 2149, 5632, 1496, 1526 as well as the more identifiable telnets, nfs, etc.
>
>Thanks for any help
>
>Martin Beech

Scott Lupfer
Network Engineer
SSDS, Inc
4065 Sinton Road Suite 201
Colorado Springs, CO 80907
Phone (719) 630-0100 ext 104
Pager (888) 284-0286
Leaders in IT Architecture for Networked Solutions

From owner-firewalls-list Fri Oct 3 12:20:32 1997
From: "Melford John"
Date: Fri, 3 Oct 1997 17:39:12 +0100
Message-ID: <199710031633.RAA15709@clyde>

remove

From owner-firewalls-list Fri Oct 3 12:27:30 1997
From: mgetter@advstaff.com
To: greg@wye.com
Cc: firewalls@GreatCircle.COM
Date: Fri, 3 Oct 1997 12:35:50 -0400
Subject: Re: Plug Help
Message-ID: <85256525.005B1965.00@art-ntsrv01.advstaff.com>

Check http://www.tis.com/support

There is a document there with instructions for setting up the Plug-GW with AOL as the example.

greg@wye.com on 10/03/97 10:17:47 AM

To: firewalls@GreatCircle.COM
cc: (bcc: Marc A Getter/Systems/ART/Advantage)
Subject: Plug Help

I am assuming that I could support a user with the plug-gw that needs to use his/her AOL program to connect to AOL via the Internet. I know that AOL uses TCP/IP as one of the dialers, and indeed it does work on the "public" net, but has anyone created a plug to do this (e.g., does anyone have any samples that they might be able to send me, showing how they did this?). I've tried to put the plug in myself, but it continues not to work. Please help. I've got a user (one of my bosses) who needs to access his AOL account. Please - no flames about how bad, stupid, etc. AOL is - I'm not wanting to debate that issue at all.
Thanks in advance

-Greg

From owner-firewalls-list Fri Oct 3 12:31:27 1997
From: Chris Lonvick
To: mbeech@csc.ragroup.co.uk, Firewalls@GreatCircle.COM
Date: Fri, 03 Oct 1997 13:17:21 -0500
Subject: Re: TCP Ports
Message-ID: <2.2.32.19971003181721.008b4b88@localhost>

Hi Martin,

RFC-1700 is the definitive guide. You can also look at IANA.

http://www.iana.org/iana/assignments.html
ftp://ftp.isi.edu/in-notes/iana/assignments/port-numbers

Hope this helps,

Chris Lonvick
Cisco Systems Corporate Consulting
Houston, TX
+1.713.778.5663

At 03:48 PM 10/3/97 +0100, mbeech@csc.ragroup.co.uk wrote:
>Is there a definitive list of TCP port numbers and their functions? Over the
>past couple of months I have logged attempts to connect to our systems on ports
>1054, 2149, 5632, 1496, 1526 as well as the more identifiable telnets, nfs, etc.
>
>Thanks for any help
>
>Martin Beech

From owner-firewalls-list Fri Oct 3 12:48:45 1997
From: Stephen McLarey
Organization: ON Technology - Cambridge
To: mbeech@csc.ragroup.co.uk
Cc: firewalls@greatcircle.com (Firewall list)
Date: Fri, 3 Oct 1997 14:17:00 -0400
Subject: TCP Ports
Message-ID: <5D909F3801D40000@c2smtp.on.com>

======== Original Message ========
Is there a definitive list of TCP port numbers and their functions? Over the past couple of months I have logged attempts to connect to our systems on ports 1054, 2149, 5632, 1496, 1526 as well as the more identifiable telnets, nfs, etc.

Thanks for any help

Martin Beech
======== Fwd by: Stephen McLar ========

Get a copy of RFC 1700. This lists all the standard ports.
 _\|/_
 (o o)
****oOO-(_)-OOo******************************************
* Stephen McLarey   Senior Firewall Support Engineer    *
* ON Technology Corporation                             *
* Customer Support Line 800 407 7453                    *
* mailto: smclarey@on.com                               *
* http://www.on.com                                     *
*********************************************************

From owner-firewalls-list Fri Oct 3 12:52:08 1997
From: Brian Betterton
To: mbeech@csc.ragroup.co.uk, Firewalls@GreatCircle.COM
Date: Fri, 03 Oct 1997 14:00:43 -0400
Subject: Re: TCP Ports
In-Reply-To: <0000AC3C.1453@csc.ragroup.co.uk>
Message-ID: <3.0.2.32.19971003140043.006a09ec@199.0.193.11>

At 03:48 PM 10/3/97 +0100, mbeech@csc.ragroup.co.uk wrote:
>Is there a definitive list of TCP port numbers and their functions? Over the
>past couple of months I have logged attempts to connect to our systems on ports
>1054, 2149, 5632, 1496, 1526 as well as the more identifiable telnets, nfs, etc.
>
>Thanks for any help
>
>Martin Beech

A good source for this sort of information is:

ftp://ftp.isi.edu/in-notes/iana/assignments/

Check port-numbers first. The file has port/protocols, what it is and most points of contact. Lots of the stuff have RFCs referring to them.

brian
=======================================================
Brian D. Betterton                email: <brian_betterton@ins.com>
Network Systems Consultant        http://www.ins.com
International Network Services    voice: (617) 376-2450 x244
300 Crown Colony Drive            fax: (617) 376-2458
Quincy, MA 02169

From owner-firewalls-list Fri Oct 3 13:31:41 1997
From: jon tobin
To: Firewalls@GreatCircle.com
Date: Fri, 3 Oct 1997 16:27:46 -0400 (EDT)
Subject: RFC Index?

Not firewalls related, but is there a good Index of RFCs that is searchable?

phleshitally: jonathan tobin
digitally: www.dyabolyk.com

Czech out version two of the site, eh?
From owner-firewalls-list Fri Oct 3 13:46:57 1997
From: Daniel Mavrakis
Organization: Monaco Telematique MC-TEL
To: mbeech@csc.ragroup.co.uk
Cc: Firewalls@greatcircle.com
Date: Fri, 03 Oct 1997 20:44:24 +0100
Subject: Re: TCP Ports
References: <0000AC3C.1453@csc.ragroup.co.uk>
Message-ID: <34354B17.89A94974@mctel.fr>

Hi Martin,

The port number assignments are managed by IANA (Internet Assigned Numbers Authority). You can find the updated list of well-known, registered and private ports at:

ftp://ftp.isi.edu/in-notes/iana/assignments/port-numbers

Looking at this file you will find the assignments and contact points for ports 1496, 1526, 5632. The other ports (such as 1054 or 2149) do not seem assigned (but that does not mean they are not used; unfortunately some software is sloppy and uses any available -or not so available- port for its specific needs without bothering to request an assignment).

liberty-lm        1496/tcp    liberty-lm
liberty-lm        1496/udp    liberty-lm
#                             Jim Rogers
pdap-np           1526/tcp    Prospero Data Access Prot non-priv
pdap-np           1526/udp    Prospero Data Access Prot non-priv
#                             B. Clifford Neuman
pcanywherestat    5632/tcp    pcANYWHEREstat
pcanywherestat    5632/udp    pcANYWHEREstat
#                             Jon Rosarky

Best regards,

Daniel Mavrakis

mbeech@csc.ragroup.co.uk wrote:
>
> Is there a definitive list of TCP port numbers and their functions?
> Over the
> past couple of months I have logged attempts to connect to our systems on ports
> 1054, 2149, 5632, 1496, 1526 as well as the more identifiable telnets, nfs, etc.
>
> Thanks for any help
>
> Martin Beech

From owner-firewalls-list Fri Oct 3 14:00:51 1997
From: Brian Tackett
To: mbeech@csc.ragroup.co.uk
Cc: Firewalls@GreatCircle.COM
Date: Fri, 3 Oct 1997 12:58:19 -0500 (CDT)
Subject: Re: TCP Ports
In-Reply-To: <0000AC3C.1453@csc.ragroup.co.uk>

On Fri, 3 Oct 1997 mbeech@csc.ragroup.co.uk wrote:

> Is there a definitive list of TCP port numbers and their functions?
> Over the

ftp://ftp.isi.edu/in-notes/iana/assignments/port-numbers

From owner-firewalls-list Fri Oct 3 16:19:57 1997
From: Bill Stout
To: Daniel Mavrakis, mbeech@csc.ragroup.co.uk
Cc: Firewalls@greatcircle.com
Date: Fri, 03 Oct 1997 16:02:33 -0700
Subject: Re: TCP Ports
Message-ID: <2.2.32.19971003230233.01419cfc@192.168.0.37>

At 08:44 PM 10/3/97 +0100, Daniel Mavrakis wrote:
>liberty-lm 1496/tcp liberty-lm
>liberty-lm 1496/udp liberty-lm

There's a port for liberty? I've been filtering that out! ;^)

Bill
______________________________________________________________________
"It shall be unlawful for any person to solicit or receive any contribution...in any room or building occupied in the discharge of official duties...Any person who violates this section shall be fined under this title or imprisoned for not more than 3 years" - Section 607 of the U.S. Criminal Code.
From owner-firewalls-list Fri Oct 3 16:46:12 1997
From: Andy Lewis
To: Firewalls@GreatCircle.COM
Date: Fri, 3 Oct 1997 16:04:27 -0500 (CDT)
Subject: hosts.allow

I hope that this is not off topic. Is it possible to put a local system user's name in the /etc/hosts.allow file? I want that person to be able to login from anywhere. I am running Linux 2.0.30

Thanks

From owner-firewalls-list Fri Oct 3 16:58:47 1997
From: "Jeremy D. Zawodny"
To: Phil Glatz, firewalls-digest@GreatCircle.COM
Date: Fri, 03 Oct 1997 13:54:33 -0400
Subject: Re: IE 4 security hole?
In-Reply-To: <3.0.3.32.19971003075140.007fa450@glatz.com>
Message-ID: <3.0.3.32.19971003135433.00970610@houinet.hst.moc.com>

At 07:51 AM 10/3/97 -0700, Phil Glatz wrote:
>Does anyone have any more information on this?
>
>The channel definition format (.CDF)
>http://www.microsoft.com/standards/cdf-f.htm includes a
>LOGTARGET feature that allows a web site provider to make
>your browser deliver logs of your usage via an http post or
>put. Even hits from cache are logged. This is all not so good
>and getting worse. Not only is the information posted
>material, you wouldn't want to give to a provider,
>(considering) "http post/put" is normally spoofable anyway.

It is already being actively discussed on Bugtraq. It seems like a more appropriate forum for discussion than the Firewalls list, anyway...

Jeremy
--
Jeremy Zawodny
Internet Technology Group
Information Technology Services
Marathon Oil Company, Findlay Ohio
http://www.marathon.com/
Unless explicitly stated, these are my opinions only--not those of my employer.

From owner-firewalls-list Fri Oct 3 17:06:45 1997
From: Joshua Rabinowitz
To: Firewalls@GreatCircle.COM
Date: Fri, 03 Oct 1997 14:29:19 -0700
Subject: registering port numbers for software?
Message-ID: <3.0.1.32.19971003142919.00a77d60@joshr.com>
Hello World:

this is slightly off topic, but I am working on some commercial software that operates in client/server mode over tcp/ip. How should we decide which port to use for communication, and then how do we go about registering it with the iata to avoid clashing with other future software?

Thanks in advance,
joshr@netobjects.com

From owner-firewalls-list Fri Oct 3 17:19:37 1997
From: Brian Nunes
Reply-To: phloyd@cyberjunkie.com
Organization: TekNopia Publications
To: firewalls@greatcircle.com
Date: Fri, 03 Oct 1997 17:21:22 -0500
Subject: Audio Electronic Engineering
Message-ID: <34357DF2.6FCC@cyberjunkie.com>

I need information on the first steps in becoming an Audio Electronic Engineer. I was wondering if anyone could recommend a starting point, whether it be a specialized school, or college courses? Was wondering about expected income, what qualifications are needed, any good schools, and general employment outlook.

Thanks in advance...

Brian

ps... I realize the topic of the list, but my general question was what tech schools would be good for this sort of thing.
From owner-firewalls-list Fri Oct 3 18:05:23 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id RAA17515; Fri, 3 Oct 1997 17:48:40 -0700 (PDT) Received: from lint.cisco.com (lint.cisco.com [171.68.223.44]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id RAA17507 for ; Fri, 3 Oct 1997 17:48:35 -0700 (PDT) Received: from big-dawgs.cisco.com (herndon-dhcp-40.cisco.com [171.68.53.40]) by lint.cisco.com (8.8.5/CISCO.SERVER.1.2) with SMTP id RAA03917; Fri, 3 Oct 1997 17:49:13 -0700 (PDT) Message-Id: <3.0.3.32.19971003204911.0080d310@lint.cisco.com> X-Sender: pferguso@lint.cisco.com X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Fri, 03 Oct 1997 20:49:11 -0400 To: Joshua Rabinowitz From: Paul Ferguson Subject: Re: registering port numbers for software? Cc: Firewalls@GreatCircle.COM In-Reply-To: <3.0.1.32.19971003142919.00a77d60@joshr.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk You'll need an assignment from the IANA (Internet Assigned Numbers Authority). See: http://www.isi.edu/div7/iana/ - paul At 02:29 PM 10/3/97 -0700, Joshua Rabinowitz wrote: >Hello World: > >this is slightly off topic, but I am working on some >commercial software that operates in client/server mode over >tcp/ip. How should we decide which port to use for communication, and >then how do we go about registering it with the iata to avoid >clashing with other future software? > >Thanks in advance, >joshr@netobjects.com > -- Paul Ferguson || || Consulting Engineering || || Herndon, Virginia USA |||| |||| tel: +1.703.397.5938 ..:||||||:..:||||||:.. 
e-mail: ferguson@cisco.com c i s c o S y s t e m s From owner-firewalls-list Fri Oct 3 20:30:10 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id UAA00320; Fri, 3 Oct 1997 20:25:26 -0700 (PDT) Received: from mail.cgocable.net (mail.cgocable.net [207.134.42.11]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id UAA00309 for ; Fri, 3 Oct 1997 20:25:18 -0700 (PDT) Received: from nathan.home (nathan@cgowave-2-226.cgocable.net [24.226.2.226]) by mail.cgocable.net (8.8.7/8.8.6) with SMTP id XAA14334 for ; Fri, 3 Oct 1997 23:26:24 -0400 (EDT) Message-Id: <3.0.32.19971003232647.009f7480@main.home> X-Sender: maillist@main.home X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Fri, 03 Oct 1997 23:26:54 -0400 To: Firewalls@GreatCircle.COM From: Nathan Zych - ML Subject: Please help - Linux anon FTP Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Would anyone be willing to explain to me how to create additional anonymous users on a linux system running with wu-ftpd. They cannot be normal users, they must be chroot'ed so they have access just to their home directory. If there is a HOWTO or Faq that may help me could someone please point me in the right direction. Thanks! 
Nathan

From owner-firewalls-list Fri Oct 3 20:45:01 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id UAA01079; Fri, 3 Oct 1997 20:34:46 -0700 (PDT) Received: from BBPC4.tconl.com ([204.26.80.11]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id UAA01042 for ; Fri, 3 Oct 1997 20:34:36 -0700 (PDT) Received: from elfering8188.tconl.com ([10.41.0.67]) by BBPC4.tconl.com (Netscape Mail Server v2.02) with ESMTP id AAA31373 for ; Fri, 3 Oct 1997 22:38:49 -0500 Message-ID: <3435B98F.F02F074F@tconl.com> Date: Fri, 03 Oct 1997 22:35:43 -0500 From: Dave Elfering Reply-To: elfering@tconl.com X-Mailer: Mozilla 4.01 [en] (Win95; I) MIME-Version: 1.0 To: Firewalls@GreatCircle.COM Subject: Firewall-1, packet -VS- Proxy X-Priority: 3 (Normal) References: <199710030331.UAA01011@honor.greatcircle.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I've been wallowing in an analysis paralysis between Firewall-1 and one or two other firewalls (ok...Gauntlet & CyberGuard..you twisted my arm). I've been leaning toward Gauntlet, partially based upon a suspicion I have of a packet filtering product like Firewall-1. There seem to be little whisperings about possible exploits for the packet based products, yet I've not seen anything substantial to back that up.

Is there anything to all this? No, I don't care to discuss the fact that Checkpoint is an Israeli company (or whether Marcus Ranum works for the Mossad :) . I really mean to find out if FW1 and stateful inspection are any less "secure" than a proxy technology like Gauntlet. I've always told management that the biggest risk with any of these products is proper setup and administration, not the actual firewall technology.

Feedback, tips and tea leaf readings welcome...

Dave Elfering elfering@tconl.com

From owner-firewalls-list Fri Oct 3 22:30:11 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id WAA12700; Fri, 3 Oct 1997 22:28:59 -0700 (PDT) Received: from pike.sover.net (pike.sover.net [204.71.16.17]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id WAA12693 for ; Fri, 3 Oct 1997 22:28:54 -0700 (PDT) Received: from newguy (usr0a45.rut.sover.net [206.25.64.145]) by pike.sover.net (8.8.5/8.8.5) with ESMTP id BAA14645; Sat, 4 Oct 1997 01:30:07 -0400 (EDT) Message-Id: <199710040530.BAA14645@pike.sover.net> From: "Chris Brenton" To: "Andy Lewis" , Subject: Re: hosts.allow Date: Sat, 4 Oct 1997 01:39:45 -0400 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1161 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

hosts.allow is used for system access, not user logon names. You would either need to enter a system's FQDN or IP address. You can create multiple entries or allow access from entire subnet ranges, but this would allow anyone at these IP addresses to attempt to log on to the system, not just this one user. Keep in mind that this just allows the remote system to connect to a service (Telnet, FTP, etc.). They still need to authenticate to gain access to the system.

Hope this helps, Chris

----------
> From: Andy Lewis
> To: Firewalls@GreatCircle.COM
> Subject: hosts.allow
> Date: Friday, October 03, 1997 5:04 PM
>
> I hope that this is not off topic.
>
> Is it possible to put a local system user's name in the
> /etc/hosts.allow file.
>
> I want that person to be able to login from anywhere?
>
> I am running Linux 2.0.30
>
> Thanks

From owner-firewalls-list Sat Oct 4 04:45:22 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id EAA00694; Sat, 4 Oct 1997 04:42:39 -0700 (PDT) Received: from gte.com (h132-197-8-26.gte.com [132.197.8.26]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id EAA00687 for ; Sat, 4 Oct 1997 04:42:35 -0700 (PDT) Received: from rhb1-home.gte.com by gte.com (8.8.4/8.8.4) Message-Id: <3.0.32.19970929215049.00699c7c@pophost.gte.com> X-Sender: rhb1@pophost.gte.com X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Sat, 04 Oct 1997 07:43:22 -0400 To: firewalls@GreatCircle.com From: Bob Bryant Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

remove

From owner-firewalls-list Sat Oct 4 07:30:22 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA09035; Sat, 4 Oct 1997 07:28:58 -0700 (PDT) Received: from alpha2000.tech-comm.com (ns.tech-comm.com [204.251.171.1]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id HAA09028 for ; Sat, 4 Oct 1997 07:28:53 -0700 (PDT) Received: by alpha2000.tech-comm.com; (8.8.5/1.1.8.2/05Jun95-1217PM) id JAA09502; Sat, 4 Oct 1997 09:24:50 -0500 (CDT) Date: Sat, 4 Oct 1997 09:24:50 -0500 (CDT) From: Dick Brooks Message-Id: <199710041424.JAA09502@alpha2000.tech-comm.com> To: Firewalls@GreatCircle.COM, dick@8760.com Subject: Tunneling IPX. Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I don't recall seeing this topic discussed so here goes: We have a client that wants to provide File and Print access to Corporate LAN servers behind a DEC AltaVista Firewall. The LAN servers are Netware 3.x/4.x. We have looked at DEC's AltaVista tunnels; however, there is no support for encapsulating IPX in IP. Does anyone know of a way to securely provide remote access to "secure side" Netware LAN services from Internet clients?
Dick Brooks dick@8760.com Chief Technical Officer Tel. 205-250-8053 Group 8760 LLC WWW URL: http://www.8760.com/ SECURE INTERNET CREDIT CARD PROCESSING SOFTWARE - VISA CERTIFIED POS-port Ready From owner-firewalls-list Sat Oct 4 08:04:19 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA09997; Sat, 4 Oct 1997 07:55:51 -0700 (PDT) Received: from mail0.tor.acc.ca (mail0.tor.acc.ca [204.92.54.110]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id HAA09990 for ; Sat, 4 Oct 1997 07:55:47 -0700 (PDT) Received: from classik (ppp-105.m2-10.tor.ican.net [142.154.22.105]) by mail0.tor.acc.ca (8.8.7/8.8.6) with SMTP id KAA16549 for ; Sat, 4 Oct 1997 10:57:00 -0400 (EDT) Message-Id: <3.0.2.32.19971004105719.007b03c0@ican.net> X-Sender: asb@ican.net X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.2 (32) Date: Sat, 04 Oct 1997 10:57:19 -0400 To: firewalls@GreatCircle.COM From: "Ayal S. Bida" Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk remove From owner-firewalls-list Sat Oct 4 10:15:40 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA21065; Sat, 4 Oct 1997 10:04:31 -0700 (PDT) Received: from relay2.UU.NET (relay2.UU.NET [192.48.96.7]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id KAA21058 for ; Sat, 4 Oct 1997 10:04:25 -0700 (PDT) Received: from maestro.Maestro.COM by relay2.UU.NET with SMTP (peer crosschecked as: [198.102.66.11]) id QQdjvg25877; Sat, 4 Oct 1997 13:05:59 -0400 (EDT) Received: from localhost by maestro.Maestro.COM (4.1/MAESTRO-0.1/07-03-93) id AA02709; Sat, 4 Oct 97 13:04:22 EDT Date: Sat, 4 Oct 1997 13:04:22 -0400 (EDT) From: Sick Puppy To: Anton J Aylward Cc: firewalls@greatcircle.com Subject: Re: Just wondering - pipeline computer firewalls? 
In-Reply-To: <3.0.32.19971003082727.007b3790@mail.the-wire.com> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> As the guy said, those who are doomed to repeat history haven't studied it.
>
> Just as the special purpose chips which once were designed for signal
> processing have been booted from our repertoire by things like the
> pentium and power PC - FASTER general purpose processing and economies
> of scale, as it is with routers and firewalls.

Seemed like a reasonable argument so I accepted it. Sat there licking my ass for a while. My hindbrain chipped in "You been suckered dude. That ain't no Vulcan logic. Think about ASIC's" Um, well, er, yes, right Hindbrain.

The latest/fastest/state-of-the-art equipment from Cabletron and Cisco uses ASIC's because the old historical Pentium processors are too phucking slow. An ASIC looks a hell of a lot like a signal processor. With ASIC's embedded in their equipment, Cabletron can provide a 1.2 gigabit switched ethernet backbone network without ATM. With a similar approach, Cisco provides .8 gigabit switched ethernet backbone. Neither backbone uses one of those quaint historical devices called routers.

As the Great Sage Confusion said, those who have studied history are doomed to read the phucking newspapers.
Sick Puppy, tCED

From owner-firewalls-list Sat Oct 4 11:30:31 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA26040; Sat, 4 Oct 1997 11:18:29 -0700 (PDT) Received: from hotmail.com (F66.hotmail.com [207.82.250.152]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id LAA26026 for ; Sat, 4 Oct 1997 11:18:25 -0700 (PDT) Received: (qmail 28656 invoked by uid 0); 4 Oct 1997 18:19:54 -0000 Message-ID: <19971004181954.28655.qmail@hotmail.com> Received: from 207.175.1.188 by www.hotmail.com with HTTP; Sat, 04 Oct 1997 11:19:53 PDT X-Originating-IP: [207.175.1.188] From: "Matrix Venus" To: firewalls@GreatCircle.com Content-Type: text/plain Date: Sat, 04 Oct 1997 11:19:53 PDT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Am I on your list or something?? I'm gettin' a lot of your e-mail and I don't know how, I sent that 'remove' letter, but it doesn't seem to have worked, =-? E-mail me back plz and let me know something

Matrix
______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com

From owner-firewalls-list Sat Oct 4 11:45:45 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA27762; Sat, 4 Oct 1997 11:40:49 -0700 (PDT) Received: from alef.bogon.nul (lwby-85ppp63.epix.net [199.224.85.63]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id LAA27738 for ; Sat, 4 Oct 1997 11:40:40 -0700 (PDT) Received: from lwby-85ppp63.epix.net (localhost [127.0.0.1]) by alef.bogon.nul (8.8.5/8.8.5) with ESMTP id OAA27082 for ; Sat, 4 Oct 1997 14:40:02 -0400 Message-Id: <199710041840.OAA27082@alef.bogon.nul> X-Mailer: exmh version 1.6.9 05/05/96 Reply-to: Al Potter To: firewalls@GreatCircle.COM Subject: SINUS Firewall X-face: k+]^-0#M!2jXI7A"4yH$r6aVf6oQnUazbkG $ZIRI6jtu~1tgSj:IQ~jGS!F>3l46t`>:1-&F,lw1G~i}|iY Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Greetings: Have any of the august and most learned members of this list encountered the SINUS firewall? http://www.ifi.unizh.ch/groups/bauknecht/SINUS/firewall.html

It's a packet filter implemented as a Linux kernel module, and appears to be fairly full featured and well implemented, albeit not so well documented. It's GPL'd, so the source is available for modification ( and investigation for government agency APIs ) and of course the price is right.

I'm interested in the opinions of others who have used it, or evaluated it and rejected it.

Al

Manually edit the reply-to for return email.

From owner-firewalls-list Sat Oct 4 16:01:54 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA09563; Sat, 4 Oct 1997 15:52:08 -0700 (PDT) Received: from mole.aleph.com.br (mole.aleph.com.br [200.246.9.131]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id PAA09554 for ; Sat, 4 Oct 1997 15:51:44 -0700 (PDT) Received: from mole (mole [200.246.9.131]) by mole.aleph.com.br (8.8.5/8.8.5) with SMTP id TAA01319; Sat, 4 Oct 1997 19:55:58 -0300 (EST) Date: Sat, 4 Oct 1997 19:55:58 -0300 (EST) From: Hugo Leonardo Wolff Souza X-Sender: hugo@mole To: jon tobin cc: Firewalls@GreatCircle.COM Subject: Re: RFC Index? In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

http://nic.mil/rfc

Hugo

On Fri, 3 Oct 1997, jon tobin wrote:
> Not firewalls related, but is there a good Index of RFCs that is
> searchable?
-- # Hugo - hugo@aleph.com.br - Estacao Aleph Internet Link # From owner-firewalls-list Sat Oct 4 20:02:18 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id TAA19637; Sat, 4 Oct 1997 19:51:06 -0700 (PDT) Received: from public.js.hb.cn ([202.103.8.46]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id TAA19620 for ; Sat, 4 Oct 1997 19:50:49 -0700 (PDT) Received: from pga97003.public.js.hb.cn (ppp26.js.hb.cn [202.103.8.89]) by public.js.hb.cn (8.6.11/8.6.11) with ESMTP id KAA27408 for ; Sun, 5 Oct 1997 10:51:06 +0800 Message-ID: <343700DC.20CE7B4C@public.js.hb.cn> Date: Sun, 05 Oct 1997 10:52:16 +0800 From: liu jun Reply-To: ga97001@public.js.hb.cn Organization: ga97001@public.js.hb.cn X-Mailer: Mozilla 4.01 [en] (Win95; I) MIME-Version: 1.0 To: firewalls@greatcircle.com Subject: (no subject) X-Priority: 3 (Normal) Content-Type: multipart/mixed; boundary="------------343B788847E93D63F3395559" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This is a multi-part message in MIME format. 
--------------343B788847E93D63F3395559
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit

remove

-- MZ

--------------343B788847E93D63F3395559
Content-Type: text/x-vcard; charset=us-ascii; name="vcard.vcf" Content-Transfer-Encoding: 7bit Content-Description: Card for liu jun 刘军 Content-Disposition: attachment; filename="vcard.vcf"

begin: vcard
fn: liu jun 刘军
n: 刘军;liu jun
org: 公安县邮电局 (Gong'an County Post and Telecommunications Bureau)
adr: Gong'an County Post and Telecommunications Bureau;;;Gong'an County;;434300;China
email;internet: ga97001@public.js.hb.cn
title: welcome to meet you
tel;work: 0716-5220000
tel;fax: 0716-5224444
tel;home: 0716-5220000
x-mozilla-cpt: ;0
x-mozilla-html: FALSE
end: vcard
--------------343B788847E93D63F3395559--

From owner-firewalls-list Sat Oct 4 23:45:33 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA02492; Sat, 4 Oct 1997 23:39:14 -0700 (PDT) Received: from dubai.dubai.ingr.com (dubai.dubai.ingr.com [148.53.185.2]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id XAA02460 for ; Sat, 4 Oct 1997 23:38:59 -0700 (PDT) Received: by dubai.dubai.ingr.com (5.65c/1.920109) id AA00964; Sun, 5 Oct 1997 10:42:53 +0400 Received: from dammam.ingr.com by riyadh.riyadh.ingr.com (5.65c/1.920109) id AA03136; Sat, 4 Oct 1997 17:02:46 -0600 Received: from mailserv.dammam.ingr.com (mailserv) by dammam.dammam.ingr.com (5.65c/1.920109) id AA01777; Sat, 4 Oct 1997 08:01:07 +0300 Received: by mailserv.dammam.ingr.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BCD09B.B35BD6E0@mailserv.dammam.ingr.com>; Sat, 4 Oct 1997 08:01:20 +0300 Message-Id: From: "Boac, Lito" To: "'Firewalls@GreatCircle.COM'" Subject: FW: Software for testing a firewall Date: Sat, 4 Oct 1997 08:01:18 +0300 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>
>"Boac, Lito" wrote:
>jvboac
>Are there any public-domain software packages for Windows NT that can be used
>to
>Yes,
>
>I can help here. I'm doing a study of them right now, and I have started
>to build a web page detailing them.
>
>Look at http://www.securit.net in about two weeks!
>
>It's still under construction!
>-------------------------------------------------------------
>Edward Cracknell -
>Security Administrator
>
>

From owner-firewalls-list Sun Oct 5 00:01:17 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA02493; Sat, 4 Oct 1997 23:39:19 -0700 (PDT) Received: from dubai.dubai.ingr.com (dubai.dubai.ingr.com [148.53.185.2]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id XAA02461 for ; Sat, 4 Oct 1997 23:39:00 -0700 (PDT) Received: by dubai.dubai.ingr.com (5.65c/1.920109) id AA00974; Sun, 5 Oct 1997 10:42:58 +0400 Received: from dammam.ingr.com by riyadh.riyadh.ingr.com (5.65c/1.920109) id AA03144; Sat, 4 Oct 1997 17:02:50 -0600 Received: from mailserv.dammam.ingr.com (mailserv) by dammam.dammam.ingr.com (5.65c/1.920109) id AA01785; Sat, 4 Oct 1997 08:02:20 +0300 Received: by mailserv.dammam.ingr.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BCD09B.DED79570@mailserv.dammam.ingr.com>; Sat, 4 Oct 1997 08:02:33 +0300 Message-Id: From: "Boac, Lito" To: "'Firewalls@GreatCircle.COM'" Subject: FW: Software for testing a firewall Date: Sat, 4 Oct 1997 08:02:32 +0300 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>
>Check out Internet Security Scanner and Ballista.. both have NT versions
>now...
>
>
>> From: "Boac, Lito"
>> To: "'Firewalls@GreatCircle.COM'"
>> Subject: Software for testing a firewall
>> Date: Tue, 30 Sep 1997 16:56:54 +0300
>
>> Are there any public-domain software packages for Windows NT that can be used to
>> test for security holes on a firewall?
I'm currently evaluating several >> firewalls but I don't have the necessary tools of the trade to do some >> in-depth testing. >> >> Please reply directly as I don't subscribe to firewalls. >> >> Thanks. >> >> Joselito V. Boac >> jvboac@dammam.ingr.com >> >> > >----------------------------------------------------------------- >Internet: mshines@purdue.edu * Michael S. Hines, CISA,CIA,CDP,CFE >Voice: (765) 494-5845 * Sr. Information Systems Auditor >FAX: (765) 496-1814 * Purdue University > * 1065 Freehafer Hall > * West Lafayette, IN 47907-1065 >All views are my own and do not reflect Purdue University policy. > From owner-firewalls-list Sun Oct 5 01:45:36 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id BAA14733; Sun, 5 Oct 1997 01:39:28 -0700 (PDT) Received: from hugin.mainz.dk (Hugin.mainz.dk [130.227.10.10]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id BAA14708 for ; Sun, 5 Oct 1997 01:39:20 -0700 (PDT) Date: Sun, 05 Oct 1997 10:41:45 +0100 From: Kim Wohlert Subject: RE: Tunneling IPX. To: "'Dick Brooks'" Cc: "'Firewalls@GreatCircle.COM'" Message-id: MIME-version: 1.0 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63 Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >-----Original Message----- >From: Dick Brooks [SMTP:dick@tech-comm.com] >Sent: Saturday, October 04, 1997 3:25 PM >To: Firewalls@GreatCircle.COM; dick@8760.com >Subject: Tunneling IPX. > >I don't recall seeing this topic discussed so here goes: > >We have a client that wants to provide File and Print access to Corporate LAN >servers behind a DEC AltaVista Firewall. The LAN servers are Netware 3.x/4.x. >[Kim Wohlert] >I haven't had time to try this yet, but in theory you should be able to use >Netware/IP with AltaVista Tunnel. 
>
>On the Corp LAN you would need to set up Netware/IP on one of your
>Netware servers, and this would tunnel between IP and IPX. On the client you
>need to install Netware/IP client (comes with all newer Netware Client kits).
>
>The trick then is to get Netware/IP to talk to the AltaVista Personal Tunnel
>Pseudo Adapter.
>
>I'd love to hear if you get it to work.
>
>- Kim
>
>We have looked at, DEC's AltaVista tunnels, however there is no support
>for encapsulating IPX in IP. Does anyone know of a way to securely provide
>remote access to "secure side" Netware LAN services from Internet clients?
>
>Dick Brooks dick@8760.com
>Chief Technical Officer Tel. 205-250-8053
>Group 8760 LLC WWW URL: http://www.8760.com/
>SECURE INTERNET CREDIT CARD PROCESSING SOFTWARE - VISA CERTIFIED POS-port
>Ready
>

From owner-firewalls-list Sun Oct 5 04:30:32 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id EAA26111; Sun, 5 Oct 1997 04:17:46 -0700 (PDT) Received: from pinux.selfin.net ([194.244.74.30]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id EAA26103 for ; Sun, 5 Oct 1997 04:17:39 -0700 (PDT) Received: from client ([194.244.74.130]) by pinux.selfin.net (8.7.5/8.7.3) with ESMTP id TAA20410; Sun, 5 Oct 1997 19:11:54 +0200 Message-Id: <199710051711.TAA20410@pinux.selfin.net> From: "Franco RUGGIERI" To: Cc: Subject: R: Firewall-1, packet -VS- Proxy Date: Sat, 4 Oct 1997 20:21:38 +0200 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1161 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Just hearsay: two of the biggest FW-1 problems I have heard of.

1) It doesn't harden the system (Unix or NT or whatever it runs/will run on) by itself: it's up to the security admin to harden it: what if he/she is not smart enough to do it properly?

2) Setting up the rules is a real headache, most of it defining all the objects that make up the network. And everything which is difficult to implement is error prone.

Can anyone confirm this hearsay?

Hope this will light up a fiery discussion: I love fights (when not involved)

-------------------------------
Franco RUGGIERI fruggieri@selfin.net

----------
> From: Dave Elfering
> To: Firewalls@GreatCircle.COM
> Subject: Firewall-1, packet -VS- Proxy
> Date: Saturday 4 October 1997 5.35
>
> I've been wallowing in an analysis paralysis between Firewall-1 and one
> or two other firewalls (ok...Gauntlet & CyberGuard..you twisted my arm).
>
> I've been leaning toward Gauntlet, partially based upon a suspicion I
> have of a packet filtering product like Firewall-1. There seem to be
> little whisperings about possible exploits for the packet based
> products, yet I've not seen anything substantial to back that up.
>
> Is there anything to all this? No, I don't care to discuss the fact that
> Checkpoint is an Israeli company (or whether Marcus Ranum works for the
> Mossad :) . I really mean to find out if FW1 and stateful inspection are
> any less "secure" than a proxy technology like Gauntlet. I've always
> told management that the biggest risk with any of these products is
> proper setup and administration, not the actual firewall technology.
>
> Feedback, tips and tea leaf readings welcome...
>
> Dave Elfering
> elfering@tconl.com

From owner-firewalls-list Sun Oct 5 05:45:38 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA01334; Sun, 5 Oct 1997 05:30:36 -0700 (PDT) Received: from mail.tds.net (mail.tds.net [204.246.1.2]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id FAA01326 for ; Sun, 5 Oct 1997 05:30:31 -0700 (PDT) From: webbs@tds.net Received: from Comp1 (mewi0-a04.midway.tds.net [204.246.12.101]) by mail.tds.net (8.8.5/8.8.5) with SMTP id HAA18674; Sun, 5 Oct 1997 07:10:22 -0500 (CDT) Date: Sun, 5 Oct 1997 07:10:22 -0500 (CDT) Message-Id: <199710051210.HAA18674@mail.tds.net> Subject: Your Home And Family Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

YOUR HOME AND FAMILY

Now available, (Your Home and Family), the consumer guide everyone has been asking for. This guide is filled with information every household should be aware of. Protect yourself and your family, be informed of the real life events that can happen to you and your household. Read about wills and trusts (don’t let the government take everything)! Parents’ worst fears- (Drug Abuse, maybe it’s already there)! Be informed! Dealing with divorce “Get It Together” “Not The End”. Safeguards against rape....Don’t let it happen to you, worse yet a member of your family! Household: Don’t let your house get the better of you, TAKE CONTROL! This guide is packed full of important information that you will want to share with friends and other family members. This is “MUST HAVE INFORMATION”. Get this NOW! Send for your copy today!

Here is how to order: Send check or money order for $19.95 (shipping and handling included in price) to: Affordable Services PO Box 352 Medford, WI 54451

PS: You won’t believe the startling information in the guide! Order an extra report for your friends and neighbors! Give yourself a little peace of mind.
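Between Franco Ruggieri's second point above and Darren Reed's reply that follows, a worked illustration of the object-and-rule model the two of them are discussing. This is an added example by the editor, not code from any list participant and not Check Point's own rule format or API: the object names, the group, the four-rule sample rulebase and the first-match semantics are all constructed assumptions. It shows Darren's point (one group object stands in for several hosts in a single rule) and Franco's (a rulebase assembled from many objects is easy to get wrong): once the group is expanded, rule 3 is completely shadowed by rule 2, so the drop the administrator wrote never fires, and the shadow check is the kind of sanity test worth running before a rulebase is installed.

```python
import ipaddress

# Network objects (constructed sample, not any real site's rulebase).
OBJECTS = {
    "any":          ["0.0.0.0/0"],
    "internal-net": ["10.1.0.0/16"],
    "mailhost":     ["192.0.2.25/32"],
    "webhost":      ["192.0.2.80/32"],
}
# Group objects refer to other objects or groups by name.
GROUPS = {
    "dmz-servers": ["mailhost", "webhost"],
}
# Service objects: name -> (protocol, port); "any" matches everything.
SERVICES = {
    "any":  ("any", None),
    "smtp": ("tcp", 25),
    "http": ("tcp", 80),
}

# Ordered rulebase; the first matching rule decides (assumed semantics).
RULES = [
    {"src": "any",          "dst": "mailhost",    "svc": "smtp", "action": "accept"},
    {"src": "internal-net", "dst": "dmz-servers", "svc": "http", "action": "accept"},
    {"src": "internal-net", "dst": "webhost",     "svc": "http", "action": "drop"},
    {"src": "any",          "dst": "any",         "svc": "any",  "action": "drop"},
]


def resolve(name, _path=frozenset()):
    """Expand an object or group name into the list of networks it denotes."""
    if name in _path:
        raise ValueError(f"group cycle through {name!r}")
    if name in GROUPS:
        nets = []
        for member in GROUPS[name]:
            nets.extend(resolve(member, _path | {name}))
        return nets
    return [ipaddress.ip_network(n) for n in OBJECTS[name]]


def covers(outer, inner):
    """True if every address denoted by `inner` is also denoted by `outer`."""
    outer_nets = resolve(outer)
    return all(any(i.subnet_of(o) for o in outer_nets) for i in resolve(inner))


def service_covers(outer, inner):
    """True if service `outer` matches at least everything `inner` matches."""
    return SERVICES[outer][0] == "any" or SERVICES[outer] == SERVICES[inner]


def shadowed_rules(rules):
    """Find rules that can never fire.

    Returns (later_rule_no, earlier_rule_no) pairs, numbered from 1, where
    the earlier rule already matches everything the later rule would match.
    """
    found = []
    for i, later in enumerate(rules):
        for j in range(i):
            earlier = rules[j]
            if (covers(earlier["src"], later["src"])
                    and covers(earlier["dst"], later["dst"])
                    and service_covers(earlier["svc"], later["svc"])):
                found.append((i + 1, j + 1))
                break
    return found


def first_match(rules, src_ip, dst_ip, proto, port):
    """Evaluate one packet: (rule_no, action), or (None, 'drop') if nothing matches."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for i, rule in enumerate(rules):
        sproto, sport = SERVICES[rule["svc"]]
        if (any(src in n for n in resolve(rule["src"]))
                and any(dst in n for n in resolve(rule["dst"]))
                and (sproto == "any" or (sproto, sport) == (proto, port))):
            return i + 1, rule["action"]
    return None, "drop"


if __name__ == "__main__":
    for later, earlier in shadowed_rules(RULES):
        print(f"rule {later} is shadowed by rule {earlier}")
    # The drop in rule 3 never applies: rule 2 accepts via the group.
    print(first_match(RULES, "10.1.5.5", "192.0.2.80", "tcp", 80))
```

The group keeps rule 2 to one line instead of one per DMZ host, which is the readability win Darren describes; the same expansion is what hides the conflict with rule 3, which is Franco's complaint. Running the shadow check whenever objects or rule order change catches that class of mistake mechanically rather than by reading the rulebase.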
From owner-firewalls-list Sun Oct 5 06:15:38 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA03121; Sun, 5 Oct 1997 05:54:45 -0700 (PDT) Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id FAA03084 for ; Sun, 5 Oct 1997 05:54:30 -0700 (PDT) Message-Id: <199710051254.FAA03084@honor.greatcircle.com> Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA287305874; Sun, 5 Oct 1997 22:51:14 +1000 From: Darren Reed Subject: Re: R: Firewall-1, packet -VS- Proxy To: fruggieri@selfin.net (Franco RUGGIERI) Date: Sun, 5 Oct 1997 22:51:14 +1000 (EST) Cc: elfering@tconl.com, Firewalls@GreatCircle.COM In-Reply-To: <199710051711.TAA20410@pinux.selfin.net> from "Franco RUGGIERI" at Oct 4, 97 08:21:38 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In some mail from Franco RUGGIERI, sie said: [...] > 2) setting up the rules is a real headache, most of it defining all the > objects that make up the network. And everything which is difficult to > implement is error prone. > Can anyone confirm this hearsay? Whilst this is required, it is this which a lot find attractive. If I can create an artificial group of 10 hosts and represent that with one rule, which is easier to read: one rule or 10 ? 
Darren From owner-firewalls-list Sun Oct 5 07:00:32 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA10045; Sun, 5 Oct 1997 06:45:37 -0700 (PDT) Received: from mtigwc04.worldnet.att.net (mtigwc04.worldnet.att.net [204.127.131.33]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id GAA10037 for ; Sun, 5 Oct 1997 06:45:32 -0700 (PDT) Received: from zepher.milkyway.com ([12.70.7.129]) by mtigwc04.worldnet.att.net (post.office MTA v2.0 0613 ) with SMTP id AAA8990; Sun, 5 Oct 1997 13:47:03 +0000 Message-Id: <3.0.3.32.19971005094530.006a325c@postoffice.worldnet.att.net> X-Sender: jsk347@postoffice.worldnet.att.net X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Sun, 05 Oct 1997 09:45:30 -0500 To: Dick Brooks , Firewalls@GreatCircle.COM, dick@8760.com From: Steve Kruse Subject: Re: Tunneling IPX. In-Reply-To: <199710041424.JAA09502@alpha2000.tech-comm.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk SecurIT Access from Milkyway is one product that will allow you to do that. You can bind any protocol to the Milkyway VPN driver that you bind to any other LAN driver. Check out http://www.milkyway.com At 02:24 PM 10/4/97 +0000, Dick Brooks wrote: >I don't recall seeing this topic discussed so here goes: > >We have a client that wants to provide File and Print access to Corporate LAN >servers behind a DEC AltaVista Firewall. The LAN servers are Netware 3.x/4.x. > >We have looked at, DEC's AltaVista tunnels, however there is no support >for encapsulating IPX in IP. Does anyone know of a way to securely provide >remote access to "secure side" Netware LAN services from Internet clients? > >Dick Brooks dick@8760.com >Chief Technical Officer Tel. 
205-250-8053 >Group 8760 LLC WWW URL: http://www.8760.com/ >SECURE INTERNET CREDIT CARD PROCESSING SOFTWARE - VISA CERTIFIED POS-port Ready > > From owner-firewalls-list Sun Oct 5 07:06:30 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA10175; Sun, 5 Oct 1997 06:51:30 -0700 (PDT) Received: from scullin.starway.net.au (scullin.starway.net.au [203.34.26.36]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id GAA10168 for ; Sun, 5 Oct 1997 06:51:22 -0700 (PDT) Received: from a4.canberra.starway.net.au (a4.canberra.starway.net.au [203.32.22.43]) by scullin.starway.net.au (8.8.5/8.7.3) with SMTP id UAA04390; Sun, 5 Oct 1997 20:16:29 +1000 Received: by a4.canberra.starway.net.au with Microsoft Mail id <01BCD1CA.CC065FA0@a4.canberra.starway.net.au>; Sun, 5 Oct 1997 20:10:59 +1000 Message-ID: <01BCD1CA.CC065FA0@a4.canberra.starway.net.au> From: Craig Keegan Subject: NTS - Windows NT Security, Event Log Management and UpTime reporting Date: Sun, 5 Oct 1997 19:34:47 +1000 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, Previously I contacted you about some revolutionary tools for Windows NT = Security and Systems Management. These can be used for documenting, = standardising or auditing single or multiple domain, small (3) or large = (100+) Windows NT networks. Please note that as at October 7 1997 a new version of NTSecurity = Administrator has been released, the new version has a totally new = Explorer GUI with a new database engine, improved sorting, searching and = filtering and improved performance. To try a sample of the new version please visit the download area at = http://www.scullin.starway.net.au/~ckeegan/index.html. 
Windows NT Security, Daily Event Log Summary, System Up Time Report
This includes Users, Groups, server Services, Domain Policies, User Rights and File, Share & Printer security exceptions. There are also other tools for producing a summary of every Event Log on every server every day and another for showing server UpTime and disk space availability. These products are "passive" in that they do not have to be installed on your servers and do not require any changes to your servers.
The intention of NTS is to provide you with unique tools to simplify and manage your Windows NT environment, by filling the gaps that Microsoft has left. Please visit our interim WWW site at http://www.scullin.starway.net.au/~ckeegan/index.html to find further information and download a sample of the product.
If I can be of any use at all during your investigations of these products please reply back. I am confident you will agree, this product is quite unique, and an invaluable tool for managing your Windows NT environment. I look forward to our next contact and hope to be a valuable asset to your organisation.
Thank you for your time, this was not intended to be "SPAM", I am extremely sorry to anyone who may have been inconvenienced by this e-mail. If you do not wish to receive any further messages, please reply back with "NO" as the subject.
I anxiously await your response.
------------------------------------- Craig Keegan Technical Manager NTS (0412) 141719 ckeegan@scullin.starway.net.au From owner-firewalls-list Sun Oct 5 07:07:30 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA10258; Sun, 5 Oct 1997 06:56:28 -0700 (PDT) Received: from lexicon.ins.com (lexicon.ins.com [199.0.193.11]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id GAA10251 for ; Sun, 5 Oct 1997 06:56:22 -0700 (PDT) Received: from mousa_s.ins.com ([199.0.201.225]) by lexicon.ins.com (8.7.5/8.7.3) with SMTP id GAA25317 for ; Sun, 5 Oct 1997 06:57:53 -0700 (PDT) Message-Id: <3.0.32.19971004130027.006d45f4@lexicon.ins.com> X-Sender: mousa_s@lexicon.ins.com X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Sun, 05 Oct 1997 09:57:44 -0400 To: firewalls@GreatCircle.COM From: Sami Mousa Subject: SNA/IBM Security Mime-Version: 1.0 Content-Type: text/enriched; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
Hello,
I'd like to get your opinions of the security in place compared to the security of the redesign. Also, opinions on security in SNA/IBM environments, and risks.
Security in the host today is accomplished through RACF, which defines user accounts, and specifies which resources the users can access.
----------------
My client has remote sites with various degrees of trust. Some remotes are part of the company, but not strictly controlled by IS as what they can or think they can do with their network.
These sites are considered pretty secure, although not completely trusted. IS wants to have more control on what access they have to the corporate campus LAN.
We have a firewall in place, which permits IS sanctioned IP applications to pass through.
However, one of the requirements is SNA, with an AS400 located at the remote site connecting to an FEP with access to a mainframe located at the corporate site.
The SNA is encapsulated into TCP and forwarded from the remote router to a corporate router, which de-encapsulates the TCP and forwards SNA onto the token ring.
The firewall is currently set up to pass the DLSW TCP port number through, as long as the source and destination IP address are correct.
The routers are set up to route IP. IPX, Appletalk, Vines, Decnet are not allowed to be bridged. Netbios is not passed through the DLSW tunnel either.
We currently have the following:

              AS400
                |
         (sna, token ring)
                |
  router dlsw peer (encapsulates sna into tcp, forwards tcp session to peer2)
                |
        FRAME RELAY NETWORK
                |
                |
         router, IP only
                |
             --LAN--
                |
  firewall (permits dlsw tcp port 2065)
                |
                |
         CAMPUS Token ring
                |
  DLSW Peer2 Router (No bridging on interface to Campus Ring)
                |
              ring
                |
          IBM FEP, 3745
                |
          IBM MAINFRAME

Note that DLSW Peer2 router is inside the firewall. The interface that connects to the corporate campus Token ring does not have bridging enabled, so the SNA packets, when deencapsulated, do not get forwarded back onto that ring. They only get forwarded on to the FEP connected ring. There is no telnet access from outside the firewall to internal campus resources, without authentication at the firewall itself.
There are other FEPs and FEP ring interfaces that connect directly to the campus token ring, which also connect to the MAINFRAME, for host access by people located on the campus network.
There are some security risks, including denial of service attacks through excessive bridging packets, access to the FEP by anyone on a remote ring,...
-----
We are considering a redesign. I'd like to get your opinions of the security in place compared to the security of the redesign. Also, opinions on security in SNA/IBM environments, and risks.
              AS400
                |
         (sna, token ring)
                |
  router dlsw peer (encapsulates sna into tcp, forwards tcp session to peer2)
                |
        FRAME RELAY NETWORK
                |
                |
           router, IP
           dlsw peer
              |     \
           --LAN--    \
              |       ring
           firewall     \
              |         FEP
              |
       CAMPUS Token ring

As you can see, the dlsw will no longer be tunneled through the firewall. The connection to the FEP would be outside the firewall. Nothing else is on the fep ring.
The dlsw peer router would have to be set up with specific addresses of remote routers that could establish dlsw connections to it. The only added threat is that the router which is configured with the peer is also outside the firewall. Someone could potentially bring another router up, telnet to and break into the dlsw peer router, configure themself, and have access to the fep.
Thanks,

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
** Sami Mousa, FORE ATM(WAN) Certified                                   **
** International Network Services      Office: (908)603-8541 x320        **
** Network Systems Engineer            e-mail: sami_mousa@ins.com        **
** 120 Wood Ave South                  Pager:  (888)896-4064             **
** Suite #615                          Fax:    (908)548-5630             **
** Iselin, New Jersey 08830            www.ins.com                       **
=============================================================================
 "My statements in this message are personal opinions \
  which may have no basis whatsoever in fact."
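The redesign above hinges on one thing Sami states: the peer router that now sits outside the firewall must accept DLSw only from specific remote routers, and must not be reachable for telnet from the WAN. The following Cisco IOS fragment is an added illustration of those two controls, not the client's configuration and not from Sami's message. Addresses are documentation placeholders: 192.0.2.1 is the exposed peer router, 198.51.100.1 the remote site's DLSw router, 10.1.1.0/24 the campus management subnet. Leaving the `promiscuous` keyword off `dlsw local-peer` is what makes the router refuse peers it has not been told about; the interface ACL mirrors the firewall rule already in place (TCP 2065 between the two peer addresses) so the router is not relying on the peer list alone.

```text
! Added example, not the client's running configuration.
! 192.0.2.1   = this DLSw peer router (outside the firewall, on the FEP ring)
! 198.51.100.1 = the remote site's DLSw peer router
! 10.1.1.0/24 = campus management subnet
!
interface Loopback0
 description DLSw peer address
 ip address 192.0.2.1 255.255.255.255
!
! No "promiscuous" keyword: only the remote peers listed here may connect
dlsw local-peer peer-id 192.0.2.1
dlsw remote-peer 0 tcp 198.51.100.1
!
! Same rule the firewall enforces today: the DLSw session on TCP 2065 is the
! only thing the WAN side may open to this router; everything else is logged
access-list 101 permit tcp host 198.51.100.1 host 192.0.2.1 eq 2065
access-list 101 permit tcp host 198.51.100.1 eq 2065 host 192.0.2.1 established
access-list 101 deny   ip any any log
!
interface Serial0
 description Frame relay to remote site
 encapsulation frame-relay
 ip access-group 101 in
!
! Management sessions accepted only from the campus side, never from the WAN
access-list 10 permit 10.1.1.0 0.0.0.255
access-list 10 deny   any log
!
line vty 0 4
 access-class 10 in
 login
```

The `log` keywords on the deny entries are what turn the threat Sami describes (someone bringing up another router and trying to peer with, or telnet into, the exposed router) into a visible event rather than a silent drop.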
From owner-firewalls-list Sun Oct 5 08:00:37 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA17291; Sun, 5 Oct 1997 07:55:49 -0700 (PDT) Received: from mnl.sequel.net (mnl.sequel.net [204.255.104.30]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id HAA17221 for ; Sun, 5 Oct 1997 07:55:32 -0700 (PDT) Received: from Mind_Ripper by mnl.sequel.net (SMI-8.6/SMI-SVR4) id WAA03892; Sun, 5 Oct 1997 22:54:23 +0800 Message-Id: <3.0.1.32.19971005225034.00adb100@mnl.sequel.net> X-Sender: succesor@mnl.sequel.net X-Mailer: Windows Eudora Light Version 3.0.1 (32) Date: Sun, 05 Oct 1997 22:50:34 To: msrao@mtu.edu, Firewalls@GreatCircle.COM From: Gaddy Gumbao Subject: Re: Firewalls-Digest V6 #471 In-Reply-To: <199710020217.WAA00637@eegrad6.ee.mtu.edu> References: <199710010847.BAA21248@honor.greatcircle.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
Hi there, Can anybody tell me some good reasons in a wide area network why there should be one DNS only? Thanks for the help....
At 10:17 PM 10/1/97 -0400, msrao@mtu.edu wrote: >Hi , > >I wanted to know if anybody is working on performance evaluation of >wireless networks. I'll be interested to correspond with them. > >Thanks >Manjunath > >
From owner-firewalls-list Sun Oct 5 08:39:36 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA15036; Sun, 5 Oct 1997 07:45:28 -0700 (PDT) Received: from kcsun3.kcstar.com (kcsun3.kcstar.com [207.15.4.13]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id HAA15001 for ; Sun, 5 Oct 1997 07:45:17 -0700 (PDT) Received: from kcsun3.kcstar.com (kcsun3.kcstar.com [207.15.4.13]) by kcsun3.kcstar.com (8.8.5/8.7.3) with SMTP id JAA16067 for ; Sun, 5 Oct 1997 09:52:47 -0500 (CDT) Date: Sun, 5 Oct 1997 09:52:47 -0500 (CDT) From: elroy To: firewalls@greatcircle.com Subject: Proxying Citrix WinFrame?
(fwd) Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi everybody - I'm building a firewall using Linux and the FWTK, and need a way to proxy Citrix WinFrame. Does anyone know of a proxy available in source-code form for WinFrame? I think I could use plug-gw, but plug-gw won't scale well in the event that I need to proxy to more than one WinFrame server. I'm proxying WinFrame requests *inward* to an internal WinFrame server from a WAN, not from the Internet, btw. Any help or pointers are greatly appreciated - -elroy (elroy@kcstar.com) From owner-firewalls-list Sun Oct 5 08:45:33 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA19743; Sun, 5 Oct 1997 08:06:08 -0700 (PDT) Received: from emout15.mail.aol.com (emout15.mx.aol.com [198.81.11.41]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id IAA19701 for ; Sun, 5 Oct 1997 08:05:58 -0700 (PDT) From: Justface@aol.com Received: (from root@localhost) by emout15.mail.aol.com (8.7.6/8.7.3/AOL-2.0.0) id LAA23196 for firewalls@greatcircle.com; Sun, 5 Oct 1997 11:07:29 -0400 (EDT) Date: Sun, 5 Oct 1997 11:07:29 -0400 (EDT) Message-ID: <971005110728_1999046941@emout15.mail.aol.com> To: firewalls@greatcircle.com Subject: no subject Sender: firewalls-owner@GreatCircle.COM Precedence: bulk remove From owner-firewalls-list Sun Oct 5 09:00:59 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA22438; Sun, 5 Oct 1997 08:17:49 -0700 (PDT) Received: from mnl.sequel.net (mnl.sequel.net [204.255.104.30]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id HAA17458 for ; Sun, 5 Oct 1997 07:56:31 -0700 (PDT) Received: from Mind_Ripper by mnl.sequel.net (SMI-8.6/SMI-SVR4) id WAA03900; Sun, 5 Oct 1997 22:54:26 +0800 Message-Id: <3.0.1.32.19971005225252.00ae18f0@mnl.sequel.net> X-Sender: succesor@mnl.sequel.net X-Mailer: Windows Eudora Light Version 
3.0.1 (32) Date: Sun, 05 Oct 1997 22:52:52 To: rich , tomhong@usa.net From: Gaddy Gumbao Subject: 1 DNS Cc: firewalls@GreatCircle.COM, seguridad@iti.upv.es In-Reply-To: References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
Hi there, I think this is a newbie question but that's what I am what I am. Can you please explain to me why there should be one DNS on your Network. Especially on a wide Area Network. Thanks for your help
From owner-firewalls-list Sun Oct 5 10:01:55 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA10366; Sun, 5 Oct 1997 09:57:14 -0700 (PDT) Received: from Concord01.POP.InterNex.Net (concord01.pop.InterNex.Net [205.158.3.82]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id JAA10359 for ; Sun, 5 Oct 1997 09:57:08 -0700 (PDT) Message-Id: <199710051657.JAA10359@honor.greatcircle.com> Received: from [205.158.182.130] by Concord01.POP.InterNex.Net (Post.Office MTA v3.1.2 release (PO203-101c) ID# 0-34792U7500L7500S0) with SMTP id AAA2020 for ; Sun, 5 Oct 1997 09:58:39 -0700 Subject: Re: VLANs for Security Inside the Firewall Date: Sun, 5 Oct 97 09:58:51 -0700 x-sender: INX-10108b@Concord01 x-mailer: Claris Emailer 2.0v2, June 6, 1997 From: Bill Husler To: "firewalls" Mime-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
>At 01:02 PM 9/28/97, steven.j.schulze wrote:
>>I have a client who is running VLANs on Cisco switches, mostly for convenience
>>and flexibility reasons. This client is wondering if any level of security
>>is achieved due to this "virtual" network segmentation. I realize that VLANs
>>are not firewalls, strong encryption+authentication, etc. however, to achieve
>>separation and prevent snooping / interception, do the VLANs in effect take
>>each node out of each other's "Collision Domain" (to use the Ethernet term)?
>>Assume the worst-- competing clients on the network, with NICs in promiscuous
>>mode (trivial to do today), what would that PC / Unix box see?
>
>VLAN's segregate switch ports into segments. In other words, once
>you have created three VLAN's, you can think of it as three
>separate physical switches.
>
>Now, within each switched VLAN:
>- Broadcasts are forwarded to each port (within same VLAN)
>- A packet is only forwarded from one port to another if
> the switch determines that the destination is reachable
> via another switch port
>- a PC in promiscuous mode would be able to sniff:
> - Broadcasts within same VLAN
> - Packets being sent across a hub connected to a single
> switch port
>
>Typically you would use a router to route between VLAN's.
>You can connect an ethernet interface to each VLAN
>or you can create a global port and put multiple addresses
>on the interface. That's a design issue. Some switches
>now have routing capability built in.
>
>To answer your question:
>- Switching with no VLAN's provides protection because not all
> users see all packets (each switch port is its own collision
> domain).
>- Switching with no VLAN's provides no protection in sniffing
> for broadcast packets
>- Switching with VLAN's provides some protection against broadcast
> sniffing as long as the offending PC is not within the same
> VLAN.
>
>Mike
>
>+----------------------------------------------------------+
>| Michael D. Ferioli ferioli@comnet.com.tr |
>| Comnet A.S. http://www.comnet.com.tr |
>+----------------------------------------------------------+
>
I understand that these switches are configured via a telnet session. Is there a way (on the switch) to ensure that this activity may only be performed via specific switch ports (ie. I would like to ensure that if someone is remapping the VLANs, they are doing so from something along the lines of a console or secured area).
Bill From owner-firewalls-list Sun Oct 5 12:00:34 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA22160; Sun, 5 Oct 1997 11:45:18 -0700 (PDT) Received: from halon.sybase.com (halon.sybase.com [192.138.151.33]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id LAA22151 for ; Sun, 5 Oct 1997 11:45:11 -0700 (PDT) Received: from smtp1.sybase.com (sybgate.sybase.com [130.214.220.35]) by halon.sybase.com (8.8.4/8.8.4) with SMTP id LAA09198 for ; Sun, 5 Oct 1997 11:45:58 -0700 (PDT) Received: from notesgw2.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) id AA07524; Sun, 5 Oct 97 11:49:37 PDT Received: (from unixsvr1@localhost) by notesgw2.sybase.com (8.8.4/8.8.4) id LAA13528 for @sybgate.sybase.com:Firewalls@GreatCircle.COM; Sun, 5 Oct 1997 11:48:08 -0700 (PDT) Message-Id: <199710051848.LAA13528@notesgw2.sybase.com> Received: by SybaseNotes (Lotus Notes Mail Gateway for SMTP V1.1) id FAAD34AC3D1D356F8825652700679D75; Sun, 5 Oct 97 11:48:05 EDT To: "Franco RUGGIERI" Cc: elfering , Firewalls From: Ryan Russell/SYBASE Date: 5 Oct 97 11:55:22 EDT Subject: Re: R: Firewall-1, packet -VS- Proxy X-Lotus-Type: Reply All Mime-Version: 1.0 Content-Type: Text/Plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
1 is true, all the security for the host is based on the assumption that you will have rules that protect the host itself. It's a good idea to review the services running on the host.
As for 2, I don't find it particularly hard to administer in terms of the ruleset or defining objects. I find it could be easier in terms of how address translation is done (defining the static ARP entries, etc..) and the encryption settings used with SecuRemote, and doing static address translations (the need for a static route IS in the manual, but an example would have been helpful.)
Ryan ---------- Previous Message ---------- To: elfering cc: Firewalls From: fruggieri@selfin.net ("Franco RUGGIERI") @ smtp Date: 10/04/97 08:21:38 PM Subject: R: Firewall-1, packet -VS- Proxy
Just a hearsay: two, among the FW-1 biggest problems I heard of.
1) It doesn't harden the system (Unix or NT or whatever it runs/will run on) by itself: it's up to the security admin to harden it: what if he/she is not so smart to do it properly?
2) setting up the rules is a real headache, most of it defining all the objects that make up the network. And everything which is difficult to implement is error prone.
Can anyone confirm this hearsay? Hope this will light up a fiery discussion: I love fights (when not involved)
------------------------------- Franco RUGGIERI fruggieri@selfin.net ----------
> Da: Dave Elfering > A: Firewalls@GreatCircle.COM > Oggetto: Firewall-1, packet -VS- Proxy > Data: sabato 4 ottobre 1997 5.35
>
> I've been wallowing in an analysis paralysis between Firewall-1 and one > or two other firewalls (ok...Gauntlet & CyberGuard..you twisted my arm).
>
> I've been leaning toward Gauntlet, partially based upon an a suspicion I > have of a packet filtering product like Firewall-1. There seem to be > little whisperings about possible exploits for the packet based > products, yet I've not seen anything substantial to back that up.
>
> Is there anything to all this? No I don't care to discuss the fact that > Checkpoint is an Israeli company (or whether Marcus Ranum works for the > Masaad :) . I really mean to find out if FW1 and stateful inspection are > any less "secure" than a proxy technology like Gauntlet. I've always > told management that the biggest risk with any of these products is > proper setup and administration, not the actual firewall technology.
>
> Feedback, tips and tea leaf readings welcome...
> > Dave Elfering > elfering@tconl.com From owner-firewalls-list Sun Oct 5 12:36:12 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA29670; Sun, 5 Oct 1997 12:26:59 -0700 (PDT) Received: from mailhost.na-cp.rnp.br (halley.na-cp.rnp.br [200.136.100.17]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id MAA29628 for ; Sun, 5 Oct 1997 12:26:46 -0700 (PDT) Received: from halley (forster@halley [200.136.100.17]) by mailhost.na-cp.rnp.br (8.8.7/8.8.7) with SMTP id QAA24112 for ; Sun, 5 Oct 1997 16:29:34 -0300 (EST) Date: Sun, 5 Oct 1997 16:29:30 -0300 (EST) From: Antonio Paulo Salgado Forster X-Sender: forster@halley To: Firewalls@GreatCircle.COM Subject: re: hosts.allow In-Reply-To: Message-ID: Organization: Rede Nacional de Pesquisa - RNP MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
Hello, I saw some days ago someone asking about user authentication via tcp_wrappers' hosts.allow file. I don't have the original mail, but I tried something here that worked out. Here's the hint:
If you have identd running on the client machine, you may put something like "username@unix.client.machine" in hosts.allow, and forbid everything from that machine on hosts.deny, and then tcp wrappers will allow connections from that machine *if* the user running the client is the one in hosts.allow.
Hope this helps.
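The decision logic behind Antonio's hint, written out so it can be traced for several client scenarios. This is an added illustration, not part of his post and not the tcp_wrappers source: it reproduces the hosts_access(5) evaluation order (hosts.allow first, then hosts.deny, otherwise allow) and the `user@host` matching rules on two constructed sample files; the daemon names, hostnames and usernames are made up for the example, and EXCEPT lists and %-expansions are not modelled. The point a practitioner should take from it is the third scenario: the username is whatever the client machine's identd reports, so a failed lookup becomes "unknown" and falls through to the deny rule, and a client host that runs no identd (or a dishonest one) is the limit of what this check can assert.

```python
"""How tcp_wrappers decides a connection when hosts.allow uses user@host.

Added illustration for the hosts.allow hint above; not part of the
original post and not the tcp_wrappers source.  It reproduces the
hosts_access(5) evaluation order (hosts.allow first, then hosts.deny,
otherwise allow) and the user@host matching rules on constructed sample
files.  EXCEPT lists and %-expansions are not modelled.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample files, in the shape the post describes: one
# user@host entry in hosts.allow, everything else refused in hosts.deny.
HOSTS_ALLOW = """
# daemon : client pattern
in.telnetd : alice@unix.client.example.org
in.ftpd    : ALL@trusted.example.org
"""

HOSTS_DENY = """
ALL : ALL
"""

Rule = Tuple[List[str], List[str]]


@dataclass(frozen=True)
class Connection:
    daemon: str
    client_host: str
    # Name returned by the client's identd (RFC 931 lookup); None means
    # the lookup failed or nothing answered, which tcp_wrappers records
    # as the placeholder "unknown".  The answer comes from the client
    # machine itself, so it is only as trustworthy as that machine.
    ident_user: Optional[str]


def parse_rules(text: str) -> List[Rule]:
    """Parse 'daemon_list : client_list' lines, skipping comments."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = (part.strip() for part in line.split(":", 1))
        rules.append((daemons.split(), clients.split()))
    return rules


def host_matches(pattern: str, host: str) -> bool:
    if pattern == "ALL":
        return True
    if pattern.startswith("."):          # ".example.org" matches the domain
        return host.endswith(pattern)
    return pattern == host


def user_matches(pattern: str, ident_user: Optional[str]) -> bool:
    known = ident_user is not None
    if pattern == "ALL":
        return True
    if pattern == "KNOWN":
        return known
    if pattern == "UNKNOWN":
        return not known
    # A literal name never matches a failed lookup ("unknown").
    return known and pattern == ident_user


def client_matches(pattern: str, conn: Connection) -> bool:
    if "@" in pattern:
        user_pat, host_pat = pattern.split("@", 1)
        return (user_matches(user_pat, conn.ident_user)
                and host_matches(host_pat, conn.client_host))
    return host_matches(pattern, conn.client_host)


def rules_match(rules: List[Rule], conn: Connection) -> bool:
    for daemons, clients in rules:
        if (any(d in ("ALL", conn.daemon) for d in daemons)
                and any(client_matches(c, conn) for c in clients)):
            return True
    return False


def access_decision(conn: Connection,
                    allow: str = HOSTS_ALLOW,
                    deny: str = HOSTS_DENY) -> str:
    """hosts.allow is searched first; a match grants access.  Otherwise
    hosts.deny is searched; a match refuses.  No match anywhere grants."""
    if rules_match(parse_rules(allow), conn):
        return "allow"
    if rules_match(parse_rules(deny), conn):
        return "deny"
    return "allow"


if __name__ == "__main__":
    scenarios = [
        Connection("in.telnetd", "unix.client.example.org", "alice"),  # intended user
        Connection("in.telnetd", "unix.client.example.org", "bob"),    # other user, same box
        Connection("in.telnetd", "unix.client.example.org", None),     # identd not answering
        Connection("in.telnetd", "other.example.org", "alice"),        # right name, wrong host
        Connection("in.ftpd", "trusted.example.org", None),            # ALL@host needs no identd
    ]
    for conn in scenarios:
        print(f"{conn.daemon:11} {conn.client_host:25} "
              f"ident={conn.ident_user!s:8} -> {access_decision(conn)}")
```

Run stand-alone it prints one decision per scenario; only the first and last come out as "allow". The `ALL@host` form in the second hosts.allow line is worth noticing: it still triggers the identd lookup (so it appears in the log) but does not make the result depend on the answer.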
Regards, Antonio Paulo Salgado Forster Operacoes em Redes - RNP From owner-firewalls-list Sun Oct 5 13:21:57 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA07698; Sun, 5 Oct 1997 13:06:30 -0700 (PDT) Received: from Concord01.POP.InterNex.Net (concord01.pop.InterNex.Net [205.158.3.82]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id NAA07691 for ; Sun, 5 Oct 1997 13:06:22 -0700 (PDT) Message-Id: <199710052006.NAA07691@honor.greatcircle.com> Received: from [205.158.182.130] by Concord01.POP.InterNex.Net (Post.Office MTA v3.1.2 release (PO203-101c) ID# 0-34792U7500L7500S0) with SMTP id AAA2849; Sun, 5 Oct 1997 13:07:55 -0700 Subject: Re: SNA/IBM Security Date: Sun, 5 Oct 97 13:08:06 -0700 x-sender: INX-10108b@Concord01 x-mailer: Claris Emailer 2.0v2, June 6, 1997 From: Bill Husler To: "Sami Mousa" , Mime-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
Doesn't the current OS/400 support IP natively? We use IP to communicate between our AS400s and our mainframe - eliminating the need for encapsulation and allowing the firewall greater control over the traffic.
Bill
>
>Hello,
>
>I'd like to get your opinions of the security in place compared to the
>security of the redesign. Also, opinions on security in SNA/IBM
>environments, and risks.
>
>Security in the host today is accomplished through RACF, which defines user
>accounts, and specifies which resources the users can access.
>
>----------------
>
>My client has remote sites with various degrees of trust. Some remotes are
>part of the company, but not strictly controlled by IS as what they can or
>think they can do with their network.
>
>These sites are considered pretty secure, although not completely trusted.
>IS wants to have more control on what access they have to the corporate
>campus LAN.
>
>We have a firewall in place, which permits IS sanctioned IP applications to
>pass through.
>
>However, one of the requirements is SNA, with an AS400 located at the
>remote site connecting to an FEP with access to a mainframe located at the
>corporate site.
>
>The SNA is encapsulated into TCP and forwarded from the remote router to a
>corporate router, which de-encapsulates the TCP and forwards SNA onto the
>token ring.
>
>The firewall is currently set up to pass the DLSW TCP port number through,
>as long as the source and destination IP address are correct.
>
>The routers are set up to route IP. IPX, Appletalk, Vines, Decnet are not
>allowed to be bridged. Netbios is not passed through the DLSW tunnel either.
>
>We currently have the following:
>
>
>              AS400
>                |
>         (sna, token ring)
>                |
>  router dlsw peer (encapsulates sna into tcp, forwards tcp session to peer2)
>                |
>        FRAME RELAY NETWORK
>                |
>                |
>         router, IP only
>                |
>             --LAN--
>                |
>  firewall (permits dlsw tcp port 2065)
>                |
>                |
>         CAMPUS Token ring
>                |
>  DLSW Peer2 Router (No bridging on interface to Campus Ring)
>                |
>              ring
>                |
>          IBM FEP, 3745
>                |
>          IBM MAINFRAME
>
>Note that DLSW Peer2 router is inside the firewall. The interface that
>connects to the corporate campus Token ring does not have bridging enabled,
>so the SNA packets, when deencapsulated, do not get forwarded back onto
>that ring. They only get forwarded on to the FEP connected ring. There is
>no telnet access from outside the firewall to internal campus resources,
>without authentication at the firewall itself.
>
>There are other FEPs and FEP ring interfaces that connect directly to the
>campus token ring, which also connect to the MAINFRAME, for host access by
>people located on the campus network.
>
>There are some security risks, including denial of service attacks through
>excessive bridging packets, access to the FEP by anyone on a remote ring,...
>
>-----
>
>We are considering a redesign. I'd like to get your opinions of the
>security in place compared to the security of the redesign.
>Also, opinions
>on security in SNA/IBM environments, and risks.
>
>              AS400
>                |
>         (sna, token ring)
>                |
>  router dlsw peer (encapsulates sna into tcp, forwards tcp session to peer2)
>                |
>        FRAME RELAY NETWORK
>                |
>                |
>           router, IP
>           dlsw peer
>              |     \
>           --LAN--    \
>              |       ring
>           firewall     \
>              |         FEP
>              |
>       CAMPUS Token ring
>
>As you can see, the dlsw will no longer be tunneled through the firewall.
>The connection to the FEP would be outside the firewall. Nothing else is
>on the fep ring.
>
>The dlsw peer router would have to be set up with specific addresses of
>remote routers that could establish dlsw connections to it. The only added
>threat is that the router which is configured with the peer is also outside
>the firewall.
>Someone could potentially bring another router up, telnet to and break into
>the dlsw peer router, configure themself, and have access to the fep.
>
>Thanks,
>
>^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>** Sami Mousa, FORE ATM(WAN) Certified                                   **
>** International Network Services      Office: (908)603-8541 x320        **
>** Network Systems Engineer            e-mail: sami_mousa@ins.com        **
>** 120 Wood Ave South                  Pager:  (888)896-4064             **
>** Suite #615                          Fax:    (908)548-5630             **
>** Iselin, New Jersey 08830            www.ins.com                       **
>=============================================================================
> "My statements in this message are personal opinions \
>  which may have no basis whatsoever in fact."
> > > From owner-firewalls-list Sun Oct 5 15:36:03 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA24382; Sun, 5 Oct 1997 15:22:26 -0700 (PDT) Received: from smtp1.erols.com (smtp1.erols.com [205.252.116.101]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id PAA24375 for ; Sun, 5 Oct 1997 15:22:20 -0700 (PDT) Received: from farroyo39.geologics.com (spg-as55s36.erols.com [207.172.49.99]) by smtp1.erols.com (8.8.6/8.8.5) with SMTP id SAA11007 for ; Sun, 5 Oct 1997 18:29:21 -0400 (EDT) Received: by farroyo39.geologics.com with Microsoft Mail id <01BCD1B2.C1ADADA0@farroyo39.geologics.com>; Sun, 5 Oct 1997 17:18:54 -0400 Message-ID: <01BCD1B2.C1ADADA0@farroyo39.geologics.com> From: Chris Inskeep To: "firewalls@GreatCircle.COM" Subject: Need Vendors for Williamsburg Conference Date: Sun, 5 Oct 1997 17:18:50 -0400 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk If you're not a firewall vendor or reseller, please hit delete now. If you are a vendor or reseller: I need to recruit 4 - 5 firewall vendors and/or resellers to provide technology demonstrations at a security seminar 29 - 31 October in Williamsburg, Virginia primarily designed for the Department of Agriculture (but with a much broader audience.) This makes the most sense for companies in the mid-Atlantic who can follow up on interest within the Department. If your firm is interested, I will forward the specifics (a fee applies.) Vendors will also have the opportunity to make a presentation as part of a panel on Friday, 31 October. Thanks! 
Chris From owner-firewalls-list Sun Oct 5 17:41:01 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id QAA03891; Sun, 5 Oct 1997 16:32:10 -0700 (PDT) Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-970824-1) id QAA03883 for firewalls@greatcircle.com; Sun, 5 Oct 1997 16:32:04 -0700 (PDT) Received: from paleale.cisco.com (paleale.cisco.com [171.69.95.88]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id KAA14846 for ; Thu, 2 Oct 1997 10:12:11 -0700 (PDT) Received: from Baden.cisco.com (dhcp-i-91-123.cisco.com [171.69.91.123]) by paleale.cisco.com (8.8.4-Cisco.1/8.6.5) with SMTP id KAA24222 for ; Thu, 2 Oct 1997 10:12:40 -0700 (PDT) Message-Id: <3.0.1.32.19971002101237.00b119b0@lexicon.ins.com> X-Sender: ljrebar@lexicon.ins.com X-Mailer: Windows Eudora Pro Version 3.0.1 (32) Date: Thu, 02 Oct 1997 10:12:37 -0700 To: firewalls@GreatCircle.COM From: "Rebar - Lawrence J. Rebarchik" Subject: firewall-wizards mailing list... Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
Was a bounce.... --
Since I opened my big mouth about the firewall wizards list, I was asked by a number of people to repost the subscription information here. In short, mail majordomo@nfr.net with the line: subscribe firewall-wizards in the body of the email.
Cheers, --Dg From owner-firewalls-list Sun Oct 5 19:30:40 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id TAA25574; Sun, 5 Oct 1997 19:14:12 -0700 (PDT) Received: from AIKEN.AIK.TEC.SC.US (AIKEN.AIK.TEC.SC.US [199.4.146.5]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id TAA25567 for ; Sun, 5 Oct 1997 19:14:07 -0700 (PDT) Date: Sun, 5 Oct 1997 22:15:44 -0400 From: LISTS@aik.tec.sc.us To: FIREWALLS@GREATCIRCLE.COM Message-Id: <971005221544.20e1fb5c@aik.tec.sc.us> Subject: Three way firewall wanted Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
We need a firewall to protect our Admin segment from our students as well as both from the Internet (and maybe the Internet from our students). Two firewall systems should work, but we don't have the budget for two.
Right now we have the Internet coming in over 1/2 T1 using frame relay to a Cisco 2514 router to two C-class segments on regular ethernet. However, we expect to soon have a much faster internet fiber optic connection (of a yet to be determined nature but the pipe going by us is OC3), be adding some fast ethernet segments with switchers, and adding one or two more class-C address ranges.
Are there any words of wisdom, or suggestions of where to visit during Networld in Atlanta?
Ray Timmons
From owner-firewalls-list Sun Oct 5 21:00:52 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id UAA10983; Sun, 5 Oct 1997 20:59:29 -0700 (PDT) Received: from carshp.carsinfo.com (carshp.carsinfo.com [192.148.241.111]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id UAA10941 for ; Sun, 5 Oct 1997 20:59:13 -0700 (PDT) Received: by carshp.carsinfo.com (1.38.193.5/16.2) id AA20284; Sun, 5 Oct 1997 23:59:37 -0400 Date: Sun, 5 Oct 1997 23:59:36 -0400 (EDT) From: Richard Reno Subject: Re: Just wondering - pipeline computer firewalls?
To: Sick Puppy Cc: firewalls@GreatCircle.COM In-Reply-To: Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
On Thu, 2 Oct 1997, Sick Puppy wrote:
> Not too long ago I had a lot of free time to think about things and I
> became somewhat familiar with the Galaxy Pipeline Computer (rough
> translation) developed at Tokyo University. For about $20,000 they built
Could you spare some of that free time? :)
> It seems to me that firewalls are not incredibly complex machines
> and it should be possible to break the instructions into sets and hard
> code them on hundreds of processors. Such a machine should be able to
> keep up with a T3 line quite easily.
>
Actually, this might well be economically feasible now and not have the problems that a hardware solution would have had a few years ago. Large FPGAs are approaching 100K gates or more. (To put this in perspective, early computers were built from a few thousand gates) That alone would not make it practical, but many of the newer ones are programmed not by device programmers but by the contents of static ram bits spread around the chip. The users of these chips are increasingly doing the design in VHDL which is just another programming language. Wouldn't it be a hoot if someone built a C -> VHDL translator and then put the firewall code directly in these chips? Also because the programming is set in the static ram, fixes could be incorporated by just rebooting after reloading the program.
This is a simplistic view, of course, but there is a possibility of approaching it this way. I could see as a first step the placement of the entire TCP/IP stack into this hardware. Golly, this could lead to Really intelligent NICs.
Richard

From owner-firewalls-list Mon Oct 6 01:16:43 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id AAA28812; Mon, 6 Oct 1997 00:57:20 -0700 (PDT)
Received: from gate.netbenefit.co.uk (gate.netbenefit.co.uk [195.153.24.12]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id AAA28805 for ; Mon, 6 Oct 1997 00:57:15 -0700 (PDT)
Received: from Luna.netbenefit.co.uk [195.153.24.28] by gate.netbenefit.co.uk with smtp (Exim 1.61 #5) id 0xI837-0002Pu-01; Mon, 6 Oct 1997 08:57:53 +0100
Message-Id: <3.0.32.19971006085327.0074f1b4@gate.netbenefit.co.uk>
X-Sender: adam@gate.netbenefit.co.uk
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Mon, 06 Oct 1997 08:53:28 +0100
To: firewalls@GreatCircle.COM
From: Adam Threadgold
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

remove

From owner-firewalls-list Mon Oct 6 01:23:04 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id AAA28861; Mon, 6 Oct 1997 00:57:36 -0700 (PDT)
Received: from gate.netbenefit.co.uk (gate.netbenefit.co.uk [195.153.24.12]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id AAA28836 for ; Mon, 6 Oct 1997 00:57:26 -0700 (PDT)
Received: from Luna.netbenefit.co.uk [195.153.24.28] by gate.netbenefit.co.uk with smtp (Exim 1.61 #5) id 0xI83J-0002Q0-00; Mon, 6 Oct 1997 08:58:05 +0100
Message-Id: <3.0.32.19971006085339.0074f1b4@gate.netbenefit.co.uk>
X-Sender: adam@gate.netbenefit.co.uk
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Mon, 06 Oct 1997 08:53:40 +0100
To: firewalls@GreatCircle.COM
From: Adam Threadgold
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

remove

From owner-firewalls-list Mon Oct 6 01:24:06 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id AAA28910; Mon, 6 Oct 1997 00:58:28 -0700 (PDT)
Received: from brussels.cisco.com (brussels.cisco.com [171.68.129.238]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id AAA28903 for ; Mon, 6 Oct 1997 00:58:18 -0700 (PDT)
Received: from cons-evyncke.cisco.com (brussels-dynamic72.cisco.com [171.68.129.82]) by brussels.cisco.com (8.8.5/8.8.5) with SMTP id JAA25556; Mon, 6 Oct 1997 09:59:02 +0200 (METDST)
Message-Id: <3.0.3.32.19971006095301.0074102c@brussels.cisco.com>
X-Sender: evyncke@brussels.cisco.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Mon, 06 Oct 1997 09:53:01 +0000
To: Bill Husler , "firewalls"
From: Eric Vyncke
Subject: Re: VLANs for Security Inside the Firewall
In-Reply-To: <199710051657.JAA10359@honor.greatcircle.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 09:58 5/10/97 -0700, Bill Husler wrote:
......
>I understand that these switches are configured via a telnet session. Is
>there a way (on the switch) to ensure that this activity may only be
>performed via specific switch ports (ie. I would like to ensure that if
>someone is remapping the VLANs, they are doing so from something along
>the lines of a console or secured area).

I can only speak for the switches of my employer (Cisco): yes, you can restrict the management to be done via only one VLAN (thus a couple of port(s)), and there is obviously a username/password prompt which can be redirected to a Radius/Tacacs+ server.
-eric

Eric Vyncke
Technical Consultant
Cisco Systems Belgium SA/NV
Phone: +32-2-778.4677
Fax: +32-2-778.4300
E-mail: evyncke@cisco.com
Mobile: +32-75-312.458

From owner-firewalls-list Mon Oct 6 01:31:01 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id BAA01132; Mon, 6 Oct 1997 01:18:42 -0700 (PDT)
Received: from mail.arcor.net (tm.cni.net [194.115.51.2]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id BAA01123 for ; Mon, 6 Oct 1997 01:18:36 -0700 (PDT)
Received: from arcor.net by mail.arcor.net with ESMTP (8.6.5:29/GEN-1.1.9:5) via EUnet for greatcircle.com id KAA03743; Mon, 6 Oct 1997 10:19:46 +0100
Message-ID: <3438AD44.862C2CE2@arcor.net>
Date: Mon, 06 Oct 1997 10:20:04 +0200
From: Benjamin Brumaire
X-Mailer: Mozilla 4.02 [en] (Win95; I)
MIME-Version: 1.0
To: firewalls@GreatCircle.COM
Subject: (no subject)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

remove

From owner-firewalls-list Mon Oct 6 04:15:42 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id EAA22643; Mon, 6 Oct 1997 04:13:49 -0700 (PDT)
Received: from stl_firewall ([192.172.5.200]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id EAA22636 for ; Mon, 6 Oct 1997 04:13:44 -0700 (PDT)
From: STEVE.CONNOLLY@arpstl-emh2.army.mil
Received: from ARPSTL-EMH2.ARMY.MIL by stl_firewall (AIX 4.1/UCB 5.64/4.03) id AA11418; Mon, 6 Oct 1997 06:02:09 -0500
X400-Originator: STEVE.CONNOLLY@arpstl-emh2.army.mil
X400-Recipients: Firewalls@GreatCircle.COM
X400-Mts-Identifier: [/ADMD=BLANK/C=US/;0008200001397503000002]
X400-Content-Type: P2-1988 (22)
Message-Id: <0008200001397503000002*@MHS>
To: " - (052)Firewalls(a)GreatCircle.COM" , "/S=owner-firewalls-list(a)GreatCircle.COM/ADMD=BLANK/C=US/"@ARPSTL-EMH2.ARMY.MIL (a)
Subject: Re:Williamsburg Security Seminar
Date: Mon, 6 Oct 1997 06:21:26 -0400
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Please send me the full agenda on the seminar. Thanks.

Steve Connolly
steve.connolly@arpstl-emh2.army.mil

From owner-firewalls-list Mon Oct 6 06:46:08 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA01426; Mon, 6 Oct 1997 06:32:49 -0700 (PDT)
Received: from insync.net (vellocet.insync.net [204.253.208.10]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id GAA01403 for ; Mon, 6 Oct 1997 06:32:41 -0700 (PDT)
Received: from houinet1.hou.moc.com (houinet1.hou.moc.com [192.70.218.1]) by insync.net (8.8.7/8.7.1) with ESMTP id IAA03829; Mon, 6 Oct 1997 08:34:22 -0500 (CDT)
Received: from fdyp62120 ([89.2.21.94]) by houinet1.hou.moc.com (8.8.4/8.8.4) with SMTP id IAA11543; Mon, 6 Oct 1997 08:33:48 -0500 (CDT)
Message-Id: <3.0.3.32.19971006093026.009617d0@houinet.hst.moc.com>
X-Sender: zawodny@houinet.hst.moc.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Mon, 06 Oct 1997 09:30:26 -0400
To: Andy Lewis , Firewalls@GreatCircle.COM
From: "Jeremy D. Zawodny"
Subject: Re: hosts.allow
In-Reply-To:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 04:04 PM 10/3/97 -0500, Andy Lewis wrote:
>I hope that this is not off topic.

You lose.

Jeremy
--
Jeremy Zawodny
Internet Technology Group
Information Technology Services
Marathon Oil Company, Findlay Ohio
http://www.marathon.com/
Unless explicitly stated, these are my opinions only--not those of my employer.
From owner-firewalls-list Mon Oct 6 07:01:22 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA01482; Mon, 6 Oct 1997 06:33:07 -0700 (PDT)
Received: from insync.net (vellocet.insync.net [204.253.208.10]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id GAA01423 for ; Mon, 6 Oct 1997 06:32:45 -0700 (PDT)
Received: from houinet1.hou.moc.com (houinet1.hou.moc.com [192.70.218.1]) by insync.net (8.8.7/8.7.1) with ESMTP id IAA03843; Mon, 6 Oct 1997 08:34:26 -0500 (CDT)
Received: from fdyp62120 ([89.2.21.94]) by houinet1.hou.moc.com (8.8.4/8.8.4) with SMTP id IAA11570; Mon, 6 Oct 1997 08:33:54 -0500 (CDT)
Message-Id: <3.0.3.32.19971006093345.00964140@houinet.hst.moc.com>
X-Sender: zawodny@houinet.hst.moc.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Mon, 06 Oct 1997 09:33:45 -0400
To: phloyd@cyberjunkie.com, firewalls@GreatCircle.COM
From: "Jeremy D. Zawodny"
Subject: Re: Audio Electronic Engineering
In-Reply-To: <34357DF2.6FCC@cyberjunkie.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 05:21 PM 10/3/97 -0500, Brian Nunes wrote:
>I need information on the first steps in becoming an Audio Electronic
>Engineer. I was wondering if anyone could recommend a starting point,
>whether it be a specialized school, or college courses?
>Was wondering about expected income, what qualifications are needed, any
>good schools, and general employment outlook.

This is off-topic for the firewalls list. Please take the discussion elsewhere.

Jeremy, the self-appointed list cop of the day... :-)
--
Jeremy Zawodny
Internet Technology Group
Information Technology Services
Marathon Oil Company, Findlay Ohio
http://www.marathon.com/
Unless explicitly stated, these are my opinions only--not those of my employer.
From owner-firewalls-list Mon Oct 6 07:16:38 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA01481; Mon, 6 Oct 1997 06:33:04 -0700 (PDT)
Received: from insync.net (vellocet.insync.net [204.253.208.10]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id GAA01405 for ; Mon, 6 Oct 1997 06:32:41 -0700 (PDT)
Received: from houinet1.hou.moc.com (houinet1.hou.moc.com [192.70.218.1]) by insync.net (8.8.7/8.7.1) with ESMTP id IAA03836; Mon, 6 Oct 1997 08:34:23 -0500 (CDT)
Received: from fdyp62120 ([89.2.21.94]) by houinet1.hou.moc.com (8.8.4/8.8.4) with SMTP id IAA11560; Mon, 6 Oct 1997 08:33:51 -0500 (CDT)
Message-Id: <3.0.3.32.19971006093220.00931530@houinet.hst.moc.com>
X-Sender: zawodny@houinet.hst.moc.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Mon, 06 Oct 1997 09:32:20 -0400
To: Nathan Zych - ML , Firewalls@GreatCircle.COM
From: "Jeremy D. Zawodny"
Subject: Re: Please help - Linux anon FTP
In-Reply-To: <3.0.32.19971003232647.009f7480@main.home>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 11:26 PM 10/3/97 -0400, Nathan Zych - ML wrote:
>
>Would anyone be willing to explain to me how to create additional anonymous
>users on a linux system running with wu-ftpd. They cannot be normal users,
>they must be chroot'ed so they have access just to their home directory.
>If there is a HOWTO or Faq that may help me could someone please point me
>in the right direction.

This is off-topic for the firewalls list. Please take the discussion elsewhere.

Jeremy, the self-appointed list cop of the day... :-)
--
Jeremy Zawodny
Internet Technology Group
Information Technology Services
Marathon Oil Company, Findlay Ohio
http://www.marathon.com/
Unless explicitly stated, these are my opinions only--not those of my employer.
From owner-firewalls-list Mon Oct 6 08:04:50 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA04997; Mon, 6 Oct 1997 07:13:54 -0700 (PDT)
Received: from castle.us-state.gov (castle.us-state.gov [198.76.102.19]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id HAA04963 for ; Mon, 6 Oct 1997 07:13:43 -0700 (PDT)
Received: by castle.us-state.gov; id AA14626; Mon, 6 Oct 97 06:45:19 EDT
Received: from pubhost.us-state.gov(198.76.102.34) by castle.us-state.gov via smap (V1.3mjr) id sma014617; Mon Oct 6 06:44:42 1997
Received: by pubhost.us-state.gov; id AA15956; Mon, 6 Oct 97 06:44:06 EDT
Received: by localhost with Microsoft MAPI; Mon, 6 Oct 1997 06:41:22 -0400
Message-Id: <01BCD222.DC69E620@gcrum@us-state.gov>
From: Gary Crumrine
Reply-To: "gcrum@us-state.gov"
To: "'David LeBlanc'" , "osiris@gnss.com"
Cc: "firewalls@GreatCircle.COM"
Subject: RE: Microsoft vs The world (apology)
Date: Mon, 6 Oct 1997 06:41:19 -0400
Organization: US Dept of State (Contractor)
X-Mailer: Microsoft Internet E-mail/MAPI - 8.0.0.4025
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I haven't seen this on my system yet, but I am a little miffed over something I experienced last night though. I was installing one of the cd packages from one of the bigger known ISP providers (3 letters) and when I had it all installed, and up and running, I found that when I tried to exit the system, it pops up a message concerning problems with MS Explorer, and starts into this 20 minute download of a supposed fix. Now I don't know about you, but I'd sure like to know what is getting pushed to my system and given an opportunity to choose if I want to kill it or not.

On Monday, September 15, 1997 6:10 PM, David LeBlanc [SMTP:dleblanc@iss.net] wrote:
| At 10:47 9/15/97 -0700, you wrote:
|
| >In this morning's newspaper (reference follows), I found an article of
| >some interest. In it, there was an interview with a beta tester of IE
| >4.0. Apparently, IE 4.0 - if left unattended - will routinely initiate
| >a connection to Microsoft. Purportedly, this feature (not a bug, a
| >feature) allows updates and special web pages to be downloaded while
| >the user is away from the terminal (busy, asleep, etc.) These updates
| >are then stored on the hard disk drive of the user. According to the
| >beta tester:
|
| >"I...discovered that my computer had connected itself to the
| >Internet...I was completely freaking out. I pulled the phone plug
| >right out of the wall."
|
| Odd - I've had IE 4.0 on my home box for some weeks, and it has never once
| taken it upon itself to call my ISP and connect to MS. I haven't really
| monitored what it does while on line extremely carefully, and I haven't
| taken any special precautions to prevent this from happening, either. It
| is possible this is because I don't have any of the "pointcast" junk turned
| on - blew up first time I tried it, and I haven't fooled with it since.
|
| Perhaps "freaking out" users may not be the most reliable source of info.
| Although I'd certainly be displeased if it did start dialing home, I can
| think of less destructive ways to stop this behavior than yanking on wires.
|
| >More bizarre yet is this: in addition to the 250K download, his machine
| >also UPLOADED 58,000 bytes of information. The beta tester reported that
| >he did not know what data had been uploaded.
|
| Be interesting to see what it is doing - it could be just requests and that
| sort of thing.
|
| >I am wondering this: suppose such a box was located behind a firewall
| >but was allowed outside access. Does this not constitute an EXTREME
| >security risk? If 4.0 is capable of uploading information from a local
| >drive of a 95 box, it can presumably do this from badly managed shares
| >as well, no?
|
| No telling. IMHO, we need to examine this a bit before we get cranked
| about it. Be interesting to see if it can be duplicated, then log the
| traffic.
|
|
| -----------------------------------------------------------
| David LeBlanc                   | Voice: (770)395-0150 x138
| Internet Security Systems, Inc. | Fax: (404)395-1972
| 41 Perimeter Center East        | E-Mail: dleblanc@iss.net
| Suite 660                       | www: http://www.iss.net/
| Atlanta, GA 30328               |

From owner-firewalls-list Mon Oct 6 08:31:04 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA15053; Mon, 6 Oct 1997 08:00:20 -0700 (PDT)
Received: from bdc9000.pccmis.com (pccentral.cyberportal.net [204.97.235.63]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id HAA14897 for ; Mon, 6 Oct 1997 07:59:39 -0700 (PDT)
Received: by bdc9000.pccmis.com with Internet Mail Service (5.0.1457.3) id <4CB0AYX4>; Mon, 6 Oct 1997 11:02:47 -0400
Message-ID: <951A67E9EBBFD011993E0000E82C67F0047157@bdc9000.pccmis.com>
From: Chris Brenton
To: firewalls@greatcircle.com
Subject: MS Windows and their security status
Date: Mon, 6 Oct 1997 11:02:46 -0400
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1457.3)
Content-Type: text/plain; charset="iso-8859-1"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Okay, I've had yet another off-line discussion with a member of this list who has hit me with "but Windows NT _must_ be secure, it received a C2 security rating". For others who are in the same mindset, some links to check out:

http://www.radium.ncsc.mil/tpep/epl/epl-by-class.html

Lists the NSA systems that have met their predefined levels of security. One thing worth noting is that NT 3.5 is listed under C2, but NT 4.0 is not.
If you follow the link:

http://www.radium.ncsc.mil/tpep/epl/entries/CSC-EPL-95-003.html

You will get a summary of their review process for Windows NT. Two comments worth noting:

"Because the evaluated configuration does not include a network environment, both products (Windows NT server and Workstation) are considered stand-alone workstations."

"A network configuration of the Windows NT platform is currently pending evaluation agreement."

In other words, Microsoft has not yet agreed to allow their product to undergo an evaluation in a networked environment.

Now, based upon this evaluation, Microsoft has found it proper to advertise the following:

http://www.microsoft.com/ntserver/info/security.htm

They "imply" without directly stating that the C2 certification is for a networked environment when it is not.

If you want some more "fun" reading, check out the "Microsoft Responses" link off of this page. My personal favorite is the "Password snatcher" article where Microsoft does not deem the ability to grab logon names and passwords as being a problem because:

"Because the effectiveness of this tool is limited to a single physical segment of the network, Microsoft has determined that this does not compromise security of a corporate network."
LOL

From owner-firewalls-list Mon Oct 6 09:00:55 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA26147; Mon, 6 Oct 1997 08:57:34 -0700 (PDT)
Received: from gatekeeper.kpmg.co.uk (gatekeeper.kpmg.co.uk [158.177.32.1]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id IAA26063 for ; Mon, 6 Oct 1997 08:57:14 -0700 (PDT)
Received: by gatekeeper.kpmg.co.uk; id QAA13475; Mon, 6 Oct 1997 16:59:20 +0100 (BST)
Received: from unknown(158.174.24.70) by gatekeeper.kpmg.co.uk via smap (V3.1) id xmaa13419; Mon, 6 Oct 97 16:59:06 +0100
Received: from ccMail by ccgate.kpmg.co.uk (IMA Internet Exchange 2.1 Enterprise) id 00070FDA; Mon, 6 Oct 97 17:00:59 +0100
Mime-Version: 1.0
Date: Mon, 6 Oct 1997 16:56:21 +0100
Message-ID: <00070FDA.3043@kpmg.co.uk>
From: Craig.Penton@kpmg.co.uk (Craig Penton)
Subject: Info
To: firewalls@greatcircle.com
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Description: cc:Mail note part
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Email Disclaimer

The information in this email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this email by anyone else is unauthorised. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful. When addressed to our clients any opinions or advice contained in this email are subject to the terms and conditions expressed in the governing KPMG client engagement letter.
From owner-firewalls-list Mon Oct 6 10:01:28 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA00945; Mon, 6 Oct 1997 09:26:55 -0700 (PDT)
Received: from mtigwc03.worldnet.att.net (mtigwc03.worldnet.att.net [204.127.131.34]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id JAA00841 for ; Mon, 6 Oct 1997 09:26:33 -0700 (PDT)
Received: from uymfdlvk ([207.116.216.244]) by mtigwc03.worldnet.att.net (post.office MTA v2.0 0613 ) with ESMTP id AAB29558; Mon, 6 Oct 1997 16:28:13 +0000
Reply-To:
From: "Mark Teicher"
To: , "'David LeBlanc'" ,
Cc:
Subject: Re: Microsoft vs The world (apology)
Date: Mon, 6 Oct 1997 12:27:51 -0400
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1161
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Message-ID: <19971006162808.AAB29558@uymfdlvk>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Boy, I agree with Gary on this one.. I just installed IE 4.0 on one of my machines and it does a lot of changes to the registry and such, but even after examination of the changes, it does not leave you with an audit record of the real changes it did to the system.. Even at one point during the install, "Now optimizing system": I have no idea what this message means, but since I did not know what it was doing, I uninstalled it.. Programs that size that change your environment should have an audit trail through the process to ensure or guarantee to the user that it is not installing/changing settings you have done. I have seen those 20 minute fixes for certain programs. I am truly amazed that corporations who design software that try to make it easy for the client or end user that the security factor is almost eliminated from the equation.
My .02
/mht

----------
> From: Gary Crumrine
> To: 'David LeBlanc' ; osiris@gnss.com
> Cc: firewalls@GreatCircle.COM
> Subject: RE: Microsoft vs The world (apology)
> Date: Monday, October 06, 1997 6:41 AM
>
> I haven't seen this on my system yet, but I am a little miffed over
> something I experienced last night though. I was installing one of the
> cd packages from one of the bigger known ISP providers (3 letters) and
> when I had it all installed, and up and running, I found that when I
> tried to exit the system, it pops up a message concerning problems with
> MS Explorer, and starts into this 20 minute download of a supposed fix.
> Now I don't know about you, but I'd sure like to know what is getting
> pushed to my system and given an opportunity to choose if I want to kill
> it or not.
>
> On Monday, September 15, 1997 6:10 PM, David LeBlanc
> [SMTP:dleblanc@iss.net] wrote:
> | At 10:47 9/15/97 -0700, you wrote:
> |
> | >In this morning's newspaper (reference follows), I found an article of
> | >some interest. In it, there was an interview with a beta tester of IE
> | >4.0. Apparently, IE 4.0 - if left unattended - will routinely initiate
> | >a connection to Microsoft. Purportedly, this feature (not a bug, a
> | >feature) allows updates and special web pages to be downloaded while
> | >the user is away from the terminal (busy, asleep, etc.) These updates
> | >are then stored on the hard disk drive of the user. According to the
> | >beta tester:
> |
> | >"I...discovered that my computer had connected itself to the
> | >Internet...I was completely freaking out. I pulled the phone plug
> | >right out of the wall."
> |
> | Odd - I've had IE 4.0 on my home box for some weeks, and it has never once
> | taken it upon itself to call my ISP and connect to MS. I haven't really
> | monitored what it does while on line extremely carefully, and I haven't
> | taken any special precautions to prevent this from happening, either. It
> | is possible this is because I don't have any of the "pointcast" junk turned
> | on - blew up first time I tried it, and I haven't fooled with it since.
> |
> | Perhaps "freaking out" users may not be the most reliable source of info.
> | Although I'd certainly be displeased if it did start dialing home, I can
> | think of less destructive ways to stop this behavior than yanking on wires.
> |
> | >More bizarre yet is this: in addition to the 250K download, his machine
> | >also UPLOADED 58,000 bytes of information. The beta tester reported that
> | >he did not know what data had been uploaded.
> |
> | Be interesting to see what it is doing - it could be just requests and that
> | sort of thing.
> |
> | >I am wondering this: suppose such a box was located behind a firewall
> | >but was allowed outside access. Does this not constitute an EXTREME
> | >security risk? If 4.0 is capable of uploading information from a local
> | >drive of a 95 box, it can presumably do this from badly managed shares
> | >as well, no?
> |
> | No telling. IMHO, we need to examine this a bit before we get cranked
> | about it. Be interesting to see if it can be duplicated, then log the
> | traffic.
> |
> |
> | -----------------------------------------------------------
> | David LeBlanc                   | Voice: (770)395-0150 x138
> | Internet Security Systems, Inc. | Fax: (404)395-1972
> | 41 Perimeter Center East        | E-Mail: dleblanc@iss.net
> | Suite 660                       | www: http://www.iss.net/
> | Atlanta, GA 30328               |

From owner-firewalls-list Mon Oct 6 10:22:30 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA08598; Mon, 6 Oct 1997 10:13:24 -0700 (PDT)
Received: from ecbull20.frec.bull.fr (ecbull20.frec.bull.fr [129.183.1.5]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id KAA08570 for ; Mon, 6 Oct 1997 10:13:12 -0700 (PDT)
Received: from esquelet.frec.bull.fr (esquelet.frec.bull.fr [129.183.82.33]) by ecbull20.frec.bull.fr (8.8.5/8.8.2) with ESMTP id TAA22096 for ; Mon, 6 Oct 1997 19:17:03 +0200
Received: from localhost (deignan@localhost) by esquelet.frec.bull.fr (8.7.5/8.7) with SMTP id TAA94088 for ; Mon, 6 Oct 1997 19:14:50 +0200
X-Authentication-Warning: esquelet.frec.bull.fr: deignan owned process doing -bs
Date: Mon, 6 Oct 1997 19:14:50 +0200 (DFT)
From: Ciaran Deignan
X-Sender: deignan@esquelet
To: firewalls@greatcircle.com
Subject: dynamic address translation...
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm not on this mailing list, so please copy me in any replies, and please forgive me if it's an old question (I've checked the Firewall FAQ on clark.net). I work in the Bull Unix R&D centre in France. The Bull firewall product, NetWall, is developed here. The developers of NetWall have implemented a new Dynamic Address Translation function in NetWall, and I'm looking for information on the limitations inherent in the technology they're using.

Basically the new dynamic address translation in NetWall replaces the calling address and port number in TCP and UDP "connection" requests coming from a "mappable" host by the IP address of the interface by which the packet exits the machine. The source port is replaced by a number greater than 65000.
For starters I've no idea how it's possible to generate TCP frames with source port numbers greater than 2 to-the-power-of 16. But I suppose it's documented in an RFC somewhere. I've heard that this type of dynamic address translation has also been implemented by Cisco, and that it's called "Source Port Multiplexing" or "Source Port Mapping" or something.

Obviously this technology only supports TCP and UDP communications. However I have the unnerving feeling that some commonly-used services won't like this sort of magic. The engineering has told me that FTP is supported, but what about sendmail?

Has anybody had any experience with a real-life application of this sort of technology, and are there any "gotchas" that you could help us avoid?

Thanks
Ciaran

+-------------------------------------------------------------------------+
Ciaran Deignan                              Tel: (France) 04 76 29 79 92
BULL OSPBU (http://www-frec.bull.com)       Internet Support Project Leader
Office: C1/048                              Bullcom: 229 79 92
Mail to: B1/054 or C.Deignan@frec.bull.fr   Fax: 229 78 62
+-------------------------------------------------------------------------+

From owner-firewalls-list Mon Oct 6 10:31:28 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA27300; Mon, 6 Oct 1997 09:03:50 -0700 (PDT)
Received: from jtfcom.js-jtf.af.mil (jtfcom.pafb.af.mil [131.25.50.17]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id JAA27160 for ; Mon, 6 Oct 1997 09:03:10 -0700 (PDT)
Received: by jtfcom.js-jtf.af.mil with Microsoft Exchange (IMC 4.0.837.3) id <01BCD194.817F4D60@jtfcom.js-jtf.af.mil>; Sun, 5 Oct 1997 13:42:21 -0400
Message-ID:
From: "Engasser, Charlie"
To: "'Franco RUGGIERI'"
Cc: "'Firewalls@GreatCircle.COM'"
Subject: RE: Firewall-1, packet -VS- Proxy
Date: Sun, 5 Oct 1997 13:42:21 -0400
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.837.3
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

1) It doesn't harden the system (Unix or NT or whatever it runs/will run on) by itself: it's up to the security admin to harden it: what if he/she is not so smart to do it properly?

1: Firewall-1 does install a kernel driver between the NIC driver and the OS (except on HPUX). So at least in theory the OS should be protected by whatever the firewall itself is hardened against. As for the sys admin not being smart enough to do it, well, companies get what they pay for. If the admin person isn't savvy enough to do it right, then that's not the fault of the firewall. Personally I find it appalling that someone would claim to be an administrator of their company's network security and take it on blind faith that a product protects them as claimed (or for that matter does anything as claimed). So what if one firewall says it hardens the system it's on? What exactly does that mean anyway? Do >>you<< know? In my opinion, the cost of a firewall product itself is only part of the equation; the other half is the cost of testing the product once it's set up. If you are not willing to fork over $$$ (be it time, resources, product or services) then it really doesn't matter if someone tells you the system was automagically "hardened", does it?

2) setting up the rules is a real headache, most of it defining all the objects that make up the network. And everything which is difficult to implement is error prone.

2: Setting up rules in Firewall-1 is easier than the other 1/2 dozen firewalls I've used and looked at. First off, Firewall-1 is capable of resolving network names just as any other system would, through DNS, HOSTS, NIS or SNMP. If the rest of your network is running properly, defining network objects is nothing more difficult than telling Firewall-1 what the name of the system is, and letting it do all the hard stuff (like remembering IP addresses).
The only objects that need to be defined are the ones that are directly affected by the rules policy. If you wish to define a global rule based on a subnet, then you define the subnet, then all systems in that subnet are affected by the rule in question.

As for the previous poster, I don't think that I would decide on Gauntlet unless I had already put a few more firewalls on a testbed. Gauntlet is rated fairly well as far as security goes, but its performance figures suck. It drops packets left and right when under high loads. If you want a contact # of a rep I know that would be happy to get you eval copies of just about anything, drop me an email. As for the systems >>I<< would personally look at, I would start with: Firewall-1, AltaVista, Raptor, Gauntlet, Cisco PIX (hardware). I would avoid at all costs: Borderware (and probably Sidewinder too) and On Track's OnGuard. E-mail me for details if you need them.

>

From owner-firewalls-list Mon Oct 6 11:31:00 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA18616; Mon, 6 Oct 1997 11:17:57 -0700 (PDT)
Received: from ex11434ab073.bragg.army.mil (emh4.bragg.army.mil [158.5.7.73]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id LAA16981 for ; Mon, 6 Oct 1997 11:09:14 -0700 (PDT)
Received: by emh4.bragg.army.mil with Internet Mail Service (5.0.1458.49) id <41J119SJ>; Mon, 6 Oct 1997 14:12:13 -0400
Message-ID: <5116B73B522CD1118DA200C06C703485011402@EX11434AA144>
From: "Maung, Than"
To: "'Craig.Penton@kpmg.co.uk'" , firewalls@greatcircle.com
Subject: RE: Info
Date: Mon, 6 Oct 1997 14:09:59 -0400
X-Priority: 3
X-Mailer: Internet Mail Service (5.0.1458.49)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Then don't send it out on this list!!!!!!!!!!!!!!!!!!!!!!!!!
-----Original Message-----
From: Craig.Penton@kpmg.co.uk [SMTP:Craig.Penton@kpmg.co.uk]
Sent: Monday, October 06, 1997 11:56 AM
To: firewalls@greatcircle.com
Subject: Info

Email Disclaimer

The information in this email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this email by anyone else is unauthorised. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful. When addressed to our clients any opinions or advice contained in this email are subject to the terms and conditions expressed in the governing KPMG client engagement letter.

From owner-firewalls-list Mon Oct 6 12:00:50 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA23727; Mon, 6 Oct 1997 11:52:43 -0700 (PDT)
Received: from relay.hq.tis.com (relay.hq.tis.com [192.94.214.100]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id LAA23700 for ; Mon, 6 Oct 1997 11:52:34 -0700 (PDT)
Received: by relay.hq.tis.com; id OAA01814; Mon, 6 Oct 1997 14:59:30 -0400 (EDT)
Received: from clipper.hq.tis.com(10.33.1.2) by relay.hq.tis.com via smap (4.0) id xma001806; Mon, 6 Oct 97 14:59:24 -0400
Received: from gildor (firewall-user@relay.hq.tis.com [10.33.1.1]) by clipper.hq.tis.com (8.7.5/8.7.3) with SMTP id OAA28980; Mon, 6 Oct 1997 14:50:27 -0400 (EDT)
Message-Id: <3.0.3.32.19971006145133.03238028@localhost>
X-Sender: avolio@localhost
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Mon, 06 Oct 1997 14:51:33 -0400
To: "Engasser, Charlie" , "'Franco RUGGIERI'"
From: Frederick M Avolio
Subject: RE: Firewall-1, packet -VS- Proxy
Cc: "'Firewalls@GreatCircle.COM'"
In-Reply-To:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> As for the previous poster, I don't think that I would decide on
>Gauntlet unless I had already put a few more firewalls on a testbed.
>Gauntlet is rated fairly well as far as security goes, but its
>performance figures suck. It drops packets left and right when under
>high loads. If you want a contact # of a rep I know that would be happy
>to get you eval copies of just about anything drop me an email. As for

Not sure what performance figures you are referring to (the ones that suck, I mean). To view the NSTL test results visit the TIS website at http://www.tis.com/testing. To view University of Kansas test results visit their website at http://www.ittc.ukans.edu/projects/performance/gauntlet/. And feel free to contact TIS directly for sales and evaluation copies. I've got to believe someone working for the USAF has better things to do. :-) They will even point you to customers who are serious about security and are running Gauntlet firewalls under heavy loads.

Fred

From owner-firewalls-list Mon Oct 6 12:15:53 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA27003; Mon, 6 Oct 1997 09:02:08 -0700 (PDT)
Received: from ex11434ab073.bragg.army.mil ([158.5.7.73]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id JAA26961 for ; Mon, 6 Oct 1997 09:01:56 -0700 (PDT)
Received: by emh4.bragg.army.mil with Internet Mail Service (5.0.1458.49) id <41J11874>; Mon, 6 Oct 1997 10:14:08 -0400
Message-ID: <5116B73B522CD1118DA200C06C7034850113FD@EX11434AA144>
From: "Maung, Than"
To: "'LISTS@aik.tec.sc.us'" , FIREWALLS@GREATCIRCLE.COM
Subject: RE: Three way firewall wanted
Date: Mon, 6 Oct 1997 10:06:27 -0400
X-Priority: 3
X-Mailer: Internet Mail Service (5.0.1458.49)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I don't know where to direct you to at Networld, but I've been running that way with 2 OC3 and 1 ether. Just make sure you got your routes straight. Depending on the platform you are using, make sure to beef up your memory.
Than M Maung

-----Original Message-----
From: LISTS@aik.tec.sc.us [SMTP:LISTS@aik.tec.sc.us]
Sent: Sunday, October 05, 1997 10:16 PM
To: FIREWALLS@GREATCIRCLE.COM
Subject: Three way firewall wanted

We need a firewall to protect our Admin segment from our students as well as both from the Internet (and maybe the Internet from our students). Two firewall systems should work, but we don't have the budget for two. Right now we have the Internet coming in over 1/2 T1 using frame relay to a Cisco 2514 router to two class-C segments on regular Ethernet. However, we expect to soon have a much faster Internet fiber optic connection (of a yet to be determined nature, but the pipe going by us is OC3), be adding some fast Ethernet segments with switches, and adding one or two more class-C address ranges. Are there any words of wisdom, or suggestions of where to visit during Networld in Atlanta?

Ray Timmons

From owner-firewalls-list Mon Oct 6 13:15:48 1997
Date: Mon, 6 Oct 1997 16:11:50 -0400 (EDT)
From: "Paul D. Robertson"
To: "Engasser, Charlie"
cc: "'Franco RUGGIERI'", "'Firewalls@GreatCircle.COM'"
Subject: RE: Firewall-1, packet -VS- Proxy

On Sun, 5 Oct 1997, Engasser, Charlie wrote:

> 1: Firewall-1 does install a kernel driver between the NIC driver and
> the OS. (except on HPUX). So at least in theory the OS should be
> protected by whatever the firewall itself is hardened against. As for
> the sys admin not being smart enough to do it, well, companies get what
> they pay for.

Looking at past exploits, and Checkpoint's reaction to the OOB bug in Windows NT, I would say that the hosting machine's services for administration and VPN support seem to be unhardened, and vulnerable to exploitation without extra work. If those responses are indicative of the overall argument of a hardened system versus a shim in the driver layer, then that shim boat just don't float.

> it hardens the system it's on? What exactly does that mean anyway? Do
> >>you<< know? In my opinion, the cost of a firewall product itself is

If the vendor can't quantify 'harden' to your satisfaction, you're dealing with the wrong vendor. There is value to having a hardened OS, network stack, filesystem, etc. A great deal of value in many instances, a number of which depend on the specific installation. For instance, if your firewall is going to play with a global authentication strategy, then you'll want to know the stack can survive low-level attacks. Dismissing hardening because you can't quantify a particular instantiation doesn't remove the value of someone having poked deep enough into the OS to remove some of its inherent problems.

> As for the previous poster, I don't think that I would decide on
> Gauntlet unless I had already put a few more firewalls on a testbed.
> Gauntlet is rated fairly well as far as security goes, but its
> performance figures suck. It drops packets left and right when under

Funny, all the studies I've seen for Gauntlet's performance far outstrip the available Internet bandwidth at most sites. Care to reference some figures? I'm preparing for some benchmarks in the near future on a few products, and I'd be more than happy to check your results.

FW-1's lack of a _complete_ implementation of stateful filtering, as well as the complexity of being able to do it well, would steer me away from it as a solution. For instance, Firewall-1 does *not* maintain state information for ICMP as it ships. All those reverse-telnet over ICMP programs floating around the net tend to worry me.

Consistency is important in security. You should be able to predict what your firewall will do with traffic, and how it applies its protection mechanisms. Unfortunately, the only way to find that out with FW-1 seems to be with a sniffer and a *lot* of time. If you've got the time to write Inspect code, and you trust the state engine to pass the right packets up, then FW-1 can make a good tool. However, it is marketed as a solution, not a tool, and frankly, it *needs* work for anything but the most blatant policies, which are *much* more easily verifiable via an application layer gateway. Making it *easy* for someone to punch large gaping holes in their perimeter without quantifying the risks is generally thought to be a bad thing. Personally, I think you should have to drag out the manual and understand what you are doing.

> I would avoid at all costs:
>
> Borderware (and probably Sidewinder too) and On Track's OnGuard. E-mail
> me for details if you need them.

If you're going to slam them in public, then make your accusations known. Given the lack of data backing up your assertions of Gauntlet's performance, and the existence of data to the contrary, I, for one, am skeptical.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
PSB#9280

From owner-firewalls-list Mon Oct 6 14:57:08 1997
Date: Mon, 6 Oct 1997 16:36:18 -0500 (CDT)
From: Brian Tackett
To: firewalls@greatcircle.com
Subject: Gauntlet, VPN/WAN/Dialups
In-Reply-To: <3.0.3.32.19971006145133.03238028@localhost>

All,

Interesting question. We're currently engaged in doing some initial research for a customer which operates an international WAN, with much of the processing done in a stateside location. Here is my series of questions:

1) We're using the following setup....

    INTERNET <---T1--->
                        |
                        |
                        |
                        |
    NT servers, with Oracle, other internal stuff
    RAS Server with remote dialups
        |
        |
    Remote offices worldwide, dialing in.

Now.....

2) I am VERY uneasy about having a) RAS dialups and b) a Frame Relay WAN behind the firewall. Backdoors are evil. However, the customer is very reluctant to relocate those outside the firewall, since they feel this would a) load the firewall much more, and b) introduce more failure points. What are some options as far as VPN or like products which could be used to secure dialups and/or FR sites? Specifically, can anyone give solid recommendations for something that does strong authentication and encryption over international telephone lines?

From owner-firewalls-list Mon Oct 6 17:30:39 1997
From: "Paquette, Trevor"
To: "'fw-1-mailinglist@us.checkpoint.com'", "'Firewalls@GreatCircle.COM'"
Subject: Split DNS question
Date: Mon, 6 Oct 1997 18:30:57 -0600

A lot of folks keep talking about split DNS and how it seems to solve a lot of resolution problems.. But no-one says how they actually have it implemented. Anyone care to share? Solaris 2.5.1 please.

Also what about multiple-personality DNS? More than 1 internal DNS server? Possible? Does Bind 8.1 support this? When is a newer version of Bind 8.1 being released?

Marcus Ranum had a very cool DNS resolver patch that would change the format of the resolv.conf file to something like:

    domain xyz.com
    nameserver domaina.com 10.3.4.5
    nameserver domainb.com 10.60.87.98
    nameserver 65.78.10.in-addr.arpa 10.78.65.2
    nameserver 10.2.2.30

Which basically said:

    my domain is xyz.com
    if resolving names for the domain "domaina.com" I contact 10.3.4.5
    if resolving names for the domain "domainb.com" I contact 10.60.87.98
    if reverse resolving for net 10.78.65.0 contact 10.78.65.2
    otherwise all other queries get sent to 10.2.2.30

His patch only worked with bind 4.9.3 and lower.. pity. He says that he is too busy to add it for 4.9.5 and higher..
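The selection logic behind the resolv.conf format Trevor describes, as an added illustration that is not Marcus Ranum's patch or any resolver's code: it parses the five-line sample from the post (reproduced here as constructed input) and picks the nameserver for a forward or in-addr.arpa query the way the "which basically said" lines specify, so that queries for the scoped zones never reach the catch-all server.

```python
"""Domain-scoped resolver selection for the resolv.conf format described in
the post above (Marcus Ranum's patch).  Added illustration, not the patch
itself: the rules follow the five "which basically said" lines, and the
sample configuration below is constructed from the post.  The point of the
scheme for split DNS is that lookups in internal zones (forward and
in-addr.arpa) are answered internally and never go to the outside resolver."""
import ipaddress

# Constructed sample, copied from the format shown in the post.
SAMPLE_RESOLV_CONF = """\
domain xyz.com
nameserver domaina.com 10.3.4.5
nameserver domainb.com 10.60.87.98
nameserver 65.78.10.in-addr.arpa 10.78.65.2
nameserver 10.2.2.30
"""


def parse_resolv_conf(text):
    """Return (default_domain, scoped, fallbacks).

    scoped    - list of (zone, server) pairs in file order; zone is
                lower-cased without a trailing dot
    fallbacks - servers given without a zone, in file order
    """
    default_domain = None
    scoped, fallbacks = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # tolerate comments
        if not line:
            continue
        fields = line.split()
        key = fields[0].lower()
        if key == "domain" and len(fields) == 2:
            default_domain = fields[1].lower().rstrip(".")
        elif key == "nameserver" and len(fields) == 2:
            fallbacks.append(fields[1])
        elif key == "nameserver" and len(fields) == 3:
            scoped.append((fields[1].lower().rstrip("."), fields[2]))
        else:
            raise ValueError("malformed resolv.conf line: %r" % raw)
    return default_domain, scoped, fallbacks


def in_zone(name, zone):
    """True when name equals zone or lies beneath it.  The match is
    label-aligned, so 'otherdomaina.com' does not match 'domaina.com'."""
    return name == zone or name.endswith("." + zone)


def reverse_name(ip):
    """Owner name for a PTR lookup, e.g. 10.78.65.2 -> 2.65.78.10.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def choose_nameserver(config, query):
    """Select the server for a forward or reverse query.

    The most specific (longest) matching zone wins; if none matches, the
    first zone-less nameserver is used.  Single-label names are qualified
    with the default domain first, as the stock resolver does.
    """
    default_domain, scoped, fallbacks = config
    name = query.lower().rstrip(".")
    if "." not in name and default_domain:
        name = name + "." + default_domain
    best = None
    for zone, server in scoped:
        if in_zone(name, zone) and (best is None or len(zone) > len(best[0])):
            best = (zone, server)
    if best is not None:
        return best[1]
    if fallbacks:
        return fallbacks[0]
    raise LookupError("no nameserver configured for %s" % query)


if __name__ == "__main__":
    cfg = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    for q in ("www.domaina.com", "mail.domainb.com", "www", "www.example.org",
              reverse_name("10.78.65.2"), reverse_name("10.2.2.30")):
        print("%-28s -> %s" % (q, choose_nameserver(cfg, q)))
```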
--
Trevor Paquette               | MetroNet Solutions    | Work:(403)543-2355
TrevorPaquette@mcc.net        | 4300, 150 6th Ave SW  | Fax:(403)543-2854
http://www.mcc.net            | Calgary, AB, Canada   | ICBM:51'03"N/114'05"W
Senior Unix Network Architect | T2P 4K9               | Mind:In the Rockies

From owner-firewalls-list Mon Oct 6 20:15:59 1997
Message-Id: <3.0.3.32.19971006230513.006a2484@postoffice.worldnet.att.net>
Date: Mon, 06 Oct 1997 23:05:13 -0500
To: Brian Tackett, firewalls@greatcircle.com
From: Steve Kruse
Subject: Re: Gauntlet, VPN/WAN/Dialups
References: <3.0.3.32.19971006145133.03238028@localhost>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Brian:

Hmmm.... the problem, it would seem, is that you want STRONG encryption and authentication over international phone lines. There are a spate of products including packet filtering/encrypting routers, 3rd party VPN solutions, firewalls with VPN encryption, etc., on the market. Finding one isn't all that difficult. In fact, picking one out of the "herd" is the toughest part, not finding one anymore.

The PROBLEM you have is that word "international". If you buy a North American product (ie, US / CANADA) you can't export the strong encryption except in certain cases. As I understand the rules (and someone PLEASE correct me if I am incorrect...) IF the foreign office is => 51% US ownership AND the host country allows it, you can export at least 56bit DES and possibly IDEA (some countries such as Switzerland allow it). Some countries (France for one) force you to escrow the keys, so dynamic key management can not be done. Getting the US export licence, with proper documentation and a vendor who has all the right contacts, could possibly get this through in under a couple of months.

As to the configuration, the RAS behind the firewall is, to say the least, really a bad bad bad idea. I'm getting a rash thinking about it. It's like putting all the right locks and bars on the door and leaving the window open with a neon sign pointing to it. The compromise, as I see it, would be to put the dial up on the service net, make the dial up users use S/Key or some token card, and use very strict plug-to's through the firewall. It's not perfect, but it's a damn sight better than having RAS behind the locked door!

My $.02 (US) worth.

This would change the picture slightly, using 3 interfaces on the Firewall, not 2:

    ( Internet )
         |
         |
     {PKT RTR}
         |
         |                    Service Net
    ((FIREWALL))-----------------------------
         |            |          |          |
         |            |          |          |
         |           WWW        DNS        RAS
         |
    -----------------------------
            PRIVATE NET

Comments Welcome. Flames ignored!

At 09:36 PM 10/6/97 +0000, Brian Tackett wrote:
>All,
>
> Interesting question. We're currently engaged in doing some initial
>research for a customer which operates an international WAN, with much of
>the processing done in a stateside location. Here is my series of
>questions:
>
>1) We're using the following setup....
>
>    INTERNET <---T1--->
>                        |
>
>                        |
>                        |
>
>                        |
>    NT servers, with Oracle, other internal stuff
>    RAS Server with remote dialups
>        |
>        |
>    Remote offices worldwide, dialing in.
>
>
>Now.....
>
>2) I am VERY uneasy about having a) RAS dialups and b) a Frame Relay WAN
>behind the firewall. Backdoors are evil. However, the customer is very
>reluctant to relocate those outside the firewall, since they feel this
>would a) load the firewall much more, and b) introduce more failure
>points. What are some options as far as VPN or like products which could
>be used to secure dialups and/or FR sites? Specifically, can anyone give
>solid recommendations for something that does strong authentication and
>encryption over international telephone lines?
>
>
>
>
-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQA/AwUBNDmzztIk6V3CiVjTEQLV2QCeOIoWDzxN3mNbm4JOx+7DZlXNzesAn03I
nend8K/tI4kFBIy2uUgqQhbH
=JNWE
-----END PGP SIGNATURE-----

***********************************************************************
* Check out http://www.milkyway.com for the best in network security! *
* Steve Kruse                             PGP Key on most servers     *
* PGP Fingerprint: 4BBF 43D2 69A4 E111 3089 C54B D224 E95D C289 58D3  *
***********************************************************************

From owner-firewalls-list Tue Oct 7 01:30:56 1997
Message-Id: <3439F025.F97DA132@abnamro-software.com>
Date: Tue, 07 Oct 1997 10:17:41 +0200
From: Peter Enderborg
Organization: AbnAmro Software
To: firewalls@greatcircle.com
Subject: Multi-interface firewalls

We need to set up a firewall with at least 8 Ethernet interfaces, and it is good if they are 100Mbit/s interfaces. Does it exist on the market? Most of the firewalls that I have seen had only 3 interfaces. Some would be very easy to extend to 8, but what about the software? I know that Linux could do it, but what about Firewall-1 on a SPARC? Any other good ideas?

From owner-firewalls-list Tue Oct 7 02:30:43 1997
Message-Id: <199710070911.SAA10953@saturn.koto.nikkei.co.jp>
To: Peter Enderborg
Cc: firewalls@GreatCircle.COM
Subject: Re: Multi-interface firewalls
In-reply-to: Your message of "Tue, 07 Oct 1997 10:17:41 +0200." <3439F025.F97DA132@abnamro-software.com>
Date: Tue, 07 Oct 1997 18:11:43 +0900
From: Nobuhiko Yoshimoto

> We need to set up a firewall with at least 8 Ethernet interfaces, and
> it is good if they are 100Mbit/s interfaces.
> Does it exist on the market? Most of the firewalls that I have seen
> had only 3 interfaces. Some would be very
> easy to extend to 8, but what about the software? I know that Linux
> could do it, but what about Firewall-1
> on a SPARC? Any other good ideas?
>

Firewall-1 supports up to 12 network interfaces. I've no idea, however, how many interfaces Linux could support.

Nobuhiko Yoshimoto
Nihon Keizai Shimbun Inc.
yoshi@nikkei.co.jp
phone:813-5690-0256
fax:813-5690-0250

From owner-firewalls-list Tue Oct 7 03:46:49 1997
Message-ID: <19971007101714.25969.qmail@jaca.ime.usp.br>
From: Paulo Augusto Rosa
Date: Tue, 07 Oct 1997 08:17:14 -0300
To: firewalls@GreatCircle.COM

remove

From owner-firewalls-list Tue Oct 7 05:02:33 1997
Message-ID: <61B80F9FF411D1118DEF0000E8D5C667043AF9@ns.ntadvice.com>
From: Russ
To: "'Noam Rathaus'", firewalls@GreatCircle.COM
Subject: RE: what ports to pass for exchange/outlook
Date: Tue, 7 Oct 1997 07:56:28 -0400

>Unless configured otherwise, it will use port 139, (RPC) and then
>a dynamic address above 1024 (TCP).

It will also use TCP135 to get to the RPC EndPointMapper and figure out what higher port to use for the Information Store and Directory Store (which, as Noam said, can be configured to be a static port so you don't need to leave a range open on your FW). You can set it to use encrypted communications in the Outlook Client's Remote Mail setup. You'll need to put an entry in your client's LMHOSTS file as well so it knows where to find your Exchange Server.
Cheers, Russ From owner-firewalls-list Tue Oct 7 05:31:38 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA26383; Tue, 7 Oct 1997 05:15:46 -0700 (PDT) Received: from ns.ntadvice.com (ns.ntadvice.com [207.176.151.2]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id FAA26356 for ; Tue, 7 Oct 1997 05:15:38 -0700 (PDT) Received: by ns.ntadvice.com with Internet Mail Service (5.5.1664.3) id <4MDMPDBL>; Tue, 7 Oct 1997 08:17:27 -0400 Message-ID: <61B80F9FF411D1118DEF0000E8D5C667043AFA@ns.ntadvice.com> From: Russ To: firewalls@greatcircle.com Subject: RE: VPNs and PPTP Date: Tue, 7 Oct 1997 08:17:26 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.1664.3) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > 1) weak authentication Security Dynamics say they have made PPTP work with SecurID. > 2) slower Than what?? Personally, with PPP compression, my speeds have been quite reasonable, dare I say fast? > 3) bitch to install and figure out routing Details, details, details, its not a bitch to install, although it may be a bitch to figure out the routing if you haven't read the manuals...;-] > 4) GRE doesn't pass through all firewalls Really?? Which ones??? There's no "proxy" for GRE, that's true, but as a generic protocol, which FW doesn't support passing GRE through? > 5) precious little debug information Interesting, you can get full PPP debug information through RAS. As for the PPTP control channel, well that may be an area lacking. Of course you could just sniff 1723 and see for yourself, but I suppose you think their should be some sort of logging?? With Routing and Remote Access Server (RRAS) you do get a whole lot more information. 6) uses existing NT RAS administrative model I don't see why this is a big issue, for customers who are upgrading modem connections to ISP-style connections, its logical. 7) no support for non-MS based servers and clients. 
and SecuRemote runs on...??? (no slam against CP, but it only runs on W95 and NT, right (or server to server as long as their both CP FWs) Same is true of more than a few VPN clients). 8) black box implementation and SecuRemote is a...??? V-One is a...??? Altavista is a...??? Lots of black boxes around these days...;-] 9) Extra hardware if you're not currently running NT server NT server isn't cheap. and SmartGate runs on...??? or Altavista Tunnel. An extra server for VPN is definitely not unique to PPTP, and few of them are cheap. Maybe the point should be that if you *are* running NT, its FREE. 10) uses existing user database most see this as an advantage, but obviously coupled with item #1 above could be a disadvantage. It certainly doesn't have to be your existing user database, you could easily create a separate domain with a single user for each person connecting in and then use Trusts to determine what they can get to. IOW, it doesn't have to use an existing user database. 11) no key mgt well, maybe that's because their are no keys...;-]...but really, isn't this one of the reasons for #1 above? SecurID is supposed to work, I've been told it works, but I haven't seen it work yet with PPTP. 12) transports IPX and native NETBEUI and this is a bad thing(tm)??? Better talk to those folks over at Network-1, their Firewall/Plus transports anything, and I mean anything...;-] Don't get me wrong, I'm not advocating the use of PPTP or saying its the best thing since sliced bread or anything. As always, I just don't like the idea that things MS get slammed due to lack of understanding. PPTP is proprietary, since it wasn't readily adopted, and will eventually be L2TP instead, so mass deployment may not be a good idea until you've talked to MS and found out whether the upgrade is going to be painless or not (if you do, let me know). If you've got NT 4.0 today and are evaluating VPNs, trialing PPTP makes a whole lot of sense in my mind. Cheers, Russ R.C. Consulting, Inc. 
- NT/Internet Security From owner-firewalls-list Tue Oct 7 05:46:57 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA27034; Tue, 7 Oct 1997 05:32:24 -0700 (PDT) Received: from abgate.alfredberg.se (ns.alfredberg.se [130.244.126.137]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id FAA27022 for ; Tue, 7 Oct 1997 05:32:07 -0700 (PDT) Received: by abgate.alfredberg.se; (5.65v3.2/1.3/10May95) id AA17192; Tue, 7 Oct 1997 14:32:57 +0200 Received: from aasmail.abnamro-software.com ([10.84.1.7]) by abslns8056.sto.alfredberg.se (Netscape Mail Server v2.0) with ESMTP id AAA1301 for ; Tue, 7 Oct 1997 13:33:15 +0100 Received: from abnamro-software.com ([10.84.1.22]) by aasmail.abnamro-software.com (Netscape Messaging Server 3.01) with ESMTP id 440; Tue, 7 Oct 1997 14:35:25 +0200 Message-Id: <343A2C5C.693554D1@abnamro-software.com> Date: Tue, 07 Oct 1997 14:34:36 +0200 From: Peter Enderborg Organization: AbnAmro Software X-Mailer: Mozilla 4.03 [en] (X11; I; Linux 2.1.57 i686) Mime-Version: 1.0 To: Nobuhiko Yoshimoto Cc: firewalls@GreatCircle.COM Subject: Re: Multi-interface firewalls References: <199710070911.SAA10953@saturn.koto.nikkei.co.jp> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Nobuhiko Yoshimoto wrote: > > We need to set up an firewall with at least 8 ethernet interfaces, and > > it is good if they are 100Mbit/s interfaces. > > Does it exist on the market ? Most of the firewalls that I have seen > > had only 3 interfaces. Some whould be very > > easy to extend to 8, but what about the software ? I know that Linux > > chould do it, but what about Firewall-1 > > on a sparc ? Any other good ideas ? > > > > The Firewall-1 supports up to 12 NW interfaces. I've no idea, however, > linux could feature how many interfaces. > > Nobuhiko Yoshimoto > Nihon Keizai Shimbun Inc. 
> yoshi@nikkei.co.jp > phone:813-5690-0256 > fax:813-5690-0250 We have a linux running as a router in a test enviroment with 9 x100 Mbit/s, and a dont think it too mush job to get in an other 12 interfaces. But don't ask me to guess the troughput... (We use Znyx 4x100 on each pci-card) From owner-firewalls-list Tue Oct 7 06:35:54 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA29302; Tue, 7 Oct 1997 05:58:01 -0700 (PDT) Received: from paulaner (paulaner.unifiedtech.com [38.251.136.2]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id FAA29294 for ; Tue, 7 Oct 1997 05:57:54 -0700 (PDT) Received: from unifiedtech.com by paulaner (SMI-8.6/SMI-SVR4) id IAA25810; Tue, 7 Oct 1997 08:55:52 -0400 Message-ID: <343A3468.E9BF1989@unifiedtech.com> Date: Tue, 07 Oct 1997 09:08:56 -0400 From: Mike Jones Organization: Unified Technologies, Inc. X-Mailer: Mozilla 4.02 [en] (Win95; I) MIME-Version: 1.0 To: Peter Enderborg CC: firewalls@greatcircle.com Subject: Re: Multi-interface firewalls References: <3439F025.F97DA132@abnamro-software.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Peter Enderborg wrote: > We need to set up an firewall with at least 8 ethernet interfaces, and > it is good if they are 100Mbit/s interfaces. > Does it exist on the market ? Most of the firewalls that I have seen > had only 3 interfaces. Some whould be very > easy to extend to 8, but what about the software ? I know that Linux > chould do it, but what about Firewall-1 > on a sparc ? Any other good ideas ? My company has implemented FW-1 on SPARC with 9 network interfaces for a customer. I believe that all but 1 of them is 10 Mb/sec, though. If you're serious about needing that kind of throughput, you're going to need a pretty beefy machine. Sun recommends one processor per two 100Mbit interfaces with their Quad Fast Ethernet card. 
Personally, I think that's kind of overkill, but I'd still look at something like a 6-processor E3000 with a pair of Quad Fast Ethernet cards. From owner-firewalls-list Tue Oct 7 07:17:10 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA00920; Tue, 7 Oct 1997 06:09:05 -0700 (PDT) Received: from brussels.cisco.com (brussels.cisco.com [171.68.129.238]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id GAA00913 for ; Tue, 7 Oct 1997 06:08:58 -0700 (PDT) Received: from cons-evyncke.cisco.com (brussels-ppp3.cisco.com [171.68.146.24]) by brussels.cisco.com (8.8.5/8.8.5) with SMTP id PAA03396; Tue, 7 Oct 1997 15:08:59 +0200 (METDST) Message-Id: <3.0.3.32.19971007145928.00710898@brussels.cisco.com> X-Sender: evyncke@brussels.cisco.com (Unverified) X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Tue, 07 Oct 1997 14:59:28 +0000 To: Ciaran Deignan , firewalls@GreatCircle.COM From: Eric Vyncke Subject: Re: dynamic address translation... In-Reply-To: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Ciaran, some comments in-line: At 19:14 6/10/97 +0200, Ciaran Deignan wrote: ...... >Basically the new dyanmic address translation in netwall replaces the calling >address and port number in TCP and UDP "connection" requests coming from a >"mapable" host by the IP address of the interface by which the packet exits >the machine. The source port is replaced by a number grater than 65000. > >For starters I've no idea how its possible to generate TCP frames with source >port numbers grater than 2 to-the-power-of 16. But I suppose its documented in >an RFC somewhere. You cannot do this, TCP/UDP ports are 16 bits so must be less than the magic number 65.535 BTW, with Network Address Translation, NAT, usually only the IP address is translated leaving the UDP/TCP ports unchanged. 
There is an RFC describing NAT (RFC 1631 but I'm not sure about the number).

If you want to change also the UDP/TCP port (e.g. to allow the use of a single official IP address to hide your internal network), then:
- you should try to keep the implicit meaning of ports by keeping the ranges < 1024 and > 1024 apart
- you should also translate INTO the UDP/TCP payload for some protocols

>
>I've heard that this type of dynamic address translation has also been
>implemented by Cisco, and that it's called "Source Port Multiplexing" or
>"Source Port Mapping" or something.

BTW I'm working for Cisco, so my comments are probably biased ;-)

Now we call this mechanism (changing the UDP/TCP ports when changing the source IP address) PAT Port Address Translation.

>
>Obviously this technology only supports TCP and UDP communications. However I
>have the unnerving feeling that some commonly-used services won't like this
>sort of magic. The engineering has told me that FTP is supported, but
>what about sendmail?

Hummm hummmm FTP is not easy, you have to check/translate the PORT PASV commands as well !

sendmail/SMTP will be fine.

But think about GRE (directly above IP) which is part of Microsoft PPTP.

>
>Has anybody had any experience with a real-life application of this sort of
>technology, and are there any "gotchas" that you could help us avoid?
>
>Thanks
>Ciaran
>

Good luck (or should I say good M....)
-eric

Eric Vyncke
Technical Consultant
Cisco Systems Belgium SA/NV
Phone: +32-2-778.4677
Fax: +32-2-778.4300
E-mail: evyncke@cisco.com
Mobile: +32-75-312.458

From owner-firewalls-list Tue Oct 7 07:31:40 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA12791; Tue, 7 Oct 1997 07:25:31 -0700 (PDT)
Received: from bastion.s-1.com ([204.130.55.230]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id HAA12753 for ; Tue, 7 Oct 1997 07:25:22 -0700 (PDT)
Received: from [10.1.1.10] by bastion.s-1.com for id KAA04180; Tue Oct 7 10:27:13 1997
Received: from phoenix.s-1.com (jamie.s-1.com) by wine.s-1.com with SMTP (1.39.111.2/16.2) id AA014637970; Tue, 7 Oct 1997 10:26:10 -0500
Message-Id: <3.0.32.19971007102521.00aa582c@pophost>
X-Sender: jamie@pophost
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Tue, 07 Oct 1997 10:25:22 -0400
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@GreatCircle.COM
From: Jamie Pratcher
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

remove

From owner-firewalls-list Tue Oct 7 07:45:56 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA06256; Tue, 7 Oct 1997 06:48:20 -0700 (PDT)
Received: from honcho.columbiasc.ncr.com (h153-78-17-231.NCR.COM [153.78.17.231]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id GAA06083 for ; Tue, 7 Oct 1997 06:47:47 -0700 (PDT)
Received: from exchsmtp.ColumbiaSC.NCR.COM (xgate.ColumbiaSC.NCR.COM [153.78.17.107]) by honcho.columbiasc.ncr.com (8.6.12/8.6.12) with SMTP id JAA21911 for ; Tue, 7 Oct 1997 09:49:26 -0400
Received: by exchsmtp.ColumbiaSC.NCR.COM with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BCD306.44ED7B10@exchsmtp.ColumbiaSC.NCR.COM>; Tue, 7 Oct 1997 09:49:13 -0400
Message-ID:
From: "Caldwell, Matt"
To: "'Firewalls@GreatCircle.COM'" , "'Andy Lewis'"
Subject: RE: hosts.allow
Date: Tue, 7 Oct 1997 09:51:29 -0400
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

You can limit access from the username with tcpwrappers, but this also will affect the rest of your user base. Also the identd protocol is not very secure; someone with root access to a machine can modify the identd to show that the user is someone else, or possibly the person you are allowing in with that username. It is better to do a combination of both for more security. I suggest you get the newest TCPwrappers and read the documentation.

>----------
>From: Andy Lewis[SMTP:alewis@mpsi.net]
>Sent: Friday, October 03, 1997 5:04 PM
>To: Firewalls@GreatCircle.COM
>Subject: hosts.allow
>
>I hope that this is not off topic.
>
>Is it possible to put a local system user's name in the
>/etc/hosts.allow file.
>
>I want that person to be able to login from anywhere?
>
>I am running Linux 2.0.30
>
>Thanks
>
>

From owner-firewalls-list Tue Oct 7 09:01:37 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA06781; Tue, 7 Oct 1997 06:53:27 -0700 (PDT)
Received: from mls_exchange.microlan.com (news.microlan.com [207.239.33.34]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id GAA06756 for ; Tue, 7 Oct 1997 06:53:16 -0700 (PDT)
Received: by MLS_EXCHANGE with Internet Mail Service (5.0.1458.49) id ; Tue, 7 Oct 1997 09:57:11 -0400
Message-ID:
From: WALLY
To: "'Steve Kruse'" , Brian Tackett , firewalls@greatcircle.com
Subject: RE: Gauntlet, VPN/WAN/Dialups
Date: Tue, 7 Oct 1997 09:57:10 -0400
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1458.49)
Content-Type: text/plain; charset="iso-8859-1"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The following companies claim to have solutions for your needs.

www.securitydynamics.com
www.vpnet.com
www.infoexpress.com

I like the www.vpnet.com solution.
- Wally

Madison Technology Group
(a division of MicroLan Systems, Inc.)
"In Touch With People, In Touch With Technology..."
www.microlan.com
wally@microlan.com
212-883-1000 x 251 (Voice)
212-883-9080 (Fax)

-----Original Message-----
From: Steve Kruse [SMTP:jsk347@worldnet.att.net]
Sent: Tuesday, October 07, 1997 12:05 AM
To: Brian Tackett; firewalls@greatcircle.com
Subject: Re: Gauntlet, VPN/WAN/Dialups

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Brian:

Hmmm.... the problem, it would seem, is that you want STRONG encryption and authentication over international phone lines. There are a spate of products including packet filtering/encrypting routers, 3rd party VPN solutions, Firewalls with VPN encryption, etc, on the market. Finding one isn't all that difficult. In fact, picking one out of the "herd" is the toughest part, not finding one anymore.

The PROBLEM you have is that word "international". If you buy a North American product (ie, US / CANADA) you can't export the strong encryption except in certain cases. As I understand the rules (and someone PLEASE correct me if I am incorrect...) IF the foreign office is => 51% US ownership AND the host country allows it, you can export at least 56bit DES and possibly IDEA (some countries such as Switzerland allow it). Some countries, (France for one) force you to escrow the keys, so dynamic key management can not be done. Getting the US export licence, with proper documentation and a vendor who has all the right contacts could possibly get this through in under a couple of months.

As to the configuration, the RAS behind the firewall is, to say the least, really a bad bad bad idea. I'm getting a rash thinking about it. It's like putting all the right locks and bars on the door and leaving the window open with a neon sign pointing to it. The compromise, as I see it, would be to put the dial up on the service net, make the dial up users use S/Key or some token card, and use very strict plug-to's through the firewall.
It's not perfect, but it's a damn sight better than having RAS behind the locked door!

My $.02 (US) worth.

This would change the picture slightly using 3 interfaces on the Firewall, not 2:

          ( Internet )
               |
               |
           {PKT RTR}
               |
               |                  Service Net
          ((FIREWALL))-------------------
               |              |    |    |
               |              |    |    |
               |             WWW  DNS  RAS
               |
     -----------------------------
             PRIVATE NET

Comments Welcome. Flames ignored!

At 09:36 PM 10/6/97 +0000, Brian Tackett wrote:
>All,
>
> Interesting question. We're currently engaged in doing some initial
>research for a customer which operates an international WAN, with much of
>the processing done in a stateside location. Here is my series of
>questions:
>
>1) We're using the following setup....
>
>   INTERNET <---T1--->
>                      |
>
>                      |
>                      |
>
>                      |
>   NT servers, with Oracle, other internal stuff
>   RAS Server with remote dialups
>                      |
>                      |
>   Remote offices worldwide, dialing in.
>
>
>Now.....
>
>2) I am VERY uneasy about having a) RAS dialups and b) a Frame Relay WAN
>behind the firewall. Backdoors are evil. However, the customer is very
>reluctant to relocate those outside the firewall, since they feel this
>would a) load the firewall much more, and b) introduce more failure
>points. What are some options as far as VPN or like products which could
>be used to secure dialups and/or FR sites? Specifically, can anyone give
>solid recommendations for something that does strong authentication and
>encryption over international telephone lines?
>
>
>
>

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQA/AwUBNDmzztIk6V3CiVjTEQLV2QCeOIoWDzxN3mNbm4JOx+7DZlXNzesAn03I
nend8K/tI4kFBIy2uUgqQhbH
=JNWE
-----END PGP SIGNATURE-----

***********************************************************************
* Check out http://www.milkyway.com for the best in network security!
*
* Steve Kruse                                PGP Key on most servers
*
* PGP Fingerprint: 4BBF 43D2 69A4 E111 3089  C54B D224 E95D C289 58D3
*
***********************************************************************

From owner-firewalls-list Tue Oct 7 09:06:06 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA29835; Tue, 7 Oct 1997 08:53:18 -0700 (PDT)
Received: from shell.mpsi.net (shell.mpsi.net [207.238.102.24]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id IAA29817 for ; Tue, 7 Oct 1997 08:53:11 -0700 (PDT)
Received: from localhost (alewis@localhost) by shell.mpsi.net (8.8.6/8.8.6.Beta3) with SMTP id PAA16765; Tue, 7 Oct 1997 15:54:44 GMT
Date: Tue, 7 Oct 1997 10:54:44 -0500 (CDT)
From: Andy Lewis
To: "Caldwell, Matt"
cc: "'Firewalls@GreatCircle.COM'"
Subject: RE: hosts.allow
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 7 Oct 1997, Caldwell, Matt wrote:

> I suggest you get the
>newest TCPwrappers and read the documentation.
>

Where might I get TCPwrappers?
Andy

From owner-firewalls-list Tue Oct 7 09:20:39 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA26935; Tue, 7 Oct 1997 08:38:13 -0700 (PDT)
Received: from mail.chat.ru (light.express.ru [193.125.142.41]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id IAA26876 for ; Tue, 7 Oct 1997 08:37:57 -0700 (PDT)
Received: from username.cityline.ru (localhost [127.0.0.1]) by mail.chat.ru (8.8.5/8.8.4) with ESMTP id TAA21740 for ; Tue, 7 Oct 1997 19:40:23 +0400 (MSD)
Message-Id: <199710071540.TAA21740@mail.chat.ru>
From: "Maxim_Kotliarov"
To:
Subject: Registration
Date: Tue, 7 Oct 1997 19:35:19 +0300
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1155
MIME-Version: 1.0
Content-Type: text/plain; charset=KOI8-R
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

From owner-firewalls-list Tue Oct 7 09:22:15 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA27011; Tue, 7 Oct 1997 08:38:38 -0700 (PDT)
Received: from mail.chat.ru (light.express.ru [193.125.142.41]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id IAA26983 for ; Tue, 7 Oct 1997 08:38:24 -0700 (PDT)
Received: from username.cityline.ru (localhost [127.0.0.1]) by mail.chat.ru (8.8.5/8.8.4) with ESMTP id TAA21839 for ; Tue, 7 Oct 1997 19:40:56 +0400 (MSD)
Message-Id: <199710071540.TAA21839@mail.chat.ru>
From: "Maxim_Kotliarov"
To:
Subject: Registration
Date: Tue, 7 Oct 1997 19:35:29 +0300
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1155
MIME-Version: 1.0
Content-Type: text/plain; charset=KOI8-R
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

From owner-firewalls-list Tue Oct 7 09:32:41 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA02607; Tue, 7 Oct 1997 09:12:15 -0700 (PDT)
Received: from
mercury.imx-exchange.com (mercury.imx-exchange.com [207.82.224.3]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id JAA02575 for ; Tue, 7 Oct 1997 09:12:05 -0700 (PDT)
Received: by mercury.imx-exchange.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52) id <01BCD301.13402450@mercury.imx-exchange.com>; Tue, 7 Oct 1997 09:12:03 -0700
Message-ID:
From: James Terry
To: "'Peter Enderborg'" , "'Nobuhiko Yoshimoto'"
Cc: "'firewalls@GreatCircle.COM'"
Subject: RE: Multi-interface firewalls
Date: Tue, 7 Oct 1997 09:11:54 -0700
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

FW1 could do it, but expect trouble if you need to do NAT on more than one of them.

james@imx-exchange.com

>-----Original Message-----
>From: Peter Enderborg [SMTP:pme@imxexchange.co]
>Sent: Tuesday, October 07, 1997 5:35 AM
>To: Nobuhiko Yoshimoto
>Cc: firewalls@GreatCircle.COM
>Subject: Re: Multi-interface firewalls
>
>Nobuhiko Yoshimoto wrote:
>
>> > We need to set up a firewall with at least 8 ethernet interfaces, and
>> > it is good if they are 100Mbit/s interfaces.
>> > Does it exist on the market ? Most of the firewalls that I have seen
>> > had only 3 interfaces. Some would be very
>> > easy to extend to 8, but what about the software ? I know that Linux
>> > could do it, but what about Firewall-1
>> > on a sparc ? Any other good ideas ?
>> >
>>
>> The Firewall-1 supports up to 12 NW interfaces. I've no idea, however,
>> linux could feature how many interfaces.
>>
>> Nobuhiko Yoshimoto
>> Nihon Keizai Shimbun Inc.
>> yoshi@nikkei.co.jp
>> phone:813-5690-0256
>> fax:813-5690-0250
>
> We have a linux running as a router in a test environment with 9 x100
>Mbit/s, and I don't think it
>too much job to get in another 12 interfaces. But don't ask me to guess
>the throughput...
>(We use Znyx 4x100 on each pci-card)
>

From owner-firewalls-list Tue Oct 7 09:42:51 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA06997; Tue, 7 Oct 1997 06:54:43 -0700 (PDT)
Received: from jtfcom.js-jtf.af.mil (jtfcom.pafb.af.mil [131.25.50.17]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id GAA06856 for ; Tue, 7 Oct 1997 06:53:54 -0700 (PDT)
Received: by jtfcom.js-jtf.af.mil with Microsoft Exchange (IMC 4.0.837.3) id <01BCD306.C44211A0@jtfcom.js-jtf.af.mil>; Tue, 7 Oct 1997 09:52:47 -0400
Message-ID:
From: "Engasser, Charlie"
To: "'Paul D. Robertson'"
Cc: "'Firewalls@GreatCircle.COM'"
Subject: RE: Firewall-1, packet -VS- Proxy
Date: Tue, 7 Oct 1997 09:52:46 -0400
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.837.3
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
>Looking at past exploits, and Checkpoint's reaction to the OOB bug in Windows NT, I would say that the hosting machine's services for administration and VPN support seem to be unhardened, and vulnerable to exploitation without extra work. If those responses are indicative of the overall argument of a hardened system versus a shim in the driver layer, then that shim boat just don't float.
>
>Checkpoint released a patch for 3.0 that dropped all urgent data, so? And if you are running it on NT you can also install the OOBFIX if you are that paranoid.
>
>> it hardens the system it's on? What exactly does that mean anyway? Do
>> >>you<< know? In my opinion, the cost of a firewall product itself is
>
>If the vendor can't quantify 'harden' to your satisfaction, you're dealing with the wrong vendor.
>
>That is one of the very reasons I said to avoid Secure. That and lousy phone support with people that obviously didn't know their own products.
>
>There is value to having a hardened OS, network stack, filesystem, etc. A great deal of value in many instances, a number of which depend on the specific installation. For instance, if your firewall is going to play with a global authentication strategy, then you'll want to know the stack can survive low-level attacks.
>
>I never said that a hardened OS wasn't bad strategy, I merely said that I don't take a vendor's claims at face value.
>
>Dismissing hardening because you can't quantify a particular instantiation doesn't remove the value of someone having poked deep enough into the OS to remove some of its inherent problems.
>
>Sorry, I just don't see why you'd take it on blind faith. Again, as I stated in my earlier message, if you are not willing to test a firewall's feature sets against what the vendor claims, then what's the point of putting it in? Why should anyone dismiss Firewall-1 out of hand just because they have "heard" that it's hard to configure and that it doesn't automatically harden the OS? So what? This goes back to my experiences with Secure, they >>insisted<< you could pass NBT traffic through Borderware, but NOBODY could tell me how to do it. Why say it's possible, but it really isn't? They said you >should< be able to do it with 4 (I was running 3.1) but then, nobody would let me have an eval copy to test it because I didn't buy a support contract (Border Technologies didn't require a support contract, but after Secure bought them out, they did).
>
>> As for the previous poster, I don't think that I would decide on
>> Gauntlet unless I had already put a few more firewalls on a testbed.
>> Gauntlet is rated fairly well as far as security goes, but its
>> performance figures suck. It drops packets left and right when under
>
>Funny, all the studies I've seen for Gauntlet's performance far outstrip the available Internet bandwidth at most sites. Care to reference some figures?
>I'm preparing for some benchmarks in the near future on a few products, and I'd be more than happy to check your results.
>
>Available internet bandwidth yes, but not intranet bandwidth. The poster didn't specify. In my case I've got 2 T-1's, a leased 56, and a 128kb ISDN running through mine, with another pair of T-1's definitely on the way and maybe another T-1 in the far distant future. Not to mention a host of remote dialins.
>
>I was thinking of the March 97 issue of Data Communications magazine. This responds to the TIS person that posted earlier. One of Datacom's stress tests on 100bt intranet links showed that Gauntlet performed at the bottom of the pack when used in that scenario. Since the original poster didn't specify what he wanted it for I made a global statement. Later, in the message I said that I thought Gauntlet would suffice when used as an internet gateway. I believe it was their website they posted figures that showed some 10-30 percent of the packets being dropped when under that high load. Maybe it was misconfigured, maybe not.
>
>Given FW-1's lack of _complete_ implementation of stateful filtering, as well as the complexity of being able to do it well would steer me away from it as a solution. For instance, Firewall-1 does *not* maintain state information for ICMP as it ships. All those reverse-telnet over ICMP programs floating around the net tend to worry me.
>
>I'd only be worried about them if I allowed telnet in. I wouldn't, and even if I did, I'd use a VPN. Besides, isn't telnet dead? (that's a joke son).
>
>Consistency is important in security. You should be able to predict what your firewall will do with traffic, and how it applies its protection mechanisms. Unfortunately, the only way to find that out with FW-1 seems to be with a sniffer and a *lot* of time. If you've got the time to write Inspect code, and you trust the state engine to pass the right packets up, the FW-1 can make a good tool.
>However, it is marketed as a solution, not a tool, and frankly, it *needs* work for anything but the most blatant policies which are *much* more easily verifiable via application layer gateway.
>
>Such as what? Enlighten me. I work on a relatively small network that has limited inbound requirements. If I install Firewall-1 to block incoming traffic (or any firewall for that matter) what do I care how it does it? If Firewall-1 does what it claims to (and I have not seen anything that shows otherwise) then why should I care? And another thing, how >>does<< one go about "predicting" what a proxy will do with a packet?
>
>What have you shown Firewall-1 to be vulnerable to in your testbeds? How about some specifics?
>
>Making it *easy* for someone to punch large gaping holes in their perimeter without quantifying the risks is generally thought to be a bad thing. Personally, I think you should have to drag out the manual and understand what you are doing.
>
>Why am I making it easy? I told him to check their claims. Why do you have a problem with that. Or are you just pissed because I don't have a high opinion of Gauntlet?
>
>> I would avoid at all costs:
>>
>> Borderware (and probably sidewinder too) and On Track's OnGuard. E-mail
>> me for details if you need them.
>
>If you're going to slam them in public, then make your accusations known. Given the lack of data backing up your assertions of Gauntlet's performance, and the existence of data to the contrary, I, for one am skeptical.
>
>Then I provide it. Big deal. I didn't think it was relevant. If he wanted to email me, or anyone else for that matter, they are welcome to. I didn't feel like getting into a tirade over a mail list. Since I have already stated what I found wrong with Secure, my problems with Ontrack were that they are a black box hardware solution and they shipped me 2 firewalls that ate themselves after less than 2 hours on the bench. Maybe their product works fine.
>When it's not smokin'.
>Another thing wrong with OnGuard was at least in the version I tested, you can only configure the system from a remote client, not from the console. When you install the system, it's possible to configure the box so that it tells you "WARNING If you proceed with this operation you will be disconnected from the Firewall and you may not be able to reconnect". Hit "OK". That's it. NO Hit "cancel, abort" Just OK. Now someone who knew better would shut the system off at that point, but since the "feature" wasn't documented, I hit "OK" thinking it would drop back into the menu. Nope. Sure enough, you hit OK. And boom. And while I'm on the phone with Tech support, the system dies completely. They send me a second one, which dies on its own without me even touching it.
>
>I didn't press on with the solution.
>
>Now, the vendor I'm working with that provided me with eval copies of the various products bent over backwards to give me anything I wanted, and their tech support even knows a thing or two about the stuff they sell.
>
>Paul
>-----------------------------------------------------------------------------
>Paul D. Robertson      "My statements in this message are personal opinions
>proberts@clark.net      which may have no basis whatsoever in fact."
>
>PSB#9280
>

From owner-firewalls-list Tue Oct 7 10:09:56 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA06699; Tue, 7 Oct 1997 09:47:48 -0700 (PDT)
Received: from ALABAMA.CF.CS.YALE.EDU (RT-GW.CS.YALE.EDU [128.36.0.13]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id JAA06678 for ; Tue, 7 Oct 1997 09:47:33 -0700 (PDT)
Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU (8.7.1/res.host.cf-4.0) with ESMTP id MAA13366; Tue, 7 Oct 1997 12:49:15 -0400 (EDT) sender long-morrow@CS.YALE.EDU for
Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-8.7.1/res.client.cf-4.0) id MAA09292; Tue, 7 Oct 1997 12:49:12 -0400 (EDT)
Date: Tue, 7 Oct 1997 12:49:12 -0400 (EDT)
Message-Id: <199710071649.MAA09292@SPARKY.CF.CS.YALE.EDU>
To: Russ.Cooper@rc.on.ca, firewalls@greatcircle.com
Subject: RE: VPNs and PPTP
From: "H. Morrow Long"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Russ wrote:
>> 7) no support for non-MS based servers and clients.
>
>and SecuRemote runs on...??? (no slam against CP, but it only runs on
>W95 and NT, right (or server to server as long as they're both CP FWs)
>Same is true of more than a few VPN clients).

You can get PPTP clients from Network TeleSystems (www.nts.com) for MacOS.

According to the definitive Microsoft web page on the latest update of RRAS/PPTP ( http://www.microsoft.com/ntserver/info/rasopfaq.htm ) there is also a vendor working on a port of PPTP to Unix.

There are a few router/terminal-server vendors who make PPTP compliant PPP dialup servers. CISCO is likely to get into this business as well for the merged L2TP (a merger of CISCO L2F and MS PPTP) standard. As I understand it, L2TP will be put forward as a standard available for anyone who wants to develop clients or servers. It is a compromise between Cisco and Microsoft which both wanted to put forward their own protocols as Internet standards.

B.T.W.
MS NT 5.0 beta is also supposed to contain IPSEC according to someone who attended the recent developers conference in San Diego as well as the web page : http://www.microsoft.com/ntserver/info/nt5_features.htm

H. Morrow Long, Yale Univ IT ISO -Info Technology Services Info Security Officer
175 Whitney Avenue, New Haven, CT 06520-8276, (203)432-1248(voice) 432-0593(FAX)
INET: http://pantheon.yale.edu/~long/ mailto:Morrow.Long@yale.edu
PAGE: (203)370-3081, (800)347-2574, mailto:1165469@pager.mcb.com PIN# 1165469
PGP 1024/54F9FD69 1997/08/25 fp 97 ED E7 9D 41 8A 90 8C 4D 7C 22 56 80 BA 84 09

From owner-firewalls-list Tue Oct 7 10:17:24 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA09236; Tue, 7 Oct 1997 10:11:55 -0700 (PDT)
Received: from gate.rmsbus.com (gate.rmsbus.com [207.49.255.141]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id KAA09206 for ; Tue, 7 Oct 1997 10:11:45 -0700 (PDT)
Received: by gate.rmsbus.com; id MAA03370; Tue, 7 Oct 1997 12:13:28 -0500 (CDT)
Received: from max10.insnet.com(207.227.192.86) by gate.rmsbus.com via smap (3.2) id xma003365; Tue, 7 Oct 97 12:13:16 -0500
Message-Id: <3.0.3.32.19971007121314.00e94790@popmail.insnet.com>
X-Sender: cm@popmail.insnet.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Tue, 07 Oct 1997 12:13:14 -0500
To: Steve Kruse , Brian Tackett , firewalls@GreatCircle.COM
From: Christopher Michael
Subject: Re: Gauntlet, VPN/WAN/Dialups
In-Reply-To: <3.0.3.32.19971006230513.006a2484@postoffice.worldnet.att.net>
References: <3.0.3.32.19971006145133.03238028@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 11:05 PM 10/6/97 -0500, Steve Kruse wrote:
>The PROBLEM you have is that word "international". If you buy a
>North American product (ie, US / CANADA) you can't export the strong
>encryption except in certain cases.
Gauntlet is pre-approved to export to most friendly places.

>As to the configuration, the RAS behind the firewall is, to say the
>least, really a bad bad bad idea.

Look at Gauntlet's PC extender. It does encryption from a PC to the firewall so you could put the RAS stuff on the outside of the firewall without compromising security.

--
<--listserv unconfuser
{ | Christopher Michael | RMS: information technology integrators |
| PGP fingerprint: 585A 5EAA 6A93 EF98 EF15 F79F 7B42 4B2A }

From owner-firewalls-list Tue Oct 7 10:31:41 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA11140; Tue, 7 Oct 1997 07:18:09 -0700 (PDT)
Received: from mls_exchange.microlan.com (news.microlan.com [207.239.33.34]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id GAA06306 for ; Tue, 7 Oct 1997 06:48:42 -0700 (PDT)
Received: by MLS_EXCHANGE with Internet Mail Service (5.0.1458.49) id ; Tue, 7 Oct 1997 09:52:27 -0400
Message-ID:
From: WALLY
To: "'Nobuhiko Yoshimoto'" , Peter Enderborg
Cc: firewalls@GreatCircle.COM
Subject: RE: Multi-interface firewalls
Date: Tue, 7 Oct 1997 09:52:26 -0400
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1458.49)
Content-Type: text/plain; charset="iso-8859-1"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Take a look at the Ipsilon product with Checkpoint running on it. It should provide you with the throughput that you are looking for.

- Wally

Madison Technology Group
(a division of MicroLan Systems, Inc.)
"In Touch With People, In Touch With Technology..."
www.microlan.com
wally@microlan.com
212-883-1000 x 251 (Voice)
212-883-9080 (Fax)

-----Original Message-----
From: Nobuhiko Yoshimoto [SMTP:yoshi@koto.nikkei.co.jp]
Sent: Tuesday, October 07, 1997 5:12 AM
To: Peter Enderborg
Cc: firewalls@GreatCircle.COM
Subject: Re: Multi-interface firewalls

> We need to set up a firewall with at least 8 ethernet interfaces, and
> it is good if they are 100Mbit/s interfaces.
> Does it exist on the market ? Most of the firewalls that I have seen
> had only 3 interfaces. Some would be very
> easy to extend to 8, but what about the software ? I know that Linux
> could do it, but what about Firewall-1
> on a sparc ? Any other good ideas ?
>

The Firewall-1 supports up to 12 NW interfaces. I've no idea, however, linux could feature how many interfaces.

Nobuhiko Yoshimoto
Nihon Keizai Shimbun Inc.
yoshi@nikkei.co.jp
phone:813-5690-0256
fax:813-5690-0250

From owner-firewalls-list Tue Oct 7 12:47:08 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA24669; Tue, 7 Oct 1997 11:44:45 -0700 (PDT)
Received: from lab58-12.ims.advantis.com ([192.231.11.167]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id LAA24615 for ; Tue, 7 Oct 1997 11:44:30 -0700 (PDT)
Received: (from uucp@localhost) by lab58-12.ims.advantis.com (8.6.9/95.10.11) id OAA21232; Tue, 7 Oct 1997 14:33:54 -0400
Received: from carfax.ims.advantis.com(164.120.32.46) by lab58_12 via smap (V1.3) id sma010730; Tue Oct 7 14:33:51 1997
Received: from d5664655.ims.advantis.com () by carfax.ims.advantis.com (8.8.5/) with ESMTP id OAA570018; Tue, 7 Oct 1997 14:44:32 -0400 sender hfarkas@d5664655.ims.advantis.com for
Received: from localhost (Henry Farkas) by d5664655.ims.advantis.com (8.8.5/) with SMTP id OAA18232; Tue, 7 Oct 1997 14:44:31 -0400 sender hfarkas@d5664655.ims.advantis.com for
Date: Tue, 7 Oct 1997 14:44:31 -0400 (EDT)
From: "Henry W. Farkas"
To: Andy Lewis
cc: "Caldwell, Matt" , "'Firewalls@GreatCircle.COM'"
Subject: RE: hosts.allow
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 7 Oct 1997, Andy Lewis wrote:

> On Tue, 7 Oct 1997, Caldwell, Matt wrote:
> Where might I get TCPwrappers?
ftp://coast.cs.purdue.edu/pub/tools/unix/tcp_wrappers/

===========================================================================
You can no more win a war than you can win an earthquake. -Jeanette Rankin
PGP fingerprint AA D0 F5 44 C1 8C 11 52 - B3 80 34 1C CE 38 EC 53

From owner-firewalls-list Tue Oct 7 13:05:20 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA15480; Tue, 7 Oct 1997 10:56:35 -0700 (PDT)
Received: from pse01.pios.com (PSE01.PIOS.COM [199.33.129.2]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id KAA15330 for ; Tue, 7 Oct 1997 10:55:49 -0700 (PDT)
Received: by pse01.pios.com; (5.65v3.2/1.3/10May95) id AA26748; Tue, 7 Oct 1997 13:57:30 -0400
Received: from vaxf.PIOS.COM (vaxf.PIOS.COM) by gemini.pios.com (PMDF V5.0-6 #18985) id <01IOJ0DDCBW08WXQ2T@gemini.pios.com> for firewalls@GreatCircle.COM; Tue, 07 Oct 1997 13:58:08 -0400 (EDT)
Received: from ghost (192.168.14.150) by PIOS.PIOS.COM (PMDF V5.0-6 #18984) id <01IOJ0BC4HAO8Y572Q@PIOS.PIOS.COM> for firewalls@GreatCircle.COM; Tue, 07 Oct 1997 13:56:31 -0400 (EDT)
Date: Tue, 07 Oct 1997 10:57:09 -0700
From: Bill Stout
Subject: RE: what ports to pass for exchange/outlook
X-Sender: stoutb@192.168.0.37
To: firewalls@GreatCircle.COM
Message-Id: <2.2.32.19971007175709.0101adf4@192.168.0.37>
Mime-Version: 1.0
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7BIT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

You might want to consider using PPTP, Net-net Tunnel servers, or PC-Firewall Tunnel VPNs rather than opening a slew of ports for each new service on your firewall. The more you let through, the less of a firewall it is. Behind the tunnel use packet filtering to decide who gets to what (security in layers).

As someone stated before, firewalls are good at filtering solicited services, and not so good at filtering unsolicited services.
I submit that for these new unsolicited services you have to fall back on strong authentication & encryption rather than rely on a generic proxy. Proxy developers can't keep up with all new applications, since proxies essentially are copies of that application running on a gateway machine (i.e., to proxy, to act for).

I believe the future of firewalls will be as a group of proxy servers, VPN machines and secure application servers. (Oh, here he goes with that farm thing again...). ;)

Bill Stout

From owner-firewalls-list Tue Oct 7 13:14:34 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA21938; Tue, 7 Oct 1997 11:27:13 -0700 (PDT)
Received: from gate1.shellus.com (gate1.shellus.com [204.71.91.5]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id LAA21879 for ; Tue, 7 Oct 1997 11:26:49 -0700 (PDT)
Received: by gate1.shellus.com; id NAA27835; Tue, 7 Oct 1997 13:29:09 -0500 (CDT)
Received: from unknown(134.163.2.2) by gate1.shellus.com via smap (3.2) id xma027069; Tue, 7 Oct 97 13:28:01 -0500
Received: from icsscxh1 by icsrv01 (AIX 4.1/UCB 5.64/FEJ.AIX.1.2) id AA59104; Tue, 7 Oct 1997 13:26:22 -0500
Received: by icsscxh1.shell.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52) id <01BCD324.FF3E2F00@icsscxh1.shell.com>; Tue, 7 Oct 1997 13:29:11 -0500
Message-Id:
From: "Bowers T (Thomas) at MSXSSC"
To: "'firewalls@greatcircle.com'" , "'Russ'"
Subject: RE: VPNs and PPTP
Date: Tue, 7 Oct 1997 13:28:01 -0500
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Does anyone have practical experience running large numbers of concurrent sessions through a PPTP server? We've measured an x % performance penalty (relative to throughput for a PPTP session versus a non-PPTP session). Basically a performance penalty doesn't bother me...
it's the thought of many cumulative flows dragging down a common point of convergence (i.e. the server). My gut feeling isn't that it's not practical to expect PPTP to scale well... It might work great for a limited set of users but if many people started using it, it wouldn't perform as well as other hardware-based products...

>----------
>From: Russ[SMTP:Russ.Cooper@rc.on.ca]
>Sent: Tuesday, October 07, 1997 7:17 AM
>To: firewalls@greatcircle.com
>Subject: RE: VPNs and PPTP
>
>> 1) weak authentication
>
>Security Dynamics say they have made PPTP work with SecurID.
>
>> 2) slower
>
>Than what?? Personally, with PPP compression, my speeds have been quite reasonable, dare I say fast?
>
>> 3) bitch to install and figure out routing
>
>Details, details, details, it's not a bitch to install, although it may be a bitch to figure out the routing if you haven't read the manuals...;-]
>
>> 4) GRE doesn't pass through all firewalls
>
>Really?? Which ones??? There's no "proxy" for GRE, that's true, but as a generic protocol, which FW doesn't support passing GRE through?
>
>> 5) precious little debug information
>
>Interesting, you can get full PPP debug information through RAS. As for the PPTP control channel, well that may be an area lacking. Of course you could just sniff 1723 and see for yourself, but I suppose you think there should be some sort of logging?? With Routing and Remote Access Server (RRAS) you do get a whole lot more information.
>
>> 6) uses existing NT RAS administrative model
>
>I don't see why this is a big issue, for customers who are upgrading modem connections to ISP-style connections, it's logical.
>
>> 7) no support for non-MS based servers and clients.
>
>and SecuRemote runs on...??? (no slam against CP, but it only runs on W95 and NT, right (or server to server as long as they're both CP FWs) Same is true of more than a few VPN clients).
>
>> 8) black box implementation
>
>and SecuRemote is a...??? V-One is a...??? Altavista is a...???
>Lots of black boxes around these days...;-]
>
>> 9) Extra hardware if you're not currently running NT server
>> NT server isn't cheap.
>
>and SmartGate runs on...??? or Altavista Tunnel. An extra server for VPN is definitely not unique to PPTP, and few of them are cheap. Maybe the point should be that if you *are* running NT, it's FREE.
>
>> 10) uses existing user database
>
>most see this as an advantage, but obviously coupled with item #1 above could be a disadvantage. It certainly doesn't have to be your existing user database, you could easily create a separate domain with a single user for each person connecting in and then use Trusts to determine what they can get to. IOW, it doesn't have to use an existing user database.
>
>> 11) no key mgt
>
>well, maybe that's because there are no keys...;-]...but really, isn't this one of the reasons for #1 above? SecurID is supposed to work, I've been told it works, but I haven't seen it work yet with PPTP.
>
>> 12) transports IPX and native NETBEUI
>
>and this is a bad thing(tm)??? Better talk to those folks over at Network-1, their Firewall/Plus transports anything, and I mean anything...;-]
>
>Don't get me wrong, I'm not advocating the use of PPTP or saying it's the best thing since sliced bread or anything. As always, I just don't like the idea that things MS get slammed due to lack of understanding. PPTP is proprietary, since it wasn't readily adopted, and will eventually be L2TP instead, so mass deployment may not be a good idea until you've talked to MS and found out whether the upgrade is going to be painless or not (if you do, let me know).
>
>If you've got NT 4.0 today and are evaluating VPNs, trialing PPTP makes a whole lot of sense in my mind.
>
>Cheers,
>Russ
>R.C. Consulting, Inc.
>- NT/Internet Security
>

From owner-firewalls-list Tue Oct 7 14:16:19 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA11015; Tue, 7 Oct 1997 13:20:57 -0700 (PDT)
Received: from u1.abs.net (u1.abs.net [207.114.0.131]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id NAA10978 for ; Tue, 7 Oct 1997 13:20:43 -0700 (PDT)
Received: from smtp.normandev.com (root@smtp.normandev.com [207.114.72.7]) by u1.abs.net (8.8.5/8.8.5) with ESMTP id QAA22632 for ; Tue, 7 Oct 1997 16:22:31 -0400 (EDT)
Received: from firewall (firewall.normandev.com [207.114.72.3]) by smtp.normandev.com (8.7.5/8.7.3) with SMTP id KAA01691 for ; Tue, 7 Oct 1997 10:19:35 -0400
Received: by NORMANMAIL with Internet Mail Service (5.0.1457.3) id <4CAKT43W>; Tue, 7 Oct 1997 16:23:09 -0400
Message-ID: <310DA102753AD111A9DD0060976CEEB71512@NORMANMAIL>
From: Tim Shoemaker
To: "'firewalls@greatcircle.com'"
Subject: Security Show
Date: Tue, 7 Oct 1997 16:23:08 -0400
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1457.3)
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

For anyone interested there is a security show in the Baltimore Convention Center on Wednesday and Thursday Oct 7&8 from 10 to 4pm. If anyone is interested please get in touch with me. We will be exhibiting the Norman Firewall version 4.0 for HP-UX and Sun Solaris through HP on both days so stop by and check us out!
Thanks,
Tim Shoemaker
Norman Development, USA
http://www.normandev.com or http://www.norman.com

From owner-firewalls-list Tue Oct 7 14:18:18 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA12652; Tue, 7 Oct 1997 13:30:10 -0700 (PDT)
Received: from relay1.smtp.psi.net (relay1.smtp.psi.net [38.8.14.2]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id NAA12498 for ; Tue, 7 Oct 1997 13:29:35 -0700 (PDT)
Received: from bbdo.com by relay1.smtp.psi.net (8.8.5/SMI-5.4-PSI) id QAA25004; Tue, 7 Oct 1997 16:31:20 -0400 (EDT)
Message-ID:
Date: 7 Oct 1997 16:19:01 -0500
From: "David Glosser"
Subject: Internet email security & r
To: "firewalls"
X-Mailer: Mail*Link SMTP-QM 4.1.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Subject: Internet email security & reliability

I apologize if this is not directly related to firewalls, but I did a search of the Net and couldn't find anything....

Are there any white papers, studies, hard facts, etc. that are related to the lack of security and reliability of internet e-mail and why it is not appropriate for corporate use?

Any articles, pointers, links, publications, etc. (or suggestions of other forums) would be appreciated. Please e-mail me directly since I know this is not directly related to firewalls; I'll post a summary.
Thanks in advance
David Glosser
glosser@bbdo.com

From owner-firewalls-list Tue Oct 7 16:16:20 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id QAA12089; Tue, 7 Oct 1997 16:00:27 -0700 (PDT)
Received: from mail2.noc.netcom.net (mail2.noc.netcom.net [199.183.9.3]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id QAA12043 for ; Tue, 7 Oct 1997 16:00:13 -0700 (PDT)
Received: from svl-mail ([149.64.70.9]) by mail2.noc.netcom.net (8.8.5/8.8.5) with SMTP id QAA03501; Tue, 7 Oct 1997 16:06:04 -0700 (PDT)
Received: from scitor.com ([149.64.70.9]) by svl-mail (InterScan E-Mail VirusWall NT)
Received: from ccMail by scitor.com (IMA Internet Exchange 2.1 Enterprise) id 000363BA; Tue, 7 Oct 97 16:04:02 -0700
Mime-Version: 1.0
Date: Tue, 7 Oct 1997 16:01:20 -0700
Message-ID: <000363BA.1249@scitor.com>
From: dbovee@scitor.com (David Bovee)
Subject: Re: Internet email security & r
To: "firewalls" , "David Glosser"
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Description: cc:Mail note part
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

May I interpret this as a question that has *already* been answered...?

"...why it is not appropriate for corporate use?"
    ^^^

Pardon me, but isn't a lot of business conducted via Internet email daily? Anyway, what's the difference between Internet email and email going from a subnetted/firewalled corporate intranet to an entirely different intranet within the same large corporation???

-David Bovee

______________________________ Reply Separator _________________________________
Subject: Internet email security & r
Author: "David Glosser" at Internet
Date: 10/7/97 3:59 PM

Subject: Internet email security & reliability

I apologize if this is not directly related to firewalls, but I did a search of the Net and couldn't find anything....

Are there any white papers, studies, hard facts, etc.
that are related to the lack of security and reliability of internet e-mail and why it is not appropriate for corporate use?

Any articles, pointers, links, publications, etc. (or suggestions of other forums) would be appreciated. Please e-mail me directly since I know this is not directly related to firewalls; I'll post a summary.

Thanks in advance
David Glosser
glosser@bbdo.com

From owner-firewalls-list Tue Oct 7 16:48:20 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id QAA15504; Tue, 7 Oct 1997 16:30:27 -0700 (PDT)
Received: from mail2.noc.netcom.net (mail2.noc.netcom.net [199.183.9.3]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id QAA15485 for ; Tue, 7 Oct 1997 16:30:10 -0700 (PDT)
Received: from svl-mail ([149.64.70.9]) by mail2.noc.netcom.net (8.8.5/8.8.5) with SMTP id QAA04457; Tue, 7 Oct 1997 16:36:08 -0700 (PDT)
Received: from scitor.com ([149.64.70.9]) by svl-mail (InterScan E-Mail VirusWall NT)
Received: from ccMail by scitor.com (IMA Internet Exchange 2.1 Enterprise) id 000363E1; Tue, 7 Oct 97 16:34:06 -0700
Mime-Version: 1.0
Date: Tue, 7 Oct 1997 16:30:14 -0700
Message-ID: <000363E1.1249@scitor.com>
From: dbovee@scitor.com (David Bovee)
Subject: Re[2]: VPNs and PPTP
To: "'firewalls@greatcircle.com'" , "'Russ'" , "Bowers T (Thomas) _at_MSXSSC"
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Description: cc:Mail note part
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Are you willing to divulge the quantitative data? I am personally curious to know what sort of impact you have measured as a result of PPTP? We are in the process of putting up such a server and expect it to service hundreds of sessions daily, which probably is not in the range of the load you were initially questioning...?

Thanks.
-David Bovee

______________________________ Reply Separator _________________________________
Subject: RE: VPNs and PPTP
Author: "Bowers T (Thomas) _at_MSXSSC" at Internet
Date: 10/7/97 4:28 PM

Does anyone have practical experience running large numbers of concurrent sessions through a PPTP server? We've measured an x % performance penalty (relative to throughput for a PPTP session versus a non-PPTP session). Basically a performance penalty doesn't bother me... it's the thought of many cumulative flows dragging down a common point of convergence (i.e. the server). My gut feeling isn't that it's not practical to expect PPTP to scale well... It might work great for a limited set of users but if many people started using it, it wouldn't perform as well as other hardware-based products...

>----------
>From: Russ[SMTP:Russ.Cooper@rc.on.ca]
>Sent: Tuesday, October 07, 1997 7:17 AM
>To: firewalls@greatcircle.com
>Subject: RE: VPNs and PPTP
>
>> 1) weak authentication
>
>Security Dynamics say they have made PPTP work with SecurID.
>
>> 2) slower
>
>Than what?? Personally, with PPP compression, my speeds have been quite reasonable, dare I say fast?
>
>> 3) bitch to install and figure out routing
>
>Details, details, details, it's not a bitch to install, although it may be a bitch to figure out the routing if you haven't read the manuals...;-]
>
>> 4) GRE doesn't pass through all firewalls
>
>Really?? Which ones??? There's no "proxy" for GRE, that's true, but as a generic protocol, which FW doesn't support passing GRE through?
>
>> 5) precious little debug information
>
>Interesting, you can get full PPP debug information through RAS. As for the PPTP control channel, well that may be an area lacking. Of course you could just sniff 1723 and see for yourself, but I suppose you think there should be some sort of logging?? With Routing and Remote Access Server (RRAS) you do get a whole lot more information.
>
>> 6) uses existing NT RAS administrative model
>
>I don't see why this is a big issue, for customers who are upgrading modem connections to ISP-style connections, it's logical.
>
>> 7) no support for non-MS based servers and clients.
>
>and SecuRemote runs on...??? (no slam against CP, but it only runs on W95 and NT, right (or server to server as long as they're both CP FWs) Same is true of more than a few VPN clients).
>
>> 8) black box implementation
>
>and SecuRemote is a...??? V-One is a...??? Altavista is a...??? Lots of black boxes around these days...;-]
>
>> 9) Extra hardware if you're not currently running NT server
>> NT server isn't cheap.
>
>and SmartGate runs on...??? or Altavista Tunnel. An extra server for VPN is definitely not unique to PPTP, and few of them are cheap. Maybe the point should be that if you *are* running NT, it's FREE.
>
>> 10) uses existing user database
>
>most see this as an advantage, but obviously coupled with item #1 above could be a disadvantage. It certainly doesn't have to be your existing user database, you could easily create a separate domain with a single user for each person connecting in and then use Trusts to determine what they can get to. IOW, it doesn't have to use an existing user database.
>
>> 11) no key mgt
>
>well, maybe that's because there are no keys...;-]...but really, isn't this one of the reasons for #1 above? SecurID is supposed to work, I've been told it works, but I haven't seen it work yet with PPTP.
>
>> 12) transports IPX and native NETBEUI
>
>and this is a bad thing(tm)??? Better talk to those folks over at Network-1, their Firewall/Plus transports anything, and I mean anything...;-]
>
>Don't get me wrong, I'm not advocating the use of PPTP or saying it's the best thing since sliced bread or anything. As always, I just don't like the idea that things MS get slammed due to lack of understanding.
>PPTP is proprietary, since it wasn't readily adopted, and will eventually be L2TP instead, so mass deployment may not be a good idea until you've talked to MS and found out whether the upgrade is going to be painless or not (if you do, let me know).
>
>If you've got NT 4.0 today and are evaluating VPNs, trialing PPTP makes a whole lot of sense in my mind.
>
>Cheers,
>Russ
>R.C. Consulting, Inc. - NT/Internet Security
>

From owner-firewalls-list Tue Oct 7 17:01:46 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA21080; Tue, 7 Oct 1997 14:11:59 -0700 (PDT)
Received: from custmail.Internex.NET (custmail.internex.net [199.2.14.12]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id OAA20883 for ; Tue, 7 Oct 1997 14:11:10 -0700 (PDT)
Received: from logistix.com (gatekeeper.logistix.com [205.158.31.130]) by custmail.Internex.NET (8.8.5/8.8.5) with SMTP id OAA14767 for ; Tue, 7 Oct 1997 14:12:20 -0700 (PDT)
Received: from snm.logistix.com by logistix.com (SMI-8.6/SMI-SVR4) id OAA01110; Tue, 7 Oct 1997 14:12:20 -0700
Received: from fremont.logistix.com by snm.logistix.com (SMI-8.6/SMI-SVR4) id OAA29220; Tue, 7 Oct 1997 14:21:43 -0700
Received: from sirius.com ([10.11.51.245]) by fremont.logistix.com (Netscape Mail Server v1.1) with ESMTP id AAA78 for ; Tue, 7 Oct 1997 14:07:56 -0700
Message-ID: <343AA6D7.AAAEA938@sirius.com>
Date: Tue, 07 Oct 1997 14:17:11 -0700
From: "Alberto U. Begliomini"
Organization: Coldstone Consulting
X-Mailer: Mozilla 4.02 [en] (X11; I; SunOS 5.5.1 sun4m)
MIME-Version: 1.0
To: firewalls@greatcircle.com
Subject: PIX Firewall and DNS
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I have a PIX Firewall running 4.0.7 and DNS configured with a split-horizon topology. The old DNS servers are running BIND 4.8.3 and they work fine.
I also have two new servers, one internal and one external running BIND 4.9.6 and unfortunately I have problems with those. Every time the new internal server forwards a query to the external server (I use the "forwarders" directive and the "forward-only" option) it takes several tries for the internal server to get a response. This does not happen with the old servers.

To debug the problem, I have also tried to forward the queries from the new internal server to the old internal server and even if this introduces an additional hop, it works fine and fast. Forwarding queries from the new internal server to the old external server causes the problem to happen again.

It looks like every time I try to forward the queries from the new server running 4.9.6 to any of the DNS servers (old or new) on the DMZ through the PIX I run into trouble. I have tried this configuration from different internal servers running 4.9.6 or with the 4.9.3 that comes with the Solaris recommended 2.5.1 patches, same result.

I wonder if anybody has the same DNS topology (split-horizon) with BIND at level 4.9.x and a PIX router in the middle, running without any performance problem.

Any idea?

--
Alberto U. Begliomini    Email: aub@sirius.com
Coldstone Consulting     Phone: 415-370-7723
Theory guides, experiment decides.
Fax: 415-631-8722

From owner-firewalls-list Tue Oct 7 19:01:06 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id SAA02303; Tue, 7 Oct 1997 18:47:43 -0700 (PDT)
Received: from elektra.ultra.net (elektra.ultra.net [199.232.56.13]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id SAA02273 for ; Tue, 7 Oct 1997 18:47:34 -0700 (PDT)
Received: from zandar.judgefamily.org (joesmac.ultranet.com [199.232.59.222]) by elektra.ultra.net (8.8.5/ult.n14191) with SMTP id VAA23072; Tue, 7 Oct 1997 21:49:29 -0400 (EDT)
Received: by zandar.judgefamily.org with Microsoft Mail id <01BCD36B.30262960@zandar.judgefamily.org>; Tue, 7 Oct 1997 21:51:38 -0400
Message-ID: <01BCD36B.30262960@zandar.judgefamily.org>
From: Joseph Judge
To: firewalls , David Glosser , "'David Bovee'"
Subject: RE: Internet email security & r
Date: Tue, 7 Oct 1997 21:51:36 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'll hazard a position on the subject ... but realize that I know email is used for business over the Internet and is viable. But I also realize folks have varying ideas of what "business" is (info, customer contact versus regulated business correspondence).

Within a company, your company controls the elements that affect the mail flow. This can give better quality and assurance of delivery ... but also can give an increased level of security. Our employees are bonded; the dns servers are monitored and protected from Internet-based coercion; the mail servers are restricted access in a controlled physical environ also.

On the Internet, your firewall gateway or email gateways have to trust that the DNS server "out there" who says that "att.com" is relayed through "foo.bar.net" is giving valid information. That foo.bar.net is a ??? machine located at ??? run by ??? who are sure(?) not to peek around in the email spool ?
and it has quality metrics in place so that email is delivered in a timely fashion?

You can increase your trust that the communications are private by using PGP, SMIME, etc ... but the other factors are still an unknown quantity.

In the financial world, for example, I would guess that the SEC wouldn't allow "business correspondence" to occur over email -- they have strict rules (i.e. must acknowledge communication within 48 hrs., etc).

-- joe

----------
From: David Bovee[SMTP:dbovee@scitor.com]
Sent: Tuesday, October 07, 1997 7:01 PM
To: firewalls; David Glosser
Subject: Re: Internet email security & r

May I interpret this as a question that has *already* been answered...?

"...why it is not appropriate for corporate use?"
    ^^^

Pardon me, but isn't a lot of business conducted via Internet email daily? Anyway, what's the difference between Internet email and email going from a subnetted/firewalled corporate intranet to an entirely different intranet within the same large corporation???

-David Bovee

______________________________ Reply Separator _________________________________
Subject: Internet email security & r
Author: "David Glosser" at Internet
Date: 10/7/97 3:59 PM

Subject: Internet email security & reliability

I apologize if this is not directly related to firewalls, but I did a search of the Net and couldn't find anything....

Are there any white papers, studies, hard facts, etc. that are related to the lack of security and reliability of internet e-mail and why it is not appropriate for corporate use?

Any articles, pointers, links, publications, etc. (or suggestions of other forums) would be appreciated. Please e-mail me directly since I know this is not directly related to firewalls; I'll post a summary.
Thanks in advance
David Glosser
glosser@bbdo.com

From owner-firewalls-list Tue Oct 7 22:16:01 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id WAA23427; Tue, 7 Oct 1997 22:05:54 -0700 (PDT)
Received: from magpage.com (alaska.magpage.com [204.179.92.50]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id WAA23418 for ; Tue, 7 Oct 1997 22:05:40 -0700 (PDT)
Received: from [204.179.92.181] (modem131.magpage.com [204.179.92.181]) by magpage.com (8.8.7/8.8.5) with ESMTP id BAA06905 for ; Wed, 8 Oct 1997 01:07:30 -0400 (EDT)
X-Sender: kozmando@mail.magpage.com
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 7 Oct 1997 02:47:16 -0400
To: Firewalls@GreatCircle.COM
From: kozmando
Subject: OpenStep
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Greetings and Salutations,

What firewall solutions (packet filter and proxy) are there for OpenStep and where can they be found?

What firewalls support XTI and/or Streams and wctbf? (Macintosh Open Transport is a superset) If Apple decides to run OT native on Rhapsody, how will this affect firewall implementation?

If one was going to put together a commercial firewall for Rhapsody, what tools would one use, what existing free code base would serve best (TIS FWTK)?

Has anyone ported a firewall to mklinux? Is it free?
koz

From owner-firewalls-list Tue Oct 7 23:30:52 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA28432; Tue, 7 Oct 1997 23:21:46 -0700 (PDT)
Received: from ntserver.newoak.com (gatekeeper.newoak.com [146.115.61.253]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id XAA28408 for ; Tue, 7 Oct 1997 23:21:37 -0700 (PDT)
Received: from mike-feinstein ([10.0.21.199]) by ntserver.newoak.com (Netscape Mail Server v2.02) with ESMTP id AAA49 for ; Wed, 8 Oct 1997 02:35:24 -0400
Message-ID: <343B26C0.A7C275D@newoak.com>
Date: Wed, 08 Oct 1997 02:22:56 -0400
From: mfeinstein@newoak.com (Michael G. Feinstein)
Reply-To: mfeinstein@newoak.com
Organization: New Oak Communications
X-Mailer: Mozilla 4.01 [en] (Win95; I)
MIME-Version: 1.0
To: firewalls@greatcircle.com
Subject: Re: VPNs and PPTP
X-Priority: 3 (Normal)
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

You may want to check out my company's product, the NOC 4000. It is a dedicated machine that can terminate large numbers of many different types of tunnels, including PPTP. We can terminate up to 2,000 simultaneous sessions, up to 45 Mbps of aggregated bandwidth.
Our web site address is http://www.newoak.com

--
Michael Feinstein                New Oak Communications
VP, Product Marketing            125 Nagog Park
Tel: 978-266-1011 x103           Acton, MA 01720
Fax: 978-266-1080                http://www.newoak.com
mfeinstein@newoak.com

From owner-firewalls-list Wed Oct 8 01:46:04 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id BAA09805; Wed, 8 Oct 1997 01:34:40 -0700 (PDT)
Received: from fw4.tns.co.za (fw4.tns.co.za [196.4.160.32]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id BAA09788 for ; Wed, 8 Oct 1997 01:34:29 -0700 (PDT)
Received: by fw4.tns.co.za; id KAA01039; Wed, 8 Oct 1997 10:36:03 +0200 (SAT)
Message-Id: <199710080836.KAA01039@fw4.tns.co.za>
Received: from unknown(89.0.3.186) by fw4.tns.co.za via smap (V3.1.1) id xma001030; Wed, 8 Oct 97 10:35:53 +0200
Reply-To:
From: "Billy Verreynne"
To: ,
Subject: Re: VPNs and PPTP
Date: Wed, 8 Oct 1997 10:34:06 +0200
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1155
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Michael G. Feinstein wrote
> You may want to check out my company's product, the NOC 4000. It is a
> dedicated machine that can terminate large numbers of many different
> types of tunnels, including PPTP. We can terminate up to 2,000
> simultaneous sessions, up to 45 Mbps of aggregated bandwidth.

I can terminate 1000+ connections using a shovel to dig up the fibre cable and wirecutters to cut it. Much cheaper than your solution I think.

Think it's funny? Well, it really happened a Friday afternoon a few years back when Sun City was hosting Miss World the next night (and no, I was not responsible). Worse, the guy (engineering contractor) who cut the cable did it at both ends and threw about a metre long cable in the back of his pickup before driving home for the weekend.
Ever tried to patch a cable when you're missing a meter? All casino computers were down, all hotel computers, and there were no telecoms to the outside world.

Maybe firewalls should include offensive systems too? - like targeting computer systems connected to a few strategically placed M60's and M203's... ;-)

Billy

From owner-firewalls-list Wed Oct 8 06:16:07 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA25324; Wed, 8 Oct 1997 06:11:39 -0700 (PDT)
Received: from honcho.columbiasc.ncr.com (h153-78-17-231.NCR.COM [153.78.17.231]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id GAA25317 for ; Wed, 8 Oct 1997 06:11:10 -0700 (PDT)
Received: from exchsmtp.ColumbiaSC.NCR.COM (xgate.ColumbiaSC.NCR.COM [153.78.17.107]) by honcho.columbiasc.ncr.com (8.6.12/8.6.12) with SMTP id JAA17517 for ; Wed, 8 Oct 1997 09:12:53 -0400
Received: by exchsmtp.ColumbiaSC.NCR.COM with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BCD3CA.54C2AC30@exchsmtp.ColumbiaSC.NCR.COM>; Wed, 8 Oct 1997 09:12:41 -0400
Message-ID:
From: "Caldwell, Matt"
To: "'firewalls'" , "'David Glosser'" , "'dbovee@scitor.com'"
Subject: RE: Internet email security & r
Date: Wed, 8 Oct 1997 09:14:54 -0400
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Believe it or not, but there are some issues with having a different mail system other than SMTP for a Corporate environment. SMTP servers that are within a firewall usually trust the computers in that subnet, thus email is easily faked. Email could be spoofed from a near IP. Commercial email packages (such as Lotus Notes, Exchange, maybe even cc:Mail) make it a little more difficult to spoof or fake email from within the corporate network because a lot of these servers are not solely client side oriented.
You can restrict email from outside being faked, but in most cases you must trust your corporate subnet. Some have encryption systems built in that allow for mail to be protected from (not very good systems) plain text viewing.

SMTP Mail can be appropriate or not appropriate, it depends on your company, and how much money you're willing to spend.

>----------
>From: dbovee@scitor.com[SMTP:dbovee@scitor.com]
>Sent: Tuesday, October 07, 1997 7:01 PM
>To: firewalls; David Glosser
>Subject: Re: Internet email security & r
>
> May I interpret this as a question that has *already* been
> answered...?
>
> "...why it is not appropriate for corporate use?"
>     ^^^
>
> Pardon me, but isn't a lot of business conducted via Internet email
> daily? Anyway, what's the difference between Internet email and email
> going from a subnetted/firewalled corporate intranet to an entirely
> different intranet within the same large corporation???
>
> -David Bovee
>
>
>
>______________________________ Reply Separator
>_________________________________
>Subject: Internet email security & r
>Author: "David Glosser" at Internet
>Date: 10/7/97 3:59 PM
>
>
>Subject: Internet email security & reliability
>
>I apologize if this is not directly related to firewalls, but I did a search
>of the Net and couldn't find anything....
>
>Are there any white papers, studies, hard facts, etc. that are related to the
>lack of security and reliability of internet e-mail and why it is not
>appropriate for corporate use?
>
>Any articles, pointers, links, publications, etc. (or suggestions of other
>forums) would be appreciated. Please e-mail me directly since I know this
>is not
>directly related to firewalls; I'll post a summary.
>
>Thanks in advance
>David Glosser
>glosser@bbdo.com
>

Matthew F.
Caldwell - Security Analyst
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
VC3 Systems Engineering
http://www.vc3.com
email: matt.caldwell@vc3.com
pager: matt.caldwell@pager.vc3.com
Office: (803) 939-2322
Pager: (803) 690-2505
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Senders of unsolicited commercial E-Mail to this account implicitly agree to a $1000.00 proofing fee
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.2

mQCNAzQf9JoAAAEEAL2IIJjuEqgzzi0gL5pHmdZNwSxBd7fjmS4/aVVFQAPEN2O6
bRt3wMZ5MiDbPbgnIDFCNR49Sjlew9ie1sxg07yTAdSPItrK4X3+MfmjaJ309JjP
/AO9RpOeZGtKqca9/LlYl8HV7hx+oaJ6LT3z/Dax7JgAfbaUrws09AHbijaZAAUR
tCtNYXR0aGV3IEYuIENhbGR3ZWxsIDxtYXR0LmNhbGR3ZWxsQHZjMy5jb20+
=2M64
-----END PGP PUBLIC KEY BLOCK-----
>
>
>

From owner-firewalls-list Wed Oct 8 06:46:39 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA26301; Wed, 8 Oct 1997 06:32:12 -0700 (PDT)
Received: from slowy.NETCS.COM (slowy.netcs.com [138.199.32.21]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id GAA26293 for ; Wed, 8 Oct 1997 06:32:03 -0700 (PDT)
Received: from netcs.com (16.185.144.1) by slowy.NETCS.COM (NPlex 1.3.159); 8 Oct 1997 15:33:51 +0200
Message-ID: <343B8BBE.25691EDE@netcs.com>
Date: Wed, 08 Oct 1997 15:33:50 +0200
From: Oliver Korfmacher
Reply-To: okorf@netcs.com
Organization: NetCS GmbH
X-Mailer: Mozilla 4.03 [en] (WinNT; I)
MIME-Version: 1.0
To: firewalls@greatcircle.com
Subject: NAT
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi-

is there a FAQ for NAT? please reply direct. Thanks.
--
Gruesse, Oliver Korfmacher
(okorf@netcs.com, whois OK11 URL: http://www.netcs.com/PEOPLE/okorf.html)

From owner-firewalls-list Wed Oct 8 07:30:38 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA26950; Wed, 8 Oct 1997 06:42:50 -0700 (PDT)
Received: from ereapp.erenj.com (ereapp.ERENJ.COM [159.70.31.2]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id GAA26940 for ; Wed, 8 Oct 1997 06:42:41 -0700 (PDT)
Received: (from smap@localhost) by ereapp.erenj.com (8.8.5/8.8.5) id JAA26166; Wed, 8 Oct 1997 09:43:44 -0400
Received: from eredns.erenj.com(159.70.1.252) by ereapp.erenj.com via smap (V2.0) id xma026133; Wed, 8 Oct 97 09:43:19 -0400
Received: from clmail.erenj.com (clmail.erenj.com [159.70.1.248]) by eredns.erenj.com (8.8.5/8.8.5) with ESMTP id JAA27371; Wed, 8 Oct 1997 09:43:02 -0400
Received: from tiger (tiger.ecsc.exxon.com [159.129.116.3]) by clmail.erenj.com (8.8.5/8.8.5) with SMTP id JAA04734; Wed, 8 Oct 1997 09:43:01 -0400 (EDT)
Message-ID: <343B8DEC.31DFF4F5@erenj.com>
Date: Wed, 08 Oct 1997 08:43:08 -0500
From: Andy Howard
Organization: Exxon Computing Services Company
X-Mailer: Mozilla 3.0Gold (X11; I; SunOS 4.1.4 sun4c)
MIME-Version: 1.0
To: David Bovee
CC: firewalls@greatcircle.com
Subject: Re: Internet email security & r
References: <000363BA.1249@scitor.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

David Bovee wrote:
>
> May I interpret this as a question that has *already* been
> answered...?
>
> "...why it is not appropriate for corporate use?"
> ^^^
>
> Pardon me, but isn't a lot of business conducted via Internet email
> daily? Anyway, what's the difference between Internet email and email
> going from a subnetted/firewalled corporate intranet to an entirely
> different intranet within the same large corporation???
>
> -David Bovee

As has been mentioned in another note...
if the email stays in the control of the same corp the whole time, there is a better chance of being able to control the security around its path, including controlling who is watching it go by. Still gotta watch out for the disgruntled employee, but, hey, just pay them lots of money (-:

--
Andy Howard achowar@erenj.com
-- the above comments are mine only --

From owner-firewalls-list Wed Oct 8 07:59:52 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA05599; Wed, 8 Oct 1997 07:40:52 -0700 (PDT)
Received: from pinux.selfin.net ([194.244.74.30]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id HAA05480 for ; Wed, 8 Oct 1997 07:40:21 -0700 (PDT)
Received: from client ([194.244.74.131]) by pinux.selfin.net (8.7.5/8.7.3) with ESMTP id WAA31283; Wed, 8 Oct 1997 22:34:53 +0200
Message-Id: <199710082034.WAA31283@pinux.selfin.net>
From: "Franco RUGGIERI"
To: "Engasser, Charlie"
Cc:
Subject: R: Firewall-1, packet -VS- Proxy
Date: Wed, 8 Oct 1997 15:10:58 +0200
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1161
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Very glad to have such an exhaustive reply. Let me reply starting with your last proposal: since I'm a newcomer in the firewall field, I'd very much appreciate your keeping your promise of giving me (and all the other interested ones) the address of the rep you mention.

I'm also glad to see that your preferred firewalls are exactly the same ones I'd cite, if asked for.

In cauda venenum: every word of your comment about not-so-smart sysadmins is true, but maybe I misled you by using the word "smart". I meant that "Errare humanum est", and that it is preferable not to have to deal with cumbersome tasks. Were it not so, we would still be working with Assembler.
-------------------------------
Franco RUGGIERI
fruggieri@selfin.net

----------
> From: Engasser, Charlie
> To: 'Franco RUGGIERI'
> Cc: 'Firewalls@GreatCircle.COM'
> Subject: RE: Firewall-1, packet -VS- Proxy
> Date: Sunday 5 October 1997 19.42
>
> 1) It doesn't harden the system (Unix or NT or whatever it runs/will run
> on) by itself: it's up to the security admin to harden it: what if
> he/she is not so smart to do it properly?
>
> 1: Firewall-1 does install a kernel driver between the NIC driver and
> the OS (except on HPUX). So at least in theory the OS should be
> protected by whatever the firewall itself is hardened against. As for
> the sys admin not being smart enough to do it, well, companies get what
> they pay for.
>
> If the admin person isn't savvy enough to do it right, then that's not
> the fault of the firewall. Personally I find it appalling that someone
> would claim to be an administrator of their company's network security
> and take it on blind faith that a product protects them as claimed (or
> for that matter does anything as claimed). So what if one firewall says
> it hardens the system it's on? What exactly does that mean anyway? Do
> >>you<< know? In my opinion, the cost of a firewall product itself is
> only part of the equation; the other half is the cost of testing the product
> once it's set up. If you are not willing to fork over $$$ (be it time,
> resources, product or services) then it really doesn't matter if someone
> tells you the system was automagically "hardened", does it?
>
> 2) Setting up the rules is a real headache, most of it defining all the
> objects that make up the network. And everything which is difficult to
> implement is error prone.
>
> 2: Setting up rules in Firewall-1 is easier than the other 1/2 dozen
> firewalls I've used and looked at. First off, Firewall-1 is capable of
> resolving network names just as any other system would, through DNS,
> HOSTS, NIS or SNMP.
> If the rest of your network is running properly,
> defining network objects is nothing more difficult than telling
> Firewall-1 what the name of the system is, and letting it do all the
> hard stuff (like remembering IP addresses). The only objects that need
> to be defined are the ones that are directly affected by the rules
> policy. If you wish to define a global rule based on a subnet, then you
> define the subnet, and all systems in that subnet are affected by the
> rule in question.
>
> As for the previous poster, I don't think that I would decide on
> Gauntlet unless I had already put a few more firewalls on a testbed.
> Gauntlet is rated fairly well as far as security goes, but its
> performance figures suck. It drops packets left and right when under
> high loads. If you want a contact # of a rep I know that would be happy
> to get you eval copies of just about anything, drop me an email. As for
> the systems >>I<< would personally look at, I would start with:
>
> Firewall-1, AltaVista, Raptor, Gauntlet, Cisco PIX (hardware).
>
> I would avoid at all costs:
>
> Borderware (and probably Sidewinder too) and On Track's OnGuard. E-mail
> me for details if you need them.

From owner-firewalls-list Wed Oct 8 08:31:49 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA11464; Wed, 8 Oct 1997 08:21:39 -0700 (PDT)
Received: from marble.litc.lockheed.com (marble.litc.lockheed.com [198.7.15.33]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id IAA11445 for ; Wed, 8 Oct 1997 08:21:33 -0700 (PDT)
Received: from arkons.lmsc.lockheed.com (arkons.lmsc.lockheed.com [129.197.2.84]) by marble.litc.lockheed.com (8.8.3/8.8.2) with ESMTP id JAA01684 for ; Wed, 8 Oct 1997 09:23:35 -0600 (MDT)
Received: by ARKONS with Internet Mail Service (5.0.1457.3) id ; Wed, 8 Oct 1997 08:23:40 -0700
Message-ID:
From: "Sadler, Connie J"
To: "'fwalls'"
Subject: POP across a firewall...
Date: Wed, 8 Oct 1997 08:23:33 -0700
X-Priority: 3
X-Mailer: Internet Mail Service (5.0.1457.3)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Does anyone know of a "safe" way to support POP through a firewall? Any help or direction would be appreciated!

Connie

From owner-firewalls-list Wed Oct 8 08:47:01 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA11953; Wed, 8 Oct 1997 08:25:33 -0700 (PDT)
Received: from panix2.panix.com (panix2.panix.com [198.7.0.3]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id IAA11910 for ; Wed, 8 Oct 1997 08:25:23 -0700 (PDT)
Received: (from guy@localhost) by panix2.panix.com (8.8.5/8.7/PanixU1.3) id LAA14497; Wed, 8 Oct 1997 11:27:54 -0400 (EDT)
Date: Wed, 8 Oct 1997 11:27:54 -0400 (EDT)
From: Information Security
Message-Id: <199710081527.LAA14497@panix2.panix.com>
To: firewalls@GreatCircle.COM
Subject: RE: Internet email security & r
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From owner-firewalls-list@GreatCircle.COM Tue Oct 7 22:35:03 1997
> From: Joseph Judge
> Subject: RE: Internet email security & r
>
> I'll hazard a position on the subject ... but realize that
> I know email is used for business over the Internet and
> is viable. But I also realize folks have varying ideas of
> what "business" is (info, customer contact versus
> regulated business correspondence).
>
> In the financial world, for example, I would guess that the
> SEC wouldn't allow "business correspondence" to occur
> over email -- they have strict rules (i.e. must acknowledge
> communication within 48 hrs., etc).

No, there is heavy use of the Internet for business correspondence without any red tape. Traders regularly send lists of stocks and offering prices around to each other; I remember one list called "AXEs", whatever that is. They sent it daily to other firms to get them to trade. There are all sorts of reports, orders for equipment, IPOs sent to the SEC even.
It's when the IPO hasn't yet become public information, or a company's financing summary evaluation is sent out, that it becomes a security incident. Or trade confirmations: another no-no.

While traders sending out financial talk email is a violation of SEC rules, it is not actively tracked by companies. We're talking firewall SMTP traffic capture for analyzing the traders' email.

---guy

From owner-firewalls-list Wed Oct 8 09:01:50 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA14795; Wed, 8 Oct 1997 08:46:27 -0700 (PDT)
Received: from panix2.panix.com (panix2.panix.com [198.7.0.3]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id IAA14753 for ; Wed, 8 Oct 1997 08:46:09 -0700 (PDT)
Received: (from guy@localhost) by panix2.panix.com (8.8.5/8.7/PanixU1.3) id LAA12984; Wed, 8 Oct 1997 11:18:16 -0400 (EDT)
Date: Wed, 8 Oct 1997 11:18:16 -0400 (EDT)
From: Information Security
Message-Id: <199710081518.LAA12984@panix2.panix.com>
To: firewalls@GreatCircle.COM
Subject: Re: Internet email security & reliability
Cc: dbovee@scitor.com, glosser@bbdo.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

[ Posted and emailed ]

> Subject: Internet email security & r
> Author: "David Glosser" at Internet
> Date: 10/7/97 3:59 PM
>
>
> Subject: Internet email security & reliability
>
> I apologize if this is not directly related to firewalls, but I did a search
> of the Net and couldn't find anything....
>
> Are there any white papers, studies, hard facts, etc. that are related to the
> lack of security and reliability of internet e-mail and why it is not
> appropriate for corporate use?
>
> Any articles, pointers, links, publications, etc. (or suggestions of other
> forums) would be appreciated. Please e-mail me directly since I know this is not
> directly related to firewalls; I'll post a summary.
>
> Thanks in advance
> David Glosser
> glosser@bbdo.com

Of course Internet email is related to firewall security!!!
> Date: Tue, 7 Oct 1997 16:01:20 -0700
> From: dbovee@scitor.com (David Bovee)
> Subject: Re: Internet email security & r
> To: "firewalls" ,
> "David Glosser"
>
> May I interpret this as a question that has *already* been
> answered...?
>
> "...why it is not appropriate for corporate use?"
> ^^^
>
> Pardon me, but isn't a lot of business conducted via Internet email
> daily? Anyway, what's the difference between Internet email and email
> going from a subnetted/firewalled corporate intranet to an entirely
> different intranet within the same large corporation???
>
> -David Bovee

What's the difference? Security incidents on the firewall box!

> Thread: Five Months Statistics
> ---- ------ ----------
>
> I created and did the traffic analysis for five months before handing it
> off. The time includes a 2.5 month parallel run with the new person.
>
> o caught over 400,000 lines of Salomon proprietary source code outbound
>
> o Risk Management reports ("positions") caught outbound, including DRMS
> (Derivatives) going to someone who started working for Merrill Lynch
>
> o Risk Management reports inbound: Phibro positions [Salomon subsidiary]
>
> o Internal product documentation and trading desk procedures outbound
>
> o Many hostname/username/password transmissions for Salomon's internal systems
>
> o Many Sybase database passwords, including SA passwords
>
> o People working on their own businesses while within Salomon
>
> o Someone soliciting people for porno videos from Salomon
>
> o Phibro Chart of Accounts and internal accounting procedures
>
> o Year-end summary of lawsuits filed against subsidiary Basis Petroleum
>
> o Pirating of third-party copyright programs
>
> o Other firms' IUO (Internal Use Only) inbound
>
> o Our detailed systems inventory
>
> o Determined what PGP (encrypted) traffic was occurring
>
> o Salomon's Official Restricted List being repeatedly transmitted outbound
> (list of securities Salomon can't purchase without a conflict of interest)
>
> o Unreleased Financing Summaries and unreleased IPO's: SEC violations
>
> o Internal Use Only documents
>
> o Trade confirmations
>
> o JobTalk hits concerning internal budget details by an SOO.
>
> o JobTalk hit of a resume of a risk management person who wanted to
> "explain how it works" here
>
> o Hundreds of router (security) configurations
>
> o 42,000 lines of OASYS data
>
> o router and bridge passwords
>
> o Hostname/username/password for unmonitored outbound ISDN access from Salomon
>
> o An FBI investigation into theft of Salomon's Risk Management source code
>
> o An accepted-for-FBI-investigation into theft of FDTS source code
>
> o RadioMail: spotted that all the big cheeses who use it have all their highly
> sensitive email going out over the unprotected Internet, because we were too
> cheap to buy a transmitter, and so are forwarding all the email over the
> Internet to RadioMail's transmitter!!!
>
> o The key to one's financial life: Social Security numbers of Salomon
> retirees transmitted in/out the Internet. Names, birth dates...
>
> o caught our proprietary infrastructure code running at JP Morgan

Well, you asked for "studies" / hard facts.

If you are a large corporation, you are guaranteed to have continuing Internet email traffic security incidents. It didn't matter how many times the employees were told Internet email was being monitored: it's apparently human nature to do it anyway. Why, one can transfer megabytes without barely having to move. It didn't matter if every employee had to sign and return a form concerning Internet email monitoring. Go figure.

----

I've sold this NSA-like keyword-based Internet Email Risk Management Analytics to a NYC company, Aspen Computers Inc. It's going into the first major beta client company in the next two weeks. "It" meaning the complete rewrite, so it is no longer proprietary to the companies where I originally implemented it as a consultant. Plus, of course, "new and improved".
;-)

Anyway, it's not for sale yet, but if you want information, email nox@panix.com.

Larger companies are being targeted first; please email from the company, and include, if you would, some misc info:

o approx. Mb of daily email traffic
o do you have a security incident reporting procedure
o have you been getting at least one email security incident a week

...and any other color or questions.

All your internal systems are connected to the rest of the world via your firewall box. If you don't know what's passing through SMTP, you've got a joke for a firewall.

---guy@panix.com

From owner-firewalls-list Wed Oct 8 10:32:33 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA00275; Wed, 8 Oct 1997 10:17:56 -0700 (PDT)
Received: from bbnplanet.com ([198.114.157.21]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id KAA29735 for ; Wed, 8 Oct 1997 10:11:26 -0700 (PDT)
Received: from pasilla.bbnplanet.com by mail.bbnplanet.com id aa07173; 8 Oct 97 13:12 EDT
Received: by pasilla.bbnplanet.com (SMI-8.6/SMI-4.1) id NAA28194; Wed, 8 Oct 1997 13:12:10 -0400
Message-Id: <199710081712.NAA28194@pasilla.bbnplanet.com>
Subject: Re: POP across a firewall...
To: "Sadler, Connie J"
Date: Wed, 8 Oct 1997 13:12:09 -0400 (EDT)
From: Ed Forbes
Cc: firewalls@greatcircle.com
In-Reply-To: from "Sadler, Connie J" at Oct 8, 97 08:23:33 am
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi Connie,

> Does anyone know of a "safe" way to support POP through a firewall? Any
> help or direction would be appreciated!

I guess it all depends upon what you mean by "support". If you have a POP server on the outside of your firewall, then you just put a plug into your firewall letting your inside users contact the POP server and download their mail. This is pretty simple.
If you have a POP server inside the firewall, then you can configure your firewall to just relay the mail into it.

Hope this helps,
Ed

From owner-firewalls-list Wed Oct 8 11:31:24 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA04416; Wed, 8 Oct 1997 11:14:23 -0700 (PDT)
Received: from WorldHQ.com ([195.188.92.2]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id LAA04383 for ; Wed, 8 Oct 1997 11:14:13 -0700 (PDT)
Received: from firebird.worldhq.com..worldhq.com. ([195.188.105.83]) by WorldHQ.com (8.8.7/Nohj.2.0) with SMTP id TAA08242; Wed, 8 Oct 1997 19:11:16 +0100 (BST)
Date: Wed, 8 Oct 1997 19:11:16 +0100 (BST)
Message-Id: <199710081811.TAA08242@WorldHQ.com>
From: Phil Cracknell
To: Adam Shostack
Cc: "Firewall Wizards (Marcus J. Ranum's new moderated mail list)" , Firewalls Alias , Frank Willoughby , Kevin Brown - NetComm
Subject: System Spec for Penetration test
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-Mailer: Becky! ver 1.22
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I've cc'd this to firewalls and firewall-wizards; it may be off-topic, so I apologise up front.

I need a little advice on the spec of a laptop for penetration testing.

Originally I wanted a Sparcbook, but this is not possible now (for lots of reasons), so I thought about a high-powered Pentium laptop and loading Solaris x86, and then I can also install NT.

Does x86 support most PCMCIA network cards?

Would I be best advised to choose a SCSI-based disk/CD for ease of install? (x86 again!)

Can you think of anything else?
Many thanks

-------------------------------------------------------------
Edward Cracknell - Security Administrator

From owner-firewalls-list Wed Oct 8 12:31:38 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA11427; Wed, 8 Oct 1997 12:21:26 -0700 (PDT)
Received: from gabriel.advsys.com (gabriel.advsys.com [198.49.218.20]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id MAA11419 for ; Wed, 8 Oct 1997 12:21:20 -0700 (PDT)
Received: from sting.advsys.com ([129.203.1.25]) by gabriel.advsys.com (8.8.7/8.8.7) with ESMTP id PAA16804 for ; Wed, 8 Oct 1997 15:23:09 -0400 (EDT)
Received: from geek.advsys.com (geek [129.203.1.22]) by sting.advsys.com (8.8.6/8.8.6) with ESMTP id PAA00318 for ; Wed, 8 Oct 1997 15:23:00 -0400 (EDT)
Received: (from gabrams@localhost) by geek.advsys.com (8.7/8.7) id PAA04896; Wed, 8 Oct 1997 15:24:25 -0400 (EDT)
From: "Gary O. Abrams"
Message-Id: <199710081924.PAA04896@geek.advsys.com>
Subject: Re: System Spec for Penetration test
To: firewalls@greatcircle.com
Date: Wed, 8 Oct 1997 15:24:25 -0400 (EDT)
In-Reply-To: <199710081811.TAA08242@WorldHQ.com> from "Phil Cracknell" at Oct 8, 97 07:11:16 pm
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Phil Cracknell scribbled:
>
> I've cc'd this to firewalls and firewall-wizards, it may be off-topic,
> so I apologise up front;
>
> I need a little advice on the spec of a laptop for penetration testing.
>
> Originally I wanted a Sparcbook, but this is not possible now (for lots
> of reasons) so I thought about a high-powered Pentium laptop and
> loading Solaris x86 and I can then also install NT.
>
> Does x86 support most PCMCIA network cards?
>
> Would I be best advised to choose a SCSI-based disk/CD for ease of
> install? (x86 again!)
>

Take a look at the Solaris Hardware Compatibility List, which can be found at: http://access1.sun.com/certify/hcl.html.

later,
--
Gary

From owner-firewalls-list Wed Oct 8 15:43:39 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA23663; Wed, 8 Oct 1997 14:20:25 -0700 (PDT)
Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-970824-1) id OAA23653 for firewalls@greatcircle.com; Wed, 8 Oct 1997 14:20:21 -0700 (PDT)
Received: from mail.clark.net (mail.clark.net [168.143.0.10]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id JAA06745 for ; Tue, 7 Oct 1997 09:48:30 -0700 (PDT)
Received: from clark.net (proberts@explorer.clark.net [168.143.0.7]) by mail.clark.net (8.8.7/8.8.7) with ESMTP id MAA23412; Tue, 7 Oct 1997 12:50:10 -0400 (EDT)
Received: from localhost (proberts@localhost) by clark.net (8.8.7/8.8.7) with SMTP id MAA03772; Tue, 7 Oct 1997 12:49:07 -0400 (EDT)
X-Authentication-Warning: clark.net: proberts owned process doing -bs
Date: Tue, 7 Oct 1997 12:49:07 -0400 (EDT)
From: "Paul D. Robertson"
Reply-To: "Paul D. Robertson"
To: "Engasser, Charlie"
cc: "'Firewalls@GreatCircle.COM'"
Subject: RE: Firewall-1, packet -VS- Proxy
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The quoting on your reply is very mixed up, but I'll try to address these.

On Tue, 7 Oct 1997, Engasser, Charlie wrote:

> >Looking at past exploits, and Checkpoint's reaction to the OOB bug in
> >Windows NT, I would say that the hosting machine's services for
> >administration and VPN support seem to be unhardened, and vulnerable to
> >exploitation without extra work. If those responses are indicative of the
> >overall argument of a hardened system versus a shim in the driver layer,
> >then that shim boat just don't float.
> >
> >Checkpoint released a patch for 3.0 that dropped all urgent data, so?
So, it leads to the obvious conclusion that a host *should* be hardened, and that putting protection near the driver layers _does not_ provide a level of security sufficient to prevent the 'firewall' host from being successfully attacked.

> >And if you are running it on NT you can also install the OOBFIX if you
> >are that paranoid.

I'm too paranoid to run NT, as a matter of fact. But it is directly illustrative of the point that packet filters are not a clean-cut solution.

> >
> >> it hardens the system it's on? What exactly does that mean anyway? Do
> >> >>you<< know? In my opinion, the cost of a firewall product itself is
> >
> >If the vendor can't quantify 'harden' to your satisfaction, you're dealing
> >with the wrong vendor.
> >
> >That is one of the very reasons I said to avoid Secure. That and lousy
> >phone support with people that obviously didn't know their own
> >products.

I've never had a problem with Secure Computing, and NSA's evaluation of Sidewinder seems to be very positive. http://mitten.ie.org/

Firewalling is about security, and all the customer support in the world doesn't make up for an improperly chosen or configured platform.

> >
> >There is value to having a hardened OS, network
> >stack, filesystem, etc. A great deal of value in many instances, a number
> >of which depend on the specific installation. For instance, if your
> >firewall is going to play with a global authentication strategy, then
> >you'll want to know the stack can survive low-level attacks.
> >
> >I never said that a hardened OS wasn't bad strategy, I merely said that
> >I don't take a vendor's claims at face value.

You seemed to be dismissive of hardening, or the quantification thereof. In the case of Sidewinder specifically, I've always gotten good technical answers from Secure Computing when I've asked the relevant questions. The same is true of Data General's under-evaluation B2 system with BDM's Cybershield, as well as TIS' implementation of Gauntlet on BSD.
Hardening a host has a lot of value, and I don't believe it should be easily dismissed, or scorned because of a lack of understanding from one person.

> >Sorry, I just don't see why you'd take it on blind faith. Again, as I
> >stated in my earlier message, if you are not willing to test a
> >firewall's feature sets against what the vendor claims, then what's the
> >point of putting it in? Why should anyone dismiss Firewall-1 out of
> >hand just because they have "heard" that it's hard to configure and
> >that it doesn't automatically harden the OS? So what? This goes back to
> >my experiences with Secure, they >>insisted<< you could pass NBT
> >traffic through Borderware, but NOBODY could tell me how to do it. Why
> >say it's possible, but it really isn't? They said you >should< be able
> >to do it with 4 (I was running 3.1) but then, nobody would let me have
> >an eval copy to test it because I didn't buy a support contract (Border
> >Technologies didn't require a support contract, but after Secure bought
> >them out, they did).

I've never had Borderware on my list of things to test, but I've also never had a problem getting evaluation copies of products from any vendor. Most of that is probably because I represent a large potential sale, so I won't expound more on it.

> >
> >> As for the previous poster, I don't think that I would decide on
> >> Gauntlet unless I had already put a few more firewalls on a testbed.
> >> Gauntlet is rated fairly well as far as security goes, but its
> >> performance figures suck. It