From owner-firewalls-list Sat Nov 1 15:29:59 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA09228; Sat, 1 Nov 1997 14:18:15 -0800 (PST)
Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id OAA09056 for ; Sat, 1 Nov 1997 14:17:44 -0800 (PST)
Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id MAA21538; Sat, 1 Nov 1997 12:01:24 -0500
Date: Sat, 1 Nov 1997 12:01:21 -0500 (EST)
From: Rabid Wombat
To: Miles Lott
cc: "'firewalls@GreatCircle.COM'"
Subject: RE: Advertisement: "Fish Lovers Only"
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

It wasn't spam, it was a stego'd invitation to Lucky Green's Halloween party. Everybody spawn ...

On Tue, 28 Oct 1997, Miles Lott wrote:

> What's with all the spam on this list?
>

From owner-firewalls-list Sat Nov 1 15:44:25 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA09215; Sat, 1 Nov 1997 14:18:12 -0800 (PST)
Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id OAA09047 for ; Sat, 1 Nov 1997 14:17:43 -0800 (PST)
Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id MAA21584; Sat, 1 Nov 1997 12:34:37 -0500
Date: Sat, 1 Nov 1997 12:34:33 -0500 (EST)
From: Rabid Wombat
To: Arthur Young
cc: Christopher Hornor , "firewalls@GreatCircle.COM"
Subject: RE: (no subject)
In-Reply-To: <01BCE388.EF23F5E0@ahy@ziplink.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Yes. The infamous Marcus Ranum moved the implementation into hardware several years ago to improve speed.

On Tue, 28 Oct 1997, Arthur Young wrote:

> Isn't that hardware?
>
> -----Original Message-----
> From: Rabid Wombat [SMTP:wombat@mcfeely.bsfs.org]
> Sent: Tuesday, October 28, 1997 9:24 PM
> To: Christopher Hornor
> Cc: firewalls@GreatCircle.COM
> Subject: Re: (no subject)
>
> Purchase honorable wirecutters. Implement between router and csu/dsu.
>
> On Tue, 28 Oct 1997, Christopher Hornor wrote:
>
> > I am looking for information regarding your most powerful firewall and
> > filter software. Do you have any suggestions?? If possible in Japanese.
> >
> > Thank you,
> > Chris Hornor

From owner-firewalls-list Sat Nov 1 16:45:16 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id QAA07045; Sat, 1 Nov 1997 16:39:39 -0800 (PST)
Received: from sensible.instinctive.com ([209.48.136.141]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id QAA07014 for ; Sat, 1 Nov 1997 16:39:25 -0800 (PST)
Received: (qmail 8010 invoked by uid 0); 2 Nov 1997 00:37:33 -0000
Received: from unknown (HELO dietcoke) (unknown) by unknown with SMTP; 2 Nov 1997 00:37:33 -0000
Message-Id: <3.0.3.32.19971101194043.00b7e7b0@sensible.instinctive.com>
X-Sender: gregh@sensible.instinctive.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Sat, 01 Nov 1997 19:40:43 -0500
To: firewalls@GreatCircle.COM
From: Greg Haverkamp
Subject: Re: sex,lies, and application proxy based fw vs Check Point
References: <"Your message with ID"
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Gary R. Wolfe responded to Paul Robertson (11:41 AM 10/31/97 -0700):

>> Actually 'Out Of Band', which is a perfectly well-defined packet which
>> should be, if defined in the application layer protocol, processed
>> immediately (hence out of band), rather than in the order it was received
>> in the TCP stream. OOB data is indicated by the URG flag set in the
>> packet.
>> As Darren has pointed out, the applications programmer of an
>> application receiving OOB data must specifically ask to receive such
>> data. It's important to understand that this is a perfectly
>> legitimate, well-defined TCP packet which was being handled incorrectly by
>> Microsoft's TCP implementations. Hence my assertion that packet filters
>> (with or without state) don't protect from Internetwork or lower
>> transport layer problems that they don't know about.
>>
>Paul,
> are you saying that a proxy will not pass this flag through? It will reset
>the URG flag? What if the application needs that flag for proper operation?

I believe he's saying what has been central to his point all along:

1) an application gateway will "pass" only what is needed by the application in question; meanwhile,

2) a typical SPF will pass whatever it doesn't know to be bad.

The key to the above lies in the use of "pass." An application gateway will (should) look at the data coming from side A and, using knowledge of the application in question, rebuild that data on side B based on the data from side A. The only time an URG flag should be set is if the application gateway knows that URG flags are to be passed from side A to side B. Otherwise, it won't make it across, because the application gateway doesn't copy the packet, it builds it.

On the other hand, unless an SPF knows about the URG flag being a bad thing for an application, it will tend to pass the packet along. Or, as an alternative, it would have to block all URG flags unless it knew that they were valid for a particular application.

Hope I didn't put any incorrect words in anyone's mouth.
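The distinction Greg draws between "passing" a packet and rebuilding the data can be made concrete. The Python sketch below is an added example by the editor, not code from the original message or from any firewall product: the `Segment` class, the deny-rule format and the two toy proxies (`http_proxy`, `telnet_proxy`) are all constructed for it. It shows a filter forwarding an URG-flagged segment it has no rule for, the "block URG unless the service needs it" alternative, and a gateway whose freshly built side-B segment carries URG only when the per-application proxy was written to do so.

```python
# Added illustration (editor's example, not code from the original message or
# from any firewall product): a packet filter forwards a segment unless some
# rule recognises it as bad, while an application gateway terminates the
# connection and emits a freshly built segment containing only what the
# per-application proxy chooses to carry. Segment, the rule format and the two
# toy proxies are constructed for this example.
from dataclasses import dataclass


@dataclass
class Segment:
    """Toy TCP segment with just the fields the example needs."""
    src: str
    dst: str
    dport: int
    payload: bytes
    urg: bool = False  # URG flag set, i.e. the segment carries "out of band" data


def packet_filter(seg, deny_rules):
    """Filter logic in miniature: drop on the first matching deny rule, otherwise
    forward the segment untouched. Anything the rules do not describe passes."""
    for name, predicate in deny_rules:
        if predicate(seg):
            return None, f"dropped by rule {name!r}"
    return seg, "passed through unchanged"


def http_proxy(payload, urg_in):
    """HTTP defines no use for urgent data, so this proxy never sets URG on the
    side-B segment, whatever arrived on side A. Non-HTTP input is refused."""
    if not payload.startswith((b"GET ", b"HEAD ", b"POST ")):
        return None, False
    return payload, False


def telnet_proxy(payload, urg_in):
    """Telnet's SYNCH mechanism does rely on urgent data, so this proxy is
    deliberately written to carry the flag across."""
    return payload, urg_in


def application_gateway(seg, proxies):
    """Gateway logic in miniature: hand the side-A payload to the proxy for the
    service, then build a *new* side-B segment from what the proxy returns."""
    proxy = proxies.get(seg.dport)
    if proxy is None:
        return None, "no proxy for this service; connection refused"
    payload_out, carry_urg = proxy(seg.payload, seg.urg)
    if payload_out is None:
        return None, "proxy rejected the data"
    rebuilt = Segment(src="gateway", dst=seg.dst, dport=seg.dport,
                      payload=payload_out, urg=carry_urg)
    return rebuilt, "rebuilt by proxy"


def compare_handling():
    """Run one URG-flagged HTTP request and one URG-flagged telnet segment
    through each approach and collect what came out the other side."""
    proxies = {80: http_proxy, 23: telnet_proxy}
    http_urg = Segment("client", "server", 80, b"GET / HTTP/1.0\r\n\r\n", urg=True)
    telnet_urg = Segment("client", "server", 23, b"\xff\xf2", urg=True)
    results = {}

    # Filter with no rule about URG: the flagged segment is forwarded as-is.
    out, why = packet_filter(http_urg, deny_rules=[])
    results["filter_no_rule"] = (out.urg, why)

    # The alternative Greg mentions: block every URG unless the service is
    # known to need it (telnet here).
    urg_ok_ports = {23}
    deny = [("urg_unless_allowed", lambda s: s.urg and s.dport not in urg_ok_ports)]
    out, why = packet_filter(http_urg, deny)
    results["filter_urg_rule"] = (out, why)
    out, why = packet_filter(telnet_urg, deny)
    results["filter_urg_rule_telnet"] = (out.urg, why)

    # Gateway: the HTTP proxy never copies the flag; the telnet proxy does.
    out, why = application_gateway(http_urg, proxies)
    results["gateway_http"] = (out.urg, out.src, why)
    out, why = application_gateway(telnet_urg, proxies)
    results["gateway_telnet"] = (out.urg, why)
    out, why = application_gateway(Segment("client", "server", 6000, b"x"), proxies)
    results["gateway_unknown_service"] = (out, why)
    return results


if __name__ == "__main__":
    for case, outcome in compare_handling().items():
        print(f"{case:28s} -> {outcome}")
```

The point to notice is where the knowledge lives: the filter is only as safe as the deny list someone remembered to write, whereas the gateway's default is to emit nothing it was not explicitly written to emit, so an unanticipated transport-layer oddity dies at the proxy rather than reaching the protected host.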
Greg

From owner-firewalls-list Sat Nov 1 21:29:39 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id UAA09465; Sat, 1 Nov 1997 20:55:01 -0800 (PST)
Received: from ns.ntadvice.com (ns.ntadvice.com [207.176.151.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id UAA09409 for ; Sat, 1 Nov 1997 20:54:46 -0800 (PST)
Received: by ns.ntadvice.com with Internet Mail Service (5.5.1939.0) id ; Sat, 1 Nov 1997 10:29:32 -0500
Message-ID: <61B80F9FF411D1118DEF0000E8D5C66705552C@ns.ntadvice.com>
From: Russ
To: firewalls@GreatCircle.COM
Cc: "'TIS - Avolio, Fred'" , "'Darden, Frank'"
Subject: RE: sex,lies, and application proxy based fw vs Check Point
Date: Sat, 1 Nov 1997 10:29:31 -0500
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.1939.0)
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

IMO, TIS are extremely concerned, now that they are a public corporation, with the marketing perception of AGs. The fact that two SPF vendors are equaling their shipped boxes figures must have a significant impact on their expected projections. Fred Avolio has combined valuable information with marketing specific rhetoric in an attempt to refocus potential customer attention on what should be a very important decision. I have mixed feelings about the method, but the decision is important enough to warrant ardent discussion.

I fail to understand why most security professionals don't appreciate this in a similar fashion. It's extremely expensive, and very difficult, to prove that one implemented Firewall is "better" than another implemented Firewall, in the same facility. Recreating the test traffic to obtain a valid comparison, while ensuring that the traffic is "real-world" to the customer's regular traffic, normally prevents such comparisons. Therefore, the marketing of SPF vs. AG must come down to "religious" issues for most customers.
If TIS, the leading AG vendor, did not offer some sound bites that will win customers, their resellers would likely do it for them. Better to lead than to follow, I always say. CP is equally culpable in such activities, as are most vendors.

I think Frank made a valid point, originally, when he said that this was a new tack for TIS, and one he didn't appreciate (regardless of his motives). TIS has always led by action, not words, but in today's market this has clearly not been enough. Ideally, I too would have preferred to see them stay out of this sort of marketing, but clearly business dictates otherwise.

If, as security professionals, you don't appreciate the marketing battle that's been going on for the last 2 or 3 years, I'd suggest you're missing something. SPF vs. AG gives customers a basis to describe their general needs, and a way to ascribe their policies and beliefs. Understanding how an MIS manager views security (vis-a-vis SPF vs. AG) allows us to move more quickly to determine how to secure it (by being able to talk in their terms). Understanding, fully, all "generations" of Firewalls is essential, just as essential as understanding perceptions about those "generations".

In the final analysis, I suspect the document wasn't intended to "prove" anything, merely add food for thought in the never-ending "how" discussion. It will certainly be interesting should Fred decide to provide us with insight into demonstrating some of his claims (both pro and con). Particularly with the introduction of network appliances and the onslaught of encryption.

Cheers,
Russ
R.C. Consulting, Inc.
- NT/Internet Security

From owner-firewalls-list Sat Nov 1 21:44:01 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id VAA17417; Sat, 1 Nov 1997 21:31:14 -0800 (PST)
Received: from fw4.tns.co.za (fw4.tns.co.za [196.4.160.32]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id VAA17374 for ; Sat, 1 Nov 1997 21:31:02 -0800 (PST)
Received: by fw4.tns.co.za; id HAA01597; Sun, 2 Nov 1997 07:30:35 +0200 (SAT)
Message-Id: <199711020530.HAA01597@fw4.tns.co.za>
Received: from unknown(89.1.0.48) by fw4.tns.co.za via smap (V3.1.1) id xma001594; Sun, 2 Nov 97 07:30:27 +0200
From: "Billy Verreynne"
Subject: Re: Linux et al PFs
Date: Sat, 1 Nov 1997 11:25:09 -0000
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1155
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> john wrote:
>
> I couldn't agree with you more in that respect- Linux will definitely
> outperform NT, both in speed, reliability, and the amount of users it can
> serve. The only applications we use NT for is custom stuff- and only
> because we have to. Anything serious is done from the UN*X spectrum.

Off topic, but anyway.

This is absolute bull. It's like saying that you need to have a 16" dick to satisfy a woman. Crap.

When talking about who can outperform who, get the facts right. What platform - RISC or CISC, single CPU, SMP or even clusters? What service(s) is/are being compared? Are the service(s) from the same vendor (i.e. how good is the code)? Are the network architectures the same? (i.e. same topology, same number of segments etc.). What network cards are being used and what are the driver versions? How many users are being served? Are the same clients used? What is used as the baseline for the comparison and what is compared and why? etc etc.

So some people have a hard on for BSD, others for Linux, NT or even OS/2.
So what. I prefer Burger King to McDonalds. But to simply say that anything serious is done on Unix belongs in alt.urban.legends.

regards,
Billy

From owner-firewalls-list Sat Nov 1 23:14:08 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id WAA04849; Sat, 1 Nov 1997 22:59:01 -0800 (PST)
Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id WAA04787 for ; Sat, 1 Nov 1997 22:58:47 -0800 (PST)
Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id BAA14486; Sun, 2 Nov 1997 01:56:17 -0500 (EST)
From: Adam Shostack
Message-Id: <199711020656.BAA14486@homeport.org>
Subject: Re: Obtaining an Export License
In-Reply-To: <199710311656.LAA13095@panix2.panix.com> from Information Security at "Oct 31, 97 11:56:46 am"
To: guy@panix.com (Information Security)
Date: Sun, 2 Nov 1997 01:56:16 -0500 (EST)
Cc: firewalls@GreatCircle.COM
X-Mailer: ELM [version 2.4ME+ PL27 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

PKZIP's encryption methods are not secure. The fact that they use 96 bit keys is irrelevant. See the sci.crypt archives, RISKS archives:

http://catless.ncl.ac.uk/Risks/16.39.html
http://infinity.nus.sg/cypherpunks/dir.archive-95.11.22-95.11.28/0096.html

Because the US regulations are designed to limit the spread of crypto by fear, uncertainty, and doubt, I'll suggest that the fact that the key is 96 bits probably makes zip unexportable.

I suggest PGP, which can be found outside the US, and implements zip compression as part of its encryption. I've been using PGP as a general purpose compression/ascii encoder for a while.

Adam

Information Security wrote:
| > From owner-firewalls-list@GreatCircle.COM Fri Oct 31 10:34:51 1997
| > >
| > >How does one go about obtaining an Export License for a given encryption
| > >software?
| > >We have offices in the U.S. and Malaysia where we need to use
| > >96-bit pkzip software (customer requirement).
|
| Wouldn't you be better off locating an outside-of-the-USA site
| for the software, and importing it?
|
| ---guy
|

--
"It is seldom that liberty of any kind is lost all at once." -Hume

From owner-firewalls-list Sun Nov 2 05:29:05 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA03518; Sun, 2 Nov 1997 05:27:51 -0800 (PST)
Received: from panix2.panix.com (panix2.panix.com [198.7.0.3]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id FAA03511 for ; Sun, 2 Nov 1997 05:27:46 -0800 (PST)
Received: (from guy@localhost) by panix2.panix.com (8.8.5/8.7/PanixU1.3) id IAA04079; Sun, 2 Nov 1997 08:28:46 -0500 (EST)
Date: Sun, 2 Nov 1997 08:28:46 -0500 (EST)
From: Information Security
Message-Id: <199711021328.IAA04079@panix2.panix.com>
To: firewalls@greatcircle.com
Subject: Re: Altavista SMTPin bungling?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From owner-firewalls-list@GreatCircle.COM Sat Nov 1 22:07:06 1997
>
> Hi (first post!)
>
> I've been reading your stuff for a while - and it looks like you are the
> people to send this to.
>
> We are looking at a scenario where we might open an alternative route to
> the backoffice SMTP server for an exclusively trusted host, as we aren't
> too happy with the Altavista FW's handling of SMTPin. We seem to have
> 'lost' a lot of mail.

No reverse DNS lookups should be used for SMTP: it violates the RFC to require the 'From' to be authenticated. (Anyone remember Chuck Yerkes saying this many moons ago?)

Just use IP addresses or unauthenticated 'From' for any filtering/blocking.
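What "filter on IP addresses or the unauthenticated 'From'" looks like as a relay decision, written out as an added example by the editor (not code from the original message or from any mail product): the policy consults only the connecting peer's address and the envelope text it was given, and never does a reverse lookup. The trusted networks, hosted domains, blocked sender domains and the sample sessions are constructed for the example.

```python
# Added illustration (editor's example, not code from the original message or
# any mail product): an SMTP relay decision that uses only the connecting
# peer's IP address and the unauthenticated envelope text, and never consults
# DNS. The networks, domains and sessions below are constructed for the example.
import ipaddress

# Constructed policy: who may relay outbound, which domains we host, and which
# sender domains we refuse outright.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.1.0.0/16", "192.0.2.0/24")]
LOCAL_DOMAINS = {"example.com", "mail.example.com"}
BLOCKED_SENDER_DOMAINS = {"spam.example", "junk.example"}


def parse_address(addr):
    """Split a bare or <bracketed> envelope address into (local-part, domain).
    The null sender "<>" used for bounces yields ("", ""). Nothing here is
    verified; it is just the text the peer sent."""
    addr = addr.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    if addr == "":
        return "", ""
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"malformed address: {addr!r}")
    return local, domain.lower()


def decide(peer_ip, mail_from, rcpt_to):
    """Return (verdict, reason) for one RCPT TO. Order matters: refuse blocked
    senders first, then let trusted networks relay anywhere, then accept mail
    for our own domains from anyone, and refuse everything else."""
    peer = ipaddress.ip_address(peer_ip)
    _, sender_domain = parse_address(mail_from)
    _, rcpt_domain = parse_address(rcpt_to)
    if sender_domain in BLOCKED_SENDER_DOMAINS:
        return "reject", "sender domain on block list"
    if any(peer in net for net in TRUSTED_NETS):
        return "accept", "relay permitted for trusted network"
    if rcpt_domain in LOCAL_DOMAINS:
        return "accept", "local delivery"
    return "reject", "relaying denied for untrusted peer"


def evaluate_session(peer_ip, mail_from, rcpts):
    """Apply decide() to every recipient of one session and return the log lines
    a relay would write, so the policy can be audited after the fact."""
    lines = []
    for rcpt in rcpts:
        verdict, reason = decide(peer_ip, mail_from, rcpt)
        lines.append(f"peer={peer_ip} from={mail_from} to={rcpt} {verdict}: {reason}")
    return lines


if __name__ == "__main__":
    # Constructed sessions: an inside host relaying out, and an outside host
    # delivering in, with no reverse lookup attempted for either.
    for line in evaluate_session("10.1.5.7", "<alice@example.com>",
                                 ["<bob@elsewhere.example>"]):
        print(line)
    for line in evaluate_session("203.0.113.9", "<carol@elsewhere.example>",
                                 ["<bob@example.com>", "<bob@other.example>"]):
        print(line)
```

Because the peer address is the only input the remote side cannot simply type, it is the one a relay-permission rule can lean on; the envelope sender is still useful for blocking known-bad domains, but it is treated as a label, not as proof of origin.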
---guy

From owner-firewalls-list Sun Nov 2 06:29:01 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA08371; Sun, 2 Nov 1997 06:19:57 -0800 (PST)
Received: from xfrsparc.tic.com ([206.225.55.37]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id GAA08344 for ; Sun, 2 Nov 1997 06:19:48 -0800 (PST)
Received: from casa-pc.tic.com by xfrsparc.tic.com (8.8.5/xfrsparc.1.3) id IAA03375; Sun, 2 Nov 1997 08:18:57 -0600 (CST)
Received: from localhost by casa-pc.tic.com (8.8.6/sub.1.6) id IAA00846; Sun, 2 Nov 1997 08:18:57 -0600
Message-Id: <199711021418.IAA00846@casa-pc.tic.com>
To: firewalls@greatcircle.com
Subject: Re: sex,lies, and application proxy based fw vs Check Point
In-reply-to: Your message of "Sat, 01 Nov 1997 10:29:31 EST." <61B80F9FF411D1118DEF0000E8D5C66705552C@ns.ntadvice.com>
Date: Sun, 02 Nov 1997 08:18:56 -0600
From: Smoot Carl-Mitchell
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I've been following this discussion with some interest and have been quiet up to this point in time. I have set up both TIS's Gauntlet and Checkpoint's Firewall-1 for clients. So I've had real world experience with both.

The discussion about which method (AGs or SPF) is interesting, but not particularly relevant in today's networking market. When Firewall-1 first came out, I got an evaluation copy from Sun. I never used it because it looked like just another packet filter with a flashy user interface. I could do much the same thing with any good filtering router. In fairness FW-1 has added a number of features to the basic package which give it similar functionality to an AG. I personally find AGs conceptually easier to understand, but that is because of my background and experience with them.

I did completely miss the point of what FW-1 was all about. It sold, I believe, because it had that GUI. As an old networking pro, I hated GUIs because they limited what I could do.
I later learned that FW-1 does have an underlying linear language, so the GUI just adds flash to the basic package. However, that flash, I believe, is an important marketing tool. I've come to believe that GUIs are really designed for the purchasing managers and not for the technical people that need to use an actual product. A GUI is basically packaging. They usually do not add any functionality to a package, but any good marketing person will tell you that flash sells, almost regardless of the underlying technology. I call this principle the triumph of marketing over technology.

Before I get roasted by the Checkpoint folks, I do believe they have some good underlying technology. Whether SPF is better technology than AG is debatable. However, Checkpoint did understand marketing and they shipped their product with a flashy GUI for marketing purposes. It evidently worked. They should be congratulated for understanding why products sell.

Smoot Carl-Mitchell
Texas Internet Consulting
2836 San Gabriel
Austin, TX 78705
+1 512 477-3320

From owner-firewalls-list Sun Nov 2 07:29:19 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA14219; Sun, 2 Nov 1997 07:19:57 -0800 (PST)
Received: from ns.ntadvice.com (ns.ntadvice.com [207.176.151.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id HAA14212 for ; Sun, 2 Nov 1997 07:19:51 -0800 (PST)
Received: by ns.ntadvice.com with Internet Mail Service (5.5.1939.0) id ; Sun, 2 Nov 1997 10:19:35 -0500
Message-ID: <61B80F9FF411D1118DEF0000E8D5C667055537@ns.ntadvice.com>
From: Russ
To: "'Tim Lebrun'" , firewalls@GreatCircle.COM, ntsecurity@iss.net
Subject: RE: PPTP configuration
Date: Sun, 2 Nov 1997 10:19:34 -0500
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.1939.0)
Content-Type: text/plain; charset="iso-8859-1"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>So we have a T1 internet connection run which (from the outside)
>first, goes through a Cisco 7000
>router, then through a Gauntlet
>firewall, and then the users get logged on to a NT Ras server
>using PPTP. And from there the users can go and do anything
>on the network, ie: Mail, Novell, Tn3270, Telnet.

First let me say that my position on PPTP has changed, as you'll likely notice from the message below.

You will have a couple of problems with this configuration.

1. There is no way within NT or via PPTP to force the users to use NT boxes as their clients.

2. Only NT-NT communications can be forced to *not* use LanMan hashes for their passwords.

3. PPTP uses the OWF hash of the password as the shared key for encrypting the PPTP session. This information is sent at the session setup of every PPTP connection.

4. When the OWF hash is based on the *LanMan* hash of the password, it is extremely weak and subject to brute force decryption based on known, available, methods and tools.

5. The shared key, derived as per #3 above, is used *every* time a connection is established, and remains the same until the user changes their password. It is therefore long-lived (certainly lives much longer than a reasonable average of 3 days it might take to brute force the LanMan key space).

6. Given NT's TCP sequence predictability, hijacking a PPTP session based on a Win95 client (or an NT client *not* configured to *not* use LanMan) should be a straightforward process.

The bottom line, in my current opinion, is that the use of PPTP cannot be relied upon to be secure. While it may be possible to prevent a Win95 client from obtaining a successful completed login to your PPTP server (say by forcing checks during the login script processing, mandatory profiles, etc...) there is no way to prevent them from trying to connect using a LanMan hash. As such, their passwords could be made available to hackers. Once captured, they could subsequently be used on NT clients to establish successful logins by hackers.

Security Dynamics have said that it is possible to use SecurID with PPTP.
Even if this is done I am still not convinced it would be sufficient to overcome the issues.

1. If the SecurID token value is used as the client password in the steps listed above, then the session would be encrypted with an extremely weak value (known to be a number of a specific length). Real-time brute force would likely be possible (obviously depends on the length of the sessions). Trial-and-error over a period of time would likely yield at least one session hijack, then depending on whose session is captured...

2. Assuming that the SecurID token value is not used as the session encryption key, then the risks are still present for hijacking (since the session key would then be derived from the client password). IOWs, SecurID has not really added anything to the security of the solution.

3. Assuming that normal client authentication takes place first, then the SecurID authentication, then the session encrypted with the original client password hash, you still have the same problems.

The only viable solution would be for Security Dynamics to combine the SecurID token value with the client password hash (in some reasonable fashion) and then use this new value as the basis for the session encryption. If this is done, then the entire solution becomes very viable (IMO) and well worth investigating. Unfortunately I haven't asked Security Dynamics for these specifics, maybe someone from there can comment??

Finally, if you are in a situation where you can trust the clients to use NT (remember, you have no way to enforce this policy), then PPTP remains a valid mechanism IMO. The issues arise when you either: a) cannot trust the clients to use NT only, b) must use Win95 clients, c) do not have control over whether or not the NT clients have disabled LanMan hashes.
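The key-lifetime problem in points #3 and #5 above, and the combination Russ proposes as the fix, can be shown side by side. This is an added example by the editor, not code from the original message and not the real PPTP or MS-CHAP key schedule: SHA-256 stands in for the stored password hash, HMAC stands in for the "reasonable fashion" of combining, and the token codes and nonce are constructed. Those substitutions are assumptions; what the example shows is the property that matters, namely that a key derived from the password hash alone is identical for every session until the password changes, while mixing in the per-session token and a nonce yields a fresh key each time.

```python
# Added illustration (editor's example, not code from the original message and
# not the PPTP/MPPE key schedule): contrast a session key derived from the
# long-lived password hash alone with one that also mixes in a one-time token
# value and a per-session nonce, as Russ proposes. SHA-256 and HMAC stand in
# for the real hash and combining step; both are assumptions for the example.
import hashlib
import hmac
import os


def password_hash(password):
    """Stand-in for the stored one-way password hash (problem #3 above). Real NT
    or LanMan hashing is not reproduced; SHA-256 just gives a fixed per-password value."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def session_key_password_only(pw_hash):
    """Problems #3 and #5: the key depends on nothing but the password hash, so
    every session until the next password change uses the same key."""
    return hmac.new(pw_hash, b"session-key", hashlib.sha256).digest()[:16]


def session_key_combined(pw_hash, token_code, server_nonce):
    """The combination Russ suggests: the token value and a fresh server nonce are
    mixed into the derivation, so a captured key is useless for the next session
    and the short token number is never the key by itself (problem #1 of the
    SecurID list). HMAC is an illustrative construction here, not a standard."""
    material = token_code.encode("ascii") + b"|" + server_nonce
    return hmac.new(pw_hash, material, hashlib.sha256).digest()[:16]


def compare_schemes(password, token_codes):
    """Derive one key per session under each scheme and return how many distinct
    keys each produced: 1 for the hash-only scheme, one per session when combined."""
    h = password_hash(password)
    fixed = {session_key_password_only(h) for _ in token_codes}
    mixed = {session_key_combined(h, code, os.urandom(16)) for code in token_codes}
    return len(fixed), len(mixed)


def key_repeats_across_password_change(old_password, new_password):
    """The hash-only scheme's one redeeming property: the key does change once
    the user changes the password. Returns True only if it did not."""
    return (session_key_password_only(password_hash(old_password))
            == session_key_password_only(password_hash(new_password)))


if __name__ == "__main__":
    # Constructed inputs: one password, three sessions with three token values.
    print(compare_schemes("correct horse battery", ["482913", "115077", "930241"]))
    print(key_repeats_across_password_change("correct horse battery", "new one"))
```

Note what the combined scheme does and does not buy: it bounds the damage of a captured session key to that one session, but if the underlying hash is the weak LanMan form the message describes, the password itself is still exposed to the offline attack in point #4, so the two fixes are complementary rather than interchangeable.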
Cheers,
Russ

From owner-firewalls-list Sun Nov 2 07:44:14 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA14320; Sun, 2 Nov 1997 07:22:56 -0800 (PST)
Received: from relay1.shore.net (relay1.shore.net [192.233.85.129]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id HAA14313 for ; Sun, 2 Nov 1997 07:22:41 -0800 (PST)
Received: from [198.115.179.81] (vin.shore.net [198.115.179.81]) by relay1.shore.net (8.8.7/8.8.7) with ESMTP id KAA17982; Sun, 2 Nov 1997 10:22:12 -0500 (EST)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sun, 2 Nov 1997 04:20:14 -0500
To: Firewalls@greatcircle.com
From: Vin McLellan
Subject: Re: FIREWALL: Encryption round up?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Doug Bridgens queried the FW Listocracy with a dangerously big and simple request:

>> Would some kind person please give a brief summary of where the IT
>> world is in terms of encryption methods? There seem to be lots of

Paul D. Robertson responded:

>All over the place. There are many good, and many bad products out there,
>it tends to be up to the user to evaluate which are which. General
>initiatives other than SSL tend to be not quite there yet.

All true, more or less -- but there are a couple of other ways of looking at this scene.

In the first place, crypto has become, and will become more so, the heartland of information security. And the heart of the heartland will always be dedicated hardware: chips and secured memory modules (which can offer relatively more speed, assurance, and stored-data integrity.) This is the allure of smartcards, for where the user meets the network, and special-purpose encryptors elsewhere, for high-speed and/or high-security environments.

Another guideline: in cryptography "old" (relatively speaking) is good.
Americans from Missouri (the "show me" state) are famous for their hard-headed demand for real-world demonstrations rather than airy explanations. When it comes to crypto, all the pros, everywhere, are from Missouri.

All the noise about algorithms and key-lengths tends to obscure the fact that the really dangerous aspect of applied cryptography is in the actual implementation of a crypto system. Thus, implementation code which has held up (a) under widespread scrutiny and (b) in a wide variety of working systems will always be trusted more than any other crypto system (new or well-known) which can't match it on those two criteria.

In their respective categories, this is the huge advantage that reference implementations of DES (among the symmetric systems,) and RSA (among the asymmetric systems) hold over their often-impressive cryptographic competitors. Corporate compsec pros like those on this list will likely stay with DES (or 3DES, which sacrifices little or none of the credibility of 56-bit DES) long after apparently stronger and more flexible alternatives are available because they've come to trust the implementations they use. (And when they switch, it will be to something with a multi-year track record of widespread implementation.)

>> different types are they hardware/software and how do they actually work
>> in practice.

>Completely implementation dependent, normally based on the algorithm.

There are three categories of crypto tools: classic symmetric algorithms; asymmetric (public key) algorithms; and hashes (one-way functions.) You should go elsewhere to learn the basics of what they offer, and how different classes of algorithms (e.g., stream vs block ciphers) are structured to optimize various functions. (Today, I'd say that the choice between hw or sw is based on cost and the relative need for security/assurance or speed -- irrespective of the algorithm.)
The advent of corporate and national public key infrastructures (PKI) seems likely to introduce a major paradigm shift in the economics of Information Security. PKI -- and specifically, the mechanism of a digital signature -- will allow us to offer security as a productivity enhancer, rather than the costly pain in the ass that compsec and comsec have traditionally been.

Within the context of an X509 certificate-based PKI, contracts, purchase orders, administrative agreements can be exchanged and signed online. This is expected to offer significant efficiencies both within corporate bureaucracies and for trade among commercial entities which have had no previous contact with one another. The attractiveness of this model is such that there is an enormous drive to push it into praxis -- even before the logistics of key and certificate management and the relevant legal issues have been settled.

Here in the States, there are small to tiny Gnostic cults (Fortezza, PGP's D-H, Elliptic Curve) which are committed to non-RSA-based public key implementations, but -- as you've doubtless noted in Europe -- internationally, and in the US commercial world, RSA-based PK tech is almost universal. This is, in part, because stable RSA implementations have been in the field for 15 years; and, in part, due to the particular weight of de facto standardization in PKI. (Even within the US military -- as our DoD finally discovered with Fortezza -- when someone wants to place a PO for toilet paper or ball bearings, they want to be able to exchange digital signatures with someone other than other US military sites.)

>> Also I am based in Europe so does this mean I have better
>> (more secure) encryption tools to work with, as opposed to the US? If

>No, it simply means that you aren't allowed to use strong US developed
>tools. US laws are currently based on the export of strong encryption,
>not its creation.
Your non-American "encryption tools" are almost surely stronger, "more secure," than those which are currently allowed to be exported from the US -- but, for the commercial market, that is not really the issue.

Outside of PKI, there is not much of a market for crypto, per se. The demand is for crypto-enhanced functionality in various applications, utilities, or operating systems. US export control regulations effectively limit the strength of the crypto that can be shipped integrated into those products -- and often, US vendors still have no strong international competition for the products which provide the base functionality. (Products like Xpresso, Safe Passage, and Fortify are now available to inject or supplement the limited-strength crypto in American-made webservers or browsers, for example -- but the exception proves the rule. In most other categories of software, your options as a non-American seeking to buy _integrated_ strong crypto are probably limited.)

>> this is a bit too much to ask of the list then can someone point me to a
>> document that is current?
>
>Scneier's Applied Cryptography 2nd Ed. for protocols

That's Bruce Schneier:

>http://www.tis.com/docs/research/crypto/index.html for a fair product list
>
>sci.crypt for discussions
>

All good suggestions. I might also suggest you review the relevant IETF RFCs and the mailing lists of the various IETF Working Groups: The ISO or your own national standards group may have similar discussion groups.

Paul noted earlier that the user today is all but "on his own" in evaluating the quality of various cryptographic products. I suggest that users are well served if they stick by the recommendations of the various standards organizations with regard to algorithms and, to the extent possible, implementation guidelines.
Crypto standardization is highly political -- with both competitive and government pressures, sometimes bizarrely so -- but (key length issues aside) what emerges from these groups is likely to be comparatively solid on implementation.

The (American) National Computer Security Association has also recently developed consortiums of American and European crypto vendors which will attempt to certify crypto implementation code as meeting certain minimal standards. Such certification efforts have been quite controversial in firewalls, but it may be less so in crypto. If successful, this effort or others like it may help raise a threshold barrier against poor implementations.

I should also note that I've been a consultant to SDTI, the parent company for RSADSI (which holds a US-only patent on RSA public key cryptography) for many years.

I apologize to all for the discursive length.

Suerte,
_Vin

"Cryptography is like literacy in the Dark Ages. Infinitely potent, for good
and ill... yet basically an intellectual construct, an idea, which by its
nature will resist efforts to restrict it to bureaucrats and others who deem
only themselves worthy of such Privilege."
_ A thinking man's Creed for Crypto/ vbm.

* Vin McLellan + The Privacy Guild +
* 53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548

From owner-firewalls-list Sun Nov 2 08:14:01 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA20819; Sun, 2 Nov 1997 08:10:31 -0800 (PST)
Received: from gargoyle.clark.net (gargoyle.clark.net [168.143.0.250]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id IAA20726 for ; Sun, 2 Nov 1997 08:10:09 -0800 (PST)
Received: (qmail 482 invoked by uid 500); 2 Nov 1997 16:50:25 -0000
Date: Sun, 2 Nov 1997 11:50:25 -0500 (EST)
From: "Paul D. Robertson"
X-Sender: proberts@gargoyle
To: Russ
cc: firewalls@GreatCircle.COM, "'TIS - Avolio, Fred'" , "'Darden, Frank'"
Subject: RE: sex,lies, and application proxy based fw vs Check Point
In-Reply-To: <61B80F9FF411D1118DEF0000E8D5C66705552C@ns.ntadvice.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Sat, 1 Nov 1997, Russ wrote:

> IMO, TIS are extremely concerned, now that they are a public
> corporation, with the marketing perception of AGs. The fact that two SPF
> vendors are equaling their shipped boxes figures must have a significant
> impact on their expected projections. Fred Avolio has combined valuable
> information with marketing specific rhetoric in an attempt to refocus
> potential customer attention on what should be a very important
> decision.

Which is immaterial to the subsequent discussion of technical features which ensued.

> It's extremely expensive, and very difficult, to prove that one
> implemented Firewall is "better" than another implemented Firewall, in the
> same facility. Recreating the test traffic to obtain a valid comparison,
> while ensuring that the traffic is "real-world" to the customer's
> regular traffic, normally prevents such comparisons. Therefore, the
> marketing of SPF vs. AG must come down to "religious" issues for most
> customers.

Which doesn't mean that a number of people haven't done such tests. I think your predicates may hold true for 'most customers', but that different predicates, and resultant answers should apply for security professionals. Just because you, or your customers, or your company (generically, not personally) can't do valid tests doesn't make valid tests any less relevant.

> I think Frank made a valid point, originally, when he said that this was
> a new tack for TIS, and one he didn't appreciate (regardless of his

Not very new, it was discussed quite some time ago on c.s.f.
> If, as security professionals, you don't appreciate the marketing battle
> that's been going on for the last 2 or 3 years, I'd suggest you're missing
> something. SPF vs. AG give customers a basis to describe their general

If, as security professionals, we don't take the time to learn each of the issues behind the technologies, and can't separate the marketing issues from the technological ones, then I'd suggest we'd be missing a bigger piece of the pie. I'm tasked with evaluating and implementing technologies, not marketing departments. That requires that I know to ask if a packet filter drops FO=1 packets, or if an application gateway MITMs SSL to pass it through an HTTP gateway, not if "hackers prefer xyzzy", or "Wunderwall is sold in K-Mart with a bottle opener."

> in their terms). Understanding, fully, all "generations" of Firewalls is
> essential, just as essential as understanding perceptions about those
> "generations".

Being able to understand and articulate the technologies is more important for those of us in the field. If one of my business units is trying to make a security decision based on perception, it's my job to go hit them with the clue hammer. That generally takes a day at the white board, regardless of which perception they're basing the choice on. Calling them generations is IMO a misnomer, since I don't happen to believe that they are replacements for each other. They're different animals, they can and do interbreed into hybrids, but there are circumstances where one is more appropriate than the other for each case. I've got some problems with the way some application proxy vendors (including TIS) handle some protocols as well as the way that packet filters handle them, but after the initial vendor bashing, this thread was about the technologies and we've only gone to implementations where it was necessary to prove or disprove a point.
For what it's worth, this thread has probably been the best overall discussion this list has had in about a year. I've put packet filters, application gateways, and hybrids into various places. I think I've got a good grasp of the technologies, as well as the implementations. I also have a good grasp of the business case and the particular threat models. While I'm aware of the marketing issues, I don't think they are relevant to the technical discussion which this bloomed into. I don't know why we're vectoring back to the marketing stuff here, since the first couple of notes pretty much covered that ground.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
PSB#9280

From owner-firewalls-list Sun Nov 2 09:29:06 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA29015; Sun, 2 Nov 1997 09:25:18 -0800 (PST)
Received: from ns.ntadvice.com (ns.ntadvice.com [207.176.151.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id JAA29006 for ; Sun, 2 Nov 1997 09:25:11 -0800 (PST)
Received: by ns.ntadvice.com with Internet Mail Service (5.5.1939.0) id ; Sun, 2 Nov 1997 12:24:51 -0500
Message-ID: <61B80F9FF411D1118DEF0000E8D5C66705553A@ns.ntadvice.com>
From: Russ
To: "'Paul D. Robertson'"
Cc: firewalls@GreatCircle.COM, "'TIS - Avolio, Fred'" , "'Darden, Frank'"
Subject: RE: sex,lies, and application proxy based fw vs Check Point
Date: Sun, 2 Nov 1997 12:24:51 -0500
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.1939.0)
Content-Type: text/plain; charset="iso-8859-1"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Which is immaterial to the subsequent discussion of technical features
>which ensued.

I made my point specifically because the marketing aspects of the discussion were not, IMO, fully discussed.
Much of Fred's document attempts to persuade the reader about a particular technology based on marketing information, not solely on technology (quoting IDC for example). Denver Systems did this and everyone railed at them, but because Fred is Fred we should just bow our heads and forget marketing rhetoric? I didn't think so, hence my comments. FWIW, I did send Fred, privately, my comments on how I thought his market-speak was ill-stated. An attempt to appease the trigger-happy flamers from repeating their inferno on me. Once Fred's replied, I'll happily restate them in public (see, that's the difference that Fred deserves vs. Denver Systems).

>Which doesn't mean that a number of people haven't done such tests. I
>think your predicates may hold true for 'most customers', but that
>different predicates, and resultant answers should apply for security
>professionals. Just because you, or your customers, or your company
>(generically, not personally) can't do valid tests doesn't make valid tests
>any less relevant.

I, my customers, and my company can do valid tests. While your parenthetic disclaimer "(generically, not personally)" may have been enough in your mind, the wording comes off sounding too much like a personal reproach for my liking. I never said that the tests weren't valid, but no test results exist in the public realm that can reliably be used by anyone who chooses not to do the tests themselves (or cannot). Therefore no valid test results exist for the vast majority of customers wishing to implement Firewall solutions, hence my point that the marketing of the products/technology is a very large factor in the decision process. An example of this is any test done in any magazine/publication; since the test criteria are not specific to the person reading the results, the results come down to being marketing material rather than valid technical data.
Who cares, for example, how much traffic can be pumped through a FW if the traffic is not representative of your own traffic?

- What effect does, say, doubling the amount of SMTP traffic and halving the amount of HTTP traffic (in a given test mix) have on the overall performance of FWs? Obviously such changes are likely to have more impact on AGs than on SPFs, but who can say for sure?
- What about encrypted traffic, how does that affect the performance of the various boxes, or more complex protocols like NBT or even FTP, do both technologies handle them equally well, if not, what's the difference?
- If I run each Proxy in a different user context, how much of a performance hit do I see vs. using a single context for all Proxies?
- Does a FW-FW VPN create the same load as a Client-FW VPN?

The list goes on and on, and is very valid for all customers, but unless they do the tests themselves any reported values are near worthless (read: marketing information). Since much of the rhetoric that is thrown around, both by the vendors and by the security professionals, is based solely on their own tests/experience, or a few controlled tests done by vendors, or generic tests done by publications, none of which that I've seen can be reliably used by anyone whom the tests weren't designed for, I put it to you that much of what "professionals" say about the technology is based on what I call "marketing information".

FWIW, I would like to see protocol-by-protocol comparisons for security gateways. They should present a list of threats tested, as well as the performance during those tests. They should be done unencrypted and encrypted. Then a rough mix of traffic can be thrown at the boxes to give an idea of the overhead of mixing protocols. A comprehensive table like this would, IMO, put an end to much of the discussion. NCSA/DataComms, can you hear me??
[Paul's description of his personal abilities snipped]

>While I'm aware of the marketing issues, I
>don't think they are relevant to the technical discussion which this
>bloomed into. I don't know why we're vectoring back to the marketing
>stuff here, since the first couple of notes pretty much covered that ground.

The first sentence explains the second. You don't think marketing is relevant to the technical discussion, hence you don't understand why I made my points about marketing being important. Rather than trying to blow off my opinions, why not instead ask me why I think they're relevant next time, maybe you'll learn something (boy do I wish I had a "clue hammer")...;-]

Cheers,
Russ

From owner-firewalls-list Sun Nov 2 09:44:01 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA29098; Sun, 2 Nov 1997 09:29:52 -0800 (PST)
Received: from gargoyle.clark.net (pm1-61.dcwt.infi.net [208.136.65.61]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id JAA29080 for ; Sun, 2 Nov 1997 09:29:43 -0800 (PST)
Received: (qmail 709 invoked by uid 500); 2 Nov 1997 18:10:03 -0000
Date: Sun, 2 Nov 1997 13:10:03 -0500 (EST)
From: "Paul D. Robertson"
X-Sender: proberts@gargoyle
To: Russ , firewalls@GreatCircle.COM
Subject: RE: sex,lies, and application proxy based fw vs Check Point
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Sun, 2 Nov 1997, Paul D. Robertson wrote:

> Which doesn't mean that a number of people haven't done such tests. I
> think your predicates may hold true for 'most customers', but that
> different predicates, and resultant answers should apply for security
> professionals.
> Just because you, or your customers, or your company
> (generically, not personally) can't do valid tests doesn't make valid tests

Because I wasn't particularly clear here, "generically, not personally" was meant to change the statement to mean that it applied to a generic set of people, not Russ in particular. I was in no way casting aspersions on Russ' abilities to perform tests, and apologize if it seemed that way.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
PSB#9280

From owner-firewalls-list Sun Nov 2 09:59:06 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA00907; Sun, 2 Nov 1997 09:47:31 -0800 (PST)
Received: from gargoyle.clark.net (pm1-61.dcwt.infi.net [208.136.65.61]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id JAA00816 for ; Sun, 2 Nov 1997 09:47:12 -0800 (PST)
Received: (qmail 786 invoked by uid 500); 2 Nov 1997 18:27:32 -0000
Date: Sun, 2 Nov 1997 13:27:32 -0500 (EST)
From: "Paul D. Robertson"
X-Sender: proberts@gargoyle
To: Russ
cc: firewalls@GreatCircle.COM, "'TIS - Avolio, Fred'" , "'Darden, Frank'"
Subject: RE: sex,lies, and application proxy based fw vs Check Point
In-Reply-To: <61B80F9FF411D1118DEF0000E8D5C66705553A@ns.ntadvice.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Sun, 2 Nov 1997, Russ wrote:

> >Which doesn't mean that a number of people haven't done such tests. I
> >think your predicates may hold true for 'most customers', but that
> >different predicates, and resultant answers should apply for security
> >professionals. Just because you, or your customers, or your company
> >(generically, not personally) can't do valid tests doesn't make valid
> tests
> >any less relevant.
>
> I, my customers, and my company can do valid tests. While your
> parenthetic disclaimer "(generically, not personally)" may have been
> enough in your mind, the wording comes off sounding too much like a
> personal reproach for my liking.

I have clarified this. I will again repeat that it was not specifically aimed at you, and in no way was meant to cast such aspersions.

> I never said that the tests weren't valid, but no test results exist in
> the public realm that can reliably be used by anyone who chooses not to
> do the tests themselves (or cannot). Therefore no valid test results
> exist for the vast majority of customers wishing to implement Firewall
> solutions, hence my point that the marketing of the products/technology
> is a very large factor in the decision process.

Parts of tests certainly can though. Since I'm not going to cast aspersions at particular products, let's just say that there is a set of test results which can be applicable. For example, testing products to performance failure, and noting the failure characteristics, can be applicable to anyone using that device.

> I put it to you that much of what "professionals" say about the
> technology is based on what I call "marketing information".

I'll agree with that.

> The first sentence explains the second. You don't think marketing is
> relevant to the technical discussion, hence you don't understand why I
> made my points about marketing being important. Rather than trying to
> blow off my opinions, why not instead ask me why I think they're relevant
> next time, maybe you'll learn something (boy do I wish I had a "clue
> hammer")...;-]

Ok, could you explain why you think that particular instances of marketing rhetoric are applicable to the general discussion of base technologies? Surely the technology works the same way that the technology works regardless of what any particular company says about it?
Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
PSB#9280

From owner-firewalls-list Sun Nov 2 10:44:01 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA11218; Sun, 2 Nov 1997 10:37:54 -0800 (PST)
Received: from ns.ntadvice.com (ns.ntadvice.com [207.176.151.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id KAA11201 for ; Sun, 2 Nov 1997 10:37:45 -0800 (PST)
Received: by ns.ntadvice.com with Internet Mail Service (5.5.1939.0) id ; Sun, 2 Nov 1997 13:37:29 -0500
Message-ID: <61B80F9FF411D1118DEF0000E8D5C66705553E@ns.ntadvice.com>
From: Russ
To: "'Paul D. Robertson'"
Cc: firewalls@GreatCircle.COM
Subject: RE: sex,lies, and application proxy based fw vs Check Point
Date: Sun, 2 Nov 1997 13:37:29 -0500
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.1939.0)
Content-Type: text/plain; charset="iso-8859-1"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>I have clarified this.

Thanks...;-]

>Parts of tests certainly can though. Since I'm not going to cast
>aspersions at particular products, let's just say that there is a set of
>test results which can be applicable. For example, testing products to
>performance failure, and noting the failure characteristics can be
>applicable to anyone using that device.

Testing to failure is only valid if the traffic used to create the failure matches (to varying degrees) the traffic you expect to see. Today we talk about "throughput", and rarely see the characteristics of the data being used for the test. As I said, some traffic puts higher demand on the technology. How do we know that the mix used in one of those publication evaluations is sufficiently equal across all technologies, or sufficiently representative across all customers?
If the IDC or some other body were to come out and say "The average mix of traffic across an average company's gateway is thusly formed...", and then that same mix was used in a test, then I'd say we would have a valid benchmark to make *some* comparisons/judgements from. The effect on that benchmark based on variations in the mix could substantially change the results. (let's call the test GAPING, for General Application Performance of InterNet Gateways...;-])

Example, I go out and buy the solution that offers the best GAPING results, my mix is pretty close to the GAPING criteria. Everything is wonderful. Over the next year, I implement VPN technology for a large segment of my vast salesforce. My particular solution may, or may not, be the best solution for this change in the mix (i.e. thousands of encrypted external connections). Granted, no solution may be able to make the transition well, and revisions to the solution may make stated test results change over time.

IMO, per-protocol, encrypted and non-encrypted, saturation test results are the only results which would serve a valid public purpose. These you could pick amongst to construct your own comparisons.

>Ok, could you explain why you think that particular instances of marketing
>rhetoric are applicable to the general discussion of base technologies?
>Surely the technology works the same way that the technology works
>regardless of what any particular company says about it?

All solutions that cannot be implemented are useless, agreed? Wire-cutters are the best security mechanism around, but hardly useful. Anything above wire-cutters has some component that affects the userbase. I use the term userbase to describe not only the end-clients, but also the administrative staff, IS folks, purchasing department all the way up to the CEO who wants to make a public statement about an affiliation with a particular vendor.

I think all rhetoric is wrong, but not all marketing is rhetoric.
As I've said before, test results are marketing information, and those test results could be presented in such a way as to make a substantial impact on the userbase, and therefore the technology. If, through performance testing, you could substantially prove that Vendor A's FTP capabilities were significantly slower (read: say 3 times slower) than Vendor B's, and this information was used over and over again in marketing information, chances are we'd see a substantial change to the underlying technology.

Security programmers are not, very often, sitting around purely thinking of the next best security idea they can. More often than not they're hard at work trying to solve the next marketing question that's been raised. It's a rare place indeed where marketing is not dictating (to a large extent) what gets done when and in what version. APIs, for example, are an important technological component. They are also an extremely valuable marketing tool. If I have a set of well written APIs into my solution, I'm more likely to be able to convince vendors to add to it. If they do, the public perception that the solution is "good" will increase, regardless of whether or not it really is "good". 3rd parties will not write add-ons because I've got a good API, or good underlying technology, they'll write them because they believe they'll sell a lot piggy-backing on my market-share. Hence the technology ends up getting shaped around the vendor with good marketing techniques (read: Microsoft). CP with OPSec is an attempt to do this, and no doubt TIS' relationship with Microsoft will be a similar attempt.

I would prefer to see a balance between SPFs and AGs, as both have their place, but this balance can only be achieved with sufficient marketing information to ensure that one does not dominate the other. If OPSec is incredibly effective, and a non-OPSec vendor tries to move forward without a strong alliance group, it will, IMO, lose market-share.
This may not matter to those of you who care less whether you're buying your product from a "big" or "little" vendor, but it makes a huge difference as to whether or not that vendor can continue to develop solutions into the long-term future at all. Look at Tandem Computers, who for the longest time were a marginal vendor. Excellent solution, priced at a level customers would purchase, yet the company could not continue to survive without massive changes. The changes had to happen for the technology to continue to be viable (you make far more money on new customers than you do on existing ones, in case anyone hadn't noticed).

So, technology for technology's sake is wonderful, but without marketing it has little value as a long-term solution. How far away do you think we are from Macs becoming PCs? (don't answer, take it as an observation).

Cheers,
Russ

From owner-firewalls-list Sun Nov 2 14:59:01 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA27551; Sun, 2 Nov 1997 14:57:14 -0800 (PST)
Received: from softway95.softway.com (softway95.softway.com [206.80.1.38]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id OAA27528 for ; Sun, 2 Nov 1997 14:57:05 -0800 (PST)
Received: from softway.com ([207.174.14.69]) by softway95.softway.com (8.8.5/8.6.12) with ESMTP id OAA01709; Sun, 2 Nov 1997 14:56:35 -0800 (PST)
Message-ID: <345D053A.8BAE82A7@softway.com>
Date: Sun, 02 Nov 1997 15:56:58 -0700
From: Jason Zions
Organization: Softway Systems Inc.
X-Mailer: Mozilla 4.03 [en] (WinNT; I)
MIME-Version: 1.0
To: Russ
CC: firewalls@GreatCircle.COM, ntsecurity@iss.net
Subject: Re: [NTSEC] RE: PPTP configuration
References: <61B80F9FF411D1118DEF0000E8D5C667055537@ns.ntadvice.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> The issues arise when you either; a)
> cannot trust the clients to use NT only, b) must use Win95 clients, c)
> do not have control over whether or not the NT clients have disabled
> LanMan hashes.

So there's no way to force the NT server to refuse LanMan hashes? That'd be the easiest and most obvious way to avoid the issue; must mean that it's impossible. :-(

Jason

From owner-firewalls-list Sun Nov 2 15:14:42 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA26793; Sun, 2 Nov 1997 14:48:58 -0800 (PST)
Received: from gargoyle.clark.net (pm1-48.dcwt.infi.net [208.136.65.48]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id OAA26749 for ; Sun, 2 Nov 1997 14:48:41 -0800 (PST)
Received: (qmail 1584 invoked by uid 500); 2 Nov 1997 23:29:07 -0000
Date: Sun, 2 Nov 1997 18:29:07 -0500 (EST)
From: "Paul D. Robertson"
X-Sender: proberts@gargoyle
To: Russ
cc: firewalls@GreatCircle.COM
Subject: RE: sex,lies, and application proxy based fw vs Check Point
In-Reply-To: <61B80F9FF411D1118DEF0000E8D5C66705553E@ns.ntadvice.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Sun, 2 Nov 1997, Russ wrote:

> Testing to failure is only valid if the traffic used to create the
> failure matches (to varying degrees) the traffic you expect to see.

Right. Fortunately (or rather probably more unfortunately) we can look at the current attack methodologies and find out where the failure characteristics of a good deal of network devices lie.
> Today we talk about "throughput", and rarely see the characteristics of
> the data being used for the test. As I said, some traffic puts higher
> demand on the technology. How do we know that the mix used in one of
> those publication evaluations is sufficiently equal across all
> technologies, or sufficiently representative across all customers?

We ask them what their methodology was. Just like we tend to ask firewall and platform vendors specific detailed questions about the internals of their products. How easy that information is to get, how current it stays, and how truthful the answers play out to be is how you start to build a trust model for a vendor. I'm frequently very pleasantly surprised at how far vendors are willing to go these days on the basis of mutual trust without even the standard non-disclosure agreement. I find myself considering that in my trust model, because frequently I'm able to find out failure modes, thresholds and programming models without going through six months of teeth pulling. Then we can move much more quickly to the due diligence phase, where I can ask for specific proof of the assertions, or build test cases to prove or disprove them.

> If the IDC or some other body were to come out and say "The average mix
> of traffic across an average company's gateway is thusly formed...", and
> then that same mix was used in a test, then I'd say we would have a
> valid benchmark to make *some* comparisons/judgements from. The effect
> on that benchmark based on variations in the mix could substantially
> change the results. (let's call the test GAPING, for General Application
> Performance of InterNet Gateways...;-])

There is certainly a lot of work to be done in this area. I'd prefer to see it from a completely vendor neutral source. The problem with the current testing model (you know who you are), IMO, is that with the vendor feedback loop fully engaged, we can't gauge how well designed the product was.
Also, just like the paper certifications for some administrators, it's more a measure of how well you test than how well you perform on the job.

> IMO, per-protocol, encrypted and non-encrypted,
> saturation test results are the only results which would serve a valid
> public purpose. These you could pick amongst to construct your own
> comparisons.

The problem here is implementation vs. weighting. As has been pointed out before, comparing a 300MHz Sparc to a 200MHz isn't always relevant. I'd love to see some sort of concise scaling and cost-per-unit as well as maximum performance metric, but I don't think it's safe to assume that will happen in a way that won't be superseded every few weeks for a while. Hardware cycles are getting as bad as software ones these days.

> All solutions that cannot be implemented are useless, agreed?
> Wire-cutters are the best security mechanism around, but hardly useful.

Which doesn't change the technology, only its potential application.

> Anything above wire-cutters has some component that affects the
> userbase. I use the term userbase to describe not only the end-clients,
> but also the administrative staff, IS folks, purchasing department all
> the way up to the CEO who wants to make a public statement about an
> affiliation with a particular vendor.
>
> I think all rhetoric is wrong, but not all marketing is rhetoric. As
> I've said before, test results are marketing information, and those test
> results could be presented in such a way as to make a substantial impact
> on the userbase, and therefore the technology. If, through performance
> testing, you could substantially prove that Vendor A's FTP capabilities
> were significantly slower (read: say 3 times slower) than Vendor B's,
> and this information was used over and over again in marketing
> information, chances are we'd see a substantial change to the underlying
> technology.
Were performance your only metric, and were it likely that said change was possible without breaking the underlying codebase.

>
> Security programmers are not, very often, sitting around purely thinking
> of the next best security idea they can. More often than not they're
> hard at work trying to solve the next marketing question that's been
> raised. It's a rare place indeed where marketing is not dictating (to a
> large extent) what gets done when and in what version. APIs, for

For the general marketplace, that's certainly true. In the security marketplace, for instance TCB type systems, it's still not a total corruption, since most of those companies don't tend to have large marketing organizations yet.

> example, are an important technological component. They are also an
> extremely valuable marketing tool. If I have a set of well written APIs
> into my solution, I'm more likely to be able to convince vendors to add
> to it. If they do, the public perception that the solution is "good"
> will increase, regardless of whether or not it really is "good".
> 3rd parties will not write add-ons because I've got a good API, or good
> underlying technology, they'll write them because they believe they'll
> sell a lot piggy-backing on my market-share.

Right, which is why I think it's more important to evaluate the technology, for instance "Is an API useful, or does it decrease security?" versus listening to the marketing folks, or indeed the programming staff, tell me how wonderful it is. The more informed the buyer is, the less effective the marketing hype.

> Hence the technology ends up getting shaped around the vendor with good
> marketing techniques (read: Microsoft). CP with OPSec is an attempt to do
> this, and no doubt TIS' relationship with Microsoft will be a similar
> attempt.

For some companies that's true. For others, the technologies get shaped around other things.
I'm still of the opinion that it is possible to buy security products from companies who do security well, not marketing well. Over time that may change, or may not, depending on how many me's there are, and what the business requirements evolve into.

> I would prefer to see a balance between SPFs and AGs, as both have their
> place, but this balance can only be achieved with sufficient marketing
> information to ensure that one does not dominate the other. If OPSec is
> incredibly effective, and a non-OPSec vendor tries to move forward
> without a strong alliance group, it will, IMO, lose market-share. This
> may not matter to those of you who care less whether you're buying your
> product from a "big" or "little" vendor, but it makes a huge difference
> as to whether or not that vendor can continue to develop solutions into
> the long-term future at all. Look at Tandem Computers, who for the

If at that point the situation were such that the solution needed to be upgraded, and the alternatives weren't acceptable, and the vendor wasn't making enough to move forward, obviously we'd either have to choose a less palatable solution, not do whatever it is we were doing, or buy the vendor. Just as obviously, not everyone has those options.

I also tend to think that packet filters have their place. There are things that packet filters don't do, stateful, stateless, or both. While it's certainly true that there are things that application gateways don't do as well, I've never argued otherwise, I just happen to think they're more easily solvable at border routers, or host IP stacks, than the obverse are at a packet filter.

> So, technology for technology's sake is wonderful, but without marketing
> it has little value as a long-term solution. How far away do you think
> we are from Macs becoming PCs? (don't answer, take it as an
> observation).

I'll still choose security over marketing.
Buying a technology for its security properties rather than its marketing ones is still important to me. That doesn't mean it's exclusionary, it just means that I won't buy well-marketed obscurity when I have a poorly marketed security solution. Maybe not as obviously, it is important to be able to set a realistic lifecycle on any solution. While we've come a long way from the early eighties lifecycle design methodologies, a great deal of it is still pertinent. Despite all the marketing hoopla, solid network security engineering hasn't changed a great deal in principle from that period either, and if you bank on a single solution from a single vendor, no matter what their current size, and never re-evaluate, or question that choice, then I think we all know where you'll go.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
PSB#9280

From owner-firewalls-list Sun Nov 2 16:14:36 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id QAA04700; Sun, 2 Nov 1997 16:06:48 -0800 (PST)
Received: from gargoyle.clark.net (pm1-48.dcwt.infi.net [208.136.65.48]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id QAA04673 for ; Sun, 2 Nov 1997 16:06:37 -0800 (PST)
Received: (qmail 1769 invoked by uid 500); 3 Nov 1997 00:47:05 -0000
Date: Sun, 2 Nov 1997 19:47:05 -0500 (EST)
From: "Paul D. Robertson"
X-Sender: proberts@gargoyle
To: Vin McLellan
cc: Firewalls@greatcircle.com, Doug.Bridgens@3Dlabs.com
Subject: Re: FIREWALL: Encryption round up?
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Sun, 2 Nov 1997, Vin McLellan wrote:

> The advent of corporate and national public key infrastructures
> (PKI) seems likely to introduce a major paradigm shift in the economics of
> Information Security. PKI -- and specifically, the mechanism of a digital
> signature -- will allow us to offer security as a productivity enhancer,
> rather than the costly pain in the ass that compsec and comsec have
> traditionally been.

I'm not sure that national PKI brings anything to the table. Corporate PKI will almost definitely be a good thing. Given the history in trade of government supplied credentials, I think national PKIs will probably be more of an abuse vector, though I would guess that some Corporate PKIs could turn that way should the usage for corporate keys extend beyond the traditional corporate boundaries. Unfortunately, the potential volume revenues in this area are making it difficult to generate much support for freeware initiatives and multiple-certificate scenarios where more complex trust boundaries can be created. Not that those wouldn't make trust modeling more difficult.

> Here in the States, there are small to tiny Gnostic cults
> (Fortezza, PGP's D-H, Elliptic Curve) which are committed to non-RSA-based
> public key implementations, but -- as you've doubtless noted in Europe --
> internationally, and in the US commercial world, RSA-based PK tech is
> almost universal. This is, in part, because stable RSA implementations

With the expiration of D-H and H-M, I think we'll probably see a shift in this. Certainly things are looking like they're starting to shift that way with SSL V3. D-H/SHA/3DES is certainly attractive to those of us who would rather not pay for our trust infrastructure on a server-by-server basis.
It is possible that the freeing of PK in the US will generate much more software than before, especially if the export restrictions were to die a reasonably quick death. While your points are well worth noting, and RSA is indeed in a very strong position as far as extension of trust, until last month, there really wasn't a viable alternative to licensed PK exchange, and the Hellman-Merkle patent gave rise to questions on if there were *any* alternative. With that out of the way, we're in a pretty unique situation. In the least, it should be interesting. > Paul noted earlier that the user today is all but "on his own" in > evaluating the quality of various cryptographic products. I suggest that > users are well served if they stick by the recommendations of the various > standards organizations with regard to algorithms and, to the extent > possible, implementation guidelines. Crypto standardization is highly > political -- with both competitive and government pressures, sometimes > bizarrely so -- but (key length issues aside) what emerges from these > groups is likely to be comparatively solid on implementation. Very good advice, and worth leaving in as a repetition. > > The (American) National Computer Security Association > has also recently developed consortiums of American > and European crypto vendors which will attempt certify crypto > implementation code as meeting certain minimal standards. Such > certification efforts have been quite controversial in firewalls, but it > may be less so in crypto. If successful, this effort or others like it may > help raise a threshold barrier against poor implementations. I think in crypto it's easier to say what an implementation should do. With a more defined environment, we'll see much less questioning since the testing methodology should be that much easier to implement. This is certainly a barrier which needs raising. Paul ----------------------------------------------------------------------------- Paul D. 
Robertson "My statements in this message are personal opinions proberts@clark.net which may have no basis whatsoever in fact." PSB#9280 From owner-firewalls-list Sun Nov 2 17:44:10 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id RAA15390; Sun, 2 Nov 1997 17:17:37 -0800 (PST) Received: from ns.cmbchina.com ([202.96.161.112]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id RAA15339 for ; Sun, 2 Nov 1997 17:17:21 -0800 (PST) Received: from cmbchina.com ([10.1.4.25]) by ns.cmbchina.com (Netscape Mail Server v2.0) with ESMTP id AAA4253 for ; Mon, 3 Nov 1997 09:17:20 +0900 Message-ID: <345D2610.F687B011@cmbchina.com> Date: Mon, 03 Nov 1997 09:17:04 +0800 From: fw1@cmbchina.com (fw1) X-Mailer: Mozilla 4.03 [en] (Win95; I) MIME-Version: 1.0 To: "Firewalls@GreatCircle.COM" Subject: Firewall-1 on Windows NT Platform Content-Type: text/plain; charset=gb2312 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi Everybody: Can anybody give me EVAL SERIAL NUMBER of Firewal-1 on Windows NT 4.0 platform? Thanks for your help! 
From owner-firewalls-list Sun Nov 2 18:01:45 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id RAA19170; Sun, 2 Nov 1997 17:49:22 -0800 (PST) Received: from ns.ntadvice.com (ns.ntadvice.com [207.176.151.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id RAA19155 for ; Sun, 2 Nov 1997 17:49:15 -0800 (PST) Received: by ns.ntadvice.com with Internet Mail Service (5.5.1939.0) id ; Sun, 2 Nov 1997 20:48:58 -0500 Message-ID: <61B80F9FF411D1118DEF0000E8D5C667055548@ns.ntadvice.com> From: Russ To: "'Jason Zions'" , Russ Cc: firewalls@GreatCircle.COM, ntsecurity@iss.net Subject: RE: [NTSEC] RE: PPTP configuration Date: Sun, 2 Nov 1997 20:48:57 -0500 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.1939.0) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> So there's no way to force the NT server to refuse LanMan hashes? That'd
> be the easiest and most obvious way to avoid the issue; must mean that
> it's impossible. :-(

I honestly don't think it's a matter of being impossible, as surely it isn't. One thing I would look for, however, is just whether or not all NT functions that involve hashes are done using NT hashes only (this would be a logical extrapolation of their statement that LM hashes are only removed if enforced on both the server *and* the client). I do think it's a matter that to do so would prevent the use of Win95, and I believe MS feels this setting would cause too many support issues. It would also glaringly focus attention on the insecurities of Win95 (not that they try and say it is secure, just that they probably don't want it pointed out so vividly). Humble opinions all of my own.
Cheers, Russ From owner-firewalls-list Sun Nov 2 20:39:03 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id UAA03311; Sun, 2 Nov 1997 20:15:50 -0800 (PST) Received: from relay1.shore.net (relay1.shore.net [192.233.85.129]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id UAA03294 for ; Sun, 2 Nov 1997 20:15:43 -0800 (PST) Received: from [198.115.179.81] (vin.shore.net [198.115.179.81]) by relay1.shore.net (8.8.7/8.8.7) with ESMTP id XAA18376; Sun, 2 Nov 1997 23:15:25 -0500 (EST) Message-Id: In-Reply-To: References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Sun, 2 Nov 1997 21:43:25 -0500 To: "Paul D. Robertson" From: Vin McLellan Subject: Re: FIREWALL: Encryption round up? Cc: Firewalls@greatcircle.com, Doug.Bridgens@3Dlabs.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Vin McLellan wrote: >> The advent of corporate and national public key infrastructures >> (PKI) seems likely to introduce a major paradigm shift in the economics of >> Information Security. PKI -- and specifically, the mechanism of a digital >> signature -- will allow us to offer security as a productivity enhancer, >> rather than the costly pain in the ass that compsec and comsec have >> traditionally been. Paul D. Robertson responded: >I'm not sure that national PKI brings anything to the table. Corporate >PKI, will almost definitely be a good thing. Given the history in trade >of government supplied credentials, I think national PKIs will probably >be more of an abuse vector, though I would guess that some Corporate PKIs >could turn that way should the usage for corporate keys extend beyond the >traditional corporate boundries. Unfortunately, the potential volume >revenues in this area are making it difficult to generate much support >for freeware initiatives and multiple-certificate scenerios where more >complex trust boundries can be created. 
> Not that those wouldn't make
> trust modeling more difficult.

I think the overwhelming value of PKI will be inter-corporate, in the open economy, with interoperability of the sort demonstrated by the widespread adoption of S/MIME. Internal corporate CAs can offer neat administrative efficiencies, but commerce exists only within a larger economy. Governments (e.g., Canada) will sponsor or license National CAs -- and at various levels of government, they will surely have their own CAs issuing certificates for government employees and officials -- but the full potential of digital sigs in Commerce will only come from CAs (like GTE, Verisign, etc.) which offer certificates binding corporate or individual identities and public key pairs which can be validated by receiving parties anywhere in an economy. Eventually, I expect these CAs to be honored internationally, but for the immediate future I expect national laws to define their scope with legislation.

>
>> Here in the States, there are small to tiny Gnostic cults
>> (Fortezza, PGP's D-H, Elliptic Curve) which are committed to non-RSA-based
>> public key implementations, but -- as you've doubtless noted in Europe --
>> internationally, and in the US commercial world, RSA-based PK tech is
>> almost universal. This is, in part, because stable RSA implementations

> With the expiration of D-H and H-M, I think we'll probably see a shift in
> this. Certainly things are looking like they're starting to shift that
> way with SSL V3. D-H/SHA/3DES is certainly attractive to those
> of us who would rather not pay for our trust infrastructure on a
> server-by-server basis. It is possible that the freeing of PK in the US
> will generate much more software than before, especially if the export
> restrictions were to die a reasonably quick death.
>
> While your points are well worth noting, and RSA is indeed in a very strong
> position as far as extension of trust, until last month, there really
> wasn't a viable alternative to licensed PK exchange, and the
> Hellman-Merkle patent gave rise to questions on if there were *any*
> alternative. With that out of the way, we're in a pretty unique
> situation. In the least, it should be interesting.

Since the RSA patent has only three (3!!) years to run in the US (and unpatented RSA is widely used worldwide), I think it is extremely unlikely that any of the alternative PKI structures has a chance of drawing major investment.

Successful intra-corporate CAs can be based on any PKI model -- but the lesson of Fortezza is that anything other than an RSA-based PKI today exists only in a ghetto, isolated from cert-based PK exchanges with the larger RSA-based PKI economy. The huge installed base of RSA code worldwide -- and the commitment of the major CAs -- and Microsoft, Netscape, IBM and the rest of the S/MIME consortium -- to RSA code they know, use, and trust makes for, IMNSHO, an overwhelming barrier to entry for Diffie-Hellman-based PKI.

Again, in three years, the RSA algorithms are equally free in the US -- and in most of the world, all the alternatives are available at no cost. Here, where developers license RSA -- and there, where they don't -- RSA is the overwhelming choice. (Mostly, I would argue, because that trusted base of 15 years of RSA implementation code now exists.) How RSA captured the market is an interesting study, but not directly relevant here. In an alternative universe, this situation might have been reversed. I don't think the RSA model has any huge intrinsic superiority over the D-H/SHA/3DES model you suggest, but the RSA model has the installed base, the most trusted code base, and the commitment of the major vendors, abroad and in the US. And, PKI (again, the lesson of Fortezza) is a winner-take-all proposition.
Re the IETF: The IESG and some of the IETF security area WGs have a real problem with intellectual property rights in cryptography. Despite an IAB policy to the contrary, they detest them. (I'd love to see a Congressional investigation into the way the IETF has handled proposed standards for encryption in Internet e-mail; but OTOH I'd hate to give that much ammunition to those who argue for a government takeover of Internet governance.) I expect the facts of the market will render their own verdict on the IETF and the passionate anti-RSA crusades among the IETF's volunteer technocrats. The major vendors, I suggest, have already been heard from. Suerte, _Vin Vin McLellan + The Privacy Guild + 53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548 -- <@><@> -- From owner-firewalls-list Sun Nov 2 23:14:06 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA14621; Sun, 2 Nov 1997 23:12:19 -0800 (PST) Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id XAA14604 for ; Sun, 2 Nov 1997 23:12:09 -0800 (PST) Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id CAA18691; Mon, 3 Nov 1997 02:09:32 -0500 (EST) From: Adam Shostack Message-Id: <199711030709.CAA18691@homeport.org> Subject: Re: FIREWALL: Encryption round up? In-Reply-To: from Vin McLellan at "Nov 2, 97 04:20:14 am" To: vin@shore.net (Vin McLellan) Date: Mon, 3 Nov 1997 02:09:31 -0500 (EST) Cc: Firewalls@GreatCircle.COM, Doug.Bridgens@3Dlabs.com, proberts@clark.net X-Mailer: ELM [version 2.4ME+ PL27 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk If the really dangerous aspect of a cryptosystem system is the implementation, and the code must hold up under widespread scrutiny, it can not be hardware. 
On one side, trusting users with crypto code on a general purpose computer whose maker tells you it's not a secure platform is, well, foolish. On the other, trusting hardware is a tough thing. I can play mind games with you to demonstrate that you can't really trust that the hardware was done right without routinely stripping random units down with a microscope. (It's easier with software to demonstrate it correct.) Moti Yung and Adam Young have a wonderful set of papers on Kleptography; the art of making apparently compliant cryptographic black boxes screw their users.

Pursuing a holy grail of hardware or smartcards or standard libraries of tools is, well, pursuing a holy grail. Cryptography is hard, and looks to stay hard for the foreseeable future. The stunningly clever work of Oded Goldreich on the scientific foundations of modern cryptography provides a direction that looks very promising, but the road will not be short.

I think that standard libraries of functions, once we have standard libraries for the basic building blocks, will be more useful than hardware. Hardware is simply not flexible enough. (And, no, we don't have a standard library today. BSAFE is not available outside the US, and is priced out of the reach of most startups who would like to add cryptography as an incidental. It's easier to justify doing something half baked when the price starts at $70k.) SSLeay is looking good, if it were documented and the random numbers were done better.

Adam

Vin McLellan wrote:
| All true, more or less -- but there are a couple of other ways of
| looking at this scene. In the first place, crypto has become, and will
| become more so, the heartland of information security. And the heart of
| the heartland will always be dedicated hardware: chips and secured memory
| modules (which can offer relatively more speed, assurance, and stored-data
| integrity.)
This is the allure of smartcards, for where the user meets the | network, and special-purpose encryptors elsewhere, for high-speed and/or | high-security environments. [...] | All the noise about algorithms and key-lengths tends to obscure the | fact that the really dangerous aspect of applied cryptography is in the | actual implementation of a crypto system. Thus, implementation code which | has held up (a) under widespread scrutiny and (b) in a wide variety of | working systems will always be trusted more than any other crypto system | (new or well-known) which can't match it on those two criteria. -- "It is seldom that liberty of any kind is lost all at once." -Hume From owner-firewalls-list Mon Nov 3 02:14:36 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA29084; Mon, 3 Nov 1997 02:06:48 -0800 (PST) Received: from relay1.shore.net (relay1.shore.net [192.233.85.129]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id CAA29041 for ; Mon, 3 Nov 1997 02:06:34 -0800 (PST) Received: from [198.115.179.81] (vin.shore.net [198.115.179.81]) by relay1.shore.net (8.8.7/8.8.7) with ESMTP id FAA26088; Mon, 3 Nov 1997 05:06:22 -0500 (EST) Message-Id: In-Reply-To: <199711030709.CAA18691@homeport.org> References: from Vin McLellan at "Nov 2, 97 04:20:14 am" Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Mon, 3 Nov 1997 05:07:12 -0500 To: "Adam Shostack" From: Vin McLellan Subject: Re: FIREWALL: Encryption round up? Cc: firewalls@greatcircle.com, "Paul D. Robertson" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Vin McLellan huffed and puffed: >| In the first place, crypto has become, and will >| become more so, the heartland of information security. And the heart of >| the heartland will always be dedicated hardware: chips and secured memory >| modules (which can offer relatively more speed, assurance, and stored-data >| integrity.) 
>| This is the allure of smartcards, for where the user meets the
>| network, and special-purpose encryptors elsewhere, for high-speed and/or
>| high-security environments.
>[...]
>| All the noise about algorithms and key-lengths tends to obscure the
>| fact that the really dangerous aspect of applied cryptography is in the
>| actual implementation of a crypto system. Thus, implementation code which
>| has held up (a) under widespread scrutiny and (b) in a wide variety of
>| working systems will always be trusted more than any other crypto system
>| (new or well-known) which can't match it on those two criteria.

Adam Shostack stepped in with a needle and made his point with a deft poke:

> If the really dangerous aspect of a cryptosystem system is the
> implementation, and the code must hold up under widespread scrutiny,
> it can not be hardware.

Ouch! A jab that is unfortunately not inappropriate. Actually, I was thinking of documentation which could be reviewed by many, while the validation of the documentation against the implementation would be done by a few overly-conscientious, well-funded wizards like yourself, Adam.

Ok. I am uncomfortable with the paradox, but I still don't see any way out of it yet. What HW offers sw can not; and what SW offers hw can not.

> On one side, trusting users with crypto code on a general
> purpose computer whose maker tells you it's not a secure platform is,
> well, foolish. On the other, trusting hardware is a tough thing. I
> can play mind games with you to demonstrate that you can't really
> trust that the hardware was done right without routinely stripping
> random units down with a microscope.

So the choice is to be either foolish or tough & trusting? Sounds about right....
I've been saying for years that folks will never fully appreciate the elegant and wholly-obvious simplicity of hand-held authentication tokens (which have no circuit connection to a cpu or a network) until we start wondering what -- besides what it is supposed to do -- our smartcard might be doing. (Still, I can't see memorizing yard-long primes, nor keeping the Keys to the Kingdom in freely-accessible memory... so I already carry a couple of smartcards in addition to my SecurID.)

> Pursuing a holy grail of hardware or smartcards or standard
> libraries of tools is, well, pursuing a holy grail. Cryptography is
> hard, and looks to stay hard for the foreseeable future. The
> stunningly clever work of Oded Goldreich on the scientific foundations
> of modern cryptography provides a direction that looks very promising,
> but the road will not be short.

As is often the case, Adam, your post has sent me off to the library. Thank you. But, for all the vaunted "flexibility" and easy validation you find in wholly-software crypto -- do you really think you will escape depending on hardware, given _its_ meritorious advantages???

> I think that standard libraries of functions, once we have
> standard libraries for the basic building blocks, will be more useful
> than hardware. Hardware is simply not flexible enough. (And, no, we
> don't have a standard library today. BSAFE is not available outside
> the US, and is priced out of the reach of most startups who would like
> to add cryptography as an incidental. It's easier to justify doing
> something half baked when the price starts at $70k.) SSLeay
> is looking good, if it were documented and the random numbers were
> done better.

Good argument. I don't know anything about the pricing of B-safe licenses.
(Although I'll always remember that Phil Zimmerman rejected an RSA PKC license at $5K to put PGP into freeware circulation;-) OTOH, B-safe now includes not only RSAPKC and the full shelf of Ron Rivest's prodigious creativity (MD2, MD5, RC2, RC4, RC5) but SHA-1, Diffie-Hellman, Bloom-Shamir, DSA/DSS, DES, 3DES, DESX, etc.) Everything but the kitchen sink; for UNIX, WIN, and Mac platforms. I've heard rumors, however, that RSADSI was planning to eventually license B-safe module-by-module. If and when that happens, I agree it could open the B-safe library to a much broader range of potential licensees. You could visit your Congressman about the export issues -- but personally, I don't think the NSA will let go of US policy until it becomes apparent to everyone (even pols) that 21st Century e-commerce can't develop on a party line. Suerte, _Vin Vin McLellan + The Privacy Guild + 53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548 -- <@><@> -- From owner-firewalls-list Mon Nov 3 03:29:07 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id DAA08443; Mon, 3 Nov 1997 03:26:55 -0800 (PST) Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id DAA08430 for ; Mon, 3 Nov 1997 03:26:49 -0800 (PST) Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id GAA19213; Mon, 3 Nov 1997 06:23:53 -0500 (EST) From: Adam Shostack Message-Id: <199711031123.GAA19213@homeport.org> Subject: Re: FIREWALL: Encryption round up? 
In-Reply-To: from Vin McLellan at "Nov 3, 97 05:07:12 am" To: vin@shore.net (Vin McLellan) Date: Mon, 3 Nov 1997 06:23:53 -0500 (EST) Cc: adam@homeport.org, firewalls@greatcircle.com, proberts@clark.net X-Mailer: ELM [version 2.4ME+ PL27 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Vin McLellan wrote:
| > If the really dangerous aspect of a cryptosystem system is the
| > implementation, and the code must hold up under widespread scrutiny,
| > it can not be hardware.
|
| Ok. I am uncomfortable with the paradox, but I still don't see any
| way out of it yet. What HW offers sw can not; and what SW offers hw can not.

Indeed. My suspicion is that crypto-hardware will go the way of the supercomputer. While it offers many advantages, the price performance is not there to justify it, which will push the price up. Positive feedback loop. At the same time, the capabilities of a basic intel box running a free unix and acting as a crypto-peripheral are growing. The Libretto (from Toshiba) is a p-75 with 32 mb of ram that's about the size of the Newton. I'd be surprised if Toshiba would refuse an offer to buy just the motherboards in the 10,00 unit range.

There is one area where co-processors will survive for a while, and that is exponentiation. NCipher has some very cool boxes that can do about 300 RSA signatures per second. This blows away general purpose computers. They incidentally offer FIPS 140 level 2 protection for your keys, but I couldn't sell management on that. (Even when management knows *and pays* the cost of doing the right thing without FIPS 140 hardware.) Speed I can sell to businesses.

As far as smartcards for the home user, I don't see it. Verifone may decide to do SET for credit cards, which means that they will be deployed, but I'll save my rant on the two types of smartcards for another day.
Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From owner-firewalls-list Mon Nov 3 05:44:03 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA15029; Mon, 3 Nov 1997 05:28:11 -0800 (PST) Received: from maddie.atlantic.com (maddie.atlantic.com [198.252.200.3]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id FAA15013 for ; Mon, 3 Nov 1997 05:28:04 -0800 (PST) Received: (from pokey@localhost) by maddie.atlantic.com (8.8.5/8.7.3) id IAA24891; Mon, 3 Nov 1997 08:27:45 -0500 From: Rick Romkey Message-Id: <199711031327.IAA24891@maddie.atlantic.com> Subject: Re: Firewall-1 on Windows NT Platform To: fw1@cmbchina.com (fw1) Date: Mon, 3 Nov 1997 08:27:44 -0500 (EST) Cc: Firewalls@GreatCircle.COM In-Reply-To: <345D2610.F687B011@cmbchina.com> from "fw1" at Nov 3, 97 09:17:04 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > Hi Everybody: > Can anybody give me EVAL SERIAL NUMBER of Firewal-1 on Windows NT > 4.0 platform? > Thanks for your help! > Eval licenses are now being distributed by resellers who can aquire a "bank" of them from CheckPoint. If you require a TEMPORARY license, contact an authorized CheckPoint reseller. 
-Rick ---------------------------------------------------------------------------- Rick E Romkey | A T L A N T I C | Internet pokey@atlantic.com | Computing Technology Corporation | Specialists (860) 667-9596 | http://www.atlantic.com/ | -----------------------------------------------------------------------------

From owner-firewalls-list Mon Nov 3 06:29:19 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA21027; Mon, 3 Nov 1997 06:27:04 -0800 (PST) Received: from corinto.argo.es (corinto.argo.es [194.235.99.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id GAA20950 for ; Mon, 3 Nov 1997 06:26:45 -0800 (PST) Received: from argo.es (jcea@castor.argo.es [194.235.99.4]) by corinto.argo.es (8.8.5/8.8.5) with ESMTP id PAA14299; Mon, 3 Nov 1997 15:24:28 +0100 (MET) Message-ID: <345DFB0F.DEE80C86@argo.es> Date: Mon, 03 Nov 1997 15:25:51 -0100 From: "Jesús Cea Avión" Reply-To: jcea@argo.es Organization: Argo Redes y Servicios Telematicos, S.A. X-Mailer: Mozilla 4.03 [en] (Win95; I) MIME-Version: 1.0 To: Don Lewis CC: firewalls@GreatCircle.COM, hacking@argo.es Subject: Re: "SYN" protection product leads References: <199710291014.CAA27966@salsa.gv.tsc.tdk.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Don Lewis wrote:
> } * Linux: No backlog. No memory. When a Syn arrives, a hash is
> } calculated to generate a unique ISN. The packet is replied using
> } that value (cookie) and silently dropped. If the original syn was
> } faked, nothing is done. If the syn was real, the remote computer
> } will send us an ACK with the correct values and connection is
> } established. The ideal solution if faking hashes is difficult
> } (cryptography rules, of course).
>
> This is somewhat risky if you have listening sockets in the same
> port range that is used for outgoing connections and you are
> protecting the listening sockets with something like a Cisco
> "established" filter rule. This type of filter protects listening
> connections by blocking any initial incoming SYN packets. If an
> outsider is able to fake the hash, he can send an initial ACK packet
> which would look like the final packet in the three way connection
> handshake. Because the inside host doesn't keep any state until the
> connection is established, it would be fooled into thinking it had
> gotten the initial SYN and sent the reply, so it would set up the
> connection. The packet filter would not block the
> initial incoming packet, since it would have an ACK and not have a
> SYN, making the filter think the packet was a reply to an established
> outgoing connection.

Of course, all the security, in this scheme, comes from the HASH. If the hash isn't secure or isn't implemented with care, you are **doomed**. In fact you can reseed the hash every five minutes, for example, if you are paranoid enough.

> You should be safe with a stateful packet filter that doesn't open the
> path for incoming packets unless it has seen an outgoing SYN packet.

Yes, you are right. Only enable incoming packets if (apart from SYN packets):

a) You send a SYN. So it's an outgoing connection.
b) You send a SYN+ACK. It's the second step in the handshake for an incoming connection.

Nevertheless, my idea was to implement the SYN cookie scheme at the firewall, in order to protect the DMZ from external SYN flooding against badly behaved hosts (read: Windows machines :) and to avoid sequence number prediction. An interesting addition to SPF, isn't it? What do you think?
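The exchange above (Don Lewis's forged-ACK attack against an "established" rule, the reseed idea, and the "only after an outgoing SYN or SYN+ACK" filter) as an added worked example; this is not code from the thread or from any kernel or firewall product. The cookie layout (5-bit time counter, 3-bit MSS index, 24-bit keyed hash), the MSS table, the 64-second counter tick and the two-secret reseed are assumptions chosen for illustration, simplified from what real SYN-cookie implementations pack into the ISN.

```python
"""SYN cookies with a keyed, periodically reseeded hash, plus the stateful
filter rule from the thread.  Added example, not list or kernel code; the
cookie layout is a simplified, hypothetical one."""
import hashlib
import hmac
import os
import struct
import time

COUNTER_PERIOD = 64                    # seconds per time-counter tick (assumed)
MSS_TABLE = (536, 1220, 1440, 1460)    # hypothetical MSS buckets, 3-bit index
HASH_BITS = 24
HASH_MASK = (1 << HASH_BITS) - 1


class SynCookieServer:
    """Stateless listener: the ISN in our SYN+ACK encodes
    counter (5 bits) | MSS index (3 bits) | HMAC truncated to 24 bits,
    so the returning ACK proves the peer saw our SYN+ACK; no backlog entry."""

    def __init__(self, secret=None, clock=time.time):
        # Current and previous secret: a reseed must not kill cookies in flight.
        self._secrets = [secret or os.urandom(16), None]
        self._clock = clock

    def reseed(self):
        """Rotate the hash secret (the 'reseed every five minutes' idea)."""
        self._secrets = [os.urandom(16), self._secrets[0]]

    def _counter(self):
        return int(self._clock()) // COUNTER_PERIOD

    @staticmethod
    def _mac(secret, saddr, daddr, sport, dport, counter, mss_idx):
        msg = struct.pack("!4s4sHHIB", saddr, daddr, sport, dport, counter, mss_idx)
        digest = hmac.new(secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big") & HASH_MASK

    def make_cookie(self, saddr, daddr, sport, dport, client_mss):
        """ISN for the SYN+ACK; the SYN itself is dropped and nothing is stored."""
        mss_idx = 0
        for i, mss in enumerate(MSS_TABLE):
            if mss <= client_mss:
                mss_idx = i
        counter = self._counter()
        mac = self._mac(self._secrets[0], saddr, daddr, sport, dport, counter, mss_idx)
        return ((counter & 0x1F) << 27) | (mss_idx << 24) | mac

    def check_ack(self, saddr, daddr, sport, dport, ack_num):
        """Validate the handshake's third packet.  Returns the MSS to use,
        or None for a stale, forged or bit-flipped cookie."""
        cookie = (ack_num - 1) & 0xFFFFFFFF
        counter_low, mss_idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & HASH_MASK
        now = self._counter()
        for counter in (now, max(now - 1, 0)):    # tolerate one tick of delay
            if (counter & 0x1F) != counter_low:
                continue
            for secret in self._secrets:
                if secret is None:
                    continue
                want = self._mac(secret, saddr, daddr, sport, dport, counter, mss_idx)
                if hmac.compare_digest(want.to_bytes(3, "big"), mac.to_bytes(3, "big")):
                    return MSS_TABLE[mss_idx]
        return None


def established_allowed(syn, ack):
    """Cisco-style 'established' rule: any inbound segment with ACK set and
    SYN clear passes, so a forged bare ACK reaches the cookie code unfiltered."""
    return ack and not syn


class StatefulFilter:
    """Pass inbound non-SYN segments only for flows where the inside host has
    itself sent a SYN (outbound connection) or a SYN+ACK (accepted inbound)."""

    def __init__(self, open_ports=()):
        self._open_ports = set(open_ports)
        self._flows = set()            # (inside_ip, inside_port, outside_ip, outside_port)

    def outbound(self, src, sport, dst, dport, syn, ack):
        if syn:                        # SYN or SYN+ACK leaving the inside
            self._flows.add((src, sport, dst, dport))

    def inbound_allowed(self, src, sport, dst, dport, syn, ack):
        if syn and not ack:            # new connection: only to published listeners
            return dport in self._open_ports
        return (dst, dport, src, sport) in self._flows
```

A bare inbound ACK carrying a guessed 24-bit hash passes `established_allowed` (ACK set, SYN clear) and, with the hash guessed right, would be accepted by `check_ack` exactly as the quoted message warns; `StatefulFilter` drops it because no SYN+ACK ever left the inside for that 4-tuple. Keeping the previous secret for one window after `reseed()` is what lets a frequent reseed coexist with handshakes already in flight.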
-- Jesus Cea Avion jcea@argo.es http://www.argo.es/~jcea/ PGP Key Available at KeyServ "Things are not so easy" "My name is Dump, Core Dump" "El amor es poner tu felicidad en la felicidad de otro" ("Love is placing your happiness in the happiness of another") - Leibnitz

From owner-firewalls-list Mon Nov 3 08:38:49 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA28816; Mon, 3 Nov 1997 08:06:59 -0800 (PST) Received: from sla-nt2.sla.com (mail1.sla.com [207.153.168.35]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id IAA28809 for ; Mon, 3 Nov 1997 08:06:54 -0800 (PST) Received: by SLA_NT2 with Internet Mail Service (5.0.1457.3) id ; Mon, 3 Nov 1997 08:04:05 -0800 Message-ID: From: "Stackpole, Bill" To: "'Tim Lebrun'" , firewalls@GreatCircle.COM Subject: RE: PPTP configuration Date: Mon, 3 Nov 1997 08:04:03 -0800 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1457.3) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

PPTP only works on NT so your remote users will have to at least be running 4.0 workstation. My experience hasn't been good with this protocol although I haven't tried the implementation. If your ISP doesn't use fixed IP addresses then you will have to open up PPTP to the world, which means the world can attach to your internal RAS server. The other problem I ran into was the inability to access resources on the PPTP (RAS) server itself. Seems that NT server couldn't route between the tunnel IP address and its own IP. Again this may be something that Steelhead fixed.

> -----Original Message-----
> From: Tim Lebrun [SMTP:tlebrun@internetmci.com]
> Sent: Friday, October 31, 1997 2:20 PM
> To: firewalls@GreatCircle.COM; ntsecurity@iss.net
> Subject: PPTP configuration
>
> I would like some expert opinions on
> the setup that we are looking at
> implementing.
> We want to eventually get > rid of our dial-in rack and allow > users to enter our network through > the internet. So we have a T1 > internet connection run which (from > the outside) first, goes through a > Cisco 7000 router, then through a > Gauntlet firewall, and then the > users get logged on to a NT Ras > server using PPTP. And from there > the users can go and do anything on > the network, ie: Mail, Novell, > Tn3270, Telnet. > My Question is - what are the > possible problems with kind of > setup? > From owner-firewalls-list Mon Nov 3 08:44:24 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA00295; Mon, 3 Nov 1997 08:33:52 -0800 (PST) Received: from gateway.adidasus.com (spfrw001.adidasus.com [208.146.114.30]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id IAA00285 for ; Mon, 3 Nov 1997 08:33:46 -0800 (PST) Received: by gateway.adidasus.com; id LAA19125; Mon, 3 Nov 1997 11:33:34 -0500 (EST) Received: from unknown(10.75.10.7) by gateway.adidasus.com via smap (4.0a) id xma019118; Mon, 3 Nov 97 11:33:22 -0500 Message-ID: <345DFCFB.5FE664FC@internetmci.com> Date: Mon, 03 Nov 1997 11:34:03 -0500 From: Tim Lebrun X-Mailer: Mozilla 4.03 [en] (Win95; U) MIME-Version: 1.0 To: "Stackpole, Bill" CC: firewalls@GreatCircle.COM Subject: Re: PPTP configuration References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > >>PPTP only works on NT so your remote users will have to at least be > >>running 4.0 workstation. > > Actually M$ just released a Dialup Networking upgrade which allows 95 to > do PPTP. > >>My experience hasn't been good with this protocol although I haven't > >>tried the implementation. > >>If your ISP doesn't used fixed IP addresses then you will have to open > >>up PPTP to the world which means the world can attach your internal RAS > > >>server. 
> The other problem I ran into was the inability to access resources on the PPTP (RAS) server itself. Seems that NT server couldn't route between the tunnel IP address and its own IP. Again, this may be something that Steelhead fixed.
>
> > -----Original Message-----
> > From: Tim Lebrun [SMTP:tlebrun@internetmci.com]
> > Sent: Friday, October 31, 1997 2:20 PM
> > To: firewalls@GreatCircle.COM; ntsecurity@iss.net
> > Subject: PPTP configuration
> >
> > I would like some expert opinions on the setup that we are looking at implementing. We want to eventually get rid of our dial-in rack and allow users to enter our network through the internet. So we have a T1 internet connection run which (from the outside) first goes through a Cisco 7000 router, then through a Gauntlet firewall, and then the users get logged on to an NT RAS server using PPTP. And from there the users can go and do anything on the network, i.e. Mail, Novell, Tn3270, Telnet.
> >
> > My question is: what are the possible problems with this kind of setup?
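As an added example (not code from this thread), here is the packet-filter decision a screening router in front of the RAS server would have to make, modelled in Python: PPTP's control channel is TCP port 1723 and its tunnelled PPP frames travel in GRE (IP protocol 47), as later replies in this thread spell out. The RAS address, the fixed client addresses and the packets are constructed values; with no client list the rule is open to the whole Internet, which is Bill's point about ISPs without fixed addresses.

```python
"""Model of the filter rules a PPTP RAS server needs at a screening router.

Added example, not from the thread.  PPTP needs two flows through the filter:
the control channel (TCP port 1723 on the RAS) and the data channel (GRE,
IP protocol 47, carrying the tunnelled PPP frames).  Everything else aimed
at the RAS from outside is dropped.
"""
import ipaddress
import struct

PPTP_CONTROL_PORT = 1723   # PPTP control channel (TCP)
IPPROTO_TCP = 6
IPPROTO_GRE = 47           # GRE, 0x2F: carries the tunnelled PPP frames

# Constructed addresses for the example (RFC 5737 documentation ranges).
RAS_IP = "192.0.2.10"                              # hypothetical NT RAS server
FIXED_CLIENTS = {"198.51.100.7", "198.51.100.8"}   # hypothetical fixed-IP remote users


def build_ipv4(src, dst, proto, payload=b""):
    """Build a minimal IPv4 header (no options, checksum left 0) plus payload."""
    hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return hdr + payload


def build_tcp(sport, dport):
    """Minimal 20-byte TCP header (SYN, no options); enough for port inspection."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)


def parse_packet(pkt):
    """Extract src, dst, protocol and (for TCP) ports; None if too short to classify."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4        # header length in bytes, options included
    if ihl < 20 or len(pkt) < ihl:
        return None
    proto = pkt[9]
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    sport = dport = None
    if proto == IPPROTO_TCP:
        if len(pkt) < ihl + 4:
            return None              # TCP header truncated: ports not visible
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport}


def pptp_filter(pkt, ras_ip=RAS_IP, allowed_clients=None):
    """Return (verdict, reason) for one packet.

    Permitted: TCP to port 1723 on the RAS (and replies from it) and GRE in
    either direction between the RAS and a remote client.  With
    allowed_clients=None the rule is open to any Internet address.
    """
    p = parse_packet(pkt)
    if p is None:
        return "DENY", "unparseable or truncated packet"
    if p["dst"] == ras_ip:
        peer, to_ras = p["src"], True
    elif p["src"] == ras_ip:
        peer, to_ras = p["dst"], False
    else:
        return "DENY", "neither endpoint is the RAS server"
    if allowed_clients is not None and peer not in allowed_clients:
        return "DENY", f"{peer} is not a registered remote client"
    if p["proto"] == IPPROTO_GRE:
        return "ALLOW", "GRE tunnel data"
    if p["proto"] == IPPROTO_TCP:
        port = p["dport"] if to_ras else p["sport"]
        if port == PPTP_CONTROL_PORT:
            return "ALLOW", "PPTP control channel"
        return "DENY", f"TCP port {port} is not the PPTP control port"
    return "DENY", f"IP protocol {p['proto']} is not part of PPTP"


if __name__ == "__main__":
    # Constructed sample packets: a control-channel SYN, a GRE packet from an
    # unknown host, and a stray telnet attempt against the RAS itself.
    samples = {
        "control from fixed client": build_ipv4("198.51.100.7", RAS_IP, IPPROTO_TCP, build_tcp(40001, 1723)),
        "GRE from unknown host": build_ipv4("203.0.113.5", RAS_IP, IPPROTO_GRE, b"\x30\x01\x88\x0b"),
        "telnet to RAS": build_ipv4("198.51.100.7", RAS_IP, IPPROTO_TCP, build_tcp(40002, 23)),
    }
    for name, pkt in samples.items():
        print(f"{name}: open={pptp_filter(pkt)} fixed={pptp_filter(pkt, allowed_clients=FIXED_CLIENTS)}")
```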
From: "linus"
To: "Arthur Young", "'Rabid Wombat'", "Christopher Hornor"
Subject: Re: (no subject)
Date: Mon, 3 Nov 1997 09:44:01 -0800

You are indeed wise and with tao to suggest most powerful firewall of all, master! I am in awe of your network ninja skill; you honor our craft!

----------
> From: Arthur Young
> To: 'Rabid Wombat'; Christopher Hornor
> Cc: firewalls@GreatCircle.COM
> Subject: RE: (no subject)
> Date: Tuesday, October 28, 1997 7:03 AM
>
> Isn't that hardware?
>
> -----Original Message-----
> From: Rabid Wombat [SMTP:wombat@mcfeely.bsfs.org]
> Sent: Tuesday, October 28, 1997 9:24 PM
> To: Christopher Hornor
> Cc: firewalls@GreatCircle.COM
> Subject: Re: (no subject)
>
> Purchase honorable wirecutters. Implement between router and csu/dsu.
>
> On Tue, 28 Oct 1997, Christopher Hornor wrote:
>
> > I am looking for information regarding your most powerful firewall and filter software. Do you have any suggestions? If possible in Japanese.
> >
> > Thank you,
> > Chris Hornor


From: Leonard Miyata
To: Russ
Cc: "'Jason Zions'", Russ, firewalls@GreatCircle.COM, ntsecurity@iss.net
Subject: RE: [NTSEC] RE: PPTP configuration
Date: Mon, 3 Nov 1997 10:01:07 -0800 (PST)

Somewhere on the Microsoft web site (security section?) they have an article on how to turn off (via the registry) the LAN Manager hash for Win NT 4.0. It's a pity Microsoft didn't port the full NT PPTP implementation as part of the Dial-Up 1.2 upgrade. One would hope Microsoft won't make the same mistake with the KERBEROS port for NT 5.0 and offer support in the Memphis release....

Personal Opinions provided by Leonard Miyata aka leonard@geminisecure.com

On Sun, 2 Nov 1997, Russ wrote:

> > So there's no way to force the NT server to refuse LanMan hashes? That'd be the easiest and most obvious way to avoid the issue; must mean that it's impossible. :-(
>
> I honestly don't think it's a matter of being impossible, as surely it isn't. One thing I would look for, however, is just whether or not all NT functions that involve hashes are done using NT hashes only (this would be a logical extrapolation of their statement that LM hashes are only removed if enforced on both the server *and* the client).
>
> I do think it's a matter that to do so would prevent the use of Win95, and I believe MS feels this setting would cause too many support issues. It would also glaringly focus attention on the insecurities of Win95 (not that they try and say it is secure, just that they probably don't want it pointed out so vividly).
>
> Humble opinions all of my own.
>
> Cheers,
> Russ


From: Steve Gaarder
To: Tim Lebrun
Cc: firewalls@GreatCircle.COM
Subject: Re: PPTP configuration
Date: Mon, 3 Nov 1997 13:35:13 -0500 (EST)

Tim Lebrun writes:

> From: Tim Lebrun [SMTP:tlebrun@internetmci.com]
> Sent: Friday, October 31, 1997 2:20 PM
> To: firewalls@GreatCircle.COM; ntsecurity@iss.net
> Subject: PPTP configuration
>
> So we have a T1 internet connection run which (from the outside) first goes through a Cisco 7000 router, then through a Gauntlet firewall, and then the users get logged on to an NT RAS server
> using PPTP.

You may have a problem getting through your Gauntlet, since it is an application gateway. PPTP uses neither TCP nor UDP, but one of the lesser-known protocols in the IP family (I forget just which one), so a TCP "plug gateway" will not do the trick. You would need a proxy specifically designed for PPTP. I don't know of such a beast; does anyone?

Steve Gaarder
Network and Systems Administrator
gaarder@cmold.com
C-MOLD, Ithaca, N.Y., USA


From: Max Vision
To: Steve Gaarder
Cc: Tim Lebrun, firewalls@GreatCircle.COM
Subject: Re: PPTP configuration
Date: Mon, 3 Nov 1997 12:37:38 -0800 (PST)

Correct me if I'm wrong, but PPTP uses TCP 1723.

Max

On Mon, 3 Nov 1997, Steve Gaarder wrote:

> Tim Lebrun writes:
>
> > From: Tim Lebrun [SMTP:tlebrun@internetmci.com]
> > Sent: Friday, October 31, 1997 2:20 PM
> > To: firewalls@GreatCircle.COM; ntsecurity@iss.net
> > Subject: PPTP configuration
> >
> > So we have a T1 internet connection run which (from the outside) first goes through a Cisco 7000 router, then through a Gauntlet firewall, and then the users get logged on to an NT RAS server using PPTP.
>
> You may have a problem getting through your Gauntlet, since it is an application gateway. PPTP uses neither TCP nor UDP, but one of the lesser-known protocols in the IP family (I forget just which one), so a TCP "plug gateway" will not do the trick. You would need a proxy specifically designed for PPTP. I don't know of such a beast; does anyone?
>
> Steve Gaarder   Network and Systems Administrator
> gaarder@cmold.com   C-MOLD, Ithaca, N.Y., USA


From: G2 Security Division
To: "'Cimmino, Marcos'", "'Olivier@teamwork.co.za'", "'winspace@geko.net.au'"
Cc: "'firewalls@greatcircle.com'"
Subject: RE: SCO how secure ?
Date: Mon, 3 Nov 1997 13:26:30 -0800

The federal government has a page with the Trusted Product information. The URL is http://www.radium.ncsc.mil/tpep/epl/index.html. The page has links to the Rainbow series; the Orange Book drives the trusted computer base ratings.

-----Original Message-----
From: Cimmino, Marcos [SMTP:MCimmino@uniFON.com.ar]
Sent: Monday, October 27, 1997 6:47 AM
To: 'Olivier@teamwork.co.za'; 'winspace@geko.net.au'
Cc: 'firewalls@greatcircle.com'
Subject: RE: SCO how secure ?

Hello to everybody

> Can somebody please tell me where I can find the Trusted Product Evaluation Program?
Thank you very much

> ----------
> From: Norman Widders [SMTP:winspace@geko.net.au]
> Sent: Monday, 27 October 1997 10:18
> To: Olivier@teamwork.co.za
> Cc: firewalls@greatcircle.com
> Subject: SCO how secure ?
>
> +---------------------------------------------------------------------------
> | On or about Mon, 27 Oct 1997 06:46:02 +0200,
> | Wim Olivier wrote:
> +---------------------------------------------------------------------------
>
> > IT IS C2 COMPLIANT.
>        ^^^^^
>
> Where is one single document that shows that SCO has passed the 'Trusted Product Evaluation Program'?
>
> Based upon SCO's own documents they said 'it meets C2 requirements'; this is not the same as being on the Trusted Product Evaluation Program.
>
> Please share any documentation that you know of with _all_ of us if you know something that proves SCO is C2... Not that C2 is worth much... imho
>
> --
> Yours faithfully, Norman Widders.
>
> +-----------------------------------------------------------
> | winspace@geko.net.au
> | www.geocities.com/researchtriangle/4431
> | Paladin Corporation Pty. Ltd.
> +-----------------------------------------------------------


From: Russ
To: "'Max Vision'", Steve Gaarder
Cc: Tim Lebrun, firewalls@GreatCircle.COM
Subject: RE: PPTP configuration
Date: Mon, 3 Nov 1997 17:15:35 -0500

> Correct me if I'm wrong, but PPTP uses TCP 1723.
> Max

Ok Max, I'll correct you, 'cause you're wrong...;-]

Actually, the PPTP control channel uses TCP/UDP 1723 (in practice it seems to only use TCP). However, the "payload", or actual useful part of the PPTP stream, is held within IP 47, GRE, the Generic Routing Encapsulation protocol. You're tunneling PPP within IP, hence the need for an encapsulated channel. The 1723 channel controls the flow of the PPTP session.

Common mistake.
Cheers,
Russ


From: Bruce Byrd
To: firewalls@GreatCircle.COM
Subject: Re: PPTP configuration
Date: Mon, 03 Nov 1997 14:35:16 -0800

From the Network TeleSystems PPTP FAQ, www.nts.com (NTS sells a Mac and Win 3.1 PPTP client):

Q: How do I configure my company's firewall or network traffic filters to allow me to tunnel to our NT RAS from outside of our network?

A: Configure your firewall or filters to pass through all Generic Routing Encapsulation (GRE, which is IP protocol 0x2F) packets and TCP/IP traffic to and from port 1723 on your NT RAS.

Bruce

At 12:37 PM 11/3/97 -0800, Max Vision wrote:
> Correct me if I'm wrong, but PPTP uses TCP 1723.
> Max

-----------------------------------------------------------
Bruce Byrd
Internet Devices Inc.
www.InternetDevices.com
"Our new Fort Knox Firewall Device provides a turnkey security solution for small and medium sized companies"


From: "Stackpole, Bill"
To: "'Max Vision'", Steve Gaarder
Cc: Tim Lebrun, firewalls@GreatCircle.COM
Subject: RE: PPTP configuration
Date: Mon, 3 Nov 1997 14:39:02 -0800

That's correct, but the protocol is type 47, which is not TCP or UDP, so some firewall proxies will not support it.

> -----Original Message-----
> From: Max Vision [SMTP:vision@mpath.com]
> Sent: Monday, November 03, 1997 12:38 PM
> To: Steve Gaarder
> Cc: Tim Lebrun; firewalls@GreatCircle.COM
> Subject: Re: PPTP configuration
>
> Correct me if I'm wrong, but PPTP uses TCP 1723.
> Max
>
> On Mon, 3 Nov 1997, Steve Gaarder wrote:
>
> > Tim Lebrun writes:
> >
> > > From: Tim Lebrun [SMTP:tlebrun@internetmci.com]
> > > Sent: Friday, October 31, 1997 2:20 PM
> > > To: firewalls@GreatCircle.COM; ntsecurity@iss.net
> > > Subject: PPTP configuration
> > >
> > > So we have a T1 internet connection run which (from the outside) first goes through a Cisco 7000 router, then through a Gauntlet firewall, and then the users get logged on to an NT RAS server using PPTP.
> >
> > You may have a problem getting through your Gauntlet, since it is an application gateway.
> > PPTP uses neither TCP nor UDP, but one of the lesser-known protocols in the IP family (I forget just which one), so a TCP "plug gateway" will not do the trick. You would need a proxy specifically designed for PPTP. I don't know of such a beast; does anyone?
> >
> > Steve Gaarder   Network and Systems Administrator
> > gaarder@cmold.com   C-MOLD, Ithaca, N.Y., USA


From: Rabid Wombat
To: linus
Cc: Arthur Young, Christopher Hornor, firewalls@GreatCircle.COM
Subject: Re: (no subject)
Date: Mon, 3 Nov 1997 19:05:22 -0500 (EST)

Actually, all credit for the hardware design goes to Marcus Ranum. He used to have a web page up with a picture and installation instructions, but I think he took it down to make room for his B&W photos.

-r.w.

The ancient masters were subtle, mysterious, profound, responsive. The depth of their knowledge is unfathomable.

On Mon, 3 Nov 1997, linus wrote:

> You are indeed wise and with tao to suggest most powerful firewall of all, master! I am in awe of your network ninja skill; you honor our craft!
>
> ----------
> > From: Arthur Young
> > To: 'Rabid Wombat'; Christopher Hornor
> > Cc: firewalls@GreatCircle.COM
> > Subject: RE: (no subject)
> > Date: Tuesday, October 28, 1997 7:03 AM
> >
> > Isn't that hardware?
> >
> > -----Original Message-----
> > From: Rabid Wombat [SMTP:wombat@mcfeely.bsfs.org]
> > Sent: Tuesday, October 28, 1997 9:24 PM
> > To: Christopher Hornor
> > Cc: firewalls@GreatCircle.COM
> > Subject: Re: (no subject)
> >
> > Purchase honorable wirecutters. Implement between router and csu/dsu.
> >
> > On Tue, 28 Oct 1997, Christopher Hornor wrote:
> >
> > > I am looking for information regarding your most powerful firewall and filter software. Do you have any suggestions? If possible in Japanese.
> > >
> > > Thank you,
> > > Chris Hornor


From: Vin McLellan
To: "Steve G. Steinberg"
Cc: firewalls@greatcircle.com
Subject: Re: FIREWALL: Encryption round up?
Date: Mon, 3 Nov 1997 20:57:53 -0500

Vin McLellan opined:

> > Again, in three years, the RSA algorithms are equally free in the US -- and in most of the world, all the alternatives are available at no cost. Here, where developers license RSA -- and there, where they don't -- RSA is the overwhelming choice. (Mostly, I would argue, because that trusted base of 15 years of RSA implementation code now exists.)

Steve G. Steinberg responded:

> Hmm, are you explicitly not talking about elliptical curve here?
> Seems like that because of the low-computation/memory requirements of ECC, Certicom has had an awful lot of luck getting wireless and smartcard manufacturers to sign deals with them. Motorola has already announced that all their 2-way pagers will use ECC, which means, given expected sales, there will be _many_ more devices with ECC than with RSA in 5 years. And if, as you say, winner takes all in PKI, that would seem to say that ECC will eventually be able to displace RSA on the desktop.
>
> What am I missing?

EC is an elegant technology and Certicom is a neat company with a lot of talented people. The Motorola pager deal is certainly not the last occasion where the demands of a specific application will lead developers to choose either EC or D-H/DSA. EC's apparent advantages -- smaller keys, less communication, less storage -- were particularly relevant to the pager deal, and EC's relatively slow calculation of digital signatures was maybe not so important.

RSA's major advantage against all alternatives, as I noted earlier, lies in its extensive trusted code base (from RSADSI, as well as from numerous independent sources, particularly in Europe) and the 15 years it has been the subject of intensive study and research. By contrast, major implementations of EC are relatively recent. The recent and unexpected discovery of weaknesses in some classes of ECs by Nigel Smart, of Hewlett Packard Labs, only reminded us that the strengths and weaknesses of EC are still being researched, documented, and quantified. (I note, however, that the new version of RSA's B-Safe cryptographic toolkit will include a variety of EC modules.)

Several of the industry's leading cryptographers -- e.g., Arjen Lenstra of Citibank, Taher ElGamal of Netscape, and Michael Wiener of Entrust -- have lately echoed the (perhaps less disinterested;-) warnings of Ron Rivest, Len Adleman, and Claus Schnorr that EC cryptosystems, while potentially very interesting, are not yet quite ready for prime time.
Wiener, the chief cryptographer at Entrust Technologies, recently offered what I thought was a fascinating (and, from a cryptographer, unusually straightforward) comment on Entrust's choice of RSA's PKC as the foundation for its PKI product line. Wiener highlighted RSA's "very fast" digital signature verification and public-key encryption as major technical advantages over all competitors -- specifically including EC. (Dr. Wiener's comments may also explain why RSA-based S/MIME was so rapidly and widely adopted by the leading e-mail vendors -- while the IETF's security cadre dithers about, bitching about the illegitimacy of patents on crypto systems, and trying to score points for D-H based PGP.)

Said Wiener:

"The competitors to RSA are systems based on the discrete logarithm problem, such as DSA, Diffie-Hellman, and the elliptic curve variants of DSA and Diffie-Hellman. These schemes are competitive with RSA on speed of digital signature generation and private-key decryption, but are up to two orders of magnitude slower at digital signature verification and public-key encryption.

"The importance of the speed of signature verification and public-key encryption can be seen from the way that cryptography is used in a PKI. Consider the example of secure email. An email is signed just once, but that signature must be verified by each recipient. Certificates and revocation lists are signed once by a Certification Authority (CA), but are typically verified many thousands of times.

"A full-scale PKI will have multiple cross-certified CAs requiring end user software to verify multiple certificates and revocation lists to complete a single transaction. When encrypting email, the symmetric key used to encrypt the email contents must be individually encrypted for each recipient, so that many public-key encryptions must be performed to send a single email.
These operations are quite fast when using RSA, but are much slower when using DSA, Diffie-Hellman, or their elliptic curve variants.

"The main advantage that elliptic curve cryptography has over other public-key algorithms is that its digital signatures and encrypted symmetric keys are shorter. This is not important for most applications on PCs, but there are other applications where this can be important. Elliptic curve operations can also be implemented fairly compactly in custom silicon.

"Public-Key Infrastructures should be flexible enough to handle the full range of popular public-key algorithms available. Currently, RSA is the most widely used, and this is likely to continue to be the case due to its advantages of fast digital signature verification and fast public-key encryption."

/end Wiener quote/

PKC-threatening "breakthroughs" in mathematics are, by definition, unpredictable; and some applications can very effectively leverage particular aspects of EC, D-H, or the DSA. Withal, it makes sense to open up the various PKC standards to all the options and let experience guide us. (We are, after all, talking about using this math as the foundation for the 21st Century economy. Lord knows, such a structure must be algorithm-agile!) For general purpose PKC apps, however, RSA's trusted code base seems likely to continue to dominate the market -- long after the RSA/MIT public key patent expires, in fact.

There are, btw, a number of schemes to precompute the DSA in order to boost the performance of EC and D-H to nearly match the speed of RSA in some PKI apps. I understand, however, that even the US government has had to acknowledge that there are patents which seem to cover this approach. RSADSI has one; I think MIT has another.
Good luck,
_Vin

Vin McLellan + The Privacy Guild + 53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548 -- <@><@> --


From: Kevin Steves
Organization: Hewlett-Packard
To: Russ
Cc: firewalls@GreatCircle.COM, ntsecurity@iss.net
Subject: Re: PPTP configuration
Date: Tue, 04 Nov 1997 10:37:44 +0800

Russ wrote:

> 6. Given NT's TCP sequence predictability, hijacking a PPTP session based on a Win95 client (or an NT client *not* configured to *not* use LanMan) should be a straight-forward process.

Can you expand on this attack? I'm guessing it might be blind (can't see responses) and may be against the PPTP control connection; or maybe you're referring to predicting TCP ISNs in the GRE encapsulated, PPP encrypted TCP segment?
Kevin


From: Kevin Steves
Organization: Hewlett-Packard
To: Russ
Cc: firewalls@GreatCircle.COM
Subject: Re: PPTP configuration
Date: Tue, 04 Nov 1997 10:28:57 +0800

Russ wrote:

> Actually, the PPTP control channel uses TCP/UDP 1723 (in practice it seems to only use TCP). However, the "payload", or actual useful part of the PPTP stream, is held within IP 47, GRE, Generic Routing Encapsulation protocol. You're tunneling PPP within IP, hence the need for an encapsulated channel. The 1723 channel controls the flow of the PPTP session.

According to an MS whitepaper I have titled "Understanding PPTP" (sorry, don't have a web reference), "The IP datagrams are created using a modified version of the Internet GRE protocol (GRE is defined in RFCs 1701 and 1702)". Anyone know what was "modified" in GRE?
Kevin


From: Chris Brenton
Reply-To: cbrenton@sover.net
To: firewalls@greatcircle.com
Subject: Ever seen this in practice??
Date: Mon, 03 Nov 1997 21:49:02 -0500

I was flipping through some Cisco training material and ran across a communication property that I do not believe I have ever seen in the field. The subject was regarding how segments are handled at the transport layer. The text stated that when there are multiple sessions taking place between two IP hosts, the sessions could be multiplexed together in order to decrease the number of required packets.

In other words, let's assume host "A" has three users logged on who all have active Telnet sessions taking place to host "B". According to the text, these three sessions could be combined into a single IP packet using multiple transport headers to distinguish each unique session (i.e. source and reply ports) and multiple payloads. In fact, it was explained to me that all traffic does not have to be initiated from the same host or even be the same transport or service. For example, I could be using HTTP from host "A" to "B" while host "B" has initiated a Telnet and SNMP back to host "A". All three sessions could be multiplexed into the same set of IP packets.
While normally I place little weight in events I have never measured with an analyzer, the source of this info was the Cisco training manuals. I did, however, find some other things that I _know_ are mistakes, but we will not go there...

So has anyone actually ever seen this before? If so, how does a firewall deal with this type of connection? This would speak volumes to inspecting payload. I would assume that a firewall/filter that simply makes decisions based upon the data located at a certain offset from the preamble field would probably miss this. I would also assume that the support of this type of multiplexing would be vendor specific. Anyone out there doing it?

Thanks in advance!
Chris

**************************************
cbrenton@sover.net
http://www.amazon.com/exec/obidos/ats-query/0740-8883012-887529
"We've heard that a million monkeys at a million keyboards could produce the Complete Works of Shakespeare; now, thanks to the Internet, we know this is not true."


From: Jose Luis Delgado
To: Firewalls@GreatCircle.COM
Subject: Help with Raptor !!
Date: Fri, 31 Oct 1997 12:08:28 -0600 (CST)

Hi to everybody! I'm looking for a bit of your help!
I'm going to install, on a machine with these characteristics:

  Sparc20
  160MB (I'm going to upgrade to 256MB)
  2 HD (1GB each)
  1 microprocessor (I'm going to put in one more)

this software:

  - Solaris 2.5.1
  - Eagle Raptor Firewall!
  - WebNotes

Question: Am I going to have PERFORMANCE problems with these characteristics? Is my hardware enough? If not... which?

Thanks in advance!

P.S.: I'm not on your mailing list... yet, can you respond directly?

From owner-firewalls-list Mon Nov 3 22:29:00 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id TAA25656; Mon, 3 Nov 1997 19:50:54 -0800 (PST)
Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-971021-1) id TAA25636 for firewalls@greatcircle.com; Mon, 3 Nov 1997 19:50:50 -0800 (PST)
Received: from moria.imaginet.fr (moria.imaginet.fr [194.51.83.1]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id AAA16802 for ; Fri, 31 Oct 1997 00:22:01 -0800 (PST)
Received: from imaginet.fr (zoltar.imaginet.fr [194.51.83.150]) by moria.imaginet.fr via ESMTP (950215.SGI.8.6.10/911001.SGI) id JAA10010; Fri, 31 Oct 1997 09:22:16 +0100
Received: from altair.gods.imaginet.fr (altair.gods.imaginet.fr [195.68.1.72]) by imaginet.fr (8.7.5/8.7.31) with SMTP id JAA26044; Fri, 31 Oct 1997 09:22:47 +0100 (MET)
Message-Id: <199710310822.JAA26044@imaginet.fr>
Comments: Authenticated sender is
From: "Lionel MARIE"
Organization: Imaginet France
To: firewalls@GreatCircle.COM, Steve and Jill Lodin
Date: Fri, 31 Oct 1997 09:18:24 +0000
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: "SYN" protection product leads...
Reply-to: Lionel.MARIE@imaginet.fr
In-reply-to: <2.2.16.19971030144330.2957fb26@pop.iquest.net>
X-mailer: Pegasus Mail for Win32 (v2.54)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi all

There is a good introduction & access-lists at:
http://www.amazing.com/internet/

-Lionel.
> Date: Thu, 30 Oct 1997 09:43:30 -0500
> To: firewalls@GreatCircle.COM
> From: Steve and Jill Lodin
> Subject: Re: "SYN" protection product leads...
>
> At 08:15 PM 10/28/97 +0100, you wrote:
> >On Tue, 28 Oct 1997, James Terry wrote:
> >
> >> i'm looking for info on systems that could provide fault-tolerant
> >> protection against "SYN" attacks
>
> There is a recent article in one of the IEEE magazines by some Purdue
> University COAST researchers. Try searching the IEEE web site.
>
> Steve
> --
> Steve Lodin
> swlodin@iquest.net
> http://members.iquest.net/~swlodin/
>

From owner-firewalls-list Tue Nov 4 02:59:15 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA18011; Tue, 4 Nov 1997 02:47:39 -0800 (PST)
Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id CAA18004 for ; Tue, 4 Nov 1997 02:47:33 -0800 (PST)
Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id FAA25794; Tue, 4 Nov 1997 05:44:35 -0500 (EST)
From: Adam Shostack
Message-Id: <199711041044.FAA25794@homeport.org>
Subject: Re: FIREWALL: Encryption round up?
In-Reply-To: from Vin McLellan at "Nov 3, 97 08:57:53 pm"
To: vin@shore.net (Vin McLellan)
Date: Tue, 4 Nov 1997 05:44:35 -0500 (EST)
Cc: sgs@best.com, firewalls@GreatCircle.COM
X-Mailer: ELM [version 2.4ME+ PL27 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Vin McLellan wrote:
| >with ECC than with RSA in 5 years. And, if as you say, winner
| >takes all in PKI, that would seem to say that ECC will eventually
| >be able to displace RSA on the desktop.

(I don't buy the winner-take-all approach to PKI. There need to be gateways between pagers and email and the web; it's perfectly feasible that we'll see ECC pagers, DH/DSS mail, and RSA web certificates all co-deployed.
The programmers are different, the language is different (in the case of pagers), etc. I also don't buy much of the global PKI expectations that seem to be floating about; I'll post more on that later.)

| EC is an elegant technology and Certicom is a neat company with a
| lot of talented people. The Motorola pager deal is certainly not the last
| Several of the industry's leading cryptographers -- e.g., Arjen
| Lenstra of Citibank, Taher ElGamal of Netscape, and Michael Wiener of
| Entrust -- have lately echoed the (perhaps less disinterested;-) warnings
| of Ron Rivest, Len Adleman, and Claus Schnorr that EC cryptosystems, while
| potentially very interesting, are not yet quite ready for prime time.

While I personally agree with the RSA camp, that ECC is only ready for prime time where RSA can't go for performance and memory, there are a *LOT* of very talented cryptographers at Certicom. Moti Yung, Don Beaver, Neal Koblitz, and plenty of other really first rate people have joined the company. I can't believe these folks didn't think long and hard about the system.

|
| (Dr. Wiener's comments may also explain why RSA-based S/MIME was so
| rapidly and widely adopted by the leading e-mail vendors -- while the
| IETF's security cadre dithers about, bitching about the illegitimacy of
| patents on crypto systems, and trying to score points for D-H based PGP.)

RSA's S/MIME gets into products because there's a toolkit for it. Now that the PGP SDK is shipping as well, expect to see lots more PGP based tools. There are a lot more deployed users of PGP than users of S/MIME, based on PGP keys on business cards, web pages, etc.

The issue that the IETF is waiting on is RSA's refusal to state that standard pricing for use of the RSA patent in S/MIME applications will be made available, as well as change control being ceded to the IETF. Claiming that the IETF 'dithers' is pure crapola taken from a press release.
The IETF has a clear process; RSA knows what it is, and is playing games rather than addressing the issues. The IETF process is not always easy to follow, but it does tend to produce useful standards better than anyone else's process. If the IETF took the RSA proposal as it stands, the IETF would be rubber stamping a standard from RSA, compelling people who want to comply with the standard to negotiate a deal with RSA. If RSA makes the terms open and clear to all comers, then that may be possible. As it stands, all IETF acceptance of RSA's proposal would mean is that RSA can call S/MIME 'standards compliant,' which is clearly important to them. But given their apparent lack of willingness to pay the price of those standards, they're not advancing.

Adam
--
"It is seldom that liberty of any kind is lost all at once." -Hume

From owner-firewalls-list Tue Nov 4 03:59:30 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id DAA25649; Tue, 4 Nov 1997 03:39:08 -0800 (PST)
Received: from prop.caribnet.net (prop.caribnet.net [205.214.195.129]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id DAA25565 for ; Tue, 4 Nov 1997 03:38:50 -0800 (PST)
Received: from localhost (konk@localhost) by prop.caribnet.net (8.8.7/8.8.0) with SMTP id HAA06249 for ; Tue, 4 Nov 1997 07:50:01 -0400
Date: Tue, 4 Nov 1997 07:50:01 -0400 (AST)
From: Joe Smith
To: firewalls@GreatCircle.COM
Subject: SSL WatchGuard
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Greetings

I have been tasked with looking at several firewalls, and I have been reading your posts with interest. The reviews that I have read have rated CheckPoint, WatchGuard and SunScreen the highest. The one that I am tending towards is the WatchGuard system. Do any of you on this list have RL experience with it? Are there any other problems with WatchGuard that I should know about?

Thanks for the help!
John

From owner-firewalls-list Tue Nov 4 05:44:09 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA06672; Tue, 4 Nov 1997 05:38:53 -0800 (PST)
Received: from snowball.webtrek.com (snowball.webtrek.com [206.239.36.10]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id FAA06665 for ; Tue, 4 Nov 1997 05:38:45 -0800 (PST)
Received: from localhost (klemmerj@localhost) by snowball.webtrek.com (8.8.5/8.8.5) with SMTP id IAA30772; Tue, 4 Nov 1997 08:38:13 -0500
Date: Tue, 4 Nov 1997 08:38:12 -0500 (EST)
From: Joe Klemmer
Reply-To: Firewall list
To: Darren Reed
cc: john , gwhalin@numerix.com, firewalls@GreatCircle.COM
Subject: Re: Linux et al PFs
In-Reply-To: <199710311300.FAA23870@honor.greatcircle.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Sat, 1 Nov 1997, Darren Reed wrote:

> p.s. one thing which does concern me about Linux is the bugs which seem
> to be always getting fixed...I only started reading the kernel mailing
> list recently and I was shocked at some of the things which were a
> problem, especially as I believed 2.0.30 was "stable & relatively bugfree".
> (Although the "open(dev,-1)" in *BSD is frightening too, there seem to be
> less of those type of bugs...)

The bugginess of the 2.0.3x kernels is more related to Linus having a baby and moving to the US than anything else. They are definitely atypical of the norm for "production" kernels.

---
Microsoft is not the answer.    | In a World Without Fences,
Microsoft is the question,      | Who Needs Gates?
NO is the answer.               |
                                | Linux - http://www.linux.org

From owner-firewalls-list Tue Nov 4 05:59:26 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA06814; Tue, 4 Nov 1997 05:45:34 -0800 (PST)
Received: from snowball.webtrek.com (snowball.webtrek.com [206.239.36.10]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id FAA06807 for ; Tue, 4 Nov 1997 05:45:29 -0800 (PST)
Received: from localhost (klemmerj@localhost) by snowball.webtrek.com (8.8.5/8.8.5) with SMTP id IAA30831; Tue, 4 Nov 1997 08:45:31 -0500
Date: Tue, 4 Nov 1997 08:45:31 -0500 (EST)
From: Joe Klemmer
Reply-To: Firewall list
To: "Jonathan M. Bresler"
cc: Firewall list
Subject: Re: Linux et al PFs
In-Reply-To: <199710311355.IAA23333@kryten.frb.gov>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 31 Oct 1997, Jonathan M. Bresler wrote:

> >> FreeBSD/OpenBSD/NetBSD etc has proven to generally be reliable in
> >> high-stress conditions, but isn't quite as easy to setup.
> >
> > It must have been a long time since you've looked at Linux, then.
> >Its current state is equal or better at networking than the BSDs.
>
> please show me numbers better than ftp.cdrom.com
>
> 200GB/day (average)
> 228GB/day (high to date)

Check with DejaNews. That's running on Linux and handling the entire News feed archive.

---
"To be considered half as good as a man, a woman must work twice as hard. Fortunately, this is not difficult..."
From owner-firewalls-list Tue Nov 4 06:51:36 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA15095; Tue, 4 Nov 1997 06:40:18 -0800 (PST)
Received: from server2.rad.net.id (server2.rad.net.id [202.154.1.5]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id GAA15077 for ; Tue, 4 Nov 1997 06:40:07 -0800 (PST)
Received: from localhost.127.0.0 (dyn1031c.dialin.rad.net.id [202.154.42.31]) by server2.rad.net.id (8.8.5/RADNET) with SMTP id VAA28063 for ; Tue, 4 Nov 1997 21:40:05 +0700 (WIB)
Message-ID: <345F3229.1AAE@indo-mail.com>
Date: Tue, 04 Nov 1997 21:33:13 +0700
From: Doy
X-Mailer: Mozilla 3.04Gold (Win95; I)
MIME-Version: 1.0
To: "Firewalls@GreatCircle.COM"
Subject: Hijak detection
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Guys,

I wonder if there are firewall/intrusion detection products that can deal with TCP session hijack.. I didn't see threads related to this topic in the last half year ..okay, I'm new to this list.. ;)

Suppose the TCP session is not encrypted, and the attacker is on the packet's route, what can we do about it? Surrender..??

Of course not. We can build statistical analysis on the number of invalid packets transmitted on each session. Has anybody done this? Is this approach valid anyway?

I'd like to see other solutions/products besides encryption/routing/netw. segmentation.
regards,
Doy

From owner-firewalls-list Tue Nov 4 07:14:42 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA14768; Tue, 4 Nov 1997 06:38:07 -0800 (PST)
Received: from ntserver.newoak.com ([146.115.61.251]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id GAA14746 for ; Tue, 4 Nov 1997 06:37:59 -0800 (PST)
Received: from mike-feinstein ([10.0.21.186]) by ntserver.newoak.com (Netscape Mail Server v2.02) with ESMTP id AAA43; Mon, 3 Nov 1997 23:08:29 -0500
Message-ID: <345E6FE4.BAF2018@newoak.com>
Date: Mon, 03 Nov 1997 19:44:20 -0500
From: mfeinstein@newoak.com (Michael G. Feinstein)
Reply-To: mfeinstein@newoak.com
Organization: New Oak Communications
X-Mailer: Mozilla 4.01 [en] (Win95; I)
MIME-Version: 1.0
To: "Stackpole, Bill"
CC: "'Tim Lebrun'" , firewalls@GreatCircle.COM
Subject: Re: PPTP configuration
X-Priority: 3 (Normal)
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

As mentioned in a previous reply, Microsoft has released PPTP for Windows 95 as part of the Dial-Up Networking 1.2 Upgrade. This is available for free on the Microsoft Web site.

Keep in mind that running the PPTP protocol doesn't mean that you are terminating the session on an NT server. My company's product, the NOC 4000, can serve as a PPTP server (among other things) for up to 2,000 simultaneous sessions and 45 Mbps of aggregated tunneled, compressed, and encrypted traffic. It has a full firewall filtering mechanism built in so that it doesn't suffer from the fixed IP address issue mentioned below. The NOC 4000 is designed to run in parallel to your firewall, either directly connected to the Internet WAN connection or behind a router which is connecting your LAN to the Internet.

Check out our Web site at http://www.newoak.com for more information. You can also reply to me directly for more specific product information.
Stackpole, Bill wrote:
> PPTP only works on NT so your remote users will have to at least be
> running 4.0 workstation.
> My experience hasn't been good with this protocol although I haven't
> tried the implementation.
> If your ISP doesn't use fixed IP addresses then you will have to open
> up PPTP to the world which means the world can attach your internal RAS
> server. The other problem I ran into was the inability to access
> resources on the PPTP (RAS) server itself. Seems that NT server
> couldn't route between the tunnel IP address and its own IP. Again
> this may be something that Steelhead fixed.
>
> > -----Original Message-----
> > From: Tim Lebrun [SMTP:tlebrun@internetmci.com]
> > Sent: Friday, October 31, 1997 2:20 PM
> > To: firewalls@GreatCircle.COM; ntsecurity@iss.net
> > Subject: PPTP configuration
> >
> > I would like some expert opinions on the setup that we are looking at
> > implementing. We want to eventually get rid of our dial-in rack and allow
> > users to enter our network through the internet. So we have a T1
> > internet connection run which (from the outside) first, goes through a
> > Cisco 7000 router, then through a Gauntlet firewall, and then the
> > users get logged on to a NT Ras server using PPTP. And from there
> > the users can go and do anything on the network, ie: Mail, Novell,
> > Tn3270, Telnet.
> > My Question is - what are the possible problems with this kind of
> > setup?
> > --

Michael Feinstein                 New Oak Communications
VP, Product Marketing             125 Nagog Park
Tel: 978-266-1011 x103            Acton, MA 01720
Fax: 978-266-1080                 http://www.newoak.com
mfeinstein@newoak.com             Pager: 800-592-6311

From owner-firewalls-list Tue Nov 4 07:40:36 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA17065; Tue, 4 Nov 1997 06:53:00 -0800 (PST)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id GAA16917 for ; Tue, 4 Nov 1997 06:52:23 -0800 (PST)
Received: from newfed.frb.gov by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id GAA17568; Tue, 4 Nov 1997 06:02:53 -0800 (PST)
Received: from FRB.GOV (umailfwd@localhost) by newfed.frb.gov (8.8.7/8.8.7) with UUCP id IAA13677 for GreatCircle.COM!firewalls; Tue, 4 Nov 1997 08:38:07 -0500 (EST)
Received: from kryten.frb.gov by frbgate.FRB.GOV (4.1/SMI-4.0) id AA28006; Tue, 4 Nov 97 08:53:49 EST
Received: from localhost.frb.gov (localhost.frb.gov [127.0.0.1]) by kryten.frb.gov (8.8.7/8.8.5) with SMTP id IAA06227 for ; Tue, 4 Nov 1997 08:53:08 -0500 (EST)
Message-Id: <199711041353.IAA06227@kryten.frb.gov>
X-Authentication-Warning: kryten.frb.gov: localhost.frb.gov [127.0.0.1] didn't use HELO protocol
X-Mailer: exmh version 1.6.5 12/11/95
To: Firewall list
Subject: Re: Linux et al PFs
In-Reply-To: Your message of "Tue, 04 Nov 1997 08:45:31 EST."
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Tue, 04 Nov 1997 08:53:08 -0500
From: "Jonathan M. Bresler"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>> please show me numbers better than ftp.cdrom.com
>>
>> 200GB/day (average)
>> 228GB/day (high to date)
>
> Check with DejaNews. That's running on Linux and handling the
> entire News feed archive.

deja-news regularly bounces mail destined for some newsgroups. they may be doing very well, but could be doing better yet.
if you have been or are advocating linux, perhaps you would be kind enough to check with DejaNews. ;)

jmb

From owner-firewalls-list Tue Nov 4 07:47:41 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA22341; Tue, 4 Nov 1997 07:27:20 -0800 (PST)
Received: from resu01.wei.sk.ca (resu01.wei.sk.ca [204.83.14.1]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id HAA22255 for ; Tue, 4 Nov 1997 07:27:03 -0800 (PST)
Received: by resu01.wei.sk.ca (1.39.111.2/16.2) id AA142506616; Tue, 4 Nov 1997 09:16:56 -0600
Received: from unknown(1.10.20.4) by resu01.wei.sk.ca via smap (3.2) id xma014220; Tue, 4 Nov 97 09:16:30 -0600
Received: by refs04.wei.sk.ca with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BCE903.CF03D5C0@refs04.wei.sk.ca>; Tue, 4 Nov 1997 09:27:02 -0600
Message-Id:
From: "Walsh, Hilda"
To: "'Firewalls@GreatCircle.COM'"
Subject: FW: Notification: Inbound Mail Failure - Address not found
Date: Tue, 4 Nov 1997 09:27:00 -0600
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The user "shanner" is no longer at Wascana Energy. Please delete from your Mailing Lists......thx!!
Hilda Walsh
E-mail Administrator
(306) 781-8331
walsh@wei.sk.ca

>----------
>From: System Administrator[SMTP:postmaster@wei.sk.ca]
>Sent: Tuesday, November 04, 1997 9:03 AM
>To: ^Exchange Administrators
>Subject: Notification: Inbound Mail Failure - Address not found
>
>A mail message was not sent because the following address(es) could not be
>found:
>
> shanner@wei.sk.ca
>
>The message that caused this notification was:
>
> To: Firewalls@GreatCircle.COM
> From: Firewalls@GreatCircle.COM
> Subject: Hijak detection
>

From owner-firewalls-list Tue Nov 4 09:01:09 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA28469; Tue, 4 Nov 1997 08:02:36 -0800 (PST)
Received: from sj-fte02-sun.cisco.com (sj-fte02-sun.cisco.com [171.68.200.96]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id IAA28453 for ; Tue, 4 Nov 1997 08:02:31 -0800 (PST)
Received: from localhost (rbharani@localhost) by sj-fte02-sun.cisco.com (8.6.11/CA/950118) with SMTP id IAA18240 for ; Tue, 4 Nov 1997 08:02:38 -0800
Date: Tue, 4 Nov 1997 08:02:38 -0800 (PST)
From: Rakesh Bharania
To: Firewalls@GreatCircle.COM
Subject: Re: PPTP
In-Reply-To: <199711041100.DAA18470@honor.greatcircle.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

For those who were curious earlier, PPTP uses IP protocol type 47 (GRE) and TCP 1723.

Cheers,

---
Rakesh Bharania "The Cosmic Armadillo"      V: (408) 526-5981
Cisco Systems TAC (Applications Team)        F: (408) 527-2636
San Jose, CA
"Cisco Systems? Aren't those the guys with the trucks?"
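An added example, written for this archive and not taken from any poster, Cisco, New Oak or Microsoft: a toy stateless packet filter that parses raw IPv4 headers and shows why the PPTP thread's two facts belong together in a ruleset, TCP/1723 for the control connection and IP protocol 47 (GRE) for the tunnel, and how pinning both to the PPTP server's address limits what "opening PPTP to the world" exposes when remote users have dynamic addresses. The server and client addresses and the sample packets are constructed, and the rule format is illustrative rather than any vendor's ACL syntax.

```python
import struct
from dataclasses import dataclass
from typing import Optional

IPPROTO_TCP = 6
IPPROTO_GRE = 47           # PPTP data tunnel: GRE, IP protocol 47
PPTP_CONTROL_PORT = 1723   # PPTP control connection: TCP/1723

PPTP_SERVER = "192.0.2.10"  # constructed address of the internal PPTP (RAS) server
OTHER_HOST = "192.0.2.20"   # constructed address of some other internal host
CLIENT = "198.51.100.7"     # constructed dial-up client with a dynamic address


@dataclass
class Rule:
    """One ACL entry; None means 'any' for that field."""
    action: str                   # "permit" or "deny"
    proto: Optional[int] = None   # IP protocol number
    dst: Optional[str] = None     # destination address
    dport: Optional[int] = None   # TCP destination port (only meaningful for TCP)

    def matches(self, pkt: dict) -> bool:
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if self.dst is not None and pkt["dst"] != self.dst:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return True


def parse_ipv4(raw: bytes) -> dict:
    """Extract protocol, addresses and (for TCP) ports from a raw IPv4 datagram."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not a complete IPv4 header")
    ihl = (raw[0] & 0x0F) * 4          # header length in bytes
    proto = raw[9]                     # protocol field, byte 9 of the IP header
    pkt = {
        "proto": proto,
        "src": ".".join(str(b) for b in raw[12:16]),
        "dst": ".".join(str(b) for b in raw[16:20]),
    }
    if proto == IPPROTO_TCP and len(raw) >= ihl + 4:
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", raw[ihl:ihl + 4])
    return pkt


def evaluate(rules, pkt: dict) -> str:
    """First matching rule wins; anything unmatched is denied (router-ACL style)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def build_packet(proto: int, src: str, dst: str, sport: int = 0, dport: int = 0) -> bytes:
    """Construct a minimal IPv4 datagram (no options) for the demonstration."""
    l4 = b""
    if proto == IPPROTO_TCP:
        # ports, seq, ack, data offset = 5 words, flags = SYN, window, checksum, urgent ptr
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + l4


# Incomplete policy: only the TCP control channel is opened. The GRE tunnel that
# carries the PPP frames is dropped, so clients authenticate and then pass nothing.
CONTROL_ONLY = [
    Rule("permit", IPPROTO_TCP, PPTP_SERVER, PPTP_CONTROL_PORT),
]

# Complete policy: both PPTP components, but pinned to the one server. With dynamic
# client addresses the source side must stay open, so the destination pin is what
# keeps "open to the world" from meaning the whole internal network.
PPTP_POLICY = [
    Rule("permit", IPPROTO_TCP, PPTP_SERVER, PPTP_CONTROL_PORT),
    Rule("permit", IPPROTO_GRE, PPTP_SERVER),
]

# Constructed inbound traffic as seen by the filter.
SAMPLES = {
    "control": build_packet(IPPROTO_TCP, CLIENT, PPTP_SERVER, 40000, PPTP_CONTROL_PORT),
    "tunnel": build_packet(IPPROTO_GRE, CLIENT, PPTP_SERVER),
    "gre_elsewhere": build_packet(IPPROTO_GRE, CLIENT, OTHER_HOST),
    "telnet_to_ras": build_packet(IPPROTO_TCP, CLIENT, PPTP_SERVER, 40001, 23),
}


def verdicts(rules) -> dict:
    """Run every sample packet through a rule set and report permit/deny per packet."""
    return {name: evaluate(rules, parse_ipv4(raw)) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for label, policy in (("control only", CONTROL_ONLY), ("tcp/1723 + gre", PPTP_POLICY)):
        print(label, verdicts(policy))
```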
From owner-firewalls-list Tue Nov 4 09:13:07 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA29041; Tue, 4 Nov 1997 08:09:10 -0800 (PST)
Received: from freedom.gmsociety.org ([209.116.153.41]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id IAA29006 for ; Tue, 4 Nov 1997 08:08:59 -0800 (PST)
Received: (from brad@localhost) by freedom.gmsociety.org (8.8.5/8.7.3) id LAA17744; Tue, 4 Nov 1997 11:08:42 -0500
From: Brad
Message-Id: <199711041608.LAA17744@freedom.gmsociety.org>
Subject: Re: Hijak detection
To: doy@indo-mail.com (Doy)
Date: Tue, 4 Nov 1997 11:08:41 -0500 (EST)
Cc: firewalls@greatcircle.com
Reply-To: anarch@freedom.gmsociety.org
In-Reply-To: <345F3229.1AAE@indo-mail.com> from "Doy" at Nov 4, 97 09:33:13 pm
X-Mailer: ELM [version 2.4 PL25 PGP7]
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Check out Wheelgroup's NetRanger Intrusion Detection product and upcoming NetSonar vulnerability scanner. Handles hijacking and much more, also works at fast ethernet and fddi speeds.

Wrath

>
> Guys,
>
> I wonder if there are firewall/intrusion detection products that can
> deal with TCP session hijack.. I didn't see threads related to this
> topic in the last half year ..okay, I'm new to this list.. ;)
>
> Suppose the TCP session is not encrypted, and the attacker is on the
> packet's route, what can we do about it? Surrender..??
>
> Of course not. We can build statistical analysis on the number of invalid
> packets transmitted on each session. Has anybody done this? Is this
> approach valid anyway?
>
> I'd like to see other solutions/products besides encryption/routing/netw.
> segmentation.
>
> regards,
> Doy
>

From owner-firewalls-list Tue Nov 4 09:56:50 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA09189; Tue, 4 Nov 1997 09:14:11 -0800 (PST)
Received: from relay.de.uu.net (relay.de.uu.net [192.76.144.64]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id IAA04812 for ; Tue, 4 Nov 1997 08:48:41 -0800 (PST)
Received: from prosecco.munich.ibm.de [192.54.74.2] by relay.de.uu.net with ESMTP (5.61c:012/2.7.0.l-relay) id RAA03231; Tue, 4 Nov 1997 17:48:37 +0100 (MET)
Received: (from smap@localhost) by prosecco. (fw-afx-1) id RAA28532 for ; Tue, 4 Nov 1997 17:49:33 +0100
Received: from cerberus.ak.munich.ibm.com(9.23.4.12) by prosecco.munich.ibm.de via smap (V1.3) id sma029296; Tue Nov 4 17:49:24 1997
Received: from barolo.munich.de.ibm.com (barolo.munich.de.ibm.com [9.165.98.98]) by cerberus (8.8.3/8.7afx1) with ESMTP id RAA22430 for ; Tue, 4 Nov 1997 17:48:30 +0100
Received: (from afx@localhost) by barolo (8.8.5/8.7afx2) id RAA16264; Tue, 4 Nov 1997 17:48:28 +0100
Message-ID: <19971104174828.35945@barolo.munich.de.ibm.com>
Date: Tue, 4 Nov 1997 17:48:28 +0100
From: Andreas Siegert
To: "'firewalls'"
Subject: Bay networks and filtering
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.81
In-Reply-To: ; from "Steven Johnson (BUS)" on Thu, Oct 30, 1997 at 10:30:16AM -0500
X-Organisation: IBM Unternehmensberatung GmbH / IT Security Consulting
X-Address: Leopoldstrasse 175, 80804 Muenchen, Germany
X-Phone: +49-89-4504-4509 (internal 945-4509), Fax -3853
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

I am looking for Information on the filtering capabilities of Bay networks Routers. I know that there is a firewall-1 Module for them, but I am looking for the basic stuff. Can I do sensible Syn/Ack checks with plenty of rules, specific to in and outbound traffic? Can I log all specific to rules?
I have seen quite a few of their web pages, but all I found was rather crude (only 31 rules, no SYN/ACK check), is that really true in current releases?

thanks for any hints
afx
--
Andreas Siegert    afx@ibm.de / afx@barolo.munich.de.ibm.com / AFX at IPNET
PGP Key: http://www.muc.de/~afx/pubkey.asc, KeyId AB26FD05

From owner-firewalls-list Tue Nov 4 12:16:40 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA29091; Tue, 4 Nov 1997 08:09:45 -0800 (PST)
Received: from resu01.wei.sk.ca (resu01.wei.sk.ca [204.83.14.1]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id IAA29072 for ; Tue, 4 Nov 1997 08:09:35 -0800 (PST)
Received: by resu01.wei.sk.ca (1.39.111.2/16.2) id AA171289172; Tue, 4 Nov 1997 09:59:32 -0600
Received: from unknown(1.10.20.4) by resu01.wei.sk.ca via smap (3.2) id xma017107; Tue, 4 Nov 97 09:59:24 -0600
Received: by refs04.wei.sk.ca with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BCE909.C8D5BF00@refs04.wei.sk.ca>; Tue, 4 Nov 1997 10:09:49 -0600
Message-Id:
From: "Walsh, Hilda"
To: "'Firewalls@GreatCircle.COM'"
Subject: FW: Notification: Inbound Mail Failure - Address not found
Date: Tue, 4 Nov 1997 10:09:48 -0600
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The user "shanner" is no longer at Wascana Energy. Please delete from your Mailing Lists......thx!!
Hilda Walsh
E-mail Administrator
(306) 781-8331
walsh@wei.sk.ca

>----------
>From: System Administrator[SMTP:postmaster@wei.sk.ca]
>Sent: Tuesday, November 04, 1997 10:06 AM
>To: ^Exchange Administrators
>Subject: Notification: Inbound Mail Failure - Address not found
>
>A mail message was not sent because the following address(es) could not be
>found:
>
> shanner@wei.sk.ca
>
>The message that caused this notification was:
>
> To: 'Firewalls@GreatCircle.COM'
> From: 'Firewalls@GreatCircle.COM'
> Subject: FW: Notification: Inbound Mail Failur
>

From owner-firewalls-list Tue Nov 4 12:12:42 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA27416; Tue, 4 Nov 1997 10:48:39 -0800 (PST)
Received: from ovid.kub.spink.sd.us (csd2-074.sd.cybernex.net [204.141.237.74]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id KAA27289 for ; Tue, 4 Nov 1997 10:48:08 -0800 (PST)
Received: from localhost (vince@localhost [127.0.0.1]) by ovid.kub.spink.sd.us (8.8.7/8.7.3) with SMTP id MAA21189; Tue, 4 Nov 1997 12:53:04 -0600
Date: Tue, 4 Nov 1997 12:53:04 -0600 (CST)
From: Vince Kub
X-Sender: vince@ovid.kub.spink.sd.us
To: Andreas Siegert
cc: "'firewalls'"
Subject: Re: Bay networks and filtering
In-Reply-To: <19971104174828.35945@barolo.munich.de.ibm.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 4 Nov 1997, Andreas Siegert wrote:

> Hi,
>
> I am looking for Information on the filtering capabilities of Bay networks
> Routers. I know that there is a firewall-1 Module for them, but I am looking
> for the basic stuff. Can I do sensible Syn/Ack checks with plenty of rules,
> specific to in and outbound traffic? Can I log all specific to rules?
>
> I have seen quite a few of their web pages, but all I found was rather crude
> (only 31 rules, no SYN/ACK check), is that really true in current releases?
>
> thanks for any hints
> afx

With 10.x GAME they got to 128 rules but, at least with what I've seen, the general efficiency of filtering is much worse than with IOS. (I suspect there must be substantially different algorithmic approaches in the internal code between Bay/Cisco.) We ended up replacing all the Bay stuff with Cisco 7206s where we needed filtering rules. Even end users commented on the perceptible difference in "crispness" in surfing the Web, etc.

The logging is much weaker than with IOS (you can tell if it dropped a TCP or UDP packet but not the source or destination ports of the packet) and the management software (Site Manager) is - well let's be charitable and say it is an excellent late '80s implementation of an engineer's tool that Marketing must have decided to "get a GUI" for.

I like Bay's switches but they have traditionally been a few years behind the curve with router technology, at least in terms of feature set. They are supposedly quite fast but, again in anecdotal observation, are not well suited to "high accountability" projects.

Enough opinion for you? ;-)

- VAK

From owner-firewalls-list Tue Nov 4 14:08:35 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA20770; Tue, 4 Nov 1997 13:16:22 -0800 (PST)
Received: from hotmail.com (F45.hotmail.com [207.82.250.56]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id NAA20701 for ; Tue, 4 Nov 1997 13:15:59 -0800 (PST)
Received: (qmail 21082 invoked by uid 0); 4 Nov 1997 21:15:50 -0000
Message-ID: <19971104211550.21081.qmail@hotmail.com>
Received: from 206.15.64.10 by www.hotmail.com with HTTP; Tue, 04 Nov 1997 13:15:50 PST
X-Originating-IP: [206.15.64.10]
From: "Alexis Zephrides"
To: firewalls@greatcircle.com
Subject: Private web-based email with SSL secure???
Content-Type: text/plain
Date: Tue, 04 Nov 1997 13:15:50 PST
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello:

I consult for an ISP that has a couple of Intel 266 Pentiums, 1 500Mhz Alpha and a Sparc all running linux. We have been talking about writing our own web based email app (like HotMail) so that our users can get mail remotely. We have only found one app like this that runs under Linux and it is written in PERL.

If we use SSL on the web server, will the entire e-mail session be encrypted including login? The POP server is behind the Firewall as well.

Thanks in advance,

Alexis
Agean Consulting

______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com

From owner-firewalls-list Tue Nov 4 15:01:56 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA28464; Tue, 4 Nov 1997 10:53:22 -0800 (PST)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id KAA28271 for ; Tue, 4 Nov 1997 10:52:24 -0800 (PST)
Received: from main.geminisecure.com by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id JAA18529; Tue, 4 Nov 1997 09:53:32 -0800 (PST)
Received: (from leonard@localhost) by main.geminisecure.com (8.6.9/8.6.9) id JAA19204; Tue, 4 Nov 1997 09:50:01 -0800
Date: Tue, 4 Nov 1997 09:49:59 -0800 (PST)
From: Leonard Miyata
To: firewalls@GreatCircle.COM
Subject: Disabling LAN Manager on NT
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I double checked my reference. At http://www.microsoft.com/security/ there is an ftp link to a patch that will turn off LANManager authentication on Windows NT. Be sure to read the details involved....
Personal Opinions provided by Leonard Miyata aka leonard@geminisecure.com
Gemini Computers Inc

From owner-firewalls-list Tue Nov 4 15:02:01 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA25692; Tue, 4 Nov 1997 13:52:59 -0800 (PST)
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id NAA25653 for ; Tue, 4 Nov 1997 13:52:45 -0800 (PST)
Message-Id: <199711042152.NAA25653@honor.greatcircle.com>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA006390345; Wed, 5 Nov 1997 08:52:25 +1100
From: Darren Reed
Subject: Re: Linux et al PFs
To: firewalls@GreatCircle.COM
Date: Wed, 5 Nov 1997 08:52:25 +1100 (EDT)
Cc: zaph0d@phawd.com-stock.com, gwhalin@numerix.com
In-Reply-To: from "Joe Klemmer" at Nov 4, 97 08:38:12 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In some mail from Joe Klemmer, sie said:
>
> On Sat, 1 Nov 1997, Darren Reed wrote:
>
> > p.s. one thing which does concern me about Linux is the bugs which seem
> > to be always getting fixed...I only started reading the kernel mailing
> > list recently and I was shocked at some of the things which were a
> > problem, especially as I believed 2.0.30 was "stable & relatively bugfree".
> > (Although the "open(dev,-1)" in *BSD is frightening too, there seem to be
> > less of those type of bugs...)
>
> The bugginess of the 2.0.3x kernels is more related to Linus
> having a baby and moving to the US than anything else. They are
> definitely atypical of the norm for "production" kernels.

I'm not sure that this puts Linux in a more favourable light. If he gets hit by a bus or is otherwise incapacitated for a length of time, are you saying that Linux would suffer as a result ?
Darren

From owner-firewalls-list Tue Nov 4 15:27:02 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA22654; Tue, 4 Nov 1997 13:34:24 -0800 (PST)
Received: from typhoon.dstc.qut.edu.au (typhoon.dstc.qut.edu.au [131.181.71.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id NAA22628 for ; Tue, 4 Nov 1997 13:34:08 -0800 (PST)
Received: from absinthe.dialup.dstc.edu.au (adamb.dialup.dstc.edu.au [130.102.177.159]) by typhoon.dstc.qut.edu.au (8.8.5/8.8.5) with SMTP id HAA09060; Wed, 5 Nov 1997 07:33:52 +1000 (EST)
Message-Id: <3.0.32.19971104221328.00923e10@zikzak.net>
X-Sender: adamb@zikzak.net
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Wed, 05 Nov 1997 06:31:56 +1000
To: cbrenton@sover.net, firewalls@GreatCircle.COM
From: Adam Burns
Subject: Re: Ever seen this in practice??
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 09:49 PM 03/11/97 -0500, Chris Brenton wrote:
>
> So has anyone actually ever seen this before? If so, how does a firewall
> deal with this type of connection? This would speak volumes to
> inspecting payload. I would assume that a firewall/filter that simply
> makes decisions based upon the data located at a certain offset from the
> preamble field would probably miss this.
>

This encapsulation reminds me of ssh IP packet forwarding. Granted, not quite the same as your 'multiplexor', ssh has the ability to tunnel IP packets end to end within a single encrypted "sheath" TCP connection.

Adam.
-NetStorm-----------------------------------------[adamb@netstorm.net.au]
adam burns    central++vortex    po box 3168    vortex@netstorm.net.au
SBBC 4101 australia    PGP: http://www.netstorm.net.au/pgp/netstorm.net.au/adamb.html
-------------------------------------------------------------------------
storming the reality network into a state of suspended disbelief

From owner-firewalls-list Tue Nov 4 15:39:13 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA29480; Tue, 4 Nov 1997 14:15:44 -0800 (PST)
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id OAA29405 for ; Tue, 4 Nov 1997 14:15:25 -0800 (PST)
Message-Id: <199711042215.OAA29405@honor.greatcircle.com>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA012251555; Wed, 5 Nov 1997 09:12:35 +1100
From: Darren Reed
Subject: Re: sex,lies, and application proxy based fw vs Check Point
To: ryanr@sybase.com (Ryan Russell)
Date: Wed, 5 Nov 1997 09:12:34 +1100 (EDT)
Cc: ccf15429@cc.iitd.ernet.in, proberts@clark.net, firewalls@GreatCircle.COM
In-Reply-To: <8825653F.0064A83B.00@gwwest.sybase.com> from "Ryan Russell" at Oct 29, 97 11:24:23 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In some mail from Ryan Russell, sie said:
>
> The OOB bug is interesting because it's a layer-4 problem,
> and points out one of the things that Checkpoint didn't
> take into account when they are passing packets through.

Doesn't that give you cause to stop and think about whether their marketing hype about "layer 1 - 7" filtering actually means anything useful?
Darren

From owner-firewalls-list Tue Nov 4 15:40:56 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA04281; Tue, 4 Nov 1997 14:47:31 -0800 (PST)
Received: from cneeson-sun.cisco.com (cneeson-sun.cisco.com [171.68.98.158]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id OAA04244 for ; Tue, 4 Nov 1997 14:47:17 -0800 (PST)
Received: from localhost (cneeson@localhost) by cneeson-sun.cisco.com (8.6.11/CA/950118) with SMTP id JAA23287; Wed, 5 Nov 1997 09:47:14 +1100
Date: Wed, 5 Nov 1997 09:47:13 +1100 (EST)
From: Colin Neeson
To: Firewall list
cc: Darren Reed , john , gwhalin@numerix.com
Subject: Re: Linux et al PFs
In-Reply-To:
Message-ID:
X-Avian: This message conforms to RFC1149
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 4 Nov 1997, Joe Klemmer wrote:

|On Sat, 1 Nov 1997, Darren Reed wrote:
|
|> p.s. one thing which does concern me about Linux is the bugs which seem
|> to be always getting fixed...I only started reading the kernel mailing
|> list recently and I was shocked at some of the things which were a
|> problem, especially as I believed 2.0.30 was "stable & relatively bugfree".
|> (Although the "open(dev,-1)" in *BSD is frightening too, there seem to be
|> less of those type of bugs...)
|
| The bugginess of the 2.0.3x kernels is more related to Linus
|having a baby and moving to the US than anything else. They are
|definitely atypical of the norm for "production" kernels.
|

*WHO* *CARES*?! Move back to the firewall discussion please. All of this should be living on comp.os.linux.advocacy.i.don't.want.it.on.the.firewalls.list.any.more.

Thanks.
-Colin

From owner-firewalls-list Tue Nov 4 16:44:50 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id QAA15778; Tue, 4 Nov 1997 16:05:50 -0800 (PST)
Received: from relay7.UU.NET (relay7.UU.NET [192.48.96.17]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id QAA15722 for ; Tue, 4 Nov 1997 16:05:37 -0800 (PST)
Received: from maestro.Maestro.COM by relay7.UU.NET with SMTP (peer crosschecked as: [198.102.66.11]) id QQdogu26166; Tue, 4 Nov 1997 19:05:42 -0500 (EST)
Received: from localhost by maestro.Maestro.COM (4.1/MAESTRO-0.1/07-03-93) id AA13620; Tue, 4 Nov 97 19:03:31 EST
Date: Tue, 4 Nov 1997 19:03:31 -0500 (EST)
From: Sick Puppy
To: firewalls@GreatCircle.com
Subject: Howl for help
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Sara Gordon, please send your current e-mail address to the Dawg. Urgent. Black Synapse is tying knots in my tail and it h_u_r_t_s.

Sick Puppy, the Cat_Eating_Dawg

From owner-firewalls-list Tue Nov 4 18:30:44 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id SAA09093; Tue, 4 Nov 1997 18:16:04 -0800 (PST)
Received: from quechua.inka.de (quechua.inka.de [193.197.84.5]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id SAA08856 for ; Tue, 4 Nov 1997 18:15:20 -0800 (PST)
Received: from uu.inka.de [193.197.84.8] by quechua.inka.de with smtp id 0xSuz8-0006pp-00; Wed, 5 Nov 1997 03:14:22 +0100
Received: from lina.inka.de (lists@lina.inka.de) by uu.inka.de with bsmtp (S3.1.29.1) id ; Wed, 5 Nov 97 03:14 MET
Received: by lina.inka.de id m0xSukU-00014AC (Debian Smail-3.2 1996-Jul-4 #2); Wed, 5 Nov 1997 02:59:14 +0100 (CET)
Message-Id:
Date: Wed, 5 Nov 1997 02:59:14 +0100
From: Bernd Eckenfels
To: cbrenton@sover.net
Cc: firewalls@greatcircle.com
Subject: Re: Ever seen this in practice??
References: <345E8D1E.D9F2ABEC@sover.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.67
In-Reply-To: <345E8D1E.D9F2ABEC@sover.net>; from Chris Brenton on Mon, Nov 03, 1997 at 09:49:02PM -0500
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello,

On Nov 3, Chris Brenton wrote
> The subject was regarding how segments are handled at the transport
> layer. The text stated that when there are multiple sessions taking
> place between two IP hosts, that the sessions could be multiplexed
> together in order to decrease the number of required packets.

Hmm.. well.. there are a few solutions like: Term/TIA/SLIRP via TCP or tunneling via ssh. But I don't think there is a multiplexing-only solution (other than RPC based).

Greetings
Bernd

-- 
  (OO)      -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de --
 ( .. )  ecki@{inka.de,linux.de,debian.org}  http://home.pages.de/~eckes/
  o--o     *plush*  2048/93600EFD  eckes@irc  +4972573817  BE5-RIPE
(O____O)  If privacy is outlawed only Outlaws have privacy

From owner-firewalls-list Tue Nov 4 20:21:15 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id UAA22712; Tue, 4 Nov 1997 20:04:30 -0800 (PST)
Received: from paranoia.abm.com.au (abm-3-34.abm.com.au [203.16.203.34]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id UAA22697 for ; Tue, 4 Nov 1997 20:04:22 -0800 (PST)
Received: (from uucp@localhost) by paranoia.abm.com.au (8.8.3/8.8.3) id PAA18243 for ; Wed, 5 Nov 1997 15:14:21 +1100 (EST)
Received: from euphoria.abm.com.au(203.16.203.130) by paranoia.abm.com.au via smap (V1.3) id sma018239; Wed Nov 5 15:13:58 1997
Received: by euphoria. (SMI-8.6/SMI-SVR4) id PAA18417; Wed, 5 Nov 1997 15:04:30 +1100
Message-Id: <199711050404.PAA18417@euphoria.>
Received: from austlabs.ozemail.com.au(203.108.63.220) by euphoria via smap (V1.3) id sma018412; Wed Nov 5 15:04:19 1997
From: "Jan Zeilinga"
To:
Subject: why use a smtp proxy
Date: Wed, 5 Nov 1997 13:56:42 +1100
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1161
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

The current proposed configuration is to allow smtp traffic through the firewall to our Exchange server. The Exchange server then decides what to do with the mail and routes it onwards to its destined servers within our network. My question is: would you use the smtp security server with Firewall-1 to do this, no security server at all or allow connections to port 25 from the internet, or install another smtp proxy...

What purpose would the smtp proxy serve?
Jan Zeilinga
Unix/Network consultant
abm Australasia Pty Ltd
Tel 613-94159166
Fax 613-94159245

From owner-firewalls-list Tue Nov 4 23:29:24 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA07184; Tue, 4 Nov 1997 23:21:46 -0800 (PST)
Received: from su1.in.net (su1.in.net [199.0.62.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id XAA07176 for ; Tue, 4 Nov 1997 23:21:39 -0800 (PST)
Received: from pm4-22.in.net by su1.in.net with SMTP (5.65/1.2-eef) id AA05351; Wed, 5 Nov 97 02:20:27 -0500
Message-Id: <3.0.3.32.19971105022156.01424a88@in.net>
X-Sender: frankw@in.net
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Wed, 05 Nov 1997 02:21:56 -0500
To: anarch@freedom.gmsociety.org
From: Frank Willoughby
Subject: Re: Hijak detection
Cc: doy@indo-mail.com (Doy), firewalls@greatcircle.com
In-Reply-To: <199711041608.LAA17744@freedom.gmsociety.org>
References: <345F3229.1AAE@indo-mail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 11:08 AM 11/4/97 -0500, Brad wrote:
>Check out Wheelgroup's NetRanger Intrusion Detection product and upcoming NetSonar vulnerability scanner.
>Handles hijacking and much more, also works at fast ethernet and fddi speeds.
>
>Wrath

Perhaps I'm missing something. Why would Wheelgroup's NetRanger product be able to stop session hijacking? Any hacker who is worth their salt will be able to roll their own custom packets to be exactly what the firewall would expect the packets to be (including source/destination info, sequence numbers, etc.) The only defense against session hijacking that I'm aware of is to encrypt from point-to-point.

Best Regards,

Frank

The opinions of the author of this mail may not necessarily be representative of the opinions of Fortified Networks, Inc.

Fortified Networks, Inc. - http://www.fortified.com/
Expert (vendor-neutral) Computer and Network Security Consulting
Phone: (317) 573-0800  Fax: (317) 573-0817

From owner-firewalls-list Wed Nov 5 00:14:13 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id AAA10006; Wed, 5 Nov 1997 00:05:27 -0800 (PST)
Received: from edina.xenologics.com (edina.xenologics.com [194.77.5.1]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id AAA09992 for ; Wed, 5 Nov 1997 00:05:20 -0800 (PST)
Received: from www (xpl102.xnc.de [194.77.5.66]) by edina.xenologics.com (8.6.8.1/8.6.6) with SMTP id JAA12435; Wed, 5 Nov 1997 09:05:11 +0100
Message-ID: <346028B7.47765EE8@edina.xnc.com>
Date: Wed, 05 Nov 1997 09:05:11 +0100
From: Stepken
Organization: F.S.S.
X-Mailer: Mozilla 3.01Gold (X11; I; Linux 2.0.30 i586)
MIME-Version: 1.0
To: Jan Zeilinga
CC: Firewalls@GreatCircle.COM
Subject: Re: why use a smtp proxy
References: <199711050404.PAA18417@euphoria.>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Jan Zeilinga wrote:
>
> Hi,
>
> The current proposed configuration is to allow smtp traffic through the
> firewall to our Exchange server. The Exchange server then decides what to
> do with the mail and routes it onwards to its destined servers within our
> network. My question is: would you use the smtp security server with
> Firewall-1 to do this, no security server at all or allow connections to
> port 25 from the internet, or install another smtp proxy...
>
> What purpose would the smtp proxy serve?
>
> Jan Zeilinga
> Unix/Network consultant
> abm Australasia Pty Ltd
> Tel 613-94159166
> Fax 613-94159245

Hi !

Mostly, e-mail daemons suffer from being attackable by:

1. unallowed commands (defined in RFCs), like the sendmail "|...." command.
2. buffer overflows. That means you can put a program into the mail program's stack and execute it with (mostly) root rights.
To prevent this, there are PROXYs, like smpd, which are small, without functionality, and hoped not to be vulnerable to buffer overflows. They also let just those commands pass through which are defined by RFC. All others are blocked.

sendmail, e.g., does the opposite. First it lets all pass, then filters. It can be too late then.

cu, Guido Stepken

From owner-firewalls-list Wed Nov 5 01:31:34 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id BAA22831; Wed, 5 Nov 1997 01:14:18 -0800 (PST)
Received: from mail.secureservers.net (geek-gw.ptw.com [207.212.186.129]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id BAA21648 for ; Wed, 5 Nov 1997 01:03:24 -0800 (PST)
Received: (qmail 22805 invoked from network); 5 Nov 1997 09:08:42 -0000
Received: from localhost (bextreme@127.0.0.1) by localhost with SMTP; 5 Nov 1997 09:08:42 -0000
Date: Wed, 5 Nov 1997 01:08:41 -0800 (PST)
From: Jesse Brown
X-Sender: bextreme@geek-gw.ptw.com
To: Stepken
cc: Jan Zeilinga , Firewalls@GreatCircle.COM
Subject: Re: why use a smtp proxy
In-Reply-To: <346028B7.47765EE8@edina.xnc.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 5 Nov 1997, Stepken wrote:

> Jan Zeilinga wrote:
> >
> > Hi,
> >
> > The current proposed configuration is to allow smtp traffic through the
> > firewall to our Exchange server. The Exchange server then decides what to
> > do with the mail and routes it onwards to its destined servers within our
> > network. My question is: would you use the smtp security server with
> > Firewall-1 to do this, no security server at all or allow connections to
> > port 25 from the internet, or install another smtp proxy...
> >
> > What purpose would the smtp proxy serve?
> >
> > Jan Zeilinga
> > Unix/Network consultant
> > abm Australasia Pty Ltd
> > Tel 613-94159166
> > Fax 613-94159245
> Hi !
>
> Mostly, e-mail daemons suffer from being attackable by:
> 1. unallowed commands (defined in RFCs), like the sendmail "|...."
> command.

Ummm. Wrong. This is a bug. Not an 'unallowed command'. One of the problems of programs like sendmail is the overwhelming complexity of the program. Because of this, bugs can abound and unintended results are often the outcome.

> 2. buffer overflows. That means you can put a program into the mail
> program's stack and execute it with (mostly) root rights.
>

It depends on the mailer whether or not you can get root. For instance, qmail's smtp daemon (which processes incoming mail) is not privileged. All it does is pass mail on to the mail queue system (which also does not run as root). Therefore a buffer overflow attack in qmail's smtp daemon won't do a heck of a lot for an attack.

> To prevent this, there are PROXYs, like smpd, which are small, without
> functionality, and hoped not to be vulnerable to buffer overflows.
> They also let just those commands pass through which are defined by RFC.
> All others are blocked.
>

An application proxy (like smtpd) is not a mail handler. Rather, it reads an incoming connection and generates another connection to the internal machine, sending along all the data it knows to send. As these proxies are supposed to be the first line of defense, they are usually extensively checked for buffer overflow and other problems. Remember, it is not a mail server or a mail client. Just a PROXY. It merely handles the exchange of data.

> sendmail, e.g., does the opposite. First it lets all pass, then filters.
> It can be too late then.

Sendmail is mail server software. It can be configured to drop connections from a certain host, etc.
>
> cu, Guido Stepken
>

-J

From owner-firewalls-list Wed Nov 5 01:44:12 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id AAA11200; Wed, 5 Nov 1997 00:12:42 -0800 (PST)
Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id AAA11160 for ; Wed, 5 Nov 1997 00:12:33 -0800 (PST)
Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id DAA01853; Wed, 5 Nov 1997 03:09:33 -0500 (EST)
From: Adam Shostack
Message-Id: <199711050809.DAA01853@homeport.org>
Subject: Re: Hijak detection
In-Reply-To: <3.0.3.32.19971105022156.01424a88@in.net> from Frank Willoughby at "Nov 5, 97 02:21:56 am"
To: frankw@in.net (Frank Willoughby)
Date: Wed, 5 Nov 1997 03:09:32 -0500 (EST)
Cc: anarch@freedom.gmsociety.org, doy@indo-mail.com, firewalls@GreatCircle.COM
X-Mailer: ELM [version 2.4ME+ PL27 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

There are real defenses, and there are hacks. Host security is a solid defense, firewalls are a hack. Point to point encryption is a real defense, but there are hacks available.

The point that (doy?) made is that session hijacking produces a flood of shit as you jam in packets in the hopes of getting the numbers right. (Since the other guy is transmitting at the same time as you, you often send a slew of packets, to get them into the stack first.) There are a number of papers on detecting this sort of thing, many published in the months after Tsutomu was hacked.

Thus, you can detect an attack, and perhaps respond to it. It's not an ideal defense. (Point to point cryptographic *authentication*, not encryption, is the ideal defense. Encryption is, of course, useful for other things.) However, we should not let the best become the enemy of the good.
Adam

Frank Willoughby wrote:
| At 11:08 AM 11/4/97 -0500, Brad wrote:
| >Check out Wheelgroup's NetRanger Intrusion Detection product and upcoming
| NetSonar vulnerability scanner.
| >Handles hijacking and much more, also works at fast ethernet and fddi speeds.
| >
| >Wrath
|
| Perhaps I'm missing something. Why would Wheelgroup's NetRanger product be
| able to stop session hijacking? Any hacker who is worth their salt will be
| able to roll their own custom packets to be exactly what the firewall would
| expect the packets to be (including source/destination info, sequence
| numbers, etc.) The only defense against session hijacking that I'm aware of
| is to encrypt from point-to-point.
|
| Best Regards,
|
|
| Frank
| The opinions of the author of this mail may not necessarily be
| representative of the opinions of Fortified Networks, Inc.
|
| Fortified Networks, Inc. - http://www.fortified.com/
| Expert (vendor-neutral) Computer and Network Security Consulting
| Phone: (317) 573-0800  Fax: (317) 573-0817
|

-- 
"It is seldom that liberty of any kind is lost all at once."
-Hume

From owner-firewalls-list Wed Nov 5 05:59:33 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA13463; Wed, 5 Nov 1997 05:57:58 -0800 (PST)
Received: from su1.in.net (su1.in.net [199.0.62.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id FAA13456 for ; Wed, 5 Nov 1997 05:57:51 -0800 (PST)
Received: from pm2-30.in.net by su1.in.net with SMTP (5.65/1.2-eef) id AA17180; Wed, 5 Nov 97 08:56:43 -0500
Message-Id: <3.0.3.32.19971105085813.012fb454@in.net>
X-Sender: frankw@in.net
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Wed, 05 Nov 1997 08:58:13 -0500
To: Adam Shostack
From: Frank Willoughby
Subject: Re: Hijak detection
Cc: frankw@in.net (Frank Willoughby), anarch@freedom.gmsociety.org, doy@indo-mail.com, firewalls@GreatCircle.COM
In-Reply-To: <199711050809.DAA01853@homeport.org>
References: <3.0.3.32.19971105022156.01424a88@in.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 03:09 AM 11/5/97 -0500, Adam Shostack allegedly wrote:
>There are real defenses, and there are hacks. Host security is a
>solid defense, firewalls are a hack. Point to point encryption is a
>real defense, but there are hacks available.

Which particular hacks are you referring to? (If you wish, feel free to e-mail me this off-line).

>The point that (doy?) made is that session hijacking produces a flood
>of shit as you jam in packets in the hopes of getting the numbers
>right. (Since the other guy is transmitting at the same time as you,
>you often send a slew of packets, to get them into the stack first.)

This step shouldn't be necessary. Monitor the packets going to/from the firewall (or target system), bring down the victim's system on the outside (OOB, etc.), and then send in the correct packets to the firewall/system.
The firewall wouldn't notice the difference, and it is likely the victim would chalk up the problem to network difficulties.

>There are a number of papers on detecting this sort of thing, many
>published in the months after Tsutomu was hacked.

I've seen several of these and didn't see anything that would deter the aforementioned attack. OTOH, location-based authentication (based on GPS) *might* slow this attack down for the near future, but only for the military folks. The current resolution of GPS wouldn't deter this type of attack for civilians - at least not today.

If you have the time, I would be interested in a reference or pointer about a method which does not use encryption to deter session hijacking (other than GPS location-based authentication).

>Thus, you can detect an attack, and perhaps respond to it.

In the aforementioned attack, the firewall would not be aware that anything was up (or even care). By the time the victim recovered, the bad guy would already be into the internal system.

>It's not an
>ideal defense. (Point to point cryptographic *authentication*, not
>encryption, is the ideal defense.

Such as SecurID, Digital Pathways, DESlock, etc? These wouldn't slow down a serious attacker.

8< [snip]

Best Regards,

Frank

The opinions of the author of this mail may not necessarily be representative of the opinions of Fortified Networks, Inc.

Fortified Networks, Inc. - http://www.fortified.com/
Expert (vendor-neutral) Computer and Network Security Consulting
Phone: (317) 573-0800  Fax: (317) 573-0817

From owner-firewalls-list Wed Nov 5 06:14:15 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA13706; Wed, 5 Nov 1997 06:06:55 -0800 (PST)
Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id GAA13691 for ; Wed, 5 Nov 1997 06:06:49 -0800 (PST)
Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id JAA03367; Wed, 5 Nov 1997 09:03:59 -0500 (EST)
From: Adam Shostack
Message-Id: <199711051403.JAA03367@homeport.org>
Subject: Re: Hijak detection
In-Reply-To: <3.0.3.32.19971105085813.012fb454@in.net> from Frank Willoughby at "Nov 5, 97 08:58:13 am"
To: frankw@in.net (Frank Willoughby)
Date: Wed, 5 Nov 1997 09:03:59 -0500 (EST)
Cc: adam@homeport.org, frankw@in.net, anarch@freedom.gmsociety.org, doy@indo-mail.com, firewalls@GreatCircle.COM
X-Mailer: ELM [version 2.4ME+ PL27 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Frank Willoughby wrote:
| At 03:09 AM 11/5/97 -0500, Adam Shostack allegedly wrote:
| >There are real defenses, and there are hacks. Host security is a
| >solid defense, firewalls are a hack. Point to point encryption is a
| >real defense, but there are hacks available.
|
| Which particular hacks are you referring to? (If you wish, feel free
| to e-mail me this off-line).

The suggestion that Doy made, perhaps the new Wheel Group product.

| >The point that (doy?) made is that session hijacking produces a flood
| >of shit as you jam in packets in the hopes of getting the numbers
| >right. (Since the other guy is transmitting at the same time as you,
| >you often send a slew of packets, to get them into the stack first.)
|
| This step shouldn't be necessary.
| Monitor the packets going to/from
| the firewall (or target system), bring down the victim's system on
| the outside (OOB, etc.), and then send in the correct packets to the
| firewall/system. The firewall wouldn't notice the difference, and it
| is likely the victim would chalk up the problem to network difficulties.

You assume a perfect attacker. I assume script kiddies. There are more script kiddies than perfect attackers. If you spend time watching real attacks on real systems, you realize how many idiots are out there.

| >There are a number of papers on detecting this sort of thing, many
| >published in the months after Tsutomu was hacked.
|
| I've seen several of these and didn't see anything that would deter
| the aforementioned attack. OTOH, location-based authentication
| (based on GPS) *might* slow this attack down for the near future,
| but only for the military folks. The current resolution of GPS
| wouldn't deter this type of attack for civilians - at least not
| today.

I have no clue what you're talking about, other than that paper about location escrow by Denning. Anyone who can't redo their TCP stack to break that can't execute a perfect hijack either.

| If you have the time, I would be interested in a reference or pointer
| about a method which does not use encryption to deter session hijacking
| (other than GPS location-based authentication).

Pointer: Doy's previous posts about the statistical deviations in bad packets when hijacking takes place.

| >It's not an
| >ideal defense. (Point to point cryptographic *authentication*, not
| >encryption, is the ideal defense.
|
| Such as SecurID, Digital Pathways, DESlock, etc? These wouldn't slow down
| a serious attacker.

No, such as IPsecurity AH packets. SSL3 using separate keys to authenticate and encrypt a session. I apologize for my lack of precision; I should have said cryptographic integrity protection for the session.

Adam

-- 
"It is seldom that liberty of any kind is lost all at once."
-Hume

From owner-firewalls-list Wed Nov 5 06:45:02 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA14728; Wed, 5 Nov 1997 06:29:05 -0800 (PST)
Received: from mail.clark.net (mail.clark.net [168.143.0.10]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id GAA14709 for ; Wed, 5 Nov 1997 06:28:59 -0800 (PST)
Received: from clark.net (proberts@explorer.clark.net [168.143.0.7]) by mail.clark.net (8.8.8/8.8.8) with ESMTP id JAA08406; Wed, 5 Nov 1997 09:29:16 -0500 (EST)
Received: from localhost (proberts@localhost) by clark.net (8.8.8/8.8.8) with SMTP id JAA16114; Wed, 5 Nov 1997 09:29:15 -0500 (EST)
X-Authentication-Warning: clark.net: proberts owned process doing -bs
Date: Wed, 5 Nov 1997 09:29:15 -0500 (EST)
From: "Paul D. Robertson"
To: Adam Shostack
cc: Frank Willoughby , firewalls@GreatCircle.COM
Subject: Re: Hijak detection
In-Reply-To: <199711050809.DAA01853@homeport.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 5 Nov 1997, Adam Shostack wrote:

> The point that (doy?) made is that session hijacking produces a flood
> of shit as you jam in packets in the hopes of getting the numbers
> right. (Since the other guy is transmitting at the same time as you,
> you often send a slew of packets, to get them into the stack first.)
> There are a number of papers on detecting this sort of thing, many
> published in the months after Tsutomu was hacked.

Even in an ideal hijack, you'd see traffic from the attacker and the victim at the same time; one would suppose you could alert on that even if the attacker was sniffing sequence numbers instead of guessing them.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
PSB#9280

From owner-firewalls-list Wed Nov 5 07:14:09 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA18144; Wed, 5 Nov 1997 07:08:33 -0800 (PST)
Received: from cleopatra.ultra.net (cleopatra.ultra.net [199.232.56.35]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id HAA18107 for ; Wed, 5 Nov 1997 07:08:22 -0800 (PST)
Received: from joespc.judgefamily.org (joesmac.ultranet.com [199.232.59.222]) by cleopatra.ultra.net (8.8.5/ult1.05) with SMTP id KAA15725; Wed, 5 Nov 1997 10:08:36 -0500 (EST)
Received: by joespc.judgefamily.org with Microsoft Mail id <01BCE9D2.D3EF2380@joespc.judgefamily.org>; Wed, 5 Nov 1997 10:08:56 -0500
Message-ID: <01BCE9D2.D3EF2380@joespc.judgefamily.org>
From: Joseph Judge
To: "Firewalls@GreatCircle.COM" , "'Jan Zeilinga'"
Subject: RE: why use a smtp proxy
Date: Wed, 5 Nov 1997 10:08:55 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Jan -

It is all a matter of risks and what you are willing to take on ... versus the cost of doing it another way. So:

- do you trust that the Exchange server was written with risk and security in mind?
- do you think they wrote robust code (no buffer overruns that could compromise the box via the SMTP handling code?)
- if not, then what would be the risk ... with this box sitting uncontained on your company net? (and I type this with a straight face, even after seeing the way MS programmers handle the exception conditions in their code. Read the Risks forum for various MS server "unexpected behaviors")
- Do you want to offer the full suite of SMTP "verbs" to the outside world
- realize that *anyone* can just 'telnet' to this port from the Internet and will be talking directly to a machine "inside your trusted zone" (to use silly marketing speak)

etc, etc, etc. Think along those lines.
I don't know about FW-1's proxy, but they may have addressed these items to reduce the risk that the inside SMTP server (whatever it is, from old sendmail with the wizard bug from years ago to the newest spiffiest SMTPd). See how well smap/smapd from Marcus has lasted over the years --- minimalistic, well thought-out design that has been protecting bad email servers since like '87 or '88? (that is like an eon in Internet time).

--
-joe

----------
From: Jan Zeilinga[SMTP:j.zeilinga@abm.com.au]
Sent: Tuesday, November 04, 1997 9:56 PM
To: Firewalls@GreatCircle.COM
Subject: why use a smtp proxy

Hi,

The current proposed configuration is to allow smtp traffic through the firewall to our Exchange server. The Exchange server then decides what to do with the mail and routes it onwards to its destined servers within our network. My question is: would you use the smtp security server with Firewall-1 to do this, no security server at all or allow connections to port 25 from the internet, or install another smtp proxy...

What purpose would the smtp proxy serve?
Jan Zeilinga Unix/Network consultant abm Australasia Pty Ltd Tel 613-94159166 Fax 613-94159245 From owner-firewalls-list Wed Nov 5 08:30:38 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA22907; Wed, 5 Nov 1997 07:35:29 -0800 (PST) Received: from cleopatra.ultra.net (cleopatra.ultra.net [199.232.56.35]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id HAA22862 for ; Wed, 5 Nov 1997 07:35:17 -0800 (PST) Received: from joespc.judgefamily.org (joesmac.ultranet.com [199.232.59.222]) by cleopatra.ultra.net (8.8.5/ult1.05) with SMTP id KAA24671 for ; Wed, 5 Nov 1997 10:35:35 -0500 (EST) Received: by joespc.judgefamily.org with Microsoft Mail id <01BCE9D6.98905440@joespc.judgefamily.org>; Wed, 5 Nov 1997 10:35:55 -0500 Message-ID: <01BCE9D6.98905440@joespc.judgefamily.org> From: Joseph Judge To: "'Firewalls Mailing List'" Subject: FIX protocol Date: Wed, 5 Nov 1997 10:34:41 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk The FIX protocol (http://www.fixprotocol.org/) is becoming more and more popular in the financial community. I am involved in a project at work to pursue extending the use of this outside of the point-to-point private links (read: they want to use FIX over the Internet). Anyone in the firewalls community have any hands-on with FIX? 
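Back on the "why use a smtp proxy" thread (Joe's reply to Jan, just before the FIX message): the point about not offering the full SMTP verb set to the Internet, and the smap/smapd style of storing a message and handing it to the real server in a separate step, is easiest to see in code. What follows is an added example written for this archive, not smap itself and not anything a poster sent. It is a minimal SMTP front end that speaks only HELO/EHLO, MAIL, RCPT, DATA, RSET, NOOP and QUIT, refuses every other verb (VRFY, EXPN, TURN, ETRN, AUTH and so on) with 502, bounds line length, recipient count and message size, and spools the accepted message instead of relaying it live, so the Exchange or sendmail box behind it never talks to the untrusted client at all. The hostname `relay.example`, the address pattern, the limits and the session used to exercise it are all assumptions.

```python
"""Minimal store-and-forward SMTP front end (added example; not smap/smapd).
Only the verbs needed to receive a message exist; everything else gets 502.
Limits are enforced before a byte is spooled.  The spool is an in-memory list
here; a real deployment writes each message to a spool directory for a
separate, unprivileged delivery process to pick up."""
import re

MAX_LINE = 1000                 # longest client line accepted, CRLF included
MAX_RCPT = 100
MAX_DATA = 10 * 1024 * 1024
ALLOWED = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}

# deliberately conservative address syntax (assumption): local@domain, ASCII only
ADDR_RE = re.compile(r"^<?([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+)>?$")


def parse_path(arg, keyword):
    """Parse 'FROM:<a@b>' / 'TO:<a@b>'.  Returns the address, '' for the null
    sender <>, or None when the argument is not acceptable."""
    prefix = keyword + ":"
    if not arg.upper().startswith(prefix):
        return None
    rest = arg[len(prefix):].strip()
    if keyword == "FROM" and rest == "<>":
        return ""
    m = ADDR_RE.match(rest)
    return m.group(1) if m else None


class SmtpFrontEnd:
    def __init__(self, hostname="relay.example", spool=None):
        self.hostname = hostname
        self.spool = spool if spool is not None else []   # (sender, rcpts, body)
        self.in_data = False
        self.closed = False
        self._reset()

    def _reset(self):
        self.sender, self.rcpts, self.lines = None, [], []
        self.size, self.discard = 0, False

    def greeting(self):
        return "220 %s ESMTP front end" % self.hostname

    def feed_line(self, raw):
        """One client line as bytes (CRLF optional).  Returns the reply, or
        None while message text is being collected."""
        if self.closed:
            return None
        if len(raw) > MAX_LINE:
            self.closed = True          # hang up; never forward an oversized line
            return "500 line too long"
        line = raw.rstrip(b"\r\n").decode("ascii", errors="replace")
        return self._data(line) if self.in_data else self._command(line)

    def _command(self, line):
        parts = line.split(None, 1)
        verb = parts[0].upper() if parts else ""
        arg = parts[1] if len(parts) > 1 else ""
        if verb not in ALLOWED:
            return "502 command not implemented"     # VRFY, EXPN, ... stop here
        if verb in ("HELO", "EHLO"):
            if not arg:
                return "501 hostname required"
            self._reset()
            return "250 %s" % self.hostname          # no extensions advertised
        if verb == "NOOP":
            return "250 ok"
        if verb == "RSET":
            self._reset()
            return "250 ok"
        if verb == "QUIT":
            self.closed = True
            return "221 bye"
        if verb == "MAIL":
            if self.sender is not None:
                return "503 sender already given"
            addr = parse_path(arg, "FROM")
            if addr is None:
                return "501 bad sender address"
            self.sender = addr
            return "250 ok"
        if verb == "RCPT":
            if self.sender is None:
                return "503 MAIL first"
            if len(self.rcpts) >= MAX_RCPT:
                return "452 too many recipients"
            addr = parse_path(arg, "TO")
            if addr is None:
                return "501 bad recipient address"
            self.rcpts.append(addr)
            return "250 ok"
        if not self.rcpts:                           # DATA
            return "503 RCPT first"
        self.in_data = True
        return "354 end data with <CRLF>.<CRLF>"

    def _data(self, line):
        if line == ".":
            self.in_data = False
            too_big = self.discard
            if not too_big:
                self.spool.append((self.sender, list(self.rcpts), "\n".join(self.lines)))
            self._reset()
            return "552 message too large" if too_big else "250 queued"
        if line.startswith(".."):
            line = line[1:]                          # dot-unstuffing
        self.size += len(line) + 2
        if self.size > MAX_DATA:
            self.discard, self.lines = True, []      # read to the dot, then refuse
        elif not self.discard:
            self.lines.append(line)
        return None


def run_session(client_lines, spool=None):
    """Drive one front end over a list of client lines; return its replies."""
    fe = SmtpFrontEnd(spool=spool)
    replies = [fe.greeting()]
    for raw in client_lines:
        reply = fe.feed_line(raw)
        if reply is not None:
            replies.append(reply)
        if fe.closed:
            break
    return replies
```

`feed_line` takes one client line and returns the reply, so it can sit behind any accept loop (for instance a `socketserver.StreamRequestHandler` reading `rfile` line by line). What makes it useful as a front end is what it does not do: no VRFY or EXPN, no extensions on EHLO, no address syntax beyond a strict pattern, and no connection to the inside server while the untrusted client is attached.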
--joe From owner-firewalls-list Wed Nov 5 08:45:15 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA29498; Wed, 5 Nov 1997 08:08:15 -0800 (PST) Received: from garuda.barc.ernet.in (garuda.barc.ernet.in [202.41.86.4]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id IAA29386 for ; Wed, 5 Nov 1997 08:07:44 -0800 (PST) Received: from sparc03.barc.ernet.in by garuda.barc.ernet.in via SMTP (940816.SGI.8.6.9/940406.SGI) for id WAA05157; Mon, 3 Nov 1997 22:24:12 -0800 Received: from localhost by sparc03.barc.ernet.in (4.1/SMI-4.1) id AA15766; Tue, 4 Nov 97 11:56:45 IST Date: Tue, 4 Nov 1997 11:56:45 +0530 (IST) From: "c.s.r.murthy" To: Firewalls@GreatCircle.COM Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello Sirs! We have a class `C` internet address space at our disposal. I want to split into two subnets and connect them using firewall. I want to keep important systems like DNS and MAIL server on the subnet outside firewall which will have direct internet access. Hosts inside fire wall should have internet access for all applications, whereas internet hosts should be prevented from accessing hosts on subnet inside firewall. 
MAIL server Does anybody know how to configure linux FWTK for this setup Thanks in advance From owner-firewalls-list Wed Nov 5 09:09:40 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA23192; Wed, 5 Nov 1997 07:36:45 -0800 (PST) Received: from ALABAMA.CF.CS.YALE.EDU (RT-GW.CS.YALE.EDU [128.36.0.13]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id HAA22994 for ; Wed, 5 Nov 1997 07:35:55 -0800 (PST) Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU (8.7.1/res.host.cf-4.0) with ESMTP id KAA29242; Wed, 5 Nov 1997 10:33:33 -0500 (EST) sender long-morrow@CS.YALE.EDU for Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-8.7.1/res.client.cf-4.0) id KAA14954; Wed, 5 Nov 1997 10:33:30 -0500 (EST) Date: Wed, 5 Nov 1997 10:33:30 -0500 (EST) Message-Id: <199711051533.KAA14954@SPARKY.CF.CS.YALE.EDU> To: anarch@freedom.gmsociety.org, frankw@in.net Subject: Re: Hijak detection Cc: doy@indo-mail.com, firewalls@greatcircle.com From: "H. Morrow Long" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk From: Frank Willoughby >Perhaps I'm missing something. Why would Wheelgroup's NetRanger >product be able to stop session hijacking? Any hacker who is worth >their salt will be able to roll their own custom packets to be exactly >what the firewall would expect the packets to be (including >source/destination info, sequence numbers, etc.) The only defense >against session hijacking that I'm aware of is to encrypt from >point-to-point. They may pro-actively allow the network admin/infosec officer to terminate the TCP in real-time from the network by sending TCP resets for the TCP session to both endpoints of the conversation being hijacked, and also possibly send ICMP 'destination unreachable' messages to both endpoint hosts as well (though that is a much more drastic step to take and would likely cause all TCP connections between the two machines to be torn down). H. 
Morrow Long, Yale Univ IT ISO -Info Technology Services Info Security Officer 175 Whitney Avenue, New Haven, CT 06520-8276, (203)432-1248(voice) 432-0593(FAX) INET: http://pantheon.yale.edu/~long/ mailto:Morrow.Long@yale.edu PAGE: (203)370-3081, (800)347-2574, mailto:1165469@pager.mcb.com PIN# 1165469 PGP 1024/54F9FD69 1997/08/25 fp 97 ED E7 9D 41 8A 90 8C 4D 7C 22 56 80 BA 84 09 From owner-firewalls-list Wed Nov 5 09:12:45 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA29317; Wed, 5 Nov 1997 08:07:15 -0800 (PST) Received: from nebula.online.ee (nebula.online.ee [194.106.96.11]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id IAA29230 for ; Wed, 5 Nov 1997 08:06:55 -0800 (PST) Received: from localhost (jk@localhost) by nebula.online.ee (8.8.7/8.8.3) with SMTP id SAA17746 for ; Wed, 5 Nov 1997 18:07:05 +0200 (EET) Date: Wed, 5 Nov 1997 18:07:04 +0200 (EET) From: Jyri Kaljundi X-Sender: jk@nebula To: Firewalls@GreatCircle.COM Subject: Re: sex,lies, and application proxy based fw vs Check Point In-Reply-To: <199711022315.PAA29474@honor.greatcircle.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Sun, 2 Nov 1997, Smoot Carl-Mitchell wrote: > I've come to believe that GUIs are really designed for the purchasing > managers and not for the technical people that need to use an actual > product. A GUI is basically packaging. They usually do not add any > functionality to a package, but any good marketing person will tell > you that flash sells, almost regardless of the underlying technology. There still is more than just marketing. What a good GUI sometimes can do is to save your time, and the time of good networking and security professionals is not really cheap. So sometimes a good professional using a graphical interface can do much more in shorter time than someone using just a command-line interface. 
There are some assumptions I make with this: the person working with the GUI must know what is under it and what really happens with every button he presses. He must know how to use the product without the GUI and preferably have general knowledge of both the network protocols and maybe even other vendors' products. Still I believe with the rate of firewalls installed every day growing rapidly, there is a very big number of people who have bought a firewall solution based just on marketing. There just are not enough security people available. Jyri Kaljundi jk@stallion.ee AS Stallion Ltd http://www.stallion.ee/ From owner-firewalls-list Wed Nov 5 09:44:55 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA02090; Wed, 5 Nov 1997 08:27:45 -0800 (PST) Received: from pinux.selfin.net ([194.244.74.35]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id IAA02077 for ; Wed, 5 Nov 1997 08:27:34 -0800 (PST) Received: from client ([194.244.74.131]) by pinux.selfin.net (8.7.5/8.7.3) with ESMTP id AAA04439; Thu, 6 Nov 1997 00:19:11 +0100 Message-Id: <199711052319.AAA04439@pinux.selfin.net> From: "Franco RUGGIERI" To: "Billy Verreynne" Cc: "GreatCircle forum" Subject: R: Unlimited Users Firewalls Date: Wed, 5 Nov 1997 16:12:09 +0100 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1161 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Billy, maybe I'm biased by my deep love towards a company whose workhorse (dubbed by the year it was finally released) too many times so far has left me stranded, by just losing few, but meaningful, kilobytes of key stuff. When you say: "The problem I believe is that NT's IP is not always robust enough to survive a hacker attack." you are firing an A-bomb, IMHO. Aren't you? 
Do I correctly understand you if I say that, since firewalls are here to ward off hackers' attacks, it's better not to rely on an NT since its IP isn't up to the task we want to use it for? This reminds me of having heard that, in the early decades of this century, a racing car maker overlooked the importance of brakes by saying: "My cars are to run, not to stop". It has disappeared from the marketplace. ------------------------------- Franco RUGGIERI fruggieri@selfin.net ---------- > From: Billy Verreynne > To: ygerman@genre.com; yati@mod.gov.my > Cc: Firewalls@GreatCircle.COM > Subject: Re: Unlimited Users Firewalls > Date: Thursday 23 October 1997 10:32 > > > ygerman@genre.com wrote: > > > I would also say stay away from NT firewalls because the NT TCP/IP > > stack is not as robust as Unix in a high volume environment. > > On what facts do you base this? AFAIK the problems with Microsoft's > implementation of TCP/IP have more to do with incorrectly handling packets > that were incorrectly assembled (e.g. the OOB problem which gave all the > dumb snotty nose wannabe hackers a hard on) . But even Unix TCP/IP do not > always respond as it should - what about SYN stealth scans? > > A company I know have been using NT with SQL-Server across a WAN for a > number of years now. The volumes are pretty high - hundreds of users doing > OLTP transactions. The problem has never been with TCP/IP on NT, but rather > with SQL-Server and the Microsoft client (Win95) DB library. > > I have worked with NT since the first beta, and TCP/IP IMHO was never a > problem, but rather the use of it (like running NetBIOS pipes across TCP/IP > instead of using sockets). Of course Microsoft was naive in believing they > could implement the RFCs for TCP/IP without paying much attention to wrong > IP packets. But remember these IP packets are almost always the result of > hacker attacks. In a standard high volume business environment NT's IP is > stable and robust enough IMHO. 
The problem I believe is that NT's IP is not > always robust enough to survive a hacker attack. > > NT has received a lot of flak, especially from the Unix lovers, but it is > still a good operating system and one that is used (as with Unix) > throughout the world by many companies for running mission critical > applications. > > regards, > Billy From owner-firewalls-list Wed Nov 5 09:46:52 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA02167; Wed, 5 Nov 1997 08:28:15 -0800 (PST) Received: from pinux.selfin.net ([194.244.74.35]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id IAA02137 for ; Wed, 5 Nov 1997 08:28:01 -0800 (PST) Received: from client ([194.244.74.131]) by pinux.selfin.net (8.7.5/8.7.3) with ESMTP id AAA04448; Thu, 6 Nov 1997 00:19:37 +0100 Message-Id: <199711052319.AAA04448@pinux.selfin.net> From: "Franco RUGGIERI" To: Cc: "GreatCircle forum" Subject: R: Unlimited Users Firewalls Date: Wed, 5 Nov 1997 16:52:42 +0100 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1161 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Craig, please tell me your opinion on this statement of mine (many people have been burned alive for much less than that). A firewall is something that must not be tampered with, so the fewer people know something about it (in the organization it is there to protect) the better. Thus, a UNIX O.S. is a good thing in an environment where many people know NT, i.e. almost everywhere. TIA. ------------------------------- Franco RUGGIERI fruggieri@selfin.net ---------- > From: Craig I. Hagan > To: Billy Verreynne > Cc: ygerman@genre.com; yati@mod.gov.my; Firewalls@GreatCircle.COM > Subject: Re: Unlimited Users Firewalls > Date: Saturday 25 October 1997 3:37 > > > > dumb snotty nose wannabe hackers a hard on) . 
But even Unix TCP/IP do not > > always respond as it should - what about SYN stealth scans? > > what about them? you are ignoring the disease by addressing the > symptoms. the fact is that you can't yet state with certainty > that MS's tcp code is safe/secure. > > > > > A company I know have been using NT with SQL-Server across a WAN for a > > number of years now. The volumes are pretty high - hundreds of users doing > > OLTP transactions. The problem has never been with TCP/IP on NT, but rather > > with SQL-Server and the Microsoft client (Win95) DB library. > > > > hundreds of users isn't high volume. more importantly, hundreds > of users with what expectation of response time? I would expect > sub-second (200ms) worst case response time for a production > DB engine with so low a load. > > > > stable and robust enough IMHO. The problem I believe is that NT's IP is not > > always robust enough to survive a hacker attack. > > > NT has received a lot of flak, especially from the Unix lovers, but it is > > still a good operating system and one that is used (as with Unix) > > throughout the world by many companies for running mission critical > > applications. > > I would argue that NT still has much more flak to go as fortune 1000 > companies start trying to take it out of pilot and into production for > certain 'mission critical' applications. > > I argue that the ideas behind NT -- that unix, although a good operating > system, is too complex for the average business due to the scarcity of > knowledgeable people -- is reasonable. however, to then say that NT is > good because it is the _only_ OS to fill that need (regardless of > shortcomings) is a little premature. Ask me again in five years when NT > has had a chance to incubate a bit longer. Currently, i don't consider it > reasonable to compare a young (few year old) os against unix which has > been around for a generation in terms of robustness, etc. 
> > -- craig > > ---------------------------------------------------------------------------- --- > Craig I. Hagan "It's a small world, but I wouldn't want to back it up" > hagan(at)cih.com "True hackers don't die, their ttl expires" > "It takes a village to raise an idiot, but an idiot can raze a village" > > Stop the spread of spam, use a sendmail condom! > http://www.cih.com/~hagan/smtpd-hacks > From owner-firewalls-list Wed Nov 5 09:48:45 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA05701; Wed, 5 Nov 1997 08:53:43 -0800 (PST) Received: from cih-gw.cih.com (cih-gw.cih.com [204.69.206.1]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id IAA05691 for ; Wed, 5 Nov 1997 08:53:26 -0800 (PST) Received: (from mail@localhost) by cih-gw.cih.com (8.7.6/8.6.9) id LAA24623; Wed, 5 Nov 1997 11:59:11 -0500 X-Authentication-Warning: cih-gw.cih.com: mail set sender to using -f Received: from cih-gw.cih.com(204.69.206.1) via SMTP by cih-gw.cih.com, id smtpd24621aaa; Wed Nov 5 16:59:09 1997 Date: Wed, 5 Nov 1997 11:59:09 -0500 (EST) From: "Craig I. Hagan" Reply-To: hagan@cih.com To: Franco RUGGIERI cc: GreatCircle forum Subject: Re: R: Unlimited Users Firewalls In-Reply-To: <199711052319.AAA04448@pinux.selfin.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Craig, > please tell me your opinion on this statement of mine (many people have > been burned alive for much less than that). > > A firewall is something that must not be tampered with, so the fewer people > know something about it (in the organization it is there to protect) the > better. Thus, a UNIX O.S. is a good thing in an environment where many > people know NT, i.e. almost everywhere. many takes. the short one is that if the above were true, and the firewall person left, was hit by a bus, etc, then the company is *FUCKED*. 
Additionally, you may need to change the firewall to reflect changes in security policy -- after all, the firewall merely enacts policy, it doesn't create it. A better method, imho, of saying it (perhaps what you meant) would be: " Firewalls exist to enact corporate security policy. Since this policy changes infrequently, access controls to the firewall should be both severely restricted, and logged in such a way as to make any and all actions obvious to an experienced administrator. Additionally, all changes made to the firewall must go through authorized change control procedures so that they can accurately reflect the security policy, and the coding can be properly reviewed to make sure that policy is correctly enacted. " IMHO, knowledge is a good thing: if everyone knew about the firewall, how it worked, and WHY it did what it did, and even the source code of the firewall, it shouldn't matter if the firewall properly enacts your policies (and they demand stringent access control). In fact, if the people in the company were knowledgeable, then they would likely know the policy and WHY it was in effect. As for the OS choice of the firewall, unix/NT/OS2/mac/DOS/whatever, security through obscurity is the worst case scenario in that you are banking on people not knowing something rather than proper access controls and channels to facilitate this. A better question might be: if you are using unix/NT/OS2/mac/DOS/whatever for a firewall, how could people (both internal and external) gain unauthorized access to the firewall? If your policy states that this should not be, then you should take every action to prevent it. For an NT machine, it may mean not participating in a domain, blocking all of the RPC/auth/whatever ports,disabling a rack of services,etc. for unix it may mean not participating in a YP/NIS domain, not running RPC/portmapper and a myriad of other daemons, etc. same ideas, different OS. But, all comes down to policy and properly enacting it. 
-- craig ------------------------------------------------------------------------------- Craig I. Hagan "It's a small world, but I wouldn't want to back it up" hagan(at)cih.com "True hackers don't die, their ttl expires" "It takes a village to raise an idiot, but an idiot can raze a village" Stop the spread of spam, use a sendmail condom! http://www.cih.com/~hagan/smtpd-hacks From owner-firewalls-list Wed Nov 5 09:54:26 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA09764; Wed, 5 Nov 1997 09:27:55 -0800 (PST) Received: from ss1.digex.net (ss1.digex.net [204.91.97.4]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id JAA09699 for ; Wed, 5 Nov 1997 09:27:38 -0800 (PST) Received: from 172.16.5.57 (pix000211.staff.digex.net [206.205.168.223]) by ss1.digex.net (8.8.4/8.8.4) with SMTP id MAA18739 for ; Wed, 5 Nov 1997 12:27:45 -0500 (EST) X-Mailer: InterCon tcpCONNECT4 4.0.2 (Macintosh) MIME-Version: 1.0 Message-Id: <9711051228.AA08574@172.16.5.57> Date: Wed, 5 Nov 1997 12:28:08 -0500 From: "Roberta Long" To: firewalls@GreatCircle.COM Subject: Info about v-one products? Content-Type: Text/Plain; charset=US-ASCII Content-Disposition: Inline Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Someone has been asking me about these products. Can anyone provide me with first-hand experiences in dealing with this company and their products? 
Roberta From owner-firewalls-list Wed Nov 5 09:55:26 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA09852; Wed, 5 Nov 1997 09:28:15 -0800 (PST) Received: from columbia.digiweb.com (columbia.digiweb.com [206.161.225.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id JAA09777 for ; Wed, 5 Nov 1997 09:27:57 -0800 (PST) Received: from dyabolyk.com (dino.underground.net [207.213.51.18]) by columbia.digiweb.com (8.8.8/8.8.5) with ESMTP id MAA28970 for ; Wed, 5 Nov 1997 12:28:06 -0500 (EST) Mail-For: Message-ID: <3460AC60.B2A70B29@dyabolyk.com> Date: Wed, 05 Nov 1997 09:26:57 -0800 From: jonathan tobin/DBK Reply-To: dyabolyk@dyabolyk.com Organization: _.._.>.---- X-Mailer: Mozilla 4.03 [en] (WinNT; I) MIME-Version: 1.0 To: firewalls@GreatCircle.com Subject: NT Server Security References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This may not be specifically related to firewalls, but I'd like to know if there are any sites or mailinglists that deal with NT Server Securtiy. Any leads would be most appreciated. 
--jt From owner-firewalls-list Wed Nov 5 09:56:56 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA10355; Wed, 5 Nov 1997 09:31:53 -0800 (PST) Received: from caladan.verisign.com (caladan.verisign.com [205.180.232.21]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id JAA10346 for ; Wed, 5 Nov 1997 09:31:47 -0800 (PST) Received: from mentat.verisign.com by caladan.verisign.com (8.8.5/BCH1.0) id JAA01650; Wed, 5 Nov 1997 09:32:03 -0800 (PST) Received: from arrakis.verisign.com by mentat.verisign.com (8.8.5/BCH1.0) id JAA21035; Wed, 5 Nov 1997 09:32:02 -0800 (PST) Received: by arrakis.verisign.com (SMI-8.6/SMI-SVR4) id JAA27141; Wed, 5 Nov 1997 09:31:59 -0800 Date: Wed, 5 Nov 1997 09:31:59 -0800 From: varmav@verisign.com (Vik Varma) Message-Id: <199711051731.JAA27141@arrakis.verisign.com> To: Firewalls@GreatCircle.COM, murthy@sparc03.barc.ernet.in Subject: Re: Your Message Sent on Tue, 4 Nov 1997 11:56:45 +0530 (IST) Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Content-MD5: 8L3if8/hgyK9PHYjOahc2Q== Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Hello Sirs! > > We have a class `C` internet address space at our disposal. I want to > split into two subnets and connect them using firewall. I want to keep > important systems like DNS and MAIL server on the subnet outside firewall > which will have direct internet access. Hosts inside fire wall should have > internet access for all applications, whereas internet hosts should be > prevented from accessing hosts on subnet inside firewall. MAIL server > > Does anybody know how to configure linux FWTK for this setup Is there a reason you want a valid class C address space inside your firewall? Why not just use one of the private class C addresses specified in RFC 1918? 
This is typically what you want to do, using the firewall box as your gateway to the world and have it perform NAT (via proxies) on all external services. -- Vik Varma VeriSign, Inc System Administrator (650) 429-3352 Operations, Information Systems Vik.Varma@verisign.com From owner-firewalls-list Wed Nov 5 09:58:22 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA10829; Wed, 5 Nov 1997 09:40:45 -0800 (PST) Received: from cypress.idir.net (cypress.idir.net [204.189.68.16]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id JAA10822 for ; Wed, 5 Nov 1997 09:40:37 -0800 (PST) Received: from cypress.idir.net (cypress.idir.net [204.189.68.16]) by cypress.idir.net (8.8.5/8.8.4) with SMTP id LAA27080; Wed, 5 Nov 1997 11:39:50 -0600 Date: Wed, 5 Nov 1997 11:39:49 -0600 (CST) From: Jason Keimig To: Adam Shostack cc: Frank Willoughby , firewalls@GreatCircle.COM Subject: Re: Hijak detection In-Reply-To: <199711050809.DAA01853@homeport.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > The point that (doy?) made is that session hijacking produces a flood > of shit as you jam in packets in the hopes of getting the numbers > right. (Since the other guy is transmitting at the same time as you, > you often send a slew of packets, to get them into the stack first.) > There are a number of papers on detecting this sort of thing, many > published in the months after Tsutomo was hacked. Actually, the attacker does the _least_ amount of work, in terms of the packet storms that result from hi-jacking a session. The fundamental aspect of hijacking revolves around de-syncing the state machine of the connection between the two attacked hosts. The "flood" you refer to is simply the result of the unsuspecting hosts ACKing packets that are not in-line with the current sequence numbers that THEY believe are correct. 
Since the attacker (assumably) inserts _something_ into the connection, the resultant SEQ/ACK pair will always be different between the two unsuspecting hosts. As the attacker continues to insert data into the stream, the receiving host ACKs this data, but the other end sees the ACK as out of bounds with its idea of the current state. So, it just ACKs the ACK. This perpetuates as ACKs answering ACKs. Hence, the eternal ACK storm. What actually kills this ack storm is a lost packet. Once one ACK is dropped, the storm disappears. This is a function of the network load and reliability of the layer-1 medium. So yes, you _can_ detect these ACK storms, but what you really want to see in the packets you pick up is the idea of the desynchronized state machine. Locating WHEN the desynch occurred gives a little more information. Something nobody really ever talks about in foiling/detecting all of these IP spoofing attacks is to look at the layer-2 information of suspected forged attacks. That and looking at packet IDs can give fairly certain proof that some clown really is trying to do something evil. Of course, proxies and bridges CAN complicate things tho... Granted that this analysis is in itself limited, but all of the "hacking" tools out there TODAY just do simple Layer 3/4 forgings -- and these are easy to detect. -J. 
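Jason's description above of the desynchronised state machines and the resulting ACK storm, together with two other ideas in this thread (H. Morrow Long's note that a sensor can terminate a session by sending TCP resets to both ends, and, further down, Jean-Christophe Smith's suggestion of keeping an ARP-style list of active sessions and their hardware addresses), can be turned into a small passive monitor. The code below is an added example written for this archive; it is not any poster's tool and not NetRanger. It works on packet summaries (one namedtuple per packet) fed in by hand, because a capture source is outside the scope here. The MAC and IP addresses, ports, sequence numbers, the two traces and the threshold of 20 repeated ACKs are constructed assumptions. It raises three kinds of alert: a packet for a known IP arriving from a different hardware address; a pure ACK whose sequence number sits more than one byte behind data already seen from that address (the legitimate end answering from where it thinks it is, after someone else's bytes were counted against it); and a run of identical empty ACKs alternating between the two ends.

```python
"""Passive TCP session-hijack monitor (added example, not from the thread).
Alerts:
  mac-mismatch : an IP already seen now arrives from a different MAC
  seq-behind   : a pure ACK from an endpoint whose seq lies more than one
                 byte before data the monitor already saw from that address
  ack-storm    : N consecutive identical empty ACKs in one flow"""
from collections import namedtuple

# flags is a string of letters: S=SYN A=ACK P=PSH F=FIN R=RST
Pkt = namedtuple("Pkt", "src_mac src_ip sport dst_ip dport flags seq ack plen")


class HijackMonitor:
    def __init__(self, storm_threshold=20):
        self.storm_threshold = storm_threshold
        self.mac_of = {}      # ip -> hardware address first seen for that ip
        self.flows = {}       # flow key -> state dict
        self.alerts = []

    @staticmethod
    def _key(p):
        return tuple(sorted(((p.src_ip, p.sport), (p.dst_ip, p.dport))))

    def feed(self, p):
        key = self._key(p)
        st = self.flows.setdefault(key, {"next_seq": {}, "last_ack": {}, "repeats": 0,
                                         "storm_reported": False, "behind_reported": set()})
        ep = (p.src_ip, p.sport)
        syn_fin = ("S" in p.flags) + ("F" in p.flags)        # each consumes one seq
        pure_ack = p.plen == 0 and syn_fin == 0 and "A" in p.flags and "R" not in p.flags

        # 1. layer-2 binding: remember the first MAC seen for each IP
        known = self.mac_of.setdefault(p.src_ip, p.src_mac)
        if known != p.src_mac:
            self.alerts.append(("mac-mismatch", ep, known, p.src_mac))

        # 2. per-endpoint sequence bookkeeping
        nxt = st["next_seq"].get(ep)
        end = p.seq + p.plen + syn_fin
        if nxt is None or p.seq >= nxt:
            # first segment, in-order segment, or a gap the monitor missed
            st["next_seq"][ep] = max(end, nxt or 0)
        elif pure_ack and nxt - p.seq > 1 and ep not in st["behind_reported"]:
            # a keepalive probe sits exactly one byte behind; anything further
            # back means this address already "sent" data it knows nothing of
            self.alerts.append(("seq-behind", ep, nxt, p.seq))
            st["behind_reported"].add(ep)
        # any other seq < nxt is a retransmission: no state change

        # 3. ACK-storm counter: identical empty ACKs repeated by an endpoint
        if pure_ack:
            sig = (p.seq, p.ack)
            if st["last_ack"].get(ep) == sig:
                st["repeats"] += 1
            else:
                st["last_ack"][ep] = sig
            if st["repeats"] >= self.storm_threshold and not st["storm_reported"]:
                self.alerts.append(("ack-storm", key, st["repeats"]))
                st["storm_reported"] = True
        else:
            st["repeats"] = 0         # real data moved the connection forward


def analyze(trace, storm_threshold=20):
    mon = HijackMonitor(storm_threshold)
    for p in trace:
        mon.feed(p)
    return mon.alerts


# ---- constructed traces; every address and number below is an assumption ----
C_MAC, S_MAC, X_MAC = "00:00:c0:aa:aa:aa", "00:00:c0:bb:bb:bb", "00:00:c0:ee:ee:ee"
CLIENT, SERVER = ("10.0.0.5", 1025), ("10.0.0.9", 23)


def c2s(mac, flags, seq, ack, plen=0):
    return Pkt(mac, CLIENT[0], CLIENT[1], SERVER[0], SERVER[1], flags, seq, ack, plen)


def s2c(flags, seq, ack, plen=0):
    return Pkt(S_MAC, SERVER[0], SERVER[1], CLIENT[0], CLIENT[1], flags, seq, ack, plen)


def clean_session():
    return [c2s(C_MAC, "S", 1000, 0), s2c("SA", 5000, 1001), c2s(C_MAC, "A", 1001, 5001),
            c2s(C_MAC, "PA", 1001, 5001, 10), s2c("A", 5001, 1011),
            s2c("PA", 5001, 1011, 30), c2s(C_MAC, "A", 1011, 5031)]


def hijacked_session(storm_packets=25):
    trace = clean_session()
    # an on-segment attacker using the client's IP from its own MAC injects
    # 5 bytes at exactly the seq the server expects
    trace.append(c2s(X_MAC, "PA", 1011, 5031, 5))
    trace.append(s2c("A", 5031, 1016))
    # the real client now sees an ACK for data it never sent; from here on
    # each side answers the other's out-of-window ACK with another ACK
    for _ in range(storm_packets):
        trace.append(c2s(C_MAC, "A", 1011, 5031))
        trace.append(s2c("A", 5031, 1016))
    return trace


if __name__ == "__main__":
    for alert in analyze(hijacked_session()):
        print(alert)
```

Run as a script it prints the three alerts for the constructed hijacked trace; the clean trace produces none. The flow key carried in the ack-storm alert is exactly what a responder needs to build the resets Morrow Long mentions, or a filter rule. The keepalive exemption and the report-once sets keep the monitor quiet on ordinary traffic; as Jason says, proxies and bridges still defeat the MAC check, because everything behind them shares one hardware address.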
From owner-firewalls-list Wed Nov 5 10:37:56 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA11141; Wed, 5 Nov 1997 09:56:01 -0800 (PST) Received: from main.geminisecure.com (main.geminisecure.com [205.179.16.1]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id JAA11134 for ; Wed, 5 Nov 1997 09:55:53 -0800 (PST) Received: (from leonard@localhost) by main.geminisecure.com (8.6.9/8.6.9) id JAA04939; Wed, 5 Nov 1997 09:52:32 -0800 Date: Wed, 5 Nov 1997 09:52:32 -0800 (PST) From: Leonard Miyata To: Russ cc: firewalls@greatcircle.com, ntsecurity@iss.net Subject: RE: Disabling LAN Manager on NT In-Reply-To: <418996AD2954D11180860000E8D5C66778EB@ns.rc.on.ca> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Okay Russ, I submit to greater authority on the subject, Please accept my humble apologies..... I don't monitor the ntsecurity forum and missed this thread... (Now I wonder if the KERBEROS port for NT5 is going to fix this problem??) Personal Opinions provided by Leonard Miyata aka leonard@geminisecure.com Gemini Computers Inc. On Wed, 5 Nov 1997, Russ wrote: > This can only be enforced if both the client and the server have it > disabled. From KB article Q147706; > > "To eliminate LM authentication with protocols other than remote file > sharing (for example, Microsoft RPC, RAS, Internet Information Server > (IIS), or Internet Explorer -- anything that uses the NTLMSSP), both the > client and the server need to have the hotfix installed." > > The key only affects whether or not LM is going to be sent, not whether > or not its going to be accepted. Your comments are a mis-representation > of the facts and I would suggest you correct them in public. You cannot > "turn off LANManager authentication on Windows NT", you can only prevent > it from being sent. 
> > If I don't see a correction in a couple of days I'll send one myself, since > you're contradicting what I've said publicly (seemingly insistently). > > Cheers, > Russ > > From owner-firewalls-list Wed Nov 5 13:10:21 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA17566; Wed, 5 Nov 1997 12:27:10 -0800 (PST) Received: from dfw-ix11.ix.netcom.com (dfw-ix11.ix.netcom.com [206.214.98.11]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id MAA17557 for ; Wed, 5 Nov 1997 12:27:00 -0800 (PST) From: dje@dmc22.com Received: (from smap@localhost) by dfw-ix11.ix.netcom.com (8.8.4/8.8.4) id OAA15753 for ; Wed, 5 Nov 1997 14:27:12 -0600 (CST) Date: Wed, 5 Nov 1997 14:27:12 -0600 (CST) Message-Id: <199711052027.OAA15753@dfw-ix11.ix.netcom.com> Received: from trn-nj4-02.ix.netcom.com(206.214.121.98) by dfw-ix11.ix.netcom.com via smap (V1.3) id rma014164; Wed Nov 5 14:19:43 1997 To: firewalls@greatcircle.com Subject: Systems Engineer Needed Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I am looking to hire a Systems Engineer to provide Pre-Sales technical support, perform product technical presentations and demonstrations for networking software installed on Unix, Novell and Windows NT platforms. The requirements include: Knowledge of one or more of the previously mentioned platforms, strong communication skills, and the ability to get people excited about new technologies. We're one of the largest software companies in the world. Candidate can report to any one of three offices in New Jersey (southern, central and northern). Compensation $50,000 - $90,000, outstanding benefits (including company paid medical and dental). Company that has been consistently rated one of the best companies to work for in North America. 
If you know someone that would be interested I can be contacted at: Dave Eide Voice: (609) 584-9000 ext 273 Fax (609) 584-9575 Email dje@dmc22.com From owner-firewalls-list Wed Nov 5 17:40:42 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id RAA10228; Wed, 5 Nov 1997 17:14:51 -0800 (PST) Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-971021-1) id RAA09084 for firewalls@greatcircle.com; Wed, 5 Nov 1997 17:06:32 -0800 (PST) Received: from public.sta.net.cn (public.sta.net.cn [202.96.199.97]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id TAA21201 for ; Tue, 4 Nov 1997 19:49:17 -0800 (PST) Received: from public.sta.net.cn ([202.96.201.28]) by public.sta.net.cn (8.8.7/8.8.7) with ESMTP id LAA11805 for ; Wed, 5 Nov 1997 11:49:16 +0800 (CST) Message-ID: <345FF08C.981DE78A@public.sta.net.cn> Date: Wed, 05 Nov 1997 12:05:33 +0800 From: NetSea X-Mailer: Mozilla 4.02 [en] (Win95; I) MIME-Version: 1.0 To: firewalls@GreatCircle.COM Subject: Help : Cisco access list Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, everybody, I have a CISCO 4500 router (A) in my office. It connects

    Router A (in my office)              Router B ( from ISP )
       _______                              _______
      |       |s0                        s0|       |
      |_______|-------------------------|_______|--------- INTERNET
    xxx.xxx.xxx.aa                      xxx.xxx.xxx.bb

to a Router (B) from ISP. What I want to do is that all hosts in my office can access Internet resources such as WWW, but the outside world can not access any host in my office through the routers. How should I configure the routers to achieve that? Thanks in advance! Hong ---------------------------------------------- Shen Hong Network Engineer NetSea Computer Co. Ltd. 
E-mail: netsea@public.sta.net.cn ---------------------------------------------- From owner-firewalls-list Wed Nov 5 17:41:43 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id RAA09085; Wed, 5 Nov 1997 17:06:36 -0800 (PST) Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-971021-1) id RAA09035 for firewalls@greatcircle.com; Wed, 5 Nov 1997 17:06:08 -0800 (PST) Received: from smurf.cali-net.com ([209.75.104.16]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id OAA03353 for ; Tue, 4 Nov 1997 14:40:36 -0800 (PST) Received: from localhost (circle@localhost) by smurf.cali-net.com (8.8.7/8.8.7-Sendmail unsolicited email through this server is illegal) with SMTP id SAA18108; Tue, 4 Nov 1997 18:33:32 GMT Date: Tue, 4 Nov 1997 18:33:31 +0000 ( ) From: RHS Linux User To: Doy cc: "Firewalls@GreatCircle.COM" Subject: Re: Hijak detection In-Reply-To: <345F3229.1AAE@indo-mail.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Tue, 4 Nov 1997, Doy wrote: > Guys, > > I wonder if there are firewall/intrusion detection products that can > deal with TCP session hijack.. I didn't see threads related to this > topic in the last half year ..okay, I'm new to this list.. ;) > > Suppose the TCP session is not encrypted, and the attacker is on the > packet's route, what can we do about it? Surrender..?? > Detecting hijacking from inside your network, or hijacking coming from another route would be easy to detect by an intrusion detection system that maintains an ARP list of currently active TCP sessions and their corresponding hardware addresses. Then have the program detect any packets coming from a different hardware address that wasn't assigned to that specific IP. 
I don't know of any way you could prevent non-blind hijacking, except for the fact that you may end up seeing out-of-sequence packets or packets with duplicate sequence numbers arrive at the victim's host after the hijack begins. If you could remedy a method of doing this reliably you could then have the intrusion detection software enable a filter in your firewall/router, or perhaps send an RST packet to the server shutting off the session.

> Of course not. We can build statistical analysis on number of invalid
> packets that transmitted on each session. Has anybody done this? Is this
> approach valid anyway?
>
> I'd like to see other solutions/products beside encryption/routing/netw.
> segmentation.
>

This was just a thought, I probably overlooked something simpler. Just another reason not to use the telnet protocol.

Jean-Christophe Smith
California Network Solutions
jean@internet-security.com
http://www.cali-net.com

From owner-firewalls-list Wed Nov 5 19:10:37 1997
Message-ID: <345E9C6A.7CEC0584@public.sta.net.cn>
Date: Tue, 04 Nov 1997 11:54:18 +0800
From: NetSea
To: firewalls@GreatCircle.COM
Subject: Help : Cisco access list

Hi, everybody,

I have
a CISCO 4500 router (A) in my office. It connects

      Router A (in my office)          Router B (from ISP)
       _______                           _______
      |       |s0                      s0|       |
      |_______|-------------------------|_______|--------- INTERNET
     xxx.xxx.xxx.aa                     xxx.xxx.xxx.bb

to a Router (B) from ISP. What I want to do is that all hosts in my office can access Internet resources such as WWW, but the outside world cannot access any host in my office through the routers. How should I configure the routers to achieve that?

Thanks in advance!

Hong

----------------------------------------------
Shen Hong            Network Engineer
NetSea Computer Co. Ltd.
E-mail: netsea@public.sta.net.cn
----------------------------------------------

From owner-firewalls-list Wed Nov 5 21:06:58 1997
Date: Thu, 6 Nov 1997 09:52:00 +0530 (IST)
From: "c.s.r.murthy"
To: Vik Varma
Cc: Firewalls@GreatCircle.COM, murthy@sparc03.barc.ernet.in
Subject: Re: Your Message Sent on Tue, 4 Nov 1997 11:56:45 +0530 (IST)
In-Reply-To: <199711051731.JAA27141@arrakis.verisign.com>

On Wed, 5 Nov 1997, Vik Varma wrote:

> > Hello Sirs!
> >
> > We have a class `C` internet address space at our disposal. I want to
> > split into two subnets and connect them using firewall.
> > I want to keep
> > important systems like DNS and MAIL server on the subnet outside firewall
> > which will have direct internet access. Hosts inside fire wall should have
> > internet access for all applications, whereas internet hosts should be
> > prevented from accessing hosts on subnet inside firewall. MAIL server
> >
> > Does anybody know how to configure linux FWTK for this setup
>
> Is there a reason you want a valid class C address space inside your firewall?
> Why not just use one of the private class C addresses specified in RFC 1918?
> This is typically what you want to do, using the firewall box as your gateway to
> the world and have it perform NAT (via proxies) on all external services.
>
> --
> Vik Varma                              VeriSign, Inc
> System Administrator                   (650) 429-3352
> Operations, Information Systems        Vik.Varma@verisign.com
>

Thanks for the reply sir!

Actually I don't want to use NAT as it consumes more time for each packet. I want to have a simple filter which takes forwarding decisions based on IP address only and it should not go for NAT. Is there any such firewall software available?
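Murthy is asking for a filter that decides on addresses alone and does no NAT; the Cisco access lists in the replies to Shen Hong further down this archive (Ryan Russell's advice to "only allow established packets in", and Tony Rall's three-line list) are exactly that kind of stateless filter. The Python model below is an added example written for this archive page, not any poster's code or an IOS parser: it evaluates Tony Rall's list, and the two tightenings he suggests, against constructed inbound packets, so the gaps the replies mention (UDP wide open, FTP data connections refused, ICMP replies lost, and "established" having no memory of real connections) can be seen directly. OFFICE_NET and all addresses are constructed placeholders, and the rule grammar is a small hand-written subset of IOS syntax.

```python
"""Stateless "established" filtering, modelled on the Cisco access list
posted in this thread.  Added example for this archive page, not a poster's
code: it understands only the subset of IOS extended-ACL syntax used below.

  permit|deny PROTO SRC [eq PORT] DST [eq PORT] [established] [log]

SRC/DST are "any" or a CIDR prefix; "established" matches TCP segments that
carry the ACK or RST bit.  First match wins, with an implicit deny at the end.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

SYN, RST, ACK = 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: int = 0      # TCP control bits; ignored for udp/icmp


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec)


def _rule_match(rule: str, pkt: Packet) -> Optional[bool]:
    """Return True (permit) or False (deny) if the rule matches, else None."""
    toks = rule.split()
    action, proto, i = toks[0], toks[1], 2
    src, i = toks[i], i + 1
    sport: Optional[int] = None
    if i < len(toks) and toks[i] == "eq":
        sport, i = int(toks[i + 1]), i + 2
    dst, i = toks[i], i + 1
    dport: Optional[int] = None
    if i < len(toks) and toks[i] == "eq":
        dport, i = int(toks[i + 1]), i + 2
    established = "established" in toks[i:]

    if proto != "ip" and proto != pkt.proto:
        return None
    if not (_addr_match(src, pkt.src) and _addr_match(dst, pkt.dst)):
        return None
    if sport is not None and pkt.sport != sport:
        return None
    if dport is not None and pkt.dport != dport:
        return None
    # "established" is stateless: it inspects the flag bits of this one
    # segment and has no memory of whether a connection was ever opened.
    if established and not (pkt.flags & (ACK | RST)):
        return None
    return action == "permit"


def evaluate(acl: List[str], pkt: Packet) -> bool:
    """Apply the list top-down; IOS ends every ACL with an implicit deny."""
    for rule in acl:
        verdict = _rule_match(rule, pkt)
        if verdict is not None:
            return verdict
    return False


# Tony Rall's inbound list for Router A's s0, without the "access-list 100" prefix.
ACL_100 = [
    "permit tcp any any established",
    "permit udp any any",
    "deny ip any any log",
]

# The same list with the two tightenings Tony suggests written out.
# OFFICE_NET is a constructed placeholder for the office prefix.
OFFICE_NET = "192.0.2.0/24"
ACL_100_TIGHTER = [
    f"deny ip {OFFICE_NET} any",           # anti-spoofing: our prefix never arrives from outside
    "permit tcp any any established",
    f"permit udp any eq 53 {OFFICE_NET}",  # only DNS replies, not arbitrary UDP
    "deny ip any any log",
]

# Constructed traffic arriving inbound on s0 (RFC 5737 documentation addresses).
OUTSIDE, INSIDE, DNS = "198.51.100.5", "192.0.2.10", "203.0.113.53"
SAMPLES = {
    "web reply (SYN/ACK) to an office browser":  Packet("tcp", OUTSIDE, INSIDE, 80, 40000, SYN | ACK),
    "inbound telnet connection attempt (SYN)":   Packet("tcp", OUTSIDE, INSIDE, 12345, 23, SYN),
    "unsolicited ACK-only segment":              Packet("tcp", OUTSIDE, INSIDE, 12345, 23, ACK),
    "DNS reply to an office resolver":           Packet("udp", DNS, INSIDE, 53, 5353),
    "arbitrary inbound UDP":                     Packet("udp", OUTSIDE, INSIDE, 4000, 4000),
    "ICMP echo reply to an office ping":         Packet("icmp", OUTSIDE, INSIDE),
    "segment claiming an office source address": Packet("tcp", "192.0.2.99", INSIDE, 1, 2, ACK),
    "active-mode FTP data connection (SYN from port 20)": Packet("tcp", OUTSIDE, INSIDE, 20, 40001, SYN),
}


def verdicts(acl: List[str]) -> Dict[str, bool]:
    """Evaluate every sample against one list; True means permitted."""
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:52s} acl100={evaluate(ACL_100, pkt)!s:5s} "
              f"tighter={evaluate(ACL_100_TIGHTER, pkt)}")
```

The unsolicited ACK-only segment passes both lists, which is the limitation of a flag-based "established" test that a stateful filter removes.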
From owner-firewalls-list Wed Nov 5 21:08:13 1997
From: "Ryan Russell"
To: netsea@public.sta.net.cn
Cc: firewalls@GreatCircle.COM
Message-Id: <88256547.0018C9B7.00@gwwest.sybase.com>
Date: Wed, 5 Nov 1997 20:32:30 -0800
Subject: Re: Help : Cisco access list

That doesn't give you much protection... if you want inside people to connect to arbitrary Internet resources, about the best you can do is only allow established packets in. Note, of course, that this will not work with UDP services, and a fair number of TCP services, like FTP. Telnet and WWW will work.

Ryan

netsea@public.sta.net.cn on 11/04/97 08:05:33 PM
To:      firewalls@GreatCircle.COM
cc:      (bcc: Ryan Russell/SYBASE)
Subject: Help : Cisco access list

Hi, everybody,

I have a CISCO 4500 router (A) in my office. It connects

      Router A (in my office)          Router B (from ISP)
       _______                           _______
      |       |s0                      s0|       |
      |_______|-------------------------|_______|--------- INTERNET
     xxx.xxx.xxx.aa                     xxx.xxx.xxx.bb

to a Router (B) from ISP.
What I want to do is that all hosts in my office can access Internet resources such as WWW, but the outside world cannot access any host in my office through the routers. How should I configure the routers to achieve that?

Thanks in advance!

Hong

----------------------------------------------
Shen Hong            Network Engineer
NetSea Computer Co. Ltd.
E-mail: netsea@public.sta.net.cn
----------------------------------------------

From owner-firewalls-list Wed Nov 5 22:29:46 1997
Message-Id: <2.2.32.19971106061246.006de0a0@localhost>
Date: Thu, 06 Nov 1997 00:12:46 -0600
To: NetSea, firewalls@GreatCircle.COM
From: Chris Lonvick
Subject: Re: Help : Cisco access list

Hello Hong,

Take a look at http://www/warp/public/701/31.html to see some options on how you can accomplish this as well as how to take some other security measures.

Hope this helps,
Chris Lonvick
Cisco Systems Corporate Consulting
Houston, TX, USA
+1.713.778.5663

At 12:05 PM 11/5/97 +0800, NetSea wrote:
>Hi, everybody,
>
>I have a CISCO 4500 router (A) in my office. It connects
>
>      Router A (in my office)          Router B (from ISP)
>       _______                           _______
>      |       |s0                      s0|       |
>      |_______|-------------------------|_______|--------- INTERNET
>     xxx.xxx.xxx.aa                     xxx.xxx.xxx.bb
>
>to a Router (B) from ISP.
>What I want to do is that all hosts in my office can access Internet
>resources such as WWW, but the outside world cannot access any host in
>my office through the routers. How should I configure the routers to
>achieve that?
>
>Thanks in advance!
>
>Hong
>
>----------------------------------------------
>Shen Hong            Network Engineer
>NetSea Computer Co. Ltd.
>E-mail: netsea@public.sta.net.cn
>----------------------------------------------

From owner-firewalls-list Wed Nov 5 23:08:59 1997
Message-ID: <3461577C.3BE1595E@gnss.com>
Date: Wed, 05 Nov 1997 21:37:00 -0800
From: "osiris@gnss.com"
Reply-To: osiris@gnss.com
Organization: Global Network Security Systems
To: Jyri Kaljundi
CC: Firewalls@GreatCircle.COM
Subject: Re: sex,lies, and application proxy based fw vs Check Point

Jyri Kaljundi wrote:

> On Sun, 2 Nov 1997, Smoot Carl-Mitchell wrote:
>
> > I've come to believe that GUIs are really designed for the purchasing
> > managers and not for the technical people that need to use an actual
> > product. A GUI is basically packaging. They usually do not add any
> > functionality to a package, but any good marketing person will tell
> > you that flash sells, almost regardless of the underlying technology.
>
> There still is more than just marketing.
> What a good GUI sometimes can do
> is to save your time, and the time of good networking and security
> professionals is not really cheap. So sometimes a good professional using
> a graphical interface can do much more in shorter time than someone using
> just a command-line interface.

Sometimes. And sometimes, the number of clicks (or menus deep) required make it a time-waster, too.

On the issue of whether it's marketing or not, though, I am inclined to agree that much of it is marketing. Certainly, the development of a GUI-based app is more expensive and time-consuming. Those efforts are presumably done with the hope that a GUI will attract a wider customer base.

Equally, however, I am not sure that using a GUI-based security application is any less savvy than using a CLI app. (Nor does it necessarily show evidence that the operator doesn't know what he/she is doing.) In either case, you are rarely - if ever - going to have the source. Therefore, you cannot truly know whether the product can be trusted, but only whether it serves its intended purpose. So, when your job is applying security controls system-wide, GUI tools can come in handy and there's no reason not to use them.

But, I will certainly agree that many people purchase firewall solutions on marketing alone. (Which is why I am equally certain that firewall products produced by or in conjunction with Microsoft will become extremely popular. Hmm. That says a whole lot right there. ;-)

> There are some assumptions I make with this: the person working with the
> GUI must know what is under it and what really happens with every button
> he presses. He must know how to use the product without the GUI and
> preferably have general knowledge of both the network protocols and maybe
> even other vendors' products.
>
> Still I believe with the rate of firewalls installed every day growing
> rapidly, there is a very big number of people who have bought a firewall
> solution based just on marketing.
> There just are not enough security
> people available.
>
> Jyri Kaljundi
> jk@stallion.ee
> AS Stallion Ltd
> http://www.stallion.ee/

From owner-firewalls-list Wed Nov 5 23:14:26 1997
From: trall@almaden.ibm.com
To: firewalls@GreatCircle.COM
Message-ID: <88256547.001FCA61.00@mailgw1.almaden.ibm.com>
Date: Wed, 5 Nov 1997 22:58:17 -0800
Subject: Re: Help : Cisco access list

On router A:

    int s0
     ip access-group 100 in
    !
    access-list 100 permit tcp any any established
    access-list 100 permit udp any any
    access-list 100 deny ip any any log

This allows outbound TCP connections and any UDP connections. It prevents inbound TCP connections and ICMP (and all other protocols) in either direction.

Among the changes that could be made to somewhat increase security:

* Anti address spoofing, in both directions.
* Restriction of UDP (but you will probably need to allow port 53 to support DNS requests).

Note that other followers of this list can point out many exposures with just this form of protection (simple packet filtering). The largest of these is probably that if a single machine on your network is compromised, they are all exposed to direct, unfiltered attacks.

Tony Rall

>> I have a CISCO 4500 router (A) in my office. It connects

      Router A (in my office)          Router B (from ISP)
       _______                           _______
      |       |s0                      s0|       |
      |_______|-------------------------|_______|--------- INTERNET
     xxx.xxx.xxx.aa                     xxx.xxx.xxx.bb

to a Router (B) from ISP.
What I want to do is that all hosts in my office can access Internet resources such as WWW, but the outside world cannot access any host in my office through the routers. How should I configure the routers to achieve that? <<

From owner-firewalls-list Thu Nov 6 00:14:26 1997
Message-ID: <342EFDD0.478ED9A9@edina.xnc.com>
Date: Mon, 29 Sep 1997 03:01:04 +0200
From: Stepken
Organization: F.S.S.
To: Jesse Brown
CC: Jan Zeilinga, Firewalls@GreatCircle.COM
Subject: Re: why use a smtp proxy

Jesse Brown wrote:
>
> > Mostly, e-mail daemons suffer from being attackable by:
> > 1. unallowed commands (defined in RFC's), like the sendmail "|...."
> > command.
>
> Ummm. Wrong. This is a bug. Not an 'unallowed command'. One of the
> problems of programs like sendmail is the overwhelming complexity of the
> program. Because of this bugs can abound and unintended results are often
> the outcome.

Correct, sorry. But in the RFCs you can find lots of agreements on how daemons can communicate.

> > 2. buffer overflows. That means, you can put a program into the
> > mail program's stack and execute with (mostly) root rights.
>
> It depends on the mailer whether or not you can get root. For instance,
> qmail's smtp daemon (which processes incoming mail) is not privileged. All
> it does is pass mail onto the mail queue system (which also does not
> run as root). Therefore a buffer overflow attack in qmail's smtp daemon
> won't do a heck of a lot for an attack.

I'd always prefer the short code of a proxy, which passes mail to a program running in user mode. Under LINUX and FreeBSD it has been shown that an escape from chroot() and user mode to root is still possible. The first aim must be a very strict selection of commands.

> > To prevent this, there are PROXYs, like smtpd, which are small, without
> > functionality and hoped not to be vulnerable to buffer overflows.
> > They also let just commands pass through which are defined by RFC.
> > All others are blocked.
>
> An application proxy (like smtpd) is not a mail handler. Rather, it reads
> an incoming connection and generates another connection to the internal
> machine - sending along all the data it knows to send.
>
> As these proxies are supposed to be the first line of defense they are
> usually extensively checked for buffer overflow and other problems.

True, but this is no guarantee.

> Remember, it is not a mail server or a mail client. Just a PROXY. It
> merely handles the exchange of data.
>
> > sendmail, e.g. does the opposite. First it lets all pass, then filters.
> > It can be too late then.
>
> Sendmail is mail server software. It can be configured to drop connections
> from a certain host, etc.

I also have some scripts to let sendmail run under a user account. It works, but I don't really care, seems too dangerous to me...
> > cu, Guido Stepken
>
> -J

From owner-firewalls-list Thu Nov 6 00:29:18 1997
From: Graham Wheeler
Message-Id: <199711060732.JAA12905@cdsec.com>
Subject: Re: Hijak detection
To: firewalls@greatcircle.com
Date: Thu, 6 Nov 1997 09:32:09 +0200 (SAT)
In-Reply-To: <3.0.3.32.19971105022156.01424a88@in.net> from "Frank Willoughby" at Nov 5, 97 02:21:56 am

> Perhaps I'm missing something. Why would Wheelgroup's NetRanger product be
> able to stop session hijacking? Any hacker who is worth their salt will be
> able to roll their own custom packets to be exactly what the firewall would
> expect the packets to be (including source/destination info, sequence
> numbers, etc.) The only defense against session hijacking that I'm aware of
> is to encrypt from point-to-point.

Agreed. The arguments that there will be packets seen from both the hijacker and the hijackee are specious; a sophisticated hijacker will be able to filter out the hijackee's traffic as well as inject their own (in fact that's the easy part).
It wouldn't be easy to do this by hand, but a gateway machine could be modified so that it watched for a certain TCP connection, and then stopped forwarding the legit packets and instead injected its own. This wouldn't require any manual intervention and if done properly cannot be detected.

regards
Graham
--
Dr Graham Wheeler                         E-mail: gram@cdsec.com
Citadel Data Security                     Phone:  +27(21)23-6065/6/7
Internet/Intranet Network Specialists     Mobile: +27(83)-253-9864
Firewalls/Virtual Private Networks        Fax:    +27(21)24-3656
Data Security Products                    WWW:    http://www.cdsec.com/

From owner-firewalls-list Thu Nov 6 00:44:44 1997
From: Adam Shostack
Message-Id: <199711060839.DAA08487@homeport.org>
Subject: Re: Hijak detection
In-Reply-To: <199711060823.JAA18887@marc.ksfw.esb.eur.deuba.com> from Marc Heuse at "Nov 6, 97 09:23:50 am"
To: marc.heuse@mail.deuba.com
Date: Thu, 6 Nov 1997 03:39:57 -0500 (EST)
Cc: firewalls@greatcircle.com (Firewalls mailing list)

Marc Heuse wrote:
| Hi,
|
| > | >The point that (doy?) made is that session hijacking produces a flood
| > | >of shit as you jam in packets in the hopes of getting the numbers
| > | >right. (Since the other guy is transmitting at the same time as you,
| > | >you often send a slew of packets, to get them into the stack first.)
| > | This step shouldn't be necessary.
| > | Monitor the packets going to/from
| > | the firewall (or target system), bring down the victim's system on
| > | the outside (OOB, etc.), and then send in the correct packets to the
| > | firewall/system. The firewall wouldn't notice the difference, and it
| > | is likely, the victim would chalk up the problem to network difficulties.
| > You assume a perfect attacker. I assume script kiddies. There are
| > more script kiddies than perfect attackers. If you spend time
| > watching real attacks on real systems, you realize how many idiots are
| > out there.
|
| Are you trying to protect networks from kiddies or real hackers?
| You must try to prevent and detect hacks from the experts, because they
| do the real damage, not some kids searching for fun.

It depends on who I'm protecting. When I do work with a bank, both, of course. When I have my home computer, I protect it from the script kiddies. (Script kiddies, btw, is a term to describe the 14 year old who downloads an exploit, doesn't understand it, but uses it on you anyway. There are *lots* of script kiddies.)

Also, I suspect that the people who broke into the CIA, DOJ, Kleigman Furs, Labour, etc, were not professionals, but script kiddies. If you don't think that was real damage, ask the folks who will never again be promoted; ask them about how happy management was to have to deal with the problem.

With Deutsche Bank, you clearly also need to worry about professionals breaking in to steal money. But it's a mistake to say "Well, it won't stop a pro, let's not bother." If there are tools that you can use to stop both, great. But making the pro sweat is a useful thing in its own right.

| And to add something useful to the discussion:
|
| the possibility to detect hijacking from the client side is only possible
| if the attacker chooses an attack type which does not change the routing
| path of the packets. Then you can see ACK packets while your connection
| either is frozen or terminated.
...
| to summarize, you can only detect the attack with some luck on the server
| side - if the attacker does not control a router in the path.
| otherwise - you can't :-( ... so use ssltelnet, deslogin, ssh, kerberos etc.
| and drop telnet, r-commands and one-time-passwords.

Absolutely. If you re-read my original message on the subject, I said that this would be a hack, not a real defense. But it might be a useful hack.

(And incidentally, one time passwords are still useful in the context of encrypted logins. For forcing strong passwords, for managing termination of access, for preventing password sharing, etc. Your mileage will vary with the system you use.)

Adam

--
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume

From owner-firewalls-list Thu Nov 6 01:14:14 1997
From: Adam Shostack
Message-Id: <199711060909.EAA08583@homeport.org>
Subject: Re: Hijak detection
In-Reply-To: from Jason Keimig at "Nov 5, 97 11:39:49 am"
To: jkeimig@idir.net (Jason Keimig)
Date: Thu, 6 Nov 1997 04:09:25 -0500 (EST)
Cc: firewalls@greatcircle.com (Firewalls mailing list)

Jason,

You are absolutely correct. My error. I suggest everyone re-read your post, since it is succinct, clear, and correct, whereas my post was, at best, succinct, clear, and misleading. :)

Adam

Jason Keimig wrote:
|
|
| > The point that (doy?)
| > made is that session hijacking produces a flood
| > of shit as you jam in packets in the hopes of getting the numbers
| > right. (Since the other guy is transmitting at the same time as you,
| > you often send a slew of packets, to get them into the stack first.)
| > There are a number of papers on detecting this sort of thing, many
| > published in the months after Tsutomo was hacked.
|
| Actually, the attacker does the _least_ amount of work, in terms of the
| packet storms that result from hi-jacking a session. The fundamental aspect
| of hijacking revolves around de-syncing the state machine of the connection
| between the two attacked hosts.
|
| The "flood" you refer to is simply the result of the unsuspecting hosts
| ACKing packets that are not in-line with the current sequence numbers that
| THEY believe are correct. Since the attacker (assumably) inserts
| _something_ into the connection, the resultant SEQ/ACK pair will always be
| different between the two unsuspecting hosts. As the attacker continues to
| insert data into the stream, the receiving host ACKs this data, but the
| other end sees the ACK as out of bounds with its idea of the current state.
| So, it just ACKs the ACK. This perpetuates as ACKs answering ACKs. Hence,
| the eternal ACK storm.
|
| What actually kills this ack storm is a lost packet. Once one ACK is
| dropped, the storm disappears. This is a function of the network load and
| reliability of the layer-1 medium.
|
| So yes, you _can_ detect these ACK storms, but what you really want to see
| in the packets you pick up is the idea of the desynchronized state machine.
| Locating WHEN the desynch occurred gives a little more information. Something
| nobody really ever talks about in foiling/detecting all of these IP spoofing
| attacks is to look at the layer-2 information of suspected forged attacks.
| That and looking at packet IDs can give fairly certain proof that some clown
| really is trying to do something evil.
| Of course, proxies and bridges CAN
| complicate things tho... Granted that this analysis is in itself limited,
| but all of the "hacking" tools out there TODAY just do simple Layer 3/4 forgings
| -- and these are easy to detect.
|
| -J.
|

--
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume

From owner-firewalls-list Thu Nov 6 01:29:25 1997
From: anton horvath
Message-Id: <199711060925.JAA13149@oz.vie.co.at>
Subject: Cisco config examples
To: firewalls@GreatCircle.COM
Date: Thu, 6 Nov 1997 09:25:33 +0000 (GMT)

Hi,

I have little chance to work with a Cisco, but I am often asked to look into configs of our partners. Could someone point me to detailed and well explained configuration examples on the net?

thanks,
anton

--
Office address (Vienna Airport) :        Private address :
Co. Anton Horvath                        Anton Horvath
Flughafen Wien AG.                       Hptpl. 31
Postfach 1                               A-7100, Neusiedl/See
A-1300, Vienna                           Austria
Austria
Voice: (++43 - 1) 7007 Ext: 2837         Voice: (++43 - 02167) 8560
Fax:   (++43 - 1) 7007 Ext: 5188
EMail: hvt@vie.co.at

From owner-firewalls-list Thu Nov 6 01:40:52 1997
From: Marc Heuse
Message-Id: <199711060823.JAA18887@marc.ksfw.esb.eur.deuba.com>
Subject: Re: Hijak detection
In-Reply-To: <199711051403.JAA03367@homeport.org> from Adam Shostack at "Nov 5, 97 09:03:59 am"
To: adam@homeport.org (Adam Shostack)
Date: Thu, 6 Nov 1997 09:23:50 +0100 (CET)
Cc: firewalls@greatcircle.com
Reply-To: marc.heuse@mail.DeuBa.COM

Hi,

> | >The point that (doy?) made is that session hijacking produces a flood
> | >of shit as you jam in packets in the hopes of getting the numbers
> | >right. (Since the other guy is transmitting at the same time as you,
> | >you often send a slew of packets, to get them into the stack first.)
> | This step shouldn't be necessary.
> | Monitor the packets going to/from
> | the firewall (or target system), bring down the victim's system on
> | the outside (OOB, etc.), and then send in the correct packets to the
> | firewall/system. The firewall wouldn't notice the difference, and it
> | is likely, the victim would chalk up the problem to network difficulties.
> You assume a perfect attacker. I assume script kiddies. There are
> more script kiddies than perfect attackers. If you spend time
> watching real attacks on real systems, you realize how many idiots are
> out there.

Are you trying to protect networks from kiddies or real hackers?
You must try to prevent and detect hacks from the experts, because they do the real damage, not some kids searching for fun.

And to add something useful to the discussion:

the possibility to detect hijacking from the client side is only possible if the attacker chooses an attack type which does not change the routing path of the packets. Then you can see ACK packets while your connection either is frozen or terminated.

from the server side you can detect multiple (and some of them invalid) ACK packets when the attack starts. If the attacker terminates the session of the client or changes the routing path, this will stop shortly after the overtake.

You can also detect RST packets generated by the client if the session was terminated from the client side (by the attacker) (From the RFC 793):

    (CLOSED STATE, SEGMENT ARRIVES)
    An incoming segment not containing a RST causes a RST to be sent in response.

however if the attacker controls a router a simple deny rule on a Cisco for example like

    access-list 101 deny tcp victim 0.0.0.0 target 0.0.0.0

would do the trick.

to summarize, you can only detect the attack with some luck on the server side - if the attacker does not control a router in the path. otherwise - you can't :-( ... so use ssltelnet, deslogin, ssh, kerberos etc. and drop telnet, r-commands and one-time-passwords.
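The server-side symptom Marc describes (a burst of ACK packets, some of them invalid, when the attack starts) and the ACK-storm mechanics Jason Keimig lays out earlier in this thread can be reproduced offline. The simulation below is an added example written for this archive page, not any poster's code: two idle endpoints react to one constructed forged segment exactly as the two RFC 793 rules quoted in its docstring prescribe, the storm runs until the network loses a packet (which is what Jason says ends it), and a detector then flags the run of repeated pure ACKs. All sequence numbers, hostnames and the drop point are constructed.

```python
"""TCP ACK storm after a session hijack, simulated offline.

Added example for this archive page, not any poster's code.  Only the two
RFC 793 reactions that drive the storm are modelled:
  * a segment whose SEQ falls outside the receive window is dropped and
    answered with <SEQ=SND.NXT><ACK=RCV.NXT><CTL=ACK>;
  * a segment whose ACK covers data not yet sent (SEG.ACK > SND.NXT) is
    dropped and answered with the same kind of ACK.
Endpoints are idle and only react; neither sends application data itself.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    seq: int
    ack: int
    data: bytes = b""


@dataclass
class Endpoint:
    name: str
    snd_nxt: int        # next sequence number this side will send
    rcv_nxt: int        # next sequence number this side expects
    rcv_wnd: int = 4096

    def _pure_ack(self, to: str) -> Segment:
        return Segment(self.name, to, self.snd_nxt, self.rcv_nxt)

    def receive(self, seg: Segment) -> Optional[Segment]:
        """Process one arriving segment and return the reply, if any."""
        if not (self.rcv_nxt <= seg.seq < self.rcv_nxt + self.rcv_wnd):
            return self._pure_ack(seg.src)      # unacceptable SEQ: ACK and drop
        if seg.ack > self.snd_nxt:
            return self._pure_ack(seg.src)      # ACK for unsent data: ACK and drop
        if seg.data and seg.seq == self.rcv_nxt:
            self.rcv_nxt += len(seg.data)       # in-order data: accept and ACK it
            return self._pure_ack(seg.src)
        return None                             # in-state pure ACK: nothing to say


def simulate(drop_after: int) -> List[Segment]:
    """Inject one forged data segment into an idle connection and return
    every segment seen on the wire.  The network delivers `drop_after`
    segments and then loses the next one, which is what ends the storm."""
    client = Endpoint("client", snd_nxt=1000, rcv_nxt=5000)
    server = Endpoint("server", snd_nxt=5000, rcv_nxt=1000)
    peers = {"client": client, "server": server}
    # Constructed forgery: it carries the client's exact next SEQ, so the
    # server accepts it and advances RCV.NXT; the real client never sent it.
    wire = [Segment("client", "server", seq=1000, ack=5000, data=b"x" * 10)]
    for _ in range(drop_after):
        reply = peers[wire[-1].dst].receive(wire[-1])
        if reply is None:
            break
        wire.append(reply)
    return wire         # wire[-1] is the segment the network lost


def detect_ack_storm(segments: List[Segment], threshold: int = 6) -> bool:
    """Flag a run of data-less segments that keep repeating the same
    (sender, SEQ, ACK) triples.  A healthy connection never trades that
    many pure ACKs back and forth with no data in between."""
    seen, repeats = set(), 0
    for seg in segments:
        if seg.data:
            seen, repeats = set(), 0            # data resets the run
            continue
        key = (seg.src, seg.seq, seg.ack)
        if key in seen:
            repeats += 1
            if repeats >= threshold:
                return True
        else:
            seen.add(key)
    return False


if __name__ == "__main__":
    storm = simulate(drop_after=20)
    for seg in storm[:5]:
        print(f"{seg.src:6s} -> {seg.dst:6s} SEQ={seg.seq} ACK={seg.ack} "
              f"len={len(seg.data)}")
    print("... storm detected:", detect_ack_storm(storm))
```

With an early loss (simulate(drop_after=3)) only one repeated ACK is seen and nothing is flagged, which is why Marc calls server-side detection a matter of luck.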
Kind regards, Marc Heuse

This message and any statements expressed therein are those of myself and not of the Deutsche Bank AG or its subsidiary companies.

Type Bits/KeyID Date User ID pub 2048/DB5C03C5 1997/09/23 Marc Heuse

From owner-firewalls-list Thu Nov 6 03:41:04 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id DAA14117; Thu, 6 Nov 1997 03:15:44 -0800 (PST) Received: from tom.fjcomp.com (tom.fjcomp.com [194.200.142.228]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id DAA14109 for ; Thu, 6 Nov 1997 03:15:36 -0800 (PST) Received: from tilly.fjcomp.com ([145.227.24.19]) by tom.fjcomp.com (Netscape Mail Server v2.02) with ESMTP id AAA1854 for ; Thu, 6 Nov 1997 11:12:47 +0000 Received: from minn.dsbc.icl.co.uk ([145.227.19.59]) by tilly.fjcomp.com (Netscape Mail Server v2.02) with ESMTP id AAA9088; Thu, 6 Nov 1997 11:12:24 +0000 Received: (from mbm@localhost) by minn.dsbc.icl.co.uk (8.8.7/8.8.5) id LAA03425; Thu, 6 Nov 1997 11:14:19 GMT From: Malcolm Mladenovic Message-Id:
<199711061114.LAA03425@minn.dsbc.icl.co.uk> Subject: Re: Ever seen this in practice?? To: cbrenton@sover.net Date: Thu, 6 Nov 1997 11:14:19 +0000 (GMT) Cc: firewalls@greatcircle.com In-Reply-To: <345E8D1E.D9F2ABEC@sover.net> from "Chris Brenton" at Nov 3, 97 09:49:02 pm Reply-To: mbm@fjcomp.com (Malcolm Mladenovic) Organization: Fujitsu, Bracknell, Berkshire, UK Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > So has anyone actually ever seen this before? If so, how does a firewall > deal with this type of connection? This would speak volumes to > inspecting payload. I would assume that a firewall/filter that simply > makes decisions based upon the data located at a certain offset from the > preamble field would probably miss this. Sounds like TMux - RFC 1692. I don't know what its current status is. There is a paragraph in the RFC suggesting that non-TMux routers should be set to block all TMux packets - causing the hosts to fall back to normal. -Malcolm From owner-firewalls-list Thu Nov 6 03:55:22 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id DAA16487; Thu, 6 Nov 1997 03:39:16 -0800 (PST) Received: from oakland-ws-34.clark.net (oakland-ws-34.clark.net [204.245.172.34]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id DAA16480 for ; Thu, 6 Nov 1997 03:39:09 -0800 (PST) From: mht@clark.net Received: from highlander (187.middletown-07.va.dial-access.ATT.net [12.68.19.187]) by oakland-ws-34.clark.net (8.8.5/8.8.5) with SMTP id GAA18336; Thu, 6 Nov 1997 06:54:17 -0500 Message-Id: <3.0.3.32.19971106063624.00a333f0@pop.clark.net> X-Sender: mht@pop.clark.net X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Thu, 06 Nov 1997 06:36:24 -0500 To: Joe Smith , firewalls@GreatCircle.COM Subject: Re: SSL WatchGuard Cc: Kimberly Chen In-Reply-To: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk For more 
information about Seattle Software Laboratories WatchGuard Firebox 10/100 products, please refer to the following URL: www.watchguard.com

For general sales inquiries please email sales@watchguard.com.

At 07:50 AM 11/4/97 -0400, Joe Smith wrote:
>Greetings
>
>I have been tasked with looking at several firewalls, and I have been
>reading your posts with interest. The reviews that I have read have rated
>CheckPoint, WatchGuard and SunScreen the highest. The one that I am
>tending towards is the WatchGuard system.
>
>Do any of you on this list have RL experience with it? Are there any other
>problems with WatchGuard that I should know about?
>
>Thanks for the help!
>
>John
>

From owner-firewalls-list Thu Nov 6 05:44:33 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA18711; Thu, 6 Nov 1997 05:06:45 -0800 (PST) Received: from gatekeeper.oss.akzonobel.nl (gatekeeper.oss.akzonobel.nl [192.87.3.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id FAA18703 for ; Thu, 6 Nov 1997 05:06:37 -0800 (PST) Received: (from mail@localhost) by gatekeeper.oss.akzonobel.nl (8.7.5/8.7.3) id OAA25588 for ; Thu, 6 Nov 1997 14:20:34 +0100 (MET) Received: from apou02.akzonobel.nl(145.49.90.250) by gatekeeper.oss.akzonobel.nl via smap (V2.0alpha) id xma029607; Thu, 6 Nov 97 14:17:36 +0100 Received: by apou02.akzonobel.nl id OAA04967; Thu, 6 Nov 1997 14:03:25 GMT Date: Thu, 6 Nov 1997 14:03:25 GMT Received: from umc by apou02.akzonobel.nl via MR/VESTA with conversational-MRIF; Thu, 06 Nov 97 14:03:24 +0000 Posted: Thu, 06 Nov 97 07:54:33 +0000 From: "Donald Six" Message-ID: <1733540706111997/A00723/FATHER> App-Message-ID: <1733540706111997/A00723/FATHER/11BB31F61D00> To: "Firewalls Mailing List" Reply-Requested-From: "Firewalls Mailing List" Subject: A review or last opinion Sensitivity: Company-Confidential Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I am looking for a review, or anyone's opinion, on Network-1's
FireWall/Plus firewall.

From owner-firewalls-list Thu Nov 6 05:59:33 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA21863; Thu, 6 Nov 1997 05:44:13 -0800 (PST) Received: from hq15.pcmail.ingr.com (hq15.pcmail.ingr.com [129.135.251.243]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id FAA21092 for ; Thu, 6 Nov 1997 05:36:21 -0800 (PST) Received: by HQ15 with Internet Mail Service (5.0.1458.49) id ; Thu, 6 Nov 1997 07:36:36 -0600 Message-ID: From: "Jarmon, Don R" To: "'Andreas Siegert'" Cc: "'firewalls'" Subject: RE: Bay networks and filtering Date: Thu, 6 Nov 1997 07:36:34 -0600 X-Priority: 3 X-Mailer: Internet Mail Service (5.0.1458.49) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Here are some template examples. These filter templates reside in the wf/config directory. Construct filters for the interface's inbound traffic. The answer to your questions is yes. Bay Networks' filtering capabilities seem to be one of their best kept secrets. Some of the features are software version dependent. Hope this helps. If not, 1-800-2LANWAN.

> -----Original Message-----
> From: Andreas Siegert [SMTP:afx@ibm.de]
> Sent: Tuesday, November 04, 1997 10:48 AM
> To: 'firewalls'
> Subject: Bay networks and filtering
>
> Hi,
>
> I am looking for information on the filtering capabilities of Bay networks
> routers. I know that there is a firewall-1 module for them, but I am looking
> for the basic stuff. Can I do sensible Syn/Ack checks with plenty of rules,
> specific to in and outbound traffic? Can I log all specific to rules?
>
> I have seen quite a few of their web pages, but all I found was rather crude
> (only 31 rules, no SYN/ACK check), is that really true in current releases?
>
> thanks for any hints
> afx
> --
> Andreas Siegert afx@ibm.de / afx@barolo.munich.de.ibm.com / AFX at IPNET
> PGP Key:http://www.muc.de/~afx/pubkey.asc, KeyId AB26FD05

begin 600 TEMPLATE.FLT
end

From owner-firewalls-list Thu Nov 6 06:30:03 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA27132; Thu, 6 Nov 1997 06:14:27 -0800 (PST) Received: from mail1.eni.net (mail1.eni.net [205.214.51.15]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id FAA23986 for ; Thu, 6 Nov 1997 05:56:27 -0800 (PST) Received: from rzedeck.eni.net ([206.135.230.58]) by mail1.eni.net (8.8.5/8.8.5) with SMTP id FAA21260; Thu, 6 Nov 1997 05:57:31 -0800 (PST) Received: by rzedeck.eni.net with Microsoft Mail id <01BCEA91.7FF436C0@rzedeck.eni.net>; Thu, 6 Nov 1997 08:53:49 -0500 Message-ID: <01BCEA91.7FF436C0@rzedeck.eni.net> From: Rachel Zedeck To: "firewalls@GreatCircle.COM" , "'Roberta Long'" Subject: RE: Info about v-one products? Date: Thu, 6 Nov 1997 08:53:49 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Roberta: I've finished their firewall training for three of their product sets. This product's focus has been changed from a stand alone firewall to a bundled product. I would be happy to give you more information on it depending on the application you need. It works very well with Gauntlet, Raptor, even Checkpoint and uses some fine grain filtering tools which are very interesting.

Rachel

----------
From: Roberta Long[SMTP:robertal@digex.net]
Sent: Wednesday, November 05, 1997 12:28 PM
To: firewalls@GreatCircle.COM
Subject: Info about v-one products?

Someone has been asking me about these products. Can anyone provide me with first-hand experiences in dealing with this company and their products?
Roberta

From owner-firewalls-list Thu Nov 6 10:49:57 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA06576; Thu, 6 Nov 1997 06:58:52 -0800 (PST) Received: from gateway.adidasus.com (spfrw001.adidasus.com [208.146.114.30]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id GAA06505 for ; Thu, 6 Nov 1997 06:58:33 -0800 (PST) Received: by gateway.adidasus.com; id JAA09710; Thu, 6 Nov 1997 09:58:35 -0500 (EST) Received: from unknown(10.75.10.7) by gateway.adidasus.com via smap (4.0a) id xma009707; Thu, 6 Nov 97 09:58:09 -0500 Message-ID: <3461DB2C.99A0C536@internetmci.com> Date: Thu, 06 Nov 1997 09:58:52 -0500 From: Tim Lebrun X-Mailer: Mozilla 4.03 [en] (Win95; U) MIME-Version: 1.0 To: Chris Lonvick CC: NetSea , firewalls@GreatCircle.COM Subject: Re: Help : Cisco access list References: <2.2.32.19971106061246.006de0a0@localhost> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Is there a cisco mailing list that anyone knows of ??????

Chris Lonvick wrote:
> Hello Hong,
>
> Take a look at
> http://www/warp/public/701/31.html
> to see some options on how you can accomplish this as well as how
> to take some other security measures.
>
> Hope this helps,
>
> Chris Lonvick
> Cisco Systems
> Corporate Consulting
> Houston, TX, USA
> +1.713.778.5663
>
> At 12:05 PM 11/5/97 +0800, NetSea wrote:
> >Hi, everybody,
> >
> >I have a CISCO 4500 router (A) in my office. It connects
> >
> >
> >    Router A (in my office)     Router B ( from ISP )
> >     _______                     _______
> >    |       |s0               s0|       |
> >    |_______|-------------------|_______|--------- INTERNET
> >    xxx.xxx.xxx.aa              xxx.xxx.xxx.bb
> >
> >
> >to a Router (B) from ISP. What I want to do is that all hosts in my
> >office can access Internet resources such as WWW, but the outside
> >world can not access any host in my office through the routers. How
> >should I configure the routers to achieve that?
> >
> >Thanks in advance!
> >
> >Hong
> >
> >----------------------------------------------
> >Shen Hong Network Engineer
> >NetSea Computer Co. Ltd.
> >E-mail: netsea@public.sta.net.cn
> >----------------------------------------------
> >
> >
> >
>

From owner-firewalls-list Thu Nov 6 11:00:06 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA13565; Thu, 6 Nov 1997 10:17:42 -0800 (PST) Received: from tavor.openu.ac.il (tavor.openu.ac.il [147.233.128.1]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id IAA28620 for ; Thu, 6 Nov 1997 08:52:27 -0800 (PST) Received: from ramon.openu.ac.il[rafi] by tavor.openu.ac.il with SMTP id AA27941 (5.67a8/IDA-1.5 for ); Thu, 6 Nov 1997 18:52:33 +0200 Received: from localhost (nullhost.openu.ac.il)[] by ramon.openu.ac.il with SMTP id AA19948 (5.67a8/IDA-1.5); Thu, 6 Nov 1997 18:52:29 +0200 Date: Thu, 6 Nov 1997 18:52:27 +0200 (IST) From: Rafi Sadowsky X-Sender: rafi@ramon To: Donald Six Cc: Firewalls Mailing List Subject: Re: A review or last opinion { Network-1 Firewall plus ] In-Reply-To: <1733540706111997/A00723/FATHER> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I would appreciate copies of this if possible

thanks, Rafi

--
Rafi Sadowsky               rafi@oumail.openu.ac.il
Network/System/Security     VoiceMail: +972-3-646-0592 FAX: +972-3-646-5410
Mangler ( :-)             | member ILAN-CERT(CERT-L@VM.TAU.AC.IL)
Open University of Israel | (PGP key -> ) http://telem.openu.ac.il/~rafi

On Thu, 6 Nov 1997, Donald Six wrote:
> I am looking for a review, or anyone's opinion, on Network-1's FireWall/Plus
> firewall.
>

From owner-firewalls-list Thu Nov 6 11:07:26 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA11723; Thu, 6 Nov 1997 10:08:02 -0800 (PST) Received: from caladan.verisign.com (caladan.verisign.com [205.180.232.21]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id KAA11698 for ; Thu, 6 Nov 1997 10:07:52 -0800 (PST) Received: from mentat.verisign.com by caladan.verisign.com (8.8.5/BCH1.0) id KAA19035; Thu, 6 Nov 1997 10:07:50 -0800 (PST) Received: from arrakis.verisign.com by mentat.verisign.com (8.8.5/BCH1.0) id KAA09283; Thu, 6 Nov 1997 10:07:45 -0800 (PST) Received: by arrakis.verisign.com (SMI-8.6/SMI-SVR4) id KAA28804; Thu, 6 Nov 1997 10:07:42 -0800 Date: Thu, 6 Nov 1997 10:07:42 -0800 From: varmav@verisign.com (Vik Varma) Message-Id: <199711061807.KAA28804@arrakis.verisign.com> To: murthy@sparc03.barc.ernet.in Subject: Re: Your Message Sent on Tue, 4 Nov 1997 11:56:45 +0530 (IST) Cc: Firewalls@GreatCircle.COM Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Content-MD5: qeOUmx+G21K+y05qF9Pbeg== Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> Thanks for the reply sir!
>
> Actually I don't want to use NAT as it consumes more time for each packet.
> I want to have a simple filter which takes forwarding decisions based
> on IP address only and it should not go for NAT.
>
> Is there any such firewall software available ?

Sure. That's just a normal packet filter firewall. Check out Firewall-1 from CheckPoint or PIX from Cisco, to mention only two. Of course, there are many others as well.
-- Vik Varma VeriSign, Inc System Administrator (650) 429-3352 Operations, Information Systems Vik.Varma@verisign.com From owner-firewalls-list Thu Nov 6 11:14:49 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA10343; Thu, 6 Nov 1997 10:00:12 -0800 (PST) Received: from fcdcfw.co.franklin.oh.us (co.franklin.oh.us [198.234.34.194]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id JAA10208 for ; Thu, 6 Nov 1997 09:59:47 -0800 (PST) Received: from cmplser1.co.franklin.oh.us by fcdcfw.co.franklin.oh.us (AIX 4.1/UCB 5.64/4.03) id AA17806; Thu, 6 Nov 1997 12:57:32 -0500 Received: from fcdcemail.co.franklin.oh.us by cmplser1.co.franklin.oh.us (Lotus SMTP MTA v1.05 (274.9 11-27-1996)) with SMTP id 85256547.00635277; Thu, 6 Nov 1997 13:04:51 -0400 Received: from fcdcy684 ([10.0.9.121]) by fcdcemail.co.franklin.oh.us (Netscape Mail Server v2.0) with SMTP id AAA40 for ; Thu, 6 Nov 1997 12:56:53 -0500 Message-Id: <3.0.3.32.19971106130004.009526d0@mail> X-Sender: dbmcglumphy@mail X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Thu, 06 Nov 1997 13:00:04 -0500 To: firewalls@GreatCircle.COM From: dbmcglumphy@co.franklin.oh.us (David B. McGlumphy) Subject: Proxy recommendations Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello, I am the Webmaster for a county data center in Ohio. We currently are using a RISC/6000 box running IBM's SNG on AIX and Netscape's Proxy Server. The proxy seems to hang for long periods of time after a few hours of running, forcing us to do frequent restarts. We have a brand new Risc box in and are looking at alternatives to Netscape's Proxy Server. Does anyone have any suggestions for a good proxy server? We are looking at ~500 users doing only http (for now). 
Thanks for any help,
Dave McGlumphy

David McGlumphy, WebMaster         PHONE: (614) 462-6795
Franklin County Data Center        FAX: (614) 462-6311
373 South High Street 9th Flr.     Internet: dbmcglumphy@co.franklin.oh.us
Columbus, Ohio 43215               dmcglump@ix.netcom.com
                                   ef770@kanga.cwru.edu

** The opinions expressed herein are those of the author and not those of Franklin County Data Center or any other company, governmental agency, or organization. **

__ _ _ _ () , | LINUX / ) ' ) ) ) /`-'| /) / |Choice of a / / __. , ___ / / / _. / / // . . ____ _ /_ , ,| GNU /__/_(_(__\/ (<_ / ' (_(_ /__-<_(/_(_/_/) ) )_/_)_/ /_(_/_|generation / / | ' '

From owner-firewalls-list Thu Nov 6 11:20:28 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA17660; Thu, 6 Nov 1997 10:49:49 -0800 (PST) Received: from sla-nt2.sla.com (mail1.sla.com [207.153.168.35]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id KAA17618 for ; Thu, 6 Nov 1997 10:49:38 -0800 (PST) Received: by mail1.sla.com with Internet Mail Service (5.0.1457.3) id ; Thu, 6 Nov 1997 10:46:41 -0800 Message-ID: From: "Stackpole, Bill" To: "'anton horvath'" , firewalls@GreatCircle.COM Subject: RE: Cisco config examples Date: Thu, 6 Nov 1997 10:46:39 -0800 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1457.3) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

All the Cisco IOS documentation is available via their web site and most include examples. The docs are divided into two parts (a command reference and a "how to" guide) so make sure and look at both sets of documents to get the whole picture.

> -----Original Message-----
> From: anton horvath [SMTP:hvt@vie.co.at]
> Sent: Thursday, November 06, 1997 1:26 AM
> To: firewalls@GreatCircle.COM
> Subject: Cisco config examples
>
> Hi,
>
> I have little chance to work with a cisco, but I am often asked
> to look into configs of our partners.
>
> Could someone point me to detailed and well explained configuration
> examples on the net.
>
> thanks, anton
>
> --
> Office address (Vienna Airport) :      Private address :
> Co. Anton Horvath                      Anton Horvath
> Flughafen Wien AG.                     Hptpl. 31
> Postfach 1
> A-1300, Vienna                         A-7100, Neusiedl/See
> Austria                                Austria
> Voice: (++43 - 1) 7007 Ext: 2837       Voice: (++43 - 02167) 8560
> Fax: (++43 - 1) 7007 Ext: 5188
> EMail: hvt@vie.co.at

From owner-firewalls-list Thu Nov 6 12:09:26 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA16783; Thu, 6 Nov 1997 07:48:02 -0800 (PST) Received: from cheez.lowprofile.net (cheez.lowprofile.net [206.97.249.88]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id HAA16753 for ; Thu, 6 Nov 1997 07:47:51 -0800 (PST) Received: from cheez.lowprofile.net (cheez.lowprofile.net [206.97.249.88]) by cheez.lowprofile.net (8.8.5/8.8.5) with SMTP id JAA02452; Thu, 6 Nov 1997 09:14:52 -0600 Date: Thu, 6 Nov 1997 09:14:51 -0600 (CST) From: "Daniel \"Cheez\" Brown" To: NetSea cc: firewalls@GreatCircle.COM Subject: Re: Help : Cisco access list In-Reply-To: <345FF08C.981DE78A@public.sta.net.cn> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Utilize an inside and outside access listing configuration in which packets not requested are denied.

+----Daniel "Cheez" Brown------------Global Data Systems-------+
| http://cheez.lowprofile.net  | Security Advisor, Global Reach  |
| cheez@cheez.lowprofile.net   | Computer Networking Specialist  |
| cheez@globalreach.net        | Remote Management Specialist    |
| cheez@hotmail.com            | Linux/Windows NT Specialist     |
+------If at first you don't succeed, redefine success.--------+

On Wed, 5 Nov 1997, NetSea wrote:

Date: Wed, 05 Nov 1997 12:05:33 +0800
From: NetSea
To: firewalls@GreatCircle.COM
Subject: Help : Cisco access list

Hi, everybody,

I have a CISCO 4500 router (A) in my office.
It connects

    Router A (in my office)     Router B ( from ISP )
     _______                     _______
    |       |s0               s0|       |
    |_______|-------------------|_______|--------- INTERNET
    xxx.xxx.xxx.aa              xxx.xxx.xxx.bb

to a Router (B) from ISP. What I want to do is that all hosts in my office can access Internet resources such as WWW, but the outside world can not access any host in my office through the routers. How should I configure the routers to achieve that?

Thanks in advance!

Hong

----------------------------------------------
Shen Hong Network Engineer
NetSea Computer Co. Ltd.
E-mail: netsea@public.sta.net.cn
----------------------------------------------

From owner-firewalls-list Thu Nov 6 13:20:51 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA01865; Thu, 6 Nov 1997 11:59:53 -0800 (PST) Received: from tavor.openu.ac.il (tavor.openu.ac.il [147.233.128.1]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id LAA01683 for ; Thu, 6 Nov 1997 11:59:16 -0800 (PST) Received: from ramon.openu.ac.il[rafi] by tavor.openu.ac.il with SMTP id AA02751 (5.67a8/IDA-1.5 for ); Thu, 6 Nov 1997 21:59:41 +0200 Received: from localhost (nullhost.openu.ac.il)[] by ramon.openu.ac.il with SMTP id AA20195 (5.67a8/IDA-1.5); Thu, 6 Nov 1997 21:59:38 +0200 Date: Thu, 6 Nov 1997 21:59:35 +0200 (IST) From: Rafi Sadowsky X-Sender: rafi@ramon To: "David B.
McGlumphy" Cc: firewalls@GreatCircle.COM Subject: Re: Proxy recommendations In-Reply-To: <3.0.3.32.19971106130004.009526d0@mail> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

you may want to try Squid: http://squid.nlanr.net/Squid/
it's a PD version of harvest ( high ) which is a high performance http proxy -even though netscape proxy works fine

--
Rafi Sadowsky               rafi@oumail.openu.ac.il
Network/System/Security     VoiceMail: +972-3-646-0592 FAX: +972-3-646-5410
Mangler ( :-)             | member ILAN-CERT(CERT-L@VM.TAU.AC.IL)
Open University of Israel | (PGP key -> ) http://telem.openu.ac.il/~rafi

On Thu, 6 Nov 1997, David B. McGlumphy wrote:
> Hello,
> I am the Webmaster for a county data center in Ohio. We currently are
> using a RISC/6000 box running IBM's SNG on AIX and Netscape's Proxy Server.
> The proxy seems to hang for long periods of time after a few hours of
> running, forcing us to do frequent restarts. We have a brand new Risc box
> in and are looking at alternatives to Netscape's Proxy Server. Does anyone
> have any suggestions for a good proxy server? We are looking at ~500 users
> doing only http (for now). Thanks for any help,
> Dave McGlumphy
>
>
>
> David McGlumphy, WebMaster         PHONE: (614) 462-6795
> Franklin County Data Center        FAX: (614) 462-6311
> 373 South High Street 9th Flr.     Internet: dbmcglumphy@co.franklin.oh.us
> Columbus, Ohio 43215               dmcglump@ix.netcom.com
>                                    ef770@kanga.cwru.edu
>
> ** The opinions expressed herein are those of the author and not those
> of Franklin County Data Center or any other company, governmental
> agency, or organization. **
> __ _ _ _ () , | LINUX > / ) ' ) ) ) /`-'| /) / |Choice of a > / / __. , ___ / / / _. / / // . .
____ _ /_ , ,| GNU > /__/_(_(__\/ (<_ / ' (_(_ /__-<_(/_(_/_/) ) )_/_)_/ /_(_/_|generation > / / | > ' ' > From owner-firewalls-list Thu Nov 6 13:22:10 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA27101; Thu, 6 Nov 1997 11:39:22 -0800 (PST) Received: from mtigwc04.worldnet.att.net (mtigwc04.worldnet.att.net [204.127.131.33]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id LAA26893 for ; Thu, 6 Nov 1997 11:38:41 -0800 (PST) Received: from zepher.milkyway.com ([12.70.0.195]) by mtigwc04.worldnet.att.net (post.office MTA v2.0 0613 ) with SMTP id AAB21700; Thu, 6 Nov 1997 19:39:09 +0000 Message-Id: <3.0.3.32.19971106143424.006c6ef4@postoffice.worldnet.att.net> X-Sender: jsk347@postoffice.worldnet.att.net X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Thu, 06 Nov 1997 14:34:24 -0500 To: "Franco RUGGIERI" , "Billy Verreynne" From: Steve Kruse Subject: Re: R: Unlimited Users Firewalls Cc: "GreatCircle forum" In-Reply-To: <199711052319.AAA04439@pinux.selfin.net> Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Ok, all, not to make a blatantly commercial statement here...hold your flames!! However, at Milkyway, our evaluation of the NT stack caused us to completely throw it out and *replace it* with a fully hardened stack. As far as I know, we are the only FW company producing an NT version that does that, rather than just patching / diddling with the NT version of the stack. Of course, we believe we have the better mouse trap!!!! Download an eval at http://www.milkyway.com if you want to check it out. I say that this is not a "commercial posting" in that I am merely agreeing that others feel the NT stack is not secure, but to educate that there ARE ways to have NT and still be secure! Comments welcome ... Flames ignored with vigor! 
Steve Kruse

At 03:12 PM 11/5/97 +0000, Franco RUGGIERI wrote:
>Billy,
>maybe I'm biased by my deep love towards a company whose workhorse (dubbed
>by the year it was finally released) too many times so far has left me
>stranded, by just losing few, but meaningful, kilobytes of key stuff.
>When you say: "The problem I believe is that NT's IP is not always robust
>enough to survive a hacker attack." you are firing an A-bomb, IMHO. Aren't
>you?
>Do I correctly understand you if I say that, since firewalls are here to
>ward off hackers' attacks, it's better not to rely on an NT since its IP
>isn't up to the task we want to use it?
>This reminds me of having heard that, in the early decades of this century,
>a racing car maker overlooked the importance of brakes by saying: "My cars
>are to run, not to stop". It has disappeared from the marketplace.
>
>-------------------------------
>Franco RUGGIERI
>fruggieri@selfin.net
>
>----------
>> From: Billy Verreynne
>> To: ygerman@genre.com; yati@mod.gov.my
>> Cc: Firewalls@GreatCircle.COM
>> Subject: Re: Unlimited Users Firewalls
>> Date: Thursday 23 October 1997 10.32
>>
>> > ygerman@genre.com wrote:
>>
>> > I would also say stay away from NT firewalls because the NT TCP/IP
>> > stack is not as robust as Unix in a high volume environment.
>>
>> On what facts do you base this? AFAIK the problems with Microsoft's
>> implementation of TCP/IP have more to do with incorrectly handling packets
>> that were incorrectly assembled (e.g. the OOB problem which gave all the
>> dumb snotty nose wannabe hackers a hard on) . But even Unix TCP/IP do not
>> always respond as it should - what about SYN stealth scans?
>>
>> A company I know have been using NT with SQL-Server across a WAN for a
>> number of years now. The volumes are pretty high - hundreds of users doing
>> OLTP transactions.
The problem has never been with TCP/IP on NT, but >rather >> with SQL-Server and the Microsoft client (Win95) DB library.=20 >>=20 >> I have worked with NT since the first beta, and TCP/IP IMHO was never a >> problem, but rather the use of it (like running NetBIOS pipes across >TCP/IP >> instead of using sockets). Of course Microsoft was naive in believing >they >> could implement the RFCs for TCP/IP without paying much attention to >wrong >> IP packets. But remember these IP packets are almost always the result of >> hacker attacks. In a standard high volume business environment NT's IP is >> stable and robust enough IMHO. The problem I believe is that NT's IP is >not >> always robust enough to survive a hacker attack. >>=20 >> NT has received a lot of flak, especially from the Unix lovers, but it is >> still a good operating system and one that is used (as with Unix) >> throughout the world by many companies for running mission critical >> applications. >>=20 >> regards, >> Billy > ***************************************************** * Steve Kruse Milkyway Networks * * Network Systems Engineer 1342 E. Vine St. 
#224 * * 407-847-8977 Voice Kissimmee, FL 34744 * * 407-847-7203 Fax http://www.milkyway.com * ***************************************************** From owner-firewalls-list Thu Nov 6 13:23:50 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA12871; Thu, 6 Nov 1997 12:41:44 -0800 (PST) Received: from NetComm.IE (carpet.rotterdam.luna.net [194.151.24.5]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id MAA12799 for ; Thu, 6 Nov 1997 12:41:25 -0800 (PST) Received: from kevinbr.horizon.ie (mobile-104-113.horizon.ie [193.120.104.113]) by NetComm.IE (8.8.5/8.8.3) with SMTP id VAA11710; Thu, 6 Nov 1997 21:41:11 GMT Message-Id: <3.0.5.32.19971106203931.007c8100@www.netcomm.ie> X-Sender: kevinbr@www.netcomm.ie X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.5 (32) Date: Thu, 06 Nov 1997 20:39:31 +0000 To: dbmcglumphy@co.franklin.oh.us (David B. McGlumphy), firewalls@GreatCircle.COM From: Kevin Brown Subject: Re: Proxy recommendations In-Reply-To: <3.0.3.32.19971106130004.009526d0@mail> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, Look at squid........ Kevin At 13:00 06/11/97 -0500, David B. McGlumphy wrote: >Hello, > I am the Webmaster for a county data center in Ohio. We currently are >using a RISC/6000 box running IBM's SNG on AIX and Netscape's Proxy Server. > The proxy seems to hang for long periods of time after a few hours of >running, forcing us to do frequent restarts. We have a brand new Risc box >in and are looking at alternatives to Netscape's Proxy Server. Does anyone >have any suggestions for a good proxy server? We are looking at ~500 users >doing only http (for now). Thanks for any help, > Dave McGlumphy > > > >David McGlumphy, WebMaster PHONE: (614) 462-6795 >Franklin County Data Center FAX: (614) 462-6311 >373 South High Street 9th Flr. 
Internet: dbmcglumphy@co.franklin.oh.us >Columbus, Ohio 43215 dmcglump@ix.netcom.com > ef770@kanga.cwru.edu > >** The opinions expressed herein are those of the author and not those >of Franklin County Data Center or any other company, governmental >agency, or organization. ** > __ _ _ _ () , | LINUX > / ) ' ) ) ) /`-'| /) / |Choice of a > / / __. , ___ / / / _. / / // . . ____ _ /_ , ,| GNU >/__/_(_(__\/ (<_ / ' (_(_ /__-<_(/_(_/_/) ) )_/_)_/ /_(_/_|generation > / / | > ' ' > > From owner-firewalls-list Thu Nov 6 13:25:41 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA14283; Thu, 6 Nov 1997 12:47:21 -0800 (PST) Received: from keymaster.rnb.com (keymaster.rnb.com [204.178.81.14]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id MAA03497 for ; Thu, 6 Nov 1997 12:07:39 -0800 (PST) Comments: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Comments: Internet Message: Sender identity is not verified. Comments: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Received: By keymaster.rnb.com via smap (3.2) id xma014803; Thu, 6 Nov 97 15:07:38 -0500 Message-ID: X-Mailer: XFMail 1.2-beta-103097 [p0] on Solaris X-Priority: 3 (Normal) Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 8bit MIME-Version: 1.0 In-Reply-To: <3.0.3.32.19971106130004.009526d0@mail> Date: Thu, 06 Nov 1997 15:07:36 -0500 (EST) Organization: Republic National Bank From: Ken Kempster To: (David B. McGlumphy) Subject: RE: Proxy recommendations Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk We use Gauntlet here. Works good and we're doing over 200,000 hits on http per day. On 06-Nov-97 David B. McGlumphy wrote : > Hello, > I am the Webmaster for a county data center in Ohio. We currently are > using a RISC/6000 box running IBM's SNG on AIX and Netscape's Proxy Server. 
> The proxy seems to hang for long periods of time after a few hours of > running, forcing us to do frequent restarts. We have a brand new Risc box > in and are looking at alternatives to Netscape's Proxy Server. Does anyone > have any suggestions for a good proxy server? We are looking at ~500 users > doing only http (for now). Thanks for any help, > Dave McGlumphy > > > > David McGlumphy, WebMaster PHONE: (614) 462-6795 > Franklin County Data Center FAX: (614) 462-6311 > 373 South High Street 9th Flr. Internet: dbmcglumphy@co.franklin.oh.us > Columbus, Ohio 43215 dmcglump@ix.netcom.com > ef770@kanga.cwru.edu > > ** The opinions expressed herein are those of the author and not those > of Franklin County Data Center or any other company, governmental > agency, or organization. ** > __ _ _ _ () , | LINUX > / ) ' ) ) ) /`-'| /) / |Choice of a > / / __. , ___ / / / _. / / // . . ____ _ /_ , ,| GNU > /__/_(_(__\/ (<_ / ' (_(_ /__-<_(/_(_/_/) ) )_/_)_/ /_(_/_|generation > / / | > ' ' |~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| | Ken Kempster kempster@monarch.rnb.com | | Systems Consultant _\|/_ | | Republic National Bank (o o) | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~oOO-(_)-OOo~~~~~~~~~~~~~~ From owner-firewalls-list Thu Nov 6 13:26:53 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA09781; Thu, 6 Nov 1997 12:30:22 -0800 (PST) Received: from ns (ns.ami.net [207.87.243.1]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id MAA09565 for ; Thu, 6 Nov 1997 12:29:42 -0800 (PST) Received: by ns (5.x/SMI-SVR4) id AA01099; Thu, 6 Nov 1997 15:33:35 -0500 Date: Thu, 6 Nov 1997 15:33:35 -0500 From: destry@ami.net (Richard Fronck) Message-Id: <9711062033.AA01099@ns> To: Firewalls@GreatCircle.COM Subject: syslogd on SunOS doesn't work Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Our SunOS based firewall solution only logs 10% of the log messages! 
This affects every firewall that uses syslogd, running on any SunOS.

I noticed that our throughput totals for our firewalls didn't match up with the totals from the router. I checked the firewall, and it is only logging 10% of the proxy log output during peak utilization.

We generate approximately 3 log messages per connection. We generate approximately 1500 processes/connections per minute. But, we only log approximately 150 - 200 messages per minute. We should log approximately 4500 - 6000 messages per minute.

Here's the problem: (from http://sunsolve.sun.com)

SUN SYSLOG DAEMON BUG INFORMATION:

Bug Id 1144033 states "the streams log driver can drop syslog messages under heavy loads"

Bug Id 1225626 "There is no guarantee that syslog() will actually be successful in its logging. Unfortunately, this works as designed."

Here's the solution: ***NONE***

Sun says that logging is "improved" in Solaris 2.6, but they don't intend to "fix" it. (This would take a re-write of the entire streams library.)

This is what I found. (The code that I used was taken from one of the bug id's and modified slightly.) While the new OS is better, it's still not fixed. Both machines had a load average of >1% at run time.

Solaris 2.5.1 logs 5.559% of the log requests. Logged 559 out of 10,000
Solaris 2.6 logs 87.21% of the log requests. Logged 8721 out of 10,000

uname -a
SunOS hostname001 5.4 G
Search for __m8 in /log_syslog=1000, count= 57
Search for __m9 in /log_syslog=1000, count= 55
wc of /log_syslog= 559 /log_syslog
-- end Results on Solaris 2.5.1 -----------------------------------------

uname -a
SunOS hostname002 5.6 Generic sun4m sparc SUNW,SPARCstation-5
-- Results on Solaris 2.6 -----------------------------------------------
Search for __m0 in /log_syslog=1000, count= 872
Search for __m1 in /log_syslog=1000, count= 872
Search for __m2 in /log_syslog=1000, count= 872
Search for __m3 in /log_syslog=1000, count= 872
Search for __m4 in /log_syslog=1000, count= 872
Search for __m5 in /log_syslog=1000, count= 871
Search for __m6 in /log_syslog=1000, count= 872
Search for __m7 in /log_syslog=1000, count= 872
Search for __m8 in /log_syslog=1000, count= 873
Search for __m9 in /log_syslog=1000, count= 873
wc of /log_syslog= 8721 /log_syslog
-- end Results on Solaris 2.6 -------------------------------------------

-- code ----------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <syslog.h>

/*
 * Point local0 at a scratch file, fire 10,000 syslog() calls as fast as the
 * loop can issue them, then count how many actually reached the file.
 * Must run as root: it replaces /etc/syslog.conf for the duration of the test.
 */
int main(void)
{
    int i, m;
    char cmd[64];

    /* Save the live configuration and install a one-line replacement.
     * syslog.conf wants a TAB between selector and action. */
    system("cp /etc/syslog.conf /rette.syslog.conf");
    system("printf 'local0.debug\\t/log_syslog\\n' > /etc/syslog.conf");
    remove("/log_syslog");
    system("touch /log_syslog");
    system("kill -HUP `cat /etc/syslog.pid`");  /* syslogd re-reads its config */
    sleep(1);

    /* 1000 rounds of ten distinct markers __m0 .. __m9 = 10,000 messages */
    for (i = 0; i < 1000; i++)
        for (m = 0; m < 10; m++)
            syslog(LOG_LOCAL0 | LOG_INFO, "__m%d", m);
    sleep(15);                                  /* let syslogd drain */

    /* Put the real configuration back */
    system("mv /rette.syslog.conf /etc/syslog.conf");
    sleep(1);
    system("kill -HUP `cat /etc/syslog.pid`");
    sleep(1);

    /* Each marker should appear 1000 times; the shortfall is the drop rate */
    for (m = 0; m < 10; m++) {
        printf("\nSearch for __m%d in /log_syslog=%d, count= ", m, i);
        fflush(stdout);                 /* keep our text ahead of grep's */
        sprintf(cmd, "grep -c __m%d /log_syslog", m);
        system(cmd);
    }
    printf("\nwc of /log_syslog= ");
    fflush(stdout);
    system("wc -l /log_syslog");
    return 0;
}
-- end code -------------------------------------------------------------

Thanks,
Destry

From owner-firewalls-list Thu Nov 6 13:28:03 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA14457; Thu, 6 Nov 1997 12:48:42 -0800 (PST)
Received: from mtigwc04.worldnet.att.net (mtigwc04.worldnet.att.net [204.127.131.33]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id LAA26874 for ; Thu, 6 Nov 1997 11:38:39 -0800 (PST)
Received: from zepher.milkyway.com ([12.70.0.195]) by mtigwc04.worldnet.att.net (post.office MTA v2.0 0613 ) with SMTP id AAA21700; Thu, 6 Nov 1997 19:39:05 +0000
Message-Id: <3.0.3.32.19971106142148.006c284c@postoffice.worldnet.att.net>
X-Sender: jsk347@postoffice.worldnet.att.net
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Thu, 06 Nov 1997 14:21:48 -0500
To: hagan@cih.com, Franco RUGGIERI
From: Steve Kruse
Subject: Re: R: Unlimited Users Firewalls
Cc: GreatCircle forum
In-Reply-To:
References: <199711052319.AAA04448@pinux.selfin.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender:
firewalls-owner@GreatCircle.COM Precedence: bulk -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 IMHO...an additional policy would include something to the effect: "...the security manager shall escrow with the (pick one here..President, Technology manager, Operations manager...) office all passwords, access controls, keys and other such mechanisms to which the Security Officer normally has the only access. This information shall be placed in a sealed envelope, proctected by a security seal or other tamperproof mechanism, and locked in a secure cabinet, safe or desk to which only the escrow officer has access. This information shall be updated and re-sealed upon any change within the same business day such changes are made".... If the S.O. **DOES** get hit by a bus, at least SOMEONE can get access to the FW, routers and other things should it become necessary. Comments welcome...Flames Ignored! At 04:59 PM 11/5/97 +0000, Craig I. Hagan wrote: >> Craig, >> please tell me your opinion on this statement of mine (many people have >> been burned alive for much less than that). >> >> A firewall is something that must not be tampered with, so the fewer people >> know something about it (in the organization it is there to protect) the >> better. Thus, a UNIX O.S. is a good thing in an environment where many >> people know NT, i.e. almost everywhere. > >many takes. > >the short one is that if the above were true, and the firewall person >left, was hit by a bus, etc, then the company is *FUCKED*. Additionally, >you may need to change the firewall to reflect changes in security policy >-- after all, the firewall merely enacts policy, it doesn't create it. > >A better method, imho, of saying it (perhaps what you meant) would be: > >" >Firewalls exist to enact corporate security policy. 
Since this policy >changes infrequently, access controls to the firewall should be both >severely restricted, and logged in such a way as to make any and all >actions obvious to an experienced administrator. Additionally, all changes >made to the firewall must go through authorized change control procedures >so that they can accurately reflect the security policy, and the coding >can be properly reviewed to make sure that policy is correctly enacted. >" > >IMHO, knowledge is a good thing: if everyone knew about the firewall, how >it worked, and WHY it did what it did, and even the source code of the >firewall, it shouldn't matter if the firewall properly enacts your >policies (and they demand stringent access control). In fact, if the >people in the company were knowledgeable, then they would likely know the >policy and WHY it was in effect. > >As for the OS choice of the firewall, unix/NT/OS2/mac/DOS/whatever, >security through obscurity is the worst case scenario in that you are >banking on people not knowing something rather than proper access controls >and channels to facilitate this. > >A better question might be: if you are using unix/NT/OS2/mac/DOS/whatever >for a firewall, how could people (both internal and external) gain >unauthorized access to the firewall? If your policy states that this >should not be, then you should take every action to prevent it. For an NT >machine, it may mean not participating in a domain, blocking all of the >RPC/auth/whatever ports,disabling a rack of services,etc. for unix it may >mean not participating in a YP/NIS domain, not running RPC/portmapper and >a myriad of other daemons, etc. same ideas, different OS. But, all comes >down to policy and properly enacting it. > > >-- craig > >--------------------------------------------------------------------- - ---------- >Craig I. 
Hagan "It's a small world, but I wouldn't want to back it up" >hagan(at)cih.com "True hackers don't die, their ttl expires" > "It takes a village to raise an idiot, but an idiot can raze a village" > > Stop the spread of spam, use a sendmail condom! > http://www.cih.com/~hagan/smtpd-hacks > > > -----BEGIN PGP SIGNATURE----- Version: PGP for Personal Privacy 5.0 Charset: noconv iQA/AwUBNGIYqtIk6V3CiVjTEQJeHACfQtXcFobqsoxx/XChihqRGBHU/okAoJst 1l+5ojo5GOdwxN6PTpFaxbkZ =6bY+ -----END PGP SIGNATURE----- ***************************************************** * Steve Kruse Milkyway Networks * * Network Systems Engineer 1342 E. Vine St. #224 * * 407-847-8977 Voice Kissimmee, FL 34744 * * 407-847-7203 Fax http://www.milkyway.com * ***************************************************** From owner-firewalls-list Thu Nov 6 14:01:11 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA22290; Thu, 6 Nov 1997 13:51:16 -0800 (PST) Received: from macmail.sonicsys.com (macmail.sonicsys.com [209.19.28.20]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id NAA22245 for ; Thu, 6 Nov 1997 13:51:03 -0800 (PST) Received: from [209.19.28.54] by with SMTP id BAI2961672997; Thu, 06 Nov 1997 14:56:38 X-Sender: denis@macmail.sonicsys.com Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Thu, 6 Nov 1997 14:53:13 -0800 To: firewalls@GreatCircle.com From: Denis Lesak Subject: Sonic Interpol Sender: firewalls-owner@GreatCircle.COM Precedence: bulk We are a new firewall vendor that is offering the industry's first full featured Internet Security Appliance for $1999. The Interpol features: Web Browser Managed Stateful Inspection packet security ISDN - T1 1 year CyberNOT subscription Remote Access Authentification (MD5 based security) NAT Network Address Translation DMZ for public servers Installs in under 20 minutes! Any questions? 
Please review www.sonicsys.com Contact: sales@sonicsys.com ____________________________________________________________________ Denis Lesak denis@sonicsys.com Regional Sales Manager 408.736.1900 ext 106 575 N Pastoria Ave 408.736.7228 fax Sunnyvale, CA 94086 Web: http://www.sonicsys.com Do you want Plug N Play firewall protection for under $2,000? http://www.sonicsys.com/Interpol.html ____________________________________________________________________ From owner-firewalls-list Thu Nov 6 14:03:32 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA20924; Thu, 6 Nov 1997 13:40:52 -0800 (PST) Received: from powerlite (powerlite.unitedspacealliance.com [161.40.253.23]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id NAA20767 for ; Thu, 6 Nov 1997 13:40:05 -0800 (PST) Received: by powerlite (SMI-8.6/SMI-SVR4) id PAA16294; Thu, 6 Nov 1997 15:28:45 -0600 Date: Thu, 6 Nov 1997 15:28:45 -0600 From: sarak@powerlite.rsoc.rockwell.com (Sara Kensington) Message-Id: <199711062128.PAA16294@powerlite> To: firewalls@GreatCircle.COM Subject: [ANNOUNCE] NASA Computer Security Conference Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Content-MD5: mFlsHr0oas45j/gpHIUkcA== Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Just a short notice for those that have an interest in this sort of thing; There will be a NASA Sponsored Computer Security Conference, Dec 8th-13th 1997, with two and four day workshops given on Dec 8th & 9th and 11th & 12th in Galveston, Texas at the San Luis Resort and Convention Center. 
Dec 10th is pretty much dedicated to product demonstrations and installation classes, and this conference includes examinations and certifications for those that like paper for the wall :) For up-to-date information, please refer to the URL http://www2.unitedspacealliance.com/itse/ or, you can call from 8:00 am to 5:00 pm Central Time, Monday thru Friday toll free: 1-888-258-8859 ext:280 for more information. Sara Kensington IT Security Engineering Team Penetration Testing United Space Alliance sarak@powerlite.rsoc.rockwell.com .ps Please accept my apologies to those who may interpret this as SPAM From owner-firewalls-list Thu Nov 6 17:25:23 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id QAA17542; Thu, 6 Nov 1997 16:02:28 -0800 (PST) Received: from irwin-exch2.army.mil (IRWIN-EXCH2.ARMY.MIL [144.147.50.11]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id QAA17514 for ; Thu, 6 Nov 1997 16:02:17 -0800 (PST) Received: by irwin-exch2.army.mil with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5) id <01BCEACD.6BBEE880@irwin-exch2.army.mil>; Thu, 6 Nov 1997 16:02:45 -0800 Message-ID: From: G2 Security Division To: "'BSTACKPO@sla.com'" , "'firewalls@greatcircle.com'" , "Burnett, Charles" , "McCray, John" Subject: FW: DMZ Implementation Date: Thu, 6 Nov 1997 15:59:25 -0800 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Looks like a classic implementation. Highlighted section on "customers...DMZ hosts...administrative functions" suggested to me that your organization might have a separation of duties between a network security officer and system administrators for various hosts within the DMZ. We are looking at some reorganization possibilities. Contrary to public belief, the government is also susceptible to the "doing more with less" routine. 
Whereas doctrine normally calls for the person owning the system to provide security, most computer specialists focus on connectivity functions. Thus we have to think about retraining traditional security policy people to assume more technically-oriented security duties. KFW >---------- >From: Stackpole, Bill[SMTP:BSTACKPO@sla.com] >Sent: Friday, October 31, 1997 7:58 AM >To: 'Gaddy Gumbao' >Cc: 'firewalls' >Subject: RE: DMZ Implementation > >I can give you my method and I'm sure there are other ways to do this. >I put a third interface into my firewall server and set up rules that >allow external access to hosts on the DMZ limited to the services they >provide (e.g., Web, FTP, etc.) I also set up rules that allow internal >users to access DMZ hosts. Also limited to the services those users >require. And finally I set up rules that allow DMZ hosts to access >specific hosts and services they require on the external and/or internal >network. > >I allow no transparent connections, everything goes though the proxies. >I use different private addressing on the DMZ and internal networks and >I do the manufacture's recommended security fixes and configurations to the DMZ hosts. As a final measure I recommend to my customers that they >have a good backup and restore capability for their DMZ hosts and that they >restrict administrative functions on DMZ hosts to the system >console ONLY. > >> -----Original Message----- >> From: Gaddy Gumbao [SMTP:succesor@mnl.sequel.net] >> Sent: Friday, October 31, 1997 10:34 AM >> To: rob.holman@ganda.demon.co.uk; firewalls@greatcircle.com >> Subject: DMZ Implementation >> >> >> >> >> hi there guys, >> >> Would anyone there would like to help me setup a DMZ. >> Where can I get a reference or a notes on what or how to setup a DMZ. >> >> I 'm running Checkpoint firewall-1 on our Network. 
>> >> Thanks >> >> Gaddy >> System Administrator >> > From owner-firewalls-list Thu Nov 6 22:44:50 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id WAA28107; Thu, 6 Nov 1997 22:33:08 -0800 (PST) Received: from mail.azid.com (diazo.azid.com [207.240.15.195]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id WAA28093 for ; Thu, 6 Nov 1997 22:33:02 -0800 (PST) Received: (qmail 4016 invoked from network); 7 Nov 1997 06:33:41 -0000 Received: from diazo.azid.com (207.240.15.195) by diazo.azid.com with SMTP; 7 Nov 1997 06:33:41 -0000 Date: Thu, 6 Nov 1997 23:33:41 -0700 (MST) From: Eric Johnson To: Joe Smith cc: firewalls@GreatCircle.COM Subject: Re: SSL WatchGuard In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk One more thing: I don't know this for a fact, but empirically it seems that the Firebox slows down noticably if the loghost is under heavy load. So: Pick a capable loghost. --Eric --- Eric Johnson (ej@azid.com) Arizona Internet Developers Inc. (AZID.COM) http://www.azid.com/ +1-602 { 996-9682(v) | 333-2043(f) | 289-1628(p) } On Tue, 4 Nov 1997, Joe Smith wrote: : Date: Tue, 4 Nov 1997 07:50:01 -0400 (AST) : From: Joe Smith : To: firewalls@GreatCircle.COM : Subject: SSL WatchGuard : : Greetings : : I have been tasked with looking at several firewalls, and I have been : reading your posts with interest. The reviews that I have read have rated : CheckPoint, WatchGuard and Sunscrean the highest. The one that I am : tending towards is the WatchGuard system. : : Do any of you on this list have RL experence with it? Are there any other : problems with WatchGuard that I should know about? : : Thanks for the help! 
: : John : From owner-firewalls-list Thu Nov 6 22:59:45 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id WAA27986; Thu, 6 Nov 1997 22:31:00 -0800 (PST) Received: from mail.azid.com (diazo.azid.com [207.240.15.195]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id WAA27979 for ; Thu, 6 Nov 1997 22:30:47 -0800 (PST) Received: (qmail 4009 invoked from network); 7 Nov 1997 06:31:13 -0000 Received: from diazo.azid.com (207.240.15.195) by diazo.azid.com with SMTP; 7 Nov 1997 06:31:13 -0000 Date: Thu, 6 Nov 1997 23:31:13 -0700 (MST) From: Eric Johnson To: Joe Smith cc: firewalls@GreatCircle.COM Subject: Re: SSL WatchGuard In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hey Joe, [ couldn't resist: any Hendrix fans here? ] We use the Firebox here and have installed two so far at client sites. The thing I like least about it so far: in the GUI you get Incoming and Outgoing tabs for each service (eg. ftp) that you allow/deny. With three interfaces, it would be nice if the GUI gave Incoming/Outgoing tabs *for each interface*. Example: The other day, under time pressure, we wanted to drop a box on the (otherwise unused) Optional interface and enable ftp from it to (only) my ftp host on the outside. From the GUI's perspective, Outgoing means Internal/Optional to External; however, I already had a config setup for Any Internal to Any External ftp; to restrict that Optional host to a specific External host hosed my existing rules. However, the GUI writes plaintext config files, so if I got ambitious, I'm sure I could roll-my-own config easily enough, and I have already successfully hand-edited config files. 
It's Linux-based, quick and easy to setup (with the "CIO Friendly"TM Win95 GUI (actually, it's an X GUI ported to Win32: how ironic :-)), logs to a syslog host on the internal interface, can be remotely configured/monitored/rebooted via the GUI; boots from a single floppy, which can be write protected :-) We have not pushed ours very hard, but are told that the 10Mb box will do "wire speed for up to 300 simultaneous sessions", whatever that means. The 10/100Mb box would be more capable still. For $3500 I think it's a smokin' deal. Caveat: AZID is a WatchGuard reseller. Regards, --Eric --- Eric Johnson (ej@azid.com) Arizona Internet Developers Inc. (AZID.COM) http://www.azid.com/ +1-602 { 996-9682(v) | 333-2043(f) | 289-1628(p) } On Tue, 4 Nov 1997, Joe Smith wrote: : Date: Tue, 4 Nov 1997 07:50:01 -0400 (AST) : From: Joe Smith : To: firewalls@GreatCircle.COM : Subject: SSL WatchGuard : : Greetings : : I have been tasked with looking at several firewalls, and I have been : reading your posts with interest. The reviews that I have read have rated : CheckPoint, WatchGuard and Sunscrean the highest. The one that I am : tending towards is the WatchGuard system. : : Do any of you on this list have RL experence with it? Are there any other : problems with WatchGuard that I should know about? : : Thanks for the help! 
: : John From owner-firewalls-list Thu Nov 6 23:29:59 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA04957; Thu, 6 Nov 1997 23:27:07 -0800 (PST) Received: from diablo.cisco.com (diablo.cisco.com [171.68.223.106]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id XAA04948 for ; Thu, 6 Nov 1997 23:27:02 -0800 (PST) Received: from ttruitt-pc.cisco.com (sj-dial-3-4.cisco.com [171.68.179.5]) by diablo.cisco.com (8.8.5/CISCO.SERVER.1.2) with SMTP id XAA10525; Thu, 6 Nov 1997 23:27:02 -0800 (PST) Message-Id: <3.0.3.32.19971106232306.0083cc30@diablo.cisco.com> X-Sender: ttruitt@diablo.cisco.com X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Thu, 06 Nov 1997 23:23:06 -0700 To: Tim Lebrun From: "R. Todd Truitt" Subject: Re: Help : Cisco access list Cc: NetSea , firewalls@GreatCircle.COM In-Reply-To: <3461DB2C.99A0C536@internetmci.com> References: <2.2.32.19971106061246.006de0a0@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 09:58 AM 11/6/97 -0500, Tim Lebrun wrote: >Is there a cisco mailing list that anyone knows of ?????? > Try the newsgroup comp.dcom.sys.cisco. Also, as Chris pointed out, the Cisco web page is very serious and very good. Go to www.cisco.com -> service and support -> docs or tech tips or tech tools. Cheers, --T _________________________________________________________________________ R. Todd Truitt ttruitt@cisco.com Systems Engineer PGP Public Key: Security, Availabilty and Management Specialist http://pgpkeys.mit.edu Cisco Systems, Inc. 
303.220.6164 From owner-firewalls-list Fri Nov 7 01:59:48 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id BAA19975; Fri, 7 Nov 1997 01:50:35 -0800 (PST) Received: from panix2.panix.com (panix2.panix.com [198.7.0.3]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id BAA19968 for ; Fri, 7 Nov 1997 01:50:30 -0800 (PST) Received: (from guy@localhost) by panix2.panix.com (8.8.5/8.7/PanixU1.3) id EAA02903 for firewalls@greatcircle.com; Fri, 7 Nov 1997 04:52:30 -0500 (EST) Date: Fri, 7 Nov 1997 04:52:30 -0500 (EST) From: Information Security Message-Id: <199711070952.EAA02903@panix2.panix.com> To: firewalls@greatcircle.com Subject: Re: [ANNOUNCE] NASA Computer Security Conference Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > From owner-firewalls-list@GreatCircle.COM Thu Nov 6 18:21:40 1997 > > Just a short notice for those that have an interest in > this sort of thing; Maybe, maybe not. > There will be a NASA Sponsored Computer Security Conference, > Dec 8th-13th 1997, with two and four day workshops given on > Dec 8th & 9th and 11th & 12th in Galveston, Texas at the > San Luis Resort and Convention Center. Dec 10th is pretty > much dedicated to product demonstrations and installation > classes, and this conference includes examinations and > certifications for those that like paper for the wall :) > > For up-to-date information, please refer to the URL > > http://www2.unitedspacealliance.com/itse/ Problem! This seminar, "Security Management and the Internet", comes up as: Technology for Information Security Conference `97 We're sorry, this page is under construction. We'll have more information soon. Please stop back. Why, so does seminar, "The Future of Computer Forensics". As does "The Wizard of OZ on Information Security". Why, there are seventeen dead seminars!!! Yes, this _does_ sound like NASA quality stuff. 
You know, like the recent mad scientist B-movie NASA brought us: need seven lightbulbs worth of juice for Cassini? Hey, let's load it up with 72 pounds of ceramicized plutonium! Good thing it didn't blow up on launch. Hopefully, in two years when it does a planetary gravity-assist flyby of Earth at 40,000 miles per hour, it will miss Earth. Because NASA documents say that 20 pounds of the plutonium will become _respirable_ particles. NASA is the last place on Earth one should go to for risk assessment. > Sara Kensington > IT Security Engineering Team > Penetration Testing > United Space Alliance > sarak@powerlite.rsoc.rockwell.com > > .ps Please accept my apologies to those who may > interpret this as SPAM Spam? Why would you be worried a little ol' conference would be spam? # TISC '97 is the first to bring the predominant security relevant # certification programs for both government and industry together, # in one place, at one time, at one cost. # # This year, the Certified Recovery Planner (CRP) by Harris Recovery # Institute and the Certified Information Systems Security Professional # (CISSP) by the International Information Systems Security Certification # Consortium (ISC2) examinations will be offered to those who are qualified # and desire to take the certification examination and who have contacted the # respective associations to arrange seating and payment of certification fees. Right: spam. I remember when the State of New Jersey wanted to certify programmers. It didn't go over well. It didn't happen. The only plus I can see is the "Firewalls and Beyond" seminar is given by a "Marcus Ranum", which is very close to the name of someone well known to the security community. 
---guy
From owner-firewalls-list Fri Nov 7 03:14:50 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id DAA29499; Fri, 7 Nov 1997 03:10:25 -0800 (PST) Received: from iva.laus.hr ([194.152.247.34]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id DAA29490 for ; Fri, 7 Nov 1997 03:10:12 -0800 (PST) Received: from laus.dbk.laus.hr (laus.dbk.laus.hr [194.152.247.130]) by iva.laus.hr (8.8.5/8.8.4) with ESMTP id MAA03326; Fri, 7 Nov 1997 12:08:51 +0100 Received: from sioux (sioux.dbk.laus.hr [194.152.247.137]) by laus.dbk.laus.hr (8.8.5/8.8.4) with SMTP id MAA21163; Fri, 7 Nov 1997 12:11:14 GMT Message-Id: <3.0.2.32.19971107121203.00933160@laus.dbk.laus.hr> X-Sender: mario@laus.dbk.laus.hr X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.2 (32) Date: Fri, 07 Nov 1997 12:12:03 +0200 To: Ken Kempster , (David B. McGlumphy) From: Mario Misic Subject: RE: Proxy recommendations Cc: firewalls@GreatCircle.COM In-Reply-To: References: <3.0.3.32.19971106130004.009526d0@mail> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
At 15:07 1997.11.06 -0500, Ken Kempster wrote:
>We use Gauntlet here. Works well and we're
>doing over 200,000 hits on http per day.
>
>On 06-Nov-97 David B. McGlumphy wrote:
>> Hello,
>> I am the Webmaster for a county data center in Ohio. We currently are
>> using a RISC/6000 box running IBM's SNG on AIX and Netscape's Proxy Server.
>> The proxy seems to hang for long periods of time after a few hours of
>> running, forcing us to do frequent restarts. We have a brand new RISC box
>> in and are looking at alternatives to Netscape's Proxy Server. Does anyone
>> have any suggestions for a good proxy server? We are looking at ~500 users
>> doing only http (for now). Thanks for any help,
Hi! Are you running Gauntlet on an RS/6000 AIX machine? I heard that it is not possible to run Gauntlet on AIX!
By M2 ----- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~ Mario Misic | e-mail: mario@laus.hr ~ ~ CC Computer Consulting | Tel: +385 (20) 411-136 ~ ~ Janjevska 15 | +385 (1) 6552-330 ~ ~ 20 000 Dubrovnik | Fax: +385 (20) 411-136 ~ ~ Hrvatska (Croatia) | URL: http://www.laus.hr ~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >>>>>>>>>>>>> Every dog will have his day ! <<<<<<<<<<<<<< ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From owner-firewalls-list Fri Nov 7 04:14:54 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id EAA06584; Fri, 7 Nov 1997 04:01:55 -0800 (PST) Received: from beaadmin.bea.doc.gov (beaadmin.bea.doc.gov [198.76.170.19]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id EAA06576 for ; Fri, 7 Nov 1997 04:01:51 -0800 (PST) Received: by beaadmin.bea.doc.gov; id HAA01887; Fri, 7 Nov 1997 07:02:02 -0500 (EST) Received: from unknown(172.25.1.5) by beaadmin.bea.doc.gov via smap (3.2) id xma001883; Fri, 7 Nov 97 07:02:01 -0500 Received: from BEA-Message_Server by bea.doc.gov with Novell_GroupWise; Fri, 07 Nov 1997 07:03:27 -0500 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Fri, 07 Nov 1997 07:03:14 -0500 From: Bill Moulyn To: Firewalls@GreatCircle.COM Subject: Firewalls-Digest V6 #529 -Reply Mime-Version: 1.0 Content-Type: text/plain Content-Disposition: inline Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Which one are you concerned with Ed? 
From owner-firewalls-list Fri Nov 7 06:15:42 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA13487; Fri, 7 Nov 1997 06:08:21 -0800 (PST) Received: from ereapp.erenj.com (ereapp.ERENJ.COM [159.70.31.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id GAA13470 for ; Fri, 7 Nov 1997 06:08:12 -0800 (PST) Received: (from smap@localhost) by ereapp.erenj.com (8.8.5/8.8.5) id KAA06272; Fri, 7 Nov 1997 10:08:10 -0400 Received: from eredns.erenj.com(159.70.1.252) by ereapp.erenj.com via smap (V2.0) id xma006012; Fri, 7 Nov 97 09:07:19 -0500 Received: from clmail.erenj.com (clmail.erenj.com [159.70.1.248]) by eredns.erenj.com (8.8.5/8.8.5) with ESMTP id KAA29518; Fri, 7 Nov 1997 10:00:33 -0400 Received: from tiger (tiger.ecsc.exxon.com [159.129.116.3]) by clmail.erenj.com (8.8.5/8.8.5) with SMTP id IAA12060; Fri, 7 Nov 1997 08:59:30 -0500 (EST) Message-ID: <34631EEE.3F54BC7E@erenj.com> Date: Fri, 07 Nov 1997 08:00:14 -0600 From: Andy Howard Organization: Exxon Computing Services Company X-Mailer: Mozilla 3.0Gold (X11; I; SunOS 4.1.4 sun4c) MIME-Version: 1.0 To: Information Security CC: firewalls@greatcircle.com Subject: Re: [ANNOUNCE] NASA Computer Security Conference References: <199711070952.EAA02903@panix2.panix.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Information Security (Guy) wrote: > The only plus I can see is the "Firewalls and Beyond" seminar is > given by a "Marcus Ranum", which is very close to the name of > someone well known to the security community. Hmm, I recognized another name, William Cheswick.... I seem to recall that his name comes up in the discussions of firewalls and security on occasion. (-: Several other speakers known in the industry are slated. I'm not an icon in the industry and certainly no wizard, but I would recommend this conference, certainly for anybody that lives in the area. 
Plenty of time and opportunity to exchange ideas with other attendees and the speakers. Nice location. IMO, the different certifications are no better or worse than any other industry-type certifications. And, before certification, test or no, you have to show evidence of 3 years' experience in the area you are testing for (novel idea, eh?). The certifications are already in existence; this is just an easy opportunity to review for the exams and sit for them. I am not associated with NASA, but have enjoyed and learned from the last two TISC conferences. -- Andy Howard achowar@erenj.com -- the above comments are mine only--
From owner-firewalls-list Fri Nov 7 07:00:43 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA16828; Fri, 7 Nov 1997 06:58:17 -0800 (PST) Received: from mail.atl.bellsouth.net (mail.atl.bellsouth.net [205.152.0.21]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id GAA16794 for ; Fri, 7 Nov 1997 06:58:05 -0800 (PST) Received: from nope (bims008201.bims.bellsouth.net [205.152.8.201]) by mail.atl.bellsouth.net (8.8.5/8.8.5) with ESMTP id JAA27782 for ; Fri, 7 Nov 1997 09:58:12 -0500 (EST) Message-Id: <199711071458.JAA27782@mail.atl.bellsouth.net> From: "Steve Jackson Brown" To: Subject: Finjan Surfin Gate Review Date: Fri, 7 Nov 1997 09:55:48 -0500 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1161 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
Here's an interesting review of Finjan SurfinGate I found.
http://www.rstcorp.com/hostile-applets/drowning.html
From owner-firewalls-list Fri Nov 7 08:00:14 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA23653; Fri, 7 Nov 1997 07:45:52 -0800 (PST) Received: from penguin.wise.edt.ericsson.se (penguin-ext.wise.edt.ericsson.se [194.237.142.5]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id HAA23644 for ; Fri, 7 Nov 1997 07:45:45 -0800 (PST) Received: from geek.nmac.ericsson.se (geek.nmac.ericsson.se [130.100.187.83]) by penguin.wise.edt.ericsson.se (8.7.5/8.7.3/glacier-1.12) with ESMTP id QAA06418 for ; Fri, 7 Nov 1997 16:46:21 +0100 (MET) Received: from haig.oplab.nmac.ericsson.se (haig.oplab.nmac.ericsson.se [130.100.187.85]) by geek.nmac.ericsson.se (8.8.5/8.8.5) with ESMTP id QAA10974 for ; Fri, 7 Nov 1997 16:45:35 +0100 Received: by haig.oplab.nmac.ericsson.se with Internet Mail Service (5.0.1457.3) id ; Fri, 7 Nov 1997 16:47:07 +0100 Message-ID: <43BED8177D10D011A69A0800092C15D70BBABA@haig.oplab.nmac.ericsson.se> From: Robert Ståhlbrand To: "'firewalls@greatcircle.com'" Subject: FIN Scanning through all kind of packet-filtering firewalls? Date: Fri, 7 Nov 1997 16:47:04 +0100 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1457.3) Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
Hi!
The FIN scanning method (presented in Phrack Magazine 49, article 15), where you can scan for open ports on a host behind a packet-filtering firewall even though your rules deny it, is certainly working on Checkpoint ver. 2.1(a), but I wonder if anyone has experience with other firewall software or versions of software (packet-filtering, do I have to mention that again?). I know that the behavior is possible because of a bug in the BSD netcode which most UNIX systems today seem to run, but I have not heard of any patches (Alan Cox, are you still alive?). Should I look for patches for my O.S. or for my firewall software? Are Ciscos vulnerable with IOS versions below 11? I have heard rumours.... Please, I don't want tons of mail asking "how do you do that?" or "do you have the source code?" If you are interested in how it works (and it works well), read the article at http://www.infowar.com/iwftp/Phrack/Phrack49/P49-15.txt which deals with the details. You can also try nmap, which is in Phrack Magazine 51, article 11, and is a great scanning program which supports more scanning methods! It's also VERY fast! Keep up the good work, Fyodor!!!
Name: Robert Ståhlbrand Company: Ericsson Telecom AB Company-Address: Flöjelbergsvägen 1C, Box 333 Zip-Code: 431 24 Mölndal Phone Number: +46 31 747 6162 Fax Number: +46 31 747 3777 Email: robert.stahlbrand@nmac.ericsson.se
From owner-firewalls-list Fri Nov 7 08:15:17 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA25272; Fri, 7 Nov 1997 08:04:13 -0800 (PST) Received: from svvan200.sierrasys.com (svvan200.sierrasys.com [192.251.26.40]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id IAA25239 for ; Fri, 7 Nov 1997 08:04:02 -0800 (PST) Received: by svvan200.sierrasys.com with Internet Mail Service (5.0.1458.49) id ; Fri, 7 Nov 1997 08:03:30 -0800 Message-ID: From: Craig Ward To: firewalls@greatcircle.com Subject: RE: [ANNOUNCE] NASA Computer Security Conference Date: Fri, 7 Nov 1997 08:01:55 -0800 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.49) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
Good grief!
More luddite fud mongering. Will it never end? Please take this elsewhere. > > -----Original Message----- > From: Information Security [SMTP:guy@panix.com] > Sent: Friday, November 07, 1997 1:53 AM > To: firewalls@greatcircle.com > Subject: Re: [ANNOUNCE] NASA Computer Security Conference > ... > You know, like the recent mad scientist B-movie NASA brought us: need > seven lightbulbs worth of juice for Cassini? Hey, let's load it up > with 72 pounds of ceramicized plutonium! Good thing it didn't blow > up on launch. Hopefully, in two years when it does a planetary > gravity-assist flyby of Earth at 40,000 miles per hour, it will > miss Earth. Because NASA documents say that 20 pounds of the plutonium > will become _respirable_ particles. > > NASA is the last place on Earth one should go to for risk assessment. > > > From owner-firewalls-list Fri Nov 7 09:44:55 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA06599; Fri, 7 Nov 1997 09:41:27 -0800 (PST) Received: from ns2.ge.com (ns2.ge.com [192.35.39.25]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id JAA06583 for ; Fri, 7 Nov 1997 09:41:13 -0800 (PST) From: CCCRE.CCULL@capital.ge.com Received: from thomas.ge.com (thomas.ge.com [3.47.28.21]) by ns2.ge.com (8.8.7/8.8.6) with ESMTP id MAA13355 for ; Fri, 7 Nov 1997 12:45:03 -0500 (EST) Received: from CAPITAL.GE.COM ([3.113.164.135]) by thomas.ge.com (8.8.7/8.8.7) with SMTP id MAA19865 for ; Fri, 7 Nov 1997 12:41:27 -0500 (EST) Received: by CAPITAL.GE.COM (Soft-Switch LMS 2.0) with snapi via CCCREGWY id 0013800003384938; Fri, 7 Nov 1997 12:39:19 -0500 To: " - (052)firewalls(a)GreatCircle.COM" Subject: Re[2]: [ANNOUNCE] NASA Computer Security Conference Message-ID: <0013800003384938000002L082*@MHS> Date: Fri, 7 Nov 1997 12:39:19 -0500 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk oh yeah, this is a great forum for discussion of the risks of plutonium by someone who evidently has NO training on the 
matter. As an ex-nuclear field-type person, I can tell you that I have no fears (and no vested interest in the success) of this tree-hugger overblown bullshit case of environmentalism. You're probably the same type of goober who swears by electric cars even though they cause more pollution; they just move the source.....
From owner-firewalls-list Fri Nov 7 10:00:15 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA07565; Fri, 7 Nov 1997 09:55:18 -0800 (PST) Received: from lotus.lotus.com (lotus.com [192.233.136.1]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id JAA07537 for ; Fri, 7 Nov 1997 09:55:11 -0800 (PST) From: Neil_Buckley/CAM/Lotus@lotus.com Received: from internet2.lotus.com by lotus.lotus.com (SMI-8.6/SMI-SVR4) id MAA05962; Fri, 7 Nov 1997 12:53:16 -0500 Received: from MTA2.lotus.com by internet2.lotus.com (5.x/SMI-SVR4) id AB21909; Fri, 7 Nov 1997 12:49:47 -0500 Received: by mta2.lotus.com(Lotus SMTP MTA SMTP v4.6 (462.2 9-3-1997)) id 85256548.0062D4B1 ; Fri, 7 Nov 1997 12:59:29 -0500 X-Lotus-Fromdomain: LOTUS@MTA To: firewalls@greatcircle.com Message-Id: <85256548.00439F0A.00@mta2.lotus.com> Date: Fri, 7 Nov 1997 12:57:20 -0500 Subject: Penetration Detection Tools Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
Hello, Does anyone have recommendations for third-party penetration detection tools? I am fairly familiar with most freeware products for UNIX, but I need a company-wide solution.
Thanks in advance for any info, Neil Buckley nbuckley@lotus.com
From owner-firewalls-list Fri Nov 7 11:00:38 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA15748; Fri, 7 Nov 1997 10:54:24 -0800 (PST) Received: from spiffy.paradigmsim.com (spiffy.paradigmsim.com [206.7.114.3]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id KAA15738 for ; Fri, 7 Nov 1997 10:54:17 -0800 (PST) Received: from kennyspc.paradigmsim.com by spiffy.paradigmsim.com via SMTP (940816.SGI.8.6.9/940406.SGI.AUTO) id MAA16100; Fri, 7 Nov 1997 12:52:34 -0600 Received: by kennyspc.paradigmsim.com with Microsoft Mail id <01BCEB7C.99D3D500@kennyspc.paradigmsim.com>; Fri, 7 Nov 1997 12:56:44 -0600 Message-ID: <01BCEB7C.99D3D500@kennyspc.paradigmsim.com> From: Ken Atkinson To: " - (052)firewalls(a)GreatCircle.COM" , "'CCCRE.CCULL@capital.ge.com'" Subject: RE: Re[2]: [ANNOUNCE] NASA Computer Security Conference Date: Fri, 7 Nov 1997 12:56:43 -0600 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
SHUT UP. FIREWALLS remember.
---------- From: CCCRE.CCULL@capital.ge.com[SMTP:CCCRE.CCULL@capital.ge.com] Sent: Friday, November 07, 1997 11:39 AM To: - (052)firewalls(a)GreatCircle.COM Subject: Re[2]: [ANNOUNCE] NASA Computer Security Conference
Oh yeah, this is a great forum for discussion of the risks of plutonium by someone who evidently has NO training on the matter. As an ex-nuclear field-type person, I can tell you that I have no fears (and no vested interest in the success) of this tree-hugger overblown bullshit case of environmentalism. You're probably the same type of goober who swears by electric cars even though they cause more pollution; they just move the source.....
From owner-firewalls-list Fri Nov 7 11:15:10 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA14448; Fri, 7 Nov 1997 10:44:31 -0800 (PST) Received: from wpmail.gbr.epa.gov (wpmail.gbr.epa.gov [204.46.159.160]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id KAA14409 for ; Fri, 7 Nov 1997 10:44:21 -0800 (PST) Received: from gbdomain-Message_Server by wpmail.gbr.epa.gov with Novell_GroupWise; Fri, 07 Nov 1997 12:43:00 -0600 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Fri, 07 Nov 1997 12:41:40 -0600 From: MIKE JENKINS To: firewalls@greatcircle.com Subject: Re: syslogd on SunOS doesn't work Mime-Version: 1.0 Content-Type: text/plain Content-Disposition: inline Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
Shouldn't that first line of code be "#!/bin/sh"? ;-) (Use the 'logger' command to send stuff to syslog.) This is horrible. Sigh.
> ---code ----------------------------------------------------------------
> #include <stdio.h>
> #include <stdlib.h>
> #include <unistd.h>
> #include <syslog.h>
>
> int main(void)
> {
>     int i;
>
>     /* Save the live syslog.conf, point local0 at a scratch file,
>        and make syslogd re-read its configuration. */
>     system("cp /etc/syslog.conf /rette.syslog.conf");
>     system("echo 'local0.debug /log_syslog' > /etc/syslog.conf");
>     remove("/log_syslog");
>     system("touch /log_syslog");
>     system("kill -HUP `cat /etc/syslog.pid`");
>     sleep(1);
>
>     /* 1000 rounds of ten distinct markers: 10000 messages in all,
>        so any that syslogd drops show up as a count below 1000. */
>     for (i = 0; i < 1000; i++)
>     {
>         syslog(LOG_LOCAL0 | LOG_INFO, "__m0");
>         syslog(LOG_LOCAL0 | LOG_INFO, "__m1");
>         syslog(LOG_LOCAL0 | LOG_INFO, "__m2");
>         syslog(LOG_LOCAL0 | LOG_INFO, "__m3");
>         syslog(LOG_LOCAL0 | LOG_INFO, "__m4");
>         syslog(LOG_LOCAL0 | LOG_INFO, "__m5");
>         syslog(LOG_LOCAL0 | LOG_INFO, "__m6");
>         syslog(LOG_LOCAL0 | LOG_INFO, "__m7");
>         syslog(LOG_LOCAL0 | LOG_INFO, "__m8");
>         syslog(LOG_LOCAL0 | LOG_INFO, "__m9");
>     }
>     sleep(15);
>
>     /* Put the original configuration back. */
>     system("mv /rette.syslog.conf /etc/syslog.conf");
>     sleep(1);
>     system("kill -HUP `cat /etc/syslog.pid`");
>     sleep(1);
>
>     /* Count how many of each marker actually reached the file.
>        fflush() keeps our printf output ahead of the grep output
>        when stdout is a pipe or file rather than a terminal. */
>     printf("\nSearch for __m0 in /log_syslog=%d, count= ", i); fflush(stdout);
>     system("grep -c __m0 /log_syslog");
>     printf("\nSearch for __m1 in /log_syslog=%d, count= ", i); fflush(stdout);
>     system("grep -c __m1 /log_syslog");
>     printf("\nSearch for __m2 in /log_syslog=%d, count= ", i); fflush(stdout);
>     system("grep -c __m2 /log_syslog");
>     printf("\nSearch for __m3 in /log_syslog=%d, count= ", i); fflush(stdout);
>     system("grep -c __m3 /log_syslog");
>     printf("\nSearch for __m4 in /log_syslog=%d, count= ", i); fflush(stdout);
>     system("grep -c __m4 /log_syslog");
>     printf("\nSearch for __m5 in /log_syslog=%d, count= ", i); fflush(stdout);
>     system("grep -c __m5 /log_syslog");
>     printf("\nSearch for __m6 in /log_syslog=%d, count= ", i); fflush(stdout);
>     system("grep -c __m6 /log_syslog");
>     printf("\nSearch for __m7 in /log_syslog=%d, count= ", i); fflush(stdout);
>     system("grep -c __m7 /log_syslog");
>     printf("\nSearch for __m8 in /log_syslog=%d, count= ", i); fflush(stdout);
>     system("grep -c __m8 /log_syslog");
>     printf("\nSearch for __m9 in /log_syslog=%d, count= ", i); fflush(stdout);
>     system("grep -c __m9 /log_syslog");
>     printf("\nwc of /log_syslog= "); fflush(stdout);
>     system("wc -l /log_syslog");
>     return 0;
> }
> ---end code -------------------------------------------------------------
From owner-firewalls-list Fri Nov 7 11:29:55 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA19742; Fri, 7 Nov 1997 11:25:56 -0800 (PST) Received: from panix2.panix.com (panix2.panix.com [198.7.0.3]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id LAA19713 for ; Fri, 7 Nov 1997 11:25:48 -0800 (PST) Received: (from guy@localhost) by panix2.panix.com (8.8.5/8.7/PanixU1.3) id OAA21105 for firewalls@GreatCircle.COM; Fri, 7 Nov 1997 14:27:50 -0500 (EST) Date: Fri, 7 Nov 1997 14:27:50 -0500 (EST) From: Information Security Message-Id: <199711071927.OAA21105@panix2.panix.com> To: firewalls@GreatCircle.COM Subject: Re: [ANNOUNCE] NASA Computer Security Conference Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
Good grief, people, the crack at NASA for needlessly risking shooting a large amount of plutonium up in a space shot was just a shot in passing. I was reporting that the spam referenced a very poorly done WWW.
And, no, I am actually pro-nuclear and pro-space exploration, and yes, it was an incredibly stupid thing for NASA to do. If you want extended details, email me subject "Requesting Cassini Flame" and I'll send it to you. (for those who think I'm wrong, or anti-technology). Otherwise, yes, let's drop it. Sheesh. ---guy
From owner-firewalls-list Fri Nov 7 12:30:15 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA27945; Fri, 7 Nov 1997 12:15:07 -0800 (PST) Received: from habanero.jmu.edu (habanero.jmu.edu [134.126.71.35]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id MAA27692; Fri, 7 Nov 1997 12:14:30 -0800 (PST) Message-Id: <199711072014.MAA27692@honor.greatcircle.com> Received: by habanero.jmu.edu (1.37.109.16/16.2) id AA206603179; Fri, 7 Nov 1997 15:06:19 -0500 Date: Fri, 7 Nov 1997 15:06:19 -0500 From: gary flynn To: firewalls@GreatCircle.COM, owner-firewalls-list@GreatCircle.COM Subject: Re: FIN Scanning through all kind of packet-filtering firewalls? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
> From:
>
> The FIN scanning method (presented in Phrack Magazine 49, article 15)
> where you can scan for open ports on a host behind a packet-filtering
> firewall even though your rules deny it is certainly working on
> Checkpoint ver. 2.1(a)
What exactly do you mean by working? You must have some type of filter that allows port communications if the sessions are established internally, like the Cisco "established" ACL. I'm not familiar with Checkpoint, but any packet filter that is filtering on a destination port is going to toss the packet regardless of the SYN or any other flag unless there is some special programming. It may get to the router/firewall itself if it's an output filter, or it may get through a Cisco-like "established" filter, but I don't think it's going to get through anything else.
Gary Flynn Network Analyst James Madison University
From owner-firewalls-list Fri Nov 7 12:57:59 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA01630; Fri, 7 Nov 1997 12:42:38 -0800 (PST) Received: from mail.halsp.hitachi.com (unknown-112-2.halsp.hitachi.com [198.70.112.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id MAA01545 for ; Fri, 7 Nov 1997 12:42:19 -0800 (PST) Received: from pop.halsp.hitachi.com by mail.halsp.hitachi.com (SMI-8.6/SMI-SVR4) id MAA28823; Fri, 7 Nov 1997 12:38:45 -0800 Received: from coho ([137.168.6.112]) by pop.halsp.hitachi.com (Netscape Messaging Server 3.01) with SMTP id AAA29948 for ; Fri, 7 Nov 1997 12:42:55 -0800 Message-ID: <34637EA0.3D83@halsp.hitachi.com> Date: Fri, 07 Nov 1997 12:48:32 -0800 From: Eric Vanuska X-Mailer: Mozilla 3.01Gold (X11; I; HP-UX A.09.05 9000/710) MIME-Version: 1.0 To: firewalls@greatcircle.com Subject: Extensions to Radius Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
Hello all, We are using Radius for authentication and would like to hack radiusd to accommodate authentication to a Netscape LDAP 2.0 server, using the client digital certificate and user ID, i.e. instead of include'ing ACE.h in radiusd.c, include LDAP.h. Has anyone tried this? If so, do you have some source code you want to share? :) If not, does anyone want to share any thoughts on this adventure? Thanks, in advance, EricV.
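The FIN-scan exchange above (Robert's question and Gary Flynn's reply about "established"-style filters) can be made concrete with a small simulation. This is an added example, not code from either post nor from nmap or Phrack: the target address 10.0.0.5, the scanner address 192.0.2.9, the open-port set and both filter classes are constructed for it. The only protocol behaviour it models is the RFC 793 rule, followed by BSD-derived stacks, that a closed port answers an unsolicited segment with RST while a listening port silently drops a segment that carries no SYN; that asymmetry is what a FIN probe reads.

```python
"""Added example: why a FIN probe slips past a filter that only blocks
connection initiations, and why a state-tracking filter stops it.
Nothing is sent on the wire; every address and port set is constructed."""
from dataclasses import dataclass

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int


class BsdStyleHost:
    """Target stack for a segment that belongs to no connection (RFC 793):
    a CLOSED port answers with RST, a LISTENing port drops non-SYN segments."""

    def __init__(self, addr, open_ports):
        self.addr = addr
        self.open_ports = set(open_ports)

    def receive(self, seg):
        if seg.dst != self.addr or seg.flags & RST:
            return None

        def reply(flags):
            return Segment(self.addr, seg.src, seg.dport, seg.sport, flags)

        if seg.dport in self.open_ports:
            if seg.flags & SYN and not seg.flags & ACK:
                return reply(SYN | ACK)      # normal connection setup
            return None                      # LISTEN: bare FIN silently dropped
        return reply(RST | ACK)              # CLOSED: RST for anything else


class InitiationBlockingFilter:
    """Stateless 'only allow established' rule: inbound SYN-without-ACK to a
    protected host is denied; every other inbound segment is assumed to belong
    to a session opened from inside and is passed without any check."""

    def __init__(self, protected):
        self.protected = set(protected)

    def note_outbound(self, seg):
        pass                                 # keeps no state at all

    def inbound_allowed(self, seg):
        initiation = seg.flags & SYN and not seg.flags & ACK
        return not (seg.dst in self.protected and initiation)


class StatefulFilter:
    """Tracks connections opened from inside; an inbound segment is passed
    only if it matches one of them, so an unsolicited FIN probe is dropped."""

    def __init__(self, protected):
        self.protected = set(protected)
        self.sessions = set()

    def note_outbound(self, seg):
        if seg.src in self.protected and seg.flags & SYN and not seg.flags & ACK:
            self.sessions.add((seg.src, seg.sport, seg.dst, seg.dport))

    def inbound_allowed(self, seg):
        if seg.dst not in self.protected:
            return True
        return (seg.dst, seg.dport, seg.src, seg.sport) in self.sessions


def _probe(filt, host, scanner, port, flags):
    seg = Segment(scanner, host.addr, 40000 + port, port, flags)
    if not filt.inbound_allowed(seg):
        return None                          # dropped: the scanner sees silence
    return host.receive(seg)


def fin_scan(filt, host, scanner, ports):
    """One FIN-only probe per port. RST means closed; silence cannot be told
    apart between 'open' and 'dropped by a filter', hence open|filtered."""
    out = {}
    for p in ports:
        r = _probe(filt, host, scanner, p, FIN)
        out[p] = "closed" if r is not None and r.flags & RST else "open|filtered"
    return out


def syn_scan(filt, host, scanner, ports):
    """Half-open scan for contrast: SYN/ACK open, RST closed, silence filtered."""
    out = {}
    for p in ports:
        r = _probe(filt, host, scanner, p, SYN)
        out[p] = "filtered" if r is None else ("closed" if r.flags & RST else "open")
    return out


if __name__ == "__main__":
    target = BsdStyleHost("10.0.0.5", open_ports={22, 80})
    ports = [22, 25, 80, 443]
    for name, filt in (("stateless", InitiationBlockingFilter({"10.0.0.5"})),
                       ("stateful", StatefulFilter({"10.0.0.5"}))):
        print(name, "SYN:", syn_scan(filt, target, "192.0.2.9", ports))
        print(name, "FIN:", fin_scan(filt, target, "192.0.2.9", ports))
```

Against the stateless filter the SYN scan reports every port as filtered, while the FIN scan gets a clean RST for 25 and 443 and silence for 22 and 80, which is exactly the leak the Phrack article describes. Against the stateful filter every FIN probe is dropped and the scanner learns nothing, which is the point behind Gary's remark: the fix is filtering on connection state, not on the SYN flag alone.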
From owner-firewalls-list Fri Nov 7 13:00:38 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA03103; Fri, 7 Nov 1997 12:54:55 -0800 (PST) Received: from csc.com (explorer.csc.com [20.1.10.27]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id MAA03084 for ; Fri, 7 Nov 1997 12:54:46 -0800 (PST) Received: from tc24650 by csc.com via smtpd with smtp id for ; Fri, 7 Nov 97 15:55 EST (/\oo/\ Smail3.1.29.1 #29.9 built 21-apr-97) Message-ID: <34637FB6.E61@csc.com> Date: Fri, 07 Nov 1997 15:53:10 -0500 From: Joe Loiacono Organization: Computer Sciences Corporation X-Mailer: Mozilla 3.01 (X11; I; SunOS 5.5 sun4m) MIME-Version: 1.0 To: Information Security CC: firewalls@GreatCircle.COM Subject: Re: [ANNOUNCE] NASA Computer Security Conference References: <199711071927.OAA21105@panix2.panix.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Information Security wrote: > > Good grief, people, the crack at NASA for needlessly risking shooting > a large amount of plutonium up in a space shot was just a shot in passing. Second shot. 
-- Joe Loiacono (301) 415-6153 Computer Sciences Corporation http://www.csc.com
From owner-firewalls-list Fri Nov 7 13:31:21 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA03706; Fri, 7 Nov 1997 13:01:25 -0800 (PST) Received: from portal.east.saic.com (Portal.East.saic.com [198.151.13.15]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id NAA03680 for ; Fri, 7 Nov 1997 13:01:15 -0800 (PST) Received: from apd.saic.com by portal.east.saic.com via smtpd (for honor.greatcircle.com [198.102.244.44]) with SMTP; 7 Nov 1997 21:01:49 UT Received: from tssdc.saic.com (tssdc.saic.com [149.8.88.104]) by monster.apd.saic.com (8.6.12/8.6.12) with SMTP id PAA04482; Fri, 7 Nov 1997 15:59:17 -0500 Received: by tssdc.saic.com(Lotus SMTP MTA v1.06 (346.4 3-18-1997)) id 85256548.0078E9EE ; Fri, 7 Nov 1997 17:00:42 -0400 X-Lotus-FromDomain: SAIC From: "David Sulser" To: Neil_Buckley/CAM/Lotus@lotus.com cc: firewalls@GreatCircle.COM Message-ID: <85256548.00733765.00@tssdc.saic.com> Date: Fri, 7 Nov 1997 16:03:11 -0400 Subject: Re: Penetration Detection Tools Mime-Version: 1.0 Content-type: text/plain; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
David Sulser 11-07-97 04:03 PM
If you want to go the audit reduction route, do check out http://www.saic.com/it/cmds/index.html It's in another part of the company, so I don't sell it. I have seen it work and it is effective. David Sulser Vienna, Va.
"Neil_Buckley/CAM/Lotus"@lotus.com on 11/07/97 12:57:20 PM To: firewalls@GreatCircle.COM cc: (bcc: David Sulser/SAIC) Subject: Penetration Detection Tools
Hello, Does anyone have recommendations for third-party penetration detection tools? I am fairly familiar with most freeware products for UNIX, but I need a company-wide solution.
Thanks in advance for any info, Neil Buckley nbuckley@lotus.com From owner-firewalls-list Fri Nov 7 16:42:54 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA24370; Fri, 7 Nov 1997 15:07:57 -0800 (PST) Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-971021-1) id PAA24359 for firewalls@greatcircle.com; Fri, 7 Nov 1997 15:07:54 -0800 (PST) Received: from diablo.cisco.com (diablo.cisco.com [171.68.223.106]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id OAA26741 for ; Thu, 6 Nov 1997 14:18:41 -0800 (PST) Received: from big-dawgs.cisco.com (herndon-dhcp-42.cisco.com [171.68.53.42]) by diablo.cisco.com (8.8.5/CISCO.SERVER.1.2) with SMTP id OAA17439; Thu, 6 Nov 1997 14:18:33 -0800 (PST) Message-Id: <3.0.3.32.19971106171832.007f1be0@lint.cisco.com> X-Sender: pferguso@lint.cisco.com X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Thu, 06 Nov 1997 17:18:32 -0500 To: Tim Lebrun From: Paul Ferguson Subject: Re: Help : Cisco access list Cc: Chris Lonvick , NetSea , firewalls@GreatCircle.COM In-Reply-To: <3461DB2C.99A0C536@internetmci.com> References: <2.2.32.19971106061246.006de0a0@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 09:58 AM 11/6/97 -0500, Tim Lebrun wrote: >Is there a cisco mailing list that anyone knows of ?????? > If you wish to subscribe to the Cisco mailing list, please send your request (subscribe cisco) to cisco-request@spot.colorado.edu. - paul -- Paul Ferguson || || Consulting Engineering || || Herndon, Virginia USA |||| |||| tel: +1.703.397.5938 ..:||||||:..:||||||:.. 
mailto:ferguson@cisco.com c i s c o S y s t e m s
From owner-firewalls-list Fri Nov 7 16:44:00 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA24008; Fri, 7 Nov 1997 15:04:41 -0800 (PST) Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-971021-1) id PAA23992 for firewalls@greatcircle.com; Fri, 7 Nov 1997 15:04:37 -0800 (PST) Received: from freedom.gmsociety.org ([209.116.153.41]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id UAA19127 for ; Wed, 5 Nov 1997 20:44:58 -0800 (PST) Received: (from brad@localhost) by freedom.gmsociety.org (8.8.5/8.7.3) id XAA03871; Wed, 5 Nov 1997 23:45:17 -0500 From: Brad Message-Id: <199711060445.XAA03871@freedom.gmsociety.org> Subject: Re: Hijak detection To: circle@cali-net.com (RHS Linux User) Date: Wed, 5 Nov 1997 23:45:17 -0500 (EST) Cc: Firewalls@GreatCircle.COM In-Reply-To: from "RHS Linux User" at Nov 4, 97 06:33:31 pm X-Mailer: ELM [version 2.4 PL25 PGP7] MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
I believe that NetRanger is looking for the flood of packets that can/will be generated in order to match the SN. Doesn't this basically produce an ACK "storm" that is detectable and can thus be reacted upon (TCP RESET)?
> On Tue, 4 Nov 1997, Doy wrote:
>
> > Guys,
> >
> > I wonder if there are firewall/intrusion detection products that can
> > deal with TCP session hijack.. I didn't see threads related to this
> > topic in the last half year ..okay, I'm new to this list.. ;)
> >
> > Suppose the TCP session is not encrypted, and the attacker is on the
> > packet's route, what can we do about it? Surrender..??
> >
> Detecting hijacking from inside your network, or hijacking coming from
> another route, would be easy to detect by an intrusion detection system that
> maintains an ARP list of currently active TCP sessions and their
> corresponding hardware addresses. Then have the program detect any packets
> coming from a different hardware address that wasn't assigned to that
> specific IP.
>
> I don't know of any way you could prevent non-blind hijacking, except for
> the fact that you may end up seeing out-of-sequence packets or packets with
> duplicate sequence numbers arrive at the victim's host after the hijack
> begins. If you could remedy a method of doing this reliably you could then
> have the intrusion detection software enable a filter in your
> firewall/router, or perhaps send an RST packet to the server shutting off
> the session.
>
> > Of course not. We can build statistical analysis on the number of invalid
> > packets transmitted on each session. Has anybody done this? Is this
> > approach valid anyway?
> >
> > I'd like to see other solutions/products besides encryption/routing/netw.
> > segmentation.
> >
> > This was just a thought, I probably overlooked something simpler.
> Just another reason not to use the telnet protocol.
> > Jean-Christophe Smith
> > California Network Solutions
> > jean@internet-security.com
> > http://www.cali-net.com
> >
From owner-firewalls-list Fri Nov 7 16:45:06 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA23495; Fri, 7 Nov 1997 15:03:00 -0800 (PST) Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-971021-1) id PAA23484 for firewalls@greatcircle.com; Fri, 7 Nov 1997 15:02:56 -0800 (PST) Received: from server2.rad.net.id (server2.rad.net.id [202.154.1.5]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id PAA18797 for ; Wed, 5 Nov 1997 15:31:04 -0800 (PST) Received: from localhost.127.0.0 (dyn1031c.dialin.rad.net.id [202.154.42.31]) by server2.rad.net.id (8.8.5/RADNET) with SMTP id GAA14178; Thu, 6 Nov 1997 06:30:14 +0700 (WIB) Message-ID: <346101AE.6B99@indo-mail.com> Date: Thu, 06 Nov 1997 06:30:54 +0700 From: Doy X-Mailer: Mozilla 3.04Gold (Win95; I) MIME-Version: 1.0 To: Adam Shostack CC: Brad , RHS Linux User , "H. Morrow Long" , Frank Willoughby , anarch@freedom.gmsociety.org, firewalls@GreatCircle.COM Subject: Re: Hijak detection References: <199711051403.JAA03367@homeport.org> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
I agree that host authentication is the only real defense. I think network-level encryption will defend against this kind of attack too. Transport-level encryption might stop hijacking, but it is still vulnerable to DoS attacks (the attacker might still be able to put both hosts in desynchronized mode). When I made my previous post, I assumed a situation where we couldn't apply any kind of authentication or encryption, and, to make the situation worse, the packets are routed via a segment where a highly motivated professional (government ;-)) spy cracker(tm) is ready to hijack...
Given the situation, the only chance to detect the attack is to analyze invalid packets (sequence numbers) transmitted by a session.

Problems:

1. How do we detect a hijack?
   Even in a normal TCP conversation, there are lots of packets with invalid SNs (duplication, etc.), so how do we decide whether an invalid packet is part of a hijacked session or not?

2. How do we determine which is the attacker and which is the victim?
   By using only TCP seq. numbers, we definitely CAN NOT decide which is the attacker and which is the victim, because a skilled attacker would most likely only send 'good' packets, making the victim look bad, while a 'young' attacker is probably still making mistakes in calculating SNs, thus making both attacker and victim look bad.
   Looking at the route information in the packet (if available) will provide an important clue, but is still not reliable if your network uses multiple routes.
   Looking at the H/W address of a packet won't help much, because you'll only see the gateway H/W address in the packet.

3. To make the situation worse...
   The attacker might send OOB packets, change route information, or mount other DoS attacks on the victim. The firewall/IDS should be aware that these are parts of the hijacking procedure, and terminate the victim's sessions immediately.

So, I didn't make any suggestion about a product. Nor do I sell any. In fact, if WheelGroup claims that their product can deal with TCP hijack attacks, how the heck are they doing it?

regards,
Doy

Adam Shostack wrote:
>
> Frank Willoughby wrote:
> | At 03:09 AM 11/5/97 -0500, Adam Shostack allegedly wrote:
>
> | >There are real defenses, and there are hacks. Host security is a
> | >solid defense, firewalls are a hack. Point to point encryption is a
> | >real defense, but there are hacks available.
> |
> | Which particular hacks are you referring to? (If you wish, feel free
> | to e-mail me this off-line).
>
> The suggestion that Doy made, perhaps the new wheel group product.
>
> | >The point that (doy?)
> | >made is that session hijacking produces a flood
> | >of shit as you jam in packets in the hopes of getting the numbers
> | >right. (Since the other guy is transmitting at the same time as you,
> | >you often send a slew of packets, to get them into the stack first.)
> |
> | This step shouldn't be necessary. Monitor the packets going to/from
> | the firewall (or target system), bring down the victim's system on
> | the outside (OOB, etc.), and then send in the correct packets to the
> | firewall/system. The firewall wouldn't notice the difference, and it
> | is likely the victim would chalk up the problem to network difficulties.
>
> You assume a perfect attacker. I assume script kiddies. There are
> more script kiddies than perfect attackers. If you spend time
> watching real attacks on real systems, you realize how many idiots are
> out there.
>
> | >There are a number of papers on detecting this sort of thing, many
> | >published in the months after Tsutomu was hacked.
> |
> | I've seen several of these and didn't see anything that would deter
> | the aforementioned attack. OTOH, location-based authentication
> | (based on GPS) *might* slow this attack down for the near future,
> | but only for the military folks. The current resolution of GPS
> | wouldn't deter this type of attack for civilians - at least not
> | today.
>
> I have no clue what you're talking about, other than that
> paper about location escrow by Denning. Anyone who can't redo their
> TCP stack to break that can't execute a perfect hijack either.
>
> | If you have the time, I would be interested in a reference or pointer
> | about a method which does not use encryption to deter session hijacking
> | (other than GPS location-based authentication).
>
> Pointer: Doy's previous posts about the statistical deviations in bad
> packets when hijacking takes place.
>
> | >It's not an
> | >ideal defense. (Point-to-point cryptographic *authentication*, not
> | >encryption, is the ideal defense.
> |
> | Such as SecurID, Digital Pathways, DESlock, etc? These wouldn't slow down
> | a serious attacker.
>
> No, such as IPsecurity AH packets. SSL3 using separate keys
> to authenticate and encrypt a session. I apologize for my lack of
> precision, I should have said cryptographic integrity protection for
> the session.
>
> Adam
>
> --
> "It is seldom that liberty of any kind is lost all at once."
> -Hume

From owner-firewalls-list Fri Nov 7 16:46:14 1997
From: Jerry Huyghe
To: "'Steve Jackson Brown'", firewalls@greatcircle.com
Subject: RE: Finjan Surfin Gate Review
Date: Fri, 7 Nov 1997 14:17:18 -0800

The review you point to shows the problems with the so-called "Java and ActiveX security" approach used by McAfee and FinJan. Simply blocking known web sites with Vandal applets or filtering names of known hostile classes will not block targeted attacks or new threats.

Vandals are not viruses. They deliver their payload or steal the information they want as soon as they enter your system. Viruses, on the other hand, can be isolated and sent to a vendor for analysis before they cause irrevocable damage. Furthermore, Vandals do not replicate and can be written in ANY programming language. The quick fix, which was implemented by FinJan and McAfee, is to use URL filtering or scanning techniques to look for known vandals.
Even with known vandals, these techniques can be bypassed easily by rewriting the vandal applet or placing it on a new site. If somebody writes an ActiveX control designed to only attack when it is in YOUR network, FinJan and McAfee's proposed solutions will not block the attack. Similarly, attacks written in Javascript, automatic plug-ins, or trojan horses would not be blocked at all.

We believe the most effective solution is to create a browser sandbox - a more generic and effective approach. This should be built in to the OS but is not. Any Internet content is restricted from accessing certain parts of the drive. An ActiveX control should not delete files from the root directory or read a file in the My Documents folder. Furthermore, an anti-vandal sandbox will block vandals written in Javascript, hostile plug-ins, and booby-trapped web links.

Protection from vandal applets is a new technology which is still being defined... any thoughts?

Jerry Huyghe
Product Manager
eSafe Technologies
http://www.esafe.com

> -----Original Message-----
> From: Steve Jackson Brown [SMTP:sjbrown@bellsouth.net]
> Sent: Friday, November 07, 1997 6:56 AM
> To: firewalls@greatcircle.com
> Subject: Finjan Surfin Gate Review
>
> Here's an interesting review of Finjan SurfinGate I found.
>
> http://www.rstcorp.com/hostile-applets/drowning.html
>

From owner-firewalls-list Fri Nov 7 17:10:15 1997
From: Chris Brenton
Reply-To: cbrenton@sover.net
To: firewalls@greatcircle.com
Subject: Re: Ever seen this in practice??
Date: Fri, 07 Nov 1997 20:02:25 -0500
Message-ID: <3463BA21.BBC8D010@sover.net>
References: <199711061114.LAA03425@minn.dsbc.icl.co.uk>

Malcolm Mladenovic wrote:
>
> Sounds like TMux - RFC 1692. I don't know what its current status is.
> There is a paragraph in the RFC suggesting that non-TMux routers should
> be set to block all TMux packets - causing the hosts to fall back to normal.

Exactly right! Took a breeze through the RFC and it describes the exact conditions I was describing. One paragraph in particular I would like to quote:

"The multiplexing is achieved by combining the individual segments, (H,B1) through (H,Bn), into a single message. This single message has an IP header which is equal to H, but having in the PROTOCOL field the value 18 which is the protocol number of the TMux protocol. This IP header is followed by all the segments, B1 through Bn. Each segment, Bi, is preceded by a 4 octet TMux mini header. This contains the number of the protocol to which this segment is addressed. It also contains the total length of this segment, including this mini header.
Since this mini header is not otherwise protected by a check-sum, it also includes a checksum field which just covers this mini header."

So, per the RFC, an IP packet containing multiple sessions should have a value of "18" in the IP protocol ID field. Since TCP uses "6", and UDP uses "17" (if memory serves), this gives a very distinct method of filtering out this type of traffic without the need to inspect payload. That assumes, of course, that someone has not figured out how to break it.

Thanks for the feedback!

**************************************
cbrenton@sover.net
http://www.amazon.com/exec/obidos/ats-query/0740-8883012-887529
"We've heard that a million monkeys at a million keyboards could produce the Complete Works of Shakespeare; now, thanks to the Internet, we know this is not true."

From owner-firewalls-list Fri Nov 7 18:45:31 1997
From: Peter da Silva
To: jerry@us.esafe.com (Jerry Huyghe)
Cc: sjbrown@bellsouth.net, firewalls@greatcircle.com
Subject: Re: Finjan Surfin Gate Review
Date: Fri, 7 Nov 1997 20:27:51 -0600 (CST)
Message-Id: <9711080227.AA15340@baileynm.com>
In-Reply-To: from "Jerry Huyghe" at Nov 7, 97 02:17:18 pm

> Protection from vandal applets is a new technology which is still being
> defined...any thoughts?

Use the approach in HTML: don't allow the applets the ability to perform dangerous acts. If you want to do more, then explicitly download and install a plugin. That way you have control and you have to perform an explicit install before you're exposed.

The only applet technology I know of that does this is the Tk plugin, which actually removes all dangerous commands from the interpreter before running the applet, so even if it's hostile it has no access to anything outside the sandbox.

From owner-firewalls-list Sat Nov 8 01:00:20 1997
From: "Sam Thornton"
To: "Firewalls Mailing List"
Subject: IngresNet
Date: Sat, 8 Nov 1997 08:48:34 -0000
Message-ID: <01bcec23$1938e1e0$779475c2@known-space>
Dear all,

I have recently been asked if we can connect an external site, through our Firewall, to an Ingres database.

The remote client will be using CA OpenRoad which, (I'm led to believe), uses IngresNet. I've talked to the DB admin/support team and they have no idea as to how IngresNet works... in fact they told me all that would be needed was a telnet session(!).

Does anyone have any details on IngresNet e.g. tcp/udp port numbers, any quirks (such as dynamic port re-allocation as in sql*net) or anything else that would be pertinent when trying to pass this, in as secure a manner as possible, through a Firewall.

Thanks,

Sam.
From owner-firewalls-list Sat Nov 8 01:30:33 1997
From: Darren Reed
To: gary@habanero.jmu.edu (gary flynn)
Cc: firewalls@GreatCircle.COM, firewall-wizards@nfs.net
Subject: Re: FIN Scanning through all kind of packet-filtering firewalls?
Date: Sat, 8 Nov 1997 20:07:54 +1100 (EDT)
Message-Id: <199711080907.BAA26521@honor.greatcircle.com>
In-Reply-To: <199711072014.MAA27692@honor.greatcircle.com> from "gary flynn" at Nov 7, 97 03:06:19 pm

In some mail from gary flynn, sie said:
>
> > From:
> >
> > The FIN scanning method (presented in Phrack Magazine 49, article 15)
> > where you can scan for open ports on a host behind a packet-filtering
> > firewall even though your rules deny it is certainly working on
> > Checkpoint ver. 2.1(a)
> [...]
> I'm not familiar with Checkpoint but any packet filter that is
> filtering on a destination port is going to toss the packet
> regardless of the SYN or any other flag unless there is some
> special programming.

I wouldn't be so sure about that. Checkpoint's FW-1 will pass all packets through with the ACK flag set (except, I think, SYN-ACK) but will strip the body of any data. They do this so that they can rebuild state for a connection which has remained open over (say) the firewall rebooting or connection information expiring. If the reply packet was returned, anyway, there's your scan!
Darren

From owner-firewalls-list Sat Nov 8 03:01:39 1997
From: Robert Ståhlbrand
To: "'gary flynn'"
Cc: "'firewalls@greatcircle.com'"
Subject: RE: FIN Scanning through all kind of packet-filtering firewalls?
Date: Sat, 8 Nov 1997 10:40:53 +0100
Message-ID: <43BED8177D10D011A69A0800092C15D70BBABB@haig.oplab.nmac.ericsson.se>

Ok! I will explain myself a little bit better.........

> -----Original Message-----
> From: gary flynn [SMTP:gary@habanero.jmu.edu]
> Sent: 7 November 1997 21:06
> To: firewalls@GreatCircle.COM; owner-firewalls-list@GreatCircle.COM
> Subject: Re: FIN Scanning through all kind of packet-filtering
> firewalls?
>
> > From:
> >
> > The FIN scanning method (presented in Phrack Magazine 49, article 15)
> > where you can scan for open ports on a host behind a packet-filtering
> > firewall even though your rules deny it is certainly working on
> > Checkpoint ver. 2.1(a)
>
> What exactly do you mean by working? You must have some type of
> filter that allows port communications if the sessions are
> established internally like the Cisco "established" ACL.
> [Robert Ståhlbrand]
> What I mean by working is even though I have rules that deny any type
> of packets (tcp, udp) to a specific host behind my firewall, I can
> still scan it for open ports (TCP only)!!! But in my logger it looks
> like the firewall is dropping all packets, but a sniffer on the inside
> proves that the packet gets through!!!
> The packets are small fragmented (I think that even non-fragmented
> works too but it's not verified yet) packets with the FIN flag set
> (indicating that it's the last packet in a TCP session) and if the
> remote host is sending back a Reset, the port is closed, otherwise
> it's open.
>
> I'm not familiar with Checkpoint but any packet filter that is
> filtering on a destination port is going to toss the packet
> regardless of the SYN or any other flag unless there is some
> special programming.
>
> It may get to the router/firewall itself if it's an output filter
> or it may get through a Cisco-like "established" filter but I
> don't think it's going to get through anything else.
> [Robert Ståhlbrand]
> NO!!!! The packet gets through!!!!!!!!!!!!!!!! (Unless my sniffer is
> spoofed :-)) Read the article in Phrack Magazine!!!
>
> Gary Flynn
> Network Analyst
> James Madison University
> [Robert Ståhlbrand]
>
> /Robert Ståhlbrand, System and Security responsible, nmac.ericsson.se

From owner-firewalls-list Sat Nov 8 04:06:54 1997
From: D03NM014/03/M/IBM
Subject: Trish Sundgaard/Dallas/IBM is out of the office.
Date: Sat, 8 Nov 1997 06:53:08 -0500

I am out of the office from 11/07/97, returning 11/12/97. You will receive only this notification of my absence prior to my return, at which time I will respond.

From owner-firewalls-list Sat Nov 8 08:25:24 1997
From: "melissa jimenez"
To: "Robert Ståhlbrand", "'gary flynn'"
Cc: "'firewalls@greatcircle.com'"
Subject: RE: FIN Scanning through all kind of packet-filtering firewalls?
Date: Sat, 8 Nov 1997 12:13:28 -0400
Message-Id: <16193196740821@iamnet.com>

xcvcvxc

----------
From: Robert Ståhlbrand
To: 'gary flynn'
CC: 'firewalls@greatcircle.com'
Subject: RE: FIN Scanning through all kind of packet-filtering firewalls?
Date: Saturday, 8 November 1997 05:40 AM
----------

From owner-firewalls-list Sat Nov 8 10:25:08 1997
From: Jyri Kaljundi
To: Firewalls@GreatCircle.COM
Subject: Security certification (Was: Re: [ANNOUNCE] NASA Computer ...)
Date: Sat, 8 Nov 1997 20:12:13 +0200 (EET)
In-Reply-To: <199711080900.BAA26375@honor.greatcircle.com>

Andy Howard wrote:

> IMO, the different certifications are no better or worse than any other
> industry type certifications. And, before certification, test or no,
> you have to show evidence of 3 years experience in the area you are
> testing for (novel idea, eh?). The certifications are already in
> existence, this is just an easy opportunity to review for the exams and sit
> for them.
Personally I have not taken any of these exams for financial reasons, but I would think that at least I personally would benefit from them: perhaps by going through some checklists, reading books and articles on points I feel I don't know enough about, etc. Something like the CISSP or CISA exam would put pressure on me to find more time for additional studies on the subjects, and this could not be bad for me.

Another question is how you will use your certification later: is it for you to test yourself or to tell people how smart you are?

Jyri Kaljundi
jk@stallion.ee
AS Stallion Ltd
http://www.stallion.ee/

From owner-firewalls-list Sat Nov 8 13:10:36 1997
From: Adam Shostack
To: peter@baileynm.com (Peter da Silva)
Cc: jerry@us.esafe.com, sjbrown@bellsouth.net, firewalls@GreatCircle.COM
Subject: Re: Finjan Surfin Gate Review
Date: Sat, 8 Nov 1997 16:03:38 -0500 (EST)
Message-Id: <199711082103.QAA21589@homeport.org>
In-Reply-To: <9711080227.AA15340@baileynm.com> from Peter da Silva at "Nov 7, 97 08:27:51 pm"

I'll mention that Security-7 (www.security7.com) has a product that will look through the Java classes or ActiveX controls and allow you to block things that you don't like. (Thus, you could block all Java that calls the file io classes.)
Adam

Peter da Silva wrote:
| > Protection from vandal applets is a new technology which is still being
| > defined...any thoughts?
|
| Use the approach in HTML: don't allow the applets the ability to perform
| dangerous acts. If you want to do more, then explicitly download and
| install a plugin. That way you have control and you have to perform an
| explicit install before you're exposed.
|
| The only applet technology I know of that does this is the Tk plugin, which
| actually removes all dangerous commands from the interpreter before running
| the applet, so even if it's hostile it has no access to anything outside the
| sandbox.
|

--
"It is seldom that liberty of any kind is lost all at once."
-Hume

From owner-firewalls-list Sat Nov 8 13:40:33 1997
From: "Alexis Zephrides"
To: ben@edelweb.fr, firewalls@greatcircle.com
Subject: Re: Private web-based email with SSL secure???
Date: Sat, 08 Nov 1997 13:29:07 PST
Message-ID: <19971108212907.18651.qmail@hotmail.com>

>What is this app that you've found? I've been thinking of the same thing
>meself for awhile now.
>
>Ben.
>
>On Tue, 4 Nov 1997, Alexis Zephrides wrote:
>
>> Hello:
>>
>> I consult for an ISP that has a couple of Intel 266 Pentiums,
>> 1 500Mhz Alpha and a Sparc all running linux. We have been talking
>> about writing our own web based email app (like HotMail) so that
>> our users can get mail remotely.
We have only found one app like this >> that runs under Linux and it is written in PERL. If we use SSL >> on the web server, will the entire e-mail session be encrypted including >> login? The POP server is behind the Firewall as well. >> >> Thanks in advance, >> >> Alexis >> Agean Consulting The original app we were looking at was EMU but we have just found a new one called Clio (http://www.clio.com) that is faster, more stable and has more features. We also liked the price at $1 per user for a license ;-) With SSL on the server we have found that the entire session is encrypted (we used a Network General Sniffer) including the login and password. --Alexis Aegean Consulting ______________________________________________________ Get Your Private, Free Email at http://www.hotmail.com From owner-firewalls-list Sat Nov 8 14:25:45 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA08906; Sat, 8 Nov 1997 14:15:07 -0800 (PST) Received: from mail.baileynm.com (fw.baileynm.com [206.109.159.11]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id OAA08881 for ; Sat, 8 Nov 1997 14:14:59 -0800 (PST) Received: (qmail 2238 invoked from smtpd); 8 Nov 1997 22:15:41 -0000 Received: from web.nmti.com (root@198.178.0.201) by fw.nmti.com with SMTP; 8 Nov 1997 22:15:41 -0000 Received: from baileynm.com (grendel.nmti.com [198.178.0.150]) by web.nmti.com (8.6.12/8.6.9) with SMTP id QAA17344 for ; Sat, 8 Nov 1997 16:15:41 -0600 Received: by baileynm.com; (5.65v3.2/1.1.8.2/08Sep97-0924AM) id AA01637; Sat, 8 Nov 1997 16:18:08 -0600 From: Peter da Silva Message-Id: <9711082218.AA01637@baileynm.com> Subject: Re: Finjan Surfin Gate Review To: firewalls@GreatCircle.COM Date: Sat, 8 Nov 1997 16:18:08 -0600 (CST) In-Reply-To: <199711082103.QAA21589@homeport.org> from "Adam Shostack" at Nov 8, 97 04:03:38 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > I'll mention that 
Security-7 (www.security7.com) has a product that > will look through the Java classes or ActiveX controls and allow you > to block things that you don't like. (Thus, you could block all Java > that calls the file io classes.) It's not possible for it to do that even in theory for general ActiveX controls, because they can contain arbitrary '386 instructions, possibly encrypted or compressed with unknown algorithms to reduce size or protect intellectual property. For Java, I suppose you could do it. The problem is that the authors of legitimate applets will have no way of knowing what the rules they're subject to are. It's better to make that sort of thing explicit in the specification for the applet language even if that prevents you from doing some useful things. From owner-firewalls-list Sat Nov 8 14:40:28 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA08404; Sat, 8 Nov 1997 14:10:50 -0800 (PST) Received: from cypress.idir.net (cypress.idir.net [204.189.68.16]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id OAA08355 for ; Sat, 8 Nov 1997 14:10:30 -0800 (PST) Received: from cypress.idir.net (cypress.idir.net [204.189.68.16]) by cypress.idir.net (8.8.5/8.8.4) with SMTP id QAA01782 for ; Sat, 8 Nov 1997 16:11:15 -0600 Date: Sat, 8 Nov 1997 16:11:14 -0600 (CST) From: Jason Keimig To: firewalls@greatcircle.com Subject: Re: Hijak detection Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > I'm agree that host authentication is the only real defense. I think > network level encryption will defend against this kind of attack too. > Transport level encryption might stop hijacking, but still vulnerable to > DoS attack (the attacker might still able to put both hosts in > desynchronized mode). All true and very relevent. You COULD even encrypt most of the headers, but this breaks things like NAT and proxy services. > 1. 
>    How do we detect a hijack.
>    Even in normal TCP conversation, there are a lot of packets with
> invalid SN (duplication, etc.), so how do we decide if an invalid packet is
> part of a hijacked session and which is not?

The duplication is not as severe as you would see with a hijacked session. You will generally see several hundred ACKed packets thrown around for each new packet introduced by the hijacker.

> 2. How to determine which is the attacker and which is the victim.
>    By using only TCP seq. num., we definitely CAN NOT decide which is
> the attacker and which is the victim, because a skilled attacker would
> most likely only send 'good' packets, making the victim look bad. While
> a 'young' attacker is probably still making mistakes on calculating SN,
> thus making both attacker and victim look bad.

This is true if you look at only a single ACK on one side of the stream. If you compare the ACKs from both sides, you can see the side that has been spoon-fed data by the attacker, as their ACK # will be higher than the supposedly corresponding SEQ # of the unmolested side. This is due to the fact that the SEQ/ACK pair is based solely on the # of bytes sent/received after the session has been established. This pair is by no means a security mechanism in the purest sense. It is used primarily to keep the sides in synch with one another. The fact that it prevents accepting data out of order is really just a security side effect inherent in connection-oriented bitstreams.

>    By looking at route information in the packet (if available) will
> provide important clues, but still not reliable if your network uses
> multiple routes.

This really is a non-issue, as just about all routers and hosts nowadays have source-routing disabled. I realize that there is a possibility for misconfigured boxes, but this is a reaching effort that generally does not turn up anything. That is, a source-routed packet will set off too many alarms and give away all covertness of the attack.
>    Looking at the H/W address of a packet won't help much, because
> you'll only see the gateway H/W address in the packet.

Actually, this is where you will see the mistakes of a 'young' attacker. Calculating the SEQ/ACK # of a session is fairly straightforward once the hijacking has commenced: you just have to wade through all of the ACK syncs between the two hosts. As I stated in another post, JUST ABOUT all of the scripts/programs out there that do various forms of IP spoofing (I did find an old SunOS forging tool in my archives that modified the MAC address of the outgoing packet) do NOT address the layer-2 issue. Forged IP packets from user space WILL STILL CONTAIN the source MAC address of the host used to forge the packet. This is trivial to detect. The "professional" hacker (the word professional used loosely here) will have a modified IP stack that addresses this issue by swapping out the local MAC with that of the forged IP-layer-2 mapping. There are still some tricks to catch this; the attacker just has to be careful about how this mapping is obtained (this is part of my thesis, I've had to deal with this aspect quite intimately!). So, in a nutshell, LOOKING at the layer-2 information will turn up 90% of the offending hosts performing ANY kind of spoofing attack.

There is also the analysis of the IP packet ID that I won't get into. Although it can be used for detection purposes, it gives less information on _who_ is doing the attack.

> 3. To make the situation worse...
>    The attacker might send OOB packets, change route information, or
> other DoS attack to the victim. The firewall/IDS should be aware that these
> are parts of the hijacking procedure, and terminate the victim's
> sessions immediately.

OOB packets aren't usually handled by the end host in the purest sense, and routers, by definition, don't accept redirects. Where do these aspects come into play?
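[Editor's added example, not part of Jason's post or of any product named in the thread.] The two checks Jason describes above, worked through in code: compare each side's ACK against the bytes its peer genuinely sent (the spoon-fed side acknowledges more than the real peer ever transmitted), and check that each source IP keeps the layer-2 address first learned for it (a user-space forgery leaves the injector's own MAC in the frame). The capture is constructed, uses a relative sequence space for an already-established session, and assumes the first frames from each host predate any injection.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    """One TCP segment as already decoded from a capture (only the fields used here)."""
    src_mac: str
    src_ip: str
    dst_ip: str
    seq: int      # sequence number of the first payload byte
    ack: int      # acknowledgement number carried
    length: int   # payload bytes carried (0 for a pure ACK)


def learn_mac_map(pkts, settle=2):
    """IP -> MAC mapping taken from the first `settle` frames each IP sends.

    Assumption of this example: the capture starts before any injection, so the
    learning window reflects the genuine hosts of the established session.
    """
    first = defaultdict(list)
    for p in pkts:
        if len(first[p.src_ip]) < settle:
            first[p.src_ip].append(p.src_mac)
    mac_map = {}
    for ip, macs in first.items():
        if len(set(macs)) != 1:
            raise ValueError(f"{ip}: several MACs inside the learning window")
        mac_map[ip] = macs[0]
    return mac_map


def layer2_mismatches(pkts, mac_map):
    """Frames whose source MAC is not the one learned for their source IP.

    A forged IP header written from user space still carries the real sender's
    MAC, which is the layer-2 tell described in the thread.
    """
    return [p for p in pkts if p.src_ip in mac_map and mac_map[p.src_ip] != p.src_mac]


def ack_desync(pkts, mac_map):
    """Bytes each host has acknowledged beyond what its peer genuinely sent.

    Only frames with a consistent MAC count toward a host's genuine send point and
    toward its own ACKs, so a 'good-looking' injected segment cannot shift the blame
    onto the impersonated host. A positive excess marks the host that accepted data
    its real peer never transmitted. (If the injector also forges layer 2, this
    bookkeeping is blind; the thread says catching that needs other tricks.)
    """
    sent_end = {}   # ip -> highest seq + length seen on genuine frames
    excess = {}     # ip -> max(ack - peer's genuine send point), floored at 0
    for p in pkts:
        if mac_map.get(p.src_ip) != p.src_mac:
            continue                      # forged frame: reported separately
        if p.length:
            sent_end[p.src_ip] = max(sent_end.get(p.src_ip, 0), p.seq + p.length)
        peer_end = sent_end.get(p.dst_ip)
        if peer_end is not None:
            excess[p.src_ip] = max(excess.get(p.src_ip, 0), p.ack - peer_end)
    return {ip: e for ip, e in excess.items() if e > 0}


def analyse(pkts):
    """Run both checks and name the roles in the session."""
    mac_map = learn_mac_map(pkts)
    mismatches = layer2_mismatches(pkts, mac_map)
    desync = ack_desync(pkts, mac_map)
    return {
        # the host whose ACKs ran ahead of its peer's genuine data was spoon-fed
        "victim": max(desync, key=desync.get) if desync else None,
        # the IP carried by frames from the wrong MAC is the one being impersonated
        "impersonated": sorted({p.src_ip for p in mismatches}),
        "excess_ack_bytes": desync,
        "mismatched_frames": mismatches,
    }


A, B = "10.0.0.5", "10.0.0.9"
MAC_A, MAC_B = "00:00:0c:aa:aa:aa", "00:00:0c:bb:bb:bb"
MAC_X = "00:00:0c:cc:cc:cc"   # the injector's real adapter (constructed)

# Constructed capture, not real traffic: an established A<->B session, then a third
# machine injects a segment carrying A's IP but its own MAC, after which A and B
# trade ACKs that no longer agree (the start of the ACK storm Jason describes).
CAPTURE = [
    Pkt(MAC_A, A, B, 1000, 5000, 100),  # A -> B: 100 bytes, A has now sent up to 1100
    Pkt(MAC_B, B, A, 5000, 1100, 0),    # B acks 1100
    Pkt(MAC_B, B, A, 5000, 1100, 200),  # B -> A: 200 bytes, B has now sent up to 5200
    Pkt(MAC_A, A, B, 1100, 5200, 0),    # A acks 5200
    Pkt(MAC_X, A, B, 1100, 5200, 60),   # forged "A" segment from the injector's MAC
    Pkt(MAC_B, B, A, 5200, 1160, 0),    # B acks 1160: 60 bytes the real A never sent
    Pkt(MAC_A, A, B, 1100, 5200, 0),    # the real A, unaware, repeats its own ACK
    Pkt(MAC_B, B, A, 5200, 1160, 0),    # B repeats 1160 ...
    Pkt(MAC_A, A, B, 1100, 5200, 0),
    Pkt(MAC_B, B, A, 5200, 1160, 0),
]

if __name__ == "__main__":
    report = analyse(CAPTURE)
    print("victim (fed injected data):", report["victim"])       # 10.0.0.9
    print("impersonated IP(s):", report["impersonated"])          # ['10.0.0.5']
    print("excess acked bytes:", report["excess_ack_bytes"])      # {'10.0.0.9': 60}
    for f in report["mismatched_frames"]:
        print("layer-2 mismatch:", f.src_ip, "sent from", f.src_mac)
```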
> In fact, if WheelGroup claims that their product can deal with TCP hijack
> attack, how the heck are they doing it?

Good question, any takers?

-J.

From owner-firewalls-list Sat Nov 8 19:25:41 1997
From: "Richard A. Hill"
To: firewalls@GreatCircle.COM
Date: Sat, 08 Nov 1997 22:28:22 -0500
Subject: Re: [ANNOUNCE] NASA Computer Security Conference

At 04:52 11/7/97 -0500, you wrote:
>
>You know, like the recent mad scientist B-movie NASA brought us: need
>seven lightbulbs worth of juice for Cassini? Hey, let's load it up
>with 72 pounds of ceramicized plutonium! Good thing it didn't blow
>up on launch. Hopefully, in two years when it does a planetary
>gravity-assist flyby of Earth at 40,000 miles per hour, it will
>miss Earth. Because NASA documents say that 20 pounds of the plutonium
>will become _respirable_ particles.
>
>NASA is the last place on Earth one should go to for risk assessment.
>

Now now, let's keep the politics out of the list ..
otherwise I'd have to respond and rebut the respirable particle claim with quotes from other experts, and you'd have to bring in nuclear-phobes and I'd bring in nuclear-philes and we'd tie the entire list up for weeks in a useless flame war and everyone would be sick of us in two days.

Let's just say that some of us have more realistic risk expectations than others and that I'd rather see a flawed NASA than none at all.

And FYI, I just brought up that website and all seminars are appropriately documented and listed.

Richard
#######################################################
Richard A. Hill          rhill@icenetsys.com   RichHill@AOL.com
"That which does not kill us should not be given a second chance"
################################################################

From owner-firewalls-list Sun Nov 9 05:55:39 1997
From: "Don A. Abion"
To: firewalls@GreatCircle.COM
Date: Sun, 9 Nov 1997 08:48:14 -0600
Subject: university project

hello there,

my name is Don and I'm in need of a firewall software for a school project that my group and I are attempting to complete. We are taking a course dealing with software evaluation methods, and we have limited resources when it comes to firewalls.
So far, we've found free downloadable firewall software, but it runs off Windows NT, and none of us have access to that operating system. We need a firewall software to evaluate, and what we need is something that has GUI capabilities so that a full demonstration can be performed (thus, Win95 would be great). If you can recommend any free downloads for firewall software which doesn't require much memory and is able to run off Win95 on a stand-alone system, we would be very grateful. Thank you for your time concerning our request.

Don

dabion@octonline.com
dabio@acs.ryerson.ca

From owner-firewalls-list Sun Nov 9 06:40:36 1997
From: Information Security
To: firewalls@GreatCircle.COM
Date: Sun, 9 Nov 1997 09:33:03 -0500 (EST)
Subject: Re: [ANNOUNCE] NASA Computer Security Conference

> From owner-firewalls-list@GreatCircle.COM Sat Nov 8 23:02:53 1997
> From: "Richard A. Hill"
>
> At 04:52 11/7/97 -0500, you wrote:
>
> Now now, let's keep the politics out of the list .

Actually, the politics of encryption are quite important, but I will avoid discussing the (weak) encryption tie-in unless people keep bringing it up.

> And FYI, I just brought up that website and
> all seminars are appropriately documented and listed

Excellent. That means the main reason I "posted" got immediate results.

> At 04:52 11/7/97 -0500, guy wrote:
> >Because NASA documents say that 20 pounds of the plutonium
> >will become _respirable_ particles.
> > [I can] rebut the respirable particle
> claim with quotes from other experts...

Email me to do so.

  * Final Environmental Impact Statement for the Cassini Mission
  * ----- ------------- ------ --------- --- --- ------- -------
  *
  * NASA, June 1995
  * ---- ---- ----
  *
  * For all the reentry cases studied, about 32 to 34 percent of the
  * plutonium dioxide from the three RTGs is expected to be released
  * at high altitude...these are [deadly] respirable particles...

And: good luck. ;-)

I am *deleting* the Cassini flame out of the Cryptography Manifesto, so get your copy now if you want to see it.

---guy

From owner-firewalls-list Sun Nov 9 06:55:28 1997
From: "osiris@gnss.com"
Organization: Global Network Security Systems
To: "Don A. Abion"
CC: Firewalls@GreatCircle.COM
Date: Sun, 09 Nov 1997 06:47:47 -0800
Subject: Re: university project

This is what GNSS has on the subject, but perhaps some other list members can offer more substantial links or resources. (Note that we cannot provide an endorsement for these products as we have not evaluated them at this firm, i.e., batteries not included, force majeure, look both ways before crossing, restrictions may apply, etc.
:-)

PC Personal Firewall for 95
http://www.softwarebuilders.com/SBI_Mall/Info_PC_Secure.html

NetProxy for 95
ftp://software.ieway.com/netprx12.zip
and the docs on it: http://www.grok.co.uk/netproxy/overview.html

WinProxy
Download page: http://www.ositis.com/menu2.htm
and docs: http://www.ositis.com/

PC Desktop Firewall for 95
http://www.signal9.com/misc/special.html

EDArmor 95
http://www.emdent.com/pages/arm95perpr.htm

InternetGate for 95
http://www.bmtmicro.com/catalog/igatewin.html

Good luck with your project. (This has been a public service from the staff at http://www.gnss.com)

Don A. Abion wrote:
> hello there,
>
> my name is Don and I'm in need of a firewall software for a school project
> that my group and I are attempting to complete. We are taking a course
> dealing with software evaluation methods, and we have limited resources
> when it comes to firewalls. So far, we've found free downloadable firewall
> software, but it runs off Windows NT, and none of us have access to that
> operating system. We need a firewall software to evaluate, and what we need is
> something that has GUI capabilities so that a full demonstration can be
> performed (thus, Win95 would be great). If you can recommend any free
> downloads for firewall software which doesn't require much memory and is
> able to run off Win95 on a stand-alone system, we would be very grateful.
> Thank you for your time concerning our request.
>
> Don
>
> dabion@octonline.com
> dabio@acs.ryerson.ca

From owner-firewalls-list Sun Nov 9 13:55:41 1997
From: "Steve Jackson Brown"
To: "Adam Shostack", "Peter da Silva"
Cc: firewalls@GreatCircle.COM
Date: Sun, 9 Nov 1997 16:38:49 -0500
Subject: Re: Finjan Surfin Gate Review

How do these products protect you if the web site you are visiting is using SSL to transfer the Java applets?

It would seem that if it is encrypted, it would be impossible to inspect Java applets, making it useless.

One thing I thought was ironic in the http://www.rstcorp.com/hostile-applets/drowning.html review was that the install script for Finjan was

xhost +

How security knowledgeable is a security company when they build install scripts that open you up to the worst attacks?

Is anyone actually buying or deploying this Java security stuff? Is it a lot of hype?
----------
> From: Adam Shostack
> To: Peter da Silva
> Cc: jerry@us.esafe.com; sjbrown@bellsouth.net; firewalls@GreatCircle.COM
> Subject: Re: Finjan Surfin Gate Review
> Date: Saturday, November 08, 1997 4:03 PM
>
> I'll mention that Security-7 (www.security7.com) has a product that
> will look through the Java classes or ActiveX controls and allow you
> to block things that you don't like. (Thus, you could block all Java
> that calls the file io classes.)
>
> Adam
>
>
> Peter da Silva wrote:
> | > Protection from vandal applets is a new technology which is still being
> | > defined...any thoughts?
> |
> | Use the approach in HTML: don't allow the applets the ability to perform
> | dangerous acts. If you want to do more, then explicitly download and
> | install a plugin. That way you have control and you have to perform an
> | explicit install before you're exposed.
> |
> | The only applet technology I know of that does this is the Tk plugin, which
> | actually removes all dangerous commands from the interpreter before running
> | the applet, so even if it's hostile it has no access to anything outside the
> | sandbox.
> |
>
>
> --
> "It is seldom that liberty of any kind is lost all at once."
> -Hume
>
>

From owner-firewalls-list Sun Nov 9 15:40:53 1997
From: Bill Heiser
To: fw-1-mailinglist@us.checkpoint.com, firewalls@greatcircle.com
Date: Sun, 09 Nov 1997 18:40:43 -0500
Subject: Re: [FW1] Does FW-1 support Point to Point Tunneling Protocol?

> > I have discovered that Microsoft has a way to do Virtual Private
> > Networks through something they call PPTP (Point to Point Tunneling
> Protocol).
> > It is basically an encryption between a client Win95 to a WinNT RAS
> server. What do people think about this? It sounds scary to me. :)

Does PPTP provide a high enough level of security to warrant its use for a VPN like this, essentially bypassing the firewall?

From owner-firewalls-list Sun Nov 9 19:57:14 1997
From: "Paul D. Robertson"
To: Steve Jackson Brown
cc: firewalls@GreatCircle.COM
Date: Sun, 9 Nov 1997 22:43:45 -0500 (EST)
Subject: Re: Finjan Surfin Gate Review

On Sun, 9 Nov 1997, Steve Jackson Brown wrote:

> One thing I thought that was ironic in the
> http://www.rstcorp.com/hostile-applets/drowning.html review was the install
> script for Finjan was xhost +
> How security knowledgable is a security company when they build install
> scripts that open you up to
> worst attacks?

I haven't been following this thread since inception, so apologies if this has been covered before. For anyone who's interested, Mark LaDue has been posting Finjan's reactions to the review in comp.security.firewalls. It certainly makes interesting reading.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
PSB#9280

From owner-firewalls-list Sun Nov 9 20:55:28 1997
From: Chai Lim Chong
To: Firewalls@GreatCircle.COM
Date: Mon, 10 Nov 1997 12:16:59 +0800
Subject: Strange firewall log messages

Hello,

My TIS firewall recorded these strange messages several times in a day. They disappeared on the following day and did not appear again. Can anyone explain to me what these lines are all about?

Nov 7 11:01:25 MYserver vmunix: securityalert: tcp from 127.0.0.1:2807 to 127.0.0.1 on unserved port 2121
Nov 7 11:02:01 MYserver vmunix: securityalert: tcp from 127.0.0.1:2814 to 127.0.0.1 on unserved port 2121
Nov 7 11:02:38 MYserver vmunix: securityalert: tcp from 127.0.0.1:2818 to 127.0.0.1 on unserved port 2121
Nov 7 11:03:49 MYserver vmunix: securityalert: tcp from 127.0.0.1:2825 to 127.0.0.1 on unserved port 2121
Nov 7 11:03:49 MYserver vmunix: securityalert: tcp from 127.0.0.1:2826 to 127.0.0.1 on unserved port 2121

Thanks in advance..
Regards,
Chai Lim Chong
Lcchai@mit.com.my

From owner-firewalls-list Mon Nov 10 00:55:28 1997
From: "Angel López Escobar"
To: firewalls@greatcircle.com
Date: Mon, 10 Nov 1997 09:13:31 +0100
Subject: RE: Penetration Detection Tools

Hi,

Have a look at www.iss.net, they have tools for that.

Regards,

----------
> From: Neil_Buckley/CAM/Lotus@lotus.com
> To: firewalls@greatcircle.com
> Subject: Penetration Detection Tools
> Date: Friday, 7 November 1997 18:57
>
> Hello,
>
> Does anyone have recommendations for third party penetration detection
> tools, I am fairly familiar with most freeware products for UNIX, but I
> need a company wide solution.
>
> Thanks in advance for any info,
>
> Neil Buckley
> nbuckley@lotus.com
>

From owner-firewalls-list Mon Nov 10 04:41:16 1997
From: Paulo Jorge Delgado
To: firewalls@greatcircle.com
Date: Mon, 10 Nov 1997 11:42:53 +0000
Subject: Need help comparing solutions

Hello,

The company I work for has decided to connect to the Internet using a firewall solution. This is a rather long story, but after creating a workgroup with people from IT Security, Systems Management and Telecommunications, creating a Security Policy and contacting several vendors, we decided to propose a solution integrating several products, connected in series:

- A firewall using stateful inspection
- A proxy based virus scanner (for NNTP, SMTP, HTTP, FTP)
- A proxy based access control application (for "URL censorship")
- A proxy based firewall
- A suite of auditing tools

With this we aimed at creating a screened subnet architecture, with special focus on redundancy. We wanted to make sure that if one of the elements of the solution were compromised, the others would still be able to provide some measure of security and eventually detect attacks coming from the compromised element.
Someone else is proposing a cheaper solution, something like:

                +------------+
                | Stateful   |
 Outside -------+ inspection +------+
 networks       | firewall   |      |        +--------------+
                +-----+------+      |        | Dual-homed   |
                      |             |        | Netscape     |
                      |             +--------+ Proxy Server +-----+ Internal
                      |                      | HTTP, FTP,   |       network
                +-----+-------+              | Gopher       |
                | Netscape    |              +--------------+
                | Mail Server |
                +-------------+

They say that Netscape proxy server gives some additional security, complementing the firewall, so this would also be a redundant solution, with the added benefit of reducing the number of licences I need on the firewall.

I don't know this Netscape Proxy Server, but I feel that it can't act as a real firewall. Can someone on the list comment on the relative security of this cheaper solution?

Many thanks,

Paulo

+-------------------------------+---------------------------------------+
| Paulo Jorge Delgado           | Internet: Paulo.Delgado@bta.pt        |
| Banco Totta & Acores          | Office: +351-1-7922467                |
| Av. Miguel Bombarda 4, 7      | Fax: +351-1-7922481                   |
| 1000 Lisboa                   |                                       |
| Portugal                      |                                       |
+-------------------------------+---------------------------------------+

From owner-firewalls-list Mon Nov 10 05:26:43 1997
From: gary flynn
To: avalon@coombs.anu.edu.au, gary@habanero.jmu.edu
Date: Mon, 10 Nov 1997 08:09:29 -0500
Subject: Re: FIN Scanning through all kind of packet-filtering firewalls?
Cc: firewall-wizards@nfs.net, firewalls@GreatCircle.COM

> From: Darren Reed
>
> > I'm not familiar with Checkpoint but any packet filter that is
> > filtering on a destination port is going to toss the packet
> > regardless of the SYN or any other flag unless there is some
> > special programming.
>
> I wouldn't be so sure about that. Checkpoint's FW-1 will pass all
> packets through with the ACK flag set (except, I think SYN-ACK)
> but will strip the body of any data. They do this so that they can
> rebuild state for a connection which has remained open over (say)
> the firewall rebooting or connection information expiring. If the
> reply packet was returned, anyway, there's your scan!

I didn't think about that. I should have capitalized "packet filter" :)

One normally thinks of state and proxy firewalls as somewhat more secure than a simple packet filter, but in this case the opposite may be true.

From owner-firewalls-list Mon Nov 10 06:00:30 1997
From: "Lau, Chris"
To: "'firewalls@greatcircle.com'"
Date: Mon, 10 Nov 1997 05:46:51 -0800
Subject: spam
Hi:

Does anyone have a solution on how to stop spam email at the firewall level? We are using TIS Gauntlet. Someone out there is using our company name to send out spam email. We are getting many angry replies asking us to stop spamming. We were not the ones doing it.

Christopher Lau
Crane-Eldec Corp.
(425) 743-8150
clau@eldec.com

From owner-firewalls-list Mon Nov 10 06:16:22 1997
From: Adam Shostack
To: sjbrown@bellsouth.net (Steve Jackson Brown)
Cc: firewalls@greatcircle.com (Firewalls mailing list)
Date: Mon, 10 Nov 1997 09:05:59 -0500 (EST)
Subject: Re: Finjan Surfin Gate Review

I don't think they do protect you if the connection is encrypted, or if the attacker is very clever. However, there are a lot of dumb attackers, and I think that you may block some attacks with it.

(Of course, you really want a language that's safe, running on a reasonable OS. But since we don't have that, Java and ActiveX firewalls may be coming.)

Adam

Steve Jackson Brown wrote:
[Charset ISO-8859-1 unsupported, filtering to ASCII...]
| How do these products protect you if the web site you are visiting is using
| SSL to transfer the Java applets?
|
| It would seem that if it is encrypted, it would be impossible to inspect
| Java applets, making it useless.
|
| One thing I thought that was ironic in the
| http://www.rstcorp.com/hostile-applets/drowning.html review was the install
| script for Finjan was xhost +
| How security knowledgeable is a security company when they build install
| scripts that open you up to
| worst attacks?
|
| Is anyone actually buying or deploying this Java security stuff? Is it
| a lot of hype?
| ----------
| > From: Adam Shostack
| > To: Peter da Silva
| > Cc: jerry@us.esafe.com; sjbrown@bellsouth.net; firewalls@GreatCircle.COM
| > Subject: Re: Finjan Surfin Gate Review
| > Date: Saturday, November 08, 1997 4:03 PM
| >
| > I'll mention that Security-7 (www.security7.com) has a product that
| > will look through the Java classes or ActiveX controls and allow you
| > to block things that you don't like. (Thus, you could block all Java
| > that calls the file io classes.)
| >
| > Adam
| >
| >
| > Peter da Silva wrote:
| > | > Protection from vandal applets is a new technology which is still
| being
| > | > defined...any thoughts?
| > |
| > | Use the approach in HTML: don't allow the applets the ability to
| perform
| > | dangerous acts. If you want to do more, then explicitly download and
| > | install a plugin. That way you have control and you have to perform an
| > | explicit install before you're exposed.
| > |
| > | The only applet technology I know of that does this is the Tk plugin,
| which
| > | actually removes all dangerous commands from the interpreter before
| running
| > | the applet, so even if it's hostile it has no access to anything
| outside the
| > | sandbox.
| > |
| >
| >
| > --
| > "It is seldom that liberty of any kind is lost all at once."
| > -Hume
| >
| >
|

--
"It is seldom that liberty of any kind is lost all at once."
-Hume From owner-firewalls-list Mon Nov 10 08:13:08 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA27626; Mon, 10 Nov 1997 07:32:50 -0800 (PST) Received: from serv1.cyberaccess.fr ([195.132.13.234]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id HAA27547 for ; Mon, 10 Nov 1997 07:32:28 -0800 (PST) Received: from cyberaccess.fr ([195.132.13.195]) by serv1.cyberaccess.fr (Netscape Messaging Server 3.0) with ESMTP id AAA5245; Mon, 10 Nov 1997 16:31:25 +0100 Message-ID: <34672A1A.9F65ADCE@cyberaccess.fr> Date: Mon, 10 Nov 1997 16:37:07 +0100 From: "Christian ALT" X-Mailer: Mozilla 4.03 [en] (WinNT; I) MIME-Version: 1.0 To: "firewalls@greatcircle.com" Subject: nmap on Solaris Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I have tried to compile nmap under Solaris 2.5.1 GCC 2.7.2.1and I have some problems finding or changing some includes netinet/ip_tcp.h : No such file or directory If someone has a pointer for me or any other information I would be gratfull to any help. 
Christian ALT


From owner-firewalls-list Mon Nov 10 08:27:24 1997
Message-Id: <199711101541.HAA29238@honor.greatcircle.com>
From: "Hudspeth, Todd"
To: "'firewalls@greatcircle.com'"
Subject: Performance Testing Tools
Date: Mon, 10 Nov 1997 08:53:48 -0600

Is anyone aware of any performance measurement tools that would simulate thousands of users performing various methods of access to and through a firewall? Such as internal to external ftp, http, https, telnet and VPN?

Thanks,

Todd Hudspeth
Norwest Services, Inc.
todd.hudspeth@norwest.com


From owner-firewalls-list Mon Nov 10 08:28:55 1997
Message-Id: <3.0.1.32.19971110110100.008ef0d0@peter>
Date: Mon, 10 Nov 1997 11:01:00 -0500
To: "Lau, Chris"
From: NB Keenan
Subject: Re: spam
Cc: firewalls@greatcircle.com

>Does anyone have a solution on how to stop spam email at the firewall
>level? We are using TIS Gauntlet. Someone out there is using our
>company name to send out spam email. We are getting many angry replies
>to us asking us to stop spamming. We were not the ones doing it.

I've heard of a device called a "lawyer" that is very effective at stopping people from using your company name without your permission.


From owner-firewalls-list Mon Nov 10 08:30:18 1997
From: "Zilber, Alexey"
To: "'Anton J Aylward'", "'john'"
Cc: "'Jonathan M. Bresler'", "'Firewall list'"
Subject: RE: Pissing Contest (wasRe: Linux et al PFs )
Date: Mon, 10 Nov 1997 10:54:48 -0500

Coming back from vacation, I'd just like to add to this dead thread that there's a WIRED article comparing all the OS's. They ranked Linux right up there, even above FreeBSD for the amount of load it can handle without choking.

>----------
>From: john[SMTP:zaph0d@phawd.com-stock.com]
>Sent: Friday, October 31, 1997 3:58 PM
>To: Anton J Aylward
>Cc: Jonathan M. Bresler; Firewall list
>Subject: Re: Pissing Contest (wasRe: Linux et al PFs )
>
>He's simply demonstrating FreeBSD's ability to handle network traffic
>more efficiently.
>
>Which directly affects firewall performance and security, and therefore
>is very relevant to firewalls discussion.
>
>On Fri, 31 Oct 1997, Anton J Aylward wrote:
>
>> At 08:55 AM 31/10/97 -0500, Jonathan M. Bresler wrote:
>> >
>> > please show me number better than ftp.cdrom.com
>>
>> Could you guys move this off the list to private e-mail.
>> This is no longer constructive to the issue of firewalls.
>> I could equally make the argument that a firewall is like
>> a fuse so you want it to go down to isolate & protect the
>> internal network. You can chop the logic any which way you
>> want, but once it gets into "My X is bigger than yours" we
>> are not chopping logic any more.
>>
>> /anton
>>
>> --------------------------------------------------------------------------
>> Anton J Aylward                  | So, Two cheers for Democracy: one
>> The Strahn & Strachan Group Inc  | because it admits variety and two
>> Information Security Consultants | because it permits criticism.
>> Voice: (416) 494-8661            | - E. M. Forster
>> Fax:   (416) 494-8803            |
>>
>
>


From owner-firewalls-list Mon Nov 10 08:31:32 1997
Message-ID: <43BED8177D10D011A69A0800092C15D70BBABE@haig.oplab.nmac.ericsson.se>
From: Robert Ståhlbrand
To: "'firewalls@greatcircle.com'"
Subject: RE: FIN Scanning through all kind of packet-filtering firewalls?
Date: Mon, 10 Nov 1997 16:33:41 +0100

Hi again!

Tomorrow I will continue my investigations with my FW-1 and, if I find the time, do a test with an IP-filtering program called IP-filter. I will try to cover as much as possible, for example small fragmented packets (24 byte, maybe less), FIN-scanning etc. I will report the results to the list as soon as possible.
/Robert

> -----Original Message-----
> From: gary flynn [SMTP:gary@habanero.jmu.edu]
> Sent: 10 November 1997 14:09
> To: avalon@coombs.anu.edu.au; gary@habanero.jmu.edu
> Cc: firewall-wizards@nfs.net; firewalls@GreatCircle.COM
> Subject: Re: FIN Scanning through all kind of packet-filtering
> firewalls?
>
> > From: Darren Reed
> > > I'm not familiar with Checkpoint but any packet filter that is
> > > filtering on a destination port is going to toss the packet
> > > regardless of the SYN or any other flag unless there is some
> > > special programming.
> >
> > I wouldn't be so sure about that. Checkpoint's FW-1 will pass all
> > packets through with the ACK flag set (except, I think SYN-ACK)
> > but will strip the body of any data. They do this so that they can
> > rebuild state for a connection which has remained open over (say)
> > the firewall rebooting or connection information expiring. If the
> > reply packet was returned, anyway, there's your scan!
>
> I didn't think about that. I should have capitalized
> "packet filter" :)
>
> One normally thinks of state and proxy firewalls as somewhat more
> secure than a simple packet filter but in this case the opposite
> may be true.
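The behaviour Darren Reed describes above (an ACK-flagged segment admitted with its body stripped so the firewall can rebuild state) and the small-fragment case Robert plans to test, modelled as an added example that is not code from this thread or from any vendor: a toy stateful TCP filter in Python that can run in strict mode or in the permissive mode quoted above, with a per-source report of the unsolicited segments a defender would alert on. `Packet`, `StatefulFilter`, the `10.1.` inside prefix and all traffic are constructed for the demonstration.

```python
from collections import Counter
from dataclasses import dataclass, field

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10   # TCP flag bits


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary; only the fields the filter looks at."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: int = 0
    frag_off: int = 0          # IP fragment offset in 8-byte units
    more_frags: bool = False   # IP "more fragments" bit
    tcp_len: int = 20          # bytes of TCP header+data carried by this fragment


@dataclass
class StatefulFilter:
    inside_prefix: str            # addresses starting with this are the protected side
    permissive_ack: bool = False  # True models the FW-1 behaviour quoted above
    conns: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def _key(self, p):
        # Order the two endpoints so both directions map to one table entry
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a <= b else (b, a)

    def verdict(self, p):
        decision, why = self._decide(p)
        self.log.append((p, decision, why))
        return decision

    def _decide(self, p):
        # RFC 1858 style checks: a first fragment too short to carry the TCP
        # flags, or a second fragment at offset 1 that could overwrite them,
        # cannot be filtered on flags at all, so it is dropped outright.
        if p.frag_off == 0 and p.more_frags and p.tcp_len < 20:
            return "drop", "tiny-first-fragment"
        if p.frag_off == 1:
            return "drop", "overlapping-fragment"
        key = self._key(p)
        inbound = not p.src.startswith(self.inside_prefix)
        if key in self.conns:
            if p.flags & RST:
                self.conns.discard(key)
            return "accept", "established"
        if not inbound:
            if p.flags & SYN and not p.flags & ACK:
                self.conns.add(key)          # new connection opened from inside
                return "accept", "new-outbound"
            return "drop", "outbound-no-state"
        if p.flags & SYN:
            return "drop", "inbound-syn"     # policy: nothing is offered to the outside
        if self.permissive_ack and p.flags & ACK:
            # Body stripped and state re-created, as described for FW-1. The inside
            # host still answers (a RST for a closed port), and that reply is what
            # makes a FIN/ACK probe informative to whoever sent it.
            self.conns.add(key)
            return "accept-stripped", "ack-rebuild-state"
        return "drop", "inbound-no-state"

    def probe_report(self):
        """Count, per source, inbound non-SYN segments that matched no connection.
        A burst of these across many ports on one host is the scan signature
        worth alerting on, whichever mode the filter runs in."""
        return Counter(p.src for p, _, why in self.log
                       if why in ("inbound-no-state", "ack-rebuild-state"))


def demo(permissive):
    """Run one constructed traffic sample through the filter in the given mode."""
    fw = StatefulFilter("10.1.", permissive_ack=permissive)
    verdicts = []
    # A normal outbound web connection and the server's SYN/ACK reply
    verdicts.append(fw.verdict(Packet("10.1.0.5", 40000, "192.0.2.9", 80, SYN)))
    verdicts.append(fw.verdict(Packet("192.0.2.9", 80, "10.1.0.5", 40000, SYN | ACK)))
    # FIN/ACK segments from outside aimed at ports nobody opened from inside
    for port in (21, 23, 25):
        verdicts.append(fw.verdict(Packet("198.51.100.7", 55555, "10.1.0.5", port, FIN | ACK)))
    # A first fragment of 8 bytes: too short to include the TCP flags
    verdicts.append(fw.verdict(Packet("198.51.100.7", 55555, "10.1.0.5", 22, SYN,
                                      more_frags=True, tcp_len=8)))
    return verdicts, fw.probe_report()


if __name__ == "__main__":
    for mode in (False, True):
        v, report = demo(mode)
        print("permissive" if mode else "strict", v, dict(report))
```

In strict mode the three FIN/ACK segments are dropped; in permissive mode they are admitted with their bodies stripped, which is exactly the difference the quoted exchange turns on, while `probe_report` flags the source either way.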
From owner-firewalls-list Mon Nov 10 08:46:16 1997
From: "Stackpole, Bill"
To: "'Paulo Jorge Delgado'", firewalls@greatcircle.com
Subject: RE: Need help comparing solutions
Date: Mon, 10 Nov 1997 08:32:38 -0800

Either you guys are really paranoid or you have something very valuable to protect. Just a curiosity factor, but did your workgroup do any risk analysis before coming up with this solution?

- A firewall using stateful inspection

This could be integrated into the router along with a good set of filters to protect your "DMZ".

- A proxy based virus scanner (for NNTP, SMTP, HTTP, FTP)

So far the best solutions for this are on stand-alone systems but several major vendors are moving to integrate this functionality into their firewall servers.

- A proxy based access control application (for "URL censorship")

Personally I'd bag this and write an acceptable use policy, have employees sign it and fire those that violate it. However, vendors like Raptor do have some "URL censorship" add-ons. Or you could use a passive monitor like ON Tech's Internet Manager.

- A proxy based firewall

An alternative to a second firewall might be a good monitoring system like NetRanger that would alert you to attacks and/or wrongful usage. Unless of course you are looking for some of the other benefits that a proxy might provide like Web page caching.

- A suite of auditing tools
- ???
Router based firewalls don't require per user licenses and most of the passive monitors I've seen don't require them either.

As for the Netscape proxy, it works. So doesn't the Microsoft proxy. Are they firewalls? Hardly.

> -----Original Message-----
> From: Paulo Jorge Delgado [SMTP:Paulo.Delgado@bta.pt]
> Sent: Monday, November 10, 1997 3:43 AM
> To: firewalls@greatcircle.com
> Subject: Need help comparing solutions
>
> Hello,
>
> The company I work for has decided to connect to the Internet using
> a firewall solution. This is a rather long story, but after creating
> a workgroup with people from IT Security, Systems Management and
> Telecommunications, creating a Security Policy and contacting
> several vendors, we decided to propose a solution integrating
> several products, connected in series:
>
> - A firewall using stateful inspection
> - A proxy based virus scanner (for NNTP, SMTP, HTTP, FTP)
> - A proxy based access control application (for "URL censorship")
> - A proxy based firewall
> - A suite of auditing tools
>
> With this we aimed at creating a screened subnet architecture, with
> special focus on redundancy. We wanted to make sure that, if one of
> the elements of the solution were compromised, the others would still
> be able to provide some measure of security and eventually detect
> attacks coming from the compromised element.
>
> Someone else is proposing a cheaper solution, something like:
>
>                +------------+
>                | Stateful   |            |
>  Outside ------+ inspection +------+     |
>  networks      | firewall   |      |     +--------------+
>                +-----+------+      |     | Dual-homed   |      |
>                      |             |     | Netscape     |      | Internal
>                      |             +-----+ Proxy Server +------+ network
>                      |             |     | HTTP, FTP,   |      |
>                +-----+-------+     |     | Gopher       |      |
>                | Netscape    |     |     +--------------+
>                | Mail Server |
>                +-------------+
>
> They say that Netscape proxy server gives some additional security,
> complementing the firewall, so this would also be a redundant solution
> and with the added benefit of reducing the number of licences I need
> on the firewall.
>
> I don't know this Netscape Proxy Server, but I feel that it can't act
> as a real firewall. Can someone on the list comment on the relative
> security of this cheaper solution?
>
> Many thanks,
>
> Paulo
>
> +-------------------------------+---------------------------------------+
> | Paulo Jorge Delgado           | Internet: Paulo.Delgado@bta.pt        |
> | Banco Totta & Acores          | Office: +351-1-7922467                |
> | Av. Miguel Bombarda 4, 7      | Fax: +351-1-7922481                   |
> | 1000 Lisboa                   |                                       |
> | Portugal                      |                                       |
> +-------------------------------+---------------------------------------+


From owner-firewalls-list Mon Nov 10 10:09:21 1997
From: Jerry Huyghe
To: "'Adam Shostack'", peter@baileynm.com
Cc: sjbrown@bellsouth.net, firewalls@GreatCircle.COM
Subject: RE: Finjan Surfin Gate Review
Date: Mon, 10 Nov 1997 09:39:37 -0800

Yes, Security-7 has a good product, but it is a gateway solution, which will not stop SSL or VPN encrypted transmissions. It must be combined with solid runtime protection.

Sincerely,

Jerry Huyghe
Product Manager
eSafe Technologies

> -----Original Message-----
> From: Adam Shostack [SMTP:adam@homeport.org]
> Sent: Saturday, November 08, 1997 1:04 PM
> To: peter@baileynm.com
> Cc: jerry@us.esafe.com; sjbrown@bellsouth.net; firewalls@GreatCircle.COM
> Subject: Re: Finjan Surfin Gate Review
>
> I'll mention that Security-7 (www.security7.com) has a product that
> will look through the Java classes or ActiveX controls and allow you
> to block things that you don't like. (Thus, you could block all Java
> that calls the file io classes.)
>
> Adam
>
>
> Peter da Silva wrote:
> | > Protection from vandal applets is a new technology which is still being
> | > defined...any thoughts?
> |
> | Use the approach in HTML: don't allow the applets the ability to perform
> | dangerous acts. If you want to do more, then explicitly download and
> | install a plugin. That way you have control and you have to perform an
> | explicit install before you're exposed.
> |
> | The only applet technology I know of that does this is the Tk plugin, which
> | actually removes all dangerous commands from the interpreter before running
> | the applet, so even if it's hostile it has no access to anything outside the
> | sandbox.
> |
>
>
> --
> "It is seldom that liberty of any kind is lost all at once."
> -Hume
>


From owner-firewalls-list Mon Nov 10 10:15:27 1997
Date: Mon, 10 Nov 1997 11:31:19 -0600 (CST)
From: Rich Peiffer
To: firewalls@greatcircle.com
Subject: SNMP Scan

I'm having a problem with various sites continuously scanning my nets for any host willing to answer an SNMP service request (UDP port 161). The scan typically happens once or twice a day, and is getting quite annoying. It appears that my firewall is rejecting the requests properly, but I am wondering what my next step should be?
I have attempted to contact the admin of the domains where the attacks appear to be originating. The problems there are obvious (large dialup networks, spoofed source addresses, etc.)

Should I maybe be dumping the contents of some of these packets? If so, what should I be looking for? Is there a gaping hole in SNMP somewhere?

I am considering filtering out these rejected packet messages from my syslog files as they tend to cloud up the rest of the messages which are important.

There is also one other thing that bothers me regarding this issue. Most packets are rejected by my external router when they are inbound on the interface connected to the internet. I just recently noticed the packet destined to the external router itself appears to make it in, and the router's response is rejected. The following is an example of what I am getting:

Nov 10 09:53:55 bastion kernel: IP fw-out deny eth1 UDP 207.250.113.129:161 207.198.221.100:2142 L=89 S=0x00 I=27282 F=0x0000 T=64

*** the above message is from my external router; note it appears to be a response to the attack, not the attack itself.

Nov 10 09:53:55 bastion kernel: IP fw-in deny eth1 UDP 207.198.221.100:2142 207.250.113.191:161 L=89 S=0x00 I=18239 F=0x0000 T=112

*** this message is a "normal" rejection.

Nov 10 09:53:57 bastion kernel: IP fw-in deny eth1 UDP 207.198.221.100:2142 207.250.113.129:161 L=89 S=0x00 I=34111 F=0x0000 T=112

*** here is a "normal" rejection from my external router which occurred just after the above two rejections.

I am wondering what the first syslog entry above means. Any request for service 161 from outside my net (207.250.113.xxx) should have been rejected on its way in. I have checked my total firewall configuration over many times, and it appears to be OK.

Any advice or explanations would be appreciated! TIA.

-Rich
--
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
-- Benjamin Franklin, 1759


From owner-firewalls-list Mon Nov 10 11:13:55 1997
Date: Mon, 10 Nov 1997 12:25:08 -0600
From: Michael Martinson
To: firewalls@GreatCircle.com
Subject: What Linux version is best for Firewall?

I'm putting together the pieces and parts for a firewall. I've read that Red Hat is the best version of Linux for a stripped down proxy firewall. I'm just making sure that Red Hat is the version which most firewalls are on. I've checked out:

http://www.ssc.com/lj/issue25/1204.html

and found that it has a lot of help. I'm wondering if anyone is willing to give me a list of what patches they do to the Kernel to make it as secure as possible.
Michael Martinson
Senior Systems Software Programmer
Lincoln Benefit Life
1(800)525-2799 x8710
martimdp@allstate.com


From owner-firewalls-list Mon Nov 10 11:15:52 1997
Message-ID: <88B8AB5C9DD0CF11B1310000F821B7799704DA@msmail.co.alameda.ca.us>
From: "Noe, John, ITD"
To: "'firewalls'"
Date: Mon, 10 Nov 1997 10:05:44 -0800

Hello!

I am a firewall administrator for County Government offices in California. Our shop is starting to become quite security conscious (finally). We are using the Centri product (3.x). I am struggling with the question of opening up ports on the firewall for our users. What is the real world way of dealing with these requests? Opening up the ports, but only between specific sources and destinations?

Also, we will soon be installing Cisco PIX... Any words good or bad? How about sendmail, DNS servers for the untrusted network?

Thanks!

john

John R. Noe
510.272.3864


From owner-firewalls-list Mon Nov 10 11:42:58 1997
Date: Mon, 10 Nov 1997 20:34:51 +0100 (MET)
From: Johannes Schwabe
To: "Lau, Chris"
cc: "'firewalls@greatcircle.com'"
Subject: Re: spam

On Mon, 10 Nov 1997, Lau, Chris wrote:

> Hi:
>
> Does anyone have a solution on how to stop spam email at the firewall
> level? We are using TIS Gauntlet. Someone out there is using our

This issue is not too much related to firewalls.

> company name to send out spam email. We are getting many angry replies
> to us asking us to stop spamming. We were not the ones doing it.
>

I fear you provided not enough information. Does the spammer use your mail servers to relay his spam? If so, you should block relaying. But you cannot stop anybody with technical means from forging From: and Reply-To: headers. You should use social (contacting the provider / upstream provider of the spammer) or juridical (suing the spammer) means.

Contact me if you need assistance.
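The relay check Johannes recommends, as an added example that is not code from this thread or from Gauntlet: the per-envelope relay decision an MTA makes, in Python, with the weak sender-based policy beside the one keyed on recipient domain and connecting host. It also makes his second point concrete: neither policy ever sees the From: header, and a message the spammer sends from his own server never reaches this MTA at all, only the complaints do. The local domain, the internal network and every envelope are constructed; `Envelope`, `open_relay` and `closed_relay` are names chosen for this example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed site data: the domain this MTA delivers for and the hosts it relays for.
LOCAL_DOMAINS = {"example.com"}
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]


@dataclass(frozen=True)
class Envelope:
    client_ip: str         # peer that opened the SMTP session
    mail_from: str         # envelope sender (MAIL FROM)
    rcpt_to: str           # one envelope recipient (RCPT TO)
    header_from: str = ""  # the message's From: header, kept only to show it is ignored


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _internal(ip):
    a = ipaddress.ip_address(ip)
    return any(a in net for net in INTERNAL_NETS)


def open_relay(env):
    """The weak policy: relay anything whose envelope sender looks local.
    MAIL FROM is supplied by the client, so this relays for anyone who
    writes a local domain into it."""
    if _domain(env.rcpt_to) in LOCAL_DOMAINS or _domain(env.mail_from) in LOCAL_DOMAINS:
        return True, "sender-or-recipient-local"
    return False, "relaying-denied"


def closed_relay(env):
    """The policy recommended above: relay only for local recipients or for
    sessions from internal hosts. Neither MAIL FROM nor the From: header takes
    part, because both are whatever the client chose to send."""
    if _domain(env.rcpt_to) in LOCAL_DOMAINS:
        return True, "local-delivery"
    if _internal(env.client_ip):
        return True, "internal-client"
    return False, "relaying-denied"


def audit(policy, envelopes):
    """Apply one policy to a batch of envelopes; returns the list of reasons."""
    return [policy(e)[1] for e in envelopes]


# Constructed sessions, in order: an outsider trying to relay with a forged local
# sender; a legitimate outbound message from an inside host; an angry reply arriving
# from outside; an outsider whose only forgery is the From: header. The spam itself,
# sent from the spammer's own server straight to its victims, never appears here.
SAMPLE = [
    Envelope("203.0.113.5", "sales@example.com", "victim@example.org", "sales@example.com"),
    Envelope("192.0.2.10", "clau@example.com", "friend@example.org"),
    Envelope("203.0.113.77", "angry@example.net", "postmaster@example.com"),
    Envelope("203.0.113.5", "spammer@example.org", "victim@example.org", "sales@example.com"),
]

if __name__ == "__main__":
    for policy in (open_relay, closed_relay):
        print(policy.__name__, audit(policy, SAMPLE))
```

The first envelope is the one that matters: the open policy relays it on the strength of a forged sender, the closed policy refuses it, and the complaint in the third envelope is accepted under both because it is addressed to a local mailbox.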
From owner-firewalls-list Mon Nov 10 12:56:48 1997
Date: Mon, 10 Nov 1997 14:26:56 -0600 (CST)
From: Rich Peiffer
To: firewalls@GreatCircle.COM
Subject: FW: Message not deliverable

I'm having a problem with various sites continuously scanning my nets for any host willing to answer an SNMP service request (UDP port 161). The scan typically happens once or twice a day, and is getting quite annoying. It appears that my firewall is rejecting the requests properly, but I am wondering what my next step should be?

I have attempted to contact the admin of the domains where the attacks appear to be originating. The problems there are obvious (large dialup networks, spoofed source addresses, etc.)

Should I maybe be dumping the contents of some of these packets? If so, what should I be looking for? Is there a gaping hole in SNMP somewhere?

I am considering filtering out these rejected packet messages from my syslog files as they tend to cloud up the rest of the messages which are important.
There is also one other thing that bothers me regarding this issue. Most packets are rejected by my external router when they are inbound on the interface connected to the internet. I just recently noticed the packet destined to the external router itself appears to make it in, and the router's response is rejected. The following is an example of what I am getting:

Nov 10 09:53:55 bastion kernel: IP fw-out deny eth1 UDP 207.250.113.129:161 207.198.221.100:2142 L=89 S=0x00 I=27282 F=0x0000 T=64

*** the above message is from my external router; note it appears to be a response to the attack, not the attack itself.

Nov 10 09:53:55 bastion kernel: IP fw-in deny eth1 UDP 207.198.221.100:2142 207.250.113.191:161 L=89 S=0x00 I=18239 F=0x0000 T=112

*** this message is a "normal" rejection.

Nov 10 09:53:57 bastion kernel: IP fw-in deny eth1 UDP 207.198.221.100:2142 207.250.113.129:161 L=89 S=0x00 I=34111 F=0x0000 T=112

*** here is a "normal" rejection from my external router which occurred just after the above two rejections.

I am wondering what the first syslog entry above means. Any request for service 161 from outside my net (207.250.113.xxx) should have been rejected on its way in. I have checked my total firewall configuration over many times, and it appears to be OK.

Any advice or explanations would be appreciated! TIA.

-Rich
--
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
-- Benjamin Franklin, 1759


From owner-firewalls-list Mon Nov 10 13:12:59 1997
From: "Zilber, Alexey"
To: "'Firewall list'"
Cc: "'jmb@FRB.GOV'", "'hagan@cih.com'"
Subject: RE: Pissing Contest (wasRe: Linux et al PFs )
Date: Mon, 10 Nov 1997 15:58:07 -0500

Oops, sorry, it wasn't Wired. Wired had something else. This was on INTERNETWEEK, comparing all the major OS's (including Linux and BSD). Quite an interesting article.. and aptly named too...
>http://www.techweb.com/se/directlink.cgi?INW19970901S0125


From owner-firewalls-list Mon Nov 10 14:01:23 1997
Message-Id: <34676996.567AC049@iphase.com>
Date: Mon, 10 Nov 1997 14:07:50 -0600
From: Patrick Larkin Jr
Organization: Interphase Corporation
Newsgroups: comp.security.firewalls,comp.lang.java.security
To: Firewalls@greatcircle.com, plarkin@iphase.com
Subject: Summary on Java Sanity Check

I posted a query titled "Sanity Check my Java/Security Stance" to the "comp.security.firewalls" and "comp.lang.java.security" newsgroups and also to the "firewalls@greatcircle.com" mailing list. Got 12 replies. The list below summarizes them (note: the total exceeds 12 because some folks offered multiple statements). In cases where there was more than one particular statement, I took the liberty of paraphrasing the best one and adding to the count for each additional one that had the same basic principle.
QTY Statement ---- ----------------------------------------------------------------------- 4 We face these same issues, please post your results (or "the answer") 4 Buy our product, it protects you (or "you can buy protection") 4 Real world business apps in Java are few and far between 2 We dont allow it, we dont leave it up to users. 2 put PCs on the DMZ 2 Be careful about relying on a policy alone Here were some notable quotes (included in counts above): * So what are these business related sites that insist you must use JAVA ? Have yet to get an answer to that one. * After our users claimed they had to have Java to do their work, turns out it was to see what other companies were doing with Java. * Despite this type of "policy" I have found that both users and management will hold you responsible with the attitude of "YOU should have known that THEY couldn't possibly know better as to which Java sites to trust". Be careful -- when problems occur, some people look first for a fall guy and second for a solution. Conclusions: Judging from this, I had nobody say they Let it through their firewall unabated.Furthermore, there seems to be more folks asking the question than there are answers. We have yet to have formulated an "answer".... I'm still waiting for the users to provide an example URL and info to back up their claims that "Sun, 3com and other big companies let it through". Also, it is worth noting that the day after my posting, I got a telephone voicemail from a guy at 'Digitivity' trying to sell me his "protection". I did not post my phone number (though it is obtainable via the net). I did not ask for telephone calls or sales pitches. Thus, I wont be buying that product. I get enough "spam" email as it is... the last thing I need is more of it, and over the phone too. Thank you all for your insight and for responding, Original Posting: > Ok, my users are getting restless and are beginning to say "I can't do my > job because Java is blocked by the Firewall". 
> Therefore, I'm curious to know what the current stance is in the industry
> regarding letting Java thru.
>
> We've had TIS Gauntlet for a couple years now, and installed their blocker
> for Java, JavaScript and ActiveX as soon as it came out. During that time,
> we'd see numerous postings on bugtraq, cert, and so on about Java security
> problems. I've not really followed THESE NGs, but the lists have pretty
> much quieted down regarding Java.
>
> Initially, I thought if we could get Gauntlet to check site
> certificates at the firewall, that would be best, but the more
> I think about it, I don't want to make a career out of fulfilling
> "please add XYZ.com to the 'permit java' list" requests.
>
> So the questions are:
> Do most companies let Java thru the firewall nowadays?
> If so, what conditions do you place on it?
>
> We do not want our proprietary source code, nor other confidential
> business files leaking out. We have probably half our users on Win95
> and the other half on SunOS or Solaris. Although my department only
> supports Netscape Navigator/Communicator, there are quite a few who
> install their "browser of choice". With site certificates in Netscape v4.x,
> I feel a little more comfortable letting Java through. Given this
> culture, here is the stance I'm considering:
>
>     We will open up our firewall to Java which brings with it
>     certain risks... To minimize these risks we recommend you
>     ONLY run Netscape Communicator v4.03 or higher and learn
>     about Site Certificates before checking the "Enable Java(script)"
>     buttons in the config screens. Determining what Java sites
>     can be trusted is YOUR RESPONSIBILITY. Failure to make prudent
>     use of the above mentioned security mechanisms can lead to
>     problems for which we cannot be responsible.
>
> Is this a reasonable policy given the state of Java and Netscape v4.x?
> Are we missing anything? Is it too strict or not strict enough?
>
> Finally, I envision seeding everyone's certificates with a few major
> sites like sun, netscape, etc. and set it to "deny ALL java
> unless its site certificate is one of these".
> Is there a URL that explains how to set this up and/or explains
> to my average user how to manage certificates?
> The pages I've found at www.netscape.com are pretty lame on these
> issues, but surely they're buried somewhere there (or somewhere else).
>
> Please follow up with me directly via Email as I'm sure this has been rehashed
> many times. TIA for all your help!

--
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Patrick Larkin Jr -SysAdm, Texan, Drummer, Patriot-

From owner-firewalls-list Mon Nov 10 15:51:45 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA09682; Mon, 10 Nov 1997 11:43:17 -0800 (PST) Received: from ns.gmds.com ([206.98.109.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id LAA09628 for ; Mon, 10 Nov 1997 11:43:00 -0800 (PST) Date: Mon, 10 Nov 1997 11:43:00 -0800 (PST) From: bookinfo@answerme.com Message-Id: <199711101943.LAA09628@honor.greatcircle.com> Received: from answerme.com ([207.34.181.196]) by ns.gmds.com (Post.Office MTA v3.1.2 release (PO205-101c) ID# 0-43306U2500L250S0) with SMTP id AAA309; Sat, 8 Nov 1997 23:50:10 -0800 To: bookinfo@answerme.com Subject: 5-Become a #1 Best-Selling Author.. Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

--------------------------------------------------------------------------------------------
Steal the #1 spot on the BEST-SELLER LISTS
Do you want to get Published NOW? Here's how you do it...
--------------------------------------------------------------------------------------------

FACT: Did you know that 95% of first-time authors who try to get published end up with a handful of rejection letters instead of those Million dollars advances you hear about?
Only a fraction of submitted manuscripts are published and the MAJORITY of them are sadly thrown into the pile of "unwanted" manuscripts... * DO you have a dream to see yourself in print? NOW & not years later? * DO you want to know how writers are making MILLIONS of dollars out of their once rejected books? * DO you want to see your book on the BEST SELLER charts and in major bookstore chains? * DO you want to see *YOUR BOOK* sell thousands of copies instead of sitting in a rejection pile of manuscripts? If you answered YES to all of these questions, then please read on... Discover how you can get your book out of those worthless piles of manuscripts and on to the Best-Sellers Lists instead! ------------------------------------------------------------------------------------------------------------ You want to Publish your Book-And, you want to Publish it NOW! The way to do this is Self-Publishing... ----------------------------------------------------------------------------------------------------------- Does the prospect of Self-Publishing scare you? DON'T LET IT! This field in Publishing is very profitable and producing your own books has never been easier! It's the best way to get NOTICED... Did you know that Mark Twain, an author in history started out by self-publishing? Yes, it is true... So how do you publish your book with great success so that you DO get NOTICED? ORDER OUR SELF-PUBLISHING KIT Why? Because this kit contains everything you will ever need to know about publishing your own book. You'll know exactly how the executives at the Conglomerates do it. ------------------------------------------------------------------------------------------------- You will BENEFIT from getting VALUABLE INSIDE information from our Kit! 
------------------------------------------------------------------------------------------------- Major publishers don't want you to have this kit because once you read through the materials, you'll be all playing on the same field--their field! The Kit is written in a easy-to-follow format and there are no fancy terms that will confuse you. Here is what the kit REVEALS that nobody else will tell you: * You'll gain compelling insight on what REALLY works and what doesn't in publishing books. The case studies will show you how publishers made their BEST-SELLER success and how you can too. *· Gain a sharp edge by discovering how to write your book so that it is BEST-SELLER material. Major publishers know this vital method, but you will never hear about it. * Discover how to get your books into major bookstore chains, such as BARNES AND NOBLE and all the other biggies... * Getting reviewed is a BIG break-through for authors... See how to get raving reviews in Major publications like the New York Times and other prominent reviewers. * Discover how to get your book into BOOK CLUBS. Some clubs have over a million members... If your book makes it as a FEATURED SELECTION, it will be sent to ALL the members automatically... That will mean more sales and PROMOTION as a writer for you-and legions of fans who will WANT your next book as soon as it's printed!!! * A publishing Timetable (the ones that BIG publishing houses follow): Know exactly what to do and when you should do it. You'll need this list of events! * Benefit from a massive information-filled resource directory filled with valuable contact information and numbers of key people in the industry that you MUST have. All this hard-to-find information will be yours! * Use these 30 creative ideas to raise money. Part of the problem with Self-Publishing is finding the money to do it. These creative methods are PROVEN and SURE-FIRE ways to get the money you need... You'll even see how to get grants (FREE money)! 
Self-publishing is very profitable and can make you a celebrity author. The methods in the kit will show you EVERYTHING. Just look at the author of The Celestine Prophecy-his story has made publishing history!! He SELF-PUBLISHED his book and went off to become a MAJOR AUTHOR! Not only did Warner Books scoop up this title for a colossal $800,000, the book as been on the best-seller's list, holding the title of the longest running hardcover fiction to hit the charts! All this because he self-published his book? You bet! So where do you want to be now? In the "Slush Pile" or on the charts with a hefty check to show for it? If you've been rejected too many times, it's not the end for you!!! The Self-Publishing Kit will help you GET PUBLISHED-NOW! If it's your dream to be published and become a celebrity author, order the self publishing kit today. You'll feel on top of the world when you're #1 on the BEST-SELLER LISTS! -------------------------------------------------------------------------------------- HURRY and ORDER the Self-Publishing Kit Today! If you order within 10 days we'll give it to you for **$18.95** The Kits are selling fast and ...QUANTITIES ARE LIMITED... After the 10 days the kit will be priced at $26.95. So hurry and take advantage of our 10 day offer! ---------------------------------------------------------------------------------------- The Kit comes with a 100% money-back guarantee. Try the methods. If they don't work for you, send it back for a FULL refund! (less shipping & handling). You're Publishing future is in YOUR hands. Editors and Agents are NOT concerned about your career...To see yourself on the Best-Seller's List, you must take action- TODAY! Order the Self-Publishing Kit and begin your publishing career NOW... SELF-PUBLISHING: * is your key to getting Published and Getting noticed... * will fulfill your dream to be #1 on the Best-Seller's list... 
* will ensure that one day you will be at the major bookstore chains blissfully signing away autographs... Experience and live the dreams you desire and DESERVE!--ORDER your copy of the Self-Publishing kit today... To order, please fill out the form below and mail it to us! ------------------------------------------------------------------------------------------------------------------------------------- YES, I want to order The Self-Publishing Kit and take control of my publishing future right away... I am ordering within 10 days so that I can get in on the 10 day special! Number of copies: ____ PRICING: Canadian and US Residents $18.95 + $5.00 (P&H) per kit. International $18.95 + $10.00 (P&H) per kit **100% Money-back guarantee** (All Prices in US DOLLARS ONLY-Canadian / International orders, note that your checks and money orders must be written in US dollars/currency or there will be delays in your order). TOTAL AMOUNT ENCLOSED: $ ______________US DOLLARS ( ) Check ( ) Money Order (Payable to: Future Books) Sorry, no VISA or MasterCard accepted. NAME ___________________________________________ ADDRESS ________________________________________ __________________________________________________ CITY _________________ STATE_______ ZIP __________ TEL ( ) ________________ EMAIL __________________ Mail your orders to: Future Books Order Dept. 1197SL5 34A-2755 Lougheed Hwy., Suite 510 Port Coquitlam, BC, V3B 5Y9 Canada Please allow two to three weeks for your order to be processed and sent. Checks will have to clear before kits can be sent out. THANK YOU FOR YOUR ORDER! PS: If you have any friends who could use this kit, forward a copy of this letter to them!!! 
From owner-firewalls-list Mon Nov 10 15:52:06 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA27786; Mon, 10 Nov 1997 10:43:42 -0800 (PST) Received: from cheez.lowprofile.net (cheez.lowprofile.net [206.97.249.88]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id KAA27689 for ; Mon, 10 Nov 1997 10:43:17 -0800 (PST) Received: from cheez.lowprofile.net (cheez.lowprofile.net [206.97.249.88]) by cheez.lowprofile.net (8.8.5/8.8.5) with SMTP id MAA29200; Mon, 10 Nov 1997 12:11:18 -0600 Date: Mon, 10 Nov 1997 12:11:17 -0600 (CST) From: "Daniel \"Cheez\" Brown" To: "Hudspeth, Todd" cc: "'firewalls@greatcircle.com'" Subject: Re: Performance Testing Tools In-Reply-To: <199711101541.HAA29238@honor.greatcircle.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Todd-

Personally, I know of none. But I would suggest just writing a few shell scripts that do nothing but hit ports 21, 23, 25, 80, and 110 repeatedly, and putting them on outside machines, being careful not to overload the machines. You might wish to do some other ports too, but those are the main ones. You could also use a portscanner on each machine, running 4-8 copies of the program on each machine, and set it to repeatedly scan the first 200 ports. That would be a pretty good stress test for a firewall.

Sorry I can't offer any rock solid information, but good luck.

Luck be with ye,

+----Daniel "Cheez" Brown------------Global Data Systems-------+
| http://cheez.lowprofile.net | Security Advisor, Global Reach |
| cheez@cheez.lowprofile.net  | Computer Networking Specialist |
| cheez@globalreach.net       | Remote Management Specialist   |
| cheez@hotmail.com           | Linux/Windows NT Specialist    |
+------If at first you don't succeed, redefine success.--------+

On Mon, 10 Nov 1997, Hudspeth, Todd wrote:

Date: Mon, 10 Nov 1997 08:53:48 -0600
From: "Hudspeth, Todd"
To: "'firewalls@greatcircle.com'"
Subject: Performance Testing Tools

Is anyone aware of any performance measurement tools that would simulate thousands of users performing various methods of access to and through a firewall? Such as, internal to external ftp, http, https, telnet and VPN?

Thanks,
Todd Hudspeth
Norwest Services, Inc.
todd.hudspeth@norwest.com

From owner-firewalls-list Mon Nov 10 16:06:12 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA15966; Mon, 10 Nov 1997 14:38:51 -0800 (PST) Received: from mail.baileynm.com (fw.baileynm.com [206.109.159.11]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id OAA15959 for ; Mon, 10 Nov 1997 14:38:42 -0800 (PST) Received: (qmail 11249 invoked from smtpd); 10 Nov 1997 22:39:48 -0000 Received: from web.nmti.com (root@198.178.0.201) by fw.nmti.com with SMTP; 10 Nov 1997 22:39:48 -0000 Received: from baileynm.com (grendel.nmti.com [198.178.0.150]) by web.nmti.com (8.6.12/8.6.9) with SMTP id QAA24227 for ; Mon, 10 Nov 1997 16:39:48 -0600 Received: by baileynm.com; (5.65v3.2/1.1.8.2/08Sep97-0924AM) id AA19600; Mon, 10 Nov 1997 16:42:16 -0600 From: Peter da Silva Message-Id: <9711102242.AA19600@baileynm.com> Subject: Re: Finjan Surfin Gate Review To: firewalls@GreatCircle.COM Date: Mon, 10 Nov 1997 16:42:16 -0600 (CST) In-Reply-To: from "Jerry Huyghe" at Nov 10, 97 09:39:37 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> Yes, Security-7 has a good product, but it is a gateway solution, which
> will not stop SSL or VPN encrypted transmissions. It must be combined
> with solid runtime protection.

Adam also sent me private mail stating that for most applets it will work just fine, even though a really malicious one would be able to sneak through if it was obscured by compression or encryption.

The problem I see is that there is readily available code to perform that sort of encryption in virus writers' toolkits, many of which are publicly advertised in hobbyist magazines "for research purposes". So anyone writing a malicious applet can easily hide it in an apparently innocuous program by running a stealth virus generator and making the malicious code the payload.

The whole issue of scanning for dangerous code is a fundamentally broken approach to security. It's failed spectacularly for virus detectors (though it's been a tremendous success for virus detector COMPANIES as people have to keep paying danegeld to McAfee and Symantec to keep up the arms race), and it will fail even more spectacularly here (virus writers are primarily ego driven. With hostile applets, where you can force the code to be executed where and when you want, when you know your victim has a communication link up, you can get real money out of the deal).

The only viable solution is a strong sandbox that doesn't contain any tools that can be used to violate the integrity of the user's system. Yes, this will limit the end-user's ability to do some interesting and useful things with applets. What a SHAME. The poor user will need to actually DOWNLOAD and INSTALL a plugin (after verifying that it really came from an entity that he can successfully sue if it contains malicious code). I think that's a small price to pay for a modicum of security.

In terms of the technology available currently... last week I suggested that Safe Tcl was the only really secure sandbox.
It's the one that's been developed the most, but there are a couple of other interesting options:

ActiveX and native code: this is almost criminally lax about security.

Java: It's pretty safe from stealth-type abuse, so scanning is an option... and in fact that's how its security model works. Experience has shown that there's still work to be done.

Visual Basic: If used as a sandbox... all I can say is "Word Macro Virus".

Javascript: It's a pretty limited interpreter. It's got more potential holes than HTML, but they seem pretty much to be limited to privacy issues.

Safe Tcl: It's got a lot more capability than Javascript, and has proven itself pretty secure. At least one large regional ISP has been using it for server-side customer scripting without untoward events.

Postscript: There's been a couple of problems with people using poorly designed security to change printer settings, and a hole in the setup code in Ghostscript, but in a browser context where configuration isn't done through the scripting language that's not an issue. I'd really like to see browsers with embedded Postscript interpreters, other than Adobe's pretty but illegible PDF.

Safe Perl, and so on: There's been some work in making "safe" versions of other popular scripting languages. I don't know of any that are really suitable for plugins or applets.

Advanced HTML: Netscape and others have had problems with adding new features to HTML that have caused problems in association with Javascript (for example, the frame bug). On the other hand it's a language that's very easy to scan, and with a bit more care it can be extended into a much more capable language than it is now, without compromising security.

Has anyone seen anything interesting done with embedded Postscript or more procedurally oriented HTML (the war over whether HTML is descriptive or layout oriented has, of course, been lost to the glamor kiddies)?
--
%!PS true(<; Mon, 10 Nov 1997 16:01:41 -0800 (PST) Received: (qmail 23022 invoked from network); 11 Nov 1997 01:03:32 -0000 Received: from localhost (127.0.0.1) by localhost with SMTP; 11 Nov 1997 01:03:32 -0000 Date: Mon, 10 Nov 1997 17:03:31 -0800 (PST) From: Jesse Brown X-Sender: bextreme@geek-gw.ptw.com To: Michael Martinson cc: firewalls@GreatCircle.COM Subject: Re: What Linux version is best for Firewall? In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

The distribution you are running it on is usually less important than the kernel version (as most of the firewalling code built into Linux is in the kernel). I personally run Slackware, and haven't had a problem yet.

-J

On Mon, 10 Nov 1997, Michael Martinson wrote:

> I'm putting together the pieces and parts
> for a firewall. I've read that Red Hat is
> the best version of Linux for a stripped
> down proxy firewall. I'm just making sure
> that Red Hat is the version which most
> firewalls are on.
>
> I've checked out:
> http://www.ssc.com/lj/issue25/1204.html
> and found that it has a lot of help. I'm
> wondering if anyone is willing to give me a
> list of what patches they do to the Kernel
> to make it as secure as possible.
>
> Michael Martinson
> Senior Systems Software Programmer
> Lincoln Benefit Life
> 1(800)525-2799 x8710
> martimdp@allstate.com
>

--
Jesse Brown - bextreme@pobox.com

From owner-firewalls-list Mon Nov 10 16:22:50 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA27897; Mon, 10 Nov 1997 10:44:13 -0800 (PST) Received: from beta.mcit.com (beta.mcit.com [199.249.19.143]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id KAA27848 for ; Mon, 10 Nov 1997 10:43:56 -0800 (PST) Received: from ndcrelay.mcit.com (ndcrelay.mcit.com [166.37.172.49]) by beta.mcit.com (8.8.7/) with ESMTP id MAA27784; Mon, 10 Nov 1997 12:44:53 -0600 (CST) Received: from imeid02.mcit.com.mci.com (imeid02.mcit.com [166.37.221.14]) by ndcrelay.mcit.com (8.8.5/) with ESMTP id NAA17724; Mon, 10 Nov 1997 13:44:53 -0500 (EST) Received: from localHost ([166.41.52.104]) by imeid02.mcit.com.mci.com (Intermail v3.1 117 223) with SMTP id <19971110184452.OHIA4591@[166.41.52.104]>; Mon, 10 Nov 1997 12:44:52 -0600 Date: Mon, 10 Nov 1997 11:44 -0700 (MST) From: Steve Lindauer To: "Hudspeth, Todd" CC: "'firewalls@greatcircle.com'" Subject: Re: Performance Testing Tools X-Mailer: MailRoom v1.0d Message-Id: <19971110184452.OHIA4591@[166.41.52.104]> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Todd,

Check these:

Company               Product                        Website
--------------------  -----------------------------  ----------------------
Auto Tester Inc.      AutoTester Web                 www.autotester.com
Centerline Software   QC/Advantage                   www.centerline.com
Compuware             QA Center                      www.compuware.com
Eastern Systems       TestWeb                        www.easternsystems.com
Mercury Interactive   Astra SiteManager              www.merc-int.com
                      Astra SiteTest
                      Web Test
Platinum Technology   Web Qualify                    www.platinum.com
                      Final Exam
Pure Atria Corp       Performix.Web                  www.pureatria.com
Rational Software     SQA LoadTest 6.0               www.sqa.com
Segue Software        SilkTest                       www.segue.com
                      SilkPerformer
Softbridge            Automated Test Facility 4.0    www.sbridge.com
Software Research     TCAT for Java                  www.soft.com

Steve

------------------------------

Message-Id: <199711101541.HAA29238@honor.greatcircle.com>
From: "Hudspeth, Todd"
To: "'firewalls@greatcircle.com'"
Subject: Performance Testing Tools
Date: Mon, 10 Nov 1997 08:53:48 -0600
Sender: firewalls-owner@GreatCircle.COM

Is anyone aware of any performance measurement tools that would simulate thousands of users performing various methods of access to and through a firewall? Such as, internal to external ftp, http, https, telnet and VPN?

Thanks,
Todd Hudspeth
Norwest Services, Inc.
todd.hudspeth@norwest.com

From owner-firewalls-list Mon Nov 10 16:22:53 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA13315; Mon, 10 Nov 1997 12:00:53 -0800 (PST) Received: from netcom19.netcom.com (netcom19.netcom.com [192.100.81.132]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id MAA13264 for ; Mon, 10 Nov 1997 12:00:41 -0800 (PST) Received: from localhost (xod@localhost) by netcom19.netcom.com (8.8.5-r-beta/8.8.5/(NETCOM v1.02)) with SMTP id MAA06552; Mon, 10 Nov 1997 12:01:37 -0800 (PST) Date: Mon, 10 Nov 1997 12:01:37 -0800 (PST) From: Nyarlathotep X-Sender: xod@netcom19 To: Robert Ståhlbrand cc: "'firewalls@greatcircle.com'" Subject: RE: FIN Scanning through all kind of packet-filtering firewalls?
In-Reply-To: <43BED8177D10D011A69A0800092C15D70BBABE@haig.oplab.nmac.ericsson.se> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Content-Transfer-Encoding: QUOTED-PRINTABLE Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hello,

How's about someone tossing us a Solaris FIN scanner so we can all test our firewalls and post the results? This is juicy info and I'd certainly like to know about the gaping hole in my 10K firewall solution.

m@

Matthew Ashcraft,        |
Unix, Netware, The Net   | "Our lives are but file cache buffers
and Rock n Roll          |  to the filesystem of existence." - YT
xod@netcom.com,          |

On Mon, 10 Nov 1997, [iso-8859-1] Robert Ståhlbrand wrote:

> Hi again!
>
> Tomorrow I will continue my investigations with my FW-1 and if I find
> the time, do a test with a ip-filtering program called IP-filter. I
> will try to cover as much as possible like for example, small fragmented
> packets (24 byte, maybe less) FIN-scanning etc.
>
> I will report the results to the list as soon as possible.
>
> /Robert
>
> > -----Original Message-----
> > From:    gary flynn [SMTP:gary@habanero.jmu.edu]
> > Sent:    10 November 1997 14:09
> > To:      avalon@coombs.anu.edu.au; gary@habanero.jmu.edu
> > Cc:      firewall-wizards@nfs.net; firewalls@GreatCircle.COM
> > Subject: Re: FIN Scanning through all kind of packet-filtering
> > firewalls?
> >
> > > From: Darren Reed
> > > > I'm not familiar with Checkpoint but any packet filter that is
> > > > filtering on a destination port is going to toss the packet
> > > > regardless of the SYN or any other flag unless there is some
> > > > special programming.
> > >
> > > I wouldn't be so sure about that. Checkpoint's FW-1 will pass all
> > > packets through with the ACK flag set (except, I think SYN-ACK)
> > > but will strip the body of any data. They do this so that they can
> > > rebuild state for a connection which has remained open over (say)
> > > the firewall rebooting or connection information expiring. If the
> > > reply packet was returned, anyway, there's your scan!
> >
> > I didn't think about that. I should have capitalized
> > "packet filter" :)
> >
> > One normally thinks of state and proxy firewalls as somewhat more
> > secure than a simple packet filter but in this case the opposite
> > may be true.
>

From owner-firewalls-list Mon Nov 10 19:50:55 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id TAA16362; Mon, 10 Nov 1997 19:45:58 -0800 (PST) Received: from newton.tedhome.ml.org (einstein.globaldialog.com [156.46.146.232]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id TAA16334 for ; Mon, 10 Nov 1997 19:45:46 -0800 (PST) Received: from newton.tedhome.ml.org (localhost.tedhome.ml.org [127.0.0.1]) by newton.tedhome.ml.org (8.8.5/8.8.5) with ESMTP id VAA26181 for ; Mon, 10 Nov 1997 21:53:30 -0600 Message-Id: <199711110353.VAA26181@newton.tedhome.ml.org> X-Mailer: exmh version 2.0zeta 7/24/97 To: firewalls@GreatCircle.COM Subject: support for NetMeeting From: Ted Serreyn Reply-To: tserreyn@pop.globaldialog.com X-url: http://www.globaldialog.com/~tserreyn X-Face: "/SG<2*!'j/cS|G61.QFAio,seg@KyL|6_h"W0aGAQ>ztMA; Mon, 10 Nov 1997 21:56:41 -0800 (PST) Received: from cynthia.cynthia.com (cynthia.cynthia.com [208.201.152.17]) by mainserver.surfnetusa.com (NTMail 3.03.0013/1a.aagj) with ESMTP id pa112413 for ; Mon, 10 Nov 1997 21:58:53 +0000 X-Sender: cynthia@mail.surfnetusa.com (Unverified) Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Mon, 10 Nov 1997 21:58:30 -0800 To: cynthia@usenix.org From: cynthia@usenix.org (Cynthia Deno) Subject: USENIX Security Symposium Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Are you responsible for your company's security?
Are you looking for real-world implementations for security issues? If you are, plan to attend:

7TH USENIX SECURITY SYMPOSIUM
January 26-29, 1998
San Antonio, Texas
Marriott RiverCenter Hotel

Program Chair: Avi Rubin, AT&T Research Labs
Sponsored by USENIX, the Advanced Computing Systems Association
In cooperation with the CERT Coordination Center

================================================
Register now online: http://www.usenix.org/events/sec98/
Early registration discount deadline: January 5, 1998
==============================================

*January 26-27: Tutorial Program
*January 28-29: Refereed presentations and invited talks
*January 28-29: Exhibition: FREE admission: 1.408.335.9445 or cynthia@usenix.org

Learn about the newest tools in tutorials, hear the latest solutions offered by researchers, and talk with some of the leading lights in the security community.

Speakers include:
*Bill Cheswick
*Carl Ellison
*Dan Geer
*Arjen Lenstra
*Alfred Menezes
*Clifford Neuman
*JoAnn Perry
*Marcus Ranum
*Jon Rochlis
*Avi Rubin
*Shabbir Safdar
*Bruce Schneier

Be sure to sign up early for your choice among the eight tutorials --they often fill up fast. Topics include:
*Java, NT, and Web Security
*Cryptography
*Certification
*How to Handle Incidents
*What Every Hacker Already Knows

From owner-firewalls-list Tue Nov 11 01:23:39 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id BAA15204; Tue, 11 Nov 1997 01:02:41 -0800 (PST) Received: from challenger.atc.fhda.edu (challenger.atc.fhda.edu [153.18.200.1]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id BAA15179 for ; Tue, 11 Nov 1997 01:02:26 -0800 (PST) Received: from localhost (manek@localhost) by challenger.atc.fhda.edu (8.8.0/8.7.3) with SMTP id BAA10207; Tue, 11 Nov 1997 01:03:37 -0800 (PST) Date: Tue, 11 Nov 1997 01:03:37 -0800 (PST) From: "Sameer R.
Manek" To: Michael Martinson cc: firewalls@GreatCircle.COM Subject: Re: What Linux version is best for Firewall? In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> I'm putting together the pieces and parts
> for a firewall. I've read that Red Hat is
> the best version of Linux for a stripped
> down proxy firewall. I'm just making sure
> that Red Hat is the version which most
> firewalls are on.

Basically any version of Linux is as good as any other; the only reason I've heard that Red Hat is better is the fact that the RPMs are signed. You can't take a Red Hat or Slackware install and call it a firewall, you need to harden it by removing everything you don't need.

IMHO the RPMs provide no more security, since Red Hat just ftps the same software, configures it and distributes it. All a signed RPM tells you is the software wasn't tampered with from the time they compiled it to the time you installed it. It realistically doesn't tell you if the source code was tampered with.

Personally I'd use Tripwire to build a database, store it on a CD, and use that method to detect compromise.
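The "build a database, keep it on read-only media, diff against it later" approach Sameer describes is the whole of what a Tripwire-style checker does, and the distinction he draws (a signature proves the package was not altered after it was built, a baseline proves the installed host was not altered after you checked it) is worth seeing in code. The following is an added example by the editor, not code from Sameer's message and not Tripwire's own code. It records a SHA-256 digest plus file type, mode, size, uid and gid for every file and symlink under the roots you name, writes the baseline as JSON (the operator copies that file to a CD or other read-only medium; where it is kept is assumed, not enforced here), and later reports added, removed and modified paths. mtime is deliberately not recorded because it is trivially forged; directories themselves are not recorded and symlinks are not followed.

```python
"""Tripwire-style file integrity baseline (added example, editor's code)."""
import hashlib
import json
import os
import stat
import sys
from typing import Dict, Iterable, List, Set, Tuple

Record = Dict[str, object]


def _sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _record(path: str) -> Record:
    """Attributes that must all be unchanged for a path to count as clean."""
    st = os.lstat(path)
    rec: Record = {
        "type": stat.S_IFMT(st.st_mode),
        "mode": stat.S_IMODE(st.st_mode),   # a freshly set setuid bit shows up here
        "size": st.st_size,
        "uid": st.st_uid,
        "gid": st.st_gid,
    }
    if stat.S_ISREG(st.st_mode):
        rec["sha256"] = _sha256(path)
    elif stat.S_ISLNK(st.st_mode):
        rec["target"] = os.readlink(path)   # a re-pointed symlink is a change too
    return rec


def build_baseline(roots: Iterable[str]) -> Dict[str, Record]:
    """Walk each root (symlinks not followed); directories are not recorded."""
    baseline: Dict[str, Record] = {}
    for root in roots:
        for dirpath, dirnames, filenames in os.walk(root):
            dirnames.sort()
            for name in sorted(filenames):
                path = os.path.join(dirpath, name)
                baseline[path] = _record(path)
    return baseline


def save_baseline(baseline: Dict[str, Record], out_path: str) -> None:
    with open(out_path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(in_path: str) -> Dict[str, Record]:
    with open(in_path) as f:
        return json.load(f)


def compare(baseline: Dict[str, Record],
            roots: Iterable[str]) -> Tuple[Set[str], Set[str], Dict[str, List[str]]]:
    """Return (added, removed, modified); modified maps path -> differing attributes."""
    current = build_baseline(roots)
    added = set(current) - set(baseline)
    removed = set(baseline) - set(current)
    modified: Dict[str, List[str]] = {}
    for path in set(current) & set(baseline):
        keys = set(current[path]) | set(baseline[path])
        diffs = sorted(k for k in keys if current[path].get(k) != baseline[path].get(k))
        if diffs:
            modified[path] = diffs
    return added, removed, modified


def main(argv: List[str]) -> int:
    """usage: integrity.py init BASELINE ROOT...  |  integrity.py check BASELINE ROOT..."""
    if len(argv) < 4 or argv[1] not in ("init", "check"):
        print(main.__doc__, file=sys.stderr)
        return 2
    if argv[1] == "init":
        save_baseline(build_baseline(argv[3:]), argv[2])
        return 0
    added, removed, modified = compare(load_baseline(argv[2]), argv[3:])
    for p in sorted(added):
        print("added    ", p)
    for p in sorted(removed):
        print("removed  ", p)
    for p in sorted(modified):
        print("modified ", p, ",".join(modified[p]))
    return 1 if (added or removed or modified) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run `integrity.py init /mnt/cdrom/baseline.json /bin /sbin /etc /lib` once the host is hardened, then `integrity.py check /mnt/cdrom/baseline.json /bin /sbin /etc /lib` from cron or by hand; a non-zero exit means something differs. The checker and the Python interpreter it runs under are themselves on the host, so a careful intruder can tamper with them; running the check from a boot floppy or CD, as Sameer's CD suggestion implies,  closes that gap.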
Sameer Manek

From owner-firewalls-list Tue Nov 11 03:36:19 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id DAA26853; Tue, 11 Nov 1997 03:05:15 -0800 (PST) Received: from nebula.online.ee (nebula.online.ee [194.106.96.11]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id DAA26819 for ; Tue, 11 Nov 1997 03:04:57 -0800 (PST) Received: from localhost (jk@localhost) by nebula.online.ee (8.8.7/8.8.3) with SMTP id NAA06997; Tue, 11 Nov 1997 13:05:56 +0200 (EET) Date: Tue, 11 Nov 1997 13:05:55 +0200 (EET) From: Jyri Kaljundi X-Sender: jk@nebula To: Firewalls@GreatCircle.COM cc: Patrick Larkin Jr Subject: Re: Summary on Java Sanity Check In-Reply-To: <199711102207.OAA09960@honor.greatcircle.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Patrick Larkin Jr wrote:

> * So what are these business related sites that insist you must use
> JAVA ? Have yet to get an answer to that one.

Until now I personally have denied Java/JavaScript/ActiveX on every firewall I have installed where it could be done. And the main reason has been that the users will not miss anything, because mostly Java is used just for entertainment and not serious apps.

But now we have an example of a financial stock information service, with real-time stock quotes etc. Like all the users have said, it is a useful and valuable tool for their business use (mostly banks, investment firms etc., which usually have strict security rules and policies). And all the graphs and tickers there are implemented in Java, so this is a hard question now, what to do about it on the firewalls. We understand both sides: Java opens up great functionality changes, you can not do this without it; on the other side I would not really want to let it through any firewall I manage.
Signed applets are probably the only way to secure this (which means you must trust the applet author and the certifier), but do any firewalls offer letting through only applets signed by certain CAs?

The Baltic Investor page is at http://bnsnews.bns.ee/investor/ if anyone cares to have a look at it.

P.S. The new Pentium bug, could this be implemented in Java or ActiveX :)

Jyri Kaljundi
jk@stallion.ee
AS Stallion Ltd
http://www.stallion.ee/

From owner-firewalls-list Tue Nov 11 04:36:22 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id EAA07114; Tue, 11 Nov 1997 04:17:33 -0800 (PST) Received: from hotmail.com (F3.hotmail.com [207.82.250.14]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id EAA07069 for ; Tue, 11 Nov 1997 04:17:20 -0800 (PST) Received: (qmail 18778 invoked by uid 0); 11 Nov 1997 12:18:35 -0000 Message-ID: <19971111121835.18777.qmail@hotmail.com> Received: from 152.102.151.68 by www.hotmail.com with HTTP; Tue, 11 Nov 1997 04:18:35 PST X-Originating-IP: [152.102.151.68] From: "Desmond Teh" To: firewalls@greatcircle.com Subject: HTTP transparent proxy Content-Type: text/plain Date: Tue, 11 Nov 1997 04:18:35 PST Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi,

Does anyone know of any products that can do transparent HTTP proxying? For example, something that sits between the users and the Internet and is able to represent a browser accessing the web without any changes needing to be made on the client side: no configuration on the client for a proxy server, SOCKS etc., like the current proxy servers (Microsoft Proxy Server, Netscape Proxy Server etc.) have to do.
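What Desmond is asking for, a proxy the browser does not know about, changes one thing at the protocol level: a configured proxy receives proxy-form requests ("GET http://host/path HTTP/1.0"), whereas a transparent proxy receives the browser's origin-form request ("GET /path HTTP/1.0") and must work out the destination itself. The following is an added example by the editor, not any product's code and not from Desmond's message. It assumes the kernel has diverted the client's TCP connection to the proxy (on the Linux of the day an ipfwadm/ipchains REDIRECT rule; that rule is assumed and not shown) and that the proxy can learn the connection's original destination address and port from the kernel (passed in here as `original_dst`; None if unavailable). It also takes an optional name resolver, used to check that a Host header really points at the redirected destination, since otherwise any client behind the redirect could use the proxy as a relay to hosts the rule never covered. Destination precedence is: absolute URI in the request line, then Host header, then original destination; an HTTP/1.0 request with no Host header on a kernel that cannot report the original destination is refused because there is nothing to route it by.

```python
"""Request routing for a transparent HTTP proxy (added example, editor's code)."""
import re
from typing import Callable, List, Optional, Tuple

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)$")
Header = Tuple[bytes, bytes]
Resolver = Callable[[str], str]   # hostname -> dotted-quad, e.g. socket.gethostbyname


class BadRequest(Exception):
    """The proxy refuses to forward this request."""


def parse_request(raw: bytes):
    """Split an HTTP request into (method, target, version, headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise BadRequest("incomplete request head")
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise BadRequest("malformed request line")
    headers: List[Header] = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            raise BadRequest("malformed header line")
        headers.append((name.strip(), value.strip()))
    return m.group(1), m.group(2), (int(m.group(3)), int(m.group(4))), headers, body


def split_hostport(authority: bytes, default_port: int = 80) -> Tuple[str, int]:
    """'host[:port]' -> (host, port). IPv6 literals are out of scope here."""
    host, colon, port = authority.partition(b":")
    if not host or (colon and not port.isdigit()):
        raise BadRequest("bad host:port")
    try:
        name = host.decode("ascii")
    except UnicodeDecodeError:
        raise BadRequest("non-ASCII host") from None
    return name, (int(port) if colon else default_port)


def route_request(raw: bytes,
                  original_dst: Optional[Tuple[str, int]] = None,
                  resolver: Optional[Resolver] = None) -> Tuple[str, int, bytes]:
    """Pick the origin server for a redirected request; return (host, port, rewritten request)."""
    method, target, version, headers, body = parse_request(raw)
    host_hdr = next((v for n, v in headers if n.lower() == b"host"), None)
    client_named_host = True

    if target.lower().startswith(b"http://"):
        # Proxy-form request: the client was configured for a proxy after all.
        authority, _, rest = target[len(b"http://"):].partition(b"/")
        host, port = split_hostport(authority)
        path = b"/" + rest
    elif target.startswith(b"/"):
        path = target
        if host_hdr is not None:
            host, port = split_hostport(host_hdr)
        elif original_dst is not None:
            host, port = original_dst          # only the kernel knows where this was going
            client_named_host = False
        else:
            raise BadRequest("no Host header and no original destination")
    else:
        raise BadRequest("unsupported request target")

    # A client-supplied name must agree with where the redirected connection was
    # actually headed, or the proxy becomes an open relay behind the redirect rule.
    if original_dst is not None and client_named_host:
        if port != original_dst[1]:
            raise BadRequest("port differs from the redirected connection")
        if resolver is not None and resolver(host) != original_dst[0]:
            raise BadRequest("Host does not resolve to the redirected destination")

    # Proxy-Connection is a proxy-only header; an origin server should not see it.
    out = [(n, v) for n, v in headers if n.lower() != b"proxy-connection"]
    if host_hdr is None:
        out.append((b"Host", host.encode() + (b":%d" % port if port != 80 else b"")))
    line = b"%s %s HTTP/%d.%d" % (method, path, version[0], version[1])
    head = b"\r\n".join([line] + [n + b": " + v for n, v in out])
    return host, port, head + b"\r\n\r\n" + body
```

The rewritten request is what the proxy then sends to `host:port` over its own outbound connection; the client never sees a difference. The resolver check is the piece most transparent setups forget: without it a Host header of an internal name turns the proxy into a route to the inside, because the redirect rule matched on the destination port, not on the name.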
Best Regards Desmond ______________________________________________________ Get Your Private, Free Email at http://www.hotmail.com

From owner-firewalls-list Tue Nov 11 04:51:11 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA23029; Tue, 11 Nov 1997 02:21:13 -0800 (PST) Received: from vogon.de.deuba.com (vogon.de.deuba.com [194.175.189.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id CAA22964 for ; Tue, 11 Nov 1997 02:20:13 -0800 (PST) Received: by vogon.de.deuba.com id AA61146; Tue, 11 Nov 1997 11:19:59 +0100 Received: vogon.de.deuba.com via smap (V2.0) id xma078030; Tue, 11 Nov 97 11:19:31 +0100 Received: by smap.mail.deuba.com id LAA09670; Tue, 11 Nov 1997 11:19:04 +0100 Received: proxy2.esb.eur.deuba.com via smap (V2.0) id xma024232; Tue, 11 Nov 97 11:19:00 +0100 Received: from localhost.deuba.com by marvin.ose.eur.deuba.com id LAA06904; Tue, 11 Nov 1997 11:20:42 +0100 Received: (from marc@localhost) by localhost.deuba.com (8.8.7/8.8.5) id LAA20341; Tue, 11 Nov 1997 11:20:17 +0100 From: Marc Heuse Message-Id: <199711111020.LAA20341@localhost.deuba.com> Subject: strip-down filelist To: linux-security@redhat.com Date: Tue, 11 Nov 1997 11:20:16 +0100 (CET) Cc: firewalls@greatcircle.com X-Mailer: ELM [version 2.4ME+ PL32 (25)] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi Folks,

When installing a Linux system for a proxy/firewall/gateway/router/victim purpose you have to strip it down to make the security on the host as tight as possible. Removing compilers, suid/sgid files, mounting readonly etc. etc. In other words, stuff that you do again and again.

One approach is to delete everything you know you don't need.

The other and better approach is just to make a list of all files you really need and remove all the rest.

Is there anyone who has done that for a system? (not especially Linux ...
*BSD, Solaris, HP, AIX etc. are interesting too.) I think such a discussion could improve security on our bastion hosts.

Comments, lists etc. welcome.

Mit freundlichen Gruessen, Marc Heuse

This message and any statements expressed therein are those of myself and not of the Deutsche Bank AG or its subsidiary companies.

Type Bits/KeyID Date User ID pub 2048/DB5C03C5 1997/09/23 Marc Heuse
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3i

mQENAzQnbFEAAAEIAL/tj4hn/DVjEWAZhuqRdxZQDy5B+gZbE0CD/mUnZqpem+9L
KY+I8te7jMfTQExzqn5jYb5BaibT0SbEBWSx9Gha8EiBLAVcAjvrXpV+HJLcnPRG
YDk5a3s7GrA+QVHbbd9DWgqjMfUMw9oUDAhhjgK20SeOtFGBD2U17GkQF6TK7EjC
CTOuz2Hx/tisDuroJJnxZdbLNvCceOf/D/bbFcR7DfnEJWJ3f9JC4fibZMlX5rXL
Ct/TKhZMd4d42uL7L4KvkT5JCnFuEw1jRDPpBjZ030cK2uWCM//iEVLGmGKOs6Pg
o3Lfnnd6I6bTPHgrNsapNWmocbIGDC/4w9tcA8UABRG0Jk1hcmMgSGV1c2UgPG1h
cmMuaGV1c2VAbWFpbC5kZXViYS5jb20+iQEVAwUQNCdsUQwv+MPbXAPFAQFWEwf5
AWt6PbKLLCCBPnzBMdXatKEJvNzrZRXNSpbgKQUDAKApRUnOkDJ9yp3tfJG0/BsL
XBf+ldmjjoo/OZeWhIhNb71bbCs8BK7/YK5LKef2eq4pzSiWYosrOfjlfyOVhAiP
AiWYtK/HBELy6Zs8QwoPX0QX0+R2+ocMS0TDz7nwBgO5wcj3yMU0geTrnlDpJdj1
RgFQLE6T9qO5coRjj1EAoT5gQMxP9L4TQuifYiQ6S2vh6blr3amjPohKSDzZ62/x
rQ1KMXJd7MlMQndn8UwKt4XgoFIsZOFRrkDiXfm6zFnH40UcotoA+Ygojp52+Y6A
MuixTDbuf3Jph2jEG6r4Dw==
=/n63
-----END PGP PUBLIC KEY BLOCK-----

From owner-firewalls-list Tue Nov 11 05:06:21 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA25465; Tue, 11 Nov 1997 02:54:35 -0800 (PST) Received: from alpha.netvision.net.il (alpha.NetVision.net.il [194.90.1.13]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id CAA25439 for ; Tue, 11 Nov 1997 02:54:25 -0800 (PST) Received: from station-1 (ts048p6.pop3b.netvision.net.il [199.203.203.116]) by alpha.netvision.net.il (8.8.6/8.8.6) with SMTP id NAA05584 for ; Tue, 11 Nov 1997 13:01:09 +0200 (IST) From: "Itai Dor-on" To: Subject: MSPROXY2 + PPTP Date: Tue, 11 Nov 1997 10:49:30 +0200 Message-ID:
<01bcee7e$b9ba5e20$03a8a8c0@station-1.dor-on.co.il> MIME-Version: 1.0 Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=SHA-1; boundary="----=_NextPart_000_0061_01BCEE8F.7D0317E0" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.71.1712.3 X-MimeOLE: Produced By Microsoft MimeOLE V4.71.1712.3 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

This is a multi-part message in MIME format.
------=_NextPart_000_0061_01BCEE8F.7D0317E0
Content-Type: text/plain; charset="iso-8859-8"
Content-Transfer-Encoding: 7bit

Does anyone have experience using PROXY2 + RRAS to establish a VPN between two networks?

Tnx
Itai Dor-on

------=_NextPart_000_0061_01BCEE8F.7D0317E0
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"

[base64-encoded S/MIME signature attachment omitted]

------=_NextPart_000_0061_01BCEE8F.7D0317E0--

From owner-firewalls-list Tue Nov 11 05:21:01 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA14276; Tue, 11 Nov 1997 05:10:43 -0800 (PST) Received: from transfer.usit.net (transfer.usit.net [208.10.171.67]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id FAA14257 for ; Tue, 11 Nov 1997 05:10:35 -0800 (PST) Received: from dqisystems.com ([199.1.59.2]) by transfer.usit.net (8.8.7/8.8.5) with ESMTP id IAA05687; Tue, 11 Nov 1997 08:11:42 -0500 (EST) Received: from gcollins.dqisystems.com ([172.16.128.100]) by dqisystems.com (8.8.5/8.6.12) with SMTP id IAA16141; Tue, 11 Nov 1997 08:06:03 -0500 Reply-To: "Greg Collins" From: "Greg Collins" To: , Subject: Re: support for NetMeeting Date: Tue, 11 Nov 1997 08:04:20 -0500 Message-ID: <01bceea2$535c45c0$648010ac@gcollins.dqisystems.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.71.1712.3 X-MimeOLE: Produced By Microsoft MimeOLE V4.71.1712.3 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Netmeeting uses UDP for the audio and video, therefore your firewall must pass/proxy UDP in order for NetMeeting to work properly.
If you only want text chat and apps sharing you should be able to run that through a proxy firewall (using TCP). I am running a GlobeServer firewall and have been able to run the TCP portion of NetMeeting with no problems. Greg Collins Data Quest Information Systems voice -423-588-4757 fax - 423-945-3846 gcollins@dqisystems.com "I have but one thing which cannot be taken from me, and that is my integrity. It I must give up of my own will." -----Original Message----- From: Ted Serreyn To: firewalls@GreatCircle.COM Date: Tuesday, November 11, 1997 6:17 AM Subject: support for NetMeeting >Checkpoint firewall-1 does not seem to support Netmeeting with NAT. Based on >this, what products are out there that can proxy Microsoft Netmeeting? > >Any ideas? My understanding is that Raptor will support NetMeeting? Is this >true? Any others support it with or without NAT? > >NAT == Network Address Translation. > >Ted Serreyn >Allied Computer Group > >-- >|Ted Serreyn tserreyn@pop.globaldialog.com| > > From owner-firewalls-list Tue Nov 11 05:37:21 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id DAA26585; Tue, 11 Nov 1997 03:02:58 -0800 (PST) Received: from alpha.netvision.net.il (alpha.NetVision.net.il [194.90.1.13]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id DAA26429 for ; Tue, 11 Nov 1997 03:02:16 -0800 (PST) Received: from station-1 (ts048p6.pop3b.netvision.net.il [199.203.203.116]) by alpha.netvision.net.il (8.8.6/8.8.6) with SMTP id NAA31688 for ; Tue, 11 Nov 1997 13:08:59 +0200 (IST) From: "Itai Dor-on" To: Subject: Checkpoint CCSE certification Date: Tue, 11 Nov 1997 10:57:21 +0200 Message-ID: <01bcee7f$d2383ed0$03a8a8c0@station-1.dor-on.co.il> MIME-Version: 1.0 Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=SHA-1; boundary="----=_NextPart_000_006A_01BCEE90.95B7E710" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.71.1712.3 X-MimeOLE: Produced By 
Microsoft MimeOLE V4.71.1712.3 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

This is a multi-part message in MIME format.
------=_NextPart_000_006A_01BCEE90.95B7E710
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

I started the checkpoint CCSA/CCSE course yesterday. After I saw that the material consists of only basic PowerPoint presentations I ran away. Did anyone else experience this disdainful approach to what is considered a serious, highly technical subject?

Cheers,
Itai

------=_NextPart_000_006A_01BCEE90.95B7E710
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"

[base64-encoded S/MIME signature attachment omitted]

------=_NextPart_000_006A_01BCEE90.95B7E710--

From owner-firewalls-list Tue Nov 11 06:06:34 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA23039; Tue, 11 Nov 1997 05:53:51 -0800 (PST) Received: from bbnplanet.com (mail.bbnplanet.com [198.114.157.21]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id FAA22985 for ; Tue, 11 Nov 1997 05:53:35 -0800 (PST) Received: from pasilla.bbnplanet.com by mail.bbnplanet.com id aa02563; 11 Nov 97 8:54 EST Received: by pasilla.bbnplanet.com (SMI-8.6/SMI-4.1) id IAA15493; Tue, 11 Nov 1997 08:54:42 -0500 Message-Id: <199711111354.IAA15493@pasilla.bbnplanet.com> Subject: Re: strip-down filelist To: Marc Heuse Date: Tue, 11 Nov 1997 08:54:42 -0500 (EST) From: Ed Forbes Cc: linux-security@redhat.com, firewalls@greatcircle.com In-Reply-To: <199711111020.LAA20341@localhost.deuba.com> from "Marc Heuse" at Nov 11, 97 11:20:16 am X-Mailer: ELM [version 2.4 PL25] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi Marc,

> When installing a Linux system for a proxy/firewall/gateway/router/victim
> purpose you have to strip it down to make the security on the host as tight
> as possible. Removing compilers, suid/sgid files, mounting readonly etc. etc.
> In other words, stuff that you do again and again.
>
> One approach is to delete everything you know you don't need.
>
> The other and better approach is just to make a list of all files you really
> need and removing all the rest.

Maybe I missed a subtle point, but what exactly is the difference between these two approaches? The first approach is to delete everything you don't need and the second approach is to make a list and then delete everything you don't need. The only difference seems to be the list itself, which would seem to be implied in approach number 1 (hence how would you know what you don't need).

Thanks,
Ed

From owner-firewalls-list Tue Nov 11 07:08:12 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA07648; Tue, 11 Nov 1997 07:02:05 -0800 (PST) Received: from relay.convey.ru (relay.convey.ru [195.182.128.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id HAA07592 for ; Tue, 11 Nov 1997 07:01:46 -0800 (PST) Received: (from ark@localhost) by relay.convey.ru (8.8.5/8.7.3) id SAA29819; Tue, 11 Nov 1997 18:02:39 +0300 (MSK) From: "Alex A. Smirnoff" Message-Id: <199711111502.SAA29819@relay.convey.ru> Subject: Re: Sonic Interpol To: denis@sonicsys.com (Denis Lesak) Date: Tue, 11 Nov 1997 18:02:39 +0300 (MSK) Cc: firewalls@GreatCircle.COM In-Reply-To: from "Denis Lesak" at Nov 6, 97 02:53:13 pm Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

nuqneH,

> We are a new firewall vendor that is offering the industry's first full
> featured Internet Security Appliance for $1999. The Interpol features:

I can't call the thing that thinks "Internet is Web" and lacks *any* protocol support except HTTP (and does even that badly enough to be unaware of Java/A-X/etc.) "full-featured".

> Any questions? Please review www.sonicsys.com

been there, seen demo..
> ____________________________________________________________________
> Denis Lesak denis@sonicsys.com
> Regional Sales Manager 408.736.1900 ext 106
> 575 N Pastoria Ave 408.736.7228 fax
> Sunnyvale, CA 94086 Web: http://www.sonicsys.com
>
> Do you want Plug N Play firewall protection for under $2,000?

Then get a FreeBSD, ask someone to plug it and Play.

From owner-firewalls-list Tue Nov 11 07:21:39 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA07621; Tue, 11 Nov 1997 07:01:54 -0800 (PST) Received: from dns1.tc.net (dns1.tc.net [208.205.78.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id HAA07576 for ; Tue, 11 Nov 1997 07:01:38 -0800 (PST) Received: from UNKNOWN [208.205.78.200] by dns1.tc.net for id KAA00877; Tue Nov 11 10:02:28 1997 Received: (from doug@localhost) by ono.tc.net (8.7.6/8.7.3) id KAA27057; Tue, 11 Nov 1997 10:02:27 -0500 Subject: Re: Summary on Java Sanity Check References: Date: 11 Nov 1997 10:02:26 -0500 In-Reply-To: Jyri Kaljundi's message of "Tue, 11 Nov 1997 13:05:55 +0200 (EET)" Message-ID: Lines: 15 X-Mailer: Gnus v5.4.65/XEmacs 20.2 To: Firewalls@GreatCircle.COM From: Douglas McNaught Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Jyri Kaljundi writes:
> P.S. The new Pentium bug, could this be implemented in Java or ActiveX :)

ActiveX: Absolutely. It's probably been done by now.

Java: I don't think so--the whole thing is designed not to let you download and run arbitrary binaries. Barring a big undiscovered security hole, I think Java is safe from this one.
-Doug -- sub g{my$i=index$t,$_[0];($i%5,int$i/5)}sub h{substr$t,5*$_[1]+$_[0],1}sub n{( $_[0]+4)%5}$t='encryptabdfghjklmoqsuvwxz';$c='fxmdwbcmagnyubnyquohyhny';while( $c=~s/(.)(.)//){($w,$x)=g$1;($y,$z)=g$2;$w==$y&&($p.=h($w,n$x).h($y,n$z))or$x== $z&&($p.=h(n$w,$x).h(n$y,$z))or($p.=h($y,$x).h($w,$z))}$p=~y/x/ /;print$p,"\n"; From owner-firewalls-list Tue Nov 11 07:36:35 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA09072; Tue, 11 Nov 1997 07:11:41 -0800 (PST) Received: from delta.ece.nwu.edu (delta.ece.nwu.edu [129.105.5.103]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id HAA09054 for ; Tue, 11 Nov 1997 07:11:34 -0800 (PST) Received: (from bonomi@localhost) by delta.ece.nwu.edu (8.8.5/8.8.3) id JAA17258; Tue, 11 Nov 1997 09:11:25 -0600 (CST) Date: Tue, 11 Nov 1997 09:11:25 -0600 (CST) From: Robert Bonomi Message-Id: <199711111511.JAA17258@delta.ece.nwu.edu> To: Marc.Heuse@mail.deuba.com, ejf@bbnplanet.com Subject: Re: strip-down filelist Cc: firewalls@GreatCircle.COM, linux-security@redhat.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk + Date: Tue, 11 Nov 1997 08:54:42 -0500 (EST) + From: Ed Forbes + Cc: linux-security@redhat.com, firewalls@GreatCircle.COM + Sender: firewalls-owner@GreatCircle.COM + + Hi Marc, + + > When installing a Linux system for a proxy/firwall/gateway/router/victim + > purpose you have to strip it down to make the security on the host as tight + > as possible. Removing compilers, suid/sgid files, mounting readonly etc. etc. + > In other words, stuff that you do again and again. + > + > One approach is to delete everything you know you don't need. + > + > The other and better approach is just to make a list of all files you really + > need and removing all the rest. + + Maybe I missed a subtle point, but what exactly is the difference between + these two approaches. 
The first approach is to delete everything you + don't need and the second approach is to make a list and then delete + everything you don't need. The only difference seems to be the list + itself which would seem to be implied in approach number 1 (hence how + would you know what you don't need). + + Thanks, + Ed + "In theory, there is no difference between theory and practice, However, in actual practice, there _is_ a difference." The concept applies here as well. One tends to end up with _three_ lists -- "these I know I need, and thus have to keep", "_these_ I know I -don't- need, and know I can delete safely", and "*THESE* I'm *not*sure* about". Handling of this third group *IS* the difference between the two approaches. Approach #1 _leaves_ them on the machine, Approach #2 *removes* them. Machines 'sanitized' using approach #2 tend to break in unexpected ways, at unexpected times -- whereupon you have to find that item (or items) on list #3 that _should_ have been on list #1. From owner-firewalls-list Tue Nov 11 07:48:27 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA06912; Tue, 11 Nov 1997 06:58:16 -0800 (PST) Received: from vogon.de.deuba.com (vogon.de.deuba.com [194.175.189.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id GAA06867 for ; Tue, 11 Nov 1997 06:58:01 -0800 (PST) Received: by vogon.de.deuba.com id AA61080; Tue, 11 Nov 1997 15:57:48 +0100 Received: vogon.de.deuba.com via smap (V2.0) id xma063630; Tue, 11 Nov 97 15:57:32 +0100 Received: by smap.mail.deuba.com id PAA13686; Tue, 11 Nov 1997 15:57:07 +0100 Received: proxy2.esb.eur.deuba.com via smap (V2.0) id xma047950; Tue, 11 Nov 97 15:56:39 +0100 Received: from localhost.deuba.com by marvin.ose.eur.deuba.com id PAA31238; Tue, 11 Nov 1997 15:58:21 +0100 Received: (from marc@localhost) by localhost.deuba.com (8.8.7/8.8.5) id PAA24266; Tue, 11 Nov 1997 15:57:52 +0100 From: Marc Heuse Message-Id: 
<199711111457.PAA24266@localhost.deuba.com> Subject: Re: strip-down filelist To: ejf@bbnplanet.com Date: Tue, 11 Nov 1997 15:57:51 +0100 (CET) Cc: linux-security@redhat.com, firewalls@greatcircle.com Reply-To: marc.heuse@mail.DeuBa.COM X-Mailer: ELM [version 2.4ME+ PL32 (25)] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi,

> > One approach is to delete everything you know you don't need.
> > The other and better approach is just to make a list of all files you
> > really need and removing all the rest.
> Maybe I missed a subtle point, but what exactly is the difference between
> these two approaches. The first approach is to delete everything you
> don't need and the second approach is to make a list and then delete
> everything you don't need. The only difference seems to be the list
> itself which would seem to be implied in approach number 1 (hence how
> would you know what you don't need).

Okay, what's the difference? Easy, let's make an example. Let's say you've always used redhat version 1.0 and used the "I_know_what_I_dont_need_so_delete_that_stuff.sh" to wipe away all the useless crap you didn't need for your favorite firewall implementation.

Now redhat v2.0 emerges, with bug fixes, replaced programs etc. etc. If you now run your "I_know_what etc.sh" script, you'll miss stuff which was a) introduced as new programs/libraries/modules in the new version, and b) if something is missing from the new release, your "I_know etc.sh" script won't know that. It just knows what it can delete without problems.

With the other approach you a) erase all that new evil suid stuff you didn't know about (yet), and b) you can print an error if a file in the list is not found on the system.

In other words, there is the possibility of missing critical files in the 1st approach.
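The keep-list strip-down Marc describes, with Bonomi's "third list" handled by quarantining instead of deleting, as an added example; this is not code from the thread or from any of its authors. A list of required paths is compared against everything on disk: a required path that is absent produces the error Marc wants printed, and every surplus file is moved into a quarantine directory rather than removed, so a bastion that later "breaks in an unexpected way" is repaired by moving one file back. The keep-list format (one path per line relative to the root, `#` comments), the quarantine directory, and the assumption that paths contain no whitespace are mine, not the thread's.

```shell
#!/bin/sh
# Added example, not code from the thread: "list what you need, remove the
# rest" for a bastion host, with surplus files quarantined instead of
# deleted so an unexpected breakage is fixed by moving one file back.
#
# Assumptions (illustration only): KEEPLIST holds one path per line,
# relative to ROOT, with '#' comment lines; paths contain no whitespace.

# list_setuid ROOT
# Print every setuid/setgid regular file under ROOT, relative to ROOT,
# sorted. Run it before and after stripping: a file on the keep list may
# still carry a suid bit it does not need.
list_setuid() {
    ( cd "$1" && find . -type f \( -perm -4000 -o -perm -2000 \) \
        | sed 's|^\./||' | sort )
}

# strip_check ROOT KEEPLIST QUARANTINE
# For each keep-list entry absent from ROOT print "MISSING <path>" (the
# error Marc wants when a new release drops or renames a file). For each
# file under ROOT that is not on the list print "EXTRA <path>" and move it
# into QUARANTINE with its directory structure preserved.
# Returns 1 if anything was missing, 0 otherwise.
strip_check() {
    root=$1; keep=$2; quar=$3
    mkdir -p "$quar"
    tmpk=$(mktemp); tmpf=$(mktemp)
    # normalised keep list: drop comments and blank lines, sort for comm(1)
    grep -v '^#' "$keep" | grep -v '^$' | sort -u > "$tmpk"
    # every regular file currently on the system, in the same relative form
    ( cd "$root" && find . -type f | sed 's|^\./||' | sort ) > "$tmpf"
    status=0
    # lines only in the keep list: required but not present
    for p in $(comm -23 "$tmpk" "$tmpf"); do
        echo "MISSING $p"
        status=1
    done
    # lines only in the filesystem listing: present but not required
    for p in $(comm -13 "$tmpk" "$tmpf"); do
        echo "EXTRA $p"
        mkdir -p "$quar/$(dirname "$p")"
        mv "$root/$p" "$quar/$p"
    done
    rm -f "$tmpk" "$tmpf"
    return $status
}

# Usage (paths are assumptions):
#   . ./strip.sh
#   list_setuid /
#   strip_check / /etc/bastion.keep /var/quarantine
```

The keep list answers "is this file needed?", not "does it need its suid bit?", which is why `list_setuid` is separate: a kept binary can still be `chmod u-s`'d. Once a host has run for a while with nothing pulled back out of quarantine, the quarantine directory can go, and the keep list is exactly the per-platform file Marc was asking people to share.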
Mit freundlichen Gruessen, Marc Heuse This message and any statements expressed therein are those of myself and not of the Deutsche Bank AG or its subsidiary companies. Type Bits/KeyID Date User ID pub 2048/DB5C03C5 1997/09/23 Marc Heuse -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.3i mQENAzQnbFEAAAEIAL/tj4hn/DVjEWAZhuqRdxZQDy5B+gZbE0CD/mUnZqpem+9L KY+I8te7jMfTQExzqn5jYb5BaibT0SbEBWSx9Gha8EiBLAVcAjvrXpV+HJLcnPRG YDk5a3s7GrA+QVHbbd9DWgqjMfUMw9oUDAhhjgK20SeOtFGBD2U17GkQF6TK7EjC CTOuz2Hx/tisDuroJJnxZdbLNvCceOf/D/bbFcR7DfnEJWJ3f9JC4fibZMlX5rXL Ct/TKhZMd4d42uL7L4KvkT5JCnFuEw1jRDPpBjZ030cK2uWCM//iEVLGmGKOs6Pg o3Lfnnd6I6bTPHgrNsapNWmocbIGDC/4w9tcA8UABRG0Jk1hcmMgSGV1c2UgPG1h cmMuaGV1c2VAbWFpbC5kZXViYS5jb20+iQEVAwUQNCdsUQwv+MPbXAPFAQFWEwf5 AWt6PbKLLCCBPnzBMdXatKEJvNzrZRXNSpbgKQUDAKApRUnOkDJ9yp3tfJG0/BsL XBf+ldmjjoo/OZeWhIhNb71bbCs8BK7/YK5LKef2eq4pzSiWYosrOfjlfyOVhAiP AiWYtK/HBELy6Zs8QwoPX0QX0+R2+ocMS0TDz7nwBgO5wcj3yMU0geTrnlDpJdj1 RgFQLE6T9qO5coRjj1EAoT5gQMxP9L4TQuifYiQ6S2vh6blr3amjPohKSDzZ62/x rQ1KMXJd7MlMQndn8UwKt4XgoFIsZOFRrkDiXfm6zFnH40UcotoA+Ygojp52+Y6A MuixTDbuf3Jph2jEG6r4Dw== =/n63 -----END PGP PUBLIC KEY BLOCK----- From owner-firewalls-list Tue Nov 11 07:51:13 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA14074; Tue, 11 Nov 1997 07:37:30 -0800 (PST) Received: from cardinal.almerco.ca (cardinal.almerco.ca [206.186.171.40]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id HAA13933 for ; Tue, 11 Nov 1997 07:37:00 -0800 (PST) Received: from blackbird (buse.almerco.ca [206.186.171.2]) by cardinal.almerco.ca (8.8.5/8.8.5) with SMTP id KAA29920; Tue, 11 Nov 1997 10:49:54 -0500 Message-Id: <3.0.3.32.19971111103803.0097f2b0@mail.almerco.ca> X-Sender: biron@mail.almerco.ca X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Tue, 11 Nov 1997 10:38:03 -0500 To: Jyri Kaljundi From: Mario Biron Subject: Re: Summary on Java Sanity Check Cc: Firewalls@GreatCircle.COM In-Reply-To: References: 
<199711102207.OAA09960@honor.greatcircle.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>P.S. The new Pentium bug, could this be implemented in Java or ActiveX :)

In Java, I don't know... it's interpreted so I'm not really sure (the sandbox should prevent any attempt to run proprietary code). But in ActiveX, sure as hell you could do it!

From owner-firewalls-list Tue Nov 11 08:21:53 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA16620; Tue, 11 Nov 1997 07:55:18 -0800 (PST) Received: from relay1.rcs.ru (relay1.rcs.ru [194.84.206.1]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id HAA16449 for ; Tue, 11 Nov 1997 07:53:49 -0800 (PST) Received: from old.wuppy.rcs.ru (gw-3266Cdx-4LL.wuppy.rcs.ru [194.84.206.196]) by relay1.rcs.ru (8.8.7/bwm) with SMTP id SAA05593 for ;Tue, 11 Nov 1997 18:55:10 +0300 (MSK) X-Rcpt-to: Received: from R49BS (R49BS [194.84.206.38]) by old.wuppy.rcs.ru (NTMail 3.02.13) with ESMTP id pa001783 for ; Tue, 11 Nov 1997 18:55:40 +0300 From: "Roman V. Palagin" To: Subject: Anonymous Proxy Access Date: Tue, 11 Nov 1997 18:55:37 +0300 Message-ID: <01bceeba$4095d420$26ce54c2@dhcp.wuppy.rcs.ru> MIME-Version: 1.0 Content-Type: text/plain; charset="koi8-r" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.71.1712.3 X-MimeOLE: Produced By Microsoft MimeOLE V4.71.1712.3 X-Info: Evaluation version at old.wuppy.rcs.ru Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi! I need to supply an anonymous Web-proxy service for several class C nets. Just after installing, the Proxy works OK, according to the MS Proxy docs (Password authentication in WWW service: Allow anonymous is checked, Basic Clear Text and Win NT CH/R are cleared). But, very strangely, the Proxy begins to ask for authentication after an indefinite time interval (2-12 hrs).
However, the Proxy cannot define the type of authentication and says simply "Access Denied", as Basic Clear Text and Win NT CH/R are disabled. This can be repaired only by a Proxy server restart. There are no error messages in the System Event Log or the Proxy's logs. MSIE on the client side just says: "requested header not found".

THE QUESTION IS: Does anyone have this problem? And how can it be solved?

Server Software: Windows NT server 4.0 + SP3 + All hot-fixes, IIS 3.0, MS Proxy Server 2.0 Eval
Client Software: MSIE 3.02 (russian), Netscape Navigator 3.01Gold (Win32/Unix)

Thanx for your support.
------------------------
Roman V. Palagin
Network Administrator

From owner-firewalls-list Tue Nov 11 09:36:45 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA01573; Tue, 11 Nov 1997 09:01:37 -0800 (PST) Received: from homer.facm.fit.edu (homer.facm.fit.edu [163.118.70.71]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id JAA01507 for ; Tue, 11 Nov 1997 09:01:21 -0800 (PST) From: ccurtis@facm.fit.edu Received: from localhost (ccurtis@localhost) by homer.facm.fit.edu (8.8.5/8.6.12) with SMTP id MAA00473 for ; Tue, 11 Nov 1997 12:22:42 -0500 Date: Tue, 11 Nov 1997 12:22:42 -0500 (EST) X-Sender: ccurtis@homer To: firewalls@greatcircle.com Subject: Archive/ICQ Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hello, A while ago there was some discussion about how to allow ICQ through a firewall. We have users who would like to use ICQ and have asked me to open the (simple PF) firewall for this use. I've looked through the Mirabilis site some but couldn't find any technical details (protocol, port) and was wondering what the resolution was. Could some kind soul point me to an archive of this list, or tell me the port/protocols used?
Thanks, Christopher From owner-firewalls-list Tue Nov 11 09:46:05 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA27947; Tue, 11 Nov 1997 08:47:27 -0800 (PST) Received: from netra2.cyberec.com (netra2.cyberec.com [202.60.252.9]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id IAA27756 for ; Tue, 11 Nov 1997 08:46:39 -0800 (PST) Received: from techie.com (max1-112.cyberec.com [202.60.252.112]) by netra2.cyberec.com (8.8.4/8.7.3) with ESMTP id AAA13328 for ; Wed, 12 Nov 1997 00:45:06 +0800 (HKT) Message-ID: <34688DEC.E262FD3A@techie.com> Date: Wed, 12 Nov 1997 00:55:09 +0800 From: Emmanuel Yiu Reply-To: e@techie.com Organization: Home of ICE X-Mailer: Mozilla 4.03 [en] (Win95; I) MIME-Version: 1.0 To: firewalls@GreatCircle.COM Subject: Re: What Linux version is best for Firewall? References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk May I know the your opinion on the CISA and CISSP certification in the information security field. It's appealing in the strong business sense merged with technical understanding. It sounds more compelling than spending your time on vendor run security training like the CCSE. 
Emmanuel From owner-firewalls-list Tue Nov 11 09:51:41 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA10476; Tue, 11 Nov 1997 09:39:34 -0800 (PST) Received: from send1b.yahoomail.com (send1b.yahoomail.com [205.180.60.23]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id JAA10455 for ; Tue, 11 Nov 1997 09:39:29 -0800 (PST) Message-ID: <19971111174036.20269.rocketmail@send1b.yahoomail.com> Received: from [207.95.110.95] by send1b; Tue, 11 Nov 1997 09:40:36 PST Date: Tue, 11 Nov 1997 09:40:36 -0800 (PST) From: Russell J Foster Subject: Re: MSPROXY2 + PPTP To: Itai Dor-on , firewalls@GreatCircle.COM MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Yes. It works quite well. ---Itai Dor-on wrote: > Does anyone have experience using PROXY2 + RRAS to establish a VPN > between two networks? == ----------------------------------------------------------- Russell J Foster, MCSE The Spectrum Group rjf312@yahoo.com Oak Brook, IL ----------------------------------------------------------- __________________________________________________________________ Sent by Yahoo! Mail. 
Get your free e-mail at http://mail.yahoo.com From owner-firewalls-list Tue Nov 11 10:51:43 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA15167; Tue, 11 Nov 1997 10:13:37 -0800 (PST) Received: from mail.diginsite.com (mail.diginsite.com [208.2.189.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id KAA15158 for ; Tue, 11 Nov 1997 10:13:31 -0800 (PST) Received: from march.diginsite.com (dlang@march.diginsite.com [208.2.189.102]) by mail.diginsite.com (8.8.8/8.8.6) with SMTP id KAA25416; Tue, 11 Nov 1997 10:08:28 -0800 Date: Tue, 11 Nov 1997 10:12:03 -0800 (PST) From: David Lang To: Desmond Teh cc: firewalls@GreatCircle.COM Subject: Re: HTTP transparent proxy In-Reply-To: <19971111121835.18777.qmail@hotmail.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk -----BEGIN PGP SIGNED MESSAGE----- Why is it that you are not willing to use the proxy config option that is part of every browser? It sounds as if you are making things much harder then they need to be. David Lang On Tue, 11 Nov 1997, Desmond Teh wrote: > Date: Tue, 11 Nov 1997 04:18:35 PST > From: Desmond Teh > To: firewalls@GreatCircle.COM > Subject: HTTP transparent proxy > > Hi, > > Does anyone know of any products that can do transparent http proxy. > Example, something that sit between users and the internet that able to > represent a browser to access to the web without any changes need to be > done on the client side. No configuration on client for proxy server, > socks etc like what the current proxy servers Microsoft Proxy Server, > Netscape Proxy server etc have to do. 
> > Best Regards > Desmond > > ______________________________________________________ > Get Your Private, Free Email at http://www.hotmail.com > -----BEGIN PGP SIGNATURE----- Version: PGP for Personal Privacy 5.0 Charset: noconv iQEVAwUBNGif9z7msCGEppcbAQEHbAf9Gv+keG24FLhd+OgAPRj59HEv1YZDiGtO d6c/8sbnD9Tv0O/r4cWTvsbBho8OqkMcYJHYSMB4GZyjs3pgxivWyRxp7hR0AjPz nsn5Tvuo3oC6oG7JUEmZicst8HgSbVrLubKXDGdvkD6GSo/i6wOmUaV/CBERncg3 928WpQJnulvV6zGvuz2Lk3sSzcO+rl4KMtRPEVe2iz20F/47iLDdFO8F7AXeKkFN LXuF/CCfUjJYFAtGZcVafeIXsU1XOu1PhJ8RCpAK3oUbBwX2wuTfbrDfdsK8s1EN 5tvB8vQpCog1EwOUhbjLuHV9JbvgISImv3J/e6x+ycmlcxHrYZmXOg== =mLTA -----END PGP SIGNATURE----- From owner-firewalls-list Tue Nov 11 13:06:26 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA09663; Tue, 11 Nov 1997 12:50:35 -0800 (PST) Received: from ereapp.erenj.com (ereapp.ERENJ.COM [159.70.31.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id MAA09646 for ; Tue, 11 Nov 1997 12:50:29 -0800 (PST) Received: (from smap@localhost) by ereapp.erenj.com (8.8.5/8.8.5) id QAA21569; Tue, 11 Nov 1997 16:51:39 -0400 Received: from eredns.erenj.com(159.70.1.252) by ereapp.erenj.com via smap (V2.0) id xma021564; Tue, 11 Nov 97 15:51:31 -0500 Received: from clmail.erenj.com (clmail.erenj.com [159.70.1.248]) by eredns.erenj.com (8.8.5/8.8.5) with ESMTP id QAA09749; Tue, 11 Nov 1997 16:51:25 -0400 Received: from tiger (tiger.ecsc.exxon.com [159.129.116.3]) by clmail.erenj.com (8.8.5/8.8.5) with SMTP id PAA09902; Tue, 11 Nov 1997 15:51:24 -0500 (EST) Message-ID: <3468C57C.FF6D5DF@erenj.com> Date: Tue, 11 Nov 1997 14:52:13 -0600 From: Andy Howard Organization: Exxon Computing Services Company X-Mailer: Mozilla 3.0Gold (X11; I; SunOS 4.1.4 sun4c) MIME-Version: 1.0 To: David Lang CC: Desmond Teh , firewalls@GreatCircle.COM Subject: Re: HTTP transparent proxy References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM 
Precedence: bulk Most vendor implementations of "transparent HTTP proxy" don't necessarily mean the absence of some sort of initial browser configuration work. The common use means that the user doesn't have to logon on to the proxy machine or get verified for each interaction with the Internet. I have not heard of any product being "transparent" as you describe. --------- > On Tue, 11 Nov 1997, Desmond Teh wrote: > > Hi, > > > > Does anyone know of any products that can do transparent http proxy. > > Example, something that sit between users and the internet that able to > > represent a browser to access to the web without any changes need to be > > done on the client side. No configuration on client for proxy server, > > socks etc like what the current proxy servers Microsoft Proxy Server, > > Netscape Proxy server etc have to do. > > > > Best Regards > > Desmond -- Andy Howard achowar@erenj.com -- the above comments are mine only-- From owner-firewalls-list Tue Nov 11 14:41:27 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA20906; Tue, 11 Nov 1997 14:26:32 -0800 (PST) Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-971021-1) id OAA20898 for firewalls@greatcircle.com; Tue, 11 Nov 1997 14:26:30 -0800 (PST) Received: from serv1.cyberaccess.fr ([195.132.13.234]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id HAA27504 for ; Mon, 10 Nov 1997 07:32:18 -0800 (PST) Received: from cyberaccess.fr ([195.132.13.195]) by serv1.cyberaccess.fr (Netscape Messaging Server 3.0) with ESMTP id AAA5244; Mon, 10 Nov 1997 16:31:28 +0100 Message-ID: <34672C32.1016BD74@cyberaccess.fr> Date: Mon, 10 Nov 1997 16:45:54 +0100 From: "Christian ALT" X-Mailer: Mozilla 4.03 [en] (WinNT; I) MIME-Version: 1.0 To: "firewalls@greatcircle.com" Subject: bugtraq how to join Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I'm sorry to bother 
the mailing list to ask, how to join bugtraq. I have tried several ways found in relativ documentation as well as many altavista search but with no success. TIA Christian ALT From owner-firewalls-list Tue Nov 11 14:42:35 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA20852; Tue, 11 Nov 1997 14:26:07 -0800 (PST) Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-971021-1) id OAA20842 for firewalls@greatcircle.com; Tue, 11 Nov 1997 14:26:05 -0800 (PST) Received: from sun10.sti.ac.cn (sun10.sti.ac.cn [168.160.1.25]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id BAA27129 for ; Mon, 10 Nov 1997 01:06:42 -0800 (PST) Received: from istiy.yn.cn ([168.160.151.1]) by sun10.sti.ac.cn (8.6.8.1/8.6.6) with SMTP id RAA09550; Mon, 10 Nov 1997 17:13:21 +0800 Received: from elephant.istiy.yn.cn by istiy.yn.cn (5.x/SMI-SVR4) id AA12595; Mon, 10 Nov 1997 17:03:05 +0800 Received: from dell ([168.160.151.7]) by elephant.istiy.yn.cn (5.x/SMI-SVR4) id AA01893; Mon, 10 Nov 1997 17:00:51 +0800 Message-Id: <3467AE90.6B2E@elephant.istiy.yn.cn> Date: Mon, 10 Nov 1997 17:02:08 -0800 From: tj Reply-To: tj@elephant.istiy.yn.cn X-Mailer: Mozilla 3.0Gold (WinNT; I) Mime-Version: 1.0 To: MIKE JENKINS Cc: firewalls@greatcircle.com Subject: help about cisco 2511 config References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi,every one here,I have two question about the cisco 2511 router: 1. I set up the speed of whole 16 async port to 115200, and turn on the modem autoconfig,(my modem's speed 1s 33600,),then I dial in use ppp, but it does not work.So I change the the speed of whole 16 async port to 14400,then I can get conneted.So I want to know if someone can tell me how to resove it or if you use cisco 2511 also, please send me your configuration. 
2. I read the handbook and it said you can use reverse telnet to config your modem, like "telnet 233.233.233.1 2001" (where 233.233.233.1 is my cisco 2511's ip address, and 2001 means the 1st async port), thus I can use the AT command to config the modem, but now I can not; it said "connect is refused by host". So who can tell me why and how?

thanks a lot.

Tian Jun

From owner-firewalls-list Tue Nov 11 14:43:43 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA21664; Tue, 11 Nov 1997 14:32:21 -0800 (PST)
Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-971021-1) id OAA21649 for firewalls@greatcircle.com; Tue, 11 Nov 1997 14:32:18 -0800 (PST)
Received: from edina.xenologics.com (edina.xenologics.com [194.77.5.1]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id XAA07958 for ; Mon, 10 Nov 1997 23:02:03 -0800 (PST)
Received: from www (xpl114.xnc.de [194.77.5.78]) by edina.xenologics.com (8.6.8.1/8.6.6) with SMTP id IAA06537; Tue, 11 Nov 1997 08:02:49 +0100
Message-ID: <34680318.10BFDF97@edina.xnc.com>
Date: Tue, 11 Nov 1997 08:02:48 +0100
From: Stepken
Organization: F.S.S.
X-Mailer: Mozilla 3.01Gold (X11; I; Linux 2.0.30 i586)
MIME-Version: 1.0
To: Jesse Brown
CC: Michael Martinson , firewalls@GreatCircle.COM
Subject: Re: What Linux version is best for Firewall?
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi !

LINUX is LINUX. Take DEBIAN. There are enough holes in every LINUX version. You have to remove nearly everything that can be dangerous, compile all replaced daemons statically..... A lot of work to do before you can even think about using LINUX as a firewall.

I have made several attacked Linux boxes much safer and I am still waiting for new attacks. (Give a telnet account to everybody, wait and you'll see what I am talking about.) One could even escape the chroot() environment, getting a root account...
After I removed just everything I found to be attackable by buffer overflows (most programs), it seems that LINUX is good enough for FIREWALL purposes. I am writing down my experiences at the moment; it takes some time. But do not expect LINUX to be able to do more than just firewalling. I think every UNIX with even more tasks running is insecure (e.g. BORDERWARE ......)

With NT it's a bigger problem, because you can't remove libs and kernel features. You have to test for buffer overflows.

regards, Guido Stepken

> On Mon, 10 Nov 1997, Michael Martinson wrote:
>
> > I'm putting together the pieces and parts for a firewall. I've read that
> > Red Hat is the best version of Linux for a stripped down proxy firewall.
> > I'm just making sure that Red Hat is the version which most firewalls are on.
> >
> > I've checked out: http://www.ssc.com/lj/issue25/1204.html
> > and found that it has a lot of help. I'm wondering if anyone is willing
> > to give me a list of what patches they do to the Kernel to make it as
> > secure as possible.
> > > > Michael Martinson > > Senior Systems Software Programmer > > Lincoln Benefit Life > > 1(800)525-2799 x8710 > > martimdp@allstate.com > > > > > > -- > Jesse Brown - bextreme@pobox.com From owner-firewalls-list Tue Nov 11 14:45:09 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA16882; Tue, 11 Nov 1997 13:50:31 -0800 (PST) Received: from uqam.ca (anis.telecom.uqam.ca [132.208.250.6]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id NAA16803 for ; Tue, 11 Nov 1997 13:50:06 -0800 (PST) Received: from LAMISSPC ([132.208.196.29]) by uqam.ca (8.8.5/8.8.4) with SMTP id QAA14347; Tue, 11 Nov 1997 16:44:43 -0500 (EST) Message-ID: <3468C3AA.6B64@rocketmail.com> Date: Tue, 11 Nov 1997 15:44:26 -0500 From: Eric Reply-To: cplus@rocketmail.com X-Mailer: Mozilla 3.01 [fr] (Win95; I) MIME-Version: 1.0 To: MICHAEL@hicom.loughborough.ac.uk, michael@uk.ac.lut.hicom, gt6468c@prism.gatech.edu, coup@gnu.ai.mit.edu, cklaus@hotsun.nersc.gov, security@net.ohio-state.edu, mxcert@mxcert.org.mx, ry15@uni-karlsruhe.de, cert-l@taunivm.tau.ac.il, cocot@osc.versant.com, gnu@toad.com, route@infonexus.com, bgross@uiuc.edu, firewalls@greatcircle.com, pbx@crackhouse.com, mrnobody@pil.net Subject: ID MY IP Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk 1) Can someone tell me if by having the IP (adresse) of someone if I can find his name and his Internet service provider ? 
From owner-firewalls-list Tue Nov 11 15:27:44 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA21944; Tue, 11 Nov 1997 14:35:31 -0800 (PST)
Received: from sd.pbx.org (p11-34.hftd.dialin.ntplx.com [204.213.188.73]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id OAA21937 for ; Tue, 11 Nov 1997 14:35:24 -0800 (PST)
Received: from lsd.pbx.org (segfault@lsd.pbx.org [192.168.0.1]) by sd.pbx.org (8.8.6/8.8.5) with SMTP id RAA06078; Tue, 11 Nov 1997 17:31:48 -0500
Date: Tue, 11 Nov 1997 17:31:47 -0500 (EST)
From: "Mark 'segfault' Guzman"
To: "Sameer R. Manek"
cc: Michael Martinson , firewalls@GreatCircle.COM
Subject: Re: What Linux version is best for Firewall?
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The distribution doesn't matter; you can add rpm support to any distro. Just get Linux, recompile the kernel with firewall support, set up the rules, check the system for bugs/openings and let it run.

On Tue, 11 Nov 1997, Sameer R. Manek wrote:

> > I'm putting together the pieces and parts for a firewall. I've read that
> > Red Hat is the best version of Linux for a stripped down proxy firewall.
> > I'm just making sure that Red Hat is the version which most firewalls are on.
>
> Basically any version of Linux is as good as any other; the only reason I've
> heard that Redhat is better is the fact that the RPMs are signed. You
> can't take a redhat or slackware install and call it a firewall, you need
> to harden it by removing everything you don't need.
>
> IMHO the rpms provide no more security, since all redhat does is ftp the
> same software, configure it and distribute it. All a signed rpm tells
> you is the software wasn't tampered with from the time they compiled
> it to the time you installed it. It realistically doesn't tell you if the
> source code was tampered with.
>
> Personally I'd use tripwire to build a database, store it on a cd, and use
> that method to detect compromise.
>
> Sameer Manek

.--------------------------------------------.
Murphy's Corollary: It is impossible to make anything foolproof because fools are so ingenious
Mark Guzman -=- Liquid Synergy Designs seg@lsd.pbx.org
`--------------------------------------------'

From owner-firewalls-list Tue Nov 11 15:33:36 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA23485; Tue, 11 Nov 1997 14:51:47 -0800 (PST)
Received: from compute.com (compute.compute.com [192.215.246.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id NAA17134 for ; Tue, 11 Nov 1997 13:51:50 -0800 (PST)
Received: from verio.net (s70h203.jvnc.net) by compute.com (4.1/SMI-4.1) id AA07906; Tue, 11 Nov 97 13:52:04 PST
Message-Id: <3468D2EE.7BF1764D@verio.net>
Date: Tue, 11 Nov 1997 13:49:34 -0800
From: Robert Roell
X-Mailer: Mozilla 4.03 [en] (Win95; U)
Mime-Version: 1.0
To: Andy Howard
Cc: David Lang , Desmond Teh , firewalls@GreatCircle.COM
Subject: Re: HTTP transparent proxy
References: <3468C57C.FF6D5DF@erenj.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

A lot of the security proxy systems do support transparent proxying as described. Raptor for example listens to requests directed through it by routing and passes them on to the outside world. By default the proxy listens only on port 80, but can be configured to listen on additional ports such as 8000, 8080, 8008, etc. And as stated, it requires no extra configuration on the client end.

Rob

Andy Howard wrote:
>
> Most vendor implementations of "transparent HTTP proxy" don't
> necessarily mean the absence of some sort of initial browser
> configuration work. The common use means that the user doesn't have to
> logon on to the proxy machine or get verified for each interaction with
> the Internet.
I have not heard of any product being "transparent" as > you describe. > --------- > > > On Tue, 11 Nov 1997, Desmond Teh wrote: > > > > Hi, > > > > > > Does anyone know of any products that can do transparent http proxy. > > > Example, something that sit between users and the internet that able to > > > represent a browser to access to the web without any changes need to be > > > done on the client side. No configuration on client for proxy server, > > > socks etc like what the current proxy servers Microsoft Proxy Server, > > > Netscape Proxy server etc have to do. > > > > > > Best Regards > > > Desmond > > -- > Andy Howard > achowar@erenj.com > -- the above comments are mine only-- -- ------------------------------------------------------------- V E R I O C O N S U L T I N G G R O U P Robert Roell Senior Internet Engineer rob@verio.net Phone 714-450-8400 ------------------------------------------------------------- From owner-firewalls-list Tue Nov 11 15:33:57 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA23557; Tue, 11 Nov 1997 14:52:55 -0800 (PST) Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-971021-1) id NAA17284 for firewalls@greatcircle.com; Tue, 11 Nov 1997 13:53:15 -0800 (PST) Received: from cypress.idir.net (cypress.idir.net [204.189.68.16]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id XAA22240 for ; Fri, 7 Nov 1997 23:07:41 -0800 (PST) Received: from cypress.idir.net (cypress.idir.net [204.189.68.16]) by cypress.idir.net (8.8.5/8.8.4) with SMTP id BAA10322; Sat, 8 Nov 1997 01:06:27 -0600 Date: Sat, 8 Nov 1997 01:06:27 -0600 (CST) From: Jason Keimig To: Doy cc: Adam Shostack , Brad , RHS Linux User , "H. 
Morrow Long" , Frank Willoughby , anarch@freedom.gmsociety.org, firewalls@GreatCircle.COM
Subject: Re: Hijak detection
In-Reply-To: <346101AE.6B99@indo-mail.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I agree that host authentication is the only real defense. I think
> network level encryption will defend against this kind of attack too.
> Transport level encryption might stop hijacking, but is still vulnerable to
> DoS attack (the attacker might still be able to put both hosts in
> desynchronized mode).

All true and very relevant. You COULD even encrypt most of the headers, but this breaks things like NAT and proxy services.

> 1. How do we detect a hijack.
> Even in normal TCP conversation, there are lots of packets with
> invalid SN (duplication, etc.), so how do we decide if an invalid packet is
> part of a hijacked session and which is not?

The duplication is not as severe as you would see with a hijacked session. You will generally see several hundred ACKed packets thrown around for each new packet introduced by the hijacker.

> 2. How to determine which is the attacker and which is the victim.
> By using only TCP seq. num., we definitely CAN NOT decide which is
> the attacker and which is the victim, because a skilled attacker would
> most likely only send 'good' packets, making the victim look bad. While
> a 'young' attacker is probably still making mistakes on calculating SN,
> thus making both attacker and victim look bad.

This is true if you look at only a single ACK on one side of the stream. If you compare the ACKs from both sides, you can see the side that has been spoon-fed data by the attacker as their ACK # will be higher than the supposedly corresponding SEQ # of the unmolested side. This is due to the fact that the SEQ/ACK pair is based solely on the # of bytes sent/received after the session has been established.

This pair is by no means a security mechanism in the purest sense. It is used primarily to keep the sides in sync with one another. The fact that it prevents accepting data out of order is really just a security side effect inherent in connection-oriented bitstreams.

> Looking at route information in the packet (if available) will
> provide an important clue, but is still not reliable if your network uses
> multiple routes.

This really is a non-issue as just about all routers and hosts nowadays have source-routing disabled. I realize that there is a possibility for misconfigured boxes, but this is a reaching effort that generally does not turn up anything. That is, a source-routed packet will set off too many alarms and gives away all covertness of the attack.

> Looking at the H/W address of a packet won't help much, because
> you'll only see the gateway H/W address in the packet.

Actually, this is where you will see the mistakes of a 'young' attacker. Calculating the SEQ/ACK # of a session is fairly straightforward once the hijacking has commenced: you just have to wade through all of the ACK syncs between the two hosts. As I stated in another post, JUST ABOUT all of the scripts/programs out there that do various forms of IP spoofing (I did find an old SunOS forging tool in my archives that modified the MAC address of the outgoing packet) do NOT address the layer-2 issue. Forged IP packets from user space WILL STILL CONTAIN the source MAC address of the host used to forge the packet. This is trivial to detect. The "professional" hacker (the word professional used loosely here) will have a modified IP stack that addresses this issue by swapping out the local MAC with that of the forged IP-to-layer-2 mapping. There are still some tricks to catch this; the attacker just has to be careful on how this mapping is obtained (this is part of my thesis, I've had to deal with this aspect quite intimately!).
So, in a nutshell, LOOKING at the layer-2 information will turn up 90% of the offending hosts performing ANY kind of spoofing attack. There is also the analysis of the IP packet ID that I won't get into. Although it can be used for detection purposes, it gives less information on _who_ is doing the attack.

> 3. To make the situation worse...
> The attacker might send OOB packets, change route information, or
> other DoS attack to the victim. The firewall/IDS should be aware that these
> are parts of the hijacking procedure, and terminate the victim's
> sessions immediately.

OOB packets aren't usually handled by the end host in the purest sense and routers, by definition, don't accept redirects. Where do these aspects come into play?

> In fact, if WheelGroup claims that their product can deal with TCP hijack
> attacks, how the heck are they doing it?

Good question, any takers?

-J.

From owner-firewalls-list Tue Nov 11 19:48:23 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id TAA14280; Tue, 11 Nov 1997 19:24:06 -0800 (PST)
Received: from alcove.wittsend.com (alcove.wittsend.com [130.205.0.20]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id TAA14273 for ; Tue, 11 Nov 1997 19:23:59 -0800 (PST)
Received: (from mhw@localhost) by alcove.wittsend.com (8.8.7/8.8.7) id WAA01020; Tue, 11 Nov 1997 22:08:41 -0500
From: "Michael H. Warfield"
Message-Id: <199711120308.WAA01020@alcove.wittsend.com>
Subject: Re: ID MY IP
In-Reply-To: <3468C3AA.6B64@rocketmail.com> from Eric at "Nov 11, 97 03:44:26 pm"
To: cplus@rocketmail.com
Date: Tue, 11 Nov 1997 22:08:41 -0500 (EST)
Cc: MICHAEL@hicom.loughborough.ac.uk.wittsend.com, michael@uk.ac.lut.hicom.wittsend.com, gt6468c@prism.gatech.edu, coup@gnu.ai.mit.edu, cklaus@hotsun.nersc.gov, security@net.ohio-state.edu, mxcert@mxcert.org.mx, ry15@uni-karlsruhe.de.wittsend.com, cert-l@taunivm.tau.ac.il, cocot@osc.versant.com, gnu@toad.com, route@infonexus.com, bgross@uiuc.edu, firewalls@GreatCircle.COM, pbx@crackhouse.com, mrnobody@pil.net
X-Mailer: ELM [version 2.4ME+ PL33 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Eric inscribed thusly:

> 1) Can someone tell me if by having the IP (address) of someone I can
> find his name and his Internet service provider ?

In order...

Probably not.

Probably...

Although... In my case... Yes... and Maybe (if you look hard)...

:-)

130.205.x.x

Mike
--
Michael H. Warfield | (770) 985-6132 | mhw@WittsEnd.com
(The Mad Wizard) | (770) 925-8248 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
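The hijack-detection heuristics from Jason Keimig's "Hijak detection" reply above, as an added example; this is not code from the list, from his thesis, or from any product named in the thread. It implements the three signs he describes for a passive monitor: a packet whose source MAC is not the one its source IP should arrive from, one end acknowledging bytes its peer was never seen to send (the side the attacker has "spoon-fed"), and the flood of empty ACKs once the two ends are desynchronised. The hosts, MACs and packets are constructed sample data, sequence numbers are post-handshake relative values, and the IP-to-MAC table stands in for what a monitor would learn from ARP on its own segment.

```python
"""Passive TCP hijack indicators (added example, constructed data).

Checks, following the thread above: (1) source MAC vs. the MAC the source
IP should use, (2) ACK numbers that run past what the peer actually sent,
(3) empty-ACK to data-segment ratio. Sequence numbers are relative and
32-bit wraparound is ignored for clarity.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Pkt:
    src_mac: str   # layer-2 source address seen on the monitored segment
    src_ip: str
    dst_ip: str
    seq: int       # sequence number of the first payload byte
    ack: int       # acknowledgement number (next byte expected from peer)
    length: int    # payload bytes


# Constructed IP-to-MAC table, as a monitor on the local segment would learn
# it from ARP. Any off-segment address is expected to arrive from the gateway.
KNOWN_MACS: Dict[str, str] = {
    "10.0.0.5": "00:aa:00:00:00:05",   # local host A
    "gateway": "00:aa:00:00:00:01",    # router MAC for everything off-segment
}

A, B = "10.0.0.5", "192.0.2.10"        # the monitored session's two ends
A_MAC, GW = KNOWN_MACS[A], KNOWN_MACS["gateway"]
ATTACKER_MAC = "00:aa:00:00:00:99"     # a third host on A's segment (constructed)

SAMPLE: List[Pkt] = [
    Pkt(A_MAC, A, B, 1000, 5000, 100),        # A sends 100 bytes
    Pkt(GW, B, A, 5000, 1100, 50),            # B replies with 50 bytes, acks A's 100
    Pkt(A_MAC, A, B, 1100, 5050, 0),          # A acks B's data
    Pkt(ATTACKER_MAC, A, B, 1100, 5050, 40),  # forged "A" segment from another host
    Pkt(GW, B, A, 5050, 1140, 0),             # B acks 40 bytes the real A never sent
    Pkt(A_MAC, A, B, 1100, 5050, 0),          # from here on the ends trade empty acks
    Pkt(GW, B, A, 5050, 1140, 0),
    Pkt(A_MAC, A, B, 1100, 5050, 0),
    Pkt(GW, B, A, 5050, 1140, 0),
]


def layer2_mismatches(pkts: List[Pkt]) -> List[Pkt]:
    """Packets whose source MAC is not the one their source IP should use."""
    return [p for p in pkts
            if p.src_mac != KNOWN_MACS.get(p.src_ip, KNOWN_MACS["gateway"])]


def ack_overrun(pkts: List[Pkt], a: str, b: str) -> Dict[str, int]:
    """Bytes each side has acknowledged beyond what its peer was observed to send.

    A non-zero value marks the side that accepted data from a third party.
    """
    sent_end: Dict[str, int] = {}     # highest seq+len seen from each end
    overrun = {a: 0, b: 0}
    for p in pkts:
        if p.src_ip not in overrun:
            continue
        peer = b if p.src_ip == a else a
        sent_end[p.src_ip] = max(sent_end.get(p.src_ip, 0), p.seq + p.length)
        if peer in sent_end and p.ack > sent_end[peer]:
            overrun[p.src_ip] = max(overrun[p.src_ip], p.ack - sent_end[peer])
    return overrun


def ack_to_data_ratio(pkts: List[Pkt]) -> float:
    """Empty ACKs per data segment; a desynchronised session runs this into the hundreds."""
    data = sum(1 for p in pkts if p.length > 0)
    acks = sum(1 for p in pkts if p.length == 0)
    return acks / data if data else float("inf")


def analyse(pkts: List[Pkt], a: str, b: str) -> dict:
    """Run the three checks. Layer-2 forgeries are dropped before the SEQ/ACK
    comparison so it reflects only what the genuine hosts sent."""
    forged = layer2_mismatches(pkts)
    forged_ids = {id(p) for p in forged}
    genuine = [p for p in pkts if id(p) not in forged_ids]
    overrun = ack_overrun(genuine, a, b)
    fed = [side for side, n in overrun.items() if n > 0]
    return {
        "forged_source_macs": sorted({p.src_mac for p in forged}),
        "ack_overrun_bytes": overrun,
        "spoon_fed_side": fed[0] if fed else None,
        "ack_to_data_ratio": ack_to_data_ratio(genuine),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE, A, B).items():
        print(f"{key}: {value}")
```

The order of the checks matters: if the forged segment is left in the stream, the monitor credits its 40 bytes to the real A and B's ACK of 1140 looks perfectly normal, which is exactly the blind spot Keimig's layer-2 observation closes for attackers who do not rewrite their source MAC.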
From owner-firewalls-list Tue Nov 11 20:36:31 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id UAA20107; Tue, 11 Nov 1997 20:23:14 -0800 (PST) Received: from x11.boston.juno.com (x11.boston.juno.com [205.231.100.26]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id UAA20061 for ; Tue, 11 Nov 1997 20:23:03 -0800 (PST) Received: (from wiseleo@juno.com) by x11.boston.juno.com (queuemail) id XAH10529; Tue, 11 Nov 1997 23:23:49 EST To: ccurtis@facm.fit.edu Cc: firewalls@GreatCircle.COM Date: Tue, 11 Nov 1997 20:02:59 -0800 Subject: Re: Archive/ICQ Message-ID: <19971111.201953.5903.6.wiseleo@juno.com> References: X-Mailer: Juno 1.38 X-Juno-Line-Breaks: 1-14 From: wiseleo@juno.com (Leonid S Knyshov) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk As a matter of fact, mirabilis.com _does_ have a firewalls concerned forum. And it was quite active last time I checked. *** Leonid S. Knyshov Information Systems Analyst wiseleo@juno.com (for MIME messages: wiseleo@hotmail.com) On Tue, 11 Nov 1997 12:22:42 -0500 (EST) ccurtis@facm.fit.edu writes: >Hello, > >A while ago there was some discussion about how to allow ICQ through a >firewall. We have users who would like to use ICQ and have asked me >to >open the (simple PF) firewall for this use. 
I've looked through the >mirabalis site some but couldn't find and technical details (protocol, From owner-firewalls-list Tue Nov 11 21:36:10 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id VAA28822; Tue, 11 Nov 1997 21:23:06 -0800 (PST) Received: from arthur.software.net (arthur.software.net [207.82.53.11]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id VAA28812 for ; Tue, 11 Nov 1997 21:23:00 -0800 (PST) Received: from john.software.net (002.untrusted.cybersource.com [207.82.53.196]) by arthur.software.net (Netscape Mail Server v2.0) with SMTP id AAA1480 for ; Tue, 11 Nov 1997 21:24:22 -0700 From: "John Pettitt" To: Subject: Internal Access control options -secureid, BoKS, ... Date: Tue, 11 Nov 1997 21:24:20 -0800 Message-ID: <01bcef2b$3adb1600$0201a8c0@john.software.net> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.71.1712.3 X-Mimeole: Produced By Microsoft MimeOLE V4.71.1712.3 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, we are upgrading some of our internal access controls in light of users being incapable of choosing realistic passwords (and not keeping them a secret when they do). We're looking at going with SecureID as an authentication system but have some issues: We want to use it on every system (I.E. all machines are bastions) rather than as a perimeter screen. The issue we have with this is tokens are a one shot deal and we have to wait 60 seconds before we can log into another system. Since we're running 10's of machines in an OLTP environment (web servers) this gets to be a pain real fast. Our supplier is suggesting we look at BoKS which seems to offer a single login solution, the customer list (mostly banks) is impressive, but I'm a little skeptical of such things. Do any of you have any knowledge of BoKS? Is it any good? 
What else should we look at? Are there alternatives to SecureID that support NT, Solaris, HP/UX and Netscape Servers?

John

From owner-firewalls-list Wed Nov 12 04:07:37 1997
From: "BOURUT Pierre (NTR)"
To: "'firewalls@greatcircle.com'"
Subject: milkyway
Date: Wed, 12 Nov 1997 12:49:11 +0100

Hi!

Does anyone have good or bad experience with Milkyway's firewall SecurIT for NT? Thanks for your private or public comments.

--------------------------------------------------------
Pierre Bourut / SEMA GROUP +33 (0)1 46 14 55 22

From owner-firewalls-list Wed Nov 12 04:36:38 1997
From: "Vitaliy Zoloterv"
To: "Michael H. Warfield"
Subject: Re: ID MY IP
Date: Wed, 12 Nov 1997 18:06:14 +0600
Message-ID: <01bcef63$5fd9a0b0$c6dc7cc1@is05.isis.nsu.ru>

> Eric enscribed thusly:
>> 1) Can someone tell me if by having the IP (address) of someone if I can
>> find his name and his Internet service provider ?

You can try: whois IP
in my case: whois -h whois.ripe.net 193.124.169.58

Vitaliy.

> In order...
>
> Probably not.
>
> Probably...
>
> Although... In my case... Yes... and Maybe (if you look hard)...
> :-)
>
> 130.205.x.x
>
> Mike
> --
> Michael H. Warfield | (770) 985-6132 | mhw@WittsEnd.com
> (The Mad Wizard)    | (770) 925-8248 | http://www.wittsend.com/mhw/
> NIC whois: MHW9     | An optimist believes we live in the best of all
> PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!

From owner-firewalls-list Wed Nov 12 05:52:04 1997
From: Michael Ryan
Reply-To: mike@NetworX.ie
To: Robert Roell
cc: Andy Howard, David Lang, Desmond Teh, firewalls@GreatCircle.COM
Subject: Re: HTTP transparent proxy
Date: Wed, 12 Nov 1997 12:37:08 GMT

On Tue, 11 Nov 1997 13:49:34 -0800 Robert Roell wrote:
> A lot of the security proxy systems do support transparent proxying as
> described.
>
> Raptor for example listens ...[snip]

The combination of Squid and IP Filter on a FreeBSD or Solaris box allows this to be done also. If using FreeBSD, then the whole solution is free :-)

Bye,
Mike
---

From owner-firewalls-list Wed Nov 12 06:22:16 1997
From: Ted Doty
To: firewalls@greatcircle.com
Subject: Re: Penetration Detection Tools
Date: Wed, 12 Nov 1997 09:07:21 -0500
Message-Id: <3.0.3.32.19971112090721.00988920@mail.iss.net>

On Fri, 7 Nov 1997 12:57:20, Neil Buckley wrote:
> Does anyone have recommendations for third party penetration detection
> tools, I am fairly familiar with most freeware products for UNIX, but I
> need a company wide solution.
You can download our intrusion detection software from http://www.iss.net/prod/rs.html

You can also download our firewall scanner from http://www.iss.net/prod/isb.html

- Ted
--------------------------------------------------------------
Ted Doty, Internet Security Systems | Phone: +1 770 395 0150
41 Perimeter Center East            | Fax:   +1 770 395 1972
Atlanta, GA 30346 USA               | Web:   http://www.iss.net
--------------------------------------------------------------
PGP key fingerprint: 362A EAC7 9E08 1689 FD0F E625 D525 E1BE

From owner-firewalls-list Wed Nov 12 08:14:00 1997
From: "Jonathan M. Bresler"
To: "Zilber, Alexey"
Cc: "'Firewall list'", "'jmb@FRB.GOV'", "'hagan@cih.com'"
Subject: Re: Pissing Contest (was Re: Linux et al PFs )
Date: Wed, 12 Nov 1997 09:15:06 -0500
Message-Id: <199711121415.JAA04649@kryten.frb.gov>
In-Reply-To: Your message of "Mon, 10 Nov 1997 15:58:07 EST."

> Oops, sorry it wasn't Wired. Wired had something else. This was on
> INTERNETWEEK. Comparing all the major OS's (including Linux and BSD).
>
> Quite an interesting article.. and aptly named too...
>
>> http://www.techweb.com/se/directlink.cgi?INW19970901S0125

my last gasp for this thread. forgive me for responding this last time.

General Observations:

FreeBSD was running in 64MB of memory. BSDI, Linux, NT, SCO were running in 128MB of memory. prior to FreeBSD-2.2.5, you had to recompile the kernel to use more than 64MB. the testers did not read the boot messages which informed them of this fact. (for example: real memory = 25165824 (24576K bytes)) they did notice that the machine was swapping ;)

Criticisms:

they report results inconsistently. they don't report which version of NT they used. the table of results is full of holes. the machine has 2 CPUs but they talk about this for the NT results only.

for NT they report that "the system started its 10 users runs on par with the UNIX systems we examined". 10 users??? where are the numbers for 10 users.

for FreeBSD-2.2.2 they report "the system leaped past its competitors with 100 simulated users, but then seemed to peak and fall back with 200 users and 300 users." but they don't report numbers for FreeBSD and 100 users. they don't report numbers for 200 users for any system but FreeBSD.

while they mention Walnut Creek CDROM, they fail to say that it does 106GB per day (as of 9/7/97, now 250GB per day). the 106GB per day number does not match the throughput they report. they report 606 kBps; ftp.cdrom.com does 1286 kBps:
(106 * 1024 * 1024 * 1024) / (24 * 60 * 60 * 1024)

they do not even mention the wide variation in connections/sec vs throughput, from 1:4.22 (Linux 100 users) to 1:2.53 (BSDI 300 users)

Their Numbers:

                 users:   100    200    300
OS
BSDI-3.0                  205     --    326   connections per second
                          630     --    827   kilobytes per second
FreeBSD-2.2.2              --    232    188
                           --    598    606
Linux-RH-4.2              153     --    230
                          646     --    996
NT 4.0?? SP??              --     --    247
                           --     --    694
SCO-5.0.4                 122     --     83
                          413     --    296

My Conclusion:

had this been a high-school science project, my teachers would have failed me for writing such a report ;)

Final Question:

now, do you have any numbers to report that even come close to ftp.cdrom.com?

jmb

From owner-firewalls-list Wed Nov 12 10:42:53 1997
From: Eric Lunow
To: desmond_teh@hotmail.com, firewalls@GreatCircle.com, achowar@erenj.com
Subject: Re: Transparent Proxy
Date: Wed, 12 Nov 1997 10:34:59 -0800 (PST)

A number of vendors support Transparent Proxy features exactly as you described - true application level proxying without requiring special client modifications or configuration. The PrivateNet firewall from NEC, now discontinued, had that very feature. I also believe Borderware, Raptor, and TIS Gauntlet currently have products that support transparent proxies.
---------------------------------
Eric Lunow 12-Nov-97 10:34:59
----------------------------------

From owner-firewalls-list Wed Nov 12 10:58:38 1997
From: Erick Alejandro Villarreal Galvez
To: "'John Pettitt'", "Firewalls@GreatCircle.COM"
Subject: RE: Internal Access control options -secureid, BoKS, ...
Date: Wed, 12 Nov 1997 12:06:56 -0600
Organization: Omniscope
Message-ID: <01BCEF63.7A71A440.evillarreal@scanda.com.mx>

BoKS is a good product, and as far as I have worked with it, it is very easy to manage and provides numerous ways for authentication: user passwords, user & system passwords, tokens (SecurID). BoKS has a complete set of Password Management: length, banned list of passwords, look for certain strings, etc.

Security Dynamics, which produces the solution called ACE/Server, works under NT, HPUX, AIX & Solaris, and about two months ago it bought DynaSoft, the former producer of BoKS. This means that the integration of both products will be very fine and strong versus SeOS, Omniguard, etc.

About the 60 seconds issue, you can tell Security Dynamics to program the token to change every 30 seconds; this is the minimum, and the maximum is 5 minutes.
With BoKS you will have an SSSO (Secure Single Sign On) solution, because you can design which users and which services are going to be authenticated in this method, once the user logs in, at a single point.

Regards, hope this helps.

And, yes, Security Dynamics ACE/Agent under Netscape Server is available. And yes, I'm a VAR (Value Added Reseller) of Security Dynamics and DynaSoft here in MEXICO!!!!!!!!!

Regards.

Erick Alejandro Villarreal Galvez
Omniscope - Grupo SCANDA
Information Security Coordinator
Miguel Laurent #804. Letran Valle.   Voice: (525) 422-2724
C.P. 03650                           Fax:   (525) 422-2780
Mexico, D.F.                         e-mail: evillarreal@scanda.com.mx

-----Original Message-----
From: John Pettitt [SMTP:jpp@cybersource.com]
Sent: Tuesday, November 11, 1997 11:24 PM
To: Firewalls@GreatCircle.COM
Subject: Internal Access control options -secureid, BoKS, ...

Hi, we are upgrading some of our internal access controls in light of users being incapable of choosing realistic passwords (and not keeping them a secret when they do). We're looking at going with SecureID as an authentication system but have some issues:

We want to use it on every system (i.e. all machines are bastions) rather than as a perimeter screen. The issue we have with this is that tokens are a one-shot deal and we have to wait 60 seconds before we can log into another system. Since we're running tens of machines in an OLTP environment (web servers) this gets to be a pain real fast.

Our supplier is suggesting we look at BoKS, which seems to offer a single login solution; the customer list (mostly banks) is impressive, but I'm a little skeptical of such things. Do any of you have any knowledge of BoKS? Is it any good? What else should we look at? Are there alternatives to SecureID that support NT, Solaris, HP/UX and Netscape Servers?
John

From owner-firewalls-list Wed Nov 12 11:59:18 1997
From: karim.saouli@petrel.net
To: "'Robert Roell'", Andy Howard
Cc: David Lang, Desmond Teh, firewalls@GreatCircle.COM
Subject: RE: HTTP transparent proxy
Date: Wed, 12 Nov 1997 20:53:25 +0100
Message-ID: <814F37E04AF4D0119240006097AC5C1E0C2DCA@pyramid.petrel.ch>

A true transparent proxy is now available from Cisco Systems; it's known as Cache Engine. For the moment it only supports http proxying, and it has to be combined with a Cisco 7000 series router. Additional information can be found at the following URL:

http://www.cisco.com/warp/public/751/cache/index.shtml

The concept is quite interesting actually.

my 2 cents

Karim Saouli
Network Engineer
Petrel Communications S.A.

> -----Original Message-----
> From: Robert Roell [SMTP:rob@verio.net]
> Sent: Tuesday, 11 November 1997 22:50
> To: Andy Howard
> Cc: David Lang; Desmond Teh; firewalls@GreatCircle.COM
> Subject: Re: HTTP transparent proxy
>
> A lot of the security proxy systems do support transparent proxying as
> described.
>
> Raptor for example listens to requests directed through it by routing
> and passes them onto the outside world. By default the proxy listens
> only on port 80, but can be configured to listen on additional ports
> such as 8000, 8080, 8008, etc. And as stated requires no extra
> configuration on the client end.
>
> Rob
>
> Andy Howard wrote:
>>
>> Most vendor implementations of "transparent HTTP proxy" don't
>> necessarily mean the absence of some sort of initial browser
>> configuration work. The common use means that the user doesn't have to
>> log on to the proxy machine or get verified for each interaction with
>> the Internet. I have not heard of any product being "transparent" as
>> you describe.
>> ---------
>>
>>> On Tue, 11 Nov 1997, Desmond Teh wrote:
>>>
>>> Hi,
>>>
>>> Does anyone know of any products that can do transparent http proxy.
>>> Example, something that sits between users and the internet that is
>>> able to represent a browser to access the web without any changes
>>> needing to be done on the client side. No configuration on client for
>>> proxy server, socks etc like what the current proxy servers Microsoft
>>> Proxy Server, Netscape Proxy server etc have to do.
>>>
>>> Best Regards
>>> Desmond
>>
>> --
>> Andy Howard
>> achowar@erenj.com
>> -- the above comments are mine only --
>
> --
> -------------------------------------------------------------
> V E R I O   C O N S U L T I N G   G R O U P
>
> Robert Roell
> Senior Internet Engineer
>
> rob@verio.net Phone 714-450-8400
> -------------------------------------------------------------

From owner-firewalls-list Wed Nov 12 14:12:56 1997
From: Darren Reed
To: jkeimig@idir.net (Jason Keimig)
Cc: doy@indo-mail.com, adam@homeport.org, brad@freedom.gmsociety.org, circle@cali-net.com, morrow.long@yale.edu, frankw@in.net, anarch@freedom.gmsociety.org, firewalls@GreatCircle.COM
Subject: Re: Hijak detection
Date: Wed, 12 Nov 1997 17:01:18 +1100 (EDT)
Message-Id: <199711120602.WAA02937@honor.greatcircle.com>
In-Reply-To: from "Jason Keimig" at Nov 8, 97 01:06:27 am

In some mail from Jason Keimig, sie said:
>
> So, in a nutshell, LOOKING at the layer-2 information will turn up 90% of
> the offending hosts performing ANY kind of spoofing attack.

Only if you're on the same LAN. All routers will replace the source MAC address with their own when routing.
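Darren's caveat can be turned into a concrete check. The Python below is an added illustration, not code from the thread: it compares each packet's source MAC with the known IP/MAC bindings of the local subnet, so local sources can be verified, while anything claiming an off-subnet source arrives bearing the router's MAC and layer 2 says nothing about who really sent it. The subnet, router MAC, bindings and sample packets are constructed values.

```python
import ipaddress
from collections import namedtuple

# Constructed sample topology (assumptions, not from the thread): the LAN this
# sensor sits on and the MAC address of the router that forwards traffic onto it.
LOCAL_NET = ipaddress.ip_network("192.168.18.0/24")
ROUTER_MAC = "00:00:0c:aa:bb:01"

# Known IP -> MAC bindings for hosts on the LAN (constructed; in practice taken
# from DHCP leases, a switch's port/MAC table or a maintained inventory).
KNOWN_BINDINGS = {
    "192.168.18.10": "00:a0:c9:11:22:33",
    "192.168.18.85": "00:a0:c9:44:55:66",
}

Packet = namedtuple("Packet", "src_mac src_ip")


def classify(pkt, local_net=LOCAL_NET, router_mac=ROUTER_MAC,
             bindings=KNOWN_BINDINGS):
    """Classify one packet seen on the LAN segment by its layer-2 source.

    Verdicts:
      ok                    local source, MAC matches the known binding
      spoofed-local-source  local source IP sent from a different host's MAC
                            (or from the router, i.e. an internal address
                            arriving from outside)
      unknown-local-host    local source IP with no recorded binding
      spoofed-offsubnet     off-subnet source IP sent from a LAN host's MAC
      routed-opaque         arrived via the router, whose MAC has replaced the
                            original sender's; layer 2 cannot identify it
    """
    ip = ipaddress.ip_address(pkt.src_ip)
    mac = pkt.src_mac.lower()
    if ip in local_net:
        expected = bindings.get(pkt.src_ip)
        if expected is None:
            return "unknown-local-host"
        return "ok" if mac == expected.lower() else "spoofed-local-source"
    # Off-subnet sources legitimately reach this segment only through the router.
    return "routed-opaque" if mac == router_mac.lower() else "spoofed-offsubnet"


def audit(packets):
    """Return (src_ip, src_mac, verdict) for every packet, for logging or alerting."""
    return [(p.src_ip, p.src_mac, classify(p)) for p in packets]


# Constructed sample traffic.
SAMPLE = [
    Packet("00:a0:c9:11:22:33", "192.168.18.10"),  # genuine local host
    Packet("00:a0:c9:44:55:66", "192.168.18.10"),  # .85 impersonating .10
    Packet("00:a0:c9:44:55:66", "10.1.2.3"),       # local host forging an external source
    Packet("00:00:0c:aa:bb:01", "10.1.2.3"),       # via the router: MAC tells us nothing
    Packet("00:00:0c:aa:bb:01", "192.168.18.10"),  # internal address arriving from outside
]

if __name__ == "__main__":
    for src_ip, src_mac, verdict in audit(SAMPLE):
        print(f"{src_ip:<16} {src_mac}  {verdict}")
```

Only the last two verdicts need the router's cooperation (ingress/egress filtering there); the first three are exactly the on-LAN cases layer-2 inspection catches.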
From owner-firewalls-list Wed Nov 12 14:14:21 1997
From: tj@elephant.istiy.yn.cn
To: firewalls@greatcircle.com
Subject: help about cisco 2511 config
Date: Wed, 12 Nov 1997 11:34:02 +0800 (CST)

Hi, everyone here, I have two questions about the Cisco 2511 router:

1. I set up the speed of all 16 async ports to 115200 and turned on the modem autoconfig (my modem's speed is 33600), then I dialled in using PPP, but it does not work. So I changed the speed of all 16 async ports to 14400, and then I can get connected. So I want to know if someone can tell me how to resolve it, or if you use a Cisco 2511 also, please send me your configuration.

2. I read the handbook and it said you can use reverse telnet to config your modem, like "telnet 233.233.233.1 2001" (where 233.233.233.1 is my Cisco 2511's IP address, and 2001 means the 1st async port), thus I can use the AT commands to config the modem, but now I cannot; it said "connect is refused by host". So who can tell me why and how?

thanks a lot.
Tian Jun

From owner-firewalls-list Wed Nov 12 14:15:38 1997
From: "Gabriel Dura"
Reply-to: dura@geocities.com
To: ccurtis@facm.fit.edu
CC: firewalls@GreatCircle.COM
Subject: Re: Archive/ICQ
Date: Tue, 11 Nov 1997 23:02:33 +0200
Message-Id: <199711112058.MAA19290@geocities.com>

Hello Christopher,

ICQ uses UDP port 4000 to connect to the mirabilis.com server. You do not have to open any other TCP/UDP ports if your firewall or proxy supports SOCKS. In the Preferences dialog click the Connection tab and choose "I'm using a permanent internet connection (LAN)" first, then "I am behind a firewall". After that click the "Firewall Settings" button and choose from the next dialog the type of firewall, SOCKS connection, and configure ICQ for each user. I think that's all.

Although my personal opinion, and I believe I'm not the only one, is not to use it until Mirabilis will offer full technical support.

You could also try to get more information on the ICQ mailing list. Check their WEB page for subscribing information.

The information above is valid for ICQ Version 1.111.
Hope it helps,
Gabriel

> From: ccurtis@facm.fit.edu
> Date: Tue, 11 Nov 1997 12:22:42 -0500 (EST)
> To: firewalls@GreatCircle.COM
> Subject: Archive/ICQ
>
> Hello,
>
> A while ago there was some discussion about how to allow ICQ through
> a firewall. We have users who would like to use ICQ and have asked
> me to open the (simple PF) firewall for this use. I've looked
> through the Mirabilis site some but couldn't find any technical
> details (protocol, port) and was wondering what the resolution was.
> Could some kind soul point me to an archive of this list, or tell me
> the port/protocols used?
>
> Thanks,
> Christopher

From owner-firewalls-list Wed Nov 12 14:17:22 1997
From: Ken Simmons
To: "firewalls@GreatCircle.COM"
Subject: RE: strip-down filelist
Date: Tue, 11 Nov 1997 08:54:36 -0500
Message-Id: <01BCEE7F.7D46A3D0@CTA14>

We are also building a firewall box. This will benefit us greatly. Now, remove Sendmail......
-----Original Message-----
From: Marc Heuse [SMTP:Marc.Heuse@mail.DeuBa.COM]
Sent: Tuesday, November 11, 1997 5:20 AM
To: linux-security@redhat.com
Cc: firewalls@GreatCircle.COM
Subject: strip-down filelist

Hi Folks,

When installing a Linux system for a proxy/firewall/gateway/router/victim purpose you have to strip it down to make the security on the host as tight as possible. Removing compilers, suid/sgid files, mounting read-only etc. etc. In other words, stuff that you do again and again.

One approach is to delete everything you know you don't need. The other and better approach is just to make a list of all files you really need and remove all the rest.

Is there anyone who has done that for a system? (not especially Linux ... *BSD, Solaris, HP, AIX etc. are interesting too.)

I think such a discussion could improve security on our bastion hosts.

Comments, lists etc. welcome.

With kind regards,
Marc Heuse

This message and any statements expressed therein are those of myself and not of the Deutsche Bank AG or its subsidiary companies.
Type Bits/KeyID    Date       User ID
pub  2048/DB5C03C5 1997/09/23 Marc Heuse

From owner-firewalls-list Wed Nov 12 17:43:10 1997
From: sz-techserv
Organization: Schleswig Holsteinischer Zeitungsverlag
To: Firewalls@GreatCircle.COM
Subject: problem with netscape 3 - no firewall content
Date: Thu, 13 Nov 1997 02:40:10 +0100
Message-ID: <346A5A7A.57ED@presidency.com>

Hi folks!
This may not directly deal with firewalls, but my mates here in my company asked me some questions I do not know an answer to, so I'm asking too; maybe one of you can help me. Netscape's web site didn't help me either, sadly.

The problem we have is that the Netscape browser sends the complete history to the server the customer is accessing. That means a webmaster can see where the user using his server has been before, as you all should know from your own experiences. The question is simple: How do I stop Netscape from writing down the history? In what file does the browser write this information? We have a few URLs we would NOT like to show to people from outside, and we simply cannot search the history of the browser every time before starting surfing the www.

And by the way: Is there a chance to change the sent information about the browser, the OS and the hardware platform?

Thanks for your help already

Christian Petersen-Clausen
hostmaster Schleswig Holsteinischer Zeitungsverlag
www.shz.de

please reply to my private e-mail address hostmaster@presidency.com

From owner-firewalls-list Wed Nov 12 19:46:21 1997
From: Ederlindo Cojuangco
To: sz-techserv
cc: Firewalls@GreatCircle.COM
Subject: Re: problem with netscape 3 - no firewall content
Date: Thu, 13 Nov 1997 11:30:07 +0000
In-Reply-To: <346A5A7A.57ED@presidency.com>

On Thu, 13 Nov 1997, sz-techserv wrote:

********some parts deleted**********
>
> The problem we have is that the Netscape browser sends the complete
> history to the server the customer is accessing. That means a webmaster
> can see where the user using his server has been before, as you all
> should know from your own experiences. The question is simple: How do I
> stop Netscape from writing down the history? In what file does the
> browser write this information? We have a few URLs we would NOT
> like to show to people from outside, and we simply cannot search the
> history of the browser every time before starting surfing the www.
============
The file that records the history of all the www sites accessed is the "netscape.hst". Yes, I also would like not to record all the activity done on accessing the sites. What I did was to delete the file "netscape.hst" but it will not solve it bec. it keeps on recording... well, it's part of the Netscape program. Any good suggestions out there?

ederts
============
>
> And by the way: Is there a chance to change the sent information about
> the browser, the OS and the hardware platform?
>
> Thanks for your help already
>
>
> Christian Petersen-Clausen
> hostmaster Schleswig Holsteinischer Zeitungsverlag
> www.shz.de
>
> please reply to my private e-mail address hostmaster@presidency.com

From owner-firewalls-list Wed Nov 12 19:57:54 1997
From: "Revati Damle"
To: firewalls@GreatCircle.COM
Subject: Gauntlet firewall
Date: Wed, 12 Nov 1997 19:55:29 PST
Message-ID: <19971113035529.8974.qmail@hotmail.com>

Hi,

I wanted to know more about the pros/cons of the Gauntlet firewall. I have read that configuring it is a bit of a problem. Does anybody have hands-on experience?
R.Damle ______________________________________________________ Get Your Private, Free Email at http://www.hotmail.com From owner-firewalls-list Wed Nov 12 20:57:54 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id UAA11569; Wed, 12 Nov 1997 20:42:57 -0800 (PST) Received: from elektra.ultra.net (elektra.ultra.net [199.232.56.13]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id UAA08372 for ; Wed, 12 Nov 1997 20:23:02 -0800 (PST) Received: from joespc.judgefamily.org (joesmac.ultranet.com [199.232.59.222]) by elektra.ultra.net (8.8.5/ult.n14767) with SMTP id XAA08531; Wed, 12 Nov 1997 23:24:08 -0500 (EST) Received: by joespc.judgefamily.org with Microsoft Mail id <01BCEFC2.494B5960@joespc.judgefamily.org>; Wed, 12 Nov 1997 23:25:39 -0500 Message-ID: <01BCEFC2.494B5960@joespc.judgefamily.org> From: Joseph Judge To: "firewalls@GreatCircle.COM" , "'Ken Simmons'" Subject: RE: strip-down filelist Date: Wed, 12 Nov 1997 21:51:21 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk The Sunworld Online's Peter Galvin has a Solaris Security FAQ which describes the steps to take to "tighten" down a solaris box ... the details are great and the concepts help you solve the other OSs. --joe ---------- From: Ken Simmons[SMTP:simmonsk@groupz.net] Sent: Tuesday, November 11, 1997 8:54 AM To: firewalls@GreatCircle.COM Subject: RE: strip-down filelist We are also building a firewall box. This will benefit us greatly. Now, remove Sendmail...... -----Original Message----- From: Marc Heuse [SMTP:Marc.Heuse@mail.DeuBa.COM] Sent: Tuesday, November 11, 1997 5:20 AM To: linux-security@redhat.com Cc: firewalls@GreatCircle.COM Subject: strip-down filelist Hi Folks, When installing a Linux system for a proxy/firwall/gateway/router/victim purpose you have to strip it down to make the security on the host as tight as possible. 
Removing compilers, suid/sgid files, mounting read-only etc. etc. In other words, stuff that you do again and again. One approach is to delete everything you know you don't need. The other and better approach is just to make a list of all files you really need and remove all the rest. Is there anyone who has done that for a system? (not especially Linux ... *BSD, Solaris, HP, AIX etc. are interesting too.) I think such a discussion could improve security on our bastion hosts. Comments, lists etc. welcome. With kind regards, Marc Heuse This message and any statements expressed therein are those of myself and not of the Deutsche Bank AG or its subsidiary companies. Type Bits/KeyID Date User ID pub 2048/DB5C03C5 1997/09/23 Marc Heuse

From owner-firewalls-list Thu Nov 13 00:42:57 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id AAA24026; Thu, 13 Nov 1997 00:31:54 -0800 (PST) Received: from mail.computronic.at ([194.177.146.5]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id AAA24010 for ; Thu, 13 Nov 1997 00:31:43
-0800 (PST) Received: from atambs0e ([195.212.97.39]) by mail.computronic.at (post.office MTA v2.0 0813 ID# 0-33306U110) with ESMTP id AAA162; Thu, 13 Nov 1997 09:34:01 +0100 Message-ID: <346ABBED.9B263F33@computronic.at> Date: Thu, 13 Nov 1997 09:35:58 +0100 From: "Barfuß Egon jun." Reply-To: egon@computronic.at Organization: Home X-Mailer: Mozilla 4.01 [en] (WinNT; I) MIME-Version: 1.0 To: firewalls@GreatCircle.COM, ntsecurity@iss.net, hackers@FreeBSD.COM Subject: Need a Firewall but don't know which one X-Priority: 3 (Normal) Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi there, Big problem! We are running an internet server but till now we don't have any firewall. Now I'm searching for one but don't know which one I should take. I found a site http://www.waterw.com/~manowar/vendor.html with many various products and platforms and I got some information about WatchGuard. Does anyone know something about it? Is NT a good platform??? I heard that it is a bit insecure because of some problems with TCP/IP ports and Redbutton. What do you think about it and which platform/system is the best/better one?? Thanks in advance Egon -- Egon Barfusz Gottschallingerstr.
6 4030 Linz mailto:egon@computronic.at mailto:egon.barfusz@ambos.co.at

From owner-firewalls-list Thu Nov 13 01:28:01 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id BAA25071; Thu, 13 Nov 1997 01:02:38 -0800 (PST) Received: from malraux.matranet.com (malraux.matranet.com [194.117.213.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id BAA25009 for ; Thu, 13 Nov 1997 01:02:17 -0800 (PST) Received: by malraux.matranet.com; id JAA20658; Thu, 13 Nov 1997 09:55:33 +0100 (CET) Received: from hugo.imatranet.com(192.0.2.10) by malraux.matranet.com via smap (2.0f) id xma020641; Thu, 13 Nov 97 09:55:05 +0100 Received: from kafka.matranet.com ([192.0.2.22]) by hugo.imatranet.com (post.office MTA v2.0 0813 ID# 0-18250U90) with SMTP id AAD85; Thu, 13 Nov 1997 10:07:01 +0100 Reply-To: "Xavier Fauquet" From: "Xavier Fauquet" To: "Ekaterina N. Ivannikova" , Cc: Subject: Re: strong encryption for Europeans Date: Mon, 10 Nov 1997 21:27:32 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 8bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.71.1008.3 X-MimeOLE: Produced By Microsoft MimeOLE Engine V4.71.1008.3 Message-ID: <19971113090658446.AAD85@kafka.matranet.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hello, Take a look at www.matranet.com MATRAnet is a French company developing software for intranets and the internet. We develop security, administration and communication solutions over the intranet. We developed a VPN product called M>Tunnel with strong encryption (DES 56 and triple DES). Xavier

-----Original Message----- From: Ekaterina N. Ivannikova To: firewalls@greatcircle.com Cc: firewall-wizards@nfr.net Date: Monday 27 October 1997 15:31 Subject: strong encryption for Europeans >Dear firewall experts, > >I would like to know which options are available to Europeans with regard >to strong encryption VPNs.
It appears that most well-known firewall >vendors are US companies and their VPNs are subject to US export law >restrictions. >Another question: how strong is Check Point's FWZ1? What is its key >length? Are there any estimates as to how breakable it is? Our local FW-1 >reseller could not enlighten me in the matter. > >Thank you. > >Ekaterina Ivannikova > >

From owner-firewalls-list Thu Nov 13 02:42:21 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id BAA25086; Thu, 13 Nov 1997 01:02:54 -0800 (PST) Received: from malraux.matranet.com (malraux.matranet.com [194.117.213.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id BAA25069 for ; Thu, 13 Nov 1997 01:02:37 -0800 (PST) Received: by malraux.matranet.com; id JAA20669; Thu, 13 Nov 1997 09:55:33 +0100 (CET) Received: from hugo.imatranet.com(192.0.2.10) by malraux.matranet.com via smap (2.0f) id xma020643; Thu, 13 Nov 97 09:55:05 +0100 Received: from kafka.matranet.com ([192.0.2.22]) by hugo.imatranet.com (post.office MTA v2.0 0813 ID# 0-18250U90) with SMTP id AAE85; Thu, 13 Nov 1997 10:07:02 +0100 Reply-To: "Xavier Fauquet" From: "Xavier Fauquet" To: "Simon J. Gerraty" , Cc: Subject: Re: IIOP and Wonderwall (?) Date: Mon, 10 Nov 1997 21:31:20 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="x-user-defined" Content-Transfer-Encoding: 8bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.71.1008.3 X-MimeOLE: Produced By Microsoft MimeOLE Engine V4.71.1008.3 Message-ID: <19971113090658446.AAE85@kafka.matranet.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Where can I get more information on that proxy? Xavier

-----Original Message----- From: Simon J. Gerraty Newsgroups: lists.firewalls To: rnourse@intrepid.intersect.net Cc: firewalls@greatcircle.com Date: Sunday 26 October 1997 11:51 Subject: Re: IIOP and Wonderwall (?)
> I'm looking for experience with CORBA IIOP being passed through >a firewall. Apparently the port assignments for this are dynamic and >the only product I have heard of that can handle this is >"Wonderwall", an add-in for the Raptor solution. Does anyone know of

Actually to the best of my knowledge Wonderwall is a product from IONA and slated to be bundled with their OrbixWeb product. I've used the beta versions. It is certainly not dependent on any particular firewall vendor/setup. I've not looked at any other solutions - basically I stumbled across Wonderwall shortly after doing a rough design of what a simple IIOP proxy would need to do - and Wonderwall did 90% of what I wanted. Wonderwall only looks at the IIOP header to decide whether the request should be forwarded. Ideally the proxy should have available the IDL for each of the interfaces and be able to test the request against it. Such a proxy was developed by a project group at one of my client sites and Wonderwall was to be used to front-end that proxy - though in a less complex firewall you could have ditched Wonderwall entirely. For simpler situations or low risk ones, Wonderwall is probably OK by itself. As to dynamic port assignments, the range required is usually quite configurable and many applications can tune their requirements to the point where only a small range is required to be allowed through the choke router. --sjg for -- Simon J.
Gerraty #include /* imagine something _very_ witty here */

From owner-firewalls-list Thu Nov 13 04:07:23 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id BAA02236; Thu, 13 Nov 1997 01:42:21 -0800 (PST) Received: from obelix.hrz.tu-chemnitz.de (obelix.hrz.tu-chemnitz.de [134.109.132.55]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id BAA02088 for ; Thu, 13 Nov 1997 01:41:42 -0800 (PST) Received: from mailbox.hrz.tu-chemnitz.de by obelix.hrz.tu-chemnitz.de with Local SMTP (PP); Thu, 13 Nov 1997 10:41:54 +0100 Received: from pandora.hrz.tu-chemnitz.de (pandora.hrz.tu-chemnitz.de [134.109.132.63]) by mailbox.hrz.tu-chemnitz.de (8.8.5/8.8.3) with ESMTP id KAA21126; Thu, 13 Nov 1997 10:41:51 +0100 (MET) Received: from localhost by pandora.hrz.tu-chemnitz.de (8.8.5/client-1.5) id KAA11984; Thu, 13 Nov 1997 10:41:50 +0100 Date: Thu, 13 Nov 1997 10:41:48 +0100 (MET) From: Johannes Schwabe To: "Barfuß Egon jun." cc: firewalls@GreatCircle.COM, ntsecurity@iss.net, hackers@FreeBSD.COM Subject: Re: Need a Firewall but don´t know which one In-Reply-To: <346ABBED.9B263F33@computronic.at> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Thu, 13 Nov 1997, Barfuß Egon jun. wrote: > What do you think about it and which platform/system is the best/better > one?? I think you sound like someone who sees a firewall as the ultimate solution to security problems, which it is not, of course. See http://flummi.de/~bofh/security-faq.html.
From owner-firewalls-list Thu Nov 13 04:57:26 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA08294; Thu, 13 Nov 1997 02:26:56 -0800 (PST) Received: from gw.pinewood.nl (gw.pinewood.nl [194.171.50.9]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id CAA08196 for ; Thu, 13 Nov 1997 02:26:25 -0800 (PST) Received: (from smap@localhost) by gw.pinewood.nl (8.8.4/8.6.12) id LAA25698; Thu, 13 Nov 1997 11:26:19 +0100 (CET) X-Authentication-Warning: gw.pinewood.nl: smap set sender to using -f Received: from pwood1.pinewood.nl(192.168.1.10) by gw.pinewood.nl via smap (V1.3) id sma025696; Thu Nov 13 11:26:13 1997 Received: (from ewout@localhost) by pwood1.pinewood.nl (8.7.3/8.6.12) id LAA10755; Thu, 13 Nov 1997 11:26:12 +0100 (MET) From: "Ewout Meij" Message-Id: <971113112612.ZM10751@pwood1.pinewood.nl> Date: Thu, 13 Nov 1997 11:26:12 +0100 In-Reply-To: "Barfuß Egon jun." <egon@computronic.at> "[NTSEC] Need a Firewall but don´t know which one" (Nov 13, 9:35) References: <346ABBED.9B263F33@computronic.at> X-Face: 'BsFf8'k.q?J#?|$D*,)/?sRB{woUK&9\5K{ERmT;VTSyNLBb?muLf>b:Pt&VTDw8YCaC]6 C!MRSMr5UNjZLa]fi? X-Mailer: Z-Mail (4.0.1 13Jan97) To: "Barfuß Egon jun." , firewalls@GreatCircle.COM, ntsecurity@iss.net, hackers@FreeBSD.COM Subject: Re: [NTSEC] Need a Firewall but don´t know which one MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Nov 13, 9:35, Barfuß Egon jun. wrote: > Subject: [NTSEC] Need a Firewall but don´t know which one > > Hi there, > > Big problem! > We are running an internet server but till now we don´t have any > firewall.
[snip] I guess you'll draw a *lot* of extra attention to your site this way ;-) current hits 009413 and counting!

From owner-firewalls-list Thu Nov 13 05:14:33 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id DAA19317; Thu, 13 Nov 1997 03:40:15 -0800 (PST) Received: from callisto ([205.129.215.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id DAA19310 for ; Thu, 13 Nov 1997 03:40:09 -0800 (PST) Message-Id: Date: 13 Nov 1997 06:35:38 -0500 From: "Jerry Edmiston" Subject: NetScape vs Explorer To: "firewalls GreatCircle" X-Mailer: Mail*Link SMTP-QM 4.0.0 Mime-Version: 1.0 Content-Type: text/plain; charset="ISO-8859-1"; Name="Message Body" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Subject: Time: 6:15 AM OFFICE MEMO NetScape vs Explorer Date: 11/13/97 I understand this is a firewall server group and this subject may seem to stray from the subject, but in our shop it does tie in. I apologize in advance if others see differently. Currently we have NetScape as our inTERnet browser, pointing the proxies to the firewall interface. We also have an inTRAnet utilizing 2 internal domains, with the root in Texas, that are defined in the no proxy section. Everything is fine and works well. We have decided to migrate to M/S Explorer because it is free with NT and Win '95, but I have noticed that Explorer will only resolve 'no-proxy' allocations via a host name, not domain names. This seems to dismantle the DNS structure and force us to define host names and do away with our internal root. Unless I am missing something we can no longer use domain names to access our inTRAnet and internal DNS. Am I correct in my assumption or am I missing something?
Where do I define the domain names that I want Explorer to use the internal DNS to resolve, or can I...thanks in advance for any help...jle9@eci-esyst.com

From owner-firewalls-list Thu Nov 13 05:28:06 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA29231; Thu, 13 Nov 1997 05:12:57 -0800 (PST) Received: from VMSrelay2.pcy.mci.net (vmsrelay2.pcy.mci.net [204.71.0.44]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id EAA24324 for ; Thu, 13 Nov 1997 04:24:37 -0800 (PST) From: cdone@worldnet.att.net Received: from worldnet.att.net (usr3-dialup11.mix1.Bloomington.mci.net) by MAIL-RELAY.PCY.MCI.NET (PMDF V5.1-10 #10044) with SMTP id <01IPXZTZIW78003F0F@MAIL-RELAY.PCY.MCI.NET> for firewalls@greatcircle.com; Thu, 13 Nov 1997 02:17:36 EST Date: Thu, 13 Nov 1997 02:17:36 -0500 (EST) Date-warning: Date header was inserted by MAIL-RELAY.PCY.MCI.NET Subject: Fortunes made saving environment To: firewalls@greatcircle.com Message-id: <01IPY0OKGGMK003F0F@MAIL-RELAY.PCY.MCI.NET> MIME-version: 1.0 Content-type: TEXT/PLAIN; CHARSET=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

One Source Worldwide Team Builders WILL CREATE MILLIONAIRES -7 month old company -Megalevel marketing plan -Seamless support system -People placed in YOUR Downline! Earn $3000 Monthly with 15 Distributors Earn $10,000 Monthly with 39 Distributors Earn $20,000 Monthly with 100 Distributors We Believe In Team Building! Team building brings in 6 figure incomes in just 30 days throughout the company Do you know anyone who does laundry? Take your share of a $20 billion market THE LAUNDRY CD -Replaces Laundry Detergent and Softeners -Saves Money -Saves Water -Eliminates Chemicals -Extends Clothing Life -100% Hypoallergenic -Easy to Sell -Saves the Environment For information about this opportunity please call (818) 754-5770 Or visit http://www.surfworld.com To be removed from this please reply with remove in the subject.
From owner-firewalls-list Thu Nov 13 05:44:11 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA01754; Thu, 13 Nov 1997 05:37:22 -0800 (PST) Received: from mail.fearernet.com (mail.fearernet.com [207.22.35.20]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id FAA01681 for ; Thu, 13 Nov 1997 05:37:06 -0800 (PST) Received: from localhost (mfearer@localhost) by mail.fearernet.com (8.8.4/8.8.4) with SMTP id JAA01632; Thu, 13 Nov 1997 09:05:55 -0500 Date: Thu, 13 Nov 1997 09:05:54 -0500 (EST) From: Mark Fearer To: "Barfuß Egon jun." cc: firewalls@GreatCircle.COM, ntsecurity@iss.net, hackers@FreeBSD.COM Subject: Re: [NTSEC] Need a Firewall but dont know which one In-Reply-To: <346ABBED.9B263F33@computronic.at> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Content-Transfer-Encoding: QUOTED-PRINTABLE Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Try checking out www.raptor.com. We are running the Eagle NT 4.0 where I work. Same GUI as the Unix version. ----------- Mark Fearer mfearer@mail.fearernet.com

On Thu, 13 Nov 1997, Barfuß Egon jun. wrote: > > Hi there, > > Big problem! > We are running an internet server but till now we don´t have any > firewall. Now I´m searching one but don´t know which one I should take. > > I found a site http://www.waterw.com/~manowar/vendor.html with many > various products and platforms and I got some informations about > WatchGuard. Does anyone know something about it? > > Is NT a good platform??? I heard that it is a bit unsecure because some > problems with TCP/IP ports and Redbutton. > > What do you think about it and which platform/system is the best/better > one?? > > Thanks in advance > > Egon > > -- > Egon Barfusz > Gottschallingerstr.
6 > 4030 Linz > mailto:egon@computronic.at > mailto:egon.barfusz@ambos.co.at > >

From owner-firewalls-list Thu Nov 13 07:10:14 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA12829; Thu, 13 Nov 1997 06:37:10 -0800 (PST) Received: from gkbkup2.bridge.com (gkbkup2.bridge.com [167.76.159.20]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id GAA12820 for ; Thu, 13 Nov 1997 06:37:02 -0800 (PST) Received: by gkbkup2.bridge.com; id IAA05473; Thu, 13 Nov 1997 08:37:35 -0600 (CST) Received: from dns1srv.bridge.com(167.76.56.13) by gkbkup2.bridge.com via smap (3.2) id xma005425; Thu, 13 Nov 97 08:37:19 -0600 Received: from ignatz (ignatz.bridge.com [167.76.24.6]) by dns1srv.bridge.com (8.7.6/8.7.3) with SMTP id IAA23250; Thu, 13 Nov 1997 08:38:01 -0600 (CST) Date: Thu, 13 Nov 1997 08:38:00 -0600 (CST) From: Ken Hardy X-Sender: ken@ignatz To: Jerry Edmiston cc: firewalls GreatCircle Subject: Re: NetScape vs Explorer In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

This does tangentially relate to firewalls -- how do you configure your browser to use the firewall or not in an intelligent manner? MSIE, surprisingly enough, supports the proxy autoconfig script definition created by NetScape. If you configure the browser to use the autoconfig script, you can get as creative as you want in defining where to go for connecting to which server. You can mix and match different proxies, SOCKS proxies, and direct connections, depending on the target server and protocol. You can even give a list of connection methods, with different proxies; it is supposed to try them in sequence until it succeeds in making a connection. You can use host names, FQDNs, and/or IP addresses in the script's logic.
Our public servers are in the same domain that we use internally, but they can only be connected to internally through the firewall's proxy. So our autoconfig script uses the DIRECT method for all local addresses and names *except* those explicitly listed as requiring the PROXY method. All foreign names and addresses go PROXY. In the past we had an internal caching proxy. At that time the script said go to the internal proxy first, then directly to the firewall if that failed, so they'd still get connected if the internal cache went down. See http://home.netscape.com/eng/mozilla/2.0/relnotes/demo/proxy-live.html for details. -- KH

On 13 Nov 1997, Jerry Edmiston wrote: > Subject: Time: 6:15 AM > OFFICE MEMO NetScape vs Explorer Date: 11/13/97 >

From owner-firewalls-list Thu Nov 13 07:24:51 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA17780; Thu, 13 Nov 1997 07:11:53 -0800 (PST) Received: from cliff.bms.com (cliff.bms.com [140.176.1.102]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id HAA17771 for ; Thu, 13 Nov 1997 07:11:48 -0800 (PST) Received: from zim.bms.com (pendragon.zim.bms.com) by cliff.bms.com (PMDF V5.1-10 #22413) with SMTP id <01IPYH8VPZSE006ECV@cliff.bms.com> for Firewalls@GreatCircle.com; Thu, 13 Nov 1997 10:12:06 EST Received: from ccmail.zim.bms.com by zim.bms.com (4.1/SMI-4.1) id AA13984; Thu, 13 Nov 1997 10:12:55 -0500 (EST) Received: from cc:Mail by ccmail.zim.bms.com id AA879439042; Tue, 11 Nov 1997 16:36:05 -0500 (EST) Date: Tue, 11 Nov 1997 16:36:05 -0500 (EST) From: "Guse, Darren J." Subject: Re[2]: Summary on Java Sanity Check To: jk@stallion.ee, Mario Biron Cc: Firewalls@GreatCircle.com Message-id: <9710138794.AA879439042@ccmail.zim.bms.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

______________________________ Reply Separator _________________________________ >>P.S. The new Pentium bug, could this be implemented in Java or ActiveX :) >In Java, I don't know...
it's interpreted so I'm not really sure (the >sandbox should prevent any attempt to run proprietary code). But in ActiveX, >sure as hell you could do it! What Pentium bug???

From owner-firewalls-list Thu Nov 13 08:06:39 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA19446; Thu, 13 Nov 1997 07:20:11 -0800 (PST) Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id HAA19408 for ; Thu, 13 Nov 1997 07:20:02 -0800 (PST) Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id KAA19985; Thu, 13 Nov 1997 10:18:32 -0500 (EST) From: Adam Shostack Message-Id: <199711131518.KAA19985@homeport.org> Subject: Re: Finjan Surfin Gate Review In-Reply-To: <9711102242.AA19600@baileynm.com> from Peter da Silva at "Nov 10, 97 04:42:16 pm" To: peter@baileynm.com (Peter da Silva) Date: Thu, 13 Nov 1997 10:18:32 -0500 (EST) Cc: firewalls@GreatCircle.COM X-Mailer: ELM [version 2.4ME+ PL27 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Peter, I agree 100% with the content of what you say here. Unfortunately, we've seen time and time again that people are not willing to pay extra up front for security or reliability. Firewalls are an example of this failure; I can take the essence of your argument (that security has to be designed into a system, not bolted on haphazardly) and argue that firewalls are a bad thing. However, as long as people will be clamoring to allow Java and ActiveX through the firewall, a real application-aware gateway might help provide some protection. An example: We're all familiar with the multi-stage "perfect ActiveX crime," where my first control changes the list of acceptable certificates, my second turns off logging, my third steals your (), my fourth restores the original settings.
A gateway that understands ActiveX could, in theory, check the signatures and cert chains on incoming code, and only allow in code that's been signed in accordance with the site's policy. This is not great security; I'm not arguing that it's a better approach than Peter's. But I expect it is one that will be adopted by the market that doesn't want to pay to put NT on all their desktops, where at least you get some memory protection, some logging, and some security. Adam

Peter da Silva wrote: | The whole issue of scanning for dangerous code is a fundamentally broken | approach to security. It's failed spectacularly for virus detectors (though | it's been a tremendous success for virus detector COMPANIES as people have | to keep paying danegelt to McAfee and Symantec to keep up the arms race), | and it will fail even more spectacularly here (virus writers are primarily | ego driven. With hostile applets, where you can force the code to be executed | where and when you want, when you know your victim has a communication link | up, you can get real money out of the deal). | | The only viable solution is a strong sandbox that doesn't contain any tools | that can be used to violate the integrity of the user's system. Yes, this | will limit the end-user's ability to do some interesting and useful things | with applets. What a SHAME. The poor user will need to actually DOWNLOAD and | INSTALL a plugin (after verifying that it really came from an entity that he | can successfully sue if it contains malicious code). I think that's a small | price to pay for a modicum of security.
| %!PS | true(<

; Thu, 13 Nov 1997 08:32:13 -0800 (PST) From: harley@icrf.icnet.uk Message-Id: <199711131632.IAA29061@honor.greatcircle.com> Received: by europa.lif.icnet.uk; Thu, 13 Nov 1997 16:33:37 GMT Subject: Re[2]: Summary on Java Sanity Check To: firewalls@greatcircle.com Date: Thu, 13 Nov 1997 16:33:36 +0000 (GMT) X-Mailer: ELM [version 2.4 PL23] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> >>P.S. The new Pentium bug, could this be implemented in Java or ActiveX :) > > >In Java, I don't know... it's interpreted so I'm not really sure (the > >sandbox should prevent any attempt to run proprietary code). But in ActiveX, > >sure as hell you could do it! > > > What Pentium bug??? > Don't you mean which Pentium bug? B-) -- David Harley | alt.comp.virus FAQ D.Harley@icrf.icnet.uk | & Anti-Virus Web Page Support & Security Analyst | Folk London On-Line gig-list Imperial Cancer Research Fund | http://webworlds.co.uk/dharley/

From owner-firewalls-list Thu Nov 13 08:59:05 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA02504; Thu, 13 Nov 1997 08:54:12 -0800 (PST) Received: from ITSUSNOW.COM (smtp.itsusnow.com [38.246.66.5]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id IAA02467 for ; Thu, 13 Nov 1997 08:54:01 -0800 (PST) Received: from ITS-NSS-DOMAIN-Message_Server by ITSUSNOW.COM with Novell_GroupWise; Thu, 13 Nov 1997 11:52:30 -0500 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Thu, 13 Nov 1997 11:51:52 -0500 From: Justin peltier To: jle9@eci-esyst.com, firewalls@greatcircle.com Subject: Re: NetScape vs Explorer Mime-Version: 1.0 Content-Type: text/plain Content-Disposition: inline Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

For this situation it might be easiest to solve if your firewall supports split-level DNS. Raptor does this.
It allows you to associate internal addresses to names, and list forwarders for external sites. Then just set your DNS on your clients to point to the Raptor.

>>> "Jerry Edmiston" 11/13 6:35 AM >>> Subject: Time: 6:15 AM OFFICE MEMO NetScape vs Explorer Date: 11/13/97 I understand this is a firewall server group and this subject may seem to stray from the subject, but in our shop it does tie in. I apologize in advance if others see differently. Currently we have NetScape as our inTERnet browser, pointing the proxies to the firewall interface. We also have an inTRAnet utilizing 2 internal domains, with the root in Texas, that are defined in the no proxy section. Everything is fine and works well. We have decided to migrate to M/S Explorer because it is free with NT and Win '95, but I have noticed that Explorer will only resolve 'no-proxy' allocations via a host name, not domain names. This seems to dismantle the DNS structure and force us to define host names and do away with our internal root. Unless I am missing something we can no longer use domain names to access our inTRAnet and internal DNS. Am I correct in my assumption or am I missing something?
Where do I define the domain names that I want Explorer to use the internal DNS to resolve, or can I...thanks in advance for any help...jle9@eci-esyst.com

From owner-firewalls-list Thu Nov 13 09:24:47 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA05436; Thu, 13 Nov 1997 09:10:58 -0800 (PST) Received: from server.local.sunyit.edu (A-T34.rh.sunyit.edu [150.156.210.241]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id JAA05395 for ; Thu, 13 Nov 1997 09:10:46 -0800 (PST) Received: from localhost (perlsta@localhost) by server.local.sunyit.edu (8.8.7/8.8.5) with SMTP id NAA15440; Thu, 13 Nov 1997 13:15:58 -0500 (EST) X-Authentication-Warning: server.local.sunyit.edu: perlsta owned process doing -bs Date: Thu, 13 Nov 1997 13:15:57 -0500 (EST) From: Alfred Perlstein X-Sender: perlsta@server.local.sunyit.edu To: "Barfuß Egon jun." cc: firewalls@GreatCircle.COM, ntsecurity@iss.net, hackers@FreeBSD.com Subject: Re: Need a Firewall but don´t know which one In-Reply-To: <346ABBED.9B263F33@computronic.at> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Content-Transfer-Encoding: QUOTED-PRINTABLE Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Simply, FreeBSD offers a firewall where TCP and UDP traffic can be blocked, allowed or even diverted into a program for it to process. And it's free. -Al

On Thu, 13 Nov 1997, Barfuß Egon jun. wrote: > Hi there, > > Big problem! > We are running an internet server but till now we don´t have any > firewall. Now I´m searching one but don´t know which one I should take. > > I found a site http://www.waterw.com/~manowar/vendor.html with many > various products and platforms and I got some informations about > WatchGuard. Does anyone know something about it? > > Is NT a good platform??? I heard that it is a bit unsecure because some > problems with TCP/IP ports and Redbutton.
> > What do you think about it and which platform/system is the best/better > one?? > > Thanks in advance > > Egon > > -- > Egon Barfusz > Gottschallingerstr. 6 > 4030 Linz > mailto:egon@computronic.at > mailto:egon.barfusz@ambos.co.at > > >

From owner-firewalls-list Thu Nov 13 10:54:00 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA12283; Thu, 13 Nov 1997 09:50:30 -0800 (PST) Received: from sla-nt2.sla.com (mail1.sla.com [207.153.168.35]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id JAA12269 for ; Thu, 13 Nov 1997 09:50:24 -0800 (PST) Received: by mail1.sla.com with Internet Mail Service (5.0.1457.3) id ; Thu, 13 Nov 1997 09:48:31 -0800 Message-ID: From: "Stackpole, Bill" To: "'Guse, Darren J.'" Cc: Firewalls@GreatCircle.com Subject: RE: Re[2]: Summary on Java Sanity Check Date: Thu, 13 Nov 1997 09:48:29 -0800 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1457.3) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

If any of you Active-X types know how to translate C code into Active-X calls, here's the bug exploit.

/* If you execute F0 0F C7 C8 on Pentium and Pentium MMX CPUs the CPU will
   lock up. This will not work on Pentium Pro and Pentium II, AMD K6 and
   Cyrix 6x86 CPUs. It is an invalid form of cmpxchg8b eax with a lock
   prefix. */
char badopcodes[5] = {0xf0, 0x0f, 0xc7, 0xc8};

void main ()
{
    void (*crashP5)() = badopcodes;
    crashP5();
}

Crashed my NT Workstation machine in a heartbeat.

> -----Original Message----- > From: Guse, Darren J. [SMTP:dguse@ccmail.zim.bms.com] > Sent: Tuesday, November 11, 1997 1:36 PM > To: jk@stallion.ee; Mario Biron > Cc: Firewalls@GreatCircle.com > Subject: Re[2]: Summary on Java Sanity Check > > > > > ______________________________ Reply Separator > _________________________________ > > >>P.S.
The new Pentium bug, could this be implemented in Java or
> ActiveX :)
> 
> >In Java, I don't know... it's interpreted so I'm not really sure (the
> > >sandbox should prevent any attempt to run proprietary code). But in
> ActiveX,
> >sure as hell you could do it!
> 
> 
>      What pentium bug???

From owner-firewalls-list  Thu Nov 13 10:59:29 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA20436; Thu, 13 Nov 1997 10:39:12 -0800 (PST)
Received: from apu.rcp.net.pe (apu.rcp.net.pe [161.132.5.16]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id KAA20274 for ; Thu, 13 Nov 1997 10:38:44 -0800 (PST)
Received: from localhost (610 bytes) by apu.rcp.net.pe via sendmail with P:stdio/R:inet_hosts/T:smtp (sender: ) (ident using unix) id for ; Thu, 13 Nov 1997 13:38:56 -0500 (EST) (Smail-3.2.0.96 1997-Jun-2 #4 built 1997-Nov-8)
Message-Id: 
From: vadillo@apu.rcp.net.pe (Enrique Vadillo)
Subject: Real Audio port
To: firewalls@GreatCircle.COM
Date: Thu, 13 Nov 1997 13:38:56 -0500 (EST)
PGP-FingerPrint: 55 B9 83 D2 61 71 E6 6B 1E CE FD B5 F7 AA F1 B5
X-Mailer: ELM [version 2.4ME+ PL22 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Please guys, what port does Real Audio use? 
Thanks,

Enrique Vadillo-
-- 
RCP - Internet Peru
Fax: +51 1 241-1320
Web Site: http://www.rcp.net.pe (PERU)
Mirror Web Site: http://ekeko.rcp.net.pe (USA)

From owner-firewalls-list  Thu Nov 13 11:50:07 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA01017; Thu, 13 Nov 1997 11:34:33 -0800 (PST)
Received: from mail.co.santa-barbara.ca.us ([161.213.144.8]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id LAA00916 for ; Thu, 13 Nov 1997 11:34:12 -0800 (PST)
Received: from pc3202a by mail.co.santa-barbara.ca.us (Unoverica 2.90c) id 00000BE0; Thu, 13 Nov 1997 11:33:34 -0800
Message-ID: <346B5657.2C8C@co.santa-barbara.ca.us>
Date: Thu, 13 Nov 1997 11:34:47 -0800
From: John snyder 
Reply-To: Snyder@co.santa-barbara.ca.us
Organization: Santa Barbara County
X-Mailer: Mozilla 3.0C-E-KIT (Win16; I)
MIME-Version: 1.0
To: firewalls@GreatCircle.COM
Subject: BorderManager
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

My management has requested that I look into BorderManager from Novell
as a candidate firewall solution. 

I'm interested in contacting anyone with some experience running this
product. 
Thanks in advance for your opinions and guidance,
jhs

From owner-firewalls-list  Thu Nov 13 11:56:28 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA21707; Thu, 13 Nov 1997 10:45:38 -0800 (PST)
Received: from hicks.valleynet.bc.ca ([206.12.160.1]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id KAA21691 for ; Thu, 13 Nov 1997 10:45:30 -0800 (PST)
Received: from TIMEDOUT@[194.229.190.5] (port 62424 [194.229.190.5]) by hicks.valleynet.bc.ca with SMTP id <331809-104>; Thu, 13 Nov 1997 10:42:34 +0000
From: "Kevin Traas" 
To: , 
Cc: 
Subject: Re: Re[2]: Summary on Java Sanity Check
Date: Thu, 13 Nov 1997 19:44:46 +0100
Message-ID: <01bcf064$36f2aa00$f50d4fc1@kevint.baan-institute.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.71.1712.3
X-Mimeole: Produced By Microsoft MimeOLE V4.71.1712.3
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>> >>P.S. The new Pentium bug, could this be implemented in Java or ActiveX :)
>> >But in ActiveX, sure as hell you could do it!
>> What pentium bug???
>Don't you mean which pentium bug? B-)
.... 
I think he means this one:

http://support.intel.com/support/processors/pentium/ppiie/index.htm

Later,
Kevin Traas

From owner-firewalls-list  Thu Nov 13 12:43:38 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA06591; Thu, 13 Nov 1997 12:14:05 -0800 (PST)
Received: from cortex.NSMA.Arizona.EDU (cortex.NSMA.Arizona.EDU [128.196.180.125]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id MAA06540 for ; Thu, 13 Nov 1997 12:13:53 -0800 (PST)
Received: from cortex (localhost [127.0.0.1]) by cortex.NSMA.Arizona.EDU (8.7.5/8.7.5) with ESMTP id NAA17452; Thu, 13 Nov 1997 13:17:54 -0700 (MST)
Message-Id: <199711132017.NAA17452@cortex.NSMA.Arizona.EDU>
To: firewalls@greatcircle.com, netsecurity@iss.net
Cc: "Barfuß Egon jun." , ddw@cortex.NSMA.Arizona.EDU
Subject: Re: Need a Firewall but don't know which one
In-reply-to: Your message of "Thu, 13 Nov 1997 13:15:57 EST."
Date: Thu, 13 Nov 1997 13:17:53 -0700
From: Doug Wellington 
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Previously:
>> We are running an internet server but till now we don't have any
>> firewall. Now I'm searching one but don't know which one I should take.

I suggest getting two books from the O'Reilly people - "Practical Unix and
Internet Security" and "Building Internet Firewalls". Read through them and
decide which type of firewall you feel most comfortable with. Make the
choice of whether you want to buy a commercial system or build one from the
free parts on the net. If you want a commercial system, find the vendor you
like with that type of firewall, and only then get the operating system
that firewall works on. If you want to "roll your own", then you'll be
faced with a lot of other decisions, but if you read those two books,
you'll have a pretty good idea of what they are...

>> Is NT a good platform??? I heard that it is a bit unsecure because some
>> problems with TCP/IP ports and Redbutton. 
Well, as for the first question, yes, NT is a "good" platform. As for the
security part - well, for a firewall, it's more important to look at what
the firewall vendor has done with it. *ALL* operating systems are insecure
"out of the box"...

>> What do you think about it and which platform/system is the best/better
>> one??

This is a "religious" question. Please refer back to my first paragraph...

-Doug

Doug Wellington                         ddw@nsma.arizona.edu
Network and System Administrator
ARL, Division of Neural Systems, Memory and Aging
The University of Arizona, Tucson, AZ
(520) 626-6023   (520) 291-0481 pager   (520) 626-2618 fax

I DON'T buy anything from spammers, and I KEEP TRACK OF WHO SPAMS ME.
I put up with ads on the TV because they pay for programming. When
spammers pay for the Internet, then I'll start listening to spam.

From owner-firewalls-list  Thu Nov 13 12:43:42 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA08036; Thu, 13 Nov 1997 12:27:41 -0800 (PST)
Received: from mail.gwi.net (mail.gwi.net [204.120.68.142]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id MAA07999 for ; Thu, 13 Nov 1997 12:27:32 -0800 (PST)
Received: from river.gwi.net (jgreene@river.gwi.net [204.120.68.6]) by mail.gwi.net (8.8.7/8.8.7) with SMTP id PAA20872; Thu, 13 Nov 1997 15:28:44 -0500 (EST)
Date: Thu, 13 Nov 1997 15:28:43 -0500 (EST)
From: "James W. Greene" 
To: Enrique Vadillo 
cc: firewalls@GreatCircle.COM
Subject: Re: Real Audio port
In-Reply-To: 
Message-ID: 
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

it uses port 7070

On Thu, 13 Nov 1997, Enrique Vadillo wrote:

> Please guys, what port does Real Audio use? 
> 
> Thanks,
> 
> Enrique Vadillo-
> -- 
> RCP - Internet Peru
> Fax: +51 1 241-1320
> Web Site: http://www.rcp.net.pe (PERU)
> Mirror Web Site: http://ekeko.rcp.net.pe (USA)
> 
> 

From owner-firewalls-list  Thu Nov 13 13:30:35 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA08287; Thu, 13 Nov 1997 12:30:28 -0800 (PST)
Received: from nebula.is.rpslmc.edu (nebula.is.rpslmc.edu [144.74.19.111]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id MAA08280 for ; Thu, 13 Nov 1997 12:30:16 -0800 (PST)
From: ddrumm@rush.edu
Received: (qmail 4845 invoked by uid 2001); 13 Nov 1997 20:36:51 -0000
Date: Thu, 13 Nov 1997 14:36:51 -0600 (CST)
To: "Stackpole, Bill" 
cc: "'Guse, Darren J.'" , Firewalls@GreatCircle.com
Subject: RE: Re[2]: Summary on Java Sanity Check
In-Reply-To: 
Message-ID: 
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 13 Nov 1997, Stackpole, Bill wrote:

> If any of you Active-X types know how to translate C code into Active-X
> calls here's the bug exploit.

[snip]

> Crashed my NT Workstation machine in a heart beat.
> >      What pentium bug???

This is a poke (anyone remember poke and peek?) at an invalid Op Code for
the Pentium. NT and Linux and whatever else will crash when you hit those
OpCodes. 

The fix, I guess, is to use a PPro or a P2 or a Cyrix or a AMD K6.

--
Daniel G. Drumm - ddrumm@rush.edu
Rush Presbyterian St. 
Luke's Medical Center - Chicago, IL
Network Division - Information Services

From owner-firewalls-list  Thu Nov 13 16:11:24 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA08032; Thu, 13 Nov 1997 15:23:28 -0800 (PST)
Received: from diablo.intergate.bc.ca (diablo.intergate.bc.ca [205.206.192.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id PAA07953 for ; Thu, 13 Nov 1997 15:22:47 -0800 (PST)
Received: from seane.choreo.ca (pm34s7.intergate.bc.ca [207.34.182.18]) by diablo.intergate.bc.ca (8.8.7/8.6.9) with ESMTP id QAA01730; Thu, 13 Nov 1997 16:59:05 -0800 (PST)
Message-ID: <34689DAE.8A4FBB26@intergate.bc.ca>
Date: Tue, 11 Nov 1997 10:02:23 -0800
From: Sean Elrington 
Reply-To: seane@choreo.ca
Organization: Choreo Systems
X-Mailer: Mozilla 4.01 [en] (Win95; I)
MIME-Version: 1.0
To: Angel López Escobar 
CC: Neil_Buckley/CAM/Lotus@lotus.com, firewalls@GreatCircle.COM
Subject: Re: Penetration Detection Tools
X-Priority: 3 (Normal)
References: 
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Angel López Escobar wrote:

>
> >      Does anyone have recommendations for third party penetration
> detection
> > tools,  I am fairly familiar with most freeware products for UNIX,
> but I
> > need a company wide solution.

Take a look at http://www.axent.com - they have a number of tools for
auditing, intrusion detection, UNIX access mgmt as well as a pretty good
general security website. 
--
Sean Elrington
Choreo Systems - Vancouver
(604) 737-3993 www.choreosystems.com  seane@choreo.ca
=====================================================
Firewalls, encryption, security tools
X.11, NFS, TCP/IP
Messaging and Directory software
=====================================================

From owner-firewalls-list  Thu Nov 13 16:13:53 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id QAA12803; Thu, 13 Nov 1997 16:10:34 -0800 (PST)
Received: from mailgw2.fhg.de (fhg.de [153.96.1.1]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id QAA12745; Thu, 13 Nov 1997 16:10:21 -0800 (PST)
From: danwilk35@yvv.com
Received: by mailgw2.fhg.de (fhg.de); Fri, 14 Nov 1997 01:13:13 +0100 (MET)
X-ENV: (mailgw2.fhg.de) danwilk35@yvv.com -> 
Received: by mailgw2.fhg.de (fhg.de) with SMTP; Fri, 14 Nov 1997 01:09:41 +0100 (MET) from 153.96.1.1
Date: Thu, 13 Nov 97 19:07:19 EST
To: Friend@public.com
Subject: Re: Wendy's web page.
Message-ID: <>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk
                                       CLICK HERE TO TAKE A LOOK
 
If you're over 18 you'll want to SEE THIS! 
FREE LIVE CYBERSEX 24 HOURS A DAY
RIGHT ON YOUR COMPUTER SCREEN !!!
 
 You can watch Them do it all LIVE, talk live
 and get these gorgeous models to do anything!
 You tell them what to do, and they do it
 right on your computer screen!!!
 
HOT YOUNG GIRLS AND GUYS
And the best part is its FREE !!!
  
 CLICK HERE TO TAKE A LOOK
 
 
TO SEE THIS HOT   F R E E  WEB PAGE GO TO:    http://207.247.5.82/2449

NO CREDIT CARD OR 900# STUFF....   ITS FREE !!!


From owner-firewalls-list  Thu Nov 13 16:16:45 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA07908; Thu, 13 Nov 1997 15:22:25 -0800 (PST)
Received: from diablo.intergate.bc.ca (diablo.intergate.bc.ca [205.206.192.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id PAA07866 for ; Thu, 13 Nov 1997 15:22:11 -0800 (PST)
Received: from seane.choreo.ca (pm34s7.intergate.bc.ca [207.34.182.18]) by diablo.intergate.bc.ca (8.8.7/8.6.9) with ESMTP id QAA01754; Thu, 13 Nov 1997 16:59:10 -0800 (PST)
Message-ID: <34689DC0.8758E14B@intergate.bc.ca>
Date: Tue, 11 Nov 1997 10:02:41 -0800
From: Sean Elrington 
Reply-To: seane@choreo.ca
Organization: Choreo Systems
X-Mailer: Mozilla 4.01 [en] (Win95; I)
MIME-Version: 1.0
To: Angel López Escobar 
CC: Neil_Buckley/CAM/Lotus@lotus.com, firewalls@GreatCircle.COM
Subject: Re: Penetration Detection Tools
X-Priority: 3 (Normal)
References: 
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Angel López Escobar wrote:

>
> >      Does anyone have recommendations for third party penetration
> detection
> > tools,  I am fairly familiar with most freeware products for UNIX,
> but I
> > need a company wide solution.

Take a look at http://www.axent.com - they have a number of tools for
auditing, intrusion detection, UNIX access mgmt as well as a pretty good
general security website.
--
Sean Elrington
Choreo Systems - Vancouver
(604) 737-3993 www.choreosystems.com  seane@choreo.ca
=====================================================
Firewalls, encryption, security tools
X.11, NFS, TCP/IP
Messaging and Directory software
=====================================================





From owner-firewalls-list  Thu Nov 13 16:22:49 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA07977; Thu, 13 Nov 1997 15:23:04 -0800 (PST)
Received: from diablo.intergate.bc.ca (diablo.intergate.bc.ca [205.206.192.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id PAA07876 for ; Thu, 13 Nov 1997 15:22:12 -0800 (PST)
Received: from seane.choreo.ca (pm34s7.intergate.bc.ca [207.34.182.18]) by diablo.intergate.bc.ca (8.8.7/8.6.9) with ESMTP id QAA01691; Thu, 13 Nov 1997 16:58:53 -0800 (PST)
Message-ID: <346896DB.FBB20BD@intergate.bc.ca>
Date: Tue, 11 Nov 1997 09:33:18 -0800
From: Sean Elrington 
Reply-To: seane@choreo.ca
Organization: Choreo Systems
X-Mailer: Mozilla 4.01 [en] (Win95; I)
MIME-Version: 1.0
To: Klaus.Kolari@valmet.com
CC: Firewalls@GreatCircle.COM
Subject: Re: httpd stopped responding on Raptor V3.1
X-Priority: 3 (Normal)
References: <"51502:1*"@MHS>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Klaus.Kolari@valmet.com wrote:

> Item Subject: Downgraded Lotus Notes Message Text
>
> Form : COMMENT
>
> Author : CN=Klaus Kolari/OU=VHO/O=VALMET
>
> Comment : Hello,
>
> has anybody experienced a situation where httpd all of a
> sudden just stops responding on a Raptor V3.1 firewall? In
> the logfiles there's nothing extraordinary, only some
> [connect failed] messages. And what's even more bizarre is
> that everything else (telnet, ftp, news etc.) works, httpd
> only won't answer anymore.
>
> Thanks,
> Klaus Kolari,
> Charlotte, NC

The version you are using is at least a year old (the current release is
4.x and 5.0 is due within a few weeks). Like most firewalls  circa '96
it had its share of bugs. You can try re-booting (or NET STOP EAGLE and
NET START EAGLE) but you would simply be better off upgrading.
--
Sean Elrington
Choreo Systems - Vancouver
(604) 737-3993 www.choreosystems.com  seane@choreo.ca
=====================================================
Firewalls, encryption, security tools
X.11, NFS, TCP/IP
Messaging and Directory software
=====================================================





From owner-firewalls-list  Thu Nov 13 16:25:36 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA08026; Thu, 13 Nov 1997 15:23:25 -0800 (PST)
Received: from diablo.intergate.bc.ca (diablo.intergate.bc.ca [205.206.192.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id PAA07943 for ; Thu, 13 Nov 1997 15:22:45 -0800 (PST)
Received: from seane.choreo.ca (pm34s7.intergate.bc.ca [207.34.182.18]) by diablo.intergate.bc.ca (8.8.7/8.6.9) with ESMTP id QAA01612; Thu, 13 Nov 1997 16:58:43 -0800 (PST)
Message-ID: <3468955D.2E1A0281@intergate.bc.ca>
Date: Tue, 11 Nov 1997 09:26:55 -0800
From: Sean Elrington 
Reply-To: seane@choreo.ca
Organization: Choreo Systems
X-Mailer: Mozilla 4.01 [en] (Win95; I)
MIME-Version: 1.0
To: Jose Luis Delgado 
CC: Firewalls@GreatCircle.COM
Subject: Re: Help with Raptor !!
X-Priority: 3 (Normal)
References: 
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Jose Luis Delgado wrote:

> HI to everybody!
>
> I'm looking for a bit of your help!
>
> I'm going to install in a machine with this characteristics:
>
> Sparc20
> 160MB  (I'm going to upgrade to 256MB)
> 2HD (1GB each)
> 1 microprocessor (I'm going to put one more)
>
> this software:
> - Solaris 2.5.1
> - Eagle Raptor Firewall!
> - WebNotes
>
> Question:
>
> Am I going to have PERFORMANCE problems with this characteristics?
>
> is my hardware enough?
>
> else... which?
>
> Thanks in advance!
>
> P.S.: I'm not in your mailing list... yet, can you response directly?

How many users are you going to be supporting? Will you be using
encryption (VPN)? What is the speed of your internet connection?
It sounds like you don't have anything to worry about unless you are
anticipating a lot of traffic.
What is WebNotes - I think you mean WebNot ;-)

--
Sean Elrington
Choreo Systems - Vancouver
(604) 737-3993 www.choreosystems.com  seane@choreo.ca
=====================================================
Firewalls, encryption, security tools
X.11, NFS, TCP/IP
Messaging and Directory software
=====================================================





From owner-firewalls-list  Thu Nov 13 17:13:18 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA27316; Thu, 13 Nov 1997 14:18:29 -0800 (PST)
Received: from alcove.wittsend.com (alcove.wittsend.com [130.205.0.20]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id OAA27214 for ; Thu, 13 Nov 1997 14:17:45 -0800 (PST)
Received: (from mhw@localhost)
	by alcove.wittsend.com (8.8.7/8.8.7) id RAA14182;
	Thu, 13 Nov 1997 17:17:26 -0500
From: "Michael H. Warfield" 
Message-Id: <199711132217.RAA14182@alcove.wittsend.com>
Subject: Re: Re[2]: Summary on Java Sanity Check
In-Reply-To:  from "ddrumm@rush.edu" at "Nov 13, 97 02:36:51 pm"
To: ddrumm@rush.edu
Date: Thu, 13 Nov 1997 17:17:26 -0500 (EST)
Cc: BSTACKPO@sla.com, dguse@ccmail.zim.bms.com, Firewalls@GreatCircle.COM
X-Mailer: ELM [version 2.4ME+ PL33 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

ddrumm@rush.edu enscribed thusly:
> On Thu, 13 Nov 1997, Stackpole, Bill wrote:

> > If any of you Active-X types know how to translate C code into Active-X
> > calls here's the bug exploit.

> [snip]

> > Crashed my NT Workstation machine in a heart beat.
> > >      What pentium bug???

> This is a poke (anyone remember poke and peek?) at an invalid Op Code for
> the Pentium. NT and Linux and whatever else will crash when you hit those
> OpCodes. 

> The fix, I guess, is to use a PPro or a P2 or a Cyrix or a AMD K6.

	For Linux, BSD, and SCO Unix (others to follow) there are now patches.
A little creative manipulation of the MMU with some invalid page table entries
results in a trap the OS can intercept before the instruction can do its
damage...

> --
> Daniel G. Drumm - ddrumm@rush.edu
> Rush Presbyterian St. Luke's Medical Center - Chicago, IL
> Network Division - Information Services

	Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw@WittsEnd.com
  (The Mad Wizard)      |  (770) 925-8248   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!

From owner-firewalls-list  Thu Nov 13 17:24:02 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA07812; Thu, 13 Nov 1997 15:21:47 -0800 (PST)
Received: from diablo.intergate.bc.ca (diablo.intergate.bc.ca [205.206.192.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id PAA07784 for ; Thu, 13 Nov 1997 15:21:34 -0800 (PST)
Received: from seane.choreo.ca (pm34s7.intergate.bc.ca [207.34.182.18]) by diablo.intergate.bc.ca (8.8.7/8.6.9) with ESMTP id QAA01560; Thu, 13 Nov 1997 16:58:37 -0800 (PST)
Message-ID: <346891A4.354742D9@intergate.bc.ca>
Date: Tue, 11 Nov 1997 09:11:04 -0800
From: Sean Elrington 
Reply-To: seane@choreo.ca
Organization: Choreo Systems
X-Mailer: Mozilla 4.01 [en] (Win95; I)
MIME-Version: 1.0
To: sz-techserv 
CC: firewalls@GreatCircle.COM
Subject: Re: Eagle Raptor firewall
X-Priority: 3 (Normal)
References: <3458BDF5.7286@presidency.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

sz-techserv wrote:

> Hi folks,
>
> lately, we got a new firewall here at our companie and I`m forced to
> set
> it up. It is an Eagle Raptor Firewall (check details at
> http://www.raptor.dk/prodinfo/ds/eagle/eagle.html ) and there is where
>
> my trouble starts: I have no experience with this product. So, the
> question I have is easy: has anyone of You ever worked with this one,
> is
> there something special to look after or does anyone have any tips n
> tricks on maintaining and of course setting it up ?
> ..could really save me some time...
>
> thx a lot...
>
> Christian Petersen-Clausen
> www.shz.de
> hostmaster Schleswig Holsteinischer Zeitungsverlag

Raptor is fairly stable and easy to work with but keep the following in
mind:

1. if you are using NT domain authentication read that section carefully
in the manual since the syntax is critical in setting up the groups
2. close the GUI when you are not using it to save memory and increase
performance
3. don't be cheap with network cards (this actually applies to all
firewalls) since they will have a big impact on your overall performance
4. get the most current patches from both MSoft and Raptor (and don't
overlook any updates the NIC card vendor may have issued)
5. don't forget to add static routes to NT if you have routers behind
the firewall
--
Sean Elrington
Choreo Systems - Vancouver
(604) 737-3993 www.choreosystems.com  seane@choreo.ca
=====================================================
Firewalls, encryption, security tools
X.11, NFS, TCP/IP
Messaging and Directory software
=====================================================





From owner-firewalls-list  Thu Nov 13 17:45:15 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA06079; Thu, 13 Nov 1997 15:05:46 -0800 (PST)
Received: from ITSUSNOW.COM (smtp.itsusnow.com [38.246.66.5]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id PAA06044 for ; Thu, 13 Nov 1997 15:05:34 -0800 (PST)
Received: from ITS-NSS-DOMAIN-Message_Server by ITSUSNOW.COM
	with Novell_GroupWise; Thu, 13 Nov 1997 18:04:08 -0500
Message-Id: 
X-Mailer: Novell GroupWise 4.1
Date: Thu, 13 Nov 1997 18:03:40 -0500
From: Justin peltier 
To: Snyder@co.santa-barbara.ca.us, firewalls@GreatCircle.COM
Subject: Re: BorderManager
Mime-Version: 1.0
Content-Type: text/plain
Content-Disposition: inline
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I've installed many bordermanager firewalls. The best feature is the
proxy cache feature that speeds up web access considerably. The downside
is the filter is a little bit cryptic and hard to close off all gaps.
Don't enable default filtering without a table though, it will close off
all of bordermanager. If you have any specific questions please ask.
jpeltier226@itsusnow.com


===============================
Jason Logan Cooper, CNA
Ideal Technology Solutions U.S., Inc.
jcooper@ITSUSNOW.COM
3138 Hilton Road  Ferndale MI  48220
phone 248.398.5500  ext 231
===============================

>>> John snyder  11/13 2:34 PM >>>
My management has requested that I look into BorderManager from Novell
as  a candidate firewall solution. 

I'm interested in contacting anyone with some experience running this
product.

Thanks in advance for your opinions and guidance,
jhs

From owner-firewalls-list  Thu Nov 13 17:58:09 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA09088; Thu, 13 Nov 1997 15:35:28 -0800 (PST)
Received: from mail.diginsite.com (mail.diginsite.com [208.2.189.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id PAA09042 for ; Thu, 13 Nov 1997 15:35:13 -0800 (PST)
Received: from march.diginsite.com (dlang@march.diginsite.com [208.2.189.102])
	by mail.diginsite.com (8.8.8/8.8.6) with SMTP id PAA12538;
	Thu, 13 Nov 1997 15:29:34 -0800
Date: Thu, 13 Nov 1997 15:33:28 -0800 (PST)
From: David Lang 
To: ddrumm@rush.edu
cc: "Stackpole, Bill" ,
        "'Guse, Darren J.'" ,
        Firewalls@GreatCircle.COM
Subject: RE: Re[2]: Summary on Java Sanity Check
In-Reply-To: 
Message-ID: 
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----

yes, This is not a poke at NT. It is pointing out that with activeX it is
possible to have a page that you go to that will CRASH your machine at the
hardware level. If you can do this with Java as well this is an EXTREMELY good
reason not to allow either through the firewall.

If anyone can set up a "click here to crash your machine" page I would like to
know the URL. It would do wonders for convincing people that java/activeX can be
dangerous.

David Lang
 


On Thu, 13 Nov 1997 ddrumm@rush.edu wrote:

> Date: Thu, 13 Nov 1997 14:36:51 -0600 (CST)
> From: ddrumm@rush.edu
> To: "Stackpole, Bill" 
> Cc: "'Guse, Darren J.'" ,
>     Firewalls@GreatCircle.COM
> Subject: RE: Re[2]: Summary on Java Sanity Check
> 
> On Thu, 13 Nov 1997, Stackpole, Bill wrote:
> 
> > If any of you Active-X types know how to translate C code into Active-X
> > calls here's the bug exploit.
> 
> [snip]
> 
> > Crashed my NT Workstation machine in a heart beat.
> > >      What pentium bug???
> 
> This is a poke (anyone remember poke and peek?) at an invalid Op Code for
> the Pentium. NT and Linux and whatever else will crash when you hit those
> OpCodes. 
> 
> The fix, I guess, is to use a PPro or a P2 or a Cyrix or a AMD K6.
> 
> --
> Daniel G. Drumm - ddrumm@rush.edu
> Rush Presbyterian St. Luke's Medical Center - Chicago, IL
> Network Division - Information Services
> 
> 

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQEVAwUBNGuOSz7msCGEppcbAQHndwgAk2uD4uWXbc1YhcslnQG0m7oEcPI8QOkm
UqcHXjEXg9bldSGb/2RZYE70IcIa5Q1RbV+y3KDBMmYmbo3AU6RIEZy3S88/hMmr
BaqRw0pDVe/VDDW2CVCYRasjQ12UvuI1e4YMdOCe0asCLTCvcaEGxHwlUQqs4RlM
FN1PyM+pNOcRec8cPy5ECCg17WmM8cfZFTC0yxlSLTTJoygtaDeGaTOHrl354T5C
qkDZsDzxklW1J0sL4aM5mPftnN1sIAVqZ73w0kgUxO1re7Lr7y02pUKqaMPiXbQr
KxEJKI8zj+09m/yUy1j/MLxw/N1IF0r8MepaTqkw1HcDmcMdXh7sTQ==
=TL+4
-----END PGP SIGNATURE-----
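
The bytes this thread is passing around (Bill Stackpole's F0 0F C7 C8, Daniel Drumm's description of it as an invalid opcode, and David Lang's point that a firewall would have to keep such content off the desktop) can at least be recognized in a byte stream. The C below is an added example written for this archive, not code from the list or any of its posters. It scans a buffer for LOCK CMPXCHG8B with a register operand: all eight ModRM encodings C8..CF, and any legal prefix bytes sitting between LOCK and the opcode, which a naive four-byte match would miss. The function names and the sample buffer are this example's own, and the sample is constructed, not captured traffic.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Scanner for the "F00F" sequence: a LOCK prefix (F0) on CMPXCHG8B
 * (0F C7 /1) whose ModRM byte selects a register operand (mod == 11),
 * an undefined encoding. Added example; not code from the list.
 */

/* CMPXCHG8B needs reg field /1; the bug needs mod == 11 (register
 * operand). With the r/m field free that is any of C8..CF. */
int is_f00f_modrm(unsigned char modrm)
{
    return (modrm & 0xC0) == 0xC0 && ((modrm >> 3) & 0x07) == 1;
}

/* Legacy prefixes that may legally appear in any order before the
 * opcode; the scanner walks back over them so F0 2E 0F C7 C8 is still
 * caught. */
static int is_legacy_prefix(unsigned char b)
{
    switch (b) {
    case 0xF0: case 0xF2: case 0xF3:             /* LOCK, REPNE, REP     */
    case 0x26: case 0x2E: case 0x36: case 0x3E:  /* ES/CS/SS/DS override */
    case 0x64: case 0x65:                        /* FS/GS override       */
    case 0x66: case 0x67:                        /* operand/address size */
        return 1;
    default:
        return 0;
    }
}

/*
 * Count F00F sequences in buf. *first receives the offset of the
 * earliest prefix byte of the first hit, or -1 if there is none. This
 * is a raw byte search with no instruction decoding, so a match inside
 * immediate data or a non-code section is also reported: it errs on the
 * side of flagging, which is the right bias for a content filter.
 */
size_t count_f00f(const unsigned char *buf, size_t len, long *first)
{
    size_t hits = 0;
    if (first) *first = -1;
    for (size_t i = 0; i + 3 <= len; i++) {
        if (buf[i] != 0x0F || buf[i + 1] != 0xC7 || !is_f00f_modrm(buf[i + 2]))
            continue;
        /* walk back over at most 14 prefix bytes looking for LOCK */
        int locked = 0;
        size_t j = i;
        while (j > 0 && i - j < 14 && is_legacy_prefix(buf[j - 1])) {
            j--;
            if (buf[j] == 0xF0) locked = 1;
        }
        if (!locked)
            continue;   /* 0F C7 C8 without LOCK is an ordinary #UD */
        if (first && *first < 0) *first = (long)j;
        hits++;
    }
    return hits;
}

/* Constructed sample: the posted exploit bytes (offset 2), a valid
 * LOCK CMPXCHG8B [EAX] with a memory operand (F0 0F C7 08), an unlocked
 * register form (0F C7 C8), and a locked register form with a CS
 * override between LOCK and the opcode (2E F0 0F C7 CF). Only the
 * first and the last are F00F hits. */
static const unsigned char sample[] = {
    0x90, 0x90,
    0xF0, 0x0F, 0xC7, 0xC8,
    0xC3,
    0xF0, 0x0F, 0xC7, 0x08,
    0x0F, 0xC7, 0xC8,
    0x2E, 0xF0, 0x0F, 0xC7, 0xCF,
    0xC3
};

size_t scan_sample(long *first)
{
    return count_f00f(sample, sizeof sample, first);
}

int main(void)
{
    long first;
    size_t n = scan_sample(&first);
    printf("%zu F00F sequence(s); first at offset %ld\n", n, first);
    return n ? 1 : 0;
}
```

Run against the sample it reports two hits, the first at offset 2. The check is only as good as the bytes it sees: an ActiveX control or Java class reaching the browser through compression, encoding, or a later download is not scanned by a filter that matched on the wire, so this belongs on the host (or in a proxy that unpacks content) and is a complement to, not a substitute for, the operating-system trap Michael Warfield describes above.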


From owner-firewalls-list  Thu Nov 13 18:13:09 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA07944; Thu, 13 Nov 1997 15:22:46 -0800 (PST)
Received: from diablo.intergate.bc.ca (diablo.intergate.bc.ca [205.206.192.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id PAA07877 for ; Thu, 13 Nov 1997 15:22:13 -0800 (PST)
Received: from seane.choreo.ca (pm34s7.intergate.bc.ca [207.34.182.18]) by diablo.intergate.bc.ca (8.8.7/8.6.9) with ESMTP id QAA01779; Thu, 13 Nov 1997 16:59:14 -0800 (PST)
Message-ID: <34689DCB.F12474EC@intergate.bc.ca>
Date: Tue, 11 Nov 1997 10:02:52 -0800
From: Sean Elrington 
Reply-To: seane@choreo.ca
Organization: Choreo Systems
X-Mailer: Mozilla 4.01 [en] (Win95; I)
MIME-Version: 1.0
To: Angel López Escobar 
CC: Neil_Buckley/CAM/Lotus@lotus.com, firewalls@GreatCircle.COM
Subject: Re: Penetration Detection Tools
X-Priority: 3 (Normal)
References: 
Content-Type: multipart/alternative; boundary="------------EFB3DB328C1DE491F87EBC0C"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


--------------EFB3DB328C1DE491F87EBC0C
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Angel López Escobar wrote:

>
> >      Does anyone have recommendations for third party penetration
> detection
> > tools,  I am fairly familiar with most freeware products for UNIX,
> but I
> > need a company wide solution.

Take a look at http://www.axent.com - they have a number of tools for
auditing, intrusion detection, UNIX access mgmt as well as a pretty good
general security website.
--
Sean Elrington
Choreo Systems - Vancouver
(604) 737-3993 www.choreosystems.com  seane@choreo.ca
=====================================================
Firewalls, encryption, security tools
X.11, NFS, TCP/IP
Messaging and Directory software
=====================================================


--------------EFB3DB328C1DE491F87EBC0C--

From owner-firewalls-list  Thu Nov 13 18:28:09 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id SAA05277; Thu, 13 Nov 1997 18:26:10 -0800 (PST)
Received: from gate5.gateway.com ([208.215.59.159]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id SAA05219 for ; Thu, 13 Nov 1997 18:25:48 -0800 (PST)
Received: by gate5.gateway.com; id UAA13926; Thu, 13 Nov 1997 20:25:56 -0600 (CST)
Received: from taltos.tla.org(207.77.241.130) by lsf009.gateway.com via smap (3.2) id xma013896; Thu, 13 Nov 97 20:25:47 -0600
Received: (from carson@localhost) by taltos.tla.org (8.8.6/8.8.6) id VAA11938; Thu, 13 Nov 1997 21:23:38 -0500 (EST)
Date: Thu, 13 Nov 1997 21:23:38 -0500 (EST)
Message-Id: <199711140223.VAA11938@taltos.tla.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
From: carson@tla.org
To: "Lau, Chris" 
Cc: "'firewalls@greatcircle.com'" 
Subject: Re: spam
In-Reply-To: 
References: 
X-Mailer: VM 6.22 under 19.15 XEmacs Lucid
Reply-To: carson@tla.org
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>>>>> "Chris" == Lau, Chris writes:

Chris> Does anyone have a solution on how to stop spam email at the firewall
Chris> level? We are using TIS Gauntlet. Some one out there is using our
Chris> company name to send out spam email. We are getting many angry replies
Chris> to us asking us to stop spamming. We were not the ones doing it.

Yep. Talk to your Gauntlet rep and yell at them to roll out the
anti-relaying patches faster. We (MSDWD, They Who Cut My Paycheck) are
probably going to fork over US$12k to TIS's consulting arm to get the fix
faster. Latest I heard is it should get rolled into the commercial release
1H'98. The more folks who scream at TIS about this, the faster it will get
done. It's all about perceived importance and marketing. 
--
Carson Gaspar -- carson@cs.columbia.edu carson@tla.org carson@cugc.org
http://www.cs.columbia.edu/~carson/home.html
Queen Trapped in a Butch Body

From owner-firewalls-list Thu Nov 13 18:56:35 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA02727; Thu, 13 Nov 1997 14:44:28 -0800 (PST)
Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-971021-1) id OAA26029 for firewalls@greatcircle.com; Thu, 13 Nov 1997 14:09:40 -0800 (PST)
Received: from sla-nt2.sla.com (mail1.sla.com [207.153.168.35]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id IAA04384 for ; Wed, 12 Nov 1997 08:00:56 -0800 (PST)
Received: by mail1.sla.com with Internet Mail Service (5.0.1457.3) id ; Wed, 12 Nov 1997 07:58:19 -0800
Message-ID:
From: "Stackpole, Bill"
To: "'tj@elephant.istiy.yn.cn'" , MIKE JENKINS
Cc: firewalls@greatcircle.com
Subject: RE: help about cisco 2511 config
Date: Wed, 12 Nov 1997 07:58:17 -0800
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1457.3)
Content-Type: multipart/mixed; boundary="---- =_NextPart_000_01BCEF40.BD2BC900"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible.

------ =_NextPart_000_01BCEF40.BD2BC900
Content-Type: text/plain

Here's a couple of Cisco docs that helped me get things to work. One of the big issues is getting the modem to lock its data rate on the DTE side. Some modems can be configured to lock the rate. Others you need to set up a script on the Cisco side so the modem can learn the rate.

> -----Original Message-----
> From: tj [SMTP:tj@elephant.istiy.yn.cn]
> Sent: Monday, November 10, 1997 5:02 PM
> To: MIKE JENKINS
> Cc: firewalls@greatcircle.com
> Subject: help about cisco 2511 config
>
> Hi, everyone here, I have two questions about the Cisco 2511 router:
>
> 1. I set up the speed of the whole 16 async ports to 115200, and turn
> on the modem autoconfig (my modem's speed is 33600), then I dial
> in using PPP, but it does not work. So I change the speed of the whole
> 16 async ports to 14400, then I can get connected. So I want to know if
> someone can tell me how to resolve it, or if you use the Cisco 2511 also,
> please send me your configuration.
> 2. I read the handbook and it said you can use reverse telnet to
> config your modem, like "telnet 233.233.233.1 2001" (where 233.233.233.1 is my
> Cisco 2511's IP address, and 2001 means the 1st async port), thus I can
> use the AT command to config the modem, but now I cannot; it said "connect
> is refused by host". So who can tell me why and how?
>
> thanks a lot.
> Tian Jun

------ =_NextPart_000_01BCEF40.BD2BC900
Content-Type: text/html; name="21.html"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment; filename="21.html"

Cisco - Basic Modem Cabling and Configuration

Basic Modem Cabling and Configuration


Introduction

This document will show you how to configure most popular modems to work on a Cisco access server or on a router's console/AUX port. The first section, "RS-232 Cabling," provides important background information, but if you're already familiar with modem cabling, go ahead and skip to the section called "Configuring the Cisco Side" on page 3.

RS-232 Cabling

The end-to-end topology for a dial-in connection looks like this:

--------            --------
|Cisco |  --------  |access|  -------  --------  --------  -----------
|Access|->|RS-232|->|server|->|PSTN*|->|client|->|RS-232|->|client PC|
|Server|  --------  |modem |  -------  |modem |  --------  |or router|
--------            --------  *Public  --------            -----------
                               Switch
                               Telephone
                               Network

The Cisco access server and the client PC or router are generally called Data Terminal Equipment (DTE), and the server and client modems are called Data Circuit-terminating Equipment (DCE).

To connect a modem to a Cisco 2500, or RJ-45-based console or AUX port, use the setup below. See the faxback document "Cabling Guide for RJ-45 Console and AUX Ports" for more details.

  console/AUX port----Rolled RJ-45 Cable + CAB-MMOD----Modem

To connect a modem to a Cisco 4000 or 7000, or DB-25-based AUX port, use the setup below.

  AUX Port----DB-25 Straight Cable----Modem

The Cisco access server uses three pairs of wires to connect the DCE to the DTE. In each pair, one wire transmits, and the other receives. These pairs are TX/RX, RTS/CTS, and DTR/DCD. Each pair requires specific configuration on both the DTE and the DCE.

TX/RX - Data Transfer

Transmit: DTE >---TX---> DCE

Receive: DTE <---RX---< DCE

Transmit and receive speed is set on the modem using the TX/RX wire pair. Notice that the DCE transmits on RX and receives on TX.

Rule

The speeds at which the two devices are communicating on the RS-232 must be the same. If they are not, you'll get a speed mismatch, where either garbage or nothing appears on the screen when dialing in to the modem.

Configuration Reference Notes

  • access server: speed xxxxx

  • modem: configuration commands vary from modem to modem. Check your modem manual under options such as port-rate adjust, buffered mode, or lock dte. Often, just turning on error correction for the modem will make it go into buffered mode, which may lock the speed.

    In order to lock the modem at the new access server speed, you may need to set the speed on the access server first, then send an AT command to the modem with a reverse telnet. You'll find more details about this in the section "Connecting the Modem" below.

RTS/CTS - Hardware Flow Control

Request to Send: DTE >---RTS---> DCE

Clear to Send: DTE <---CTS---< DCE

This pair of wires indicates the ability of a device to receive data. For example, when the DCE has a full data buffer and can no longer accept data from the DTE for transmitting, it will lower the CTS signal. When the access server can no longer accept data, it lowers the RTS signal.

Rule

Both the access server and the modem must agree to hardware handshake with CTS/RTS.

Configuration Reference Notes

  • access server: flowcontrol hardware

  • modem: configuration commands vary from modem to modem. Look for "Hardware Handshaking" or "RTS/CTS Flow Control" in the modem manual.

Both the access server and the modem must be set for Hardware Flow Control. If they do not agree on handshaking, they will tend to overflow each other's buffers. Dropped characters or packet errors are typical signs of a handshaking mismatch.

DTR/DCD - Modem Control

Data Terminal Ready: DTE >---DTR---> DCE

Data Carrier Detect: DTE <---DCD---< DCE

This pair of wires is used between the DTE and the DCE to initiate and receive calls. When the access server is ready, DTR output is high. The access server lowers DTR to drop any existing calls and return to the stored configuration. The modem uses DCD output to indicate that a call has arrived that needs servicing by the access server. The modem drops DCD to indicate loss of the call.

Rule

The access server and modem must agree on the function of DTR and DCD.

Configuration Reference Notes

  • access server: modem inout or modem ri-is-cd

    Use modem inout to allow incoming and outgoing connections to the modem. You will need modem inout while configuring the modem. Use modem ri-is-cd to allow incoming only connections. Cabling other than what we suggested at the beginning of this section can cause modem control to fail since modem DCD may not be wired.

  • modem: usually &c1 and &d2

    This is often referred to as RS-232 standard operation.

Configuring the Cisco Side

Now let's start configuring. On the Cisco, this line configuration usually works best:

  line x
  ! where x = TTY #. AUX port is 1 on router, last_tty+1 on access server.
  speed 38400
  ! Set to highest speed in common between modem and port.
  flow hard
  ! RTS/CTS flowcontrol.  CTS only on ASM.
  modem inout
  ! Drop connection on loss of CD, Cycle DTR for connection close

Each line in this configuration assumes that the modem will be set up in a specific way, which you'll see how to accomplish using the chart at the end of this document. Specifically, it assumes that we will lock DTE speed, set hardware (RTS/CTS) flowcontrol, set carrier detect to reflect the actual carrier state, and set the modem to hang up on loss of DTR. Flowcontrol and modem control are not available on pre-9.21 router aux ports.

  • If flowcontrol is not available, stay at 9600 baud.
  • Don't use the Cisco autobaud feature. Today's modems do a much better job.
  • If you are routing over the AUX port, remember that each character generates a processor interrupt. Abnormally high CPU may be resolved by using a lower AUX port speed.

Bit rate trivia:

  • 38400 is the maximum speed for the 500-CS and AUX ports.
  • 57600 is the maximum speed for ASM, STS-10.
  • 115200 is the maximum speed for the 25xx access servers.

Connecting the Modem

Attach the modem to a port, and configure your modem using reverse connection. To do this, issue the command

  telnet x.x.x.x 20yy

where x.x.x.x is any active, connected, and up interface on the Cisco device and yy is the line number to which you want to connect.* You can issue this telnet command from anywhere on the network that can ping x.x.x.x.

Recall that 01 is the AUX port on a router. On an Access server, the AUX port is the last_tty+1 - that is, on a 16-port Access Server, the AUX port is port 17.

If you get a connection refused, either someone already has a connection to that port or there is an exec (prompt) running on that port. Clear the line from the console to try again by issuing the command

  clear line yy

where yy is the line number. If it still fails, make sure that you have set modem inout for that line. If you don't have modem control (as in pre-9.21 AUX ports), set no exec on the line before making a reverse connection. If you still get a connection refused, disconnect the modem, issue the command

  telnet x.x.x.x 20yy

and then reconnect and configure the modem. As a last resort, configure the modem using an external terminal. Be sure to clear the line before each connection attempt.

Configuring the Modem

Once you've attached to the modem at the same speed to which the Cisco port will be set (through a reverse telnet connection), you're ready to issue the AT commands. You can build the exact command string you need from the attached chart. Just follow these steps:

  1. As a minimum, you must start with the information in the REQUIRED FOR ALL column and the EC/COMPRESSION pair that you need (either BEST or NO). Use the BEST pair for applications that are primarily file transfer. Use the NO pair for connections that are primarily ARA, Xremote, or interactive packet-protocol (SLIP/PPP) traffic. Generally, Cisco recommends BEST. Adjust your configuration as your needs change.

  2. If you have an AUX port (or no modem control), add the AUX PORT section. Remember to limit to 9600 bps if you have no flow control.

  3. Add the PLAT SPEC ASM only for ASM platforms, and CAB-MDCE if you have a 500-CS with a CAB-MDCE.

  4. Finalize the string with an &W.

For example, a Microcom modem with best error correction/compression with an ASM would need this string:

  AT&FS0=1&C1&D3\Q3\J0\N6%C1\Q2&W

Some Hard-Learned Hints and Tricks

  • If you dial up and connect, and you get no response, try ^U (clear line) and ^Q (XON) and a few returns to wake it up.

  • If you type "quit" and the modem doesn't hang up, the modem is not watching DTR or you have not set modem inout on the Cisco.

  • If you land in someone else's session when you dial in, the modem is not dropping CD on disconnect or you have not set up modem inout on the Cisco.
    Remember, you cannot set up modem control on pre-9.21 router aux ports.

  • If you issue a +++ on the dialing modem, followed by an ATO to reconnect and you find that you are frozen, this means the answering modem saw and interpreted the +++ when it was echoed to you. This is a bug - a fairly common one - in the answering modem. Set ATS2=255 or ATS2=128 on the answering modem.

  • If you have autoselect turned on for the line (9.21 and after), a carriage return is required to see a prompt.

  • If you do hardware flow control (which is recommended), make sure the Router/Access Server's line (DTE) and the modem (DCE) both have that feature enabled. Having one on and the other one off will cause you to lose data.

  • If you have an MDCE, your life will be a lot simpler if you turn it into an MMOD by moving pin 6 to pin 8 (most modems use CD and not DSR to indicate the presence of a carrier). Otherwise, some modems can be programmed to provide carrier information via DSR (see chart below). If you do not know what an MDCE is, disregard this paragraph.

Deciphering the Chart

*NA* means that option is not available on that modem.

--> means the command on the right will take care of that function.

<-- means the command on the left will take care of that function.

AUX PORT parameters are only required for pre-9.21 aux ports or any other port without modem control set.

PLAT SPEC parameters are the platform specific parameters required for ASM (no RTS) or 500-CS CAB-MDCE (requires DSR to perform the CD function).

COMMENTS alert you to modem-specific weirdness.

                 ========= REQUIRED FOR ALL =========   ==== EC/COMPRESSION ====
MODEM BRAND      FD  AA    CD   DTR   RTS/CTS  LOCK DTE  Best   Best   No     No
                                Hngp  Flow     Speed     Error  Comp   Error  Comp
==========================================================================================
Codex 3260       &F  S0=1  &C1  &D3   *FL3     *SC1      *SM3   *DC1   *SM1   *DC0

USR Courier      &F  S0=1  &C1  &D3   &H1&R2   &B1       &M4    &K1    &M0    &K0
 USR Sportster

Global Village   &F  S0=1  &C1  &D3   \Q3      \J0       \N7    %C1    \N0    %C0
 Teleport Gold

AT&T Paradyne    &F  S0=1  &C1  &D3   \Q3      --->      \N7    %C1    \N0    %C0
 Dataport

Hayes modems     &F  S0=1  &C1  &D3   &K3      &Q6       &Q5    &Q9    &Q6    <---
 Accura/Optima

Microcom         &F  S0=1  &C1  &D3   \Q3      \J0       \N6    %C1    \N0    %C0
 QX4232 series

Motorola UDS     &F  S0=1  &C1  &D3   \Q3      \J0       \N6    %C1    \N0    %C0
 FastTalk II

Multitech        &F  S0=1  &C1  &D3   &E4      $BA0      &E1    &E15   &E0    &E14
 MT1432 MT932

Viva             &F  S0=1  &C1  &D3   &K3      --->      \N3    %M3    \N0    %M0
 14.4/9642c

ZyXel            &F  S0=1  &C1  &D3   &H3      &B1       &K4    <---   &K0    <---
 U-1496E

Supra            &F  S0=1  &C1  &D3   &K3      --->      \N3    %C1    \N0    %C0
 V.32bis/28.8

ZOOM             &F  S0=1  &C1  &D3   &K3      --->      \N3    %C2    \N0    %C0
 14.4

Practical        &F  S0=1  &C1  &D3   &K3      --->      &Q5    &Q9    &Q6    <---
 Peripherals

Megahertz        &F  S0=1  &C1  &D3   \Q3      \J0       \N6    %C1    \N0    %C0

                 = AUX PORT =   = PLAT SPEC =
MODEM BRAND      No    No       ASM    CAB-    Write   COMMENTS
                 Echo  Res      only   MDCE    Memory
==========================================================================================
Codex 3260       E0    Q1       *NA*   &S1     &W

USR Courier      E0    Q1       &R1    *NA*    &W      Cool stuff on ftp.usr.com
 USR Sportster

Global Village   E0    Q1       \Q2    *NA*    &W
 Teleport Gold

AT&T Paradyne    E0    Q1       \Q2    *NA*    &W
 Dataport

Hayes modems     E0    Q1       *NA*   *NA*    &W
 Accura/Optima

Microcom         E0    Q1       \Q2    *NA*    &W      Almost all Microcom modems
 QX4232 series                                         have similar config params.

Motorola UDS     E0    Q1       \Q2    *NA*    &W
 FastTalk II

Multitech        E0    Q1       &E12   &S1     &W      Lock speed with AT$SB38400
 All models                                            (or your favorite speed)

Viva             E0    Q1       *NA*   &S1     &W
 14.4/9642c

ZyXel            E0    Q1       *NA*   &S1     &W      Cool stuff on ftp.zyxel.com
 U-1496E

Supra            E0    Q1       *NA*   &S1     &W
 V.32bis/28.8

ZOOM             E0    Q1       *NA*   &S1     &W
 14.4

Practical        E0    Q1       *NA*   *NA*    &W      Based on PC288LCD. May vary.
 Peripherals

Megahertz        E0    Q1       \Q2    *NA*    &W


Posted: Jun 19 15:42:06 1995
Copyright 1996 © Cisco Systems Inc.

------ =_NextPart_000_01BCEF40.BD2BC900
Content-Type: text/html; name="13.html"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment; filename="13.html"

Cisco - Modem Configuration For Those Who Hate Modems

Modem Configuration For Those Who Hate Modems


Introduction

This document will show you how to configure most popular modems to work on the Cisco access server or on the console/aux port of our routers. Also, we'll give you some insider hints and tricks that we've found helpful in taming troublesome modems.

Configuring the Cisco Side

This line configuration usually works best:

   line x
   ! where x = TTY #. Aux port is 1 on router, last_tty+1 on access server.
   speed 38400
   ! Set to highest speed in common between modem and port.
   flow hard
   ! RTS/CTS flowcontrol.  CTS only on ASM.
   modem inout
   ! Drop connection on loss of CD, Cycle DTR for connection close
   transport input all
   ! Use all supported protocols (including MOP and Telnet)

Each line in this configuration assumes that the modem will be set up in a specific way, which you'll see how to accomplish using the chart at the end of this document. Specifically, it assumes that we will lock DTE speed, set hardware (RTS/CTS) flowcontrol, set carrier detect to reflect the actual carrier state, and set the modem to hang up on loss of DTR. Flowcontrol and modem control are not available on pre-9.21 router aux ports.

  • If flowcontrol is not available, stay at 9600 baud.
  • Don't use the Cisco autobaud feature. Today's modems do a much better job.
  • If you are routing over the aux port, remember that each character generates a processor interrupt. Abnormally high CPU may be resolved by using a lower AUX port speed.

Bit rate trivia:

  • 38400 is the maximum speed for the 500-CS
  • 57600 is the maximum speed for ASM, STS-10 and AUX ports
  • 115200 is the maximum speed for the 25xx access servers

Connecting the Modem

Attach the modem to a port, and configure your modem using reverse connection. To do this, issue the command
   telnet x.x.x.x 20yy

where x.x.x.x is any active, connected, and up interface on the Cisco device and yy is the line number to which you want to connect.* You can issue this telnet command from anywhere on the network that can ping x.x.x.x.

Recall that 01 is the aux port on a router. On an Access server, the AUX port is the last_tty+1 - that is, on a 16-port Access Server, the AUX port is port 17.

If you get a connection refused, either someone already has a connection to that port or there is an exec (prompt) running on that port. Clear the line from the console to try again by issuing the command

   clear line yy

where yy is the line number. If it still fails, make sure that you have set modem inout for that line. If you don't have modem control (as in pre-9.21 aux ports), set no exec on the line before making a reverse connection. If you still get a connection refused, disconnect the modem, issue the command

   telnet x.x.x.x 20yy

and then reconnect and configure the modem. As a last resort, configure the modem using an external terminal. Be sure to clear the line before each connection attempt.

Configuring the Modem

Once you've attached to the modem at the same speed to which the Cisco port will be set (through a reverse telnet connection), you're ready to issue the AT commands. You can build the exact command string you need from the attached chart. Just follow these steps:

  1. As a minimum, you must start with the information in the REQUIRED FOR ALL column and the EC/COMPRESSION pair that you need (either BEST or NO). Use the BEST pair for applications that are primarily file transfer. Use the NO pair for connections that are primarily ARA, Xremote, or interactive packet-protocol (SLIP/PPP) traffic. Generally, Cisco recommends BEST. Adjust your configuration as your needs change.

  2. If you have an AUX port (or no modem control), add the AUX PORT section. Remember to limit to 9600 bps if you have no flow control.

  3. Add the PLAT SPEC ASM only for ASM platforms, and CAB-MDCE if you have a 500-CS with a CAB-MDCE.

  4. Finalize the string with an &W.

For example, a Microcom modem with best error correction/compression with an ASM would need this string:

   AT&FS0=1&C1&D3\Q3\J0\N6%C1\Q2&W
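
The four steps above (and the identical procedure in the "Basic Modem Cabling and Configuration" attachment earlier in this message) build the string from the chart by hand. As an added illustration, not Cisco's code and not part of the original post, the Python below encodes a handful of chart rows transcribed from the two attachments and applies the same four steps, so the Microcom/ASM example string given in both documents comes out of it unchanged. The handling of "--->", "<---" and "*NA*" cells follows the "Deciphering the Chart" notes; the row names, the argument names and the error raised for an unavailable platform option are this example's own conventions.

```python
"""Build a modem init string from the Cisco modem chart.

Added example for this page: the chart rows are transcribed from the two
attached Cisco documents, but the builder itself is illustration code, not
Cisco's.  It follows the four steps under "Configuring the Modem":
  1. REQUIRED FOR ALL columns plus the EC/COMPRESSION pair (BEST or NO)
  2. AUX PORT columns when the port has no modem control
  3. PLAT SPEC column for an ASM or a 500-CS with CAB-MDCE
  4. finish with &W
Chart markers: '--->' / '<---' mean a neighbouring command already covers
the cell, so it is skipped; '*NA*' means the option does not exist on that
modem, so asking for it is refused instead of silently dropped.
"""

SKIP = {"--->", "<---"}
NA = "*NA*"

# Per modem: (REQUIRED FOR ALL: FD, AA, CD, DTR hangup, RTS/CTS flow, lock
#             DTE speed), (Best Error, Best Comp, No Error, No Comp),
#            (AUX PORT: no echo, no result codes), {PLAT SPEC: ASM, CAB-MDCE}.
# A subset of the chart; the row names are this example's own labels.
CHART = {
    "Codex 3260": (["&F", "S0=1", "&C1", "&D3", "*FL3", "*SC1"],
                   ["*SM3", "*DC1", "*SM1", "*DC0"], ["E0", "Q1"],
                   {"ASM": NA, "CAB-MDCE": "&S1"}),
    "USR Courier": (["&F", "S0=1", "&C1", "&D3", "&H1&R2", "&B1"],
                    ["&M4", "&K1", "&M0", "&K0"], ["E0", "Q1"],
                    {"ASM": "&R1", "CAB-MDCE": NA}),
    "Hayes": (["&F", "S0=1", "&C1", "&D3", "&K3", "&Q6"],
              ["&Q5", "&Q9", "&Q6", "<---"], ["E0", "Q1"],
              {"ASM": NA, "CAB-MDCE": NA}),
    "Microcom": (["&F", "S0=1", "&C1", "&D3", "\\Q3", "\\J0"],
                 ["\\N6", "%C1", "\\N0", "%C0"], ["E0", "Q1"],
                 {"ASM": "\\Q2", "CAB-MDCE": NA}),
    "Multitech": (["&F", "S0=1", "&C1", "&D3", "&E4", "$BA0"],
                  ["&E1", "&E15", "&E0", "&E14"], ["E0", "Q1"],
                  {"ASM": "&E12", "CAB-MDCE": "&S1"}),
    "ZyXel": (["&F", "S0=1", "&C1", "&D3", "&H3", "&B1"],
              ["&K4", "<---", "&K0", "<---"], ["E0", "Q1"],
              {"ASM": NA, "CAB-MDCE": "&S1"}),
}


def build_init_string(modem, ec="BEST", aux_port=False, platform=None):
    """Return the AT command string for *modem*.

    ec        "BEST" for file-transfer use, "NO" for SLIP/PPP, ARA, Xremote.
    aux_port  True for a pre-9.21 AUX port or any port without modem control.
    platform  None, "ASM" or "CAB-MDCE".
    """
    required, ec_cols, aux, plat = CHART[modem]
    best_err, best_comp, no_err, no_comp = ec_cols
    pair = {"BEST": [best_err, best_comp], "NO": [no_err, no_comp]}[ec]

    parts = list(required) + pair          # step 1
    if aux_port:                           # step 2
        parts += aux
    if platform is not None:               # step 3
        cmd = plat[platform]
        if cmd == NA:
            raise ValueError(f"{modem}: {platform} setting is not available")
        parts.append(cmd)
    parts.append("&W")                     # step 4: write settings to NVRAM

    # Drop the '--->' / '<---' placeholders; the neighbouring command covers them.
    return "AT" + "".join(p for p in parts if p not in SKIP)


if __name__ == "__main__":
    # Reproduces the Microcom/ASM string given in both Cisco documents.
    print(build_init_string("Microcom", ec="BEST", platform="ASM"))
```

Asking for the ASM column on a ZyXel, where the chart says *NA*, raises rather than producing a string that silently lacks the setting; that is the failure mode the chart's *NA* marker is warning about.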

Some Hard-Learned Hints and Tricks

  • If you dial up and connect, and you get no response, try ^U (clear line) and ^Q (XON) and a few returns to wake it up.

  • If you type quit and the modem doesn't hang up, the modem is not watching DTR or you have not set up modem inout on the Cisco.

  • If you land in someone else's session when you dial in, the modem is not dropping CD on disconnect or you have not set up modem inout on the Cisco. Remember, you cannot set up modem control on pre-9.21 router aux ports.

  • If you issue a +++ on the dialing modem, followed by an ATO to reconnect and you find that you are frozen, this means the answering modem saw and interpreted the +++ when it was echoed to you. This is a bug - a fairly common one - in the answering modem. Set ATS2=255 or ATS2=128 on the answering modem.

  • If you have autoselect turned on for the line (9.21 and after), a carriage return is required to see a prompt.

  • If you elect to do hardware flow control (which is recommended), make sure the Router/Access Server's line (DTE) and the modem (DCE) both have that feature enabled. Having one on and the other one off will cause you to lose data.

  • If you have an MDCE, your life will be a lot simpler if you turn it into an MMOD by moving pin 6 to pin 8 (most modems use CD and not DSR to indicate the presence of a carrier). Otherwise, some modems can be programmed to provide carrier info via DSR (see chart below). If you do not know what an MDCE is, disregard this paragraph.

Deciphering the Chart

*NA* means that option is not available on that modem.
--> means the command on the right will take care of that function.
<-- means the command on the left will take care of that function.

AUX PORT parameters are only required for pre-9.21 aux ports or any other port without modem control set.

PLAT SPEC parameters are the platform specific parameters required for ASM (no RTS) or 500-CS CAB-MDCE (requires DSR to perform the CD function).

COMMENTS alert you to modem-specific weirdness.

------------------------------------------------------------------------------------------
                 -------- REQUIRED FOR ALL ----------   ----- EC/COMPRESSION -----
MODEM BRAND      FD  AA    CD   DTR   RTS/CTS  LOCK DTE  Best   Best   No     No
                                Hngp  Flow     Speed     Error  Comp   Error  Comp
------------------------------------------------------------------------------------------
Codex 3260       &F  S0=1  &C1  &D3   *FL3     *SC1      *SM3   *DC1   *SM1   *DC0

USR Courier      &F  S0=1  &C1  &D3   &H1&R2   &B1       &M4    &K1    &M0    &K0
 USR Sportster

Global Village   &F  S0=1  &C1  &D3   \Q3      \J0       \N7    %C1    \N0    %C0
 Teleport Gold

AT&T Paradyne    &F  S0=1  &C1  &D3   \Q3      --->      \N7    %C1    \N0    %C0
 Dataport

Hayes modems     &F  S0=1  &C1  &D3   &K3      &Q6       &Q5    &Q9    &Q6    <---
 Accura/Optima

Microcom         &F  S0=1  &C1  &D3   \Q3      \J0       \N6    %C1    \N0    %C0
 QX4232 series

Motorola UDS     &F  S0=1  &C1  &D3   \Q3      \J0       \N6    %C1    \N0    %C0
 FastTalk II

Multitech        &F  S0=1  &C1  &D3   &E4      $BA0      &E1    &E15   &E0    &E14
 MT1432 MT932

Viva             &F  S0=1  &C1  &D3   &K3      --->      \N3    %M3    \N0    %M0
 14.4/9642c

ZyXel            &F  S0=1  &C1  &D3   &H3      &B1       &K4    <---   &K0    <---
 U-1496E

Supra            &F  S0=1  &C1  &D3   &K3      --->      \N3    %C1    \N0    %C0
 V.32bis/28.8

ZOOM             &F  S0=1  &C1  &D3   &K3      --->      \N3    %C2    \N0    %C0
 14.4

Practical        &F  S0=1  &C1  &D3   &K3      --->      &Q5    &Q9    &Q6    <---
 Peripherals

Megahertz        &F  S0=1  &C1  &D3   \Q3      \J0       \N6    %C1    \N0    %C0

------------------------------------------------------------------------------------------
                 - AUX PORT -   - PLAT SPEC -
MODEM BRAND      No    No       ASM    CAB-    Write   COMMENTS
                 Echo  Res      only   MDCE    Memory
------------------------------------------------------------------------------------------
Codex 3260       E0    Q1       *NA*   &S1     &W

USR Courier      E0    Q1       &R1    *NA*    &W      Cool stuff on ftp.usr.com
 USR Sportster

Global Village   E0    Q1       \Q2    *NA*    &W
 Teleport Gold

AT&T Paradyne    E0    Q1       \Q2    *NA*    &W
 Dataport

Hayes modems     E0    Q1       *NA*   *NA*    &W
 Accura/Optima

Microcom         E0    Q1       \Q2    *NA*    &W      Almost all Microcom modems
 QX4232 series                                         have similar config params.

Motorola UDS     E0    Q1       \Q2    *NA*    &W
 FastTalk II

Multitech        E0    Q1       &E12   &S1     &W      Lock speed with AT$SB38400
 All models                                            (or your favorite speed)

Viva             E0    Q1       *NA*   &S1     &W
 14.4/9642c

ZyXel            E0    Q1       *NA*   &S1     &W      Cool stuff on ftp.zyxel.com
 U-1496E

Supra            E0    Q1       *NA*   &S1     &W
 V.32bis/28.8

ZOOM             E0    Q1       *NA*   &S1     &W
 14.4

Practical        E0    Q1       *NA*   *NA*    &W      Based on PC288LCD. May vary.
 Peripherals

Megahertz        E0    Q1       \Q2    *NA*    &W


Posted: Tue Jun 24 11:00:29 PDT 1997
Copyright 1996 © Cisco Systems Inc.
------ =_NextPart_000_01BCEF40.BD2BC900-- From owner-firewalls-list Thu Nov 13 18:58:21 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA25586; Thu, 13 Nov 1997 14:06:33 -0800 (PST) Received: from sla-nt2.sla.com (mail1.sla.com [207.153.168.35]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id OAA25566 for ; Thu, 13 Nov 1997 14:06:16 -0800 (PST) Received: by mail1.sla.com with Internet Mail Service (5.0.1457.3) id ; Thu, 13 Nov 1997 14:04:18 -0800 Message-ID: From: "Stackpole, Bill" To: "'vadillo@apu.rcp.net.pe'" , firewalls@GreatCircle.COM Subject: RE: Real Audio port Date: Thu, 13 Nov 1997 14:04:16 -0800 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1457.3) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk realAudio 6970- 7170/udp Return ports realAudio 7070/tcp Control poer > -----Original Message----- > From: vadillo@apu.rcp.net.pe [SMTP:vadillo@apu.rcp.net.pe] > Sent: Thursday, November 13, 1997 10:39 AM > To: firewalls@GreatCircle.COM > Subject: Real Audio port > > Please guys, what port does Real Audio use? 
> > Thanks, > > Enrique Vadillo- > -- > RCP - Internet Peru > Fax: +51 1 241-1320 > Web Site: http://www.rcp.net.pe (PERU) > Mirror Web Site: http://ekeko.rcp.net.pe (USA) From owner-firewalls-list Thu Nov 13 19:43:10 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id TAA16561; Thu, 13 Nov 1997 19:35:42 -0800 (PST) Received: from ns.wzrd.com ([206.99.165.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id TAA16512 for ; Thu, 13 Nov 1997 19:35:24 -0800 (PST) Received: from vectra (ppp7.wzrd.com [206.99.165.107]) by ns.wzrd.com (8.8.8/8.7.3) with SMTP id WAA25637; Thu, 13 Nov 1997 22:34:08 -0500 (EST) Received: by localhost with Microsoft MAPI; Thu, 13 Nov 1997 22:34:20 -0500 Message-ID: <01BCF084.48998060.jwagner@wzrd.com> From: Jeffrey Wagner To: "'Snyder@co.santa-barbara.ca.us'" , "firewalls@GreatCircle.COM" Subject: RE: BorderManager Date: Thu, 13 Nov 1997 22:34:08 -0500 X-Mailer: Microsoft Internet E-mail/MAPI - 8.0.0.4211 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk My advice is to stay away, far away. We have this implemented at customer sites by their direction and have nothing but problems. Abends 3-4 times per day are not uncommon. Don't try to run static packet filtering and dynamic packet filtering on the same server. I'll guarantee Abends. Run each process on its' own server. Also, I'm told the NAT causes Abends. We're classifying this product really as a Beta release at this point. When it hit the market, I'd consider it an Alpha release. There's been 3 major patch kits to the product within the last 6 weeks. If you're really interested in the product, I would recommend waiting several months to let the dust settle. Please keep in mind we have only CNE's and MCNE's on staff and are a Platinum reseller. We're not just fooling around with the product. I hope this helps. 
Jeffrey Wagner Project Manager Western New York Computing MCNE, MCSE, CSA, A+ jwagner@wzrd.com jeffw@wnycs.com On Thursday, November 13, 1997 2:35 PM, John Snyder [SMTP:Snyder@co.santa-barbara.ca.us] wrote: > My management has requested that I look into BorderManager from Novell > as a candidate firewall solution. > > I'm interested in contacting anyone with some experience running this > product. > > Thanks in advance for your opinions and guidance, > jhs From owner-firewalls-list Thu Nov 13 20:14:15 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA25989; Thu, 13 Nov 1997 14:09:17 -0800 (PST) Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-971021-1) id OAA25966 for firewalls@greatcircle.com; Thu, 13 Nov 1997 14:09:11 -0800 (PST) Received: from su1.in.net (su1.in.net [199.0.62.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id FAA06382 for ; Wed, 12 Nov 1997 05:22:37 -0800 (PST) Received: from pm3-29.in.net by su1.in.net with SMTP (5.65/1.2-eef) id AA23887; Wed, 12 Nov 97 08:26:30 -0500 Message-Id: <3.0.3.32.19971112081854.006aa2ec@in.net> X-Sender: frankw@in.net X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Wed, 12 Nov 1997 08:18:54 -0500 To: Jason Keimig From: Frank Willoughby Subject: Re: Hijak detection Cc: Doy , Adam Shostack , Brad , RHS Linux User , "H. Morrow Long" , Frank Willoughby , anarch@freedom.gmsociety.org, firewalls@GreatCircle.COM In-Reply-To: References: <346101AE.6B99@indo-mail.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 01:06 AM 11/8/97 -0600, Jason Keimig wrote: >> I'm agree that host authentication is the only real defense. I think >> network level encryption will defend against this kind of attack too. >> Transport level encryption might stop hijacking, but still vulnerable to >> DoS attack (the attacker might still able to put both hosts in >> desynchronized mode). 
If host authentication were done right, I suppose it could be used as a real defense. Since I haven't seen any types of host authentication which will work across the Internet, I submit that the only real defense is to encrypt the connection (at least the payload, not the headers - at this point in time). >All true and very relevent. You COULD even encrypt most of the headers, but >this breaks things like NAT and proxy services. I disagree slightly with the first sentence. See above. >> 1. How do we detect a hijack. >> Even in normal TCP conversation, there are lot of packets with >> invalid SN (duplication, etc.), so how we decide if an invalid packet is >> part of a hijacked session and which is not? > > The duplication is not as severe as you would see with a hijacked session. >You will generally see several hundred ACKed packets thrown around for each >new packet introduced by the hijacker. It seems to me that an expert attacker would have no problem in taking over the session without producing a couple of hundred of unexpected ACKed packets. >> 2. How to determine which is the attacker and which is the victim. >> By using only TCP seq. num., we definitely CAN NOT decide which is >> the attacker and which is the victim, because a skilled attacker would >> most likely only send 'good' packet, making the victim looks bad. While >> a 'young' attacker probably still making mistakes on calculating SN, >> thus making both attacker and victim look bad. > > This is true if you look at only a single ACK on one side of the stream. If >you compare the ACKs from both sides, you can see the side that has been >spoon-fed data by the attacker as their ACK # will be higher than the >supposedly corresponding SEQ # of the unmolested side. This is due to the >fact that the SEQ/ACK pair is based solely on the # of bytes sent/received >after the session has been established. > This pair is by no means a security mechanism in the purest sense. 
It is >used primarily to keep the sides in synch with one another. The fact that >it prevents accepting data out of order is really just a security side >effect inherent with connection-oriented bitstreams. > If the "good-guy"'s system on the remote side is brought to its knees (via a Denial-of-Service attack, etc.), then there is nothing really to compare against. Also, it is trivial for seasoned hackers to supply the Sequence Numbers as well as pretty much any other info you would expect to find in the packets. >> Looking at route information in the packet (if available) will >> provide an important clue, but it is still not reliable if your network uses >> multiple routes. > > This really is a non-issue as just about all routers and hosts nowadays have >source-routing disabled. I realize that there is a possibility for >misconfigured boxes, but this is a reaching effort that generally does not >turn up anything. That is, a source-routed packet will set off too many >alarms and gives away all covertness of the attack. >> Looking at the H/W address of a packet won't help much, because >> you'll only see the gateway H/W address in the packet. > > Actually, this is where you will see the mistakes of a 'young' attacker. >Calculating the SEQ/ACK # of a session is fairly straight-forward once the >hijacking has commenced: you just have to wade through all of the ACK >syncs between the two hosts. As I stated in another post, JUST ABOUT all of >the scripts/programs out there that do various forms of IP spoofing (I did >find an old SunOS forging tool in my archives that modified the MAC address of >the outgoing packet) do NOT address the layer-2 issue. Forged IP packets >from user space WILL STILL CONTAIN the source MAC address of the host used >to forge the packet. This is trivial to detect. 
> > The "professional" hacker (the word professional used loosely here) will >have a modified IP stack that addresses this issue by swapping out the local >MAC with that of the forged IP-to-layer-2 mapping. There are still some tricks to >catch this; the attacker just has to be careful about how this mapping is >obtained (this is part of my thesis, I've had to deal with this aspect quite >intimately!). > > So, in a nutshell, LOOKING at the layer-2 information will turn up 90% of >the offending hosts performing ANY kind of spoofing attack. > > There is also the analysis of the IP packet ID that I won't get into. >Although it can be used for detection purposes, it gives less information >on _who_ is doing the attack. > >> 3. To make the situation worse... >> The attacker might send OOB packets, change route information, or >> launch other DoS attacks on the victim. The firewall/IDS should be aware that these >> are parts of the hijacking procedure, and terminate the victim's >> sessions immediately. > > OOB packets aren't usually handled by the end host in the purest sense and >routers, by definition, don't accept redirects. Where do these aspects come >into play? > >> In fact, if WheelGroup claims that their product can deal with TCP hijack >> attacks, how the heck are they doing it? > >Good question, any takers? I called Wheelgroup. They claim their technology is proprietary and won't go into how this is accomplished. If their technology is reactive, it requires that they be able to detect a session which has been hijacked by a professional. Given a professional's ability to generate custom packets on the fly, I'm not (yet) convinced that there is any way around this without using encrypted sessions. If there is a way, I would like to look under the hood to see what is really going on. If their technology is proactive, then this might be a different story. 
I thought of several possible solutions for how this might be accomplished, but most of these require hacking the TCP/IP stack, or requiring clients to have special hardware or software. Best Regards, Frank The opinions of the author of this mail may not necessarily be representative of the opinions of Fortified Networks, Inc. Fortified Networks, Inc. - http://www.fortified.com/ Expert (vendor-neutral) Computer and Network Security Consulting Phone: (317) 573-0800 Fax: (317) 573-0817 From owner-firewalls-list Thu Nov 13 20:15:07 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id UAA23190; Thu, 13 Nov 1997 20:10:02 -0800 (PST) Received: from khtp.usm.my ([161.142.10.27]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id UAA22985 for ; Thu, 13 Nov 1997 20:09:05 -0800 (PST) Received: from khtp.usm.my ([10.35.1.125]) by khtp.usm.my (Netscape Mail Server v1.1) with ESMTP id AAA60 for ; Fri, 14 Nov 1997 12:10:35 +0800 Message-ID: <346BD637.382F33B7@khtp.usm.my> Date: Fri, 14 Nov 1997 12:40:23 +0800 From: skkhoo@khtp.usm.my (Khoo Soo Kim) Reply-To: skkhoo@khtp.usm.my Organization: KTMSB-KTPC-PKNK X-Mailer: Mozilla 4.03 [en] (Win95; I) MIME-Version: 1.0 To: "Firewalls@GreatCircle.COM" Subject: Firewall which running UDP Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, Does anyone know of any firewall solution that works well with UDP? 
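The following is an added example for the hijack-detection thread above (the exchange between Jason Keimig and Frank Willoughby, with Darren Reed's layer-2 caveat); it is not code posted by any list participant. It implements the two tells the thread argues over as a small passive monitor: an endpoint whose ACK numbers run ahead of the data its peer was actually seen to send has been "spoon-fed" by a third party, and, on the same LAN, a segment forged from user space usually still carries the attacker's real source MAC. The MAC addresses and the four-segment trace are constructed for illustration; the monitor is assumed to sit on endpoint A's LAN, so it sees what A genuinely emits.

```c
/* Added example, not from the list thread. Passive monitor for two TCP
 * hijack tells: ACK running ahead of the peer's observed data, and a
 * source MAC that does not match the one learned for that IP endpoint.
 * All addresses and segments below are constructed for the demo. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum side { SIDE_A = 0, SIDE_B = 1 };
enum { ALERT_MAC = 1, ALERT_SPOONFED = 2 };

struct seg {
    enum side from;       /* endpoint the IP source address claims to be */
    uint8_t  src_mac[6];  /* layer-2 source as seen on the wire */
    uint32_t seq, ack, len;
};

struct monitor {
    uint8_t  mac[2][6];   /* MAC learned for each side from its first segment */
    int      mac_known[2];
    uint32_t sent_end[2]; /* highest seq+len seen in genuine segments of each side */
    int      sent_known[2];
    int      mac_mismatch[2], spoonfed[2];
};

/* Serial-number comparison so sequence-number wraparound is handled. */
static int seq_after(uint32_t a, uint32_t b) { return (int32_t)(a - b) > 0; }

static void monitor_init(struct monitor *m) { memset(m, 0, sizeof *m); }

/* Feed one observed segment; returns the alerts it raised as a bitmask. */
static int monitor_feed(struct monitor *m, const struct seg *s)
{
    enum side me = s->from;
    enum side peer = (me == SIDE_A) ? SIDE_B : SIDE_A;
    uint32_t end = s->seq + s->len;
    int alerts = 0;

    /* Layer-2 check. Only meaningful when the monitor shares a LAN with the
     * endpoint: past a router the source MAC is the router's (Darren Reed's
     * point), and an attacker with a custom stack or a burned PROM defeats it. */
    if (!m->mac_known[me]) {
        memcpy(m->mac[me], s->src_mac, 6);
        m->mac_known[me] = 1;
    } else if (memcmp(m->mac[me], s->src_mac, 6) != 0) {
        m->mac_mismatch[me] = 1;
        return ALERT_MAC;  /* not genuine traffic from this side; learn nothing from it */
    }

    /* ACK cross-check: this side acknowledged bytes its peer was never seen
     * to send. Ordinary duplicates and retransmissions leave the ACK at or
     * below the peer's observed data, so they do not trip this. */
    if (m->sent_known[peer] && seq_after(s->ack, m->sent_end[peer])) {
        m->spoonfed[me] = 1;
        alerts |= ALERT_SPOONFED;
    }
    if (!m->sent_known[me] || seq_after(end, m->sent_end[me])) {
        m->sent_end[me] = end;
        m->sent_known[me] = 1;
    }
    return alerts;
}

static const uint8_t MAC_A[6] = {0x00,0x00,0x0c,0x11,0x11,0x11}; /* constructed */
static const uint8_t MAC_B[6] = {0x00,0x00,0x0c,0x22,0x22,0x22}; /* constructed */
static const uint8_t MAC_X[6] = {0x00,0x00,0x0c,0x99,0x99,0x99}; /* attacker's NIC */

static int feed(struct monitor *m, enum side from, const uint8_t *mac,
                uint32_t seq, uint32_t ack, uint32_t len)
{
    struct seg s;
    s.from = from; memcpy(s.src_mac, mac, 6); s.seq = seq; s.ack = ack; s.len = len;
    return monitor_feed(m, &s);
}

/* Attacker on A's LAN forges 40 bytes "from A": both tells fire. */
static int demo_on_lan(void)
{
    struct monitor m; int alerts = 0;
    monitor_init(&m);
    alerts |= feed(&m, SIDE_A, MAC_A, 1000, 5000, 100); /* A sends 100 bytes       */
    alerts |= feed(&m, SIDE_B, MAC_B, 5000, 1100,  50); /* B ACKs exactly those    */
    alerts |= feed(&m, SIDE_A, MAC_X, 1100, 5050,  40); /* forged, attacker's MAC  */
    alerts |= feed(&m, SIDE_B, MAC_B, 5050, 1140,   0); /* B ACKs bytes A never sent */
    return alerts;
}

/* Injection from beyond the LAN: the forged segment never passes the monitor,
 * so only the ACK cross-check can fire. A retransmission is included to show
 * that normal duplicates stay quiet. */
static int demo_off_lan(void)
{
    struct monitor m; int alerts = 0;
    monitor_init(&m);
    alerts |= feed(&m, SIDE_A, MAC_A, 1000, 5000, 100);
    alerts |= feed(&m, SIDE_B, MAC_B, 5000, 1100,  50);
    alerts |= feed(&m, SIDE_B, MAC_B, 5000, 1100,  50); /* duplicate: no alert */
    alerts |= feed(&m, SIDE_B, MAC_B, 5050, 1140,   0); /* spoon-fed ACK       */
    return alerts;
}

int main(void)
{
    int on = demo_on_lan(), off = demo_off_lan();
    printf("attacker on LAN:  MAC mismatch=%d spoon-fed ACK=%d\n",
           (on & ALERT_MAC) != 0, (on & ALERT_SPOONFED) != 0);
    printf("attacker off LAN: MAC mismatch=%d spoon-fed ACK=%d\n",
           (off & ALERT_MAC) != 0, (off & ALERT_SPOONFED) != 0);
    return 0;
}
```

Build with `cc -Wall -o hijackmon hijackmon.c`. The limits the thread raises apply unchanged: if the "good guy" endpoint has been knocked over by a DoS there is nothing to cross-check against, a custom stack that rewrites the source MAC blinds the layer-2 test, and a monitor that also sees the forged segments will count them as genuine unless the MAC check rejects them first.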
From owner-firewalls-list Thu Nov 13 22:41:36 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id TAA17940; Thu, 13 Nov 1997 19:42:56 -0800 (PST) Received: from gatekeeper.nytimes.com (gatekeeper.nytimes.com [199.181.175.201]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id TAA17892 for ; Thu, 13 Nov 1997 19:42:38 -0800 (PST) Received: from mailgate.nytimes.com by gatekeeper.nytimes.com; (5.65v3.2/1.1.8.2/30Mar95-0352PM) id AA06051; Thu, 13 Nov 1997 22:44:27 -0500 Received: from localhost by mailgate.nytimes.com; (5.65/1.1.8.2/25Jul94-1134AM) id AA16387; Thu, 13 Nov 1997 22:43:34 -0500 Date: Thu, 13 Nov 1997 22:43:34 -0500 (EST) From: Gordy Thompson Reply-To: Gordy Thompson To: David Lang Cc: ddrumm@rush.edu, "Stackpole, Bill" , "'Guse, Darren J.'" , Firewalls@GreatCircle.COM Subject: RE: Re[2]: Summary on Java Sanity Check In-Reply-To: Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This moved on bugtraq yesterday; I haven't tried it myself, but you asked ... From: Darren Reed Subject: What were the opcodes to hang a Pentium again? (fwd) To: BUGTRAQ@NETSPACE.ORG X-Status: > From: Lloyd Wood > > You can now test if you're vulnerable to the more recently discovered > Microsoft and Intel problems. > > http://www.ee.surrey.ac.uk/Personal/L.Wood/IE4res/ > > If you're running Internet Explorer 4 on a Pentium, you can easily verify > for yourself that these problems exist by attempting to load this page -- > but do save your work first. (Internet Explorer 3 is immune.) > > This page automatically exploits both the recently-discovered Pentium bug, > and the recently discovered Explorer 4 res:// buffer overflow bug, via a > trivial piece of autoexecuting HTML -- which could easily be emailed. > > Two orthogonal separate bugs combine to more than the sum of their parts; > emergent behaviour due to complexity in computer systems. 
> On Thu, 13 Nov 1997, David Lang wrote: > -----BEGIN PGP SIGNED MESSAGE----- > > yes, This is not a poke at NT. It is pointing out that with activeX it is > possible to have a page that you go to that will CRASH your machine at the > hardware level. If you can do this with Java as well this is an EXTREMELY good > reason not to allow either through the firewall. > > If anyone can setup a "click here to crash your machine" page I would like to > know the URL. It would do wonders for convincing people that java/activeX can be > dangerous. > > David Lang > > > > On Thu, 13 Nov 1997 ddrumm@rush.edu wrote: > > > Date: Thu, 13 Nov 1997 14:36:51 -0600 (CST) > > From: ddrumm@rush.edu > > To: "Stackpole, Bill" > > Cc: "'Guse, Darren J.'" , > > Firewalls@GreatCircle.COM > > Subject: RE: Re[2]: Summary on Java Sanity Check > > > > On Thu, 13 Nov 1997, Stackpole, Bill wrote: > > > > > If any of you Active-X types know how to translate C code into Active-X > > > calls here's the bug exploit. > > > > [snip] > > > > > Crashed my NT Workstation machine in a heart beat. > > > > What pentium bug??? > > > > This is a poke (anyone remember poke and peek?) at an invalid Op Code for > > the Pentium. NT and Linux and whatever else will crash when you hit those > > OpCodes. > > > > The fix, I guess, is to use a PPro or a P2 or a Cyrix or an AMD K6. > > > > -- > > Daniel G. Drumm - ddrumm@rush.edu > > Rush Presbyterian St. 
Luke's Medical Center - Chicago, IL > > Network Division - Information Services > > > > > > -----BEGIN PGP SIGNATURE----- > Version: PGP for Personal Privacy 5.0 > Charset: noconv > > iQEVAwUBNGuOSz7msCGEppcbAQHndwgAk2uD4uWXbc1YhcslnQG0m7oEcPI8QOkm > UqcHXjEXg9bldSGb/2RZYE70IcIa5Q1RbV+y3KDBMmYmbo3AU6RIEZy3S88/hMmr > BaqRw0pDVe/VDDW2CVCYRasjQ12UvuI1e4YMdOCe0asCLTCvcaEGxHwlUQqs4RlM > FN1PyM+pNOcRec8cPy5ECCg17WmM8cfZFTC0yxlSLTTJoygtaDeGaTOHrl354T5C > qkDZsDzxklW1J0sL4aM5mPftnN1sIAVqZ73w0kgUxO1re7Lr7y02pUKqaMPiXbQr > KxEJKI8zj+09m/yUy1j/MLxw/N1IF0r8MepaTqkw1HcDmcMdXh7sTQ== > =TL+4 > -----END PGP SIGNATURE----- > > -- Gordon T. Thompson gordy@nytimes.com Manager, Internet Services 212-556-1386 The New York Times fax: 212-556-1636 The Times and I have an arrangement: Neither of us speaks for the other. From owner-firewalls-list Fri Nov 14 00:32:06 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA12050; Thu, 13 Nov 1997 23:44:34 -0800 (PST) Received: from mail.computronic.at ([194.177.146.5]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id XAA08763 for ; Thu, 13 Nov 1997 23:34:29 -0800 (PST) Received: from atambs0e ([195.212.97.39]) by mail.computronic.at (post.office MTA v2.0 0813 ID# 0-33306U110) with ESMTP id AAA167 for ; Fri, 14 Nov 1997 08:36:57 +0100 Message-ID: <346C000E.8A509069@computronic.at> Date: Fri, 14 Nov 1997 08:38:54 +0100 From: "Barfuß Egon jun." Reply-To: egon@computronic.at Organization: Home X-Mailer: Mozilla 4.01 [en] (WinNT; I) MIME-Version: 1.0 To: Firewalls@greatcircle.com Subject: Re: Need a firewall but don´t know which one X-Priority: 3 (Normal) Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, I think I will buy one of the following firewalls: FireWall - 1 SessionWall - 3 WatchGuard As a platform i want to use Linux. Is this possible with these products and what do you think about them? 
Does anyone of you have information and experience with one of them? Are these firewalls good and how much do they cost???? Thanks in advance Egon -- mailto:egon@computronic.at From owner-firewalls-list Fri Nov 14 00:42:54 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA26005; Thu, 13 Nov 1997 14:09:25 -0800 (PST) Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-971021-1) id OAA25992 for firewalls@greatcircle.com; Thu, 13 Nov 1997 14:09:19 -0800 (PST) Received: from su1.in.net (su1.in.net [199.0.62.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id FAA07025 for ; Wed, 12 Nov 1997 05:40:46 -0800 (PST) Received: from pm3-29.in.net by su1.in.net with SMTP (5.65/1.2-eef) id AA23895; Wed, 12 Nov 97 08:26:35 -0500 Message-Id: <3.0.3.32.19971112082223.006a9d3c@in.net> X-Sender: frankw@in.net X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Wed, 12 Nov 1997 08:22:23 -0500 To: Darren Reed From: Frank Willoughby Subject: Re: Hijak detection Cc: jkeimig@idir.net (Jason Keimig), doy@indo-mail.com, adam@homeport.org, brad@freedom.gmsociety.org, circle@cali-net.com, morrow.long@yale.edu, frankw@in.net, anarch@freedom.gmsociety.org, firewalls@GreatCircle.COM In-Reply-To: <9711120606.AA22000@su1.in.net> References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 05:01 PM 11/12/97 +1100, Darren Reed wrote: >In some mail from Jason Keimig, sie said: >> >> So, in a nutshell, LOOKING at the layer-2 information will turn up 90% of >> the offending hosts performing ANY kind of spoofing attack. > >Only if you're on the same LAN. All routers will replace the source MAC >address with their own when routing. Hackers can also burn their own PROMS, if they need to. At this point, even Layer-2 info will be seen as valid on the same LAN (particularly after a Denial-of-Service attack). 
Best Regards, Frank The opinions of the author of this mail may not necessarily be representative of the opinions of Fortified Networks, Inc. Fortified Networks, Inc. - http://www.fortified.com/ Expert (vendor-neutral) Computer and Network Security Consulting Phone: (317) 573-0800 Fax: (317) 573-0817 From owner-firewalls-list Fri Nov 14 00:43:22 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA07067; Thu, 13 Nov 1997 23:29:20 -0800 (PST) Received: from server1.dakota.net (server1.dakota.net [198.247.205.1]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id XAA06828 for ; Thu, 13 Nov 1997 23:28:31 -0800 (PST) Received: from odin.mountaintop.org [198.247.205.166] with smtp by server1.dakota.net with smtp (Smail3.1.29.1 #10) id m0xWGC3-0005AHC; Fri, 14 Nov 97 01:29 CST From: "Troy" To: "Enrique Vadillo" , Subject: Re: Real Audio port Date: Fri, 14 Nov 1997 01:29:40 -0600 Message-ID: <01bcf0cf$11d68820$0201a8c0@odin.mountaintop.org> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.71.1712.3 X-MimeOLE: Produced By Microsoft MimeOLE V4.71.1712.3 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Data: udp 6970-7170 Control: tcp 7070 -----Original Message----- From: Enrique Vadillo To: firewalls@GreatCircle.COM Date: Thursday, November 13, 1997 2:16 PM Subject: Real Audio port >Please guys, what port does Real Audio use? 
> >Thanks, > >Enrique Vadillo- >-- >RCP - Internet Peru >Fax: +51 1 241-1320 >Web Site: http://www.rcp.net.pe (PERU) >Mirror Web Site: http://ekeko.rcp.net.pe (USA) > > From owner-firewalls-list Fri Nov 14 00:43:45 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA13995; Thu, 13 Nov 1997 23:51:37 -0800 (PST) Received: from edina.xenologics.com (edina.xenologics.com [194.77.5.1]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id XAA04123 for ; Thu, 13 Nov 1997 23:20:31 -0800 (PST) Received: from www (xpl114.xnc.de [194.77.5.78]) by edina.xenologics.com (8.6.8.1/8.6.6) with SMTP id IAA26284; Fri, 14 Nov 1997 08:20:37 +0100 Message-ID: <346BFBC3.2B73DF06@edina.xnc.com> Date: Fri, 14 Nov 1997 08:20:35 +0100 From: Stepken Organization: F.S.S. X-Mailer: Mozilla 3.01Gold (X11; I; Linux 2.0.30 i586) MIME-Version: 1.0 To: Peter da Silva CC: firewalls@greatcircle.com Subject: Re: SANDBOX with LINUX, was Finjan Sufin Gate.... References: <9711102311.AA12971@baileynm.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi Peter, sorry for my late response, my system date mixes things up. > > win95-drawbridge-linux-firewall-internet > > win96 > > win97 > > > Should work with the free X-Server for win95 and Netscape in user-mode > > installed on linux. Absolutely virus-free active-x free and java free > > you can have netnews..... > Yes, I have tried to analyse my config; it seems to be ok so far. In the next few weeks I'll write a howto. 
The Free X-Server: http://www.microimages.com/freestuf greetings, Guido Stepken From owner-firewalls-list Fri Nov 14 02:46:05 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA00450; Thu, 13 Nov 1997 23:08:58 -0800 (PST) Received: from server1.dakota.net (server1.dakota.net [198.247.205.1]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id XAA00233 for ; Thu, 13 Nov 1997 23:08:11 -0800 (PST) Received: from odin.mountaintop.org [198.247.205.166] with smtp by server1.dakota.net with smtp (Smail3.1.29.1 #10) id m0xWFsY-0005ACC; Fri, 14 Nov 97 01:09 CST From: "Troy" To: Subject: Pentium bug - CYRIX BUG. Date: Fri, 14 Nov 1997 01:09:32 -0600 Message-ID: <01bcf0cc$4177dbe0$0201a8c0@odin.mountaintop.org> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.71.1712.3 X-MimeOLE: Produced By Microsoft MimeOLE V4.71.1712.3 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Luckily, there is a fix for the Cyrix lockup bug: http://www.tux.org/~balsa/linux/cyrix/p11.html ------- Forwarded Message Follows ------ Date: Thu, 13 Nov 1997 20:34:32 -0500 (EST) To: web-consultants@just4u.com From: Rainmaker Reply-to: web-consultants@just4u.com Subject: WC:>: More chip problems BUGS GALORE: INTEL, CYRIX FIGHT GLITCHES IN THEIR CHIPS http://www.news.com/News/Item/0%2C4%2C16312%2C00.html?nd (Intel) http://www.news.com/News/Item/0%2C4%2C16347%2C00.html?nd (Cyrix) This week, the chip world seems to have more bugs than Starship Troopers. Intel has posted a bug fix for Linux servers for its "FO" bug, and a chip from Cyrix may have a bug similar to Intel's --------------------- Linux - Where do you want to go tomorrow? http://www.debian.org t r o y @ d a k o t a . 
n e t http://www.dakota.net/~troy From owner-firewalls-list Fri Nov 14 03:58:39 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id DAA22586; Fri, 14 Nov 1997 03:44:24 -0800 (PST) Received: from BBPC4.tconl.com (mail.tconl.com [204.26.80.11]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id DAA22579 for ; Fri, 14 Nov 1997 03:44:17 -0800 (PST) Received: from elfering8188.tconl.com ([10.41.0.67]) by BBPC4.tconl.com (Netscape Mail Server v2.02) with ESMTP id AAA3156 for ; Fri, 14 Nov 1997 05:49:17 -0600 Message-ID: <346C2749.43D6F743@tconl.com> Date: Fri, 14 Nov 1997 04:26:17 -0600 From: Dave Elfering Reply-To: elfering@tconl.com X-Mailer: Mozilla 4.01 [en] (Win95; I) MIME-Version: 1.0 To: Firewalls@GreatCircle.COM Subject: Firewall Decision Criterea X-Priority: 3 (Normal) References: <199711140643.WAA22767@honor.greatcircle.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I've been beating a dead horse over our decision process to select a firewall product. The short list includes: (in order of preference) - TIS Gauntlet (Best of the proxies) - Checkpoint Firewall-1 (slick but is stateful inspection trustworthy?) - CyberGuard (slick and secure, but is it scalable on an X86 platform?) others in the mix for healthy comparison: - Sidewinder (Just haven't seen it) - Plain old FWTK (If all else fails there's ol' reliable) After reading all the color glossies there seem to be few real differentiators between them. I've researched all the technical aspects (like the black cloud over Firewall-1's stateful inspection), but what has me potentially whittling down to the final vendor is financial data. Of the four companies, only Checkpoint is making any money. TIS's problem seems to simply boil down to investment in the new release, but Cyberguard's data has me wondering. 
Has anyone else looked at the financial status of the firewall vendors as a selection criterion, or am I chasing a red herring? I thought the security market was going bananas, so I hadn't imagined anyone losing money. I also wonder about overall market direction now that larger companies are getting into the act like Novell, Mickeysoft, etc. The whole industry looks to me to be at a shake out point (look at Milkyway). Maybe I'm just being anal retentive... Dave Elfering elfering@worldnet.att.net From owner-firewalls-list Fri Nov 14 04:02:29 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA13332; Fri, 14 Nov 1997 02:43:37 -0800 (PST) Received: from stargate.ctp.com (stargate.ctp.com [149.44.2.10]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id BAA29520 for ; Fri, 14 Nov 1997 01:13:36 -0800 (PST) Received: from ctp.com (wormhole.ctp.com [149.44.3.33]) by stargate.ctp.com (8.6.12/8.6.12) with ESMTP id EAA24962 for ; Fri, 14 Nov 1997 04:15:01 -0500 Received: from jaguar.ctp.com (jaguar.ctp.com [149.44.109.17]) by ctp.com (8.8.6/8.8.5) with SMTP id EAA27166 for ; Fri, 14 Nov 1997 04:15:00 -0500 (EST) Received: by jaguar.ctp.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52) id <01BCF0B4.8E1FA7B0@jaguar.ctp.com>; Fri, 14 Nov 1997 04:19:52 -0500 Message-ID: From: Dennis Nwaigbo To: "'firewalls@greatcircle.com'" Subject: Enterprise Security Date: Fri, 14 Nov 1997 04:19:51 -0500 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I am new to firewalls and security design for a large enterprise. I am working on enterprise security design and management. 
I have the following areas to consider: Network - - - Desktop - - - Remote Access - - - Can anyone be kind enough to tell me what I should be considering most as far as those three areas are concerned. For example, if I am looking at network security, what security issues should I be looking at? I will appreciate any help from anyone. Thanks in advance Dennis From owner-firewalls-list Fri Nov 14 05:13:32 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA02551; Fri, 14 Nov 1997 05:11:58 -0800 (PST) Received: from alaska.bitline.com.br ([200.245.15.13]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id FAA02447 for ; Fri, 14 Nov 1997 05:11:32 -0800 (PST) Received: from modem23.bitline.com.br ([200.245.15.63]) by alaska.bitline.com.br (Netscape Mail Server v2.02) with SMTP id AAA199 for ; Fri, 14 Nov 1997 11:05:17 -0300 Received: by modem23.bitline.com.br with Microsoft Mail id <01BCF0EE.64544BE0@modem23.bitline.com.br>; Fri, 14 Nov 1997 11:13:53 -0300 Message-ID: <01BCF0EE.64544BE0@modem23.bitline.com.br> From: Paulino Michelazzo To: "'Firewalls@GreatCircle.COM'" Subject: Infos about firewall Date: Fri, 14 Nov 1997 11:12:50 -0300 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Dear friends: I have a network here and I need to connect this net to the Internet, but I believe that I need a firewall between my network and the Internet. Well, the OS here is Windows NT Server 4 running with IIS and Exchange Mail. Which firewall for this connection? 
Thanks for any information ----------------------------------------------------------- Paulino Michelazzo - Microsoft Certified Professional http://www.civila.com/brasil/paulino Mailto:pem@provedor.com ICQ Number: 2911392 From owner-firewalls-list Fri Nov 14 05:44:19 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA03786; Fri, 14 Nov 1997 05:19:47 -0800 (PST) Received: from mail.the-wire.com (mail.the-wire.com [198.53.192.5]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id FAA03596 for ; Fri, 14 Nov 1997 05:19:12 -0800 (PST) Received: from anton.the-wire.com (anton.the-wire.com [205.206.32.227]) by mail.the-wire.com (8.8.8/8.8.8) with SMTP id IAA02171 for ; Fri, 14 Nov 1997 08:19:46 -0500 (EST) Message-Id: <3.0.32.19971114082532.009ffae0@mail.the-wire.com> X-Sender: anton@mail.the-wire.com X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Fri, 14 Nov 1997 08:25:56 -0500 To: firewalls@greatcircle.com From: Anton J Aylward Subject: System resource controller Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I'm looking for a program like the AIX system resource controller. Situation is this: Normal "separation of Duties" methods of security applied to DNS. A DNS administrator with a login ID of "bind" owns the resource files. This is to avoid doing everything as root! Appropriate support via symlinks and whatever. But when a change has been made there is a need to HUP the named. Since named runs on a privileged port it is run as root. The userID "bind" can't HUP it. Under AIX there is the system resource controller. "bind" can be put in a group which can execute this. Not a perfect solution as this means "bind" can start and stop other resources too ;-( Does anyone have a better suggestion? Constraint: vendor supplied versions of the daemons are to be used. And yes, I know about sudo and the adminshell. 
/anton -------------------------------------------------------------------------- Anton J Aylward | "Quality refers to the extent to which The Strahn & Strachan Group Inc | processes, products, services, and Information Security Consultants | relationships are free from defects, Voice: (416) 421-8182 | constraints and items which do not add Fax: (416) 421-8183 | value." - Dr. Mildred G Pryor, 1995 From owner-firewalls-list Fri Nov 14 05:58:38 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA06963; Fri, 14 Nov 1997 05:36:01 -0800 (PST) Received: from relay.hq.tis.com (relay.hq.tis.com [192.94.214.100]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id FAA06873 for ; Fri, 14 Nov 1997 05:35:42 -0800 (PST) Received: by relay.hq.tis.com; id IAA15079; Fri, 14 Nov 1997 08:36:35 -0500 (EST) Received: from clipper.hq.tis.com(10.33.1.2) by relay.hq.tis.com via smap (4.0a) id xma015073; Fri, 14 Nov 97 08:35:53 -0500 Received: from gildor.hq.tis.com (relay.hq.tis.com [10.33.1.1]) by clipper.hq.tis.com (8.7.5/8.7.3) with SMTP id IAA07443; Fri, 14 Nov 1997 08:34:14 -0500 (EST) Message-Id: <3.0.3.32.19971114083546.0070573c@localhost> X-Sender: avolio@localhost X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Fri, 14 Nov 1997 08:35:46 -0500 To: elfering@tconl.com, Firewalls@greatcircle.com From: Frederick M Avolio Subject: Re: Firewall Decision Criterea In-Reply-To: <346C2749.43D6F743@tconl.com> References: <199711140643.WAA22767@honor.greatcircle.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk You had me with you right up until financial data as a telling factor. In considering financials you need to consider time public, other businesses, other investments, acquisitions, etc. So, by your criteria you should go with IBM or Microsoft. Both have things that people in their organizations call firewalls. 
My suggestion -- now that you have a short list, start talking to customers of those products and get future plans from each of the top 3 vendors on your list. f At 04:26 AM 11/14/97 -0600, Dave Elfering wrote: >I've been beating a dead horse over our decision process to select a >firewall product. > >The short list includes: (in order of preference) > - TIS Gauntlet (Best of the proxies) > - Checkpoint Firewall-1 (slick but is stateful inspection >trustworthy?) > - CyberGuard (slick and secure, but is it scalable on an X86 >platform?) >others in the mix for healthy comparison: > - Sidewinder (Just haven't seen it) > - Plain old FWTK (If all else fails there's ol' reliable) > >After reading all the color glossies there seem to be few real >differentiators between them. > >I've researched all the technical aspects (like the black cloud over >Firewall-1's stateful inspection), but what has me potentially whittling >down to the final vendor is financial data. Of the four companies, only >Checkpoint is making any money. TIS's problem seems to simply boil down >to investment in the new release, but Cyberguard's data has me >wondering. Has anyone else looked at the financial status of the >firewall vendors as a selection criterion, or am I chasing a red herring? > >I thought the security market was going bananas, so I hadn't imagined >anyone losing money. I also wonder about overall market direction now >that larger companies are getting into the act like Novell, Mickeysoft, >etc. The whole industry looks to me to be at a shake out point (look at >Milkyway). Maybe I'm just being anal retentive... 
> >Dave Elfering >elfering@worldnet.att.net > > From owner-firewalls-list Fri Nov 14 07:22:35 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA13847; Fri, 14 Nov 1997 06:13:10 -0800 (PST) Received: from lab321.ru (anonymous1.omsk.net.ru [194.226.32.34]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id FAA09673 for ; Fri, 14 Nov 1997 05:50:32 -0800 (PST) Received: from lab321.ru (kev.l321.omsk.net.ru [194.226.33.68]) by lab321.ru (8.8.5-MVC-230497/8.8.5) with ESMTP id TAA08272; Fri, 14 Nov 1997 19:44:06 +0600 (OSK) Message-ID: <346CAA7D.A3521404@lab321.ru> Date: Fri, 14 Nov 1997 19:46:05 +0000 From: Eugeny Kuzakov Organization: Powered by FreeBSD. X-Mailer: Mozilla 4.04 [en] (X11; I; FreeBSD 3.0-971022-SNAP i386) MIME-Version: 1.0 To: Alfred Perlstein CC: "Barfuß Egon jun." , firewalls@GreatCircle.COM, ntsecurity@iss.net, hackers@FreeBSD.com Subject: Re: Need a Firewall but don´t know which one References: Content-Type: text/plain; charset=koi8-r Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Alfred Perlstein wrote: > > simply, FreeBSD offers a firewall where TCP and UDP traffic can be > blocked, allowed or even diverted into a program for it to processes. ipfw? I like ipfilter more. It can customize responses to packets. 
-- Best wishes, Eugeny Kuzakov Laboratory 321 ( Omsk, Russia ) kev@lab321.ru From owner-firewalls-list Fri Nov 14 07:25:05 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA16151; Fri, 14 Nov 1997 06:23:24 -0800 (PST) Received: from relay6.UU.NET (relay6.UU.NET [192.48.96.16]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id GAA16121 for ; Fri, 14 Nov 1997 06:23:16 -0800 (PST) Received: from uucp3.UU.NET by relay6.UU.NET with SMTP (peer crosschecked as: uucp3.UU.NET [192.48.96.34]) id QQdpqf02154; Fri, 14 Nov 1997 09:24:52 -0500 (EST) Received: from dakia.UUCP by uucp3.UU.NET with UUCP/RMAIL ; Fri, 14 Nov 1997 09:24:44 -0500 Received: from localhost (asim@localhost) by mail.cyberaccess.com.pk (8.8.5/8.8.5) with SMTP id TAA13421; Fri, 14 Nov 1997 19:24:04 +0500 Date: Fri, 14 Nov 1997 19:24:04 +0500 (PKT) From: asim To: Eric Lunow cc: desmond_teh@hotmail.com, firewalls@GreatCircle.com, achowar@erenj.com Subject: Re: Transparent Proxy In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk A recent article about the ipfwadm utility used by Linux mentions that this utility also offers transparent proxying (without modification on the client side). Asim Rasheed On Wed, 12 Nov 1997, Eric Lunow wrote: > A number of vendors support Transparent Proxy features exactly > as you described - true application level proxying without requiring > special client modifications or configuration. > The PrivateNet firewall from NEC, now discontinued, > had that very feature. I also believe Borderware, > Raptor, and TIS Gauntlet currently have products that support > transparent proxies. 
> --------------------------------- > Eric Lunow > 12-Nov-97 10:34:59 > ---------------------------------- > From owner-firewalls-list Fri Nov 14 07:43:29 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA24473; Fri, 14 Nov 1997 07:19:08 -0800 (PST) Received: from newton.tedhome.ml.org (einstein.globaldialog.com [156.46.146.232]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id HAA24459 for ; Fri, 14 Nov 1997 07:19:00 -0800 (PST) Received: from newton.tedhome.ml.org (localhost.tedhome.ml.org [127.0.0.1]) by newton.tedhome.ml.org (8.8.5/8.8.5) with ESMTP id JAA06086; Fri, 14 Nov 1997 09:26:28 -0600 Message-Id: <199711141526.JAA06086@newton.tedhome.ml.org> X-Mailer: exmh version 2.0zeta 7/24/97 To: egon@computronic.at cc: Firewalls@GreatCircle.COM Subject: Re: Need a firewall but don t know which one Reply-To: tserreyn@pop.globaldialog.com In-reply-to: Your message of "Fri, 14 Nov 1997 08:38:54 +0100." <346C000E.8A509069@computronic.at> X-url: http://www.globaldialog.com/~tserreyn Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Fri, 14 Nov 1997 09:26:28 -0600 From: Ted Serreyn Sender: firewalls-owner@GreatCircle.COM Precedence: bulk There are few if any commercial firewalls for linux. None of the major players have decided to release products for this platform. If you really want to use linux, you're stuck writing your own with TIS, sf, or something like that. Take a look at the following url: http://www.ifi.unizh.ch/groups/bauknecht/SINUS/firewall.html the bottom of the page had some interesting links. I thought there was one commercial firewall product based on Linux, but the name escapes me at the moment. Currently I'm running linux as my personal firewall with some custom monitoring tools. 
Ted Serreyn
--
|Ted Serreyn tserreyn@pop.globaldialog.com|

From owner-firewalls-list Fri Nov 14 07:53:20 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA18772; Fri, 14 Nov 1997 06:36:12 -0800 (PST)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id GAA18757 for ; Fri, 14 Nov 1997 06:36:05 -0800 (PST)
Received: from saturn.hrz.tu-chemnitz.de by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id GAA14418; Fri, 14 Nov 1997 06:36:49 -0800 (PST)
Received: from mailbox.hrz.tu-chemnitz.de by saturn.hrz.tu-chemnitz.de with Local SMTP (PP); Fri, 14 Nov 1997 15:34:47 +0100
Received: from pandora.hrz.tu-chemnitz.de (pandora.hrz.tu-chemnitz.de [134.109.132.63]) by mailbox.hrz.tu-chemnitz.de (8.8.5/8.8.3) with ESMTP id PAA13272; Fri, 14 Nov 1997 15:34:42 +0100 (MET)
Received: from localhost by pandora.hrz.tu-chemnitz.de (8.8.5/client-1.5) id PAA20140; Fri, 14 Nov 1997 15:34:40 +0100
Date: Fri, 14 Nov 1997 15:34:37 +0100 (MET)
From: Johannes Schwabe
To: Anton J Aylward
cc: firewalls@GreatCircle.COM
Subject: Re: System resource controller
In-Reply-To: <3.0.32.19971114082532.009ffae0@mail.the-wire.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 14 Nov 1997, Anton J Aylward wrote:

> Situation is this: Normal "separation of Duties" methods of
> security applied to DNS. A DNS administrator with a
> login ID of "bind" owns the resource files. This is to
> avoid doing everything as root! Appropriate support via
> symlinks and whatever.
>
> But when a change has been made there is a need to HUP the
> named. Since named runs on a privileged port it is run
> as root. The userID "bind" can't HUP it.

Write a program to find out the PID of named and kill it. Make that program SUID root and accessible by user "bind" only.
Take care that the SUID program cannot be misused.

From owner-firewalls-list Fri Nov 14 08:25:12 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA25740; Fri, 14 Nov 1997 07:30:13 -0800 (PST)
Received: from di2.disclosure.com (di2.disclosure.com [206.181.208.4]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id HAA25697 for ; Fri, 14 Nov 1997 07:30:02 -0800 (PST)
Received: from smtpgate.disclosure.com (smtpgate.disclosure.com [192.168.101.5]) by di2.disclosure.com (8.8.7/8.8.7) with SMTP id KAA12403 for ; Fri, 14 Nov 1997 10:31:24 -0500 (EST)
Received: from ccMail by smtpgate.disclosure.com (IMA Internet Exchange 2.12 Enterprise) id 00050E66; Fri, 14 Nov 1997 10:33:08 -0500
Mime-Version: 1.0
Date: Fri, 14 Nov 1997 10:24:12 -0500
Message-ID: <00050E66.3452@disclosure.com>
From: Larry.Riley@disclosure.com (Larry Riley)
Subject: DCOM Security Question?
To: firewalls@Greatcircle.com
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Description: cc:Mail note part
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

My company is looking at using Microsoft's Distributed Component Object Model (DCOM) on a project we are going to deploy in the near future. I understand that most of the industry backs the use of Common Object Request Broker Architecture (CORBA) as the standard object bus. However, my programmers are telling me that DCOM is much better, especially in the areas of ease of use, management and security.

My concern is with the DCOM reference counting design that requires active objects to be regularly pinged over the network. Reference counting manages the life cycle of instantiated components. With it, an object increments a counter whenever an instance is created and decrements the counter whenever an instance is destroyed.
DCOM has no way of knowing when a client object has abruptly terminated; therefore, it must verify that the object reference held by the client is still active by pinging it. It's easy to picture how a large number of active objects could easily swamp the network with traffic. Additionally, this seems to be a remote procedure call (RPC) that may open security holes, and if my firewall doesn't allow ping through the firewall this would be a problem.

If anyone is using DCOM or has any comments on the use of it over a public network I would appreciate your comments.

Thanks,
Larry

From owner-firewalls-list Fri Nov 14 08:30:01 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA20754; Fri, 14 Nov 1997 06:45:00 -0800 (PST)
Received: from ITSUSNOW.COM (smtp.itsusnow.com [38.246.66.5]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id GAA20681 for ; Fri, 14 Nov 1997 06:44:45 -0800 (PST)
Received: from ITS-NSS-DOMAIN-Message_Server by ITSUSNOW.COM with Novell_GroupWise; Fri, 14 Nov 1997 09:43:04 -0500
Message-Id:
X-Mailer: Novell GroupWise 4.1
Date: Fri, 14 Nov 1997 09:42:46 -0500
From: Justin peltier
To: egon@computronic.at, Firewalls@greatcircle.com
Subject: Re: Need a firewall but don t know which one
Mime-Version: 1.0
Content-Type: text/plain
Content-Disposition: inline
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Firewall-1 is $4990 and I found it to be the best. There is a reason it holds 44% market share.

>>> "Barfu* Egon jun." 11/14 2:38 AM >>>
Hi,

I think I will buy one of the following firewalls:
FireWall - 1
SessionWall - 3
WatchGuard

As a platform I want to use Linux. Is this possible with these products and what do you think about them? Does anyone of you have information and experience with one of them? Are these firewalls good and how much do they cost????
Thanks in advance
Egon
--
mailto:egon@computronic.at

From owner-firewalls-list Fri Nov 14 08:31:45 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA21570; Fri, 14 Nov 1997 06:51:18 -0800 (PST)
Received: from ITSUSNOW.COM (smtp.itsusnow.com [38.246.66.5]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id GAA21543 for ; Fri, 14 Nov 1997 06:51:10 -0800 (PST)
Received: from ITS-NSS-DOMAIN-Message_Server by ITSUSNOW.COM with Novell_GroupWise; Fri, 14 Nov 1997 09:49:53 -0500
Message-Id:
X-Mailer: Novell GroupWise 4.1
Date: Fri, 14 Nov 1997 09:49:18 -0500
From: Justin peltier
To: dnwaig@ctp.com, firewalls@greatcircle.com
Subject: Re: Enterprise Security
Mime-Version: 1.0
Content-Type: text/plain
Content-Disposition: inline
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>>> Dennis Nwaigbo 11/14 4:19 AM >>>
I am new in firewalls and security design for a large enterprise. I am working on enterprise security design and management. I have the following areas to consider:

Network - - -
Desktop - - -
Remote Access - - -

Can anyone be kind enough to tell me what I should be considering most as far as those three areas are concerned. For example, if I am looking at network security, what security issues should I be looking at.

I will appreciate any help from anyone.
Thanks in advance
Dennis

From owner-firewalls-list Fri Nov 14 09:17:44 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA16336; Fri, 14 Nov 1997 06:24:45 -0800 (PST)
Received: from firewall.mobility.com (firewall.mobility.com [161.216.124.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id GAA16253 for ; Fri, 14 Nov 1997 06:24:19 -0800 (PST)
Message-Id: <199711141424.GAA16253@honor.greatcircle.com>
Received: from [161.216.252.1] by firewall.mobility.com via smtpd (for honor.greatcircle.com [198.102.244.44]) with SMTP; 14 Nov 1997 14:25:45 UT
Received: from ex13.mobility.com ([161.217.3.50]) by [161.216.252.1] via smtpd (for honor.greatcircle.com [198.102.244.44]) with SMTP; 14 Nov 1997 14:19:41 UT
Received: by CC20EHUB04.mobility.com with Internet Mail Service (5.0.1458.49) id ; Fri, 14 Nov 1997 09:25:43 -0500
From: "Grigorof, Adrian"
To: firewalls@GreatCircle.COM
Subject: RE: Eagle Raptor firewall
Date: Fri, 14 Nov 1997 09:25:08 -0500
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1458.49)
Content-Type: multipart/mixed; boundary="---- =_NextPart_000_01BCF0DF.4820BE90"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible.

------ =_NextPart_000_01BCF0DF.4820BE90
Content-Type: text/plain; charset="iso-8859-1"

No offense, but the best tip is to read the manual and the next best trick is to check the web site (www.raptor.com) for more details... definitely will save you time!

Adrian

sz-techserv wrote:
> Hi folks,
>
> lately, we got a new firewall here at our company and I'm forced to
> set it up. It is an Eagle Raptor Firewall (check details at
> http://www.raptor.dk/prodinfo/ds/eagle/eagle.html ) and there is where
> my trouble starts: I have no experience with this product.
> So, the question I have is easy: has anyone of You ever worked with this one,
> is there something special to look after or does anyone have any tips n
> tricks on maintaining and of course setting it up ?
> ..could really save me some time...
>
> thx a lot...
>
> Christian Petersen-Clausen
> www.shz.de
> hostmaster Schleswig Holsteinischer Zeitungsverlag

------ =_NextPart_000_01BCF0DF.4820BE90
Content-Type: application/ms-tnef
Content-Transfer-Encoding: base64

------ =_NextPart_000_01BCF0DF.4820BE90--

From owner-firewalls-list Fri Nov 14 09:20:01 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA08098; Fri, 14 Nov 1997 08:40:21 -0800 (PST)
Received: from amhost4.amcham.com.br (amhost4.amcham.com.br [200.224.17.194]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id IAA08042 for ; Fri, 14 Nov 1997 08:40:04 -0800 (PST)
Received: from planenge (localhost [127.0.0.1]) by amhost4.amcham.com.br (8.8.6/8.8.6) with SMTP id OAA26684 for ; Fri, 14 Nov 1997 14:41:42 -0200 (EDT)
Received: by planenge with Microsoft Mail id <01BCF10B.835BD860@planenge>; Fri, 14 Nov 1997 14:42:21 -0300
Message-ID:
<01BCF10B.835BD860@planenge>
From: Mario Pinho
To: "'Firewalls@GreatCircle.COM'"
Subject: DANGER!!! E-MAIL HACKER FOUND!!! RES: Infos about firewall
Date: Fri, 14 Nov 1997 14:42:19 -0300
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Please, do not answer the previous message from "pcm@provedor.com". The guy had deviated the below message that never arrived to me. He is a declared hacker (as you can see - if you understand Portuguese) in his personal home page. Also please provide the deletion of this guy from our list.

Regards,
Mario A. Pinho
Security Consultant

-----Original Message-----
From: Paulino Michelazzo
Sent: Friday, November 14, 1997 11:13 AM
To: 'Firewalls@GreatCircle.COM'
Subject: Infos about firewall

Dear friends:

I have a network here and I need to connect this net to the Internet, but I believe that I need a firewall between my network and the Internet. Well, the OS here is a Windows NT Server 4 running with IIS and an Exchange Mail. What firewall for this connection?

Thanks for any information

-----------------------------------------------------------
Paulino Michelazzo - Microsoft Certified Professional
http://www.civila.com/brasil/paulino
Mailto:pem@provedor.com
ICQ Number: 2911392

>From @.com.br Fri Nov 14 12:38 EDT 1997
Received: from global01.global.com.uy (localhost [127.0.0.1]) by br (8.8.6/8.8.6) with ESMTP id MAA16885 for ; Fri, 14 Nov 1997 12:37:43 -0200 (EDT)
Received: by globe.global.com.uy with Internet Mail Service (5.0.1457.3) id ; Fri, 14 Nov 1997 11:43:32 -0300
Received: from FINAMBRAS by global01.global.com.uy with SMTP (Microsoft Exchange Internet Mail Service Version 5.0.1457.7) id WKCRTHSM; Fri, 14 Nov 1997 11:43:23 -0300
Received: by with Internet Mail Service (5.0.1457.3) id ; Fri, 14 Nov 1997 12:42:12 -0200
Message-ID:
From: @
To: "'mpinho@amcham.com.br'"
Subject: !
Date: Fri, 14 Nov 1997 11:42:10 -0300
X-Priority: 3
Return-Receipt-To:
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1457.3)
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by amhost4.amcham.com.br id MAA16885
Content-Type: text/plain; charset="iso-8859-1"
Content-Length: 733

>From owner-firewalls-list@GreatCircle.COM Fri Nov 14 12:44 EDT 1997

From owner-firewalls-list Fri Nov 14 10:44:00 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA03559; Fri, 14 Nov 1997 10:35:33 -0800 (PST)
Received: from netcom12.netcom.com (netcom12.netcom.com [192.100.81.124]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id KAA03540 for ; Fri, 14 Nov 1997 10:35:24 -0800 (PST)
Received: from localhost (xod@localhost) by netcom12.netcom.com (8.8.5-r-beta/8.8.5/(NETCOM v1.02)) with SMTP id KAA21779 for ; Fri, 14 Nov 1997 10:36:46 -0800 (PST)
Date: Fri, 14 Nov 1997 10:36:45 -0800 (PST)
From: Nyarlathotep
X-Sender: xod@netcom12
To: Firewalls@GreatCircle.COM
Subject: Re: problem with netscape 3 - no firewall content
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello,

I don't know exactly how it works in W95 but in Unix we just make the history file read only and change the contents to something we want the webhost to see. Mine used to say: Alert! Virus Activated!

Ideally, you should call Netscape and pester them to produce software that is easy to secure. That's the only thing they have over Microsloth.

m@

Matthew Ashcraft, | Unix, Netware, The Net | "Sorry, but my karma just ran over your dogma."
and Rock n Roll | xod@netcom.com, |

On Thu, 13 Nov 1997, Ederlindo Cojuangco wrote:

>
>
> On Thu, 13 Nov 1997, sz-techserv wrote:
> ********some parts deleted**********
> >
> > The problem we have is that the netscape browser sends the complete
> > history to the server the customer is accessing. That means a webmaster
> > can see where the user using his server has been before as You all
> > should know from Your own experiences. The question is simple: How do I
> > stop netscape from writing down the history: in what file does the
> > browser write this information? We have a few URLs we would NOT
> > like to show to people from outside and we simply cannot search the
> > history of the browser every time before starting surfing the www.
> ============
> The file that records the history of all the www sites accessed is
> the "netscape.hst". Yes, I also would like not to record all the activity
> done on accessing the sites. What I did was to delete the file
> "netscape.hst" but it will not solve bec. it keeps on recording...well,
> it's part of the netscape program.
> Any good suggestions out there?
>
> ederts
> ============
> >
> > And by the way: Is there a chance to change the sent information about
> > the browser, the OS and the Hardware platform?
> >
> > thanks for Your help already
> >
> >
> > Christian Petersen-Clausen
> > hostmaster Schleswig Holsteinischer Zeitungsverlag
> > www.shz.de
> >
> > please reply to my private e-mail address hostmaster@presidency.com
>
>

From owner-firewalls-list Fri Nov 14 10:50:51 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA19775; Fri, 14 Nov 1997 09:33:17 -0800 (PST)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id JAA19707 for ; Fri, 14 Nov 1997 09:33:01 -0800 (PST)
From: dharris@kcp.com
Received: from kcpgw.kcp.com by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id JAA15111; Fri, 14 Nov 1997 09:33:47 -0800 (PST)
Message-Id: <199711141733.JAA15111@mycroft.GreatCircle.COM>
Received: by kcpgw.kcp.com id AA24593 (InterLock SMTP Gateway 3.0 for firewalls@greatcircle.com); Fri, 14 Nov 1997 11:33:49 -0600
Received: by kcpgw.kcp.com (Internal Mail Agent-2); Fri, 14 Nov 1997 11:33:49 -0600
Received: by kcpgw.kcp.com (Internal Mail Agent-1); Fri, 14 Nov 1997 11:33:49 -0600
Mime-Version: 1.0
Date: Fri, 14 Nov 1997 11:28:32 -0600
Subject: Re: System resource controller
To: firewalls@GreatCircle.COM, Anton J Aylward
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Description: cc:Mail note part
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Platinum Technology (www.platinum.com) has a tool which allows resource control on a per user basis, including the ability to provide controlled access to operations which would otherwise require a su root. This might provide a solution. It does not require kernel mods or modifications to standard daemons.

______________________________ Reply Separator _________________________________
Subject: System resource controller
Author: Anton J Aylward at INTERNET-MAIL
Date: 11/14/97 8:25 AM

I'm looking for a program like the AIX system resource controller.
Situation is this: Normal "separation of Duties" methods of security applied to DNS. A DNS administrator with a login ID of "bind" owns the resource files. This is to avoid doing everything as root! Appropriate support via symlinks and whatever.

But when a change has been made there is a need to HUP the named. Since named runs on a privileged port it is run as root. The userID "bind" can't HUP it.

Under AIX there is the system resource controller. "bind" can be put in a group which can execute this. Not a perfect solution as this means "bind" can start and stop other resources too ;-(

Does anyone have a better suggestion?

Constraint: vendor supplied versions of the daemons are to be used. And yes, I know about sudo and the adminshell.

/anton
--------------------------------------------------------------------------
Anton J Aylward                  | "Quality refers to the extent to which
The Strahn & Strachan Group Inc  | processes, products, services, and
Information Security Consultants | relationships are free from defects,
Voice: (416) 421-8182            | constraints and items which do not add
Fax: (416) 421-8183              | value." - Dr.
Mildred G Pryor, 1995

From owner-firewalls-list Fri Nov 14 12:00:46 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA11928; Fri, 14 Nov 1997 11:11:01 -0800 (PST)
Received: from p0015c01.kpmg.com (p0016c01.kpmg.com [199.207.255.14]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id LAA11882 for ; Fri, 14 Nov 1997 11:10:48 -0800 (PST)
From: emobley@kpmg.com
Received: by p0015c01.kpmg.com; id OAA25513; Fri, 14 Nov 1997 14:12:16 -0500 (EST)
Received: from pa0016c4.kpmg.com(130.100.150.27) by p0015c01.kpmg.com via smap (3.2) id xma025037; Fri, 14 Nov 97 14:11:44 -0500
Received: from mailgate3.kpmg.com by pa0016c4.kpmg.com(8.8.6/8.8.6) with SMTP id OAA26247 for ; Fri, 14 Nov 1997 14:07:39 -0500 (EST)
Received: from ccMail by mailgate3.kpmg.com (IMA Internet Exchange 2.1 Enterprise) id 000C6FCA; Fri, 14 Nov 97 14:09:34 -0500
Mime-Version: 1.0
Date: Fri, 14 Nov 1997 11:01:52 -0500
Message-ID: <000C6FCA.3365@kpmg.com>
Subject: Linux SU log
To: firewalls@greatcircle.com
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Description: cc:Mail note part
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello,

I'm using RedHat Linux 4.1 and I've noticed that it does not keep the traditional /var/adm/sulog. I can't find anything that records SU's. Does anybody know how I can configure /etc/syslog.conf (I assume that's where I'd want to do it) or whatever to get the logging of SU's that I need?
Thanks,
Ed

From owner-firewalls-list Fri Nov 14 12:02:26 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA23679; Fri, 14 Nov 1997 07:13:17 -0800 (PST)
Received: from compaq1.lucentncg.com (lucentncg.com [207.113.5.65]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id GAA19302 for ; Fri, 14 Nov 1997 06:39:06 -0800 (PST)
Received: from ncg1.lucentncg.com by compaq1.lucentncg.com via smtpd (for honor.greatcircle.com [198.102.244.44]) with SMTP; 14 Nov 1997 14:51:38 UT
Received: by ncg1.lucentncg.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BCF0D8.E0178050@ncg1.lucentncg.com>; Fri, 14 Nov 1997 08:39:52 -0600
Message-ID:
From: "Davis, Rob"
To: "'firewalls@greatcircle.com'"
Subject: [NTSEC] Re: Need a Firewall but dont know which one
Date: Fri, 14 Nov 1997 08:38:53 -0600
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

So what is the best firewall?

The technology to develop a *secure* firewall is very well understood today. You could easily use a Linux box with freely available tools installed on an old 486 that would be very secure and support the most commonly available services. Security is a lot of smoke and mirrors sometimes ;-) (I'll assume a professional security consultant is installing regardless of firewall type - money well spent from my experiences).

So why should you pay for firewall software? You pay for a firewall because you have a set of requirements and circumstances that are best met by a certain firewall vendor.

* protocols supported
* ability to customize for new applications
* logging
* throughput
* o/s supported
* log analysis capabilities
* ease of administration
* stability of vendor (will they be around next year?)
* responsiveness to customer requests
* third-party tools (virus scanning, etc)
* types of authentication
* et al.

I install Check Point and Raptor for example. The two firewalls approach security from different philosophical viewpoints, but both have their place depending on what the customer wants and their environment. I install on both UNIX and NT as well. Both have their place depending on the customer's environment and skill set.

What's the best firewall today? I haven't installed every firewall, so I'm really not sure. You could read an *independent* lab test, but the lab probably won't accurately reflect your environment. A lab test only reflects the results of a small subset of possible environmental variables - good info to have but not gospel.

Don't ask what is the best firewall. Assess the needs and requirements of your organization and then ask which firewall best meets your requirements for a price you can afford. After this assessment you may have to adjust the price you are willing to pay or modify your requirements.

regards,
Rob
________________________________
Rob Davis
Lucent Technologies, Network Consulting Group
Network Consultant
http://www.lucentncg.com
(972) 419-3815
1-800-SKY-PAGE #126-9384

-----Original Message-----
From: mike syiek [SMTP:msyiek@andovercg.com]
Sent: Thursday, November 13, 1997 4:21 PM
To: Barfu Egon jun.
Cc: firewalls@GreatCircle.om; ntsecurity@iss.net
Subject: Re: [NTSEC] Re: Need a Firewall but dont know which one

you guys will be missing the best:

http://www.tis.com
Gauntlet Firewall

Barfuß Egon jun. wrote:
> Hi,
>
> I think I will buy one of the following firewalls:
> FireWall - 1
> SessionWall - 3
> WatchGuard
>
> As a platform I want to use Linux. Is this possible with these products
> and what do you think about them?
> Does anyone of you have information and experience with one of them?
> Are these firewalls good and how much do they cost????
>
> Thanks in advance
> Egon
>
> --
> mailto:egon@computronic.at

From owner-firewalls-list Fri Nov 14 12:28:44 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA19000; Fri, 14 Nov 1997 11:43:29 -0800 (PST)
Received: from mailhub.stratus.com (mailhub.stratus.com [134.111.1.14]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id LAA14310 for ; Fri, 14 Nov 1997 11:22:32 -0800 (PST)
From: Dick_Wall@stratus.com
Received: from na2.stratus.com (na2.stratus.com [134.111.82.93]) by mailhub.stratus.com (8.8.5/8.8.2) with ESMTP id OAA21648 for ; Fri, 14 Nov 1997 14:26:48 -0500 (EST)
Received: from (root@localhost) by na2.stratus.com (8.8.5/8.8.5) with SMTP id OAA11736 for firewalls@greatcircle.com; Fri, 14 Nov 1997 14:13:29 -0500 (EST)
X-OpenMail-Hops: 1
Date: Fri, 14 Nov 97 14:12:59 -0500
Message-Id:
Subject: What To Do ??
MIME-Version: 1.0
TO: firewalls@greatcircle.com
Content-Type: text/plain; charset=US-ASCII; name="What"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm looking for a recommendation for the following ..

- I have a secure LAN "A"
- I have a less than secure LAN "B"
- The users on LAN "A" need to execute rsh commands to hosts on LAN "B"
- Today, we use a Cisco router and utilize the "established" filter, which allows "B" responses to come back to "A" hosts. That is, if the ACK bit is on, the filter allows the packets from "B" to go to "A" hosts.
- The execution of rsh commands apparently results in new connect requests from "B", and those requests choose a port of 1023 or "less". Successive requests choose the next lower port number.
- As this is not a high security risk environment, we normally would allow TCP ports >1024 to be initiated from "B" to "A". (We do this to allow standard FTP to work).

THE PROBLEM:
- The reverse connections fall into the well known port range. I'd rather not open those.
THE REAL QUESTIONS:
- How many ports should I open, if I were so inclined to open ports below 1023? That is, is there an expected lower limit that rsh might use?
- Is there any way to configure the rshd process to select ports "above" 1023?
- Got any other ideas of how to execute rsh commands from the secure LAN "A" to hosts on the less than secure LAN "B".

As usual .. thanks for any info ..

Dick

From owner-firewalls-list Fri Nov 14 14:29:34 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA09503; Fri, 14 Nov 1997 14:03:22 -0800 (PST)
Received: from p0015c01.kpmg.com (p0016c01.kpmg.com [199.207.255.14]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id OAA09467 for ; Fri, 14 Nov 1997 14:03:11 -0800 (PST)
From: emobley@kpmg.com
Received: by p0015c01.kpmg.com; id RAA18136; Fri, 14 Nov 1997 17:04:41 -0500 (EST)
Received: from pa0016c4.kpmg.com(130.100.150.27) by p0015c01.kpmg.com via smap (3.2) id xma018026; Fri, 14 Nov 97 17:04:32 -0500
Received: from mailgate3.kpmg.com by pa0016c4.kpmg.com(8.8.6/8.8.6) with SMTP id RAA28148 for ; Fri, 14 Nov 1997 17:00:26 -0500 (EST)
Received: from ccMail by mailgate3.kpmg.com (IMA Internet Exchange 2.1 Enterprise) id 000C7B88; Fri, 14 Nov 97 17:05:42 -0500
Mime-Version: 1.0
Date: Fri, 14 Nov 1997 13:44:11 -0500
Message-ID: <000C7B88.3365@kpmg.com>
Subject: Linux SU log
To: firewalls@greatcircle.com
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Description: cc:Mail note part
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello,

I'm using RedHat Linux 4.1 and I've noticed that it does not keep the traditional /var/adm/sulog. I can't find anything that records SU's. Does anybody know how I can configure /etc/syslog.conf (I assume that's where I'd want to do it) or whatever to get the logging of SU's that I need?
Thanks,
Ed

From owner-firewalls-list Fri Nov 14 14:44:27 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA09518; Fri, 14 Nov 1997 14:03:48 -0800 (PST) Received: from p0015c01.kpmg.com (p0016c01.kpmg.com [199.207.255.14]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id OAA09511 for ; Fri, 14 Nov 1997 14:03:40 -0800 (PST) From: emobley@kpmg.com Received: by p0015c01.kpmg.com; id RAA18440; Fri, 14 Nov 1997 17:05:12 -0500 (EST) Received: from pa0016c4.kpmg.com(130.100.150.27) by p0015c01.kpmg.com via smap (3.2) id xma018194; Fri, 14 Nov 97 17:04:45 -0500 Received: from mailgate3.kpmg.com by pa0016c4.kpmg.com(8.8.6/8.8.6) with SMTP id RAA28191 for ; Fri, 14 Nov 1997 17:00:38 -0500 (EST) Received: from ccMail by mailgate3.kpmg.com (IMA Internet Exchange 2.1 Enterprise) id 000C7B9C; Fri, 14 Nov 97 17:05:57 -0500 Mime-Version: 1.0 Date: Fri, 14 Nov 1997 13:48:48 -0500 Message-ID: <000C7B9C.3365@kpmg.com> Subject: Linux SU log To: firewalls@GreatCircle.com Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Description: cc:Mail note part Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hello,

I'm using RedHat Linux 4.1 and I've noticed that it does not keep the traditional /var/adm/sulog. I can't find anything that records SU's. Does anybody know how I can configure /etc/syslog.conf (I assume that's where I'd want to do it) or whatever to get the logging of SU's that I need?
Thanks,
Ed

From owner-firewalls-list Fri Nov 14 21:58:25 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id VAA05926; Fri, 14 Nov 1997 21:42:36 -0800 (PST) Received: from cypress.idir.net (cypress.idir.net [204.189.68.16]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id VAA05919 for ; Fri, 14 Nov 1997 21:42:27 -0800 (PST) Received: from cypress.idir.net (cypress.idir.net [204.189.68.16]) by cypress.idir.net (8.8.5/8.8.4) with SMTP id XAA16112; Fri, 14 Nov 1997 23:40:57 -0600 Date: Fri, 14 Nov 1997 23:40:57 -0600 (CST) From: Jason Keimig To: Darren Reed cc: firewalls@greatcircle.com Subject: Re: Hijak detection In-Reply-To: <199711120601.AAA26773@cypress.idir.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> >
> > So, in a nutshell, LOOKING at the layer-2 information will turn up 90% of
> > the offending hosts performing ANY kind of spoofing attack.
>
> Only if you're on the same LAN. All routers will replace the source MAC
> address with their own when routing.

Oops! My bad... of course this analysis works only for detecting attackers that sit on the local segment. Layer-2 analysis really is the first step in the monitoring process.

There are a couple of additional pieces of information that can be gleaned from packets that can reveal some things that even "expert" attackers cannot get around at all times. These approaches are a little more arduous, reveal less, and require more state maintenance on a per packet/connection/host basis. Definitely not a scalable approach for arbitrarily sized networks, but it can give insight.

I guess if it was all a one stop shop, we wouldn't need this list, eh?
-Jason

From owner-firewalls-list Fri Nov 14 22:43:56 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id WAA10990; Fri, 14 Nov 1997 22:35:59 -0800 (PST) Received: from cypress.idir.net (cypress.idir.net [204.189.68.16]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id WAA10975 for ; Fri, 14 Nov 1997 22:35:51 -0800 (PST) Received: from cypress.idir.net (cypress.idir.net [204.189.68.16]) by cypress.idir.net (8.8.5/8.8.4) with SMTP id AAA20433 for ; Sat, 15 Nov 1997 00:34:28 -0600 Date: Sat, 15 Nov 1997 00:34:28 -0600 (CST) From: Jason Keimig To: firewalls@greatcircle.com Subject: Re: Hijak detection Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> > The duplication is not as severe as you would see with a hijacked session.
> >You will generally see several hundred ACKed packets thrown around for each
> >new packet introduced by the hijacker.
>
> It seems to me that an expert attacker would have no problem in taking over
> the session without producing a couple of hundred of unexpected ACKed packets.

The point was that the attacker himself does not participate in the ACK food fight. It's a result of the two valid endpoints that are in a desynced state: one is trying to tell the other what its idea of the current state of the connection should be. A dropped packet is the only way to end this spat, given reliable network stacks on an unreliable medium.

> > This is true if you look at only a single ACK on one side of the stream. If
> >you compare the ACKs from both sides, you can see the side that has been
> >spoon-fed data by the attacker as their ACK # will be higher than the
> >supposedly corresponding SEQ # of the unmolested side. This is due to the
> >fact that the SEQ/ACK pair is based solely on the # of bytes sent/received
> >after the session has been established.
> > This pair is by no means a security mechanism in the purest sense. It is
> >used primarily to keep the sides in synch with one another. The fact that
> >it prevents accepting data out of order is really just a security side
> >effect inherent with connection-oriented bitstreams.
> >
>
> If the "good-guy"'s system on the remote side is brought to its knees (via
> a Denial-of-Service attack, etc.), then there is nothing really to compare

What denial of service attacks prevent a host from responding to flows that are already in a CONNECTED state? Okay, the F00F bug just made the headlines, but there are a large number of other types of boxes out there that you just simply can't lock up. Heck, before the F00F storm, what could you do to lock up x86 boxes with the type of DoS you describe?

> against. Also, it is trivial for seasoned hackers to supply the Sequence
> Numbers as well as pretty much any other info you would expect to find in
> the packets.

The information forgery is a given from the evil side. You simply cannot get around (as the attacker) what the unsuspecting hosts will spit out onto a shared medium. What's the multicast paradigm? "Anybody can send, receivers just selectively ignore." So here, the receiver (monitor) "decides" to listen to everybody.... what's an attacker to do?

-Jason

From owner-firewalls-list Fri Nov 14 22:48:50 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id VAA06039; Fri, 14 Nov 1997 21:49:50 -0800 (PST) Received: from edina.xenologics.com (edina.xenologics.com [194.77.5.1]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id VAA06032 for ; Fri, 14 Nov 1997 21:49:42 -0800 (PST) Received: from www (xpl114.xnc.de [194.77.5.78]) by edina.xenologics.com (8.6.8.1/8.6.6) with SMTP id GAA19808; Sat, 15 Nov 1997 06:51:03 +0100 Message-ID: <346D3845.60F7A5D5@edina.xnc.com> Date: Sat, 15 Nov 1997 06:51:01 +0100 From: Guido Stepken Organization: F.S.S.
X-Mailer: Mozilla 3.01Gold (X11; I; Linux 2.0.30 i586) MIME-Version: 1.0 To: Dan Stromberg CC: firewalls@greatcircle.com Subject: Frontend for TCPDUMP sniffer :))) References: <34475040.0@lps.tina.agr.st.com> <62jpvi$kqu@dfw-ixnews1.ix.netcom.com> <62lhun$pq8@knot.queensu.ca> <62lriv$kl9@nuhou.aloha.net> <62qke3$qbe@knot.queensu.ca> <3460ac2c.0@news1.ibm.net> <645pus$o1$1@twin.wasatch.com> <199711142143.NAA26787@bingy.acs.uci.edu> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Dan Stromberg wrote: > > Where's the GUI for tcpdump? > > In article <3468070E.2E70CC81@edina.xnc.com> you write: > <> > <> In article , > <> Security Adm writes: > <> > <> > I am sorry but I had to through this in... for a skewl project I went to > <> > the BVA(gov't vertan agency of some kind) an I got to work with a 30,000 > <> > dollar packet sniffer. Why the hell they spent 30 grand on it I don't > <> > know, but this is where our money is going to. > <> > <> We have a "30,000 dollar packet sniffer", an HP Internet Advisor. > <> There's more to it than just sniffing though. > <> > <> This particular box can decode just about every protocol known to > <> man (TCP, IPX, SNA, AppleTalk, etc etc), it can speak most > <> flavors of ethernet and things like V.35 and RS-232 as well. You > <> can hook it directly to a T1 (built-in CSU/DSU) and decode frame > <> relay packets, evaluate timing, etc. The whole right-hand side > <> of it is covered with jacks for plugging in various types of > <> media. > <> > <> In short, it does a *lot* of things besides sniff packets. This > <> box is more of a general-purpose LAN and WAN evaluator tool. 99% > <> of the time you don't need it, but the 1% is worth thousands of > <> billable dollars . > < > <, e.g. ISDN. 
> < > ; Fri, 14 Nov 1997 23:48:25 -0800 (PST) Received: from smtp.yankeegas.com by yankee.yankeegas.com (AIX 4.1/UCB 5.64/4.03) id AA14504; Sat, 15 Nov 1997 02:53:14 -0500 Received: from EAST-Message_Server by yankeegas.com with Novell_GroupWise; Sat, 15 Nov 1997 02:48:55 -0500 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Sat, 15 Nov 1997 02:48:43 -0500 From: BRAD LOWE Reply-To: LOWEB@yankeegas.com To: Firewalls@GreatCircle.COM Subject: Firewalls-Digest V6 #541 -Reply Mime-Version: 1.0 Content-Type: text/plain Content-Disposition: inline Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I will be out of the office until Friday, November 21st. If you need support prior to that date please contact the Help Desk at 639-4357 (they can page me if necessary). Thank you. From owner-firewalls-list Sat Nov 15 02:58:57 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id BAA04447; Sat, 15 Nov 1997 01:37:17 -0800 (PST) Received: from rivertrade.com ([206.145.121.17]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id BAA04329 for ; Sat, 15 Nov 1997 01:36:42 -0800 (PST) Received: from WESTGATE-Message_Server by rivertrade.com with Novell_GroupWise; Sat, 15 Nov 1997 03:40:28 -0600 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Sat, 15 Nov 1997 03:40:08 -0600 From: Brian Bosveld Reply-To: bosveld@rivertrade.com To: Firewalls@GreatCircle.COM Subject: Re:Firewalls-Digest V6 #542 Mime-Version: 1.0 Content-Type: text/plain Content-Disposition: inline Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I will be on vacation from November 12 through November 26. If you need assistance before then, please contact Mark Miller at 659-4343. 
>>> "Firewalls@GreatCircle.COM" 11/15/97 03:00 >>> Firewalls-Digest Saturday, November 15 1997 Volume 06 : Number 542 In this issue: Re: Hijak detection Frontend for TCPDUMP sniffer :))) Firewalls-Digest V6 #541 -Reply See the end of the digest for information on subscribing to the Firewalls or Firewalls-Digest mailing lists and on how to retrieve back issues. ---------------------------------------------------------------------- Date: Sat, 15 Nov 1997 00:34:28 -0600 (CST) From: Jason Keimig Subject: Re: Hijak detection > > The duplication is not as severe as you would see with a hijacked session. > >You will generally see several hundred ACKed packets thrown around for each > >new packet introduced by the hijacker. > > It seems to me that an expert attacker would have no problem in taking over > the session without producing a couple of hundred of unexpected ACKed packets. The point was that the attacker himself does not participate in the ACK food fight. Its a result of the two valid endpoints that are in a desynced state: one is trying to tell the other what its idea of the current state the connection should be. A dropped packet is the only way to end this spat, given reliable network stacks on an unreliable medium. > > This is true if you look at only a single ACK on one side of the stream. If > >you compare the ACKs from both sides, you can see the side that has been > >spoon-fed data by the attacker as their ACK # will be higher than the > >supposedly corresponding SEQ # of the unmolested side. This is due to the > >fact that the SEQ/ACK pair is based solely on the # of bytes sent/received > >after the session has been established. > > This pair is by no means a security mechanism in the purest sense. It is > >used primary to keep the sides in synch with one another. The fact that > >it prevents accepting data out of order is really just a security side > >effect inherent with connection-oriented bitstreams. 
> > > > If the "good-guy"'s system on the remote side is brought to its knees (via > a Denial-of-Service attack, etc.), then there is nothing really to compare What denial of service attacks prevent a host from responding to flows that are already in a CONNECTED state? Okay, the F00F bug just made the headlines, but there are a large number of other types of boxes out there that you just simply can't lock up. Heck, before the F00F storm, what could you do to lock up x86 boxes with the type of DoS you describe? > against. Also, it is trivial for seasoned hackers to supply the Sequence > Numbers as well as pretty much any other info you would expect to find in > the packets. The information forgery is a given from the evil side. You simply cannot get around (as the attacker) what the unsuspecting hosts will spit out onto a shared medium. Whats the multicast paradigm? "Anybody can send, receivers just selectively ignore." So here, the receiver (monitor) "decides" to listen everybody.... what's an attacker to do? - -Jason ------------------------------ Date: Sat, 15 Nov 1997 06:51:01 +0100 From: Guido Stepken Subject: Frontend for TCPDUMP sniffer :))) Dan Stromberg wrote: > > Where's the GUI for tcpdump? > > In article <3468070E.2E70CC81@edina.xnc.com> you write: > <> > <> In article , > <> Security Adm writes: > <> > <> > I am sorry but I had to through this in... for a skewl project I went to > <> > the BVA(gov't vertan agency of some kind) an I got to work with a 30,000 > <> > dollar packet sniffer. Why the hell they spent 30 grand on it I don't > <> > know, but this is where our money is going to. > <> > <> We have a "30,000 dollar packet sniffer", an HP Internet Advisor. > <> There's more to it than just sniffing though. > <> > <> This particular box can decode just about every protocol known to > <> man (TCP, IPX, SNA, AppleTalk, etc etc), it can speak most > <> flavors of ethernet and things like V.35 and RS-232 as well. 
You > <> can hook it directly to a T1 (built-in CSU/DSU) and decode frame > <> relay packets, evaluate timing, etc. The whole right-hand side > <> of it is covered with jacks for plugging in various types of > <> media. > <> > <> In short, it does a *lot* of things besides sniff packets. This > <> box is more of a general-purpose LAN and WAN evaluator tool. 99% > <> of the time you don't need it, but the 1% is worth thousands of > <> billable dollars . > < > <, e.g. ISDN. > < > Subject: Firewalls-Digest V6 #541 -Reply I will be out of the office until Friday, November 21st. If you need support prior to that date please contact the Help Desk at 639-4357 (they can page me if necessary). Thank you. ------------------------------ End of Firewalls-Digest V6 #542 ******************************* To unsubscribe from Firewalls-Digest, send the following command in the body of a message to "Majordomo@GreatCircle.COM": unsubscribe firewalls-digest If you want to subscribe or unsubscribe an address other than the account the mail is coming from, such as a local redistribution list, then append that address to the command; for example, to subscribe "local-firewalls": subscribe firewalls-digest local-firewalls@your.domain.net A non-digest (direct mail) version of this list is also available; to subscribe to that instead, replace all instances of "firewalls-digest" in the commands above with "firewalls". Compressed back issues are available for anonymous FTP from FTP.GreatCircle.COM, in pub/firewalls/digest/vNN.nMMM.Z (where "NN" is the volume number, and "MMM" is the issue number). 
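The comparison Jason Keimig describes in the "Hijak detection" exchange above (the side that has been spoon-fed data acknowledging more than its peer was ever seen to send, and the bare-ACK "food fight" that follows) can be turned into a passive monitor. The code below is an added example for this archive, not code from any poster or tool; the two trace records are constructed, and the `Segment` field names and the "A"/"B" side labels are this example's own assumptions. It goes slightly beyond the post by also catching the case where the monitor does see the forged segment: two senders then claim the same sequence range with different bytes.

```python
"""Passive detection of a desynchronised (hijacked) TCP session."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Segment:
    src: str        # "A" or "B": the endpoint whose address the segment carries
    seq: int        # sequence number of the first payload byte
    ack: int        # acknowledgement number carried by the segment
    payload: bytes  # b"" for a bare ACK


@dataclass
class Monitor:
    """Per-connection state a sniffer keeps while watching one session."""
    next_seq: Dict[str, int] = field(default_factory=dict)       # highest byte seen per side
    stream: Dict[str, Dict[int, int]] = field(default_factory=lambda: {"A": {}, "B": {}})
    flagged_ack: Dict[str, int] = field(default_factory=dict)    # avoid repeating check 1
    bare_acks: int = 0                                           # consecutive payload-less segments
    alerts: List[str] = field(default_factory=list)

    def observe(self, s: Segment, storm_threshold: int = 6) -> None:
        other = "B" if s.src == "A" else "A"

        # Check 1: nobody can acknowledge bytes its peer was never seen to send.
        # Fires when the injecting host sits where this monitor cannot see it.
        if (other in self.next_seq and s.ack > self.next_seq[other]
                and s.ack > self.flagged_ack.get(s.src, -1)):
            gap = s.ack - self.next_seq[other]
            self.alerts.append(f"{s.src} acks {s.ack} but {other} was only seen "
                               f"sending up to {self.next_seq[other]}: {gap} byte(s) injected")
            self.flagged_ack[s.src] = s.ack

        # Check 2: the same sequence range carrying different bytes means two
        # senders are using this side's address (the monitor saw the forgery).
        conflict = None
        for i, b in enumerate(s.payload):
            seen = self.stream[s.src].setdefault(s.seq + i, b)
            if seen != b and conflict is None:
                conflict = s.seq + i
        if conflict is not None:
            self.alerts.append(f"conflicting data in {s.src}'s stream at seq {conflict}")

        end = s.seq + len(s.payload)
        self.next_seq[s.src] = max(self.next_seq.get(s.src, end), end)

        # Check 3: the ACK storm. Desynchronised endpoints trade bare ACKs
        # endlessly, while a healthy session interleaves data with its ACKs.
        if s.payload:
            self.bare_acks = 0
        else:
            self.bare_acks += 1
            if self.bare_acks == storm_threshold:
                self.alerts.append(f"ACK storm: {storm_threshold} consecutive bare ACKs")


def analyse(trace: List[Segment]) -> List[str]:
    mon = Monitor()
    for seg in trace:
        mon.observe(seg)
    return mon.alerts


def shared_segment_trace() -> List[Segment]:
    """Constructed capture from a monitor that sees every host on the LAN."""
    return [
        Segment("A", 1000, 5000, b"GET /\r\n"),   # A -> B, 7 bytes
        Segment("B", 5000, 1007, b""),
        Segment("B", 5000, 1007, b"200 OK\r\n"),  # B -> A, 8 bytes
        Segment("A", 1007, 5008, b""),
        Segment("A", 1007, 5008, b"ls\r\n"),      # forged by a third host using A's address
        Segment("B", 5008, 1011, b"a.txt\r\n"),   # B accepts it and acks the injected 4 bytes
        Segment("A", 1007, 5015, b"quit\r\n"),    # the real A reuses seq 1007 with other bytes
        Segment("B", 5015, 1011, b""),            # from here on both sides only re-ACK
        Segment("A", 1013, 5015, b""),
        Segment("B", 5015, 1011, b""),
        Segment("A", 1013, 5015, b""),
        Segment("B", 5015, 1011, b""),
        Segment("A", 1013, 5015, b""),
    ]


def one_sided_trace() -> List[Segment]:
    """Constructed capture from A's side of the network: the forged segment
    was injected near B and never passes this monitor."""
    return [
        Segment("A", 1000, 5000, b"GET /\r\n"),
        Segment("B", 5000, 1007, b""),
        Segment("B", 5000, 1007, b"200 OK\r\n"),
        Segment("A", 1007, 5008, b""),
        Segment("B", 5008, 1011, b"a.txt\r\n"),   # B acks 1011, but A only ever sent up to 1007
        Segment("A", 1007, 5015, b"quit\r\n"),
    ]
```

Check 1 is the literal comparison from the post and is position-dependent: it only works when the monitor does not see the attacker's segments. Check 2 covers the shared-segment case the thread is mostly about, where the monitor sees the forgery as well as the genuine sender, and a retransmission never trips it because a retransmission repeats the same bytes. Check 3 needs tuning (the threshold here is arbitrary) but is what the "couple of hundred unexpected ACKed packets" looks like in a trace.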
From owner-firewalls-list Sat Nov 15 05:43:32 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA19459; Sat, 15 Nov 1997 05:30:20 -0800 (PST) Received: from mail.the-wire.com (mail.the-wire.com [198.53.192.5]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id FAA19452 for ; Sat, 15 Nov 1997 05:30:15 -0800 (PST) Received: from anton.the-wire.com (anton.the-wire.com [205.206.32.227]) by mail.the-wire.com (8.8.8/8.8.8) with SMTP id IAA06955; Sat, 15 Nov 1997 08:30:50 -0500 (EST) Message-Id: <3.0.32.19971115073934.02bbd1b0@mail.the-wire.com> X-Sender: anton@mail.the-wire.com X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Sat, 15 Nov 1997 08:37:44 -0500 To: Johannes Schwabe , Anton J Aylward From: Anton J Aylward Subject: Re: System resource controller Cc: firewalls@GreatCircle.COM Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

At 03:34 PM 14/11/97 +0100, Johannes Schwabe wrote:
## Reply Start ##
>On Fri, 14 Nov 1997, Anton J Aylward wrote:
>
>> Situation is this: Normal "separation of Duties" methods of
>> security applied to DNS. A DNS administrator with a
>> login ID of "bind" owns the resource files. This is to
>> avoid doing everything as root! Appropriate support via
>> symlinks and whatever.
>>
>> But when a change has been made there is a need to HUP the
>> named. Since named runs on a privileged port it is run
>> as root. The userID "bind" can't HUP it.
>
>Write a program to find out the PID of named and kill it. Make that
>program SUID root and accessible by user "bind" only. Take care that
>the SUID program cannot be misused.

I'm long past this stage. More specifically, I have such a program - it began life as a shell script - which looks for all the appropriate .pid files. Under LINUX it's easy - look in /var/run. So even that is more general than your specific one.
However, AIX's tool is more general still: start, stop, refresh.... But I don't like writing code if it's reinventing the wheel. Which was the point of my question. If it's already been written, someone has thought this through and perhaps seen things I haven't.

/anton
## Reply End ##

From owner-firewalls-list Sat Nov 15 15:42:07 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA11107; Sat, 15 Nov 1997 13:46:41 -0800 (PST) Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-971021-1) id NAA11099 for firewalls@greatcircle.com; Sat, 15 Nov 1997 13:46:38 -0800 (PST) Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id WAA19457 for ; Thu, 13 Nov 1997 22:27:33 -0800 (PST) Message-Id: <199711140627.WAA19457@honor.greatcircle.com> Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA012728570; Fri, 14 Nov 1997 17:22:50 +1100 From: Darren Reed Subject: Re: Hijak detection To: frankw@in.net (Frank Willoughby) Date: Fri, 14 Nov 1997 17:22:50 +1100 (EDT) Cc: avalon@coombs.anu.edu.au, jkeimig@idir.net, doy@indo-mail.com, adam@homeport.org, brad@freedom.gmsociety.org, circle@cali-net.com, morrow.long@yale.edu, frankw@in.net, anarch@freedom.gmsociety.org, firewalls@GreatCircle.COM In-Reply-To: <3.0.3.32.19971112082223.006a9d3c@in.net> from "Frank Willoughby" at Nov 12, 97 08:22:23 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

In some mail from Frank Willoughby, sie said:
>
> At 05:01 PM 11/12/97 +1100, Darren Reed wrote:
> >In some mail from Jason Keimig, sie said:
> >>
> >> So, in a nutshell, LOOKING at the layer-2 information will turn up 90% of
> >> the offending hosts performing ANY kind of spoofing attack.
> >
> >Only if you're on the same LAN. All routers will replace the source MAC
> >address with their own when routing.
>
> Hackers can also burn their own PROMS, if they need to.
At this point,
> even Layer-2 info will be seen as valid on the same LAN (particularly
> after a Denial-of-Service attack).

So what's this got to do with IP spoofing? And if I can burn my own PROMS and put them in the router (unless you meant EEPROM), why would I even bother with IP spoofing?

The original posting by Jason mentioned that in most packet spoofing hackers didn't properly forge the ethernet header (which they can do), and then it is obvious that the packets are spoofs. Spoofing the source ethernet address (for example) is much easier than burning PROMs. He went on to say that looking for these bad source layer-2 addresses is a good indication of spoofing.

My point was that after hopping through several routers, etc, you lose the layer-2 info anyway, so looking at it in an attempt to determine which packets are spoofs is rather pointless - UNLESS the spoofing is taking place on the _same_ LAN.

Darren

From owner-firewalls-list Sun Nov 16 00:58:29 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id AAA21245; Sun, 16 Nov 1997 00:56:52 -0800 (PST) Received: from paranoia.abm.com.au (abm-3-34.abm.com.au [203.16.203.34]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id AAA21238 for ; Sun, 16 Nov 1997 00:56:46 -0800 (PST) Received: (from uucp@localhost) by paranoia.abm.com.au (8.8.3/8.8.3) id UAA09666 for ; Sun, 16 Nov 1997 20:08:58 +1100 (EST) Received: from euphoria.abm.com.au(203.16.203.130) by paranoia.abm.com.au via smap (V1.3) id sma009664; Sun Nov 16 20:08:54 1997 Received: by euphoria.
(SMI-8.6/SMI-SVR4) id TAA06497; Sun, 16 Nov 1997 19:58:47 +1100 Message-Id: <199711160858.TAA06497@euphoria.> Received: from port2.bris.technet2000.com.au(203.31.165.102) by euphoria via smap (V1.3) id sma006494; Sun Nov 16 19:58:27 1997 From: "Jan Zeilinga" To: Subject: auto secure from Platinum Date: Sun, 16 Nov 1997 18:50:28 +1100 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1161 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I realize this is off the topic.. but has anyone had experience with products like autosecure from Platinum? I am especially interested in comments about it in regards to securing unix and if it lives up to its expectation.

Jan Zeilinga
Unix/Network consultant
abm Australasia Pty Ltd
Tel 613-94159166 Fax 613-94159245

From owner-firewalls-list Sun Nov 16 02:13:40 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA01708; Sun, 16 Nov 1997 02:07:48 -0800 (PST) Received: from icicle.winternet.com (icicle.winternet.com [198.174.169.13]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id CAA01645 for ; Sun, 16 Nov 1997 02:07:29 -0800 (PST) Received: (from adm@localhost) by icicle.winternet.com (8.8.8/8.8.8) id EAA03234; Sun, 16 Nov 1997 04:09:14 -0600 (CST) Received: from tundra.winternet.com(198.174.169.11) by icicle.winternet.com via smap (V2.0) id xma003197; Sun, 16 Nov 97 04:08:53 -0600 Date: Sun, 16 Nov 1997 04:08:53 -0600 (CST) From: Ron DuFresne To: Jan Zeilinga cc: Firewalls@GreatCircle.COM Subject: Re: auto secure from Platinum In-Reply-To: <199711160858.TAA06497@euphoria.> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Sun, 16 Nov 1997, Jan Zeilinga wrote:
> I realize this is off the topic..
>
> but has anyone had experience with products like autosecure from Platinum.
> I am especially interested in comments about it in regards to securing
> unix and if it lives up to its expectation.
>

Which Platinum are you referring to? There are a few of them around...

Later,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.

From owner-firewalls-list Sun Nov 16 03:13:34 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA07556; Sun, 16 Nov 1997 02:58:42 -0800 (PST) Received: from upshield.uniq.com.au (upstop.uniq.com.au [192.195.152.113]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id CAA07549 for ; Sun, 16 Nov 1997 02:58:35 -0800 (PST) Received: (from smtp@localhost) by upshield.uniq.com.au id WAA27126 (8.8.7/IDA-1.6); Sun, 16 Nov 1997 22:00:10 +1100 (EST) Received: from upshoo.uniq.com.au(192.195.152.130), claiming to be "upserv.uniq.com.au" via SMTP by upshield.uniq.com.au, id smtpdAAAa006bo; Sun Nov 16 22:00:04 1997 Received: from basil.uniq.com.au (basil.uniq.com.au [192.168.3.1]) by upserv.uniq.com.au with ESMTP id VAA15196 (8.8.5/IDA-1.6); Sun, 16 Nov 1997 21:59:58 +1100 (EST) Received: (from pauline@localhost) by basil.uniq.com.au id VAA03439 (8.8.5/IDA-1.6); Sun, 16 Nov 1997 21:59:43 +1100 (EST) Date: Sun, 16 Nov 1997 21:59:43 +1100 (EST) From: Pauline van Winsen - Uniq Professional Services Message-ID: <199711161059.VAA03439@basil.uniq.com.au> To: CLau@ELDEC.com, carson@tla.org Subject: Re: spam Cc: firewalls@GreatCircle.COM Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Content-MD5: +kSLLUnAv4RwhkoabMwQ/A== Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

hi chris & carson,

> >>>>> "Chris" == Lau, Chris writes:
>
> Chris> Does anyone have a solution on how to stop spam email at the firewall
> Chris> level? We are using TIS Gauntlet. Some one out there is using our
> Chris> company name to send out spam email. We are getting many angry replies
> Chris> to us asking us to stop spamming. We were not the ones doing it.
>
> Yep. Talk to your Gauntlet rep and yell at them to roll out the
> anti-relaying patches faster. We (MSDWD, They Who Cut My Paycheck) are
> probably going to fork over US$12k to TIS's consulting arm to get the fix
> faster. Latest I heard is it should get rolled into the commercial release
> 1H'98. The more folks who scream at TIS about this, the faster it will get
> done. It's all about perceived importance and marketing.

if you can't wait for a vendor fix, check out smtpd:

http://www.obtuse.com/smtpd.html

it's freely avail. a drop-in replacement for smap/smapd. runs in a chroot environment, forks off the MTA of your choice for delivery (sound familiar?) & has the most sophisticated anti-spam features i have found.

i replaced smap/smapd with smtpd about 3 months ago & have been very pleased with the results. no relaying & much, much less spam. useful for ISP's who have to handle a large number of domains as it has the ability to match on the nameserver a domain is using. same feature is also useful for dropping mail from known spamhauses. smtpd can also defer mail from domainnames which do not resolve quite easily. check out the docs for the full list of features.

hope this helps,

pauline

Pauline van Winsen pauline@uniq.com.au
Uniq Professional Services Pty Ltd www.uniq.com.au
PO Box 70, Paddington, NSW 2021, (Sydney) Australia
Phone: +61-2-9380-6360 Fax: +61-2-9380-6416 Pager: 016 287 000
"The ultimate goal of most girls is usually marriage rather than a continued career in the business world." Choosing a Girl's Career - Book 8, Woman's World, circa 1964.
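The anti-relaying decision that Pauline's reply describes smtpd making at the gateway can be stated as a small policy evaluated at each RCPT TO. The code below is an added illustration for this archive, not smtpd's code and not from any poster: mail for the site's own domains is accepted from anyone, outbound mail is accepted only from the site's own networks, and everything else is refused as a relay attempt. The domains, address blocks and addresses are constructed placeholders, and the `blocked_sender_domains` list stands in for the "known spamhauses" check (the nameserver matching smtpd does needs DNS, so it is left out here).

```python
"""SMTP relay policy: refuse third-party relaying at RCPT TO time."""
import ipaddress
import re
from typing import Iterable, List, Optional, Tuple

# Envelope address as it appears in MAIL FROM:/RCPT TO:, with or without <>.
ADDR_RE = re.compile(r"^<?([^<>@\s]+)@([^<>@\s]+)>?$")


def address_domain(addr: str) -> Optional[str]:
    """Lower-cased domain of an envelope address; None for the null sender <>."""
    addr = addr.strip()
    if addr in ("", "<>"):
        return None
    m = ADDR_RE.match(addr)
    if m is None:
        raise ValueError(f"malformed address {addr!r}")
    return m.group(2).lower()


class RelayPolicy:
    """Local delivery is always fine; outbound relaying only for clients on
    our own networks; anything else is a relay attempt and gets a 550."""

    def __init__(self, local_domains: Iterable[str], internal_nets: Iterable[str],
                 blocked_sender_domains: Iterable[str] = ()) -> None:
        self.local = {d.lower() for d in local_domains}
        self.nets = [ipaddress.ip_network(n) for n in internal_nets]
        self.blocked = {d.lower() for d in blocked_sender_domains}

    def is_internal(self, client_ip: str) -> bool:
        ip = ipaddress.ip_address(client_ip)
        return any(ip in net for net in self.nets)

    def is_local_domain(self, domain: str) -> bool:
        # "example.com" also covers "host.example.com": any parent label match counts.
        labels = domain.split(".")
        return any(".".join(labels[i:]) in self.local for i in range(len(labels)))

    def check_rcpt(self, client_ip: str, mail_from: str, rcpt_to: str) -> Tuple[int, str]:
        """SMTP reply (code, text) for one RCPT TO, given the session's MAIL FROM."""
        try:
            sender_domain = address_domain(mail_from)
            rcpt_domain = address_domain(rcpt_to)
        except ValueError as exc:
            return 501, f"syntax error: {exc}"
        if rcpt_domain is None:
            return 501, "recipient address needs a domain"
        if sender_domain in self.blocked:
            return 550, f"mail from {sender_domain} not accepted here"
        if self.is_local_domain(rcpt_domain):
            return 250, "ok, local delivery"
        if self.is_internal(client_ip):
            return 250, "ok, outbound mail from our network"
        return 550, "relaying denied"


def evaluate_session(policy: RelayPolicy, client_ip: str,
                     commands: List[str]) -> List[Tuple[int, str]]:
    """Apply the policy to the MAIL FROM/RCPT TO lines of a constructed session."""
    replies: List[Tuple[int, str]] = []
    mail_from = "<>"
    for cmd in commands:
        verb, _, arg = cmd.partition(":")
        if verb.upper() == "MAIL FROM":
            mail_from = arg.strip()
            replies.append((250, "ok"))
        elif verb.upper() == "RCPT TO":
            replies.append(policy.check_rcpt(client_ip, mail_from, arg.strip()))
    return replies


# Constructed site: one local domain, one internal block, one refused sender domain.
SITE = RelayPolicy(["example.com"], ["192.168.0.0/16"], ["spamhaus.example"])
```

The order of the checks matters: the sender block is applied before the local-domain test so that a listed sender cannot deliver inbound either, and the internal-network test comes last so that a host outside the site can never reach the "outbound" branch no matter what it puts in MAIL FROM.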
From owner-firewalls-list Sun Nov 16 05:28:32 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id EAA16186; Sun, 16 Nov 1997 04:59:52 -0800 (PST) Received: from mail.the-wire.com (mail.the-wire.com [198.53.192.5]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id EAA16179 for ; Sun, 16 Nov 1997 04:59:46 -0800 (PST) Received: from anton.the-wire.com (anton.the-wire.com [205.206.32.227]) by mail.the-wire.com (8.8.8/8.8.8) with SMTP id IAA28703; Sun, 16 Nov 1997 08:00:07 -0500 (EST) Message-Id: <3.0.32.19971115185827.009967e0@mail.the-wire.com> X-Sender: anton@mail.the-wire.com X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Sun, 16 Nov 1997 08:03:15 -0500 To: "Jan Zeilinga" , From: Anton J Aylward Subject: Re: why use a smtp proxy Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

At 01:56 PM 05/11/97 +1100, Jan Zeilinga wrote:
## Reply Start ##
>The current proposed configuration is to allow smtp traffic through the
>firewall to our exchange server. The exchange server then decides what to
>do with the mail and routes it on-wards to its destined servers within our
>network. My question is would you use the smtp security server with
>firewall-1 to do this, no security server at all or allow connections to
>port 25 from the internet, or install an other smtp proxy...
>
>What purpose would the smtp proxy serve?

Let us consider, as mathematicians and logicians are wont to do, a limiting case. Let's also simplify it, running back to the classical router+bastion+router model.

Inside, there is a mail server, a single point of contact for all mail operations. Let's call it "MailHost". It holds all the internal mailboxes, however you choose to implement them. It is inaccessible from the outside, and hence can be considered 'protected' to whatever degree the 'firewall' is doing so.
(pardon my mad cackle at this point)

Outside, there is "MailGate", which is the mail server seen from the internet. This may be the bastion, or something dedicated on the DMZ. It is here that you run your stripped down mail daemon. This daemon is so incredibly dumb it's not true. It merely accepts mail messages. It's so dumb it cannot be spoofed - that is, it's definitely not sendmail. Its job is purely to accept mail into a spool area.

There is also a relayer program, the second part of the STORE AND FORWARD proxy. This is marginally less dumb. Where if a hacker were to break in to the listener daemon, it would find out nothing about the internal network, its users or names or configuration, the relayer at least knows that there IS an internal network, and what its name is. Now ideally, the listener will run chrooted and asynchronous to the relayer; that is, the listener will NEVER spawn (fork/execl) the relayer.

The relayer knows the name of the internal network (and possibly any supported virtual domains). This can discard messages which spammers are using your site as a forwarder for. (sorry about the grammar there)

The job of the relayer is purely to pass the messages thru the 'firewall' to the MailHost. The MailHost has the knowledge of the internal network and the users. Use of suitable firewall configuration, filters on the routers and perhaps TCPWrappers means that MailHost will accept mail ONLY from the internal network and MailGate.

We can argue about the protection for MailGate endlessly.

For outgoing mail, there is a similar set of filters, and MailGate will only accept it if it comes from MailHost. Issues like 'hostname stripping', so that all mail seems to come from "user@domain.com" rather than "user@internalhost.domain.com", can be done by the MailHost.

There are many variations on this. The advantages are many.
You may consider that if Mailgate is taken out by an attack from the internet then MailHost survives; it can queue outgoing messages and deal with the internal flow. Some sources suggest having a Mailgate separate from the bastion/firewall, so that if the MailGate is taken out other services still function, and conversely if the bastion is taken out the MailGate can still queue incoming messages. Once again, there are permutations.

That is a broad outline. It's also probably a more comprehensive answer than you asked for. It's also not very innovative; this is pretty standard stuff. The move to put a "firewall in a box" is clouding the issues of "Separation of Duties/Process" which were once an important part of security design.

/anton
## Reply End ##

--------------------------------------------------------------------------
Anton J Aylward                  | "Quality refers to the extent to which
The Strahn & Strachan Group Inc  | processes, products, services, and
Information Security Consultants | relationships are free from defects,
Voice: (416) 421-8182            | constraints and items which do not add
Fax: (416) 421-8183              | value." - Dr.
Mildred G Pryor, 1995 From owner-firewalls-list Sun Nov 16 05:58:42 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA20539; Sun, 16 Nov 1997 05:46:55 -0800 (PST) Received: from mail.binarybus.com ([204.245.72.233]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id FAA20523 for ; Sun, 16 Nov 1997 05:46:48 -0800 (PST) Received: from binarybus.com [207.205.131.193] by mail.binarybus.com (SMTPD32-4.02) id A50517D01DC; Sat, 15 Nov 1997 19:57:41 EST5EDT From: Jon Luman To: emily@abraxis.com Subject: Income Tax Reform Reply-To: Date: Sun, 16 Nov 1997 08:07:46 -0400 Message-Id: <12564235322.GAA15852@binarybus.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In 1991, the IRS reported that there were 163 million "taxpayers", and in a seperate report, they claimed that they received 111 million tax filings for that year. What happened to the other 52 million? The Internal Revenue Service is silent about them. Some probably got to tax-filing time, didn't have the money, and are hiding under the bed in fear. But many, many of these "missing" people learned how to be EXEMPT from the IRS and the Federal Income Tax, and have permanently dropped out of the system! 
To learn more about income tax freedom in America, stop in at: http://FutureGate.com/tax_buster or, get more information by autoresponse, just send an e-mail to: taxnews@futuregate.com

Best Regards,
Jon
----------------------------------------------------------------------
FutureGate.com also Hosts these great sites:
AutoBuy - The Buyers Resource - http://FutureGate.com/autobuy
The Watkins Products Catalog - Online - http://FutureGate.com/watkins_catalog
Submit Your Site to 200+ - http://FutureGate.com/supersubmit
Marie's Country Music Island - http://FutureGate.com/autobuy/country_music/cwel.html
-----------------------------------------------------------------------
To be removed from future mailings, just hit REPLY and type REMOVE in the subject line, then send.

From owner-firewalls-list Sun Nov 16 07:58:34 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA01131; Sun, 16 Nov 1997 07:46:43 -0800 (PST)
Received: from pili.adn.edu.ph ([165.220.57.4]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id HAA01114 for ; Sun, 16 Nov 1997 07:46:35 -0800 (PST)
Received: from localhost (onio@localhost) by pili.adn.edu.ph (8.8.5/8.8.5) with SMTP id IAA04911; Mon, 17 Nov 1997 08:09:27 +0800 (PHT)
Date: Mon, 17 Nov 1997 08:09:27 +0800 (PHT)
From: onio
To: Khoo Soo Kim
cc: "Firewalls@GreatCircle.COM"
Subject: Re: Firewall which running UDP
In-Reply-To: <346BD637.382F33B7@khtp.usm.my>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

try Socks!

On Fri, 14 Nov 1997, Khoo Soo Kim wrote:
> Hi,
> Does anyone know any firewall solution which works well with UDP?
From owner-firewalls-list Sun Nov 16 23:58:46 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA07575; Sun, 16 Nov 1997 23:50:31 -0800 (PST)
Received: from smtp.bankinter.es (dns.bankinter.es [194.75.4.34]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id XAA07568 for ; Sun, 16 Nov 1997 23:50:25 -0800 (PST)
Received: from develop by smtp.bankinter.es (SMI-8.6/SMI-SVR4) id IAA02423; Mon, 17 Nov 1997 08:50:02 +0100
Message-ID: <346FF7B1.EC5A7E80@nexo.es>
Date: Mon, 17 Nov 1997 07:52:18 +0000
From: "Batista, M."
Organization: Unión de Transportes Insulares, S.A.
X-Mailer: Mozilla 4.0 [en] (WinNT; I)
MIME-Version: 1.0
To: onio
CC: Khoo Soo Kim , "Firewalls@GreatCircle.COM"
Subject: Re: Firewall which running UDP
X-Priority: 3 (Normal)
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

onio wrote:
> try Socks!
>
> On Fri, 14 Nov 1997, Khoo Soo Kim wrote:
> > Hi,
> > Does anyone know any firewall solution which works well with UDP?

Try udprelay, Socks works over TCP!
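Going back to Anton Aylward's store-and-forward mail gateway above: the three policy checks he describes (the relayer refusing to forward anything not addressed to a domain the site serves, MailHost accepting SMTP only from the internal network or MailGate, and MailHost stripping internal host names from outgoing addresses) are small enough to show as code. The block below is an added example written for this page; it is not code from Anton's post or from any mail system. The domain names, network ranges, host addresses and spool records are constructed for illustration, and the spool format is a stand-in for whatever the dumb listener actually writes.

```python
"""Relay and acceptance policy for a store-and-forward mail gateway.

Added example modelled on the MailGate / MailHost split described in the
thread; not code from the original post. Domain names, network ranges,
addresses and spool records are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumed site parameters (constructed for the example).
LOCAL_DOMAINS = {"domain.com", "virtual.example"}   # primary + virtual domains
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")    # the internal network
MAILGATE_IP = ipaddress.ip_address("192.0.2.25")     # MailGate, on the DMZ
MAILHOST_IP = ipaddress.ip_address("10.0.0.25")      # MailHost, inside


@dataclass
class SpooledMessage:
    """What the dumb listener leaves in the spool: envelope plus raw text.
    The listener never runs the relayer; the relayer just reads the spool."""
    envelope_from: str
    envelope_to: list
    text: str


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an envelope address, or '' if malformed."""
    m = re.fullmatch(r"[^@\s]+@([^@\s]+)", addr)
    return m.group(1).lower() if m else ""


def relayer_decision(msg: SpooledMessage) -> str:
    """Relayer policy on MailGate: 'forward' to MailHost only when every
    envelope recipient is in a domain this site serves. Anything else is a
    third-party relay attempt (spammers using the site as a forwarder) and
    is discarded. The relayer never needs to know internal host names."""
    if not msg.envelope_to:
        return "discard"
    if all(domain_of(r) in LOCAL_DOMAINS for r in msg.envelope_to):
        return "forward"
    return "discard"


def mailhost_accepts_connection(peer_ip: str) -> bool:
    """MailHost's filter: SMTP only from the internal network or MailGate.
    In practice this is a router ACL, firewall rule or tcp_wrappers entry."""
    ip = ipaddress.ip_address(peer_ip)
    return ip in INTERNAL_NET or ip == MAILGATE_IP


def mailgate_accepts_outbound(peer_ip: str) -> bool:
    """MailGate's filter for outgoing mail: only MailHost may submit it."""
    return ipaddress.ip_address(peer_ip) == MAILHOST_IP


def strip_internal_hostnames(header_value: str, domain: str = "domain.com") -> str:
    """Hostname stripping on MailHost for outgoing mail: rewrite
    user@internalhost.domain.com (any depth of internal labels) to
    user@domain.com; a bare user@domain.com is left alone."""
    pattern = re.compile(
        r"([^@\s<>]+)@(?:[\w-]+\.)+" + re.escape(domain) + r"(?![\w.-])")
    return pattern.sub(lambda m: f"{m.group(1)}@{domain}", header_value)


def process_spool(spool) -> list:
    """Run the relayer over a spool; returns (envelope_from, decision) pairs."""
    return [(m.envelope_from, relayer_decision(m)) for m in spool]


# Constructed spool contents: one legitimate inbound message, one relay
# attempt, and one mixed case that must also be refused.
SAMPLE_SPOOL = [
    SpooledMessage("alice@example.net", ["bob@domain.com"], "Subject: hi\n\nhello"),
    SpooledMessage("spammer@example.org", ["victim@elsewhere.org"], "Subject: $$$\n\nbuy"),
    SpooledMessage("x@example.org", ["bob@virtual.example", "v@elsewhere.org"], "..."),
]

if __name__ == "__main__":
    for sender, decision in process_spool(SAMPLE_SPOOL):
        print(f"{sender:24} -> {decision}")
    print(strip_internal_hostnames("From: Bob <bob@mailhub.eng.domain.com>"))
```

The relayer's rule is deliberately a whitelist of destination domains rather than a blacklist of senders: a mixed recipient list is refused as a whole, since forwarding the local recipients and silently dropping the others would still make the box useful to a spammer probing for an open relay. Whether to discard or to return an SMTP 5xx is a local choice; discarding gives the outside less feedback.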
From owner-firewalls-list Mon Nov 17 01:43:43 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id BAA14637; Mon, 17 Nov 1997 01:41:20 -0800 (PST)
Received: from purveyor.DresdnerBank.de (purveyor.DresdnerBank.de [193.98.252.50]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id BAA14594 for ; Mon, 17 Nov 1997 01:41:09 -0800 (PST)
Received: from fz9exz01.dresdner-bank.de (unverified [193.98.252.230]) by purveyor.DresdnerBank.de (Integralis SMTPRS 2.04) with SMTP id ; Mon, 17 Nov 1997 10:24:56 +0100
Received: by fz9exz01.dresdner-bank.de with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52) id <01BCF342.9094C030@fz9exz01.dresdner-bank.de>; Mon, 17 Nov 1997 10:21:27 +0100
Message-Id:
From: "Becker, Christoph"
To: "'firewalls@greatcircle.com'"
Subject: PIX Firewall Manager
Date: Mon, 17 Nov 1997 10:18:08 +0100
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We are having problems installing the PIX Firewall Manager, Version 4.1.2, on our NT clients (NT 4.0 Workstation). We have local administration rights, but every time we start the installation program and acknowledge the 'Welcome' window with 'Next', a message appears: 'You are not authorized to run this installer. Terminating....' As the next step we were given administrator rights in the domain, but the problem is the same. Has anyone installed the PIX Firewall Manager? Are there any special ways to get a running program?
______________________________________________
Christoph Becker
Dresdner Bank AG Frankfurt
Konzernstab Organisation
IT-Systemimplementierung Netzwerksysteme
Phone: +49 69 263 - 16484
Fax:   +49 69 263 - 11375
e-Mail: Christoph.Becker@Dresdner-Bank.com
WWW: http://www.dresdner-bank.de
______________________________________________

From owner-firewalls-list Mon Nov 17 02:28:26 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA22256; Mon, 17 Nov 1997 02:23:34 -0800 (PST)
Received: from yankee.yankeegas.com (yankee.yankeegas.com [204.29.137.9]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id CAA22232 for ; Mon, 17 Nov 1997 02:23:26 -0800 (PST)
Received: from smtp.yankeegas.com by yankee.yankeegas.com (AIX 4.1/UCB 5.64/4.03) id AA25842; Mon, 17 Nov 1997 05:28:42 -0500
Received: from EAST-Message_Server by yankeegas.com with Novell_GroupWise; Mon, 17 Nov 1997 05:24:12 -0500
Message-Id:
X-Mailer: Novell GroupWise 4.1
Date: Mon, 17 Nov 1997 05:23:30 -0500
From: BRAD LOWE
Reply-To: LOWEB@yankeegas.com
To: Firewalls@GreatCircle.COM
Subject: Firewalls-Digest V6 #544 -Reply
Mime-Version: 1.0
Content-Type: text/plain
Content-Disposition: inline
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I will be out of the office until Friday, November 21st. If you need support prior to that date please contact the Help Desk at 639-4357 (they can page me if necessary). Thank you.
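On the SOCKS question in the "Firewall which running UDP" thread: Batista's reply above is right for SOCKS version 4, whose request has only CONNECT and BIND commands, and the later replies from Marc VanHeyningen and Pauline van Winsen are right that SOCKS version 5 (RFC 1928) adds a UDP ASSOCIATE command and a per-datagram encapsulation header. The block below is an added example of those SOCKS5 messages, written for this page; it is not code from the thread or from any SOCKS product. It encodes the UDP ASSOCIATE request and reply, wraps and unwraps a relayed datagram, and applies the relay-side source check. All addresses, ports and payloads are constructed, and the fallback to the control connection's peer address when the client sends an all-zero DST.ADDR is a common implementation choice, not something the RFC pins down.

```python
"""SOCKS5 UDP ASSOCIATE: request, reply and datagram encapsulation (RFC 1928).

Added example, not code from the thread or from any SOCKS product. The
addresses, ports and payloads are constructed.
"""
import ipaddress
import struct

SOCKS_VER = 5
CMD_CONNECT, CMD_BIND, CMD_UDP_ASSOCIATE = 1, 2, 3   # SOCKS4 has only CONNECT/BIND
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4
REP_SUCCEEDED, REP_CMD_NOT_SUPPORTED = 0, 7


def encode_addr(host: str, port: int) -> bytes:
    """ATYP + address + 2-byte network-order port (RFC 1928 section 5)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:                       # not an IP literal: domain name
        name = host.encode("idna")
        if not 0 < len(name) < 256:
            raise ValueError("domain name length must fit in one byte")
        return bytes([ATYP_DOMAIN, len(name)]) + name + struct.pack("!H", port)
    atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
    return bytes([atyp]) + ip.packed + struct.pack("!H", port)


def decode_addr(buf: bytes, off: int):
    """Parse ATYP/address/port at offset; returns (host, port, next_offset)."""
    if len(buf) < off + 2:
        raise ValueError("truncated address")
    atyp = buf[off]
    if atyp == ATYP_IPV4:
        host, end = str(ipaddress.IPv4Address(buf[off + 1:off + 5])), off + 5
    elif atyp == ATYP_IPV6:
        host, end = str(ipaddress.IPv6Address(buf[off + 1:off + 17])), off + 17
    elif atyp == ATYP_DOMAIN:
        n = buf[off + 1]
        host, end = buf[off + 2:off + 2 + n].decode("idna"), off + 2 + n
    else:
        raise ValueError(f"unknown ATYP {atyp}")
    if len(buf) < end + 2:
        raise ValueError("truncated address")
    return host, struct.unpack("!H", buf[end:end + 2])[0], end + 2


def udp_associate_request(client_host: str = "0.0.0.0", client_port: int = 0) -> bytes:
    """Client -> server on the TCP control connection. DST.ADDR/DST.PORT is
    where the client will send UDP from; all zeros if not yet known."""
    return bytes([SOCKS_VER, CMD_UDP_ASSOCIATE, 0]) + encode_addr(client_host, client_port)


def handle_request(req: bytes, relay_host: str, relay_port: int) -> bytes:
    """Server side. For UDP ASSOCIATE the reply's BND.ADDR/BND.PORT is the
    relay's UDP endpoint that the client must send its datagrams to."""
    if len(req) < 4 or req[0] != SOCKS_VER or req[2] != 0:
        raise ValueError("malformed SOCKS5 request")
    decode_addr(req, 3)                                   # validates DST.ADDR/PORT
    if req[1] != CMD_UDP_ASSOCIATE:
        return bytes([SOCKS_VER, REP_CMD_NOT_SUPPORTED, 0]) + encode_addr("0.0.0.0", 0)
    return bytes([SOCKS_VER, REP_SUCCEEDED, 0]) + encode_addr(relay_host, relay_port)


def parse_reply(rep: bytes):
    """Client side: returns (REP, BND.ADDR, BND.PORT)."""
    if len(rep) < 4 or rep[0] != SOCKS_VER:
        raise ValueError("malformed SOCKS5 reply")
    host, port, _ = decode_addr(rep, 3)
    return rep[1], host, port


def wrap_udp(dst_host: str, dst_port: int, payload: bytes) -> bytes:
    """Client -> relay datagram: RSV(2)=0, FRAG=0, ATYP, DST.ADDR, DST.PORT, DATA."""
    return b"\x00\x00\x00" + encode_addr(dst_host, dst_port) + payload


def unwrap_udp(datagram: bytes):
    """Relay side: validate the header, return (dst_host, dst_port, data).
    Fragmentation (FRAG != 0) is optional in the RFC; a relay that does not
    reassemble must drop such datagrams rather than forward them."""
    if len(datagram) < 4 or datagram[:2] != b"\x00\x00":
        raise ValueError("bad RSV")
    if datagram[2] != 0:
        raise ValueError("fragmented datagram not supported; drop")
    host, port, off = decode_addr(datagram, 3)
    return host, port, datagram[off:]


def relay_accepts_from(assoc: tuple, tcp_peer_ip: str, src: tuple) -> bool:
    """Only datagrams from the associated client are relayed. With an all-zero
    DST.ADDR the relay falls back to the control connection's peer IP, and
    with a zero port it accepts any source port (assumed implementation choice)."""
    want_ip, want_port = assoc
    if want_ip in ("0.0.0.0", "::"):
        want_ip = tcp_peer_ip
    if want_port == 0:
        return src[0] == want_ip
    return src == (want_ip, want_port)


if __name__ == "__main__":
    req = udp_associate_request("10.0.0.5", 5000)        # constructed client
    reply = handle_request(req, "192.0.2.1", 40000)       # constructed relay
    print(parse_reply(reply))                             # (0, '192.0.2.1', 40000)
    dgram = wrap_udp("ntp.example", 123, b"\x1b" + bytes(47))
    print(unwrap_udp(dgram)[:2])                          # ('ntp.example', 123)
```

Two things in that exchange matter for a firewall: the UDP relay endpoint in the reply is allocated per association and lives only as long as the TCP control connection, so a stateful filter can tie the UDP flow to an authenticated TCP session, and the relay forwards only datagrams whose source matches the association, which is what stops it from becoming a general UDP reflector. Neither property exists in SOCKS4.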
From owner-firewalls-list Mon Nov 17 05:13:29 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id EAA02993; Mon, 17 Nov 1997 04:58:05 -0800 (PST)
Received: from paranor.ca.cch.com (paranor.ca.cch.com [192.139.248.1]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id EAA02986 for ; Mon, 17 Nov 1997 04:58:00 -0800 (PST)
Received: by paranor.ca.cch.com; id AA03902; Mon, 17 Nov 97 07:57:42 EST
Received: from frodo.ca.cch.com(192.139.241.7) by paranor.ca.cch.com via smap (3.2) id xma003894; Mon, 17 Nov 97 07:57:40 -0500
Received: from phoenix.ca.cch.com (phoenix [192.139.241.8]) by ca.cch.com (8.8.5/8.8.5) with ESMTP id HAA20015 for ; Mon, 17 Nov 1997 07:57:53 -0500 (EST)
From: Larry Chin
Received: (from larry@localhost) by phoenix.ca.cch.com (8.8.5/8.8.5) id IAA00711 for Firewalls@GreatCircle.COM; Mon, 17 Nov 1997 08:00:33 -0500 (EST)
Date: Mon, 17 Nov 1997 08:00:33 -0500 (EST)
Message-Id: <199711171300.IAA00711@phoenix.ca.cch.com>
To: Firewalls@GreatCircle.COM
Subject: Re: Firewall which running UDP
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

mbatistad@nexo.es wrote:
| Try udprelay, Socks works over TCP.!

Has anyone ported udprelay to SunOS 4.1.x and/or Solaris 2.6, and if so would you be willing to share the source with an entirely overworked sysadmin?

thanks

Mon Nov 17 08:00:24 EST 1997
=====================================================================
Larry Chin {Larry_Chin@ca.cch.com}    CCH Canadian Ltd.
Phone: 416-224-2224 ext. 6349         90 Sheppard Ave E
Fax:   416-224-1414                   North York, Ontario, M2N 3A1
=====================================================================
For every complex problem, there is a solution that is simple, neat, and wrong. -- H. L. Mencken

From owner-firewalls-list Mon Nov 17 09:28:55 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA16594; Mon, 17 Nov 1997 09:07:14 -0800 (PST)
Received: from newman.aventail.com (newman.aventail.com [199.238.236.1]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id JAA16587 for ; Mon, 17 Nov 1997 09:07:06 -0800 (PST)
Received: from smtp.in.aventail.com (bucknaked.in.aventail.com [192.168.1.68]) by newman.aventail.com (8.8.5/8.8.5) with ESMTP id JAA23283; Mon, 17 Nov 1997 09:08:18 -0800 (PST)
X-Mailer: exmh version 2.0zeta 7/24/97
From: marcvh@aventail.com (Marc VanHeyningen)
To: "Batista, M." , Firewalls@GreatCircle.COM
Subject: Re: Firewall which running UDP
In-reply-to: Your message of "Mon, 17 Nov 1997 07:52:18 GMT."
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 17 Nov 1997 09:08:18 -0800
Message-ID: <10910.879786498@smtp.in.aventail.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > > Does anyone know any firewall solution which works well with UDP?
> > try Socks!
> Try udprelay, Socks works over TCP.!

SOCKSv4 works over TCP. SOCKSv5 handles UDP as well (not perfectly, but it works for a lot of apps.) Unfortunately the UDP space is diverse enough that whether something "works well with UDP" depends on what exactly you're trying to do with it (and, of course, what your security requirements are.)
--
Marc VanHeyningen  marcvh@aventail.com
Internet Security Architect  Aventail  http://www.aventail.com/

From owner-firewalls-list Mon Nov 17 09:29:59 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA16757; Mon, 17 Nov 1997 09:14:19 -0800 (PST)
Received: from Cadabratech.com ([207.61.6.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id JAA16750 for ; Mon, 17 Nov 1997 09:14:11 -0800 (PST)
Received: from moe.UUCP (moe@localhost) by Cadabratech.com (8.6.12/8.6.9) with UUCP id MAA22345 for GreatCircle.COM!Firewalls; Mon, 17 Nov 1997 12:10:42 -0500
Received: from willie.cadabra.ca by moe.cadabra.ca (5.x/SMI-SVR4) id AA29135; Mon, 17 Nov 1997 11:57:25 -0500
Date: Mon, 17 Nov 1997 11:57:25 -0500
From: dons@Cadabratech.com (Don Shesnicky)
Message-Id: <9711171657.AA29135@moe.cadabra.ca>
To: Firewalls@GreatCircle.COM
Subject: tcp/udp port numbers
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Does anyone have a complete list of port numbers? I have a firewall where I am seeing traffic on port 161 but haven't been able to track it down. All of the hosts behind the firewall are NT boxes and I'm thinking that it's related to WINS. It seems that when I do a Network browse it starts firing off packets to all IP addresses on the other side of the firewall via udp port 161. It seems to start at one IP and then increment bit wise.

I've found some web pages that list port numbers but they're pretty much the same as unix:/etc/services.
Don

From owner-firewalls-list Mon Nov 17 09:58:50 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA21329; Mon, 17 Nov 1997 09:55:46 -0800 (PST)
Received: from ALABAMA.CF.CS.YALE.EDU (RT-GW.CS.YALE.EDU [128.36.0.13]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id JAA21312 for ; Mon, 17 Nov 1997 09:55:40 -0800 (PST)
Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU (8.7.1/res.host.cf-4.0) with ESMTP id MAA24255; Mon, 17 Nov 1997 12:57:31 -0500 (EST) sender long-morrow@CS.YALE.EDU for
Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-8.7.1/res.client.cf-4.0) id MAA09357; Mon, 17 Nov 1997 12:57:28 -0500 (EST)
Date: Mon, 17 Nov 1997 12:57:28 -0500 (EST)
Message-Id: <199711171757.MAA09357@SPARKY.CF.CS.YALE.EDU>
To: Firewalls@GreatCircle.COM, dons@Cadabratech.com
Subject: Re: tcp/udp port numbers
From: "H. Morrow Long"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Note that UDP port 161 is SNMP. SNMP also makes use of UDP port 162 to send trap/alert messages.

You can find a list of the well known and registered TCP and UDP port numbers at:

  ftp://ftp.isi.edu/in-notes/iana/assignments/port-numbers

Though malicious SNMP scanning does exist (it can identify "open" HP hubs and printers, for one thing), there are many cases of software sending out SNMP probes in the natural course of events (programs which use SNMP as one tool to attempt to map out a network via SNMP, printer drivers attempting to browse and probe for HP printers to list for users wishing to select a printer, network management stations 'discovering' managed objects with SNMP agents and associated MIBs, etc). Browsing remote SNMP MIBs you can often determine the remote system type, OS level and other useful information when managing and doing an inventory of your network (of course, in the wrong hands that info can be used against you).

>From: dons@Cadabratech.com (Don Shesnicky)
>Does anyone have a complete list of port numbers?
>I have a firewall
>where I am seeing traffic on port 161 but haven't been able to
>track it down. All of the hosts behind the firewall are NT boxes
>and I'm thinking that it's related to WINS. It seems that when I
>do a Network browse it starts firing off packets to all IP addresses
>on the other side of the firewall via udp port 161. It seems to start
>at one IP and then increment bit wise.
>
>I've found some web pages that list port numbers but they're pretty
>much the same as unix:/etc/services.
>
>Don
>

H. Morrow Long, Yale Univ IT ISO - Info Technology Services Info Security Officer
175 Whitney Avenue, New Haven, CT 06520-8276, (203)432-1248 (voice) 432-0593 (FAX)
INET: http://pantheon.yale.edu/~long/  mailto:Morrow.Long@yale.edu
PAGE: (203)370-3081, (800)347-2574, mailto:1165469@pager.mcb.com PIN# 1165469
PGP 1024/54F9FD69 1997/08/25 fp 97 ED E7 9D 41 8A 90 8C 4D 7C 22 56 80 BA 84 09

From owner-firewalls-list Mon Nov 17 10:13:47 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA21793; Mon, 17 Nov 1997 09:58:12 -0800 (PST)
Received: from services.state.mo.us (services.state.mo.us [168.166.2.67]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id JAA21722 for ; Mon, 17 Nov 1997 09:57:56 -0800 (PST)
Received: (from james@localhost) by services.state.mo.us (8.8.3/8.8.0) id MAA11268; Mon, 17 Nov 1997 12:00:17 -0600 (CST)
Date: Mon, 17 Nov 1997 12:00:16 -0600 (CST)
From: James Proffer
X-Sender: james@services
To: Don Shesnicky
cc: Firewalls@GreatCircle.COM
Subject: Re: tcp/udp port numbers
In-Reply-To: <9711171657.AA29135@moe.cadabra.ca>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

ftp://venera.isi.edu/in-notes/iana/assignments/port-numbers

On Mon, 17 Nov 1997, Don Shesnicky wrote:
>
> Does anyone have a complete list of port numbers?
> I have a firewall
> where I am seeing traffic on port 161 but haven't been able to
> track it down. All of the hosts behind the firewall are NT boxes
> and I'm thinking that it's related to WINS. It seems that when I
> do a Network browse it starts firing off packets to all IP addresses
> on the other side of the firewall via udp port 161. It seems to start
> at one IP and then increment bit wise.
>
> I've found some web pages that list port numbers but they're pretty
> much the same as unix:/etc/services.
>
> Don
>

--
Missouri State Data Center          <*>  James Proffer: UNIX sysadm
Missouri Government Information      |   mailto:james@mail.state.mo.us
for the citizens of Missouri         |   http://www.state.mo.us/server.shtml
and the citizens of the world        |   (573) 751-1544  Fax: (573) 751-3299

From owner-firewalls-list Mon Nov 17 10:59:37 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA27540; Mon, 17 Nov 1997 10:26:50 -0800 (PST)
Received: from maildeliver0.tiac.net (maildeliver0.tiac.net [199.0.65.19]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id KAA27433 for ; Mon, 17 Nov 1997 10:26:28 -0800 (PST)
Received: from www.hollyfeld.org (www.hollyfeld.org [204.130.199.143]) by maildeliver0.tiac.net (8.8.7/8.8) with ESMTP id NAA01462; Mon, 17 Nov 1997 13:27:57 -0500 (EST)
Received: from www.hollyfeld.org (www.hollyfeld.org [204.130.199.143]) by www.hollyfeld.org (8.8.4/8.8.4) with SMTP id NAA14144; Mon, 17 Nov 1997 13:34:23 -0500
Date: Mon, 17 Nov 1997 13:34:22 -0500 (EST)
From: Daniel Garcia
To: Don Shesnicky
cc: Firewalls@GreatCircle.COM
Subject: Re: tcp/udp port numbers
In-Reply-To: <9711171657.AA29135@moe.cadabra.ca>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Does anyone have a complete list of port numbers?
> I have a firewall
> where I am seeing traffic on port 161 but haven't been able to

According to my /etc/services file, 161 is the snmp port.

>
> I've found some web pages that list port numbers but they're pretty
> much the same as unix:/etc/services.
>
> Don
>

From owner-firewalls-list Mon Nov 17 11:33:29 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA29374; Mon, 17 Nov 1997 10:37:37 -0800 (PST)
Received: from bbnplanet.com (mail.bbnplanet.com [198.114.157.21]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id KAA29324 for ; Mon, 17 Nov 1997 10:37:25 -0800 (PST)
Received: from pasilla.bbnplanet.com by mail.bbnplanet.com id aa07310; 17 Nov 97 13:39 EST
Received: by pasilla.bbnplanet.com (SMI-8.6/SMI-4.1) id NAA18459; Mon, 17 Nov 1997 13:39:05 -0500
Message-Id: <199711171839.NAA18459@pasilla.bbnplanet.com>
Subject: Re: tcp/udp port numbers
To: Don Shesnicky
Date: Mon, 17 Nov 1997 13:39:05 -0500 (EST)
From: Ed Forbes
Cc: Firewalls@greatcircle.com
In-Reply-To: <9711171657.AA29135@moe.cadabra.ca> from "Don Shesnicky" at Nov 17, 97 11:57:25 am
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Does anyone have a complete list of port numbers?

There are lots of web pages. I think rs.internic.net has one.

> I have a firewall where I am seeing traffic on port 161 but
> haven't been able to track it down.

Port 161 is SNMP.

> All of the hosts behind the firewall are NT boxes
> and I'm thinking that it's related to WINS. It seems that when I
> do a Network browse it starts firing off packets to all IP addresses
> on the other side of the firewall via udp port 161. It seems to start
> at one IP and then increment bit wise.
>
> I've found some web pages that list port numbers but they're pretty
> much the same as unix:/etc/services.
>
> Don

From owner-firewalls-list Mon Nov 17 11:35:32 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA05202; Mon, 17 Nov 1997 11:04:57 -0800 (PST)
Received: from pop.netgate.net (pop.netgate.net [204.145.147.7]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id LAA05079 for ; Mon, 17 Nov 1997 11:04:32 -0800 (PST)
Received: from workhorse (d151.netgate.net [205.214.160.190]) by pop.netgate.net (8.8.5/8.8.5) with SMTP id MAA13885 for ; Mon, 17 Nov 1997 12:22:46 -0800 (PST)
From: "David Silva"
To:
Subject: Re: tcp/udp port numbers
Date: Mon, 17 Nov 1997 10:59:45 -0800
Message-ID: <01bcf38a$f81826a0$bea0d6cd@workhorse>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.71.1712.3
X-MimeOLE: Produced By Microsoft MimeOLE V4.71.1712.3
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Check your "SERVICES" file in the Windows directory (assuming you have a Windows box). Port 161 is SNMP (UDP).

-----Original Message-----
From: Don Shesnicky
To: Firewalls@GreatCircle.COM
Date: Monday, November 17, 1997 10:54 AM
Subject: tcp/udp port numbers

>
>Does anyone have a complete list of port numbers? I have a firewall
>where I am seeing traffic on port 161 but haven't been able to
>track it down. All of the hosts behind the firewall are NT boxes
>and I'm thinking that it's related to WINS. It seems that when I
>do a Network browse it starts firing off packets to all IP addresses
>on the other side of the firewall via udp port 161. It seems to start
>at one IP and then increment bit wise.
>
>I've found some web pages that list port numbers but they're pretty
>much the same as unix:/etc/services.
>
>Don
>

From owner-firewalls-list Mon Nov 17 11:37:28 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA03999; Mon, 17 Nov 1997 10:59:27 -0800 (PST)
Received: from blackhole1.tactik.com (bgs1.tactik.com [206.47.15.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id KAA03954 for ; Mon, 17 Nov 1997 10:59:15 -0800 (PST)
Received: from blackyqe0.ceb.qc.ca (blackyqe0.ceb.qc.ca [204.101.110.2]) by blackhole1 with ESMTP (DuhMail/2.0) id OAA00727; Mon, 17 Nov 1997 14:18:10 -0500
Received: from [204.101.110.173] ([204.101.110.173]) by ceb.qc.ca with ESMTP (DuhMail/2.0) id OAA08941; Mon, 17 Nov 1997 14:12:40 -0500
X-Authentication-Warning: ceb.qc.ca: Host [204.101.110.173] claimed to be tactik-nt-173
Message-ID: <3470941F.EB97D1F1@emergis.com>
Date: Mon, 17 Nov 1997 13:59:43 -0500
From: Alex Fournier
Reply-To: afournie@emergis.com
X-Mailer: Mozilla 4.01 [en] (WinNT; I)
MIME-Version: 1.0
To: Don Shesnicky
CC: Firewalls@GreatCircle.COM
Subject: Re: tcp/udp port numbers
X-Priority: 3 (Normal)
References: <9711171657.AA29135@moe.cadabra.ca>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Port 161 is used for SNMP. One of your stations must be running Network Management software and is probing the network for existing devices...

Alex

Don Shesnicky wrote:
> Does anyone have a complete list of port numbers? I have a firewall
> where I am seeing traffic on port 161 but haven't been able to
> track it down. All of the hosts behind the firewall are NT boxes
> and I'm thinking that it's related to WINS. It seems that when I
> do a Network browse it starts firing off packets to all IP addresses
> on the other side of the firewall via udp port 161. It seems to start
> at one IP and then increment bit wise.
>
> I've found some web pages that list port numbers but they're pretty
> much the same as unix:/etc/services.
>
> Don

--
Alex Fournier
Consultant -- Bell
e-mail: afournie@emergis.com

From owner-firewalls-list Mon Nov 17 12:16:29 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA12455; Mon, 17 Nov 1997 11:43:36 -0800 (PST)
Received: from Cadabratech.com ([207.61.6.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id LAA07489 for ; Mon, 17 Nov 1997 11:15:08 -0800 (PST)
Received: from moe.UUCP (moe@localhost) by Cadabratech.com (8.6.12/8.6.9) with UUCP id OAA25329 for GreatCircle.COM!Firewalls; Mon, 17 Nov 1997 14:10:33 -0500
Received: from willie.cadabra.ca by moe.cadabra.ca (5.x/SMI-SVR4) id AA01393; Mon, 17 Nov 1997 13:58:35 -0500
Date: Mon, 17 Nov 1997 13:58:35 -0500
From: dons@Cadabratech.com (Don Shesnicky)
Message-Id: <9711171858.AA01393@moe.cadabra.ca>
To: Firewalls@GreatCircle.COM
Subject: tcp/udp port numbers - more
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Thanks everyone for the list of port numbers, I went and retrieved one good one. But it is bizarre: I just went to check the logs on the firewall to make sure I had the port numbers and everything right, and sure enough our NT domain server is trying to scan out to the other side of the firewall on udp port 161, first trying IP address .6, then .7, .8 and so on. There is no SNMP setup on that server.
Don

From owner-firewalls-list Mon Nov 17 12:17:41 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA24974; Mon, 17 Nov 1997 10:13:37 -0800 (PST)
Received: from lint.cisco.com (lint.cisco.com [171.68.223.44]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id KAA22577 for ; Mon, 17 Nov 1997 10:01:32 -0800 (PST)
Received: from big-dawgs.cisco.com (herndon-dhcp-30.cisco.com [171.68.53.30]) by lint.cisco.com (8.8.5/CISCO.SERVER.1.2) with SMTP id KAA17585; Mon, 17 Nov 1997 10:02:46 -0800 (PST)
Message-Id: <3.0.5.32.19971117130244.007de5a0@lint.cisco.com>
X-Sender: pferguso@lint.cisco.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32)
Date: Mon, 17 Nov 1997 13:02:44 -0500
To: dons@Cadabratech.com (Don Shesnicky)
From: Paul Ferguson
Subject: Re: tcp/udp port numbers
Cc: Firewalls@GreatCircle.COM
In-Reply-To: <9711171657.AA29135@moe.cadabra.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Don:

snmp            161/tcp    SNMP
snmp            161/udp    SNMP

The most accurate & current port assignments are maintained at:

  ftp://ftp.isi.edu/in-notes/iana/assignments/port-numbers

- paul

At 11:57 AM 11/17/97 -0500, Don Shesnicky wrote:
>
>Does anyone have a complete list of port numbers? I have a firewall
>where I am seeing traffic on port 161 but haven't been able to
>track it down. All of the hosts behind the firewall are NT boxes
>and I'm thinking that it's related to WINS. It seems that when I
>do a Network browse it starts firing off packets to all IP addresses
>on the other side of the firewall via udp port 161. It seems to start
>at one IP and then increment bit wise.
>
>I've found some web pages that list port numbers but they're pretty
>much the same as unix:/etc/services.
>
>Don
>

--
Paul Ferguson                   ||        ||
Consulting Engineering          ||        ||
Herndon, Virginia USA          ||||      ||||
tel: +1.703.397.5938       ..:||||||:..:||||||:..
mailto:ferguson@cisco.com   c i s c o  S y s t e m s

From owner-firewalls-list Mon Nov 17 13:01:35 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA17613; Mon, 17 Nov 1997 12:51:16 -0800 (PST)
Received: from wend.dircon.co.uk (wend.dircon.co.uk [194.112.45.154]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id MAA17534 for ; Mon, 17 Nov 1997 12:50:57 -0800 (PST)
Received: from localhost (dwhitlow@localhost) by wend.dircon.co.uk (8.8.5/8.8.5) with SMTP id UAA00900; Mon, 17 Nov 1997 20:51:46 GMT
Date: Mon, 17 Nov 1997 20:51:46 +0000 (GMT)
From: Dave Whitlow
Reply-To: Dave Whitlow
To: Don Shesnicky
cc: Firewalls@GreatCircle.COM
Subject: Re: tcp/udp port numbers
In-Reply-To: <9711171657.AA29135@moe.cadabra.ca>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 17 Nov 1997, Don Shesnicky wrote:

> Date: Mon, 17 Nov 1997 11:57:25 -0500
> From: Don Shesnicky
> To: Firewalls@GreatCircle.COM
> Subject: tcp/udp port numbers
>
> Does anyone have a complete list of port numbers? I have a firewall
> where I am seeing traffic on port 161 but haven't been able to track it
> down. All of the hosts behind the firewall are NT boxes and I'm thinking
> that it's related to WINS. It seems that when I do a Network browse it
> starts firing off packets to all IP addresses on the other side of the
> firewall via udp port 161. It seems to start at one IP and then
> increment bit wise.
> I've found some web pages that list port numbers but they're pretty
> much the same as unix:/etc/services.

Yes. In your /etc/services you should find the line

    snmp  161/udp

and you may find

    snmp  161/tcp

161 is the assigned port for SNMP. It looks like your NT box is trying to find things to manage. RFC1700 provides the full list of assigned ports (and lots of other assigned numbers).
This isn't all the port numbers you'll see in use, just those which have been formally allocated.

Best regards,
Dave
-------------------------------------------------------------------------
Dave Whitlow, Idsec Ltd, Harrow, HA1 1EJ, UK
Mail: dwhitlow@idsec.co.uk  Web: http://www.idsec.co.uk

From owner-firewalls-list Mon Nov 17 13:15:50 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA19737; Mon, 17 Nov 1997 13:02:46 -0800 (PST)
Received: from smtp.enteract.com (david.enteract.com [206.54.252.252]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id NAA19699 for ; Mon, 17 Nov 1997 13:02:35 -0800 (PST)
Received: (qmail 22958 invoked from network); 17 Nov 1997 21:04:21 -0000
Received: from jimst.sa.enteract.com (HELO jimst.enteract.com) (207.229.133.64) by david.enteract.com with SMTP; 17 Nov 1997 21:04:21 -0000
Received: by localhost with Microsoft MAPI; Mon, 17 Nov 1997 15:04:14 -0600
Message-ID: <01BCF36A.11C2E700.jimst@enteract.com>
From: James Strompolis
Reply-To: "jimst@enteract.com"
To: "'Don Shesnicky'" , "Firewalls@GreatCircle.COM"
Subject: RE: tcp/udp port numbers
Date: Mon, 17 Nov 1997 15:03:17 -0600
Organization: Aleph Consultants, Inc.
X-Mailer: Microsoft Internet E-mail/MAPI - 8.0.0.4211
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Don & anyone in need:

Here is a list of ports and their numbers in ASCII. It is not in comma-delimited format so may be difficult to read and/or use. I got it from the configuration file of a program I use to run port scans from Windows boxes called PortScan. You can find the program out on the web. You could copy this file directly into a PortScan configuration file to have a large list of ports to scan. If I'm missing any or have any wrong, please let me know.

- James Strompolis
Aleph Consultants, Inc.
jimst@enteract.com

On Monday, November 17, 1997 10:57 AM, Don Shesnicky [SMTP:dons@Cadabratech.com] wrote:
>
> Does anyone have a complete list of port numbers?

From owner-firewalls-list Mon Nov 17 14:34:53 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA27033; Mon, 17 Nov 1997 13:56:00 -0800 (PST)
Received: from upshield.uniq.com.au (upstop.uniq.com.au [192.195.152.113]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id NAA26994 for ; Mon, 17 Nov 1997 13:55:48 -0800 (PST)
Received: (from smtp@localhost) by upshield.uniq.com.au id IAA05344 (8.8.7/IDA-1.6); Tue, 18 Nov 1997 08:57:44 +1100 (EST)
Received: from upshoo.uniq.com.au(192.195.152.130), claiming to be "upserv.uniq.com.au" via SMTP by upshield.uniq.com.au, id smtpdAAAa001JO; Tue Nov 18 08:57:34 1997
Received: from basil.uniq.com.au (basil.uniq.com.au [192.168.3.1]) by upserv.uniq.com.au with ESMTP id IAA19832 (8.8.5/IDA-1.6); Tue, 18 Nov 1997 08:57:31 +1100 (EST)
Received: (from pauline@localhost) by basil.uniq.com.au id IAA07465 (8.8.5/IDA-1.6); Tue, 18 Nov 1997 08:57:16 +1100 (EST)
Date: Tue, 18 Nov 1997 08:57:16 +1100 (EST)
From: Pauline van Winsen - Uniq Professional Services
Message-ID: <199711172157.IAA07465@basil.uniq.com.au>
To: Firewalls@GreatCircle.COM, Larry_Chin@ca.cch.com
Subject: Re: Firewall which running UDP
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-MD5: zr8aOzDctLjGJGU7wKdRUg==
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> mbatistad@nexo.es wrote:
>
> | Try udprelay, Socks works over TCP.!

SOCKS5 works over UDP. Check out www.socks.nec.com.

cheers,
pauline

Pauline van Winsen                         pauline@uniq.com.au
Uniq Professional Services Pty Ltd         www.uniq.com.au
PO Box 70, Paddington, NSW 2021, (Sydney) Australia
Phone: +61-2-9380-6360  Fax: +61-2-9380-6416  Pager: 016 287 000
"You'll need a dress for dancing.
Unless you're going steady with someone in the Diplomatic Corps, you won't really need a full-length ball gown."
    Fashion Sense - The Single Woman - Book 2, Woman's World, circa 1964.

From owner-firewalls-list Mon Nov 17 15:16:00 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA06217; Mon, 17 Nov 1997 14:57:47 -0800 (PST)
Received: from inergen.sybase.com (inergen.sybase.com [192.138.151.43]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id OAA06200 for ; Mon, 17 Nov 1997 14:57:40 -0800 (PST)
Received: from smtp1.sybase.com (sybgate.sybase.com [130.214.220.35]) by inergen.sybase.com (8.8.4/8.8.4) with SMTP id PAA14505; Mon, 17 Nov 1997 15:01:03 -0800 (PST)
Received: from by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) id AC00307; Mon, 17 Nov 97 15:01:49 PST
Received: by gwwest.sybase.com(Lotus SMTP MTA v1.1 (385.6 5-6-1997)) id 88256552.007AB92C ; Mon, 17 Nov 1997 14:20:27 -0800
X-Lotus-Fromdomain: SYBASENOTES
From: "Ryan Russell"
To: dons@Cadabratech.com
Cc: Firewalls@GreatCircle.COM
Message-Id: <88256552.0078359C.00@gwwest.sybase.com>
Date: Mon, 17 Nov 1997 13:53:58 -0800
Subject: Re: tcp/udp port numbers - more
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Does it have any HP printer management software?

I've caught HP drivers doing this...in fact, some of the Internet sites it reached were not amused.

Ryan

dons@Cadabratech.com on 11/17/97 10:58:35 AM

To: Firewalls@GreatCircle.COM
cc: (bcc: Ryan Russell/SYBASE)
Subject: tcp/udp port numbers - more

Thanks everyone for the list of port numbers, I went and retrieved one good one. But it is bizarre, I just went to check the logs on the firewall to make sure I had the port numbers and everything right - sure enough our NT domain server is trying to scan out to the other side of the firewall on udp port 161, first trying IP address .6, then .7, .8 and so on.
There is no SNMP setup on that server.

Don

From owner-firewalls-list Mon Nov 17 15:29:48 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA09812; Mon, 17 Nov 1997 15:23:44 -0800 (PST)
Received: from netcom19.netcom.com (netcom19.netcom.com [192.100.81.132]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id PAA09751 for ; Mon, 17 Nov 1997 15:23:30 -0800 (PST)
Received: from localhost (xod@localhost) by netcom19.netcom.com (8.8.5-r-beta/8.8.5/(NETCOM v1.02)) with SMTP id PAA18615 for ; Mon, 17 Nov 1997 15:25:29 -0800 (PST)
Date: Mon, 17 Nov 1997 15:25:28 -0800 (PST)
From: Nyarlathotep
X-Sender: xod@netcom19
To: firewalls@greatcircle.com
Subject: aftpd on Solaris 2.5.1
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello,

Has anyone gotten aftpd to compile under solaris 2.5.1? I have downloaded the code and had the local unix programmer go over it, and he says it can't be run. Would anyone care to prove him wrong?

Thanks,
m@

Matthew Ashcraft,        | "The only way to avoid all frightening
Unix, Netware, The Net   | choices is to leave society and become
and Rock n Roll          | a hermit, and that is a frightening choice."
xod@netcom.com,          |                             -Richard Bach

From owner-firewalls-list Mon Nov 17 15:44:37 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA10279; Mon, 17 Nov 1997 15:25:53 -0800 (PST)
Received: from janus.arc.ab.ca (janus.arc.ab.ca [128.144.50.6]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id PAA10271 for ; Mon, 17 Nov 1997 15:25:47 -0800 (PST)
Received: from network1 (network1.arc.ab.ca) by arc.ab.ca (PMDF V5.1-8 #20122) with SMTP id <01IQ4FIIR84W9H0F36@arc.ab.ca> for Firewalls@GreatCircle.COM; Mon, 17 Nov 1997 16:27:21 MST
Date: Mon, 17 Nov 1997 16:35:25 -0700
From: Blair Nowakowsky
Subject: Re: tcp/udp port numbers
In-reply-to: <9711171657.AA29135@moe.cadabra.ca>
X-Sender: nowakowsky@arc.ab.ca
To: dons@Cadabratech.com (Don Shesnicky), Firewalls@GreatCircle.COM
Message-id: <3.0.3.32.19971117163525.009461d0@arc.ab.ca>
MIME-version: 1.0
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Content-type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Check out RFC1340. It is the RFC for Assigned Numbers and contains TCP/UDP port assignments and more. It is 118 pages. I found it at the www.internic.net site. Search for RFC1340.

TNX
Blair.

At 11:57 AM 11/17/97 -0500, Don Shesnicky wrote:
>
>Does anyone have a complete list of port numbers? I have a firewall
>where I am seeing traffic on port 161 but haven't been able to
>track it down. All of the hosts behind the firewall are NT boxes
>and I'm thinking that it's related to WINS. It seems that when I
>do a Network browse it starts firing off packets to all IP addresses
>on the other side of the firewall via udp port 161. It seems to start
>at one IP and then increment bit wise.
>
>I've found some web pages that list port numbers but they're pretty
>much the same as unix:/etc/services.
>
>Don
>

| Alberta  | Blair Nowakowsky      |
| Research | (403)/450-5172        |
| Council  | nowakowsky@arc.ab.ca  |

From owner-firewalls-list Mon Nov 17 16:28:23 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA06638; Mon, 17 Nov 1997 15:00:38 -0800 (PST)
Received: from smtp.enteract.com (david.enteract.com [206.54.252.252]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id PAA06610 for ; Mon, 17 Nov 1997 15:00:27 -0800 (PST)
Received: (qmail 685 invoked from network); 17 Nov 1997 23:02:28 -0000
Received: from jimst.sa.enteract.com (HELO jimst.enteract.com) (207.229.133.64) by david.enteract.com with SMTP; 17 Nov 1997 23:02:28 -0000
Received: by localhost with Microsoft MAPI; Mon, 17 Nov 1997 17:02:22 -0600
Message-ID: <01BCF37A.925A91A0.jimst@enteract.com>
From: James Strompolis
Reply-To: "jimst@enteract.com"
To: "'Don Shesnicky'" , "Firewalls@GreatCircle.COM"
Subject: RE: tcp/udp port numbers - more
Date: Mon, 17 Nov 1997 17:02:04 -0600
Organization: Aleph Consultants, Inc.
X-Mailer: Microsoft Internet E-mail/MAPI - 8.0.0.4211
X-MS-Attachment: portlist.txt 0 00-00-1980 00:00
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Sorry, I forgot the attachment. Here it is.

- James Strompolis
Aleph Consultants, Inc.
jimst@enteract.com

begin 600 portlist.txt
[uuencoded body of portlist.txt is garbled in the archive; the headers of the reply that follows are also lost]

> sites it reached were not amused.
>
Yep - it's running JetAdmin. You think this is doing it? I've noticed a lot of strange packets running around. We have a mopier (HP 5Si?) which has a JetDirect box built in and I've seen some packets heading across to tcp port 9000.
Don

From owner-firewalls-list Mon Nov 17 17:48:08 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id QAA26038; Mon, 17 Nov 1997 16:47:11 -0800 (PST)
Received: from osh1.datasync.com (osh1.datasync.com [205.216.82.5]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id QAA25981 for ; Mon, 17 Nov 1997 16:46:57 -0800 (PST)
Received: from localhost (rogerspl@localhost) by osh1.datasync.com (8.8.7/Datasync) with SMTP id SAA00435; Mon, 17 Nov 1997 18:48:43 -0600
X-Authentication-Warning: osh1.datasync.com: rogerspl owned process doing -bs
Date: Mon, 17 Nov 1997 18:48:43 -0600 (CST)
From: "Paul L. Rogers"
To: Don Shesnicky
cc: Firewalls@GreatCircle.COM
Subject: Re: tcp/udp port numbers
In-Reply-To: <9711171657.AA29135@moe.cadabra.ca>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I may have seen this behavior from a couple of Microsoft Windows 95 boxes.

The first case was apparently caused by someone configuring the box with a netmask of 255.255.225.0 instead of 255.255.255.0. The netmask was corrected and the port 161 "storm" ceased.

In the second case, the administrator of the box could find the cause and the plan is to wipe the disk and reinstall.

Paul...

On Mon, 17 Nov 1997, Don Shesnicky wrote:

> Date: Mon, 17 Nov 1997 11:57:25 -0500
> From: Don Shesnicky
> To: Firewalls@GreatCircle.COM
> Subject: tcp/udp port numbers
>
>
> Does anyone have a complete list of port numbers? I have a firewall
> where I am seeing traffic on port 161 but haven't been able to
> track it down. All of the hosts behind the firewall are NT boxes
> and I'm thinking that it's related to WINS. It seems that when I
> do a Network browse it starts firing off packets to all IP addresses
> on the other side of the firewall via udp port 161. It seems to start
> at one IP and then increment bit wise.
>
> I've found some web pages that list port numbers but they're pretty
> much the same as unix:/etc/services.
>
> Don
>

From owner-firewalls-list Mon Nov 17 17:54:23 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id RAA06095; Mon, 17 Nov 1997 17:31:49 -0800 (PST)
Received: from inergen.sybase.com (inergen.sybase.com [192.138.151.43]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id RAA06045 for ; Mon, 17 Nov 1997 17:31:37 -0800 (PST)
Received: from smtp1.sybase.com (sybgate.sybase.com [130.214.220.35]) by inergen.sybase.com (8.8.4/8.8.4) with SMTP id RAA04324; Mon, 17 Nov 1997 17:35:10 -0800 (PST)
Received: from by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) id AB19703; Mon, 17 Nov 97 17:35:57 PST
Received: by gwwest.sybase.com(Lotus SMTP MTA v1.1 (385.6 5-6-1997)) id 88256553.0008B0E2 ; Mon, 17 Nov 1997 17:34:55 -0800
X-Lotus-Fromdomain: SYBASENOTES
From: "Ryan Russell"
To: dons@Cadabratech.com
Cc: Firewalls@GreatCircle.COM
Message-Id: <88256553.000847BC.00@gwwest.sybase.com>
Date: Mon, 17 Nov 1997 17:33:39 -0800
Subject: Re: tcp/udp port numbers - more
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

It was JetAdmin in my case.

I had some particularly bad behavior... One of my users was in from out of town, and plugged in her laptop, and was using DHCP.

She was on a net with a subnet of my 130.214 class B. I was getting complaints from a school at something like 130.252.

I checked the firewall logs, and it had started at 130.255.255.255 and was working its way down. She didn't even have the main JetAdmin program loaded at the time. It had thrown a small program in the startup section in the registry. It showed up in the Win95 task list when I did ctrl-alt-del.
Ryan

dons@Cadabratech.com on 11/17/97 04:27:44 PM

To: Ryan Russell/SYBASE
cc: Firewalls@GreatCircle.COM
Subject: Re: tcp/udp port numbers - more

>
> Does it have any HP printer management software?
>
> I've caught HP drivers doing this...in fact, some of the Internet
> sites it reached were not amused.
>
Yep - it's running JetAdmin. You think this is doing it? I've noticed a lot of strange packets running around. We have a mopier (HP 5Si?) which has a JetDirect box built in and I've seen some packets heading across to tcp port 9000.

Don

From owner-firewalls-list Mon Nov 17 19:28:36 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id TAA21630; Mon, 17 Nov 1997 19:14:19 -0800 (PST)
Received: from Cadabratech.com ([207.61.6.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id TAA21623 for ; Mon, 17 Nov 1997 19:14:13 -0800 (PST)
Received: from moe.UUCP (moe@localhost) by Cadabratech.com (8.6.12/8.6.9) with UUCP id WAA04794 for GreatCircle.COM!Firewalls; Mon, 17 Nov 1997 22:10:20 -0500
Received: from willie.cadabra.ca by moe.cadabra.ca (5.x/SMI-SVR4) id AA07703; Mon, 17 Nov 1997 22:07:33 -0500
Date: Mon, 17 Nov 1997 22:07:33 -0500
From: dons@Cadabratech.com (Don Shesnicky)
Message-Id: <9711180307.AA07703@moe.cadabra.ca>
To: Firewalls@GreatCircle.COM
Subject: Re: tcp/udp port numbers - more
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I just noticed that JetAdmin has a TCP Discovery under Options>Preferences. Now, I appear to have two different versions of JetAdmin because the one on my domain server does not have the options that are on another box. The one on the domain server was setup to broadcast on its network AND the one on the other side of the firewall. So that was where the IP scan was coming from. The other box's JetAdmin has more options - you can tell it to just hit certain IP addresses to find its printer and it has the (more dangerous) "broadcast on another network" in the Advanced option.
In any case, it doesn't seem to work very well. I have tried to tell JetAdmin to look for two JetDirect connected printers but it never finds the second printer. On the domain server, it already had my mopier but when I tell it the IP address of an hp6mp it never finds it.

Also noticed in JetAdmin that you can double click on a printer and it will give you all sorts of SNMP data so that was why it was sending out scans on the SNMP port. I would bet that it is looking for a certain MIB item and if it finds it then it knows it has an HP printer.

Now let's see - no one's PC can see the Tektronix printer and lpr on the PCs is trying to hit every printer on the system before it will let you print to -Pprinter - why? who knows but if it cannot connect to every one it won't let you print - wait it's worse than that, even if you don't have a printer but have a raw lpr port still on the system, it still tries to hit it...ugghhh

Don

From owner-firewalls-list Mon Nov 17 19:44:00 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id TAA23070; Mon, 17 Nov 1997 19:37:20 -0800 (PST)
Received: from m6.sprynet.com (m6.sprynet.com [165.121.1.89]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id TAA23051 for ; Mon, 17 Nov 1997 19:37:12 -0800 (PST)
Received: from zepher.milkyway.com (hdn93-244.hil.compuserve.com [206.175.100.244]) by m6.sprynet.com (8.6.12/8.6.12) with SMTP id TAA25761; Mon, 17 Nov 1997 19:39:10 -0800
Message-Id: <3.0.3.32.19971117223736.00698dfc@m6.sprynet.com>
X-Sender: jsk347@m6.sprynet.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Mon, 17 Nov 1997 22:37:36 -0500
To: "Ryan Russell", dons@Cadabratech.com
From: Steve Kruse
Subject: Re: tcp/udp port numbers - more
Cc: Firewalls@GreatCircle.COM
In-Reply-To: <88256553.000847BC.00@gwwest.sybase.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

An Application Gateway Firewall would (presumably) stop this from happening unless you specifically opened a hole for it. Is it safe to "ass-u-me" that you were running a packet filter and allowing anything that established "inside" as OK to the outside? Just curious...

Steve Kruse

At 05:33 PM 11/17/97 -0800, Ryan Russell wrote:
>
>It was JetAdmin in my case.
>
>I had some particularly bad behavior...
>One of my users was in from out of town,
>and plugged in her laptop, and was using DHCP.
>
>She was on a net with a subnet of my
>130.214 class B. I was getting complaints from
>a school at something like 130.252.
>
>I checked the firewall logs, and it had started
>at 130.255.255.255 and was working its way down.
>She didn't even have the main JetAdmin program
>loaded at the time. It had thrown a small program
>in the startup section in the registry. It showed
>up in the Win95 task list when I did ctrl-alt-del.
>
> Ryan
>
>dons@Cadabratech.com on 11/17/97 04:27:44 PM
>
>To: Ryan Russell/SYBASE
>cc: Firewalls@GreatCircle.COM
>Subject: Re: tcp/udp port numbers - more
>
>>
>> Does it have any HP printer management software?
>>
>> I've caught HP drivers doing this...in fact, some of the Internet
>> sites it reached were not amused.
>>
>Yep - it's running JetAdmin. You think this is doing it? I've noticed
>a lot of strange packets running around. We have a mopier (HP 5Si?)
>which has a JetDirect box built in and I've seen some packets heading
>across to tcp port 9000.
>Don
>

**************************************************
* Steve Kruse              Milkyway Networks     *
* Network Sales Support    1342 E. Vine St. #224 *
* Kissimmee, FL 34744                            *
* http://www.milkyway.com  skruse@milkwy.com     *
**************************************************

From owner-firewalls-list Mon Nov 17 20:02:36 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id TAA23443; Mon, 17 Nov 1997 19:42:44 -0800 (PST)
Received: from inergen.sybase.com (inergen.sybase.com [192.138.151.43]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id TAA23436 for ; Mon, 17 Nov 1997 19:42:38 -0800 (PST)
Received: from smtp1.sybase.com (sybgate.sybase.com [130.214.220.35]) by inergen.sybase.com (8.8.4/8.8.4) with SMTP id TAA07489; Mon, 17 Nov 1997 19:46:16 -0800 (PST)
Received: from gwwest.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) id AA29302; Mon, 17 Nov 97 19:47:02 PST
Received: by gwwest.sybase.com(Lotus SMTP MTA v1.1 (385.6 5-6-1997)) id 88256553.0014C9E3 ; Mon, 17 Nov 1997 19:47:04 -0800
X-Lotus-Fromdomain: SYBASENOTES
From: "Ryan Russell"
To: jsk347@sprynet.com
Cc: dons@Cadabratech.com, Firewalls@GreatCircle.COM
Message-Id: <88256553.001468FA.00@gwwest.sybase.com>
Date: Mon, 17 Nov 1997 19:46:07 -0800
Subject: Re: tcp/udp port numbers - more
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

My policy permits inside users to access just about any outside service. I disallowed SNMP for a while until I tracked that problem down. I use FW1, but had I had an AG in place that had the capability to allow SNMP out, I would have allowed it.

Ryan

jsk347@sprynet.com on 11/17/97 07:37:36 PM

To: Ryan Russell/SYBASE, dons@Cadabratech.com
cc: Firewalls@GreatCircle.COM
Subject: Re: tcp/udp port numbers - more

An Application Gateway Firewall would (presumably) stop this from happening unless you specifically opened a hole for it. Is it safe to "ass-u-me" that you were running a packet filter and allowing anything that established "inside" as OK to the outside? Just curious...
Steve Kruse

At 05:33 PM 11/17/97 -0800, Ryan Russell wrote:
>
>It was JetAdmin in my case.
>
>I had some particularly bad behavior...
>One of my users was in from out of town,
>and plugged in her laptop, and was using DHCP.
>
>She was on a net with a subnet of my
>130.214 class B. I was getting complaints from
>a school at something like 130.252.
>
>I checked the firewall logs, and it had started
>at 130.255.255.255 and was working its way down.
>She didn't even have the main JetAdmin program
>loaded at the time. It had thrown a small program
>in the startup section in the registry. It showed
>up in the Win95 task list when I did ctrl-alt-del.
>
> Ryan
>
>dons@Cadabratech.com on 11/17/97 04:27:44 PM
>
>To: Ryan Russell/SYBASE
>cc: Firewalls@GreatCircle.COM
>Subject: Re: tcp/udp port numbers - more
>
>>
>> Does it have any HP printer management software?
>>
>> I've caught HP drivers doing this...in fact, some of the Internet
>> sites it reached were not amused.
>>
>Yep - it's running JetAdmin. You think this is doing it? I've noticed
>a lot of strange packets running around. We have a mopier (HP 5Si?)
>which has a JetDirect box built in and I've seen some packets heading
>across to tcp port 9000.
>Don
>

**************************************************
* Steve Kruse              Milkyway Networks     *
* Network Sales Support    1342 E. Vine St. #224 *
* Kissimmee, FL 34744                            *
* http://www.milkyway.com  skruse@milkwy.com     *
**************************************************

From owner-firewalls-list Mon Nov 17 20:05:03 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id TAA24650; Mon, 17 Nov 1997 19:55:47 -0800 (PST)
Received: from m6.sprynet.com (m6.sprynet.com [165.121.1.89]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id TAA24589 for ; Mon, 17 Nov 1997 19:55:33 -0800 (PST)
Received: from zepher.milkyway.com (hdn93-244.hil.compuserve.com [206.175.100.244]) by m6.sprynet.com (8.6.12/8.6.12) with SMTP id TAA06344; Mon, 17 Nov 1997 19:57:25 -0800
Message-Id: <3.0.3.32.19971117225715.006a2e84@m6.sprynet.com>
X-Sender: jsk347@m6.sprynet.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Mon, 17 Nov 1997 22:57:15 -0500
To: "Ryan Russell"
From: Steve Kruse
Subject: Re: tcp/udp port numbers - more
Cc: dons@Cadabratech.com, Firewalls@GreatCircle.COM
In-Reply-To: <88256553.001468FA.00@gwwest.sybase.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Ryan:

Ok... granted, many places allow most anything OUT as a normal policy. Again, just a curious question, but under what circumstances would you be using SNMP to an outside resource unless, perhaps, you have an outsourced admin monitoring your net (though even at that, I would presume many would use a VPN with high level encryption in doing so). Not being judgemental, mind you, just curious as to why is all. I've read lots of nasty things about SNMP (even V2) as being a real security bug-a-boo. Most sites I have worked with do not let SNMP out of the internal net. Thanks.

Steve

At 07:46 PM 11/17/97 -0800, Ryan Russell wrote:
>
>My policy permits inside users to access just about
>any outside service. I disallowed SNMP for a
>while until I tracked that problem down. I use FW1, but
>had I had an AG in place that had the capability to allow
>SNMP out, I would have allowed it.
>
> Ryan
>
>jsk347@sprynet.com on 11/17/97 07:37:36 PM
>
>To: Ryan Russell/SYBASE, dons@Cadabratech.com
>cc: Firewalls@GreatCircle.COM
>Subject: Re: tcp/udp port numbers - more
>
>An Application Gateway Firewall would (presumably) stop this from happening
>unless you specifically opened a hole for it. Is it safe to "ass-u-me"
>that you were running a packet filter and allowing anything that
>established "inside" as OK to the outside? Just curious...
>Steve Kruse
>At 05:33 PM 11/17/97 -0800, Ryan Russell wrote:
>>
>>It was JetAdmin in my case.
>>
>>I had some particularly bad behavior...
>>One of my users was in from out of town,
>>and plugged in her laptop, and was using DHCP.
>>
>>She was on a net with a subnet of my
>>130.214 class B. I was getting complaints from
>>a school at something like 130.252.
>>
>>I checked the firewall logs, and it had started
>>at 130.255.255.255 and was working its way down.
>>She didn't even have the main JetAdmin program
>>loaded at the time. It had thrown a small program
>>in the startup section in the registry. It showed
>>up in the Win95 task list when I did ctrl-alt-del.
>>
>> Ryan
>>
>>dons@Cadabratech.com on 11/17/97 04:27:44 PM
>>
>>To: Ryan Russell/SYBASE
>>cc: Firewalls@GreatCircle.COM
>>Subject: Re: tcp/udp port numbers - more
>>
>>>
>>> Does it have any HP printer management software?
>>>
>>> I've caught HP drivers doing this...in fact, some of the Internet
>>> sites it reached were not amused.
>>>
>>Yep - it's running JetAdmin. You think this is doing it? I've noticed
>>a lot of strange packets running around. We have a mopier (HP 5Si?)
>>which has a JetDirect box built in and I've seen some packets heading
>>across to tcp port 9000.
>>Don
>>
>**************************************************
>* Steve Kruse              Milkyway Networks     *
>* Network Sales Support    1342 E. Vine St. #224 *
>* Kissimmee, FL 34744                            *
>* http://www.milkyway.com  skruse@milkwy.com     *
>**************************************************
>

From owner-firewalls-list Mon Nov 17 20:13:49 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id UAA25378; Mon, 17 Nov 1997 20:03:11 -0800 (PST)
Received: from inergen.sybase.com (inergen.sybase.com [192.138.151.43]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id UAA25313 for ; Mon, 17 Nov 1997 20:02:53 -0800 (PST)
Received: from smtp1.sybase.com (sybgate.sybase.com [130.214.220.35]) by inergen.sybase.com (8.8.4/8.8.4) with SMTP id UAA07802; Mon, 17 Nov 1997 20:06:31 -0800 (PST)
Received: from gwwest.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) id AA01026; Mon, 17 Nov 97 20:07:17 PST
Received: by gwwest.sybase.com(Lotus SMTP MTA v1.1 (385.6 5-6-1997)) id 88256553.0016A53B ; Mon, 17 Nov 1997 20:07:20 -0800
X-Lotus-Fromdomain: SYBASENOTES
From: "Ryan Russell"
To: jsk347@sprynet.com
Cc: dons@Cadabratech.com, Firewalls@GreatCircle.COM
Message-Id: <88256553.00160FEB.00@gwwest.sybase.com>
Date: Mon, 17 Nov 1997 20:06:21 -0800
Subject: Re: tcp/udp port numbers - more
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Well, the situation you describe is allowing SNMP in...I'm letting it out. I have routers that live "outside" as well as agreements with other companies that allow me to monitor their equipment. Some of my users have home nets they wish to monitor, some of my professional services people do consulting with other companies, and I occasionally feel the need to SNMP scan something myself.
It does make the outside a little more vulnerable to my users, but you'd probably rather have an attack come from me, because I log everything my users do and, because I use NAT, my users can't spoof their source address.

Ryan

jsk347@sprynet.com on 11/17/97 07:57:15 PM

To: Ryan Russell/SYBASE
cc: dons@Cadabratech.com, Firewalls@GreatCircle.COM
Subject: Re: tcp/udp port numbers - more

Ryan:

Ok... granted, many places allow most anything OUT as a normal policy. Again, just a curious question, but under what circumstances would you be using SNMP to an outside resource unless, perhaps, you have an outsourced admin monitoring your net (though even at that, I would presume many would use a VPN with high level encryption in doing so). Not being judgemental, mind you, just curious as to why is all. I've read lots of nasty things about SNMP (even V2) as being a real security bug-a-boo. Most sites I have worked with do not let SNMP out of the internal net. Thanks.

Steve

At 07:46 PM 11/17/97 -0800, Ryan Russell wrote:
>
>My policy permits inside users to access just about
>any outside service. I disallowed SNMP for a
>while until I tracked that problem down. I use FW1, but
>had I had an AG in place that had the capability to allow
>SNMP out, I would have allowed it.
>
> Ryan
>
>jsk347@sprynet.com on 11/17/97 07:37:36 PM
>
>To: Ryan Russell/SYBASE, dons@Cadabratech.com
>cc: Firewalls@GreatCircle.COM
>Subject: Re: tcp/udp port numbers - more
>
>An Application Gateway Firewall would (presumably) stop this from happening
>unless you specifically opened a hole for it. Is it safe to "ass-u-me"
>that you were running a packet filter and allowing anything that
>established "inside" as OK to the outside? Just curious...
>Steve Kruse
>At 05:33 PM 11/17/97 -0800, Ryan Russell wrote:
>>
>>It was JetAdmin in my case.
>>
>>I had some particularly bad behavior...
>>One of my users was in from out of town,
>>and plugged in her laptop, and was using DHCP.
>>
>>She was on a net with a subnet of my
>>130.214 class B. I was getting complaints from
>>a school at something like 130.252.
>>
>>I checked the firewall logs, and it had started
>>at 130.255.255.255 and was working its way down.
>>She didn't even have the main JetAdmin program
>>loaded at the time. It had thrown a small program
>>in the startup section in the registry. It showed
>>up in the Win95 task list when I did ctrl-alt-del.
>>
>> Ryan
>>
>>dons@Cadabratech.com on 11/17/97 04:27:44 PM
>>
>>To: Ryan Russell/SYBASE
>>cc: Firewalls@GreatCircle.COM
>>Subject: Re: tcp/udp port numbers - more
>>
>>>
>>> Does it have any HP printer management software?
>>>
>>> I've caught HP drivers doing this...in fact, some of the Internet
>>> sites it reached were not amused.
>>>
>>Yep - it's running JetAdmin. You think this is doing it? I've noticed
>>a lot of strange packets running around. We have a mopier (HP 5Si?)
>>which has a JetDirect box built in and I've seen some packets heading
>>across to tcp port 9000.
>>Don
>>
>**************************************************
>* Steve Kruse              Milkyway Networks     *
>* Network Sales Support    1342 E. Vine St. #224 *
>* Kissimmee, FL 34744                            *
>* http://www.milkyway.com  skruse@milkwy.com     *
>**************************************************
>

From owner-firewalls-list Mon Nov 17 20:44:29 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id UAA29699; Mon, 17 Nov 1997 20:28:39 -0800 (PST)
Received: from inergen.sybase.com (inergen.sybase.com [192.138.151.43]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id UAA29571 for ; Mon, 17 Nov 1997 20:28:13 -0800 (PST)
Received: from smtp1.sybase.com (sybgate.sybase.com [130.214.220.35]) by inergen.sybase.com (8.8.4/8.8.4) with SMTP id UAA08176 for ; Mon, 17 Nov 1997 20:31:51 -0800 (PST)
Received: from notesgw2.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) id AA02721; Mon, 17 Nov 97 20:32:36 PST
Received: (from unixsvr1@localhost) by notesgw2.sybase.com (8.8.4/8.8.4) id UAA21285 for @sybgate.sybase.com:firewalls@greatcircle.com; Mon, 17 Nov 1997 20:32:35 -0800 (PST)
Message-Id: <199711180432.UAA21285@notesgw2.sybase.com>
Received: by SybaseNotes (Lotus Notes Mail Gateway for SMTP V1.1) id 328794B742F9AB768825655300180F2B; Mon, 17 Nov 97 20:32:34 EDT
To: jsk347
Cc: firewalls
From: Ryan Russell/SYBASE
Date: 17 Nov 97 20:30:54 EDT
Subject: Re: tcp/udp port numbers - more
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Well, I don't allow SNMP traps, if that's what you mean. The way FW1 works is that it only allows SNMP in from the device being managed if an internal device spoke to the outside device first. Since FW1 doesn't implement a full SNMP proxy, it does this by setting a timer. One would also want rules in place to protect from spoofing, if possible.

But yes, if I had an inside user that was polling an outside device, someone else on the Internet could send a packet from UDP port 161 to whatever source port I used, within the appropriate amount of time, and it would get in.
In the situation mentioned before, a whole lot of addresses could have gotten a packet in... but someone would have had to be monitoring the line. That's not impossible of course, but makes it more difficult. At that point, one would have to rely on the inside SNMP poller to deal properly with this spoofed packet. You could probably fool it into thinking something weird about the device it was polling.

Of course, if someone can monitor the line and inject packets, they can probably hijack any connection you have, and you're pretty screwed.

Ryan

jsk347@sprynet.com on 11/17/97 08:19:20 PM

To: Ryan Russell/SYBASE
cc:
Subject: Re: tcp/udp port numbers - more

Ok... good points all. Hadn't thought of users monitoring their home nets but if you are monitoring your routers on the "other side" of the net, doesn't that imply you are letting SNMP "in" at that side? In that case, other than the obvious "spoofing" which you can protect against, how do you defend them from SNMP attacks from other net users? I'm not really sure just how much of a threat SNMP attacks really are, but I've read some paranoia about them. When I see something like this thread, I get curious as to if there really ARE any attacks to worry about or not. Thanks for your patience with my questions! Just always trying to learn one more thing about the wacky world of security.

Steve

At 08:06 PM 11/17/97 -0800, you wrote:
>
>Well, the situation you describe is allowing SNMP
>in...I'm letting it out. I have routers that live "outside"
>as well as agreements with other companies that allow
>me to monitor their equipment. Some of my users have home
>nets they wish to monitor, some of my professional services
>people do consulting with other companies, and I occasionally
>feel the need to SNMP scan something myself.
>
>It does make the outside a little more vulnerable to my users,
>but you'd probably rather have an attack come from me,
>because I log everything my users do and, because I use
>NAT, my users can't spoof their source address.
>
> Ryan
>
>jsk347@sprynet.com on 11/17/97 07:57:15 PM
>
>To: Ryan Russell/SYBASE
>cc: dons@Cadabratech.com, Firewalls@GreatCircle.COM
>Subject: Re: tcp/udp port numbers - more
>
>Ryan:
>Ok..granted, many places allow most anything OUT as a normal policy.
>Again, just a curious question, but under what circumstances would you be
>using SNMP to an outside resource unless, perhaps, you have an outsourced
>admin monitoring your net (though even at that, I would presume many would
>use a VPN with high level encryption in doing so). Not being judgemental,
>mind you, just curious as to why is all. I've read lots of nasty things
>about SNMP (even V2) as being a real security bug-a-boo. Most sites I have
>worked with do not let SNMP out of the internal net. Thanks.
>Steve
>At 07:46 PM 11/17/97 -0800, Ryan Russell wrote:
>>
>>My policy permits inside users to access just about
>>any outside service. I disallowed SNMP for a
>>while until I tracked that problem down. I use FW1, but
>>had I had an AG in place that had the capability to allow
>>SNMP out, I would have allowed it.
>>
>> Ryan
>>
>>jsk347@sprynet.com on 11/17/97 07:37:36 PM
>>
>>To: Ryan Russell/SYBASE, dons@Cadabratech.com
>>cc: Firewalls@GreatCircle.COM
>>Subject: Re: tcp/udp port numbers - more
>>
>>An Application Gateway Firewall would (presumably) stop this from happening
>>unless you specifically opened a hole for it. Is it safe to "ass-u-me"
>>that you were running a packet filter and allowing anything that
>>established "inside" as OK to the outside? Just curious...
>>Steve Kruse
>>At 05:33 PM 11/17/97 -0800, Ryan Russell wrote:
>>>
>>>It was JetAdmin in my case.
>>>
>>>I had some particularly bad behavior...
>>>One of my users was in from out of town,
>>>and plugged in her laptop, and was using DHCP.
>>>
>>>She was on a net with a subnet of my
>>>130.214 class B. I was getting complaints from
>>>a school at something like 130.252.
>>>
>>>I checked the firewall logs, and it had started
>>>at 130.255.255.255 and was working its way down.
>>>She didn't even have the main JetAdmin program
>>>loaded at the time. It had thrown a small program
>>>in the startup section in the registry. It showed
>>>up in the Win95 task list when I did ctrl-alt-del.
>>>
>>> Ryan
>>>
>>>dons@Cadabratech.com on 11/17/97 04:27:44 PM
>>>
>>>To: Ryan Russell/SYBASE
>>>cc: Firewalls@GreatCircle.COM
>>>Subject: Re: tcp/udp port numbers - more
>>>
>>>>
>>>> Does it have any HP printer management software?
>>>>
>>>> I've caught HP drivers doing this...in fact, some of the Internet
>>>> sites it reached were not amused.
>>>>
>>>Yep - it's running JetAdmin. You think this is doing it? I've noticed
>>>a lot of strange packets running around. We have a mopier (HP 5Si?)
>>>which has a JetDirect box built in and I've seen some packets heading
>>>across to tcp port 9000.
>>>Don
>>>
>>**************************************************
>>* Steve Kruse                    Milkyway Networks *
>>* Network Sales Support          1342 E. Vine St. #224 *
>>* Kissimmee, FL 34744 *
>>* http://www.milkyway.com        skruse@milkwy.com *
>>**************************************************

From owner-firewalls-list Mon Nov 17 22:28:21 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id WAA02079; Mon, 17 Nov 1997 22:22:38 -0800 (PST)
Received: from yankee.yankeegas.com (yankee.yankeegas.com [204.29.137.9]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id WAA02064 for ; Mon, 17 Nov 1997 22:22:32 -0800 (PST)
Received: from smtp.yankeegas.com by yankee.yankeegas.com (AIX 4.1/UCB 5.64/4.03) id AA23598; Tue, 18 Nov 1997 01:27:58 -0500
Received: from EAST-Message_Server by yankeegas.com with Novell_GroupWise; Tue, 18 Nov 1997 01:23:28 -0500
Message-Id:
X-Mailer: Novell GroupWise 4.1
Date: Tue, 18 Nov 1997 01:22:53 -0500
From: BRAD LOWE
Reply-To: LOWEB@yankeegas.com
To: Firewalls@GreatCircle.COM
Subject: Firewalls-Digest V6 #545 -Reply
Mime-Version: 1.0
Content-Type: text/plain
Content-Disposition: inline
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I will be out of the office until Friday, November 21st. If you need support prior to that date please contact the Help Desk at 639-4357 (they can page me if necessary). Thank you.
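Ryan Russell's description earlier in this thread of how FW1 lets an SNMP reply back in (only after an inside host queried that device, and only for the duration of a timer) is the behaviour modelled below. This is an added illustration written for this archive, not code from the thread or from Check Point. It assumes that the state entry is matched on the full 4-tuple of inside address and port, outside address and port, uses a constructed 30-second window, and uses a constructed inside prefix of 130.214. for the anti-spoofing rule Ryan says one would also want. Step 3 of the walk-through is the exposure he points out: a datagram that carries the queried device's address and port 161 and arrives while the window is open cannot be told apart from the genuine reply, which is why the window should be short and the inside poller should treat whatever comes back as untrusted input.

```python
"""Toy model of a UDP reply window, as FW1 applies it to SNMP (udp/161).

Added example for this archive; not FW1's implementation.  Addresses,
the inside prefix and the timer value are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

INSIDE_NET = "130.214."   # constructed: address prefix of the inside network
REPLY_WINDOW = 30.0       # constructed: seconds a reply entry stays open

# (inside ip, inside port, outside ip, outside port)
Key = Tuple[str, int, str, int]


@dataclass
class Datagram:
    iface: str   # "int" or "ext": the interface the datagram arrived on
    src: str
    sport: int
    dst: str
    dport: int


class UdpReplyTracker:
    """Allow outbound SNMP queries; allow inbound UDP only as a timely reply."""

    def __init__(self, window: float = REPLY_WINDOW) -> None:
        self.window = window
        self.table: Dict[Key, float] = {}            # key -> expiry time
        self.log: List[Tuple[str, str, Datagram]] = []

    def _decide(self, verdict: str, reason: str, d: Datagram) -> bool:
        self.log.append((verdict, reason, d))
        return verdict == "ALLOW"

    def handle(self, d: Datagram, now: float) -> bool:
        # Anti-spoofing: an inside address must never arrive from outside.
        if d.iface == "ext" and d.src.startswith(INSIDE_NET):
            return self._decide("DROP", "inside source address on ext", d)

        if d.iface == "int" and d.dport == 161:
            # Outbound SNMP query: open (or refresh) the reply window.
            self.table[(d.src, d.sport, d.dst, d.dport)] = now + self.window
            return self._decide("ALLOW", "outbound snmp query", d)

        if d.iface == "ext":
            key = (d.dst, d.dport, d.src, d.sport)
            expiry = self.table.get(key)
            if expiry is None:
                return self._decide("DROP", "no matching query", d)
            if now > expiry:
                del self.table[key]
                return self._decide("DROP", "reply window expired", d)
            return self._decide("ALLOW", "reply within window", d)

        return self._decide("DROP", "default deny", d)


def demo() -> Dict[str, bool]:
    """Walk the scenario from the thread; return each step's verdict."""
    fw = UdpReplyTracker()
    inside, agent, stranger = "130.214.1.10", "192.0.2.50", "198.51.100.7"
    r = {}
    # 1. the inside poller sends an SNMP GET from an ephemeral port
    r["query"] = fw.handle(Datagram("int", inside, 40000, agent, 161), now=0.0)
    # 2. the real agent answers inside the window
    r["reply"] = fw.handle(Datagram("ext", agent, 161, inside, 40000), now=1.0)
    # 3. a datagram with the agent's address and port, sent by someone who saw
    #    the query, is indistinguishable from the reply (Ryan's point)
    r["forged_match"] = fw.handle(Datagram("ext", agent, 161, inside, 40000), now=2.0)
    # 4. port 161 from an address that was never queried does not match
    r["wrong_src"] = fw.handle(Datagram("ext", stranger, 161, inside, 40000), now=2.0)
    # 5. an inside address arriving on the external interface is spoofed
    r["spoof_internal"] = fw.handle(Datagram("ext", "130.214.9.9", 161, inside, 40000), now=2.0)
    # 6. once the timer expires, even the agent's own reply is dropped
    r["late_reply"] = fw.handle(Datagram("ext", agent, 161, inside, 40000), now=REPLY_WINDOW + 5)
    return r


if __name__ == "__main__":
    for step, allowed in demo().items():
        print(f"{step:15s} {'ALLOW' if allowed else 'DROP'}")
```

The model is deliberately minimal: it has no notion of SNMP message contents, which is the point Ryan makes about FW1 not being a full SNMP proxy. A real deployment would pair the short window with the anti-spoofing rule on every external interface and with logging of dropped "no matching query" datagrams, since a burst of those against one inside host is what a sweep of open windows would look like.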
From owner-firewalls-list Mon Nov 17 22:42:34 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id WAA02416; Mon, 17 Nov 1997 22:31:03 -0800 (PST)
Received: from mercury.st.rim.or.jp (mercury.st.rim.or.jp [202.255.181.17]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id WAA02390 for ; Mon, 17 Nov 1997 22:30:56 -0800 (PST)
Received: (from shio@localhost) by mercury.st.rim.or.jp (8.8.5/3.4Wbeta6-rimnet) id PAA01098 for Firewalls@GreatCircle.COM; Tue, 18 Nov 1997 15:33:01 +0900 (JST)
Date: Tue, 18 Nov 1997 15:33:01 +0900 (JST)
From: Makoto Shiotsuki
Message-Id: <199711180633.PAA01098@mercury.st.rim.or.jp>
To: Firewalls@GreatCircle.COM
Subject: Technical comparison of security scanner products
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Does anyone know some technical comparisons of security scanner products like ISS?

I've read the recent NetworkWorld's article at:
http://www.nwfusion.com/reviews/1027rev.html

Are there any other ones?

Thanks,
Makoto Shiotsuki

From owner-firewalls-list Mon Nov 17 23:57:28 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA15531; Mon, 17 Nov 1997 23:46:07 -0800 (PST)
Received: from slowy.NETCS.COM (slowy.netcs.com [138.199.32.21]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id XAA15480 for ; Mon, 17 Nov 1997 23:45:54 -0800 (PST)
Received: from netcs.com (138.199.32.21) by slowy.NETCS.COM (NPlex 1.3.159); 18 Nov 1997 08:48:00 +0100
Message-ID: <34714830.3B1FD1B@netcs.com>
Date: Tue, 18 Nov 1997 08:48:00 +0100
From: Oliver Korfmacher
Reply-To: okorf@netcs.com
Organization: NetCS GmbH
X-Mailer: Mozilla 4.04 [en] (WinNT; I)
MIME-Version: 1.0
To: firewalls@greatcircle.com
Subject: 416
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Folks, can somebody drop me a personal brief explanation for the port 416 tcp/udp silverplatter service?
Thanks in advance,
--
Gruesse, Oliver Korfmacher (okorf@netcs.com, whois OK11 URL: http://www.netcs.com/PEOPLE/okorf.html)

From owner-firewalls-list Tue Nov 18 00:12:20 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA11856; Mon, 17 Nov 1997 23:30:57 -0800 (PST)
Received: from helm.bbnplanet.com (helm.bbnplanet.com [199.94.209.26]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id XAA11780 for ; Mon, 17 Nov 1997 23:30:40 -0800 (PST)
Received: from localhost (jrines@localhost) by helm.bbnplanet.com (8.8.5/8.8.5) with SMTP id CAA25070; Tue, 18 Nov 1997 02:32:41 -0500 (EST)
X-Authentication-Warning: helm.bbnplanet.com: jrines owned process doing -bs
Date: Tue, 18 Nov 1997 02:32:40 -0500 (EST)
From: Joe Rines
To: Don Shesnicky
cc: Firewalls@greatcircle.com
Subject: Re: tcp/udp port numbers
In-Reply-To: <9711171657.AA29135@moe.cadabra.ca>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Don,

Port 161/udp is used for snmp.

----------------------------------------------------------------
Joe Rines
GTE Internetworking
Network Operations Center
150 CambridgePark Drive
Cambridge, MA 02140
617-873-5570
"Internetworking Powered by BBN"
----------------------------------------------------------------

On Mon, 17 Nov 1997, Don Shesnicky wrote:

> Does anyone have a complete list of port numbers? I have a firewall
> where I am seeing traffic on port 161 but haven't been able to
> track it down. All of the hosts behind the firewall are NT boxes
> and I'm thinking that it's related to WINS. It seems that when I
> do a Network browse it starts firing off packets to all IP addresses
> on the other side of the firewall via udp port 161. It seems to start
> at one IP and then increment bit wise.
>
> I've found some web pages that list port numbers but they're pretty
> much the same as unix:/etc/services.
>
> Don

From owner-firewalls-list Tue Nov 18 02:57:42 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA09388; Tue, 18 Nov 1997 02:17:11 -0800 (PST)
Received: from yankee.yankeegas.com (yankee.yankeegas.com [204.29.137.9]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id CAA09361 for ; Tue, 18 Nov 1997 02:16:55 -0800 (PST)
Received: from smtp.yankeegas.com by yankee.yankeegas.com (AIX 4.1/UCB 5.64/4.03) id AA23298; Tue, 18 Nov 1997 05:22:23 -0500
Received: from EAST-Message_Server by yankeegas.com with Novell_GroupWise; Tue, 18 Nov 1997 05:17:58 -0500
Message-Id:
X-Mailer: Novell GroupWise 4.1
Date: Tue, 18 Nov 1997 05:17:14 -0500
From: BRAD LOWE
Reply-To: LOWEB@yankeegas.com
To: Firewalls@GreatCircle.COM
Subject: Firewalls-Digest V6 #546 -Reply
Mime-Version: 1.0
Content-Type: text/plain
Content-Disposition: inline
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I will be out of the office until Friday, November 21st. If you need support prior to that date please contact the Help Desk at 639-4357 (they can page me if necessary). Thank you.

From owner-firewalls-list Tue Nov 18 04:21:02 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id DAA20688; Tue, 18 Nov 1997 03:42:08 -0800 (PST)
Received: from relay.convey.ru (proxy.convey.ru [195.182.128.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id DAA20681 for ; Tue, 18 Nov 1997 03:42:01 -0800 (PST)
Received: (from ark@localhost) by relay.convey.ru (8.8.5/8.7.3) id OAA27270; Tue, 18 Nov 1997 14:43:52 +0300 (MSK)
From: "Alex A. Smirnoff"
Message-Id: <199711181143.OAA27270@relay.convey.ru>
Subject: Re: Technical comparison of security scanner products
To: shio@st.rim.or.jp (Makoto Shiotsuki)
Date: Tue, 18 Nov 1997 14:43:51 +0300 (MSK)
Cc: Firewalls@GreatCircle.COM
In-Reply-To: <199711180633.PAA01098@mercury.st.rim.or.jp> from "Makoto Shiotsuki" at Nov 18, 97 03:33:01 pm
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

nuqneH,

> Does anyone know some technical comparisons of
> security scanner products like ISS?
>
> I've read the recent NetworkWorld's article at:
> http://www.nwfusion.com/reviews/1027rev.html
>
> Are there any other ones?

I am writing one (though it is not a hi priority task for me but..) btw if you have some thoughts on that topic, some personal experience with any products please write me to ark@mpak.convey.ru i'll try to summarize all info i get.

From owner-firewalls-list Tue Nov 18 07:45:20 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA09985; Tue, 18 Nov 1997 07:18:43 -0800 (PST)
Received: from mailsv.logility.com ([207.17.68.58]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id HAA09974 for ; Tue, 18 Nov 1997 07:18:35 -0800 (PST)
Received: by mailsve with Internet Mail Service (5.0.1457.3) id ; Tue, 18 Nov 1997 10:28:10 -0500
Message-ID: <313626D24208D1118F21006097D22B1E05379A@mailsve>
From: "Kleinfelter, Susan"
To: "'Firewalls@GreatCircle.COM'"
Subject: Do proxies always do NAT?
Date: Tue, 18 Nov 1997 10:28:09 -0500
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1457.3)
Content-Type: multipart/alternative; boundary="---- =_NextPart_001_01BCF40C.AB220690"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk
We are trying to determine which firewall products we can run our Microsoft DCOM-based application through.

The challenges in sending DCOM through a firewall are that 1) DCOM dynamically assigns port numbers to server processes, so clients connect to different ports at different times, and 2) DCOM server writes its own raw IP address in its outbound packets, and the client must send its requests to that IP address, not the IP address of a proxy. We can run DCOM through a packet filter if we open an appropriate range of ports and tell DCOM server to limit its dynamic port assignments to those ports (details at http://www.wam.umd.edu/~mikenel/dcom/dcomfw.htm ). Because of the raw IP addresses in the packets, though, any firewall that insists on doing address translation prevents DCOM from going through.

Am I right in thinking that an application proxy on a firewall will *always* involve address translation? Some firewalls have 'generic' TCP/IP proxies or 'plug gateways' (not sure if there's a difference). Do these also *always* involve address translation? Anyone know of proxies or gateways that will process packets addressed not to them but to a known IP address inside the firewall, and pass the packets on with their original source and destination addresses after examining them? Checkpoint FW1's 'stateful inspection' also looks like it moves packets from one interface to another - can anyone tell me if it necessarily involves address hiding?

If a TCP proxy can be made to leave the original addresses on the packets, could it also be made to listen on a wide range of ports (to handle the dynamic port assignment)?

Thanks for any assistance.

-Susan Kleinfelter

Susan Kleinfelter
Logility Inc.
skleinfelter@logility.com
All opinions expressed are mine, not my employer's.

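Susan's question is whether a firewall can be made to forward packets with their original addresses. The following is an added example for this archive (not code from the thread and not any product's implementation) of what source address translation actually does to one IPv4/UDP packet, and why an application that writes its own address into its payload, as she describes DCOM doing, stops working behind it: the translator rewrites the header's source address and recomputes the IP header checksum and the UDP checksum (whose pseudo-header covers both addresses), but it leaves the payload untouched, so the address the application embedded still names the private host. The addresses, ports and the "CALLBACK <ip>" payload format are constructed for the example.

```python
"""Source NAT on one IPv4/UDP packet: header rewrite, checksum repair,
payload left alone.  Added example for this archive; all values constructed."""
import socket
import struct


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement checksum as used by IP, UDP and TCP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _udp_with_checksum(src4: bytes, dst4: bytes, udp: bytes) -> bytes:
    """Fill the UDP checksum over pseudo-header + UDP header + payload."""
    pseudo = src4 + dst4 + struct.pack("!BBH", 0, 17, len(udp))
    zeroed = udp[:6] + b"\x00\x00" + udp[8:]
    csum = ones_complement_sum(pseudo + zeroed) or 0xFFFF  # 0 means "absent" in UDP
    return zeroed[:6] + struct.pack("!H", csum) + zeroed[8:]


def _ip_with_checksum(ip: bytes) -> bytes:
    """Fill the IPv4 header checksum (20-byte header, no options)."""
    zeroed = ip[:10] + b"\x00\x00" + ip[12:]
    return zeroed[:10] + struct.pack("!H", ones_complement_sum(zeroed)) + zeroed[12:]


def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Minimal IPv4 header + UDP header + payload, both checksums filled."""
    src4, dst4 = socket.inet_aton(src), socket.inet_aton(dst)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, 64, 17, 0, src4, dst4)
    return _ip_with_checksum(ip) + _udp_with_checksum(src4, dst4, udp)


def nat_rewrite_source(packet: bytes, new_src: str) -> bytes:
    """Source NAT: replace the IPv4 source address and fix both checksums."""
    new4, dst4 = socket.inet_aton(new_src), packet[16:20]
    ip = packet[:12] + new4 + dst4
    return _ip_with_checksum(ip) + _udp_with_checksum(new4, dst4, packet[20:])


def header_checksum_ok(packet: bytes) -> bool:
    """A correct header, summed together with its checksum field, gives zero."""
    return ones_complement_sum(packet[:20]) == 0


def udp_checksum_ok(packet: bytes) -> bool:
    pseudo = packet[12:20] + struct.pack("!BBH", 0, 17, len(packet) - 20)
    return ones_complement_sum(pseudo + packet[20:]) == 0


def parse_addresses(packet: bytes) -> tuple:
    """(source address in the IP header, address the application embedded)."""
    hdr_src = socket.inet_ntoa(packet[12:16])
    embedded = packet[28:].split(b" ", 1)[1].decode()  # constructed "CALLBACK <ip>" payload
    return hdr_src, embedded


def demo() -> dict:
    """Walk one packet through source NAT and report what changed."""
    # constructed: private client 10.1.2.3 sends an outside server a request
    # that carries its own address in the payload, the pattern Susan describes
    pkt = build_ipv4_udp("10.1.2.3", "192.0.2.10", 1025, 135, b"CALLBACK 10.1.2.3")
    nat = nat_rewrite_source(pkt, "203.0.113.5")
    tampered = nat[:12] + bytes([10, 1, 2, 3]) + nat[16:]  # address changed, checksum not
    return {
        "orig_checksums_ok": header_checksum_ok(pkt) and udp_checksum_ok(pkt),
        "nat_checksums_ok": header_checksum_ok(nat) and udp_checksum_ok(nat),
        "orig_addresses": parse_addresses(pkt),
        "nat_addresses": parse_addresses(nat),
        "payload_unchanged": nat[28:] == pkt[28:],
        "tamper_detected": not header_checksum_ok(tampered),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:20s} {value}")
```

After translation the header says 203.0.113.5 while the payload still says 10.1.2.3, which is exactly the mismatch that makes the server's callback go to an unreachable address. Fixing that requires something that understands the application's encoding and rewrites the embedded address as well (an application-aware proxy), not a generic plug gateway; the `tampered` case shows why a translator cannot skip the checksum step either.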
From owner-firewalls-list Tue Nov 18 09:33:02 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA18309; Tue, 18 Nov 1997 09:14:03 -0800 (PST)
Received: from dns.eng.auburn.edu (dns.eng.auburn.edu [131.204.10.13]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id JAA18271 for ; Tue, 18 Nov 1997 09:13:52 -0800 (PST)
Received: from netman.eng.auburn.edu (netman.eng.auburn.edu [131.204.12.24]) by dns.eng.auburn.edu (8.8.5/8.6.4) with ESMTP id LAA17942 for ; Tue, 18 Nov 1997 11:15:58 -0600 (CST)
From: Doug Hughes
Received: (doug@localhost) by netman.eng.auburn.edu (SMI-8.6/8.6.4) id LAA01132; Tue, 18 Nov 1997 11:15:56 -0600
Date: Tue, 18 Nov 1997 11:15:56 -0600
Subject: Re: tcp/udp port numbers (correction Re: rfc1340
To: firewalls@greatcircle.com
Message-Id:
X-Mailer: TkMail 4.0beta8
In-Reply-To: <3.0.3.32.19971117163525.009461d0@arc.ab.ca>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Check out RFC1340. It is the RFC for Assigned Numbers and contains TCP/UDP
>port assignments and more. It is 118 pages. I found it at the
>www.internic.net site. Search for RFC1340.
>

Just a correction - RFC1340 has been obsoleted by RFC1700 since October 1994. (oops).
--
____________________________________________________________________________
Doug Hughes                          Engineering Network Services
System/Net Admin                     Auburn University
                                     doug@eng.auburn.edu

From owner-firewalls-list Tue Nov 18 10:06:09 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA19938; Tue, 18 Nov 1997 09:31:31 -0800 (PST)
Received: from cih-gw.cih.com (cih-gw.cih.com [204.69.206.1]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id JAA19918 for ; Tue, 18 Nov 1997 09:31:23 -0800 (PST)
Received: (from mail@localhost) by cih-gw.cih.com (8.7.6/8.6.9) id MAA22848; Tue, 18 Nov 1997 12:34:00 -0500
X-Authentication-Warning: cih-gw.cih.com: mail set sender to using -f
Received: from cih-gw.cih.com(204.69.206.1) via SMTP by cih-gw.cih.com, id smtpd22844aaa; Tue Nov 18 17:33:53 1997
Date: Tue, 18 Nov 1997 12:33:53 -0500 (EST)
From: "Craig I. Hagan"
Reply-To: hagan@cih.com
To: "Kleinfelter, Susan"
cc: "'Firewalls@GreatCircle.COM'"
Subject: Re: Do proxies always do NAT?
In-Reply-To: <313626D24208D1118F21006097D22B1E05379A@mailsve>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> We are trying to determine which firewall products we can run our
> Microsoft DCOM-based application through.

right now, i'd hazard that your best bet would be a custom rolled dcom proxy. (heck, i've been looking for something that handles DCE/RPC and/or MSRPC -- aren't they the same on the wire?). Making a transparent version of the above would likely solve your problem.

> The challenges in sending DCOM through a firewall are that 1) DCOM
> dynamically assigns port numbers to server processes, so clients connect
> to different ports at different times, and 2) DCOM server writes its own
> raw IP address in its outbound packets, and the client must send its
> requests to that IP address, not the IP address of a proxy. We can run

a smart proxy would be able to inspect the packet and alter the ip address and any relevant checksums. the hard part would be writing it.

> DCOM through a packet filter if we open an appropriate range of ports
> and tell DCOM server to limit its dynamic port assignments to those
> ports (details at http://www.wam.umd.edu/~mikenel/dcom/dcomfw.htm ).
> Because of the raw IP addresses in the packets, though, any firewall
> that insists on doing address translation prevents DCOM from going
> through.

risk analysis: what is the risk of opening your DCOM ports to either the world or to the specific site?

perhaps a reasonable method might be to do the following:

inside DCOM host ---> packetfilter --> outside DCOM host -...- remote DCOMhost

the idea is that inside sends its requests to a forwarding agent (outside), which handles the actual conversation. then the pfilt can allow inside to talk with outside and vice versa, but, you aren't allowing anyone else to talk to inside. you can then construct your DCOM forwarding server on outside to handle things like access control, etc for inside.

> Am I right in thinking that an application proxy on a firewall will
> *always* involve address translation? Some firewalls have 'generic'

I'm not sure how address translation follows from a proxy server. They technically are very different animals. The idea of a proxy firewall is that the application proxies UNDERSTAND the application being proxied, so they can properly inspect the dataflow to make sure that it is safe. they also can alter the dataflow so that your inside machine can talk to an outside machine and vice-versa (if permitted) without problem. The trick is that you will need a proxy that specifically understands your protocol if it is to be handled in any sort of secure/reliable manner if it is to be proxied effectively.

-- craig

-------------------------------------------------------------------------------
Craig I. Hagan          "It's a small world, but I wouldn't want to back it up"
hagan(at)cih.com        "True hackers don't die, their ttl expires"
"It takes a village to raise an idiot, but an idiot can raze a village"
Stop the spread of spam, use a sendmail condom! http://www.cih.com/~hagan/smtpd-hacks

From owner-firewalls-list Tue Nov 18 10:28:39 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA23019; Tue, 18 Nov 1997 10:16:38 -0800 (PST)
Received: from gate2.gateway.com (gate2.gateway.com [208.215.59.156]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id KAA23012 for ; Tue, 18 Nov 1997 10:16:32 -0800 (PST)
Received: by gate2.gateway.com; id MAA02271; Tue, 18 Nov 1997 12:17:30 -0600 (CST)
Received: from unknown(10.12.2.4) by lsf006.gateway.com via smap (V3.1) id xma002266; Tue, 18 Nov 97 12:17:02 -0600
Received: by nsc-108.gw2k.com with Internet Mail Service (5.0.1458.49) id ; Tue, 18 Nov 1997 12:19:17 -0600
Message-ID: <4DC06EB4D923D111A6540000C11084DACF3D@NSC-110>
From: "Zarinelli, Alain"
To: "'firewalls@greatcircle.com'"
Subject: E-mail Spamming
Date: Tue, 18 Nov 1997 12:19:19 -0600
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1458.49)
Content-Type: multipart/alternative; boundary="---- =_NextPart_001_01BCF41C.30D7EC50"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

All:

Does anybody have a good idea on how to prevent spammers from using our mail servers for relaying their trash? My idea was to drop all mail the mail-hubs receive from non-company domains addressed to non-company domains, that would at least prevent other people from getting bombarded with crap seemingly coming from us. Anybody have any ideas? We are using 'smap' on Gauntlet, which calls 'sendmail.'

Thanks.

Alain - Mea culpa, mea ultima culpa, not Gateway's...


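Alain's proposed rule, written out as an added example for this archive (not code from the thread, and not smap's or Gauntlet's): a relay decision a mail hub can apply to each envelope recipient. Mail addressed to one of our own domains is accepted for local delivery; mail for any other domain is relayed only when the client connection comes from our own networks. The one departure from Alain's wording is that the "from" side keys on the client's network address rather than the sender's domain, because MAIL FROM is supplied by the client and is trivially forged, so a spammer claiming a company domain would otherwise sail through. The domains, networks and sample envelopes are constructed.

```python
"""Open-relay refusal as a per-recipient policy check.

Added example for this archive; domains, networks and envelopes constructed.
"""
import ipaddress
from typing import Iterable, List, Tuple

OUR_DOMAINS = {"example.com", "mail.example.com"}            # constructed
OUR_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),          # constructed
                ipaddress.ip_network("192.0.2.0/24")]


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address, or '' if it has no single '@'."""
    if address.count("@") != 1:
        return ""
    return address.rsplit("@", 1)[1].strip().lower()


def client_is_ours(client_ip: str) -> bool:
    """True when the connecting client sits on one of our networks."""
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(ip in net for net in OUR_NETWORKS)


def relay_decision(client_ip: str, mail_from: str, rcpt_to: str) -> Tuple[bool, str]:
    """Return (accept, reason) for one RCPT TO of an envelope.

    mail_from is carried for logging only; it is never used as a trust
    signal because the client chooses it.
    """
    rcpt_domain = domain_of(rcpt_to)
    if not rcpt_domain:
        return False, "malformed recipient"
    if rcpt_domain in OUR_DOMAINS:
        return True, "local delivery"              # inbound mail for us
    if client_is_ours(client_ip):
        return True, "relay for inside client"     # our users sending out
    # outside client, outside recipient: this is the open-relay case,
    # refused regardless of what MAIL FROM claims
    return False, "relaying denied"


def apply_policy(envelopes: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, str, str, bool, str]]:
    """Evaluate (client ip, MAIL FROM, RCPT TO) triples; keep inputs beside verdicts."""
    return [(c, f, r) + relay_decision(c, f, r) for c, f, r in envelopes]


SAMPLE_ENVELOPES = [  # constructed (client ip, MAIL FROM, RCPT TO)
    ("10.4.4.4", "alice@example.com", "bob@example.net"),            # inside user sending out
    ("198.51.100.9", "someone@example.net", "alice@example.com"),    # inbound mail for us
    ("198.51.100.9", "spammer@example.org", "victim@example.net"),   # open-relay attempt
    ("198.51.100.9", "alice@example.com", "victim@example.net"),     # forged company sender
    ("198.51.100.9", "spammer@example.org", "nobody"),               # garbage recipient
]

if __name__ == "__main__":
    for client, frm, rcpt, ok, why in apply_policy(SAMPLE_ENVELOPES):
        print(f"{'250' if ok else '550'} {client:14s} {frm:>22s} -> {rcpt:20s} {why}")
```

The fourth sample is the one Alain's domain-based rule would let through and this version refuses. Whatever MTA sits behind the gateway, the same two questions (is the recipient ours? is the client ours?) are what any anti-relay configuration ultimately encodes, and a refusal at RCPT TO time keeps the message body from ever being queued.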
------ =_NextPart_001_01BCF41C.30D7EC50-- From owner-firewalls-list Tue Nov 18 10:58:41 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA26825; Tue, 18 Nov 1997 10:47:28 -0800 (PST) Received: from ra.nso.org (ra.nso.org [206.103.141.3]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id KAA26735 for ; Tue, 18 Nov 1997 10:47:09 -0800 (PST) Received: from osiris (osiris.nso.org [206.103.141.40]) by ra.nso.org (post.office MTA v1.9.3 ID# 0-13592) with SMTP id AAA67 for ; Tue, 18 Nov 1997 13:51:44 -0500 Message-Id: <3.0.3.32.19971118135631.00a62220@isr.net> X-Sender: research@isr.net (Unverified) X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) X-Priority: 1 (Highest) Date: Tue, 18 Nov 1997 13:56:31 -0500 To: firewalls@GreatCircle.COM From: research@isr.net (R & D) Subject: service/indirectly related Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk f.y.i. Nov 14-97 == Micropolis Corp. has called it a day. The longtime storage vendor, located in Chatsworth, Calif., filed for Chapter 11 protection. A recording at the company's headquarters said Micropolis' parent company, Singapore Technologies Pte Ltd of Singapore, had "decided to exit the disk drive business." Singapore Technologies said it made the decision because intense competition in the high end of the storage market in 1997 created "severe price erosion." Revenue for the first three quarters of 1997, totaling 200 million Singapore dollars, was insufficient to cover overhead, the company said. 
== > all customer services and support are stopped rgds ISR From owner-firewalls-list Tue Nov 18 11:30:45 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA02774; Tue, 18 Nov 1997 11:17:26 -0800 (PST) Received: from csc.com (explorer.csc.com [20.1.10.27]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id LAA02571 for ; Tue, 18 Nov 1997 11:16:28 -0800 (PST) Received: from tc24650 by csc.com via smtpd with smtp id for ; Tue, 18 Nov 97 14:17 EST (/\oo/\ Smail3.1.29.1 #29.9 built 21-apr-97) Message-ID: <3471E934.6CC2@csc.com> Date: Tue, 18 Nov 1997 14:15:00 -0500 From: Joe Loiacono Organization: Computer Sciences Corporation X-Mailer: Mozilla 3.01 (X11; I; SunOS 5.5 sun4m) MIME-Version: 1.0 To: Don Shesnicky CC: Firewalls@GreatCircle.COM Subject: Re: tcp/udp port numbers - more References: <9711171858.AA01393@moe.cadabra.ca> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hah! I've seen these snmp scans before. I thought perhaps it was a runaway application... but an HP JetDirect printer ?!?! Ha, ha, ha ... Joe -- Joe Loiacono (301) 415-6153 Computer Sciences Corporation http://www.csc.com From owner-firewalls-list Tue Nov 18 12:42:51 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA12084; Tue, 18 Nov 1997 12:13:37 -0800 (PST) Received: from syr.edu (syr.edu [128.230.1.49]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id MAA12075; Tue, 18 Nov 1997 12:13:25 -0800 (PST) Received: from syr.edu by syr.edu (8.8.5/CNS) id PAA14069; Tue, 18 Nov 1997 15:15:31 -0500 (EST) Message-ID: <3471F761.A8219E62@syr.edu> Date: Tue, 18 Nov 1997 15:15:30 -0500 From: Peter Morissey X-Mailer: Mozilla 4.02 [en] (WinNT; I) MIME-Version: 1.0 To: firewalls@greatcircle.com, firewalls-digest@greatcircle.com Subject: 7200 v. 
7500 access-lists Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Does a 7500 provide any great advantages for doing incoming access lists on a 45 mb internet connection? The process switching for 7200 and RSP4 is rated at 10K PPS by Cisco. If you make the assumption that everything will be processed switched due to the access lists, then the 7500 cost can't be justified. The assumption about acces lists and process switching is questionable, since the stats our existing 7010 show mostly route cache switching, even though we have access lists. The other factor is netflow switching. This can greatly improve performance by more than a factor of 10, but I'm wondering how much it helps when a lot of the traffic is WWW, with lots of short duration connections. It is very difficult getting information from Cisco regarding these questions, so any other input would be greatly appreciated. Pete M. From owner-firewalls-list Tue Nov 18 13:28:27 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA23125; Tue, 18 Nov 1997 13:24:42 -0800 (PST) Received: from janus.arc.ab.ca (janus.arc.ab.ca [128.144.50.6]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id NAA23097 for ; Tue, 18 Nov 1997 13:24:34 -0800 (PST) Received: from network1 (network1.arc.ab.ca) by arc.ab.ca (PMDF V5.1-8 #20122) with SMTP id <01IQ5PKREZ0U9H0R4H@arc.ab.ca> for firewalls@greatcircle.com; Tue, 18 Nov 1997 14:26:16 MST Date: Tue, 18 Nov 1997 14:34:16 -0700 From: Blair Nowakowsky Subject: Re: tcp/udp port numbers (correction Re: rfc1340 In-reply-to: X-Sender: nowakowsky@arc.ab.ca To: firewalls@greatcircle.com Message-id: <3.0.3.32.19971118143416.00935320@arc.ab.ca> MIME-version: 1.0 X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Content-type: text/plain; charset="us-ascii" References: <3.0.3.32.19971117163525.009461d0@arc.ab.ca> Sender: 
firewalls-owner@GreatCircle.COM Precedence: bulk Oops I have been corrected. Sorry about that. I have checked the RFC1700 and downloaded it for reference. I don't always know when an RFC is obsoleted. TNX Blair. At 11:15 AM 11/18/97 -0600, Doug Hughes wrote: > > >>Check out RFC1340. It is the RFC for Assigned Numbers and contains TCP/UDP >>port assignments and more. It is 118 pages. I found it at the >>www.internic.net site. Search for RFC1340. >> > >Just a correction - RFC1340 has been obsoleted by RFC1700 since October 1994. >(oops). > >-- >____________________________________________________________________________ >Doug Hughes Engineering Network Services >System/Net Admin Auburn University > doug@eng.auburn.edu > > > | Alberta | Blair Nowakowsky | | Research | (403)/450-5172 | | Council | nowakowsky@arc.ab.ca | From owner-firewalls-list Tue Nov 18 13:55:01 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA23275; Tue, 18 Nov 1997 13:25:42 -0800 (PST) Received: from sla-nt2.sla.com (mail1.sla.com [207.153.168.35]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id NAA23237 for ; Tue, 18 Nov 1997 13:25:30 -0800 (PST) Received: by mail1.sla.com with Internet Mail Service (5.0.1457.3) id ; Tue, 18 Nov 1997 13:24:15 -0800 Message-ID: From: "Stackpole, Bill" To: "'dons@Cadabratech.com'" , Firewalls@GreatCircle.COM Subject: RE: tcp/udp port numbers Date: Tue, 18 Nov 1997 13:24:13 -0800 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1457.3) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk snmp 161/tcp SNMP snmp 161/udp SNMP Might well be coming from your hubs or some other SNMP manageable device. > -----Original Message----- > From: dons@Cadabratech.com [SMTP:dons@Cadabratech.com] > Sent: Monday, November 17, 1997 8:57 AM > To: Firewalls@GreatCircle.COM > Subject: tcp/udp port numbers > > > Does anyone have a complete list of port numbers? 
I have a firewall > where I am seeing traffic on port 161 but haven't been able to > track it down. All of the hosts behind the firewall are NT boxes > and I'm thinking that it's related to WINS. It seems that when I > do a Network browse it starts firing off packets to all IP addresses > on the other side of the firewall via udp port 161. It seems to start > at one IP and then increment bit wise. > > I've found some web pages that list port numbers but they're pretty > much the same as unix:/etc/services. > > Don From owner-firewalls-list Tue Nov 18 13:56:34 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA21928; Tue, 18 Nov 1997 13:15:35 -0800 (PST) Received: from habanero.jmu.edu (habanero.jmu.edu [134.126.71.35]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id NAA21776; Tue, 18 Nov 1997 13:14:50 -0800 (PST) Message-Id: <199711182114.NAA21776@honor.greatcircle.com> Received: by habanero.jmu.edu (1.37.109.16/16.2) id AA251347261; Tue, 18 Nov 1997 16:07:41 -0500 Date: Tue, 18 Nov 1997 16:07:41 -0500 From: gary flynn To: firewalls-digest@GreatCircle.COM, firewalls@GreatCircle.COM, owner-firewalls-list@GreatCircle.COM Subject: Re: 7200 v. 7500 access-lists Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I'm going to respond with hearsay and conjecture. Sorry I don't have anything definite. > From: Peter Morissey > > Does a 7500 provide any great advantages for doing > incoming access lists on a 45 mb internet connection? > > The process switching for 7200 and RSP4 is rated at > 10K PPS by Cisco. If you make the assumption that > everything will be processed switched due to the access > lists, then the 7500 cost can't be justified. I think you're right....particularly since the 7200 processor is faster than the 7500. Netflow and future IOS releases may change the picture though. 
> The assumption about access lists and process switching
> is questionable, since the stats our existing 7010 show
> mostly route cache switching, even though we have access
> lists.

According to a web page describing the smurf attack at
www.quadrunner.com/~chuegen/smurf.cgi, 11.1(14)CA has
a feature that allows all but two denied packets to be
fast switched and 11.1(14.1)CA has a feature that allows
the administrator to log access-list matches at a defined
interval and "process logged packets not at that interval
in the fast path".

> The other factor is netflow switching. This can greatly
> improve performance by more than a factor of 10, but
> I'm wondering how much it helps when a lot of the traffic
> is WWW, with lots of short duration connections.

Anyone know what the "average" packet count of an "average"
Web URL request is :) ? I'd guess at least ten and less than
50 except for large graphics and files but I'm totally
clueless. With the popularity of the Web, that number of
packets could be multiplied by a fairly large user base.
If we assume that no additional overhead is incurred on the
first Netflow packet, then there could be significant
advantages due to the aggregate number of packets across
the router even though the individual connections are short.

My $0.02 worth.

Gary Flynn
Network Analyst
James Madison University
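For Don's port 161 question and Bill Stackpole's SNMP reply earlier in this thread, an added example (not code from the list) of what that traffic looks like in a firewall log and how to pick it out: one inside source sending UDP/161 to a run of consecutive destination addresses, which is the signature of an SNMP-capable host or manager walking the far-side subnet. The log line format and the sample lines are constructed for this example; the source address it reports is the host to go and look at.

```python
"""Spot one source sweeping UDP/161 (SNMP) across consecutive destinations.

Added example for the firewalls-list thread (Don's "port 161" question and
Bill Stackpole's reply); not code from the list. The log format below is
constructed for this example, one record per line:
    <time> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
"""
import ipaddress
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: one NT host hitting .10, .11, .12, .13 on udp/161 in
# turn, some unrelated traffic, and a manager polling a single switch.
SAMPLE_LOG = """\
10:01:00 udp 192.168.5.20:1025 -> 10.0.0.10:161
10:01:00 tcp 192.168.5.20:1026 -> 10.0.0.10:139
10:01:01 udp 192.168.5.20:1025 -> 10.0.0.11:161
10:01:01 udp 192.168.5.20:1025 -> 10.0.0.12:161
10:01:02 udp 192.168.5.20:1025 -> 10.0.0.13:161
10:01:03 udp 192.168.5.40:2000 -> 10.0.0.1:161
10:01:04 udp 192.168.5.40:2000 -> 10.0.0.1:161
"""


def parse(log_text):
    """Yield one dict per well-formed record; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def is_sequential(addrs):
    """True when every address is exactly one higher than the one before it."""
    nums = [int(ipaddress.IPv4Address(a)) for a in addrs]
    return all(b - a == 1 for a, b in zip(nums, nums[1:]))


def snmp_sweeps(log_text, port=161, min_targets=3):
    """Return {src_ip: {"targets": [...], "sequential": bool}} for every source
    that sent UDP to `port` on at least `min_targets` distinct destinations.
    Targets are kept in order of first appearance so the "increment" pattern
    Don describes can be checked directly.
    """
    targets = defaultdict(list)
    for rec in parse(log_text):
        if rec["proto"] == "udp" and int(rec["dport"]) == port:
            if rec["dst"] not in targets[rec["src"]]:
                targets[rec["src"]].append(rec["dst"])
    result = {}
    for src, dsts in targets.items():
        if len(dsts) >= min_targets:
            result[src] = {"targets": dsts, "sequential": is_sequential(dsts)}
    return result


if __name__ == "__main__":
    for src, info in snmp_sweeps(SAMPLE_LOG).items():
        kind = "sequential sweep" if info["sequential"] else "multiple targets"
        print(f"{src}: udp/161 to {len(info['targets'])} hosts ({kind})")
```

A single manager polling one device (192.168.5.40 above) stays below the threshold, so only the sweeping host is reported.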
From owner-firewalls-list Tue Nov 18 14:42:14 1997
From: tpe@dmc22.com
To: firewalls@greatcircle.com
Subject: Business Systems Analyst Needed
Date: Tue, 18 Nov 1997 17:31:37 -0500 (EST)

I queried the Boolean expression "Lotus AND SQL AND analyst" in the Diedre Moire Million Plus resume database and several Internet search engines. One of the retrieved resumes, postings or pages advertised your email address, indicating that you would welcome email inquiries on related subjects. Hence I am writing to ask for your assistance.

I am looking to hire a Business Systems Analyst to conduct testing, QA, writing and documentation of manuals, technical writing and full life cycle support. Knowledge of Lotus Notes, SQL, C, C++, Visual C++ required. Position is located in New York City. The company is a national clearing house for the settlement of securities trades markets with more than 2700 employees nation wide and securities holdings valued at $12.6 trillion.

If you know someone that might be interested I can be contacted at:

Thom Erickson
Voice: 609-584-9000 ext. 259
Fax: 609-584-9575
E-mail: tpe@dmc22.com

OUR ANTI-SPAM POLICY

We DO NOT send unsolicited email. We DO NOT send email to lists purchased from any list marketing vendor or producer.
We do send email to individuals that included their email address on their resume or advertised their email address, thusly soliciting inquiries, on postings or web sites which discuss jobs or resumes or professional or industrial matters related to the job opportunity we are trying to fill. Sometimes, people forget they submitted their email address to Diedre Moire, included it on their resume or solicited response on postings or pages. In rare situations, individuals' email addresses are advertised without their knowledge or consent. In any case, we gladly react to any request that we cease future mailings by placing a filter on our mailing software and removing your resume from the Diedre Moire Million Plus resume database.

If you do not want to hear from us type "remove" in the subject field and send via the reply command or address to rem@dmc22.com. We will cease mailings and remove your resume from the Diedre Moire Million Plus resume database. Please note that over seventy-five Fortune 500 Corporations and many more small and medium companies tap that database when hiring. Removal of your resume may, in many instances, eliminate your access to jobs at those companies.

GENERAL DRAW SOLICITATION

We DO NOT support general draw solicitation. General draw is a technique used to "troll" for potential prospects by sending mass quantities of announcements to groups of people in the hopes that some might respond with a general interest. We only announce specific job openings that must be filled immediately and endeavor to contact only those individuals who indicated interest in the related area and made their email addresses available via public posting or resume submission.

SUGGESTIONS

If you wish to suggest ways in which we might better serve, you can contact Stephen M. Reuning at (609) 584-9000 ext 301.

Our address is Diedre Moire Corporation, Inc.
510 Horizon Center
Robbinsville, New Jersey 08691

From owner-firewalls-list Tue Nov 18 17:36:21 1997
From: Antonio Paulo Salgado Forster
Reply-To: Antonio Paulo Salgado Forster
To: "Zarinelli, Alain"
cc: "'firewalls@greatcircle.com'"
Subject: Re: E-mail Spamming
Date: Tue, 18 Nov 1997 22:54:53 -0200 (EDT)
Organization: Rede Nacional de Pesquisa - RNP

Check http://www.sprocket.com/Security/Stopping-UCE.html

Regards,

Antonio Paulo Salgado Forster
Operacoes em Redes - RNP

On Tue, 18 Nov 1997, Zarinelli, Alain wrote:

> Date: Tue, 18 Nov 1997 12:19:19 -0600
> From: "Zarinelli, Alain"
> To: "'firewalls@greatcircle.com'"
> Subject: E-mail Spamming
>
> All: Does anybody have a good idea on how to prevent spammers from using
> our mail servers for relaying their trash?
> My idea was to drop all mail
> the mail-hubs receive from non-company domains addressed to non-company
> domains, that would at least prevent other people from getting bombarded
> with crap seemingly coming from us. Anybody have any ideas? We are using
> 'smap' on Gauntlet, which calls 'sendmail.'
>
> Thanks.
>
> Alain - Mea culpa, mea ultima culpa, not Gateway's...
>

From owner-firewalls-list Tue Nov 18 20:27:48 1997
From: Shambhu Prasad
To: "Firewalls (E-mail)"
Subject: Proxy Authentication for Netscape
Date: Wed, 19 Nov 1997 09:48:20 +0530

I observed that while connecting to the proxy server through Netscape it authenticates some users and for a few users it says "Authentication Fails". While connecting through Internet Explorer it authenticates all the users with the same User ID & Password.

Can anyone help me out?

With Regards,

Shambhu Prasad Sah        Tel   : +91(11) 6941831, 6946619
(Network Engineer)        Fax   : +91(11) 6943732
Eurolink Systems Ltd      email : sprasad@eurolink.stpn.soft.net
New Delhi, India          web   : www.eurolink-systems.com

" Eurolink and I have an arrangement: Neither of us speaks for the other. "

* * * * * * * * * * * *

From owner-firewalls-list Tue Nov 18 20:42:23 1997
From: Mike Tibodeau
To: firewalls-digest@GreatCircle.COM, firewalls@GreatCircle.COM, owner-firewalls-list@GreatCircle.COM
Subject: Re: 7200 v. 7500 access-lists
Date: Tue, 18 Nov 1997 23:20:20 -0500

Pete, et al-

I will try to make my response quick and accurate, but I will not guarantee complete.

Do not assume that all access lists are process switched. That is a myth. The switching path used by ip packets varies depending on the version of the IOS and the type of access list.
Since 10.3

Switching Path            Access list Type
--------------            ----------------
SSP                       Simple & Extended outbound lists, completely disabled for any inbound list
Autonomous (cbus/cxbus)   Disabled per interface for outbound lists, completely disabled for any inbound
Fast                      All supported
Process                   All supported

Since 11.0(3)

Switching Path            Access list Type
--------------            ----------------
SSP                       All supported
Autonomous (cbus/cxbus)   Disabled per interface for outbound lists, completely disabled for any inbound list
Fast                      All supported
Process                   All supported

Netflow can give you significant performance improvement, but you hit a key issue -- if flows are small, the overall benefit is not as great. I do not have stats on that, but I can try to find them or get someone to find them for you.

Also, please let me know if you run into "more difficulties" trying to get information and we will work to improve that.

Cheers.

-Mike

At 04:07 PM 11/18/97 -0500, gary flynn wrote:
>
>I'm going to respond with hearsay and conjecture.
>Sorry I don't have anything definite.
>
>> From: Peter Morissey
>>
>> Does a 7500 provide any great advantages for doing
>> incoming access lists on a 45 mb internet connection?
>>
>> The process switching for 7200 and RSP4 is rated at
>> 10K PPS by Cisco. If you make the assumption that
>> everything will be processed switched due to the access
>> lists, then the 7500 cost can't be justified.
>
>I think you're right....particularly since the 7200 processor
>is faster than the 7500.
>
>Netflow and future IOS releases may change the picture though.
>
>> The assumption about access lists and process switching
>> is questionable, since the stats our existing 7010 show
>> mostly route cache switching, even though we have access
>> lists.
>
>According to a web page describing the smurf attack at
>www.quadrunner.com/~chuegen/smurf.cgi, 11.1(14)CA has
>a feature that allows all but two denied packets to be
>fast switched and 11.1(14.1)CA has a feature that allows
>the administrator to log access-list matches at a defined
>interval and "process logged packets not at that interval
>in the fast path".
>
>> The other factor is netflow switching. This can greatly
>> improve performance by more than a factor of 10, but
>> I'm wondering how much it helps when a lot of the traffic
>> is WWW, with lots of short duration connections.
>
>Anyone know what the "average" packet count of an "average"
>Web URL request is :) ? I'd guess at least ten and less than
>50 except for large graphics and files but I'm totally
>clueless. With the popularity of the Web, that number of
>packets could be multiplied by a fairly large user base.
>If we assume that no additional overhead is incurred on the
>first Netflow packet, then there could be significant
>advantages due to the aggregate number of packets across
>the router even though the individual connections are short.
>
>My $0.02 worth.
>
>Gary Flynn
>Network Analyst
>James Madison University
>
>

From owner-firewalls-list Tue Nov 18 22:12:34 1997
From: Rick Hardy
To: Firewalls@GreatCircle.COM
Subject: PPTP & Routing
Date: Wed, 19 Nov 1997 01:07:58 -0500

Hello all,

I have been given the task of looking at MS's PPTP, and MS Proxy Server. One of the things that the client would like to do is have users in the field (Internet) use PPTP and connect to our LAN/WAN. I have been looking for answers, but thus far haven't found what I am looking for.

If my understanding of PPTP works, it can be looked at almost like a bridge between two networks? So, if a client in the field connects (via Internet) to a server running RRAS they would have access to the same internal segment as the RRAS box?!?

Now, if we then wanted that user to access our private frame WAN then how would the Internet registered IP addresses find their way through the private frame??? (IE if we used 192.168.xxx.xxx and 10.x.x.x addresses AND the routers knew of no other routes...)

I guess what I am asking is this: Can that user access the WAN or can they only access the LAN that the RRAS is connected to? If routing table changes were made, could they then access the WAN?
Thank you,

--=Rick=--

From owner-firewalls-list Wed Nov 19 00:58:32 1997
From: Shambhu Prasad
To: "'emobley@kpmg.com'"
Cc: "Firewalls (E-mail)"
Subject: RE: Linux SU log
Date: Wed, 19 Nov 1997 14:20:21 +0530

-----Original Message-----
From: emobley@kpmg.com [SMTP:emobley@kpmg.com]
Sent: Saturday, November 15, 1997 12:14 AM
To: firewalls@greatcircle.com
Subject: Linux SU log

Hello,

I'm using RedHat Linux 4.1 and I've noticed that it does not keep the traditional /var/adm/sulog. I can't find anything that records SU's. Does anybody know how I can configure /etc/syslog.conf (I assume that's where I'd want to do it) or whatever to get the logging of SU's that I need?

vi /etc/default/su or /etc/defaults/su
check the location of sulog.

-------------- sample su

# SULOG determines the location of the file used to log all su attempts
#
SULOG=/var/adm/sulog

# CONSOLE determines whether attempts to su to root should be logged
# to the named device
#
#CONSOLE=/dev/console

# PATH sets the initial shell PATH variable
#
#PATH=/usr/bin:

# SUPATH sets the initial shell PATH variable for root
#
#SUPATH=/usr/sbin:/usr/bin

# SYSLOG determines whether the syslog(3) LOG_AUTH facility should be used
# to log all su attempts.
# LOG_NOTICE messages are generated for su's to
# root, LOG_INFO messages are generated for su's to other users, and LOG_CRIT
# messages are generated for failed su attempts.

"su" [Read only] 25 lines, 703 characters

With Regards,

Shambhu Prasad Sah        Tel   : +91(11) 6941831, 6946619
(Network Engineer)        Fax   : +91(11) 6943732
Eurolink Systems Ltd      email : sprasad@eurolink.stpn.soft.net
New Delhi, India          web   : www.eurolink-systems.com

" Eurolink and I have an arrangement: Neither of us speaks for the other. "

* * * * * * * * * * * *

Thanks,
Ed

From owner-firewalls-list Wed Nov 19 01:56:45 1997
From: Kenny Kueh Kian Hong
Organization: Sibexlink Sdn Bhd
To: firewalls@greatcircle.com
Subject: Information Service Provider Online
Date: Wed, 19 Nov 1997 17:15:14 +0800

Please feel free to come in this site URL://http://www.sibexlink.com.my. Sibexlink is an information service provider online.
From owner-firewalls-list Wed Nov 19 03:19:27 1997
From: BRAD LOWE
Reply-To: LOWEB@yankeegas.com
To: Firewalls@GreatCircle.COM
Subject: Firewalls-Digest V6 #547 -Reply
Date: Wed, 19 Nov 1997 06:02:23 -0500

I will be out of the office until Friday, November 21st. If you need support prior to that date please contact the Help Desk at 639-4357 (they can page me if necessary).

Thank you.

From owner-firewalls-list Wed Nov 19 05:25:25 1997
From: Joe Loiacono
Organization: Computer Sciences Corporation
To: Peter Morissey
CC: firewalls@greatcircle.com, firewalls-digest@greatcircle.com
Subject: Re: 7200 v. 7500 access-lists
Date: Wed, 19 Nov 1997 08:08:05 -0500

Peter Morissey wrote:
>
> The other factor is netflow switching. This can greatly
> improve performance by more than a factor of 10, but
> I'm wondering how much it helps when a lot of the traffic
> is WWW, with lots of short duration connections.

I think very soon we will see an ever increasing amount of high-bandwidth WWW applications like audio and video-streaming (RTP). So the netflow switching will become increasingly more valuable. QOS will become critical.

Joe

--
Joe Loiacono                    (301) 415-6153
Computer Sciences Corporation   http://www.csc.com

From owner-firewalls-list Wed Nov 19 05:29:12 1997
From: "Matthew T. Davis"
To: firewalls@greatcircle.com
Subject: MBONE
Date: Wed, 19 Nov 1997 08:17:26 -0500

Hello all,

Has anyone had any luck passing MBONE through a firewall, specifically through FW-1? I have a few ppl on our network that would like to get it, but I have yet to really grasp how it works so I can pass it. Thanks in advance.

--
Matthew T. Davis
NOC Coordinator
Internet Access Group
mdavis@@iagnet.net
support@@iagnet.net
http://www.iagnet.net
DID: (216) 902-5469
Tech: (216) 902-5460
Main: 1-800-637-4IAG

From owner-firewalls-list Wed Nov 19 08:08:39 1997
From: mfeinstein@newoak.com (Michael G. Feinstein)
Reply-To: mfeinstein@newoak.com
Organization: New Oak Communications
To: Rick Hardy
CC: Firewalls@GreatCircle.COM
Subject: Re: PPTP & Routing
Date: Wed, 19 Nov 1997 09:02:53 -0500

PPTP gives the user an IP address on your private network which is encapsulated inside the traffic sent on the public Internet. The packets come out of the PPTP server and are routed on your private LAN like any other packets on that segment.

One thing PPTP doesn't do a good job with is giving you access back out to the Internet. When you have the PPTP tunnel open, all the traffic goes through the tunnel. Microsoft's PPTP server doesn't do a good job sending traffic back out to the Internet if the user is trying to simultaneously access the private LAN and public Internet.

You may want to check out my company's product, the NOC 4000 Extranet Access Switch.
It acts as a PPTP server, and IPsec tunnel mode server, and includes the ability to customize a user profile which includes custom filtering, bandwidth management, and security parameters. Our Web address is http://www.newoak.com. By the way, our product can handle the 'split' traffic case described above.

--
Michael Feinstein                New Oak Communications
VP, Product Marketing            125 Nagog Park
Tel: 978-266-1011 x103           Acton, MA 01720
Fax: 978-266-1080                http://www.newoak.com
mfeinstein@newoak.com            Pager: 800-592-6311

From owner-firewalls-list Wed Nov 19 08:32:05 1997
From: "Robert Laird"
To: Firewalls@GreatCircle.COM
Subject: opinions about Java?
Date: Wed, 19 Nov 1997 09:13:41 -0600

My experience with Java through a firewall is that it's sl-o-o-o-o-o-wwww. It seems to take forever to load and then another forever to run.
I can't find anything in the firewall itself that is slowing it down, so I'm wondering if large Java apps are simply .... SLOW!

What is your opinion about whether large Java apps are appropriate for mission critical purposes when used by Internet clients, traversing a firewall?

From owner-firewalls-list Wed Nov 19 10:02:13 1997
From: M S Szeto <"ims02@netvigator.com"@netvigator.com>
Reply-To: "ims02@netvigator.com"@netvigator.com
To: firewalls@greatcircle.com
Subject: Security concerns on IP addressing
Date: Mon, 03 Nov 1997 15:00:43 +0800

Dear all,

If my private network is going to be connected to the Internet, does anybody know what the most appropriate approach is, relating to network security, for the IP addressing scheme on my private network? If I follow RFC1918, what are the benefits? Is a firewall still necessary between my private network and the Internet?

Many thanks.
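The question above gets no reply in this part of the archive. As an added example (not from the list and not the poster's own), the Python below shows the address-level decisions a border device still has to make when the inside uses RFC1918 space: private addresses are merely unrouted from the Internet, and nothing in the addressing stops a spoofed packet with a private source from arriving or an inside host from sending to anything. The site prefix 10.1.0.0/16, the sample packets and the verdict wording are assumptions made for this example.

```python
"""Why an RFC1918 addressing scheme does not replace a firewall.

Added example for M S Szeto's question on the firewalls list; not code from
the list. Assumptions: the site uses one RFC1918 block (site_prefix, here
10.1.0.0/16), and packets are examined on the inside of any NAT, so inside
hosts appear with their real addresses. Sample packets are constructed.
"""
import ipaddress

# The three private blocks defined by RFC1918.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr):
    """True when addr falls inside any RFC1918 block."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RFC1918)


def border_verdict(direction, src, dst, site_prefix):
    """Return (verdict, reason) for one packet at the border.

    direction: "in" = arriving from the Internet, "out" = leaving toward it.
    Private addressing only means the Internet has no route back to the
    inside. Whether a packet with a private source may enter, or an inside
    host may reach a given destination, is decided here, not by the scheme.
    """
    site = ipaddress.ip_network(site_prefix)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if direction == "in":
        if is_private(src):
            return "drop", "RFC1918 source arriving from outside: spoofed or misrouted"
        if d not in site:
            return "drop", "destination is not an address this site owns"
        return "allow", "inbound to inside host; per-service rules apply next"
    if direction == "out":
        if s not in site:
            return "drop", "source is not an address this site owns: spoof or misconfig"
        if is_private(dst):
            return "drop", "RFC1918 destination leaving the site: unroutable, leaks addressing"
        return "allow", "outbound from inside host; per-service rules apply next"
    raise ValueError("direction must be 'in' or 'out'")


# Constructed sample traffic: (direction, src, dst).
SAMPLE_PACKETS = [
    ("in",  "203.0.113.5", "10.1.0.10"),    # ordinary inbound reply to an inside client
    ("in",  "192.168.9.9", "10.1.0.10"),    # private source from outside: spoof
    ("in",  "203.0.113.5", "10.77.0.1"),    # addressed to a prefix this site does not use
    ("out", "10.1.0.10",   "203.0.113.5"),  # ordinary outbound
    ("out", "10.1.0.10",   "172.16.4.4"),   # private destination: would leak and go nowhere
    ("out", "10.99.0.1",   "203.0.113.5"),  # inside host using an address we do not own
]


def audit(packets, site_prefix):
    """Apply border_verdict to each packet; return the list of verdicts."""
    return [border_verdict(dr, s, d, site_prefix)[0] for dr, s, d in packets]


if __name__ == "__main__":
    for (dr, s, d), v in zip(SAMPLE_PACKETS, audit(SAMPLE_PACKETS, "10.1.0.0/16")):
        print(f"{dr:3} {s:>14} -> {d:<14} {v}")
```

The "allow" verdicts are only the address check; which services those hosts may reach is the separate per-port or proxy policy the firewall also carries.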
From owner-firewalls-list Wed Nov 19 10:03:44 1997
From: Andy Howard
Organization: Exxon Computing Services Company
To: firewalls@GreatCircle.COM
Subject: Re: HTTP transparent proxy
Date: Wed, 19 Nov 1997 08:46:35 -0600

I am combining all the answers that have come back to me, either via the list or directly. Sorry for any repeats, but I thought all the answers in one place might be useful to somebody. I make no claims as to the accuracy of the info, I am just cutting and pasting the answers............

--------------

> A lot of the security proxy systems do support transparent proxying as
> described.
>
> Raptor for example listens to requests directed through it by routing
> and passes them onto the outside world. By default the proxy listens
> only on port 80, but can be configured to listen on additional ports
> such as 8000, 8080, 8008, etc. And as stated requires no extra
> configuration on the client end.

--------------------------

cisco cache engine, netcache when used transparently. Even Squid. You just need a way to direct the packets, which can be done with some routers or using something like ip-filter.

------------------------

actually I have heard of a hardware-based transparent proxy (http) product... if I recall well, it is called "cache engine" made by cisco. Quite nice... it can handle all the http access to the outside, caching lots of GB, and the user does not even know that he/she is using an http proxy. Check it at www.cisco.com.

----------

The combination of Squid and IP Filter on a FreeBSD or Solaris box allows this to be done also. If using FreeBSD, then the whole solution is free :-)

----------

A true transparent proxy is now available from Cisco Systems, it's known as Cache Engine. It is for the moment only supporting http proxying, it has to be combined with a cisco 7000 series router. Additional information can be found at the following URL: http://www.cisco.com/warp/public/751/cache/index.shtml The concept is quite interesting actually.

-------------

Milkyway offers a proxy firewall on Sun and NT that doesn't require proxy configuration within the browser. An eval copy of the NT version is available at www.milkyway.com

------------

A number of vendors support Transparent Proxy features exactly as you described - true application level proxying without requiring special client modifications or configuration. The PrivateNet firewall from NEC, now discontinued, had that very feature. I also believe Borderware, Raptor, and TIS Gauntlet currently have products that support transparent proxies.
------------

A recent article about the ipfwadm utility used by Linux mentions that this utility also offers transparent proxying (without modification on the client side).

--
Andy Howard
achowar@erenj.com
-- the above comments are mine only --

From owner-firewalls-list Wed Nov 19 12:44:46 1997
From: Joe Loiacono
Organization: Computer Sciences Corporation
To: "Matthew T. Davis"
CC: firewalls@greatcircle.com
Subject: Re: MBONE
Date: Wed, 19 Nov 1997 15:23:41 -0500

Matthew T. Davis wrote:
>
> Hello all,
>
> Has anyone had any luck passing MBONE through a firewall, specifically
> through FW-1? I have a few ppl on our network that would like to get it,
> but I have yet to really grasp how it works so I can pass it. Thanks in
> advance.

Depends on your configuration.
If your multicast router and clients are inside the firewall, and you're using a GRE tunnel from your provider, then you need to pass IP protocols DVMRP (set up a match: ip_p=2 for Firewall-1) and GRE (set up a match: ip_p=47 for Firewall-1) from your provider's tunnel end-point to your tunnel endpoint, through the firewall.

If your router and clients are on opposite sides of the firewall, you'll need to pass IGMP through the firewall between them.

Joe
--
Joe Loiacono (301) 415-6153
Computer Sciences Corporation http://www.csc.com

From owner-firewalls-list Wed Nov 19 14:16:50 1997
From: Vin McLellan
Date: Wed, 19 Nov 1997 16:22:09 -0500
To: "John Pettitt"
Cc: firewalls@greatcircle.com
Subject: Re: Internal Access control options -secureid, BoKS, ...
In-Reply-To: <01bcef2b$3adb1600$0201a8c0@john.software.net>

John Pettitt queried the FW Listocracy:

>Hi, we are upgrading some of our internal access controls in light of users
>being incapable of choosing realistic passwords (and not keeping them a
>secret when they do).

An echo of the poet Horace: "Naturam expellas furca, tamen usque recurret"

Freehand translation:-) Human nature is resilient and damn stubborn. Any policy which tries to deny or banish it -- even when it is enforced with a pitchfork -- is ultimately doomed. (Welcome, JP, to the ranks of the Realists!)
I hope you will report back to the List on what authentication/access control tech you eventually choose (and why) to address your (multi-level?) access problem. Web farms are new and a potentially huge business, and managing security for surfers, farm administrators, (and remote clients who want direct control of web content,) is a challenge with many potential responses -- some better than others. The web farm is also an environment where the idea of a security perimeter is inherently silly, right?

>We're looking at going with SecureID as an authentication system but have
>some issues:
>
>We want to use it on every system (I.E. all machines are bastions) rather
>than as a perimeter screen. The issue we have with this is tokens are a one
>shot deal and we have to wait 60 seconds before we can log into another
>system. Since we're running 10's of machines in an OLTP environment (web
>servers) this gets to be a pain real fast.

As Erick pointed out, you can get a 30-second SecurID (and in praxis, the delay is typically a fraction of that.) In rare environments, I grant, any delay is an issue....

If your staff will be using SecurID in the WebID configuration to access your Netscape servers, I've got a hack that might be useful. (I've been a consultant to SDTI for many years.)

WebID demands two-factor SecurID authentication, and can also _require_ SSL, before allowing a user access to protected web directories, pages, etc., within an otherwise open website. When a user makes a connection and authenticates through WebID, the ACE/Server lodges a cookie in the user's browser to make it a pseudo-stateful connection (allowing repeated http hits, without re-authentication.) The cookie can be timed, or otherwise set to implode. It can also, however, allow repeated access to all servers in the same (Internet) domain: e.g. www.domain.com.
Even if your web farm actually has many domains, routing your admin connection thru a packet filter which can change www domain names -- so the standard browser used by your staff sees all the farm's servers as a single domain -- can allow repeated, immediate, and fully-authenticated local access to multiple web servers. (The WebID cookie can also report the name of the user with each hit -- ask SDTI for the supplementary code -- so the web access privileges can be personalized.) Obviously, if you allow, or plan to allow, remote access to the farm's servers for your content providers, this becomes cumbersome, however.

>Our supplier is suggesting we look at BoKS which seems to offer a single
>login solution, the customer list (mostly banks) is impressive, but I'm a
>little skeptical of such things.

As I'm sure many folks have told you, this sounds like the blind man who feels the elephant's ear, and then, some distance away, the elephant's hind leg... and assumes, not unreasonably, that he's dealing with two different critters;-)

SDTI owns RSA (to which I know CyberSource has already made a major commitment) and SDTI/RSA recently purchased Dynasoft, the Swedish firm which developed BoKS. In '98 -- sez SDTI -- ACE/SecurID token-based authentication and the BoKS' suite of UNIX access coordinators, and client/server Single Sign-on and PKI technologies will be merged into a single modular product line, to be enhanced throughout by RSA crypto.

BoKS (a Swedish acronym for Secure Access Control) is best known as a multiple-server Single Sign-on (SSO) architecture which (a) scales extremely well, (b) is extraordinarily resilient and robust (c) wraps both UNIX and NT client apps, rather than requiring some equivalent of "kerberizing" all application code, and (d) supports a full public key infrastructure (PKI) with an integrated X509-based Certification Authority (CA.) SDTI has said it will offer BoKS agents for NT servers in '98 too.
Being skeptical about global PKI is reasonable, given the level of hype, the relatively frail infrastructure, and the limited experience anyone has had with extended multi-server key and certificate management. Local, corporate, PKI is much less daunting, and IMNSHO, PKC is about to flip the system and data security world topsy-turvy. (PKI -- and in particular, multi-functional digital signatures, has the potential to transform InfoSec from a burdensome obligation into a productivity-enhancer, with a concrete and vivid payback. New problems, surely -- but nicer work, if we can get it;-)

Being skeptical about single sign-on is also reasonable, given the challenges of Kerberos/DCE, the SSO model best known in the US. (Being skeptical about synchronized data bases among multiple networked servers is surely reasonable too, given the difficulty many vendors have had in delivering truly scalable solutions.) The List, I'm certain, would be very interested in your evaluation of how well BoKS addresses these issues.

BoKS is an elegant -- but big and functionally-rich -- solution to demands for Enterprise-oriented authentication, access control, data integrity and communications security. Architectural options are abundant. Many, perhaps most, sites today implement only a portion of the BoKS Security Suite.

The financial community -- under great pressure from both their internal and external auditors -- has created a mini-bandwagon for BoKS, particularly in volatile, high-security, trading-floor environments (bonds, currencies, stocks, etc.) Chase Manhattan, Citibank, and Wells Fargo (three of the top four US banks) are reportedly standardizing on BoKS' access control systems.

Typically, however, these banks are using BoKS in all-UNIX environments, and for now, only for centralized authentication and access control (supplementary to the file-level access control that is still maintained in each Unix host.) CyberSource's issues and criteria are likely to be quite different.
It sounds like you are offering open HTTP connections, and e-commerce backoffice support, for a warehouse of bastion-configured webservers. Tell us more. We don't hear much, on this List, about life without the warm and snuggly protection of a FW guardian;-)

The banks wanted, above all, robust, scalable, and cryptographically-secure authentication -- centralized and easily audited -- for legacy UNIX applications. One US bank's internal network, for example, already has _400_ synchronized (replicated-master) BoKS servers in a much larger global network. I think the largest BoKS installation today is on a Swedish government network that supports 15,000 users -- but the BoKS design spec credibly promises support for up to 100,000 users.

>Do any of you have any knowledge of BoKS? Is it any good? What else should
>we look at? Are there alternatives to secureid that support NT, Solaris,
>HP/UX and Netscape Servers?
>

I think the FW community has potentially a lot to learn from CyberSource's evaluation of its various options. I hope you will share it with the List.
Suerte,
_Vin

Vin McLellan + The Privacy Guild + 53 Nichols St., Chelsea, MA 02150 USA
<617> 884-5548 -- <@><@> --

From owner-firewalls-list Wed Nov 19 15:20:36 1997
From: Edierley Batista Messias
Date: Wed, 19 Nov 1997 17:25:43 -0400
To: Firewalls@GreatCircle.COM
Subject: Packet-Filtering-Rules
Message-Id: <199711192125.RAA17444@purus.dcc.fua.br>

================================================================================
Hi people of GreatCircle

I started to build a firewall here at my site, and I constructed the Bastion Host with all the Proxy Servers. My architecture is Screened Host. So now, I need to build the packet filtering rules on the router, a Cisco 2508. Do you know some sites that have some example rules, like Telnet and HTTP? I searched every site but I couldn't find any.

So, thank you in advance, everybody.
Edierley Messias
http://www.dcc.fua.br/~segredu/firewall
http://www.fua.br/~ebm
ebm@dcc.fua.br
 O/
 /|
 / \
================================================================================

From owner-firewalls-list Wed Nov 19 16:27:11 1997
From: Frank Santiago
Date: Wed, 19 Nov 1997 19:24:38 -0500
To: "ims02@netvigator.com"@netvigator.com, firewalls@GreatCircle.COM
Subject: Re: Security concerns on IP addressing
In-Reply-To: <199711191726.BAA11618@imsp015.netvigator.com>
Message-Id: <3.0.1.32.19971119192438.00e20b7c@ins.com>

"The benefit that you get from private addressing is that you can grow your internal IP networks without worrying about running out of addresses (using 10.0.0.0 for example). Also, you can eliminate the risk of inadvertently using other networks' legitimate addresses."

You have to consider the effort of changing the IP addresses in the whole network! Some people combine both registered IP addresses with private IP addresses. This way you can still use your existing IP addressing and then add private addresses for new subnets (try to use DHCP).

If you want to connect your private network to the Internet, it is a good idea to use a firewall. You want to control the access to your network. Too many hackers out there!
Also, because you are not supposed to advertise RFC1918 to the Internet, you can use the firewall to do Network Address Translation (NAT). The Cisco PIX is an excellent solution for this type of network. I'm working on a project using registered IP addresses, private IP addresses, NAT, DHCP and the PIX firewall. If you want to talk about implementing something similar in your network or if you have any questions, please don't hesitate to page me: (888)812-2098

____________________________________________________________
INTERNATIONAL NETWORK SERVICES
____________________________________________________________
Frank Santiago              Phone: (919)319-0400 x346 (INS)
Network Systems Engineer    Pager: (888)812-2098
Cisco Certified, CCIE #2651
____________________________________________________________
I LOVE THIS GAME

At 03:00 PM 11/3/97 +0800, M S Szeto wrote:
>Dear all,
>
>Does anybody know if my private network is going to be connected
>to the Internet, what are the most appropriate approach relating to
>network security on using the IP addressing scheme on my private
>network?
>
>If I follow the RFC1918, what are the benefit? Is a firewall
>still be necessary connected between my private network and Internet?
>
>Many thanks.
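Three packet-filter policies come up in this stretch of the thread: Joe Loiacono's MBONE rules (IP protocols 2 and 47 between the two tunnel endpoints), the screened-host Telnet/HTTP rules Edierley asks about, and Frank's point that RFC 1918 addresses should never arrive from the Internet. The following first-match filter models all three; it is an added example, not any poster's code nor a vendor product, and the addresses, interface names and rule ordering are constructed assumptions.

```python
"""First-match packet filter modelling the rules discussed in this thread.
Added example, not any poster's or vendor's code; all addresses are
constructed sample values taken from the documentation ranges."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# IP protocol numbers: DVMRP is carried in IGMP (2); the provider tunnel is GRE (47)
IGMP, TCP, GRE = 2, 6, 47

# Constructed topology (assumptions, not from the thread)
INTERNAL = "203.0.113.0/24"         # screened internal network
BASTION = "203.0.113.10"            # bastion host running the proxies
LOCAL_TUNNEL = "203.0.113.2"        # our multicast router / tunnel endpoint
PROVIDER_TUNNEL = "198.51.100.1"    # provider's tunnel endpoint

RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


@dataclass(frozen=True)
class Packet:
    iface: str           # interface the packet arrives on: "outside" or "inside"
    src: str
    dst: str
    proto: int
    dport: int = 0       # TCP/UDP destination port (0 for other protocols)
    ack: bool = False    # TCP ACK bit set, i.e. not the first packet of a connection


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    iface: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[int] = None
    dport: Optional[int] = None
    ack: Optional[bool] = None

    def matches(self, p: Packet) -> bool:
        """Every field that is set on the rule must match the packet."""
        if self.iface != "any" and self.iface != p.iface:
            return False
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.ack is not None and self.ack != p.ack:
            return False
        return True


POLICY: List[Rule] = [
    # Anti-spoofing (Frank's point): RFC 1918 space is never routed on the
    # Internet, and our own internal prefix cannot legitimately arrive from
    # outside either, so both are dropped before any allow rule is consulted.
    *[Rule("deny", iface="outside", src=net) for net in RFC1918],
    Rule("deny", iface="outside", src=INTERNAL),
    # MBONE (Joe's reply): GRE and DVMRP-over-IGMP only between the two
    # tunnel endpoints, never from arbitrary outside hosts.
    Rule("allow", iface="outside", src=PROVIDER_TUNNEL, dst=LOCAL_TUNNEL, proto=GRE),
    Rule("allow", iface="outside", src=PROVIDER_TUNNEL, dst=LOCAL_TUNNEL, proto=IGMP),
    # Screened host (Edierley's question): inbound Telnet and HTTP may only
    # terminate on the bastion, where the proxies live.
    Rule("allow", iface="outside", dst=BASTION, proto=TCP, dport=23),
    Rule("allow", iface="outside", dst=BASTION, proto=TCP, dport=80),
    # Return traffic for connections opened from inside: the 1997-era
    # "established" (ACK set) check. A stateful filter is the better option,
    # because an ACK-only probe also passes this rule.
    Rule("allow", iface="outside", dst=INTERNAL, proto=TCP, ack=True),
    # Outbound traffic from the internal network.
    Rule("allow", iface="inside", src=INTERNAL),
]


def evaluate(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; anything unmatched is denied (default deny)."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


# Constructed sample traffic: one packet per rule group plus the cases that must fail.
SAMPLES = [
    Packet("outside", PROVIDER_TUNNEL, LOCAL_TUNNEL, GRE),                # allow: tunnel
    Packet("outside", "198.51.100.9", LOCAL_TUNNEL, GRE),                 # deny: wrong endpoint
    Packet("outside", "192.0.2.7", BASTION, TCP, dport=80),               # allow: HTTP to bastion
    Packet("outside", "192.0.2.7", "203.0.113.20", TCP, dport=80),        # deny: HTTP past the bastion
    Packet("outside", "10.1.2.3", BASTION, TCP, dport=80),                # deny: spoofed RFC 1918 source
    Packet("outside", "192.0.2.7", "203.0.113.20", TCP, 1025, ack=True),  # allow: reply packet
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(evaluate(POLICY, pkt), pkt)
```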
From owner-firewalls-list Wed Nov 19 17:11:56 1997
From: Edierley Batista Messias
Date: Wed, 19 Nov 1997 20:05:25 -0400
To: Firewalls@GreatCircle.COM
Subject: Packet=Filtering=Rules
Message-Id: <199711200005.UAA18430@purus.dcc.fua.br>

================================================================================
Hi people of GreatCircle

I started to build a firewall here at my site, and I constructed the Bastion Host with all the Proxy Servers. My architecture is Screened Host. So now, I need to build the packet filtering rules on the router, a Cisco 2508. Do you know some sites that have some example rules, like Telnet and HTTP? I searched every site but I couldn't find any.

So, thank you in advance, everybody.
Edierley Messias
http://www.dcc.fua.br/~segredu/firewall
http://www.fua.br/~ebm
ebm@dcc.fua.br
 O/
 /|
 / \
================================================================================

From owner-firewalls-list Wed Nov 19 17:27:18 1997
From: "Carl A. Wescott"
Date: Wed, 19 Nov 1997 17:17:56 -0800
To: Todd.Hudspeth@norwest.com, firewalls@GreatCircle.COM
Cc: Carl.Wescott@Schwab.com
Subject: Re: Performance Testing Tools
Message-Id: <199711200117.RAA25678@arapaho.cse.ucsc.edu>

Is anyone aware of any performance measurement tools that would simulate thousands of users performing various methods of access to and through a firewall? Such as, internal to external ftp, http, https, telnet and VPN?

PurePerformix will cover http and https.

--Carl

Thanks,

Todd Hudspeth
Norwest Services, Inc.
todd.hudspeth@norwest.com

From owner-firewalls-list Wed Nov 19 18:45:43 1997
From: Sick Puppy
Date: Wed, 19 Nov 1997 21:28:31 -0500 (EST)
To: firewalls@GreatCircle.com
Subject: DNS stuff

I would really like to do something nasty to the thoughtless bastard that sent me e-mail offering to sell me a dog intelligence test for $20.

Anyway, on to the DNS question.

Suppose that we academic researchers have our own little corner of the Internet that we call happydawg.net, an e-mail server mailgate.happydawg.net and a web server www.happydawg.net. Also suppose that we are tired of being broke academics and want to make a small commercial venture. We want to change our entire domain from happydawg.net to xxxcatabuse.com, with mailgate.xxxcatabuse.com and web server www.xxxcatabuse.com

Our DNS is a little SCO box, battered and cracked so many times it's surprising it still runs. Can we alias our entire present domain happydawg.net to xxxcatabuse.net with an entry in the DNS or do we have to set up a new DNS? Many references on the Internet will point to the old happydawg.net and we need to get the whole lot redirected to xxxcatabuse.com

We are researchers. We are not expected to know this kind of practical stuff. That's why I am asking you security perfessors.
Sick Puppy, the (original) Cat_Eating_Dawg

From owner-firewalls-list Wed Nov 19 21:12:28 1997
From: Ziv Dascalu
Date: Thu, 20 Nov 97 07:04:35 +0200
To: "Carl A. Wescott", firewalls@GreatCircle.COM, Todd.Hudspeth@norwest.com
Cc: Carl.Wescott@Schwab.com
Subject: Re: Performance Testing Tools
References: <199711200117.RAA25678@arapaho.cse.ucsc.edu>

--- On Wed, 19 Nov 1997 17:17:56 -0800 "Carl A. Wescott" wrote:
>
> Is anyone aware of any performance measurement tools that would simulate
> thousands of users performing various methods of access to and through a
> firewall? Such as, internal to external ftp, http, https, telnet and
> VPN?
>
> PurePerformix will cover http and https.
>
> --Carl
>
> Thanks,
>
> Todd Hudspeth
> Norwest Services, Inc.
>
> todd.hudspeth@norwest.com
---------------End of Original Message-----------------

if you want to test the network traffic you may want to record a week's worth of network traffic with a sniffer and play it with a very small interval between the packets

Ziv
...===== A B I R N E T Active Network Protection =====
AbirNet returns network control back to your company.
SessionWall-3 provides you all the capabilities you need to fearlessly connect your business to the Internet and effectively manage your Intranet usage in a single, easy to use, affordable software product.
See us at http://www.AbirNet.com or call (817)251-7000 or (800)245-1688.
========== Get an EVALUATION COPY at ===========

From owner-firewalls-list Wed Nov 19 21:27:16 1997
From: Ziv Dascalu
Date: Thu, 20 Nov 97 07:21:02 +0200
To: firewalls@GreatCircle.COM, Neil_Buckley/CAM/Lotus@lotus.com
Subject: Re: Penetration Detection Tools
References: <85256548.00439F0A.00@mta2.lotus.com>

--- On Fri, 7 Nov 1997 12:57:20 -0500 Neil_Buckley/CAM/Lotus@lotus.com wrote:
> Hello,
>
> Does anyone have recommendations for third party penetration detection
> tools, I am fairly familiar with most freeware products for UNIX, but I
> need a company wide solution.
>
> Thanks in advance for any info,
>
> Neil Buckley
> nbuckley@lotus.com
>
---------------End of Original Message-----------------

you need to look at the search engines under the term "intrusion detection"

there are many many tools ranging from low level tcp-ip security up to network scanners for anti-virus and malicious applets

hope this helps

Ziv

From owner-firewalls-list Thu Nov 20 02:42:28 1997
From: Shambhu Prasad
Date: Thu, 20 Nov 1997 15:55:58 +0530
To: "Firewalls (E-mail)"
Subject: Message not deliverable
Message-ID: <01BCF5CC.CE883DE0@shambhu>

I observed that while connecting to the proxy server through Netscape it authenticates some users and for a few users it says "Authentication Fails". While connecting through Internet Explorer it authenticates all the users with the same User ID & Password.

Can anyone help me out?
With Regards,

Shambhu Prasad Sah                Tel : +91(11) 6941831, 6946619
(Network Engineer)                Fax : +91(11) 6943732
Eurolink Systems Ltd              email : sprasad@eurolink.stpn.soft.net
New Delhi, India                  web : www.eurolink-systems.com
" Eurolink and I have an arrangement: Neither of us speaks for the other. "
* * * * * * * * * * * *

From owner-firewalls-list Thu Nov 20 04:12:31 1997
From: Doug Bridgens
Date: Thu, 20 Nov 1997 10:27:53 -0000
To: "'Ziv Dascalu'", "'Carl A. Wescott'", "'firewalls@GreatCircle.COM'", "'Todd.Hudspeth@norwest.com'"
Cc: "'Carl.Wescott@Schwab.com'"
Subject: RE: Performance Testing Tools

A company called Performance Awareness (http://www.pacorp.com/) do automated testing software. I have used their software before and it is good. I've used their software for testing and performance work.

Doug
(By the way I have nothing to do with PA).

>-----Original Message-----
>From: Ziv Dascalu [SMTP:ziv@AbirNet.com]
>Sent: Thursday, November 20, 1997 5:05 AM
>To: Carl A.
>Wescott; firewalls@GreatCircle.COM; Todd.Hudspeth@norwest.com
>Cc: Carl.Wescott@Schwab.com
>Subject: Re: Performance Testing Tools
>
>
>--- On Wed, 19 Nov 1997 17:17:56 -0800 "Carl A. Wescott" wrote:
>>
>> Is anyone aware of any performance measurement tools that would simulate
>> thousands of users performing various methods of access to and through a
>> firewall? Such as, internal to external ftp, http, https, telnet and
>> VPN?
>>
>> PurePerformix will cover http and https.
>>
>> --Carl
>>
>> Thanks,
>>
>> Todd Hudspeth
>> Norwest Services, Inc.
>>
>> todd.hudspeth@norwest.com
>
>---------------End of Original Message-----------------
>
>if you want to test the network traffic you may want to record a week's worth of
>network traffic with a sniffer and play it with a very
>small interval between the packets
>Ziv
>...===== A B I R N E T Active Network Protection =====
>AbirNet returns network control back to your company. SessionWall-3 provides
>you all the capabilities you need to fearlessly connect your business to the Internet and
>effectively manage your Intranet usage in a single, easy to use, affordable software
>product.
>See us at http://www.AbirNet.com or call (817)251-7000 or (800)245-1688.
>========== Get an EVALUATION COPY at ===========
>

From owner-firewalls-list Thu Nov 20 04:27:09 1997
From: BRAD LOWE
Reply-To: LOWEB@yankeegas.com
Date: Thu, 20 Nov 1997 05:50:34 -0500
To: Firewalls@GreatCircle.COM
Subject: Firewalls-Digest V6 #548 -Reply

I will be out of the office until Friday, November 21st. If you need support prior to that date please contact the Help Desk at 639-4357 (they can page me if necessary).

Thank you.
From owner-firewalls-list Thu Nov 20 04:57:32 1997
From: "Esteban Vasquez"
Reply-To: "Esteban Vasquez"
Date: Thu, 20 Nov 1997 08:20:24 -0400
Subject: Voice over IP
Message-ID: <01bcf5ae$ad74d140$05d500cf@administrativo.iamnet.com>

Hi, I am a system administrator at a Venezuelan ISP.

We are going to implement a Frame Relay backbone and need information on security in the use of voice systems over frame relay or any data systems.

From owner-firewalls-list Thu Nov 20 05:12:10 1997
From: "Shakila Shayan"
Organization: IPM
Date: Thu, 20 Nov 1997 16:15:09 GMT+330
To: Firewalls@GreatCircle.com
Subject: about securing web pages
Message-ID: <34D2A3FCA@karun.ipm.ac.ir>

Hello there

We want to secure our intranet, which consists of some Web servers connecting to some clients and... in such a way that especially our web pages are secure and we can have some access control on them, i.e. via remote access or direct access we would be able to define levels of access for the user to the databases.

I have seen web sites and servers and web pages that are not accessible to everybody and may have some defined authentication for specific users, asking for some passwords or some registration or something like that.

My question is how we can implement such secure web pages, and what is the beginning point to do this..
thanks

From owner-firewalls-list Thu Nov 20 05:57:07 1997
From: "Shakila Shayan"
Organization: IPM
Date: Thu, 20 Nov 1997 17:01:43 GMT+330
To: Firewalls@GreatCircle.com
Subject: about securing web pages
Message-ID: <414386D21@karun.ipm.ac.ir>

Hello there

We want to