From firewalls-owner Thu Jan 1 00:29:31 1998
From: "Hagit"
To: , "Paul Alukal"
Subject: Re: Intrusion Detection - Switched Network
Date: Thu, 1 Jan 1998 10:34:28 +0200
Message-ID: <01bd1690$12fb4240$54d35ac2@hagit1.abirnet.co.il>
Sender: firewalls-owner@GreatCircle.COM

SessionWall-3 is an Intrusion Detection System that works in a switched network environment.

>The question is this. If the network is fully switched, how effective
>is any intrusion detection system (without using an shared hub)? By
>switched network, I mean each network device is connected directly to
>a port on a switch. The switch technology gives each port a different
>virtual circuit through the switch (unlike a shared hub), that even
>makes sniffing difficult (or impossible).
>

Even when working in a switched network, IP addresses can be spoofed, machines can get SYN flooded, or attacked in many other ways. Working in a switched environment does not mean being protected from intrusions.

>Some thoughts are to place the intrusion detection system near a choke
>point (like a firewall), but this will still need some shared hub.
>Installing any intrusion detection system on a firewall itself is out
>of question (due to complexity).
>

What we begin to see today is IDS shaking hands with routers and firewalls, where the IDS could control the firewall or the router; OPSEC for controlling firewall-1 is a good example for that trend.

>Assuming the network will have ATM backbone with different VLAN's in
>the network, we can think of an intrusion detection system with
>multiple interfaces to each VLAN, still if the network is switched, how
>effective will be the intrusion detection?
>

Plug the IDS into the monitoring port of the switched hub; it should be effective enough. What can cause the IDS to be less effective is the load on the network: if the network is highly loaded, an IDS which monitors each packet going on the net can miss some of the traffic. In SessionWall-3, you can exclude services to reduce the system load and remain effective even in highly utilized environments.

>Is there any commercial (or other) system which is capable of doing a
>true intrusion detection in these kind of situations?
>
>Thanks in advance for any comments or suggestions.
>
>Paul Alukal

Try SessionWall-3; it is preconfigured to work in the monitoring port of a switched hub.
You can download a test drive at http://www.abirnet.com

Hagit Oron
AbirNet
--------------------------------------------------------------------------
AbirNet provides the next generation in Internet and Intranet Protection
Get an EVALUATION COPY at
---------------------------------------------------------------------------

From firewalls-owner Thu Jan 1 02:29:36 1998
From: "Hagit"
To: , "Lars Bertelsen"
Subject: Re: Intrusion Detection - Question.
Date: Thu, 1 Jan 1998 12:12:34 +0200
Message-ID: <01bd169d$c72af640$54d35ac2@hagit1.abirnet.co.il>

On Wed 31 Dec 1997 you wrote:

>Now I think I'm definitely missing something here!
>
>When we are talking about intrusion detection in this context, what is it
>that people mean?
>I can think of several things, but it seems to me that this is a well
>established set of meanings of which I seem to be unaware. God how I hate
>that! :-)

The term IDS is used to describe a machine that monitors the traffic on the network looking for known signatures of what might be an attack on one or more of the devices (servers, stations, routers etc).
>
>Another question springs to mind: While I can easily see the problems
>discussed in accessing packet information in a switched environment, and
>while I fully understand its implications from the point of view of
>network troubleshooting, I'm not sure I understand why it has to be a
>problem from a security point of view.
>

Working in a switched environment does not mean protecting the network from intruders. Since IDS work by monitoring all network traffic, it is impossible for such a system to work in a switched environment, unless of course it is plugged into the promiscuous port of the switch.

>From what I have read I assume that we are talking about some sort of
>sniffing on the network, looking for specific sorts of traffic that
>shouldn't be there (or should but isn't!).
>
>As I see it, intrusion from a practical point of view means that you have
>one or more connections to the world.
>It would also seem to me that you would have to have one or more servers
>worth protecting.
>

Why just servers? Wouldn't you like to know if someone is WinNuking workstations? Wouldn't you like to know if someone is trying to Land attack your Cisco router? Some Intrusion detection systems can detect Malicious HTML signatures; wouldn't you like to know which user just downloaded (or received email) containing such a signature?

>Now I can't help thinking that the simple approach would be to do the
>sniffing at the connection to the world, either by means of monitoring that
>specific port in the switch or if that is not possible then by simply
>attaching a small hub to the port and plugging the sniffer and the router
>into that hub.

You can plug an Intrusion detection system into some vulnerable locations in the network; the segment that opens the network to the outside world is certainly one of them.

>Assuming that intrusion means intrusion from the outside, I can't see other
>than that any unwanted traffic would have to come this way!
>
>Now we might want to take this one step further and protect ourselves
>against "inside intrusion" too; people actually sitting on the internal net
>and doing things they shouldn't, either from actual machines on the network
>or through unauthorized backdoors (I still remember the number of users who
>got hopping mad when we switched to digital phones and they couldn't use
>their PC card modems any more! :-) )

All recent surveys about intrusion detection indicate that most of the intrusions come from users inside the network. Plugging an Intrusion Detection System in every segment of the network is a good protection.

>
>Again it would seem to me to be a question of identifying the danger points
>and do the monitoring there.
>Agreed, this is more complicated than just sniffing everything on a
>non-switched network, and if there are many servers it might be a fairly
>big job to set up. But I can't see why it would be anything that couldn't
>be solved with the technologies that we already have at our disposals.
>

Can you expand here, to what technologies do you refer?
Cheers
Hagit

From firewalls-owner Thu Jan 1 04:44:31 1998
From: mht@clark.net
Message-Id: <3.0.3.32.19980101073410.00860d50@pop3.clark.net>
Date: Thu, 01 Jan 1998 07:34:10 -0500
To: Frank Willoughby , James Terry
Subject: Re: firewall audit service referral -reply
Cc: firewalls@GreatCircle.COM
In-Reply-To: <3.0.3.32.19971231220823.007cc220@in.net>
References: <34AA9991.62140279@imx-exchange.com> <418996AD2954D11180860000E8D5C667018538@ns.rc.on.ca> <3488EB31.B5D806F6@gnss.com>

>>could anyone recommend a good firewall testing service?
>>
>>thanks,
>>james@imx-exchange.com
>
>It depends on what you are looking for.
>
>Fortified Networks does firewall testing for customers (corporations,
>governments, etc).
>
>FNITL is an independent test laboratory for testing firewalls & other
>InfoSec products.
>The most frequent testing performed are Quality Assurance Tests of Internet
>Firewalls
>& other InfoSec products - primarily for vendors, etc.

This is just one of many companies that perform these kind of services.
>
>CAUTION:
>Beware of any organizations which will perform a remote firewall
>penetration test.
>This is an inherently dangerous practice which has the potential of leading
>hackers
>to their next victims.

There are several big N-1 firms that do the above for a large fee, plus they offer other services as well. As Frank states in his CAUTION message, be aware of any big N-1 firm that states they have expert resources in-house. When inquiring to companies to perform the remote firewall penetration test, ask them about their methodology, their deliverables and the risk analysis before they conduct a test.

/mht

>
>Best Regards,
>
>
>Frank
>The opinions of the author of this mail may not necessarily be
>representative of the opinions of Fortified Networks, Inc.
>
>Fortified Networks, Inc. - http://www.fortified.com/
>Home of the Free Internet Firewall Evaluation Checklist
>Expert (vendor-neutral) Computer and Network Security Solutions
>Phone: (317) 573-0800 Fax: (317) 573-0817
>
>

------------------------------------------------------
"GREETINGS PROFESSOR FALKEN."
"SHALL WE PLAY A GAME??"
------------------------------------------------------

From firewalls-owner Thu Jan 1 09:29:36 1998
From: Adam Shostack
Message-Id: <199801011714.MAA03330@homeport.org>
Subject: Re: off topic: ssl setup on web server - now browser crypto strength
In-Reply-To: <199801010150.MAA14312@gate.quick.com.au> from "Simon J. Gerraty" at "Jan 1, 98 12:50:07 pm"
To: sjg@quick.com.au (Simon J. Gerraty)
Date: Thu, 1 Jan 1998 12:14:25 -0500 (EST)
Cc: firewalls@greatcircle.com (Firewalls mailing list)

Simon J. Gerraty wrote:
| Yes I had a look at it and it works very well. I had no trouble setting up
| 128bit sessions to an apache server. Problem is that whether the author
| wrote this thing outside the U.S. or not, he chose a U.S. based site? as
| home for it :-) so we are back to all the shadows of ITAR.

I use it as well. Easier than filling out the form on Netscape's web pages. :) Someone else pointed out that only the READMEs sit in the US.

| The other problem with something like fortify is that it may provoke the U.S.
| govt into revoking export of all versions of netscape etc.

Worrying about this is giving in to that most pernicious of policemen, the policeman within. One can spend months worrying about all the implications of having anything at all American involved in writing crypto, leading to not writing crypto code at all. If Uncle Sam wants to try to tell Netscape and Microsoft that they can't even export weak crypto, then there will be enough money involved to demonstrate that the law is an ass and in violation of the 1st Amendment to our Constitution.

Incidentally, John Gilmore has recently put up for FTP without restriction an authenticating DNS server in source form, including RSAREF. See Risks 19.51 or .52 for details. The government is free to respond, but has to explain its actions.

Adam

| Like I said, a non-U.S. origin web browser is the best solution... :-)
| (Oh, and I don't see that happening anytime soon :-)
|
| --sjg
|

--
"Remember, the holiday I'm currently celebrating has nothing to do with love, and everything to do with a guerilla war against an invading hegemony."
- NJM

From firewalls-owner Thu Jan 1 11:29:28 1998
Message-ID: <01BD16EB.19432B80@ppp387.enterprise.net>
From: Gadbois
To: "'firewalls@greatcircle.com'"
Subject: Firewall Security Advisory
Date: Thu, 1 Jan 1998 19:25:07 -0500

Forwarding this advisory I received on the Checkpoint FW-1 in case you haven't seen it. Take care.

Brian

> Original Message Follows
>WE HAVE RECEIVED INFORMATION CONCERNING A SECURITY PROBLEM
>PRESENT IN CHECKPOINT'S FIREWALL-1 WHICH ALLOWS UNAUTHORIZED USERS TO
>ACCESS THE SNMP DAEMON RUNNING ON THE FIREWALL. THIS ALLOWS OUTSIDERS
> TO OBTAIN INTERNAL AND CONFIDENTIAL INFORMATION ABOUT THE INSTALLATION AND
>OPERATION OF THE FIREWALL AND THE NETWORK WHICH IT PROTECTS, WITHOUT
>BEING TRACED. THE FOLLOWING ADVISORY IS A RETRANSMISSION OF A SECURE
>NETWORKS INC. ADVISORY PUBLISHED ON 9 DEC 97.
>[*** START SNI ADVISORY, "CHECKPOINT FIREWALL-1 SECURITY ADVISORY" ***]
>
>PROBLEM DESCRIPTION: THE DEFAULT RECOMMENDED CONFIGURATION OF
>FIREWALL-1 ALLOWS OUTSIDE USERS TO OBTAIN CONFIDENTIAL OPERATION AND
>STATISTICAL INFORMATION FROM THE SIMPLE NETWORK MANAGEMENT PROTOCOL
>(SNMP) DAEMON.
>ONCE OBTAINED, THIS INFORMATION CAN BE USED BY POTENTIAL INTRUDERS TO
>FIND VULNERABILITIES IN THE FIREWALL OR CONNECTED SYSTEMS. IN ADDITION,
>POTENTIAL INTRUDERS CAN OBTAIN STATISTICS ON THE FIREWALL'S OPERATION.
>FINDING SOFTWARE ON THE FIREWALL WITH KNOWN VULNERABILITIES CAN, IN SOME
>CASES, BE EXPLOITED IMMEDIATELY TO CAUSE A DENIAL OF SERVICE (DOS) ATTACK.
>IT IS POSSIBLE FOR PEOPLE WISHING TO SEE THE VOLUME OF TRAFFIC GOING IN
>AND OUT OF A TARGET FIREWALL'S NETWORK TO OBTAIN THIS INFORMATION IN A
>FORM THAT CAN BE DIRECTLY IMPORTED INTO ANY NUMBER OF NETWORK MONITORING
>TOOLS THAT CAN GRAPH IT BY TIME OF DAY.
>
>TECHNICAL DETAILS: FIREWALL-1 MAKES USE OF THE SNMP SERVICE ON ALL
>PLATFORMS TO OBTAIN INFORMATION ABOUT THE MACHINE ON WHICH THE FIREWALL
>IS RUNNING, AND TO SHOW THE USER REAL-TIME STATISTICS ABOUT THE FIREWALL.
>FOR THOSE UNFAMILIAR WITH THE FIREWALL-1 USER INTERFACE, THE FIRST OPTION
>AVAILABLE IN THE GLOBAL PROPERTIES DIALOG BOX IS:
> "ENABLE FIREWALL-1 CONTROL CONNECTIONS [ESSENTIAL]" [1].
>THE WORD 'ESSENTIAL' IS CONTAINED IN THE USER INTERFACE WINDOW ITSELF,
>CAUSING UNFAMILIAR USERS TO BE VERY RELUCTANT TO REMOVE IT SINCE THEY
>FEEL THE VENDOR SHOULD KNOW BEST ABOUT THIS.
>THE DEFAULT CONFIGURATION IS TO HAVE THIS SELECTED AND MARKED "FIRST" SO
>THAT IT IS EVALUATED BEFORE THE RULE-SET DEFINED BY THE FIREWALL
>ADMINISTRATOR. SINCE FIREWALL-1 OPERATES ON A FIRST-MATCH RATHER THAN
>A BEST-MATCH PRINCIPLE, NOTHING IN THE RULE-SET OVERRIDES THIS.
>THE DOCUMENTATION MAKES IT VERY CLEAR THAT WHILE THIS BOX IS SELECTED,
>CONTROL CONNECTIONS REQUIRED FOR USE OF THE REMOTE GUI ARE ONLY ALLOWED
>IF THE IP ADDRESS IS LISTED IN A SPECIFIC TEXT FILE. ALL OTHER CONNECTION
>ATTEMPTS WILL BE REJECTED. NO MENTION IS MADE OF THE FACT THAT ACCESS IS
>ALLOWED TO THE SNMP PORTS FROM ANY ADDRESS. IF ACCESS WERE RESTRICTED TO
>ADDRESSES THAT APPEAR IN THE TEXT FILE, THIS PROBLEM WOULD BE PRESENT TO
>A LESSER DEGREE, ALLOWING AN ATTACKER TO SPOOF UDP PACKETS TO SET
>VARIABLES, WITHOUT NEEDING TO RECEIVE A REPLY.
>THE SNMP DAEMON REVEALS THE VERSION OF THE OPERATING SYSTEM AND FIREWALL,
>AS WELL AS THE CONFIGURATION OF THE SECURITY PERIMETER SUCH AS THE
>PRESENCE OR ABSENCE OF A SERVICE NETWORK (DMZ). THE OS VENDOR'S SNMP
>DAEMON WILL GENERALLY MAKE AVAILABLE INFORMATION SUCH AS A LIST OF ALL
>ACTIVE CONNECTIONS, A LIST OF ALL RUNNING SERVICES AND THE ENTIRE ROUTING
>TABLE (WHICH IF THE FIREWALL RUNS RIP CONTAINS A SIZABLE AMOUNT OF
>INFORMATION). INFORMATION SUCH AS THE AMOUNT OF TRAFFIC TRAVELING ON ANY
>GIVEN INTERFACE CAN BE USEFUL FOR COMPETITORS GAINING INFORMATION ON
>NETWORK TRAFFIC.
>IN ADDITION TO THE STANDARD MIB, VARIOUS VENDORS MAKE THEIR OWN
>INFORMATION AVAILABLE VIA ENTERPRISE MIBS. AS THE REFERENCE SECTION TO
>THIS ADVISORY NOTES, THIS MAY BE IMPORTANT FOR NT USERS OF THE CHECKPOINT
>FIREWALL [2].
>CHECKPOINT HAS THEIR OWN ENTERPRISE MIB (ENTERPRISES.1919). THIS PROVIDES
>OTHER INFORMATION USEFUL TO THE POTENTIAL INTRUDER SUCH AS THE NUMBER OF
>DENIED, DROPPED, ALLOWED AND LOGGED PACKETS AS WELL AS THE CURRENT STATE
>OF THE FIREWALL. PROVIDED AS WELL, IS THE TEXT OF THE LAST SNMP TRAP
>GENERATED.
>TO AN INTRUDER, THE INFORMATION OBTAINED CAN IN MANY CASES POINT THEM
>DIRECTLY TO A WAY IN WHICH THEY CAN GAIN REMOTE ACCESS TO THE PROTECTED
>NETWORK.
>ACCESS TO THE SNMP DAEMON IS ALLOWED IN RULE-SET 0 (PROPERTIES) NO
>LOGGING OF THESE ACCESSES IS MADE.
>
>VULNERABLE OPERATING SYSTEMS AND SOFTWARE: ALL PLATFORMS RUNNING
>VERSIONS OF FIREWALL-1 FROM CHECKPOINT WHERE THE ADMINISTRATOR HAS NOT
>DISABLED THE "ENABLE REMOTE CONNECTIONS" OPTION FROM THE PROPERTIES, OR
>HAS IN SOME OTHER WAY ENABLED ACCESS TO THE SNMP SERVER ON THE FIREWALL.
>
>FIX INFORMATION:
>
>A. VENDOR PATCH: ACCORDING TO CHECKPOINT SOFTWARE, A PATCH FOR THIS
>PROBLEM IS AVAILABLE VIA:
> HTTP://WWW.CHECKPOINT.COM/SUPPORT (ALL LOWERCASE)
>IT SHOULD BE NOTED THAT THIS URL IS PASSWORD PROTECTED AND IS ONLY
>ACCESSIBLE VIA CHECKPOINT AUTHORIZED RESELLERS.
>B. QUICK FIX: IMMEDIATELY UNSELECT THE "ENABLE REMOTE CONNECTIONS"
>OPTION. ALSO, BLOCK ALL SNMP TRAFFIC AT YOUR BORDER ROUTER (UDP PORT 161).
>IF YOU ABSOLUTELY REQUIRE REMOTE ACCESS, A QUALIFIED SECURITY
>ADMINISTRATOR CAN ASSIST YOU IN DESIGNING A POLICY THAT GRANTS THIS
>ACCESS IN THE REGULAR RULE-BASE. PLEASE NOTE THAT THIS SUGGESTION IS
>NOT SUPPORTED BY CHECKPOINT AND IS PROVIDED WITHIN THIS ADVISORY ON AN
>'AS IS' BASIS. SNI (SECURE NETWORKS INC.) ACCEPTS NO LIABILITY FOR THIS
>SUGGESTED FIX, AND END USERS SHOULD APPLY IT ONLY AFTER CONSULTING THEIR
>IN-HOUSE SECURITY ADMINISTRATOR.
>
>ADDITIONAL INFORMATION: THE INFORMATION PROVIDED IN THIS ADVISORY
>WAS PROVIDED TO SNI BY STEVE BIRNBAUM .
>
>REFERENCES (FROM FOOTNOTES IN TEXT ABOVE):
> [1] MANAGING FIREWALL-1 USING THE WINDOWS GUI, FIGURE 1-11.
> [2] BUGTRAQ MAILING LIST POST CONCERNING MIB ENTERPRISES.77
>A RECENT POST TO A SECURITY MAILING LIST BY CHRISTOPHER ROULAND
>(CROULAND@EXAMNYC.LEHMAN.COM) POINTED OUT THAT THE MICROSOFT LAN-MANAGER
>ENTERPRISE MIB (ENTERPRISES.77) LISTED VAST AMOUNTS OF INFORMATION THAT
>SHOULD BE HEAVILY GUARDED.
>THIS INCLUDES A LIST OF RUNNING SERVICES AND THEIR STATE, A LIST OF ALL
>USERS THAT EXIST ON THE MACHINE, ANY CONNECTED SHARES AND THE NUMBER OF
>FAILED PASSWORD ATTEMPTS AMONG OTHER THINGS. FURTHER, HE FOUND A CERTAIN
>VARIABLE THAT COULD BE SET TO 0 IN MICROSOFT'S ENTERPRISE MIB WHICH
>RESULTED IN A CLEARING OF THE WINS DATABASE. GIVING SUCH INFORMATION AS
>THE PRESENCE OF ANY SHARES AND THE USER LIST ON A FIREWALL IS A POSSIBLY
>DISASTROUS BREACH OF SECURITY.
>[*** END SNI ADVISORY, "CHECKPOINT FIREWALL-1 SECURITY ADVISORY" ***]
>

From firewalls-owner Thu Jan 1 12:48:10 1998
Date: Thu, 01 Jan 1998 15:32:45 -0500 (EST)
From: Jimmy Kyriannis
Subject: Re: Intrusion Detection - Switched Network
In-reply-to: <199712301602.LAA15151@bluerose.tju.edu>
To: Paul Alukal
Cc: firewalls@GreatCircle.COM

I can't speak for ATM-only switches, but some conventional LAN switches, such as the Catalyst allow for the administrative creation of a port which can present all traffic flowing through a VLAN. As long as the bandwidth available on this port exceeds the total bandwidth consumed by the VLAN, you'll be able to use that port for sniffing/analysis purposes without packet loss. According to Cisco engineers, the Catalyst 5x00's, at least, do this in hardware with no performance loss.

Jimmy

At 11:02 AM -0500 12/30/97, Paul Alukal wrote:
>Hello everyone,
>
>I am interested in any feedback from users who use any type of
>intrusion detection systems (commercial or others) on a switched
>network.
>
>The question is this. If the network is fully switched, how effective
>is any intrusion detection system (without using an shared hub)? By
>switched network, I mean each network device is connected directly to
>a port on a switch. The switch technology gives each port a different
>virtual circuit through the switch (unlike a shared hub), that even
>makes sniffing difficult (or impossible).
>
>Some thoughts are to place the intrusion detection system near a choke
>point (like a firewall), but this will still need some shared hub.
>Installing any intrusion detection system on a firewall itself is out
>of question (due to complexity).
>
>Assuming the network will have ATM backbone with different VLAN's in
>the network, we can think of an intrusion detection system with
>multiple interfaces to each VLAN, still if the network is switched, how
>effective will be the intrusion detection?
>
>Is there any commercial (or other) system which is capable of doing a
>true intrusion detection in these kind of situations?
>
>Thanks in advance for any comments or suggestions.
>
>Paul Alukal

From firewalls-owner Thu Jan 1 13:29:28 1998
Date: Thu, 1 Jan 98 23:21:08 +0200
From: Ziv Dascalu
Subject: Re: Intrusion Detection - Switched Network
To: blast , Rabid Wombat
Cc: "Paul D. Robertson" , firewalls@GreatCircle.COM, Paul Alukal

--- On Wed, 31 Dec 1997 04:24:13 -0500 (EST) Rabid Wombat wrote:

>
> Switches are designed to support a large volume of traffic; if you
> aggregate all the traffic in multiple collision domains onto one
> monitoring segment, you'd flood it. Hence the decision to provide a
> monitoring port that can handle one collision domain at a time.
>
> -r.w.
>
> On Tue, 30 Dec 1997, blast wrote:
>
> > On Tue, 30 Dec 1997, Paul D. Robertson wrote:
> >
> > > On Tue, 30 Dec 1997, Paul Alukal wrote:
> > >
> > > > Is there any commercial (or other) system which is capable of doing a
> > > > true intrusion detection in these kind of situations?
> > >
> > > Most good switches will allow you to set particular ports to get all
> > > traffic as if it were a hub. This is where you configure the IDS.
> >
> > Paul Alukal has a valid question and I have yet to find any
> > 'administrative' port on any switch that facilitates an IDS
> > on each segment concurrently.
> >
> > Paul Robertson is right in saying that most "good switches"
> > have a port (single) to monitor a particular "domain" (collision/VLAN).
> > Problem is that these ports were not designed with an IDS in mind and
> > may only offer your IDS a view one world (collision-domain) at a time.
> > This constraint may or may not facilitate your IDS.
> >
---------------End of Original Message-----------------

So a possible solution for IDS systems may be a point solution in critical places, or having it physically connected to multiple segments by supporting multiple NICs.

Ziv

...===== A B I R N E T Active Network Protection (http://www.abirnet.com) =====

From firewalls-owner Thu Jan 1 23:44:25 1998
From: "P Mohan"
To: Firewalls@GreatCircle.COM
Date: Fri, 2 Jan 1998 02:52:59 -0500
Subject: FTP server
Reply-to: mohanp@india.mastech.com
Message-Id: <98Jan2.023050est.26993@firewall.mastech.com>

Friends,

I am planning to set up one FTP server (Internet) and give access to my client to use that. How do I do this? Is there any web site where I can get more info on this?
Thanks in advance

P.Mohan
mohanp@india.mastech.com

From firewalls-owner Fri Jan 2 03:14:28 1998
Message-Id: <01BD1742.E93E3350@gcrum@us-state.gov>
From: Gary Crumrine
Reply-To: "gcrum@us-state.gov"
To: "'Ted Doty'" , "firewalls@greatcircle.com"
Subject: RE: Intrusion Detection - Switched Network
Date: Fri, 2 Jan 1998 05:54:37 -0500
Organization: US Dept of State

Some very important points that you bring out Ted, is that

1) Network monitoring tools are to be considered only a part of the whole picture, and not relied upon to be the ultimate wall of defense. It should only be used to flag activity that requires further review by your administrative and security staff.

2) In this day and age, my opinion is that the biggest threat we see is from the inside... When working with forensic data from various customer sites, it appears much more activity on our so called trusted networks is occurring that is not detected. Industry is slowly turning their eyes internally, and it is good they have begun to do so. Any tool that can be used to flag this activity is sorely needed and a welcome relief to those of us who used to sit and pound out script after script in order to keep one step ahead of the bad guys. The only thing I fear though, is that we will soon rely too much on this technology, and lose the skills and insight you gain from in depth study of log data. Nothing quite as satisfying as your daily dose of analytics I always say...;^)

-----Original Message-----
From: Ted Doty [SMTP:ted@iss.net]
Sent: Wednesday, December 31, 1997 10:44 AM
To: firewalls@greatcircle.com
Subject: Re: Intrusion Detection - Switched Network

On Tue, 30 Dec 1997 13:06:19 -0500 (EST), Brad wrote:

>> I am interested in any feedback from users who use any type of
>> intrusion detection systems (commercial or others) on a switched
>> network.
>
>This is a problem I think every vendor is facing at this point. I am not
>aware of any product that will do this yet.

ODS has a product called the "Secure Switch", which includes our RealSecure IDS. Look at http://www.ods.com and click on "Security".

>There are workarounds, host based intrusion detection being one, but this
>can get unwieldy if you have hundred or thousands of hosts that need to be
>installed on and managed. Then there is the overhead associated with
>running IDS on each host.

Host based and network based IDS do different things, have different strengths and weaknesses, and should be used for different purposes.

Network based IDS is efficient from a management point of view (a single device can collect IDS information for an entire subnet), but is somewhat subject to false positives (reporting an event as possibly malicious when it is not, e.g. reporting a large number of legitimate hits on a fast web server as a possible Syn flood).

Host based IDS requires more management effort, does not typically act in real time, but has access to more refined levels of information (host audit logs), so has a much lower level of false positives.

An appropriate strategy might be to run network IDS for wide coverage, with host based IDS on critical systems, or on hosts that are reported to be engaged in suspicious activity by the network IDS.
>> The question is this. If the network is fully switched, how effective
>> is any intrusion detection system (without using an shared hub)?

It has to be in the hub if you want to do network based IDS on fully switched networks. The IDS has to live somewhere on the data path.

>> Some thoughts are to place the intrusion detection system near a choke
>> point (like a firewall), but this will still need some shared hub.
>> Installing any intrusion detection system on a firewall itself is out
>> of question (due to complexity).

[snip]

>A problem with this is that you don't see the internal traffic, only stuff
>passing through that choke point.
>
>I envision that IDS will need to be integrated into the switches, and
>routers, themselves somehow, as an extra card, additions to switch or
>router OS's, etc...

It's a much more compelling argument to integrate IDS with a switch, rather than with either firewalls or routers. Since a standalone IDS could use the firewall or router API (e.g. Checkpoint's OpSec) to update access rules, the firewalls can concentrate on firewalling and the routers can focus on routing.

One advantage of disassociating the IDS from the firewall is that an IDS deep inside your network could update the Internet perimeter defenses; this is useful for things like Smurf attacks. Still, the only way to get on the data path in switched networks is to integrate into the switch itself.

Note that we're talking about two different types of monitoring here. IDS in combination with firewalls (and probably routers, too) is primarily focused on enhancing external security (strengthening the perimeter). IDS in the switch is primarily useful for detecting internal threats and misuse.

Internal IDS is most effectively used as deterrence. In other words, let everyone know that monitoring is going on.
>> Assuming the network will have ATM backbone with different VLAN's in
>> the network, we can think of an intrusion detection system with
>> multiple interfaces to each VLAN, still if the network is switched, how
>> effective will be the intrusion detection?

Don't think you should need multiple interfaces, as long as the IDS understands how to grok an ATM cell stream. There are a lot of possible encapsulations: RFC 1577, LANE, "Legacy" formats like Fore IP. You may need to do some network tuning. ;-)

>This is definitely feasible, but you bring up another problem, IDS systems
>that work at ATM speeds, of which, again I know of none.
>The closest thing that I know of is NetRanger, from WheelGroup, which scales
>up to full FDDI and Fast Ethernet speeds. But not even NetRanger can work
>with ATM yet.

The ODS SecureSwitch has ATM/OC-3 interface modules. I haven't seen any performance figures, but it appears to be a supported configuration. I haven't heard of any published performance tests for IDS systems. If anyone from the trade press is listening, this might be a useful article for the community.

Disclaimer: I work for ISS, which makes RealSecure, which runs in the ODS SecureSwitch.
- Ted

--------------------------------------------------------------
Ted Doty, Internet Security Systems | Phone: +1 770 395 0150
41 Perimeter Center East | Fax: +1 770 395 1972
Atlanta, GA 30346 USA | Web: http://www.iss.net
--------------------------------------------------------------
PGP key fingerprint: 362A EAC7 9E08 1689 FD0F E625 D525 E1BE

From firewalls-owner Fri Jan 2 03:44:25 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id DAA02900; Fri, 2 Jan 1998 03:37:00 -0800 (PST)
Received: from proteus.asyk.ase.gr (proteus.asyk.ase.gr [193.242.241.61]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id DAA02738 for ; Fri, 2 Jan 1998 03:36:27 -0800 (PST)
Received: by proteus.asyk.ase.gr with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52) id <01BD1783.5C8A3D00@proteus.asyk.ase.gr>; Fri, 2 Jan 1998 13:35:59 +0200
Message-ID:
From: Vasilis Vergotis
To: "'Firewalls@GreatCircle.com'"
Subject: DNS and Mail setup via firewall
Date: Fri, 2 Jan 1998 13:35:57 +0200
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello to everybody and happy new year!

I would be grateful if you could give some advice to the following theme: There has been recently taken place to my company's network, a firewall installation which has been placed in front of the Internet connection. Therefore the network has been split into a public part (which contains nothing for the moment), a DMZ zone (which contains the public DNS and mail server) and the internal private network (which contains the internal DNS and mail server). The external mail server receives the mail for the zone company.gr and it forwards it to the internal mail server via SMTP. The external DNS server knows nothing about the internal.
Internally the DNS server knows only the zone internal.company.gr for which he is primary and for the things he does not know he asks the external DNS server. The internal mail server receives the mail for the zone internal.company.gr as well as the mail for the zone company.gr that the external mail server forwards.

The problem is that the internal mail server cannot deliver mail to the account with the e-mail address user@company.gr that has been created to him. It sends back a message reporting that the recipient is unknown. What goes wrong with the above configuration? I suspect that there is something wrong with the DNS. Do I have to use the same zone (company.gr) both for the internal and the DMZ network? Can I use e-mail addresses xxx@company.gr for the internal network with the above configuration?

Please send any help to my personal address to as I am not a member of the list.

Thanks in advance,
Vassilis.

From firewalls-owner Fri Jan 2 04:44:31 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id DAA04913; Fri, 2 Jan 1998 03:49:59 -0800 (PST)
Received: from bermuda.io.com (bermuda.io.com [199.170.88.7]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id DAA04843 for ; Fri, 2 Jan 1998 03:49:40 -0800 (PST)
Received: from localhost (cooper@localhost) by bermuda.io.com (8.8.5/8.8.5) with SMTP id FAA10413 for ; Fri, 2 Jan 1998 05:49:09 -0600 (CST)
X-Authentication-Warning: bermuda.io.com: cooper owned process doing -bs
Date: Fri, 2 Jan 1998 05:49:09 -0600 (CST)
From: William Cooper
To: "'firewalls@greatcircle.com'"
Subject: Re: Firewall Security Advisory
In-Reply-To: <01BD16EB.19432B80@ppp387.enterprise.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

this is a lame- - properly configured this should never have been a problem, tho admittedly it was a prob. w/ default config.
on FW-1 until recently - it is no longer a default on FW-1 and hasn't been for a month+ - patch was avail. 3 weeks+ before sec. advisory was posted - this was posted to BUGTRAQ over 3 weeks ago, if you're serious about network security and you didn't see it there, _and_ you managed to miss the numerous references in the trade rags, _AND_ you didn't bother to check CheckPoint's site to see if there were any new patches available, you don't deserve to know about it in the first place (MO).

info re: bugtraq at http://www.geek-girl.com/bugtraq/.

- bill cooper@io.com

On Thu, 1 Jan 1998, Gadbois wrote:
> Forwarding this advisory I received on the Checkpoint FW-1 in case you
> haven't seen it. Take care.

From firewalls-owner Fri Jan 2 06:44:28 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA15472; Fri, 2 Jan 1998 06:42:53 -0800 (PST)
Received: from loki.iss.net (loki.iss.net [208.21.0.3]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id GAA15464 for ; Fri, 2 Jan 1998 06:42:46 -0800 (PST)
Received: from tdoty (tdoty.iss.net [208.21.4.61]) by loki.iss.net (8.8.7/8.7.3) with SMTP id JAA28004 for ; Fri, 2 Jan 1998 09:42:14 -0500
Message-Id: <3.0.3.32.19980102093733.00a09100@mail.iss.net>
X-Sender: tdoty@mail.iss.net
X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.3 (32)
Date: Fri, 02 Jan 1998 09:37:33 -0500
To: firewalls@greatcircle.com
From: Ted Doty
Subject: Re: Intrusion Detection - Question.
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 31 Dec 1997 09:50:47, "Paul D. Robertson" wrote:
On Wed, 31 Dec 1997, Lars Bertelsen wrote:
>> When we are talking about intrusion detection in this context, what is it
>> that people mean?
>> I can think of several things, but it seems to me that this is a well
>> established set of meanings of which I seem to be unaware. God how I hate
>> that!
:-)
>
>At least from my perspective, we're discussing network monitoring tools
>such as NFR, NetRanger, etc. Which can alert based on certain traffic
>patterns which are typically associated with network intrusion.

A couple concrete examples might help clarify the distinction between what firewalls and IDS do. A firewall will typically grant or restrict access to services (e.g. HTTP) based on policy (internal users can use browsers to access arbitrary sites, external users are only allowed access to the DMZ firewall). IDS, on the other hand, looks for patterns within the allowed traffic that suggest a deviation from policy, typically by exploiting a vulnerability in a client or server program to gain additional privileges.

One such example is the Microsoft Internet Explorer 3.0/3.01 bug that causes the browser to locally execute URLs that have a .url or .lnk extension. An attacker could set up a web page offering cool inducements ("Click here for nude gifs of Socks the cat!") which in actuality point to Mail_me_all_your_cached_passwords.url.

Another example is DNS. Since we all rely on DNS to associate hard to remember IP addresses with easy to remember hostnames, the firewall has to pass incoming DNS traffic (at least from particular sources). One known attack returns an address longer than 4 bytes, to overflow a buffer in some DNS implementations and execute arbitrary commands.

Typically the IDS will take appropriate action when it sees this kind of shenanigans, for example killing the session with appropriately crafted TCP RST messages, adding new firewall rules to block the miscreant, and making pagers sing and network management consoles glow appropriately.

There seem to be two flavors of IDS, one that looks for known bad signatures, and one that uses an expert system to detect patterns falling outside the norm. My examples use signatures (these are actual examples from our RealSecure IDS).
The Network Intrusion Detection Expert System (NIDES) from SRI is an example of a learning system to detect anomalous usage patterns.

- Ted

--------------------------------------------------------------
Ted Doty, Internet Security Systems | Phone: +1 770 395 0150
41 Perimeter Center East | Fax: +1 770 395 1972
Atlanta, GA 30346 USA | Web: http://www.iss.net
--------------------------------------------------------------
PGP key fingerprint: 362A EAC7 9E08 1689 FD0F E625 D525 E1BE

From firewalls-owner Fri Jan 2 07:14:38 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA18839; Fri, 2 Jan 1998 07:08:21 -0800 (PST)
Received: from mco.edu (mco004.mco.edu [136.247.10.56]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id HAA18802 for ; Fri, 2 Jan 1998 07:08:11 -0800 (PST)
Received: from mco-Message_Server by mco.edu with Novell_GroupWise; Fri, 02 Jan 1998 10:06:27 -0500
Message-Id:
X-Mailer: Novell GroupWise 4.1
Date: Fri, 02 Jan 1998 10:06:01 -0500
From: Jeff Zarend
To: firewalls@greatcircle.com
Subject: Batch load of users
Mime-Version: 1.0
Content-Type: text/plain
Content-Disposition: inline
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I want to batch load a user list for Checkpoint's Firewall-1. I will use DBIMPORT. My problem is that the password field looks like it needs to be encrypted. I have a flat text file, with the passwords in clear text (I randomly generated the passwords). Does anyone have a utility to encrypt the text passwords, so they are acceptable to Firewall-1's batch load?
Thanks, Jeff Zarend Medical College of Ohio jzarend@mco.edu (419) 383-4505 From firewalls-owner Fri Jan 2 07:45:14 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA20983; Fri, 2 Jan 1998 07:23:45 -0800 (PST) Received: from tcs-sec.com (tcsfw-1.tcs-sec.com [208.219.129.41]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id HAA20913 for ; Fri, 2 Jan 1998 07:23:29 -0800 (PST) Received: (from uucp@localhost) by tcs-sec.com (8.8.7/8.6.9) id LAA00059; Fri, 2 Jan 1998 11:24:58 -0500 Received: from lambic.tcs-sec.com(205.197.27.135) by tcsfw-1.tcs-sec.com via smap (V1.3) id sma000057; Fri Jan 2 11:24:46 1998 Message-Id: <3.0.5.32.19980102102426.007d13c0@lambic> X-Sender: gperry@lambic X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Fri, 02 Jan 1998 10:24:26 -0500 To: Frank Willoughby , James Terry From: Gregory Perry Subject: Re: firewall audit service referral Cc: firewalls@GreatCircle.COM In-Reply-To: <3.0.3.32.19971231220823.007cc220@in.net> References: <34AA9991.62140279@imx-exchange.com> <418996AD2954D11180860000E8D5C667018538@ns.rc.on.ca> <3488EB31.B5D806F6@gnss.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >CAUTION: >Beware of any organizations which will perform a remote firewall >penetration test. >This is an inherently dangerous practice which has the potential of leading >hackers >to their next victims. > >Best Regards, > > >Frank I don't guess I understand what you are getting at, remote penetration testing is an absolute necessity for any type of Internet related security audit - which would you rather happen, have an outside firm discover flaws in your Internet connected network, or have a hacker find and exploit the flaw(s) instead? __________________________________________________________________ Gregory Perry phone: 703.318.7134 Trusted Computer Solutions, Inc. 
fax: 703.318.5041 13873 Park Center Road Suite 225 email: gperry@tcs-sec.com Herndon, VA 20171 http://www.tcs-sec.com __________________________________________________________________ From firewalls-owner Fri Jan 2 08:00:34 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA19764; Fri, 2 Jan 1998 07:14:33 -0800 (PST) Received: from loki.iss.net (loki.iss.net [208.21.0.3]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id HAA19709 for ; Fri, 2 Jan 1998 07:14:20 -0800 (PST) Received: from tdoty (tdoty.iss.net [208.21.4.61]) by loki.iss.net (8.8.7/8.7.3) with SMTP id KAA29532; Fri, 2 Jan 1998 10:13:55 -0500 Message-Id: <3.0.3.32.19980102100915.00a09530@mail.iss.net> X-Sender: tdoty@mail.iss.net X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.3 (32) Date: Fri, 02 Jan 1998 10:09:15 -0500 To: "gcrum@us-state.gov" From: Ted Doty Subject: RE: Intrusion Detection - Switched Network Cc: "firewalls@greatcircle.com" In-Reply-To: <01BD1742.E93E3350@gcrum@us-state.gov> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 05:54 AM 1/2/98 -0500, Gary Crumrine wrote: >Some very important points that you bring out Ted, is that 1) Network >monitoring tools are to be considered only a part of the whole picture, and >not relied upon to be the ultimate wall of defense. It should only be used >to flag activity that requires further review by your administrative and >security staff. Well, not really. Some traffic can be identified as known bad (for example, session hijacking attacks), and the IDS should take action to stop it. You don't want the admins involved, because by the time a human can react the damage is already done. OTOH, other types of events can be "interesting" without even being "suspicious". For example, suppose I see cleartext SMB passwords going across my LAN. This can mean all kinds of things, only some of which are malicious. 
I may have old LAN Manager clients, so my NT servers are defaulting down to a brain dead authentication scheme. I may have a misconfiguration in one of my servers. Or I might have a man-in-the-middle password downgrade attack in progress. In any case, I'll have to do some investigating to determine what's really going on, and whether it needs action. - Ted -------------------------------------------------------------- Ted Doty, Internet Security Systems | Phone: +1 770 395 0150 41 Perimeter Center East | Fax: +1 770 395 1972 Atlanta, GA 30346 USA | Web: http://www.iss.net -------------------------------------------------------------- PGP key fingerprint: 362A EAC7 9E08 1689 FD0F E625 D525 E1BE From firewalls-owner Fri Jan 2 08:09:08 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA20053; Fri, 2 Jan 1998 07:16:30 -0800 (PST) Received: from friday.datasource.net (friday.datasource.net [205.183.26.1]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id HAA19865 for ; Fri, 2 Jan 1998 07:15:43 -0800 (PST) Received: from friday.datasource.net (root@localhost) by friday.datasource.net (8.7.5/8.7.3) with ESMTP id JAA07116; Fri, 2 Jan 1998 09:13:33 -0600 (CST) Received: from datasource.net ([192.168.0.80]) by friday.datasource.net (8.7.5/8.7.3) with ESMTP id JAA07112; Fri, 2 Jan 1998 09:13:32 -0600 (CST) Message-ID: <34AD0616.9B0187DF@datasource.net> Date: Fri, 02 Jan 1998 09:21:58 -0600 From: Nathan Steinbauer Reply-To: nathan@datasource.net Organization: DataSource Hagen X-Mailer: Mozilla 4.02 [en] (Win95; I) MIME-Version: 1.0 To: Modify CC: "N.Z. Sanderson" , firewalls@GreatCircle.COM Subject: Re: Borderware vs Firewall - 1 References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In defense of Secure Computing, Borderware is made for small to medium sized companies. 
In a 12,000 desktop company Secure would recommend their Sidewinder, which does handle heavy usage well and is very flexible. My $.02 Nate Modify wrote: > > I tested both products and I would choose Firewall1 over Borderware any > day. (Personal Opinion) I found that Borderware couldnt handle heavy > loads (probably okay for a small company) The help was crap and the > service wasnt all that wonderful either! Firewall1 had decent help and > pretty darn good service from the home office. Also, Firewall1 handled > the large load we needed with 12,000 people in this company. Firewall1 > also had a much more crisp, clear, easy to use interface for rule sets > etc..etc.. All of which is personal opinion. > > Modify > > On Tue, 30 Dec 1997, N.Z. Sanderson wrote: > > > Hi there . . . > > > > I am looking to at a comparison of two Firewall products: > > > > 1/ Secure Computings Borderware > > 2/ Checkpoints Firewall - 1 > > ________ > > H E L P > > --------- > > Has anyone either have there own comparison OR an opinion (good/bad) on > > the above products. > > > > look forward to some answers . . . . . as these firewalls look good on > > paper but how are they implemented. > > > > thanks in advance for your help . . 
> > > > Nigel Sanderson > > > > > > ______________________________________________________ > > Get Your Private, Free Email at http://www.hotmail.com > > -- Nathan Steinbauer Internet Consultant DataSource Hagen 612.844.1459 nathan@datasource.net http://www.datasource.net From firewalls-owner Fri Jan 2 08:11:12 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA18677; Fri, 2 Jan 1998 07:07:39 -0800 (PST) Received: from imo11.mx.aol.com (imo11.mx.aol.com [198.81.19.165]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id HAA18670 for ; Fri, 2 Jan 1998 07:07:34 -0800 (PST) From: GCrum2 Message-ID: Date: Fri, 2 Jan 1998 10:06:58 EST To: Firewalls@GreatCircle.COM Subject: firewRe: Looking for a good conference on firewalls and network s Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7bit Organization: AOL (http://www.aol.com) X-Mailer: Inet_Mail_Out (IMOv11) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I heard that the person who is teaching this course in question is in trouble for stealing the material and is being sued. I would really hate to spend money and schedule flights etc for this course, only to show up and find out that the course was cancelled because of someone's legal troubles. I am very surprised that their employer knowingly lets them continue to use their name in the advertizement, or lets the person to continue to represent them on the speaking tour. Somehow, I tend to shy away from people involved with shady acts for some reason. If the charges are true, I'd have a problem with that. I guess though, that we should give them the benefit of the doubt...the truth seems to have a way of coming out in the end, so I will reserve judgement until then. Just use caution. As for SANS in general, I find them a very informative and forthright organization. In the Washington DC area, there are several very good conferences that are held each year. 
Infowarcom is one of those, as well as one put on by NCSA I think...not sure. COMNET and fed imaging are others that come to mind. -----Original Message----- From: Sent: Wednesday, December 31, 1997 7:05 PM To: Pablo Martinez; Firewalls@GreatCircle.COM Subject: Re: Looking for a good conference on firewalls and network security -reply I was just perusing the SANS May Conference, and found a course titled "Firewall Management and Troubleshooting" Anybody know anything about the speaker or the contents of the course.??? At 03:17 PM 12/18/97 -0500, Pablo Martinez wrote: >I am relatively new to this area and I am in the process of >registering in a couple of courses on network/Internet security. >I would also like to attend to a good conference/symposium on >network security (including firewalls) where I could get info on the >latest trends and research (courses usually do not cover that >in detail). Any suggestions? So far I have info on > > - 1998 IEEE Symposium on Security and Privacy > - The Internet Society's Symposium on Network and Distributed System > Security > >thanks, >-- >Pablo Martinez 101 Crawfords Corner Rd >Internet Communications Business Holmdel, NJ 07733-3030 >Lucent Technologies 732 817-2731 >pablo@lucent.com 732 817-4504 FAX > > From firewalls-owner Fri Jan 2 09:14:42 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA10009; Fri, 2 Jan 1998 09:06:11 -0800 (PST) Received: from landfield.com (ns.landfield.com [208.196.145.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id JAA09948 for ; Fri, 2 Jan 1998 09:05:54 -0800 (PST) Received: (from kent@localhost) by landfield.com (8.8.8/8.8.8) id LAA21021; Fri, 2 Jan 1998 11:06:21 -0600 (CST) From: Kent Landfield Message-Id: <199801021706.LAA21021@landfield.com> Subject: Re: FTP server To: mohanp@india.mastech.com Date: Fri, 2 Jan 1998 11:06:20 -0600 (CST) Cc: Firewalls@GreatCircle.COM In-Reply-To: <98Jan2.023050est.26993@firewall.mastech.com> from 
"P Mohan" at Jan 2, 98 02:52:59 am X-Mailer: ELM [version 2.4 PL25] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk # Friends, # # I am planning to setup one FTP server (Internet) and give access to # my client to use that. How do I do this ? Is there any web site where # I can get more info on this? # # # Thanks in advance # # P.Mohan # mohanp@india.mastech.com Take a look at the WU-FTPD Resource Center httpd://www.landfield.com/wu-ftpd. -- Kent Landfield Phone: 1-817-545-2502 Email: kent@landfield.com http://www.landfield.com/ Email: kent@nfr.net http://www.nfr.net/ Please send comp.sources.misc related mail to kent@landfield.com Search the Usenet Hypertext FAQ Archive at http://www.faqs.org/faqs/ From firewalls-owner Fri Jan 2 11:44:38 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA23781; Fri, 2 Jan 1998 11:42:07 -0800 (PST) Received: from tcs-sec.com (tcsfw-1.tcs-sec.com [208.219.129.41]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id LAA23774 for ; Fri, 2 Jan 1998 11:41:59 -0800 (PST) Received: (from uucp@localhost) by tcs-sec.com (8.8.7/8.6.9) id PAA01148 for ; Fri, 2 Jan 1998 15:43:30 -0500 Received: from lambic.tcs-sec.com(205.197.27.135) by tcsfw-1.tcs-sec.com via smap (V1.3) id sma001146; Fri Jan 2 15:43:15 1998 Message-Id: <3.0.5.32.19980102144255.007f53d0@lambic> X-Sender: gperry@lambic X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Fri, 02 Jan 1998 14:42:55 -0500 To: From: Gregory Perry Subject: Re: Intrusion Detection - Question. In-Reply-To: <01bd169d$c72af640$54d35ac2@hagit1.abirnet.co.il> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >Working in switched environment does not mean protecting the network from >intruders. 
>Since IDS work by monitoring all network traffic, it is impossible for such a
>system to work in a switched environment, unless of course it is plugged in the
>promiscuous port of the switch.
>
>>>From what I have read I assume that we are talking about some sort of
>>sniffing on the network, looking for specific sorts of traffic that
>>shouldn't be there (or should but isn't!).
>>
>>Now I can't help thinking that the simple approach would be to do the
>>sniffing at the connection to the world, either by means of monitoring that
>>specific port in the switch or if that is not possible then by simply
>>attaching a small hub to the port and plugging the sniffer and the router
>>into that hub.

Where is RMON-2 and 3 at in terms of dispatching intelligent agents to detect intrusions (or other suspicious network activity) as opposed to running a port on the hub in promiscuous mode? Bandwidth concerns would be enough to merit a proactive agent type scenario as opposed to a centralized management server that parses all data on the network, ATM would be out for this application for example...

__________________________________________________________________
Gregory Perry phone: 703.318.7134
Trusted Computer Solutions, Inc.
fax: 703.318.5041 13873 Park Center Road Suite 225 email: gperry@tcs-sec.com Herndon, VA 20171 http://www.tcs-sec.com __________________________________________________________________ From firewalls-owner Fri Jan 2 13:14:42 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA28904; Fri, 2 Jan 1998 13:04:11 -0800 (PST) Received: from tango.lightech.com.ar (tango.lightech.com.ar [200.0.253.134]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id NAA28897 for ; Fri, 2 Jan 1998 13:04:02 -0800 (PST) Received: from lightech.com.ar (plata.gaucho.com.ar [200.5.254.173]) by tango.lightech.com.ar (8.8.7/8.8.7) with ESMTP id UAA17781; Fri, 2 Jan 1998 20:41:01 GMT Message-ID: <34AD01AF.97E7A701@lightech.com.ar> Date: Fri, 02 Jan 1998 18:03:11 +0300 From: Sergio Bollini Organization: LighTech X-Mailer: Mozilla 4.04 [en] (X11; I; SunOS 5.5.1 sun4m) MIME-Version: 1.0 To: "fw-1-mailinglist@us.checkpoint.com" , "firewalls@greatcircle.com" Subject: fw-1 asmtpd banner Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello all! Just a little question: does anybody know how to modify the fw-1 smtp server's banner? I think it isn't a good idea to advertise that you are using a firewall (not to mention product and version). TIA -- Sergio E. Bollini LighTech Voice: (54-1) 373-1141 Ayacucho 563. 
Piso 13 Dto "A" FAX: (54-1) 373-1215
(1026) Buenos Aires e-mail: sbollini@lightech.com.ar
Argentina URL: http://www.lightech.com.ar

From firewalls-owner Fri Jan 2 15:14:52 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA07465; Fri, 2 Jan 1998 15:07:48 -0800 (PST)
Received: from vulcan.achq.dnd.ca ([205.200.255.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id PAA07448 for ; Fri, 2 Jan 1998 15:07:41 -0800 (PST)
Received: by vulcan.achq.dnd.ca; (5.65v3.2/1.3/10May95) id AA03205; Fri, 2 Jan 1998 17:10:31 -0600
Message-Id: <34AD73E7.DF4A5A0F@vulcan.achq.dnd.ca>
Date: Fri, 02 Jan 1998 17:10:34 -0600
Received: from [205.200.255.102] by vulcan (smtpxd); id XA03202
From: Rob Janzen
Reply-To: rob@vulcan.achq.dnd.ca
Organization: 17 Wing Winnipeg
X-Mailer: Mozilla 4.03 [en] (Win95; I)
Mime-Version: 1.0
To: firewalls@greatcircle.com
Subject: TACAS+ Authentication
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Good morning:

I currently have a system running CiscoSecure 1.x to provide tacas+ authentication for dial-in users.

The system running it is using SunOS 4.1.4. To reduce the numbers of versions of UNIX that I need to maintain, I would like to upgrade the server to Solaris. I have two questions:

Will CiscoSecure 1.x run under Solaris?
If not, can anyone recommend a good freeware replacement that will?

(Our budget is tight enough that avoiding paying for an upgrade is a *good thing*....)

Thanks.
Rob Janzen

From firewalls-owner Fri Jan 2 17:44:39 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id RAA16806; Fri, 2 Jan 1998 17:29:42 -0800 (PST)
Received: from gatekeeper.bh.org (gatekeeper.bh.org [204.68.182.1]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id RAA16799 for ; Fri, 2 Jan 1998 17:29:37 -0800 (PST)
Received: from bh.org (bhhome.bh.org [204.68.182.2]) by gatekeeper.bh.org (8.8.8/8.8.5) with ESMTP id UAA13649; Fri, 2 Jan 1998 20:27:57 -0500
Message-ID: <34AD9480.A6B46B48@bh.org>
Date: Fri, 02 Jan 1998 20:29:36 -0500
From: Bill Heiser
X-Mailer: Mozilla 4.04 [en] (WinNT; U)
MIME-Version: 1.0
To: Sergio Bollini
CC: "fw-1-mailinglist@us.checkpoint.com" , "firewalls@greatcircle.com"
Subject: Re: [FW1] fw-1 asmtpd banner
References: <34AD01AF.97E7A701@lightech.com.ar>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Sergio Bollini wrote:
> Just a little question: does anybody know how to modify the fw-1 smtp
> server's banner? I think it isn't a good idea to advertise that you are
> using a firewall (not to mention product and version).

I second this request - the SMTP Security Server should definitely not advertise what it is ...

From firewalls-owner Fri Jan 2 18:59:51 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id SAA23882; Fri, 2 Jan 1998 18:55:39 -0800 (PST)
Received: from lint.cisco.com (lint.cisco.com [171.68.223.44]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id SAA23875 for ; Fri, 2 Jan 1998 18:55:34 -0800 (PST)
Received: from lint.cisco.com (rfarnswo-isdn2.cisco.com [171.68.22.43]) by lint.cisco.com (8.8.5/CISCO.SERVER.1.2) with ESMTP id SAA23336; Fri, 2 Jan 1998 18:55:03 -0800 (PST)
Message-ID: <34ADA873.A5D3427F@lint.cisco.com>
Date: Fri, 02 Jan 1998 18:54:44 -0800
From: "Roger W.
Farnsworth" Reply-To: rfarnswo@cisco.com Organization: Cisco Systems, Inc. X-Mailer: Mozilla 4.04 [en] (Win95; U) MIME-Version: 1.0 To: rob@vulcan.achq.dnd.ca CC: firewalls@greatcircle.com Subject: Re: TACAS+ Authentication References: <34AD73E7.DF4A5A0F@vulcan.achq.dnd.ca> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Rob, Cisco's main AAA servers are commercially supported products for Solaris and Windows NT. Cisco Secure ACS is the family name. We provide support and regular maintenance releases for these products. We also charge for them. With that said, there are freeware reference implementations of TACACS+ available via anonymous ftp from Cisco. ftp://ftp-eng/pub/tacacs+/ These software downloads are provided for the convenience of software developers looking to code their own T+ servers and or applications. Cisco provides this software as-is, without warranty or support, for those that have a need for it. The latest version (including docs) is available at: ftp://ftp-eng/pub/tacacs+/tac_plus.F4.0.1.alpha.tar.Z If you would like to download the reference implementation and compile it for Solaris, feel free. But you will be on your own for support outside the included documentation. If you don't have the budget for a supported copy of Cisco Secure, but do have the budget to do your own compiling, troubleshooting, and bug fixes, then this is probably the right way to go. Personally, I'd rather pay for the program and let Cisco take the abuse. ;-) Cheers, R. Rob Janzen wrote: > > Good morning: > > I curently have a systems running CiscoSecure 1.x to provide tacas+ > authentication for dial-in users. > > The system running it is using SunOS 4.1.4. To reduce the numbers of > versions of UNIX that I need to maintain, I would like to upgrade the > server to Solaris. I have two questions: > > Will CiscoSecure 1.x run under Solaris? 
> If not, can anyone recommend a good freeware replacement that will? > > (Our budget is tight enough that avoiding paying for an upgrade is a > *good thing*....) > > Thanks. > > Rob Janzen -- Roger W. Farnsworth Manager, Cisco Security Solutions From firewalls-owner Fri Jan 2 21:14:30 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id UAA03099; Fri, 2 Jan 1998 20:59:44 -0800 (PST) Received: from davinci.netaxis.COM (davinci.netaxis.com [198.69.103.4]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id UAA03091 for ; Fri, 2 Jan 1998 20:59:39 -0800 (PST) From: ME22g701Q@worktow1est.com Received: from Z9R84HG6q (jac-fl3-13.ix.netcom.com [204.31.245.109]) by davinci.netaxis.COM (8.8.8/8.7.3) with SMTP id XAA13560; Fri, 2 Jan 1998 23:44:00 -0500 (EST) DATE: 01 Jan 98 11:59:53 PM Message-ID: <052aM05d4tWmmp7KunH> TO: eduacation@children423.net SUBJECT: Give Your Child "One of the Best Children's Videos"" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk The holidays are upon us. If you're like a lot of people, you struggle to find gifts for your children that will entertain and amuse them at the same time. Well, here's a gift that will delight your child - A Is For Airplane! "A Is For Airplane" is the award-winning educational video that shows kids all the fun and teamwork involved in running an airline. "A Is For Airplane" gets viewers behind the scenes at the airport! Kids get to see: * The ticket counter! * Inside the baggage system! * On the ramp with the baggage loaders and fuelers! * In the catering kitchens! * Inside the control tower! * In the hangar with the mechanics! * At the boarding gate! * And even in the COCKPIT of a real Boeing 757! Parenting Magazine calls "A Is For Airplane" "One of the Best Videos of 1996!" It's also Approved by the Parent's Choice Foundation! 
Thousands of copies of "A Is For Airplane" have been sold for $14.95, but as an Internet Special this holiday season you can get "A Is For Airplane" for only $11.95 (plus shipping and handling.) ORDER TODAY FOR GUARANTEED HOLIDAY DELIVERY! You can order "A Is For Airplane" by calling our toll-free number - 800-250-4210. If you'd like more information, visit our Website at www.ppmm.com/jfp/jfp1297.htm or CLICK HERE! Thank you for your time... Johnson Family Productions Madison, WI From firewalls-owner Fri Jan 2 21:59:46 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id VAA09298; Fri, 2 Jan 1998 21:52:35 -0800 (PST) Received: from ns.telegroup.com (ns.telegroup.com [208.219.0.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id VAA09291 for ; Fri, 2 Jan 1998 21:52:29 -0800 (PST) Received: from telegroup.com ([208.219.1.30]) by ns.telegroup.com (8.8.5/8.8.5) with SMTP id XAA12345 for ; Fri, 2 Jan 1998 23:48:38 -0600 (CST) Received: from radius.telegroup.com (radius.telegroup.com [10.1.2.10]) by telegroup.com (8.8.5/8.8.5) with ESMTP id XAA19679 for ; Fri, 2 Jan 1998 23:52:10 -0600 (CST) Received: from mandrake.telegroup.com (macke@[208.219.1.177]) by radius.telegroup.com (8.8.5/8.8.3) with SMTP id XAA27619 for ; Fri, 2 Jan 1998 23:52:10 -0600 (CST) Date: Fri, 2 Jan 1998 23:52:09 -0600 (CST) From: Brian Macke Reply-To: bmacke@telegroup.com To: firewalls@greatcircle.com Subject: Re: Give Your Child "One of the Best Children's Videos"" In-Reply-To: <052aM05d4tWmmp7KunH> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On 1 Jan 1998 ME22g701Q@worktow1est.com wrote: > [ More advertising drivel ] > * The ticket counter! > * Inside the baggage system! > * On the ramp with the baggage loaders and fuelers! > * In the catering kitchens! > * Inside the control tower! > * In the hangar with the mechanics! > * At the boarding gate! 
> * And even in the COCKPIT of a real Boeing 757! What? No grisly images of a bust/shakedown of someone attempting to smuggle drugs through an airport? What better message for little kiddies than showing what will happen if you're not smart and hide your drugs the right way.... > Parenting Magazine calls "A Is For Airplane" "One of the Best Videos of > 1996!" It's also Approved by the Parent's Choice Foundation! ....and the Firewalls Mailing list calls this "S is for SPAM and L is for lawsuit." > Thousands of copies of "A Is For Airplane" have been sold for $14.95, but as > an Internet Special this holiday season you can get "A Is For Airplane" for > only $11.95 (plus shipping and handling.) ORDER TODAY FOR GUARANTEED HOLIDAY > DELIVERY! Well, whoopie! That'll get me outta my Dilbertesque cave and talk to humans for the first time in years... > or CLICK HERE! WHERE? WHERE? I keep clicking and nothing happens?!?! Is this a VIRUS? Do I need the Quickmail Upgrade so I can click on things and make things magically happen??? The Help Desk is busy... HELP ME! -Brian James Macke macke@telegroup.com Unix SysAdmin/Security Specialist Telegroup, Inc. "In order to get that which you wish for, you must first get that which builds it." 
-- Unknown From firewalls-owner Sat Jan 3 00:44:26 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id AAA18672; Sat, 3 Jan 1998 00:29:27 -0800 (PST) Received: from do.nachtwacht.nl (pino.demon.nl [194.159.226.41]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id AAA18662 for ; Sat, 3 Jan 1998 00:29:21 -0800 (PST) Received: from localhost (arjan@localhost) by do.nachtwacht.nl (8.8.4/8.8.4) with SMTP id KAA00543; Sat, 3 Jan 1998 10:29:29 +0100 Date: Sat, 3 Jan 1998 10:29:29 +0100 (MET) From: Arjan Vos To: Gregory Perry cc: Frank Willoughby , James Terry , firewalls@greatcircle.com Subject: Re: firewall audit service referral In-Reply-To: <3.0.5.32.19980102102426.007d13c0@lambic> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 2 Jan 1998, Gregory Perry wrote: > >CAUTION: > >Beware of any organizations which will perform a remote firewall > >penetration test. > >This is an inherently dangerous practice which has the potential of leading > >hackers > >to their next victims. > > > >Best Regards, > > > > > >Frank > > I don't guess I understand what you are getting at, remote penetration > testing is an absolute necessity for any type of Internet related security > audit - which would you rather happen, have an outside firm discover flaws > in your Internet connected network, or have a hacker find and exploit the > flaw(s) instead? > Some months ago, there has been some discussions on this list about the dangers - and pros and cons so to say - of doing remote penetration tests. Frank did make some good points for *not* doing remote penetration tests, though I think his points are not a reason enough for skipping these tests. They do however bring forward the requirements of care that should be taken when doing remote tests. 
And unfortunately it is true that some companies who do penetation testing do not take enough care - maybe then it is better not to perform remote penetration tests. Check out the archives, because the discussion was very interesting... Gr. Arjan -- Eat hard Sleep hard Wear glasses if you need them From firewalls-owner Sat Jan 3 04:14:26 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id EAA02881; Sat, 3 Jan 1998 04:01:06 -0800 (PST) Received: from relay.kacst.edu.sa (ns1.kacst.edu.sa [198.77.88.3]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id EAA02874 for ; Sat, 3 Jan 1998 04:00:59 -0800 (PST) Received: from ns1.kfupm.edu.sa ([198.77.102.26]) by relay.kacst.edu.sa (8.7.5/8.7.3) with ESMTP id OAA21000 for ; Sat, 3 Jan 1998 14:55:35 -0300 (GMT) Received: from dpc107.dpc.kfupm.edu.sa ([196.15.32.8]) by ns1.kfupm.edu.sa (8.7.5/8.7.3) with ESMTP id OAA45704 for ; Sat, 3 Jan 1998 14:54:06 +0300 Received: (from s961807@localhost) by dpc107.dpc.kfupm.edu.sa (8.7.5/8.7.3) id OAA101299; Sat, 3 Jan 1998 14:56:43 +0300 Date: Sat, 3 Jan 1998 14:56:42 +0300 (SAUST) From: zaki al-halal To: Firewalls@GreatCircle.COM Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk From firewalls-owner Sat Jan 3 06:29:30 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA11981; Sat, 3 Jan 1998 06:26:35 -0800 (PST) Received: from alpha2000.tech-comm.com ([209.149.125.3]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id GAA11945 for ; Sat, 3 Jan 1998 06:26:25 -0800 (PST) Received: by alpha2000.tech-comm.com; (8.8.5/1.1.8.2/05Jun95-1217PM) id IAA22263; Sat, 3 Jan 1998 08:20:20 -0600 (CST) Date: Sat, 3 Jan 1998 08:20:20 -0600 (CST) From: Dick Brooks Message-Id: <199801031420.IAA22263@alpha2000.tech-comm.com> To: rfarnswo@cisco.com, rob@vulcan.achq.dnd.ca Subject: Re: TACAS+ Authentication Cc: 
firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Roger wrote: >The latest version (including docs) is available at: >ftp://ftp-eng/pub/tacacs+/tac_plus.F4.0.1.alpha.tar.Z I just tried to download the above and received an error: ftp> get pub/tacacs+/tac_plus.F4.0.1.alpha.tar.Z local: pub/tacacs+/tac_plus.F4.0.1.alpha.tar.Z: No such file or directory Dick Brooks dick@8760.com Chief Technical Officer Tel. 205-250-8053 Group 8760 LLC WWW URL: http://www.8760.com/ SECURE ELECTRONIC COMMERCE SOLUTIONS FOR HEALTHCARE AND NATURAL GAS INDUSTRIES From firewalls-owner Sat Jan 3 09:29:35 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA20127; Sat, 3 Jan 1998 09:17:06 -0800 (PST) Received: from lint.cisco.com (lint.cisco.com [171.68.223.44]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id JAA20120 for ; Sat, 3 Jan 1998 09:17:02 -0800 (PST) Received: from rfarnswo-pc.cisco.com (rfarnswo-isdn2.cisco.com [171.68.22.43]) by lint.cisco.com (8.8.5/CISCO.SERVER.1.2) with SMTP id JAA18506; Sat, 3 Jan 1998 09:16:17 -0800 (PST) Message-Id: <3.0.3.32.19980103091340.008954d0@lint.cisco.com> X-Sender: rfarnswo@lint.cisco.com X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Sat, 03 Jan 1998 09:13:40 -0800 To: Dick Brooks , rob@vulcan.achq.dnd.ca From: "Roger W. Farnsworth" Subject: Re: TACACS+ Authentication Cc: firewalls@greatcircle.com In-Reply-To: <199801031420.IAA22263@alpha2000.tech-comm.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Let me check. R. 
At 08:20 AM 1/3/98 -0600, Dick Brooks wrote: >Roger wrote: > >>The latest version (including docs) is available at: > >>ftp://ftp-eng/pub/tacacs+/tac_plus.F4.0.1.alpha.tar.Z > >I just tried to donload the above and recevied an error: > >ftp> get pub/tacacs+/tac_plus.F4.0.1.alpha.tar.Z >local: pub/tacacs+/tac_plus.F4.0.1.alpha.tar.Z: No such file or directory > > >Dick Brooks dick@8760.com >Chief Technical Officer Tel. 205-250-8053 >Group 8760 LLC WWW URL: http://www.8760.com/ >SECURE ELECTRONIC COMMERCE SOLUTIONS FOR HEALTHCARE AND NATURAL GAS INDUSTRIES > > From firewalls-owner Sat Jan 3 09:44:27 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA21409; Sat, 3 Jan 1998 09:37:07 -0800 (PST) Received: from lint.cisco.com (lint.cisco.com [171.68.223.44]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id JAA21385 for ; Sat, 3 Jan 1998 09:37:00 -0800 (PST) Received: from rfarnswo-pc.cisco.com (rfarnswo-isdn2.cisco.com [171.68.22.43]) by lint.cisco.com (8.8.5/CISCO.SERVER.1.2) with SMTP id JAA23618 for ; Sat, 3 Jan 1998 09:36:48 -0800 (PST) Message-Id: <3.0.3.32.19980103093623.008935e0@lint.cisco.com> X-Sender: rfarnswo@lint.cisco.com X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Sat, 03 Jan 1998 09:36:23 -0800 To: firewalls@greatcircle.com From: "Roger W. Farnsworth" Subject: Re: TACACS+ Authentication Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Dick, I'm puzzled. I just downloaded the file with no problems. 9:22a PST. I got it while connected with Netscape and again with my ftp client. I can't imagine what the problem might be. If you keep having problems, please contact me directly and we'll try to sort it out. R. 
At 08:20 AM 1/3/98 -0600, Dick Brooks wrote: >Roger wrote: > >>The latest version (including docs) is available at: > >>ftp://ftp-eng/pub/tacacs+/tac_plus.F4.0.1.alpha.tar.Z > >I just tried to donload the above and recevied an error: > >ftp> get pub/tacacs+/tac_plus.F4.0.1.alpha.tar.Z >local: pub/tacacs+/tac_plus.F4.0.1.alpha.tar.Z: No such file or directory > > >Dick Brooks dick@8760.com >Chief Technical Officer Tel. 205-250-8053 >Group 8760 LLC WWW URL: http://www.8760.com/ >SECURE ELECTRONIC COMMERCE SOLUTIONS FOR HEALTHCARE AND NATURAL GAS INDUSTRIES > > From firewalls-owner Sat Jan 3 11:28:19 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA01286; Sat, 3 Jan 1998 11:08:28 -0800 (PST) Received: from mail.matav.hu (castor.matav.net [145.236.224.250]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id LAA01271 for ; Sat, 3 Jan 1998 11:08:17 -0800 (PST) Received: (qmail 26215 invoked from network); 3 Jan 1998 20:08:05 +0100 Received: from line-208-135.dial.matav.net (HELO default) (145.236.208.135) by mail.matav.hu with SMTP; 3 Jan 1998 20:08:05 +0100 Reply-To: "Takacs Istvan" From: "Takacs Istvan" To: Subject: Re: Re: Intrusion Detection - Switched Network Date: Sat, 3 Jan 1998 20:06:54 +0100 Message-ID: <01bd187a$c1752ac0$LocalHost@default> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-2" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.71.1712.3 X-MimeOLE: Produced By Microsoft MimeOLE V4.71.1712.3 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, > It has to be in the hub if you want to do network based IDS on fully > switched networks. The IDS has to live somewhere on the data path. Could you offer me a product, which has that kind of security feature? Regards. Istvan Takacs mailto:anonymus@mail.matav.hu p.s.: Happy New Year! 
From firewalls-owner Sat Jan 3 11:29:21 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA01285; Sat, 3 Jan 1998 11:08:25 -0800 (PST) Received: from mail.matav.hu (castor.matav.net [145.236.224.250]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id LAA01272 for ; Sat, 3 Jan 1998 11:08:17 -0800 (PST) Received: (qmail 26184 invoked from network); 3 Jan 1998 20:08:00 +0100 Received: from line-208-135.dial.matav.net (HELO default) (145.236.208.135) by mail.matav.hu with SMTP; 3 Jan 1998 20:08:00 +0100 Reply-To: "Takacs Istvan" From: "Takacs Istvan" To: Subject: Any document about cracker's technic? Date: Sat, 3 Jan 1998 19:55:51 +0100 Message-ID: <01bd1879$3656a780$LocalHost@default> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-2" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.71.1712.3 X-MimeOLE: Produced By Microsoft MimeOLE V4.71.1712.3 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, Could you offer me some good links, books, videos or any kind of documents about crackers' techniques? You always talk about the IDS, and how they work. But I'd like to know what I have to look for in my company's network. We just started to use the commercial side of the Internet and for this reason I think we have to prepare for crackers' attacks. I don't ask for an exact description, just for how they try to break into the internal network. Thank you! Regards. Istvan Takacs mailto:anonymus@mail.matav.hu p.s.: Please, write to my own address, too. Thanks. 
From firewalls-owner Sat Jan 3 14:59:27 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA16629; Sat, 3 Jan 1998 14:46:48 -0800 (PST) Received: from brussels.cisco.com (brussels.cisco.com [171.68.129.238]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id OAA16622 for ; Sat, 3 Jan 1998 14:46:42 -0800 (PST) Received: from evyncke-pc.cisco.com (evyncke-isdn-home.cisco.com [171.68.148.198]) by brussels.cisco.com (8.8.5/8.8.5) with SMTP id XAA06477; Sat, 3 Jan 1998 23:44:32 +0100 (MET) Message-Id: <3.0.5.32.19980103234333.00926a10@brussels.cisco.com> X-Sender: evyncke@brussels.cisco.com X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Sat, 03 Jan 1998 23:43:33 +0100 To: "Roger W. Farnsworth" , firewalls@GreatCircle.COM From: Eric Vyncke Subject: Re: TACACS+ Authentication Cc: dick@8760.com In-Reply-To: <3.0.3.32.19980103093623.008935e0@lint.cisco.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Dick, I have just done it as well from outside Cisco (so there is no protection involved), be sure to use ftp://ftp-eng.cisco.com/pub/tacacs+/tac_plus.F4.0.1.alpha.tar.Z with the cisco.com that Roger forgot ;-) Best regards -eric At 09:36 3/01/98 -0800, Roger W. Farnsworth wrote: >Dick, > >I'm puzzled. I just downloaded the file with no problems. 9:22a PST. I >got it while connected with Netscape and again with my ftp client. I can't >imagine what the problem might be. If you keep having problems, please >contact me directly and we'll try to sort it out. > >R. 
> >At 08:20 AM 1/3/98 -0600, Dick Brooks wrote: >>Roger wrote: >> >>>The latest version (including docs) is available at: >> >>>ftp://ftp-eng/pub/tacacs+/tac_plus.F4.0.1.alpha.tar.Z >> >>I just tried to donload the above and recevied an error: >> >>ftp> get pub/tacacs+/tac_plus.F4.0.1.alpha.tar.Z >>local: pub/tacacs+/tac_plus.F4.0.1.alpha.tar.Z: No such file or directory >> >> >>Dick Brooks dick@8760.com >>Chief Technical Officer Tel. 205-250-8053 >>Group 8760 LLC WWW URL: http://www.8760.com/ >>SECURE ELECTRONIC COMMERCE SOLUTIONS FOR HEALTHCARE AND NATURAL GAS >INDUSTRIES >> >> > Eric Vyncke Technical Consultant Cisco Systems Belgium SA/NV Phone: +32-2-778.4677 Fax: +32-2-778.4300 E-mail: evyncke@cisco.com Mobile: +32-75-312.458 From firewalls-owner Sat Jan 3 17:14:31 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id RAA26380; Sat, 3 Jan 1998 17:03:11 -0800 (PST) Received: from alpha2000.tech-comm.com ([209.149.125.3]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id RAA26373 for ; Sat, 3 Jan 1998 17:03:07 -0800 (PST) Received: by alpha2000.tech-comm.com; (8.8.5/1.1.8.2/05Jun95-1217PM) id SAA23375; Sat, 3 Jan 1998 18:56:58 -0600 (CST) Date: Sat, 3 Jan 1998 18:56:58 -0600 (CST) From: Dick Brooks Message-Id: <199801040056.SAA23375@alpha2000.tech-comm.com> To: evyncke@cisco.com, firewalls@GreatCircle.COM, rfarnswo@cisco.com Subject: Re: TACACS+ Authentication Cc: dick@8760.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Thanks. 
From firewalls-owner Sat Jan 3 20:14:51 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id UAA09006; Sat, 3 Jan 1998 20:00:23 -0800 (PST) Received: from peyote.coast.net (peyote.coast.net [206.84.176.169]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id UAA08979; Sat, 3 Jan 1998 20:00:14 -0800 (PST) Received: from peyote.coast.net (kimminau@peyote.coast.net [206.84.176.169]) by peyote.coast.net (8.8.7/8.8.7) with SMTP id WAA27686; Sat, 3 Jan 1998 22:59:38 -0500 Date: Sat, 3 Jan 1998 22:59:38 -0500 (EST) From: Eric Kimminau To: Firewalls@GreatCircle.COM cc: firewalls-digest@GreatCircle.COM, V.Vergotis@asyk.ase.gr Subject: Re: Firewalls-Digest V7 #3 In-Reply-To: <199801030901.BAA21198@honor.greatcircle.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Sat, 3 Jan 1998, Firewalls-Digest wrote: > Date: Fri, 2 Jan 1998 13:35:57 +0200 > From: Vasilis Vergotis > Subject: DNS and Mail setup via firewall > > Hello to everybody and happy new year! Happy New Year! > The external mail server receives the mail for the zone company.gr and > it forwards it to the internal mail server via SMTP. The external DNS > server knows nothing about the internal. > > Internally the DNS server is knows only the zone internal.company.gr for this is a problem unless you have DNS set up correctly with MV records for company.gr which forwards to the external mail server which would then forward to user@internal.company.gr. A much simpler solution would be to MX mail.company.gr to mail.internal.company.gr on the internal DNS server. > whitch he is primary and for the things he does not know he asks the > external DNS server. The internal mail server receives the mail for the > zone internal.company.gr as well as the mail for the zone company.gr > that the external mail server forwards. 
so as far as everyone inside the company is concerned, the internal mail server IS company.gr. You should also be looking in the sendmail book concerning CW records. Hope that helps. Eric. ============================================================================= "I am the downhill tumble and roll champ, king of the toad finders, captain of the high altitude tree branch vista club, second place finisher in the round the yard backward dash, premier burper state division, sodbuster and worm scout first order, and generalissimo of the mud and mayhem society." Calvin, 1995 Eric Kimminau kimminau@coast.net From firewalls-owner Sun Jan 4 01:59:29 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id BAA03873; Sun, 4 Jan 1998 01:51:18 -0800 (PST) Received: from xanadu.io.com (xanadu.io.com [199.170.88.6]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id BAA03779 for ; Sun, 4 Jan 1998 01:50:59 -0800 (PST) Received: from localhost (cooper@localhost) by xanadu.io.com (8.8.5/8.8.5) with SMTP id DAA18322; Sun, 4 Jan 1998 03:50:46 -0600 (CST) X-Authentication-Warning: xanadu.io.com: cooper owned process doing -bs Date: Sun, 4 Jan 1998 03:50:46 -0600 (CST) From: William Cooper To: Takacs Istvan cc: Firewalls@GreatCircle.COM Subject: Re: Any document about cracker's technic? In-Reply-To: <01bd1879$3656a780$LocalHost@default> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk www.rootshell.com is a good place for exploits used to break/break into systems. for a million others just do a web search! - bill On Sat, 3 Jan 1998, Takacs Istvan wrote: > Hi, > > Could you offer me some good links, books, videos > or any kind of documents about the crackers technics? > > You always talk about the IDS, and how they work. > But I'd like to know what I have to look for in my company's > network. 
> We just started to use the commercial side of the Internet and for this > reason I think we have to prepare for crackers' attacks. > > I don't ask for an exact description, just for how they try to > break into the internal network. > > Thank you! > > Regards. > > Istvan Takacs > mailto:anonymus@mail.matav.hu > > p.s.: Please, write to my own address, too. Thanks. > - bill cooper@io.com From firewalls-owner Sun Jan 4 08:00:29 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA19625; Sun, 4 Jan 1998 07:47:26 -0800 (PST) Received: from mail.matav.hu (castor.matav.net [145.236.224.250]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id HAA19618 for ; Sun, 4 Jan 1998 07:47:20 -0800 (PST) Received: (qmail 11569 invoked from network); 4 Jan 1998 16:47:18 +0100 Received: from line-208-102.dial.matav.net (HELO default) (145.236.208.102) by mail.matav.hu with SMTP; 4 Jan 1998 16:47:18 +0100 Reply-To: "Takacs Istvan" From: "Takacs Istvan" To: Subject: Re: Any documents about crackers techniks? Date: Sun, 4 Jan 1998 16:37:39 +0100 Message-ID: <01bd1926$b052a5e0$LocalHost@default> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-2" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.71.1712.3 X-MimeOLE: Produced By Microsoft MimeOLE V4.71.1712.3 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, I'd like to thank everyone who sent me an answer on the topic above! Thank you very much! Regards. 
Istvan Takacs mailto:anonymus@mail.matav.hu From firewalls-owner Sun Jan 4 08:44:37 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA24197; Sun, 4 Jan 1998 08:36:42 -0800 (PST) Received: from www.allensysgroup.com ([205.245.8.5]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id IAA24190 for ; Sun, 4 Jan 1998 08:36:38 -0800 (PST) Received: from bobby ([166.55.57.197]) by www.allensysgroup.com (Post.Office MTA v3.1 release PO205e ID# 0-40603U300L100S0) with ESMTP id AAA131; Sun, 4 Jan 1998 11:35:03 -0500 From: bbrown@allensysgroup.com (Bobby Brown) To: "Takacs Istvan" , Subject: Re: Any documents about crackers techniks? Date: Sun, 4 Jan 1998 11:41:26 -0500 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1155 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-2 Content-Transfer-Encoding: 7bit Message-ID: <19980104163502140.AAA131@bobby> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk With your thanks, how about a summary of your responses that should always be sent back to the list. Bobby ---------- > From: Takacs Istvan > To: firewalls@greatcircle.com > Subject: Re: Any documents about crackers techniks? > Date: Sunday, January 04, 1998 10:37 AM > > Hi, > > I'd like to thanks for everyone, who sent me an answer for the topic > above! > > Thank you very much! > > Regards. 
> > Istvan Takacs > mailto:anonymus@mail.matav.hu From firewalls-owner Sun Jan 4 08:59:30 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA23883; Sun, 4 Jan 1998 08:29:25 -0800 (PST) Received: from mtigwc04.worldnet.att.net (mtigwc04.worldnet.att.net [204.127.131.33]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id IAA23869 for ; Sun, 4 Jan 1998 08:29:20 -0800 (PST) From: mht@clark.net Received: from highlander ([12.68.178.232]) by mtigwc04.worldnet.att.net (post.office MTA v2.0 0613 ) with SMTP id AAA15543 for ; Sun, 4 Jan 1998 16:29:11 +0000 Message-Id: <3.0.3.32.19980104112649.00a21cd0@pop3.clark.net> X-Sender: mht@pop3.clark.net X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Sun, 04 Jan 1998 11:26:49 -0500 To: firewalls@GreatCircle.COM Subject: Has anyone compared SessionWall 3 release 2 to Network Flight Recorder?? In-Reply-To: <01bd1926$b052a5e0$LocalHost@default> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello, Just wondering if anyone out there has compared SessionWall 3 Release 2 versus Network Flight Recorder or similiar products?? /mht -----BEGIN PGP SIGNATURE----- Version: PGP for Personal Privacy 5.0 Charset: noconv iQA/AwUBNK+4SJazO9ALfO1FEQJ50gCeIhEsOQPhkBQgNuXFutjsNyVbYjoAn353 xJe2oM35qExWltqP/CVKhIGE =PqpV -----END PGP SIGNATURE----- ------------------------------------------------------ "GREETINGS PROFESSOR FALKEN." "SHALL WE PLAY A GAME??" 
------------------------------------------------------ From firewalls-owner Sun Jan 4 09:59:41 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA05724; Sun, 4 Jan 1998 09:50:06 -0800 (PST) Received: from smtp1.mailsrvcs.net (smtp1.gte.net [207.115.153.30]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id JAA05712 for ; Sun, 4 Jan 1998 09:50:00 -0800 (PST) Received: from earnhart ([199.180.4.35]) by smtp1.mailsrvcs.net with SMTP id LAA22421; Sun, 4 Jan 1998 11:49:11 -0600 (CST) Message-ID: <007e01bc8b5a$b40e12f0$2304b4c7@earnhart.gte.net> From: "Gregg Earnhart" To: , Subject: Re: Has anyone compared SessionWall 3 release 2 to Network Flight Recorder?? Date: Mon, 7 Jul 1997 23:52:13 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.2106.4 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I have had SessionWall since the first Beta. I have had RealSecure prior to SessionWall. I hate RealSecure! I played with NFR for a week or two and being a GUI guy, I went back to SessionWall. A whole new look in SessionWall is coming out next week!!! Many of the request that I had from Abirnet have been added in (unusual for a company to actually add features that are requested ---ISS). I hope to deploy SessionWall after the first of the year. Gregg Earnhart GTE --------------------------- The views expressed are simply my own and no one else. --------------------------- -----Original Message----- From: mht@clark.net To: firewalls@GreatCircle.COM Date: Sunday, January 04, 1998 12:14 PM Subject: Has anyone compared SessionWall 3 release 2 to Network Flight Recorder?? 
>-----BEGIN PGP SIGNED MESSAGE----- >Hash: SHA1 > >Hello, > >Just wondering if anyone out there has compared SessionWall 3 Release >2 versus Network Flight Recorder or similiar products?? > >/mht >-----BEGIN PGP SIGNATURE----- >Version: PGP for Personal Privacy 5.0 >Charset: noconv > >iQA/AwUBNK+4SJazO9ALfO1FEQJ50gCeIhEsOQPhkBQgNuXFutjsNyVbYjoAn353 >xJe2oM35qExWltqP/CVKhIGE >=PqpV >-----END PGP SIGNATURE----- > >------------------------------------------------------ >"GREETINGS PROFESSOR FALKEN." > "SHALL WE PLAY A GAME??" >------------------------------------------------------ > From firewalls-owner Sun Jan 4 10:44:27 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA08586; Sun, 4 Jan 1998 10:38:10 -0800 (PST) Received: from mtigwc04.worldnet.att.net (mtigwc04.worldnet.att.net [204.127.131.33]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id KAA08551 for ; Sun, 4 Jan 1998 10:38:01 -0800 (PST) From: mht@clark.net Received: from highlander ([12.68.178.232]) by mtigwc04.worldnet.att.net (post.office MTA v2.0 0613 ) with SMTP id AAA26242; Sun, 4 Jan 1998 18:37:51 +0000 Message-Id: <3.0.3.32.19980104133527.00a38d40@pop3.clark.net> X-Sender: mht@pop3.clark.net X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Sun, 04 Jan 1998 13:35:27 -0500 To: "Gregg Earnhart" , Subject: Re: SessionWall 3 release 2 vs Network Flight Recorder?? In-Reply-To: <007e01bc8b5a$b40e12f0$2304b4c7@earnhart.gte.net> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Gregg, At 11:52 PM 7/7/97 -0500, Gregg Earnhart wrote: >I have had SessionWall since the first Beta. I have had RealSecure prior to >SessionWall. I just received Session Wall Release 2, and I saw some significant changes but not enough changes to allow myself to use a product that ships with no real documentation.. 
:( I still have a problem with their license agreement which cannot be printed out from their installation script. I hate RealSecure! Yes, I tend to agree with you on that. RealSecure is a very powerful tool, but it requires a clear understanding in what options you choose in a particular environment when using it.. I played with NFR for a week or two and >being a GUI guy, I went back to SessionWall. A whole new look in >SessionWall is coming out next week!!! Overall, I wish one of the local trades magazines would initiate a Consumer Report comparison of the current IDS tools or "clue- gathering tools" available and new ones that are emerging... (HINT, HINT) /mht Many of the request that I had from >Abirnet have been added in (unusual for a company to actually add features >that are requested ---ISS). I hope to deploy SessionWall after the first of >the year. > >Gregg Earnhart >GTE > >--------------------------- >The views expressed are simply my own and no one else. >--------------------------- >-----Original Message----- >From: mht@clark.net >To: firewalls@GreatCircle.COM >Date: Sunday, January 04, 1998 12:14 PM >Subject: Has anyone compared SessionWall 3 release 2 to Network Flight >Recorder?? > > >>-----BEGIN PGP SIGNED MESSAGE----- >>Hash: SHA1 >> >>Hello, >> >>Just wondering if anyone out there has compared SessionWall 3 Release >>2 versus Network Flight Recorder or similiar products?? >> >>/mht >>-----BEGIN PGP SIGNATURE----- >>Version: PGP for Personal Privacy 5.0 >>Charset: noconv >> >>iQA/AwUBNK+4SJazO9ALfO1FEQJ50gCeIhEsOQPhkBQgNuXFutjsNyVbYjoAn353 >>xJe2oM35qExWltqP/CVKhIGE >>=PqpV >>-----END PGP SIGNATURE----- >> >>------------------------------------------------------ >>"GREETINGS PROFESSOR FALKEN." >> "SHALL WE PLAY A GAME??" 
>>------------------------------------------------------ >> > > -----BEGIN PGP SIGNATURE----- Version: PGP for Personal Privacy 5.0 Charset: noconv iQA/AwUBNK/WbZazO9ALfO1FEQLqngCdG29jn+TChYlWGqv+bpWHooWJgnAAoLlW 9Nsz8YbouSuIxIepwiGNyU/F =WvLa -----END PGP SIGNATURE----- From firewalls-owner Sun Jan 4 12:14:43 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA18814; Sun, 4 Jan 1998 12:04:48 -0800 (PST) Received: from jurua.dcc.fua.br (jurua.dcc.fua.br [200.17.49.14]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id MAA18776 for ; Sun, 4 Jan 1998 12:04:35 -0800 (PST) Received: from taruman.dcc.fua.br (taruman [200.17.49.19]) by jurua.dcc.fua.br (8.8.5/8.8.4) with ESMTP id UAA17064 for ; Sun, 4 Jan 1998 20:04:00 GMT Received: (from ebm@localhost) by taruman.dcc.fua.br (8.8.5/8.8.4) id OAA17268 for Firewalls@GreatCircle.COM; Sun, 4 Jan 1998 14:59:15 -0400 Date: Sun, 4 Jan 1998 14:59:15 -0400 From: Edierley Batista Messias Message-Id: <199801041859.OAA17268@taruman.dcc.fua.br> To: Firewalls@GreatCircle.COM Subject: Service in Port 1049 Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-MD5: 8tn+H3r7opkBssNMBwe62A== Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi everybody. Does somebody know of some service that runs on port 1049? Thanks. 
Edierley Messias ebm@dcc.fua.br From firewalls-owner Sun Jan 4 13:29:28 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA25886; Sun, 4 Jan 1998 13:22:22 -0800 (PST) Received: from alpha2000.tech-comm.com ([209.149.125.3]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id NAA25869 for ; Sun, 4 Jan 1998 13:22:14 -0800 (PST) Received: by alpha2000.tech-comm.com; (8.8.5/1.1.8.2/05Jun95-1217PM) id PAA24851; Sun, 4 Jan 1998 15:16:02 -0600 (CST) Date: Sun, 4 Jan 1998 15:16:02 -0600 (CST) From: Dick Brooks Message-Id: <199801042116.PAA24851@alpha2000.tech-comm.com> To: anonymus@mail.matav.hu, bbrown@allensysgroup.com, firewalls@greatcircle.com Subject: Re: Any documents about crackers techniks? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Bobby writes: >With your thanks, how about a summary of your responses >that should always be sent back to the list. >Bobby Good point. The solution required two things: Use the FQDN ftp-eng.cisco.com to access the host, the original post only contained ftp-eng. Remove the + from tacacs+ (i.e. tacacs). 
Dick Brooks From firewalls-owner Sun Jan 4 13:44:39 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA26389; Sun, 4 Jan 1998 13:31:24 -0800 (PST) Received: from imo18.mx.aol.com (imo18.mx.aol.com [198.81.19.175]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id NAA26380 for ; Sun, 4 Jan 1998 13:31:15 -0800 (PST) From: Kf4aejmatt Message-ID: Date: Sun, 4 Jan 1998 16:18:22 EST To: firewalls@GreatCircle.COM Subject: scientific atlanta 8590,8600 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7bit Organization: AOL (http://www.aol.com) X-Mailer: Inet_Mail_Out (IMOv11) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk i have a 8590 and a 8600 and i like to find the by-pass chip for one of them please call me or e-mail me back or send the information to Matt Arnold 50 lee rd 225 smiths,al 36877 334-298-2939 From firewalls-owner Sun Jan 4 15:14:28 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA06196; Sun, 4 Jan 1998 15:11:02 -0800 (PST) Received: from mail-syd.atinet.com.au (atinet.com.au [203.35.110.3]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id PAA06139 for ; Sun, 4 Jan 1998 15:10:37 -0800 (PST) Received: from ppp-101.atinet.com.au (ppp-101.atinet.com.au [203.35.110.101]) by mail-syd.atinet.com.au (NTMail 3.02.13) with ESMTP id va025267 for ; Mon, 5 Jan 1998 10:09:50 +1100 Received: from beethoven (beethoven.winspace.net [192.168.0.2]) by mozart.winspace.net (8.8.8/8.7.3) with SMTP id KAA06431; Mon, 5 Jan 1998 10:10:30 +1100 X-Fubar: winspace@atinet.com.au From: "Norman Widders" Date: Mon, 5 Jan 1998 10:10:52 +1000 (GMT) Subject: Hardware for seperating LAN from dialouts To: Reply-To: Organization: Paladin Corporation Message-Id: X-Mailer: Paladin IMAP4 Client v2.33 Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Content-Transfer-Encoding: 7BIT Content-ID: X-Info: All Things Internet POP3 Server Sender: 
firewalls-owner@GreatCircle.COM Precedence: bulk Just wondered if anybody has used those hardware devices that disable LAN connections while a modem dials out to the Internet. It detects when the modem is active thus severing the link to the LAN physically and reconnects the LAN once the modem has disconnected from the LAN. The device is connected to both the modem and LAN and sounds good in theory and I am just wondering what other peoples experience with these are, at $85 it is an ideal solution for small organisations that just want to poll their ISP a few times a day for email. -- Wheres my valium ? From firewalls-owner Sun Jan 4 17:44:28 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id RAA20776; Sun, 4 Jan 1998 17:34:43 -0800 (PST) Received: from sophia.pacific.net.sg (sophia.pacific.net.sg [203.120.90.81]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id RAA20769 for ; Sun, 4 Jan 1998 17:34:38 -0800 (PST) Received: from pop1.pacific.net.sg (pop1.pacific.net.sg [203.120.90.85]) by sophia.pacific.net.sg with ESMTP id JAA25767 for ; Mon, 5 Jan 1998 09:35:13 +0800 (SGT) Received: from benmgmt.sin-co.sg.dhl.com ([199.40.38.112]) by pop1.pacific.net.sg with ESMTP id JAA05408 for ; Mon, 5 Jan 1998 09:34:37 +0800 (SGT) Message-ID: <34B03918.DB1755B5@sin-co.sg.dhl.com> Date: Mon, 05 Jan 1998 09:36:24 +0800 From: Hardi Ismail - Human Resources Reply-To: hardi@sin-co.sg.dhl.com Organization: DHL International - Singapore Country Office X-Mailer: Mozilla 4.01 [en] (Win95; I) MIME-Version: 1.0 To: FIREWALLS@GreatCircle.COM Subject: (no subject) X-Priority: 3 (Normal) Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk USUBSCRIBE FIREWALLS From firewalls-owner Sun Jan 4 23:15:05 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA12545; Sun, 4 Jan 1998 23:01:45 -0800 (PST) Received: from 
wizard.abirnet.co.il (wizard.abirnet.co.il [194.90.211.10]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id XAA12536 for ; Sun, 4 Jan 1998 23:01:38 -0800 (PST) Received: from hagit1.abirnet.co.il (hagit1.abirnet.co.il [194.90.211.84]) by wizard.abirnet.co.il (8.8.5/8.8.5) with SMTP id JAA18255; Mon, 5 Jan 1998 09:00:39 +0200 From: "Hagit" To: "Edierley Batista Messias" , Subject: Re: Service in Port 1049 Date: Mon, 5 Jan 1998 09:06:05 +0200 Message-ID: <01bd19a8$63b2bc20$54d35ac2@hagit1.abirnet.co.il> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.71.1712.3 X-MimeOLE: Produced By Microsoft MimeOLE V4.71.1712.3 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk No UDP or TCP service on port 1049 is listed in the IANA list. See ftp://ftp.isi.edu/in-notes/iana/assignments/port-numbers Hagit -------------------------------------------------------------------------- AbirNet provides the next generation in Internet and Intranet Protection Get an EVALUATION COPY at --------------------------------------------------------------------------- -----Original Message----- From: Edierley Batista Messias To: Firewalls@GreatCircle.COM Date: Sunday, January 04, 1998 10:45 PM Subject: Service in Port 1049 >Hi everbody. > >Some body know, some service that run in port 1049? > >Thanks. 
> >Edierley Messias >ebm@dcc.fua.br From firewalls-owner Mon Jan 5 00:29:38 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id AAA19237; Mon, 5 Jan 1998 00:15:22 -0800 (PST) Received: from mail-syd.atinet.com.au (atinet.com.au [203.35.110.3]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id AAA19216 for ; Mon, 5 Jan 1998 00:15:04 -0800 (PST) Received: from ppp-122.atinet.com.au (ppp-122.atinet.com.au [203.35.110.122]) by mail-syd.atinet.com.au (NTMail 3.02.13) with ESMTP id sa025368 for ; Mon, 5 Jan 1998 19:14:30 +1100 Received: from beethoven (beethoven.winspace.net [192.168.0.2]) by mozart.winspace.net (8.8.8/8.7.3) with SMTP id TAA07973; Mon, 5 Jan 1998 19:14:59 +1100 From: "Norman Widders" Date: Mon, 5 Jan 1998 18:40:26 +1000 (GMT) Subject: rootshell has a mailing list To: Reply-To: Organization: Paladin Corporation Message-Id: X-Mailer: Paladin IMAP4 Client v2.33 Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Content-Transfer-Encoding: 7BIT Content-ID: X-Info: All Things Internet POP3 Server Sender: firewalls-owner@GreatCircle.COM Precedence: bulk folks, www.rootshell.com has a mailing list, well worth subscribing imho just to keep abreast of current exploits, useful if you like to see what it is that they are using on us... just started on 1/2/1998, ymmv -- wheres my valium ? 
From firewalls-owner Mon Jan 5 00:44:37 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id AAA19449; Mon, 5 Jan 1998 00:23:59 -0800 (PST) Received: from guvnor.blackwell.co.uk (guvnor.blackwell.co.uk [194.130.176.129]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id AAA19442 for ; Mon, 5 Jan 1998 00:23:53 -0800 (PST) Received: from exchange1.blackwell.co.uk by guvnor.blackwell.co.uk (MX V4.2 VAX) with SMTP; Mon, 05 Jan 1998 08:24:52 BST Received: by EXCHANGE1 with Internet Mail Service (5.0.1458.49) id ; Mon, 5 Jan 1998 08:27:09 -0000 Message-ID: <3BFE2589D330D111AE87006008062DE40DB551@pc37.blackwell.co.uk> From: Martin Hepworth To: "'Simon J. Gerraty'" , Pauline van Winsen - Uniq Professional Services CC: firewalls@greatcircle.com Subject: RE: off topic: ssl setup on web server - now browser crypto strength Date: Mon, 5 Jan 1998 08:24:59 -0000 X-Priority: 3 X-Mailer: Internet Mail Service (5.0.1458.49) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > -----Original Message----- > From: Simon J. Gerraty [SMTP:sjg@quick.com.au] > Sent: Thursday, January 01, 1998 1:50 AM > To: Pauline van Winsen - Uniq Professional Services > Cc: firewalls@greatcircle.com > Subject: Re: off topic: ssl setup on web server - now browser > crypto strength > > Pauline van Winsen writes: > >> Of course folk outside the U.S. are stuffed anyway, until a decent > >> non-U.S. based browser (not limited to 40bit RC4) comes along. > >> I don't think there is any interest in any govt anywhere to see > this issue > >> solved to the satisfaction of net users though. > > >has anyone checked out fortify? > > >http://www.geocities.com/Eureka/Plaza/6333/ > > Yes I had a look at it and it works very well. I had no trouble > setting up > 128bit sessions to an apache server. Problem is that whether the > author > wrote this thing outside the U.S. or not, he chose a U.S. based site? 
> as > home for it :-) so we are back to all the shadows of ITAR. > [Martin Hepworth] In that case check out: ftp.ox.ac.uk/pub/crypto/SSL The actual software is based in three locations - two in the UK, one in OZ, so although the 'advert' is in the US the actual download-ables are outside the US........sounds like a gray area in ITAR to me ?-) From firewalls-owner Mon Jan 5 01:31:10 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id BAA28541; Mon, 5 Jan 1998 01:17:11 -0800 (PST) Received: from mail.matav.hu (castor.matav.net [145.236.224.250]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id BAA27885 for ; Mon, 5 Jan 1998 01:15:36 -0800 (PST) Received: (qmail 16289 invoked from network); 5 Jan 1998 10:15:40 +0100 Received: from line-210-27.dial.matav.net (HELO default) (145.236.210.27) by mail.matav.hu with SMTP; 5 Jan 1998 10:15:40 +0100 Reply-To: "Takacs Istvan" From: "Takacs Istvan" To: Subject: Answers for cackers techniks Date: Mon, 5 Jan 1998 10:15:24 +0100 Message-ID: <01bd19ba$74986dc0$LocalHost@default> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-2" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.71.1712.3 X-MimeOLE: Produced By Microsoft MimeOLE V4.71.1712.3 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, Here are the received answers. ================================================================== > Visit the l0pht group www.l0pht.com.. for some information ================================================================== > www.rootshell.com is a good place for exploits used to break/break into > systems. for a million others just do a web search! ================================================================== > There are many ways hackers can get access to your network, and there are new > ways invented everyday. 
> Now, you don't need to know about ALL the ways out there, you need to focus only > of those vulnerabilities of the devices that are connected on your network, > meaning servers, routers, workstation etc. > A good start in protecting your network will be to install all the latest > service packs, hot fixes and patches, and keep looking if new ones come by. This > is usually a free service. > You are already subscribed to the firewalls mailing list where new intrusion > signatures are discussed, so you will get posted. > An Intrusion detection system is highly recommended especially for someone who > just started Internet connection. These systems will monitor the traffic going > on your LAN, you can track WWW sites users are viewing and of course get real > time alerts when someone is doing malicious activity on the net. > After getting to know your net traffic, your next step should be firewall which > you should configure according to all the data you collected using the > monitoring and IDS. ================================================================= > Try "Maximum Security: A Hacker's Guide to Protecting Your Internet Site > and network". Published by Macmillan Computer Publishing, authored by > Anonymous. I don't know the ISBN, but you can find it here: > http://www.amazon.com > and searching their catalog. The book came out sometime last year. > (August, 1997, I believe). It is a very comprehensive coverage of cracking > techniques. ================================================================= > Try http://www.unitedcouncil.org/hackt.html I think you will be > impressed with the amount of info we have. ================================================================= > I do a weekly newsletter on network security, that includes hacker info. > Let me know if you would like to see a copy. 
email alan@livingston.com ================================================================= Regards Istvan Takacs mailto:anonymus@mail.matav.hu From firewalls-owner Mon Jan 5 04:44:44 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id EAA17920; Mon, 5 Jan 1998 04:32:03 -0800 (PST) Received: from mailout02.btx.dtag.de (mailout02.btx.dtag.de [194.25.2.150]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id EAA17913 for ; Mon, 5 Jan 1998 04:31:57 -0800 (PST) Received: from (fwd11.btx.dtag.de) [194.25.2.171] by mailout02.btx.dtag.de with smtp id 0xpBhJ-0005cR-00; Mon, 5 Jan 1998 13:32:01 +0100 Received: (0407352555-0001(btxid)@[193.159.17.104]) by fwd11.btx.dtag.de with (S3.1.29.1) id ; Mon, 5 Jan 1998 13:31:49 +0100 Message-Id: Date: Mon, 5 Jan 1998 13:31:49 +0100 To: firewalls@greatcircle.com Subject: Comparision of Firewall Products X-Mailer: T-Online eMail 2.0 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8BIT X-Sender: 0407352555-0001@t-online.de From: MarkusLindingerHamburg@t-online.de (Lindinger) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk We are about to implement a firewall system for about 500 users. I checked the papers from Borderware, FW-1, Raptor´s Eagle Firewall, TIS/Gauntlet and Sidewinder (I suppose, I should contact Cisco too?). After that, I have a rude survey about their features, but not about their proof and abilities in practise. Who can give some pros and cons, to get a better background? 
Thanks Markus From firewalls-owner Mon Jan 5 05:45:06 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA24279; Mon, 5 Jan 1998 05:22:27 -0800 (PST) Received: from mtigwc04.worldnet.att.net (mtigwc04.worldnet.att.net [204.127.131.33]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id FAA24249 for ; Mon, 5 Jan 1998 05:22:18 -0800 (PST) From: mht@clark.net Received: from highlander ([12.68.178.197]) by mtigwc04.worldnet.att.net (post.office MTA v2.0 0613 ) with SMTP id AAA16124; Mon, 5 Jan 1998 13:22:03 +0000 Message-Id: <3.0.3.32.19980105081940.00808730@pop3.clark.net> X-Sender: mht@pop3.clark.net X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Mon, 05 Jan 1998 08:19:40 -0500 To: MarkusLindingerHamburg@t-online.de (Lindinger), firewalls@GreatCircle.COM Subject: Re: Comparision of Firewall Products In-Reply-To: Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Markus, I think LAN TIMES did a comparison report a while back. Check out www.lantimes.com Your security policy, network architecture, business model, needs and technical resources, etc should also factor into your equation while evaluating the different firewall systems. A firewall is just one component of many when installing a firewall system for your particular organization. /mht At 01:31 PM 1/5/98 +0100, Lindinger wrote: >We are about to implement a firewall system for about 500 users. >I checked the papers from Borderware, FW-1, Raptor´s Eagle Firewall, >TIS/Gauntlet and Sidewinder (I suppose, I should contact Cisco too?). > >After that, I have a rude survey about their features, but not about >their proof and abilities in practise. > >Who can give some pros and cons, to get a better background? 
> >Thanks >Markus > > -----BEGIN PGP SIGNATURE----- Version: PGP for Personal Privacy 5.0 Charset: noconv iQA/AwUBNLDd65azO9ALfO1FEQJLFgCfWxzyhiIvGzbRWNYFdHDDPk/CtGkAn2ZB e5TGzoXA/bjIggVJDuqN9QDl =3Db4Dl -----END PGP SIGNATURE----- From firewalls-owner Mon Jan 5 07:15:27 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA01167; Mon, 5 Jan 1998 07:06:43 -0800 (PST) Received: from mail.sunbeach.net (mail.sunbeach.net [205.214.199.134]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id HAA01133 for ; Mon, 5 Jan 1998 07:06:28 -0800 (PST) Received: from mercury [205.214.195.1] by mail.sunbeach.net (SMTPD32-4.03) id AB9081B50122; Mon, 05 Jan 1998 10:17:52 +03d00 Message-Id: <3.0.3.32.19980105110522.007347a0@mail.sunbeach.net> X-Sender: ian@mail.sunbeach.net X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Mon, 05 Jan 1998 11:05:22 -0400 To: , From: Ian KC Worrell Subject: Re: Hardware for seperating LAN from dialouts In-Reply-To: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I use my lap top in the office, and it has both a network card and a modem in it. As my office network is on a different IP address range that my Internet Connection, I can actually have both connected at the same time! There seems to be no problem with the routing at all! Ian At 10:10 AM 1/5/98 +1000, Norman Widders wrote: >Just wondered if anybody has used those hardware devices >that disable LAN connections while a modem dials out >to the Internet. > >It detects when the modem is active thus severing the >link to the LAN physically and reconnects the LAN >once the modem has disconnected from the LAN. 
> >The device is connected to both the modem and LAN and >sounds good in theory and I am just wondering >what other peoples experience with these are, at $85 >it is an ideal solution for small organisations >that just want to poll their ISP a few times a day >for email. > >-- >Wheres my valium ? > > > > From firewalls-owner Mon Jan 5 07:30:20 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA02308; Mon, 5 Jan 1998 07:25:59 -0800 (PST) Received: from steed.jerboa.com (steed.jerboa.com [209.21.153.162]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id HAA02296 for ; Mon, 5 Jan 1998 07:25:50 -0800 (PST) Received: by steed.jerboa.com; id KAA08326; Mon, 5 Jan 1998 10:27:03 -0500 (EST) Received: from squirrel.jerboa.com(10.0.0.200) by steed.jerboa.com via smap (4.0a) id xma008324; Mon, 5 Jan 98 10:26:50 -0500 Received: from emma.jerboa.com (emma.jerboa.com [10.0.0.60]) by squirrel.jerboa.com (8.8.5/8.7.3) with SMTP id KAA19562; Mon, 5 Jan 1998 10:26:14 -0500 (EST) Message-Id: <3.0.3.32.19980105102235.00af6230@squirrel> X-Sender: ian@squirrel X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Mon, 05 Jan 1998 10:22:35 -0500 To: mht@clark.net, MarkusLindingerHamburg@t-online.de (Lindinger), firewalls@GreatCircle.COM From: Ian Poynter Subject: Re: Comparision of Firewall Products In-Reply-To: <3.0.3.32.19980105081940.00808730@pop3.clark.net> References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 At 08:19 AM 1/5/98 -0500, mht@clark.net wrote: >I think LAN TIMES did a comparison report a while back. Check out >www.lantimes.com Be careful with this one, the test methodology didn't look at security at all (see http://www.lantimes.com/97/97aug/708a060c.html; they didn't test installation either). 
I wasn't completely happy that the performance numbers were comparing apples with apples either. Still, it's useful as a feature comparison, though. >Your security policy, network architecture, business model, needs and >technical resources, etc should also factor into your equation while >evaluating the different firewall systems. > >A firewall is just one component of many when installing a firewall >system for your particular organization. Now this I agree with :-). Ian -----BEGIN PGP SIGNATURE----- Version: PGP for Personal Privacy 5.0 Charset: noconv iQA/AwUBNLD6usj1wUcX1Ha3EQID8QCg2Q6gT0RaW4kQMP+WBWQ3bAH70GoAnj0S hf30Ml+vAOoa4IGD/fiTstGN =lXXh -----END PGP SIGNATURE----- ----- Ian Poynter ian@jerboa.com Jerboa, Inc. +1-617-492-8084 PO Box 382648, Cambridge, MA 02238 http://www.jerboa.com Providing unbiased Internet consulting for businesses. Fingerprints RSA: BA 0C 82 C5 F2 03 3D 95 7C CE FD D3 57 4E 15 73 DSS: 2769 277A 9F69 F605 3743 D574 C8F5 C147 17D4 76B7 From firewalls-owner Mon Jan 5 07:44:49 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA03750; Mon, 5 Jan 1998 07:41:29 -0800 (PST) Received: from granite.sentex.net (granite.sentex.ca [199.212.134.1]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id HAA03736 for ; Mon, 5 Jan 1998 07:41:23 -0800 (PST) Received: from eagle.woodbridge.com ([206.222.77.97] (may be forged)) by granite.sentex.net (8.8.6/8.6.9) with SMTP id KAA09273 for ; Mon, 5 Jan 1998 10:40:47 -0500 (EST) Received: from woodux.woodbridge.com by eagle.woodbridge.com via smtpd (for granite.sentex.ca [199.212.134.1]) with SMTP; 5 Jan 1998 15:37:10 UT Received: from simonyi ([192.81.85.21]) by woodux with SMTP (1.39.111.2/16.2) id AA031504897; Mon, 5 Jan 1998 10:41:37 -0500 Received: by localhost with Microsoft MAPI; Mon, 5 Jan 1998 10:38:41 -0500 Message-Id: <01BD19C6.17027D20.msimonyi@woodbridge.com> From: Michael Simonyi To: "Firewalls@GreatCircle.COM" Subject: named service Date: 
Mon, 5 Jan 1998 10:38:40 -0500 X-Mailer: Microsoft Internet E-mail/MAPI - 8.0.0.4211 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk To all We are running an HP 817 w/ HPUX 10.0, and every once in a while the named service hangs. It's still a running process but does not do anything. I have to kill it and restart it and then everything's fine. Any clues? Do I need a patch? Is there any way I can monitor the process and see if it's in trouble rather than having our help line ring off the wall? Mike From firewalls-owner Mon Jan 5 08:27:48 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA08376; Mon, 5 Jan 1998 08:13:28 -0800 (PST) Received: from granite.sentex.net (granite.sentex.ca [199.212.134.1]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id IAA08115 for ; Mon, 5 Jan 1998 08:12:35 -0800 (PST) Received: from eagle.woodbridge.com ([206.222.77.97] (may be forged)) by granite.sentex.net (8.8.6/8.6.9) with SMTP id LAA14726 for ; Mon, 5 Jan 1998 11:11:56 -0500 (EST) Received: from woodux.woodbridge.com by eagle.woodbridge.com via smtpd (for granite.sentex.ca [199.212.134.1]) with SMTP; 5 Jan 1998 16:08:19 UT Received: from simonyi ([192.81.85.21]) by woodux with SMTP (1.39.111.2/16.2) id AA037326766; Mon, 5 Jan 1998 11:12:46 -0500 Received: by localhost with Microsoft MAPI; Mon, 5 Jan 1998 11:09:50 -0500 Message-Id: <01BD19CA.711D0F60.msimonyi@woodbridge.com> From: Michael Simonyi To: "Firewalls@GreatCircle.COM" Subject: Raptor Date: Mon, 5 Jan 1998 11:09:49 -0500 X-Mailer: Microsoft Internet E-mail/MAPI - 8.0.0.4211 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk To all: We have an HP 712 w/ HPUX 10.01 running the Raptor FW. Problem: After every reboot, the system is fine. 
Then after about a week or two the log file starts recording the following error messages: Eagle notifyd: 605 Can't execute /usr/bin/mailx (to many open files) Eagle notifyd: 606 failed to notify:transport=mail priority=Alert, (root,0) We keep bumping up our number of open files, the problem goes away. Then it comes right back. We have reconfigured the box several times and up'd the files open to allow more than our primary host. We just can't clean this problem up. Mike From firewalls-owner Mon Jan 5 09:30:45 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA12250; Mon, 5 Jan 1998 08:38:08 -0800 (PST) Received: from cheez.lowprofile.net (cheez.lowprofile.net [206.97.249.88]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id IAA12226 for ; Mon, 5 Jan 1998 08:38:01 -0800 (PST) Received: from cheez.lowprofile.net (cheez.lowprofile.net [206.97.249.88]) by cheez.lowprofile.net (8.8.5/8.8.5) with SMTP id KAA24549; Mon, 5 Jan 1998 10:46:44 -0600 Date: Mon, 5 Jan 1998 10:46:44 -0600 (CST) From: "Daniel \"Cheez\" Brown" To: Michael Simonyi cc: "Firewalls@GreatCircle.COM" Subject: Re: named service In-Reply-To: <01BD19C6.17027D20.msimonyi@woodbridge.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Michael- Upgrade to HPUX 10.10 / 10.20 because there is a bug in HPUX 10.01 named. You can also patch it with one of the PHSS patches out by HP, but my feeling is that 10.10 is much better than 10.01. Patching it will work as well. Good luck, +----Daniel "Cheez" Brown------------Global Data Systems-------+ | http://cheez.lowprofile.net | Security Advisor, Global Reach | | cheez@lowprofile.net | Cisco Systems WAN Specialist | | UNIX/Linux/HP-UX specialist | Remote Management Specialist | | If at first you don't succeed, redefine success. | | Contrary to popular opinion, UNIX is user friendly. 
It just | +-happens to be very selective about who it makes friends with.+ On Mon, 5 Jan 1998, Michael Simonyi wrote: > To all > > We are running an HP 817 w/ HPUX 10.0, and every once in a while the named > service hangs. It's still a running process but does not do anything. > I have to kill it and restart it and then everything's fine. > > Any clues? Do I need a patch? Is there any way I can monitor the process > and see if it's in trouble rather than having our help line ring off the > wall? > > Mike > From firewalls-owner Mon Jan 5 10:15:56 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA24724; Mon, 5 Jan 1998 09:44:34 -0800 (PST) Received: from tango.lightech.com.ar (tango.lightech.com.ar [200.0.253.134]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id JAA22774 for ; Mon, 5 Jan 1998 09:36:13 -0800 (PST) Received: from lightech.com.ar (router1-p04.pccp.com.ar [200.0.253.20]) by tango.lightech.com.ar (8.8.7/8.8.7) with ESMTP id RAA21387; Mon, 5 Jan 1998 17:13:39 GMT Message-ID: <34B1007E.9B1CE4A4@lightech.com.ar> Date: Mon, 05 Jan 1998 12:47:11 -0300 From: Sergio Bollini Reply-To: sbollini@lightech.com.ar Organization: LighTech X-Mailer: Mozilla 4.04 [en] (Win95; I) MIME-Version: 1.0 To: "firewalls@GreatCircle.COM" , "Mailing List, Firewall-1" Subject: FW-1 3.0 and Solaris 2.6 ok? Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------msB846C7587AF8D45A2076687C" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This is a cryptographically signed message in MIME format. --------------msB846C7587AF8D45A2076687C Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Hello all! Does anybody know if FW-1 3.0b will work correctly on Solaris 2.6? Are there any issues or unsolved problems? TIA -- Sergio E. Bollini LighTech Voice: (54-1) 373-1141 Ayacucho 563. 
Piso 13 Dto "A" FAX: (54-1) 373-1215 (1026) Buenos Aires e-mail: sbollini@lightech.com.ar Argentina URL: http://www.lightech.com.ar --------------msB846C7587AF8D45A2076687C Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature
--------------msB846C7587AF8D45A2076687C-- From firewalls-owner Mon Jan 5 10:32:18 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA03198; Mon, 5 Jan 1998 10:23:19 -0800 (PST) Received: from raven.axent.com (raven.axent.com [205.159.112.243]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id KAA03190 for ; Mon, 5 Jan 1998 10:23:09 -0800 (PST) Received: by raven.axent.com with Internet Mail Service (5.0.1458.49) id ; Mon, 5 Jan 1998 11:25:41 -0700 Message-ID: From: Darin Fisher To: "'Takacs Istvan'" , Firewalls@GreatCircle.COM Subject: RE: Any document about cracker's technic? Date: Mon, 5 Jan 1998 11:25:38 -0700 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.49) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Try: http://www.axent.com/swat/swat.html http://www.l0pht.com thanx darin ---- #include "In order to succeed, one must pay attention" -----Original Message----- From: Takacs Istvan [mailto:anonymus@mail.matav.hu] Sent: Saturday, January 03, 1998 11:56 AM To: Firewalls@GreatCircle.COM Subject: Any document about cracker's technic? Hi, Could you offer me some good links, books, videos or any kind of documents about the crackers' techniques? You always talk about the IDS, and how they work. But I'd like to know what I have to look for in my company's network. We just started to use the commercial side of Internet and for this reason I think we have to prepare for the crackers' attacks. I don't ask for exact description, just for how they try to break into the internal network. Thank you! Regards. Istvan Takacs mailto:anonymus@mail.matav.hu p.s.: Please, write to my own address, too. Thanks.
From firewalls-owner Mon Jan 5 13:30:54 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA23758; Mon, 5 Jan 1998 12:01:13 -0800 (PST) Received: from deimos.frii.com (deimos.frii.com [208.146.240.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id MAA23698 for ; Mon, 5 Jan 1998 12:00:51 -0800 (PST) Received: from ralph (ralph.ball.com [162.18.91.40]) by deimos.frii.com (8.8.5/8.8.4) with SMTP id NAA16743 for ; Mon, 5 Jan 1998 13:01:15 -0700 (MST) Message-ID: <34B13BF6.979@frii.com> Date: Mon, 05 Jan 1998 13:00:54 -0700 From: "Franklin R. Jones" Organization: Wyldwood Computing X-Mailer: Mozilla 3.04 (X11; I; SunOS 5.5.1 sun4u) MIME-Version: 1.0 To: firewalls@GreatCircle.COM Subject: Re: FW-1 3.0 and Solaris 2.6 ok? References: <34B1007E.9B1CE4A4@lightech.com.ar> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Sergio Bollini wrote: > Does anybody know if FW-1 3.0b will work correctly on Solaris 2.6? Are > there any issues or unsolved problems? > TIA No hands on as of yet, but 2.6 is listed as "supported" OS rev for V3. I haven't run into any problems application-wise upgrading to 2.6 from 2.5.x, so my feelings are that it would be a reliable config. There is a recommended patch cluster out for 2.6 which includes several (8 or 9) security patches for various things and I would recommend installing the cluster. fj..
From firewalls-owner Mon Jan 5 13:34:20 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA15653; Mon, 5 Jan 1998 11:25:49 -0800 (PST) Received: from elmont.dart.org (elmont.dart.org [207.86.10.34]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id LAA15469 for ; Mon, 5 Jan 1998 11:25:08 -0800 (PST) Message-ID: <7724B134818D357C%7724B134818D357C@dart.org> Date: Mon, 5 Jan 1998 13:25:12 -0500 From: fw-list@dart.org To: firewalls@greatcircle.com Subject: land.c hack code X-SMF-Hop-Count: 1 MIME-Version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit X-Mailer: Connect2-SMTP 4.32 MHS/SMF to SMTP Gateway Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Message Source: http://207.86.10.38/msg/fw-list/M908.HTM From: Darwin Collins Does anyone know where I can get a copy of the land.c hack code. Basically, I need to test some homebrewed stuff, and see if it can handle it. Thanks From firewalls-owner Mon Jan 5 13:34:23 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA09562; Mon, 5 Jan 1998 10:57:39 -0800 (PST) Received: from NOC.cs.ruu.nl (magic.cs.ruu.nl [131.211.80.22]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id KAA09484 for ; Mon, 5 Jan 1998 10:57:14 -0800 (PST) Received: from localhost (edwin@localhost) by NOC.cs.ruu.nl (8.8.6/8.8.6/UU-CS) with ESMTP id TAA25709 for ; Mon, 5 Jan 1998 19:57:11 +0100 (MET) Date: Mon, 5 Jan 1998 19:57:11 +0100 (MET) From: Edwin Kremer X-Sender: edwin@magic.cs.ruu.nl To: Firewalls List Subject: ANN/CfP: 1st International SANE Conference Message-ID: X-Org: Department of Computer Science; Utrecht University X-Org: P.O. Box 80.089; 3508 TB Utrecht; The Netherlands. 
X-Org: phone: +31-30-2534104; telefax: +31-30-2513791 MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=ISO-8859-1 Content-Transfer-Encoding: 8BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello, below you'll find the announcement and call for papers for the SANE'98 conference to be held on November 18-20 in Maastricht, The Netherlands, and organized by the NLUUG and co-sponsored by USENIX and Stichting NLnet. Security and firewalls-related paper submissions are very welcome. If you prefer to read the Call for Papers in a different format, please visit the SANE'98 WWW site: http://www.nluug.nl/events/sane98/ Thanks for your time. best regards, --[ Edwin ]-- -- Edwin H. Kremer, systems- and network administrator. Dept. of Computer Science, Utrecht University, The Netherlands [WHOIS: ehk3] -------------------- http://www.cs.ruu.nl/people/edwin/ ----------------------- --------------------------------------------------------------------------- Announcement and Call for Papers 1st International SANE Conference November 18-20, 1998 Maastricht, The Netherlands A conference organized by the NLUUG, the UNIX User Group - The Netherlands co-sponsored by USENIX, the Advanced Computing Systems Association, and Stichting NLnet -------- OVERVIEW -------- Technology is advancing, the systems administration profession is changing rapidly, and you have to master new skills to keep apace. At the International SANE (System Administration and Networking) conference you can join the community of system administrators while attending a program that brings you the latest in tools, techniques, security and networking. You can learn from tutorials, refereed papers, invited talks and Birds-of-a-Feather sessions. Visit the Vendor Exhibition for the hottest products and the latest books available. The official language at the conference will be English. The conference will be located at the Maastricht Exposition and Conference Center, MECC. 
---------------- TUTORIAL PROGRAM ---------------- On Wednesday November 18, 1998, up to four in-depth tutorials will be presented to you by the most popular and widely acclaimed speakers. ------------------ TECHNICAL SESSIONS ------------------ Two days of technical sessions, including keynote address, presentations of refereed papers and invited talks will follow the tutorial day. --------------------- CONFERENCE ORGANIZERS --------------------- Program Co-chairs: Edwin Kremer, Department of Computer Science, Utrecht University Jan Christiaan van Winkel, AT Computing Program Committee: Jos Alsters, C&CZ, KU Nijmegen Bob Eskes, ASR, Hollandse Signaalapparaten Peter den Haan, C&CZ, KU Nijmegen Patrick Schoo, Department of Mathematics, Utrecht University Michael Utermöhle, Dept. of Computer Science, University of Paderborn Jos Vos, X/OS Experts in Open Systems Elizabeth Zwicky, Silicon Graphics, Inc. Event Organization: Chel van Gennip, Hiscom Mariëlle Klatten, NLUUG Monique Rours, NLUUG --------------- IMPORTANT DATES --------------- Extended abstracts due: April 17, 1998 Notification to speakers: May 8, 1998 Final papers due: September 4, 1998 Complete program and registration information will be available in June 1998. To receive information about the conference, please contact: sane98-info@nluug.nl or visit the conference WWW site: http://www.nluug.nl/events/sane98/ ----------------- CONFERENCE TOPICS ----------------- Presentations are being solicited in areas including but not limited to: * Security tools and techniques * Managing enterprise-wide email (what about UCE?) 
* Experiences with free software, including operating systems, in a professional environment * Innovative system administration tools & techniques * Distributed or automated system administration * Incorporation of commercial system administration technology * Adventures in nomadic and wireless computing * Intranet development, support, and maintenance * Integrating new networking technologies * Integration of heterogeneous platforms * Performance analysis, monitoring and tuning * Support strategies in use at your site * Effective training techniques for system administration and users ------------- INVITED TALKS ------------- If you have a topic of interest that is not (yet) very well suited for a refereed paper submission, please submit a proposal for an invited talk to the Program Committee at the address: sane98@nluug.nl -------------------------- REFEREED PAPER SUBMISSIONS -------------------------- An extended abstract of up to four pages is required for the paper selection process. Abstracts accompanied by non-disclosure agreement forms are not acceptable and will be returned unread. Authors of accepted submissions must provide a final paper for publication in the conference proceedings. Final papers are held in the highest confidence prior to publication in the conference proceedings. Authors agree with publication of the final paper in the members-only area on the NLUUG WWW site and/or the conference CD-ROM. 
Please submit extended abstracts by one of the following methods: E-mail to: sane98@nluug.nl Fax to: +31 20 6950018 Postal mail to: NLUUG PO Box 22727 1100 DE AMSTERDAM The Netherlands --------------------------------------------------------------------------- From firewalls-owner Mon Jan 5 13:34:26 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA01490; Mon, 5 Jan 1998 10:15:14 -0800 (PST) Received: from viper.netsolv.com (jridgway.jxn.netdoor.com [208.137.130.254]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id KAA29629 for ; Mon, 5 Jan 1998 10:05:18 -0800 (PST) Received: from viper ([172.30.100.3]) by viper.netsolv.com (Netscape Messaging Server 3.01) with SMTP id 294 for ; Mon, 5 Jan 1998 12:05:27 -0600 Received: from netsolv.com ([206.58.71.2]) by pike.netdoor.com (8.8.8/8.8.5) with SMTP id MAA02085 for ; Mon, 5 Jan 1998 12:00:19 -0600 (CST) Received: from loudecho.us.checkpoint.com [206.184.151.194] by netsolv.com with ESMTP (SMTPD32-4.02c) id AE43201501CA; Mon, 05 Jan 1998 11:02:27 EST5EDT Received: from localhost (daemon@localhost) by loudecho.us.checkpoint.com (8.8.8/8.8.4) with SMTP id JAA29559; Mon, 5 Jan 1998 09:47:19 -0800 (PST) Received: by loudecho.us.checkpoint.com (bulk_mailer v1.5 with hacks by jwright@us.checkpoint.com); Mon, 5 Jan 1998 09:37:48 -0800 Received: (from majordom@localhost) by loudecho.us.checkpoint.com (8.8.8/8.8.4) id JAA28644 for fw-1-mailinglist-outgoing; Mon, 5 Jan 1998 09:37:38 -0800 (PST) Received: from peets.us.checkpoint.com ([206.184.151.193]) by loudecho.us.checkpoint.com (8.8.8/8.8.4) with ESMTP id JAA28571 for ; Mon, 5 Jan 1998 09:36:48 -0800 (PST) Received: from oak.us.checkpoint.com (oak.us.checkpoint.com [206.86.35.94]) by peets.us.checkpoint.com (8.8.7/8.8.3) with SMTP id JAA22848 for ; Mon, 5 Jan 1998 09:37:50 -0800 (PST) Received: (qmail 6480 invoked by alias); 5 Jan 1998 17:36:44 -0000 Delivered-To: fw-1-mailinglist@us.checkpoint.com Received: (qmail 
6470 invoked from network); 5 Jan 1998 17:36:41 -0000 Received: from tango.lightech.com.ar (200.0.253.134) by oak.us.checkpoint.com with SMTP; 5 Jan 1998 17:36:41 -0000 Received: from lightech.com.ar (router1-p04.pccp.com.ar [200.0.253.20]) by tango.lightech.com.ar (8.8.7/8.8.7) with ESMTP id RAA21387; Mon, 5 Jan 1998 17:13:39 GMT Message-ID: <34B1007E.9B1CE4A4@lightech.com.ar> Date: Mon, 05 Jan 1998 12:47:11 -0300 From: Sergio Bollini Reply-To: sbollini@lightech.com.ar Organization: LighTech X-Mailer: Mozilla 4.04 [en] (Win95; I) MIME-Version: 1.0 To: "firewalls@GreatCircle.COM" , "Mailing List, Firewall-1" Subject: [FW1] FW-1 3.0 and Solaris 2.6 ok? Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------msB846C7587AF8D45A2076687C" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This is a cryptographically signed message in MIME format. --------------msB846C7587AF8D45A2076687C Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Hello all! Does anybody know if FW-1 3.0b will work correctly on Solaris 2.6? Are there any issues or unsolved problems? TIA -- Sergio E. Bollini LighTech Voice: (54-1) 373-1141 Ayacucho 563.
Piso 13 Dto "A" FAX: (54-1) 373-1215 (1026) Buenos Aires e-mail: sbollini@lightech.com.ar Argentina URL: http://www.lightech.com.ar --------------msB846C7587AF8D45A2076687C Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature
--------------msB846C7587AF8D45A2076687C-- ================================================================================ To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================================================ From firewalls-owner Mon Jan 5 13:45:10 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA10378; Mon, 5 Jan 1998 13:15:47 -0800 (PST) Received: from moat.pweh.com ([192.54.250.131]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id MAA00140 for ; Mon, 5 Jan 1998 12:32:36 -0800 (PST) Received: (from uucp@localhost) by moat.pweh.com (8.8.8/8.8.8) id PAA10742 for ; Mon, 5 Jan 1998 15:32:44 -0500 (EST) Received: from drawbridge.eh.pweh.com(191.29.71.250) by moat.pweh.com via smap (4.0a) id xma010708; Mon, 5 Jan 98 15:32:41 -0500 Received: (from uucp@localhost) by drawbridge.eh.pweh.com (8.8.8/8.8.8) id PAA16539 for ; Mon, 5 Jan 1998 15:32:40 -0500 (EST) Received: from fs17005.eh.pweh.com(191.29.170.5) by drawbridge.eh.pweh.com via smap (4.0a) id xma016461; Mon, 5 Jan 98 15:32:33 -0500 Received: from clbdev2.eh.pweh.com by pweh011.eh.pweh.com (SMI-8.6/SMI-SVR4) id PAA29328; Mon, 5 Jan 1998 15:32:31 -0500 Received: (from miorelli@localhost) by clbdev2.eh.pweh.com (8.8.5/8.8.5) id PAA05221 for firewalls@greatcircle.com; Mon, 5 Jan 1998 15:32:32 -0500 (EST) Date: Mon, 5 Jan 98 15:32 EST From: BoB Miorelli To: firewalls@greatcircle.com Received: from miorelli by clbdev2.eh.pweh.com; Mon, 5 Jan 98 15:32 EST Subject: NT Web proxy server Content-Type: text/plain Message-ID: <34b1435f0.1464@clbdev2.eh.pweh.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi -- I'm looking for a Web proxy server that does caching for my kid's school (K-8). The computer lab is networked to a server which would run the proxy. The server is a Pentium running NT 4.0. 
I'm looking for recommendations on proxy server software from anyone that is running it on NT 4.0 using a dialup-on-demand type of setup. The only proxy servers for NT that I am aware of are Microsoft and Netscape, but I'm sure there are others. Any and all comments are welcome. Thanks. -->BoB -->BoB Miorelli, Pratt & Whitney miorelli@pweh.com ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In theory, theory and practice are the same; in practice they are distinct. From firewalls-owner Mon Jan 5 13:59:56 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA08519; Mon, 5 Jan 1998 13:08:00 -0800 (PST) Received: from c00069-100lez.eos.ncsu.edu (c00069-100lez.eos.ncsu.edu [152.1.26.28]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id NAA08482 for ; Mon, 5 Jan 1998 13:07:50 -0800 (PST) Received: from localhost (jkwilli2@localhost) by c00069-100lez.eos.ncsu.edu (8.8.4/EC02Jan97) with SMTP id QAA23031; Mon, 5 Jan 1998 16:07:54 -0500 (EST) X-Authentication-Warning: c00069-100lez.eos.ncsu.edu: jkwilli2 owned process doing -bs Date: Mon, 5 Jan 1998 16:07:53 -0500 (EST) From: Ken Williams X-Sender: jkwilli2@c00069-100lez.eos.ncsu.edu To: fw-list@dart.org cc: firewalls@GreatCircle.COM Subject: Re: land.c hack code In-Reply-To: <7724B134818D357C%7724B134818D357C@dart.org> Message-ID: X-Bullshit: The header is genuine....WTF did you expect? MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Mon, 5 Jan 1998 fw-list@dart.org wrote: >Message Source: http://207.86.10.38/msg/fw-list/M908.HTM >>From: Darwin Collins > > >Does anyone know where I can get a copy of the land.c hack code. > >Basically, I need to test some homebrewed stuff, and see if it can handle it. 
> >Thanks > you can get a copy of land.c and also the enhanced version, latierra.c, from http://www.rootshell.com the specific URLs for these two are: http://www.rootshell.com/archive-acz9smq232qz7avi9jeacjvd/199711/land.c http://www.rootshell.com/archive-acz9smq232qz7avi9jeacjvd/199711/latierra.c for reference, they are in the Nov '97 archive at rootshell.com. you will also probably want to check out teardrop.c too. the URL for that source code is: http://www.rootshell.com/archive-acz9smq232qz7avi9jeacjvd/199711/teardrop.c hasta, Ken /<--------------{ TATTOOMAN -aka- rute }-------------->\ NCSU Computer Science Member of E.H.A.P. jkwilli2@unity.ncsu.edu http://www.hackers.com/ehap/ UNIX ICQ UIN# 4231260 ehap@hackers.com FTP Site: ftp://152.7.11.38/pub/personal/tattooman/ WWW 2: http://www4.ncsu.edu/~jkwilli2/ \<---------{ http://152.7.11.38/~tattooman/ }--------->/ From firewalls-owner Mon Jan 5 14:28:37 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA14728; Mon, 5 Jan 1998 13:47:42 -0800 (PST) Received: from mailgw1.almaden.ibm.com ([198.4.83.39]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id NAA14721 for ; Mon, 5 Jan 1998 13:47:38 -0800 (PST) From: trall@almaden.ibm.com Received: by mailgw1.almaden.ibm.com(Lotus SMTP MTA SMTP v4.6 (462.2 9-3-1997)) id 88256583.0077C768 ; Mon, 5 Jan 1998 13:48:18 -0800 X-Lotus-FromDomain: ALMADEN To: Firewalls@GreatCircle.COM Message-ID: <88256583.00757996.00@mailgw1.almaden.ibm.com> Date: Mon, 5 Jan 1998 13:47:38 -0800 Subject: Re: Hardware for seperating LAN from dialouts Mime-Version: 1.0 Content-type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Ian KC Worrell wrote: >I use my lap top in the office, and it has both a network card and a modem >in it. As my office network is on a different IP address range than my >Internet Connection, I can actually have both connected at the same time!
> >There seems to be no problem with the routing at all! >At 10:10 AM 1/5/98 +1000, Norman Widders wrote: >>Just wondered if anybody has used those hardware devices >>that disable LAN connections while a modem dials out >>to the Internet. >> >>It detects when the modem is active thus severing the >>link to the LAN physically and reconnects the LAN >>once the modem has disconnected from the LAN. >> >>The device is connected to both the modem and LAN and >>sounds good in theory and I am just wondering >>what other people's experience with these are, at $85 >>it is an ideal solution for small organisations >>that just want to poll their ISP a few times a day >>for email. Yes, it's generally possible to arrange the routing so that you can simultaneously connect with a modem and your lan interface. And that's fine if you don't care about security (but then why are you posting to this list?). Assuming the lan is behind a firewall, most administrators don't want uncontrolled lan machines connecting directly to the Internet. There is a degree of protection obtained if the machine is disconnected from the lan while the modem is being used to access the Internet (and a device that does this automatically would make this easier). But when you hang up and reconnect your lan, you're still exposing the lan to viruses, etc. that were acquired while dialed to the Internet. A trojan horse could, for example, slurp up confidential data on your lan, then dial the Internet (or wait until the next time you do it), and send the data to your competitor. In summary, you probably shouldn't do this at all unless the dialing host is reasonably secure itself.
Tony Rall From firewalls-owner Mon Jan 5 15:22:42 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA21008; Mon, 5 Jan 1998 14:22:30 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id OAA20778 for ; Mon, 5 Jan 1998 14:21:49 -0800 (PST) Received: from magna.com.au by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id OAA16965; Mon, 5 Jan 1998 14:20:27 -0800 (PST) Received: from magna.magna.com.au (saccess-01-082.magna.com.au [203.111.79.82]) by magna.com.au (8.8.5/8.6.10) with SMTP id JAA13462; Tue, 6 Jan 1998 09:20:58 +1100 (EST) Date: Tue, 6 Jan 1998 09:20:58 +1100 (EST) Message-Id: <199801052220.JAA13462@magna.com.au> X-Sender: iank@magna.com.au X-Mailer: Windows Eudora Light Version 1.5.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: Ian KC Worrell From: Ian Krieger Subject: Re: Hardware for seperating LAN from dialouts Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Sorry I may be mistaken but most users would be running Windows 95 on their laptops and desktops in offices, sorry guys, Win95 doesn't support IP routing, like there's a surprise, hence you would not need to overly worry about having to sever your network connection when wanting to retrieve mail every once and again. If I have misunderstood the question / query, well hey I'm only human. Ian. At 11:05 AM 1/5/98 -0400, you wrote: >I use my lap top in the office, and it has both a network card and a modem >in it. As my office network is on a different IP address range than my >Internet Connection, I can actually have both connected at the same time! > >There seems to be no problem with the routing at all! > >Ian > >At 10:10 AM 1/5/98 +1000, Norman Widders wrote: >>Just wondered if anybody has used those hardware devices >>that disable LAN connections while a modem dials out >>to the Internet.
>> >>It detects when the modem is active thus severing the >>link to the LAN physically and reconnects the LAN >>once the modem has disconnected from the LAN. >> >>The device is connected to both the modem and LAN and >>sounds good in theory and I am just wondering >>what other people's experience with these are, at $85 >>it is an ideal solution for small organisations >>that just want to poll their ISP a few times a day >>for email. >> >>-- >>Wheres my valium ? >> >> >> >> > > > ---------------------------------------------------------------- Ian W Krieger IanK@Magna.com.au "qlm tera'ngan!" - Translated from Klingon "Attention Earther!" From firewalls-owner Mon Jan 5 16:00:15 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA09148; Mon, 5 Jan 1998 15:48:19 -0800 (PST) Received: from ns.acadiacom.net (ns.acadiacom.net [206.104.52.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id PAA08950 for ; Mon, 5 Jan 1998 15:47:45 -0800 (PST) Received: from unitedcouncil.org (unverified [206.104.52.77]) by ns.acadiacom.net (Rockliffe SMTPRA 2.1.4) with ESMTP id for ; Mon, 05 Jan 1998 17:50:36 -0600 Message-ID: <348689F7.F62A57A2@unitedcouncil.org> Date: Thu, 04 Dec 1997 05:46:16 -0500 From: Sandman Reply-To: sandman@unitedcouncil.org X-Mailer: Mozilla 4.04 [en] (Win95; I) MIME-Version: 1.0 To: firewalls@GreatCircle.COM Subject: Re: land.c hack code References: <7724B134818D357C%7724B134818D357C@dart.org> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk http://www.unitedcouncil.org has it in The C Source Code Library.
-Sandman The United Council http://www.unitedcouncil.org sandman@unitedcouncil From firewalls-owner Mon Jan 5 16:14:41 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id QAA11611; Mon, 5 Jan 1998 16:01:58 -0800 (PST) Received: from inergen.sybase.com (inergen.sybase.com [192.138.151.43]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id QAA11560 for ; Mon, 5 Jan 1998 16:01:43 -0800 (PST) Received: from smtp1.sybase.com (sybgate.sybase.com [130.214.220.35]) by inergen.sybase.com (8.8.4/8.8.4) with SMTP id QAA20812; Mon, 5 Jan 1998 16:03:28 -0800 (PST) Received: from by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) id AB09026; Mon, 5 Jan 98 16:04:41 PST Received: by gwwest.sybase.com(Lotus SMTP MTA v1.1 (385.6 5-6-1997)) id 88256584.00007D14 ; Mon, 5 Jan 1998 16:05:20 -0800 X-Lotus-Fromdomain: SYBASENOTES From: "Ryan Russell" To: iank@magna.com.au Cc: ian@sunbeach.net, firewalls@GreatCircle.COM Message-Id: <88256583.00839BF7.00@gwwest.sybase.com> Date: Mon, 5 Jan 1998 16:00:07 -0800 Subject: Re: Hardware for seperating LAN from dialouts Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Actually, Win95 DOES support routing. And, I'm told it even works in OSR2. The point is, it doesn't need to route. If you're connected to the Internet & your LAN at the same time, and I break into your machine (via the Internet,) I now have control of a machine on your LAN. It's against MY company policy... as the saying goes, your paranoia level may vary.. 
Ryan iank@magna.com.au on 01/05/98 02:20:58 PM To: ian@sunbeach.net cc: firewalls@GreatCircle.COM (bcc: Ryan Russell/SYBASE) Subject: Re: Hardware for seperating LAN from dialouts Sorry I may be mistaken but most users would be running windows 95 on their laptops and desktops in offices, sorry guys, Win95 dosen't support IP routing,like there's a supprise, hence you would not need to overly worry about having to sever you network connection when wanting to retrieve mail every once and again. If I have misunderstood the question / query, well hey I'm only human. Ian. At 11:05 AM 1/5/98 -0400, you wrote: >I use my lap top in the office, and it has both a network card and a modem >in it. As my office network is on a different IP address range that my >Internet Connection, I can actually have both connected at the same time! > >There seems to be no problem with the routing at all! > >Ian > >At 10:10 AM 1/5/98 +1000, Norman Widders wrote: >>Just wondered if anybody has used those hardware devices >>that disable LAN connections while a modem dials out >>to the Internet. >> >>It detects when the modem is active thus severing the >>link to the LAN physically and reconnects the LAN >>once the modem has disconnected from the LAN. >> >>The device is connected to both the modem and LAN and >>sounds good in theory and I am just wondering >>what other peoples experience with these are, at $85 >>it is an ideal solution for small organisations >>that just want to poll their ISP a few times a day >>for email. >> >>-- >>Wheres my valium ? >> >> >> >> > > > ---------------------------------------------------------------- Ian W Krieger IanK@Magna.com.au "qlm tera'ngan!" - Translated from Klingon "Attention Earther!" 
From firewalls-owner Mon Jan 5 18:07:53 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id RAA28114; Mon, 5 Jan 1998 17:49:27 -0800 (PST) Received: from hq.si.net (hq.si.net [192.156.192.10]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id RAA28039 for ; Mon, 5 Jan 1998 17:49:10 -0800 (PST) Received: from hq.si.net (hq [192.156.192.10]) by hq.si.net (8.8.5/8.7.3) with SMTP id UAA22068 for ; Mon, 5 Jan 1998 20:51:10 -0500 (EST) Date: Mon, 5 Jan 1998 20:51:10 -0500 (EST) From: Ming Lu To: firewalls@GreatCircle.COM Subject: Bank Security Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi all:

I am looking for any info regarding bank security requirements (I know that it is kind of sensitive...:-)) and implementations. It would be greatly appreciated if anyone can help on this.

TIA

_ming

From firewalls-owner Mon Jan 5 18:29:55 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id RAA27207; Mon, 5 Jan 1998 17:45:00 -0800 (PST) Received: from mtigwc04.worldnet.att.net (mtigwc04.worldnet.att.net [204.127.131.33]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id RAA26975 for ; Mon, 5 Jan 1998 17:44:17 -0800 (PST) From: mht@clark.net Received: from highlander ([12.68.178.197]) by mtigwc04.worldnet.att.net (post.office MTA v2.0 0613 ) with SMTP id AAB17479; Tue, 6 Jan 1998 01:44:26 +0000 Message-Id: <3.0.3.32.19980105203733.00a62540@pop3.clark.net> X-Sender: mht@pop3.clark.net X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Mon, 05 Jan 1998 20:37:33 -0500 To: Ian Poynter , MarkusLindingerHamburg@t-online.de (Lindinger), firewalls@GreatCircle.COM Subject: Re: Comparision of Firewall Products In-Reply-To: <3.0.3.32.19980105102235.00af6230@squirrel> References: <3.0.3.32.19980105081940.00808730@pop3.clark.net> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 10:22 AM 1/5/98 -0500, Ian Poynter wrote: >-----BEGIN PGP SIGNED MESSAGE----- >Hash: SHA1 > >At 08:19 AM 1/5/98 -0500, mht@clark.net wrote: >>I think LAN TIMES did a comparison report a while back. Check out >>www.lantimes.com > >Be careful with this one, the test methodology didn't look at security at all >(see http://www.lantimes.com/97/97aug/708a060c.html; they didn't test >installation either). I wasn't completely happy that the performance numbers >were comparing apples with apples either. Still, it's useful as a feature >comparison, though. Yes, I will tend to agree with Ian on his point, the test methodology used did not test the installation procedures, but listed features of each, pros and cons. But as Ian points out it is a starting point in comparison testing. :) > >>Your security policy, network architecture, business model, needs and >>technical resources, etc should also factor into your equation while >>evaluating the different firewall systems. >> >>A firewall is just one component of many when installing a firewall >>system for your particular organization. > >Now this I agree with :-). To add to this point, on each point stated, a rating or point should be assigned to each factor when evaluating a firewall system, either you can use a scale of 1-10 when evaluating a solution or solutions to a particular organization.. /mht > >Ian > > >-----BEGIN PGP SIGNATURE----- >Version: PGP for Personal Privacy 5.0 >Charset: noconv > >iQA/AwUBNLD6usj1wUcX1Ha3EQID8QCg2Q6gT0RaW4kQMP+WBWQ3bAH70GoAnj0S >hf30Ml+vAOoa4IGD/fiTstGN >=lXXh >-----END PGP SIGNATURE----- > >----- >Ian Poynter ian@jerboa.com >Jerboa, Inc. +1-617-492-8084 >PO Box 382648, Cambridge, MA 02238 http://www.jerboa.com >Providing unbiased Internet consulting for businesses. 
>Fingerprints RSA: BA 0C 82 C5 F2 03 3D 95 7C CE FD D3 57 4E 15 73 > DSS: 2769 277A 9F69 F605 3743 D574 C8F5 C147 17D4 76B7 > > ------------------------------------------------------ "GREETINGS PROFESSOR FALKEN." "SHALL WE PLAY A GAME??" ------------------------------------------------------ From firewalls-owner Mon Jan 5 20:15:40 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id UAA16605; Mon, 5 Jan 1998 20:09:20 -0800 (PST) Received: from mail.atl.bellsouth.net (mail.atl.bellsouth.net [205.152.0.21]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id UAA16597 for ; Mon, 5 Jan 1998 20:09:14 -0800 (PST) Received: from nope (bims008201.bims.bellsouth.net [205.152.8.201]) by mail.atl.bellsouth.net (8.8.5/8.8.5) with ESMTP id XAA10773; Mon, 5 Jan 1998 23:10:08 -0500 (EST) Message-Id: <199801060410.XAA10773@mail.atl.bellsouth.net> From: "Steve Jackson Brown" To: , Subject: Re: SessionWall 3 release 2 vs Network Flight Recorder?? Date: Mon, 5 Jan 1998 23:04:33 -0500 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1161 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Yes, I tend to agree with you on that. RealSecure is a very powerful > tool, but it requires a clear understanding in what options you > choose in a particular environment when using it.. Here are two Abirnet vs. RealSecure comparisions I found on ww.zdnet.com: http://www.zdnet.com/pcweek/reviews/0421/21wall.html and http://www.zdnet.com/pcweek/reviews/0929/29wall.html It looks to me from the review that one is a swiss-army knife that watches all kind of network issues and one is optimized for network security. Read the reviews to form your own opinion. 
In searching for comparisions, the most recent Top Technology Picks for '97 of PC Week was IDS technology: http://www.zdnet.com/pcweek/sr/1222/22netb.html So far now, 2 magazines picked IDS as a top technology released in 1997. It will be interesting to find out what new technology is going to be released in 1998. Anyone know of any reviews of other IDS systems? > Overall, I wish one of the local trades magazines would initiate a > Consumer Report comparison of the current IDS tools or "clue- > gathering tools" available and new ones that are emerging... (HINT, > HINT) Is NFR really an intrusion detection system? From the web site, www.nfr.com, "NFRs provide valuable information about the growth of your network, its usage patterns, bottlenecks and potential mis-configurations, and more. Imagine the usefulness of being able to learn how any aspect of your network has changed over time! NFR also lets you store and browse data you want to gather as it passes through or within your network." This description seems like performance monitoring and network traffic policy monitoring. It's probably possible someone could build an intrusion detection system with NFR. NFR itself does not seem like an intrusion detection package. Maybe CSI or NCSA could do the "Consumer Reports" of IDS tools. From firewalls-owner Mon Jan 5 22:14:43 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id WAA25455; Mon, 5 Jan 1998 22:04:28 -0800 (PST) Received: from aims.gov.au (pearl.aims.gov.au [138.7.32.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id WAA25445 for ; Mon, 5 Jan 1998 22:04:22 -0800 (PST) Received: from aims.gov.au by aims.gov.au (SMI-8.6/SMI-SVR4) id QAA10286; Tue, 6 Jan 1998 16:04:36 +1000 Message-ID: <34B1C8DC.2BE94D49@aims.gov.au> Date: Tue, 06 Jan 1998 16:02:04 +1000 From: Kerry Jones X-Mailer: Mozilla 4.04 [en] (WinNT; I) MIME-Version: 1.0 To: firewalls@greatcircle.com Subject: DNS on firewall?? 
Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi,

Simple question. Is it a good idea to run a DNS server on a Firewall?????

AUNIC require at least 2 DNS servers, so I am trying to decide where to configure the 2nd DNS server for our domain (Primary one is currently on the DMZ). Will putting the secondary DNS on the firewall create a security hole in the Firewall which would best be avoided????????

Is it acceptable (secure) to put the DNS and other services (e.g. http/ftp) on the Firewall?? What do you think?? What are your opinions??

I have a fairly standard setup as follows;

    Internet
       |
     router
       |
    firewall - dmz (1 machine: http/ftp/dns)
       |
    internal network.

--
Kerry Jones
kjones@aims.gov.au

From firewalls-owner Mon Jan 5 22:59:34 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id WAA00600; Mon, 5 Jan 1998 22:46:15 -0800 (PST) Received: from imo18.mx.aol.com (imo18.mx.aol.com [198.81.19.175]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id WAA00593 for ; Mon, 5 Jan 1998 22:46:11 -0800 (PST) From: MYundt Message-ID: <6dda8f0f.34b1d341@aol.com> Date: Tue, 6 Jan 1998 01:46:24 EST To: firewalls@GreatCircle.COM Subject: tocom Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7bit Organization: AOL (http://www.aol.com) X-Mailer: Inet_Mail_Out (IMOv11) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I have a tocom 5507 and I was wondering about a replacement

From firewalls-owner Mon Jan 5 23:44:33 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA03366; Mon, 5 Jan 1998 23:35:11 -0800 (PST) Received: from relay1.shore.net (relay1.shore.net [192.233.85.129]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id XAA03348 for ; Mon, 5 Jan 1998 23:35:03 -0800 (PST) Received: from [198.115.179.81] (vin.shore.net [198.115.179.81]) by relay1.shore.net
(8.8.7/8.8.7) with ESMTP id CAA27133; Tue, 6 Jan 1998 02:35:10 -0500 (EST) Message-Id: In-Reply-To: Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Date: Tue, 6 Jan 1998 02:35:10 -0500 To: Ming Lu From: Vin McLellan Subject: Re: Bank Security Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Ming Lu wrote: > >I am looking any info regarding bank security requirements (I know that >it is a knid of sensetive...:-)) and implementations. It would be greatly >appreciated if anyone can help on this. Hi Ming: As you doubtless know, US government export policy tries to limit the relative strength of the crypto used in international commerce so as to sustain its eavesdropping and signals intelligence capabilities. In some product categories, Web-based transactions among them, the US government allows US vendors to supply strong crypto to banks for certain types of web-based transactions. Even then, however, there are typically constraints on _exactly_ what type of "financial" info can be strongly encrypted in the "enhanced" SSL channel and on what type of banking institution is allowed to use those servers. To qualify for access to strong SSL products from US vendors, an international bank must be further qualified by a American CA. Non-Americans who seek strong crypto for web-based commerce and online banking transactions might be interested in three rather 1. Fortify: http://www.geocities.com/Eureka/Plaza/6333/ "Fortify is a program that provides world-wide, unconditional, full strength 128-bit cryptography to users of Netscape Navigator (v3) and Communicator (v4)." 2. 
Xpresso and Twister: http://www.brokat.com/uk/solutions.html "The XPRESSO Security Package® consists of the XPRESSO Security Server, which is integrated into the existing web server environment of an Internet service provider, and the Java based XPRESSO Client, which can easily be loaded and executed in the customer's browser. After loading the XPRESSO Client in the browser via a standard SSL browser/web server channel, an additional 128 bit encrypted channel is installed between the XPRESSO Client and the XPRESSO Security Server."

("The XPRESSO Security Package® is one gateway of the electronic services delivery platform BROKAT Twister, which forms the basis for most BROKAT Internet banking solutions. Twister allows the easy and flexible integration of online transactions in arbitrary system environments.")

3. Stronghold and Safe Passage: http://stronghold.ukweb.com/ "The popular Stronghold server and the new Safe Passage web proxy together provide complete point-to-point 128-bit (or greater) encryption."

Surete,

_Vin

"Cryptography is like literacy in the Dark Ages. Infinitely potent, for good and ill... yet basically an intellectual construct, an idea, which by its nature will resist efforts to restrict it to bureaucrats and others who deem only themselves worthy of such Privilege." _ A thinking man's Creed for Crypto/ vbm.
* Vin McLellan + The Privacy Guild + * 53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548 From firewalls-owner Tue Jan 6 02:14:53 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA16934; Tue, 6 Jan 1998 02:11:22 -0800 (PST) Received: from mail1.teleport.com (mail1.teleport.com [192.108.254.26]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id CAA16925 for ; Tue, 6 Jan 1998 02:11:16 -0800 (PST) Received: from dark_corner (ip-pdx35-38.teleport.com [206.163.127.118]) by mail1.teleport.com (8.8.7/8.7.3) with SMTP id CAA25879; Tue, 6 Jan 1998 02:11:27 -0800 (PST) Message-Id: <199801061011.CAA25879@mail1.teleport.com> X-Sender: signe@mail.teleport.com X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0 Date: Tue, 06 Jan 1998 02:11:07 -0800 To: Ken Williams , fw-list@dart.org From: Jay Rossiter / Signe Subject: Re: land.c hack code Cc: firewalls@GreatCircle.COM In-Reply-To: References: <7724B134818D357C%7724B134818D357C@dart.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 16:07 98/01/05 -0500, Ken Williams wrote: >you can get a copy of land.c and also the enhanced version, latierra.c, >from http://www.rootshell.com >the specific URL's for these two are: >http://www.rootshell.com/archive-acz9smq232qz7avi9jeacjvd/199711/land.c >http://www.rootshell.com/archive-acz9smq232qz7avi9jeacjvd/199711/latierra.c ...One minor problem with giving the URLs for those files out, is that the directories they are in change at regular intervals. (As stated on the rootshell website) The 'archive-acz9smq232qz7avi9jeacjvd" is just a random alphanumeric string that it generates. 
--- PGP Located on PGP Keyservers, and by fingering 'ammonia@teleport.com' Key fingerprint = BF 2D 7E F4 41 A5 FD 30 B1 91 1D BA 35 28 A4 8C =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= GCS/GAT d- s:- a--- C++++ S+++ P+ L++ E---- W+++ N+++ o-- K- w++++ O---- M-- V-- PS+ PE Y+ PGP++ t+ 5 X+ R+++ tv-- b+ DI+++ D++ G++ e h++ r+++ z** From firewalls-owner Tue Jan 6 02:29:41 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA18243; Tue, 6 Jan 1998 02:22:04 -0800 (PST) Received: from promete.tetm.tubitak.gov.tr (promete.tetm.tubitak.gov.tr [193.140.80.8]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id CAA18140 for ; Tue, 6 Jan 1998 02:21:45 -0800 (PST) Received: from localhost by promete.tetm.tubitak.gov.tr; (5.65/1.1.8.2/27Dec95-0156PM) id AA26397; Tue, 6 Jan 1998 12:22:27 +0300 Date: Tue, 6 Jan 1998 12:22:27 +0300 (EET) From: Levent Yuce To: firewalls@GreatCircle.COM Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, I am new in this mailling list ,I am very interested in security ,I would like to receive some addresses about security and more info that you can send to my address. 
With my best wishes Levent yuce ylevent@tubitak.gov.tr From firewalls-owner Tue Jan 6 04:14:50 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id EAA00951; Tue, 6 Jan 1998 04:11:13 -0800 (PST) Received: from server-one ([207.0.213.4]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id EAA00944 for ; Tue, 6 Jan 1998 04:11:08 -0800 (PST) Received: from [207.0.213.5] by server-one (NTMail 3.02.13) with ESMTP id wa175704 for ; Tue, 6 Jan 1998 08:11:18 -0400 Reply-To: "Esteban Vasquez" From: "Esteban Vasquez" To: "BoB Miorelli" , Subject: Re: NT Web proxy server Date: Tue, 6 Jan 1998 08:11:21 -0400 Message-ID: <01bd1a9c$33439790$05d500cf@administrativo.iamnet.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.71.1712.3 X-MimeOLE: Produced By Microsoft MimeOLE V4.71.1712.3 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Try wingate at www.wingate.net -----Original Message----- From: BoB Miorelli To: firewalls@greatcircle.com Date: Lunes 5 de Enero de 1998 06:23 PM Subject: NT Web proxy server >Hi -- > >I'm looking for a Web proxy server that does caching for >my kid's school (K-8). The computer lab is networked >to a server which would run the proxy. The server >is a Pentium running NT 4.0. I'm looking for >recommendations on proxy server software from anyone >that is running it on NT 4.0 using a dialup-on-demand >type of setup. The only proxy servers for NT that >I am aware of are Microsoft and Netscape, but I'm >sure there are others. > >Any and all comments are welcome. > >Thanks. > >-->BoB > > >-->BoB Miorelli, Pratt & Whitney >miorelli@pweh.com >~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >In theory, theory and practice are the same; >in practice they are distinct. 
From firewalls-owner Tue Jan 6 04:59:34 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id EAA02281; Tue, 6 Jan 1998 04:54:19 -0800 (PST) Received: from mail-syd.atinet.com.au (atinet.com.au [203.35.110.3]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id EAA02267 for ; Tue, 6 Jan 1998 04:54:05 -0800 (PST) Received: from ppp-137.atinet.com.au (ppp-137.atinet.com.au [203.35.110.137]) by mail-syd.atinet.com.au (NTMail 3.02.13) with ESMTP id ba025637 for ; Tue, 6 Jan 1998 23:53:30 +1100 Received: from beethoven (beethoven.winspace.net [192.168.0.2]) by mozart.winspace.net (8.8.8/8.7.3) with SMTP id WAA23922; Tue, 6 Jan 1998 22:08:49 +1100 From: "Norman Widders" Date: Tue, 6 Jan 1998 22:08:59 +1000 (GMT) Subject: Re: Hardware for seperating LAN from dialouts To: Reply-To: Organization: Paladin Corporation Message-Id: X-Mailer: Paladin IMAP4 Client v2.33 In-Reply-To: <199801052220.JAA13462@magna.com.au> References: <199801052220.JAA13462@magna.com.au> Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Content-Transfer-Encoding: 7BIT Content-ID: X-Info: All Things Internet POP3 Server Sender: firewalls-owner@GreatCircle.COM Precedence: bulk hmmm further to seperating the LAN while dialing out with the modem.. quoting mjr, the only 100% solution is physically cutting the wire or words to that effect.. which is what the device is _supposed_ to do while the unix boxen is connected to the (C) Internet. -- wheres my valium ? 
From firewalls-owner Tue Jan 6 05:14:53 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id EAA02282; Tue, 6 Jan 1998 04:54:27 -0800 (PST) Received: from mail-syd.atinet.com.au (atinet.com.au [203.35.110.3]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id EAA02268 for ; Tue, 6 Jan 1998 04:54:10 -0800 (PST) Received: from ppp-137.atinet.com.au (ppp-137.atinet.com.au [203.35.110.137]) by mail-syd.atinet.com.au (NTMail 3.02.13) with ESMTP id ca025638 for ; Tue, 6 Jan 1998 23:53:33 +1100 Received: from beethoven (beethoven.winspace.net [192.168.0.2]) by mozart.winspace.net (8.8.8/8.7.3) with SMTP id WAA23861; Tue, 6 Jan 1998 22:02:19 +1100 From: "Norman Widders" Date: Tue, 6 Jan 1998 22:02:28 +1000 (GMT) Subject: Re: Hardware for seperating LAN from dialouts To: Reply-To: Organization: Paladin Corporation Message-Id: X-Mailer: Paladin IMAP4 Client v2.33 In-Reply-To: <199801052220.JAA13462@magna.com.au> References: <199801052220.JAA13462@magna.com.au> Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Content-Transfer-Encoding: 7BIT Content-ID: X-Info: All Things Internet POP3 Server Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

running win95 ? no
routing/forwarding ? no

The modem is on a BSD box that dials out, whether it has routing/forwarding or not is not the issue..

The issue is that the unix box _if_ it was taken over could be used to launch attacks against the LAN and internal servers...

another scenario mentioned is that if the box was compromised what's to stop the attacker enabling routing/forwarding, lowering all defences, and then forcing a reboot... next time it dials out.. wham !

A hardware device that physically disconnects the rj45 while the modem is alive sounds nice... ymmv

Who the hell gives users modems on their desk anyway, shoot first ask questions later, imho.

--
wheres my valium ?
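Added example, not part of any list message: a check for the condition this thread keeps returning to, a host with its LAN link and its dial-up link live at the same time, reported separately from whether IP forwarding is on. It assumes BSD-layout `ifconfig -a` text and the `net.inet.ip.forwarding` sysctl; the snapshots are constructed and the function names are illustrative.

```python
import re

# Constructed `ifconfig -a` snapshots in BSD layout (not captured from a real host).
LAN_ONLY = """\
ed0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.0.2 netmask 0xffffff00 broadcast 192.168.0.255
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
"""

# Same host after the modem has dialled out: ppp0 is UP and has an address.
DIALED_OUT = LAN_ONLY.replace(
    "ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500\n",
    "ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500\n"
    "        inet 192.0.2.7 --> 192.0.2.1 netmask 0xffffff00\n",
)

IFACE_RE = re.compile(r"^(\S+?):\s+flags=[0-9a-fA-F]+<([^>]*)>")
INET_RE = re.compile(r"^\s+inet\s+(\d+\.\d+\.\d+\.\d+)")
FWD_RE = re.compile(r"^net\.inet\.ip\.forwarding\s*[:=]\s*(\d+)\s*$", re.M)


def parse_ifconfig(text):
    """Return {name: {"flags": set of flag names, "addrs": [ipv4, ...]}}."""
    ifaces, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            flags = {f for f in m.group(2).split(",") if f}
            current = {"flags": flags, "addrs": []}
            ifaces[m.group(1)] = current
            continue
        m = INET_RE.match(line)
        if m and current is not None:
            current["addrs"].append(m.group(1))
    return ifaces


def live_links(ifaces):
    """Split live, addressed, non-loopback interfaces into (lan, dialup)."""
    lan, dialup = [], []
    for name, info in ifaces.items():
        flags = info["flags"]
        if "UP" not in flags or "LOOPBACK" in flags or not info["addrs"]:
            continue
        if "POINTOPOINT" in flags:
            dialup.append(name)      # modem / PPP style link
        elif "BROADCAST" in flags:
            lan.append(name)         # Ethernet style link
    return lan, dialup


def forwarding_state(sysctl_text):
    """True/False from sysctl output, or None when the value is absent."""
    m = FWD_RE.search(sysctl_text)
    return None if m is None else int(m.group(1)) != 0


def audit(ifconfig_text, sysctl_text):
    """Report dual connection independently of the forwarding setting."""
    lan, dialup = live_links(parse_ifconfig(ifconfig_text))
    findings = []
    if lan and dialup:
        # A compromised dual-connected host is already inside the LAN,
        # whether or not it forwards packets.
        findings.append("DUAL_CONNECTED")
    fwd = forwarding_state(sysctl_text)
    if fwd is None:
        findings.append("FORWARDING_UNKNOWN")
    elif fwd:
        findings.append("FORWARDING_ENABLED")
    return {"lan": lan, "dialup": dialup, "findings": findings}


if __name__ == "__main__":
    cases = [
        ("modem idle", LAN_ONLY, "net.inet.ip.forwarding: 0"),
        ("dialled out, forwarding off", DIALED_OUT, "net.inet.ip.forwarding: 0"),
        ("dialled out, forwarding on", DIALED_OUT, "net.inet.ip.forwarding: 1"),
    ]
    for label, ifc, ctl in cases:
        print(label, "->", audit(ifc, ctl)["findings"])
```

A clean result only describes the host at the moment of the snapshot, so the check belongs on a schedule run from outside the audited machine's control.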
From firewalls-owner Tue Jan 6 05:29:49 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id EAA02244; Tue, 6 Jan 1998 04:53:52 -0800 (PST) Received: from mail-gw1.fmso.navy.mil (mail-gw1.fmso.navy.mil [138.155.40.24]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id EAA02217 for ; Tue, 6 Jan 1998 04:53:43 -0800 (PST) Received: from 138.155.40.96 (moose.fmso.navy.mil [138.155.40.96]) by mail-gw1.fmso.navy.mil (8.8.5/8.6.12) with ESMTP id HAA21201 for ; Tue, 6 Jan 1998 07:06:44 -0500 Received: from fmso.navy.mil (unverified [138.155.40.100]) by 138.155.40.96 (Integralis SMTPRS 2.04) with SMTP id ; Tue, 06 Jan 1998 07:49:06 -0500 Received: from ccMail by fmso.navy.mil (IMA Internet Exchange 2.12 Enterprise) id 00062295; Tue, 6 Jan 1998 07:55:41 -0500 MIME-Version: 1.0 Date: Tue, 6 Jan 1998 07:49:23 -0500 Message-Id: <00062295.001261@mech.disa.mil> From: RANDAL_LATHROP@mech.disa.mil (RANDAL LATHROP) Subject: Re[2]: Hardware for seperating LAN from dialouts To: Ian KC Worrell , Ian Krieger Cc: firewalls@greatcircle.com Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Description: cc:Mail note part Sender: firewalls-owner@GreatCircle.COM Precedence: bulk With Windows 95 (even WfWg 3.11) you can have multiple network interfaces each with a separate IP address and IP packets will be routed properly. For this to work, you must set up a static routing table. For the situation described below you can reach both the LAN through the network card and the Internet through the modem simultaneously. If the LAN does not have any connectivity to the Internet, the default router would be out through the modem connection. Static routes must be set up for IP addresses on the LAN that are on different network segments than your network card. Windows 95 will not learn dynamic routes and it will not forward IP packets. 
If you set the "Enable IP Routing" checkbox in TCP/IP properties on a Windows 95 system, you will lock-up it when it is restarted (back up your registry before doing this). ______________________________ Reply Separator _________________________________ Subject: Re: Hardware for seperating LAN from dialouts Author: Ian Krieger at internet-emh1 Date: 1/6/98 9:20 AM Sorry I may be mistaken but most users would be running windows 95 on their laptops and desktops in offices, sorry guys, Win95 dosen't support IP routing,like there's a supprise, hence you would not need to overly worry about having to sever you network connection when wanting to retrieve mail every once and again. If I have misunderstood the question / query, well hey I'm only human. Ian. At 11:05 AM 1/5/98 -0400, you wrote: >I use my lap top in the office, and it has both a network card and a modem >in it. As my office network is on a different IP address range that my >Internet Connection, I can actually have both connected at the same time! > >There seems to be no problem with the routing at all! > >Ian > >At 10:10 AM 1/5/98 +1000, Norman Widders wrote: >>Just wondered if anybody has used those hardware devices >>that disable LAN connections while a modem dials out >>to the Internet. >> >>It detects when the modem is active thus severing the >>link to the LAN physically and reconnects the LAN >>once the modem has disconnected from the LAN. >> >>The device is connected to both the modem and LAN and >>sounds good in theory and I am just wondering >>what other peoples experience with these are, at $85 >>it is an ideal solution for small organisations >>that just want to poll their ISP a few times a day >>for email. >> >>-- >>Wheres my valium ? >> >> >> >> > > > ---------------------------------------------------------------- Ian W Krieger IanK@Magna.com.au "qlm tera'ngan!" - Translated from Klingon "Attention Earther!" 
From firewalls-owner Tue Jan 6 05:44:55 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id EAA02432; Tue, 6 Jan 1998 04:58:30 -0800 (PST) Received: from mail-gw1.fmso.navy.mil (mail-gw1.fmso.navy.mil [138.155.40.24]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id EAA02421 for ; Tue, 6 Jan 1998 04:58:23 -0800 (PST) Received: from 138.155.40.96 (moose.fmso.navy.mil [138.155.40.96]) by mail-gw1.fmso.navy.mil (8.8.5/8.6.12) with ESMTP id HAA21409 for ; Tue, 6 Jan 1998 07:11:26 -0500 Received: from fmso.navy.mil (unverified [138.155.40.100]) by 138.155.40.96 (Integralis SMTPRS 2.04) with SMTP id ; Tue, 06 Jan 1998 07:53:06 -0500 Received: from ccMail by fmso.navy.mil (IMA Internet Exchange 2.12 Enterprise) id 000622BB; Tue, 6 Jan 1998 07:59:18 -0500 MIME-Version: 1.0 Date: Tue, 6 Jan 1998 07:52:57 -0500 Message-Id: <000622BB.001261@mech.disa.mil> From: RANDAL_LATHROP@mech.disa.mil (RANDAL LATHROP) Subject: Re[2]: Hardware for seperating LAN from dialouts To: iank@magna.com.au, "Ryan Russell" Cc: ian@sunbeach.net, firewalls@greatcircle.com Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Description: cc:Mail note part Sender: firewalls-owner@GreatCircle.COM Precedence: bulk But this is true only if you are running a service (daemon) that can be exploited. If you do not share any resources on your system, are not running FTPD, TELNETD, or HTTPD, what else is running that can be subverted for illicit use? Randal ______________________________ Reply Separator _________________________________ Subject: Re: Hardware for seperating LAN from dialouts Author: "Ryan Russell" at internet-emh1 Date: 1/5/98 4:00 PM Actually, Win95 DOES support routing. And, I'm told it even works in OSR2. The point is, it doesn't need to route. If you're connected to the Internet & your LAN at the same time, and I break into your machine (via the Internet,) I now have control of a machine on your LAN. 
It's against MY company policy... as the saying goes, your paranoia level may vary.. Ryan iank@magna.com.au on 01/05/98 02:20:58 PM To: ian@sunbeach.net cc: firewalls@GreatCircle.COM (bcc: Ryan Russell/SYBASE) Subject: Re: Hardware for seperating LAN from dialouts Sorry I may be mistaken but most users would be running windows 95 on their laptops and desktops in offices, sorry guys, Win95 dosen't support IP routing,like there's a supprise, hence you would not need to overly worry about having to sever you network connection when wanting to retrieve mail every once and again. If I have misunderstood the question / query, well hey I'm only human. Ian. At 11:05 AM 1/5/98 -0400, you wrote: >I use my lap top in the office, and it has both a network card and a modem >in it. As my office network is on a different IP address range that my >Internet Connection, I can actually have both connected at the same time! > >There seems to be no problem with the routing at all! > >Ian > >At 10:10 AM 1/5/98 +1000, Norman Widders wrote: >>Just wondered if anybody has used those hardware devices >>that disable LAN connections while a modem dials out >>to the Internet. >> >>It detects when the modem is active thus severing the >>link to the LAN physically and reconnects the LAN >>once the modem has disconnected from the LAN. >> >>The device is connected to both the modem and LAN and >>sounds good in theory and I am just wondering >>what other peoples experience with these are, at $85 >>it is an ideal solution for small organisations >>that just want to poll their ISP a few times a day >>for email. >> >>-- >>Wheres my valium ? >> >> >> >> > > > ---------------------------------------------------------------- Ian W Krieger IanK@Magna.com.au "qlm tera'ngan!" - Translated from Klingon "Attention Earther!" 
From firewalls-owner Tue Jan 6 07:01:09 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA09711; Tue, 6 Jan 1998 05:41:57 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id FAA09693 for ; Tue, 6 Jan 1998 05:41:49 -0800 (PST) Received: from m6.sprynet.com by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id FAA20037; Tue, 6 Jan 1998 05:40:35 -0800 (PST) Received: from zepher (hdn88-048.hil.compuserve.com [206.175.98.48]) by m6.sprynet.com (8.6.12/8.6.12) with SMTP id FAA25976; Tue, 6 Jan 1998 05:41:25 -0800 Message-Id: <3.0.3.32.19980106084416.006a2dd8@m6.sprynet.com> X-Sender: jsk347@m6.sprynet.com X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Tue, 06 Jan 1998 08:44:16 -0500 To: Kerry Jones , firewalls@GreatCircle.COM From: Steve Kruse Subject: Re: DNS on firewall?? In-Reply-To: <34B1C8DC.2BE94D49@aims.gov.au> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

At 04:02 PM 1/6/98 +1000, Kerry Jones wrote:
>Hi,
>
>Simple question. Is it a good idea to run a DNS server on a
>Firewall?????
>
> ((((stuff deleted)))
>--
>Kerry Jones
>kjones@aims.gov.au
>

Kerry:

Speaking "as a general rule", it would be far better to put your internal DNS on your private net and NOT on the firewall. Let the firewall be a firewall...not an application server, and that includes DNS. There are, I believe, some firewalls out there that have a "secure(???)" version of DNS that is built into them and for that, I suppose it would be OK, but unless you have one of those, I would not put it on. Far better to err on the side of safety than to save a little bit of money for the cost of a PC to run your DNS behind the firewall. Once you put your internal DNS up, some simple rules will allow the DNS traffic to get through.

My US$.02...your mileage may vary.
Steve Kruse
Milkyway Networks

From firewalls-owner Tue Jan 6 07:31:09 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA15416; Tue, 6 Jan 1998 06:07:38 -0800 (PST)
Received: from gargoyle.clark.net (gargoyle.clark.net [168.143.0.250]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id GAA15239 for ; Tue, 6 Jan 1998 06:06:58 -0800 (PST)
Received: (qmail 24606 invoked by uid 500); 6 Jan 1998 14:13:13 -0000
Date: Tue, 6 Jan 1998 09:13:12 -0500 (EST)
From: "Paul D. Robertson"
X-Sender: proberts@gargoyle
To: RANDAL LATHROP
cc: Ian KC Worrell , Ian Krieger , firewalls@GreatCircle.COM
Subject: Re: Re[2]: Hardware for seperating LAN from dialouts
In-Reply-To: <00062295.001261@mech.disa.mil>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 6 Jan 1998, RANDAL LATHROP wrote:

> With Windows 95 (even WfWg 3.11) you can have multiple network
> interfaces each with a separate IP address and IP packets will be
> routed properly. For this to work, you must set up a static routing
> table. For the situation described below you can reach both the LAN

*Or* you need to have a program that does routing. The Win95 original beta included such code. I doubt that it would be that difficult to hack up something either.

> Windows 95 will not learn dynamic routes and it will not forward IP
> packets. If you set the "Enable IP Routing" checkbox in TCP/IP
^
By default, as shipped.

Unless you have total control over the machine configuration, especially during Internet usage, it is best not to rely on its configuration for security.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
PSB#9280

From firewalls-owner Tue Jan 6 07:58:04 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA08867; Tue, 6 Jan 1998 05:37:52 -0800 (PST)
Received: from mailserver1.mdc.com (MAILSERVER1.LGB.CAL.BOEING.COM [129.200.140.50]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id FAA08820 for ; Tue, 6 Jan 1998 05:37:40 -0800 (PST)
Received: by MAILSERVER1.MDC.COM with Internet Mail Service (5.0.1458.49) id ; Tue, 6 Jan 1998 07:39:49 -0600
Message-ID:
From: "Waegner.Rick"
To: firewalls@GreatCircle.COM, "'Franklin R. Jones'"
Subject: RE: FW-1 3.0 and Solaris 2.6 ok?
Date: Tue, 6 Jan 1998 07:39:47 -0600
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1458.49)
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We are currently implementing FW-1 v3.0 on a solaris 2.6 platform and have had problems. Yes, Solaris 2.6 is "supported" but not by the FW-1 package that will be delivered to you, you must download all of the packages that make up the "FW-1 V3.0 b" (DES, FW-1, Motif Intfc, etc...). If you install 3.0 on Solaris 2.6, the machine will get stuck in a reboot cycle that can only be fixed with a reload of the OS. FW-1 V3.0 will mangle /etc/rcS.d/S30rootusr.sh upon install and reboot. Once this "bug" is fixed with the downloaded 3.0b, it seems to be very stable.

Rick Waegner
The Boeing Company
UNIX Sysadmin
richard.a.waegner@boeing.com
281.283.5485

> ----------
> From: Franklin R. Jones
> Sent: Monday, January 5, 1998 15:00
> To: firewalls@GreatCircle.COM
> Subject: Re: FW-1 3.0 and Solaris 2.6 ok?
>
> Sergio Bollini wrote:
>
> > Does anybody know if FW-1 3.0b will work correctly on Solaris 2.6? Is
> > there any issues or unsolved problems?
> > TIA
>
> No hands on as of yet, but 2.6 is listed as "supported" OS
> rev for V3. I haven't run into any problems application-wise upgrading
> to 2.6 from 2.5.x, so my feelings are that it would be a reliable
> config. There is a recommended patch cluster out for 2.6 which includes
> several (8 or 9) security patches for various things and I would
> recommend installing the cluster.
>
> fj..
>

From firewalls-owner Tue Jan 6 08:00:22 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA18264; Tue, 6 Jan 1998 06:20:18 -0800 (PST)
Received: from gargoyle.clark.net (gargoyle.clark.net [168.143.0.250]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id GAA18251 for ; Tue, 6 Jan 1998 06:20:12 -0800 (PST)
Received: (qmail 24644 invoked by uid 500); 6 Jan 1998 14:26:32 -0000
Date: Tue, 6 Jan 1998 09:26:32 -0500 (EST)
From: "Paul D. Robertson"
X-Sender: proberts@gargoyle
To: RANDAL LATHROP
cc: iank@magna.com.au, Ryan Russell , ian@sunbeach.net, firewalls@GreatCircle.COM
Subject: Re: Re[2]: Hardware for seperating LAN from dialouts
In-Reply-To: <000622BB.001261@mech.disa.mil>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 6 Jan 1998, RANDAL LATHROP wrote:

> But this is true only if you are running a service (daemon) that can
> be exploited. If you do not share any resources on your system, are

Or a client that can be exploited, or if portions of the OS can be exploited...

If you've got a few thousand users, and you have enough control over the OS, stack, clients, and configuration, as well as a way to audit that, then you're doing well enough to probably not worry about it.

For the real world, it's *trivially* easy to get a user to load (a) a demo for finance/mailroom/logistics/pick_a_target, or (b) a game, or extension to Quake, or (c) New version of a browser, E-mail client, or IRC program. If it's done right, most of them will get the IS people to lend them a modem for the duration of the attack... er demo.

How many places go through testing new Internet clients on a test bed with modems, LAN cards, and record and decode the traffic?
How many places have enough control over their user population to specify client versions, and distribution channels? Probably about as many who run virus susceptible systems with no scanners, no protection, and who get zero incidents.

Next time you see a virus, ask yourself what would have happened if that was a sleeping trojan...

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
PSB#9280

From firewalls-owner Tue Jan 6 08:50:01 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA09136; Tue, 6 Jan 1998 08:08:38 -0800 (PST)
Received: from relay6.UU.NET (relay6.UU.NET [192.48.96.16]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id IAA09123 for ; Tue, 6 Jan 1998 08:08:32 -0800 (PST)
Received: from maestro.Maestro.COM by relay6.UU.NET with SMTP (peer crosschecked as: [198.102.66.11]) id QQdxee25252; Tue, 6 Jan 1998 11:08:50 -0500 (EST)
Received: from localhost by maestro.Maestro.COM (4.1/MAESTRO-0.1/07-03-93) id AA04699; Tue, 6 Jan 98 11:05:03 EST
Date: Tue, 6 Jan 1998 11:05:03 -0500 (EST)
From: Sick Puppy
To: firewalls@GreatCircle.com
Subject: Wannabe needs a good book
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Over the past few years our educational research has provided us with a great deal of information on Internet services, operating systems and various protocols. However, all of it is very narrowly focused and platform specific. One of our wannabes, ChewYou, (oriental as the name implies), needs a good top down introduction to networking. Sorry to say we have nothing like that. Can someone please suggest a good book on the general topic of networking, with some emphasis on TCP/IP, that we can steal?
SP, tCED

From firewalls-owner Tue Jan 6 09:01:15 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA09492; Tue, 6 Jan 1998 05:40:30 -0800 (PST)
Received: from maildeliver0.tiac.net (maildeliver0.tiac.net [199.0.65.19]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id FAA09448 for ; Tue, 6 Jan 1998 05:40:17 -0800 (PST)
Received: from www.hollyfeld.org (root@dns.hollyfeld.org [204.130.199.1]) by maildeliver0.tiac.net (8.8.7/8.8) with ESMTP id IAA15661; Tue, 6 Jan 1998 08:40:34 -0500 (EST)
Received: from www.hollyfeld.org (www.hollyfeld.org [204.130.199.143]) by www.hollyfeld.org (8.8.4/8.8.4) with SMTP id IAA17373; Tue, 6 Jan 1998 08:40:55 -0500
Date: Tue, 6 Jan 1998 08:40:54 -0500 (EST)
From: Daniel Garcia
To: MYundt
cc: firewalls@GreatCircle.COM
Subject: Re: tocom
In-Reply-To: <6dda8f0f.34b1d341@aol.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 6 Jan 1998, MYundt wrote:

> I have a tocom 5507 and I was wondering about a replacement

And you asked about this on the firewalls list because....
--Dg

From firewalls-owner Tue Jan 6 09:02:27 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA19212; Tue, 6 Jan 1998 08:53:43 -0800 (PST)
Received: from starbase.tos.net (starbase.tos.net [208.137.47.1]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id IAA19155 for ; Tue, 6 Jan 1998 08:53:11 -0800 (PST)
Received: (from mail@localhost) by starbase.tos.net (8.8.4/8.8.4) id KAA28389 for ; Tue, 6 Jan 1998 10:53:56 -0600
Message-Id: <199801061653.KAA28389@starbase.tos.net>
Received: from unknown(172.16.1.147) by starbase.tos.net via smap (V1.3) id sma028385; Tue Jan 6 10:53:46 1998
X-Sender: macgyver@smtp.tos.net
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0
Date: Tue, 06 Jan 1998 10:50:13 -0600
To: Firewalls Mailing List
From: MacGyver
Subject: Re: Bank Security
In-Reply-To:
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 02:35 AM 1/6/98 -0500, you wrote:
>Ming Lu wrote:
>>
>>I am looking for any info regarding bank security requirements (I know that
>>it is a kind of sensitive...:-)) and implementations. It would be greatly
>>appreciated if anyone can help on this.
>

Another software solution you might wish to consider:

http://www.datafellows.com

They provide high-grade crypto solutions both in the US and abroad. They offer a web-server add-on of sorts that allows you to employ encryption levels up to 2048 bit. Of course you pay for this flexibility with the high prices...

From firewalls-owner Tue Jan 6 09:11:21 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA19913; Tue, 6 Jan 1998 08:58:09 -0800 (PST)
Received: from starbase.tos.net (starbase.tos.net [208.137.47.1]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id IAA19839 for ; Tue, 6 Jan 1998 08:57:51 -0800 (PST)
Received: (from mail@localhost) by starbase.tos.net (8.8.4/8.8.4) id KAA28419 for ; Tue, 6 Jan 1998 10:58:56 -0600
Message-Id: <199801061658.KAA28419@starbase.tos.net>
Received: from unknown(172.16.1.147) by starbase.tos.net via smap (V1.3) id sma028417; Tue Jan 6 10:58:26 1998
X-Sender: macgyver@smtp.tos.net
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0
Date: Tue, 06 Jan 1998 10:54:53 -0600
To: Firewalls Mailing List
From: MacGyver
Subject: Stateful Inspection Anyone?
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi folks,

I've been wondering this for a while, but just haven't gotten around to asking anyone yet:

Checkpoint's Firewall-1 has a feature known as "stateful inspection" which they tout as the end-all and be-all of packet-filtering and inspection. Anyone had any experience in using this feature or have any thoughts regarding stateful inspection? How large of a performance impact is there when stateful inspection is enabled? Are the gains worth the added load?

Hope this spurs some interesting discussion.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Habeeb J. Dihu
Managing Senior Technologist
Cirrus Technologies

'I don't believe in the no-win scenario'
    -- Captain James T. Kirk, Star Trek II: TWK

'There is an old Vulcan proverb, `Only Nixon could go to China.`'
    -- Captain Spock, Star Trek VI: TUC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From firewalls-owner Tue Jan 6 09:13:31 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA05013; Tue, 6 Jan 1998 07:43:56 -0800 (PST)
Received: from mco.edu (mco004.mco.edu [136.247.10.56]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id HAA04998 for ; Tue, 6 Jan 1998 07:43:49 -0800 (PST)
Received: from mco-Message_Server by mco.edu with Novell_GroupWise; Tue, 06 Jan 1998 10:42:39 -0500
Message-Id:
X-Mailer: Novell GroupWise 4.1
Date: Tue, 06 Jan 1998 10:42:30 -0500
From: Jeff Zarend
To: firewalls@greatcircle.com
Subject: AHTTPD.LOG filling up
Mime-Version: 1.0
Content-Type: text/plain
Content-Disposition: inline
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm having a problem with Firewall-1's AHTTPD.LOG looping & filling up the system disk drive. This is on NT 4.0. Is or has anyone else experienced this?

Jeff Zarend
Systems Manager
Medical College of Ohio
jzarend@mco.edu

From firewalls-owner Tue Jan 6 09:15:39 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA04376; Tue, 6 Jan 1998 07:40:19 -0800 (PST)
Received: from hq.si.net (hq.si.net [192.156.192.10]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id HAA04317 for ; Tue, 6 Jan 1998 07:40:05 -0800 (PST)
Received: from hq.si.net (hq [192.156.192.10]) by hq.si.net (8.8.5/8.7.3) with SMTP id KAA29131; Tue, 6 Jan 1998 10:42:08 -0500 (EST)
Date: Tue, 6 Jan 1998 10:42:08 -0500 (EST)
From: Ming Lu
To: Kerry Jones
cc: firewalls@GreatCircle.COM
Subject: Re: DNS on firewall??
In-Reply-To: <34B1C8DC.2BE94D49@aims.gov.au>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

If you don't use split DNS, I don't see the real difference between putting both dns servers on DMZ and one on firewall, another in the DMZ. Actually put primary one on the firewall and put the secondary on DMZ would be better choice than both of them on DMZ.

_ming

On Tue, 6 Jan 1998, Kerry Jones wrote:

> Hi,
>
> Simple question. Is it a good idea to run a DNS server on a
> Firewall?????
>
> AUNIC require at least 2 DNS servers, so I am trying to decide where to
> configure the 2nd DNS server for our domain (Primary one is currently on
> the DMZ). Will putting the secondary DNS on the firewall create a
> security hole in the Firewall which would best be avoided????????
> Is it acceptable (secure) to put the DNS and other services (e.g.
> http/ftp) on the Firewall??
>
> What do you think??
> What are your opinions??
>
> I have a fairly standard setup as follows;
>
>        Internet
>           |
>         router
>           |
>        firewall - dmz (1 machine: http/ftp/dns)
>           |
>        internal network.
>
> --
> Kerry Jones
> kjones@aims.gov.au
>
>

From firewalls-owner Tue Jan 6 09:15:50 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA21714; Tue, 6 Jan 1998 09:07:21 -0800 (PST)
Received: from hq.si.net (hq.si.net [192.156.192.10]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id JAA21698 for ; Tue, 6 Jan 1998 09:07:15 -0800 (PST)
Received: from hq.si.net (hq [192.156.192.10]) by hq.si.net (8.8.5/8.7.3) with SMTP id MAA00208; Tue, 6 Jan 1998 12:09:18 -0500 (EST)
Date: Tue, 6 Jan 1998 12:09:18 -0500 (EST)
From: Ming Lu
To: BoB Miorelli
cc: firewalls@GreatCircle.COM
Subject: Re: NT Web proxy server
In-Reply-To: <34b1435f0.1464@clbdev2.eh.pweh.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

You can use Squid, which is free and VERY easy to set up; http://squid.nlant.net/Squid. It is VERY FAST. Sun's new web cache server based on this code (because of its performance). OS platform you can use either Linux (free) or Solaris x86 (take a look at http://www.standishgroup.com/syst.html).

As to the hardware, you can use 486 or better with at least 64 M RAM; At least 2G hard disk space (it really depends on a lot of other factors, such as cache expiration time, etc.) just for cache itself (1 G would be more than enough for UNIX OS, unless you would like to do something else on the same machine).

As to the 04/19/97, squid had been ported to OS/2 Warp platform. I am sure that someone may also have ported it to NT, if NT is really your favored platform...:-). Drop a mail to squid-users@nlanr.net, someone will help you out on this.

If you need help on UNIX platforms, I would be more than glad to help.

_ming

On Mon, 5 Jan 1998, BoB Miorelli wrote:

> Hi --
>
> I'm looking for a Web proxy server that does caching for
> my kid's school (K-8). The computer lab is networked
> to a server which would run the proxy. The server
> is a Pentium running NT 4.0. I'm looking for
> recommendations on proxy server software from anyone
> that is running it on NT 4.0 using a dialup-on-demand
> type of setup. The only proxy servers for NT that
> I am aware of are Microsoft and Netscape, but I'm
> sure there are others.
>
> Any and all comments are welcome.
>
> Thanks.
>
> -->BoB
>
>
> -->BoB Miorelli, Pratt & Whitney
> miorelli@pweh.com
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> In theory, theory and practice are the same;
> in practice they are distinct.
>

From firewalls-owner Tue Jan 6 09:30:04 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA08260; Tue, 6 Jan 1998 08:03:51 -0800 (PST)
Received: from mtigwc04.worldnet.att.net (mtigwc04.worldnet.att.net [204.127.131.33]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id IAA08229 for ; Tue, 6 Jan 1998 08:03:42 -0800 (PST)
From: mht@clark.net
Received: from highlander ([12.68.19.215]) by mtigwc04.worldnet.att.net (post.office MTA v2.0 0613 ) with SMTP id AAA24167; Tue, 6 Jan 1998 16:04:01 +0000
Message-Id: <3.0.3.32.19980106110133.03931100@pop3.clark.net>
X-Sender: mht@pop3.clark.net
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Tue, 06 Jan 1998 11:01:33 -0500
To: "Steve Jackson Brown" ,
Subject: Re: SessionWall 3 release 2 vs Network Flight Recorder??
In-Reply-To: <199801060410.XAA10773@mail.atl.bellsouth.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Another article that needs mentioning is

Network Magazine
October, 1997
www.network-mag.com

"Detecting Network Intruders"

:)

At 11:04 PM 1/5/98 -0500, Steve Jackson Brown wrote:
>
>
>
>> Yes, I tend to agree with you on that. RealSecure is a very powerful
>> tool, but it requires a clear understanding in what options you
>> choose in a particular environment when using it..
>
>Here are two Abirnet vs. RealSecure comparisons I found on ww.zdnet.com:
>
>http://www.zdnet.com/pcweek/reviews/0421/21wall.html
>and
>http://www.zdnet.com/pcweek/reviews/0929/29wall.html
>
>It looks to me from the review that one is a swiss-army knife that watches
>all kind of network
>issues and one is optimized for network security. Read the reviews to form
>your own opinion. In
>searching for comparisons, the most recent Top Technology Picks for '97 of
>PC Week was IDS technology:
>
>http://www.zdnet.com/pcweek/sr/1222/22netb.html
>
>So far now, 2 magazines picked IDS as a top technology released in 1997. It
>will be interesting to find
>out what new technology is going to be released in 1998. Anyone know of
>any reviews of other IDS
>systems?
>
>> Overall, I wish one of the local trades magazines would initiate a
>> Consumer Report comparison of the current IDS tools or "clue-
>> gathering tools" available and new ones that are emerging... (HINT,
>> HINT)
>
>Is NFR really an intrusion detection system? From the web site,
>www.nfr.com,
>
>"NFRs provide valuable information about the growth of your network, its
>usage patterns, bottlenecks and potential mis-configurations, and more.
>Imagine the usefulness of being able to learn how any aspect of your
>network has changed over time! NFR also lets you store and browse data you
>want to gather as it passes through or within your network."
>
>This description seems like performance monitoring and network traffic
>policy monitoring. It's probably possible someone could build an intrusion
>detection system with NFR. NFR itself does not seem like
>an intrusion detection package.
>
>Maybe CSI or NCSA could do the "Consumer Reports" of IDS tools.
>
>

From firewalls-owner Tue Jan 6 09:45:15 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA03512; Tue, 6 Jan 1998 07:35:13 -0800 (PST)
Received: from gate.eds.de (gate.eds.de [204.71.114.5]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id HAA03462 for ; Tue, 6 Jan 1998 07:34:49 -0800 (PST)
Received: from online.ols.de.eds.com (ep160768.ols.de.eds.com) by gate.eds.de with SMTP id AA14749 (InterLock SMTP Gateway 3.0 for ); Tue, 6 Jan 1998 15:34:18 GMT
Received: from ep161081 (ep161081.ols.de.eds.com [134.46.190.55]) by online.ols.de.eds.com (8.8.8/8.8.8) with SMTP id RAA26818; Tue, 6 Jan 1998 17:38:46 +0100
Message-Id: <3.0.3.32.19980106163903.0091b100@mail.ols.de.eds.com>
X-Sender: bzwrdw@mail.ols.de.eds.com
X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.3 (32)
Date: Tue, 06 Jan 1998 16:39:03 +0100
To: RANDAL_LATHROP@mech.disa.mil (RANDAL LATHROP)
From: Oliver Kubis
Subject: Re: Re[2]: Hardware for seperating LAN from dialouts
Cc: firewalls@greatcircle.com, ryanr@sybase.com
In-Reply-To: <000622BB.001261@mech.disa.mil>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

IMHO, dangers differ from the type of operating system and services of the machine the modem is attached to. A unix, carrying a number of additional services, might be more vulnerable to attack than a 'simple' standard PC, not running any of those services.

What happens to services on connected systems (PC is connected to a LAN, which might have a ftp server somewhere...) - do you think the PC with ip forwarding/routing could be an entry point to attack other computers on the attached network?

Apart from any services being used for illicit use, could other risks arise from people sniffing on network traffic that passes the exposed computer? Do you think that's possible?
-- Oliver

PS: A fuzzy search of the firewall archives (at http://www.nexial.nl/cgi-bin/firewalls) returned some interesting hints on the potential dangers of dial-out connections with parallel LAN connection - I searched for "forwarding dial modems" and got some good results.

---------------

At 07:52 06.01.98 -0500, you wrote:
> But this is true only if you are running a service (daemon) that can
> be exploited. If you do not share any resources on your system, are
> not running FTPD, TELNETD, or HTTPD, what else is running that can be
> subverted for illicit use?
>
>
> Randal
>
>
>______________________________ Reply Separator _________________________________
>Subject: Re: Hardware for seperating LAN from dialouts
>Author: "Ryan Russell" at internet-emh1
>Date: 1/5/98 4:00 PM
>
>
>
>Actually, Win95 DOES support routing. And, I'm told it
>even works in OSR2.
>
>The point is, it doesn't need to route. If you're connected to
>the Internet & your LAN at the same time, and I break into
>your machine (via the Internet,) I now have control of a machine on
>your LAN.
>
>It's against MY company policy... as the saying goes,
>your paranoia level may vary..
>
> Ryan
>
>
>
>
>
>iank@magna.com.au on 01/05/98 02:20:58 PM
>
>To: ian@sunbeach.net
>cc: firewalls@GreatCircle.COM (bcc: Ryan Russell/SYBASE)
>Subject: Re: Hardware for seperating LAN from dialouts
>
>
>
>
>Sorry I may be mistaken but most users would be running Windows 95 on their
>laptops and desktops in offices, sorry guys, Win95 doesn't support IP
>routing, like there's a surprise, hence you would not need to overly worry
>about having to sever your network connection when wanting to retrieve mail
>every once and again.
>If I have misunderstood the question / query, well hey I'm only human.
>
>Ian.
>At 11:05 AM 1/5/98 -0400, you wrote:
>>I use my lap top in the office, and it has both a network card and a modem
>>in it. As my office network is on a different IP address range than my
>>Internet Connection, I can actually have both connected at the same time!
>>
>>There seems to be no problem with the routing at all!
>>
>>Ian
>>
>>At 10:10 AM 1/5/98 +1000, Norman Widders wrote:
>>>Just wondered if anybody has used those hardware devices
>>>that disable LAN connections while a modem dials out
>>>to the Internet.
>>>
>>>It detects when the modem is active thus severing the
>>>link to the LAN physically and reconnects the LAN
>>>once the modem has disconnected from the LAN.
>>>
>>>The device is connected to both the modem and LAN and
>>>sounds good in theory and I am just wondering
>>>what other people's experience with these are, at $85
>>>it is an ideal solution for small organisations
>>>that just want to poll their ISP a few times a day
>>>for email.
>>>
>>>--
>>>Wheres my valium ?
>>>
>>>
>>>
>>>
>>
>>
>>
>----------------------------------------------------------------
>Ian W Krieger IanK@Magna.com.au
>"qlm tera'ngan!" - Translated from Klingon "Attention Earther!"

--
Oliver Kubis
EDS Electronic Data Systems Industrien (Deutschland) GmbH
Phone +49-6142-80-2942 Fax +49-6142-80-1755
Email oliverk@ols-eds.de
PGP key fingerprint = C1 ED 3E E0 95 B5 05 28 A4 A4 E5 72 33 A7 20 B0
"It's a small world, unless you have to clean it." - Roger Wilco

From firewalls-owner Tue Jan 6 11:57:07 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA22453; Tue, 6 Jan 1998 11:33:22 -0800 (PST)
Received: from mailserver1.mdc.com (MAILSERVER1.LGB.CAL.BOEING.COM [129.200.140.50]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id LAA22356 for ; Tue, 6 Jan 1998 11:33:00 -0800 (PST)
Received: by MAILSERVER1.MDC.COM with Internet Mail Service (5.0.1458.49) id ; Tue, 6 Jan 1998 13:35:09 -0600
Message-ID:
From: "Waegner.Rick"
To: "'Franklin R. Jones'"
Cc: firewalls@greatcircle.com
Subject: RE: FW-1 3.0 and Solaris 2.6 ok?
Date: Tue, 6 Jan 1998 13:35:06 -0600
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1458.49)
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

fj,

No, they are not on the release cd YET!!! You can download them from the sun web site. We did not know about the "bug" until AFTER we paid xxxx.xx for it! I was NOT very happy. Let me know how it goes!

Rick Waegner
The Boeing Company
UNIX Sysadmin
richard.a.waegner@boeing.com
281.283.5485

> ----------
> From: Franklin R. Jones
> Sent: Tuesday, January 6, 1998 13:54
> To: Waegner.Rick
> Cc: firewalls@greatcircle.com
> Subject: Re: FW-1 3.0 and Solaris 2.6 ok?
>
> Waegner.Rick wrote:
> >
> > We are currently implementing FW-1 v3.0 on a solaris 2.6 platform and
> > have had problems. Yes, Solaris 2.6 is "supported" but not by the FW-1
> > package that will be delivered to you, you must download all of the
> > packages that make up the "FW-1 V3.0 b" (DES, FW-1, Motif Intfc,
> > etc...). If you install 3.0 on Solaris 2.6, the machine will get stuck
> > in a reboot cycle that can only be fixed with a reload of the OS. FW-1
>
> ouch!
>
> > V3.0 will mangle /etc/rcS.d/S30rootusr.sh upon install and reboot. Once
> > this "bug" is fixed with the downloaded 3.0b, it seems to be very
> > stable.
>
> Thanks for the heads up, Rick. I'm about to head down that trail myself.
> You make reference to all the packages that make up V3.0b, are these
> FW1 patches (e.g. from the sun web site) or FW1 product packages (on
> the release CD)?
>
> also nice that they make no mention of this problem in the install
> docs that I've seen...
>
> fj..
>

From firewalls-owner Tue Jan 6 11:59:37 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA13752; Tue, 6 Jan 1998 10:55:51 -0800 (PST)
Received: from deimos.frii.com (deimos.frii.com [208.146.240.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id KAA13582 for ; Tue, 6 Jan 1998 10:55:17 -0800 (PST)
Received: from ralph (ralph.ball.com [162.18.91.40]) by deimos.frii.com (8.8.5/8.8.4) with SMTP id LAA15975; Tue, 6 Jan 1998 11:54:52 -0700 (MST)
Message-ID: <34B27DEA.61EF@frii.com>
Date: Tue, 06 Jan 1998 11:54:34 -0700
From: "Franklin R. Jones"
Organization: Wyldwood Computing
X-Mailer: Mozilla 3.04 (X11; I; SunOS 5.5.1 sun4u)
MIME-Version: 1.0
To: "Waegner.Rick"
CC: firewalls@greatcircle.com
Subject: Re: FW-1 3.0 and Solaris 2.6 ok?
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Waegner.Rick wrote:
>
> We are currently implementing FW-1 v3.0 on a solaris 2.6 platform and
> have had problems. Yes, Solaris 2.6 is "supported" but not by the FW-1
> package that will be delivered to you, you must download all of the
> packages that make up the "FW-1 V3.0 b" (DES, FW-1, Motif Intfc,
> etc...). If you install 3.0 on Solaris 2.6, the machine will get stuck
> in a reboot cycle that can only be fixed with a reload of the OS. FW-1

ouch!

> V3.0 will mangle /etc/rcS.d/S30rootusr.sh upon install and reboot. Once
> this "bug" is fixed with the downloaded 3.0b, it seems to be very
> stable.

Thanks for the heads up, Rick. I'm about to head down that trail myself. You make reference to all the packages that make up V3.0b, are these FW1 patches (e.g. from the sun web site) or FW1 product packages (on the release CD)?

also nice that they make no mention of this problem in the install docs that I've seen...

fj..

From firewalls-owner Tue Jan 6 13:06:29 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA01567; Tue, 6 Jan 1998 07:22:58 -0800 (PST)
Received: from ALABAMA.CF.CS.YALE.EDU (RT-GW.CS.YALE.EDU [128.36.0.13]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id HAA01540 for ; Tue, 6 Jan 1998 07:22:47 -0800 (PST)
Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU (8.7.1/res.host.cf-4.0) with ESMTP id KAA10458; Tue, 6 Jan 1998 10:22:53 -0500 (EST) sender long-morrow@CS.YALE.EDU for
Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-8.7.1/res.client.cf-4.0) id KAA17141; Tue, 6 Jan 1998 10:22:50 -0500 (EST)
Date: Tue, 6 Jan 1998 10:22:50 -0500 (EST)
Message-Id: <199801061522.KAA17141@SPARKY.CF.CS.YALE.EDU>
To: RANDAL_LATHROP@mech.disa.mil, iank@magna.com.au, ryanr@sybase.com
Subject: Re: Re[2]: Hardware for seperating LAN from dialouts
Cc: firewalls@greatcircle.com, ian@sunbeach.net
From: "H. Morrow Long"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

RANDAL_LATHROP@mech.disa.mil (RANDAL LATHROP) wrote:
> But this is true only if you are running a service (daemon) that can
> be exploited. If you do not share any resources on your system, are
> not running FTPD, TELNETD, or HTTPD, what else is running that can be
> subverted for illicit use?

You have to be very careful about file/disk shares on Windows 95 PCs, when dialing out to the Internet. Most "shares" that users have set up are very insecurely passworded and are read/write.

Filesharing should be turned off if you are connected to the Internet and NetBIOS over TCP/IP (esp. TCP port 139) is not filtered out. Port scan a Windows 95 PC and you will see a service listening at port 139 usually. Not only can file shares be attached but there may be remote access to RPC services and the registry....

Windows 95 actually warns you to turn off file sharing when you use dial-up networking to connect to the Internet (and there is a patch to make it do so for cable modems now as well) but not if you are on a LAN attached to the Internet.

And of course then there are the people who bring up CC, PCAnywhere, etc. on their Windows 95 machines....

- Morrow

From firewalls-owner Tue Jan 6 14:01:33 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA05378; Tue, 6 Jan 1998 12:32:17 -0800 (PST)
Received: from new-murphey.tenet.edu (new-murphey.tenet.edu [198.213.2.103]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id MAA05367 for ; Tue, 6 Jan 1998 12:32:11 -0800 (PST)
Received: from newmail.tenet.edu (wanmaster.wichita-falls.isd.tenet.edu [207.64.60.184]) by new-murphey.tenet.edu (Post.Office MTA v3.1.2 release (PO203-101c) ID# 0-40960U100000L30000S0) with ESMTP id AAA16668 for ; Tue, 6 Jan 1998 14:32:30 -0600
Message-ID: <34B294C2.583B0C00@newmail.tenet.edu>
Date: Tue, 06 Jan 1998 14:32:02 -0600
From: "ALBERT KIRCHHOFF"
Organization: Wichita Falls Independent School District
X-Mailer: Mozilla 4.03 [en] (Win95; I)
MIME-Version: 1.0
To: "firewalls@GreatCircle.COM"
Subject: Problem using Proxy Next with FW-1
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We are a K-12 school district. Our acceptable use policy requires HTTP users to authenticate through our firewall before allowing our users access to the Internet. We are pointing the "Proxy Next" to a box behind the firewall which provides filtering with SURFWATCH. Periodically, after authenticating, the browser will say that it has contacted the host and is waiting for a reply and finally return with the error "Document contains no data"?
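
The exposure H. Morrow Long describes in his message above (file sharing listening on TCP port 139 while the PC is dialed out) and the dual-homed situation Ryan Russell raises can both be checked on the host itself. The following is an added example and not part of any list member's message: it parses `netstat -an`-style output together with an interface list; the sample output, addresses, adapter names and function names are all constructed for illustration.

```python
import ipaddress

# Constructed sample, laid out like the output of Windows `netstat -an`.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    192.168.10.25:5631     0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    203.0.113.77:1047      198.51.100.9:110       ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
"""

# Constructed interface table: one office LAN card, one dial-up adapter.
SAMPLE_INTERFACES = {
    "LAN adapter": "192.168.10.25",
    "Dial-up adapter": "203.0.113.77",
}
SAMPLE_LAN_NETWORKS = ["192.168.10.0/24"]

NETBIOS_PORTS = {
    137: "NetBIOS name service",
    138: "NetBIOS datagram service",
    139: "NetBIOS session service (file and print sharing)",
}


def parse_listeners(netstat_text):
    """Return (proto, local_ip, port) for every socket accepting traffic."""
    listeners = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        proto, local, foreign = fields[0], fields[1], fields[2]
        if proto == "TCP" and fields[-1] != "LISTENING":
            continue  # an open connection, not a listener
        if proto == "UDP" and foreign != "*:*":
            continue
        ip, _, port = local.rpartition(":")
        listeners.append((proto, ip, int(port)))
    return listeners


def audit_host(netstat_text, interfaces, lan_networks):
    """Report whether the host is dual-homed and which listeners face outward.

    A listener bound to 0.0.0.0 answers on every interface, so it is exposed
    on each adapter whose address lies outside the LAN ranges. A listener
    bound to a single address is exposed only if that address is outside them.
    """
    nets = [ipaddress.ip_network(n) for n in lan_networks]

    def on_lan(ip):
        return any(ipaddress.ip_address(ip) in net for net in nets)

    outside = {name: ip for name, ip in interfaces.items() if not on_lan(ip)}
    # Dual-homed: at least one adapter on the LAN and one off it, both up.
    dual_homed = bool(outside) and len(outside) < len(interfaces)

    findings = []
    for proto, ip, port in parse_listeners(netstat_text):
        if ip == "0.0.0.0":
            exposed_on = sorted(outside)
        else:
            exposed_on = sorted(n for n, addr in outside.items() if addr == ip)
        if exposed_on:
            findings.append({
                "proto": proto,
                "port": port,
                "service": NETBIOS_PORTS.get(port, "unknown"),
                "exposed_on": exposed_on,
            })
    return {"dual_homed": dual_homed, "findings": findings}


if __name__ == "__main__":
    report = audit_host(SAMPLE_NETSTAT, SAMPLE_INTERFACES, SAMPLE_LAN_NETWORKS)
    print("dual-homed (LAN and non-LAN adapter up):", report["dual_homed"])
    for f in report["findings"]:
        print(f"{f['proto']}/{f['port']} {f['service']} reachable via "
              + ", ".join(f["exposed_on"]))
```

The check covers binding only; whether NetBIOS over TCP/IP is filtered somewhere between the adapter and the Internet, the other half of the condition in the message, has to be verified separately.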
From firewalls-owner Tue Jan 6 14:01:50 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA13977; Tue, 6 Jan 1998 13:17:15 -0800 (PST) Received: from gateway2.ey.com (gateway2.ey.com [199.50.26.3]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id NAA13804 for ; Tue, 6 Jan 1998 13:16:40 -0800 (PST) From: CHRIS.NICHOLS@EY.COM Received: by gateway2.ey.com id AA25592 (InterLock SMTP Gateway 3.0 for firewalls@GreatCircle.com); Tue, 6 Jan 1998 16:17:00 -0500 Received: by gateway2.ey.com (Protected-side Proxy Mail Agent-1); Tue, 6 Jan 1998 16:17:00 -0500 To: " - (052)firewalls(a)GreatCircle.com" Subject: NT Web proxy server Message-Id: <0014500016645557000002L072*@MHS> Date: Tue, 6 Jan 1998 16:14:20 -0500 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Novell's Border Manager does caching amongst other things. Chris ---------------------- Forwarded by Chris Nichols/MissouriKansas/AUDIT/EYLLP/US on 01/06/98 07:41 AM --------------------------- firewalls-owner@GreatCircle.COM 01/05/98 05:20 PM Please respond to firewalls-owner@GreatCircle.COM @ INTERNET To: firewalls@GreatCircle.COM @ INTERNET cc: Subject: NT Web proxy server Hi -- I'm looking for a Web proxy server that does caching for my kid's school (K-8). The computer lab is networked to a server which would run the proxy. The server is a Pentium running NT 4.0. I'm looking for recommendations on proxy server software from anyone that is running it on NT 4.0 using a dialup-on-demand type of setup. The only proxy servers for NT that I am aware of are Microsoft and Netscape, but I'm sure there are others. Any and all comments are welcome. Thanks. -->BoB -->BoB Miorelli, Pratt & Whitney miorelli@pweh.com ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In theory, theory and practice are the same; in practice they are distinct. 
From firewalls-owner Tue Jan 6 14:29:51 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA04078; Tue, 6 Jan 1998 12:23:59 -0800 (PST) Received: from firewall.mobility.com (firewall.mobility.com [161.216.124.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id MAA03827 for ; Tue, 6 Jan 1998 12:23:10 -0800 (PST) Message-Id: <199801062023.MAA03827@honor.greatcircle.com> Received: from [161.216.252.1] by firewall.mobility.com via smtpd (for honor.greatcircle.com [198.102.244.44]) with SMTP; 6 Jan 1998 20:23:28 UT Received: from ex13.mobility.com ([161.217.3.50]) by [161.216.252.1] via smtpd (for honor.greatcircle.com [198.102.244.44]) with SMTP; 6 Jan 1998 20:15:16 UT Received: by CC20EHUB04.mobility.com with Internet Mail Service (5.0.1458.49) id ; Tue, 6 Jan 1998 15:23:22 -0500 From: "Grigorof, Adrian" To: firewalls@greatcircle.com Subject: E-mail Encryption Date: Tue, 6 Jan 1998 15:21:57 -0500 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.49) Content-Type: multipart/mixed; boundary="---- =_NextPart_000_01BD1AB7.06336210" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------ =_NextPart_000_01BD1AB7.06336210 Content-Type: text/plain; charset="iso-8859-1" I am looking for a product to be used in encrypting e-mail to be sent over the Internet. I've heard something about a product called Puffer by Briggs Softworks but I haven't tested it so far. The ideal software should be user friendly otherwise it won't be used by "normal" users...how can you stop them from sending clear text messages or unencrypted attachments? Any ideas, suggestions? Thanks, Adrian Grigorof Internet Administrator Bell Mobility Cellular Inc. 
Toronto www.bellmobility.ca ------ =_NextPart_000_01BD1AB7.06336210--
From firewalls-owner Tue Jan 6 16:46:11 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA13011; Tue, 6 Jan 1998 15:43:23 -0800 (PST) Received: from hq.si.net (hq.si.net [192.156.192.10]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id PAA13004 for ; Tue, 6 Jan 1998 15:43:17 -0800 (PST) Received: from hq.si.net (hq [192.156.192.10]) by hq.si.net (8.8.5/8.7.3) with SMTP id SAA04728; Tue, 6 Jan 1998 18:44:49 -0500 (EST) Date: Tue, 6 Jan 1998 18:44:49 -0500 (EST) From: Ming Lu To: Darin Fisher cc: "'Olivier NOUET'" , "'FWLIST'" Subject: RE: A site about security In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I got message:"HTTP/1.0 403 Access Forbidden" _ming On Mon, 29 Dec 1997, Darin Fisher wrote: > Check out http://www.axent.com/swat/ > > ---- > #include > "In order to succeed, one must pay attention" > > -----Original Message----- > From: Olivier NOUET [mailto:Olivier.Nouet@cominfo.fr] > Sent: Wednesday, December 24, 1997 1:04 AM > To: 'FWLIST' > Subject: A site about security > > > > > I'm looking for a site about security problems, with real life > problems (reports of attacks, problems on softs, etc...) to make a > summary. > Thanks !! 
> > Olivier Nouet/Cominfo > From firewalls-owner Tue Jan 6 16:48:36 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA05368; Tue, 6 Jan 1998 15:09:06 -0800 (PST) Received: from nx.numerix.com (nx.numerix.com [208.214.237.66]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id PAA05323 for ; Tue, 6 Jan 1998 15:08:54 -0800 (PST) Received: from nx.numerix.com by nx.numerix.com (8.8.7/8.8.6) with SMTP id RAA30201; Tue, 6 Jan 1998 17:08:50 -0600 Date: Tue, 6 Jan 1998 17:10:54 -0600 (CST) From: Greg Whalin To: "Grigorof, Adrian" cc: firewalls@GreatCircle.COM Subject: Re: E-mail Encryption In-Reply-To: <199801062023.MAA03827@honor.greatcircle.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk How about PGP? Or how about Netscape with client certificates? -------------------- Greg Whalin gwhalin@numerix.com On Tue, 6 Jan 1998, Grigorof, Adrian wrote: > I am looking for a product to be used in encrypting e-mail to be sent > over the Internet. I've heard something about a product called Puffer by > Briggs Softworks but I haven't tested it so far. > > The ideal software should be user friendly otherwise it won't be used by > "normal" users...how can you stop them from sending clear text messages > or unencrypted attachments? > > Any ideas, suggestions? > > Thanks, > > Adrian Grigorof > Internet Administrator > Bell Mobility Cellular Inc. 
> Toronto > www.bellmobility.ca > > > > > > From firewalls-owner Tue Jan 6 16:49:01 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA13412; Tue, 6 Jan 1998 15:46:17 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id PAA03318 for ; Tue, 6 Jan 1998 15:00:08 -0800 (PST) Received: from hotmail.com by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id OAA23885; Tue, 6 Jan 1998 14:58:59 -0800 (PST) Received: (qmail 6992 invoked by uid 0); 6 Jan 1998 22:59:58 -0000 Message-ID: <19980106225958.6991.qmail@hotmail.com> Received: from 203.15.102.65 by www.hotmail.com with HTTP; Tue, 06 Jan 1998 14:59:58 PST X-Originating-IP: [203.15.102.65] From: "Paul Jones" To: firewalls@GreatCircle.COM Subject: Real Audio Content-Type: text/plain Date: Tue, 06 Jan 1998 14:59:58 PST Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, We would like some information regarding the security implications of running Real Audio through our firewall (Gauntlet). Any information you can provide would be appreciated. 
Thanks in advance, Paul ______________________________________________________ Get Your Private, Free Email at http://www.hotmail.com
From firewalls-owner Tue Jan 6 17:39:34 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA13127; Tue, 6 Jan 1998 15:44:16 -0800 (PST) Received: from columbia.digiweb.com (columbia.digiweb.com [206.161.225.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id PAA13112 for ; Tue, 6 Jan 1998 15:44:09 -0800 (PST) Received: from [207.213.51.19] (19.underground.net [207.213.51.19] (may be forged)) by columbia.digiweb.com (8.8.8/8.8.5) with ESMTP id SAA04487; Tue, 6 Jan 1998 18:43:07 -0500 (EST) X-Sender: dyabolyk@digiweb.com Message-Id: In-Reply-To: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 6 Jan 1998 15:42:29 -0800 To: Sick Puppy , firewalls@GreatCircle.COM From: aldous valdheims Subject: Re: Wannabe needs a good book Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 11:05 AM -0500 1.6.1998, Sick Puppy wrote: >Can someone please suggest a good book on the >general topic of networking, with some emphasis on TCP/IP, that we can >steal? One of my favorites is Computer Networks, 2nd edition, by I think it is Tanenbaum, but I may have to be corrected on that; I don't have a copy of it with me right now. It gives a really thorough coverage of network protocols and network layers, from the actual wiring on up to applications. Get it and get crazy. 
--jt From firewalls-owner Tue Jan 6 18:15:35 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA14277; Tue, 6 Jan 1998 15:51:14 -0800 (PST) Received: from aims.gov.au (pearl.aims.gov.au [138.7.32.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id PAA09621 for ; Tue, 6 Jan 1998 15:26:49 -0800 (PST) Received: from aims.gov.au by aims.gov.au (SMI-8.6/SMI-SVR4) id JAA07504; Wed, 7 Jan 1998 09:27:08 +1000 Message-ID: <34B2BD37.402DDEBC@aims.gov.au> Date: Wed, 07 Jan 1998 09:24:39 +1000 From: Kerry Jones X-Mailer: Mozilla 4.04 [en] (WinNT; I) MIME-Version: 1.0 To: firewalls@greatcircle.com Subject: Split DNS?? Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, This is a great Mailing list..I am so impressed with the answers I got from my last question DNS on Firewalls!!.. I'm going to ask another.. What are the benefits of running split DNS??? Is it more secure?? Or is it a pain in the ass which doesn't increase security much at all?? Can someone give me a bit of an overview of how it would be done. Is it a simple matter of running 1 DNS on the DMZ (for internet) and another totally separate DNS on the internal network (for local machines)?? Would the 2 DNS servers be totally independent of one another or would one have to update the other one? Thanks in advance... 
-- Kerry Jones kjones@aims.gov.au From firewalls-owner Tue Jan 6 18:16:08 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA14442; Tue, 6 Jan 1998 15:52:41 -0800 (PST) Received: from www.allensysgroup.com ([205.245.8.5]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id PAA04910 for ; Tue, 6 Jan 1998 15:06:49 -0800 (PST) Received: from houdini ([10.1.4.76]) by www.allensysgroup.com (Post.Office MTA v3.1 release PO205e ID# 0-40603U300L100S0) with ESMTP id AAA210; Tue, 6 Jan 1998 18:05:32 -0500 From: alanb@allensysgroup.com (Alan Bolt) To: "Grigorof, Adrian" , Subject: Re: E-mail Encryption Date: Tue, 6 Jan 1998 18:18:36 -0500 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1161 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Message-ID: <19980106230532656.AAA210@houdini> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Have you not looked into PGP? It has grown to have much better interface for users and does what you seem to want Bobby Brown Network Administrator Allen Systems Group ---------- > From: Grigorof, Adrian > To: firewalls@greatcircle.com > Subject: E-mail Encryption > Date: Tuesday, January 06, 1998 3:21 PM > > I am looking for a product to be used in encrypting e-mail to be sent > over the Internet. I've heard something about a product called Puffer by > Briggs Softworks but I haven't tested it so far. > > The ideal software should be user friendly otherwise it won't be used by > "normal" users...how can you stop them from sending clear text messages > or unencrypted attachments? > > Any ideas, suggestions? > > Thanks, > > Adrian Grigorof > Internet Administrator > Bell Mobility Cellular Inc. 
> Toronto > www.bellmobility.ca > > > > > > From firewalls-owner Tue Jan 6 18:18:27 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA14673; Tue, 6 Jan 1998 15:54:48 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id PAA07928 for ; Tue, 6 Jan 1998 15:19:43 -0800 (PST) Received: from gdsconnect.com by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id NAA22901; Tue, 6 Jan 1998 13:29:43 -0800 (PST) Received: from altos.gdsconnect.com ([192.168.27.2]) by fws.gdsconnect.com with ESMTP id <17922>; Tue, 6 Jan 1998 16:32:04 -0500 Received: by ALTOS with Internet Mail Service (5.0.1457.3) id ; Tue, 6 Jan 1998 16:37:05 -0500 Message-ID: From: Gordon LaSane To: MacGyver , Firewalls Mailing List Subject: RE: Stateful Inspection Anyone? Explore your options. Date: Tue, 6 Jan 1998 16:37:03 -0500 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1457.3) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk One of the biggest complaints about stateful inspection is that if the state table becomes corrupt, the network could become vulnerable to the outside. Check out application gateways, these proxy servers take a users request for an Internet service and forward it to the actual service. Proxies replace the actual service, acting as a gateway and are for this reason commonly referred to as application gateways. Visit http://www.securecomputing.com or contact me. Gordon LaSane Global Data Systems, Inc. 
Internet and Intranet Firewalls and Security Group Consulting and Installing Solutions for Your Company's Data Security: Remote User Authentication Internet Access Virtual Private Networks Web Filtering Intranets Firewalls Gordon LaSane 781/740-8818 x13 ph 781/740-8830 fax glasane@gdsconnect.com Visit us on the web at http://www.gdsconnect.com -----Original Message----- From: MacGyver [SMTP:macgyver@tos.net] Sent: Tuesday, January 06, 1998 11:55 AM To: Firewalls Mailing List Subject: Stateful Inspection Anyone? Hi folks, I've been wondering this for a while, but just haven't gotten around to asking anyone yet: Checkpoint's Firewall-1 has a feature known as "stateful inspection" which they tout as the end-all and be-all of packet-filtering and inspection. Anyone had any experience in using this feature or have any thoughts regarding stateful inspection? How large of a performance impact is there when stateful inspection is enabled? Are the gains worth the added load? Hope this spurs some interesting discussion. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ^ Habeeb J. Dihu -' `- Managing Senior Technologist " ' ` " Cirrus Technologies " ' ` " " ' . ` " " ' .' ` ` " 'I don't believe in the no-win scenario' " ` ' `' " -- Captain James T. 
Kirk, Star Trek II: TWK ` ' _ _ ' 'There is an old Vulcan proverb, `Only Nixon ' could go to China.`' -- Captain Spock, Star Trek VI: TUC ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From firewalls-owner Tue Jan 6 19:00:21 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id RAA02536; Tue, 6 Jan 1998 17:19:06 -0800 (PST) Received: from hotmail.com (F81.hotmail.com [207.82.250.187]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id RAA02498 for ; Tue, 6 Jan 1998 17:18:54 -0800 (PST) Received: (qmail 2295 invoked by uid 0); 7 Jan 1998 01:19:17 -0000 Message-ID: <19980107011917.2294.qmail@hotmail.com> Received: from 203.15.102.65 by www.hotmail.com with HTTP; Tue, 06 Jan 1998 17:19:14 PST X-Originating-IP: [203.15.102.65] From: "Paul Jones" To: firewalls@greatcircle.com Subject: Real Audio Content-Type: text/plain Date: Tue, 06 Jan 1998 17:19:14 PST Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, We would like some information regarding the security implications of running Real Audio through our firewall (Gauntlet). Any information you can provide would be appreciated. 
Thanks in advance, Paul ______________________________________________________ Get Your Private, Free Email at http://www.hotmail.com From firewalls-owner Tue Jan 6 19:02:42 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id QAA16581; Tue, 6 Jan 1998 16:01:34 -0800 (PST) Received: from hq.si.net (hq.si.net [192.156.192.10]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id QAA16479 for ; Tue, 6 Jan 1998 16:01:15 -0800 (PST) Received: from hq.si.net (hq [192.156.192.10]) by hq.si.net (8.8.5/8.7.3) with SMTP id TAA04907; Tue, 6 Jan 1998 19:03:21 -0500 (EST) Date: Tue, 6 Jan 1998 19:03:21 -0500 (EST) From: Ming Lu To: John Palmer cc: "joej@ultranet.com" , "firewalls@GreatCircle.COM" Subject: RE: Intro & question: looking for FW recommendation In-Reply-To: <3.0.3.32.19971229185509.006be284@netsync.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Mon, 29 Dec 1997, John Palmer wrote: > At 08:46 AM 12/29/97 -0500, Joseph Judge wrote: > >Step 1 --- Work with the corporate folks ... > > I'm all for working with corporate IS. But that comes last on my list of [snip] > It's obvious that one possible solution would be to use the same firewall > that corporate uses. The only problem there is that corporate bought the > equivalent of a greyhound bus, where we only need a four-door [car] to meet > our needs. I can't cost-justify their hardware/software implementation > locally. With a lower user-licensed copy, and NT on Intel (instead of a > non-Intel box) I can. You can use either linux or solaris x86 with a 486 or better. It would be much better solution than... in anyway. just look at http://www.standishgroup.com/syst.html. > > Working on that aspect now. I'll check out the book you recommended. A > search through Amazon.com turned up many books, have a list of them on my > desk... somewhere. But which book to start with...?... 
this is what > prompted me to look around more before blatantly buying books. You're > probably right though... any book would be helpful. :) and < Building Internet Firewalls> are two good books to start with. _ming
From firewalls-owner Tue Jan 6 19:06:33 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA02561; Tue, 6 Jan 1998 09:59:09 -0800 (PST) Received: from main.geminisecure.com (main.geminisecure.com [205.179.16.1]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id JAA02502 for ; Tue, 6 Jan 1998 09:58:53 -0800 (PST) Received: (from leonard@localhost) by main.geminisecure.com (8.6.9/8.6.9) id JAA06588; Tue, 6 Jan 1998 09:52:34 -0800 Date: Tue, 6 Jan 1998 09:52:33 -0800 (PST) From: Leonard Miyata To: Kerry Jones cc: firewalls@GreatCircle.COM Subject: Re: DNS on firewall?? In-Reply-To: <34B1C8DC.2BE94D49@aims.gov.au> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi There If you're talking about a PUBLIC Secondary DNS Server.... Remember, the purpose of the Public Secondary DNS is to provide backup records of the Primary. If your Primary DNS Server goes down in the middle of the night, your Secondary Server (which anyone can find by asking the root DNS server for the official postings) can be used to query items like, where to forward SMTP mail for delivery to your site, or where your official WWW web server is located. A Public DNS server must of course be in a PUBLIC location, (like your ISP or a different subnet in your DMZ) for fault tolerance. If you're talking about a PRIVATE DNS Server, (such as used in a 'split' DNS configuration) for resolving private name/address of your internal net, Parts of it may be on the firewall to allow inside access to the DMZ, but this is a PRIVATE configuration, and is a totally different issue.... 
Personal Opinions provided by Leonard Miyata aka leonard@geminisecure.com GEMINI COMPUTERS Inc. On Tue, 6 Jan 1998, Kerry Jones wrote: > Hi, > > Simple question. Is it a good idea to run a DNS server on a > Firewall????? > > AUNIC require at least 2 DNS servers, so I am trying to decide where to > configure the 2nd DNS server for our domain (Primary one is currently on > the DMZ). Will putting the secondary DNS on the firewall create a > security hole in the Firewall which would best be avoided???????? > Is it acceptable (secure) to put the DNS and other services (e.g. > http/ftp) on the Firewall?? > > What do you think?? > What are your opinions?? > > I have a fairly standard setup as follows; > > Internet > | > router > | > firewall - dmz (1 machine: http/ftp/dns) > | > internal network. > > -- > Kerry Jones > kjones@aims.gov.au > > From firewalls-owner Tue Jan 6 19:06:38 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id QAA21683; Tue, 6 Jan 1998 16:18:26 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id QAA21664 for ; Tue, 6 Jan 1998 16:18:18 -0800 (PST) Received: from starbase.tos.net by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id QAA24620; Tue, 6 Jan 1998 16:17:09 -0800 (PST) Received: (from mail@localhost) by starbase.tos.net (8.8.4/8.8.4) id SAA31044 for ; Tue, 6 Jan 1998 18:18:55 -0600 Message-Id: <199801070018.SAA31044@starbase.tos.net> Received: from macgyver-1.pr.mcs.net(205.253.24.113) by starbase.tos.net via smap (V1.3) id sma031040; Tue Jan 6 18:18:38 1998 X-Sender: macgyver@smtp.tos.net X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0 Date: Tue, 06 Jan 1998 18:14:58 -0600 To: Firewalls Mailing List From: MacGyver Subject: Re: E-mail Encryption In-Reply-To: <199801062023.MAA03827@honor.greatcircle.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: 
firewalls-owner@GreatCircle.COM Precedence: bulk At 03:21 PM 1/6/98 -0500, you wrote: >I am looking for a product to be used in encrypting e-mail to be sent >over the Internet. I've heard something about a product called Puffer by >Briggs Softworks but I haven't tested it so far. > Actually, I recommend two products for this: PGP for the encryption portion, and Eudora for the mail client. >The ideal software should be user friendly otherwise it won't be used by >"normal" users...how can you stop them from sending clear text messages >or unencrypted attachments? Using Eudora 4.0 onward (I'm not sure if previous versions support this feature), you have the ability to set an "output filter", which can be set to call any arbitrary program. PGP 5.0+ has a Eudora plugin option that you can use to automagically guarantee that all emails sent out are encrypted in an invisible way to the user. > >Any ideas, suggestions? > >Thanks, > >Adrian Grigorof >Internet Administrator >Bell Mobility Cellular Inc. >Toronto >www.bellmobility.ca > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ^ Habeeb J. Dihu -' `- Managing Senior Technologist " ' ` " Cirrus Technologies " ' ` " " ' . ` " " ' .' ` ` " 'I don't believe in the no-win scenario' " ` ' `' " -- Captain James T. 
Kirk, Star Trek II: TWK ` ' _ _ ' 'There is an old Vulcan proverb, `Only Nixon ' could go to China.`' -- Captain Spock, Star Trek VI: TUC ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From firewalls-owner Tue Jan 6 19:43:50 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id RAA02549; Tue, 6 Jan 1998 17:19:09 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id RAA02426 for ; Tue, 6 Jan 1998 17:18:41 -0800 (PST) Received: from mail-syd.atinet.com.au by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id RAA25008; Tue, 6 Jan 1998 17:17:31 -0800 (PST) Received: from ppp-127.atinet.com.au (ppp-127.atinet.com.au [203.35.110.127]) by mail-syd.atinet.com.au (NTMail 3.02.13) with ESMTP id ba025793 for ; Wed, 7 Jan 1998 12:17:09 +1100 Received: from beethoven (beethoven.winspace.net [192.168.0.2]) by mozart.winspace.net (8.8.8/8.7.3) with SMTP id MAA31941; Wed, 7 Jan 1998 12:17:48 +1100 From: "Norman Widders" Date: Wed, 7 Jan 1998 12:17:50 +1000 (GMT) Subject: RE: E-mail Encryption To: Reply-To: Organization: Paladin Corporation Message-Id: X-Mailer: Paladin IMAP4 Client v2.33 In-Reply-To: <199801062023.MAA03827@honor.greatcircle.com> References: <199801062023.MAA03827@honor.greatcircle.com> Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Content-Transfer-Encoding: 7BIT Content-ID: X-Info: All Things Internet POP3 Server Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Tue, 6 Jan 1998 15:21:57 -0500 "Grigorof, Adrian" wrote: Sorry about the plug folks but it was requested :) You might want to try Paladin which has PGP 5 and a fairly friendly interface. It also uses DES internally, forces users to use strong passwords and has a few other features... not a commercial product yet so get it while it's free, if you are interested. 
(Diamond and Sapphire are options) For normal users, you still will face a learning-curve explaining to them about Public-keys and all that but nothing a little training won't fix. The current version only encrypts the email message but future releases will encrypt the attachments also, sometime 2nd Quarter. Oh, it's an IMAP4 client not POP3, and has Authenticated-SMTP also. > I am looking for a product to be used in encrypting e-mail to be sent > over the Internet. I've heard something about a product called Puffer by > Briggs Softworks but I haven't tested it so far. > > The ideal software should be user friendly otherwise it won't be used by > "normal" users...how can you stop them from sending clear text messages > or unencrypted attachments? -- Yours faithfully, Norman Widders. +----------------------------------------------------------- | winspace@atinet.com.au | http://www.geocities.com/researchtriangle/4431 | Home of the Paladin IMAP4 E-Mail client. | Paladin Corporation Pty. Ltd. +-----------------------------------------------------------
From firewalls-owner Tue Jan 6 19:45:50 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id RAA07103; Tue, 6 Jan 1998 17:42:11 -0800 (PST) Received: from strato-fe0.ultra.net (strato-fe0.ultra.net [146.115.8.190]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id RAA07061 for ; Tue, 6 Jan 1998 17:42:01 -0800 (PST) Received: from joespc.judgefamily.org (joesmac.ma.ultranet.com [146.115.236.247]) by strato-fe0.ultra.net (8.8.5/ult.n14767) with SMTP id UAA19404; Tue, 6 Jan 1998 20:42:23 -0500 (EST) Received: by localhost with Microsoft MAPI; Tue, 6 Jan 1998 20:43:54 -0500 Message-ID: <01BD1AE3.CDC54D80.joej@ultranet.com> From: Joseph Judge Reply-To: "joej@ultranet.com" To: "'Paul Jones'" , "firewalls@GreatCircle.COM" Subject: RE: Real Audio Date: Tue, 6 Jan 1998 20:43:53 -0500 X-Mailer: Microsoft Internet E-mail/MAPI - 8.0.0.4211 MIME-Version: 1.0 Content-Type: text/plain; 
 charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

What info are you looking for ? Security issues or how-to ?

Gauntlet should have a "rap" (real audio proxy) ... which requires the internal clients to be configured for TCP via the firewall proxy.

-- joe

On Tuesday, January 06, 1998 6:00 PM, Paul Jones [SMTP:pj_27@hotmail.com] wrote:
> Hi,
>
> We would like some information regarding the security implications of
>
> running Real Audio through our firewall (Gauntlet).
>
> Any information you can provide would be appreciated.
>
>
> Thanks in advance,
>
> Paul
>
> ______________________________________________________
> Get Your Private, Free Email at http://www.hotmail.com

From firewalls-owner Tue Jan 6 19:47:09 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id RAA07575; Tue, 6 Jan 1998 17:45:54 -0800 (PST)
Received: from cebu.mozcom.com (cebu.mozcom.com [207.0.115.45]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id QAA27881 for ; Tue, 6 Jan 1998 16:59:09 -0800 (PST)
Received: from localhost (derts@localhost) by cebu.mozcom.com (8.8.8/8.6.9) with SMTP id IAA32408; Wed, 7 Jan 1998 08:50:52 GMT
Date: Wed, 7 Jan 1998 08:50:52 +0000 ( )
From: Ederlindo Cojuangco
To: "Grigorof, Adrian"
cc: firewalls@GreatCircle.COM
Subject: Re: E-mail Encryption
In-Reply-To: <199801062023.MAA03827@honor.greatcircle.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

How about PGP key? I was searching information with regards to this PGP (Pretty Good Privacy) Key and unfortunately I was not able to look for a software on how to use this one? Any idea out there? Just curious on how to use this one.

Thanks.

ederts

On Tue, 6 Jan 1998, Grigorof, Adrian wrote:
> I am looking for a product to be used in encrypting e-mail to be sent
> over the Internet. I've heard something about a product called Puffer by
> Briggs Softworks but I haven't tested it so far.
>
> The ideal software should be user friendly otherwise it won't be used by
> "normal" users...how can you stop them from sending clear text messages
> or unencrypted attachments?
>
> Any ideas, suggestions?
>
> Thanks,
>
> Adrian Grigorof
> Internet Administrator
> Bell Mobility Cellular Inc.
> Toronto
> www.bellmobility.ca
>

From firewalls-owner Tue Jan 6 19:47:12 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id RAA07254; Tue, 6 Jan 1998 17:43:48 -0800 (PST)
Received: from gateway.mpath.com (gateway.mpath.com [204.242.182.129]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id RAA07246 for ; Tue, 6 Jan 1998 17:43:43 -0800 (PST)
Received: from mpath.com (nodserv.mpath.com [206.233.214.16]) by gateway.mpath.com (8.8.5/8.8.5) with ESMTP id RAA25094; Tue, 6 Jan 1998 17:44:07 -0800 (PST)
Received: from localhost (vision@localhost) by mpath.com (8.8.5/8.8.5) with SMTP id RAA06165; Tue, 6 Jan 1998 17:43:34 -0800 (PST)
Date: Tue, 6 Jan 1998 17:43:34 -0800 (PST)
From: Max Vision
To: Paul Jones
cc: firewalls@GreatCircle.COM
Subject: Re: Real Audio
In-Reply-To: <19980106225958.6991.qmail@hotmail.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

If you mean allowing outside access to a realaudio server at your site: not likely, but possible. any server can receive a denial of service attack, but compromise (via protocol or overflow bugs) of something like a non-authenticating audio server is extremely unlikely.

If you mean allowing your users to listen to realaudio on the net: no security threat. (unless you have gullible users clicking on a realaudio file that instructs them to change their password to "changeme" or something equally r00tish. :)

Max

On Tue, 6 Jan 1998, Paul Jones wrote:
> Hi,
>
> We would like some information regarding the security implications of
> running Real Audio through our firewall (Gauntlet).
>
> Any information you can provide would be appreciated.
>
> Thanks in advance,
>
> Paul
>

From firewalls-owner Tue Jan 6 20:45:29 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id TAA05667; Tue, 6 Jan 1998 19:45:07 -0800 (PST)
Received: from fw.itm-inst.com ([206.239.41.100]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id TAA28885 for ; Tue, 6 Jan 1998 19:18:13 -0800 (PST)
Received: by fw.itm-inst.com; id WAA11476; Tue, 6 Jan 1998 22:17:48 -0500 (EST)
Received: from unknown(10.0.3.121) by fw.itm-inst.com via smap (2.0) id xma011472; Tue, 6 Jan 98 22:17:19 -0500
Message-Id: <3.0.3.32.19980106221344.00700264@fw.itm-inst.com>
X-Sender: rmurphy@fw.itm-inst.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Tue, 06 Jan 1998 22:13:44 -0500
To: "Paul Jones"
From: Rick Murphy
Subject: Re: Real Audio
Cc: firewalls@GreatCircle.COM
In-Reply-To: <19980106225958.6991.qmail@hotmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 02:59 PM 1/6/98 PST, Paul Jones wrote:
>We would like some information regarding the security implications of
>running Real Audio through our firewall (Gauntlet).

The Gauntlet RealAudio proxy verifies that the setup protocol is indeed RealAudio; once the setup is complete it opens a single point UDP forwarder from the outside to the system running the player.
Given the nature of the protocol, and the endpoint verification, there's not much you could do to exploit the connection.

If you permit HTTP, you shouldn't be worried about RealAudio/RealVideo. HTTP hosts all sorts of exploits..
-Rick

From firewalls-owner Tue Jan 6 21:31:15 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id VAA22895; Tue, 6 Jan 1998 21:03:32 -0800 (PST)
Received: from m23.boston.juno.com (m23.boston.juno.com [205.231.100.188]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id VAA22756 for ; Tue, 6 Jan 1998 21:03:05 -0800 (PST)
Received: (from jnthomas1@juno.com) by m23.boston.juno.com (queuemail) id AHI29146; Wed, 07 Jan 1998 00:02:24 EST
To: firewalls@GreatCircle.COM
Date: Tue, 6 Jan 1998 20:29:19 -0800
Subject: FW-1 xlate.conf
Message-ID: <19980106.202921.3526.2.jnthomas1@juno.com>
X-Mailer: Juno 1.49
X-Juno-Line-Breaks: 1,6,8-12
From: jnthomas1@juno.com (Jeff Thomas)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Running FW-1 2.1 on Solaris 2.51.
Ran fwxlconf to add the ip address translation. When installing the policy I get a message saying "Error in line xx illegal token <^[>". Had no problems adding translation or with previous attempts. I used cat -vet to see all control characters in the file. Nothing wrong in the file. I do not see this character pattern in the file. I tried removing several lines, but the error just reports a different line.

Any suggestions.
Sun said 2.1 may be bug friendly and recommended upgrading to 2.1C or 3.0

jeff thomas
jnthomas1@juno.com

From firewalls-owner Tue Jan 6 21:39:05 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id VAA22927; Tue, 6 Jan 1998 21:03:38 -0800 (PST)
Received: from m23.boston.juno.com (m23.boston.juno.com [205.231.100.188]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id VAA22778 for ; Tue, 6 Jan 1998 21:03:09 -0800 (PST)
Received: (from jnthomas1@juno.com) by m23.boston.juno.com (queuemail) id AHH29146; Wed, 07 Jan 1998 00:02:24 EST
To: firewalls@GreatCircle.COM
Date: Tue, 6 Jan 1998 20:08:06 -0800
Subject: FW-1 Xlate.conf
Message-ID: <19980106.202921.3526.1.jnthomas1@juno.com>
X-Mailer: Juno 1.49
X-Juno-Line-Breaks: 1,3,5,7,9-14
From: jnthomas1@juno.com (Jeff Thomas)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Running FW-1 2.1 on Solaris 2.51.

I added an entry through fwxlconf. When I went to do policy install I got a message saying "error in line xx illegal token <^[>".

The line is not the most recent entry, but several lines above. Previous compilations have been no problems.

I did cat -vet on the xlate.conf file to see all the control characters and see no problems.

Any ideas how to get rid of this error. Do I need to zap out the xlate.conf file and start over?

Sun said 2.1 is bug-friendly. Recommended upgrading to 2.1C or 3.0.
Need to add entries to xlate.conf immediately

jeff thomas
jnthomas1@juno.com

From firewalls-owner Tue Jan 6 21:40:38 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id UAA18150; Tue, 6 Jan 1998 20:46:16 -0800 (PST)
Received: from cebu.mozcom.com (cebu.mozcom.com [207.0.115.45]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id UAA09080 for ; Tue, 6 Jan 1998 20:01:55 -0800 (PST)
Received: from localhost (derts@localhost) by cebu.mozcom.com (8.8.8/8.6.9) with SMTP id LAA06293; Wed, 7 Jan 1998 11:52:29 GMT
Date: Wed, 7 Jan 1998 11:52:28 +0000 ( )
From: Ederlindo Cojuangco
To: Alan Bolt
cc: "Grigorof, Adrian" , firewalls@GreatCircle.COM
Subject: Re: E-mail Encryption
In-Reply-To: <19980106230532656.AAA210@houdini>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Is there any site where we can download it? All I got from my search is only an information but no software to use it. Can anybody have any idea on this matter?

Thanks in advance.

ederts

On Tue, 6 Jan 1998, Alan Bolt wrote:
> Have you not looked into PGP?
> It has grown to have much better interface
> for users and does what you seem to want
>
> Bobby Brown
> Network Administrator
> Allen Systems Group
>
> ----------
> > From: Grigorof, Adrian
> > To: firewalls@greatcircle.com
> > Subject: E-mail Encryption
> > Date: Tuesday, January 06, 1998 3:21 PM
> >
> > I am looking for a product to be used in encrypting e-mail to be sent
> > over the Internet. I've heard something about a product called Puffer by
> > Briggs Softworks but I haven't tested it so far.
> >
> > The ideal software should be user friendly otherwise it won't be used by
> > "normal" users...how can you stop them from sending clear text messages
> > or unencrypted attachments?
> >
> > Any ideas, suggestions?
> >
> > Thanks,
> >
> > Adrian Grigorof
> > Internet Administrator
> > Bell Mobility Cellular Inc.
> > Toronto
> > www.bellmobility.ca
> >
>

From firewalls-owner Tue Jan 6 21:42:16 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id UAA19037; Tue, 6 Jan 1998 20:50:36 -0800 (PST)
Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id UAA10105 for ; Tue, 6 Jan 1998 20:07:30 -0800 (PST)
Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id IAA24002; Tue, 6 Jan 1998 08:59:03 -0500
Date: Tue, 6 Jan 1998 08:59:01 -0500 (EST)
From: Rabid Wombat
To: Sick Puppy
cc: firewalls@GreatCircle.COM
Subject: Re: Wannabe needs a good book
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Wombat's Newbie Reading List:

Internetworking with TCP/IP Volume 1
Douglas Comer
Prentice Hall
ISBN 0-13-468505-9
(Comer also has a general networking book out, but I loaned it to a newbie at the office - it is a better place to start for the novice than the above)

Internet Routing Architectures
Bassam Halabi
Cisco Press
ISBN 1-56205-652-2

The O'Reilly "zoo" books
  Getting Connected: The Internet at 56k and up (good newbie book)
  TCP/IP
  DNS and Bind
  Sendmail
  System Administration
  Managing IP Networks with Cisco Routers
(at http://www.oreilly.com - I'm too lazy to type the ISBNs)

Interconnections Bridges and Routers
Radia Perlman
Addison Wesley
ISBN 0-201-56332-0
a bit dated in some areas, but good theoretical background on algorithms and the early "building blocks" - Master this, and you can be an "oldbie."

... and "read an RFC a week" ... :)
http://www.cis.ohio-state.edu/hypertext/information/rfc.html

-r.w.

On Tue, 6 Jan 1998, Sick Puppy wrote:
> Over the past few years our educational research has provided us with a
> great deal of information on Internet services, operating systems and
> various protocols. However, all of it is very narrowly focused and
> platform specific. One of our wannabe's, ChewYou, (oriental as the name
> implies), needs a good top down introduction to networking. Sorry to say
> we have nothing like that. Can someone please suggest a good book on the
> general topic of networking, with some emphasis on TCP/IP, that we can
> steal?
> SP, tCED
>

From firewalls-owner Tue Jan 6 21:43:33 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA09648; Tue, 6 Jan 1998 10:34:48 -0800 (PST)
Received: from ALABAMA.CF.CS.YALE.EDU (RT-GW.CS.YALE.EDU [128.36.0.13]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id KAA09618 for ; Tue, 6 Jan 1998 10:34:39 -0800 (PST)
Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU (8.7.1/res.host.cf-4.0) with ESMTP id NAA04791; Tue, 6 Jan 1998 13:34:15 -0500 (EST) sender long-morrow@CS.YALE.EDU for
Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-8.7.1/res.client.cf-4.0) id NAA17454; Tue, 6 Jan 1998 13:34:12 -0500 (EST)
Date: Tue, 6 Jan 1998 13:34:12 -0500 (EST)
Message-Id: <199801061834.NAA17454@SPARKY.CF.CS.YALE.EDU>
To: RANDAL_LATHROP@mech.disa.mil, oliverk@ols-eds.de
Subject: Re: Re[2]: Hardware for seperating LAN from dialouts
Cc: firewalls@greatcircle.com, ryanr@sybase.com
From: "H. Morrow Long"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

oliverk@ols-eds.de wrote:
>What happens to services on connected systems (PC is connected to a LAN,
>which might have a ftp server somewhere...) - do you think the PC with ip
>forwarding/routing could be an entry point to attack other computers on the
>attached network?

Yes. It is a somewhat remote possibility as someone would have to know about the dialup link, the networks and hosts involved -- and source routing would most likely have to be enabled on the PC w/IP-forwarding dialed up to the Internet.
Presuming you are getting a different dynamic IP address each time you dial up via PPP the possibility that someone might exploit it is fairly remote. But it is a possibility nonetheless, and one that should not be discounted by anyone with valuables to protect.

>Apart from any services being used for illicit use, could other risks arise
>from people sniffing on network traffic that passes the exposed computer?
>Do you think that's possible?

Yes. Presuming you could install a remote sniffer on many networks there is a good chance you would find yourself on a PC attached to a LAN hub without eavesdrop protection (or on a hub where the port protection has not been configured).

Note that running an anonymous FTP server on a PC on your LAN which is also dialed up to the Internet presents an immediate security problem to your internal network because many FTP servers allow the FTP 'port bounce' attack (a remote client of the anonymous FTP server can request that an ftp-data connection be established from the FTP server to a port on a 3rd party host. In this way one can probe your internal network for services and weaknesses.).

H. Morrow Long, Yale Univ IT ISO -Info Technology Services Info Security Officer
175 Whitney Avenue, New Haven, CT 06520-8276, (203)432-1248(voice) 432-0593(FAX)
INET: http://pantheon.yale.edu/~long/ mailto:Morrow.Long@yale.edu
PAGE: (203)370-3081, (800)347-2574, mailto:1165469@pager.mcb.com PIN# 1165469
PGP 1024/54F9FD69 1997/08/25 fp 97 ED E7 9D 41 8A 90 8C 4D 7C 22 56 80 BA 84 09

From firewalls-owner Tue Jan 6 21:43:36 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id TAA06074; Tue, 6 Jan 1998 19:48:03 -0800 (PST)
Received: from pentagon.io.com (pentagon.io.com [199.170.88.5]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id TAA02656 for ; Tue, 6 Jan 1998 19:31:20 -0800 (PST)
Received: from localhost (cooper@localhost) by pentagon.io.com (8.8.5/8.8.5) with SMTP id VAA10893; Tue, 6 Jan 1998 21:31:26 -0600 (CST)
X-Authentication-Warning: pentagon.io.com: cooper owned process doing -bs
Date: Tue, 6 Jan 1998 21:31:26 -0600 (CST)
From: William Cooper
To: Gordon LaSane
cc: MacGyver , Firewalls Mailing List
Subject: RE: Stateful Inspection Anyone? Explore your options.
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 6 Jan 1998, Gordon LaSane wrote:
> Visit http://www.xxxxxxxxxxxxxx.com or contact me.

[shameless advertising deleted]

i haven't checked the charter recently, but almost certainly this kind of blatant advertising is not permitted, at the very least it's not appropriate for dist. to the list (IMO) so keep it in private email.

> Hi folks,
>
> I've been wondering this for a while, but just haven't gotten
> around to
> asking anyone yet:
>
> Checkpoint's Firewall-1 has a feature known as "stateful
> inspection"

"stateful inspection" is not a feature, it's the name for the technology upon which the FireWall-1 product is based. in a nutshell it refers to the fact that each packet is inspected "in context."
say you wanted to allow your users to ftp download to their hosts (protected by FW-1) thru the firewall. now say a packet shows up from the Internet that says it's a packet destined for host 192.3.3.3 (a protected host) and is in response to an FTP request made from that machine. FW-1 looks at that packet in context by examining the logs and searching for the outbound FTP request that this packet is supposed to be in response to. if there was no outbound request, the incoming packet is refused.

> which
> they tout as the end-all and be-all of packet-filtering and
> inspection.
> Anyone had any experience in using this feature or have any
> thoughts
> regarding stateful inspection?

anyone who uses FW-1 has experience w/ stateful inspection.

> How large of a performance
> impact is there
> when stateful inspection is enabled? Are the gains worth the
> added load?

FW-1 will currently run at speeds of up to 86Mbps, w/ fastpath enabled, on a big sun box w/ lots of RAM.

>
> Hope this spurs some interesting discussion.

hope you go do some reading before asking your next question, i applaud your curiosity but your questions should be a little better researched. all of the above info is easy to find.
Regards,
- bill
cooper@io.com

From firewalls-owner Tue Jan 6 21:45:10 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id SAA21076; Tue, 6 Jan 1998 18:42:45 -0800 (PST)
Received: from ALABAMA.CF.CS.YALE.EDU (RT-GW.CS.YALE.EDU [128.36.0.13]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id SAA20900 for ; Tue, 6 Jan 1998 18:42:13 -0800 (PST)
Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU (8.7.1/res.host.cf-4.0) with ESMTP id VAA24449; Tue, 6 Jan 1998 21:42:10 -0500 (EST) sender long-morrow@CS.YALE.EDU for
Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-8.7.1/res.client.cf-4.0) id VAA18330; Tue, 6 Jan 1998 21:42:08 -0500 (EST)
Date: Tue, 6 Jan 1998 21:42:08 -0500 (EST)
Message-Id: <199801070242.VAA18330@SPARKY.CF.CS.YALE.EDU>
To: firewalls@GreatCircle.COM, glasane@gdsconnect.com, macgyver@tos.net
Subject: RE: Stateful Inspection Anyone? Explore your options.
From: "H. Morrow Long"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

There is no guarantee that application specific proxies (aka application level gateways) won't misbehave, malfunction or be misconfigured either.

It is entirely within the realm of possibility that someone someday might come upon a way to make an inbound telnet proxy service on a firewall proxy server overflow a buffer (or overwrite some other memory region) or otherwise discover and exploit a bug which could allow them to bypass a 'strong authentication' challenge and be allowed into an internal corporate network (which is why allowing any inbound access from the Internet to your internal secure net -- even when strongly authenticated -- is always riskier than not doing so.).

>From: Gordon LaSane
...
>One of the biggest complaints about stateful inspection is that if the
>state table becomes corrupt, the network could become vulnerable to the
>outside.
>
>Check out application gateways, these proxy servers take a user's request
>for an Internet service and forward it to the actual service. Proxies
>replace the actual service, acting as a gateway and are for this reason
>commonly referred to as application gateways.

H. Morrow Long, Yale Univ IT ISO -Info Technology Services Info Security Officer
175 Whitney Avenue, New Haven, CT 06520-8276, (203)432-1248(voice) 432-0593(FAX)
INET: http://pantheon.yale.edu/~long/ mailto:Morrow.Long@yale.edu
PAGE: (203)370-3081, (800)347-2574, mailto:1165469@pager.mcb.com PIN# 1165469
PGP 1024/54F9FD69 1997/08/25 fp 97 ED E7 9D 41 8A 90 8C 4D 7C 22 56 80 BA 84 09

From firewalls-owner Tue Jan 6 21:45:51 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id VAA02810; Tue, 6 Jan 1998 21:37:40 -0800 (PST)
Received: from relay2.phx.genuity.net (relay2.phx.genuity.net [207.240.5.57]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id VAA02715 for ; Tue, 6 Jan 1998 21:37:21 -0800 (PST)
Received: from x-files.genuity.net (x-files.genuity.net [207.240.3.45]) by relay2.phx.genuity.net (8.8.7/8.8.5) with ESMTP id FAA08547 for ; Wed, 7 Jan 1998 05:37:46 GMT
Received: by X-FILES with Internet Mail Service (5.0.1458.49) id ; Tue, 6 Jan 1998 22:38:14 -0700
Message-ID: <2E8F4FDB9F00D01186A6080009B30C7F02253FE9@X-FILES>
From: Scott Knievel
To: "'firewalls@greatcircle.com'"
Subject: INSPECT language
Date: Tue, 6 Jan 1998 22:38:11 -0700
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1458.49)
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am looking for some good information on the INSPECT language for CheckPoints FireWall-1 product. Any suggestions?

Thanks,

Scott Knievel
Technical Support Engineer
Genuity Inc.
www.genuity.net

From firewalls-owner Tue Jan 6 22:15:31 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id VAA03519; Tue, 6 Jan 1998 21:45:18 -0800 (PST)
Received: from gate.quick.com.au (gate.quick.com.au [203.12.250.130]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id VAA26994 for ; Tue, 6 Jan 1998 21:16:52 -0800 (PST)
Received: (from sjg@localhost) by gate.quick.com.au (8.8.5/8.7.3) id QAA29168; Wed, 7 Jan 1998 16:16:54 +1100 (EST)
Date: Wed, 7 Jan 1998 16:16:54 +1100 (EST)
From: "Simon J. Gerraty"
Message-Id: <199801070516.QAA29168@gate.quick.com.au>
To: Kerry Jones
Cc: firewalls@greatcircle.com
Subject: Re: Split DNS??
References: <34B2BD37.402DDEBC@aims.gov.au>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Kerry,

>What are the benefits of running split DNS??? Is it more secure?? Or is
>it a pain in the ass which doesn't increase security much at all?? Can
>someone give me a bit of an overview of how it would be done.

The main benefit of running a split DNS is to provide different MX lists to internal vs external MTAs. The alternative is that external mail is always delayed while the first connection attempt to an unreachable internal mailhost times out, or internal mail is needlessly routed via the firewall (which may be unacceptable for other reasons).

The simplest way to run a split DNS is to have a DNS server on the firewall or DMZ (or even your friendly ISP if you trust them) which is registered externally as authoritative for your domain. Then run another server (or two :-) internally that are also authoritative for the domain, but have a more complete picture. Note that your firewall uses the internal nameservers not the external one - that's just for outsiders.

Some folk like split DNS because they think that "hiding" their internal hostnames makes them more secure. Such info leaks out in so many ways that this "security by obscurity" is a myth.
Having said that, there is no need for your external DNS to contain much more than an NS list, an MX list and the address of your firewall.

There are more specific details that need to be sorted out as to how your internal nameservers resolve external names (or even if they do), but the above should get you started.

--sjg

From firewalls-owner Tue Jan 6 22:47:53 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id VAA04825; Tue, 6 Jan 1998 21:50:51 -0800 (PST)
Received: from inergen.sybase.com (inergen.sybase.com [192.138.151.43]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id VAA04669 for ; Tue, 6 Jan 1998 21:50:18 -0800 (PST)
Received: from smtp1.sybase.com (sybgate.sybase.com [130.214.220.35]) by inergen.sybase.com (8.8.4/8.8.4) with SMTP id VAA29970; Tue, 6 Jan 1998 21:52:17 -0800 (PST)
Received: from gwwest.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) id AA15660; Tue, 6 Jan 98 21:53:30 PST
Received: by gwwest.sybase.com(Lotus SMTP MTA v1.1 (385.6 5-6-1997)) id 88256585.002079A3 ; Tue, 6 Jan 1998 21:54:42 -0800
X-Lotus-Fromdomain: SYBASENOTES
From: "Ryan Russell"
To: glasane@gdsconnect.com
Cc: macgyver@tos.net, firewalls@GreatCircle.COM
Message-Id: <88256585.001FDAA6.00@gwwest.sybase.com>
Date: Tue, 6 Jan 1998 21:49:15 -0800
Subject: RE: Stateful Inspection Anyone? Explore your options.
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

One of the biggest complaints about proxies is that if the TCP connection table becomes corrupt, the network could become vulnerable to the outside.

Quit spreading FUD.

Ryan

glasane@gdsconnect.com on 01/06/98 01:37:03 PM

To: macgyver@tos.net, firewalls@GreatCircle.COM
cc: (bcc: Ryan Russell/SYBASE)
Subject: RE: Stateful Inspection Anyone? Explore your options.
One of the biggest complaints about stateful inspection is that if the state table becomes corrupt, the network could become vulnerable to the outside.

Check out application gateways, these proxy servers take a user's request for an Internet service and forward it to the actual service. Proxies replace the actual service, acting as a gateway and are for this reason commonly referred to as application gateways.

Visit http://www.securecomputing.com or contact me.

Gordon LaSane

Global Data Systems, Inc.
Internet and Intranet Firewalls and Security Group
Consulting and Installing Solutions for Your Company's Data Security:
Remote User Authentication
Internet Access
Virtual Private Networks
Web Filtering
Intranets
Firewalls

Gordon LaSane
781/740-8818 x13 ph
781/740-8830 fax
glasane@gdsconnect.com
Visit us on the web at http://www.gdsconnect.com

-----Original Message-----
From: MacGyver [SMTP:macgyver@tos.net]
Sent: Tuesday, January 06, 1998 11:55 AM
To: Firewalls Mailing List
Subject: Stateful Inspection Anyone?

Hi folks,

I've been wondering this for a while, but just haven't gotten around to asking anyone yet:

Checkpoint's Firewall-1 has a feature known as "stateful inspection" which they tout as the end-all and be-all of packet-filtering and inspection. Anyone had any experience in using this feature or have any thoughts regarding stateful inspection? How large of a performance impact is there when stateful inspection is enabled? Are the gains worth the added load?

Hope this spurs some interesting discussion.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Habeeb J. Dihu
Managing Senior Technologist
Cirrus Technologies

'I don't believe in the no-win scenario'
 -- Captain James T. Kirk, Star Trek II: TWK

'There is an old Vulcan proverb, `Only Nixon could go to China.`'
 -- Captain Spock, Star Trek VI: TUC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From firewalls-owner Tue Jan 6 23:45:38 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id WAA15642; Tue, 6 Jan 1998 22:58:16 -0800 (PST)
Received: from mailhub.vector.co.za (mailhub.vector.co.za [192.96.164.70]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id WAA15561 for ; Tue, 6 Jan 1998 22:57:54 -0800 (PST)
Received: from vcsfk.co.za (vcsfk.vector.co.za [192.96.164.71]) by mailhub.vector.co.za (8.7.5/8.7) with SMTP id IAA19757; Wed, 7 Jan 1998 08:57:15 +0200 (SAT)
Received: from vcsfk by vcsfk.co.za (SMI-8.6/SMI-SVR4) id IAA00612; Wed, 7 Jan 1998 08:57:32 -0200
Message-Id: <199801071057.IAA00612@vcsfk.co.za>
Date: Wed, 7 Jan 1998 08:57:31 -0200 (GMT)
From: Feroz Khan - VCS
Reply-To: Feroz Khan - VCS
Subject: Re: FW-1 3.0 and Solaris 2.6 ok?
To: RWaegner@hou.mdc.com, grat@frii.com
Cc: firewalls@GreatCircle.COM
MIME-Version: 1.0
Content-Type: TEXT/plain; charset=us-ascii
Content-MD5: VWCK0tG1j2ZswcO/jo9/oA==
X-Mailer: dtmail 1.2.0 CDE Version 1.2 SunOS 5.6 sun4c sparc
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

There seems to be some confusion with regards to Solaris 2.6 and FW-1. Here is what I have tested:

Checkpoint: Works with 3.0b or greater.

Solstice: Must be installed on 2.5.1 first. One of the following patches must then be installed:

  Non-VPN - 105477
  VPN-FWZ - 105478
  VPN-DES - 105474

At this point, you can do an OS upgrade to Solaris 2.6.
Hope this helps,
Feroz

From firewalls-owner Wed Jan 7 02:37:29 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id BAA21075; Wed, 7 Jan 1998 01:45:52 -0800 (PST)
Received: from szrtfw2.szerencsejatek.hu ([194.88.40.3]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id AAA12370 for ; Wed, 7 Jan 1998 00:58:30 -0800 (PST)
Message-Id: <199801070858.AAA12370@honor.greatcircle.com>
Received: from SZRTFW2 [194.88.40.3] (HELO localhost) by szrtfw2.szerencsejatek.hu (AltaVista Mail V1.0/1.0 BL18 listener) id 0000_002b_34b3_4438_3490; Wed, 07 Jan 1998 10:00:40 +0100
From: "Takacs Istvan"
To:
Subject: LanOptics Guardian???
Date: Wed, 7 Jan 1998 08:04:23 +0100
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1162
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-2
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

Have you ever used that firewall above? What is your experience? I've read some articles about it, but they seem as an official advertisement from the LanOptics.

Thank you.

Regards.
Istvan Takacs
mailto:anonymus@mail.matav.hu

From firewalls-owner Wed Jan 7 04:45:54 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id DAA08550; Wed, 7 Jan 1998 03:49:48 -0800 (PST)
Received: from send1b.yahoomail.com (send1b.yahoomail.com [205.180.60.23]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id DAA08511 for ; Wed, 7 Jan 1998 03:49:33 -0800 (PST)
Message-ID: <19980107114944.20663.rocketmail@send1b.yahoomail.com>
Received: from [193.106.105.2] by send1b; Wed, 07 Jan 1998 03:49:44 PST
Date: Wed, 7 Jan 1998 03:49:44 -0800 (PST)
From: BEAUVALOT Erik
Subject: Re: Real Audio
To: Rick Murphy , Paul Jones
Cc: firewalls@GreatCircle.COM
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

take a look at :

http://www.beauvalot.com/ra

You have everything to configure your proxy to be able to play real audio file ....

Regards,

---Rick Murphy wrote:
>
> At 02:59 PM 1/6/98 PST, Paul Jones wrote:
> >We would like some information regarding the security implications of
> >running Real Audio through our firewall (Gauntlet).
> The Gauntlet RealAudio proxy verifies that the setup protocol is indeed
> RealAudio; once the setup is complete it opens a single point UDP forwarder
> from the outside to the system running the player.
> Given the nature of the protocol, and the endpoint verification, there's
> not much you could do to exploit the connection.
>
> If you permit HTTP, you shouldn't be worried about RealAudio/RealVideo.
> HTTP hosts all sorts of exploits..
> -Rick
>
>

_________________________________________________________
DO YOU YAHOO!?
Get your free @yahoo.com address at http://mail.yahoo.com From firewalls-owner Wed Jan 7 05:31:11 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA18949; Wed, 7 Jan 1998 05:15:08 -0800 (PST) Received: from honcho.columbiasc.ncr.com (h153-78-17-231.NCR.COM [153.78.17.231]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id FAA18931 for ; Wed, 7 Jan 1998 05:14:50 -0800 (PST) Received: from exchsmtp.ColumbiaSC.NCR.COM (xgate.ColumbiaSC.NCR.COM [153.78.17.107]) by honcho.columbiasc.ncr.com (8.7.6/8.6.12) with SMTP id IAA01713 for ; Wed, 7 Jan 1998 08:15:13 -0500 (EST) Received: by exchsmtp.ColumbiaSC.NCR.COM with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BD1B44.07FB2EB0@exchsmtp.ColumbiaSC.NCR.COM>; Wed, 7 Jan 1998 08:12:44 -0500 Message-ID: From: "Caldwell, Matt" To: "'firewalls@GreatCircle.COM'" Subject: RE: firewall audit service referral Date: Wed, 7 Jan 1998 08:14:12 -0500 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk However, remote penetration testing does have its pros. It saves the customer travel time and the expenses associated. It is always good to investigate who you are dealing with, and to at least see someone face to face to talk about non-disclosure agreements and that sort of thing. I have had an incident in which the roles were switched: the customer was not legitimate and wanted me to attack a legitimate company. Beware who you do business with and how. I have learned one thing and that is security is not inherently safety. Matthew F.
Caldwell - Security Analyst =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Visionary Corporate Computing Concepts (VC3) Email: matt.caldwell@vc3.com Company Web: http://www.vc3.com/ Personal Web: http://www.vc3.com/~caldwm Office Phone: 803-733-7333 =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= >---------- >From: Frank Willoughby[SMTP:frankw@in.net] >Sent: Wednesday, December 31, 1997 11:08 PM >To: James Terry >Cc: firewalls@GreatCircle.COM >Subject: Re: firewall audit service referral > >At 11:14 AM 12/31/97 -0800, James Terry allegedly >wrote: > >8< [snip] > > >>Hello, >> >>could anyone recommend a good firewall testing service? >> >>thanks, >>james@imx-exchange.com > >It depends on what you are looking for. > >Fortified Networks does firewall testing for customers (corporations, >governments, etc). > >FNITL is an independent test laboratory for testing firewalls & other >InfoSec products. >The most frequent testing performed are Quality Assurance Tests of Internet >Firewalls >& other InfoSec products - primarily for vendors, etc. > >CAUTION: >Beware of any organizations which will perform a remote firewall >penetration test. >This is an inherently dangerous practice which has the potential of leading >hackers >to their next victims. > >Best Regards, > > >Frank >The opinions of the author of this mail may not necessarily be >representative of the opinions of Fortifed Networks, Inc. > >Fortified Networks, Inc. 
- http://www.fortified.com/ >Home of the Free Internet Firewall Evaluation Checklist >Expert (vendor-neutral) Computer and Network Security Solutions >Phone: (317) 573-0800 Fax: (317) 573-0817 > From firewalls-owner Wed Jan 7 06:01:55 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id DAA05025; Wed, 7 Jan 1998 03:21:05 -0800 (PST) Received: from staffmail.ccn.ac.uk (staffmail.ccn.ac.uk [194.66.186.89]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id DAA04983 for ; Wed, 7 Jan 1998 03:20:42 -0800 (PST) Received: by staffmail.ccn.ac.uk with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5) id <01BD1B5E.6E8D4630@staffmail.ccn.ac.uk>; Wed, 7 Jan 1998 11:21:43 -0000 Message-ID: From: "Marriage, Michael" To: "'firewalls@GreatCircle.COM'" Subject: MS Proxy and netmeeting Date: Wed, 7 Jan 1998 11:21:41 -0000 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Has anyone configured MS Proxy to work with netmeeting? If so what are the key points that I should be looking at. We have barred NETBIOS like packets on site though our router. Is this going to cause problems with Netmeeting. Is there an up to date list of TCP/IP information on ports used by the myriad microsoft network aware packages in a human readable form for us very mere mortals. i.e. 
Net Meeting Secure HTTP ( ok so it's not Microsoft but they use it ) NetBIOS Visual interdev ( copy to web functions ) ODBC --------------------------------------------------------------------- Mike Marriage Systems Engineering Team Leader City College Norwich Email mikem@ccn.ac.uk Tel 01603 773025 Fax 01603 773122 ( Please mark for my attention ) ------------------------------------------------------------------------ - From firewalls-owner Wed Jan 7 06:16:00 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA23760; Wed, 7 Jan 1998 06:03:09 -0800 (PST) Received: from lafcol (lafcol.lafayette.edu [139.147.8.5]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id GAA23732 for ; Wed, 7 Jan 1998 06:02:59 -0800 (PST) Received: from localhost by lafcol (SMI-8.6/SMI-SVR4) id JAA05054; Wed, 7 Jan 1998 09:02:44 -0500 Date: Wed, 7 Jan 1998 09:02:37 -0500 (EST) From: John Mulligan To: firewalls@GreatCircle.COM Subject: Re: E-mail Encryption In-Reply-To: Message-ID: X-UIN: 1058259 X-URL: http://www.lafayette.edu/~mulligaj MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk -----BEGIN PGP SIGNED MESSAGE----- On Tue, 6 Jan 1998, Greg Whalin wrote: > How about PGP? Or how about Netscape with client certificates? This may not be what you are looking for, but I recently purchased Eudora Pro 3.03 and it came bundled with a PGP 5 plug-in. It was integrated rather nicely with the mailer (and the Win95 file explorer as well). The bundle I got had no support for RSA keys, just DSS, but you can download an upgrade to use RSA keys for just $5. It may be a good solution if you have a whole lot of "regular" users that don't want a lot of hassle. I would definitely look into PGP rather than other encryption products. It's (sort-of) free, the source is public so it's secure, and it is already widely used. Also... 
I just read an article in Computer Shopper about how the IETF is considering using PGP as a standard for email encryption/signing. I don't know how true that is, but it is something to consider. ....If someone cares to comment (off the list) about that. One more... I use PINE 3.93 to send most of my mail, and it comes with hooks built in to use PGP. It's a great solution if you need unix platform stuff. Well... that's my two cents. - - john John P. Mulligan -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQB1AwUBNLOLAn+KnP1k0ErJAQH6XQMAun3QRjE3ERT/TbWu/gDU7Yr4vLWOCpr5 wWrW8BL84FjWHXjPH2fMipNrMhY1SUaJ0t0vCKpDpAaw4yRbd6gKzZe90JnEHA5p LuCv2q/cmEoL7jTBuvh6oikKmxEgeP9u =qytl -----END PGP SIGNATURE----- From firewalls-owner Wed Jan 7 06:31:02 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id DAA08163; Wed, 7 Jan 1998 03:48:00 -0800 (PST) Received: from uwns.underworld.net (uwns.student.umd.edu [129.2.176.105]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id DAA08100 for ; Wed, 7 Jan 1998 03:47:43 -0800 (PST) Received: from localhost (carl@localhost) by uwns.underworld.net (8.8.7/8.8.6) with SMTP id GAA10784; Wed, 7 Jan 1998 06:47:37 -0500 Date: Wed, 7 Jan 1998 06:47:36 -0500 (EST) From: carl X-Sender: carl@uwns.underworld.net To: Ederlindo Cojuangco cc: Alan Bolt , "Grigorof, Adrian" , firewalls@GreatCircle.COM Subject: Re: E-mail Encryption In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk www.pgp.com would probably be a pretty good place to start... Carl Downing Outside Broadcast Network "Why did he bother her?" On Wed, 7 Jan 1998, Ederlindo Cojuangco wrote: > Is there any site where we can download it? All I got from my > search is only an information but no software to use it. Can anybody have > any idea on this matter? > Thanks in advance. 
> > ederts > > On Tue, 6 Jan 1998, Alan Bolt wrote: > > > Have you not looked into PGP? > > It has grown to have much better interface > > for users and does what you seem to want > > > > Bobby Brown > > Network Administrator > > Allen Systems Group > > > > ---------- > > > From: Grigorof, Adrian > > > To: firewalls@greatcircle.com > > > Subject: E-mail Encryption > > > Date: Tuesday, January 06, 1998 3:21 PM > > > > > > I am looking for a product to be used in encrypting e-mail to be sent > > > over the Internet. I've heard something about a product called Puffer by > > > Briggs Softworks but I haven't tested it so far. > > > > > > The ideal software should be user friendly otherwise it won't be used by > > > "normal" users...how can you stop them from sending clear text messages > > > or unencrypted attachments? > > > > > > Any ideas, suggestions? > > > > > > Thanks, > > > > > > Adrian Grigorof > > > Internet Administrator > > > Bell Mobility Cellular Inc. > > > Toronto > > > www.bellmobility.ca > > > > > > > > > > > > > > > > > > > > > From firewalls-owner Wed Jan 7 07:05:43 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id DAA08502; Wed, 7 Jan 1998 03:49:29 -0800 (PST) Received: from mail.zrz.TU-Berlin.DE (mail.zrz.TU-Berlin.DE [130.149.4.15]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id BAA15671 for ; Wed, 7 Jan 1998 01:16:11 -0800 (PST) Received: from fb3-s7.math.tu-berlin.de by mail.zrz.TU-Berlin.DE with SMTP (IC-PP); Wed, 7 Jan 1998 10:14:58 +0100 Received: from fb3-s12.math.TU-Berlin.DE by fb3-s7.math.tu-berlin.de with SMTP id AA02599 (5.67b8/IDA-1.4.4); Wed, 7 Jan 1998 10:14:47 +0100 Received: by fb3-s12.math.tu-berlin.de id AA18809 (5.67b8/IDA-1.4.4); Wed, 7 Jan 1998 10:13:46 +0100 Date: Wed, 7 Jan 1998 10:13:46 +0100 Message-Id: <199801070913.AA18809@fb3-s12.math.tu-berlin.de> From: Bogdan Pelc To: kjones@aims.gov.au Cc: firewalls@greatcircle.com In-Reply-To: <34B2BD37.402DDEBC@aims.gov.au> 
(message from Kerry Jones on Wed, 07 Jan 1998 09:24:39 +1000) Subject: Re: Split DNS?? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >>>>> "KJ" == Kerry Jones writes: KJ> Hi, This is a great Mailing list..I am so impressed with the answers KJ> I got from my last question DNS on Firewalls!!.. I'm going to ask KJ> another.. KJ> What are the benefits of running split DNS??? Is it more secure?? Or KJ> is it a pain in the ass which doesn't increase security much at all?? KJ> Can someone give me a bit of an overview of how it would be done. KJ> Is it a simple matter of running 1 DNS on the DMZ (for internet) and KJ> another totally separate DNS on the internal network (for local KJ> machines)?? Would the 2 DNS servers be totally independent of one KJ> another or would one have to update the other one? KJ> Thanks in advance... KJ> -- Kerry Jones kjones@aims.gov.au Hi, I am new on the list, so hello everybody. DNS. Some firewalls have their own split-DNS proxies, which implement secure DNS (for example Eagle from Raptor). The most secure way to set up DNS that I know is: 2 DNS servers. The first is on the firewall. It's a fake server. It knows only about the ftp, www and so on. So it knows the firewall itself and some machines on the DMZ you want to expose. But be careful: I would do IP redirection in order to hide the IP information for the DMZ! The second is on your internal network. It knows all internal machines. Attention: the machines should be configured so that: 1. Internal machines, DMZ machines _AND_ the firewall itself (!!!) (so all machines) ask the internal server for the IP. If it is an internal IP, then it knows it (it is the primary server for your internal domain). If it is another IP, it forwards the question to the fake server on the FW, which asks the next DNS server on the Internet, and so on. When it gets the answer it replies to the internal server, which replies to the machine. There are some problems with the IN-addr.arpa but one can do it right. Hope it helps. 
-- ____________________________________________________________________________ Bogdan Pelc; Sekr. MA 6-3, Ma682; Tel: 030-31423607, 030-31422491 pelc@math.tu-berlin.de Do You realize , that this world is totally FUGAZI, where are the poets, where are the visionaries ... (FISH) From firewalls-owner Wed Jan 7 07:27:11 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA28823; Wed, 7 Jan 1998 02:45:49 -0800 (PST) Received: from voyager.viser.net (voyager.viser.net [209.104.200.8]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id CAA25882 for ; Wed, 7 Jan 1998 02:18:29 -0800 (PST) From: brian@viser.net Received: from viser.net (salm-40.viser.net [209.104.200.70]) by voyager.viser.net (8.8.7/8.8.7) with SMTP id CAA27696; Wed, 7 Jan 1998 02:21:30 -0800 (PST) Date: Wed, 7 Jan 1998 02:21:30 -0800 (PST) Message-Id: <199801071021.CAA27696@voyager.viser.net> To: brian@viser.net Subject: Warning! Sender: firewalls-owner@GreatCircle.COM Precedence: bulk WARNING! AFTER YOU CALL MY AMAZING RECORDED HOTLINE at the phone number below and receive your FREE report, NO OTHER PASSAGE TO WEALTH WILL EVER MAKE SENSE TO YOU AGAIN! I will show you how to eliminate your fears of being poor forever! DISCOVER THE SECRETS TO IMMEDIATE HOME BASED INCOME! I have invented a failproof automatic money generating business that works by itself, month after month and YEAR AFTER YEAR, BY ITSELF! If you are interested in becoming successful NOW! Then simply CALL MY AMAZING RECORDED MESSAGE AT 503-390-5735 or 503-371-5848 and you will receive your FREE information about how you will become successful IMMEDIATELY! Thank you, National Home Office Council Brian L. 
Lee President From firewalls-owner Wed Jan 7 08:10:20 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id BAA21300; Wed, 7 Jan 1998 01:48:32 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id BAA16205 for ; Wed, 7 Jan 1998 01:17:47 -0800 (PST) Received: from inet.unisource.nl by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id BAA29002; Wed, 7 Jan 1998 01:16:40 -0800 (PST) Received: from inet.unisource.nl (lassie.gv-itf.unisource.nl [62.12.30.6]) by inet.unisource.nl (8.8.5/8.8.5) with ESMTP id KAA13055 for ; Wed, 7 Jan 1998 10:17:39 +0100 (MET) Message-ID: <34B346FD.604A8185@inet.unisource.nl> Date: Wed, 07 Jan 1998 10:12:29 +0100 From: Andre van der Lans Organization: Unisource Business Networks X-Mailer: Mozilla 4.03 [en] (X11; I; Linux 2.0.30 i586) MIME-Version: 1.0 To: firewalls@GreatCircle.COM Subject: Audit and Scanning tools Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Buenos dias, Buenos nodges, Buenos Aires Does anybody know if there are some audit and scanning tools available for firewalls, which can automatically scan logfiles for hacking attempts and which can generate reports on traffic and other activities? Regards, Andre -- Andre van der Lans Unisource Business Networks Netherlands bv Koningin Sophie St 120, 2595 TM The Hague Tel +31 703711069, Fax +31 703712638 Email: andre.van.der.lans@inet.unisource.nl From firewalls-owner Wed Jan 7 08:23:35 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id AAA03459; Wed, 7 Jan 1998 00:20:27 -0800 (PST) Received: from inet.unisource.nl (mail.inet.unisource.nl [194.151.95.4]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id AAA03395 for ; Wed, 7 Jan 1998 00:20:12 -0800 (PST) Received: from inet.unisource.nl 
(lassie.gv-itf.unisource.nl [62.12.30.6]) by inet.unisource.nl (8.8.5/8.8.5) with ESMTP id JAA12368; Wed, 7 Jan 1998 09:20:36 +0100 (MET) Message-ID: <34B3399E.FC1D7A47@inet.unisource.nl> Date: Wed, 07 Jan 1998 09:15:26 +0100 From: Andre van der Lans Organization: Unisource Business Networks X-Mailer: Mozilla 4.03 [en] (X11; I; Linux 2.0.30 i586) MIME-Version: 1.0 To: Randall Kizer , firewalls@GreatCircle.COM Subject: Re: Firewall for ISP References: <3.0.3.32.19971219073449.0092f250@guten.sannet.gov> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Randall Kizer wrote: > > Jaime, > > We've just implemented a PIX firewall to evaluate it. Would you, or anyone > else reading this e-mail, please share your experiences with this product. > You mentioned "it has some weakness", can you be more specific? What are > some of its strengths? > > Randall > rkizer@sddpc.org > > >From: "Jaime Blanco" > >To: > >Cc: > >Subject: Firewall for ISP > >Date: Wed, 17 Dec 1997 20:38:06 -0500 Buenos dias, The Cisco PIX isn't really a firewall. It's a cut-through proxy, which means that when a packet is checked for authentication, the PIX is simply going to forward all these packets and none of the following packets are being screened. It's difficult to get the logging done, and the logging is also done with syslog on a remote machine (the PIX hasn't got a hard disk). Another issue is that the GUI quits working when the configuration file has more than 400 entries. Last but not least, the Cisco PIX is an expensive product and for the same price or less you can get a much better firewall. 
-- Andre van der Lans Unisource Business Networks Netherlands bv Koningin Sophie St 120, 2595 TM The Hague Tel +31 703711069, Fax +31 703712638 Email: andre.van.der.lans@inet.unisource.nl From firewalls-owner Wed Jan 7 09:01:30 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA12580; Wed, 7 Jan 1998 07:33:55 -0800 (PST) Received: from mail.baileynm.com (fw.baileynm.com [206.109.159.11]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id HAA12550 for ; Wed, 7 Jan 1998 07:33:46 -0800 (PST) Received: (qmail 22396 invoked from smtpd); 7 Jan 1998 15:34:16 -0000 Received: from web.nmti.com (root@198.178.0.201) by fw.nmti.com with SMTP; 7 Jan 1998 15:34:16 -0000 Received: from baileynm.com (grendel.nmti.com [198.178.0.150]) by web.nmti.com (8.6.12/8.6.9) with SMTP id JAA24190; Wed, 7 Jan 1998 09:34:15 -0600 Received: by baileynm.com; (5.65v3.2/1.1.8.2/08Sep97-0924AM) id AA10534; Wed, 7 Jan 1998 09:36:59 -0600 From: Peter da Silva Message-Id: <9801071536.AA10534@baileynm.com> Subject: Re: E-mail Encryption To: macgyver@tos.net (MacGyver) Date: Wed, 7 Jan 1998 09:36:59 -0600 (CST) Cc: firewalls@GreatCircle.COM In-Reply-To: <199801070018.SAA31044@starbase.tos.net> from "MacGyver" at Jan 6, 98 06:14:58 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Using Eudora 4.0 onward (I'm not sure if previous versions support this > feature), you have the ability to set an "output filter", which can be set > to call any arbitrary program. PGP 5.0+ has a Eudora plugin option that > you can use to automagically guarantee that all emails sent out are > encrypted in an invisible way to the user. Unfortunately PGP 5.0+ encryption is incompatible with PGP 2.6, which is what most of the people who use PGP are using. 
I understand the political reasons for switching to D-H key exchange to get out from under RSA, but I'm going to stick with 2.6 until there's a really compatible upgrade path that works on both protocols and all platforms. From firewalls-owner Wed Jan 7 09:32:34 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id BAA22455; Wed, 7 Jan 1998 01:58:07 -0800 (PST) Received: from binariang.maxisnet.com.my ([202.190.228.82]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id BAA13035 for ; Wed, 7 Jan 1998 01:02:28 -0800 (PST) Received: from SUBGTD-Message_Server by binariang.maxisnet.com.my with Novell_GroupWise; Wed, 07 Jan 1998 16:48:47 +0800 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Wed, 07 Jan 1998 17:48:18 +0800 From: Low Peng Chiew (Griffin) To: glasane@gdsconnect.com, ryanr@sybase.com Cc: firewalls@GreatCircle.COM, macgyver@tos.net Subject: Re: RE: Stateful Inspection Anyone? Explore your options. Mime-Version: 1.0 Content-Type: text/plain Content-Disposition: inline Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >>> "Ryan Russell" 01/07 1:49 PM >>> One of the biggest complaints about proxies is that if the TCP connection table becomes corrupt, the network could become vulnerable to the outside. Quit spreading FUD. -Are you implying that this is only a very small possibility -or none at all? -ciao! 
----- he who knows not, -------------------- ------and knows not he knows not, ---- ------he's probably a salesman-------- From firewalls-owner Wed Jan 7 10:14:32 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id BAA21943; Wed, 7 Jan 1998 01:53:58 -0800 (PST) Received: from mail.zrz.TU-Berlin.DE (mail.zrz.TU-Berlin.DE [130.149.4.15]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id BAA17571 for ; Wed, 7 Jan 1998 01:23:44 -0800 (PST) Received: from fb3-s7.math.tu-berlin.de by mail.zrz.TU-Berlin.DE with SMTP (IC-PP); Wed, 7 Jan 1998 10:23:20 +0100 Received: from fb3-s12.math.TU-Berlin.DE by fb3-s7.math.tu-berlin.de with SMTP id AA02798 (5.67b8/IDA-1.4.4); Wed, 7 Jan 1998 10:23:13 +0100 Received: by fb3-s12.math.tu-berlin.de id AA09645 (5.67b8/IDA-1.4.4); Wed, 7 Jan 1998 10:22:12 +0100 Date: Wed, 7 Jan 1998 10:22:12 +0100 Message-Id: <199801070922.AA09645@fb3-s12.math.tu-berlin.de> From: Bogdan Pelc To: kjones@aims.gov.au Cc: firewalls@greatcircle.com In-Reply-To: <34B1C8DC.2BE94D49@aims.gov.au> (message from Kerry Jones on Tue, 06 Jan 1998 16:02:04 +1000) Subject: Re: DNS on firewall?? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, Simple question. Is it a good idea to run a DNS server on a Firewall????? AUNIC require at least 2 DNS servers, so I am trying to decide where to configure the 2nd DNS server for our domain (Primary one is currently on the DMZ). Will putting the secondary DNS on the firewall create a ==== I would not place primary DNS for my internal domain on the DMZ. ==== security hole in the Firewall which would best be avoided???????? Is it acceptable (secure) to put the DNS and other services (e.g. http/ftp) on the Firewall?? What do you think?? What are your opinions?? I have a fairly standard setup as follows; Internet | router | firewall - dmz (1 machine: http/ftp/dns) | internal network. Oh, please. Primary DNS on ftp/http-Host? Are you sure it is secure? 
====== It is a three-homed FW. It is not the first time I have seen someone call this a DMZ. It is not a DMZ; it is only one interface of the firewall. It would be a DMZ if you had a router between the FW and the internal net. You ask what's the difference? I say, think about sniffing :) === [... TEXT DELETED ...] So long! -- ____________________________________________________________________________ Bogdan Pelc; Sekr. MA 6-3, Ma682; Tel: 030-31423607, 030-31422491 pelc@math.tu-berlin.de Do You realize , that this world is totally FUGAZI, where are the poets, where are the visionaries ... (FISH) From firewalls-owner Wed Jan 7 10:32:17 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA08395; Wed, 7 Jan 1998 07:15:53 -0800 (PST) Received: from eos4.edmin.com (eos4.edmin.com [207.67.208.3]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id GAA01600 for ; Wed, 7 Jan 1998 06:45:04 -0800 (PST) Received: from eos4 (eos4.edmin.com [207.67.208.3]) by eos4.edmin.com (8.8.5/8.8.9) with SMTP id GAA04269; Wed, 7 Jan 1998 06:47:01 -0800 (PST) Date: Wed, 7 Jan 1998 06:47:00 -0800 (PST) From: bk X-Sender: sp@eos4 To: Ederlindo Cojuangco cc: Alan Bolt , "Grigorof, Adrian" , firewalls@GreatCircle.COM Subject: Re: E-mail Encryption In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk good morning: for eudora with the pgp plugin try: www.qualcomm.com or www.eudora.com for pgp: www.pgp.com bobbi On Wed, 7 Jan 1998, Ederlindo Cojuangco wrote: > Is there any site where we can download it? All I got from my > search is only an information but no software to use it. Can anybody have > any idea on this matter? > Thanks in advance. > > ederts > > On Tue, 6 Jan 1998, Alan Bolt wrote: > > > Have you not looked into PGP? 
> > It has grown to have much better interface > > for users and does what you seem to want > > > > Bobby Brown > > Network Administrator > > Allen Systems Group > > > > ---------- > > > From: Grigorof, Adrian > > > To: firewalls@greatcircle.com > > > Subject: E-mail Encryption > > > Date: Tuesday, January 06, 1998 3:21 PM > > > > > > I am looking for a product to be used in encrypting e-mail to be sent > > > over the Internet. I've heard something about a product called Puffer by > > > Briggs Softworks but I haven't tested it so far. > > > > > > The ideal software should be user friendly otherwise it won't be used by > > > "normal" users...how can you stop them from sending clear text messages > > > or unencrypted attachments? > > > > > > Any ideas, suggestions? > > > > > > Thanks, > > > > > > Adrian Grigorof > > > Internet Administrator > > > Bell Mobility Cellular Inc. > > > Toronto > > > www.bellmobility.ca > > > > > > > > > > > > > > > > > > > > > > From firewalls-owner Wed Jan 7 12:05:54 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id BAA21330; Wed, 7 Jan 1998 01:48:53 -0800 (PST) Received: from mail.zrz.TU-Berlin.DE (mail.zrz.TU-Berlin.DE [130.149.4.15]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id BAA21310 for ; Wed, 7 Jan 1998 01:48:39 -0800 (PST) Received: from fb3-s7.math.tu-berlin.de by mail.zrz.TU-Berlin.DE with SMTP (IC-PP); Wed, 7 Jan 1998 10:49:00 +0100 Received: from fb3-s12.math.TU-Berlin.DE by fb3-s7.math.tu-berlin.de with SMTP id AA03442 (5.67b8/IDA-1.4.4); Wed, 7 Jan 1998 10:48:53 +0100 Received: by fb3-s12.math.tu-berlin.de id AA09611 (5.67b8/IDA-1.4.4); Wed, 7 Jan 1998 10:47:52 +0100 Date: Wed, 7 Jan 1998 10:47:52 +0100 Message-Id: <199801070947.AA09611@fb3-s12.math.tu-berlin.de> From: Bogdan Pelc To: sjg@quick.com.au Cc: kjones@aims.gov.au, firewalls@greatcircle.com In-Reply-To: <199801070516.QAA29168@gate.quick.com.au> (sjg@quick.com.au) Subject: Re: Split DNS?? 
Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >>>>> "SJG" == Simon J Gerraty writes: SJG> Kerry, >> What are the benefits of running split DNS??? Is it more secure?? Or >> is it a pain in the ass which doesn't increase security much at all?? >> Can someone give me a bit of an overview of how it would be done. SJG> The main benefit of running a split DNS is to provide different MX SJG> lists to internal vs external MTAs. The alternative is that SJG> external mail is always delayed while the first connection attempt SJG> to an unreachable internal mailhost times out, or internal mail is SJG> needlessly routed via the firewall (which may be unacceptable for SJG> other reasons). SJG> The simplest way to run a split DNS is to have a DNS server on the SJG> firewall or DMZ (or even your friendly ISP if you trust them) which SJG> is registered externally as authoritative for your domain. Then run SJG> another server (or two :-) internally that are also authoritative SJG> for the domain, but have a more complete picture. Note that your SJG> firewall uses the internal nameservers not the external one - that's SJG> just for outsiders. Yeah. SJG> Some folk like split DNS because they think that "hiding" their SJG> internal hostnames makes them more secure. Such info leaks out in SJG> so many ways that this "security by obscurity" is a myth. Really. If I have the FW configured so that I have service redirections and IP hiding, and I have no modems in my company which I don't know about, then there is no way for an internal IP to go to the outside world. 
I mean there is no way through the FW. I don't mean that one worker tells it to somebody and he tells it to somebody and so on, but a hacker on the other side of our Earth would in most cases know none of my workers and their friends (I hope so :) If I have proxies then I have this plus, that I cannot talk to ftp, http and so on directly, only through my proxies, and if they are intelligent (for example, after 1000 POST operations within some time interval, they drop the connection) then I am a little bit in plus. BTW. I would take the test IP addresses (192.168.* and 10.* and so on) for my internal network. So the IP range is known, but if I have a FW in between I can do nothing to get to my internal machines (well, nearly nothing). I think it is a kind of security. For I can do source routing, but my FW hopefully does not route such packets. My FW does IP spoofing detection. Test IPs are not routable through the Internet (they should not be routable). And if a hobby invader tries to get into my company (it is NOT tu-berlin.de :))) it is more difficult for him if I have IP hiding. If he's a pro then I have a big problem, but then it is not only IP hiding where I have problems. But if my DNS is secure then I have some plus on my side, but if it is insecure (it is really easy to do it so) then I have no chance and the /etc/motd says to me on a rainy morning: I got you! And the rain becomes heavier and heavier ... ;))) SJG> Having said that, there is no need for your external DNS to contain SJG> much more than an NS list, an MX list and the address of your SJG> firewall. SJG> There are more specific details that need to be sorted out as to how SJG> your internal nameservers resolve external names (or even if they SJG> do), but the above should get you started. SJG> --sjg What are your Opinions? -- ____________________________________________________________________________ Bogdan Pelc; Sekr. 
MA 6-3, Ma682; Tel: 030-31423607, 030-31422491 pelc@math.tu-berlin.de Do You realize , that this world is totally FUGAZI, where are the poets, where are the visionaries ... (FISH) From firewalls-owner Wed Jan 7 12:15:02 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA01831; Wed, 7 Jan 1998 11:17:53 -0800 (PST) Received: from gte.com (h132-197-8-26.gte.com [132.197.8.26]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id KAA27884 for ; Wed, 7 Jan 1998 10:58:37 -0800 (PST) Received: from [132.197.71.1] by gte.com (8.8.4/8.8.4) X-Sender: rhb1@pophost.gte.com Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Wed, 7 Jan 1998 15:11:23 -0400 To: rmckosky@gte.com, enorris@gte.com, djuitt@gte.com, ccarroll@gte.com, Jyri Kaljundi , Firewalls@GreatCircle.COM, rhb1@gte.com From: rhb1@gte.com (Bob Bryant) Subject: test Sender: firewalls-owner@GreatCircle.COM Precedence: bulk test ******************************************************************************* Robert Bryant email rhb1@gte.com Member Technical Staff Fax 617-466-2838 Secure Systems Department GTE Labrotories office ph 617-466-2821 40 Sylvan Rd MS/55 Cell ph 617-733-7757 Waltham, MA 02254 **************************************************************************** *** From firewalls-owner Wed Jan 7 12:26:48 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA14129; Wed, 7 Jan 1998 12:13:09 -0800 (PST) Received: from redcross.dk (ns.redcross.dk [147.29.204.52]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id MAA14094 for ; Wed, 7 Jan 1998 12:12:59 -0800 (PST) Received: from [192.168.51.1] by redcross.dk with ESMTP (Eudora Internet Mail Server 2.0); Wed, 7 Jan 1998 21:23:45 +0100 X-Sender: lars-bertelsen@mail.redcross.dk Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-Mailer: Eudora 2.0.1 X-Charset: US-DK X-Char-Esc: 29 To: 
firewalls@GreatCircle.COM From: Lars Bertelsen Subject: Cern HTTP vs Squid? Date: Wed, 7 Jan 1998 21:23:46 +0100 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Does anyone have an opinion on which of these is the safer to use as a caching HTTP proxy? Silly me! Of course you do! Right? :-)) Lars Bertelsen Gartnervang 29 tlf. 4635 1115 4000 Roskilde, DK e-mail of choice: lbe@login.dknet.dk From firewalls-owner Wed Jan 7 12:29:18 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA01343; Wed, 7 Jan 1998 11:15:17 -0800 (PST) Received: from proxy1.ect.gov.br (proxy1.ect.gov.br [200.18.88.240]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id JAA09646 for ; Wed, 7 Jan 1998 09:38:33 -0800 (PST) Received: from sac00001.desit (unverified [10.1.2.1]) by proxy1.ect.gov.br (EMWAC SMTPRS 0.83) with SMTP id ; Wed, 07 Jan 1998 14:38:10 -0300 Received: by sac00001.desit with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BD1B48.1E659150@sac00001.desit>; Wed, 7 Jan 1998 08:41:59 -0300 Message-ID: From: Alex do Nascimento To: "'Ming Lu'" Cc: "'firewalls@greatcircle.com'" Subject: RE: A site about security Date: Wed, 7 Jan 1998 08:41:58 -0300 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Ming, Try http://www.axent.com/swat/swat.htm Bye Alex. 
>---------- >De: Ming Lu[SMTP:mlu@hq.si.net] >Enviada: Tuesday, January 06, 1998 8:44 PM >Para: Darin Fisher >Cc: 'Olivier NOUET'; 'FWLIST' >Assunto: RE: A site about security > > >I got message:"HTTP/1.0 403 Access Forbidden" > >_ming > > From firewalls-owner Wed Jan 7 12:31:07 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA01965; Wed, 7 Jan 1998 11:19:12 -0800 (PST) Received: from ns.rc.on.ca (ns.ntadvice.com [207.176.151.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id KAA16607 for ; Wed, 7 Jan 1998 10:07:31 -0800 (PST) Received: by ns.rc.on.ca with Internet Mail Service (5.5.1939.0) id ; Wed, 7 Jan 1998 13:07:51 -0500 Message-ID: <418996AD2954D11180860000E8D5C66701868C@ns.rc.on.ca> From: Russ To: "'Firewalls Mailing List'" Subject: Goodbye, and thanks! Date: Wed, 7 Jan 1998 13:07:45 -0500 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.1939.0) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Just a note to say goodbye, and thanks very much. The Firewalls list, and its members, gave me an opportunity that I can never repay, so thanks for that. Unfortunately, 90% of the spam I do receive comes to me through the Firewalls list, and since there clearly is no intention on stopping it, or even curtailing it, the list's usefulness has become null. I'll be establishing a moderated "Using NT with Firewalls" list some time in the near future to promote my favorite topic, I'll let you know. If any non-Telco organization can use an NT Consultant on a recurring basis (say a weekly call for example) drop me a note at Russ.Cooper@rc.on.ca Cheers, Russ Cooper R.C. Consulting, Inc. 
- NT/Internet Security Owner and Moderator of the NTBugTraq mailing list - http://www.ntbugtraq.com From firewalls-owner Wed Jan 7 12:32:59 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA08317; Wed, 7 Jan 1998 11:42:21 -0800 (PST) Received: from ziggy.stardust.com (ziggy.stardust.com [205.184.205.34]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id LAA08197 for ; Wed, 7 Jan 1998 11:42:00 -0800 (PST) Received: from allens (allens.stardust.com [205.184.204.73]) by ziggy.stardust.com (8.8.7/8.8.7) with SMTP id LAA05980; Wed, 7 Jan 1998 11:42:11 -0800 Message-Id: <3.0.5.32.19980107114055.00a21c80@stardust.com> X-Sender: lazlor@stardust.com X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Wed, 07 Jan 1998 11:40:55 -0800 To: Peter da Silva , macgyver@tos.net (MacGyver) From: "Allen K. Smith" Subject: Re: E-mail Encryption Cc: firewalls@GreatCircle.COM In-Reply-To: <9801071536.AA10534@baileynm.com> References: <199801070018.SAA31044@starbase.tos.net> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I use the commercial version of pgp 5.0 and it supports both RSA and DH. At 09:36 AM 1/7/98 -0600, Peter da Silva wrote: >> Using Eudora 4.0 onward (I'm not sure if previous versions support this >> feature), you have the ability to set an "output filter", which can be set >> to call any arbitrary program. PGP 5.0+ has a Eudora plugin option that >> you can use to automagically guarantee that all emails sent out are >> encrypted in an invisible way to the user. > >Unfortunately PGP 5.0+ encryption is incompatible with PGP 2.6, which is >what most of the people who use PGP are using. I understand the political >reasons for switching to D-H key exchange to get out from under RSA, but >I'm going to stick with 2.6 until there's a really compatible upgrade path >that works on both protocols and all platforms. 
> > Allen Smith, lazlor@stardust.com IP Multicast. Turn it on and tune-in to the future. From firewalls-owner Wed Jan 7 12:34:39 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA28100; Wed, 7 Jan 1998 10:59:47 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id KAA28050 for ; Wed, 7 Jan 1998 10:59:35 -0800 (PST) Received: from camel8.mindspring.com by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id KAA03495; Wed, 7 Jan 1998 10:58:12 -0800 (PST) Received: from jeffknt ([38.214.19.38]) by camel8.mindspring.com (8.8.5/8.8.5) with SMTP id NAA12242; Wed, 7 Jan 1998 13:57:37 -0500 (EST) Received: by localhost with Microsoft MAPI; Wed, 7 Jan 1998 13:54:17 -0500 Message-ID: <01BD1B73.BF1D9D60.jeffk@secure-it.net> From: Jeff Kalwerisky Reply-To: "jeffk@secure-it.net" To: "'Andre van der Lans'" Cc: "firewalls@GreatCircle.COM" Subject: RE: Audit and Scanning tools Date: Wed, 7 Jan 1998 13:54:15 -0500 Organization: SecureIT X-Mailer: Microsoft Internet E-mail/MAPI - 8.0.0.4211 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi Andre: >>Does anybody know if there are some audit and scanning tools available for Firewalls, which can automatically scan logfiles for hacking attempts and which can generate reports on traffic and other activities, Good point. It's usually difficult to see what's actually happening in a firewall log file. I heard it recently described - very aptly - as "... having your nose up against the window"! Since you asked, here's a (low-key) plug. SecureIT has a product, called SecureVIEW, which creates a data mart from a firewall's logfile so that you can "slice and dice" the info in the log. The log data can then be viewed by user department, time of day, type of traffic, sites visited, kind of security threat, etc., etc., with a nice array of graphs, bar charts, and reports. 
Download a copy from the Web site: www.secure-it.net Happy 1998. (:-) Regards, Jeff Kalwerisky Ph: 770.248.1005 Director, Consulting Services Fax: 770,248.1006 SecureIt, Inc. Email: jeffk@secure-it.net 3770 Data Drive Web: www.secure-it.net Norcross, GA 30092 "Securing Information Technology Assets" From firewalls-owner Wed Jan 7 12:59:37 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA18231; Wed, 7 Jan 1998 12:41:22 -0800 (PST) Received: from bbp0100e01.pacifico.fin.ec (pacifico.fin.ec [157.100.165.33]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id MAA18086 for ; Wed, 7 Jan 1998 12:40:23 -0800 (PST) From: SVelaste@pacifico.fin.ec Received: by BBP0100E01 with Internet Mail Service (5.0.1458.49) id ; Wed, 7 Jan 1998 15:36:19 -0500 Message-ID: <50DE363880FBD011931C0001FA449C1A01D9221C@BBP0100E00> To: firewalls@GreatCircle.COM Subject: Test Proxy and FireWall. Date: Wed, 7 Jan 1998 15:35:45 -0500 X-Priority: 1 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.49) Content-Type: text/plain; charset="ISO-8859-1" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Hi, I'm testing Proxy and FireWall products and need programs to test > security and reliability from them. If any of you have a program to > make this testing more real please send them to me. > > Best regards. > > Spencer Velastegui Nunez (* SVelaste@pacifico.fin.ec) > The opinions of the author of this message are not necessarily > representative of the opinions of Banco del Pacifico. > > Banco del Pacifico Grupo Financiero, - http://www.bp.fin.ec > Administracion de Redes y Proyectos - Div. de Tecnologia > * Telf.(593 04) 328-333 ext.5000 > Guayaquil-Ecuador. 
From firewalls-owner Wed Jan 7 14:00:38 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id AAA05615; Wed, 7 Jan 1998 00:29:31 -0800 (PST) Received: from majestix.skp.de (majestix.skp.de [194.163.133.195]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id AAA05374 for ; Wed, 7 Jan 1998 00:28:46 -0800 (PST) Received: (from mail@localhost) by majestix.skp.de (8.7.5/8.7.3) id JAA21194; Wed, 7 Jan 1998 09:30:02 +0100 X-Authentication-Warning: majestix.skp.de: mail set sender to using -f Received: from hagbard(192.168.0.5) by majestix.skp.de via smap (V1.3) id sma021182; Wed Jan 7 09:29:50 1998 Date: Wed, 07 Jan 1998 09:28:02 +0100 To: Gordon LaSane From: Oliver Lau Cc: , Martin Sauer Subject: Re[2]: Stateful Inspection Anyone? Explore your options. In-Reply-To: References: X-encrypted: 128 bit stable Message-Id: <34B358B255.B791.lau@skp.de> MIME-Version: 1.0 Content-Type: text/plain Content-Transfer-Encoding: 7bit X-Mailer: Becky! ver 1.20 X-Priority: 4 X-MSMail-Priority: Low Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Greetings, Gordon! On Tue, 6 Jan 1998 16:37:03 -0500 Gordon LaSane wrote: | One of the biggest complaints about stateful inspection is that if the | state table becomes corrupt, the network could become vulnerable to the | outside. You surely haven't had a look inside stateful inspection firewalls, have you? You have to distinguish between two possibilities on how tables can become corrupt: 1.) accidentally deleted entries 2.) forged entries Accidentally deleted entries only have one effect: active connections become inactive and therefore further packets belonging to these connections could no longer traverse the firewall. Forged entries may have the effect you described. But this is a point where we discuss the security of the firewall itself and not the security services a firewall should provide for networks. 
| | [snipped commercial offerings] | Regards, Oliver Lau [CTO] Sauer und Partner GmbH, NetzwerkTechnologie und Sicherheit Dietrich-Bonhoeffer-Strasse 1-3, 35037 Marburg, Germany fon: +49 6421 938300, fax: +49 6421 938390, URL: http://www.skp.de/ PGP-Fingerprint: 6696 C8B6 F351 A381 D1C9 BC41 98F2 6DE3 From firewalls-owner Wed Jan 7 14:15:44 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA16154; Wed, 7 Jan 1998 12:26:30 -0800 (PST) Received: from relay1.shore.net (relay1.shore.net [192.233.85.129]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id MAA16057 for ; Wed, 7 Jan 1998 12:26:10 -0800 (PST) Received: from [198.115.179.81] (vin.shore.net [198.115.179.81]) by relay1.shore.net (8.8.7/8.8.7) with ESMTP id PAA17577; Wed, 7 Jan 1998 15:26:15 -0500 (EST) Message-Id: In-Reply-To: <199801062023.MAA03827@honor.greatcircle.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Wed, 7 Jan 1998 15:26:46 -0500 To: "Grigorof, Adrian" From: Vin McLellan Subject: Re: E-mail Encryption Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Adrian Grigorof queried the List: >I am looking for a product to be used in encrypting e-mail to be sent >over the Internet. I've heard something about a product called Puffer by >Briggs Softworks but I haven't tested it so far. Kent Briggs' Puffer is a classy piece of code, a general-purpose encryption engine for Windows -- available in freeware and commercial versions, both for the US/Canadian market and the larger "export" market outside those boundaries. See: http://www.briggsoft.com/puffer.htm Puffer uses Diffie-Hellman PKC, 40-bit PC1 (a clone of Ron Rivest's RC4) in export versions, and 128 bit CAST or 160-bit Blowfish for the US/Canada versions. 
I suggest, however, that you might want to review your operational requirements to determine if you really want your users to be restricted in their exchange of encrypted e-mail (and digital signatures, which have vast utility yet to be explored in most organizations) to only those who have obtained Puffer. (You're a Canadian firm. Do you really want your users to be isolated from Canada's all-government RSA-based PKI that, as I recall, Entrust will establish this year?) The crucial idea behind e-mail (encrypted or otherwise) is that it is a message format which can be read by almost anyone you send it to. Subcultures of geeks like me and thee (including the volunteers active in the various IETF WGs) get caught up in fads, lobbying efforts, and marketing campaigns -- but without a market-driven de facto standard that allows for interoperability, without the scale available in a hierarchical PKI infrastructure, e-mail encryption will always be just a curiosity. There have been many proposed IETF standards for e-mail encryption over the past decade. They all died; quite embarrassing, really. PGP has been a wonderful user-driven small-scale option, but it (though I loved it myself) has never been more than a pimple on this huge market's lazy and lugubrious ass. The defining event for this technology was the incorporation of _interoperable_ S/MIME-enabled e-mail packages in Netscape Communicator and Microsoft Outlook and Outlook Express last year. That alone made user-friendly e-mail crypt/decrypt (and digital signatures!) available on tens of millions of desktops with the ubiquitous browser. Entrust, OpenSoft, Baltimore, Deming/Worldtalk already have S/MIME products in the market -- with non-American vendors (e.g., Baltimore) offering full strong-crypto interoperability with American products using RC2, DES and 3DES -- and I think there are now a half-dozen developer's kits available internationally. 
According to Giga Research, another _40_ vendors of e-mail and other communications software (including Novell and IBM) are wholly committed to the S/MIME format -- and why not, now that S/MIME in the browsers offers them universal interoperability! Worldtalk, a US company, offers a WorldSecure Client for Microsoft E-mail that integrates S/MIME with the Windows 95 Inbox (Windows Messaging Service), Microsoft Exchange client, as well as Microsoft Outlook. They've also got a plug-in for Eudora Pro. Worldsecure works with these '95/NT clients using virtually any messaging service, including those provided by Microsoft Exchange Server, Microsoft Mail 3.2/3.5, and POP3/IMAP4 servers (including Worldtalk's NetTalk.) See: The cool thing is that encrypted e-mail from Worldtalk customers in Toronto can be freely exchanged with British or German users of, say, Mailsecure (on Microsoft Exchange or Outlook, sold internationally by Baltimore Technologies, an Irish firm.) In this exchange, both parties can be using DES; RC2 (128-bit default,) or 3DES (112-bit key) for message confidentiality -- with 1024 or 2048-bit RSA public key tech used for key exchange and digital signatures on message digests (MD4 or SHA-1.) I'm not particularly objective in the crypto wars, since I've been a long-term consultant to SDTI, which -- for another 1,000 days -- owns the (US-only) patent for RSA's PKC, which is used for key-exchange and digital sigs in S/MIME. But surely it is self-evident that the multiple alternatives -- however good their technology; however fervent their supporters -- pale beside that market fact of universal interoperability. No one company could forge this community of users; it took a conscious and shared design decision by the bulk of the international vendor community -- both on the mail protocol, and in the common commitment to RSA keys and the X509 Certs. >The ideal software should be user friendly otherwise it won't be used by >"normal" users The ideal, but of course! 
(Although I think interoperability and international availability are right up there with user-friendliness as design priorities.) Do you want to exchange a digitally-signed contract, or RFP, or a job proposal, or a tax return, or a job offer only with your friends and associates -- or isn't it more likely that tomorrow you'll want to get it all (confidentiality, authentication, non-repudiation) in your e-mail exchanges with people today unknown? >...how can you stop them from sending clear text messages >or unencrypted attachments? I think we are going to continue to see many efforts to imbed this type of security policy -- including key-recovery for e-mail -- in the technology with filters and the like. Personally, I find them wrong-headed, intrusive, impolitic, and often counterproductive. (Although I think Baltimore and others offer such mail-server-based control schemes for S/MIME too.) On the other hand, an educational campaign to illustrate the commercial and organizational advantages of digital signatures (with or without encryption) could develop new user habits based on the power of PKC as a productivity-enhancer. Security mavens could become Enablers who help the users achieve what _they_ want; rather than pain-in-the-rear corporate cops who demand that their users burden themselves with layers of rigamarole, which often makes it more difficult and more costly for them to get their jobs done -- whatever the fiduciary justification. Encrypted e-mail -- authenticated messages, legally binding signatures, with non-repudiation -- can make life easier and more productive for users. Now, wouldn't that toss corporate security into a revolutionary posture vis a vis our users? Suerte, _Vin "Cryptography is like literacy in the Dark Ages. Infinitely potent, for good and ill... yet basically an intellectual construct, an idea, which by its nature will resist efforts to restrict it to bureaucrats and others who deem only themselves worthy of such Privilege." 
_ A thinking man's Creed for Crypto/ vbm. * Vin McLellan + The Privacy Guild + * 53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548 From firewalls-owner Wed Jan 7 17:01:15 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id QAA09131; Wed, 7 Jan 1998 16:57:25 -0800 (PST) Received: from ns2.shopping.com (ns2.shopping.com [208.139.183.6]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id QAA09109 for ; Wed, 7 Jan 1998 16:57:19 -0800 (PST) Received: from greyghost ([208.139.183.248]) by ns2.shopping.com (2.0 Build 2119 (Berkeley 8.8.4)/8.8.4) with SMTP id QAA00532 for ; Wed, 07 Jan 1998 16:57:52 -0800 Message-Id: <3.0.1.32.19980107165819.0091f700@ns2.shopping.com> X-Sender: jpham@ns2.shopping.com X-Mailer: Windows Eudora Light Version 3.0.1 (32) Date: Wed, 07 Jan 1998 16:58:19 -0800 To: firewalls@GreatCircle.COM From: Joy Pham Subject: Remote Access Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk How do you all feel about having users dial into the network using Carbon Copy? How much security breach are we talking about? I personally do not like any kind of remote control software but I really don't have any valid arguments as to why we can't implement it at my company. Any ideas, suggestions, arguments would be appreciated. 
Thank you, Joy From firewalls-owner Wed Jan 7 17:09:25 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA07739; Wed, 7 Jan 1998 14:24:13 -0800 (PST) Received: from mail.baileynm.com (fw.baileynm.com [206.109.159.11]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id OAA07666 for ; Wed, 7 Jan 1998 14:23:55 -0800 (PST) Received: (qmail 24702 invoked from smtpd); 7 Jan 1998 22:24:23 -0000 Received: from web.nmti.com (root@198.178.0.201) by fw.nmti.com with SMTP; 7 Jan 1998 22:24:23 -0000 Received: from baileynm.com (grendel.nmti.com [198.178.0.150]) by web.nmti.com (8.6.12/8.6.9) with SMTP id QAA10354; Wed, 7 Jan 1998 16:24:22 -0600 Received: by baileynm.com; (5.65v3.2/1.1.8.2/08Sep97-0924AM) id AA13340; Wed, 7 Jan 1998 16:27:06 -0600 From: Peter da Silva Message-Id: <9801072227.AA13340@baileynm.com> Subject: Re: E-mail Encryption To: jsk347@sprynet.com (Steve Kruse) Date: Wed, 7 Jan 1998 16:27:06 -0600 (CST) Cc: peter@baileynm.com, macgyver@tos.net, firewalls@GreatCircle.COM In-Reply-To: <3.0.3.32.19980107160808.006a33b4@m6.sprynet.com> from "Steve Kruse" at Jan 7, 98 04:08:08 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > I think it might have been mentioned on here, but there is a $5.00 > "up-downgrade" that lets you use the RSA which IS compatabile with PGP 2.x. > Check the PGP website for info. And if I'm not running Windoze? 
From firewalls-owner Wed Jan 7 17:12:10 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA25311; Wed, 7 Jan 1998 15:45:08 -0800 (PST) Received: from f85.hotmail.com (F85.hotmail.com [207.82.250.191]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id OAA15574 for ; Wed, 7 Jan 1998 14:57:11 -0800 (PST) Received: (from root@localhost) by f85.hotmail.com (8.8.5/8.8.5) id OAA11676; Wed, 7 Jan 1998 14:57:25 -0800 (PST) Message-Id: <199801072257.OAA11676@f85.hotmail.com> Received: from 15.255.208.3 by www.hotmail.com with HTTP; Wed, 07 Jan 1998 14:57:24 PST X-Originating-IP: [15.255.208.3] From: "James Lau" To: firewalls@GreatCircle.com Cc: jlau@hotmail Subject: Content filtering Content-Type: text/plain Date: Wed, 07 Jan 1998 14:57:24 PST Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello all, This may be a little bit off topic but please bear with me or point me to the right mailing list. I'm looking for a solution to filter the contents of web traffic, ftp files and email. I know this is not totally firewall related but there are a few firewall products that can do that. (That's why I ask.) Unfortunately most (maybe all) of them use a proxy, which requires changes of configuration which we cannot force my users to do. Is there any solution out there which doesn't require changing of configuration? Or is the proxy the only solution? Any ideas? Thanks in advance. 
James ______________________________________________________ Get Your Private, Free Email at http://www.hotmail.com From firewalls-owner Wed Jan 7 17:51:34 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA25554; Wed, 7 Jan 1998 15:47:13 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id PAA20212 for ; Wed, 7 Jan 1998 15:18:29 -0800 (PST) Received: from mail.mel.aone.net.au by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id PAA05779; Wed, 7 Jan 1998 15:17:10 -0800 (PST) Received: from PORSCHE (d254-1.cpe.Maroochydore.aone.net.au [203.61.33.254]) by mail.mel.aone.net.au (8.8.6/8.8.6) with SMTP id KAA20802; Thu, 8 Jan 1998 10:17:55 +1100 (EST) Message-Id: <3.0.32.19980108091436.0089a5a0@starvision.net.au> X-Sender: shanem@starvision.net.au X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Thu, 08 Jan 1998 09:14:38 +1000 To: "Marriage, Michael" , "'firewalls@GreatCircle.COM'" From: Shane Miller Subject: Re: MS Proxy and netmeeting Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 11:21 7/01/98 -0000, Marriage, Michael wrote: >Has anyone configured MS Proxy to work with netmeeting? If so what are >the key points that I should be looking at. We have barred NETBIOS like >packets on site though our router. Is this going to cause problems with >Netmeeting. > >Is there an up to date list of TCP/IP information on ports used by the >myriad microsoft network aware packages in a human readable form for us >very mere mortals. Microsoft has technical information NetMeeting including a section on configuring a firewall for use with NetMeeting at http://www.microsoft.com/netmeeting/reskit/ Don't know about similar info on other MS products. Regards Shane Miller Network Administrator Caloundra City Libraries Queensland, Australia. 
Voice: +61 (7) 5499 5405 GSM: +61 (412) 877 371 Fax: +61 (7) 5491 8756 From firewalls-owner Wed Jan 7 18:08:19 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA20765; Wed, 7 Jan 1998 15:22:01 -0800 (PST) Received: from hq.si.net (hq.si.net [192.156.192.10]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id PAA20744 for ; Wed, 7 Jan 1998 15:21:54 -0800 (PST) Received: from hq.si.net (hq [192.156.192.10]) by hq.si.net (8.8.5/8.7.3) with SMTP id SAA19741; Wed, 7 Jan 1998 18:24:05 -0500 (EST) Date: Wed, 7 Jan 1998 18:24:05 -0500 (EST) From: Ming Lu To: Peter da Silva cc: MacGyver , firewalls@GreatCircle.COM Subject: Re: E-mail Encryption In-Reply-To: <9801071536.AA10534@baileynm.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Wed, 7 Jan 1998, Peter da Silva wrote: > > Using Eudora 4.0 onward (I'm not sure if previous versions support this > > feature), you have the ability to set an "output filter", which can be set > > to call any arbitrary program. PGP 5.0+ has a Eudora plugin option that > > you can use to automagically guarantee that all emails sent out are > > encrypted in an invisible way to the user. > > Unfortunately PGP 5.0+ encryption is incompatible with PGP 2.6, which is > what most of the people who use PGP are using. I understand the political > reasons for switching to D-H key exchange to get out from under RSA, but > I'm going to stick with 2.6 until there's a really compatible upgrade path > that works on both protocols and all platforms. > I agree with you too, I am quite pleased with 2.6 especially 2.63i version. but PGP 5.0+ encryption is becoming more and more popular too, specially among PC users, a kind of Bill G phenomenon...:-(. 
_ming From firewalls-owner Wed Jan 7 18:46:13 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id SAA29326; Wed, 7 Jan 1998 18:32:37 -0800 (PST) Received: from promenade.geocities.com (promenade.geocities.com [206.111.43.199]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id SAA29275 for ; Wed, 7 Jan 1998 18:32:26 -0800 (PST) Received: from geocities.com ([206.252.145.145]) by promenade.geocities.com (Post.Office MTA Undefined release Undefined ID# 0-44422U200L2S100) with ESMTP id AAA28680 for ; Tue, 6 Jan 1998 19:37:29 -0800 Message-ID: <34B2F88B.338919A@geocities.com> Date: Tue, 06 Jan 1998 22:37:47 -0500 From: jfielden@geocities.com (Josh Fielden) X-Mailer: Mozilla 4.03 [en] (WinNT; I) MIME-Version: 1.0 To: firewalls@GreatCircle.COM Subject: Re: Wannabe needs a good book References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Well, I always recommend anything O'Reilly, but "TCP/IP Network Administration" is really good. It's a "Blue Cover" JF aldous valdheims wrote: > > At 11:05 AM -0500 1.6.1998, Sick Puppy wrote: > >Can someone please suggest a good book on the > >general topic of networking, with some emphasis on TCP/IP, that we can > >steal? > > One of my favorites is Computer Networks, 2nd edition by I think it is > tannenbaum, but I may have to be corrected on that, I don't have a copy of > it with me right now. It gives a really thorough coverage of network > protocols and network layers, from the actual wiring on up to applications. > Get it and get crazy. 
> > --jt From firewalls-owner Wed Jan 7 19:15:46 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA02099; Wed, 7 Jan 1998 11:20:32 -0800 (PST) Received: from post3.inre.asu.edu (post3.inre.asu.edu [129.219.10.148]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id KAA20010 for ; Wed, 7 Jan 1998 10:21:46 -0800 (PST) Received: from general3.asu.edu by asu.edu (PMDF V5.1-10 #24133) with ESMTP id <01IS3DPUYYJ48X7DW8@asu.edu> for firewalls@GreatCircle.COM; Wed, 7 Jan 1998 11:22:14 MST Received: from general3.asu.edu (localhost [127.0.0.1]) by general3.asu.edu (8.8.5/8.8.5) with SMTP id LAA12415; Wed, 07 Jan 1998 11:22:07 -0700 (MST) Date: Wed, 07 Jan 1998 11:22:07 -0700 (MST) From: Vandana Shah Subject: Re: E-mail Encryption In-reply-to: <19980106230532656.AAA210@houdini> X-Sender: vanashah@general3.asu.edu To: Alan Bolt Cc: "Grigorof, Adrian" , firewalls@GreatCircle.COM Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello, Can u expand the word PGP. I am not aware of that. thanks -Vandana On Tue, 6 Jan 1998, Alan Bolt wrote: > Have you not looked into PGP? > It has grown to have much better interface > for users and does what you seem to want > > Bobby Brown > Network Administrator > Allen Systems Group > > ---------- > > From: Grigorof, Adrian > > To: firewalls@greatcircle.com > > Subject: E-mail Encryption > > Date: Tuesday, January 06, 1998 3:21 PM > > > > I am looking for a product to be used in encrypting e-mail to be sent > > over the Internet. I've heard something about a product called Puffer by > > Briggs Softworks but I haven't tested it so far. > > > > The ideal software should be user friendly otherwise it won't be used by > > "normal" users...how can you stop them from sending clear text messages > > or unencrypted attachments? > > > > Any ideas, suggestions? 
> > > > Thanks, > > > > Adrian Grigorof > > Internet Administrator > > Bell Mobility Cellular Inc. > > Toronto > > www.bellmobility.ca > > > > > > > > > > > > > ********* Vandana Shah 1031 E Lemon Street, #31 Tempe, AZ 85281 ph: (602)927-9720 email: vshah@asu.edu
From firewalls-owner Wed Jan 7 21:44:21 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id VAA07263; Wed, 7 Jan 1998 21:15:26 -0800 (PST) Received: from hotmail.com (F79.hotmail.com [207.82.250.185]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id VAA07167 for ; Wed, 7 Jan 1998 21:15:02 -0800 (PST) Received: (qmail 26928 invoked by uid 0); 8 Jan 1998 05:15:38 -0000 Message-ID: <19980108051538.26927.qmail@hotmail.com> Received: from 207.151.71.1 by www.hotmail.com with HTTP; Wed, 07 Jan 1998 21:15:38 PST X-Originating-IP: [207.151.71.1] From: "The Shepherd" To: firewalls@greatcircle.com Subject: Fwd: Re: Goodbye, and thanks! --- (or, SPAM from the SPAM haters) Content-Type: text/plain Date: Wed, 07 Jan 1998 21:15:38 PST Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >Unfortunately, 90% of the spam I do receive comes to me through the >Firewalls list, and since there clearly is no intention on stopping >it, or even curtailing it, the list's usefulness has become null. Hear, Hear. (Although, I think you're being just a *tad* harsh.
The occasional religious discussions about *nix vs. NT are pretty entertaining, and you must admit you are amused by Sick Puppy's inane rantings.) Case-in-point: >If any non-Telco organization can use an NT Consultant on a recurring >basis (say a weekly call for example) drop me a note at >Russ.Cooper@rc.on.ca Gotta Love it. ______________________________________________________ Get Your Private, Free Email at http://www.hotmail.com From firewalls-owner Wed Jan 7 21:48:23 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA21308; Wed, 7 Jan 1998 15:25:11 -0800 (PST) Received: from starbase.tos.net (starbase.tos.net [208.137.47.1]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id PAA21253 for ; Wed, 7 Jan 1998 15:24:57 -0800 (PST) Received: (from mail@localhost) by starbase.tos.net (8.8.4/8.8.4) id RAA08936; Wed, 7 Jan 1998 17:09:06 -0600 Received: from unknown(172.16.1.216) by starbase.tos.net via smap (V1.3) id sma008929; Wed Jan 7 17:08:58 1998 Message-Id: X-Sender: macgyver@smtp.tos.net X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0 Date: Wed, 07 Jan 1998 17:05:20 -0600 To: Peter da Silva , jsk347@sprynet.com (Steve Kruse) From: MacGyver Subject: Re: E-mail Encryption Cc: peter@baileynm.com, firewalls@GreatCircle.COM In-Reply-To: <9801072227.AA13340@baileynm.com> References: <3.0.3.32.19980107160808.006a33b4@m6.sprynet.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk -----BEGIN PGP SIGNED MESSAGE----- At 04:27 PM 1/7/98 -0600, Peter da Silva wrote: >> I think it might have been mentioned on here, but there is a $5.00 >> "up-downgrade" that lets you use the RSA which IS compatabile with PGP 2.x. >> Check the PGP website for info. > >And if I'm not running Windoze? > If you're not running on a Mac or Win95/98, you can grab PGP 4.x. It fully supports RSA, as does the COMMERCIAL version of PGP 5.x, which if you plan to use it for anything other than personal use, you have to buy anyway. 
PGP 5.x (commercial) is NOT incompatible with previous versions of PGP, but is a superset of functions provided in previous versions. - -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ^ Habeeb J. Dihu -' `- Managing Senior Technologist " ' ` " Cirrus Technologies " ' ` " " ' . ` " " ' .' ` ` " 'I don't believe in the no-win scenario' " ` ' `' " -- Captain James T. Kirk, Star Trek II: TWK ` ' _ _ ' 'There is an old Vulcan proverb, `Only Nixon ' could go to China.`' -- Captain Spock, Star Trek VI: TUC ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -----BEGIN PGP SIGNATURE----- Version: PGP for Business Security 5.5.2 iQCVAwUBNLQKL1TtNfTWxXdNAQH/uQP/STbPuT3/+6Fc6gzMPC3/Nc6wSUC8p5kl qfb4cv4q8TYeXms8Kx6Z2VxPNsE//oT2ls5obfZsibVEjl3DM/HW6Chcv857B2Lo TfkB1MzFupr9vbLWRcRVj4YSBt6IEY2lVhGrFZzm3H4yknb8Gj16aHf5ddePorN1 ocFl+MNLg8A= =g8hP -----END PGP SIGNATURE----- From firewalls-owner Wed Jan 7 22:39:17 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id VAA05633; Wed, 7 Jan 1998 21:04:50 -0800 (PST) Received: from c00956-100lez.eos.ncsu.edu (c00956-100lez.eos.ncsu.edu [152.1.26.76]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id SAA25681 for ; Wed, 7 Jan 1998 18:16:34 -0800 (PST) Received: from localhost (jkwilli2@localhost) by c00956-100lez.eos.ncsu.edu (8.8.4/UC02Jan97) with SMTP id VAA16765; Wed, 7 Jan 1998 21:16:38 -0500 (EST) X-Authentication-Warning: c00956-100lez.eos.ncsu.edu: jkwilli2 owned process doing -bs Date: Wed, 7 Jan 1998 21:16:38 -0500 (EST) From: Ken Williams X-Sender: jkwilli2@c00956-100lez.eos.ncsu.edu To: Peter da Silva cc: Steve Kruse , macgyver@tos.net, firewalls@GreatCircle.COM Subject: Re: E-mail Encryption In-Reply-To: <9801072227.AA13340@baileynm.com> Message-ID: X-PreMailer: Microsoft-Unix '99 ProMail ver 0.98 beta X-Content: Justify my text? I'm sorry but it has no excuse. 
X-Crypto: When cryptography is outlawed X-Crypto: bayl bhgynjf jvyy unir cevinpl. X-Disclaimer: This email is meant for educational purposes only. X-Disclaimer: The contents of this email do not reflect the thoughts X-Disclaimer: or opinions of either myself or my employer. X-Disclaimer: Any errors in spelling X-Disclaimer: tact or fact are transmission errors. X-Disclaimer: The best safeguard X-Disclaimer: second only to abstinence X-Disclaimer: is the use of a good mail filter. MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Wed, 7 Jan 1998, Peter da Silva wrote: >> I think it might have been mentioned on here, but there is a $5.00 >> "up-downgrade" that lets you use the RSA which IS compatabile with PGP 2.x. >> Check the PGP website for info. > >And if I'm not running Windoze? then you can get it for *nix or mac too from www.pgp.com and do the same thing. in the case of some *nix versions, i know that there is virtually 100% downward compatibility between the Unix 5.0 and Unix 2.6 versions. Respectfully, Ken /<--------------{ TATTOOMAN -aka- rute }-------------->\ NCSU Computer Science Member of E.H.A.P. 
jkwilli2@unity.ncsu.edu http://www.hackers.com/ehap/ UNIX ICQ UIN# 4231260 ehap@hackers.com FTP Site: ftp://152.7.11.38/pub/personal/tattooman/ WWW 2: http://www4.ncsu.edu/~jkwilli2/ \<---------{ http://152.7.11.38/~tattooman/ }--------->/ From firewalls-owner Wed Jan 7 22:45:25 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id VAA12685; Wed, 7 Jan 1998 21:43:28 -0800 (PST) Received: from imsp015.netvigator.com (imsp015.netvigator.com [205.252.144.206]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id VAA12638 for ; Wed, 7 Jan 1998 21:43:16 -0800 (PST) Received: from js-computer (hhtam037039.netvigator.com [208.139.101.39]) by imsp015.netvigator.com (8.8.8/8.8.8) with SMTP id NAA05952 for ; Thu, 8 Jan 1998 13:43:23 +0800 (HKT) Message-Id: <199801080543.NAA05952@imsp015.netvigator.com> Date: Sun, 01 Feb 1998 08:52:25 +0800 From: MS <"ims02@netvigator.com"@netvigator.com> Reply-To: "ims02@netvigator.com"@netvigator.com X-Mailer: Mozilla 3.0Gold (Win95; I) MIME-Version: 1.0 To: firewalls@GreatCircle.COM Subject: Proxy Servers on DMZ?? Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, Does anybody tell me whether the proxy servers (eg WEB, email) be placed at DMZ segment instead of at internal segment so as to protect the internal network? Jim From firewalls-owner Wed Jan 7 22:45:48 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id VAA10193; Wed, 7 Jan 1998 21:31:34 -0800 (PST) Received: from gate.quick.com.au (gate.quick.com.au [203.12.250.130]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id VAA10127 for ; Wed, 7 Jan 1998 21:31:18 -0800 (PST) Received: (from sjg@localhost) by gate.quick.com.au (8.8.5/8.7.3) id QAA12993; Thu, 8 Jan 1998 16:30:26 +1100 (EST) Date: Thu, 8 Jan 1998 16:30:26 +1100 (EST) From: "Simon J. 
Gerraty"
Message-Id: <199801080530.QAA12993@gate.quick.com.au>
To: Bogdan Pelc
Cc: firewalls@greatcircle.com
Subject: Re: Split DNS??
References: <199801070947.AA09611@fb3-s12.math.tu-berlin.de>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Bogdan Pelc writes:
> SJG> Some folk like split DNS because they think that "hiding" their
> SJG> internal hostnames makes them more secure. Such info leaks out in
> SJG> so many ways that this "security by obscurity" is a myth.

>Really. If I have FW so configured, that I have service Redirections and

The most common means by which such info "leaks" is in e-mail and news
headers. You can configure sendmail on your firewall to hide
from addresses etc, but unless you make sendmail remove Received
headers (bad idea btw), the original hostname and each hop will be
leaked. Regardless of whether you have an air gap such info can
be useful for social engineering ("Hi, I'm from XYZ, I need to
install an urgent patch on host fubar and the sysadmin is away...
what's the passwd?") lame, but you get the idea. If asked nicely
many people are only too pleased to help :-)

>What are your Opinions?

That depends on the site. My own little site here runs two bind's on
the firewall, one that the outside world looks at and is bound to
the ppp interface only, and another which is a secondary for my
internal domains and forwards via the bind on the ppp interface
(it's the only one the kernel will allow to talk to the outside world)
and the other internal nameservers forward to the bind listening
on the firewall's ethernet. External sites provide secondary DNS
for my external view.

I also run the firewalls and DNS for a _big_ corp, and there I set
things up such that there is zero DNS traffic through the firewall.
The reasons are many but include:
1. internally rooted DNS allows extended disconnection from Internet
   without impact on corporate network.
2. use of illegal nets on corp net means external address resolution
   is meaningless in most cases.
3. the forwarding model described above does not scale well to
   _big_ corporate nets.
4. passing zero DNS traffic through firewall ensures that Internet
   is not polluted with internal roots.

--sjg

>--
>____________________________________________________________________________
> Bogdan Pelc; Sekr. MA 6-3, Ma682; Tel: 030-31423607, 030-31422491
> pelc@math.tu-berlin.de
>Do You realize , that this world is totally FUGAZI, where are the poets,
>where are the visionaries ... (FISH)

From firewalls-owner Thu Jan 8 00:42:33 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA10023; Wed, 7 Jan 1998 23:43:51 -0800 (PST)
Received: from mail-syd.atinet.com.au (atinet.com.au [203.35.110.3]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id XAA09841 for ; Wed, 7 Jan 1998 23:43:16 -0800 (PST)
Received: from ppp-129.atinet.com.au (ppp-129.atinet.com.au [203.35.110.129]) by mail-syd.atinet.com.au (NTMail 3.02.13) with ESMTP id fa026265 for ; Thu, 8 Jan 1998 18:42:49 +1100
Received: from beethoven (beethoven.winspace.net [192.168.0.2]) by mozart.winspace.net (8.8.8/8.7.3) with SMTP id SAA19992; Thu, 8 Jan 1998 18:43:36 +1100
From: "Norman Widders"
Date: Thu, 8 Jan 1998 18:43:34 +1000 (GMT)
Subject: Re: E-mail Encryption
To:
Reply-To:
Organization: Paladin Corporation
Message-Id:
X-Mailer: Paladin IMAP4 Client v2.34
In-Reply-To:
References: <3.0.3.32.19980107160808.006a33b4@m6.sprynet.com>
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Content-Transfer-Encoding: 7BIT
Content-ID:
X-Info: All Things Internet POP3 Server
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 07 Jan 1998 17:05:20 -0600 MacGyver wrote:

In case it wasn't mentioned... For those outside the USA go to http://www.pgpi.com where they scanned the software in from printouts.. ie source. assuming one wants to roll-ones-own....
> If you're not running on a Mac or Win95/98, you can grab PGP 4.x. > It fully supports RSA, as does the COMMERCIAL version of PGP 5.x, which if > you plan to use it for anything other than personal use, you have to buy > anyway. PGP 5.x (commercial) is NOT incompatible with previous versions of > PGP, but is a superset of functions provided in previous versions. -- wheres my valium ? From firewalls-owner Thu Jan 8 01:15:44 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA11449; Wed, 7 Jan 1998 23:49:24 -0800 (PST) Received: from mail-syd.atinet.com.au (atinet.com.au [203.35.110.3]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id XAA11297 for ; Wed, 7 Jan 1998 23:48:56 -0800 (PST) Received: from ppp-129.atinet.com.au (ppp-129.atinet.com.au [203.35.110.129]) by mail-syd.atinet.com.au (NTMail 3.02.13) with ESMTP id ea026368 for ; Thu, 8 Jan 1998 18:48:53 +1100 Received: from beethoven (beethoven.winspace.net [192.168.0.2]) by mozart.winspace.net (8.8.8/8.7.3) with SMTP id SAA20037; Thu, 8 Jan 1998 18:49:40 +1100 From: "Norman Widders" Date: Thu, 8 Jan 1998 18:49:39 +1000 (GMT) Subject: RE: Fwd: Re: Goodbye, and thanks! --- (or, SPAM from the SPAM haters) To: Reply-To: Organization: Paladin Corporation Message-Id: X-Mailer: Paladin IMAP4 Client v2.34 In-Reply-To: <19980108051538.26927.qmail@hotmail.com> References: <19980108051538.26927.qmail@hotmail.com> Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Content-Transfer-Encoding: 7BIT Content-ID: X-Info: All Things Internet POP3 Server Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Wed, 07 Jan 1998 21:15:38 PST "The Shepherd" wrote: Heres to Spam, heres to sikpuppy, heres to fluffy-pink handcuffs and bondage... .. 
heres to Microsoft purchasing hotmail.com B) Just my $0.02c > >Unfortunately, 90% of the spam I do receive comes to me through the > >Firewalls list, and since there clearly is no intention on stopping > >it, or even curtailing it, the list's usefulness has become null. > > Hear, Hear. (Although, I think you're being just a *tad* harsh. The > occasional religious discussions about *nix vs. NT are pretty > entertaining, and you must admit you are amused by Sick Puppy's > inane rantings.) -- wheres my valium ? From firewalls-owner Thu Jan 8 02:32:42 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA08504; Wed, 7 Jan 1998 23:36:15 -0800 (PST) Received: from mail-syd.atinet.com.au (atinet.com.au [203.35.110.3]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id XAA08465 for ; Wed, 7 Jan 1998 23:35:57 -0800 (PST) Received: from ppp-129.atinet.com.au (ppp-129.atinet.com.au [203.35.110.129]) by mail-syd.atinet.com.au (NTMail 3.02.13) with ESMTP id da026263 for ; Thu, 8 Jan 1998 18:35:46 +1100 Received: from beethoven (beethoven.winspace.net [192.168.0.2]) by mozart.winspace.net (8.8.8/8.7.3) with SMTP id SAA19935; Thu, 8 Jan 1998 18:36:33 +1100 From: "Norman Widders" Date: Thu, 8 Jan 1998 18:36:31 +1000 (GMT) Subject: relative strengths of different encyrption techniques To: CC: Reply-To: Organization: Paladin Corporation Message-Id: X-Mailer: Paladin IMAP4 Client v2.34 In-Reply-To: References: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Content-Transfer-Encoding: 7BIT Content-ID: X-Info: All Things Internet POP3 Server Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Wed, 7 Jan 1998 16:46:31 -0600 "Bowers T (Thomas) at MSXSSC" wrote: PGP recommends 3k bits nowadays just to be safe... > > I'm not a crpytologist but... > > I've been asked to estimate the time it takes to crack various > encyrption > techniques... > > Yes... I understand the more bits, the better... 
> > > I understand that most reasonable people will deploy the best technique > available... and so will we. That, however, doesn't alleviate me > from > trying to estimate how many days/months/years/light_years of compute > cycles it will take for someone to crack the technique we select. > > > Are there any references on the relative strengths of different > encyrption > techniques... > > > Any help would be appreciated... > > > > T. Bowers > > > > > > Tom Bowers > Network Engineering > Shell Services Company > PHONE: (1) 713-245-1269 > FAX: (1) 713-245-1010 > E-MAIL: tbowers@shellus.com -- Yours faithfully, Norman Widders. +----------------------------------------------------------- | winspace@atinet.com.au | http://www.atinet.com.au/~winspace/ | Home of the Paladin IMAP4 E-Mail client. | Paladin Corporation Pty. Ltd. +----------------------------------------------------------- From firewalls-owner Thu Jan 8 02:38:14 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id AAA23555; Thu, 8 Jan 1998 00:44:59 -0800 (PST) Received: from mail-syd.atinet.com.au (atinet.com.au [203.35.110.3]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id XAA13364 for ; Wed, 7 Jan 1998 23:55:29 -0800 (PST) Received: from ppp-129.atinet.com.au (ppp-129.atinet.com.au [203.35.110.129]) by mail-syd.atinet.com.au (NTMail 3.02.13) with ESMTP id ca026392 for ; Thu, 8 Jan 1998 18:55:19 +1100 Received: from beethoven (beethoven.winspace.net [192.168.0.2]) by mozart.winspace.net (8.8.8/8.7.3) with SMTP id SAA20079; Thu, 8 Jan 1998 18:56:05 +1100 From: "Norman Widders" Date: Thu, 8 Jan 1998 18:56:03 +1000 (GMT) Subject: Re: Split DNS?? 
To: Reply-To: Organization: Paladin Corporation Message-Id: X-Mailer: Paladin IMAP4 Client v2.34 In-Reply-To: <199801080530.QAA12993@gate.quick.com.au> References: <199801070947.AA09611@fb3-s12.math.tu-berlin.de> Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Content-Transfer-Encoding: 7BIT Content-ID: X-Info: All Things Internet POP3 Server Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thu, 8 Jan 1998 16:30:26 +1100 (EST) "Simon J. Gerraty" wrote: Talking about sendmail and rewriting From: headers (which I do)... hmmm, The Message-id: field also can give away internal machine names too... depending upon who is creating this header field and how.... Have a close look at the RFC822 headers and you will see for yourself... > The most common means by which such info "leaks" is in e-mail and news > headers. You can configure sendmail on your firewall to hide > from addresses etc, but unless you make sendmail remove Received > headers (bad idea btw), the original hostname and each hop will be > leaked. Regardless of whether you have an air gap such info can > be useful for social engineering ("Hi, I'm from XYZ, I need to > install an urgent patch on host fubar and the sysadmin is away... > what's the passwd?") lame, but you get the idea. If asked nicely > many people are only too pleased to help :-) > > > >What are your Opinions? > > That depends on the site. My own little site here runs two bind's on > the firewall, one that the outside world looks at and is bound to > the ppp interface only, and another which is a secondary for my > internal domains and forwards via the bind on the ppp interface > (its the only one the kernel will allow to talk to the outside world) > and the other internal nameservers forward to the bind listening > on the firewall's ethernet. External sites provide secondary DNS > for my external view. 
> > I also run the firewalls and DNS for a _big_ corp, and there I set > things up such that there is zero DNS traffic through the firewall. > The reasons are many but include: > 1. internally rooted DNS allows extended disconnection from Internet > without impact on corporate network. > 2. use of illegal nets on corp net means external address resolution > is meaningless in most cases. > 3. the forwarding model described above does not scale well to > _big_ corporate nets. > 4. passing zero DNS traffic through firewall ensures that Internet > is not poluted with internal roots. > > --sjg > > > >-- > >____________________________________________________________________________ > > Bogdan Pelc; Sekr. MA 6-3, Ma682; Tel: 030-31423607, 030-31422491 > > pelc@math.tu-berlin.de > > >Do You realize , that this world is totally FUGAZI, where are the poets, > >where are the visionaries ... (FISH) -- Yours faithfully, Norman Widders. +----------------------------------------------------------- | winspace@atinet.com.au | http://www.atinet.com.au/~winspace/ | Home of the Paladin IMAP4 E-Mail client. | Paladin Corporation Pty. Ltd. 
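
The leak discussed in the two Split DNS messages above (internal host names and addresses surviving in `Received:` and `Message-ID:` headers) can be audited on outbound mail before it leaves the gateway. The following Python check is an added example, not part of any post in this archive; the sample message, the `.corp.example` suffix and all function names are constructed for illustration.

```python
import email
import ipaddress
import re

# RFC 1918 ranges, listed explicitly so the check covers exactly these nets.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Host named after "from"/"by"; the lookahead rejects local parts such as
# "(from mail@localhost)".
HOP_HOST = re.compile(r"\b(?:from|by)\s+([A-Za-z0-9.-]+)(?![A-Za-z0-9.@-])")
# Reverse-resolved name inside the comment: "(name [a.b.c.d])".
PAREN_HOST = re.compile(r"\(([A-Za-z0-9.-]+)\s+\[")
# Address literal inside square brackets.
BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Right-hand side of a Message-ID.
MSGID_HOST = re.compile(r"@([A-Za-z0-9.-]+)>")

# Constructed sample: an internal workstation hands mail to the gateway,
# which relays it to a list server. Names and addresses are placeholders.
SAMPLE = """\
Received: from gw.example.org (gw.example.org [203.0.113.25])
    by mx.list.example (8.8.5) with ESMTP id AAA00001;
    Thu, 8 Jan 1998 00:00:00 -0800
Received: from ws17 (ws17.corp.example [192.168.0.2])
    by gw.example.org (8.8.8) with SMTP id BAA00002;
    Thu, 8 Jan 1998 18:00:00 +1100
Message-ID: <19980108.0001@ws17.corp.example>
From: user@example.org
To: list@list.example
Subject: constructed sample

Body text.
"""


def classify(token, internal_suffixes):
    """Return a finding kind for a host name or address literal, or None."""
    token = token.strip("[]").rstrip(".").lower()
    try:
        addr = ipaddress.ip_address(token)
    except ValueError:
        addr = None
    if addr is not None:
        return "rfc1918-address" if any(addr in n for n in RFC1918) else None
    if "." not in token:
        # Single-label names only resolve inside the originating site.
        return "unqualified-host"
    if any(token.endswith(s) for s in internal_suffixes):
        return "internal-host"
    return None


def find_leaks(raw_message, internal_suffixes):
    """List (header, kind, value) for internal names/addresses in the headers."""
    msg = email.message_from_string(raw_message)
    findings = []

    def note(header, token):
        kind = classify(token, internal_suffixes)
        item = (header, kind, token.lower())
        if kind and item not in findings:
            findings.append(item)

    # Every hop adds its own Received header, so inspect all of them.
    for value in msg.get_all("Received", []):
        for pattern in (HOP_HOST, PAREN_HOST, BRACKET_IP):
            for token in pattern.findall(value):
                note("Received", token)
    # The Message-ID is often generated on the originating internal machine.
    for token in MSGID_HOST.findall(msg.get("Message-ID", "")):
        note("Message-ID", token)
    return findings


if __name__ == "__main__":
    for header, kind, value in find_leaks(SAMPLE, (".corp.example",)):
        print(f"{header}: {kind}: {value}")
```
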
+----------------------------------------------------------- From firewalls-owner Thu Jan 8 04:46:16 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id DAA18332; Thu, 8 Jan 1998 03:12:55 -0800 (PST) Received: from gatekeeper.alcatel.no (ns0.alcatel.no [193.213.238.1]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id DAA18236 for ; Thu, 8 Jan 1998 03:12:29 -0800 (PST) Received: from alcatel.no by gatekeeper.alcatel.no (8.8.8/Alcanet-SC) id MAA23197; Thu, 8 Jan 1998 12:13:07 +0100 (MET) Message-ID: <34B4B4C3.9EC9778B@alcatel.no> Date: Thu, 08 Jan 1998 12:13:07 +0100 From: Kare Presttun Organization: Alcanet International X-Mailer: Mozilla 4.04 [en] (Win95; I) MIME-Version: 1.0 To: Firewalls@GreatCircle.COM Subject: Re: Firewalls-Digest V7 #11 References: <199801080915.BAA29122@honor.greatcircle.com> Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, Sorry about the previous post. Some bug in my mail client made the message go out when I hit "return" while in edit mode. Hope it does not happen again. Best regards, -- -------------------------------------------------------- Kåre Presttun Alcanet International Tel : +47 2263 7601 P.O.
Box 60 Fax : +47 2263 8887 N-0508 Oslo Mobile: +47 9082 7068 NORWAY mailto:Kare.Presttun@alcatel.no http://www.alcatel.no/ From firewalls-owner Thu Jan 8 05:16:19 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id DAA23458; Thu, 8 Jan 1998 03:50:19 -0800 (PST) Received: from robban.IP80 (smtp2.port80.se [193.14.170.78]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id DAA23356 for ; Thu, 8 Jan 1998 03:49:53 -0800 (PST) Received: from robban (localhost [127.0.0.1]) by robban (Viking/0.9.32-dev) with SMTP (for multiple); Thu, 08 Jan 1998 12:49:05 +0100 Message-Id: <3.0.5.32.19980108124904.00b37a00@robtex.com> X-Sender: robban@robtex.com X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.5 (32) Date: Thu, 08 Jan 1998 12:49:04 +0100 To: BoB Miorelli , firewalls@greatcircle.com From: Robert Olsson Subject: Re: NT Web proxy server In-Reply-To: <34b1435f0.1464@clbdev2.eh.pweh.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Please try our product "Viking". It does dialup, caching, url-filter in addition to other functions like being a web/intranet-server and mailserver. http://www.robtex.com/viking/ Regards Robert Olsson RobTex At 15:32 1998-01-05 EST, you wrote: >Hi -- > >I'm looking for a Web proxy server that does caching for >my kid's school (K-8). The computer lab is networked >to a server which would run the proxy. The server >is a Pentium running NT 4.0. I'm looking for >recommendations on proxy server software from anyone >that is running it on NT 4.0 using a dialup-on-demand >type of setup. The only proxy servers for NT that >I am aware of are Microsoft and Netscape, but I'm >sure there are others. > >Any and all comments are welcome. > >Thanks. > >-->BoB > > >-->BoB Miorelli, Pratt & Whitney >miorelli@pweh.com >~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >In theory, theory and practice are the same; >in practice they are distinct. 
> From firewalls-owner Thu Jan 8 05:46:16 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA08210; Thu, 8 Jan 1998 05:39:47 -0800 (PST) Received: from smtp2.mailsrvcs.net (smtp2.gte.net [207.115.153.31]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id FAA08192 for ; Thu, 8 Jan 1998 05:39:40 -0800 (PST) Received: from glearnhart ([206.124.85.16]) by smtp2.mailsrvcs.net with SMTP id HAA20553 for ; Thu, 8 Jan 1998 07:39:46 -0600 (CST) Message-ID: <003c01bd1c3b$01552f50$10557cce@glearnhart.gte.net> From: "Gregg Earnhart" To: Subject: Intrusion detection Date: Thu, 8 Jan 1998 07:40:38 -0600 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0039_01BD1C08.B66FD3A0" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.2106.4 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This is a multi-part message in MIME format. ------=_NextPart_000_0039_01BD1C08.B66FD3A0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Does a list discussing intrusion detection exists? Is there a need for such a list or NG to discuss intrusion detection systems? Gregg Earnhart Sr. Security Engineer ------=_NextPart_000_0039_01BD1C08.B66FD3A0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable
------=_NextPart_000_0039_01BD1C08.B66FD3A0-- From firewalls-owner Thu Jan 8 06:01:34 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA09103; Thu, 8 Jan 1998 05:45:26 -0800 (PST) Received: from ykbgate ([195.33.225.162]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id FAA09079 for ; Thu, 8 Jan 1998 05:45:18 -0800 (PST) Received: by ykbgate; (5.65v3.2/1.3/10May95) id AA15265; Thu, 8 Jan 1998 11:33:46 +0200 Received: by plaza.ykb.com; (5.65v3.2/1.3/10May95) id AA20617; Thu, 8 Jan 1998 15:41:24 +0200 X-Lotus-Fromdomain: YKBNOTES From: "icakmakli" To: firewalls@GreatCircle.COM Message-Id: Date: Thu, 8 Jan 1998 15:46:07 +0200 Subject: Invision Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Has anybody run Invision Workstation through the firewall? Is there any information about the CSK Software's Invision program on which ports it runs? Regards. From firewalls-owner Thu Jan 8 06:31:33 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA13648; Thu, 8 Jan 1998 06:10:10 -0800 (PST) Received: from diablo.cisco.com (diablo.cisco.com [171.68.223.106]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id GAA13497 for ; Thu, 8 Jan 1998 06:09:41 -0800 (PST) Received: from clonvick-pc.cisco.com (houcons.cisco.com [171.68.41.7]) by diablo.cisco.com (8.8.5/CISCO.SERVER.1.2) with SMTP id GAA06608; Thu, 8 Jan 1998 06:09:45 -0800 (PST) Message-Id: <2.2.32.19980108140808.0088d480@localhost> X-Sender: clonvick@localhost X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Thu, 08 Jan 1998 08:08:08 -0600 To: Andre van der Lans , Randall Kizer , firewalls@GreatCircle.COM From: Chris Lonvick Subject: Re: Firewall for ISP Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, Just a point here - the "cut-through proxy" feature is an in-stream 
authentication mechanism tied to TACACS+ or RADIUS for Telnet, FTP and HTTP. All packets in all streams are checked. The Product Overview that explains this is at http://www.cisco.com/univercd/cc/td/doc/prod_cat/pcpix.htm OBTW, I received 53 copies of the original note from Jaime's repetitious mailer. Does this qualify me for some prize? (For the humor impaired: this is it. :-) Later, Chris Lonvick Cisco Systems Consulting Engineering Houston, TX, USA +1.713.778.5663 At 09:15 AM 1/7/98 +0100, Andre van der Lans wrote: >Randall Kizer wrote: >> >> Jaime, >> >> We've just implemented a PIX firewall to evaluate it. Would you, or anyone >> else reading this e-mail, please share your experiences with this product. >> You mentioned "it has some weakness", can you be more specific? What are >> some of its strengths? >> >> Randall >> rkizer@sddpc.org >> >> >From: "Jaime Blanco" >> >To: >> >Cc: >> >Subject: Firewall for ISP >> >Date: Wed, 17 Dec 1997 20:38:06 -0500 >Beunos dias, > >The Cisco PIX isn't realy a firewall. It's a cut through proxy which >means that when a packet is checked for authentication, the PIX simply >gona forward all these packages and none of the following packages are >beeing screened. It's difficult to get the logging done and the ligging >is alsow done with syslog on a remote machine ( The PIX hasn't got a >hard disk). Another issue is that the GUI quits working when the >configurationfile has more than 400 entries. > >Last but not least, the Cisco PIX is a expensive product and for the >same prise or less you can get a much better Firewall. 
> >-- >Andre van der Lans >Unisource Business Networks Netherlands bv >Koningin Sophie St 120, 2595 TM The Hague >Tel +31 703711069, Fax +31 703712638 >Email: andre.van.der.lans@inet.unisource.nl > > From firewalls-owner Thu Jan 8 06:56:20 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA14557; Thu, 8 Jan 1998 06:14:40 -0800 (PST) Received: from cebu.mozcom.com (cebu.mozcom.com [207.0.115.45]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id GAA14487 for ; Thu, 8 Jan 1998 06:14:24 -0800 (PST) Received: from localhost (derts@localhost) by cebu.mozcom.com (8.8.8/8.6.9) with SMTP id WAA02339 for ; Thu, 8 Jan 1998 22:05:29 GMT Date: Thu, 8 Jan 1998 22:05:28 +0000 ( ) From: Ederlindo Cojuangco To: firewalls@GreatCircle.COM Subject: Re: E-mail Encryption In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Whew! I am done with my research. I know some are already using PGP but for those who are curious like me try to visit this page: http://www.pgpi.com Hope this helps. Thanks for all your mails. ederts From firewalls-owner Thu Jan 8 06:57:56 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA10381; Thu, 8 Jan 1998 05:53:18 -0800 (PST) Received: from maddie.atlantic.com (maddie.atlantic.com [198.252.200.3]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id FAA10352 for ; Thu, 8 Jan 1998 05:53:11 -0800 (PST) Received: (from pokey@localhost) by maddie.atlantic.com (8.8.5/8.7.3) id IAA30843; Thu, 8 Jan 1998 08:52:28 -0500 From: Rick Romkey Message-Id: <199801081352.IAA30843@maddie.atlantic.com> Subject: Re: FW-1 3.0 and Solaris 2.6 ok? 
To: macgyver@tos.net (MacGyver) Date: Thu, 8 Jan 1998 08:52:27 -0500 (EST) Cc: TrevorPaquette@mcc.net, Feroz.Khan@VECTOR.CO.ZA, firewalls@GreatCircle.COM, RWaegner@hou.mdc.com, grat@frii.com In-Reply-To: from "MacGyver" at Jan 7, 98 08:33:28 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>
> That's not been my experience at all. We've installed over two dozen FW1
> installations recently on Solaris 2.6, with FW1 3.0b. The only caveat is
> to make sure you do *NOT* attempt to install FW1 "out of the box" download
> the "patched" version that Sun distributes as a patch (it's really a whole
> new set of binaries). Once you do that, you're in good shape.

According to CheckPoint, Sun does not release different binaries than
CheckPoint themselves. They simply re-package what CheckPoint creates.

-Rick

----------------------------------------------------------------------------
Rick E Romkey      | A T L A N T I C                  | Internet
pokey@atlantic.com | Computing Technology Corporation | Specialists
(860) 667-9596     | http://www.atlantic.com/         |
----------------------------------------------------------------------------

From firewalls-owner Thu Jan 8 06:59:19 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA10500; Thu, 8 Jan 1998 05:53:48 -0800 (PST) Received: from honcho.columbiasc.ncr.com (h153-78-17-231.NCR.COM [153.78.17.231]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id FAA10447 for ; Thu, 8 Jan 1998 05:53:34 -0800 (PST) Received: from exchsmtp.ColumbiaSC.NCR.COM (xgate.ColumbiaSC.NCR.COM [153.78.17.107]) by honcho.columbiasc.ncr.com (8.7.6/8.6.12) with SMTP id IAA15487 for ; Thu, 8 Jan 1998 08:54:14 -0500 (EST) Received: by exchsmtp.ColumbiaSC.NCR.COM with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BD1C12.A4E6A550@exchsmtp.ColumbiaSC.NCR.COM>; Thu, 8 Jan 1998 08:51:43 -0500 Message-ID: From: "Caldwell, Matt" To: "'Bowers T (Thomas) at MSXSSC'" Cc: "'firewalls@GreatCircle.COM'" Subject: RE: relative strengths of different encryption techniques Date: Thu, 8 Jan 1998 08:53:14 -0500 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I suggest you get "Applied Cryptography" from Amazon or such, it has a
reference section that has a chart to show the time relative to the
processor speed etc.

Matthew F. Caldwell - Security Analyst
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Visionary Corporate Computing Concepts (VC3)
Email: matt.caldwell@vc3.com
Company Web: http://www.vc3.com/
Personal Web: http://www.vc3.com/~caldwm
Office Phone: 803-733-7333
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

>----------
>From: Bowers T (Thomas) at MSXSSC[SMTP:TB186459@shellus.com]
>Sent: Wednesday, January 07, 1998 5:46 PM
>To: 'firewalls@greatcircle.com'
>Subject: relative strengths of different encyrption techniques
>
>
>I'm not a cryptologist but...
>
>I've been asked to estimate the time it takes to crack various encryption
>techniques...
>
>Yes... I understand the more bits, the better...
>
>
>I understand that most reasonable people will deploy the best technique
>available... and so will we. That, however, doesn't alleviate me from
>trying to estimate how many days/months/years/light_years of compute
>cycles it will take for someone to crack the technique we select.
>
>
>Are there any references on the relative strengths of different encryption
>techniques...
>
>
>Any help would be appreciated...
>
>
>
>T. Bowers
>
>
>
>
>
>Tom Bowers
>Network Engineering
>Shell Services Company
>PHONE: (1) 713-245-1269
>FAX: (1) 713-245-1010
>E-MAIL: tbowers@shellus.com
>

From firewalls-owner Thu Jan 8 07:01:56 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA11834; Thu, 8 Jan 1998 06:00:50 -0800 (PST) Received: from mailserver1.mdc.com (MAILSERVER1.LGB.CAL.BOEING.COM [129.200.140.50]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id GAA11766 for ; Thu, 8 Jan 1998 06:00:35 -0800 (PST) Received: by MAILSERVER1.MDC.COM with Internet Mail Service (5.0.1458.49) id ; Thu, 8 Jan 1998 08:03:02 -0600 Message-ID: From: "Waegner.Rick" To: "Paquette, Trevor" , "'Feroz Khan - VCS'" , "'MacGyver'" Cc: firewalls@GreatCircle.COM, grat@frii.com Subject: RE: FW-1 3.0 and Solaris 2.6 ok? Date: Thu, 8 Jan 1998 08:03:00 -0600 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.49) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Habeeb,

You are correct about FW-1 3.0b and Solaris 2.6 working fine.
But, the original question was FW-1 3.0 and Solaris 2.6. BTW FW-1 3.0 is
what you get from Sun, Checkpoint is already shipping FW-1 3.0b as well
are their VAR's (except Sun!!)

Rick Waegner
The Boeing Company
UNIX Sysadmin
richard.a.waegner@boeing.com
281.283.5485

> ----------
> From: MacGyver
> Sent: Wednesday, January 7, 1998 21:33
> To: Paquette, Trevor; 'Feroz Khan - VCS'
> Cc: firewalls@GreatCircle.COM; Waegner.Rick; grat@frii.com
> Subject: RE: FW-1 3.0 and Solaris 2.6 ok?
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> At 02:35 PM 1/7/98 -0700, Paquette, Trevor wrote:
> >Huh?? Are you then saying that Firewall-1 3.0b cannot be installed on a
> >Solaris 2.6 system out of the box? One must install Solaris 2.5.1, THEN
> >install Firewall-1 3.0b, THEN upgrade to Solaris 2.6??
> >
> >That smells very fishy to me. Have you confirmed this with Sun?
> >
>
> That's not been my experience at all.
We've installed over two dozen FW1
> installations recently on Solaris 2.6, with FW1 3.0b. The only caveat is
> to make sure you do *NOT* attempt to install FW1 "out of the box" download
> the "patched" version that Sun distributes as a patch (it's really a whole
> new set of binaries). Once you do that, you're in good shape.
>
> The only Solaris 2.6 issue that came back to bite me is that Sun hasn't yet
> released 2.6 drivers for its SBus Quad-Ethernet cards -- who'd have
> figured they'd release an OS without at least drivers for some standard and
> semi-standard peripherals.
>
>
> - --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Habeeb J. Dihu
> Managing Senior Technologist
> Cirrus Technologies
>
> 'I don't believe in the no-win scenario'
>     -- Captain James T. Kirk, Star Trek II: TWK
> 'There is an old Vulcan proverb, `Only Nixon could go to China.`'
>     -- Captain Spock, Star Trek VI: TUC
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>

From firewalls-owner Thu Jan 8 07:03:30 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA14692; Thu, 8 Jan 1998 06:15:19 -0800 (PST) Received: from mail.zrz.TU-Berlin.DE (mail.zrz.TU-Berlin.DE [130.149.4.15]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id FAA10754 for ; Thu, 8 Jan 1998 05:55:04 -0800 (PST) Received: from fb3-s7.math.tu-berlin.de by mail.zrz.TU-Berlin.DE with SMTP (IC-PP); Thu, 8 Jan 1998 14:54:56 +0100 Received: from fb3-s12.math.TU-Berlin.DE by fb3-s7.math.tu-berlin.de
with SMTP id AA16891 (5.67b8/IDA-1.4.4); Thu, 8 Jan 1998 14:54:53 +0100 Received: by fb3-s12.math.tu-berlin.de id AA19530 (5.67b8/IDA-1.4.4); Thu, 8 Jan 1998 14:53:52 +0100 Date: Thu, 8 Jan 1998 14:53:52 +0100 Message-Id: <199801081353.AA19530@fb3-s12.math.tu-berlin.de> From: Bogdan Pelc To: sjg@quick.com.au Cc: firewalls@greatcircle.com In-Reply-To: <199801080530.QAA12993@gate.quick.com.au> (sjg@quick.com.au) Subject: Re: Split DNS?? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>>>>> "SJG" == Simon J Gerraty writes:

[... TEXT DELETED ...]

SJG> The most common means by which such info "leaks" is in e-mail and
SJG> news headers. You can configure sendmail on your firewall to hide

Yes, I must think about it for a moment ... I will write later.

SJG> from addresses etc, but unless you make sendmail remove Received
SJG> headers (bad idea btw), the original hostname and each hop will be
SJG> leaked. Regardless of whether you have an air gap such info can be
SJG> useful for social engineering ("Hi, I'm from XYZ, I need to install
SJG> an urgent patch on host fubar and the sysadmin is away... what's
SJG> the passwd?") lame, but you get the idea. If asked nicely many
SJG> people are only too pleased to help :-)

[... TEXT DELETED ...]

SJG> That depends on the site. My own little site here runs two bind's
SJG> on the firewall, one that the outside world looks at and is bound to
SJG> the ppp interface only, and another which is a secondary for my
SJG> internal domains and forwards via the bind on the ppp interface (it's
SJG> the only one the kernel will allow to talk to the outside world) and
SJG> the other internal nameservers forward to the bind listening on the
SJG> firewall's ethernet. External sites provide secondary DNS for my
SJG> external view.

Well, yes, for a small site with not too high security it's OK, I think.
But if your Firewall gets hacked, both your DNS also get hacked, don't they?
If you have primary DNS for your Site in the internal network (for example
network with test-IPs 10.) then I have to hack one machine more, that is the
Internal DNS-Server. Yes, I know if the FW gets hacked, then the game is
nearly over, but I think it's somewhat more difficult. I have to go through
the DMZ, I have to go through the router to my internal net, and this I can
do only with the FW-IP, so I have to install my hack-software on the FW
first and so on ...

SJG> I also run the firewalls and DNS for a _big_ corp, and there I set
SJG> things up such that there is zero DNS traffic through the firewall.
SJG> The reasons are many but include: 1. internally rooted DNS allows
SJG> extended disconnection from Internet without impact on corporate

I don't understand Point Nr. 1. Sorry :(

SJG> network. 2. use of illegal nets on corp net means external address
SJG> resolution is meaningless in most cases. 3. the forwarding model
SJG> described above does not scale well to _big_ corporate nets.
SJG> 4. passing zero DNS traffic through firewall ensures that Internet
SJG> is not polluted with internal roots.

2.3 I don't understand it either. So if I am on the Corp-net, and I want to
nslookup www.microsoft.com, so how do I get the IP if I have no DNS-traffic
through the FW? It seems that I get the IP from DNS on the firewall. Did you
mean that? But so there is no problem to have primary DNS on Corp-net for
the Corp-net with forward to the Firewall, which has forward to my ISP.

4. I cannot imagine that, because it's one DNS-forward more than for the
situation without the firewall (if I have no FW then I forward to my ISP-DNS
directly). If I have a caching server it should scale well. I have here a
site with 400+ machines, and DNS is OK. I cannot imagine that one
DNS-forward more and a caching DNS-Server should not scale well. Could you
please explain?

[... TEXT DELETED ...]

--
____________________________________________________________________________
Bogdan Pelc; Sekr.
MA 6-3, Ma682; Tel: 030-31423607, 030-31422491 pelc@math.tu-berlin.de

Do You realize , that this world is totally FUGAZI,
where are the poets, where are the visionaries ... (FISH)

From firewalls-owner Thu Jan 8 07:05:16 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id VAA05722; Wed, 7 Jan 1998 21:06:44 -0800 (PST) Received: from starbase.tos.net (starbase.tos.net [208.137.47.1]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id SAA00241 for ; Wed, 7 Jan 1998 18:36:38 -0800 (PST) Received: (from mail@localhost) by starbase.tos.net (8.8.4/8.8.4) id UAA10441; Wed, 7 Jan 1998 20:37:31 -0600 Received: from macgyver-1.pr.mcs.net(205.253.24.113) by starbase.tos.net via smap (V1.3) id sma010438; Wed Jan 7 20:37:06 1998 Message-Id: X-Sender: macgyver@smtp.tos.net X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0 Date: Wed, 07 Jan 1998 20:33:28 -0600 To: "Paquette, Trevor" , "'Feroz Khan - VCS'" From: MacGyver Subject: RE: FW-1 3.0 and Solaris 2.6 ok? Cc: firewalls@GreatCircle.COM, RWaegner@hou.mdc.com, grat@frii.com In-Reply-To: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----

At 02:35 PM 1/7/98 -0700, Paquette, Trevor wrote:
>Huh?? Are you then saying that Firewall-1 3.0b cannot be installed on a
>Solaris 2.6 system out of the box? One must install Solaris 2.5.1, THEN
>install Firewall-1 3.0b, THEN upgrade to Solaris 2.6??
>
>That smells very fishy to me. Have you confirmed this with Sun?
>

That's not been my experience at all. We've installed over two dozen FW1
installations recently on Solaris 2.6, with FW1 3.0b. The only caveat is
to make sure you do *NOT* attempt to install FW1 "out of the box" download
the "patched" version that Sun distributes as a patch (it's really a whole
new set of binaries). Once you do that, you're in good shape.

The only Solaris 2.6 issue that came back to bite me is that Sun hasn't yet
released 2.6 drivers for its SBus Quad-Ethernet cards -- who'd have
figured they'd release an OS without at least drivers for some standard and
semi-standard peripherals.

- --
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Habeeb J. Dihu
Managing Senior Technologist
Cirrus Technologies

'I don't believe in the no-win scenario'
    -- Captain James T. Kirk, Star Trek II: TWK
'There is an old Vulcan proverb, `Only Nixon could go to China.`'
    -- Captain Spock, Star Trek VI: TUC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From firewalls-owner Thu Jan 8 07:05:12 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA26457; Wed, 7 Jan 1998 10:50:35 -0800 (PST) Received: from firewall1-int.glaxowellcome.com (firewall1.glaxowellcome.com [192.58.204.204]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id KAA26432 for ; Wed, 7 Jan 1998 10:50:23 -0800 (PST) Received: by firewall1-int.glaxowellcome.com id OAA23460; Wed, 7 Jan 1998 14:00:42 -0500 (EST) Received: from ussun2m.glaxo.com(152.51.20.99) by firewall1.glaxo.com via smap (3.2) id xma023444; Wed, 7 Jan 98 14:00:28 -0500 Received: by ussun2m.glaxo.com id NAA19678; Wed, 7 Jan 1998 13:48:21 -0500 (EST) Received: by us1n36.glaxo.com with Internet Mail Service (5.0.1458.49) id ; Wed, 7 Jan 1998 13:50:38 -0500 Message-ID: From: "Hull, Gary G" To: "'firewalls@GreatCircle.COM'" Subject: RE: E-Mail Encryption Date: Wed, 7 Jan 1998 13:50:28 -0500 X-Priority: 3 MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1458.49) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Can anyone tell me how the Secret Agent product of AT&T compares to that
of WorldTalks Secure Messenger?

Gary G. Hull
Senior Manager - Systems Security
Tel : (919) 483-2921 - Fax : (919) 483-0208
email: ggh14854@glaxowellcome.com

> ----------
> From: G2 Security Division[SMTP:AFZJ-I-S@IRWIN.ARMY.MIL]
> Sent: Wednesday, January 07, 1998 12:08 PM
> To: 'firewalls@GreatCircle.COM'
> Subject: Re: E-Mail Encryption
>
> On Tue, 6 Jan 1998, Grigorof, Adrian wrote:
> > I am looking for a product to be used in encrypting e-mail to be sent
> > over the Internet.
>
> Have you looked at AT&T's Secret Agent? It is a digital signature and
> encryption utility. It runs National Institute of Standards and Technology
> (NIST) DES, NIST Digital Signature Standard, NIST Secure Hash Standards
> (See FIPS 180-1), Diffie-Hellman, RSA, and Triple DES. It interfaces with
> PCMCIA cards for message authentication and I believe hardware encryption
> via e.g., FORTEZZA. Their reps at the National Information Systems
> Security Conference indicated that planned version upgrades would allow one
> to set up a macro on MS WORD so a user could run the encryption from a GUI
> button.
>
> Try http://www.att.com/bcs/secure_software
>
> Wolfgang at (760) 380-3379
>

From firewalls-owner Thu Jan 8 07:05:18 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA08109; Wed, 7 Jan 1998 09:31:19 -0800 (PST) Received: from gte.com (h132-197-8-26.gte.com [132.197.8.26]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id JAA08077 for ; Wed, 7 Jan 1998 09:31:11 -0800 (PST) Received: from [132.197.71.1] by gte.com (8.8.4/8.8.4) X-Sender: rhb1@pophost.gte.com Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Wed, 7 Jan 1998 13:44:16 -0400 To: rmckosky@gte.com, enorris@gte.com, djuitt@gte.com, ccarroll@gte.com, Jyri Kaljundi , Firewalls@GreatCircle.COM, rhb1@gte.com From: rhb1@gte.com (Bob Bryant) Subject: ctia hotel confirmations Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I have confirmed with the Salt Lake City Hilton that the following hotel
reservations have been made.

name         dates    confirmation #
R stanley    13-16    832781
C Carroll    13-16    832780
R McKosky    12-16    832816
Djuitt       13-16    831992
R Bryant     12-16    832815
E Norris     12-16    831991

I did this so we would not get the "Mary and Joseph" response in the lobby.
****************************************************************************
Robert Bryant                   email      rhb1@gte.com
Member Technical Staff          Fax        617-466-2838
Secure Systems Department
GTE Laboratories                office ph  617-466-2821
40 Sylvan Rd MS/55              Cell ph    617-733-7757
Waltham, MA 02254
****************************************************************************

From firewalls-owner Thu Jan 8 07:07:49 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA21969; Wed, 7 Jan 1998 13:05:21 -0800 (PST) Received: from m6.sprynet.com (m6.sprynet.com [165.121.2.89]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id NAA21961 for ; Wed, 7 Jan 1998 13:05:14 -0800 (PST) Received: from zepher (hdn90-069.hil.compuserve.com [206.175.99.69]) by m6.sprynet.com (8.6.12/8.6.12) with SMTP id NAA03004; Wed, 7 Jan 1998 13:05:27 -0800 Message-Id: <3.0.3.32.19980107160808.006a33b4@m6.sprynet.com> X-Sender: jsk347@m6.sprynet.com X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Wed, 07 Jan 1998 16:08:08 -0500 To: Peter da Silva , macgyver@tos.net (MacGyver) From: Steve Kruse Subject: Re: E-mail Encryption Cc: firewalls@GreatCircle.COM In-Reply-To: <9801071536.AA10534@baileynm.com> References: <199801070018.SAA31044@starbase.tos.net> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I think it might have been mentioned on here, but there is a $5.00
"up-downgrade" that lets you use the RSA which IS compatible with PGP 2.x.
Check the PGP website for info.

Steve Kruse

At 09:36 AM 1/7/98 -0600, Peter da Silva wrote:
>> Using Eudora 4.0 onward (I'm not sure if previous versions support this
>> feature), you have the ability to set an "output filter", which can be set
>> to call any arbitrary program. PGP 5.0+ has a Eudora plugin option that
>> you can use to automagically guarantee that all emails sent out are
>> encrypted in an invisible way to the user.
>
>Unfortunately PGP 5.0+ encryption is incompatible with PGP 2.6, which is
>what most of the people who use PGP are using. I understand the political
>reasons for switching to D-H key exchange to get out from under RSA, but
>I'm going to stick with 2.6 until there's a really compatible upgrade path
>that works on both protocols and all platforms.
>

From firewalls-owner Thu Jan 8 07:07:53 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA26945; Wed, 7 Jan 1998 13:36:01 -0800 (PST) Received: from gate4.mcc.net (gate4.mcc.net [207.245.25.250]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id NAA26785 for ; Wed, 7 Jan 1998 13:35:12 -0800 (PST) Received: from [10.1.1.25] ([10.1.1.25] EHLO a01ex001.mcc.net ident: SOCKFAULT1 [port 1731]) by gate.mcc.net with ESMTP id <421805-13943>; Wed, 7 Jan 1998 14:35:31 -0700 Received: by A01EX001.mcc.net with Internet Mail Service (5.0.1458.49) id ; Wed, 7 Jan 1998 14:35:34 -0700 Message-ID: From: "Paquette, Trevor" To: "'Feroz Khan - VCS'" Cc: firewalls@GreatCircle.COM, RWaegner@hou.mdc.com, grat@frii.com Subject: RE: FW-1 3.0 and Solaris 2.6 ok? Date: Wed, 7 Jan 1998 14:35:31 -0700 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.49) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Huh?? Are you then saying that Firewall-1 3.0b cannot be installed on a
Solaris 2.6 system out of the box? One must install Solaris 2.5.1, THEN
install Firewall-1 3.0b, THEN upgrade to Solaris 2.6??

That smells very fishy to me. Have you confirmed this with Sun?

> -----Original Message-----
> From: Feroz Khan - VCS [SMTP:Feroz.Khan@VECTOR.CO.ZA]
> Sent: Wednesday, January 07, 1998 3:58 AM
> To: RWaegner@hou.mdc.com; grat@frii.com
> Cc: firewalls@GreatCircle.COM
> Subject: Re: FW-1 3.0 and Solaris 2.6 ok?
>
> Hi,
>
> There seems to be some confusion with regards to Solaris 2.6 and FW-1.
> Here is what I have tested:
>
> Checkpoint: Works with 3.0b or greater.
>
> Solstice: Must be installed on 2.5.1 first. One of the following patches
> must then be installed:
>     Non-VPN - 105477
>     VPN-FWZ - 105478
>     VPN-DES - 105474
> At this point, you can do an OS upgrade to Solaris 2.6.
>
> Hope this helps,
> Feroz
>

From firewalls-owner Thu Jan 8 07:07:56 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA04769; Wed, 7 Jan 1998 09:17:30 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id JAA04509 for ; Wed, 7 Jan 1998 09:16:39 -0800 (PST) Received: from inergen.sybase.com by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id JAA01526; Wed, 7 Jan 1998 09:09:47 -0800 (PST) Received: from smtp1.sybase.com (sybgate.sybase.com [130.214.220.35]) by inergen.sybase.com (8.8.4/8.8.4) with SMTP id JAA27822; Wed, 7 Jan 1998 09:11:52 -0800 (PST) Received: from by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) id AB20240; Wed, 7 Jan 98 09:13:06 PST Received: by gwwest.sybase.com(Lotus SMTP MTA v1.1 (385.6 5-6-1997)) id 88256585.0067673A ; Wed, 7 Jan 1998 09:14:17 -0800 X-Lotus-Fromdomain: SYBASENOTES From: "Ryan Russell" To: LOWPC@binariang.maxisnet.com.my Cc: glasane@gdsconnect.com, firewalls@GreatCircle.COM, macgyver@tos.net Message-Id: <88256585.005D9269.00@gwwest.sybase.com> Date: Wed, 7 Jan 1998 09:08:30 -0800 Subject: Re: RE: Stateful Inspection Anyone? Explore your options. Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I'm implying that 's a small possibility, at least as far as my
experience goes. The possibility of state table corruption has been
discussed as a potential problem, but since I've been on the list, no one
has mentioned that they've seen it happen.

Whatever the chances are aside, I believe that the same problem would
exist for the TCP connection tables that the OS maintains that proxies
rely on. The code and data structures would be very similar between the
two (though, this is a guess on my part.. I haven't actually written a
SPF firewall or a TCP stack for an OS.)

The problem of corrupt memory would likely affect any security software
in adverse ways. I don't know of any (with the possible exception of
virus scanners) that do any self-integrity checking.

I mostly took exception because the guy making the statement appeared to
be doing so in order to make a sales pitch.

Ryan

>>> "Ryan Russell" 01/07 1:49 PM >>>
One of the biggest complaints about proxies is that if the TCP
connection table becomes corrupt, the network could become vulnerable to
the outside.

Quit spreading FUD.

-Are you implying that this is only a very small possibility
-or none at all?

-ciao!

----- he who knows not, --------------------
------and knows not he knows not, ----
------he's probably a salesman--------
! !

From firewalls-owner Thu Jan 8 07:09:16 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA05940; Wed, 7 Jan 1998 14:15:49 -0800 (PST) Received: from merlot.im1ru12.org (iq-ind-dns000-net-67.iquest.net [209.43.13.67]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id OAA05820 for ; Wed, 7 Jan 1998 14:15:24 -0800 (PST) Received: (qmail 20523 invoked by uid 512); 7 Jan 1998 22:07:01 -0000 Date: Wed, 7 Jan 1998 17:07:01 -0500 (EST) From: "Chad O'leary" X-Sender: chad@merlot.im1ru12.org To: Andre van der Lans cc: Randall Kizer , firewalls@GreatCircle.COM Subject: Re: Firewall for ISP In-Reply-To: <34B3399E.FC1D7A47@inet.unisource.nl> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I hope this starts some PIX discussion, it's not meant to be total flame
mail.

On Wed, 7 Jan 1998, Andre van der Lans wrote:

> Randall Kizer wrote:
> >
> > Jaime,
> >
> > We've just implemented a PIX firewall to evaluate it. Would you, or anyone
> > else reading this e-mail, please share your experiences with this product.
> > You mentioned "it has some weakness", can you be more specific? What are
> > some of its strengths?
> >
> > Randall
> > rkizer@sddpc.org
> >
> > >From: "Jaime Blanco"
> > >To:
> > >Cc:
> > >Subject: Firewall for ISP
> > >Date: Wed, 17 Dec 1997 20:38:06 -0500
> Buenos dias,
>
> The Cisco PIX isn't really a firewall.

Insert flame here...

> It's a cut through proxy which

It's a stateful packet filter, NOT a proxy.

> means that when a packet is checked for authentication, the PIX simply
> gonna forward all these packages and none of the following packages are
> being screened.

Ummmm. Each packet header is inspected. The payload can be inspected.
i.e. SMTP data which would normally make sendmail puke is denied.
If you want to block java, just enable it. That's a little more than
"a packet is checked."

> It's difficult to get the logging done

It's on by default! Type show syslog.

> and the logging
> is also done with syslog on a remote machine

CAN be done. You don't have to. I personally like it that way.

> ( The PIX hasn't got a
> hard disk).

One less thing to break!

> Another issue is that the GUI quits working when the
> configuration file has more than 400 entries.

OK, you have a point. Sounds like a bug. Report it to Cisco if you want.
I looked at the "GUI" (web based) after it had been here for a while. It
was functional. But command line is much faster and more intuitive for
*me*. Others may care, do your part and report the bug.

> Last but not least, the Cisco PIX is an expensive product and for the
> same price or less you can get a much better Firewall.

Do your homework. The solution depends on the environment and the
application.
> > -- > Andre van der Lans > Unisource Business Networks Netherlands bv > Koningin Sophie St 120, 2595 TM The Hague > Tel +31 703711069, Fax +31 703712638 > Email: andre.van.der.lans@inet.unisource.nl > --Chad From firewalls-owner Thu Jan 8 07:49:26 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA21330; Thu, 8 Jan 1998 06:45:34 -0800 (PST) Received: from filer2.isc.rit.edu (filer2.isc.rit.edu [129.21.3.107]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id GAA16503 for ; Thu, 8 Jan 1998 06:22:27 -0800 (PST) Received: from grace.isc.rit.edu by osfmail.isc.rit.edu (PMDF V5.1-10 #21576) with ESMTP id <0EMG00J6SYMIRC@osfmail.isc.rit.edu> for firewalls@GreatCircle.COM; Thu, 8 Jan 1998 09:23:06 -0500 (EST) Received: from localhost (jlt8903@localhost) by grace.isc.rit.edu (8.8.5/8.8.5) with SMTP id JAA24077 for ; Thu, 08 Jan 1998 09:23:06 -0500 (EST) Date: Thu, 08 Jan 1998 09:23:05 -0500 (EST) From: Jason Terwilliger Subject: Re: Wannabe needs a good book In-reply-to: X-Sender: jlt8903@grace.isc.rit.edu To: firewalls@GreatCircle.COM Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII X-Authentication-warning: grace.isc.rit.edu: jlt8903 owned process doing -bs Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Wombat's Newbie Reading List: > > Internetworking with TCP/IP > Volume 1 > Douglas Comer > Prentice Hall > ISBN 0-13-468505-9 > > (Comer also has a general networking book out, but I loaned it to a > newbie at the office - it is a better place to start for the novice than > the above) I believe the general networking book by D. Comer you refer to is "Computer Networks and Internets" Prentice Hall ISBN 0-13-239070-1 It's a pretty good book for the beginner (we used it for our first couple courses in networking). The price (general retail) is US$66 Hope this is what you were talking about. 
~Jason From firewalls-owner Thu Jan 8 10:01:13 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA26948; Thu, 8 Jan 1998 09:39:24 -0800 (PST) Received: from redcross.dk (ns.redcross.dk [147.29.204.52]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id JAA26903 for ; Thu, 8 Jan 1998 09:39:14 -0800 (PST) Received: from [192.168.51.1] by redcross.dk with ESMTP (Eudora Internet Mail Server 2.0); Thu, 8 Jan 1998 18:50:01 +0100 X-Sender: lars-bertelsen@mail.redcross.dk Message-Id: In-Reply-To: <199801080543.NAA05952@imsp015.netvigator.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-Mailer: Eudora 2.0.1 X-Charset: US-DK X-Char-Esc: 29 To: firewalls@GreatCircle.COM From: Lars Bertelsen Subject: Re: Proxy Servers on DMZ?? Date: Thu, 8 Jan 1998 18:50:02 +0100 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In your message you write: >Hi, > >Does anybody tell me whether the proxy servers (eg WEB, email) be placed >at DMZ segment >instead of at internal segment so as to protect the internal network? > >Jim The proxies would be on a machine in the dmz. This way, if someone invades your proxy server they still have the very conservatively configured internal router to contend with. It is essential in this scheme that the internal router is configured on the basis that the proxy server is considered "hostile", meaning that it should have very limited access to your internal network. Lars Bertelsen Gartnervang 29 tlf. 
4635 1115
4000 Roskilde, DK e-mail of choice: lbe@login.dknet.dk

From firewalls-owner Thu Jan 8 10:16:47 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA01396; Thu, 8 Jan 1998 10:01:24 -0800 (PST) Received: from starbase.tos.net (starbase.tos.net [208.137.47.1]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id KAA01331 for ; Thu, 8 Jan 1998 10:01:03 -0800 (PST) Received: (from mail@localhost) by starbase.tos.net (8.8.4/8.8.4) id MAA17853; Thu, 8 Jan 1998 12:01:25 -0600 Received: from gatekeeper1.bakernet.com(208.193.53.2) by starbase.tos.net via smap (V1.3) id sma017837; Thu Jan 8 12:01:02 1998 Message-Id: X-Sender: macgyver@smtp.tos.net X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0 Date: Thu, 08 Jan 1998 11:57:14 -0600 To: "Waegner.Rick" , "Paquette, Trevor" , "'Feroz Khan - VCS'" From: MacGyver Subject: RE: FW-1 3.0 and Solaris 2.6 ok? Cc: firewalls@GreatCircle.COM, grat@frii.com In-Reply-To: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----

At 08:03 AM 1/8/98 -0600, Waegner.Rick wrote:
>Habeeb,
>
> You are correct about FW-1 3.0b and Solaris 2.6 working fine.
>But, the original question was FW-1 3.0 and Solaris 2.6. BTW FW-1 3.0 is
>what you get from Sun, Checkpoint is already shipping FW-1 3.0b as well
>are their VAR's (except Sun!!)
>
>Rick Waegner

My apologies...it was late, and I wasn't clear. :) What Sun sends you is
the 3.0 version, what they call the "patch" to fix it is really the 3.0b
version which you download. :)

- --
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Habeeb J. Dihu
Managing Senior Technologist
Cirrus Technologies

'I don't believe in the no-win scenario'
    -- Captain James T.
Kirk, Star Trek II: TWK ` ' _ _ ' 'There is an old Vulcan proverb, `Only Nixon ' could go to China.`' -- Captain Spock, Star Trek VI: TUC ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -----BEGIN PGP SIGNATURE----- Version: PGP for Business Security 5.5.2 iQCVAwUBNLUTeVTtNfTWxXdNAQEXqwP/ScrtZOY8jNl0lKE9QDyGuIkLQ0gPd6He NQbXMvi9Q5nZhO+eCuzD3oUWxaX/UC74ja4jHXTv2ieODCalDkhNPomFmN/J05e8 mLqBOd1AqMiEnOG4vJvt/rhemnErtNw18FnWLKjVOam4cEKHJUNZEY6ZpbTH8ffJ q7Oud4JNEj4= =lPrB -----END PGP SIGNATURE-----

From firewalls-owner Thu Jan 8 10:24:47 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA11981; Thu, 8 Jan 1998 08:29:54 -0800 (PST) Received: from Zool.AirTouch.COM (zool.airtouch.com [151.144.254.21]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id IAA11812 for ; Thu, 8 Jan 1998 08:29:19 -0800 (PST) From: Mike.Skala@zool.AirTouch.COM Received: from notes.airtouch.com by Zool.AirTouch.COM (SMI-8.6/SMI-SVR4) id IAA20789; Thu, 8 Jan 1998 08:29:41 -0800 Received: by notes.airtouch.com(Lotus SMTP MTA v1.1 (385.6 5-6-1997)) id 88256586.005AAD9A ; Thu, 8 Jan 1998 08:30:26 -0800 X-Lotus-FromDomain: AIRTOUCH To: TB186459@shellus.com, firewalls@greatcircle.com Message-ID: <88256586.005964B9.00@notes.airtouch.com> Date: Thu, 8 Jan 1998 08:33:25 -0800 Subject: Re: relative strengths of different encyrption techniques Mime-Version: 1.0 Content-type: text/plain; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Mike Skala@AIRTOUCH 01/08/98 08:33 AM

To start: A 56-bit key can be broken on average in 2^55 = 3.6 x 10^16 trials or

Trials/Second    Time Required
1                10^9 years
10^3             10^6 years
10^6             10^3 years
10^9             1 year
10^12            10 hours

Also, in amount of time needed to mount a $1 million hardware brute-force attack:

Year    56-bit        112-bit        128-bit
1995    3 years       10^17 years    10^22 years
2000    115 days      10^16 years    10^21 years
2010    1.5 days      10^14 years    10^19 years
2020    21 minutes    10^12 years    10^17 years
2030    13 seconds    10^10 years    10^15 years

Note:
DES = 56-bit key
Triple DES = equivalent to 112-bit key
IDEA (Int'l Data Encryption Algorithm) = 128-bit key

I hope the superscripting came through for the numbers above.

Source: Schneier, Bruce, "E-Mail Security: How to Keep Your Electronic Messages Private" via Dr. Howard Podell's seminar on "Enterprise Security: WWW, Internet, and Intranet Security Issues for Effective Systems Development."

TB186459@shellus.com on 01/07/98 02:46:31 PM To: firewalls@greatcircle.com cc: (bcc: Mike Skala/Corporate/AirTouch) Subject: relative strengths of different encyrption techniques

I'm not a cryptologist but... I've been asked to estimate the time it takes to crack various encryption techniques... Yes... I understand the more bits, the better... I understand that most reasonable people will deploy the best technique available... and so will we. That, however, doesn't alleviate me from trying to estimate how many days/months/years/light_years of compute cycles it will take for someone to crack the technique we select. Are there any references on the relative strengths of different encryption techniques... Any help would be appreciated...

T.
Bowers Tom Bowers Network Engineering Shell Services Company PHONE: (1) 713-245-1269 FAX: (1) 713-245-1010 E-MAIL: tbowers@shellus.com From firewalls-owner Thu Jan 8 12:01:58 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA22653; Thu, 8 Jan 1998 09:20:12 -0800 (PST) Received: from citel.upc.es (citel.upc.es [147.83.36.47]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id JAA21695 for ; Thu, 8 Jan 1998 09:15:50 -0800 (PST) Received: from alu-etsetb.upc.es (jolibus.upc.es [147.83.36.68]) by citel.upc.es (8.8.8/8.8.5) with ESMTP id SAA29033 for ; Thu, 8 Jan 1998 18:14:36 GMT Message-ID: <34B509E4.D64A08FD@alu-etsetb.upc.es> Date: Thu, 08 Jan 1998 18:16:20 +0100 From: Francesc Guasch X-Mailer: Mozilla 4.04 [en] (X11; I; Linux 2.0.32 i586) MIME-Version: 1.0 To: firewalls@greatcircle.com Subject: Re: Proxy Servers on DMZ?? References: <199801080543.NAA05952@imsp015.netvigator.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk MS wrote: > > Hi, > > Does anybody tell me whether the proxy servers (eg WEB, email) be placed > at DMZ segment > instead of at internal segment so as to protect the internal network? > imho the proxy server weakens the box and the network so being in the dmz protects your internal network from attaks produced there. -- ^-^.-----. 
mailto:frankie@citel.upc.es o o ) http://citel.upc.es/~frankie Y (_ (___(ssss

From firewalls-owner Thu Jan 8 12:03:45 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA18027; Thu, 8 Jan 1998 08:54:30 -0800 (PST) Received: from mailme.wirehub.nl (ns2.wirehub.net [194.165.94.5]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id IAA17877 for ; Thu, 8 Jan 1998 08:53:59 -0800 (PST) Received: from NLPC067.UTRECHT ([195.118.0.19]) by mailme.wirehub.nl (8.8.7/8.8.7) with ESMTP id RAA22502 for ; Thu, 8 Jan 1998 17:54:24 +0100 (CET) Message-Id: <199801081654.RAA22502@mailme.wirehub.nl> From: "Johan Teekens" To: Subject: IBM firewall Date: Thu, 8 Jan 1998 17:55:12 +0100 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1155 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Next week an RS6000, model 43p, with AIX, is going to be delivered to me, on which I have to install the IBM firewall, this is not exactly what I wanted, I wanted Raptor or Linux, but for political reasons we have to buy the IBM firewall. Has anyone any experience with it, what are the advantages? How stable is it? Where are its holes? It's not that I don't trust it or anything, but this software is quite new for me, and the art of automation this to decrease the risk of anything going wrong, I can't estimate that risk at the moment. Can anyone tell me what is going to happen to me?
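Added example, not part of any list message: the scaling rule behind the brute-force table in Mike Skala's reply in the "relative strengths" thread above, checked against the figures he quotes and usable for other key lengths. The table values are transcribed from that message; the 365.25-day year and all function names are assumptions of this sketch.

```python
"""Exhaustive key-search estimates, checked against the table quoted in the thread."""
from math import floor, log10

SECONDS_PER_YEAR = 365.25 * 24 * 3600  # assumption: 365.25-day year
DAY, MINUTE = 86400, 60

def average_trials(key_bits):
    """Expected trials to find a key by exhaustive search: half the keyspace."""
    return 2 ** (key_bits - 1)

def seconds_to_break(key_bits, trials_per_second):
    """Average search time at a fixed trial rate."""
    return average_trials(key_bits) / trials_per_second

def scale_time(seconds, from_bits, to_bits):
    """Same hardware, different key length: each extra key bit doubles the time."""
    return seconds * 2 ** (to_bits - from_bits)

def implied_rate(key_bits, seconds):
    """Trials per second a machine must sustain to average `seconds` per key."""
    return average_trials(key_bits) / seconds

def magnitude_years(seconds):
    """Power of ten of a duration in years (the table's 10^n notation)."""
    return floor(log10(seconds / SECONDS_PER_YEAR))

def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    units = (("years", SECONDS_PER_YEAR), ("days", DAY),
             ("hours", 3600), ("minutes", MINUTE))
    for unit, size in units:
        if seconds >= size:
            return f"{seconds / size:.3g} {unit}"
    return f"{seconds:.3g} seconds"

# Transcribed from the quoted $1 million hardware table:
# year -> (56-bit time in seconds, 112-bit exponent, 128-bit exponent),
# where the exponents are the n in "10^n years".
QUOTED = {
    1995: (3 * SECONDS_PER_YEAR, 17, 22),
    2000: (115 * DAY, 16, 21),
    2010: (1.5 * DAY, 14, 19),
    2020: (21 * MINUTE, 12, 17),
    2030: (13, 10, 15),
}

def check_table(table=QUOTED):
    """Derive the 112- and 128-bit columns from the 56-bit column.

    Returns (year, bits, derived_exponent, quoted_exponent) for every cell
    where the doubling rule and the quoted table disagree.
    """
    mismatches = []
    for year, (t56, exp112, exp128) in table.items():
        for bits, quoted in ((112, exp112), (128, exp128)):
            derived = magnitude_years(scale_time(t56, 56, bits))
            if derived != quoted:
                mismatches.append((year, bits, derived, quoted))
    return mismatches

if __name__ == "__main__":
    # First table: 56-bit key at fixed trial rates.
    for rate in (1, 1e3, 1e6, 1e9, 1e12):
        print(f"{rate:>8.0e} trials/s -> {humanize(seconds_to_break(56, rate))}")
    # Second table: every 112/128-bit cell follows from the 56-bit one.
    print("cells that disagree with the doubling rule:", check_table())
    # What the 1995 row assumes about the machine, and a key length
    # the table does not list (64 bits) on that same machine.
    t1995 = QUOTED[1995][0]
    print(f"1995 machine: {implied_rate(56, t1995):.2e} trials/s")
    print("64-bit key on it:", humanize(scale_time(t1995, 56, 64)))
```

Every 112-bit and 128-bit cell in the quoted table follows from the 56-bit column by the doubling rule, so a single measured or assumed 56-bit figure is enough to estimate any other key length on the same hardware.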
From firewalls-owner Thu Jan 8 12:05:13 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA21799; Thu, 8 Jan 1998 11:24:36 -0800 (PST) Received: from ns1.content.net (ns1.content.net [198.87.147.254]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id KAA06887 for ; Thu, 8 Jan 1998 10:28:08 -0800 (PST) Received: from localhost (richard@localhost) by ns1.content.net (8.8.4/8.8.6) with SMTP id NAA17770; Thu, 8 Jan 1998 13:27:10 -0500 (EST) Date: Thu, 8 Jan 1998 13:27:09 -0500 (EST) From: Richard Stiennon X-Sender: richard@ns1.content.net To: "Caldwell, Matt" cc: "'firewalls@GreatCircle.COM'" , beberg@distributed.net Subject: RE: relative strengths of different encryption techniques In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thu, 8 Jan 1998, Caldwell, Matt wrote: > I suggest you get "Applied Cryptography" from Amazon or Such, it has a > reference section that has a chart to show the time relative to the > processor speed etc. > *PLEASE* use this URL to purchase Applied Cryptography by Bruce Schneier http://www.amazon.com/exec/obidos/ISBN=0471117099/distributednetA/ You will be helping to fund the RC5-64 key cracking effort at www.distributed.net A most worthy cause :-) If you are not already participating it is easy to grab the client and become part of the biggest computer in history. 
-Richard Stiennon From firewalls-owner Thu Jan 8 12:09:34 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA27799; Thu, 8 Jan 1998 11:58:09 -0800 (PST) Received: from ihgw1.lucent.com (ihgw1.lucent.com [207.19.48.1]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id LAA27786 for ; Thu, 8 Jan 1998 11:58:03 -0800 (PST) To: "Firewalls@GreatCircle.COM" , Pablo Martinez Received: from mtgbcs.mt.lucent.com by ihig1.firewall.lucent.com (SMI-8.6/EMS-L sol2) id OAA21524; Thu, 8 Jan 1998 14:18:28 -0600 Received: from lucent.com by mtgbcs.mt.lucent.com (SMI-8.6/EMS-1.3.1 sol2) id PAA18799; Thu, 8 Jan 1998 15:00:18 -0500 Message-ID: <34B532C5.A16CA63E@lucent.com> Date: Thu, 08 Jan 1998 15:10:45 -0500 From: Pablo Martinez Organization: Lucent Technologies X-Mailer: Mozilla 4.04 [en] (WinNT; U) MIME-Version: 1.0 Original-To: "Firewalls@GreatCircle.COM" , Pablo Martinez Subject: Diferrence between Circuit-level Gateway and a generic application proxy Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I have a question for you guys. What is the key difference between a generic application proxy running in an application gateway firewall and a circuit-level gateway? I know that the circuit gateway is a proxy that runs at the transport layer while the application proxy runs at the application layer. However, the part that confuses me a little is that it is "generic." Are these generic proxies just "forwarding" a specified protocol to a specified port on an specified separate server for further procesing (similar to Raptor's Generic Service Passer)? 
-- Pablo Martinez 101 Crawfords Corner Rd Internet Communications Business Holmdel, NJ 07733-3030 Lucent Technologies 732 817-2731 pablo@lucent.com 732 817-4504 FAX From firewalls-owner Thu Jan 8 12:11:57 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA21696; Thu, 8 Jan 1998 09:15:51 -0800 (PST) Received: from enteract.com (enteract.com [206.54.252.1]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id JAA21079 for ; Thu, 8 Jan 1998 09:12:17 -0800 (PST) Received: from jimst.alephconsult.com (jimst.sa.enteract.com [207.229.133.64]) by enteract.com (8.8.8/8.7.6) with SMTP id LAA11899; Thu, 8 Jan 1998 11:12:39 -0600 (CST) Received: by localhost with Microsoft MAPI; Thu, 8 Jan 1998 11:12:35 -0600 Message-ID: <01BD1C26.526493A0.jimst@enteract.com> From: James Strompolis Reply-To: "jimst@enteract.com" To: "'Kerry Jones'" , "firewalls@GreatCircle.COM" Subject: RE: DNS on firewall?? Date: Thu, 8 Jan 1998 11:08:11 -0600 Organization: Aleph Consultants, Inc. X-Mailer: Microsoft Internet E-mail/MAPI - 8.0.0.4211 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Why not pay your ISP to be your secondary? Takes the secondary off-site making things somewhat more reliable. - James Strompolis Aleph Consultants, Inc. jimst@enteract.com On Tuesday, January 06, 1998 12:02 AM, Kerry Jones [SMTP:kjones@aims.gov.au] wrote: > Hi, > > Simple question. Is it a good idea to run a DNS server on a > Firewall????? > > AUNIC require at least 2 DNS servers, so I am trying to decide where to > configure the 2nd DNS server for our domain (Primary one is currently on > the DMZ). Will putting the secondary DNS on the firewall create a > security hole in the Firewall which would best be avoided???????? > Is it acceptable (secure) to put the DNS and other services (e.g. > http/ftp) on the Firewall?? > > What do you think?? > What are your opinions?? 
>
> I have a fairly standard setup as follows;
>
>     Internet
>        |
>      router
>        |
>     firewall - dmz (1 machine: http/ftp/dns)
>        |
>  internal network.
>
> --
> Kerry Jones
> kjones@aims.gov.au
>

From firewalls-owner Thu Jan 8 13:16:17 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA06443; Thu, 8 Jan 1998 12:47:16 -0800 (PST) Received: from new-murphey.tenet.edu (new-murphey.tenet.edu [198.213.2.103]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id MAA06301 for ; Thu, 8 Jan 1998 12:46:47 -0800 (PST) Received: from newmail.tenet.edu (wanmaster.wichita-falls.isd.tenet.edu [207.64.60.184]) by new-murphey.tenet.edu (Post.Office MTA v3.1.2 release (PO203-101c) ID# 0-40960U100000L30000S0) with ESMTP id AAA22823 for ; Thu, 8 Jan 1998 14:47:24 -0600 Message-ID: <34B53B41.4C00D331@newmail.tenet.edu> Date: Thu, 08 Jan 1998 14:46:58 -0600 From: "ALBERT KIRCHHOFF" Organization: Wichita Falls Independent School District X-Mailer: Mozilla 4.03 [en] (Win95; I) MIME-Version: 1.0 To: firewalls@greatcircle.com Subject: Problems with Proxy Next in Firewall-1 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

We are a K-12 school district. Our acceptable use policy requires HTTP users to authenticate through our firewall before allowing our users access to the Internet. We are pointing the "Proxy Next" to a box behind the firewall which provides filtering with SURFWATCH. Periodically, after authenticating, the browser will say that it has contacted the host and is waiting for a reply and finally return with the error "Document contains no data"?
Thanks in advance, albertk@tenet.edu From firewalls-owner Thu Jan 8 13:31:01 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA18796; Thu, 8 Jan 1998 08:57:49 -0800 (PST) Received: from hq.si.net (hq.si.net [192.156.192.10]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id IAA18724 for ; Thu, 8 Jan 1998 08:57:22 -0800 (PST) Received: from hq.si.net (hq [192.156.192.10]) by hq.si.net (8.8.5/8.7.3) with SMTP id LAA00384; Thu, 8 Jan 1998 11:59:26 -0500 (EST) Date: Thu, 8 Jan 1998 11:59:25 -0500 (EST) From: Ming Lu To: MacGyver cc: "Paquette, Trevor" , "'Feroz Khan - VCS'" , firewalls@GreatCircle.COM, RWaegner@hou.mdc.com, grat@frii.com Subject: RE: FW-1 3.0 and Solaris 2.6 ok? In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Wed, 7 Jan 1998, MacGyver wrote: > -----BEGIN PGP SIGNED MESSAGE----- > > At 02:35 PM 1/7/98 -0700, Paquette, Trevor wrote: > >Huh?? Are you then saying that Firewall-1 3.0b cannot be installed on a > >Solaris 2.6 system out of the box? One must install Solaris 2.5.1, THEN > >install Firewall-1 3.0b, THEN upgrade to Solaris 2.6?? > > > >That smells very fishy to me. Have you confirmed this with Sun? > > > > That's not been my experience at all. We've installed over two dozen FW1 > installations recently on Solaris 2.6, with FW1 3.0b. The only cavaet is > to make sure you do *NOT* attempt to install FW1 "out of the box" download > the "patched" version that Sun distributes as a patch (it's really a whole > new set of binaries). Once you do that, you're in good shape. > > The only Solaris 2.6 issue that came back to bite me is that Sun hasn't yet > released 2.6 drivers for it's SBus Quad-Ethernet cards -- who'd have > figured they'd release an OS without at least drivers for some standard and > semi-standard peripherals. > Did you mean Fast quad-ethernet card (100/10) or Quad-Ethernet card (10)? 
_ming From firewalls-owner Thu Jan 8 14:31:35 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA16567; Thu, 8 Jan 1998 13:33:03 -0800 (PST) Received: from vector.dalsemi.com (vector.DALSEMI.COM [198.3.123.1]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id NAA16503 for ; Thu, 8 Jan 1998 13:32:46 -0800 (PST) Received: from galahad.dalsemi.com (galahad.dalsemi.com [180.0.42.20]) by vector.dalsemi.com (8.7.5/8.6.5) with SMTP id PAA17168; Thu, 8 Jan 1998 15:33:11 -0600 (CST) Received: from ssawicki.dalsemi.com (ssawicki.dalsemi.com [180.0.60.61]) by galahad.dalsemi.com (8.6.beta.10/8.3) with SMTP id PAA22417; Thu, 8 Jan 1998 15:42:40 -0600 Received: by ssawicki.dalsemi.com with Microsoft Mail id <01BD1C4A.BAD94240@ssawicki.dalsemi.com>; Thu, 8 Jan 1998 15:33:12 -0600 Message-ID: <01BD1C4A.BAD94240@ssawicki.dalsemi.com> From: Scott Sawicki To: "firewalls@GreatCircle.COM" , "'Mike.Skala@AIRTOUCH.com'" Subject: RE: relative strengths of different encyrption techniques Date: Thu, 8 Jan 1998 15:33:11 -0600 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk for 1024bit public key cryptography for email and transactions see: http://www.dalsemi.com/News_Center/Press_Releases/1998/4q97.html http://www.ibutton.com/Crypto/ From firewalls-owner Thu Jan 8 14:42:10 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA18904; Thu, 8 Jan 1998 08:59:03 -0800 (PST) Received: from cs.tamu.edu (clavin.cs.tamu.edu [128.194.130.106]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id IAA18884 for ; Thu, 8 Jan 1998 08:58:50 -0800 (PST) Received: from cs.tamu.edu (pvme43 [128.194.136.74]) by cs.tamu.edu (8.8.8/8.8.8) with ESMTP id KAA02787 for ; Thu, 8 Jan 1998 10:57:26 -0600 (CST) Message-ID: <34B505F4.9C8D23E4@cs.tamu.edu> Date: Thu, 08 Jan 1998 10:59:32 -0600 From: Jeff Bourne 
X-Mailer: Mozilla 4.03 [en] (Win95; U) MIME-Version: 1.0 To: Firewalls@greatcircle.com Subject: Re: ctia hotel confirmations References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk So what??? Bob Bryant wrote: > > I have confirmed with the Salt Lake City Hilton that the following hotel > reservations have been made. > name dates confirmation # > R stanley 13-16 832781 > C Carroll 13-16 832780 > R McKosky 12-16 832816 > Djuitt 13-16 831992 > R Bryant 12-16 832815 > E Norris 12-16 831991 > I did this so we would not get the "Mary and Joseph" responce in the lobby. > > ******************************************************************************* > Robert Bryant email rhb1@gte.com > Member Technical Staff Fax 617-466-2838 > Secure Systems Department > GTE Labrotories office ph 617-466-2821 > 40 Sylvan Rd MS/55 Cell ph 617-733-7757 > Waltham, MA 02254 > **************************************************************************** > *** -- CPT(P) Jeff Bourne H: (409)-268-7543 4004 Oaklawn W: (409)-862-4871 Bryan, TX 77801 F: (409)-260-0149 From firewalls-owner Thu Jan 8 15:32:50 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA06209; Thu, 8 Jan 1998 08:05:06 -0800 (PST) Received: from maili.intern.Austria.EU.net (melone.austria.eu.net [193.154.142.240]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id IAA06080 for ; Thu, 8 Jan 1998 08:04:36 -0800 (PST) Received: from vindobona.intern.austria.eu.net (vindobona.intern.Austria.EU.net [192.168.191.165]) by maili.intern.Austria.EU.net (8.8.6/8.8.6) with ESMTP id RAA23413; Thu, 8 Jan 1998 17:05:01 -0100 (GMT) Received: (from cr@localhost) by vindobona.intern.austria.eu.net (8.7.6/8.7.3) id RAA01030; Thu, 8 Jan 1998 17:04:37 +0100 Date: Thu, 8 Jan 1998 17:04:37 +0100 Message-Id: <199801081604.RAA01030@vindobona.intern.austria.eu.net> From: Christian Reiser To: chad@rumor.net CC: 
andre.van.der.lans@inet.unisource.nl, rkizer@guten.sddpc.org, firewalls@GreatCircle.COM In-reply-to: (chad@rumor.net) Subject: Re: Firewall for ISP Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >> Another issue is that the GUI quits working when the >> configurationfile has more than 400 entries. > >OK, you have a point. Sounds like a bug. Report it to Cisco if you want. >I looked at the "GUI" (web based) after it had been here for a while. It >was functional. But command line is much faster and more intuitive for >*me*. Others may care, do your part and report the bug. Sorry, but there is one point I don't understand. What do you need a config-file for, that has more than 400 entries? I wouldn't understand it any more. I installed 3 PIX in the last month for customers having about 50 lines each (including all the default staff). For ordinary installations you don't need more than that. Here in our office I run a slightly more complicated configuration with 74 lines, but I can't imagine a configuration with more than 100 lines. BTW, I also prefere the command line interface. 
Greatings from Vienna/Austria mfg CR -- Christian Reiser (EUnet Austria) e-mail: C.Reiser@Austria.EU.net Tel: +431 899 33-0 http://www.Austria.EU.net/ Fax: +431 899 33-533 CR86-RIPE priv: C.Reiser@ieee.org To get my PGP-Key send e-mail with Subject: Query PGP Key From firewalls-owner Thu Jan 8 15:54:03 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA08565; Thu, 8 Jan 1998 10:35:11 -0800 (PST) Received: from mail.clark.net (mail.clark.net [168.143.0.10]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id KAA08449 for ; Thu, 8 Jan 1998 10:34:41 -0800 (PST) From: phoenix@clark.net Received: from clark.net (phoenix@explorer.clark.net [168.143.0.7]) by mail.clark.net (8.8.8/8.8.8) with ESMTP id NAA18858; Thu, 8 Jan 1998 13:35:19 -0500 (EST) Received: from localhost (phoenix@localhost) by clark.net (8.8.8/8.8.8) with SMTP id NAA29766; Thu, 8 Jan 1998 13:35:14 -0500 (EST) X-Authentication-Warning: clark.net: phoenix owned process doing -bs Date: Thu, 8 Jan 1998 13:35:13 -0500 (EST) To: Bob Bryant cc: rmckosky@gte.com, enorris@gte.com, djuitt@gte.com, ccarroll@gte.com, Jyri Kaljundi , Firewalls@GreatCircle.COM Subject: Re: ctia hotel confirmations In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Umm... good thing we're all friends here. This information has serious practical joke value. ;) I wonder how many cancellations The Salt Lake City Hilton will receive... On Wed, 7 Jan 1998, Bob Bryant wrote: > I have confirmed with the Salt Lake City Hilton that the following hotel > reservations have been made. > name dates confirmation # > R stanley 13-16 832781 > C Carroll 13-16 832780 > R McKosky 12-16 832816 > Djuitt 13-16 831992 > R Bryant 12-16 832815 > E Norris 12-16 831991 > I did this so we would not get the "Mary and Joseph" responce in the lobby. 
> > ******************************************************************************* > Robert Bryant email rhb1@gte.com > Member Technical Staff Fax 617-466-2838 > Secure Systems Department > GTE Labrotories office ph 617-466-2821 > 40 Sylvan Rd MS/55 Cell ph 617-733-7757 > Waltham, MA 02254 > **************************************************************************** > *** Trees:2 Skiers:0 From firewalls-owner Thu Jan 8 17:30:28 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA09418; Thu, 8 Jan 1998 08:18:56 -0800 (PST) Received: from mailrelay.atsi.com ([204.209.211.162]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id IAA09322 for ; Thu, 8 Jan 1998 08:18:33 -0800 (PST) Received: (from styx@localhost) by mailrelay.atsi.com (8.7.5/8.6.9) id KAA28766 for ; Thu, 8 Jan 1998 10:24:23 -0700 Received: from mailhub.atsi.com by mailrelay.atsi.com via smap (V2.0) id xma028760; Thu, 8 Jan 98 10:24:04 -0700 Received: from zeus.atsi.com (BRobinson@atsi.com) by atsi.com (8.8.7/8.8.7) with SMTP id JAA24819; Thu, 8 Jan 1998 09:15:59 -0700 (MST) Received: by zeus.atsi.com (SMI-8.6/SMI-SVR4) id JAA06461; Thu, 8 Jan 1998 09:20:22 -0700 Date: Thu, 8 Jan 1998 09:20:22 -0700 Message-Id: <199801081620.JAA06461@zeus.atsi.com> From: Bret Robinson To: firewalls@greatcircle.com Subject: SKIP question Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I have a question about SKIP that I hope someone can help me with. We are testing a set-up that will allow employees to access our internal network from home and also allow us to connect to partners' sites using SKIP. 
The two set-ups are shown below:

 Employee access          Partner site access
-----------------        ---------------------
    home-pc                 partner network
       |                          |
       |                          |
       |                          |
       |                          |
  SKIP firewall              SKIP firewall
       |                          |
       |                          |
       |                          |
       |                          |
 internal host(s)            SKIP firewall
                                  |
                                  |
                                  |
                                  |
                            internal host(s)

Access between both the home-pc and SKIP firewall/gateway and between the two SKIP firewall/gateways is across the local cable company's network (ie - Internet/untrusted network). The product(s) that we are testing is Sun's SKIP and their EFS software that runs on the SKIP firewall. We have also done the same test using just SKIP - without the EFS.

Connecting to an internal host from the PC (using SKIP for Win95) was working until the cable company reconfigured their routers. We are using an "unregistered" network address on our internal network and it turns out that packets being sent back to the PC have a source address of the internal machine. The routers are configured to drop any packets that *don't* have a source address of our DMZ.

Sooo, my question is does anyone know how to configure SKIP (or EFS) so that the packets going back to the PC through the SKIP firewall have the source address re-written with the address of the external interface of that machine. We did get this to work using EFS, but the PC doesn't seem to want to look inside that packet to find the *real* IP packet. Is there something that we need to configure on the PC to see the encrypted packet? Or is there something else missing in the config of the SKIP firewall?

Also, is the set-up we are trying to achieve with our business partners possible just using SKIP? It's probably possible with SKIP and EFS, but we don't want to have all our partners go out and buy a new Sparc and SKIP/EFS. We are hoping we can use Solaris x86 and SKIP for the SKIP firewalls/gateways.
The home-pc has been configured to use encryption between itself and the external interface of the SKIP gateway and also between itself and the internal network using the SKIP gateway as the "tunnel". The SKIP firewall/gateway is a Sparc Ultra running both SKIP and EFS. We are also testing using another gateway running Solaris x86 with just SKIP. Both are running Solaris 2.5.1. The local Sun SE's have not been able to resolve the question yet. They also tell me that SKIP encrypts the entire IP packet and puts it into another packet (as the data portion) regardless of whether the packet is going through a tunnel or not. Is this true? Any help would be *very* appreciated. Bret Robinson | Bret Robinson, Snr. System Admin \ Voice: +1-403-213-8413 | | Applied Terravision Systems, Inc. \ Fax: +1-403-264-2122 | | Calgary, Alberta Canada \ Web site: www.atsi.com | | BRobinson@atsi.com \ | | "Keep your stick on the ice" \___ o <- puck (for US viewers) | From firewalls-owner Thu Jan 8 17:32:03 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA04220; Thu, 8 Jan 1998 12:36:18 -0800 (PST) Received: from asd ([209.1.236.56]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id MAA04178 for ; Thu, 8 Jan 1998 12:36:05 -0800 (PST) Received: by shared1-mail.whowhere.com id <36926-251>; Thu, 8 Jan 1998 12:36:33 -0800 To: firewalls@greatcircle.com Date: Thu, 08 Jan 1998 12:36:27 -0700 From: "Simon K Ash" Message-ID: Mime-Version: 1.0 X-Sent-Mail: on X-Mailer: MailCity Service Subject: Proxy server to hide IP Add.. from your Firewall X-Sender-Ip: 203.98.17.26 Organization: Eudora Web-Mail (http://www.eudoramail.com) Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Question 1 Is it possible to use a proxy server (such a MS Proxy) inside Firewall-1, to hide a group of IP Addresses from Firewall-1. 
This would allow you to buy a 100 node licence and have it protecting 250 in reality, and greatly reduce the cost of Firewall-1. Can anyone see any problems with this concept? Join 18 million Eudora users by signing up for a free Eudora Web-Mail account at http://www.eudoramail.com From firewalls-owner Thu Jan 8 17:33:27 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA02019; Thu, 8 Jan 1998 12:22:35 -0800 (PST) Received: from hq.si.net (hq.si.net [192.156.192.10]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id MAA01945 for ; Thu, 8 Jan 1998 12:22:17 -0800 (PST) Received: from hq.si.net (hq [192.156.192.10]) by hq.si.net (8.8.5/8.7.3) with SMTP id PAA02713; Thu, 8 Jan 1998 15:24:22 -0500 (EST) Date: Thu, 8 Jan 1998 15:24:22 -0500 (EST) From: Ming Lu To: Ryan Russell cc: LOWPC@binariang.maxisnet.com.my, glasane@gdsconnect.com, firewalls@GreatCircle.COM, macgyver@tos.net Subject: Re: RE: Stateful Inspection Anyone? Explore your options. In-Reply-To: <88256585.005D9269.00@gwwest.sybase.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Wed, 7 Jan 1998, Ryan Russell wrote: > > I'm implying that 's a small possibility, at least as far as > my experience goes. The possibility of state table corruption > has been discussed as a potential problem, but since I've > been on the list, no one has mentioned that they've seen it happen. > > Whatever the chances are aside, I believe that the same problem > would exist for the TCP connection tables that the OS maintains that > proxies rely on. The code and data structures would be very similar > between the two (though, this is a guess on my part.. I haven't actually > written a SPF firewall or a TCP stack for an OS.) > > The problem of corrupt memory would likely affect any security software > in adverse ways. 
I don't know of any (with the possible exception of > virus scanners) that do any self-integritity checking. > > I mostly took exception because the guy making the statement appeared > to be doing so in order to make a sales pitch. > > Ryan I talked to him, he is nice guy, but also a salsman though. _ming From firewalls-owner Thu Jan 8 17:34:59 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA02761; Thu, 8 Jan 1998 12:26:16 -0800 (PST) Received: from hq.si.net (hq.si.net [192.156.192.10]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id MAA02687 for ; Thu, 8 Jan 1998 12:25:54 -0800 (PST) Received: from hq.si.net (hq [192.156.192.10]) by hq.si.net (8.8.5/8.7.3) with SMTP id PAA02734; Thu, 8 Jan 1998 15:27:53 -0500 (EST) Date: Thu, 8 Jan 1998 15:27:53 -0500 (EST) From: Ming Lu To: "Caldwell, Matt" cc: "'Bowers T (Thomas) at MSXSSC'" , "'firewalls@GreatCircle.COM'" Subject: RE: relative strengths of different encryption techniques In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk It is a damm good book! _ming On Thu, 8 Jan 1998, Caldwell, Matt wrote: > I suggest you get "Applied Cryptography" from Amazon or Such, it has a > reference section that has a chart to show the time relative to the > processor speed etc. > > Matthew F. 
Caldwell - Security Analyst > =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= > Visionary Corporate Computing Concepts (VC3) > Email: matt.caldwell@vc3.com > Company Web: http://www.vc3.com/ > Personal Web: http://www.vc3.com/~caldwm > Office Phone: 803-733-7333 > =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= > > >---------- > >From: Bowers T (Thomas) at MSXSSC[SMTP:TB186459@shellus.com] > >Sent: Wednesday, January 07, 1998 5:46 PM > >To: 'firewalls@greatcircle.com' > >Subject: relative strengths of different encyrption techniques > > > > > >I'm not a crpytologist but... > > > >I've been asked to estimate the time it takes to crack various > >encyrption > >techniques... > > > >Yes... I understand the more bits, the better... > > > > > >I understand that most reasonable people will deploy the best technique > >available... and so will we. That, however, doesn't alleviate me > >from > >trying to estimate how many days/months/years/light_years of compute > >cycles it will take for someone to crack the technique we select. > > > > > >Are there any references on the relative strengths of different > >encyrption > >techniques... > > > > > >Any help would be appreciated... > > > > > > > >T. 
Bowers > > > > > > > > > > > >Tom Bowers > >Network Engineering > >Shell Services Company > >PHONE: (1) 713-245-1269 > >FAX: (1) 713-245-1010 > >E-MAIL: tbowers@shellus.com > > > From firewalls-owner Thu Jan 8 17:39:23 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id QAA22569; Thu, 8 Jan 1998 16:31:15 -0800 (PST) Received: from abhiweb.com (idi-fk-gw.abhiweb.com [205.138.236.250]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id QAA22488 for ; Thu, 8 Jan 1998 16:30:50 -0800 (PST) Message-Id: <3.0.5.32.19980108163752.008d2360@bonn.abhiweb.com> X-Sender: byrd@bonn.abhiweb.com X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Thu, 08 Jan 1998 16:37:52 -0800 To: firewalls@GreatCircle.COM From: Bruce Byrd Subject: Re: NT Web proxy server In-Reply-To: <34b1435f0.1464@clbdev2.eh.pweh.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk You might want to consider the Fort Knox Firewall Device from Internet Devices. It's a proxy firewall (with transparent and authenticated proxy support), web cache, URL blocker, spam email filter, and more. It's a stand alone box and is mangaged with a web browser. Info, documentation, and pricing at: http://www.InternetDevices.com Regards, Bruce Byrd Internet Devices, Inc. At 03:32 PM 1/5/98 EST, BoB Miorelli wrote: >Hi -- > >I'm looking for a Web proxy server that does caching for >my kid's school (K-8). The computer lab is networked >to a server which would run the proxy. The server >is a Pentium running NT 4.0. I'm looking for >recommendations on proxy server software from anyone >that is running it on NT 4.0 using a dialup-on-demand >type of setup. The only proxy servers for NT that >I am aware of are Microsoft and Netscape, but I'm >sure there are others. > >Any and all comments are welcome. > >Thanks. 
> >-->BoB > > >-->BoB Miorelli, Pratt & Whitney >miorelli@pweh.com >~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >In theory, theory and practice are the same; >in practice they are distinct. > > From firewalls-owner Thu Jan 8 18:18:21 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id QAA18354; Thu, 8 Jan 1998 16:11:25 -0800 (PST) Received: from kanga.ichr.uwa.edu.au (kanga.ichr.uwa.edu.au [130.95.224.4]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id QAA18314 for ; Thu, 8 Jan 1998 16:11:11 -0800 (PST) References: TVWTICHR, Company Limited by Guarantee, ACN 009 278 755 Received: from roo (www2 [130.95.224.12]) by kanga.ichr.uwa.edu.au (8.8.7/8.8.7) with SMTP id IAA27367 for ; Fri, 9 Jan 1998 08:11:53 +0800 (WST) Message-Id: <199801090011.IAA27367@kanga.ichr.uwa.edu.au> Date: Fri, 9 Jan 1998 08:11:53 +0800 (WST) From: John Gibbins Reply-To: John Gibbins Subject: Re: FW-1 3.0 and Solaris 2.6 ok? To: firewalls@GreatCircle.COM MIME-Version: 1.0 Content-Type: TEXT/plain; charset=us-ascii Content-MD5: Jzn7vvF9J+ZmQL2LWqOwXA== X-Mailer: dtmail 1.2.0 CDE Version 1.2 SunOS 5.6 sun4m sparc Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Feroz Khan - VCS said: > > There seems to be some confusion with regards to Solaris 2.6 and FW-1. Here > is what I have tested: > > Checkpoint: Works with 3.0b or greater. > > Solstice: Must be installed on 2.5.1 first. One of the following patches > must then be installed: > Non-VPN - 105477 > VPN-FWZ - 105478 > VPN-DES - 105474 > At this point, you can do an OS upgrade to Solaris 2.6. > > Hope this helps, > Feroz I'm not sure what the supported position is, but I did an initial install of Sol2.6 (no patches) and installed 3.0b directly on top. I have had no problems with it. I received an updated copy of fwmod.5.x.o with 3.0b which I copied in after installing fw1. We don't have the encryption option (I doubt this makes any difference, but just in case). 
Having to install one O/S and then upgrade seems a bit messy. I might also note that I successfully tried 3.0b on a Solaris 2.4 machine without problems. I am told that this is not a supported platform, so maybe I don't push the system very hard :-) regards johng -- John Gibbins TVW Telethon Institute The University of Western Australia for Child Health Research email: johng@ichr.uwa.edu.au PO Box 855 ,-_|\ Phone: +61-8-93408547 WEST PERTH W.A. 6872 / \ Fax: +61-8-93883414 AUSTRALIA *_,-._/ A crank is a little thing that makes revolutions - Henry George v From firewalls-owner Thu Jan 8 18:32:44 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id QAA20717; Thu, 8 Jan 1998 16:21:50 -0800 (PST) Received: from spiffy.paradigmsim.com (spiffy.paradigmsim.com [206.7.114.3]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id QAA20675 for ; Thu, 8 Jan 1998 16:21:38 -0800 (PST) Received: from kennyspc.paradigmsim.com by spiffy.paradigmsim.com via SMTP (940816.SGI.8.6.9/940406.SGI.AUTO) id SAA04147; Thu, 8 Jan 1998 18:12:40 -0600 Received: by kennyspc.paradigmsim.com with Microsoft Mail id <01BD1C62.69320360@kennyspc.paradigmsim.com>; Thu, 8 Jan 1998 18:22:43 -0600 Message-ID: <01BD1C62.69320360@kennyspc.paradigmsim.com> From: Ken Atkinson To: Bob Bryant , "'phoenix@clark.net'" Cc: "rmckosky@gte.com" , "enorris@gte.com" , "djuitt@gte.com" , "ccarroll@gte.com" , Jyri Kaljundi , "Firewalls@GreatCircle.COM" Subject: RE: ctia hotel confirmations Date: Thu, 8 Jan 1998 18:22:42 -0600 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk what a dumbass. ---------- From: phoenix@clark.net[SMTP:phoenix@clark.net] Sent: Thursday, January 08, 1998 7:35 AM To: Bob Bryant Cc: rmckosky@gte.com; enorris@gte.com; djuitt@gte.com; ccarroll@gte.com; Jyri Kaljundi; Firewalls@GreatCircle.COM Subject: Re: ctia hotel confirmations Umm... 
good thing we're all friends here. This information has serious practical joke value. ;) I wonder how many cancellations The Salt Lake City Hilton will receive... On Wed, 7 Jan 1998, Bob Bryant wrote: > I have confirmed with the Salt Lake City Hilton that the following hotel > reservations have been made. > name dates confirmation # > R stanley 13-16 832781 > C Carroll 13-16 832780 > R McKosky 12-16 832816 > Djuitt 13-16 831992 > R Bryant 12-16 832815 > E Norris 12-16 831991 > I did this so we would not get the "Mary and Joseph" response in the lobby. > > ******************************************************************************* > Robert Bryant email rhb1@gte.com > Member Technical Staff Fax 617-466-2838 > Secure Systems Department > GTE Laboratories office ph 617-466-2821 > 40 Sylvan Rd MS/55 Cell ph 617-733-7757 > Waltham, MA 02254 > **************************************************************************** > *** Trees:2 Skiers:0 From firewalls-owner Thu Jan 8 19:01:38 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id RAA00318; Thu, 8 Jan 1998 17:04:42 -0800 (PST) Received: from ns.ISPNSP.NET (ns.ispnsp.net [207.112.214.1]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id RAA00291 for ; Thu, 8 Jan 1998 17:04:33 -0800 (PST) Received: from ispnsp.net by ns.ISPNSP.NET (SMI-8.6/SMI-SVR4) id TAA17082; Thu, 8 Jan 1998 19:14:09 -0600 Message-ID: <34B52294.50219B8@ispnsp.net> Date: Thu, 08 Jan 1998 19:01:40 +0000 From: hostmaster Organization: ISPNSP.NET X-Mailer: Mozilla 4.04 [en] (WinNT; I) MIME-Version: 1.0 To: firewalls@greatcircle.com Subject: Re: usubscribe firewalls References: <199712090603.WAA16035@honor.greatcircle.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > usubscribe firewalls From firewalls-owner Thu Jan 8 19:19:19 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) 
id NAA18733; Thu, 8 Jan 1998 13:47:50 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id NAA18653 for ; Thu, 8 Jan 1998 13:47:35 -0800 (PST) Received: from hotmail.com by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id NAA15246; Thu, 8 Jan 1998 13:46:38 -0800 (PST) Received: (qmail 23288 invoked by uid 0); 8 Jan 1998 21:47:20 -0000 Message-ID: <19980108214720.23287.qmail@hotmail.com> Received: from 206.66.180.230 by www.hotmail.com with HTTP; Thu, 08 Jan 1998 13:47:20 PST X-Originating-IP: [206.66.180.230] From: "conor coghlan" To: firewalls@GreatCircle.COM Subject: fw v router Content-Type: text/plain Date: Thu, 08 Jan 1998 13:47:20 PST Sender: firewalls-owner@GreatCircle.COM Precedence: bulk what are some of the advantages and disadvantages of using a firewall vs a router to secure an internal portion of your network that may not be secure? when is a router sufficient? why would you need more than a router. 
thanks in advance ______________________________________________________ Get Your Private, Free Email at http://www.hotmail.com From firewalls-owner Thu Jan 8 20:10:30 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id RAA01362; Thu, 8 Jan 1998 17:09:24 -0800 (PST) Received: from mail.diginsite.com (mail.diginsite.com [208.2.189.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id RAA01319 for ; Thu, 8 Jan 1998 17:09:12 -0800 (PST) Received: from localhost (dlang@localhost) by mail.diginsite.com (8.8.8/8.8.6) with SMTP id RAA20298; Thu, 8 Jan 1998 17:58:43 -0800 Date: Thu, 8 Jan 1998 17:58:43 -0800 (PST) From: David Lang To: Christian Reiser cc: chad@rumor.net, andre.van.der.lans@inet.unisource.nl, rkizer@guten.sddpc.org, firewalls@GreatCircle.COM Subject: Re: Firewall for ISP In-Reply-To: <199801081604.RAA01030@vindobona.intern.austria.eu.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk as you need a different line for each source/destination/service combination it can add up quickly. Case in point (from an internal firewall implementation with the PIX) 10 source machines 10 destinations 6 services telnet, ftp, dns, mail, web, ssl 600 lines (assuming you are needing to let them in from the "outside") David Lang On Thu, 8 Jan 1998, Christian Reiser wrote: > > >> Another issue is that the GUI quits working when the > >> configuration file has more than 400 entries. > > > >OK, you have a point. Sounds like a bug. Report it to Cisco if you want. > >I looked at the "GUI" (web based) after it had been here for a while. It > >was functional. But command line is much faster and more intuitive for > >*me*. Others may care, do your part and report the bug. > > Sorry, but there is one point I don't understand. What do you need a > config-file for, that has more than 400 entries? I wouldn't understand it any > more. 
> > I installed 3 PIX in the last month for customers having about 50 lines each > (including all the default staff). For ordinary installations you don't need > more than that. > > Here in our office I run a slightly more complicated configuration with 74 > lines, but I can't imagine a configuration with more than 100 lines. > > BTW, I also prefer the command line interface. > > Greetings from Vienna/Austria > mfg > CR > > -- > Christian Reiser (EUnet Austria) e-mail: C.Reiser@Austria.EU.net > Tel: +431 899 33-0 http://www.Austria.EU.net/ > Fax: +431 899 33-533 CR86-RIPE priv: C.Reiser@ieee.org > To get my PGP-Key send e-mail with Subject: Query PGP Key > From firewalls-owner Thu Jan 8 20:16:19 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id SAA22981; Thu, 8 Jan 1998 18:51:10 -0800 (PST) Received: from i-2000.com (i-2000.com [204.97.92.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id SAA22815 for ; Thu, 8 Jan 1998 18:50:17 -0800 (PST) From: edpaudit@i-2000.com Received: from [206.231.224.246] (edpaudit.dh.i-2000.com [206.231.224.246]) by i-2000.com (8.8.8/8.7) with SMTP id VAA22878 for ; Thu, 8 Jan 1998 21:51:00 -0500 (EST) Date: Thu, 8 Jan 1998 21:51:00 -0500 (EST) Message-Id: <199801090251.VAA22878@i-2000.com> MIME-Version: 1.0 Content-Type: text/plain Content-Transfer-Encoding: 7bit Subject: Firewall Audit Tools To: Firewalls@GreatCircle.COM X-Mailer: SPRY Mail Version: 04.10.06.22 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk There are tools that can be used for auditing and reviewing Internet security at an outfit called ISS. 
I think their Web site is www.iss.com Jeffrey Loewenstein edpaudit@i-2000.com From firewalls-owner Thu Jan 8 20:43:57 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id TAA28032; Thu, 8 Jan 1998 19:15:21 -0800 (PST) Received: from fw.itm-inst.com ([206.239.41.100]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id SAA22862 for ; Thu, 8 Jan 1998 18:50:26 -0800 (PST) Received: by fw.itm-inst.com; id VAA18070; Thu, 8 Jan 1998 21:50:18 -0500 (EST) Received: from unknown(10.0.3.121) by fw.itm-inst.com via smap (2.0) id xma018062; Thu, 8 Jan 98 21:49:58 -0500 Message-Id: <3.0.3.32.19980108214702.006d5964@fw.itm-inst.com> X-Sender: rmurphy@fw.itm-inst.com X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Thu, 08 Jan 1998 21:47:02 -0500 To: Oliver Lau From: Rick Murphy Subject: Re: Re[2]: Stateful Inspection Anyone? Explore your options. Cc: In-Reply-To: <34B358B255.B791.lau@skp.de> References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 09:28 AM 1/7/98 +0100, Oliver Lau wrote: >You surely haven't had a look inside stateful inspection firewalls, have >you? You have to distinguish between two possibilities on how tables >can become corrupt: > > 1.) accidentally deleted entries > 2.) forged entries You forgot at least one other reason: - You neglected to disable IP forwarding. Before the firewall starts to inspect, you're wide open. Yeah, it's a "user configuration error". Unfortunately, that's the way the OS works by default. 
-Rick From firewalls-owner Thu Jan 8 20:46:15 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id SAA23814; Thu, 8 Jan 1998 18:55:10 -0800 (PST) Received: from abhiweb.com (idi-fk-gw.abhiweb.com [205.138.236.250]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id SAA23766 for ; Thu, 8 Jan 1998 18:54:56 -0800 (PST) Message-Id: <3.0.5.32.19980108190146.00abb8d0@bonn.abhiweb.com> X-Sender: byrd@bonn.abhiweb.com X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Thu, 08 Jan 1998 19:01:46 -0800 To: "James Lau" , firewalls@GreatCircle.COM From: Bruce Byrd Subject: Re: Content filtering Cc: hotmail!jlau@uunet.uu.net In-Reply-To: <199801072257.OAA11676@f85.hotmail.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Check out the Fort Knox Firewall Device from Internet Devices. It has transparent HTTP, SMTP, and FTP proxies which don't require client reconfiguration. Web site filtering can be done with individually defined filters or through a URL blocking feature using a list licensed from Cyber Patrol. SMTP filtering criteria can be To/From/Size/MIME type. http://www.InternetDevices.com Regards, Bruce Byrd Internet Devices, Inc. At 02:57 PM 1/7/98 PST, James Lau wrote: >Hello all, > >This may be a little bit off topic but please bear with me or >point me to the right mailing list. > >I'm looking for a solution to filter the contents of web traffic, >ftp files and email. I know this is not totally firewall related >but there are a few firewall products that can do that. (That's why I >ask.) Unfortunately most (maybe all) of them use a proxy which >requires changes of configuration which we cannot force my users >to do. Is there any solution out there which doesn't require >changing of configuration? Or is the proxy the only solution? >Any ideas? > >Thanks in advance. 
>James > >______________________________________________________ >Get Your Private, Free Email at http://www.hotmail.com > > From firewalls-owner Thu Jan 8 21:22:43 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id TAA05032; Thu, 8 Jan 1998 19:42:11 -0800 (PST) Received: from nm.cnnic.net.cn (nm.cnnic.net.cn [159.226.1.8]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id TAA04958 for ; Thu, 8 Jan 1998 19:41:56 -0800 (PST) From: guard@cnnic.net.cn Received: from cnnic.net.cn (localhost [127.0.0.1]) by nm.cnnic.net.cn (950413.SGI.8.6.12/950213.SGI.AUTOCF) via ESMTP id LAA03191 for ; Fri, 9 Jan 1998 11:46:02 -0800 Message-ID: <34B67E79.9D027911@cnnic.net.cn> Date: Fri, 09 Jan 1998 11:46:01 -0800 X-Mailer: Mozilla 4.02 [en] (X11; I; IRIX64 6.2 IP28) MIME-Version: 1.0 To: firewalls@GreatCircle.COM Subject: Stateful inspection Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello everybody, I am expecting some further information about Stateful inspection. I mean its theory and practice, and if possible its implementation mechanism. I first heard of this technique from Checkpoint. Can anyone tell me that or good referral sites? Thanks a lot. 
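Rick Murphy's point earlier in this archive, that a host left with IP forwarding enabled passes packets before the firewall starts to inspect, can be checked against a host's boot-time configuration. The following is an added example, not code from any poster or vendor: it assumes a Linux gateway and Linux sysctl key names (the thread names no operating system), goes beyond that message by also checking source-route acceptance, and runs on a constructed sample configuration.

```python
import re

# Constructed sample in sysctl.conf syntax; not taken from any real host.
SAMPLE_SYSCTL_CONF = """\
# gateway defaults
net.ipv4.ip_forward = 0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.eth1.accept_source_route = 1
net.ipv4.conf.eth0.forwarding = 0
; a later line overrides the earlier one
net.ipv4.ip_forward = 1
"""

_ASSIGN = re.compile(r"^([A-Za-z0-9_./-]+)\s*=\s*(\S+)$")
# Global and per-interface IPv4 forwarding switches (Linux names, assumed).
_FORWARD = re.compile(r"^net\.ipv4\.(ip_forward|conf\.[^.]+\.forwarding)$")
# Per-interface acceptance of loose/strict source-routed packets.
_SRC_ROUTE = re.compile(r"^net\.ipv4\.conf\.[^.]+\.accept_source_route$")


def parse_sysctl(text):
    """Return {key: value}; a later assignment replaces an earlier one,
    which is how the file is applied at boot."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        match = _ASSIGN.match(line)
        if match:
            settings[match.group(1)] = match.group(2)
    return settings


def is_enabled(value):
    """Treat any non-zero or unparseable value as enabled, so that a
    malformed entry is reported instead of silently passing."""
    try:
        return int(value) != 0
    except ValueError:
        return True


def audit_boot_config(text):
    """List (key, reason) pairs for settings that let the kernel route
    packets independently of the firewall software."""
    findings = []
    for key, value in sorted(parse_sysctl(text).items()):
        if not is_enabled(value):
            continue
        if _FORWARD.match(key):
            findings.append(
                (key, "forwarding is on from boot, before any filter policy loads"))
        elif _SRC_ROUTE.match(key):
            findings.append((key, "source-routed packets are accepted"))
    return findings


if __name__ == "__main__":
    for key, reason in audit_boot_config(SAMPLE_SYSCTL_CONF):
        print(f"{key}: {reason}")
```

A clean result here only covers the boot-time file; the running values under /proc/sys can differ and need the same check.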
From firewalls-owner Thu Jan 8 21:29:18 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA24330; Thu, 8 Jan 1998 11:40:12 -0800 (PST) Received: from send1a.yahoomail.com (send1a.yahoomail.com [205.180.60.22]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id LAA24302 for ; Thu, 8 Jan 1998 11:40:05 -0800 (PST) Message-ID: <19980108194024.28438.rocketmail@send1a.yahoomail.com> Received: from [158.107.48.99] by send1a; Thu, 08 Jan 1998 11:40:24 PST Date: Thu, 8 Jan 1998 11:40:24 -0800 (PST) From: Spyke Subject: Firewall Security in a Microsoft World To: firewalls-digest@greatcircle.com MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I have a few questions that I hope that the group can answer to some degree for a Windows NT 4.0 setup: 1) Microsoft Proxy 2.0 is very easy to administer. To allow services that aren't already proxied (HTTP/SHTTP/FTP) administrators have simply allowed the installation of Winsock on client computers and allowed the traffic through the Winsock proxy. An example would be AOL, POP, or a proprietary protocol that you initiate through a specific port, but subsequent connections can't be tied to a specific return port. What known risks are being taken on by freely allowing these Winsock services through the Winsock proxy? After all, it *is* a proxy. 2) Microsoft Proxy 2.0 recommends that the server service be unbound from the Internet NIC. For easy administration, administrators still allow the server service to be bound to the *internal* NIC. (Remote administration of IIS, disk volumes, remote backup, etc.) Are there any risks with this implementation? Your answers would be appreciated. I'm curious what technical security reasons would cause these configurations to be insecure. Please, simply stating that because it is a proprietary Microsoft product, thus insecure, doesn't really help anyone. Thank you! 
_________________________________________________________ DO YOU YAHOO!? Get your free @yahoo.com address at http://mail.yahoo.com From firewalls-owner Thu Jan 8 21:41:17 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id VAA23156; Thu, 8 Jan 1998 21:10:02 -0800 (PST) Received: from alcove.wittsend.com (alcove.wittsend.com [130.205.0.20]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id VAA22914 for ; Thu, 8 Jan 1998 21:09:01 -0800 (PST) Received: (from mhw@localhost) by alcove.wittsend.com (8.8.7/8.8.7) id XAA11337; Thu, 8 Jan 1998 23:55:02 -0500 From: "Michael H. Warfield" Message-Id: <199801090455.XAA11337@alcove.wittsend.com> Subject: Re: Re[2]: Stateful Inspection Anyone? Explore your options. In-Reply-To: <3.0.3.32.19980108214702.006d5964@fw.itm-inst.com> from Rick Murphy at "Jan 8, 98 09:47:02 pm" To: rmurphy@itm-inst.com (Rick Murphy) Date: Thu, 8 Jan 1998 23:55:01 -0500 (EST) Cc: lau@skp.de, firewalls@GreatCircle.COM X-Mailer: ELM [version 2.4ME+ PL33 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Rick Murphy enscribed thusly: > At 09:28 AM 1/7/98 +0100, Oliver Lau wrote: > >You surely haven't had a look inside stateful inspection firewalls, have > >you? You have to distinguish between two possibilities on how tables > >can become corrupt: > > > > 1.) accidentally deleted entries > > 2.) forged entries > You forgot at least one other reason: > - You neglected to disable IP forwarding. Before the firewall starts > to inspect, you're wide open. > Yeah, it's a "user configuration error". Unfortunately, that's the > way the OS works by default. > -Rick Gee Wiz! I'll bet if you forget to disable IP forwarding on a Proxy firewall, that firewall will be real useful too! 
Or how about proxy firewalls that you THINK are safe and have no IP forwarding enabled, but you neglect to make sure it is also incapable of source routing? I know of at least one common OS that has source routing enabled in its TCP/IP stack with no way to disable it (short of replacing the stack with another vendor's). Mike -- Michael H. Warfield | (770) 985-6132 | mhw@WittsEnd.com (The Mad Wizard) | (770) 925-8248 | http://www.wittsend.com/mhw/ NIC whois: MHW9 | An optimist believes we live in the best of all PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it! From firewalls-owner Thu Jan 8 22:02:03 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id VAA01266; Thu, 8 Jan 1998 21:45:38 -0800 (PST) Received: from mail.secureservers.net (geek-gw.ptw.com [207.212.186.129]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id VAA29287 for ; Thu, 8 Jan 1998 21:36:56 -0800 (PST) Received: (qmail 30017 invoked from network); 9 Jan 1998 05:58:31 -0000 Received: from localhost (bextreme@127.0.0.1) by localhost with SMTP; 9 Jan 1998 05:58:31 -0000 Date: Thu, 8 Jan 1998 21:58:29 -0800 (PST) From: Jesse Brown X-Sender: bextreme@geek-gw.ptw.com To: firewalls@greatcircle.com Subject: HTTP/POP3/SMTP Proxies? Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello, I was wondering if anyone had any recommendations for free proxy software that will run on x86 Linux that can either proxy HTTP, POP3, SMTP, etc, or just a general proxy that will allow me to redirect a connection like http. 
-J -- Jesse Brown - bextreme@pobox.com From firewalls-owner Thu Jan 8 22:07:49 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA22234; Thu, 8 Jan 1998 11:27:09 -0800 (PST) Received: from mail.diginsite.com (mail.diginsite.com [208.2.189.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id JAA23367 for ; Thu, 8 Jan 1998 09:23:23 -0800 (PST) Received: from localhost (dlang@localhost) by mail.diginsite.com (8.8.8/8.8.6) with SMTP id KAA05674; Thu, 8 Jan 1998 10:14:10 -0800 Date: Thu, 8 Jan 1998 10:14:10 -0800 (PST) From: David Lang To: MacGyver cc: Peter da Silva , Steve Kruse , firewalls@GreatCircle.COM Subject: Re: E-mail Encryption In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk PGP 5. allows you to use the RSA keys. If you do it is compatible with the 2.6 version, however if you use the default settings you cannot inter-operate with the RSA encryption. David Lang On Wed, 7 Jan 1998, MacGyver wrote: > -----BEGIN PGP SIGNED MESSAGE----- > > At 04:27 PM 1/7/98 -0600, Peter da Silva wrote: > >> I think it might have been mentioned on here, but there is a $5.00 > >> "up-downgrade" that lets you use the RSA which IS compatible with PGP 2.x. > >> Check the PGP website for info. > > > >And if I'm not running Windoze? > > > > If you're not running on a Mac or Win95/98, you can grab PGP 4.x. > It fully supports RSA, as does