From firewalls-owner Thu Jan 1 00:29:31 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id AAA27144; Thu, 1 Jan 1998 00:27:03 -0800 (PST) Received: from wizard.abirnet.co.il (wizard.abirnet.co.il [194.90.211.10]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id AAA27137 for ; Thu, 1 Jan 1998 00:26:54 -0800 (PST) Received: from hagit1.abirnet.co.il (hagit1.abirnet.co.il [194.90.211.84]) by wizard.abirnet.co.il (8.8.5/8.8.5) with SMTP id KAA05797; Thu, 1 Jan 1998 10:29:37 +0200 From: "Hagit" To: , "Paul Alukal" Subject: Re: Intrusion Detection - Switched Network Date: Thu, 1 Jan 1998 10:34:28 +0200 Message-ID: <01bd1690$12fb4240$54d35ac2@hagit1.abirnet.co.il> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.71.1712.3 X-MimeOLE: Produced By Microsoft MimeOLE V4.71.1712.3 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk SessionWall-3 is an Intrusion Detection System that works in a switched network environment. >The question is this. If the network is fully switched, how effective >is any intrusion detection system (without using an shared hub)? By >switched network, I mean each network device is connected directly to >a port on a switch. The switch technology gives each port a different >virtual circuit through the switch (unlike a shared hub), that even >makes sniffing difficult (or impossible). > Even when working in a switched network IP addresses can be spoofed, machines can get SYN flooded, or attacked in many other ways. working in switched environment does not mean being protected from intrusions. >Some thoughts are to place the intrusion detection system near a choke >point (like a firewall), but this will still need some shared hub. >Installing any intrusion detection system on a firewall itself is out >of question (due to complexity). > What we begin to see today, is IDS shaking hands with routers and firewalls, where the IDS could control the firewall or the router, OPSEC for controlling firewall-1 is a good example for that trend. >Assuming the network will have ATM backbone with different VLAN's in >the network, we can think of an intrusion detection system with >multiple interfaces to each VLAN, still if the network is switched, how >effective will be the intrusion detection? > Plug the IDS into the monitoring port of the switched hub, it should be effective enough. What can cause the IDS to be less effective is the load on the netwrok, if the network is highly loaded, IDS which monitors each packet going on the net, can miss some of the traffic. In SessionWall-3, you can exclude services to reduce the system load and remain effective even in high utilized environments. >Is there any commercial (or other) system which is capable of doing a >true intrusion detection in these kind of situations? > >Thanks in advance for any comments or suggestions. > >Paul Alukal Try SessionWall-3, it is preconfigured to work in the monitoring port of a switched hub. You can download a test drive at http://www.abirnet.com Hagit Oron AbirNet -------------------------------------------------------------------------- AbirNet provides the next generation in Internet and Intranet Protection Get an EVALUATION COPY at --------------------------------------------------------------------------- From firewalls-owner Thu Jan 1 02:29:36 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA09704; Thu, 1 Jan 1998 02:06:06 -0800 (PST) Received: from wizard.abirnet.co.il (wizard.abirnet.co.il [194.90.211.10]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id CAA09649 for ; Thu, 1 Jan 1998 02:05:10 -0800 (PST) Received: from hagit1.abirnet.co.il (hagit1.abirnet.co.il [194.90.211.84]) by wizard.abirnet.co.il (8.8.5/8.8.5) with SMTP id MAA09121; Thu, 1 Jan 1998 12:07:42 +0200 From: "Hagit" To: , "Lars Bertelsen" Subject: Re: Intrusion Detection - Question. Date: Thu, 1 Jan 1998 12:12:34 +0200 Message-ID: <01bd169d$c72af640$54d35ac2@hagit1.abirnet.co.il> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.71.1712.3 X-MimeOLE: Produced By Microsoft MimeOLE V4.71.1712.3 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Wed 31 Dec 1997 you Wrote: >Now I think I'm definitely missing something here! > >When we are talking about intrusion detection in this context, what is it >that people mean? >I can think of several things, but it seems to me that this is a well >established set of meanings of which I seem to be unaware. God how I hate >that! :-) The term IDS is used to describe a machine that monitors the traffic on the network looking for known signatures of what might be attack on one or more of the devices (Servers, stations, routers etc). > >Another question springs to mind: While I can easily see the problems >discussed in accessing packet information in a switched environment, and >while I fully understand it's implications from the point of view of >network troubleshooting, I'm not shure I understand why it has to be a >problem from a security point of view. > Working in switched environment does not mean protecting the network from intruders. Since IDS work by monitoring all network traffic, it is impossible for such a system to work in a switched environment, unless of course it is plugged in the promiscious port of the switch. >>From what I have read I assume that we are talking about some sort of >sniffing on the network, looking for specific sorts of traffic that >shouldn't be there (or should but isn't!). > >As i see it, intrusion from a practical point of view means that you have >one or more connections to the world. >It would also seem to me that you would have to have one or more servers >worth protecting. > Why just servers? Wouldn't you like to know if someone is WinNuking workstations? Wouldn't you like to know if someone is trying to Land attack your Cicso router? Some Intrusion detection systems can detect Malicious HTML signatures, wouldn't you like to know which user just downloaded (or recived email) containing such a signature? >Now I can't help thinking that the simple approach would be to do the >sniffing at the connection to the world, either by means of monitoring that >specific port in the switch or if that is not possible then by simply >attaching a small hub to the port and plugging the sniffer and the router >into that hub. You can plug Intrusion detetction system in some vulenrable locations in the network, the segment that opens the network to the outside world is certainly one of them. >Assuming that intrusion means intrusion from the outside, I can't see other >than that any unwanted traffic would have to come this way! > >Now we might want to take this one step further and protect ourselves >against "inside intrusion" too; people actually sitting on the internal net >and doing things they shouldn't, either from actual machines on the network >or through unathorized backdoors (I still remember the number of users who >got hopping mad when we switched to digital phones and they couldn't user >their PC card modems any more! :-) ) All recent surveys about intrusion detection indicate that most of the intrusions come from users inside the network. Plugging an Intrusion Detection System in every segment of the network is a good protection. > >Again it would seem to me to be a question of identifying the danger points >and do the monitoring there. >Aggreed, this is more complicated than just sniffing everything on a >non-switched network, and if there are many servers it might be a fairly >big job to set up. But I can't see why it would be anything that couldn't >be solved with the technologies that we already have at our disposals. > Can you expand here, to what technologies do you refer? Cheers Hagit -------------------------------------------------------------------------- AbirNet provides the next generation in Internet and Intranet Protection Get an EVALUATION COPY at --------------------------------------------------------------------------- From firewalls-owner Thu Jan 1 04:44:31 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id EAA19489; Thu, 1 Jan 1998 04:34:01 -0800 (PST) Received: from mtigwc03.worldnet.att.net (mtigwc03.worldnet.att.net [204.127.131.34]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id EAA19472 for ; Thu, 1 Jan 1998 04:33:52 -0800 (PST) From: mht@clark.net Received: from highlander ([12.68.178.24]) by mtigwc03.worldnet.att.net (post.office MTA v2.0 0613 ) with SMTP id AAB1182; Thu, 1 Jan 1998 12:36:36 +0000 Message-Id: <3.0.3.32.19980101073410.00860d50@pop3.clark.net> X-Sender: mht@pop3.clark.net X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Thu, 01 Jan 1998 07:34:10 -0500 To: Frank Willoughby , James Terry Subject: Re: firewall audit service referral -reply Cc: firewalls@GreatCircle.COM In-Reply-To: <3.0.3.32.19971231220823.007cc220@in.net> References: <34AA9991.62140279@imx-exchange.com> <418996AD2954D11180860000E8D5C667018538@ns.rc.on.ca> <3488EB31.B5D806F6@gnss.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >>could anyone recommend a good firewall testing service? >> >>thanks, >>james@imx-exchange.com > >It depends on what you are looking for. > >Fortified Networks does firewall testing for customers (corporations, >governments, etc). > >FNITL is an independent test laboratory for testing firewalls & other >InfoSec products. >The most frequent testing performed are Quality Assurance Tests of Internet >Firewalls >& other InfoSec products - primarily for vendors, etc. This is just one of many companies that perform these kind of services. > >CAUTION: >Beware of any organizations which will perform a remote firewall >penetration test. >This is an inherently dangerous practice which has the potential of leading >hackers >to their next victims. There are several big N-1 firms that do the above for a large fee plus they offer other services as well.. As Frank states in his CAUTION message, be aware of any big N-1 firm that state they have expert resources inhouse. When inquiring to companies to perform the remote firewall penetration test, ask them about their methodology, their deliverables and the risk analysis before they conduct a test. /mht > >Best Regards, > > >Frank >The opinions of the author of this mail may not necessarily be >representative of the opinions of Fortifed Networks, Inc. > >Fortified Networks, Inc. - http://www.fortified.com/ >Home of the Free Internet Firewall Evaluation Checklist >Expert (vendor-neutral) Computer and Network Security Solutions >Phone: (317) 573-0800 Fax: (317) 573-0817 > > ------------------------------------------------------ "GREETINGS PROFESSOR FALKEN." "SHALL WE PLAY A GAME??" ------------------------------------------------------ From firewalls-owner Thu Jan 1 09:29:36 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA02557; Thu, 1 Jan 1998 09:16:57 -0800 (PST) Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id JAA02549 for ; Thu, 1 Jan 1998 09:16:48 -0800 (PST) Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id MAA03330; Thu, 1 Jan 1998 12:14:25 -0500 (EST) From: Adam Shostack Message-Id: <199801011714.MAA03330@homeport.org> Subject: Re: off topic: ssl setup on web server - now browser crypto strength In-Reply-To: <199801010150.MAA14312@gate.quick.com.au> from "Simon J. Gerraty" at "Jan 1, 98 12:50:07 pm" To: sjg@quick.com.au (Simon J. Gerraty) Date: Thu, 1 Jan 1998 12:14:25 -0500 (EST) Cc: firewalls@greatcircle.com (Firewalls mailing list) X-Mailer: ELM [version 2.4ME+ PL27 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Simon J. Gerraty wrote: | Yes I had a lok at it and it works very well. I had no trouble setting up | 128bit sessions to an apache server. Problem is that whether the author | wrote this thing outside the U.S. or not, he chose a U.S. based site? as | home for it :-) so we are back to all the shadows of ITAR. I use it as well. Easier than filling out the form on Netscape's web pages. :) Someone else pointed out that only the READMEs sit in the US. | The other problem with something like fortify is that it may provoke the U.S. | govt into revoking export of all versions of netscape etc. Worrying about this is giving in to that most pernicious of policemen, the policeman within. One can spend months worrying about all the implications of having anything at all American involved in writing crypto, leading to not writing crypto code at all. If Uncle Sam wants to try to tell Netscape and Microsoft that they can't even export weak crypto, then there will be enough money involved to demonstrate that the law is an ass and in violation of the 1st Ammendment to our Constitution. Incidentally, John Gilmore has recently put up for FTP without restriction an authenticating DNS server in source form, including RSAREF. See Risks 19.51 or .52 for details. The government is free to respond, but has to explain its actions. Adam | Like I said, a non-U.S. origin web browser is the best solution... :-) | (Oh, and I don't see that happening anytime soon :-) | | --sjg | -- "Remember, the holiday I'm currently celebrating has nothing to do with love, and everything to do with a guerilla war against an invading hegemony." - NJM From firewalls-owner Thu Jan 1 11:29:28 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA10168; Thu, 1 Jan 1998 11:28:32 -0800 (PST) Received: from dns1.enterprise.net (dns1.enterprise.net [194.72.192.3]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id LAA10161 for ; Thu, 1 Jan 1998 11:28:24 -0800 (PST) Received: from ppp387.enterprise.net (ppp220.enterprise.net [194.72.195.220]) by dns1.enterprise.net (8.8.5/8.8.5) with SMTP id TAA05298 for ; Thu, 1 Jan 1998 19:27:46 GMT Received: by ppp387.enterprise.net with Microsoft Mail id <01BD16EB.19432B80@ppp387.enterprise.net>; Thu, 1 Jan 1998 19:26:03 -0500 Message-ID: <01BD16EB.19432B80@ppp387.enterprise.net> From: Gadbois To: "'firewalls@greatcircle.com'" Subject: Firewall Security Advisory Date: Thu, 1 Jan 1998 19:25:07 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Forwarding this advisory I received on the Checkpoint FW-1 in case you haven't seen it. Take care. Brian > Original Message Follows >WE HAVE RECEIVED INFORMATION CONCERNING A SECURITY PROBLEM >PRESENT IN CHECKPOINT'S FIREWALL-1 WHICH ALLOWS UNAUTHORIZED USERS TO >ACCESS THE SNMP DAEMON RUNNING ON THE FIREWALL. THIS ALLOWS OUTSIDERS > TO OBTAIN INTERNAL AND CONFIDENTIAL INFORMATION ABOUT THE INSTALLATION AND >OPERATION OF THE FIREWALL AND THE NETWORK WHICH IT PROTECTS, WITHOUT >BEING TRACED. THE FOLLOWING ADVISORY IS A RETRANSMISSION OF A SECURE >NETWORKS INC. ADVISORY PUBLISHED ON 9 DEC 97. >[*** START SNI ADVISORY, "CHECKPOINT FIREWALL-1 SECURITY ADVISORY" ** >*] > >PROBLEM DESCRIPTION: THE DEFAULT RECOMMENDED CONFIGURATION OF >FIREWALL-1 ALLOWS OUTSIDE USERS TO OBTAIN CONFIDENTIAL OPERATION AND >STATISTICAL INFORMATION FROM THE SIMPLE NETWORK MANAGEMENT PROTOCOL >(SNMP) DAEMON. >ONCE OBTAINED, THIS INFORMATION CAN BE USED BY POTENTIAL INTRUDERS TO >FIND VULNERABILITIES IN THE FIREWALL OR CONNECTED SYSTEMS. IN ADDITION, >POTENTIAL INTRUDERS CAN OBTAIN STATISTICS ON THE FIREWALL'S OPERATION. >FINDING SOFTWARE ON THE FIREWALL WITH KNOWN VULNERABILITIES CAN, IN SOME >CASES, BE EXPLOITED IMMEDIATELY TO CAUSE A DENIAL OF SERVICE (DOS) AT >TACK. >IT IS POSSIBLE FOR PEOPLE WISHING TO SEE THE VOLUME OF TRAFFIC GOING IN >AND OUT OF A TARGET FIREWALL'S NETWORK TO OBTAIN THIS INFORMATION IN A >FORM THAT CAN BE DIRECTLY IMPORTED INTO ANY NUMBER OF NETWORK MONITORING >TOOLS THAT CAN GRAPH IT BY TIME OF DAY. > >TECHNICAL DETAILS: FIREWALL-1 MAKES USE OF THE SNMP SERVICE ON ALL >PLATFORMS TO OBTAIN INFORMATION ABOUT THE MACHINE ON WHICH THE FIREWALL >IS RUNNING, AND TO SHOW THE USER REAL-TIME STATISTICS ABOUT THE FIREWALL. >FOR THOSE UNFAMILIAR WITH THE FIREWALL-1 USER INTERFACE, THE FIRST OPTION >AVAILABLE IN THE GLOBAL PROPERTIES DIALOG BOX IS: > "ENABLE FIREWALL-1 CONTROL CONNECTIONS [ESSENTIAL]" [1]. >THE WORD 'ESSENTIAL' IS CONTAINED IN THE USER INTERFACE WINDOW ITSELF, >CAUSING UNFAMILIAR USERS TO BE VERY RELUCTANT TO REMOVE IT SINCE THEY >FEEL THE VENDOR SHOULD KNOW BEST ABOUT THIS. >THE DEFAULT CONFIGURATION IS TO HAVE THIS SELECTED AND MARKED "FIRST" SO >THAT IT IS EVALUATED BEFORE THE RULE-SET DEFINED BY THE FIREWALL >ADMINISTRATOR. SINCE FIREWALL-1 OPERATIONS ON A FIRST-MATCH RATHER THAN >A BEST-MATCH PRINCIPLE, NOTHING IN THE RULE-SET OVERRIDES THIS. >THE DOCUMENTATION MAKES IT VERY CLEAR THAT WHILE THIS BOX IS SELECTED, >CONTROL CONNECTIONS REQUIRED FOR USE OF THE REMOTE GUI ARE ONLY ALLOWED >IF THE IP ADDRESS IS LISTED IN A SPECIFIC TEXT FILE. ALL OTHER CONNECTION >ATTEMPTS WILL BE REJECTED. NO MENTION IS MADE OF THE FACT THAT ACCESS IS >ALLOWED TO THE SNMP PORTS FROM ANY ADDRESS. IF ACCESS WERE RESTRICTED TO >ADDRESSES THAT APPEAR IN THE TEXT FILE, THIS PROBLEM WOULD BE PRESENT TO >A LESSER DEGREE, ALLOWING AN ATTACKER TO SPOOF UDP PACKETS TO SET >VARIABLES, WITHOUT NEEDING TO RECEIVE A REPLY. >THE SNMP DAEMON REVEALS THE VERSION OF THE OPERATING SYSTEM AND FIREWALL, >AS WELL AS THE CONFIGURATION OF THE SECURITY PERIMETER SUCH AS THE >PRESENCE OR ABSENCE OF A SERVICE NETWORK (DMZ). THE OS VENDOR'S SNMP >DAEMON WILL GENERALLY MAKE AVAILABLE INFORMATION SUCH AS A LIST OF ALL >ACTIVE CONNECTIONS, A LIST OF ALL RUNNING SERVICES AND THE ENTIRE ROUTING >TABLE (WHICH IF THE FIREWALL RUNS RIP CONTAINS A SIZABLE AMOUNT OF >INFORMATION). INFORMATION SUCH AS THE AMOUNT OF TRAFFIC TRAVELING ON ANY >GIVEN INTERFACE CAN BE USEFUL FOR COMPETITORS GAINING INFORMATION ON >NETWORK TRAFFIC. >IN ADDITION TO THE STANDARD MIB, VARIOUS VENDORS MAKE THEIR OWN >INFORMATION AVAILABLE VIA ENTERPRISE MIBS. AS THE REFERANCE SECTION TO >THIS ADVISORY NOTES, THIS MAY BE IMPORTANT FOR NT USERS OF THE CHECKPOINT >FIREWALL [2]. >CHECKPOINT HAS THEIR OWN ENTERPRISE MIB (ENTERPRISES.1919). THIS PROVIDES >OTHER INFORMATION USEFUL TO THE POTENTIAL INTRUDER SUCH AS THE NUMBER OF >DENIED, DROPPED, ALLOWED AND LOGGED PACKETS AS WELL AS THE CURRENT STATE >OF THE FIREWALL. PROVIDED AS WELL, IS THE TEXT OF THE LAST SNMP TRAP >GENERATED. >TO AN INTRUDER, THE INFORMATION OBTAINED CAN IN MANY CASES POINT THEM >DIRECTLY TO A WAY IN WHICH THEY CAN GAIN REMOTE ACCESS TO THE PROTECTED >NETWORK. >ACCESS TO THE SNMP DAEMON IS ALLOWED IN RULE-SET 0 (PROPERTIES) NO >LOGGING OF THESE ACCESSES IS MADE. > >VULNERABLE OPERATING SYSTEMS AND SOFTWARE: ALL PLATFORMS RUNNING >VERSIONS OF FIREWALL-1 FROM CHECKPOINT WHERE THE ADMINISTRATOR HAS NOT >DISABLED THE "ENABLE REMOTE CONNECTIONS" OPTION FROM THE PROPERTIES, OR >HAS IN SOME OTHER WAY ENABLED ACCESS TO THE SNMP SERVER ON THE FIREWALL. > >FIX INFORMATION: > >A. VENDOR PATCH: ACCORDING TO CHECKPOINT SOFTWARE, A PATCH FOR THIS >PROBLEM IS AVAILABLE VIA: > HTTP://WWW.CHECKPOINT.COM/SUPPORT (ALL LOWERCASE) >IT SHOULD BE NOTED THAT THIS URL IS PASSWORD PROTECTED AND IS ONLY >ACCESSABLE VIA CHECKPOINT AUTHORIZED RESELLERS. >B. QUICK FIX: IMMEDIATELY UNSELECT THE "ENABLE REMOTE CONNECTIONS" >OPTION. ALSO, BLOCK ALL SNMP TRAFFIC AT YOUR BORDER ROUTER (UDP PORT 161). >IF YOU ABSOLUTELY REQUIRE REMOTE ACCESS, A QUALIFIED SECURITY >ADMINISTRATOR CAN ASSIST YOU IN DESIGNING A POLICY THAT GRANTS THIS >ACCESS IN THE REGULAR RULE-BASE. PLEASE NOTE THAT THIS SUGGESTION IS >NOT SUPPORTED BY CHECKPOINT AND IS PROVIDED WITHIN THIS ADVISORY ON AN >'AS IS' BASIS. SNI (SECURE NETWORKS INC.) ACCEPTS NO LIABILTY FOR THIS >SUGGESTED FIX, AND END USERS SHOULD APPLY IT ONLY AFTER CONSULTING THEIR >IN-HOUSE SECURITY ADMINISTRATOR. > >ADDITIONAL INFORMATION: THE INFORMATION PROVIDED IN THIS ADVISORY >WAS PROVIDED TO SNI BY STEVE BIRNBAUM . > >REFERENCES (FROM FOOTNOTES IN TEXT ABOVE): > [1] MANAGING FIREWALL-1 USING THE WINDOWS GUI, FIGURE 1-11. > [2] BUGTRAQ MAILING LIST POST CONCERNING MIB ENTERPRISES.77 >A RECENT POST TO A SECURITY MAILING LIST BY CHRISTOPHER ROULAND >(CROULAND@EXAMNYC.LEHMAN.COM) POINTED OUT THAT THE MICROSOFT LAN-MANAGER >ENTERPRISE MIB (ENTERPRISES.77) LISTED VAST AMOUNTS OF INFORMATION THAT >SHOULD BE HEAVILY GUARDED. >THIS INCLUDES A LIST OF RUNNING SERVICES AND THEIR STATE, A LIST OF ALL >USERS THAT EXIST ON THE MACHINE, ANY CONNECTED SHARES AND THE NUMBEROF >FAILED PASSWORD ATTEMPTS AMONG OTHER THINGS. FURTHER, HE FOUND A CERTAIN >VARIABLE THAT COULD BE SET TO 0 IN MICROSOFT'S ENTERPRISE MIB WHICH >RESULTED IN A CLEARING OF THE WINS DATABASE. GIVING SUCH INFORMATION AS >THE PRESENCE OF ANY SHARES AND THE USER LIST ON A FIREWALL IS A POSSIBLY >DISASTROUS BREACH OF SECURITY. >[*** END SNI ADVISORY, "CHECKPOINT FIREWALL-1 SECURITY ADVISORY" ***] > From firewalls-owner Thu Jan 1 12:48:10 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA15218; Thu, 1 Jan 1998 12:33:24 -0800 (PST) Received: from cmcl2.nyu.edu (NYU.EDU [128.122.253.92]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id MAA15189 for ; Thu, 1 Jan 1998 12:33:16 -0800 (PST) Received: from [128.122.237.106] ("port 2048"@DIAL6-ASYNC38.DIAL.NET.NYU.EDU) by cmcl2.nyu.edu (PMDF V5.1-10 #24942) with ESMTP id <0EM40052UH2IKM@cmcl2.nyu.edu> for firewalls@GreatCircle.COM; Thu, 1 Jan 1998 15:32:45 -0500 (EST) Date: Thu, 01 Jan 1998 15:32:45 -0500 (EST) Date-warning: Date header was inserted by cmcl2.nyu.edu From: Jimmy Kyriannis Subject: Re: Intrusion Detection - Switched Network In-reply-to: <199712301602.LAA15151@bluerose.tju.edu> X-Sender: kyriann@cmcl2-f.nyu.edu To: Paul Alukal Cc: firewalls@GreatCircle.COM Message-id: MIME-version: 1.0 Content-type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I can't speak for ATM-only switches, but some conventional LAN switches, such as the Catalyst allow for the administrative creation of a port which can present all traffic flowing through a VLAN. As long as the bandwidth available on this port exceeds the total bandwidth consumed by the VLAN, you'll be able to use that port for sniffing/analysis purposes without packet loss. According to Cisco engineers, the Catalyst 5x00's, at least, do this in hardware with no performance loss. Jimmy At 11:02 AM -0500 12/30/97, Paul Alukal wrote: >Hello everyone, > >I am interested in any feedback from users who use any type of >intrusion detection systems (commercial or others) on a switched >network. > >The question is this. If the network is fully switched, how effective >is any intrusion detection system (without using an shared hub)? By >switched network, I mean each network device is connected directly to >a port on a switch. The switch technology gives each port a different >virtual circuit through the switch (unlike a shared hub), that even >makes sniffing difficult (or impossible). > >Some thoughts are to place the intrusion detection system near a choke >point (like a firewall), but this will still need some shared hub. >Installing any intrusion detection system on a firewall itself is out >of question (due to complexity). > >Assuming the network will have ATM backbone with different VLAN's in >the network, we can think of an intrusion detection system with >multiple interfaces to each VLAN, still if the network is switched, how >effective will be the intrusion detection? > >Is there any commercial (or other) system which is capable of doing a >true intrusion detection in these kind of situations? > >Thanks in advance for any comments or suggestions. > >Paul Alukal From firewalls-owner Thu Jan 1 13:29:28 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA20716; Thu, 1 Jan 1998 13:23:38 -0800 (PST) Received: from wizard.abirnet.co.il (wizard.abirnet.co.il [194.90.211.10]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id NAA20706 for ; Thu, 1 Jan 1998 13:23:26 -0800 (PST) Received: from ziv_note.abirnet.com (ziv-note.abirnet.co.il [194.90.211.23]) by wizard.abirnet.co.il (8.8.5/8.8.5) with SMTP id XAA32641; Thu, 1 Jan 1998 23:22:30 +0200 Date: Thu, 1 Jan 98 23:21:08 +0200 From: Ziv Dascalu Subject: Re: Intrusion Detection - Switched Network To: blast , Rabid Wombat Cc: "Paul D. Robertson" , firewalls@GreatCircle.COM, Paul Alukal X-Mailer: Chameleon ATX 6.0.1, Standards Based IntraNet Solutions, NetManage Inc. X-Priority: 3 (Normal) References: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk --- On Wed, 31 Dec 1997 04:24:13 -0500 (EST) Rabid Wombat wrote: > > Switches are designed to support a large volume of traffic; if you > aggregate all the traffic in multiple collision domains onto one > monitoring segment, you'd flood it. Hence the decision to provide a > monitoring port that can handle one collision domain at a time. > > -r.w. > > On Tue, 30 Dec 1997, blast wrote: > > > On Tue, 30 Dec 1997, Paul D. Robertson wrote: > > > > > On Tue, 30 Dec 1997, Paul Alukal wrote: > > > > > > > Is there any commercial (or other) system which is capable of doing a > > > > true intrusion detection in these kind of situations? > > > > > > Most good switches will allow you to set particular ports to get all > > > traffic as if it were a hub. This is where you configure the IDS. > > > > Paul Alukal has a valid question and I have yet to find any > > 'administrative' port on any switch that facilitates an IDS > > on each segment concurrently. > > > > Paul Robertson is right in saying that most "good switches" > > have a port (single) to monitor a particular "domain" (collision/VLAN). > > Problem is that these ports were not designed with an IDS in mind and > > may only offer your IDS a view one world (collision-domain) at a time. > > This constraint may or may not facilitate your IDS. > > ---------------End of Original Message----------------- So a possible solution for IDS systems may be point solution in critical places or having it physically connected to multiple segments by supporting multiple NICs Ziv ...===== A B I R N E T Active Network Protection (http://www.abirnet.com) ===== From firewalls-owner Thu Jan 1 23:44:25 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA14253; Thu, 1 Jan 1998 23:34:39 -0800 (PST) Received: from mastech.com (firewall.mastech.com [208.0.144.226]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id XAA14243 for ; Thu, 1 Jan 1998 23:34:34 -0800 (PST) Received: by firewall.mastech.com id <26993>; Fri, 2 Jan 1998 02:30:50 -0500 From: "P Mohan" To: Firewalls@GreatCircle.COM Date: Fri, 2 Jan 1998 02:52:59 -0500 Subject: FTP server Reply-to: mohanp@india.mastech.com X-mailer: Pegasus Mail for Windows (v2.23) Message-Id: <98Jan2.023050est.26993@firewall.mastech.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Friends, I am planning to setup one FTP server (Internet) and give access to my client to use that. How do I do this ? Is there any web site where I can get more info on this? Thanks in advance P.Mohan mohanp@india.mastech.com From firewalls-owner Fri Jan 2 03:14:28 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id DAA27225; Fri, 2 Jan 1998 03:00:18 -0800 (PST) Received: from castle.us-state.gov (castle.us-state.gov [198.76.102.19]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id DAA27210 for ; Fri, 2 Jan 1998 03:00:10 -0800 (PST) Received: by castle.us-state.gov; id AA22398; Fri, 2 Jan 98 05:59:29 EST Received: from pubhost.us-state.gov(198.76.102.34) by castle.us-state.gov via smap (V1.3mjr) id sma022384; Fri Jan 2 05:59:22 1998 Received: by pubhost.us-state.gov; id AA06061; Fri, 2 Jan 98 05:59:18 EST Received: by localhost with Microsoft MAPI; Fri, 2 Jan 1998 05:54:38 -0500 Message-Id: <01BD1742.E93E3350@gcrum@us-state.gov> From: Gary Crumrine Reply-To: "gcrum@us-state.gov" To: "'Ted Doty'" , "firewalls@greatcircle.com" Subject: RE: Intrusion Detection - Switched Network Date: Fri, 2 Jan 1998 05:54:37 -0500 Organization: US Dept of State X-Mailer: Microsoft Internet E-mail/MAPI - 8.0.0.4025 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Some very important points that you bring out Ted, is that 1) Network monitoring tools are to be considered only a part of the whole picture, and not relied upon to be the ultimate wall of defense. It should only be used to flag activity that requires further review by your administrative and security staff. 2) In this day and age, my opinion is that the biggest threat we see is from the inside... When working with forensic data from various customer sites, it appears much more activity on our so called trusted networks is occurring that is not detected. Industry is slowly turning their eyes internally, and it is good they have begun to do so. Any tool that can be used flag this activity is sorely needed and a welcome relief to those of us who used to sit and pound out script after script in order to keep one step ahead of the bad guys. The only thing I fear though, is that we will soon rely too much on this technology, and lose the skills and insight you gain from in depth study of log data. Nothing quite as satisfying as your daily dose of analytics I always say...;^) -----Original Message----- From: Ted Doty [SMTP:ted@iss.net] Sent: Wednesday, December 31, 1997 10:44 AM To: firewalls@greatcircle.com Subject: Re: Intrusion Detection - Switched Network On Tue, 30 Dec 1997 13:06:19 -0500 (EST), Brad wrote: >> I am interested in any feedback from users who use any type of >> intrusion detection systems (commercial or others) on a switched >> network. > >THis is a problem I think every vendor is facing at this point. I am not >aware of any product that will do this yet. ODS has a product called the "Secure Switch", which includes our RealSecure IDS. Look at http://www.ods.com and click on "Security". >There are workarounds, host based intrusion detection being one, but this >can get unweildy if you have hundred or thousands of hosts that need to be >installedon and managed. Then there is the overhead associated with >running IDS on each host. Host based and network based IDS do different things, have different strengths and weaknesses, and should be used for different purposes. Network based IDS is efficient from a management point of view (a single device can collect IDS information for an entire subnet), but is somewhat subject to false positives (reporting an event as possibly malicious when it is not, e.g. reporting a large number of legitimate hits on a fast web server as a possible Syn flood). Host based IDS requires more management effort, does not typically act in real time, but has access to more refined levels of information (host audit logs), so has a much lower level of false positives. An appropriate strategy might be to run network IDS for wide coverage, with host based IDS on critical systems, or on hosts that are reported to be engaged in suspicious activity by the network IDS. >> The question is this. If the network is fully switched, how effective >> is any intrusion detection system (without using an shared hub)? It has to be in the hub if you want to do network based IDS on fully switched networks. The IDS has to live somewhere on the data path. >> Some thoughts are to place the intrusion detection system near a choke >> point (like a firewall), but this will still need some shared hub. >> Installing any intrusion detection system on a firewall itself is out >> of question (due to complexity). [snip] >A problem with this is that you dont see the internal traffic, only stuff >passing through that choke point. > >I envision that IDS will need to be integrated into the switches, and >routers, themselves somehow, as an extra card, additions to switch or >router OS's, etc... It's a much more compelling argument to integrate IDS with a switch, rather than with either firewalls or routers. Since a standalone IDS could use the firewall or router API (e.g. Checkpoint's OpSec) to update access rules, the firewalls can concentrate on firewalling and the routers can focus on routing. One advantage of disassociating the IDS from the firewall is that an IDS deep inside your network could update the Internet perimeter defenses; this is useful for things like Smurf attacks. Still ,the only way to get on the data path in switched networks is to integrate into the switch itself. Note that we're talking about two different types of monitoring here. IDS in combination with firewalls (and probably routers, too) is primarilly focused on enhancing external security (strengthing the perimeter). IDS in the switch is primarily useful for detecting internal threats and misuse. Internal IDS is most effectively used as deterence. In other words, let everyone know that monitoring is going on. >> Assuming the network will have ATM backbone with different VLAN's in >> the network, we can think of an intrusion detection system with >> multiple interfaces to each VLAN, still if the network is switched, how >> effective will be the intrusion detection? Don't think you should need multiple interfaces, as long as the IDS understands how to grok an ATM cell stream. There are a lot of possible encapsulations: RFC 1577, LANE, "Legacy" formats like Fore IP. You may need to do some network tuning. ;-) >Thisis definitely feasable, but you bring up another problem, IDS systems >that work at ATM speeds, of which, again I know of none. >The closest thing that I know if is NetRanger, from WheelGroup, which scale >up to full FDDI and Fast Ethernet speeds. Butnot even NetRanger can work >with ATM yet. The ODS SecureSwitch has ATM/OC-3 interface modules. I haven't seen any performance figures, but it appears to be a supported configuration. I haven't heard of any published performance tests for IDS systems. If anyone from the trade press is listening, this might be a useful article for the community. Disclaimer: I work for ISS, which makes RealSecure, which runs in the ODS SecureSwitch. - Ted -------------------------------------------------------------- Ted Doty, Internet Security Systems | Phone: +1 770 395 0150 41 Perimeter Center East | Fax: +1 770 395 1972 Atlanta, GA 30346 USA | Web: http://www.iss.net -------------------------------------------------------------- PGP key fingerprint: 362A EAC7 9E08 1689 FD0F E625 D525 E1BE From firewalls-owner Fri Jan 2 03:44:25 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id DAA02900; Fri, 2 Jan 1998 03:37:00 -0800 (PST) Received: from proteus.asyk.ase.gr (proteus.asyk.ase.gr [193.242.241.61]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id DAA02738 for ; Fri, 2 Jan 1998 03:36:27 -0800 (PST) Received: by proteus.asyk.ase.gr with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52) id <01BD1783.5C8A3D00@proteus.asyk.ase.gr>; Fri, 2 Jan 1998 13:35:59 +0200 Message-ID: From: Vasilis Vergotis To: "'Firewalls@GreatCircle.com'" Subject: DNS and Mail setup via firewall Date: Fri, 2 Jan 1998 13:35:57 +0200 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello to everybody and happy new year! I would be gratefull if you could give some advice to the following theme: There has been recently taken place to my company's network, a firewall instalation whitch has been placed in front of the Internet connection. Therefore the network has been split into a public part (whitch contains nothing for the moment), a DMZ zone (whitch contains the public DNS and mail server) and the internal private network (whitch contains the internal DNS and mail server). The external mail server receives the mail for the zone company.gr and it forwards it to the internal mail server via SMTP. The external DNS server knows nothing about the internal. Internally the DNS server is knows only the zone internal.company.gr for whitch he is primary and for the things he does not know he asks the external DNS server. The internal mail server receives the mail for the zone internal.company.gr as well as the mail for the zone company.gr that the external mail server forwards. The problem is that the internal mail server cannot deliver mail to the account with the e-mail address user@company.gr that has been created to him. It sends back a message reporting that the recipient is unknown. What goes wrong with the above configuration? I suspect that there is something wrong with the DNS. Do i have to use the same zone (company.gr) both for the internal and the DMZ network ? Can i use e-mail addresses xxx@company.gr for the internal network with the above configuration ? Please send any help to my personal address to as i am not a member of the list. Thanks in advance, Vassilis. From firewalls-owner Fri Jan 2 04:44:31 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id DAA04913; Fri, 2 Jan 1998 03:49:59 -0800 (PST) Received: from bermuda.io.com (bermuda.io.com [199.170.88.7]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id DAA04843 for ; Fri, 2 Jan 1998 03:49:40 -0800 (PST) Received: from localhost (cooper@localhost) by bermuda.io.com (8.8.5/8.8.5) with SMTP id FAA10413 for ; Fri, 2 Jan 1998 05:49:09 -0600 (CST) X-Authentication-Warning: bermuda.io.com: cooper owned process doing -bs Date: Fri, 2 Jan 1998 05:49:09 -0600 (CST) From: William Cooper To: "'firewalls@greatcircle.com'" Subject: Re: Firewall Security Advisory In-Reply-To: <01BD16EB.19432B80@ppp387.enterprise.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk this is a lame- - properly configured this should never have been a problem, tho admittedly it was a prob. w/ default config. on FW-1 until recently - it is no longer a default on FW-1 and hasn't been for a month+ - patch was avail. 3 weeks+ before sec. advisory was posted - this was posted to BUGTRAQ over 3 weeks ago, if you're serious about network security and you didn't see it there, _and_ you managed to miss the numberous references in the trade rags, _AND_ you didn't bother to check CheckPoint's site to see if there were any new patches available, you don't deserve to know about it in the first place (MO). info re: bugtraq at http://www.geek-girl.com/bugtraq/. - bill cooper@io.com On Thu, 1 Jan 1998, Gadbois wrote: > Forwarding this advisory I received on the Checkpoint FW-1 in case you > haven't seen it. Take care. From firewalls-owner Fri Jan 2 06:44:28 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA15472; Fri, 2 Jan 1998 06:42:53 -0800 (PST) Received: from loki.iss.net (loki.iss.net [208.21.0.3]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id GAA15464 for ; Fri, 2 Jan 1998 06:42:46 -0800 (PST) Received: from tdoty (tdoty.iss.net [208.21.4.61]) by loki.iss.net (8.8.7/8.7.3) with SMTP id JAA28004 for ; Fri, 2 Jan 1998 09:42:14 -0500 Message-Id: <3.0.3.32.19980102093733.00a09100@mail.iss.net> X-Sender: tdoty@mail.iss.net X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.3 (32) Date: Fri, 02 Jan 1998 09:37:33 -0500 To: firewalls@greatcircle.com From: Ted Doty Subject: Re: Intrusion Detection - Question. Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Wed, 31 Dec 1997 09:50:47, "Paul D. Robertson" wrote: On Wed, 31 Dec 1997, Lars Bertelsen wrote: >> When we are talking about intrusion detection in this context, what is it >> that people mean? >> I can think of several things, but it seems to me that this is a well >> established set of meanings of which I seem to be unaware. God how I hate >> that! :-) > >At least from my perspective, we're discussing network monitoring tools >such as NFR, NetRanger, etc. Which can alert based on certain traffic >patterns which are typicly associated with network intrusion. A couple concrete examples might help clarify the distinction between what firewalls and IDS do. A firewall will typically grant or restrict access to services (e.g. HTTP) based on policy (internal users can use browsers to access arbitrary sites, external users are only allowed access to the DMZ firewall). IDS, on the other hand, looks for patterns within the allowed traffic that suggests a deviation from policy, typically be exploiting a vulnerability in a client or server program to gain additional privileges. One such example is the Microsoft Internet Explorer 3.0/3.01 but that causes the browser to locally execute URLs that have a .url or .lnk extension. An attacker could set up a web page offering cool inducements ("Click here for nude gifs of Socks the cat!") which in actuality point to Mail_me_all_your_cached_passwords.url. Another example is DNS. Since we all rely on DNS to associate hard to remember IP addresses from easy to remember hostnames, the firewall has to pass incoming DNS traffic (at least from particular sources). One known attack returns an address longer than 4 bytes, to overflow a buffer in some DNS implementations and execute arbitrary commands. Typically the IDS will take appropriate action when it sees this kind of shenanigans, for example killing the session with appropriately crafted TCP RST messages, adding new firewall rules to block the miscreant, and making pagers sing and network management consoles glow appropriately. There seem to be two flavors of IDS, one that looks for known bad signatures, and one that uses an expert system to detect patterns falling outside the norm. My examples use signatures (these are actual examples from our RealSecure IDS). The Network Intrusion Detection Expert System (NIDES) from SRI is an example of a learning system to detect anomolous usage patterns. - Ted -------------------------------------------------------------- Ted Doty, Internet Security Systems | Phone: +1 770 395 0150 41 Perimeter Center East | Fax: +1 770 395 1972 Atlanta, GA 30346 USA | Web: http://www.iss.net -------------------------------------------------------------- PGP key fingerprint: 362A EAC7 9E08 1689 FD0F E625 D525 E1BE From firewalls-owner Fri Jan 2 07:14:38 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA18839; Fri, 2 Jan 1998 07:08:21 -0800 (PST) Received: from mco.edu (mco004.mco.edu [136.247.10.56]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id HAA18802 for ; Fri, 2 Jan 1998 07:08:11 -0800 (PST) Received: from mco-Message_Server by mco.edu with Novell_GroupWise; Fri, 02 Jan 1998 10:06:27 -0500 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Fri, 02 Jan 1998 10:06:01 -0500 From: Jeff Zarend To: firewalls@greatcircle.com Subject: Batch load of users Mime-Version: 1.0 Content-Type: text/plain Content-Disposition: inline Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I want to batch load a user list for Checkpoint's Firewall-1. I will use DBIMPORT. My problem is that the password field looks like it needs to be encrypted. I have a flat text file, with the passwords in clear text (I randomly generated the passwords). Does anyone have a utility to encrypt the text passwords, so they are acceptable to Firewall-1's batch load? Thanks, Jeff Zarend Medical College of Ohio jzarend@mco.edu (419) 383-4505 From firewalls-owner Fri Jan 2 07:45:14 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA20983; Fri, 2 Jan 1998 07:23:45 -0800 (PST) Received: from tcs-sec.com (tcsfw-1.tcs-sec.com [208.219.129.41]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id HAA20913 for ; Fri, 2 Jan 1998 07:23:29 -0800 (PST) Received: (from uucp@localhost) by tcs-sec.com (8.8.7/8.6.9) id LAA00059; Fri, 2 Jan 1998 11:24:58 -0500 Received: from lambic.tcs-sec.com(205.197.27.135) by tcsfw-1.tcs-sec.com via smap (V1.3) id sma000057; Fri Jan 2 11:24:46 1998 Message-Id: <3.0.5.32.19980102102426.007d13c0@lambic> X-Sender: gperry@lambic X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Fri, 02 Jan 1998 10:24:26 -0500 To: Frank Willoughby , James Terry From: Gregory Perry Subject: Re: firewall audit service referral Cc: firewalls@GreatCircle.COM In-Reply-To: <3.0.3.32.19971231220823.007cc220@in.net> References: <34AA9991.62140279@imx-exchange.com> <418996AD2954D11180860000E8D5C667018538@ns.rc.on.ca> <3488EB31.B5D806F6@gnss.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >CAUTION: >Beware of any organizations which will perform a remote firewall >penetration test. >This is an inherently dangerous practice which has the potential of leading >hackers >to their next victims. > >Best Regards, > > >Frank I don't guess I understand what you are getting at, remote penetration testing is an absolute necessity for any type of Internet related security audit - which would you rather happen, have an outside firm discover flaws in your Internet connected network, or have a hacker find and exploit the flaw(s) instead? __________________________________________________________________ Gregory Perry phone: 703.318.7134 Trusted Computer Solutions, Inc. fax: 703.318.5041 13873 Park Center Road Suite 225 email: gperry@tcs-sec.com Herndon, VA 20171 http://www.tcs-sec.com __________________________________________________________________ From firewalls-owner Fri Jan 2 08:00:34 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA19764; Fri, 2 Jan 1998 07:14:33 -0800 (PST) Received: from loki.iss.net (loki.iss.net [208.21.0.3]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id HAA19709 for ; Fri, 2 Jan 1998 07:14:20 -0800 (PST) Received: from tdoty (tdoty.iss.net [208.21.4.61]) by loki.iss.net (8.8.7/8.7.3) with SMTP id KAA29532; Fri, 2 Jan 1998 10:13:55 -0500 Message-Id: <3.0.3.32.19980102100915.00a09530@mail.iss.net> X-Sender: tdoty@mail.iss.net X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.3 (32) Date: Fri, 02 Jan 1998 10:09:15 -0500 To: "gcrum@us-state.gov" From: Ted Doty Subject: RE: Intrusion Detection - Switched Network Cc: "firewalls@greatcircle.com" In-Reply-To: <01BD1742.E93E3350@gcrum@us-state.gov> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 05:54 AM 1/2/98 -0500, Gary Crumrine wrote: >Some very important points that you bring out Ted, is that 1) Network >monitoring tools are to be considered only a part of the whole picture, and >not relied upon to be the ultimate wall of defense. It should only be used >to flag activity that requires further review by your administrative and >security staff. Well, not really. Some traffic can be identified as known bad (for example, session hijacking attacks), and the IDS should take action to stop it. You don't want the admins involved, because by the time a human can react the damage is already done. OTOH, other types of events can be "interesting" without even being "suspicious". For example, suppose I see cleartext SMB passwords going across my LAN. This can mean all kinds of things, only some of which are malicious. I may have old LAN Manager clients, so my NT servers are defaulting down to a brain dead authentication scheme. I may have a misconfiguration in one of my servers. Or I might have a man-in-the-middle password downgrade attack in progress. In any case, I'll have to do some investigating to determine what's really going on, and whether it needs action. - Ted -------------------------------------------------------------- Ted Doty, Internet Security Systems | Phone: +1 770 395 0150 41 Perimeter Center East | Fax: +1 770 395 1972 Atlanta, GA 30346 USA | Web: http://www.iss.net -------------------------------------------------------------- PGP key fingerprint: 362A EAC7 9E08 1689 FD0F E625 D525 E1BE From firewalls-owner Fri Jan 2 08:09:08 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA20053; Fri, 2 Jan 1998 07:16:30 -0800 (PST) Received: from friday.datasource.net (friday.datasource.net [205.183.26.1]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id HAA19865 for ; Fri, 2 Jan 1998 07:15:43 -0800 (PST) Received: from friday.datasource.net (root@localhost) by friday.datasource.net (8.7.5/8.7.3) with ESMTP id JAA07116; Fri, 2 Jan 1998 09:13:33 -0600 (CST) Received: from datasource.net ([192.168.0.80]) by friday.datasource.net (8.7.5/8.7.3) with ESMTP id JAA07112; Fri, 2 Jan 1998 09:13:32 -0600 (CST) Message-ID: <34AD0616.9B0187DF@datasource.net> Date: Fri, 02 Jan 1998 09:21:58 -0600 From: Nathan Steinbauer Reply-To: nathan@datasource.net Organization: DataSource Hagen X-Mailer: Mozilla 4.02 [en] (Win95; I) MIME-Version: 1.0 To: Modify CC: "N.Z. Sanderson" , firewalls@GreatCircle.COM Subject: Re: Borderware vs Firewall - 1 References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In defense of Secure Computing, Borderware is made for small to medium sized companies. In a 12,000 desktop company Secure would recommend their Sidewinder, which does handle heavy usage well and is very flexible. My $.02 Nate Modify wrote: > > I tested both products and I would choose Firewall1 over Borderware any > day. (Personal Opinion) I found that Borderware couldnt handle heavy > loads (probably okay for a small company) The help was crap and the > service wasnt all that wonderful either! Firewall1 had decent help and > pretty darn good service from the home office. Also, Firewall1 handled > the large load we needed with 12,000 people in this company. Firewall1 > also had a much more crisp, clear, easy to use interface for rule sets > etc..etc.. All of which is personal opinion. > > Modify > > On Tue, 30 Dec 1997, N.Z. Sanderson wrote: > > > Hi there . . . > > > > I am looking to at a comparison of two Firewall products: > > > > 1/ Secure Computings Borderware > > 2/ Checkpoints Firewall - 1 > > ________ > > H E L P > > --------- > > Has anyone either have there own comparison OR an opinion (good/bad) on > > the above products. > > > > look forward to some answers . . . . . as these firewalls look good on > > paper but how are they implemented. > > > > thanks in advance for your help . . > > > > Nigel Sanderson > > > > > > ______________________________________________________ > > Get Your Private, Free Email at http://www.hotmail.com > > -- Nathan Steinbauer Internet Consultant DataSource Hagen 612.844.1459 nathan@datasource.net http://www.datasource.net From firewalls-owner Fri Jan 2 08:11:12 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA18677; Fri, 2 Jan 1998 07:07:39 -0800 (PST) Received: from imo11.mx.aol.com (imo11.mx.aol.com [198.81.19.165]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id HAA18670 for ; Fri, 2 Jan 1998 07:07:34 -0800 (PST) From: GCrum2 Message-ID: Date: Fri, 2 Jan 1998 10:06:58 EST To: Firewalls@GreatCircle.COM Subject: firewRe: Looking for a good conference on firewalls and network s Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7bit Organization: AOL (http://www.aol.com) X-Mailer: Inet_Mail_Out (IMOv11) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I heard that the person who is teaching this course in question is in trouble for stealing the material and is being sued. I would really hate to spend money and schedule flights etc for this course, only to show up and find out that the course was cancelled because of someone's legal troubles. I am very surprised that their employer knowingly lets them continue to use their name in the advertizement, or lets the person to continue to represent them on the speaking tour. Somehow, I tend to shy away from people involved with shady acts for some reason. If the charges are true, I'd have a problem with that. I guess though, that we should give them the benefit of the doubt...the truth seems to have a way of coming out in the end, so I will reserve judgement until then. Just use caution. As for SANS in general, I find them a very informative and forthright organization. In the Washington DC area, there are several very good conferences that are held each year. Infowarcom is one of those, as well as one put on by NCSA I think...not sure. COMNET and fed imaging are others that come to mind. -----Original Message----- From: Sent: Wednesday, December 31, 1997 7:05 PM To: Pablo Martinez; Firewalls@GreatCircle.COM Subject: Re: Looking for a good conference on firewalls and network security -reply I was just perusing the SANS May Conference, and found a course titled "Firewall Management and Troubleshooting" Anybody know anything about the speaker or the contents of the course.??? At 03:17 PM 12/18/97 -0500, Pablo Martinez wrote: >I am relatively new to this area and I am in the process of >registering in a couple of courses on network/Internet security. >I would also like to attend to a good conference/symposium on >network security (including firewalls) where I could get info on the >latest trends and research (courses usually do not cover that >in detail). Any suggestions? So far I have info on > > - 1998 IEEE Symposium on Security and Privacy > - The Internet Society's Symposium on Network and Distributed System > Security > >thanks, >-- >Pablo Martinez 101 Crawfords Corner Rd >Internet Communications Business Holmdel, NJ 07733-3030 >Lucent Technologies 732 817-2731 >pablo@lucent.com 732 817-4504 FAX > > From firewalls-owner Fri Jan 2 09:14:42 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA10009; Fri, 2 Jan 1998 09:06:11 -0800 (PST) Received: from landfield.com (ns.landfield.com [208.196.145.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id JAA09948 for ; Fri, 2 Jan 1998 09:05:54 -0800 (PST) Received: (from kent@localhost) by landfield.com (8.8.8/8.8.8) id LAA21021; Fri, 2 Jan 1998 11:06:21 -0600 (CST) From: Kent Landfield Message-Id: <199801021706.LAA21021@landfield.com> Subject: Re: FTP server To: mohanp@india.mastech.com Date: Fri, 2 Jan 1998 11:06:20 -0600 (CST) Cc: Firewalls@GreatCircle.COM In-Reply-To: <98Jan2.023050est.26993@firewall.mastech.com> from "P Mohan" at Jan 2, 98 02:52:59 am X-Mailer: ELM [version 2.4 PL25] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk # Friends, # # I am planning to setup one FTP server (Internet) and give access to # my client to use that. How do I do this ? Is there any web site where # I can get more info on this? # # # Thanks in advance # # P.Mohan # mohanp@india.mastech.com Take a look at the WU-FTPD Resource Center httpd://www.landfield.com/wu-ftpd. -- Kent Landfield Phone: 1-817-545-2502 Email: kent@landfield.com http://www.landfield.com/ Email: kent@nfr.net http://www.nfr.net/ Please send comp.sources.misc related mail to kent@landfield.com Search the Usenet Hypertext FAQ Archive at http://www.faqs.org/faqs/ From firewalls-owner Fri Jan 2 11:44:38 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA23781; Fri, 2 Jan 1998 11:42:07 -0800 (PST) Received: from tcs-sec.com (tcsfw-1.tcs-sec.com [208.219.129.41]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id LAA23774 for ; Fri, 2 Jan 1998 11:41:59 -0800 (PST) Received: (from uucp@localhost) by tcs-sec.com (8.8.7/8.6.9) id PAA01148 for ; Fri, 2 Jan 1998 15:43:30 -0500 Received: from lambic.tcs-sec.com(205.197.27.135) by tcsfw-1.tcs-sec.com via smap (V1.3) id sma001146; Fri Jan 2 15:43:15 1998 Message-Id: <3.0.5.32.19980102144255.007f53d0@lambic> X-Sender: gperry@lambic X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Fri, 02 Jan 1998 14:42:55 -0500 To: From: Gregory Perry Subject: Re: Intrusion Detection - Question. In-Reply-To: <01bd169d$c72af640$54d35ac2@hagit1.abirnet.co.il> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >Working in switched environment does not mean protecting the network from >intruders. >Since IDS work by monitoring all network traffic, it is impossible for such a >system to work in a switched environment, unless of course it is plugged in the >promiscious port of the switch. > >>>From what I have read I assume that we are talking about some sort of >>sniffing on the network, looking for specific sorts of traffic that >>shouldn't be there (or should but isn't!). >> >>Now I can't help thinking that the simple approach would be to do the >>sniffing at the connection to the world, either by means of monitoring that >>specific port in the switch or if that is not possible then by simply >>attaching a small hub to the port and plugging the sniffer and the router >>into that hub. Where is RMON-2 and 3 at in terms of dispatching intelligent agents to detect intrusions (or other suspicious network activity) as opposed to running a port on the hub in promiscuous mode? Bandwidth concerns would be enough to merit a proactive agent type scenario as opposed to a centralized management server that parses all data on the network, ATM would be out for this application for example... __________________________________________________________________ Gregory Perry phone: 703.318.7134 Trusted Computer Solutions, Inc. fax: 703.318.5041 13873 Park Center Road Suite 225 email: gperry@tcs-sec.com Herndon, VA 20171 http://www.tcs-sec.com __________________________________________________________________ From firewalls-owner Fri Jan 2 13:14:42 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA28904; Fri, 2 Jan 1998 13:04:11 -0800 (PST) Received: from tango.lightech.com.ar (tango.lightech.com.ar [200.0.253.134]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id NAA28897 for ; Fri, 2 Jan 1998 13:04:02 -0800 (PST) Received: from lightech.com.ar (plata.gaucho.com.ar [200.5.254.173]) by tango.lightech.com.ar (8.8.7/8.8.7) with ESMTP id UAA17781; Fri, 2 Jan 1998 20:41:01 GMT Message-ID: <34AD01AF.97E7A701@lightech.com.ar> Date: Fri, 02 Jan 1998 18:03:11 +0300 From: Sergio Bollini Organization: LighTech X-Mailer: Mozilla 4.04 [en] (X11; I; SunOS 5.5.1 sun4m) MIME-Version: 1.0 To: "fw-1-mailinglist@us.checkpoint.com" , "firewalls@greatcircle.com" Subject: fw-1 asmtpd banner Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello all! Just a little question: does anybody know how to modify the fw-1 smtp server's banner? I think it isn't a good idea to advertise that you are using a firewall (not to mention product and version). TIA -- Sergio E. Bollini LighTech Voice: (54-1) 373-1141 Ayacucho 563. Piso 13 Dto "A" FAX: (54-1) 373-1215 (1026) Buenos Aires e-mail: sbollini@lightech.com.ar Argentina URL: http://www.lightech.com.ar From firewalls-owner Fri Jan 2 15:14:52 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA07465; Fri, 2 Jan 1998 15:07:48 -0800 (PST) Received: from vulcan.achq.dnd.ca ([205.200.255.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id PAA07448 for ; Fri, 2 Jan 1998 15:07:41 -0800 (PST) Received: by vulcan.achq.dnd.ca; (5.65v3.2/1.3/10May95) id AA03205; Fri, 2 Jan 1998 17:10:31 -0600 Message-Id: <34AD73E7.DF4A5A0F@vulcan.achq.dnd.ca> Date: Fri, 02 Jan 1998 17:10:34 -0600 Received: from [205.200.255.102] by vulcan (smtpxd); id XA03202 From: Rob Janzen Reply-To: rob@vulcan.achq.dnd.ca Organization: 17 Wing Winnipeg X-Mailer: Mozilla 4.03 [en] (Win95; I) Mime-Version: 1.0 To: firewalls@greatcircle.com Subject: TACAS+ Authentication Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Good morning: I curently have a systems running CiscoSecure 1.x to provide tacas+ authentication for dial-in users. The system running it is using SunOS 4.1.4. To reduce the numbers of versions of UNIX that I need to maintain, I would like to upgrade the server to Solaris. I have two questions: Will CiscoSecure 1.x run under Solaris? If not, can anyone recommend a good freeware replacement that will? (Our budget is tight enough that avoiding paying for an upgrade is a *good thing*....) Thanks. Rob Janzen From firewalls-owner Fri Jan 2 17:44:39 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id RAA16806; Fri, 2 Jan 1998 17:29:42 -0800 (PST) Received: from gatekeeper.bh.org (gatekeeper.bh.org [204.68.182.1]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id RAA16799 for ; Fri, 2 Jan 1998 17:29:37 -0800 (PST) Received: from bh.org (bhhome.bh.org [204.68.182.2]) by gatekeeper.bh.org (8.8.8/8.8.5) with ESMTP id UAA13649; Fri, 2 Jan 1998 20:27:57 -0500 Message-ID: <34AD9480.A6B46B48@bh.org> Date: Fri, 02 Jan 1998 20:29:36 -0500 From: Bill Heiser X-Mailer: Mozilla 4.04 [en] (WinNT; U) MIME-Version: 1.0 To: Sergio Bollini CC: "fw-1-mailinglist@us.checkpoint.com" , "firewalls@greatcircle.com" Subject: Re: [FW1] fw-1 asmtpd banner References: <34AD01AF.97E7A701@lightech.com.ar> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Sergio Bollini wrote: > Just a little question: does anybody know how to modify the fw-1 smtp > server's banner? I think it isn't a good idea to advertise that you are > using a firewall (not to mention product and version). I second this request - the SMTP Security Server should definitly not advertise what it is ... From firewalls-owner Fri Jan 2 18:59:51 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id SAA23882; Fri, 2 Jan 1998 18:55:39 -0800 (PST) Received: from lint.cisco.com (lint.cisco.com [171.68.223.44]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id SAA23875 for ; Fri, 2 Jan 1998 18:55:34 -0800 (PST) Received: from lint.cisco.com (rfarnswo-isdn2.cisco.com [171.68.22.43]) by lint.cisco.com (8.8.5/CISCO.SERVER.1.2) with ESMTP id SAA23336; Fri, 2 Jan 1998 18:55:03 -0800 (PST) Message-ID: <34ADA873.A5D3427F@lint.cisco.com> Date: Fri, 02 Jan 1998 18:54:44 -0800 From: "Roger W. Farnsworth" Reply-To: rfarnswo@cisco.com Organization: Cisco Systems, Inc. X-Mailer: Mozilla 4.04 [en] (Win95; U) MIME-Version: 1.0 To: rob@vulcan.achq.dnd.ca CC: firewalls@greatcircle.com Subject: Re: TACAS+ Authentication References: <34AD73E7.DF4A5A0F@vulcan.achq.dnd.ca> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Rob, Cisco's main AAA servers are commercially supported products for Solaris and Windows NT. Cisco Secure ACS is the family name. We provide support and regular maintenance releases for these products. We also charge for them. With that said, there are freeware reference implementations of TACACS+ available via anonymous ftp from Cisco. ftp://ftp-eng/pub/tacacs+/ These software downloads are provided for the convenience of software developers looking to code their own T+ servers and or applications. Cisco provides this software as-is, without warranty or support, for those that have a need for it. The latest version (including docs) is available at: ftp://ftp-eng/pub/tacacs+/tac_plus.F4.0.1.alpha.tar.Z If you would like to download the reference implementation and compile it for Solaris, feel free. But you will be on your own for support outside the included documentation. If you don't have the budget for a supported copy of Cisco Secure, but do have the budget to do your own compiling, troubleshooting, and bug fixes, then this is probably the right way to go. Personally, I'd rather pay for the program and let Cisco take the abuse. ;-) Cheers, R. Rob Janzen wrote: > > Good morning: > > I curently have a systems running CiscoSecure 1.x to provide tacas+ > authentication for dial-in users. > > The system running it is using SunOS 4.1.4. To reduce the numbers of > versions of UNIX that I need to maintain, I would like to upgrade the > server to Solaris. I have two questions: > > Will CiscoSecure 1.x run under Solaris? > If not, can anyone recommend a good freeware replacement that will? > > (Our budget is tight enough that avoiding paying for an upgrade is a > *good thing*....) > > Thanks. > > Rob Janzen -- Roger W. Farnsworth Manager, Cisco Security Solutions From firewalls-owner Fri Jan 2 21:14:30 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id UAA03099; Fri, 2 Jan 1998 20:59:44 -0800 (PST) Received: from davinci.netaxis.COM (davinci.netaxis.com [198.69.103.4]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id UAA03091 for ; Fri, 2 Jan 1998 20:59:39 -0800 (PST) From: ME22g701Q@worktow1est.com Received: from Z9R84HG6q (jac-fl3-13.ix.netcom.com [204.31.245.109]) by davinci.netaxis.COM (8.8.8/8.7.3) with SMTP id XAA13560; Fri, 2 Jan 1998 23:44:00 -0500 (EST) DATE: 01 Jan 98 11:59:53 PM Message-ID: <052aM05d4tWmmp7KunH> TO: eduacation@children423.net SUBJECT: Give Your Child "One of the Best Children's Videos"" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk The holidays are upon us. If you're like a lot of people, you struggle to find gifts for your children that will entertain and amuse them at the same time. Well, here's a gift that will delight your child - A Is For Airplane! "A Is For Airplane" is the award-winning educational video that shows kids all the fun and teamwork involved in running an airline. "A Is For Airplane" gets viewers behind the scenes at the airport! Kids get to see: * The ticket counter! * Inside the baggage system! * On the ramp with the baggage loaders and fuelers! * In the catering kitchens! * Inside the control tower! * In the hangar with the mechanics! * At the boarding gate! * And even in the COCKPIT of a real Boeing 757! Parenting Magazine calls "A Is For Airplane" "One of the Best Videos of 1996!" It's also Approved by the Parent's Choice Foundation! Thousands of copies of "A Is For Airplane" have been sold for $14.95, but as an Internet Special this holiday season you can get "A Is For Airplane" for only $11.95 (plus shipping and handling.) ORDER TODAY FOR GUARANTEED HOLIDAY DELIVERY! You can order "A Is For Airplane" by calling our toll-free number - 800-250-4210. If you'd like more information, visit our Website at www.ppmm.com/jfp/jfp1297.htm or CLICK HERE! Thank you for your time... Johnson Family Productions Madison, WI From firewalls-owner Fri Jan 2 21:59:46 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id VAA09298; Fri, 2 Jan 1998 21:52:35 -0800 (PST) Received: from ns.telegroup.com (ns.telegroup.com [208.219.0.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id VAA09291 for ; Fri, 2 Jan 1998 21:52:29 -0800 (PST) Received: from telegroup.com ([208.219.1.30]) by ns.telegroup.com (8.8.5/8.8.5) with SMTP id XAA12345 for ; Fri, 2 Jan 1998 23:48:38 -0600 (CST) Received: from radius.telegroup.com (radius.telegroup.com [10.1.2.10]) by telegroup.com (8.8.5/8.8.5) with ESMTP id XAA19679 for ; Fri, 2 Jan 1998 23:52:10 -0600 (CST) Received: from mandrake.telegroup.com (macke@[208.219.1.177]) by radius.telegroup.com (8.8.5/8.8.3) with SMTP id XAA27619 for ; Fri, 2 Jan 1998 23:52:10 -0600 (CST) Date: Fri, 2 Jan 1998 23:52:09 -0600 (CST) From: Brian Macke Reply-To: bmacke@telegroup.com To: firewalls@greatcircle.com Subject: Re: Give Your Child "One of the Best Children's Videos"" In-Reply-To: <052aM05d4tWmmp7KunH> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On 1 Jan 1998 ME22g701Q@worktow1est.com wrote: > [ More advertising drivel ] > * The ticket counter! > * Inside the baggage system! > * On the ramp with the baggage loaders and fuelers! > * In the catering kitchens! > * Inside the control tower! > * In the hangar with the mechanics! > * At the boarding gate! > * And even in the COCKPIT of a real Boeing 757! What? No grisly images of a bust/shakedown of someone attempting to smuggle drugs through an airport? What better message for little kiddies than showing what will happen if you're not smart and hide your drugs the right way.... > Parenting Magazine calls "A Is For Airplane" "One of the Best Videos of > 1996!" It's also Approved by the Parent's Choice Foundation! ....and the Firewalls Mailing list calls this "S is for SPAM and L is for lawsuit." > Thousands of copies of "A Is For Airplane" have been sold for $14.95, but as > an Internet Special this holiday season you can get "A Is For Airplane" for > only $11.95 (plus shipping and handling.) ORDER TODAY FOR GUARANTEED HOLIDAY > DELIVERY! Well, whoopie! That'll get me outta my Dilbertesque cave and talk to humans for the first time in years... > or CLICK HERE! WHERE? WHERE? I keep clicking and nothing happens?!?! Is this a VIRUS? Do I need the Quickmail Upgrade so I can click on things and make things magically happen??? The Help Desk is busy... HELP ME! -Brian James Macke macke@telegroup.com Unix SysAdmin/Security Specialist Telegroup, Inc. "In order to get that which you wish for, you must first get that which builds it." -- Unknown From firewalls-owner Sat Jan 3 00:44:26 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id AAA18672; Sat, 3 Jan 1998 00:29:27 -0800 (PST) Received: from do.nachtwacht.nl (pino.demon.nl [194.159.226.41]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id AAA18662 for ; Sat, 3 Jan 1998 00:29:21 -0800 (PST) Received: from localhost (arjan@localhost) by do.nachtwacht.nl (8.8.4/8.8.4) with SMTP id KAA00543; Sat, 3 Jan 1998 10:29:29 +0100 Date: Sat, 3 Jan 1998 10:29:29 +0100 (MET) From: Arjan Vos To: Gregory Perry cc: Frank Willoughby , James Terry , firewalls@greatcircle.com Subject: Re: firewall audit service referral In-Reply-To: <3.0.5.32.19980102102426.007d13c0@lambic> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 2 Jan 1998, Gregory Perry wrote: > >CAUTION: > >Beware of any organizations which will perform a remote firewall > >penetration test. > >This is an inherently dangerous practice which has the potential of leading > >hackers > >to their next victims. > > > >Best Regards, > > > > > >Frank > > I don't guess I understand what you are getting at, remote penetration > testing is an absolute necessity for any type of Internet related security > audit - which would you rather happen, have an outside firm discover flaws > in your Internet connected network, or have a hacker find and exploit the > flaw(s) instead? > Some months ago, there has been some discussions on this list about the dangers - and pros and cons so to say - of doing remote penetration tests. Frank did make some good points for *not* doing remote penetration tests, though I think his points are not a reason enough for skipping these tests. They do however bring forward the requirements of care that should be taken when doing remote tests. And unfortunately it is true that some companies who do penetation testing do not take enough care - maybe then it is better not to perform remote penetration tests. Check out the archives, because the discussion was very interesting... Gr. Arjan -- Eat hard Sleep hard Wear glasses if you need them From firewalls-owner Sat Jan 3 04:14:26 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id EAA02881; Sat, 3 Jan 1998 04:01:06 -0800 (PST) Received: from relay.kacst.edu.sa (ns1.kacst.edu.sa [198.77.88.3]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id EAA02874 for ; Sat, 3 Jan 1998 04:00:59 -0800 (PST) Received: from ns1.kfupm.edu.sa ([198.77.102.26]) by relay.kacst.edu.sa (8.7.5/8.7.3) with ESMTP id OAA21000 for ; Sat, 3 Jan 1998 14:55:35 -0300 (GMT) Received: from dpc107.dpc.kfupm.edu.sa ([196.15.32.8]) by ns1.kfupm.edu.sa (8.7.5/8.7.3) with ESMTP id OAA45704 for ; Sat, 3 Jan 1998 14:54:06 +0300 Received: (from s961807@localhost) by dpc107.dpc.kfupm.edu.sa (8.7.5/8.7.3) id OAA101299; Sat, 3 Jan 1998 14:56:43 +0300 Date: Sat, 3 Jan 1998 14:56:42 +0300 (SAUST) From: zaki al-halal To: Firewalls@GreatCircle.COM Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk From firewalls-owner Sat Jan 3 06:29:30 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA11981; Sat, 3 Jan 1998 06:26:35 -0800 (PST) Received: from alpha2000.tech-comm.com ([209.149.125.3]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id GAA11945 for ; Sat, 3 Jan 1998 06:26:25 -0800 (PST) Received: by alpha2000.tech-comm.com; (8.8.5/1.1.8.2/05Jun95-1217PM) id IAA22263; Sat, 3 Jan 1998 08:20:20 -0600 (CST) Date: Sat, 3 Jan 1998 08:20:20 -0600 (CST) From: Dick Brooks Message-Id: <199801031420.IAA22263@alpha2000.tech-comm.com> To: rfarnswo@cisco.com, rob@vulcan.achq.dnd.ca Subject: Re: TACAS+ Authentication Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Roger wrote: >The latest version (including docs) is available at: >ftp://ftp-eng/pub/tacacs+/tac_plus.F4.0.1.alpha.tar.Z I just tried to donload the above and recevied an error: ftp> get pub/tacacs+/tac_plus.F4.0.1.alpha.tar.Z local: pub/tacacs+/tac_plus.F4.0.1.alpha.tar.Z: No such file or directory Dick Brooks dick@8760.com Chief Technical Officer Tel. 205-250-8053 Group 8760 LLC WWW URL: http://www.8760.com/ SECURE ELECTRONIC COMMERCE SOLUTIONS FOR HEALTHCARE AND NATURAL GAS INDUSTRIES From firewalls-owner Sat Jan 3 09:29:35 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA20127; Sat, 3 Jan 1998 09:17:06 -0800 (PST) Received: from lint.cisco.com (lint.cisco.com [171.68.223.44]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id JAA20120 for ; Sat, 3 Jan 1998 09:17:02 -0800 (PST) Received: from rfarnswo-pc.cisco.com (rfarnswo-isdn2.cisco.com [171.68.22.43]) by lint.cisco.com (8.8.5/CISCO.SERVER.1.2) with SMTP id JAA18506; Sat, 3 Jan 1998 09:16:17 -0800 (PST) Message-Id: <3.0.3.32.19980103091340.008954d0@lint.cisco.com> X-Sender: rfarnswo@lint.cisco.com X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Sat, 03 Jan 1998 09:13:40 -0800 To: Dick Brooks , rob@vulcan.achq.dnd.ca From: "Roger W. Farnsworth" Subject: Re: TACACS+ Authentication Cc: firewalls@greatcircle.com In-Reply-To: <199801031420.IAA22263@alpha2000.tech-comm.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Let me check. R. At 08:20 AM 1/3/98 -0600, Dick Brooks wrote: >Roger wrote: > >>The latest version (including docs) is available at: > >>ftp://ftp-eng/pub/tacacs+/tac_plus.F4.0.1.alpha.tar.Z > >I just tried to donload the above and recevied an error: > >ftp> get pub/tacacs+/tac_plus.F4.0.1.alpha.tar.Z >local: pub/tacacs+/tac_plus.F4.0.1.alpha.tar.Z: No such file or directory > > >Dick Brooks dick@8760.com >Chief Technical Officer Tel. 205-250-8053 >Group 8760 LLC WWW URL: http://www.8760.com/ >SECURE ELECTRONIC COMMERCE SOLUTIONS FOR HEALTHCARE AND NATURAL GAS INDUSTRIES > > From firewalls-owner Sat Jan 3 09:44:27 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA21409; Sat, 3 Jan 1998 09:37:07 -0800 (PST) Received: from lint.cisco.com (lint.cisco.com [171.68.223.44]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id JAA21385 for ; Sat, 3 Jan 1998 09:37:00 -0800 (PST) Received: from rfarnswo-pc.cisco.com (rfarnswo-isdn2.cisco.com [171.68.22.43]) by lint.cisco.com (8.8.5/CISCO.SERVER.1.2) with SMTP id JAA23618 for ; Sat, 3 Jan 1998 09:36:48 -0800 (PST) Message-Id: <3.0.3.32.19980103093623.008935e0@lint.cisco.com> X-Sender: rfarnswo@lint.cisco.com X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Sat, 03 Jan 1998 09:36:23 -0800 To: firewalls@greatcircle.com From: "Roger W. Farnsworth" Subject: Re: TACACS+ Authentication Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Dick, I'm puzzled. I just downloaded the file with no problems. 9:22a PST. I got it while connected with Netscape and again with my ftp client. I can't imagine what the problem might be. If you keep having problems, please contact me directly and we'll try to sort it out. R. At 08:20 AM 1/3/98 -0600, Dick Brooks wrote: >Roger wrote: > >>The latest version (including docs) is available at: > >>ftp://ftp-eng/pub/tacacs+/tac_plus.F4.0.1.alpha.tar.Z > >I just tried to donload the above and recevied an error: > >ftp> get pub/tacacs+/tac_plus.F4.0.1.alpha.tar.Z >local: pub/tacacs+/tac_plus.F4.0.1.alpha.tar.Z: No such file or directory > > >Dick Brooks dick@8760.com >Chief Technical Officer Tel. 205-250-8053 >Group 8760 LLC WWW URL: http://www.8760.com/ >SECURE ELECTRONIC COMMERCE SOLUTIONS FOR HEALTHCARE AND NATURAL GAS INDUSTRIES > > From firewalls-owner Sat Jan 3 11:28:19 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA01286; Sat, 3 Jan 1998 11:08:28 -0800 (PST) Received: from mail.matav.hu (castor.matav.net [145.236.224.250]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id LAA01271 for ; Sat, 3 Jan 1998 11:08:17 -0800 (PST) Received: (qmail 26215 invoked from network); 3 Jan 1998 20:08:05 +0100 Received: from line-208-135.dial.matav.net (HELO default) (145.236.208.135) by mail.matav.hu with SMTP; 3 Jan 1998 20:08:05 +0100 Reply-To: "Takacs Istvan" From: "Takacs Istvan" To: Subject: Re: Re: Intrusion Detection - Switched Network Date: Sat, 3 Jan 1998 20:06:54 +0100 Message-ID: <01bd187a$c1752ac0$LocalHost@default> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-2" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.71.1712.3 X-MimeOLE: Produced By Microsoft MimeOLE V4.71.1712.3 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, > It has to be in the hub if you want to do network based IDS on fully > switched networks. The IDS has to live somewhere on the data path. Could you offer me a product, which has that kind of security feature? Regards. Istvan Takacs mailto:anonymus@mail.matav.hu p.s.: Happy New Year! From firewalls-owner Sat Jan 3 11:29:21 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA01285; Sat, 3 Jan 1998 11:08:25 -0800 (PST) Received: from mail.matav.hu (castor.matav.net [145.236.224.250]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id LAA01272 for ; Sat, 3 Jan 1998 11:08:17 -0800 (PST) Received: (qmail 26184 invoked from network); 3 Jan 1998 20:08:00 +0100 Received: from line-208-135.dial.matav.net (HELO default) (145.236.208.135) by mail.matav.hu with SMTP; 3 Jan 1998 20:08:00 +0100 Reply-To: "Takacs Istvan" From: "Takacs Istvan" To: Subject: Any document about cracker's technic? Date: Sat, 3 Jan 1998 19:55:51 +0100 Message-ID: <01bd1879$3656a780$LocalHost@default> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-2" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.71.1712.3 X-MimeOLE: Produced By Microsoft MimeOLE V4.71.1712.3 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, Could you offer me some good links, books, videos or any kind of documents about the crackers technics? You always talk about the IDS, and how they work. But I'd like to know what I have to look for in my company's network. We just started to use the commercial side of Internet and for this reason I think we have to prepare to the crackers attacks. I don't ask for exact description, just for how they try to break into the internal network. Thank you! Regards. Istvan Takacs mailto:anonymus@mail.matav.hu p.s.: Please, write to my own address, too. Thanks. From firewalls-owner Sat Jan 3 14:59:27 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA16629; Sat, 3 Jan 1998 14:46:48 -0800 (PST) Received: from brussels.cisco.com (brussels.cisco.com [171.68.129.238]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id OAA16622 for ; Sat, 3 Jan 1998 14:46:42 -0800 (PST) Received: from evyncke-pc.cisco.com (evyncke-isdn-home.cisco.com [171.68.148.198]) by brussels.cisco.com (8.8.5/8.8.5) with SMTP id XAA06477; Sat, 3 Jan 1998 23:44:32 +0100 (MET) Message-Id: <3.0.5.32.19980103234333.00926a10@brussels.cisco.com> X-Sender: evyncke@brussels.cisco.com X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Sat, 03 Jan 1998 23:43:33 +0100 To: "Roger W. Farnsworth" , firewalls@GreatCircle.COM From: Eric Vyncke Subject: Re: TACACS+ Authentication Cc: dick@8760.com In-Reply-To: <3.0.3.32.19980103093623.008935e0@lint.cisco.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Dick, I have just done it as well from outside Cisco (so there is no protection involved), be sure to use ftp://ftp-eng.cisco.com/pub/tacacs+/tac_plus.F4.0.1.alpha.tar.Z with the cisco.com that Roger forgot ;-) Best regards -eric At 09:36 3/01/98 -0800, Roger W. Farnsworth wrote: >Dick, > >I'm puzzled. I just downloaded the file with no problems. 9:22a PST. I >got it while connected with Netscape and again with my ftp client. I can't >imagine what the problem might be. If you keep having problems, please >contact me directly and we'll try to sort it out. > >R. > >At 08:20 AM 1/3/98 -0600, Dick Brooks wrote: >>Roger wrote: >> >>>The latest version (including docs) is available at: >> >>>ftp://ftp-eng/pub/tacacs+/tac_plus.F4.0.1.alpha.tar.Z >> >>I just tried to donload the above and recevied an error: >> >>ftp> get pub/tacacs+/tac_plus.F4.0.1.alpha.tar.Z >>local: pub/tacacs+/tac_plus.F4.0.1.alpha.tar.Z: No such file or directory >> >> >>Dick Brooks dick@8760.com >>Chief Technical Officer Tel. 205-250-8053 >>Group 8760 LLC WWW URL: http://www.8760.com/ >>SECURE ELECTRONIC COMMERCE SOLUTIONS FOR HEALTHCARE AND NATURAL GAS >INDUSTRIES >> >> > Eric Vyncke Technical Consultant Cisco Systems Belgium SA/NV Phone: +32-2-778.4677 Fax: +32-2-778.4300 E-mail: evyncke@cisco.com Mobile: +32-75-312.458 From firewalls-owner Sat Jan 3 17:14:31 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id RAA26380; Sat, 3 Jan 1998 17:03:11 -0800 (PST) Received: from alpha2000.tech-comm.com ([209.149.125.3]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id RAA26373 for ; Sat, 3 Jan 1998 17:03:07 -0800 (PST) Received: by alpha2000.tech-comm.com; (8.8.5/1.1.8.2/05Jun95-1217PM) id SAA23375; Sat, 3 Jan 1998 18:56:58 -0600 (CST) Date: Sat, 3 Jan 1998 18:56:58 -0600 (CST) From: Dick Brooks Message-Id: <199801040056.SAA23375@alpha2000.tech-comm.com> To: evyncke@cisco.com, firewalls@GreatCircle.COM, rfarnswo@cisco.com Subject: Re: TACACS+ Authentication Cc: dick@8760.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Thanks. From firewalls-owner Sat Jan 3 20:14:51 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id UAA09006; Sat, 3 Jan 1998 20:00:23 -0800 (PST) Received: from peyote.coast.net (peyote.coast.net [206.84.176.169]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id UAA08979; Sat, 3 Jan 1998 20:00:14 -0800 (PST) Received: from peyote.coast.net (kimminau@peyote.coast.net [206.84.176.169]) by peyote.coast.net (8.8.7/8.8.7) with SMTP id WAA27686; Sat, 3 Jan 1998 22:59:38 -0500 Date: Sat, 3 Jan 1998 22:59:38 -0500 (EST) From: Eric Kimminau To: Firewalls@GreatCircle.COM cc: firewalls-digest@GreatCircle.COM, V.Vergotis@asyk.ase.gr Subject: Re: Firewalls-Digest V7 #3 In-Reply-To: <199801030901.BAA21198@honor.greatcircle.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Sat, 3 Jan 1998, Firewalls-Digest wrote: > Date: Fri, 2 Jan 1998 13:35:57 +0200 > From: Vasilis Vergotis > Subject: DNS and Mail setup via firewall > > Hello to everybody and happy new year! Happy New Year! > The external mail server receives the mail for the zone company.gr and > it forwards it to the internal mail server via SMTP. The external DNS > server knows nothing about the internal. > > Internally the DNS server is knows only the zone internal.company.gr for this is a problem unless you have DNS set up correctly with MV records for company.gr which forwards to the external mail server which would then forward to user@internal.company.gr. A much simpler solution would be to MX mail.company.gr to mail.internal.company.gr on the internal DNS server. > whitch he is primary and for the things he does not know he asks the > external DNS server. The internal mail server receives the mail for the > zone internal.company.gr as well as the mail for the zone company.gr > that the external mail server forwards. so as far as everyone inside the company is concerned, the internal mail server IS company.gr. You should also be looking in the sendmail book concerning CW records. Hope that helps. Eric. ============================================================================= "I am the downhill tumble and roll champ, king of the toad finders, captain of the high altitude tree branch vista club, second place finisher in the round the yard backward dash, premier burper state division, sodbuster and worm scout first order, and generalissimo of the mud and mayhem society." Calvin, 1995 Eric Kimminau kimminau@coast.net From firewalls-owner Sun Jan 4 01:59:29 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id BAA03873; Sun, 4 Jan 1998 01:51:18 -0800 (PST) Received: from xanadu.io.com (xanadu.io.com [199.170.88.6]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id BAA03779 for ; Sun, 4 Jan 1998 01:50:59 -0800 (PST) Received: from localhost (cooper@localhost) by xanadu.io.com (8.8.5/8.8.5) with SMTP id DAA18322; Sun, 4 Jan 1998 03:50:46 -0600 (CST) X-Authentication-Warning: xanadu.io.com: cooper owned process doing -bs Date: Sun, 4 Jan 1998 03:50:46 -0600 (CST) From: William Cooper To: Takacs Istvan cc: Firewalls@GreatCircle.COM Subject: Re: Any document about cracker's technic? In-Reply-To: <01bd1879$3656a780$LocalHost@default> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk www.rootshell.com is a good place for exploits used to break/break into systems. for a million others just do a web search! - bill On Sat, 3 Jan 1998, Takacs Istvan wrote: > Hi, > > Could you offer me some good links, books, videos > or any kind of documents about the crackers technics? > > You always talk about the IDS, and how they work. > But I'd like to know what I have to look for in my company's > network. > We just started to use the commercial side of Internet and for this > reason I think we have to prepare to the crackers attacks. > > I don't ask for exact description, just for how they try to > break into the internal network. > > Thank you! > > Regards. > > Istvan Takacs > mailto:anonymus@mail.matav.hu > > p.s.: Please, write to my own address, too. Thanks. > - bill cooper@io.com From firewalls-owner Sun Jan 4 08:00:29 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA19625; Sun, 4 Jan 1998 07:47:26 -0800 (PST) Received: from mail.matav.hu (castor.matav.net [145.236.224.250]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id HAA19618 for ; Sun, 4 Jan 1998 07:47:20 -0800 (PST) Received: (qmail 11569 invoked from network); 4 Jan 1998 16:47:18 +0100 Received: from line-208-102.dial.matav.net (HELO default) (145.236.208.102) by mail.matav.hu with SMTP; 4 Jan 1998 16:47:18 +0100 Reply-To: "Takacs Istvan" From: "Takacs Istvan" To: Subject: Re: Any documents about crackers techniks? Date: Sun, 4 Jan 1998 16:37:39 +0100 Message-ID: <01bd1926$b052a5e0$LocalHost@default> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-2" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.71.1712.3 X-MimeOLE: Produced By Microsoft MimeOLE V4.71.1712.3 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, I'd like to thanks for everyone, who sent me an answer for the topic above! Thank you very much! Regards. Istvan Takacs mailto:anonymus@mail.matav.hu From firewalls-owner Sun Jan 4 08:44:37 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA24197; Sun, 4 Jan 1998 08:36:42 -0800 (PST) Received: from www.allensysgroup.com ([205.245.8.5]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id IAA24190 for ; Sun, 4 Jan 1998 08:36:38 -0800 (PST) Received: from bobby ([166.55.57.197]) by www.allensysgroup.com (Post.Office MTA v3.1 release PO205e ID# 0-40603U300L100S0) with ESMTP id AAA131; Sun, 4 Jan 1998 11:35:03 -0500 From: bbrown@allensysgroup.com (Bobby Brown) To: "Takacs Istvan" , Subject: Re: Any documents about crackers techniks? Date: Sun, 4 Jan 1998 11:41:26 -0500 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1155 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-2 Content-Transfer-Encoding: 7bit Message-ID: <19980104163502140.AAA131@bobby> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk With your thanks, how about a summary of your responses that should always be sent back to the list. Bobby ---------- > From: Takacs Istvan > To: firewalls@greatcircle.com > Subject: Re: Any documents about crackers techniks? > Date: Sunday, January 04, 1998 10:37 AM > > Hi, > > I'd like to thanks for everyone, who sent me an answer for the topic > above! > > Thank you very much! > > Regards. > > Istvan Takacs > mailto:anonymus@mail.matav.hu From firewalls-owner Sun Jan 4 08:59:30 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA23883; Sun, 4 Jan 1998 08:29:25 -0800 (PST) Received: from mtigwc04.worldnet.att.net (mtigwc04.worldnet.att.net [204.127.131.33]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id IAA23869 for ; Sun, 4 Jan 1998 08:29:20 -0800 (PST) From: mht@clark.net Received: from highlander ([12.68.178.232]) by mtigwc04.worldnet.att.net (post.office MTA v2.0 0613 ) with SMTP id AAA15543 for ; Sun, 4 Jan 1998 16:29:11 +0000 Message-Id: <3.0.3.32.19980104112649.00a21cd0@pop3.clark.net> X-Sender: mht@pop3.clark.net X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Sun, 04 Jan 1998 11:26:49 -0500 To: firewalls@GreatCircle.COM Subject: Has anyone compared SessionWall 3 release 2 to Network Flight Recorder?? In-Reply-To: <01bd1926$b052a5e0$LocalHost@default> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello, Just wondering if anyone out there has compared SessionWall 3 Release 2 versus Network Flight Recorder or similiar products?? /mht -----BEGIN PGP SIGNATURE----- Version: PGP for Personal Privacy 5.0 Charset: noconv iQA/AwUBNK+4SJazO9ALfO1FEQJ50gCeIhEsOQPhkBQgNuXFutjsNyVbYjoAn353 xJe2oM35qExWltqP/CVKhIGE =PqpV -----END PGP SIGNATURE----- ------------------------------------------------------ "GREETINGS PROFESSOR FALKEN." "SHALL WE PLAY A GAME??" ------------------------------------------------------ From firewalls-owner Sun Jan 4 09:59:41 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA05724; Sun, 4 Jan 1998 09:50:06 -0800 (PST) Received: from smtp1.mailsrvcs.net (smtp1.gte.net [207.115.153.30]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id JAA05712 for ; Sun, 4 Jan 1998 09:50:00 -0800 (PST) Received: from earnhart ([199.180.4.35]) by smtp1.mailsrvcs.net with SMTP id LAA22421; Sun, 4 Jan 1998 11:49:11 -0600 (CST) Message-ID: <007e01bc8b5a$b40e12f0$2304b4c7@earnhart.gte.net> From: "Gregg Earnhart" To: , Subject: Re: Has anyone compared SessionWall 3 release 2 to Network Flight Recorder?? Date: Mon, 7 Jul 1997 23:52:13 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.2106.4 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I have had SessionWall since the first Beta. I have had RealSecure prior to SessionWall. I hate RealSecure! I played with NFR for a week or two and being a GUI guy, I went back to SessionWall. A whole new look in SessionWall is coming out next week!!! Many of the request that I had from Abirnet have been added in (unusual for a company to actually add features that are requested ---ISS). I hope to deploy SessionWall after the first of the year. Gregg Earnhart GTE --------------------------- The views expressed are simply my own and no one else. --------------------------- -----Original Message----- From: mht@clark.net To: firewalls@GreatCircle.COM Date: Sunday, January 04, 1998 12:14 PM Subject: Has anyone compared SessionWall 3 release 2 to Network Flight Recorder?? >-----BEGIN PGP SIGNED MESSAGE----- >Hash: SHA1 > >Hello, > >Just wondering if anyone out there has compared SessionWall 3 Release >2 versus Network Flight Recorder or similiar products?? > >/mht >-----BEGIN PGP SIGNATURE----- >Version: PGP for Personal Privacy 5.0 >Charset: noconv > >iQA/AwUBNK+4SJazO9ALfO1FEQJ50gCeIhEsOQPhkBQgNuXFutjsNyVbYjoAn353 >xJe2oM35qExWltqP/CVKhIGE >=PqpV >-----END PGP SIGNATURE----- > >------------------------------------------------------ >"GREETINGS PROFESSOR FALKEN." > "SHALL WE PLAY A GAME??" >------------------------------------------------------ > From firewalls-owner Sun Jan 4 10:44:27 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA08586; Sun, 4 Jan 1998 10:38:10 -0800 (PST) Received: from mtigwc04.worldnet.att.net (mtigwc04.worldnet.att.net [204.127.131.33]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id KAA08551 for ; Sun, 4 Jan 1998 10:38:01 -0800 (PST) From: mht@clark.net Received: from highlander ([12.68.178.232]) by mtigwc04.worldnet.att.net (post.office MTA v2.0 0613 ) with SMTP id AAA26242; Sun, 4 Jan 1998 18:37:51 +0000 Message-Id: <3.0.3.32.19980104133527.00a38d40@pop3.clark.net> X-Sender: mht@pop3.clark.net X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Sun, 04 Jan 1998 13:35:27 -0500 To: "Gregg Earnhart" , Subject: Re: SessionWall 3 release 2 vs Network Flight Recorder?? In-Reply-To: <007e01bc8b5a$b40e12f0$2304b4c7@earnhart.gte.net> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Gregg, At 11:52 PM 7/7/97 -0500, Gregg Earnhart wrote: >I have had SessionWall since the first Beta. I have had RealSecure prior to >SessionWall. I just received Session Wall Release 2, and I saw some significant changes but not enough changes to allow myself to use a product that ships with no real documentation.. :( I still have a problem with their license agreement which cannot be printed out from their installation script. I hate RealSecure! Yes, I tend to agree with you on that. RealSecure is a very powerful tool, but it requires a clear understanding in what options you choose in a particular environment when using it.. I played with NFR for a week or two and >being a GUI guy, I went back to SessionWall. A whole new look in >SessionWall is coming out next week!!! Overall, I wish one of the local trades magazines would initiate a Consumer Report comparison of the current IDS tools or "clue- gathering tools" available and new ones that are emerging... (HINT, HINT) /mht Many of the request that I had from >Abirnet have been added in (unusual for a company to actually add features >that are requested ---ISS). I hope to deploy SessionWall after the first of >the year. > >Gregg Earnhart >GTE > >--------------------------- >The views expressed are simply my own and no one else. >--------------------------- >-----Original Message----- >From: mht@clark.net >To: firewalls@GreatCircle.COM >Date: Sunday, January 04, 1998 12:14 PM >Subject: Has anyone compared SessionWall 3 release 2 to Network Flight >Recorder?? > > >>-----BEGIN PGP SIGNED MESSAGE----- >>Hash: SHA1 >> >>Hello, >> >>Just wondering if anyone out there has compared SessionWall 3 Release >>2 versus Network Flight Recorder or similiar products?? >> >>/mht >>-----BEGIN PGP SIGNATURE----- >>Version: PGP for Personal Privacy 5.0 >>Charset: noconv >> >>iQA/AwUBNK+4SJazO9ALfO1FEQJ50gCeIhEsOQPhkBQgNuXFutjsNyVbYjoAn353 >>xJe2oM35qExWltqP/CVKhIGE >>=PqpV >>-----END PGP SIGNATURE----- >> >>------------------------------------------------------ >>"GREETINGS PROFESSOR FALKEN." >> "SHALL WE PLAY A GAME??" >>------------------------------------------------------ >> > > -----BEGIN PGP SIGNATURE----- Version: PGP for Personal Privacy 5.0 Charset: noconv iQA/AwUBNK/WbZazO9ALfO1FEQLqngCdG29jn+TChYlWGqv+bpWHooWJgnAAoLlW 9Nsz8YbouSuIxIepwiGNyU/F =WvLa -----END PGP SIGNATURE----- From firewalls-owner Sun Jan 4 12:14:43 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA18814; Sun, 4 Jan 1998 12:04:48 -0800 (PST) Received: from jurua.dcc.fua.br (jurua.dcc.fua.br [200.17.49.14]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id MAA18776 for ; Sun, 4 Jan 1998 12:04:35 -0800 (PST) Received: from taruman.dcc.fua.br (taruman [200.17.49.19]) by jurua.dcc.fua.br (8.8.5/8.8.4) with ESMTP id UAA17064 for ; Sun, 4 Jan 1998 20:04:00 GMT Received: (from ebm@localhost) by taruman.dcc.fua.br (8.8.5/8.8.4) id OAA17268 for Firewalls@GreatCircle.COM; Sun, 4 Jan 1998 14:59:15 -0400 Date: Sun, 4 Jan 1998 14:59:15 -0400 From: Edierley Batista Messias Message-Id: <199801041859.OAA17268@taruman.dcc.fua.br> To: Firewalls@GreatCircle.COM Subject: Service in Port 1049 Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-MD5: 8tn+H3r7opkBssNMBwe62A== Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi everbody. Some body know, some service that run in port 1049? Thanks. Edierley Messias ebm@dcc.fua.br From firewalls-owner Sun Jan 4 13:29:28 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA25886; Sun, 4 Jan 1998 13:22:22 -0800 (PST) Received: from alpha2000.tech-comm.com ([209.149.125.3]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id NAA25869 for ; Sun, 4 Jan 1998 13:22:14 -0800 (PST) Received: by alpha2000.tech-comm.com; (8.8.5/1.1.8.2/05Jun95-1217PM) id PAA24851; Sun, 4 Jan 1998 15:16:02 -0600 (CST) Date: Sun, 4 Jan 1998 15:16:02 -0600 (CST) From: Dick Brooks Message-Id: <199801042116.PAA24851@alpha2000.tech-comm.com> To: anonymus@mail.matav.hu, bbrown@allensysgroup.com, firewalls@greatcircle.com Subject: Re: Any documents about crackers techniks? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Bobby writes: >With your thanks, how about a summary of your responses >that should always be sent back to the list. >Bobby Good point. The solution required two things: Use the FQDN ftp-eng.cisco.com to access the host, the original post only contained ftp-eng. Remove the + from tacacs+ (i.e. tacacs). Dick Brooks From firewalls-owner Sun Jan 4 13:44:39 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA26389; Sun, 4 Jan 1998 13:31:24 -0800 (PST) Received: from imo18.mx.aol.com (imo18.mx.aol.com [198.81.19.175]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id NAA26380 for ; Sun, 4 Jan 1998 13:31:15 -0800 (PST) From: Kf4aejmatt Message-ID: Date: Sun, 4 Jan 1998 16:18:22 EST To: firewalls@GreatCircle.COM Subject: scientific atlanta 8590,8600 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7bit Organization: AOL (http://www.aol.com) X-Mailer: Inet_Mail_Out (IMOv11) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk i have a 8590 and a 8600 and i like to find the by-pass chip for one of them please call me or e-mail me back or send the information to Matt Arnold 50 lee rd 225 smiths,al 36877 334-298-2939 From firewalls-owner Sun Jan 4 15:14:28 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA06196; Sun, 4 Jan 1998 15:11:02 -0800 (PST) Received: from mail-syd.atinet.com.au (atinet.com.au [203.35.110.3]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id PAA06139 for ; Sun, 4 Jan 1998 15:10:37 -0800 (PST) Received: from ppp-101.atinet.com.au (ppp-101.atinet.com.au [203.35.110.101]) by mail-syd.atinet.com.au (NTMail 3.02.13) with ESMTP id va025267 for ; Mon, 5 Jan 1998 10:09:50 +1100 Received: from beethoven (beethoven.winspace.net [192.168.0.2]) by mozart.winspace.net (8.8.8/8.7.3) with SMTP id KAA06431; Mon, 5 Jan 1998 10:10:30 +1100 X-Fubar: winspace@atinet.com.au From: "Norman Widders" Date: Mon, 5 Jan 1998 10:10:52 +1000 (GMT) Subject: Hardware for seperating LAN from dialouts To: Reply-To: Organization: Paladin Corporation Message-Id: X-Mailer: Paladin IMAP4 Client v2.33 Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Content-Transfer-Encoding: 7BIT Content-ID: X-Info: All Things Internet POP3 Server Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Just wondered if anybody has used those hardware devices that disable LAN connections while a modem dials out to the Internet. It detects when the modem is active thus severing the link to the LAN physically and reconnects the LAN once the modem has disconnected from the LAN. The device is connected to both the modem and LAN and sounds good in theory and I am just wondering what other peoples experience with these are, at $85 it is an ideal solution for small organisations that just want to poll their ISP a few times a day for email. -- Wheres my valium ? From firewalls-owner Sun Jan 4 17:44:28 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id RAA20776; Sun, 4 Jan 1998 17:34:43 -0800 (PST) Received: from sophia.pacific.net.sg (sophia.pacific.net.sg [203.120.90.81]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id RAA20769 for ; Sun, 4 Jan 1998 17:34:38 -0800 (PST) Received: from pop1.pacific.net.sg (pop1.pacific.net.sg [203.120.90.85]) by sophia.pacific.net.sg with ESMTP id JAA25767 for ; Mon, 5 Jan 1998 09:35:13 +0800 (SGT) Received: from benmgmt.sin-co.sg.dhl.com ([199.40.38.112]) by pop1.pacific.net.sg with ESMTP id JAA05408 for ; Mon, 5 Jan 1998 09:34:37 +0800 (SGT) Message-ID: <34B03918.DB1755B5@sin-co.sg.dhl.com> Date: Mon, 05 Jan 1998 09:36:24 +0800 From: Hardi Ismail - Human Resources Reply-To: hardi@sin-co.sg.dhl.com Organization: DHL International - Singapore Country Office X-Mailer: Mozilla 4.01 [en] (Win95; I) MIME-Version: 1.0 To: FIREWALLS@GreatCircle.COM Subject: (no subject) X-Priority: 3 (Normal) Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk USUBSCRIBE FIREWALLS From firewalls-owner Sun Jan 4 23:15:05 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA12545; Sun, 4 Jan 1998 23:01:45 -0800 (PST) Received: from wizard.abirnet.co.il (wizard.abirnet.co.il [194.90.211.10]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id XAA12536 for ; Sun, 4 Jan 1998 23:01:38 -0800 (PST) Received: from hagit1.abirnet.co.il (hagit1.abirnet.co.il [194.90.211.84]) by wizard.abirnet.co.il (8.8.5/8.8.5) with SMTP id JAA18255; Mon, 5 Jan 1998 09:00:39 +0200 From: "Hagit" To: "Edierley Batista Messias" , Subject: Re: Service in Port 1049 Date: Mon, 5 Jan 1998 09:06:05 +0200 Message-ID: <01bd19a8$63b2bc20$54d35ac2@hagit1.abirnet.co.il> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.71.1712.3 X-MimeOLE: Produced By Microsoft MimeOLE V4.71.1712.3 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk No UDP or TCP service on port 1049 is listed in the IANA list. See ftp://ftp.isi.edu/in-notes/iana/assignments/port-numbers Hagit -------------------------------------------------------------------------- AbirNet provides the next generation in Internet and Intranet Protection Get an EVALUATION COPY at --------------------------------------------------------------------------- -----Original Message----- From: Edierley Batista Messias To: Firewalls@GreatCircle.COM Date: Sunday, January 04, 1998 10:45 PM Subject: Service in Port 1049 >Hi everbody. > >Some body know, some service that run in port 1049? > >Thanks. > >Edierley Messias >ebm@dcc.fua.br From firewalls-owner Mon Jan 5 00:29:38 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id AAA19237; Mon, 5 Jan 1998 00:15:22 -0800 (PST) Received: from mail-syd.atinet.com.au (atinet.com.au [203.35.110.3]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id AAA19216 for ; Mon, 5 Jan 1998 00:15:04 -0800 (PST) Received: from ppp-122.atinet.com.au (ppp-122.atinet.com.au [203.35.110.122]) by mail-syd.atinet.com.au (NTMail 3.02.13) with ESMTP id sa025368 for ; Mon, 5 Jan 1998 19:14:30 +1100 Received: from beethoven (beethoven.winspace.net [192.168.0.2]) by mozart.winspace.net (8.8.8/8.7.3) with SMTP id TAA07973; Mon, 5 Jan 1998 19:14:59 +1100 From: "Norman Widders" Date: Mon, 5 Jan 1998 18:40:26 +1000 (GMT) Subject: rootshell has a mailing list To: Reply-To: Organization: Paladin Corporation Message-Id: X-Mailer: Paladin IMAP4 Client v2.33 Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Content-Transfer-Encoding: 7BIT Content-ID: X-Info: All Things Internet POP3 Server Sender: firewalls-owner@GreatCircle.COM Precedence: bulk folks, www.rootshell.com has a mailing list, well worth subscribing imho just to keep abreast of current exploits, useful if you like to see what it is that they are using on us... just started on 1/2/1998, ymmv -- wheres my valium ? From firewalls-owner Mon Jan 5 00:44:37 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id AAA19449; Mon, 5 Jan 1998 00:23:59 -0800 (PST) Received: from guvnor.blackwell.co.uk (guvnor.blackwell.co.uk [194.130.176.129]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id AAA19442 for ; Mon, 5 Jan 1998 00:23:53 -0800 (PST) Received: from exchange1.blackwell.co.uk by guvnor.blackwell.co.uk (MX V4.2 VAX) with SMTP; Mon, 05 Jan 1998 08:24:52 BST Received: by EXCHANGE1 with Internet Mail Service (5.0.1458.49) id ; Mon, 5 Jan 1998 08:27:09 -0000 Message-ID: <3BFE2589D330D111AE87006008062DE40DB551@pc37.blackwell.co.uk> From: Martin Hepworth To: "'Simon J. Gerraty'" , Pauline van Winsen - Uniq Professional Services CC: firewalls@greatcircle.com Subject: RE: off topic: ssl setup on web server - now browser crypto stren gth Date: Mon, 5 Jan 1998 08:24:59 -0000 X-Priority: 3 X-Mailer: Internet Mail Service (5.0.1458.49) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > -----Original Message----- > From: Simon J. Gerraty [SMTP:sjg@quick.com.au] > Sent: Thursday, January 01, 1998 1:50 AM > To: Pauline van Winsen - Uniq Professional Services > Cc: firewalls@greatcircle.com > Subject: Re: off topic: ssl setup on web server - now browser > crypto strength > > Pauline van Winsen writes: > >> Of course folk outside the U.S. are stuffed anyway, until a decent > >> non-U.S. based browser (not limited to 40bit RC4) comes along. > >> I don't think there is any interest in any govt anywhere to see > this issue > >> solved to the satisfaction of net users though. > > >has anyone checked out fortify? > > >http://www.geocities.com/Eureka/Plaza/6333/ > > Yes I had a lok at it and it works very well. I had no trouble > setting up > 128bit sessions to an apache server. Problem is that whether the > author > wrote this thing outside the U.S. or not, he chose a U.S. based site? > as > home for it :-) so we are back to all the shadows of ITAR. > [Martin Hepworth] In that case check out: ftp.ox.ac.uk/pub/crypto/SSL The actual software is based in three locations - two in the UK, one in OZ, so although the 'advert' is in the US the actual download-ables are outside the US........sounds like a gray area in ITAR to me ?-) From firewalls-owner Mon Jan 5 01:31:10 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id BAA28541; Mon, 5 Jan 1998 01:17:11 -0800 (PST) Received: from mail.matav.hu (castor.matav.net [145.236.224.250]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id BAA27885 for ; Mon, 5 Jan 1998 01:15:36 -0800 (PST) Received: (qmail 16289 invoked from network); 5 Jan 1998 10:15:40 +0100 Received: from line-210-27.dial.matav.net (HELO default) (145.236.210.27) by mail.matav.hu with SMTP; 5 Jan 1998 10:15:40 +0100 Reply-To: "Takacs Istvan" From: "Takacs Istvan" To: Subject: Answers for cackers techniks Date: Mon, 5 Jan 1998 10:15:24 +0100 Message-ID: <01bd19ba$74986dc0$LocalHost@default> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-2" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.71.1712.3 X-MimeOLE: Produced By Microsoft MimeOLE V4.71.1712.3 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, Here are the received answers. ================================================================== > Visit the l0pht group www.l0pht.com.. for some information ================================================================== > www.rootshell.com is a good place for exploits used to break/break into > systems. for a million others just do a web search! ================================================================== > There are many ways hackers can get access to your network, and there are new > ways invented everyday. > Now, you don't need to know about ALL the ways out there, you need to focus only > of those vulnerabilities of the devices that are connected on your network, > meaning servers, routers, workstation etc. > A good start in protecting your network will be to install all the latest > service packs, hot fixes and patches, and keep looking if new ones come by. This > is usually a free service. > You are already subscribed to the firewalls mailing list where new intrusion > signatures are discussed, so you will get posted. > An Intrusion detection system is highly recommended especially for someone who > just started Internet connection. These systems will monitor the traffic going > on your LAN, you can track WWW sites users are viewing and of course get real > time alerts when someone is doing malicious activity on the net. > After getting to know your net traffic, your next step should be firewall which > you should configure according to all the data you collected using the > monitoring and IDS. ================================================================= > Try "Maximum Security: A Hacker's Guide to Protecting Your Internet Site > and network". Published by Macmillan Computer Publishing, authored by > Anonymous. I don't know the ISBN, but you can find it here: > http://www.amazon.com > and searching their catalog. The book came out sometime last year. > (August, 1997, I believe). It is a very comprehensive coverage of cracking > techniques. ================================================================= > Try http://www.unitedcouncil.org/hackt.html I think you will be > impressed with the amount of info we have. ================================================================= > I do a weekly newsletter on network security, that includes hacker info. > Let me know if you would like to see a copy. email alan@livingston.com ================================================================= Regards Istvan Takacs mailto:anonymus@mail.matav.hu From firewalls-owner Mon Jan 5 04:44:44 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id EAA17920; Mon, 5 Jan 1998 04:32:03 -0800 (PST) Received: from mailout02.btx.dtag.de (mailout02.btx.dtag.de [194.25.2.150]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id EAA17913 for ; Mon, 5 Jan 1998 04:31:57 -0800 (PST) Received: from (fwd11.btx.dtag.de) [194.25.2.171] by mailout02.btx.dtag.de with smtp id 0xpBhJ-0005cR-00; Mon, 5 Jan 1998 13:32:01 +0100 Received: (0407352555-0001(btxid)@[193.159.17.104]) by fwd11.btx.dtag.de with (S3.1.29.1) id ; Mon, 5 Jan 1998 13:31:49 +0100 Message-Id: Date: Mon, 5 Jan 1998 13:31:49 +0100 To: firewalls@greatcircle.com Subject: Comparision of Firewall Products X-Mailer: T-Online eMail 2.0 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8BIT X-Sender: 0407352555-0001@t-online.de From: MarkusLindingerHamburg@t-online.de (Lindinger) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk We are about to implement a firewall system for about 500 users. I checked the papers from Borderware, FW-1, Raptor�s Eagle Firewall, TIS/Gauntlet and Sidewinder (I suppose, I should contact Cisco too?). After that, I have a rude survey about their features, but not about their proof and abilities in practise. Who can give some pros and cons, to get a better background? Thanks Markus From firewalls-owner Mon Jan 5 05:45:06 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA24279; Mon, 5 Jan 1998 05:22:27 -0800 (PST) Received: from mtigwc04.worldnet.att.net (mtigwc04.worldnet.att.net [204.127.131.33]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id FAA24249 for ; Mon, 5 Jan 1998 05:22:18 -0800 (PST) From: mht@clark.net Received: from highlander ([12.68.178.197]) by mtigwc04.worldnet.att.net (post.office MTA v2.0 0613 ) with SMTP id AAA16124; Mon, 5 Jan 1998 13:22:03 +0000 Message-Id: <3.0.3.32.19980105081940.00808730@pop3.clark.net> X-Sender: mht@pop3.clark.net X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Mon, 05 Jan 1998 08:19:40 -0500 To: MarkusLindingerHamburg@t-online.de (Lindinger), firewalls@GreatCircle.COM Subject: Re: Comparision of Firewall Products In-Reply-To: Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Markus, I think LAN TIMES did a comparison report a while back. Check out=20 www.lantimes.com Your security policy, network architecture, business model, needs and=20 technical resources, etc should also factor into your equation while=20 evaluating the different firewall systems. A firewall is just one component of many when installing a firewall=20 system for your particular organization.=20 /mht At 01:31 PM 1/5/98 +0100, Lindinger wrote: >We are about to implement a firewall system for about 500 users. >I checked the papers from Borderware, FW-1, Raptor=B4s Eagle Firewall, >TIS/Gauntlet and Sidewinder (I suppose, I should contact Cisco=20 too?). > >After that, I have a rude survey about their features, but not about=20 >their proof and abilities in practise.=20 > >Who can give some pros and cons, to get a better background? > >Thanks >Markus > > -----BEGIN PGP SIGNATURE----- Version: PGP for Personal Privacy 5.0 Charset: noconv iQA/AwUBNLDd65azO9ALfO1FEQJLFgCfWxzyhiIvGzbRWNYFdHDDPk/CtGkAn2ZB e5TGzoXA/bjIggVJDuqN9QDl =3Db4Dl -----END PGP SIGNATURE----- From firewalls-owner Mon Jan 5 07:15:27 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA01167; Mon, 5 Jan 1998 07:06:43 -0800 (PST) Received: from mail.sunbeach.net (mail.sunbeach.net [205.214.199.134]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id HAA01133 for ; Mon, 5 Jan 1998 07:06:28 -0800 (PST) Received: from mercury [205.214.195.1] by mail.sunbeach.net (SMTPD32-4.03) id AB9081B50122; Mon, 05 Jan 1998 10:17:52 +03d00 Message-Id: <3.0.3.32.19980105110522.007347a0@mail.sunbeach.net> X-Sender: ian@mail.sunbeach.net X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Mon, 05 Jan 1998 11:05:22 -0400 To: , From: Ian KC Worrell Subject: Re: Hardware for seperating LAN from dialouts In-Reply-To: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I use my lap top in the office, and it has both a network card and a modem in it. As my office network is on a different IP address range that my Internet Connection, I can actually have both connected at the same time! There seems to be no problem with the routing at all! Ian At 10:10 AM 1/5/98 +1000, Norman Widders wrote: >Just wondered if anybody has used those hardware devices >that disable LAN connections while a modem dials out >to the Internet. > >It detects when the modem is active thus severing the >link to the LAN physically and reconnects the LAN >once the modem has disconnected from the LAN. > >The device is connected to both the modem and LAN and >sounds good in theory and I am just wondering >what other peoples experience with these are, at $85 >it is an ideal solution for small organisations >that just want to poll their ISP a few times a day >for email. > >-- >Wheres my valium ? > > > > From firewalls-owner Mon Jan 5 07:30:20 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA02308; Mon, 5 Jan 1998 07:25:59 -0800 (PST) Received: from steed.jerboa.com (steed.jerboa.com [209.21.153.162]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id HAA02296 for ; Mon, 5 Jan 1998 07:25:50 -0800 (PST) Received: by steed.jerboa.com; id KAA08326; Mon, 5 Jan 1998 10:27:03 -0500 (EST) Received: from squirrel.jerboa.com(10.0.0.200) by steed.jerboa.com via smap (4.0a) id xma008324; Mon, 5 Jan 98 10:26:50 -0500 Received: from emma.jerboa.com (emma.jerboa.com [10.0.0.60]) by squirrel.jerboa.com (8.8.5/8.7.3) with SMTP id KAA19562; Mon, 5 Jan 1998 10:26:14 -0500 (EST) Message-Id: <3.0.3.32.19980105102235.00af6230@squirrel> X-Sender: ian@squirrel X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Mon, 05 Jan 1998 10:22:35 -0500 To: mht@clark.net, MarkusLindingerHamburg@t-online.de (Lindinger), firewalls@GreatCircle.COM From: Ian Poynter Subject: Re: Comparision of Firewall Products In-Reply-To: <3.0.3.32.19980105081940.00808730@pop3.clark.net> References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 At 08:19 AM 1/5/98 -0500, mht@clark.net wrote: >I think LAN TIMES did a comparison report a while back. Check out >www.lantimes.com Be careful with this one, the test methodology didn't look at security at all (see http://www.lantimes.com/97/97aug/708a060c.html; they didn't test installation either). I wasn't completely happy that the performance numbers were comparing apples with apples either. Still, it's useful as a feature comparison, though. >Your security policy, network architecture, business model, needs and >technical resources, etc should also factor into your equation while >evaluating the different firewall systems. > >A firewall is just one component of many when installing a firewall >system for your particular organization. Now this I agree with :-). Ian -----BEGIN PGP SIGNATURE----- Version: PGP for Personal Privacy 5.0 Charset: noconv iQA/AwUBNLD6usj1wUcX1Ha3EQID8QCg2Q6gT0RaW4kQMP+WBWQ3bAH70GoAnj0S hf30Ml+vAOoa4IGD/fiTstGN =lXXh -----END PGP SIGNATURE----- ----- Ian Poynter ian@jerboa.com Jerboa, Inc. +1-617-492-8084 PO Box 382648, Cambridge, MA 02238 http://www.jerboa.com Providing unbiased Internet consulting for businesses. Fingerprints RSA: BA 0C 82 C5 F2 03 3D 95 7C CE FD D3 57 4E 15 73 DSS: 2769 277A 9F69 F605 3743 D574 C8F5 C147 17D4 76B7 From firewalls-owner Mon Jan 5 07:44:49 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA03750; Mon, 5 Jan 1998 07:41:29 -0800 (PST) Received: from granite.sentex.net (granite.sentex.ca [199.212.134.1]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id HAA03736 for ; Mon, 5 Jan 1998 07:41:23 -0800 (PST) Received: from eagle.woodbridge.com ([206.222.77.97] (may be forged)) by granite.sentex.net (8.8.6/8.6.9) with SMTP id KAA09273 for ; Mon, 5 Jan 1998 10:40:47 -0500 (EST) Received: from woodux.woodbridge.com by eagle.woodbridge.com via smtpd (for granite.sentex.ca [199.212.134.1]) with SMTP; 5 Jan 1998 15:37:10 UT Received: from simonyi ([192.81.85.21]) by woodux with SMTP (1.39.111.2/16.2) id AA031504897; Mon, 5 Jan 1998 10:41:37 -0500 Received: by localhost with Microsoft MAPI; Mon, 5 Jan 1998 10:38:41 -0500 Message-Id: <01BD19C6.17027D20.msimonyi@woodbridge.com> From: Michael Simonyi To: "Firewalls@GreatCircle.COM" Subject: named service Date: Mon, 5 Jan 1998 10:38:40 -0500 X-Mailer: Microsoft Internet E-mail/MAPI - 8.0.0.4211 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk To all We are running an HP 817 w/ HPUX 10.0, and every once and a while the named service hangs. It's still a running process but does not do anything. I have to kill it and restart it and then every things fine. Any clues? Do I need as patch? Is there any way I can monitor the process and to see it's in trouble rather than having our help line ring off the wall? Mike From firewalls-owner Mon Jan 5 08:27:48 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA08376; Mon, 5 Jan 1998 08:13:28 -0800 (PST) Received: from granite.sentex.net (granite.sentex.ca [199.212.134.1]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id IAA08115 for ; Mon, 5 Jan 1998 08:12:35 -0800 (PST) Received: from eagle.woodbridge.com ([206.222.77.97] (may be forged)) by granite.sentex.net (8.8.6/8.6.9) with SMTP id LAA14726 for ; Mon, 5 Jan 1998 11:11:56 -0500 (EST) Received: from woodux.woodbridge.com by eagle.woodbridge.com via smtpd (for granite.sentex.ca [199.212.134.1]) with SMTP; 5 Jan 1998 16:08:19 UT Received: from simonyi ([192.81.85.21]) by woodux with SMTP (1.39.111.2/16.2) id AA037326766; Mon, 5 Jan 1998 11:12:46 -0500 Received: by localhost with Microsoft MAPI; Mon, 5 Jan 1998 11:09:50 -0500 Message-Id: <01BD19CA.711D0F60.msimonyi@woodbridge.com> From: Michael Simonyi To: "Firewalls@GreatCircle.COM" Subject: Raptor Date: Mon, 5 Jan 1998 11:09:49 -0500 X-Mailer: Microsoft Internet E-mail/MAPI - 8.0.0.4211 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk To all: We have an HP 712 w/ HPUX 10.01 running the Raptor FW. Problem : After every reboot, the system is fine. Then after about a week or two the log file starts recording the following error messages: Eagle notifyd: 605 Can't execute /usr/bin/mailx (to many open files) Eagle notifyd: 606 failed to notify:transport=mail priority=Alert, (root,0) We keep bumping up our number of open files, the problem goes away. Then it comes right back. We have reconfigured the box several times and up'd the files open to allow more than our primary host. We just can't clean this problem up. Mike From firewalls-owner Mon Jan 5 09:30:45 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA12250; Mon, 5 Jan 1998 08:38:08 -0800 (PST) Received: from cheez.lowprofile.net (cheez.lowprofile.net [206.97.249.88]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id IAA12226 for ; Mon, 5 Jan 1998 08:38:01 -0800 (PST) Received: from cheez.lowprofile.net (cheez.lowprofile.net [206.97.249.88]) by cheez.lowprofile.net (8.8.5/8.8.5) with SMTP id KAA24549; Mon, 5 Jan 1998 10:46:44 -0600 Date: Mon, 5 Jan 1998 10:46:44 -0600 (CST) From: "Daniel \"Cheez\" Brown" To: Michael Simonyi cc: "Firewalls@GreatCircle.COM" Subject: Re: named service In-Reply-To: <01BD19C6.17027D20.msimonyi@woodbridge.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Michael- Upgrade to HPUX 10.10 / 10.20 because there is a bug in HPUX 10.01 named. You can also patch it with one of the PHSS patches out by HP, but my feeling is that 10.10 is much better than 10.01. Patching it will work as well. Good luck, +----Daniel "Cheez" Brown------------Global Data Systems-------+ | http://cheez.lowprofile.net | Security Advisor, Global Reach | | cheez@lowprofile.net | Cisco Systems WAN Specialist | | UNIX/Linux/HP-UX specialist | Remote Management Specialist | | If at first you don't succeed, redefine success. | | Contrary to popular opinion, UNIX is user friendly. It just | +-happens to be very selective about who it makes friends with.+ On Mon, 5 Jan 1998, Michael Simonyi wrote: > To all > > We are running an HP 817 w/ HPUX 10.0, and every once and a while the named > service hangs. It's still a running process but does not do anything. > I have to kill it and restart it and then every things fine. > > Any clues? Do I need as patch? Is there any way I can monitor the process > and to see it's in trouble rather than having our help line ring off the > wall? > > Mike > From firewalls-owner Mon Jan 5 10:15:56 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA24724; Mon, 5 Jan 1998 09:44:34 -0800 (PST) Received: from tango.lightech.com.ar (tango.lightech.com.ar [200.0.253.134]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id JAA22774 for ; Mon, 5 Jan 1998 09:36:13 -0800 (PST) Received: from lightech.com.ar (router1-p04.pccp.com.ar [200.0.253.20]) by tango.lightech.com.ar (8.8.7/8.8.7) with ESMTP id RAA21387; Mon, 5 Jan 1998 17:13:39 GMT Message-ID: <34B1007E.9B1CE4A4@lightech.com.ar> Date: Mon, 05 Jan 1998 12:47:11 -0300 From: Sergio Bollini Reply-To: sbollini@lightech.com.ar Organization: LighTech X-Mailer: Mozilla 4.04 [en] (Win95; I) MIME-Version: 1.0 To: "firewalls@GreatCircle.COM" , "Mailing List, Firewall-1" Subject: FW-1 3.0 and Solaris 2.6 ok? Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------msB846C7587AF8D45A2076687C" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This is a cryptographically signed message in MIME format. --------------msB846C7587AF8D45A2076687C Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Hello all! Does anybody know is FW-1 3.0b will work correctly on Solaris 2.6? Is there any issues or unsolved problems? TIA -- Sergio E. Bollini LighTech Voice: (54-1) 373-1141 Ayacucho 563. Piso 13 Dto "A" FAX: (54-1) 373-1215 (1026) Buenos Aires e-mail: sbollini@lightech.com.ar Argentina URL: http://www.lightech.com.ar --------------msB846C7587AF8D45A2076687C Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIIQDwYJKoZIhvcNAQcCoIIQADCCD/wCAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCC Dn0wggnDMIIJLKADAgECAhB4X82i1DyEFmZajMCjf7qtMA0GCSqGSIb3DQEBBAUAMGIxETAP BgNVBAcTCEludGVybmV0MRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE0MDIGA1UECxMrVmVy aVNpZ24gQ2xhc3MgMSBDQSAtIEluZGl2aWR1YWwgU3Vic2NyaWJlcjAeFw05NzA0MTAwMDAw MDBaFw05ODA0MTAyMzU5NTlaMIIBFDERMA8GA1UEBxMISW50ZXJuZXQxFzAVBgNVBAoTDlZl cmlTaWduLCBJbmMuMTQwMgYDVQQLEytWZXJpU2lnbiBDbGFzcyAxIENBIC0gSW5kaXZpZHVh bCBTdWJzY3JpYmVyMUYwRAYDVQQLEz13d3cudmVyaXNpZ24uY29tL3JlcG9zaXRvcnkvQ1BT IEluY29ycC4gYnkgUmVmLixMSUFCLkxURChjKTk2MSYwJAYDVQQLEx1EaWdpdGFsIElEIENs YXNzIDEgLSBOZXRzY2FwZTEXMBUGA1UEAxMOU2VyZ2lvIEJvbGxpbmkxJzAlBgkqhkiG9w0B CQEWGHNib2xsaW5pQGxpZ2h0ZWNoLmNvbS5hcjBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCt Iw69fHnhJqxaDdc0Rakxy2ceJTT00bQiu/mm42O7ILzd/zKGwsT4+uQcHsFUm6Bjhcthh2ND 7iI7eQqGcGi5AgMBAAGjggcIMIIHBDAJBgNVHRMEAjAAMIICHwYDVR0DBIICFjCCAhIwggIO MIICCgYLYIZIAYb4RQEHAQEwggH5FoIBp1RoaXMgY2VydGlmaWNhdGUgaW5jb3Jwb3JhdGVz IGJ5IHJlZmVyZW5jZSwgYW5kIGl0cyB1c2UgaXMgc3RyaWN0bHkgc3ViamVjdCB0bywgdGhl IFZlcmlTaWduIENlcnRpZmljYXRpb24gUHJhY3RpY2UgU3RhdGVtZW50IChDUFMpLCBhdmFp bGFibGUgYXQ6IGh0dHBzOi8vd3d3LnZlcmlzaWduLmNvbS9DUFM7IGJ5IEUtbWFpbCBhdCBD UFMtcmVxdWVzdHNAdmVyaXNpZ24uY29tOyBvciBieSBtYWlsIGF0IFZlcmlTaWduLCBJbmMu LCAyNTkzIENvYXN0IEF2ZS4sIE1vdW50YWluIFZpZXcsIENBIDk0MDQzIFVTQSBUZWwuICsx ICg0MTUpIDk2MS04ODMwIENvcHlyaWdodCAoYykgMTk5NiBWZXJpU2lnbiwgSW5jLiAgQWxs IFJpZ2h0cyBSZXNlcnZlZC4gQ0VSVEFJTiBXQVJSQU5USUVTIERJU0NMQUlNRUQgYW5kIExJ QUJJTElUWSBMSU1JVEVELqAOBgxghkgBhvhFAQcBAQGhDgYMYIZIAYb4RQEHAQECMCwwKhYo aHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JlcG9zaXRvcnkvQ1BTIDARBglghkgBhvhCAQEE BAMCB4AwNgYJYIZIAYb4QgEIBCkWJ2h0dHBzOi8vd3d3LnZlcmlzaWduLmNvbS9yZXBvc2l0 b3J5L0NQUzCCBIcGCWCGSAGG+EIBDQSCBHgWggR0Q0FVVElPTjogVGhlIENvbW1vbiBOYW1l IGluIHRoaXMgQ2xhc3MgMSBEaWdpdGFsIApJRCBpcyBub3QgYXV0aGVudGljYXRlZCBieSBW ZXJpU2lnbi4gSXQgbWF5IGJlIHRoZQpob2xkZXIncyByZWFsIG5hbWUgb3IgYW4gYWxpYXMu IFZlcmlTaWduIGRvZXMgYXV0aC0KZW50aWNhdGUgdGhlIGUtbWFpbCBhZGRyZXNzIG9mIHRo ZSBob2xkZXIuCgpUaGlzIGNlcnRpZmljYXRlIGluY29ycG9yYXRlcyBieSByZWZlcmVuY2Us IGFuZCAKaXRzIHVzZSBpcyBzdHJpY3RseSBzdWJqZWN0IHRvLCB0aGUgVmVyaVNpZ24gCkNl cnRpZmljYXRpb24gUHJhY3RpY2UgU3RhdGVtZW50IChDUFMpLCBhdmFpbGFibGUKaW4gdGhl IFZlcmlTaWduIHJlcG9zaXRvcnkgYXQ6IApodHRwczovL3d3dy52ZXJpc2lnbi5jb207IGJ5 IEUtbWFpbCBhdApDUFMtcmVxdWVzdHNAdmVyaXNpZ24uY29tOyBvciBieSBtYWlsIGF0IFZl cmlTaWduLApJbmMuLCAyNTkzIENvYXN0IEF2ZS4sIE1vdW50YWluIFZpZXcsIENBIDk0MDQz IFVTQQoKQ29weXJpZ2h0IChjKTE5OTYgVmVyaVNpZ24sIEluYy4gIEFsbCBSaWdodHMgClJl c2VydmVkLiBDRVJUQUlOIFdBUlJBTlRJRVMgRElTQ0xBSU1FRCBBTkQgCkxJQUJJTElUWSBM SU1JVEVELgoKV0FSTklORzogVEhFIFVTRSBPRiBUSElTIENFUlRJRklDQVRFIElTIFNUUklD VExZClNVQkpFQ1QgVE8gVEhFIFZFUklTSUdOIENFUlRJRklDQVRJT04gUFJBQ1RJQ0UKU1RB VEVNRU5ULiAgVEhFIElTU1VJTkcgQVVUSE9SSVRZIERJU0NMQUlNUyBDRVJUQUlOCklNUExJ RUQgQU5EIEVYUFJFU1MgV0FSUkFOVElFUywgSU5DTFVESU5HIFdBUlJBTlRJRVMKT0YgTUVS Q0hBTlRBQklMSVRZIE9SIEZJVE5FU1MgRk9SIEEgUEFSVElDVUxBUgpQVVJQT1NFLCBBTkQg V0lMTCBOT1QgQkUgTElBQkxFIEZPUiBDT05TRVFVRU5USUFMLApQVU5JVElWRSwgQU5EIENF UlRBSU4gT1RIRVIgREFNQUdFUy4gU0VFIFRIRSBDUFMKRk9SIERFVEFJTFMuCgpDb250ZW50 cyBvZiB0aGUgVmVyaVNpZ24gcmVnaXN0ZXJlZApub252ZXJpZmllZFN1YmplY3RBdHRyaWJ1 dGVzIGV4dGVuc2lvbiB2YWx1ZSBzaGFsbCAKbm90IGJlIGNvbnNpZGVyZWQgYXMgYWNjdXJh dGUgaW5mb3JtYXRpb24gdmFsaWRhdGVkIApieSB0aGUgSUEuMA0GCSqGSIb3DQEBBAUAA4GB AA00fYs+ZSeHAn3y/UrA5hFaMGQZVElGGB8ukDAtVDRTqgD9t1JdL2OiJ5DyYtvhS/m7YBjN dH+SnqyXydUYZbiIPshLfy2oTG+Pga8e8RLLiHvlU/uzQqNBpQNga+x9ia4T3aAb1tC5mxud EWFdLDqU22kiSFeRWU3Zh9Jizo2OMIICfTCCAeagAwIBAgIUdRNrWPOAaVd1pqJNWRBNnOp2 SvEwDQYJKoZIhvcNAQECBQAwXzELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJ bmMuMTcwNQYDVQQLEy5DbGFzcyAxIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0 aG9yaXR5MB4XDTk3MDYyNDA3MDAwMFoXDTk5MDYyNDA3MDAwMFowYjERMA8GA1UEBxMISW50 ZXJuZXQxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTQwMgYDVQQLEytWZXJpU2lnbiBDbGFz cyAxIENBIC0gSW5kaXZpZHVhbCBTdWJzY3JpYmVyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB iQKBgQC2FKbPTdAFDdjKI9BvqrQpkmOOLPhvltcunXZLEbE2jVfJw/0cxrr+Hgi6M8qV6r7j W80GqLd5HUQq7XPysVKDaBBwZJHXPmv5912dFEObbpdFmIFH0S3L3bty10w/cariQPJUObwW 7s987LrbP2wqsxaxhhKdrpM01bjV0Pc+qQIDAQABozMwMTARBglghkgBhvhCAQEEBAMCAQYw DwYDVR0TBAgwBgEB/wIBATALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQECBQADgYEAkgxL6bqT zf/a5mD9nmQDZhUvVjw4TGhKR8Xzq48l2WZDc0MVc0S+FEiBWncMzHrq2bG88ov/EbHfFFBI 3GUdC4n5oV5IUm/ttWv0uAhMOPC5iWcpD+DgN/em69T01UKpXf295558G+dPhS0EoWAuhbjr 4vrvFAUmFRhVbxOhHXEwggIxMIIBmgIFAqQAAAEwDQYJKoZIhvcNAQECBQAwXzELMAkGA1UE BhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAxIFB1Ymxp YyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2MDEyOTAwMDAwMFoXDTk5 MTIzMTIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcw NQYDVQQLEy5DbGFzcyAxIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5 MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDlGb9to1ZhLZlIcfZn3rmN67eehoAKkQ76 OCWvRoiC5XOooJskXQ0fzGVuDLDQVoQYh5oGmxChc9+0WDlrbsH2FdWoqD+qEgaNMax/sDTX jzRniAnNFBHiTkVWaR94AoDa3EeRKbs2yWNcxeDXLYd7obcysHswuiovMaruo2fa2wIDAQAB MA0GCSqGSIb3DQEBAgUAA4GBAFJzuppV3Nw/gn2wkJhiKoJMdgBuJT3VwglwVwEMD3cfGKH7 HGAOoHU7SSFB/qdcLUxCSdP/KNiM6p3+yQfid4JTI95V885Ek/r6TL3KNvNbZrKeyPIMXl7U obQhCTPKO1n8ksI4/K3ZliTgLfqjKfUzaHhOtLyfaTXiqJiUczvEMYIBWjCCAVYCAQEwdjBi MREwDwYDVQQHEwhJbnRlcm5ldDEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNDAyBgNVBAsT K1ZlcmlTaWduIENsYXNzIDEgQ0EgLSBJbmRpdmlkdWFsIFN1YnNjcmliZXICEHhfzaLUPIQW ZlqMwKN/uq0wCQYFKw4DAhoFAKB9MBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZI hvcNAQkFMQ8XDTk4MDEwNTE1NDcxMVowHgYJKoZIhvcNAQkPMREwDzANBggqhkiG9w0DAgIB KDAjBgkqhkiG9w0BCQQxFgQUvUw2hIXMhd7pzjmhowv70dA+ZdwwDQYJKoZIhvcNAQEBBQAE QF83JxCdoG8l0WhRM3xC/rhtlhfB2YZMSN/Za6dzrmGeGeVvei6xj/fkgJQdnyutqWr9NXG0 DK68C01HoAMFirM= --------------msB846C7587AF8D45A2076687C-- From firewalls-owner Mon Jan 5 10:32:18 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA03198; Mon, 5 Jan 1998 10:23:19 -0800 (PST) Received: from raven.axent.com (raven.axent.com [205.159.112.243]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id KAA03190 for ; Mon, 5 Jan 1998 10:23:09 -0800 (PST) Received: by raven.axent.com with Internet Mail Service (5.0.1458.49) id ; Mon, 5 Jan 1998 11:25:41 -0700 Message-ID: From: Darin Fisher To: "'Takacs Istvan'" , Firewalls@GreatCircle.COM Subject: RE: Any document about cracker's technic? Date: Mon, 5 Jan 1998 11:25:38 -0700 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.49) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Try: http://www.axent.com/swat/swat.html http://www.l0pht.com thanx darin ---- #include "In order to succeed, one must pay attention" -----Original Message----- From: Takacs Istvan [mailto:anonymus@mail.matav.hu] Sent: Saturday, January 03, 1998 11:56 AM To: Firewalls@GreatCircle.COM Subject: Any document about cracker's technic? Hi, Could you offer me some good links, books, videos or any kind of documents about the crackers technics? You always talk about the IDS, and how they work. But I'd like to know what I have to look for in my company's network. We just started to use the commercial side of Internet and for this reason I think we have to prepare to the crackers attacks. I don't ask for exact description, just for how they try to break into the internal network. Thank you! Regards. Istvan Takacs mailto:anonymus@mail.matav.hu p.s.: Please, write to my own address, too. Thanks. From firewalls-owner Mon Jan 5 13:30:54 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA23758; Mon, 5 Jan 1998 12:01:13 -0800 (PST) Received: from deimos.frii.com (deimos.frii.com [208.146.240.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id MAA23698 for ; Mon, 5 Jan 1998 12:00:51 -0800 (PST) Received: from ralph (ralph.ball.com [162.18.91.40]) by deimos.frii.com (8.8.5/8.8.4) with SMTP id NAA16743 for ; Mon, 5 Jan 1998 13:01:15 -0700 (MST) Message-ID: <34B13BF6.979@frii.com> Date: Mon, 05 Jan 1998 13:00:54 -0700 From: "Franklin R. Jones" Organization: Wyldwood Computing X-Mailer: Mozilla 3.04 (X11; I; SunOS 5.5.1 sun4u) MIME-Version: 1.0 To: firewalls@GreatCircle.COM Subject: Re: FW-1 3.0 and Solaris 2.6 ok? References: <34B1007E.9B1CE4A4@lightech.com.ar> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Sergio Bollini wrote: > Does anybody know is FW-1 3.0b will work correctly on Solaris 2.6? Is > there any issues or unsolved problems? > TIA No hands on as of yet, but 2.6 is listed as "supported" OS rev for V3. I haven't run into any problems application-wise upgrading to 2.6 from 2.5.x, so my feelings are that it would be a reliable config. There is a recommeded patch cluster out for 2.6 which includes several (8 or 9) security patches for various things and I would recommend installing the cluster. fj.. From firewalls-owner Mon Jan 5 13:34:20 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA15653; Mon, 5 Jan 1998 11:25:49 -0800 (PST) Received: from elmont.dart.org (elmont.dart.org [207.86.10.34]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id LAA15469 for ; Mon, 5 Jan 1998 11:25:08 -0800 (PST) Message-ID: <7724B134818D357C%7724B134818D357C@dart.org> Date: Mon, 5 Jan 1998 13:25:12 -0500 From: fw-list@dart.org To: firewalls@greatcircle.com Subject: land.c hack code X-SMF-Hop-Count: 1 MIME-Version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit X-Mailer: Connect2-SMTP 4.32 MHS/SMF to SMTP Gateway Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Message Source: http://207.86.10.38/msg/fw-list/M908.HTM From: Darwin Collins Does anyone know where I can get a copy of the land.c hack code. Basically, I need to test some homebrewed stuff, and see if it can handle it. Thanks From firewalls-owner Mon Jan 5 13:34:23 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA09562; Mon, 5 Jan 1998 10:57:39 -0800 (PST) Received: from NOC.cs.ruu.nl (magic.cs.ruu.nl [131.211.80.22]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id KAA09484 for ; Mon, 5 Jan 1998 10:57:14 -0800 (PST) Received: from localhost (edwin@localhost) by NOC.cs.ruu.nl (8.8.6/8.8.6/UU-CS) with ESMTP id TAA25709 for ; Mon, 5 Jan 1998 19:57:11 +0100 (MET) Date: Mon, 5 Jan 1998 19:57:11 +0100 (MET) From: Edwin Kremer X-Sender: edwin@magic.cs.ruu.nl To: Firewalls List Subject: ANN/CfP: 1st International SANE Conference Message-ID: X-Org: Department of Computer Science; Utrecht University X-Org: P.O. Box 80.089; 3508 TB Utrecht; The Netherlands. X-Org: phone: +31-30-2534104; telefax: +31-30-2513791 MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=ISO-8859-1 Content-Transfer-Encoding: 8BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello, below you'll find the announcement and call for papers for the SANE'98 conference to be held on November 18-20 in Maastricht, The Netherlands, and organized by the NLUUG and co-sponsored by USENIX and Stichting NLnet. Security and firewalls-related paper submissions are very welcome. If you prefer to read the Call for Papers in a different format, please visit the SANE'98 WWW site: http://www.nluug.nl/events/sane98/ Thanks for your time. best regards, --[ Edwin ]-- -- Edwin H. Kremer, systems- and network administrator. Dept. of Computer Science, Utrecht University, The Netherlands [WHOIS: ehk3] -------------------- http://www.cs.ruu.nl/people/edwin/ ----------------------- --------------------------------------------------------------------------- Announcement and Call for Papers 1st International SANE Conference November 18-20, 1998 Maastricht, The Netherlands A conference organized by the NLUUG, the UNIX User Group - The Netherlands co-sponsored by USENIX, the Advanced Computing Systems Association, and Stichting NLnet -------- OVERVIEW -------- Technology is advancing, the systems administration profession is changing rapidly, and you have to master new skills to keep apace. At the International SANE (System Administration and Networking) conference you can join the community of system administrators while attending a program that brings you the latest in tools, techniques, security and networking. You can learn from tutorials, refereed papers, invited talks and Birds-of-a-Feather sessions. Visit the Vendor Exhibition for the hottest products and the latest books available. The official language at the conference will be English. The conference will be located at the Maastricht Exposition and Conference Center, MECC. ---------------- TUTORIAL PROGRAM ---------------- On Wednesday November 18, 1998, up to four in-depth tutorials will be presented to you by the most popular and widely acclaimed speakers. ------------------ TECHNICAL SESSIONS ------------------ Two days of technical sessions, including keynote address, presentations of refereed papers and invited talks will follow the tutorial day. --------------------- CONFERENCE ORGANIZERS --------------------- Program Co-chairs: Edwin Kremer, Department of Computer Science, Utrecht University Jan Christiaan van Winkel, AT Computing Program Committee: Jos Alsters, C&CZ, KU Nijmegen Bob Eskes, ASR, Hollandse Signaalapparaten Peter den Haan, C&CZ, KU Nijmegen Patrick Schoo, Department of Mathematics, Utrecht University Michael Uterm�hle, Dept. of Computer Science, University of Paderborn Jos Vos, X/OS Experts in Open Systems Elizabeth Zwicky, Silicon Graphics, Inc. Event Organization: Chel van Gennip, Hiscom Mari�lle Klatten, NLUUG Monique Rours, NLUUG --------------- IMPORTANT DATES --------------- Extended abstracts due: April 17, 1998 Notification to speakers: May 8, 1998 Final papers due: September 4, 1998 Complete program and registration information will be available in June 1998. To receive information about the conference, please contact: sane98-info@nluug.nl or visit the conference WWW site: http://www.nluug.nl/events/sane98/ ----------------- CONFERENCE TOPICS ----------------- Presentations are being solicited in areas including but not limited to: * Security tools and techniques * Managing enterprise-wide email (what about UCE?) * Experiences with free software, including operating systems, in a professional environment * Innovative system administration tools & techniques * Distributed or automated system administration * Incorporation of commercial system administration technology * Adventures in nomadic and wireless computing * Intranet development, support, and maintenance * Integrating new networking technologies * Integration of heterogeneous platforms * Performance analysis, monitoring and tuning * Support strategies in use at your site * Effective training techniques for system administration and users ------------- INVITED TALKS ------------- If you have a topic of interest that is not (yet) very well suited for a refereed paper submission, please submit a proposal for an invited talk to the Program Committee at the address: sane98@nluug.nl -------------------------- REFEREED PAPER SUBMISSIONS -------------------------- An extended abstract of up to four pages is required for the paper selection process. Abstracts accompanied by non-disclosure agreement forms are not acceptable and will be returned unread. Authors of accepted submissions must provide a final paper for publication in the conference proceedings. Final papers are held in the highest confidence prior to publication in the conference proceedings. Authors agree with publication of the final paper in the members-only area on the NLUUG WWW site and/or the conference CD-ROM. Please submit extended abstracts by one of the following methods: E-mail to: sane98@nluug.nl Fax to: +31 20 6950018 Postal mail to: NLUUG PO Box 22727 1100 DE AMSTERDAM The Netherlands --------------------------------------------------------------------------- From firewalls-owner Mon Jan 5 13:34:26 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA01490; Mon, 5 Jan 1998 10:15:14 -0800 (PST) Received: from viper.netsolv.com (jridgway.jxn.netdoor.com [208.137.130.254]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id KAA29629 for ; Mon, 5 Jan 1998 10:05:18 -0800 (PST) Received: from viper ([172.30.100.3]) by viper.netsolv.com (Netscape Messaging Server 3.01) with SMTP id 294 for ; Mon, 5 Jan 1998 12:05:27 -0600 Received: from netsolv.com ([206.58.71.2]) by pike.netdoor.com (8.8.8/8.8.5) with SMTP id MAA02085 for ; Mon, 5 Jan 1998 12:00:19 -0600 (CST) Received: from loudecho.us.checkpoint.com [206.184.151.194] by netsolv.com with ESMTP (SMTPD32-4.02c) id AE43201501CA; Mon, 05 Jan 1998 11:02:27 EST5EDT Received: from localhost (daemon@localhost) by loudecho.us.checkpoint.com (8.8.8/8.8.4) with SMTP id JAA29559; Mon, 5 Jan 1998 09:47:19 -0800 (PST) Received: by loudecho.us.checkpoint.com (bulk_mailer v1.5 with hacks by jwright@us.checkpoint.com); Mon, 5 Jan 1998 09:37:48 -0800 Received: (from majordom@localhost) by loudecho.us.checkpoint.com (8.8.8/8.8.4) id JAA28644 for fw-1-mailinglist-outgoing; Mon, 5 Jan 1998 09:37:38 -0800 (PST) Received: from peets.us.checkpoint.com ([206.184.151.193]) by loudecho.us.checkpoint.com (8.8.8/8.8.4) with ESMTP id JAA28571 for ; Mon, 5 Jan 1998 09:36:48 -0800 (PST) Received: from oak.us.checkpoint.com (oak.us.checkpoint.com [206.86.35.94]) by peets.us.checkpoint.com (8.8.7/8.8.3) with SMTP id JAA22848 for ; Mon, 5 Jan 1998 09:37:50 -0800 (PST) Received: (qmail 6480 invoked by alias); 5 Jan 1998 17:36:44 -0000 Delivered-To: fw-1-mailinglist@us.checkpoint.com Received: (qmail 6470 invoked from network); 5 Jan 1998 17:36:41 -0000 Received: from tango.lightech.com.ar (200.0.253.134) by oak.us.checkpoint.com with SMTP; 5 Jan 1998 17:36:41 -0000 Received: from lightech.com.ar (router1-p04.pccp.com.ar [200.0.253.20]) by tango.lightech.com.ar (8.8.7/8.8.7) with ESMTP id RAA21387; Mon, 5 Jan 1998 17:13:39 GMT Message-ID: <34B1007E.9B1CE4A4@lightech.com.ar> Date: Mon, 05 Jan 1998 12:47:11 -0300 From: Sergio Bollini Reply-To: sbollini@lightech.com.ar Organization: LighTech X-Mailer: Mozilla 4.04 [en] (Win95; I) MIME-Version: 1.0 To: "firewalls@GreatCircle.COM" , "Mailing List, Firewall-1" Subject: [FW1] FW-1 3.0 and Solaris 2.6 ok? Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------msB846C7587AF8D45A2076687C" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This is a cryptographically signed message in MIME format. --------------msB846C7587AF8D45A2076687C Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Hello all! Does anybody know is FW-1 3.0b will work correctly on Solaris 2.6? Is there any issues or unsolved problems? TIA -- Sergio E. Bollini LighTech Voice: (54-1) 373-1141 Ayacucho 563. Piso 13 Dto "A" FAX: (54-1) 373-1215 (1026) Buenos Aires e-mail: sbollini@lightech.com.ar Argentina URL: http://www.lightech.com.ar --------------msB846C7587AF8D45A2076687C Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIIQDwYJKoZIhvcNAQcCoIIQADCCD/wCAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCC Dn0wggnDMIIJLKADAgECAhB4X82i1DyEFmZajMCjf7qtMA0GCSqGSIb3DQEBBAUAMGIxETAP BgNVBAcTCEludGVybmV0MRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE0MDIGA1UECxMrVmVy aVNpZ24gQ2xhc3MgMSBDQSAtIEluZGl2aWR1YWwgU3Vic2NyaWJlcjAeFw05NzA0MTAwMDAw MDBaFw05ODA0MTAyMzU5NTlaMIIBFDERMA8GA1UEBxMISW50ZXJuZXQxFzAVBgNVBAoTDlZl cmlTaWduLCBJbmMuMTQwMgYDVQQLEytWZXJpU2lnbiBDbGFzcyAxIENBIC0gSW5kaXZpZHVh bCBTdWJzY3JpYmVyMUYwRAYDVQQLEz13d3cudmVyaXNpZ24uY29tL3JlcG9zaXRvcnkvQ1BT IEluY29ycC4gYnkgUmVmLixMSUFCLkxURChjKTk2MSYwJAYDVQQLEx1EaWdpdGFsIElEIENs YXNzIDEgLSBOZXRzY2FwZTEXMBUGA1UEAxMOU2VyZ2lvIEJvbGxpbmkxJzAlBgkqhkiG9w0B CQEWGHNib2xsaW5pQGxpZ2h0ZWNoLmNvbS5hcjBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCt Iw69fHnhJqxaDdc0Rakxy2ceJTT00bQiu/mm42O7ILzd/zKGwsT4+uQcHsFUm6Bjhcthh2ND 7iI7eQqGcGi5AgMBAAGjggcIMIIHBDAJBgNVHRMEAjAAMIICHwYDVR0DBIICFjCCAhIwggIO MIICCgYLYIZIAYb4RQEHAQEwggH5FoIBp1RoaXMgY2VydGlmaWNhdGUgaW5jb3Jwb3JhdGVz IGJ5IHJlZmVyZW5jZSwgYW5kIGl0cyB1c2UgaXMgc3RyaWN0bHkgc3ViamVjdCB0bywgdGhl IFZlcmlTaWduIENlcnRpZmljYXRpb24gUHJhY3RpY2UgU3RhdGVtZW50IChDUFMpLCBhdmFp bGFibGUgYXQ6IGh0dHBzOi8vd3d3LnZlcmlzaWduLmNvbS9DUFM7IGJ5IEUtbWFpbCBhdCBD UFMtcmVxdWVzdHNAdmVyaXNpZ24uY29tOyBvciBieSBtYWlsIGF0IFZlcmlTaWduLCBJbmMu LCAyNTkzIENvYXN0IEF2ZS4sIE1vdW50YWluIFZpZXcsIENBIDk0MDQzIFVTQSBUZWwuICsx ICg0MTUpIDk2MS04ODMwIENvcHlyaWdodCAoYykgMTk5NiBWZXJpU2lnbiwgSW5jLiAgQWxs IFJpZ2h0cyBSZXNlcnZlZC4gQ0VSVEFJTiBXQVJSQU5USUVTIERJU0NMQUlNRUQgYW5kIExJ QUJJTElUWSBMSU1JVEVELqAOBgxghkgBhvhFAQcBAQGhDgYMYIZIAYb4RQEHAQECMCwwKhYo aHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JlcG9zaXRvcnkvQ1BTIDARBglghkgBhvhCAQEE BAMCB4AwNgYJYIZIAYb4QgEIBCkWJ2h0dHBzOi8vd3d3LnZlcmlzaWduLmNvbS9yZXBvc2l0 b3J5L0NQUzCCBIcGCWCGSAGG+EIBDQSCBHgWggR0Q0FVVElPTjogVGhlIENvbW1vbiBOYW1l IGluIHRoaXMgQ2xhc3MgMSBEaWdpdGFsIApJRCBpcyBub3QgYXV0aGVudGljYXRlZCBieSBW ZXJpU2lnbi4gSXQgbWF5IGJlIHRoZQpob2xkZXIncyByZWFsIG5hbWUgb3IgYW4gYWxpYXMu IFZlcmlTaWduIGRvZXMgYXV0aC0KZW50aWNhdGUgdGhlIGUtbWFpbCBhZGRyZXNzIG9mIHRo ZSBob2xkZXIuCgpUaGlzIGNlcnRpZmljYXRlIGluY29ycG9yYXRlcyBieSByZWZlcmVuY2Us IGFuZCAKaXRzIHVzZSBpcyBzdHJpY3RseSBzdWJqZWN0IHRvLCB0aGUgVmVyaVNpZ24gCkNl cnRpZmljYXRpb24gUHJhY3RpY2UgU3RhdGVtZW50IChDUFMpLCBhdmFpbGFibGUKaW4gdGhl IFZlcmlTaWduIHJlcG9zaXRvcnkgYXQ6IApodHRwczovL3d3dy52ZXJpc2lnbi5jb207IGJ5 IEUtbWFpbCBhdApDUFMtcmVxdWVzdHNAdmVyaXNpZ24uY29tOyBvciBieSBtYWlsIGF0IFZl cmlTaWduLApJbmMuLCAyNTkzIENvYXN0IEF2ZS4sIE1vdW50YWluIFZpZXcsIENBIDk0MDQz IFVTQQoKQ29weXJpZ2h0IChjKTE5OTYgVmVyaVNpZ24sIEluYy4gIEFsbCBSaWdodHMgClJl c2VydmVkLiBDRVJUQUlOIFdBUlJBTlRJRVMgRElTQ0xBSU1FRCBBTkQgCkxJQUJJTElUWSBM SU1JVEVELgoKV0FSTklORzogVEhFIFVTRSBPRiBUSElTIENFUlRJRklDQVRFIElTIFNUUklD VExZClNVQkpFQ1QgVE8gVEhFIFZFUklTSUdOIENFUlRJRklDQVRJT04gUFJBQ1RJQ0UKU1RB VEVNRU5ULiAgVEhFIElTU1VJTkcgQVVUSE9SSVRZIERJU0NMQUlNUyBDRVJUQUlOCklNUExJ RUQgQU5EIEVYUFJFU1MgV0FSUkFOVElFUywgSU5DTFVESU5HIFdBUlJBTlRJRVMKT0YgTUVS Q0hBTlRBQklMSVRZIE9SIEZJVE5FU1MgRk9SIEEgUEFSVElDVUxBUgpQVVJQT1NFLCBBTkQg V0lMTCBOT1QgQkUgTElBQkxFIEZPUiBDT05TRVFVRU5USUFMLApQVU5JVElWRSwgQU5EIENF UlRBSU4gT1RIRVIgREFNQUdFUy4gU0VFIFRIRSBDUFMKRk9SIERFVEFJTFMuCgpDb250ZW50 cyBvZiB0aGUgVmVyaVNpZ24gcmVnaXN0ZXJlZApub252ZXJpZmllZFN1YmplY3RBdHRyaWJ1 dGVzIGV4dGVuc2lvbiB2YWx1ZSBzaGFsbCAKbm90IGJlIGNvbnNpZGVyZWQgYXMgYWNjdXJh dGUgaW5mb3JtYXRpb24gdmFsaWRhdGVkIApieSB0aGUgSUEuMA0GCSqGSIb3DQEBBAUAA4GB AA00fYs+ZSeHAn3y/UrA5hFaMGQZVElGGB8ukDAtVDRTqgD9t1JdL2OiJ5DyYtvhS/m7YBjN dH+SnqyXydUYZbiIPshLfy2oTG+Pga8e8RLLiHvlU/uzQqNBpQNga+x9ia4T3aAb1tC5mxud EWFdLDqU22kiSFeRWU3Zh9Jizo2OMIICfTCCAeagAwIBAgIUdRNrWPOAaVd1pqJNWRBNnOp2 SvEwDQYJKoZIhvcNAQECBQAwXzELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJ bmMuMTcwNQYDVQQLEy5DbGFzcyAxIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0 aG9yaXR5MB4XDTk3MDYyNDA3MDAwMFoXDTk5MDYyNDA3MDAwMFowYjERMA8GA1UEBxMISW50 ZXJuZXQxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTQwMgYDVQQLEytWZXJpU2lnbiBDbGFz cyAxIENBIC0gSW5kaXZpZHVhbCBTdWJzY3JpYmVyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB iQKBgQC2FKbPTdAFDdjKI9BvqrQpkmOOLPhvltcunXZLEbE2jVfJw/0cxrr+Hgi6M8qV6r7j W80GqLd5HUQq7XPysVKDaBBwZJHXPmv5912dFEObbpdFmIFH0S3L3bty10w/cariQPJUObwW 7s987LrbP2wqsxaxhhKdrpM01bjV0Pc+qQIDAQABozMwMTARBglghkgBhvhCAQEEBAMCAQYw DwYDVR0TBAgwBgEB/wIBATALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQECBQADgYEAkgxL6bqT zf/a5mD9nmQDZhUvVjw4TGhKR8Xzq48l2WZDc0MVc0S+FEiBWncMzHrq2bG88ov/EbHfFFBI 3GUdC4n5oV5IUm/ttWv0uAhMOPC5iWcpD+DgN/em69T01UKpXf295558G+dPhS0EoWAuhbjr 4vrvFAUmFRhVbxOhHXEwggIxMIIBmgIFAqQAAAEwDQYJKoZIhvcNAQECBQAwXzELMAkGA1UE BhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAxIFB1Ymxp YyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2MDEyOTAwMDAwMFoXDTk5 MTIzMTIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcw NQYDVQQLEy5DbGFzcyAxIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5 MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDlGb9to1ZhLZlIcfZn3rmN67eehoAKkQ76 OCWvRoiC5XOooJskXQ0fzGVuDLDQVoQYh5oGmxChc9+0WDlrbsH2FdWoqD+qEgaNMax/sDTX jzRniAnNFBHiTkVWaR94AoDa3EeRKbs2yWNcxeDXLYd7obcysHswuiovMaruo2fa2wIDAQAB MA0GCSqGSIb3DQEBAgUAA4GBAFJzuppV3Nw/gn2wkJhiKoJMdgBuJT3VwglwVwEMD3cfGKH7 HGAOoHU7SSFB/qdcLUxCSdP/KNiM6p3+yQfid4JTI95V885Ek/r6TL3KNvNbZrKeyPIMXl7U obQhCTPKO1n8ksI4/K3ZliTgLfqjKfUzaHhOtLyfaTXiqJiUczvEMYIBWjCCAVYCAQEwdjBi MREwDwYDVQQHEwhJbnRlcm5ldDEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNDAyBgNVBAsT K1ZlcmlTaWduIENsYXNzIDEgQ0EgLSBJbmRpdmlkdWFsIFN1YnNjcmliZXICEHhfzaLUPIQW ZlqMwKN/uq0wCQYFKw4DAhoFAKB9MBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZI hvcNAQkFMQ8XDTk4MDEwNTE1NDcxMVowHgYJKoZIhvcNAQkPMREwDzANBggqhkiG9w0DAgIB KDAjBgkqhkiG9w0BCQQxFgQUvUw2hIXMhd7pzjmhowv70dA+ZdwwDQYJKoZIhvcNAQEBBQAE QF83JxCdoG8l0WhRM3xC/rhtlhfB2YZMSN/Za6dzrmGeGeVvei6xj/fkgJQdnyutqWr9NXG0 DK68C01HoAMFirM= --------------msB846C7587AF8D45A2076687C-- ================================================================================ To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================================================ From firewalls-owner Mon Jan 5 13:45:10 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA10378; Mon, 5 Jan 1998 13:15:47 -0800 (PST) Received: from moat.pweh.com ([192.54.250.131]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id MAA00140 for ; Mon, 5 Jan 1998 12:32:36 -0800 (PST) Received: (from uucp@localhost) by moat.pweh.com (8.8.8/8.8.8) id PAA10742 for ; Mon, 5 Jan 1998 15:32:44 -0500 (EST) Received: from drawbridge.eh.pweh.com(191.29.71.250) by moat.pweh.com via smap (4.0a) id xma010708; Mon, 5 Jan 98 15:32:41 -0500 Received: (from uucp@localhost) by drawbridge.eh.pweh.com (8.8.8/8.8.8) id PAA16539 for ; Mon, 5 Jan 1998 15:32:40 -0500 (EST) Received: from fs17005.eh.pweh.com(191.29.170.5) by drawbridge.eh.pweh.com via smap (4.0a) id xma016461; Mon, 5 Jan 98 15:32:33 -0500 Received: from clbdev2.eh.pweh.com by pweh011.eh.pweh.com (SMI-8.6/SMI-SVR4) id PAA29328; Mon, 5 Jan 1998 15:32:31 -0500 Received: (from miorelli@localhost) by clbdev2.eh.pweh.com (8.8.5/8.8.5) id PAA05221 for firewalls@greatcircle.com; Mon, 5 Jan 1998 15:32:32 -0500 (EST) Date: Mon, 5 Jan 98 15:32 EST From: BoB Miorelli To: firewalls@greatcircle.com Received: from miorelli by clbdev2.eh.pweh.com; Mon, 5 Jan 98 15:32 EST Subject: NT Web proxy server Content-Type: text/plain Message-ID: <34b1435f0.1464@clbdev2.eh.pweh.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi -- I'm looking for a Web proxy server that does caching for my kid's school (K-8). The computer lab is networked to a server which would run the proxy. The server is a Pentium running NT 4.0. I'm looking for recommendations on proxy server software from anyone that is running it on NT 4.0 using a dialup-on-demand type of setup. The only proxy servers for NT that I am aware of are Microsoft and Netscape, but I'm sure there are others. Any and all comments are welcome. Thanks. -->BoB -->BoB Miorelli, Pratt & Whitney miorelli@pweh.com ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In theory, theory and practice are the same; in practice they are distinct. From firewalls-owner Mon Jan 5 13:59:56 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA08519; Mon, 5 Jan 1998 13:08:00 -0800 (PST) Received: from c00069-100lez.eos.ncsu.edu (c00069-100lez.eos.ncsu.edu [152.1.26.28]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id NAA08482 for ; Mon, 5 Jan 1998 13:07:50 -0800 (PST) Received: from localhost (jkwilli2@localhost) by c00069-100lez.eos.ncsu.edu (8.8.4/EC02Jan97) with SMTP id QAA23031; Mon, 5 Jan 1998 16:07:54 -0500 (EST) X-Authentication-Warning: c00069-100lez.eos.ncsu.edu: jkwilli2 owned process doing -bs Date: Mon, 5 Jan 1998 16:07:53 -0500 (EST) From: Ken Williams X-Sender: jkwilli2@c00069-100lez.eos.ncsu.edu To: fw-list@dart.org cc: firewalls@GreatCircle.COM Subject: Re: land.c hack code In-Reply-To: <7724B134818D357C%7724B134818D357C@dart.org> Message-ID: X-Bullshit: The header is genuine....WTF did you expect? MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Mon, 5 Jan 1998 fw-list@dart.org wrote: >Message Source: http://207.86.10.38/msg/fw-list/M908.HTM >>From: Darwin Collins > > >Does anyone know where I can get a copy of the land.c hack code. > >Basically, I need to test some homebrewed stuff, and see if it can handle it. > >Thanks > you can get a copy of land.c and also the enhanced version, latierra.c, from http://www.rootshell.com the specific URL's for these two are: http://www.rootshell.com/archive-acz9smq232qz7avi9jeacjvd/199711/land.c http://www.rootshell.com/archive-acz9smq232qz7avi9jeacjvd/199711/latierra.c for reference, they are in the Nov '97 archive at rootshell.com. you will also probably want to check out teardrop.c too. the URL for that source code is: http://www.rootshell.com/archive-acz9smq232qz7avi9jeacjvd/199711/teardrop.c hasta, Ken /<--------------{ TATTOOMAN -aka- rute }-------------->\ NCSU Computer Science Member of E.H.A.P. jkwilli2@unity.ncsu.edu http://www.hackers.com/ehap/ UNIX ICQ UIN# 4231260 ehap@hackers.com FTP Site: ftp://152.7.11.38/pub/personal/tattooman/ WWW 2: http://www4.ncsu.edu/~jkwilli2/ \<---------{ http://152.7.11.38/~tattooman/ }--------->/ From firewalls-owner Mon Jan 5 14:28:37 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA14728; Mon, 5 Jan 1998 13:47:42 -0800 (PST) Received: from mailgw1.almaden.ibm.com ([198.4.83.39]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id NAA14721 for ; Mon, 5 Jan 1998 13:47:38 -0800 (PST) From: trall@almaden.ibm.com Received: by mailgw1.almaden.ibm.com(Lotus SMTP MTA SMTP v4.6 (462.2 9-3-1997)) id 88256583.0077C768 ; Mon, 5 Jan 1998 13:48:18 -0800 X-Lotus-FromDomain: ALMADEN To: Firewalls@GreatCircle.COM Message-ID: <88256583.00757996.00@mailgw1.almaden.ibm.com> Date: Mon, 5 Jan 1998 13:47:38 -0800 Subject: Re: Hardware for seperating LAN from dialouts Mime-Version: 1.0 Content-type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Ian KC Worrell wrote: >I use my lap top in the office, and it has both a network card and a modem >in it. As my office network is on a different IP address range that my >Internet Connection, I can actually have both connected at the same time! > >There seems to be no problem with the routing at all! >At 10:10 AM 1/5/98 +1000, Norman Widders wrote: >>Just wondered if anybody has used those hardware devices >>that disable LAN connections while a modem dials out >>to the Internet. >> >>It detects when the modem is active thus severing the >>link to the LAN physically and reconnects the LAN >>once the modem has disconnected from the LAN. >> >>The device is connected to both the modem and LAN and >>sounds good in theory and I am just wondering >>what other peoples experience with these are, at $85 >>it is an ideal solution for small organisations >>that just want to poll their ISP a few times a day >>for email. Yes, it's generally possible to arrange the routing so that you can simultaneously connect with a modem and your lan interface. And that's fine if you don't care about security (but then why are you posting to this list?). Assuming the lan is behind a firewall, most administrators don't want uncontrolled lan machines connecting directly to the Internet. There is a degree of protection obtained if the machine is disconnected from the lan while the modem is being used to access the Internet (and a device that does this automatically would make this easier). But when you hangup and reconnect your lan, you're still exposing the lan to viruses, etc. that were acquired while dialed to the Internet. A trojan horse could, for example, slurp up confidential data on your lan, then dial the Internet (or wait until the next time you do it), and send the data to your competitor. In summary, you probably shouldn't do this at all unless the dialing host is reasonably secure itself. Tony Rall From firewalls-owner Mon Jan 5 15:22:42 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA21008; Mon, 5 Jan 1998 14:22:30 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id OAA20778 for ; Mon, 5 Jan 1998 14:21:49 -0800 (PST) Received: from magna.com.au by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id OAA16965; Mon, 5 Jan 1998 14:20:27 -0800 (PST) Received: from magna.magna.com.au (saccess-01-082.magna.com.au [203.111.79.82]) by magna.com.au (8.8.5/8.6.10) with SMTP id JAA13462; Tue, 6 Jan 1998 09:20:58 +1100 (EST) Date: Tue, 6 Jan 1998 09:20:58 +1100 (EST) Message-Id: <199801052220.JAA13462@magna.com.au> X-Sender: iank@magna.com.au X-Mailer: Windows Eudora Light Version 1.5.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: Ian KC Worrell From: Ian Krieger Subject: Re: Hardware for seperating LAN from dialouts Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Sorry I may be mistaken but most users would be running windows 95 on their laptops and desktops in offices, sorry guys, Win95 dosen't support IP routing,like there's a supprise, hence you would not need to overly worry about having to sever you network connection when wanting to retrieve mail every once and again. If I have misunderstood the question / query, well hey I'm only human. Ian. At 11:05 AM 1/5/98 -0400, you wrote: >I use my lap top in the office, and it has both a network card and a modem >in it. As my office network is on a different IP address range that my >Internet Connection, I can actually have both connected at the same time! > >There seems to be no problem with the routing at all! > >Ian > >At 10:10 AM 1/5/98 +1000, Norman Widders wrote: >>Just wondered if anybody has used those hardware devices >>that disable LAN connections while a modem dials out >>to the Internet. >> >>It detects when the modem is active thus severing the >>link to the LAN physically and reconnects the LAN >>once the modem has disconnected from the LAN. >> >>The device is connected to both the modem and LAN and >>sounds good in theory and I am just wondering >>what other peoples experience with these are, at $85 >>it is an ideal solution for small organisations >>that just want to poll their ISP a few times a day >>for email. >> >>-- >>Wheres my valium ? >> >> >> >> > > > ---------------------------------------------------------------- Ian W Krieger IanK@Magna.com.au "qlm tera'ngan!" - Translated from Klingon "Attention Earther!" From firewalls-owner Mon Jan 5 16:00:15 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA09148; Mon, 5 Jan 1998 15:48:19 -0800 (PST) Received: from ns.acadiacom.net (ns.acadiacom.net [206.104.52.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id PAA08950 for ; Mon, 5 Jan 1998 15:47:45 -0800 (PST) Received: from unitedcouncil.org (unverified [206.104.52.77]) by ns.acadiacom.net (Rockliffe SMTPRA 2.1.4) with ESMTP id for ; Mon, 05 Jan 1998 17:50:36 -0600 Message-ID: <348689F7.F62A57A2@unitedcouncil.org> Date: Thu, 04 Dec 1997 05:46:16 -0500 From: Sandman Reply-To: sandman@unitedcouncil.org X-Mailer: Mozilla 4.04 [en] (Win95; I) MIME-Version: 1.0 To: firewalls@GreatCircle.COM Subject: Re: land.c hack code References: <7724B134818D357C%7724B134818D357C@dart.org> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk http://www.unitedcouncil.org has it in the The C Source Code Library. -Sandman The United Council http://www.unitedcouncil.org sandman@unitedcouncil From firewalls-owner Mon Jan 5 16:14:41 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id QAA11611; Mon, 5 Jan 1998 16:01:58 -0800 (PST) Received: from inergen.sybase.com (inergen.sybase.com [192.138.151.43]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id QAA11560 for ; Mon, 5 Jan 1998 16:01:43 -0800 (PST) Received: from smtp1.sybase.com (sybgate.sybase.com [130.214.220.35]) by inergen.sybase.com (8.8.4/8.8.4) with SMTP id QAA20812; Mon, 5 Jan 1998 16:03:28 -0800 (PST) Received: from by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) id AB09026; Mon, 5 Jan 98 16:04:41 PST Received: by gwwest.sybase.com(Lotus SMTP MTA v1.1 (385.6 5-6-1997)) id 88256584.00007D14 ; Mon, 5 Jan 1998 16:05:20 -0800 X-Lotus-Fromdomain: SYBASENOTES From: "Ryan Russell" To: iank@magna.com.au Cc: ian@sunbeach.net, firewalls@GreatCircle.COM Message-Id: <88256583.00839BF7.00@gwwest.sybase.com> Date: Mon, 5 Jan 1998 16:00:07 -0800 Subject: Re: Hardware for seperating LAN from dialouts Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Actually, Win95 DOES support routing. And, I'm told it even works in OSR2. The point is, it doesn't need to route. If you're connected to the Internet & your LAN at the same time, and I break into your machine (via the Internet,) I now have control of a machine on your LAN. It's against MY company policy... as the saying goes, your paranoia level may vary.. Ryan iank@magna.com.au on 01/05/98 02:20:58 PM To: ian@sunbeach.net cc: firewalls@GreatCircle.COM (bcc: Ryan Russell/SYBASE) Subject: Re: Hardware for seperating LAN from dialouts Sorry I may be mistaken but most users would be running windows 95 on their laptops and desktops in offices, sorry guys, Win95 dosen't support IP routing,like there's a supprise, hence you would not need to overly worry about having to sever you network connection when wanting to retrieve mail every once and again. If I have misunderstood the question / query, well hey I'm only human. Ian. At 11:05 AM 1/5/98 -0400, you wrote: >I use my lap top in the office, and it has both a network card and a modem >in it. As my office network is on a different IP address range that my >Internet Connection, I can actually have both connected at the same time! > >There seems to be no problem with the routing at all! > >Ian > >At 10:10 AM 1/5/98 +1000, Norman Widders wrote: >>Just wondered if anybody has used those hardware devices >>that disable LAN connections while a modem dials out >>to the Internet. >> >>It detects when the modem is active thus severing the >>link to the LAN physically and reconnects the LAN >>once the modem has disconnected from the LAN. >> >>The device is connected to both the modem and LAN and >>sounds good in theory and I am just wondering >>what other peoples experience with these are, at $85 >>it is an ideal solution for small organisations >>that just want to poll their ISP a few times a day >>for email. >> >>-- >>Wheres my valium ? >> >> >> >> > > > ---------------------------------------------------------------- Ian W Krieger IanK@Magna.com.au "qlm tera'ngan!" - Translated from Klingon "Attention Earther!" From firewalls-owner Mon Jan 5 18:07:53 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id RAA28114; Mon, 5 Jan 1998 17:49:27 -0800 (PST) Received: from hq.si.net (hq.si.net [192.156.192.10]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id RAA28039 for ; Mon, 5 Jan 1998 17:49:10 -0800 (PST) Received: from hq.si.net (hq [192.156.192.10]) by hq.si.net (8.8.5/8.7.3) with SMTP id UAA22068 for ; Mon, 5 Jan 1998 20:51:10 -0500 (EST) Date: Mon, 5 Jan 1998 20:51:10 -0500 (EST) From: Ming Lu To: firewalls@GreatCircle.COM Subject: Bank Security Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi all: I am looking any info regarding bank security requirements (I know that it is a knid of sensetive...:-)) and implementations. It would be greatly appreciated if anyone can help on this. TIA _ming From firewalls-owner Mon Jan 5 18:29:55 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id RAA27207; Mon, 5 Jan 1998 17:45:00 -0800 (PST) Received: from mtigwc04.worldnet.att.net (mtigwc04.worldnet.att.net [204.127.131.33]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id RAA26975 for ; Mon, 5 Jan 1998 17:44:17 -0800 (PST) From: mht@clark.net Received: from highlander ([12.68.178.197]) by mtigwc04.worldnet.att.net (post.office MTA v2.0 0613 ) with SMTP id AAB17479; Tue, 6 Jan 1998 01:44:26 +0000 Message-Id: <3.0.3.32.19980105203733.00a62540@pop3.clark.net> X-Sender: mht@pop3.clark.net X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Mon, 05 Jan 1998 20:37:33 -0500 To: Ian Poynter , MarkusLindingerHamburg@t-online.de (Lindinger), firewalls@GreatCircle.COM Subject: Re: Comparision of Firewall Products In-Reply-To: <3.0.3.32.19980105102235.00af6230@squirrel> References: <3.0.3.32.19980105081940.00808730@pop3.clark.net> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 10:22 AM 1/5/98 -0500, Ian Poynter wrote: >-----BEGIN PGP SIGNED MESSAGE----- >Hash: SHA1 > >At 08:19 AM 1/5/98 -0500, mht@clark.net wrote: >>I think LAN TIMES did a comparison report a while back. Check out >>www.lantimes.com > >Be careful with this one, the test methodology didn't look at security at all >(see http://www.lantimes.com/97/97aug/708a060c.html; they didn't test >installation either). I wasn't completely happy that the performance numbers >were comparing apples with apples either. Still, it's useful as a feature >comparison, though. Yes, I will tend to agree with Ian on his point, the test methodology used did not test the installation procedures, but listed features of each, pros and cons. But as Ian points out it is a starting point in comparison testing. :) > >>Your security policy, network architecture, business model, needs and >>technical resources, etc should also factor into your equation while >>evaluating the different firewall systems. >> >>A firewall is just one component of many when installing a firewall >>system for your particular organization. > >Now this I agree with :-). To add to this point, on each point stated, a rating or point should be assigned to each factor when evaluating a firewall system, either you can use a scale of 1-10 when evaluating a solution or solutions to a particular organization.. /mht > >Ian > > >-----BEGIN PGP SIGNATURE----- >Version: PGP for Personal Privacy 5.0 >Charset: noconv > >iQA/AwUBNLD6usj1wUcX1Ha3EQID8QCg2Q6gT0RaW4kQMP+WBWQ3bAH70GoAnj0S >hf30Ml+vAOoa4IGD/fiTstGN >=lXXh >-----END PGP SIGNATURE----- > >----- >Ian Poynter ian@jerboa.com >Jerboa, Inc. +1-617-492-8084 >PO Box 382648, Cambridge, MA 02238 http://www.jerboa.com >Providing unbiased Internet consulting for businesses. >Fingerprints RSA: BA 0C 82 C5 F2 03 3D 95 7C CE FD D3 57 4E 15 73 > DSS: 2769 277A 9F69 F605 3743 D574 C8F5 C147 17D4 76B7 > > ------------------------------------------------------ "GREETINGS PROFESSOR FALKEN." "SHALL WE PLAY A GAME??" ------------------------------------------------------ From firewalls-owner Mon Jan 5 20:15:40 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id UAA16605; Mon, 5 Jan 1998 20:09:20 -0800 (PST) Received: from mail.atl.bellsouth.net (mail.atl.bellsouth.net [205.152.0.21]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id UAA16597 for ; Mon, 5 Jan 1998 20:09:14 -0800 (PST) Received: from nope (bims008201.bims.bellsouth.net [205.152.8.201]) by mail.atl.bellsouth.net (8.8.5/8.8.5) with ESMTP id XAA10773; Mon, 5 Jan 1998 23:10:08 -0500 (EST) Message-Id: <199801060410.XAA10773@mail.atl.bellsouth.net> From: "Steve Jackson Brown" To: , Subject: Re: SessionWall 3 release 2 vs Network Flight Recorder?? Date: Mon, 5 Jan 1998 23:04:33 -0500 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1161 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Yes, I tend to agree with you on that. RealSecure is a very powerful > tool, but it requires a clear understanding in what options you > choose in a particular environment when using it.. Here are two Abirnet vs. RealSecure comparisions I found on ww.zdnet.com: http://www.zdnet.com/pcweek/reviews/0421/21wall.html and http://www.zdnet.com/pcweek/reviews/0929/29wall.html It looks to me from the review that one is a swiss-army knife that watches all kind of network issues and one is optimized for network security. Read the reviews to form your own opinion. In searching for comparisions, the most recent Top Technology Picks for '97 of PC Week was IDS technology: http://www.zdnet.com/pcweek/sr/1222/22netb.html So far now, 2 magazines picked IDS as a top technology released in 1997. It will be interesting to find out what new technology is going to be released in 1998. Anyone know of any reviews of other IDS systems? > Overall, I wish one of the local trades magazines would initiate a > Consumer Report comparison of the current IDS tools or "clue- > gathering tools" available and new ones that are emerging... (HINT, > HINT) Is NFR really an intrusion detection system? From the web site, www.nfr.com, "NFRs provide valuable information about the growth of your network, its usage patterns, bottlenecks and potential mis-configurations, and more. Imagine the usefulness of being able to learn how any aspect of your network has changed over time! NFR also lets you store and browse data you want to gather as it passes through or within your network." This description seems like performance monitoring and network traffic policy monitoring. It's probably possible someone could build an intrusion detection system with NFR. NFR itself does not seem like an intrusion detection package. Maybe CSI or NCSA could do the "Consumer Reports" of IDS tools. From firewalls-owner Mon Jan 5 22:14:43 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id WAA25455; Mon, 5 Jan 1998 22:04:28 -0800 (PST) Received: from aims.gov.au (pearl.aims.gov.au [138.7.32.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id WAA25445 for ; Mon, 5 Jan 1998 22:04:22 -0800 (PST) Received: from aims.gov.au by aims.gov.au (SMI-8.6/SMI-SVR4) id QAA10286; Tue, 6 Jan 1998 16:04:36 +1000 Message-ID: <34B1C8DC.2BE94D49@aims.gov.au> Date: Tue, 06 Jan 1998 16:02:04 +1000 From: Kerry Jones X-Mailer: Mozilla 4.04 [en] (WinNT; I) MIME-Version: 1.0 To: firewalls@greatcircle.com Subject: DNS on firewall?? Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, Simple question. Is it a good idea to run a DNS server on a Firewall????? AUNIC require at least 2 DNS servers, so I am trying to decide where to configure the 2nd DNS server for our domain (Primary one is currently on the DMZ). Will putting the secondary DNS on the firewall create a security hole in the Firewall which would best be avoided???????? Is it acceptable (secure) to put the DNS and other services (e.g. http/ftp) on the Firewall?? What do you think?? What are your opinions?? I have a fairly standard setup as follows; Internet | router | firewall - dmz (1 machine: http/ftp/dns) | internal network. -- Kerry Jones kjones@aims.gov.au From firewalls-owner Mon Jan 5 22:59:34 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id WAA00600; Mon, 5 Jan 1998 22:46:15 -0800 (PST) Received: from imo18.mx.aol.com (imo18.mx.aol.com [198.81.19.175]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id WAA00593 for ; Mon, 5 Jan 1998 22:46:11 -0800 (PST) From: MYundt Message-ID: <6dda8f0f.34b1d341@aol.com> Date: Tue, 6 Jan 1998 01:46:24 EST To: firewalls@GreatCircle.COM Subject: tocom Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7bit Organization: AOL (http://www.aol.com) X-Mailer: Inet_Mail_Out (IMOv11) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I have a tocom 5507 and I was wondering about a replacement From firewalls-owner Mon Jan 5 23:44:33 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA03366; Mon, 5 Jan 1998 23:35:11 -0800 (PST) Received: from relay1.shore.net (relay1.shore.net [192.233.85.129]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id XAA03348 for ; Mon, 5 Jan 1998 23:35:03 -0800 (PST) Received: from [198.115.179.81] (vin.shore.net [198.115.179.81]) by relay1.shore.net (8.8.7/8.8.7) with ESMTP id CAA27133; Tue, 6 Jan 1998 02:35:10 -0500 (EST) Message-Id: In-Reply-To: Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Date: Tue, 6 Jan 1998 02:35:10 -0500 To: Ming Lu From: Vin McLellan Subject: Re: Bank Security Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Ming Lu wrote: > >I am looking any info regarding bank security requirements (I know that >it is a knid of sensetive...:-)) and implementations. It would be greatly >appreciated if anyone can help on this. Hi Ming: As you doubtless know, US government export policy tries to limit the relative strength of the crypto used in international commerce so as to sustain its eavesdropping and signals intelligence capabilities. In some product categories, Web-based transactions among them, the US government allows US vendors to supply strong crypto to banks for certain types of web-based transactions. Even then, however, there are typically constraints on _exactly_ what type of "financial" info can be strongly encrypted in the "enhanced" SSL channel and on what type of banking institution is allowed to use those servers. To qualify for access to strong SSL products from US vendors, an international bank must be further qualified by a American CA. Non-Americans who seek strong crypto for web-based commerce and online banking transactions might be interested in three rather 1. Fortify: http://www.geocities.com/Eureka/Plaza/6333/ "Fortify is a program that provides world-wide, unconditional, full strength 128-bit cryptography to users of Netscape Navigator (v3) and Communicator (v4)." 2. Xpresso and Twister: http://www.brokat.com/uk/solutions.html "The XPRESSO Security Package=AE consists of the XPRESSO Security Server, which is integrated into the existing web server environment of an Internet service provider, and the Java based XPRESSO Client, which can easily be loaded and executed in the customer's browser. After loading the XPRESSO Client in the browser via a standard SSL browser/web server channel, an additional 128 bit encrypted channel is installed between the XPRESSO Client and the XPRESSO Security Server. " ("The XPRESSO Security Package=AE is one gateway of the electronic services delivery platform BROKAT Twister, which forms the basis for most BROKAT Internet banking solutions. Twister allows the easy and flexible integration= of online transactions in arbitrary system environments.") 3. Stronghold and Safe Passage: http://stronghold.ukweb.com/ "The popular Stronghold server and the new Safe Passage web proxy together provide complete point-to-point 128-bit (or greater) encryption. " Surete, _Vin "Cryptography is like literacy in the Dark Ages. Infinitely potent, for good and ill... yet basically an intellectual construct, an idea, which by its nature will resist efforts to restrict it to bureaucrats and others who deem only themselves worthy of such Privilege." _ A thinking man's Creed for Crypto/ vbm. * Vin McLellan + The Privacy Guild + * 53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548 From firewalls-owner Tue Jan 6 02:14:53 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA16934; Tue, 6 Jan 1998 02:11:22 -0800 (PST) Received: from mail1.teleport.com (mail1.teleport.com [192.108.254.26]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id CAA16925 for ; Tue, 6 Jan 1998 02:11:16 -0800 (PST) Received: from dark_corner (ip-pdx35-38.teleport.com [206.163.127.118]) by mail1.teleport.com (8.8.7/8.7.3) with SMTP id CAA25879; Tue, 6 Jan 1998 02:11:27 -0800 (PST) Message-Id: <199801061011.CAA25879@mail1.teleport.com> X-Sender: signe@mail.teleport.com X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0 Date: Tue, 06 Jan 1998 02:11:07 -0800 To: Ken Williams , fw-list@dart.org From: Jay Rossiter / Signe Subject: Re: land.c hack code Cc: firewalls@GreatCircle.COM In-Reply-To: References: <7724B134818D357C%7724B134818D357C@dart.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 16:07 98/01/05 -0500, Ken Williams wrote: >you can get a copy of land.c and also the enhanced version, latierra.c, >from http://www.rootshell.com >the specific URL's for these two are: >http://www.rootshell.com/archive-acz9smq232qz7avi9jeacjvd/199711/land.c >http://www.rootshell.com/archive-acz9smq232qz7avi9jeacjvd/199711/latierra.c ...One minor problem with giving the URLs for those files out, is that the directories they are in change at regular intervals. (As stated on the rootshell website) The 'archive-acz9smq232qz7avi9jeacjvd" is just a random alphanumeric string that it generates. --- PGP Located on PGP Keyservers, and by fingering 'ammonia@teleport.com' Key fingerprint = BF 2D 7E F4 41 A5 FD 30 B1 91 1D BA 35 28 A4 8C =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= GCS/GAT d- s:- a--- C++++ S+++ P+ L++ E---- W+++ N+++ o-- K- w++++ O---- M-- V-- PS+ PE Y+ PGP++ t+ 5 X+ R+++ tv-- b+ DI+++ D++ G++ e h++ r+++ z** From firewalls-owner Tue Jan 6 02:29:41 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA18243; Tue, 6 Jan 1998 02:22:04 -0800 (PST) Received: from promete.tetm.tubitak.gov.tr (promete.tetm.tubitak.gov.tr [193.140.80.8]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id CAA18140 for ; Tue, 6 Jan 1998 02:21:45 -0800 (PST) Received: from localhost by promete.tetm.tubitak.gov.tr; (5.65/1.1.8.2/27Dec95-0156PM) id AA26397; Tue, 6 Jan 1998 12:22:27 +0300 Date: Tue, 6 Jan 1998 12:22:27 +0300 (EET) From: Levent Yuce To: firewalls@GreatCircle.COM Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, I am new in this mailling list ,I am very interested in security ,I would like to receive some addresses about security and more info that you can send to my address. With my best wishes Levent yuce ylevent@tubitak.gov.tr From firewalls-owner Tue Jan 6 04:14:50 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id EAA00951; Tue, 6 Jan 1998 04:11:13 -0800 (PST) Received: from server-one ([207.0.213.4]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id EAA00944 for ; Tue, 6 Jan 1998 04:11:08 -0800 (PST) Received: from [207.0.213.5] by server-one (NTMail 3.02.13) with ESMTP id wa175704 for ; Tue, 6 Jan 1998 08:11:18 -0400 Reply-To: "Esteban Vasquez" From: "Esteban Vasquez" To: "BoB Miorelli" , Subject: Re: NT Web proxy server Date: Tue, 6 Jan 1998 08:11:21 -0400 Message-ID: <01bd1a9c$33439790$05d500cf@administrativo.iamnet.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.71.1712.3 X-MimeOLE: Produced By Microsoft MimeOLE V4.71.1712.3 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Try wingate at www.wingate.net -----Original Message----- From: BoB Miorelli To: firewalls@greatcircle.com Date: Lunes 5 de Enero de 1998 06:23 PM Subject: NT Web proxy server >Hi -- > >I'm looking for a Web proxy server that does caching for >my kid's school (K-8). The computer lab is networked >to a server which would run the proxy. The server >is a Pentium running NT 4.0. I'm looking for >recommendations on proxy server software from anyone >that is running it on NT 4.0 using a dialup-on-demand >type of setup. The only proxy servers for NT that >I am aware of are Microsoft and Netscape, but I'm >sure there are others. > >Any and all comments are welcome. > >Thanks. > >-->BoB > > >-->BoB Miorelli, Pratt & Whitney >miorelli@pweh.com >~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >In theory, theory and practice are the same; >in practice they are distinct. From firewalls-owner Tue Jan 6 04:59:34 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id EAA02281; Tue, 6 Jan 1998 04:54:19 -0800 (PST) Received: from mail-syd.atinet.com.au (atinet.com.au [203.35.110.3]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id EAA02267 for ; Tue, 6 Jan 1998 04:54:05 -0800 (PST) Received: from ppp-137.atinet.com.au (ppp-137.atinet.com.au [203.35.110.137]) by mail-syd.atinet.com.au (NTMail 3.02.13) with ESMTP id ba025637 for ; Tue, 6 Jan 1998 23:53:30 +1100 Received: from beethoven (beethoven.winspace.net [192.168.0.2]) by mozart.winspace.net (8.8.8/8.7.3) with SMTP id WAA23922; Tue, 6 Jan 1998 22:08:49 +1100 From: "Norman Widders" Date: Tue, 6 Jan 1998 22:08:59 +1000 (GMT) Subject: Re: Hardware for seperating LAN from dialouts To: Reply-To: Organization: Paladin Corporation Message-Id: X-Mailer: Paladin IMAP4 Client v2.33 In-Reply-To: <199801052220.JAA13462@magna.com.au> References: <199801052220.JAA13462@magna.com.au> Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Content-Transfer-Encoding: 7BIT Content-ID: X-Info: All Things Internet POP3 Server Sender: firewalls-owner@GreatCircle.COM Precedence: bulk hmmm further to seperating the LAN while dialing out with the modem.. quoting mjr, the only 100% solution is physically cutting the wire or words to that effect.. which is what the device is _supposed_ to do while the unix boxen is connected to the (C) Internet. -- wheres my valium ? From firewalls-owner Tue Jan 6 05:14:53 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id EAA02282; Tue, 6 Jan 1998 04:54:27 -0800 (PST) Received: from mail-syd.atinet.com.au (atinet.com.au [203.35.110.3]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id EAA02268 for ; Tue, 6 Jan 1998 04:54:10 -0800 (PST) Received: from ppp-137.atinet.com.au (ppp-137.atinet.com.au [203.35.110.137]) by mail-syd.atinet.com.au (NTMail 3.02.13) with ESMTP id ca025638 for ; Tue, 6 Jan 1998 23:53:33 +1100 Received: from beethoven (beethoven.winspace.net [192.168.0.2]) by mozart.winspace.net (8.8.8/8.7.3) with SMTP id WAA23861; Tue, 6 Jan 1998 22:02:19 +1100 From: "Norman Widders" Date: Tue, 6 Jan 1998 22:02:28 +1000 (GMT) Subject: Re: Hardware for seperating LAN from dialouts To: Reply-To: Organization: Paladin Corporation Message-Id: X-Mailer: Paladin IMAP4 Client v2.33 In-Reply-To: <199801052220.JAA13462@magna.com.au> References: <199801052220.JAA13462@magna.com.au> Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Content-Transfer-Encoding: 7BIT Content-ID: X-Info: All Things Internet POP3 Server Sender: firewalls-owner@GreatCircle.COM Precedence: bulk running win95 ? no routing/forwarding ? no The modem is on a BSD box that dials out, whether it has routing/forwarding or not is not the issue.. The issue is that the unix box _if_ it was taken over could be used to launch attacks against the LAN and internal servers... another scenario mentioned is that if the box was comprimised whats to stop the attacker enabling routing/forwarding, lowering all defences, and then forcing a reboot... next time it dials out.. wham ! A hardware device that physically disconnects the rj45 while the modem is alive sounds nice... ymmv Who the hell gives users modems on their desk anyway, shoot first ask questions later, imho. -- wheres my valium ? From firewalls-owner Tue Jan 6 05:29:49 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id EAA02244; Tue, 6 Jan 1998 04:53:52 -0800 (PST) Received: from mail-gw1.fmso.navy.mil (mail-gw1.fmso.navy.mil [138.155.40.24]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id EAA02217 for ; Tue, 6 Jan 1998 04:53:43 -0800 (PST) Received: from 138.155.40.96 (moose.fmso.navy.mil [138.155.40.96]) by mail-gw1.fmso.navy.mil (8.8.5/8.6.12) with ESMTP id HAA21201 for ; Tue, 6 Jan 1998 07:06:44 -0500 Received: from fmso.navy.mil (unverified [138.155.40.100]) by 138.155.40.96 (Integralis SMTPRS 2.04) with SMTP id ; Tue, 06 Jan 1998 07:49:06 -0500 Received: from ccMail by fmso.navy.mil (IMA Internet Exchange 2.12 Enterprise) id 00062295; Tue, 6 Jan 1998 07:55:41 -0500 MIME-Version: 1.0 Date: Tue, 6 Jan 1998 07:49:23 -0500 Message-Id: <00062295.001261@mech.disa.mil> From: RANDAL_LATHROP@mech.disa.mil (RANDAL LATHROP) Subject: Re[2]: Hardware for seperating LAN from dialouts To: Ian KC Worrell , Ian Krieger Cc: firewalls@greatcircle.com Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Description: cc:Mail note part Sender: firewalls-owner@GreatCircle.COM Precedence: bulk With Windows 95 (even WfWg 3.11) you can have multiple network interfaces each with a separate IP address and IP packets will be routed properly. For this to work, you must set up a static routing table. For the situation described below you can reach both the LAN through the network card and the Internet through the modem simultaneously. If the LAN does not have any connectivity to the Internet, the default router would be out through the modem connection. Static routes must be set up for IP addresses on the LAN that are on different network segments than your network card. Windows 95 will not learn dynamic routes and it will not forward IP packets. If you set the "Enable IP Routing" checkbox in TCP/IP properties on a Windows 95 system, you will lock-up it when it is restarted (back up your registry before doing this). ______________________________ Reply Separator _________________________________ Subject: Re: Hardware for seperating LAN from dialouts Author: Ian Krieger at internet-emh1 Date: 1/6/98 9:20 AM Sorry I may be mistaken but most users would be running windows 95 on their laptops and desktops in offices, sorry guys, Win95 dosen't support IP routing,like there's a supprise, hence you would not need to overly worry about having to sever you network connection when wanting to retrieve mail every once and again. If I have misunderstood the question / query, well hey I'm only human. Ian. At 11:05 AM 1/5/98 -0400, you wrote: >I use my lap top in the office, and it has both a network card and a modem >in it. As my office network is on a different IP address range that my >Internet Connection, I can actually have both connected at the same time! > >There seems to be no problem with the routing at all! > >Ian > >At 10:10 AM 1/5/98 +1000, Norman Widders wrote: >>Just wondered if anybody has used those hardware devices >>that disable LAN connections while a modem dials out >>to the Internet. >> >>It detects when the modem is active thus severing the >>link to the LAN physically and reconnects the LAN >>once the modem has disconnected from the LAN. >> >>The device is connected to both the modem and LAN and >>sounds good in theory and I am just wondering >>what other peoples experience with these are, at $85 >>it is an ideal solution for small organisations >>that just want to poll their ISP a few times a day >>for email. >> >>-- >>Wheres my valium ? >> >> >> >> > > > ---------------------------------------------------------------- Ian W Krieger IanK@Magna.com.au "qlm tera'ngan!" - Translated from Klingon "Attention Earther!" From firewalls-owner Tue Jan 6 05:44:55 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id EAA02432; Tue, 6 Jan 1998 04:58:30 -0800 (PST) Received: from mail-gw1.fmso.navy.mil (mail-gw1.fmso.navy.mil [138.155.40.24]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id EAA02421 for ; Tue, 6 Jan 1998 04:58:23 -0800 (PST) Received: from 138.155.40.96 (moose.fmso.navy.mil [138.155.40.96]) by mail-gw1.fmso.navy.mil (8.8.5/8.6.12) with ESMTP id HAA21409 for ; Tue, 6 Jan 1998 07:11:26 -0500 Received: from fmso.navy.mil (unverified [138.155.40.100]) by 138.155.40.96 (Integralis SMTPRS 2.04) with SMTP id ; Tue, 06 Jan 1998 07:53:06 -0500 Received: from ccMail by fmso.navy.mil (IMA Internet Exchange 2.12 Enterprise) id 000622BB; Tue, 6 Jan 1998 07:59:18 -0500 MIME-Version: 1.0 Date: Tue, 6 Jan 1998 07:52:57 -0500 Message-Id: <000622BB.001261@mech.disa.mil> From: RANDAL_LATHROP@mech.disa.mil (RANDAL LATHROP) Subject: Re[2]: Hardware for seperating LAN from dialouts To: iank@magna.com.au, "Ryan Russell" Cc: ian@sunbeach.net, firewalls@greatcircle.com Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Description: cc:Mail note part Sender: firewalls-owner@GreatCircle.COM Precedence: bulk But this is true only if you are running a service (daemon) that can be exploited. If you do not share any resources on your system, are not running FTPD, TELNETD, or HTTPD, what else is running that can be subverted for illicit use? Randal ______________________________ Reply Separator _________________________________ Subject: Re: Hardware for seperating LAN from dialouts Author: "Ryan Russell" at internet-emh1 Date: 1/5/98 4:00 PM Actually, Win95 DOES support routing. And, I'm told it even works in OSR2. The point is, it doesn't need to route. If you're connected to the Internet & your LAN at the same time, and I break into your machine (via the Internet,) I now have control of a machine on your LAN. It's against MY company policy... as the saying goes, your paranoia level may vary.. Ryan iank@magna.com.au on 01/05/98 02:20:58 PM To: ian@sunbeach.net cc: firewalls@GreatCircle.COM (bcc: Ryan Russell/SYBASE) Subject: Re: Hardware for seperating LAN from dialouts Sorry I may be mistaken but most users would be running windows 95 on their laptops and desktops in offices, sorry guys, Win95 dosen't support IP routing,like there's a supprise, hence you would not need to overly worry about having to sever you network connection when wanting to retrieve mail every once and again. If I have misunderstood the question / query, well hey I'm only human. Ian. At 11:05 AM 1/5/98 -0400, you wrote: >I use my lap top in the office, and it has both a network card and a modem >in it. As my office network is on a different IP address range that my >Internet Connection, I can actually have both connected at the same time! > >There seems to be no problem with the routing at all! > >Ian > >At 10:10 AM 1/5/98 +1000, Norman Widders wrote: >>Just wondered if anybody has used those hardware devices >>that disable LAN connections while a modem dials out >>to the Internet. >> >>It detects when the modem is active thus severing the >>link to the LAN physically and reconnects the LAN >>once the modem has disconnected from the LAN. >> >>The device is connected to both the modem and LAN and >>sounds good in theory and I am just wondering >>what other peoples experience with these are, at $85 >>it is an ideal solution for small organisations >>that just want to poll their ISP a few times a day >>for email. >> >>-- >>Wheres my valium ? >> >> >> >> > > > ---------------------------------------------------------------- Ian W Krieger IanK@Magna.com.au "qlm tera'ngan!" - Translated from Klingon "Attention Earther!" From firewalls-owner Tue Jan 6 07:01:09 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA09711; Tue, 6 Jan 1998 05:41:57 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id FAA09693 for ; Tue, 6 Jan 1998 05:41:49 -0800 (PST) Received: from m6.sprynet.com by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id FAA20037; Tue, 6 Jan 1998 05:40:35 -0800 (PST) Received: from zepher (hdn88-048.hil.compuserve.com [206.175.98.48]) by m6.sprynet.com (8.6.12/8.6.12) with SMTP id FAA25976; Tue, 6 Jan 1998 05:41:25 -0800 Message-Id: <3.0.3.32.19980106084416.006a2dd8@m6.sprynet.com> X-Sender: jsk347@m6.sprynet.com X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Tue, 06 Jan 1998 08:44:16 -0500 To: Kerry Jones , firewalls@GreatCircle.COM From: Steve Kruse Subject: Re: DNS on firewall?? In-Reply-To: <34B1C8DC.2BE94D49@aims.gov.au> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 04:02 PM 1/6/98 +1000, Kerry Jones wrote: >Hi, > >Simple question. Is it a good idea to run a DNS server on a >Firewall????? > > ((((stuff deleted))) >-- >Kerry Jones >kjones@aims.gov.au > Kerry: Speaking "as a general rule", it would be far better to put your internal DNS on your private net and NOT on the firewall. Let the firewall be a firewall...not an application server, and that includes DNS. There are, I believe, some firewalls out there that have a "secure(???)" version of DNS that is built into them and for that, I suspose it would be OK, but unless you have one of those, I would not put it on. Far better to err on the side of safety that to save a little bit of money for the cost of a PC to run your DNS behind the firewall. Once you put your internal DNS up, some simple rules will allow the DNS traffic to get through. My US$.02...your milage may vary. Steve Kruse Milkyway Networks From firewalls-owner Tue Jan 6 07:31:09 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA15416; Tue, 6 Jan 1998 06:07:38 -0800 (PST) Received: from gargoyle.clark.net (gargoyle.clark.net [168.143.0.250]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id GAA15239 for ; Tue, 6 Jan 1998 06:06:58 -0800 (PST) Received: (qmail 24606 invoked by uid 500); 6 Jan 1998 14:13:13 -0000 Date: Tue, 6 Jan 1998 09:13:12 -0500 (EST) From: "Paul D. Robertson" X-Sender: proberts@gargoyle To: RANDAL LATHROP cc: Ian KC Worrell , Ian Krieger , firewalls@GreatCircle.COM Subject: Re: Re[2]: Hardware for seperating LAN from dialouts In-Reply-To: <00062295.001261@mech.disa.mil> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Tue, 6 Jan 1998, RANDAL LATHROP wrote: > With Windows 95 (even WfWg 3.11) you can have multiple network > interfaces each with a separate IP address and IP packets will be > routed properly. For this to work, you must set up a static routing > table. For the situation described below you can reach both the LAN *Or* you need to have a program that does routing. The Win95 original beta included such code. I doubt that it would that difficult to hack up something either. > Windows 95 will not learn dynamic routes and it will not forward IP > packets. If you set the "Enable IP Routing" checkbox in TCP/IP ^ By default, as shipped. Unless you have total control over the machine configuration, especially during Internet usage, it is best not to rely on its configuration for security. Paul ----------------------------------------------------------------------------- Paul D. Robertson "My statements in this message are personal opinions proberts@clark.net which may have no basis whatsoever in fact." PSB#9280 From firewalls-owner Tue Jan 6 07:58:04 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA08867; Tue, 6 Jan 1998 05:37:52 -0800 (PST) Received: from mailserver1.mdc.com (MAILSERVER1.LGB.CAL.BOEING.COM [129.200.140.50]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id FAA08820 for ; Tue, 6 Jan 1998 05:37:40 -0800 (PST) Received: by MAILSERVER1.MDC.COM with Internet Mail Service (5.0.1458.49) id ; Tue, 6 Jan 1998 07:39:49 -0600 Message-ID: From: "Waegner.Rick" To: firewalls@GreatCircle.COM, "'Franklin R. Jones'" Subject: RE: FW-1 3.0 and Solaris 2.6 ok? Date: Tue, 6 Jan 1998 07:39:47 -0600 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.49) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk We are currently implementing FW-1 v3.0 on a solaris 2.6 platform and have had problems. Yes, Solaris 2.6 is "supported" but not by the FW-1 package that will be dilivered to you, you must download all of the packages that make up the "FW-1 V3.0 b" (DES, FW-1, Motif Intfc, etc...). If you install 3.0 on Solaris 2.6, the machine will get stuck in a reboot cycle that can only be fixed with a reload of the OS. FW-1 V3.0 will mangle /etc/rcS.d/S30rootusr.sh upon install and reboot. Once this "bug" is fixed with the downloaded 3.0b, it seems to be very stable. Rick Waegner The Boeing Company UNIX Sysadmin richard.a.waegner@boeing.com 281.283.5485 > ---------- > From: Franklin R. Jones > Sent: Monday, January 5, 1998 15:00 > To: firewalls@GreatCircle.COM > Subject: Re: FW-1 3.0 and Solaris 2.6 ok? > > Sergio Bollini wrote: > > > Does anybody know is FW-1 3.0b will work correctly on Solaris 2.6? > Is > > there any issues or unsolved problems? > > TIA > > No hands on as of yet, but 2.6 is listed as "supported" OS > rev for V3. I haven't run into any problems application-wise upgrading > to 2.6 from 2.5.x, so my feelings are that it would be a reliable > config. There is a recommeded patch cluster out for 2.6 which includes > several (8 or 9) security patches for various things and I would > recommend installing the cluster. > > fj.. > From firewalls-owner Tue Jan 6 08:00:22 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA18264; Tue, 6 Jan 1998 06:20:18 -0800 (PST) Received: from gargoyle.clark.net (gargoyle.clark.net [168.143.0.250]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id GAA18251 for ; Tue, 6 Jan 1998 06:20:12 -0800 (PST) Received: (qmail 24644 invoked by uid 500); 6 Jan 1998 14:26:32 -0000 Date: Tue, 6 Jan 1998 09:26:32 -0500 (EST) From: "Paul D. Robertson" X-Sender: proberts@gargoyle To: RANDAL LATHROP cc: iank@magna.com.au, Ryan Russell , ian@sunbeach.net, firewalls@GreatCircle.COM Subject: Re: Re[2]: Hardware for seperating LAN from dialouts In-Reply-To: <000622BB.001261@mech.disa.mil> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Tue, 6 Jan 1998, RANDAL LATHROP wrote: > But this is true only if you are running a service (daemon) that can > be exploited. If you do not share any resources on your system, are Or a client that can be exploited, or if portions of the OS can be exploited... If you've got a few thousand users, and you have enough control over the OS, stack, clients, and configuration, as well as a way to audit that, then you're doing well enough to probably not worry about it. For the real world, it's *trivially* easy to get a user to load (a) a demo for finance/mailroom/logistics/pick_a_target, or (b) a game, or extension to Quake, or (c) New version of a browser, E-mail client, or IRC program. If it's done right, most of them will get the IS people to lend them a modem for the duration of the attack... er demo. How many places go through testing new Internet clients on a test bed with modems, LAN cards, and record and decode the traffic? How many places have enough control over their user population to specify client versions, and distribution channels? Probably about as many who run virus suscptable systems with no scanners, no protection, and who get zero incidents. Next time you see a virus, ask yourself what would have happened if that was a sleeping trojan... Paul ----------------------------------------------------------------------------- Paul D. Robertson "My statements in this message are personal opinions proberts@clark.net which may have no basis whatsoever in fact." PSB#9280 From firewalls-owner Tue Jan 6 08:50:01 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA09136; Tue, 6 Jan 1998 08:08:38 -0800 (PST) Received: from relay6.UU.NET (relay6.UU.NET [192.48.96.16]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id IAA09123 for ; Tue, 6 Jan 1998 08:08:32 -0800 (PST) Received: from maestro.Maestro.COM by relay6.UU.NET with SMTP (peer crosschecked as: [198.102.66.11]) id QQdxee25252; Tue, 6 Jan 1998 11:08:50 -0500 (EST) Received: from localhost by maestro.Maestro.COM (4.1/MAESTRO-0.1/07-03-93) id AA04699; Tue, 6 Jan 98 11:05:03 EST Date: Tue, 6 Jan 1998 11:05:03 -0500 (EST) From: Sick Puppy To: firewalls@GreatCircle.com Subject: Wannabe needs a good book Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Over the past few years our educational research has provided us with a great deal of information on Internet services, operating systems and various protocols. However, all of it is very narrowly focused and platform specific. One of our wannabe's, ChewYou, (oriental as the name implies), need a good top down introduction to networking. Sorry to say we have nothing like that. Can someone please suggest a good book on the general topic of networking, with some emphasis on TCP/IP, that we can steal? SP, tCED From firewalls-owner Tue Jan 6 09:01:15 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA09492; Tue, 6 Jan 1998 05:40:30 -0800 (PST) Received: from maildeliver0.tiac.net (maildeliver0.tiac.net [199.0.65.19]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id FAA09448 for ; Tue, 6 Jan 1998 05:40:17 -0800 (PST) Received: from www.hollyfeld.org (root@dns.hollyfeld.org [204.130.199.1]) by maildeliver0.tiac.net (8.8.7/8.8) with ESMTP id IAA15661; Tue, 6 Jan 1998 08:40:34 -0500 (EST) Received: from www.hollyfeld.org (www.hollyfeld.org [204.130.199.143]) by www.hollyfeld.org (8.8.4/8.8.4) with SMTP id IAA17373; Tue, 6 Jan 1998 08:40:55 -0500 Date: Tue, 6 Jan 1998 08:40:54 -0500 (EST) From: Daniel Garcia To: MYundt cc: firewalls@GreatCircle.COM Subject: Re: tocom In-Reply-To: <6dda8f0f.34b1d341@aol.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Tue, 6 Jan 1998, MYundt wrote: > I have a tocom 5507 and I was wondering about a replacement And you asked about this on the firewalls list because.... --Dg From firewalls-owner Tue Jan 6 09:02:27 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA19212; Tue, 6 Jan 1998 08:53:43 -0800 (PST) Received: from starbase.tos.net (starbase.tos.net [208.137.47.1]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id IAA19155 for ; Tue, 6 Jan 1998 08:53:11 -0800 (PST) Received: (from mail@localhost) by starbase.tos.net (8.8.4/8.8.4) id KAA28389 for ; Tue, 6 Jan 1998 10:53:56 -0600 Message-Id: <199801061653.KAA28389@starbase.tos.net> Received: from unknown(172.16.1.147) by starbase.tos.net via smap (V1.3) id sma028385; Tue Jan 6 10:53:46 1998 X-Sender: macgyver@smtp.tos.net X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0 Date: Tue, 06 Jan 1998 10:50:13 -0600 To: Firewalls Mailing List From: MacGyver Subject: Re: Bank Security In-Reply-To: References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 02:35 AM 1/6/98 -0500, you wrote: >Ming Lu wrote: >> >>I am looking any info regarding bank security requirements (I know that >>it is a knid of sensetive...:-)) and implementations. It would be greatly >>appreciated if anyone can help on this. > Another software solution you might wish to consider: http://www.datafellows.com They provide high-grade crypto solutions both in the US and abroad. They offer a web-server add-on of sorts that allows you to employ encryption levels up to 2048 bit. Of course you pay for this flexibility with the high prices... From firewalls-owner Tue Jan 6 09:11:21 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA19913; Tue, 6 Jan 1998 08:58:09 -0800 (PST) Received: from starbase.tos.net (starbase.tos.net [208.137.47.1]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id IAA19839 for ; Tue, 6 Jan 1998 08:57:51 -0800 (PST) Received: (from mail@localhost) by starbase.tos.net (8.8.4/8.8.4) id KAA28419 for ; Tue, 6 Jan 1998 10:58:56 -0600 Message-Id: <199801061658.KAA28419@starbase.tos.net> Received: from unknown(172.16.1.147) by starbase.tos.net via smap (V1.3) id sma028417; Tue Jan 6 10:58:26 1998 X-Sender: macgyver@smtp.tos.net X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0 Date: Tue, 06 Jan 1998 10:54:53 -0600 To: Firewalls Mailing List From: MacGyver Subject: Stateful Inspection Anyone? Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi folks, I've been wondering this for a while, but just haven't gotten around to asking anyone yet: Checkpoint's Firewall-1 has a feature known as "stateful inspection" which they tout as the end-all and be-all of packet-filtering and inspection. Anyone had any experience in using this feature or have any thoughts regarding stateful inspection? How large of a performance impact is there when stateful inspection is enabled? Are the gains worth the added load? Hope this spurs some interesting discussion. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ^ Habeeb J. Dihu -' `- Managing Senior Technologist " ' ` " Cirrus Technologies " ' ` " " ' . ` " " ' .' ` ` " 'I don't believe in the no-win scenario' " ` ' `' " -- Captain James T. Kirk, Star Trek II: TWK ` ' _ _ ' 'There is an old Vulcan proverb, `Only Nixon ' could go to China.`' -- Captain Spock, Star Trek VI: TUC ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From firewalls-owner Tue Jan 6 09:13:31 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA05013; Tue, 6 Jan 1998 07:43:56 -0800 (PST) Received: from mco.edu (mco004.mco.edu [136.247.10.56]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id HAA04998 for ; Tue, 6 Jan 1998 07:43:49 -0800 (PST) Received: from mco-Message_Server by mco.edu with Novell_GroupWise; Tue, 06 Jan 1998 10:42:39 -0500 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Tue, 06 Jan 1998 10:42:30 -0500 From: Jeff Zarend To: firewalls@greatcircle.com Subject: AHTTPD.LOG filling up Mime-Version: 1.0 Content-Type: text/plain Content-Disposition: inline Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I'm having a problem with Firewall-1's AHTTPD.LOG looping & filling up the system disk drive. This is on NT 4.0. Is or has anyone else experienced this? Jeff Zarend Systems Manager Medical College of Ohio jzarend@mco.edu From firewalls-owner Tue Jan 6 09:15:39 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA04376; Tue, 6 Jan 1998 07:40:19 -0800 (PST) Received: from hq.si.net (hq.si.net [192.156.192.10]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id HAA04317 for ; Tue, 6 Jan 1998 07:40:05 -0800 (PST) Received: from hq.si.net (hq [192.156.192.10]) by hq.si.net (8.8.5/8.7.3) with SMTP id KAA29131; Tue, 6 Jan 1998 10:42:08 -0500 (EST) Date: Tue, 6 Jan 1998 10:42:08 -0500 (EST) From: Ming Lu To: Kerry Jones cc: firewalls@GreatCircle.COM Subject: Re: DNS on firewall?? In-Reply-To: <34B1C8DC.2BE94D49@aims.gov.au> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk If you don't use split DNS, I don't see the real difference between puting both dns servers on DMZ and one on firewall, another in the DMZ. Actually put primary one on the firewall and put the secondary on DMZ would be better choice than both of them on DMZ. _ming On Tue, 6 Jan 1998, Kerry Jones wrote: > Hi, > > Simple question. Is it a good idea to run a DNS server on a > Firewall????? > > AUNIC require at least 2 DNS servers, so I am trying to decide where to > configure the 2nd DNS server for our domain (Primary one is currently on > the DMZ). Will putting the secondary DNS on the firewall create a > security hole in the Firewall which would best be avoided???????? > Is it acceptable (secure) to put the DNS and other services (e.g. > http/ftp) on the Firewall?? > > What do you think?? > What are your opinions?? > > I have a fairly standard setup as follows; > > Internet > | > router > | > firewall - dmz (1 machine: http/ftp/dns) > | > internal network. > > -- > Kerry Jones > kjones@aims.gov.au > > From firewalls-owner Tue Jan 6 09:15:50 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA21714; Tue, 6 Jan 1998 09:07:21 -0800 (PST) Received: from hq.si.net (hq.si.net [192.156.192.10]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id JAA21698 for ; Tue, 6 Jan 1998 09:07:15 -0800 (PST) Received: from hq.si.net (hq [192.156.192.10]) by hq.si.net (8.8.5/8.7.3) with SMTP id MAA00208; Tue, 6 Jan 1998 12:09:18 -0500 (EST) Date: Tue, 6 Jan 1998 12:09:18 -0500 (EST) From: Ming Lu To: BoB Miorelli cc: firewalls@GreatCircle.COM Subject: Re: NT Web proxy server In-Reply-To: <34b1435f0.1464@clbdev2.eh.pweh.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk You can use Squid, which is free and VERY easy to set up; http://squid.nlant.net/Squid. It is VERY FAST. Sun's new web cache server based on this code (because of its performance). OS plateform you can use either Linux (free) or solaris x86 (take look at http://www.standishgroup.com/syst.html). As to the hardware, you can use 486 or better with at leat 64 M RAM; At leat 2G hard disk space ( it really depends on a lot of other factors, such as cache expiration time, etc.) just for cache itself (1 G would be more than enough for UNIX OS, unless you would like to do something else on the same machine). As to the 04/19/97, squid had been ported to OS/2 Warp platform. I am sure that someone may also have ported it to NT, if NT is really you favored platform...:-). drop a mail to squid-users@nlanr.net, someone will help you out on this. If you need help on UNIX plateforms, I would be more than glad to help. _ming On Mon, 5 Jan 1998, BoB Miorelli wrote: > Hi -- > > I'm looking for a Web proxy server that does caching for > my kid's school (K-8). The computer lab is networked > to a server which would run the proxy. The server > is a Pentium running NT 4.0. I'm looking for > recommendations on proxy server software from anyone > that is running it on NT 4.0 using a dialup-on-demand > type of setup. The only proxy servers for NT that > I am aware of are Microsoft and Netscape, but I'm > sure there are others. > > Any and all comments are welcome. > > Thanks. > > -->BoB > > > -->BoB Miorelli, Pratt & Whitney > miorelli@pweh.com > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > In theory, theory and practice are the same; > in practice they are distinct. > From firewalls-owner Tue Jan 6 09:30:04 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA08260; Tue, 6 Jan 1998 08:03:51 -0800 (PST) Received: from mtigwc04.worldnet.att.net (mtigwc04.worldnet.att.net [204.127.131.33]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id IAA08229 for ; Tue, 6 Jan 1998 08:03:42 -0800 (PST) From: mht@clark.net Received: from highlander ([12.68.19.215]) by mtigwc04.worldnet.att.net (post.office MTA v2.0 0613 ) with SMTP id AAA24167; Tue, 6 Jan 1998 16:04:01 +0000 Message-Id: <3.0.3.32.19980106110133.03931100@pop3.clark.net> X-Sender: mht@pop3.clark.net X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Tue, 06 Jan 1998 11:01:33 -0500 To: "Steve Jackson Brown" , Subject: Re: SessionWall 3 release 2 vs Network Flight Recorder?? In-Reply-To: <199801060410.XAA10773@mail.atl.bellsouth.net> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Another article that needs mentioning is Network Magazine October, 1997 www.network-mag.com "Detecting Network Intruders" :) At 11:04 PM 1/5/98 -0500, Steve Jackson Brown wrote: > > > >> Yes, I tend to agree with you on that. RealSecure is a very powerful >> tool, but it requires a clear understanding in what options you >> choose in a particular environment when using it.. > >Here are two Abirnet vs. RealSecure comparisions I found on ww.zdnet.com: > >http://www.zdnet.com/pcweek/reviews/0421/21wall.html >and >http://www.zdnet.com/pcweek/reviews/0929/29wall.html > >It looks to me from the review that one is a swiss-army knife that watches >all kind of network >issues and one is optimized for network security. Read the reviews to form >your own opinion. In >searching for comparisions, the most recent Top Technology Picks for '97 of >PC Week was IDS technology: > >http://www.zdnet.com/pcweek/sr/1222/22netb.html > >So far now, 2 magazines picked IDS as a top technology released in 1997. It >will be interesting to find >out what new technology is going to be released in 1998. Anyone know of >any reviews of other IDS >systems? > >> Overall, I wish one of the local trades magazines would initiate a >> Consumer Report comparison of the current IDS tools or "clue- >> gathering tools" available and new ones that are emerging... (HINT, >> HINT) > >Is NFR really an intrusion detection system? From the web site, >www.nfr.com, > >"NFRs provide valuable information about the growth of your network, its >usage patterns, bottlenecks and potential mis-configurations, and more. >Imagine the usefulness of being able to learn how any aspect of your >network has changed over time! NFR also lets you store and browse data you >want to gather as it passes through or within your network." > >This description seems like performance monitoring and network traffic >policy monitoring. It's probably possible someone could build an intrusion >detection system with NFR. NFR itself does not seem like >an intrusion detection package. > >Maybe CSI or NCSA could do the "Consumer Reports" of IDS tools. > > From firewalls-owner Tue Jan 6 09:45:15 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA03512; Tue, 6 Jan 1998 07:35:13 -0800 (PST) Received: from gate.eds.de (gate.eds.de [204.71.114.5]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id HAA03462 for ; Tue, 6 Jan 1998 07:34:49 -0800 (PST) Received: from online.ols.de.eds.com (ep160768.ols.de.eds.com) by gate.eds.de with SMTP id AA14749 (InterLock SMTP Gateway 3.0 for ); Tue, 6 Jan 1998 15:34:18 GMT Received: from ep161081 (ep161081.ols.de.eds.com [134.46.190.55]) by online.ols.de.eds.com (8.8.8/8.8.8) with SMTP id RAA26818; Tue, 6 Jan 1998 17:38:46 +0100 Message-Id: <3.0.3.32.19980106163903.0091b100@mail.ols.de.eds.com> X-Sender: bzwrdw@mail.ols.de.eds.com X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.3 (32) Date: Tue, 06 Jan 1998 16:39:03 +0100 To: RANDAL_LATHROP@mech.disa.mil (RANDAL LATHROP) From: Oliver Kubis Subject: Re: Re[2]: Hardware for seperating LAN from dialouts Cc: firewalls@greatcircle.com, ryanr@sybase.com In-Reply-To: <000622BB.001261@mech.disa.mil> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk IMHO, dangers differ from the type of operating system and services of the machine the modem is attached to. A unix, carrying a number of additional services, might be more vulnerable to attack than a 'simple' standard PC, not running any of those services. What happens to services on connected systems (PC is connected to a LAN, which might have a ftp server somewhere...) - do you think the PC with ip forwarding/routing could be an entry point to attack other computers on the attached network? Apart from any services being used for illicit use, could other risks arise from people sniffing on network traffic that passes the exposed computer? Do you think that's possible? -- Oliver PS: A fuzzy search of the firewall archives (at http://www.nexial.nl/cgi-bin/firewalls) returned some interesting hints on the potential dangers of dial-out connections with parallel LAN connection - I searched for "forwarding dial modems" and got some good results. --------------- At 07:52 06.01.98 -0500, you wrote: > But this is true only if you are running a service (daemon) that can > be exploited. If you do not share any resources on your system, are > not running FTPD, TELNETD, or HTTPD, what else is running that can be > subverted for illicit use? > > > Randal > > >______________________________ Reply Separator _________________________________ >Subject: Re: Hardware for seperating LAN from dialouts >Author: "Ryan Russell" at internet-emh1 >Date: 1/5/98 4:00 PM > > > >Actually, Win95 DOES support routing. And, I'm told it >even works in OSR2. > >The point is, it doesn't need to route. If you're connected to >the Internet & your LAN at the same time, and I break into >your machine (via the Internet,) I now have control of a machine on >your LAN. > >It's against MY company policy... as the saying goes, >your paranoia level may vary.. > > Ryan > > > > > >iank@magna.com.au on 01/05/98 02:20:58 PM > >To: ian@sunbeach.net >cc: firewalls@GreatCircle.COM (bcc: Ryan Russell/SYBASE) >Subject: Re: Hardware for seperating LAN from dialouts > > > > >Sorry I may be mistaken but most users would be running windows 95 on their >laptops and desktops in offices, sorry guys, Win95 dosen't support IP >routing,like there's a supprise, hence you would not need to overly worry >about having to sever you network connection when wanting to retrieve mail >every once and again. >If I have misunderstood the question / query, well hey I'm only human. > >Ian. >At 11:05 AM 1/5/98 -0400, you wrote: >>I use my lap top in the office, and it has both a network card and a modem >>in it. As my office network is on a different IP address range that my >>Internet Connection, I can actually have both connected at the same time! >> >>There seems to be no problem with the routing at all! >> >>Ian >> >>At 10:10 AM 1/5/98 +1000, Norman Widders wrote: >>>Just wondered if anybody has used those hardware devices >>>that disable LAN connections while a modem dials out >>>to the Internet. >>> >>>It detects when the modem is active thus severing the >>>link to the LAN physically and reconnects the LAN >>>once the modem has disconnected from the LAN. >>> >>>The device is connected to both the modem and LAN and >>>sounds good in theory and I am just wondering >>>what other peoples experience with these are, at $85 >>>it is an ideal solution for small organisations >>>that just want to poll their ISP a few times a day >>>for email. >>> >>>-- >>>Wheres my valium ? >>> >>> >>> >>> >> >> >> >---------------------------------------------------------------- >Ian W Krieger IanK@Magna.com.au >"qlm tera'ngan!" - Translated from Klingon "Attention Earther!" -- Oliver Kubis EDS Electronic Data Systems Industrien (Deutschland) GmbH Phone +49-6142-80-2942 Fax +49-6142-80-1755 Email oliverk@ols-eds.de PGP key fingerprint = C1 ED 3E E0 95 B5 05 28 A4 A4 E5 72 33 A7 20 B0 "It's a small world, unless you have to clean it." - Roger Wilco From firewalls-owner Tue Jan 6 11:57:07 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA22453; Tue, 6 Jan 1998 11:33:22 -0800 (PST) Received: from mailserver1.mdc.com (MAILSERVER1.LGB.CAL.BOEING.COM [129.200.140.50]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id LAA22356 for ; Tue, 6 Jan 1998 11:33:00 -0800 (PST) Received: by MAILSERVER1.MDC.COM with Internet Mail Service (5.0.1458.49) id ; Tue, 6 Jan 1998 13:35:09 -0600 Message-ID: From: "Waegner.Rick" To: "'Franklin R. Jones'" Cc: firewalls@greatcircle.com Subject: RE: FW-1 3.0 and Solaris 2.6 ok? Date: Tue, 6 Jan 1998 13:35:06 -0600 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.49) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk fj, No, they are not on the release cd YET!!! You can download them from the sun web site. We did not know about the "bug" until AFTER we paid xxxx.xx for it! I was NOT very happy. Let me know how it goes! Rick Waegner The Boeing Company UNIX Sysadmin richard.a.waegner@boeing.com 281.283.5485 > ---------- > From: Franklin R. Jones > Sent: Tuesday, January 6, 1998 13:54 > To: Waegner.Rick > Cc: firewalls@greatcircle.com > Subject: Re: FW-1 3.0 and Solaris 2.6 ok? > > Waegner.Rick wrote: > > > > We are currently implementing FW-1 v3.0 on a solaris 2.6 platform > and > > have had problems. Yes, Solaris 2.6 is "supported" but not by the > FW-1 > > package that will be dilivered to you, you must download all of the > > packages that make up the "FW-1 V3.0 b" (DES, FW-1, Motif Intfc, > > etc...). If you install 3.0 on Solaris 2.6, the machine will get > stuck > > in a reboot cycle that can only be fixed with a reload of the OS. > FW-1 > > ouch! > > > V3.0 will mangle /etc/rcS.d/S30rootusr.sh upon install and reboot. > Once > > this "bug" is fixed with the downloaded 3.0b, it seems to be very > > stable. > > Thanks for the heads up, Rick. I'm about to head down that trail > myself. > You make referece to all the packages that make up V3.0b, are these > FW1 patches (e.g. from the sun web site) or FW1 product packages (on > the release CD)? > > also nice that they make no mention of this problem in the install > docs that I've seen... > > fj.. > From firewalls-owner Tue Jan 6 11:59:37 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA13752; Tue, 6 Jan 1998 10:55:51 -0800 (PST) Received: from deimos.frii.com (deimos.frii.com [208.146.240.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id KAA13582 for