From firewalls-owner Sun Feb 1 00:26:31 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id VAA24672; Sat, 31 Jan 1998 21:56:52 -0800 (PST)
Received: from cs.weber.edu (cs.weber.edu [137.190.16.16]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id VAA24631 for ; Sat, 31 Jan 1998 21:56:42 -0800 (PST)
Received: from icarus.weber.edu by cs.weber.edu (4.1/SMI-4.1.1) id AA18453; Sat, 31 Jan 98 23:07:23 MST
Received: by icarus.weber.edu (5.x/SMI-SVR4) id AA06696; Sat, 31 Jan 1998 23:07:29 -0700
Date: Sat, 31 Jan 1998 23:07:28 -0700 (MST)
From: Henry Hertz Hobbit
To: Doug Hughes
Cc: firewalls@greatcircle.com
Subject: Re: anti-sniffer warfare
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 30 Jan 1998, Doug Hughes wrote:

> I don't think the effort would be worth it. Most sniffers are totally
> passive devices, and by their nature, the only way to detect them
> is physical inspection of your cable plant.

Correct.

> One thing that may be helpful in preventing hardware sniffer attachment
> is via security enabled hubs where the MAC address of all ports is
> hard-wired into the hub. Unused ports would be administratively disabled.
> This will prevent somebody from unplugging a machine and plugging in a
> sniffer. It will also prevent somebody from using an unoccupied port
> on the off chance that they would get access to the hub itself (which
> should be in a locked closet).

Aside from the fact that not all hubs support this, does anybody really have the time to do it with all the other stuff that they have to get done? If you or anybody else reading this can point us to any sites that are doing this successfully and what hubs would be the best to use, I think that we would all benefit. I guess it kind of depends on the volatility of the network you are on, which at most places I have been is quite high.

The Hobbit

This message can't possibly have come from me! smrsh is not running so it *must* have come from somebody else going into the smtp port!!!

From firewalls-owner Sun Feb 1 00:45:22 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA23930; Sat, 31 Jan 1998 13:10:30 -0800 (PST)
Received: from europa.lif.icnet.uk (europa.lif.icnet.uk [143.65.100.4]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id NAA23761 for ; Sat, 31 Jan 1998 13:09:56 -0800 (PST)
From: harley@icrf.icnet.uk
Received: (from harley@localhost) by europa.lif.icnet.uk (8.8.8/8.8.8) id VAA19702 for firewalls@greatcircle.com; Sat, 31 Jan 1998 21:15:10 GMT
Message-Id: <199801312115.VAA19702@europa.lif.icnet.uk>
Subject: re: UNIX viruses & worms
To: firewalls@greatcircle.com
Date: Sat, 31 Jan 1998 21:15:10 +0000 (GMT)
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> To: David Harley
> cc: firewalls@GreatCircle.COM
>
> On Fri, 30 Jan 1998, David Harley wrote:
>
> >: Where can i find information about UNIX viruses and worms?
>

Actually, I didn't. I was quoting the person to whose post I responded with some information. Please be a little more careful about attributing quotations on public lists.
--
David Harley                   | alt.comp.virus FAQ
D.Harley@icrf.icnet.uk         | & Anti-Virus Web Page
Support & Security Analyst     | Folk London On-Line gig-list
Imperial Cancer Research Fund  | http://webworlds.co.uk/dharley/

From firewalls-owner Sun Feb 1 03:09:01 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id BAA06475; Sun, 1 Feb 1998 01:22:25 -0800 (PST)
Received: from fw.telekom.com.my ([192.228.240.8]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id BAA03155 for ; Sun, 1 Feb 1998 01:00:44 -0800 (PST)
Received: from s12131.telekom.com.my ([200.34.5.144]) by firewall.fw.telekom.com.my with ESMTP id <27779-1>; Sun, 1 Feb 1998 17:12:56 +0800
Message-ID: <34D51B8E.BC130171@telekom.com.my>
Date: Mon, 2 Feb 1998 09:04:15 +0800
From: Vijay Valayatham
Organization: Telekom Malaysia
X-Mailer: Mozilla 4.01 [en] (Win95; I)
MIME-Version: 1.0
To: Stefano Crivellaro
CC: firewalls@greatcircle.com
Subject: Re: Useful readings
X-Priority: 3 (Normal)
References: <3.0.1.32.19980201002218.007fac20@relay.ml.swapnet.it>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

http://www.iss.net/vd/library.html is an ok start.

Vijay.

Stefano Crivellaro wrote:
>
> Hi everybody
>
> I'm new to this list.
>
> Is there any good text/document/web primer on the Net which I could read
> to get myself introduced to the security (firewalls, packet filtering,
> bastion hosts) issues?
>
> thanks a lot for your help
>
> S.Crivellaro

---------------------------------------------------------------------
Vijay Valayatham
vijay@telekom.com.my

From firewalls-owner Sun Feb 1 03:52:56 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id AAA27711; Sun, 1 Feb 1998 00:32:50 -0800 (PST)
Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-971021-1) id AAA27694 for firewalls@greatcircle.com; Sun, 1 Feb 1998 00:32:46 -0800 (PST)
Received: from ns2.harborcom.net (ns2.harborcom.net [206.158.4.4]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id SAA24416 for ; Fri, 30 Jan 1998 18:16:15 -0800 (PST)
Received: from frodo.harborcom.net (theboss) [206.158.4.250] by ns2.harborcom.net with smtp (Exim 1.82 #1) id 0xySYA-00059x-00; Fri, 30 Jan 1998 21:20:54 -0500
From: "Vince Doss"
To: Firewalls@GreatCircle.COM
Date: Fri, 30 Jan 1998 21:19:55 -0400
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: setting up a bastion host on a linux system
In-reply-to: <199801291244.GAA01347@barney.iamerica.net>
X-mailer: Pegasus Mail for Win32 (v2.54)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On 29 Jan 98 at 6:44, Henry Hollenberg wrote:

>
> Thanks for the reply M. Asim Rasheed:
> "Henry, go to http://www.linux.org and search for Firewall-HOWTO"
>
> I'll reread this howto....I'm sure I'll pick up some more from it on second review.
>
> I guess the tricky part of setting up the bastion host to me will be stripping the
> system down after the needed software (DNS, http server, SMTP etc) is installed and
> working.
>
> That is:
> removing binaries such as gcc, scripting languages, X, etc
>
> editing the startup files
>
> editing inetd.conf
>
> etc...

Perhaps this may be too obvious; however, the setup for RedHat 4.2 prompts you for which packages you want to install. It allows you a bit of latitude in your choices, i.e. gcc, X, compiler, emacs...etc. If you do not select these packages then they will not be installed. I cannot comment on any other distributions, but would assume there are similarities.

>
> The theory i understand, and the inetd.conf i think i'll be able to pare down
> easily enough but it's going thru the "bins" and the startup files that I'm
> sketchy on. The Howto is a little vague in this area as well.
>
> So if someone has been thru this with one of the linux distributions and
> kept notes.......it might serve as a valuable guide/double check-list.
>
> I'm probably going to use Debian and try to turn in my step by step to the
> Firewalls list maintainer to see if it might be helpful to others.
>
> Thanks
>
> Henry Hollenberg
> speed@barney.iamerica.net
>
>

Vince Doss
vincent@harborcom.net

From firewalls-owner Sun Feb 1 04:06:54 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id EAA11621; Sun, 1 Feb 1998 04:03:58 -0800 (PST)
Received: from mail.baileynm.com (fw.baileynm.com [206.109.159.11]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id EAA11614 for ; Sun, 1 Feb 1998 04:03:53 -0800 (PST)
Received: (qmail 15612 invoked from smtpd); 1 Feb 1998 12:08:40 -0000
Received: from web.nmti.com (root@198.178.0.201) by fw.nmti.com with SMTP; 1 Feb 1998 12:08:40 -0000
Received: from baileynm.com (grendel.nmti.com [198.178.0.150]) by web.nmti.com (8.6.12/8.6.9) with SMTP id GAA03379; Sun, 1 Feb 1998 06:08:40 -0600
Received: by baileynm.com; (5.65v3.2/1.1.8.2/08Sep97-0924AM) id AA23840; Sun, 1 Feb 1998 06:11:30 -0600
From: Peter da Silva
Message-Id: <9802011211.AA23840@baileynm.com>
Subject: Re: anti-sniffer warfare
To: hhhobbit@icarus.weber.edu (Henry Hertz Hobbit)
Date: Sun, 1 Feb 1998 06:11:29 -0600 (CST)
Cc: Doug.Hughes@Eng.Auburn.EDU, firewalls@greatcircle.com
In-Reply-To: from "Henry Hertz Hobbit" at Jan 31, 98 11:07:28 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

One thing you could do is use switches or secure hubs, which would at least only deliver broadcasts to the sniffer. They'd still get some traffic but they wouldn't get stuff aimed at specific MAC addresses, unless my understanding of how these devices work is completely wonky.

From firewalls-owner Sun Feb 1 05:06:55 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA08258; Sat, 31 Jan 1998 14:12:49 -0800 (PST)
Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-971021-1) id OAA08248 for firewalls@greatcircle.com; Sat, 31 Jan 1998 14:12:46 -0800 (PST)
Received: from hydra.dra.hmg.gb (hydra.dra.hmg.gb [192.5.29.32]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id FAA03744 for ; Wed, 28 Jan 1998 05:42:03 -0800 (PST)
Message-Id: <199801281342.FAA03744@honor.greatcircle.com>
Received: from elfedw.dra.hmg.gb by hydra.dra.hmg.gb with SMTP ; Wed, 28 Jan 98 13:41:16 GMT
From: "Elfed T. Weaver"
Organization: DERA
To: firewalls@GreatCircle.com
Date: Wed, 28 Jan 1998 13:43:57 +0000
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: Differences
X-mailer: Pegasus Mail for Win32 (v2.54)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

IPSEC (IP Security Option) by the OSI network model is transport layer encryption. See the IETF network security group for details ( http://www.ietf.org )

*** The IP security protocols as defined by the IETF operate at the NETWORK (IP) layer, hence the term IP security. There are two security protocols defined:

1. Authentication Header (AH) - providing authentication and integrity services;
2. Encapsulating Security Protocol (ESP) - providing privacy and, optionally, authentication and integrity services.

for more details see www.ietf.org/ids.by.wg/ipsec.html ***

SKIP (Simple Key management for IP) is a superset of IPSEC, with the addition of in-line keying of IPSEC encryption and authentication keys. This is still transport layer encryption. Details are available at http://skip.incog.com

*** Superset? SKIP was a key management protocol (IKMP) proposed for use with the IPSec protocols. In its basic form it is quite simple although not very flexible. To achieve the flexibility required by the IETF Working Group (WG) responsible for developing the IKMP, SKIP's developers (SUN) defined a number of add-on protocols; this resulted in a complex suite of protocols. Consequently, the key management protocol mandated for use with IPv6 by the IETF IPSec WG is ISAKMP (Internet Security Association and Key Management Protocol). This protocol, in its native form, provides both the flexibility and forward migration path (to enable new key exchanges to be integrated as and when they are developed) required by the IPSec WG. Note: both IPSec and ISAKMP can be used over IPv4 based networks; in fact, the majority of implementations currently available are for IPv4.

for more details see www.ietf.org/ids.by.wg/ipsec.html ***

SSL (Secure Socket Layer ???) by OSI network model is a session/application based authentication and encryption. Netscape originated the protocol ( http://www.netscape.com to search for their SSL white paper). The most significant difference between network and session based encryption/authentication is that with network layer, anything that goes over IP is protected, but with session based encryption/authentication, you need security aware applications to complete the security handshake. (e.g. Netscape Navigator >= 3.0, IE >=3.0, and a SSL aware Web Server)

*** depends on how IPSec services are applied?

Note: IPSec can be used to protect applications IF the system is able to provide the required level of granularity for Security Association (SA) identification, i.e. if information is available which can be used to identify application X, then a SA can be negotiated with the peer entity and used to protect the communications. ***

The main advantage of SSL is that identification and authentication (via X.509 certificates) is well documented, while with SKIP/IPSEC, the standards are still in a state of flux (e.g. ISAKMP key exchange)

*** ISAKMP is not in a state of flux, it HAS BEEN MANDATED for IPv6, SKIP HAS NOT. The MAJORITY of vendors implementing IPSec capable products are implementing ISAKMP as their key management protocol. Also, specifications for the use of ISAKMP to support the security services defined for the OSPFv2 and RIPv2 Internet routing protocols are currently being developed. ***

All of these can be used as part of a VPN deployment. The question you must ask first is 'What kind of VPN do I want?' Depending on how paranoid you are, you can have all of the above, with the addition of application encryption (e.g. S/MIME, PGP, SHTTP ), smart tokens, WAN Link encryption, bio-metric ID scanners, Multi-level CMWs, etc. etc.

****************************************************
"The views expressed above are entirely those of the writer and do not represent the views, policy or understanding of any other person or official body."

Elfed T. Weaver
DERA Malvern UK
weaver@hydra.dra.hmg.gb
****************************************************

From firewalls-owner Sun Feb 1 05:51:55 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA26409; Sun, 1 Feb 1998 05:39:51 -0800 (PST)
Received: from hq15.pcmail.ingr.com (hq15.pcmail.ingr.com [129.135.251.243]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id FAA26400 for ; Sun, 1 Feb 1998 05:39:46 -0800 (PST)
Received: by HQ15 with Internet Mail Service (5.0.1458.49) id <1ANGMDWD>; Sun, 1 Feb 1998 07:44:44 -0600
From: "Jarmon, Don R"
To: "'Hountz'"
Cc: firewalls
Subject: RE: Help
Date: Sun, 1 Feb 1998 07:44:41 -0600
X-Priority: 3
X-Mailer: Internet Mail Service (5.0.1458.49)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This would depend on what type of output you seek and logfile format. You might check out http://www.marketwave.com for a free product called HitList 3.0. Handles common log format (CLF) just fine.

> ----------
> From: Hountz[SMTP:hountz@diningtable.com]
> Reply To: Hountz
> Sent: Thursday, January 29, 1998 11:05 PM
> To: firewalls@GreatCircle.com
> Subject: Help
>
> Hello:
>
> Anyone know where I can find a firewall log analyser...?
>
>
>
>
> Thanks
> Larry J. Hountz
> ---
> (o o)
> ___ooO_(_)_Ooo___
>
> Webmaster
> for
> http://www.diningtable.com
> http://www.shopmetrocentre.com
> http://www.sportworks.com
> http://www.theassisttant.net
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> ......................................................................
> ......
From firewalls-owner Sun Feb 1 07:37:08 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA06834; Sun, 1 Feb 1998 07:29:42 -0800 (PST)
Received: from cs.weber.edu (cs.weber.edu [137.190.16.16]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id HAA06827 for ; Sun, 1 Feb 1998 07:29:36 -0800 (PST)
Received: from icarus.weber.edu by cs.weber.edu (4.1/SMI-4.1.1) id AA20069; Sun, 1 Feb 98 08:40:01 MST
Received: by icarus.weber.edu (5.x/SMI-SVR4) id AA09215; Sun, 1 Feb 1998 08:40:06 -0700
Date: Sun, 1 Feb 1998 08:40:06 -0700 (MST)
From: Henry Hertz Hobbit
To: "Michael J. Maravillo"
Cc: Henry Hollenberg , Firewalls@GreatCircle.COM
Subject: Re: http server for bastion host
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 30 Jan 1998, Michael J. Maravillo wrote:

> On Thu, 29 Jan 1998, Henry Hollenberg wrote:
>
> >I saw that the CERN http server was recommended in Chapman and
> > Zwicky so started checking it out, but the first thing I read
> > knocked it:
> [...]
> >Should I look for something else.....they made it sound pretty
> > good in the book, caching and all. Comments?
>
> Get Apache... http://www.apache.org

You get what you pay for. If you also subscribe to the Bugtraq mailing list, you immediately realize that Apache has its share of security holes. The price is lower, but so is the security level. If this isn't a concern, then by all means go ahead and get it. Apache makes an excellent product, and despite what I just said they have been very good at patching any holes as they find them. If you want a higher level of security I would advise that you get a Netscape server. CERN's product was the first, and as always with the first, getting the darn thing to work is a higher priority than security.

Netscape site:

http://www.netscape.com/
http://www.netscape.com/download/index.html?cp=hmp01sdow

Just my .02

The Hobbit

This message can't possibly have come from me! smrsh is not running so it *must* have come from somebody else going into the smtp port!!!

From firewalls-owner Sun Feb 1 08:36:58 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA13210; Sun, 1 Feb 1998 08:21:44 -0800 (PST)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id HAA09679 for ; Sun, 1 Feb 1998 07:55:28 -0800 (PST)
Received: from cs.weber.edu by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id HAA28751; Sun, 1 Feb 1998 07:58:08 -0800 (PST)
Received: from icarus.weber.edu by cs.weber.edu (4.1/SMI-4.1.1) id AA20135; Sun, 1 Feb 98 09:05:09 MST
Received: by icarus.weber.edu (5.x/SMI-SVR4) id AA09267; Sun, 1 Feb 1998 09:05:13 -0700
Date: Sun, 1 Feb 1998 09:05:13 -0700 (MST)
From: Henry Hertz Hobbit
To: "Corey J. Anderson"
Cc: Gary Mills , "firewalls@GreatCircle.COM"
Subject: Re: Sniffer tools
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 29 Jan 1998, Corey J. Anderson wrote:

>
> When a sniffer is sniffing, its NIC is in promiscuous mode. This
> shows up on other sniffers.
>

Not necessarily. It seems to me that most people that write this are usually referring to something running on some sort of UNIX or Windows NT server rather than a dedicated laptop sniffer like one from Data General, et al. You *can* put their NIC card into promiscuous mode, but most of the time you don't because that *generates* network traffic. If they do that, I don't even need a sniffer to see another sniffer. It will show up on even an umbrella manager like HPOV. Why don't people run their sniffers in this manner?
Usually, about the time I am connecting a dedicated sniffer on that segment, it is because HPOV or a similar umbrella manager shows a problem there - really bad if it cycles between orange/red, but nothing shows amiss in the analysis of the network device. OSPF or other routing config correct, etc. Time to go see if that darn rat chewed through the line again ... well, not really but I keep expecting it to happen one of these days 8^). Then you want the sniffer to be passive because you want to see what is going wrong (yup, the guy took out those nice 8' 10base-2 lines between the machines and replaced them with nice short 2' lines). Didn't need to bring down the sniffer after all.

The Hobbit

This message can't possibly have come from me! smrsh is not running so it *must* have come from somebody else going into the smtp port!!!

From firewalls-owner Sun Feb 1 09:07:03 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA17084; Sun, 1 Feb 1998 08:55:26 -0800 (PST)
Received: from dinosaur.privsys.gip.net (dinosaur.gip.net [204.59.155.63]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id IAA17068 for ; Sun, 1 Feb 1998 08:55:20 -0800 (PST)
Received: from dinosaur by dinosaur.privsys.gip.net (SMI-8.6/SMI-SVR4) id MAA19194; Sun, 1 Feb 1998 12:07:48 -0500
Date: Sun, 1 Feb 1998 12:07:47 -0500 (EST)
From: Ming Lu
X-Sender: mlu@dinosaur
To: "Michael J. Maravillo"
cc: Henry Hollenberg , Firewalls@GreatCircle.COM
Subject: Re: http server for bastion host
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Also check out http://squid.nlanr.net/; using apache and squid together gives you better performance and controls.

_ming

On Fri, 30 Jan 1998, Michael J. Maravillo wrote:

->On Thu, 29 Jan 1998, Henry Hollenberg wrote:
->
->>I saw that the CERN http server was recommended in Chapman and Zwicky so started
->>checking it out, but the first thing I read knocked it:
->[...]
->>Should I look for something else.....they made it sound pretty good in the book,
->>caching and all. Comments?
->
->Get Apache... http://www.apache.org
->
->
->Mike
->[ Michael J. Maravillo                Philippines Online ]
->[ System Administrator  PGP KeyID: 470AED9D  InfoDyne, Incorporated ]
->[ http://www.philonline.com/~mmj/     (632) 890-0204 ]
->
->
->

============================================================================
Ming Lu                              Email: mlu@hq.si.net
Network Tech Consulting Engineer     Phone: 703-689-5290 (w)
Engineering Division                        703-855-4194 (m)
Global One Telecommunications, LLT.         703-689-6575 (f)
============================================================================
"Do not pay attention to every word people say, or you may hear your servant cursing you ---- for you know in your heart that many times you yourself have cursed others."
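Whichever server the thread above settles on, the hardening step that bounds the damage from a hole in it is the one Marc Slemko gives further down this digest: run the daemon chrooted. The script below is an added example for this list archive, not code from any poster or from Apache, Squid or the Netscape server; it assumes a Linux host with ldd(1) and a dynamically linked daemon binary, and the jail and daemon paths used in it are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): populate a minimal chroot jail for a
# network daemon and audit it before use.  Assumes Linux + ldd(1); the
# paths /var/jail/httpd and /usr/sbin/httpd below are hypothetical.

# Read ldd(1) output on stdin and print one library path per line.
# ldd emits three line shapes; only the first two name a file to copy:
#   libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x...)   -> $3
#   /lib64/ld-linux-x86-64.so.2 (0x...)                    -> $1
#   linux-vdso.so.1 (0x...)                                -> kernel-provided, skip
#   libfoo.so => not found                                 -> skip (fix the build instead)
ldd_paths() {
    awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }
        $1 ~ /^\// { print $1 }
    '
}

# Copy one file into the jail, recreating its directory under the jail root.
jail_copy() {
    jail=$1; src=$2
    mkdir -p "$jail$(dirname "$src")"
    cp -p "$src" "$jail$src"
}

# Build the jail: the daemon, its shared libraries and the dynamic loader,
# plus the few directories a daemon usually needs.  Deliberately no /bin/sh,
# no compilers, no setuid helpers: nothing for an intruder to exec next.
build_jail() {
    jail=$1; daemon=$2
    jail_copy "$jail" "$daemon"
    ldd "$daemon" | ldd_paths | while read -r lib; do
        jail_copy "$jail" "$lib"
    done
    mkdir -p "$jail/dev" "$jail/etc" "$jail/tmp"
    chmod 1777 "$jail/tmp"
}

# Refuse a jail that contains a shell or any setuid file; returns 1 if found.
audit_jail() {
    jail=$1
    if find "$jail" -type f -perm -4000 | grep -q .; then
        echo "audit: setuid file inside $jail" >&2
        return 1
    fi
    for sh_name in sh bash; do
        if [ -x "$jail/bin/$sh_name" ]; then
            echo "audit: shell $jail/bin/$sh_name inside jail" >&2
            return 1
        fi
    done
    return 0
}

# Typical use (as root):
#   build_jail /var/jail/httpd /usr/sbin/httpd && audit_jail /var/jail/httpd
#   chroot /var/jail/httpd /usr/sbin/httpd    (then drop to an unprivileged uid)
```

The audit is the part that matters on a bastion host: a jail that still holds a shell or a setuid binary hands an intruder who gets code execution in the daemon exactly the tools chroot was meant to deny. Note also that chroot confines the filesystem view only; the daemon must still drop root after start-up, since a root process inside a chroot can escape it.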
From firewalls-owner Sun Feb 1 09:14:18 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA14064; Sun, 1 Feb 1998 08:35:42 -0800 (PST)
Received: from scanner.worldgate.com (scanner.worldgate.com [198.161.84.3]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id IAA14047 for ; Sun, 1 Feb 1998 08:35:36 -0800 (PST)
Received: from znep.com (uucp@localhost) by scanner.worldgate.com (8.8.7/8.8.7) with UUCP id JAA02959; Sun, 1 Feb 1998 09:40:26 -0700 (MST)
Received: from localhost (marcs@localhost) by alive.znep.com (8.7.5/8.7.3) with SMTP id JAA18307; Sun, 1 Feb 1998 09:32:55 -0700 (MST)
Date: Sun, 1 Feb 1998 09:32:54 -0700 (MST)
From: Marc Slemko
To: Henry Hertz Hobbit
cc: Firewalls@GreatCircle.COM
Subject: Re: http server for bastion host
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Sun, 1 Feb 1998, Henry Hertz Hobbit wrote:

> On Fri, 30 Jan 1998, Michael J. Maravillo wrote:
>
> > On Thu, 29 Jan 1998, Henry Hollenberg wrote:
> >
> > >I saw that the CERN http server was recommended in Chapman and
> > > Zwicky so started checking it out, but the first thing I read
> > > knocked it:
> > [...]
> > >Should I look for something else.....they made it sound pretty
> > > good in the book, caching and all. Comments?
> >
> > Get Apache... http://www.apache.org
>
> You get what you pay for. If you also subscribe to the Bugtraq
> mailing list, you immediately realize that Apache has its share
> of security holes. The price is lower, but so is the security level.
> If this isn't a concern, then by all means go ahead and get it.
> Apache makes an excellent product, and despite what I just said
> they have been very good at patching any holes as they find them.
> If you want a higher level of security I would advise that you
> get a Netscape server. CERN's product was the first, and as always
> with the first, getting the darn thing to work is a higher priority
> than security. Netscape site:

Huh? Why exactly do you think Netscape's server is going to be magically secure and will have no security holes? Because they don't go through and do security reviews of it and announce any problems they find publicly? Because the source isn't available so it is harder for people to find those holes? I can give you a list of servers that have never had any security holes publicly announced. If I spent some time, I could also give you a list of holes in most or all of them.

There have been no general exploits found in the past year for Apache that can be exploited remotely without pre-existing access, and I suggest that if someone already has access to your bastion then Apache isn't your concern.

Whatever server you run, you should run it chrooted.

--
 Marc Slemko     | Apache team member
 marcs@znep.com  | marc@apache.org

From firewalls-owner Sun Feb 1 10:37:10 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA02836; Sun, 1 Feb 1998 10:32:55 -0800 (PST)
Received: from dinosaur.privsys.gip.net (dinosaur.gip.net [204.59.155.63]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id KAA02819 for ; Sun, 1 Feb 1998 10:32:48 -0800 (PST)
Received: from dinosaur by dinosaur.privsys.gip.net (SMI-8.6/SMI-SVR4) id NAA20943; Sun, 1 Feb 1998 13:45:18 -0500
Date: Sun, 1 Feb 1998 13:45:18 -0500 (EST)
From: Ming Lu
X-Sender: mlu@dinosaur
To: Marc Slemko
cc: Henry Hertz Hobbit , Firewalls@GreatCircle.COM
Subject: Re: http server for bastion host
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Agree.
One can restrict users' access to the http bastion host/apache server by creating ftp-only access, using wu-ftpd, or, on Solaris 2.6, configuring the anonymous ftp server (using the Solaris ftpd daemon) to accept ftp-only access.

_ming

On Sun, 1 Feb 1998, Marc Slemko wrote:

->On Sun, 1 Feb 1998, Henry Hertz Hobbit wrote:
->
->> On Fri, 30 Jan 1998, Michael J. Maravillo wrote:
->>
->> > On Thu, 29 Jan 1998, Henry Hollenberg wrote:
->> >
->> > >I saw that the CERN http server was recommended in Chapman and
->> > > Zwicky so started checking it out, but the first thing I read
->> > > knocked it:
->> > [...]
->> > >Should I look for something else.....they made it sound pretty
->> > > good in the book, caching and all. Comments?
->> >
->> > Get Apache... http://www.apache.org
->>
->> You get what you pay for. If you also subscribe to the Bugtraq
->> mailing list, you immediately realize that Apache has its share
->> of security holes. The price is lower, but so is the security level.
->> If this isn't a concern, then by all means go ahead and get it.
->> Apache makes an excellent product, and despite what I just said
->> they have been very good at patching any holes as they find them.
->> If you want a higher level of security I would advise that you
->> get a Netscape server. CERN's product was the first, and as always
->> with the first, getting the darn thing to work is a higher priority
->> than security. Netscape site:
->
->Huh? Why exactly do you think Netscape's server is going to be magically
->secure and will have no security holes? Because they don't go through and
->do security reviews of it and announce any problems they find publicly?
->Because the source isn't available so it is harder for people to find
->those holes? I can give you a list of servers that have never had any
->security holes publicly announced. If I spent some time, I could also
->give you a list of holes in most or all of them.
->
->There have been no general exploits found in the past year for Apache that
->can be exploited remotely without pre-existing access, and I suggest that
->if someone already has access to your bastion then Apache isn't your
->concern.
->
->Whatever server you run, you should run it chrooted.
->
->--
-> Marc Slemko     | Apache team member
-> marcs@znep.com  | marc@apache.org
->
->

============================================================================
Ming Lu                              Email: mlu@hq.si.net
Network Tech Consulting Engineer     Phone: 703-689-5290 (w)
Engineering Division                        703-855-4194 (m)
Global One Telecommunications, LLT.         703-689-6575 (f)
============================================================================
"Do not pay attention to every word people say, or you may hear your servant cursing you ---- for you know in your heart that many times you yourself have cursed others."

From firewalls-owner Sun Feb 1 11:29:14 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA08815; Sun, 1 Feb 1998 11:11:09 -0800 (PST)
Received: from portal.east.saic.com (portal.east.saic.com [198.151.13.15]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id LAA08760 for ; Sun, 1 Feb 1998 11:10:52 -0800 (PST)
Received: from blazer.cist.saic.com by portal.east.saic.com via smtpd (for honor.greatcircle.com [198.102.244.44]) with SMTP; 1 Feb 1998 19:15:44 UT
Received: from obiwan (unverified [149.8.156.16]) by blazer.cist.saic.com (EMWAC SMTPRS 0.83) with SMTP id ; Sun, 01 Feb 1998 14:18:00 -0500
From: "Chris Kostick"
To: "Mike Scott" ,
Subject: Re: MS Proxy Server 2.0
Date: Sun, 1 Feb 1998 14:17:46 -0500
Message-ID: <01bd2f46$13cefb70$109c0895@obiwan.cist.saic.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_006D_01BD2F1C.2AF8F370"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.71.1712.3
X-MimeOLE: Produced By Microsoft MimeOLE V4.71.1712.3
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>I'd be interested to hear any comments or experiences of those of you
>who have implemented MS Proxy 2.0 as a firewall solution. The MS blurb
>claims this is a firewall, but how does this compare to a 'real'
>firewall like Eagle or FW-1. These are expensive in comparison so what
>extra would I get for the money? We are looking at putting in a firewall
>at the moment, and will have a WWW proxy behind it for caching anyway,
>but what extra will an extra device give me.

Myself and a coworker (teresa fishburn) just finished an article that was published in NT Systems magazine about the security of MSP 2.0. The basic conclusions that we came up with are:

Conclusions

Microsoft's Proxy Server 2.0 is being advertised as having "firewall-class" security functionality and it does represent a significant improvement over version 1.0 in this area. In this article we looked at many of the new security features of Proxy Server 2.0 and while it has firewall-like capabilities, it still has a little maturing to do before it can be compared to today's commercial firewall products. The main areas needing improvement are:

a. It is primarily for outgoing, internal authentication of communications. A firewall should be capable of performing strong authentication internally or externally with a variety of mechanisms such as one-time passwords or token cards;
b. Client-side modification is required for transparency and that is only available for Windows-based clients;
c. When inbound traffic is allowed, reliance of all security is placed on the end applications. This is because even though it is proxy-based, it still functions as a circuit-level relay proxy; and
d. The alerting and reporting functions are still weak.

If Microsoft hopes to push Proxy Server 2.0 as a firewall solution, then improvements in the above are necessary. Additional firewall technologies would also have to be considered such as VPN support (other than just PPTP) and content filtering.

Proxy Server 2.0 does have many features that are perfect for small environments that want to be connected to the Internet and are not looking to offer many services to external users. Configured correctly it can be very secure and well hidden.

Out of that list my biggest complaint is the lack of transparency. Clients are either Windows-based with the MSP client software added, or SOCKS-based for UNIX hosts. I like the idea of total transparency without modification to the end systems in a firewall product.

-- chris
 
From firewalls-owner Sun Feb 1 14:06:55 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA25344; Sun, 1 Feb 1998 13:54:14 -0800 (PST) Received: from dinosaur.privsys.gip.net (dinosaur.gip.net [204.59.155.63]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id NAA25334 for ; Sun, 1 Feb 1998 13:54:09 -0800 (PST) Received: from dinosaur by dinosaur.privsys.gip.net (SMI-8.6/SMI-SVR4) id RAA00467; Sun, 1 Feb 1998 17:06:45 -0500 Date: Sun, 1 Feb 1998 17:06:45 -0500 (EST) From: Ming Lu X-Sender: mlu@dinosaur To: Bob De Witt cc: peter@baileynm.com, firewalls@GreatCircle.COM Subject: Re: Proxy Server and FW-1 In-Reply-To: <199801281959.LAA16072@yginsburg.el.nec.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

http://squid.nlanr.net/

Giant Squid live in the deep, deep sea and no one has ever witnessed it alive.......-)

_ming

On Wed, 28 Jan 1998, Bob De Witt wrote:
->On Tue, 27 Jan 1998, Peter da Silva wrote:
->>
->> If you're going for an HTTP-proxy-only instead of a filter why not dike out
->> the firewall-1 completely and stick a squid on a nailed down FreeBSD or
->> Linux box between yourself and the Internet? You'd save even more money!
->
->So, what exactly is a 'squid', if you please?
->Thanks,
->and Ciao,
->Bob
->
->Robert De Witt,
->rdew@el.nec.com
->

============================================================================
Ming Lu Email: mlu@hq.si.net
Network Tech Consulting Engineer Phone: 703-689-5290 (w)
Engineering Division 703-855-4194 (m)
Global One Telecommunications, LLT. 703-689-6575 (f)
============================================================================
"Do not pay attention to every word people say, or you may hear your servant cursing you ---- for you know in your heart that many times you yourself have cursed others."
From firewalls-owner Sun Feb 1 15:07:26 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA27674; Sun, 1 Feb 1998 14:44:26 -0800 (PST) Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id OAA27649 for ; Sun, 1 Feb 1998 14:44:16 -0800 (PST) Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id XAA23642; Sat, 31 Jan 1998 23:51:05 -0500 Date: Sat, 31 Jan 1998 23:48:31 -0500 (EST) From: Rabid Wombat To: "Corey J. Anderson" cc: Gary Mills , "firewalls@GreatCircle.COM" Subject: Re: Sniffer tools In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Thu, 29 Jan 1998, Corey J. Anderson wrote:
>
> When a sniffer is sniffing, its NIC is in promiscuous mode. This shows up
> on other sniffers.
>

Only with a limited number of recent NICs based on certain chipsets. In general, the above is false.

From firewalls-owner Sun Feb 1 15:49:59 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA27624; Sun, 1 Feb 1998 14:43:10 -0800 (PST) Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id OAA27617 for ; Sun, 1 Feb 1998 14:43:02 -0800 (PST) Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id XAA23657; Sat, 31 Jan 1998 23:57:38 -0500 Date: Sat, 31 Jan 1998 23:56:27 -0500 (EST) From: Rabid Wombat To: Henry Hertz Hobbit cc: Doug Hughes , firewalls@GreatCircle.COM Subject: Re: anti-sniffer warfare In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I have set up secure LANs using both Synoptics/Bay Networks and 3Com hubs. Setting this up is not difficult; administering it long-term in a large environment is.
You need a well-documented cable plant, end stations documented by user, location, cable drop, MAC address and IP address, and, of course, your hubs documented by location, cable drop-to-port and MAC address-to-port. You need a system that allows your records to be maintained accurately by your staff.

Your users and help desk will need to know that only a specific system is permitted on a specific port, and your maintenance technicians will need to know that swapping out a NIC, PC, etc. will require that the MAC address assigned to a given port will also need to be changed. When you think of "standard" swap-out troubleshooting procedures, you can see why this is a problem.

-r.w.

On Sat, 31 Jan 1998, Henry Hertz Hobbit wrote:
> On Fri, 30 Jan 1998, Doug Hughes wrote:
> >
> > I don't think the effort would be worth it. Most sniffers are totally
> > passive devices, and by their nature, the only way to detect them
> > is physical inspection of your cable plant.
>
> Correct.
>
> > One thing that may be helpful in preventing hardware sniffer attachment
> > is via security enabled hubs where the MAC address of all ports is
> > hard-wired into the hub. Unused ports would be administratively disabled.
> > This will prevent somebody from unplugging a machine and plugging in a
> > sniffer. It will also prevent somebody from using an unoccupied port
> > on the off chance that they would get access to the hub itself (which
> > should be in a locked closet).
>
> Aside from the fact that not all hubs support this, does anybody
> really have the time to do it with all the other stuff that they
> have to get done? If you or anybody else reading this can point us
> to any sites that are doing this successfully and what hubs would
> be the best to use, I think that we would all benefit. I guess it
> kind of depends on the volatility of the network you are on which
> at most places I have been is quite high.
>
>
> The Hobbit
>
> This message can't possibly have come from me!
> smrsh is not running
> so it *must* have come from somebody else going into the smtp port!!!
>

From firewalls-owner Sun Feb 1 17:16:48 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA27616; Sun, 1 Feb 1998 14:42:54 -0800 (PST) Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id OAA27609 for ; Sun, 1 Feb 1998 14:42:47 -0800 (PST) Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id AAA23696; Sun, 1 Feb 1998 00:40:15 -0500 Date: Sun, 1 Feb 1998 00:37:41 -0500 (EST) From: Rabid Wombat To: Rabbi Haim Cassorla cc: Lon Taulbee , Firewalls@GreatCircle.COM Subject: Re: banned URL list required -Reply In-Reply-To: <007601bd280b$1bc839a0$0328fccc@fd.valuu.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

IANAL, but I have to agree with the Rabbi on this one:

- If you (the company) monitor/restrict content, you could be viewed as an editor, and would have a higher level of legal responsibility for the traffic that originates at your site. ... You restrict based on content, and this content was sent from your company, therefore you must have approved it ... This could probably be applied to received content as well, if you are filtering this.

- Filtering web sites is bound to fail, if failure is anything less than 100% effectiveness. You will not be able to prevent employees from viewing unacceptable content any more than you could reasonably expect to prevent them from bringing unacceptable printed content into the workplace. Do you search your staff's briefcases, purses, etc. for porno mags on their way into work every day? I didn't think so. Would you act on a staff member posting centerfolds on the walls of their office? Yes.
- The solution is to have a professionally developed employee handbook, which outlines, among other things, that professional conduct is expected in the workplace, and that the display of materials that could reasonably be expected to offend others is not tolerated. It is best to establish the line between an employee's freedom of speech and reasonable expectation of privacy vs. the rights of others to a tolerable work environment prior to experiencing problems. This way, you've restricted your requirement to reacting to an offence (take that down, and don't put anything like that up on your wall/monitor in the future, rather than being responsible for allowing it to get up on the wall/monitor in the first place).

- In terms of monitoring of electronic content, my recommendation is that you inform employees that monitoring is available and implemented, and site visits are logged, but that this information is only used in response to complaints or incidents, and that, for example, the head of IS and the head of HR must consent to review of an employee's electronic content/activities before content will be reviewed. It is important to establish what the employee's reasonable expectation to privacy is, and where it ends.

- I generally recommend that companies allow limited personal use of computer system resources, based on a guideline of individual discretion and expectation of professional behavior, much as they generally allow limited personal use of, for example, telephones and photocopiers. You should also stress the need to, at minimum, insert a disclaimer on personal messages posted to public forums, and recommend that employees obtain personal accounts for such postings in preference to posting from company accounts. State that the company does have a right to protect its public image, and that posting of content that reflects negatively on the company from a company account is grounds for disciplinary action, up to/including dismissal and/or legal proceedings.
- In the specific case of web browser abuse, state that although the company allows limited personal use (as described above), standards of professional behavior apply, and mis-use of company time will not be tolerated. A chronic recreational web browsing employee falls into the same category as one who spends hours each day on personal telephone calls; in short, they can be dismissed for lack of productivity.

- I've generally found that once the above guidelines have been established, one written warning which is not specific to content, but only to behavior, is generally sufficient to stop the problem. If this fails, a second warning, coupled with an invitation to step on over to HR to discuss why specific activities violate company policy (Mr. Smith, your repeated access and display of ... has been found offensive by your co-workers and violates company policy) will almost certainly do the trick. All the problem cases I've come across so far (gov't and private sector) were easily dealt with, once the ground rules and ability to act on infractions were established with the employee.

-r.w.

On Fri, 23 Jan 1998, Rabbi Haim Cassorla wrote:
> Now, let's see, according to your interpretation, your use of vulgar and
> unacceptable vocabulary, (in my opinion), opens you to lawsuits --- in your
> opinion.
>
> Get a life!
>
> The issue is whether or not you exercise editorial rights over what appears.
>
> Shalom
> Rabbi Haim Cassorla
>
> -----Original Message-----
> From: Lon Taulbee
> To: jkwilli2@unity.ncsu.edu
> Cc: Firewalls@GreatCircle.com
> Date: Friday, January 23, 1998 2:38 AM
> Subject: RE: banned URL list required -Reply
>
>
> >This is not a moral issue. It is a business decision to ensure company
> >property is used for company business. Take your moral issues outside
> >the work place. If you're the owner then you can dictate what you will
> >or won't allow on company "workstations". If you don't like it, go
> >somewhere else, start your own business.
> >Not allowing people to visit
> >sex sites is bigger than a moral issue. You are opening yourself up to
> >huge law suits due to sexual harassment claims, because someone saw
> >pictures on your monitor that was offensive to them. You can call it
> >what you want, but it is a reality in our society today. You're shoving
> >your morals (or lack of) down my throat by allowing this crap to come
> >into the work place, and I don't want to have to look at it or deal with it
> >(not even inadvertently).
> >
> >>>> Ken Williams 01/22/98 4:14am >>>
> >On Thu, 22 Jan 1998, R. Bakker wrote:
> >
> >>I think http:\\www.websense.com is what you are looking for. It is a
> >server based system with a database full of unwanted url's works with
> >fw 1 netscape & m'softproxy also nt version available.
> >>
> >>Remco Bakker PointNet Security Systems
> >>Tel 31 (0)577 46 27 15 fax 46 26 27 mobile 31 (06) 51 30 30 61
> >>http://www.pointnet.nl/pss
> >>PSS is part of the PointGroup
> >
> >the question here is: Do you really want to have a third party making
> >your private ethical and moral decisions for you? what happens when
> >you
> >find out that their Board of Directors is full of John Birch Society
> >members? and that they have added political, social, religious and ethics
> >related websites to their "blacklist/Salem witch trials docket"?
> >
> >don't believe the hype.
> >
> >controlled paranoia is a maintainer of freedom.
> >
> >Ken Williams
> >
> >/--------------| TATTOOMAN -aka- rute |--------------\
> > NCSU Computer Science VP of The E.H.A.P. Corp.
> > jkwilli2@unity.ncsu.edu http://www.hackers.com/ehap/
> > UNIX ICQ UIN# 4231260 ehap@hackers.com
> > FTP Site: ftp://152.7.11.38/pub/personal/tattooman/
> > WWW 2: http://www4.ncsu.edu/~jkwilli2/
> > PGP Key: http://www4.ncsu.edu/~jkwilli2/pgp.asc
> > http://www4.ncsu.edu/~jkwilli2/pgp_fingerprint
> >\---------| http://152.7.11.38/~tattooman/ |---------/
> >
>

From firewalls-owner Sun Feb 1 19:08:54 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id SAA07910; Sun, 1 Feb 1998 18:58:42 -0800 (PST) Received: from norway.it.earthlink.net (norway-c.it.earthlink.net [204.119.177.49]) by honor.greatcircle.com (8.8.5/Honor-980201-1) with ESMTP id SAA07903 for ; Sun, 1 Feb 1998 18:58:38 -0800 (PST) Received: from default (1Cust32.tnt3.sfo3.da.uu.net [153.37.9.32]) by norway.it.earthlink.net (8.8.7/8.8.5) with SMTP id TAA10397 for ; Sun, 1 Feb 1998 19:03:40 -0800 (PST) Message-ID: <34D53707.3FA9@earthlink.net> Date: Sun, 01 Feb 1998 19:01:27 -0800 From: Kemal Abuhan X-Mailer: Mozilla 3.0 (Win95; I; 16bit) MIME-Version: 1.0 To: firewalls@GreatCircle.COM Subject: System Administrator(firewall) Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hello folks, sorry for the bandwidth waste. I would like to get in direct contact with Firewalls@GreatCircle.com

thanks

From firewalls-owner Sun Feb 1 19:21:57 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id TAA09910; Sun, 1 Feb 1998 19:18:16 -0800 (PST) Received: from gargoyle.clark.net (pm2-83.dcwt.infi.net [208.136.65.83]) by honor.greatcircle.com (8.8.5/Honor-980201-1) with ESMTP id TAA09893 for ; Sun, 1 Feb 1998 19:18:04 -0800 (PST) Received: by gargoyle.clark.net (VMailer, from userid 500) id 32C32CD8A2; Sun, 1 Feb 1998 22:27:35 -0500 (EST) Date: Sun, 1 Feb 1998 22:27:35 -0500 (EST) From: "Paul D. Robertson" X-Sender: proberts@localhost To: Rabid Wombat Cc: firewalls@GreatCircle.COM Subject: Re: anti-sniffer warfare In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Sat, 31 Jan 1998, Rabid Wombat wrote:
> Your users and help desk will need to know that only a specific system is
> permitted on a specific port, and your maintenance technicians will need
> to know that swapping out a NIC, PC, etc. will require that the MAC

This can be alternately managed by specifying the MAC address in the configuration, which will still need to be added when installing new drives or PCs. If it's tied to the user, or a wall port/floor number then it is easier to manage, though you lose some obscurity, but gain back some of the administrative difficulty. It tends to be easier to do for managed systems like servers and routers than for end-user workstations, but it has to become part of the troubleshooting and installation procedures, or you'll spend a lot of time fighting it.

> address assigned to a given port will also need to be changed. When you
> think of "standard" swap-out troubleshooting procedures, you can see why
> this is a problem.

I swapped out all the users, the new ones are still a problem! ;)

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
proberts@clark.net which may have no basis whatsoever in fact."
PSB#9280
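The inventory the two posts above describe (stations by user, location, drop, MAC and IP; hubs by location, drop-to-port and MAC-to-port) only stays useful if somebody checks it against what the hubs are actually configured with. The following is an added example, not code from either poster: a small Python consistency check that flags the exact failure mode Rabid Wombat warns about (a NIC or PC swapped without the hub's port lock being updated), plus an unused-but-enabled port, and a swap-out routine that updates the station record and the hub lock together, as Paul says the procedures must. All station names, drops, hub names and MAC addresses are constructed sample data; the hub model is a hypothetical one and does not correspond to any vendor's API.

```python
"""Consistency check for a MAC-locked hub port inventory.

Added example, not from the mailing-list posts. It models the records
Rabid Wombat lists (end stations by user, location, cable drop, MAC and
IP; hubs by location, drop-to-port and MAC-to-port) and reports where
the hub's per-port MAC locks disagree with the station records, which
is what a NIC/PC swap-out leaves behind when the hub is not updated.
All names, drops and MAC addresses below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass, field, replace


@dataclass(frozen=True)
class Station:
    user: str
    location: str
    drop: str   # cable drop / wall jack label the station is plugged into
    mac: str
    ip: str


@dataclass
class HubPort:
    drop: str | None         # cable drop patched to this port; None if unpatched
    locked_mac: str | None   # MAC address hard-wired into the hub for this port
    enabled: bool


@dataclass
class Hub:
    name: str
    location: str
    ports: dict[int, HubPort] = field(default_factory=dict)


def norm_mac(mac: str) -> str:
    """Compare MACs regardless of case or dash/colon separators."""
    return mac.lower().replace("-", ":")


def check_hub(hub: Hub, stations: list[Station]) -> list[tuple[int, str, str]]:
    """Return (port, code, message) for every port whose hub configuration
    disagrees with the station records, or that is unused but still enabled."""
    by_drop = {s.drop: s for s in stations}
    findings = []
    for num, port in sorted(hub.ports.items()):
        if port.drop is None:
            # Unused ports must be administratively disabled.
            if port.enabled:
                findings.append((num, "UNUSED_ENABLED", "unpatched port is enabled"))
            continue
        station = by_drop.get(port.drop)
        if station is None:
            findings.append((num, "UNKNOWN_DROP",
                             f"patched to drop {port.drop} but no station is documented there"))
            continue
        if not port.enabled:
            findings.append((num, "DISABLED_IN_USE",
                             f"disabled but {station.user} is documented on drop {port.drop}"))
        if port.locked_mac is None:
            findings.append((num, "NO_LOCK",
                             f"no MAC lock on the port serving {station.user} at {port.drop}"))
        elif norm_mac(port.locked_mac) != norm_mac(station.mac):
            findings.append((num, "STALE_LOCK",
                             f"lock {port.locked_mac} != {station.user}'s NIC {station.mac} "
                             f"at {port.drop} (NIC or PC swapped without updating the hub?)"))
    return findings


def record_nic_swap(hub: Hub, stations: list[Station], drop: str, new_mac: str) -> list[Station]:
    """Swap-out procedure: update the station record and the hub port lock
    for that drop in one step, so the two records never drift apart."""
    updated = [replace(s, mac=new_mac) if s.drop == drop else s for s in stations]
    for port in hub.ports.values():
        if port.drop == drop:
            port.locked_mac = new_mac
    return updated


def build_sample() -> tuple[Hub, list[Station]]:
    """Constructed sample data: one floor hub with three documented stations."""
    stations = [
        Station("alice", "Bldg A, 2F", "2F-17", "00:a0:c9:11:22:33", "10.1.2.17"),
        Station("bob",   "Bldg A, 2F", "2F-18", "00:a0:c9:44:55:66", "10.1.2.18"),
        Station("carol", "Bldg A, 2F", "2F-19", "00:a0:c9:77:88:99", "10.1.2.19"),
    ]
    hub = Hub("hub-2f-1", "Bldg A, 2F wiring closet", {
        1: HubPort("2F-17", "00-A0-C9-11-22-33", True),  # matches alice (dash format)
        2: HubPort("2F-18", "00:a0:c9:aa:bb:cc", True),  # bob's old NIC: stale lock
        3: HubPort("2F-19", None, True),                 # carol's port never locked
        4: HubPort(None, None, True),                    # unused but left enabled
        5: HubPort(None, None, False),                   # unused and disabled: fine
    })
    return hub, stations


if __name__ == "__main__":
    hub, stations = build_sample()
    for num, code, msg in check_hub(hub, stations):
        print(f"{hub.name} port {num}: {code}: {msg}")
    # Run the swap-out procedure for bob's drop and re-check: STALE_LOCK goes away.
    stations = record_nic_swap(hub, stations, "2F-18", "00:a0:c9:44:55:66")
    print([code for _, code, _ in check_hub(hub, stations)])
```

Keying the check on the cable drop rather than on the user follows Paul's point that a wall-port-based scheme is easier to manage; the drop is what the hub port is physically patched to, so it is the one record that rarely changes when users or PCs do. In a real deployment the station and hub tables would come from the cable-plant database and the hub's management interface rather than from `build_sample()`.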
From firewalls-owner Sun Feb 1 20:08:10 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id TAA08239; Sun, 1 Feb 1998 19:05:12 -0800 (PST) Received: from gargoyle.clark.net (pm2-83.dcwt.infi.net [208.136.65.83]) by honor.greatcircle.com (8.8.5/Honor-980201-1) with ESMTP id TAA08222 for ; Sun, 1 Feb 1998 19:05:00 -0800 (PST) Received: by gargoyle.clark.net (VMailer, from userid 500) id 32C3219319; Sun, 1 Feb 1998 22:13:52 -0500 (EST) Date: Sun, 1 Feb 1998 22:13:51 -0500 (EST) From: "Paul D. Robertson" X-Sender: proberts@localhost To: Rabid Wombat Cc: Firewalls@GreatCircle.COM Subject: Re: banned URL list required -Reply In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Sun, 1 Feb 1998, Rabid Wombat wrote:
> IANAL, but I have to agree with the Rabbi on this one:
>
> - If you (the company) monitor/restrict content, you could be viewed as an
> editor, and would have a higher level of legal responsibility for the
> traffic that originates at your site. ... You restrict based on content,
> and this content was sent from your company, therefore you must have
> approved it ... This could probably be applied to received content as
> well, if you are filtering this.

For a service provider, this is _probably_ true, for a company it hasn't been held as law as of yet. My local lawgeeks hold the opinion that this is akin to 900 number blocking at the switch. They also hold the opinion that the company may disallow access to things it knows aren't in its interest without regard to what it doesn't know about. Rather than playing lawyer, I'd suggest that anyone considering blocking do so only after discussing it with their company's legal counsel, and getting that opinion in writing.

>
> - Filtering web sites is bound to fail, if failure is anything less than
> 100% effectiveness.
> You will not be able to prevent employees from
> viewing unacceptable content any more than you could reasonably expect to
> prevent them from bringing unacceptable printed content into the
> workplace. Do you search your staff's briefcases, purses, etc. for porno
> mags on their way into work every day? I didn't think so. Would you act
> on a staff member posting centerfolds on the walls of their office? Yes.

A linear progression of your logic would hold the administrators liable for attacks which were successful if they were blocking things for attacks and missed one, didn't know about one, etc., and I'm certainly not going to vote for that approach. In the end, I suppose we'll see that one in court in a shareholder vs. company or administrator suit at which point we'll know the precedent and how it applies to any harmful information, at the content or transport layer. The thought of possible personal liability _should_ have us all pounding on the lawyers' doors.

Also, it doesn't mean that filtering isn't meaningful, or doesn't have use. There may or may not be some benefit to be gained from trying to protect your users. Would you rather fire someone for viewing unacceptable content at the wrong time, or present them with the usage policy they weren't paying attention to at the personnel briefing? Would you rather have a lawsuit because some temporary worker, intern, or visitor decided to try out www.disgusting_acts_with_NT_Server.com while NOW was visiting, or have that person review your policy on access?

> environment prior to experiencing problems. This way, you've
> restricted your requirement to reacting to an offence (take that down,
> and don't put anything like that up on your wall/monitor in the future,
> rather than being responsible for allowing it to get up on the
> wall/monitor in the first place).

One of the arguments against this is that reacting can get you in trouble in some jurisdictions instead of acting.
Companies have successfully dodged suits with the "bad apple" defense because they were proactive about what is constrained as harassment (NEC vs someone was the test for this in the US).

> - In terms of monitoring of electronic content, my recommendation is that
> you inform employees that monitoring is available and implemented, and
> site visits are logged, but that this information is only used in response
> to complaints or incidents, and that, for example, the head of IS and the
> head of HR must consent to review of an employee's electronic
> content/activities before content will be reviewed. It is important to
> establish what the employee's reasonable expectation to privacy is, and
> where it ends.

It is also important to make sure that administrative access isn't hindered, because once you create an expectation of privacy (in the US) ECPA kicks in, and your network guy doing sniffer traces to diagnose a network problem who decided to joke with a coworker about a site he saw them hit suddenly becomes legal liability #1. Having to find the head of HR and the head of IS at 3am because you suspect an HTTP tunnel to someone's machine can be a serious liability, more so if you don't do it and they were in to download gigabytes of over that fast company connection. Personally, I'd rather go strong on the wording and have procedures which take a more "private" view than to put my administrative and diagnostic tools and personnel in ECPA or any privacy law's way. I think that ethics statements for administrative personnel would be a better way to go than statements of privacy for users, YMMV.

While IANAL either, and (though it's not obvious) I'm not a proponent of heavy monitoring except by automated equipment for usage trending, I think it is important to note where case law has been, and not go off half-cocked on the basis of the Prodigy decision which never reached full closure since it was settled out of court.
I strongly urge that people setting up policies and monitoring tools talk with the company's counsel about the company's interests and not try to do it themselves, there are a bunch of issues in each direction, and you're a hell of a lot safer pointing at the lawyer than a mailing list ;)

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
proberts@clark.net which may have no basis whatsoever in fact."
PSB#9280

From firewalls-owner Sun Feb 1 20:52:34 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id TAA18299; Sun, 1 Feb 1998 19:55:35 -0800 (PST) Received: from mail.elp.rr.com (ns.elp.rr.com [24.92.96.1]) by honor.greatcircle.com (8.8.5/Honor-980201-1) with ESMTP id TAA18251 for ; Sun, 1 Feb 1998 19:55:21 -0800 (PST) Received: from bigkahuna.elp.rr.com (dt07q2n83.elp.rr.com [24.92.112.131]) by mail.elp.rr.com (8.8.7/8.8.8) with SMTP id VAA24100 for ; Sun, 1 Feb 1998 21:00:15 -0700 (MST) Message-Id: <1.5.4.32.19980202035957.00723fbc@elp.rr.com> X-Sender: rosteen1@elp.rr.com X-Mailer: Windows Eudora Light Version 1.5.4 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Sun, 01 Feb 1998 20:59:57 -0700 To: Firewalls@GreatCircle.COM From: Rick Osteen Subject: smurf attach Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Sorry for the ignorance, but what is a "Smurf Attack"?
Thanks for any insight,
Rick Osteen

From firewalls-owner Sun Feb 1 21:07:09 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id TAA15021; Sun, 1 Feb 1998 19:41:14 -0800 (PST) Received: from barney.iamerica.net (barney.iamerica.net [206.81.41.4]) by honor.greatcircle.com (8.8.5/Honor-980201-1) with ESMTP id TAA14991 for ; Sun, 1 Feb 1998 19:41:05 -0800 (PST) Received: (from speed@localhost) by barney.iamerica.net (8.8.3/8.8.3) id VAA04786 for Firewalls@GreatCircle.COM; Sun, 1 Feb 1998 21:40:25 -0600 Date: Sun, 1 Feb 1998 21:40:25 -0600 From: Henry Hollenberg Message-Id: <199802020340.VAA04786@barney.iamerica.net> To: Firewalls@GreatCircle.COM Subject: Re: setting up a bastion host on a linux system Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Content-MD5: 2eszgS9P/NO0SqkSuA+Smg== Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>Vince Doss wrote:
>
>Perhaps this may be too obvious however, the setup for RedHat 4.2
>prompts you for which packages you want to install. It allows you a
>bit of latitude in your choices i.e. gcc, X, compiler, emacs...etc.
>If you do not select these packages then they will not be installed.
>I can not comment on any other distributions, but would assume there
>are similarities.

That's sort of what I was planning on doing....I'm going to try using Debian....I've just sorted thru all the packages it installed in one of the default modes and I think I'll try to figure out a way to pass it a custom list of packages I want installed....then install the firewall services....then see if it can't be stripped down a little more.
Thanks for the reply
Henry Hollenberg
speed@barney.iamerica.net

From firewalls-owner Sun Feb 1 21:29:20 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id UAA29618; Sun, 1 Feb 1998 20:50:19 -0800 (PST) Received: from diablo.cisco.com (diablo.cisco.com [171.68.223.106]) by honor.greatcircle.com (8.8.5/Honor-980201-1) with ESMTP id UAA29596 for ; Sun, 1 Feb 1998 20:50:12 -0800 (PST) Received: from clonvick-pc.cisco.com ([171.70.238.6]) by diablo.cisco.com (8.8.5/CISCO.SERVER.1.2) with SMTP id UAA06183; Sun, 1 Feb 1998 20:54:21 -0800 (PST) Message-Id: <3.0.32.19980201225124.006eac14@diablo> X-Sender: clonvick@diablo X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Sun, 01 Feb 1998 22:51:30 -0600 To: Rabid Wombat , Rabbi Haim Cassorla From: Chris Lonvick Subject: Re: banned URL list required -Reply Cc: Lon Taulbee , Firewalls@GreatCircle.COM Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

At 12:37 AM 2/1/98 -0500, Rabid Wombat wrote:
>
>-The solution is to have a professionally developed employee handbook,
>which outlines, among other things, that professional conduct is expected
>in the workplace, and that the display of materials that could reasonably
>be expected to offend others is not tolerated. It is best to establish
>the line between an employee's freedom of speech and reasonable
>expectation of privacy vs. the rights of others to a tolerable work
>environment prior to experiencing problems. This way, you've
>restricted your requirement to reacting to an offence (take that down,
>and don't put anything like that up on your wall/monitor in the future,
>rather than being responsible for allowing it to get up on the
>wall/monitor in the first place).
>

Don't re-do work that has already been done. In most large U.S.
corporations, this has already been done as the direct consequence of the many sexual harassment lawsuits filed over the past few years. (Please, let's don't spawn a new thread here to discuss that.) I've seen many corporations make their employees attend "awareness" sessions and annually sign a letter saying that they've read the policy and will abide by it. These companies have very detailed sections of their policies that explain proper and improper behavior, as well as the consequences of failure to comply. You should tie access to the Internet to these same policies rather than trying to re-create the wheel. Spend some time with your HR department.

>- In terms of monitoring of electronic content, my recommendation is that
>you inform employees that monitoring is available and implemented, and
>site visits are logged, but that this information is only used in response
>to complaints or incidents, and that, for example, the head of IS and the
>head of HR must consent to review of an employee's electronic
>content/activities before content will be reviewed. It is important to
>establish what the employee's reasonable expectation to privacy is, and
>where it ends.
>

Yes. Definitely. I can't recall if it is a legal thing or if it's just an urban myth, (but I remember that it has been discussed on this list before) you could get in trouble for not informing the users that you are logging their activities. Maybe something about an illegal wiretap.

The corporate policies (or firewall policies) should also notify the users that the content on the Internet is not the responsibility of the corporation or the firewall administrators. The users may find content that is personally disagreeable, or that violates your policy since they cannot know the content of a link or of a site ahead of time. Let them know that they should disregard this objectionable material and move on.
If it violates the policy, let them know that accidents do happen and people should not be punished for them. If they cannot live with the fact that they may encounter this material, then they should make a personal decision that they will not utilize the Internet. Even the U.S. Supreme Court has recognized the rights of people who hold conscientious objections. ---some text deleted for brevity--- I have administered a firewall and I have helped write policies. The best advice that I can give is - make sure that the firewall provides acceptable enforcement of the corporate policy. - make sure that the firewall lives up to the expectations of the users. - make sure that the policies indemnify the firewall administrator of any blame for stuff beyond his control. I found the third one somewhat distasteful. However, I was informed that we live in a litigious society and that a bit of CYA was just good common sense. Again, however, discuss this with your own HR department and see what they recommend. Hope this helps, Chris Lonvick Cisco Systems Corporate Consulting Houston, TX, USA +1.713.778.5663 From firewalls-owner Sun Feb 1 21:41:08 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id UAA24374; Sun, 1 Feb 1998 20:23:02 -0800 (PST) Received: from c00953-100lez.eos.ncsu.edu (c00953-100lez.eos.ncsu.edu [152.1.26.73]) by honor.greatcircle.com (8.8.5/Honor-980201-1) with ESMTP id UAA24347 for ; Sun, 1 Feb 1998 20:22:52 -0800 (PST) Received: from localhost (jkwilli2@localhost) by c00953-100lez.eos.ncsu.edu (8.8.4/UC02Jan97) with SMTP id XAA06613; Sun, 1 Feb 1998 23:27:45 -0500 (EST) X-Authentication-Warning: c00953-100lez.eos.ncsu.edu: jkwilli2 owned process doing -bs Date: Sun, 1 Feb 1998 23:27:44 -0500 (EST) From: Ken Williams X-Sender: jkwilli2@c00953-100lez.eos.ncsu.edu To: "Gene H. 
Miller" cc: firewalls@GreatCircle.COM Subject: Re: [NTSEC] Transplant passwords from UNIX to NT In-Reply-To: Message-ID: X-Copyright: The contents of this message may not be reproduced in any form X-Copyright: (including Commercial use) unless specific permission is granted X-Copyright: by the author of the message. All requests must be in writing. X-Disclaimer: The contents of this email are for educational purposes only X-Disclaimer: and do not reflect the thoughts or opinions of either myself X-Disclaimer: or my employer and are not endorsed by sponsored by or provided X-Disclaimer: on behalf of North Carolina State University. MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Sat, 31 Jan 1998, Ken Williams wrote: >On Sat, 31 Jan 1998, Gene H. Miller wrote: > >>We have a SUN/UNIX system for student use where students have assigned user >>IDs and private passwords. We also have an NT system using same user IDs >>but different passwords. What is the best way to replace the current NT >>passwords with the UNIX passwords? Preferably this could be automated and >>done over the network, but I doubt it's possible. Is manually entering new >>passwords the only way? >> >>Thanks for the help, >>Gene Miller >>gmiller@tir.com >> Same deal here at NCSU. We are handling it by using Kerberos and NDS, and NOT using NT domains. 
Ken Williams

From firewalls-owner Sun Feb 1 22:32:14 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id VAA08440; Sun, 1 Feb 1998 21:38:01 -0800 (PST) Received: from ALABAMA.CF.CS.YALE.EDU (RT-GW.CS.YALE.EDU [128.36.0.13]) by honor.greatcircle.com (8.8.5/Honor-980201-1) with ESMTP id VAA08424 for ; Sun, 1 Feb 1998 21:37:53 -0800 (PST) Received: by ALABAMA.CF.CS.YALE.EDU id AAA19657; Mon, 2 Feb 1998 00:42:51 -0500 (EST) sender long-morrow@CS.YALE.EDU for Received: from sparky.cf.cs.yale.edu(128.36.31.4) by ALABAMA.CF.CS.YALE.EDU via smap (V1.3) id sma019644; Mon Feb 2 00:42:25 1998 Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-8.7.1/res.client.cf-4.0) id AAA08785; Mon, 2 Feb 1998 00:42:24 -0500 (EST) Date: Mon, 2 Feb 1998 00:42:24 -0500 (EST) Message-Id: <199802020542.AAA08785@SPARKY.CF.CS.YALE.EDU> To: Firewalls@GreatCircle.COM, rosteen1@elp.rr.com Subject: Re: smurf attach Cc: bklein@panix.com From: "H. Morrow Long" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Rick Osteen wrote:
> Sorry for the ignorance, but what is a "Smurf Attack"?

A "smurf" attack is one which uses forged ICMP echo requests (generally with a source IP address of an innocent victim site) sent to the broadcast address of a net or subnet on an 'assisting' intermediate (and also innocent) site. The attack uses the bounce via the intermediate site not only to hide the source of the attack but also for the 'multiplier' effect of the broadcast response, obtained to gain an amplified 'boost' for flooding the final destination (the forged source IP of the original ICMP echo request, which is where the multiple ICMP echo replies from all the hosts responding to the broadcast will be sent), often saturating the destination Internet link or inundating the host.

Not only are 'smurf's sent to the common 'all-ones' broadcast addresses of LANs (e.g. 192.168.1.255), but recent attacks (as sites have begun to filter out packets to the standard destination 'all-ones' broadcast addresses) use the alternative 'all-zeros' broadcast addresses (which most hosts will respond to as well) as destinations (e.g. 192.168.1.0).

Solutions (one, a combination or all):

1. At the border -- filter out ICMP (and UDP or all IP to protect against future broadcast attacks) to the internal broadcast addresses of your subnets (both all-one and all-zero patterns).
2. Or filter out all ICMP (or just ECHO msgs) from the Internet.
3. Turn off directed broadcast capabilities for IP in all of your routers.
4. Disable ICMP from responding to broadcast pings (requires kernel mods -- see recently released Phrack for an example of moving 'ping' response out of kernel-space into userland). This would have to be done in every host with ICMP level connectivity to the Internet, which may be impractical on a large scale.

To be a good network neighbor you may also want to filter out any outgoing packets from your network going out to obviously recognizable broadcast addresses on remote Internet site networks (*.*.*.0, *.*.*.255 -- you will not be able to filter, unfortunately, when remote ISPs hand out tiny network portions w/subnet masks of 255.255.255.128/192/224/240, etc.).

For more info: Recommendations by CISCO and others in documents:
http://www.cisco.com/warp/public/707/5.html
ftp://ds.internic.net/rfc/rfc2267.txt
http://www.quadrunner.com/~c-huegen/smurf.cgi

H.
Morrow Long, Yale Univ IT ISO -Info Technology Services Info Security Officer 175 Whitney Avenue, New Haven, CT 06520-8276, (203)432-1248(voice) 432-0593(FAX) INET: http://pantheon.yale.edu/~long/ mailto:Morrow.Long@yale.edu PAGE: (203)370-3081, (800)347-2574, mailto:1165469@pager.mcb.com PIN# 1165469 PGP 1024/54F9FD69 1997/08/25 fp 97 ED E7 9D 41 8A 90 8C 4D 7C 22 56 80 BA 84 09

From firewalls-owner Sun Feb 1 23:36:58 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA27378; Sun, 1 Feb 1998 23:31:32 -0800 (PST) Received: from bast.livingston.com (bast.livingston.com [149.198.247.2]) by honor.greatcircle.com (8.8.5/Honor-980201-1) with ESMTP id XAA27371 for ; Sun, 1 Feb 1998 23:31:27 -0800 (PST) Received: from server.livingston.com (server.livingston.com [149.198.1.70]) by bast.livingston.com (8.8.5/8.6.9) with ESMTP id XAA18244 for ; Sun, 1 Feb 1998 23:30:33 -0800 (PST) Received: from tmpbeta.livingston.com ([149.198.65.50]) by server.livingston.com (8.8.5/8.6.9) with SMTP id XAA19163 for ; Sun, 1 Feb 1998 23:36:04 -0800 (PST) Received: from localhost by tmpbeta.livingston.com (SMI-8.6/SMI-SVR4) id XAA12975; Sun, 1 Feb 1998 23:34:48 -0800 Date: Sun, 1 Feb 1998 23:34:47 -0800 (PST) From: Josh Richards X-Sender: jrichard@tmpbeta To: firewalls@GreatCircle.COM Subject: Re: System Administrator(firewall) In-Reply-To: <34D53707.3FA9@earthlink.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Sun, 1 Feb 1998, Kemal Abuhan wrote:
> Hello folks, sorry for the bandwidth waste.
>
> I would like to get in direct contact with Firewalls@GreatCircle.com

Well that is certainly live and direct! ;-) So what do you need?

----
Josh Richards - Beta Engineer
Lucent Technologies (Remote Access Business Unit) (formerly Livingston Enterprises, Inc.)
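An added example (my own code, not from any post on this list) of the filtering logic in H. Morrow Long's smurf reply a couple of messages up: an ingress check for his solution 1 that matches both the all-ones and the all-zeros broadcast of each internal subnet using the real prefix length, and the "good neighbor" egress heuristic, which can only look for *.*.*.0 and *.*.*.255 because remote prefix lengths are unknown. The subnet list, the addresses and the sample packets are constructed for the demo.

```python
"""Smurf filtering as described in H. Morrow Long's reply: a border check for
inbound traffic to our own subnet broadcasts (both address patterns) and a
good-neighbor check on outbound echo requests.  Constructed example; the
subnet list and sample packets are made up for the demo."""
import ipaddress

ICMP, TCP, UDP = 1, 6, 17
ECHO_REQUEST = 8

# Subnets behind our border (constructed).  The /26 is there to show why the
# real prefix length matters: its broadcast is .191 and its zero address .128.
INTERNAL_SUBNETS = ("192.168.1.0/24", "192.168.2.128/26")


def broadcast_addresses(subnets):
    """All-ones and all-zeros broadcast of each subnet, as IPv4Address objects."""
    addrs = set()
    for prefix in subnets:
        net = ipaddress.ip_network(prefix, strict=False)
        addrs.add(net.broadcast_address)   # e.g. 192.168.1.255
        addrs.add(net.network_address)     # e.g. 192.168.1.0, which many hosts also answer
    return addrs


def is_directed_broadcast(dst, subnets=INTERNAL_SUBNETS):
    """True if dst is a broadcast (either form) of one of the given subnets."""
    return ipaddress.ip_address(dst) in broadcast_addresses(subnets)


def ingress_verdict(pkt, subnets=INTERNAL_SUBNETS):
    """Solution 1 from the post: drop ICMP and UDP from outside that is aimed at
    one of our subnet broadcasts.  Filtering all IP would be stricter still."""
    if pkt["proto"] in (ICMP, UDP) and is_directed_broadcast(pkt["dst"], subnets):
        return "drop"
    return "accept"


def looks_like_classful_broadcast(dst):
    """Good-neighbor heuristic for egress: we do not know remote prefix
    lengths, so only the obvious *.*.*.0 and *.*.*.255 patterns are caught.
    A /26 broadcast such as .63 or .191 slips through, as the post warns."""
    return ipaddress.ip_address(dst).packed[-1] in (0, 255)


def egress_verdict(pkt):
    """Drop outbound echo requests to obviously-broadcast destinations so an
    attacker inside our network cannot use remote sites as amplifiers."""
    if (pkt["proto"] == ICMP and pkt.get("type") == ECHO_REQUEST
            and looks_like_classful_broadcast(pkt["dst"])):
        return "drop"
    return "accept"


def classify(packets):
    """Apply the inbound and outbound rules to a packet list."""
    return [(p["src"], p["dst"], ingress_verdict(p), egress_verdict(p)) for p in packets]


if __name__ == "__main__":
    # Constructed sample: forged-source pings at our broadcasts, one normal
    # ping, and an outbound ping at a remote /24 broadcast.
    sample = [
        {"src": "203.0.113.9", "dst": "192.168.1.255", "proto": ICMP, "type": ECHO_REQUEST},
        {"src": "203.0.113.9", "dst": "192.168.1.0", "proto": ICMP, "type": ECHO_REQUEST},
        {"src": "203.0.113.9", "dst": "192.168.2.191", "proto": UDP},
        {"src": "203.0.113.9", "dst": "192.168.1.10", "proto": ICMP, "type": ECHO_REQUEST},
        {"src": "192.168.1.10", "dst": "198.51.100.255", "proto": ICMP, "type": ECHO_REQUEST},
    ]
    for row in classify(sample):
        print("%-14s -> %-16s in:%-6s out:%s" % row)
```

The ingress side knows its own prefixes, so it catches 192.168.2.191 and 192.168.2.128 for the /26 while leaving 192.168.2.255 alone; the egress side has no such knowledge, which is exactly the gap the post points out for remote /25, /26 and smaller allocations.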
From firewalls-owner Sun Feb 1 23:52:18 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA29521; Sun, 1 Feb 1998 23:49:09 -0800 (PST) Received: from marvin.ose.eur.deuba.com (gate0.de.deuba.com [193.150.166.50]) by honor.greatcircle.com (8.8.5/Honor-980201-1) with ESMTP id XAA29447 for ; Sun, 1 Feb 1998 23:48:54 -0800 (PST) Received: from julia.ksfw.eur.deuba.com by marvin.ose.eur.deuba.com id IAA32952; Mon, 2 Feb 1998 08:53:57 +0100 Received: (from marc@localhost) by julia.ksfw.eur.deuba.com (8.8.8/8.8.5) id IAA20213 for firewalls@greatcircle.com; Mon, 2 Feb 1998 08:50:07 +0100 From: Marc Heuse Message-Id: <199802020750.IAA20213@julia.ksfw.eur.deuba.com> Subject: anti-sniffer warfare - Solution To: firewalls@greatcircle.com Date: Mon, 2 Feb 1998 08:50:07 +0100 (CET) X-Mailer: ELM [version 2.4ME+ PL37 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi folks,

I found a very easy way to detect a sniffing computer from remote. It's really simple: How does an ethernet card normally work? It takes a look at every (ethernet) frame on the wire and looks for its ethernet id or the broadcast id. If found, it takes the frame and hands it to the next upper layer, e.g. the unix kernel. If you craft a packet for a special host with a *wrong* ethernet address, it won't reply - unless it's in promiscuous mode!

And this is the easy solution (which is only usable within a subnet): Install a scanner program on a server on each subnet. All it needs to have is an entry in /etc/ethers like

    # /etc/ethers
    scantarget 01:01:01:01:01:01    # scantarget ip is the subnet's broadcast address.

then disable the broadcast ip on the interface and finally send a ping to "scantarget" once a minute. This doesn't need root, and is easy to set up and manage.

Drawback: one server in the subnet can't reply to a broadcast packet, and some operating systems do not reply to a broadcast ping (like AIX). The solution to these two problems is pinging each host directly with a fake ethernet address (I think ipsend from the ip_filter package has this feature).

Final Drawback: An attacker can modify the kernel to check the hardware address of the received packet. But well, this will detect 98% of the script kiddies.

Below is the output of my test:

    julia:/ # arp -a
    Address    HWtype  HWaddress           Flags  Mask  Iface
    marc       ether   00:20:35:B3:4C:6A   C      *     eth0
    julia:/ # arp -d marc
    julia:/ # arp -s marc 11:11:11:11:11:11
    julia:/ # arp -a
    Address    HWtype  HWaddress           Flags  Mask  Iface
    marc       ether   11:11:11:11:11:11   CM     *     eth0
    julia:/ # ping marc
    PING marc (x.x.x.x): 56 data bytes
    --- marc ping statistics ---
    3 packets transmitted, 0 packets received, 100% packet loss

[ then I turned on promisc. mode on the server "marc" by starting "sniffit" ]

    julia:/ # ping marc
    PING marc (x.x.x.x): 56 data bytes
    64 bytes from x.x.x.x: icmp_seq=0 ttl=64 time=0.7 ms
    64 bytes from x.x.x.x: icmp_seq=1 ttl=64 time=0.7 ms
    --- marc ping statistics ---
    2 packets transmitted, 2 packets received, 0% packet loss
    round-trip min/avg/max = 0.7/0.7/0.7 ms
    julia:/ # arp -a
    Address    HWtype  HWaddress           Flags  Mask  Iface
    marc       ether   11:11:11:11:11:11   CM     *     eth0

[ Here I turned the sniffer on server "marc" off ]

    julia:/ # ping marc
    PING marc (x.x.x.x): 56 data bytes
    --- marc ping statistics ---
    1 packets transmitted, 0 packets received, 100% packet loss

With kind regards,
Marc Heuse

This message and any statements expressed therein are those of myself and not of the Deutsche Bank AG or its subsidiary companies.
Type Bits/KeyID Date User ID pub 2048/DB5C03C5 1997/09/23 Marc Heuse -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.3i mQENAzQnbFEAAAEIAL/tj4hn/DVjEWAZhuqRdxZQDy5B+gZbE0CD/mUnZqpem+9L KY+I8te7jMfTQExzqn5jYb5BaibT0SbEBWSx9Gha8EiBLAVcAjvrXpV+HJLcnPRG YDk5a3s7GrA+QVHbbd9DWgqjMfUMw9oUDAhhjgK20SeOtFGBD2U17GkQF6TK7EjC CTOuz2Hx/tisDuroJJnxZdbLNvCceOf/D/bbFcR7DfnEJWJ3f9JC4fibZMlX5rXL Ct/TKhZMd4d42uL7L4KvkT5JCnFuEw1jRDPpBjZ030cK2uWCM//iEVLGmGKOs6Pg o3Lfnnd6I6bTPHgrNsapNWmocbIGDC/4w9tcA8UABRG0Jk1hcmMgSGV1c2UgPG1h cmMuaGV1c2VAbWFpbC5kZXViYS5jb20+iQEVAwUQNCdsUQwv+MPbXAPFAQFWEwf5 AWt6PbKLLCCBPnzBMdXatKEJvNzrZRXNSpbgKQUDAKApRUnOkDJ9yp3tfJG0/BsL XBf+ldmjjoo/OZeWhIhNb71bbCs8BK7/YK5LKef2eq4pzSiWYosrOfjlfyOVhAiP AiWYtK/HBELy6Zs8QwoPX0QX0+R2+ocMS0TDz7nwBgO5wcj3yMU0geTrnlDpJdj1 RgFQLE6T9qO5coRjj1EAoT5gQMxP9L4TQuifYiQ6S2vh6blr3amjPohKSDzZ62/x rQ1KMXJd7MlMQndn8UwKt4XgoFIsZOFRrkDiXfm6zFnH40UcotoA+Ygojp52+Y6A MuixTDbuf3Jph2jEG6r4Dw== =/n63 -----END PGP PUBLIC KEY BLOCK----- From firewalls-owner Mon Feb 2 00:22:25 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id AAA03376; Mon, 2 Feb 1998 00:06:23 -0800 (PST) Received: from penguin.wise.edt.ericsson.se (penguin-ext.wise.edt.ericsson.se [194.237.142.5]) by honor.greatcircle.com (8.8.5/Honor-980201-1) with ESMTP id AAA03290 for ; Mon, 2 Feb 1998 00:06:03 -0800 (PST) Received: from geek.nmac.ericsson.se (geek.nmac.ericsson.se [130.100.187.83]) by penguin.wise.edt.ericsson.se (8.7.5/8.7.3/glacier-1.12) with ESMTP id JAA02819 for ; Mon, 2 Feb 1998 09:11:04 +0100 (MET) Received: from haig.oplab.nmac.ericsson.se (haig.oplab.nmac.ericsson.se [130.100.187.85]) by geek.nmac.ericsson.se (8.8.5/8.8.5) with ESMTP id KAA18553 for ; Mon, 2 Feb 1998 10:13:05 +0100 Received: by haig.oplab.nmac.ericsson.se with Internet Mail Service (5.0.1457.3) id ; Mon, 2 Feb 1998 09:11:02 +0100 Message-ID: <43BED8177D10D011A69A0800092C15D70BBB36@haig.oplab.nmac.ericsson.se> From: =?iso-8859-1?Q?Robert_St=E5hlbrand?= To: 
"'Patrick Lee'" Cc: "'firewalls@greatcircle.com'" Subject: RE: Printing firewall-1 rules Date: Mon, 2 Feb 1998 09:11:00 +0100 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1457.3) Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Ehhh....! Are you running on an NT-platform or something? I run on a Solaris 2.5.1-platform and using version 2.1a and in this version there isn't any options at all considering printing. You are able to print the logs but not the rules and that's it! /Robert, Ericsson Telecom AB > -----Original Message----- > From: Patrick Lee [SMTP:pat@patlee.org] > Sent: den 30 januari 1998 16:34 > To: Robert St=E5hlbrand > Cc: firewalls@greatcircle.com > Subject: RE: Printing firewall-1 rules >=20 > Bring up a Windows GUI Policy Editor and you can print all you want. > The print > out is not the greatest if you have many rules because it wants to = fit > all the > rules onto one page, but it's doable. >=20 > At 03:27 AM 1/30/98 , Robert St=E5hlbrand wrote: > > I have been screaming for this option too. It REALLY is a shame = that > > there isn't a possibility to print your rules in an easy way (not > using > > snapshot or xv etc.). > > > > > Is there a simple way of printing the firewall-1 filtering rules > as > > > displayed in the main window? 
From firewalls-owner Mon Feb 2 00:52:18 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id AAA04285; Mon, 2 Feb 1998 00:13:17 -0800 (PST) Received: from marvin.ose.eur.deuba.com (gate0.de.deuba.com [193.150.166.50]) by honor.greatcircle.com (8.8.5/Honor-980201-1) with ESMTP id XAA01230 for ; Sun, 1 Feb 1998 23:56:48 -0800 (PST) Received: from julia.ksfw.eur.deuba.com by marvin.ose.eur.deuba.com id JAA30998; Mon, 2 Feb 1998 09:01:51 +0100 Received: (from marc@localhost) by julia.ksfw.eur.deuba.com (8.8.8/8.8.5) id IAA20219; Mon, 2 Feb 1998 08:57:56 +0100 From: Marc Heuse Message-Id: <199802020757.IAA20219@julia.ksfw.eur.deuba.com> Subject: Re: anti-sniffer warfare In-Reply-To: <98Jan30.123222est.26885@virginia.dsava.com> from "Icore, Joshua" at "Jan 30, 98 12:35:03 pm" To: jicore@dsava.com (Icore, Joshua) Date: Mon, 2 Feb 1998 08:57:56 +0100 (CET) Cc: firewalls@greatcircle.com X-Mailer: ELM [version 2.4ME+ PL37 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi,

> A more direct approach would be to run something like cpm from CERT. cpm can
> be run out of cron on unix boxes and checks to see which if any devices are in
> promiscuous mode by checking the devices status via ioctl's.

If an attacker finds this program he'll modify it so it won't report anything. This is almost trivial. A better approach for an attacker would be to load a kernel module (if supported by the operating system) which prevents showing the PROMISC flag of the ethernet card.

> For the really paranoid, with source access, one can always wrap/trap the
> SIOCSIFFLAGS operation and check to see if IFF_PROMISC is being set, and issue
> a warning.

This would be a good solution. Someone would need to patch the system to get around this, and to detect this and remove the protection is hard work, too much for most of the script kiddies. btw. linux reports a "kernel: eth0: Promiscuous mode enabled" ...

> Since IFF_PROMISC is already restricted on *nix systems to euid 0, add code
> to write to a log, or send mail if the IFF_PROMISC flag is set.

Well - what's the use? If an attacker has got root to run a sniffer, he can modify the logs too. Solution: send a log message to another host.

With kind regards,
Marc Heuse

This message and any statements expressed therein are those of myself and not of the Deutsche Bank AG or its subsidiary companies.

From firewalls-owner Mon Feb 2 02:07:29 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id BAA23084; Mon, 2 Feb 1998 01:46:21 -0800 (PST) Received: from venus.compunet.de (venus.compunet.de [193.102.107.6]) by honor.greatcircle.com (8.8.5/Honor-980201-1) with ESMTP id BAA22942 for ; Mon, 2 Feb 1998 01:45:47 -0800 (PST) From: Manuel.Gil@gecits-eu.com Received: from mail.gecits-eu.com (mailge.compunet.de [193.98.133.26]) by venus.compunet.de (AIX4.2/UCB 8.7/8.7) with
SMTP id KAB35180 for ; Mon, 2 Feb 1998 10:34:27 +0100 (NFT) Received: by mail.gecits-eu.com(Lotus SMTP MTA v1.1 (385.6 5-6-1997)) id 4125659F.00363529 ; Mon, 2 Feb 1998 10:52:05 +0100 X-Lotus-FromDomain: GECITS-EU@GECITS-EXT To: firewalls@greatcircle.com Message-ID: <4125659F.0035A49B.00@mail.gecits-eu.com> Date: Mon, 2 Feb 1998 10:50:33 +0100 Subject: WEB Authentication Mime-Version: 1.0 Content-type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi all:

I am looking for a tool to authenticate the clients over several WEB servers in a centralized way. The problem is that all the tools that I have found need software installed on the WEB servers (Security Dynamics, RAPTOR Axcess, etc...) and in most cases on the client too. Does anybody know a product that doesn't need software on either the WEB server or the client? That means something that works using X.509 certificates or similar.

Thanks and best regards
Manuel Gil
GE Capital IT Solutions , S.L. System Engineering Edif.
Torre Serrano C./ Serrano 47, Madrid 28001, Spain Phone: +34 1 4368839/00, Fax: +34 1 5769883, Mobile: 909 457616 Internet: Manuel.Gil@GECITS-EU.COM

From firewalls-owner Mon Feb 2 03:37:38 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id DAA05172; Mon, 2 Feb 1998 03:11:41 -0800 (PST) Received: from bom2.vsnl.net.in (bom2.vsnl.net.in [202.54.1.1]) by honor.greatcircle.com (8.8.5/Honor-980201-1) with ESMTP id DAA05066 for ; Mon, 2 Feb 1998 03:11:13 -0800 (PST) Received: from rakesh-goyal ([202.54.51.23]) by bom2.vsnl.net.in (8.8.5/8.8.5) with SMTP id QAA27968; Mon, 2 Feb 1998 16:46:48 +0530 (IST) Received: by rakesh-goyal with Microsoft Mail id <01BD2FFB.3B0AC420@rakesh-goyal>; Mon, 2 Feb 1998 16:54:31 +0530 Message-ID: <01BD2FFB.3B0AC420@rakesh-goyal> From: RAKESH GOYAL To: "'firewalls@GreatCircle.COM'" Cc: "'ntsecurity@iss.net'" Subject: Computer Crimes Date: Mon, 2 Feb 1998 16:52:54 +0530 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Economic Times, India has an article on Computer Crimes in India.
Read at - http://www.economictimes.com/200198/20econ14.htm

From firewalls-owner Mon Feb 2 03:52:20 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id DAA08281; Mon, 2 Feb 1998 03:23:30 -0800 (PST) Received: from bom2.vsnl.net.in (bom2.vsnl.net.in [202.54.1.1]) by honor.greatcircle.com (8.8.5/Honor-980201-1) with ESMTP id DAA08244 for ; Mon, 2 Feb 1998 03:23:16 -0800 (PST) Received: from rakesh-goyal ([202.54.51.23]) by bom2.vsnl.net.in (8.8.5/8.8.5) with SMTP id QAA14165; Mon, 2 Feb 1998 16:58:42 +0530 (IST) Received: by rakesh-goyal with Microsoft Mail id <01BD2FFC.E4CC4BE0@rakesh-goyal>; Mon, 2 Feb 1998 17:06:25 +0530 Message-ID: <01BD2FFC.E4CC4BE0@rakesh-goyal> From: RAKESH GOYAL To: "'firewalls@GreatCircle.COM'" Cc: "'ntsecurity@iss.net'" Subject: RE: Computer Crimes Date: Mon, 2 Feb 1998 17:06:17 +0530 MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="---- =_NextPart_000_01BD2FFC.E4D573A0" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Economic Times, India has an article on Computer Crimes in India.
Read at - http://www.economictimes.com/200198/20econ14.htm

[attachment: "z-Computer crimes log an exp...url", an Internet shortcut to the same URL]

From firewalls-owner Mon Feb 2 04:22:12 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id DAA13197; Mon, 2 Feb 1998 03:53:04 -0800 (PST) Received: from lint.cisco.com (lint.cisco.com [171.68.223.44]) by honor.greatcircle.com (8.8.5/Honor-980201-1) with ESMTP id DAA13162 for ; Mon, 2 Feb 1998 03:52:52 -0800 (PST) Received: from big-dawgs.cisco.com (herndon-dhcp-77.cisco.com [171.68.53.77]) by lint.cisco.com (8.8.5/CISCO.SERVER.1.2) with SMTP id DAA03808; Mon, 2 Feb 1998 03:57:51 -0800 (PST) Message-Id: <3.0.5.32.19980202065750.0086cc90@lint.cisco.com> X-Sender: pferguso@lint.cisco.com X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Mon, 02 Feb 1998 06:57:50 -0500 To: Rick Osteen From: Paul Ferguson Subject: Smurf Attack [Was: Re: smurf attach] Cc: Firewalls@GreatCircle.COM In-Reply-To: <1.5.4.32.19980202035957.00723fbc@elp.rr.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

See: http://www.quadrunner.com/~chuegen/smurf.txt

- paul

At 08:59 PM 2/1/98 -0700, Rick Osteen wrote:
> Sorry for the ignorance, but what is a "Smurf Attack"?
>
> Thanks for any insight,
> Rick Osteen
>

-- Paul Ferguson || || Consulting Engineering || || Herndon, Virginia USA |||| |||| tel: +1.703.397.5938 ..:||||||:..:||||||:..
mailto:ferguson@cisco.com c i s c o S y s t e m s From firewalls-owner Mon Feb 2 05:07:29 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id EAA25570; Mon, 2 Feb 1998 04:46:51 -0800 (PST) Received: from patlee.patlee.org (port13.dial2.GAIN-NY.com [208.132.240.108]) by honor.greatcircle.com (8.8.5/Honor-980201-1) with ESMTP id EAA25353 for ; Mon, 2 Feb 1998 04:46:03 -0800 (PST) Received: by patlee.patlee.org from localhost (router,SLMail V2.6); Mon, 02 Feb 1998 07:50:05 -0500 Received: by patlee.patlee.org from patlee.patlee.org (127.0.0.1::mail daemon; unverified,SLMail V2.6); Mon, 02 Feb 1998 07:50:04 -0500 X-Sender: patlee@panix2.panix.com X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0 Date: Mon, 02 Feb 1998 07:49:59 -0500 To: Robert Stehlbrand From: Patrick Lee Subject: RE: Printing firewall-1 rules Cc: "'firewalls@greatcircle.com'" In-Reply-To: <43BED8177D10D011A69A0800092C15D70BBB36@haig.oplab.nmac.eri csson.se> Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit Message-Id: <19980202075005.0719f1f8.in@patlee.patlee.org> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk You can mix and match management server and firewall module. I run the firewall modules on Sun Solaris 2.5.1 and the management module on Windows NT 4.0. It works great. Further, you can use the Windows 95/NT version of the log viewer and policy editor to manage a management server that resides on Sun Solaris 2.5.1. I had that working as well for a while. The Windows 95/NT version of the policy editor allows printing of the rules. The print out isn't great, but it works. This is all done with version 3.0a. At 03:11 AM 2/2/98 , Robert Stehlbrand wrote: > Ehhh....! Are you running on an NT-platform or something? > I run on a Solaris 2.5.1-platform and using version 2.1a and in this > version there isn't any options at all considering printing. 
> You are able to print the logs but not the rules and that's it!

From firewalls-owner Mon Feb 2 05:37:07 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA03271; Mon, 2 Feb 1998 05:24:57 -0800 (PST) Received: from firstnetcom.atinet.com.au (mail-syd.atinet.com.au [203.35.110.3]) by honor.greatcircle.com (8.8.5/Honor-980201-1) with SMTP id FAA03185 for ; Mon, 2 Feb 1998 05:24:35 -0800 (PST) Received: from ppp-109.atinet.com.au (ppp-109.atinet.com.au [203.35.110.109]) by firstnetcom.atinet.com.au (NTMail 3.02.10) with ESMTP id la006485 for ; Tue, 3 Feb 1998 00:28:08 +1100 Received: from wagner (wagner.winspace.net [192.168.0.6]) by mozart.winspace.net (8.8.8/8.7.3) with SMTP id AAA17972; Tue, 3 Feb 1998 00:29:22 +1100 From: "Norman Widders" Date: Tue, 3 Feb 1998 00:29:17 +1000 (GMT) Subject: Re: [NTSEC] Transplant passwords from UNIX to NT To: Reply-To: Organization: Paladin Corporation Message-Id: X-Mailer: Paladin IMAP4 Client v3.0 In-Reply-To: References: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Content-Transfer-Encoding: 7BIT Content-ID: X-Info: ATINet POP3 Server - http://www.atinet.com.au Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Sun, 1 Feb 1998 23:27:44 -0500 (EST) Ken Williams wrote:

Anybody interested in integrating Unix and NT authentication might be interested in the work done on GINA:

Nigel Williams NISGINA
http://www.dcs.qmw.ac.uk/~williams/

Doug's GINA
http://www.arch.usyd.edu.au/~doug/gina.html

Kerberos plus GINA (KerbNet)
http://www.lanl.gov/divisions/cic/ComputingAtLANL/services/kerberos/kerbnet-1.2-docs/install.html

> > >>We have a SUN/UNIX system for student use where students have assigned user
> >>IDs and private passwords. We also have an NT system using same user IDs
> >>but different passwords. What is the best way to replace the current NT
> >>passwords with the UNIX passwords?
Preferably this could be automated and > >>done over the network, but I doubt it's possible. Is manually entering new > >>passwords the only way? > >> > >>Thanks for the help, > >>Gene Miller > >>gmiller@tir.com > >> > > Same deal here at NCSU. We are handling it by using Kerberos and NDS, and > NOT using NT domains. > > Ken Williams -- wheres my valium ? From firewalls-owner Mon Feb 2 05:52:10 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA06325; Mon, 2 Feb 1998 05:43:19 -0800 (PST) Received: from loki.iss.net (loki.iss.net [208.21.0.3]) by honor.greatcircle.com (8.8.5/Honor-980201-1) with ESMTP id FAA06270 for ; Mon, 2 Feb 1998 05:43:06 -0800 (PST) Received: from tdoty (tdoty.iss.net [208.21.4.61]) by loki.iss.net (8.8.7/8.7.3) with SMTP id IAA16990 for ; Mon, 2 Feb 1998 08:48:10 -0500 Message-Id: <3.0.3.32.19980202084240.009cf6e0@mail.iss.net> X-Sender: tdoty@mail.iss.net X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.3 (32) Date: Mon, 02 Feb 1998 08:42:40 -0500 To: firewalls@greatcircle.com From: Ted Doty Subject: Re: Sniffer tools Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 30 Jan 1998 11:04:20 +0700, Emmanuel Gadaix wrote: >You might want to have a look at the "Network Packet Capture FAQ" published >by the folks at ISS (doesn't it sound better than the old "Sniffer FAQ" ?) We've been informed by Network Associates that "Sniffer" is a registered trademark of Network Associates. Thus the name change. 
- Ted
--------------------------------------------------------------
Ted Doty, Internet Security Systems | Phone: +1 770 395 0150
41 Perimeter Center East            | Fax: +1 770 395 1972
Atlanta, GA 30346 USA               | Web: http://www.iss.net
--------------------------------------------------------------
PGP key fingerprint: 362A EAC7 9E08 1689 FD0F E625 D525 E1BE

From firewalls-owner Mon Feb 2 06:41:10 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA06203; Mon, 2 Feb 1998 05:42:45 -0800 (PST) Received: from x400gtw.pararede.pt (x400gtw.pararede.pt [194.79.64.130]) by honor.greatcircle.com (8.8.5/Honor-980201-1) with SMTP id FAA06073 for ; Mon, 2 Feb 1998 05:42:17 -0800 (PST) From: manuel.ricca@pararede.pt Received: by x400gtw.pararede.pt (8.6.8.1/1.2-eef) id NAA11597; Mon, 2 Feb 1998 13:48:22 GMT X400-Received: by /PRMD=pararede/ADMD=ip/C=pt; Relayed; 02 Feb 98 13:48:18 +0000 Date: 02 Feb 98 13:48:18 +0000 Delivery-Date: 02 Feb 98 13:48:22 +0000 Message-Type: Multiple Part X400-Originator: manuel.ricca@pararede.pt X400-MTS-Identifier: [/PRMD=pararede/ADMD=ip/C=pt;ISOCOR-34cac604-Tubarao] X400-Recipients: firewalls@GreatCircle.com Original-Encoded-Information-Types: Teletex X400-Content-Type: P2-1984 Message-ID: Importance: normal Subject: RE: alternatives to Security Dynamics Autoforwarded: FALSE To: firewalls@GreatCircle.com (Non Receipt Notification Requested) Conversion: Allowed Conversion-With-Loss: Allowed Alternate-Recipient: Prohibited Content-Identifier: RE: alternatives Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 8Bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Also, SafeWord from Secure Computing (www.securecomputing.com)

----------
From: firewalls-owner@GreatCircle.COM[SMTP:firewalls-owner@GreatCircle.COM]
Sent: Saturday, 31 January 1998 19:30
To: kathleen@montana.msfc.nasa.gov; firewalls@greatcircle.com; Mark.Shininger@stdreg.com
Subject: Re: alternatives to
Security Dynamics <> Comments: Authenticated sender is From firewalls-owner Mon Feb 2 07:08:16 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA14039; Mon, 2 Feb 1998 06:16:55 -0800 (PST) Received: from dns.eng.auburn.edu (dns.eng.auburn.edu [131.204.10.13]) by honor.greatcircle.com (8.8.5/Honor-980201-1) with ESMTP id GAA14019 for ; Mon, 2 Feb 1998 06:16:48 -0800 (PST) Received: from netman.eng.auburn.edu (netman.eng.auburn.edu [131.204.12.24]) by dns.eng.auburn.edu (8.8.5/8.6.4) with ESMTP id IAA05941 for ; Mon, 2 Feb 1998 08:21:55 -0600 (CST) From: Doug Hughes Received: (doug@localhost) by netman.eng.auburn.edu (SMI-8.6/8.6.4) id IAA02574; Mon, 2 Feb 1998 08:21:54 -0600 Date: Mon, 2 Feb 1998 08:21:54 -0600 Subject: Re: anti-sniffer warfare To: firewalls@greatcircle.com Message-Id: X-Mailer: TkMail 4.0beta9 In-Reply-To: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >On Fri, 30 Jan 1998, Doug Hughes wrote: > > >> I don't think the effort would be worth it. Most sniffers are totally >> passive devices, and by their nature, the only way to detect them >> is physical inspection of your cable plant. > >Correct. > >> One thing that may be helpful in preventing hardware sniffer attachment >> is via security enabled hubs where the MAC address of all ports is >> hard-wired into the hub. Unused ports would be administratively disabled. >> This will prevent somebody from unplugging a machine and plugging in a >> sniffer. It will also prevent somebody from using an unoccupied port >> on the off chance that they would get access to the hub itself (which >> should be in a locked closet). > >Aside from the fact that not all hubs support this, does anybody >really have the time to do it with all the other stuff that they >have to get done? If you or anybody else reading this can point us >to any sites that are doing this successfully and what hubs would >be the best to use, I think that we would all benefit.
I guess it >kind of depends on the volatility of the network you are on which >at most places I have been is quite high. > > >The Hobbit > >This message can't possibly have come from me! smrsh is not running >so it *must* have come from somebody else going into the smtp port!!! > We like the HP hubs with the management module. You can get the hub port to 1) send an alarm when the MAC address changes (which doesn't really help if the intruder assumes the MAC address of the machine) 2) shut down the port if the MAC address changes 3) prevent passive eavesdropping on a port by only allowing packets through to the MAC address tied to that port 4) all of the above However, in security mode, you CANNOT daisy-chain other hubs off of a port. The switchover from one MAC address to another is extremely slow and results in lost connectivity for all daisy-chained hosts. -- ____________________________________________________________________________ Doug Hughes Engineering Network Services System/Net Admin Auburn University doug@eng.auburn.edu * Reply to me, or reply to the list, but please don't do both.
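The port-security behaviour Doug describes above (a fixed MAC per port, an alarm or a shutdown when it changes, unused ports kept dark) can also be done from the management side on hubs or switches that lack a security mode, by keeping a baseline of port-to-MAC bindings and diffing it against the live forwarding table on every poll. The script below is an added example, not code from the list post or from HP; it assumes you already have a way to pull the current port-to-MAC table (SNMP, the management module's CLI, a syslog feed), so the "current" table here is constructed by hand to let it run offline. As Doug notes, it is blind to an intruder who clones the legitimate station's MAC.

```python
"""Port-to-MAC baseline check for a managed hub or switch.

Added example for the firewalls-list hub discussion, not vendor code.
Assumption: the caller supplies the live port -> MAC table; the tables
below are constructed so the check can be exercised offline.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed baseline: the MAC that belongs on each port.
# None means the port is administratively unused and must stay dark.
BASELINE: Dict[int, Optional[str]] = {
    1: "00:60:b0:11:22:33",
    2: "00:60:b0:44:55:66",
    3: None,                 # disabled port, nothing should ever show up here
    4: "00:60:b0:77:88:99",
}

# Constructed "current" table, as a management poll might return it.
CURRENT: Dict[int, Optional[str]] = {
    1: "00:60:B0:11:22:33",  # same station, vendor tool printed it upper-case
    2: "00:a0:c9:de:ad:00",  # a different station is now on port 2
    3: "08:00:20:0f:00:01",  # the disabled port has come alive
    # port 4 absent: no station seen (link down); not an alarm by itself
}


@dataclass
class Finding:
    port: int
    kind: str                # "mac_changed" or "unused_port_active"
    expected: Optional[str]
    seen: Optional[str]


def normalize(mac: Optional[str]) -> Optional[str]:
    """Canonicalise case and separators so 00-60-B0-.. equals 00:60:b0:.."""
    if mac is None:
        return None
    return mac.strip().lower().replace("-", ":")


def check_ports(baseline: Dict[int, Optional[str]],
                current: Dict[int, Optional[str]]) -> List[Finding]:
    """Return one Finding per port that violates the baseline."""
    findings: List[Finding] = []
    for port, expected in baseline.items():
        exp = normalize(expected)
        seen = normalize(current.get(port))
        if exp is None and seen is not None:
            findings.append(Finding(port, "unused_port_active", None, seen))
        elif exp is not None and seen is not None and seen != exp:
            findings.append(Finding(port, "mac_changed", exp, seen))
    # A port the baseline never mentions but that now carries a station
    # is treated the same way as a disabled port coming alive.
    for port, seen in current.items():
        if port not in baseline and seen is not None:
            findings.append(Finding(port, "unused_port_active", None, normalize(seen)))
    return sorted(findings, key=lambda f: f.port)


def ports_to_shutdown(findings: List[Finding]) -> List[int]:
    """Policy 2 from the post: any port whose station changed gets disabled."""
    return [f.port for f in findings
            if f.kind in ("mac_changed", "unused_port_active")]


if __name__ == "__main__":
    for f in check_ports(BASELINE, CURRENT):
        print(f"ALARM port {f.port}: {f.kind} expected={f.expected} seen={f.seen}")
    print("disable ports:", ports_to_shutdown(check_ports(BASELINE, CURRENT)))
```

Run it on each poll and feed `ports_to_shutdown` into whatever disables a port on your device; a port that is merely link-down is deliberately not an alarm, since that is what a powered-off workstation looks like.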
From firewalls-owner Mon Feb 2 07:33:28 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA05741; Mon, 2 Feb 1998 05:40:22 -0800 (PST) Received: from x400gtw.pararede.pt (x400gtw.pararede.pt [194.79.64.130]) by honor.greatcircle.com (8.8.5/Honor-980201-1) with SMTP id FAA05680 for ; Mon, 2 Feb 1998 05:40:07 -0800 (PST) From: manuel.ricca@pararede.pt Received: by x400gtw.pararede.pt (8.6.8.1/1.2-eef) id NAA11595; Mon, 2 Feb 1998 13:46:12 GMT X400-Received: by /PRMD=pararede/ADMD=ip/C=pt; Relayed; 02 Feb 98 13:46:08 +0000 Date: 02 Feb 98 13:46:08 +0000 Delivery-Date: 02 Feb 98 13:46:12 +0000 Message-Type: Multiple Part X400-Originator: manuel.ricca@pararede.pt X400-MTS-Identifier: [/PRMD=pararede/ADMD=ip/C=pt;ISOCOR-34cac5ff-Tubarao] X400-Recipients: firewalls@GreatCircle.com Original-Encoded-Information-Types: IA5-Text X400-Content-Type: P2-1984 Message-ID: Importance: normal Subject: RE: 107.107.107.107 and 85.85.85.85 Autoforwarded: FALSE To: firewalls@GreatCircle.com (Non Receipt Notification Requested) Conversion: Allowed Conversion-With-Loss: Allowed Alternate-Recipient: Prohibited Content-Identifier: RE: 107.107.107. Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7Bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Sean, You're right, this is not in the scope of the mailing-list. I'm willing to help, but maybe it's better if you give me your e-mail and I'll try to do it personally. My mail is manuel.ricca@pararede.pt. The problem you described must be some misconfiguration on the pc side. What service is the pc trying to attach to (NFS, DNS, WINS?). Did you look at the TCP/IP configuration on the pc? Greetings, manuel ---------- From: firewalls-owner@GreatCircle.COM[SMTP:firewalls-owner@GreatCircle.COM] Sent: Sunday, 1 February 1998 11:30 To: Firewalls@GreatCircle.COM Subject: 107.107.107.107 and 85.85.85.85 This may be a stupid question or a question not for this list...
I have an internal pc that keeps trying to attach to one of these two IP addresses and is getting denied. Since these are not NIC addrs and not on my internal network anywhere, what is the significance of these IP addresses and if I see them what should I look for? Thanks in advance. Sean From firewalls-owner Mon Feb 2 08:11:56 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA26602; Mon, 2 Feb 1998 07:09:49 -0800 (PST) Received: from se.mediaone.net (stjohns.se.mediaone.net [24.129.0.68]) by honor.greatcircle.com (8.8.5/Honor-980201-1) with ESMTP id HAA26495 for ; Mon, 2 Feb 1998 07:09:28 -0800 (PST) Received: from dmartin ([24.129.62.26]) by se.mediaone.net (Netscape Messaging Server 3.01) with ESMTP id AAA19517; Mon, 2 Feb 1998 10:14:31 -0500 Message-ID: <34D59D0D.1BFEE7EF@usa.net> Date: Mon, 02 Feb 1998 10:16:45 +0000 From: Don Martin Reply-To: grey@usa.net Organization: New Edge Technologies X-Mailer: Mozilla 4.01 [en] (Win95; I) MIME-Version: 1.0 To: Manuel.Gil@gecits-eu.com CC: firewalls@GreatCircle.COM Subject: Re: WEB Authentication X-Priority: 3 (Normal) References: <4125659F.0035A49B.00@mail.gecits-eu.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I recently tackled something similar to this. I'm also interested to hear what security folks in general think of my idea. I put up a certificate server, created our own CA as a corporate intranet, set up a secure server, and then a web server outside the firewall. We have dial-up access using Radius - UNIX system authentication for mere PPP connections, or ActivCard DES key authentication for full NT domain access. I installed the Telnet module, written for perl, on the secure web server. The user, on a secure link, enters his/her userid and password in the secure web form, which then calls a perl script to actually telnet to an internal UNIX box used for authentication.
The Telnet module logs the user in with the user id and password given in the form, and then can execute a suid program which will change the user's password if desired - it also removes the admin flag for AIX so the user won't have to change their password when logging in the next time. The very same UNIX box is being used for Radius authentication for those users not requiring full NT domain access. This way, remote access users can actually change their own Radius login passwords. We have some active server stuff set up for the NT domain password as well. It would be very simple to just verify that the user id and password were correct, but I'm fairly interested to hear how other security professionals look at this solution. Don Martin New Edge Tech. Manuel.Gil@gecits-eu.com wrote: > Hi all: > > I am looking for a tool to authenticate the clients over several WEB > > servers in a centralized way. The problem is that all the tools that I > had > found need software installed in the WEB servers (Security > Dynamics, > RAPTOR Axcess, etc...) and in most cases in the client too. > > Does anybody know a product that doesn't need software either in the > WEB > server or in the client? That is, something that works using X.509 > certificates > or similar. > > Thanks and best regards > > Manuel Gil > GE Capital IT Solutions , S.L. > System Engineering > Edif.
Torre Serrano > C./ Serrano 47, Madrid 28001, Spain > Phone: +34 1 4368839/00, Fax: +34 1 5769883, Mobile: 909 457616 > Internet: Manuel.Gil@GECITS-EU.COM From firewalls-owner Mon Feb 2 08:30:15 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA21972; Mon, 2 Feb 1998 06:50:05 -0800 (PST) Received: from area013.be (news.area013.be [194.149.72.13]) by honor.greatcircle.com (8.8.5/Honor-980201-1) with ESMTP id GAA21804 for ; Mon, 2 Feb 1998 06:49:30 -0800 (PST) Received: from schulen1.area013.be by area013.be; Mon, 02 Feb 98 15:56:28 +0100 Message-Id: <3.0.3.32.19980202154747.00850550@mailhost.area013.be> X-Sender: geert.surkijn@mailhost.area013.be X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Mon, 02 Feb 1998 15:47:47 +0100 To: firewalls@greatcircle.com From: Geert Surkijn Subject: Wrong address!!! Please change... Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi there... You're trying to send mail to an account at our mailserver. mal240@herk.area013.be please change this into: mal240@area013.be and nothing else please... *** - *** Greetings from AREA 013 Gateway *** - *** ... -> http://www.area013.be/ <- ... [Kiezelweg 121 - 3540 Herk-de-Stad - Belgium] Tel. : +32-13-555.271 (Mo-Thu 09h-21h & Fr-Sat 09h-17h CET) Fax. : +32-13-553.342 (bbs.
: +32-13-522.676) From firewalls-owner Mon Feb 2 09:08:00 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA11355; Mon, 2 Feb 1998 08:17:56 -0800 (PST) Received: from garrison.com (gw.garrison.com [207.193.95.97]) by honor.greatcircle.com (8.8.5/Honor-980201-1) with ESMTP id IAA11311 for ; Mon, 2 Feb 1998 08:17:46 -0800 (PST) Received: by garrison.com; id JAA19073; Tue, 3 Feb 1998 09:58:22 -0600 (CST) Received: from sdsh4-32.flash.net(209.30.93.32) by gw.garrison.com via smap (3.2) id xma019071; Tue, 3 Feb 98 09:58:04 -0600 Message-Id: <3.0.5.32.19980202082417.007a79c0@pop.flash.net> X-Sender: jeromie@pop.flash.net X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.5 (32) Date: Mon, 02 Feb 1998 08:24:17 -0800 To: firewalls@greatcircle.com From: Jeromie Jackson Subject: Firewall Tests/Comparisons Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I was wondering if anyone has a comprehensive list of the comparisons done on firewall technologies. I have found the LanTimes ones, as well as the Data Communications references: LanTimes http://www.lantimes.com/lantimes/usetech/compare/pcfirewa.html LanTimes http://www.raptor.com/news/lantimes/firetext.html#trade Data Communications '97 http://www.data.com/lab_tests/firewalls97.html Data Communications '95 http://www.data.com/Lab_Tests/Firewalls.html and was wondering if anyone has any others I can add to my list. I see IDC did one, although they are wanting a sizeable amount for their report. Any more references would be greatly appreciated. E-mail me, and I'll submit a compilation to the mailing list. =-=-=-=-=-=-=-=-=-=-=-=-==-= Jeromie Jackson - CISSP Senior Security Engineer Garrison Technologies 100 Congress Ave.
STE:2100 Austin, TX 78701 760-633-1843 jeromie@garrison.com =-=-=-=-=-=-=-=-=-=-=-=-=-=-= From firewalls-owner Mon Feb 2 09:23:00 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA14745; Mon, 2 Feb 1998 08:34:23 -0800 (PST) Received: from sant2.stanleyassoc.com (sant2.stanleyassoc.com [206.105.119.6]) by honor.greatcircle.com (8.8.5/Honor-980201-1) with ESMTP id IAA14694 for ; Mon, 2 Feb 1998 08:34:11 -0800 (PST) Received: by sant2.stanleyassoc.com with Internet Mail Service (5.0.1457.3) id ; Mon, 2 Feb 1998 11:38:21 -0500 Message-ID: <5A31901B7391D111831A0060081FB6B0033DA3@sant2.stanleyassoc.com> From: Bill Frazier To: "'firewalls@greatcircle.com'" Subject: IP-IPX Gateways Date: Mon, 2 Feb 1998 11:38:19 -0500 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1457.3) Content-Type: text/plain; charset="iso-8859-1" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I have received a number of responses concerning this and the major question everyone has is "What application is this being used for?" Well, the premise behind this request is this. Employees who have personal ISP accounts, either through Erols, AOL, CompuServe, PSI etc., can gain access to the interior network while working at home. Not all ISPs support IPX routing. Therefore there would have to be some type of IP to IPX translation. We are dealing with multiple locations (buildings) and approximately 2000 employees living in a tri-state area and trying to implement a single point of entry to the backbone. I realize that this also creates a security problem but will deal with that next. I know I've seen this thread before, but I am currently in need of implementing an IP-IPX gateway for a large corporation. Any thoughts or inputs would be greatly appreciated. * Bill William T.
Frazier Director of Networking & Telecommunications wtf@stanleyassoc.com (703) 739-7445 (Direct) (703) 683-0039 (Fax) From firewalls-owner Mon Feb 2 10:36:30 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA08930; Mon, 2 Feb 1998 05:56:09 -0800 (PST) Received: from syr.edu (syr.edu [128.230.1.49]) by honor.greatcircle.com (8.8.5/Honor-980201-1) with ESMTP id FAA08899; Mon, 2 Feb 1998 05:55:57 -0800 (PST) Received: from syr.edu (syru200-175.syr.edu [128.230.200.175]) by syr.edu (8.8.8/8.8.8) with ESMTP id JAA04228; Mon, 2 Feb 1998 09:01:04 -0500 (EST) Message-ID: <34D5D199.EB7A009A@syr.edu> Date: Mon, 02 Feb 1998 09:00:58 -0500 From: Peter Morissey X-Mailer: Mozilla 4.04 [en] (WinNT; I) MIME-Version: 1.0 To: Firewalls@GreatCircle.COM CC: firewalls-digest@GreatCircle.COM Subject: Re: Firewalls-Digest V7 #47 References: <199801311200.EAA26726@honor.greatcircle.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > ---------- > From: Gary Mills > Sent: Thursday, January 29, 1998 1:20:42 PM > To: firewalls@GreatCircle.COM > Subject: Sniffer tools > I was at a security conference this year and someone mentioned a tool to > find out if someone has a sniffer on your network. Does anyone have an idea > of what that might be? > Thanks > Gary Mills > gary.mills@experian.com > Since a Sniffer is a passive device, it is impossible to tell unless you monitor the hardware, such as a Unix box, that can be running the Sniffer. This has already been pointed out. The best thing to do is take preventative measures. Switching is very effective. If every device has its own switched port, then anyone sniffing on that port will only see traffic destined for the MAC address on that port.
Of course broadcasts are an exception, and yes a sophisticated hacker can glean some information from broadcasts that can be used to break in to a host, but this requires a much greater level of sophistication than what it takes to run a sniffer program. The other problem is that if someone runs a sniffer on a server that has multiple sessions on the same switched port, those sessions will still be vulnerable to sniffing. Here you want to watch for promiscuous mode etc. on the host, as was discussed in other posts. Another step you can take is encryption. Applications that encrypt passwords are a good first step because it takes very little skill to run a Sniffer and find passwords. Once you've got the passwords and logins, it's a no-brainer. The next step is to encrypt the data itself. From firewalls-owner Mon Feb 2 11:07:26 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA15129; Mon, 2 Feb 1998 10:45:47 -0800 (PST) Received: from mail.diginsite.com ([208.2.189.2]) by honor.greatcircle.com (8.8.5/Honor-980201-1) with ESMTP id KAA15080 for ; Mon, 2 Feb 1998 10:45:30 -0800 (PST) Received: from localhost (dlang@localhost) by mail.diginsite.com (8.8.8/8.8.6) with SMTP id KAA20154; Mon, 2 Feb 1998 10:35:01 -0800 Date: Mon, 2 Feb 1998 10:33:46 -0800 (PST) From: David Lang To: Rabid Wombat cc: "Corey J. Anderson" , Gary Mills , "firewalls@GreatCircle.COM" Subject: Re: Sniffer tools In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Not to mention that you can create a 10/100baseT cable with no transmit wires to move ANY packets from the card to the network. David Lang On Sat, 31 Jan 1998, Rabid Wombat wrote: > > > On Thu, 29 Jan 1998, Corey J. Anderson wrote: > > > > > When a sniffer is sniffing, its NIC is in promiscuous mode. This shows up > > on other sniffers.
> > > > Only with a limited number of recent NICs based on certain chipsets. In > general, the above is false. > From firewalls-owner Mon Feb 2 11:22:58 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA10148; Mon, 2 Feb 1998 10:24:09 -0800 (PST) Received: from kcpgw.kcp.com (kcpgw.kcp.com [198.62.69.65]) by honor.greatcircle.com (8.8.5/Honor-980201-1) with SMTP id KAA09984 for ; Mon, 2 Feb 1998 10:23:34 -0800 (PST) From: dharris@kcp.com Message-Id: <199802021823.KAA09984@honor.greatcircle.com> Received: by kcpgw.kcp.com id AA02589 (InterLock SMTP Gateway 3.0 for Firewalls@GreatCircle.COM); Mon, 2 Feb 1998 12:28:18 -0600 Received: by kcpgw.kcp.com (Internal Mail Agent-2); Mon, 2 Feb 1998 12:28:18 -0600 Received: by kcpgw.kcp.com (Internal Mail Agent-1); Mon, 2 Feb 1998 12:28:18 -0600 Mime-Version: 1.0 Date: Mon, 2 Feb 1998 12:22:31 -0600 Subject: Re: 107.107.107.107 and 85.85.85.85 To: Firewalls , FreakaZoid Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Description: cc:Mail note part Sender: firewalls-owner@GreatCircle.COM Precedence: bulk 'whois' to the InterNIC shows that 107.0.0.0 and 85.0.0.0 are IANA-reserved addresses with Joyce K. Reynolds (JKRey@ISI.EDU, 310-822-1511) as the contact. ______________________________ Reply Separator _________________________________ Subject: 107.107.107.107 and 85.85.85.85 Author: FreakaZoid at INTERNET-MAIL Date: 1/29/98 2:41 PM This may be a stupid question or a question not for this list... I have an internal pc that keeps trying to attach to one of these two IP addresses and is getting denied. Since these are not NIC addrs and not on my internal network anywhere, what is the significance of these IP addresses and if I see them what should I look for? Thanks in advance? 
Sean From firewalls-owner Mon Feb 2 11:30:25 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA08178; Mon, 2 Feb 1998 10:17:38 -0800 (PST) Received: from syr.edu (syr.edu [128.230.1.49]) by honor.greatcircle.com (8.8.5/Honor-980201-1) with ESMTP id KAA07981; Mon, 2 Feb 1998 10:17:01 -0800 (PST) Received: from syr.edu (syru200-175.syr.edu [128.230.200.175]) by syr.edu (8.8.8/8.8.8) with ESMTP id NAA16633; Mon, 2 Feb 1998 13:22:09 -0500 (EST) Message-ID: <34D60ECA.D71D9030@syr.edu> Date: Mon, 02 Feb 1998 13:22:03 -0500 From: Peter Morissey X-Mailer: Mozilla 4.04 [en] (WinNT; I) MIME-Version: 1.0 To: Firewalls@GreatCircle.COM, firewalls-digest@GreatCircle.COM Subject: Checkpoint Var in Central New York Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Can anyone recommend a Checkpoint VAR/reseller/distributor with local coverage in Syracuse New York? Also, does the per node pricing consider how many devices are accessing the protected devices, or is it just determined by the amount of devices protected? 
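Going back to the sniffer thread above: the one case the posters agree is checkable is the host you administer yourself, where Peter Morissey suggests watching for promiscuous mode. The script below is an added example, not code from any post in the thread. It assumes a Linux host, where the kernel exposes each interface's flag word in /sys/class/net/<iface>/flags and sets the IFF_PROMISC bit (0x100 in <linux/if.h>) while a capture program has asked for promiscuous mode; the sample flag table is constructed so the functions run offline. It says nothing about a passive tap, a receive-only cable, or a box you do not control, which is exactly the limitation the thread describes, and a rootkit on the host can of course hide the flag.

```python
"""Host-side check for interfaces left in promiscuous mode (Linux).

Added example for the firewalls-list sniffer discussion, not code from
the thread. Assumption: Linux /sys/class/net/<iface>/flags layout with
IFF_PROMISC == 0x100 as defined in <linux/if.h>.
"""
import os
from typing import Dict, List

IFF_UP = 0x1
IFF_PROMISC = 0x100          # <linux/if.h>

# Constructed sample of what the flags files might contain on a host where
# someone left a capture running on eth1.
SAMPLE_FLAGS: Dict[str, str] = {
    "lo":   "0x9\n",         # UP|LOOPBACK
    "eth0": "0x1003\n",      # UP|BROADCAST|MULTICAST
    "eth1": "0x1103\n",      # UP|BROADCAST|PROMISC|MULTICAST  <- sniffer
    "eth2": "0x1002\n",      # BROADCAST|MULTICAST, interface down
}


def parse_flags(text: str) -> int:
    """The flags file holds a hex string with a trailing newline."""
    return int(text.strip(), 16)


def is_promisc(flags: int) -> bool:
    return bool(flags & IFF_PROMISC)


def is_up(flags: int) -> bool:
    return bool(flags & IFF_UP)


def promisc_interfaces(flag_table: Dict[str, str]) -> List[str]:
    """Names of interfaces with IFF_PROMISC set, from a name -> flags-text map."""
    return sorted(name for name, text in flag_table.items()
                  if is_promisc(parse_flags(text)))


def read_sys_flags(root: str = "/sys/class/net") -> Dict[str, str]:
    """Collect the live flags files; returns {} on hosts without sysfs."""
    table: Dict[str, str] = {}
    if not os.path.isdir(root):
        return table
    for name in os.listdir(root):
        path = os.path.join(root, name, "flags")
        try:
            with open(path) as fh:
                table[name] = fh.read()
        except OSError:
            continue            # virtual entries without a flags file
    return table


if __name__ == "__main__":
    live = read_sys_flags() or SAMPLE_FLAGS
    hits = promisc_interfaces(live)
    for name in hits:
        print(f"WARNING: {name} is in promiscuous mode")
    if not hits:
        print("no interface in promiscuous mode")
```

Run it from cron on the servers that carry many sessions on one switched port; a hit means a capture program is (or was left) running there, which is the situation Peter's post says switching alone does not cover.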
From firewalls-owner Mon Feb 2 14:41:56 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA14844; Mon, 2 Feb 1998 13:15:51 -0800 (PST) Received: from hef.ncanet.com (hef.ncanet.com [206.63.127.3]) by honor.greatcircle.com (8.8.5/Honor-980201-1) with ESMTP id NAA14643 for ; Mon, 2 Feb 1998 13:15:09 -0800 (PST) Received: from maccom2.maccom ([207.181.205.90]) by hef.ncanet.com (Netscape Mail Server v2.02) with SMTP id AAA6722; Mon, 2 Feb 1998 13:21:21 -0800 From: mcassidy@NCAnet.com (Mike Cassidy) To: "Peter Morissey" , Cc: Subject: Re: Checkpoint Var in Central New York Date: Mon, 2 Feb 1998 13:22:09 -0800 Message-ID: <01bd3020$9ee16420$02c7c7c7@maccom2.maccom> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.71.1712.3 X-MimeOLE: Produced By Microsoft MimeOLE V4.71.1712.3 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Tom Koci with Network Computing Architects (781) 871-7780 or tkoci@ncanet.com Michael A. Cassidy Marketing Manager NCA - National Premier Provider of Internetworking, Telco Services, Network Security and Multivendor Support. http://www.ncanet.com -----Original Message----- From: Peter Morissey To: Firewalls@GreatCircle.COM ; firewalls-digest@GreatCircle.COM Date: Monday, February 02, 1998 1:07 PM Subject: Checkpoint Var in Central New York >Can anyone recommend a Checkpoint VAR/reseller/distributor >with local coverage in Syracuse New York? > >Also, does the per node pricing consider how many >devices are accessing the protected devices, or is it >just determined by the amount of devices protected? 
> From firewalls-owner Mon Feb 2 15:39:59 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA22962; Mon, 2 Feb 1998 13:49:30 -0800 (PST) Received: from maersk.com (mail.apmoller.com [193.88.46.86]) by honor.greatcircle.com (8.8.5/Honor-980201-1) with SMTP id NAA22851 for ; Mon, 2 Feb 1998 13:49:07 -0800 (PST) Received: by maersk.com id WAA183.21; Mon, 2 Feb 1998 22:53:29 -0500 Message-Id: <199802030353.WAA183.21@maersk.com> Date: Mon, 02 Feb 98 22:52:37 +0000 To: firewalls@GreatCircle.COM From: MDCBRS@MAERSK.COM (Schmidt, Brian/BRS) Subject: MHS29058 Mime-version: 1.0 Content-type: text/plain; charset="ISO-8859-1" Content-transfer-encoding: 8bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk TO : FIREWALLS FROM: Schmidt, Brian/BRS REFN: MHS29058 98.02.02 22:59 CET MS Proxy 2.0 and Netscape Hi all. I need to hear if anybody has any knowledge about running Netscape clients against a MS Proxy server 2.0. I keep getting access denied when prompted for logon password. Thanks in advance Brian From firewalls-owner Mon Feb 2 16:04:28 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA18697; Mon, 2 Feb 1998 15:42:47 -0800 (PST) Received: from relay1.UU.NET (relay1.UU.NET [192.48.96.5]) by honor.greatcircle.com (8.8.5/Honor-980201-1) with ESMTP id PAA18643 for ; Mon, 2 Feb 1998 15:42:35 -0800 (PST) Received: from cwiz.com by relay1.UU.NET with SMTP (peer crosschecked as: [208.210.163.10]) id QQebbb16308; Mon, 2 Feb 1998 18:47:45 -0500 (EST) Received: by cwiz.com (SMI-8.6/SMI-SVR4) id RAA08576; Mon, 2 Feb 1998 17:49:20 -0600 Date: Mon, 2 Feb 1998 17:49:20 -0600 From: mdb@dosmanos.cwiz.com (Martin D.
Baldenegro) Message-Id: <199802022349.RAA08576@cwiz.com> To: ppmorris@syr.edu Subject: Re: Checkpoint Var in Central New York Cc: Firewalls@GreatCircle.COM X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Peter, Try Michele Harrington (michh@qualix.com) with Qualix Group, Inc. 650-638-4162 ------------------------------------------ Martin D. Baldenegro Qualix Group, Inc. Manager - Global Support Engineering Team Manager - Qualix Technology Training Phone - (972)355-5159 Email - mdb@qualix.COM For Qualix Technology Training please see: URL - http://www.cwiz.com/training.html ------------------------------------------ From firewalls-owner Mon Feb 2 16:07:32 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA20012; Mon, 2 Feb 1998 15:49:27 -0800 (PST) Received: from mercury.imx-exchange.com (mercury.imx-exchange.com [207.82.224.3]) by honor.greatcircle.com (8.8.5/Honor-980201-1) with ESMTP id PAA19994 for ; Mon, 2 Feb 1998 15:49:20 -0800 (PST) Received: from dsween.imx-exchange.com by mercury.imx-exchange.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.0.1458.49) id 1BDMG9DW; Mon, 2 Feb 1998 15:56:25 -0800 Message-ID: <001301bd3035$e79f0400$67c9bdce@dsween.imx-exchange.com> Reply-To: "Dan Sween" From: "Dan Sween" To: , "Mike Scott" , "Chris Kostick" Cc: "James Terry" Subject: Re: MS Proxy Server 2.0 Date: Mon, 2 Feb 1998 15:54:31 -0800 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.2106.4 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk MS proxy server certainly does not work with pptp .. you cannot get MS proxy to know anything about the GRE protocol.. microsoft will confirm this.. 
(I tried to get this to work and moved on to NAT1000 at http://www.nevod.com -- removing proxy server altogether). Proxy is not an 'industry-strength' firewall. Use FW-1 or something else. (And not Netscape's proxy solution either.) dan -----Original Message----- From: Chris Kostick To: Mike Scott ; firewalls@GreatCircle.COM Date: Sunday, February 01, 1998 12:12 PM Subject: Re: MS Proxy Server 2.0 >I'd be interested to hear any comments or experiences of those of you >who have implemented MS Proxy 2.0 as a firewall solution. The MS blurb >claims this is a firewall, but how does this compare to a 'real' >firewall like Eagle or FW-1. These are expensive in comparison so what >extra would I get for the money? We are looking at putting in a firewall >at the moment, and will have a WWW proxy behind it for caching anyway, >but what extra will an extra device give me. Myself and a coworker (Teresa Fishburn) just finished an article that was published in NT Systems magazine about the security of MSP 2.0. The basic conclusions that we came up with are: Conclusions Microsoft’s Proxy Server 2.0 is being advertised as having “firewall-class” security functionality and it does represent a significant improvement over version 1.0 in this area. In this article we looked at many of the new security features of Proxy Server 2.0 and while it has firewall-like capabilities, it still has a little maturing to do before it can be compared to today’s commercial firewall products. The main areas needing improvement are:
a. It is primarily for outgoing, internal authentication of communications. A firewall should be capable of performing strong authentication internally or externally with a variety of mechanisms such as one-time passwords or token cards;
b. Client-side modification is required for transparency and that is only available for Windows-based clients;
c. When inbound traffic is allowed, reliance for all security is placed on the end applications. This is because even though it is proxy-based, it still functions as a circuit-level relay proxy; and
d. The alerting and reporting functions are still weak.
If Microsoft hopes to push Proxy Server 2.0 as a firewall solution, then improvements in the above are necessary. Additional firewall technologies would also have to be considered such as VPN support (other than just PPTP) and content filtering. Proxy Server 2.0 does have many features that are perfect for small environments that want to be connected to the Internet and are not looking to offer many services to external users. Configured correctly it can be very secure and well hidden. Out of that list my biggest complaint is the lack of transparency. Clients are either Windows-based with the MSP client software added, or SOCKS-based for UNIX hosts. I like the idea of total transparency without modification to the end systems in a firewall product. --chris From firewalls-owner Mon Feb 2 16:22:24 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id QAA25172; Mon, 2 Feb 1998 16:14:32 -0800 (PST) Received: from norwich.valley.net (norwich.valley.net [198.115.160.12]) by honor.greatcircle.com (8.8.5/Honor-980201-1) with ESMTP id QAA25155 for ; Mon, 2 Feb 1998 16:14:26 -0800 (PST) Received: from lyme.VALLEY.NET (lyme [198.115.160.11]) by norwich.valley.net (8.8.5/8.8.5) with SMTP id TAA10337 for ; Mon, 2 Feb 1998 19:18:55 -0500 Received: by lyme.VALLEY.NET (blitz.valley.net) via SMTP from v2-p-117.valley.net for Firewalls@GreatCircle.com id <2116313> 02 Feb 98 19:23:46 EST X-Sender: randy.witlicki@pop.valley.net Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Mon, 2 Feb 1998 19:20:57 -0500 To: Firewalls@GreatCircle.com From: "Randy.Witlicki." Subject: Inter-vendor LAN-to-LAN VPN connectivity? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello, What's the current state of inter-vendor VPN tunnel connectivity?
Can a VPN originating at a Firewall-1, or a PIX, or an Eagle Raptor, or a Gauntlet firewall communicate via an encrypted LAN to LAN link to a different vendor's firewall and hence to the destination LAN inside the distant firewall? I know that "It should happen when IPSec happens", but what about today? Thanks for any advice and help. - Randy - From firewalls-owner Mon Feb 2 17:23:05 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA07874; Mon, 2 Feb 1998 14:40:26 -0800 (PST) Received: from relay1.shore.net (relay1.shore.net [192.233.85.129]) by honor.greatcircle.com (8.8.5/Honor-980201-1) with ESMTP id OAA07671 for ; Mon, 2 Feb 1998 14:39:27 -0800 (PST) Received: from [198.115.179.81] (vin.shore.net [198.115.179.81]) by relay1.shore.net (8.8.7/8.8.7) with ESMTP id RAA23176; Mon, 2 Feb 1998 17:43:31 -0500 (EST) Message-Id: In-Reply-To: <4125659F.0035A49B.00@mail.gecits-eu.com> Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Date: Mon, 2 Feb 1998 17:34:55 -0500 To: Manuel.Gil@gecits-eu.com From: Vin McLellan Subject: Re: WEB Authentication Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >Hi all: > >I am looking for a tool to authenticate the clients over several WEB >servers in a centralized way. The problem is that all the tools that I had >found need software installed in the WEB servers (Security Dynamics, >RAPTOR Axcess, etc...) and in most cases in the client too. > >Does anybody know a product that doesn't need software either in the WEB >server or in the client? That is, something that works using X.509 certificates >or similar. ¡Hola Manuel! Most web servers can use SSL, with X509 certificates, to verify the identity of a webserver _and_ the identity of the user -- or at least the user's PC or workstation, with an optional client-side cert.
You'd need to either issue certificates from your own CA, or get both server and client certs from EuroSign or COST or one of the big American or Canadian PKI certificate vendors. [This becomes more reasonable for non-Yanks now that Farrell McKay's freeware Fortify is available to upgrade Netscape browsers to strong crypto (DES, 3DES, and 128-bit RC2 or RC4) for SSL. See: http://www.fortify.net .] [Bulletin: Informed pro-crypto activists now suggest that exploit code to upgrade Netscape's 4.X Messenger -- to make all the S/MIME options Americans enjoy (including DES, 3DES, and 64-bit and 128-bit RC2) available to secure the international browser's e-mail -- will be available on the Net in the near future. No word of similar hacks to upgrade S/MIME in IE or other clients. End of the World! Stay tuned: Film at 11!!] There are several approaches which can allow you to "authenticate the clients over several web servers," although they vary with different servers, and perhaps even with different server certificates. (There are also a lot of options for "centralized control" -- a buzz-word with a lot of different meanings.) When setting up a secure connection in SSL, many SSL clients, including Netscape, seem to check the common name of the certificate against the name of the webserver in the URL. If it doesn't match, the browser warns the user and things get confusing. This is why the preferred format for the "common name" of an SSL server is a simple DNS name like "www.widgets.com". To support multiple servers, you can use a round-robin DNS to send each request to a different IP address. Netscape, at least, doesn't check to see that the IP address matches the original domain name, so this should work. For other options, check out the WWW FAQs for info on browser or client authentication. For more sensitive material, of course, you should consider stronger (two-factor) user authentication with a user-held smartcard or token.
Anything to get the PK keys and certs off that desktop and into the user's pocket or purse! Suerte, _Vin > >Manuel Gil >GE Capital IT Solutions , S.L. >System Engineering >Edif. Torre Serrano >C./ Serrano 47, Madrid 28001, Spain >Phone: +34 1 4368839/00, Fax: +34 1 5769883, Mobile: 909 457616 >Internet: Manuel.Gil@GECITS-EU.COM ---------- "Cryptography is like literacy in the Dark Ages. Infinitely potent, for good and ill... yet basically an intellectual construct, an idea, which by its nature will resist efforts to restrict it to bureaucrats and others who deem only themselves worthy of such Privilege." _ A thinking man's Creed for Crypto/ vbm. * Vin McLellan + The Privacy Guild + * 53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548 From firewalls-owner Mon Feb 2 19:12:26 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id SAA27927; Mon, 2 Feb 1998 18:47:23 -0800 (PST) Received: from ns.woolworths.com.au (ns.woolworths.com.au [203.26.178.140]) by honor.greatcircle.com (8.8.5/Honor-980201-1) with ESMTP id RAA10538 for ; Mon, 2 Feb 1998 17:27:31 -0800 (PST) From: ftorabi@woolworths.com.au Received: by ns.woolworths.com.au; id LAA21871; Tue, 3 Feb 1998 11:50:45 +1100 (EST) Received: from nmisdcgfcs003.nsw.woolworths.com.au(191.4.210.203) by pdcfire1.woolworths.com.au via smap (3.2) id xma021865; Tue, 3 Feb 98 11:50:36 +1100 Received: by nmisdcgfcs003.nsw.woolworths.com.au with Internet Mail Service (5.0.1458.49) id ; Tue, 3 Feb 1998 12:29:30 +1100 Message-ID: To: firewalls@GreatCircle.COM Subject: MS Proxy 2.0 and Netscape Date: Tue, 3 Feb 1998 12:30:05 +1100 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.49) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Yes I had the same bloody problem. You should try to go to the IIS security and play with the Anonymous-cleartext-nt challenge/response to set up your web security for non-windows workstations. 
MS proxy might have a few bugs in it when accessing secure sites so you may need to talk to Microsoft.

----------------------------------------------- TO : FIREWALLS FROM: Schmidt, Brian/BRS REFN: MHS29058 98.02.02 22:59 CET MS Proxy 2.0 and Netscape

Hi all. I need to hear if anybody has any knowledge about running Netscape clients against a MS Proxy server 2.0. I keep getting access denied when prompted for logon password. Thanks in advance Brian

From firewalls-owner Mon Feb 2 19:57:16 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id SAA28326; Mon, 2 Feb 1998 18:49:29 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-980201-1) with ESMTP id SAA24987 for ; Mon, 2 Feb 1998 18:35:20 -0800 (PST) Received: from a4000.rapid.net by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id SAA13316; Mon, 2 Feb 1998 18:29:00 -0800 (PST) Received: from a2000 (a2000.rapid.net [38.178.148.4]) by a4000.rapid.net (8.8.5/RAPID.NET-8.8.5) with SMTP id VAA19434 for ; Mon, 2 Feb 1998 21:30:18 -0500 (EST) Message-Id: <3.0.5.32.19980202213921.03b9f590@rapid.net> X-Sender: rick@rapid.net X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Mon, 02 Feb 1998 21:39:21 -0500 To: firewalls@GreatCircle.COM From: Rick Hardy Subject: Encryption Domains.... Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hello, I have a question concerning the way encryption domains work and what modules are required to do an encryption domain. First, I have a situation where two firewalls (1st is Enterprise version, with DES running under Solaris 2.51 FW-1 ver 30b, 2nd is Firewall Module with DES) are being used as gateways to the same hosts. One has access via RAS (straight dialup, then authenticates to FW via SecureRemote; this works since the GW is the Enterprise FW), the other has access via the Internet.
Here is my problem, I get an error saying 'Overlapping Encryption Domain'... To solve this issue, can I use NAT? (I know, not a perfect solution but it should work!) My second issue has me perplexed! When I try to authenticate to the FW-1 box with ONLY the FW-1 Firewall Module and DES encryption, I get an error saying that it is NOT a Certificate Authority, and to check with my Sys Admin if the FW Gateway is a Control Module! Huh??? Does a Firewall-1 Gateway NEED to be a control module to authenticate via Secure Remote?? I didn't think so, and I've looked at all the docs..... Anyone have any ideas on either of these?!!? Thanks in advance! --=Rick=--

From firewalls-owner Mon Feb 2 21:00:40 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id UAA25211; Mon, 2 Feb 1998 20:25:49 -0800 (PST) Received: from portal.east.saic.com (portal.east.saic.com [198.151.13.15]) by honor.greatcircle.com (8.8.5/Honor-980201-1) with SMTP id UAA25102 for ; Mon, 2 Feb 1998 20:25:27 -0800 (PST) Received: from mclmx.mail.saic.com by portal.east.saic.com via smtpd (for honor.greatcircle.com [198.102.244.44]) with SMTP; 3 Feb 1998 04:30:42 UT Received: from mcl-its-exbh01.mail.saic.com by mclmx.mail.saic.com; Mon, 2 Feb 98 23:30:41 -0500 Received: by mcl-its-exbh01.mail.saic.com with Internet Mail Service (5.0.1458.49) id ; Mon, 2 Feb 1998 23:27:34 -0500 Message-ID: <11DEBAD8FCE0D01186FF0000F8052A01C7DFD4@net_sol_ex01.netsol.com> From: "Crowe, Peter" To: "'ftorabi@woolworths.com.au'" , firewalls@GreatCircle.COM Subject: RE: MS Proxy 2.0 and Netscape Date: Mon, 2 Feb 1998 23:31:01 -0500 X-Priority: 3 X-Mailer: Internet Mail Service (5.0.1458.49) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Make sure you check both your sharing permissions and folder\file permissions (if running NTFS). I've also had the same problem but only got it working properly with either 1) using Explorer 2) implementing the above.
Cheers Peter

> -----Original Message-----
> From: ftorabi@woolworths.com.au [SMTP:ftorabi@woolworths.com.au]
> Sent: Monday, February 02, 1998 8:30 PM
> To: firewalls@GreatCircle.COM
> Subject: MS Proxy 2.0 and Netscape
>
> Yes I had the same bloody problem.
> You should try to go to the IIS security and play with the
> Anonymous-cleartext-nt challenge/response to set up your web security
> for non-windows workstations.
> MS proxy might have a few bugs in it when accessing secure sites so
> you may need to talk to Microsoft.
>
> -----------------------------------------------
> TO : FIREWALLS
> FROM: Schmidt, Brian/BRS
>
> REFN: MHS29058 98.02.02 22:59 CET
>
> MS Proxy 2.0 and Netscape
> Hi all.
>
> I need to hear if anybody has any knowledge about running Netscape
> clients against a MS Proxy server 2.0.
>
> I keep getting access denied, when prompted for logon password.
>
> Thanks in advance
> Brian

From firewalls-owner Mon Feb 2 21:07:48 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id TAA06218; Mon, 2 Feb 1998 19:23:30 -0800 (PST) Received: from bast.livingston.com (bast.livingston.com [149.198.247.2]) by honor.greatcircle.com (8.8.5/Honor-980201-1) with ESMTP id TAA06003 for ; Mon, 2 Feb 1998 19:22:51 -0800 (PST) Received: from server.livingston.com (server.livingston.com [149.198.1.70]) by bast.livingston.com (8.8.5/8.6.9) with ESMTP id TAA23237 for ; Mon, 2 Feb 1998 19:21:55 -0800 (PST) Received: from tmpbeta.livingston.com ([149.198.65.50]) by server.livingston.com (8.8.5/8.6.9) with SMTP id TAA03829 for ; Mon, 2 Feb 1998 19:27:27 -0800 (PST) Received: from localhost by tmpbeta.livingston.com (SMI-8.6/SMI-SVR4) id TAA14121; Mon, 2 Feb 1998 19:26:13 -0800 Date: Mon, 2 Feb 1998 19:26:12 -0800 (PST) From: Josh Richards X-Sender: jrichard@tmpbeta To: Firewalls@GreatCircle.COM Subject: Re: Inter-vendor LAN-to-LAN VPN connectivity?
In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Mon, 2 Feb 1998, Randy.Witlicki. wrote:
> Hello,
>
> What's the current state of inter-vendor VPN tunnel connectivity?
> Can a VPN originating at a Firewall-1, or a PIX, or an Eagle Raptor,
> or a Gauntlet firewall communicate via an encrypted LAN to LAN link to a
> different vendor's firewall and hence to the destination LAN inside the
> distant firewall ?
> I know that "It should happen when IPSec happens", but what about
> today ?
>
> Thanks for any advice and help.
>

This is somewhat dependent on the vendor and which RFCs/Drafts they are reading as they write their code.. Attempts are being made to get interop testing coordinated through various "get togethers" and whatnot among the different vendors.. The main issues causing incompatibility are:

1. Key negotiation (ISAKMP/Oakley/SKIP/etc.)
2. Supported payload encryption protocols (ESP being: DES, 3DES, Blowfish, etc.)
3. Key sizes (i.e. think U.S. Export..)
4. Various protocol extensions (i.e. payload compression)

There is of course PPTP and L2TP to consider also..

---- Josh Richards - - [Beta Engineer] LUCENT Technologies - Remote Access Business Unit (formerly Livingston Enterprises, Inc.)
http://www.livingston.com/ From firewalls-owner Mon Feb 2 21:51:46 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA13716; Mon, 2 Feb 1998 15:10:15 -0800 (PST) Received: from dragon.ender.com (dragon.ender.com [206.79.254.229]) by honor.greatcircle.com (8.8.5/Honor-980201-1) with ESMTP id PAA13684 for ; Mon, 2 Feb 1998 15:10:04 -0800 (PST) Received: from localhost (matt@localhost) by dragon.ender.com (8.8.6/8.8.5) with SMTP id QAA00696; Mon, 2 Feb 1998 16:20:29 -0800 Date: Mon, 2 Feb 1998 16:20:28 -0800 (PST) From: Matt Wallace To: Bill Gray cc: firewalls-digest@GreatCircle.COM Subject: Re: Firewall Reporting Software In-Reply-To: <34D6001A.8F38227F@inel.gov> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Mon, 2 Feb 1998, Bill Gray wrote: > I have developed some stuff in-house that, in a very simple-minded way, > does the following: > > - Packages Firewall-1 logs into daily (24 hr, midnite to midnite) > chunks; > > - Off-loads these chunks to a configurable destination host; > > - Provides simple web-based search access to these logs on the > destination host; > > - Does some other log management (automatic switching, archiving). > > Almost all of it is sh(1). This stuff is not cleanly packaged, but if > there is any interest I might be persuaded to bottle it. > -- We actually developed something very similar in-house, including real-time logfile streaming to a central host (encrypted), switching of configurations (for true enterprise management, where you can have fully distinct sets of entities, and not just different rulesets), monitoring with automatic down notification, and some other functions, including a rule-base export-to-plaintext script. 
99% of this was done with shell scripts, barring a bit of code on the firewall side to send the UDP datagrams with the logfiles (we decided that the loss-rate of UDP was acceptable for logs). I think it's sad that so much functionality is missing from FW-1, but so it goes. -Matt

From firewalls-owner Mon Feb 2 21:51:52 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA09898; Mon, 2 Feb 1998 14:50:50 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-980201-1) with ESMTP id NAA19330 for ; Mon, 2 Feb 1998 13:35:14 -0800 (PST) Received: from helium.tip.nl by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id MAA09045; Mon, 2 Feb 1998 12:44:42 -0800 (PST) Received: from memo.home.nl by helium.tip.nl with smtp (Smail3.2 #23) id m0xzSmF-001YvTC; Mon, 2 Feb 1998 21:47:35 +0100 (MET) From: "Rodney van den Oever" To: Subject: Re: smurf attach Date: Mon, 2 Feb 1998 21:30:19 +0100 Message-ID: <01bd3019$611c4440$0c00000a@memo.home.nl> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.71.1712.3 X-MimeOLE: Produced By Microsoft MimeOLE V4.71.1712.3 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>Date: Sun, 01 Feb 1998 20:59:57 -0700
>From: Rick Osteen
>Subject: smurf attach
>Sorry for the ignorance, but what is a "Smurf Attack"?
>Thanks for any insight,
>Rick Osteen

A smurf is a small bluish creature wearing a white hat and trousers. As far as I know it's only spotted in Holland, Belgium and maybe France. Be gentle with them for they are a species going extinct. If you suddenly see them in large quantities, you can be sure an attack is at hand! (Sorry, just couldn't resist :-)

Rodney van den Oever / roever@nse.simac.nl / +31 71 3670838 'No matter where you go, there you are.'
- From a plaque on the starship Excelsior, in Star Trek VI: The Undiscovered Country From firewalls-owner Mon Feb 2 21:51:12 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id UAA24860; Mon, 2 Feb 1998 20:23:54 -0800 (PST) Received: from c00957-100lez.eos.ncsu.edu (c00957-100lez.eos.ncsu.edu [152.1.26.77]) by honor.greatcircle.com (8.8.5/Honor-980201-1) with ESMTP id UAA24823 for ; Mon, 2 Feb 1998 20:23:44 -0800 (PST) Received: from localhost (jkwilli2@localhost) by c00957-100lez.eos.ncsu.edu (8.8.4/UC02Jan97) with SMTP id XAA12847; Mon, 2 Feb 1998 23:28:51 -0500 (EST) X-Authentication-Warning: c00957-100lez.eos.ncsu.edu: jkwilli2 owned process doing -bs Date: Mon, 2 Feb 1998 23:28:50 -0500 (EST) From: Ken Williams X-Sender: jkwilli2@c00957-100lez.eos.ncsu.edu To: Dave Innes cc: firewalls@GreatCircle.COM Subject: Re: confidentiality agreement In-Reply-To: <01bd3031$67e789c0$3cc8010a@innesdave> Message-ID: X-Copyright: The contents of this message may not be reproduced in any form X-Copyright: (including Commercial use) unless specific permission is granted X-Copyright: by the author of the message. All requests must be in writing. X-Disclaimer: The contents of this email are for educational purposes only X-Disclaimer: and do not reflect the thoughts or opinions of either myself X-Disclaimer: or my employer and are not endorsed by sponsored by or provided X-Disclaimer: on behalf of North Carolina State University. 
MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Mon, 2 Feb 1998, Dave Innes wrote: >Does someone have or could point me to a confidentiality agreement one would have >consultants or 3rd party firewall testing companies sign, to management a >somewhat of a comfortable feeling...thanks > contact either Charles Palmer of the Global Security Analysis Laboratory of IBM Research, or visit the Rhino9 Security Research Team's website at http://www.rhino9.org/ and contact them. both of these two organisations are very familiar with the "Get Out of Jail Free" contracts commonly used for 3rd party remote or full network audits. hope this helps, TATTOOMAN /-=-=-=-=-=-=-=-=-=-=-=-[ TATTOOMAN ]-=-=-=-=-=-=-=-=-=-=-=-\ | NC State Computer Science Dept VP of The E. H. A. P. Corp. | | jkwilli2@adm.csc.ncsu.edu http://www.hackers.com/ehap/ | | jkwilli2@unity.ncsu.edu ehap@hackers.com | | WWW---[ http://152.7.11.38/~tattooman/ | | FTP---[ ftp://152.7.11.38/pub/personal/tattooman/ | | WW2---[ http://www4.ncsu.edu/~jkwilli2/ | | W3B---[ http://152.7.11.38/~tattooman/w3board/ | | PGP---[ http://www4.ncsu.edu/~jkwilli2/pgp.asc | | 35 E1 32 C7 C9 EF A0 AB 9D FE 8E FC 2D 68 55 44 | \-=-=-=-=-=-=-[ http://152.7.11.38/~tattooman/ ]-=-=-=-=-=-=-/ From firewalls-owner Mon Feb 2 21:51:55 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA25857; Mon, 2 Feb 1998 09:27:47 -0800 (PST) Received: from x400gtw.pararede.pt (x400gtw.pararede.pt [194.79.64.130]) by honor.greatcircle.com (8.8.5/Honor-980201-1) with SMTP id JAA25664 for ; Mon, 2 Feb 1998 09:26:48 -0800 (PST) From: manuel.ricca@pararede.pt Received: by x400gtw.pararede.pt (8.6.8.1/1.2-eef) id RAA12023; Mon, 2 Feb 1998 17:32:43 GMT X400-Received: by /PRMD=pararede/ADMD=ip/C=pt; Relayed; 02 Feb 98 17:32:35 +0000 Date: 02 Feb 98 17:32:35 +0000 Delivery-Date: 02 Feb 98 17:32:43 +0000 Message-Type: Multiple Part X400-Originator: 
manuel.ricca@pararede.pt X400-MTS-Identifier: [/PRMD=pararede/ADMD=ip/C=pt;ISOCOR-34cacc57-Tubarao] X400-Recipients: firewalls@GreatCircle.com Original-Encoded-Information-Types: IA5-Text X400-Content-Type: P2-1984 Message-ID: Importance: normal Subject: RE: Firewall-1 and NAT. Please help! Autoforwarded: FALSE To: firewalls@GreatCircle.com (Non Receipt Notification Requested) Conversion: Allowed Conversion-With-Loss: Allowed Alternate-Recipient: Prohibited Content-Identifier: RE: Firewall-1 a Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7Bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

No, the arp was working fine. The problem was that I didn't have a hosts file defined for FW-1. It sounds stupid enough, but it does say in the manual that you have to do it. Thanks, manuel

---------- From: cbrenton@sover.net [SMTP:cbrenton@sover.net] Sent: Wednesday, 28 January 1998 4:30 To: manuel ricca Cc: firewalls@GreatCircle.COM Subject: Re: Firewall-1 and NAT. Please help!

manuel.ricca@pararede.pt wrote:
> Created the file local.arp at c:\winnt\fw\bin with the line
> .
>
> Now, I'm sitting at a machine on the external net (just a net, no router yet) and
> desperately running ping.
> I can reach the real IP (192.168...), which I suppose is OK.
> I cannot reach the machine with the fake IP.

From experience, this does not work on NT. Sun gives you a -P (for publish) option when creating ARP cache entries which allows the machine to reply to ARP requests for other IP addresses. I think Checkpoint was *hoping* that the local.arp file would work the same way, which it does not. Instead, create an ARP entry on any hosts on the external side of your firewall (your test machine and the router when it arrives) that uses the legal translated address and the firewall's MAC.
Cheers, Chris -- ************************************** cbrenton@sover.net Multiprotocol Network Design & Troubleshooting http://www.amazon.com/exec/obidos/ISBN=0782120822/0740-8883012-887529 Support the anti-spam movement: http://www.cauce.org/

From firewalls-owner Mon Feb 2 22:33:13 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA05291; Mon, 2 Feb 1998 07:51:30 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-980201-1) with ESMTP id HAA05136 for ; Mon, 2 Feb 1998 07:50:55 -0800 (PST) Received: from mast.webhooks.com by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id HAA05706; Mon, 2 Feb 1998 07:53:32 -0800 (PST) Received: from DannyGumport.com ([166.55.67.226]) by mast.webhooks.com (Post.Office MTA v3.1.2 release (PO203-101c) ID# 554-33936U100L100S0) with ESMTP id AAA26542; Mon, 2 Feb 1998 10:52:35 -0500 Message-ID: <34D5EB65.24904137@DannyGumport.com> Date: Mon, 02 Feb 1998 10:51:01 -0500 From: dgumport@dannygumport.com (Danny Gumport) Organization: dgDOTcom X-Mailer: Mozilla 4.04 [en] (Win95; U) MIME-Version: 1.0 To: winspace@atinet.com.au CC: Firewalls@GreatCircle.COM Subject: Re: [NTSEC] Transplant passwords from UNIX to NT References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

You also might want to talk to people at Transarc if you are using DCE. A large Wall Street firm had Transarc build a new GINA that integrates with DCE without using any NT domain servers. All user profiles/prefs are stored in DFS space and are accessible from anywhere on the net. Very cool.
-Danny G

Norman Widders wrote:
>
> On Sun, 1 Feb 1998 23:27:44 -0500 (EST)
> Ken Williams wrote:
>
> Anybody interested in integrating Unix and NT authentication might be
> interested in the work done on GINA
>
> Nigel Williams NISGINA http://www.dcs.qmw.ac.uk/~williams/
>
> Doug's GINA http://www.arch.usyd.edu.au/~doug/gina.html
>
> Kerberos plus GINA (KerbNet)
> http://www.lanl.gov/divisions/cic/ComputingAtLANL/services/kerberos/kerbnet-1.2-docs/install.html
>
> > >>We have a SUN/UNIX system for student use where students have assigned user
> > >>IDs and private passwords. We also have an NT system using same user IDs
> > >>but different passwords. What is the best way to replace the current NT
> > >>passwords with the UNIX passwords? Preferably this could be automated and
> > >>done over the network, but I doubt it's possible. Is manually entering new
> > >>passwords the only way?
> > >>
> > >>Thanks for the help,
> > >>Gene Miller
> > >>gmiller@tir.com
> > >>
> >
> > Same deal here at NCSU. We are handling it by using Kerberos and NDS, and
> > NOT using NT domains.
> >
> > Ken Williams
>
> --
> where's my valium?
-- ________________________________________________________________________ Danny Gumport Phone: (212) 593-0689 mailto:Me@DannyGumport.com Fax: (212) 832-7502 http://WWW.DannyGumport.com From firewalls-owner Mon Feb 2 22:33:18 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA03726; Mon, 2 Feb 1998 09:59:27 -0800 (PST) Received: from luomat.peak.org (cc344191-a.ewndsr1.nj.home.com [24.2.83.40]) by honor.greatcircle.com (8.8.5/Honor-980201-1) with ESMTP id JAA03403 for ; Mon, 2 Feb 1998 09:58:29 -0800 (PST) Received: (from luomat@localhost) by luomat.peak.org (8.8.8/8.8.8) id NAA22703; Mon, 2 Feb 1998 13:03:31 -0500 (GMT-0500) Message-Id: <199802021803.NAA22703@luomat.peak.org> Content-Type: text/plain MIME-Version: 1.0 (NeXT Mail 4.1mach v148) X-Image-URL: http://www.peak.org/~luomat/next/luomat@peak.org.tiff In-Reply-To: <3.0.3.32.19980202154747.00850550@mailhost.area013.be> X-Nextstep-Mailer: Mail 4.1mach (Enhance 2.1) Received: by NeXT.Mailer (1.148.RR) From: Timothy J Luoma Date: Mon, 2 Feb 98 13:03:26 -0500 To: Geert Surkijn Subject: Re: Wrong addres !!! Please change... cc: firewalls@GreatCircle.COM References: <3.0.3.32.19980202154747.00850550@mailhost.area013.be> X-Image-URL-Disclaimer: hey, it's off my student ID, gimme a break ;-) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Author: Geert Surkijn Original-Date: Mon, 02 Feb 1998 15:47:47 +0100 Message-ID: <3.0.3.32.19980202154747.00850550@mailhost.area013.be> > You're trying to send mail to an account at our mailserver. > > mal240@herk.area013.be > > please change this into : mal240@area013.be and nothing else please... Geert This is something you will have to do yourself. Unsubscribe the wrong address (send a message 'unsubscribe' in the BODY of the message not the Subject to majordomo@greatcircle.com) and then subscribe the correct address. Make sure you KEEP the confirmation message which tells you how to unsubscribe. 
TjL ( posted to the list to try and avoid a major flame war tangent )

From firewalls-owner Mon Feb 2 22:33:30 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA28919; Mon, 2 Feb 1998 14:08:01 -0800 (PST) Received: from mail3.bellglobal.com ([198.235.216.132]) by honor.greatcircle.com (8.8.5/Honor-980201-1) with ESMTP id OAA28808 for ; Mon, 2 Feb 1998 14:07:39 -0800 (PST) Received: from innesdave ([204.191.150.58]) by mail3.bellglobal.com (Netscape Mail Server v2.02) with ESMTP id AAA1711 for ; Mon, 2 Feb 1998 17:12:44 -0500 From: dainnes@royal-canada.com (Dave Innes) To: Subject: confidentiality agreement Date: Mon, 2 Feb 1998 17:22:18 -0600 Message-ID: <01bd3031$67e789c0$3cc8010a@innesdave> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0011_01BD2FFF.1D4D19C0" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.71.1712.3 X-MimeOLE: Produced By Microsoft MimeOLE V4.71.1712.3 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Does someone have, or could point me to, a confidentiality agreement one would have consultants or 3rd party firewall testing companies sign, to give management a somewhat comfortable feeling... thanks
From firewalls-owner Mon Feb 2 22:36:41 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA08079; Mon, 2 Feb 1998 14:41:41 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-980201-1) with ESMTP id OAA07975 for ; Mon, 2 Feb 1998 14:41:15 -0800 (PST) Received: from gateway-out.corp.usweb.com by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id OAA09863; Mon, 2 Feb 1998 14:44:25 -0800 (PST) Received: by gateway-out.corp.usweb.com; id OAA27395; Mon, 2 Feb 1998 14:38:39 -0800 Received: from mailhub.corp.usweb.com(172.16.51.4) by gateway-out.corp.usweb.com via smap (V3.1.1) id xma027392; Mon, 2 Feb 98 14:38:38 -0800 Received: by mailhub.corp.usweb.com with Internet Mail Service (5.0.1458.49) id ; Mon, 2 Feb 1998 14:45:45 -0800 Message-ID: <365DC84A57F3D01187E700805FC19048836857@mailhub.corp.usweb.com> From: Daniel Todd To: "'firewalls@greatcircle.com'" Subject: RE: setting up a bastion host on a linux system Date: Mon, 2 Feb 1998 14:45:42 -0800 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.49) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I've done this in the past by doing a full install with 2 disks, moving what you don't want on the running system to the secondary disk and then removing that disk when the machine goes into production. You can always recompile the kernel, add patches, update etc. by plugging in and mounting the secondary disk. Alternatively you can have multiple machines similarly configured and do all the compiling on a "development" machine and then distribute the new binaries.
cheers, dan

> -----Original Message-----
> From: Henry Hollenberg [mailto:speed@barney.iamerica.net]
> Sent: Sunday, February 01, 1998 7:40 PM
> To: Firewalls@GreatCircle.COM
> Subject: Re: setting up a bastion host on a linux system
>
> >Vince Doss wrote:
> >
> >Perhaps this may be too obvious, however the setup for RedHat 4.2
> >prompts you for which packages you want to install. It allows you a
> >bit of latitude in your choices i.e. gcc, X, compiler, emacs...etc.
> >If you do not select these packages then they will not be installed.
> >I can not comment on any other distributions, but would assume there
> >are similarities.
>
> That's sort of what I was planning on doing....I'm going to try using
> Debian....I've just sorted thru all the packages it installed in one
> of the default modes and I think I'll try to figure out a way to pass
> it a custom list of packages I want installed....then install the
> firewall services....then see if it can't be stripped down a little
> more.
>
> Thanks for the reply
>
> Henry Hollenberg
> speed@barney.iamerica.net

From firewalls-owner Mon Feb 2 22:44:19 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA14027; Mon, 2 Feb 1998 10:41:09 -0800 (PST) Received: from main.geminisecure.com (main.geminisecure.com [205.179.16.1]) by honor.greatcircle.com (8.8.5/Honor-980201-1) with SMTP id KAA13995 for ; Mon, 2 Feb 1998 10:41:00 -0800 (PST) Received: (from leonard@localhost) by main.geminisecure.com (8.6.9/8.6.9) id KAA00320; Mon, 2 Feb 1998 10:37:47 -0800 Date: Mon, 2 Feb 1998 10:37:46 -0800 (PST) From: Leonard Miyata To: "Elfed T.
Weaver" cc: firewalls@GreatCircle.COM Subject: Re: Differences In-Reply-To: <199801281342.FAA03744@honor.greatcircle.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

You are indeed correct in pointing out that IPSEC with ISAKMP key exchange is mandatory for IPv6 with SKIP being optional. To make a decision on their use in a VPN network, you must know something about the strengths of each protocol.

SKIP is indeed a superset of IPSEC but not of ISAKMP. Behind each SKIP header, there is indeed an AH and/or ESP packet payload. The SKIP header contains the encryption/authentication keys for the IPSEC payload, encrypted in the shared secret derived from pre-distributed Diffie-Hellman values. IPSEC with ISAKMP uses the application layer ISAKMP daemon to negotiate one time encryption/authentication keys for use in a Security Association of finite life.

Since the SKIP shared secrets are pre-distributed, there is no handshaking overhead to establish an encrypted connection. To require an ISAKMP handshake just to deliver a single UDP packet..... On the other hand, SKIP X.509 signed identities have a lifetime of months to years, compared to ISAKMP Security Association lifetime of hours to days, which makes ISAKMP less prone to brute force key attacks (that is assuming you don't trust the statement that the small size of the encrypted keys in the SKIP header is too small to provide useful information to crack the shared secret. That's the SKIP assumption).

IMHO, both SKIP and ISAKMP share a common weakness. Peer to peer key exchange cannot be trusted unless ownership of the key can be verified by some other means (Web of trust, digital signature of a X.509 CA, KERBEROS ticket etc). This still boils down to the fact that SKIP, ISAKMP, and other peer to peer protocols are only COMPONENTS of a VPN.
Implied requirements (X.509 hierarchy, PF_KEY application support, etc) must be taken into account when designing a VPN.

Personal Opinions provided by Leonard Miyata aka leonard@geminisecure.com Gemini Computers Inc.

On Wed, 28 Jan 1998, Elfed T. Weaver wrote:
>
> Superset ?
>
> SKIP was a key management protocol (IKMP) proposed for use
> with the IPSec protocols. In its basic form it is quite simple
> although not very flexible. To achieve the flexibility required by
> the IETF Working Group (WG) responsible for developing the IKMP, SKIP's
> developers (Sun) defined a number of add-on protocols; this resulted
> in a complex suite of protocols.
>
> Consequently, the key management protocol mandated for use with IPv6
> by the IETF IPSec WG is ISAKMP (Internet Security Association and Key
> Management Protocol). This protocol, in its native form, provides
> both the flexibility and forward migration path (to enable new key
> exchanges to be integrated as and when they are developed) required
> by the IPSec WG.
>
> Note: both IPSec and ISAKMP can be used over IPv4 based networks; in
> fact, the majority of implementations currently available are for
> IPv4.
> > for more details see www.ietf.org/ids.by.wg/ipsec.html > > > From firewalls-owner Mon Feb 2 22:44:33 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA23525; Mon, 2 Feb 1998 09:15:21 -0800 (PST) Received: from eloi.inel.gov (eloi.INEL.GOV [204.134.135.13]) by honor.greatcircle.com (8.8.5/Honor-980201-1) with ESMTP id JAA23490 for ; Mon, 2 Feb 1998 09:15:11 -0800 (PST) Received: from inel.gov ([134.20.173.76]) by eloi.inel.gov (Post.Office MTA v3.1 release PO203a ID# 0-36734U600L100S0) with ESMTP id AAA13168 for ; Mon, 2 Feb 1998 10:21:30 -0700 Message-ID: <34D6001A.8F38227F@inel.gov> Date: Mon, 02 Feb 1998 10:19:22 -0700 From: Bill Gray Organization: Idaho National Engineering & Environmental Laboratory X-Mailer: Mozilla 4.03 [en] (X11; I; SunOS 5.5.1 sun4u) MIME-Version: 1.0 To: firewalls-digest@GreatCircle.COM Subject: Firewall Reporting Software Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Sick Puppy wrote > ... > Has anybody on the list found reporting software for TIS Gauntlet or > Firewall-1 that really works? > ... I have developed some stuff in-house that, in a very simple-minded way, does the following: - Packages Firewall-1 logs into daily (24 hr, midnite to midnite) chunks; - Off-loads these chunks to a configurable destination host; - Provides simple web-based search access to these logs on the destination host; - Does some other log management (automatic switching, archiving). Almost all of it is sh(1). This stuff is not cleanly packaged, but if there is any interest I might be persuaded to bottle it. 
-- Bill Gray whg@inel.gov From firewalls-owner Mon Feb 2 22:44:51 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA24600; Mon, 2 Feb 1998 09:20:42 -0800 (PST) Received: from relay1.jet.msk.su (relay1.jet.msk.su [194.87.88.34]) by honor.greatcircle.com (8.8.5/Honor-980201-1) with SMTP id JAA24567 for ; Mon, 2 Feb 1998 09:20:31 -0800 (PST) Received: from tiger (tiger.jet.msk.su) [193.124.4.1] by relay1.jet.msk.su with smtp (Exim 1.82 #1) id 0xzPci-0000oB-00; Mon, 2 Feb 1998 20:25:32 +0300 Received: from h-10-166.service.jet.msk.su [192.168.10.166] by tiger.jet.msk.su with smtp (Exim 1.73 #2) id 0xzPch-0006Jn-00; Mon, 2 Feb 1998 20:25:31 +0300 Received: from localhost (jet.msk.su) [127.0.0.1] by h-10-166.service.jet.msk.su with esmtp (Exim 1.82 #1) id 0xzPbD-0007iQ-00; Mon, 2 Feb 1998 20:23:59 +0300 X-Mailer: exmh version 2.0 12/22/97 To: firewalls@greatcircle.com Subject: Re: anti-sniffer warfare - Solution In-reply-to: Your message of "Mon, 02 Feb 1998 08:50:07 +0100." <199802020750.IAA20213@julia.ksfw.eur.deuba.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Mon, 02 Feb 1998 20:23:59 +0300 From: Denis Golubev Message-Id: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Hi folks, > > > I found a very easy way to detect a sniffing computer from remote. > > It's really simple: > > How does an ethernetcard normally work? It takes a look at every > (ethernet-)frame on the wire and looks for its ethernet-id or the > broadcast-id. If found, it takes the frame and hands it to the > next upper layer, e.g. the unix kernel. > > If you craft a packet for a special host, with a *wrong* ethernet > address, it won't reply - unless it's in promiscuous mode! > Looks fine, but it depends heavily on the OS/network interface card. [skip] An RS/6000 box with NTX and AIX 4.1.4 doesn't send ARP replies at all when NTX is in promiscuous mode. 
A Sun/Solaris box with an le card has the same behavior whether le is in promiscuous mode or in normal operating mode: it doesn't reply to a ping with a spoofed MAC address. So I may catch some of the RS/6000 boxes when they are in promiscuous mode, but Suns successfully hide snooping mode from this remote probe. > > > > With kind regards, > Marc Heuse > [skip] Best regards, Denis --------------------------------- Denis Golubev, Moscow, Russia Jet Infosystems Technical Staff Phone: (+7 095) 973-48-48 E-mail: dlg@jet.msk.su Fax: (+7 095) 973-48-42 From firewalls-owner Mon Feb 2 22:44:58 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA25487; Mon, 2 Feb 1998 09:25:44 -0800 (PST) Received: from mailer.syr.edu (mailer.syr.edu [128.230.20.20]) by honor.greatcircle.com (8.8.5/Honor-980201-1) with ESMTP id JAA25454 for ; Mon, 2 Feb 1998 09:25:32 -0800 (PST) Received: from rodan.syr.edu by mailer.syr.edu (LSMTP for Windows NT v1.1a) with SMTP id <0.62A1CE40@mailer.syr.edu>; Mon, 2 Feb 1998 12:30:46 -0500 Received: from localhost (rgrimsha@localhost) by rodan.syr.edu (8.8.5/8.8.5) with SMTP id MAA04114; Mon, 2 Feb 1998 12:30:39 -0500 (EST) X-Authentication-Warning: rodan.syr.edu: rgrimsha owned process doing -bs Date: Mon, 2 Feb 1998 12:30:35 -0500 (EST) From: Randy Grimshaw X-Sender: rgrimsha@rodan.syr.edu To: Doug Wellington cc: firewalls@GreatCircle.COM, ddw@fornix.NSMA.Arizona.EDU Subject: Re: Sniffer tools In-Reply-To: <199801302154.OAA27327@fornix.NSMA.Arizona.EDU> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk What if you tracked changes in your router's ARP cache to identify new devices added to your network and actively checked each one with cpm or promisc? <> Previously: > >> 'ifstatus' can be used to monitor NIC card(s) on a machine for > >> promiscuous (sp?) mode. A quick search on the web should find the > >> source. 
> >This will tell you if the interface of a system you are on is running in > >promiscuous mode. It will NOT tell you if other machines, including ones > >you may not be aware of, are running in promiscuous mode. > > Yes, there is virtually NO way to determine if there is "a" machine on > your net sniffing packets. Using ifstatus will tell you if one of "your" > computers is being used for sniffing, but you won't be able to tell > if someone has plugged in their own computer to sniff. This is a nice > argument for putting in switched ethernet. A switch will greatly reduce > the amount of information that can be sniffed. (Of course, if YOU are > the one that wants to sniff, it will limit the information that you'll > get as well...) > > -Doug > > Doug Wellington > ddw@nsma.arizona.edu > Network and System Administrator > ARL, Division of Neural Systems, Memory and Aging > The University of Arizona, Tucson, AZ > (520) 626-6023 > (520) 291-0481 pager > (520) 626-2618 fax > > I DON'T buy anything from spammers, and I KEEP TRACK OF WHO SPAMS ME. > > I put up with ads on the TV because they pay for programming. When > spammers pay for the Internet, then I'll start putting up with spam. 
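The two ideas in the messages above (Randy Grimshaw's suggestion to diff the router's ARP cache for new devices, and the spoofed-MAC ping probe that Denis Golubev discusses) fit together as one workflow. The following is an added example written for this archive, not code from any of the posters: it parses two constructed `arp -a` snapshots (the hosts, MACs and 192.0.2.0/24 addresses are made up), picks out new or changed entries, and builds for each one a raw Ethernet/IPv4/ICMP echo frame whose Ethernet destination is the bogus MAC 11:11:11:11:11:11 used in the thread while the IP destination is the real target. `send_probe` assumes a Linux `AF_PACKET` socket and root; it is the only part that touches the wire. Denis's caveat applies unchanged: a host that answers is in promiscuous mode, but a host that stays silent may simply be running a stack that never answers such frames.

```python
"""Remote promiscuous-mode probe driven by ARP-cache changes (added example,
not from the thread). Flow: parse ARP snapshots -> diff -> build a probe
frame per new host -> (optionally) send it and watch for an echo reply."""
import re
import socket
import struct

BOGUS_MAC = "11:11:11:11:11:11"   # same bogus station address the thread used

_ARP_LINE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3}).*?([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})")


def parse_arp_table(text):
    """Return {ip: mac} from 'arp -a'-style output (any line holding an IP and a MAC)."""
    table = {}
    for line in text.splitlines():
        m = _ARP_LINE.search(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def arp_changes(baseline, current):
    """IPs worth probing: new since the baseline, or whose MAC changed."""
    return sorted(ip for ip, mac in current.items() if baseline.get(ip) != mac)


def _checksum(data):
    """RFC 1071 ones-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def _mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def build_probe_frame(src_mac, src_ip, dst_ip, dst_mac=BOGUS_MAC,
                      icmp_type=8, ident=0x4242, seq=1):
    """Ethernet(dst=bogus MAC) / IPv4(dst=real target) / ICMP echo, as raw bytes.
    A NIC in normal mode drops it (not its MAC); a promiscuous host passes it up."""
    payload = b"promisc-probe"
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", _checksum(icmp)) + icmp[4:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", _checksum(ip_hdr)) + ip_hdr[12:]
    eth = _mac_bytes(dst_mac) + _mac_bytes(src_mac) + b"\x08\x00"   # EtherType IPv4
    return eth + ip_hdr + icmp


def is_echo_reply_from(frame, target_ip, ident=0x4242):
    """True if a captured frame is a valid ICMP echo reply from target_ip with our identifier."""
    if len(frame) < 14 + 20 + 8 or frame[12:14] != b"\x08\x00":
        return False
    ihl = (frame[14] & 0x0F) * 4
    total = struct.unpack("!H", frame[16:18])[0]
    proto = frame[14 + 9]
    src = socket.inet_ntoa(frame[14 + 12:14 + 16])
    icmp = frame[14 + ihl:14 + total]
    if proto != 1 or src != target_ip or _checksum(icmp) != 0:
        return False
    itype, _code, _csum, iident, _seq = struct.unpack("!BBHHH", icmp[:8])
    return itype == 0 and iident == ident


def send_probe(iface, frame):
    """Put the frame on the wire via a Linux AF_PACKET raw socket (root needed)."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW)
    s.bind((iface, 0))
    s.send(frame)
    s.close()


# Constructed sample snapshots (hosts and addresses are made up for this example)
BASELINE_ARP = """\
? (192.0.2.1) at 00:00:0c:07:ac:01 [ether] on eth0
? (192.0.2.10) at 00:20:35:b3:4c:6a [ether] on eth0
"""
CURRENT_ARP = """\
? (192.0.2.1) at 00:00:0c:07:ac:01 [ether] on eth0
? (192.0.2.10) at 00:20:35:b3:4c:6a [ether] on eth0
? (192.0.2.77) at 00:a0:c9:12:34:56 [ether] on eth0
"""

if __name__ == "__main__":
    for ip in arp_changes(parse_arp_table(BASELINE_ARP), parse_arp_table(CURRENT_ARP)):
        frame = build_probe_frame("00:10:5a:aa:bb:cc", "192.0.2.2", ip)
        print("new host %s: %d-byte probe frame addressed to %s" % (ip, len(frame), BOGUS_MAC))
```

In practice the listener side is a capture filter for ICMP type 0 from the probed address with the chosen identifier; feed each captured frame to `is_echo_reply_from`. Only a positive answer is evidence, and the hosts that never reply need the other checks the thread mentions (ifstatus/cpm on the box itself, or port-level MAC locking on the hub).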
From firewalls-owner Mon Feb 2 23:53:24 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id WAA22001; Mon, 2 Feb 1998 22:18:52 -0800 (PST) Received: from diablo.cisco.com (diablo.cisco.com [171.68.223.106]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id WAA21956 for ; Mon, 2 Feb 1998 22:18:41 -0800 (PST) Received: from clonvick-pc.cisco.com ([171.70.238.6]) by diablo.cisco.com (8.8.5/CISCO.SERVER.1.2) with SMTP id JAA29536; Mon, 2 Feb 1998 09:28:55 -0800 (PST) Message-Id: <3.0.32.19980202112441.006eb2f4@diablo> X-Sender: clonvick@diablo X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Mon, 02 Feb 1998 11:26:03 -0600 To: FreakaZoid , Firewalls From: Chris Lonvick Subject: Re: 107.107.107.107 and 85.85.85.85 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello, Try swapping out the NIC card. Decimal 85 resolves to 0b01010101 which is just too regular to not be noticed as some sort of possible hardware failure. Decimal 107 is 0b01101011 which is not as regular, but the repetition is still noticeable. If that doesn't work, try sniffing the wire to see what IP protocol it is attempting to connect to. Hope this helps, Chris Lonvick Cisco Systems Corporate Consulting Houston, TX, USA +1.713.778.5663 At 02:41 PM 1/29/98 -0600, FreakaZoid wrote: >This may be a stupid question or a question not for this list... > >I have an internal pc that keeps trying to attach to one of these two IP >addresses and is getting denied. > >Since these are not NIC addrs and not on my internal network anywhere, >what is the significance of these IP addresses and if I see them what >should I look for? > >Thanks in advance? 
> >Sean > > > From firewalls-owner Tue Feb 3 01:01:40 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id AAA23826; Tue, 3 Feb 1998 00:47:32 -0800 (PST) Received: from zeus.centaur.de (zeus.centaur.de [194.120.119.100]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id AAA23818 for ; Tue, 3 Feb 1998 00:47:23 -0800 (PST) Received: from localhost (haag@localhost) by zeus.centaur.de (8.8.7/8.8.7) with SMTP id LAA28349; Tue, 3 Feb 1998 11:50:43 +0100 X-Authentication-Warning: zeus.centaur.de: haag owned process doing -bs Date: Tue, 3 Feb 1998 11:50:43 +0100 (MET) From: Elmar Haag To: Woody Weaver cc: Kevin Brown , firewalls@GreatCircle.COM Subject: Re: SecureRemote Client In-Reply-To: <3.0.5.32.19980130154340.00a30830@199.233.153.153> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 30 Jan 1998, Woody Weaver wrote: > At 12:41 AM 1/30/98 +0000, you wrote: > >Hi, > > > > > >Will the secure remote client work behind a NAT box? > > No. Because the NAT rewrites packet headers, the packet integrity is > violated and the firewall refuses to decrypt. Is this certain? Did you try this already or is it only a presumption? Elmar > > >I AM authenticated though. > > Because for authentication purposes, packet headers don't matter! 
> > --woody > > > Robert Wooddell Weaver email: woody.weaver@wiltelnsi.com > Senior Systems Engineer voice: 510.358.3972 > Wiltel NSI pager: 510.702.4334 > ---------------------------------------------------------------------- Elmar Haag CENTAUR COMMUNICATION Urbanstrasse 68 haag@centaur.de Xlink PoP Heilbronn 74074 Heilbronn http://www.centaur.de Tel +49 7131 799 258 Fax +49 7131 799 260 From firewalls-owner Tue Feb 3 02:52:25 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id BAA02825; Tue, 3 Feb 1998 01:42:02 -0800 (PST) Received: from bbcgate.bbc.co.uk (gatea.bbc.co.uk [132.185.132.10]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id AAA18574 for ; Tue, 3 Feb 1998 00:16:15 -0800 (PST) Received: from mail.radio.bbc.co.uk (rimfall.radio.bbc.co.uk [132.185.47.21]) by bbcgate.bbc.co.uk (8.8.8/8.7.2) with SMTP id IAA24259 for ; Tue, 3 Feb 1998 08:21:20 GMT Received: from nr-comms.radio.bbc.co.uk by mail.radio.bbc.co.uk with SMTP id AA00743 (5.67b/IDA-1.4.4 for ); Tue, 3 Feb 1998 08:21:17 GMT Message-Id: <199802030821.AA00743@mail.radio.bbc.co.uk> X-Nvlenv-01Date-Transferred: 3-Feb-1998 2:26:37 +0000; at link1.bbc To: Firewalls@GreatCircle.COM Date: 02 Feb 98 18:34:00 GMT From: hassai01@cent-directorates.bh.bbc.co.uk (Ivan Hassan) Subject: Migration Indication Sender: firewalls-owner@GreatCircle.COM Precedence: bulk The mail you sent Ivan Hassan was forwarded to a new Exchange address. The new address is Ivan Hassan in the address list MAIN/Exchange Recipients, or BBC/MAIN/HASSAI01 if you are using MS Mail. If you selected this address from your Personal Address Book, please update your list by re-entering the address from the Global Address List. If you need help doing this, please contact your administrator. 
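Woody Weaver's explanation quoted in the exchange above (the NAT box rewrites the IP header, the integrity check no longer matches, the firewall refuses to decrypt) can be made concrete with a small model. The following is an added illustration, not FireWall-1 or SecuRemote code and not a description of their actual algorithms: it protects a packet with an HMAC, lets a NAT rewrite the source address, and shows the check failing when the tag covers the outer header and surviving when the protected packet is carried inside an outer header the tag does not cover. The key, addresses and payload are constructed, and the NAT model only changes the address (a real NAT also repairs the header checksum and may rewrite ports, which would break the check just the same).

```python
"""Model of why header-rewriting NAT breaks a header-covering integrity check
(added illustration; the real product's mechanism is not described on this page)."""
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-shared-session-key"   # constructed; a real VPN derives this per session
TAG_LEN = hashlib.sha256().digest_size


def ip_header(src, dst, proto, payload_len):
    """Minimal IPv4 header (checksum left zero; it is not what the model is about)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def protect(packet):
    """Transport-style protection: the tag covers the IP header as well as the payload."""
    return packet + hmac.new(KEY, packet, hashlib.sha256).digest()


def verify(protected):
    """Gateway side: recompute the tag over everything before it and compare."""
    body, tag = protected[:-TAG_LEN], protected[-TAG_LEN:]
    return hmac.compare_digest(tag, hmac.new(KEY, body, hashlib.sha256).digest())


def nat_rewrite(packet, new_src):
    """What the NAT box does to the outermost IPv4 header: replace the source address
    (bytes 12..16). Checksum repair and port rewriting are omitted from the model."""
    return packet[:12] + socket.inet_aton(new_src) + packet[16:]


def encapsulate(protected, outer_src, outer_dst):
    """Tunnel-style: carry the protected packet inside an outer header (protocol 4,
    IP-in-IP) that the tag does not cover, so NAT is free to rewrite it."""
    return ip_header(outer_src, outer_dst, 4, len(protected)) + protected


def decapsulate(outer):
    ihl = (outer[0] & 0x0F) * 4
    return outer[ihl:]


def demo():
    """Run the three cases and return their verification results."""
    inner = ip_header("192.168.10.166", "203.0.113.5", 17, 5) + b"hello"   # constructed
    protected = protect(inner)
    natted = nat_rewrite(protected, "198.51.100.7")                       # NAT's public address
    tunnelled = encapsulate(protected, "192.168.10.166", "203.0.113.5")
    tunnelled_natted = nat_rewrite(tunnelled, "198.51.100.7")
    return {
        "direct": verify(protected),                       # no NAT: tag matches
        "direct_after_nat": verify(natted),                # header changed: refused
        "tunnel_after_nat": verify(decapsulate(tunnelled_natted)),   # inner untouched: accepted
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print("%-18s %s" % (case, "accepted" if ok else "refused"))
```

The same model explains the last line of the quoted exchange: a user-authentication step that signs a challenge, not the packet header, is indifferent to what NAT does to the addresses, so "authenticated but not decrypting" is exactly what a header-covering check behind NAT looks like.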
From firewalls-owner Tue Feb 3 03:57:12 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id BAA03083; Tue, 3 Feb 1998 01:44:20 -0800 (PST) Received: from bbcgate.bbc.co.uk (gatea.bbc.co.uk [132.185.132.10]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id AAA18860 for ; Tue, 3 Feb 1998 00:18:01 -0800 (PST) Received: from mail.radio.bbc.co.uk (rimfall.radio.bbc.co.uk [132.185.47.21]) by bbcgate.bbc.co.uk (8.8.8/8.7.2) with SMTP id IAA24623 for ; Tue, 3 Feb 1998 08:23:15 GMT Received: from nr-comms.radio.bbc.co.uk by mail.radio.bbc.co.uk with SMTP id AA01027 (5.67b/IDA-1.4.4 for ); Tue, 3 Feb 1998 08:23:15 GMT Message-Id: <199802030823.AA01027@mail.radio.bbc.co.uk> X-Nvlenv-01Date-Transferred: 3-Feb-1998 2:57:13 +0000; at link1.bbc To: Firewalls@GreatCircle.COM Date: 03 Feb 98 02:58:00 GMT From: hassai01@cent-directorates.bh.bbc.co.uk (Ivan Hassan) Subject: Migration Indication Sender: firewalls-owner@GreatCircle.COM Precedence: bulk The mail you sent Ivan Hassan was forwarded to a new Exchange address. The new address is Ivan Hassan in the address list MAIN/Exchange Recipients, or BBC/MAIN/HASSAI01 if you are using MS Mail. If you selected this address from your Personal Address Book, please update your list by re-entering the address from the Global Address List. If you need help doing this, please contact your administrator. 
From firewalls-owner Tue Feb 3 05:31:54 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA02357; Tue, 3 Feb 1998 05:16:39 -0800 (PST) Received: from eclipse.esr.com (eclipse.esr.com [204.77.128.18]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id FAA02333 for ; Tue, 3 Feb 1998 05:16:30 -0800 (PST) Received: from cerberus.esr.com by eclipse.esr.com with SMTP (5.65/1.2-eef) id AA20695; Tue, 3 Feb 98 08:22:20 -0500 Received: from esig.esr.com by cerberus.esr.com via smtpd (for eclipse.esr.com [204.77.128.18]) with SMTP; 3 Feb 1998 13:00:06 UT Received: by esig.esr.com; Tue, 3 Feb 98 8:34:08 EST Date: Tue, 3 Feb 98 8:30:34 EST Message-Id: X-Priority: 3 (Normal) To: , From: "Mike Weaver, Senior Systems Consultant" Subject: re: Firewall Reporting Software X-Incognito-Sn: 946 X-Incognito-Format: VERSION=2.01a ENCRYPTED=NO Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Telemate makes an excellent package that runs on NT or 95. It works with both of the firewalls you mention as well as some additional hardware such as Cisco routers. www.telemate.com ------------- Original Text From: Bill Gray , on 2/2/98 10:19 AM: Sick Puppy wrote > ... > Has anybody on the list found reporting software for TIS Gauntlet or > Firewall-1 that really works? > ... I have developed some stuff in-house that, in a very simple-minded way, does the following: - Packages Firewall-1 logs into daily (24 hr, midnite to midnite) chunks; - Off-loads these chunks to a configurable destination host; - Provides simple web-based search access to these logs on the destination host; - Does some other log management (automatic switching, archiving). Almost all of it is sh(1). This stuff is not cleanly packaged, but if there is any interest I might be persuaded to bottle it. 
-- Bill Gray whg@inel.gov ####################################################### # Mike Weaver Electronic Systems, Inc # # Senior Systems Consultant Richmond, Virginia # # mike@esr.com (804) 649-1800, ext 206 # ####################################################### # Network Integration Services, Consulting, Internet # # A Commercial Internet Exchange Member # ####################################################### From firewalls-owner Tue Feb 3 05:38:10 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA10310; Tue, 3 Feb 1998 02:54:02 -0800 (PST) Received: from bacchus.aandi.co.jp ([210.145.217.166]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id CAA10224 for ; Tue, 3 Feb 1998 02:53:41 -0800 (PST) Received: from HirakawaSatoko.aandi.co.jp ([172.16.10.176]) by bacchus.aandi.co.jp (2.0 Build 2144 (Berkeley 8.8.4)/8.8.4) with SMTP id TAA00662; Tue, 03 Feb 1998 19:57:29 +0900 Date: Tue, 03 Feb 1998 19:57:29 +0900 Message-Id: <199802031057.TAA00662@bacchus.aandi.co.jp> From: Satoko Hirakawa To: firewalls@Greatcircle.COM Cc: Kevin Brown , Woody Weaver , Elmar Haag Subject: Re[2]: SecureRemote Client In-Reply-To: References: <3.0.5.32.19980130154340.00a30830@199.233.153.153> MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-Mailer: Becky! ver 1.23 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Is this about FireWall-1? If so, I've read that the "use encapsulation" button makes NAT w/ SecuRemote work. This button is on the Encryption property of the firewall's workstation property. By the way, this is an option for FW-1 ver 3.0a and higher w/ SecuRemote ver 3.0 and higher. I've never tried it myself, though... ================================================ > On Fri, 30 Jan 1998, Woody Weaver wrote: > > > At 12:41 AM 1/30/98 +0000, you wrote: > > >Hi, > > > > > > > > >Will the secure remote client work behind a NAT box? > > > > No. 
Because the NAT rewrites packet headers, the packet integrity is > > violated and the firewall refuses to decrypt. > > Is this sure? Did you try this already or is it only a presumption? > > > Elmar > > > > > > >I AM authenticated though. > > > > Because for authentication purposes, packet headers don't matter! > > > > --woody > > > > > > Robert Wooddell Weaver email: woody.weaver@wiltelnsi.com > > Senior Systems Engineer voice: 510.358.3972 > > Wiltel NSI pager: 510.702.4334 > > > > ---------------------------------------------------------------------- > Elmar Haag CENTAUR COMMUNICATION Urbanstrasse 68 > haag@centaur.de Xlink PoP Heilbronn 74074 Heilbronn > http://www.centaur.de Tel +49 7131 799 258 Fax +49 7131 799 260 > ================================================ Satoko Hirakawa email: hirakawa@aandi.co.jp Advanced Information Technology Division A&I System Co., Ltd. From firewalls-owner Tue Feb 3 05:56:33 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id DAA20553; Tue, 3 Feb 1998 03:56:48 -0800 (PST) Received: from drs3000.icl.kazan.su (drs3000.icl.kazan.su [194.135.83.3]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id DAA19757 for ; Tue, 3 Feb 1998 03:50:18 -0800 (PST) Received: from pc37.icl.kazan.su (pc037.icl.kazan.su [194.135.83.37]) by drs3000.icl.kazan.su (8.7.3/8.7.3) with SMTP id OAA13547 for ; Tue, 3 Feb 1998 14:52:57 +0300 (MSK) Date: Tue, 3 Feb 1998 14:52:57 +0300 (MSK) Message-Id: <199802031152.OAA13547@drs3000.icl.kazan.su> X-Sender: kirsha@pop3.icl.kazan.su X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@GreatCircle.COM From: Victor Kirsha Sender: firewalls-owner@GreatCircle.COM Precedence: bulk usubscribe firewalls From firewalls-owner Tue Feb 3 06:15:24 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id AAA17915; Tue, 3 Feb 1998 00:13:45 -0800 (PST) Received: from 
maersk.dk (fw1ibm.mdata.dk [194.196.49.1]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id AAA17743 for ; Tue, 3 Feb 1998 00:13:12 -0800 (PST) From: MDCBRS@maerskdata.dk Received: from mdcext.cph.maersknet.com (mdws271.cph.dnk.maersknet.com [10.45.31.10]) by maersk.dk (8.7.4/8.7.3) with SMTP id JAA12748 for ; Tue, 3 Feb 1998 09:22:59 +0100 Received: by mdcext.cph.maersknet.com(Lotus SMTP MTA v1.1 (385.6 5-6-1997)) id 412565A0.002D97F8 ; Tue, 3 Feb 1998 09:18:00 +0100 X-Lotus-FromDomain: MDCLN@MDELN To: firewalls@GreatCircle.COM Message-ID: Date: Tue, 3 Feb 1998 09:18:31 +0100 Subject: RE: MS Proxy 2.0 and Netscape Mime-Version: 1.0 Content-type: text/plain; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Thank you very much for your answers. I can see I didn't put enough information in my question mail. Thanks to you I now have it working with Anonymous logon; does this mean NT challenge/response doesn't work with Netscape clients? Thanks in advance. Brian PETERC@MCS {SMTP:peterc on 03-02-98 07:05:59 To: Brian Schmidt/Maersk Data/DK@MDCLN RCV00020@MCS {SMTP:ftorabi@woolworths.com.au} @ MCS RCV00030@MCS {SMTP:firewalls@GreatCircle.COM} @ MCS cc: Subject: MHS04854 From: "Crowe, Peter" Sender: firewalls-owner@GreatCircle.COM To: "'ftorabi@woolworths.com.au'", firewalls@GreatCircle.COM Subject: RE: MS Proxy 2.0 and Netscape Make sure you check both your sharing permissions and folder\file permissions (if running NTFS). I've also had the same problem but only got it working properly with either 1) using Explorer 2) implementing the above. Cheers Peter > -----Original Message----- > From: ftorabi@woolworths.com.au [SMTP:ftorabi@woolworths.com.au] > Sent: Monday, February 02, 1998 8:30 PM > To: firewalls@GreatCircle.COM > Subject: MS Proxy 2.0 and Netscape > > Yes I had the same bloody problem. 
> You should try to go to the IIS security and play with the > Anonymous-cleartext-nt challenge/response to set up your web security > for non-windows workstations. > MS proxy might have a few bugs in it when accessing secure sites so > you > may need to talk to Microsoft. > > > ----------------------------------------------- > TO : FIREWALLS > FROM: Schmidt, Brian/BRS > > REFN: MHS29058 98.02.02 22:59 CET > > MS Proxy 2.0 and Netscape > Hi all. > > I need to hear if anybody has any knowledge about running Netscape > clients against a MS Proxy server 2.0. > > I keep getting access denied when prompted for the logon password. > > Thanks in advance > Brian From firewalls-owner Tue Feb 3 06:23:02 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id DAA19149; Tue, 3 Feb 1998 03:46:49 -0800 (PST) Received: from corpus.cz (ns.corpus.cz [194.213.34.200]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id DAA19014 for ; Tue, 3 Feb 1998 03:46:06 -0800 (PST) Received: from ws14.corpus.cz (marek@marek [194.213.34.219]) by corpus.cz (8.8.8/8.8.8) with ESMTP id MAA12557 for ; Tue, 3 Feb 1998 12:51:10 +0100 (MET) Received: (from marek@localhost) by ws14.corpus.cz (8.8.3/8.8.7) id MAA00294; Tue, 3 Feb 1998 12:51:09 +0100 Message-ID: <19980203125108.30692@corpus.cz> Date: Tue, 3 Feb 1998 12:51:08 +0100 From: Marek Kubita To: firewalls@GreatCircle.COM Subject: FW-1 and FIN scanning (was: nmap tool) Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.88 In-Reply-To: =?iso-8859-2?Q?=3Cno=2Eid=3E=3B_from_Robert_St=E5hlbrand_on_Fri=2C_Jan_3?= =?iso-8859-2?Q?0=2C_1998_at_08=3A44=3A48AM_+0100?= Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, a few days ago I made a statement here that FW-1 is not vulnerable to FIN-scanning. Unfortunately this is not true; thanks to Robert Stahlbrand, who noticed this. 
The behavior of FW-1 is quite strange: If the FIN packets from the scanner match a rule with "Reject" action, the FIN-scanning doesn't work: the scanner gets no replies for any scanned ports and so nmap reports all ports as listening. The attempts are logged as rejected. However, if the packets are caught by a "Drop" rule, the packets are also logged, but they pass through FW-1 to the destination (verified by sniffer) and the replies do pass back, so nmap detects the listening ports. The packets are logged as dropped. I am forwarding this message to the FW-1 mailing list. Maybe this problem can be solved by some additional INSPECT code in the FW-1 configuration. On Fri, Jan 30, 1998 at 08:44:48AM +0100, Robert Stahlbrand wrote: > So you trust your logs *smile*! > My logs tell me the same, but what happens in reality? > My first thought was the same as yours. It looked like FW-1 takes care > of it properly but when I put a sniffer on the inside network I was > surprised that I saw traffic flowing through my firewall, coming from my > intruder-Linux box on the outside. > > I run FW-1 but a lower version (2.1a) inside our Intranet between the > backbone of Ericsson-Intranet and into our environment. If you have time > I would like you to verify this with your 3.0-version. There might be > differences in how the packets are handled. > What does the nmap tool tell you? Does it find any good ports? > > Anyone at Checkpoint reading this??? > > /Robert Ståhlbrand, Ericsson Telecom AB > > > -----Original Message----- > > From: Marek Kubita [SMTP:marek@corpus.cz] > > Sent: den 28 januari 1998 18:26 > > To: firewalls@GreatCircle.COM > > Subject: Re: nmap tool > > > > On Sat, Jan 24, 1998 at 09:37:33AM +0100, Robert Stahlbrand wrote: > > > [...] > > > One example is that you can scan through your packet-filtering firewall > > > (such as Checkpoint's FW-1) and see what ports are open on machines > > > behind the firewall. 
This method is called FIN-scanning and as you > > > probably know, a packet-filtering firewall ONLY looks at packets with the > > > SYN-flag set (initiation of a TCP-session) which means that packets with > > > the FIN-flag set will actually PASS YOUR FIREWALL. > > > [...] > > > > I tried nmap FIN scanning with Checkpoint FW-1 v3.0 and the packets > > were correctly dropped and logged. The FW-1 checks every packet, not just > > SYN ones. > > -- . Marek Kubita, Corpus spol.s r.o., Praha 10, Sluzeb 4 : : Czech Republic . : tel. +420-2-701719, 701748, fax 704814 . From firewalls-owner Tue Feb 3 06:39:25 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA04201; Tue, 3 Feb 1998 05:35:13 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id FAA04168 for ; Tue, 3 Feb 1998 05:35:04 -0800 (PST) Received: from europe.cisco.com by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id EAA16830; Tue, 3 Feb 1998 04:40:05 -0800 (PST) Received: from evyncke-pc.cisco.com (par-async24.cisco.com [144.254.77.35]) by europe.cisco.com (8.8.6/8.8.6) with SMTP id NAA05982; Tue, 3 Feb 1998 13:41:14 +0100 (MET) Message-Id: <3.0.5.32.19980203114535.00832100@brussels.cisco.com> X-Sender: evyncke@brussels.cisco.com X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Tue, 03 Feb 1998 11:45:35 +0100 To: Marc Heuse , firewalls@GreatCircle.COM From: Eric Vyncke Subject: Re: anti-sniffer warfare - Solution In-Reply-To: <199802020750.IAA20213@julia.ksfw.eur.deuba.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Nice idea, but it works only for a sniffer with a TCP/IP stack... and most sniffers are really passive so they will never answer... -eric At 08:50 2/02/98 +0100, Marc Heuse wrote: >Hi folks, > > >I found a very easy way to detect a sniffing computer from remote. 
> >It's really simple: > >How does an ethernetcard normally work? It takes a look at every >(ethernet-)frame on the wire and looks for its ethernet-id or the >broadcast-id. If found, it takes the frame and hands it to the >next upper layer, e.g. the unix kernel. > >If you craft a packet for a special host, with a *wrong* ethernet >address, it won't reply - unless it's in promiscuous mode! > >And this is the easy solution (which is only usable within a subnet): >Install a scanner program on a server on each subnet. All it needs to >have is an entry in /etc/ethers like > ># /etc/ethers >scantarget 01:01:01:01:01:01 # scantarget ip is the subnet's broadcast > # address. > >then disable the broadcast ip on the interface and finally send a >ping to "scantarget" once a minute. This doesn't need root, easy to set >up and manage. >Drawback: one server in the subnet can't reply to a broadcast packet and >some operating systems do not reply to a broadcast ping (like AIX). >The solution to these two problems is pinging each host directly with a fake >ethernet address (I think ipsend from the ip_filter package has this feature). >Final Drawback: An attacker can modify the kernel to check the hardware >address of the received packet. But well, this will detect 98% of the script >kiddies. > > >Below is the output of my test: > >julia:/ # arp -a >Address HWtype HWaddress Flags Mask Iface >marc ether 00:20:35:B3:4C:6A C * eth0 >julia:/ # arp -d marc >julia:/ # arp -s marc 11:11:11:11:11:11 >julia:/ # arp -a >Address HWtype HWaddress Flags Mask Iface >marc ether 11:11:11:11:11:11 CM * eth0 >julia:/ # ping marc >PING marc (x.x.x.x): 56 data bytes > >--- marc ping statistics --- >3 packets transmitted, 0 packets received, 100% packet loss > >[ then I turned on promisc. 
mode on the server "marc" by starting "sniffit" ] > >julia:/ # ping marc >PING marc (x.x.x.x): 56 data bytes >64 bytes from x.x.x.x: icmp_seq=0 ttl=64 time=0.7 ms >64 bytes from x.x.x.x: icmp_seq=1 ttl=64 time=0.7 ms > >--- marc ping statistics --- >2 packets transmitted, 2 packets received, 0% packet loss >round-trip min/avg/max = 0.7/0.7/0.7 ms >julia:/ # arp -a >Address HWtype HWaddress Flags Mask Iface >marc ether 11:11:11:11:11:11 CM * eth0 > >[ Here I turned the sniffer on server "marc" off ] > >julia:/ # ping marc >PING marc (x.x.x.x): 56 data bytes > >--- marc ping statistics --- >1 packets transmitted, 0 packets received, 100% packet loss > > > > > >Mit freundlichen Gruessen, > Marc Heuse > > >This message and any statements expressed therein are those of myself >and not of the Deutsche Bank AG or its subsidiary companies. > > > >Type Bits/KeyID Date User ID >pub 2048/DB5C03C5 1997/09/23 Marc Heuse > >-----BEGIN PGP PUBLIC KEY BLOCK----- >Version: 2.6.3i > >mQENAzQnbFEAAAEIAL/tj4hn/DVjEWAZhuqRdxZQDy5B+gZbE0CD/mUnZqpem+9L >KY+I8te7jMfTQExzqn5jYb5BaibT0SbEBWSx9Gha8EiBLAVcAjvrXpV+HJLcnPRG >YDk5a3s7GrA+QVHbbd9DWgqjMfUMw9oUDAhhjgK20SeOtFGBD2U17GkQF6TK7EjC >CTOuz2Hx/tisDuroJJnxZdbLNvCceOf/D/bbFcR7DfnEJWJ3f9JC4fibZMlX5rXL >Ct/TKhZMd4d42uL7L4KvkT5JCnFuEw1jRDPpBjZ030cK2uWCM//iEVLGmGKOs6Pg >o3Lfnnd6I6bTPHgrNsapNWmocbIGDC/4w9tcA8UABRG0Jk1hcmMgSGV1c2UgPG1h >cmMuaGV1c2VAbWFpbC5kZXViYS5jb20+iQEVAwUQNCdsUQwv+MPbXAPFAQFWEwf5 >AWt6PbKLLCCBPnzBMdXatKEJvNzrZRXNSpbgKQUDAKApRUnOkDJ9yp3tfJG0/BsL >XBf+ldmjjoo/OZeWhIhNb71bbCs8BK7/YK5LKef2eq4pzSiWYosrOfjlfyOVhAiP >AiWYtK/HBELy6Zs8QwoPX0QX0+R2+ocMS0TDz7nwBgO5wcj3yMU0geTrnlDpJdj1 >RgFQLE6T9qO5coRjj1EAoT5gQMxP9L4TQuifYiQ6S2vh6blr3amjPohKSDzZ62/x >rQ1KMXJd7MlMQndn8UwKt4XgoFIsZOFRrkDiXfm6zFnH40UcotoA+Ygojp52+Y6A >MuixTDbuf3Jph2jEG6r4Dw== >=/n63 >-----END PGP PUBLIC KEY BLOCK----- > Eric Vyncke Technical Consultant Cisco Systems Belgium SA/NV Phone: +32-2-778.4677 Fax: +32-2-778.4300 E-mail: evyncke@cisco.com Mobile: +32-75-312.458 From 
firewalls-owner Tue Feb 3 07:22:49 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA16169; Tue, 3 Feb 1998 06:47:25 -0800 (PST) Received: from panic.inta.net (panic.inta.net [194.70.70.70]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id GAA15999 for ; Tue, 3 Feb 1998 06:46:47 -0800 (PST) Received: (from dom@localhost) by panic.inta.net (0/0) id OAA17948 for firewalls@GreatCircle.COM; Tue, 3 Feb 1998 14:51:58 GMT Message-Id: <199802031451.OAA17948@panic.inta.net> Subject: Re: Raptor - Limiting Access to Telnet by range of IP's To: firewalls@GreatCircle.COM Date: Tue, 3 Feb 1998 14:51:57 +0000 (GMT) In-Reply-To: <34CE37CC.8E62C321@pdc.com> from "Robert Spence" at Jan 27, 98 01:38:52 pm From: Dominic J Hulewicz Organisation: Intanet Communications, U.K. Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In a previous message, Robert Spence wrote: : : Please keep in mind that by allowing non-encrypted telnet from the : Internet via an ISP, all information passed between the client and : server is accessable to EVERYONE on the Internet. This includes : any username/passwords that are entered. : : An alternative would be to utilize a product such as Eagle Remote, : which would encrypt all traffic between the client and the FW. ... or Secure Shell ( http://escert.upc.es/others/ssh/ ) SSH clients are available for Windows 3.1x/95/NT, Macs and most flavours of Unix, and as the name implies it provides a secure, encrypted session between hosts. (apologies if this suggestion isn't applicable to your requirements, I missed the start of this thread :*) Dom. -- Dominic J. 
Hulewicz - mailto:dom@inta.net - http://www.intanet.com/dom From firewalls-owner Tue Feb 3 07:54:32 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA24907; Tue, 3 Feb 1998 07:26:27 -0800 (PST) Received: from softworx.netvision.net.il (softworx.NetVision.net.il [194.90.1.40]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id HAA24841 for ; Tue, 3 Feb 1998 07:26:06 -0800 (PST) Received: (qmail 6496 invoked by uid 1000); 3 Feb 1998 15:31:16 -0000 Message-ID: <19980203153116.6494.qmail@softworx.netvision.net.il> X-Mailer: exmh version 2.0.1 12/23/97 To: firewalls@GreatCircle.COM Cc: Marek Kubita From: Steve Birnbaum Subject: Re: FW-1 and FIN scanning (was: nmap tool) In-Reply-To: Your message of "Tue, 03 Feb 1998 12:51:08 +0100." <19980203125108.30692@corpus.cz> Mime-Version: 1.0 Content-Type: multipart/signed; boundary="==_Exmh_990011880P"; micalg=pgp-md5; protocol="application/pgp-signature" Content-Transfer-Encoding: 7bit Date: Tue, 03 Feb 1998 17:31:16 +0200 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk --==_Exmh_990011880P Content-Type: text/plain; charset=us-ascii marek@corpus.cz said: > However, if the packets are caught by "Drop" rule, the packets are > also logged, but they pass through FW-1 to the destination (verified > by sniffer) and the replies do pass back, so nmap detects the > listening ports. The packets are logged as dropped. I believe this is considered a "feature". Check if the data of the original packet was passed through or if it is just the header. I believe the reason for this is to allow sessions interrupted by an installation of the policy to not be terminated when the state table is cleared. However, I believe that only packets that would possibly be allowed by a reverse rule will see such behaviour. There was a message a couple of months ago to this list that made the same discovery. 
Steve

--
sbirn@security.org.il    Phone: +972-2-6795860
--Standard Disclaimer--
Fight Internet Spam! http://www.vix.com/spam/
(PGP key available)

From firewalls-owner Tue Feb 3 09:09:27 1998
From: "Kernan, Anthony C. (SSgt)~U"
Date: Tue, 3 Feb 1998 09:12:33 -0600
To: "'gc'"
Subject: tcpmux service

Could someone please explain what tcpmux service is and what it's for?

Anthony C.
Kernan
SSgt, USAF
Offutt AFB, Ne
402-232-5227  dsn 272-5227
kernana@stratcom.af.mil

From firewalls-owner Tue Feb 3 09:22:41 1998
From: Paul Alukal
Date: Tue, 03 Feb 1998 11:20:01 -0500
To: firewalls@GreatCircle.COM, pva@bluerose.tju.edu
Subject: Re: anti-sniffer warfare
Message-Id: <199802031620.LAA08276@bluerose.tju.edu>

>We like the HP hubs with the management module. You can get the hub
>port to
>1) send an alarm when the MAC address changes (which doesn't really
>help if the intruder assumes the MAC address of the machine)
>2) shutdown the port if the MAC address changes
>3) prevent passive eavesdropping on a port by only allowing packets
>through to the MAC address tied to that port
>4) all of the above

Something I have noticed in this kind of port-locking mechanism is that if
an intruder can access the hub/switch, with some special sequence on the
reset key, they will be able to reset the device to factory settings. (The
device I am talking about is not the one mentioned above, but switches from
a well-known manufacturer of network equipment).

Paul V.
Alukal
Thomas Jefferson University Hospital
Philadelphia

From firewalls-owner Tue Feb 3 10:22:38 1998
From: manuel.ricca@pararede.pt
Date: 03 Feb 98 17:24:12 +0000
To: firewalls@GreatCircle.COM
Subject: Re: Differences

"Peer to peer key exchange cannot be trusted unless ownership of the key
can be verified by some other means (Web of trust, digital signature of
an X.509 CA, KERBEROS ticket etc)"

Why not? What about Diffie-Hellman itself for key exchange? It does
resist MITM attacks.
----------
From: firewalls-owner@GreatCircle.COM [SMTP:firewalls-owner@GreatCircle.COM]
Sent: Monday, 2 February 1998 22:30
To: weaver@hydra.dra.hmg.gb
Cc: firewalls@GreatCircle.COM
Subject: Re: Differences

You are indeed correct in pointing out that IPSEC with ISAKMP key exchange
is mandatory for IPv6 with SKIP being optional. To make a decision on
their use in a VPN network, you must know something about the strengths
of each protocol.

SKIP is indeed a superset of IPSEC but not of ISAKMP. Behind each SKIP
header, there is indeed an AH and/or ESP packet payload. The SKIP header
contains the encryption/authentication keys for the IPSEC payload,
encrypted in the shared secret derived from pre-distributed
Diffie-Hellman values.

IPSEC with ISAKMP uses the application layer ISAKMP daemon to negotiate
one-time encryption/authentication keys for use in a Security Association
of finite life.

Since the SKIP shared secrets are pre-distributed, there is no handshaking
overhead to establish an encrypted connection. To require an ISAKMP
handshake just to deliver a single UDP packet.....

On the other hand, SKIP X.509 signed identities have a lifetime of months
to years, compared to the ISAKMP Security Association lifetime of hours to
days, which makes ISAKMP less prone to brute force key attacks (that is
assuming you don't trust the statement that the small size of the
encrypted keys in the SKIP header is too small to provide useful
information to crack the shared secret. That's the SKIP assumption).

IMHO, both SKIP and ISAKMP share a common weakness. Peer to peer key
exchange cannot be trusted unless ownership of the key can be verified
by some other means (Web of trust, digital signature of an X.509 CA,
KERBEROS ticket etc)

This still boils down to the fact that SKIP, ISAKMP, and other peer to
peer protocols are only COMPONENTS of a VPN.
Implied requirements (X.509 hierarchy, PF_KEY application support, etc)
must be taken into account when designing a VPN

Personal Opinions provided by
Leonard Miyata aka leonard@geminisecure.com
Gemini Computers Inc.

On Wed, 28 Jan 1998, Elfed T. Weaver wrote:

>
> Superset ?
>
> SKIP was a key management protocol (IKMP) proposed for use
> with the IPSec protocols. In its basic form it is quite simple
> although not very flexible. To achieve the flexibility required by
> the IETF Working Group (WG) responsible for developing the IKMP, SKIP's
> developers (SUN) defined a number of add-on protocols; this resulted
> in a complex suite of protocols.
>
> Consequently, the key management protocol mandated for use with IPv6
> by the IETF IPSec WG is ISAKMP (Internet Security Association and Key
> Management Protocol). This protocol, in its native form, provides
> both the flexibility and forward migration path (to enable new key
> exchanges to be integrated as and when they are developed) required
> by the IPSec WG.
>
> Note: both IPSec and ISAKMP can be used over IPv4 based networks; in
> fact, the majority of implementations currently available are for
> IPv4.
>
> for more details see www.ietf.org/ids.by.wg/ipsec.html
>
>

From firewalls-owner Tue Feb 3 10:37:34 1998
From: Marc Heuse
Date: Tue, 3 Feb 1998 17:29:52 +0100 (CET)
To: firewalls@greatcircle.com
Subject: Re: anti-sniffer warfare - Solution
Message-Id: <199802031629.RAA31506@julia.ksfw.eur.deuba.com>

Hi,

> Nice idea, but working only for a sniffer with a TCP/IP stack... and
> most sniffers are really passive so they will never answer...
>
> -eric

well, I think we are talking about sniffing via a host (with tcpdump etc.)
where this is a good solution.

But I must confirm that this method does not work with AIX :-(
I'll try to check this with Solaris in the next days.
Did anyone else check other operating systems? HP-UX anyone?

If you want general protection against sniffing, you can only use smart
hubs or switches with pressure-shielded cables - or fiber optic cables
(well, you can sniff on them too, but with good hardware you can detect
this) ... and all this stuff won't help against all possibilities.

You can't securely get people off your wire if they've got local access.
No chance.
And - finally - once you've got a (you think) 99.9% proof concept - well,
you bought Tempest computer hardware, did you? ;-)

> At 08:50 2/02/98 +0100, Marc Heuse wrote:
> >I found a very easy way to detect a sniffing computer from remote.
> >It's really simple:
> >How does an Ethernet card normally work? It takes a look at every
> >(Ethernet) frame on the wire and looks for its Ethernet ID or the
> >broadcast ID. If found, it takes the frame and hands it to the
> >next upper layer, e.g. the unix kernel.
> >If you craft a packet for a special host, with a *wrong* Ethernet
> >address, it won't reply - unless it's in promiscuous mode!

With kind regards,

Marc Heuse

This message and any statements expressed therein are those of myself
and not of the Deutsche Bank AG or its subsidiary companies.

Type Bits/KeyID    Date       User ID
pub  2048/DB5C03C5 1997/09/23 Marc Heuse
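Marc Heuse's remote check above, as an added example that is not his code: it builds the frame the check relies on (the target's real IP address behind a bogus Ethernet destination) and decodes it so the checksums can be verified before use. The MAC and IP addresses are constructed, and the sending routine assumes Linux raw sockets.

```python
"""Added example (not Marc Heuse's code): the probe frame behind his remote
promiscuous-mode check.  The IP header carries the target's real address but
the Ethernet destination is a bogus MAC, so a NIC filtering on its own address
drops the frame, while a host in promiscuous mode hands it to the IP stack,
which answers the echo request.  Building and checking the frame runs anywhere;
sending needs Linux AF_PACKET and CAP_NET_RAW.  Every address is constructed."""
import socket
import struct

BOGUS_DST_MAC = bytes.fromhex("02deadbeef01")   # constructed, locally administered
ETH_P_IP = 0x0800
ICMP_ECHO_REQUEST = 8


def inet_checksum(data: bytes) -> int:
    """One's-complement sum shared by the IP and ICMP headers (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_probe(src_mac: bytes, src_ip: str, dst_ip: str,
                ident: int = 0x4242, seq: int = 1) -> bytes:
    """Ethernet (bogus destination) / IPv4 / ICMP echo request, checksums filled."""
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq) + b"promisc-probe"
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, 64,
                     socket.IPPROTO_ICMP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return BOGUS_DST_MAC + src_mac + struct.pack("!H", ETH_P_IP) + ip + icmp


def decode_probe(frame: bytes) -> dict:
    """Fields worth eyeballing before the frame goes on the wire; a checksum
    over a header that includes its own checksum field comes out to zero."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    ip = frame[14:34]
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", ip)
    icmp = frame[34:14 + total_len]
    return {
        "dst_mac": frame[:6].hex(), "src_mac": frame[6:12].hex(), "ethertype": ethertype,
        "ip_ok": ver_ihl == 0x45 and proto == socket.IPPROTO_ICMP and inet_checksum(ip) == 0,
        "src_ip": socket.inet_ntoa(src), "dst_ip": socket.inet_ntoa(dst),
        "icmp_type": icmp[0], "icmp_ok": inet_checksum(icmp) == 0,
    }


def send_probe(iface: str, frame: bytes) -> None:
    """Linux only: put the frame on `iface` raw and watch the segment for an
    echo reply.  A reply means the target accepted a frame not addressed to its
    NIC.  No reply proves nothing: purely passive taps never answer, and Heuse
    reports AIX stays silent even when it is sniffing."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as sock:
        sock.bind((iface, 0))
        sock.send(frame)


if __name__ == "__main__":
    probe = build_probe(bytes.fromhex("02deadbeef02"), "192.0.2.1", "192.0.2.20")
    print(decode_probe(probe))
```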

From: Kunal Choudhary
Organization: Thomas Publishing
Date: Tue, 03 Feb 1998 10:00:46 -0500
To: Firewalls@GreatCircle.COM
Subject: Re: Firewalls-Digest V7 #51
References: <199802030633.WAA25789@honor.greatcircle.com>
Message-ID: <34D7311E.46FE119@access.digex.net>

Hi all,

I've been told by Checkpoint support that v3.0b needs ip forwarding
turned on at the bastion host to work. They assure me that this is
completely safe, since the firewall inspects all packets anyway. I find
this surprising, esp. considering that v2.1 never required this. Any
feedback will be appreciated.
Thanks

Kunal Choudhary

From firewalls-owner Tue Feb 3 11:58:40 1998
From: "Icore, Joshua"
Date: Tue, 3 Feb 1998 10:51:20 -0500
To: "Marc Heuse"
Cc: "firewalls"
Subject: Re: anti-sniffer warfare
Message-Id: <98Feb3.105017est.26885@virginia.dsava.com>

> Hi,
>
>> A more direct approach would be to run something like cpm from CERT.
>> cpm can be run out of cron on unix boxes and checks to see which if any
>> devices are in promiscuous mode by checking the devices' status via
>> ioctl's.
>
> If an attacker finds this program he'll modify it so it won't report
> anything. This is almost trivial.

This is true of any host based software of course, but it is one step...

> A better approach for an attacker would be to load a kernel module (if
> supported by the operating system) which does prevent showing the
> PROMISC flag from the ethernet card.

Agreed, also, the attacker would want to load a module to prevent the
ethernet card from responding to frames that are not sent to its MAC
address to prevent active detection by a remote host....

>> For the really paranoid, with source access, one can always wrap/trap
>> the SIOCSIFFLAGS operation and check to see if IFF_PROMISC is being set,
>> and issue a warning.
>
> this would be a good solution. Someone would need to patch the system to
> get around this, and to detect this and remove the protection is hard
> work, too much for most of the script kiddies.
> btw. linux reports a "kernel: eth0: Promiscuous mode enabled" ...
As do {Free,Net,Open}BSD

>> Since IFF_PROMISC is already restricted on *nix systems to euid 0, add
>> code to write to a log, or send mail if the IFF_PROMISC flag is set.
>
> well - what's the use? If an attacker has got root to run a sniffer, he
> can modify the logs too. Solution: send a log message to another host.
>
> Marc Heuse

True, but the attacker can also disable syslog, add a static route and arp
entry (if needed) for the log host to the localhost... The possibilities
are endless...

Respectfully,
Joshua R. Icore

---
Joshua R. Icore
Network Security Engineer
Decision-Science Applications, Inc.
1110 N. Glebe Rd., Suite 400
Arlington, VA 22201
PGP Key fingerprint = BB E5 D6 01 D7 9A 29 CE 6A 30 8D 99 82 79 11 D6
jicore@dsava.com
pager: 1.800.800.7759 (jicore-pager@dsava.com)
voice: 703.243.2500
fax: 703.875.9231

From firewalls-owner Tue Feb 3 12:05:58 1998
From: Alexey Zilber
Date: Tue, 3 Feb 1998 14:52:02 -0500 (EST)
To: firewalls@greatcircle.com
Subject: Please take me off the list.

My old email was: azilber@usanetworks.com

From firewalls-owner Tue Feb 3 12:10:43 1998
From: Doug Hughes
Date: Tue, 3 Feb 1998 13:54:04 -0600
To: firewalls@greatcircle.com
Subject: Re: Sniffer tools

>
>What if you tracked changes in your router's arp cache to identify new
>devices added to your network and actively checked each one with cpm or
>promisc ?
>

What if it's an NT box? What if it's a DOS box? What if it's running
OS/2? What if it has the transmit pairs cut? Way, way too many ways around
it. Physical inspection is the only completely 100% way.

It's also fairly easy to change the hardware address of a NIC to anything
you want it to be (this is required for protocols like Decnet). You can
pretend to be any machine. If a machine drops off the net for a second
and then comes back, are you likely to think it's a hacker that has
assumed the identity of some PC? Of course not, but it is possible.

It all depends on how much time you want to spend fighting this sort of
thing. The best defense is switched or secure hubs so that promiscuous
mode doesn't buy the person much. They can only see traffic destined for
that port.
If you go further and use link-level encryption, even if they can see
traffic, they won't be able to understand it.

cpm/promisc might be enough to inhibit script-kiddies on a homogeneous
unix network of some sort. Personally, I'd rather spend a few more dollars
for a better hub.

--
____________________________________________________________________________
Doug Hughes                                   Engineering Network Services
System/Net Admin                              Auburn University
doug@eng.auburn.edu

From firewalls-owner Tue Feb 3 12:50:51 1998
From: Scott Robert Lenz
Date: Tue, 3 Feb 1998 13:22:44 -0700
To: "Firewalls@GreatCircle.COM"
Subject: RE: Firewalls-Digest V7 #51
Message-ID: <01BD30A6.D0A26550.scott@neologics.com>

Is this on an NT server? If so, IP forwarding opens up a large hole inside
any security perimeter. Although I am not familiar enough with Checkpoint
to know how it intercepts packets, I am surprised that they say that
forwarding must be active.
Even Microsoft states that when using their MS proxy server, IP
forwarding MUST be disabled.

-----Original Message-----
From: Kunal Choudhary [SMTP:kunalc@access.digex.net]
Sent: Tuesday, February 03, 1998 8:01 AM
To: Firewalls@GreatCircle.COM
Subject: Re: Firewalls-Digest V7 #51

Hi all,

I've been told by Checkpoint support that v3.0b needs ip forwarding
turned on at the bastion host to work. They assure me that this is
completely safe, since the firewall inspects all packets anyway. I find
this surprising, esp. considering that v2.1 never required this. Any
feedback will be appreciated.

Thanks

Kunal Choudhary

From firewalls-owner Tue Feb 3 15:28:14 1998
From: Stepken
Organization: Freie Software Systeme
Date: Tue, 03 Feb 1998 23:15:28 +0100
To: Kunal Choudhary
CC: Firewalls@GreatCircle.COM
Subject: Re: Firewalls-Digest V7 #51
References: <199802030633.WAA25789@honor.greatcircle.com> <34D7311E.46FE119@access.digex.net>
Message-ID: <34D79700.6CBAE481@www.firmen-info.de>

Kunal Choudhary wrote:
>
> Hi all,
>
> I've been told by Checkpoint support that v3.0b needs ip forwarding
> turned on at the bastion host to work. They assure me that this is
> completely safe, since the firewall inspects all packets anyway. I find
> this surprising, esp. considering that v2.1 never required this.
> Any feedback will be appreciated.
>
> Thanks
>
> Kunal Choudhary

Nothing can be said against ip-forwarding on a bastion host. Denial of
service attacks on the firewall software itself are very often
successful. In the case that the filter itself is vulnerable (can be
researched with windasm or numega bounds checker) your network is in
very big trouble, because the kernel then forwards all packets by going
back to default settings. NCSA testing center has definitely not
published any troubles with filters while booting up. I recommend
checking your firewall configuration. Don't trust NCSA!

cu, Guido Stepken

From firewalls-owner Tue Feb 3 16:07:34 1998
From: Ming Lu
Date: Tue, 3 Feb 1998 18:15:24 -0500 (EST)
To: Scott Robert Lenz
cc: "Firewalls@GreatCircle.COM"
Subject: RE: Firewalls-Digest V7 #51
In-Reply-To: <01BD30A6.D0A26550.scott@neologics.com>

You were misinformed!

_ming

On Tue, 3 Feb 1998, Scott Robert Lenz wrote:

->Is this on an NT server? If so, IP forwarding opens up a large hole inside
->any security perimeter. Although I am not familiar enough with Checkpoint
->to know how it intercepts packets, I am surprised that they say that
->forwarding must be active. Even Microsoft states that when using their MS
->proxy server, IP forwarding MUST be disabled.
->
->
->
->-----Original Message-----
->From: Kunal Choudhary [SMTP:kunalc@access.digex.net]
->Sent: Tuesday, February 03, 1998 8:01 AM
->To: Firewalls@GreatCircle.COM
->Subject: Re: Firewalls-Digest V7 #51
->
->Hi all,
->
->I've been told by Checkpoint support that v3.0b needs ip forwarding
->turned on at the bastion host to work. They assure me that this is
->completely safe, since the firewall inspects all packets anyway. I find
->this surprising, esp. considering that v2.1 never required this. Any
->feedback will be appreciated.
->
->Thanks
->
->Kunal Choudhary
->

============================================================================
Ming Lu                                    Email: mlu@hq.si.net
Network Tech Consulting Engineer           Phone: 703-689-5290 (w)
Engineering Division                              703-855-4194 (m)
Global One Telecommunications, LLT.               703-689-6575 (f)
============================================================================
"Do not pay attention to every word people say, or you may hear your
servant cursing you ---- for you know in your heart that many times you
yourself have cursed others."

From firewalls-owner Tue Feb 3 16:22:28 1998
From: Stepken
Organization: Freie Software Systeme
Date: Tue, 03 Feb 1998 23:24:47 +0100
Message-ID: <34D7992E.653120DC@www.firmen-info.de>
To: "Michael J.
Maravillo"
CC: Henry Hollenberg, Firewalls@GreatCircle.COM
Subject: Re: http server for bastion host

Michael J. Maravillo wrote:
>
> On Thu, 29 Jan 1998, Henry Hollenberg wrote:
>
> >I saw that the CERN http server was recommended in Chapman and Zwicky so
> >started checking it out, but the first thing I read knocked it:
> [...]
> >Should I look for something else.....they made it sound pretty good in
> >the book, caching and all. Comments?
>
> Get Apache... http://www.apache.org

No! Don't do that!!!!

I really recommend CERN http with chroot() options. Ask Wolfgang Ley from
cert.dfn.de for his special setup. CERN server is bullet proof. Apache
has much too many problems with buffer overflows in certain
configurations. Wait for the next version of LINUX and the corrected GCC
to avoid buffer overflows. Will be out in a few months. (stack, heap
corrections, see geek-girl and stack-patch for gcc)

A bastion host never should have more functions than needed. (no DNS, no
httpd, no direct sendmail....)
cu, Guido Stepken

From firewalls-owner Tue Feb 3 16:56:46 1998
From: Scott Robert Lenz
Date: Tue, 3 Feb 1998 16:35:43 -0700
To: "Firewalls@GreatCircle.COM"
Subject: RE: Firewalls-Digest V7 #51
Message-ID: <01BD30C1.C64DC9D0.scott@neologics.com>

Please elaborate. We have found that even WITH MSProxy enabled AND IP
routing enabled, IP packets were still able to pass through and bypass
the MSProxy server. If you could elaborate how this is NOT possible, I
would be very interested.

Scott Lenz
Director, Network Operations
NeoLogics Software & Services, LLC

-----Original Message-----
From: Ming Lu [SMTP:mlu@privsys.gip.net]
Sent: Tuesday, February 03, 1998 4:15 PM
To: Scott Robert Lenz
Cc: Firewalls@GreatCircle.COM
Subject: RE: Firewalls-Digest V7 #51

You were misinformed!

_ming

On Tue, 3 Feb 1998, Scott Robert Lenz wrote:

->Is this on an NT server? If so, IP forwarding opens up a large hole inside
->any security perimeter. Although I am not familiar enough with Checkpoint
->to know how it intercepts packets, I am surprised that they say that
->forwarding must be active.
->Even Microsoft states that when using their MS
->proxy server, IP forwarding MUST be disabled.
->
->
->
->-----Original Message-----
->From: Kunal Choudhary [SMTP:kunalc@access.digex.net]
->Sent: Tuesday, February 03, 1998 8:01 AM
->To: Firewalls@GreatCircle.COM
->Subject: Re: Firewalls-Digest V7 #51
->
->Hi all,
->
->I've been told by Checkpoint support that v3.0b needs ip forwarding
->turned on at the bastion host to work. They assure me that this is
->completely safe, since the firewall inspects all packets anyway. I find
->this surprising, esp. considering that v2.1 never required this. Any
->feedback will be appreciated.
->
->Thanks
->
->Kunal Choudhary
->

============================================================================
Ming Lu                                    Email: mlu@hq.si.net
Network Tech Consulting Engineer           Phone: 703-689-5290 (w)
Engineering Division                              703-855-4194 (m)
Global One Telecommunications, LLT.               703-689-6575 (f)
============================================================================
"Do not pay attention to every word people say, or you may hear your
servant cursing you ---- for you know in your heart that many times you
yourself have cursed others."
From firewalls-owner Tue Feb 3 18:19:32 1998
From: "Chand Basha"
Date: Tue, 03 Feb 1998 17:32:51 PST
To: Firewalls@GreatCircle.COM
Subject: best firewall
Message-ID: <19980204013251.351.qmail@hotmail.com>

Hi everybody

I am new to this list. I would like to set up a firewall for my company.
I don't know which is the most reliable firewall, hence I request all of
you to suggest me one. I would be very grateful.

Thanks in advance.

Chand.

From firewalls-owner Tue Feb 3 20:37:28 1998
From: Vijay Valayatham
Organization: Telekom Malaysia
Date: Thu, 5 Feb 1998 04:29:08 +0800
To: Marek Kubita
CC: firewalls@GreatCircle.COM
Subject: Re: FW-1 and FIN scanning (was: nmap tool)
References: <19980203125108.30692@corpus.cz>
Message-ID: <34D8CF94.AA3CD1B9@telekom.com.my>

Hi ..

I'm new to the firewall world and have a rather basic question to ask:
What exactly is FIN scanning?

Appreciate the help.

Vijay.

Marek Kubita wrote:
>
> Hi,
>
> a few days ago I made a statement here that FW-1 is not vulnerable
> to FIN-scanning. Unfortunately this is not true; thanks to Robert
> Stahlbrand, who noticed this.
>
> The behavior of FW-1 is quite strange:
>
> If the FIN packets from the scanner match a rule with "Reject" action, the
> FIN-scanning doesn't work: the scanner gets no replies for any scanned ports
> and so nmap reports all ports as listening. The attempts are logged as
> rejected.
>
> However, if the packets are caught by a "Drop" rule, the packets are also
> logged, but they pass through FW-1 to the destination (verified by
> sniffer) and the replies do pass back, so nmap detects the listening
> ports. The packets are logged as dropped.
> > I am forwarding this message to FW-1 mailing list. Maybe this problem can > be solved by some additional INSPECT code in FW-1 configuration. > > On Fri, Jan 30, 1998 at 08:44:48AM +0100, Robert Stahlbrand wrote: > > > So you trust your logs *smile*! > > My logs tells me the same but what happends in reality? > > My first thought was the same as yours. It looked like FW-1 takes care > > of it properly but when I put a sniffer on the inside network I was > > suprised that I saw traffic flowing through my firewall, coming from my > > intruder-Linux box on the outside. > > > > I run FW-1 but a lower version (2.1a) inside our Intranet between the > > backbone of Ericsson-Intranet and into our environment. If you have time > > I would like you to verify this with your 3.0-version. There might be > > differences how that packets are handled. > > What does the the nmap-tool tells you? Does it find any good ports? > > > > Anyone at Checkpoint reading this??? > > > > /Robert St=E5hlbrand, Ericsson Telecom AB > > > > > -----Original Message----- > > > From: Marek Kubita [SMTP:marek@corpus.cz] > > > Sent: den 28 januari 1998 18:26 > > > To: firewalls@GreatCircle.COM > > > Subject: Re: nmap tool > > > > > > On Sat, Jan 24, 1998 at 09:37:33AM +0100, Robert Stahlbrand wrote: > > > > [...] > > > > One example is that you can scan through your packetfiltering firewall > > > > (such as Checkpoints FW-1) and see what ports that are open on machines > > > > behind the firewall. This method is called FIN-scanning and as you > > > > probably know, a packet-filtering firewall ONLY looks at packets with the > > > > SYN-flag set (initiation of a TCP-session) which means that packets with > > > > the FIN-flag set will actually PASS YOUR FIREWALL. > > > > [...] > > > > > > I tried nmap FIN scanning with Checkpoint FW-1 v3.0 and the packets > > > were correctly dropped and logged. The FW-1 checks every packet, not just > > > SYN ones. > > > > > -- > . 
Marek Kubita, Corpus spol.s r.o., Praha 10, Sluzeb 4 : > : Czech Republic . > : tel. +420-2-701719, 701748, fax 704814 . ---------------------------------------------------------------- Vijay Valayatham COINS Project Telekom Malaysia. From firewalls-owner Tue Feb 3 21:22:42 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id VAA21134; Tue, 3 Feb 1998 21:07:08 -0800 (PST) Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id VAA21114 for ; Tue, 3 Feb 1998 21:07:01 -0800 (PST) Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id KAA28054; Tue, 3 Feb 1998 10:03:16 -0500 Date: Tue, 3 Feb 1998 10:03:13 -0500 (EST) From: Rabid Wombat To: Rick Osteen cc: Firewalls@GreatCircle.COM Subject: Re: smurf attach In-Reply-To: <1.5.4.32.19980202035957.00723fbc@elp.rr.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Smurf attacks use a third-party system to attack a target. The third-party system has directed broadcast enabled, and has a fat-pipe to the Internet. The attacker can generate a huge flood of broadcasts from the third-party system, without needing a fat-pipe connection of their own. The use of the third-party system also makes tracking somewhat difficult. -r.w. On Sun, 1 Feb 1998, Rick Osteen wrote: > Sorry for the ignorance, but what is a "Smurf Attack"? 
> > Thanks for any insight, > Rick Osteen > > From firewalls-owner Tue Feb 3 23:04:26 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id WAA08565; Tue, 3 Feb 1998 22:42:38 -0800 (PST) Received: from tyche.credo.net (tyche.credo.net [199.107.168.8]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id WAA08528 for ; Tue, 3 Feb 1998 22:42:21 -0800 (PST) Received: from alectrona.credo.net (alectrona.credo.net [199.107.168.9]) by tyche.credo.net (8.8.8/8.8.8) with SMTP id WAA02639; Tue, 3 Feb 1998 22:47:43 -0800 (PST) Message-Id: <3.0.32.19980203235503.00c1027c@199.107.168.8> Received: from john.credo.net by alectrona.credo.net via smtpd (for mail.credo.net [199.107.168.8]) with SMTP; 4 Feb 1998 06:46:57 UT X-Sender: john@199.107.168.8 X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Tue, 03 Feb 1998 23:55:04 +0000 To: "Chand Basha" From: John Whittaker Subject: Re: best firewall Cc: firewalls@greatcircle.com Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk hi chand, that is kind of a loaded question. everyone on this list is going to have their own opinion. for my money, i like raptor if you are in an nt environment and tis if you are in a unix environment. but there are situations that i would not recommend either. your best bet is to find a good consultant to help you evaluate your needs and come up with the best possible solution. remember that a firewall is not a silver bullet for security problems, it is just one piece of a comprehensive security policy/posture. good luck. best, john. At 05:32 PM 2/3/98 PST, you wrote: >Hi everybody > >I am new to this list. I would like to setup a firewall for my company. >I don't which is the most reliable firewall hence I request all of you >to suggest me one. > >I would be very grateful. > >Thanks in advance. >Chand. 
> >______________________________________________________ >Get Your Private, Free Email at http://www.hotmail.com > --------------------------------------------------------------------------- ZONEOFTRUST a division of Credo Computer Systems, Inc. --------------------------------------------------------------------------- 22941 Triton Way, 2nd Floor Laguna Hills, CA 92653 (714) 859-0196 tel. (714) 452-0513 fax. http://www.zoneoftrust.com From firewalls-owner Tue Feb 3 23:52:23 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA18242; Tue, 3 Feb 1998 23:38:53 -0800 (PST) Received: from penguin.wise.edt.ericsson.se (penguin-ext.wise.edt.ericsson.se [194.237.142.5]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id XAA18207 for ; Tue, 3 Feb 1998 23:38:35 -0800 (PST) Received: from geek.nmac.ericsson.se (geek.nmac.ericsson.se [130.100.187.83]) by penguin.wise.edt.ericsson.se (8.7.5/8.7.3/glacier-1.12) with ESMTP id IAA20503 for ; Wed, 4 Feb 1998 08:43:55 +0100 (MET) Received: from haig.oplab.nmac.ericsson.se (haig.oplab.nmac.ericsson.se [130.100.187.85]) by geek.nmac.ericsson.se (8.8.5/8.8.5) with ESMTP id JAA29099 for ; Wed, 4 Feb 1998 09:45:55 +0100 Received: by haig.oplab.nmac.ericsson.se with Internet Mail Service (5.0.1457.3) id <114V7RF4>; Wed, 4 Feb 1998 08:43:54 +0100 Message-ID: <43BED8177D10D011A69A0800092C15D70F3519@haig.oplab.nmac.ericsson.se> From: =?iso-8859-1?Q?Robert_St=E5hlbrand?= To: "'Vijay Valayatham'" Cc: "'firewalls@greatcircle.com'" Subject: RE: FW-1 and FIN scanning (was: nmap tool) Date: Wed, 4 Feb 1998 08:43:50 +0100 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1457.3) Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi! 
Read this phrack-magazine article: http://www.infowar.com/iwftp/Phrack49/P49-15.txt /Robert St=E5hlbrand, Ericsson Telecom AB in Sweden > -----Original Message----- > From: Vijay Valayatham [SMTP:vijay@telekom.com.my] > Sent: den 4 februari 1998 21:29 > To: Marek Kubita > Cc: firewalls@GreatCircle.COM > Subject: Re: FW-1 and FIN scanning (was: nmap tool) >=20 > Hi .. I'm new to the firewall world and have a rather basic question > to > ask: What exactly is FIN scanning? Appreciate the help. >=20 > Vijay. >=20 > Marek Kubita wrote: > >=20 > > Hi, > >=20 > > a few days ago I have made a statement here that FW-1 is not > vulnerable > > to FIN-scanning. Unfortunately this is not true; thanks to Robert > > Stahlbrand, who noticed this. > >=20 > > The behavior of FW-1 is quite strange: > >=20 > > If the FIN packets from the scanner match a rule with "Reject" > action, the > > FIN-scanning doesn't work: scanner gets no replies for any scanned > ports > > and so nmap reports all ports as listening. The attempts are logged > as > > rejected. > >=20 > > However, if the packets are caught by "Drop" rule, the packets are > also > > logged, but they pass through FW-1 to the destination (verified by > > sniffer) and the replies do pass back, so nmap detects the = listening > > ports. The packets are logged as dropped. > >=20 > > I am forwarding this message to FW-1 mailing list. Maybe this > problem can > > be solved by some additional INSPECT code in FW-1 configuration. > >=20 > > On Fri, Jan 30, 1998 at 08:44:48AM +0100, Robert Stahlbrand wrote: > >=20 > > > So you trust your logs *smile*! > > > My logs tells me the same but what happends in reality? > > > My first thought was the same as yours. It looked like FW-1 takes > care > > > of it properly but when I put a sniffer on the inside network I > was > > > suprised that I saw traffic flowing through my firewall, coming > from my > > > intruder-Linux box on the outside. 
> > > > > > I run FW-1 but a lower version (2.1a) inside our Intranet between > the > > > backbone of Ericsson-Intranet and into our environment. If you > have time > > > I would like you to verify this with your 3.0-version. There = might > be > > > differences how that packets are handled. > > > What does the the nmap-tool tells you? Does it find any good > ports? > > > > > > Anyone at Checkpoint reading this??? > > > > > > /Robert St=3DE5hlbrand, Ericsson Telecom AB > > > > > > > -----Original Message----- > > > > From: Marek Kubita [SMTP:marek@corpus.cz] > > > > Sent: den 28 januari 1998 18:26 > > > > To: firewalls@GreatCircle.COM > > > > Subject: Re: nmap tool > > > > > > > > On Sat, Jan 24, 1998 at 09:37:33AM +0100, Robert Stahlbrand > wrote: > > > > > [...] > > > > > One example is that you can scan through your packetfiltering > firewall > > > > > (such as Checkpoints FW-1) and see what ports that are open = on > machines > > > > > behind the firewall. This method is called FIN-scanning and = as > you > > > > > probably know, a packet-filtering firewall ONLY looks at > packets with the > > > > > SYN-flag set (initiation of a TCP-session) which means that > packets with > > > > > the FIN-flag set will actually PASS YOUR FIREWALL. > > > > > [...] > > > > > > > > I tried nmap FIN scanning with Checkpoint FW-1 v3.0 and the > packets > > > > were correctly dropped and logged. The FW-1 checks every = packet, > not just > > > > SYN ones. > > > > > >=20 > > -- > > . Marek Kubita, Corpus spol.s r.o., Praha 10, Sluzeb 4 : > > : Czech Republic . > > : tel. +420-2-701719, 701748, fax 704814 . >=20 >=20 > ---------------------------------------------------------------- > Vijay Valayatham > COINS Project > Telekom Malaysia. 
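The thread above asks what FIN scanning is and explains why a packet filter that only inspects SYN packets lets it through. As an added example that is not part of the thread (constructed addresses, ports and hosts, not anyone's firewall), the following Python model contrasts a SYN-only rule check with a state-table check, shows how a closed port's RST reply leaks which ports listen, and ends with a defensive check that flags bare-FIN probes spread across many ports.

```python
from collections import defaultdict
from dataclasses import dataclass

SYN, ACK, FIN, RST = 0x02, 0x10, 0x01, 0x04  # TCP flag bits


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def is_syn(seg):
    """A session-initiating segment: SYN set, ACK clear."""
    return bool(seg.flags & SYN) and not seg.flags & ACK


def syn_only_permit(seg, allowed_dports):
    """Stateless rule check that only examines session-initiating segments,
    the packet-filter behaviour described in the thread above. A bare FIN
    is not a SYN, so it is never compared with the rule base at all."""
    if is_syn(seg):
        return seg.dport in allowed_dports
    return True  # assumed to belong to an already-permitted session


class StatefulFilter:
    """Admits a non-SYN segment only if a permitted SYN for the same pair of
    endpoints was recorded earlier; a FIN probe has no entry and is dropped."""

    def __init__(self, allowed_dports):
        self.allowed = set(allowed_dports)
        self.table = set()

    @staticmethod
    def _key(seg):
        # Unordered endpoint pair, so replies in the reverse direction match too.
        return frozenset({(seg.src, seg.sport), (seg.dst, seg.dport)})

    def permit(self, seg):
        if is_syn(seg):
            if seg.dport in self.allowed:
                self.table.add(self._key(seg))
                return True
            return False
        return self._key(seg) in self.table


def host_reply(seg, listening_ports):
    """Reply of a host to a segment that belongs to no session: a closed port
    answers RST, a listening port silently drops a bare FIN (RFC 793). That
    asymmetry is what a FIN scan measures."""
    return None if seg.dport in listening_ports else "RST"


def fin_probe_view(permit, listening_ports, scanner, target, ports):
    """What a scanner sending one bare-FIN segment per port learns through a
    filter whose decision function is `permit`: {port: 'closed'|'no-reply'}."""
    view = {}
    for port in ports:
        probe = Segment(scanner, 40000 + port, target, port, FIN)
        if permit(probe) and host_reply(probe, listening_ports) == "RST":
            view[port] = "closed"
        else:
            view[port] = "no-reply"
    return view


def detect_fin_probes(segments, min_ports=5):
    """Defensive check over observed segments: a source sending FIN-without-ACK
    segments to many distinct ports on one host is reported as a probable FIN
    scanner. Normal teardown carries FIN together with ACK and is not counted."""
    touched = defaultdict(set)
    for seg in segments:
        if seg.flags & FIN and not seg.flags & ACK:
            touched[(seg.src, seg.dst)].add(seg.dport)
    return {pair: sorted(p) for pair, p in touched.items() if len(p) >= min_ports}


if __name__ == "__main__":
    # Constructed lab: the rule base only admits port 80, but the inside host
    # also listens on 22 and 4005.
    scanner, target = "203.0.113.5", "192.0.2.10"
    listening, allowed, ports = {22, 80, 4005}, {80}, [22, 23, 80, 4005, 4006]
    stateless = fin_probe_view(lambda s: syn_only_permit(s, allowed),
                               listening, scanner, target, ports)
    stateful = fin_probe_view(StatefulFilter(allowed).permit,
                              listening, scanner, target, ports)
    print("SYN-only filter :", stateless)  # 22, 80 and 4005 stand out as no-reply
    print("stateful filter :", stateful)   # every port looks the same
    probes = [Segment(scanner, 40000 + p, target, p, FIN) for p in ports]
    print("flagged         :", detect_fin_probes(probes))
```

Behind the SYN-only filter the three listening ports are the only ones without an RST, which is exactly the leak the thread describes; behind the state table all five probes are dropped and the scanner learns nothing.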
From firewalls-owner Wed Feb 4 00:37:23 1998
From: JJ1221@YAHOO.COM
To: JJ1221@YAHOO.COM
Subject: Cash for your equity
Date: Wed, 4 Feb 1998 09:59:51 GMT
Message-Id: <199802040959.JAA09914@mail.telstar.net>

Mortgage rates are at an all time low! If you live in the U.S., own a home, and need any of the following:

· One easy low payment for all your debts.
· Cash for home improvements, vacations, etc.
· Money for your child's education.
· A lower interest rate 2nd mortgage
· An interest deduction on the money you borrowed rather than paying on your current high interest rate debts, with no tax savings.

Be debt free up to 3 times faster than what you are currently paying off. Pay off your car and credit card loans. Apply today with Barrington Capital's easy no cost, or obligation online application to see how to make a home equity loan work for you!

**Even if you have been denied before, we may be able to help you! We fund with our own money!

http://www.loans-usa.com

APPLY TODAY, IT'S FREE!!

You can also call 714 225-7440 for more information.

BARRINGTON CAPITAL
http://www.loans-usa.com

(removes-your address was given to us as someone who may be interested in a loan... if you would like to be removed please reply with "remove" in the subject heading to: JJ1221@YAHOO.COM

From firewalls-owner Wed Feb 4 01:22:33 1998
From: Robert Ståhlbrand
To: "'Volkmar Scharf'"
Cc: "'firewalls@greatcircle.com'"
Subject: RE: FW-1 and FIN scanning (was: nmap tool)
Date: Wed, 4 Feb 1998 09:57:08 +0100
Message-ID: <43BED8177D10D011A69A0800092C15D70F351C@haig.oplab.nmac.ericsson.se>

Volkmar Scharf pointed out that the URL I pointed out was wrong. Sorry for wasting bandwidth. Here is the correct URL!

http://www.infowar.com/iwftp/Phrack/Phrack49/P49-15.txt

> -----Original Message-----
> From: Volkmar Scharf [SMTP:Volkmar.Scharf@rrze.uni-erlangen.de]
> Sent: den 4 februari 1998 09:53
> To: Robert Ståhlbrand
> Subject: Re: FW-1 and FIN scanning (was: nmap tool)
>
> Robert Ståhlbrand wrote:
> >
> > Hi!
> >
> > Read this phrack-magazine article:
> > http://www.infowar.com/iwftp/Phrack49/P49-15.txt
> >
> > /Robert Ståhlbrand, Ericsson Telecom AB in Sweden
> >
> Hi,
> the url seems to be wrong:
>
> 404 Not Found
> The requested URL was not found on this server:
> /iwftp/Phrack49/P49-15.txt
> (g:\domains\infowar\htdocs\users\iwftp\Phrack49\P49-15.txt)
>
> Yours,
> --
> Volkmar Scharf
> ______________________________________________________________
> Regionales Rechenzentrum Erlangen -Abt. Kommunikationssysteme-
> Martensstr. 1 D-91058 Erlangen Tel. +49 (9131) 85 8134
> http://home.rrze.uni-erlangen.de/~unrz34

From firewalls-owner Wed Feb 4 04:53:37 1998
From: Steve Birnbaum
To: Robert Ståhlbrand
Cc: "'Marek Kubita'", "'firewalls@greatcircle.com'"
Subject: Re: FW-1 and FIN scanning (was: nmap tool)
Date: Wed, 04 Feb 1998 13:29:51 +0200
Message-ID: <19980204112952.10967.qmail@softworx.netvision.net.il>
In-Reply-To: Your message of "Wed, 04 Feb 1998 12:21:38 +0100." <43BED8177D10D011A69A0800092C15D70F3520@haig.oplab.nmac.ericsson.se>

robert.stahlbrand@nmac.ericsson.se said:
> I think this is done with a cache with all current connections.
> When you clear the table (installing a policy) he just puts this cache somewhere and after it has been installed lifting the cache back in the system. Why should you put in more effort?

I'm not so sure about that. Like I said, my understanding is that the connections allowed in are those that might be possible given the outgoing rules. That way it can dynamically rebuild the state table without having to re-establish the connection. If something claiming to be established from outsidebox:80 is allowed to insidebox:4005, then if insidebox doesn't reset the connection but rather responds to it, then it was "surely" part of an established session, allowing the firewall to add it to the table.

Steve

--
sbirn@security.org.il Phone: +972-2-6795860 (PGP key available)
Fight Internet Spam! http://www.vix.com/spam/ Disclaimer: My opinions only.

From firewalls-owner Wed Feb 4 05:23:58 1998
From: Robert Ståhlbrand
To: "'Steve Birnbaum'", "'Marek Kubita'"
Cc: "'firewalls@greatcircle.com'"
Subject: RE: FW-1 and FIN scanning (was: nmap tool)
Date: Wed, 4 Feb 1998 10:40:27 +0100
Message-ID: <43BED8177D10D011A69A0800092C15D70F351E@haig.oplab.nmac.ericsson.se>

Hi again!

Been doing some testing with my version of Checkpoint's FW-1 (ver 2.1a).

1) First, there is no difference in how the packets are handled whether you drop or reject the packets with your ruleset in version 2.1a. The packets are, according to the log, correctly dropped or rejected, but the packets are passing through to the destination.

2) The packets passing through are holding all data intact, not only headers, and even if Steve is right I wouldn't consider this a feature (even if Checkpoint had this intention). Every way you can scan your hosts on the inside network must be considered a bug. If I knew how, I would shut off this feature. How often do you install a new ruleset? If you do it every day, think again! If you do it every week, think again! If you do it once a month some may get hung or rejected by some ICMP (destination unreachable) but what the heck. You can live with that!!!

And when I think, I don't understand why the connection would close. I can unplug my wire for an hour and when I attach it again my telnet session (for example) is not closed (unless you hit a key while it's lost), and in this case when you install a new ruleset it shouldn't hang for more than a second or something like that.

3) I think there are other firewalls vulnerable to this type of scanning. Why don't you guys out there give it a try. I know that Cisco's IOS 9.X, 10.X, 11.X are immune.

Marek Kubita, can you see if data is passing through in version 3.0 and report back if it does?

By the way, thank you for the politeness in your last mail.

/Robert Ståhlbrand, Ericsson Telecom AB

> -----Original Message-----
> From: Steve Birnbaum [SMTP:sbirn@security.org.il]
> Sent: den 3 februari 1998 16:31
> To: firewalls@GreatCircle.COM
> Cc: Marek Kubita
> Subject: Re: FW-1 and FIN scanning (was: nmap tool)
>
> marek@corpus.cz said:
> > However, if the packets are caught by "Drop" rule, the packets are also logged, but they pass through FW-1 to the destination (verified by sniffer) and the replies do pass back, so nmap detects the listening ports. The packets are logged as dropped.
>
> I believe this is considered a "feature". Check if the data of the original packet was passed through or if it is just the header. I believe the reason for this is to allow sessions interrupted by an installation of the policy to not be terminated when the state table is cleared. However, I believe that only packets that would possibly be allowed by a reverse rule will see such behaviour.
>
> There was a message a couple of months ago to this list that made the same discovery.
>
> Steve
>
> --
> sbirn@security.org.il Phone: +972-2-6795860 --Standard Disclaimer--
> Fight Internet Spam! http://www.vix.com/spam/ (PGP key available)
>
> << File: ATT00131.ATT >>

From firewalls-owner Wed Feb 4 05:48:44 1998
From: Robert Ståhlbrand
To: "'Steve Birnbaum'", "'Marek Kubita'"
Cc: "'firewalls@greatcircle.com'"
Subject: RE: FW-1 and FIN scanning (was: nmap tool)
Date: Wed, 4 Feb 1998 12:21:38 +0100
Message-ID: <43BED8177D10D011A69A0800092C15D70F3520@haig.oplab.nmac.ericsson.se>

> -----Original Message-----
> From: Steve Birnbaum [SMTP:sbirn@security.org.il]
> Sent: den 4 februari 1998 11:03
> To: Robert Ståhlbrand
> Cc: 'Marek Kubita'; 'firewalls@greatcircle.com'
> Subject: Re: FW-1 and FIN scanning (was: nmap tool)
>
> robert.stahlbrand@nmac.ericsson.se said:
> > And when I think I don't understand why the connection would close. I
> > can unplug my wire for an hour and when I attach it again my
> > telnet-session (for example) is not closed (unless you hit a key while
>
> Unlike a packet filter where you generally allow all established traffic, Firewall-1 keeps a state table of open connections and dynamically allows only the required established traffic. My understanding is that re-installing the policy clears the state table. Therefore, you'd have to send out a new SYN in order for it to add a new entry to the state table if it didn't have some way to dynamically re-add running sessions.
>
> [Robert Ståhlbrand]
> That is one of the strengths of Checkpoint 8-) (not allowing established packets in general).
> What you say is that Checkpoint caches all the current connections and when you clear the state table re-establishes the connections. Is this done with a new SYN packet? Not very likely, is it? How would you do that? Shall the firewall send out the SYN packet to the destination address with the initiator's IP address? That is spoofing, and how should the initiator know that the firewall has sent out this packet and accept the SYN,ACK he receives back? This won't work and you cannot force the initiator to resend a SYN packet without losing the current connection (or force him at all).
> I think this is done with a cache with all current connections. When you clear the table (installing a policy) he just puts this cache somewhere and after it has been installed lifting the cache back in the system. Why should you put in more effort?
>
> If I'm wrong here please describe the progress!
>
> I still don't see the connection between dropping packets and re-establishing connections and why only with dropping-packet rules you can pass a not-established connection???
>
>
> However, I agree that this behaviour is not well known and I would personally rather see sessions lost than allow the ability to scan the network. The least that could be done is to make this an option, disabled by default, with a nice red friendly warning that pops up when you try to enable it.
>
> I am, however, concerned about your statement that data is passing through. Hopefully this behaviour is unique to pre-version 3.
> [Robert Ståhlbrand]
>
> We will receive an answer on that pretty soon, I assume from Marek Kubita?
>
> Steve
>
> --
> sbirn@security.org.il Phone: +972-2-6795860 (PGP key available)
> Fight Internet Spam! http://www.vix.com/spam/ Disclaimer: My opinions only.
>
> << File: ATT00173.ATT >>
> [Robert Ståhlbrand]
>
> /Robert Ståhlbrand, Ericsson Telecom AB

From firewalls-owner Wed Feb 4 05:53:34 1998
From: Stefan Schmidt
To: Firewalls@GreatCircle.COM
Subject: Re: Firewalls-Digest V7 #53
Date: Wed, 4 Feb 1998 14:45:54 +0100 (MET)
In-Reply-To: <199802040438.UAA16847@honor.greatcircle.com>
MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, At 08:50 2/02/98 +0100, Marc Heuse wrote: >I found a very easy way to detect a sniffing computer from remote. you should have mentioned where you've read about this "send the echo request to the wrong MAC address" trick and give proper credit. Among other techniques it has been discussed in comp.security.unix beginning Oct 17th 1997 ("Finding a machine which is sniffing on the network") and the "send the echo request to the wrong MAC address" idea was brought up 19th Oct. The old articles of comp.security.unix can be retrieved through www.dejanews.com's power search in the old database. stefan From firewalls-owner Wed Feb 4 06:25:31 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA09190; Wed, 4 Feb 1998 05:42:42 -0800 (PST) Received: from penguin.wise.edt.ericsson.se (penguin-ext.wise.edt.ericsson.se [194.237.142.5]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id FAA09054 for ; Wed, 4 Feb 1998 05:42:11 -0800 (PST) Received: from geek.nmac.ericsson.se (geek.nmac.ericsson.se [130.100.187.83]) by penguin.wise.edt.ericsson.se (8.7.5/8.7.3/glacier-1.12) with ESMTP id OAA24381 for ; Wed, 4 Feb 1998 14:47:26 +0100 (MET) Received: from haig.oplab.nmac.ericsson.se (haig.oplab.nmac.ericsson.se [130.100.187.85]) by geek.nmac.ericsson.se (8.8.5/8.8.5) with ESMTP id PAA31017 for ; Wed, 4 Feb 1998 15:49:23 +0100 Received: by haig.oplab.nmac.ericsson.se with Internet Mail Service (5.0.1457.3) id <114V7RL8>; Wed, 4 Feb 1998 14:47:21 +0100 Message-ID: <43BED8177D10D011A69A0800092C15D70F3524@haig.oplab.nmac.ericsson.se> From: =?iso-8859-1?Q?Robert_St=E5hlbrand?= To: "'Steve Birnbaum'" , "'Marek Kubita'" Cc: "'firewalls@greatcircle.com'" Subject: RE: FW-1 and FIN scanning (was: nmap tool) Date: Wed, 4 Feb 1998 14:47:19 +0100 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1457.3) 
Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Another hi! We pretty much mean the same thing. The thing you said about a new SYN from "it" did confuse me. You meant a new "SYN" (not really a packet with SYN, just a SYN-alike order to the state-table) to the = state-table. But there is something importent that we have missed that all of a sudden hit me. I don't think that FW-1 consider a packet with a = FIN-flag set to be a part of an established connection! What does FIN-mean? It's a demand to take the session down! That is why is passes through... /Robert St=E5hlbrand, Ericsson Telecom AB > -----Original Message----- > From: Steve Birnbaum [SMTP:sbirn@security.org.il] > Sent: den 4 februari 1998 12:30 > To: Robert St=E5hlbrand > Cc: 'Marek Kubita'; 'firewalls@greatcircle.com' > Subject: Re: FW-1 and FIN scanning (was: nmap tool)=20 >=20 >=20 > robert.stahlbrand@nmac.ericsson.se said: > > If think this is done with a cache with all current connections. > When > > you clear the table (installing a policy) he just puts this cache > > somewhere and after it has been installed lifting the cache back in > > the system. Why should you put in more effort? >=20 > I'm not so sure about that. Like I said, my understanding is that = the > connections allowed in are those that might be possible given the > outgoing > rules. That way it can dynamically rebuild the state table without > having > to re-establish the connection. > If something claiming to be established > from outsidebox:80 is allowed to insidebox:4005 then if insidebox > doesn't > reset the connection but rather responds to it, then it was "surely" > part of > an established session, allowing the firewall to add it to the table. >=20 > Steve >=20 > --=20 > sbirn@security.org.il Phone: +972-2-6795860 (PGP key available) > Fight Internet Spam! http://www.vix.com/spam/ Disclaimer: My > opinions only. 
>=20 > << File: ATT00187.ATT >>=20 From firewalls-owner Wed Feb 4 06:37:33 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id BAA08826; Wed, 4 Feb 1998 01:57:37 -0800 (PST) Received: from softworx.netvision.net.il (softworx.NetVision.net.il [194.90.1.40]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id BAA08807 for ; Wed, 4 Feb 1998 01:57:23 -0800 (PST) Received: (qmail 10577 invoked by uid 1000); 4 Feb 1998 10:02:49 -0000 Message-ID: <19980204100249.10575.qmail@softworx.netvision.net.il> X-Mailer: exmh version 2.0.1 12/23/97 To: =?iso-8859-1?Q?Robert_St=E5hlbrand?= Cc: "'Marek Kubita'" , "'firewalls@greatcircle.com'" From: Steve Birnbaum Subject: Re: FW-1 and FIN scanning (was: nmap tool) In-Reply-To: Your message of "Wed, 04 Feb 1998 10:40:27 +0100." <43BED8177D10D011A69A0800092C15D70F351E@haig.oplab.nmac.ericsson.se> Mime-Version: 1.0 Content-Type: multipart/signed; boundary="==_Exmh_378855008P"; micalg=pgp-md5; protocol="application/pgp-signature" Content-Transfer-Encoding: 7bit Date: Wed, 04 Feb 1998 12:02:49 +0200 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk --==_Exmh_378855008P Content-Type: text/plain; charset=us-ascii robert.stahlbrand@nmac.ericsson.se said: > And when I think I don't understand why the connection would close. I > can unplug my wire for an hour and when I attach it again my > telnet-session (for example) is not closed (unless you hit a key while Unlike a packet filter where you generally allow all established traffic, Firewall-1 keeps a state table of open connections and dynamically allows only the required established traffic. My understanding is that re-installing the policy clears the state table. Therefore, you'd have to send out a new SYN in order for it to add a new entry to the state table if it didn't have some way to dynamically re-add running sessions. 
However, I agree that this behaviour is not well known and I would personally rather see sessions lost than allow the ability to scan the network. The least that could be done is to make this an option, disabled by default, with a nice red friendly warning that pops up when you try to enable it.

I am, however, concerned about your statement that data is passing through. Hopefully this behaviour is unique to pre-version 3.

Steve

--
sbirn@security.org.il Phone: +972-2-6795860 (PGP key available)
Fight Internet Spam! http://www.vix.com/spam/ Disclaimer: My opinions only.

From firewalls-owner Wed Feb 4 07:35:16 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA12622; Wed, 4 Feb 1998 02:36:50 -0800 (PST) Received: from hotmail.com (f80.hotmail.com [207.82.250.186]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id CAA12615 for ; Wed, 4 Feb 1998 02:36:45 -0800 (PST) Received: (qmail 15350 invoked by uid 0); 4 Feb 1998 10:42:12 -0000 Message-ID: <19980204104212.15349.qmail@hotmail.com> Received: from 203.120.247.87 by www.hotmail.com with HTTP; Wed, 04 Feb 1998 02:42:12 PST X-Originating-IP: [203.120.247.87] From: "Chand Basha" To: Firewalls@GreatCircle.COM Subject: firewall Content-Type: text/plain Date: Wed, 04 Feb 1998 02:42:12 PST Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi Friends

I got the solution for my question with subject as: best firewall.
I would like to thank all of you for your valuable suggestions.

Chand
______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com

From firewalls-owner Wed Feb 4 07:58:40 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA03312; Wed, 4 Feb 1998 07:42:02 -0800 (PST) Received: from ns.datagram.be (ns.datagram.be [195.0.100.253]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id HAA03300 for ; Wed, 4 Feb 1998 07:41:54 -0800 (PST) Received: from canabis.drug.be (dialup006.liege.eunet.be [193.74.147.6]) by ns.datagram.be (8.8.8/8.8.8) with ESMTP id RAA04368; Wed, 4 Feb 1998 17:21:46 +0100 Message-ID: X-Mailer: XFMail 1.2-beta-111997 [p0] on Linux X-Priority: 3 (Normal) Content-Type: text/plain; charset=iso-8859-2 Content-Transfer-Encoding: 8bit MIME-Version: 1.0 In-Reply-To: <34D056E3.D988F1E5@bull.ch> Date: Wed, 04 Feb 1998 16:45:42 +0100 (MET) Reply-To: manu@acm.org Organization: http://linux.rtfm.be From: Emmanuel Tychon To: John Morgan Salomon Subject: RE: Plaintext log files on firewall Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On 29-Jan-98 John Morgan Salomon wrote:
> I'd be interested in hearing what people have to say regarding
> the advisability of storing log or alert files on a firewall
> machine in encrypted/binary format as opposed to plain ascii
> text?

On Linux machines, you can mount and unmount fully encrypted partitions (encryption done by DES). If this partition is used to log messages in /var/log or /var/adm, the game can begin. DES kernel encryption needs a little hack, see the Cryptographic-Filesystems HOWTO. When your Linux boots, you can see this:

..
loop: registered device at major 7
loop: DES encryption available
..
---
Member of the ACM. Look http://www.acm.org
Emmanuel Tychon, nic-hdl: ET99-RIPE, nic-irc: kosinus
Don't be assimilated, use Linux!
PGP key on http://pgp.ai.mit.edu

From firewalls-owner Wed Feb 4 08:08:17 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA03499; Wed, 4 Feb 1998 07:42:57 -0800 (PST) Received: from ns.datagram.be (ns.datagram.be [195.0.100.253]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id HAA03333 for ; Wed, 4 Feb 1998 07:42:11 -0800 (PST) Received: from canabis.drug.be (dialup006.liege.eunet.be [193.74.147.6]) by ns.datagram.be (8.8.8/8.8.8) with ESMTP id RAA04387 for ; Wed, 4 Feb 1998 17:22:18 +0100 Message-ID: X-Mailer: XFMail 1.2-beta-111997 [p0] on Linux X-Priority: 3 (Normal) Content-Type: text/plain; charset=iso-8859-2 Content-Transfer-Encoding: 8bit MIME-Version: 1.0 In-Reply-To: <51D5AE1F9F4ED111A1D6004033CAC69624BA@MAIL01> Date: Wed, 04 Feb 1998 16:46:21 +0100 (MET) Reply-To: manu@acm.org Organization: http://linux.rtfm.be From: Emmanuel Tychon To: "firewalls@GreatCircle.COM" Subject: RE: MS ProxyServer 2.0 sucks Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On 27-Jan-98 Lachlan McIntosh wrote:
> Microsoft Proxy Server is not just a HTTP based proxy.
> It works VERY well and is well worth the cost, and for the most part the
> small cost of proxy server is irrelevant
> to organisations who are already running NT and have already invested in
> client access licences for NT.
> Linux or BSD currently don't have any technology that comes close.

You forget the most important part of the MSPS 2.0: the clients need to install the "Microsoft Proxy Client". This client exists only for Windows based machines, thus say goodbye to other OSes.
I think this is a solution for the dummies.

---
Micro$oft -> Where do you want to crash today?
Emmanuel Tychon, nic-hdl: ET99-RIPE, nic-irc: kosinus
Don't be assimilated, use Linux!
PGP key on http://pgp.ai.mit.edu

From firewalls-owner Wed Feb 4 09:33:59 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA10777; Wed, 4 Feb 1998 08:26:05 -0800 (PST) Received: from romeo.vhb.com ([204.243.173.175]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id IAA10601 for ; Wed, 4 Feb 1998 08:25:28 -0800 (PST) Received: by ROMEO with Internet Mail Service (5.0.1458.49) id <1H76MB5V>; Wed, 4 Feb 1998 11:38:01 -0500 Message-ID: <3A3A180B313CD111A10500609797FEE9C1A7F9@ROMEO> From: "Wall, Chris" To: "'Firewalls@GreatCircle.com'" Subject: Microsoft, TIS, ICSA, and Trend Micro getting together ???? Date: Wed, 4 Feb 1998 11:37:59 -0500 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.49) Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Check out: http://www.casal.com/semreg.htm

Executive Level Presenters from ICSA, Microsoft, Trend Micro, and Trusted Information Systems

Microsoft presents Proxy Server(tm) 2.0, .....

Trusted Information Systems presents Gauntlet® Firewalls for Windows NT. Gauntlet firewalls combine a high-security application gateway and easy management. Designed to complement Proxy Server 2.0 as well as existing security solutions.

Trend Micro presents InterScan VirusWall(tm). Designed especially for Proxy Server 2.0, ......

Any thoughts on this "alliance" ................

Chris Wall
Network Administrator

hmmmmmmm..........
From firewalls-owner Wed Feb 4 09:53:05 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA22788; Wed, 4 Feb 1998 09:34:33 -0800 (PST) Received: from unet.net.com (unet.net.com [134.56.1.48]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id JAA22779 for ; Wed, 4 Feb 1998 09:34:25 -0800 (PST) Received: from wimsey.net.com by unet.net.com (SMI-8.6/SMI-SVR4) id JAA12932; Wed, 4 Feb 1998 09:34:54 -0800 Received: from masala.net.com by wimsey.net.com (SMI-8.6/SMI-SVR4) id JAA11918; Wed, 4 Feb 1998 09:40:10 -0800 Received: from masala by masala.net.com (SMI-8.6/SMI-SVR4) id JAA29764; Wed, 4 Feb 1998 09:40:12 -0800 Message-Id: <199802041740.JAA29764@masala.net.com> Date: Wed, 4 Feb 1998 09:40:12 -0800 (PST) From: Sonu Nayyar Reply-To: Sonu Nayyar Subject: SecurRemote Problems (Win 95) To: Firewalls@GreatCircle.COM Cc: sonu@net.com MIME-Version: 1.0 Content-Type: TEXT/plain; charset=us-ascii Content-MD5: 2HAzbkRd9TC7yDwxeNpgUQ== X-Mailer: dtmail 1.2.0 CDE Version 1.2 SunOS 5.6 sun4m sparc Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

We are having some problems getting a Win95 machine running SecuRemote 3.0 to talk with our firewall. The firewall has been set up with VPN and the rule is created. The Win95 machine has no problem connecting to the firewall and exchanging the keys and authenticating. But, when the actual request (for example ftp) is made, there is a connection time out on the Win95 machine. I don't see any packets coming in to the firewall either.

When I remove the SecuRemote daemon on the Win95 machine I can ftp fine without any problems.

Now, we have a router before the firewall that filters out most services. I did open up ports 256-261 for FW authentication as well as port 21 on this router. Are there any other ports that I need to open up on this router? Maybe this router is blocking some service that needs to get to the firewall?

Any help will be greatly appreciated. Thanks.
Sonu

From firewalls-owner Wed Feb 4 11:06:03 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA04467; Wed, 4 Feb 1998 07:49:20 -0800 (PST) Received: from hint.osn.de ([194.45.27.71]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id HAA04378 for ; Wed, 4 Feb 1998 07:49:02 -0800 (PST) Received: from sepp.de (sun.sepp.de [195.88.235.42] (may be forged)) by hint.osn.de (8.8.7/8.8.7) with SMTP id QAA21257; Wed, 4 Feb 1998 16:15:49 +0100 (MET) Received: from WEIDE ([194.49.3.226]) by sepp.de (4.1/SMI-4.1) id AA27538; Wed, 4 Feb 98 16:15:19 +0100 From: dietz_proepper@sepp.de (Dietz Proepper) To: jim@coltano.stortek.com Cc: firewalls@greatcircle.com Subject: Re: UDP Port Scanner Date: Wed, 04 Feb 1998 15:12:56 GMT Organization: S.E.P.P. MED mbH Message-Id: <34ea83f8.85705948@sepp.de> References: <199801302138.OAA07307@coltano.stortek.com> In-Reply-To: <199801302138.OAA07307@coltano.stortek.com> X-Mailer: Forte Agent 1.5/32.451 Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Fri, 30 Jan 1998 14:38:18 -0700 (MST), you wrote:
>I need a general purpose UDP port scanner. Does anyone know
>where to find such a beast?
>

Try netcat from the good ppl at L0pht Heavy Industries (it's L-zero-pht), http://www.l0pht.com
They've got a Winnozz NT implementation too.

regards,
~dietz

--
dietz proepper, [software|web] designer, S.E.P.P. MED
aka tik on irc, bladerunner on netrek
/dev/null: no space left on device.
+ This is me - not S.E.P.P. MED mbH. Got it?
From firewalls-owner Wed Feb 4 11:10:06 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA06727; Wed, 4 Feb 1998 10:42:23 -0800 (PST) Received: from main.geminisecure.com (main.geminisecure.com [205.179.16.1]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id KAA06685 for ; Wed, 4 Feb 1998 10:42:12 -0800 (PST) Received: (from leonard@localhost) by main.geminisecure.com (8.6.9/8.6.9) id KAA10579; Wed, 4 Feb 1998 10:38:56 -0800 Date: Wed, 4 Feb 1998 10:38:55 -0800 (PST) From: Leonard Miyata To: manuel.ricca@pararede.pt cc: firewalls@GreatCircle.COM Subject: Re: Differences In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

The issue with any Key Distribution/Key Management system is I&A (Identification and Authentication) of the key. As an example, let's say your host is contacted by a computer that claims "I'm Bill Clinton's PC, let's exchange public values and talk securely". Even if you're expecting a connection with Bill Clinton's PC, how do you know that this PC is actually Bill Clinton's PC? An exchange of DH public values will provide confidentiality for the connection, but it does not directly identify the host. Some other means (such as an agreed-upon X.509 CA, MD5 hash values sent by registered mail...) must be used to authenticate the certificate as being the 'Official' Certificate of the expected host, and not a certificate created by an IP-address-spoofing host. (By the way, Diffie-Hellman is the primary exchange for SKIP; there is a proposal for DH for ISAKMP as well, but both require it in the form of an X.509 signed certificate to provide authentication.)

Which brings up the issue of VPN deployment. Web of Trust is not scalable to any but small VPN deployments. X.509 is scalable (but only if you provide the infrastructure!). Public (e.g. Internet) use of X.509 is not feasible because the public X.509 CA hierarchy needed to support it does not exist... LDAP (as a means of publishing X.509 Certificates) may work, but only the latest and greatest applications support it.... (Now if only the US Post Office would get their X.509 CA hierarchy up for public use...)

Personal Opinions Provided by Leonard Miyata aka leonard@geminisecure.com
Gemini Computers Inc.

On 3 Feb 1998 manuel.ricca@pararede.pt wrote:
> "Peer to peer key exchange cannot be trusted unless ownership of the
> key can be verified by some other means (Web of trust, digital
> signature of a X.509 CA, KERBEROS ticket etc)"
> Why not? What about Diffie-Hellman itself for key exchange?
> It does resist MITM attacks.
>

From firewalls-owner Wed Feb 4 11:34:29 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA11713; Wed, 4 Feb 1998 11:09:57 -0800 (PST) Received: from romeo.vhb.com ([204.243.173.175]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id LAA11578 for ; Wed, 4 Feb 1998 11:09:26 -0800 (PST) Received: by ROMEO with Internet Mail Service (5.0.1458.49) id <1H76MCF1>; Wed, 4 Feb 1998 14:22:07 -0500 Message-ID: <3A3A180B313CD111A10500609797FEE9C1A7FC@ROMEO> From: "Wall, Chris" To: "'firewalls@GreatCircle.COM'" Subject: FW: Microsoft, TIS, ICSA, and Trend Micro getting together ???? Date: Wed, 4 Feb 1998 14:22:07 -0500 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.49) Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> Check out:
>
> http://www.casal.com/semreg.htm
>
> Executive Level Presenters from ICSA,
> Microsoft, Trend Micro, and Trusted
> Information Systems
>
> Microsoft presents Proxy Server(tm) 2.0,
> .....
>
> Trusted Information Systems presents
> Gauntlet® Firewalls for Windows NT.
> Gauntlet firewalls
> combine a high-security application gateway
> and easy management. Designed to complement Proxy
> Server 2.0 as well as existing security solutions.
>
> Trend Micro presents InterScan VirusWall(tm).
> Designed especially for Proxy Server 2.0,
> ......
>
> Any thoughts on this "alliance" ................
>
> Chris Wall
> Network Administrator
>
> hmmmmmmm..........
>

From firewalls-owner Wed Feb 4 11:53:03 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA14876; Wed, 4 Feb 1998 11:27:12 -0800 (PST) Received: from tyche.credo.net (tyche.credo.net [199.107.168.8]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id LAA14831 for ; Wed, 4 Feb 1998 11:27:01 -0800 (PST) Received: from alectrona.credo.net (alectrona.credo.net [199.107.168.9]) by tyche.credo.net (8.8.8/8.8.8) with SMTP id LAA14112 for ; Wed, 4 Feb 1998 11:32:28 -0800 (PST) Message-Id: <3.0.32.19980204123950.00c1b3c8@199.107.168.8> Received: from john.credo.net by alectrona.credo.net via smtpd (for mail.credo.net [199.107.168.8]) with SMTP; 4 Feb 1998 19:31:42 UT X-Sender: john@199.107.168.8 X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Wed, 04 Feb 1998 12:39:51 +0000 To: firewalls@greatcircle.com From: John Whittaker Subject: gates gets his just desserts? ;-) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

http://www.cnn.com/TECH/computing/9802/04/belgium.gates.ap/

---------------------------------------------------------------------------
ZONEOFTRUST a division of Credo Computer Systems, Inc.
---------------------------------------------------------------------------
22941 Triton Way, 2nd Floor Laguna Hills, CA 92653
(714) 859-0196 tel. (714) 452-0513 fax.
http://www.zoneoftrust.com

From firewalls-owner Wed Feb 4 14:13:44 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA16405; Wed, 4 Feb 1998 11:35:40 -0800 (PST) Received: from netcomm.NetComm.IE (whittall.demon.co.uk [194.222.255.208]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id LAA16368 for ; Wed, 4 Feb 1998 11:35:28 -0800 (PST) Received: from pc.netcomm.ie (pc [129.156.240.34]) by netcomm.NetComm.IE (8.8.0/8.7) with SMTP id TAA05398; Wed, 4 Feb 1998 19:37:08 GMT Message-Id: <3.0.5.32.19980204192736.00b32b00@129.156.240.1> X-Sender: kevinbr@129.156.240.1 X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.5 (32) Date: Wed, 04 Feb 1998 19:27:36 +0000 To: Sonu Nayyar , Firewalls@GreatCircle.COM From: Kevin Brown Subject: Re: SecurRemote Problems (Win 95) Cc: sonu@net.com In-Reply-To: <199802041740.JAA29764@masala.net.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi,

What are the actions in the rule that you added for the user (I assume the user is part of a group?). It has to be client encrypt for this to work, i.e. under the action menu you have the choice of user, client or session; you must choose client, and then the encrypt action on a submenu (in the rules editor). It does work, but sadly I cannot (behind a Linux NAT box) get it working in my situation, but we have it working fine for other direct Win 95 PCs. Port 259 seems to have significance; there is a protocol called RDP that you must allow to the firewall itself. The protocol is predefined for you.

Kevin

At 09:40 04/02/98 -0800, Sonu Nayyar wrote:
>Content-MD5: 2HAzbkRd9TC7yDwxeNpgUQ==
>X-Mailer: dtmail 1.2.0 CDE Version 1.2 SunOS 5.6 sun4m sparc
>Sender: firewalls-owner@GreatCircle.COM
>Precedence: bulk
>Content-Type: TEXT/plain; charset=us-ascii
>
>
>We are having some problems getting a Win95 machine running
>SecuRemote 3.0 to talk with our firewall.
>The firewall has been set up with VPN and the rule is created. The Win95
>machine has no problem connecting to the firewall and exchanging
>the keys and authenticating. But, when the actual request (for
>example ftp) is made, there is a connection time out on the
>Win95 machine. I don't see any packets coming in to the firewall
>either.
>
>When I remove the SecuRemote daemon on the Win95 machine I can
>ftp fine without any problems.
>
>Now, we have a router before the firewall that filters out most
>services. I did open up ports 256-261 for FW authentication as
>well as port 21 on this router. Are there any other ports that
>I need to open up on this router? Maybe this router is blocking
>some service that needs to get to the firewall?
>
>Any help will be greatly appreciated. Thanks.
>
>Sonu
>

From firewalls-owner Wed Feb 4 14:18:11 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA09432; Wed, 4 Feb 1998 13:16:31 -0800 (PST) Received: from nova.unix.portal.com (nova.unix.portal.com [156.151.1.101]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id NAA09212 for ; Wed, 4 Feb 1998 13:15:43 -0800 (PST) Received: from venus.corp.portal.com (venus.corp.portal.com [156.151.1.110]) by nova.unix.portal.com (8.8.5/8.8.5) with SMTP id NAA07216 for ; Wed, 4 Feb 1998 13:21:34 -0800 (PST) Received: by venus.corp.portal.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52) id <01BD316F.E80ED920@venus.corp.portal.com>; Wed, 4 Feb 1998 13:22:14 -0800 Message-ID: From: Dana Bourgeois To: "'firewalls@greatcircle.com'" Subject: RE: FW-1 and FIN scanning (was: nmap tool) Date: Wed, 4 Feb 1998 13:22:12 -0800 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Then a FIN packet should be passed only if it is part of an established connection. Why allow a non-established connection to be terminated?

-fg

>-----Original Message-----
>From: Robert Ståhlbrand [SMTP:robert.stahlbrand@nmac.ericsson.se]
>Sent: Wednesday, February 04, 1998 5:47
>To: 'Steve Birnbaum'; 'Marek Kubita'
>Cc: 'firewalls@greatcircle.com'
>Subject: RE: FW-1 and FIN scanning (was: nmap tool)
>
>Another hi!
>
>We pretty much mean the same thing. The thing you said about a new SYN
>from "it" did confuse me. You meant a new "SYN" (not really a packet
>with SYN, just a SYN-alike order to the state-table) to the state-table.
>
>But there is something important that we have missed that all of a
>sudden hit me. I don't think that FW-1 considers a packet with a FIN-flag
>set to be a part of an established connection! What does FIN mean? It's
>a demand to take the session down! That is why it passes through...
>
>/Robert Ståhlbrand, Ericsson Telecom AB
>
>
>> -----Original Message-----
>> From: Steve Birnbaum [SMTP:sbirn@security.org.il]
>> Sent: 4 February 1998 12:30
>> To: Robert Ståhlbrand
>> Cc: 'Marek Kubita'; 'firewalls@greatcircle.com'
>> Subject: Re: FW-1 and FIN scanning (was: nmap tool)
>>
>>
>> robert.stahlbrand@nmac.ericsson.se said:
>> > I think this is done with a cache with all current connections. When
>> > you clear the table (installing a policy) he just puts this cache
>> > somewhere and after it has been installed lifting the cache back in
>> > the system. Why should you put in more effort?
>>
>> I'm not so sure about that. Like I said, my understanding is that the
>> connections allowed in are those that might be possible given the outgoing
>> rules. That way it can dynamically rebuild the state table without having
>> to re-establish the connection. If something claiming to be established
>> from outsidebox:80 is allowed to insidebox:4005 then if insidebox doesn't
>> reset the connection but rather responds to it, then it was "surely" part of
>> an established session, allowing the firewall to add it to the table.
>>
>> Steve
>>
>> --
>> sbirn@security.org.il Phone: +972-2-6795860 (PGP key available)
>> Fight Internet Spam! http://www.vix.com/spam/ Disclaimer: My opinions only.
>>

From firewalls-owner Wed Feb 4 15:21:58 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA13500; Wed, 4 Feb 1998 11:18:46 -0800 (PST) Received: from nova.unix.portal.com ([156.151.1.101]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id LAA13471 for ; Wed, 4 Feb 1998 11:18:36 -0800 (PST) Received: from venus.corp.portal.com (venus.corp.portal.com [156.151.1.110]) by nova.unix.portal.com (8.8.5/8.8.5) with SMTP id LAA28176 for ; Wed, 4 Feb 1998 11:24:25 -0800 (PST) Received: by venus.corp.portal.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52) id <01BD315F.89690FE0@venus.corp.portal.com>; Wed, 4 Feb 1998 11:25:03 -0800 Message-ID: From: Dana Bourgeois To: "'Rick Hardy'" , "'firewalls@GreatCircle.COM'" Subject: RE: Encryption Domains.... Date: Wed, 4 Feb 1998 11:25:01 -0800 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Why not add another interface to the Enterprise machine and put all your RAS on that subnet? FW-1 will handle what, 32 interfaces?

Overlapping encryption domain has to do with the definition of what domains are trusted. You have defined the same trusted domain twice. You probably don't need to set up two objects like that (one for each firewall).
I would assume you could set up one object and use it in the rules on both firewalls. IOW I suspect that it isn't a dual firewall issue but a dual object definition issue. Sorry if this is not clear.

The Certificate Authority is the trusted host that holds the keys. This is the control module - at least by default. Your firewall and encryption modules might not be able to act as a certificate authority - you should ask Checkpoint for clarification on that point. My guess is that they cannot act as Certificate Authorities. Under your Enterprise license, however, you should be able to have multiple control modules which I think CAN be Certificate Authorities.

I haven't gone to FW-1 training yet so take these comments with a block of salt....

>-----Original Message-----
>From: Rick Hardy [SMTP:rick@rapid.net]
>Sent: Monday, February 02, 1998 18:39
>To: firewalls@GreatCircle.COM
>Subject: Encryption Domains....
>
>Hello,
>
>I have a question concerning the way encryption domains work and what
>modules are required to do an encryption domain.
>
>First, I have a situation where two firewalls (1st is Enterprise version,
>with DES running under Solaris 2.51 FW-1 ver 30b, 2nd is Firewall Module
>with DES) are being used as gateways to the same hosts. One has access via
>RAS (straight dialup, then authenticates to FW via SecureRemote; this works
>since the GW is the Enterprise FW), the other has access via the Internet.
>
>
>Here is my problem, I get an error saying 'Overlapping Encryption
>Domain'... To solve this issue, can I use NAT? (I know, not a perfect
>solution but it should work!) My second issue has me perplexed!
>
>When I try to authenticate to the FW-1 box with ONLY the FW-1 Firewall
>Module and DES encryption, I get an error saying that it is NOT a
>Certificate Authority, and to check with my Sys Admin if the FW Gateway is
>a Control Module! Huh??? Does a Firewall-1 Gateway NEED to be a
>control module to authenticate via Secure Remote?? I didn't think so, and
>I've looked at all the docs.....
>
>
>
>Anyone have any ideas on either of these?!!?
>
>
>Thanks in advance!
>
>
>--=Rick=--
>

From firewalls-owner Wed Feb 4 16:14:54 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA16358; Wed, 4 Feb 1998 13:51:36 -0800 (PST) Received: from wt.anixter.com (wt.anixter.com [149.128.105.118]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id NAA16325 for ; Wed, 4 Feb 1998 13:51:30 -0800 (PST) Received: from richf (rich-friedeman.anixter.com) by wt.anixter.com with SMTP (1.40.112.8/16.2-WT4.1) id AA284099929; Wed, 4 Feb 1998 16:05:29 -0600 Message-Id: <3.0.5.32.19980203155222.00a6b100@tech-web.anixter.com> X-Sender: friri01@tech-web.anixter.com (Unverified) X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Tue, 03 Feb 1998 15:52:22 -0600 To: firewalls@greatcircle.com From: reilly Subject: RE: Firewalls-Digest V7 #51 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>
>Is this on an NT server? If so, IP forwarding opens up a large hole inside
>any security perimeter. Although I am not familiar enough with Checkpoint
>to know how it intercepts packets, I am surprised that they say that
>forwarding must be active. Even Microsoft states that when using their MS
>proxy server, IP forwarding MUST be disabled.
>
>
>

Under version 3.x of FW-1 on NT, IP forwarding must be enabled. That makes the NT server think it's enough of a router to be able to pass packets between two networks. When you install FW-1, you are asked whether you want FW-1 to control routing... the answer is absolutely _yes_. This disables NT routing when the firewall inspection module is not actually running, as I understand it. So if somebody does an 'fwstop', routing stops. All packets are passed through the inspection engine.
Reilly

From firewalls-owner Wed Feb 4 16:28:27 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id QAA15543; Wed, 4 Feb 1998 16:14:59 -0800 (PST) Received: from ns2.shopping.com (ns2.shopping.com [208.139.183.6]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id QAA15430 for ; Wed, 4 Feb 1998 16:14:34 -0800 (PST) Received: from greyghost ([208.139.183.253] (may be forged)) by ns2.shopping.com (2.5 Build 2626 (Berkeley 8.8.6)/8.8.4) with SMTP id QAA03302 for ; Wed, 04 Feb 1998 16:20:07 -0800 Message-Id: <3.0.1.32.19980204162005.00972e90@ns2.shopping.com> X-Sender: jpham@ns2.shopping.com X-Mailer: Windows Eudora Light Version 3.0.1 (32) Date: Wed, 04 Feb 1998 16:20:05 -0800 To: firewalls@GreatCircle.COM From: Joy Pham Subject: Web Cache Server Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi all,

I'm looking for some information on web cache servers. I know Novell makes a product called BorderManager. What else is out there?
Thank you in advance... Joy

From firewalls-owner Wed Feb 4 17:15:15 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA06144; Wed, 4 Feb 1998 15:35:58 -0800 (PST) Received: from mailhost.directnet1.net (mailhost.directnet1.net [208.143.248.20]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id OAA28363 for ; Wed, 4 Feb 1998 14:58:46 -0800 (PST) Received: from camarillo ([208.143.205.75]) by mailhost.directnet1.net (Netscape Messaging Server 3.01) with SMTP id 140 for ; Wed, 4 Feb 1998 18:10:17 -0500 X-Sender: fdarden@mailhost.directnet1.net X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0 Date: Wed, 04 Feb 1998 18:03:39 -0500 To: firewalls@GreatCircle.COM From: "frank darden" Subject: Question about Onguard/Elron Firewall In-Reply-To: <3.0.3.32.19980130090856.00991cc0@mail.iss.net> References: <3.0.3.32.19980129140601.009d9150@mail.iss.net> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Message-ID: <19980204231015365.AAA182.140@camarillo> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I am trying to find someone who has implemented the Onguard firewall solution. Any feedback, good or bad, would be appreciated. I am particularly interested in its performance, scalability, and resistance to attack.

Thanks!
Frank http://www.locked.com From firewalls-owner Wed Feb 4 17:22:30 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id QAA15244; Wed, 4 Feb 1998 16:14:03 -0800 (PST) Received: from ext-int1.dspl.com.au ([203.18.35.254]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id QAA15149 for ; Wed, 4 Feb 1998 16:13:41 -0800 (PST) Received: by ext-inet1.dspl.com.au with Internet Mail Service (5.0.1458.49) id <11G8MYG3>; Thu, 5 Feb 1998 11:19:11 +1100 Message-ID: <91412815A997D111A639008048ED67F64484@ext-inet1.dspl.com.au> From: Jamie Allison To: "'firewalls@greatcircle.com'" Subject: Guardian Firewall Date: Thu, 5 Feb 1998 11:18:36 +1100 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.49) Content-Type: multipart/alternative; boundary="---- =_NextPart_001_01BD3227.E2167D80" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------ =_NextPart_001_01BD3227.E2167D80 Content-Type: text/plain Hi All, Is anyone using the Guardian Firewall for NT or UNIX? I have an eval copy for NT and it seems to be OK. Does anyone have any comments, good or more importantly, bad? Cheers, Jamie. ------ =_NextPart_001_01BD3227.E2167D80 Content-Type: text/html
------ =_NextPart_001_01BD3227.E2167D80--

From firewalls-owner Wed Feb 4 18:01:55 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA14750; Wed, 4 Feb 1998 13:39:14 -0800 (PST) Received: from mail01.directions.com.au (zzpmcint.dialin.uq.net.au [203.101.240.106]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id MAA02963 for ; Wed, 4 Feb 1998 12:50:05 -0800 (PST) Received: by MAIL01 with Internet Mail Service (5.5.1960.3) id <1F4JQ39H>; Thu, 5 Feb 1998 07:03:13 +1000 Message-ID: <51D5AE1F9F4ED111A1D6004033CAC69624C6@MAIL01> From: Lachlan McIntosh To: "'firewalls@GreatCircle.COM'" Subject: RE: MS ProxyServer 2.0 sucks Date: Thu, 5 Feb 1998 07:02:59 +1000 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Thursday, 5 February 1998 1:46, Emmanuel Tychon [SMTP:manu@acm.org] wrote:
>
> On 27-Jan-98 Lachlan McIntosh wrote:
>
> > Microsoft Proxy Server is not just a HTTP based proxy.
>
> > It works VERY well and is well worth the cost, and for the most part the
> > small cost of proxy server is irrelevant
> > to organisations who are already running NT and have already invested in
> > client access licences for NT.
>
> > Linux or BSD currently don't have any technology that comes close.
>
> You forget the most important part of the MSPS 2.0: the clients need to install
> the "Microsoft Proxy Client". This client exists only for Windows based
> machine, thus say goodbye to other OSes.
>
> I think this is a solution for the dummies.
>

I don't give a fuck about other OS's!

Especially a religiously supported set of freeware applications.

My use of Microsoft products is purely commercial.

Large customers, who pay large amounts of money, use Microsoft products.

In general I've found purely Microsoft (NT networks) shops run a lot better than their Unix/Solaris counterparts.
I can give specific examples if you like (but not to the list.)

There is a VERY large demand for Microsoft products and it is growing.

I've never had a customer ask me.... "Can you support our linux system?"

It doesn't happen!

Lachlan McIntosh

> ---
> Micro$oft -> Where do you want to crash today?
>
> ||| | Emmanuel Tychon,
> O-O | nic-hdl: ET99-RIPE, nic-irc: kosinus
> (_) |
> oOO-----OOo | Don't be assimilated, use Linux!
> | Linux | |
> \-------/ | PGP key on http://pgp.ai.mit.edu

From firewalls-owner Wed Feb 4 18:03:53 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA14375; Wed, 4 Feb 1998 13:37:21 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id MAA04855 for ; Wed, 4 Feb 1998 12:59:04 -0800 (PST) Received: from inergen.sybase.com by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id NAA28637; Wed, 4 Feb 1998 13:02:30 -0800 (PST) Received: from smtp1.sybase.com (sybgate.sybase.com [130.214.220.35]) by inergen.sybase.com (8.8.4/8.8.4) with SMTP id NAA02937; Wed, 4 Feb 1998 13:05:36 -0800 (PST) Received: from by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) id AB04477; Wed, 4 Feb 98 13:03:29 PST Received: by gwwest.sybase.com(Lotus SMTP MTA v1.1 (385.6 5-6-1997)) id 882565A1.00742744 ; Wed, 4 Feb 1998 13:08:42 -0800 X-Lotus-Fromdomain: SYBASENOTES From: "Ryan Russell" To: sonu@net.com Cc: Firewalls@GreatCircle.COM, sonu@net.com Message-Id: <882565A1.007375C4.00@gwwest.sybase.com> Date: Wed, 4 Feb 1998 13:02:09 -0800 Subject: Re: SecurRemote Problems (Win 95) Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

My guess is that you're using NAT, and your firewall object is defined by its internal IP address. Change it to its external IP address and reinstall the rules, and update the site.
Ryan

sonu@net.com on 02/04/98 09:40:12 AM
Please respond to sonu@net.com
To: Firewalls@GreatCircle.COM
cc: sonu@net.com (bcc: Ryan Russell/SYBASE)
Subject: SecurRemote Problems (Win 95)

We are having some problems getting a Win95 machine running SecuRemote 3.0 to talk with our firewall. The firewall has been setup with VPN and the rule is created. The Win95 machine has no problem connecting to the firewall and exchanging the keys and authenticating. But, when the actual request (for example ftp) is made, there is a connection time out on the Win95 machine. I don't see any packets coming in to the firewall either. When I remove the SecuRemote daemon on the Win95 machine I can ftp fine without any problems.

Now, we have a router before the firewall that filters out most services. I did open up ports 256-261 for FW authentication as well as port 21 on this router. Are there any other ports that I need to open up on this router? Maybe this router is blocking some service that needs to get to the firewall?

Any help will be greatly appreciated. Thanks.

Sonu

From firewalls-owner Wed Feb 4 18:50:31 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA16485; Wed, 4 Feb 1998 13:55:38 -0800 (PST) Received: from newfed.frb.gov (newfed.frb.gov [170.209.32.65]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id NAA16476 for ; Wed, 4 Feb 1998 13:55:30 -0800 (PST) Received: (from umailfwd@localhost) by newfed.frb.gov (8.8.8/8.8.8) with UUCP id QAA02733; Wed, 4 Feb 1998 16:03:11 -0500 (EST) (envelope-from jmb@Frb.GOV) X-Authentication-Warning: newfed.frb.gov: umailfwd set sender to jmb@Frb.GOV using -f Received: from primary.frb.gov. (primary.frb.gov [198.35.131.208]) by new-frbgate.frb.gov (8.8.7/8.8.7) with ESMTP id PAA12868; Wed, 4 Feb 1998 15:48:47 -0500 (EST) Received: from kryten.frb.gov (kryten.frb.gov [198.35.166.171]) by primary.frb.gov. (8.8.6/8.8.6) with ESMTP id PAA21666; Wed, 4 Feb 1998 15:48:46 -0500 (EST) (envelope-from jmb@kryten.frb.gov) Received: from kryten.frb.gov (localhost.frb.gov [127.0.0.1]) by kryten.frb.gov (8.8.7/8.8.7) with ESMTP id PAA28841; Wed, 4 Feb 1998 15:48:41 -0500 (EST) (envelope-from jmb@kryten.frb.gov) Message-Id: <199802042048.PAA28841@kryten.frb.gov> X-Mailer: exmh version 2.0zeta 7/24/97 To: Leonard Miyata cc: manuel.ricca@pararede.pt, firewalls@GreatCircle.COM Subject: Re: Differences In-reply-to: Your message of "Wed, 04 Feb 1998 10:38:55 PST." Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Wed, 04 Feb 1998 15:48:40 -0500 From: "Jonathan M. Bresler" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> Web of Trust is not scalable to any but small VPN deployment.
> X.509 is scalable (but only if you provide the infrastructure!)
> Public (e.g. Internet) use of X.509 is not feasible because the
> Public X.509 CA hierarchy needed to support it does not exist...
> LDAP (as a means of publishing X.509 Certificates) may work, but
> only the latest and greatest applications support it....
> (Now if only the US Post Office will get their X.509 CA hierarchy
> up for public use...)

the only deployed world wide "CA" system is PGP. PGP key servers are widespread. we operate one here ;) Web of Trust is the only game in town at this time.

jmb
--
Jonathan M. Bresler   202-452-2831   JMB193   breslerj@frb.gov
MS-169   Federal Reserve Board of Governors   Washington DC 20551
Speaking for myself.
Others speak for the Federal Reserve Board of Governors

From firewalls-owner Wed Feb 4 19:37:51 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA08181; Wed, 4 Feb 1998 10:51:50 -0800 (PST) Received: from corpus.cz (ns.corpus.cz [194.213.34.200]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id KAA08166 for ; Wed, 4 Feb 1998 10:51:42 -0800 (PST) Received: from ws14.corpus.cz (marek@marek [194.213.34.219]) by corpus.cz (8.8.8/8.8.8) with ESMTP id TAA22081; Wed, 4 Feb 1998 19:56:42 +0100 (MET) Received: (from marek@localhost) by ws14.corpus.cz (8.8.3/8.8.7) id TAA00502; Wed, 4 Feb 1998 19:56:40 +0100 Message-ID: <19980204195640.63372@corpus.cz> Date: Wed, 4 Feb 1998 19:56:40 +0100 From: Marek Kubita To: Robert Ståhlbrand Cc: "'Steve Birnbaum'" , "'firewalls@greatcircle.com'" Subject: Re: FW-1 and FIN scanning (was: nmap tool) References: <43BED8177D10D011A69A0800092C15D70F351E@haig.oplab.nmac.ericsson.se> Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-2 Content-Transfer-Encoding: 8bit X-Mailer: Mutt 0.88 In-Reply-To: <43BED8177D10D011A69A0800092C15D70F351E@haig.oplab.nmac.ericsson.se>; from Robert Ståhlbrand on Wed, Feb 04, 1998 at 10:40:27AM +0100 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi,

On Wed, Feb 04, 1998 at 10:40:27AM +0100, Robert Ståhlbrand wrote:
> 1) First, there is no difference how the packets are handled either you
> drop or reject the packets with your ruleset in version 2.1a. The
> packets, according to the log, are correctly dropped or rejected but
> the packets are passing through to the destination.

Checked again with 3.0: with reject rule, the FIN packets are passing through, but the replies do not pass back, so all ports appear open to the scanner. Yes, the passed FIN packets are intact, with the data.

I would expect behaviour like this with "Fastpath" option in FW-1 properties enabled (it speeds up filtering by passing all established packets), but not with the normal setup. It is true that connection can be erased from the connections table (due to rules reinstall or timeout), but the FIN packets should be handled better: eg.
1) clean the FIN packet from data and all unusual flags, send it to the destination
2) filter the response from the destination and always reply with FIN ACK (to close correctly if it is really dropped connection).

Maybe we need some publicity (eg. some DoS attack with FIN packets against NT TCP/IP stack), so Checkpoint would implement this (and call it FINDefender :+)

--
Marek Kubita, Corpus spol.s r.o., Praha 10, Sluzeb 4, Czech Republic
tel. +420-2-701719, 701748, fax 704814

From firewalls-owner Wed Feb 4 20:39:54 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id UAA07815; Wed, 4 Feb 1998 20:28:32 -0800 (PST) Received: from starbase.tos.net (starbase.tos.net [208.137.47.1]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id UAA07806 for ; Wed, 4 Feb 1998 20:28:25 -0800 (PST) Received: (from mail@localhost) by starbase.tos.net (8.8.4/8.8.4) id WAA11323; Wed, 4 Feb 1998 22:35:13 -0600 Received: from macgyver-1.pr.mcs.net(205.253.24.113) by starbase.tos.net via smap (V1.3) id sma011315; Wed Feb 4 22:35:11 1998 Message-Id: X-Sender: macgyver@smtp.tos.net X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0 Date: Wed, 04 Feb 1998 22:29:37 -0600 To: Lachlan McIntosh , "'firewalls@GreatCircle.COM'" From: MacGyver Subject: RE: MS ProxyServer 2.0 sucks In-Reply-To: <51D5AE1F9F4ED111A1D6004033CAC69624C6@MAIL01> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----

At 07:02 AM 2/5/98 +1000, Lachlan McIntosh wrote:
[religious blurbs about MS and Unix cut]
>I don't give a fuck about other OS's!
>
>Especially a religiously supported set of freeware applications.
>
>My use of Microsoft products is purely commercial.
>
>Large customers, who pay large amounts of money, use Microsoft products.
>

With the risk of starting yet ANOTHER religious war...in the security consulting I've been doing for the past several years, it's been my experience that large companies are *ESPECIALLY* heterogeneous environments, where you have some users who are Win 3.1, some Win 95, some NT workstation, some Macs, and some Unix. That's the reality today in corporate America. Corporations decide which OS technologies to use depending on factors ranging from cost and scalability to politics and religious bias.

I've used MS Proxy 2.0, and I'll continue to use it where it makes sense. However, in large, heterogeneous environments the limitations of Proxy 2.0 need to be addressed. Things that end users want like RealAudio can't be trivially addressed in 2.0 without deploying the Winsock client DLL to all clients, and as has been mentioned on this list already, that solution is a 95/NT only option.

Microsoft's support for de facto Internet proxy standards like SOCKS is present in Proxy 2.0, but it's based on SOCKS 4 and not the more recent SOCKS 5 which has support for things like remote DNS and UDP proxies. Implementing SOCKS 5 support in Proxy 2.0 would have probably addressed a lot of the shortcomings I mentioned earlier. Hopefully, the next release of Proxy will provide that support.

Largely due to the above issues, Proxy 2.0 is more difficult to deploy and manage in these heterogeneous environments which are primarily found at large corporate installations. In my experience, I often recommend a blend of proxy products which includes MS Proxy 2.0 to address the needs of the Windows desktop, but unfortunately, it doesn't address the full scope of enterprise-wide deployment of proxy services.

>In general I've found purely Microsoft (NT networks) shops run a lot
>better than their Unix/Solaris counterparts.
>

"Run a lot better" is a highly subjective term. I'd really question the veracity of such a claim, though, simply because you are comparing apples and oranges. Certainly in sheer network performance, any NT server would lose miserably to a Solaris machine (in fact the disparity is so bad that NT boxes really choke when you try to crank their throughput approaching the gigabit-ethernet range). That said, there is a place for both in the enterprise. In general, firewall machines that are going to be heavily used have tended to be Unix-based, though as NT matures and Intel makes faster processors this is going to change to some degree in the future. Proxy servers have tended to be Wintel platform machines because as a rule, they're much cheaper than their Unix counterparts and generally you deploy multiple proxy servers in larger environments, scaling to meet user needs.

>I can give specific examples if you like (but not to the list.)
>

I'd certainly be interested in seeing any real performance metrics of all NT networks versus all Solaris or some other version of Unix.

>There is a VERY large demand for Microsoft products and it is growing.
>

Nobody questions that there is a high demand for Microsoft products, especially with 90% of desktops in the world running Microsoft operating systems -- I don't think that was the issue here. The real issue is that there are alternatives to MS Proxy 2.0, that whether you like it or not, better address some of the limitations in Proxy. Conversely, there are some features of Proxy 2.0 (remote management comes to mind off the top of my head) that are done very nicely in Proxy that aren't as nice or well-implemented in other solutions.

>I've never had a customer ask me.... "Can you support our linux system?"
>
>
>It doesn't happen!
>

All I can say to this is that it's just not true.
I've had numerous Fortune 100 companies who have decided to use Linux or *BSD in their enterprises to handle serious production tasks. There are a lot of reasons for it, ranging from the ability to customize what can be done due to the availability of the source code, to wanting industrial strength firewalls that are highly customizable -- Linux with IP-Masquerading is an extremely effective firewall, and allows you to do quite a bit of things that aren't as easily done in things like Eagle or FW-1.

But Linux and its kin have their limitations too -- there really isn't a support organization for it, and there is no "quality control" organization as there is in corporate environments, so you've got to be aware of what you're getting when you use these products and if that's an acceptable tradeoff relative to what you get and what you need, then great. If not, then you move on and determine what commercial package best fits your model.

Habeeb.

- --
Habeeb J. Dihu
Managing Senior Technologist
Cirrus Technologies
'I don't believe in the no-win scenario' -- Captain James T. Kirk, Star Trek II: TWK
'There is an old Vulcan proverb, `Only Nixon could go to China.`' -- Captain Spock, Star Trek VI: TUC

-----BEGIN PGP SIGNATURE-----
Version: PGP for Business Security 5.5.2
-----END PGP SIGNATURE-----

From firewalls-owner Wed Feb 4 23:52:37 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA28374; Wed, 4 Feb 1998 23:44:07 -0800 (PST) Received: from dijkstra.atlasonline.com (dijkstra.atlasonline.com [208.210.184.42]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id XAA28367 for ; Wed, 4 Feb 1998 23:43:59 -0800 (PST) Received: from master.atlasonline.com (wind@ehdup-c1-2.rmt.net.pitt.edu [136.142.20.132]) by dijkstra.atlasonline.com (8.8.5/8.8.5) with ESMTP id CAA10595; Thu, 5 Feb 1998 02:49:26 -0500 (EST) Received: (from wind@localhost) by master.atlasonline.com (8.8.8/8.7.3) id CAA30321; Thu, 5 Feb 1998 02:49:25 -0500 Date: Thu, 5 Feb 1998 02:49:25 -0500 Message-Id: <199802050749.CAA30321@master.atlasonline.com> From: Allan Wind MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit To: Lachlan McIntosh Cc: "'firewalls@GreatCircle.COM'" Subject: RE: MS ProxyServer 2.0 sucks In-Reply-To: <51D5AE1F9F4ED111A1D6004033CAC69624C6@MAIL01> References: <51D5AE1F9F4ED111A1D6004033CAC69624C6@MAIL01> X-Mailer: VM 6.39 under Emacs 19.34.1 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Lachlan McIntosh writes:
> On Thursday, 5 February 1998 1:46, Emmanuel Tychon [SMTP:manu@acm.org]
> wrote:
> >
> > On 27-Jan-98 Lachlan McIntosh wrote:
> >
> > > Microsoft Proxy Server is not just a HTTP based proxy.
> >
> > > It works VERY well and is well worth the cost, and for the most part
> the
> > > small cost of proxy server is irrelevant
> > > to organisations who are already running NT and have already
> invested in
> > > client access licences for NT.
> >
> > > Linux or BSD currently don't have any technology that comes close.
> >
> > You forget the most important part of the MSPS 2.0: the clients need
> to install
> > the "Microsoft Proxy Client". This client exists only for Windows
> based
> > machine, thus say goodbye to other OSes.
> >
> > I think this is a solution for the dummies.
> >
>
> I don't give a fuck about other OS's!

Good for you, life is much simpler in a homogeneous environment.

> Especially a religiously supported set of freeware applications.

"I don't give a fuck about other OS's!"

> My use of Microsoft products is purely commercial.
>
> Large customers, who pay large amounts of money, use Microsoft products.

... and Novell, Solaris, HP-UX, AIX, Linux etc. At least the ones they call large according to the Fortune 500.

> In general I've found purely Microsoft (NT networks) shops run a lot
> better than their Unix/Solaris counterparts.

Hehe....

> I've never had a customer ask me.... "Can you support our linux system?"

Given your statements I would not be surprised. There are companies, albeit still few, that support it. Most companies, I guess, feel most comfortable with a Microsoft product and don't consider rebooting (asked or not) a problem. It's getting better it seems, it's getting bigger for sure and it's simple - most of the time.

BTW. They say Internet Explorer is coming out in a Linux version, maybe you will start getting these questions from your commercial customers regarding support for other OSs.

/Allan
--
Allan Wind                      email: wind@atlassoft.com
VP Emerging Technology Group    Atlas Software Technologies, Inc.
phone: (412) 351-4611           4240 Greensburgh Pike
fax: (412) 351-4617             Franklin Center, Suite L-101
                                Pittsburgh, PA 15221

From firewalls-owner Thu Feb 5 00:52:38 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id AAA04532; Thu, 5 Feb 1998 00:41:50 -0800 (PST) Received: from polaris.pacificnet.net (polaris.pacificnet.net [207.171.0.250]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id AAA04523 for ; Thu, 5 Feb 1998 00:41:45 -0800 (PST) Received: from gnss.com ([207.171.10.76]) by polaris.pacificnet.net (8.8.5/8.8.5) with ESMTP id AAA29679; Thu, 5 Feb 1998 00:45:57 -0800 (PST) env-from (osiris@gnss.com) Message-ID: <34D97D06.B780A7A6@gnss.com> Date: Thu, 05 Feb 1998 00:49:10 -0800 From: Osiris X-Mailer: Mozilla 4.04 [en] (Win95; I) MIME-Version: 1.0 To: Allan Wind CC: Lachlan McIntosh , "'firewalls@GreatCircle.COM'" Subject: Re: MS ProxyServer 2.0 sucks References: <51D5AE1F9F4ED111A1D6004033CAC69624C6@MAIL01> <199802050749.CAA30321@master.atlasonline.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> > I've never had a customer ask me.... "Can you support our linux system?"
> Given your statements I would not be surprised.

In this past month's Network World, there was an article about just this. Linux is now being supported on a fairly regular basis. But, as to the original statement made, there is a damn good reason that "I've never had a customer ask me..." to support their Linux system. Most folks that use Linux know their operating system exceedingly well. Well enough to write their own drivers. But, I'll bet you get a lot of calls from 95 users, though, huh?
:-)

From firewalls-owner Thu Feb 5 01:22:38 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id BAA06802; Thu, 5 Feb 1998 01:07:27 -0800 (PST) Received: from relay.convey.ru (relay.convey.ru [195.182.128.2]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id BAA06721 for ; Thu, 5 Feb 1998 01:07:07 -0800 (PST) Received: (from ark@localhost) by relay.convey.ru (8.8.8/8.7.3) id MAA25452 for archive; Thu, 5 Feb 1998 12:12:29 +0300 (MSK) Message-ID: <19980205121229.17628@convey.ru> Date: Thu, 5 Feb 1998 12:12:29 +0300 From: "Alex A. Smirnoff" To: Joy Pham Cc: firewalls@GreatCircle.COM Subject: Re: Web Cache Server References: <3.0.1.32.19980204162005.00972e90@ns2.shopping.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.88 In-Reply-To: <3.0.1.32.19980204162005.00972e90@ns2.shopping.com>; from Joy Pham on Wed, Feb 04, 1998 at 04:20:05PM -0800 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

nuqneH,

http://squid.nlanr.net

On Wed, Feb 04, 1998 at 04:20:05PM -0800, Joy Pham wrote:
> Hi all,
>
> I'm looking for some information of Web Cache Server. I know Novell makes
> a product called BorderManager. What else is out there?
>
> Thank you in advance...Joy
>

From firewalls-owner Thu Feb 5 02:31:22 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id BAA14514; Thu, 5 Feb 1998 01:43:57 -0800 (PST) Received: from atlantique.venturi.net (atlantique.venturi.net [194.78.115.99]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id BAA14415 for ; Thu, 5 Feb 1998 01:43:33 -0800 (PST) Received: from atlantique.venturi.net (atlantique.venturi.net [194.78.115.99]) by atlantique.venturi.net (8.7.6/8.7.3) with SMTP id KAA24871; Thu, 5 Feb 1998 10:51:52 +0100 Date: Thu, 5 Feb 1998 10:51:52 +0100 (MET) From: Andy De Petter To: John Whittaker cc: firewalls@GreatCircle.COM Subject: Re: gates gets his just desserts? ;-) In-Reply-To: <3.0.32.19980204123950.00c1b3c8@199.107.168.8> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

What can I say??? I'm happy to be a Belgian, and I would have done it too, if I'd had time to buy some cakes and throw them at Microsnot >8)

-Andy
-------------------------------------------------------------------
Andy De Petter   tel +32 (0)75 295 111   adepette@venturi.net
"Abandon all hope, ye who enter here" - Dante, INFERNO
========================================== Wedlock @IRC ===========

From firewalls-owner Thu Feb 5 02:40:46 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id BAA10730; Thu, 5 Feb 1998 01:26:32 -0800 (PST) Received: from venus.compunet.de (venus.compunet.de [193.102.107.6]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id BAA10494 for ; Thu, 5 Feb 1998 01:25:44 -0800 (PST) From: Manuel.Gil@gecits-eu.com Received: from mail.gecits-eu.com (mailge.compunet.de [193.98.133.26]) by venus.compunet.de (AIX4.2/UCB 8.7/8.7) with SMTP id KAA31334; Thu, 5 Feb 1998 10:31:03 +0100 (NFT) Received: by mail.gecits-eu.com(Lotus SMTP MTA v1.1 (385.6 5-6-1997)) id 412565A2.00346608 ; Thu, 5 Feb 1998 10:32:19 +0100 X-Lotus-FromDomain: GECITS-EU@GECITS-EXT To: jicore@dsava.com, firewalls@greatcircle.com Message-ID: <412565A2.0034402A.00@mail.gecits-eu.com> Date: Thu, 5 Feb 1998 10:31:16 +0100 Subject: Re: WEB Authentication Mime-Version: 1.0 Content-type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Thanks to all for the help.

Best regards

Manuel Gil
GE Capital IT Solutions , S.L.
System Engineering
Edif. Torre Serrano C./ Serrano 47, Madrid 28001, Spain
Phone: +34 1 4368839/00, Fax: +34 1 5769883, Mobile: 909 457616
Internet: Manuel.Gil@GECITS-EU.COM

From firewalls-owner Thu Feb 5 03:53:51 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id DAA26547; Thu, 5 Feb 1998 03:35:20 -0800 (PST) Received: from relay.convey.ru (relay.convey.ru [195.182.128.2]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id BAA06226 for ; Thu, 5 Feb 1998 01:03:13 -0800 (PST) Received: (from ark@localhost) by relay.convey.ru (8.8.8/8.7.3) id MAA26430 for archive; Thu, 5 Feb 1998 12:08:26 +0300 (MSK) Message-ID: <19980205120826.47443@convey.ru> Date: Thu, 5 Feb 1998 12:08:26 +0300 From: "Alex A. Smirnoff" To: Lachlan McIntosh Cc: "'firewalls@GreatCircle.COM'" Subject: Re: MS ProxyServer 2.0 sucks References: <51D5AE1F9F4ED111A1D6004033CAC69624C6@MAIL01> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.88 In-Reply-To: <51D5AE1F9F4ED111A1D6004033CAC69624C6@MAIL01>; from Lachlan McIntosh on Thu, Feb 05, 1998 at 07:02:59AM +1000 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

nuqneH,

On Thu, Feb 05, 1998 at 07:02:59AM +1000, Lachlan McIntosh wrote:
> > the "Microsoft Proxy Client". This client exists only for Windows
> based
> > machine, thus say goodbye to other OSes.
> >
> > I think this is a solution for the dummies.
> >
> I don't give a fuck about other OS's!
>
> Especially a religiously supported set of freeware applications.
>
> My use of Microsoft products is purely commercial.
>
> Large customers, who pay large amounts of money, use Microsoft products.
>

I don't give a fuck about your use of Microsoft products. _Large_ customers _never_ do work on M$ products only. M$ does not scale well. Take a closer look and you'll see a big iron behind those 'doze boxes.

> In general I've found purely Microsoft (NT networks) shops run a lot
> better than their Unix/Solaris counterparts.
>
> I can give specific examples if you like (but not to the list.)
>
> There is a VERY large demand for Microsoft products and it is growing.
>
> I've never had a customer ask me.... "Can you support our linux system?"
>
>
> It doesn't happen!
>
> Lachlan McIntosh
>
> > ---
> > Micro$oft -> Where do you want to crash today?
> >
> > ||| | Emmanuel Tychon,
> > O-O | nic-hdl: ET99-RIPE, nic-irc: kosinus
> > (_) |
> > oOO-----OOo | Don't be assimilated, use Linux!
> > | Linux | |
> > \-------/ | PGP key on http://pgp.ai.mit.edu

From firewalls-owner Thu Feb 5 06:22:49 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA15066; Thu, 5 Feb 1998 06:07:37 -0800 (PST) Received: from x400gtw.pararede.pt (x400gtw.pararede.pt [194.79.64.130]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id GAA15057 for ; Thu, 5 Feb 1998 06:07:27 -0800 (PST) From: manuel.ricca@pararede.pt Received: by x400gtw.pararede.pt (8.6.8.1/1.2-eef) id OAA01578; Thu, 5 Feb 1998 14:13:21 GMT X400-Received: by /PRMD=pararede/ADMD=ip/C=pt; Relayed; 05 Feb 98 14:13:20 +0000 Date: 05 Feb 98 14:13:20 +0000 Delivery-Date: 05 Feb 98 14:13:21 +0000 Message-Type: Multiple Part X400-Originator: manuel.ricca@pararede.pt X400-MTS-Identifier: [/PRMD=pararede/ADMD=ip/C=pt;ISOCOR-34d902a1-Tubarao] X400-Recipients: non-disclosure Original-Encoded-Information-Types: IA5-Text X400-Content-Type: P2-1984 Message-ID: Importance: normal Subject: RE: Differences Autoforwarded: FALSE To: leonard@geminisecure.com (Non Receipt Notification Requested) CC: firewalls@GreatCircle.com (Non Receipt Notification Requested) Conversion: Allowed Conversion-With-Loss: Allowed Alternate-Recipient: Prohibited Content-Identifier: RE: Differences Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7Bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I don't see how the problem would be IP spoofing, since unless the 'spoofer' was on the same net as the 'spoofed', he wouldn't receive your messages (for key exchange, for eg.) anyway. Besides, you can use a one-time password or token scheme to authenticate the remote user, regardless of the PC he's sitting at. CA's give you the means to authenticate to anybody else, and that's why they're used to certify Web objects. You don't need it for peer-to-peer communication.

Please do correct me if I'm wrong, I'm still learning a lot of this stuff.

manuel

----------
From: firewalls-owner@GreatCircle.COM[SMTP:firewalls-owner@GreatCircle.COM]
Sent: Wednesday, 4 February 1998 21:23
To: manuel ricca
Cc: firewalls@GreatCircle.COM
Subject: Re: Differences

The issue with any Key Distribution/Key Management system is of I&A (Identification and Authentication) of the key.

As an example. Let's say your host is contacted by a computer that claims "I'm Bill Clinton's PC, let's exchange public values and talk securely". Even if you're expecting a connection with Bill Clinton's PC, how do you know that this PC is actually Bill Clinton's PC? An exchange of DH public values will provide Confidentiality for the connection, but it does not directly identify the host. Some other means (such as an agreed upon X.509 CA, MD5 hash values sent by registered mail...) must be used to authenticate the certificate as being the 'Official' Certificate of the expected host, and not a certificate created by an IP address spoofing host.

(By the way, Diffie-Hellman is the primary exchange for SKIP, there is a proposal for DH for ISAKMP as well, but both require it in the form of a X.509 signed certificate to provide authentication)

Which brings up the issue of VPN deployment.
Web of Trust is not scalable to any but small VPN deployment.
X.509 is scalable (but only if you provide the infrastructure!)
Public (e.g. Internet) use of X.509 is not feasible because the Public X.509 CA hierarchy needed to support it does not exist...
LDAP (as a means of publishing X.509 Certificates) may work, but only the latest and greatest applications support it....
(Now if only the US Post Office will get their X.509 CA hierarchy up for public use...)

Personal Opinions Provided by Leonard Miyata aka leonard@geminisecure.com
Gemini Computers Inc.

On 3 Feb 1998 manuel.ricca@pararede.pt wrote:
> "Peer to
> peer key exchange cannot be trusted unless ownership of the
> key can be verified by some other means (Web of trust, digital
> signature of a X.509 CA, KERBEROS ticket etc)"
> Why not? What about Diffie-Hellman itself for key exchange?
> It does resist MITM attacks.
>
>

From firewalls-owner Thu Feb 5 06:53:43 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA18090; Thu, 5 Feb 1998 06:36:39 -0800 (PST) Received: from bsd.synx.com (rt.synx.com [194.167.81.239]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id GAA18062 for ; Thu, 5 Feb 1998 06:36:30 -0800 (PST) Received: from s3.synx.com (s3 [192.1.1.247]) by bsd.synx.com (8.6.12/8.6.12) with SMTP id PAA06712; Thu, 5 Feb 1998 15:46:24 +0100 Received: from rs1 by s3.synx.com id aa08749; 5 Feb 98 15:32 GMT Date: Thu, 5 Feb 1998 15:33:21 -0100 (GMT) From: Remy NONNENMACHER To: Allan Wind cc: Lachlan McIntosh , "'firewalls@GreatCircle.COM'" Subject: RE: MS ProxyServer 2.0 sucks In-Reply-To: <199802050749.CAA30321@master.atlasonline.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Thu, 5 Feb 1998, Allan Wind wrote:
> Lachlan McIntosh writes:
>
> There are companies, albeit still few, that support it. Most
> companies, I guess, feel most comfortable with a Microsoft product and
> don't consider rebooting (asked or not) a problem. It's getting
> ....
;)

Do not ignore the fact that M$ have really invented the 'fault tolerant' system: they learned the users to be tolerant to faults using only two simple commands: 1 - reboot, 2 - re-install. No Unix system have never been able to do that!! (Even Tandem miserably relied on hardware.)

Let recognize, you U*X admins, that you are jealous of this!! (you that can't sleep at the simple idea of one of your U*x production machine would starts crashing once a month)

Remy.
----------------
One day, users will realize they have been took for stupid payers.... (This day, better being a used-cars salesman...)

From firewalls-owner Thu Feb 5 07:11:48 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA22074; Thu, 5 Feb 1998 07:03:22 -0800 (PST)
Received: from mailman.enron.com (enefw1.enron.com [192.152.140.1]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id HAA22045 for ; Thu, 5 Feb 1998 07:03:14 -0800 (PST)
From: azhang@ect.enron.com
Received: from dserv1.ect.enron.com by mailman.enron.com (SMI-8.6/SMI-4.1) id JAA10060; Thu, 5 Feb 1998 09:08:49 -0600
Received: from hoscl-019.ect.enron.com (hoscl-019.ect.enron.com [172.16.32.125]) by dserv1.ect.enron.com (8.8.5/8.8.5) with SMTP id JAA05507 for ; Thu, 5 Feb 1998 09:08:47 -0600 (CST)
Received: by hoscl-019.ect.enron.com (SMI-8.6/SMI-4.1) id JAA27980; Thu, 5 Feb 1998 09:08:42 -0600
Message-Id: <199802051508.JAA27980@hoscl-019.ect.enron.com>
Subject: GUI based s/key calculator for Unix
To: firewalls@GreatCircle.COM
Date: Thu, 5 Feb 1998 09:08:41 -0600 (CST)
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Greetings,

Would anybody know of any GUI based s/key calculator for Unix/Solaris, commercial or freeware?
Anchi

From firewalls-owner Thu Feb 5 07:37:36 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA26903; Thu, 5 Feb 1998 07:30:16 -0800 (PST)
Received: from gkbkup2.bridge.com (gkbkup2.bridge.com [167.76.159.20]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id HAA26894 for ; Thu, 5 Feb 1998 07:30:11 -0800 (PST)
Received: by gkbkup2.bridge.com; id JAA26914; Thu, 5 Feb 1998 09:35:04 -0600 (CST)
Received: from dns1srv.bridge.com(167.76.56.13) by gkbkup2.bridge.com via smap (3.2) id xma026731; Thu, 5 Feb 98 09:34:38 -0600
Received: from binki.bridge.com (binki.bridge.com [167.76.24.243]) by dns1srv.bridge.com (8.7.6/8.7.3) with SMTP id JAA24485; Thu, 5 Feb 1998 09:35:24 -0600 (CST)
Date: Thu, 5 Feb 1998 09:36:31 -0600 (CST)
From: Ken Hardy
To: azhang@ect.enron.com
cc: firewalls@GreatCircle.COM
Subject: Re: GUI based s/key calculator for Unix
In-Reply-To: <199802051508.JAA27980@hoscl-019.ect.enron.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I use a Java-based GUI s/key calculator. It runs on my Solaris Netscape, if that counts. See http://www.cs.umd.edu/~harry/jotp/

Look at the source ... I seem to recall it writing the secret password to the Java console, which is viewable in Netscape. Guess that was a debugging bit left in.

It's really handy having it on our intranet website -- I can access s/key from any system with a Java-enabled browser, regardless of the platform. We don't allow external telnet through the firewall, but when it was contemplated I pictured putting this calculator in a private directory on our public website so you wouldn't need to have an s/key calculator with you.

-KH

On Thu, 5 Feb 1998 azhang@ect.enron.com wrote:
> Greetings,
>
> Would anybody know of any GUI based s/key calculator for Unix/Solaris,
> commercial or freeware?
>
> Anchi
>

From firewalls-owner Thu Feb 5 08:53:54 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA08383; Thu, 5 Feb 1998 08:22:31 -0800 (PST)
Received: from bastion.dsava.com ([192.234.181.138]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id IAA08284 for ; Thu, 5 Feb 1998 08:22:11 -0800 (PST)
Received: from bastion.cse.dsava.com (root@localhost) by bastion.dsava.com with ESMTP id LAA03537; Thu, 5 Feb 1998 11:27:38 -0500 (EST)
Received: from cse.dsava.com (fortress.cse.dsava.com [192.168.1.101]) by bastion.cse.dsava.com with ESMTP id LAA03533; Thu, 5 Feb 1998 11:27:38 -0500 (EST)
Received: from localhost (jicore@localhost) by cse.dsava.com (8.8.8/8.8.7) with SMTP id LAA13327; Thu, 5 Feb 1998 11:27:37 -0500 (EST)
X-Authentication-Warning: fortress.cse.dsava.com: jicore owned process doing -bs
Date: Thu, 5 Feb 1998 11:27:22 -0500 (EST)
From: "Joshua R. Icore"
X-Sender: jicore@fortress.cse.dsava.com
To: azhang@ect.enron.com
cc: firewalls@GreatCircle.COM
Subject: Re: GUI based s/key calculator for Unix
In-Reply-To: <98Feb5.105543est.26885@virginia.dsava.com>
Message-ID:
X-URI: http://www.umiacs.umd.edu/~jicore
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 5 Feb 1998 azhang@ect.enron.com wrote:
> Would anybody know of any GUI based s/key calculator for Unix/Solaris,
> commercial or freeware?
>
> Anchi

Harry Mantakos, formerly of the CS department at the U of MD, College Park, now at Meretrix Technologies, wrote a Java Application and Applet OTP generator compatible with S/Key. You can find it at: http://www.cs.umd.edu/users/harry/jotp. Source is available for both the applet and application.

Respectfully,
Joshua R. Icore

---
Joshua R. Icore
Network Security Engineer
Decision-Science Applications
1110 North Glebe Road Suite 400
Arlington, VA 22201
PGP Key Fingerprint = BB E5 D6 01 D7 9A 29 CE 6A 30 8D 99 82 79 11 D6
email: jicore@dsava.com
pager: 1.800.800.7759 (jicore-pager@dsava.com)
voice: 1.703.243.2500
fax: 1.703.875.9382

From firewalls-owner Thu Feb 5 09:07:58 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA12818; Thu, 5 Feb 1998 08:46:19 -0800 (PST)
Received: from dencbis94.twcable.com (dencbis94.twcable.com [205.138.118.193]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id IAA12731 for ; Thu, 5 Feb 1998 08:45:56 -0800 (PST)
Received: from denmisf01.twcable.com (denmisf01 [198.59.12.1]) by dencbis94.twcable.com (8.8.5/8.8.5) with ESMTP id JAA14493 for ; Thu, 5 Feb 1998 09:51:31 -0700 (MST)
Received: from denmisf01 (denmisf01 [198.59.12.1]) by denmisf01.twcable.com (8.8.5/8.8.5) with SMTP id JAA00775 for ; Thu, 5 Feb 1998 09:51:31 -0700 (MST)
Date: Thu, 5 Feb 1998 09:51:31 -0700 (MST)
From: mcwilkin
X-Sender: mcwilkin@denmisf01
To: firewalls@GreatCircle.COM
Subject: Wingate 2 vulnerabilities
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Ok, at the risk of asking too generic a question - anybody got any thoughts on a proxy called WinGate? It appears to be an application proxy w/SOCKS5 support that runs on an M$ NT or 95 (yikes) box.

We are in a very autonomous environment where a central site provides divisional remote offices with mainframe and internet connectivity over Frame Relay.
Unfortunately, these remote divisions are starting to explore other alternatives to Internet access. Fine and dandy until they tie these links into their administrative networks, which extends/exposes ours. We have standardized what precautions they should take when going this way but that has been met with heated resistance... What good is a standard if we can't get support from upper management to enforce it? But that is just a whole other argument and part of our nightmare.

One division in particular does not want to implement our solution and has decided to install this product as a corporate security platform. Weak link in theory in action.

Ok, that was real generic... But, I guess I'm looking for some opinionated ammo to shoot these guys down with. Other than the obvious shortcomings inherent in the M$ environment, anyone have any opinions on the product itself?

Oh yea, kill the unix vs. windows conflict (not a holy war yet) before it brings this list down.

--------------------------------------------------------------------------
Michael C. Wilkinson | IS - Network Analyst | mcwilkin@twcable.com | 1-303-799-1200 x5773 |
--------------------------------------------------------------------------

From firewalls-owner Thu Feb 5 10:08:23 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA22288; Thu, 5 Feb 1998 10:02:33 -0800 (PST)
Received: from main.geminisecure.com (main.geminisecure.com [205.179.16.1]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id KAA22281 for ; Thu, 5 Feb 1998 10:02:27 -0800 (PST)
Received: (from leonard@localhost) by main.geminisecure.com (8.6.9/8.6.9) id JAA06144; Thu, 5 Feb 1998 09:59:20 -0800
Date: Thu, 5 Feb 1998 09:59:20 -0800 (PST)
From: Leonard Miyata
To: manuel.ricca@pararede.pt
cc: firewalls@GreatCircle.com
Subject: RE: Differences
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Okay, you're bringing up several issues here.

First, IP spoofing can be stopped ONLY if you have complete control over your network infrastructure (topology, routers etc.). For connections over the Internet, you do not have this. For a simple explanation of an IP spoofing attack: you first take out the legitimate network (with something as simple as a flood ping), set up a router (or exploit someone else's router) to announce that it's the new gateway for the IP spoofed network, and there you go.

Second, IP address spoofing can be used to spoof a host identity, but it's not the only way... The real issue is the authenticity of the certificate presented to you. If you have never actually seen the certificate, how do you know it's the 'Official' certificate? (If both parties trust a single third-party X.509 CA signature, this can be accomplished; if you don't agree upon the CA, well...) The trustworthiness of the CA can become an issue.
If I sign up for a Verisign class 1 certificate and say I'm Bill Clinton, for only a $9.95 a year registration fee, do you think they will do a background check to see if I am Bill Clinton?

Third, hand-held authenticators and one-time passwords (S/Key), and security tokens (KERBEROS) do have their uses, but are not suitable for all network tasks. (For instance, are you always logged in and waiting when your sendmail daemon wants to deliver you mail?) Also, these are (OSI network model) session/application authentication, which means you need special support for your authentication method. Using network/transport level authentication and encryption (SKIP/IPSEC), the challenge and response handshake is invisible to the application. You can use off-the-shelf telnet, ftp, etc., and use the SKIP/IPSEC encryption to hide the otherwise clear text traffic. If you're really paranoid, you use SKIP/IPSEC to provide host-to-host authentication (stopping network attacks from non-authenticated hosts), and combine it with session encryption (SSL, KERBEROS) to provide user authentication and tracking...

Fourth, X.509 certificates are used for Web objects (SSL) but are not limited to web objects. There are X.509 requirements and proposals for SKIP, ISAKMP/IPSEC, S/MIME, Secure DNS....

Personal Opinions provided by Leonard Miyata aka leonard@geminisecure.com
Gemini Computers Inc.

On 5 Feb 1998 manuel.ricca@pararede.pt wrote:
> I don't see how the problem would be IP spoofing,
> since unless the 'spoofer' was on the same net as the 'spoofed', he wouldn't
> receive your messages (for key exchange, for example) anyway.
> Besides, you can use a one-time password or token scheme to authenticate the
> remote user, regardless of the PC he's sitting at.
> CAs give you the means to authenticate to anybody else, and that's why they're
> used to certify Web objects. You don't need it for peer-to-peer communication.
> Please do correct me if I'm wrong, I'm still learning a lot of this stuff.
>
> manuel
>

From firewalls-owner Thu Feb 5 11:09:58 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA25810; Thu, 5 Feb 1998 10:55:40 -0800 (PST)
Received: from ritig1.rit.reuters.com (ritig1.rit.reuters.com [199.171.195.11]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id KAA25741 for ; Thu, 5 Feb 1998 10:55:08 -0800 (PST)
Received: from ritig6.rit.reuters.com by ritig1.rit.reuters.com; (5.65v3.2/1.1.8.2/14Sep94-0947PM) id AA14613; Thu, 5 Feb 1998 13:59:19 -0500
Received: from ritg4a.rit.reuters.com (unverified [132.10.10.44]) by ritig6.rit.reuters.com (Integralis SMTPRS 2.04) with ESMTP id ; Thu, 05 Feb 1998 13:58:56 -0500
Message-Id:
Received: from mr.rit.reuters.com by RITIG4.RIT.REUTERS.COM (PMDF V5.1-10 #23786) id <01IT81N5EI5S8Y5MIC@RITIG4.RIT.REUTERS.COM> for firewalls@greatcircle.com; Thu, 5 Feb 1998 13:58:57 EST
Received: with PMDF-MR; Thu, 05 Feb 1998 19:00:42 +0000 (GMT)
Alternate-Recipient: prohibited
Date: Thu, 05 Feb 1998 19:00:12 +0000 (GMT)
From: "Vincent Miragliotta [516] 851-6050"
Subject: Re: MS ProxyServer 2.0 sucks!!!
In-Reply-To:
To: firewalls@greatcircle.com
Mime-Version: 1.0
Posting-Date: Thu, 05 Feb 1998 19:00:13 +0000 (GMT)
Importance: normal
Sensitivity: Company-Confidential
A1-Type: MAIL
Hop-Count: 2
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Do not ignore the fact that M$ have really invented the 'fault tolerant'
>system : they learned the users to be tolerant to faults using only two simple
>
>> Remy.

Is that really what 'fault tolerant' means to you, you IMBECILE. That the users are made tolerant of faults? That is the most ludicrous crock of shit I've seen here yet.

And Microshaft has never in its history invented ANYTHING. They copy, repackage and market, PERIOD.

And learn how to type in English.
-Vincent

------------------------------------------------------------------------
Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Reuters Ltd.

From firewalls-owner Thu Feb 5 11:52:58 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA03802; Thu, 5 Feb 1998 11:47:48 -0800 (PST)
Received: from mail01.directions.com.au (zzpmcint.dialin.uq.net.au [203.101.240.106]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id LAA03699 for ; Thu, 5 Feb 1998 11:47:25 -0800 (PST)
Received: by MAIL01 with Internet Mail Service (5.5.1960.3) id <1F4JQPBQ>; Fri, 6 Feb 1998 06:01:02 +1000
Message-ID: <51D5AE1F9F4ED111A1D6004033CAC69624CB@MAIL01>
From: Lachlan McIntosh
To: "'firewalls@GreatCircle.COM'"
Subject: Re: MS ProxyServer 2.0
Date: Fri, 6 Feb 1998 06:00:47 +1000
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.1960.3)
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> than large companies are *ESPECIALLY* heterogeneous
>environments, where you have some users who are Win 3.1, some Win 95, some
>NT workstation, some Macs, and some Unix That's the reality today in
> > corporate America. Corporations decide which OS technologies to use
> > depending on factors ranging from cost and scalability to politics and
> > religious bias.
>
> I guess it comes down to where you work.
>
> I'm in Australia and there has been a big move to NT from Unix and
> Novell based networks (and I guess to keep things on an even keel I
> would have to say "small to medium networks use....." (there really
> aren't any really large companies here)
>
> The main market where I am in Brisbane is Government and
> SemiGovernment.
>
> Believe me Microsoft has done their work here.
>
> As you said Politics had a lot to do with it.....
>
> Also in my experience, the better run networks have moved to NT.
>
> Where you are it may be different.
>
> But I can't see myself out of work for the next, ooooo, 25 or so
> years........ (what a terrible pity.....)
>
> Linux may be a better more stable solution (that's free) but that
> doesn't mean that people will use it.
>
> It seems that usage of the "internet" is different here as well.
>
> There are only two main applications - mail and web browsing.
>
> Corporations and government simply want to give their users access to the
> web and want to disall
ow any connections inwards, they also want
> totally integrated security (you know they create the user once,
> assign whatever rights he/she needs and that's it, no buggerising
> around with IP addresses, dual logins, stuff like that......)
>
> If someone can point to a better application for the job, I'll gladly
> change my mind and start using/recommending another application, but
> to my mind the "microsoft sucks - linux will save the free world from
> cultural starvation" argument is silly and childish.
>
> I'm not saying that linux is bad, just that I don't think it's a
> commercially viable option to have expertise in (at least in
> Australia)
>
> >All I can say to this is that it's just not true. I've had numerous
> >Fortune 100 companies who have decided to use Linux or *BSD in their
> >enterprises to handle serious production tasks.
> >There are a lot of reasons
> >for it, ranging from the ability to customize what can be done due to the
> >availability of the source code, to wanting industrial strength firewalls
>
> (unfortunately most government IT shops won't allow any OS applications
> that don't have a vendor's name stamped on them - the ones that are
> generally used are VMS, NT, HPUX, solaris and Novell)
>
>
Lachlan McIntosh

From firewalls-owner Thu Feb 5 13:27:16 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA11972; Thu, 5 Feb 1998 12:29:50 -0800 (PST)
Received: from josephus.furph.com (josephus.furph.com [38.154.194.160]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id MAA11911 for ; Thu, 5 Feb 1998 12:29:32 -0800 (PST)
Received: from localhost (beckers@localhost) by josephus.furph.com (8.8.0/8.8.0) with SMTP id PAA27633 for ; Thu, 5 Feb 1998 15:38:09 -0500 (EST)
Date: Thu, 5 Feb 1998 15:38:09 -0500 (EST)
From: Becki Kain
To: firewalls@GreatCircle.COM
Subject: looking for router firewalls
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am looking for ideas on good firewall software for routers, and the routers have not been purchased yet, so the brand is flexible. I realise router firewalls are not thought of as "as good as" something like a Netra or a bastion host with firewall software on it, but it's what the customer wants (so as to appease both camps of unix and windows). It would be for about 150 PC hosts and 35 unix boxes.
thanks
beckers

From firewalls-owner Thu Feb 5 14:04:33 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA15772; Thu, 5 Feb 1998 12:47:31 -0800 (PST)
Received: from mail01.directions.com.au (zzpmcint.dialin.uq.net.au [203.101.240.106]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id MAA15745 for ; Thu, 5 Feb 1998 12:47:21 -0800 (PST)
Received: by MAIL01 with Internet Mail Service (5.5.1960.3) id <1F4JQPC5>; Fri, 6 Feb 1998 07:01:03 +1000
Message-ID: <51D5AE1F9F4ED111A1D6004033CAC69624CE@MAIL01>
From: Lachlan McIntosh
To: "'Remy NONNENMACHER'"
Cc: "'firewalls@GreatCircle.COM'"
Subject: RE: MS ProxyServer 2.0 sucks
Date: Fri, 6 Feb 1998 07:00:54 +1000
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.1960.3)
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> ;)
> Do not ignore the fact that M$ have really invented the 'fault tolerant'
> system : they learned the users to be tolerant to faults using only two
> simple commands : 1 - reboot, 2 - Re-install. No Unix system have never
> been able to do that !! (Even Tandem miserably relied on hardware).
>
> Let recognize, you U*X admins, that you are jealous of this !! (you that
> can't sleep at the simple idea of one of your U*x production machine
> would starts crashing once a month)
>

I must admit, most unix admins are surprised^h^h^h^h^h^h^h shocked that under NT it is better to re-install the OS than rebuild from backup......
:)

From firewalls-owner Thu Feb 5 14:08:19 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA11513; Thu, 5 Feb 1998 12:27:12 -0800 (PST)
Received: from sainet.sainet.org ([198.102.66.243]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id MAA11491 for ; Thu, 5 Feb 1998 12:27:04 -0800 (PST)
Received: from maestro.Maestro.COM (sikpuppy@maestro.com [198.102.66.11]) by sainet.sainet.org (8.8.8/8.8.8) with SMTP id PAA02843 for ; Thu, 5 Feb 1998 15:21:50 -0500 (EST)
Received: from localhost by maestro.Maestro.COM (4.1/MAESTRO-0.1/07-03-93) id AA10290; Thu, 5 Feb 98 15:29:44 EST
Date: Thu, 5 Feb 1998 15:29:44 -0500 (EST)
From: Sick Puppy
To: firewalls@GreatCircle.com
Subject: Consulting and Cracking
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Some companies that read this list express admiration for our skills and ask us to do consulting. We deeply appreciate the long overdue recognition of our skills. Yeah, right. We don't do no consulting. Tell us which agency you really work for and maybe we can make a deal.

Some kewl d00ds ask us how to fry Crisco routers and crack systems. We don't tell nobody. We already been nailed by CERT, Red Beard's wife and KCIA (Korean) and we don't need no more time for reflection or legal hassles. Don't ask for hacks cos we won't tell you. We might trade kewl tewls though.

Sick Puppy, the Cat Eating Dawg, aka Paranoid Pup
< Sharp fangs tend to get in the way >
< How do a Dawg get Presidential KneePads ?
>

From firewalls-owner Thu Feb 5 14:19:21 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA17713; Thu, 5 Feb 1998 13:00:43 -0800 (PST)
Received: from magellan.knight-ridder.com ([206.28.156.34]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id NAA17676 for ; Thu, 5 Feb 1998 13:00:32 -0800 (PST)
Received: (from uucp@localhost) by magellan.knight-ridder.com (8.8.8/8.8.8) id PAA18894 for ; Thu, 5 Feb 1998 15:53:45 -0500 (EST)
Received: from unknown(166.108.236.7) by magellan.knight-ridder.com via smap (V3.1.1) id xma018756; Thu, 5 Feb 98 15:53:25 -0500
Received: by miaxch01.herald.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52) id <01BD3250.3DFA7AC0@miaxch01.herald.com>; Thu, 5 Feb 1998 16:08:05 -0500
Message-ID:
From: "Williams, Todd"
To: "'firewalls@greatcircle.com'"
Subject: Sendmail/smap anti-relay measures
Date: Thu, 5 Feb 1998 16:08:04 -0500
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Is there any way to prevent a firewall running smapd (port 25) from acting as a mail relay for mail that neither came from, nor is going to, your domain?

Our mailer is sendmail 8.8.8, and I've put into my sendmail.cf the anti-relay measures suggested on several websites (sendmail.org being one). If I kill smap & just run sendmail as a daemon, they work great. However, if I run smapd as the primary listener, the rules fail & the mail gets relayed.

Thanks!
Todd Williams
The Miami Herald
twilliams@herald.com
305-376-3042

From firewalls-owner Thu Feb 5 14:50:54 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA10854; Thu, 5 Feb 1998 12:23:08 -0800 (PST)
Received: from mail.baileynm.com (fw.baileynm.com [206.109.159.11]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id MAA10770 for ; Thu, 5 Feb 1998 12:22:41 -0800 (PST)
Received: (qmail 7408 invoked from smtpd); 5 Feb 1998 20:27:40 -0000
Received: from web.nmti.com (root@198.178.0.201) by fw.nmti.com with SMTP; 5 Feb 1998 20:27:40 -0000
Received: from baileynm.com (grendel.nmti.com [198.178.0.150]) by web.nmti.com (8.6.12/8.6.9) with SMTP id OAA16069; Thu, 5 Feb 1998 14:27:40 -0600
Received: by baileynm.com; (5.65v3.2/1.1.8.2/08Sep97-0924AM) id AA15505; Thu, 5 Feb 1998 14:30:31 -0600
From: Peter da Silva
Message-Id: <9802052030.AA15505@baileynm.com>
Subject: Re: MS ProxyServer 2.0
To: lachlan@directions.com.au (Lachlan McIntosh)
Date: Thu, 5 Feb 1998 14:30:31 -0600 (CST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <51D5AE1F9F4ED111A1D6004033CAC69624CB@MAIL01> from "Lachlan McIntosh" at Feb 6, 98 06:00:47 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > There are only two main applications - mail and web browsing.

I could put together a bootable floppy that would proxy mail and web browsing using FreeBSD in a couple of days. I can't imagine anyone who only wanted to do news and mail needing more than that, nor can I imagine anyone having any difficulty doing the same with Linux. You would never know the OS was there.

There are several canned boxes that do this, available now; have a look at the Whistle Interjet for an example of one that includes a 4 port hub in the box, configured via a keypad on the front.

Why add all the complexity, cost, and general flakiness of NT?
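Going back to the "Differences" thread above (Leonard Miyata's point that an exchange of DH public values gives confidentiality but does not identify the peer, against manuel's suggestion that Diffie-Hellman itself resists MITM), the following is an added Python example, not code from the list or from SKIP, ISAKMP or any product named in it. It uses a toy 61-bit group and a Schnorr-style signature over that same group as a stand-in for the X.509 signed certificate the thread refers to; the CA, the party names and the message formats are all constructed for the illustration, and none of it is suitable for real use.

```python
import hashlib, secrets

# Toy 61-bit prime and generator, constructed for illustration; real use needs 2048+ bit groups.
P = 2**61 - 1
G = 3
Q = P - 1  # exponents are reduced modulo the group order

def _h(*parts):
    """Hash ints/strings into one integer (the signature challenge)."""
    m = hashlib.sha256()
    for part in parts:
        m.update(str(part).encode() + b"|")
    return int.from_bytes(m.digest(), "big")

def _rand_exp():
    return secrets.randbelow(Q - 2) + 2

def keygen():
    x = _rand_exp()            # private exponent
    return x, pow(G, x, P)     # (private, public)

def sign(x, msg):
    """Schnorr-style signature (r, s); stands in for the X.509/RSA signature."""
    k = _rand_exp()
    r = pow(G, k, P)
    e = _h(r, msg) % Q
    return r, (k - x * e) % Q

def verify(y, msg, sig):
    """G^s * y^e == r holds only if the signer knew x with y = G^x."""
    r, s = sig
    e = _h(r, msg) % Q
    return (pow(G, s, P) * pow(y, e, P)) % P == r

def kdf(shared):
    return hashlib.sha256(str(shared).encode()).hexdigest()

class CA:
    """The agreed-upon third party: signs (name, public key) bindings."""
    def __init__(self):
        self.x, self.y = keygen()
    def issue(self, name, y):
        return (name, y, sign(self.x, f"cert|{name}|{y}"))

class Party:
    def __init__(self, name, ca):
        self.name = name
        self.x, self.y = keygen()           # long-term identity key
        self.cert = ca.issue(name, self.y)  # binding signed by the shared CA
        self.ca_pub = ca.y
    def offer(self):
        self.a = _rand_exp()                # fresh ephemeral DH exponent
        return pow(G, self.a, P)
    def signed_offer(self):
        ga = self.offer()
        return self.cert, ga, sign(self.x, f"dh|{self.name}|{ga}")
    def finish(self, peer_value):
        """Anonymous DH: derive a key from whatever value arrived."""
        return kdf(pow(peer_value, self.a, P))
    def finish_authenticated(self, expected_peer, cert, peer_value, sig):
        """Accept the value only if a CA-certified key of the expected peer signed it."""
        name, y, ca_sig = cert
        if name != expected_peer or not verify(self.ca_pub, f"cert|{name}|{y}", ca_sig):
            raise ValueError("certificate is not a trusted-CA binding for the expected peer")
        if not verify(y, f"dh|{name}|{peer_value}", sig):
            raise ValueError("DH public value was not signed by the certified key")
        return self.finish(peer_value)

def honest_exchange(alice, bob):
    cert_a, ga, sig_a = alice.signed_offer()
    cert_b, gb, sig_b = bob.signed_offer()
    return (alice.finish_authenticated("bob", cert_b, gb, sig_b)
            == bob.finish_authenticated("alice", cert_a, ga, sig_a))

def unauthenticated_mitm(alice, bob):
    """Raw DH: the attacker hands both sides G^m; both complete normally and notice nothing."""
    ga, gb = alice.offer(), bob.offer()
    m = _rand_exp()
    gm = pow(G, m, P)
    k_alice, k_bob = alice.finish(gm), bob.finish(gm)
    return {"peers_agree": k_alice == k_bob,
            "attacker_has_alice_key": kdf(pow(ga, m, P)) == k_alice,
            "attacker_has_bob_key": kdf(pow(gb, m, P)) == k_bob}

def signed_exchange_attacked(alice, bob, forged_cert=False):
    """Same substitution against the signed exchange. Plain: Alice's real cert and
    signature are replayed but do not cover G^m. Forged: the attacker signs G^m with
    his own key under a self-issued 'alice' cert, which the shared CA never signed."""
    cert, _ga, sig = alice.signed_offer()
    bob.offer()
    gm = pow(G, _rand_exp(), P)
    if forged_cert:
        xm, ym = keygen()
        cert = ("alice", ym, sign(xm, f"cert|alice|{ym}"))
        sig = sign(xm, f"dh|alice|{gm}")
    try:
        bob.finish_authenticated("alice", cert, gm, sig)
        return "accepted"
    except ValueError as exc:
        return f"rejected: {exc}"
```

The forged-certificate case is where Leonard's "$9.95 class 1 certificate" remark bites: the check only helps if both sides trust a CA that actually verifies who it certifies.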
From firewalls-owner Thu Feb 5 15:03:03 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA18207; Thu, 5 Feb 1998 13:03:40 -0800 (PST)
Received: from ritig1.rit.reuters.com (ritig1.rit.reuters.com [199.171.195.11]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id NAA18144 for ; Thu, 5 Feb 1998 13:03:27 -0800 (PST)
Received: from ritig7.rit.reuters.com by ritig1.rit.reuters.com; (5.65v3.2/1.1.8.2/14Sep94-0947PM) id AA23122; Thu, 5 Feb 1998 16:07:39 -0500
Received: from ritg4a.rit.reuters.com (unverified [132.10.10.44]) by ritig7.rit.reuters.com (Integralis SMTPRS 2.04) with ESMTP id ; Thu, 05 Feb 1998 16:07:25 -0500
Message-Id:
Received: from mr.rit.reuters.com by RITIG4.RIT.REUTERS.COM (PMDF V5.1-10 #23786) id <01IT864YIVIO8Y5R5D@RITIG4.RIT.REUTERS.COM> for firewalls@greatcircle.com; Thu, 5 Feb 1998 16:07:13 EST
Received: with PMDF-MR; Thu, 05 Feb 1998 21:08:53 +0000 (GMT)
Alternate-Recipient: prohibited
Date: Thu, 05 Feb 1998 21:08:23 +0000 (GMT)
From: "Vincent Miragliotta [516] 851-6050"
Subject: Re: MS ProxyServer and the meaning of life
In-Reply-To: <34DA2162.C9F89CF0@DannyGumport.com>
To: firewalls@greatcircle.com
Mime-Version: 1.0
Posting-Date: Thu, 05 Feb 1998 21:08:24 +0000 (GMT)
Importance: normal
Sensitivity: Company-Confidential
A1-Type: MAIL
Hop-Count: 2
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>> Maybe it is time for this thread to be retired.
>> -Danny G
>>

Glad ONE person got the hint. :):):):):):):):):)

Nobody subscribed here to read jokes or essays on morals. Enough.

When IS M$$$$$ proxy most appropriate? How reliable is it? How is it vulnerable? Anyone know????? :):):):)

-Vin :):):):):)

------------------------------------------------------------------------
Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Reuters Ltd.
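For the S/Key calculator thread above (azhang's question and the two jotp replies), here is an added Python example, not the jotp code nor anything posted to the list, showing what such a calculator computes and what the server checks: the MD5 variant of the one-time password scheme as specified in RFC 2289 (the standardised successor of the original S/Key, which used MD4). The test values are the RFC 2289 MD5 vectors; the `OtpServer` class is constructed for the illustration, with its challenge string following the RFC's `otp-md5 <count> <seed>` syntax. Ken Hardy's worry about the applet writing the secret to the Java console matters because the pass phrase is the only secret in the whole scheme and is meant never to leave the calculator.

```python
import hashlib

def _fold(digest):
    """Fold the 16-byte MD5 digest to 8 bytes by XORing its two halves (RFC 2289)."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))

def otp(passphrase, seed, count):
    """One-time password number `count` for this seed and secret pass phrase.

    The seed is case-insensitive (folded to lower case) and is prepended to the
    pass phrase; that string is hashed and folded once, then the 8-byte result is
    re-hashed and folded `count` more times. The pass phrase never leaves here."""
    if not (seed.isalnum() and 1 <= len(seed) <= 16):
        raise ValueError("seed must be 1-16 alphanumeric characters")
    if count < 0:
        raise ValueError("count must be non-negative")
    x = _fold(hashlib.md5((seed.lower() + passphrase).encode("ascii")).digest())
    for _ in range(count):
        x = _fold(hashlib.md5(x).digest())
    return x

def otp_hex(passphrase, seed, count):
    """Hexadecimal display form: four groups of four digits."""
    h = otp(passphrase, seed, count).hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, 16, 4))

class OtpServer:
    """Server side (constructed for this example). Stores only the last accepted
    password (initially number N), never the pass phrase; reading the store or
    sniffing one login does not let anyone run the hash backwards to the next one."""
    def __init__(self, seed, count, last_otp):
        self.seed, self.count, self.last = seed, count, last_otp
    def challenge(self):
        # RFC 2289 challenge syntax; the user types this into the calculator
        return f"otp-md5 {self.count - 1} {self.seed}"
    def verify(self, response):
        """Accept iff hashing the response once more reproduces the stored value,
        then step the store back so the same response cannot be replayed."""
        if self.count <= 0:
            return False  # sequence exhausted; the user must re-initialise
        if _fold(hashlib.md5(response).digest()) != self.last:
            return False
        self.last, self.count = response, self.count - 1
        return True
```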
From firewalls-owner Thu Feb 5 15:35:16 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA00766; Thu, 5 Feb 1998 14:23:13 -0800 (PST)
Received: from name.mcalbds.com ([205.214.199.244]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id OAA00655 for ; Thu, 5 Feb 1998 14:22:50 -0800 (PST)
Received: (from uucp@localhost) by name.mcalbds.com (8.8.4/8.8.4) id SAA27180; Thu, 5 Feb 1998 18:31:47 -0400
Received: from laptop.stokes.com(172.18.1.2) by name.mcalbds.com via smap (V2.0) id xma027175; Thu, 5 Feb 98 18:31:40 -0400
Date: Thu, 5 Feb 1998 18:31:35 -0400 (GMT+4)
From: Roger Hill
X-Sender: rhill@lappie.stokes.com
To: "Vincent Miragliotta [516] 851-6050"
cc: firewalls@GreatCircle.COM
Subject: Re: MS ProxyServer 2.0 sucks!!!
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 5 Feb 1998, Vincent Miragliotta [516] 851-6050 wrote:
> Is that really what 'fault tolerant' means to you, you IMBECILE.

Actually, I thought he was being sarcastic, and quite amusingly so.

> And learn how to type in English.
>

We are not all fluent in English...be more tolerant of others.

Cheers
============================================================================
Roger Hill, P.O.Box 4T, Barbados, West Indies.
Tel: 246-230-9596  Fax: 246-433-8365  E-mail: rhill@mcalbds.com
============================================================================

From firewalls-owner Thu Feb 5 16:07:13 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA11426; Thu, 5 Feb 1998 12:26:39 -0800 (PST)
Received: from mast.webhooks.com ([207.106.164.22]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id MAA11391 for ; Thu, 5 Feb 1998 12:26:27 -0800 (PST)
Received: from DannyGumport.com ([166.55.69.146]) by mast.webhooks.com (Post.Office MTA v3.1.2 release (PO203-101c) ID# 554-33936U100L100S0) with ESMTP id AAA3628; Thu, 5 Feb 1998 15:32:03 -0500
Message-ID: <34DA2162.C9F89CF0@DannyGumport.com>
Date: Thu, 05 Feb 1998 15:30:26 -0500
From: dgumport@dannygumport.com (Danny Gumport)
Organization: dgDOTcom
X-Mailer: Mozilla 4.04 [en] (Win95; U)
MIME-Version: 1.0
To: "Vincent Miragliotta [516] 851-6050"
CC: firewalls@greatcircle.com
Subject: Re: MS ProxyServer 2.0 sucks!!!
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Maybe it is time for this thread to be retired.

-Danny G

Vincent Miragliotta [516] 851-6050 wrote:
>
> >Do not ignore the fact that M$ have really invented the 'fault tolerant'
> >system : they learned the users to be tolerant to faults using only two simple
> >
> >> Remy.
>
> Is that really what 'fault tolerant' means to you, you IMBECILE.
> That the users are made tolerant of faults? That is the most ludicrous crock of
> shit I've seen here yet.
>
> And Microshaft has never in its history invented ANYTHING. They copy, repackage
> and market, PERIOD.
>
> And learn how to type in English.
>
> -Vincent
>
> ------------------------------------------------------------------------
> Any views expressed in this message are those of the individual sender,
> except where the sender specifically states them to be the views of
> Reuters Ltd.
_______________________________________________________________________
Danny Gumport
mailto:Me@DannyGumport.com
http://WWW.DannyGumport.com

From firewalls-owner Thu Feb 5 17:29:05 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA15974; Thu, 5 Feb 1998 12:49:49 -0800 (PST)
Received: from mail01.directions.com.au (zzpmcint.dialin.uq.net.au [203.101.240.106]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id MAA15945 for ; Thu, 5 Feb 1998 12:49:38 -0800 (PST)
Received: by MAIL01 with Internet Mail Service (5.5.1960.3) id <1F4JQPC6>; Fri, 6 Feb 1998 07:03:23 +1000
Message-ID: <51D5AE1F9F4ED111A1D6004033CAC69624CF@MAIL01>
From: Lachlan McIntosh
To: "'Vincent Miragliotta [516] 851-6050'"
Cc: "'firewalls@GreatCircle.COM'"
Subject: RE: MS ProxyServer 2.0 sucks!!!
Date: Fri, 6 Feb 1998 07:03:15 +1000
Sensitivity: Company-Confidential
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.1960.3)
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Ohhhhh nasty!!!!

The fact remains that most people, for most applications, will put up with it..... you get what you pay for..... A $60,000 server is more reliable than a $2,000 one. For my own use, I'll pay $2,000 (if someone has the need and the budget then they can pay $60,000+).

On Friday, 6 February 1998 5:00, Vincent Miragliotta [516] 851-6050 [SMTP:vincent.miragliotta@reuters.com] wrote:
> >Do not ignore the fact that M$ have really invented the 'fault tolerant'
> >system : they learned the users to be tolerant to faults using only two simple
> >
> >> Remy.
>
> Is that really what 'fault tolerant' means to you, you IMBECILE.
> That the users are made tolerant of faults? That is the most ludicrous crock of
> shit I've seen here yet.
>
> And Microshaft has never in its history invented ANYTHING. They copy, repackage
> and market, PERIOD.
>
> And learn how to type in English.
> > -Vincent > > ------------------------------------------------------------------------ > Any views expressed in this message are those of the individual sender, > except where the sender specifically states them to be the views of > Reuters Ltd. From firewalls-owner Thu Feb 5 17:37:55 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA20890; Thu, 5 Feb 1998 13:30:07 -0800 (PST) Received: from netcomm.NetComm.IE (whittall.demon.co.uk [194.222.255.208]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id NAA20868 for ; Thu, 5 Feb 1998 13:30:00 -0800 (PST) Received: from pc.netcomm.ie (pc [129.156.240.34]) by netcomm.NetComm.IE (8.8.0/8.7) with SMTP id VAA08606; Thu, 5 Feb 1998 21:17:18 GMT Message-Id: <3.0.5.32.19980205210750.01427950@129.156.240.1> X-Sender: kevinbr@129.156.240.1 X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.5 (32) Date: Thu, 05 Feb 1998 21:07:50 +0000 To: "Vincent Miragliotta [516] 851-6050" , firewalls@GreatCircle.COM From: Kevin Brown Subject: Re: MS ProxyServer 2.0 sucks!!! In-Reply-To: References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Vincent, I think he was joking.......is it me or has the whole world got really serious and touchy and humourless this week? Meanwhile, back at firewalls, anyone want to tell me why secure remote will not work for me.? KB At 19:00 05/02/98 +0000, Vincent Miragliotta [516] 851-6050 wrote: >A1-Type: MAIL >Hop-Count: 2 >Sender: firewalls-owner@GreatCircle.COM >Precedence: bulk >Content-Type: TEXT/PLAIN; CHARSET=US-ASCII > >>Do not ignore the fact that M$ have really invented the 'fault tolerant' >>system : they learned the users to be tolerant to faults using only to simple >> >>> Remy. > >Is that really what 'fault tolerant' means to you, you IMBECILE. >That the users are made tolerant of faults? That is the most ludicrous crock of >shit I've seen here yet. 
> >And Microshaft has never in its history invented ANYTHING. They copy, repackage >and market, PERIOD. > >And learn how to type in English. > >-Vincent > >------------------------------------------------------------------------ >Any views expressed in this message are those of the individual sender, >except where the sender specifically states them to be the views of >Reuters Ltd. > > From firewalls-owner Thu Feb 5 17:52:45 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA01374; Thu, 5 Feb 1998 14:25:44 -0800 (PST) Received: from mail3.bellglobal.com ([198.235.216.132]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id OAA01186 for ; Thu, 5 Feb 1998 14:24:59 -0800 (PST) Received: from innesdave ([204.191.151.85]) by mail3.bellglobal.com (Netscape Mail Server v2.02) with ESMTP id AAA21253 for ; Thu, 5 Feb 1998 17:30:35 -0500 From: dainnes@royal-canada.com (Dave Innes) To: Subject: nondisclosure agreements Date: Thu, 5 Feb 1998 05:35:20 -0600 Message-ID: <01bd322a$2380c9e0$3cc8010a@innesdave> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0012_01BD31F7.D8E659E0" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.71.1712.3 X-Mimeole: Produced By Microsoft MimeOLE V4.71.1712.3 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This is a multi-part message in MIME format. ------=_NextPart_000_0012_01BD31F7.D8E659E0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Have a contractor helping setup and test our firewall looking for a "non-disclosure agreement" am sure other companies in same situation any help is most appreciated. ------=_NextPart_000_0012_01BD31F7.D8E659E0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable
From firewalls-owner Thu Feb 5 18:19:12 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA19461; Thu, 5 Feb 1998 13:10:11 -0800 (PST) Received: from cheez.lowprofile.net ([206.97.249.88]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id NAA19367 for ; Thu, 5 Feb 1998 13:09:47 -0800 (PST) Received: from cheez.lowprofile.net (cheez.lowprofile.net [206.97.249.88]) by cheez.lowprofile.net (8.8.5/8.8.5) with SMTP id PAA24742; Thu, 5 Feb 1998 15:15:18 -0600 Date: Thu, 5 Feb 1998 15:15:18 -0600 (CST) From: "Daniel \"Cheez\" Brown" To: "Vincent Miragliotta [516] 851-6050" cc: firewalls@GreatCircle.COM Subject: Re: MS ProxyServer 2.0 sucks!!! In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Vincent- Ease up, man! MicroSoft did invent one thing: The ability to shaft the nation while still making money hand over fist and getting Belgian Cream Pies in the face. But Remy has a valid point: My Windows 95 customers always ask me 'Do I have to reboot the router before the changes will work?'. That's roughly 75% of the professionals in the IT field that I work with. The rest are us old, outdated Unix geeks who thrive on 'kill -1 PID'. Rebooting has become a way of functioning because of MicroSoft, as opposed to the yearly reboot of your Unix server on Christmas, just to see all the pretty Christmas lights. I think if anyone needs more fault tolerance, it would have to be you. And, in essence, MicroSoft has caused the users to become more tolerant of the fault which is called 'rebooting' and 'downtime'.
Ciao, +----Daniel "Cheez" Brown------------Global Data Systems-------+ | http://cheez.lowprofile.net | Security Advisor, Global Reach | | cheez@lowprofile.net | Cisco Systems WAN Specialist | | UNIX/Linux/HP-UX specialist | Remote Management Specialist | | If at first you don't succeed, redefine success. | | Contrary to popular opinion, UNIX is user friendly. It just | +-happens to be very selective about who it makes friends with.+ On Thu, 5 Feb 1998, Vincent Miragliotta [516] 851-6050 wrote: > >Do not ignore the fact that M$ have really invented the 'fault tolerant' > >system : they learned the users to be tolerant to faults using only to simple > > > >> Remy. > > Is that really what 'fault tolerant' means to you, you IMBECILE. > That the users are made tolerant of faults? That is the most ludicrous crock of > shit I've seen here yet. > > And Microshaft has never in its history invented ANYTHING. They copy, repackage > and market, PERIOD. > > And learn how to type in English. > > -Vincent > > ------------------------------------------------------------------------ > Any views expressed in this message are those of the individual sender, > except where the sender specifically states them to be the views of > Reuters Ltd. 
> From firewalls-owner Thu Feb 5 19:09:57 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA19084; Thu, 5 Feb 1998 13:07:23 -0800 (PST) Received: from castle.us-state.gov (castle.us-state.gov [198.76.102.19]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id NAA18762 for ; Thu, 5 Feb 1998 13:06:15 -0800 (PST) Received: by castle.us-state.gov; id AA04775; Thu, 5 Feb 98 16:11:42 EST Received: from pubhost.us-state.gov(198.76.102.34) by castle.us-state.gov via smap id sma004732; Thu Feb 5 16:11:12 1998 Received: by pubhost.us-state.gov; id AA28529; Thu, 5 Feb 98 16:11:09 EST Received: by localhost with Microsoft MAPI; Thu, 5 Feb 1998 16:13:23 -0500 Message-Id: <01BD3250.FB7A4A30.gwitte@us-state.gov> From: Greg Witte To: "'Vincent Miragliotta [516] 851-6050'" , "firewalls@greatcircle.com" Subject: RE: MS ProxyServer 2.0 [may not meet your requirements] Date: Thu, 5 Feb 1998 16:13:22 -0500 Organization: Contractor, US Dept of State, IM X-Mailer: Microsoft Internet E-mail/MAPI - 8.0.0.4211 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk FWIW: (From an Exchange mailbox through a Linux MTA via a Sun firewall to a Pine user who tagged a profane message with his own personal disclaimer as "company confidential.) All others, if the shoe fits ........ Im-be-cile: n. 2. a feeble-minded person. Fee-ble-mind-ed: adj. 2. Dull-witted Dull: adj. Lacking mental agility Wit: n. 3a. Ability to perceive and express in an ingeniously humorous way the relationship between seemingly incongruous or disparate things. Hence, Im-be-cile: n. new: the lack of ability to discern a humorously described scenario where the reader resorts to name calling and vulgarisms* in place of quick-witted understanding of dry humor. [*vul-gar-ism: n. 2a. a word, phrase, or manner of expression used chiefly by uncultivated people.] 
Lastly: From a Monday, August 26, 1996 Los Angeles Times article, entitled "Students Told to Abide by Rules of the Superhighway", the author says "Using the worldwide network to research class projects, send e-mail or explore other computer systems is OK. Sharing passwords, pirating copyrighted software, sending profanity-laced e-mail or using the ^^^^^^^^^^^^^^^^^^^^^^ system to sell something is not. " ... "...policies can teach students discretionary skills they'll need on the job. "Most of them will go into the work force, where they'll have Internet access through their company," Willard said. "It's important for them to recognize that won't be their private account and what they say on it reflects ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ on their company or government agency ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ and therefore those [groups] have a requirement to have some level of control." Michelle V. Rafter writes Internet columns for Reuters and the ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Chicago Tribune. Copyright Los Angeles Times Well written and well said. On Thursday, February 05, 1998 2:00 PM, Vincent Miragliotta [516] 851-6050 [SMTP:vincent.miragliotta@reuters.com] wrote: > >Do not ignore the fact that M$ have really invented the 'fault tolerant' > >system : they learned the users to be tolerant to faults using only to simple > > > >> Remy. > > Is that really what 'fault tolerant' means to you, you IMBECILE. > That the users are made tolerant of faults? That is the most ludicrous crock of > ^&*^ I've seen here yet. > > And Microshaft has never in its history invented ANYTHING. They copy, repackage > and market, PERIOD. > > And learn how to type in English. > > -Vincent > > ------------------------------------------------------------------------ > Any views expressed in this message are those of the individual sender, > except where the sender specifically states them to be the views of > Reuters Ltd. 
These comments are mine, too, but reflect on my company or government agency, and they might even agree. From firewalls-owner Thu Feb 5 20:36:25 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA16502; Thu, 5 Feb 1998 15:32:22 -0800 (PST) Received: from starbase.tos.net (starbase.tos.net [208.137.47.1]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id PAA16444 for ; Thu, 5 Feb 1998 15:32:07 -0800 (PST) Received: (from mail@localhost) by starbase.tos.net (8.8.4/8.8.4) id RAA21128; Thu, 5 Feb 1998 17:38:43 -0600 Received: from unknown(172.16.1.146) by starbase.tos.net via smap (V1.3) id sma021126; Thu Feb 5 17:38:22 1998 Message-Id: X-Sender: macgyver@smtp.tos.net X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0 Date: Thu, 05 Feb 1998 17:32:43 -0600 To: Lachlan McIntosh , Firewalls Mailing List From: MacGyver Subject: RE: MS ProxyServer 2.0 In-Reply-To: <51D5AE1F9F4ED111A1D6004033CAC69624CA@MAIL01> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk -----BEGIN PGP SIGNED MESSAGE----- At 05:57 AM 2/6/98 +1000, Lachlan McIntosh wrote: > > > That's the reality today in >> corporate America. Corporations decide which OS technologies to use >> depending on factors ranging from cost and scalability to politics and >> religious bias. > >I guess it comes down to where you work. > >I'm in Australia and there has been a big move to NT from Unix and >Novell based networks (and I guess to keep things on an even keel I >would have to say "small to medium networks use....." (there really >aren't any really large companies here) > That's why I qualified it and said corporate America. I've done consulting in other countries (although not Australia...yet :)) and it's amazing how different the corporate environments and priorities are. >The main market where I am in Brisbane is Government and SemiGovernment. > >Believe me Microsoft has done their work here. > >As you said Politics had a lot to do with it.....
> Undoubtedly. Microsoft's marketing arm should be required reading in any college marketing course, in my opinion. They've certainly got their act polished in that regard. >Also in my experience, the better run networks have moved to NT. > Interesting comment. I'm curious -- what did they move over from and what network protocols were they running before and after? If it's a move something akin to Novell running IPX/SPX to say NT running TCP/IP, I'd certainly agree with you that you should see a pretty hefty increase in network performance. However, that isn't necessarily due to being on NT or on any single platform, it's more due to the nature of the protocols they are running. That's why it's really hard to make sweeping statements like that -- they're hard to prove because it's almost always not an apples to apples comparison. Something that would be a better indicator would be to run the same set/suite of tools, network protocols, et al all under one platform and then another, but overall, those types of sweeping generalizations obscure the real underlying cause of performance improvement or degradation. >Where you are it may be different. > >But I can't see myself out of work for the next, ooooo, 25 or so >years........ (what a terrible pity.....) > Yes, if you can spell TCP/IP, it's a good time to be alive. :) >Linux may be a better more stable solution (that's free) but that >doesn't mean that people will use it. > >It seems that usage of the "internet" is different here as well. > >There are only two main applications - mail and web browsing. > >Corporations and government simply want to their users access to the web >and want to disallow any connections inwards, they also want totally >integrated security (you know they create the user once, assign >whatever rights he/she needs and that's it, no buggerising around with >IP addresses, dual logins, stuff like that......) > I never said that Linux was a better or more stable solution.
Linux is getting its place in the enterprise though for certain things. Companies and government alike use Linux...to what degree is really the question, and I wasn't making the case that Linux is as widely used or embraced as any other system, or that it was any better or worse. I'm just saying that I've seen it in use in many places to do different things, just as I've seen NT, Solaris, etc. >If someone can point a better application for the job, I'll gladly >change my mind and start using/recommending another application, but to >my mind the "microsoft sucks - linux will save the free world from >cultural starvation" argument is silly and childish. > Again, I didn't say MS sucks and Linux will save the world, nor did I imply it. I'm simply saying that to say any one tool/application/OS is the "only" or "best" way to go for everyone is an injustice. Each environment is unique, and in some NT is clearly the better route to go, and in others something else is, and in still others it's some combination of technologies and products. >I'm not saying that linux is bad, just that I don't think it's a >commercially viable option to have expertise in (at least in Australia) > If Linux is the only expertise someone has, I'd agree with you. However, having many operating systems and environments under your hat is an extremely marketable skill today, and having Linux or any other OS in that list isn't going to hurt you -- it can only help make you more marketable and allow you to explore a broader range of solutions. >>All I can say to this is that it's just not true. I've had numerous >>Fortune 100 companies who have decided to use Linux or *BSD in their >>enterprises to handle serious production tasks.
There are a lot of >reasons >>or it, ranging from the ability to customize what can be done due to >the >>availability of the source code, to wanting industrial strength >firewalls > >(unfortunately most government IT shops won't allow any OS applications >that don't have a vendors name stamped on them - the ones that are >generally used are VMS, NT, HPUX, solaris and Novell) > As I said earlier, irregardless of whether things are officially "sanctioned" or not in companies or governments, inevitably things like Linux will creep in. A lot of that is due to the administrators using Linux or whatever OS at home, and they eventually make headway into using it for some function on the network. Admittedly, it's usually some niche function, however, to say that something isn't there just because it's not "official" would be missing the point. Habeeb -- Habeeb J. Dihu, Managing Senior Technologist, Cirrus Technologies. 'I don't believe in the no-win scenario' -- Captain James T.
Kirk, Star Trek II: TWK. 'There is an old Vulcan proverb, `Only Nixon could go to China.`' -- Captain Spock, Star Trek VI: TUC From firewalls-owner Thu Feb 5 21:38:14 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA22429; Thu, 5 Feb 1998 13:37:41 -0800 (PST) Received: from exchange.apa.org ([192.231.215.209]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id NAA22335 for ; Thu, 5 Feb 1998 13:37:23 -0800 (PST) Received: by exchange.apa.org with Internet Mail Service (5.5.1960.3) id ; Thu, 5 Feb 1998 16:45:47 -0500 Message-ID: From: Richard Casale To: firewalls@GreatCircle.COM Subject: Firewall Failover Date: Thu, 5 Feb 1998 16:45:39 -0500 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Has anyone out there ever used (successfully) Octopus HA and Firewall-1 (CheckPoint)?
From firewalls-owner Thu Feb 5 22:38:27 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id QAA09073; Thu, 5 Feb 1998 16:52:20 -0800 (PST) Received: from rintintin.gv-itf.unisource.nl (rintintin.gv-itf.unisource.nl [62.12.30.2]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id OAA00961 for ; Thu, 5 Feb 1998 14:24:00 -0800 (PST) Received: (from frank@localhost) by rintintin.gv-itf.unisource.nl (8.8.5/8.8.5) id XAA07638; Thu, 5 Feb 1998 23:27:12 +0100 Message-ID: <19980205232712.24820@rintintin.gv-itf.unisource.nl> Date: Thu, 5 Feb 1998 23:27:12 +0100 From: Frank de Lange To: mcwilkin Cc: firewalls@GreatCircle.COM Subject: Re: Wingate 2 vulnerabilities References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.76 In-Reply-To: ; from mcwilkin on Thu, Feb 05, 1998 at 09:51:31AM -0700 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thu, Feb 05, 1998 at 09:51:31AM -0700, mcwilkin wrote: > Ok, at the risk of asking too generic a question - anybody got any thought > on a proxy called WinGate? > Other than the obvious shortcomings inherent in the M$ environment, anyone > have any opinions on the product itself? To answer your question, please read this repost of a message recently posted to the BUGTRAQ list: From owner-bugtraq@NETSPACE.ORG Thu Feb 5 18:05:03 1998 Date: Fri, 6 Feb 1998 04:49:00 +1300 From: Alan Brown admin access Subject: Wingate abuse problems continue. To: BUGTRAQ@NETSPACE.ORG A heads up for the list's readers. We saw the response to complaints about Wingate's default settings from Wingate's authors several months ago. As a reminder, Wingate is a product to allow IP masquerading through a windows 95 platform. Unfortunately by default it binds to ALL network ports, including the WAN port. Wingate is being used extensively by IRC abusers and is starting to be used heavily by SMTP abusers (ie, Spammers) via the open Socks port on dialup modem connections. 
As far as I can see, from the point of view of abuse control, wingate is currently a disaster for anyone trying to track abusers. It doesn't log connects by default, so the only way the abusers can be traced is via the netstat command on the victim win95 machine - and most win95 users being relayed through don't have enough of a clue to be able to do this, let alone know that they're being used as pawns in attacks. IRC abuse via Wingates appears to be increasing exponentially as more and more abuse scripts appear which use them. Several seen recently will connect to 50 or more machines in order to effect denial of service attacks on IRC users and services. Presumably the same rapid increase will soon be seen in SMTP relaying attacks. AB -- Frank de Lange | +31-70-3712708 day | +31-320-252965 night | frank.de.lange@inet.unisource.nl | frank.de.lange@net.info.nl | WARNING: Do not add these addresses to any mass mailing list without prior approval of the address owner.
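A triage helper for the situation the Bugtraq post describes (no connection logging by default, so netstat on the proxy host is the only trace), added here as an example and not code from any of the list posts or from the Wingate product: it parses netstat -an style output, reports whether the SOCKS listener is bound to every interface (WAN side included), and separates LAN hosts from outside hosts currently using the proxy. The SOCKS port 1080, the RFC 1918 test for "inside", and the sample netstat lines are assumptions.

```python
import ipaddress

SOCKS_PORT = 1080  # assumed SOCKS listener port for this example

# Addresses treated as the LAN side of the proxy (assumption: RFC 1918 + loopback)
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_internal(ip_text):
    """True for loopback or RFC 1918 addresses, i.e. the LAN side of the proxy."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:        # '*' or an unresolved name: not a LAN peer
        return False
    return any(ip in net for net in PRIVATE_NETS)


def parse_netstat(text):
    """Parse `netstat -an` style lines into dicts; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].upper() not in ("TCP", "UDP"):
            continue
        lip, _, lport = parts[1].rpartition(":")
        rip, _, rport = parts[2].rpartition(":")
        rows.append({
            "proto": parts[0].upper(),
            "local_ip": lip,
            "local_port": int(lport) if lport.isdigit() else None,
            "remote_ip": rip,
            "remote_port": int(rport) if rport.isdigit() else None,
            "state": parts[3] if len(parts) > 3 else "",
        })
    return rows


def assess_socks_relay(text, socks_port=SOCKS_PORT):
    """Summarise what the SOCKS listener is doing right now.

    Returns a dict with:
      wan_bound      - listener sits on 0.0.0.0 (every interface, WAN included)
      external_peers - sorted remote IPs outside the LAN talking to the SOCKS port
      internal_peers - sorted LAN remote IPs talking to the SOCKS port
    Outside peers on the SOCKS port are the relay abuse the post describes.
    """
    wan_bound = False
    external, internal = set(), set()
    for r in parse_netstat(text):
        if r["proto"] != "TCP" or r["local_port"] != socks_port:
            continue
        if r["state"] == "LISTENING":
            if r["local_ip"] in ("0.0.0.0", "*"):
                wan_bound = True
            continue
        if is_internal(r["remote_ip"]):
            internal.add(r["remote_ip"])
        else:
            external.add(r["remote_ip"])
    return {"wan_bound": wan_bound,
            "external_peers": sorted(external),
            "internal_peers": sorted(internal)}


# Constructed sample resembling `netstat -an` on a dial-up Win95 host running
# the proxy; addresses come from documentation ranges, not real hosts.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:1080           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:23             0.0.0.0:0              LISTENING
  TCP    192.168.0.1:1080       192.168.0.7:1033       ESTABLISHED
  TCP    203.0.113.45:1080      198.51.100.23:4172     ESTABLISHED
  TCP    203.0.113.45:1080      198.51.100.23:4173     ESTABLISHED
  TCP    203.0.113.45:1080      192.0.2.200:2211       ESTABLISHED
  TCP    203.0.113.45:1061      192.0.2.77:6667        ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

if __name__ == "__main__":
    report = assess_socks_relay(SAMPLE_NETSTAT)
    print("SOCKS listener bound to all interfaces:", report["wan_bound"])
    print("outside hosts using the proxy:", report["external_peers"])
    print("LAN hosts using the proxy:", report["internal_peers"])
```

The last TCP line in the sample (local port 1061 to a remote port 6667) is the proxy's own outbound IRC leg and is deliberately not counted; only connections arriving at the SOCKS port are attributed to peers.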
From firewalls-owner Thu Feb 5 23:18:08 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id TAA07418; Thu, 5 Feb 1998 19:00:53 -0800 (PST) Received: from mail.clarityconnect.com (mail.clarityconnect.com [206.64.143.5]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id TAA07395 for ; Thu, 5 Feb 1998 19:00:44 -0800 (PST) Received: from xbwesrtn (206.114.171.26) by mail.clarityconnect.com with SMTP (Eudora Internet Mail Server 2.0.1); Thu, 5 Feb 1998 19:38:23 +0000 Message-Id: <3.0.5.32.19980205194310.007a3690@mail.clarityconnect.com> X-Sender: santercon@mail.clarityconnect.com X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.5 (32) Date: Thu, 05 Feb 1998 19:43:10 -0500 To: firewalls-digest@GreatCircle.COM From: Dave Santeramo Subject: DNS cache attack Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Recently my employers started to have random porn images appearing on WWW browsers. I concluded that the cache was corrupt and the best course of action was to dump the cache server. I read the announcement from the DOE and suspect we were victims of a cache poisoning attack. Does anyone have any good info regarding such an attack?
Dave From firewalls-owner Thu Feb 5 23:37:55 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA03288; Thu, 5 Feb 1998 23:12:40 -0800 (PST) Received: from maili.intern.Austria.EU.net (melone.austria.eu.net [193.154.142.240]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id XAA03261 for ; Thu, 5 Feb 1998 23:12:30 -0800 (PST) Received: from vindobona.intern.austria.eu.net (vindobona.intern.Austria.EU.net [192.168.191.165]) by maili.intern.Austria.EU.net (8.8.6/8.8.6) with ESMTP id IAA26170; Fri, 6 Feb 1998 08:18:43 -0100 (GMT) Received: (from cr@localhost) by vindobona.intern.austria.eu.net (8.7.6/8.7.3) id IAA02004; Fri, 6 Feb 1998 08:18:15 +0100 Date: Fri, 6 Feb 1998 08:18:15 +0100 Message-Id: <199802060718.IAA02004@vindobona.intern.austria.eu.net> From: Christian Reiser To: beckers@josephus.furph.com CC: firewalls@GreatCircle.COM In-reply-to: (message from Becki Kain on Thu, 5 Feb 1998 15:38:09 -0500 (EST)) Subject: Re: looking for router firewalls Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >I am looking for ideas on good firewall software for routers, and the Take a look at the firewall feature set of CISCO (available for IOS 11.2 P or higher).
Greetings from Vienna/Austria Kind regards, CR -- ~~~~~~~ EUnet at Exponet 98 -- Level 2, Stand 22 ~~~~~~~ Christian Reiser (EUnet Austria) e-mail: C.Reiser@Austria.EU.net Tel: +431 899 33-0 http://www.Austria.EU.net/ Fax: +431 899 33-533 CR86-RIPE priv: C.Reiser@ieee.org From firewalls-owner Thu Feb 5 23:52:47 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id TAA11117; Thu, 5 Feb 1998 19:15:16 -0800 (PST) Received: from siamrelay.com (siamrelay.com [192.41.50.181]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id RAA21081 for ; Thu, 5 Feb 1998 17:58:33 -0800 (PST) Received: from production ([202.59.252.139]) by siamrelay.com (8.8.5) id TAA10229; Thu, 5 Feb 1998 19:04:18 -0700 (MST) Message-Id: <3.0.5.32.19980206085108.00b3ee00@pop.siamrelay.com> X-Sender: emmanuel@pop.siamrelay.com X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Fri, 06 Feb 1998 08:51:08 To: firewalls@GreatCircle.COM From: Emmanuel Gadaix Subject: Re: Wingate 2 vulnerabilities In-Reply-To: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 09:51 AM 2/5/98 -0700, mcwilkin wrote: >Ok, at the risk of asking too generic a question - anybody got any thought >on a proxy called WinGate? Michael, Here is a post from Alan Brown that appeared on Bugtraq today: Sender: Bugtraq List From: Alan Brown admin access Subject: Wingate abuse problems continue. To: BUGTRAQ@NETSPACE.ORG A heads up for the list's readers. We saw the response to complaints about Wingate's default settings from Wingate's authors several months ago. As a reminder, Wingate is a product to allow IP masquerading through a windows 95 platform. Unfortunately by default it binds to ALL network ports, including the WAN port. Wingate is being used extensively by IRC abusers and is starting to be used heavily by SMTP abusers (ie, Spammers) via the open Socks port on dialup modem connections.
As far as I can see, from the point of view of abuse control, wingate is currently a disaster for anyone trying to track abusers. It doesn't log connects by default, so the only way the abusers can be traced is via the netstat command on the victim win95 machine - and most win95 users being relayed through don't have enough of a clue to be able to do this, let alone know that they're being used as pawns in attacks. IRC abuse via Wingates appears to be increasing exponentially as more and more abuse scripts appear which use them. Several seen recently will connect to 50 or more machines in order to effect denial of service attacks on IRC users and services. Presumably the same rapid increase will soon be seen in SMTP relaying attacks. AB From firewalls-owner Fri Feb 6 00:43:44 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA20192; Thu, 5 Feb 1998 13:23:20 -0800 (PST) Received: from mast.webhooks.com ([207.106.164.22]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id NAA20156 for ; Thu, 5 Feb 1998 13:23:06 -0800 (PST) Received: from DannyGumport.com ([166.55.69.146]) by mast.webhooks.com (Post.Office MTA v3.1.2 release (PO203-101c) ID# 554-33936U100L100S0) with ESMTP id AAA3768; Thu, 5 Feb 1998 16:28:46 -0500 Message-ID: <34DA2EAE.805EA3E9@DannyGumport.com> Date: Thu, 05 Feb 1998 16:27:10 -0500 From: dgumport@dannygumport.com (Danny Gumport) Organization: dgDOTcom X-Mailer: Mozilla 4.04 [en] (Win95; U) MIME-Version: 1.0 To: Lachlan McIntosh CC: "'firewalls@GreatCircle.COM'" Subject: Re: MS ProxyServer 2.0 - Not a Linux solution... References: <51D5AE1F9F4ED111A1D6004033CAC69624CB@MAIL01> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Lachlan, I think you are correct about requiring a corporate backbone for the os on the machines acting as your firewall to the Net. 
I think the real argument is over security by obscurity (the MS solution - if you know too much then it is not secure) VS open security (security based on the security administrator defining the rules and understanding what happens behind the scenes and being able to integrate multiple vendors solutions based on the load req's of the servers.). MS says build it and it will scale. SUN & SGI says 'model your problem and we will solve it' - I like the latter. -Danny G Lachlan McIntosh wrote: > > > than large companies are *ESPECIALLY* heterogeneous > >environments, where you have some users who are Win 3.1, some Win 95, > some > >NT workstation, some Macs, and some Unix That's the reality today in > > > corporate America. Corporations decide which OS technologies to use > > > depending on factors ranging from cost and scalability to politics > > and > > > religious bias. > > > > I guess it comes down to where you work. > > > > I'm in Australia and there has been a big move to NT from Unix and > > Novell based networks (and I guess to keep things on an even keel I > > would have to say "small to medium networks use....." (there really > > aren't any really large companies here) > > > > The main market where I am in Brisbane is Government and > > SemiGovernment. > > > > Believe me Microsoft has done their work here. > > > > As you said Politics had a lot to do with it..... > > > > Also in my experience, the better run networks have moved to NT. > > > > Where you are it may be different. > > > > But I can't see myself out of work for the next, ooooo, 25 or so > > years........ (what a terrible pity.....) > > > > Linux may be a better more stable solution (that's free) but that > > doesn't mean that people will use it. > > > > It seems that usage of the "internet" is different here as well. > > > > There are only two main applications - mail and web browsing.
> > > > Corporations and government simply want to their users access to the > > web and want to disallow any connections inwards, they also want > > totally integrated security (you know they create the user once, > > assign whatever rights he/she needs and that's it, no buggerising > > around with IP addresses, dual logins, stuff like that......) > > > > If someone can point a better application for the job, I'll gladly > > change my mind and start using/recommending another application, but > > to my mind the "microsoft sucks - linux will save the free world from > > cultural starvation" argument is silly and childish. > > > > I'm not saying that linux is bad, just that I don't think it's a > > commercially viable option to have expertise in (at least in > > Australia) > > > > >All I can say to this is that it's just not true. I've had numerous > > >Fortune 100 companies who have decided to use Linux or *BSD in their > > >enterprises to handle serious production tasks. There are a lot of > > reasons > > >or it, ranging from the ability to customize what can be done due to > > the > > >availability of the source code, to wanting industrial strength > > firewalls > > > > (unfortunately most government IT shops won't allow any OS applications > > that don't have a vendors name stamped on them - the ones that are > > generally used are VMS, NT, HPUX, solaris and Novell) > > > > > > Lachlan McIntosh -- ________________________________________________________________________ Danny Gumport Phone: (212) 593-0689 mailto:Me@DannyGumport.com Fax: (212) 832-7502 http://WWW.DannyGumport.com From firewalls-owner Fri Feb 6 01:53:13 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id BAA00800; Fri, 6 Feb 1998 01:43:49 -0800 (PST) Received: from central.webforum.de (central.webforum.de [193.141.169.166]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id BAA00675 for ; Fri, 6 Feb 1998 01:43:26 -0800 (PST) Received: (from
uucp@localhost) by central.webforum.de (8.7.6/8.7.6-webforum) id KAA23733; Fri, 6 Feb 1998 10:49:09 GMT Received: from localhost (klaus@localhost) by gaston.m.isar.de (8.7.6/8.7.6-webforum) with SMTP id KAA31349; Fri, 6 Feb 1998 10:48:48 GMT X-Authentication-Warning: gaston.m.isar.de: klaus owned process doing -bs Date: Fri, 6 Feb 1998 10:48:48 +0000 (WET) From: Klaus Lichtenwalder X-Sender: klaus@gaston.m.isar.de To: "Williams, Todd" cc: "'firewalls@greatcircle.com'" Subject: Re: Sendmail/smap anti-relay measures In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thu, 5 Feb 1998, Williams, Todd wrote: > Is there any way to prevent a firewall running smapd (port 25) from > acting as a mail relay for mail that neither came from, nor is going to, > your domain? Our mailer is sendmail 8.8.8, and I've put into my > sendmail.cf the anti-relay measures suggested on several websites > (sendmail.org being one). If I kill smap & just run sendmail as a > daemon, they work great. However, if I run smapd as the primary > listener, the rules fail & the mail gets relayed. Thanks! > Well, there are patches to smap by Simson Garfinkel that do what you describe. Sorry, can't remember where I got them, but you might find them by checking deja news or mailing me ;-) Klaus Lichtenwalder ------------------------------------------------------------------------ Klaus Lichtenwalder, Dipl. 
Inform., PGP Key: email to key@Four11.com Lichtenwalder@ACM.org http://www.wp.com/Klaus K.Lichtenwalder@Computer.org fax: +49-89-91072699 Mausoberflaechen sind meistens pelzig -- Ricarda From firewalls-owner Fri Feb 6 02:40:21 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id BAA25571; Fri, 6 Feb 1998 01:01:18 -0800 (PST) Received: from inet.unisource.nl (mail.inet.unisource.nl [194.151.95.4]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id BAA25538 for ; Fri, 6 Feb 1998 01:00:35 -0800 (PST) Received: from inet.unisource.nl (inet.unisource.nl [194.151.95.4]) by inet.unisource.nl (8.8.5/8.8.5) with SMTP id KAA18150; Fri, 6 Feb 1998 10:00:39 +0100 (MET) Date: Fri, 6 Feb 1998 10:00:38 +0100 (MET) From: Rob Poland Reply-To: Rob Poland Subject: Re: looking for router firewalls To: firewalls@GreatCircle.COM cc: Becki Kain In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Take a look at http://www.cisco.com/warp/public/732/net_foundation/fire_ds.htm for information on the Cisco's IOS Firewall feature set for the 1600 and 2500 series routers. Anyone already has some experiences with Cisco's feature set? RP > I am looking for ideas on good firewall software for routers, and the > routers have not been purchased yet, so the brand is flexible. I realise > router firewalls are not thought of as "as good as" something like a netra > or a bastion host with firewall software on it, but it's what the customer > wants (so as to appease both camps of unix and windows). it would be for > about 150 pc hosts and 35 unix boxes. 
> > thanks > > beckers > From firewalls-owner Fri Feb 6 02:55:34 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA03750; Fri, 6 Feb 1998 02:39:00 -0800 (PST) Received: from dmzexc1.dmz.garanti.com.tr ([195.175.151.104]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id CAA03740 for ; Fri, 6 Feb 1998 02:38:54 -0800 (PST) Received: by mailser.dmz.garanti.com.tr with Internet Mail Service (5.0.1458.49) id <11PWPL4R>; Fri, 6 Feb 1998 12:43:31 +0200 Message-ID: <61E076C62A80D111905300805FF50185F23F@gtiexc1.fw.garanti.com.tr> From: "Cihan Subasi (Garanti Ticaret)" To: "'Dave Santeramo'" , firewalls-digest@GreatCircle.COM Subject: RE: DNS cache attack Date: Fri, 6 Feb 1998 12:41:40 +0200 X-Priority: 3 X-Mailer: Internet Mail Service (5.0.1458.49) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I would like to have info about the same thing as well!!! > -----Original Message----- > From: Dave Santeramo [SMTP:santercon@mail.clarityconnect.com] > Sent: 06 ?ubat 1998 Cuma 02:43 > To: firewalls-digest@GreatCircle.COM > Subject: DNS cache attack > > > > Recently my employers started to have random porn images appearing > on WWW browsers. I concluded that the cache was corrupt and the > best course of action was to dump the cache server. I read the > announcement from the DOE and suspect we were victims of a cache > poisoning attack. Does anyone have any good info regarding such an > attack? 
> Dave From firewalls-owner Fri Feb 6 04:36:39 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id EAA27270; Fri, 6 Feb 1998 04:11:50 -0800 (PST) Received: from brasilnet.com.br (admin.brasilnet.com.br [200.251.221.5]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id DAA22290 for ; Fri, 6 Feb 1998 03:50:02 -0800 (PST) Received: from ppp11.brasilnet.com.br by brasilnet.com.br; (5.65v3.0/1.1.8.2/18Sep96-1223PM) id AA09912; Fri, 6 Feb 1998 10:00:15 -0200 Received: by localhost with Microsoft MAPI; Fri, 6 Feb 1998 09:54:12 -0200 Message-Id: <01BD32E5.2D5533A0.jane-t@usa.net> From: Jane Marie Teichmann To: "'Firewalls@greatcircle.com'" Subject: Re: Firewall Statistics-Summary Date: Fri, 6 Feb 1998 09:54:11 -0200 Organization: Magnesita S/A X-Mailer: Microsoft Internet E-mail/MAPI - 8.0.0.4211 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Thanks you all who answered my question. I could not fine realyy any statistics per platform and market tendencies. Here is a summary of the answers I've received. 1. Good place to look for information on firwalls: www.icsa.net 2. The best selling firewall?: checkpoint. (could not find statistics per platforms or tendencies nowadays) Many think Eagle is the leader in NT market. 3. The best firewall? Each one has its own oppinion, but the most of the people suggested these three as the most safe: a) Firewall-1 : http://www.checkpoint.com b) Eagle : http://www.raptor.com c) Gauntlet : http://www.tis.com 4. If what you need is only browser and e-mail, you don't need a firewall at all 5. NT is not as safe as Unix. 6. Market-share is not a good parameter to choose a firewall. You need one that meets your network security policy. 7. The most recent market survey of users was done by CSI and Zona. 
The top 5 firewalls reported in use were: Check Point Firewall-1 18.89% TIS Gauntlet 15.50% Cisco PIX 12.83% Raptor Eagle 8.72% SCC Sidewinder 6.30% From firewalls-owner Fri Feb 6 04:55:58 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id EAA08471; Fri, 6 Feb 1998 04:50:33 -0800 (PST) Received: from shell.bnl.net (opengate.4d.net [207.137.152.12]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id EAA08443 for ; Fri, 6 Feb 1998 04:50:24 -0800 (PST) Received: from localhost (marlowe@localhost) by shell.bnl.net (8.8.8/8.8.7) with SMTP id EAA06907; Fri, 6 Feb 1998 04:57:26 -0800 (PST) (envelope-from marlowe@bnl.net) Date: Fri, 6 Feb 1998 04:57:25 -0800 (PST) From: Matthew Marlowe To: "Cihan Subasi (Garanti Ticaret)" cc: "'Dave Santeramo'" , firewalls-digest@GreatCircle.COM Subject: RE: DNS cache attack In-Reply-To: <61E076C62A80D111905300805FF50185F23F@gtiexc1.fw.garanti.com.tr> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Delete the cache, sadly that is the only way. On Fri, 6 Feb 1998, Cihan Subasi (Garanti Ticaret) wrote: > I would like to have info about the same thing as well!!! > > > -----Original Message----- > > From: Dave Santeramo [SMTP:santercon@mail.clarityconnect.com] > > Sent: 06 ?ubat 1998 Cuma 02:43 > > To: firewalls-digest@GreatCircle.COM > > Subject: DNS cache attack > > > > > > > > Recently my employers started to have random porn images appearing > > on WWW browsers. I concluded that the cache was corrupt and the > > best course of action was to dump the cache server. I read the > > announcement from the DOE and suspect we were victims of a cache > > poisoning attack. Does anyone have any good info regarding such an > > attack? 
> > Dave > From firewalls-owner Fri Feb 6 05:10:36 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id DAA22401; Fri, 6 Feb 1998 03:50:23 -0800 (PST) Received: from c00958-100lez.eos.ncsu.edu (c00958-100lez.eos.ncsu.edu [152.1.26.78]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id DAA22228 for ; Fri, 6 Feb 1998 03:49:46 -0800 (PST) Received: from localhost (jkwilli2@localhost) by c00958-100lez.eos.ncsu.edu (8.8.4/UC02Jan97) with SMTP id GAA19464 for ; Fri, 6 Feb 1998 06:54:07 -0500 (EST) X-Authentication-Warning: c00958-100lez.eos.ncsu.edu: jkwilli2 owned process doing -bs Date: Fri, 6 Feb 1998 06:54:07 -0500 (EST) From: Ken Williams X-Sender: jkwilli2@c00958-100lez.eos.ncsu.edu To: firewalls@GreatCircle.COM Subject: FireWall Humor (FREE INTERNET FIREWALL (fwd)) Message-ID: X-Copyright: The contents of this message may not be reproduced in any form X-Copyright: (including Commercial use) unless specific permission is granted X-Copyright: by the author of the message. All requests must be in writing. X-Disclaimer: The contents of this email are for educational purposes only X-Disclaimer: and do not reflect the thoughts or opinions of either myself X-Disclaimer: or my employer and are not endorsed by sponsored by or provided X-Disclaimer: on behalf of North Carolina State University. MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Content-Transfer-Encoding: QUOTED-PRINTABLE Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Doesn't ELRON make all that stuff that sells for $19.95 on TV, or are they the company that does the higher/lower(?) class Infomercials? 
Ken=20 ---------- Forwarded message ---------- Date: Fri, 6 Feb 1998 05:45:47 -0400 From: oliver grant To: jkwilli2@unity.ncsu.edu Subject: FREE INTERNET FIREWALL ******************************** **********************************=20 >>ELRON FIREWALL FREE 30-DAY-TRIAL<< Protect your Windows NT and Novell network from hackers=20 with the award winning Elron Firewall FREE Configuration, Installation and FREE Tech Support included =20 >>Call (800) 548-8871 today to get your FREE 30-day trial << Or reply to this email with your contact details Remember there's no cost and no obligation=20 ****************************** ************************************ Dear Network Professional, The Internet is critical resource, but by connecting to the Internet your= =20 network and your valuable data immediately become vulnerable to hacker atta= ck. You've probably known for some time, that you need a firewall -=20 so why have you delayed? Probably because you know that traditional=20 firewalls are costly, complex, require outside consultants and take=20 you and your staff many days to install and configure. There is an answer=85 And its yours to trial absolutely FREE for 30-days,= =20 no cost or obligation. The Elron Firewall is an easy to use, plug and play firewall that runs on a standard Intel PC and includes everything you'll need to protect your Windows NT or NetWare network - including free installation and=20 configuration.=20 Not only does Elron Firewall run on a low cost PC, but we'll even install= =20 and configure your FREE 30-day firewall trial. Your network will be=20 protected easily and quickly - but don't take our word for it, just see=20 what Network Week said about Elron Firewall when they gave it their=20 Editor's Choice Award. "Elron Firewall is a usable straightforward product for securing your= =20 network, and its ease of use makes it superior to its rivals. 
=20 And, yes - we were able to install it in 20 minutes"=20 NetWork Week, - Elron Firewall Editor's Choice Awa= rd Elron Firewall is a complete plug and play solution, not only will it provi= de protection from hackers but it also includes: *FREE Encryption - create virtual private networks (VPN) using DES/IPSEC=20 standards=20 *FREE IP Address Translation - connect unregistered IP Addresses to the=20 Internet and hide internal IP addresses from hackers, plus when you change= =20 ISPs you won't need to change all your users IP Addresses - a big time save= r! *FREE User Authentication allows travelling executives and sales reps to=20 work remotely with full security *FREE DMZ - segment high traffic parts of your network, like your web serve= r=20 >from the rest of the network for maximum security and control. >>> FREE No Cost No Obligation 30-Day Trial Try Elron Firewall FREE for 30 days. We'll ship you a fully loaded working trial, at no cost and no obligation to you. Plus, we'll walk you step by= =20 step through the installation and configuration of your Elron Firewall so= =20 you can make sure that your network is secure. >>> Try Elron Firewall FREE for 30 days, No Cost, No Obligation <<<< Act now! Reply to this email giving your contact details or call=20 (800) 548-8871 to request your Elron Firewall hardware trial. There's=20 no cost and no obligation. Don't forget to mention your FREE Trial=20 Registration Code: FW0087 Sincerely, Oliver Grant Elron Firewall Customer Service Manager P.S. Act NOW! Call (800) 548-8871 to reserve your free trial today or just reply to this email giving your name, address and telephone number. 
YOUR FREE Trial Registration Code is FW0087 Some more info for you on Elron Firewall: =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D #1 =09Runs on a standard Intel Based PC. No need to buy expensive hardware. #2 =09Support for more Protocols, filters and services than any other=20 firewall=20 #3 =09Elron Firewall's Secure32OS is designed specifically for Internet=20 securityand firewall protection #4 =09Protects Unix, Windows NT and NetWare Networks #5=09Hides your IP Addresses from hackers! #6=09Completely Transparent to End-Users. No without Proxy Server Agents or SOCKs modifications #7=093rd Generation Stateful Multi-Layer Inspection (SMLI) -=20 Complete Application Level Protection #8=09ICSA Certified #9=09FREE Configuration, FREE Installation and FREE Tech Support >>> FREE Trial Registration Code: FW0087 **|Liszt/INTERNET-HACKING|jkwilli2@unity.ncsu.edu **|jkwilli2@unity.ncsu.edu From firewalls-owner Fri Feb 6 05:56:17 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id BAA28121; Fri, 6 Feb 1998 01:35:16 -0800 (PST) Received: from firstnetcom.atinet.com.au (mail-syd.atinet.com.au [203.35.110.3]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id AAA20182 for ; Fri, 6 Feb 1998 00:34:25 -0800 (PST) Received: from ppp-134.atinet.com.au (ppp-134.atinet.com.au [203.35.110.134]) by firstnetcom.atinet.com.au (NTMail 3.02.10) with ESMTP id ua007898 for ; Fri, 6 Feb 1998 19:38:47 +1100 Received: from wagner (wagner.winspace.net [192.168.0.6]) by mozart.winspace.net (8.8.8/8.7.3) with SMTP id TAA00583; Fri, 6 Feb 1998 19:40:45 +1100 From: "Norman Widders" Date: Fri, 6 Feb 1998 19:40:09 +1000 (GMT) Subject: Re: imapd/ipop3d coredump - the patch. 
To:
Reply-To:
Organization: Paladin Corporation
Message-Id:
X-Mailer: Paladin IMAP4 Client v3.0
In-Reply-To: <19980205114231.31267@texas.net>
References:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Content-Transfer-Encoding: 7BIT
Content-ID:
X-Info: ATINet POP3 Server - http://www.atinet.com.au
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 5 Feb 1998 11:42:31 -0600 Michael Douglass wrote:

All hell breaks loose if you say "oh, I'm running an old version of sendmail", why should it be any different with running the latest imapd... I really hope you folks aren't patching old source.... heheh

If a linux distro has an old daemon then insist that the packagers replace it with _the_ most recent. Mind you, I tried this and they usually don't take any notice of you... so download that new source pronto... B)

And if you are running an imap2 or imap4 server, replace them immediately with an imap4rev1 server (rfc1730/1732 are dead)

> On Thu, Feb 05, 1998 at 09:45:38AM +0200, raf@licj..... (Bugtraq Mirror) said:
> > > - if (!(pw && pw->pw_uid)) return NIL;
> > > + if (!(pw)) return NIL;
> > + if (!(pw->pw_uid)) return NIL;
> >
> > ... why do we need "optimisations" when authenticating users ???? :)
> > and btw: in original version root was still able to log in...
>
> You are very incorrect here. Both your version and the original
> version do the exact same thing: If pw = valid_addr && pw->pw_uid
> = 0 then it would return NIL; which would deny root.
>
> However, the _readable_ way to write this would be:
>
> if( !pw || !pw->pw_uid ) return NIL;
>
> This stops if pw is not valid or if pw->pw_uid is 0. This is exactly
> the same as the first statement since:
>
> !(A && B) == !A || !B
>
> ...only much more readable.
>
> --
> Michael Douglass
> Texas Networking, Inc.
>
> anyway, I'm off, perl code is making me [a] crosseyed toady -- wheres my valium ?
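Review bot: the two `+` lines in the quoted hunk do not change behaviour relative to the `-` line. `!(pw && pw->pw_uid)` already returns NIL for a NULL `pw` (the `&&` short-circuits, so `pw->pw_uid` is never dereferenced) and for a `pw` whose `pw_uid` is 0, which is exactly what `if (!(pw)) return NIL;` followed by `if (!(pw->pw_uid)) return NIL;` does one condition at a time, so the claim that "in original version root was still able to log in" is not supported by the quoted lines. If readability is the goal, the single condition `if( !pw || !pw->pw_uid ) return NIL;` given in the reply is the better form: it keeps the NULL check and the uid-0 check visibly together, and it is the direct De Morgan rewrite of the original. Note also that in all three forms only uid 0 is refused; any other uid passes this check, which is the intended scope of the line.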
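To make the equivalence argued in the thread concrete, here is an added example (not code from the thread, from imapd or from Michael Douglass) that puts the three forms side by side and checks them over the three cases the line distinguishes: no such user (`pw == NULL`), root (uid 0) and an ordinary account. It assumes a stand-in `struct pw_entry` with only the `pw_uid` field, since that is the only field the quoted check reads; the uid 1000 is a constructed sample value.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for struct passwd (assumption: only pw_uid is consulted by the
   check). The real field is a uid_t; unsigned int is enough for this test. */
struct pw_entry {
    unsigned int pw_uid;
};

/* Form 1: the original line removed by the posted patch.
   Returns true when the login must be refused (imapd returns NIL there). */
bool deny_original(const struct pw_entry *pw)
{
    return !(pw && pw->pw_uid);
}

/* Form 2: the two-statement replacement proposed in the patch. */
bool deny_patched(const struct pw_entry *pw)
{
    if (!(pw)) return true;          /* unknown user: lookup returned NULL */
    if (!(pw->pw_uid)) return true;  /* uid 0: refuse root */
    return false;
}

/* Form 3: the single condition Douglass suggests; De Morgan's law applied
   to form 1, i.e. !(A && B) == !A || !B. */
bool deny_readable(const struct pw_entry *pw)
{
    return !pw || !pw->pw_uid;
}

/* Convenience probes so each form can be queried with a bare uid. */
int denies_uid_original(unsigned int uid) { struct pw_entry e = { uid }; return deny_original(&e); }
int denies_uid_patched(unsigned int uid)  { struct pw_entry e = { uid }; return deny_patched(&e); }
int denies_uid_readable(unsigned int uid) { struct pw_entry e = { uid }; return deny_readable(&e); }

/* Compare all three forms over the cases that matter. Returns 1 when every
   form refuses NULL and uid 0 and admits the ordinary account, 0 otherwise. */
int forms_agree(void)
{
    struct pw_entry root = { 0 };
    struct pw_entry user = { 1000 };                 /* constructed sample uid */
    const struct pw_entry *cases[] = { NULL, &root, &user };
    const bool expect_deny[] = { true, true, false };

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        bool a = deny_original(cases[i]);
        bool b = deny_patched(cases[i]);
        bool c = deny_readable(cases[i]);
        if (a != expect_deny[i] || b != expect_deny[i] || c != expect_deny[i])
            return 0;
    }
    return 1;
}

int main(void)
{
    int ok = forms_agree();
    printf("all three forms agree on NULL, uid 0 and uid 1000: %s\n", ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```

The NULL case is the one worth keeping in mind when such a line is edited: form 1 and form 3 are only safe because `&&` and `||` short-circuit, so a later "tidy-up" that evaluates `pw->pw_uid` before testing `pw` would turn a refused login into a crash of the daemon.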
From firewalls-owner Fri Feb 6 05:56:22 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id VAA13915; Thu, 5 Feb 1998 21:44:35 -0800 (PST) Received: from eshu.request.net ([209.27.77.6]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id VAA13698 for ; Thu, 5 Feb 1998 21:43:56 -0800 (PST) Received: from max.net ([208.204.15.2]) by eshu.request.net with ESMTP id <426-27829>; Fri, 6 Feb 1998 00:49:41 -0500 Received: from zap-mama ([134.7.137.10]) by max.net with SMTP id <1734-12622>; Fri, 6 Feb 1998 00:49:24 -0500 Message-Id: <3.0.3.32.19980206134935.009d7300@bwa.net> X-Sender: lists@bwa.net X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Fri, 06 Feb 1998 13:49:35 To: firewalls@greatcircle.com From: Bret Watson Subject: RE: MS ProxyServer 2.0 In-Reply-To: References: <51D5AE1F9F4ED111A1D6004033CAC69624CA@MAIL01> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >Undoubtedly. Microsoft's marketing arm should be required reading in any >college marketing course, in my opinion. They've certainly got their act >polished in that regard. Yep - I too am in Aust. - I've found most sites move to MS mainly due to the Select CDs - also they are used to the Windows paradigm - replete with reboots :{ Its a real pity though, because apart from the user interface Novell and Unix are technically much better OS's - Novell should be ashamed at thier own marketing arm - they regularly tell "almost lies" that are easy for technical people to catch them on e.g. NW4.x is C2 compliant to RED book level where NT is only to orange - wonderful bullshit as NT 3.51 is certified and novell is not... >Interesting comment. I'm curious -- what did they move over from and what >network protocols were they running before and after? 
If it's a move >From my experience they change over using IPX/SPX and the NT server for some task - like web proxy cache, database or something similar, then the management sees the nice interface, and decideds that it would be better to go ms because they can get network flunkys with MSCE easier and cheaper than NCE or Unix gurus... after that its all downhill - it quickly shows up that NT runs the IPX gateway like a dog with one leg and people complain of slowness connecting to the NT server via IPX, Netbeui is installed and slowly the Novell and Unix stuff falls by the wayside... >>Corporations and government simply want to their users access to the web >>and want to disallow any connections inwards, they also want totally >>intergrated security (you know they create the user once, assign >>whatever rights he/she needs and that's it, no buggerising around with >>IP addresses, dual logins, stuff like that......) Single Sign-on is becoming a big thing, IMHO the work load per person is getting greater and the complexity of their tasks is increasing, they don't want to rememebr several username/passwords and I for one don't want them to write them all down on the FLYNs (translation F'ing little yellow notes).. 
Cheers, Bret Technical Incursion Countermeasures consulting@bwa.net http://www.ticm.com/ ph: (+61)(08) 9454 2487(UTC+8 hrs) fax: (+61)(08) 9429 8800 The Insider - a e'zine on Computer security http://www.ticm.com/about/insider.html From firewalls-owner Fri Feb 6 05:56:25 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA16746; Thu, 5 Feb 1998 12:54:10 -0800 (PST) Received: from mail01.directions.com.au (zzpmcint.dialin.uq.net.au [203.101.240.106]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id MAA16578 for ; Thu, 5 Feb 1998 12:53:38 -0800 (PST) Received: by MAIL01 with Internet Mail Service (5.5.1960.3) id <1F4JQPC7>; Fri, 6 Feb 1998 07:07:16 +1000 Message-ID: <51D5AE1F9F4ED111A1D6004033CAC69624D0@MAIL01> From: Lachlan McIntosh To: "'Alex A. Smirnoff'" Cc: "'firewalls@GreatCircle.COM'" Subject: RE: MS ProxyServer 2.0 sucks Date: Fri, 6 Feb 1998 07:06:55 +1000 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I still think I make more money than you. Betting your skills on Micro$oft, means an having a skill that's in high demand. Mr Smirnoff, I'd change my skills at once if I thought that I would be better off. On Thursday, 5 February 1998 19:08, Alex A. Smirnoff [SMTP:ark@convey.ru] wrote: > nuqneH, > > On Thu, Feb 05, 1998 at 07:02:59AM +1000, Lachlan McIntosh wrote: > > > the "Microsoft Proxy Client". This client exists only for Windows > > based > > > machine, thus say goodbye to other OSes. > > > > > > I think this is a solution for the dummies. > > > > > > > I don't give a fuck about other OS's! > > > > Especially a religiously supported set of freeware applications. > > > > My use of Microsoft products is purely commercial. > > > > Large customers, who pay large amounts of money, use Microsoft products. > > > I don't give a fuck about your use of Microsoft products. 
> _Large_ customers _never_ do work on M$ products only. M$ does not scale > well. Take a closer look and you'll see a big iron behind that 'doze > boxes. > > In general I\ve found purely Microsoft (NT networks) shops run a lot > > better than their Unix/Solaris counterparts. > > > > I can give specific examples if you like (but not to the list.) > > > > There is a VERY large demand for Microsoft products and it is growing. > > > > I've never had a customer ask me.... "Can you support our linux system?" > > > > > > I doesn't happen! > > > > Lachlan McIntosh > > > > > --- > > > Micro$oft -> Where to you want to crash today? > > > > > > ||| | Emmanuel Tychon, > > > O-O | nic-hdl: ET99-RIPE, nic-irc: kosinus > > > (_) | > > > oOO-----OOo | Don't be assimilated, use Linux! > > > | Linux | | > > > \-------/ | PGP key on http://pgp.ai.mit.edu From firewalls-owner Fri Feb 6 05:56:28 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id AAA22550; Fri, 6 Feb 1998 00:43:48 -0800 (PST) Received: from alpha3.superonline.com (alpha3.superonline.com [194.242.73.11]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id AAA22417 for ; Fri, 6 Feb 1998 00:43:19 -0800 (PST) Received: from postman.superonline.net ([207.19.84.119]) by alpha3.superonline.com (Post.Office MTA v3.1 release PO203a ID# 590-40531L0S0) with SMTP id AAA17466 for ; Fri, 6 Feb 1998 10:50:35 +0300 Received: by postman.superonline.net with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5) id <01BD32ED.241B9FB0@postman.superonline.net>; Fri, 6 Feb 1998 10:51:13 +0200 Message-ID: From: Oliver Tonge To: "'firewalls-digest@GreatCircle.COM'" Cc: "'Dave Santeramo'" , =?iso-8859-1?Q?Kemal_=D6zcan?= Subject: RE: DNS cache attack Date: Fri, 6 Feb 1998 10:51:10 +0200 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: 
firewalls-owner@GreatCircle.COM Precedence: bulk we had the same problem - I dont have good info on it but this is some advice we got from tech support. Since then its not happened again. I want to turn caching off but they advise us to leave it on and see if it happens again :-/ >>If so, I feel that you are experiencing some cache corruption. The >>only way to fix this is to delete the whole cache I am afraid. The >>simplest (and fastest!) way of doing this is to follow the steps in >>the SP2 release notes which are basically as follows (The wwwproxy -f >>command does work, but takes forever) >> >>* Turn off caching in the GUI >>* Stop/restart the wwwproxy >>* Delete all files in the wwwproxy cache area >>* Delete the .db and .pag files which I believe are in >>/usr/dfws/config >>* Turn on caching in the GUI >>* Stop/restart the wwwproxy >> >---------- >From: Dave Santeramo >Sent: Friday, February 6, 1998 2:43 >To: firewalls-digest@GreatCircle.COM >Subject: DNS cache attack > > > >Recently my employers started to have random porn images appearing >on WWW browsers. I concluded that the cache was corrupt and the >best course of action was to dump the cache server. I read the >announcement from the DOE and suspect we were victims of a cache >poisoning attack. Does anyone have any good info regarding such an >attack? >Dave > From firewalls-owner Fri Feb 6 06:38:47 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA23946; Fri, 6 Feb 1998 06:10:36 -0800 (PST) Received: from relay.convey.ru (relay.convey.ru [195.182.128.2]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id FAA14269 for ; Fri, 6 Feb 1998 05:19:02 -0800 (PST) Received: (from ark@localhost) by relay.convey.ru (8.8.8/8.7.3) id QAA16215 for archive; Fri, 6 Feb 1998 16:23:17 +0300 (MSK) Message-ID: <19980206162316.55901@convey.ru> Date: Fri, 6 Feb 1998 16:23:16 +0300 From: "Alex A. 
Smirnoff" To: azhang@ect.enron.com Cc: firewalls@GreatCircle.COM Subject: Re: GUI based s/key calculator for Unix References: <199802051508.JAA27980@hoscl-019.ect.enron.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.88 In-Reply-To: <199802051508.JAA27980@hoscl-019.ect.enron.com>; from azhang@ect.enron.com on Thu, Feb 05, 1998 at 09:08:41AM -0600 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk nuqneH, Will write one for $100. Did not do because i thought it is not the thing somebody needs ;) On Thu, Feb 05, 1998 at 09:08:41AM -0600, azhang@ect.enron.com wrote: > Greetings, > > Would anybody know of any GUI based s/key calculator for Unix/Solaris, > commercial or freeware? > > Anchi From firewalls-owner Fri Feb 6 06:40:53 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA24050; Fri, 6 Feb 1998 06:11:52 -0800 (PST) Received: from maili.intern.Austria.EU.net (melone.austria.eu.net [193.154.142.240]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id FAA17327 for ; Fri, 6 Feb 1998 05:31:51 -0800 (PST) Received: from vindobona.intern.austria.eu.net (vindobona.intern.Austria.EU.net [192.168.191.165]) by maili.intern.Austria.EU.net (8.8.6/8.8.6) with ESMTP id OAA01315; Fri, 6 Feb 1998 14:36:21 -0100 (GMT) Received: (from cr@localhost) by vindobona.intern.austria.eu.net (8.7.6/8.7.3) id OAA02859; Fri, 6 Feb 1998 14:35:52 +0100 Date: Fri, 6 Feb 1998 14:35:52 +0100 Message-Id: <199802061335.OAA02859@vindobona.intern.austria.eu.net> From: Christian Reiser To: jane-t@usa.net CC: Firewalls@GreatCircle.COM In-reply-to: <01BD32E5.2D5533A0.jane-t@usa.net> (message from Jane Marie Teichmann on Fri, 6 Feb 1998 09:54:11 -0200) Subject: Re: Firewall Statistics-Summary Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >3. The best firewall? Each one has its own oppinion, but the most of the >people suggested these three as the most safe: You should not forget the Cisco PIX. 
mfg CR -- ~~~~~~~ EUnet auf der Exponet 98 -- Ebene 2, Stand 22 ~~~~~~~ Christian Reiser (EUnet Austria) e-mail: C.Reiser@Austria.EU.net Tel: +431 899 33-0 http://www.Austria.EU.net/ Fax: +431 899 33-533 CR86-RIPE priv: C.Reiser@ieee.org From firewalls-owner Fri Feb 6 07:26:44 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA24136; Fri, 6 Feb 1998 06:13:10 -0800 (PST) Received: from ykbgate ([195.33.225.162]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id FAA15203 for ; Fri, 6 Feb 1998 05:23:45 -0800 (PST) Received: by ykbgate; (5.65v3.2/1.3/10May95) id AA21995; Fri, 6 Feb 1998 11:12:48 +0200 Received: by plaza.ykb.com; (5.65v3.2/1.3/10May95) id AA11713; Fri, 6 Feb 1998 15:23:21 +0200 X-Lotus-Fromdomain: YKBNOTES From: "icakmakli" To: oliver@superonline.net Cc: firewalls-digest@GreatCircle.COM, santercon@mail.clarityconnect.com, kemal@superonline.net Message-Id: Date: Fri, 6 Feb 1998 15:28:29 +0200 Subject: RE: DNS cache attack Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Well, I think we have the same problem I regulary deletes cache or have to restart the the firewall. Any good idea?? Thanks in advance. G?nderilen : firewalls-digest@GreatCircle.COM Bilgi ??in : santercon@mail.clarityconnect.com, kemal@superonline.net G?nderen : oliver@superonline.net Tarih : 06.02.98 10:51 Konu : RE: DNS cache attack --------------------------------------------------------------------------- --------------------------------------------------------------------------- -------------------------------- we had the same problem - I dont have good info on it but this is some advice we got from tech support. Since then its not happened again. I want to turn caching off but they advise us to leave it on and see if it happens again :-/ >>If so, I feel that you are experiencing some cache corruption. 
>> The only way to fix this is to delete the whole cache I am afraid. The
>> simplest (and fastest!) way of doing this is to follow the steps in
>> the SP2 release notes which are basically as follows (The wwwproxy -f
>> command does work, but takes forever)
>>
>> * Turn off caching in the GUI
>> * Stop/restart the wwwproxy
>> * Delete all files in the wwwproxy cache area
>> * Delete the .db and .pag files which I believe are in
>>   /usr/dfws/config
>> * Turn on caching in the GUI
>> * Stop/restart the wwwproxy
>>
> ----------
> From: Dave Santeramo
> Sent: Friday, February 6, 1998 2:43
> To: firewalls-digest@GreatCircle.COM
> Subject: DNS cache attack
>
> Recently my employers started to have random porn images appearing
> on WWW browsers. I concluded that the cache was corrupt and the
> best course of action was to dump the cache server. I read the
> announcement from the DOE and suspect we were victims of a cache
> poisoning attack. Does anyone have any good info regarding such an
> attack?
> Dave

From firewalls-owner Fri Feb 6 07:32:33 1998
From: "Alex A. Smirnoff"
To: Lachlan McIntosh
Cc: "'firewalls@GreatCircle.COM'"
Subject: Re: MS ProxyServer 2.0 sucks
Date: Fri, 6 Feb 1998 16:29:31 +0300
Message-ID: <19980206162931.52558@convey.ru>
In-Reply-To: <51D5AE1F9F4ED111A1D6004033CAC69624D0@MAIL01>; from Lachlan McIntosh on Fri, Feb 06, 1998 at 07:06:55AM +1000

nuqneH,

No. And i also have bigger penis than you.
Don't you think it is somewhat offtopic?

On Fri, Feb 06, 1998 at 07:06:55AM +1000, Lachlan McIntosh wrote:
> I still think I make more money than you.
>
> Betting your skills on Micro$oft, means having a skill that's in high
> demand.
>
> Mr Smirnoff, I'd change my skills at once if I thought that I would be
> better off.
>
> On Thursday, 5 February 1998 19:08, Alex A. Smirnoff
> [SMTP:ark@convey.ru] wrote:
> > nuqneH,
> >
> > On Thu, Feb 05, 1998 at 07:02:59AM +1000, Lachlan McIntosh wrote:
> > > > the "Microsoft Proxy Client". This client exists only for Windows
> > > > based machine, thus say goodbye to other OSes.
> > > >
> > > > I think this is a solution for the dummies.
> > > >
> > >
> > > I don't give a fuck about other OS's!
> > >
> > > Especially a religiously supported set of freeware applications.
> > >
> > > My use of Microsoft products is purely commercial.
> > >
> > > Large customers, who pay large amounts of money, use Microsoft
> > > products.
> > >
> > I don't give a fuck about your use of Microsoft products.
> > _Large_ customers _never_ do work on M$ products only. M$ does not
> > scale well. Take a closer look and you'll see a big iron behind that
> > 'doze boxes.
> > > In general I've found purely Microsoft (NT networks) shops run a lot
> > > better than their Unix/Solaris counterparts.
> > >
> > > I can give specific examples if you like (but not to the list.)
> > >
> > > There is a VERY large demand for Microsoft products and it is
> > > growing.
> > >
> > > I've never had a customer ask me.... "Can you support our linux
> > > system?"
> > >
> > > It doesn't happen!
> > >
> > > Lachlan McIntosh
> > >
> > > > ---
> > > > Micro$oft -> Where do you want to crash today?
> > > >
> > > >     |||       | Emmanuel Tychon,
> > > >     O-O       | nic-hdl: ET99-RIPE, nic-irc: kosinus
> > > >     (_)       |
> > > >  oOO-----OOo  | Don't be assimilated, use Linux!
> > > >  | Linux |  | |
> > > >  \-------/   | PGP key on http://pgp.ai.mit.edu

From firewalls-owner Fri Feb 6 07:41:13 1998
From: FreakaZoid
To: Firewalls
Subject: Form Letter...
Date: Fri, 06 Feb 1998 08:40:31 -0600
Message-ID: <34DB20DF.2B3D6434@bellsouth.net>

I am looking for a "form letter" to send to the owner of an IP domain that it looks like an attack on our network came from.

My bosses are concerned about the legal ramifications, and I was just curious as to what some of the other Firewall gurus are using, if anything.

Thanks in advance!!!!!!
From firewalls-owner Fri Feb 6 08:40:18 1998
From: Gordon LaSane
To: Jane Marie Teichmann, "'Firewalls@greatcircle.com'"
Subject: RE: Firewall Statistics-Summary
Date: Fri, 6 Feb 1998 10:15:21 -0500

Add in Secure Computing http://www.securecomputing.com

And you have covered your bases!

Gordon LaSane
Global Data Systems, Inc.
Internet and Intranet Firewalls and Security Group
Consulting and Installing Solutions for Your Company's Data Security:
Remote User Authentication
Internet Access
Virtual Private Networks
Web Filtering
Intranets
Firewalls

Gordon LaSane
781/740-8818 x13 ph
781/740-8830 fax
glasane@gdsconnect.com
Visit us on the web at http://www.gdsconnect.com

-----Original Message-----
From: Jane Marie Teichmann [SMTP:jane-t@usa.net]
Sent: Friday, February 06, 1998 6:54 AM
To: 'Firewalls@greatcircle.com'
Subject: Re: Firewall Statistics-Summary

Thank you all who answered my question. I could not really find any
statistics per platform and market tendencies. Here is a summary of the
answers I've received.

1. Good place to look for information on firewalls: www.icsa.net

2. The best selling firewall?: Checkpoint. (could not find statistics per
   platforms or tendencies nowadays)
   Many think Eagle is the leader in the NT market.

3. The best firewall? Each one has its own opinion, but most of the
   people suggested these three as the most safe:
   a) Firewall-1 : http://www.checkpoint.com
   b) Eagle : http://www.raptor.com
   c) Gauntlet : http://www.tis.com

4. If what you need is only browser and e-mail, you don't need a firewall
   at all

5. NT is not as safe as Unix.

6. Market-share is not a good parameter to choose a firewall. You need one
   that meets your network security policy.

7. The most recent market survey of users was done by CSI and Zona. The top
   5 firewalls reported in use were:

   Check Point Firewall-1   18.89%
   TIS Gauntlet             15.50%
   Cisco PIX                12.83%
   Raptor Eagle              8.72%
   SCC Sidewinder            6.30%

From firewalls-owner Fri Feb 6 08:41:06 1998
From: "Stackpole, Bill"
To: "'Becki Kain'", firewalls@GreatCircle.COM
Subject: RE: looking for router firewalls
Date: Fri, 6 Feb 1998 07:48:02 -0800

Ascend has a firewall option for their routers and Cisco offers a Firewall Feature Set. I've used both and they both work effectively but lack some of the logging and alert capabilities of full blown firewall servers.

> -----Original Message-----
> From: Becki Kain [SMTP:beckers@josephus.furph.com]
> Sent: Thursday, February 05, 1998 12:38 PM
> To: firewalls@GreatCircle.COM
> Subject: looking for router firewalls
>
> I am looking for ideas on good firewall software for routers, and the
> routers have not been purchased yet, so the brand is flexible. I realise
> router firewalls are not thought of as "as good as" something like a netra
> or a bastion host with firewall software on it, but it's what the customer
> wants (so as to appease both camps of unix and windows). it would be for
> about 150 pc hosts and 35 unix boxes.
>
> thanks
>
> beckers

From firewalls-owner Fri Feb 6 09:11:53 1998
From: James Croall
To: firewalls@greatcircle.com
Subject: SSL Proxies revisited
Date: Fri, 06 Feb 1998 11:57:26 -0500
Message-Id: <199802061657.LAA29670@mocha.foo.org>

A while back, somebody suggested using the HTTP proxy CONNECT method of "SSL proxies" to tunnel arbitrary services. I've started to notice that more people are picking up on this, and now AOL even supports connection to their network via this type of proxy.

Some administrators prevent users from exploiting this by only allowing CONNECT's on port 443. This doesn't help the situation too much, since a lot of secure servers out there are running on alternate ports -- and AOL's services can listen on port 443 now too.

Why aren't these "proxies" actually looking at the SSL traffic? At least check out the client and server hello messages, make sure they're legit.

I've put together some simple patches to Thede Loder's Simple SOCKS Daemon to take advantage of these SSL proxies. Assuming your proxy has not been configured just so, just run it on a unix host behind your firewall and you can use SOCKS4 to make TCP connections out to the world.

Bye-bye meaningful audit trail.

It works rather nicely with the simple fwtk, Gauntlet, and CERN proxies that I've tried it with.

http://www.foo.org/james/misc/ssockd-ssl.txt

From firewalls-owner Fri Feb 6 10:07:24 1998
From: Scott Robert Lenz
To: "'firewalls@greatcircle.com'"
Subject: FW: LINUX FIREWALLS
Date: Fri, 6 Feb 1998 10:00:48 -0700
Message-ID: <01BD32E6.19D55480.scott@neologics.com>

Do any of you out there believe in a LINUX firewall implementation as a viable resource? My network is currently NT based, but I don't wish to devote EVERYTHING to Microsquash.

What I am looking for is some good resources I can review for detailed plans about setting up and installing a LINUX firewall option.

Also, does the LINUX option allow for any subnet routing? I, unfortunately, am stuck with using MSMPR to do the routing between subnets (actually, 2 separate, legal Class C Licenses).

Whatever any of you can provide in my quest for a better option than MSPROXY would be greatly appreciated.

PS: I think we are all professional, and mature enough, not to have to blatantly flame everyone who asks a simple question. Remember, there was a time that YOU were just as new to the technology as THEM.

Scott Lenz
NeoLogics Software & Services, LLC
Evergreen, CO
(303)670-8681

From firewalls-owner Fri Feb 6 10:26:06 1998
From: Matthew Marlowe
To: FreakaZoid
cc: Firewalls
Subject: Re: Form Letter...
Date: Fri, 6 Feb 1998 09:07:38 -0800 (PST)
In-Reply-To: <34DB20DF.2B3D6434@bellsouth.net>

I call the FBI, or report it to MCI. The local authorities of that state if they are local.. Or maybe SS

On Fri, 6 Feb 1998, FreakaZoid wrote:
> I am looking for a "form letter" to send to the owner of an IP domain
> that it looks like an attack on our network came from.
>
> My bosses are concerned about the legal ramifications, and I was just
> curious as to what some of the other Firewall gurus are using, if
> anything.
>
>
> Thanks in advance!!!!!!
From firewalls-owner Fri Feb 6 11:33:06 1998
From: Peter da Silva
To: jane-t@usa.net (Jane Marie Teichmann)
Cc: Firewalls@greatcircle.com
Subject: Re: Firewall Statistics-Summary
Date: Fri, 6 Feb 1998 12:40:21 -0600 (CST)
Message-Id: <9802061840.AA02338@baileynm.com>
In-Reply-To: <01BD32E5.2D5533A0.jane-t@usa.net> from "Jane Marie Teichmann" at Feb 6, 98 09:54:11 am

> 4. If what you need is only browser and e-mail, you don't need a firewall
> at all

Yes you do, it's just that it can be a very simple one.

From firewalls-owner Fri Feb 6 11:41:07 1998
From: Peter da Silva
To: lists@bwa.net (Bret Watson)
Cc: firewalls@greatcircle.com
Subject: Re: MS ProxyServer 2.0
Date: Fri, 6 Feb 1998 12:37:44 -0600 (CST)
Message-Id: <9802061837.AA02322@baileynm.com>
In-Reply-To: <3.0.3.32.19980206134935.009d7300@bwa.net> from "Bret Watson" at Feb 6, 98 01:49:35 pm

> It's a real pity though, because apart from the user interface Novell and
> Unix are technically much better OS's - Novell should be ashamed at their
> own marketing arm - they regularly tell "almost lies" that are easy for
> technical people to catch them on e.g. NW4.x is C2 compliant to RED book
> level where NT is only to orange - wonderful bullshit as NT 3.51 is
> certified and novell is not...

Of course NT's certification is for a machine locked down so hard you can't actually run any applications or connect to a network. In any usable config NT isn't C2 certified either.

IMHO red or orange book certification is as meaningless as "sieve" benchmarks.
From firewalls-owner Fri Feb 6 11:55:53 1998
From: David Lang
To: Scott Robert Lenz
cc: "'firewalls@greatcircle.com'"
Subject: Re: FW: LINUX FIREWALLS
Date: Fri, 6 Feb 1998 10:52:15 -0800 (PST)
In-Reply-To: <01BD32E6.19D55480.scott@neologics.com>

I have set up a few linux firewalls. Linux includes packet filtering in the kernel and you can use the TIS FWTK for proxies (I am not familiar with other proxy options for linux). Linux allows full subnet routing so that should not be a problem.

As for resources to help you configure it, Linux includes some how-to documents that explain the packet filtering setup and use (usually installed in /usr/doc/faq/howto).

David Lang

On Fri, 6 Feb 1998, Scott Robert Lenz wrote:
> Date: Fri, 6 Feb 1998 10:00:48 -0700
> From: Scott Robert Lenz
> To: "'firewalls@greatcircle.com'"
> Subject: FW: LINUX FIREWALLS
>
> Do any of you out there believe in a LINUX firewall implementation as a
> viable resource? My network is currently NT based, but I don't wish to
> devote EVERYTHING to Microsquash.
>
> What I am looking for is some good resources I can review for detailed
> plans about setting up and installing a LINUX firewall option.
>
> Also, does the LINUX option allow for any subnet routing? I, unfortunately,
> am stuck with using MSMPR to do the routing between subnets (actually, 2
> separate, legal Class C Licenses).
>
> Whatever any of you can provide in my quest for a better option than
> MSPROXY would be greatly appreciated.
>
> PS: I think we are all professional, and mature enough, not to have to
> blatantly flame everyone who asks a simple question. Remember, there was a
> time that YOU were just as new to the technology as THEM.
>
> Scott Lenz
> NeoLogics Software & Services, LLC
> Evergreen, CO
> (303)670-8681

From firewalls-owner Fri Feb 6 14:23:29 1998
From: "M. Asim Rasheed"
To: Scott Robert Lenz
cc: "'firewalls@greatcircle.com'"
Subject: Re: FW: LINUX FIREWALLS
Date: Sat, 7 Feb 1998 01:19:25 +0500 (PKT)
In-Reply-To: <01BD32E6.19D55480.scott@neologics.com>

On Fri, 6 Feb 1998, Scott Robert Lenz wrote:
> Do any of you out there believe in a LINUX firewall implementation as a
> viable resource? My network is currently NT based, but I don't wish to
> devote EVERYTHING to Microsquash.

Scott, despite your personal grudge against M$, it is a good policy "security wise" to keep the firewall on a different operating system than the one that you are currently using. And Linux would just fit in nicely in your scenario.

> What I am looking for is some good resources I can review for detailed
> plans about setting up and installing a LINUX firewall option.

Read the firewall Howto at http://www.linux.org. It would get you started.

> Also, does the LINUX option allow for any subnet routing? I, unfortunately,
> am stuck with using MSMPR to do the routing between subnets (actually, 2
> separate, legal Class C Licenses).

Unlike M$'s restricted routing capabilities, a Linux box can be used for any viable subnet configuration that you can think of. I remember seeing this thing in one of M$'s study materials that they do not recommend the use of the first and the last subnet of an IP address pool. No such thing in Linux. Also, Linux works quite seamlessly with M$ Windows (if you know what you are doing).

> PS: I think we are all professional, and mature enough, not to have to
> blatantly flame everyone who asks a simple question. Remember, there was a
> time that YOU were just as new to the technology as THEM.

Don't worry Scott, I remember the time :-)

Asim Rasheed
Network Operations Engineer
Acsys Ltd.
From firewalls-owner Fri Feb 6 14:26:22 1998
From: Tim Evans
To: firewalls@greatcircle.com
Subject: SUMMARY: IPSEC UNIX Clients
Date: Fri, 6 Feb 1998 15:47:14 -0500 (EST)
Message-Id: <199802062047.PAA21856@eplrx7.es.dupont.com>

I wrote:

> I'm looking for IPSEC-compliant clients for UNIX systems, preferably those
> that may be known to work with Raptor Eagle VPN. Thanks.

I got only a couple of replies to this. It looks like ssh is the closest thing. I did hear from a Raptor user (dom@inta.net), who told me he was successfully passing ssh on port 22 using the Raptor generic service passer.

For those not familiar with ssh, here's a snippet from the README file that comes with the distribution:

  "SSH (Secure Shell) is a program to log into another computer over a
  network, to execute commands in a remote machine, and to move files
  from one machine to another. It provides strong authentication and
  secure communications over insecure channels. It is intended as a
  replacement for rlogin, rsh, rcp, and rdist."

For info on ssh, see http://www.cs.hut.fi/ssh/ Note licensing terms. A commercial implementation is available; see http://www.datafellows.com/

--
Tim Evans                    | E.I. du Pont de Nemours & Co.
tkevans@eplrx7.es.dupont.com | Experimental Station
(302) 695-9353/8638 (FAX)    | P.O. Box 80357
EVANSTK AT A1 AT ESVAX       | Wilmington, Delaware 19880-0357

From firewalls-owner Fri Feb 6 14:30:34 1998
From: Osiris
To: "Alex A. Smirnoff"
CC: Lachlan McIntosh, "'firewalls@GreatCircle.COM'"
Subject: Re: MS ProxyServer 2.0 sucks
Date: Fri, 06 Feb 1998 13:22:20 -0800
Message-ID: <34DB7F0C.B067697E@gnss.com>
References: <51D5AE1F9F4ED111A1D6004033CAC69624D0@MAIL01> <19980206162931.52558@convey.ru>

So! One has a bigger penis and the other makes more money.

But, I have a question to direct to these two, dueling fellows: Which of you has done more to help your fellow man? This - and not your money or your penis - is the measure of you.

You both are highly skilled in a technical field. Lend that wisdom (and not war) to this list. People come to this list to drink up the hard-earned knowledge of those that came before. At this point - between the large penis on one hand and all the money on the other - our visitors are dying of thirst.

Alex A. Smirnoff wrote:
> nuqneH,
>
> No. And i also have bigger penis than you.
> Don't you think it is somewhat offtopic?
>
> On Fri, Feb 06, 1998 at 07:06:55AM +1000, Lachlan McIntosh wrote:
> > I still think I make more money than you.
> >
> > Betting your skills on Micro$oft, means having a skill that's in high
> > demand.
> >
> > Mr Smirnoff, I'd change my skills at once if I thought that I would be
> > better off.
> >
> > On Thursday, 5 February 1998 19:08, Alex A. Smirnoff
> > [SMTP:ark@convey.ru] wrote:
> > > [...]

From firewalls-owner Fri Feb 6 15:26:44 1998
From: Paul Ferguson
To: Firewalls Mailing List
Subject: [fwd] In today's Merc....
Date: Fri, 06 Feb 1998 18:23:17 -0500
Message-Id: <3.0.5.32.19980206182317.007b84d0@lint.cisco.com>

FYI. A colleague passed along this article which appeared in today's San Jose Mercury News. It illustrates something that mjr has always evangelized -- the fact that while your firewall may be totally secure, your security problems are much worse than you might think.
:-)

- paul

ref: http://www.sjmercury.com/business/center/shipley020698.htm

--
Paul Ferguson
Consulting Engineering
Herndon, Virginia USA
tel: +1.703.397.5938
mailto:ferguson@cisco.com
cisco Systems

From firewalls-owner Fri Feb 6 15:55:47 1998
From: Vinod Valloppillil
To: "'James Croall'", firewalls@greatcircle.com
Subject: RE: SSL Proxies revisited
Date: Fri, 6 Feb 1998 15:55:55 -0800
Message-ID: <5CEA8663F24DD111A96100805FFE658701FDE85A@red-msg-51.dns.microsoft.com>

(in contrast to the MS Proxy thread, this one seems like an interesting one to survey opinions on...)

The SSL proxy spec (here's a pointer: http://cgi.netscape.com/newsref/std/tunneling_ssl.html) foresees the filtering / audit trail issue raised by James below:

  "Due to this fact, the proxy cannot verify that the protocol being
  spoken is really SSL, and so the proxy configuration should explicitly
  limit allowed connections to well-known SSL ports (such as 443 for
  HTTPS, 563 for SNEWS, as assigned by the Internet Assigned Numbers
  Authority)."

Do other firewalls out there by default only allow port 443 & 563 for SSL connections? (MS Proxy, for example, only allows these two by default and, via regkey editing, lets an admin do other ports)

Are there firewall implementors that ban SSL through their firewalls b/c of the filtering / audit issues James raises?

> -----Original Message-----
> From: James Croall [SMTP:jcroall@foo.org]
> Sent: Friday, February 06, 1998 8:57 AM
> To: firewalls@greatcircle.com
> Subject: SSL Proxies revisited
>
> A while back, somebody suggested using the HTTP proxy CONNECT method
> of "SSL proxies" to tunnel arbitrary services. I've started to notice
> that more people are picking up on this, and now AOL even supports
> connection to their network via this type of proxy.
>
> Some administrators prevent users from exploiting this by only allowing
> CONNECT's on port 443. This doesn't help the situation too much, since
> a lot of secure servers out there are running on alternate ports -- and
> AOL's services can listen on port 443 now too.
>
> Why aren't these "proxies" actually looking at the SSL traffic? At least
> check out the client and server hello messages, make sure they're legit.
>
> I've put together some simple patches to Thede Loder's Simple SOCKS
> Daemon to take advantage of these SSL proxies. Assuming your proxy
> has not been configured just so, just run it on a unix host behind your
> firewall and you can use SOCKS4 to make TCP connections out to the
> world.
>
> Bye-bye meaningful audit trail.
>
> It works rather nicely with the simple fwtk, Gauntlet, and CERN proxies
> that I've tried it with.
> > http://www.foo.org/james/misc/ssockd-ssl.txt From firewalls-owner Fri Feb 6 17:25:26 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id RAA13199; Fri, 6 Feb 1998 17:12:16 -0800 (PST) Received: from scctn01.sp.ac.sg (scctn01.sp.edu.sg [164.78.252.3]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id RAA13098 for ; Fri, 6 Feb 1998 17:11:58 -0800 (PST) Received: from cccp0040 ([164.78.20.215]) by scctn01.sp.ac.sg (8.8.7/8.8.7) with ESMTP id JAA11777 for ; Sat, 7 Feb 1998 09:18:40 +0730 (SST) Message-ID: <34DBB5D1.17CD2018@sp.ac.sg> Date: Sat, 07 Feb 1998 09:16:01 +0800 From: Lim Chay Yong X-Mailer: Mozilla 4.01 [en] (WinNT; I) MIME-Version: 1.0 To: firewalls@GreatCircle.com Subject: ATM Network Security Issues X-Priority: 3 (Normal) Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I am sourcing for information on Security threats/risks, issues pertaining to ATM networks and devices. Can anyone give me pointers and directions to any such documents/web sites? Thanks in advance. 
========================================================= Chay Yong LIM Email: limcy@sp.ac.sg Singapore Polytechnic 500, Dover Road Singapore 139651 Tel: (65)-772-1044 ========================================================= From firewalls-owner Fri Feb 6 18:31:35 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id SAA00966; Fri, 6 Feb 1998 18:10:03 -0800 (PST) Received: from hotmail.com (f90.hotmail.com [207.82.250.196]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id SAA00827 for ; Fri, 6 Feb 1998 18:09:39 -0800 (PST) Received: (qmail 12976 invoked by uid 0); 7 Feb 1998 02:14:10 -0000 Message-ID: <19980207021410.12975.qmail@hotmail.com> Received: from 198.80.42.2 by www.hotmail.com with HTTP; Fri, 06 Feb 1998 18:14:10 PST X-Originating-IP: [198.80.42.2] From: "SheungPak Tang" To: firewalls-digest@GreatCircle.COM Subject: Sun Ultra 5 or Ultra 10 Content-Type: text/plain Date: Fri, 06 Feb 1998 18:14:10 PST Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Has anyone used Sun Ultra 5 or Ultra 10 as firewalls? Are there any differences between the Ultra 5 / 10 and the Ultra 2 from a reliability and performance perspective? The Ultra 5 and 10 are much cheaper than the Ultra 2 we have been using. The Ultra 5 and Ultra 10 use PCI instead of SBus. The NIC cards and software drivers are totally different from the Sun SBus systems. 
______________________________________________________ Get Your Private, Free Email at http://www.hotmail.com From firewalls-owner Fri Feb 6 18:35:16 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id SAA02600; Fri, 6 Feb 1998 18:16:19 -0800 (PST) Received: from lintjr.cisco.com (lintjr.cisco.com [171.68.10.78]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id SAA02592 for ; Fri, 6 Feb 1998 18:16:12 -0800 (PST) Received: from big-dawgs.cisco.com (herndon-dhcp-77.cisco.com [171.68.53.77]) by lintjr.cisco.com (8.8.5/CISCO.SERVER.1.2) with SMTP id SAA01380; Fri, 6 Feb 1998 18:20:34 -0800 (PST) Message-Id: <3.0.5.32.19980206212033.007fb930@lint.cisco.com> X-Sender: pferguso@lint.cisco.com X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Fri, 06 Feb 1998 21:20:33 -0500 To: Lim Chay Yong From: Paul Ferguson Subject: Re: ATM Network Security Issues Cc: firewalls@GreatCircle.COM In-Reply-To: <34DBB5D1.17CD2018@sp.ac.sg> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Try this for starters: http://www.itr.UniSA.Edu.AU/~dstowww/atm_security/ - paul At 09:16 AM 2/7/98 +0800, Lim Chay Yong wrote: >I am sourcing for information on Security threats/risks, issues >pertaining to ATM networks and devices. Can any one give me pointers and >directions to any such documents/web sites? Thanks in advance. > -- Paul Ferguson || || Consulting Engineering || || Herndon, Virginia USA |||| |||| tel: +1.703.397.5938 ..:||||||:..:||||||:.. 
mailto:ferguson@cisco.com c i s c o S y s t e m s From firewalls-owner Fri Feb 6 19:07:58 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id SAA00340; Fri, 6 Feb 1998 18:05:42 -0800 (PST) Received: from pinky.fennco.com (www.fennco.com [205.217.112.165]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id SAA00311 for ; Fri, 6 Feb 1998 18:05:32 -0800 (PST) Received: (from mail@localhost) by pinky.fennco.com (8.8.7/8.8.7) id UAA24821 for ; Fri, 6 Feb 1998 20:29:20 -0600 X-Authentication-Warning: pinky.fennco.com: mail set sender to using -f Received: from skippy.fennco.com(192.168.1.3) by pinky via smap (V2.0) id xmaa24817; Fri, 6 Feb 98 20:29:10 -0600 Received: by skippy.fennco.com with Microsoft Exchange (IMC 4.0.837.3) id <01BD333B.359EF9A0@skippy.fennco.com>; Fri, 6 Feb 1998 20:10:03 -0600 Message-ID: From: Adam Fenn To: "'M. Asim Rasheed'" Cc: "'Firewalls'" Subject: RE: FW: LINUX FIREWALLS Date: Fri, 6 Feb 1998 20:10:02 -0600 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.837.3 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Don't matter what OS you use.. You aren't supposed to use your broadcast subnets.. (the first and last ones).. Although some routers do allow you to use subnet 0 (the first one), although it is recommended against, even in the RFC.. Adam >-----Original Message----- >From: M. Asim Rasheed [SMTP:mail!asim@uunet.uu.net] >Sent: Friday, February 06, 1998 3:19 PM >To: Scott Robert Lenz >Cc: 'firewalls@greatcircle.com' >Subject: Re: FW: LINUX FIREWALLS > >Unlike, M$ restricted routing capabilities, a Linux box can be used for >any viable subnet configuration that you can think of. I remember >seeing >this thing in one of M$ study materials that they do not recommend the >use >of the first and the last subnet of an IP address pool. > >No such thing in Linux. 
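The check James Croall proposes in the SSL Proxies thread above (look at the client and server hello messages instead of trusting the port alone), written out as an added example; this is not code from any poster or from any proxy product named on the list. The allowed-port set is the one from the SSL tunnelling spec quoted above, the byte-layout tests are the standard SSLv2/SSLv3/TLS hello headers, and every sample byte string is constructed, not captured traffic.

```python
"""Sniff the first bytes of a CONNECT tunnel for an SSL/TLS hello (added example)."""
import struct

# Default-allowed SSL ports from the tunnelling spec quoted in the thread.
ALLOWED_SSL_PORTS = {443, 563}

HANDSHAKE_RECORD = 0x16            # SSLv3/TLS record type for handshake messages
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02


def _hello_type(data: bytes) -> int:
    """Return the handshake type of an SSLv3/TLS handshake record, or -1."""
    if len(data) < 11:
        return -1
    rec_type, major, _minor, rec_len = struct.unpack("!BBBH", data[:5])
    if rec_type != HANDSHAKE_RECORD or major != 0x03:
        return -1
    # 4-byte handshake header plus at least a 2-byte version; a record can
    # never legally exceed 2^14 + 2048 bytes.
    if rec_len < 6 or rec_len > 16384 + 2048:
        return -1
    if data[9] != 0x03:            # hello bodies begin with the protocol version
        return -1
    return data[5]


def looks_like_client_hello(data: bytes) -> bool:
    """True if a client's first bytes are an SSLv2, SSLv3 or TLS ClientHello."""
    # SSLv2-compatible hello: 2-byte length with the high bit set, message
    # type 0x01, then the version (0x0002 for SSLv2, 0x03xx for SSLv3/TLS).
    if (len(data) >= 5 and data[0] & 0x80 and data[2] == CLIENT_HELLO
            and (data[3] == 0x03 or data[3:5] == b"\x00\x02")):
        return True
    return _hello_type(data) == CLIENT_HELLO


def looks_like_server_hello(data: bytes) -> bool:
    """True if a server's first bytes are an SSLv3/TLS ServerHello record."""
    return _hello_type(data) == SERVER_HELLO


def connect_policy(port: int, first_client_bytes: bytes):
    """Decide whether a CONNECT tunnel may stay open; returns (allowed, reason).

    The port test alone is what the thread says is insufficient, so the proxy
    also holds the client's first flight of bytes and inspects it before relaying.
    """
    if port not in ALLOWED_SSL_PORTS:
        return False, "port %d is not an allowed SSL port" % port
    if not looks_like_client_hello(first_client_bytes):
        return False, "first client bytes are not an SSL/TLS ClientHello"
    return True, "ClientHello observed"


# Constructed sample first-bytes (not captured traffic).
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x01" + bytes(41)
SSLV2_CLIENT_HELLO = b"\x80\x2e\x01\x03\x01" + bytes(44)
TLS_SERVER_HELLO = b"\x16\x03\x01\x00\x2a\x02\x00\x00\x26\x03\x01" + bytes(36)
SOCKS4_CONNECT = b"\x04\x01\x01\xbb\xc0\x00\x02\x01user\x00"   # SOCKS4 request, not SSL
HTTP_GET = b"GET / HTTP/1.0\r\nHost: example.invalid\r\n\r\n"

if __name__ == "__main__":
    for port, sample in ((443, TLS_CLIENT_HELLO), (443, SSLV2_CLIENT_HELLO),
                         (443, SOCKS4_CONNECT), (443, HTTP_GET),
                         (8080, TLS_CLIENT_HELLO)):
        print(port, sample[:4].hex(), connect_policy(port, sample))
```

The reason string is what the proxy should write to its audit log on a denied tunnel, which is exactly the trail the thread says port-only filtering loses.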
From firewalls-owner Fri Feb 6 19:22:53 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id SAA00398; Fri, 6 Feb 1998 18:06:51 -0800 (PST) Received: from strato-fe0.ultra.net (strato-fe0.ultra.net [146.115.8.190]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id RAA20595 for ; Fri, 6 Feb 1998 17:57:38 -0800 (PST) Received: from joespc.judgefamily.org (joesmac.ma.ultranet.com [146.115.236.247]) by strato-fe0.ultra.net (8.8.5/ult.n14767) with SMTP id VAA13944; Fri, 6 Feb 1998 21:02:03 -0500 (EST) Received: by localhost with Microsoft MAPI; Fri, 6 Feb 1998 21:03:36 -0500 Message-ID: <01BD3342.B0D74D00.joej@ultranet.com> From: Joseph Judge Reply-To: "joej@ultranet.com" To: "'Klaus Lichtenwalder'" , "Williams, Todd" Cc: "'firewalls@greatcircle.com'" Subject: RE: Sendmail/smap anti-relay measures Date: Fri, 6 Feb 1998 21:03:35 -0500 X-Mailer: Microsoft Internet E-mail/MAPI - 8.0.0.4211 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk and patches by Craig Hagan (www.cih.org ?) Take the links off of spam.abuse.net/spam site - joe On Friday, February 06, 1998 5:49 AM, Klaus Lichtenwalder [SMTP:Klaus.Lichtenwalder@WebForum.DE] wrote: > On Thu, 5 Feb 1998, Williams, Todd wrote: > > > Is there any way to prevent a firewall running smapd (port 25) from > > acting as a mail relay for mail that neither came from, nor is going > > to, > > your domain? Our mailer is sendmail 8.8.8, and I've put into my > > sendmail.cf the anti-relay measures suggested on several websites > > (sendmail.org being one). If I kill smap & just run sendmail as a > > daemon, they work great. However, if I run smapd as the primary > > listener, the rules fail & the mail gets relayed. Thanks! > > > > Well, there are patches to smap by Simson Garfinkel that do what you > describe. 
Sorry, can't remember where I got them, but you might find > them by checking deja news or mailing me ;-) > > Klaus Lichtenwalder > ------------------------------------------------------------------------ > Klaus Lichtenwalder, Dipl. Inform., PGP Key: email to key@Four11.com > Lichtenwalder@ACM.org > http://www.wp.com/Klaus > K.Lichtenwalder@Computer.org fax: +49-89-91072699 > Mouse surfaces are usually furry -- Ricarda From firewalls-owner Fri Feb 6 19:47:36 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id SAA00379; Fri, 6 Feb 1998 18:06:22 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id SAA00372 for ; Fri, 6 Feb 1998 18:06:16 -0800 (PST) Received: from strato-fe0.ultra.net by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id SAA22229; Fri, 6 Feb 1998 18:08:47 -0800 (PST) Received: from joespc.judgefamily.org (joesmac.ma.ultranet.com [146.115.236.247]) by strato-fe0.ultra.net (8.8.5/ult.n14767) with SMTP id VAA10747; Fri, 6 Feb 1998 21:08:47 -0500 (EST) Received: by localhost with Microsoft MAPI; Fri, 6 Feb 1998 21:10:20 -0500 Message-ID: <01BD3343.A1803000.joej@ultranet.com> From: Joseph Judge Reply-To: "joej@ultranet.com" To: "'James Croall'" , "firewalls@GreatCircle.COM" Subject: RE: SSL Proxies revisited Date: Fri, 6 Feb 1998 21:10:18 -0500 X-Mailer: Microsoft Internet E-mail/MAPI - 8.0.0.4211 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk The proxies can't really look at the traffic ... the keys are client <--> server shared. The only choice is to restrict ports (like you mentioned). Yes, the lazy butts out there just plop their services on socket 443 to get around it. The, sadly, reactive mechanism is to put those external sites in a block list. 
- joe rant: lazy butt programmers/companies overloading the SSL socket. Yes, I know you can also write a quickie script to "navigate the telnet proxy into 8-bit mode and do the 'connect to server A at socket B' and just run your protocol that way {to get around the firewall} ... and other "wide open" internal -> external proxies. Any SSL proxy out there (or in the works) that will spy on the first communications to see if it *looks* like the initial SSL handshaking ? -- joe On Friday, February 06, 1998 11:57 AM, James Croall [SMTP:jcroall@foo.org] wrote: > > A while back, somebody suggested using the HTTP proxy CONNECT method > of "SSL proxies" to tunnel arbitrary services. I've started to notice > that more people are picking up on this, and now AOL even supports > connection to their network via this type of proxy. > > Some administrators prevent users from exploiting this by only > allowing > CONNECT's on port 443. This doesn't help the situation too much, > since > a lot of secure servers out there are running on alternate ports -- > and > AOL's services can listen on port 443 now too. > > Why aren't these "proxies" actually looking at the SSL traffic? At > least > check out the client and server hello messages, make sure they're > legit. > > I've put together some simple patches to Thede Loder's Simple SOCKS > Daemon to take advantage of these SSL proxies. Assuming your proxy > has not been configured just so, just run it on a unix host behind > your > firewall and you can use SOCKS4 to make TCP connections out to the > world. > > Bye-bye meaningful audit trail. > > It works rather nicely with the simple fwtk, Gauntlet, and CERN > proxies > that I've tried it with. 
> > http://www.foo.org/james/misc/ssockd-ssl.txt > From firewalls-owner Fri Feb 6 20:57:23 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id UAA02636; Fri, 6 Feb 1998 20:27:44 -0800 (PST) Received: from relay5.UU.NET (relay5.UU.NET [192.48.96.15]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id UAA02513 for ; Fri, 6 Feb 1998 20:27:21 -0800 (PST) Received: from uucp3.UU.NET by relay5.UU.NET with SMTP (peer crosschecked as: uucp3.UU.NET [192.48.96.34]) id QQebqo29545; Fri, 6 Feb 1998 23:31:58 -0500 (EST) Received: from dakia.UUCP by uucp3.UU.NET with UUCP/RMAIL ; Fri, 6 Feb 1998 23:32:14 -0500 Received: from localhost (asim@localhost) by mail.cyberaccess.com.pk (8.8.5/8.8.5) with SMTP id JAA15537; Sat, 7 Feb 1998 09:41:11 +0500 Date: Sat, 7 Feb 1998 09:40:53 +0500 (PKT) From: "M. Asim Rasheed" To: Adam Fenn cc: "'Firewalls'" Subject: RE: FW: LINUX FIREWALLS In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Adam, I will disagree with you on this point. With the rapidly dwindling supply of IP addresses, it makes no sense to waste the IP addresses associated with the first and the last subnets. AFAIK the RFC that you are referring to (1058) has been obsoleted. I am telling you this from my personal experience of installing a Linux firewall on an NT based network in which I used the first and the last subnets with no ill effects whatsoever. M. Asim Rasheed Network Operations Engineer Acsys Ltd. On Fri, 6 Feb 1998, Adam Fenn wrote: > Don't matter what OS you use.. You aren't supposed to use your broadcast > subnets.. (the first and last ones).. Although some routers do allow > you to use subnet 0 (the first one), although it is recommended against, > even in the RFC.. > > Adam > > >-----Original Message----- > >From: M. 
Asim Rasheed [SMTP:mail!asim@uunet.uu.net] > >Sent: Friday, February 06, 1998 3:19 PM > >To: Scott Robert Lenz > >Cc: 'firewalls@greatcircle.com' > >Subject: Re: FW: LINUX FIREWALLS > > > >Unlike, M$ restricted routing capabilities, a Linux box can be used for > >any viable subnet configuration that you can think of. I remember > >seeing > >this thing in one of M$ study materials that they do not recommend the > >use > >of the first and the last subnet of an IP address pool. > > > >No such thing in Linux. From firewalls-owner Fri Feb 6 21:05:55 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id TAA24696; Fri, 6 Feb 1998 19:59:26 -0800 (PST) Received: from starbase.tos.net (starbase.tos.net [208.137.47.1]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id TAA24482 for ; Fri, 6 Feb 1998 19:58:49 -0800 (PST) Received: (from mail@localhost) by starbase.tos.net (8.8.4/8.8.4) id WAA31224; Fri, 6 Feb 1998 22:04:44 -0600 Received: from macgyver-1.pr.mcs.net(205.253.24.113) by starbase.tos.net via smap (V1.3) id sma031222; Fri Feb 6 22:04:16 1998 Message-Id: X-Sender: macgyver@smtp.tos.net X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0 Date: Fri, 06 Feb 1998 22:02:36 -0600 To: Scott Robert Lenz , "'firewalls@greatcircle.com'" From: MacGyver Subject: Re: FW: LINUX FIREWALLS In-Reply-To: <01BD32E6.19D55480.scott@neologics.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk -----BEGIN PGP SIGNED MESSAGE----- >What I am looking for is some good resources I can review for detailed >plans about setting up and installing a LINUX firewall option. > You mentioned MSProxy. If all you need to do is to give your users access to things like WWW and Email, and you don't need to worry about anything coming *INTO* your network from the Internet (or whatever external network you're connecting to), I'd suggest Linux IP-Masquerading. 
What this does is essentially "masquerade" all your outbound connections going through Linux so that instead of having their own IP address, they have the IP address of the Linux gateway. This gives you a couple of things: 1) You don't have to assign machines in your internal network with "real" IP addresses that are routable on the Internet -- only the Linux gateway needs to have a valid Internet IP address. 2) It hides your true network configuration from anyone on the outside. Since everything appears to be coming from the Linux gateway, the rest of the outside world simply sees it as one very active box, rather than many different connections from different addresses. IP-Masquerading is a simple and rather effective solution if all you need to do is have users going out to the Internet, and you're not concerned with anyone trying to get in. If you need something more...here are a few Linux resources: ftp://sunsite.unc.edu/pub/Linux/HOWTO/NET-3-HOWTO -- good Linux networking overview ftp://sunsite.unc.edu/pub/Linux/HOWTO/Firewall-HOWTO -- info on setting up various firewalls ftp://sunsite.unc.edu/pub/Linux/HOWTO/mini/IP-Alias -- how to multi-home Linux ftp://sunsite.unc.edu/pub/Linux/HOWTO/mini/IP-Masquerade -- More in depth on what I described ftp://sunsite.unc.edu/pub/Linux/HOWTO/mini/IP-Subnetworking -- How subnets work in Linux >Also, does the LINUX option allow for any subnet routing? I, unfortunately, >am stuck with using MSMPR to do the routing between subnets (actually, 2 >separate, legal Class C Licenses). Linux should support any subnet routing scheme you come up with, without a problem. - -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ^ Habeeb J. Dihu -' `- Managing Senior Technologist " ' ` " Cirrus Technologies " ' ` " " ' . ` " " ' .' ` ` " 'I don't believe in the no-win scenario' " ` ' `' " -- Captain James T. 
Kirk, Star Trek II: TWK ` ' _ _ ' 'There is an old Vulcan proverb, `Only Nixon ' could go to China.`' -- Captain Spock, Star Trek VI: TUC ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -----BEGIN PGP SIGNATURE----- Version: PGP for Business Security 5.5.2 iQCVAwUBNNvc21TtNfTWxXdNAQGNUwP8De30y4mxmkJq8VoJKOwfDwVLtqSPb46r QrGQChCWV9osO6BBsxUx2FLomi5wo6kzZPxsQRPzU3PPzdvLs4VsVZeXqxazUG4k 6lE3kreGvU95NuPmQWTxv+3iqlMRHBBzI1uCGsf2NMdvPDnRFNtbxmmdXejdKh2/ QStQsf7r48s= =1pKT -----END PGP SIGNATURE----- From firewalls-owner Fri Feb 6 22:50:13 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id WAA26796; Fri, 6 Feb 1998 22:48:47 -0800 (PST) Received: from castle.netlink.co.uk (castle.netlink.co.uk [194.88.140.12]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id WAA26761 for ; Fri, 6 Feb 1998 22:48:38 -0800 (PST) From: 29438070@mci.com Received: from castle.netlink.co.uk (slip-32-100-92-148.fl.us.ibm.net [32.100.92.148]) by castle.netlink.co.uk (8.8.5/8.8.3) with SMTP id GAA18692; Sat, 7 Feb 1998 06:52:10 GMT Received: from mci.com by mci.com (8.8.5/8.6.5) with SMTP id GAA03697 for ; Sat, 07 Feb 1998 01:46:54 -0600 (EST) Date: Sat, 07 Feb 98 01:46:54 EST To: FamilyMatters@castle.netlink.co.uk Subject: Dental-Optical Plan Message-ID: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello, we work with a group of your local doctors and dentists who would like to offer you a Dental -