From firewalls-owner Sun Mar 1 00:12:45 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA16133; Thu, 26 Feb 1998 05:05:38 -0800 (PST)
Received: from cs.weber.edu ([137.190.16.18]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id FAA15900 for ; Thu, 26 Feb 1998 05:04:52 -0800 (PST)
Received: from icarus.weber.edu by cs.weber.edu (4.1/SMI-4.1.1) id AA02699; Thu, 26 Feb 98 06:07:37 MST
Received: by icarus.weber.edu (5.x/SMI-SVR4) id AA15599; Thu, 26 Feb 1998 06:17:29 -0700
Date: Thu, 26 Feb 1998 06:17:28 -0700 (MST)
From: Henry Hertz Hobbit
To: dennis_keller@smtp.ddc.dla.mil
Cc: firewalls@GreatCircle.COM, gcollins@dqisystems.com
Subject: Re: Harsh Security audits?
In-Reply-To: <9802258884.AA888440989@smtp.ddc.dla.mil>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 24 Feb 1998 dennis_keller@smtp.ddc.dla.mil wrote:

>
> Greg,
> We have the same problem. Last December we had a serious DoS
> attack. Everybody (management) was pointing fingers at the DNS server
> (which was a symptom). It seems that I was correct in my assessment
> of the situation, that we were indeed the victim of a DoS attack.
> Management doesn't want to see/hear about problems until a major
> intrusion occurs, then it's too late.
> I work for an agency of DoD, you would THINK security would be
> extremely important (ha, ha). When you have management with a deeply
> ingrained sense of touchy-feely horseshit (civilian and military orgs,
> doesn't make any difference) you keep getting trounced upon and talk
> to deaf ears.
> By the way we don't have a firewall installed (yet!), that was put
> on hold last September a week prior to deployment. I have had to
> piece together a security posture using freeware from CERT, COAST and
> other such places. And people wonder why I can't sleep at night!
>
> Denny
> Defense Distribution Center
> New Cumberland, PA
> email: dkeller@ddc.dla.mil
>
> Where's my valium!?

Sounds to me like you need it; I would also advise circulating the ole rez out there. If I am not mistaken you are sitting on a disaster ready to happen...

The Hobbit (not the netcat one)

From firewalls-owner Sun Mar 1 00:53:46 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id TAA01261; Thu, 26 Feb 1998 19:46:26 -0800 (PST)
Received: from norm.island.net (norm.island.net [199.60.19.4]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id TAA01240 for ; Thu, 26 Feb 1998 19:46:17 -0800 (PST)
Received: from Boolean.IRENYX.COM (io5p29.ark.com [204.50.2.188]) by norm.island.net (8.8.8/8.8.8/island) with SMTP id TAA11265 for ; Thu, 26 Feb 1998 19:52:48 -0800
Message-Id: <199802270352.TAA11265@norm.island.net>
From: "Kevin P. O'Brien"
Organization: Computer Tech Support
To: firewalls@GreatCircle.COM
Date: Thu, 26 Feb 1998 19:52:47 -0800
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: IDS: Re: RE: Simply a Question "?"
Reply-to: wildfire@island.net
In-reply-to: <01bd42ec$d78d03e0$2fa3d6cd@workhorse.netgate.net>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I want to get off this list too! It is easy to get on, and impossible to get off!!!!! I have been to the homepage and searched the net for weeks now. Please tell me how to get off this list.

wildfire@island.net

> From: "David Silva"
> To:
> Subject: IDS: Re: RE: Simply a Question "?"
> Date: Thu, 26 Feb 1998 11:29:22 -0800
> ----------------------------------------------------------------------------
> How do I get off this list?
>
> -----Original Message-----
> From: Nistor lubomir
> To: 'ids@uow.edu.au'
> Date: Thursday, February 26, 1998 11:38 AM
> Subject: IDS: RE: Simply a Question "?"
> >
> >---------------------------------------------------------------------------
> >-
> >I'm sorry, but this list seems not to be occupied...
> >I can tell you that intelligent defenders of network are very very
> >complicated... (not just following rules, but creating them....)
> >And to implement neural net you are to make (about) 65536 inputs
> >(=ports) and each input has its subinput systems connected to the
> >"brain" and if the primary input (port) is active he analyses sensitive
> >parts of subinput...
> >
> >this is one part...
> >
> >The brain has more parts that :- filtering parts
> >                                - new rule generation
> >                                - feedback (where those packets ended)
> >                                - feedback2 (new standards of packet
> >structure, new bugs.....)
> >                                - one or more black boxes :)
> >
> >I think that's enough to get your ideas away from this topics. :)
> >
> >> -----Original Message-----
> >> From: M.B., Ghaznavi-Ghoushchi [SMTP:GHAZNAVI@NET1CS.modares.ac.ir]
> >> Sent: 26. február 1998 15:05
> >> To: ids@uow.edu.au
> >> Subject: IDS: Simply a Question "?"
> >>
> >> ----------------------------------------------------------------------
> >> ------
> >> Allah
> >>
> >> Hello to all
> >>
> >> Can anyone tell me about the interrelation of Neural Nets and IDS ?
> >>
> >> I am waiting for the responses.
> >>
> >> Regards
> >> ghaznavi-ghoushchi
> >>
> >>
> >
> >

From firewalls-owner Sun Mar 1 00:53:57 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA08828; Thu, 26 Feb 1998 15:57:47 -0800 (PST)
Received: from MISsentry.el.nec.com ([192.216.82.86]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id PAA08814 for ; Thu, 26 Feb 1998 15:57:41 -0800 (PST)
Received: from yginsburg.el.nec.com (yginsburg.el.nec.com [143.103.21.11]) by MISsentry.el.nec.com (8.7.1/8.7.1) with SMTP id QAA06125; Thu, 26 Feb 1998 16:03:57 -0800 (PST)
Received: by yginsburg.el.nec.com (SMI-8.6/SMI-SVR4) id QAA19443; Thu, 26 Feb 1998 16:03:38 -0800
Date: Thu, 26 Feb 1998 16:03:38 -0800
From: rdew@el.nec.com (Bob De Witt)
Message-Id: <199802270003.QAA19443@yginsburg.el.nec.com>
To: firewalls@GreatCircle.COM, saeed@cyber.net.pk
Subject: Re: NAT question
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Saeed,

A couple of suggestions. First, if you have not already bought the Cisco 2509, consider the Cisco PIX. It is not too expensive for small companies in the 256 port variety. Beware, however, that Netscape uses about ~6 ports per user surfer, and IE uses ~8. The PIX is designed for NAT. It works REAL GOOOOD! That is a 2-edged sword, which can keep the good guys out, along with the baddies.

Next, set up duplicate servers, one outside and one inside. Configure the PIX to only allow calls through from inside, and from the matching machine (inside mail to outside mail, etc.). Use cron to initiate the connection every 'n' minutes, where you determine 'n' based on users' needs. The 'n' for 'www' should be larger than the 'n' for mailhost. The fetch for mail occurs during the connection originated from inside! Same for news, ...

Set up one of your DMZ machines to do passive monitoring, with the login and sulog files going to a printer. If it is in a locked room (I may be paranoid), it is really hard to hack.
Your inside server can drop-ship the configuration files daily, again from inside-to-outside. You cannot keep the best crackers out of the inside, but this will sure slow down those not quite that good. You will need to scan for viruses, and other stuff, too. This does not keep salesmen from coming by with small floppies, and handing out neat games (read trojan horse) which scan your network from the inside and then send the results outside.

Your inside folks don't care, as they access only the inside machines. The outside ones can be had, but only the data file areas are checked, then brought inside. The OS files can be downloaded every (night, week, month, ...) to protect the DMZ machines.

> From saeed@cyber.net.pk Thu Feb 26 02:38:55 1998
> Date: Wed, 25 Feb 1998 15:45:35 +0500
> From: saeed@cyber.net.pk (saeed abubakar)
> MIME-Version: 1.0
> To: "'firewalls@greatcircle.com'"
> Subject: NAT question
> X-Priority: 3 (Normal)
> Content-Transfer-Encoding: 7bit
>
> Hi,
>
> We will be implementing NAT for our Intranet using CISCO 2509.
> The question I have for all you Gurus is, I have an Oracle Server
> (running everything on NT) and a Lotus Notes (again NT) server
> accessible to the outside world. Will implementation of NAT affect their
> approachability from the outside world and for people on the inside?
>
> I hope my question is comprehended by all.
>
> Regards
> Saeed
> --
> Saeed Abubakar
> Sr. System Engineer
> Network Operations
> Cyber Internet Services (Pvt) Ltd.
> e-mail :- saeed@cyber.net.pk
> web :- http://www.cyber.net.pk
> Telephone :- (92 21) 111445566 Ext. 232/201
> Fax :- 92 21 5686745
>

At least that's one thought. OK, cats-and-jammers, how about some others? BTW, you still need an access router and a choke router. Maybe that 2509 can be used there.

Bob De Witt,
rdew@el.nec.com
The views expressed herein are my own,
and are not attributable to any other
source, be it employer, friend or foe.
From firewalls-owner Sun Mar 1 01:36:23 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id VAA20808; Thu, 26 Feb 1998 21:01:47 -0800 (PST)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id QAA18850 for ; Thu, 26 Feb 1998 16:38:55 -0800 (PST)
Received: from fringeware.com (FringeWare.COM [207.170.80.10]) by miles.greatcircle.com (8.8.5/8.8.5) with ESMTP id QAA23855 for ; Thu, 26 Feb 1998 16:44:46 -0800 (PST)
Received: (from pacoid@localhost) by fringeware.com (8.8.7/8.8.7) id SAA13690; Thu, 26 Feb 1998 18:44:29 -0600 (CST)
From: P Nathan
Message-Id: <199802270044.SAA13690@fringeware.com>
Subject: Re: Monitoring Web Server
To: rdew@el.nec.com (Bob De Witt)
Date: Thu, 26 Feb 1998 18:44:29 -0600 (CST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <199802262337.PAA19427@yginsburg.el.nec.com> from "Bob De Witt" at Feb 26, 98 03:37:44 pm
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Could you forward a copy of the Expect script? I would like to look at
> it. Does it run on UNIX or NT or ...?
>
> TIA,
> Bob De Witt,

hi bob,

i'll send out two Expect scripts, along the lines of the other script sent to the list today, but more robust. the first script reads a file of host/port pairs then attempts to open a TCP connection to each, paging the sysadmin (me) with an alphanumeric msg if the given server fails to respond. consider this a framework to use if you like; the next script is more of what you asked, in terms of actually requesting a particular page.

thanx - paco.
ps: y'all are responsible for the pager intf; i've got mine but that *won't* be published :)

------------------------------

#!/usr/local/bin/expect -f
# fw.lym.ping
#
# ping wrapper to check the given services
# 19970709 Paco X Nathan, Smallworks Inc.
# 19971222 PXN, modified for testing TCP services
#
# arguments: the host/port table file, and optionally the pager
# recipient; without a recipient, state changes go to stdout

log_user 1

### error check the command line usage

if {[llength $argv] < 1} {
    puts "usage: fw.cat.ping filename \[pgvictim\]"
    exit 1
}

set filename [lindex $argv 0]
set pgvictim [lindex $argv 1]
set thistime [timestamp -format "%c"]
set messages ""

### load the hostname table
### (one line per host: host, port, last state, last check time)

set input [open $filename "r"]

while {[gets $input line] != -1} {
    scan $line "%s\t%s\t%s\t%s" host port state lasttime
    set service($host) $port
    set status($host) $state
}

close $input

### try to ping each hostname, while
### rewriting the hostname table

set output [open $filename "w"]

foreach host [array names status] {
    spawn telnet $host [set service($host)]
    set timeout 300
    set response "dead"

    expect {
        "telnet: Unable to connect to remote host: Connection refused" {
            set response "dead"
        }
        "Escape character is" {
            set response "alive"
        }
        timeout {
            set response "timeout"
        }
    }

    ;# drop this telnet session before spawning the next one,
    ;# otherwise every "alive" connection stays open until exit
    catch {close}
    catch {wait}

    ;# only report hosts whose state changed since the last run
    if {[string compare $response $status($host)] != 0} {
        set messages "$messages[set host] is now $response.\n"
    }

    puts $output "$host\t$service($host)\t$response\t$thistime"
}

close $output

### test whether there are any messages to send

if {[string length $messages] > 0} {
    if {[string length $pgvictim] > 0} {
        spawn /usr/local/bin/pageme $pgvictim
        send "[set messages]\r"
        send "\004" ;# eof

        expect {
            "message sent" {
                exit 0
            }
            timeout {
                send_user "timeout on pager\n"
            }
        }
        ;# reached only when the pager never confirmed
        exit 1
    } else {
        puts $messages
        exit 0
    }
}

-----data file-----------------------------
moo.fringeware.com	666	alive	Thu Feb 26 18:00:03 1998
bot.fringeware.com	80	alive	Thu Feb 26 18:00:03 1998
www.fringeware.com	80	alive	Thu Feb 26 18:00:03 1998
fringeware.com	443	alive	Thu Feb 26 18:00:03 1998

From firewalls-owner Sun Mar 1 01:53:45 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id EAA14776; Thu, 26 Feb 1998 04:59:35 -0800 (PST)
Received: from cc00ms.unity.ncsu.edu (cc00ms.unity.ncsu.edu [152.1.1.35]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id EAA14756 for ; Thu, 26 Feb 1998 04:59:25 -0800 (PST)
Received: from c00952-100lez.eos.ncsu.edu (c00952-100lez.eos.ncsu.edu [152.1.26.72]) by cc00ms.unity.ncsu.edu (8.8.4/US19Dec96) with SMTP id IAA27673; Thu, 26 Feb 1998 08:05:19 -0500 (EST)
Date: Thu, 26 Feb 1998 08:05:20 -0500 (EST)
From: Ken Williams
X-Sender: jkwilli2@c00952-100lez.eos.ncsu.edu
To: Bob De Witt
cc: firewalls@GreatCircle.COM, Michael@yginsburg.el.nec.com, Sorbera@yginsburg.el.nec.com
Subject: Re: Monitoring Web Server
In-Reply-To: <199802252124.NAA18369@yginsburg.el.nec.com>
Message-ID:
X-Copyright: The contents of this message may not be reproduced in any form
X-Copyright: (including Commercial use) unless specific permission is granted
X-Copyright: by the author of the message. All requests must be in writing.
X-Disclaimer: The contents of this email are for educational purposes only
X-Disclaimer: and do not reflect the thoughts or opinions of either myself
X-Disclaimer: or my employer and are not endorsed by sponsored by or provided
X-Disclaimer: on behalf of North Carolina State University.
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 25 Feb 1998, Bob De Witt wrote:

>
>On Wed Feb 25, 1998, Michael Sorbera wrote:
>>
>> Does anyone know of a program that will monitor a web server (no ping,
>> but an actual access of the URL), and if the access doesn't work, page
>> me...
>>
>> I would prefer a DOS, Win 3.X or WIN95 solution. But will go to NT or
>> UNIX if need be.
>>
>> Thanks in advance,
>> Michael Sorbera
>> Webmaster/Network Engineer
>> Randolph-Brooks Federal Credit Union
>>
>You forgot to mention what your net does currently. ie- if you have NFS
>running, try to do an 'ed' on a dummy file from within a shell script.
>Branch on failure to open the exported dummy file. Or use 'grep' ...
>
>Why not 'ping'? It is easiest.

Ping IS the easiest way to determine if a server is up, but it is not necessarily going to tell you if that web server is actually accessible. For example, if you have a cgi perl script running that has a slight misconfiguration, such as a call to an img tag when there is no img to be called on, you will eventually run your httpd load up so high that the server never fulfills any requests. I recently had such a problem and it took several days for the httpd load to get up to 96% and effectively deny all http requests.

Due to the fact that webservers are dynamic in the sense that you are running cgi applications and the websites are always being modified, you have to come up with a better method of monitoring. I would rather use a script that would monitor the httpd loads and email me when the load reached a certain level.
>Try tracking the license allocation from an application...
>
>Just some ideas ...
>
> Bob De Witt,
> rdew@el.nec.com
>The views expressed herein are my own,
>and are not attributable to any other
>source, be it employer, friend or foe.
>
>

I look forward to hearing about a real solution to this question. When you have numerous clients implementing their own cgi scripts, ping is simply not a viable solution.

Regards,
Ken Williams

/--------------------------[ TATTOOMAN ]--------------------------\
| ORG: NC State Computer Science Dept    VP of The E. H. A. P. Corp. |
| EML: jkwilli2@adm.csc.ncsu.edu         ehap@hackers.com            |
| EML: jkwilli2@unity.ncsu.edu           ehap-secure@hackers.com     |
| WWW: http://www4.ncsu.edu/~jkwilli2/   http://www.hackers.com/ehap/|
| FTP: ftp://152.7.11.38/pub/personal/tattooman/                     |
| W3B: http://152.7.11.38/~tattooman/w3board/                        |
| PGP: finger tattooman@152.7.11.38                                  |
\----------------[ http://152.7.11.38/~tattooman/ ]----------------/

From firewalls-owner Sun Mar 1 02:26:49 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA25911; Thu, 26 Feb 1998 14:54:22 -0800 (PST)
Received: from wend.dircon.co.uk (wend.dircon.co.uk [194.112.45.154]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id OAA25861 for ; Thu, 26 Feb 1998 14:54:08 -0800 (PST)
Received: from localhost (dwhitlow@localhost) by wend.dircon.co.uk (8.8.5/8.8.5) with SMTP id WAA01425; Thu, 26 Feb 1998 22:57:56 GMT
Date: Thu, 26 Feb 1998 22:57:56 +0000 (GMT)
From: Dave Whitlow
Reply-To: Dave Whitlow
To: mht@clark.net
cc: "Craig I. Hagan" , Greg Collins , firewalls@GreatCircle.COM
Subject: Re: Harsh Security audits? -reply
In-Reply-To: <3.0.3.32.19980222071120.035bb2d0@pop3.clark.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Please people, I see lots of talk about how to present *our* findings and how dumb these people are and how we should hit 'em with the bare truth. I think we're failing them if that's the stance we take.

Let's take a step back and look at what we have:

1) Their network security stinks. Are they alone? Hell no, it's pretty common. Tell them that.

2) The sysadmins who run it probably know it stinks too. Trouble is, there are too few of them, doing too much, in too little time. Basically, they need help.

3) Someone commissioned an external review. In my view they score a few points there. Security doesn't earn them money and all too often is only important after it has failed. I suspect most of us know about the horse and the stable door. However, they've got budget *and* used it to pay an outsider to tell them how bad it is, rather than that server upgrade they really needed. Sounds like they're asking for help.

And ... what's the best help you can give them then? A "bad" report makes everybody look bad. If we make their people look bad the report is either going to be hidden (they don't want heads to roll) or will be used as political ammunition (they want heads to roll). Does this really help them and earn your fee?

In my experience most folk who are doing sysadmin jobs can do a reasonable job *if* they are given support. Usually, they're ignored when it is going well, hassled because things are taking too long or used as a football when things break. There is not enough focus on security - that's not what earns revenue for their business.

So, the approach I'd suggest is:

1) Don't hide the facts - that would be betraying your own integrity. In any case, you'd lose credibility and who'd commission reports from you in future?
However, make the truth *useful* to the recipients.

2) Make the guy who commissioned the report feel like a hero and help him understand the risks and give him a report which he can use to justify spending more money on security.

3) Prioritise the problems and recommendations so they can see what will take them nearer to what you consider acceptable. Like me, most security folk aren't paranoid - they *know* that they really are out to get you ;-) These people just need educating - that's your job.

4) Show them tools that they can use to measure their security problems. I'm not saying this will make things more secure. However, it'll make it easier for them to make the best use of their limited resources. A tool which provides metrics enables them to make it easy to draw pretty charts which can be used to show how the money spent on security is getting results. I can feel the flames coming here but ... without measurements how can you manage?

5) Show them how testing should be part of their deployment and admin cycles and how it can be used to gradually improve things.

Make yourselves available when they need ad hoc advice. Call them to check how things are going. If you do this, they'll be grateful and happy to pay your fee. They'll have a report which helps them do their job better and .... perhaps they'll invite you back in 6 months :-)

Cheers,
Dave

-------------------------------------------------------
Dave Whitlow, Idsec Ltd, UK
Mail: dwhitlow@idsec.co.uk
Web: http://www.idsec.co.uk

On Sun, 22 Feb 1998 mht@clark.net wrote:

> Date: Sun, 22 Feb 1998 07:11:20 -0500
> From: mht@clark.net
> To: "Craig I. Hagan" ,
>     Greg Collins
> Cc: firewalls@GreatCircle.COM
> Subject: Re: Harsh Security audits? -reply
>
> Greg et al,
>
> To provide my .02 worth
>
> One could present an Executive summary of the overall security assessment
> results which can be presented and distributed to key management at your
> particular client in a clear and concise fashion.
> This executive summary
> would describe at a high level the significance of the information that
> your team was able to obtain, if any, and would "benchmark" your client's
> overall security environment against other organizations having similar
> technology and information protection concerns. In addition, you could
> evaluate the data security environment and present the effectiveness with
> which you are addressing the following:
>
> Enticement   Level of information provided to a potential hacker (e.g.,
>              letting an unauthorized user know that a computer of a major
>              enterprise has been accessed).
> Prevention   Level of security measures used to prevent unauthorized access
>              (e.g., dial back, access control software).
> Detection    Level of active security monitoring and follow-up of
>              unauthorized access attempts (e.g., review of unauthorized
>              access reports).
>
> The second half of your report could provide detailed explanations of the
> security implications and risks of the exposures found related to the
> security assessment. Covering the following:
>
> The finding or weakness noted;
> The implication of the finding or weakness;
> The level of risk the finding or weakness poses the organization;
> The level of effort required (resources) to correct or minimize the
> identified finding or weakness;
> A detailed solution to correct or minimize the identified finding or weakness.
>
>
> /mht
>
>
> At 06:27 PM 2/21/98 -0500, Craig I. Hagan wrote:
> >I think that the real question might be the political need
> >for not being harsh: by being blunt, the audit could
> >be putting the instigators of the audit's jobs at
> >risk whereas by using similar (but less threatening language),
> >one might be able to present the information in a manner more
> >politically palatable to the rest of the company.
> >
> >for example, instead of stating that the unix machine is
> >wide open to hackers, one might instead recommend bringing
> >internet mail server software up to the latest revision
> >so as to minimize risk. says roughly the same thing,
> >but in a more passive tone.
> >
> >-- craig
> ------------------------------------------------------
> "Let's Play, GLOBAL THERMO NUCLEAR WAR"
>

From firewalls-owner Sun Mar 1 02:53:43 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA17208; Thu, 26 Feb 1998 11:47:36 -0800 (PST)
Received: from mail1.sla.com (mail1.sla.com [207.153.168.35]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id HAA26685 for ; Thu, 26 Feb 1998 07:56:23 -0800 (PST)
Received: by mail.sla.com with Internet Mail Service (5.5.1960.3) id ; Thu, 26 Feb 1998 07:59:52 -0800
Message-ID:
From: "Stackpole, Bill"
To: "'saeed@cyber.net.pk'" , "'firewalls@greatcircle.com'"
Subject: RE: NAT question
Date: Thu, 26 Feb 1998 07:59:51 -0800
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.1960.3)
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

No, you set them up as static translations.

!
! NAT Configuration
! (access-list 10 and the interface-level "ip nat inside" /
!  "ip nat outside" statements this depends on are not shown)
!
ip nat pool ISP xxx.yyy.zzz.40 xxx.yyy.zzz.62 prefix-length 27
ip nat inside source list 10 pool ISP overload
! Static Translation for SMTP & POP3 Server
ip nat inside source static 10.100.100.3 xxx.yyy.zzz.36
! Static Translation for WINFRAME Server
ip nat inside source static 10.100.100.2 xxx.yyy.zzz.37
! Static Translation for LOTUS Notes Server
ip nat inside source static 10.100.100.17 xxx.yyy.zzz.35

> -----Original Message-----
> From: saeed@cyber.net.pk [SMTP:saeed@cyber.net.pk]
> Sent: Wednesday, February 25, 1998 2:46 AM
> To: 'firewalls@greatcircle.com'
> Subject: NAT question
>
> Hi,
>
> We will be implementing NAT for our Intranet using CISCO 2509.
> The question I have for all you Gurus is, I have an Oracle
> Server
> (running everything on NT) and a Lotus Notes (again NT) server
> accessible to the outside world. Will implementation of NAT affect
> their
> approachability from the outside world and for people on the inside?
>
> I hope my question is comprehended by all.
>
> Regards
> Saeed
> --
> Saeed Abubakar
> Sr. System Engineer
> Network Operations
> Cyber Internet Services (Pvt) Ltd.
> e-mail :- saeed@cyber.net.pk
> web :- http://www.cyber.net.pk
> Telephone :- (92 21) 111445566 Ext. 232/201
> Fax :- 92 21 5686745

From firewalls-owner Sun Mar 1 04:39:24 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA29030; Thu, 26 Feb 1998 15:11:59 -0800 (PST)
Received: from ove.arup.com (ove.arup.com [193.116.20.1]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id PAA28879 for ; Thu, 26 Feb 1998 15:11:29 -0800 (PST)
Received: by ove.arup.com; id XAA15632; Thu, 26 Feb 1998 23:15:55 GMT
Received: from a_csun01(69.69.11.1) by ove.arup.com via smap (3.2) id xma015619; Thu, 26 Feb 98 23:15:38 GMT
Received: from a_csun14 by arupuk (4.1/SMI-4.1) id AA22894; Thu, 26 Feb 98 23:18:10 GMT
Received: from arup.com by a_csun14 (SMI-8.6/SMI-4.1) id XAA08475; Thu, 26 Feb 1998 23:14:06 GMT
Received: from comms-Message_Server by arup.com with Novell_GroupWise; Thu, 26 Feb 1998 23:14:06 +0000
Message-Id:
X-Mailer: Novell GroupWise 4.1
Date: Thu, 26 Feb 1998 22:52:06 +0000
From: Scott Fagg
To: firewalls@greatcircle.com
Subject: How to leave the firewalls mailing list.
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

1. Read the mail message sent to you when you first joined, it contains instructions.

2. If you do not have that mail message, send a mail message to : majordomo@greatcircle.com and you will receive instructions

PS sending a mail message to the list with the word USUBSCRIBE in the body or subject is pointless, as far as I know USUBSCRIBE is not even a real word.

From firewalls-owner Sun Mar 1 04:39:36 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA03154; Thu, 26 Feb 1998 08:21:11 -0800 (PST)
Received: from relay.nswc.navy.mil (relay.nswc.navy.mil [128.38.1.41]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id IAA02970 for ; Thu, 26 Feb 1998 08:20:32 -0800 (PST)
Received: from joatmon (joatmon.nswc.navy.mil) by relay.nswc.navy.mil (4.1/SMI-4.1) id AA15339; Thu, 26 Feb 98 11:26:52 EST
Received: by joatmon (4.1/SMI-4.1) id AA01541; Thu, 26 Feb 98 11:26:56 EST
Date: Thu, 26 Feb 98 11:26:56 EST
From: snorthc@nswc.navy.mil (Stephen Northcutt - CD2S)
Message-Id: <9802261626.AA01541@joatmon>
To: Firewalls@GreatCircle.COM
Subject: Low cost ID system
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The firewalls that we have been working with do not seem to log all the traffic on a DMZ. The Intrusion Detection Team at NSWC Dahlgren has been trying to develop several low cost open system approaches to capturing/reducing/analyzing DMZ traffic data. The URLs below lead to a rudimentary capability, but it has worked well for us; the document is Word 97, the tar file is obvious.

These URLs are pointed to by:
http://www.nswc.navy.mil/ISSEC/Docs/loggingproject.html

Documentation (still a bit rough):
http://www.nswc.navy.mil/ISSEC/Docs/TRAINING/Stepbystepintrusiondetection.doc

Code:
http://www.nswc.navy.mil/ISSEC/Docs/loggerTNG.tar

The URLs above are simply a cookbook for using tcpdump on a unix OS such as a pentium PC with Linux.
It is probably a stretch to even call these "alpha" release quality; we will try to fold in constructive, usable comments to improve the cookbook for all of us.

Have fun!

Stephen, John, Vicki, Fred, Bill, and Dave

From firewalls-owner Sun Mar 1 04:39:44 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA24328; Fri, 27 Feb 1998 15:09:30 -0800 (PST)
Received: from xaymaca.com (xaymaca.com [209.49.107.195]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id PAA24265 for ; Fri, 27 Feb 1998 15:09:17 -0800 (PST)
From: jojohimself@joblow_sec.com
Received: from joblow_sec.com (scs.howard.edu [138.238.128.28]) by xaymaca.com (8.8.8/8.8.8) with ESMTP id SAA05853 for firewalls@greatcircle.com; Fri, 27 Feb 1998 18:10:31 -0500 (EST)
Date: Fri, 27 Feb 1998 18:10:31 -0500 (EST)
Message-Id: <199802272310.SAA05853@xaymaca.com>
reply-to: /dev/null@xaymaca.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

--------------------------------
"back to learn from the likes of Aristotle and Plato I think I would. I certainly would have liked to learn from them. If I recall they only taught stuff they had personally invented."

Nope... neither Aristotle nor Plato created nor spoke of anything original. If it appeared to be original to their listeners it was because their listeners had not been with them when they were learning. Aristotle, and possibly Plato, was a traveller and it is well documented that he spent much time in Egypt prior to becoming a famous Philosopher. While in Egypt he studied in the Egyptian Mystery System. The Egyptian Mystery System is responsible for the Pyramids... and the rest of the Intellectual accomplishments of early (pre-Athenian) civilization. He then told Alexander... and Alexander went and Confiscated what he wanted and torched the rest.

Refer to a book called Stolen Legacy
took what he wanted and torched everything else

Peace...
Even Firewall Admin know their history

JoJo AKA RufNec de Ntlect

From firewalls-owner Sun Mar 1 04:43:47 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA00770; Thu, 26 Feb 1998 15:22:06 -0800 (PST)
Received: from wend.dircon.co.uk (wend.dircon.co.uk [194.112.45.154]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id PAA00724 for ; Thu, 26 Feb 1998 15:21:50 -0800 (PST)
Received: from localhost (dwhitlow@localhost) by wend.dircon.co.uk (8.8.5/8.8.5) with SMTP id XAA01568; Thu, 26 Feb 1998 23:27:18 GMT
Date: Thu, 26 Feb 1998 23:27:18 +0000 (GMT)
From: Dave Whitlow
To: Joel Colvin
cc: firewalls@GreatCircle.COM
Subject: Re: Someone bouncing through my socks proxy.
In-Reply-To: <199802251729.JAA16673@honor.greatcircle.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 25 Feb 1998, Joel Colvin wrote:

> I have discovered someone using my socks proxy from the outside to mess with
> IRC servers and users. I have my router configured such that it will only
> forward established connections started from the inside, plus recommend
> configs for stopping IP spoofing. From the log though, it looks like this
> person was able to connect as if I had no filtering on my router.
> The only ports that are open from the outside are DNS and SMTP. I'm going
> to shut off socks for now but how do they do this?

You *could* have got the filters wrong. I suspect you've tested that though.

On the other hand maybe your router isn't getting enough in each packet to decide that it should block it. Check how your router handles fragments.
Maybe they're not being too honest in what they show your router ;-)

Best regards,

Dave
-------------------------------------------------------------------------
Dave Whitlow, Idsec Ltd, UK
Mail: dwhitlow@idsec.co.uk
Web: http://www.idsec.co.uk

From firewalls-owner Sun Mar 1 04:43:49 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA21006; Thu, 26 Feb 1998 05:28:42 -0800 (PST)
Received: from www.valuu.net (www.valuu.net [204.252.40.2]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id FAA19527 for ; Thu, 26 Feb 1998 05:20:10 -0800 (PST)
Received: from fd.valuu.net ([204.252.40.3]) by www.valuu.net (post.office MTA v2.0 0813 ID# 0-11837) with SMTP id AAA332; Thu, 26 Feb 1998 08:26:08 -0500
Message-ID: <003601bd42ba$27b89380$0328fccc@fd.valuu.net>
From: rabbi@www.valuu.net (Rabbi Haim Cassorla)
To:
Subject: Re: Monitoring Web Server
Date: Thu, 26 Feb 1998 08:26:30 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.72.2106.4
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

O'Reilly's WebSite generates an error log entry on each unsuccessful access. I don't think it would be too difficult to build a feature in that would page you when error.log is incremented.
Shalom Berakha VeTova
Rabbi Haim Cassorla
www.valuu.net/ICOR
www.HaReshima.com
-------------------------------------------------------------------
Jewish Web Net Week ends Friday at sunset ----- www.jww.org

-----Original Message-----
From: James Strompolis
To: 'Michael Sorbera' ; firewalls@GreatCircle.COM
Date: Thursday, February 26, 1998 2:57 AM
Subject: RE: Monitoring Web Server

>On Wednesday, February 25, 1998 9:00 AM, Michael Sorbera
>[SMTP:msorber@ibm.net] wrote:
>> Does anyone know of a program that will monitor a web server (no ping,
>> but an actual access of the URL), and if the access doesn't work, page
>> me...
>
> Accessing an URL just does a DNS lookup of a particular computer and
>connects you to the port for that service. HTTP, FTP, etc.
>
> What's Up at http://www.ipswitch.com will do what you ask. It will scan
>the machine for running services and will check the ports for these
>services at a user specified interval. It won't fetch a page but will talk
>to port 80 (or whatever port you choose) which will let you know things are
>OK most of the time. Runs on 95 and/or NT.
>
>- James Strompolis
> Aleph Consultants, Inc.
> jimst@enteract.com
>

From firewalls-owner Sun Mar 1 04:43:50 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA00164; Thu, 26 Feb 1998 06:00:59 -0800 (PST)
Received: from mail.state.fl.us (mail.state.fl.us [204.90.27.7]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id GAA00151 for ; Thu, 26 Feb 1998 06:00:53 -0800 (PST)
Received: from booksr [199.250.24.56] by mail.state.fl.us with smtp (Exim 1.73 #2) id 0y83y3-00032V-00; Thu, 26 Feb 1998 09:07:19 -0500
Date: Thu, 26 Feb 1998 10:03:21 -0500 (EST)
From: Roger Books
Reply-To: Roger Books
Subject: Re: Monitoring Web Server
To: firewalls@GreatCircle.COM
In-Reply-To: <199802252125.NAA18372@yginsburg.el.nec.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > Does anyone know of a program that will monitor a web server (no ping,
> > but an actual access of the URL), and if the access doesn't work, page
> > me...
> >
> > I would prefer a DOS, Win 3.X or WIN95 solution. But will go to NT or
> > UNIX if need be.
>
> You might check into BB (Big Brother). This is mainly unix though.

If you want to take a look at my (rewritten version) it's at:

http://www.geocities.com/Area51/Cavern/2371/

My version is all C and TCL/Scotty; I don't really think it will run on NT without Mods. The scotty http get pulls the info and stores it into a file; I send it to /dev/null and just make sure the return value is valid. You could send it to a file and then verify the contents. I do my paging with qpage on my Solaris box, but qpage also (I believe) runs on Linux.

This is a little heavier duty system than what you are asking for; it does http, snmp, tacacs, %full on disk, items in mail spool, etc etc.

Also, before anyone flames me, this, like the regular BB, counts on the client not lying about who it is.
I do some trivial checks to make sure it isn't garbage and make sure the message isn't too long. The part that accepts the input from the clients runs from inetd, so you should wrapper it.

It also does a few things like "retry for 10 minutes before paging me after hours", "don't page me during network maintenance time", page me if it comes back, etc etc.

The one thing I really need to do though is not have it page me for everything when the local gateway goes down or the MAN in Tallahassee drops. (Our network is bridged over the MAN.)

Roger

From firewalls-owner Sun Mar 1 04:45:11 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id EAA11055; Thu, 26 Feb 1998 04:39:20 -0800 (PST)
Received: from transfer.usit.net (transfer.usit.net [208.10.171.67]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id EAA10924 for ; Thu, 26 Feb 1998 04:38:54 -0800 (PST)
Received: from dqisystems.com ([199.1.59.2]) by transfer.usit.net (8.8.7/8.8.5) with ESMTP id HAA11633; Thu, 26 Feb 1998 07:45:19 -0500 (EST)
Received: from gcollins.dqisystems.com ([172.16.128.100]) by dqisystems.com (8.8.5/8.6.12) with SMTP id HAA28125; Thu, 26 Feb 1998 07:37:11 -0500
Reply-To: "Greg Collins"
From: "Greg Collins"
To: , "'firewalls@greatcircle.com'"
Subject: Re: NAT question
Date: Thu, 26 Feb 1998 07:36:24 -0500
Message-ID: <01bd42b3$2663dd20$648010ac@gcollins.dqisystems.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.71.1712.3
X-MimeOLE: Produced By Microsoft MimeOLE V4.71.1712.3
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

No, it does not have to affect the outside world. You can do NAT in both directions. If you are implementing NAT as part of a security strategy, would it not be better to place those machines outside of the NAT router?
That way, you would only be translating addresses outbound from your network.

Greg Collins
Data Quest Information Systems
voice - 423-588-4757
fax - 423-945-3846
gcollins@dqisystems.com

"I have but one thing which cannot be taken from me, and that is my integrity. It I must give up of my own will."

-----Original Message-----
From: saeed abubakar
To: 'firewalls@greatcircle.com'
Date: Thursday, February 26, 1998 6:03 AM
Subject: NAT question

>Hi,
>
> We will be implementing NAT for our Intranet using CISCO 2509.
> The question I have for all you Gurus is, I have an Oracle Server
>(running everything on NT) and a Lotus Notes (again NT) server
>accessible to the outside world. Will implementation of NAT affect their
>approachability from the outside world and for people on the inside?
>
> I hope my question is comprehended by all.
>
>Regards
>Saeed
>--
>Saeed Abubakar
>Sr. System Engineer
>Network Operations
>Cyber Internet Services (Pvt) Ltd.
>e-mail :- saeed@cyber.net.pk
>web :- http://www.cyber.net.pk
>Telephone :- (92 21) 111445566 Ext.
232/201
>Fax :- 92 21 5686745
>

From firewalls-owner Sun Mar 1 04:45:14 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA27114; Thu, 26 Feb 1998 10:03:44 -0800 (PST)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id KAA26804 for ; Thu, 26 Feb 1998 10:02:20 -0800 (PST)
Received: from wall.cpr.fr (wall.cpr.fr [193.57.80.130]) by miles.greatcircle.com (8.8.5/8.8.5) with SMTP id JAA18898 for ; Thu, 26 Feb 1998 09:39:23 -0800 (PST)
Received: by wall.cpr.fr; id SAA07248; Thu, 26 Feb 1998 18:39:49 +0100
Received: from ccmail.cpr.fr(193.57.80.66) by wall.cpr.fr via smap (3.2) id xma007241; Thu, 26 Feb 98 18:39:33 +0100
Received: from ccMail by ccmail.cpr.fr (IMA Internet Exchange 2.12 Enterprise) id 00037B08; Thu, 26 Feb 1998 18:44:12 +0100
Mime-Version: 1.0
Date: Thu, 26 Feb 1998 18:35:31 +0100
Message-ID: <00037B08.3045@cpr.fr>
From: pboyer@cpr.fr (Paul BOYER)
Subject: [OFF TOPIC] Please stop conplainning about the spam
To: Josh Cohen
Cc: firewalls@GreatCircle.COM
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Description: cc:Mail note part
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I know I am doing the opposite of what I say. My apologies for this contradiction.

I received more than 100 "how to stop the spam" msgs for less than 10 genuine spam msgs. "Anti-spamming" opinions are worse than spam, particularly on this list.

The list is "open" to all, and not only to subscribers. This is a policy choice that has already been discussed plenty of times; it need not be discussed on the list.

OPEN lists usually contain more garbage and also more useful information, while CLOSED (only open to subscribers) lists contain less useful information and less garbage. Nevertheless, think about it: this present message is also garbage, even if it comes from a subscriber...
I would not subscribe to a list with 100% guaranteed no garbage that gives no useful information. This is why they have fewer subscribers, and advertising on them is less attractive to spammers...

>loop detected.

The only well known solution is an open list with excellent, fast, accurate, always responsive and highly skilled moderation, which is the case for very few of them, for obvious reasons. Bugtraq is probably the best example. Those skills are not easy to find. Don't complain for not having them for free!

If you really need that kind of service, just pay someone to do the filtering for you; I'm quite sure you will be much more tolerant of small inconveniences such as some easy to discard spamming.

Paul Boyer

From firewalls-owner Sun Mar 1 04:45:17 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA21406; Thu, 26 Feb 1998 05:30:51 -0800 (PST)
Received: from auto-insurance.com ([199.244.232.50]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id FAA21309 for ; Thu, 26 Feb 1998 05:30:07 -0800 (PST)
From: Kevin_Brandich@progressive.com
Received: from prgsec.auto-insurance.com by auto-insurance.com (SMI-8.6/SMI-SVR4) id IAA14034; Thu, 26 Feb 1998 08:36:30 -0500
Received: by p6509708.prci.com(Lotus SMTP MTA v1.06 (346.4 3-18-1997)) id 852565B7.004AE4D3 ; Thu, 26 Feb 1998 08:38:02 -0400
X-Lotus-FromDomain: PROGRESSIVE
To: msorber@ibm.net
cc: firewalls@GreatCircle.COM
Message-ID: <852565B7.00499839.00@p6509708.prci.com>
Date: Thu, 26 Feb 1998 08:36:28 -0400
Subject: Re: Monitoring Web Server
Mime-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

From: Kevin Brandich on 02-26-98 08:36 AM

We've done it a few different ways, either with perl (on Unix, NT and Win95) or Unix Shell. We use it to check static HTML as well as to run CGI/ASP scripts.
Unix Shell:
------------
SomeHttpCommand="GET /"    # get the homepage
SomePattern="Welcome"      # a pattern that is always on the homepage

# Hold the connection open briefly after sending the request; otherwise
# telnet can exit on end of input before the server's reply has arrived.
# The variables are quoted so the request and the pattern are passed intact.
( echo "$SomeHttpCommand"; sleep 2 ) | telnet www.randolph-brooks.net 80 | grep "$SomePattern"
if [ $? -ne 0 ]
then
    echo "you've got problems"
else
    echo "all's well"
fi
------------

With perl you have a couple of routes to take: either use 'system' to call out to O/S commands and essentially do what is demonstrated above, or do it more correctly and make the socket calls (it's really easy!).

Mike, if you want more details I can send you some perl examples.

--
kevin j brandich
progressive corporation

pacoid @ fringeware.com
02/25/98 04:30 PM

To: msorber @ ibm.net
cc: firewalls @ GreatCircle.COM (bcc: Kevin Brandich)
Subject: Re: Monitoring Web Server

> A little off topic...but no where else to go...
>
> Does anyone know of a program that will monitor a web server (no ping,
> but an actual access of the URL), and if the access doesn't work, page
> me...

we've got an Expect script for this - it talks with a server and port, inputs a web page request and then sends an alphanumeric page if the request fails. can you run Expect on the inspecting system?

Paco Nathan
FringeWare, Inc.

> I would prefer a DOS, Win 3.X or WIN95 solution. But will go to NT or
> UNIX if need be.
>
> Thanks in advance,
> Michael Sorbera
> Webmaster/Network Engineer
> Randolph-Brooks Federal Credit Union

From firewalls-owner Sun Mar 1 04:46:16 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id UAA28855; Sat, 28 Feb 1998 20:54:53 -0800 (PST)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id IAA00251 for ; Sat, 28 Feb 1998 08:07:43 -0800 (PST)
Received: from alushta.NL.net (alushta.NL.net [193.78.240.22]) by miles.greatcircle.com (8.8.5/8.8.5) with ESMTP id IAA01897 for ; Sat, 28 Feb 1998 08:13:47 -0800 (PST)
Received: from pggm by alushta.NL.net with UUCP id <16471-24681> convert rfc822-to-8bit; Sat, 28 Feb 1998 17:14:02 +0100
Received: from mailhost.pggm.nl by pggm.nl (SMI-8.6/SMI-4.1) id QAA02035; Sat, 28 Feb 1998 16:52:42 +0100
Received: from bj014.pggm.nl by mailhost.pggm.nl (SMI-8.6/SMI-SVR4) id QAA06990; Sat, 28 Feb 1998 16:52:40 +0100
Received: from mail01.pggm.nl by bj014.pggm.nl (SMI-8.6/SMI-SVR4) id QAA07582; Sat, 28 Feb 1998 16:55:10 +0100
Received: by mail01.pggm.nl with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52) id <01BD4469.7F6237C0@mail01.pggm.nl>; Sat, 28 Feb 1998 16:54:13 +0100
Message-ID:
From: "Grutter H."
To: "'Wong Teck Seng,SAINS'" , "'hussein@act.com.lb'"
Cc: "'firewalls@greatcircle.com'"
Subject: AW: Internal Hard disk specifications for SU
Date: Sat, 28 Feb 1998 16:54:12 +0100
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8BIT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

If you mean you got one and want to know what kind of disk is in the root disk, you can figure it out yourself. Try:

mount | grep /.on (enter)   # to figure out the device name for the disk
format (enter)              # don't worry, nothing serious is going to happen.
select disk the disk, probably 0
inq (enter)                 # to get info
quit (enter)                # to leave

You can also fool around with prtvtoc, prtconf and sysdef.

Good luck,

Hans Grutter

PS: We got here a Seagate ST 3255 0N 2.1 GB

>----------
>From: Hussein Ayad[SMTP:hussein@act.com.lb]
>Sent: Friday 27 February 1998 16:38
>To: Wong Teck Seng,SAINS
>CC: firewalls@greatcircle.com
>Subject: Re: Internal Hard disk specifications for SU
>
>Hello,
>Hard Disk for SUNSparcServer 1000E Could be:
>2.1 GB FAST SCSI DRV, Standard Connector Part # 370-2070
>OR
>1.05 GB SCSI-2 DRV, Standard Connector Part # 370-1963
>
>Rgs.
>Wong Teck Seng,SAINS wrote:
>
>> Hi there:
>> I wonder if anyone out there knows the internal hard disk
>> specifications for SUN Sparc1000E server. Thanks
>
>--
>======================================================================
>Hussein A. AYAD                          Tel: +961-1-350349
>Service & Operation Manager              Mobil: 961-3-727331
>ACT -Automation & Computer Technologies  Fax: +961-1-345549
>Bealbeek St. Commodore Bldg.3rd Fl.      E-mail: hussein@act.com.lb
>P.O.Box: 135302, Beirut - Lebanon        http://www.lebanon-online.com/act
>
>========================================================================
>

From firewalls-owner Sun Mar 1 04:47:31 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA29983; Fri, 27 Feb 1998 15:37:29 -0800 (PST)
Received: from rogue.river.com (rogue.river.com [206.168.172.14]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id PAA29867 for ; Fri, 27 Feb 1998 15:37:05 -0800 (PST)
Received: from rogue.river.com (rogue.river.com [206.168.172.14]) by rogue.river.com (8.8.7/8.8.7) with ESMTP id QAA25124; Fri, 27 Feb 1998 16:43:39 -0700 (MST)
Message-Id:
In-Reply-To: <14385195855566@sev.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 27 Feb 1998 16:43:13 -0700
To: firewalls@greatcircle.com
From: "Richard Johnson"
Subject: Re: firewall for a Macintosh?
Cc: Mitch Gorsha
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 06:43 -0700 on 2/27/98, Mitch Gorsha wrote:

> I should probably duck after asking, but is anyone aware of a firewall
> product that can be run on a Macintosh? Either with OS/8 or with Rhapsody?
>
> thanks ... [mpg]

Peter Lewis wrote a Socks v4 application ($50 shareware) for MacOS, though it apparently hasn't been updated in a bit. I had good luck with it when I tried it out just over a year ago.

fwtk should be OK on Rhapsody (either PPC or Intel) with minimal tweaks, but I haven't had a chance to look at it yet.

If you're willing to run Net/OpenBSD on your 68k Mac hardware, or linux (MkLinux or PPClinux) on your PPC Mac hardware, fwtk should do fine. That's the route I took.

Richard

From firewalls-owner Sun Mar 1 04:48:39 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id UAA26890; Sat, 28 Feb 1998 20:47:50 -0800 (PST)
Received: from zeus.centaur.de (zeus.centaur.de [194.120.119.100]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id KAA28218 for ; Sat, 28 Feb 1998 10:17:03 -0800 (PST)
Received: from localhost (haag@localhost) by zeus.centaur.de (8.8.7/8.8.7) with SMTP id VAA25546 for ; Sat, 28 Feb 1998 21:22:05 +0100
X-Authentication-Warning: zeus.centaur.de: haag owned process doing -bs
Date: Sat, 28 Feb 1998 21:22:05 +0100 (MET)
From: Elmar Haag
To: firewalls@GreatCircle.COM
Subject: Re: syslog-client for NT
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

See http://www.centaur.de/~haag/logger_NT/

Enjoy and send comments (or money ;-) !

Elmar

On Thu, 26 Feb 1998, Elmar Haag wrote:

>
> I wrote a syslog-client for Windows NT/95 that works similar to "logger"
> under Unix. We use it for logging FW-1 logging messages to Unix syslogd.
>
> If someone is interested please email and I will send you the file (.exe)
>
> Greetings
>
> Elmar
>
> ----------------------------------------------------------------------
> Elmar Haag            CENTAUR COMMUNICATION        Urbanstrasse 68
> haag@centaur.de       Xlink PoP Heilbronn          74074 Heilbronn
> http://www.centaur.de Tel +49 7131 799 258         Fax +49 7131 799 260
>

----------------------------------------------------------------------
Elmar Haag            CENTAUR COMMUNICATION        Urbanstrasse 68
haag@centaur.de       Xlink PoP Heilbronn          74074 Heilbronn
http://www.centaur.de Tel +49 7131 799 258         Fax +49 7131 799 260

From firewalls-owner Sun Mar 1 04:49:43 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id EAA13379; Sat, 28 Feb 1998 04:37:47 -0800 (PST)
Received: from glass.toledolink.com (glass.toledolink.com [205.133.127.8]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id EAA13328 for ; Sat, 28 Feb 1998 04:37:35 -0800 (PST)
Received: from dazed.deletus.com (haws@deletus.com [205.133.127.233]) by glass.toledolink.com (8.8.8/8.6.9) with SMTP id HAA16842 for ; Sat, 28 Feb 1998 07:44:21 -0500 (EST)
Date: Sat, 28 Feb 1998 02:44:30 -0500 (EST)
From: Brad Hall
X-Sender: haws@dazed.deletus.com
Reply-To: Brad Hall
To: firewalls@greatcircle.com
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

usubscrible firewalls

From firewalls-owner Sun Mar 1 04:51:05 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id UAA25042; Sat, 28 Feb 1998 20:41:11 -0800 (PST)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id HAA16402 for ; Sat, 28 Feb 1998 07:02:32 -0800 (PST)
Received: from pretoria.thema.it ([194.243.127.88]) by miles.greatcircle.com (8.8.5/8.8.5) with ESMTP id HAA00664 for ; Sat, 28 Feb 1998 07:08:28 -0800 (PST)
Received: from [194.184.101.45] by
pretoria.thema.it (Netscape Mail Server v2.0) with SMTP id AAA212 for ; Sat, 28 Feb 1998 16:10:42 +0000
Received: by Nathan Never.Uniautomation.it with Microsoft Mail id <01BD4462.F6521460@Nathan Never.Uniautomation.it>; Sat, 28 Feb 1998 16:07:26 +0100
Message-ID: <01BD4462.F6521460@Nathan Never.Uniautomation.it>
From: Graziano Leuzzi
To: "firewalls-digest@GreatCircle.COM"
Subject: RE: Radius Solutions for NT
Date: Sat, 28 Feb 1998 16:07:25 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> am looking at what RADIUS Solutions are available on an NT Platform..
>Any one have suggestions / Comments
>Thanks

I know Ascend Access Control. You can find information about it at http://www.ascend.com

CIAO

From firewalls-owner Sun Mar 1 04:52:12 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id WAA02485; Fri, 27 Feb 1998 22:06:06 -0800 (PST)
Received: from paranoia.abm.com.au (abm-3-34.abm.com.au [203.16.203.34]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id WAA02471 for ; Fri, 27 Feb 1998 22:05:59 -0800 (PST)
Received: (from uucp@localhost) by paranoia.abm.com.au (8.8.3/8.8.3) id RAA15130 for ; Sat, 28 Feb 1998 17:28:49 +1100 (EST)
Received: from unknown(203.16.201.210) by paranoia.abm.com.au via smap (V1.3) id sma015050; Sat Feb 28 17:28:15 1998
Message-ID: <34F7A778.9977003D@abm.com.au>
Date: Sat, 28 Feb 1998 16:58:16 +1100
From: Jan Zeilinga
Reply-To: j.zeilinga@abm.com.au
Organization: abm Australasia
X-Mailer: Mozilla 4.04 [en] (WinNT; I)
MIME-Version: 1.0
To: "'firewalls@greatcircle.com'"
Subject: single login
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

This may be a little bit off the topic, but does anyone know of a product that will allow a user to log into a network once.
Once logged in, the user will have access to his/her allowed systems on the network regardless of whether the system is UNIX/NT/Novell etc. This kind of system does have security risks, but it also has security advantages, such as being able to centrally control users' access rights, logging if required, and organisation policy controls.

Regards
Jan Zeilinga

From firewalls-owner Sun Mar 1 04:53:16 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id VAA01122; Fri, 27 Feb 1998 21:58:52 -0800 (PST)
Received: from enteract.com (enteract.com [206.54.252.1]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id VAA01104 for ; Fri, 27 Feb 1998 21:58:43 -0800 (PST)
Received: from Default (jimst.sa.enteract.com [207.229.133.64]) by enteract.com (8.8.8/8.7.6) with SMTP id AAA05058; Sat, 28 Feb 1998 00:04:51 -0600 (CST)
Received: by localhost with Microsoft MAPI; Sat, 28 Feb 1998 00:04:47 -0600
Message-ID: <01BD43DC.7B47A180.jimst@enteract.com>
From: James Strompolis
Reply-To: "jimst@enteract.com"
To: "'STEVE.CONNOLLY@arpstl-emh2.army.mil'" , " - (052)firewalls(a)greatcircle.com"
Subject: RE: Netbios traffic late at night.
Date: Sat, 28 Feb 1998 00:02:46 -0600
Organization: Aleph Consultants, Inc.
X-Mailer: Microsoft Internet E-mail/MAPI - 8.0.0.4211
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Friday, February 27, 1998 11:55 AM, STEVE.CONNOLLY@arpstl-emh2.army.mil [SMTP:STEVE.CONNOLLY@arpstl-emh2.army.mil] wrote:
> Receiving some interesting if not suspicious activity during late night hours...
> I am wondering if anyone has any ideas??
>
> We are running 3 proxy servers in an array configuration....With 1500 users, we
> probably hit a good deal of remote web servers on a daily basis....

Are these MS Proxy machines? Let me know and I might be able to help there.
If so, the web cache is probably set to go out at night and fetch the pages from your most frequently browsed sites to have them fresh and handy for your users in the morning. My guess is that these connections are coming in starting at the time that is set in the proxy configuration (maybe 12:00 midnight?) until it decides it's finished.

- James Strompolis
Aleph Consultants, Inc.
jimst@enteract.com

From firewalls-owner Sun Mar 1 04:53:41 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA28837; Sat, 28 Feb 1998 05:46:22 -0800 (PST)
Received: from ns.datagram.be (ns.datagram.be [195.0.100.253]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id FAA28618 for ; Sat, 28 Feb 1998 05:45:30 -0800 (PST)
Received: from canabis.drug.be (dialup015.liege.eunet.be [193.74.147.15]) by ns.datagram.be (8.8.8/8.8.8) with ESMTP id PAA04609; Sat, 28 Feb 1998 15:26:19 +0100
Message-ID:
X-Mailer: XFMail 1.2 [p0] on Linux
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=iso-8859-2
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
In-Reply-To: <34F39CBE.FAA4B3D3@hk.super.net>
Date: Sat, 28 Feb 1998 14:50:34 +0100 (MET)
X-Face: Xd4)'pr0TvwM([yRD<(#^[Jp[="HHq!VAz-UJqSr7>Mq5nUPqlA9[}T`+7RPVL-#x3Rm:HL.@7Phob8L{]13 C`#$~%t"9PtZ?I(poZbxe.s@y-X1.UG/&*G;>'q:Q6&hYAG6E(49vA2}O34v`GA%*vKiCIW$=BDbfs U+gOFtgYc
Reply-To: manu@acm.org
Organization: http://linux.rtfm.be
From: Emmanuel Tychon
To: Vinci Chou
Subject: Re: How do we stop the spam...i have one idea...anyone else ?
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On 25-Feb-98 Vinci Chou wrote:
> Do you know what netvigator.com is before you suggest people to deny all
> e-mails from netvigator.com ?
> It is one of the largest ISPs in Hong Kong. If you do that, you deny
> communication with a very large proportion of Internet users in Hong Kong.
> Denying emails from a whole domain is not a sensible suggestion unless you
> have proven that the whole domain is evil.

Denying mail from "netvigator.com" will force this ISP to take measures against spamming. If this is not the case, it will continue to accept all the connections, like nothing happens.

Another way is an "ephemeral deny". Each time I receive a mail from, for example, "doom.com", this mail domain will be denied for one week. The domain will be isolated while the spam is going on.

---
Micro$oft -> Where do you want to crash today?
    |||      | Emmanuel Tychon, <$e>
    O-O      | nic-hdl: ET99-RIPE, nic-irc: kosinus
    (_)      | oOO-----OOo
             | Don't be assimilated, use Linux!   | Linux |
             | \-------/
             | PGP key on http://pgp.ai.mit.edu

From firewalls-owner Sun Mar 1 06:19:03 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id DAA05518; Sat, 28 Feb 1998 03:59:38 -0800 (PST)
Received: from ACSacs.Com ([206.16.240.117]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id DAA02916 for ; Sat, 28 Feb 1998 03:36:52 -0800 (PST)
Date: Sat, 28 Feb 1998 03:43:25 -0800 (PST)
From: "Daniel J Blander - Sr. Systems Engineer for ACS"
X-Sender: phaedrus@acsacs.com
To: marc@sniff.ct-net.de
cc: "Daniel J Blander - Sr. Systems Engineer for ACS" , firewalls@greatcircle.com
Subject: Re: Secure OS? (was: Re: HP vs. Solaris)
In-Reply-To: <199802270942.JAA07460@home.sniff.ct-net.de>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I took liberties with the term "Secure OS". My reference was to utilizing an Operating System that was more stable, reliable and able to tune certain functions that FW-1 does not address. For example, FW-1 does not, out of the box, protect against the forwarding of directed broadcasts (land attack I believe). But the Solaris OS allows you to disable this function - as well as Source-Routing, and other options.
Another example is the situation you encounter when some bozo (other than yourself ;-) takes down the firewall and can't get it back up again (I've done it, so don't laugh...) but the OS and system are still running. The window may be small, but that may be all the opportunity that is needed. The failure of your firewall software (through software fault or a BTCATK* problem) should not lead to compromise, and if your OS is stable and "secured" independent of the firewall it significantly helps your firewall's ability to perform its duties....and should increase your comfort level (or get more than one hour of sleep each night...in my case).

Bottom Line: I wouldn't pick SunOS 4.1.2 with no patches for my firewall, but I would use instead Solaris 2.6 (since many historical security holes have been aggressively patched).

*Between-The-Chair-And-The-Keyboard

On Fri, 27 Feb 1998 marc@sniff.ct-net.de wrote:

> Hello Mr. Blander!
>
> > To pull this back on-topic (a bit)....
>
> and now a little bit off-topic again ;-)
>
> You advise to use a secured OS Version. That seems a good idea,
> but I would like to know _why_ one should use secure versions?
>
> Because of a better patch support?
>
> FW-1's stateful engine is located _under_ the TCP stack and
> is part of the kernel. How does a secured OS help in this
> situation? (Well, the application proxies should be more secure)
> Is an OS that allows kernel modules a "secure" OS?
>
>
> Regards, Marc
> --
> Marc Binderberger 97076 Wuerzburg, Germany
> marc@sniff.ct-net.de Powered by FreeBSD ;-)
>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Daniel Blander =8^)
Sr.
Systems Engineer
Applied Computer Solutions
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Phone: (714) 842.7800   Fax: (714) 842.8299
Email: Daniel.Blander@acsacs.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.acsacs.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From firewalls-owner Sun Mar 1 06:53:45 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA06468; Sun, 1 Mar 1998 02:19:40 -0800 (PST)
Received: from cc00ms.unity.ncsu.edu (cc00ms.unity.ncsu.edu [152.1.1.35]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id XAA27128 for ; Sat, 28 Feb 1998 23:19:54 -0800 (PST)
Received: from c00069-100lez.eos.ncsu.edu (c00069-100lez.eos.ncsu.edu [152.1.26.28]) by cc00ms.unity.ncsu.edu (8.8.4/US19Dec96) with SMTP id CAA22233; Sun, 1 Mar 1998 02:26:43 -0500 (EST)
Date: Sun, 1 Mar 1998 02:26:42 -0500 (EST)
From: Ken Williams
X-Sender: jkwilli2@c00069-100lez.eos.ncsu.edu
To: wildfire@island.net
cc: firewalls@GreatCircle.COM
Subject: Re: IDS: Re: RE: Simply a Question "?"
In-Reply-To: <199802270352.TAA11265@norm.island.net>
Message-ID:
X-Copyright: The contents of this message may not be reproduced in any form
X-Copyright: (including Commercial use) unless specific permission is granted
X-Copyright: by the author of the message. All requests must be in writing.
X-Disclaimer: The contents of this email are for educational purposes only
X-Disclaimer: and do not reflect the thoughts or opinions of either myself
X-Disclaimer: or my employer and are not endorsed by sponsored by or provided
X-Disclaimer: on behalf of North Carolina State University.
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 26 Feb 1998, Kevin P. O'Brien wrote:

>I want to get off this list too!
>
>It is easy to get on, and imposiible to get off!!!!!

Just like crack cocaine huh?

>I have been to the homepage and searched the net for weeks now.
ROFFLMGDAO!

>Please tell me how to get off this list.

See below. I felt the need to "share my experience, strength and hope".

>wildfire@island.net

Kevin,

I regret to inform you that you CANNOT get off of this list. I have been trying to get off the list since November of 1974. I have changed email addresses, changed my name, my social security number, moved, changed my mailing address, assumed a new identity, quit my job, divorced my wife, shot my dog, sold my car, got plastic surgery, bribed the list administrator, contacted Janet Reno and begged, asked Ken Starr to investigate, and even renounced my US citizenship and declared that I was a communist, moved to China and renounced all religious beliefs in firewalls.

Then, in December, I contacted my lawyer about it; he subscribed!!! I notified the state and federal Attorney General's offices; they all subscribed!!! I decided it was time to stop being "Mr. Nice Guy", so I contacted the local police department, the FBI, the CIA, the NSA, the ATF, and the PTL Club. THEY ALL SUBSCRIBED!!! (Although, I understand that the Pentagon still has not implemented an adequate firewall yet).

My advice: Contact your sponsor, and then go back and do the first step again. You have to admit that you are powerless over the Firewalls mailing list - that your subscriptions to mailing lists have become unmanageable.

All join in the Firewalls Serenity Prayer....

Please Bill G, grant me the serenity to accept my subscription to the Firewalls mailing list. Give me the courage to install a firewall and accept the fact that security is an ongoing process. And give me the wisdom to never get a job as SecAdmin with Microsoft. In Bill G's name I pray. Amen.

Ken Williams

/--------------------------[ TATTOOMAN ]--------------------------\
| ORG: NC State Computer Science Dept     VP of The E. H. A. P. Corp.
| | EML: jkwilli2@adm.csc.ncsu.edu ehap@hackers.com | | EML: jkwilli2@unity.ncsu.edu ehap-secure@hackers.com | | WWW: http://www4.ncsu.edu/~jkwilli2/ http://www.hackers.com/ehap/ | | FTP: ftp://152.7.11.38/pub/personal/tattooman/ | | W3B: http://152.7.11.38/~tattooman/w3board/ | | PGP: finger tattooman@152.7.11.38 | \----------------[ http://152.7.11.38/~tattooman/ ]----------------/ From firewalls-owner Sun Mar 1 06:54:49 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA06946; Sun, 1 Mar 1998 02:23:24 -0800 (PST) Received: from mail.the-wire.com (mail.the-wire.com [198.53.192.5]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id AAA09433 for ; Sun, 1 Mar 1998 00:03:44 -0800 (PST) Received: from anton.the-wire.com (anton.the-wire.com [205.206.32.227]) by mail.the-wire.com (8.8.8/8.8.8) with SMTP id DAA04475; Sun, 1 Mar 1998 03:08:26 -0500 (EST) Message-Id: <3.0.32.19980228233329.00a08a30@mail.the-wire.com> X-Sender: anton@mail.the-wire.com X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Sun, 01 Mar 1998 03:12:38 -0500 To: pmarc@cmg.fcnbd.com, Mark Teicher From: Anton J Aylward Subject: Re: Security Engineering vs. Security Auditing Cc: "gcrum@us-state.gov" , christopher_burgher@notes.pw.com, firewalls@greatcircle.com, Bret Watson Mime-Version: 1.0 Content-Type: text/enriched; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk ## Reply Start ## Let me start with the dramatic stuff, which when I first wrote out this reply was nearer the end. The purpose of an audit is not to make the system secure; it is to enable management to have a high degree of confidence about what is going on and that their procedures and controls are working. This does NOT mean eliminating security risks, improving integrity and reliability. Management may WANT to accept, assign or assume those risks. 
But the point is that they want to know about them and that they are being addressed IN THE WAY THAT MANAGEMENT WANTS. And if management wants what you, as a techie or sysadmin would consider a gaping hole, then that is what management wants. ================================================== At 11:27 AM 26/02/98 -0600, Paul M. Cardon wrote: >This thread has focused on auditing which is generally >about coming in after the fact to see if security goals >have indeed been met. Certainly improvements need to be >made in the auditing 'industry', but shouldn't equal if >not more effort be focused on increasing the number >of competent security _engineers_? Like many contributors to this thread, you're assuming that while we don't live in a perfect world, it is at least attainable, should be attained for its own value, and will be. It's rather like the old physics experiment .... perhaps you want to try this. Take a weight, something a couple of pounds, and a piece of string. Tie the weight in the middle of the string and lift it by pulling the string out as if you were bragging about how big a fish you caught. Can you get the line of the string completely flat? Or ask it another way, what's the least weight compared to the tensile strength of the string which will permit you to get the string to be completely flat. It helps if you know Zeno and a bit of calculus. >I'm not saying that security auditing is unnecessary. >On the contrary I think it is critical. Thank you. >I would simply >argue that we're better off if we have more competent >people designing and implementing security systems in >the first place. Otherwise we are relying too heavily >on somebody to come in and point out the holes after >implementation is complete when it is usually more >difficult to make changes to the system without >significant impact. No, this is the way we have to work, for two reasons. Or at least two reasons. Maybe a lot more. No matter how good you are, as a programmer, say.
Your code must always be tested. Not only to see if it functions according to spec, but to see what happens out of spec, rather like buffer over-runs. And an important premise of testing is that the person who wrote the code cannot be the person who tests it. I refer you to any worthwhile text on managing software engineering for the details. Most people - managers included - now accept this. But the idea of only using competent people to do the designs begs too many questions. I'm sure you'll admit there simply aren't enough. So we train more. Great. We've solved every problem. Now we use the same technique to come up with better politicians, bankers, judges..... even programmers. And make sure that they're performing at 100%, flawlessly, all the time. Like computers. ;-) At what point do we take the 'apprentice' and let him do a design of importance in his own right? However, your assumption is flawed at a more basic level. You've assumed that auditing involves >somebody to come in and point out the holes after >implementation is complete. Well as you may have gathered, I'm an auditor, after being a sysadmin/netadmin for many years, and a programmer and kernel hacker before that. I don't work that way. Yes, systems do get designed and redesigned and extended and a whole pile of other things that can be called 'design'. Right now, 2/5ths of my job is EXCLUSIVELY dealing with the stages BEFORE the design. Not auditing the design, but before that. Refining and auditing policy and the validity of the needs analysis; what the test suites will look like; stuff like this. Now you're probably going to turn round and say "Ah but that isn't auditing...". Pay close attention then to the next paragraph. Yes, I know, there are many auditors, especially those from the Big N-1, who come along and work on a model which is basically the Bean Counters type of financial auditing, sifting thru papers, running ISS scans.
This is what Mark Teicher started off this thread, and finally summarized this thread, talking about. (Sorry, bad sentence construct there) The classical financial model that the Big N-1 are using is inappropriate to Information Technology, to embedded systems; to process control; to things like Trading Floor Computing Services. Even though I disagree with Bennett Todd on many counts, when he talks about this kind of auditing - the "grovelling thru papers" - I agree. Most of my criticisms to clients are more likely to be of the class "This is going to fail because it is architecturally unsound, so don't do it" than a listing of their server ports which are open. Yes, if they've asked for the latter kind of audit, my firm will give it to them, but it's usually for another reason. Go back to the GASSP reference. It's usually because of a merger or buy out or expansion and an originally documented IS/IT department has grown and changed without being documented. No-one knows what is where and does what or why. This kind of auditing is a "no-blame" stage. Later stages may ask the question "Was a policy document from the days of the mainframe when there were just a few people using PCs for word processing still appropriate today?" and "Are the procedures and controls still appropriate for the new environment". An audit MAY be triggered by a security incident. Management may ask why did this happen, "No don't give me that stuff about a rule in the firewall being wrong, what's our exposure?" This kind of question MAY require a listing of the configuration, and as Bennett Todd points out requires the kind of very experienced people that the Big N-1 simply don't seem to have. When I've encountered them and their proposals I find that the people in my own firm have about as much experience AS INDIVIDUALS as their whole teams do. Which is why we're interested in accreditation. We have to fight technically incompetent organizations with very credible sales forces.
But also an audit may be triggered by the completion of changes to the 'system' which arose from a previous "Audit", or verifying that the deployment of the changes does in fact meet the audited design. I use the term in quotes. The audit may have said 'we are not satisfying customer needs'. The follow up may be making sure that what was changed was what was supposed to be changed. However, when you say >after >implementation is complete when it is usually more >difficult to make changes to the system without >significant impact. You are 100% correct. But this is the fault of management. Back in the 70's, the TQM people were preaching that it is more expensive to do after-production QC than to embed the QA into the whole process from the design onwards. Make the design testable, make the production processes testable, and so on. Substitute the word "security" for "quality" and "auditable" for "testable" and that's what we're facing. One of the management tools we have at my firm is a "Security Awareness Maturity Grid". It's a pretty direct crib from P. Crosby's book "Quality is Free". Only we've changed "Quality" to "Security" or "Integrity" or "Availability" or "Privacy". Unless management have security awareness, they're never going to design it in. It will always be an afterthought, a bag-on-the-side. This will probably make security an inconvenience, which is why it has got a bad reputation. And because it's an after-the-event, auditing becomes an after-the-event too, as you've described. So it's expensive and inconvenient and ends up being highly critical. An information systems security audit is something you should look forward to, because it will prove to your senior management what a good responsible job you have done. Because you are one of the >increasing the number >of competent security _engineers_ and are glad to have it proven.
## Reply End ## From firewalls-owner Sun Mar 1 07:53:33 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA28331; Sun, 1 Mar 1998 06:40:25 -0800 (PST) Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id GAA21574 for ; Sun, 1 Mar 1998 06:04:14 -0800 (PST) From: mht@clark.net Received: from mtigwc04.worldnet.att.net (mtigwc04.worldnet.att.net [204.127.131.33]) by miles.greatcircle.com (8.8.5/8.8.5) with ESMTP id GAA00356 for ; Sun, 1 Mar 1998 06:01:16 -0800 (PST) Received: from highlander ([12.68.18.10]) by mtigwc04.worldnet.att.net (post.office MTA v2.0 0613 ) with SMTP id AAA20728 for ; Sun, 1 Mar 1998 14:01:44 +0000 Message-Id: <3.0.3.32.19980301090134.03746628@pop3.clark.net> X-Sender: mht@pop3.clark.net X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Sun, 01 Mar 1998 09:01:34 -0500 To: firewalls@GreatCircle.COM Subject: Re: OFF TOPIC REPLY was Re: The Likes of Atristotle In-Reply-To: <199802272310.SAA05853@xaymaca.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Ah yes, and Tom Morris of the Morris Institute also composed a book entitled "If Aristotle Ran General Motors".. /mht For those who would like to do some digging on the poster Here is some information for them whois xaymaca.com XAYMACA Co (XAYMACA-DOM) 2825 13th St NW WASHINGTON, DC 20009 Domain Name: XAYMACA.COM Administrative Contact: Stoessel, Vince (VS796) vince@DIGEX.NET 301-847-6548 (FAX) 301-847-6215 Technical Contact, Zone Contact: Hostmaster Role Account (HRA21-ORG) dns@DIGEX.NET tel.: 301-847-5000 fax.: 301-847-6215 http://www.digex.net Billing Contact: Stoessel, Vince (VS796) vince@DIGEX.NET 301-847-6548 (FAX) 301-847-6215 Record last updated on 13-Feb-98. Record created on 24-Mar-96. Database last updated on 1-Mar-98 04:11:25 EST.
Domain servers in listed order: NS.XAYMACA.COM 209.49.107.195 NS.DIGEX.NET 164.109.1.3 Non-authoritative answer: xaymaca.com nameserver = NS.xaymaca.com xaymaca.com nameserver = NS.DIGEX.NET xaymaca.com internet address = 209.49.107.195 Authoritative answers can be found from: xaymaca.com nameserver = NS.xaymaca.com xaymaca.com nameserver = NS.DIGEX.NET NS.xaymaca.com internet address = 209.49.107.195 NS.DIGEX.NET internet address = 164.109.1.3 telnet 209.49.107.195 Trying 209.49.107.195... Connected to 209.49.107.195. Escape character is '^]'. IRIX (xaymaca.com) login: telnet 209.49.107.195 25 Connected to 209.49.107.195. Escape character is '^]'. 220 xaymaca.com ESMTP Sendmail 8.8.8/8.8.8; Sun, 1 Mar 1998 08:49:03 -0500 (EST) HELP 214-This is Sendmail version 8.8.8 214-Topics: 214- HELO EHLO MAIL RCPT DATA 214- RSET NOOP QUIT HELP VRFY 214- EXPN VERB ETRN DSN 214-For more info use "HELP ". 214-To report bugs in the implementation send email to 214- sendmail-bugs@sendmail.org. 214-For local information send email to Postmaster at your site. 214 End of HELP info thank you very much for the information on your mail relay host.. /mht At 06:10 PM 2/27/98 -0500, jojohimself@joblow_sec.com wrote: > > > >-------------------------------- > "back to learn from the likes of Aristotle and Plato I think > I would. I certainly would have liked to learn from them. > If I recall they only taught stuff they had personally > invented." > >Nope... neither Aristotle nor Plato created nor spoke of anything original. If it appeared to be original to their listeners it was because their listeners had not been with them when they were learning. Aristotle, and possibly Plato, was a traveller and it is well documented that he spent much time in Egypt prior to becoming a famous Philosopher. While in Egypt he studied in the Egyptian Mystery System. The Egyptian Mystery System is responsible for the Pyramids...
and the rest of the Intellectual accomplishments of early (pre-Athenian) civilization. He then told Alexander... and Alexander went and Confiscated what he wanted and torched the rest. > >Refer to a book called Stolen Legacy > > > >took what he wanted and torched everything else > >PEace... >Even Firewall Admins know their history >JoJo AKA RufNec de Ntlect > > From firewalls-owner Sun Mar 1 08:53:48 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA23127; Sun, 1 Mar 1998 08:23:05 -0800 (PST) Received: from loas.clark.net (loas.clark.net [168.143.0.13]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id IAA23027 for ; Sun, 1 Mar 1998 08:22:44 -0800 (PST) Received: from mjr.clark.net (mjr.clark.net [168.143.19.61]) by loas.clark.net (8.8.8/8.8.8) with SMTP id LAA01685 for ; Sun, 1 Mar 1998 11:29:36 -0500 (EST) Message-Id: <3.0.3.32.19980301112946.00696904@mail.clark.net> X-Sender: mjr@mail.clark.net X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.3 (32) Date: Sun, 01 Mar 1998 11:29:46 -0500 To: firewalls@greatcircle.com From: "Marcus J. Ranum" Subject: Re: Monitoring Web Server Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I think it'd be pretty simple to program an NFR to do it. You could set up a filter that looks for connection attempts that don't complete, or HTTP connections that return an error, and save them to a log or a statistic. As an added bonus you could have the same filter keep realtime web hit statistics and URL frequency graphs. There are already a couple of filters for web traffic that you could modify to do what you want. Source is downloadable from www.nfr.net mjr. -- Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net home - http://www.clark.net/pub/mjr From firewalls-owner Sun Mar 1 09:01:05 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id TAA04462; Sat, 28 Feb 1998 19:25:19 -0800 (PST) Received: from mtigwc04.worldnet.att.net (mtigwc04.worldnet.att.net [204.127.131.33]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id TAA04322 for ; Sat, 28 Feb 1998 19:24:47 -0800 (PST) From: mht@clark.net Received: from highlander ([12.68.18.10]) by mtigwc04.worldnet.att.net (post.office MTA v2.0 0613 ) with SMTP id AAB5087; Sun, 1 Mar 1998 03:31:40 +0000 Message-Id: <3.0.3.32.19980228222803.0345cbc0@pop3.clark.net> X-Sender: mht@pop3.clark.net X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Sat, 28 Feb 1998 22:28:03 -0500 To: dgumport@dannygumport.com (Danny Gumport), Adler Tzipora , Ziv Dascalu Subject: Re: You have been traced!!! (I just received this in response to a FW posting). Cc: firewalls@GreatCircle.COM In-Reply-To: <34F537EE.F6A70F29@DannyGumport.com> References: <01BD42A2.0BDFE680@tzipint.abirnet.co.il> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Danny Gumport, I actually received a message from abirnet explaining this occurrence, stating it was an error caused by an overzealous QA person. I have a hard time understanding this, as I posted a private note to Ziv from Abirnet about this occurrence. I hope that Abirnet fixed the functionality in their next release. /mht At 04:37 AM 2/26/98 -0500, Danny Gumport wrote: >uh....so what ? there was no spam except for your >ridiculous reply - which is spam (an unsolicited commercial >posting). I have reported your site to the US spam-busters group that >will include your domain on their omit list. >Thanks for your id - places like yours waste internet bandwidth. >bozo's.
>-Danny G > > >Adler Tzipora wrote: >> >> As part of our company's efforts to avoid Email abuse, >> it is our policy to electronically monitor internal and external Email. >> At least one of your Email messages was monitored. >> >> This message was sent by the AbirNet's >> SessionWall-3 Active Network Protection Tool. >> For more information see http://www.AbirNet.com >> >> ---------------------------------------------------------------------------- --- >> >> Part 1.2 Type: application/ms-tnef >> Encoding: base64 > > ------------------------------------------------------ "GREETINGS PROFESSOR FALKEN." "SHALL WE PLAY A GAME??" ------------------------------------------------------ From firewalls-owner Sun Mar 1 09:09:17 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA01619; Sun, 1 Mar 1998 08:57:15 -0800 (PST) Received: from cs.weber.edu ([137.190.16.18]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id IAA01590 for ; Sun, 1 Mar 1998 08:57:06 -0800 (PST) Received: from icarus.weber.edu by cs.weber.edu (4.1/SMI-4.1.1) id AA12567; Sun, 1 Mar 98 10:00:27 MST Received: by icarus.weber.edu (5.x/SMI-SVR4) id AA00843; Sun, 1 Mar 1998 10:10:22 -0700 Date: Sun, 1 Mar 1998 10:10:21 -0700 (MST) From: Henry Hertz Hobbit To: Mike Hedlund Cc: firewalls@GreatCircle.COM Subject: RE: Monitoring Web Server In-Reply-To: Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thu, 26 Feb 1998, Mike Hedlund wrote: > > > Many years ago i wrote a little program called pping. it's a tcp 'port > pinger'; works like regular ping, except over tcp. it doesn't actually get a > file, it checks a tcp port to see if it's accepting connections... > > $ pping -v -h www.yahoo.com -t 3 -s 1 -c 3 -p 80 > [1] www.yahoo.com:80 ... [time=6.986ms] accepting connections. > [2] www.yahoo.com:80 ... [time=6.624ms] accepting connections. > [3] www.yahoo.com:80 ...
[time=7.122ms] accepting connections. > ----------- www.yahoo.com:80 PPING Stats ---------- > 3 attempts, 3 connections, 0 failures, 0% failure rate > connect time (ms) min/avg/max 6.624/6.911/7.122 > $ > > $ pping -h www.yahoo.com -c 1 -t 3 -p 80 -q > [1] www.yahoo.com:80 ... [time=7.807ms] accepting connections. > $ pping -h www.yahoo.com -c 1 -t 3 -p 81 -q > [1] www.yahoo.com:81 ... connection refused. > $ > > It's a C program that should compile on anything, except windows. :) > Should be easy to port over, but i never bothered. i actually wrote > a windows app that monitors local cpu/memory/disk usage, and a list > of remote sites, and if any of those sites fail a check, it sends mail to > someone... > > If anyone wants either one i'll throw it up on a web page somewhere.. Throw it up there! Looks like an interesting program that may have even more uses than you have put it to. Or I guess I should say that others may think of other ways to use it. The Hobbit (NOT the netcat one) From firewalls-owner Sun Mar 1 10:21:43 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA11231; Thu, 26 Feb 1998 13:52:13 -0800 (PST) Received: from chekov.Belgium.eu.net (relay.eunet.be [192.92.130.25]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id NAA11201 for ; Thu, 26 Feb 1998 13:52:04 -0800 (PST) Received: from pcpc (dialup007.mons.eunet.be [193.121.153.7]) by chekov.Belgium.eu.net (8.8.7/8.8.7) with SMTP id WAA25530 for ; Thu, 26 Feb 1998 22:58:10 GMT Message-Id: <3.0.1.32.19980226230111.00b96210@pophost.ping.be> X-Sender: p4u00342@pophost.ping.be X-Mailer: Windows Eudora Light Version 3.0.1 (32) Date: Thu, 26 Feb 1998 23:01:11 +0100 To: firewalls@greatcircle.com From: Philippe Cayphas Subject: Pentagon attacked by Hackers ! Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk For those who are interested...
Philippe > > > Pentagon says computers invaded by hackers > > February 25, 1998 > Web posted at: 10:26 a.m. EST (1526 GMT) > > WASHINGTON (CNN) -- > Unidentified hackers penetrated > unclassified U.S. military > computers in a widespread cyber > attack that hit all the military > services, a top Pentagon official > said Wednesday. > > "Fairly heavy cyber attacks" occurred during the past > two weeks, said John Hamre, deputy secretary of defense and the > U.S. military's number two civilian official. > > "It was the most organized and systematic" attack the > Pentagon has seen to date, he said. > > Hamre told defense reporters that the event had "all > the appearances of a game" and apparently was perpetrated > by "a small number of individuals." > > The deputy defense secretary said he was constrained > from divulging too many details about the attacks because > the military was working in cooperation with the Justice Department > in pursuing potential criminal activity. > > The attacks did not appear to be connected with the > ongoing crisis involving Iraq, he said. > > According to Hamre, the attacks appear to be directed > at unclassified information, such as personnel records or > payroll matters. "Our classified networks were intact and not > penetrated," he said. > > He described the attacks as "widespread and modestly > sophisticated," adding that all the military services > "had penetration to some degree." > > He said the department has been attempting in recent > years to update its defenses against such attacks but that more > must be done. "We have to do a good deal more in this area," > he said. > > Hamre said that the attacks appeared to be occurring > at a time when a "hacker contest" was going on. But he did not > say where such an event originated or offer a further > explanation. > > The Associated Press contributed to this report. > --- Ph. 
Cayphas Sr Engineer - Proget Luxembourg +32 75 64 88 31 From firewalls-owner Sun Mar 1 11:38:54 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA04966; Sun, 1 Mar 1998 09:17:16 -0800 (PST) Received: from mail.the-wire.com (mail.the-wire.com [198.53.192.5]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id JAA04946 for ; Sun, 1 Mar 1998 09:17:05 -0800 (PST) Received: from anton.the-wire.com (anton.the-wire.com [205.206.32.227]) by mail.the-wire.com (8.8.8/8.8.8) with SMTP id MAA10564; Sun, 1 Mar 1998 12:22:03 -0500 (EST) Message-Id: <3.0.32.19980301092930.00a2a5b0@mail.the-wire.com> X-Sender: anton@mail.the-wire.com X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Sun, 01 Mar 1998 12:26:29 -0500 To: manu@acm.org, Vinci Chou From: Anton J Aylward Subject: Re: How do we stop the spam...i have one idea...anyone else ? Cc: firewalls@GreatCircle.COM Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 02:50 PM 28/02/98 +0100, Emmanuel Tychon wrote: ## Reply Start ## >Denying mail from "netvigator.com" will force this ISP to >take measures against spamming. If this is not the case, >it will continue to accept all the >connections, like nothing happens. Your logic escapes me. It runs past me then gallops over the hills never to be seen again. Perhaps if EVERY site in the world were to deny mail from this ISP something might happen. Perhaps someone can organize that? Would you like to volunteer? Or better still, how about we set up a new internet for non SPAM mail only. Would you volunteer for that?
/anton PS: For the humour impaired: ";-)" ## Reply End ## From firewalls-owner Sun Mar 1 12:06:38 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id EAA00110; Sun, 1 Mar 1998 04:14:04 -0800 (PST) Received: from panix2.panix.com (panix2.panix.com [198.7.0.3]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id CAA02917 for ; Sun, 1 Mar 1998 02:04:46 -0800 (PST) Received: (from guy@localhost) by panix2.panix.com (8.8.5/8.8.8/PanixU1.4) id FAA27969; Sun, 1 Mar 1998 05:11:36 -0500 (EST) Date: Sun, 1 Mar 1998 05:11:36 -0500 (EST) From: Information Security Message-Id: <199803011011.FAA27969@panix2.panix.com> To: firewalls@GreatCircle.COM Subject: Re: [OFF TOPIC] Please stop complaining about the spam Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > From: pboyer@cpr.fr (Paul BOYER) > > The list is "open" to all, and not only to subscribers. This is a policy choice > that has already been discussed plenty of times, it need not be discussed on > the list. You then proceed to discuss it: > An OPEN list usually contains more garbage and also more useful information. > > While CLOSED (only open to subscribers) lists contain less useful information > and less garbage. Nevertheless, think about it : this present message is also > garbage, even if it comes from a subscriber... Care to give examples of useful traffic from non-subscribed sources? Also, add to the subscription-confirmation mechanism text that says if you spam the list, you will be fined (acknowledge you will be charged) $500 by each person who wishes to complain about your UCE. And make attempts to do so. > The only well known solution is an open list with excellent, fast, accurate, > always responsive and highly skilled moderation, which is the case for very few > of them for obvious reasons. Hey, no one is looking for perfection. Just queue for manual release items that ring up as spam on the analytic meter...
...and short messages with a line matching the pattern: scrib.*fire ...and delete all MIME messages. ---guy # This message is in MIME format. The first part should be readable text, # while the remaining parts are likely unreadable without MIME-aware tools. # Send mail to mime@docserver.cac.washington.edu for more info. # # ------=_NextPart_000_0107_01BD4082.F37B1D60 # Content-Type: TEXT/PLAIN; CHARSET=iso-8859-1 # Content-ID: # # # usubscribe firewalls # # ------=_NextPart_000_0107_01BD4082.F37B1D60 # Content-Type: TEXT/HTML; CHARSET=iso-8859-1 # Content-Transfer-Encoding: QUOTED-PRINTABLE # Content-ID: # # # # # # # # # #
usubscribe=20 # firewalls
# # ------=_NextPart_000_0107_01BD4082.F37B1D60-- From firewalls-owner Sun Mar 1 12:53:30 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id EAA00470; Sun, 1 Mar 1998 04:16:10 -0800 (PST) Received: from mtigwc04.worldnet.att.net (mtigwc04.worldnet.att.net [204.127.131.33]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id CAA06579 for ; Sun, 1 Mar 1998 02:20:46 -0800 (PST) From: mht@clark.net Received: from highlander ([12.68.18.10]) by mtigwc04.worldnet.att.net (post.office MTA v2.0 0613 ) with SMTP id AAA11159; Sun, 1 Mar 1998 10:27:38 +0000 Message-Id: <3.0.3.32.19980301052250.035a3e18@pop3.clark.net> X-Sender: mht@pop3.clark.net X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Sun, 01 Mar 1998 05:22:50 -0500 To: bret@rehost.com Subject: Re: Firewall and network security training. -reply Cc: firewalls@greatcircle.com In-Reply-To: <199802271732.MAA19911@rehost.com> References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Bret, Absolutely, give credit where credit is due, whether in the reference section of the talk or in noting it during the talk. I have also attended Cisco courses taught by other organizations that, in my mind, did a better job of getting the material across than the bona fide Cisco folks, but that was probably more the instructor than the material. Currently, I am very worried the various conference committees may not be doing a very thorough verification of not only the abstracts, the topic and material check to ensure that the material submitted is clearly the work of the potential instructor. I do have some personal experience in having the above incident occur, and it is quite interesting how the conference committees were influenced in their decisions on this very same issue.
/mht At 12:32 PM 2/27/98 -0500, Bret McDanel wrote: >I don't have a real problem with teachers presenting the work of others. If >that were the case no university would be able to teach everything they >need to.. I think that they should give credit where credit is due, but >if the information is in the public domain (or they bought a book from >someone as reference, and it's a 'text book' type deal) ... > >Why should I not be able to use cisco documentation (http://www.cisco.com) >to teach how to make a cisco more secure, when it's unreasonable to assume >that I would be able to figure out how to configure a cisco and secure it >without any work from someone else? > >I'd be more wary of the teachers that claim that everything is their own >work, and they rely on no one else to learn stuff.. They are prolly not >quite as good as someone who admits that they actually use resources made >available by others.. > > >---Reply on mail from Mark Teicher about Firewall and network security training. > >> >> TO add to that point, we also need to certify the teachers to ensure >> the material they are presenting is in fact their own work, and not the work >> of someone else. >> >> >> /mht >> > >---End reply >-- >Bret McDanel http://www.rehost.com >Realistic Technologies, Inc. 973-514-1144 > > These opinions are mine, and may not be the same as my employer > > > > ------------------------------------------------------ "GREETINGS PROFESSOR FALKEN." "SHALL WE PLAY A GAME??"
------------------------------------------------------

From firewalls-owner Sun Mar 1 17:23:52 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id RAA29132; Sat, 28 Feb 1998 17:06:54 -0800 (PST)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id QAA17893 for ; Sat, 28 Feb 1998 16:26:12 -0800 (PST)
Received: from cs.weber.edu ([137.190.16.18]) by miles.greatcircle.com (8.8.5/8.8.5) with SMTP id QAA15899 for ; Sat, 28 Feb 1998 16:32:20 -0800 (PST)
Received: from icarus.weber.edu by cs.weber.edu (4.1/SMI-4.1.1) id AA10846; Sat, 28 Feb 98 17:29:07 MST
Received: by icarus.weber.edu (5.x/SMI-SVR4) id AA24052; Sat, 28 Feb 1998 17:39:03 -0700
Date: Sat, 28 Feb 1998 17:38:58 -0700 (MST)
From: Henry Hertz Hobbit
To: klinec@mapcoinc.com
Cc: Firewalls@GreatCircle.COM
Subject: Re: Dial-up security breach?
In-Reply-To: <062565B8.007106EC.00@mercury.mapcoinc.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 27 Feb 1998 klinec@mapcoinc.com wrote:

> This is a little off-topic, but I thought I would try it anyway.
>
> We provide Internet access to 300 users enterprise-wide through
> our frame-relay WAN connections and our firewall at our corporate
> headquarters. Some users have decided to go out and get accounts
> with local ISPs and have dial-up connections in Windows95 or
> Windows NT to these ISPs. How much of a security risk does
> everyone think this may be? Since these users are typically
> dynamically assigned an IP address when they log in to their ISP,
> they then have TWO IP addresses on their system. One for the
> network card and one for the dial-up PPP connection. Could an
> attacker use this situation to attack our network? How likely
> is this?
>
> We are trying to eradicate this from our network, but some of
> these users are pretty stubborn.

I don't understand what they have to be stubborn about. Why do
they need internet access TWO ways? It gives two ways in, and
even if an attack isn't found it soon will be 8^). Also, all
of those dial-up analog lines (assuming interior of company's
phone lines are digital) are costing your company $$. Me and a
friend were discussing this, and we believe we could access the
files on the PC. Sounds to me like you just made your firewall
pointless and useless. I know companies that have had firewalls
that were never breached, but the modem bank for home access
to employees caused numerous break-ins.

Yank their phone lines...

The Hobbit (NOT the netcat one)

From firewalls-owner Sun Mar 1 17:38:24 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA06966; Sat, 28 Feb 1998 13:25:31 -0800 (PST)
Received: from quechua.inka.de (quechua.inka.de [193.197.84.11]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id NAA06938 for ; Sat, 28 Feb 1998 13:25:18 -0800 (PST)
Received: from ms1.ka.inka.de (uu.inka.de) [193.197.84.8] by quechua.inka.de with smtp id 0y8trZ-0008Ga-00; Sat, 28 Feb 1998 22:32:05 +0100
Received: from lina.inka.de (lists@lina.inka.de) by uu.inka.de with bsmtp (S3.1.29.1) id ; Sat, 28 Feb 98 22:32 MET
Received: by lina.inka.de id m0y8tW8-000145C (Debian Smail-3.2.0.100 1997-Dec-8 #2); Sat, 28 Feb 1998 22:09:56 +0100 (CET)
Message-ID: <19980228220952.13251@lina>
Date: Sat, 28 Feb 1998 22:09:52 +0100
From: Bernd Eckenfels
To: Mark Plesser
Cc: Adam Fenn , "'Firewalls'"
Subject: Re: Protocol 47
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.88
In-Reply-To: ; from Mark Plesser on Thu, Feb 26, 1998 at 01:21:10PM -0500
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello,

there is a Masquerade Module for Linux which can read the TCP Control
Connection (Port 1723) for PPTP and can Forward (extended) GRE (Prot 47)
Packets.
The Patch is from John Hardin and can be found on the Masquerade Site of
Indyramp:

http://www.indyramp.com/mirrors/ipmasq/pptp.html

Greetings
Bernd

On %M %N, Mark Plesser wrote
>
> Adam, PPTP is nothing more than a GRE tunnel with some encryption and
> authentication on top of it. As such, those packets are IP type 47. There
> is no TCP or UDP header and, therefore, you can not proxy those packets.
> Your best bet is a packet filter like IPF.
>
>
> On Wed, 25 Feb 1998, Adam Fenn wrote:
>
> > Date: Wed, 25 Feb 1998 17:07:30 -0600
> > From: Adam Fenn
> > To: 'Firewalls'
> > Subject: Protocol 47
> >
> > I am messing around with PPTP on an NT RAS server. I thought I would
> > try to proxy PPTP through my bastion host. I pulled out a sniffer to
> > figure out what TCP or UDP ports PPTP used.. Turns out PPTP is a
> > transport layer protocol of its own, protocol 47. Like TCP is 6 and
> > UDP is 17. Anyone know how I might proxy protocol 47? I am running a
> > little Linux i386 machine, with a variety of free proxy applications.
> >
> > Thanks!
> > Adam
> >
>
> Mark Plesser
> Morgan Stanley & Co. (212) 762-1990
> 750 7th Avenue, 9th Floor, New York, NY 10019
>

--
  (OO)      -- Bernd_Eckenfels@Wendelinusstrasse39.76646Bruchsal.de --
 ( .. )  ecki@{inka.de,linux.de,debian.org}  http://home.pages.de/~eckes/
  o--o     *plush*  2048/93600EFD  eckes@irc  +497257930613  BE5-RIPE
(O____O)       If privacy is outlawed only Outlaws have privacy

From firewalls-owner Sun Mar 1 18:09:56 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id TAA07662; Sat, 28 Feb 1998 19:38:13 -0800 (PST)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id TAA28494 for ; Sat, 28 Feb 1998 19:03:58 -0800 (PST)
Received: from kenics.com ([207.159.134.4]) by miles.greatcircle.com (8.8.5/8.8.5) with ESMTP id TAA18255 for ; Sat, 28 Feb 1998 19:10:05 -0800 (PST)
Received: from casey_nt (1Cust27.max22.boston.ma.ms.uu.net [153.35.80.27]) by kenics.com (8.8.5/8.8.5) with SMTP id UAA01324 for ; Sat, 28 Feb 1998 20:10:28 -0700 (MST)
Received: by casey_nt with Microsoft Mail id <01BD4495.A1468090@casey_nt>; Sat, 28 Feb 1998 22:10:08 -0500
Message-ID: <01BD4495.A1468090@casey_nt>
From: "Seamus E. Casey"
To: "firewalls@GreatCircle.COM"
Subject: RE: Pentagon attacked by Hackers !
Date: Sat, 28 Feb 1998 22:10:23 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The story has been updated...teenagers...go figure... ;)

Full Story from ZDNet:
http://www.zdnet.com/zdnn/content/zdnn/0227/290073.html

Seamus E. Casey
Casey@Kenics.Com

----------
From: Philippe Cayphas[SMTP:Philippe.Cayphas@ping.be]
Sent: Saturday, February 28, 1998 22:07
To: firewalls@GreatCircle.COM
Subject: Pentagon attacked by Hackers !

For those who are interested...

Philippe

>
>
> Pentagon says computers invaded by hackers
>
> February 25, 1998
> Web posted at: 10:26 a.m. EST (1526 GMT)
>
> WASHINGTON (CNN) -- Unidentified hackers penetrated unclassified U.S.
> military computers in a widespread cyber attack that hit all the military
> services, a top Pentagon official said Wednesday.
>
> "Fairly heavy cyber attacks" occurred during the past two weeks, said
> John Hamre, deputy secretary of defense and the U.S. military's number
> two civilian official.
>
> "It was the most organized and systematic" attack the Pentagon has seen
> to date, he said.
>
> Hamre told defense reporters that the event had "all the appearances of
> a game" and apparently was perpetrated by "a small number of individuals."
>
> The deputy defense secretary said he was constrained from divulging too
> many details about the attacks because the military was working in
> cooperation with the Justice Department in pursuing potential criminal
> activity.
>
> The attacks did not appear to be connected with the ongoing crisis
> involving Iraq, he said.
>
> According to Hamre, the attacks appear to be directed at unclassified
> information, such as personnel records or payroll matters. "Our
> classified networks were intact and not penetrated," he said.
>
> He described the attacks as "widespread and modestly sophisticated,"
> adding that all the military services "had penetration to some degree."
>
> He said the department has been attempting in recent years to update its
> defenses against such attacks but that more must be done. "We have to do
> a good deal more in this area," he said.
>
> Hamre said that the attacks appeared to be occurring at a time when a
> "hacker contest" was going on. But he did not say where such an event
> originated or offer a further explanation.
>
> The Associated Press contributed to this report.
>
---
Ph. Cayphas
Sr Engineer - Proget Luxembourg
+32 75 64 88 31

From firewalls-owner Sun Mar 1 18:10:13 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA26547; Sat, 28 Feb 1998 07:47:26 -0800 (PST)
Received: from relay.nswc.navy.mil (relay.nswc.navy.mil [128.38.1.41]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id HAA26535 for ; Sat, 28 Feb 1998 07:47:20 -0800 (PST)
Received: from joatmon (joatmon.nswc.navy.mil) by relay.nswc.navy.mil (4.1/SMI-4.1) id AA21227; Sat, 28 Feb 98 10:53:59 EST
Received: by joatmon (4.1/SMI-4.1) id AA03086; Sat, 28 Feb 98 10:54:01 EST
Date: Sat, 28 Feb 98 10:54:01 EST
From: snorthc@nswc.navy.mil (Stephen Northcutt - CD2S)
Message-Id: <9802281554.AA03086@joatmon>
To: Firewalls@GreatCircle.COM
Subject: Re: Netbios traffic late at night.
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

STEVE.CONNOLLY@arpstl-emh2.army.mil wrote:
>We are running 3 proxy servers in an array configuration....With 1500 users, we
>probably hit a good deal of remote web servers on a daily basis....
>The oddity is that some of those web servers try to talk back to us during the
>midnight hours.
>The firewall is reporting attempted connections via udp/137 which is Netbios
>right??

Good eye Steve. Many web services are not satisfied with the amount of
info they can collect on you just from the HTTP packet and cookie
manipulation, so they come back on 137 to get login names and other fun
stuff. BTW, they will keep coming and coming and coming and if you were
not blocking 137 could get a lot of info.

Crazy world!
Stephen Northcutt

From firewalls-owner Sun Mar 1 19:09:51 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id SAA26390; Sun, 1 Mar 1998 18:46:44 -0800 (PST)
Received: from znet.groupz.net (znet.groupz.net [204.116.90.34]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id SAA26158 for ; Sun, 1 Mar 1998 18:45:48 -0800 (PST)
Received: from znet.groupznet (ags-5200-3-p5.groupz.net) by znet.groupz.net with SMTP (1.37.109.24/16.2) id AA133496071; Sun, 1 Mar 1998 21:34:31 -0500
Received: by localhost with Microsoft MAPI; Sun, 1 Mar 1998 21:49:48 -0500
Message-Id: <01BD455B.F49221C0.simmonsk@splittie.com>
From: Ken Simmons
To: "'Henry Hertz Hobbit'" , "klinec@mapcoinc.com"
Cc: "Firewalls@GreatCircle.COM"
Subject: RE: Dial-up security breach?
Date: Sun, 1 Mar 1998 21:49:27 -0500
X-Mailer: Microsoft Internet E-mail/MAPI - 8.0.0.4211
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Oh Joy! Now your employees have an untraceable path for sending company
files and other proprietary information.

On Saturday, February 28, 1998 7:39 PM, Henry Hertz Hobbit
[SMTP:hhhobbit@icarus.weber.edu] wrote:
> On Fri, 27 Feb 1998 klinec@mapcoinc.com wrote:
>
> > This is a little off-topic, but I thought I would try it anyway.
> >
> > We provide Internet access to 300 users enterprise-wide through
> > our frame-relay WAN connections and our firewall at our corporate
> > headquarters. Some users have decided to go out and get accounts
> > with local ISPs and have dial-up connections in Windows95 or
> > Windows NT to these ISPs.
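Stephen Northcutt's post a few messages up says the udp/137 attempts are from web servers the proxies had visited earlier in the day. That correlation is easy to pull out of firewall logs, which is what the script below does. It is an added example, not code from anyone on the list; the log format (date, time, action, protocol, src:port, dst:port) and the sample lines are constructed for the example.

```python
"""Correlate inbound udp/137 attempts with earlier outbound web visits.

Added example (not from the mailing list). The log shape is assumed:
  YYYY-MM-DD HH:MM:SS action proto src_ip:port dst_ip:port
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: two daytime web visits, then night-time NetBIOS name
# queries, three from a web server we had visited and one from a stranger.
SAMPLE_LOG = """\
1998-02-27 11:02:13 accept tcp 10.1.5.27:1041 198.51.100.10:80
1998-02-27 11:02:14 accept tcp 10.1.5.27:1042 198.51.100.10:80
1998-02-27 11:05:40 accept tcp 10.1.5.31:1101 203.0.113.9:80
1998-02-27 23:58:02 drop udp 198.51.100.10:137 10.1.5.27:137
1998-02-27 23:58:05 drop udp 198.51.100.10:137 10.1.5.27:137
1998-02-28 00:01:11 drop udp 198.51.100.10:137 10.1.5.27:137
1998-02-28 00:10:00 drop udp 192.0.2.200:137 10.1.5.31:137
"""


def parse_line(line):
    """Split one log line into (timestamp, action, proto, sip, sport, dip, dport)."""
    date, clock, action, proto, src, dst = line.split()
    ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return ts, action, proto, sip, int(sport), dip, int(dport)


def find_netbios_callbacks(log_text, window=timedelta(hours=24)):
    """Classify inbound udp/137 traffic.

    callbacks:   (external, internal) -> attempts that followed a web visit
                 from that internal host to that external host within `window`
    unsolicited: external -> udp/137 attempts with no prior web visit
    accepted_137: how many udp/137 packets the firewall let through (should be 0)
    """
    web_contacts = defaultdict(list)   # (internal, external) -> visit times
    callbacks = Counter()
    unsolicited = Counter()
    accepted = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, action, proto, sip, sport, dip, dport = parse_line(line)
        if proto == "tcp" and dport == 80:
            web_contacts[(sip, dip)].append(ts)
        elif proto == "udp" and dport == 137:
            if action == "accept":
                accepted += 1
            # Did the destination (our host) visit the source's web server recently?
            prior = web_contacts.get((dip, sip), [])
            if any(timedelta(0) <= (ts - t) <= window for t in prior):
                callbacks[(sip, dip)] += 1
            else:
                unsolicited[sip] += 1
    return {
        "callbacks": dict(callbacks),
        "unsolicited": dict(unsolicited),
        "accepted_137": accepted,
    }


if __name__ == "__main__":
    report = find_netbios_callbacks(SAMPLE_LOG)
    for (ext, internal), n in report["callbacks"].items():
        print(f"{ext} came back on udp/137 to {internal} {n} times after a web visit")
    for ext, n in report["unsolicited"].items():
        print(f"{ext} probed udp/137 {n} times with no prior web visit")
    print("udp/137 packets accepted:", report["accepted_137"])
```

The "accepted_137" count is the check that matters most for the point Northcutt makes: the callbacks are only a curiosity as long as the firewall drops them, and any non-zero value there means the rule that should be blocking 137 is not doing so.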
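The condition klinec describes, and that Henry Hertz Hobbit and Ken Simmons object to above, is a workstation holding a corporate address and an ISP-assigned PPP address at the same time, with a default route out through the ISP. The script below audits collected route tables for exactly that condition. It is an added example, not code from any poster; it assumes each host's `route print` output (Windows 95/NT) has been gathered into text, and the corporate address range and the sample tables are constructed.

```python
"""Flag dual-homed workstations from collected Windows route tables.

Added example (not from the mailing list). Input is assumed to be the
text of `route print` on each workstation; CORPORATE_NETS and the
sample tables below are constructed for the example.
"""
import ipaddress
import re

# Constructed sample: one clean host, one with a live dial-up PPP link.
SAMPLE_ROUTE_TABLES = {
    "ws-clean": """
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 a0 24 1c 2b 3c ...... 3Com EtherLink
Active Routes:
Network Address          Netmask  Gateway Address       Interface  Metric
        0.0.0.0          0.0.0.0       10.1.5.1          10.1.5.27       1
       10.1.5.0    255.255.255.0      10.1.5.27          10.1.5.27       1
      127.0.0.0        255.0.0.0      127.0.0.1          127.0.0.1       1
""",
    "ws-dialup": """
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 a0 24 1c 2b 3d ...... 3Com EtherLink
0x3 ...00 00 00 00 00 00 ...... NdisWan Adapter
Active Routes:
Network Address          Netmask  Gateway Address       Interface  Metric
        0.0.0.0          0.0.0.0       10.1.5.1          10.1.5.28       2
        0.0.0.0          0.0.0.0   203.0.113.77       203.0.113.77       1
       10.1.5.0    255.255.255.0      10.1.5.28          10.1.5.28       2
      127.0.0.0        255.0.0.0      127.0.0.1          127.0.0.1       1
   203.0.113.77  255.255.255.255      127.0.0.1          127.0.0.1       1
""",
}

# Constructed: the enterprise's own address space.
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
ROUTE_RE = re.compile(rf"^\s*{IPV4}\s+{IPV4}\s+{IPV4}\s+{IPV4}\s+(\d+)\s*$")


def parse_routes(text):
    """Return (network, netmask, gateway, interface, metric) tuples from `route print` text."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            net, mask, gw, iface, metric = m.groups()
            routes.append((net, mask, gw, iface, int(metric)))
    return routes


def is_corporate(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CORPORATE_NETS)


def audit_host(text):
    """Return a finding dict if the host is on the LAN and has a default route
    via a non-corporate interface (i.e. a dial-up PPP link); else None."""
    routes = parse_routes(text)
    defaults = [r for r in routes if r[0] == "0.0.0.0" and r[1] == "0.0.0.0"]
    lan_ifaces = {r[3] for r in routes if is_corporate(r[3])}
    foreign_defaults = [r for r in defaults if not is_corporate(r[3])]
    if lan_ifaces and foreign_defaults:
        # Windows prefers the lowest metric, so record whether the ISP path wins.
        preferred = min(defaults, key=lambda r: r[4])
        return {
            "lan_interfaces": sorted(lan_ifaces),
            "foreign_default_gateways": [r[2] for r in foreign_defaults],
            "isp_path_preferred": not is_corporate(preferred[3]),
        }
    return None


def audit_all(tables):
    """Map hostname -> finding for every dual-homed host in `tables`."""
    findings = {}
    for host, text in tables.items():
        finding = audit_host(text)
        if finding:
            findings[host] = finding
    return findings


if __name__ == "__main__":
    for host, finding in audit_all(SAMPLE_ROUTE_TABLES).items():
        print(host, finding)
```

A host that shows up here is both reachable from the ISP side without passing the firewall and, as Simmons notes, able to send anything out that way unlogged; "isp_path_preferred" tells you whether the machine's ordinary Internet traffic is already taking the dial-up path instead of the firewall.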
From firewalls-owner Sun Mar 1 20:09:03 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id TAA13522; Sun, 1 Mar 1998 19:56:56 -0800 (PST)
Received: from mail.intermediatn.net (mail.intermediatn.net [206.151.220.5]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id TAA13511 for ; Sun, 1 Mar 1998 19:56:50 -0800 (PST)
Received: from intermediatn.net ([208.148.128.14]) by mail.intermediatn.net (Post.Office MTA v3.1.2 release (PO205-101c) ID# 605-45218U5000L500S0) with ESMTP id AAA199 for ; Sun, 1 Mar 1998 23:03:32 -0500
Message-ID: <34FA59D3.B9AD2D19@intermediatn.net>
Date: Sun, 01 Mar 1998 23:03:47 -0800
From: num-lock
X-Mailer: Mozilla 4.04 [en] (Win95; I)
MIME-Version: 1.0
To: firewalls@greatcircle.com
Subject: usubscrible firewalls
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

usubscrible firewalls now please

From firewalls-owner Sun Mar 1 20:23:37 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id TAA13769; Sun, 1 Mar 1998 19:58:11 -0800 (PST)
Received: from dfw-ix14.ix.netcom.com (dfw-ix14.ix.netcom.com [206.214.98.14]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id TAA13597 for ; Sun, 1 Mar 1998 19:57:31 -0800 (PST)
Received: (from smap@localhost) by dfw-ix14.ix.netcom.com (8.8.4/8.8.4) id WAA28327; Sun, 1 Mar 1998 22:03:28 -0600 (CST)
Received: from nyc-ny40-15.ix.netcom.com(199.35.216.207) by dfw-ix14.ix.netcom.com via smap (V1.3) id rma028254; Sun Mar 1 22:03:17 1998
Message-ID: <34FA2FA9.66281588@ix.netcom.com>
Date: Sun, 01 Mar 1998 23:03:53 -0500
From: Robert Carbone
X-Mailer: Mozilla 4.04 [en] (WinNT; U)
MIME-Version: 1.0
To: Ken Williams
CC: Bob De Witt , firewalls@GreatCircle.COM, Michael@yginsburg.el.nec.com, Sorbera@yginsburg.el.nec.com
Subject: Re: Monitoring Web Server
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

To add to this, PING uses ICMP - which is one of the protocols which are
dropped by routers if excessive traffic is encountered.

Ken Williams wrote:
> On Wed, 25 Feb 1998, Bob De Witt wrote:
>
>
> >On Wed Feb 25, 1998, Michael Sorbera wrote:
> >>
> >> Does anyone know of a program that will monitor a web server (no ping,
> >> but an actual access of the URL), and if the access doesn't work, page
> >> me...
> >>
> >> I would prefer a DOS, Win 3.X or WIN95 solution. But will go to NT or
> >> UNIX if need be.
> >>
> >> Thanks in advance,
> >> Michael Sorbera
> >> Webmaster/Network Engineer
> >> Randolph-Brooks Federal Credit Union
> >>
> >You forgot to mention what your net does currently. ie- if you have NFS
> >running, try to do an 'ed' on a dummy file from within a shell script.
> >Branch on failure to open the exported dummy file. Or use 'grep' ...
> >
> >Why not 'ping'? It is easiest.
>
> Ping IS the easiest way to determine if a server is up, but it is not
> necessarily going to tell you if that web server is actually accessible.
> For example, if you have a cgi perl script running that has a slight
> misconfiguration, such as a call to an img tag when there is no img to be
> called on, you will eventually run your httpd load up so high that the
> server never fulfills any requests. I recently had such a problem and it
> took several days for the httpd load to get up to 96% and effectively deny
> all http requests. Due to the fact that webservers are dynamic in the
> sense that you are running cgi applications and the websites are always
> being modified, you have to come up with a better method of monitoring. I
> would rather use a script that would monitor the httpd loads and email me
> when the load reached a certain level.
>
> >Try tracking the license allocation from an application...
> >
> >Just some ideas ...
> >
> > Bob De Witt,
> > rdew@el.nec.com
> >The views expressed herein are my own,
> >and are not attributable to any other
> >source, be it employer, friend or foe.
> >
> >
>
> I look forward to hearing about a real solution to this question. When
> you have numerous clients implementing their own cgi scripts, ping is
> simply not a viable solution.
>
> Regards,
>
> Ken Williams
>
> /--------------------------[ TATTOOMAN ]--------------------------\
> | ORG: NC State Computer Science Dept   VP of The E. H. A. P. Corp. |
> | EML: jkwilli2@adm.csc.ncsu.edu        ehap@hackers.com            |
> | EML: jkwilli2@unity.ncsu.edu          ehap-secure@hackers.com     |
> | WWW: http://www4.ncsu.edu/~jkwilli2/  http://www.hackers.com/ehap/ |
> | FTP: ftp://152.7.11.38/pub/personal/tattooman/                    |
> | W3B: http://152.7.11.38/~tattooman/w3board/                       |
> | PGP: finger tattooman@152.7.11.38                                 |
> \----------------[ http://152.7.11.38/~tattooman/ ]----------------/

--
                     ___....-----'---`-----....___
          =========================================
  ___        ___`---..._______...-       (___)
_|_|_|_     (___) \\____.-'_.---._`-.____//
            ~~~~`.__`---'__.'~~~~           Robert L. Carbone
                    `~~~'                   positron@ix.netcom.com
                                            Systems Integration Engineer

That Which Does Not kill you Makes you hurt that much longer !
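Michael Sorbera asked for a monitor that does "an actual access of the URL", and Ken Williams and Robert Carbone explain why ping is not that: a wedged httpd still answers ICMP, and ICMP is the first thing routers drop under load. Below is the kind of probe that answers Sorbera's question, added here as an example and not code from any poster. It fetches the URL with a hard timeout and classifies the outcome; to keep it self-contained it also starts a constructed stand-in web server on localhost with a healthy page, a deliberately slow page (standing in for the overloaded server Williams describes) and a page that returns a server error. Paging is left to whatever the reader already has; the probe just returns a state.

```python
"""HTTP-level availability check, as opposed to ping.

Added example (not from the mailing list). check_url() is the monitor;
the demo server below is a constructed stand-in for the monitored host.
"""
import http.server
import socket
import threading
import time
import urllib.error
import urllib.request


def check_url(url, timeout=2.0, expect_status=200, expect_text=None):
    """Fetch url and return (state, detail).

    state is one of: 'up', 'bad_status', 'bad_content', 'timeout', 'down'.
    A server that answers ping but never completes an HTTP response shows
    up as 'timeout', which is the case ICMP monitoring misses.
    """
    started = time.monotonic()
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read(65536).decode("latin-1", "replace")
            elapsed = time.monotonic() - started
            if resp.status != expect_status:
                return "bad_status", f"HTTP {resp.status} after {elapsed:.2f}s"
            if expect_text is not None and expect_text not in body:
                return "bad_content", "expected text missing from page"
            return "up", f"HTTP {resp.status} in {elapsed:.2f}s"
    except urllib.error.HTTPError as e:          # 4xx/5xx: server reachable, page broken
        return "bad_status", f"HTTP {e.code}"
    except (socket.timeout, TimeoutError):       # connected, but no complete reply in time
        return "timeout", f"no complete response within {timeout}s"
    except urllib.error.URLError as e:           # connect failure (refused, unreachable, DNS)
        if isinstance(e.reason, (socket.timeout, TimeoutError)):
            return "timeout", f"no connection within {timeout}s"
        return "down", str(e.reason)
    except OSError as e:
        return "down", str(e)


class _DemoHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in web server: '/' is healthy, '/slow' is wedged, '/err' fails."""

    def do_GET(self):
        if self.path == "/slow":
            time.sleep(1.5)          # pretend the httpd is too loaded to answer
        if self.path == "/err":
            self.send_error(500)     # a broken CGI
            return
        body = b"<html>demo page OK</html>"
        try:
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        except OSError:
            pass                     # client already gave up (the /slow case)

    def log_message(self, *args):
        pass                         # keep the demo quiet


def start_demo_server():
    """Start the stand-in server on an ephemeral localhost port; return (server, base_url)."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), _DemoHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def run_checks(base_url):
    """Probe the four cases a monitor must tell apart."""
    return {
        "home": check_url(base_url + "/", timeout=1.0, expect_text="OK"),
        "wedged": check_url(base_url + "/slow", timeout=0.5),
        "broken_cgi": check_url(base_url + "/err", timeout=1.0),
        "unreachable": check_url("http://127.0.0.1:9/", timeout=1.0),
    }


if __name__ == "__main__":
    server, base = start_demo_server()
    for name, (state, detail) in run_checks(base).items():
        print(f"{name:12s} {state:10s} {detail}")
    server.shutdown()
```

In production the timeout is the important knob: set it to what the real server normally answers within, so that the load problem Williams describes (requests eventually never completing) is reported as "timeout" long before the box is at 96 percent.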
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.2

mQBtAzH0EB0AAAEDAJ9n/Z1pc6huEtmCxn5S9auUm/JY6AqKyvOMesajpgsqa+VW
MVLLTC4EieJf2g5raW3d0GSjm63GNC4PVYbbm4duZfKQfBKPOv9eWuNNxJTYrasp
njcwzkGbedG9AZTO/QAFE7Qdcm9iZXJ0IGNhcmJvbmU8cm9iY0BpbXNpLmNvbT6J
AHUDBRAx9BBBm3nRvQGUzv0BAUqaAv9TAJ5ABDcaL6GHpW+wme1dApkQhE9mNbBU
+Gxe+eulkf/ugFfD1Fdh4+BSM1lk2dDhEc1p8cWTX5WTyzFeJgJo2VJPjsPOG0Zg
1x5v4w7+u5qJeno/8+w2SApTy/ER0sw=
=Zw8h
-----END PGP PUBLIC KEY BLOCK-----

From firewalls-owner Sun Mar 1 21:30:43 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id VAA25539; Sun, 1 Mar 1998 21:08:21 -0800 (PST)
Received: from endeavor.flash.net (endeavor.flash.net [209.30.0.40]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id VAA24629 for ; Sun, 1 Mar 1998 21:01:39 -0800 (PST)
Received: from default (sdsh6-226.flash.net [209.30.93.226]) by endeavor.flash.net (8.8.7/8.8.5) with SMTP id XAA16876 for ; Sun, 1 Mar 1998 23:08:43 -0600 (CST)
Message-ID: <001001bd4599$75b5bf40$e25d1ed1@default>
From: "wardt"
To:
Date: Sun, 1 Mar 1998 21:10:02 -0800
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_000D_01BD4556.665396A0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.72.2106.4
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

usubscrible firewalls

From firewalls-owner Sun Mar 1 22:39:30 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id UAA22965; Sun, 1 Mar 1998 20:52:37 -0800 (PST)
Received: from dakr004.korea.army.mil ([199.122.35.132]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id UAA22919 for ; Sun, 1 Mar 1998 20:52:25 -0800 (PST)
Received: by dakr004.korea.army.mil with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5) id <01BD45E4.15975060@dakr004.korea.army.mil>; Mon, 2 Mar 1998 14:04:15 +0900
Message-ID:
From: "Nance, Kenneth"
To: "'klinec@mapcoinc.com'" , "'Henry Hertz Hobbit'"
Cc: "'Firewalls@GreatCircle.COM'"
Subject: RE: Dial-up security breach?
Date: Mon, 2 Mar 1998 14:04:12 +0900
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

When we talk security, the issue is what are we trying to protect at what
cost? We can impose the hardware, software, firmware and procedural
techniques to secure our information and avoid denial of service. Looking
at this from the aspect of securing the information, there are some
vulnerabilities when e-mail applications (unencrypted) are used. Where does
the mail sit prior to delivery? I want to discuss more, but I'll try to get
back with you.

>----------
>From: Henry Hertz Hobbit[SMTP:hhhobbit@icarus.weber.edu]
>Sent: Sunday, March 01, 1998 9:38 AM
>To: klinec@mapcoinc.com
>Cc: Firewalls@GreatCircle.COM
>Subject: Re: Dial-up security breach?
>
>On Fri, 27 Feb 1998 klinec@mapcoinc.com wrote:
>
>> This is a little off-topic, but I thought I would try it anyway.
>>
>> We provide Internet access to 300 users enterprise-wide through
>> our frame-relay WAN connections and our firewall at our corporate
>> headquarters. Some users have decided to go out and get accounts
>> with local ISPs and have dial-up connections in Windows95 or
>> Windows NT to these ISPs.
>> How much of a security risk does
>> everyone think this may be? Since these users are typically
>> dynamically assigned an IP address when they log in to their ISP,
>> they then have TWO IP addresses on their system. One for the
>> network card and one for the dial-up PPP connection. Could an
>> attacker use this situation to attack our network? How likely
>> is this?
>>
>> We are trying to eradicate this from our network, but some of
>> these users are pretty stubborn.
>
>I don't understand what they have to be stubborn about. Why do
>they need internet access TWO ways? It gives two ways in, and
>even if an attack isn't found it soon will be 8^). Also, all
>of those dial-up analog lines (assuming interior of company's
>phone lines are digital) are costing your company $$. Me and a
>friend were discussing this, and we believe we could access the
>files on the PC. Sounds to me like you just made your firewall
>pointless and useless. I know companies that have had firewalls
>that were never breached, but the modem bank for home access
>to employees caused numerous break-ins.
>
>Yank their phone lines...
>
>
>The Hobbit (NOT the netcat one)
>

From firewalls-owner Mon Mar 2 00:17:20 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA26569; Sun, 1 Mar 1998 23:29:57 -0800 (PST)
Received: from inet.unisource.nl (mail.inet.unisource.nl [194.151.95.4]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id XAA26554 for ; Sun, 1 Mar 1998 23:29:49 -0800 (PST)
Received: from inet.unisource.nl (inet.unisource.nl [194.151.95.4]) by inet.unisource.nl (8.8.5/8.8.5) with SMTP id IAA21250 for ; Mon, 2 Mar 1998 08:23:24 +0100 (MET)
Date: Mon, 2 Mar 1998 08:23:24 +0100 (MET)
From: Ger van Hees
Reply-To: Ger van Hees
Subject: RE: Monitoring Web Server
To: firewalls@GreatCircle.COM
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Does anyone know of a program that will monitor a web server (no ping,
> but an actual access of the URL), and if the access doesn't work, page
> me...

Look for a package called NOCOL. It doesn't do the paging, but it can
monitor all kinds of services and hosts. It runs on Unix.
Kind regards,
Ger van Hees

From firewalls-owner Mon Mar 2 00:23:33 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA28001; Sun, 1 Mar 1998 23:37:31 -0800 (PST)
Received: from public.sc.cninfo.net ([202.98.99.140]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id XAA27826 for ; Sun, 1 Mar 1998 23:36:55 -0800 (PST)
Received: from hopesc ([10.143.3.196]) by public.sc.cninfo.net (8.8.8/8.8.8) with SMTP id PAA16174 for ; Mon, 2 Mar 1998 15:40:26 +0800 (CST)
Message-ID: <008a01bd45af$25c36e40$c4038f0a@hopesc>
From: "Guijun"
To:
Subject: Test
Date: Mon, 2 Mar 1998 15:45:15 +0800
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0087_01BD45F2.317204C0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.72.2106.4
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Test

From firewalls-owner Mon Mar 2 01:53:45 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id BAA20144; Mon, 2 Mar 1998 01:49:27 -0800 (PST)
Received: from alushta.NL.net (alushta.NL.net [193.78.240.22]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id BAA19987 for ; Mon, 2 Mar 1998 01:48:45 -0800 (PST)
Received: from pggm by alushta.NL.net with UUCP id <17094-5918>; Mon, 2 Mar 1998 10:53:15 +0100
Received: from mailhost.pggm.nl by pggm.nl (SMI-8.6/SMI-4.1) id KAA02500; Mon, 2 Mar 1998 10:42:09 +0100
Received: from bj014.pggm.nl by mailhost.pggm.nl (SMI-8.6/SMI-SVR4) id KAA27529; Mon, 2 Mar 1998 10:42:07 +0100
Received: from mail01.pggm.nl by bj014.pggm.nl (SMI-8.6/SMI-SVR4) id KAA19019; Mon, 2 Mar 1998 10:44:39 +0100
Received: by mail01.pggm.nl with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52) id <01BD45C8.10AEAA60@mail01.pggm.nl>; Mon, 2 Mar 1998 10:43:41 +0100
Message-ID:
From: "Grutter H."
To: "'dennis_keller@smtp.ddc.dla.mil'" , "'Henry Hertz Hobbit'"
Cc: "'firewalls@GreatCircle.COM'" , "'gcollins@dqisystems.com'"
Subject: AW: Harsh Security audits?
Date: Mon, 2 Mar 1998 10:43:19 +0100
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Please think and don't yell around that you don't have a firewall.
Further, if I were you I would cover my ass before the disaster happens.
Put your warnings in writing and have them signed by your superior.
Make good backups and wait for the disaster. Then all of a sudden there
is a budget for you.
This is not the preferable way, but sometimes the best one.

Sleep well,
Hans

>----------
>From: Henry Hertz Hobbit[SMTP:hhhobbit@icarus.weber.edu]
>Sent: Thursday 26 February 1998 14:17
>To: dennis_keller@smtp.ddc.dla.mil
>CC: firewalls@GreatCircle.COM; gcollins@dqisystems.com
>Subject: Re: Harsh Security audits?
>
>On Tue, 24 Feb 1998 dennis_keller@smtp.ddc.dla.mil wrote:
>
>>
>> Greg,
>> We have the same problem. Last December we had a serious DoS
>> attack. Everybody(management) was pointing fingers at the DNS server
>> (which was a symptom). It seems that I was correct in my assessment
>> of the situation, that we were indeed the victim of DoS attack.
>> Management doesn't want to see/hear about problems until a major
>> intrusion occurs, then it's too late.
>> I work for an agency of DoD, you would THINK security would be
>> extremely important (ha, ha). When you have management with a deeply
>> ingrained sense of touchy-feely horseshit (civilian and military orgs,
>> doesn't make any difference) you keep getting trounced upon and talk
>> to deaf ears.
>> By the way we don't have a firewall installed (yet!), that was put
>> on hold last September a week prior to deployment. I have had to
>> piece together a security posture using freeware from CERT, COAST and
>> other such places. And people wonder why I can't sleep at night!
>>
>> Denny
>> Defense Distribution Center
>> New Cumberland, PA
>> email: dkeller@ddc.dla.mil
>>
>> Where's my valium!?
>
>Sounds to me like you need it; I would also advise circulating
>the ole rez out there. If I am not mistaken you are sitting on
>a disaster ready to happen...
>
>The Hobbit (not the netcat one)
>
>

From firewalls-owner Mon Mar 2 02:47:47 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id BAA13592; Mon, 2 Mar 1998 01:08:06 -0800 (PST)
Received: from alushta.NL.net (alushta.NL.net [193.78.240.22]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id BAA13552 for ; Mon, 2 Mar 1998 01:07:37 -0800 (PST)
Received: from pggm by alushta.NL.net with UUCP id <14674-29993>; Mon, 2 Mar 1998 10:14:19 +0100
Received: from mailhost.pggm.nl by pggm.nl (SMI-8.6/SMI-4.1) id KAA02285; Mon, 2 Mar 1998 10:08:59 +0100
Received: from bj014.pggm.nl by mailhost.pggm.nl (SMI-8.6/SMI-SVR4) id KAA24289; Mon, 2 Mar 1998 10:08:58 +0100
Received: from mail01.pggm.nl by bj014.pggm.nl (SMI-8.6/SMI-SVR4) id KAA17144; Mon, 2 Mar 1998 10:11:31 +0100
Received: by mail01.pggm.nl with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52) id <01BD45C3.701E86F0@mail01.pggm.nl>; Mon, 2 Mar 1998 10:10:33 +0100
Message-ID:
From: "Grutter H."
To: "'firewalls@greatcircle.com'" , "'Ted Doty'"
Subject: AW: Harsh Security audits?
Date: Mon, 2 Mar 1998 10:10:32 +0100
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

You can solve this problem by routing all the traffic from outside to a
host on a separate network. Then let that host send the traffic that is
not denied to the company's WAN.

Regards,
Hans Grutter

>----------
>From: Ted Doty[SMTP:ted@iss.net]
>Sent: Thursday 26 February 1998 15:09
>To: firewalls@greatcircle.com
>Subject: Re: Harsh Security audits?
>
>On Tue, 24 Feb 98 13:07:03 -0800, dennis_keller@smtp.ddc.dla.mil wrote:
> > We have the same problem. Last December we had a serious DoS
> > attack.
>
>A bit off the topic of the thread, but you probably can't get away from DoS
>problems if you live on the Internet. The implication is that nobody
>should get spanked because the organization suffered from an Internet-based
>DoS attack (at least if you have the latest patches on your DNS servers,
>etc).
>
>This is why folks are (should be) still keeping their private WANs for
>mission-critical applications.
>
>- Ted
>
>--------------------------------------------------------------
>Ted Doty, Internet Security Systems | Phone: +1 770 395 0150
>41 Perimeter Center East            | Fax:   +1 770 395 1972
>Atlanta, GA 30346 USA               | Web:   http://www.iss.net
>--------------------------------------------------------------
>PGP key fingerprint: 362A EAC7 9E08 1689 FD0F E625 D525 E1BE
>
>

From firewalls-owner Mon Mar 2 05:13:16 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA25223; Mon, 2 Mar 1998 02:21:19 -0800 (PST)
Received: from alushta.NL.net (alushta.NL.net [193.78.240.22]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id CAA25065 for ; Mon, 2 Mar 1998 02:20:39 -0800 (PST)
Received: from pggm by alushta.NL.net with UUCP id <16519-5918>; Mon, 2 Mar 1998 11:24:48 +0100
Received: from mailhost.pggm.nl by pggm.nl (SMI-8.6/SMI-4.1) id LAA02820; Mon, 2 Mar 1998 11:13:22 +0100
Received: from bj014.pggm.nl by mailhost.pggm.nl (SMI-8.6/SMI-SVR4) id LAA29701; Mon, 2 Mar 1998 11:13:19 +0100
Received: from mail01.pggm.nl by bj014.pggm.nl (SMI-8.6/SMI-SVR4) id LAA21176; Mon, 2 Mar 1998 11:15:51 +0100
Received: by mail01.pggm.nl with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52) id <01BD45CC.6BD68DF0@mail01.pggm.nl>; Mon, 2 Mar 1998 11:14:52 +0100
Message-ID:
From: "Grutter H."
To: "'Ken Williams'" , "'Ederlindo Cojuangco'"
Cc: "'wildfire@island.net'" , "'firewalls@GreatCircle.COM'"
Subject: AW: IDS: Re: RE: Simply a Question "?"
Date: Mon, 2 Mar 1998 11:14:48 +0100
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Alright fellows, I don't like that other OS (or should we call it NOS -
Not Operating System :-) either, but doesn't this go too far?

Hans Grutter

>----------
>From: Ederlindo Cojuangco[SMTP:derts@cebu.mozcom.com]
>Sent: Monday 2 March 1998 15:49
>To: Ken Williams
>CC: wildfire@island.net; firewalls@GreatCircle.COM
>Subject: Re: IDS: Re: RE: Simply a Question "?"
>
>> All join in the Firewalls Serenity Prayer....
>>
>> Please Bill G, grant me the serenity to accept my subscription to the
>> Firewalls mailing list.
>>
>> Give me the courage to install a firewall and accept the fact that
>> security is an ongoing process.
>>
>> And give me the wisdom to never get a job as SecAdmin with Microsoft.
>>
>> In Bill G's name I pray.
>>
>> Amen.
>>
>> Ken Williams
>================
> Isn't Bill G. an anti Christ? 666? Or have you heard of the
>"Tortured Souls" when you do something on Excel v.7?
> Just curious.....
>
>*poff*
>
>
>
>

From firewalls-owner Mon Mar 2 05:17:06 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id EAA24531; Mon, 2 Mar 1998 04:32:55 -0800 (PST)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id EAA24339 for ; Mon, 2 Mar 1998 04:31:50 -0800 (PST)
Received: from ove.arup.com (ove.arup.com [193.116.20.1]) by miles.greatcircle.com (8.8.5/8.8.5) with ESMTP id DAA29608 for ; Mon, 2 Mar 1998 03:43:38 -0800 (PST)
Received: by ove.arup.com; id LAA24208; Mon, 2 Mar 1998 11:42:05 GMT
Received: from a_csun01(69.69.11.1) by ove.arup.com via smap (3.2) id xma024090; Mon, 2 Mar 98 11:41:34 GMT
Received: from a_csun14 by arupuk (4.1/SMI-4.1) id AA14206; Mon, 2 Mar 98 11:44:07 GMT
Received: from arup.com by a_csun14 (SMI-8.6/SMI-4.1) id LAA19066; Mon, 2 Mar 1998 11:39:58 GMT
Received: from comms-Message_Server by arup.com with Novell_GroupWise; Mon, 02 Mar 1998 11:39:57 +0000
Message-Id:
X-Mailer: Novell GroupWise 4.1
Date: Mon, 02 Mar 1998 06:38:31 +0000
From: Scott Fagg
To: firewalls@GreatCircle.COM
Subject:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I did try. Did anyone get my message? Is someone laughing at me?
>>> "wardt" 2/March/1998 03:10pm >>>
usubscrible firewalls

From firewalls-owner Mon Mar 2 06:09:29 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA22874; Mon, 2 Mar 1998 02:08:33 -0800 (PST)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id BAA18407 for ; Mon, 2 Mar 1998 01:38:56 -0800 (PST)
Received: from alushta.NL.net (alushta.NL.net [193.78.240.22]) by miles.greatcircle.com (8.8.5/8.8.5) with ESMTP id BAA23848 for ; Mon, 2 Mar 1998 01:45:13 -0800 (PST)
Received: from pggm by alushta.NL.net with UUCP id <15256-10832>; Mon, 2 Mar 1998 10:44:15 +0100
Received: from mailhost.pggm.nl by pggm.nl (SMI-8.6/SMI-4.1) id KAA02404; Mon, 2 Mar 1998 10:31:14 +0100
Received: from bj014.pggm.nl by mailhost.pggm.nl (SMI-8.6/SMI-SVR4) id KAA26446; Mon, 2 Mar 1998 10:31:12 +0100
Received: from mail01.pggm.nl by bj014.pggm.nl (SMI-8.6/SMI-SVR4) id KAA18576; Mon, 2 Mar 1998 10:33:45 +0100
Received: by mail01.pggm.nl with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52) id <01BD45C6.8B803BC0@mail01.pggm.nl>; Mon, 2 Mar 1998 10:32:48 +0100
Message-ID:
From: "Grutter H."
To: "'Firewalls List'" , "'Christopher Hicks'"
Subject: AW: windows-based ftp via socks5
Date: Mon, 2 Mar 1998 10:32:47 +0100
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

Maybe this is the answer you're not waiting for, but anyway. Don't allow any service you don't really need. I mean, if the files that the users want to send are not too big and if they have the time, let them mail the files and not FTP them.
Just a suggestion,

Hans

>----------
>From: Christopher Hicks[SMTP:chicks@chicks.net]
>Sent: Thursday 26 February 1998 23:56
>To: Firewalls List
>Subject: windows-based ftp via socks5
>
>To provide access to an internal network I've set up socks5 on a
>dual-homed linux box. It has been working fine from the inside since most
>of the boxes are running linux also and socksified applications have been
>installed. BUT the users also want to be able to ftp files from home to
>their work machine. As far as I can tell from reading the socks5
>documentation, to get Windows apps to work I have to replace the winsock.
>That's something I'd rather avoid. Isn't there /some/ ftp application for
>Windows 95 that implements socks5 (or socks4)? I've tried ws_ftp and
>netscape 4.0, but I can't seem to configure either to work usefully.
>Netscape seems like it should work, but I haven't been able to make it
>work yet.
>
>
>
>"The number of Unix installations has grown to 10, with more expected."
> -- The Unix Programmer's Manual, 2nd edition, June '72
>
>
>
>

From firewalls-owner Mon Mar 2 07:25:58 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA25329; Mon, 2 Mar 1998 07:04:06 -0800 (PST)
Received: from ns1 ([195.61.230.3]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id HAA25313 for ; Mon, 2 Mar 1998 07:03:57 -0800 (PST)
Date: Thu, 30 Oct 1997 16:09:33 -0100
Organization: Cedel Group
X-Mailer: Mozilla 4.04 [en] (X11; I; SunOS 5.6 sun4u)
MIME-Version: 1.0
To: firewalls
Subject: Trying to eliminate identification in telnet and ftp
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
From: Bruno MAMER
Message-Id: <3458BF4D.DB89720@cedelgroup.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello all,

In my paranoid phase, I'm trying to get rid of the info given out by telnet and ftp daemons when you connect to them. That is, when I do:

# telnet machinea
Trying xxx.yyy.zzz.ttt...
Connected to machinea.
Escape character is '^]'.


SunOS 5.6

or when I do a

# ftp machinea
Connected to machinea.
220 machinea FTP server (SunOS 5.6) ready.
Name (machinea:john):

As you can see I'm running under Solaris 2.6, but also 2.5.1.

Any clues as to whether it is possible to stop telnet and ftp sending out this info? And how? These hosts are behind my firewall but I have to let them be accessible with telnet and ftp.

Cheers
Bruno

From firewalls-owner Mon Mar 2 08:11:35 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA20925; Mon, 2 Mar 1998 06:41:41 -0800 (PST)
Received: from ns1.ingrambook.com (ns1.ingrambook.com [208.129.249.2]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id GAA20750 for ; Mon, 2 Mar 1998 06:40:55 -0800 (PST)
Received: from [172.18.16.7] by ns1.ingrambook.com via smtpd (for honor.greatcircle.com [198.102.244.44]) with SMTP; 2 Mar 1998 14:48:04 UT
Received: from POP1.INGRAMBOOK.COM (ibc-mainframe.ingrambook.com [172.18.16.106]) by ibcntmail.ingrambook.com (2.0 Build 2144 (Berkeley 8.8.4)/8.8.4) with SMTP id IAA50200 for ; Mon, 02 Mar 1998 08:49:48 -0600
To: firewalls@GreatCircle.COM
From: MIKE CARLSON
Date: Mon, 2 Mar 98 08:47:00
Subject: PENTAGON ATTACKED BY HACK
Message-ID: <8166201/POP1.INGRAMBOOK.COM>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Date: Monday 2-Mar-98 at 8:44am
To: SMTP: firewalls@GreatCircle.COM
From: MIKE CARLSON IMD-TN-II-MCA
Subject: PENTAGON ATTACKED BY HACKERS !
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

For those who are interested...

Philippe

-A followup to that was out this morning - they nailed a 15-year-old kid. They said there may be a 2nd involved. Nobody else involved, at least that they're admitting. Didn't they say this was the "most organized and systemic attack" they'd seen? FYI - I saw something about it on cnnfn's site.
mac

=======================================================================
reply separator

>
>
> Pentagon says computers invaded by hackers
>
> February 25, 1998
> Web posted at: 10:26 a.m. EST (1526 GMT)
>
> WASHINGTON (CNN) -- Unidentified hackers penetrated unclassified U.S. military
> computers in a widespread cyber attack that hit all the military services, a
> top Pentagon official said Wednesday.
>
> "Fairly heavy cyber attacks" occurred during the past two weeks, said John
> Hamre, deputy secretary of defense and the U.S. military's number two civilian
> official.
>
> "It was the most organized and systematic" attack the Pentagon has seen to
> date, he said.
>
> Hamre told defense reporters that the event had "all the appearances of a
> game" and apparently was perpetrated by "a small number of individuals."
>
> The deputy defense secretary said he was constrained from divulging too many
> details about the attacks because the military was working in cooperation
> with the Justice Department in pursuing potential criminal activity.
>
> The attacks did not appear to be connected with the ongoing crisis involving
> Iraq, he said.
>
> According to Hamre, the attacks appear to be directed at unclassified
> information, such as personnel records or payroll matters. "Our classified
> networks were intact and not penetrated," he said.
>
> He described the attacks as "widespread and modestly sophisticated," adding
> that all the military services "had penetration to some degree."
>
> He said the department has been attempting in recent years to update its
> defenses against such attacks but that more must be done. "We have to do a
> good deal more in this area," he said.
>
> Hamre said that the attacks appeared to be occurring at a time when a "hacker
> contest" was going on. But he did not say where such an event originated or
> offer a further explanation.
>
> The Associated Press contributed to this report.
>
> ---
> Ph. Cayphas
> Sr Engineer - Proget Luxembourg
> +32 75 64 88 31

INGRAM INDUSTRIES
4400 Harding Rd.
Nashville, TN 37205
615-298-8200

From firewalls-owner Mon Mar 2 09:01:33 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id BAA13581; Mon, 2 Mar 1998 01:07:59 -0800 (PST)
Received: from alushta.NL.net (alushta.NL.net [193.78.240.22]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id BAA13541 for ; Mon, 2 Mar 1998 01:07:32 -0800 (PST)
Received: from pggm by alushta.NL.net with UUCP id <14961-10832>; Mon, 2 Mar 1998 10:14:19 +0100
Received: from mailhost.pggm.nl by pggm.nl (SMI-8.6/SMI-4.1) id KAA02189; Mon, 2 Mar 1998 10:04:46 +0100
Received: from bj014.pggm.nl by mailhost.pggm.nl (SMI-8.6/SMI-SVR4) id KAA23959; Mon, 2 Mar 1998 10:04:44 +0100
Received: from mail01.pggm.nl by bj014.pggm.nl (SMI-8.6/SMI-SVR4) id KAA16925; Mon, 2 Mar 1998 10:07:17 +0100
Received: by mail01.pggm.nl with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52) id <01BD45C2.D8DD0FA0@mail01.pggm.nl>; Mon, 2 Mar 1998 10:06:20 +0100
Message-ID:
From: "Grutter H."
To: "'Firewalls@GreatCircle.COM'" , "'klinec@mapcoinc.com'"
Subject: AW: Dial-up security breach?
Date: Mon, 2 Mar 1998 10:06:19 +0100
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In my opinion this is not very secure. It is something like guarding the front door with an army and leaving the back door wide open.

An attacker would probably use this because it is the easiest way. I'm not sure if Windows95 or NT can or will route packets between two segments. But a hacker can change the systems to do so.

I realize it is a problem to prevent users from getting their own dial-up account. Just offer them the same or better service from your WAN or make it cheaper for them.
Also inform them properly about the risks they create.

Also make it a company rule that it is forbidden. If they break the rule, just disconnect them from your WAN. You have to make sure management agrees with this.

Good luck,

Hans Grutter

>----------
>From: klinec@mapcoinc.com[SMTP:klinec@mapcoinc.com]
>Sent: Friday 27 February 1998 21:42
>To: Firewalls@GreatCircle.COM
>Subject: Dial-up security breach?
>
>This is a little off-topic, but I thought I would try it anyway.
>
>We provide Internet access to 300 users enterprise-wide through our
>frame-relay WAN connections and our firewall at our corporate headquarters.
>Some users have decided to go out and get accounts with local ISPs and have
>dial-up connections in Windows95 or Windows NT to these ISPs. How much of
>a security risk does everyone think this may be? Since these users are
>typically dynamically assigned an IP address when they log in to their ISP,
>they then have TWO IP addresses on their system. One for the network card
>and one for the dial-up PPP connection. Could an attacker use this
>situation to attack our network? How likely is this?
>
>We are trying to eradicate this from our network, but some of these users
>are pretty stubborn.
>
>Thanks,
>Curtis Kline
>Network System Engineer
>MAPCO Coal, Inc.
>Tulsa, OK
>
>
>
>

From firewalls-owner Mon Mar 2 13:42:00 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA15835; Mon, 2 Mar 1998 09:06:14 -0800 (PST)
Received: from flash.microdsi.net (flash.microdsi.net [151.198.86.4]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id JAB15271 for ; Mon, 2 Mar 1998 09:01:58 -0800 (PST)
Received: from victorjr ([199.173.3.52]) by flash.microdsi.net (Post.Office MTA v3.1 release PO203a ID# 0-36412U2500L250S0) with SMTP id AAA170 for ; Mon, 2 Mar 1998 12:09:59 -0500
Received: by localhost with Microsoft MAPI; Mon, 2 Mar 1998 12:04:24 -0500
Message-ID: <01DAC04A2CBECF119E9800A024821A5FAF8E@BRYCE>
From: barris@microdsi.net (barris)
Reply-To: "barris@interglobal.com"
To: "'firewalls@GreatCircle.COM'"
Date: Mon, 2 Mar 1998 12:10:12 -0500
Organization: InterGlobal Multimedia Inc.
X-Mailer: Microsoft Internet E-mail/MAPI - 8.0.0.4211
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

usubscrible firewalls

From firewalls-owner Mon Mar 2 13:52:38 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA13677; Mon, 2 Mar 1998 08:48:18 -0800 (PST)
Received: from tyche.credo.net (tyche.credo.net [199.107.168.8]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id IAA13632 for ; Mon, 2 Mar 1998 08:47:57 -0800 (PST)
Received: from alectrona.credo.net (alectrona.credo.net [199.107.168.9]) by tyche.credo.net (8.8.8/8.8.8) with SMTP id IAA10501; Mon, 2 Mar 1998 08:52:37 -0800 (PST)
Message-ID: <34FAE321.F6AD0733@zoneoftrust.com>
Received: from steve.credo.net by alectrona.credo.net via smtpd (for mail.credo.net [199.107.168.8]) with SMTP; 2 Mar 1998 16:51:46 UT
Date: Mon, 02 Mar 1998 08:49:37 -0800
From: Steve McBride
Organization: ZONEOFTRUST
X-Mailer: Mozilla 4.04 [en] (X11; I; FreeBSD 2.2.5-RELEASE i386)
MIME-Version: 1.0
To: bret@rehost.com
CC: STEVE.CONNOLLY@arpstl-emh2.army.mil, firewalls@GreatCircle.COM
Subject: Re: Netbios traffic late at night.
References: <199803012256.RAA24179@rehost.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

My guess is that it is not occurring *only* at night, but that the only time you'll notice all of these requests is at night, because there are not many other entries in the logfile. We get messages similar to this every time one of our clients accesses a Windows NT web server.

Steve McBride

Bret McDanel wrote:

> port 137/udp is wins.. Windows flavor of dns basically.. It is prolly
> trying to look up the names of the machines that accessed it.. Why it
> would be doing this late at night I don't know (a stats job runs trying to
> see who accessed the machine during the day??)

From firewalls-owner Mon Mar 2 14:40:08 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA01868; Mon, 2 Mar 1998 10:29:43 -0800 (PST)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id HAA27925 for ; Mon, 2 Mar 1998 07:31:49 -0800 (PST)
Received: from tcs-sec.com (tcsfw-1.tcs-sec.com [208.219.129.41]) by miles.greatcircle.com (8.8.5/8.8.5) with ESMTP id GAA03281 for ; Mon, 2 Mar 1998 06:52:13 -0800 (PST)
Received: (from uucp@localhost) by tcs-sec.com (8.8.7/8.6.9) id KAA15608; Mon, 2 Mar 1998 10:56:15 -0500
Received: from lambic.tcs-sec.com(192.168.1.3) by tcssmap via smap (V1.3) id sma015606; Mon Mar 2 10:55:58 1998
Message-Id: <3.0.5.32.19980302095336.007c2cd0@lambic>
X-Sender: gperry@lambic
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32)
Date: Mon, 02 Mar 1998 09:53:36 -0500
To: klinec@mapcoinc.com, Firewalls@greatcircle.com
From: Gregory Perry
Subject: Re: Dial-up security breach?
In-Reply-To: <062565B8.007106EC.00@mercury.mapcoinc.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Horrible idea, most Windows95 users have at least one or two shared directories on their PCs, 99% of the time without any password level protection - it is trivial to access the contents of these directories via Netbios as your ISP is probably not filtering any traffic.

--greg

At 02:42 PM 2/27/98 -0600, klinec@mapcoinc.com wrote:
>This is a little off-topic, but I thought I would try it anyway.
>
>We provide Internet access to 300 users enterprise-wide through our
>frame-relay WAN connections and our firewall at our corporate headquarters.
>Some users have decided to go out and get accounts with local ISPs and have
>dial-up connections in Windows95 or Windows NT to these ISPs. How much of
>a security risk does everyone think this may be? Since these users are
>typically dynamically assigned an IP address when they log in to their ISP,
>they then have TWO IP addresses on their system. One for the network card
>and one for the dial-up PPP connection. Could an attacker use this
>situation to attack our network? How likely is this?
>
>We are trying to eradicate this from our network, but some of these users
>are pretty stubborn.
>
>Thanks,
>Curtis Kline
>Network System Engineer
>MAPCO Coal, Inc.
>Tulsa, OK
>
>
>
>

__________________________________________________________________
Gregory Perry                        phone: 703.318.7134
Trusted Computer Solutions, Inc.     fax:   703.318.5041
13873 Park Center Road Suite 225     email: gperry@tcs-sec.com
Herndon, VA 20171                    http://www.tcs-sec.com
__________________________________________________________________

From firewalls-owner Mon Mar 2 16:01:21 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA01533; Mon, 2 Mar 1998 10:25:09 -0800 (PST)
Received: from siu.buap.mx (siu.buap.mx [148.228.1.1]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id HAA01083 for ; Mon, 2 Mar 1998 07:47:14 -0800 (PST)
Received: from localhost (ydomingo@localhost) by siu.buap.mx (8.8.5/8.8.5) with SMTP id DAA16487; Mon, 2 Mar 1998 03:57:34 -0600
Date: Mon, 2 Mar 1998 03:57:34 -0600 (CST)
From: DOMINGO VARELA YAHUITL
To: Edierley Batista Messias
cc: Firewalls@GreatCircle.COM
In-Reply-To: <9802261548.AA04534@japura.dcc.fua.br>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

usubscrible firewalls

From firewalls-owner Mon Mar 2 17:44:04 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA09112; Mon, 2 Mar 1998 08:21:11 -0800 (PST)
Received: from granite.sentex.net (granite.sentex.ca [199.212.134.1]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id IAA09096 for ; Mon, 2 Mar 1998 08:21:02 -0800 (PST)
Received: from eagle.woodbridge.com ([206.222.77.97] (may be forged)) by granite.sentex.net (8.8.6/8.6.9) with SMTP id LAA16694 for ; Mon, 2 Mar 1998 11:27:53 -0500 (EST)
Received: from woodux.woodbridge.com by eagle.woodbridge.com via smtpd (for granite.sentex.ca [199.212.134.1]) with SMTP; 2 Mar 1998 16:22:14 UT
Received: from simonyi ([192.81.85.21]) by woodux.woodbridge.com with SMTP (1.39.111.2/16.2) id AA182496096; Mon, 2 Mar 1998 11:28:16 -0500
Received: by localhost with Microsoft MAPI; Mon, 2 Mar 1998 11:27:38 -0500
Message-Id: <01BD45CE.34DBEE10.msimonyi@woodbridge.com>
From: Michael Simonyi
To: "firewalls@GreatCircle.COM"
Subject: Solaris Books
Date: Mon, 2 Mar 1998 11:27:37 -0500
X-Mailer: Microsoft Internet E-mail/MAPI - 8.0.0.4211
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

To whom it may concern.

I'm looking for a good book on Solaris. Basically looking for topics that revolve around installation and configuration for the Intel platform.

Mike

From firewalls-owner Mon Mar 2 19:08:56 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA14250; Mon, 2 Mar 1998 11:17:27 -0800 (PST)
Received: from ds11.acs.ucalgary.ca (ds11.acs.ucalgary.ca [136.159.244.11]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id JAA19693 for ; Mon, 2 Mar 1998 09:24:41 -0800 (PST)
Received: from localhost by acs1.acs.ucalgary.ca (AIX 4.1/UCB 5.64/4.03) id AA58624; Mon, 2 Mar 1998 10:20:01 -0700
Date: Mon, 2 Mar 1998 10:19:55 -0700 (MST)
From: Peter Cheng-Yue Zhang
To: Bruno MAMER
Cc: firewalls
Subject: Re: Trying to eliminate identification in telnet and ftp
In-Reply-To: <3458BF4D.DB89720@cedelgroup.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

It sounds very insecure to allow telnet and ftp sessions to your internal machines. Maybe IPSec tunneling is a better option.

Peter
University Computing Services
Tel. (403)-220-4061

On Thu, 30 Oct 1997, Bruno MAMER wrote:

>
> Hello all,
>
> In my paranoid phase, I'm trying to get rid of the info given out by
> telnet and ftp daemons when you connect to them. That is, when I do:
>
> # telnet machinea
> Trying xxx.yyy.zzz.ttt...
> Connected to machinea.
> Escape character is '^]'.
>
>
> SunOS 5.6
>
> or when I do a
> # ftp machinea
> Connected to machinea.
> 220 machinea FTP server (SunOS 5.6) ready.
> Name (machinea:john):
>
> As you can see I'm running under Solaris 2.6, but also 2.5.1.
>
> Any clues as to if it is possible to stop telnet and ftp sending out
> this info ? and how ?
> These hosts are behind my firewall but I have to
> let them be accessible with telnet and ftp
>
> Cheers
> Bruno
>
>

From firewalls-owner Mon Mar 2 20:23:38 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA12078; Mon, 2 Mar 1998 11:09:42 -0800 (PST)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id JAA21164 for ; Mon, 2 Mar 1998 09:31:50 -0800 (PST)
Received: from data.fls.dk (ns.data.fls.dk [192.92.224.121]) by miles.greatcircle.com (8.8.5/8.8.5) with ESMTP id JAA04672 for ; Mon, 2 Mar 1998 09:10:44 -0800 (PST)
Received: by pc2449.data.fls.dk id <17922>; Mon, 2 Mar 1998 18:15:19 +0100
Message-Id: <98Mar2.181519gmt+0100.17922@pc2449.data.fls.dk>
From: jban@data.fls.dk (Jan Bruun Andersen/JBAN)
Subject: Re: Trying to eliminate identification in telnet and ftp
To: nobody@data.fls.dk ()
Date: Mon, 2 Mar 1998 18:11:04 +0100
Cc: firewalls@GreatCircle.COM
In-Reply-To: <3458BF4D.DB89720@cedelgroup.com> from "Bruno MAMER" at Oct 30, 97 06:09:33 pm
X-My-First-Computer: Acorn ATOM, 2K RAM, 4K ROM, 6502 CPU
X-My-Latest-Computer: Mac IIsi, 5M RAM, 2M ROM, 68030 CPU
X-Geek-Code: GCS d++ -p+ c+(++) u e- m(++) s++ !n h--- g- w- t- y*
X-Phone: 36 18 12 00, x1695
X-Fax: 36 18 12 18
X-400: /S=jban/OU=data/O=fls/PRMD=minerva/ADMD=dk400/C=dk/
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In his letter Bruno MAMER writes:

> Any clues as to if it is possible to stop telnet and ftp sending out
> this info ? and how ? These hosts are behind my firewall but I have to

WARNING: The following should only be done by a trained professional - not sure if that includes someone with a CISSP :)

Power up that trusty old Emacs editor and edit the printf() string that formats the info-string.

--
Jan Bruun Andersen, JBAn/1695, EDS DK
"In Windows you are limited by the programs you have available.
 In Unix you are limited by your knowledge." - Unknown

From firewalls-owner Mon Mar 2 20:31:05 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA08404; Mon, 2 Mar 1998 08:16:50 -0800 (PST)
Received: from drawbridge.ctc.com (drawbridge.ctc.com [147.160.99.35]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id IAA08380 for ; Mon, 2 Mar 1998 08:16:37 -0800 (PST)
Received: by drawbridge.ctc.com; id LAA12768; Mon, 2 Mar 1998 11:23:40 -0500 (EST)
Received: from sgi10.ctc.com(147.160.31.8) by drawbridge.ctc.com via smap (V2.0) id xma012752; Mon, 2 Mar 98 11:22:47 -0500
Received: from sgi151.ctc.com by sgi10.ctc.com via ESMTP (940816.SGI.8.6.9/940406.SGI.AUTO) id LAA07849; Mon, 2 Mar 1998 11:22:46 -0500
Received: by sgi151.ctc.com id LAA10052; Mon, 2 Mar 1998 11:22:45 -0500
From: "Dominick Glavach"
Message-Id: <980302112245.ZM10050@sgi151.ctc.com>
Date: Mon, 2 Mar 1998 11:22:44 -0500
In-Reply-To: Bruno MAMER "Trying to eliminate identification in telnet and ftp" (Oct 30, 4:09pm)
References: <3458BF4D.DB89720@cedelgroup.com>
Reply-To: glavach@ctc.com
X-Mailer: Z-Mail (5.0.0 30July97)
To: Bruno MAMER
Subject: Re: Trying to eliminate identification in telnet and ftp
Cc: firewalls@GreatCircle.COM
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In SunOS 5.6 you can create /etc/default/{telnetd,ftpd} files that contain the BANNER line.
BANNER="\\n\\n"

would give you two blank lines for your telnet banner. Take a look at the telnetd man page for the full description.

--
-------------------------------------------------------------------
Dominick Glavach, System Administrator         glavach@ctc.com
Concurrent Technologies Corporation            814/269-2469
-NCSA-
PGP fingerprint: F1 EB F3 DE 69 93 80 BF 00 14 77 E9 8B 61 A8 73
PGP Public Key : ftp.ctc.com/pub/PGP-keys/glavach.asc
-------------------------------------------------------------------

From firewalls-owner Mon Mar 2 23:44:02 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id WAA01358; Mon, 2 Mar 1998 22:23:33 -0800 (PST)
Received: from dfw-ix1.ix.netcom.com (dfw-ix1.ix.netcom.com [206.214.98.1]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id WAA01214 for ; Mon, 2 Mar 1998 22:23:05 -0800 (PST)
Received: (from smap@localhost) by dfw-ix1.ix.netcom.com (8.8.4/8.8.4) id AAA01889; Tue, 3 Mar 1998 00:29:48 -0600 (CST)
Received: from sjc-ca2-11.ix.netcom.com(207.94.249.75) by dfw-ix1.ix.netcom.com via smap (V1.3) id rma001853; Tue Mar 3 00:29:24 1998
X-Sender: frantz@netcom6.netcom.com
Message-Id:
In-Reply-To:
References: <3.0.5.32.19980228002208.008eb7d0@popd.ix.netcom.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 2 Mar 1998 21:23:19 -0800
To: Vin McLellan , firewalls@greatcircle.com
From: Bill Frantz
Subject: Re: Infosec Accountability - 2 cents more
Cc: cypherpunks@algebra.com,
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 10:04 AM -0800 3/2/98, Vin McLellan wrote:
>Put more bluntly: If a General had his star
>tarnished every time an easily-blocked cyber attack succeeded within his
>Command, military payroll and logistics data would surely be much more
>securely held than is the norm today.

Note that this data should be classified top secret if a surprise attack is planned.
> With so many systems and networks now connected to the Internet and
>accessible to remote attacks, the lack of any such clearly-defined minimal
>standard of appropriate and professional IT stewardship becomes steadily
>more egregious.

I am fully with Vin on this issue.

-------------------------------------------------------------------------
Bill Frantz       | Market research shows the | Periwinkle -- Consulting
(408)356-8506     | average customer has one  | 16345 Englewood Ave.
frantz@netcom.com | teat and one testicle.    | Los Gatos, CA 95032, USA

From firewalls-owner Tue Mar 3 00:24:00 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA02636; Mon, 2 Mar 1998 10:35:21 -0800 (PST)
Received: from nova.unix.portal.com ([156.151.1.101]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id KAA02529 for ; Mon, 2 Mar 1998 10:34:59 -0800 (PST)
Received: from venus.corp.portal.com (venus.corp.portal.com [156.151.1.110]) by nova.unix.portal.com (8.8.5/8.8.5) with ESMTP id KAA06279 for ; Mon, 2 Mar 1998 10:42:25 -0800 (PST)
Received: by venus.corp.portal.com with Internet Mail Service (5.5.1960.3) id ; Mon, 2 Mar 1998 10:42:09 -0800
Message-ID: <188D20A88142D11190E900A0C906BBD37A2AE9@venus.corp.portal.com>
From: Dana Bourgeois
To: "'Firewalls@GreatCircle.COM'"
Subject: RE: Dial-up security breach?
Date: Mon, 2 Mar 1998 10:42:08 -0800
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.1960.3)
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Windows NT has an entry in the Registry that controls whether packets are forwarded between interfaces (in like manner to Unix). I would guess that the hardest part would be getting permission to change the Registry.

-fg

> -----Original Message-----
> From: Grutter H. [SMTP:GRJN@pggm.nl]
> Sent: Monday, March 02, 1998 1:06
> To: 'Firewalls@GreatCircle.COM'; 'klinec@mapcoinc.com'
> Subject: AW: Dial-up security breach?
>
>
> In my opinion this is not very secure. It is something like guarding the
> front door with an army and leaving the back door wide open.
>
> An attacker would probably use this because it is the easiest way. I'm
> not sure if Windows95 or NT can or will route packets between two
> segments. But a hacker can change the systems to do so.
>
> I realize it is a problem to prevent users from getting their own dial-up
> account. Just offer them the same or better service from your WAN or
> make it cheaper for them. Also inform them properly about the risks they
> create.
>
> Also make it a company rule that it is forbidden. If they break the rule
> just disconnect them from your WAN.
> You have to make sure management agrees with this.
>
> Good luck,
>
> Hans Grutter
>
>
>
>
>
> >----------
> >From: klinec@mapcoinc.com[SMTP:klinec@mapcoinc.com]
> >Sent: Friday 27 February 1998 21:42
> >To: Firewalls@GreatCircle.COM
> >Subject: Dial-up security breach?
> >
> >This is a little off-topic, but I thought I would try it anyway.
> >
> >We provide Internet access to 300 users enterprise-wide through our
> >frame-relay WAN connections and our firewall at our corporate headquarters.
> >Some users have decided to go out and get accounts with local ISPs and have
> >dial-up connections in Windows95 or Windows NT to these ISPs. How much of
> >a security risk does everyone think this may be? Since these users are
> >typically dynamically assigned an IP address when they log in to their ISP,
> >they then have TWO IP addresses on their system. One for the network card
> >and one for the dial-up PPP connection. Could an attacker use this
> >situation to attack our network? How likely is this?
> >
> >We are trying to eradicate this from our network, but some of these users
> >are pretty stubborn.
> >
> >Thanks,
> >Curtis Kline
> >Network System Engineer
> >MAPCO Coal, Inc.
> >Tulsa, OK
> >
> >
> >
> >

From firewalls-owner Tue Mar 3 01:01:24 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA24513; Mon, 2 Mar 1998 11:52:23 -0800 (PST)
Received: from ideath.parrhesia.com ([208.139.36.40]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id LAA24216 for ; Mon, 2 Mar 1998 11:51:19 -0800 (PST)
Received: from test101.c2.net (emma.c2.net [208.139.48.55]) by ideath.parrhesia.com (8.8.5/8.7.3) with SMTP id MAA06528; Mon, 2 Mar 1998 12:08:11 -0800 (PST)
Message-Id:
X-Sender: gbroiles@208.139.48.24 (Unverified)
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0
Date: Mon, 02 Mar 1998 11:59:49 -0800
To: Vin McLellan , firewalls@greatcircle.com
From: Greg Broiles
Subject: Re: Infosec Accountability - 2 cents more
Cc: cypherpunks@algebra.com
In-Reply-To:
References: <3.0.5.32.19980228002208.008eb7d0@popd.ix.netcom.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 01:04 PM 3/2/98 -0500, Vin McLellan wrote:
> I am, however, offended that such luminaries as Spaf, PGN, and
>Simson G. so easily let off those who _now_ have legal and practical
>responsibility for the protection of these resources.
[...]
> By the same token, of course, corporate executives with fiduciary
>responsibility for managing corporate resources should be hung out to dry
>when they allow infosec protection for corporate assets to fall below some
>minimal standard -- except, perhaps, when such risks are explicitly
>accepted, with a cost/benefit justification.

It's worse than that - the FBI and federal prosecutors take special pains to ensure that customers and shareholders - the ultimate victims of attacks on corporate machines - don't become aware of successful penetrations. It's difficult for shareholders to hold corporate boards accountable - or for boards to hold management accountable - if the attacks are kept secret.
And customers can't switch to more secure providers if they don't know whose systems are being broken, and when. See, for example, the government's motion to seal the record of the court's acceptance of a guilty plea in the case of Carlos Salgado, a/k/a Smak, the man captured last year in the San Francisco airport with an encrypted CD with over 100,000 credit card numbers copied from the customer records of one or more ISP's - . Who's going to tell those people that their credit card numbers have been compromised? The ISP's? Nope. The FBI or the US Attorney? Nope. The defendant? Nope. Who knowns how many times Carlos Salgado sold those numbers before he made the mistake of offering to sell them to an informant? Who knows how many times those ISP's have had data stolen subsequently? We don't know, and we can't read the newspaper to find out, because the court's records have been sealed at the request of the government and the ISP's. We don't need a new institution to fight "cyber-crime", we need to stop withholding information from markets so that customers and shareholders can avoid institutions with poor security. -- Greg Broiles | US crypto export control policy in a nutshell: gbroiles@netbox.com | Export jobs, not crypto. 
http://www.io.com/~gbroiles | http://www.parrhesia.com

From firewalls-owner Tue Mar 3 01:57:44 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA29219; Mon, 2 Mar 1998 10:17:14 -0800 (PST)
Received: from mail.diginsite.com (mail.diginsite.com [208.2.189.2]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id KAA29098 for ; Mon, 2 Mar 1998 10:16:50 -0800 (PST)
Received: from march.diginsite.com (dlang@march.diginsite.com [208.2.189.102]) by mail.diginsite.com (8.8.8/8.8.6) with SMTP id KAA30765; Mon, 2 Mar 1998 10:22:59 -0800
Date: Mon, 2 Mar 1998 10:19:52 -0800 (PST)
From: David Lang
To: Martin Hepworth
cc: "'Ken Simmons'" , "'Henry Hertz Hobbit'" , klinec@mapcoinc.com, Firewalls@GreatCircle.COM
Subject: RE: Dial-up security breach?
In-Reply-To: <3BFE2589D330D111AE87006008062DE4215C31@pc37.blackwell.co.uk>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----

They are probably using the modems for one of two reasons.

1. Speed: with 300 users, what type of performance do you get from your frame relay?

2. Access to otherwise blocked stuff. Not knowing your security, I can't guess if this applies or not.

If they are using the modems for reason two, you need to either accept that they need the services and allow them through or convince them the services are not needed.

If they are using modems for speed reasons you can easily convince them to stop using them by upping the speed of your company connection.

David Lang

On Mon, 2 Mar 1998, Martin Hepworth wrote:

> Date: Mon, 2 Mar 1998 08:38:49 -0000
> From: Martin Hepworth
> To: 'Ken Simmons' ,
> 'Henry Hertz Hobbit' , klinec@mapcoinc.com
> Cc: Firewalls@GreatCircle.COM
> Subject: RE: Dial-up security breach?
>
>
> Not to mention the 'bad guys' have an untraceable path into your
> organisation.
> This attack is the one Citibank endured a few years ago
> and since went for two-factor authentication.
>
> Think of the situation in terms of physical security. You lock the front
> door, put a guard on it and check everyone as they come in. BUT the
> employees find it easier to get to/from the car park via the emergency
> exit and so leave that door wide open!!!!
>
> Martin Hepworth
> Blackwell's Information Services
> Tel: +44 1865 792 792 X3233
>
> 1st Rule of Computer Security
> WYDSIWGY: What You Don't See is What Gets You
>
> > -----Original Message-----
> > From: Ken Simmons [SMTP:simmonsk@groupz.net]
> > Sent: Monday, March 02, 1998 2:49 AM
> > To: 'Henry Hertz Hobbit'; klinec@mapcoinc.com
> > Cc: Firewalls@GreatCircle.COM
> > Subject: RE: Dial-up security breach?
> >
> > Oh Joy!
> > Now your employees have an untraceable path for sending company
> > files and other proprietary information.
> >
> > On Saturday, February 28, 1998 7:39 PM, Henry Hertz Hobbit
> > [SMTP:hhhobbit@icarus.weber.edu] wrote:
> > > On Fri, 27 Feb 1998 klinec@mapcoinc.com wrote:
> > >
> > > > This is a little off-topic, but I thought I would try it anyway.
> > > >
> > > > We provide Internet access to 300 users enterprise-wide through
> > > > our frame-relay WAN connections and our firewall at our corporate
> > > > headquarters. Some users have decided to go out and get accounts
> > > > with local ISPs and have dial-up connections in Windows95 or
> > > > Windows NT to these ISPs.
>
-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQEVAwUBNPr4Sz7msCGEppcbAQFMAgf+Kv70t+WXRS9yRN3hhg7nxmxf+G0eG4AN
iFqqQHkQfbLViujfq+V46pGjyCuG977jLIUNMio1jAVbBDVQbmtz4awTWSx5afFT
gxzP/0VDf/qPkm/FbeZYUP4sGXb31ffIROgkFguLZg4TYcPcL068dWo8uiEHTsnn
Djoa36JmqvzFzfR4ZNNvTf8ZSZRdjl1/p51/MpY5tkzC0x/32lWSVjN39fI0F6YL
TTMW6uxhwYJNkLQCoAEPWa9yL2DU8D3RPlaTCgtYhRts53TI2q7J4sY0ced9P/6j
RSdu+cUNN5Zfr8ofbnz5DXKWid8MDldNTkDBz6FhDQpysgjjPr+uQw==
=vC+G
-----END PGP SIGNATURE-----

From firewalls-owner Tue Mar 3 02:23:16 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA01274; Mon, 2 Mar 1998 10:24:11 -0800 (PST)
Received: from siren.shore.net (siren.shore.net [207.244.124.5]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id KAA01211 for ; Mon, 2 Mar 1998 10:23:52 -0800 (PST)
Received: from vin.shore.net ([198.115.179.81]) [198.115.179.81] by siren.shore.net with esmtp (Exim) id 0y9ZzP-0002Zv-00; Mon, 2 Mar 1998 13:31:00 -0500
X-Sender: vin@shell1.shore.net
Message-Id:
In-Reply-To: <3.0.5.32.19980228002208.008eb7d0@popd.ix.netcom.com>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 2 Mar 1998 13:04:44 -0500
To: firewalls@greatcircle.com
From: Vin McLellan
Subject: Infosec Accountability - 2 cents more
Cc: cypherpunks@algebra.com,
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

James Glave's article in Wired News http://www.wired.com/news/news/technology/story/10605.html has Gene Spafford, Peter Neumann, and Simson Garfinkel all blaming recent DoD cyber-attacks on a lack of security, integrity, and QA in products delivered by commercial software firms.

>"What we need is direct financial accountability for the companies that are
>selling these systems," Garfinkel said.

I have no argument with much of this -- certainly not with the skeptical and scornful tone with which these and other infosec professionals have greeted the prospect of General Reno's FBI-based $64M command center to fight (and prosecute) "cyber attacks" from destructive juveniles, hoodlums, and cyber-terrorists like Datastream (the UK teen who romped through Rome AFB systems a couple years back) and the kids who allegedly systematically popped and explored non-classified DoD systems recently.

I am, however, offended that such luminaries as Spaf, PGN, and Simson G. so easily let off those who _now_ have legal and practical responsibility for the protection of these resources. (Mind you, Mr. Glave, in shaping his article, doubtless focused and selected the comments he quoted -- and I feel presumptuous criticizing the three most effective educators in infosec. Still....)

If military commanders received career-defining fitness reports which appropriately and knowledgeably evaluated the quality of the infosec management and resource protection on their base or ship, they damn well would do better than leave diaper-innocent 6-months-in-the-service sysops with responsibility (and no budget) for safeguarding their Command's digital crown jewels.

(I haven't seen details on the recent headlined attacks, but I'd lay 100 to 1 odds that these teen terrorists used well-known, and easily blocked, avenues of attack; and/or exploited poorly-managed password systems... on Internet-connected hosts which had no protective filter or firewall, or perhaps a grossly misconfigured firewall, to safeguard them.)

If the military hierarchy used the same standard of accountability to evaluate the quality of infosec management that they routinely use to evaluate the quality of physical security around the base armory, the likelihood that a DoD Command would use a layered and properly-managed defense scheme would be much higher.

Put more bluntly: If a General had his star tarnished every time an easily-blocked cyber attack succeeded within his Command, military payroll and logistics data would surely be much more securely held than is the norm today.

By the same token, of course, corporate executives with fiduciary responsibility for managing corporate resources should be hung out to dry when they allow infosec protection for corporate assets to fall below some minimal standard -- except, perhaps, when such risks are explicitly accepted, with a cost/benefit justification.

For much of the past three decades, I thought the lack of accountability for infosec was temporary, a reflection of the utter ignorance of many corporate and military managers about IT. If that was once true, however, it no longer is -- and the fact that a CEO knows nothing about SEC filings or Accounting Principles is not an acceptable excuse for an organization failing to file appropriate and timely reports. What we see today is a systematic evasion of responsibility for appropriate infosec, and there is simply no excuse for it.

The painful truth is, of course, that the people most responsible for the lousy state of infosec policy management (what policies, you hear them ask!?) and procedures, and implementation are the audit and infosec professionals themselves, who have never managed to explicitly define -- and help the courts enforce -- a minimal standard of professional system management.

Fining or firing a responsible executive (or military commander) who permits a system hosting valuable information to remain vulnerable to attacks described by CERT 48 hours after a world-wide CERT broadcast would be a good example of a minimal standard.

With something like that -- and say, a requirement that security hot fixes and vendor patches be applied within 48 hours of them being made available, at least to vulnerable hosts known to hold valuable information or provide crucial services -- half the "threat" would instantly vanish.

Such a change in the rules might also ignite a few fires under the squabbling standards groups -- and the spooks more than willing to sacrifice a few corporate databases to keep infosec standards low for their own intrusive needs -- and might permit the distribution of effective cryptography for network-level encryption... which would go far in addressing another dangerous class of TCP vulnerabilities.

With so many systems and networks now connected to the Internet and accessible to remote attacks, the lack of any such clearly-defined minimal standard of appropriate and professional IT stewardship becomes steadily more egregious. Indeed, the existence of such a standard is really a prereq for any claim that a "profession" exists, is it not?

Suerte,
_Vin

----------

>James Glave's Wired News article at
> http://www.wired.com/news/news/technology/story/10605.html
>is nice, especially the quote from Peter Neumann about how this
>may be a con game by Janet Reno to get more budget. After all,
>the Feds have been doing computer security for a while, though
>not with the expertise of the NSA. So if they're so hot,
>why do they keep getting cracked so badly, and on such critical stuff
>as payroll data, which in the government is almost certain to include SSNs?
>There's already a National Computer Security Center - she could
>ask them for help, rather than starting a competing one.

>>LIVERMORE, Calif. (AP) - To combat the threat of cyber attack, Attorney
>>General Janet Reno said Friday a new high-tech crime center will be
>>created under the jurisdiction of the FBI.
>...
>> Reno played down the Big Brother aspects of an Internet police
>>force.
>> "We must not and we will not sacrifice any constitutional
>>protections," the attorney general said.
>
> Thanks!
> Bill
>Bill Stewart, bill.stewart@pobox.com
>PGP Fingerprint D454 E202 CBC8 40BF 3C85 B884 0ABE 4639

-----
Vin McLellan + The Privacy Guild + 53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548 -- <@><@> --

From firewalls-owner Tue Mar 3 03:23:53 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id UAA08769; Mon, 2 Mar 1998 20:40:30 -0800 (PST)
Received: from m3.sprynet.com (m3.sprynet.com [165.121.2.55]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id UAA08561 for ; Mon, 2 Mar 1998 20:39:31 -0800 (PST)
Received: from [199.174.142.221] (ad39-221.arl.compuserve.com [199.174.142.221]) by m3.sprynet.com (8.8.5/8.8.5) with SMTP id UAA08495; Mon, 2 Mar 1998 20:52:40 -0800 (PST)
Message-Id: <199803030452.UAA08495@m3.sprynet.com>
To: Gene Spafford
Subject: Re: Infosec Accountability - 2 cents more
Date: Mon, 02 Mar 98 23:45:53 -0500
From: William Hugh Murray
X-Mailer: E-Mail Connection v3.1
CC: "bill.stewart@pobox.com" , "cypherpunks@Algebra.COM" , "firewalls@greatcircle.com" , Vin McClellan
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

-- [ From: William Hugh Murray * EMC.Ver #3.1 ] --

Gene writes:

>>>I remain convinced this is the first place we need to get some fixes. Otherwise, the unworthy and the responsible alike are going to be held accountable for what amounts to stopping an avalanche with a trowel.<<<

To propose this is to suggest that the problem is simply intractable. I propose to you that we will never fix the network by fixing operating systems. The world deployed more new buggy copies of your favorite operating system today than it patched or replaced. If the only way to secure the network is to fix the operating systems of the nodes, then we will never get there.

You may say that the vendors can fix the problem by delivering higher quality operating systems.
How long will it take before the number of good ones exceeds the number of bad ones; even assuming that buyers can tell one from another and prefer secure ones to the fastest, most functional, and general ones, a highly unlikely assumption?

The bad quality of the operating system is only a contributing factor to the problem. The biggest problem is that the hackers are able to log on. This problem persists because managers who have spent thousands of dollars per seat to provide computing will not spend tens of dollars per seat for strong user authentication.

After that we have buffer overflow problems. If one is to trust the reports, the number of these is at best constant to growing. This problem appears to be solidly rooted. Rooted, that is, in a developer and buyer preference for performance over anything but function.

The next problem is that the operating system is visible to the public network. If you admit that they are not capable of protecting themselves from their traffic, then why are we connecting them to the public network? Nice people simply do not do that. There is almost never a justification for doing it but the rationale is that they must be connected so we can fix them. I'm sorry?

Finally, there is gratuitous system functionality. If there were no command processor then the problems of buffer overflows would be mitigated. If I must choose between patching function and taking it out, I prefer the latter. We are still using operating systems that were built for sharing expensive hardware. As if that were not bad enough, we are using them as if hardware were still expensive.

The net is that requiring strong authentication, hiding the operating systems from the network, and removing gratuitous functionality are more important and more effective than trying to replace or patch operating systems.

Bill

From firewalls-owner Tue Mar 3 04:35:57 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id DAA11927; Tue, 3 Mar 1998 03:41:09 -0800 (PST)
Received: from alushta.NL.net (alushta.NL.net [193.78.240.22]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id CAA00269 for ; Tue, 3 Mar 1998 02:44:30 -0800 (PST)
Received: from pggm by alushta.NL.net with UUCP id <29358-5918>; Tue, 3 Mar 1998 10:54:18 +0100
Received: from mailhost.pggm.nl by pggm.nl (SMI-8.6/SMI-4.1) id KAA02679; Tue, 3 Mar 1998 10:42:19 +0100
Received: from bj014.pggm.nl by mailhost.pggm.nl (SMI-8.6/SMI-SVR4) id KAA18283; Tue, 3 Mar 1998 10:42:17 +0100
Received: from mail01.pggm.nl by bj014.pggm.nl (SMI-8.6/SMI-SVR4) id KAA12032; Tue, 3 Mar 1998 10:44:49 +0100
Received: by mail01.pggm.nl with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52) id <01BD4691.40304770@mail01.pggm.nl>; Tue, 3 Mar 1998 10:43:49 +0100
Message-ID:
From: "Grutter H."
To: "'Grutter H.'" , "'Ioan Jones'"
Cc: "'firewalls@GreatCircle.COM'" , "'chicks@chicks.net'"
Subject: AW: AW: windows-based ftp via socks5
Date: Tue, 3 Mar 1998 10:43:45 +0100
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Sorry, my mistake. I meant E-mail.

Hans Grutter

>----------
>From: Ioan Jones[SMTP:git97ilj@gorseinon.ac.uk]
>Sent: Tuesday 3 March 1998 11:11
>To: Grutter H.
>Subject: Re: AW: windows-based ftp via socks5
>
>From: "Grutter H."
>To: "'Firewalls List'" ,
> "'Christopher Hicks'"
>Subject: AW: windows-based ftp via socks5
>Date: Mon, 2 Mar 1998 10:32:47 +0100
>
>
>Hi,
>
>maybe this is the answer you're not waiting for but anyway.
>
>Don't allow any service you don't really need.
>I mean if the files that
>the users want to send are not too big and if they have the time let
>them mail the files and not FTP them.
>
>Just a suggestion,
>
>Hans
>
>>Won't that be a little costly I mean what about the stamp?
>On a more serious note, Post office employees are paid to steal
>computer media and sell to hackers and other companies, so be warned.
>
>

From firewalls-owner Tue Mar 3 06:36:35 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA13816; Tue, 3 Mar 1998 05:31:33 -0800 (PST)
Received: from relay.pair.com (relay1.pair.com [209.68.1.20]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id EAA29359 for ; Tue, 3 Mar 1998 04:41:32 -0800 (PST)
Received: from shake (p10-max2.mel.tig.com.au [209.78.50.74]) by relay.pair.com (8.8.7/8.8.5) with SMTP id HAA16821 for ; Tue, 3 Mar 1998 07:54:37 -0500 (EST)
Message-ID: <010c01bd46aa$d44f66c0$4a324ed1@shake>
From: "Shake Communications PTY LTD"
To:
Subject: New Security Firm Launches Online Services
Date: Tue, 3 Mar 1998 23:36:41 +1000
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.72.2106.4
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

New Security Firm Launches Online Services

Shake Communications Pty Ltd, a Melbourne, Australia based security firm, has launched the much-awaited Vulnerabilities Database and Shake Security Journal. Located at http://www.shake.net, the launch is welcome news to security professionals and IT managers throughout the world.

For the first time, they have at their fingertips the world's biggest, categorised, searchable and up-to-date collection of vulnerabilities and patches in the hardware and software commonly used by organisations today. No longer must they spend hours wading through the Internet for the same information.
No longer do they have to wait for their vendor to send out a patch, fix, or updated version. And no longer do security professionals and IT managers have to wait for hackers to find (and exploit) the holes before they do!

Equally, the Shake Security Journal provides security professionals and IT managers with cutting-edge, in-depth news, information and analyses on recent events and developments in the security field. Available by subscription, the March edition can be viewed online for free.

The Shake Site will offer more online services as demand grows. It is also envisaged that the Site will become an environment where security professionals can exchange news, views and ideas.

For more information visit the Shake Web Site at http://www.shake.net

From firewalls-owner Tue Mar 3 06:40:36 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id EAA29288; Tue, 3 Mar 1998 04:40:38 -0800 (PST)
Received: from alushta.NL.net (alushta.NL.net [193.78.240.22]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id CAA00204 for ; Tue, 3 Mar 1998 02:44:20 -0800 (PST)
Received: from pggm by alushta.NL.net with UUCP id <29609-5918>; Tue, 3 Mar 1998 10:44:12 +0100
Received: from mailhost.pggm.nl by pggm.nl (SMI-8.6/SMI-4.1) id KAA02560; Tue, 3 Mar 1998 10:33:37 +0100
Received: from bj014.pggm.nl by mailhost.pggm.nl (SMI-8.6/SMI-SVR4) id KAA17188; Tue, 3 Mar 1998 10:33:35 +0100
Received: from mail01.pggm.nl by bj014.pggm.nl (SMI-8.6/SMI-SVR4) id KAA11774; Tue, 3 Mar 1998 10:36:08 +0100
Received: by mail01.pggm.nl with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52) id <01BD4690.0A0979B0@mail01.pggm.nl>; Tue, 3 Mar 1998 10:35:09 +0100
Message-ID:
From: "Grutter H."
To: "'Firewalls@GreatCircle.COM'" , "'Dana Bourgeois'"
Subject: AW: Dial-up security breach?
Date: Tue, 3 Mar 1998 10:35:08 +0100
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Please, it is very simple. As long as the machine is not a firewall and it has a line to the outside world, there is a high risk that hackers will use it to enter the network. If you are willing to take that risk, fine. If you are not, then you can secure every machine in such a manner that it becomes a firewall itself. The disadvantage is that it is not manageable to have 300 firewalls.

Greetings,

Hans Grutter

>----------
>From: Dana Bourgeois[SMTP:fg@corp.portal.com]
>Sent: Monday 2 March 1998 19:42
>To: 'Firewalls@GreatCircle.COM'
>Subject: RE: Dial-up security breach?
>
>Windows NT has an entry in the Registry that controls whether packets
>are forwarded between interfaces (in like manner to Unix). I would
>guess that the hardest part would be getting permission to change the
>Registry.
>
>-fg
>
>> -----Original Message-----
>> From: Grutter H. [SMTP:GRJN@pggm.nl]
>> Sent: Monday, March 02, 1998 1:06
>> To: 'Firewalls@GreatCircle.COM'; 'klinec@mapcoinc.com'
>> Subject: AW: Dial-up security breach?
>>
>>
>> In my opinion this is not very secure. It is something like guarding the
>> front door with an army and leaving the back door wide open.
>>
>> An attacker would probably use this because it is the easiest way. I'm
>> not sure if Windows95 or NT can or will route packets between two
>> segments. But a hacker can change the systems to do so.
>>
>> I realize it is a problem to prevent users from getting their own dial-up
>> account. Just offer them the same or better service from your WAN or
>> make it cheaper for them. Also inform them properly about the risks they
>> create.
>>
>> Also make it a company rule that it is forbidden. If they break the rule
>> just disconnect them from your WAN.
>> You have to make sure the management agrees with this.
>>
>> Good luck,
>>
>> Hans Grutter
>>
>>
>>
>>
>>
>> >----------
>> >From: klinec@mapcoinc.com[SMTP:klinec@mapcoinc.com]
>> >Sent: Friday 27 February 1998 21:42
>> >To: Firewalls@GreatCircle.COM
>> >Subject: Dial-up security breach?
>> >
>> >This is a little off-topic, but I thought I would try it anyway.
>> >
>> >We provide Internet access to 300 users enterprise-wide through our
>> >frame-relay WAN connections and our firewall at our corporate headquarters.
>> >Some users have decided to go out and get accounts with local ISPs and have
>> >dial-up connections in Windows95 or Windows NT to these ISPs. How much of
>> >a security risk does everyone think this may be? Since these users are
>> >typically dynamically assigned an IP address when they log in to their ISP,
>> >they then have TWO IP addresses on their system. One for the network card
>> >and one for the dial-up PPP connection. Could an attacker use this
>> >situation to attack our network? How likely is this?
>> >
>> >We are trying to eradicate this from our network, but some of these users
>> >are pretty stubborn.
>> >
>> >Thanks,
>> >Curtis Kline
>> >Network System Engineer
>> >MAPCO Coal, Inc.
>> >Tulsa, OK
>> >
>> >
>> >
>> >
>
>

From firewalls-owner Tue Mar 3 06:41:21 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id TAA00585; Mon, 2 Mar 1998 19:51:16 -0800 (PST)
Received: from ilms.nla.gov.au (ilms.nla.gov.au [192.102.239.30]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id TAA00444 for ; Mon, 2 Mar 1998 19:50:31 -0800 (PST)
Received: from gandalf.nla.gov.au (mirkwood.nla.gov.au [203.4.202.35]) by ilms.nla.gov.au (8.6.12/8.6.12) with SMTP id OAA100890 for ; Tue, 3 Mar 1998 14:58:01 +1000
Received: by gandalf.nla.gov.au with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5) id <01BD46AC.400B8D20@gandalf.nla.gov.au>; Tue, 3 Mar 1998 13:57:05 +1000
Message-ID:
From: Yinan Yang
To: "'Firewalls@GreatCircle.COM'"
Subject: FW: Majordomo results
Date: Tue, 3 Mar 1998 13:57:04 +1000
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Someone may need to check "Majordomo@GreatCircle.Com"'s scripts. Why is it so hard to get off the list?! Does anyone have similar problems?

Yinan

>----------
>From: Majordomo@GreatCircle.COM[SMTP:Majordomo@GreatCircle.COM]
>Sent: Tuesday, 3 March 1998 2:14PM
>To: Yinan Yang
>Subject: Majordomo results
>
>--
>
>>>>> >unsubscribe firewalls yyang@nla.gov.au
>**** Command '>unsubscribe' not recognized.
>>>>> >
>**** Command '>' not recognized.
>**** No valid commands found.
>**** Commands must be in message BODY, not in HEADER.
>
>**** Help for Majordomo@GreatCircle.COM:
>
>
>This help message is being sent to you from the Majordomo mailing list
>management system at Majordomo@GreatCircle.COM.
>
>This is version 1.94.4 of Majordomo.
>
>If you're familiar with mail servers, an advanced user's summary of
>Majordomo's commands appears at the end of this message.
>
>Majordomo is an automated system which allows users to subscribe
>and unsubscribe to mailing lists, and to retrieve files from list
>archives.
>
>You can interact with the Majordomo software by sending it commands
>in the body of mail messages addressed to "Majordomo@GreatCircle.COM".
>Please do not put your commands on the subject line; Majordomo does
>not process commands in the subject line.
>
>You may put multiple Majordomo commands in the same mail message.
>Put each command on a line by itself.
>
>If you use a "signature block" at the end of your mail, Majordomo may
>mistakenly believe each line of your message is a command; you will
>then receive spurious error messages. To keep this from happening,
>either put a line starting with a hyphen ("-") before your signature,
>or put a line with just the word
>
> end
>
>on it in the same place. This will stop the Majordomo software from
>processing your signature as bad commands.
>
>Here are some of the things you can do using Majordomo:
>
>I. FINDING OUT WHICH LISTS ARE ON THIS SYSTEM
>
>To get a list of publicly-available mailing lists on this system, put the
>following line in the body of your mail message to Majordomo@GreatCircle.COM:
>
> lists
>
>Each line will contain the name of a mailing list and a brief description
>of the list.
>
>To get more information about a particular list, use the "info" command,
>supplying the name of the list. For example, if the name of the list
>about which you wish information is "demo-list", you would put the line
>
> info demo-list
>
>in the body of the mail message.
>
>II. SUBSCRIBING TO A LIST
>
>Once you've determined that you wish to subscribe to one or more lists on
>this system, you can send commands to Majordomo to have it add you to the
>list, so you can begin receiving mailings.
>
>To receive list mail at the address from which you're sending your mail,
>simply say "subscribe" followed by the list's name:
>
> subscribe demo-list
>
>If for some reason you wish to have the mailings go to a different address
>(a friend's address, a specific other system on which you have an account,
>or an address which is more correct than the one that automatically appears
>in the "From:" header on the mail you send), you would add that address to
>the command. For instance, if you're sending a request from your work
>account, but wish to receive "demo-list" mail at your personal account
>(for which we will use "jqpublic@my-isp.com" as an example), you'd put
>the line
>
> subscribe demo-list jqpublic@my-isp.com
>
>in the mail message body.
>
>Based on configuration decisions made by the list owners, you may be added
>to the mailing list automatically. You may also receive notification
>that an authorization key is required for subscription. Another message
>will be sent to the address to be subscribed (which may or may not be the
>same as yours) containing the key, and directing the user to send a
>command found in that message back to Majordomo@GreatCircle.COM. (This can be
>a bit of extra hassle, but it helps keep you from being swamped in extra
>email by someone who forged requests from your address.) You may also
>get a message that your subscription is being forwarded to the list owner
>for approval; some lists have waiting lists, or policies about who may
>subscribe. If your request is forwarded for approval, the list owner
>should contact you soon after your request.
>
>Upon subscribing, you should receive an introductory message, containing
>list policies and features. Save this message for future reference; it
>will also contain exact directions for unsubscribing. If you lose the
>intro mail and would like another copy of the policies, send this message
>to Majordomo@GreatCircle.COM:
>
> intro demo-list
>
>(substituting, of course, the real name of your list for "demo-list").
>
>III. UNSUBSCRIBING FROM MAILING LISTS
>
>Your original intro message contains the exact command which should be
>used to remove your address from the list. However, in most cases, you
>may simply send the command "unsubscribe" followed by the list name:
>
> unsubscribe demo-list
>
>(This command may fail if your provider has changed the way your
>address is shown in your mail.)
>
>To remove an address other than the one from which you're sending
>the request, give that address in the command:
>
> unsubscribe demo-list jqpublic@my-isp.com
>
>In either of these cases, you can tell Majordomo@GreatCircle.COM to remove
>the address in question from all lists on this server by using "*"
>in place of the list name:
>
> unsubscribe *
> unsubscribe * jqpublic@my-isp.com
>
>IV. FINDING THE LISTS TO WHICH AN ADDRESS IS SUBSCRIBED
>
>To find the lists to which your address is subscribed, send this command
>in the body of a mail message to Majordomo@GreatCircle.COM:
>
> which
>
>You can look for other addresses, or parts of an address, by specifying
>the text for which Majordomo should search. For instance, to find which
>users at my-isp.com are subscribed to which lists, you might send the
>command
>
> which my-isp.com
>
>Note that many list owners completely or fully disable the "which"
>command, considering it a privacy violation.
>
>V. FINDING OUT WHO'S SUBSCRIBED TO A LIST
>
>To get a list of the addresses on a particular list, you may use the
>"who" command, followed by the name of the list:
>
> who demo-list
>
>Note that many list owners allow only a list's subscribers to use the
>"who" command, or disable it completely, believing it to be a privacy
>violation.
>
>VI. RETRIEVING FILES FROM A LIST'S ARCHIVES
>
>Many list owners keep archives of files associated with a list. These
>may include:
>- back issues of the list
>- help files, user profiles, and other documents associated with the list
>- daily, monthly, or yearly archives for the list
>
>To find out if a list has any files associated with it, use the "index"
>command:
>
> index demo-list
>
>If you see files in which you're interested, you may retrieve them by
>using the "get" command and specifying the list name and archive filename.
>For instance, to retrieve the files called "profile.form" (presumably a
>form to fill out with your profile) and "demo-list.9611" (presumably the
>messages posted to the list in November 1996), you would put the lines
>
> get demo-list profile.form
> get demo-list demo-list.9611
>
>in your mail to Majordomo@GreatCircle.COM.
>
>VII. GETTING MORE HELP
>
>To contact a human site manager, send mail to
>Majordomo-Owner@GreatCircle.COM.
>To contact the owner of a specific list, send mail to that list's
>approval address, which is formed by adding "-approval" to the user-name
>portion of the list's address. For instance, to contact the list owner
>for demo-list@GreatCircle.COM, you would send mail to
>demo-list-approval@GreatCircle.COM.
>
>To get another copy of this help message, send mail to
>Majordomo@GreatCircle.COM
>with a line saying
>
> help
>
>in the message body.
>
>VIII. COMMAND SUMMARY FOR ADVANCED USERS
>
>In the description below items contained in []'s are optional. When
>providing the item, do not include the []'s around it. Items in angle
>brackets, such as <address>, are meta-symbols that should be replaced
>by appropriate text without the angle brackets.
>
>It understands the following commands:
>
> subscribe <list> [<address>]
> Subscribe yourself (or <address> if specified) to the named <list>.
>
> unsubscribe <list> [<address>]
> Unsubscribe yourself (or <address> if specified) from the named <list>.
> "unsubscribe *" will remove you (or <address>) from all lists. This
> _may not_ work if you have subscribed using multiple addresses.
>
> get <list> <filename>
> Get a file related to <list>.
>
> index <list>
> Return an index of files you can "get" for <list>.
>
> which [<address>]
> Find out which lists you (or <address> if specified) are on.
>
> who <list>
> Find out who is on the named <list>.
>
> info <list>
> Retrieve the general introductory information for the named <list>.
>
> intro <list>
> Retrieve the introductory message sent to new users. Non-subscribers
> may not be able to retrieve this.
>
> lists
> Show the lists served by this Majordomo server.
>
> help
> Retrieve this message.
>
> end
> Stop processing commands (useful if your mailer adds a signature).
>
>Commands should be sent in the body of an email message to
>"Majordomo@GreatCircle.COM". Multiple commands can be processed provided
>each occurs on a separate line.
>
>Commands in the "Subject:" line are NOT processed.
>
>If you have any questions or problems, please contact
>"Majordomo-Owner@GreatCircle.COM".
>
>

From firewalls-owner Tue Mar 3 08:19:08 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA05563; Tue, 3 Mar 1998 05:02:39 -0800 (PST)
Received: from m3.sprynet.com (m3.sprynet.com [165.121.1.55]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id FAA05439 for ; Tue, 3 Mar 1998 05:02:14 -0800 (PST)
Received: from [199.174.242.209] (hd62-209.hil.compuserve.com [199.174.242.209]) by m3.sprynet.com (8.8.5/8.8.5) with SMTP id FAA15947; Tue, 3 Mar 1998 05:16:08 -0800 (PST)
Message-Id: <199803031316.FAA15947@m3.sprynet.com>
To: Gene Spafford
Subject: Re: Infosec Accountability - 2 cents more
Date: Tue, 03 Mar 98 08:09:23 -0500
From: William Hugh Murray
X-Mailer: E-Mail Connection v3.1
CC: "bill.stewart@pobox.com" , "cypherpunks@Algebra.COM" , "firewalls@greatcircle.com" , Vin McClellan
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

-- [ From: William Hugh Murray * EMC.Ver #3.1 ] --

Gene writes:

>>>I believe that vendors should be held accountable not only for releasing buggy code, but for not building in the simple solutions we know make a difference.<<<

At one level, I am not prepared to argue this. There is certainly enough blame to go around.
At another, I am not in the blame game. I am in the problem solving
business. As I have said, this is a very difficult problem. We are trying
to balance generality, flexibility, availability, ease of use,
functionality, and performance against order and discipline. That the
former often win should not surprise anybody, least of all us.

There will always be successful attacks, just as there are still
successful murders, hi-jackings, and bank robberies. These are not
necessarily evidence that the custodians have done a bad job. This is
what we should tell the press in every case. We should not let them
entrap us into playing their blame game. There are no villains here,
only people like us doing the best that they can under difficult odds.
We should not reflexively start pointing fingers at each other,
individually or collectively, every time something goes wrong. If there
are villains here, they are the irresponsible childish people kicking
over other peoples' sand castles.

Neither should we, under pressure, take our eyes off the ball. We are
building the infrastructure for the twenty-first century. We must build
robust structures whatever the quality of the materials at hand. It is
time to recognize that traditional multi-user operating systems are not
now, and are not likely to be in our lifetime, strong enough to use in
critical roles in our structures. Instead we must learn to use them
sparingly, hide them, redact them, and compensate for them.
Cheers, Bill

-------- REPLY, Original message follows --------

> Date: Monday, 02-Mar-98 11:54 PM
>
> From: Gene Spafford \ Internet: (spaf@cs.purdue.edu)
> To: whmurray@sprynet.com \ Internet: (whmurray@sprynet.com)
> cc: bill.stewart@pobox.com \ Internet: (bill.stewart@pobox.com)
> cc: cypherpunks@Algebra.COM \ Internet: (cypherpunks@algebra.com)
> cc: firewalls@greatcircle.com \ Internet: (firewalls@greatcircle.com)
> cc: Vin McClellan \ Internet: (vin@shore.net)
>
> Subject: Re: Infosec Accountability - 2 cents more
>
> > The net is that requiring strong authentication, hiding the operating
> > systems from the network, and removing gratuitous functionality are more
> > important and more effective than trying to replace or patch operating
> > systems.
>
> We agree, but it was not clear. I believe that vendors should be held
> accountable not only for releasing buggy code, but for not building in
> the simple solutions we know make a difference. This includes better
> authentication, selective functionality, and better network
> interaction (to name a few).
>
> Unfortunately, I have an active RSI problem right now, so I am not
> going to be able to contribute more to this discussion on-line.
>
> --spaf
>
>
-------- REPLY, End of original message --------

From firewalls-owner Tue Mar 3 08:19:10 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA06177; Mon, 2 Mar 1998 08:06:47 -0800 (PST)
Received: from folifw1.wepex.com ([166.49.124.1]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id IAA05902 for ; Mon, 2 Mar 1998 08:05:39 -0800 (PST)
Received: by folifw1.wepex.com; id IAA25427; Mon, 2 Mar 1998 08:01:00 -0800
Received: from csifiapp621.wepex.net(166.49.116.21) by folifw1.wepex.com via smap (3.2) id xma025348; Mon, 2 Mar 98 08:00:37 -0800
Received: by csifiapp621.wepex.net with Internet Mail Service (5.0.1458.49) id ; Mon, 2 Mar 1998 08:12:22 -0800
Message-ID: <59726335C162D111B2CF00805FA7205D1BEB65@csifiapp621.wepex.net>
From: "Litney, Tom"
To: "'firewall post'"
Subject: Re: IDS: Re: RE: Simply a Question "?"
Date: Mon, 2 Mar 1998 08:12:20 -0800
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1458.49)
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>I want to get off this list too!
>It is easy to get on, and impossible to get off!!!!!
>I have been to the homepage and searched the net for weeks now.
>Please tell me how to get off this list.
>wildfire@island.net

Welcome to the Hotel California!

(sorry folks, I couldn't resist :-P )

Disclaimer: The above represents my personal opinions and not an official
endorsement or position by the California ISO, my current employer. I
reserve the right to disavow them at my convenience.
From firewalls-owner Tue Mar 3 09:43:04 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA19362; Tue, 3 Mar 1998 08:37:33 -0800 (PST)
Received: from pike.sover.net (pike.sover.net [204.71.16.17]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id IAA19333 for ; Tue, 3 Mar 1998 08:37:22 -0800 (PST)
Received: from sover.net (usr0a8.rut.sover.net [206.25.64.108]) by pike.sover.net (8.8.5/8.8.5) with ESMTP id LAA08786 for ; Tue, 3 Mar 1998 11:44:37 -0500 (EST)
Message-ID: <34FC33AB.7A8DB752@sover.net>
Date: Tue, 03 Mar 1998 11:45:31 -0500
From: Chris Brenton
Reply-To: cbrenton@sover.net
X-Mailer: Mozilla 4.03 [en] (Win95; I)
MIME-Version: 1.0
To: firewalls@GreatCircle.COM
Subject: Re: New Security Firm Launches Online Services
References: <010c01bd46aa$d44f66c0$4a324ed1@shake>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Shake Communications PTY LTD wrote:

> Located at http://www.shake.net, the launch is welcome news to security
> professionals and IT managers throughout the world.

Yes, we are all dancing in the street.

> For the first time, they
> have at their finger tips the world's biggest, categorised, searchable and
> up-to-date collection of vulnerabilities and patches in the hardware and
> software commonly used by organisations today.

First time? Have we done our homework?

Sure, provided you are willing to *pay* for the service. While this reads
like a public service, it is conveniently not mentioned that you need $$$
to get access.

Talk about slippery SPAM!
Cheers,
Chris

From firewalls-owner Tue Mar 3 09:46:20 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA10365; Mon, 2 Mar 1998 13:37:17 -0800 (PST)
Received: from www.valuu.net (www.valuu.net [204.252.40.2]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id NAA10349 for ; Mon, 2 Mar 1998 13:36:55 -0800 (PST)
Received: from fd.valuu.net ([204.252.40.3]) by www.valuu.net (post.office MTA v2.0 0813 ID# 0-11837) with SMTP id AAA260; Mon, 2 Mar 1998 16:43:22 -0500
Message-ID: <012701bd4624$525c7580$0328fccc@fd.valuu.net>
From: rabbi@www.valuu.net (Rabbi Haim Cassorla)
To: "Patrick Prue x-270"
Cc:
Subject: Re: Radius Solutions for NT
Date: Mon, 2 Mar 1998 16:44:03 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.72.2106.4
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I wouldn't use the Livingston Product ---- now Lucent Technologies. We
bought it and it would not work, couldn't be configured, and all the help
we got from them was complaints about our modem. We are currently suing
them.

Shalom Berakha VeTova
Rabbi Haim Cassorla HY"V
www.valuu.net
www.HaReshima.com

-----Original Message-----
From: Patrick Prue x-270
To: 'firewalls@greatcircle.com'
Date: Saturday, February 28, 1998 1:55 AM
Subject: Radius Solutions for NT

>I am looking at what RADIUS Solutions are available on an NT Platform..
>Any one have suggestions / Comments
>
>Thanks

From firewalls-owner Tue Mar 3 10:43:53 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA25444; Tue, 3 Mar 1998 06:37:05 -0800 (PST)
Received: from cih-gw.cih.com (cih-gw.cih.com [204.69.206.1]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id GAA25404 for ; Tue, 3 Mar 1998 06:36:41 -0800 (PST)
Received: (from hagan@localhost) by cih-gw.cih.com (8.7.6/8.6.9) id KAA04851; Tue, 3 Mar 1998 10:49:24 -0500
To: Michael Sorbera
Cc: firewalls@GreatCircle.COM
Subject: Re: Monitoring Web Server
References: <34F431F9.D8D1ACB3@ibm.net>
From: "Craig I. Hagan"
Date: 03 Mar 1998 10:49:23 -0500
In-Reply-To: Michael Sorbera's message of "Wed, 25 Feb 1998 09:00:09 -0600"
Message-ID:
Lines: 34
X-Mailer: Gnus v5.4.66/Emacs 19.34
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Michael Sorbera writes:

> Does anyone know of a program that will monitor a web server (no ping,
> but an actual access of the URL), and if the access doesn't work, page
> me...
>
> I would prefer a DOS, Win 3.X or WIN95 solution. But will go to NT or
> UNIX if need be.

I've a perl script which, via a config file, goes through a set of
machines/ports/GET/expected response specs. I it to run a php script
which tells me that the machines are up, the dbmses are running, etc.
It will send email should the systems be down at 1,5,15,30,1hr (and every
hour beyond) intervals upon outage detection. Upon service resumption,
one email will be sent.

I *believe* that this sucker can run under perl for windows, but I've
never verified this.

I'll gladly make it available for ftp tomfoolery if people are interested.

-- craig

-------------------------------------------------------------------------------
Craig I.
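The monitor Craig describes above, as an added example in Python rather than his Perl script (this is not code from the post): it fetches a URL, requires an expected string in the body, notifies at 1, 5, 15, 30 and 60 minutes after an outage is detected and hourly after that, and sends one message on recovery. The Target fields, the schedule constants and the constructed fake server in simulate() are my own assumptions, not his config-file format.

```python
"""HTTP availability monitor with an escalating notification schedule.

Added example (Python), not Craig's Perl script. It models the behaviour
described in the post: fetch the URL (not just ping), require an expected
string in the response, notify at 1, 5, 15, 30 and 60 minutes after an
outage is first seen and hourly after that, and send exactly one message
when service resumes. Fetcher and notifier are injected so the logic can
be driven offline by the constructed fake server in simulate().
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple
import urllib.request

# Minutes after outage detection at which notifications are due; once the
# list is exhausted another notification goes out every REPEAT_EVERY.
SCHEDULE = [1, 5, 15, 30, 60]
REPEAT_EVERY = 60


@dataclass
class Target:
    name: str
    url: str
    expect: str  # substring that must appear in the response body


@dataclass
class State:
    down_since: Optional[int] = None  # minute the outage was first seen
    sent: int = 0                     # notifications sent this outage


def fetch_http(url: str, timeout: float = 10.0) -> str:
    """Real fetcher: GET the URL and return the body as text."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def is_up(target: Target, fetcher: Callable[[str], str]) -> bool:
    """Up means the fetch succeeded and the expected text is present."""
    try:
        return target.expect in fetcher(target.url)
    except Exception:
        return False


def next_due(sent: int) -> int:
    """Minutes after detection at which notification number `sent` is due."""
    if sent < len(SCHEDULE):
        return SCHEDULE[sent]
    return SCHEDULE[-1] + REPEAT_EVERY * (sent - len(SCHEDULE) + 1)


def poll(target: Target, state: State, now: int,
         fetcher: Callable[[str], str],
         notify: Callable[[str], None]) -> Optional[str]:
    """One polling pass at minute `now`; returns the message sent, if any."""
    if is_up(target, fetcher):
        if state.down_since is None:
            return None
        msg = f"{target.name} is back up after {now - state.down_since} min"
        state.down_since, state.sent = None, 0
        notify(msg)
        return msg
    if state.down_since is None:
        state.down_since, state.sent = now, 0
    elapsed = now - state.down_since
    if elapsed < next_due(state.sent):
        return None
    state.sent += 1
    msg = f"{target.name} DOWN for {elapsed} min (alert #{state.sent})"
    notify(msg)
    return msg


def simulate(down_from: int, down_until: int, end: int) -> List[Tuple[int, str]]:
    """Poll once per minute against a constructed fake server that is down
    on minutes [down_from, down_until); returns (minute, message) pairs."""
    target = Target("www", "http://www.example.invalid/", "status OK")
    state, clock, log = State(), {"now": 0}, []

    def fake_fetch(url: str) -> str:
        if down_from <= clock["now"] < down_until:
            raise ConnectionError("constructed outage")
        return "<html>status OK</html>"

    for minute in range(end):
        clock["now"] = minute
        msg = poll(target, state, minute, fake_fetch, lambda m: None)
        if msg:
            log.append((minute, msg))
    return log


if __name__ == "__main__":
    for minute, msg in simulate(1, 70, 80):
        print(f"t={minute:3d}  {msg}")
```

For live use, replace fake_fetch with fetch_http and the no-op notifier with whatever sends your mail or pages.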
Hagan                   "It's a small world, but I wouldn't want to back it up"
hagan(at)cih.com        "True hackers don't die, their ttl expires"
"It takes a village to raise an idiot, but an idiot can raze a village"
Stop the spread of spam, use a sendmail condom! http://www.cih.com/~hagan/smtpd-hacks
In Bandwidth we trust

From firewalls-owner Tue Mar 3 12:56:19 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA10682; Tue, 3 Mar 1998 10:09:18 -0800 (PST)
Received: from siu.buap.mx ([148.228.1.1]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id KAA10452 for ; Tue, 3 Mar 1998 10:08:34 -0800 (PST)
Received: from localhost (ydomingo@localhost) by siu.buap.mx (8.8.5/8.8.5) with SMTP id GAA19478; Tue, 3 Mar 1998 06:21:01 -0600
Date: Tue, 3 Mar 1998 06:21:00 -0600 (CST)
From: DOMINGO VARELA YAHUITL
To: firewalls@GreatCircle.COM
cc: "'firewalls@GreatCircle.COM'"
In-Reply-To: <01DAC04A2CBECF119E9800A024821A5FAF8E@BRYCE>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

usubscrible firewalls
>

From firewalls-owner Tue Mar 3 13:08:26 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA00599; Tue, 3 Mar 1998 11:25:56 -0800 (PST)
Received: from mail.atl.bellsouth.net (mail.atl.bellsouth.net [205.152.0.21]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id LAA00574 for ; Tue, 3 Mar 1998 11:25:47 -0800 (PST)
Received: from nope (bims008201.bims.bellsouth.net [205.152.8.201]) by mail.atl.bellsouth.net (8.8.5/8.8.5) with SMTP id OAA03674 for ; Tue, 3 Mar 1998 14:33:08 -0500 (EST)
Message-Id: <199803031933.OAA03674@mail.atl.bellsouth.net>
From: "Steve"
To:
Subject: Pentagon Hackers Caught!
Date: Tue, 3 Mar 1998 14:31:58 -0500
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0007_01BD46B1.1F7578F0"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4
Importance: Normal
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

http://www.zdnet.com/zdnn/content/zdnn/0227/290073.html

It took 20 FBI agents to bust 2 kids who hacked the pentagon and the rest
of the military branches. I wonder if anyone else is a little worried
about how vulnerable the US Military networks are. Maybe the military
should invest in network scanning and intrusion detection technology.

[Attachment: "FBI mounts big crackdown on small-town teens.url", an Internet
shortcut to the same URL]

From firewalls-owner Tue Mar 3 13:21:49 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA01319; Tue, 3 Mar 1998 11:29:33 -0800 (PST)
Received: from mercury.imx-exchange.com (mercury.imx-exchange.com [207.82.224.3]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id LAA01310 for ; Tue, 3 Mar 1998 11:29:28 -0800 (PST)
Received: from luna.imx-exchange.com by mercury.imx-exchange.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.0.1458.49) id FWY9CB1M; Tue, 3 Mar 1998 11:39:19 -0800
Message-ID: <34FC5BCE.EF4348D6@imx-exchange.com>
Date: Tue, 03 Mar 1998 11:36:46 -0800
From: James Terry
Organization: IMX
X-Mailer: Mozilla 4.04 [en] (X11; I; SunOS 5.6 sun4u)
MIME-Version: 1.0
To: "'firewalls@greatcircle.com'"
Subject: Re: Books
References: <745012C45A6AD111910100A024D626A53142@DAGOBAH> <34F5A91B.36D24A7E@nwa.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

A quick note for all you bookheads: I've discovered some truly aggressive
pricing on "Firewall" books at "www.bookpool.com". Hope this saves you
some $.

james@imx-exchange.com
pertinent disclaimers implied.

J. Kris Baca wrote:
>
> Internet Security (Bellovin & Cheswick) was originally published in
> April 1994, but a second edition, published in Dec. 1997, is available
> through barnesandnoble.com (ISBN 020163466X). A third edition is due in
> August 1998 (source: amazon.com).
>
> Kris
>
> Jose Caldera wrote:
> >
> > Hi everybody,
> >
> > After going through all the certification discussion, I gather some
> > information about books that will help us all to understand and
> > prepare for the security issue. Especially there is one mentioned
> > several times from Bellovin, Cheswick, called Internet Security...
> > this book second edition isn't available right now, what we could find
> > was first edition from 1994.
> >

From firewalls-owner Tue Mar 3 13:22:54 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA23997; Tue, 3 Mar 1998 10:57:53 -0800 (PST)
Received: from spike1.pikeonline.net (spike1.pikeonline.net [209.48.17.2]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id KAA23673 for ; Tue, 3 Mar 1998 10:56:49 -0800 (PST)
Received: from paladin [209.48.17.142] by spike1.pikeonline.net (SMTPD32-4.02) id A40317630156; Tue, 03 Mar 1998 14:03:31 EST5EDT
Message-ID: <34FC5453.5939@pikeonline.net>
Date: Tue, 03 Mar 1998 14:04:51 -0500
From: "Keith A.
Pachulski"
Reply-To: sectech@pikeonline.net
Organization: Guardian Group Agency
X-Mailer: Mozilla 3.04Gold (Win95; I)
MIME-Version: 1.0
To: firewalls@greatcircle.com
CC: "Litney, Tom"
Subject: Re: IDS: Re: RE: Simply a Question "?"
References: <59726335C162D111B2CF00805FA7205D1BEB65@csifiapp621.wepex.net>
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>>I want to get off this list too!
>>It is easy to get on, and impossible to get off!!!!!
>>I have been to the homepage and searched the net for weeks now.
>>Please tell me how to get off this list.
>>wildfire@island.net
>
> Welcome to the Hotel California!
>
> (sorry folks, I couldn't resist :-P )
>

LOL..well, if all else fails, why not just set up a mail filter? Seems
easy enough to me.

--
------------------------------------------
Keith A. Pachulski PPS, CPI
Guardian Group Agency
ICQ#7768208
sectech@pikeonline.net
http://members.spree.com/guardian95/
------------------------------------------
From firewalls-owner Tue Mar 3 15:00:01 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA29091; Tue, 3 Mar 1998 11:17:09 -0800 (PST)
Received: from mail.atl.bellsouth.net (mail.atl.bellsouth.net [205.152.0.21]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id LAA29033 for ; Tue, 3 Mar 1998 11:16:56 -0800 (PST)
Received: from nope (bims008201.bims.bellsouth.net [205.152.8.201]) by mail.atl.bellsouth.net (8.8.5/8.8.5) with SMTP id OAA28806; Tue, 3 Mar 1998 14:24:06 -0500 (EST)
Message-Id: <199803031924.OAA28806@mail.atl.bellsouth.net>
From: "Steve"
To: "Shake Communications PTY LTD" ,
Subject: Vulnerability Databases
Date: Tue, 3 Mar 1998 14:22:56 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
In-Reply-To: <010c01bd46aa$d44f66c0$4a324ed1@shake>
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4
Importance: Normal
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> New Security Firm Launches Online Services
>
> Located at http://www.shake.net, the launch is welcome news to security
> professionals and IT managers throughout the world. For the first time, they
> have at their finger tips the world's biggest, categorised, searchable and
> up-to-date collection of vulnerabilities and patches in the hardware and
> software commonly used by organisations today.
Check out http://www.infilsec.com and http://www.iss.net/xforce . Each of
these sites has a comprehensive vulnerability database and they are free
to use. Hardly first time news.

> Equally, the Shake Security Journal provides security professionals and IT
> managers with cutting-edge, indepth news, information and analyses on recent
> events and developments in the security field. Available by subscription,
> the March edition can be viewed online for free.

Most of the news items come from Risk Digests, a free source. There
appears to be not much extra added value other than repackaging freely
available information.

> The Shake Site will offer more online services as demand grows. It is also
> envisaged that the Site will become an environment where security
> professionals can exchange news, views and ideas.

Good luck!

From firewalls-owner Tue Mar 3 16:52:20 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id SAA09331; Mon, 2 Mar 1998 18:13:45 -0800 (PST)
Received: from mail.elp.rr.com (ns.elp.rr.com [24.92.96.1]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id SAA09131 for ; Mon, 2 Mar 1998 18:12:59 -0800 (PST)
Received: from laptop.elp.rr.com (cda-100bt.elp.rr.com [24.92.96.172]) by mail.elp.rr.com (8.8.7/8.8.8) with ESMTP id TAA23734 for ; Mon, 2 Mar 1998 19:20:08 -0700 (MST)
Message-Id: <199803030220.TAA23734@mail.elp.rr.com>
From: "Rick Osteen"
To:
Subject: mac address spoofing???
Date: Mon, 2 Mar 1998 19:13:30 -0700
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1155
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Is it possible for a Gateway 2000 pc using windows 95 to spoof the mac
address? The 2nd mac is the same as the first but it has a 02 in front
of it.
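An added example (Python, not code from the list) for Rick's question: the leading 02 is the IEEE 802 locally-administered bit of the first octet, so the check below parses an address, reports that bit and the group bit, and tests whether two addresses differ only in that bit, which is what his pair shows. The function names and the extra sample addresses in the test are my own.

```python
"""Decode the IEEE 802 address bits of a MAC address.

Added example, not code from the list post. The first octet of a MAC
address carries two flag bits: 0x01 (group/multicast rather than
unicast) and 0x02 (locally administered rather than assigned by the
vendor under an IEEE OUI). An address that equals a NIC's burned-in
address with only the 0x02 bit set was derived from it in software,
which is the pattern in the two addresses quoted in the question.
"""
import re
from dataclasses import dataclass

_HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")


@dataclass(frozen=True)
class MacInfo:
    octets: bytes
    oui: str                   # first three octets, e.g. "00:60:81"
    locally_administered: bool
    group: bool


def parse_mac(text: str) -> MacInfo:
    """Parse 'aa:bb:cc:dd:ee:ff' or 'aa-bb-cc-dd-ee-ff'; raise on anything else."""
    parts = re.split(r"[:-]", text.strip())
    if len(parts) != 6 or not all(_HEX_PAIR.fullmatch(p) for p in parts):
        raise ValueError(f"not a MAC address: {text!r}")
    octets = bytes(int(p, 16) for p in parts)
    return MacInfo(
        octets=octets,
        oui=":".join(f"{b:02x}" for b in octets[:3]),
        locally_administered=bool(octets[0] & 0x02),
        group=bool(octets[0] & 0x01),
    )


def describe(text: str) -> str:
    """Human-readable classification of one address."""
    info = parse_mac(text)
    cast = "group" if info.group else "unicast"
    if info.locally_administered:
        origin = "locally administered"
    else:
        origin = f"universally administered (OUI {info.oui})"
    return f"{text}: {cast}, {origin}"


def differs_only_by_local_bit(a: str, b: str) -> bool:
    """True when b is a with just the locally-administered bit flipped."""
    x, y = parse_mac(a).octets, parse_mac(b).octets
    return x[1:] == y[1:] and (x[0] ^ y[0]) == 0x02


if __name__ == "__main__":
    # The two addresses from the question, as sample input.
    for mac in ("00:60:81:32:ef:ab", "02:60:81:32:ef:ab"):
        print(describe(mac))
    print(differs_only_by_local_bit("00:60:81:32:ef:ab", "02:60:81:32:ef:ab"))
```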
for example:

1st mac address: 00:60:81:32:ef:ab
2nd mac address: 02:60:81:32:ef:ab

Thanks,
Rick Osteen
SysAdmin.RR.EP.

From firewalls-owner Tue Mar 3 16:52:23 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA27578; Mon, 2 Mar 1998 12:18:20 -0800 (PST)
Received: from mail.state.fl.us (mail.state.fl.us [204.90.27.7]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id MAA27529 for ; Mon, 2 Mar 1998 12:18:06 -0800 (PST)
Received: from booksr [199.250.24.56] by mail.state.fl.us with smtp (Exim 1.73 #2) id 0y9bm1-0006OG-00; Mon, 2 Mar 1998 15:25:17 -0500
Date: Mon, 2 Mar 1998 16:21:16 -0500 (EST)
From: Roger Books
Reply-To: Roger Books
Subject: Re: AW: Dial-up security breach?
To: Firewalls@GreatCircle.COM
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> >----------
> >From: klinec@mapcoinc.com[SMTP:klinec@mapcoinc.com]
> >Sent: Friday, 27 February 1998 21:42
> >To: Firewalls@GreatCircle.COM
> >Subject: Dial-up security breach?
> >
> >This is a little off-topic, but I thought I would try it anyway.
> >
> >We provide Internet access to 300 users enterprise-wide through our
> >frame-relay WAN connections and our firewall at our corporate
> >headquarters. Some users have decided to go out and get accounts with
> >local ISPs and have dial-up connections in Windows95 or Windows NT to these
> >ISPs. How much of a security risk does everyone think this may be? Since
> >these users are typically dynamically assigned an IP address when they log
> >in to their ISP, they then have TWO IP addresses on their system. One for
> >the network card and one for the dial-up PPP connection. Could an attacker
> >use this situation to attack our network? How likely is this?
> >
> >We are trying to eradicate this from our network, but some of these users
> >are pretty stubborn.
Well, my opinion is not going to be very popular (never stopped me
before). If you make life too difficult for your users they will defeat
your security. If you've ever worked in a shop where management gets
paranoid about good passwords you will understand this. You end up
forcing everyone to have a completely random, secure, and easily
forgettable password and soon you find username/password combinations on
sticky notes stuck to monitors. Security is now defeated.

If your users are resisting this much, is it possible that they need
internet access to effectively accomplish their job, and the firewall
policy is such that they can't get out with a company account? Remember
that efficiency is just as (if not more) important to the health of your
company than security.

So, I would recommend talking to these individuals in a non-confrontational
manner and asking them why they need a dialup account. The best way to
defuse the problem is to provide a solution that you can manage but lets
the users accomplish what they need. It might necessitate lowering the
paranoia on your security, or maybe a VPN solution between your firewall
and their desktop.

A recent magazine I was reading was pointing out that a strategy some of
the best managers were using right now was to allow external companies
quick and easy access to their internal data. Just in time manufacturing
and parts ordering can be a very efficient way to do business, even if it
makes us (the network security people) cringe.
Roger

From firewalls-owner Tue Mar 3 16:53:31 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA28489; Mon, 2 Mar 1998 12:25:09 -0800 (PST)
Received: from escape.com (escape.com [198.6.71.10]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id MAA28482 for ; Mon, 2 Mar 1998 12:25:04 -0800 (PST)
Received: from leet (slip-ppp-5-88.escape.com [205.160.47.88]) by escape.com (8.8.5/8.6.9) with SMTP id PAA07538 for ; Mon, 2 Mar 1998 15:25:27 -0500 (EST)
Message-Id: <3.0.5.32.19980302151353.007cc710@jaded.cynicism.com>
X-Sender: sar@jaded.cynicism.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32)
Date: Mon, 02 Mar 1998 15:13:53 -0500
To: Firewalls@greatcircle.com
From: sar
Subject: Re: AW: Dial-up security breach?
In-Reply-To:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>>----------
>>From: klinec@mapcoinc.com[SMTP:klinec@mapcoinc.com]
>>Sent: Friday, 27 February 1998 21:42
>>To: Firewalls@GreatCircle.COM
>>Subject: Dial-up security breach?
>>
>>This is a little off-topic, but I thought I would try it anyway.
>>
>>We provide Internet access to 300 users enterprise-wide through our
>>frame-relay WAN connections and our firewall at our corporate headquarters.
>>Some users have decided to go out and get accounts with local ISPs and have
>>dial-up connections in Windows95 or Windows NT to these ISPs. How much of
>>a security risk does everyone think this may be? Since these users are
>>typically dynamically assigned an IP address when they log in to their ISP,
>>they then have TWO IP addresses on their system. One for the network card
>>and one for the dial-up PPP connection. Could an attacker use this
>>situation to attack our network? How likely is this?
>>
>>We are trying to eradicate this from our network, but some of these users
>>are pretty stubborn.
>>
>>Thanks,
>>Curtis Kline
>>Network System Engineer
>>MAPCO Coal, Inc.
>>Tulsa, OK
>>
>>
>>

At 10:06 AM 3/2/98 +0100, Gutter H. wrote:
>
>In my opinion this is not very secure. It is something like guarding the
>front door with an army and leaving the back door wide open.
>
>An attacker would probably use this because it is the easiest way. I'm
>not sure if Windows95 or NT can or will route packets between two
>segments. But a hacker can change the systems to do so.
>

The real threat is files being randomly stolen from employee pc's. Once
you can get network settings, passwords, etc. from a pc you don't need to
go through some complex procedure to get 95 to route. I have seen dial-up
networking passwords and settings stolen using NBT.

>I realize it is a problem to prevent users from getting their own dialup
>account. Just offer them the same or better service from your WAN or
>make it cheaper for them. Also inform them properly about the risks they
>create.
>

The employees probably suspect (or know) that all traffic through the WAN
is monitored. They just don't want management to know what they are
looking at.

>Also make it a company rule that it is forbidden. If they break the rule
>just disconnect them from your WAN.
>You have to make sure the management agrees with this.
>

If they are disconnected from the WAN they will be forced to use dial up
networking, increasing the chance that sensitive files on their pc's will
be stolen. The question is, if they have internet access through a WAN,
why do they have modems?
>Good luck,
>
>Hans Grutter
>
>

From firewalls-owner Tue Mar 3 16:55:07 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA15535; Mon, 2 Mar 1998 14:07:06 -0800 (PST)
Received: from arthur.cs.purdue.edu (arthur.cs.purdue.edu [128.10.2.1]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id OAA15458 for ; Mon, 2 Mar 1998 14:06:48 -0800 (PST)
Received: from dorsai.cs.purdue.edu (0@dorsai.cs.purdue.edu [128.10.2.20]) by arthur.cs.purdue.edu (8.8.7/8.8.7/PURDUE_CS-2.0) with ESMTP id RAA17784; Mon, 2 Mar 1998 17:13:22 -0500 (EST)
Received: from localhost (142@localhost [127.0.0.1]) by dorsai.cs.purdue.edu (8.8.7/8.8.7/PURDUE_CS-2.0) with SMTP id RAA06281; Mon, 2 Mar 1998 17:13:19 -0500 (EST)
Message-Id: <199803022213.RAA06281@dorsai.cs.purdue.edu>
X-Authentication-Warning: dorsai.cs.purdue.edu: 142@localhost [127.0.0.1] didn't use HELO protocol
X-Mailer: exmh version 1.6.7 5/3/96
To: Vin McLellan
cc: firewalls@greatcircle.com, cypherpunks@algebra.com, bill.stewart@pobox.com
Subject: Re: Infosec Accountability - 2 cents more
X-URI: http://www.cs.purdue.edu/people/spaf
In-reply-to: Message from Vin McLellan of "Mon, 02 Mar 1998 13:04:44 -0500"
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 02 Mar 1998 17:13:18 -0500
From: spaf@cs.purdue.edu (Gene Spafford)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Vin,

In most organizations, the responsibility and the authority for security
reside in different spots. All too often, the people with the
responsibility don't have the training, the budget, or the management
support to do as good a job as they know how to do. Meanwhile, the people
with the authority to make a difference don't have the training, the risk
models, or the economic incentive to do a better job.
From my experience, if any "expert" is quoted as saying that someone
should get the axe for allowing a breakin to happen, the person who gets
squashed is the poor end administrator who never had the budget or tools
to do anything about the situation. He/she simply gets blamed. Thus, I
usually don't mention this approach as a high priority item when asked.
Yes, I know it is important in the "big picture," but I am not convinced
that it is the most important thing.

Think about it -- some poor sysadmin is required to run 50 NT boxes
without add-on software. She's got to keep all the software up-to-date,
answer user questions, do backups, and do minor maintenance. She's told
she has to allow access to the WWW and outside ftp for all users. She has
to allow unfettered email in and out. Plus, she can't get the budget to
hire an assistant, license a scanner, or buy a one-time password system.
Along comes a hacker who waltzes in, does some damage, and waltzes out.
Who do you think gets the blame and the black mark? The executive who
failed to provide funding for an assistant, who rolled over when users
demanded unhindered WWW access through the "firewall," and who refused to
consider a recommendation for better control over user accounts? Damned
unlikely. No, it was the system admin's fault as far as management can
see.

The military is the same way. The machines are often being run by a tech
sergeant who has had 6 months training. The tools, training, and
technology are what are provided by planners far away and long ago.
Advocating that the people closest to the machines -- even the base
commanders -- is going to result in the wrong people being slammed.

Right now, the operators/admins don't have a lot of choice. Buy worthless
crap from vendor #1, or buy equally buggy crap from vendor #2. How can you
secure an OS that requires 2 emergency patches per week for security flaws
that have been known about for 20 years?
I remain convinced this is the first place we need to get some fixes. Otherwise, the unworthy and the responsible alike are going to be held accountable for what amounts to stopping an avalanche with a trowel.

Cheers,
--spaf

From firewalls-owner Tue Mar 3 16:56:46 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA05284; Mon, 2 Mar 1998 13:06:21 -0800 (PST)
Received: from sgi4.imagine-inc.com (sgi4.imagine-inc.com [205.218.128.10]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id NAA05142 for ; Mon, 2 Mar 1998 13:05:47 -0800 (PST)
Received: from imaginemedia.com ([205.218.129.242]) by sgi4.imagine-inc.com (Post.Office MTA v3.1 release PO203a ID# 0-45693U500L2S100) with ESMTP id AAA28164; Mon, 2 Mar 1998 13:11:02 -0800
Message-ID: <34FB20CD.6566B191@imaginemedia.com>
Date: Mon, 02 Mar 1998 13:12:45 -0800
From: orowley@imaginemedia.com (Owen Rowley)
X-Mailer: Mozilla 4.04 [en] (Win95; U)
MIME-Version: 1.0
To: Vin McLellan , cypherpunks@algebra.com, firewalls@greatcircle.com
Subject: Re: Infosec Accountability - 2 cents more
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Vin McLellan wrote:

> If military commanders received career-defining fitness reports
> which appropriately and knowledgeably evaluated the quality of the infosec
> management and resource protection on their base or ship, they damn well
> would do better than leave diaper-innocent 6-months-in-the-service sysops
> with responsibility (and no budget) for safeguarding their Command's
> digital crown jewels.

They also wouldn't cave to user-demand for poking holes in compromising a firewall so night shift could troll the porn sites, or play Quake2. !!
> If the military hierarchy used the same standard of accountability
> to evaluate the quality of infosec management that they routinely use to
> evaluate the quality of physical security around the base armory, the
> likelihood that a DoD Command would use a layered and properly-managed
> defense scheme is much higher. Put more bluntly: If a General had his star
> tarnished every time an easily-blocked cyber attack succeeded within his
> Command, military payroll and logistics data would surely be much more
> securely held than is the norm today.

Never underestimate an Officer's ability to pass the buck - and the blame!

> By the same token, of course, corporate executives with fiduciary
> responsibility for managing corporate resources should be hung out to dry
> when they allow infosec protection for corporate assets to fall below some
> minimal standard -- except, perhaps, when such risks are explicitly
> accepted, with a cost/benefit justification.

Made more laughable when one considers how many IS departments report to CFOs.

> For much of the past three decades, I thought the lack of
> accountability for infosec was temporary, a reflection of the utter
> ignorance of many corporate and military managers about IT. If that was
> once true, however, it no longer is -- and the fact that a CEO knows
> nothing about SEC filings or Accounting Principles is not an acceptable
> excuse for an organization failing to file appropriate and timely reports.
> What we see today is a systematic evasion of responsibility for appropriate
> infosec, and there is simply no excuse for it.

duh! - That's an agreement "duh" BTW. :-)

> The painful truth is, of course, that the people most responsible
> for the lousy state of infosec policy management (what policies, you hear
> them ask!?)
> and procedures, and implementation are the audit and infosec
> professionals themselves, who have never managed to explicitly define --
> and help the courts enforce -- a minimal standard of professional system
> management.

connect me-- connect me-- connect me--
oh wait-- reliability-- reliability-- reliability--
What? We're vulnerable!
protect me-- protect me-- protect me--
Shit! I have to learn how to scale the Walls!
exempt me-- exempt me-- exempt me--
We've been hacked?
--- *******it's YOUR fault!****** --

> With so many systems and networks now connected to the Internet and
> accessible to remote attacks, the lack of any such clearly-defined minimal
> standard of appropriate and professional IT stewardship becomes steadily
> more egregious.

hear, hear!

LUX ./. owen

From firewalls-owner Tue Mar 3 16:59:01 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA01973; Mon, 2 Mar 1998 10:31:15 -0800 (PST)
Received: from castle.us-state.gov (castle.us-state.gov [198.76.102.19]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id GAA18036 for ; Mon, 2 Mar 1998 06:29:51 -0800 (PST)
Received: by castle.us-state.gov; id AA25248; Mon, 2 Mar 98 09:36:33 EST
Received: from pubhost.us-state.gov(198.76.102.34) by castle.us-state.gov via smap id sma025159; Mon Mar 2 09:35:32 1998
Received: by pubhost.us-state.gov; id AA29672; Mon, 2 Mar 98 09:35:29 EST
Received: by localhost with Microsoft MAPI; Mon, 2 Mar 1998 09:38:31 -0500
Message-Id: <01BD45BE.F674E280.gwitte@us-state.gov>
From: Greg Witte
Cc: "'Firewalls@GreatCircle.COM'"
Subject: RE: Dial-up security breach?
Date: Mon, 2 Mar 1998 09:38:30 -0500
Organization: Contractor, US Dept of State, IM
X-Mailer: Microsoft Internet E-mail/MAPI - 8.0.0.4211
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I've seen this many times where a user feels a particular need for a service that the firewall does not support. In every case I can remember, we didn't feel the service could be safely supported through the WAN, and therefore we certainly didn't want it running through a dial-up link.

For the user, who whines like my 5-year-old nephew that he really, really neeeeeeeeeeds to the desktop, the rule is that the workstation must come off the network and become a sacrificial lamb. That forces the user to choose between corporate connectivity and department e-mail, or the service.

Bottom line: we understand the need for an occasional non-compliant dial-out (repeat outbound. once again, that's outbound. :^) but not on a network station.

Greg Witte
Contractor, US Department of State
Washington DC

On Monday, March 02, 1998 12:04 AM, Nance, Kenneth [SMTP:nancek@seoul-1sig.korea.army.mil] wrote:
> When we talk security, the issue is what are we trying to protect at
> what cost?
>
> We can impose the hardware, software, firmware and procedural techniques
> to secure our information and avoid denial of service. Looking at this
> from the aspect of securing the information, there are some
> vulnerabilities when e-mail applications (unencrypted) are used. Where
> does the mail sit prior to delivery?
>
> I want to discuss more but, I'll try to get back with you.
>
> >----------
> >From: Henry Hertz Hobbit[SMTP:hhhobbit@icarus.weber.edu]
> >Sent: Sunday, March 01, 1998 9:38 AM
> >To: klinec@mapcoinc.com
> >Cc: Firewalls@GreatCircle.COM
> >Subject: Re: Dial-up security breach?
> >
> >On Fri, 27 Feb 1998 klinec@mapcoinc.com wrote:
> >
> >> This is a little off-topic, but I thought I would try it anyway.
> >>
> >> We provide Internet access to 300 users enterprise-wide through
> >> our frame-relay WAN connections and our firewall at our corporate
> >> headquarters. Some users have decided to go out and get accounts
> >> with local ISPs and have dial-up connections in Windows95 or
> >> Windows NT to these ISPs. How much of a security risk does
> >> everyone think this may be? Since these users are typically
> >> dynamically assigned an IP address when they log in to their ISP,
> >> they then have TWO IP addresses on their system. One for the
> >> network card and one for the dial-up PPP connection. Could an
> >> attacker use this situation to attack our network? How likely
> >> is this?
> >>
> >> We are trying to eradicate this from our network, but some of
> >> these users are pretty stubborn.
> >
> >I don't understand what they have to be stubborn about. Why do
> >they need internet access TWO ways? It gives two ways in, and
> >even if an attack isn't found it soon will be 8^). Also, all
> >of those dial-up analog lines (assuming interior of company's
> >phone lines are digital) are costing your company $$. Me and a
> >friend were discussing this, and we believe we could access the
> >files on the PC. Sounds to me like you just made your firewall
> >pointless and useless. I know companies that have had firewalls
> >that were never breached, but the modem bank for home access
> >to employees caused numerous break-ins.
> >
> >Yank their phone lines...
> >
> >
> >The Hobbit (NOT the netcat one)
> >
>

From firewalls-owner Tue Mar 3 17:02:33 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA14898; Mon, 2 Mar 1998 11:19:46 -0800 (PST)
Received: from dns.portcullis-security.com (dns.portcullis-security.com [194.203.128.120]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id LAA14726 for ; Mon, 2 Mar 1998 11:19:10 -0800 (PST)
Received: from tgb-mailhost.portcullis-security.com (unverified [194.203.128.123]) by dns.portcullis-security.com (Integralis SMTPRS 2.04) with ESMTP id ; Mon, 02 Mar 1998 19:25:46 +0000
Received: by tgb-mailhost.portcullis-security.com with Internet Mail Service (5.0.1457.3) id ; Mon, 2 Mar 1998 19:18:14 -0000
Message-Id: <21905E09B270D111815400C0DFAA153307AF8A@tgb-mailhost.portcullis-security.com>
From: Thomas Liam Romanis
To: "'firewalls@GreatCircle.COM'"
Subject: HP GCC
Date: Mon, 2 Mar 1998 19:18:12 -0000
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1457.3)
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Dear All,

I wonder if anyone out there can help me out. I desperately need a GNU GCC compiler which is compatible with HP 800 Series 9000. The one I have does not have a compiler, daft huh? Anyway, please help if you can.

Cheers, Liam.
From firewalls-owner Tue Mar 3 18:00:57 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA00190; Tue, 3 Mar 1998 11:23:42 -0800 (PST)
Received: from teddyr.dyn.ml.org (slip166-72-164-139.tx.us.ibm.net [166.72.164.139]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id LAA00155 for ; Tue, 3 Mar 1998 11:23:31 -0800 (PST)
Received: from iname.com (syousif@teddyr.dyn.ml.org [192.168.1.1]) by teddyr.dyn.ml.org (8.8.8/(TeddyR-2.0.4)) with ESMTP id NAA08107; Tue, 3 Mar 1998 13:30:45 -0600
Message-ID: <34FC5A65.8B71DB3D@iname.com>
Date: Tue, 03 Mar 1998 13:30:45 -0600
From: Sami Yousif
Reply-To: syousif@iname.com
Organization: TeddyR Computers
X-Mailer: Mozilla 4.04 [en] (X11; I; Linux 2.0.33 i586)
MIME-Version: 1.0
To: firewalls@greatcircle.com
Subject: Re: mac address spoofing???
References: <199803030220.TAA23734@mail.elp.rr.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Rick Osteen wrote:
>
> Is it possible for a Gateway 2000 pc using windows 95 to spoof the mac
> address.
> The 2nd mac is the same as the first but it has a 02 in front of it.
>
> for example:
> 1st mac address : 00:60:81:32:ef:ab
> 2nd mac address: 02:60:81:32:ef:ab

This particular one may have been a "spike" on the wire (especially if it was only one packet and in one byte, causing data corruption). Unfortunately, that is enough to trigger alarms/switch off intelligent ports.... If it's "many" packets, then YES.

btw: a search from http://shadowland.cc.utexas.edu/oui.html
TV/COM INTERNATIONAL (00:60:81)
unknown (02:60:81)

So yes, there are some drivers that allow users to change the mac address for the win95 drivers. This is especially true for win95 machines that have the novell client32 installed.
(eg: the standard ne2000 driver does not allow it, but the kingston/and other ODI drivers for client32 DOES allow mac addresses to be changed as per the ODI specification to allow for "alternative" cards/shim configurations (like token ring and arcnet))

If the win95 machine does not have client32 installed, then it is possible that they are booting to dos mode (for games). If they are, they may have the DOS mode odi drivers installed with the hwaddr modifier in the net.cfg (can't remember the syntax offhand, but there is one)

Also, are you SURE that it is running win95? If they dual boot into Linux for example, it is trivial for "root" to change the address of the network card. The ne2000 driver under linux allows for it. (If I remember correctly, it was to allow hot swappable "drop in" replacements of machines in case of a problem)

eg: ifconfig eth0 hw ether 02:60:81:32:ef:ab

would make my network card seem to be the second NIC on your list. [the interface has to be taken down first, hw address changed, then reconfiged manually or via either the ISC dhcp client or the redhat client (or any other dhcp client)]

---
Sami Yousif
mailto:syousif@iname.com mailto:syousif@swbell.net
http://www.mav.net/teddyr/syousif http://teddyr.home.ml.org ftp://teddyr.dyn.ml.org
[eMail sent to any of my addresses is subject to the Conditions outlined in http://www.mav.net/teddyr/emailtos.shtml]
[Note: I no longer support ARNet as an ISP nor WTAMU as an educational institution nor LEK as a Computer Supplier]
[heard somewhere: "You have the right to remain clueless. Anything you know may be used against you in a court of law"]
Another day, so many more LARTS to go.
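Added example for the MAC question above (my code, not Sami Yousif's or anything from the list), in Python: it tests the locally-administered bit that the leading 02 sets, looks the OUI up in a constructed table, and separates a one-off sighting from a recurring one, the distinction the reply draws between a corrupted frame and a reconfigured card. The OUI table, the sightings and the repeat threshold are constructed assumptions.

```python
"""Triage for a "shadow" MAC that differs from a known card only by a leading 02.

Added example; not code from the post or the list. The 02 sets the IEEE U/L
bit (0x02 in the first octet), which marks a locally administered address,
exactly what a driver-level override produces. A single sighting can be a
corrupted frame; a recurring one points to a reconfigured NIC. OUI table,
sightings and threshold below are constructed.
"""
from collections import Counter
import re

# Constructed OUI table; the 00:60:81 entry is the one quoted in the post.
OUI_TABLE = {
    "00:60:81": "TV/COM INTERNATIONAL",
}

_MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-][0-9A-Fa-f]{2}){5}$")


def parse_mac(text):
    """Return the 6-byte address for 'aa:bb:cc:dd:ee:ff' or 'aa-bb-cc-dd-ee-ff'."""
    text = text.strip()
    if not _MAC_RE.match(text):
        raise ValueError("not a MAC address: %r" % text)
    return bytes(int(octet, 16) for octet in re.split(r"[:-]", text))


def format_mac(mac):
    """Canonical lower-case, colon-separated form."""
    return ":".join("%02x" % b for b in mac)


def is_locally_administered(mac):
    """U/L bit: bit 1 of the first octet (first octet 02, 06, 0a, 0e, ...)."""
    return bool(mac[0] & 0x02)


def is_multicast(mac):
    """I/G bit: bit 0 of the first octet; never legitimate as a source address."""
    return bool(mac[0] & 0x01)


def vendor(mac):
    """Look the OUI (first three octets) up in the constructed table."""
    return OUI_TABLE.get(format_mac(mac[:3]), "unknown")


def universal_twin(mac):
    """Same address with the U/L bit cleared: 02:60:81:... becomes 00:60:81:..."""
    return bytes([mac[0] & ~0x02]) + mac[1:]


def triage(sightings, repeat_threshold=3):
    """Classify every locally administered source MAC in a list of sightings.

    sightings: one MAC string per observed frame (constructed input).
    Returns {mac: verdict}:
      'reconfigured-nic'      seen at least repeat_threshold times,
      'corrupted-frame?'      seen fewer times while its U/L-cleared twin is
                              also on the wire (consistent with one flipped bit),
      'unexplained-local-mac' otherwise.
    """
    counts = Counter(format_mac(parse_mac(s)) for s in sightings)
    verdicts = {}
    for text, seen in counts.items():
        mac = parse_mac(text)
        if not is_locally_administered(mac):
            continue
        twin = format_mac(universal_twin(mac))
        if seen >= repeat_threshold:
            verdicts[text] = "reconfigured-nic"
        elif twin in counts:
            verdicts[text] = "corrupted-frame?"
        else:
            verdicts[text] = "unexplained-local-mac"
    return verdicts


if __name__ == "__main__":
    # Constructed sightings: the two addresses from the post, the second seen once.
    frames = ["00:60:81:32:ef:ab"] * 5 + ["02:60:81:32:ef:ab"]
    for addr in ("00:60:81:32:ef:ab", "02:60:81:32:ef:ab"):
        mac = parse_mac(addr)
        kind = "local" if is_locally_administered(mac) else "universal"
        print(addr, kind, vendor(mac))
    print(triage(frames))
```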
[BOFH, BUFH]

From firewalls-owner Tue Mar 3 18:03:37 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA06331; Tue, 3 Mar 1998 09:46:57 -0800 (PST)
Received: from web.truevision.net (web.truevision.net [205.180.174.14]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id JAA06082 for ; Tue, 3 Mar 1998 09:45:47 -0800 (PST)
Received: from osimail.osi-ve.com (osimail.osi-ve.com [205.180.174.101]) by web.truevision.net (8.8.8/8.8.8) with ESMTP id OAA04465 for ; Tue, 3 Mar 1998 14:03:43 +0400
Received: by DAGOBAH with Internet Mail Service (5.0.1458.49) id ; Tue, 3 Mar 1998 11:16:22 -0400
Message-ID: <745012C45A6AD111910100A024D626A53153@DAGOBAH>
From: Jose Caldera
To: "'soucpower@geocities.com'"
Cc: "'firewalls@GreatCircle.COM'"
Subject: RE: Active content filtering
Date: Tue, 3 Mar 1998 11:16:19 -0400
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1458.49)
Content-Type: multipart/alternative; boundary="---- =_NextPart_001_01BD4695.CBF5B1B0"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

There is a beta product from cheyenne (now CA): InocuLAN Content Inspector. You can apply for becoming a beta tester in their web page.

Seems great to me!

Bye,

Jose Caldera
jcaldera@osi-ve.com
http:\\www.osi-ve.com
tlf: 58 2 2611727 / 2618234
FAX: 58 2 2616396
OSI Interconexion de Sistemas Abiertos
Caracas - Venezuela

> -----Original Message-----
> From: soucpower@geocities.com [SMTP:soucpower@geocities.com]
> Sent: Saturday, December 27, 1997 1:30 PM
> To: firewalls@GreatCircle.COM
> Subject: Active content filtering
>
> Hi all,
>
> We have been asked by our management to securely allow active content
> through our firewalls to let people do their job.... Nice request
> isn't it ?
>
> Now the "do their job" means letting our NT guys access Microsoft's
> web site which is full of active content, and Compaq. Our unix sysadmins
> connect to sun, hp... We have started to look at Finjan, eSafe and
> Sessionwall. eSafe looks to be quite good. But very complicated to set
> up correctly. Finjan and Sessionwall are less suited to our needs.
>
> I was wondering if there were products which would filter active
> content on base of the web site it came from ? That is if the user is
> connecting to www.microsoft.com, allow active content, but if he is connecting to
> www.hackers.net don't.
>
> Yes I know it means trusting 100% what is on Microsoft's web site, but
> I think it is better than trying to get one of those very complicated
> tools to work, without having to define a policy manually for each of
> our users.
>
> Thanks in advance for your input
> Bruno

From firewalls-owner Tue Mar 3 18:06:14 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA28261; Tue, 3 Mar 1998 15:50:19 -0800 (PST)
Received: from ilms.nla.gov.au (ilms.nla.gov.au [192.102.239.30]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id PAA27976 for ; Tue, 3 Mar 1998 15:49:23 -0800 (PST)
Received: from gandalf.nla.gov.au (mirkwood.nla.gov.au [203.4.202.35]) by ilms.nla.gov.au (8.6.12/8.6.12) with SMTP id KAA103538 for ; Wed, 4 Mar 1998 10:57:10 +1000
Received: by gandalf.nla.gov.au with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5) id <01BD4753.C4E5E3E0@gandalf.nla.gov.au>; Wed, 4 Mar 1998 09:56:14 +1000
Message-ID:
From: Yinan Yang
To: "'Firewalls@GreatCircle.COM'"
Subject: FW: Majordomo results
Date: Wed, 4 Mar 1998 09:56:13 +1000
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Thanks all of you

Yinan

>----------
>From: Yinan Yang
>Sent: Wednesday, 4 March 1998 10:53AM
>To: 'yann clouet'
>Subject: RE: Majordomo results
>
>Thanks
>
>I have succeeded in unsubscribing without my email address.
> ie. unsubscribe firewalls
>
>So, I think the scripts to check messages can be improved a bit. :-)
>
>Cheers
>
>Yinan
>
>----------
>From: yann clouet[SMTP:clouet@solucom.fr]
>Sent: Wednesday, 4 March 1998 3:34AM
>To: Yinan Yang
>Subject: RE: Majordomo results
>
>> Someone may need to check "Majordomo@GreatCircle.Com"'s scripts.
>> Why is it so hard to get off the list?!
>>
>> Anyone has similar problems?
>>
> I did when subscribing,
>
>> >>>>> >unsubscribe firewalls yyang@nla.gov.au
>> >**** Command '>unsubscribe' not recognized.
>>
> For both levels (subscribing then confirmation) I had to send
>again the message before it works.
> Good luck.
>
>

From firewalls-owner Tue Mar 3 18:19:01 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id RAA16045; Tue, 3 Mar 1998 17:03:32 -0800 (PST)
Received: from mermaid.shore.net (mermaid.shore.net [207.244.124.6]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id PAA17078 for ; Tue, 3 Mar 1998 15:13:25 -0800 (PST)
Received: from vin.shore.net ([198.115.179.81]) [198.115.179.81] by mermaid.shore.net with esmtp (Exim) id 0yA0z2-0003Ec-00; Tue, 3 Mar 1998 18:20:26 -0500
X-Sender: vin@shell1.shore.net
Message-Id:
In-Reply-To: <199803022213.RAA06281@dorsai.cs.purdue.edu>
References: Message from Vin McLellan of "Mon, 02 Mar 1998 13:04:44 -0500"
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 3 Mar 1998 18:03:23 -0500
To: spaf@cs.purdue.edu (Gene Spafford)
From: Vin McLellan
Subject: Re: Infosec Accountability - 2 cents more
Cc: William Hugh Murray , , , , ,
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Gene Spafford wrote:

>In most organizations, the responsibility and the authority for security
>reside in different spots. All too often, the people with the responsibility
>don't have the training, the budget, or the management support to do as good
>a job as they know how to do. Meanwhile, the people with the authority to
>make a difference don't have the training, the risk models, or the economic
>incentive to do a better job.

Neatly summarized! You describe an infrastructure with no effective accountability. Now, the question is: what can possibly reconfigure this dangerous, indeed disastrous, model?

No one but a fool is going to disagree with the call you, Simson, Peter and others make for greater assurance in commercial OS and application software -- but, Spaf, would better software address the problem you outline here? I suggest it will not and can not.
Upgrading the quality of software does nothing to address the problems of resource allocation and risk assessment you so poignantly declare. And can we leave it at that???

>From my experience, if any "expert" is quoted as saying that someone should
>get the axe for allowing a breakin to happen, the person who gets squashed is
>the poor end administrator who never had the budget or tools to do anything
>about the situation. He/she simply gets blamed.

I don't want sacrificial altars either. What I'm asking is: what new convention could be introduced into this situation so that those with authority over the allocation of resources could be routinely confronted with an auditor's demand that they either appropriately fund infosec or accept responsibility for an out-of-scale ratio of risk vs. infosec investment?

I'd love to see prominent leaders of this profession like yourself, PGN, and Bill Murray to help us come up with _something_ that will give a network or system administrator a capacity to say that the risk of connecting _that_ system holding _those_ resources to _that_ network with or without a restrictive firewall is irresponsible and unprofessional.

Until there is that sort of professional consensus -- some explicit declaration of unprofessional and irresponsible system or risk management -- the sysadmins and network managers have no defense against pressures put upon them by those with authority but no sense of system realities.

I think that ultimately what we need is a semi-independent audit function, and a requirement that out-of-scale risks be overtly acknowledged and reported up the ladder. That would establish a self-correcting system which would allow something more constructive than human sacrifice to come out of forensic reviews of attacks and/or routine infosec audits. But someone, somewhere, has to be invested with both authority and responsibility -- even such a pairing looks like a new idea in IT infosec management.
I'm not so naive as to expect all attacks will ever be blocked. (I think Bill Murray is right when he warns that with a big enough hammer any lock can be broken.) An appropriate allocation of resources will often fail to block an inappropriate investment in an attack -- but until there is a professional consensus for the minimal proportion of value vs. risk (and basics like a minimal pattern of patch update and maintenance,) there is no ground to declare any level of carelessness unprofessional or inappropriate.

Without that overt "line in the sand," none of the line troops -- nor their more knowledgeable superiors -- can hope to resist (or even complain about) irresponsible demands that lower or remove system or network defenses.

And, of course, without some forced connection between allocation of resources (authority) and the infosec risks accepted (responsibility) there will never be anyone with standing to demand a higher quality of software assurance either!

Better OS code would be great -- but a risk model that could force the disconnection of a million LANS from the network (totally, or for all but scheduled and short-term batch uploads and downloads) until the security and integrity of their assets could be reinforced with a firewall, and/or strong user authentication, and/or network crypto, would be a treasure.

If such a model (ratio?) could be declared a consensus of infosec professionals, the manager who ignores it could face a serious risk of dismissal, or poor performance ratings, and/or other types of liability. Surely we can steal that much from the CPAs and other professions which offer models of systematic asset management?

Will any such model be perfect? No.
OTOH, if there is no effort to define, within the profession, a minimum quality of security administration, or some minimal defense infrastructure for critical assets online, we all know that there will be alternative proposals -- legislative, regulatory, and police -- that seek to address our problems.

Good luck,
_Vin

[...]

>
>Think about it -- some poor sysadmin is required to run 50 NT boxes without
>add-on software. She's got to keep all the software up-to-date, answer user
>questions, do backups, and do minor maintenance. She's told she has to allow
>access to the WWW and outside ftp for all users. She has to allow unfettered
>email in and out. Plus, she can't get the budget to hire an assistant,
>license a scanner, or buy a one-time password system.
>
>Along comes a hacker who waltzes in, does some damage, and waltzes out. Who
>do you think gets the blame and the black mark? The executive who failed to
>provide funding for an assistant, who rolled over when users demanded
>unhindered WWW access through the "firewall," and who refused to consider a
>recommendation for better control over user accounts? Damned unlikely. No,
>it was the system admin's fault as far as management can see.
>
>The military is the same way. The machines are often being run by a tech
>sergeant who has had 6 months training. The tools, training, and technology
>are what are provided by planners far away and long ago. Advocating that the
>people closest to the machines -- even the base commanders -- is going to
>result in the wrong people being slammed.
>
>Right now, the operators/admins don't have a lot of choice. Buy worthless
>crap from vendor #1, or buy equally buggy crap from vendor #2. How can you
>secure an OS that requires 2 emergency patches per week for security flaws
>that have been known about for 20 years? I remain convinced this is the
>first place we need to get some fixes.
>Otherwise, the unworthy and the
>responsible alike are going to be held accountable for what amounts to
>stopping an avalanche with a trowel.
>
>Cheers,
>--spaf

-----
Vin McLellan + The Privacy Guild + 53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548 -- <@><@> --

From firewalls-owner Tue Mar 3 18:24:55 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA04636; Tue, 3 Mar 1998 11:48:13 -0800 (PST)
Received: from alushta.NL.net (alushta.NL.net [193.78.240.22]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id LAA04612 for ; Tue, 3 Mar 1998 11:48:01 -0800 (PST)
Received: from pggm by alushta.NL.net with UUCP id <14980-5918>; Tue, 3 Mar 1998 20:44:02 +0100
Received: from mailhost.pggm.nl by pggm.nl (SMI-8.6/SMI-4.1) id UAA06257; Tue, 3 Mar 1998 20:38:01 +0100
Received: from bj014.pggm.nl by mailhost.pggm.nl (SMI-8.6/SMI-SVR4) id UAA27574; Tue, 3 Mar 1998 20:38:02 +0100
Received: from mail01.pggm.nl by bj014.pggm.nl (SMI-8.6/SMI-SVR4) id UAA27522; Tue, 3 Mar 1998 20:40:33 +0100
Received: by mail01.pggm.nl with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52) id <01BD46E4.7A65C660@mail01.pggm.nl>; Tue, 3 Mar 1998 20:39:35 +0100
Message-ID:
From: "Grutter H."
To: "'firewalls@GreatCircle.COM'" , "'cbrenton@sover.net'"
Subject: AW: New Security Firm Launches Online Services
Date: Tue, 3 Mar 1998 20:39:34 +0100
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Thanx for the warning Chris. You say it is not the first time, so can you tell me where other (free) sites are that provide patches?
Hans

>----------
>From: Chris Brenton[SMTP:cbrenton@sover.net]
>Sent: Tuesday 3 March 1998 17:45
>To: firewalls@GreatCircle.COM
>Subject: Re: New Security Firm Launches Online Services
>
>Shake Communications PTY LTD wrote:
>
>> Located at http://www.shake.net, the launch is welcome news to security
>> professionals and IT managers throughout the world.
>
>Yes, we are all dancing in the street.
>
>
>> For the first time, they
>> have at their finger tips the world's biggest, categorised, searchable and
>> up-to-date collection of vulnerabilities and patches in the hardware and
>> software commonly used by organisations today.
>
>First time? Have we done our homework?
>
>Sure, provided you are willing to *pay* for the service. While this reads
>like a public service, it is conveniently not mentioned that you need $$$ to get
>access.
>
>Talk about slippery SPAM!
>
>Cheers,
>Chris
>
>
>

From firewalls-owner Tue Mar 3 20:03:17 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA04645; Tue, 3 Mar 1998 11:48:16 -0800 (PST)
Received: from alushta.NL.net (alushta.NL.net [193.78.240.22]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id LAA04617 for ; Tue, 3 Mar 1998 11:48:04 -0800 (PST)
Received: from pggm by alushta.NL.net with UUCP id <14590-11679> convert rfc822-to-8bit; Tue, 3 Mar 1998 20:44:03 +0100
Received: from mailhost.pggm.nl by pggm.nl (SMI-8.6/SMI-4.1) id UAA06198; Tue, 3 Mar 1998 20:34:19 +0100
Received: from bj014.pggm.nl by mailhost.pggm.nl (SMI-8.6/SMI-SVR4) id UAA27243; Tue, 3 Mar 1998 20:34:20 +0100
Received: from mail01.pggm.nl by bj014.pggm.nl (SMI-8.6/SMI-SVR4) id UAA27355; Tue, 3 Mar 1998 20:36:49 +0100
Received: by mail01.pggm.nl with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52) id <01BD46E3.F5408A10@mail01.pggm.nl>; Tue, 3 Mar 1998 20:35:52 +0100
Message-ID:
From: "Grutter H."
To: "'firewall post'" , "'Litney, Tom'"
Subject: AW: IDS: Re: RE: Simply a Question "?"
Date: Tue, 3 Mar 1998 20:35:50 +0100
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8BIT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

Doesn't this work? (see below)

Hans

Welcome to the firewalls mailing list!

Please save this message for future reference. Thank you.

If you ever want to remove yourself from this mailing list, you can send mail to with the following command in the body of your email message:

unsubscribe firewalls

>----------
>From: Litney, Tom[SMTP:TLitney@caiso.com]
>Sent: Monday 2 March 1998 17:12
>To: 'firewall post'
>Subject: Re: IDS: Re: RE: Simply a Question "?"
>
>
>>I want to get off this list too!
>>It is easy to get on, and impossible to get off!!!!!
>>I have been to the homepage and searched the net for weeks now.
>>Please tell me how to get off this list.
>>wildfire@island.net
>
>Welcome to the Hotel California!
>
>(sorry folks, I couldn't resist :-P )
>
>Disclaimer: The above represents my personal opinions and not an
>official endorsement or position by the California ISO,
> my current employer. I reserve the right to disavow them at my
>convenience.
> > > > From firewalls-owner Tue Mar 3 20:05:43 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA25616; Tue, 3 Mar 1998 06:39:12 -0800 (PST) Received: from rfc.com ([207.51.216.62]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id GAA25595 for ; Tue, 3 Mar 1998 06:39:00 -0800 (PST) Received: from GMAC-HUB-Message_Server by rfc.com with Novell_GroupWise; Tue, 03 Mar 1998 09:46:09 -0500 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Tue, 03 Mar 1998 09:48:04 -0500 From: Brett Mayer To: Firewalls@GreatCircle.COM Subject: Re: Firewalls-Digest V7 #95 Mime-Version: 1.0 Content-Type: text/plain Content-Disposition: inline Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Date: Fri, 27 Feb 1998 12:54:44 -0500 From: STEVE.CONNOLLY@arpstl-emh2.army.mil Subject: Netbios traffic late at night. Receiving some interesting if not suspicious activity during late night hours... I am wondering if anyone has any ideas?? We are running 3 proxy servers in an array configuration....With 1500 users, we probably hit a good deal of remote web servers on a daily basis.... The oddity is that some of those web server try to talk back to us during the midnight hours. The firewall is reporting attempted connections via udp/137 which is Netbios right?? Anyone have similar occurances? ------------------------------------------------------------------------------------------------------------------------------ 137 is a NetBIOS port, I would suggest blocking all NetBIOS ports 137-139 for the external network. 
Maybe look at the logs to find the IP addresses and then do some nslookup to find the admins of the machine in question

From firewalls-owner Tue Mar 3 21:33:08 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA13745; Tue, 3 Mar 1998 08:08:45 -0800 (PST)
Received: from x400gtw.pararede.pt (x400gtw.pararede.pt [194.79.64.130]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id IAA13385 for ; Tue, 3 Mar 1998 08:06:57 -0800 (PST)
From: manuel.ricca@pararede.pt
Received: by x400gtw.pararede.pt (8.6.8.1/1.2-eef) id QAA24588; Tue, 3 Mar 1998 16:13:50 GMT
X400-Received: by /PRMD=pararede/ADMD=ip/C=pt; Relayed; 03 Mar 98 16:13:43 +0000
Date: 03 Mar 98 16:13:43 +0000
Delivery-Date: 03 Mar 98 16:13:50 +0000
Message-Type: Multiple Part
X400-Originator: manuel.ricca@pararede.pt
X400-MTS-Identifier: [/PRMD=pararede/ADMD=ip/C=pt;ISOCOR-34e7e483-Tubarao]
X400-Recipients: firewalls@greatcircle.com
Original-Encoded-Information-Types: Teletex
X400-Content-Type: P2-1984
Message-ID:
Importance: normal
Subject: RE: Re: Dial-up security breach?
Autoforwarded: FALSE
To: firewalls@greatcircle.com (Non Receipt Notification Requested)
In-Reply-To:
Conversion: Allowed
Conversion-With-Loss: Allowed
Alternate-Recipient: Prohibited
Content-Identifier: RE: Re: Dial-up
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8Bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

They would have to be running a remote access server (such as RAS) wouldn't they?

-----------------
Manuel Ricca
ParaRede - Tecnologias de Comunicação, S.A.
R. D. Constantino de Bragança, 12
1400 Lisboa
Portugal
Tel: +351 1 3020451
Fax: +351 1 3020444
E-mail: manuel.ricca@pararede.pt
-------------------

From: firewalls-owner@GreatCircle.COM
To: klinec@mapcoinc.com;Firewalls@greatcircle.com
Cc:
Subject: Re: Dial-up security breach?
Date: 03-03-1998 00:30

Horrible idea, most Windows95 users have at least one or two shared directories on their PCs, 99% of the time without any password level protection - it is trivial to access the contents of these directories via Netbios as your ISP is probably not filtering any traffic.

--greg

At 02:42 PM 2/27/98 -0600, klinec@mapcoinc.com wrote:
>This is a little off-topic, but I thought I would try it anyway.
>
>We provide Internet access to 300 users enterprise-wide through our
>frame-relay WAN connections and our firewall at our corporate headquarters.
>Some users have decided to go out and get accounts with local ISPs and have
>dial-up connections in Windows95 or Windows NT to these ISPs. How much of
>a security risk does everyone think this may be? Since these users are
>typically dynamically assigned an IP address when they log in to their ISP,
>they then have TWO IP addresses on their system. One for the network card
>and one for the dial-up PPP connection. Could an attacker use this
>situation to attack our network? How likely is this?
>
>We are trying to eradicate this from our network, but some of these users
>are pretty stubborn.
>
>Thanks,
>Curtis Kline
>Network System Engineer
>MAPCO Coal, Inc.
>Tulsa, OK
>
>
>
>

__________________________________________________________________
Gregory Perry                       phone: 703.318.7134
Trusted Computer Solutions, Inc.    fax:   703.318.5041
13873 Park Center Road Suite 225    email: gperry@tcs-sec.com
Herndon, VA 20171                   http://www.tcs-sec.com
__________________________________________________________________

From firewalls-owner Wed Mar 4 00:21:24 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA06452; Tue, 3 Mar 1998 23:57:59 -0800 (PST)
Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-980202-1) id XAA06400 for firewalls@greatcircle.com; Tue, 3 Mar 1998 23:57:49 -0800 (PST)
Received: from aura.title14.com (aura.title14.com [206.34.180.4]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id HAA14053 for ; Sun, 1 Mar 1998 07:39:33 -0800 (PST)
Received: from localhost (ptrainor@localhost) by aura.title14.com (8.8.5/8.6.9) with SMTP id LAA27431; Sun, 1 Mar 1998 11:52:50 -0500
X-Authentication-Warning: aura.title14.com: ptrainor owned process doing -bs
Date: Sun, 1 Mar 1998 11:52:50 -0500 (EST)
From: Pat Trainor
X-Sender: ptrainor@aura
To: Roger Books
cc: firewalls@GreatCircle.COM
Subject: Re: Monitoring Web Server
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

What's wrong with a simple telnet script to port 80?

telnet www.host.com 80
GET /

???

On Thu, 26 Feb 1998, Roger Books wrote:

> Date: Thu, 26 Feb 1998 10:03:21 -0500 (EST)
> From: Roger Books
> To: firewalls@GreatCircle.COM
> Subject: Re: Monitoring Web Server
>
>
> > > Does anyone know of a program that will monitor a web server (no ping,
> > > but an actual access of the URL), and if the access doesn't work, page
> > > me...
> > >
> > > I would prefer a DOS, Win 3.X or WIN95 solution. But will go to NT or
> > > UNIX if need be.
> > >
>
> You might check into BB (Big Brother). This is mainly unix though.
> If you want to take a look at my (rewritten version) it's at:
>
> http://www.geocities.com/Area51/Cavern/2371/
>
> My version is all C and TCL/Scotty, I don't really think it will run
> on NT without Mods.
>
> The scotty http get pulls the info and stores it into a file, I send
> it to /dev/null and just make sure the return value is valid. You
> could send it to a file and then verify the contents.
>
> I do my paging with qpage on my Solaris box, but qpage also (I believe)
> runs on Linux.
>
> This is a little heavier duty system than what you are asking for, it
> does http, snmp, tacacs, %full on disk, items in mail spool, etc etc.
>
> Also, before anyone flames me, this, like the regular BB, counts on the
> client not lying about who it is. I do some trivial checks to make
> sure it isn't garbage and make sure the message isn't too long. The
> part that accepts the input from the clients runs from inetd, so you
> should wrapper it. It also does a few things like "retry for 10 minutes
> before paging me after hours", "don't page me during network maintenance
> time", page me if it comes back, etc etc. The one thing I really need
> to do though is not have it page me for everything when the local gateway
> goes down or the MAN in Tallahassee drops. (Our network is bridged over
> the MAN.)
>
> Roger
>

pat :)

Pat Trainor|System Administration|Network Operations|GTE Internetworking
________________________________________________________________________
[ASCII-art banner: GTE Internetworking - Powered by BBN]
________________________________________________________________________
ptrainor@bbnplanet.com  ptrainor@bbn.com  ptrainor@bbnplanet.net
Perl, PHP/FI, *NIX, HTML, CGI, SQL, RDBMS, NT*, Security, Admin, ...
will program for boat

From firewalls-owner Wed Mar 4 00:33:17 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id UAA27190; Tue, 3 Mar 1998 20:31:05 -0800 (PST)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id UAA27123 for ; Tue, 3 Mar 1998 20:30:47 -0800 (PST)
Received: from cs.weber.edu ([137.190.16.18]) by miles.greatcircle.com (8.8.5/8.8.5) with SMTP id UAA12250 for ; Tue, 3 Mar 1998 20:37:14 -0800 (PST)
Received: from icarus.weber.edu by cs.weber.edu (4.1/SMI-4.1.1) id AA21820; Tue, 3 Mar 98 21:34:06 MST
Received: by icarus.weber.edu (5.x/SMI-SVR4) id AA29567; Tue, 3 Mar 1998 21:44:03 -0700
Date: Tue, 3 Mar 1998 21:44:03 -0700 (MST)
From: Henry Hertz Hobbit
To: num-lock
Cc: firewalls@greatcircle.com
Subject: Re: usubscrible firewalls
In-Reply-To: <34FA59D3.B9AD2D19@intermediatn.net>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Sun, 1 Mar 1998, num-lock wrote:

> usubscrible firewalls
>
> now please
>

Then send it to: MajorDomo@GreatCircle.com

with message: unsubscribe firewalls

(add 'n', remove 'l')

From firewalls-owner Wed Mar 4 00:35:17 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA14067; Tue, 3 Mar 1998 12:27:15 -0800 (PST)
Received: from mail1.sla.com (mail1.sla.com [207.153.168.35]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id MAA13953 for ; Tue, 3 Mar 1998 12:26:52 -0800 (PST)
Received: by mail.sla.com with Internet Mail Service (5.5.1960.3) id ; Tue, 3 Mar 1998 12:30:36 -0800
Message-ID:
From: "Stackpole, Bill"
To: "'rabbi@www.valuu.net'" , Patrick Prue x-270
Cc: firewalls@GreatCircle.COM
Subject: RE: Radius Solutions for NT
Date: Tue, 3 Mar 1998 12:30:34 -0800
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.1960.3)
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Steelbelted RADIUS from Funk Software. Also a good inexpensive product is available from Emerald Software in Spokane, WA.

> -----Original Message-----
> From: rabbi@www.valuu.net [SMTP:rabbi@www.valuu.net]
> Sent: Monday, March 02, 1998 1:44 PM
> To: Patrick Prue x-270
> Cc: firewalls@GreatCircle.COM
> Subject: Re: Radius Solutions for NT
>
> I wouldn't use the Livingston Product ---- now Lucent Technologies. We
> bought it and it would not work, couldn't be configured, and all the
> help we got from them was complaints about our modem. We are currently suing
> them.
>
> Shalom Berakha VeTova
> Rabbi Haim Cassorla HY"V
> www.valuu.net
> www.HaReshima.com
>
> -----Original Message-----
> From: Patrick Prue x-270
> To: 'firewalls@greatcircle.com'
> Date: Saturday, February 28, 1998 1:55 AM
> Subject: Radius Solutions for NT
>
>
> >I am looking at what RADIUS Solutions are available on an NT Platform..
> >Any one have suggestions / Comments
> >
> >Thanks

From firewalls-owner Wed Mar 4 00:37:17 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA21998; Tue, 3 Mar 1998 10:50:55 -0800 (PST)
Received: from loas.clark.net (loas.clark.net [168.143.0.13]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id KAA21825 for ; Tue, 3 Mar 1998 10:50:16 -0800 (PST)
Received: from shell.clark.net (mht@shell [168.143.0.8]) by loas.clark.net (8.8.8/8.8.8) with SMTP id NAA09392; Tue, 3 Mar 1998 13:57:36 -0500 (EST)
Date: Tue, 3 Mar 1998 13:57:30 -0500 (EST)
From: Mark Teicher
To: Chris Brenton
cc: firewalls@GreatCircle.COM
Subject: Re: New Security Firm Launches Online Services
In-Reply-To: <34FC33AB.7A8DB752@sover.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This is another reason for the auditing workgroup Bret Watson is putting together to ensure that quality people who have been trained or
certified or whatever to back what the company Shake is preaching they can do. Still waiting for a couple of Big N-1 firms to step up and advertise similar service offerings and state they have players in place.. Let's welcome some of the players that have left one Big N-1 firm and joined another Big N-1 firm in the recent months. Now we can dance in the streets .:)

/mht

On Tue, 3 Mar 1998, Chris Brenton wrote:

> Shake Communications PTY LTD wrote:
>
> > Located at http://www.shake.net, the launch is welcome news to security
> > professionals and IT managers throughout the world.
>
> Yes, we are all dancing in the street.
>
>
> > For the first time, they
> > have at their finger tips the world's biggest, categorised, searchable and
> > up-to-date collection of vulnerabilities and patches in the hardware and
> > software commonly used by organisations today.
>
> First time? Have we done our homework?
>
> Sure, provided you are willing to *pay* for the service. While this reads like a
> public service, it is conveniently not mentioned that you need $$$ to get
> access.
>
> Talk about slippery SPAM!
>
> Cheers,
> Chris
>
>

##########################################################
'Turn on, Boot Up, Jack in'
#########################################################

From firewalls-owner Wed Mar 4 00:37:21 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA04673; Tue, 3 Mar 1998 09:36:42 -0800 (PST)
Received: from MISsentry.el.nec.com ([192.216.82.86]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id JAA04544 for ; Tue, 3 Mar 1998 09:36:11 -0800 (PST)
Received: from yginsburg.el.nec.com (yginsburg.el.nec.com [143.103.21.11]) by MISsentry.el.nec.com (8.7.1/8.7.1) with SMTP id JAA26514; Tue, 3 Mar 1998 09:42:40 -0800 (PST)
Received: by yginsburg.el.nec.com (SMI-8.6/SMI-SVR4) id JAA23023; Tue, 3 Mar 1998 09:42:20 -0800
Date: Tue, 3 Mar 1998 09:42:20 -0800
From: rdew@el.nec.com (Bob De Witt)
Message-Id: <199803031742.JAA23023@yginsburg.el.nec.com>
To: firewalls@GreatCircle.COM, msimonyi@woodbridge.com
Subject: Re: Solaris Books
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Mike,

Try the two books from Sunsoft. The first one contains a conversion table from BSD for many programs.

1. Solaris System Administrator's Guide, by Janice Winsor, SunSoft Press 1993 (Ziff-Davis), ISBN 1-56276-080-7
2. Solaris Advanced System Administrator's Guide, by Janice Winsor, SunSoft Press 1993 (Ziff-Davis), ISBN 1-56276-131-5

They are dated, but relevant. If you have Solaris X86 for 2.5[.1] or 2.6, use the Answerbook sections to read about it.

A couple more modern books are:

3. UNIX System Administration Handbook, by Evi Nemeth, et al, 2nd ed ONLY, Prentice-Hall, 1995, ISBN 0-13-151051-7
4. O'Reilly set of books

Good Luck,

Bob De Witt, rdew@el.nec.com
The views expressed herein are my own, and are not attributable to any other source, be it employer, friend or foe.
> From msimonyi@woodbridge.com Mon Mar 2 18:54:21 1998
> From: Michael Simonyi
> To: "firewalls@GreatCircle.COM"
> Subject: Solaris Books
> Date: Mon, 2 Mar 1998 11:27:37 -0500
>
> To whom it may concern.
>
> I'm looking for a good book on Solaris. Basically looking for topics that
> revolve around installation and configuration for the Intel platform.
>
> Mike
>
>

From firewalls-owner Wed Mar 4 01:32:41 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA05586; Tue, 3 Mar 1998 23:53:27 -0800 (PST)
Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-980202-1) id XAA05566 for firewalls@greatcircle.com; Tue, 3 Mar 1998 23:53:22 -0800 (PST)
Received: from ceb (bgs1.tactik.com [206.47.15.2]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id XAA07443 for ; Sat, 28 Feb 1998 23:56:12 -0800 (PST)
Received: from ideas-mtl-1.ceb.qc.ca (ideas-mtl-1.ceb.qc.ca [204.101.110.66]) by ceb (SMI-8.6/8.6.11) with ESMTP id DAA12195 for ; Mon, 9 Feb 1998 03:02:39 -0500
Received: from ideas-mtl-1.ceb.qc.ca ([127.0.0.1]) by ideas-mtl-1.ceb.qc.ca (Netscape Messaging Server 3.0) with SMTP id AAA3922; Sun, 1 Mar 1998 03:02:50 -0500
X-UNIX-From: firewalls-owner@GreatCircle.COM Fri Feb 27 21:22 EST 1998
Received: from ceb by tactik.COM (8.6.12/SMI-SVR4) id VAA19375; Fri, 27 Feb 1998 21:22:37 -0500
Received: from bgs1.tactik.com (blackhole1-le2.tactik.com [204.101.110.8]) by ceb (SMI-8.6/8.6.11) with ESMTP id VAA29744 for ; Sat, 7 Feb 1998 21:20:31 -0500
Received: from cerbere.tactik.com (cerbere [206.47.15.2]) by bgs1.tactik.com (8.8.6/8.6.11) with SMTP id VAA14603 for ; Fri, 27 Feb 1998 21:17:40 -0500 (EST)
Received: (from uucp@localhost) by bgs2 (SMI-8.6/8.6.11) id VAA22599 for ; Fri, 27 Feb 1998 21:18:53 -0500
Received: from relay3.uu.net(192.48.96.8) by bgs2 via smap (3.2) id xma022597; Fri, 27 Feb 98 21:18:27 -0500
Received: from honor.greatcircle.com by relay3.UU.NET with ESMTP (peer crosschecked as: honor.greatcircle.com [198.102.244.44]) id QQeept03855; Fri, 27 Feb 1998 21:18:53 -0500 (EST)
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id VAA24071; Thu, 26 Feb 1998 21:13:16 -0800 (PST)
Received: from wend.dircon.co.uk (wend.dircon.co.uk [194.112.45.154]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id PAA29745 for ; Thu, 26 Feb 1998 15:15:26 -0800 (PST)
Received: from localhost (dwhitlow@localhost) by wend.dircon.co.uk (8.8.5/8.8.5) with SMTP id XAA01533; Thu, 26 Feb 1998 23:20:18 GMT
Date: Thu, 26 Feb 1998 23:20:18 +0000 (GMT)
From: Dave Whitlow
To: Bernd Eckenfels
cc: Victor Volpe , firewalls@GreatCircle.COM, vvolpe@ici.com
Subject: Re: Public Domain Firewall Source Code
In-Reply-To: <19980223183846.10365@lina>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 23 Feb 1998, Bernd Eckenfels wrote:

> Hi,
>
> > Is there any decent public domain firewall software available? If anyone
> > can give me a pointer to some sites, it would be very much appreciated.
>
> you can have a look at http://www.inka.de'/sites/line/freefire-l/
>
> (I need to add some links, but the basic info is there)
>
> Greetings
> Bernd
> --

Also, you may want to look at http://www.ifi.unizh.ch/ikm/SINUS/

Best regards,

Dave

-------------------------------------------------------------------------
Dave Whitlow                    Tel: +44-(0)181-861-2001
Idsec Ltd                       Fax: +44-(0)181-861-3433
Suite A, 31-33 College Road,    Mail: dwhitlow@idsec.co.uk
Harrow, HA1 1EJ, UK             Web: http://www.idsec.co.uk

From firewalls-owner Wed Mar 4 02:46:51 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA01030; Tue, 3 Mar 1998 23:20:08 -0800 (PST)
Received: from leo.emedia.com.tw (leo.emedia.com.tw [210.61.151.10]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id XAA00853 for ; Tue, 3 Mar 1998 23:19:30 -0800 (PST)
Received: from tw.asiansources.com (tw.asiansources.com [210.61.151.48]) by leo.emedia.com.tw (8.8.5/8.8.5) with ESMTP id PAA17514 for ; Wed, 4 Mar 1998 15:36:43 +0800
Received: from twn25 ([192.168.6.25]) by tw.asiansources.com (post.office MTA v2.0 0906 ID# 50-42443U500) with SMTP id AAA9921; Wed, 4 Mar 1998 15:34:03 +0800
Date: Wed, 04 Mar 1998 15:29:09 +0800
From: Joseph Chen
To: firewalls@GreatCircle.COM
Cc: "'firewalls@GreatCircle.COM'"
Message-Id: <34FD02C528A.8846.joseph81@ms12.hinet.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-Mailer: Becky! ver 1.23
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

usubscrible firewalls

From firewalls-owner Wed Mar 4 03:25:07 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id WAA24653; Tue, 3 Mar 1998 22:58:18 -0800 (PST)
Received: from c2smtp.herrmann.de ([194.95.204.134]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id WAA24446 for ; Tue, 3 Mar 1998 22:57:32 -0800 (PST)
Received: from ws0008nt (194.95.205.195) by c2smtp.herrmann.de (Connect2-SMTP 4.32.0000622) for ; Wed, 4 Mar 1998 08:04:50 +0100
Message-ID: <34FCFD0E.A5C09D1E@mail.teleconsult.de>
Date: Wed, 04 Mar 1998 08:04:46 +0100
From: Mario Muehlbauer
X-Mailer: Mozilla 4.01 [de] (WinNT; I)
MIME-Version: 1.0
To: Firewalls@GreatCircle.COM
Subject: FTP-Proxy authentication on Firewall-1
X-Priority: 3 (Normal)
References: <199803040059.QAA15136@honor.greatcircle.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am running Firewall-1 with the Security Servers enabled. The HTTP-Proxy (Security Server) authentication works very well. But when I click on an FTP download in an HTML document the Firewall rejects the connection. The log entry says that user "anonymous", which the browser sends to the firewall, is not defined.

Now I am searching for a solution where I can use the Firewall-1 FTP-Proxy without allowing FTP access to all users. I don't want to use Session or Client authentication!
Thanks,
Mario

From firewalls-owner Wed Mar 4 04:03:53 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA03342; Tue, 3 Mar 1998 23:28:28 -0800 (PST)
Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-980202-1) id XAA03274 for firewalls@greatcircle.com; Tue, 3 Mar 1998 23:28:10 -0800 (PST)
Received: from kuntur.rcp.net.pe (NS2.rcp.net.pe [161.132.5.10]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id HAA20693 for ; Fri, 27 Feb 1998 07:56:40 -0800 (PST)
Received: from mem.gob.pe(src addr [161.132.54.4]) (1481 bytes) by kuntur.rcp.net.pe via sendmail with P\:smtp/R:inet_hosts/T:smtp (sender: ) id for ; Fri, 27 Feb 1998 11:03:37 -0500 (EST) (Smail-3.2.0.96 1997-Jun-2 #3 built 1997-Aug-18)
Received: from MEM/MAIL by mem.gob.pe (Mercury 1.13); Fri, 27 Feb 98 10:57:05 -0500
Received: from MAIL by MEM (Mercury 1.13); Fri, 27 Feb 98 10:56:55 -0500
Received: from pctest.mem.gob.pe by mem.gob.pe (Mercury 1.13); Fri, 27 Feb 98 10:56:53 -0500
Message-ID: <007301bd4399$ac3d55c0$fd0a0a0a@pctest.mem.gob.pe>
From: "Sergio Untiveros"
To:
Subject: Help on MSProxy v2.0!
Date: Fri, 27 Feb 1998 11:06:32 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.72.2106.4
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello all;

I am using MS Proxy Server v2.0 on NT v4.0. We have an Oracle server v7.2. I want to connect a Win95 client with SQL*Net via the proxy server v2.0. My problem is, I can't grant rights (protocol and port) to connect to the Oracle server. What do I do? What protocol and port does SQL*Net use?

The diagram is as follows:

Client Win95 10.10.10.150 + ------------- Proxy Server v2.0 ---------- Oracle Server SQL*Net v2.0

Waiting for your answer via mail.

Thanks
Sergio

Ing. Sergio Untiveros Avilés
Consultant in Network Administration, Analysis, Monitoring and Security
Tel. 511-4750065 Ext. 2661
Cel: 511-9946059

From firewalls-owner Wed Mar 4 04:49:07 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA01577; Wed, 4 Mar 1998 02:31:14 -0800 (PST)
Received: from tpo.fi (mail.tpo.fi [193.185.60.42]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id CAA01478 for ; Wed, 4 Mar 1998 02:30:42 -0800 (PST)
Received: from hukka.ej.insta.fi (ej.insta.fi [193.185.240.2]) by tpo.fi (8.8.5/8.8.7) with ESMTP id MAA08735 for ; Wed, 4 Mar 1998 12:29:38 +0200 (EET)
Received: (from mail@localhost) by hukka.ej.insta.fi (8.8.5/8.7.5) id MAA05548 for ; Wed, 4 Mar 1998 12:29:38 +0200
Received: from ej_domaincontr.ej.insta.fi(192.0.7.11) via SMTP by hukka.ej.insta.fi, id smtpd05546aaa; Wed Mar 4 12:29:36 1998
Received: by ej_domaincontr.ej.insta.fi with Internet Mail Service (5.0.1457.3) id ; Wed, 4 Mar 1998 12:32:54 +0200
Message-ID: <8FF5423154B4D011B2E90000C0D94FF918D91F@ej_domaincontr.ej.insta.fi>
From: "Leppänen, Tero"
To: "'firewalls@GreatCircle.COM'"
Subject: Wrong address
Date: Wed, 4 Mar 1998 12:32:53 +0200
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1457.3)
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Kimmo Puranen's new address is ertsu@sci.fi

Pls use it !

Best regards,
Tero Leppänen

******************************************************************
Tero Leppänen                                        tero.leppanen@ej.insta.fi
Sarankulmankatu 20     Information System Manager    Tel. +358-3-2659773
FIN-33900 TAMPERE      Instrumentointi Oy            GSM +358-50-5538691
FINLAND                Special Systems               Fax +358-3-2659501
                                                     http://www.insta.fi
******************************************************************
The staff at Shake Communications each have over 6 years (each) of practical, hands on experience in Information Security and Law. They have been trained and have a demonstrated track record in these fields. I personally have worked for many government, public and private companies here in Australia. I have also been using the Internet since 1989.

I respect your opinions and defend your right to express them. We believe in the value of our services and back them up with a 100% money back guarantee.

Regards
Simon Johnson

From firewalls-owner Wed Mar 4 05:18:02 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA03473; Wed, 4 Mar 1998 05:04:19 -0800 (PST)
Received: from lexicon.ins.com (lexicon.ins.com [199.0.193.11]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id FAA03427 for ; Wed, 4 Mar 1998 05:04:08 -0800 (PST)
Received: from cerone_m.ins.com (DHCP-206-153.ins.com [199.0.206.153]) by lexicon.ins.com (8.7.5/8.7.3) with SMTP id FAA01079 for ; Wed, 4 Mar 1998 05:03:24 -0800 (PST)
Message-Id: <3.0.5.32.19980304080322.0084e100@lexicon.ins.com>
X-Sender: cerone_m@lexicon.ins.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32)
Date: Wed, 04 Mar 1998 08:03:22 -0500
To: firewalls@greatcircle.com
From: Michael Cerone
Subject: Xfer of Checkpoint user database
Mime-Version: 1.0
Content-Type: text/enriched; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello,

We are trying to cut over our Checkpoint FW-1 box to a new machine. But there are problems apparently with transferring the user database. We transferred over the rule base, objects and users database, by bringing over the /opt/fw/conf/objects.C; /opt/fw/conf/fwauth.NDB; /opt/fw/conf/fwusersauth.keys; /opt/fw/database/rules.C files. The rule base worked however, there were user authentication problems. They are using Firewall-1 Passwords for user authentication to allow internal users out to the Web.
Some id's appeared to work and others did not. But when we surfed around with the id's that appeared to work we eventually got an error. What happens is that a user authentication window comes up with the error "No user". If we change the password of the bad id we can get it going again for a while, but then eventually the "no user" error comes up. The FW log showed no problems, it showed the authentication and the http connection going through and never showed any rejects even when we got errors.

We transferred the files via ftp, in binary mode. The original FW was running 3.0a and the new one is running 3.0b. The rule bases are exactly the same. We put the old box back in and it seemed to work fine.

Any thoughts?

TIA

--
======================================================================
Mike Cerone                              michael_cerone@ins.com
Network Systems Engineer, Burlington     (781) 221-2230 Ext. 458
International Network Services           (781) 221-3554 fax
Ad Astra!
======================================================================

From firewalls-owner Wed Mar 4 06:17:33 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA05350; Wed, 4 Mar 1998 05:17:51 -0800 (PST)
Received: from pike.sover.net (pike.sover.net [204.71.16.17]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id FAA05293 for ; Wed, 4 Mar 1998 05:17:34 -0800 (PST)
Received: from sover.net (usr0a38.rut.sover.net [206.25.64.138]) by pike.sover.net (8.8.5/8.8.5) with ESMTP id IAA19192; Wed, 4 Mar 1998 08:16:37 -0500 (EST)
Message-ID: <34FD5469.6DA29321@sover.net>
Date: Wed, 04 Mar 1998 08:17:29 -0500
From: Chris Brenton
Reply-To: cbrenton@sover.net
X-Mailer: Mozilla 4.03 [en] (Win95; I)
MIME-Version: 1.0
To: "Grutter H."
CC: "'firewalls@GreatCircle.COM'" Subject: Re: List of security resources (was: New Security Firm Launches Online Services) References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Grutter H. wrote: > You say it is not the first time so can you tell me where other (free) > sites are than prodive patches? Some of my favorites (in no particular order) are: http://www.iss.net/xforce/ http://spider.osfl.disa.mil/cm/security/check_list/check_list.html http://www.secnet.com/ http://www.cert.org/ http://www.ntsecurity.net/ http://www.ntbugtraq.com/ http://www.gocsi.com/excerpt.htm http://www.l0pht.com/ http://www.rootshell.com/ http://www.unitedcouncil.org/ Most of these I have picked up from people on the list pointing them out as references. None of the links will prompt you to enter a credit card number. ;) Cheers, Chris -- ************************************** cbrenton@sover.net Multiprotocol Network Design & Troubleshooting http://www.amazon.com/exec/obidos/ISBN=0782120822/0740-8883012-887529 Support the anti-spam movement: http://www.cauce.org/ From firewalls-owner Wed Mar 4 17:53:52 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA29824; Wed, 4 Mar 1998 15:41:50 -0800 (PST) Received: from m3.sprynet.com (m3.sprynet.com [165.121.2.55]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id NAA03015 for ; Wed, 4 Mar 1998 13:45:39 -0800 (PST) Received: from [206.175.192.11] (hd1-011.hil.compuserve.com [206.175.192.11]) by m3.sprynet.com (8.8.5/8.8.5) with SMTP id NAA24383; Wed, 4 Mar 1998 13:51:31 -0800 (PST) Message-Id: <199803042151.NAA24383@m3.sprynet.com> To: Ted Doty Subject: Re: Infosec Accountability - 2 cents more Date: Wed, 04 Mar 98 16:44:38 -0500 From: William Hugh Murray X-Mailer: E-Mail Connection v3.1 CC: "firewalls@greatcircle.com" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk -- [ From: William Hugh 
Murray * EMC.Ver #3.1 ] --

Ted Doty writes:

> And before anyone flames me, I'd be terribly interested in seeing any
> large, multi-year body of evidence, collected from a sufficiently wide
> variety of sources so that it is generally applicable, showing direct
> financial loss based on network intrusion.

In spite of all the anecdotal evidence, what you are asking for does not exist. However, even if it did, it would be retrospective. What happened in the past is a good predictor only on a smooth curve; we are confronting a discontinuous curve. Driving through the rear-view mirror is safe only on straight smooth roads.

Bill

From firewalls-owner Wed Mar 4 19:49:20 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id TAA13308; Wed, 4 Mar 1998 19:34:57 -0800 (PST)
Received: from gargoyle.clark.net (pm1-31.dcwt.infi.net [208.136.65.31]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id TAA13181 for ; Wed, 4 Mar 1998 19:34:25 -0800 (PST)
Received: by gargoyle.clark.net (VMailer, from userid 500) id 32DBB293AE; Wed, 4 Mar 1998 22:38:26 -0500 (EST)
Date: Wed, 4 Mar 1998 22:38:25 -0500 (EST)
From: "Paul D. Robertson"
X-Sender: proberts@gargoyle
To: John Whittaker
Cc: firewalls@GreatCircle.COM
Subject: Re: Shake responds.....
In-Reply-To: <3.0.32.19980304090615.00a877c4@199.107.168.8>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 4 Mar 1998, John Whittaker wrote:

> >The staff at Shake Communications each have over 6 years (each) of
> >practical, hands on experience in Information Security and Law.
> >They have been trained and have a demonstrated track record in these
> >fields. I personally have worked for many government, public and private
> >companies here in Australia. I have also been using the Internet since 1989.
>
> sad to see someone who has been "using the internet" since 1989 resorting
> to spam.
Funny, I basically read that as "I used to use gopher." I know folks who have been using electronic mail for much longer, who are still subject to the same ridicule that they were over a decade ago. How that becomes an attempt to rationalize spam is beyond me.

Given the amount of time it takes to learn, six years is not a long time. Does anyone else find the length of time slightly amusing, or is it just me? Certainly, I've never seen anyone with just six years of experience in a senior position, which generally makes their "track record" more the influence of the person in whatever senior position(s) in the organization rather than theirs. More of a "Mid-level security guys for hire" thing than anything.

My take was "Hi, we're from .au, we used to use gopher, and we'd like to sell you our database." Of course, it got the same response all spam does from me, they're on the list of "Not even if Hormel purchased your company, ruled the Internet and some dude named Wallace was declared king."

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
PSB#9280

From firewalls-owner Wed Mar 4 20:41:09 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA27964; Wed, 4 Mar 1998 15:31:39 -0800 (PST)
Received: from stortek.com (stortek.stortek.com [129.80.22.249]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id PAA27839 for ; Wed, 4 Mar 1998 15:31:15 -0800 (PST)
From: jim@coltano.stortek.com
Received: from coltano.stortek.com (coltano.stortek.com [129.80.40.2]) by stortek.com (8.8.8/8.7.3) with ESMTP id QAA05599 for ; Wed, 4 Mar 1998 16:30:36 -0700 (MST)
Received: (from jim@localhost) by coltano.stortek.com (8.8.6/8.8.6) id QAA09769 for firewalls@greatcircle.com; Wed, 4 Mar 1998 16:30:35 -0700 (MST)
Date: Wed, 4 Mar 1998 16:30:35 -0700 (MST)
Message-Id: <199803042330.QAA09769@coltano.stortek.com>
To: firewalls@greatcircle.com
Subject: Passive FTP
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Anyone know where I can find source code for an ftp server that _does not_ support passive FTP?

______________________________________________________________
[ Jim Wamsley, Network Engineering                            ]
[ StorageTek 2270 S. 88th St, M.S. 4380, Louisville, CO 80028 ]
[ Audible: (303) 673-8163     Logical jim_wamsley@stortek.com ]
[ Everything to Excess!                                       ]
[ To enjoy life to the fullest, you must take big bites.      ]
[ Moderation is for monks.
                                                             ]
[                                               Lazarus Long ]
[______________________________________________________________]

From firewalls-owner Wed Mar 4 21:50:26 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id VAA12612; Wed, 4 Mar 1998 21:36:17 -0800 (PST)
Received: from elbert.interrural.net (elbert.interrural.net [206.115.106.10]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id UAA02119 for ; Wed, 4 Mar 1998 20:42:08 -0800 (PST)
From: dosman@gj.net
Received: from pluto ([206.115.110.34]) by elbert.interrural.net (Post.Office MTA v3.1 release PO203a ID# 0-37012U5000L500S0) with SMTP id AAA263 for ; Wed, 4 Mar 1998 21:41:27 -0700
To: firewalls@GreatCircle.COM
Date: Wed, 4 Mar 1998 21:48:04 +0000
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Message-ID: <19980305044126796.AAA263@pluto>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

usubscrible firewalls

From firewalls-owner Wed Mar 4 22:05:32 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id VAA11631; Wed, 4 Mar 1998 21:27:20 -0800 (PST)
Received: from mail.atl.bellsouth.net (mail.atl.bellsouth.net [205.152.0.21]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id VAA11608 for ; Wed, 4 Mar 1998 21:27:09 -0800 (PST)
Received: from nope (bims008201.bims.bellsouth.net [205.152.8.201]) by mail.atl.bellsouth.net (8.8.5/8.8.5) with SMTP id AAA18496 for ; Thu, 5 Mar 1998 00:26:33 -0500 (EST)
Message-Id: <199803050526.AAA18496@mail.atl.bellsouth.net>
From: "Steve"
To:
Subject: Israeli Hacker breaks into 400+ US gov/mil sites
Date: Thu, 5 Mar 1998 00:25:16 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4
Importance: Normal
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Two frontpage stories on this subject...
http://www.wired.com/news/news/technology/story/10713.html
http://www.zdnet.com/zdnn/content/zdnn/0304/291288.html

An Israel-based hacker named Analyzer apparently is the mastermind behind many of the latest breakins. It'll be interesting to see how the US government deals with this international incident.

From firewalls-owner Wed Mar 4 22:55:44 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id VAA12919; Wed, 4 Mar 1998 21:39:09 -0800 (PST)
Received: from mail.atl.bellsouth.net (mail.atl.bellsouth.net [205.152.0.21]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id UAA27133 for ; Wed, 4 Mar 1998 20:22:56 -0800 (PST)
Received: from nope (bims008201.bims.bellsouth.net [205.152.8.201]) by mail.atl.bellsouth.net (8.8.5/8.8.5) with SMTP id XAA13115 for ; Wed, 4 Mar 1998 23:22:16 -0500 (EST)
Message-Id: <199803050422.XAA13115@mail.atl.bellsouth.net>
From: "Steve"
To:
Subject: Pentagon Hacker mentions Retaliation
Date: Wed, 4 Mar 1998 23:21:00 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4
Importance: Normal
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The Saga continues...

http://www.wired.com/news/news/technology/story/10666.html

One of the young Pentagon hackers who got caught said he was 'roughhoused' by the FBI and his colleagues were planning online "retaliatory actions." Apparently his music CD's got confiscated along with his computer equipment. Life is tough.

http://www.wired.com/news/news/technology/story/10689.html

Apparently tonight, one of the attackers hacked an ISP's web sites to taunt the FBI. Maybe someone has been watching the movie 'Hackers' too much?
With this week's rash of massive NT denial of service attacks across the hundreds of sites, and all these hackers taunting the authorities, I don't think security business will be slowing down anytime soon.

From firewalls-owner Wed Mar 4 23:14:25 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id UAA02453; Wed, 4 Mar 1998 20:43:39 -0800 (PST)
Received: from mtigwc05.worldnet.att.net (mtigwc05.worldnet.att.net [204.127.131.35]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id UAA02345 for ; Wed, 4 Mar 1998 20:43:14 -0800 (PST)
From: mht@clark.net
Received: from highlander ([12.68.20.35]) by mtigwc05.worldnet.att.net (post.office MTA v2.0 0613 ) with SMTP id AAA208; Thu, 5 Mar 1998 04:42:36 +0000
Message-Id: <3.0.3.32.19980304234123.034de010@pop3.clark.net>
X-Sender: mht@pop3.clark.net
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Wed, 04 Mar 1998 23:41:23 -0500
To: "Shake Communications PTY LTD" ,
Subject: Re: Shake Communications -reply
In-Reply-To: <001001bd47ed$a8397140$75324ed1@shake>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 02:14 PM 3/5/98 +1000, Shake Communications PTY LTD wrote:
>Dear Mark,
>
>Thanks for your e-mail.
>
>Our claims in relation to the Shake Vulnerabilities Database vis-a-vis
>other, established vulnerabilities lists, are based on our own examination
>of the existing lists. We make no apologies for that. Our whole aim in
>developing the Vulnerabilities Database was to go beyond what the free lists
>offer. If we didn't do that, you are right - we could not expect anyone to
>pay the $$$ we are asking.

Since it is very hard to tell what exact type of examinations your organization has done compared to the various other companies who produce the same type of lists for similar $$.
>
>As such, we have worked very hard to develop a more up-to-date database, to
>cover more hardware and software, to categorise operating systems,
>applications, languages, hardware, etc in an easily searchable format, to
>give users information with just enough (not too much) detail on the nature
>of a given vulnerability and how to fix it, and to keep the database up to
>date. And we will continue working hard to maintain this standard.

Seems like you are just stating you have created a giant search engine with some search capabilities to allow users to search one database for vulnerabilities instead of many. But are those vulnerabilities, etc any better than those currently existing? There is no way to tell unless one subscribes to your list and does some sort of comparison.

>
>You raise some good points. A comparative report stating the differences
>between our database and those currently available is a good idea. We will
>work on that. Also, we will be providing more examples of our
>Vulnerabilities Database at our Web Site.

Yes, a definite comparison report would be worthwhile but from an independent agency similar to the NCSA testing of commercial firewall solutions or the recently published SNI paper on the vulnerabilities inherent in most IDS Systems.

>
>Finally, in relation to staff and training: our management team consists of
>myself with a Bachelor of Computing (Information Systems) and Anna Johnson
>with Bachelors degrees in Law, Commerce and Arts from the University of
>Melbourne. Due to the varying nature of security work, we engage skilled
>security professionals depending on the contract at hand. Even so, we
>require each person to undertake thorough training in security basics and
>client service.
>We also maintain close links with the IS Department (now
>SIMS) of Monash University

Yes, you state an important point due to the varying nature of security work, it is very difficult to maintain a level of understanding of security basics and client service. Similar to the thread that was of most recent posting 'Certifying Security Auditors'. Strange how your advertisement for your company followed shortly after that thread had generated discussions of creating an Auditing Methodology forum to create standards within the security auditing industry..??

>
>I guess that may sound like the claims made by the big N-1 firms! Well, I
>believe that what distinguishes us is our money-back guarantee: if we don't
>give you the results you expect, we will refund your money. This is also the
>theory behind providing the March edition of the Shake Security Journal
> http://www.shake.net ) for free - you can see the quality and decide for
>yourself whether this is the kind of thing you want to subscribe to.

Again, it does sound like the claims made by the Big N-1 firms, but as always if a customer is not satisfied with the services, they can refuse to pay, so I do not know where your refunding the money is any different.

Overall, I am not thoroughly convinced that your company offers a different type of services already offered by other people or organizations engaged in similar type of work. You had stated you have been using the Internet since 1989, but yet this is the first time I have seen a post by you on this list?? Just makes me a little suspicious

/mht

>
>Thank you, Mark, for taking the time to give us your feedback. I hope this
>has cleared up a few things.
>
>Best regards,
>
>Simon Johnson
>
>

From firewalls-owner Wed Mar 4 23:46:38 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id VAA12697; Wed, 4 Mar 1998 21:36:49 -0800 (PST)
Received: from ove.arup.com (ove.arup.com [193.116.20.1]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id VAA12663 for ; Wed, 4 Mar 1998 21:36:35 -0800 (PST)
Received: by ove.arup.com; id FAA24034; Thu, 5 Mar 1998 05:33:50 GMT
Received: from a_csun01(69.69.11.1) by ove.arup.com via smap (3.2) id xma024029; Thu, 5 Mar 98 05:33:25 GMT
Received: from a_csun14 by arupuk (4.1/SMI-4.1) id AA19659; Thu, 5 Mar 98 05:36:01 GMT
Received: from arup.com by a_csun14 (SMI-8.6/SMI-4.1) id FAA03864; Thu, 5 Mar 1998 05:31:46 GMT
Received: from comms-Message_Server by arup.com with Novell_GroupWise; Thu, 05 Mar 1998 05:31:45 +0000
Message-Id:
X-Mailer: Novell GroupWise 4.1
Date: Thu, 05 Mar 1998 05:17:47 +0000
From: Scott Fagg
To: firewalls@greatcircle.com
Subject: Passive FTP -Reply
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

perhaps comment out the bit that handles the PASV stuff in an ordinary FTP server? assuming your goal is to get an ftp server up and running.

>>> 5/March/1998 09:30am >>>
Anyone know where I can find source code for an ftp server that _does not_ support passive FTP?

______________________________________________________________
[ Jim Wamsley, Network Engineering                            ]
[ StorageTek 2270 S. 88th St, M.S. 4380, Louisville, CO 80028 ]
[ Audible: (303) 673-8163     Logical jim_wamsley@stortek.com ]
[ Everything to Excess!                                       ]
[ To enjoy life to the fullest, you must take big bites.      ]
[ Moderation is for monks.
                                                             ]
[                                               Lazarus Long ]
[______________________________________________________________]

From firewalls-owner Wed Mar 4 23:49:30 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id WAA23625; Wed, 4 Mar 1998 22:17:39 -0800 (PST)
Received: from relay.pair.com (relay1.pair.com [209.68.1.20]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id TAA13728 for ; Wed, 4 Mar 1998 19:37:03 -0800 (PST)
Received: from shake (p53-max2.mel.tig.com.au [209.78.50.117]) by relay.pair.com (8.8.7/8.8.5) with SMTP id WAA29439; Wed, 4 Mar 1998 22:25:36 -0500 (EST)
Message-ID: <001001bd47ed$a8397140$75324ed1@shake>
From: "Shake Communications PTY LTD"
To:
Cc:
Subject: Shake Communications
Date: Thu, 5 Mar 1998 14:14:23 +1000
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.72.2106.4
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Dear Mark,

Thanks for your e-mail.

Our claims in relation to the Shake Vulnerabilities Database vis-a-vis other, established vulnerabilities lists, are based on our own examination of the existing lists. We make no apologies for that. Our whole aim in developing the Vulnerabilities Database was to go beyond what the free lists offer. If we didn't do that, you are right - we could not expect anyone to pay the $$$ we are asking.

As such, we have worked very hard to develop a more up-to-date database, to cover more hardware and software, to categorise operating systems, applications, languages, hardware, etc in an easily searchable format, to give users information with just enough (not too much) detail on the nature of a given vulnerability and how to fix it, and to keep the database up to date. And we will continue working hard to maintain this standard.

You raise some good points.
A comparative report stating the differences between our database and those currently available is a good idea. We will work on that. Also, we will be providing more examples of our Vulnerabilities Database at our Web Site.

Finally, in relation to staff and training: our management team consists of myself with a Bachelor of Computing (Information Systems) and Anna Johnson with Bachelors degrees in Law, Commerce and Arts from the University of Melbourne. Due to the varying nature of security work, we engage skilled security professionals depending on the contract at hand. Even so, we require each person to undertake thorough training in security basics and client service. We also maintain close links with the IS Department (now SIMS) of Monash University

I guess that may sound like the claims made by the big N-1 firms! Well, I believe that what distinguishes us is our money-back guarantee: if we don't give you the results you expect, we will refund your money. This is also the theory behind providing the March edition of the Shake Security Journal http://www.shake.net ) for free - you can see the quality and decide for yourself whether this is the kind of thing you want to subscribe to.

Thank you, Mark, for taking the time to give us your feedback. I hope this has cleared up a few things.
Best regards,

Simon Johnson

From firewalls-owner Thu Mar 5 01:20:12 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id BAA02749; Thu, 5 Mar 1998 01:12:42 -0800 (PST)
Received: from combat.jgaa.com (combat.jgaa.com [193.91.161.12]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id BAA02721 for ; Thu, 5 Mar 1998 01:12:24 -0800 (PST)
Received: from jarlepc (193.91.161.12) by combat.jgaa.com (EMWAC SMTPRS 0.81) with SMTP id ; Thu, 05 Mar 1998 10:12:16 +0100
Message-Id: <3.0.5.32.19980305100945.011542f0@mail.jgaa.com>
X-Sender: jgaa@mail.jgaa.com
X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.5 (32)
Date: Thu, 05 Mar 1998 10:09:45 +0100
To: firewalls@greatcircle.com
From: Jarle Aase
Subject: Re: Passive FTP
In-Reply-To: <199803042330.QAA09769@coltano.stortek.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 04:30 PM 3/4/98 -0700, jim@coltano.stortek.com wrote:
>Anyone know where I can find source code for an ftp server that _does not_
>support passive FTP?

If you use the WinTel platform, I can always make an option in the War FTP Daemon to disallow the PASV command...

Jarle
--
Jarle Aase
Author of freeware.

NB: The mailserver at mail.jgaa.com will trash all transactions to and from any known spamming domains or email address. See http://www.sica.com/freestuf/mfilter.htm for details.
For support/suggestions: alt.comp.jgaa (newsgroup)
For information:         info@mail.jgaa.com (email, auto-responder)
Private Email:           jgaa@mail.jgaa.com
WWW:                     http://www.jgaa.com/

From firewalls-owner Thu Mar 5 01:52:52 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id AAA00787; Thu, 5 Mar 1998 00:58:10 -0800 (PST)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id WAA21715 for ; Wed, 4 Mar 1998 22:11:07 -0800 (PST)
Received: from loas.clark.net (loas.clark.net [168.143.0.13]) by miles.greatcircle.com (8.8.5/8.8.5) with ESMTP id WAA05762 for ; Wed, 4 Mar 1998 22:09:35 -0800 (PST)
Received: from mjr.clark.net (mjr.clark.net [168.143.19.61]) by loas.clark.net (8.8.8/8.8.8) with SMTP id BAA01622; Thu, 5 Mar 1998 01:10:07 -0500 (EST)
Message-Id: <3.0.3.32.19980305010652.00692490@mail.clark.net>
X-Sender: mjr@mail.clark.net
X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.3 (32)
Date: Thu, 05 Mar 1998 01:06:52 -0500
To: Firewalls@GreatCircle.COM
From: "Marcus J. Ranum"
Subject: Re: Infosec Accountability - 2 cents more
Cc: spaf@cs.purdue.edu, vin@shore.net
In-Reply-To: <199803040938.BAA21250@honor.greatcircle.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Vin McLellan writes:
[...sensible stuff...]
> Gene Spafford wrote:
> [...more sensible stuff...]

I *KNOW* you guys have been around long enough that it won't embarrass you to say the truth we all know and have been dodging for years:

THIS ISN'T A TECHNICAL PROBLEM IT'S A MANAGEMENT PROBLEM.

Technical solutions, be they concrete (firewalls, IDS', whatever) or procedural (policies, best practices, audits, etc) are not worth their weight in politician's promises unless they are implemented and supported by good management that is funded and motivated to see the job done right.
We've all seen hard-working and clueful folks in the trenches trying to Do The Right Thing and failing because they were unsupported by management. Either because management is clueless or careless or ineffective. Ignorance, apathy, and lack of resolve are equally deadly. And all too common.

The whole Pentagon thing is a joke. Most security folks who have been around the block a few times have had run-ins with DOD security. I'd be shocked if any of you were shocked by this shocking revelation. My capacity for shock ended the time when a Major at the Pentagon told one of our sales guys that the only way he'd believe he needed a firewall was if I hacked into his network before his eyes. I don't think our sales guy relayed my response.* (Also, my Kung Foo is no good; I don't hack)

Security guys bang the drum of accountability - constantly. At a meta-level, what I think is necessary is accountability for bad management, and that's not something that the Government (or most of the private sector) has ever been very good with.

Vin's question - "how do you create accountability?" is the key. The answer is simple: Accountability comes from the top based on information that filters up from the bottom. What that means is that the folks in the line of fire have a duty to make sure their management understands if there are any issues that management should understand. If the folks in the line say nothing and sweep the problem under the rug instead of going up the chain of command, it's their problem if there is later an "incident." If management is told and refuses to deal with a problem, then it's management's problem. At that point, senior management doesn't necessarily need to know the details, but only that there was an issue, and that the manager dealt with it. If it later turns out that the manager was wrong, enlightened senior management SHOULD know to deal with the manager, not the folks in the line of fire. Usually that's not how it happens, though.
But, believe it or not, there are businesses in the world that are not mismanaged. I don't think there are any governments that are not mismanaged.

What's ironic is that I was actually in the armed forces for a while. They taught me about the chain of command while I was doing the low crawl at Ft Dix, eating sand. They said "if you got a problem, make it the Sgt's problem. if he can't solve it, he'll make it the Captain's problem. etc. but if the Sgt says it's your problem, it's YOUR problem, you got a problem with that?" -- what happens with security is that a lot of folks don't even realize it IS a problem. Auditors need to make it their problem. Teachers need to make it their problem. Hackers are making it their problem.

When I was a consultant, I had one guy approach me about doing some work for them, to audit their firewall and whatnot, and they explained that they had Booz-Allen in last year and Booz-Allen wrote them a huge list of recommendations and they wanted me to look things over. I asked how many of Booz' recommendations they had taken. "Uh, none." What I guess needs to happen is for that guy's boss to be fired. Or, if the guy's boss had told his boss about the problem, for his boss to be fired. SOMEPLACE, someone had been told there was a negative report and had done nothing about it. That person should be fired if they ever have a security breach.

So, back to our friends at the Pentagon. Perhaps someone in the line of fire told their boss "we should secure this better." If they didn't, they deserve to be canned. What kind of network manager responsible for defense systems would be so stupid? Not with my taxpayer's dollars, please! If their boss didn't tell his boss and try to get things changed, then his boss should be canned. If the boss did tell his boss, and the boss^2 didn't do anything, can them, too.

Janet Reno is talking about spending massive amounts of taxpayers' money to start some cybercrime center nonsense.
I'll tell you how to make a FIRM STEP in the right direction, Janet, and it's free and it'll even save us money. Fire the person in charge of information technology for the Pentagon. Fire the entire chain of command** of that organization, right down to the network cabling. Leave that. The cable obviously isn't broken. Next, cut that cable.

DON'T TRY TO "SEND A MESSAGE TO THE HACKERS" -- SEND A MESSAGE TO THE MANAGERS.

But I'm just fantasizing out loud. :(

To me, the most fascinating security experiences I have - the ones that really make me drop my jaw - are the ones where perfectly rational people try to NEGOTIATE a security solution. It goes like this:

Person #1: "We should put some security in."
Person #2: "But we're a university!"
Person #1: "We still should do something. How about a firewall?"
Person #2: "Arrrr!! ACADEMIC FREEDOM!"
Person #1: "How about a firewall that isn't very tight? Let's say, it lets through 5% of the packets?"
Person #2: "90%!"
Person #1: "How about 40%, surely that's reasonable?"
Person #2: "I'll settle for 50% but I get to pick them!"
Person #1:

Sometimes it's fun to remind these players that since the hackers aren't party to the negotiation, they may not feel bound by the genteel agreement #1 and #2 just struck. Having seen this drama played out repeatedly, it's amazing that people feel things like firewalls are worth having at all. The firewall's not the problem, here. This is a management problem. Whoever #1 and #2 worked for should have made a decision for them and not taken any guff about it (and been prepared to lose their job if the decision was wrong). Oops accountability again. No, not "accountability" - "leadership"

Anyhow, Vin, you're right, accountability is essential. But it's something that comes from principled leadership - not from external auditors and standards. Not even from peer pressure.

I think I just realized why I am growing cynical about security. :(

"The only way to solve bad management is to become it."

mjr.
(* "By that logic, Sir, I don't think you should be allowed to buy any tanks until AFTER the first incoming round frags your sorry ass.")

(** Hopefully, this would include my old friend the Major who is probably a Colonel by now)

--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr

From firewalls-owner Thu Mar 5 02:35:07 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA11912; Wed, 4 Mar 1998 23:35:47 -0800 (PST)
Received: from cs.weber.edu ([137.190.16.18]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id XAA10261 for ; Wed, 4 Mar 1998 23:25:50 -0800 (PST)
Received: from icarus.weber.edu by cs.weber.edu (4.1/SMI-4.1.1) id AA25355; Thu, 5 Mar 98 00:21:36 MST
Received: by icarus.weber.edu (5.x/SMI-SVR4) id AA04406; Thu, 5 Mar 1998 00:31:37 -0700
Date: Thu, 5 Mar 1998 00:31:32 -0700 (MST)
From: Henry Hertz Hobbit
To: dosman@gj.net
Cc: firewalls@GreatCircle.COM
Subject: Re: your mail
In-Reply-To: <19980305044126796.AAA263@pluto>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 4 Mar 1998 dosman@gj.net wrote:

> usubscrible firewalls

I have noticed that there is a pattern of how people send these in. Before, it was "usubscribe" without the 'n' after the 'u'. Now it is "usubscrible" without the 'n' after the 'u', and with an extra 'l' after the 'b'. To the hackers that got into the Alberta edu site, I emailed a message back to them - maybe they are doing something about it. You think?
If you really *WANT* to unsubscribe send mail message to:

    MajorDomo@GreatCircle.com

with message:

    unsubscribe firewalls

I would unsubscribe myself just to see if it works, but I find too much amusement out of messages like the one from Ken Williams (yes I forwarded it on to all the family and friends on my mailing list that have NOT made the mistake of subscribing yet), and I still find some useful information from time to time that I tuck away into my overloaded disk space.

Best Wishes u'n'subscrib'*'ing...

The Hobbit (NOT the netcat one)

From firewalls-owner Thu Mar 5 02:35:14 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA29912; Wed, 4 Mar 1998 15:43:42 -0800 (PST)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id OAA08023 for ; Wed, 4 Mar 1998 14:05:56 -0800 (PST)
Received: from securemail.diginsite.com (securemail.diginsite.com [206.107.78.4]) by miles.greatcircle.com (8.8.5/8.8.5) with ESMTP id KAA24846 for ; Wed, 4 Mar 1998 10:05:42 -0800 (PST)
Received: from mail.diginsite.com (root@mail.diginsite.com [208.2.189.2]) by securemail.diginsite.com (8.8.8/8.8.8) with ESMTP id SAA18705 for ; Wed, 4 Mar 1998 18:02:32 GMT
Received: from march.diginsite.com (march.diginsite.com [208.2.189.102]) by mail.diginsite.com (8.8.8/8.8.6) with SMTP id JAA25109 for ; Wed, 4 Mar 1998 09:17:54 -0800
Date: Wed, 4 Mar 1998 09:14:11 -0800 (PST)
From: David Lang
To: firewalls@GreatCircle.COM
Subject: Re: Monitoring Web Server
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----

along the same lines, has anyone seen anything that will allow me to write a script to check https servers (port 443)?
David Lang

From firewalls-owner Thu Mar 5 02:35:16 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA29610; Wed, 4 Mar 1998 15:37:43 -0800 (PST)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id OAA11556 for ; Wed, 4 Mar 1998 14:18:37 -0800 (PST)
Received: from tyche.credo.net (tyche.credo.net [199.107.168.8]) by miles.greatcircle.com (8.8.5/8.8.5) with ESMTP id HAA22098 for ; Wed, 4 Mar 1998 07:57:48 -0800 (PST)
Received: from alectrona.credo.net (alectrona.credo.net [199.107.168.9]) by tyche.credo.net (8.8.8/8.8.8) with SMTP id HAA12337; Wed, 4 Mar 1998 07:56:52 -0800 (PST)
Message-Id: <3.0.32.19980304090615.00a877c4@199.107.168.8>
Received: from john.credo.net by alectrona.credo.net via smtpd (for mail.credo.net [199.107.168.8]) with SMTP; 4 Mar 1998 15:56:00 UT
X-Sender: john@199.107.168.8
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Wed, 04 Mar 1998 09:06:16 +0000
To: "Shake Communications PTY LTD"
From: John Whittaker
Subject: Re: Shake responds.....
Cc: firewalls@greatcircle.com
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>The staff at Shake Communications each have over 6 years (each) of
>practical, hands on experience in Information Security and Law.
>They have been trained and have a demonstrated track record in these
>fields.
> I personally have worked for many government, public and private
> companies here in Australia. I have also been using the Internet since 1989.

Sad to see someone who has been "using the internet" since 1989 resorting to spam.

john.

From firewalls-owner Thu Mar 5 02:35:20 1998
Date: Wed, 04 Mar 1998 13:09:24 -0500
From: Ted Doty
To: "Grutter H."
Cc: "'firewalls@greatcircle.com'"
Subject: Re: AW: Denial of Service [Was Re: Harsh Security audits?]

At 03:11 PM 3/4/98 +0100, Grutter H. wrote:
>
> Yes, you can flood the link but not the whole private WAN. So people who
> are not using a connection outside the private WAN are not bothered by
> this.

This may or may not be true. If the firewall allows incoming ICMP echo replies, then a smurf using a third party as the attack point may very well be successful against a private WAN.
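An added example (not from Ted's post) of the check that closes the gap he describes: instead of admitting every inbound ICMP echo reply, the filter admits only replies that match an echo request recently sent outbound, so reflected smurf traffic addressed to a host that never pinged anyone is dropped and counted. All addresses and traffic records are constructed.

```python
"""Stateful ICMP echo-reply filter: admit a reply only if a matching request went out.

Added example illustrating the point above; not code from the original post.
Addresses, ICMP identifiers and the traffic replayed below are constructed sample data.
"""
from collections import defaultdict


class EchoReplyFilter:
    """Tracks outbound echo requests; inbound replies pass only when they match one."""

    def __init__(self, reply_window: float = 5.0):
        self.reply_window = reply_window  # seconds a request stays eligible for a reply
        # (internal_host, external_host, icmp_id, icmp_seq) -> time the request left
        self.pending = {}
        self.dropped_by_target = defaultdict(int)

    def outbound(self, src, dst, icmp_id, icmp_seq, now):
        """Record an echo request leaving the private WAN."""
        self.pending[(src, dst, icmp_id, icmp_seq)] = now

    def inbound_reply(self, src, dst, icmp_id, icmp_seq, now):
        """Return True (admit) if the reply matches an outstanding request, else False (drop)."""
        key = (dst, src, icmp_id, icmp_seq)  # a reply is addressed back to our requester
        sent = self.pending.pop(key, None)
        if sent is not None and now - sent <= self.reply_window:
            return True
        self.dropped_by_target[dst] += 1  # unsolicited reply: the marker of a reflected flood
        return False

    def smurf_suspects(self, threshold: int = 10) -> dict:
        """Internal hosts that received many unsolicited replies: likely smurf victims."""
        return {host: n for host, n in self.dropped_by_target.items() if n >= threshold}


def run_sample():
    """Replay a constructed mix: one legitimate ping, then a reflected burst via a third party."""
    flt = EchoReplyFilter()
    # Legitimate: 10.1.1.5 pings 198.51.100.7 and one reply comes back within the window.
    flt.outbound("10.1.1.5", "198.51.100.7", icmp_id=0x1234, icmp_seq=1, now=100.0)
    legit = flt.inbound_reply("198.51.100.7", "10.1.1.5", 0x1234, 1, now=100.1)
    # Reflected: 50 hosts on a third-party network all "reply" to 10.1.1.9, which never
    # sent a request. None of these replies has a matching pending entry, so all are dropped.
    for i in range(50):
        flt.inbound_reply("203.0.113.%d" % (i + 1), "10.1.1.9", 0x0001, 0, now=101.0 + i * 0.01)
    return legit, flt.smurf_suspects()


if __name__ == "__main__":
    admitted, suspects = run_sample()
    print("legitimate reply admitted:", admitted)
    print("hosts receiving unsolicited replies:", suspects)
```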
- Ted

--------------------------------------------------------------
Ted Doty, Internet Security Systems | Phone: +1 770 395 0150
41 Perimeter Center East            | Fax:   +1 770 395 1972
Atlanta, GA 30346 USA               | Web:   http://www.iss.net
--------------------------------------------------------------
PGP key fingerprint: 362A EAC7 9E08 1689 FD0F E625 D525 E1BE

From firewalls-owner Thu Mar 5 03:51:54 1998
Date: Wed, 4 Mar 1998 10:40:06 -0800
From: "Wolfgang, Karl"
To: "'firewalls@greatcircle.com'"
Subject: NewTear DOS, New Countermeasures?

Most suggestions for addressing risks posed by denial of service (DOS) attacks are host-level solutions: applying operating system patches to a client or a server. Unfortunately, computer specialists who receive performance ratings based on connectivity or on providing services sometimes express reluctance about applying patches. The specialists argue that patches may lack complete testing on various platforms, and thus may cause unintentional denial of service attacks. Would there be other locations within a network architecture where one could apply countermeasures to DOS attacks?
In the example below, NewTear uses DNS port addresses to insert its fragmented packets into the targeted system. It seems that remote host requests for DNS ports passing through a local network's defense perimeter should only have legitimate rights to address a specific server. A firewall should reject any requests for docking to a generic computer's socket or IP address on a protected network.

Karl Wolfgang

current quote from: Dept. Computer Science, University of Wollongong, Australia
ZenMsg: Computer Security is a utopian dream.
Disclaimer: dream at your own risk.

> -----Original Message-----
> From: Jason Garms [SMTP:jasong@MICROSOFT.COM]
> Sent: Wednesday, March 04, 1998 3:53 AM
> To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
> Subject: Update on wide-spread NewTear Denial of Service attacks
>
> First, many thanks to the many organizations that assisted today in gathering information on the rash of denial of service attacks that have hit a number of sites on the Internet in the last 24-48 hours. Three important organizations for overall coordination have been CIAC, CERT and NTBUGTRAQ. That's in addition to the numerous customers who provided assistance. Thank you.
>
> We've gotten network traces for in-process attacks, as well as NT crash dumps from machines that were attacked. These files came from a number of different customers who were affected by these denial of service attacks over the last 24 to 48 hours. We've carefully reviewed the network traces, and analyzed the crash dumps, and I'd like to share what we found.
>
> The network sniffs all indicated a two-packet sequence using UDP fragmentation to exploit a known vulnerability in unpatched Windows 95 and Windows NT TCP/IP stacks. The traces all indicate the now infamous "DNS" packet, which has little significance as an actual DNS packet except that it uses the DNS port address. It's really the setup packet for the fragmentation attack.
> The second packet, which is a malformed UDP packet by many regards, completes the attack and places the unpatched TCP/IP stack in an unstable state. The DNS port may have been chosen because many sites do not filter it on their firewalls or routers. However, this is not a DNS issue in any way, since the corruption is caused in the TCP/IP stack by the UDP assembly.
>
> We replayed these packets against unpatched Windows NT and Windows 95 machines and got the same results as have been reported on in various forums, mostly blue screens. However, there have been reports of machines that would simply reboot without first blue screening. We were able to duplicate that scenario on Windows NT 4.0 systems running only SP1. Other unpatched systems would blue screen. However, these replayed attacks had no effect on fully patched Windows NT 4.0 SP3 systems (all hotfixes). The primary fix that is important here is the "NewTear/Bonk/Boink" update that was released in January.
>
> We also reviewed the crash dumps from a number of different sources. None of these affected machines had the NewTear/Bonk/Boink patch installed. Analysis of the dumps indicated that the cause of failure in all cases was symptomatic of the corruption caused by fragmented UDP packets, which was addressed by the NewTear/Bonk/Boink update. Most sites we were in contact with that were the subject of repeated attacks were no longer affected after installing the update.
>
> We have had no reports of fully patched systems being affected by this rash of attacks.
>
> We have posted some information on http://www.microsoft.com/security on this rash of attacks. From everything we've been able to determine, applying this update is critical to preventing this problem. The information on this issue at http://www.microsoft.com/security has links to the NewTear/Bonk/Boink hotfix.
>
> This hotfix is available for Windows NT 4.0 SP3, Windows NT 3.51 SP5, Windows 95 Winsock 1.x and Windows 95 Winsock 2.x systems. (Note that the version for Windows 95 depends on the Winsock version. Last week we released a complete refresh of the Windows 95 Winsock 2 stack, which includes the NewTear fix. This information is referenced from the NewTear information on http://www.microsoft.com/security)
>
> Thanks,
> -JasonG
>
> Jason Garms
> Product Manager
> Windows NT Security
> Microsoft Corporation

From firewalls-owner Thu Mar 5 04:52:35 1998
Date: Wed, 04 Mar 98 07:22:13 -0800
From: dennis_keller@smtp.ddc.dla.mil
Subject: Re[2]: Infosec Accountability - 2 cents more

Of course, all of us know Marcus is correct. Management doesn't like nasty, awful, terrible news. Just happy news! However, I shall continue with my crusade.

Cheers!

Denny
email: dkeller@ddc.dla.mil

______________________________ Reply Separator _________________________________
Subject: Re: Infosec Accountability - 2 cents more
Author: "Marcus J. Ranum" at internet01
Date: 3/5/98 1:06 AM

Vin McLellan writes:
[...sensible stuff...]
> Gene Spafford wrote:
> [...more sensible stuff...]

I *KNOW* you guys have been around long enough that it won't embarrass you to say the truth we all know and have been dodging for years:

    THIS ISN'T A TECHNICAL PROBLEM
    IT'S A MANAGEMENT PROBLEM.

Technical solutions, be they concrete (firewalls, IDS', whatever) or procedural (policies, best practices, audits, etc.) are not worth their weight in politicians' promises unless they are implemented and supported by good management that is funded and motivated to see the job done right. We've all seen hard-working and clueful folks in the trenches trying to Do The Right Thing and failing because they were unsupported by management, either because management is clueless or careless or ineffective. Ignorance, apathy, and lack of resolve are equally deadly. And all too common.

The whole Pentagon thing is a joke. Most security folks who have been around the block a few times have had run-ins with DOD security. I'd be shocked if any of you were shocked by this shocking revelation. My capacity for shock ended the time when a Major at the Pentagon told one of our sales guys that the only way he'd believe he needed a firewall was if I hacked into his network before his eyes. I don't think our sales guy relayed my response.* (Also, my Kung Foo is no good; I don't hack.)

Security guys bang the drum of accountability - constantly. At a meta-level, what I think is necessary is accountability for bad management, and that's not something that the Government (or most of the private sector) has ever been very good with. Vin's question - "how do you create accountability?" - is the key. The answer is simple: accountability comes from the top based on information that filters up from the bottom. What that means is that the folks in the line of fire have a duty to make sure their management understands if there are any issues that management should understand.
If the folks in the line say nothing and sweep the problem under the rug instead of going up the chain of command, it's their problem if there is later an "incident." If management is told and refuses to deal with a problem, then it's management's problem. At that point, senior management doesn't necessarily need to know the details, but only that there was an issue, and that the manager dealt with it. If it later turns out that the manager was wrong, enlightened senior management SHOULD know to deal with the manager, not the folks in the line of fire. Usually that's not how it happens, though. But, believe it or not, there are businesses in the world that are not mismanaged. I don't think there are any governments that are not mismanaged.

What's ironic is that I was actually in the armed forces for a while. They taught me about the chain of command while I was doing the low crawl at Ft Dix, eating sand. They said, "If you got a problem, make it the Sgt's problem. If he can't solve it, he'll make it the Captain's problem. Etc. But if the Sgt says it's your problem, it's YOUR problem. You got a problem with that?" -- What happens with security is that a lot of folks don't even realize it IS a problem. Auditors need to make it their problem. Teachers need to make it their problem. Hackers are making it their problem.

When I was a consultant, I had one guy approach me about doing some work for them, to audit their firewall and whatnot, and they explained that they had Booz-Allen in last year and Booz-Allen wrote them a huge list of recommendations and they wanted me to look things over. I asked how many of Booz' recommendations they had taken. "Uh, none." What I guess needs to happen is for that guy's boss to be fired. Or, if the guy's boss had told his boss about the problem, for his boss to be fired. SOMEPLACE, someone had been told there was a negative report and had done nothing about it. That person should be fired if they ever have a security breach.
So, back to our friends at the Pentagon. Perhaps someone in the line of fire told their boss "we should secure this better." If they didn't, they deserve to be canned. What kind of network manager responsible for defense systems would be so stupid? Not with my taxpayer's dollars, please! If their boss didn't tell his boss and try to get things changed, then his boss should be canned. If the boss did tell his boss, and the boss^2 didn't do anything, can them, too.

Janet Reno is talking about spending massive amounts of taxpayers' money to start some cybercrime center nonsense. I'll tell you how to make a FIRM STEP in the right direction, Janet, and it's free and it'll even save us money. Fire the person in charge of information technology for the Pentagon. Fire the entire chain of command** of that organization, right down to the network cabling. Leave that. The cable obviously isn't broken. Next, cut that cable. DON'T TRY TO "SEND A MESSAGE TO THE HACKERS" -- SEND A MESSAGE TO THE MANAGERS. But I'm just fantasizing out loud. :(

To me, the most fascinating security experiences I have - the ones that really make me drop my jaw - are the ones where perfectly rational people try to NEGOTIATE a security solution. It goes like this:

Person #1: "We should put some security in."
Person #2: "But we're a university!"
Person #1: "We still should do something. How about a firewall?"
Person #2: "Arrrr!! ACADEMIC FREEDOM!"
Person #1: "How about a firewall that isn't very tight? Let's say, it lets through 5% of the packets?"
Person #2: "90%!"
Person #1: "How about 40%, surely that's reasonable?"
Person #2: "I'll settle for 50% but I get to pick them!"
Person #1:

Sometimes it's fun to remind these players that since the hackers aren't party to the negotiation, they may not feel bound by the genteel agreement #1 and #2 just struck. Having seen this drama played out repeatedly, it's amazing that people feel things like firewalls are worth having at all.
The firewall's not the problem, here. This is a management problem. Whoever #1 and #2 worked for should have made a decision for them and not taken any guff about it (and been prepared to lose their job if the decision was wrong). Oops, accountability again. No, not "accountability" - "leadership".

Anyhow, Vin, you're right, accountability is essential. But it's something that comes from principled leadership - not from external auditors and standards. Not even from peer pressure.

I think I just realized why I am growing cynical about security. :(

"The only way to solve bad management is to become it."

mjr.

(* "By that logic, Sir, I don't think you should be allowed to buy any tanks until AFTER the first incoming round frags your sorry ass.")

(** Hopefully, this would include my old friend the Major who is probably a Colonel by now.)

--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr

From firewalls-owner Thu Mar 5 06:35:26 1998
Date: Thu, 05 Mar 1998 09:14:10 -0500
From: Paul Ferguson
To: Firewalls Mailing List, cisco Users Forum
Subject: White paper: What is a VPN?
Cc: Geoff Huston

As I have promised several individuals on each of these lists, here is the announcement of the completed white paper that Geoff Huston (Telstra Internet) and I have just completed:

Title: What is a VPN?

Abstract: The term "VPN," or Virtual Private Network, has become almost as recklessly used in the networking industry as has "QoS" (Quality of Service) to describe a broad set of problems and "solutions," when the objectives themselves have not been properly articulated. This confusion has resulted in a situation where the popular trade press, industry pundits, and vendors and consumers of networking technologies alike, generally use the term "VPN" as an offhand reference for a set of different technologies. This paper attempts to provide a common sense definition of a VPN, and an overview of different approaches to building them.

The paper can be found under the subheading "Presentations, Slideware, and Assorted Cruft" at the URL:

    http://www.employees.org:80/~ferguson/

This paper is currently only available in a PostScript (.ps) format. The paper (filename: vpn.zip) is also available via anonymous ftp at

    ftp://ftp.employees.org/ferguson/

Since I have unsubscribed from the firewalls@greatcircle.com mailing list due to the degenerative signal/noise ratio, please direct any comments, concerns, kudos, etc. to either Geoff or myself directly.

Cheers,

- paul (on vacation)

--
Paul Ferguson
Consulting Engineering
Herndon, Virginia USA
tel: +1.703.397.5938
mailto:ferguson@cisco.com
cisco Systems

From firewalls-owner Thu Mar 5 07:07:08 1998
Date: Wed, 04 Mar 1998 15:13:10 -0800
From: dave kaas
To: firewalls@greatcircle.com
Subject: SSL through a firewall

We have a group that wants to put up a WEB server on our internal network that is accessible from the Internet. It would be an NT 4.0 system with IIS 4.0, with access via an SSL hole through the firewall. There are CGI scripts/C code that access the data and format it to send back to the client. Should we be worried? What should we be concerned about?
thank you

--
Dave Kaas                                  Internet: dave_kaas@rl.gov
Lockheed Martin Services                   Phone: (509) 376-6386
United States Department of Energy, Richland, WA

From firewalls-owner Thu Mar 5 08:34:26 1998
Date: Thu, 5 Mar 1998 11:05:34 -0500 (EST)
From: ccurtis@facm.fit.edu
To: firewalls@greatcircle.com
Subject: Linux Encrypted VPN

I realize this is a bit off-topic, but since the VPN topic just popped up I figured I'd ask ... at least it's not spam. ;-)

I was wondering if anyone had a HOWTO pointer or some general ideas on how to create a VPN using Linux. Ideally, the system should encapsulate an IP packet (with a non-routable address) inside another packet as data, fully (128-bit) encrypted, which would then be tunnelled to another Linux machine, to decrypt the packet and route it properly. I know Linux will do IP encapsulation (especially for the notebook users), but how would one go about implementing an encryption layer in there?

Secondly, one of the key issues dealing with VPNs is authentication. Sadly, I'm not terribly well versed in the OSI models et al, and don't even know where to start in this respect. Does the TCP layer have an extra (or data) field that can store an auth-key, or would I have to use a modified TCP stack? This system would use, of course, IPv4 ... unless, of course, IPv4 could encapsulate an IPv6 packet that can be authenticated against...

Ideas, suggestions?
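An added example (not from the post above) showing the shape of what is being asked for: an inner IPv4 packet with a private address is carried as data inside a tunnel frame that is encrypted, authenticated with a shared key, and protected against replay by a sequence number; the authentication lives in the tunnel layer, not in TCP. The keystream (HMAC-SHA256 in counter mode) and the HMAC tag are stand-ins so the block runs on the standard library alone; addresses and payloads are constructed.

```python
"""Encapsulate an inner (private-address) IP packet in an encrypted, authenticated tunnel frame.

Added example for the question above; not code from the original post.
Stand-ins: the keystream is HMAC-SHA256 in counter mode and the tag is a truncated
HMAC-SHA256 (encrypt-then-MAC); a deployed tunnel would use a vetted AEAD cipher.
Addresses and payloads are constructed.
"""
import hashlib
import hmac
import os
import struct

MAGIC = b"VPN1"
TAG_LEN = 16
HEADER_LEN = 4 + 4 + 12  # magic | sequence number | nonce


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement sum over 16-bit words (verifies to 0 on a valid header)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_inner_packet(src: str, dst: str, payload: bytes, proto: int = 17) -> bytes:
    """Minimal IPv4 header (no options) plus payload: the packet to be tunnelled."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                         ip_to_bytes(src), ip_to_bytes(dst))
    return header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:] + payload


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256(key, nonce || counter); stand-in for a block cipher."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack("!I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encapsulate(enc_key: bytes, mac_key: bytes, seq: int, inner: bytes) -> bytes:
    """Tunnel frame: MAGIC | seq | nonce | ciphertext | tag, with the tag over everything before it."""
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(inner, _keystream(enc_key, nonce, len(inner))))
    body = MAGIC + struct.pack("!I", seq) + nonce + ct
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()[:TAG_LEN]


class TunnelReceiver:
    """Decapsulates frames from one peer: authenticate first, then check replay, then decrypt."""

    def __init__(self, enc_key: bytes, mac_key: bytes):
        self.enc_key, self.mac_key = enc_key, mac_key
        self.highest_seq = -1

    def decapsulate(self, frame: bytes) -> bytes:
        if len(frame) < HEADER_LEN + TAG_LEN or frame[:4] != MAGIC:
            raise ValueError("malformed tunnel frame")
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.mac_key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):  # constant-time; this is the peer authentication
            raise ValueError("authentication failed")
        seq = struct.unpack("!I", body[4:8])[0]
        if seq <= self.highest_seq:
            raise ValueError("replayed frame seq=%d" % seq)
        self.highest_seq = seq
        nonce, ct = body[8:HEADER_LEN], body[HEADER_LEN:]
        return bytes(a ^ b for a, b in zip(ct, _keystream(self.enc_key, nonce, len(ct))))


if __name__ == "__main__":
    enc_key, mac_key = os.urandom(32), os.urandom(32)  # shared between both tunnel endpoints
    inner = build_inner_packet("192.168.1.10", "192.168.2.20", b"hello private net")
    frame = encapsulate(enc_key, mac_key, seq=1, inner=inner)
    print("inner %d bytes -> tunnel frame %d bytes" % (len(inner), len(frame)))
    print("decapsulated matches:", TunnelReceiver(enc_key, mac_key).decapsulate(frame) == inner)
```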
Thanks,
Christopher

From firewalls-owner Thu Mar 5 09:05:12 1998
Date: Thu, 05 Mar 1998 10:39:31 -0500
From: Randy Taylor
To: "Marcus J. Ranum", Firewalls@greatcircle.com
Subject: Re: Infosec Accountability - 2 cents more

At 01:06 AM 3/5/98 -0500, Marcus wrote:
> Vin McLellan writes:
> [...sensible stuff...]
> > Gene Spafford wrote:
> > [...more sensible stuff...]
>
> I *KNOW* you guys have been around long enough that it won't embarrass you to say the truth we all know and have been dodging for years:
>
>     THIS ISN'T A TECHNICAL PROBLEM
>     IT'S A MANAGEMENT PROBLEM.

Give that man a ceegar. :)

[.....]

> To me, the most fascinating security experiences I have - the ones that really make me drop my jaw - are the ones where perfectly rational people try to NEGOTIATE a security solution.
> It goes like this:
> Person #1: "We should put some security in."
> Person #2: "But we're a university!"
> Person #1: "We still should do something. How about a firewall?"
> Person #2: "Arrrr!! ACADEMIC FREEDOM!"
> Person #1: "How about a firewall that isn't very tight? Let's say, it lets through 5% of the packets?"
> Person #2: "90%!"
> Person #1: "How about 40%, surely that's reasonable?"
> Person #2: "I'll settle for 50% but I get to pick them!"
> Person #1:

ROFL! I had almost exactly this conversation and numerous minor variants of it at a site I used to work at. After four years of banging my head against that particularly bureaucratic wall, I left. The old place still gets hacked on a very regular basis. Not my problem anymore. Sometimes They (TM) just don't get it... and half of the personal struggle oftentimes is realizing they never will.

[.....]

> Having seen this drama played out repeatedly, it's amazing that people feel things like firewalls are worth having at all. The firewall's not the problem, here. This is a management problem. Whoever #1 and #2 worked for should have made a decision for them and not taken any guff about it (and been prepared to lose their job if the decision was wrong). Oops, accountability again. No, not "accountability" - "leadership"

Erm... I applaud your idealism, but there's this thing about making the house payment/car payment/etc. that makes falling on one's sword easier said than done. In many cases, one's arm is simply too short to box with God. In those cases, and only if the feelings are strong enough, quietly get another job. Once firm offers are on the table, decide on whether or not to stage a "ceremonial sword diving" exhibition. ;) And if you decide to take that route, make it count for something.

[.....]

> mjr.
> --
> Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
> work - http://www.nfr.net
> home - http://www.clark.net/pub/mjr

Just my $0.02. YMMV as always.
Best regards,

Randy Taylor
SAIC (and obviously _not_ speaking for them)

From firewalls-owner Thu Mar 5 10:08:56 1998
Date: Thu, 5 Mar 1998 08:42:23 -0800
From: Jerry Huyghe
To: "'Jarle Aase'", firewalls@greatcircle.com
Subject: RE: Passive FTP

What about the FW-1 FTP security server? It has an option to block PASV FTP.

> -----Original Message-----
> From: Jarle Aase [SMTP:jgaa@mail.jgaa.com]
> Sent: Thursday, March 05, 1998 1:10 AM
> To: firewalls@greatcircle.com
> Subject: Re: Passive FTP
>
> At 04:30 PM 3/4/98 -0700, jim@coltano.stortek.com wrote:
> > Anyone know where I can find source code for an ftp server that _does not_
> > support passive FTP?
>
> If you use the WinTel platform, I can always make an option in the War FTP
> Daemon to disallow the PASV command...
>
> Jarle
>
> --
> Jarle Aase
> Author of freeware.
>
> NB: The mailserver at mail.jgaa.com will trash all transactions to and from
> any known spamming domains or email address.
> See http://www.sica.com/freestuf/mfilter.htm for details.
>
> For support/suggestions: alt.comp.jgaa (newsgroup)
> For information: info@mail.jgaa.com (email, auto-responder)
> Private Email: jgaa@mail.jgaa.com
> WWW: http://www.jgaa.com/
>

From firewalls-owner Thu Mar 5 11:35:28 1998
Date: Thu, 5 Mar 1998 20:16:46 +0100
From: Alexander Kjeldaas
To: Henry Hollenberg, Firewalls@GreatCircle.COM
Subject: Re: Linux firewall question.

On Thu, Mar 05, 1998 at 10:37:29AM -0600, Henry Hollenberg wrote:
>
> A debate has arisen regarding using loadable modules for a linux based
> firewall system and I'm trying to sort thru the issues involved.
>
> I thought I had read somewhere, perhaps here, that if at all possible
> loadable modules should be avoided on a firewall system.... i.e. everything
> needed by the kernel and only what is needed should be compiled in.
>
> But now I've run into strong opinion that the kernel should use loadable
> modules.
>
> Am I off base to insist on _not_ using loadable modules?
>
> I'd be interested in any experience anyone could share.
>

I don't think you're off base. We didn't use loadable modules initially, but later decided that we needed them. We use the securelevel mechanism to turn off the ability to load kernel modules at a specific point in the boot process.
That way, much of the risk associated with kernel modules is removed.

astor

--
Alexander Kjeldaas, Guardian Networks AS, Trondheim, Norway

From firewalls-owner Thu Mar 5 11:50:31 1998
Date: Thu, 05 Mar 1998 13:15:50 -0600
From: Sami Yousif
Reply-To: syousif@iname.com
Organization: TeddyR Computers
To: Henry Hollenberg, firewalls@greatcircle.com
Subject: Re: Linux firewall question.

Henry Hollenberg wrote:
>
> A debate has arisen regarding using loadable modules for a linux based
> firewall system and I'm trying to sort thru the issues involved.
>
> I thought I had read somewhere, perhaps here, that if at all possible
> loadable modules should be avoided on a firewall system.... i.e. everything
> needed by the kernel and only what is needed should be compiled in.
>
> But now I've run into strong opinion that the kernel should use loadable
> modules.
>
> Am I off base to insist on _not_ using loadable modules?
>
> I'd be interested in any experience anyone could share.
>
> Thanks
>

Personally, I go with the "minimum, no modules" approach, for two reasons: speed and security.

Speed: The leaner the kernel is, as far as the firewall is concerned, the quicker it is able to handle packet forwarding, etc.
Security: Having module support on a firewall machine invites the possibility that one of the modules can be compromised through a trojan. A compromised module that is loaded on the next reboot would make the firewall useless. It would not be hard to write a trojan module that hooks onto the real one (or even replaces the real one). In some environments, the "compromise/risk" may come from either side of the firewall network connection.

[I go for the no modules, physically take out the floppy drive, set boot to HDD only, password the CMOS (if possible), etc. approach.]

--
---
Sami Yousif
mailto:syousif@iname.com
mailto:syousif@swbell.net
http://www.mav.net/teddyr/syousif
http://teddyr.home.ml.org
ftp://teddyr.dyn.ml.org

[eMail sent to any of my addresses is subject to the Conditions outlined in http://www.mav.net/teddyr/emailtos.shtml]
[Note: I no longer support ARNet as an ISP nor WTAMU as an educational institution nor LEK as a Computer Supplier. http://www.mav.net/teddyr/access]
[heard somewhere: "You have the right to remain clueless. Anything you know may be used against you in a court of law"]

Another day, so many more LARTS to go. [BOFH, BUFH]
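An added example (not code from either Alexander's or Sami's reply) that combines the two points of the thread: audit the modules the kernel has actually loaded against an allowlist for the firewall, and lock module loading once the boot sequence has loaded what it needs. It assumes a Linux kernel exposing /proc/modules and the one-way sysctl kernel.modules_disabled (the modern equivalent of the securelevel trick described above); the sample /proc/modules text and the allowlist are constructed.

```python
"""Audit loaded kernel modules against an allowlist and lock further module loading.

Added example for the two replies above; not code from either poster.
Assumes Linux with /proc/modules and the one-way sysctl kernel.modules_disabled.
The sample /proc/modules text and the allowlist below are constructed.
"""
import os

MODULES_DISABLED = "/proc/sys/kernel/modules_disabled"
PROC_MODULES = "/proc/modules"


def parse_proc_modules(text: str) -> dict:
    """Map module name -> (size, refcount, [dependencies]) from the /proc/modules format:
    'name size refcount deps state offset', where deps is '-' or a comma-terminated list."""
    modules = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or truncated line
        name, size, refcount, deps = fields[0], int(fields[1]), int(fields[2]), fields[3]
        modules[name] = (size, refcount, [] if deps == "-" else deps.rstrip(",").split(","))
    return modules


def unexpected_modules(loaded: dict, allowlist) -> list:
    """Names present in the kernel but not on the firewall's allowlist, sorted."""
    return sorted(set(loaded) - set(allowlist))


def module_loading_locked(sysctl_text: str) -> bool:
    """kernel.modules_disabled reads '1' once loading has been switched off."""
    return sysctl_text.strip() == "1"


def audit(allowlist, proc_modules_text=None, sysctl_text=None) -> dict:
    """Read the live files unless sample text is supplied; return the findings."""
    if proc_modules_text is None:
        with open(PROC_MODULES) as fh:
            proc_modules_text = fh.read()
    if sysctl_text is None:
        with open(MODULES_DISABLED) as fh:
            sysctl_text = fh.read()
    loaded = parse_proc_modules(proc_modules_text)
    return {
        "unexpected": unexpected_modules(loaded, allowlist),
        "loading_locked": module_loading_locked(sysctl_text),
    }


def lock_module_loading():
    """Write the one-way sysctl. Call this at the end of the boot sequence, after the
    needed modules are in; only root can write it and only a reboot undoes it."""
    with open(MODULES_DISABLED, "w") as fh:
        fh.write("1\n")


# Constructed sample: what /proc/modules might show on a small firewall box,
# including one module ("unknown_mod") that nobody put on the allowlist.
SAMPLE_PROC_MODULES = """\
ip_tables 32768 2 iptable_filter,iptable_nat, Live 0xffffffffc0a00000
iptable_filter 16384 1 - Live 0xffffffffc09f0000
iptable_nat 16384 1 - Live 0xffffffffc09e0000
e1000e 270336 0 - Live 0xffffffffc0900000
unknown_mod 20480 0 - Live 0xffffffffc0800000
"""
FIREWALL_ALLOWLIST = ["ip_tables", "iptable_filter", "iptable_nat", "e1000e"]

if __name__ == "__main__":
    # Run against the constructed sample; pass no sample text to audit the live host.
    result = audit(FIREWALL_ALLOWLIST, SAMPLE_PROC_MODULES, "0\n")
    if result["unexpected"]:
        print("WARNING: modules outside the allowlist:", result["unexpected"])
    if not result["loading_locked"]:
        print("module loading is still enabled; lock_module_loading() closes it"
              + (" (run as root)" if os.geteuid() != 0 else ""))
```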