From firewalls-owner Wed Apr 1 00:18:10 1998
From: Rabid Wombat
Date: Mon, 30 Mar 1998 08:17:35 -0500 (EST)
To: Michael Meyer LJO
Cc: shimons@bll.co.il, firewalls@greatcircle.com
Subject: Re: FW: IPX through a firewall

Letting UDP through firewalls is generally a bad idea.

On Mon, 30 Mar 1998, Michael Meyer LJO wrote:

> Dear Sir or Madam:
> Please read RFC1234 located at
> http://www.cis.ohio-state.edu/htbin/rfc/rfc1234.html
>
> This memo describes a method of encapsulating IPX datagrams within UDP
> packets so that IPX traffic can travel across an IP Internet.
> Sincerely,
> Michael C. Meyer
> AltaVista Technical Support
> altavista-support@digital.com
> http://support.altavista-software.com/
>
> Use web site for immediate partner support.
>
>
> -----Original Message-----
> From: Michael Meyer LJO
> Sent: Monday, March 30, 1998 2:09 PM
> To: 'shimons@bll.co.il'
> Cc: 'firewalls@greatcircle.com'
> Subject: IPX through a firewall
>
> Dear Sir or Madam:
> There are few IPX firewalls out there so you would probably be
> better served using an IP firewall. Send your IPX to an IP gateway then to
> your firewall.
> Your best bet would be to use Novell NetWare 5.0 with native
> IP support. See LAN Times, March 16, 1998. Even though Novell has offered an
> IP-based solution for some time with NetWare/IP, that solution merely
> "wrapped" the NetWare IPX traffic in IP clothes.
> Sincerely,
> Michael C. Meyer
> AltaVista Technical Support
> altavista-support@digital.com
> http://support.altavista-software.com/
>
> Use web site for immediate partner support.
>
> Date: Wed, 25 Mar 1998 13:24:51 +0000
> From: shimons@bll.co.il
> Subject: IPX through a firewall
>
> If I need to transport the IPX protocol through a firewall, what would be
> the pros and cons (security wise) of the following options:
> 1. route IPX through the firewall ignoring it completely.
> 2. route IPX through a separate router and use the router's ACL
> 3. use an IPX firewall (anyone has recommendations/horror stories?)
>
> pls. CC me as I only read the digest form of the list
> TIA, Shimon Silberschlag

From firewalls-owner Wed Apr 1 01:55:43 1998
From: Vin McLellan
Date: Tue, 31 Mar 1998 12:49:22 -0500
To: Perry
Cc: firewalls@greatcircle.com
Subject: Re: Laptop security / CMW variants

Perry queries the List:

>1) Can anyone recommend a laptop security product that supports full disk
>encryption via a pcmcia card, a bonus would be VPN support for remote
>authentication issues. I have reviewed PC/DACS over the past week which
>is a software encryption/access control package, but the encryption
>segment leaves a lot to be desired security wise (not to mention that the
>product sucks).

Check out:

I just picked this announcement up off Bizwire.

Suerte,
_Vin

----

Kasten Chase Applied Research Limited (TSE-KCA) today announced a joint sales and marketing agreement with SPYRUS, a leading electronic commerce company based in San Jose, California, to provide high performance, high security cryptographic technology as part of the world's first PCMCIA FORTEZZA(R)-based secure remote access solution for government agencies.

Under the agreement, SPYRUS has developed a FORTEZZA(R)-enabled version of its proprietary Locksmith software application and its LYNKS Privacy Card(tm) for use with Kasten Chase's remote access products. Kasten Chase will deliver secure remote access solutions that include the SPYRUS family of hardware and software products. The SPYRUS products, bundled into the offering, will add desktop protection functionality to the solution that already provides authentication and encryption technology.

"Our partnership with SPYRUS is an example of our commitment to offer a total secure access solution to the government and financial markets," said Steve Ducat, vice president of sales for Kasten Chase. "Our partnership with SPYRUS, a leader in cryptographic desktop technology, adds important media encryption capabilities to our existing security portfolio, thereby positioning our offering to become the de facto standard for FORTEZZA(R)-based secure remote access."

SPYRUS has developed a customized FORTEZZA(R)-based version of its Locksmith(tm) media encryption software for use with Kasten Chase's OPtiva Secure Plus.
Locksmith adds another layer of security features to a remote access application by combining a personal identification number (PIN) with the SPYRUS PCMCIA-compliant LYNKS Privacy Card. LYNKS Privacy Cards enable security-critical capabilities -- user authentication, message privacy, message integrity authentication, and secure storage -- for a FORTEZZA(R)-based media encryption solution.

"SPYRUS is leading the e-commerce industry in FORTEZZA(R)-based hardware and software solutions for high performance, high assurance Internet data access and security solutions," said Charlie Scruggs, director of sales for SPYRUS. "Remote access security is becoming an increasing problem for companies, with over 14 million people working from home or remote locations in the United States alone. With solutions such as those developed by SPYRUS and Kasten Chase, the travelling road warrior will no longer need to be concerned about the loss of a laptop computer and the potential damage resulting from misuse of critical corporate information."

---------------

>2) Has anyone done a comparison between the different MLS and/or CMW
>oriented OS' (ie Trusted Solaris, HPUX CMW, OSF CMW)? Any information
>would be greatly appreciated.

I too would be interested if you find a good repository for this sort of comparative info. You might check out the Dockmaster discussion groups. Contact the NISSC office at the NSA to arrange for access.

-----
"Cryptography is like literacy in the Dark Ages. Infinitely potent, for good and ill... yet basically an intellectual construct, an idea, which by its nature will resist efforts to restrict it to bureaucrats and others who deem only themselves worthy of such Privilege." _ A thinking man's Creed for Crypto/ vbm.
* Vin McLellan + The Privacy Guild +
* 53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548

From firewalls-owner Wed Apr 1 02:34:21 1998
From: Roman Ramirez
Organization: EncomIX
Date: Wed, 01 Apr 1998 08:16:50 +0200
To: firewalls@greatcircle.com
Subject: Questions about ICMP

Hello:

I have some questions about ICMP filtering: what kind of ICMP packets
should I filter? In other words, what ICMP options can I permit in packets?

I'm seeking a RESTRICTIVE policy, but I need to let ping and traceroute
get out and in...
Thx in advance
--
http://www.encomix.es/users/patowc
mailto://rramirez@encomix.es

From firewalls-owner Wed Apr 1 05:05:05 1998
From: Henry Hertz Hobbit
Date: Tue, 31 Mar 1998 10:10:33 -0700 (MST)
To: Robert Ludwig
Cc: 'Firewall'
Subject: Re: Ammunition, please

On Mon, 30 Mar 1998, Robert Ludwig wrote:

> In fifteen years of security consulting, I have never
> been to a site that allowed passwords to age more than 30
> days (on the theory that a moving target is harder to hit).
> The idea that since a user's password has been compromised
> it should be allowed to remain compromised is equivalent to
> saying that since someone has shoplifted something from a store
> once, that store should simply leave its doors unlocked forever.
> Advice that I find is beyond idiotic and well into irresponsible.

No problem with the first idea, but I have a brother who, after seeing so
many break-ins in the homes in his area, finally did not lock the door to
his house any more. His reasoning?
Almost any drug addict or pervert that is going to break in is going to find
a very friendly Golden Retriever (way too friendly to people to be a
watch-dog, but Doberman and German Shepherd owners beware - the ones Barney
had a scrap with came out the losers). My brother's view was that he would
rather have them take the stuff and NOT break in his $500 door. But then he
subscribes to my philosophy that less is frequently more - a Zen idea. Hmm,
maybe that means that there is a market for stolen doors?

HHH

PS No, most of the people I meet are quite friendly and my experience is
not that they are ALL out to get you. Even many hackers have their own code
of ethics - no schools, etc.

From firewalls-owner Wed Apr 1 05:19:40 1998
From: "Berchtold Patrick (GIAPBE)"
Date: Tue, 31 Mar 1998 13:24:28 +0200
To: 'Taufik Islam', Firewalls Mailing List (E-Mail)
Subject: AW: Sniffer
Windows NT's own network monitor is doing quite a good job. Its restriction
is that it only records packets that are addressed to or from that host.
Say, if you run it on host myhost.foo.bar, you can only see packets that
are sent to or from myhost.foo.bar, but not any "3rd party packets", e.g.
from host1.foo.bar to host2.foo.bar.

The network monitor included in MS SMS is basically the same, but without
that boring restriction.

The most powerful monitor I know is Sniffer (former NetXRay) from Network
Associates. It is easily scalable for your specific needs. See
http://www.nai.com/ for more.

Another monitor I once heard about is NetAnt from People Network. See
http://www.people-network.com/netant.htm for info.

But if you have a Linux box at hand I would rather use tcpdump than those
above. It's powerful, easy to use and free.

Patrick

> -----Original Message-----
> From: Taufik Islam [SMTP:Tislam@acaonline.org]
> Sent: Friday, 27 March 1998 23:21
> To: Firewalls@GreatCircle.COM
> Subject: Sniffer
>
> Is there a good packet sniffer that runs on NT 4.0?
> Please help me with any information you may have
> Thanks
>
> If you know of any good packet sniffer for UNIX please let me know
> also.
>
> Taufik Islam
> Network Engineer, ACA

From firewalls-owner Wed Apr 1 06:36:25 1998
From: Clyde Williamson
Date: Mon, 30 Mar 1998 22:53:27 -0500
To: quiksilver
Cc: firewalls@GreatCircle.COM
Subject: Re: cable modem security

-----BEGIN PGP SIGNED MESSAGE-----

There is a secure shell client for NT and Win 95 free at:
http://www.hadiko.de/tutorien/benutzerbetreuung/Betreuung/Anleitungen/freesshwin.html

The page is in German but you can use babelfish.altavista.digital.com to
translate. Hint: use build 3298059 and cryptlib 1.00 with the patch... all
other builds seem to crash when they disconnect.... But I've got it working
great.

At 21:07 03/30/1998 -0500, you wrote:
>well, if you were using unix, you could install Secure Shell. It
>encrypts telnet sessions.
>
>On Mon, 30 Mar 1998, Brett Mayer wrote:
>
>> From what I've heard, the cable modem runs over the existing cable TV
>> lines strung throughout your area. Anyone with a packet sniffer can tap
>> in and see all transmissions. There is a great article about it in 2600
>> (the one with the orangutan on the cover)
>>
>> >I have just installed a cable modem from the @home network to a single
>> >machine running NT 4.0 SP3.
>> >It provides REALLY GREAT performance, but I
>> >cannot get any support from @home about security.
>> >
>> >I only plan to run Netscape, and read mail and news groups. What can I do
>> >to protect data on this machine from security risks?
>> >
>> >Ned
>>
>> Brett Mayer
>> ESM-Tivoli
>> GMAC\RFC
>> (612)832-7148

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQEVAwUBNSBopseWPtttGqZhAQFUmwf/XAyQW3eQKFZVNdXy48dH8j16Ck5I6QpN
FcUVyKW/A9+m8C247kq5DhgrKXrhYXMqa0diGUtLksHTNI4ItW7wjECOsAmMLy6k
ycd07kmFF5WH/34YVbKQOZjZcNJ74p5HQGQ519Cl0sZjw5wJ2OPlOqr+TIDqjgK+
FHieDnyUw8v/LLeY5zPH8uBUCH29kpBos1Za0MysQPABi1hcd8j6THMwwdFuyPYH
YNax3jhSS8OAbRiIQqwleRpg2jsC2lT9F71tR5Bp8Acis2iXhytuGuEMhC/TKHd0
F7obT8WH5l3C6FXuoS+m6ACV/SPYZ08IW8ig+PHjLPxM54c4VLL+SA==
=h7/x
-----END PGP SIGNATURE-----

Clyde Williamson
PGP Public Key found at: http://users1.ee.net/clydew/pgp.htm
--------------------------------------------
Quidquid latine dictum sit, altum viditur. | (Anything in Latin sounds profound.)
|
--------------------------------------------

From firewalls-owner Wed Apr 1 06:37:57 1998
From: Brian Murphy (BrianM@dial.pipex.com)
Date: Wed, 1 Apr 1998 13:50:15 +0100
Subject: Cisco Router Config

Hi All (Again)
	Enclosed please find a sample (fictitious) router config, assuming the
following situation: eth0: connection to firewall, ser0: leased line to
internet, 192.168.0.2 is firewall, 192.168.0.3 and .4 are management
stations. Should this config prevent DoS attacks, IP spoofing, and be
generally secure? I know that there is no routing etc etc (I just did this
in notepad!!)

Thanks

Brian Murphy
------------------------------------------------------------------------

no service tcp-small-servers
no service udp-small-servers
no ip bootp server
no service finger
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption

enable password enable

username manager password 7 letmein

snmp-server community public RO 1
snmp-server community private RW 1
no snmp-server trap-authentication

interface ethernet0
ip address 192.168.0.1 255.255.255.0
ip access-group 101 in
ip access-group 111 in

interface serial0
ip address 192.168.1.1 255.255.255.0
ip access-group 101 in
ip access-group 111

access-list 1 permit 192.168.0.2
access-list 1 permit 192.168.0.3
access-list 1 permit 192.168.0.4

access-list 12 permit 192.168.0.2 255.255.255.255
access-list 12 permit 192.168.0.3 255.255.255.255
access-list 12 permit 192.168.0.4 255.255.255.255
access-list 12 deny ip any any log

access-list 51 deny 0.0.0.0 255.255.255.255

access-list 101 deny tcp 192.168.0.1 0.0.0.0 192.168.0.1 0.0.0.0 log
access-list 101 deny tcp 192.168.1.1 0.0.0.0 192.168.1.1 0.0.0.0 log
access-list 101 deny tcp any any any any eq 53
access-list 101 deny udp any any any any eq 69
access-list 101 deny tcp any any any any eq 87
access-list 101 deny tcp any any any any eq 111
access-list 101 deny udp any any any any eq 111
access-list 101 deny udp any any any any eq 2049
access-list 101 deny tcp any any any any eq 512
access-list 101 deny tcp any any any any eq 513
access-list 101 deny tcp any any any any eq 514
access-list 101 deny tcp any any any any eq 515
access-list 101 deny tcp any any any any eq 540
access-list 101 deny tcp any any any any eq 2000
access-list 101 deny udp any any any any eq 2000
access-list 101 deny tcp any any any any eq 2001
access-list 101 deny udp any any any any eq 2001
access-list 101 deny tcp any any any any eq 6000
access-list 101 deny udp any any any any eq 6000
access-list 101 deny tcp any any any any eq 6001
access-list 101 deny udp any any any any eq 6001
access-list 101 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 established
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

access-list 111 deny ip 192.168.0.0 0.0.0.255 0.0.0.0 255.255.255.255 log
access-list 111 deny ip 192.168.1.0 0.0.0.255 0.0.0.0 255.255.255.255 log
access-list 111 permit ip 192.168.0.0 0.0.2.255 any
access-list 111 deny ip any any log

line console 0
login
password hello
exec-timeout 1 30

line aux 0
access-class 51 in

line vty 0 4
access-class 12 in
login
password hello

From firewalls-owner Wed Apr 1 06:53:16 1998
From: amir.ameri@zurich.com
Date: Tue, 31 Mar 1998 08:37:13 +0100
Subject: Re: Security Policy

Charles, the best source I have so far come across (I wish I had known of it 8 months ago and could have saved literally thousands of dollars multiplied) is a book by Charles Cresson Wood titled Information Security Policies Made Easy, ISBN 1-881585-04-2. Web site: http://www.baselinesoft.com. I could simply say, I don't know of anything comparable to it (I am talking from a customer's perspective). You get a book and a CD containing all the information, which you simply cut and paste!
Amir Ameri
ZURINET Security Manager

From firewalls-owner Wed Apr 1 07:25:45 1998
From: "Chris Kostick"
Date: Wed, 1 Apr 1998 09:53:40 -0500
To: "Roman Ramirez"
Subject: Re: Questions about ICMP

>I have some questions about ICMP filtering, what kind of icmp packets
>should I filter?
>
>In other way, what icmp options can I permit in packets?

First of all you have to have a device capable of making decisions that
include information about the interface a packet came in on; in most
terms, the internal or external interface. This allows you to differentiate
the direction of ICMP requests and replies. Usually, requests going out and
replies coming in are good. The other direction is not so good.

Second, you don't want to allow ICMP without some type of state kept about
the traffic. For example, if an ICMP "network unreachable" message is
received, was there an earlier connection (existing or established) from
the identified source to that destination network? If so, allow it through.
Otherwise assume it's bogus and drop it.

>I'm seeking a RESTRICTIVE policy, but I need to let ping and
>traceroute get out and in...

Letting ping and traceroute in AND out is not a good idea. At the very least
base the decision on the direction of the packet and the ICMP type. In the
case of ping, allow the Request to go out and the Reply to come back, but
not the reverse. In the case of traceroute, allow ICMP time-exceeded
messages to come in.

--
Chris
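The direction- and state-aware ICMP rule Chris describes above, as an added example (editor's code, not from any message in this digest): a small filter that classifies ICMP by the interface it arrived on and by type, lets echo requests out and the matching replies back in but never the reverse, and admits destination-unreachable and time-exceeded errors only when the datagram quoted inside them belongs to a flow the filter has already seen leave. The interface names "inside"/"outside", the Flow and Packet records and every address below are constructed for the example.

```python
"""Direction- and state-aware ICMP filtering (added example, not from the list).

The interface names "inside"/"outside", the Flow/Packet records and all
addresses used here are constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional, Set

# ICMP type numbers from RFC 792
ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11


@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    sport: int      # for icmp: the echo identifier
    dst: str
    dport: int      # for icmp: 0


@dataclass
class Packet:
    iface: str                      # interface it arrived on: "inside" or "outside"
    src: str
    dst: str
    proto: str = "icmp"
    sport: int = 0
    dport: int = 0
    icmp_type: Optional[int] = None
    inner: Optional[Flow] = None    # ICMP errors quote the offending datagram


class IcmpFilter:
    """Outbound = arrived on the inside interface; inbound = arrived on outside."""

    def __init__(self) -> None:
        self.flows: Set[Flow] = set()   # flows seen leaving the protected network

    def _remember(self, p: Packet) -> None:
        self.flows.add(Flow(p.proto, p.src, p.sport, p.dst, p.dport))

    def decide(self, p: Packet) -> str:
        outbound = p.iface == "inside"
        if p.proto != "icmp":
            # Not ICMP: left to the TCP/UDP rules; only record outbound flows so
            # that later ICMP errors about them can be matched.
            if outbound:
                self._remember(p)
            return "pass"
        t = p.icmp_type
        if t == ECHO_REQUEST:           # ping: request out, reply in, never the reverse
            if not outbound:
                return "deny"
            self._remember(p)           # pending ping keyed on (src, identifier, dst)
            return "permit"
        if t == ECHO_REPLY:
            if outbound:
                return "deny"
            pending = Flow("icmp", p.dst, p.sport, p.src, 0)
            if pending in self.flows:
                self.flows.discard(pending)
                return "permit"
            return "deny"               # unsolicited reply (or a covert channel)
        if t in (DEST_UNREACH, TIME_EXCEEDED):
            # traceroute and error feedback: inbound only, and the quoted
            # original datagram must be a flow we saw leave
            if outbound or p.inner is None:
                return "deny"
            return "permit" if p.inner in self.flows else "deny"
        return "deny"                   # redirects, router advertisements, anything else


if __name__ == "__main__":
    f = IcmpFilter()
    print(f.decide(Packet("inside", "192.168.0.5", "10.1.1.1", icmp_type=ECHO_REQUEST, sport=77)))
    print(f.decide(Packet("outside", "10.1.1.1", "192.168.0.5", icmp_type=ECHO_REPLY, sport=77)))
```

A traceroute from 192.168.0.5 sends UDP probes outward (recorded as they pass), and each router's time-exceeded comes back quoting that probe, so it is matched and permitted; a time-exceeded that quotes a flow nobody sent, or one arriving from the inside, is dropped. The same lookup handles the final hop's port-unreachable.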
From firewalls-owner Wed Apr 1 08:39:23 1998
From: Brian Macke
Reply-To: bmacke@telegroup.com
Date: Tue, 31 Mar 1998 16:01:23 -0600 (CST)
To: Roland Mueller
Cc: lpchiew@pc.jaring.my, Firewalls@GreatCircle.COM
Subject: Re: Updated rfc1244?

Damn.. all these responses.. I thought I was the only one that actually
read the RFC. How many places actually use it as an SOP for their
environments?

On Tue, 31 Mar 1998, Roland Mueller wrote:

> griffin wrote:
> >
> > Hi!
> >
> > I remembered reading somewhere that the RFC1244
> > was to be replaced by a new rfc. Anyone knows
> > what that is?
> >
> > Thanks.
> >
> > Grif.
> You are right, the new site security handbook is RFC 2196
> regards
> Roland
> --
> _________________________________________________________
> Roland Mueller
> Daimler-Benz AG
> Bereich Datenschutz
> HPC 0179
> 70546 Stuttgart
> Tel. (+49) 711-972-2328 Fax.
> (+49) 711-972-1918
> e-mail: rmueller@debis.com

-Brian James Macke
macke@telegroup.com
Unix SysAdmin/Security Specialist
Telegroup, Inc.
"In order to get that which you wish for, you must first get that which
builds it." -- Unknown

From firewalls-owner Wed Apr 1 08:39:30 1998
From: "Danny Johnson"
Date: Tue, 31 Mar 98 17:55:32 -0700
Subject: Re: cable modem security

I think that's a little outdated. The cable modem (for @home anyway) runs
on its own fiber optic line which goes somewhere near your major cross
streets. Then a coax line is run down your street, from which all the users
are strung with coax leading to each house. This is a separate line from
your TV cable.
Before (I'm not sure how long ago), if you had file and print sharing
turned on in Win95 then it would be possible for anyone on your street line
to view your hard drive by simply using the Network Neighborhood icon. Most
modems today don't allow that even if you have file/print sharing on, I
believe, especially the ones @home uses (Motorola and Lancity).

As far as using a sniffer, I'm not sure as to what is vulnerable. The
sniffer would have to be set up on the same street line to work. But this
would only affect the transfer of information, not the data stored on your
computer, which is what you were asking about. If the modem was hooked up
directly to a hub there might be some security compromise as well.

If you're really paranoid or you network multiple computers from your
@home connection, consider using some firewall software for use on PCs
like pc-firewall or something similar.

This is what I have understood, no correctness guarantee here.

dj

______________________________ Reply Separator _________________________________
Subject: cable modem security
Author: "Brett Mayer" at internet
Date: 3/30/98 5:40 PM

From what I've heard, the cable modem runs over the existing cable TV lines
strung throughout your area. Anyone with a packet sniffer can tap in and see
all transmissions. There is a great article about it in 2600 (the one with
the orangutan on the cover)

>I have just installed a cable modem from the @home network to a single
>machine running NT 4.0 SP3. It provides REALLY GREAT performance, but I
>cannot get any support from @home about security.
>
>I only plan to run Netscape, and read mail and news groups. What can I do
>to protect data on this machine from security risks?
>
>Ned

Brett Mayer
ESM-Tivoli
GMAC\RFC
(612)832-7148

From firewalls-owner Wed Apr 1 09:06:44 1998
Date: Wed, 1 Apr 1998 10:09:45 -0600
From: Todd Adamson
To: firewalls@GreatCircle.com
Subject: Re: Sniffer (NetXray)

I have been using the NetXray product since about the time that they were
purchased by NGC (now NAI). The only negative items that I can say about it
are:

(1) You have to be careful with the NIC card that you use. Because NetXray
uses the NDIS driver from Windows or from a manufacturer, not all of the
level 1 errors can be seen, i.e. collisions, runts and so forth. If you
have the choice, look over their list of suggested NIC cards.

(2) I sometimes miss the Expert analysis of the Sniffer product during
capture. The good part is that the traces from NetXray can be saved in
Sniffer format to get that analysis when you need it.

Todd Adamson
ta@mgmtcomm.com
adat0@routers.com

> Windows NT's own network monitor is doing quite a good job. Its
> restriction is that it only records packets that are addressed to or
> from that host.
> Say, if you run it on host myhost.foo.bar, you can only see packets that
> are sent to or from myhost.foo.bar, but not any "3rd party packets",
> e.g. from host1.foo.bar to host2.foo.bar.
>
> The network monitor included in MS SMS is basically the same, but
> without that boring restriction.
>
> The most powerful monitor I know is Sniffer (former NetXRay) from
> Network Associates. It is easily scalable for your specific needs. See
> http://www.nai.com/ for more.
>
> Another monitor I once heard about is NetAnt from People Network. See
> http://www.people-network.com/netant.htm for info.
>
> But if you have a Linux box at hand I would rather use tcpdump than
> those above. It's powerful, easy to use and free.
>
> Patrick
>
> > Is there a good packet sniffer that runs on NT 4.0?
> > Please help me with any information you may have.
> > Thanks
> >
> > If you know of any good packet sniffer for UNIX please let me know
> > also.
> >
> > Taufik Islam
> > Network Engineer, ACA

From firewalls-owner Wed Apr 1 09:20:00 1998
From: Steve Pearse
To: "'Andrew Cameron'"
Cc: "'firewalls@greatcircle.com'"
Subject: RE: Raptor.
Date: Wed, 1 Apr 1998 17:35:16 +0100

Yes, we took off reverse lookups before. We found that Raptor NT is indeed
FAST :). Our problem was that we use NT authentication, and somehow the
WINS was doing a broadcast, not a point to point; we changed that, and
wammo, it's warp factor 10 :)

Thanks all for the hints.

-----Original Message-----
From: Andrew Cameron [mailto:andrew@andy.alt.za]
Sent: Tuesday, March 31, 1998 9:54 PM
To: Steve Pearse
Cc: firewalls@greatcircle.com
Subject: Raptor.

I do not have any performance problems; in fact we find it very fast. Most
performance problems seem to be with incorrectly configured DNS. Try
disabling reverse lookups and see if this helps.

Steve Pearse
Subject: RAPTOR performance

We seem to be experiencing performance problems with Raptor. We have around
300 users going through one NT/Compaq 5000/Raptor box (concurrently
probably less than 100), and compared to our old BorderWare proxy, it
appears slow. Is this the experience of others here? Should we have used
Unix? We are an NT shop, and like the ease of admin of the NT accounts. Are
there better performing firewalls that also use the NT SAM?
Thanks for any advice.

-----------------------------------------------------------------------------
Andrew Cameron
Internet : andrew@andy.alt.za
X.400    : C=ZA G=Andrew S=Cameron Admd=TELKOM400
-----------------------------------------------------------------------------

From firewalls-owner Wed Apr 1 09:34:24 1998
Date: Wed, 01 Apr 1998 08:28:36 -0800
From: Larry Kwiat
To: Vin McLellan, "Paul D. Robertson"
Cc: Jesse Brown, firewalls@greatcircle.com
Subject: Re: Ammunition, please

>>> I think the only real solution is a physical security device (say
>>> SecureID) that also takes into account biometrics (retinal scans, finger
>>> prints, etc.). Passwords are too easy to guess.
>
> Paul D. Robertson responded with an
> uncharacteristically bloody vision:
>
>> It's hard enough to get users to take care of laptops, with biometrics,
>> now I have to worry about them taking care of their body parts?
>>
>> Guido the denial-of-service expert will be closing down your access
>> temporarily...
>
> Guido and his buddy Mac the Knife don't have to go that far today.

One of the difficulties of the security business is the hype. People get
influenced by the James-Bond-saves-the-world mentality. It is far better to
keep it simple. In saying the following, I may have erred even on the side
of complication.

The subject here is risk management. If you "wire" the people to the boxes,
you make it worth the risk to take the person with the box. You change the
shape of the window of possibility for the perpetrator, but you don't
substantially change the situation. Banks have had this problem for years
over other types of access issue.

Ideally, risks should be parcelled out as a management strategy. When you
allow them to aggregate, your risk-management picture is progressing toward
getting out of hand. That is not supportable in good risk management if
there are no potential gains. I don't count increasing the risk exposure on
human life and limb in order to "raise the ante" and maybe create very
temporary deterrence as a gain of anything substantial.

A person might examine the risk parcels... Remember, the parcels should be
kept separate and managed that way for least risk in general.

Parcel: the laptop or other net access device in personal care.
Parcel: the key to the laptop, physical or logical, in personal care.
Parcel: the owner.
Parcel: the network. (This should also be separated out into parcels; I
simplify.)
etc.

To allow the physical attributes of the person to become a completely
necessary part of the access system is to marry two of the parcels. This is
not a real good idea.

...my two cents' worth anyway...

L.
Sincerely,
Larry Kwiat
Security Coordinator
Government of Yukon
Larry.Kwiat@gov.yk.ca
Phone: (867) 667-8081

From firewalls-owner Wed Apr 1 11:16:09 1998
Date: Wed, 1 Apr 1998 10:28:19 -0800
From: Michael Batchelor
To: firewalls@GreatCircle.COM
Subject: RE: Split DNS config questions

Thanks for the hints and tips from everyone who responded. The part I was
not "getting" was the need to duplicate inside and outside zone databases,
if inside and outside zones belong to the same domain. Since our outside
zones are larger and more dynamic than the inside zone, I have chosen to
use a new subdomain for the inside zone, which is relatively stable. This
way I avoid having to duplicate the administrative effort for both inside
and outside zones. I'll just set up the resolv.conf on inside hosts so that
the search order looks at the inside and then the outside domains.

> -----Original Message-----
> From: Leonard Miyata [SMTP:leonard@geminisecure.com]
> Sent: Wednesday, April 01, 1998 9:55 AM
> To: Michael Batchelor
> Cc: firewalls@GreatCircle.COM
> Subject: Re: Split DNS config questions
>
> Hi There
>
> First, the best reference for this subject is
>   Building Internet Firewalls, Chapman & Zwicky
>   DNS and BIND, 2ND EDITION!! Albitz & Liu
> Both from O'Reilly & Associates, Inc.
> The two together provide a good write-up on the interactions of DNS,
> firewalls and DMZ configurations.
>
> The entire purpose of 'split' DNS is to set up a private DNS
> infrastructure to resolve your internal private addresses, and the
> public addresses they're allowed to talk to. Meanwhile, your official
> public DNS server contains your public addresses, and resolves Internet
> connections. Since the public server does not know your internal
> addresses, the 'split' DNS configuration 'hides' the internal addresses
> from public view. By the way... they both use 'your domain', but they
> are duplicate infrastructure.
>
> For complete isolation, not only do you need your private primary and
> secondary DNS servers, you also need a private root server granting
> your private primary authoritative for the domain.
>
> Personal opinions provided by
> Leonard Miyata
> aka leonard@geminisecure.com
> Gemini Computers Inc.
>
> On Tue, 31 Mar 1998, Michael Batchelor wrote:
>
> > I am having some trouble understanding how split DNS is supposed to
> > work. I am using BIND 8.1.1 on Irix 6.2. I have looked up some info on
> > the web about split DNS (fwtk FAQ, for instance, has a short
> > tutorial), and have gone over the discussion in the Cheswick/Bellovin
> > firewalls book, but still have some unresolved questions:
> >
> > 1. If I want to use the same domain for internal and external, how
> > does the internal DNS server know when to forward to the firewall? I
> > set up the internal name server as primary for company.com, but
> > www.company.com is an external host. The internal server doesn't want
> > to forward queries for www.company.com to the firewall. It returns
> > NXDOMAIN for all outside hosts in the same domain, if the internal
> > server doesn't have a record. Must I set up a different internal
> > domain for inside DNS? That works, by the way, but I was under the
> > impression that split DNS worked with the same domain inside and
> > outside.
> > It's really inconvenient for me to have to make internal.company.com
> > or whatever.
> >
> > 2. I prepared a named.cache file for the internal DNS server that
> > lists itself as a root server. Named likes to complain in the log
> > files about "sysquery: no addrs found for root NS ()". If I leave out
> > the named.cache from the named.conf, it fails to operate (SRVFAIL
> > errors). If I use the named.cache from rs.internic.net, all answers
> > are non-authoritative.
> >
> > 3. My firewall is actually not listed in the NIC as primary for our
> > domain. Our external primaries are co-located at our ISP. So I set up
> > the firewall named as a caching forwarder to the existing external
> > name servers. When the internal server is set up with a subdomain,
> > rather than the same domain as the external hosts, this seems to work
> > OK. I have the firewall named set to log all queries, and it does get
> > the queries from the internal server, and forwards to the external.
> > So I think this setup is functionally OK, but wanted to mention it in
> > case it has relevance to my other questions.
> >
> > Any hints, tips, or URLs to a complete discussion with examples would
> > be very much appreciated.
> >
> > _______________________________________________________
> > UNIX TEAM - Because it tells me to.
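Added example, not from any of the list posts above: one way to lay out the subdomain-based split DNS that Michael settled on, in BIND 8 named.conf syntax, with an inside subdomain on the internal server that forwards everything it is not authoritative for to the firewall's caching forwarder, which in turn forwards to the ISP-hosted external primaries. Zone file names, the 10.0.0.0/8 inside addresses and the 192.0.2.x ISP name server addresses are constructed placeholders.

```conf
# --- /etc/named.conf on the INTERNAL name server (BIND 8 syntax) ---
options {
    directory "/var/named";
    # Never resolve directly: every name we are not authoritative for goes to
    # the firewall's named, so the internal server never talks to the Internet.
    forward only;
    forwarders { 10.0.0.1; };          # firewall inside interface (constructed)
};

# Real root hints from rs.internic.net, loaded so named starts cleanly; with
# "forward only" the roots are never contacted, and the server no longer has
# to pretend to be its own root.
zone "." {
    type hint;
    file "named.cache";
};

# Authoritative for the INSIDE subdomain only. A query for www.company.com
# falls outside this zone, so it is forwarded instead of answered NXDOMAIN.
zone "inside.company.com" {
    type master;
    file "inside.company.com.zone";    # constructed file name
};

zone "0.0.10.in-addr.arpa" {
    type master;
    file "10.0.0.rev";                 # constructed file name
};

# --- /etc/named.conf on the FIREWALL: caching forwarder only, no zones ---
options {
    directory "/var/named";
    forward only;
    forwarders { 192.0.2.53; 192.0.2.54; };   # ISP-hosted external primaries (constructed)
};

zone "." {
    type hint;
    file "named.cache";
};

# --- /etc/resolv.conf on inside hosts ---
# A short name such as "www" is tried as www.inside.company.com first (the
# internal master answers NXDOMAIN), then as www.company.com, which the
# internal server forwards through the firewall to the public zone.
search inside.company.com company.com
nameserver 10.0.0.53                   # internal name server (constructed)
```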
From firewalls-owner Wed Apr 1 11:29:31 1998
From: Ciaran.Deignan@bull.net
Date: Wed, 1 Apr 1998 11:54:59 +0200 (DFT)
To: firewalls@GreatCircle.COM
Cc: Ghislain.Kerviler@bull.net, Frederic.Soinne@bull.net, Daniel.Sorba@bull.net
Subject: Re: NetWall from Bull

Nerijus Krukauskas on 31.03.98 14:30:13 wrote:
> Hello,
>
> Does anyone have any experience with NetWall from Bull? Is it worth
> installing this firewall solution?

I work for Bull, so my opinion is obviously biased; however, Netwall is
ICSA (formerly NCSA) certified, check out
http://www.ncsa.com/fwcd/netwall.html

There is good information on how Netwall works in the Netwall White Paper
at http://www-frec.bull.com/OSBU2_0/wp_netwall.htm , and there is an
excellent "how to do it" guide in the Secure-ready White Paper at
http://www-frec.bull.com/OSBU2_0/wp_securehp.htm .

Netwall is a stateful IP filter, plus "transparent" application proxies
(TIS proxies with Bull added value), plus optional remote control
(encrypted connection) and other optional features.
The IP filter can group one or more interfaces into security domains
(Internal, External, DMZ, User-defined) for collective management:

    From any Internal to any DMZ, any service, accept

Netwall uses an ergonomic GUI running on the AIX (NT version available)
platform (or a remote administration running on an AIX or Windows95
platform).

Netwall costs in the region of $10K (50K FF). An entry-level package (IP
filtering only, limited to 50 "internal" IP addresses) costs in the region
of $3K.

Hope this helps,
Ciaran

+-------------------------------------------------------------------------+
 Ciaran Deignan                          Tel: (France) 04 76 29 79 92
 BULL XS-BU (http://www-frec.bull.com)   Internet Support Project Leader
 Office: C1/012                          Bullcom: 229 79 92
 Mail to: C1/023 or Ciaran.Deignan@bull.net   Fax: 229 76 89
+-------------------------------------------------------------------------+

From firewalls-owner Wed Apr 1 11:57:26 1998
Date: Mon, 30 Mar 1998 19:08:19 -0800
From: Ray Ricardo
To: "'firewall-wizards@nfr.net'", "'firewalls@greatcircle.com'"
Subject: FW: FW-1 redundancy
Configured properly, dynamic routing can safely be used in the DMZ to
achieve redundant firewall availability. If you OWN and CONTROL your
exterior and interior routers, you can configure the routers to ONLY
receive routing updates from the security server in the DMZ (using GATED)
and configure the security server to ONLY send updates to your exterior and
interior routers.

No other routing updates would be required. Once this is accomplished, the
exterior and interior routers will always have current knowledge of the
state of the firewalls in the DMZ. If a firewall fails, the routers will
stop receiving routing updates from that server, flush it out of their
routing tables and begin sending packets to the other firewall.

It is important that this configuration is implemented by a security /
network professional who has expert understanding of the risk associated
with network routing. This goes against conventional thinking, but done
properly, it can be implemented safely.

p.s. I would advise using OSPF instead of RIP2.

Ray Ricardo

> ----------
> From: Jose R. Ferreira[SMTP:jricardo@medidata.com.br]
> Sent: Monday, March 30, 1998 9:35 AM
> To: Firewalls@GreatCircle.COM
> Subject: FW-1 redundancy
>
> From: Jose R. Ferreira@MLX on 30/03/98 14:35
>
> Hi All,
>
> I am looking for a solution to give more availability to an Internet
> site. Today its configuration is quite simple:
>
>        External router
>              |
>       _______|___________
>              |
>       FW-1 (Checkpoint) + NAT
>              |
>       ______|___________
>              |
>       Internal network
>
> I am thinking about the diagram below, using a routing protocol like
> OSPF or RIP to inform the internal network that there is another route
> if a FireWall or a link fails, using an internal router as a default
> gateway for the internal network.
>            External router
>                  |
>     _____________|_____________
>        |                   |
>        |                   |
>     FW-1 2.0            FW-1 2.0
>      | (NAT)             | (NAT)
>     ______|_______________|____
>                  |
>           Internal router
>                  |
>                  |
>           Internal Network
>
> Does anybody know if the FireWall-1 product supports synchronization
> (the state tables and rules are kept in synchronization)?
>
> I have read about a solution from Stonesoft, called StoneBeat. Does
> anybody have some experience with this product?
>
> I am very interested to know your opinion, experience and solutions for
> this situation.
>
> Regards,
> Jose Ricardo

From firewalls-owner Wed Apr 1 11:57:30 1998
Date: Mon, 30 Mar 1998 20:48:00 -0500
From: Charles Getty
To: "'Brett Mayer'", "Firewalls (E-mail)"
Subject: RE: cable modem security

That assumes you can put the "cable modem" into a promiscuous mode.... The
cable modem is essentially a transparent bridge...
Does anyone know of other devices that allow you to access the cable
medium? Is there an online copy of this article in 2600?

-----Original Message-----
From: Brett Mayer [mailto:BMayer@rfc.com]
Sent: Monday, March 30, 1998 5:40 PM
To: firewalls@GreatCircle.com
Subject: cable modem security

From what I've heard, the cable modem runs over the existing cable TV lines
strung throughout your area. Anyone with a packet sniffer can tap in and see
all transmissions. There is a great article about it in 2600 (the one with
the orangutan on the cover).

>I have just installed a cable modem from the @home network to a single
>machine running NT 4.0 SP3. It provides REALLY GREAT performance, but I
>cannot get any support from @home about security.
>
>I only plan to run Netscape, and read mail and news groups. What can I do
>to protect data on this machine from security risks?
>
>Ned

Brett Mayer
ESM-Tivoli
GMAC\RFC
(612)832-7148
From firewalls-owner Wed Apr 1 13:08:34 1998
Date: Wed, 01 Apr 1998 11:02:56 -0800
From: Daniel Walsh
To: Firewalls
Subject: Spam!

I'll make this short, and I know this has nothing to do with firewalls,
but. . . SPAM! How do I deal with the "unidentified recipients?" And more
importantly, I have received several e-mails from an AOL account that
returns an unidentified user response when I tried to get off the list.
Help? Maybe a direction to send me in?

And more on the subject: I want to thank you guys for the topics. My
presentation for my LAN class went much smoother because of this list!

Thanks,
dan

---------------------------------
Daniel Walsh
University of Washington Engineering Alumni Assoc.
-Webslave
karsus@geocities.com
----------------------------------

From firewalls-owner Wed Apr 1 13:57:20 1998
From: "Marc D. Jackson"
Subject: Re: FW: FW-1 redundancy
To: ray.06@worldnet.att.net (Ray Ricardo)
Date: Wed, 1 Apr 1998 10:50:35 -0800 (PST)
Cc: firewall-wizards@nfr.net, firewalls@GreatCircle.COM

Ray Ricardo writes:
>
> Configured properly, dynamic routing can safely be used in the DMZ to
> achieve redundant firewall availability. If you OWN and CONTROL your
> exterior and interior routers, you can configure the routers to ONLY
> receive routing updates from the security server in the DMZ (using
> GATED) and configure the security server to ONLY send updates to your
> exterior and interior routers.
>
> No other routing updates would be required. Once this is accomplished,
> the exterior and interior routers will always have current knowledge of
> the state of the firewalls in the DMZ. If a firewall fails, the routers
> will stop receiving routing updates from that server, flush it out of
> its routing tables and begin sending packets to the other firewall.
>
> It is important that this configuration is implemented by a security /
> network professional who has expert understanding of the risk associated
> with network routing. This goes against conventional thinking, but done
> properly, it can be implemented safely.
>
> p.s. I would advise using OSPF instead of RIP2.

You might want to tell why one should use OSPF over RIP2.

mj

> Ray Ricardo
>
> > ----------
> > From: Jose R. Ferreira[SMTP:jricardo@medidata.com.br]
> > Sent: Monday, March 30, 1998 9:35 AM
> > To: Firewalls@GreatCircle.COM
> > Subject: FW-1 redundancy
> >
> > From: Jose R. Ferreira@MLX on 30/03/98 14:35
> >
> > Hi All,
> >
> > I am looking for a solution to give more availability to an Internet
> > site. Today its configuration is quite simple:
> >
> >        External router
> >              |
> >       _______|___________
> >              |
> >       FW-1 (Checkpoint) + NAT
> >              |
> >       ______|___________
> >              |
> >       Internal network
> >
> > I am thinking about the diagram below, using a routing protocol like
> > OSPF or RIP to inform the internal network that there is another route
> > if a FireWall or a link fails, using an internal router as a default
> > gateway for the internal network.
> >
> >            External router
> >                  |
> >     _____________|_____________
> >        |                   |
> >        |                   |
> >     FW-1 2.0            FW-1 2.0
> >      | (NAT)             | (NAT)
> >     ______|_______________|____
> >                  |
> >           Internal router
> >                  |
> >                  |
> >           Internal Network
> >
> > Does anybody know if the FireWall-1 product supports synchronization
> > (the state tables and rules are kept in synchronization)?
> >
> > I have read about a solution from Stonesoft, called StoneBeat. Does
> > anybody have some experience with this product?
> >
> > I am very interested to know your opinion, experience and solutions
> > for this situation.
> >
> > Regards,
> > Jose Ricardo

From firewalls-owner Wed Apr 1 15:18:09 1998
Date: Wed, 01 Apr 1998 07:11:44 -0800
To: firewalls@greatcircle.com
From: rkizer@sddpc.org (Kizer, Randall)
Subject: Re: Laptop security / CMW variants

You might try looking into Axent's Security Briefcase. For << $100 you can
encrypt the files on your laptop, have strong authentication (one-time
password) and have a VPN session over an unsecured public network
(Internet).

At 12:49 PM 3/31/98 -0500, you wrote:
> Perry < queries the List:
>
>> 1) Can anyone recommend a laptop security product that supports full
>> disk encryption via a PCMCIA card; a bonus would be VPN support for
>> remote authentication issues. I have reviewed PC/DACS over the past
>> week, which is a software encryption/access control package, but the
>> encryption segment leaves a lot to be desired security-wise (not to
>> mention that the product sucks).
>
> Check out: <
>
> I just picked this announcement up off Bizwire.
> Suerte,
> _Vin
>
> ----
>
> Kasten Chase Applied Research Limited (TSE-KCA) today announced a joint
> sales and marketing agreement with SPYRUS, a leading electronic commerce
> company based in San Jose, California, to provide high performance, high
> security cryptographic technology as part of the world's first PCMCIA
> FORTEZZA(R)-based secure remote access solution for government agencies.
>
> Under the agreement, SPYRUS has developed a FORTEZZA(R)-enabled version
> of its proprietary Locksmith software application and its LYNKS Privacy
> Card(tm) for use with Kasten Chase's remote access products. Kasten
> Chase will deliver secure remote access solutions that include the
> SPYRUS family of hardware and software products. The SPYRUS products,
> bundled into the offering, will add desktop protection functionality to
> the solution that already provides authentication and encryption
> technology.
>
> "Our partnership with SPYRUS is an example of our commitment to offer a
> total secure access solution to the government and financial markets,"
> said Steve Ducat, vice president of sales for Kasten Chase. "Our
> partnership with SPYRUS, a leader in cryptographic desktop technology,
> adds important media encryption capabilities to our existing security
> portfolio, thereby positioning our offering to become the de facto
> standard for FORTEZZA(R)-based secure remote access."
>
> SPYRUS has developed a customized FORTEZZA(R)-based version of its
> Locksmith(tm) media encryption software for use with Kasten Chase's
> OPtiva Secure Plus. Locksmith adds another layer of security features to
> a remote access application by combining a personal identification
> number (PIN) with the SPYRUS PCMCIA-compliant LYNKS Privacy Card. LYNKS
> Privacy Cards enable security-critical capabilities -- user
> authentication, message privacy, message integrity authentication, and
> secure storage -- for a FORTEZZA(R)-based media encryption solution.
>
> "SPYRUS is leading the e-commerce industry in FORTEZZA(R)-based hardware
> and software solutions for high performance, high assurance Internet
> data access and security solutions," said Charlie Scruggs, director of
> sales for SPYRUS. "Remote access security is becoming an increasing
> problem for companies, with over 14 million people working from home or
> remote locations in the United States alone. With solutions such as
> those developed by SPYRUS and Kasten Chase, the travelling road warrior
> will no longer need to be concerned about the loss of a laptop computer
> and the potential damage resulting from misuse of critical corporate
> information."
>
> <
> ---------------
>
>> 2) Has anyone done a comparison between the different MLS and/or CMW
>> oriented OS' (i.e. Trusted Solaris, HPUX CMW, OSF CMW)? Any
>> information would be greatly appreciated.
>
> I too would be interested if you find a good repository for this sort of
> comparative info. You might check out the Dockmaster discussion groups.
> Contact the NISSC office at the NSA to arrange for access.
>
> -----
> "Cryptography is like literacy in the Dark Ages. Infinitely potent, for
> good and ill... yet basically an intellectual construct, an idea, which
> by its nature will resist efforts to restrict it to bureaucrats and
> others who deem only themselves worthy of such Privilege."
> _ A thinking man's Creed for Crypto/ vbm.
* Vin McLellan + The Privacy Guild + * 53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548 <<<<
From firewalls-owner Wed Apr 1 18:07:43 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA11029; Wed, 1 Apr 1998 13:16:29 -0800 (PST) Received: from zaphod.axion.bt.co.uk (zaphod.axion.bt.co.uk [132.146.5.1]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id BAA14229 for ; Wed, 1 Apr 1998 01:51:33 -0800 (PST) Received: from catullus.agw.bt.co.uk by zaphod.axion.bt.co.uk with SMTP (PP); Wed, 1 Apr 1998 10:54:51 +0100 Received: from newgate.agw.bt.co.uk (newgate.agw.bt.co.uk [147.150.193.219]) by catullus.agw.bt.co.uk (8.8.8/8.8.8) with ESMTP id JAA15688 for ; Wed, 1 Apr 1998 09:54:50 GMT Message-Id: <199804010954.JAA15688@catullus.agw.bt.co.uk> Received: by SMSMAINT-NEW with Internet Mail Service (5.5.1960.3) id <2AY3LZSD>; Wed, 1 Apr 1998 10:58:54 +0100 From: "Pearce, Danny" To: Firewalls@GreatCircle.COM Subject: RE: Intranet security products Date: Wed, 1 Apr 1998 10:43:26 +0100 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
http://www.iss.net - RealSecure/Internet Security Scanner (set of)
http://www.wheelgroup.com - NetRanger/NetSonar
http://www.nai.com - CyberCop
http://www.axent.com - NetRecon
Plus a few others that are not so good:
Abirnet SessionWall
NFR Network Flight Recorder (www.nfr.org)
++++++++++++++++++++++++++++++++++++++++++++++++++++
> My employer is looking for a tool that will detect intrusions primarily > from internal sources. We need a solution that will work on NT and > integrates well with Netscape > Suitespot servers. We are setting up an Intranet and are concerned about > internal users that might want to screw around.
> > thanks in advance...
> > Dave ++++++++++++++++++++++++++++++++++++++++++++++++++++
From firewalls-owner Wed Apr 1 19:10:16 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA06409; Wed, 1 Apr 1998 12:58:22 -0800 (PST) Received: from hef.ncanet.com (hef.ncanet.com [206.63.127.3]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id JAA25677 for ; Wed, 1 Apr 1998 09:40:08 -0800 (PST) Received: from tigger2.ncanet.com ([206.63.127.20]) by hef.ncanet.com (Netscape Mail Server v2.02) with SMTP id AAA16639; Wed, 1 Apr 1998 09:45:43 -0800 Message-Id: <3.0.3.32.19980401094441.006c7298@hef.ncanet.com> X-Sender: BobF@hef.ncanet.com X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Wed, 01 Apr 1998 09:44:41 -0800 To: "Berchtold Patrick (GIAPBE)" From: bobf@NCAnet.com (Bob Fitton) Subject: Re: AW: Sniffer Cc: "'Taufik Islam'" , "Firewalls Mailing List (E-Mail)" In-Reply-To: Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
You might also look into the Shomiti product line: http://www.shomiti.com/ They have both software-only and hardware solutions, the hardware solutions capable of full 100MB line-rate capture and/or packet generation.
At 01:24 PM 3/31/98 +0200, Berchtold Patrick (GIAPBE) wrote:
>Windows NT's own network monitor is doing quite a good job. Its >restriction is that it only records packets that are addressed to or >from that host. Say, if you run it on host myhost.foo.bar, you can only >see packets that are sent to or from myhost.foo.bar, but not any "3rd >party packets" eg from host1.foo.bar to host2.foo.bar
>
>The network monitor included in MS SMS is basically the same, but >without that boring restriction.
>
>The most powerful monitor I know is Sniffer (former NetXRay) from >Network Associates.
It is easily scalable for your specific needs. See >http://www.nai.com/ for more.
>
>Another monitor I once heard about is NetAnt from People Network. See >http://www.people-network.com/netant.htm for info.
>
>But if you have a Linux box at hand I would rather use tcpdump than >those above. It's powerful, easy to use and free.
>
>Patrick
>
>
>
>> -----Original Message-----
>> From: Taufik Islam [SMTP:Tislam@acaonline.org]
>> Sent: Friday, 27 March 1998 23:21
>> To: Firewalls@GreatCircle.COM
>> Subject: Sniffer
>>
>> Is there a good packet sniffer that runs on NT 4.0? >> Please help me with any information you may have >> Thanks
>>
>> If you know of any good packet sniffer for UNIX please let me know >> also.
>>
>> Taufik Islam >> Network Engineer, ACA
>
-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQA/AwUBNSJ9CNl6d/249nb1EQKbrwCgjzwGt84R+5PmjdqcXMXX2yvns4gAn1pw
4A9Thwql1QZ853dBai2Sybb1
=rVwk
-----END PGP SIGNATURE-----
Bob Fitton, Sr.
Network Engineer www.NCAnet.com Network Computing Architects 425.451.8995 10245 Main Street, Bellevue WA 98004 FAX.453.3461 From firewalls-owner Wed Apr 1 19:30:42 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA21968; Wed, 1 Apr 1998 14:05:21 -0800 (PST) Received: from imo28.mx.aol.com (imo28.mx.aol.com [198.81.17.72]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id OAA21929 for ; Wed, 1 Apr 1998 14:05:09 -0800 (PST) Received: from JonnyBoy85@aol.com by imo28.mx.aol.com (IMOv13.ems) id PCUYa24392 for ; Wed, 1 Apr 1998 17:08:46 -0500 (EST) From: JonnyBoy85 Message-ID: <5fa01b9b.3522baf1@aol.com> Date: Wed, 1 Apr 1998 17:08:46 EST To: Firewalls@GreatCircle.com Mime-Version: 1.0 Subject: Hi Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7bit X-Mailer: Windows AOL sub 168 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi all, thanks for the help and advice from my last post.. Maybe you can help me with another query. Can anybody explain about T1,T2, and T3 lines, they're like ISDN I think. I have tried everywhere to find out about them, and was starting to think that there was no such thing as a T3, but I found out again today that there is. Thanks again everybody.. 
Jonathan From firewalls-owner Wed Apr 1 20:41:00 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA26863; Wed, 1 Apr 1998 12:19:25 -0800 (PST) Received: from doggate.exchange.microsoft.com (doggate.exchange.microsoft.com [131.107.88.55]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id MAA26827 for ; Wed, 1 Apr 1998 12:19:12 -0800 (PST) Received: by DOGGATE with Internet Mail Service (5.5.2190.3) id <2B99FL85>; Wed, 1 Apr 1998 12:23:28 -0800 Message-ID: From: "Vinod Valloppillil (Exchange)" To: firewalls@GreatCircle.COM Subject: great circle spam relay Date: Wed, 1 Apr 1998 12:23:22 -0800 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2190.3) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk is it just me or is anyone else getting a ton of spam relayed by greatcircle.com? From firewalls-owner Wed Apr 1 20:41:03 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA05367; Wed, 1 Apr 1998 15:12:28 -0800 (PST) Received: from relay.la.tis.com (relay.la.tis.com [198.51.22.11]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id PAA05269 for ; Wed, 1 Apr 1998 15:12:06 -0800 (PST) Received: by relay.la.tis.com; id PAA17094; Wed, 1 Apr 1998 15:30:44 -0800 (PST) Received: from scintillate.la.tis.com(192.5.49.8) by relay.la.tis.com via smap (3.2) id xma017092; Wed, 1 Apr 98 15:30:44 -0800 Received: from empty (empty.la.tis.com [192.5.49.185]) by scintillate.la.tis.com (8.8.5/8.8.5) with SMTP id PAA15221 for ; Wed, 1 Apr 1998 15:14:21 -0800 (PST) Message-Id: <3.0.5.32.19980401151544.00c39610@pop> X-Sender: lothie@pop X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Wed, 01 Apr 1998 15:15:44 -0800 To: firewalls@greatcircle.com From: Lothie/Mimi Herrmann Subject: Re: Questions :) In-Reply-To: <35229D01.3B68@antares.serpro.gov.br> References: <9804011940.AA20572@antares.serpro.gov.br> Mime-Version: 1.0 Content-Type: 
text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
At 05:01 PM 4/1/98 -0300, marcos antonio de sousa wrote:
>> > I'm using Netscape 3.0 and someone has read my e-mails. >> > How is it possible? Of course, my question is for someone that doesn't >> > know my password :) >> > Thanks and hugs >> > Marcos
How do you know they read your email? Anybody with root access can read your email before you POP it to your local machine. That's most likely what happened.
--
Lothie/Mimi Herrmann, Senior Network Engineer mailto:lothie@tis.com or mailto:gauntlet-support@tis.com Disclaimer: TIS won't allow me to speak for them, even if I wanted to!
From firewalls-owner Wed Apr 1 20:41:55 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA28571; Wed, 1 Apr 1998 14:41:31 -0800 (PST) Received: from firewall.sni-usa.com (firewall.sni-usa.com [140.231.44.101]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id OAA28407 for ; Wed, 1 Apr 1998 14:40:47 -0800 (PST) Received: from passer.sni-usa.com by firewall.sni-usa.com via smtpd (for honor.greatcircle.com [198.102.244.44]) with SMTP; 1 Apr 1998 22:27:29 UT Received: from burexserv.sni-usa.com (burexserv.sni-usa.com [136.157.5.6]) by passer.sni-usa.com (SMI-8.6/) with ESMTP for delivery to "" id RAA09941; Wed, 1 Apr 1998 17:36:05 -0500 Received: by burexserv.sni-usa.com with Internet Mail Service (5.0.1458.49) id ; Wed, 1 Apr 1998 17:47:05 -0500 Message-ID: From: "Page, Sr., Alan" To: Brett Mayer , firewalls@GreatCircle.com Subject: RE: cable modem security Date: Wed, 1 Apr 1998 17:47:03 -0500 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.49) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
I used to install cable modems for Time Warner with their Road Runner service.
When you are connected to a cable modem it is no different than being on a LAN. You are running TCP/IP. There are some good personal firewall programs out there that can allow you to add the extra layer of security to your system. Having NTFS as the file system with a secure ACL will also help, but the one thing to remember is it is just a large network, no different from your average corporation's net.
Sincerely,
Alan Page Sr. Network Consultant Siemens Nixdorf Information Systems email Alan.page@sni-usa.com
> -----Original Message-----
> From: Brett Mayer [SMTP:BMayer@rfc.com]
> Sent: Monday, March 30, 1998 5:40 PM
> To: firewalls@GreatCircle.com
> Subject: cable modem security
>
> From what I've heard, the cable modem runs over the existing cable TV > lines strung throughout your area. Anyone with a packet sniffer can > tap in and see all transmissions. There is a great article about it in > 2600 (the one with the orangutan on the cover).
> > > > > >
> >I have just installed a cable modem from the @home network to a > single > >machine running NT 4.0 SP3. It provides REALLY GREAT performance, > but I > >cannot get any support from @home about security.
> > >
> >I only plan to run Netscape, and read mail and news groups. What can > I do > >to protect data on this machine from security risks?
> > > >Ned > > > Brett Mayer > ESM-Tivoli > GMAC\RFC > (612)832-7148 From firewalls-owner Wed Apr 1 21:40:14 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id QAA25577; Wed, 1 Apr 1998 16:41:34 -0800 (PST) Received: from ns.mapcoinc.com (ns.mapcoinc.com [206.103.80.2]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id OAA00797 for ; Wed, 1 Apr 1998 14:51:05 -0800 (PST) From: klinec@mapcoinc.com Received: from mercury.mapcoinc.com (mercury.mapco.com [10.250.8.16]) by ns.mapcoinc.com (AIX4.2/UCB 8.7/8.7) with SMTP id QAA124160 for ; Wed, 1 Apr 1998 16:50:50 -0600 (CST) Received: by mercury.mapcoinc.com(Lotus SMTP MTA SMTP v4.6 (462.2 9-3-1997)) id 062565D9.007E126D ; Wed, 1 Apr 1998 16:57:02 -0600 X-Lotus-FromDomain: ALLIANCECOAL To: Firewalls@GreatCircle.COM Message-ID: <062565D9.007DACD7.00@mercury.mapcoinc.com> Date: Wed, 1 Apr 1998 16:56:57 -0600 Subject: Bordermanager as firewall? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Does anyone have any first-hand experience with Novell's Bordermanager as a firewall? We are in the process of selecting a firewall product, and one vendor is going to propose Bordermanager. I have to admit, I was a little surprised. I was expecting IBM Firewall (because we're an AIX shop), Checkpoint, Cisco PIX, etc., but not Bordermanager. I tended to equate that product with MS Proxy Server. We have a 400-desktop enterprise with eight Frame-Relay connected remote sites, and are looking for a firewall solution for the entire enterprise. In addition, we are in a rapid growth mode, and predict doubling in size both in number of desktops and number of WAN-connected sites by year-end. Any thoughts anyone has would be appreciated. Thanks, Curtis Kline Network Engineer MAPCO Coal, Inc. 
Tulsa, OK
From firewalls-owner Wed Apr 1 22:14:26 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id QAA22475; Wed, 1 Apr 1998 16:26:22 -0800 (PST) Received: from bridge.millstream.net (bridge.millstream.net [208.12.120.211]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id QAA22368 for ; Wed, 1 Apr 1998 16:25:42 -0800 (PST) Received: from localhost (mike@localhost) by bridge.millstream.net (8.8.5/8.8.5) with SMTP id SAA09589; Wed, 1 Apr 1998 18:32:05 -0600 (CST) Date: Wed, 1 Apr 1998 18:32:05 -0600 (CST) From: Mike Bresina To: Daniel Walsh cc: Firewalls Subject: Re: Spam! In-Reply-To: <35228F60.14F0AD3D@geocities.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
On Wed, 1 Apr 1998, Daniel Walsh wrote:
> I'll make this short, and I know this has nothing to do with firewalls, > but. . . > SPAM! How do I deal with the "unidentified recipients?" And more > importantly, I have received several e-mails from an AOL account, that > returns an unidentified user response when I tried to get off the list. > Help? Maybe a direction to send me in?
Check the headers; the spams have been propagated via the list itself. As far as the 'remove' "feature", that's just a way to get away with distributing spam software. Bear in mind that spammers are rarely selling anything; spam is a denial-of-service attack masquerading as business mail. Note the phony unsub posts; they're spelled wrong so majordomo won't recognize the keyword and divert them from the list. Why a listmom of a firewalls list would put up with these shenanigans is beyond me.
---------------------------------------
Mike Bresina (mike@vsat.net) System Administrator Intellicom Customer Service Center http://www.vsat.net/ v. (715) 720-1760 f.
(715) 720-1762 --------------------------------------- From firewalls-owner Wed Apr 1 22:49:52 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA13392; Wed, 1 Apr 1998 15:46:34 -0800 (PST) Received: from MISsentry.el.nec.com ([192.216.82.86]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id PAA13243 for ; Wed, 1 Apr 1998 15:45:55 -0800 (PST) Received: from yginsburg.el.nec.com (yginsburg.el.nec.com [143.103.21.11]) by MISsentry.el.nec.com (8.7.1/8.7.1) with SMTP id PAA11988; Wed, 1 Apr 1998 15:49:53 -0800 (PST) Received: by yginsburg.el.nec.com (SMI-8.6/SMI-SVR4) id PAA16931; Wed, 1 Apr 1998 15:49:27 -0800 Date: Wed, 1 Apr 1998 15:49:27 -0800 From: rdew@el.nec.com (Bob De Witt) Message-Id: <199804012349.PAA16931@yginsburg.el.nec.com> To: sutherland@mail.com Subject: Re: Breaking the PIX box.. (was: What is a good Firewall?) Cc: firewalls@GreatCircle.COM X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Chris, I have used PIX boxes for several years, albeit sporadically. I have not heard of anyone breaking into a PIX once it was configured. I would really like to know how you did it, so I can take appropriate precautions next time. TIA, Bob De Witt, (this gig email address: rdew@el.nec.com) (next gig [after 4/10/98]email address: rdew@[...tbd...]) The views expressed herein are my own, and are not attributable to any other source, be it employer, friend or foe. > From sutherland@mail.com Thu Mar 26 14:01:49 1998 > From: "Chris Sutherland" > To: > Subject: Breaking the PIX box.. (was: What is a good Firewall?) > Date: Thu, 26 Mar 1998 10:08:33 -0700 > X-MSMail-Priority: Normal > X-Priority: 3 > MIME-Version: 1.0 > Content-Transfer-Encoding: 7bit > > Okie Lads, > > as i have had a number of requests, I will post a detailed description of > PIX attacks, possibly even with scripts (but let me make sure i'm not > violating an NDA before i do). 
Either way, you'll have the juicy bits on > your desktops in a day or two.
> > I would like to make this comment as well, and please, just send the flames > directly to me. Given today's technology and the skill of our adversaries, > don't you think any company advertising their product as "impenetrable" to > be incredibly naive? After all, wasn't there a ship that had the same > claims?
> > > chris >
From firewalls-owner Wed Apr 1 23:26:04 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id QAA22680; Wed, 1 Apr 1998 16:28:08 -0800 (PST) Received: from apu.rcp.net.pe (apu.rcp.net.pe [161.132.5.16]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id QAA22628 for ; Wed, 1 Apr 1998 16:27:42 -0800 (PST) Received: from localhost (1898 bytes) by apu.rcp.net.pe via sendmail with P:stdio/R:inet_hosts/T:smtp (sender: ) (ident using unix) id for ; Wed, 1 Apr 1998 19:29:49 -0500 (EST) (Smail-3.2.0.96 1997-Jun-2 #4 built 1997-Nov-8) Message-Id: From: vadillo@apu.rcp.net.pe (Enrique Vadillo) Subject: Re: Spam! To: karsus@geocities.com (Daniel Walsh) Date: Wed, 1 Apr 1998 19:29:49 -0500 (EST) Cc: firewalls@GreatCircle.COM In-Reply-To: <35228F60.14F0AD3D@geocities.com> from Daniel Walsh at "Apr 1, 98 11:02:56 am" PGP-FingerPrint: 55 B9 83 D2 61 71 E6 6B 1E CE FD B5 F7 AA F1 B5 X-Mailer: ELM [version 2.4ME+ PL22 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
For an excellent anti-spam smtp server take a look at: http://www.zmailer.org
Enrique Vadillo-
---- Daniel Walsh wrote ----
> I'll make this short, and I know this has nothing to do with firewalls, > but. . . > SPAM! How do I deal with the "unidentified recipients?" And more > importantly, I have received several e-mails from an AOL account, that > returns an unidentified user response when I tried to get off the list. > Help? Maybe a direction to send me in?
> > and more on the subject: I want to thank you guys for the topics. My > presentation for my LAN class went much smoother because of this list! > > thanks > > dan
> --------------------------------- > Daniel Walsh > University of Washington > Engineering Alumni Assoc. > -Webslave > karsus@geocities.com > ---------------------------------- > >
--
e-mail: vadillo@rcp.net.pe | "My opinions are my own, and do not necessarily
http://www.rcp.net.pe (PERU) | represent the opinion of my institution".
==========================================================================
Red Cientifica Peruana Internet Peru
==========================================================================
--
RCP - Intered Peru Fax: +51 1 241-1320 Web Site: http://www.rcp.net.pe (PERU) Mirror Web Site: http://ekeko.rcp.net.pe (USA)
From firewalls-owner Thu Apr 2 02:34:36 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA24706; Wed, 1 Apr 1998 12:04:24 -0800 (PST) Received: from antares.serpro.gov.br ([161.148.1.8]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id MAA24648 for ; Wed, 1 Apr 1998 12:03:54 -0800 (PST) Received: from [161.148.196.39] by antares.serpro.gov.br (AIX 4.1/UCB 5.64/4.03) id AA07244; Wed, 1 Apr 1998 16:17:32 -0400 Message-Id: <35229D01.3B68@antares.serpro.gov.br> Date: Wed, 01 Apr 1998 17:01:05 -0300 From: marcos antonio de sousa X-Mailer: Mozilla 3.0 (Win95; I) Mime-Version: 1.0 To: firewalls@greatcircle.com Subject: Questions :) References: <9804011940.AA20572@antares.serpro.gov.br> Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
Mail Delivery Subsystem wrote:
>
> ----- Transcript of session follows -----
> >>> RCPT To:
> <<< 550 ... User unknown
> 550 ...
User unknown
>
> ----- Unsent message follows -----
> Received: from [161.148.196.39] by antares.serpro.gov.br (AIX 4.1/UCB 5.64/4.03) > id AA27482; Wed, 1 Apr 1998 15:40:07 -0400
> Message-Id: <3522943C.4D31@antares.serpro.gov.br>
> Date: Wed, 01 Apr 1998 16:23:40 -0300
> From: marcos antonio de sousa
> X-Mailer: Mozilla 3.0 (Win95; I)
> Mime-Version: 1.0
> To: firewall@greatcircle.com
> Subject: Questions
> References: <9804011750.AA21334@antares.serpro.gov.br>
> Content-Type: text/plain; charset=iso-8859-1
> Content-Transfer-Encoding: 8bit
>
> Mail Delivery Subsystem wrote:
> >
> > ----- Transcript of session follows -----
> > >>> RCPT To:
> > <<< 550 ... User unknown
> > 550 ... User unknown
> >
> > ----- Unsent message follows -----
> > Received: from [161.148.196.39] by antares.serpro.gov.br (AIX 4.1/UCB 5.64/4.03) > > id AA33876; Wed, 1 Apr 1998 13:50:42 -0400
> > Message-Id: <35227A97.688A@antares.serpro.gov.br>
> > Date: Wed, 01 Apr 1998 14:34:15 -0300
> > From: marcos antonio de sousa
> > X-Mailer: Mozilla 3.0 (Win95; I)
> > Mime-Version: 1.0
> > To: firewall@GreatCircle.com
> > Subject: Questions :)
> > Content-Type: text/plain; charset=iso-8859-1
> > Content-Transfer-Encoding: 8bit
> >
> > Hi friends ...
> > I'm using Netscape 3.0 and someone has read my e-mails. > > How is it possible?
Of course, my question is for someone that doesn't > > know my password :) > > Thanks and hugs > > Marcos
From firewalls-owner Thu Apr 2 02:34:43 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id TAA21333; Wed, 1 Apr 1998 19:05:09 -0800 (PST) Received: from cupts1 ([202.202.32.33]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id TAA21179 for ; Wed, 1 Apr 1998 19:04:19 -0800 (PST) Received: from Shine81.cqupt.edu.cn ([202.202.35.81]) by cupts1 (5.x/SMI-SVR4) id AA01885; Thu, 2 Apr 1998 10:59:20 +0800 Message-Id: <35230246.234F@cqupt.edu.cn> Date: Thu, 02 Apr 1998 11:13:10 +0800 From: Yang Xiaolong Reply-To: yangxl@cqupt.edu.cn, yl@cquc.edu.cn Organization: CUPT X-Mailer: Mozilla 3.02Gold (Win95; I) Mime-Version: 1.0 To: firewalls-digest@GreatCircle.COM Subject: How can Cisco2511 support high speed (above 28.8) dialup network with Hayes Modem Pool? Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
Hi, All,
I have a router Cisco2511 (IOS software version 10.2) and Hayes Modem Pool (V.34+FAX), and it should support high speed dialup, but in fact it only supports 9600; if the speed is above 9600, the login window will display some odd codes. My router config is the following:
!
interface Async1
 ip unnumbered Ethernet0
 ip tcp header-compression passive
 encapsulation ppp
 bandwidth 64
 async dynamic address
 async dynamic routing
 async mode interactive
!
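The post above shows only the interface Async1 stanza. As an added note and example (not part of Yang's message, and not taken from any vendor text on this page): on a 2511 the DTE speed between the router and the modem is a property of the physical TTY line, not of the interface AsyncN stanza, and a line defaults to 9600 bps, which fits the symptom of garbage on the login prompt once a V.34 modem connects faster than that. The line number and the 115200 bps DTE rate below are assumptions; pick the rate the modem pool's serial side actually supports and confirm it with "show line".

```cisco
! Added example, not from the original post. Assumes Async1 sits on TTY
! line 1 and that the Hayes pool accepts a 115200 bps DTE rate; adjust both.
line 1
 speed 115200          ! router<->modem rate; the default of 9600 caps everything
 flowcontrol hardware  ! RTS/CTS, required once DTE rate exceeds the modem line rate
 modem inout           ! let the modem answer inbound calls and honour DTR/CD
```

The "speed" command is what the login prompt inherits; without it the interface-level "bandwidth 64" only informs routing metrics and does nothing for the serial port.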
From firewalls-owner Thu Apr 2 02:34:47 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id TAA24639; Wed, 1 Apr 1998 19:24:29 -0800 (PST) Received: from name.mcalbds.com ([205.214.199.244]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id TAA24494 for ; Wed, 1 Apr 1998 19:23:55 -0800 (PST) Received: (from uucp@localhost) by name.mcalbds.com (8.8.4/8.8.4) id XAA02100; Wed, 1 Apr 1998 23:32:26 -0400 Received: from laptop.stokes.com(172.18.1.2) by name.mcalbds.com via smap (V2.0) id xma002093; Wed, 1 Apr 98 23:31:57 -0400 Date: Wed, 1 Apr 1998 23:31:55 -0400 (GMT+4) From: Roger Hill X-Sender: rhill@lappie.stokes.com To: "Vinod Valloppillil (Exchange)" cc: firewalls@GreatCircle.COM Subject: Re: great circle spam relay In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Wed, 1 Apr 1998, Vinod Valloppillil (Exchange) wrote: > is it just me or is anyone else getting a ton of spam relayed by > greatcircle.com? > Oh yes. ============================================================================ Roger Hill, P.O.Box 4T, Barbados, West Indies. 
E-mail:rhill@mcalbds.com Tel:246-436-6530/228-0677/230-9596 Fax:246-433-8365 ============================================================================
From firewalls-owner Thu Apr 2 03:38:46 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA28517; Wed, 1 Apr 1998 12:30:45 -0800 (PST) Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id MAA28355 for ; Wed, 1 Apr 1998 12:30:06 -0800 (PST) Received: from ntserver1.us.esafe.com (c209-43-213-2.esafe.com [209.43.213.2]) by miles.greatcircle.com (8.8.5/8.8.5) with ESMTP id MAA10484 for ; Wed, 1 Apr 1998 12:03:11 -0800 (PST) Received: by c209-43-213-2.esafe.com with Internet Mail Service (5.0.1458.49) id ; Wed, 1 Apr 1998 12:03:23 -0800 Message-ID: From: Jerry Huyghe To: "'Gordon LaSane'" , Doug Drake , Bruno , firewalls mailing list Subject: RE: Virus checking at the firewall level. Date: Wed, 1 Apr 1998 12:03:22 -0800 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.49) Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
Correction. McAfee does not offer a CVP product, only eSafe (1st CVP product), Symantec, and Integralis.
> -----Original Message-----
> From: Gordon LaSane [SMTP:glasane@gdsconnect.com]
> Sent: Tuesday, March 31, 1998 1:05 PM
> To: Doug Drake; Bruno; firewalls mailing list
> Subject: RE: Virus checking at the firewall level.
>
> Hey folks,
> The latest state of the art are virus scan products which are CVP > (content vector protocol) compliant.
> In this scenario the firewall receives mail, passes the mail to the > virus scan server which validates and passes, or cleanses/quarantines > mail before it is passed back to the firewall for forwarding/logging.
> See: McAfee, Symantec and Secure Computing
> Gordon LaSane
> Global Data Systems, Inc.
> Internet and Intranet Firewalls and Security Group
> Consulting and Installing Solutions for Your Company's Data Security:
> Remote User Authentication
> Internet Access
> Virtual Private Networks
> Web Filtering
> Intranets
> Firewalls
>
> Gordon LaSane
> 781/740-8818 x13 ph
> 781/740-8830 fax
> glasane@gdsconnect.com
>
>
>
>
> ----Original Message-----
> From: Doug Drake [SMTP:ddrake@mci.net]
> Sent: Tuesday, March 31, 1998 7:55 AM
> To: Bruno; firewalls mailing list
> Subject: Re: Virus checking at the firewall level.
> I believe the best way is to perform the check at the desktop. There are a number of products that will allow for automatic updates to the client side virus checker, when they log-on.
> Doug
> At 09:08 PM 3/30/98 -0100, Bruno wrote:
> >Hello all again,
> >
> >I posted earlier a question regarding time out problems when virus checking at firewall level. The feedback I mainly obtained was, yes, the virus checkers (eliashim, norton, mime sweeper...) have this problem that they need to download the entire file before being able to check it, during which the browser times out...
> >
> >Now my question to you people out there is: How do you do it? Do you not virus check at the firewall level? Do you count on the end user to do it?
Do you have a miracle solution?
> >
> >Thanks for any input
> >Bruno
> >
>
> ****************************************************************************
> Doug Drake
> Manager Security Products Engineering
> (703)715-7388
> Vnet 272-7388
> E-mail ddrake@mci.net
> ****************************************************************************
From firewalls-owner Thu Apr 2 03:38:58 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id TAA21679; Wed, 1 Apr 1998 19:09:19 -0800 (PST) Received: from theta2.ben2.ucla.edu (theta2.ben2.ucla.edu [164.67.131.36]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id JAA22754 for ; Wed, 1 Apr 1998 09:24:48 -0800 (PST) Received: from zhang ([149.142.110.207]) by theta2.ben2.ucla.edu (8.8.8/8.8.8) with ESMTP id JAA36774; Wed, 1 Apr 1998 09:28:47 -0800 Message-ID: <35227BE1.30508EDA@ucla.edu> Date: Wed, 01 Apr 1998 09:39:45 -0800 From: Randy Zhang Reply-To: hzhang1@ucla.edu Organization: UCLA X-Mailer: Mozilla 4.01 [en] (Win95; I) MIME-Version: 1.0 To: BrianM@dial.pipex.com CC: firewalls-digest@GreatCircle.COM Subject: Re: Cisco Router Config X-Priority: 3 (Normal) References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
Have you tested your config? Because I do not think it will work. 2 points to consider:
1) You are using subnet zero
2) The router will not let you config two access groups per interface.
Randy
BrianM@dial.pipex.com wrote:
> Hi All (Again)
> Enclosed please find a sample (fictitious) router config, > assuming the following situation, eth0:connection to firewall > ser0:leased line to internet, 192.168.0.2 is firewall, 192.168.0.3 and > .4 are management stations, should this config prevent DoS attacks, IP > spoofing, and be generally secure? I know that there is no routing > etc etc (I just did this in notepad!!)
> > Thanks
> > Brian Murphy
> ------------ ----------------------------------------------------------------------------------------------------
>
> no service tcp-small-servers
> no service udp-small-servers
> no ip bootp server
> no service finger
> service timestamps debug datetime msec
> service timestamps log datetime msec
> service password-encryption
>
> enable password enable
>
> username manager password 7 letmein
>
> snmp-server community public RO 1
> snmp-server community private RW 1
> no snmp-server trap-authentication
>
> interface ethernet0
> ip address 192.168.0.1 255.255.255.0
> ip access-group 101 in
> ip access-group 111 in
>
> interface serial0
> ip address 192.168.1.1 255.255.255.0
> ip access-group 101 in
> ip access-group 111
>
> access-list 1 permit 192.168.0.2
> access-list 1 permit 192.168.0.3
> access-list 1 permit 192.168.0.4
>
> access-list 12 permit 192.168.0.2 255.255.255.255
> access-list 12 permit 192.168.0.3 255.255.255.255
> access-list 12 permit 192.168.0.4 255.255.255.255
> access-list 12 deny ip any any log
>
> access-list 51 deny 0.0.0.0 255.255.255.255
>
> access-list 101 deny tcp 192.168.0.1 0.0.0.0 192.168.0.1 0.0.0.0 log
> access-list 101 deny tcp 192.168.1.1 0.0.0.0 192.168.1.1 0.0.0.0 log
> access-list 101 deny tcp any any any any eq 53
> access-list 101 deny udp any any any any eq 69
> access-list 101 deny tcp any any any any eq 87
> access-list 101 deny tcp any any any any eq 111
> access-list 101 deny udp any any any any eq 111
> access-list 101 deny udp any any any any eq 2049
> access-list 101 deny tcp any any any any eq 512
> access-list 101 deny tcp any any any any eq 513
> access-list 101 deny tcp any any any any eq 514
> access-list 101 deny tcp any any any any eq 515
> access-list 101 deny tcp any any any any eq 540
> access-list 101 deny tcp any any any any eq 2000
> access-list 101 deny udp any any any any eq 2000
> access-list 101 deny tcp any any any any eq 2001
> access-list 101 deny udp any any any any eq 2001
> access-list 101 deny tcp any any any any eq 6000
> access-list 101 deny udp any any any any eq 6000
> access-list 101 deny tcp any any any any eq 6001
> access-list 101 deny udp any any any any eq 6001
> access-list 101 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 established
> access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
>
> access-list 111 deny ip 192.168.0.0 0.0.0.255 0.0.0.0 255.255.255.255 log
> access-list 111 deny ip 192.168.1.0 0.0.0.255 0.0.0.0 255.255.255.255 log
> access-list 111 permit ip 192.168.0.0 0.0.2.255 any
> access-list 111 deny ip any any log
>
> line console 0
> login
> password hello
> exec-timeout 1 30
>
> line aux 0
> access-class 51 in
>
> line vty 0 4
> access-class 12 in
> login
> password hello
From firewalls-owner Thu Apr 2 04:48:28 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id RAA00726; Wed, 1 Apr 1998 17:04:27 -0800 (PST) Received: from pascamail-2.pmi (mail.citysearch.com [205.227.223.133]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id RAA00717 for ; Wed, 1 Apr 1998 17:04:19 -0800 (PST) Received: by mail.citysearch.com with Internet Mail Service (5.0.1458.49) id ; Wed, 1 Apr 1998 17:07:56 -0800 Message-ID: <9494F3B8EDAED111949B00600815D1C57B3F79@mail.citysearch.com> From: Michael Batchelor To: Firewalls Subject: RE: Spam! Date: Wed, 1 Apr 1998 17:07:55 -0800 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.49) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
I must echo Daniel's complaint. I have also received 2-3 spams per day for the last couple of days from an account at AOL telling me "HI I want to meet you I'm a model...". They all were forwarded via the firewalls mailing list. You'd think the firewalls list would have some spam protection...
:) Or at least refuse to forward messages to the list that come from non-subscribers. I presume this person spams mailing lists, and lets the list manager do the leg work getting it to multiple recipients. Not good. >Received: from relay2.UU.NET by pascamail-2.pmi with SMTP (Microsoft Exchange Internet Mail Service Version 5.0.1458.49) > id H0S7H3YY; Wed, 1 Apr 1998 09:37:27 -0800 >Received: from honor.greatcircle.com by relay2.UU.NET with ESMTP > (peer crosschecked as: honor.greatcircle.com [198.102.244.44]) > id QQejgg27335; Wed, 1 Apr 1998 12:37:21 -0500 (EST) >Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id SAA15463; Tue, 31 Mar 1998 18:46:55 -0800 (PST) >Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id UAA10358 for ; Mon, 30 Mar 1998 20:07:54 -0800 (PST) >Received: from imo20.mx.aol.com (imo20.mx.aol.com [198.81.17.42]) > by miles.greatcircle.com (8.8.5/8.8.5) with ESMTP id UAA07319 > for ; Mon, 30 Mar 1998 20:10:11 -0800 (PST) >Received: from BUTCHER56@aol.com > by imo20.mx.aol.com (IMOv13.ems) id 9MZKa04942; > Mon, 30 Mar 1998 22:38:44 -0500 (EST) >From: BUTCHER56 >Message-ID: <2bcaadbe.35206546@aol.com> >Date: Mon, 30 Mar 1998 22:38:44 EST >Mime-Version: 1.0 >Subject: Hi I want to meet you im a model! >Content-type: multipart/mixed; > boundary="part0_891315524_boundary" >X-Mailer: AOL 2.5 for Windows sub 2 >Sender: firewalls-owner@GreatCircle.COM >Precedence: bulk >To: undisclosed-recipients:; > -----Original Message----- > From: Daniel Walsh [SMTP:karsus@geocities.com] > Sent: Wednesday, April 01, 1998 11:03 AM > To: Firewalls > Subject: Spam! > > I'll make this short, and I know this has nothing to do with > firewalls, > but. . . > SPAM! How do I deal with the "unidentified recipients?" 
And more > importantly, I have received several e-mails from an AOL account, that > returns an unidentified user response when I tried to get off the > list. > Help? Maybe a direction to send me in? > > and more on the subject: I want to thank you guys for the topics. My > presentation for my LAN class went much smoother because of this list! > > thanks > > dan > --------------------------------- > Daniel Walsh > University of Washington > Engineering Alumni Assoc. > -Webslave > karsus@geocities.com > ---------------------------------- > From firewalls-owner Thu Apr 2 04:48:44 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA13054; Wed, 1 Apr 1998 06:01:01 -0800 (PST) Received: from ALPHA1.RESTON.MCI.NET (alpha1.Reston.mci.net [204.70.128.80]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id GAA12977 for ; Wed, 1 Apr 1998 06:00:41 -0800 (PST) Received: from mickey ([166.45.1.53]) by ALPHA1.RESTON.MCI.NET (PMDF V5.1-10 #8388) with SMTP id <01IVCLE41HPO000H1F@ALPHA1.RESTON.MCI.NET> for firewalls@GreatCircle.COM; Wed, 1 Apr 1998 09:04:31 EST Date: Wed, 01 Apr 1998 08:59:08 -0500 From: Doug Drake Subject: RE: Virus checking at the firewall level. In-reply-to: X-Sender: ddrake@alpha1.reston.mci.net To: Gordon LaSane , Bruno , firewalls mailing list Message-id: <3.0.3.32.19980401085908.009c5420@alpha1.reston.mci.net> MIME-version: 1.0 X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Content-type: text/enriched; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Conceptually CVP is a wonderful thing, but can you give me any numbers on the latency that this process causes on your network? I have not seen anything that will show me benchmarks for CVP-based virus scanning, especially with a firewall and even more with encryption. If I could get some good numbers I might be in favor of it. But until then, I like speed on my network and virus scanning on the desktop :).
At 04:04 PM 3/31/98 -0500, Gordon LaSane wrote:
>>>>
Hey folks,
The latest state of the art are virus scan products which are CVP (content vector protocol) compliant.
In this scenario the firewall receives mail, passes the mail to the virus scan server which validates and passes, or cleanses/quarantines mail before it is passed back to the firewall for forwarding/logging.
See: McAfee, Symantec and Secure Computing
Gordon LaSane
Global Data Systems, Inc.
Internet and Intranet Firewalls and Security Group
Consulting and Installing Solutions for Your Company's Data Security: Remote User Authentication, Internet Access, Virtual Private Networks, Web Filtering, Intranets, Firewalls
Gordon LaSane
781/740-8818 x13 ph
781/740-8830 fax
glasane@gdsconnect.com
-----Original Message-----
From: Doug Drake [SMTP:ddrake@mci.net]
Sent: Tuesday, March 31, 1998 7:55 AM
To: Bruno; firewalls mailing list
Subject: Re: Virus checking at the firewall level.
I believe the best way is to perform the check at the desktop. There are a number of products that will allow for automatic updates to the client side Virus checker, when they log-on.
Doug
At 09:08 PM 3/30/98 -0100, Bruno wrote:
>Hello all again,
>
>I posted earlier a question regarding time out problems when virus checking at firewall level. The feedback I mainly obtained was, yes, the virus checkers (eliashim, norton, mime sweeper...) have this problem that they need to download the entire file before being able to check it, during which the browser times out...
>
>Now my question to you people out there is: How do you do it ? Do you not virus check at the firewall level ? Do you count the end user to do it ? DO you have a miracle solution ?
>
>Thanks for any input
>Bruno
>
****************************************************************************
Doug Drake
Manager Security Products Engineering
(703)715-7388
Vnet 272-7388
E-mail ddrake@mci.net
****************************************************************************
<<<<<<<<
****************************************************************************
Doug Drake
Manager Security Products Engineering
(703)715-7388
Vnet 272-7388
E-mail ddrake@mci.net
****************************************************************************
From firewalls-owner Thu Apr 2 04:50:17 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id VAA22799; Wed, 1 Apr 1998 21:40:25 -0800 (PST) Received: from mx4.tm.net.my (mx.tm.net.my [202.188.1.8]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id VAA22718; Wed, 1 Apr 1998 21:40:04 -0800 (PST) Received: from mx4.tm.net.my ([209.0.90.146]) by mx4.tm.net.my (Post.Office MTA v3.1.2 release (PO203-101c) ID# 581-43702U150000L150000S0) with SMTP id AAB8113; Thu, 2 Apr 1998 13:37:44 +0800 To: DSNTS@NOWERE.NET Message-ID: Date: Wed, 01 Apr 98 21:31:35 EST From: CREATIVESSS333 Subject: ADVERTISE BY EMAIL Reply-To: DSST@NOWHERE.NET.COMAS Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Are you looking for a reliable Direct E-mail Advertising Company? Well look no further!! We have over 1 yr experience in bulk email service. We guarantee our work. Increase your companies profits by up to 100% We will get you hits on your website. We will get you the phone calls! If your involved in MLM this is a Must!!!! 1-888-242-5076 APRIL special 1.3mil -$299.00 150K---$119.00 We can also target names for you. Month of APRIL any order and receive 100k FREE!
We also have CO-OP ads starting at $50.00 Just Need Email addresses We have a Brand New Clean list 30days old 10million for only $200.00 Stop fooling around with those dirty addresses. 60-90 DAYS $50.00 PER 2 MILLION 90-120 $25.00 PER 2 MILLION CALL NOW 1-888-242-5076 WE GIVE YOU A GUARANTEE ON OUR WORK! From firewalls-owner Thu Apr 2 05:34:52 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA19889; Tue, 31 Mar 1998 11:57:06 -0800 (PST) Received: from ax-akl-fw.axon.co.nz (ax-akl-fw.axon.co.nz [202.135.112.17]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id LAA19862 for ; Tue, 31 Mar 1998 11:56:51 -0800 (PST) Received: from ax-akl-exchcomm.axon.co.nz by ax-akl-fw.axon.co.nz (8.8.5/1.3.5) with ESMTP id IAA02804 for ; Wed, 1 Apr 1998 08:06:09 +1200 (NZST) Received: by ax-akl-exchcomm.axon.co.nz with Internet Mail Service (5.0.1458.49) id ; Wed, 1 Apr 1998 08:03:49 +1200 Message-ID: <42CCA0F98530D111A77900805F0D52B33B7676@AX-AKL-EXCHANGE> From: "Edkins, Rob - Axon AKL" To: "'David Santeramo'" Cc: "'Firewalls@GreatCircle.COM'" Subject: RE: Intranet security products Date: Wed, 1 Apr 1998 08:03:50 +1200 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.49) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Take a look at Sessionwall 3, from Abirnet. It is a "Suspicious Activity" monitor that has some interesting features. You can download a trial from www.abirnet.com > -----Original Message----- > From: David Santeramo [SMTP:santercon@clarityconnect.com] > Sent: Tuesday, March 31, 1998 10:47 AM > To: Firewalls@GreatCircle.COM > Subject: Intranet security products > > > My employer is looking for a tool that will detect intrusions > primarily > from internal sources. We need a solution that will work on NT and > integrates well with Netscape > Suitespot servers. 
We are setting up an Intranet and are concerned > about > internal users that might want to screw around. > > thanks in advance... > > Dave > From firewalls-owner Thu Apr 2 05:34:55 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id TAA21295; Wed, 1 Apr 1998 19:04:54 -0800 (PST) Received: from folifw1.wepex.com ([166.49.124.1]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id IAA06501 for ; Wed, 1 Apr 1998 08:02:54 -0800 (PST) Received: by folifw1.wepex.com; id HAA07814; Wed, 1 Apr 1998 07:54:14 -0800 Received: from csifiapp621.wepex.net(166.49.116.21) by folifw1.wepex.com via smap (3.2) id xma007750; Wed, 1 Apr 98 07:54:00 -0800 Received: by csifiapp621.wepex.net with Internet Mail Service (5.0.1458.49) id ; Wed, 1 Apr 1998 08:06:54 -0800 Message-ID: <59726335C162D111B2CF00805FA7205D5AA0EF@csifiapp621.wepex.net> From: "Litney, Tom" To: "'firewall post'" Subject: Re: Ammunition, please Date: Wed, 1 Apr 1998 08:06:52 -0800 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.49) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Sorry Vin, I'm afraid I have to side with Paul on this one. Biometrics may be the wave of the future but .... Our physical security people love to use biometric controls. The thing I always try to stress to them is please make it a body part that I could live without. The PS people take great glee in pointing out that as the products get more sophisticated and sensitive, even if Guido removed the biometric body part, he still would not achieve his ultimate goal, access. They follow up describing the metrics that are used for validation, temperature, blood flow, etc. etc... I remind them that Guido may not know he will be unsuccessful when he tries, but I can't take much consolation in his failure if I'm out a critical body part. :-P Tom >> stuff deleted! Go to the archive to view the thread.
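Going back to the router config quoted in Randy Zhang's reply further up: besides Randy's two points, the wildcard masks in that config deserve a by-hand check. The Python below is an added example, not code from the original post or from Cisco; it implements IOS wildcard-mask matching and first-match ACL evaluation, encodes lists 12 and 111 exactly as posted, and runs them against a few constructed addresses (203.0.113.0/24 stands in for the Internet). Two results stand out: a 255.255.255.255 wildcard matches every address, so access-class 12 on the vty lines admits any source (list 1, written without masks, is the host-match form the author presumably intended); and list 111 applied inbound on ethernet0 denies packets from the router's own 192.168.0.0/24 LAN at its very first entry.

```python
"""IOS-style wildcard-mask ACL evaluation (added example, not code from the post)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'.
    0.0.0.0 therefore means 'this exact host', 255.255.255.255 means 'any'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must be equal
    return (a & care) == (b & care)


@dataclass
class Entry:
    action: str                      # "permit" or "deny"
    src: str
    src_wc: str
    dst: str = "0.0.0.0"             # standard ACLs only look at the source,
    dst_wc: str = "255.255.255.255"  # so the destination defaults to 'any'
    log: bool = False


def evaluate(acl: List[Entry], src: str, dst: str = "0.0.0.0") -> Tuple[str, Optional[int]]:
    """First matching entry wins; falling off the end is the implicit deny.
    Returns (action, index of the matching entry, or None for the implicit deny)."""
    for i, e in enumerate(acl):
        if wildcard_match(src, e.src, e.src_wc) and wildcard_match(dst, e.dst, e.dst_wc):
            return e.action, i
    return "deny", None


# access-list 12 exactly as posted: a 255.255.255.255 wildcard matches every address
ACL_12_AS_POSTED = [
    Entry("permit", "192.168.0.2", "255.255.255.255"),
    Entry("permit", "192.168.0.3", "255.255.255.255"),
    Entry("permit", "192.168.0.4", "255.255.255.255"),
    Entry("deny", "0.0.0.0", "255.255.255.255", log=True),
]

# the same intent with host wildcards (0.0.0.0), which is what a vty access-class needs
ACL_12_HOSTS = [
    Entry("permit", "192.168.0.2", "0.0.0.0"),
    Entry("permit", "192.168.0.3", "0.0.0.0"),
    Entry("permit", "192.168.0.4", "0.0.0.0"),
    Entry("deny", "0.0.0.0", "255.255.255.255", log=True),
]

# access-list 111 as posted (applied "in" on both ethernet0 and serial0)
ACL_111 = [
    Entry("deny", "192.168.0.0", "0.0.0.255", "0.0.0.0", "255.255.255.255", log=True),
    Entry("deny", "192.168.1.0", "0.0.0.255", "0.0.0.0", "255.255.255.255", log=True),
    Entry("permit", "192.168.0.0", "0.0.2.255", "0.0.0.0", "255.255.255.255"),
    Entry("deny", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255", log=True),
]


def vty_admits(acl: List[Entry], src: str) -> bool:
    """access-class on the vty lines: may a telnet from `src` reach the router?"""
    return evaluate(acl, src)[0] == "permit"


def inbound_on_ethernet0(src: str, dst: str) -> Tuple[str, Optional[int]]:
    """A packet arriving on ethernet0 (the 192.168.0.0/24 side) with list 111 inbound."""
    return evaluate(ACL_111, src, dst)


if __name__ == "__main__":
    # constructed addresses; 203.0.113.0/24 is a documentation range standing in for the Internet
    print("outsider on vty (list 12 as posted):", vty_admits(ACL_12_AS_POSTED, "203.0.113.9"))
    print("outsider on vty (host wildcards):   ", vty_admits(ACL_12_HOSTS, "203.0.113.9"))
    print("management station on vty:          ", vty_admits(ACL_12_HOSTS, "192.168.0.3"))
    print("LAN host out via ethernet0:         ", inbound_on_ethernet0("192.168.0.50", "203.0.113.9"))
    print("Internet host in via serial0:       ", evaluate(ACL_111, "203.0.113.9", "192.168.0.2"))
```

Randy's points (subnet zero, and the parser not accepting two access-groups in the same direction on one interface) are IOS constraints and are not modelled; the evaluator only shows what the lists would match if the router accepted them. Note also that list 111 on serial0 correctly drops packets spoofing the internal ranges, but its permit line then covers only 192.168.0.0/24 and 192.168.2.0/24 (that is what 0.0.2.255 means), so legitimate Internet sources fall through to the final deny.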
From firewalls-owner Thu Apr 2 05:35:00 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA21475; Tue, 31 Mar 1998 12:09:40 -0800 (PST) Received: from ax-akl-fw.axon.co.nz (ax-akl-fw.axon.co.nz [202.135.112.17]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id TAA07204 for ; Mon, 30 Mar 1998 19:50:18 -0800 (PST) Received: from ax-akl-exchcomm.axon.co.nz by ax-akl-fw.axon.co.nz (8.8.5/1.3.5) with ESMTP id PAA08614 for ; Tue, 31 Mar 1998 15:59:29 +1200 (NZST) Received: by ax-akl-exchcomm.axon.co.nz with Internet Mail Service (5.0.1458.49) id ; Tue, 31 Mar 1998 15:57:11 +1200 Message-ID: <42CCA0F98530D111A77900805F0D52B33B7672@AX-AKL-EXCHANGE> From: "Edkins, Rob - Axon AKL" To: "'Rick Murphy'" Cc: Firewalls@GreatCircle.COM Subject: RE: FW-1 redundancy Date: Tue, 31 Mar 1998 15:57:11 +1200 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.49) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Sorry, put you wrong on the load balancing. This refers to Checkpoint's ability to load balance among internal server resources: e.g. a pool of identical http servers which are behind the Checkpoint firewall. The Synchronisation feature for high availability does support authentication, re-establishing connections if the primary module fails. NB. Forgot to mention, you need Firewall 1 V3.0 for all this stuff. > -----Original Message----- > From: Rick Murphy [SMTP:rmurphy@itm-inst.com] > Sent: Tuesday, March 31, 1998 2:07 PM > To: Edkins, Rob - Axon AKL > Cc: 'Jose R. Ferreira'; Firewalls@GreatCircle.COM > Subject: RE: FW-1 redundancy > > At 08:59 AM 3/31/98 +1200, Edkins, Rob - Axon AKL wrote: > >Firewall 1 actually supports your intended configuration quite > happily > >and will even load-balance across the 2 Firewalls! > > Does this load balancing work when you're using "security servers"? > Authenticating HTTP? Doing virus scanning?
Or is it only available > when you're packet filtering? > -Rick From firewalls-owner Thu Apr 2 05:35:08 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id DAA07455; Wed, 1 Apr 1998 03:43:30 -0800 (PST) Received: from 12.66.115.5 (5.chicago-11.il.dial-access.att.net [12.66.115.5]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id DAA07418; Wed, 1 Apr 1998 03:43:19 -0800 (PST) Date: Wed, 1 Apr 1998 03:43:19 -0800 (PST) Message-Id: <199804011143.DAA07418@honor.greatcircle.com> From: promo311@iddqd.org Subject: FREE DEMO of Software That Puts You On Top of 450 Search Engines! X-Reply-To: promo311@iddqd.org Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk FREE DEMO OF SOFTWARE THAT SUBMITS YOUR SITE TO OVER 450 SEARCH ENGINES! I thought I would drop you a line today to let you know about the revolutionary new "Search Engine Spider" which will allow you to submit your web page to over 450 different search engines and directories, in the categories YOU CHOOSE! I have a FREE DEMO COPY of the software waiting here for you. If you decide you like it because it's SAVING YOU TONS OF TIME and GETTING YOU TO THE TOP OF THE SEARCH ENGINES, then register and pay only $49.95! How can you go wrong? You get to try it first for free, and only pay if you want to unlock all of its features. Think about how much you paid for your last "submission service" to run just once! You can run this over and over to KEEP YOUR RANK ON THE SEARCH ENGINES! All you have to do to get your FREE DOWNLOAD is visit: http://www.masterpromote.com Just for stopping by, you will have access to our HUGE LIST of FREE CLASSIFIED ADS! Thanks again for your time. I look forward to hearing from you. Best Regards, Joe Halinsdorf President MasterPromote P.S. Reseller opportunities are available! 
*************************** To be removed, please visit http://www.masterpromote.com and type your name in the "Remove Me!" box to the left. You will then be removed from the database of MasterPromote and many other online marketers. Sorry for any inconvenience we may have caused you. From firewalls-owner Thu Apr 2 05:34:58 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id WAA03610; Wed, 1 Apr 1998 22:40:18 -0800 (PST) Received: from mesache.encomix.es (mesache.encomix.es [194.143.192.3]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id WAA03569 for ; Wed, 1 Apr 1998 22:40:01 -0800 (PST) Received: (qmail 22950 invoked from network); 2 Apr 1998 06:42:21 -0000 Received: from hell.encomix.es (HELO encomix.es) (root@194.143.192.22) by mesache.encomix.es with SMTP; 2 Apr 1998 06:42:21 -0000 Message-ID: <35233361.664CA16F@encomix.es> Date: Thu, 02 Apr 1998 08:42:41 +0200 From: Roman Ramirez Organization: EncomIX X-Mailer: Mozilla 4.04 [en] (X11; I; Linux 2.1.91 i586) MIME-Version: 1.0 To: FW Subject: The return of the ICMP :) Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
Hello again: Thanks to all who replied to my questions. I've just read all the messages and I'm making my theories :) Ok, step by step I get the next comments:
i) If my FW can do this, I should let ICMP requests OUT; I should let ICMP replies and Time Exceeded (type 11) IN.
ii) I know Traceroute can be used to map a network, but I really need to allow that. Does anyone know a way to establish a rule to let traceroute in from trusted networks and to return spoofed route info to non-trusted? I've seen places where, when you try to "traceroute" them, the last hop you can get is 1.1.1.1 and the next hops are * * * :-? :-?
iii) ICMP types usually permitted are:
0 ECHO REPLY -> Let IN
8 ECHO -> Let OUT
3 UNREACHABLE -> Let IN
4 SOURCE-QUENCH -> What's that?
:)
11 TIME EXCEEDED -> Let IN
Am I right? Thanks again... -- http://www.encomix.es/users/patowc mailto://rramirez@encomix.es
From firewalls-owner Thu Apr 2 05:35:18 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA13575; Wed, 1 Apr 1998 23:43:05 -0800 (PST) Received: from smtp1.mailsrvcs.net (smtp1.gte.net [207.115.153.30]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id VAA16345 for ; Wed, 1 Apr 1998 21:10:16 -0800 (PST) Received: from GTE.net (1Cust136.tnt17.chi5.da.uu.net [153.36.180.136]) by smtp1.mailsrvcs.net with ESMTP id XAA16432; Wed, 1 Apr 1998 23:13:14 -0600 (CST) Message-ID: <35231E43.F46CB4E5@GTE.net> Date: Wed, 01 Apr 1998 23:12:35 -0600 From: Austin X-Mailer: Mozilla 4.04 [en] (Win95; I) MIME-Version: 1.0 To: Firewalls CC: Daniel Walsh Subject: Re: Spam!Spam!Spam!Spam!Spam!Spam!Spam!Spam! & eggs and Spam! References: <35228F60.14F0AD3D@geocities.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I suggest that you block all AOL traffic. What has ever come out of AOL that was any good? Also, I've been on the list for some time now, and I have a few questions that have never really been answered or even asked yet: - I think that Novell is a bad NOS for firewalls, but Microsoft's NT disrupts the space/time dimension. Is it true that NT is a superior waste of space or does John Travolta lay claim to that? - And why do all OS's have two syllables?? Novell, NT, UNIX, Linux, Alpha, Redhat, and others. I did leave out OS/2 'cause it's a virus. I wipe it out when I encounter it. And it doesn't fit my theory anyway. ------ sorry - just being bombastic - all questions are hopefully rhetorical to you......... I hope... to you..... Daniel Walsh wrote: > I'll make this short, and I know this has nothing to do with firewalls, > but. . . > SPAM! How do I deal with the "unidentified recipients?"
And more > importantly, I have received several e-mails from an AOL account, that > returns an unidentified user response when I tried to get off the list. > Help? Maybe a direction to send me in? > > and more on the subject: I want to thank you guys for the topics. My > presentation for my LAN class went much smoother because of this list! > > thanks > > dan > --------------------------------- > Daniel Walsh > University of Washington > Engineering Alumni Assoc. > -Webslave > karsus@geocities.com > ---------------------------------- I hope From firewalls-owner Thu Apr 2 06:28:52 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA19688; Wed, 1 Apr 1998 06:42:05 -0800 (PST) Received: from dns.portcullis-security.com (dns.portcullis-security.com [194.203.128.120]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id BAA09060 for ; Wed, 1 Apr 1998 01:29:01 -0800 (PST) Received: from tgb-mailhost.portcullis-security.com (unverified [194.203.128.123]) by dns.portcullis-security.com (Integralis SMTPRS 2.04) with ESMTP id ; Wed, 01 Apr 1998 10:32:21 +0100 Received: by tgb-mailhost.portcullis-security.com with Internet Mail Service (5.0.1457.3) id ; Wed, 1 Apr 1998 10:23:46 +0100 Message-Id: <21905E09B270D111815400C0DFAA15330AF23B@tgb-mailhost.portcullis-security.com> From: Tony M Hall To: "'Gordon LaSane'" Cc: "'Firewalls Forum'" Subject: RE: Virus checking at the firewall level. Date: Wed, 1 Apr 1998 10:23:44 +0100 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1457.3) Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk See also: F-Secure Anti-Virus for Firewalls (Data Fellows). http://www.portcullis-security.com/fsav/fs-fire.htm Cheers. Tony H. Portcullis Technical Support: F-Secure Anti-Virus; Integralis MIMEsweeper; Biodata BIGfire Firewall.
http://www.portcullis-security.com
> ----------
> From: Gordon LaSane[SMTP:glasane@gdsconnect.com]
> Sent: Tuesday, March 31, 1998 10:04PM
> To: Doug Drake; Bruno; firewalls mailing list
> Subject: RE: Virus checking at the firewall level.
>
> Hey folks,
> The latest state of the art are virus scan products which are CVP
> (content vector protocol) compliant.
> In this scenario the firewall receives mail, passes the mail to the
> virus scan server which validates and passes, or cleanses/quarantines
> mail before it is passed back to the firewall for forwarding/logging.
> See: McAfee, Symantec and Secure Computing
> Gordon LaSane
> Global Data Systems, Inc.
> Internet and Intranet Firewalls and Security Group
> Consulting and Installing Solutions for Your Company's Data Security:
> Remote User Authentication
> Internet Access
> Virtual Private Networks
> Web Filtering
> Intranets
> Firewalls
>
> Gordon LaSane
> 781/740-8818 x13 ph
> 781/740-8830 fax
> glasane@gdsconnect.com
>
> -----Original Message-----
> From: Doug Drake [SMTP:ddrake@mci.net]
> Sent: Tuesday, March 31, 1998 7:55 AM
> To: Bruno; firewalls mailing list
> Subject: Re: Virus checking at the firewall level.
> I believe the best way is to perform the check at the desktop. There are a
> number of products that will allow for automatic updates to the client
> side Virus checker, when they log-on.
> Doug
> At 09:08 PM 3/30/98 -0100, Bruno wrote:
> >Hello all again,
> >
> >I posted earlier a question regarding time out problems when virus
> >checking at firewall level. The feedback I mainly obtained was, yes,
> >the virus checkers (eliashim, norton, mime sweeper...) have this problem
> >that they need to download the entire file before being able to check
> >it, during which the browser times out...
> >
> >Now my question to you people out there is: How do you do it ? Do you
> >not virus check at the firewall level ? Do you count the end user to
> >do it ? DO you have a miracle solution ?
> >
> >Thanks for any input
> >Bruno
> >
>
> ****************************************************************************
> Doug Drake
> Manager Security Products Engineering
> (703)715-7388
> Vnet 272-7388
> E-mail ddrake@mci.net
> ****************************************************************************
>
From firewalls-owner Thu Apr 2 06:28:55 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id TAA21555; Wed, 1 Apr 1998 19:07:59 -0800 (PST) Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id KAA06157 for ; Wed, 1 Apr 1998 10:30:48 -0800 (PST) Received: from main.geminisecure.com (main.geminisecure.com [205.179.16.1]) by miles.greatcircle.com (8.8.5/8.8.5) with SMTP id KAA09607 for ; Wed, 1 Apr 1998 10:04:22 -0800 (PST) Received: (from leonard@localhost) by main.geminisecure.com (8.6.9/8.6.9) id JAA15407; Wed, 1 Apr 1998 09:55:19 -0800 Date: Wed, 1 Apr 1998 09:55:18 -0800 (PST) From: Leonard Miyata To: Michael Batchelor cc: firewalls@GreatCircle.COM Subject: Re: Split DNS config questions In-Reply-To: <9494F3B8EDAED111949B00600815D1C576D43B@mail.citysearch.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
Hi There
First, the best reference for this subject is Building Internet Firewalls, Chapman & Zwicky, and DNS and BIND, 2ND EDITION!!, Albitz & Liu. Both from O'Reilly & Associates, Inc.
The two together provide a good write-up on the interactions of DNS, firewalls and DMZ configurations.
The entire purpose of 'Split' DNS is to set up a private DNS infrastructure to resolve your internal private addresses, and the public addresses they're allowed to talk to. Meanwhile, your official public DNS server contains your public addresses, and resolves Internet connections. Since the public server does not know your internal addresses, the 'Split' DNS configuration 'hides' the internal addresses from public view. By the way... they both use 'Your Domain' but they are duplicate infrastructure. For complete isolation, not only do you need your private primary and secondary DNS servers, you also need a private root server granting your private primary authoritative for the domain.
Personal Opinions Provided by Leonard Miyata aka leonard@geminisecure.com Gemini Computers Inc.
On Tue, 31 Mar 1998, Michael Batchelor wrote: > I am having some trouble understanding how split DNS is supposed to > work. I am using BIND 8.1.1 on Irix 6.2. I have looked up some info on > the web about split DNS (fwtk FAQ, for instance, has a short tutorial), > and have gone over the discussion in the Cheswick/Bellovin firewalls > book, but still have some unresolved questions: > > 1. If I want to use the same domain for internal and external, how does > the internal DNS server know when to forward to the firewall? I set up > the internal name server as primary for company.com, but www.company.com > is an external host. The internal server doesn't want to forward > queries for www.company.com to the firewall. It returns NXDOMAIN for > all outside hosts in the same domain, if the internal server doesn't > have a record. Must I set up a different internal domain for inside > DNS? That works, by the way, but I was under the impression that split > DNS worked with the same domain inside and outside. It's really > inconvenient for me to have to make internal.company.com or whatever. > > 2.
I prepared a named.cache file for the internal DNS server that lists > itself as a root server. Named likes to complain in the log files about > "sysquery: no addrs found for root NS ()". If I leave out the > named.cache from the named.conf, it fails to operate (SRVFAIL errors). > If I use the named.cache from rs.internic.net, all answers are > non-authoritative. > > 3. My firewall is actually not listed in the NIC as primary for our > domain. Our external primaries are co-located at our ISP. So I set up > the firewall named as a caching forwarder to the existing external name > servers. When the internal server is set up with a subdomain, rather > than the same domain as the external hosts, this seems to work OK. I > have the firewall named set to log all queries, and it does get the > queries from the internal server, and forwards to the external. So I > think this setup is functionally OK, but wanted to mention it in case it > has relevance to my other questions. > > Any hints, tips, or URLs to a complete discussion with examples would be > very much appreciated. > > _______________________________________________________ > UNIX TEAM - Because it tells me to. 
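To make the same-domain question concrete, here is a small Python model of the two resolution paths Leonard describes. It is an added example, not BIND configuration and not from either post; the host names, the 192.0.2.0/24 public and 10.1.1.0/24 private addresses, and the server roles are constructed. It models only the behaviour that matters here: a server authoritative for a zone answers NXDOMAIN for a missing name inside that zone instead of asking anyone else, while names outside its zones go to a forwarder (the firewall's caching named, which in turn forwards to the ISP's external primary, as in question 3).

```python
"""Model of split DNS resolution paths (added example; not BIND and not from the post)."""
from typing import Dict, List, Optional, Tuple

Answer = Tuple[str, Optional[str], List[str]]   # (rcode, address, servers consulted)


class NameServer:
    """A server authoritative for the zones in `zones` (zone apex -> {name: address}).
    For a name inside one of its zones it answers from zone data and, like a real
    authoritative server, returns NXDOMAIN rather than asking anyone else when the
    name is missing.  Names outside its zones go to `forwarder`, or are REFUSED."""

    def __init__(self, name: str, zones: Dict[str, Dict[str, str]],
                 forwarder: Optional["NameServer"] = None) -> None:
        self.name = name
        self.zones = {z.lower(): {n.lower(): a for n, a in recs.items()}
                      for z, recs in zones.items()}
        self.forwarder = forwarder

    def closest_zone(self, qname: str) -> Optional[str]:
        """Longest zone apex that is a suffix of qname, i.e. the enclosing zone."""
        labels = qname.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.zones:
                return candidate
        return None

    def query(self, qname: str) -> Answer:
        path = [self.name]
        zone = self.closest_zone(qname)
        if zone is not None:
            address = self.zones[zone].get(qname.lower().rstrip("."))
            return ("NOERROR", address, path) if address else ("NXDOMAIN", None, path)
        if self.forwarder is None:
            return ("REFUSED", None, path)
        rcode, address, rest = self.forwarder.query(qname)
        return rcode, address, path + rest


# Constructed data: public hosts on 192.0.2.0/24, private hosts on 10.1.1.0/24.
PUBLIC_ZONE = {"www.company.com": "192.0.2.80", "mail.company.com": "192.0.2.25"}
PRIVATE_HOSTS = {"intranet.company.com": "10.1.1.10", "fs1.company.com": "10.1.1.20"}

# Public side: the ISP's external primary, authoritative for company.com; no internal hosts.
EXTERNAL = NameServer("isp-external", {"company.com": PUBLIC_ZONE})
# The firewall's named: no zones of its own, a caching forwarder to the external primary.
FIREWALL = NameServer("firewall-forwarder", {}, forwarder=EXTERNAL)


def internal_same_domain(copy_public_hosts: bool) -> NameServer:
    """Inside server that is primary for company.com and forwards everything else."""
    records = dict(PRIVATE_HOSTS)
    if copy_public_hosts:
        records.update(PUBLIC_ZONE)   # the public hosts the inside is allowed to talk to
    return NameServer("internal", {"company.com": records}, forwarder=FIREWALL)


def internal_subdomain() -> NameServer:
    """Inside server that is primary only for internal.company.com."""
    records = {n.replace(".company.com", ".internal.company.com"): a
               for n, a in PRIVATE_HOSTS.items()}
    return NameServer("internal", {"internal.company.com": records}, forwarder=FIREWALL)


if __name__ == "__main__":
    print(internal_same_domain(False).query("www.company.com"))   # the NXDOMAIN from question 1
    print(internal_same_domain(True).query("www.company.com"))    # answered inside
    print(internal_subdomain().query("www.company.com"))          # forwarded out
    print(EXTERNAL.query("fs1.company.com"))                      # hidden from the outside
```

Run as written, the first case reproduces the NXDOMAIN from question 1; the second is the arrangement Leonard's description implies, a copy of the public hosts inside the internal company.com zone (the duplicate infrastructure he mentions, which has to be kept in step with the public zone by hand); the third is the subdomain workaround, where www.company.com falls outside the internal zone and is forwarded through the firewall. The last query shows the property the whole setup exists for: the external server has no data for internal hosts.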
> > From firewalls-owner Thu Apr 2 06:54:57 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA16395; Thu, 2 Apr 1998 06:25:06 -0800 (PST) Received: from mailer.syr.edu (mailer.syr.edu [128.230.20.20]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id GAA16340 for ; Thu, 2 Apr 1998 06:24:50 -0800 (PST) Received: from rodan.syr.edu by mailer.syr.edu (LSMTP for Windows NT v1.1a) with SMTP id <0.CF13B310@mailer.syr.edu>; Thu, 2 Apr 1998 9:29:17 -0500 Received: from localhost (rgrimsha@localhost) by rodan.syr.edu (8.8.7/8.8.7) with SMTP id JAA21377; Thu, 2 Apr 1998 09:29:15 -0500 (EST) X-Authentication-Warning: rodan.syr.edu: rgrimsha owned process doing -bs Date: Thu, 2 Apr 1998 09:29:15 -0500 (EST) From: Randy Grimshaw X-Sender: rgrimsha@rodan.syr.edu To: "Vinod Valloppillil (Exchange)" cc: firewalls@GreatCircle.COM Subject: Re: great circle spam relay In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk me too :( <> is it just me or is anyone else getting a ton of spam relayed by > greatcircle.com? 
> From firewalls-owner Thu Apr 2 07:25:00 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA12891; Wed, 1 Apr 1998 23:39:16 -0800 (PST) Received: from gatekeeper.nytimes.com (gatekeeper.nytimes.com [199.181.175.201]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id UAA06950 for ; Wed, 1 Apr 1998 20:23:31 -0800 (PST) Received: from mailgate.nytimes.com by gatekeeper.nytimes.com; (5.65v3.2/1.1.8.2/30Mar95-0352PM) id AA30666; Wed, 1 Apr 1998 23:30:28 -0500 Received: from [170.149.63.45] by mailgate.nytimes.com; (5.65/1.1.8.2/25Jul94-1134AM) id AA26064; Wed, 1 Apr 1998 23:28:11 -0500 Message-Id: <3.0.1.32.19980401232759.00897250@mailgate.nytimes.com> X-Sender: jon@mailgate.nytimes.com X-Mailer: Windows Eudora Pro Version 3.0.1 (32) Date: Wed, 01 Apr 1998 23:27:59 -0500 To: Firewalls@GreatCircle.COM From: "Jon E. Price" Subject: socks versus fw-1 stateful inspection vulnerabilities Cc: gordy@nytimes.com, theresa@nytimes.com Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Are there any known or theoretical insecurities or vulnerabilities or other shortcomings (eg. performance) using socks or the fw-1 stateful inspection technologies? If I have an application that can work with either fw-1 stateful inspection OR a socks relay what criteria can I use to choose? Some possible applications are: irc chat aol instant messenger icq Thanks, Jon --------------------------------------------------------------- Jon E. 
Price Systems Analyst News Systems The New York Times --------------------------------------------------------------- From firewalls-owner Thu Apr 2 08:25:10 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA17648; Wed, 1 Apr 1998 06:30:36 -0800 (PST) Received: from krypton.raptor.com (raptor.com [209.48.140.10]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id GAA17498 for ; Wed, 1 Apr 1998 06:29:51 -0800 (PST) Received: from neon.raptor.com by krypton.raptor.com via smtpd (for honor.greatcircle.com [198.102.244.44]) with SMTP; 1 Apr 1998 17:39:02 UT Received: from work (dlancaster.usnetworks.net [206.61.49.10]) by neon.raptor.com (8.7.3/8.7.3) with SMTP id JAA25860 for ; Wed, 1 Apr 1998 09:27:12 -0500 (EST) From: "Dale Lancaster" To: Subject: RE: Raptor Performance Date: Wed, 1 Apr 1998 08:32:50 -0600 Message-ID: <000701bd5d7b$0c71ff40$0a313dce@work> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0 Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I agree with Andrew, it's likely a reverse DNS issue. The default behavior of our product is to perform reverse lookups of both the source and destination IP address to obtain the hostnames to store in the log file. If DNS is not configured properly then you will see significant delays due to DNS timeouts. You can disable the reverse lookup feature in the GUI. I have talked to other firewall vendors and they say this is also a common problem for them - misconfigured DNS (and routing :-). You didn't specify exactly what performance you were/were not getting. Email me directly and I will try to work with you on it.
As to overall performance, we hired NSTL to run an aggregate throughput test on our latest release, EagleNT 5.0 on a dual Pentium II system. We were able to sustain T-3 rates (for HTTP and FTP transfers). If you are running EagleNT 4.0, you should upgrade to EagleNT 5.0 to get the additional performance enhancements and functionality. best regards, dale ========================================================================== Dale Lancaster Director of Technical Marketing Raptor Systems A Division of Axent Technologies ========================================================================== Date: Tue, 31 Mar 1998 22:53:47 +0200 (GMT+0200) From: Andrew Cameron Subject: Raptor. I do not have any performance problems; in fact, we find it very fast. Most performance problems seem to be with incorrectly configured DNS. Try disabling reverse lookups and see if this helps. Steve Pearse Subject: RAPTOR performance We seem to be experiencing performance problems with Raptor, we have around 300 users going through one NT/Compaq 5000/Raptor box (concurrently probably less than 100) and compared to our old borderware proxy, it appears slow. Is this the experience of others here ? should we have used Unix ? We are an NT shop, and like the ease of admin of the NT accounts, are the better performing firewalls that also use the NT SAM ?
thanks for any advice - -------------------------------------------------------------------------- --- Andrew Cameron Internet : andrew@andy.alt.za X.400 : C=ZA G=Andrew S=Cameron Admd=TELKOM400 ========================================================================== Dale Lancaster Director of Technical Marketing Raptor Systems A Division of Axent Technologies ========================================================================== From firewalls-owner Thu Apr 2 10:37:02 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA25461; Thu, 2 Apr 1998 09:50:16 -0800 (PST) Received: from ns1.ci.saint-petersburg.fl.us (mail.ci.saint-petersburg.fl.us [208.160.176.2]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id JAA25440 for ; Thu, 2 Apr 1998 09:50:07 -0800 (PST) Received: from mail by ns1.ci.saint-petersburg.fl.us via smtpd (for honor.greatcircle.com [198.102.244.44]) with SMTP; 2 Apr 1998 20:56:30 UT Received: from STPETE_MAIL-Message_Server by mail.ci.saint-petersburg.fl.us with Novell_GroupWise; Thu, 02 Apr 1998 12:52:39 -0400 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Thu, 02 Apr 1998 12:52:26 -0400 From: Donna Mattick To: firewalls@greatcircle.com Subject: spam relay Mime-Version: 1.0 Content-Type: text/plain Content-Disposition: inline Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I am glad I'm not the only one getting annoyed by "hi I am a model" or "you have won $5000" Donna Mattick City of St. Petersburg Dmmattic@ci.saint-petersburg.fl.us Go DevilRays!!!!!!!! 
From firewalls-owner Thu Apr 2 12:08:18 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA22442; Thu, 2 Apr 1998 09:24:01 -0800 (PST) Received: from inergen.sybase.com (inergen.sybase.com [192.138.151.43]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id JAA22435 for ; Thu, 2 Apr 1998 09:23:55 -0800 (PST) Received: from smtp1.sybase.com (sybgate.sybase.com [130.214.220.35]) by inergen.sybase.com (8.8.4/8.8.4) with SMTP id JAA26444; Thu, 2 Apr 1998 09:30:01 -0800 (PST) Received: from gwwest.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) id AA02732; Thu, 2 Apr 98 09:28:16 PST Received: by gwwest.sybase.com(Lotus SMTP MTA v4.6.1 (569.2 2-6-1998)) id 882565DA.005FF56B ; Thu, 2 Apr 1998 09:28:07 -0800 X-Lotus-Fromdomain: SYBASENOTES From: "Ryan Russell" To: yangxl@cqupt.edu.cn, yl@cquc.edu.cn Cc: firewalls-digest@GreatCircle.COM Message-Id: <882565DA.005FA07C.00@gwwest.sybase.com> Date: Thu, 2 Apr 1998 09:27:46 -0800 Subject: Re: How can Cisco2511 support high speed(above 28.8)dailup network with Hayes Modem Pool? Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Sender: firewalls-owner@GreatCircle.COM Precedence: bulk You didn't send the relevant section:
line 1 16
 session-timeout 70
 exec-timeout 0 30
 session-limit 4
 arap enable
 login tacacs
 modem InOut
 transport preferred none
 transport input all
 rxspeed 115200
 txspeed 115200
 flowcontrol hardware
You'll likely not want all the options I have in my config (unless you want to support ARA.) Also make sure you've got the right initialization string in the chat script. Mine is pretty simple:
chat-script cisco-default ABORT ERROR "" "AT Z" OK "ATDT \T" TIMEOUT 30 \c CONNECT \c
Cisco has some reasonable tutorials on their web site.
Ryan Yang Xiaolong on 04/01/98 07:13:10 PM Please respond to yangxl@cqupt.edu.cn; Please respond to yl@cquc.edu.cn To: firewalls-digest@GreatCircle.COM cc: (bcc: Ryan Russell/SYBASE) Subject: How can Cisco2511 support high speed(above 28.8)dailup network with Hayes Modem Pool? Hi, All, I have a router Cisco2511 (IOS software version 10.2) and Hayes Modem Pool (V.34+FAX), and it should support high speed dialup, but in fact it only supports 9600; if the speed is above 9600, the login window will display some odd codes. My router config is the following:
!
interface Async1
 ip unnumbered Ethernet0
 ip tcp header-compression passive
 encapsulation ppp
 bandwidth 64
 async dynamic address
 async dynamic routing
 async mode interactive
!
From firewalls-owner Thu Apr 2 12:08:23 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA27659; Thu, 2 Apr 1998 10:08:00 -0800 (PST) Received: from main.geminisecure.com (main.geminisecure.com [205.179.16.1]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id KAA27625 for ; Thu, 2 Apr 1998 10:07:45 -0800 (PST) Received: (from leonard@localhost) by main.geminisecure.com (8.6.9/8.6.9) id KAA20889; Thu, 2 Apr 1998 10:01:44 -0800 Date: Thu, 2 Apr 1998 10:01:43 -0800 (PST) From: Leonard Miyata To: dmcewen@nsf.gov cc: firewalls@GreatCircle.COM Subject: Re: Re[2]: Split DNS config questions In-Reply-To: <9803028915.AA891536326@yrelay.nsf.gov> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi There Again!! There are a few other tricks you can use too.... Most TCP/IP hosts can support up to 3 DNS nameservers. As an example, in resolv.conf:
domain Your.domain
nameserver A.B.C.X
nameserver A.B.C.Y
nameserver A.B.C.Z
From what I understand from the documentation, the host will do a sequential check of the nameservers in the order of X,Y,Z until it gets a successful resolution.
This could be used on the firewall (in support of proxy gateways) to first check itself to resolve internal names, then the public DNS server for Internet connections. Another paranoid approach is to set up a DNS Server in your DMZ as a non-caching forwarder that knows about both your internal and external DNS Servers. DMZ hosts can use it to resolve addresses, and you set your external router/gateway to block DNS requests to both your Internal and DMZ forwarder Servers coming from the Internet. This approach is safer than the last as it protects your Internal Server from corrupted DNS records. (The hijacking of the Internic Root servers last summer would be an example of this...) Personal Opinions Provided by Leonard Miyata aka leonard@geminisecure.com Gemini Computers Inc. On Thu, 2 Apr 1998 dmcewen@nsf.gov wrote: > Hi back at you, > > I'd like to quickly detail a sample configuration for a couple of > reasons, first to share some experience, and second to see if there > are comments that could improve upon my understanding. For this > example I assume that you are using a proxy firewall so all requests > from inside hosts go to the firewall, and they are relayed to the > target machine with a source IP address of your firewall. > > This example requires that inside users be allowed access to some > Internet resources, and thus need to be able to translate host.domain > to an IP address. > > In this example, you would have 2 DNS servers. One outside which > is registered as your authoritative name server and is configured > as a primary, and one inside which is configured as a primary. > > The outside name server only has addresses for those hosts in > your DMZ and your firewall machine. The named.ca file lists the > root name servers A.ROOT-SERVERS.NET etc...
> The named.conf file has entries like:
>
> zone "company.com" {
>     type master;
>     file "company.zone";
> };
> zone "1.1.1.in-addr.arpa" {
>     type master;
>     file "company.rev";
> };
>
> The outside name server has a /etc/resolv.conf file like:
>
> domain company.com
> nameserver 127.0.0.1
>
> This means that named requests from your outside name server go to its DNS for resolution.
>
> The inside server has the same info in the zone and rev files as your outside server, but also has entries for each inside host. It is likewise a master for company.com and 1.1.1.in-addr.arpa zone. The /etc/resolv.conf file lists:
>
> domain company.com
> nameserver 127.0.0.1
>
> And it has a named.ca file with the root name servers.
>
> Your firewall machine has a resolv.conf file like:
>
> domain company.com
> nameserver 127.0.0.1
>
> which means it uses the inside name server.
>
> Requests for DNS from outside get sent to the outside name server. Requests for DNS from the inside get sent to the inside name server. Requests from the firewall get sent to the inside name server.
>
> The key here is that DNS requests (UDP and TCP) must both be allowed through your firewall.
>
> The other option that I'm aware of is to make your inside name server reside on the firewall machine. Same configuration as above, but all inside hosts go to the firewall to get DNS resolution. This way there are no holes in the firewall, but then again, you're running another service directly on the firewall which is open to forged data that can corrupt the DNS cache.
>
> Thanks for any feedback.
> > Don > From firewalls-owner Thu Apr 2 12:21:23 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA00717; Thu, 2 Apr 1998 10:31:32 -0800 (PST) Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id KAA00414 for ; Thu, 2 Apr 1998 10:29:53 -0800 (PST) Received: from cc00ms.unity.ncsu.edu (cc00ms.unity.ncsu.edu [152.1.1.35]) by miles.greatcircle.com (8.8.5/8.8.5) with ESMTP id KAA07423 for ; Thu, 2 Apr 1998 10:04:11 -0800 (PST) Received: from c00069-100lez.eos.ncsu.edu (c00069-100lez.eos.ncsu.edu [152.1.26.28]) by cc00ms.unity.ncsu.edu (8.8.4/US19Dec96) with SMTP id NAA21511 for ; Thu, 2 Apr 1998 13:05:14 -0500 (EST) Date: Thu, 2 Apr 1998 13:05:14 -0500 (EST) From: Ken Williams X-Sender: jkwilli2@c00069-100lez.eos.ncsu.edu To: Firewalls Subject: Re: Spam! In-Reply-To: <35237DE0.AC37DFA5@san.osd.mil> Message-ID: X-Copyright: The contents of this message may not be reproduced in any form X-Copyright: (including Commercial use) unless specific permission is granted X-Copyright: by the author of the message. All requests must be in writing. X-Disclaimer: The contents of this email are for educational purposes only X-Disclaimer: and do not reflect the thoughts or opinions of either myself X-Disclaimer: or my employer and are not endorsed by sponsored by or provided X-Disclaimer: on behalf of North Carolina State University. MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thu, 2 Apr 1998, MAJ John Conklin wrote: >I am new to this listserver. I just signed on within the past week. At >around the same time, I was looking at setting up a personal AOL account >through the Netscape 4.04 configuration. I didn't get very far into the >AOL account process, as I realized it wasn't what I needed. Is it >possible that through my actions, I have generated this spamming? 
The >same day that I aborted my AOL account sign-up, I received this ... >model ...' request. Couldn't possibly be a coincidence now, could it? It's your fault. >Sorry, if I was the cause of this. However, is it possible that actions >that I highlighted above resulted in the mass-spamming that we are all >seeing? If so, what do we do to defend ourselves? Well, I have some buddies down at Fort Bragg with the 82nd Airborne... I think we should hire a crack team of mercenaries to storm AOL headquarters and take out their mail servers with a couple hundred pounds of semtek. Even though that won't stop the SPAM, it will help save the NET from AOL. Regards, Ken Williams ORG: NC State Computer Science Dept VP of The E.H.A.P. Corp. EML: jkwilli2@adm.csc.ncsu.edu ehap@hackers.com WWW: http://152.7.11.38/~tattooman/ http://www.hackers.com/ehap/ PGP: finger tattooman@152.7.11.38 From firewalls-owner Thu Apr 2 13:23:00 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA17929; Thu, 2 Apr 1998 12:13:28 -0800 (PST) Received: from puma.sirinet.net (puma.sirinet.net [198.203.196.67]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id MAA17703 for ; Thu, 2 Apr 1998 12:12:25 -0800 (PST) Received: (from debie@localhost) by puma.sirinet.net (8.8.8/8.8.6) id OAA01463 for firewalls@greatcircle.com; Thu, 2 Apr 1998 14:16:32 -0600 Date: Thu, 2 Apr 1998 14:16:32 -0600 From: Debie Beley Message-Id: <199804022016.OAA01463@puma.sirinet.net> To: firewalls@greatcircle.com Subject: spam Sender: firewalls-owner@GreatCircle.COM Precedence: bulk check the headers.... 
From firewalls-owner Thu Apr 2 13:25:01 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA03518; Thu, 2 Apr 1998 07:53:47 -0800 (PST) Received: from boavista.com.br ([200.244.107.20]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id HAA03452 for ; Thu, 2 Apr 1998 07:53:30 -0800 (PST) Received: from BOAVISTA-Message_Server by boavista.com.br with Novell_GroupWise; Thu, 02 Apr 1998 13:00:18 -0300 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Thu, 02 Apr 1998 12:54:30 -0300 From: Cleber Luz Viana To: Firewalls@GreatCircle.COM Subject: Re: Bordermanager as firewall? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk When we tested some firewalls, I tested Border Manager. It is not only a firewall; it has some other features. The cool thing about Border Manager is that it runs over NetWare; if you use NetWare in your network, it will be simpler to administer your users. On the other hand, Novell never did a firewall before; this is their first one. >>> 01/04/98 19:56:57 >>> Does anyone have any first-hand experience with Novell's Bordermanager as a firewall? We are in the process of selecting a firewall product, and one vendor is going to propose Bordermanager. I have to admit, I was a little surprised. I was expecting IBM Firewall (because we're an AIX shop), Checkpoint, Cisco PIX, etc., but not Bordermanager. I tended to equate that product with MS Proxy Server. We have a 400-desktop enterprise with eight Frame-Relay connected remote sites, and are looking for a firewall solution for the entire enterprise. In addition, we are in a rapid growth mode, and predict doubling in size both in number of desktops and number of WAN-connected sites by year-end. Any thoughts anyone has would be appreciated. Thanks, Curtis Kline Network Engineer MAPCO Coal, Inc.
Tulsa, OK From firewalls-owner Thu Apr 2 13:27:03 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA00836; Thu, 2 Apr 1998 10:32:56 -0800 (PST) Received: from ntrj01.landesigners.com.br ([200.240.22.210]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id KAA00812 for ; Thu, 2 Apr 1998 10:32:46 -0800 (PST) Received: by NT01 with Internet Mail Service (5.0.1458.49) id <2D47BL2M>; Thu, 2 Apr 1998 15:37:46 -0300 Message-ID: From: Leonardo Pacheco To: "'firewalls@GreatCircle.COM'" Subject: RE: great circle spam relay Date: Thu, 2 Apr 1998 15:35:22 -0300 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.49) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Me too, but I had no idea where it was coming from... -----Original Message----- From: Randy Grimshaw [mailto:rgrimsha@mailbox.syr.edu] Sent: Thursday, April 02, 1998 11:29 AM To: Vinod Valloppillil (Exchange) Cc: firewalls@GreatCircle.COM Subject: Re: great circle spam relay me too :( <> is it just me or is anyone else getting a ton of spam relayed by > greatcircle.com? > From firewalls-owner Thu Apr 2 14:15:42 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA26686; Thu, 2 Apr 1998 07:18:15 -0800 (PST) Received: from simba.mpinet.net (mail.mpinet.net [208.6.196.4]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id HAA26615 for ; Thu, 2 Apr 1998 07:17:58 -0800 (PST) Received: from [207.203.248.35] by simba.mpinet.net (NTMail 3.03.0017/42.aadq) with ESMTP id ma759108 for ; Thu, 2 Apr 1998 10:21:45 +0000 Message-Id: <3.0.32.19980402102112.006856d8@mail.mpinet.net> X-Sender: havoc@mail.mpinet.net X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Thu, 02 Apr 1998 10:21:13 -0800 To: firewalls@greatcircle.com From: havoc Subject: Return of ICMP... 
Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
#set default forwarding policy to masquerade all packets.. (tcp/udp/icmp..)
ipfwadm -F -p masq
#be sure that incoming accepts at least the icmp packets to receive the pings..
ipfwadm -I -p deny
ipfwadm -I -a accept -P icmp -S 0/0 -D loc.al.ho.st/32
but now I have heard that being behind a firewall with unclassified addressing one should not try any icmp messaging such as pinging or tracerouting.. because the destination hosts might think you are trying to spoof your address.. BUT the new kernel comes with icmp masquerading built into it... so I dunno.. -havoc At 08:42 AM 4/2/98 +0200, you wrote: >Hello again: > >Thx to all who replied to my questions, I've just read all the messages >and I'm making my theories :) > >Ok, step by step I get the next comments: > >i) If my FW can do this, I should let ICMP requests OUT > I should let ICMP replies >, Time Exceeded( type 11 ) IN > >ii) I know, Traceroute can be used to map a network, but I really need >to allow that, anyone knows a way to establish a rule to let traceroute >in from trusted networks and to return spoofed route info to >non-trusted? I've seen places where when you try to "traceroute" them the >last hop you can get is 1.1.1.1 And next hops are * * * :-? :-? > >iii) ICMP types usually permitted are:
>  0 ECHO REPLY    -> Let IN
>  8 ECHO          -> Let OUT
>  3 UNREACHABLE   -> Let IN
>  4 SOURCE-QUENCH -> What's that? :)
> 11 TIME EXCEEDED -> Let IN
> >Am I right? > >Thx again...
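The ICMP policy worked out in the exchange above (echo out; echo reply, unreachable and time exceeded in) is stateless as written: any host on the Internet can send a type 3 or type 11 message and the filter will pass it. Every ICMP error carries the IP header and first 8 bytes of the datagram it complains about, so the check a stateful filter applies is to parse that embedded header and accept the error only when it refers to a flow the site actually originated. The following is an added example written for this archive, not code from havoc's or rramirez's posts; the packets and the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 addresses are constructed, and nothing touches the network.

```python
"""Validate inbound ICMP against the thread's policy with a state check.

Added example, not from the list posting. Packets are built with struct so
it runs offline; checksums are left zero because nothing is sent.
"""
import socket
import struct

ECHO_REPLY, DEST_UNREACH, SOURCE_QUENCH, ECHO, TIME_EXCEEDED = 0, 3, 4, 8, 11
TCP, UDP, ICMP = 6, 17, 1

# Inbound policy from the thread: replies and error reports only, never probes.
INBOUND_ALLOWED = {ECHO_REPLY, DEST_UNREACH, TIME_EXCEEDED}


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (version 4, IHL 5, checksum zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def icmp_error(icmp_type, code, inner_src, inner_dst, inner_proto, first8):
    """RFC 792 error: 8-byte ICMP header, then the offending IP header and
    the first 8 bytes of its payload (constructed test packet)."""
    return (struct.pack("!BBHI", icmp_type, code, 0, 0)
            + ipv4_header(inner_src, inner_dst, inner_proto, 8) + first8)


def embedded_flow(pkt):
    """Extract the flow an ICMP error complains about.
    Returns (proto, src, dst, sport, dport) for TCP/UDP, (ICMP, src, dst, id)
    for an embedded echo request, or None if the payload is too short or
    not IPv4 (a forger who omits the embedded header gets nothing through)."""
    inner = pkt[8:]
    if len(inner) < 20 or inner[0] >> 4 != 4:
        return None
    ihl = (inner[0] & 0x0F) * 4
    if ihl < 20 or len(inner) < ihl + 8:
        return None
    proto = inner[9]
    src, dst = socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20])
    first8 = inner[ihl:ihl + 8]
    if proto in (TCP, UDP):
        sport, dport = struct.unpack("!HH", first8[:4])
        return (proto, src, dst, sport, dport)
    if proto == ICMP:
        ident = struct.unpack("!H", first8[4:6])[0]
        return (ICMP, src, dst, ident)
    return None


def accept_inbound_icmp(pkt, outbound_flows):
    """Verdict for an inbound ICMP packet as (accepted, reason).
    outbound_flows is the set of flows this site recently originated; a real
    filter would build it from the packets it forwarded out."""
    if len(pkt) < 8:
        return False, "truncated ICMP header"
    icmp_type = pkt[0]
    if icmp_type not in INBOUND_ALLOWED:
        return False, "type %d not permitted inbound" % icmp_type
    if icmp_type == ECHO_REPLY:
        return True, "echo reply"
    flow = embedded_flow(pkt)
    if flow is None:
        return False, "error carries no parseable embedded header"
    if flow not in outbound_flows:
        return False, "error refers to a flow we never sent: %r" % (flow,)
    return True, "error matches outbound flow %r" % (flow,)


def demo():
    """Constructed traffic: one real traceroute reply, one forged, one probe."""
    # UDP traceroute probe we sent: 192.0.2.10:40000 -> 198.51.100.7:33435
    probe = struct.pack("!HHHH", 40000, 33435, 8 + 32, 0)
    state = {(UDP, "192.0.2.10", "198.51.100.7", 40000, 33435)}
    legit = icmp_error(TIME_EXCEEDED, 0, "192.0.2.10", "198.51.100.7", UDP, probe)
    # Same type, but describing a flow nobody here originated
    forged = icmp_error(TIME_EXCEEDED, 0, "192.0.2.99", "203.0.113.5", UDP, probe)
    # An inbound echo request (type 8) is a probe, not a reply: always dropped
    ping_in = struct.pack("!BBHHH", ECHO, 0, 0, 1, 1)
    return (accept_inbound_icmp(legit, state)[0],
            accept_inbound_icmp(forged, state)[0],
            accept_inbound_icmp(ping_in, state)[0])


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The embedded-header match is the same test a stateful firewall or the kernel's ICMP masquerading performs before it rewrites and forwards an error back to an inside host; a stateless ipfwadm rule has no table to consult and must take the packet on faith.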
> >-- >http://www.encomix.es/users/patowc >mailto://rramirez@encomix.es > > > > From firewalls-owner Thu Apr 2 15:48:38 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA16798; Thu, 2 Apr 1998 06:28:08 -0800 (PST) Received: from gate4.mcc.net (gate4.mcc.net [207.245.25.250]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id GAA16772 for ; Thu, 2 Apr 1998 06:27:59 -0800 (PST) Received: from [10.1.1.25] ([10.1.1.25]:4220 "EHLO a01ex001.mcc.net" ident: "SOCKFAULT1") by gate.mcc.net with ESMTP id <421764-9137>; Thu, 2 Apr 1998 07:32:12 -0700 Received: by a01ex001.mcc.net with Internet Mail Service (5.0.1458.49) id ; Thu, 2 Apr 1998 07:32:22 -0700 Message-ID: From: "Paquette, Trevor" To: "'klinec@mapcoinc.com'" , Firewalls@GreatCircle.COM Subject: RE: Bordermanager as firewall? Date: Thu, 2 Apr 1998 07:32:19 -0700 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.49) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Warning.. one of our customers put in this product and their network throughput for HTTPS dropped like a rock. Your mileage may vary. > -----Original Message----- > From: klinec@mapcoinc.com [SMTP:klinec@mapcoinc.com] > Sent: Wednesday, April 01, 1998 3:57 PM > To: Firewalls@GreatCircle.COM > Subject: Bordermanager as firewall? > > Does anyone have any first-hand experience with Novell's Bordermanager > as a > firewall? We are in the process of selecting a firewall product, and > one > vendor is going to propose Bordermanager. I have to admit, I was a > little > surprised. I was expecting IBM Firewall (because we're an AIX shop), > Checkpoint, Cisco PIX, etc., but not Bordermanager. I tended to > equate > that product with MS Proxy Server. > > We have a 400-desktop enterprise with eight Frame-Relay connected > remote > sites, and are looking for a firewall solution for the entire > enterprise. 
> In addition, we are in a rapid growth mode, and predict doubling in > size > both in number of desktops and number of WAN-connected sites by > year-end. > > Any thoughts anyone has would be appreciated. > > Thanks, > Curtis Kline > Network Engineer > MAPCO Coal, Inc. > Tulsa, OK > From firewalls-owner Thu Apr 2 16:41:53 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA10275; Thu, 2 Apr 1998 05:54:50 -0800 (PST) Received: from beta.nsf.gov (beta.nsf.gov [206.2.78.5]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id FAA10229 for ; Thu, 2 Apr 1998 05:54:36 -0800 (PST) From: dmcewen@nsf.gov Received: by beta.nsf.gov; id IAA19184; Thu, 2 Apr 1998 08:58:54 -0500 (EST) Received: from mailman.nsf.gov(128.150.11.2) by beta.nsf.gov via smap (3.2) id xma019173; Thu, 2 Apr 98 08:58:50 -0500 Received: from yrelay.nsf.gov (yrelay.nsf.gov [128.150.195.91]) by mailman.nsf.gov (8.8.4/8.8.4) with SMTP id IAA16976; Thu, 2 Apr 1998 08:58:48 -0500 Received: from ccMail by yrelay.nsf.gov (SMTPLINK V2.11.01) id AA891536326; Thu, 02 Apr 98 08:58:06 EST Date: Thu, 02 Apr 98 08:58:06 EST Message-Id: <9803028915.AA891536326@yrelay.nsf.gov> To: Michael_Batchelor@citysearch.com, Leonard Miyata Cc: firewalls@GreatCircle.COM Subject: Re[2]: Split DNS config questions Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi back at you, I'd like to quickly detail a sample configuration for a couple of reasons, first to share some experience, and second to see if there are comments that could improve upon my understanding. For this example I assume that you are using a proxy firewall so all requests from inside hosts go to the firewall, and they are relayed to the target machine with a source IP address of your firewall. This example requires that inside users be allowed access to some Internet resources, and thus need to be able to translate host.domain to an IP address. In this example, you would have 2 DNS servers.
One outside which is registered as your authoritative name server and is configured as a primary, and one inside which is configured as a primary. The outside name server only has addresses for those hosts in your DMZ and your firewall machine. The named.ca file lists the root name servers A.ROOT-SERVERS.NET etc... The named.conf file has entries like:
zone "company.com" {
    type master;
    file "company.zone";
};
zone "1.1.1.in-addr.arpa" {
    type master;
    file "company.rev";
};
The outside name server has a /etc/resolv.conf file like:
domain company.com
nameserver 127.0.0.1
This means that named requests from your outside name server go to its DNS for resolution. The inside server has the same info in the zone and rev files as your outside server, but also has entries for each inside host. It is likewise a master for company.com and 1.1.1.in-addr.arpa zone. The /etc/resolv.conf file lists:
domain company.com
nameserver 127.0.0.1
And it has a named.ca file with the root name servers. Your firewall machine has a resolv.conf file like:
domain company.com
nameserver 127.0.0.1
which means it uses the inside name server. Requests for DNS from outside get sent to the outside name server. Requests for DNS from the inside get sent to the inside name server. Requests from the firewall get sent to the inside name server. The key here is that DNS requests (UDP and TCP) must both be allowed through your firewall. The other option that I'm aware of is to make your inside name server reside on the firewall machine. Same configuration as above, but all inside hosts go to the firewall to get DNS resolution. This way there are no holes in the firewall, but then again, you're running another service directly on the firewall which is open to forged data that can corrupt the DNS cache. Thanks for any feedback.
Don ______________________________ Reply Separator _________________________________ Subject: Re: Split DNS config questions Author: Leonard Miyata at NOTE Date: 4/2/98 8:01 AM Hi There. First, the best references for this subject are Building Internet Firewalls, Chapman & Zwicky, and DNS and BIND, 2ND EDITION!!, Albitz & Liu, both from O'Reilly & Associates, Inc. The two together provide a good write-up on the interactions of DNS, firewalls and DMZ configurations. The entire purpose of 'Split' DNS is to set up a Private DNS infrastructure to resolve your internal Private Addresses, and the Public Addresses they're allowed to talk to. Meanwhile, your Official Public DNS Server contains your Public addresses, and resolves Internet connections. Since the Public Server does not know your internal Addresses, the 'Split' DNS configuration 'hides' the internal addresses from public view. By the way... they both use 'Your Domain' but they are duplicate infrastructure. For Complete isolation, not only do you need your Private Primary and Secondary DNS Servers, you also need a Private root Server granting your Private Primary Authoritative for the domain. Personal Opinions Provided by Leonard Miyata aka leonard@geminisecure.com Gemini Computers Inc. On Tue, 31 Mar 1998, Michael Batchelor wrote: > I am having some trouble understanding how split DNS is supposed to > work. I am using BIND 8.1.1 on Irix 6.2. I have looked up some info on > the web about split DNS (fwtk FAQ, for instance, has a short tutorial), > and have gone over the discussion in the Cheswick/Bellovin firewalls > book, but still have some unresolved questions: > > 1. If I want to use the same domain for internal and external, how does > the internal DNS server know when to forward to the firewall? I set up > the internal name server as primary for company.com, but www.company.com > is an external host. The internal server doesn't want to forward > queries for www.company.com to the firewall.
It returns NXDOMAIN for > all outside hosts in the same domain, if the internal server doesn't > have a record. Must I set up a different internal domain for inside > DNS? That works, by the way, but I was under the impression that split > DNS worked with the same domain inside and outside. It's really > inconvenient for me to have to make internal.company.com or whatever. > > 2. I prepared a named.cache file for the internal DNS server that lists > itself as a root server. Named likes to complain in the log files about > "sysquery: no addrs found for root NS ()". If I leave out the > named.cache from the named.conf, it fails to operate (SRVFAIL errors). > If I use the named.cache from rs.internic.net, all answers are > non-authoritative. > > 3. My firewall is actually not listed in the NIC as primary for our > domain. Our external primaries are co-located at our ISP. So I set up > the firewall named as a caching forwarder to the existing external name > servers. When the internal server is set up with a subdomain, rather > than the same domain as the external hosts, this seems to work OK. I > have the firewall named set to log all queries, and it does get the > queries from the internal server, and forwards to the external. So I > think this setup is functionally OK, but wanted to mention it in case it > has relevance to my other questions. > > Any hints, tips, or URLs to a complete discussion with examples would be > very much appreciated. > > _______________________________________________________ > UNIX TEAM - Because it tells me to. 
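Don's two-master layout and Michael's first question are two sides of the same behaviour: a server that is master for company.com is authoritative for every name under it, so a name missing from its zone file gets NXDOMAIN, never a forward. The model below reproduces that, shows why Don's inside zone carries the public records as well as the inside hosts, and adds the one check a practitioner wants before publishing the outside zone: that no RFC 1918 address has crept into it. This is an added example written for this archive, not code or configuration from any of the posts; the host names and the 192.0.2.0/24 (public) and 10.0.0.0/8 (inside) addresses are constructed, and the Master class stands in for BIND's handling of a zone it is primary for, not for BIND itself.

```python
"""Model of split DNS: two masters for one zone, as described in the thread.

Added example, not from the posts. Zone data is constructed; 192.0.2.0/24
plays the public block and 10/8 the inside network.
"""
import ipaddress

NXDOMAIN = "NXDOMAIN"
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class Master:
    """A name server that is master (primary) for one zone. Being
    authoritative, it answers NXDOMAIN for any name under the zone that is
    absent from its data; it never forwards such a query. Names outside the
    zone come back as None, standing in for 'ask the root servers'."""

    def __init__(self, zone, records):
        self.zone = zone.lower().rstrip(".")
        self.records = {k.lower().rstrip("."): v for k, v in records.items()}

    def in_zone(self, name):
        return name == self.zone or name.endswith("." + self.zone)

    def resolve(self, name):
        name = name.lower().rstrip(".")
        if not self.in_zone(name):
            return None
        return self.records.get(name, NXDOMAIN)


def split_resolve(name, from_inside, inside, outside):
    """Inside clients (and the firewall's proxies) ask the inside master;
    everyone on the Internet asks the outside master. That is the split."""
    return (inside if from_inside else outside).resolve(name)


def leaked_private_addresses(outside):
    """Names in the public zone pointing at RFC 1918 space: each one is an
    inside host the outside server should never have been told about."""
    return sorted(n for n, a in outside.records.items()
                  if any(ipaddress.ip_address(a) in net for net in RFC1918))


def unreachable_from_inside(inside, outside):
    """Public names inside users cannot resolve because the inside master,
    authoritative for the same zone, answers NXDOMAIN instead of forwarding.
    The fix Don uses is to carry the public records in the inside zone too."""
    return sorted(n for n in outside.records if inside.resolve(n) == NXDOMAIN)


PUBLIC = {"www.company.com": "192.0.2.80", "mail.company.com": "192.0.2.25",
          "fw.company.com": "192.0.2.1"}
INSIDE_HOSTS = {"hr.company.com": "10.1.2.5", "db.company.com": "10.1.2.9"}

outside = Master("company.com", PUBLIC)
# Michael's setup: master for company.com inside, but only inside hosts listed
inside_broken = Master("company.com", {"fw.company.com": "10.1.1.1", **INSIDE_HOSTS})
# Don's setup: the inside master carries the public records as well
inside_fixed = Master("company.com", {**PUBLIC, **INSIDE_HOSTS})
# The mistake the leak check exists for: an inside host copied into the public zone
outside_leaky = Master("company.com", {**PUBLIC, "db.company.com": "10.1.2.9"})


def demo():
    return {
        "broken_inside_www": split_resolve("www.company.com", True, inside_broken, outside),
        "fixed_inside_www": split_resolve("www.company.com", True, inside_fixed, outside),
        "outside_sees_hr": split_resolve("hr.company.com", False, inside_fixed, outside),
        "unreachable_broken": unreachable_from_inside(inside_broken, outside),
        "unreachable_fixed": unreachable_from_inside(inside_fixed, outside),
        "leaks_good": leaked_private_addresses(outside),
        "leaks_bad": leaked_private_addresses(outside_leaky),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two things the model makes visible that the configuration files alone do not: the outside master answering NXDOMAIN for hr.company.com is the hiding that split DNS is for, and the same NXDOMAIN from the inside master for www.company.com is Michael's symptom, cured by data in the zone file rather than by any forwarders statement.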
> > From firewalls-owner Thu Apr 2 17:08:28 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id QAA24385; Thu, 2 Apr 1998 16:07:15 -0800 (PST) Received: from relay1.smtp.psi.net (relay1.smtp.psi.net [38.8.14.2]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id QAA24320 for ; Thu, 2 Apr 1998 16:06:55 -0800 (PST) Received: from cc-smtp.gasonics.com by relay1.smtp.psi.net (8.8.5/SMI-5.4-PSI) id TAA24983; Thu, 2 Apr 1998 19:11:22 -0500 (EST) Received: from ccMail by cc-smtp.gasonics.com (IMA Internet Exchange 2.11 Enterprise) id 000426DE; Thu, 2 Apr 1998 16:30:24 -0800 Mime-Version: 1.0 Date: Thu, 2 Apr 1998 16:09:24 -0800 Message-ID: <000426DE.1537@gasonics.com> From: jqian@gasonics.com (John Qian) To: Firewalls@GreatCircle.COM Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Description: cc:Mail note part Sender: firewalls-owner@GreatCircle.COM Precedence: bulk REQUEST From firewalls-owner Thu Apr 2 17:54:02 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id QAA23850; Thu, 2 Apr 1998 16:03:40 -0800 (PST) Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id PAA23047 for ; Thu, 2 Apr 1998 15:59:53 -0800 (PST) Received: from ontime.sabre.net (sabre.net [199.100.49.3]) by miles.greatcircle.com (8.8.5/8.8.5) with SMTP id PAA16332 for ; Thu, 2 Apr 1998 15:40:27 -0800 (PST) Received: (from uucp@localhost) by ontime.sabre.net (8.6.11/8.6.11) id RAA12483 for ; Thu, 2 Apr 1998 17:41:44 -0600 Received: from ngw.sabre.com(192.168.133.149) by ontime.sabre.net via smap (V1.3) id sma011897; Thu Apr 2 17:37:43 1998 Received: from USGW-Message_Server by sabre.com with Novell_GroupWise; Thu, 02 Apr 1998 17:37:13 -0600 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Thu, 02 Apr 1998 17:42:37 -0600 From: Jasjit K Singh Reply-To: Jasjit_K_Singh@sabre.com To: 
Firewalls@greatcircle.com
Subject: Firewalls-Digest V7 #146-Auto Answer
Mime-Version: 1.0
Content-Type: text/plain
Content-Disposition: inline
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am on maternity leave from 04/06/98 till 05/29/98. Please try me later. Thanks!!!

From firewalls-owner Thu Apr 2 18:50:15 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA15732; Thu, 2 Apr 1998 15:13:51 -0800 (PST)
Received: from cih-gw.cih.com (cih-gw.cih.com [204.69.206.1]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id PAA15716 for ; Thu, 2 Apr 1998 15:13:42 -0800 (PST)
Received: (from hagan@localhost) by cih-gw.cih.com (8.7.6/8.6.9) id SAA26548; Thu, 2 Apr 1998 18:19:12 -0500
To: "Jon E. Price"
Cc: Firewalls@GreatCircle.COM, gordy@nytimes.com, theresa@nytimes.com
Subject: Re: socks versus fw-1 stateful inspection vulnerabilities
References: <3.0.1.32.19980401232759.00897250@mailgate.nytimes.com>
From: "Craig I. Hagan"
Date: 02 Apr 1998 18:19:12 -0500
In-Reply-To: "Jon E. Price"'s message of "Wed, 01 Apr 1998 23:27:59 -0500"
Message-ID:
Lines: 40
X-Mailer: Gnus v5.4.66/Emacs 19.34
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

"Jon E. Price" writes:

> Are there any known or theoretical insecurities or vulnerabilities or other
> shortcomings (eg. performance) using socks or the fw-1 stateful inspection
> technologies?
>
> If I have an application that can work with either fw-1 stateful inspection
> OR a socks relay what criteria can I use to choose?

think risk based. stateful inspection and/or circuit level firewalling (socks) uses either analysis of the network layer, or misdirection of the network layer to achieve security. This allows you to manage a great deal of the risks out there on the net. The issue that you need to confront is what risks do you wish to take/control.

For example, socks/SI/masq/NAT firewall technology can't handle things like pulling activeX or java from web pages, they can't easily log what (or permit/deny) type of ftp transaction occurred -- did you put/get, what filename? Nor can they perform email relay prevention/spam filtering, again best done at the application level with an app proxy (smap or smtpd are examples thereof).

personally, i think that SI/NAT/masq/etc are good technologies to use in constructing your firewall, but, you would want to add application level proxying to handle those certain situations where SI/etc just doesn't give you the power/flexibility that is needed to properly do your risk management.

-- craig
-------------------------------------------------------------------------------
Craig I. Hagan "It's a small world, but I wouldn't want to back it up"
hagan(at)cih.com "True hackers don't die, their ttl expires"
"It takes a village to raise an idiot, but an idiot can raze a village"
Stop the spread of spam, use a sendmail condom! http://www.cih.com/~hagan/smtpd-hacks
In Bandwidth we trust

From firewalls-owner Thu Apr 2 19:06:37 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id SAA15072; Tue, 31 Mar 1998 18:42:34 -0800 (PST)
Received: from fw.itm-inst.com (fw.itm-inst.com [206.239.41.100]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id SAA18244 for ; Mon, 30 Mar 1998 18:08:44 -0800 (PST)
Received: by fw.itm-inst.com; id VAA26933; Mon, 30 Mar 1998 21:12:34 -0500 (EST)
Received: from sark.itm-inst.com(10.0.3.121) by fw.itm-inst.com via smap (2.0) id xma026928; Mon, 30 Mar 98 21:12:11 -0500
Message-Id: <3.0.3.32.19980330210646.00710158@fw.itm-inst.com>
X-Sender: rmurphy@fw.itm-inst.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Mon, 30 Mar 1998 21:06:46 -0500
To: "Edkins, Rob - Axon AKL"
From: Rick Murphy
Subject: RE: FW-1 redundancy
Cc: "'Jose R. Ferreira'", Firewalls@GreatCircle.COM
In-Reply-To: <42CCA0F98530D111A77900805F0D52B33B766C@AX-AKL-EXCHANGE>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 08:59 AM 3/31/98 +1200, Edkins, Rob - Axon AKL wrote:
>Firewall 1 actually supports your intended configuration quite happily
>and will even load-balance across the 2 Firewalls!

Does this load balancing work when you're using "security servers"? Authenticating HTTP? Doing virus scanning? Or is it only available when you're packet filtering?

-Rick

From firewalls-owner Thu Apr 2 19:06:40 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA11848; Wed, 1 Apr 1998 23:34:21 -0800 (PST)
Received: from geocities.com (mail6.geocities.com [209.1.224.26]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id UAA04640 for ; Wed, 1 Apr 1998 20:12:55 -0800 (PST)
Received: from geocities.com (cs113-9.u.washington.edu [140.142.181.11]) by geocities.com (8.8.5/8.8.5) with ESMTP id UAA08663 for ; Wed, 1 Apr 1998 20:17:11 -0800 (PST)
Message-ID: <35231138.66E5C96A@geocities.com>
Date: Wed, 01 Apr 1998 20:16:56 -0800
From: Daniel Walsh
X-Mailer: Mozilla 4.04 [en] (Win95; I)
MIME-Version: 1.0
To: Firewalls
Subject: Circle o' Spam, etc.
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Well, ever since I started on any kind of listserv, I have gotten spam of all kinds!

Firewall question: (really!) ;)

I did a presentation on firewalls for a class, and I detailed DMZs, proxies, and application gateways. I still don't know a lot, but in the "professional" world, is there a system (DMZ, proxy, app.gateway, packet filter) that is recommended as a good, general firewall? I know that it depends on the protected network. But, suppose a small corp network.
thanks daniel From firewalls-owner Thu Apr 2 19:06:49 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id DAA14411; Thu, 2 Apr 1998 03:57:24 -0800 (PST) Received: from www.idss.ida.org (www.idss.ida.org [129.246.226.95]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id DAA14349 for ; Thu, 2 Apr 1998 03:57:08 -0800 (PST) Received: from san.osd.mil ([195.8.133.232]) by www.idss.ida.org (post.office MTA v2.0 0813 ID# 0-33302U1110) with ESMTP id AAA516; Thu, 2 Apr 1998 07:00:24 -0500 Message-ID: <35237DE0.AC37DFA5@san.osd.mil> Date: Thu, 02 Apr 1998 14:00:32 +0200 From: MAJ John Conklin Reply-To: jconklin@san.osd.mil Organization: ODC, Denmark X-Mailer: Mozilla 4.04 [en] (Win95; I) MIME-Version: 1.0 To: Firewalls CC: Michael Batchelor Subject: Re: Spam! References: <9494F3B8EDAED111949B00600815D1C57B3F79@mail.citysearch.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I am new to this listserver. I just signed on within the past week. At around the same time, I was looking at setting up a personal AOL account through the Netscape 4.04 configuration. I didn't get very far into the AOL account process, as I realized it wasn't what I needed. Is it possible that through my actions, I have generated this spamming? The same day that I aborted my AOL account sign-up, I received this ... model ...' request. Sorry, if I was the cause of this. However, is it possible that actions that I highlighted above resulted in the mass-spamming that we are all seeing? If so, what do we do to defend ourselves? --- Michael Batchelor wrote: > I must echo Daniel's complaint. I have also received 2-3 spams per day > for the last couple of days from an account at AOL telling me "HI I want > to meet you I'm a model...". They all were forwarded via the firewalls > mailing list. You'd think the firewalls list would have some spam > protection... 
:) Or at least refuse to forward messages to the list > that come from non-subscribers. I presume this person spams mailing > lists, and lets the list manager do the leg work getting it to multiple > recipients. Not good. > > > -----Original Message----- > > From: Daniel Walsh [SMTP:karsus@geocities.com] > > Sent: Wednesday, April 01, 1998 11:03 AM > > To: Firewalls > > Subject: Spam! > > > > I'll make this short, and I know this has nothing to do with > > firewalls, but. . . SPAM! How do I deal with the "unidentified > > recipients?" And more importantly, I have recieved several > > e-mails from an AOL account, that returns an unidentified user > > response when I tried to get off the list. > > Help? Maybe a direction to send me in? > > > > thanks > > > > dan > > --------------------------------- > > Daniel Walsh > > University of Washington > > Engineering Alumni Assoc. > > -Webslave > > karsus@geocities.com > > ---------------------------------- From firewalls-owner Thu Apr 2 19:49:55 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id TAA26975; Thu, 2 Apr 1998 19:42:10 -0800 (PST) Received: from imo25.mx.aol.com (imo25.mx.aol.com [198.81.17.69]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id TAA26918 for ; Thu, 2 Apr 1998 19:41:53 -0800 (PST) Received: from V75ortex@aol.com by imo25.mx.aol.com (IMOv13.ems) id XFRFa10381; Thu, 2 Apr 1998 22:27:38 -0500 (EST) From: V75ortex Message-ID: <85cc294e.3524572c@aol.com> Date: Thu, 2 Apr 1998 22:27:38 EST Mime-Version: 1.0 Subject: Here Content-type: multipart/mixed; boundary="part0_891574058_boundary" X-Mailer: AOL 2.5 for Windows sub 2 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This is a multi-part message in MIME format. 
--part0_891574058_boundary Content-ID: <0_891574058@inet_out.mail.aol.com.1> Content-type: text/plain; charset=US-ASCII   --part0_891574058_boundary Content-ID: <0_891574058@inet_out.mail.aol.com.2> Content-type: message/rfc822 Content-transfer-encoding: 7bit Content-disposition: inline From: V75ortex Return-path: To: V75ortex@aol.com Subject: Here Date: Thu, 2 Apr 1998 22:14:41 EST Organization: AOL (http://www.aol.com) Mime-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7bit Click here for 10 free pics --part0_891574058_boundary-- From firewalls-owner Thu Apr 2 20:37:20 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id UAA00939; Thu, 2 Apr 1998 20:11:13 -0800 (PST) Received: from cebu.mozcom.com (cebu.mozcom.com [207.0.115.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id UAA00761 for ; Thu, 2 Apr 1998 20:10:24 -0800 (PST) Received: from localhost (derts@localhost) by cebu.mozcom.com (8.8.8/8.6.9) with SMTP id MAA11174; Fri, 3 Apr 1998 12:00:24 GMT Date: Fri, 3 Apr 1998 12:00:24 +0000 ( ) From: Ederlindo Cojuangco To: yangxl@cqupt.edu.cn, yl@cquc.edu.cn cc: firewalls-digest@GreatCircle.COM Subject: Re: How can Cisco2511 support high speed(above 28.8)dailup network with Hayes Modem Pool? In-Reply-To: <35230246.234F@cqupt.edu.cn> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk How about the rxspeed and the txspeed of your config? On Thu, 2 Apr 1998, Yang Xiaolong wrote: > Hi,All, > I have a router Cisco2511(ISO software version 10.2) and Hayes > Modem Pool(V.34+FAX),and it should support high speed dailup,but in fact > it only supports 9600,if the speed is above 9600,the login window will > display some odd codes.My router config is following: > > ! 
> interface Async1
> ip unnumbered Ethernet0
> ip tcp header-compression passive
> encapsulation ppp
> bandwidth 64
> async dynamic address
> async dynamic routing
> async mode interactive
> !
>

From firewalls-owner Fri Apr 3 01:22:44 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA22167; Thu, 2 Apr 1998 23:43:48 -0800 (PST)
Received: from mailgw1.almaden.ibm.com ([198.4.83.39]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id XAA21957 for ; Thu, 2 Apr 1998 23:43:03 -0800 (PST)
From: trall@almaden.ibm.com
Received: by mailgw1.almaden.ibm.com(Lotus SMTP MTA SMTP v4.6 (462.2 9-3-1997)) id 882565DB.002AD5A2 ; Thu, 2 Apr 1998 23:47:52 -0800
X-Lotus-FromDomain: ALMADEN
To: Leonard Miyata
cc: firewalls@GreatCircle.COM
Message-ID: <882565DB.00299204.00@mailgw1.almaden.ibm.com>
Date: Thu, 2 Apr 1998 23:45:29 -0800
Subject: Re: Split DNS config questions
Mime-Version: 1.0
Content-type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>> Most TCP/IP hosts can support up to 3 DNS nameservers. As an example, in the resolv.conf:

   domain Your.domain
   nameserver A.B.C.X
   nameserver A.B.C.Y
   nameserver A.B.C.Z

From what I understand from the documentation, the host will do a sequential check of the nameservers in the order of X,Y,Z until it gets a successful resolution. This could be used on the firewall (in support of proxy gateways) to first check itself to resolve internal names, then the public DNS server for Internet connections. <<

This does not generally work. Yes, you can specify multiple nameservers, but when the resolver gets an answer from one of them it no longer questions the others. The resolver (client) sends a recursive query to the first server. If it gets a prompt response (either "here's the answer you wanted" or "I couldn't find an answer") it won't even ask the second nameserver.

(OS/2 TCP/IP V3 and up has the only resolver I'm aware of that can be configured to ask a second server after getting a negative reply; to implement this it makes use of 2 resolv files.)

Tony Rall

From firewalls-owner Fri Apr 3 05:06:18 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id EAA28775; Fri, 3 Apr 1998 04:04:05 -0800 (PST)
Received: from scruz.net (nic.scruz.net [165.227.1.2]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id DAA11106 for ; Thu, 2 Apr 1998 03:42:45 -0800 (PST)
From: raf@ezunx.com
Received: from ezunx.com (44.225.csx.com [206.142.44.225]) by scruz.net (8.8.5/1.34) with ESMTP id DAA27584 for ; Thu, 2 Apr 1998 03:47:08 -0800 (PST)
Message-ID: <35237A8E.EC7AE794@ezunx.com>
Date: Thu, 02 Apr 1998 06:46:22 -0500
X-Mailer: Mozilla 4.04 [en] (WinNT; I)
MIME-Version: 1.0
To: firewalls@greatcircle.com
Subject: gre and cisco
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

What are the IOS version requirements for passing PPTP through a cisco box and does anyone know of a good place to get some setup examples?
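Tony Rall's point above about resolv.conf semantics (the resolver stops at the first definitive reply, negative or not, so "internal server first, public server second" does not give fall-through for NXDOMAIN), as an added example that is not part of the original posts: a Python model of a classic stub resolver walking the nameserver list. The server addresses 127.0.0.1 and 192.0.2.53, the example.com names and the zone data are constructed for the illustration, and the retry_on_negative switch models the OS/2-style behaviour the message mentions, which generalises the thread's point.

```python
"""Model of a classic stub resolver walking the resolv.conf nameserver list.

Added example, not code from the original posts. The nameservers below are
constructed stand-ins: a split-DNS internal server that knows only internal
names and returns NXDOMAIN for everything else, and a public recursive server.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Reply(Enum):
    ANSWER = "answer"      # server returned the record
    NXDOMAIN = "nxdomain"  # server says the name does not exist (negative answer)
    SERVFAIL = "servfail"  # server could not complete the lookup
    TIMEOUT = "timeout"    # no reply at all within the timeout


# A nameserver is modelled as: name -> (reply code, address or None)
Nameserver = Callable[[str], Tuple[Reply, Optional[str]]]


def make_server(zone: Dict[str, str], up: bool = True) -> Nameserver:
    """Build a constructed nameserver from a name -> address table."""
    def lookup(name: str) -> Tuple[Reply, Optional[str]]:
        if not up:
            return Reply.TIMEOUT, None
        if name in zone:
            return Reply.ANSWER, zone[name]
        # Like the internal server in the split-DNS question above:
        # no record for the name means a prompt, authoritative NXDOMAIN.
        return Reply.NXDOMAIN, None
    return lookup


@dataclass
class Result:
    status: Reply
    address: Optional[str]
    asked: List[str] = field(default_factory=list)  # servers queried, in order


def resolve(name: str, nameservers: List[Tuple[str, Nameserver]],
            attempts: int = 2, retry_on_negative: bool = False) -> Result:
    """Walk the list the way resolv.conf semantics do.

    Servers are tried strictly in order. Any definitive reply, positive or
    negative, ends the query; the next server is consulted only after a
    timeout or SERVFAIL. retry_on_negative models the OS/2 resolver option
    mentioned in the thread, which goes on to the next server after NXDOMAIN.
    """
    asked: List[str] = []
    last = Reply.TIMEOUT
    for _ in range(attempts):
        for ns_ip, lookup in nameservers:
            asked.append(ns_ip)
            status, addr = lookup(name)
            if status is Reply.ANSWER:
                return Result(status, addr, asked)
            if status is Reply.NXDOMAIN and not retry_on_negative:
                return Result(status, None, asked)
            last = status  # SERVFAIL/TIMEOUT (or NXDOMAIN when retrying): move on
    return Result(last, None, asked)


# Constructed split-DNS scenario: the firewall's own named first, then the
# public server, the ordering the quoted message hoped would fall through.
INTERNAL_ZONE = {"intranet.example.com": "10.0.0.5"}
PUBLIC_ZONE = {"www.example.com": "192.0.2.80"}

NAMESERVERS = [
    ("127.0.0.1", make_server(INTERNAL_ZONE)),   # internal names only
    ("192.0.2.53", make_server(PUBLIC_ZONE)),    # public resolver
]
NAMESERVERS_INTERNAL_DOWN = [
    ("127.0.0.1", make_server(INTERNAL_ZONE, up=False)),  # times out
    ("192.0.2.53", make_server(PUBLIC_ZONE)),
]

if __name__ == "__main__":
    for label, servers in (("both up", NAMESERVERS),
                           ("internal down", NAMESERVERS_INTERNAL_DOWN)):
        r = resolve("www.example.com", servers)
        print(f"{label}: www.example.com -> {r.status.value} {r.address} via {r.asked}")
    r = resolve("www.example.com", NAMESERVERS, retry_on_negative=True)
    print(f"retry on negative: {r.status.value} {r.address} via {r.asked}")
```

With both servers up, the public name is never asked of the second server: the internal server's NXDOMAIN ends the query, which is exactly why the same-domain split DNS setup in the question fails for outside hosts.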
thanks From firewalls-owner Fri Apr 3 05:20:47 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id EAA29067; Fri, 3 Apr 1998 04:06:16 -0800 (PST) Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id JAA17814 for ; Thu, 2 Apr 1998 09:00:00 -0800 (PST) Received: from ns.CompuNetServices.com (ns.compunetservices.com [207.15.26.1]) by miles.greatcircle.com (8.8.5/8.8.5) with ESMTP id IAA05526 for ; Thu, 2 Apr 1998 08:42:31 -0800 (PST) Received: (from tobor@localhost) by ns.CompuNetServices.com (8.8.5/8.7.3) id KAA03110; Thu, 2 Apr 1998 10:39:36 -0600 (CST) Date: Thu, 2 Apr 1998 10:39:36 -0600 (CST) From: Roy Stevens To: firewalls@greatcircle.com Subject: SSH Questions Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I have started research into running ssh accross the INTERNET. My preliminary research has shown much promiss. I would appreciate any feedback on this. I am particularly interested in firewall issues, ie proxy or IP forwarding problems. Thanks for any correspondance. 
TOBOR From firewalls-owner Fri Apr 3 06:34:20 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id DAA26611; Fri, 3 Apr 1998 03:33:43 -0800 (PST) Received: from mail.trace.com.tw (mail.trace.com.tw [203.67.189.10]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id QAA28366 for ; Thu, 2 Apr 1998 16:30:15 -0800 (PST) Received: from localhost (ronald@localhost) by mail.trace.com.tw (8.8.6/8.8.6) with SMTP id IAA29143; Fri, 3 Apr 1998 08:33:44 +0800 X-Comments: ****** Message sent through an Trace account ****** X-http: ****** http://www.trace.com.tw ****** Date: Fri, 3 Apr 1998 08:33:44 +0800 (CST) From: Ronald Wiplinger To: Debie Beley cc: firewalls@GreatCircle.COM Subject: Re: spam In-Reply-To: <199804022016.OAA01463@puma.sirinet.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thu, 2 Apr 1998, Debie Beley wrote: > check the headers.... > Did you? How far did your research go? Does the sender domain exist, ..... ? From firewalls-owner Fri Apr 3 07:12:31 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA10848; Fri, 3 Apr 1998 02:38:51 -0800 (PST) Received: from guvnor.blackwell.co.uk (bisgw.blackwell.co.uk [195.70.69.190]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id HAA02995 for ; Thu, 2 Apr 1998 07:51:24 -0800 (PST) Received: from exchange1.blackwell.co.uk by guvnor.blackwell.co.uk (MX V4.2 VAX) with SMTP; Thu, 02 Apr 1998 16:55:43 BST Received: by EXCHANGE1 with Internet Mail Service (5.0.1458.49) id ; Thu, 2 Apr 1998 16:55:23 +0100 Message-ID: <3BFE2589D330D111AE87006008062DE42F127A@pc37.blackwell.co.uk> From: Martin Hepworth To: Firewalls Subject: RE: Spam!Spam!Spam!Spam!Spam!Spam!Spam!Spam! & eggs and Spam! 
Date: Thu, 2 Apr 1998 16:55:37 +0100 X-Priority: 3 X-Mailer: Internet Mail Service (5.0.1458.49) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Well the only is that Scott Adams uses it (and derides it also but...) :-) Martin Hepworth Blackwell's Information Services Tel: +44 1865 792 792 X3233 1st Rule of Computer Security WYDSIWGY: What You Don't See is What Gets You > -----Original Message----- > From: Austin [SMTP:AKallevi@GTE.net] > Sent: Thursday, April 02, 1998 6:13 AM > To: Firewalls > Cc: Daniel Walsh > Subject: Re: Spam!Spam!Spam!Spam!Spam!Spam!Spam!Spam! & eggs and > Spam! > > I suggest that you block all AOL traffic. What has ever come out of > AOL > that was any good? > > Also, I've been on the list for sometime now, and I have a few > questions > that have never really been answered or even asked yet: > > - I think that Novell is a bad NOS for firewalls, but Microsoft's NT > disrupts the space/time dimension. Is it true that NT is a superior > waste > of space or does John Travolta lay claim to that? > > - And why do all OS's have two syllables?? Novell, NT, UNIX, Linux, > Alpha, > Redhat, and others. I did leave out OS/2 'cause it's a virus. I wipe > it > out whan I encounter it. And it doesn't fit my theory anways. > ------ > sorry - just being bombastic - all questions are hopefully rhetorical > to > you......... I hope... to you..... > > > Daniel Walsh wrote: > > > I'll make this short, and I know this has nothing to do with > firewalls, > > but. . . > > SPAM! How do I deal with the "unidentified recipients?" And more > > importantly, I have recieved several e-mails from an AOL account, > that > > returns an unidentified user response when I tried to get off the > list. > > Help? Maybe a direction to send me in? > > > > and more on the subject: I want to thank you guys for the topics. > My > > presentation for my LAN class went much smoother because of this > list! 
> > > > thanks > > > > dan > > --------------------------------- > > Daniel Walsh > > University of Washington > > Engineering Alumni Assoc. > > -Webslave > > karsus@geocities.com > > ---------------------------------- > > I hope > From firewalls-owner Fri Apr 3 07:35:34 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id EAA06222; Fri, 3 Apr 1998 04:38:13 -0800 (PST) Received: from giav05.gia.ch (giav05.gia.ch [193.222.224.32]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id EAA06215 for ; Fri, 3 Apr 1998 04:38:04 -0800 (PST) X-Envelope-To: Received: from giav08.gia.ch(193.222.224.16) by giav05.gia.ch via smap (V2.0beta) id xma017767; Fri, 3 Apr 98 14:41:38 +0200 Received: from mmdlt002.m-m.ch ([193.222.225.50]) by giau001.gia.ch (8.8.5/8.8.5) with ESMTP id OAA24370 for ; Fri, 3 Apr 1998 14:41:40 +0200 (MET DST) Received: by MMDLT002 with Internet Mail Service (5.0.1458.49) id ; Fri, 3 Apr 1998 14:41:40 +0200 Message-ID: From: "Berchtold Patrick (GIAPBE)" To: "Firewalls Mailing List (E-Mail)" Subject: RE: [NTSEC] MS Proxy Server as Firewall? Date: Fri, 3 Apr 1998 14:41:37 +0200 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.49) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk See KB article Q160700 for information on how to change the WSP client state without restarting. > Besides, having to reboot when activating/deactivating the winsock proxy > makes it very cumbersome to use on a portable when moving between sites. 
Patrick Berchtold
IT Security Consultant
GIA Grapha Informatik AG
Peyermattstrasse 3
CH-4665 Oftringen
Phone: +41 62 789 71 71
Fax: +41 62 789 71 99
E-Mail: giapbe@gia.ch
WWW: http://www.gia.ch/

From firewalls-owner Fri Apr 3 07:38:55 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA09756; Fri, 3 Apr 1998 05:17:05 -0800 (PST)
Received: from bolero-x.rahul.net (bolero.rahul.net [192.160.13.1]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id FAA09746 for ; Fri, 3 Apr 1998 05:16:56 -0800 (PST)
Received: from waltz.rahul.net by bolero-x.rahul.net with SMTP id AA08821 (5.67b8/IDA-1.5 for ); Fri, 3 Apr 1998 05:21:19 -0800
From: Bennett Todd
Received: by waltz.rahul.net (5.67b8/jive-a2i-1.0) id AA02005; Fri, 3 Apr 1998 05:21:18 -0800
Date: Fri, 3 Apr 1998 05:21:18 -0800
Message-Id: <199804031321.AA02005@waltz.rahul.net>
To: karsus@geocities.com
Cc: firewalls@greatcircle.com
Subject: The One True Firewall (was Re: Circle o' Spam, etc.)
In-Reply-To:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>[...] in the "professional" world, is there a system (DMZ, proxy,
>app.gateway, packet filter) that is recommended as a good, general
>firewall? I know that it depends on the protected network. But, suppose
>a small corp network.

You will find many opinions out there. Opinions are like [...]. But many people think that a pretty good ``one-size-fits-all'' looks like

   inside, protected net <==> screening router <==> bastion w/ proxies <==DMZ==> screening router <==> internet

You place ``public'' servers on that DMZ --- WWW and so on. Either or both of the screening routers can be ``stateful inspection'' packet filters if you like. Bonus points if you can make the inside screening router, the bastion, and the outside screening router use completely and utterly different IP stacks:-).

For a corporate setting, there should be relatively few machines in the DMZ, and they should be exquisitely tightly secured. The vast majority of your clients will be on the inside net, and the proxy on the firewall should be stripping applets.

For something wide open and tolerant like an ISP, the picture looks exactly the same, but the majority of the big iron is out in the DMZ, and it's got most of the users so it's not so well secured --- hence you need to back it up carefully, ring it 'round with alarums (tripwire is cool. NFR is cool too) and expect to deal with intrusions periodically. But the ISP should have their business machines --- the ones that track user payment info, accounts payable, etc. --- on an ``inside'' net that's protected just like any other business.

If I had to do this today, from scratch, I'd make the inside router a suitable-size Cisco. IOS is great. I'd probably make the bastion host either an intel PC or a sparc, running OpenBSD, qmail, and a small handful of proxies from fwtk. Left entirely to my own devices I'd make the outside screening router with Red Hat Linux and ipfw, with packet reassembly enabled (not that the OpenBSD bastion needs any such coddling, but it might be nice if you put a victim in the DMZ). If cost were no object or there were some pressure applied to run a commercial firewall, you can use an FW-1 or a PIX for that outside screening router. Of course if you've got a Big site, perhaps with multiple T3s coming in or better, that outside screening router wants to be something like a pair of hogged-out Cisco 7513s in HSRP.

This whole concept --- a one-size-fits-all firewall architecture --- is predicated on the (controversial) belief that the benefit -vs- risk tradeoffs of various protocols won't end up looking too wildly different from one organization to the next. There are two gross steps in protection level, that more-or-less fit the difference in control between a screening router and an application proxy, and just about any organization will have need of both levels.

Starting with the above Big Picture, most of the work comes in sketching in the details: exactly what protocols will be permitted from where to where. That's where all the negotiation and design comes in.

-Bennett

From firewalls-owner Fri Apr 3 07:42:18 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA11465; Fri, 3 Apr 1998 02:42:56 -0800 (PST)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id OAA12055 for ; Thu, 2 Apr 1998 14:53:55 -0800 (PST)
Received: from mitra.pgt.mpt.gov.br ([200.236.83.1]) by miles.greatcircle.com (8.8.5/8.8.5) with ESMTP id OAA14034 for ; Thu, 2 Apr 1998 14:56:40 -0800 (PST)
Received: from support.pgt.mpt.gov.br (support.pgt.mpt.gov.br [200.236.82.2]) by mitra.pgt.mpt.gov.br (8.8.5/8.8.5) with SMTP id UAA04410; Thu, 2 Apr 1998 20:06:18 -0300 (EST)
Reply-To: "Lucas Cotta"
From: "Lucas Cotta"
To: "Ryan Russell" , ,
Cc:
Subject: Re: How can Cisco2511 support high speed(above 28.8)dailup network with Hayes Modem Pool?
Date: Thu, 2 Apr 1998 20:02:55 -0300
Message-ID: <01bd5e8b$78e9df60$0252ecc8@support.pgt.mpt.gov.br>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.71.1712.3
X-MimeOLE: Produced By Microsoft MimeOLE V4.71.1712.3
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello Colleagues, excuse me for having entered your chat. It is that I have a problem and would like help. I noticed that you speak of connecting to CISCO routers with ACCESS SERVER. Any help will be welcome.

It happens that I have to connect a point A to a point B. At point (A) there is a customer with Unix FreeBSD. At point (A) I use a SLIP connection. I use the following configurations:

In the file sysconfig, which is where the net parameters are:

   ifconfig_sl0="inet 200.130.0.1 200.6.48.2 mtu 576"

In the file netstart, which has the net startup:

   slattach -clh -s 19200 /dev/ttyd0

Everyone knows that this configuration above works. Even so, I have an access server in the CISCO 2511 and I would like this user to come in through a 19200 bps leased line (LP) connected to an Async port. I don't know how to do it. Can you help? I need to configure Interface Async 9 and Line 9 of this ACCESS SERVER. I need help.

thank you very much
LUCAS COTTA

-----Original Message-----
From: Ryan Russell
To: yangxl@cqupt.edu.cn ; yl@cquc.edu.cn
Cc: firewalls-digest@GreatCircle.COM
Date: Thursday, 2 April 1998 16:15
Subject: Re: How can Cisco2511 support high speed(above 28.8)dailup network with Hayes Modem Pool?

>You didn't send the relevant section:
>
>line 1 16
> session-timeout 70
> exec-timeout 0 30
> session-limit 4
> arap enable
> login tacacs
> modem InOut
> transport preferred none
> transport input all
> rxspeed 115200
> txspeed 115200
> flowcontrol hardware
>
>
>You'll likely not want all the options I have in my config (unless
>you want to support ARA.) Also make sure you've got the right
>initialization string in the chat script. Mine is pretty simple:
>
>chat-script cisco-default ABORT ERROR "" "AT Z" OK "ATDT \T" TIMEOUT 30 \c
>CONNECT \c
>
>Cisco has some reasonable tutorials on their web site.
>
> Ryan
>
>
>Yang Xiaolong on 04/01/98 07:13:10 PM
>
>Please respond to yangxl@cqupt.edu.cn; Please respond to yl@cquc.edu.cn
>
>To: firewalls-digest@GreatCircle.COM
>cc: (bcc: Ryan Russell/SYBASE)
>Subject: How can Cisco2511 support high speed(above 28.8)dailup network
> with Hayes Modem Pool?
> > > > >Hi,All, > I have a router Cisco2511(ISO software version 10.2) and Hayes >Modem Pool(V.34+FAX),and it should support high speed dailup,but in fact >it only supports 9600,if the speed is above 9600,the login window will >display some odd codes.My router config is following: > >! >interface Async1 >ip unnumbered Ethernet0 >ip tcp header-compression passive >encapsulation ppp >bandwidth 64 >async dynamic address >async dynamic routing >async mode interactive >! > > > > > > > From firewalls-owner Fri Apr 3 08:35:27 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA13628; Fri, 3 Apr 1998 02:49:53 -0800 (PST) Received: from att.com (kcgw2.att.com [192.128.133.152]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id FAA10967 for ; Thu, 2 Apr 1998 05:58:45 -0800 (PST) Received: by kcgw2.att.com; Thu Apr 2 07:44 CST 1998 Received: from flf960r1.ems.att.com (flf960r1.ems.att.com [135.71.244.37]) by kcig2.att.att.com (AT&T/GW-1.0) with SMTP id IAA07211 for ; Thu, 2 Apr 1998 08:02:52 -0600 (CST) Received: from flf960bh1.ems.att.com by flf960r1.ems.att.com (SMI-8.6/EMS-1.2 sol2) id JAA29122; Thu, 2 Apr 1998 09:00:43 -0500 Received: by flf960bh1.ems.att.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52) id <01BD5E16.193B9AB0@flf960bh1.ems.att.com>; Thu, 2 Apr 1998 09:02:44 -0500 Message-ID: From: "Fenaughty, Kevin M, SITS" To: "'Firewalls'" Subject: RE: Spam! Date: Thu, 2 Apr 1998 09:03:45 -0500 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Well I feel better now .... I was beginning to think it was just me. The SPAM from the "model" was DEFINITELY unwanted. Can we stop this or is it just an annoyance we must tolerate on a list such as this ? 
Kevin Fenaughty
AT&T Solutions

>-----Original Message-----
>From: Michael Batchelor [SMTP:Michael_Batchelor@citysearch.com]
>Sent: Wednesday, April 01, 1998 8:08 PM
>To: Firewalls
>Subject: RE: Spam!
>
>I must echo Daniel's complaint. I have also received 2-3 spams per day
>for the last couple of days from an account at AOL telling me "HI I want
>to meet you I'm a model...". They all were forwarded via the firewalls
>mailing list. You'd think the firewalls list would have some spam
>protection... :) Or at least refuse to forward messages to the list
>that come from non-subscribers. I presume this person spams mailing
>lists, and lets the list manager do the leg work getting it to multiple
>recipients. Not good.
>
>>Received: from relay2.UU.NET by pascamail-2.pmi with SMTP (Microsoft
>>Exchange Internet Mail Service Version 5.0.1458.49)
>> id H0S7H3YY; Wed, 1 Apr 1998 09:37:27 -0800
>>Received: from honor.greatcircle.com by relay2.UU.NET with ESMTP
>> (peer crosschecked as: honor.greatcircle.com [198.102.244.44])
>> id QQejgg27335; Wed, 1 Apr 1998 12:37:21 -0500 (EST)
>>Received: (majordom@localhost) by honor.greatcircle.com
>>(8.8.5/Honor-Lists-970926-1) id SAA15463; Tue, 31 Mar 1998 18:46:55
>>-0800 (PST)
>>Received: from miles.greatcircle.com (miles.greatcircle.com
>>[198.102.244.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with
>>ESMTP id UAA10358 for ; Mon, 30 Mar 1998
>>20:07:54 -0800 (PST)
>>Received: from imo20.mx.aol.com (imo20.mx.aol.com [198.81.17.42])
>> by miles.greatcircle.com (8.8.5/8.8.5) with ESMTP id UAA07319
>> for ; Mon, 30 Mar 1998 20:10:11 -0800 (PST)
>>Received: from BUTCHER56@aol.com
>> by imo20.mx.aol.com (IMOv13.ems) id 9MZKa04942;
>> Mon, 30 Mar 1998 22:38:44 -0500 (EST)
>>From: BUTCHER56
>>Message-ID: <2bcaadbe.35206546@aol.com>
>>Date: Mon, 30 Mar 1998 22:38:44 EST
>>Mime-Version: 1.0
>>Subject: Hi I want to meet you im a model!
>>Content-type: multipart/mixed;
>> boundary="part0_891315524_boundary"
>>X-Mailer: AOL 2.5 for Windows sub 2
>>Sender: firewalls-owner@GreatCircle.COM
>>Precedence: bulk
>>To: undisclosed-recipients:;
>
>> -----Original Message-----
>> From: Daniel Walsh [SMTP:karsus@geocities.com]
>> Sent: Wednesday, April 01, 1998 11:03 AM
>> To: Firewalls
>> Subject: Spam!
>>
>> I'll make this short, and I know this has nothing to do with
>> firewalls, but. . .
>> SPAM! How do I deal with the "unidentified recipients?" And more
>> importantly, I have received several e-mails from an AOL account, that
>> returns an unidentified user response when I tried to get off the
>> list.
>> Help? Maybe a direction to send me in?
>>
>> and more on the subject: I want to thank you guys for the topics. My
>> presentation for my LAN class went much smoother because of this list!
>>
>> thanks
>>
>> dan
>> ---------------------------------
>> Daniel Walsh
>> University of Washington
>> Engineering Alumni Assoc.
>> -Webslave
>> karsus@geocities.com
>> ----------------------------------

From firewalls-owner Fri Apr 3 08:55:23 1998
From: trall@almaden.ibm.com
To: hzhang1@ucla.edu
cc: firewalls-digest@GreatCircle.COM
Message-ID: <882565DA.00774929.00@mailgw1.almaden.ibm.com>
Date: Thu, 2 Apr 1998 13:56:28 -0800
Subject: Re: Cisco Router Config

>2 points to consider:
>1) You are using subnet zero
>2) The router will not
>let you config two access groups per interface.
>
>> interface ethernet0
>> ip address 192.168.0.1 255.255.255.0
>> ip access-group 101 in
>> ip access-group 111 in
>>
>> interface serial0
>> ip address 192.168.1.1 255.255.255.0
>> ip access-group 101 in
>> ip access-group 111

Using subnet zero isn't such a bad thing, but they aren't even doing
that. There is no subnetting at all on these interfaces. (If subnet 0
were actually being used, you should include "ip subnet-zero".)

You can have (and normally do have) 2 access groups per interface, but
one must be "in" and the other "out". Both of the interfaces shown fail
in that respect.

Tony Rall


Randy Zhang on 04/01/98 09:39:45 AM
Please respond to hzhang1@ucla.edu
To: BrianM@dial.pipex.com
cc: firewalls-digest@GreatCircle.COM
Subject: Re: Cisco Router Config

Have you tested your config? Because I do not think it will work.
2 points to consider:
1) You are using subnet zero
2) The router will not let you config two access groups per interface.

Randy

BrianM@dial.pipex.com wrote:
> Hi All (Again)
> Enclosed please find a sample (fictitious) router config,
> assuming the following situation: eth0: connection to firewall,
> ser0: leased line to internet, 192.168.0.2 is firewall, 192.168.0.3 and
> .4 are management stations. Should this config prevent DoS attacks, IP
> spoofing, and be generally secure? I know that there is no routing
> etc etc (I just did this in notepad!!)
>
> Thanks
>
> Brian Murphy
> -----------------------------------------------------------------------
>
> no service tcp-small-servers
> no service udp-small-servers
> no ip bootp server
> no service finger
> service timestamps debug datetime msec
> service timestamps log datetime msec
> service password-encryption
>
> enable password enable
>
> username manager password 7 letmein
>
> snmp-server community public RO 1
> snmp-server community private RW 1
> no snmp-server trap-authentication
>
> interface ethernet0
> ip address 192.168.0.1 255.255.255.0
> ip access-group 101 in
> ip access-group 111 in
>
> interface serial0
> ip address 192.168.1.1 255.255.255.0
> ip access-group 101 in
> ip access-group 111
>
> access-list 1 permit 192.168.0.2
> access-list 1 permit 192.168.0.3
> access-list 1 permit 192.168.0.4
>
> access-list 12 permit 192.168.0.2 255.255.255.255
> access-list 12 permit 192.168.0.3 255.255.255.255
> access-list 12 permit 192.168.0.4 255.255.255.255
> access-list 12 deny ip any any log
>
> access-list 51 deny 0.0.0.0 255.255.255.255
>
> access-list 101 deny tcp 192.168.0.1 0.0.0.0 192.168.0.1 0.0.0.0 log
> access-list 101 deny tcp 192.168.1.1 0.0.0.0 192.168.1.1 0.0.0.0 log
> access-list 101 deny tcp any any any any eq 53
> access-list 101 deny udp any any any any eq 69
> access-list 101 deny tcp any any any any eq 87
> access-list 101 deny tcp any any any any eq 111
> access-list 101 deny udp any any any any eq 111
> access-list 101 deny udp any any any any eq 2049
> access-list 101 deny tcp any any any any eq 512
> access-list 101 deny tcp any any any any eq 513
> access-list 101 deny tcp any any any any eq 514
> access-list 101 deny tcp any any any any eq 515
> access-list 101 deny tcp any any any any eq 540
> access-list 101 deny tcp any any any any eq 2000
> access-list 101 deny udp any any any any eq 2000
> access-list 101 deny tcp any any any any eq 2001
> access-list 101 deny udp any any any any eq 2001
> access-list 101 deny tcp any any any any eq 6000
> access-list 101 deny udp any any any any eq 6000
> access-list 101 deny tcp any any any any eq 6001
> access-list 101 deny udp any any any any eq 6001
> access-list 101 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0
> 255.255.255.255 established
> access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0
> 255.255.255.255
>
> access-list 111 deny ip 192.168.0.0 0.0.0.255 0.0.0.0 255.255.255.255
> log
> access-list 111 deny ip 192.168.1.0 0.0.0.255 0.0.0.0 255.255.255.255
> log
> access-list 111 permit ip 192.168.0.0 0.0.2.255 any
> access-list 111 deny ip any any log
>
> line console 0
> login
> password hello
> exec-timeout 1 30
>
> line aux 0
> access-class 51 in
>
> line vty 0 4
> access-class 12 in
> login
> password hello

From firewalls-owner Fri Apr 3 09:09:56 1998
Message-ID: <352375FD.EB4185E8@sover.net>
Date: Thu, 02 Apr 1998 06:26:53 -0500
From: Chris Brenton
Reply-To: cbrenton@sover.net
To: JonnyBoy85
CC: Firewalls@GreatCircle.COM
Subject: Re: T1 question (verbose reply)
References: <5fa01b9b.3522baf1@aol.com>
JonnyBoy85 wrote:
> Hi all,
> thanks for the help and advice from my last post..
>
> Maybe you can help me with another query. Can anybody explain about T1, T2,
> and T3 lines, they're like ISDN I think.

They're sort of alike if you look at one of them in a mirror while
hanging upside down. ;)

A T1 is a full duplex signal over two pair wire cabling. This wire pair
terminates in a receptacle that resembles the square phone jacks used in
older homes. T1s are used for dedicated point to point connections the
same as leased lines. Bandwidth on a T1 is available in increments from
64 Kb/s up to 1.544 Mb/s.

T1s use time division to break the two wire pairs up into 24 separate
channels. Time division is the allotment of available bandwidth based on
time increments. In the case of a T1 circuit, each "channel" is allowed
to transmit for 5.2 microseconds (ms). This is the amount of time a T1
requires to transmit 8 bits (or 1 byte) of information. At the end of
5.2 ms the channel must stop transmitting and relinquish control of the
circuit to the next channel. If the channel has additional information
to transmit it must wait 119.8 ms. This is the amount of time it would
take to cycle through the other 23 channels so that it is again that
channel's turn to transmit.

To determine the available bandwidth on each channel we must first
determine the "sample rate". The sample rate is the number of times each
channel is allowed to transmit in a 1 second period of time. Since each
channel is allowed to transmit for 5.2 ms before releasing control to
the next channel we have:

1 (second) / .0000052 (transmit time per channel) = 192,398 transmissions per second

This is the total number of transmissions possible in a one second
period of time along a T1 line. These 192,398 transmissions are then
broken up equally over the 24 channels:

192,398 (transmissions) / 24 (the number of channels) = 8,000

In other words, each of those 24 channels is allowed to transmit 8,000
times per second. This is our "sample rate" or the number of times per
second that each channel is sampled or checked to see if it needs to
transmit data. To determine the available bandwidth per channel we
multiply the sample rate by the amount of data we can transmit each
sample period or:

8 bits X 8000 samples per second = 64 Kb/s

So the short answer to all this number crunching is that each of the 24
channels on a T1 line is capable of moving 64 Kb worth of data per
second. So with 24 active channels the full bandwidth available on a T1
would be:

64 Kb/s X 24 = 1.536 Mb/s

Note that there is 8 Kb/s unaccounted for from the 1.544 Mb/s bandwidth
stated in the first paragraph (1544 Kb/s - 1536 Kb/s = 8 Kb/s). This 8
Kb/s is overhead which goes towards managing the connections. So while a
T1 is able to move 1.544 Mb of information per second, only 1.536 Mb
can be actual data. While the discrepancy is minor, it is important to
note where it is coming from.

The nice thing about this setup is that an exchange carrier will lease
you individual channels of this T1, referred to as a "fractional T1",
based on your bandwidth requirements. If you only need 512 Kb/s then you
only need to lease 8 channels. In the long term, this can save a
considerable amount of money over leasing a full T1. This can be an
ideal solution for a company that only needs 64 or 128 Kb/s now but may
want to upgrade to a larger pipe later. By initially connecting via a
fractional T1 you will not need to rewire, simply turn on additional
channels.

These 24 channels can also be broken up and dedicated to different
services, i.e., 3 channels can be dedicated to data with 1 channel being
dedicated to voice. In this way a single connection can provide
connectivity for multiple services.

> I have tried everywhere to find out about them, and was starting to think that
> there was no such thing as a T3, but I found out again today that there is.

Yup, they're just not as common. A T3 is a bundle of 30 T1's. Total
potential bandwidth is around 45 Mb.

Hope this helps,
Chris

--
**************************************
cbrenton@sover.net
Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ISBN=0782120822/0740-8883012-887529
Support the anti-spam movement: http://www.cauce.org/

From firewalls-owner Fri Apr 3 10:11:57 1998
Date: Fri, 3 Apr 1998 15:21:04 +0900
From: 181855d6 <181855d6@msn.com>
Reply-To: 181855d6@msn.com
Subject: and

EMAIL MARKETING WORKS!!

Bull's Eye Gold is the PREMIER email address collection tool. This
program allows you to develop TARGETED lists of email addresses.
Doctors, florists, MLM, biz opp,...you can collect anything...you are
only limited by your imagination! You can even collect email addresses
for specific states, cities, and even countries! All you need is your
web browser and this program. Our software utilizes the latest in search
technology called "spidering". By simply feeding the spider program a
starting website it will collect for hours. The spider will go from
website to targeted website providing you with thousands upon thousands
of fresh TARGETED email addresses.

When you are done collecting, the spider removes duplicates and saves
the email list in a ready to send format. No longer is it necessary to
send millions of ads to get a handful of responses...SEND LESS...EARN
MORE!!!

A terrific aspect of the Bull's Eye software is that there is no
difficult set up involved and no special technical mumbo-jumbo to learn.
All you need to know is how to search for your targeted market in one of
the many search engines and let the spider do the rest! Not familiar
with the search engines? No problem, we provide you with a list of all
the top search engines. Just surf to the location of a search engine on
your browser then search for the market you wish to reach...it's that
easy!

For instance if you were looking for email addresses of Doctors in New
York all you would do is:

1) Do a search using your favorite search engine by typing in the words
   doctor(s) and New York
2) Copy the URL (one or more)...that's the stuff after the http://...
   for instance it might look like http://www.yahoo.com/?doctor(s)/?New+York
3) Press the START button

THAT's IT!!! The Bull's Eye spider will go to all the websites that are
linked, automatically extracting the email addresses you want. The
spider is passive too! That means you can let it run all day or all
night while you are working on important things or just having fun on
your computer. There is no need to keep a constant watch on it, just
feed it your target market and give it praise when it delivers thousands
of email addresses at the end of the day!

Features of the Bull's Eye Software:

* Does TARGETED searches of websites collecting the email addresses you want!
* Collects Email addresses by City, State, even specific Countries
* Runs Automatically...simply enter the Starting information, press The
  Start Button, and it does the rest
* Filters out duplicates
* Keeps track of URLs already visited
* Can run 24 hours per day, 7 days per week
* Fast and Easy List Management
* Also has built in filtering options...you can put in words that it
  "Must" have while searching,...you can even put in criteria that it
  "Must NOT Have"...giving you added flexibility
* Also imports email addresses from any kind of files (text files,
  binary files, database files)
* List editor handles Multiple files to work on many lists simultaneously
* Has a Black-Book feature... avoid sending emails to people who do not
  want to receive it
* Built-in Mail program...send email directly on the internet with just
  a click of your mouse
* Personalized Emails...if the email address has the user's name when it
  is collected,..you can send Personalized emails!!!
* Sort by Location, Server, User Name, Contact Name
* Advanced Operations:
  · Email address lists export in many different formats (HTML, Comma
    delimited, text file)
  · Advanced editing...Transfer, Copy, Addition, Delete, Crop, Move to
    Top/Bottom
  · Operations between lists...Union, Subtraction, Comparison
* Program is Passive,...meaning you can run other programs at the same time

CALL FOR MORE INFORMATION 213-980-7850

ORDERING INFORMATION

Customer Name
Company Name
Address
City
State
Zip
Phone
Fax
Email Address

______ BULL'S EYE SOFTWARE $259.00
       Includes Software, Instructions, Technical Support
______ Shipping & Handling (2-3 Day Fedex) $10.00
                           (Fedex Overnite) $20.00
______ TOTAL (CA Residents add applicable sales tax)

*All orders are for Win 95 and Win NT

*****CREDIT CARDS ACCEPTED*****
MASTERCARD VISA AMEX
PLEASE CALL 213-980-7850 to process your order 9am-5pm Pacific Time

Checks or Money Orders send to:
WorldTouch Network Inc.
5670 Wilshire Blvd. Suite 2170
Los Angeles, CA 90036

Please note: Allow 5 business days for all checks to clear before order
is shipped.
From firewalls-owner Fri Apr 3 10:13:19 1998
Date: Thu, 2 Apr 1998 09:29:26 -0500 (EST)
From: Patrick Darden
To: "Vinod Valloppillil (Exchange)"
cc: firewalls@GreatCircle.COM
Subject: Re: great circle spam relay

Tons and tons and tons and tons.

-Patrick Darden
--
darden@negia.net
System Administrator
(706) 546-5787
NE Georgia Internet Access

On Wed, 1 Apr 1998, Vinod Valloppillil (Exchange) wrote:

> is it just me or is anyone else getting a ton of spam relayed by
> greatcircle.com?
From firewalls-owner Fri Apr 3 10:13:22 1998
Message-Id: <3.0.5.32.19980403134815.007c4dc0@mail.atnet.at>
Date: Fri, 03 Apr 1998 13:48:15 +0200
To: firewalls@GreatCircle.COM
From: Harti
Subject: Windows 95 Access over UNIX-Firewall?

We use Windows 95 PCs and the TAS-Server (it's like SAMBA but easier and
much more expensive :-) from Syntax.
We have now a second network and the PCs should have a connection to the
TAS server. Our UNIX SUN SOLARIS Firewall-1 would allow the access, but the
names of the servers are searched via broadcasting and broadcasting is
stopped by the firewall.
Is there a possibility to tell the IP addresses of the netbios servers to
the WIN95 clients?
Or is it possible to tell the firewall to route the broadcasts (and make a
10.0.2.255 from the 10.0.2.x net to a 10.1.0.255 for the 10.1.0.x net?)

Many thanks
Harti
________________________________________________________________
Your mails are being watched.
So don't use the words: Police kills drugs or you get points on their files!
From firewalls-owner Fri Apr 3 10:13:26 1998
Message-Id: <199804031511.PAA250642@out2.ibm.net>
Date: Fri, 03 Apr 1998 10:14:22 -0500
To: firewalls@greatcircle.com
From: "steplogic@geocities.com"
Subject: the spam wars

At least with AOL spammers you can retaliate. Do what I've been doing:
forward their message to postmaster@aol.com with a note to the postmaster
that this is unwelcome spam.

Just my two cents.

----------------------------------------------------
my home page is http://www.geocities.com/ResearchTriangle/Lab/6749/
The fastest way to respond to this message is through the ICQ Network. A
message sent this way will go directly to my screen.
If you have ICQ you can message me to ICQ#: 9249485
If you don't have ICQ you can page me through:
* My Personal Communication Center: http://wwp.mirabilis.com/9249485
  (go there and try it!)
* Or you can send me a regular e-mail to my EmailExpress address:
  9249485@pager.mirabilis.com
Download ICQ at http://www.icq.com/
Include your ICQ details in YOUR e-mail signature:
http://www.icq.com/emailsig.html
----------------------------------------------------

From firewalls-owner Fri Apr 3 11:52:40 1998
Message-Id: <199804031905.NAA00559@kproducts.kproducts.com>
Date: Fri, 03 Apr 1998 13:07:03 -0600
To: Harti
From: Troy Hanson
Subject: Re: Windows 95 Access over UNIX-Firewall?
Cc: firewalls@GreatCircle.COM
In-Reply-To: <3.0.5.32.19980403134815.007c4dc0@mail.atnet.at>

Does your package (TAS) support the WINS Server capabilities (a la NT)?
If so, all you need to do is set up the WINS service. It is extremely
simple to set up in samba and NT; most of the work is done by the
clients telling the WINS server they are 'up', so all you have to do is
enable the WINS server to listen and keep track. You also get the
advantage of cutting down on broadcast traffic. I am unaware of any
other way to browse across subnets. I know SAMBA supports WINS, both as
a server, and as a wins proxy.
One gotcha: In Win95, under the WINS Server entry, if you only have one
WINS server you need to enter it as both primary and secondary,
otherwise sometimes Win95 'forgets' it and blanks it out on reboot.

Hope this helps,

troy

At 01:48 PM 4/3/98 +0200, you wrote:
>We use Windows 95 PCs and the TAS-Server (it's like SAMBA but easier and
>much more expensive :-) from Syntax.
>We have now a second network and the PCs should have a connection to the
>TAS server. Our UNIX SUN SOLARIS Firewall-1 would allow the access, but the
>names of the servers are searched via broadcasting and broadcasting is
>stopped by the firewall.
>Is there a possibility to tell the IP addresses of the netbios servers to
>the WIN95 clients?
>Or is it possible to tell the firewall to route the broadcasts (and make a
>10.0.2.255 from the 10.0.2.x net to a 10.1.0.255 for the 10.1.0.x net?)
>
>Many thanks
>Harti
>________________________________________________________________
>Your mails are being watched.
>So don't use the words: Police kills drugs or you get points on their files!
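An added example for the Harti/Troy exchange above (not code from either message): it shows what the name lookup looks like on the wire, the same NetBIOS name query for the server either broadcast to x.x.x.255 (which the firewall rightly stops) or sent unicast to a WINS server (ordinary routable UDP/137 that a firewall can permit to one host), plus the positive response a WINS server returns. The server name TASSRV and the host addresses are constructed for the example.

```python
"""NetBIOS Name Service (NBNS, UDP/137): broadcast versus WINS lookups.

Added example, not code from the firewalls list thread. Builds and parses
NAME QUERY requests and POSITIVE NAME QUERY responses so the difference a
firewall sees between a B-node broadcast and a directed WINS query is
explicit. Names and addresses below are constructed.
"""
import socket
import struct

NBNS_PORT = 137

# Header flag bits (RFC 1002 section 4.2.1.1).
FLAG_RESPONSE = 0x8000            # R: packet is a response
FLAG_AUTHORITATIVE = 0x0400       # AA
FLAG_RECURSION_DESIRED = 0x0100   # RD: set by Windows clients on every query
FLAG_BROADCAST = 0x0010           # B: the query was broadcast (B-node style)

RR_TYPE_NB = 0x0020
RR_CLASS_IN = 0x0001
NB_FLAGS_UNIQUE_PNODE = 0x2000    # G=0 (unique name), ONT=01 (P-node, i.e. WINS)


def encode_netbios_name(name, suffix=0x20):
    """First-level encoding: pad the name to 15 bytes, append the suffix byte
    (0x20 = file server service), then write each byte as two letters,
    'A' + high nibble and 'A' + low nibble."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    encoded = bytearray()
    for byte in raw:
        encoded.append(0x41 + (byte >> 4))
        encoded.append(0x41 + (byte & 0x0F))
    return b"\x20" + bytes(encoded) + b"\x00"   # length 32, label, root label


def decode_netbios_name(label):
    """Inverse of encode_netbios_name; returns (name, suffix)."""
    if len(label) < 34 or label[0] != 32 or label[33] != 0:
        raise ValueError("not a first-level encoded NetBIOS name")
    if any(c < 0x41 or c > 0x50 for c in label[1:33]):
        raise ValueError("encoded name contains characters outside A-P")
    raw = bytes((((label[i] - 0x41) << 4) | (label[i + 1] - 0x41))
                for i in range(1, 33, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]


def build_name_query(txid, name, broadcast):
    """NAME QUERY REQUEST. broadcast=True is what a B-node client sends to the
    subnet broadcast address; False is the unicast query to a WINS server."""
    flags = FLAG_RECURSION_DESIRED | (FLAG_BROADCAST if broadcast else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_netbios_name(name) + struct.pack("!HH", RR_TYPE_NB, RR_CLASS_IN)


def build_positive_response(txid, name, addresses, ttl=300000):
    """POSITIVE NAME QUERY RESPONSE as a WINS server returns it: one NB record
    whose RDATA is a list of (NB_FLAGS, IPv4 address) pairs."""
    rdata = b"".join(struct.pack("!H4s", NB_FLAGS_UNIQUE_PNODE, socket.inet_aton(ip))
                     for ip in addresses)
    flags = FLAG_RESPONSE | FLAG_AUTHORITATIVE | FLAG_RECURSION_DESIRED
    header = struct.pack("!HHHHHH", txid, flags, 0, 1, 0, 0)
    record = encode_netbios_name(name) + struct.pack("!HHIH", RR_TYPE_NB, RR_CLASS_IN,
                                                      ttl, len(rdata))
    return header + record + rdata


def parse_nbns(packet):
    """Parse a query or positive response into a dict. 'broadcast' is what a
    filter would key on: a subnet broadcast versus a directed WINS lookup."""
    if len(packet) < 50:
        raise ValueError("truncated NBNS packet")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    name, suffix = decode_netbios_name(packet[12:46])
    info = {"txid": txid, "name": name, "suffix": suffix,
            "response": bool(flags & FLAG_RESPONSE),
            "broadcast": bool(flags & FLAG_BROADCAST), "addresses": []}
    if info["response"] and ancount:
        if len(packet) < 56:
            raise ValueError("truncated NB resource record")
        rr_type, rr_class, _ttl, rdlength = struct.unpack("!HHIH", packet[46:56])
        rdata = packet[56:56 + rdlength]
        if (rr_type != RR_TYPE_NB or rr_class != RR_CLASS_IN
                or len(rdata) != rdlength or rdlength % 6):
            raise ValueError("malformed NB resource record")
        for off in range(0, rdlength, 6):
            _nb_flags, addr = struct.unpack("!H4s", rdata[off:off + 6])
            info["addresses"].append(socket.inet_ntoa(addr))
    return info


if __name__ == "__main__":
    # Constructed scenario: a client on the 10.0.2.x net looks up the TAS
    # server "TASSRV" (name constructed) that lives on the 10.1.0.x net.
    broadcast_q = build_name_query(0x1234, "TASSRV", broadcast=True)
    wins_q = build_name_query(0x1234, "TASSRV", broadcast=False)
    print("broadcast query, B bit set:", parse_nbns(broadcast_q)["broadcast"])
    print("WINS query, B bit set:     ", parse_nbns(wins_q)["broadcast"])
    reply = build_positive_response(0x1234, "TASSRV", ["10.1.0.5"])  # constructed
    print("WINS answer:", parse_nbns(reply))
```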
From firewalls-owner Fri Apr 3 11:56:30 1998
From: dmcewen@nsf.gov
Date: Fri, 03 Apr 98 09:53:18 EST
Message-Id: <9803038916.AA891626021@yrelay.nsf.gov>
To: firewalls@GreatCircle.COM, Roy Stevens
Subject: Re: SSH Questions

SSH provides security via encryption, so it makes it much harder to
snoop your data including userid and password. However, if someone is
able to compromise your userid/password, then you have made the firewall
a joke because it is so easy to tunnel other protocols via ssh. I'd
suggest that inbound ssh only be done with strong auth such as SecurID.

______________________________ Reply Separator _________________________________
Subject: SSH Questions
Author: Roy Stevens at NOTE
Date: 4/3/98 9:43 AM

I have started research into running ssh across the INTERNET. My
preliminary research has shown much promise. I would appreciate any
feedback on this. I am particularly interested in firewall issues, i.e.
proxy or IP forwarding problems.

Thanks for any correspondence.
TOBOR

From firewalls-owner Fri Apr 3 12:07:14 1998
Message-Id: <3.0.5.32.19980403161750.00967e40@brussels.cisco.com>
Date: Fri, 03 Apr 1998 16:17:50 +0200
To: raf@ezunx.com, firewalls@GreatCircle.COM
From: Eric Vyncke
Subject: Re: gre and cisco
In-Reply-To: <35237A8E.EC7AE794@ezunx.com>

At 06:46 2/04/98 -0500, raf@ezunx.com wrote:
>What are the IOS version requirements for passing PPTP through a cisco box
>and does anyone know of a good place to get some setup examples?

Passing PPTP is quite simple, the extended ACL should permit:
- IP protocol 47 (= GRE)
- TCP port 1723 (= control port)

E.g.:
access-list 101 permit tcp xxx yyy eq 1723
access-list 101 permit 47 xxx yyy

And extended ACLs are fairly old in IOS (these are the ACLs with source and
destination address), so your router probably supports them.

Now, beware that you just opened a possibly wide security hole: the IOS
router cannot check INSIDE the PPTP connection for IP-spoofing or any
other attack.

Best regards

-eric

>
>thanks
>

Eric Vyncke
Technical Consultant
Cisco Systems Belgium SA/NV
Phone: +32-2-778.4677
Fax: +32-2-778.4300
E-mail: evyncke@cisco.com
Mobile: +32-75-312.458

From firewalls-owner Fri Apr 3 13:08:09 1998
To: Charles Getty
Cc: "'Brett Mayer'" , "Firewalls (E-mail)"
Subject: Re: cable modem security
References: <2110E4FFF059D011966000A024DAB8E709369B@NS1.netvisioninc.com>
From: "Craig I. Hagan"
Date: 02 Apr 1998 18:14:01 -0500
In-Reply-To: Charles Getty's message of "Mon, 30 Mar 1998 20:48:00 -0500"

Charles Getty writes:

> That assumes you can put the "cable modem" into a promiscuous mode....
> The cable modem is essentially a transparent bridge... Does anyone know
> of other devices that allow you to access the cable medium? Is there a
> online copy of this article in 2600?

the lancity NCP box that i've got via mediaone is a smart bridge: i only
see packets directed towards my mac or the broadcast. HOWEVER, one can
easily snarf someone else's packets with a few send_arp games (make them
think that the upstream router has a mac addr of FF:FF:FF:FF:FF:FF).
This will give you at least a few minutes of sniffing until you need to
"refresh" their cache.
-- craig ------------------------------------------------------------------------------- Craig I. Hagan "It's a small world, but I wouldn't want to back it up" hagan(at)cih.com "True hackers don't die, their ttl expires" "It takes a village to raise an idiot, but an idiot can raze a village" Stop the spread of spam, use a sendmail condom! http://www.cih.com/~hagan/smtpd-hacks In Bandwidth we trust From firewalls-owner Fri Apr 3 13:13:07 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA09911; Fri, 3 Apr 1998 02:32:10 -0800 (PST) Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id DAA02913 for ; Thu, 2 Apr 1998 03:12:12 -0800 (PST) Received: from pike.sover.net (pike.sover.net [204.71.16.17]) by miles.greatcircle.com (8.8.5/8.8.5) with ESMTP id DAA23510 for ; Thu, 2 Apr 1998 03:15:00 -0800 (PST) Received: from sover.net (usr0a35.rut.sover.net [206.25.64.135]) by pike.sover.net (8.8.5/8.8.5) with ESMTP id GAA16187; Thu, 2 Apr 1998 06:16:13 -0500 (EST) Message-ID: <35237398.16FA66C8@sover.net> Date: Thu, 02 Apr 1998 06:16:40 -0500 From: Chris Brenton Reply-To: cbrenton@sover.net X-Mailer: Mozilla 4.03 [en] (Win95; I) MIME-Version: 1.0 To: klinec@mapcoinc.com, firewalls@greatcircle.com Subject: Re: Bordermanager as firewall? References: <062565D9.007DACD7.00@mercury.mapcoinc.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk klinec@mapcoinc.com wrote: > Does anyone have any first-hand experience with Novell's Bordermanager as a > firewall? > I tended to equate that product with MS Proxy Server. That's a pretty accurate description. There is a proxy for HTTP (which provides cacheing) but pretty much everything else is done via static or dynamic packet filtering. 
About the biggest difference between the two is that BM supports static NAT so you can reach private address internal systems, while MSP2 does not. The rest of the features are pretty close. I hear that BM 1.5 has some new features but it has not yet been released.

I agree. Kind of a weird suggestion. I've suggested and deployed BM for NetWare only shops but in mixed environments, I tend to stay away from it. If you are a heavy NDS shop BM can be a good thing, otherwise it may seem like it is more work than it's worth.

> We have a 400-desktop enterprise with eight Frame-Relay connected remote
> sites, and are looking for a firewall solution for the entire enterprise.
> In addition, we are in a rapid growth mode, and predict doubling in size
> both in number of desktops and number of WAN-connected sites by year-end.

BM would handle the speed issues, the security is a judgement concern. Personally, I would look for a Unix based solution.

Cheers,
Chris
-- 
**************************************
cbrenton@sover.net
Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ISBN=0782120822/0740-8883012-887529
Support the anti-spam movement: http://www.cauce.org/

From firewalls-owner Fri Apr 3 13:23:22 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA26554; Fri, 3 Apr 1998 13:03:44 -0800 (PST)
Received: from gateway.hannaford.com (gateway.hannaford.com [198.190.28.2]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id KAA18107 for ; Fri, 3 Apr 1998 10:43:44 -0800 (PST)
Received: by gateway.hannaford.com (950413.SGI.8.6.12/940406.SGI.AUTO) for id NAA15928; Fri, 3 Apr 1998 13:46:49 -0500
Received: from lms.hannaford.com(198.190.25.5) by gateway via smap (3.2) id xma015917; Fri, 3 Apr 98 13:46:42 -0500
Received: by LMS0200.HANNAFORD.COM (Soft-Switch LMS 2.1.0.0) with snapi via NOTES id 0002000001562997; Fri, 3 Apr 1998 13:44:10 -0500
From: "Punsky, Bill"
To: Internet
Subject: Security Scanners
Message-ID: <0002000001562997000002L072*@MHS>
Date: Fri, 3 Apr 1998 13:44:10 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi all,

What are the functional differences between SATAN and Ballista (i.e., what vulnerabilities does Ballista check for that SATAN doesn't)?

Thanks.

From firewalls-owner Fri Apr 3 14:49:57 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA25005; Fri, 3 Apr 1998 12:56:23 -0800 (PST)
Received: from pse02.pios.com ([199.33.129.3]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id MAA24948 for ; Fri, 3 Apr 1998 12:56:07 -0800 (PST)
Received: by pse02.pios.com; (5.65v3.2/1.3/10May95) id AA17251; Fri, 3 Apr 1998 16:00:36 -0500
Date: Fri, 03 Apr 1998 16:00:32 -0500
From: "Stout, William"
Subject: Unwanted data appears inside firewalled network
To: "'Firewalls@GreatCircle.COM'"
Message-Id:
Mime-Version: 1.0
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Unwanted data continues to infiltrate our protected network via SMTP, HTTP, NNTP, floppy disks, RAS connections, and VPNs. We have a strong firewall. What gives?

Firewalls based on the OSI layers don't work. We need AI/fuzzy logic (OSI layer 8 = intelligence?).

Say a cracker builds a network attack at OSI layer three. You build a perimeter wall up to layer three, called a packet filter, to keep his traffic out of your domain. The cracker builds an application attack. You raise your perimeter wall to layer seven with a proxy. The cracker builds onto that application (viruses, SPAM, etc). The cracker is looking over your wall again. Now what? We ran out of OSI layers to build our wall. We're mentally confined to this completely artificial layer model.
Crackers aren't.

We could build an AI system on the perimeter wall to add intelligence on the firewall. Or we could build a network-wide management system (tied into firewalls, virus scanners, & IDS probes) to create a 'ceiling' across the perimeter walls.

Bill Stout
______________________________________________________________________
New Bill Stout early warning (4/3/98): Economic shock wave finally coming from Asia. Distribution chip sales way down (1st qtr '98) in Silicon Valley. Other industries to follow. Stock market will drop. Prepare your finances. See:
http://www.intel.com/pressroom/archive/releases/CN30498b.HTM
http://www.amd.com/news/corppr/9802.html
http://www.national.com/news/1998/9803/q3fy98.html

From firewalls-owner Fri Apr 3 14:59:13 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA14976; Fri, 3 Apr 1998 14:31:12 -0800 (PST)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id OAA14639 for ; Fri, 3 Apr 1998 14:29:47 -0800 (PST)
Received: from engine3-dc.wdc.cwi.net (engine3-dc.wdc.cwi.net [205.136.1.212]) by miles.greatcircle.com (8.8.5/8.8.5) with ESMTP id OAA06528 for ; Fri, 3 Apr 1998 14:23:09 -0800 (PST)
Received: from firewall1.contcirc.com ([206.142.48.2]) by engine3-dc.wdc.cwi.net (Post.Office MTA v3.1.2 release (PO203-101c) ID# 100-36394U2500L250S0) with SMTP id AAA19951; Fri, 3 Apr 1998 17:18:37 -0500
Received: from circuit by firewall1.contcirc.com (5.x/SMI-SVR4) id AA29800; Fri, 3 Apr 1998 15:23:51 -0700
Received: from pxc3sc302.contcirc.com by circuit (4.1/SMI-4.1) id AA24965; Fri, 3 Apr 98 14:23:03 MST
Received: from ccMail by pxc3sc302.contcirc.com (ccMail Link to SMTP R8.00.00) id AA891645850; Fri, 03 Apr 98 15:24:13 -0700
Message-Id: <9804038916.AA891645850@pxc3sc302.contcirc.com>
X-Mailer: ccMail Link to SMTP R8.00.00
Date: Fri, 03 Apr 98 15:22:04 -0700
From: "Danny Johnson"
To: ,
Subject: Re: Firewalls-Digest V7 #146-Auto Answer
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

You gotta be kidding me!

______________________________ Reply Separator _________________________________
Subject: Firewalls-Digest V7 #146-Auto Answer
Author: at INTERNET
Date: 4/2/98 5:42 PM

I am on maternity leave from 04/06/98 till 05/29/98. Please try me later.

Thanks!!!

From firewalls-owner Fri Apr 3 16:09:05 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA09864; Fri, 3 Apr 1998 02:31:06 -0800 (PST)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id GAA11885 for ; Thu, 2 Apr 1998 06:03:02 -0800 (PST)
Received: from hobbes.risq.qc.ca (hobbes.risq.qc.ca [192.26.210.154]) by miles.greatcircle.com (8.8.5/8.8.5) with ESMTP id GAA28237 for ; Thu, 2 Apr 1998 06:05:52 -0800 (PST)
Received: from hobbes.risq.qc.ca (cdupre@localhost) by hobbes.risq.qc.ca (8.8.8/8.8.7) with ESMTP id JAA23253; Thu, 2 Apr 1998 09:07:08 -0500 (EST)
Message-Id: <199804021407.JAA23253@hobbes.risq.qc.ca>
X-Mailer: exmh version 2.0delta 6/3/97
Organization: RISQ - http://www.risq.qc.ca/
From: Christophe Dupre
To: Daniel Walsh
cc: Firewalls
Subject: Re: Spam!
In-reply-to: Your message of "Wed, 01 Apr 1998 11:02:56 PST." <35228F60.14F0AD3D@geocities.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 02 Apr 1998 09:07:08 -0500
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I'll make this short, and I know this has nothing to do with firewalls,
> but. . .
> SPAM! How do I deal with the "unidentified recipients?" And more
> importantly, I have received several e-mails from an AOL account, that
> returns an unidentified user response when I tried to get off the list.
> Help? Maybe a direction to send me in?
In the last few weeks, this mailing list has relayed a fair amount of spam. Anyway, I'm using procmail for pre-filing of my mail, and all the mail from addresses from which I received SPAM are filed in a SPAM folder, which I empty from time to time.

As for protecting a site from SPAM, the basic measure is to disallow mail relaying, except for those domains for which the server is MX. The next step, which is a bit more dangerous, is to implement the RBL (Realtime Blackhole List - see http://maps.vix.com/rbl/ ), which will deny all mail sent from known SPAM relays. We haven't (yet) implemented this measure, we're still thinking through the possible impacts - this could deny non-SPAM mails, also... Think what would happen if AOL was to be added to the RBL. Also, since authentication is not yet used for DNS distribution, someone could possibly poison a secondary DNS...

-- 
Christophe Dupre
Systems analyst, RISQ inc.
1801 McGill College, suite 800 Tel: (514) 840-1235, ext 6971
Montreal, QC CANADA FAX: (514) 840-1244
"We are not free not to be free; we are obliged to be free" - Fernando Savater
#include

From firewalls-owner Fri Apr 3 16:14:26 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA10056; Fri, 3 Apr 1998 02:34:04 -0800 (PST)
Received: from po-external.FCNBD.COM (po-external.FCNBD.COM [147.113.146.4]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id LAA08709 for ; Thu, 2 Apr 1998 11:19:05 -0800 (PST)
Received: from po-internal.FCNBD.COM (internalhost.FCNBD.COM [147.113.104.10]) by po-external.FCNBD.COM (8.8.5/fcnbd/domain/1.5.1) with ESMTP id NAA04665; Thu, 2 Apr 1998 13:23:18 -0600 (CST)
Received: from abacab.cmg.FCNBD.COM (abacab.cmg.FCNBD.COM [147.113.122.227]) by po-internal.FCNBD.COM (8.8.5/fcnbd/internal-domain/1.5) with ESMTP id NAA05865; Thu, 2 Apr 1998 13:23:16 -0600 (CST)
Received: from r9.cmg.fcnbd.com (r9.cmg.FCNBD.COM [147.113.118.125]) by abacab.cmg.FCNBD.COM (8.8.5/fcnbd/server-subdomain/2.4) with ESMTP id NAA16000; Thu, 2 Apr 1998 13:23:15 -0600 (CST)
Received: (from pmarc@localhost) by r9.cmg.fcnbd.com (8.8.7/8.8.7) id NAA00340; Thu, 2 Apr 1998 13:17:31 -0600 (CST)
Message-Id: <199804021917.NAA00340@r9.cmg.fcnbd.com>
MIME-Version: 1.0 (NeXT Mail 4.2mach v148)
Content-Type: text/enriched; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
In-Reply-To: <199804010954.JAA15688@catullus.agw.bt.co.uk>
X-Nextstep-Mailer: Mail 4.2mach (Enhance 2.0b5)
Received: by NeXT.Mailer (1.148)
From: "Paul M. Cardon"
Date: Thu, 2 Apr 98 13:17:29 -0600
To: "Pearce, Danny"
Subject: Re: Intranet security products
cc: Firewalls@GreatCircle.COM
Reply-To: pmarc@cmg.fcnbd.com
References: <199804010954.JAA15688@catullus.agw.bt.co.uk>
X-Warners: Yakko, Wakko & Dot
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

"Pearce, Danny" thus spake unto me:
> http://www.iss.net - RealSecure/Internet Security Scanner(set of)
> http://www.wheelgroup.com - NetRanger/NetSonar
> http://www.nai.com - CyberCop
> http://www.axent.com - NetRecon
>
> Plus a few others that are not so good
>
> Abirnet SessionWall
> NFR Network Flight Recorder (www.nfr.org)

What are your criteria for saying which of these are and aren't good?

Are you considering only the scope of the vulnerability database, which is of somewhat decreased value in the face of packet manipulation attacks mentioned by the SNI paper? Some versions of the above systems are not able to detect attacks that are in their vulnerability database when an attacker is fragmenting traffic or otherwise manipulating traffic.

Are you considering how well the products scale in terms of managing them in a large, heterogeneous, distributed environment?
Some of these are limited in the number of monitors that can be deployed per management console, the range of physical media types and network protocols supported, and the bandwidth that the monitor can keep up with.

Are they extensible by the end user or does the customer have to rely on the vendor to release new attack signatures? I would hate to have a window of time where a known and understood attack can get by because I am waiting for the next product release. I have yet to see a vendor release updates more frequently than once a month. In some environments that window is too large of an exposure.

The worst thing we can do as security professionals is say that a product is good or bad without giving the context in which that judgement is made.

-paul

From firewalls-owner Fri Apr 3 16:20:09 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id QAA03927; Fri, 3 Apr 1998 16:06:49 -0800 (PST)
Received: from gatekeeper.nytimes.com (gatekeeper.nytimes.com [199.181.175.201]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id QAA03857 for ; Fri, 3 Apr 1998 16:06:31 -0800 (PST)
Received: from mailgate.nytimes.com by gatekeeper.nytimes.com; (5.65v3.2/1.1.8.2/30Mar95-0352PM) id AA31562; Fri, 3 Apr 1998 19:13:48 -0500
Received: from [170.149.212.99] by mailgate.nytimes.com; (5.65/1.1.8.2/25Jul94-1134AM) id AA09612; Fri, 3 Apr 1998 19:11:29 -0500
Message-Id: <3.0.5.32.19980403191101.008198a0@mailgate.nytimes.com>
X-Sender: gordy@mailgate.nytimes.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32)
Date: Fri, 03 Apr 1998 19:11:01 -0500
To: "Danny Johnson"
From: Gordy Thompson
Subject: Re: Firewalls-Digest V7 #146-Auto Answer
Cc: ,
In-Reply-To: <9804038916.AA891645850@pxc3sc302.contcirc.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At least it's not spam, or "usubscrible" ...
At 03:22 PM 4/3/98 -0700, Danny Johnson wrote:
>
> You gotta be kidding me!
>
>
>______________________________ Reply Separator _________________________________
>Subject: Firewalls-Digest V7 #146-Auto Answer
>Author: at INTERNET
>Date: 4/2/98 5:42 PM
>
>
>I am on maternity leave from 04/06/98 till 05/29/98. Please try me later.
>
>Thanks!!!
>
>
==========================================================================
Gordon T. Thompson gordy@nytimes.com
Manager, Internet Services 212 556 1386
The New York Times fax: 212 556 1636
For years we thought that a million monkeys sitting at a million keyboards would produce the Complete Works of Shakespeare; today, thanks to the Internet, we know that's not true.

From firewalls-owner Fri Apr 3 17:40:32 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id QAA03307; Fri, 3 Apr 1998 16:02:34 -0800 (PST)
Received: from pascamail-2.pmi (mail.citysearch.com [205.227.223.133]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id QAA03253 for ; Fri, 3 Apr 1998 16:02:00 -0800 (PST)
Received: by mail.citysearch.com with Internet Mail Service (5.0.1458.49) id ; Fri, 3 Apr 1998 16:05:56 -0800
Message-ID: <9494F3B8EDAED111949B00600815D1C585372D@mail.citysearch.com>
From: Michael Batchelor
To: dmcewen@nsf.gov, firewalls@GreatCircle.COM, Roy Stevens
Subject: RE: SSH Questions
Date: Fri, 3 Apr 1998 16:05:55 -0800
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1458.49)
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

It is possible to close these SSH holes. You can configure the sshd to disallow port forwarding and X11 forwarding. Furthermore, you can disable UNIX password authentication, and permit only RSA public key authentication, and also disable the interaction with ssh-agent.
If you want maximum paranoia, you can configure sshd to only accept host keys from known hosts, and then have your remote users all create keys for their home PC, or whatever, and install these keys on the host that receives outside SSH logins. Users can exercise paranoia on their own by creating an authorized_keys file in their $HOME/.ssh directory, which contains the public keys of remote users who are allowed access to the account. This will typically contain only the public key of the owner of the account.

It's pretty robust, but not straight out of the box with the default config files. As with all things security-related, you must know what you are doing.

> -----Original Message-----
> From: dmcewen@nsf.gov [SMTP:dmcewen@nsf.gov]
> Sent: Friday, April 03, 1998 6:53 AM
> To: firewalls@GreatCircle.COM; Roy Stevens
> Subject: Re: SSH Questions
>
> SSH provides security via encryption, so it makes it much harder to
> snoop your data including userid and password. However, if some one is
> able to compromise your userid/password, then you have made the
> firewall a joke because it is so easy to tunnel other protocols via
> ssh. I'd suggest that inbound ssh only be done with strong auth such
> as SecurID.
>
>
> ______________________________ Reply Separator
> _________________________________
> Subject: SSH Questions
> Author: Roy Stevens at NOTE
> Date: 4/3/98 9:43 AM
>
>
> I have started research into running ssh across the INTERNET.
> My preliminary research has shown much promise.
>
> I would appreciate any feedback on this.
>
> I am particularly interested in firewall issues, ie proxy or IP
> forwarding problems.
>
> Thanks for any correspondence.
> > TOBOR
> >
> >

From firewalls-owner Fri Apr 3 17:53:57 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA09523; Fri, 3 Apr 1998 02:26:19 -0800 (PST)
Received: from imo28.mx.aol.com (imo28.mx.aol.com [198.81.17.72]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id NAA02656 for ; Thu, 2 Apr 1998 13:56:24 -0800 (PST)
Received: from Oasis179@aol.com by imo28.mx.aol.com (IMOv13.ems) id KVNNa19781; Thu, 2 Apr 1998 16:56:39 -0500 (EST)
From: Oasis179
Message-ID: <2ac32cd5.35240998@aol.com>
Date: Thu, 2 Apr 1998 16:56:39 EST
Mime-Version: 1.0
Subject: Im Jenny
Content-type: multipart/mixed; boundary="part0_891554199_boundary"
X-Mailer: AOL 2.5 for Windows sub 2
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This is a multi-part message in MIME format.

--part0_891554199_boundary
Content-ID: <0_891554199@inet_out.mail.aol.com.1>
Content-type: text/plain; charset=US-ASCII

--part0_891554199_boundary
Content-ID: <0_891554199@inet_out.mail.aol.com.2>
Content-type: message/rfc822
Content-transfer-encoding: 7bit
Content-disposition: inline

From: Oasis179
Return-path:
To: Oasis179@aol.com
Subject: Im Jenny
Date: Thu, 2 Apr 1998 16:53:51 EST
Organization: AOL (http://www.aol.com)
Mime-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7bit

Hi I'm Jenny and I made a webpage which has my picture on it, I think I'm very pretty, tell me what you think.
Click Here

--part0_891554199_boundary--

From firewalls-owner Fri Apr 3 18:48:13 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA09405; Fri, 3 Apr 1998 02:24:48 -0800 (PST)
Received: from atlantic.leisureplan.co.za (atlantic.leisureplanet.com [196.25.192.37]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id FAA03767 for ; Thu, 2 Apr 1998 05:23:18 -0800 (PST)
Received: by atlantic.leisureplan.co.za with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5) id <01BD5E4C.74A667F0@atlantic.leisureplan.co.za>; Thu, 2 Apr 1998 15:31:50 +0200
Message-ID:
From: William Evans
To: "'firewalls@GreatCircle.COM'"
Subject: DOS attacks on NT
Date: Thu, 2 Apr 1998 15:31:48 +0200
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Could someone tell me whether the following would indicate a DOS attack, or a corrupt TCP/IP configuration on the server. The output below is the result of a netstat -n | grep 0.0.0.0

TCP 205.158.7.34:80 0.0.0.0:18474 TIME_WAIT
TCP 205.158.7.34:2950 0.0.0.0:51436 SYN_SENT
TCP 205.158.7.34:139 0.0.0.0:18553 ESTABLISHED
TCP 205.158.7.34:2254 0.0.0.0:34851 ESTABLISHED
TCP 205.158.7.37:80 0.0.0.0:2192 ESTABLISHED
TCP 205.158.7.39:80 0.0.0.0:0 TIME_WAIT

We are only seeing this on one of our servers.
Thanks
William

From firewalls-owner Fri Apr 3 18:50:22 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id RAA24706; Fri, 3 Apr 1998 17:57:51 -0800 (PST)
Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-980202-1) id RAA24675 for firewalls@greatcircle.com; Fri, 3 Apr 1998 17:57:43 -0800 (PST)
Received: from CHROMIUM ([165.21.74.3]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id KAA12802 for ; Mon, 30 Mar 1998 10:15:36 -0800 (PST)
Received: from mail pickup service by singnet.com.sg with Microsoft SMTPSVC; Tue, 31 Mar 1998 02:22:00 +0800
Received: from argon.singnet.com.sg - 165.21.74.27 by singnet.com.sg with Microsoft SMTPSVC; Sun, 29 Mar 1998 06:34:47 +0800
Received: from relay4.UU.NET (relay4.UU.NET [192.48.96.14]) by argon.singnet.com.sg (8.8.8/8.8.8) with ESMTP id GAA13028 for ; Sun, 29 Mar 1998 06:31:22 +0800 (SST)
Received: from honor.greatcircle.com by relay4.UU.NET with ESMTP (peer crosschecked as: honor.greatcircle.com [198.102.244.44]) id QQeisg12444; Sat, 28 Mar 1998 17:30:59 -0500 (EST)
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA07491; Sat, 28 Mar 1998 12:52:38 -0800 (PST)
Received: from acamail1.acaonline.org (acamail1.acaonline.org [207.98.144.120]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id OAA19846 for ; Fri, 27 Mar 1998 14:20:25 -0800 (PST)
Received: by ACA_EXCHANGE with Internet Mail Service (5.0.1458.49) id ; Fri, 27 Mar 1998 15:20:58 -0700
Message-ID: <815366BCD402D111960E0000F805887B307DB0@ACA_EXCHANGE>
From: Taufik Islam
To: Firewalls@GreatCircle.COM
Subject: Sniffer
Date: Fri, 27 Mar 1998 15:20:56 -0700
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1458.49)
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Is there a good packet sniffer that runs on NT 4.0?
Please help me with any information you may have.

Thanks

If you know of any good packet sniffer for UNIX please let me know also.

Taufik Islam
Network Engineer, ACA

From firewalls-owner Fri Apr 3 19:35:13 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id QAA06949; Fri, 3 Apr 1998 16:25:51 -0800 (PST)
Received: from pascamail-2.pmi (mail.citysearch.com [205.227.223.133]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id QAA06853 for ; Fri, 3 Apr 1998 16:25:24 -0800 (PST)
Received: by mail.citysearch.com with Internet Mail Service (5.0.1458.49) id ; Fri, 3 Apr 1998 16:29:23 -0800
Message-ID: <9494F3B8EDAED111949B00600815D1C5859329@mail.citysearch.com>
From: Michael Batchelor
To: firewalls@GreatCircle.COM
Subject: RE: Re[2]: Split DNS config questions
Date: Fri, 3 Apr 1998 16:29:20 -0800
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1458.49)
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

As it turns out, a lot of my confusion was from an incorrect configuration on the inside servers. While I had a directive in named.conf for the forwarders, I omitted the option "forward only;". Without this option, named (BIND 8) insists on having a hints file, even if the hints file is full of bogus info. It will replace the hints with whatever it finds via the forwarder.

Imagine my confusion when I set the hints file to contain (exactly!) this:

. 99999999 IN NS foo.bar.com.
foo.bar.com. 99999999 IN A 1.2.3.4

And then discovered the names and addresses of all the root servers in the named_dump.db on the inside servers! They discovered the real root servers via the forwarder.

Adding "forward only;" to the options section keeps named from looking for a root server, when it should only be forwarding. No hints file needed. Its cache gets filled only with the results of queries it has satisfied. It's kind of like a default route for DNS, as Rick Murphy put it.
He gave me some good insights into how this is supposed to work, and I thank him for taking the time to help me.

Here's a sanitized version of my named.conf on the inside server:

options {
        directory "/var/named";
        forwarders { 10.0.0.1; };
        forward only;
};

zone "inside.company.com" in {
        type master;
        file "company.hosts";
};

zone "10.in-addr.arpa" in {
        type master;
        file "company.10.rev";
};

The named.conf for the firewall server is even simpler (our outside DNS is served by existing hosts at our ISP's facilities). All it has to do is cache and handle queries from the inside servers.

options {
        directory "/var/named";
};

zone "." in {
        type hint;
        file "named.cache";
};

Since we already have outside nameservers, we can tighten this up some by setting the firewall named to allow queries only from the inside addresses, and to bind only to the inside interface. YMMV, of course. :)

I hope this summary helps someone else get split DNS set up correctly.

From firewalls-owner Fri Apr 3 20:15:03 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id QAA03289; Fri, 3 Apr 1998 16:02:18 -0800 (PST)
Received: from inergen.sybase.com (inergen.sybase.com [192.138.151.43]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id QAA03267 for ; Fri, 3 Apr 1998 16:02:09 -0800 (PST)
Received: from smtp1.sybase.com (sybgate.sybase.com [130.214.220.35]) by inergen.sybase.com (8.8.4/8.8.4) with SMTP id QAA01367; Fri, 3 Apr 1998 16:08:29 -0800 (PST)
Received: from by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) id AB13090; Fri, 3 Apr 98 16:06:44 PST
Received: by gwwest.sybase.com(Lotus SMTP MTA v4.6.1 (569.2 2-6-1998)) id 882565DC.000099D7 ; Fri, 3 Apr 1998 16:06:33 -0800
X-Lotus-Fromdomain: SYBASENOTES
From: "Ryan Russell"
To: "Stout, William"
Cc: "'Firewalls@GreatCircle.COM'"
Message-Id: <882565DC.0000695E.00@gwwest.sybase.com>
Date: Fri, 3 Apr 1998 16:05:53 -0800
Subject: Re: Unwanted data appears inside firewalled network
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

No, layer 8 is economics, and layer 9 is politics. Since OSI layers rely on the lower layers, it's not possible to build an intelligence layer on top of that.

Ryan

"Stout, William" on 04/03/98 01:00:32 PM
To: "'Firewalls@GreatCircle.COM'"
cc: (bcc: Ryan Russell/SYBASE)
Subject: Unwanted data appears inside firewalled network

Unwanted data continues to infiltrate our protected network via SMTP, HTTP, NNTP, floppy disks, RAS connections, and VPNs. We have a strong firewall. What gives?

Firewalls based on the OSI layers don't work. We need AI/fuzzy logic (OSI layer 8 = intelligence?).

Say a cracker builds a network attack at OSI layer three. You build a perimeter wall up to layer three, called a packet filter, to keep his traffic out of your domain. The cracker builds an application attack. You raise your perimeter wall to layer seven with a proxy. The cracker builds onto that application (viruses, SPAM, etc). The cracker is looking over your wall again. Now what? We ran out of OSI layers to build our wall. We're mentally confined to this completely artificial layer model. Crackers aren't.

We could build an AI system on the perimeter wall to add intelligence on the firewall. Or we could build a network-wide management system (tied into firewalls, virus scanners, & IDS probes) to create a 'ceiling' across the perimeter walls.

Bill Stout
______________________________________________________________________
New Bill Stout early warning (4/3/98): Economic shock wave finally coming from Asia. Distribution chip sales way down (1st qtr '98) in Silicon Valley. Other industries to follow. Stock market will drop. Prepare your finances.
See:
http://www.intel.com/pressroom/archive/releases/CN30498b.HTM
http://www.amd.com/news/corppr/9802.html
http://www.national.com/news/1998/9803/q3fy98.html

From firewalls-owner Fri Apr 3 20:20:22 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id SAA27514; Fri, 3 Apr 1998 18:09:35 -0800 (PST)
Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-980202-1) id SAA27496 for firewalls@greatcircle.com; Fri, 3 Apr 1998 18:09:31 -0800 (PST)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id HAA11393 for ; Tue, 31 Mar 1998 07:02:26 -0800 (PST)
Received: from siren.shore.net (siren.shore.net [207.244.124.5]) by miles.greatcircle.com (8.8.5/8.8.5) with SMTP id HAA20560 for ; Tue, 31 Mar 1998 07:04:55 -0800 (PST)
Received: from vin.shore.net ([198.115.179.81]) [198.115.179.81] by siren.shore.net with esmtp (Exim) id 0yK2c2-0000mg-00; Tue, 31 Mar 1998 10:06:07 -0500
X-Sender: vin@shell1.shore.net (Unverified)
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 31 Mar 1998 10:06:44 -0500
To: firewalls@greatcircle.com
From: "Renard, Kenneth"
Subject: SecurID & a Biometric & a PIN! (Was: Ammunition, please)
Cc: "Paul D. Robertson" , Vin McLellan , Jesse Brown
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Great discussion, guys! I have a comment to throw in here that has always concerned me about biometrics. It's not so much the biometric data itself, but how it is used, or more likely, misused. Comments, clarifications, or corrections are welcome.

Take an analytical step back and look at the biometric data. The measurement that it takes is going to be transformed into a "signature" of the scan, fingerprint, voice data. This signature/transform must remove (most?) variations among different measurements over time and various measuring devices. The data used (compared) will be relatively static.
We've learned from passwords that "static" can be bad. Biometric data has an extremely low degree of secrecy. I can get your fingerprint from your coffee mug, a retinal scan from your eye doctor, a face print from seeing you in the streets, etc. The signature/transform algorithm is assumed to be known (autocorrelation function for voice, etc.). Therefore, I can easily generate the biometric data necessary to assume your identity. "Stealing" the data can be done much more easily and secretly than an attack on the body. I, for one, would barely notice a missing coffee mug compared to a missing digit.

Assume the data is stolen. The high degree of user authenticity afforded by biometrics comes from the ability of _only_ the valid user to present the biometric data to the "system". A warm, pulsing thumb set upon a measuring device is a good indicator of who you are. Now the problem is comparing that data to a (remote?) database of data without allowing data to be inserted between the measuring device and the compare operation. You must completely authenticate the dialogue between the measuring device and the compare stage and only allow transactions with trusted measuring devices.

For example: The "Mission Impossible" scenario where the fingerprint measuring devices appear to be in the wall, with "secured" (behind the wall) wiring into the authentication system. This would be a nice closed system. Only those measuring devices that are securely hardwired into the system are allowed to authenticate.

On the other hand (pun intended): Your fingerprint device is connected via a serial port to your PC. An attacker could easily unplug the fingerprint device and plug in the coffee mug to give the same response (the stolen biometric data) unless the measuring device itself was authenticated. This is the type of biometric authentication I've seen demo-ed so far.
What I'd like to see is a "tamper-proof" token (a la SecurID) that measures the biometric, takes a PIN, and an internal seed to generate authentication data and/or unlock a stored private key. The biometric data would be utilized to its best potential without a significant threat of data insertion. All 3 authentication factors in one credit-card sized token! Well, someday.

The proverbial Guido and Mac the Knife are still a problem. How about a duress finger? :-)

-Ken

From firewalls-owner Fri Apr 3 21:12:14 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA09322; Fri, 3 Apr 1998 02:23:33 -0800 (PST)
Received: from loas.clark.net (loas.clark.net [168.143.0.13]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id GAA13325 for ; Thu, 2 Apr 1998 06:10:16 -0800 (PST)
Received: from mjr.clark.net (mjr.clark.net [168.143.19.61]) by loas.clark.net (8.8.8/8.8.8) with SMTP id JAA12889 for ; Thu, 2 Apr 1998 09:14:31 -0500 (EST)
Message-Id: <3.0.3.32.19980402091420.00690c68@mail.clark.net>
X-Sender: mjr@mail.clark.net
X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.3 (32)
Date: Thu, 02 Apr 1998 09:14:20 -0500
To: Firewalls@GreatCircle.COM
From: "Marcus J. Ranum"
Subject: Re: great circle spam relay
In-Reply-To: <199804020933.BAA12083@honor.greatcircle.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

"Vinod Valloppillil (Exchange)" writes:
>is it just me or is anyone else getting a ton of spam relayed by
>greatcircle.com?

It's everybody. For those of you who like a lower traffic, spam-free, product plug-free version of a firewalls list, you may want to check out firewall-wizards. The firewall-wizards archives are on http://www.nfr.net/firewall-wizards/archives.html; you can join by mailing majordomo@nfr.net.

mjr.
-- 
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr

From firewalls-owner Fri Apr 3 22:05:15 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA09639; Fri, 3 Apr 1998 02:27:47 -0800 (PST)
Received: from wall.cpr.fr (wall.cpr.fr [193.57.80.130]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id MAA15775 for ; Thu, 2 Apr 1998 12:00:46 -0800 (PST)
Received: by wall.cpr.fr; id WAA22150; Thu, 2 Apr 1998 22:05:07 +0200
Received: from unknown(193.57.82.188) by wall.cpr.fr via smap (3.2) id xma022144; Thu, 2 Apr 98 22:05:02 +0200
Received: by localhost with Microsoft MAPI; Thu, 2 Apr 1998 22:04:05 +0200
Message-ID: <01BD5E83.40DBDF40.paulboyer@usa.net>
From: Paul Boyer
To: "'firewalls@GreatCircle.com'"
Subject: FW: Virus checking at the firewall level.
Date: Thu, 2 Apr 1998 22:04:04 +0200
X-Mailer: Microsoft Internet E-mail/MAPI - 8.0.0.4211
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Yes, performance is a big issue :(

I was told Trend Micro's one at http://www.trendmicro.com is not using CVP for performance reasons. Does anyone have experience with it?

Paul

-----Original Message-----
From: Doug Drake
Sent: Wednesday, April 01, 1998 8:59 AM
To: Gordon LaSane ; Bruno ; firewalls mailing list
Subject: RE: Virus checking at the firewall level.

Conceptually CVP is a wonderful thing, but can you give me any numbers on the latency that this process causes on your network? I have not seen anything that will show me benchmarks for CVP-based virus scanning, especially with a firewall and even more with encryption. If I could get some good numbers I might be in favor of it. But until then, I like speed on my network and virus scanning on the desktop :).
At 04:04 PM 3/31/98 -0500, Gordon LaSane wrote:
[Paul BOYER] -snip-

From firewalls-owner Fri Apr 3 22:20:11 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id WAA10010; Fri, 3 Apr 1998 22:06:49 -0800 (PST)
Received: from smtp.enteract.com (thor.enteract.com [206.54.252.9]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id WAA09995 for ; Fri, 3 Apr 1998 22:06:42 -0800 (PST)
Message-Id: <199804040606.WAA09995@honor.greatcircle.com>
Received: (qmail 12024 invoked from network); 4 Apr 1998 06:11:28 -0000
Received: from jimst.sa.enteract.com (HELO Default) (207.229.133.64) by thor.enteract.com with SMTP; 4 Apr 1998 06:11:28 -0000
Reply-To:
From: "James Strompolis"
To:
Subject: RE: Firewalls-Digest V7 #146-Auto Answer
Date: Fri, 3 Apr 1998 22:57:41 -0600
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4
In-Reply-To:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

What EXACTLY would you like us to try with you later? Sounds to me as if someone has already had a go. You're welcome!!!

- James Strompolis
Aleph Consultants, Inc.
jimst@enteract.com

> -----Original Message-----
> From: firewalls-owner@GreatCircle.COM
> [mailto:firewalls-owner@GreatCircle.COM]On Behalf Of Jasjit K Singh
> Sent: Thursday, April 02, 1998 5:43 PM
> To: Firewalls@GreatCircle.COM
> Subject: Firewalls-Digest V7 #146-Auto Answer
>
> I am on maternity leave from 04/06/98 till 05/29/98. Please
> try me later.
>
> Thanks!!!
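Ken's SecurID/biometric message earlier in this digest makes one point that is easy to lose in the coffee-mug argument: the template is assumed public, so what the compare stage must verify is the measuring device and the freshness of the dialogue, not the secrecy of the print. The following is an added illustration written for this archive, not code from any message on the list or from any vendor named here. The reader identifiers, the per-reader key "installed at deployment", the template bytes and the user name are all constructed for the example; the matcher uses exact equality where a real one scores similarity against a threshold.

```python
import hashlib
import hmac
import secrets

# Constructed data. The enrolled template and the copy lifted from the
# coffee mug are byte-identical on purpose: the template is assumed to be
# public, which is the premise of the message above.
ENROLLED_TEMPLATE = b"minutiae:(12,34,45),(56,78,90),(90,12,135)"
STOLEN_TEMPLATE = ENROLLED_TEMPLATE


def reader_tag(key: bytes, reader_id: bytes, nonce: bytes, user: bytes, template: bytes) -> bytes:
    """HMAC binding one reading to one reader, one challenge and one user."""
    msg = b"|".join((reader_id, nonce, user, template))
    return hmac.new(key, msg, hashlib.sha256).digest()


class CompareServer:
    """The 'compare stage' from the message: it accepts only readings that
    carry a valid tag from a reader it provisioned, for a nonce it issued."""

    def __init__(self) -> None:
        self._reader_keys: dict = {}   # reader id -> key installed at deployment (hypothetical)
        self._templates: dict = {}     # user -> enrolled template
        self._open_nonces: set = set()

    def provision_reader(self, reader_id: bytes, key: bytes) -> None:
        self._reader_keys[reader_id] = key

    def enroll(self, user: bytes, template: bytes) -> None:
        self._templates[user] = template

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._open_nonces.add(nonce)
        return nonce

    def verify(self, reader_id: bytes, nonce: bytes, user: bytes, template: bytes, tag: bytes) -> bool:
        # 1. Fresh challenge? A recorded good exchange cannot be replayed.
        if nonce not in self._open_nonces:
            return False
        self._open_nonces.discard(nonce)
        # 2. Trusted reader? The "plug in the coffee mug" attack fails here,
        #    however accurate the stolen template is.
        key = self._reader_keys.get(reader_id)
        if key is None:
            return False
        if not hmac.compare_digest(reader_tag(key, reader_id, nonce, user, template), tag):
            return False
        # 3. Biometric match. Real matchers score similarity against a
        #    threshold; exact equality stands in for that here.
        enrolled = self._templates.get(user)
        return enrolled is not None and hmac.compare_digest(enrolled, template)


class Reader:
    """A measuring device. Only a provisioned one holds a key the server knows."""

    def __init__(self, reader_id: bytes, key: bytes) -> None:
        self.reader_id = reader_id
        self._key = key

    def present(self, server: CompareServer, user: bytes, template: bytes) -> bool:
        nonce = server.challenge()
        tag = reader_tag(self._key, self.reader_id, nonce, user, template)
        return server.verify(self.reader_id, nonce, user, template, tag)


def demo() -> dict:
    server = CompareServer()
    wall_key = secrets.token_bytes(32)
    wall_reader = Reader(b"wall-reader-1", wall_key)
    server.provision_reader(wall_reader.reader_id, wall_key)
    server.enroll(b"ken", ENROLLED_TEMPLATE)

    results = {}
    # Real thumb on the hardwired reader.
    results["legit"] = wall_reader.present(server, b"ken", ENROLLED_TEMPLATE)

    # Attacker on the wire with the stolen template, claiming to be the wall
    # reader but without its key: the tag is forged under a guessed key.
    nonce = server.challenge()
    forged = reader_tag(b"guess", wall_reader.reader_id, nonce, b"ken", STOLEN_TEMPLATE)
    results["coffee_mug"] = server.verify(wall_reader.reader_id, nonce, b"ken", STOLEN_TEMPLATE, forged)

    # Attacker records one genuine exchange and replays it verbatim.
    nonce = server.challenge()
    tag = reader_tag(wall_key, wall_reader.reader_id, nonce, b"ken", ENROLLED_TEMPLATE)
    results["first_use"] = server.verify(wall_reader.reader_id, nonce, b"ken", ENROLLED_TEMPLATE, tag)
    results["replay"] = server.verify(wall_reader.reader_id, nonce, b"ken", ENROLLED_TEMPLATE, tag)

    # The serial-port reader on a desk: a correct reading, but the device was
    # never provisioned, so the compare stage has no reason to trust it.
    desk_reader = Reader(b"desk-reader", secrets.token_bytes(32))
    results["unprovisioned_reader"] = desk_reader.present(server, b"ken", ENROLLED_TEMPLATE)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:22s} {'accepted' if ok else 'rejected'}")
```

The per-reader key is what the "behind the wall" wiring provides implicitly; the card-sized token Ken describes is the same idea with the key (his "internal seed") carried by the user instead of screwed into the wall. Note what the example does not solve: a reader whose key is extracted, or a guard who can be talked past, is outside the protocol.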
From firewalls-owner Sat Apr 4 05:01:40 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA19202; Fri, 3 Apr 1998 23:37:53 -0800 (PST)
Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-980202-1) id RAA22316 for firewalls@greatcircle.com; Fri, 3 Apr 1998 17:44:49 -0800 (PST)
Received: from mesache.encomix.es (mesache.encomix.es [194.143.192.3]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id BAA15227 for ; Mon, 30 Mar 1998 01:28:53 -0800 (PST)
Received: (qmail 9515 invoked from network); 30 Mar 1998 08:33:56 -0000
Received: from hell.encomix.es (HELO encomix.es) (root@194.143.192.22) by mesache.encomix.es with SMTP; 30 Mar 1998 08:33:56 -0000
Message-ID: <351F6625.B72FCDCE@encomix.es>
Date: Mon, 30 Mar 1998 11:30:14 +0200
From: Roman Ramirez
Organization: EncomIX
X-Mailer: Mozilla 4.04 [en] (X11; I; Linux 2.1.91 i586)
MIME-Version: 1.0
To: FW
Subject: Help about ICMP
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi:

I have some questions about filtering ICMP in a firewall... Please, can anyone tell me what kind of ICMP packets should be blocked by the firewall? What options and what packets should be rejected? What filtering rules must be applied by the firewall and what by the router?
Thx in advance
--
http://www.encomix.es/users/patowc
mailto://rramirez@encomix.es

From firewalls-owner Sat Apr 4 05:02:51 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id EAA02350; Sat, 4 Apr 1998 04:33:23 -0800 (PST)
Received: from terradir.com ([204.52.186.96]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id NAA03508 for ; Fri, 3 Apr 1998 13:30:10 -0800 (PST)
Received: by terradir.com from localhost (router,SLMail V2.6); Fri, 03 Apr 1998 16:37:08 -0500
Received: by terradir.com from system (204.52.186.96::mail daemon; unverified,SLMail V2.6); Fri, 03 Apr 1998 16:37:08 -0500
From: "A.R."
To: firewalls@GreatCircle.com
Date: Fri, 3 Apr 1998 16:37:07 +0000
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Message-Id: <19980403163708.5d0106d4.in@terradir.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Greetings all.

I wanted to have some information on the fastest/best/most reliable network interface card for a dual-homed Linux firewall machine. Please make suggestions clear.

Thanks in advance,
A. Rahman
Network Administrator

From firewalls-owner Sat Apr 4 05:05:26 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA19248; Fri, 3 Apr 1998 23:39:11 -0800 (PST)
Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-980202-1) id SAA27413 for firewalls@greatcircle.com; Fri, 3 Apr 1998 18:08:44 -0800 (PST)
Received: from europa.lif.icnet.uk (europa.lif.icnet.uk [143.65.100.4]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id GAA03749 for ; Tue, 31 Mar 1998 06:09:20 -0800 (PST)
From: harley@icrf.icnet.uk
Received: (from harley@localhost) by europa.lif.icnet.uk (8.8.8/8.8.8) id PAA09808 for firewalls@greatcircle.com; Tue, 31 Mar 1998 15:14:07 +0100 (BST)
Message-Id: <199803311414.PAA09808@europa.lif.icnet.uk>
Subject: Virus checking at the firewall level
To: firewalls@greatcircle.com
Date: Tue, 31 Mar 1998 15:14:06 +0100 (BST)
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> Now my question to you people out there is: How do you do it ? Do you
> not virus check at the firewall level ?

You can, if you can afford the software, hardware and bandwidth. In which case it's a good supplementary defence. It shouldn't be the -only- defence though: there are too many other ways a virus can get in.

> Do you count on the end user to do
> it ?

Not if there's any way of making it transparent: running realtime desktop scanning updated automatically by login scripts is a good approach on local networks.

> DO you have a miracle solution ?
>

Errrr......
--
David Harley                  | alt.comp.virus FAQ
D.Harley@icrf.icnet.uk        | & Anti-Virus Web Page
Support & Security Analyst    | Folk London On-Line gig-list
Imperial Cancer Research Fund | http://webworlds.co.uk/dharley/

From firewalls-owner Sat Apr 4 05:35:58 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA19338; Fri, 3 Apr 1998 23:41:43 -0800 (PST)
Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-980202-1) id RAA19072 for firewalls@greatcircle.com; Fri, 3 Apr 1998 17:28:09 -0800 (PST)
Received: from master.netmaster.ca (netmaster.ca [204.244.213.44]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id LAA10745 for ; Sun, 29 Mar 1998 11:46:32 -0800 (PST)
Received: from netmaster.ca ([204.244.158.24]) by master.netmaster.ca with esmtp id m0yJO66-000HbMC (Debian Smail-3.2 1996-Jul-4 #2); Sun, 29 Mar 1998 11:50:26 -0800 (PST)
Message-ID: <351EA7D8.A4C0331F@netmaster.ca>
Date: Sun, 29 Mar 1998 11:58:16 -0800
From: "Dana M. Epp"
Organization: NetMaster Networking Solutions, Inc
X-Mailer: Mozilla 4.04 [en] (X11; I; Linux 2.0.32 i586)
MIME-Version: 1.0
To: Magic Man
CC: Daniel Todd , firewalls@greatcircle.com
Subject: Re: linux based firewall cookbook...
References: <365DC84A57F3D01187E700805FC19048A2A99D@mailhub.corp.usweb.com> <351BC07B.80676CF5@rarebird.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

*Sigh*

Ok, first off, in a regime in which you are applying serious security, physical security is a large portion of the security management. You can pretty well hack into any system if you sit right at the damn thing. If someone can boot off a root disk in Linux.. you already blew away three key security policies one should have.

#1) Physical security to the machine.

#2) Installing or mounting devices not required. If you don't physically remove the drives, you could be in trouble.
Now, realistically this is an extra step since physical security shouldn't be compromised in the first place. Anyways, long story short, you can boot off a CD-ROM, floppy or even the hard drive if you've got physical security. (Not hard to remove the hard disk if you're at the console.)

#3) Mounting FAT on ANY sort of "secure" machine :)

OK, OK. Lecture over.

However, assuming one can not hack your box because you have no floppy really is asking for trouble. There are a few HOWTOs on how to compromise Linux by simply mounting the file system after the fact, changing the root passwd to "" and rebooting. At that point.. the machine is yours. Takes about 3 minutes to take the cover off... so don't assume physical security is NOT an issue; I've seen people carry hard drives around just for such occasions.

BTW, I am curious to know WHY someone would have FAT of any sort in a machine used in a security policy. I must have missed the original message, since I can not fathom WHY it would be used in the first place.

Magic Man wrote:
>
> Daniel Todd wrote:
>
> > This prevents having an insecure msdos file system on your box which is
> > the "easy" thing to do with tarballs. It is especially dangerous if it
> > is your root fs. You really don't want a root fs that can be edited by
> > booting off a DOS floppy.
>
> If a floppy can be booted, then security is compromised right there. I
> can boot any kind of OS via floppy and modify an internal filesystem.
>
> My firewall box has no floppy drive installed at all. I plugged one in
> for the initial install...but it was immediately removed and there's
> nothing on the box but a couple of LEDs and a power switch.
>
> --
> .\\agic .\\an
> Rarebird Consulting Services

--
Dana M. Epp
NetMaster Networking Solutions, Inc.
eppdm@netmaster.ca
http://www.netmaster.ca
" Connecting networks to the Internet..."
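Roman Ramirez's "Help about ICMP" question earlier in this digest gets no reply here. As an added example for this archive, not a message from the list and not anyone's product, the block below parses an ICMP header (type, code, checksum over the whole message, RFC 792) and applies one defensible border policy to it: keep the error reports that TCP/IP needs to work (destination unreachable, and above all code 4 "fragmentation needed", time exceeded, parameter problem, echo replies to pings sent from inside), drop the messages that rewrite routing state or map the network (redirect, router advertisement and solicitation, timestamp, information and address-mask requests, source quench), and drop anything the parser cannot verify. The policy, the direction labels and the test messages are this example's assumptions; in practice the same decisions are written in the filter's own rule syntax, and a stateful filter would additionally tie inbound error messages to connections it has seen. Where the router/firewall split falls is a deployment choice; the code says nothing about it.

```python
import struct
from collections import namedtuple

# ICMP message types (RFC 792, RFC 950, RFC 1256).
ECHO_REPLY, DEST_UNREACH, SOURCE_QUENCH, REDIRECT, ECHO_REQUEST = 0, 3, 4, 5, 8
ROUTER_ADVERT, ROUTER_SOLICIT, TIME_EXCEEDED, PARAM_PROBLEM = 9, 10, 11, 12
TIMESTAMP, TIMESTAMP_REPLY, INFO_REQUEST, INFO_REPLY = 13, 14, 15, 16
MASK_REQUEST, MASK_REPLY = 17, 18
FRAG_NEEDED = 4  # DEST_UNREACH code that path-MTU discovery (RFC 1191) depends on

Icmp = namedtuple("Icmp", "type code")


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; 0 means the embedded checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4) -> bytes:
    """Constructed test message: type, code, checksum, 4 bytes 'rest of header'."""
    csum = inet_checksum(struct.pack("!BBH", icmp_type, code, 0) + rest)
    return struct.pack("!BBH", icmp_type, code, csum) + rest


def parse_icmp(packet: bytes) -> Icmp:
    """Header parse that refuses short or corrupted messages."""
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    if inet_checksum(packet) != 0:
        raise ValueError("ICMP checksum mismatch")
    icmp_type, code = struct.unpack("!BB", packet[:2])
    return Icmp(icmp_type, code)


# One defensible border policy (an assumption of this example, not a standard):
# keep the error reports TCP/IP needs, drop everything that rewrites routing
# state or maps the network. None means "all codes of this type".
INBOUND_ACCEPT = {
    ECHO_REPLY: None,       # answers to pings sent from inside
    DEST_UNREACH: None,     # code 4 in particular, or PMTU discovery breaks
    TIME_EXCEEDED: None,    # traceroute from inside, TTL expiry
    PARAM_PROBLEM: None,
}
OUTBOUND_ACCEPT = {
    ECHO_REQUEST: None,            # inside hosts may ping out
    DEST_UNREACH: {FRAG_NEEDED},   # other codes advertise which ports/hosts exist
    PARAM_PROBLEM: None,
}
# Not listed, hence dropped both ways: REDIRECT (rewrites routes), ROUTER_ADVERT and
# ROUTER_SOLICIT (fake default gateways), SOURCE_QUENCH, TIMESTAMP*, INFO* and MASK*
# (network mapping), plus inbound ECHO_REQUEST.


def decide(msg: Icmp, direction: str) -> str:
    table = INBOUND_ACCEPT if direction == "in" else OUTBOUND_ACCEPT
    if msg.type not in table:
        return "drop"
    codes = table[msg.type]
    if codes is not None and msg.code not in codes:
        return "drop"
    return "accept"


def filter_icmp(packet: bytes, direction: str) -> str:
    """Fail closed: a message the parser rejects is dropped, never passed."""
    try:
        return decide(parse_icmp(packet), direction)
    except ValueError:
        return "drop"


def demo() -> dict:
    good = build_icmp(ECHO_REPLY, 0)
    # Type byte flipped to ECHO_REQUEST without recomputing the checksum.
    corrupted = bytes([ECHO_REQUEST]) + good[1:]
    cases = {
        "in_echo_request":   (build_icmp(ECHO_REQUEST, 0), "in"),
        "in_echo_reply":     (good, "in"),
        "in_frag_needed":    (build_icmp(DEST_UNREACH, FRAG_NEEDED), "in"),
        "in_redirect":       (build_icmp(REDIRECT, 1), "in"),
        "in_mask_request":   (build_icmp(MASK_REQUEST, 0), "in"),
        "out_time_exceeded": (build_icmp(TIME_EXCEEDED, 0), "out"),
        "out_port_unreach":  (build_icmp(DEST_UNREACH, 3), "out"),
        "out_frag_needed":   (build_icmp(DEST_UNREACH, FRAG_NEEDED), "out"),
        "corrupted":         (corrupted, "in"),
    }
    return {name: filter_icmp(pkt, d) for name, (pkt, d) in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18s} {verdict}")
```

The two choices most often argued over are visible in the tables: whether inbound echo requests are dropped outright or rate-limited, and whether outbound "time exceeded" is passed (it lets outsiders traceroute into the network, so it is dropped here). Dropping "fragmentation needed" in either direction is the mistake to avoid; it silently breaks connections whose packets exceed the path MTU.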
From firewalls-owner Sat Apr 4 07:14:20 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA09993; Sat, 4 Apr 1998 02:26:58 -0800 (PST)
Received: from mailgw3.lmco.com (mailgw3.lmco.com [192.35.35.23]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id GAA26017 for ; Fri, 3 Apr 1998 06:36:14 -0800 (PST)
Received: from emss04g01.ems.lmco.com ([166.17.13.122]) by mailgw3.lmco.com (8.8.8/8.8.8) with ESMTP id JAA05942 for ; Fri, 3 Apr 1998 09:40:44 -0500 (EST)
Received: from knight.vf.lmco.com ([166.17.3.50]) by lmco.com (PMDF V5.1-10 #20546) with ESMTP id <0EQU005R5E3TNQ@lmco.com> for firewalls@greatcircle.com; Fri, 3 Apr 1998 09:40:43 -0500 (EST)
Received: from data.camelot (data.vf.lmco.com [166.17.3.39]) by knight.vf.lmco.com (8.8.8/8.7.3) with SMTP id JAA29518 for ; Fri, 03 Apr 1998 09:34:39 -0500 (EST)
Received: from data by data.camelot (SMI-8.6/SMI-SVR4) id JAA00800; Fri, 03 Apr 1998 09:40:34 -0500
Date: Fri, 03 Apr 1998 09:40:34 -0500 (EST)
From: Christopher Zarcone
Subject: Re: socks versus fw-1 stateful inspection vulnerabilities
To: firewalls@greatcircle.com
Reply-to: Christopher Zarcone
Message-id: <199804031440.JAA00800@data.camelot>
MIME-version: 1.0
X-Mailer: dtmail 1.2.0 CDE Version 1.2 SunOS 5.6 sun4m sparc
Content-type: TEXT/plain; charset=us-ascii
Content-MD5: P0v7imDjl33aA+WJ2GNt4Q==
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Jon,

Stateful inspection engines suffer the same disadvantages as packet filters, because THEY ARE packet filters. I would say that (my) single biggest problem with packet filtering is application-level security (e.g. how can a packet filter differentiate a sendmail server from a rogue webserver running on port 25? It can't. A proxy can.)

OTOH, packet filters are generally faster, mainly because filtering decisions are made in the lower levels of the IP stack.
I can't speak from experience, but I've also read stories of state tables becoming corrupt, usually with interesting consequences.

Regards,

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Christopher Zarcone - Data Communications Design Analyst
Lockheed Martin Enterprise Information Systems
czarcone@vf.lmco.com * Chris.Zarcone@lmco.com * czarcone@acm.org
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
My opinions do not necessarily reflect those of my employer.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

>Date: Wed, 01 Apr 1998 23:27:59 -0500
>From: "Jon E. Price"
>Subject: socks versus fw-1 stateful inspection vulnerabilities
>
>Are there any known or theoretical insecurities or vulnerabilities or other
>shortcomings (eg. performance) using socks or the fw-1 stateful inspection
>technologies?

From firewalls-owner Sat Apr 4 07:20:38 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA19281; Fri, 3 Apr 1998 23:40:19 -0800 (PST)
Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-980202-1) id RAA22565 for firewalls@greatcircle.com; Fri, 3 Apr 1998 17:45:53 -0800 (PST)
Received: from guten.sddpc.org (guten.sddpc.org [156.29.3.236]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id IAA21494 for ; Mon, 30 Mar 1998 08:22:11 -0800 (PST)
Received: from fiji ([156.29.5.200]) by guten.sddpc.org (Netscape Mail Server v2.02) with SMTP id AAA26098; Mon, 30 Mar 1998 08:25:36 -0800
Message-Id: <3.0.3.32.19980330082851.00a2a560@guten.sannet.gov>
X-Sender: rwk@guten.sannet.gov
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Mon, 30 Mar 1998 08:28:51 -0800
To: firewalls@greatcircle.com
From: rkizer@sddpc.org (Kizer, Randall)
Subject: SECURITY ADMINISTRATOR
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Please forgive this posting, but I know a lot of qualified people subscribe to this listing, and I need someone very soon. This job is located in San Diego, CA.

ESSENTIAL FUNCTIONS:
* RACF Administrator
* SAP Security Administrator

RESPONSIBILITIES:
* Participate in the conversion from TOP SECRET to RACF
* Evaluate, implement and monitor security tools (UNIX, NT, etc.)
* Review audit logs for abnormalities. May require some audit reduction scripts to be written using perl, ksh, etc.
* Assist in the support of enterprise firewalls.
* Assist in the evaluation and implementation of new information security products.
* Assist departments with information security issues.
* Periodically conduct security awareness classes.
* Assist new projects with interpretation and implementation of security policy.
* Assist in writing new security policies.

SKILLS, EXPERIENCE & EDUCATION:
* 3-5 years experience with RACF
* 2-3 years experience with AIX or Solaris
* C and/or shell script programming

If you're interested, please e-mail me at rkizer@sddpc.org

From firewalls-owner Sat Apr 4 07:20:43 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id DAA20342; Sat, 4 Apr 1998 03:05:27 -0800 (PST)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id HAA01794 for ; Fri, 3 Apr 1998 07:00:39 -0800 (PST)
Received: from drew.sabre.com (drew.sabre.com [199.100.49.6]) by miles.greatcircle.com (8.8.5/8.8.5) with ESMTP id GAA26800 for ; Fri, 3 Apr 1998 06:07:24 -0800 (PST)
Received: (from mailer@localhost) by drew.sabre.com (8.8.7/8.7.4) id IAA00478 for ; Fri, 3 Apr 1998 08:08:36 -0600 (CST)
X-Authentication-Warning: drew.sabre.com: mailer set sender to <> using -f
Received: from ngw.sabre.com(192.168.133.149) by drew.sabre.com via smap (V2.0) id xma000471; Fri, 3 Apr 98 08:08:15 -0600
Received: from USGW-Message_Server by sabre.com with Novell_GroupWise; Fri, 03 Apr 1998 08:07:47 -0600
Message-Id:
X-Mailer: Novell GroupWise 4.1
Date: Fri, 03 Apr 1998 08:13:36 -0600
From: Jasjit K Singh
Reply-To: Jasjit_K_Singh@sabre.com
To: Firewalls@GreatCircle.COM
Subject: Firewalls-Digest V7 #147-Auto Answer
Mime-Version: 1.0
Content-Type: text/plain
Content-Disposition: inline
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am on maternity leave from 04/06/98 till 05/29/98. Please try me later.

Thanks!!!

From firewalls-owner Sat Apr 4 08:35:36 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA19310; Sat, 4 Apr 1998 08:26:01 -0800 (PST)
Received: from m4.boston.juno.com (m4.boston.juno.com [205.231.101.198]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id IAA19290 for ; Sat, 4 Apr 1998 08:25:52 -0800 (PST)
Received: (from daemonman@juno.com) by m4.boston.juno.com (queuemail) id LZL29035; Sat, 04 Apr 1998 11:29:35 EST
To: Tislam@acaonline.org
Cc: Firewalls@GreatCircle.COM
Date: Sat, 4 Apr 1998 08:28:18 -0800
Subject: Re: Sniffer
Message-ID: <19980404.082823.3590.24.dAEMONMAN@juno.com>
References: <815366BCD402D111960E0000F805887B307DB0@aca_exchange>
X-Mailer: Juno 1.49
X-Juno-Line-Breaks: 0-5,7-21
From: daemonman@juno.com (Jack Riley)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Try SniffIT.....

DaemonMan
----------
Do NOT let them deceive you with the legitimization of their myth!
DaemonMan@juno.com

On Fri, 27 Mar 1998 15:20:56 -0700 Taufik Islam writes:
>Is there a good Packet sniffer that runs on NT 4.0 ?
>Please help me with any information you may have
>Thanks
>
>If you know of any good packet sniffer for UNIX please let me know
>also.
>
>Taufik Islam
>Network Engineer, ACA
>

_____________________________________________________________________
You don't need to buy Internet access to use free Internet e-mail.
Get completely free e-mail from Juno at http://www.juno.com
Or call Juno at (800) 654-JUNO [654-5866]

From firewalls-owner Sat Apr 4 09:35:29 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA01634; Sat, 4 Apr 1998 09:21:44 -0800 (PST)
Received: from dns.eng.auburn.edu (dns.eng.auburn.edu [131.204.10.13]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id JAA01505 for ; Sat, 4 Apr 1998 09:21:18 -0800 (PST)
Received: from nexus.eng.auburn.edu (20663@nexus.eng.auburn.edu [131.204.12.98]) by dns.eng.auburn.edu (8.8.5/8.6.4) with SMTP id LAA03020 for ; Sat, 4 Apr 1998 11:26:01 -0600 (CST)
Received: from localhost by nexus.eng.auburn.edu (SMI-8.6/SMI-SVR4) id LAA15818; Sat, 4 Apr 1998 11:26:00 -0600
Date: Sat, 4 Apr 1998 11:26:00 -0600 (CST)
From: Doug Hughes
To: firewalls@greatcircle.com
Subject: Re: SSH Questions
In-Reply-To: <9803038916.AA891626021@yrelay.nsf.gov>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 3 Apr 1998 dmcewen@nsf.gov wrote:

> SSH provides security via encryption, so it makes it much harder to
> snoop your data including userid and password. However, if some one is
> able to compromise your userid/password, then you have made the
> firewall a joke because it is so easy to tunnel other protocols via
> ssh. I'd suggest that inbound ssh only be done with strong auth such
> as SecurID.
>

It should be noted that you can disable this tunnelling feature by using 'no-port-forwarding'. Also, compromising the userid and password is a lot harder than it sounds since it is encrypted. Somebody would have to be looking over your shoulder. But, it's a good point.
____________________________________________________________________________
Doug Hughes                    Engineering Network Services
System/Net Admin               Auburn University
doug@eng.auburn.edu

From firewalls-owner Sat Apr 4 10:35:36 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA09738; Sat, 4 Apr 1998 02:24:28 -0800 (PST)
Received: from labtech.checklab.com ([208.221.175.3]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id GAA23848 for ; Fri, 3 Apr 1998 06:26:26 -0800 (PST)
From: dclydew@interhack.net
Received: from thesquirrel ([207.0.233.62]) by labtech.checklab.com (Netscape Mail Server v2.02) with SMTP id AAA14127; Fri, 3 Apr 1998 09:46:42 -0500
To: "'Roy Stevens'"
Cc:
Subject: RE: SSH Questions
Date: Fri, 3 Apr 1998 09:31:07 -0500
Message-ID: <93725FB2A665D1118E660000F698833C012522@POLPSO1>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0
In-Reply-To: <93725FB2A665D1118E660000F698833C038C81@POLPSO1>
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4
Importance: Normal
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm using ssh from my client (Linux and Win 95) to my Linux firewall and a remote login to a home network... I'm having no problems forwarding the session through the firewall to the remote client. Just make sure you have the necessary ports open...:)

-----Original Message-----
From: firewalls-owner@GreatCircle.COM [mailto:firewalls-owner@GreatCircle.COM]On Behalf Of Roy Stevens
Sent: Thursday, April 02, 1998 11:40
To: firewalls@GreatCircle.COM
Subject: SSH Questions

I have started research into running ssh across the INTERNET. My preliminary research has shown much promise. I would appreciate any feedback on this. I am particularly interested in firewall issues, ie proxy or IP forwarding problems.

Thanks for any correspondence.
TOBOR

From firewalls-owner Sat Apr 4 10:50:32 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA09631; Sat, 4 Apr 1998 02:23:31 -0800 (PST)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id HAA01802 for ; Fri, 3 Apr 1998 07:00:41 -0800 (PST)
Received: from voland.freenet.bishkek.su (voland.freenet.bishkek.su [193.125.230.4]) by miles.greatcircle.com (8.8.5/8.8.5) with ESMTP id GAA26614 for ; Fri, 3 Apr 1998 06:05:47 -0800 (PST)
Received: from freenet.bishkek.su (fygrave@freenet.bishkek.su [193.125.230.1]) by voland.freenet.bishkek.su (8.8.4/8.8.4) with ESMTP id UAA17359 for ; Fri, 3 Apr 1998 20:08:25 +0500
Received: from localhost (fygrave@localhost) by freenet.bishkek.su (8.8.4/8.6.12) with SMTP id UAA17254 for ; Fri, 3 Apr 1998 20:07:35 -0500
Date: Fri, 3 Apr 1998 20:07:34 -0500 (GMT+5)
From: Fyodor
Reply-To: fygrave@usa.net
To: "'firewalls mailing list'"
Subject: masquerading on NT
Message-ID:
X-copyright: The content of this message is intellectual property of its author. So are all mistakes.
X-lummer: Bill Gates
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello People,

My friend wants to set up his NT box as a firewall (bad idea in my mind, but he doesn't like other OSes), so the thing he is stuck with is the kind of similarity to IP masquerading used on Linux machines. I seem to have heard something like this called NAT on NT, but I would appreciate it if anyone could give some additional information.
Best regards
Fyodor
---
Fyodor Yarochkin email:fygrave@usa.net
http://www.tigerteam.net/linuxgroup/ tel:[996-3312] 474465
echo 'subscribe kalug' | mail majordomo@unslaved.freenet.bishkek.su

From firewalls-owner Sat Apr 4 11:20:32 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA28873; Sat, 4 Apr 1998 10:52:46 -0800 (PST)
Received: from aspirin.bulnet.com ([212.36.3.67]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id KAA28709 for ; Sat, 4 Apr 1998 10:52:13 -0800 (PST)
From: mediplan@ssdnet.com.ar
Received: from localhost (JAA1810@localhost) by aspirin.bulnet.com (8.8.6/8.8.5) with SMTP id WAA12120; Sat, 4 Apr 1998 22:00:22 +0300
Date: Sat, 4 Apr 1998 22:00:22 +0300
Message-Id: <199804041900.WAA12120@aspirin.bulnet.com>
X-Authentication-Warning: aspirin.bulnet.com: JAA1810 owned process doing -bs
Received: by mediplan.com (bulk_mailer v1.5); Sat, 4 Apr 1998 21:47:11 +0300
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Unique opportunity
To: undisclosed-recipients:;
Message-ID:

Unique opportunity !!!

80,000 e-mail addresses from Austria

Broken down into: companies approx. 18,000
                  universities approx. 30,000
                  private individuals approx. 32,000

!!!for only OeS 1,390.--!!!

and

120,000 e-mail addresses from Germany

Broken down into: companies approx. 24,200
                  universities approx. 16,800
                  private individuals approx. 79,000

!!!for only OeS 1,590.--!!!

!!!SPECIAL PRICE!!!

If you order the Austrian and the German e-mail addresses together, you pay the package price of only OeS 1,990.-- !

All e-mail addresses are completely !up to date! (January 98) and are delivered on one diskette each in ASCII text format.

If you order within one week you receive an e-mail program in addition, !free of charge!.

Orders by e-mail please to: Mediplan@usa.net or Mediplan@pemail.net

Delivery is then by cash on delivery. !!!
Please don't forget.... your exact postal address, telephone, fax

Kind regards,
your Mediplan team

From firewalls-owner Sat Apr 4 12:46:36 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA17157; Sat, 4 Apr 1998 12:16:09 -0800 (PST)
Received: from mailhost.pi.net (mailhost.pi.net [145.220.3.9]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id MAA17045 for ; Sat, 4 Apr 1998 12:15:42 -0800 (PST)
Received: from nlpc116 (ut112.pi.net [145.220.194.112]) by mailhost.pi.net (8.8.3/8.7.1) with ESMTP id WAA12087 for ; Sat, 4 Apr 1998 22:20:24 +0200 (MET DST)
Posted-Date: Sat, 4 Apr 1998 22:20:24 +0200 (MET DST)
Message-Id: <199804042020.WAA12087@mailhost.pi.net>
From: "Johan Teekens"
To:
Subject: Re: masquerading on NT
Date: Sat, 4 Apr 1998 22:21:15 +0200
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1155
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Yes, I had the same problem 3 months ago. I found Raptor; I think it's a great product for the NT platform. I don't want to say that there is no better firewall. Just check it out, it might be a good choice.

regards
Johan

----------
> From: Fyodor
> To: 'firewalls mailing list'
> Subject: masquerading on NT
> Date: Saturday 4 April 1998 03:07
>
>
> Hello People,
> My friend wants to set up his NT box as a firewall (bad idea in my mind,
> but he doesn't like other OSes), so the thing he is stuck with is the kind
> of similarity to IP masquerading used on Linux machines. I seem to have
> heard something like this called NAT on NT, but I would appreciate it if
> anyone could give some additional information.
>
> Best regards
> Fyodor
> ---
> Fyodor Yarochkin email:fygrave@usa.net
> http://www.tigerteam.net/linuxgroup/ tel:[996-3312] 474465
> echo 'subscribe kalug' | mail majordomo@unslaved.freenet.bishkek.su
>

From firewalls-owner Sat Apr 4 12:50:38 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA21470; Sat, 4 Apr 1998 12:39:16 -0800 (PST)
Received: from puma.sirinet.net (puma.sirinet.net [198.203.196.67]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id MAA21463 for ; Sat, 4 Apr 1998 12:38:59 -0800 (PST)
From: debie@puma.sirinet.net
Received: from localhost (debie@localhost) by puma.sirinet.net (8.8.8/8.8.6) with SMTP id OAA29677; Sat, 4 Apr 1998 14:43:15 -0600
Date: Sat, 4 Apr 1998 14:43:15 -0600 (CST)
To: Jack Riley
cc: Tislam@acaonline.org, Firewalls@GreatCircle.COM
Subject: Re: Sniffer
In-Reply-To: <19980404.082823.3590.24.dAEMONMAN@juno.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

sniffit is wonderful... I also like something like trafshow to show the type of packets that are going across.

--------------------------
Deborah Ann Beley
Sirius Systems Group, Inc.
(580) 355-6436
debie@sirinet.net

On Sat, 4 Apr 1998, Jack Riley wrote:

> Try SniffIT.....
> DaemonMan
> ----------
> Do NOT let them deceive you with the legitimization of their myth!
> DaemonMan@juno.com
>
> On Fri, 27 Mar 1998 15:20:56 -0700 Taufik Islam
> writes:
> >Is there a good Packet sniffer that runs on NT 4.0 ?
> >Please help me with any information you may have
> >Thanks
> >
> >If you know of any good packet sniffer for UNIX please let me know
> >also.
> >
> >Taufik Islam
> >Network Engineer, ACA
> >
>
> _____________________________________________________________________
> You don't need to buy Internet access to use free Internet e-mail.
> Get completely free e-mail from Juno at http://www.juno.com
> Or call Juno at (800) 654-JUNO [654-5866]
>

From firewalls-owner Sat Apr 4 13:50:32 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA04256; Sat, 4 Apr 1998 13:42:56 -0800 (PST)
Received: from spike1.pikeonline.net (spike1.pikeonline.net [209.48.17.2]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id NAA04240 for ; Sat, 4 Apr 1998 13:42:49 -0800 (PST)
Received: from paladin [209.48.17.14] by spike1.pikeonline.net (SMTPD32-4.02) id AA54A00190; Sat, 04 Apr 1998 16:47:00 EST5EDT
Message-Id: <3.0.5.32.19980404164808.007a07c0@spike1.pikeonline.net>
X-Sender: sectech@spike1.pikeonline.net
X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.5 (32)
Date: Sat, 04 Apr 1998 16:48:08 -0500
To: firewalls@greatcircle.com
From: Keith Pachulski
Subject: Re: SecurID & a Biometric & a PIN
Cc: krenard@securitydynamics.com
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> We've learned from passwords that "static" can be bad.

Static passwords are a downfall; in fact we all know this already.

>etc.). Therefore, I can easily generate the biometric data necessary to

Generate, ok.. now replicate it..

>assume your identity. "Stealing" the data can be done much easier and
>secretly than an attack on the body. I, for one, would barely notice a
>missing coffee mug compared to a missing digit. Assume the data is
>stolen.

Heh, guess you wouldn't notice then if I borrowed your password file, would you. It all comes down to the issue of security and to what degree an individual is involved in the security process. I for one would notice if anything were moved on my desk, let alone turned up missing.

>Now the problem is comparing that data
>to a (remote?) database of data without allowing data to be inserted
>between the measuring device and the compare operation. You must

This area can become debatable and depends on the hardware installer and security company governing the biometric devices. I just finished installing a biometric reader in a 4000-office office building in NYC. The reader is attached via serial port to a PC which stores the photo/info database. At the desk (24/7) is where a guard sits while the client must authenticate with both the biometric reader as well as photo identification. So, unless you can spoof both the facial and fingerprints of the subject, you are not getting into any of my buildings. And no, you can't just prance by the guard and hop into one of the 6 elevators. Accessing the elevators requires a PIN number which is changed daily, and only the guard has the new PIN number.

Sound complicated? The whole process takes on average 30 seconds.

>On the other hand (pun intended): Your fingerprint device is connected via
>a serial port to your PC. An attacker could easily unplug the fingerprint
>device and plug in the coffee mug to give the same response (the stolen
>biometric data) unless the measuring device itself was authenticated. This
>is the type of biometric authentication I've seen demo-ed so far.

I suggest you spend more time studying physical security devices before condemning them further. Most of the higher quality readers read the entire print. So your coffee mug scenario is something I can laugh about =) no offense.

The opinions expressed are mine and not those of my company, its agents, associates or any others I forgot to mention =)

Have a nice day

Just a thought, but how and why are we on the subject of biometrics for a firewalls list?

§§§§§§»»°°°°°°°°°°°°°°°°°°°°°««§§§§§§
Keith A. Pachulski PPS, CPI
Guardian Group Agency
ICQ#7768208
sectech@pikeonline.net
§§§§§§»»°°°°°°°°°°°°°°°°°°°°°««§§§§§§

From firewalls-owner Sat Apr 4 20:50:32 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id UAA02376; Sat, 4 Apr 1998 20:47:05 -0800 (PST)
Received: from UPIMSSMTPUSR04 (smtp.email.msn.com [207.68.143.160]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id UAA02369; Sat, 4 Apr 1998 20:46:58 -0800 (PST)
Received: from dorian-hanzich - 153.34.103.166 by email.msn.com with Microsoft SMTPSVC; Sat, 4 Apr 1998 20:51:22 -0800
Message-ID: <003501bd604e$f1f32000$a6672299@dorian-hanzich>
From: "Dorian Hanzich"
To: , , , , ,
Subject: Polite Request
Date: Sat, 4 Apr 1998 20:52:05 -0800
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.72.2106.4
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Dear Sirs

I have received Unsolicited Bulk E-Mail (UBE) apparently from yourselves or from one of your direct or indirect customers. I don't like it and would ask for your cooperation to put a stop to it.

Most of the UBE I receive looks dishonest to me. I am sure your company isn't like that but you would do well to avoid using or permitting the same methods as these "spammers" lest you be tarred with the same brush.

Also, you may be aware that a growing number of ISPs are taking to blocking incoming mail from "spam" domains. I don't want that to happen because I might lose legitimate mail and you might be inconvenienced.
--- Copy of offending material follows ---

> Received: from UPIMSRGSMTP03 - 207.68.152.47 by email.msn.com with Microsoft SMTPSVC;
>     Sat, 4 Apr 1998 11:36:02 -0800
> Received: from relay7.UU.NET - 192.48.96.17 by msn.com with Microsoft SMTPSVC;
>     Sat, 4 Apr 1998 11:36:02 -0800
> Received: from honor.greatcircle.com by relay7.UU.NET with ESMTP
>     (peer crosschecked as: honor.greatcircle.com [198.102.244.44])
>     id QQejrq22395; Sat, 4 Apr 1998 14:35:27 -0500 (EST)
> Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA28873; Sat, 4 Apr 1998 10:52:46 -0800 (PST)
> Received: from aspirin.bulnet.com ([212.36.3.67]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id KAA28709 for ; Sat, 4 Apr 1998 10:52:13 -0800 (PST)
> From: mediplan@ssdnet.com.ar
> Received: from localhost (JAA1810@localhost)
>     by aspirin.bulnet.com (8.8.6/8.8.5) with SMTP id WAA12120;
>     Sat, 4 Apr 1998 22:00:22 +0300
> Date: Sat, 4 Apr 1998 22:00:22 +0300
> Message-Id: <199804041900.WAA12120@aspirin.bulnet.com>
> X-Authentication-Warning: aspirin.bulnet.com: JAA1810 owned process doing -bs
> Received: by mediplan.com (bulk_mailer v1.5); Sat, 4 Apr 1998 21:47:11 +0300
> Sender: firewalls-owner@GreatCircle.COM
> Precedence: bulk
> To: undisclosed-recipients:;
> Return-Path: firewalls-owner@GreatCircle.COM
>
> Unique opportunity
> To: undisclosed-recipients:;
> Message-ID:
>
> Unique opportunity !!!
>
> 80,000 email addresses from Austria
>
> Broken down into: companies approx. 18,000
>                   universities approx. 30,000
>                   private approx. 32,000
>
> !!! for only OeS 1,390 !!!
>
> and
>
> 120,000 email addresses from Germany
>
> Broken down into: companies approx. 24,200
>                   universities approx. 16,800
>                   private approx. 79,000
>
> !!! for only OeS 1,590 !!!
>
> !!! SPECIAL PRICE !!!
>
> If you order the Austrian and the German email addresses together,
> you pay the package price of only OeS 1,990!
>
> All email addresses are !completely up to date! (January 98) and
> are delivered on one diskette each in ASCII text format.
>
> If you order within one week you also receive an email program
> !free of charge!.
>
> Please send orders by email to: Mediplan@usa.net or Mediplan@pemail.net
>
> Delivery is then by cash on delivery.
>
> !!! Please don't forget.... your exact postal address, telephone, fax
>
> With kind regards
>
> Your Mediplan team

From firewalls-owner Sun Apr 5 01:35:36 1998
Date: Sun, 05 Apr 1998 11:27:43 +0200
From: Manfred Hahn
Organization: ConnecT-GmbH
To: limsks@acapacific.com.sg, firewalls@GreatCircle.COM
Subject: ATM-Firewall

Hi there!!! Have you ever heard of a system called ATLAS??? ATM-Line-Access-And-Security. It is an ATM firewall filtering cells at a speed of 155 Mbps. It supports Classical IP, LAN Emulation and FORE IP over ATM. At the end of 1998 it will also support MPOA over ATM. Cisco's 7513 is not able to filter on layer 3 (needed for MPOA) but ATLAS will.
You can set more than 1000 filters without any performance degradation. In addition, if two ATLAS systems talk to each other across an ATM network you can encrypt the data as well. So, what else do you need to secure your data on an ATM network? If you need more information, here is my phone number: ...43-732-377080 or e-mail: hahn@connect-gmbh.de

Hope I can help!!!

Regards

From firewalls-owner Sun Apr 5 01:50:31 1998
From: "Greg Barnes"
Organization: International Network Services
To: "Dana M. Epp"
Date: Sun, 5 Apr 1998 04:32:51 -0600
Subject: Re: linux based firewall cookbook...
Reply-to: greg_barnes@ins.com
CC: Daniel Todd , firewalls@GreatCircle.COM

Agreed.
But once physical security is broken, the discussion should be over. Physical sec is the last bastion of hope. If you can't maintain that wall, then why wouldn't the individual just pocket the drive, rather than fart around booting up, poking around and generally just being a nuisance? Rather than bringing a drive, why not just bring a small handheld drill, whirr whirr whirr whirr, yank and pocket the drive(s)? I mean hey, since you have the RUN of the place, I doubt anyone would notice you doing it, eh?

It's ridiculous to discuss filesystem security measures after the physical layer has been breached, and I don't care what the filesystem is; if you KNOW what it is and you have physical access, it's game over..... FAT, minix, HPFS, NTFS, ext2, UFS, whatever... When the physical layer is breached, you start talking about "Recovery", not "Security".

Ok, now I'm off _my_ soap box. =) *grin*

On 29 Mar 98, Dana M. Epp wrote about Re: linux based firewall cookbook..:

> *Sigh*
>
> Ok, first off, in a regime in which you are applying serious security, physical
> security is a large portion of the security management. You can pretty well hack
> into any system if you sit right at the damn thing. If someone can boot off a root
> disk in Linux.. you already blew away three key security policies one should have.
>
> #1) Physical security to the machine.
> #2) Installing or mounting devices not required. If you don't physically remove
> the drives, you could be in trouble. Now, realistically this is an extra step
> since physical security shouldn't be compromised in the first place. Anyways, long
> story short, you can boot off a CD-ROM, floppy or even the hard drive if you got
> physical security. (Not hard to remove the hard disk if you're at the console.)
> #3) Mounting FAT on ANY sort of "secure" machine :)
>
> OK, OK. Lecture over. However, assuming one can not hack your box because you have
> no floppy really is asking for trouble. There are a few HOWTOs on how to
> compromise Linux by simply mounting the file system after the fact, changing root
> passwd to "" and rebooting. At that point.. the machine is yours. Takes about 3
> minutes to take the cover off... so don't assume physical security is NOT an
> issue, I've seen people carry hard drives around just for such occasions.
>
> BTW, I am curious to know WHY someone would have FAT of any sort in a machine used
> in a security policy. I must have missed the original message, since I can not
> fathom WHY it would be used in the first place.
>
> Magic Man wrote:
> >
> > Daniel Todd wrote:
> >
> > > This prevents having an insecure msdos file system on your box which is
> > > the "easy" thing to do with tarballs. It is especially dangerous if it
> > > is your root fs. You really don't want a root fs that can be edited by
> > > booting off a DOS floppy.
> >
> > If a floppy can be booted, then security is compromised right there. I
> > can boot any kind of OS via floppy and modify an internal filesystem.
> >
> > My firewall box has no floppy drive installed at all. I plugged one in
> > for the initial install...but it was immediately removed and there's
> > nothing on the box but a couple of LEDs and a power switch.
> >
> > --
> > .\\agic .\\an
> > Rarebird Consulting Services
>
> --
> Dana M. Epp
> NetMaster Networking Solutions, Inc.
> eppdm@netmaster.ca
> http://www.netmaster.ca
>
> " Connecting networks to the Internet..."

Regards,
Greg Barnes
Dot Dot : greg_barnes@ins.com
Network Systems Engineer    RingRing: (918)590-2676
INS // Tulsa Office         BeepBeep: (888)485-3995
Woo Woo : (One day soon)
"If your vision doesn't cost you something, then it's only a dream..."
--Author Unknown

From firewalls-owner Sun Apr 5 10:20:39 1998
From: "Michael H. Warfield"
Subject: Encryption Survey at computer.org
To: firewalls@greatcircle.com
Date: Sun, 5 Apr 1998 13:23:35 -0400 (EDT)

In consideration that encryption plays a big role in VPNs, firewalls, and other security issues, I thought that this might be of some interest to the members of the firewalls mailing list...

I found this in the latest (April 1998) issue of "Computer" from IEEE: The IEEE Computer Society is conducting a poll on encryption policy. It says "members poll" but they are encouraging non-member participation. While it is unlikely to be a scientifically balanced poll (its target audience is a little skewed), the more participants the better. They do ask to please only submit one response per person, be it by mail, fax, or web...

Go to http://www.computer.org and follow the member poll link from there.

Mike
--
Michael H. Warfield    | (770) 985-6132 | mhw@WittsEnd.com
(The Mad Wizard)       | (770) 925-8248 | http://www.wittsend.com/mhw/
NIC whois: MHW9        | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471    | possible worlds. A pessimist is sure of it!
From firewalls-owner Sun Apr 5 12:26:32 1998
From: "Ryan Russell"
To: Christopher Zarcone
Cc: firewalls@GreatCircle.COM
Date: Sun, 5 Apr 1998 12:18:23 -0700
Subject: Re: socks versus fw-1 stateful inspection vulnerabilities

> Jon,
>
> Stateful inspection engines suffer the same disadvantages as packet filters,
> because THEY ARE packet filters.

But they are not JUST packet filters.

> I would say that (my) single biggest problem with packet filtering is
> application-level security (e.g. how can a packet filter differentiate a
> sendmail server from a rogue webserver running on port 25? It can't. A proxy
> can.)

They can, in the same manner that a proxy can.

> OTOH, packet filters are generally faster, mainly because filtering
> decisions are made in the lower levels of the IP stack.

Unfortunately, it seems that so far, SPF vendors tend to do the minimum amount of work to get a protocol to pass successfully, which tends to make them run faster.

> I can't speak from experience, but I've also read stories of state tables
> becoming corrupt, usually with interesting consequences.

No, you haven't. What you've heard is AG vendors claim that this could happen. The same vendors fail to point out that they suffer from the same issue if the very similar TCP connection tables built into the OS that they rely on become corrupt. If your hardware flakes out, all bets are off on the security software.

Ryan

> Regards,
>
> Christopher Zarcone - Data Communications Design Analyst
> Lockheed Martin Enterprise Information Systems
> czarcone@vf.lmco.com * Chris.Zarcone@lmco.com * czarcone@acm.org
> My opinions do not necessarily reflect those of my employer.
>
> Date: Wed, 01 Apr 1998 23:27:59 -0500
> From: "Jon E. Price"
> Subject: socks versus fw-1 stateful inspection vulnerabilities
>
> Are there any known or theoretical insecurities or vulnerabilities or other
> shortcomings (eg. performance) using socks or the fw-1 stateful inspection
> technologies?
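An added example, written for this archive and not code from the thread or from any firewall vendor: a toy stateful packet filter in Python showing the two points Ryan makes above. It still decides per packet like a packet filter, but it keeps per-flow state and classifies the first application payload of each flow, so a web server answering on port 25 is dropped even though the port matches the rule, which is how a proxy would catch it. Flow keys are hashed into buckets, but every lookup compares the full 4-tuple, so two flows that collide in the hash never share state; the table is also bounded. The policy table, addresses and packets are all constructed for the example.

```python
"""Toy stateful packet filter (added example, not code from the list thread).
All addresses, ports and packets below are constructed for the example."""
from dataclasses import dataclass
import zlib


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False          # True for the first packet of a TCP connection
    payload: bytes = b""       # application data carried by this segment


@dataclass
class FlowState:
    key: tuple                 # (client_ip, client_port, server_ip, server_port)
    expected_proto: str        # protocol the policy allows on the server port
    verified: bool = False     # first payload already classified?


def looks_like(payload: bytes) -> str:
    """Cheap application-layer classifier for the first bytes of a flow."""
    head = payload[:8].upper()
    if head.startswith((b"GET ", b"POST ", b"HEAD ", b"HTTP/")):
        return "http"
    # SMTP: the server greets with "220 ..."; the client opens with HELO/EHLO.
    if head.startswith((b"220 ", b"220-", b"HELO ", b"EHLO ")):
        return "smtp"
    return "unknown"


class StatefulFilter:
    # policy: server port -> application protocol that is allowed there
    POLICY = {25: "smtp"}

    def __init__(self, max_flows: int = 1024, nbuckets: int = 64):
        self.buckets = [[] for _ in range(nbuckets)]
        self.max_flows = max_flows
        self.nflows = 0

    def _bucket(self, key: tuple) -> list:
        return self.buckets[zlib.crc32(repr(key).encode()) % len(self.buckets)]

    def lookup(self, key: tuple):
        # Same bucket is not the same flow: compare the whole key.
        for st in self._bucket(key):
            if st.key == key:
                return st
        return None

    def _insert(self, key: tuple, proto: str):
        if self.nflows >= self.max_flows:
            return None        # bounded table: refuse new state rather than grow unchecked
        st = FlowState(key, proto)
        self._bucket(key).append(st)
        self.nflows += 1
        return st

    def decide(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        st = self.lookup(fwd) or self.lookup(rev)   # either direction of the flow
        if st is None:
            # Only a SYN to a permitted server port may create state.
            if not pkt.syn or pkt.dport not in self.POLICY:
                return "DROP"
            return "ACCEPT" if self._insert(fwd, self.POLICY[pkt.dport]) else "DROP"
        if pkt.payload and not st.verified:
            if looks_like(pkt.payload) != st.expected_proto:
                return "DROP"  # right port, wrong application protocol
            st.verified = True
        return "ACCEPT"


def demo() -> list:
    """Run a constructed trace through the filter; returns the verdicts."""
    fw = StatefulFilter(nbuckets=1)   # one bucket: every flow collides on purpose
    trace = [
        Packet("10.0.0.5", 40000, "192.0.2.25", 25, syn=True),                      # SMTP client SYN
        Packet("192.0.2.25", 25, "10.0.0.5", 40000, payload=b"220 mail.example ESMTP\r\n"),
        Packet("10.0.0.6", 40001, "192.0.2.25", 25, syn=True),                      # second client SYN
        Packet("192.0.2.25", 25, "10.0.0.6", 40001, payload=b"HTTP/1.0 200 OK\r\n"),  # web server on 25
        Packet("10.0.0.7", 40002, "192.0.2.25", 25, payload=b"EHLO x\r\n"),          # data with no state
        Packet("10.0.0.5", 40000, "192.0.2.25", 80, syn=True),                      # port not in policy
    ]
    return [fw.decide(p) for p in trace]


if __name__ == "__main__":
    print(demo())   # ['ACCEPT', 'ACCEPT', 'ACCEPT', 'DROP', 'DROP', 'DROP']
```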
From firewalls-owner Sun Apr 5 13:35:38 1998
Date: Sun, 05 Apr 1998 22:29:57 +0200
From: Stepken
Organization: Freie Software Systeme
To: Ryan Russell
CC: Christopher Zarcone , firewalls@GreatCircle.COM
Subject: Re: socks versus fw-1 stateful inspection vulnerabilities

Ryan Russell wrote:
> > I can't speak from experience, but I've also read stories of state tables
> > becoming corrupt, usually with interesting consequences.
>
> No, you haven't. What you've heard is AG vendors claim that this could
> happen.
> The same vendors fail to point out that they suffer from the same issue if
> the very similar TCP connection tables built into the OS that they rely on
> become corrupt. If your hardware flakes out, all bets are off on the
> security software.

I did some very stressing tests on firewalls with SPF and dynamic rules. I was able to cause some memory overflow, which can be exploited as buffer overflow, depending on the memory model of the OS. Very often they use some well known hash functions (e.g. GNU), which also have collisions. Such attacks are very special ones, but they can be done.
regards, Guido Stepken

From firewalls-owner Sun Apr 5 17:21:02 1998
From: "Ryan Russell"
To: Stepken
Cc: firewalls@GreatCircle.COM
Date: Sun, 5 Apr 1998 17:09:36 -0700
Subject: Re: socks versus fw-1 stateful inspection vulnerabilities

My claim is that some folks, perhaps with vested interests in seeing leading SPF vendors lose market, have been trying to make people think that state tables are prone to corruption without providing any examples. If you've got details on the problem you've mentioned, I'd love to hear them.

Ryan

Stepken on 04/05/98 01:29:57 PM wrote (To: Ryan Russell/SYBASE; cc: Christopher Zarcone, firewalls@GreatCircle.COM; Subject: Re: socks versus fw-1 stateful inspection vulnerabilities):

> Ryan Russell wrote:
> > > I can't speak from experience, but I've also read stories of state tables
> > > becoming corrupt, usually with interesting consequences.
> >
> > No, you haven't. What you've heard is AG vendors claim that this could
> > happen.
> > The same vendors fail to point out that they suffer from the same issue if
> > the very similar TCP connection tables built into the OS that they rely on
> > become corrupt. If your hardware flakes out, all bets are off on the
> > security software.
>
> I did some very stressing tests on firewalls with SPF and dynamic rules. I was
> able to cause some memory overflow, which can be exploited as buffer overflow,
> depending on the memory model of the OS. Very often they use some well known
> hash functions (e.g. GNU), which also have collisions. Such attacks are very
> special ones, but they can be done.
>
> regards, Guido Stepken

From firewalls-owner Sun Apr 5 22:20:36 1998
Date: Mon, 6 Apr 1998 02:53:00 +0200
From: Bernd Eckenfels
To: Stepken
Cc: firewalls@GreatCircle.COM
Subject: Re: socks versus fw-1 stateful inspection vulnerabilities

> I was able to cause some memory overflow, which can be exploited as
> buffer overflow, depending on
> the memory model of the OS.

Which OS generates buffer overflows from memory shortage?

> Very often they use some well known hashfunctions (e.g. GNU), which also
> have collisions. Such attacks are very special ones, but they can be
> done.

Which hash function has no collisions? Therefore, which programmer forgets to check for equality in the result set a hash bucket delivers? Have you actually found an exploit?

Greetings
Bernd
--
Bernd_Eckenfels@Wendelinusstrasse39.76646Bruchsal.de
ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/
*plush* 2048/93600EFD eckes@irc +497257930613 BE5-RIPE
If privacy is outlawed only Outlaws have privacy

From firewalls-owner Mon Apr 6 00:35:41 1998
From: Adrian S Ryan
To: firewalls@GreatCircle.com, "'A.R.'"
Subject: RE:
Date: Mon, 6 Apr 1998 08:25:51 +0100

SMC8434BT (http://www.smc.com/network/lan/epower2.html)
SMC9334BDT (http://www.smc.com/network/lan/fastdpci.html)

> ----------
> From: A.R.[SMTP:arahman@terradir.com]
> Sent: 03 April 1998 05:37
> To: firewalls@GreatCircle.com
>
> Greetings all.
>
> I wanted to have some information on the
> fastest/best/reliable network interface card for a dual
> homed linux firewall machine.
>
> please make suggestions clear.
>
> thanks in advance
>
> A. Rahman
> Network Administrator

From firewalls-owner Mon Apr 6 03:09:32 1998
Date: Mon, 6 Apr 1998 05:00:57 -0500
To: firewalls@greatcircle.com
From: Vin McLellan
Subject: Re: SecurID & a Biometric & a PIN

From: tamaster@technologist.com
Date: Fri, 6 Feb 1998 12:30:18 -0600 (CST)
To: cryptography@c2.net
Subject: Biometric HA patent

Method and apparatus for securely handling a personal identification number or cryptographic key using biometric techniques (assignee -- Mytec Technologies Inc.)

Patent Number: 5712912
Issue Date: 1998 01 27
Inventor(s): Tomko, George J.; Stoianov, Alexei

February 6, 1998, MicroPatent via Individual Inc.:

Abstract: A method and apparatus using biometric information (such as a fingerprint, an iris structure, etc.) as a cipher for encrypting and decrypting a personal identification number (PIN) which is used as an input to a PIN-requiring device. The method of encryption of a PIN includes generating a sequence of random characters representing a PIN to be encrypted; obtaining a generating function such that the random characters are coefficients in an expansion of a square of said generating function over basis functions; and dividing a transform of the generating function by the Fourier-transformed information image signal to obtain the encrypted PIN. The latter is stored digitally or as a hologram in a personal card or a database. To decrypt the PIN, a full-complex spatial light modulator is illuminated with an optical beam carrying the Fourier transform of the biometric image of an individual to be identified. The encrypted PIN may also be stored in a reflective hologram which is nondestructively attached to a personal card, and the decryption of a PIN comprises illuminating the hologram with the beam carrying the Fourier transform of the biometric image. In other embodiments of the invention, a cipher may be derived from an intensity distribution (captured directly by a camera) of the Fourier spectrum of the biometric image. The PIN may be encrypted and decrypted either optically (with phase conjugation techniques) or digitally (using an encryption algorithm).

Ex Claim Text: A method for securely storing at least a personal identification number (PIN), comprising the following steps: obtaining a biometric information signal bearing information from a body part; generating a sequence of random characters to obtain a PIN; obtaining a generating function such that said random characters of said PIN are parameters of said generating function; obtaining a transform of said generating function; encrypting said transform of said generating function with said biometric information signal to obtain an encrypted PIN; and writing said encrypted PIN into a store.

-----
"Cryptography is like literacy in the Dark Ages. Infinitely potent, for good and ill...
yet basically an intellectual construct, an idea, which by its nature will resist efforts to restrict it to bureaucrats and others who deem only themselves worthy of such Privilege." _ A thinking man's Creed for Crypto/ vbm. * Vin McLellan + The Privacy Guild + * 53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548 From firewalls-owner Mon Apr 6 03:25:22 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA11201; Mon, 6 Apr 1998 02:57:10 -0700 (PDT) Received: from siren.shore.net (siren.shore.net [207.244.124.5]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id CAA11146 for ; Mon, 6 Apr 1998 02:56:57 -0700 (PDT) Received: from vin.shore.net ([198.115.179.81]) [198.115.179.81] by siren.shore.net with esmtp (Exim) id 0yM8iq-0000Z1-00; Mon, 6 Apr 1998 06:01:49 -0400 X-Sender: vin@shell1.shore.net Message-Id: In-Reply-To: <1.5.4.32.19980401162836.0096e910@mailhost.gov.yk.ca> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Mon, 6 Apr 1998 05:02:18 -0500 To: Larry Kwiat From: Vin McLellan Subject: Re: SecurID & a Biometric & a PIN Cc: "Paul D. Robertson" , krenard@securid.com, Jesse Brown , firewalls@greatcircle.com, sectech@pikeonline.net Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Keith A. Pachulski posted informed remarks on current biometric systems but asked: >>Just a thought, but how and why are we on the subject of biometrics for a >>firewalls list? User authentication technology is central to any attempt to restrict data flow through a firewall. Without authentication, there is no basis for access controls -- and without access/egress controls, why bother with a firewall at all? Earlier, Larry Kwiat had waded thru Robertson's wisdom and endured McLellan's grousing to offer summary judgement: >The subject here is risk management. Always is. >If you "wire" the people to the boxes, you make it worth the risk to >take the person with the box. 
You change the shape of the window of >possibility for the perpetrator, but you don't substantially change >the situation. With respect, Larry, I see this situation quite differently. The topic here is how to bring to bear additional degrees of relative certainty in user authentication. In search of higher degrees of assurance, it makes perfect sense to me to draw upon all three modes by which a computer can authenticate your pre-registered identity -- demands for what you know/hold/are -- in order to increase the certainty of that user authentication. The classical way of justifying this is to point out that using two or three different modes of authentication will, at minimum, require two or three different types of attacks to subvert or corrupt these procedures. Another way of putting it would be to simply point out that it makes a theft of identity much more difficult. Multiple layers of authentication demand a more elaborate attack, more planning, more equipment, and/or (to consider the potential of kidnapping) a vastly greater committment to criminal action, in the face of often much greater criminal penalties. No mechanism or protocol is invulnerable to attack. No assurance is perfect. Within that context, I think demanding a biometric can significantly (if only incrimentally) add to the assurance of an authentication process, and thus, "substantially change the situation." The question of how to do it right, with minimal risk to the integrity of the authentication process, and (in this case) with appropriate political concern for damage to the "owner" of the biometric are separate. (We should be careful not blur the concerns of the two respective "owners" here, particularly -- as may well be the case -- they vary or conflict.) If a thief has to take a person with the box (or, say, a token,) that's a big deal. Kidnapping is not a hacker crime. 
If subverting an authentication protocol takes a direct physical attack (or surgery;-) or a face-to-face con, or hidden sensors in the victim's steering wheel, that's a big deal too. Most cyberattacks are not the culmination of an extended "Mission Impossible" scam to get a user's bioprint. Paul, Ken, and others have noted that because a biometric is inherently static, it has some notable vulnerabilities, and that raises some scary possibilities if biometric records are lost, stolen, and mishandled as often as passwords, for example, are today. I agree. This raises some interesting design, protocol, and liability issues. Minimizing them will call for ingenuity from engineers, and it could give birth to a whole new legal framework if a citizen is allowed to claim some property right on his or her biometrics. (Europeans probably already have this, but US privacy rights are minimal when it comes to a citizen's right to claim or defend information about himself.) All this does nothing, however, to change the concrete fact that a demand for a biometric at some stage of a user-authentication process -- perhaps, as Ken Renard suggested, wholly internal to a hand-held authentication token, or even _within_ a single chip -- is almost certain to increase the assurance of that authentication. >Banks have had this problem for years over other types of access issue. > >Ideally, risks should be parcelled out as a management strategy. When >you allow them to aggregate, your risk-management picture is progressing >toward getting out of hand. That is not supportable in good risk management, >if there are no potential gains. I don't count increasing the risk exposure >on human life and limb in order to "raise the ante" and maybe create very >temporary deterrance as a gain of anything substantial. I think, Larry, you are too single-minded in looking to the risks involved in demanding or using a biometric. 
The whole point of a biometric (of _any_ authenticator) is to lessen the vulnerabilities inherent in identity-theft and illicit but privileged access to a protected site, network, or data-file. (Frankly, from the system-security point of view, threats to life and limb can often subvert an authentication mechanism, at least when only money is at stake. Attacks using armed robbery, burglary, "rubber-hose" cryptanalysis, and leaving a gunman with the bank manager's wife and kid have always been with us, and must be addressed -- but not here, and not out of context.) The issue of whether the value of the biometric, as used, is slight or temporary or useless, is a matter of design, application, and legal context. (From a citizen's point of view, it may well be wise for users or potential users to refuse to allow their own biometric to be captured or used for authentication in some systems, at least until the legal, political, and technical environment for handling these static and irreplaceable identifiers is further developed -- but those concerns are unlikely to diminish pressures to use biometrics when they clearly _do_ help control illicit access or fraud in local systems. Are we gonna see technicians refuse corporate orders to install biometric authentication systems? Possible, but unlikely.) Bob Courtney of IBM, one of the industry's first security evangelists, used to say that nothing useful can be said about a security technology outside of the context of a specific and concrete application. Infosec is always about relative security, right? Sometimes a small incremental increase in security is sufficient to have an enormous impact in the integrity of the system; or is all that the freight (value of the resources to be protected) will bear or justify. We just can't toss around qualitative terms like "temporary deterrence," or "substantial" and "insubstantial gains," and have them mean anything outside of a specific context. Keith A. 
Pachulski mentioned some of the physical access controls that are being widely installed today, using full-face, hand, voice, and fingerprint biometrics. This year, tens of millions of people will be registered in biometric authentication systems -- most in anti-fraud public benefits programs, in apps where a scanner verifies that someone holding a card or permit is the person the card or permit says it belongs to (and that this particular person is in this program's database but once!) Proponents hope that these systems will, almost immediately, save billions in benefit fraud. (They may be right.) Immigration and border crossing stations in several nations will also likely see widespread use of these technologies in the immediate future. In IT apps soon to hit the market, fingerprints will be used to release a bootlock or decrypt the disk of a laptop. The cost of a quality biometric reader has dropped below $100 -- and with the new single-chip fingerprint readers, Moore's Law will rapidly drive the price down further -- so such an investment looks very reasonable, with one out of 13 corporate laptops reported lost or stolen. A brave new world, maybe -- but the world of biometrics is one we are going to have to deal with reason and principle, not emotion. 
Suerte, _Vin ----- Vin McLellan + The Privacy Guild + 53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548 -- <@><@> -- From firewalls-owner Mon Apr 6 04:54:02 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id EAA27525; Mon, 6 Apr 1998 04:48:23 -0700 (PDT) Received: from malraux.matranet.com (malraux.matranet.com [194.117.213.2]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id EAA27510 for ; Mon, 6 Apr 1998 04:48:15 -0700 (PDT) Received: by malraux.matranet.com; id NAA22536; Mon, 6 Apr 1998 13:34:46 +0200 (CEST) Received: from matranet.com ([192.0.2.22]) by victor.imatranet.com (post.office MTA v2.0 0813 ID# 0-18250U90) with ESMTP id AAA64; Mon, 6 Apr 1998 13:50:10 +0200 Message-ID: <3528C0F9.1E12E52F@matranet.com> Date: Mon, 06 Apr 1998 13:48:09 +0200 From: fauquet@matranet.com (Xavier Fauquet) X-Mailer: Mozilla 4.04 [en] (Win95; I) MIME-Version: 1.0 To: Roman Ramirez CC: FW Subject: Re: Help about ICMP References: <351F6625.B72FCDCE@encomix.es> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, Basically, I would block all ICMP redirects on the firewall and source routing. If you do not want people to ping your firewall, you should also block the ping on the router itself. It is not always a good idea since you could have a DMZ with a Web Server. People like to ping machines... Max Roman Ramirez wrote: > > Hi: > > I have some questions about filtering ICMP in a firewall... > > Please, anyone can tell me what kind of icmp packets should be blocked > by the firewall? > > What options and what packets should be rejected? > > What filtering rules must be applied by the firewall and what by the > router? 
> > Thx in advance > > -- > http://www.encomix.es/users/patowc > mailto://rramirez@encomix.es From firewalls-owner Mon Apr 6 05:26:13 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id EAA27653; Mon, 6 Apr 1998 04:50:21 -0700 (PDT) Received: from edelweb.fr (edelweb.fr [193.51.12.16]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id EAA27614 for ; Mon, 6 Apr 1998 04:50:05 -0700 (PDT) Received: from ben.edelweb.fr (ben.edelweb.fr [193.51.12.62]) by edelweb.fr with ESMTP id NAA20920; Mon, 6 Apr 1998 13:55:05 +0200 (MET DST) Received: (from ben@localhost) by ben.edelweb.fr (8.8.5/8.6.6) id NAA17811; Mon, 6 Apr 1998 13:57:09 +0200 (MET DST) Date: Mon, 6 Apr 1998 13:57:07 +0200 (MET DST) From: Ben To: Roman Ramirez cc: FW Subject: Re: The return of the ICMP :) In-Reply-To: <35233361.664CA16F@encomix.es> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > iii) ICMP types usually permitted are: [...] > 4 SOURCE-QUENCH -> What's that? :) [...] Source Quench is when a router sends a message to the upstream host to tell that host that it is sending packets too quickly and needs to slow down. Ben. 
____ Ben Samman.................................................ben@edelweb.fr Paris, France Illudium Q36 Explosive Space Modulator From firewalls-owner Mon Apr 6 06:05:58 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA29582; Mon, 6 Apr 1998 05:04:43 -0700 (PDT) Received: from mailgw3.lmco.com (mailgw3.lmco.com [192.35.35.23]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id FAA29521 for ; Mon, 6 Apr 1998 05:04:29 -0700 (PDT) Received: from emss04g01.ems.lmco.com ([166.17.13.122]) by mailgw3.lmco.com (8.8.8/8.8.8) with ESMTP id IAA08415; Mon, 6 Apr 1998 08:09:31 -0400 (EDT) Received: from knight.vf.lmco.com ([166.17.3.50]) by lmco.com (PMDF V5.1-10 #20546) with ESMTP id <0EQZ00AWJR3VIF@lmco.com>; Mon, 6 Apr 1998 08:09:31 -0400 (EDT) Received: from data.camelot (data.vf.lmco.com [166.17.3.39]) by knight.vf.lmco.com (8.8.8/8.7.3) with SMTP id IAA18880; Mon, 06 Apr 1998 08:03:29 -0400 (EDT) Received: from data by data.camelot (SMI-8.6/SMI-SVR4) id IAA01498; Mon, 06 Apr 1998 08:09:24 -0400 Date: Mon, 06 Apr 1998 08:09:24 -0400 (EDT) From: Christopher Zarcone Subject: Re: socks versus fw-1 stateful inspection vulnerabilities To: ryanr@sybase.com Cc: firewalls@greatcircle.com Reply-to: Christopher Zarcone Message-id: <199804061209.IAA01498@data.camelot> MIME-version: 1.0 X-Mailer: dtmail 1.2.0 CDE Version 1.2 SunOS 5.6 sun4m sparc Content-type: TEXT/plain; charset=us-ascii Content-MD5: CkjcorbwPvMrA8MSvP8C1g== Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Ryan, I suppose I should clarify what I said: Historically I have come to understand "packet filtering" as screening based on IP-level and transport level information. With such limited information, you can't determine with certainty the application-level service; you can only make a best guess. Of course, if you have a more advanced packet filter, you could arbitrarily examine any or all bits in the entire packet. 
At that point, though, you're basically performing application-level analysis, and incurring the performance penalty, so why not use a proxy? Regards, Chris ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Christopher Zarcone - Data Communications Design Analyst Lockheed Martin Enterprise Information Systems czarcone@vf.lmco.com * Chris.Zarcone@lmco.com * czarcone@acm.org ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ My opinions do not necessarily reflect those of my employer. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > >Jon, > > > >Stateful inspection engines suffer the same disadvantages as packet > filters, > >because THEY ARE packet filters. > > But they are not JUST packet filters. > > >I would say that (my) single biggest problem with packet filtering is > >application-level security (e.g. how can a packet filter differentiate a > >sendmail server from a rogue webserver running on port 25? It can't. A > proxy > >can.) > > They can, in the same manner that a proxy can. 
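Roman's question above asked which ICMP packets a firewall should drop; Xavier's reply was to block ICMP Redirect and source routing, Ben explained Source Quench, and Christopher Zarcone's point in this message is that a packet filter only sees IP-level and transport-level headers. The following is an added example, not code from any poster or product in this thread, of exactly that kind of header-level screening: it parses an IPv4 header (including options), pulls the ICMP type, and applies the policy the thread describes. The ICMP type numbers and option codes are from RFC 792 and RFC 791; the sample packets, the `build_ipv4_icmp()` helper, the function names and the 192.0.2.x/198.51.100.x addresses are constructed for the example.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# ICMP message types (RFC 792)
ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACH = 3
ICMP_SOURCE_QUENCH = 4
ICMP_REDIRECT = 5
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11
ICMP_PARAM_PROBLEM = 12

# IPv4 option types (RFC 791); LSRR and SSRR carry a source route
IPOPT_EOL = 0x00
IPOPT_NOP = 0x01
IPOPT_LSRR = 0x83
IPOPT_SSRR = 0x89

# Inbound ICMP types the thread lists as "usually permitted". Source Quench is
# kept because the thread counts it; RFC 6633 has since deprecated it.
INBOUND_ICMP_ALLOW = {ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_SOURCE_QUENCH,
                      ICMP_TIME_EXCEEDED, ICMP_PARAM_PROBLEM}


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    options: List[int] = field(default_factory=list)  # option type numbers present
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


def parse_options(opts: bytes) -> List[int]:
    """Walk the IPv4 options field and return the option types it carries."""
    types, i = [], 0
    while i < len(opts):
        t = opts[i]
        if t == IPOPT_EOL:
            break
        if t == IPOPT_NOP:          # single-byte option, no length field
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        types.append(t)
        i += length
    return types


def parse_ipv4(raw: bytes) -> Packet:
    """Parse an IPv4 header and, for protocol 1, the first ICMP header bytes."""
    if len(raw) < 20:
        raise ValueError("short IPv4 header")
    version, ihl = raw[0] >> 4, (raw[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(raw) < ihl:
        raise ValueError("bad IPv4 header")
    pkt = Packet(src=".".join(str(b) for b in raw[12:16]),
                 dst=".".join(str(b) for b in raw[16:20]),
                 proto=raw[9],
                 options=parse_options(raw[20:ihl]))
    if pkt.proto == 1:
        icmp = raw[ihl:]
        if len(icmp) < 4:
            raise ValueError("short ICMP header")
        pkt.icmp_type, pkt.icmp_code = icmp[0], icmp[1]
    return pkt


def decide(pkt: Packet, allow_ping: bool = False) -> Tuple[str, str]:
    """Return (action, reason) for an inbound packet under the thread's policy."""
    if IPOPT_LSRR in pkt.options or IPOPT_SSRR in pkt.options:
        return "DROP", "source-routed"          # regardless of protocol
    if pkt.proto != 1:
        return "PASS", "non-ICMP, left to other rules"
    if pkt.icmp_type == ICMP_REDIRECT:
        return "DROP", "icmp-redirect"
    if pkt.icmp_type == ICMP_ECHO_REQUEST:      # site decision: ping the firewall?
        return ("PASS" if allow_ping else "DROP"), "echo-request"
    if pkt.icmp_type in INBOUND_ICMP_ALLOW:
        return "PASS", "icmp type %d" % pkt.icmp_type
    return "DROP", "icmp type %d not in allow list" % pkt.icmp_type


def screen(raw: bytes, allow_ping: bool = False) -> Tuple[str, str]:
    """Parse and decide; anything that does not parse is dropped, never passed."""
    try:
        return decide(parse_ipv4(raw), allow_ping)
    except ValueError as exc:
        return "DROP", "malformed: %s" % exc


def build_ipv4_icmp(src: str, dst: str, icmp_type: int, icmp_code: int = 0,
                    options: bytes = b"") -> bytes:
    """Construct a sample IPv4+ICMP packet (checksums left zero; test data only)."""
    while len(options) % 4:                     # options are padded to 32 bits
        options += bytes([IPOPT_EOL])
    ihl = 20 + len(options)
    icmp = struct.pack("!BBHHH", icmp_type, icmp_code, 0, 0, 0)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | (ihl // 4), 0, ihl + len(icmp),
                      0, 0, 64, 1, 0,
                      bytes(int(x) for x in src.split(".")),
                      bytes(int(x) for x in dst.split(".")))
    return hdr + options + icmp


# Constructed sample option: loose source route via 10.0.0.1 (type, len, pointer, addr)
LSRR_VIA_10_0_0_1 = bytes([IPOPT_LSRR, 7, 4, 10, 0, 0, 1])

if __name__ == "__main__":
    print(screen(build_ipv4_icmp("192.0.2.1", "198.51.100.5", ICMP_REDIRECT, 1)))
    print(screen(build_ipv4_icmp("192.0.2.1", "198.51.100.5", ICMP_ECHO_REQUEST,
                                 options=LSRR_VIA_10_0_0_1)))
```

Note what this filter cannot do, which is Zarcone's point: it sees type 5 and drops it, but it has no way to tell whether an Echo Reply it passes is a legitimate ping answer or a covert channel, because that would require looking past the headers. The source-route check runs before the protocol check so that a source-routed TCP or UDP packet is dropped here rather than handed on to later rules.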
> From firewalls-owner Mon Apr 6 06:52:30 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA14470; Mon, 6 Apr 1998 06:21:00 -0700 (PDT) Received: from actionweb.com ([209.150.128.66]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id GAA14457 for ; Mon, 6 Apr 1998 06:20:51 -0700 (PDT) Received: from putergirl.com ([199.227.242.215]) by actionweb.com (8.8.5/8.8.5) with ESMTP id IAA04989 for ; Mon, 6 Apr 1998 08:27:55 -0500 Message-ID: <352901A3.632E7756@putergirl.com> Date: Mon, 06 Apr 1998 09:24:03 -0700 From: Eileen Bonfiglio Organization: PuterGirl, Inc X-Mailer: Mozilla 4.04 [en] (Win95; I) MIME-Version: 1.0 To: firewalls@GreatCircle.com Subject: web server set up Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi all I am seeking some information on setting up an NT web server and would value any and all info/advice/recommendations. Thanks Eileen From firewalls-owner Mon Apr 6 07:27:03 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA23443; Mon, 6 Apr 1998 07:12:58 -0700 (PDT) Received: from zika.zika.co.at (hp1.OOeNet.AT [193.81.245.34]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id HAA23380; Mon, 6 Apr 1998 07:12:40 -0700 (PDT) Received: from DialIN18.AS5200.ooenet.at by zika.zika.co.at with SMTP (1.38.193.4/16.2) id AA20993; Mon, 6 Apr 1998 16:25:06 +0200 Message-Id: <3528E402.11ABD40C@linznet.at> Date: Mon, 06 Apr 1998 16:17:38 +0200 From: Manfred Hahn Reply-To: hahn@linznet.at Organization: ConnecT-GmbH X-Mailer: Mozilla 4.03 [de] (Win95; I) Mime-Version: 1.0 To: Firewalls@GreatCircle.COM Cc: firewalls-digest@GreatCircle.COM Subject: ATM-Firewall Content-Type: multipart/mixed; boundary="------------376637A72A207F33E659E89A" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This is a multi-part message in MIME format. 
--------------376637A72A207F33E659E89A Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Hi there !!! have you ever heard of a system called ATLAS ??? ATM-Line-Access-And-Security. It is an ATM-Firewall filtering cells with a speed of 155 Mbit/s. It supports Classical-IP, LAN-Emulation and FORE-IP over ATM. At the end of 1998 it will also support MPOA over ATM. CISCO's 7513 is not able to filter on layer 3 (needed for MPOA) but ATLAS will. You can set more than 1000 filters without any performance degradation. In addition, if two ATLAS-Systems talk to each other across an ATM-Network you can encrypt the data as well. So, what else do you need to secure your data on an ATM-Network. If you need more information here is my phone number: ...43-732-377080 or e-mail : hahn@connect-gmbh.de hope I can help !!! Regards --------------376637A72A207F33E659E89A Content-Type: text/x-vcard; charset=us-ascii; name="vcard.vcf" Content-Transfer-Encoding: 7bit Content-Description: Business card for Manfred Hahn Content-Disposition: attachment; filename="vcard.vcf" begin: vcard fn: Manfred Hahn n: Hahn;Manfred org: ConnecT GmbH email;internet: hahn@linznet.at title: Netzwerk-Consultant x-mozilla-cpt: ;0 x-mozilla-html: FALSE version: 2.1 end: vcard --------------376637A72A207F33E659E89A-- From firewalls-owner Mon Apr 6 08:06:34 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA27165; Mon, 6 Apr 1998 07:33:40 -0700 (PDT) Received: from web02.globecomm.net (web02.nyc.globecomm.net [207.51.48.39]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id HAA27141 for ; Mon, 6 Apr 1998 07:33:33 -0700 (PDT) From: mcbryde@iname.com Received: (from root@localhost) by web02.globecomm.net (8.8.8/8.8.0) id JAA00127; Mon, 6 Apr 1998 09:53:27 -0400 (EDT) Date: Mon, 6 Apr 1998 09:53:27 -0400 (EDT) Message-Id: <199804061353.JAA00127@web02.globecomm.net> Content-Type: text/plain MIME-Version: 1.0 To: Firewalls@GreatCircle.COM 
Content-Transfer-Encoding: 7bit Subject: Opinions on firewall appliances Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I've been reading this list for a long time and have never seen firewall appliances like the Fort Knox Policy Router mentioned. For those of us with limited human and cash resources they look attractive. Anyone care to talk me in/out of one? --------------------------------------------------- Get free personalized email at http://www.iname.com From firewalls-owner Mon Apr 6 08:22:03 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA23245; Mon, 6 Apr 1998 07:11:32 -0700 (PDT) Received: from mailhost.unifiedtech.com (paulaner.unifiedtech.com [205.219.167.102]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id HAA23155 for ; Mon, 6 Apr 1998 07:11:12 -0700 (PDT) Received: from unifiedtech.com by mailhost.unifiedtech.com (SMI-8.6/SMI-SVR4) id KAA20153; Mon, 6 Apr 1998 10:14:33 -0400 Message-ID: <3528E32D.A3E4BDBA@unifiedtech.com> Date: Mon, 06 Apr 1998 10:14:05 -0400 From: Mike Jones Organization: Unified Technologies X-Mailer: Mozilla 4.04 [en] (Win95; I) MIME-Version: 1.0 To: Christopher Zarcone CC: ryanr@sybase.com, firewalls@greatcircle.com Subject: Re: socks versus fw-1 stateful inspection vulnerabilities References: <199804061209.IAA01498@data.camelot> Content-Type: multipart/mixed; boundary="------------62450AD3CF52D5F366EA1935" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This is a multi-part message in MIME format. --------------62450AD3CF52D5F366EA1935 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Christopher Zarcone wrote: > I suppose I should clarify what I said: > Historically I have come to understand "packet filtering" as screening based on > IP-level and transport level information. With such limited information, you > can't determine with certainty the application-level service; you can only make > a best guess. True enough. 
> > > Of course, if you have a more advanced packet filter, you could arbitrarily > examine any or all bits in the entire packet. At that point, though, you're > basically performing application-level analysis, and incurring the performance > penalty, so why not use a proxy? You're not necessarily incurring the performance penalty, though. If you're doing this in the kernel, you're not incurring the overhead of (at least) two context switches per UDP datagram or TCP message. Generally, I'm not an advocate of putting stuff like this in the kernel, but on a special purpose box I'm willing to make an exception. --------------62450AD3CF52D5F366EA1935 Content-Type: text/x-vcard; charset=us-ascii; name="vcard.vcf" Content-Transfer-Encoding: 7bit Content-Description: Card for Mike Jones Content-Disposition: attachment; filename="vcard.vcf" begin: vcard fn: Mike Jones n: Jones;Mike org: Unified Technologies email;internet: mike.jones@unifiedtech.com title: Senior Technology Advisor x-mozilla-cpt: ;0 x-mozilla-html: TRUE version: 2.1 end: vcard --------------62450AD3CF52D5F366EA1935-- From firewalls-owner Mon Apr 6 10:29:51 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA19977; Mon, 6 Apr 1998 09:32:33 -0700 (PDT) Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id IAA08219 for ; Mon, 6 Apr 1998 08:33:14 -0700 (PDT) Received: from zeke.gov.yk.ca ([199.247.128.34]) by miles.greatcircle.com (8.8.5/8.8.5) with ESMTP id IAA10684 for ; Mon, 6 Apr 1998 08:36:33 -0700 (PDT) Received: by zeke.gov.yk.ca; id IAA20493; Mon, 6 Apr 1998 08:37:53 -0700 (PDT) Received: from unknown(199.247.130.34) by zeke.gov.yk.ca via smap (4.1) id xma020345; Mon, 6 Apr 98 08:36:54 -0700 Received: from 185580 ([199.247.134.102]) by raptor.gov.yk.ca with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.1960.3) id 2D3MXYS2; Mon, 6 Apr 1998 08:36:54 -0700 
Message-Id: <1.5.4.32.19980406153655.008ec940@mailhost.gov.yk.ca> X-Sender: ynet\kwiat\larry.kwiat@mailhost.gov.yk.ca X-Mailer: Windows Eudora Light Version 1.5.4 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Mon, 06 Apr 1998 08:36:55 -0700 To: "Ryan Russell" , "Stout, William" From: Larry Kwiat Subject: Re: Unwanted data appears inside firewalled network Cc: "'Firewalls@GreatCircle.COM'" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 04:05 PM 4/3/98 -0800, Ryan Russell wrote: >No, layer 8 is economics, and layer 9 is politics. Since >OSI layers rely on the lower layers, it's not possible to >build an intelligence layer on top of that. > > Ryan ------------------------------------ >We're mentally confined to this completely artificial layer model. >Crackers aren't. We could build an AI system on the perimeter wall to >add intelligence on the firewall. Or we could build a network-wide >management system (tied into firewalls, virus scanners, & IDS probes) to >create a 'ceiling' across the perimeter walls. > >Bill Stout ...right. But I think they really are the first two layers, upon which all else depends. Solid decision making. You've got to come in "under the wire" with these two, before anything of little unforeseen consequence is possible. Ask any engineer. I agree we all too often ignore them. 
Sincerely, Larry Kwiat Security Coordinator Government of Yukon Larry.Kwiat@gov.yk.ca Phone: (867) 667-8081 From firewalls-owner Mon Apr 6 10:51:52 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA28564; Mon, 6 Apr 1998 10:48:20 -0700 (PDT) Received: from pse02.pios.com ([199.33.129.3]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id KAA28544 for ; Mon, 6 Apr 1998 10:48:10 -0700 (PDT) Received: by pse02.pios.com; (5.65v3.2/1.3/10May95) id AA06215; Mon, 6 Apr 1998 13:53:09 -0400 Date: Mon, 06 Apr 1998 13:53:04 -0400 From: "Stout, William" Subject: Firewall Layers (was RE: Unwanted data appears inside firewalled network) To: "'Ryan Russell'" Cc: "'Firewalls@GreatCircle.COM'" Message-Id: Mime-Version: 1.0 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > ----- Original Message ----- > From: Ryan Russell [SMTP:ryanr@sybase.com] > Sent: Friday, April 03, 1998, 17:05:53 > To: Stout, William > Cc: 'Firewalls@GreatCircle.COM' > Subject: Re: Unwanted data appears inside firewalled network > > No, layer 8 is economics, and layer 9 is politics. Since > OSI layers rely on the lower layers, it's not possible to > build an intelligence layer on top of that. ROTFL - ;D - I knew someone was gonna say that. But you forgot to mention religion. That also adds a 'blind faith' element which often affects the intelligence layer. The thought I poorly expressed, is that we're mentally boxed in by this stupid 7-layer limit. Layer 7 is a catch-all for everything between the 'presentation' and 'user' layers. But the user still has to use the app based on real layers of knowledge, intellect, time, politics, money and other things. 
First there were (software) routers which had a list of static or learned routes, then gateways with the previous plus a user/password list, then application proxies with the previous plus a list of rules. Next there is a layer of knowledge or management required to run or 'train' that application which is missing. I'm thinking something along the lines of a virus scanner/IDS/e-mail surveillance app, which oversees other application proxies and data based on higher-level rules. This could use 'fuzzy searches' of a rule 'knowledge base' to look for and identify characteristics/sources of SPAM messages, viruses, sensitive files leaving the network, etc. In a firewall this would equate to an advanced rule management system (hmmm, user training is merely memorizing a set of rules). The next statement may be then correct: The next step in firewalls is an advanced rule system. Maybe I should say 'knowledge app' instead of 'AI'. I meant 'Intelligence' as in 'Military Intelligence', not real intellect. 'Consciousness' can be higher yet, I've tracked errors to malfunctions at that layer and the 'Intellect' layer. - :) Bill Stout ________________________________________________________________________ ________ Buy Gold & Silver Even if Y2K (stock market) crashes don't come, everyone else protecting their assets will raise the price. 
(Be safe - don't travel on Y2K) From firewalls-owner Mon Apr 6 11:20:45 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA29551; Mon, 6 Apr 1998 10:56:18 -0700 (PDT) Received: from www.ctrl-alt-del.com (ctrl-alt-del.com [206.163.47.249]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id KAA29517 for ; Mon, 6 Apr 1998 10:56:07 -0700 (PDT) Received: from localhost (alan@localhost) by www.ctrl-alt-del.com (8.9.0.Beta5/8.8.5) with SMTP id LAA01899; Mon, 6 Apr 1998 11:07:36 GMT Date: Mon, 6 Apr 1998 11:07:36 +0000 (/etc/localtime) From: Alan To: Eileen Bonfiglio cc: firewalls@GreatCircle.COM Subject: Re: web server set up In-Reply-To: <352901A3.632E7756@putergirl.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Mon, 6 Apr 1998, Eileen Bonfiglio wrote: > I am seeking some information on setting up an NT web server and would > value any and all info/advice/recommendations. Check out Apache. The latest betas work great on NT. alan@ctrl-alt-del.com | Note to AOL users: for a quick shortcut to reply Alan Olsen | to my mail, just hit the ctrl, alt and del keys. 
From firewalls-owner Mon Apr 6 11:21:26 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA00594; Mon, 6 Apr 1998 11:02:35 -0700 (PDT) Received: from mailer.syr.edu (mailer.syr.edu [128.230.20.20]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id LAA00583 for ; Mon, 6 Apr 1998 11:02:29 -0700 (PDT) Received: from rodan.syr.edu by mailer.syr.edu (LSMTP for Windows NT v1.1a) with SMTP id <0.5C51D560@mailer.syr.edu>; Mon, 6 Apr 1998 14:07:40 -0400 Received: from localhost (rgrimsha@localhost) by rodan.syr.edu (8.8.7/8.8.7) with SMTP id OAA18082; Mon, 6 Apr 1998 14:07:35 -0400 (EDT) X-Authentication-Warning: rodan.syr.edu: rgrimsha owned process doing -bs Date: Mon, 6 Apr 1998 14:07:35 -0400 (EDT) From: Randy Grimshaw X-Sender: rgrimsha@rodan.syr.edu To: Vin McLellan cc: firewalls@GreatCircle.COM Subject: Re: SecurID & a Biometric & a PIN In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk The thought it provokes for me is to hurry up and patent all of the technology our government agencies have been using for years... but being a government agency, places these things in the public domain (after de-classification) and never informs the patent office. This one should tie up the courts for a while. <> Cryptography Mailing List. _Vin> > > Method and apparatus for securely handling a personal identification > number or cryptographic key using biometric techniques > (assignee -- mytec technologies inc.) 
> > Patent Number: 5712912 > > Issue Date: 1998 01 27 > > Inventor(s): Tomko, George J.; Stoianov, Alexei From firewalls-owner Mon Apr 6 12:21:33 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA12202; Mon, 6 Apr 1998 12:17:48 -0700 (PDT) Received: from mail.eclipse.net (mail.eclipse.net [207.207.192.13]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id MAA12163 for ; Mon, 6 Apr 1998 12:17:37 -0700 (PDT) Received: from uart (or1-7.eclipse.net [207.207.200.7]) by mail.eclipse.net (8.8.6/8.8.6) with SMTP id PAA25429; Mon, 6 Apr 1998 15:22:32 -0400 (EDT) Date: Mon, 6 Apr 1998 15:22:02 -0400 (EDT) From: quiksilver X-Sender: quik@uart To: JonnyBoy85 cc: firewalls@greatcircle.com Subject: Re: Hi In-Reply-To: <5fa01b9b.3522baf1@aol.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk actually, T2 lines were invented and used for a short period of time. Today, no one uses them and they are virtually extinct. On Wed, 1 Apr 1998, JonnyBoy85 wrote: > Hi all, > thanks for the help and advice from my last post.. > > Maybe you can help me with another query. Can anybody explain about T1,T2, > and T3 lines, they're like ISDN I think. I have tried everywhere to find out > about them, and was starting to think that there was no such thing as a T3, > but I found out again today that there is. > > Thanks again everybody.. 
> > Jonathan > > > > From firewalls-owner Mon Apr 6 12:40:04 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA05767; Mon, 6 Apr 1998 11:40:13 -0700 (PDT) Received: from ds5200.sistecol.com (ds5200.sistecol.com [200.9.31.1]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id LAA05646 for ; Mon, 6 Apr 1998 11:39:16 -0700 (PDT) Received: from texmail.sistecol.com (texmail.sistecol.com [200.9.22.7]) by ds5200.sistecol.com (8.8.8/8.8.8) with ESMTP id NAA18479 for ; Mon, 6 Apr 1998 13:56:50 -0500 Received: by TEXMAIL with Internet Mail Service (5.5.1960.3) id ; Mon, 6 Apr 1998 13:39:31 -0500 Message-ID: <21CD48C59A6AD1119A1F00805F297AFA1EA29B@TEXMAIL> From: Ezequiel Bautista To: Firewalls@GreatCircle.COM Subject: RE: Firewalls-Digest V7 #140 Date: Mon, 6 Apr 1998 13:39:23 -0500 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, I am interested in "Maximum Security: A Hacker's Guide to Protecting Your Internet Site and Network", Company Name: Texins s.a. Contact Person: Ezequiel Bautista León Street Address: Cra. 20 # 88 - 20 City: Bogota State:Cundinamarca Zip or Postal Route: 90 1 Country: Colombia (South America) Telephone: + 57 1 218 53 00 Email: bautez@texins.sistecol.com URL: www.sistecol.com/@texins Services: Security Design Security Implementation Network Management Thanks, Ezequiel Bautista L. 
Systems Engineer From firewalls-owner Mon Apr 6 12:42:20 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA29362; Mon, 6 Apr 1998 10:55:11 -0700 (PDT) Received: from cs.weber.edu ([137.190.16.18]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id KAA29339 for ; Mon, 6 Apr 1998 10:54:59 -0700 (PDT) Received: from icarus.weber.edu by cs.weber.edu (4.1/SMI-4.1.1) id AA01048; Mon, 6 Apr 98 11:55:55 MDT Received: by icarus.weber.edu (SMI-8.6/SMI-SVR4) id MAA05017; Mon, 6 Apr 1998 12:06:14 -0600 Date: Mon, 6 Apr 1998 12:06:13 -0600 (MDT) From: Henry Hertz Hobbit X-Sender: hhhobbit@icarus To: Anonymous Cc: firewalls@greatcircle.com Subject: re: Hackers Suck In-Reply-To: <199803281915.UAA17135@basement.replay.com> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Sat, 28 Mar 1998, Anonymous wrote: > Received: from . (pm3-10-133.ama.arn.net [204.254.144.133]) > by arnet.arn.net (8.8.7/8.8.7) with SMTP id XAA10910 > From: Nobody > Message-Id: <199803280527.XAA10910@arnet.arn.net> > organization: Arnet Inc. > subject: Hackers Suck > Sender: firewalls-owner@GreatCircle.COM > Precedence: bulk > To: undisclosed-recipients:; > X-UID: 372 > > > Hackers Suck. All they do is cause grief to innocent bystanders. > > is that an attempt at humor? kindly explain what hackers have to do > with bystanders and in what way they have, as you state, caused them 'grief'. > i would be very interested to know. Actually hackers are better people by far than the people trying to catch them. I am referring to the FBI. I forwarded a script in a previous email message that referred to them as the 'Filthy Beelzebub Infidels'. Perhaps I should explain myself. If you all would go to the largest library near you that has the *Journal* *of* *Parapsychology*, you might find that they have been doing hypnotic-induction programming involving *SATANIC* key words. 
Thus my statement that they are the 'Filthy Beelzebub Infidels'. Can we bust them free of it? HELL NO! Why not? Because [a] the insane Psychiatrists and Psychologists won't do it to themselves, and [b] they won't allow other Psychologists and Psychiatrists outside their organization to do a peer review of what they are doing. I wonder why? What do hackers do? =================== 1. Waste a lot of time doing something that doesn't help anyone, including themselves. Unfortunately, they are too dumb to see this. 2. Cause a hell of a lot of grief to harried System Administrators that are frequently under-trained or not trained at all and are so busy keeping the systems going that they don't even have time to see that they have the latest patches, etc. In fact, they probably feel good the systems are running at all (thinking of the SCSI problem that plagues this site that wasn't there with an earlier version of the OS). 3. Destroy themselves. I know they don't see it this way, but if they look at what they are doing long and hard and then fast forward when they are in their 70s, 80s, or 90s and facing death square in the face I ask them to do one thing. Can you honestly say that you helped people by hacking into systems? So the people you hacked into made their systems a little more secure. That is like saying all rapists are improving society by making people take even more stringent measures to protect themselves. Do you actually consider this beneficial to others or yourselves? 4. You are proving the FBI's and other organizations claims that all people are bad (certifiably untrue) and giving them all the ammunition they need to ask for connection points on all major trunk lines and at all ISPs, and demanding total control of encryption. They are asking for it you know. Does that mean they will snoop in on everyone? NO! They don't even have the time to pursue more than 10% of computer break-ins (but over a year to develop the Satanic crap they are pursuing). 
Good ole J Gordon Liddy is now having his case that they should not be given these powers because of Ruby Ridge - Idaho, Waco - Texas, and Richard Jewell being shot down completely by you dumb jackass people hacking into systems. Hackers are you really helping? Do you care about what your activities are doing to totally destroy what the Electronic Frontier Foundation (EFF) does? No, I don't go to Porno sites; my only interest is to make sure there aren't significant government intrusions into this new medium that will severely limit the free flow of information that is beneficial to this society. I guess what I am saying is, before we all do our knee jerk reactions to what hackers are doing, *ALL* of us (that ESPECIALLY includes me) need to think about society as a whole. Societies that succeed depend on people doing to others as they would have others do to them. Am I a hacker? No. I can also honestly say that I have never hacked into a system in my life, and for the life of me cannot understand why somebody thinks it is helping somebody. No matter how many security holes that are plugged, more will continue to be exposed. In fact, I have finally concluded that the security holes are endless. Systems are too complex any more to find all of them. So, Mr. Hacker, think long and hard about what you are doing. Are you promoting some insane Psychiatrists/Psychologists at the FBI into destroying hundreds if not thousands of lives with their damn Satanic programming? The most amazing thing about this to me is that almost none of the Psychologists (I have a degree in that area as well as in Math and Computer Science) know they are doing it. I can well imagine why the Psych staff at the FBI want to keep it hidden. 
If they had what they were doing come up for peer review, it would not only be shot down - the Psychologists & Psychiatrists at the FBI would be locked up in a rubber room where they could not only stop destroying others, but they would not harm themselves as well. They are certifiably insane.

So, I have only ONE last question to ask the hackers. If you can honestly say that you are showing your LOVE for others by hacking in, then continue hacking in. If you can't answer this question in the affirmative, go do something useful with your lives that helps others.

My 0.02 worth

Henry Hertz Hobbit

PS And I *STILL* claim that most of the people I meet are good people that don't want to harm others - they want to help them. My experience has proved that.

From firewalls-owner Mon Apr 6 13:00:47 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA09321; Mon, 6 Apr 1998 12:00:45 -0700 (PDT)
Received: from pse02.pios.com ([199.33.129.3]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id MAA09302 for ; Mon, 6 Apr 1998 12:00:37 -0700 (PDT)
Received: by pse02.pios.com; (5.65v3.2/1.3/10May95) id AA07818; Mon, 6 Apr 1998 15:05:39 -0400
Date: Mon, 06 Apr 1998 15:05:35 -0400
From: "Stout, William"
Subject: RE: socks versus fw-1 stateful inspection vulnerabilities
To: "'Ryan Russell'"
Cc: "'firewalls@GreatCircle.COM'"
Message-Id:
Mime-Version: 1.0
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

State vs. proxy is a religious issue for some, but then again, some swear by MS-Proxy as a firewall. I've seen the problem first hand, and the Checkpoint-1 report from the NSA points this out also.

The NSA pointed out state-based specific vulnerabilities (which their report admits they did not fully test):

  Exploitation of an allowed service
  Insider threat - opening up ports to the outside
  Exploitation of ports opened by a legitimate user
  Subversion of the stateful packet filtering mechanism

The test "Test 6: Overflow of internal tables" describes the overflow, results, and DOS attack. The problem should be fixed by now. Staunch defenders of the packet filter faith deny it ever happened. See http://mitten.ie.org/fw1/fw1.htm#statefulpacket

Bill Stout

> ----- Original Message -----
> From: Ryan Russell [SMTP:ryanr@sybase.com]
> Sent: Sunday, April 05, 1998, 17:09:36
> To: Stout, William
> Cc: firewalls@GreatCircle.COM
> Subject: Re: socks versus fw-1 stateful inspection vulnerabilities
>
> My claim is that some folks, perhaps with vested
> interests in seeing leading SPF vendors lose market,
> have been trying to make people think that state tables
> are prone to corruption without providing any examples.
>
> If you've got details on the problem you've mentioned, I'd
> love to hear them.
>
> Ryan
>
> Stepken on 04/05/98 01:29:57 PM
>
> To: Ryan Russell/SYBASE
> cc: Christopher Zarcone , firewalls@GreatCircle.COM
> Subject: Re: socks versus fw-1 stateful inspection vulnerabilities
>
> Ryan Russell wrote:
> >
> > >I can't speak from experience, but I've also read stories of state tables
> > >becoming corrupt, usually with interesting consequences.
> >
> > No, you haven't. What you've heard is AG vendors claim that this could happen.
> > The same vendors fail to point out that they suffer from the same issue if the
> > very similar TCP connection tables built into the OS that they rely on
> > become corrupt. If your hardware flakes out, all bets are off on the security
> > software.
>
> I did some very stressing tests on firewalls with SPF and dynamic rules.
> I was able to cause some memory overflow, which can be exploited as
> buffer overflow, depending on the memory model of the OS.
> Very often they use some well-known hash functions (e.g. GNU), which also
> have collisions. Such attacks are very special ones, but they can be
> done.
>
> regards, Guido Stepken
>
> ----- End Of Original Message -----

From firewalls-owner Mon Apr 6 16:14:10 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA20646; Mon, 6 Apr 1998 15:36:05 -0700 (PDT)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id OAA03759 for ; Mon, 6 Apr 1998 14:05:56 -0700 (PDT)
Received: from inergen.sybase.com (inergen.sybase.com [192.138.151.43]) by miles.greatcircle.com (8.8.5/8.8.5) with ESMTP id OAA14271 for ; Mon, 6 Apr 1998 14:09:23 -0700 (PDT)
Received: from smtp1.sybase.com (sybgate.sybase.com [130.214.220.35]) by inergen.sybase.com (8.8.4/8.8.4) with SMTP id OAA02425; Mon, 6 Apr 1998 14:12:26 -0700 (PDT)
Received: from by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) id AB16129; Mon, 6 Apr 98 14:10:42 PDT
Received: by gwwest.sybase.com(Lotus SMTP MTA v4.6.1 (569.2 2-6-1998)) id 882565DE.007453D8 ; Mon, 6 Apr 1998 14:10:36 -0700
X-Lotus-Fromdomain: SYBASENOTES
From: "Ryan Russell"
To: Christopher Zarcone
Cc: firewalls@greatcircle.com
Message-Id: <882565DE.0073F39D.00@gwwest.sybase.com>
Date: Mon, 6 Apr 1998 14:10:18 -0700
Subject: Re: socks versus fw-1 stateful inspection vulnerabilities
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

There are a number of reasons... flexibility, speed (I believe that SPFs would be slightly faster than AGs when doing as much work, I might be wrong,) and the fact that SPFs can do more. I'll update my rant soon, and qualify that last point.

But, now you've agreed with the short point I was trying to make (that SPFs can do the same thing as AGs if programmed to do so) and I've started into the "Why I think SPFs are cool" discussion, so I'll drop it.

Ryan

Christopher Zarcone on 04/06/98 05:09:24 AM

Please respond to Christopher Zarcone

To: Ryan Russell/SYBASE
cc: firewalls@greatcircle.com
Subject: Re: socks versus fw-1 stateful inspection vulnerabilities

Ryan,

I suppose I should clarify what I said: Historically I have come to understand "packet filtering" as screening based on IP-level and transport-level information. With such limited information, you can't determine with certainty the application-level service; you can only make a best guess.

Of course, if you have a more advanced packet filter, you could arbitrarily examine any or all bits in the entire packet. At that point, though, you're basically performing application-level analysis, and incurring the performance penalty, so why not use a proxy?

Regards,
Chris

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Christopher Zarcone - Data Communications Design Analyst
Lockheed Martin Enterprise Information Systems
czarcone@vf.lmco.com * Chris.Zarcone@lmco.com * czarcone@acm.org
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
My opinions do not necessarily reflect those of my employer.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

> >Jon,
> >
> >Stateful inspection engines suffer the same disadvantages as packet filters,
> >because THEY ARE packet filters.
>
> But they are not JUST packet filters.
>
> >I would say that (my) single biggest problem with packet filtering is
> >application-level security (e.g. how can a packet filter differentiate a
> >sendmail server from a rogue webserver running on port 25? It can't. A proxy
> >can.)
>
> They can, in the same manner that a proxy can.
Received: from tunnel.sybase.com ([130.214.231.88]) by ibwest.sybase.com (Lotus SMTP MTA v4.6.1 (569.2 2-6-1998)) with SMTP id 882565DE.0042E411; Mon, 6 Apr 1998 05:10:37 -0700
Received: from smtp1.sybase.com (smtp1 [130.214.220.35]) by tunnel.sybase.com (8.8.4/8.8.4) with SMTP id FAA26138 for ; Mon, 6 Apr 1998 05:09:41 -0700 (PDT)
Received: from inergen.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) id AA02951; Mon, 6 Apr 98 05:09:40 PDT
Received: from mailgw3.lmco.com (mailgw3.lmco.com [192.35.35.23]) by inergen.sybase.com (8.8.4/8.8.4) with ESMTP id FAA22416 for ; Mon, 6 Apr 1998 05:11:23 -0700 (PDT)
Received: from emss04g01.ems.lmco.com ([166.17.13.122]) by mailgw3.lmco.com (8.8.8/8.8.8) with ESMTP id IAA08415; Mon, 6 Apr 1998 08:09:31 -0400 (EDT)
Received: from knight.vf.lmco.com ([166.17.3.50]) by lmco.com (PMDF V5.1-10 #20546) with ESMTP id <0EQZ00AWJR3VIF@lmco.com>; Mon, 6 Apr 1998 08:09:31 -0400 (EDT)
Received: from data.camelot (data.vf.lmco.com [166.17.3.39]) by knight.vf.lmco.com (8.8.8/8.7.3) with SMTP id IAA18880; Mon, 06 Apr 1998 08:03:29 -0400 (EDT)
Received: from data by data.camelot (SMI-8.6/SMI-SVR4) id IAA01498; Mon, 06 Apr 1998 08:09:24 -0400
Date: Mon, 06 Apr 1998 08:09:24 -0400 (EDT)
From: Christopher Zarcone
Subject: Re: socks versus fw-1 stateful inspection vulnerabilities
To: ryanr@sybase.com
Cc: firewalls@greatcircle.com
Reply-To: Christopher Zarcone
Message-Id: <199804061209.IAA01498@data.camelot>
Mime-Version: 1.0
X-Mailer: dtmail 1.2.0 CDE Version 1.2 SunOS 5.6 sun4m sparc
Content-Type: TEXT/plain; charset=us-ascii
Content-Md5: CkjcorbwPvMrA8MSvP8C1g==

From firewalls-owner Mon Apr 6 17:02:45 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA02195; Mon, 6 Apr 1998 13:57:22 -0700 (PDT)
Received: from inergen.sybase.com (inergen.sybase.com [192.138.151.43]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id NAA02082 for ; Mon, 6 Apr 1998 13:56:55 -0700 (PDT)
Received: from smtp1.sybase.com (sybgate.sybase.com [130.214.220.35]) by inergen.sybase.com (8.8.4/8.8.4) with SMTP id OAA01665; Mon, 6 Apr 1998 14:03:42 -0700 (PDT)
Received: from by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) id AB14883; Mon, 6 Apr 98 14:01:58 PDT
Received: by gwwest.sybase.com(Lotus SMTP MTA v4.6.1 (569.2 2-6-1998)) id 882565DE.007384E8 ; Mon, 6 Apr 1998 14:01:46 -0700
X-Lotus-Fromdomain: SYBASENOTES
From: "Ryan Russell"
To: "Stout, William"
Cc: "'firewalls@GreatCircle.COM'"
Message-Id: <882565DE.0072A8FC.00@gwwest.sybase.com>
Date: Mon, 6 Apr 1998 14:01:29 -0700
Subject: RE: socks versus fw-1 stateful inspection vulnerabilities
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>State vs. proxy is a religious issue for some, but then again, some
>swear by MS-Proxy as a firewall.

Indeed, I've participated in such discussions.

>I've seen the problem first hand, and the Checkpoint-1 report from the
>NSA points this out also.

You must be referring to the table filling up, and the firewall dropping connections. I've confirmed this on this list as well. I don't consider this to be a corruption of the table, as it behaves exactly as expected, and disallows new connections and doesn't crash. The one bad thing I will say is that it starts burning CPU time under those conditions, and I don't know why that should be. Perhaps it has to do with the algorithm it uses to clear old entries? Set the fwhmem parameter low, and run IS from ISS through it if you want to see it in action.

>The NSA pointed out state-based specific vulnerabilities (which their
>report admits they did not fully test):
>  Exploitation of an allowed service
>  Insider threat - opening up ports to the outside
>  Exploitation of ports opened by a legitimate user
>  Subversion of the stateful packet filtering mechanism

In fact, the article states quite clearly that these are not SPF specific, except for the last one.

>The test "Test 6: Overflow of internal tables" describes the overflow,
>results, and DOS attack. The problem should be fixed by now. Staunch
>defenders of the packet filter faith deny it ever happened. See
>http://mitten.ie.org/fw1/fw1.htm#statefulpacket

I don't deny it happened, and I think I qualify as a staunch SPF defender. As mentioned before, I can confirm those results. I've also seen my old AG go choke regularly, mostly due to slow hardware and an older OS (SunOS on Sparc 5.) The TCP SYN attack is a similar example. If your table fills up, and denies new requests, and doesn't overflow onto the stack or some such, that's really OK, and as it should be.
Ryan

>Bill Stout

Received: from tunnel.sybase.com ([130.214.231.88]) by ibwest.sybase.com (Lotus SMTP MTA v4.6.1 (569.2 2-6-1998)) with SMTP id 882565DE.0068FDBD; Mon, 6 Apr 1998 12:06:47 -0700
Received: from smtp1.sybase.com (smtp1 [130.214.220.35]) by tunnel.sybase.com (8.8.4/8.8.4) with SMTP id MAA01172 for ; Mon, 6 Apr 1998 12:05:50 -0700 (PDT)
Received: from inergen.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) id AA28776; Mon, 6 Apr 98 12:05:49 PDT
Received: from pse02.pios.com ([199.33.129.3]) by inergen.sybase.com (8.8.4/8.8.4) with SMTP id MAA11843 for ; Mon, 6 Apr 1998 12:07:32 -0700 (PDT)
Received: by pse02.pios.com; (5.65v3.2/1.3/10May95) id AA07796; Mon, 6 Apr 1998 15:05:39 -0400
Date: Mon, 06 Apr 1998 15:05:35 -0400
From: "Stout, William"
Subject: RE: socks versus fw-1 stateful inspection vulnerabilities
To: "'Ryan Russell'"
Cc: "'firewalls@GreatCircle.COM'"
Message-Id:
Mime-Version: 1.0
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

From firewalls-owner Mon Apr 6 17:29:40 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id QAA04639; Mon, 6 Apr 1998 16:22:10 -0700 (PDT)
Received: from guten.sddpc.org (guten.sddpc.org [156.29.3.236]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id QAA04473 for ; Mon, 6 Apr 1998 16:21:33 -0700 (PDT)
Received: from fiji ([156.29.5.200]) by guten.sddpc.org (Netscape Mail Server v2.02) with SMTP id AAA26391; Mon, 6 Apr 1998 16:26:37 -0700
Message-Id: <3.0.3.32.19980406162938.0098ae50@guten.sannet.gov>
X-Sender: rwk@guten.sannet.gov
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Mon, 06 Apr 1998 16:29:38 -0700
To: firewalls@GreatCircle.Com
From: rkizer@sddpc.org (Kizer, Randall)
Subject: Novell Question
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Maybe there's someone who can help me with this problem, since I'm not that familiar with Novell.

We've recently experienced some problems with "someone" getting into some of our Novell servers with Admin authority, and deleting system files. Novell doesn't have any usable auditing tools, so we've been forced out into the marketplace to try and find something usable.

Does anyone have any recommendations? Any and all suggestions will be most welcome.

From firewalls-owner Mon Apr 6 17:54:05 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA20466; Mon, 6 Apr 1998 15:33:53 -0700 (PDT)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id PAA16025 for ; Mon, 6 Apr 1998 15:00:19 -0700 (PDT)
Received: from avalon.netcom.net.uk (avalon.netcom.net.uk [194.42.225.7]) by miles.greatcircle.com (8.8.5/8.8.5) with ESMTP id OAA15081 for ; Mon, 6 Apr 1998 14:32:46 -0700 (PDT)
Received: from netcomuk.co.uk (dialup-14-38.netcomuk.co.uk [194.42.231.166]) by avalon.netcom.net.uk (8.8.8/8.8.8) with ESMTP id WAA00681 for ; Mon, 6 Apr 1998 22:34:07 +0100 (BST)
Message-ID: <35294A7F.6D965E6C@netcomuk.co.uk>
Date: Mon, 06 Apr 1998 22:34:55 +0100
From: Pete Philips
X-Mailer: Mozilla 4.03 [en] (WinNT; I)
MIME-Version: 1.0
To: Firewalls@GreatCircle.COM
Subject: fw-1 stateful inspection vulnerabilities
References: <199804050901.BAA15922@honor.greatcircle.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I would say that (my) single biggest problem with packet filtering is
> application-level security (e.g. how can a packet filter differentiate a
> sendmail server from a rogue webserver running on port 25? It can't. A proxy
> can.) OTOH, packet filters are generally faster, mainly because filtering
> decisions are made in the lower levels of the IP stack.

This is very interesting.
While on the subject of stateful inspection engines, what do people perceive as the fundamental problems with such an approach? I'd be interested to hear what are thought of as the basic weaknesses.

Pete.

------------------------------------------------------
| Pete Philips                        \|/            |
| E-mail: alien@netcomuk.co.uk         O             |
------------------------------------------------------

From firewalls-owner Mon Apr 6 21:21:13 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id UAA20791; Mon, 6 Apr 1998 20:21:22 -0700 (PDT)
Received: from pike.sover.net (pike.sover.net [204.71.16.17]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id UAA20580 for ; Mon, 6 Apr 1998 20:20:38 -0700 (PDT)
Received: from granite.sover.net (cbrenton@granite.sover.net [204.71.16.16]) by pike.sover.net (8.8.5/8.8.5) with SMTP id XAA04385; Mon, 6 Apr 1998 23:25:47 -0400 (EDT)
Date: Mon, 6 Apr 1998 23:25:47 -0400 (EDT)
From: cbrenton
To: "Kizer, Randall"
cc: firewalls@GreatCircle.COM
Subject: Re: Novell Question
In-Reply-To: <3.0.3.32.19980406162938.0098ae50@guten.sannet.gov>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 6 Apr 1998, Kizer, Randall wrote:

> We've recently experienced some problems with "someone" getting into
> some of our Novell servers with Admin authority, and deleting system
> files. Novell doesn't have any usable auditing tools, so we've been
> forced out into the marketplace to try and find something usable.

If it's NetWare 3.1x, run "security.exe"
If it's NetWare 4.x, run "auditcon.exe"

> Does anyone have any recommendations? Any and all suggestions will
> be most welcome.

Kane will do this, but it's expensive

Cheers,
Chris

From firewalls-owner Mon Apr 6 21:35:34 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id SAA26160; Mon, 6 Apr 1998 18:12:47 -0700 (PDT)
Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-980202-1) id SAA26138 for firewalls@greatcircle.com; Mon, 6 Apr 1998 18:12:40 -0700 (PDT)
Received: from merlin.rtpnc.epa.gov (merlin.rtpnc.epa.gov [134.67.208.148]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id HAA13379 for ; Fri, 3 Apr 1998 07:57:06 -0800 (PST)
Received: from RT-MAIL2.RTPTOK.EPA.GOV by epamail.epa.gov (PMDF V5.1-8 #22480) with SMTP id <0EQUHLMUD007SW@epamail.epa.gov> for firewalls@greatcircle.com; Fri, 3 Apr 1998 10:56:10 -0500 (EST)
Received: from RTPMAINHUB-Message_Server by RT-MAIL2.RTPTOK.EPA.GOV with Novell_GroupWise; Fri, 03 Apr 1998 11:00:36 -0500
Date: Fri, 03 Apr 1998 10:11:14 -0500
From: JOSEPH COSGRIFF
Subject: help on telecom
To: firewalls@greatcircle.com
Message-id:
MIME-version: 1.0
X-Mailer: Novell GroupWise 4.1
Content-type: text/plain
Content-disposition: inline
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello, I am new to the computer security div. I am attempting to put together an audit program for security measures on a telecom. div. If anyone can provide me any info ref. this I would greatly appreciate it.
Thanks,
Joe

From firewalls-owner Mon Apr 6 23:02:13 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id RAA21724; Mon, 6 Apr 1998 17:49:12 -0700 (PDT)
Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-980202-1) id RAA21683 for firewalls@greatcircle.com; Mon, 6 Apr 1998 17:49:04 -0700 (PDT)
Received: from hq1xfwa.freddiemac.com (hq1xfwa1.freddiemac.com [204.253.137.241]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id PAA05438 for ; Wed, 1 Apr 1998 15:12:52 -0800 (PST)
Received: from mailgate.freddiemac.com ([161.107.79.103]) by hq1xfwa.freddiemac.com (8.8.5/nope) with ESMTP id RAA03258 for ; Wed, 1 Apr 1998 17:51:15 -0500 (EST)
Received: from msmail.freddiemac.com (msmail.freddiemac.com [161.107.79.90]) by mailgate.freddiemac.com (8.8.5/8.8.5) with ESMTP id SAA09717 for ; Wed, 1 Apr 1998 18:14:23 -0500 (EST)
Received: from Microsoft Mail (PU Serial #1065) by msmail.freddiemac.com (PostalUnion/SMTP(tm) v2.1.9f for Windows NT(tm)) id AA-1998Apr01.181005.1065.1652681; Wed, 01 Apr 1998 18:24:46 -0500
From: Rick_McMaster@freddiemac.com (McMaster, Rick)
To: firewalls@GreatCircle.COM (firewalls), rramirez@encomix.es (Roman Ramirez)
Message-ID: <1998Apr01.181005.1065.1652681@msmail.freddiemac.com>
X-Mailer: Microsoft Mail via PostalUnion/SMTP for Windows NT
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Organization: Freddie Mac
Date: Wed, 01 Apr 1998 18:24:46 -0500
Subject: RE: Questions about ICMP
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I do not have a real problem with ping to and from specific hosts, but I would never allow traceroute through my firewalls. Using traceroute a person can map your entire internal network.

Rick

----------
>From: Roman Ramirez
>To: firewalls
>Subject: Questions about ICMP
>Date: Wednesday, April 01, 1998 6:27AM
>
>Hello:
>
>I have some questions about ICMP filtering, what kind of icmp packets
>should I filter?
>
>In other way, what icmp options can I permit in packets?
>
>I'm seeking for a RESTRICTIVE policy, but I need to let ping and
>traceroute get out and in...
>
>Thx in advance
>
>--
>http://www.encomix.es/users/patowc
>mailto://rramirez@encomix.es
>
>------ Message Header Follows ------
>Received: from mailgate.freddiemac.com by msmail.freddiemac.com (PostalUnion/SMTP(tm) v2.1.9f for Windows NT(tm)) id AA-1998Apr01.062736.1065.1051837; Wed, 01 Apr 1998 06:27:37 -0500
>Received: from hq1xfwa.freddiemac.com (hq1xfwa1.freddiemac.com [204.253.137.238]) by mailgate.freddiemac.com (8.8.5/8.8.5) with ESMTP id GAA19896 for ; Wed, 1 Apr 1998 06:17:15 -0500 (EST)
>Received: from relay1.UU.NET (relay1.UU.NET [192.48.96.5]) by hq1xfwa.freddiemac.com (8.8.5/nope) with ESMTP id FAA21482 for ; Wed, 1 Apr 1998 05:54:00 -0500 (EST)
>Received: from honor.greatcircle.com by relay1.UU.NET with ESMTP (peer crosschecked as: honor.greatcircle.com [198.102.244.44]) id QQejfh19043; Wed, 1 Apr 1998 06:19:35 -0500 (EST)
>Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id WAA26565; Tue, 31 Mar 1998 22:14:42 -0800 (PST)
>Received: from mesache.encomix.es (mesache.encomix.es [194.143.192.3]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id WAA26533 for ; Tue, 31 Mar 1998 22:14:28 -0800 (PST)
>Received: (qmail 2500 invoked from network); 1 Apr 1998 06:16:35 -0000
>Received: from hell.encomix.es (HELO encomix.es) (root@194.143.192.22) by mesache.encomix.es with SMTP; 1 Apr 1998 06:16:35 -0000
>Message-ID: <3521DBD2.B29513E0@encomix.es>
>Date: Wed, 01 Apr 1998 08:16:50 +0200
>From: Roman Ramirez
>Organization: EncomIX
>X-Mailer: Mozilla 4.04 [en] (X11; I; Linux 2.1.91 i586)
>MIME-Version: 1.0
>To: firewalls@GreatCircle.COM
>Subject: Questions about ICMP
>Content-Type: text/plain; charset=us-ascii
>Content-Transfer-Encoding: 7bit
>Sender: firewalls-owner@GreatCircle.COM
>Precedence: bulk

From firewalls-owner Mon Apr 6 23:49:22 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id RAA18827; Mon, 6 Apr 1998 17:34:40 -0700 (PDT)
Received: from mail.trace.com.tw (mail.trace.com.tw [203.67.189.10]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id RAA18799 for ; Mon, 6 Apr 1998 17:34:31 -0700 (PDT)
Received: from localhost (ronald@localhost) by mail.trace.com.tw (8.8.6/8.8.6) with SMTP id IAA20335; Tue, 7 Apr 1998 08:38:08 +0800
X-Comments: ****** Message sent through an Trace account ******
X-http: ****** http://www.trace.com.tw ******
Date: Tue, 7 Apr 1998 08:38:08 +0800 (CST)
From: Ronald Wiplinger
To: Eileen Bonfiglio
cc: firewalls@GreatCircle.COM
Subject: Re: web server set up
In-Reply-To: <352901A3.632E7756@putergirl.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 6 Apr 1998, Eileen Bonfiglio wrote:

> Hi all
>
> I am seeking some information on setting up an NT web server and would
> value any and all info/advice/recommendations.

Directory info/advice/recommendations cannot be found on an NT server.

(Sorry, I could not resist)

> Thanks
> Eileen

From firewalls-owner Tue Apr 7 01:28:43 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA23139; Mon, 6 Apr 1998 23:04:52 -0700 (PDT)
Received: from d06lmsgate.uk.ibm.com (d06lmsgate.uk.ibm.com [195.212.29.1]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id XAA23110 for ; Mon, 6 Apr 1998 23:04:40 -0700 (PDT)
From: "CN=D15ML002/OU=15/OU=M/O=IBM@IBMNL"@us.ibm.com
Received: from d06lms02.emea.ibm.com by d06lmsgate.uk.ibm.com (AIX 4.1/UCB 5.64/4.03) id AA68934; Tue, 7 Apr 1998 07:03:12 +0100
Received: by UK.IBM.COM (Soft-Switch LMS 2.0) with snapi via D06AU012 id 5060200014030659; Tue, 7 Apr 1998 06:09:37 +0000
To: <"Firewalls@GreatCircle.COM@IBMLMS06"@us.ibm.com>
Subject: Ellen M Wesselingh/Netherlands/IBM is out of the office.
Message-Id: <5060200014030659000002L092*@MHS>
Date: Tue, 7 Apr 1998 06:09:37 +0000
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am out of the office from 06-04-98, returning 09-04-98. You will receive only this notification of my absence prior to my return, at which time I will respond.

I'm on a course 7 & 8 April, 1998. For urgent matters contact UITVM1(ISGRP).

From firewalls-owner Tue Apr 7 02:22:19 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA23082; Mon, 6 Apr 1998 23:04:16 -0700 (PDT)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id WAA14196 for ; Mon, 6 Apr 1998 22:22:01 -0700 (PDT)
Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by miles.greatcircle.com (8.8.5/8.8.5) with SMTP id WAA19316 for ; Mon, 6 Apr 1998 22:25:30 -0700 (PDT)
Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id LAA25512; Mon, 6 Apr 1998 11:16:03 -0400
Date: Mon, 6 Apr 1998 11:16:00 -0400 (EDT)
From: Rabid Wombat
To: rkizer@guten.sddpc.org
cc: firewalls@GreatCircle.COM
Subject: Re: Novell Question
In-Reply-To: <3.0.3.32.19980406162938.0098ae50@guten.sannet.gov>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Try LT Auditor+ at www.bluelance.com.

You should also set up protocol analyzers (w/ filters in place to catch only login info at first, so you don't overflow, then set to the MAC address to catch the whole session) to try to obtain the MAC address. Check to determine which accounts have sufficient rights on the machines/directories in question. Change passwords, and keep track of who has access to the new passwords. Keep supervisory access to a minimum.

You can also set up a script to run "userlist /a" on a regular basis and pipe the output to a file in an attempt to locate the offending MAC address, time/date, login name and station location.

Set up logging on your dial-in access either via your terminal server (if it has this ability), and/or a protocol analyzer. Dial-up by a disgruntled ex-sysadmin is always a prime suspect.

Document what you do, and what you find (date, time, who witnessed, what you did, what the intruder did, etc) in case you need this for court, if it comes to that.

Oh, and by the way, check to make sure you haven't set up your new-fangled tape backup software to "archive" files older than a certain date. Last time I got called in to check out a situation like this, that is what the "intruder" turned out to be. :)

-r.w.

On Mon, 6 Apr 1998 rkizer@guten.sddpc.org wrote:

> Maybe there's someone who can help me with this problem, since I'm not
> that familiar with Novell.
>
> We've recently experienced some problems with "someone" getting into
> some of our Novell servers with Admin authority, and deleting system
> files. Novell doesn't have any usable auditing tools, so we've been
> forced out into the marketplace to try and find something usable.
>
> Does anyone have any recommendations? Any and all suggestions will
> be most welcome.
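The periodic "userlist /a" capture suggested in the reply above only helps if someone correlates it. The script below is an added example for this thread, not code from the post and not a Novell utility. It assumes a scheduled job has normalised each capture into one tab-separated line per active connection (snapshot time, connection number, user, node address, login time); that line format, the privileged account names, the known-station baseline, the business-hours window and all sample records are constructed for the example. It reports each privileged session that logged in from a node address not in the baseline or outside working hours, once per session rather than once per snapshot, and tabulates which users have been seen from each station.

```python
"""Correlate periodic login-session snapshots to flag suspect privileged logins.

Added example; not from the mailing-list post and not a NetWare tool. Assumed
capture format (constructed for this example), one line per active connection:

    <snapshot time>\t<connection>\t<user>\t<node address>\t<login time>
"""

from collections import defaultdict
from datetime import datetime, time

# Accounts treated as holding supervisory rights (assumed names for the example).
PRIVILEGED = {"ADMIN", "SUPERVISOR"}

# Normal working window; a privileged login outside it deserves a second look.
BUSINESS_HOURS = (time(7, 0), time(19, 0))

# Constructed baseline: node (MAC) addresses each privileged account is known
# to log in from, gathered from earlier, known-good captures.
KNOWN_NODES = {
    "ADMIN": {"0000C0A1B2C3"},
    "SUPERVISOR": {"0000C0A1B2C3", "0080C8112233"},
}

# Constructed capture: three snapshots (08:15, 23:30, and 02:00 the next day).
SAMPLE_LOG = """\
1998-04-06 08:15\t1\tADMIN\t0000C0A1B2C3\t1998-04-06 08:10
1998-04-06 08:15\t2\tJSMITH\t0080C8445566\t1998-04-06 08:02
1998-04-06 23:30\t1\tADMIN\t0000C0A1B2C3\t1998-04-06 08:10
1998-04-06 23:30\t3\tADMIN\t00A024DEADBE\t1998-04-06 23:12
1998-04-07 02:00\t3\tADMIN\t00A024DEADBE\t1998-04-06 23:12
1998-04-07 02:00\t4\tSUPERVISOR\t0080C8112233\t1998-04-07 01:55
"""

TS_FMT = "%Y-%m-%d %H:%M"


def parse_snapshots(text):
    """Yield (snapshot_ts, connection, user, node, login_ts) for each capture line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        snap, conn, user, node, login = line.split("\t")
        yield (datetime.strptime(snap, TS_FMT), int(conn), user.upper(),
               node.upper(), datetime.strptime(login, TS_FMT))


def find_suspect_sessions(text, known_nodes=KNOWN_NODES, privileged=PRIVILEGED,
                          hours=BUSINESS_HOURS):
    """Return one finding per distinct privileged session that breaks the baseline.

    A session shows up in every snapshot taken while the user stays logged in,
    so it is identified by (connection, user, node, login time) and reported once.
    """
    seen = set()
    findings = []
    for _snap, conn, user, node, login in parse_snapshots(text):
        key = (conn, user, node, login)
        if key in seen or user not in privileged:
            continue
        seen.add(key)
        reasons = []
        if node not in known_nodes.get(user, set()):
            reasons.append("unknown node address")
        if not hours[0] <= login.time() <= hours[1]:
            reasons.append("login outside business hours")
        if reasons:
            findings.append({"user": user, "node": node, "connection": conn,
                             "login_time": login.strftime(TS_FMT), "reasons": reasons})
    return findings


def users_by_node(text):
    """Map each node address to the sorted users seen from it (which station is this?)."""
    table = defaultdict(set)
    for _snap, _conn, user, node, _login in parse_snapshots(text):
        table[node].add(user)
    return {node: sorted(users) for node, users in table.items()}


if __name__ == "__main__":
    for f in find_suspect_sessions(SAMPLE_LOG):
        print(f"{f['login_time']}  conn {f['connection']}  {f['user']:<11} "
              f"node {f['node']}  " + "; ".join(f["reasons"]))
    print("stations:", users_by_node(SAMPLE_LOG))
```

The node address is what ties the login to a physical station; once a suspect address is known it is the value to filter on in the protocol analyzer, and the timestamped findings are the record worth preserving alongside the witness notes the post recommends.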
From firewalls-owner Tue Apr 7 02:24:23 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id SAA26134; Mon, 6 Apr 1998 18:12:39 -0700 (PDT)
Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-980202-1) id SAA26125 for firewalls@greatcircle.com; Mon, 6 Apr 1998 18:12:36 -0700 (PDT)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id GAA25637 for ; Sat, 4 Apr 1998 06:31:46 -0800 (PST)
Received: from gargoyle.clark.net (pm1-67.dcwt.infi.net [208.136.65.67]) by miles.greatcircle.com (8.8.5/8.8.5) with ESMTP id GAA22747 for ; Sat, 4 Apr 1998 06:20:15 -0800 (PST)
Received: by gargoyle.clark.net (VMailer, from userid 500) id 32DBB2F632; Sat, 4 Apr 1998 09:30:44 -0500 (EST)
Date: Sat, 4 Apr 1998 09:30:43 -0500 (EST)
From: "Paul D. Robertson"
X-Sender: proberts@gargoyle
To: "Renard, Kenneth"
Cc: firewalls@GreatCircle.COM, Vin McLellan , Jesse Brown
Subject: Re: SecurID & a Biometric & a PIN! (Was: Ammunition, please)
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 31 Mar 1998, Renard, Kenneth wrote:

> Take an analytical step back and look at the biometric data. The
> measurement that it takes is going to be transformed into a "signature"
> of the scan, fingerprint, voice data. This signature/transform must
> remove (most?) variations among different measurements over time and
> various measuring devices. The data used (compared) will be relatively
> static. We've learned from passwords that "static" can be bad.

You're probably going to see two arguments from this in the near term. First of all, generally they'll be replacing static password systems (ATMs being the most visible case, because PIN numbers are static, and therefore *not* an additional layer of security; drivers' licenses are also static and generally fairly easily reproducible; checks (cheques) even easier to produce), and secondly, for most applications, such as banking, something you are is better than something you lose or something you forget, since the customer service costs are much lower when taking care of the 95th percentile of everything working ok. The fraud numbers will have to be pretty high before the banks will look beyond the technology currently being fielded.

> Biometric data has an extremely low degree of secrecy. I can get your
> fingerprint from your coffee mug, a retinal scan from your eye doctor, a
> face print from seeing you in the streets, etc. The signature/transform
> algorithm is assumed to be known (autocorrelation function for voice,
> etc.). Therefore, I can easily generate the biometric data necessary to
> assume your identity. "Stealing" the data can be done much easier and
> secretly than an attack on the body. I, for one, would barely notice a
> missing coffee mug compared to a missing digit. Assume the data is
> stolen.

This is true. The three highest points of vulnerability outside of the biometric itself are being able to spoof the analog portion of the collection agent, being able to spoof the digital portion of the collection agent as it goes back to compare records, and being able to spoof a positive ack from the comparison.

I think what you'll see as storage costs drop is that, like static passwords, biometric data will be stored at the local authenticating device unless there is some compelling reason (mostly legal) not to. Why wouldn't an ATM that you use regularly cache your biometrics locally, then authenticate you on the spot? Why should your workstation have to go over the network to authenticate you if the risk of compromise of the local authentication data is the same as the risk of spoofing the data itself?

> The high degree of user authenticity afforded by biometrics comes from
> the ability of _only_ the valid user to present the biometric data to
> the "system". A warm, pulsing thumb set upon a measuring device is a
> good indicator of who you are. Now the problem is comparing that data
> to a (remote?) database of data without allowing data to be inserted
> between the measuring device and the compare operation. You must

Or in front of it

> completely authenticate the dialogue between the measuring device and
> the compare stage and only allow transactions with trusted measuring
> devices.

The transaction thing is generally solvable with digital signatures once you get the code into tamper-resistant packaged silicon. That's where we'll probably see the first "major" steps taken. Of course, if it's done right, ATMs, authentication devices for network access, and store scanners won't be exportable from the US. At that point, ITAR either dies or the US drops a multi-billion dollar market, because a *lot* of companies in different countries won't accept the USG having bits of the keys that authenticate them and where they were at a certain time physically. For the same reasons the intel and law enforcement guys are going to want that data pretty badly. I think that US privacy laws need to be stronger to give us a tool in curbing abuses of the technologies.

> wall) wiring into the authentication system. This would be a nice
> closed system. Only those measuring devices that are securely hardwired
> into the system are allowed to authenticate.

This is only a good model where the resources being authenticated against are local to the authentication mechanism.

> What I'd like to see is a "tamper-proof" token (a la SecurID) that
> measures the biometric, takes a PIN, and an internal seed to generate
> authentication data and/or unlock a stored private key. The biometric
> data would be utilized to its best potential without a significant
> threat of data insertion. All 3 authentication factors in one
> credit-card sized token!

Well, someday. The problem is the same one we're seeing with firewalls: unless there's a concerted effort to educate the user populace (in this case the general population), "ease of use" and cost of support are the major factors, and nobody but us "raving paranoid lunatics" are going to fight for something you forget and something you lose.

> The proverbial Guido and Mac the Knife are still a problem. How about a
> duress finger? :-)

Every time I think about showing my boss my duress finger, I realize that it's an egress finger too... :)

It really is a two-edged sword: to be useful, the biometric must be unique, but if it's unique then once compromised it's irrevocable. It should be really interesting to see what happens if a program swaps two IDs and you have to try to "prove" you aren't someone else at the DMV...

Also, as the technologies get cheaper, undercover law enforcement is going to have a hell of a time; someone with a portable camera sitting outside of the local police academy grabbing face maps will make a mint with the local bad guys. This means that there will be a "legitimate law enforcement need" to corrupt the databases. Running a match of those and the commercial banking records will pull out all the cops pretty quickly... If that's not an attractive target... Ok, I'll stop before it gets gruesome again...

I'm not so sure that strong authentication permeating society isn't one of those "be careful what you wish for" things...

Paul
-----------------------------------------------------------------------------
Paul D.
Robertson "My statements in this message are personal opinions proberts@clark.net which may have no basis whatsoever in fact." PSB#9280 From firewalls-owner Tue Apr 7 04:06:19 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id DAA20506; Tue, 7 Apr 1998 03:52:33 -0700 (PDT) Received: from castle.us-state.gov (castle.us-state.gov [198.76.102.19]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id DAA20492 for ; Tue, 7 Apr 1998 03:52:27 -0700 (PDT) Received: by castle.us-state.gov; id AA27023; Tue, 7 Apr 98 06:57:33 EDT Received: from pubhost.us-state.gov(198.76.102.34) by castle.us-state.gov via smap id sma026992; Tue Apr 7 06:57:14 1998 Received: by pubhost.us-state.gov; id AA23569; Tue, 7 Apr 98 06:57:11 EDT Received: by localhost with Microsoft MAPI; Tue, 7 Apr 1998 06:50:57 -0400 Message-Id: <01BD61F1.84441970@gcrum@us-state.gov> From: Gary Crumrine Reply-To: "gcrum@us-state.gov" To: "'firewalls@greatcircle.com'" Subject: Value Add comments Date: Tue, 7 Apr 1998 06:50:55 -0400 Organization: US Dept of State X-Mailer: Microsoft Internet E-mail/MAPI - 8.0.0.4025 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello everyone. I am looking for opinions on a few subjects. Care to comment? 1) Justification comments concerning what value is added when they buy in to purchasing and deploying threat management techniques and hardware? 2) At which point do you think you have fulfilled due diligence requirements when employing firewalls, IDS, Usage tracking etc.? 3) Outsourcing. Does it make sense? Is there an expectation of good return on your investment? Are they trustworthy? 4) Periodic review/certification of systems. Are they a necessary evil? How often should they be accomplished? Thanks in advance. 
I appreciate your ideas From firewalls-owner Tue Apr 7 05:21:25 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA00131; Tue, 7 Apr 1998 05:06:06 -0700 (PDT) Received: from mail.adpims.com ([208.217.7.191]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id FAA00124 for ; Tue, 7 Apr 1998 05:06:01 -0700 (PDT) From: rcerpa@adpims.com Received: by mail.adpims.com(Lotus SMTP MTA v1.1 (385.6 5-6-1997)) id 852565DF.00431812 ; Tue, 7 Apr 1998 08:12:50 -0400 X-Lotus-FromDomain: ADP To: rkizer@sddpc.org Message-ID: <852565DF.0042A85F.00@mail.adpims.com> Date: Tue, 7 Apr 1998 08:12:46 -0400 Subject: Re: Novell Question Mime-Version: 1.0 Content-type: text/plain; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Try Audit Track. I don't recall who sells it now, the original company got bought out. rkizer@sddpc.org on 04/06/98 07:29:38 PM To: firewalls@GreatCircle.Com cc: (bcc: Richard Cerpa/ADP/IMS) Subject: Novell Question Maybe there's someone who can help me with this problem, since I'm not that familiar with Novell. We've recently experienced some problems with "someone" getting into some of our Novell servers with Admin authority, and deleting system files. Novell doesn't have any usable auditing tools, so we've been forced out into the market place to try and find something useable. Does anyone have any recommendations? Any and all suggestions will be most welcome. 
From firewalls-owner Tue Apr 7 05:36:55 1998
Date: Tue, 07 Apr 1998 08:29:18 -0400
From: "Joseph Pung"
To: COSGRIFF.JOSEPH@epamail.epa.gov, firewalls@greatcircle.com
Subject: Re: help on telecom

Joe

There are a couple of programs at this site (I have never used them so I have no opinion on their value): http://users.aol.com/auditnet/asap_ind.htm (Click on the top drop-down box and scroll to telecommunications.)

Joe

>>> JOSEPH COSGRIFF 04/03 10:11 AM >>>
Hello, I am new to the computer security div. I am attempting to put together an audit program for security measures on a telecom. div. If anyone can provide me any info ref. this I would greatly appreciate it.

Thanks, Joe

From firewalls-owner Tue Apr 7 06:35:41 1998
Date: Tue, 7 Apr 1998 09:22:54 -0400 (EDT)
From: "Mike O'Connor"
To: firewalls@greatcircle.com (Firewalls Mailing List)
Subject: Re: re: Hackers Suck

:From: Henry Hertz Hobbit
[...]
:Beelzebub Infidels'. Perhaps I should explain myself. If you all
:would go to the largest library near you that has the *Journal*
:*of* *Parapsychology*, you might find that they have been doing
:hypnotic-induction programming involving *SATANIC* key words. Thus
[...]
:3. Destroy themselves. I know they don't see it this way, but if
:   they look at what they are doing long and hard and then fast
:   forward when they are in their 70s, 80s, or 90s and facing
:   death square in the face I ask them to do one thing. Can you
[...]
:   a year to develop the Satanic crap they are pursuing). Good
:   ole J Gordon Liddy is now having his case that they should not
:   be given these powers because of Ruby Ridge - Idaho, Waco - Texas,
:   and Richard Jewell being shot down completely by you dumb jackass
[...]
:So, Mr. Hacker, think long and hard about what you are doing. Are
:you promoting some insane Psychiatrists/Psychologists at the FBI into
:destroying hundreds if not thousands of lives with their damn Satanic
:programming?

The most amazing thing about this to me is that almost I thought there was another mailing list for conspiracy theorists and frothing-at-the-mouth lunatics? Perhaps we should explore the use of firewalls and the firewalls mailing list as a "layer 7+" electronic prison? I wonder how much serious hacking a Berferd could do if he had to vomit every time he read crap like this?

--
Michael J. O'Connor | WWW: http://dojo.mi.org/~mjo/ | Email: mjo@dojo.mi.org
InterNIC WHOIS: MJO | (has my PGP & Geek Code info) | Phone: +1 248-848-4481
=--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--=
"Why is it that the nuttiest people define reality?" -Dilbert

From firewalls-owner Tue Apr 7 06:37:43 1998
Date: Tue, 07 Apr 1998 09:19:32 -0400
From: Yury German
Reply-To: yury.german@citicorp.com
Organization: Citicorp
To: "McMaster, Rick"
Cc: firewalls
Subject: Re: Questions about ICMP

McMaster, Rick wrote:

> I do not have a real problem with ping to and from specific hosts, but I
> would never allow traceroute through my firewalls. Using traceroute a
> person can map your entire internal network.
>
> Rick
> ----------
> >From: Roman Ramirez
> >To: firewalls
> >Subject: Questions about ICMP
> >Date: Wednesday, April 01, 1998 6:27AM
> >
> >Hello:
> >
> >I have some questions about ICMP filtering, what kind of icmp packets
> >should I filter?
>

With a traceroute you can map the network, but by letting ping (ICMP echo) through the firewall you allow the intruder the freedom to bring internal servers down with ping of death. While most firewalls are immune, I will make a strong assumption that you have internal hosts which are vulnerable, since most system admins do not pay that much attention to security patches. Letting ping inside the firewall is as dangerous, if not more dangerous, than traceroute.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 Yury German                      yury.german@citicorp.com
 Firewall Security Admin          yury_german@yahoo.com
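Rick's point about traceroute mapping and Yury's about ping of death come down to an ICMP policy that looks at type, direction and fragment size. The following is an added example, not code from the thread: a toy first-match ICMP filter in Python that denies inbound echo-request (so outside hosts cannot ping, or TTL-walk with ping, inside hosts), lets in only the error types inside hosts need, admits echo-replies only when they answer a request seen going out, and drops any fragment that would reassemble past 65535 bytes before the type is even examined. The inside network 10.0.0.0/8, the addresses and the packets are constructed for the test; checksums are left at zero and nothing is sent on the wire.

```python
import ipaddress
import struct

# ICMP type numbers from RFC 792
ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACH = 3
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11

MAX_IP_DATAGRAM = 65535                              # largest legal IPv4 datagram
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")    # assumed inside network


def build_icmp_packet(src, dst, icmp_type, ident=0x1234, seq=1,
                      payload=b"", frag_offset=0, more_frags=False):
    """Construct an IPv4 datagram carrying ICMP, as a test fixture only.
    Checksums stay zero and nothing is sent. frag_offset is in 8-byte
    units as in the IP header; only the first fragment (offset 0) carries
    the 8-byte ICMP header, later fragments carry payload only."""
    if frag_offset == 0:
        body = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    else:
        body = payload
    flags_frag = (0x2000 if more_frags else 0) | (frag_offset & 0x1FFF)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(body), 0, flags_frag, 64, 1, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return ip_hdr + body


def parse(packet):
    """Pull out the fields the filter needs from a raw IPv4 datagram."""
    ihl = (packet[0] & 0x0F) * 4
    total_len, = struct.unpack("!H", packet[2:4])
    flags_frag, = struct.unpack("!H", packet[6:8])
    fields = {
        "proto": packet[9],
        "src": ipaddress.IPv4Address(packet[12:16]),
        "dst": ipaddress.IPv4Address(packet[16:20]),
        "frag_offset": (flags_frag & 0x1FFF) * 8,     # in bytes
        "payload_len": total_len - ihl,
        "icmp_type": None, "ident": None, "seq": None,
    }
    if fields["proto"] == 1 and fields["frag_offset"] == 0:
        fields["icmp_type"] = packet[ihl]
        fields["ident"], fields["seq"] = struct.unpack("!HH", packet[ihl + 4:ihl + 8])
    return fields


class IcmpFilter:
    """First-match ICMP policy with a small state table for echo traffic."""

    def __init__(self):
        self.pending_echo = set()   # (peer, ident, seq) of requests sent out

    def decide(self, packet):
        """Return (verdict, reason) for one datagram crossing the firewall."""
        p = parse(packet)
        if p["proto"] != 1:
            return ("deny", "not-icmp")            # non-ICMP is out of scope here
        # 1. Ping of death: offset plus this fragment's data would reassemble
        #    beyond the maximum datagram size, so drop it on sight.
        if p["frag_offset"] + p["payload_len"] > MAX_IP_DATAGRAM:
            return ("deny", "oversized-fragment")
        # 2. Non-initial fragments carry no ICMP header, so the type cannot be
        #    checked; refuse them rather than let them slip past rule 3.
        if p["frag_offset"] != 0:
            return ("deny", "non-initial-fragment")
        inbound = p["src"] not in INTERNAL_NET and p["dst"] in INTERNAL_NET
        t = p["icmp_type"]
        # 3. Outside hosts may not ping (or TTL-walk with ping) inside hosts.
        if inbound and t == ICMP_ECHO_REQUEST:
            return ("deny", "inbound-echo-request")
        # 4. Error messages that inside-originated traffic relies on.
        if inbound and t in (ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED):
            return ("allow", "inbound-icmp-error")
        # 5. Inside hosts may ping out; remember the request to match its reply.
        if not inbound and t == ICMP_ECHO_REQUEST:
            self.pending_echo.add((p["dst"], p["ident"], p["seq"]))
            return ("allow", "outbound-echo-request")
        # 6. An echo-reply is let in only if it answers a request we saw go out.
        if inbound and t == ICMP_ECHO_REPLY:
            key = (p["src"], p["ident"], p["seq"])
            if key in self.pending_echo:
                self.pending_echo.discard(key)
                return ("allow", "matched-echo-reply")
            return ("deny", "unsolicited-echo-reply")
        return ("deny", "default-deny")
```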
From firewalls-owner Tue Apr 7 06:52:36 1998
Date: Tue, 07 Apr 1998 09:41:41 -0700
From: Eileen Bonfiglio
Organization: PuterGirl, Inc
To: firewalls@GreatCircle.com
Subject: Safe Credit?

Good Morning...

A few months ago I recall some postings on credit card security issues/ecommerce, theft of such, and would love to have them now. Is there an archive of the postings on the web I missed?

Thanks
Eileen

From firewalls-owner Tue Apr 7 07:54:15 1998
Date: Tue, 7 Apr 1998 09:55:22 -0400
From: Larry.Riley@disclosure.com (Larry Riley)
To: firewalls@GreatCircle.COM, rkizer@guten.sddpc.org (Kizer; Randall)
Subject: Re: Novell Question

Check out Kane Security Analyst by Intrusion Detection Inc.

______________________________ Reply Separator _________________________________
Subject: Novell Question
Author: rkizer@guten.sddpc.org (Kizer; Randall) at Internet
Date: 4/6/98 4:29 PM

Maybe there's someone who can help me with this problem, since I'm not that familiar with Novell. We've recently experienced some problems with "someone" getting into some of our Novell servers with Admin authority, and deleting system files. Novell doesn't have any usable auditing tools, so we've been forced out into the market place to try and find something usable. Does anyone have any recommendations? Any and all suggestions will be most welcome.
From firewalls-owner Tue Apr 7 08:18:11 1998
Date: Tue, 7 Apr 1998 10:53:20 -0400 (EDT)
From: Rusty Zickefoose
To: JonnyBoy85
Cc: Firewalls@GreatCircle.COM
Subject: Re: T1 question (verbose reply)

On Thu, 2 Apr 1998, Chris Brenton wrote:

>
> > I have tried everywhere to find out about them, and was starting to think that
> > there was no such thing as a T3, but I found out again today that there is.
>
> Yup, they're just not as common. A T3 is a bundle of 30 T1's. Total potential
> bandwidth is around 45 Mb.
>
> Hope this helps,
> Chris

see http://www.oreilly.com/reference/dictionary/terms/D/Digital_Transmission_Rate_3.htm

--
Rusty Zickefoose | The most exciting phrase to hear in science,
rusty@mci.net    | the one that heralds new discoveries, is not
                 | "Eureka!", but "That's funny ..."
                 |                      -- Isaac Asimov

From firewalls-owner Tue Apr 7 08:21:19 1998
Date: Tue, 7 Apr 1998 10:50:40 -0400
From: Catherine Francis
Reply-To: cfrancis@intrusion.com
Organization: Intrusion Detection Inc.
To: firewalls@greatcircle.com
Subject: Re: Novell Question

Actually, we'd be glad to send out a free eval copy of the Kane Security Analyst, which should give you a pretty good idea of what the security on your network looks like, including a list of the IDs with admin equivalence; if you want to, shoot me an email, Randall. I apologize for the plug, but I had to respond, since I don't think we're -that- expensive. :)

Catherine Francis
Research & Development
Intrusion Detection, Inc.
A Security Dynamics Company
(212) 348-8900
cfrancis@intrusion.com

>Date: Mon, 6 Apr 1998 23:25:47 -0400 (EDT)
>From: cbrenton
>Subject: Re: Novell Question
>
>On Mon, 6 Apr 1998, Kizer, Randall wrote:
>
>> We've recently experienced some problems with "someone" getting into
>> some of our Novell servers with Admin authority, and deleting system
>> files. Novell doesn't have any usable auditing tools, so we've been
>> forced out into the market place to try and find something usable.
>
>If it's NetWare 3.1x, run "security.exe"
>If it's NetWare 4.x, run "auditcon.exe"
>
>> Does anyone have any recommendations? Any and all suggestions will
>> be most welcome.
>
>Kane will do this, but it's expensive
>
>Cheers,
>Chris

From firewalls-owner Tue Apr 7 10:06:24 1998
Date: Tue, 07 Apr 1998 09:15:56 -0700
From: Magic Man
Organization: Rarebird Consulting Services
To: greg_barnes@ins.com
Cc: firewalls@greatcircle.com
Subject: Re: linux based firewall cookbook...

Greg Barnes wrote:

> It's ridiculous to discuss filesystem security measures after the
> physical layer has been breached, and I don't care what the
> filesystem is, if you KNOW what it is and you have physical access,
> it's game over.....FAT, minix, HPFS, NTFS, ext2, UFS whatever...

That's right... with the possible exception of a completely encrypted filesystem of some sort. Then, there are issues of performance and key management.

--
.\\agic .\\an
Rarebird Consulting Services

From firewalls-owner Tue Apr 7 11:06:50 1998
Date: Tue, 07 Apr 1998 10:39:40 -0700
From: Tom Gardner
To: firewalls@greatcircle.com
Subject: Another Novell Question

Does anyone know of a Syslogd client app for Netware 4.x? I have all my Unix and NT hosts writing to a dedicated syslog host. I want the Netware servers to do the same. Anyone seen such an animal?
Thx
Tom G

From firewalls-owner Tue Apr 7 11:17:18 1998
Date: Tue, 7 Apr 1998 08:06:59 -0700 (PDT)
From: "William L. Hamlin"
To: Yury German
Cc: "McMaster, Rick", firewalls
Subject: Re: Questions about ICMP

Actually, try the following little script:

--->8-------------------
#!/bin/sh
# Send one echo request per TTL value toward the host given as $1 and keep
# only the first line of ping's output, which names whichever router
# answered with a TTL-exceeded message for that hop.
for ttl in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
do
    ping -t "$ttl" "$1" 1 2>&1 | head -1
done
---8<-------------------

This works on Solaris; syntax may need to change for other pings. In short, this uses ping to simulate a traceroute (in a not as pretty way, mind you).

Personally, I don't let either through.

- Bill

---
William L. Hamlin
Intranet Systems Architect
Convergent Networking Systems, Inc.

On Tue, 7 Apr 1998, Yury German wrote:

> McMaster, Rick wrote:
>
> > I do not have a real problem with ping to and from specific hosts, but I
> > would never allow traceroute through my firewalls. Using traceroute a
> > person can map your entire internal network.
> >
> > Rick
> > ----------
> > >From: Roman Ramirez
> > >To: firewalls
> > >Subject: Questions about ICMP
> > >Date: Wednesday, April 01, 1998 6:27AM
> > >
> > >Hello:
> > >
> > >I have some questions about ICMP filtering, what kind of icmp packets
> > >should I filter?
> >
> With a traceroute you can map the network but with letting ping
> ICMP echo through the firewall you allow the intruder the
> freedom to bring internal servers down with ping of death.
> While most firewalls are immune I will make a strong assumption
> that you have internal hosts which are vulnerable, since most
> system admins do not pay that much attention to security patches.
> Letting Ping inside the firewall is as dangerous if not more dangerous
> than traceroute.
>
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> Yury German                      yury.german@citicorp.com
> Firewall Security Admin          yury_german@yahoo.com
>
>

From firewalls-owner Tue Apr 7 11:22:08 1998
Date: Tue, 07 Apr 1998 19:59:56 +0200
From: Srdjan Pantic
Organization: EUnet Yugoslavia
To: Firewalls@GreatCircle.COM
Subject: Cisco Centri 4.0 Firewall for NT

Is there any experience regarding Cisco Centri 4.0 for NT Firewall?
I tried to install my copy on two different machines and got only two dead NT. Of course, NT servers on both machines worked perfectly previously, with two NIC. We are working very close with Cisco because we, as ISP, are using a lot of Cisco hardware, but I'm very frustrate with that piece of software. Is there any advice regarding Centri or maybe a recommendation for different firewalls for NT? And before we start war: yes, it must be software firewall and OS must be NT. Customer request. Thank you in advance. -- ----- ___ - Srdjan Pantic, System Engineer ---- / / / __ ___ _/_ -- EUnet Yugoslavia --- /--- / / / / /__/ / --- Obilicev venac 4, 11000 Beograd, YU -- /___ /__/ / / /__ / ---- tel:+381 11 3282608,fax:+381 11 3282760 -- ----- http://www.Yugoslavia.EU.net -- Connecting Europe since 1982 - e-mail: spantic@Yugoslavia.EU.net From firewalls-owner Tue Apr 7 14:11:29 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA02980; Tue, 7 Apr 1998 13:50:11 -0700 (PDT) Received: from su1.in.net (su1.in.net [199.0.62.2]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id NAA02971 for ; Tue, 7 Apr 1998 13:50:02 -0700 (PDT) Received: from frankw.in.net (pm1-17.in.net [205.160.202.49]) by su1.in.net (8.8.8/8.6.9) with SMTP id UAA20326; Tue, 7 Apr 1998 20:49:34 GMT Message-Id: <3.0.5.32.19980407155003.007e4d40@in.net> X-Sender: frankw@in.net X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Tue, 07 Apr 1998 15:50:03 -0500 To: "Stout, William" From: Frank Willoughby Subject: RE: socks versus fw-1 stateful inspection vulnerabilities Cc: firewalls@GreatCircle.com In-Reply-To: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 03:05 PM 4/6/98 -0400, Stout, William wrote: I'll be exceedingly kind and say that the Checkpoint Firewall-1 firewall does not meet my level of expectations and I do not deem it worthy enough to recommend to any of 
*my* valued customers. I agree with the NSA's report on the stateful inspection. The NSA does good work. (I also like their style of report-writing, but that's beside the point). 8^) I think that many people are overlooking some important criteria when evaluating firewalls. The Stateful Inspection is just the tip of the iceberg. A few criteria are listed below, others are available in the *free* Firewall Evaluation Checklist which can be downloaded from my company's web site. Here are a few of my *many* crows to pick with the Firewall-1. o You have to put a deny all at the last of the rules to make up for its default stance of being wide open o It encourages people to do stupid (from a security point-of-view) things like permit dangerous (unproxied) services through the firewall - a la' if they support it, it must be OK). o I don't like the security architecture of the firewall o Checkpoint came out and stated that proxies were bad and that SMLI (pronounced "smelly" - IMHO, appropriate somehow) 8^) is much better than proxies. I find it interesting that Checkpoint uses "security servers" (which the rest of us mere mortals call proxies) as this is an apparent reversal of their previous position. If proxies were not secure as Checkpoint previously indicated, then why do they are they on the firewall now? o The only common encryption algorithm used in User->Firewall & Firewall-> Firewall encryption is their own (PROPRIETARY) FWZ1 encryption algorithm. To my knowledge, the source code to FWZ1 has *not* been published, nor has it been subjected to a peer review of expert cryptographers. And this from a company which is supposed to provide security? Bah Humbug. Any beginning InfoSec Analyst knows that proprietary encryption algorithms should be avoided like the plague. Only encryption algorithms which have been published and reviewed by expert cryptographers should be used. 
If the algorithm hasn't been published and reviewed by expert cryptographers, then how do we know it is strong enough & that there are no backdoors into it??? In the past, several companies would claim to have a secure (homegrown) encryption algorithm and would post a challenge to the cypherpunks mailing list for someone to crack it. If they were to do so, they would sell their company for $1.00. 2-3 days later, someone would crack the supposedly unbreakable algorithm and state that the company can keep their dollar. o With proxies & logging enabled, it is *slower* than proxy firewalls. o The NSA (who is no slouch in getting crypto to work) couldn't get Checkpoint's VPN crypto to work. o Checkpoint's lack of support in notifying their customers about the vulnerability that Secure Networks posted. o Checkpoint's denial that the problem even exists (as visible in their note in the Computer Security Institute's Alert newsletter). The above are a few, but how many security problems does a firewall have to have before it is ultimately rejected. You have to remember, we are talking about a security product, not what type of car to buy. It should be evaluated primarily from a security point-of-view (it is, after all, a security product). It doesn't rate a high rating in my book or that of other Information Security Officers I have talked to. But hey, what do we know? We're only Information Security Officers - not Checkpoint marketing dweebs. I would recommend that the audience at large do their *own* research and come to their own conclusions. 'Nuff said. Best Regards, Frank >State vs. proxy is a religious issue for some, but then again, some >swear by MS-Proxy as a firewall. > >I've seen the problem first hand, and the Checkpoint-1 report from the >NSA points this out also. 
>
>The NSA pointed out state-based specific vulnerabilities (which their
>report admits they did not fully test):
>  Exploitation of an allowed service
>  Insider threat - opening up ports to the outside
>  Exploitation of ports opened by a legitimate user
>  Subversion of the stateful packet filtering mechanism
>
>The test "Test 6: Overflow of internal tables" describes the overflow,
>results, and DOS attack. The problem should be fixed by now. Staunch
>defenders of the packet filter faith deny it ever happened. See
>http://mitten.ie.org/fw1/fw1.htm#statefulpacket
>
>Bill Stout

8< [snip]

The opinions of the author of this mail may not necessarily be representative of the opinions of Fortified Networks, Inc.

Fortified Networks, Inc. - http://www.fortified.com/
Home of the Free Internet Firewall Evaluation Checklist
Expert (vendor-neutral) Computer and Network Security Solutions
Phone: (317) 573-0800 Fax: (317) 573-0817

From firewalls-owner Tue Apr 7 16:52:27 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA13224; Tue, 7 Apr 1998 15:11:54 -0700 (PDT)
Received: from poterne.mtl.dmr.ca (poterne.mtl.dmr.ca [198.168.250.4]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id PAA13217 for ; Tue, 7 Apr 1998 15:11:48 -0700 (PDT)
Received: from Montreal-NS002.Mtl.DMR.CA (montreal-ns002.mtl.dmr.ca [205.151.132.3]) by poterne.mtl.dmr.ca (8.6.11/8.6.6a) with SMTP id SAA18485; Tue, 7 Apr 1998 18:17:03 -0400
Received: by Montreal-NS002.Mtl.DMR.CA(Lotus SMTP MTA v1.1 (385.6 5-6-1997)) id 852565DF.007ABDBC ; Tue, 7 Apr 1998 18:20:39 -0400
X-Lotus-FromDomain: DMR-CANADA
From: "Dean Ethier"
To: fw-1-mailinglist@us.checkpoint.com, firewalls@greatcircle.com, firewall-wizards@nfr.net
Message-ID: <872565DF.0077AA4D.00@Montreal-NS002.Mtl.DMR.CA>
Date: Tue, 7 Apr 1998 16:17:15 -0600
Subject: DMZ config question
Mime-Version: 1.0
Content-type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

What's the accepted method for setting up a DMZ? Do I just plug a hub into my firewall and feed my DMZ from that? If one host on the DMZ were compromised, that would leave little protection for anything else on the DMZ. Should one also use a router instead of or in conjunction with a hub to provide some isolation between hosts on the DMZ? What is generally done?

Dean Ethier
DMR Consulting Group Inc

From firewalls-owner Tue Apr 7 17:10:05 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA14784; Tue, 7 Apr 1998 15:23:27 -0700 (PDT)
Received: from vojuro.fi (vojuro.fi [195.10.151.217]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id PAA14740 for ; Tue, 7 Apr 1998 15:23:14 -0700 (PDT)
Received: from localhost (vojin@localhost) by vojuro.fi (8.8.5/8.8.5) with SMTP id BAA24615; Wed, 8 Apr 1998 01:28:17 +0300
Date: Wed, 8 Apr 1998 01:28:16 +0300 (EET DST)
From: Vojin Urosevic
To: Srdjan Pantic
cc: Firewalls@GreatCircle.COM
Subject: Re: Cisco Centri 4.0 Firewall for NT
In-Reply-To: <352A699B.573A@Yugoslavia.EU.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi!

Try this as an alternative www.ntguard.com/guardian3

regards,
Vojin Urosevic
Claxcom LLC
NT & Linux Solutions.

On Tue, 7 Apr 1998, Srdjan Pantic wrote:

> Is there any experience regarding Cisco Centri 4.0 for NT Firewall?
> I tried to install my copy on two different machines and got only two dead
> NT. Of course, NT servers on both machines worked perfectly previously,
> with two NIC.
>
> We are working very close with Cisco because we, as ISP, are using a lot
> of Cisco hardware, but I'm very frustrated with that piece of software.
>
> Is there any advice regarding Centri or maybe a recommendation for different
> firewalls for NT?
>
> And before we start war: yes, it must be software firewall and OS
> must be NT. Customer request.
>
> Thank you in advance.
>
>
> --
> ----- ___ - Srdjan Pantic, System Engineer
> ---- / / / __ ___ _/_ -- EUnet Yugoslavia
> --- /--- / / / / /__/ / --- Obilicev venac 4, 11000 Beograd, YU
> -- /___ /__/ / / /__ / ---- tel:+381 11 3282608, fax:+381 11 3282760
> -- ----- http://www.Yugoslavia.EU.net
> -- Connecting Europe since 1982 - e-mail: spantic@Yugoslavia.EU.net
>

From firewalls-owner Tue Apr 7 17:13:01 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA10688; Tue, 7 Apr 1998 14:55:41 -0700 (PDT)
Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-980202-1) id OAA10680 for firewalls@greatcircle.com; Tue, 7 Apr 1998 14:55:37 -0700 (PDT)
Received: from server.alet.it (dns1.alet.it [195.120.14.11]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id EAA28223 for ; Mon, 6 Apr 1998 04:56:40 -0700 (PDT)
Received: from client2.alet.it (client2.alet.it [195.120.14.21]) by server.alet.it (8.6.12/8.6.9) with SMTP id OAA04157 for ; Mon, 6 Apr 1998 14:02:09 GMT
Message-Id: <199804061402.OAA04157@server.alet.it>
Comments: Authenticated sender is
From: "Alessandro Battaglia"
To: firewalls@GreatCircle.COM
Date: Mon, 6 Apr 1998 14:01:18 +0000
Subject: public web and ftp server
Reply-to: jama@alet.it
X-mailer: Pegasus Mail for Win32 (v2.41)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We maintain domains, web and ftp server in housing and virtual hosting. We would like to purse the access to our web and ftp server by the proxy server but i would like that any Internet user can obtain the information from our servers.

Is it possible? What's the best software to obtain this goal?

Sorry for my english and many thanks in advance for your help. Any advice will be welcome.

_AB_
AleT system manager
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
AleTelematica personalizzata   Tel. +39 50 894002
Alessandro Battaglia                +39 50 981987
V. delle Palanche 2/E          Fax  +39 50 894707
Madonna dell'Acqua (PI) ITALY  http://www.alet.it
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

From firewalls-owner Tue Apr 7 17:52:24 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id RAA28451; Tue, 7 Apr 1998 17:05:17 -0700 (PDT)
Received: from mail.isla.net (mail.isla.net [207.120.81.2]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id RAA28434 for ; Tue, 7 Apr 1998 17:05:09 -0700 (PDT)
Received: from isla.net [207.120.81.34] by mail.isla.net with ESMTP (SMTPD32-4.02) id A2426CF0154; Tue, 07 Apr 1998 20:09:54 -400
Message-ID: <352AC1A3.21BED3E1@isla.net>
Date: Tue, 07 Apr 1998 20:15:31 -0400
From: Carlos Roque
X-Mailer: Mozilla 4.04 [en] (Win95; I)
MIME-Version: 1.0
To: Dean Ethier
CC: fw-1-mailinglist@us.checkpoint.com, firewalls@greatcircle.com, firewall-wizards@nfr.net
Subject: Re: [FW1] DMZ config question
References: <872565DF.0077AA4D.00@Montreal-NS002.Mtl.DMR.CA>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I use a hub between FW and the host at the DMZ (ie WWW server). It works great!

regards
Carlos Roque

Dean Ethier wrote:

> What's the accepted method for setting up a DMZ? Do I just plug a hub into my
> firewall and feed my DMZ from that? If one host on the DMZ were
> compromised, that would leave little protection for anything else on the
> DMZ. Should one also use a router instead of or in conjunction with a hub
> to provide some isolation between hosts on the DMZ? What is generally
> done?
>
> Dean Ethier
> DMR Consulting Group Inc
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================

From firewalls-owner Tue Apr 7 17:52:28 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id QAA23904; Tue, 7 Apr 1998 16:35:24 -0700 (PDT)
Received: from sparc.isl.net (sparc.isl.net [199.3.25.3]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id QAA23895 for ; Tue, 7 Apr 1998 16:35:15 -0700 (PDT)
From: admin8@mauimail.com
Received: from 199.3.25.3 (206-18-113-111.la.inreach.net [206.18.113.111]) by sparc.isl.net (8.8.5/8.8.5) with SMTP id SAA22627; Tue, 7 Apr 1998 18:22:38 -0500 (CDT)
Posted-Date: Tue, 7 Apr 1998 18:22:38 -0500 (CDT)
Date: Tue, 07 Apr 98 16:00:08 EST
To: Friend@public.com
Subject: Registered mail
Message-ID: <>
Reply-To: everyone@somewhere.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

You just stumbled upon something big !

Pt or FT
No competition !
No selling !
Not MLM !
$1 - $5,000 per week from home, within 30 days !
Daily conference calls !
Complete training and support !
Leads available !

Dear Friend,

If you're tired of the hype, then read on. Everyone wants more and we have the system that can get it. Over 20,000 doctors, lawyers, CPA's and business people, last year alone, started using our system to create wealth in their spare time. Many are making in excess of $50,000 per month. Speak to them yourself !

" I'm a chiropractor in Hawaii and use this system in my spare time to consistently make over $4,000 per week ! " Michael F. Makawao, HI

" I'm a single nurse and mom with 5 kids, have been using the system for 18 months, and last year alone, earned $400,000 ! " Melissa F., Parkersburg, IA

" I was a practicing priest for many years, retired and started using this system. Last week I earned $33,000 and bought my wife a new van - CASH " Jim P., Port Angeles, WA

These people were taught how to turn a one time investment into big money ! Is the timing right for you ? Find out on our discovery call. Risk free and pressure free ! We guarantee it !

888 354 3187

To have your name removed from our list, send an email with remove in subject to remove.org. We filter against all universal remove lists.

From firewalls-owner Tue Apr 7 18:06:19 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id RAA28943; Tue, 7 Apr 1998 17:09:10 -0700 (PDT)
Received: from m6.sprynet.com (m6.sprynet.com [165.121.1.89]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id RAA28914 for ; Tue, 7 Apr 1998 17:09:00 -0700 (PDT)
Received: from zepher.milkyway.com (hdn106-020.hil.compuserve.com [206.175.107.20]) by m6.sprynet.com (8.8.5/8.8.5) with SMTP id RAA13449; Tue, 7 Apr 1998 17:14:11 -0700 (PDT)
Message-Id: <3.0.3.32.19980407190402.006d6368@m6.sprynet.com>
X-Sender: jsk347@m6.sprynet.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Tue, 07 Apr 1998 19:04:02 -0400
To: Paul Boyer , "'firewalls@GreatCircle.com'"
From: Steve Kruse
Subject: Re: FW: Virus checking at the firewall level.
In-Reply-To: <01BD5E83.40DBDF40.paulboyer@usa.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

All:

It seems to me that we are missing an important thread here...it is NOT what CVP does to performance that is the real issue. I think we all know that for every level of security we add (be it electronic or human) there is a performance hit. The QUESTION is what price are we willing to PAY to achieve (this particular) level of security???
If I am willing to have minimalist security, I can go with a router with a few filters and get X performance. If I add an Application Gateway Firewall like SecurIT (my brand...substitute yours here ;-) then I have a lot of additional protection but I perhaps have X-1 performance. If I want to add URL blocking, then I might have X-2 performance...etc. Each security admin or manager must make the decision as to what price will I pay for what level of performance. That, IMHO, is the real issue to deal with. Once you make that decision, then you can deal with whether brand X CVP is faster or slower than Brand Y.

Steve Kruse

At 10:04 PM 4/2/98 +0200, Paul Boyer wrote:
>Yes, performance is a big issue :(
>
>I was told trend micro's one at http://www.trendmicro.com is not using CVP for performance reasons.
>
>Has someone experience with it ?
>
>Paul
>
>-----Original Message-----
>From: Doug Drake
>Sent: Wednesday, April 01, 1998 8:59 AM
>To: Gordon LaSane ; Bruno ; firewalls mailing list
>Subject: RE: Virus checking at the firewall level.
>
>Conceptually CVP is a wonderful thing but can you give me any numbers on
>the latency that this process causes on your network? I have not seen
>anything that will show me benchmarks for CVP based virus scanning,
>especially with a firewall and even more with encryption. If I could get
>some good numbers I might be in favor of it. But until then, I like
>speed on my network and virus scanning on the desk top :).
>
>
>
>
>At 04:04 PM 3/31/98 -0500, Gordon LaSane wrote:
>[Paul BOYER] -snip-
>

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.5.3

iQA/AwUBNSqw4eZ40Wmdt8j7EQLunQCgznK1cYgTKUwsL6s7nEIL6y3pXXgAoNoJ
kkWOhx23Q+b3FnwEH+vMhsXj
=2QkH
-----END PGP SIGNATURE-----

***************************************************************************
* Steve Kruse                  skruse@milkyway.com                        *
* Milkyway Networks            jsk347@sprynet.com                         *
* Southern Region Sales Mgr.   PGP Key on most Keyservers                 *
* http://www.milkyway.com      KEY ID: 0x9DB7C8FB                         *
* Support your right to privacy. Encrypt whenever possible!               *
*This sig made from 100% recycled hacking bits stopped by SecurIT Firewall*
***************************************************************************

From firewalls-owner Tue Apr 7 18:33:21 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id RAA02439; Tue, 7 Apr 1998 17:35:33 -0700 (PDT)
Received: from MISsentry.el.nec.com ([192.216.82.86]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id RAA02424 for ; Tue, 7 Apr 1998 17:35:26 -0700 (PDT)
Received: from yginsburg.el.nec.com (yginsburg.el.nec.com [143.103.21.11]) by MISsentry.el.nec.com (8.7.1/8.7.1) with SMTP id RAA09846; Tue, 7 Apr 1998 17:28:41 -0700 (PDT)
Received: by yginsburg.el.nec.com (SMI-8.6/SMI-SVR4) id RAA21081; Tue, 7 Apr 1998 17:28:15 -0700
Date: Tue, 7 Apr 1998 17:28:15 -0700
From: rdew@el.nec.com (Bob De Witt)
Message-Id: <199804080028.RAA21081@yginsburg.el.nec.com>
To: firewalls@GreatCircle.COM, rramirez@encomix.es, Rick_McMaster@freddiemac.com
Subject: RE: Questions about ICMP
Cc: rdew@el.nec.com
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Guys,

Maybe I'm just stupid today, but isn't traceroute just a series of ICMP packets with a specific Time-To-Live set in stages? And if ICMP packets are allowed, how do you block the "traceroute" program?

Bob De Witt,
(old email address: rdew@el.nec.com)
(new email address, after 4/10/98: rdew@...tbd...)

The views expressed herein are my own, and are not attributable to any other source, be it employer, friend or foe.
> From Rick_McMaster@freddiemac.com Mon Apr 6 23:48:50 1998
> From: Rick_McMaster@freddiemac.com (McMaster, Rick)
> To: firewalls@GreatCircle.COM (firewalls), rramirez@encomix.es (Roman Ramirez)
> Mime-Version: 1.0
> Date: Wed, 01 Apr 1998 18:24:46 -0500
> Subject: RE: Questions about ICMP
>
>
> I do not have a real problem with ping to and from specific hosts, but I
> would never allow traceroute through my firewalls. Using traceroute a
> person can map your entire internal network.
>
> Rick
> ----------
> >From: Roman Ramirez
> >To: firewalls
> >Subject: Questions about ICMP
> >Date: Wednesday, April 01, 1998 6:27AM
> >
> >Hello:
> >
> >I have some questions about ICMP filtering, what kind of icmp packets
> >should I filter?
> >
> >In other way, what icmp options can I permit in packets?
> >
> >I'm seeking for a RESTRICTIVE policy, but I need to let ping and
> >traceroute get out and in...
> >
> >Thx in advance
> >
> >--
> >http://www.encomix.es/users/patowc
> >mailto://rramirez@encomix.es
> >
> >
> >
> >
> >------ Message Header Follows ------
> >Received: from mailgate.freddiemac.com by msmail.freddiemac.com
> > (PostalUnion/SMTP(tm) v2.1.9f for Windows NT(tm))
> > id AA-1998Apr01.062736.1065.1051837; Wed, 01 Apr 1998 06:27:37 -0500
> >Received: from hq1xfwa.freddiemac.com (hq1xfwa1.freddiemac.com
> >[204.253.137.238])
> > by mailgate.freddiemac.com (8.8.5/8.8.5) with ESMTP id GAA19896
> > for ; Wed, 1 Apr 1998 06:17:15 -0500 (EST)
> >Received: from relay1.UU.NET (relay1.UU.NET [192.48.96.5]) by
> >hq1xfwa.freddiemac.com (8.8.5/nope) with ESMTP id FAA21482 for
> >; Wed, 1 Apr 1998 05:54:00 -0500 (EST)
> >Received: from honor.greatcircle.com by relay1.UU.NET with ESMTP
> > (peer crosschecked as: honor.greatcircle.com [198.102.244.44])
> > id QQejfh19043; Wed, 1 Apr 1998 06:19:35 -0500 (EST)
> >Received: (majordom@localhost) by honor.greatcircle.com
> >(8.8.5/Honor-Lists-970926-1) id WAA26565; Tue, 31 Mar 1998 22:14:42 -0800
> >(PST)
> >Received: from mesache.encomix.es (mesache.encomix.es [194.143.192.3]) by
> >honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id WAA26533 for
> >; Tue, 31 Mar 1998 22:14:28 -0800 (PST)
> >Received: (qmail 2500 invoked from network); 1 Apr 1998 06:16:35 -0000
> >Received: from hell.encomix.es (HELO encomix.es) (root@194.143.192.22)
> > by mesache.encomix.es with SMTP; 1 Apr 1998 06:16:35 -0000
> >Message-ID: <3521DBD2.B29513E0@encomix.es>
> >Date: Wed, 01 Apr 1998 08:16:50 +0200
> >From: Roman Ramirez
> >Organization: EncomIX
> >X-Mailer: Mozilla 4.04 [en] (X11; I; Linux 2.1.91 i586)
> >MIME-Version: 1.0
> >To: firewalls@GreatCircle.COM
> >Subject: Questions about ICMP
> >Content-Type: text/plain; charset=us-ascii
> >Content-Transfer-Encoding: 7bit
> >Sender: firewalls-owner@GreatCircle.COM
> >Precedence: bulk
> >
> >
> >
>

From firewalls-owner Tue Apr 7 21:16:34 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id UAA12202; Tue, 7 Apr 1998 20:44:54 -0700 (PDT)
Received: from myownemail.com (www.myownemail.com [207.204.37.70]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id UAA12077 for ; Tue, 7 Apr 1998 20:44:29 -0700 (PDT)
From: alchodu@wetwetwet.com
Message-Id: <199804080344.UAA12077@honor.greatcircle.com>
Received: from moby [207.204.37.70] by myownemail.com (SMTPD32-4.02c) id A4841AA00F2; Tue, 07 Apr 1998 22:52:36 CST
Date: Tue, 07 Apr 1998 22:52:36 +0100
Subject: who is responsible?
To: Firewalls@GreatCircle.COM
Reply-To: alchodu@wetwetwet.com
Mime-Version: 1.0
X-Mailer:
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

jasjit, who is responsible for this?? i don't recall any encounter with you. but next time, i gotta love to be responsible for next one. thank you for your invitation. keep it limited, so that you can keep track. i shall give you a cut. is there any connection between you and sandra, available at
Click here for 10 free pics - yours )(*&^%$#@! - chodu in Karachi.

> I am on maternity leave from 04/06/98 till 05/29/98. Please
> try me later.
>
> Thanks!!!
>
_________________________________________
Get your free vanity email address at http://www.MyOwnEmail.com

From firewalls-owner Tue Apr 7 21:36:39 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id UAA11808; Tue, 7 Apr 1998 20:43:37 -0700 (PDT)
Received: from myownemail.com (www.myownemail.com [207.204.37.70]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id UAA11659 for ; Tue, 7 Apr 1998 20:43:09 -0700 (PDT)
From: alchodu@wetwetwet.com
Message-Id: <199804080343.UAA11659@honor.greatcircle.com>
Received: from moby [207.204.37.70] by myownemail.com (SMTPD32-4.02c) id A4332C800DA; Tue, 07 Apr 1998 22:51:15 CST
Date: Tue, 07 Apr 1998 22:51:15 +0100
Subject: who is responsible?
To: Jasjit_K_Singh@sabre.com
Reply-To: alchodu@wetwetwet.com
Cc: Firewalls@GreatCircle.COM
Mime-Version: 1.0
X-Mailer:
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

jasjit, who is responsible for this?? i don't recall any encounter with you. but next time, i gotta love to be responsible for next one. thank you for your invitation. keep it limited, so that you can keep track. i shall give you a cut. is there any connection between you and sandra, available at
Click here for 10 free pics - yours )(*&^%$#@! - chodu in Karachi.

> I am on maternity leave from 04/06/98 till 05/29/98. Please
> try me later.
>
> Thanks!!!
>
_________________________________________
Get your free vanity email address at http://www.MyOwnEmail.com

From firewalls-owner Tue Apr 7 22:42:37 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id SAA10270; Tue, 7 Apr 1998 18:26:24 -0700 (PDT)
Received: from imo26.mx.aol.com (imo26.mx.aol.com [198.81.17.70]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id SAA10245 for ; Tue, 7 Apr 1998 18:26:15 -0700 (PDT)
Received: from Sumlatino@aol.com by imo26.mx.aol.com (IMOv13.ems) id FEUGa02204; Tue, 7 Apr 1998 20:19:59 -0500 (EDT)
From: Sumlatino
Message-ID: <4e5fa8ca.352ac2b2@aol.com>
Date: Tue, 7 Apr 1998 20:19:59 EDT
Mime-Version: 1.0
Subject: hi
Content-type: multipart/mixed; boundary="part0_891994800_boundary"
X-Mailer: AOL 2.5 for Windows sub 2
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This is a multi-part message in MIME format.

--part0_891994800_boundary
Content-ID: <0_891994800@inet_out.mail.aol.com.1>
Content-type: text/plain; charset=US-ASCII

--part0_891994800_boundary
Content-ID: <0_891994800@inet_out.mail.aol.com.2>
Content-type: message/rfc822
Content-transfer-encoding: 7bit
Content-disposition: inline

From: Sumlatino
Return-path:
To: Sumlatino@aol.com
Subject: hi
Date: Tue, 7 Apr 1998 20:09:29 EDT
Organization: AOL (http://www.aol.com)
Mime-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7bit

Click here for FREE pictures

--part0_891994800_boundary--

From firewalls-owner Tue Apr 7 22:51:32 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id VAA16621; Tue, 7 Apr 1998 21:11:21 -0700 (PDT)
Received: from xfrsparc.tic.com (xfrsparc.tic.com [206.225.55.37]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id VAA16554 for ; Tue, 7 Apr 1998 21:11:05 -0700 (PDT)
Received: from casa-pc.tic.com (root@casa-pc.tic.com [206.225.55.34]) by xfrsparc.tic.com (8.8.8/8.8.8) with ESMTP id XAA08351 for ; Tue, 7 Apr 1998 23:16:35 -0500 (CDT)
Received: from casa-pc.tic.com by casa-pc.tic.com (8.8.7/sub.1.6) id XAA02676; Tue, 7 Apr 1998 23:16:35 -0500
Message-Id: <199804080416.XAA02676@casa-pc.tic.com>
To: firewalls@greatcircle.com
Subject: Re: Questions about ICMP
In-reply-to: Your message of "Tue, 07 Apr 1998 17:28:15 PDT." <199804080028.RAA21081@yginsburg.el.nec.com>
Date: Tue, 07 Apr 1998 23:16:35 -0500
From: Smoot Carl-Mitchell
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Maybe I'm just stupid today, but isn't traceroute just a series of ICMP packet
>s
>with a specific Time-To-Live set in stages? And if ICMP packets are allowed,
>how do you block the "traceroute" program?

Traceroute uses UDP packets to a high port number with the TTL incremented by one for each packet sent. It listens for the ICMP Time Expired packets returning. That is where it derives the IP addresses of each hop.

Smoot Carl-Mitchell
Texas Internet Consulting
1106 Clayton Lane, Suite 500W
Austin, TX 78723
+1 512 451-6176

From firewalls-owner Tue Apr 7 22:52:21 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id TAA25339; Tue, 7 Apr 1998 19:33:52 -0700 (PDT)
Received: from sitc.sarawak.gov.my (sitc.sarawak.gov.my [202.185.166.10]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id TAA25307 for ; Tue, 7 Apr 1998 19:33:44 -0700 (PDT)
Received: from sis_gateway.sains.com.my (unverified [202.185.166.11]) by sitc.sarawak.gov.my (EMWAC SMTPRS 0.83) with SMTP id ; Wed, 08 Apr 1998 10:39:04 +0800
Message-Id: <199804080239-56977@sains.com.my>
Date: Wed, 08 Apr 1998 10:39:10
X-Mailer: Microsoft Mail with Intergate/SMTP (v1.Free)
From: TSWONG@sains.com.my (Wong Teck Seng,SAINS)
To: firewalls@GreatCircle.COM
Cc: TSWONG@sains.com.my
Subject: Server Sizing
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi, all:

I wonder if the above topic is applicable here.
I am conducting applied research on the right sizing of server for the following application:

a) Proxy Server
b) Certificate Server
c) Directory Server

The mentioned servers are Netscape product. Has anyone conducted this applied research? I would like to know if there are criteria and tools that I need to take into consideration for my research. Also, I wonder if there is any good web site for me to start on this topic.

I would be focusing on two major platforms:

a) WinTel (Window NT and Intel)
b) UNIX (RISC architecture); preferably SOLARIS on SUN.

Deeply appreciate your great advice and help.

regards,
Teck Seng

From firewalls-owner Tue Apr 7 23:49:40 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id UAA07212; Tue, 7 Apr 1998 20:24:12 -0700 (PDT)
Received: from mailman.cisco.com (mailman.cisco.com [171.68.225.9]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id UAA07199 for ; Tue, 7 Apr 1998 20:24:05 -0700 (PDT)
Received: from clonvick-pc.cisco.com (clonvick-isdn.cisco.com [171.70.238.6]) by mailman.cisco.com (8.8.5-Cisco.2-SunOS.5.5.1.sun4/CISCO.SERVER.1.2) with SMTP id UAA11728; Tue, 7 Apr 1998 20:28:42 -0700 (PDT)
Message-Id: <3.0.32.19980407222630.0070c368@localhost>
X-Sender: clonvick@localhost
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Tue, 07 Apr 1998 22:26:37 -0500
To: "Dean Ethier", fw-1-mailinglist@us.checkpoint.com, firewalls@GreatCircle.COM, firewall-wizards@nfr.net
From: Chris Lonvick
Subject: Re: DMZ config question
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

Some random thoughts:

Use a switch - If any one system on the DMZ is compromised, then an attacker may be able to set up tcpdump (or similar) to capture usernames and passwords. With a switch, the attacker will only be able to get passwords on the same system that he has already compromised. He could get that from running crack. A hub will allow the sniffer package to see all traffic, including the traffic from your internal devices to the rest of the Internet. You could use a router, but that gets much more expensive if you have several DMZ devices.

Don't extend trust between the DMZ devices - If an attacker can compromise one system, you don't want them to be able to use the same password to compromise the other devices. Similarly, don't use trusting protocols like NFS between your DMZ devices.

Use your screening router to direct traffic - You want only sessions to tcp/80 (http) to go to your web server (..ok, maybe you also want tcp/443, but that depends upon what you're doing), tcp/21 and tcp/20 to go to your FTP server, and tcp/25 to go to your mail server. Do you want any inbound tcp sessions to go to your firewall? If not, then set up filters to disallow them. Do you want outbound sessions initiated from your web server or ftp server? If not, then disallow those as well.

Use your screening router to filter traffic - You may want to stop such things as spoofing, directed broadcasts, and source routing. You may also want to limit, or eliminate, ICMP messages.

Hope this helps,
Chris Lonvick
Cisco Systems Consulting Engineering
Houston, TX, USA
+1.713.778.5663

At 04:17 PM 4/7/98 -0600, Dean Ethier wrote:
>
>What's the accepted method for setting up a DMZ? Do I just plug a hub into my
>firewall and feed my DMZ from that? If one host on the DMZ were
>compromised, that would leave little protection for anything else on the
>DMZ. Should one also use a router instead of or in conjunction with a hub
>to provide some isolation between hosts on the DMZ? What is generally
>done?
>
>Dean Ethier
>DMR Consulting Group Inc
>
>
>
>

From firewalls-owner Tue Apr 7 23:51:14 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id TAA24613; Tue, 7 Apr 1998 19:30:24 -0700 (PDT)
Received: from m6.sprynet.com (m6.sprynet.com [165.121.2.89]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id TAA24555 for ; Tue, 7 Apr 1998 19:30:07 -0700 (PDT)
Received: from zepher.milkyway.com (hdn94-003.hil.compuserve.com [209.154.56.3]) by m6.sprynet.com (8.8.5/8.8.5) with SMTP id TAA04524; Tue, 7 Apr 1998 19:35:17 -0700 (PDT)
Message-Id: <3.0.3.32.19980407210033.006d1b98@m6.sprynet.com>
X-Sender: jsk347@m6.sprynet.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Tue, 07 Apr 1998 21:00:33 -0400
To: "Stout, William" , "'Firewalls@GreatCircle.COM'"
From: Steve Kruse
Subject: Re: Unwanted data appears inside firewalled network
In-Reply-To:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 04:00 PM 4/3/98 -0500, Stout, William wrote:
>
>Unwanted data continues to infiltrate our protected network via SMTP,
>HTTP, NNTP, floppy disks, RAS connections, and VPNs .
>
>We have a strong firewall. What gives?
>
>
>Firewalls based on the OSI layers don't work. We need AI/fuzzy logic
>(OSI layer 8 = intelligence?).
>
>Say a cracker builds network attack at OSI layer three. You build a
>perimeter wall up to layer three, called a packet filter to his traffic
>out of your domain.

An early "solution"...only partly effective as you suggest.

>
>The cracker builds an application attack. You raise your perimeter wall
>to layer seven with a proxy.
>The cracker builds onto that application (viruses, SPAM, etc). The
>cracker is looking over your wall again. Now what? We ran out of OSI
>layers to build our wall.

Did we? By the addition of CVP, anti-spamming code, etc. we have effectively built that sort of thing now, haven't we? Of course the more we add to our solution, the more price we pay in performance. What am I missing here?

>
>We're mentally confined to this completely artificial layer model.
>Crackers aren't. We could build an AI system on the perimeter wall to
>add intelligence on the firewall. Or we could build a network-wide
>management system (tied into firewalls, virus scanners, & IDS probes) to
>create a 'ceiling' across the perimeter walls.

The AI concept is good, of course, but at what price? As network connections get faster and faster, the firewall performance vs. need for security paradigm gets fuzzier and fuzzier. I don't think every organization can afford massively parallel computing for a firewall. Nor do I believe that most can deal with maintaining multiple layers of security from multiple vendors, if for no other reason than the training it would require. I don't like to think of myself as one who thinks only "inside the box" but I'm not sure I see how to implement AI in a reasonable package that can keep up with increasing bandwidth demands (at least at an affordable price) at the Firewall Level.

Carrying the concept to a "big brother" syndrome where we have AI that is tied to all of the pieces (Firewall, IDS, Routers, Servers, Desktops...etc) didn't IBM build that once (something called "Netview"??) At least the idea was similar as I recall. Design an interface that can talk to one of ANYTHING and report it on a single screen. Interpret all of the messages from all of the devices, put them into plain english (or the language of YOUR country) so the semi-skilled can watch a single monitor? Maybe, again, I'm missing something big, but that concept hasn't flown for the masses as yet at least that I know of. SNMP was going to do that too, but became a big security headache all by itself.

I'd love to hear where we, as a firewall vendor community, can go with this to meet Bill's idea.
I'd love to see AI as an integral part of the security package. But as our friends in Redmond don't quite ask, it's not "Where do you want to go today?", it's "How the heck do we get there today???" Steve Kruse > >Bill Stout > -----BEGIN PGP SIGNATURE----- Version: PGP for Personal Privacy 5.5.3 iQA/AwUBNSrMMOZ40Wmdt8j7EQLT8wCfUjUUF77/A7n+W9ifId87wFUFWFMAn3qq ixwtCiFRiLSamL213d9YIgKQ =5R0p -----END PGP SIGNATURE----- *************************************************************************** * Steve Kruse skruse@milkyway.com * * Milkyway Networks jsk347@sprynet.com * * Southern Region Sales Mgr. PGP Key on most Keyservers * * http://www.milkyway.com KEY ID: 0x9DB7C8FB * * Support your right to privacy. Encrypt whenever possible! * *This sig made from 100% recycled hacking bits stopped by SecurIT Firewall* *************************************************************************** From firewalls-owner Wed Apr 8 01:42:26 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA17208; Tue, 7 Apr 1998 23:56:01 -0700 (PDT) Received: from pugmarks.whowho.com (pugmarks.whowho.com [206.114.196.79]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id XAA16974 for ; Tue, 7 Apr 1998 23:55:03 -0700 (PDT) Received: from localhost (natrajs@localhost) by pugmarks.whowho.com (8.8.7/8.7.3) with SMTP id CAA09172 for ; Wed, 8 Apr 1998 02:55:21 -0500 (CDT) Date: Wed, 8 Apr 1998 02:55:21 -0500 (CDT) From: Powertel Boca Ltd To: firewalls@greatcircle.com Subject: Livingston's IRX211 firewall router Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi , Has anyone out there installed the IRX211 firewall route from Livingston . How does the IRX211 compare with Cisco's PIX ? And a basic question ... Is a Firewall router better than the software implementation such as through Checkpoint etc. Or do they complement each other ? 
Thanks,
Nataraj, S

From firewalls-owner Wed Apr 8 02:15:30 1998
From: "Gaurav Sabharwal"
Date: Wed, 8 Apr 1998 08:47:36 +0530
Subject: RE: Cisco Centri 4.0 Firewall for NT
Message-ID: <000301bd629c$e1126020$a0f2558b@gauravs.hss.hns.com>
In-Reply-To: <352A699B.573A@Yugoslavia.EU.net>

We had installed a Cisco Centri eval copy about a month ago. If I am not mistaken, Cisco recommends that the NT box should be running SP2 and NOT SP3. I know that SP2 is hell, but this is what Cisco recommended. It worked perfectly for us on 2 NT boxes, but we didn't go for the same.

If you are looking for an NT-based firewall, I would suggest Raptor. Pretty good.

Regards,
Gaurav Sabharwal
gauravs@hss.hns.com
http://www.hssworld.com
http://www.hns.com
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Always remember you're unique, just like everyone else.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

| -----Original Message-----
| From: firewalls-owner@GreatCircle.COM [mailto:firewalls-owner@GreatCircle.COM] On Behalf Of Srdjan Pantic
| Sent: Tuesday, April 07, 1998 11:30 PM
| To: Firewalls@GreatCircle.COM
| Subject: Cisco Centri 4.0 Firewall for NT
|
| Is there any experience regarding Cisco Centri 4.0 for NT Firewall?
| I tried to install my copy on two different machines and got only two dead
| NT. Of course, NT servers on both machines worked perfectly previously,
| with two NICs.
|
| We are working very closely with Cisco because we, as an ISP, are using a lot
| of Cisco hardware, but I'm very frustrated with that piece of software.
|
| Is there any advice regarding Centri or maybe a recommendation for different
| firewalls for NT?
|
| And before we start a war: yes, it must be a software firewall and the OS
| must be NT. Customer request.
|
| Thank you in advance.
|
| --
| Srdjan Pantic, System Engineer, EUnet Yugoslavia
| Obilicev venac 4, 11000 Beograd, YU
| tel: +381 11 3282608, fax: +381 11 3282760
| http://www.Yugoslavia.EU.net
| Connecting Europe since 1982 - e-mail: spantic@Yugoslavia.EU.net

From firewalls-owner Wed Apr 8 02:15:37 1998
From: "Michael H. Warfield"
To: rdew@el.nec.com (Bob De Witt)
Cc: firewalls@GreatCircle.COM, rramirez@encomix.es, Rick_McMaster@freddiemac.com, rdew@el.nec.com
Date: Tue, 7 Apr 1998 22:09:41 -0400 (EDT)
Subject: Re: Questions about ICMP
Message-Id: <199804080209.WAA03347@alcove.wittsend.com>
In-Reply-To: <199804080028.RAA21081@yginsburg.el.nec.com> from Bob De Witt at "Apr 7, 98 05:28:15 pm"

All,

Bob De Witt enscribed thusly:

> Guys,
> Maybe I'm just stupid today, but isn't traceroute just a series of ICMP packets
> with a specific Time-To-Live set in stages? And if ICMP packets are allowed,
> how do you block the "traceroute" program?

Close but not quite. Most traceroutes work by sending out UDP packets to varying port numbers and varying TTLs. Quite often you start off with a particular port and a TTL of 1 and increment each for each hop. An ICMP return of TTL expired returns the IP address of that hop. The port number is a double check on the depth.

What this means is that traceroute, in most cases, can be blocked either by blocking UDP in the "outbound" direction or by blocking ICMP in the "inbound" direction.

I say most cases because I know of certain flavors of traceroute on Windows NT which use ICMP on both sides, the sending and the return. Of course the return side has to be ICMP. The sending side, in this case, is also ICMP due to some incredibly typical brain damage in the Windows socket library that screws with the classical traceroute paradigm of incrementing TTL and incrementing ports on a UDP socket.

So... You can block someone from tracerouting around your network just by inhibiting UDP at your firewall... A WISE MOVE ANYWAYS!

> Bob De Witt,
> (old email address: rdew@el.nec.com)
> (new email address, after 4/10/98: rdew@...tbd...)
> The views expressed herein are my own,
> and are not attributable to any other
> source, be it employer, friend or foe.
>
> > From Rick_McMaster@freddiemac.com Mon Apr 6 23:48:50 1998
> > From: Rick_McMaster@freddiemac.com (McMaster, Rick)
> > To: firewalls@GreatCircle.COM (firewalls), rramirez@encomix.es (Roman Ramirez)
> > Date: Wed, 01 Apr 1998 18:24:46 -0500
> > Subject: RE: Questions about ICMP
> >
> > I do not have a real problem with ping to and from specific hosts, but I
> > would never allow traceroute through my firewalls. Using traceroute a
> > person can map your entire internal network.
> >
> > Rick
> > ----------
> > > From: Roman Ramirez
> > > To: firewalls
> > > Subject: Questions about ICMP
> > > Date: Wednesday, April 01, 1998 6:27AM
> > >
> > > Hello:
> > >
> > > I have some questions about ICMP filtering: what kind of ICMP packets
> > > should I filter?
> > >
> > > Put another way, what ICMP options can I permit in packets?
> > >
> > > I'm seeking a RESTRICTIVE policy, but I need to let ping and
> > > traceroute get out and in...
> > >
> > > Thx in advance
> > >
> > > --
> > > http://www.encomix.es/users/patowc
> > > mailto://rramirez@encomix.es

Mike
--
Michael H. Warfield (The Mad Wizard) | (770) 985-6132 | mhw@WittsEnd.com
                                     | (770) 925-8248 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | PGP Key: 0xDF1DD471
An optimist believes we live in the best of all possible worlds. A pessimist is sure of it!

From firewalls-owner Wed Apr 8 05:18:53 1998
From: Nuno Guarda
To: firewalls@GreatCircle.COM
Date: Wed, 08 Apr 1998 10:00:29 +0200
Subject: RE: Questions about ICMP
Message-Id: <3.0.1.32.19980408100029.00c8f100@mail.lr.isla.pt>

At 17:28 07-04-1998 -0700, you wrote:

> Guys,
>
> Maybe I'm just stupid today, but isn't traceroute just a series of ICMP packets
> with a specific Time-To-Live set in stages? And if ICMP packets are allowed,
> how do you block the "traceroute" program?
>

Blocking "outbound" ICMP message types 3 (destination unreachable: host, network, port or other) and 11 (time exceeded).
Nuno
-----------------------------------------------------------
Nuno Guarda
Centro de Informatica (CI), ISLA - Leiria
Rua da Cooperativa, S.Romao, Leiria, 2410 Leiria - Portugal
Tel: +351 (44) 820650  Fax: +351 (44) 813021

From firewalls-owner Wed Apr 8 05:22:55 1998
From: Jean-Christophe Touvet
To: rdew@el.nec.com (Bob De Witt)
Cc: firewalls@greatcircle.com, rramirez@encomix.es, Rick_McMaster@freddiemac.com
Date: Wed, 08 Apr 1998 13:33:52 +0200
Subject: Re: Questions about ICMP
Message-Id: <199804081133.NAA28648@champagne.edelweb.fr>
In-reply-to: <199804080028.RAA21081@yginsburg.el.nec.com>

> Maybe I'm just stupid today, but isn't traceroute just a series of ICMP
> packets
> with a specific Time-To-Live set in stages?

Actually, there are two main flavors of traceroute:

1. UNIX (Van Jacobson's): high-numbered UDP ports incoming (usually UDP ports 33434 + 3*TTL), ICMP_TIMXCEED or ICMP_UNREACH_PORT outgoing
2. Windows: ICMP_ECHO incoming, ICMP_TIMXCEED or ICMP_ECHOREPLY outgoing

Any IP protocol could be used. Incidentally, we have developed a TCP variant which works very well.

> And if ICMP packets are allowed,
> how do you block the "traceroute" program?

You can't.

-JCT-

From firewalls-owner Wed Apr 8 05:24:51 1998
From: Frank Cini
To: "'jama@alet.it'", "firewalls@GreatCircle.COM"
Date: Wed, 8 Apr 1998 03:52:43 -0400
Subject: RE: public web and ftp server
Message-ID: <01BD62A1.FAC96040@ntsvr9-30.idirect.com>

Alessandro,

I am not sure what you mean by "purse the access to our web and ftp servers by the proxy server". I'm going to assume that "purse" is misspelled and you mean pause, or stop, the access. I can think of two possible ways (without buying extra hardware or software).

1) From the FTP and Web server - In your config files for the ftp and http server, you should be able to deny access from the proxy IP. This should work even if all three servers are on the same machine by denying access from 0.0.0.0

2) Alternatively, blocking from the proxy to those sites may also be possible.

Both of these will only eliminate the proxy users from being able to access your FTP and Web sites. ... on second thought, these schemes would probably eliminate a majority of them, since they wouldn't know how to remove the proxy configuration from their web browser and ftp client ;-)

My apologies if I have misinterpreted what you were trying to express.

Regards,
--Frank

-----Original Message-----
From: Alessandro Battaglia [SMTP:jama@server.alet.it]
Sent: April 6, 1998 10:01 AM
To: firewalls@GreatCircle.COM
Subject: public web and ftp server

We maintain domains, web and ftp servers in housing and virtual hosting. We would like to purse the access to our web and ftp server by the proxy server, but I would like that any Internet user can obtain the information from our servers. Is it possible? What's the best software to obtain this goal?

Sorry for my English and many thanks in advance for your help. Any advice will be welcome.

_AB_
AleT system manager
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
AleTelematica personalizzata      Tel. +39 50 894002
Alessandro Battaglia              +39 50 981987
V. delle Palanche 2/E             Fax +39 50 894707
Madonna dell'Acqua (PI) ITALY     http://www.alet.it
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

From firewalls-owner Wed Apr 8 05:27:32 1998
From: fauquet@matranet.com (Xavier Fauquet)
To: Powertel Boca Ltd
CC: firewalls@greatcircle.com
Date: Wed, 08 Apr 1998 13:43:23 +0200
Subject: Re: Livingston's IRX211 firewall router
Message-ID: <352B62DB.69019BB8@matranet.com>

I would say that they complement each other. You have better log capabilities on a software firewall than on a router. You could also have fine tuning for specific filtering with software that you cannot have with hardware. That is my personal point of view. I have already installed filtering routers with proxy firewalls.

Max

Powertel Boca Ltd wrote:
>
> Hi,
>
> Has anyone out there installed the IRX211 firewall router from Livingston?
> How does the IRX211 compare with Cisco's PIX?
>
> And a basic question ...
>
> Is a firewall router better than the software implementation such as
> through Checkpoint etc.? Or do they complement each other?
>
> Thanks
>
> Nataraj, S

From firewalls-owner Wed Apr 8 05:30:16 1998
From: Bennett Todd
To: firewalls@greatcircle.com
Cc: alien@netcomuk.co.uk
Date: Wed, 8 Apr 1998 04:18:48 -0700
Subject: Re: fw-1 stateful inspection vulnerabilities
Message-Id: <19980408041848.50142@waltz.rahul.net>

1998-04-06-21:34:55 Pete Philips:
> While on the subject of stateful inspection engines, what do people
> perceive as the fundamental problems with such an approach?

``Stateful inspection'' is an interesting hack. In theory it can do amazing things. Of course, the difference between theory and practice is a lot bigger in practice than it is in theory.

In practice, for many jobs an application proxy is a better structure; use the IP stack on a good OS to reassemble the TCP stream, pass that up to a local application-layer proxy, examine it, rewrite it if you think that'll make it taste better, then let the OS's IP stack assemble a new packet stream out the other side.

Most or all of the same jobs could in theory be done by a stateful packet filter, as long as it has rewriting rules to let it modify the packets as they go by. The problem is, for anything fancy --- like examining and maybe modifying the TCP data stream --- the state rules get intractably complex. To do this kind of magic you end up having to rewrite large parts of a complete TCP/IP implementation --- most notoriously packet reassembly --- in the lowest-level, most cryptic ``language'' you'll find anywhere. State machines are not easy to write, debug, or maintain.

Your basic screening router packet filter can make only simple go/no-go decisions based on what it sees in the current packet. This is useful for a good many jobs. Further, they're the fastest security perimeter, and work well with things like Cisco's HSRP to provide really rocking high availability.

Application proxies are terrific at handling the really complex tasks: stripping applets from HTTP traffic, trying to prevent people from mugging poor innocent sendwhales inside your borders, etc. They own this territory with no competition, and it's worth getting the best platform for comfortable deployment of application proxies. I am really looking forward to CMW features hitting the better OSes --- e.g. Orange Linux (btw, anybody have a current link for that project? My old bookmark has gone dead).

Packet filters with state rules mostly enjoy the disadvantages of both camps: they're slower than straight routers (AFAIK there's no stateful inspection firewall that can pass bits with the speed of a high-end router); their state makes "high-availability" solutions much, much more complex and fragile than HSRP; and on the other hand they still don't really effectively look into the data stream and manipulate it in complex ways.

The one big edge of a stateful packet filter is that sometimes there are protocols you need to pass through, and sometimes it's less work to impose light restrictions and constraints with a simple stateful inspection ruleset than to try to write a (possibly very complex) application-level proxy. In that sort of circumstance the additional restrictions that state tables let you impose can be helpful.
-Bennett

From firewalls-owner Wed Apr 8 06:06:46 1998
From: "Gregory D. Otto"
To: Smoot Carl-Mitchell, firewalls@GreatCircle.COM
Date: Wed, 08 Apr 1998 07:34:39 -0500
Subject: Re: Questions about ICMP
Message-Id: <3.0.3.32.19980408073439.00998520@mail.newf.com>
In-Reply-To: <199804080416.XAA02676@casa-pc.tic.com>

Or in the case of Microsoft it is ICMP messages!!!

Greg

At 11:16 PM 4/7/98 -0500, Smoot Carl-Mitchell wrote:
>> Maybe I'm just stupid today, but isn't traceroute just a series of ICMP packets
>> with a specific Time-To-Live set in stages? And if ICMP packets are allowed,
>> how do you block the "traceroute" program?
>
> Traceroute uses UDP packets to a high port number with the TTL incremented by
> one for each packet sent. It listens for the ICMP Time Expired packets
> returning. That is where it derives the IP addresses of each hop.
>
>
> Smoot Carl-Mitchell
> Texas Internet Consulting
> 1106 Clayton Lane, Suite 500W
> Austin, TX 78723
>
> +1 512 451-6176
>

=====================================================================
| Greg Otto                      e-mail: gdo@newf.com               |
| Network Engineer               voice:  (713) 718-1358             |
| New Frontier Consulting, Inc.  fax:    (713) 718-1359             |
| Houston, Texas                 www:    http://www.newf.com        |
=====================================================================

From firewalls-owner Wed Apr 8 06:13:30 1998
From: Jeff Kalwerisky
Reply-To: "jeffk@secure-it.net"
To: "firewalls@GreatCircle.COM"
Date: Wed, 8 Apr 1998 08:45:13 -0400
Organization: SecureIT
Subject: RE: socks versus fw-1 stateful inspection vulnerabilities
Message-ID: <01BD62CA.A786B120.jeffk@secure-it.net>

Dear Frank:

It seems like we cannot avoid the quasi-religious, all-or-nothing, "I know what's best" arguments on this discussion group. In response to some of your humble and self-effacing sentiments:

> I'll be exceedingly kind and say that the Checkpoint Firewall-1 firewall
> does not meet my level of expectations and I do not deem it worthy enough
> to recommend to any of *my* valued customers.

Well, dog my cats. That's the most serious criticism since, well, the Justice Department: Check Point (please note the spelling) have the effrontery to make and even market a product that doesn't meet your "expectations". What exactly shall they do to be worthy of your customers (presumably the plural there implies at least 2)? BTW, thanks for being "kind"; I'm sure Check Point appreciates the honor.

> I agree with the NSA's report on the stateful inspection. The NSA does good work. (I also like their style of report-writing, but that's beside the point). 8^)

Thank goodness for that. I was really, really worried my tax dollars funding the NSA were being wasted on stuff like supercomputers or breaking the enemy's codes. Also, if you hadn't agreed with their report, Congress would presumably have to fire 'em ...

> I think that many people are overlooking some important criteria when evaluating firewalls. The Stateful Inspection is just the tip of the iceberg. A few criteria are listed below, others are available in the *free* Firewall Evaluation Checklist which can be downloaded from my company's web site.

Thanks for all the free, humble stuff. We will all be sure to use them to build our businesses or for making mission-critical decisions in a non-religious, objective way.

Enough, enough, enough. Let's try to keep our esteemed discussion group on point and avoid the "trash my unfavorite vendor" syndrome. It just makes everyone testy.

More to the point, computer security proponents will never be regarded as "professionals" by senior management as long as we show ourselves incapable of rational argument, understanding that the world is not and never will be perfect and that there are elements of business risk associated with every course of action. Ranting and raving about technical imperfections, without looking at the business needs, is guaranteed to keep security on a low, "techie" back burner in the Board rooms.
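The "Questions about ICMP" thread above (Warfield, Guarda, Touvet, Carl-Mitchell) argues about how traceroute works and which filter stops it. Below is an added simulation, not code from any of the posters: it models the two probe flavours Touvet lists (UDP with rising TTL, and ICMP echo as on Windows), replays each against the two filtering choices proposed (drop inbound UDP to the traceroute port range, or drop outbound ICMP types 3 and 11), and adds a small check over a firewall deny log for a traceroute sweep. The hop names, the 33434 + 3*TTL port scheme (taken from Touvet's figure) and the log records are constructed assumptions.

```python
"""Simulated traceroute probes vs. the firewall policies proposed in the thread.
Constructed example: hop names, port scheme and drop records are assumptions."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Sequence, Set, Tuple

UNIX_BASE_PORT = 33434  # base of the Van Jacobson traceroute port range


@dataclass(frozen=True)
class Probe:
    proto: str          # "udp" (UNIX traceroute) or "icmp" (Windows tracert)
    ttl: int
    dport: int = 0      # UDP destination port; unused for ICMP probes
    icmp_type: int = 0  # 8 = echo request for the Windows-style probe


@dataclass(frozen=True)
class Reply:
    sender: str
    icmp_type: int      # 11 = time exceeded, 3 = unreachable, 0 = echo reply
    icmp_code: int = 0  # 3 = port unreachable (only meaningful for type 3)


@dataclass(frozen=True)
class Policy:
    name: str
    deny_inbound_udp_ports: range = range(0)                # UDP dports dropped on entry
    deny_outbound_icmp_types: FrozenSet[int] = frozenset()  # ICMP types dropped on exit


def unix_probe(ttl: int) -> Probe:
    """UNIX traceroute: UDP to a high port, 33434 + 3*TTL (Touvet's figure, assumed)."""
    return Probe("udp", ttl, dport=UNIX_BASE_PORT + 3 * ttl)


def windows_probe(ttl: int) -> Probe:
    """Windows tracert: ICMP echo request with the TTL raised in stages."""
    return Probe("icmp", ttl, icmp_type=8)


def inbound_allowed(probe: Probe, policy: Policy) -> bool:
    """Firewall decision on a probe arriving from outside."""
    return not (probe.proto == "udp" and probe.dport in policy.deny_inbound_udp_ports)


def outbound_allowed(reply: Reply, policy: Policy) -> bool:
    """Firewall decision on an ICMP reply leaving the protected network."""
    return reply.icmp_type not in policy.deny_outbound_icmp_types


def reply_for(probe: Probe, path: Sequence[str]) -> Reply:
    """Reply from the hop where the probe's TTL expires, or from the target.

    path[0] is the firewall, path[-1] the target. A TTL below the path length
    expires at path[ttl-1], which answers with time exceeded (type 11); the
    target answers port unreachable (3/3) to UDP and echo reply (0) to echo.
    """
    if probe.ttl < len(path):
        return Reply(path[probe.ttl - 1], 11)
    if probe.proto == "udp":
        return Reply(path[-1], 3, 3)
    return Reply(path[-1], 0)


def trace(make_probe: Callable[[int], Probe], path: Sequence[str], policy: Policy) -> List[str]:
    """Hops as the outside tracer sees them: one name per TTL, '*' when filtered.

    Simplification: inbound rules apply to every probe the firewall receives
    (even one that expires on it) and outbound rules to every reply leaving.
    """
    seen: List[str] = []
    for ttl in range(1, len(path) + 1):
        probe = make_probe(ttl)
        if not inbound_allowed(probe, policy):
            seen.append("*")
            continue
        reply = reply_for(probe, path)
        seen.append(reply.sender if outbound_allowed(reply, policy) else "*")
    return seen


def traceroute_sources(drops: Sequence[Tuple[str, str, int, int]]) -> List[str]:
    """Sources whose dropped (src, proto, dport, ttl) records look like a UNIX
    traceroute sweep: UDP into the traceroute port range with >= 3 distinct TTLs."""
    ttls: Dict[str, Set[int]] = {}
    for src, proto, dport, ttl in drops:
        if proto == "udp" and UNIX_BASE_PORT <= dport < UNIX_BASE_PORT + 100:
            ttls.setdefault(src, set()).add(ttl)
    return sorted(src for src, found in ttls.items() if len(found) >= 3)


# Constructed path: firewall, one interior router, the target web host.
PATH = ["fw.example.test", "rtr1.example.test", "www.example.test"]
ALLOW_ALL = Policy("allow everything")
# Warfield's suggestion: inhibit UDP at the firewall (here just the traceroute range).
DROP_INBOUND_UDP = Policy("drop inbound UDP 33434-33534", range(33434, 33535))
# Guarda's suggestion: drop outbound ICMP types 3 and 11.
DROP_OUTBOUND_ICMP = Policy("drop outbound ICMP 3 and 11", range(0), frozenset({3, 11}))
# Constructed deny-log records: (src, proto, dport, ttl).
SAMPLE_DROPS = [("203.0.113.7", "udp", 33437, 1), ("203.0.113.7", "udp", 33440, 2),
                ("203.0.113.7", "udp", 33443, 3), ("198.51.100.9", "udp", 33437, 1),
                ("198.51.100.9", "udp", 53, 64)]
```

Dropping inbound UDP blinds the UNIX flavour but, as Touvet says, leaves the ICMP-echo flavour working; dropping outbound types 3 and 11 hides every interior hop from both, yet the target still answers the last echo with an echo reply unless that is filtered too, which is the trade-off Ramirez faces when he wants ping to keep working.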
From firewalls-owner Wed Apr 8 07:25:19 1998
From: Christopher Zarcone
To: firewalls@greatcircle.com
Reply-to: Christopher Zarcone
Date: Wed, 08 Apr 1998 09:19:53 -0400 (EDT)
Subject: RE: Questions about ICMP
Message-id: <199804081319.JAA02902@data.camelot>

traceroute works by sending *UDP* packets with short TTLs. The packets are sent to a random high-numbered port on the target host.

ICMP is used for the reply messages, of which there are two:

- Time exceeded (sent by a router when the packet's TTL expires)
- Unreachable port (sent by the target host, because there is no service listening on the random high-numbered port, well at least you hope there isn't :)

Regards,

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Christopher Zarcone - Data Communications Design Analyst
Lockheed Martin Enterprise Information Systems
czarcone@vf.lmco.com * Chris.Zarcone@lmco.com * czarcone@acm.org
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
My opinions do not necessarily reflect those of my employer.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

> Guys,
> Maybe I'm just stupid today, but isn't traceroute just a series of ICMP packets
> with a specific Time-To-Live set in stages? And if ICMP packets are allowed,
> how do you block the "traceroute" program?

From firewalls-owner Wed Apr 8 09:38:07 1998
From: Michael Simonyi
Reply-To: "msimonyi@woodbridge.com"
To: "'Firewalls@GreatCircle.COM'"
Date: Wed, 8 Apr 1998 12:00:30 -0400
Organization: woodbridge.com
Subject: Ascend Pipline 25
Message-Id: <01BD62E5.EE1924E0.msimonyi@woodbridge.com>

Does anyone know of or heard of security issues with an Ascend Pipeline 25?

Mike

From firewalls-owner Wed Apr 8 11:13:08 1998
From: Jeff Rubin
To: firewalls@GreatCircle.COM
Date: Wed, 8 Apr 1998 10:25:08 -0400 (EDT)
Subject: Packet Filtering Router vs. Firewall Implementation
In-Reply-To: <199804081408.HAA10152@honor.greatcircle.com>

Currently we have a firewall in place in our internal network (running Raptor). We have a number of external hosts (web, mail, news) that are currently being protected via a packet filtering router. I was wondering about the pros and cons of staying with the router vs. installing an external firewall?
Thank you,

Jeffrey Rubin
jhrubin@callisto.syr.edu

From firewalls-owner Wed Apr 8 12:51:15 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA11146; Wed, 8 Apr 1998 09:58:13 -0700 (PDT)
Received: from main.geminisecure.com (main.geminisecure.com [205.179.16.1]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id JAA11065 for ; Wed, 8 Apr 1998 09:57:53 -0700 (PDT)
Received: (from leonard@localhost) by main.geminisecure.com (8.6.9/8.6.9) id JAA11176; Wed, 8 Apr 1998 09:52:46 -0700
Date: Wed, 8 Apr 1998 09:52:46 -0700 (PDT)
From: Leonard Miyata
To: Dean Ethier
cc: firewalls@GreatCircle.COM
Subject: Re: DMZ config question
In-Reply-To: <872565DF.0077AA4D.00@Montreal-NS002.Mtl.DMR.CA>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi There

The book 'Building Internet Firewalls' by Chapman and Zwicky, O'Reilly &
Associates Inc., has an excellent write-up on all your DMZ questions, and a
lot more. Highly recommended! I believe there's a preview of it at
http://www.greatcircle.com

Personal Opinions provided by Leonard Miyata aka leonard@geminisecure.com
Gemini Computers Inc.

On Tue, 7 Apr 1998, Dean Ethier wrote:

>
> What's the accepted method for setting up a DMZ? Do I just a hub into my
> firewall and feed my DMZ from that? If one host on the DMZ were
> compromised, that would leave little protection for anything else on the
> DMZ. Should one also use a router instead of or in conjunction with a hub
> to provide some isolation between hosts on the DMZ? What is generally
> done?
>
> Dean Ethier
> DMR Consulting Group Inc
>
>
>

From firewalls-owner Wed Apr 8 14:58:10 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA01274; Wed, 8 Apr 1998 11:32:27 -0700 (PDT)
Received: from qik.inter7.com (qik.inter7.com [207.252.116.12]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id LAA28251 for ; Wed, 8 Apr 1998 11:16:02 -0700 (PDT)
Received: (qmail 14461 invoked by uid 1000); 8 Apr 1998 18:21:07 -0000
Date: Wed, 8 Apr 1998 14:21:07 -0400 (EDT)
From: Ken Jones
X-Sender: kbo@qik
To: Michael Simonyi
cc: "'Firewalls@GreatCircle.COM'"
Subject: Re: Ascend Pipeline 25
In-Reply-To: <01BD62E5.EE1924E0.msimonyi@woodbridge.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 8 Apr 1998, Michael Simonyi wrote:

> Does anyone know of or heard of security issues with an Ascend Pipeline 25.
>
> Mike
>

Yes. The pipelines come with simple packet filtering features. They also
sell a firewall package for about $500. I don't know if this is any good.

There is a known exploit for ascend pipelines. Information on it is
available at www.rootshell.com. Basically you send the pipeline a certain
UDP packet at port 9 and it locks up. The pipeline site has a method for
adding a packet filter to block it out, but they have no fix yet.

We tested the exploit against a pipeline 75 and it indeed locked up and had
to be power cycled.
Ken Jones
kbo@inter7.com
www.inter7.com

From firewalls-owner Wed Apr 8 15:11:32 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA14362; Wed, 8 Apr 1998 10:10:28 -0700 (PDT)
Received: from buffy.isi.net (buffy.isi.net [204.71.194.215]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id KAA14255 for ; Wed, 8 Apr 1998 10:09:45 -0700 (PDT)
Received: from buffy (buffy [204.71.194.215]) by buffy.isi.net (8.8.5/ISI-1.5) with SMTP id KAA12929 for ; Wed, 8 Apr 1998 10:15:11 -0700 (PDT)
Date: Wed, 8 Apr 1998 10:15:10 -0700 (PDT)
From: Mike Hedlund
X-Sender: mike@buffy
To: firewalls@GreatCircle.COM
Subject: RE: Questions about ICMP
In-Reply-To: <199804081319.JAA02902@data.camelot>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Also, windows traceroute uses icmp only. It doesn't send udp packets to get
the icmp error replies back.. just something to keep in mind. :)

-mike

On Wed, 8 Apr 1998, Christopher Zarcone wrote:

> traceroute works by sending *UDP* packets with short TTLs. The packets are sent
> to a random high-numbered port on the target host.
>
> ICMP is used for the reply messages, of which there are two:
>
> - Time exceeded (sent by a router when the packet's TTL expires)
> - Unreachable port (sent by the target host, because there is no service
>   listening on random high-numbered port, well at least you hope there isn't :)
>
> Regards,
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Christopher Zarcone - Data Communications Design Analyst
> Lockheed Martin Enterprise Information Systems
> czarcone@vf.lmco.com * Chris.Zarcone@lmco.com * czarcone@acm.org
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> My opinions do not necessarily reflect those of my employer.
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> >Guys,
>
> >Maybe I'm just stupid today, but isn't traceroute just a series of ICMP packets
> >with a specific Time-To-Live set in stages? And if ICMP packets are allowed,
> >how do you block the "traceroute" program?
>
>

From firewalls-owner Wed Apr 8 17:07:04 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA18400; Wed, 8 Apr 1998 13:23:54 -0700 (PDT)
Received: from ritz.mordor.net (mordor.net [165.254.98.3]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id NAA18309 for ; Wed, 8 Apr 1998 13:23:11 -0700 (PDT)
Received: (from bet@localhost) by ritz.mordor.net (8.8.8/8.8.8/RITZ-NORELAY) id PAA00792; Wed, 8 Apr 1998 15:29:56 -0400
Message-ID: <19980408152956.57977@fcmc.com>
Date: Wed, 8 Apr 1998 15:29:56 -0400
From: Bennett Todd
To: Jeff Rubin
Cc: firewalls@GreatCircle.COM
Subject: Re: Packet Filtering Router vs. Firewall Implementation
References: <199804081408.HAA10152@honor.greatcircle.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.89.1
In-Reply-To: ; from Jeff Rubin on Wed, Apr 08, 1998 at 10:25:08AM -0400
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

1998-04-08-10:25:08 Jeff Rubin:
> Currently we have a firewall in place in our Internal network (running
> Raptor). We have a number of external hosts (web, mail, news), that are
> currently being protected via a packet filtering router.
>
> I was wondering the pro's and con's of staying with the router vs.
> installing an external firewall?

Neat question!

I think it's useful to start by saying, you've already got a firewall. A
firewall is a box which restricts or controls network traffic to implement
a security policy, and a screening router is most definitely a firewall. In
fact, the best-selling firewalls are just clever screening routers.
So let's restate the question as ``do I need a different kind of firewall
outside, protecting the DMZ''. Opinions differ on that one. I feel that it
depends most strongly on what kind of machines you need to put in the DMZ.
Maybe your router is the very best fit. Unless you _have_ to have some
tighter controls than you can implement with the router, you don't want to
deploy a tighter firewall there; for a given amount of $$$ (hardware,
software, and manpower) the tighter the firewall the slower it passes
traffic, especially in latency which ouches hardest on a WWW server.

Suppose all the machines on your DMZ are solid. They are running good solid
OS implementations --- e.g. Linux, 4.4BSD-based OSes like OpenBSD, FreeBSD,
NetBSD, and BSDI, or a well-supported and good-quality commercial OS. All
machines are running reasonably current versions, and are maintained by
people who track security issues. All unnecessary services have been
disabled, and this has been confirmed with e.g. strobe and nmap and so on.
Those services left open have been configured down _tight_. The machines
are seriously hardened: they use no distributed name service at all, they
allow almost no incoming connections, etc. Besides the services they
specifically are there to offer --- http, ftp, smtp, whatever --- the only
other port they listen on is SSH, and are configured to require full RSA
Authentication. The daemons they use to serve the public protocols are
either really really secure by design (e.g. qmail or VMailer), or else are
maybe sloppy but used by an awful lot of people, and closely maintained
(e.g. Apache, wu-ftpd). For that latter category remember you're obliged to
track new releases closely.

So if that sounds like your picture, you don't need any firewall tighter
than a good screening router. That grade of machine can be left exposed to
the real world; the screening router is plenty of added protection, as it
guarantees (properly configured) that people can't forge addresses through
it. When you maintain that guarantee all around the perimeter of the DMZ
it's kinda comforting:-).

But let's take a darker, danker picture. You've got servers running other
OSes, that are known to be easy to crash or burgle remotely due to basic OS
implementation problems. Or maybe you've got a legacy system, runs a
service that can't be replaced, nor even supported, on an ancient platform.
Yeah, you have a skanky old wheezing Vax 11/780 running classic 4BSD from
c. '82, or god help you an NT box.

Then you need a firewall that doesn't let packets through at all under any
circumstances, because people have gotten really clever in recent years
about doing cruel and unusual things to IP stacks with oddness in the
packets. Packet filters _can_ catch these things, but only after they've
been specifically taught to look for each one --- there's a lag between
when people discover a new way to crash NT and when the packet filter
vendors come up with rules to drop those packets. Application proxies on
the other hand never let a packet through; instead, they reassemble the TCP
data stream, optionally look at or modify it, then regenerate a fresh new
packet stream containing the payload, using the local OS IP stack.

So whether you need a new firewall or not depends entirely on whether you
have good sturdy boxes in the DMZ. Lots of us strongly favour an
architecture of using only secure boxes out there, and nothing more than a
screening router on the way out the door. Screening routers scale up to the
state of the art of communication facilities, pretty much by
definition:-). I'm not prepared to say it's impossible to set up an
application proxy, or a ``stateful inspection'' packet filter, that can
rival the speed and reliability of say a pair of Cisco 7513s, max-ed out
configuration, doing HSRP for high availability. It may be possible. I
wouldn't know how, and I'll betcha it'd cost lot more money and take a
whole lot longer to set up.

-Bennett

From firewalls-owner Wed Apr 8 20:39:09 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id RAA00974; Wed, 8 Apr 1998 17:34:59 -0700 (PDT)
Received: from pascamail-2.pmi (mail.citysearch.com [205.227.223.133]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id RAA00892 for ; Wed, 8 Apr 1998 17:34:33 -0700 (PDT)
Received: from mikebat.pmi by pascamail-2.pmi with SMTP (Microsoft Exchange Internet Mail Service Version 5.0.1458.49) id H0S7J3BQ; Wed, 8 Apr 1998 17:39:33 -0700
Date: Wed, 8 Apr 1998 17:37:33 -0800
From: Mike Batchelor
Subject: Re: ssh or IPSec client for DOS?
To: firewalls@GreatCircle.COM, kzoli@innet.hu
X-Mailer: Z-Mail Pro 6.1 (Win32 - 021297), NetManage Inc.
X-Priority: 3 (Normal)
References: <199804081825.UAA00671@arthur.innet.hu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=ISO-8859-1
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The closest thing I know of is the F-Secure SSH client for Win 3.1 (16 bit).
Check out www.datafellows.com.

------------------------
From: Kinczli Zoltan
Subject: ssh or IPSec client for DOS?
Date: Wed, 8 Apr 1998 20:20:01 +0000
To: firewalls@GreatCircle.COM

> List gurus,
>
> has anybody seen an ssh or IPSec client for DOS?
> or any client which is capable of encryption?
>
> yes, I know, IPSec is relatively new and in the world of Bill Gates
> nobody cares with old fashioned DOS staff, but maybe...
>
> What I'd like to do: to reach a Unix server, pure terminal
> emulation, from my good old 286/386 PCs, running DOS.
>
> Doing the encryption with routers, standalone devices is an option
> I know, but anyway I'd like to investigate the mentioned direction as
> well.
>
> Any idea would be appreciated, thanks
>
> Zoltan
---------------End of Original Message-----------------

_______________________________________________________________
UNIX Team - The difference between theory and practice is often
greater in practice than in theory.
04/08/98 17:37:33

From firewalls-owner Wed Apr 8 20:39:12 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id SAA08864; Wed, 8 Apr 1998 18:17:27 -0700 (PDT)
Received: from mail.trace.com.tw (mail.trace.com.tw [203.67.189.10]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id SAA08697 for ; Wed, 8 Apr 1998 18:16:46 -0700 (PDT)
Received: from localhost (ronald@localhost) by mail.trace.com.tw (8.8.6/8.8.6) with SMTP id JAA01861; Thu, 9 Apr 1998 09:19:45 +0800
X-Comments: ****** Message sent through an Trace account ******
X-http: ****** http://www.trace.com.tw ******
Date: Thu, 9 Apr 1998 09:19:44 +0800 (CST)
From: Ronald Wiplinger
To: Tom Vayda
cc: firewalls@GreatCircle.COM
Subject: Re: hi SPAM
In-Reply-To: <199804081641.MAA00488@what.ny.jpmorgan.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 8 Apr 1998, Tom Vayda wrote:

> IF you are tired of getting spam, I suggest you view the full header, cut
> and paste it and send to the postmaster@offending organization. See below,
> at least you can bring it to their attention.

... and pray that the header is not faked, otherwise your own mailbox gets
full with not delivered complaints.

... I use this tiny button labeled "Delete" very successfully instead ;-)

>
> Perhaps flooding them with complaints will bring some action.
>
> Tom Vayda
>
> Did you ever think that your sole purpose in life
> is to serve as a warning to others?
>
> ----- Begin Included Message -----
>
> >From root Wed Apr 8 11:25:36 1998
> Date: Wed, 8 Apr 1998 11:26:23 -0400 (EDT)
> From: AOL Postmaster Aimee Palmer
> To: Tom Vayda
> Subject: Re: hi
> MIME-Version: 1.0
>
> Thank you for reporting this America Online Member e-mail abuse: From:
> Sumlatino@aol.com, Subject: hi I have investigated the situation using
> America Online's Terms of Service Agreement (TOS) and basic Netiquette
> principles as a guide. Action has been taken on this account. Members
> reported to AOL for sending unsolicited junk e-mail will be terminated if the
> evidence supports the accusation.
>
> Thanks for writing,
>
> Aimee Palmer
> Postmaster
> America Online, Inc.
> pmd4@aol.net
>
>
>
> ----- End Included Message -----
>
>

From firewalls-owner Wed Apr 8 20:40:00 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id QAA24929; Wed, 8 Apr 1998 16:44:52 -0700 (PDT)
Received: from inergen.sybase.com (inergen.sybase.com [192.138.151.43]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id QAA24900 for ; Wed, 8 Apr 1998 16:44:39 -0700 (PDT)
Received: from smtp1.sybase.com (sybgate.sybase.com [130.214.220.35]) by inergen.sybase.com (8.8.4/8.8.4) with SMTP id QAA07047 for ; Wed, 8 Apr 1998 16:51:56 -0700 (PDT)
Received: from by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) id AB05525; Wed, 8 Apr 98 16:50:11 PDT
Received: by gwwest.sybase.com(Lotus SMTP MTA v4.6.1 (569.2 2-6-1998)) id 882565E0.0082E000 ; Wed, 8 Apr 1998 16:49:30 -0700
X-Lotus-Fromdomain: SYBASENOTES
From: "Ryan Russell"
To: firewalls@greatcircle.com
Message-Id: <882565E0.006DCA42.00@gwwest.sybase.com>
Date: Wed, 8 Apr 1998 16:48:46 -0700
Subject: RE: socks versus fw-1 stateful inspection vulnerabilities
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Exploitation of an Allowed Service

The features of an allowed service could be used to open up other holes in
the firewall. One way to do this would be to use the allowed service to
take over an inside host. That subverted host (e.g., a web server) could
then be used to attack other machines on the internal network. This was
not tested since this is a residual risk for all firewalls when a service
is allowed from the outside. The purpose of our testing is to identify
weaknesses in the stateful packet filter.

Insider threat - opening up ports to the outside

The threat of an attack from the inside is a residual risk for all
firewalls, but it was felt that a special case exists for stateful packet
filters.

Exploitation of ports opened by a legitimate user

They don't come out and say it for this one, but what they're saying is
that if someone is able to sniff & modify your traffic, they can make bad
stuff happen. This is not SPF specific, and can happen with any
non-encrypted or signed traffic, firewalled or not.

My definition of "SPF specific" is that the problem only manifests on SPFs.
If it's more likely to happen, that's a fair issue to bring up. I don't
think intentional subversion by inside users is really going to be affected
by the firewall type.

As for the other item.. I can say that I've gotten impatient enough waiting
for FW1 to recover that I hard-booted it, and munched a file.

BTW, the postings to the list that you do...something is screwy with your
mail headers.. I get a bounce for your address..
stoutw@pioneer-standard.com.. and stoutw@pios.com. Just FYI. I suppose
that may be intentional for spam reasons.

Ryan

"Stout, William" on 04/08/98 12:39:32 PM

To: Ryan Russell/SYBASE
cc:
Subject: RE: socks versus fw-1 stateful inspection vulnerabilities

> ----- Original Message -----
> From: Ryan Russell [SMTP:ryanr@sybase.com]
> Sent: Monday, April 06, 1998, 14:01:29
> >I've seen the problem first hand, and the Checkpoint-1 report from the
> >NSA points this out also.
>
> You must be referring to the table filling up, and the firewall dropping
> connections. I've confirmed this on this list as well. I don't consider

I remember you validating that also. My experience is that it locked the
system up hard, requiring a hard reset, and fsck'd up files in the process.

> >The NSA pointed out state-based specific vulnerabilities (which their
> >report admits they did not fully test):
> > Exploitation of an allowed service
> > Insider threat - opening up ports to the outside
> > Exploitation of ports opened by a legitimate user
> > Subversion of the stateful packet filtering mechanism
>
> In fact, the article states quite clearly that these are not SPF
> specific, except for the last one.

They are SPF specific, but not specific to Firewall-1.

Extract from http://mitten.ie.org/fw1/fw1.htm#statefulpacket:

"To test for weaknesses in the stateful packet filter, we identified four
categories of attacks that could be applied to any stateful packet filter
(not just Firewall-1):

Exploitation of an allowed service
Insider threat - opening up ports to the outside
Exploitation of ports opened by a legitimate user
Subversion of the stateful packet filtering mechanism

We then determined for each of the attack categories whether a successful
attack would be the result of a weakness in the stateful packet filter or
because of an inherent risk to all stateful packet filters. Each of these
categories is discussed in the following sections.

...

Insider threat - opening up ports to the outside

The threat of an attack from the inside is a residual risk for all
firewalls, but it was felt that a special case exists for stateful packet
filters. An insider could do plenty of damage without ever having to touch
the firewall. However, an insider behind a stateful packet filter is in a
unique position. By spoofing his or her IP address, the insider could make
it appear that other internal machines are requesting connections to
machines outside of the firewall. These connection requests could make
ports on the internal machines accessible outside the firewall. "

Bill Stout

Received: from tunnel.sybase.com ([130.214.231.88]) by ibwest.sybase.com (Lotus SMTP MTA v4.6.1 (569.2 2-6-1998)) with SMTP id 882565E0.006C1A34; Wed, 8 Apr 1998 12:40:45 -0700
Received: from smtp1.sybase.com (smtp1 [130.214.220.35]) by tunnel.sybase.com (8.8.4/8.8.4) with SMTP id MAA26646 for ; Wed, 8 Apr 1998 12:39:46 -0700 (PDT)
Received: from halon.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) id AA06039; Wed, 8 Apr 98 12:39:45 PDT
Received: from pse02.pios.com ([199.33.129.3]) by halon.sybase.com (8.8.4/8.8.4) with SMTP id MAA18945 for ; Wed, 8 Apr 1998 12:40:01 -0700 (PDT)
Received: by pse02.pios.com; (5.65v3.2/1.3/10May95) id AA24404; Wed, 8 Apr 1998 15:39:34 -0400
Message-Id:
From: "Stout, William"
To: "'Ryan Russell'"
Subject: RE: socks versus fw-1 stateful inspection vulnerabilities
Date: Wed, 8 Apr 1998 15:39:32 -0400
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

From firewalls-owner Wed Apr 8 22:28:37 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id UAA06106; Wed, 8 Apr 1998 20:26:40 -0700 (PDT)
Received: from fw.itm-inst.com (fw.itm-inst.com [206.239.41.100]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id UAA06046 for ; Wed, 8 Apr 1998 20:26:24 -0700 (PDT)
Received: by fw.itm-inst.com; id XAA17887; Wed, 8 Apr 1998 23:31:55 -0400 (EDT)
Received: from sark.itm-inst.com(10.0.3.121) by fw.itm-inst.com via smap (2.0) id xma017884; Wed, 8 Apr 98 23:31:35 -0400
Message-Id: <3.0.3.32.19980408232801.00724a98@fw.itm-inst.com>
X-Sender: rmurphy@fw.itm-inst.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Wed, 08 Apr 1998 23:28:01 -0400
To: Tom Vayda
From: Rick Murphy
Subject: Re: hi SPAM
Cc: firewalls@GreatCircle.COM
In-Reply-To:
<199804081641.MAA00488@what.ny.jpmorgan.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 12:41 PM 4/8/98 -0400, Tom Vayda wrote:
>IF you are tired of getting spam, I suggest you view the full header,
>cut and paste it and send to the postmaster@offending organization.

Posting here and complaining about the spam does nothing to stop it.

Tom is entirely correct: if you get spam and don't complain about it, you
are *supporting* it. I report all junk mail back to the originating domain.

-Rick

From firewalls-owner Wed Apr 8 23:12:51 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA10746; Wed, 8 Apr 1998 15:22:51 -0700 (PDT)
Received: from lucifer.adams.edu (lucifer.adams.edu [192.156.134.6]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id PAA10646 for ; Wed, 8 Apr 1998 15:22:24 -0700 (PDT)
Received: from localhost (jjj@localhost) by lucifer.adams.edu (8.8.6/8.8.6) with SMTP id QAA11124; Wed, 8 Apr 1998 16:27:40 -0600
Date: Wed, 8 Apr 1998 16:27:40 -0600 (MDT)
From: Joel J Jensen
To: Kinczli Zoltan
cc: firewalls@GreatCircle.COM
Subject: Re: ssh or IPSec client for DOS?
In-Reply-To: <199804081825.UAA00671@arthur.innet.hu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 8 Apr 1998, Kinczli Zoltan wrote:

> List gurus,
>
> has anybody seen an ssh or IPSec client for DOS?
> or any client which is capable of encryption?

Non-Unix versions of ssh are commercially available from DataFellows. No,
I'm not affiliated in any way with them.
-------------------------------------------------------------------------------
Joel J Jensen          | Adams State College | (719)589-7790 (voice)
jjj@lucifer.adams.edu  | 208 Edgemont Blvd   | (719)589-7522 (fax)
                       | Alamosa, CO 81102   |
-------------------------------------------------------------------------------

From firewalls-owner Wed Apr 8 23:51:07 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA06381; Wed, 8 Apr 1998 09:38:57 -0700 (PDT)
Received: from jpmorgan.com (threshold3.jpmorgan.com [169.71.13.12]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id JAA06339 for ; Wed, 8 Apr 1998 09:38:40 -0700 (PDT)
Received: (from uucp@localhost) by jpmorgan.com (8.8.5/8.8.5) id MAA10462 for ; Wed, 8 Apr 1998 12:44:07 -0400 (EDT)
Received: from mrszip.ny.jpmorgan.com(146.149.1.249) by threshold3.jpmorgan.com via smap (4.1) id xma009277; Wed, 8 Apr 98 12:41:42 -0400
Received: from atgserve.ny.jpmorgan.com (atgserve.ny.jpmorgan.com [198.75.61.30]) by mrszip.ny.jpmorgan.com (8.8.4/8.7.6) with ESMTP id MAA22568 for ; Wed, 8 Apr 1998 12:41:42 -0400 (EDT)
Received: from what.ny.jpmorgan.com by atgserve.ny.jpmorgan.com (8.8.5/8.8.5) with ESMTP id MAA25091 for ; Wed, 8 Apr 1998 12:38:03 -0400 (EDT)
From: Tom Vayda
Received: (tvayda@localhost) by what.ny.jpmorgan.com (8.6.9/8.6.9) id MAA00488 for firewalls@GreatCircle.COM; Wed, 8 Apr 1998 12:41:41 -0400
Date: Wed, 8 Apr 1998 12:41:41 -0400
Message-Id: <199804081641.MAA00488@what.ny.jpmorgan.com>
To: firewalls@GreatCircle.COM
Subject: Re: hi SPAM
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

IF you are tired of getting spam, I suggest you view the full header, cut
and paste it and send to the postmaster@offending organization. See below,
at least you can bring it to their attention.

Perhaps flooding them with complaints will bring some action.

Tom Vayda

Did you ever think that your sole purpose in life
is to serve as a warning to others?
----- Begin Included Message -----

>From root Wed Apr 8 11:25:36 1998
Date: Wed, 8 Apr 1998 11:26:23 -0400 (EDT)
From: AOL Postmaster Aimee Palmer
To: Tom Vayda
Subject: Re: hi
MIME-Version: 1.0

Thank you for reporting this America Online Member e-mail abuse: From:
Sumlatino@aol.com, Subject: hi I have investigated the situation using
America Online's Terms of Service Agreement (TOS) and basic Netiquette
principles as a guide. Action has been taken on this account. Members
reported to AOL for sending unsolicited junk e-mail will be terminated if the
evidence supports the accusation.

Thanks for writing,

Aimee Palmer
Postmaster
America Online, Inc.
pmd4@aol.net

----- End Included Message -----

From firewalls-owner Wed Apr 8 23:51:10 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA23864; Wed, 8 Apr 1998 10:52:08 -0700 (PDT)
Received: from gatekeeper.nytimes.com (gatekeeper.nytimes.com [199.181.175.201]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id KAA23850 for ; Wed, 8 Apr 1998 10:52:01 -0700 (PDT)
Received: from mailgate.nytimes.com by gatekeeper.nytimes.com; (5.65v3.2/1.1.8.2/30Mar95-0352PM) id AA22856; Wed, 8 Apr 1998 14:00:17 -0400
Received: from [170.149.212.99] by mailgate.nytimes.com; (5.65/1.1.8.2/25Jul94-1134AM) id AA30266; Wed, 8 Apr 1998 13:57:54 -0400
Message-Id: <3.0.5.32.19980408135627.0083e900@mailgate.nytimes.com>
X-Sender: gordy@mailgate.nytimes.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32)
Date: Wed, 08 Apr 1998 13:56:27 -0400
To: firewalls@GreatCircle.COM
From: Gordy Thompson
Subject: RE: Questions about ICMP
In-Reply-To: <3.0.1.32.19980408100029.00c8f100@mail.lr.isla.pt>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I apologize if these specific questions have been answered somewhere in
this thread, but if they have I'm afraid I missed them.

1. OBVIOUSLY no one in his right mind would allow someone on the Internet
to run ping or traceroute through his firewall to probe internal hosts and
routes. And the way to stop this is (true/false):

   o BOTH block all =inbound= UDP packets (other than "reply" packets as
     determined by one's Inspect script/UDP relay/whatever mechanism is
     being used to regulate UDP transmissions initiated from within)

   o AND block all =outbound= ICMP messages of types 3 and 11.

   (If false, what else needs to be done?)

2. To test connectivity to remote hosts, however, it may be desirable to
run ping and traceroute FROM WITHIN the firewall to sites on the Internet.
And the way to allow this is (true/false):

   o BOTH permit =outbound= UDP, through the Inspect script, UDP relay,
     SOCKS relay or whatever mechanism one uses to regulate UDP
     transmissions from within

   o AND, in conjunction with that mechanism, allow =inbound= ICMP messages
     of types 3 and 11

   (If false, what else needs to be done?)

   (If "True, but you don't want to permit that even though you could,"
   WHY NOT?)

At 10:00 AM 4/8/98 +0200, Nuno Guarda wrote:
>At 17:28 07-04-1998 -0700, you wrote:
>>Guys,
>>
>>Maybe I'm just stupid today, but isn't traceroute just a series of ICMP
>packets
>>with a specific Time-To-Live set in stages? And if ICMP packets are
>allowed,
>>how do you block the "traceroute" program?
>>
>Blocking "outbound" ICMP messages types 3 (destination unreachable: host,
>network, port or other) and 11 (time exceeded).
>

==========================================================================
Gordon T. Thompson                          gordy@nytimes.com
Manager, Internet Services                  212 556 1386
The New York Times                          fax: 212 556 1636
The Times and I have an arrangement: Neither of us speaks for the other.
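[Editor's added example; this is not code from any message in the thread or from the NSA Firewall-1 report.] The traceroute rules argued over above (Christopher Zarcone's UDP-probe description, Mike Hedlund's note that Windows tracert uses ICMP echo instead, and Gordy Thompson's two true/false rule sets) and the insider IP-spoofing case that Bill Stout quotes from the NSA report further up in the thread both come down to what a stateful packet filter writes into, and reads back out of, its state table. The toy filter below models exactly that. All addresses, port numbers, the `seen_from` argument (standing in for a LAN switch that knows which host really sent a frame) and the `lan_antispoof` option are constructed for the example; ICMP error messages carry an `inner` tuple to stand in for the embedded header of the packet that triggered them.

```python
"""Toy stateful packet filter modelling the traceroute and insider-spoof cases.

Constructed example: addresses, ports and the `seen_from` argument (what the
inside switch knows about who really sent a frame) are all made up.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A flow as the filter remembers it: (proto, inside ip, inside port, outside ip, outside port)
Flow = Tuple[str, str, int, str, int]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                    # "udp", "tcp" or "icmp"
    sport: int = 0                # for ICMP echo: the echo identifier
    dport: int = 0
    icmp_type: int = -1           # 8 echo request, 0 echo reply, 3 unreachable, 11 time exceeded
    inner: Optional[Flow] = None  # ICMP errors quote the header of the packet that caused them
    ttl: int = 64


class StatefulFilter:
    def __init__(self, lan_antispoof: bool = False) -> None:
        self.state: set = set()
        # Hypothetical: the inside switch drops frames whose IP source is not the port owner.
        self.lan_antispoof = lan_antispoof

    def outbound(self, p: Packet, seen_from: str) -> str:
        """Packet arriving on the inside interface; seen_from is the host that really sent it."""
        if self.lan_antispoof and p.src != seen_from:
            return "drop"
        if p.proto == "icmp":
            if p.icmp_type in (3, 11):          # never let unreachable / time exceeded out
                return "drop"
            if p.icmp_type == 8:                # ping from inside: remember it for the reply
                self.state.add(("icmp", p.src, p.sport, p.dst, 0))
                return "accept"
            return "drop"
        self.state.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return "accept"

    def inbound(self, p: Packet) -> str:
        """Packet arriving from the Internet: only replies to flows the inside started."""
        if p.proto == "icmp":
            if p.icmp_type in (3, 11):
                return "accept" if p.inner in self.state else "drop"
            if p.icmp_type == 0:
                return "accept" if ("icmp", p.dst, p.sport, p.src, 0) in self.state else "drop"
            return "drop"                       # echo requests and anything else from outside
        return "accept" if (p.proto, p.dst, p.dport, p.src, p.sport) in self.state else "drop"


ROUTER, TARGET, ATTACKER = "198.51.100.1", "203.0.113.80", "203.0.113.9"
INSIDE_HOST, INSIDER, VICTIM = "10.0.0.5", "10.0.0.7", "10.0.0.20"


def outside_traceroute(fw: StatefulFilter) -> List[str]:
    """Unix traceroute (UDP probe) and Windows tracert (ICMP echo) aimed at an inside host."""
    udp_probe = Packet(TARGET, INSIDE_HOST, "udp", sport=40000, dport=33434, ttl=1)
    echo_probe = Packet(TARGET, INSIDE_HOST, "icmp", icmp_type=8, sport=1)
    # Even if a probe got through, the answer the prober needs is an outbound type 11 or 3.
    expired = Packet(INSIDE_HOST, TARGET, "icmp", icmp_type=11,
                     inner=("udp", TARGET, 40000, INSIDE_HOST, 33434))
    return [fw.inbound(udp_probe), fw.inbound(echo_probe),
            fw.outbound(expired, seen_from=INSIDE_HOST)]


def inside_traceroute(fw: StatefulFilter) -> List[str]:
    """traceroute run from inside: the probe opens state, matching ICMP errors come back."""
    probe = Packet(INSIDE_HOST, TARGET, "udp", sport=40001, dport=33435, ttl=2)
    flow: Flow = ("udp", INSIDE_HOST, 40001, TARGET, 33435)
    verdicts = [fw.outbound(probe, seen_from=INSIDE_HOST)]
    verdicts.append(fw.inbound(Packet(ROUTER, INSIDE_HOST, "icmp", icmp_type=11, inner=flow)))
    verdicts.append(fw.inbound(Packet(TARGET, INSIDE_HOST, "icmp", icmp_type=3, inner=flow)))
    # An ICMP error quoting a flow nobody inside started is still dropped.
    stray = Packet(ROUTER, INSIDE_HOST, "icmp", icmp_type=11,
                   inner=("udp", INSIDE_HOST, 9999, TARGET, 33435))
    verdicts.append(fw.inbound(stray))
    return verdicts


def insider_spoof(fw: StatefulFilter) -> List[str]:
    """The NSA report's case: INSIDER forges a packet from VICTIM so the filter opens a port on it."""
    forged = Packet(VICTIM, ATTACKER, "udp", sport=2049, dport=4444)
    opened = fw.outbound(forged, seen_from=INSIDER)
    attack = Packet(ATTACKER, VICTIM, "udp", sport=4444, dport=2049)
    return [opened, fw.inbound(attack)]


if __name__ == "__main__":
    print("outside traceroute  :", outside_traceroute(StatefulFilter()))
    print("inside traceroute   :", inside_traceroute(StatefulFilter()))
    print("insider spoof       :", insider_spoof(StatefulFilter()))
    print("  with LAN antispoof:", insider_spoof(StatefulFilter(lan_antispoof=True)))
```

Two things the toy makes visible. First, the inbound side of Gordy Thompson's rule 2 is only safe because the filter matches an incoming type 3 or 11 against the header it quotes; a plain "permit inbound ICMP types 3 and 11" rule on a stateless router would admit any such message. Second, the insider case the NSA report describes is a UDP problem more than a TCP one (a forged TCP SYN gets the attacker's SYN-ACK answered with a RST by the real victim), and the perimeter filter cannot fix it, since it sees every internal address arriving on the same interface; the place to stop it is wherever the switch or internal router can tell one host from another, which is what the constructed `lan_antispoof` flag stands for.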
From firewalls-owner Wed Apr 8 23:51:15 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA27928; Wed, 8 Apr 1998 11:14:39 -0700 (PDT)
Received: from arthur.innet.hu (arthur.innet.hu [195.70.43.1]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id LAA27856 for ; Wed, 8 Apr 1998 11:14:18 -0700 (PDT)
Received: from kakadu (kakadu.innet.hu [195.70.43.3]) by arthur.innet.hu (8.8.5/8.8.5) with SMTP id UAA00671 for ; Wed, 8 Apr 1998 20:25:33 +0200
Message-Id: <199804081825.UAA00671@arthur.innet.hu>
From: "Kinczli Zoltan"
To: firewalls@GreatCircle.COM
Date: Wed, 8 Apr 1998 20:20:01 +0000
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: ssh or IPSec client for DOS?
Reply-to: kzoli@innet.hu
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

List gurus,

has anybody seen an ssh or IPSec client for DOS?
or any client which is capable of encryption?

yes, I know, IPSec is relatively new and in the world of Bill Gates
nobody cares with old fashioned DOS staff, but maybe...

What I'd like to do: to reach a Unix server, pure terminal
emulation, from my good old 286/386 PCs, running DOS.

Doing the encryption with routers, standalone devices is an option
I know, but anyway I'd like to investigate the mentioned direction as
well.

Any idea would be appreciated, thanks

Zoltan

From firewalls-owner Wed Apr 8 23:51:18 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA12819; Wed, 8 Apr 1998 12:35:22 -0700 (PDT)
Received: from pse02.pios.com ([199.33.129.3]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id MAA12707 for ; Wed, 8 Apr 1998 12:34:55 -0700 (PDT)
Received: by pse02.pios.com; (5.65v3.2/1.3/10May95) id AA24427; Wed, 8 Apr 1998 15:40:16 -0400
Message-Id:
From: "Stout, William"
To: "'Firewalls@GreatCircle.COM'"
Subject: RE: socks versus fw-1 stateful inspection vulnerabilities
Date: Wed, 8 Apr 1998 15:40:15 -0400
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> ----- Original Message -----
> From: Ryan Russell [SMTP:ryanr@sybase.com]
> Sent: Monday, April 06, 1998, 14:01:29
> >I've seen the problem first hand, and the Checkpoint-1 report from the
> >NSA points this out also.
>
> You must be referring to the table filling up, and the firewall dropping
> connections. I've confirmed this on this list as well. I don't consider

I remember you validating that also. My experience is that it locked the
system up hard, requiring a hard reset, and fsck'd up files in the process.

> >The NSA pointed out state-based specific vulnerabilities (which their
> >report admits they did not fully test):
> > Exploitation of an allowed service
> > Insider threat - opening up ports to the outside
> > Exploitation of ports opened by a legitimate user
> > Subversion of the stateful packet filtering mechanism
>
> In fact, the article states quite clearly that these are not SPF
> specific, except for the last one.

They are SPF specific, but not specific to Firewall-1.
Extract from http://mitten.ie.org/fw1/fw1.htm#statefulpacket:

"To test for weaknesses in the stateful packet filter, we identified four categories of attacks that could be applied to any stateful packet filter (not just Firewall-1):

  Exploitation of an allowed service
  Insider threat - opening up ports to the outside
  Exploitation of ports opened by a legitimate user
  Subversion of the stateful packet filtering mechanism

We then determined for each of the attack categories whether a successful attack would be the result of a weakness in the stateful packet filter or because of an inherent risk to all stateful packet filters. Each of these categories is discussed in the following sections.

...

Insider threat - opening up ports to the outside

The threat of an attack from the inside is a residual risk for all firewalls, but it was felt that a special case exists for stateful packet filters. An insider could do plenty of damage without ever having to touch the firewall. However, an insider behind a stateful packet filter is in a unique position. By spoofing his or her IP address, the insider could make it appear that other internal machines are requesting connections to machines outside of the firewall. These connection requests could make ports on the internal machines accessible outside the firewall."

Bill Stout

From firewalls-owner Thu Apr 9 01:03:41 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA05625; Wed, 8 Apr 1998 23:10:04 -0700 (PDT)
Received: from sprout.ptk.org (sprout.ptk.org [208.226.43.2]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id QAA18037; Wed, 8 Apr 1998 16:04:44 -0700 (PDT)
Received: from macheric.ptk.org by sprout.ptk.org id aa26342; 8 Apr 98 18:10 CDT
Message-Id: <3.0.1.32.19980408180852.006f74a0@sprout.ptk.org>
X-Sender: eric@sprout.ptk.org
X-Mailer: Windows Eudora Pro Version 3.0.1 (32)
Date: Wed, 08 Apr 1998 18:08:52 -0500
To: firewalls@greatcircle.com
From: "Eric P. Cummings"
Subject: NT or Unix
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi

Could anyone tell me what the issues are related to the operating system under my chosen firewall software? I have the option of using Checkpoint's Firewall-1 on NT, or another firewall software on Linux or SCO Unix. Long story about how I got in this predicament.

Thanks

Eric P. Cummings
Technical Analyst
Phi Theta Kappa International Honor Society
eric.cummings@ptk.org
(601)984-3561

From firewalls-owner Thu Apr 9 01:52:23 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA06380; Wed, 8 Apr 1998 23:15:13 -0700 (PDT)
Received: from MISsentry.el.nec.com ([192.216.82.86]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id NAA20407; Wed, 8 Apr 1998 13:34:59 -0700 (PDT)
Received: from yginsburg.el.nec.com (yginsburg.el.nec.com [143.103.21.11]) by MISsentry.el.nec.com (8.7.1/8.7.1) with SMTP id NAA28813; Wed, 8 Apr 1998 13:39:30 -0700 (PDT)
Received: by yginsburg.el.nec.com (SMI-8.6/SMI-SVR4) id NAA21721; Wed, 8 Apr 1998 13:39:02 -0700
Date: Wed, 8 Apr 1998 13:39:02 -0700
From: rdew@el.nec.com (Bob De Witt)
Message-Id: <199804082039.NAA21721@yginsburg.el.nec.com>
To: firewalls@GreatCircle.COM, smoot@tic.com
Subject: Re: Questions about ICMP
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

All,

So if the ICMP packets are permitted to go through, how do you stop 'traceroute'? That was the gentleman's dilemma!

Bob De Witt,
(old email address: rdew@el.nec.com)
(new email address: rdew@...tbd...)

The views expressed herein are my own, and are not attributable to any other source, be it employer, friend or foe.
> From smoot@tic.com Tue Apr 7 23:53:45 1998
> To: firewalls@GreatCircle.COM
> Subject: Re: Questions about ICMP
> Date: Tue, 07 Apr 1998 23:16:35 -0500
> From: Smoot Carl-Mitchell
>
> >Maybe I'm just stupid today, but isn't traceroute just a series of ICMP packets
> >with a specific Time-To-Live set in stages? And if ICMP packets are allowed,
> >how do you block the "traceroute" program?
>
> Traceroute uses UDP packets to a high port number with the TTL incremented by
> one for each packet sent. It listens for the ICMP Time Expired packets
> returning. That is where it derives the IP addresses of each hop.
>
>
> Smoot Carl-Mitchell
> Texas Internet Consulting
> 1106 Clayton Lane, Suite 500W
> Austin, TX 78723
>
> +1 512 451-6176
>

From firewalls-owner Thu Apr 9 02:22:37 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA06600; Wed, 8 Apr 1998 23:17:51 -0700 (PDT)
Received: from pascamail-2.pmi (mail.citysearch.com [205.227.223.133]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id RAA29957; Wed, 8 Apr 1998 17:29:37 -0700 (PDT)
Received: from mikebat.pmi by pascamail-2.pmi with SMTP (Microsoft Exchange Internet Mail Service Version 5.0.1458.49) id H0S7J3AF; Wed, 8 Apr 1998 17:34:29 -0700
Date: Wed, 8 Apr 1998 17:13:23 -0800
From: Mike Batchelor
Subject: RE: Questions about ICMP
To: firewalls@GreatCircle.COM
X-Mailer: Z-Mail Pro 6.1 (Win32 - 021297), NetManage Inc.
X-Priority: 3 (Normal)
References: <3.0.5.32.19980408135627.0083e900@mailgate.nytimes.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=ISO-8859-1
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

OK, I got a question about this. I have Gauntlet 3.2 on Irix 6.2. It uses the native Irix ipfilterd to prevent packet forwarding, and a number of other interesting things. I also provide outgoing socks5 service on the firewall, in addition to the Gauntlet proxies.
The socks5 server from socks.nec.com has provisions for a socks-ified traceroute. Basically, the socks traceroute client traces to the socks server, then asks the socks server to run traceroute for the rest of the way to the destination, and returns the results to the invoking user. Now, this did not work until I modified the ipfilterd.conf to stop dropping ICMP messages on the outside interface. Gauntlet rightly sets it up to drop all ICMP. With all ICMP blocked, the traceroute that socks5 executes does not hear the return ICMP messages, and the socks-ified traceroute fails to work.

But our internal network is not routeable, so my assumption is that this is fairly harmless, since no one on the outside can get a packet to an unrouteable IP address. The farthest they can go is to the firewall itself, and the risk of DOS and other bad things is acceptable if in return we can get the diagnostic benefits of being able to trace to outside networks. So as best as I can tell, since the protected network is not routeable, there is no way an outside party can trace to our inside network. My understanding is, the only way to trace from the outside to the inside is if you have a host on the net between the firewall and the router. You could then set up routes to the internal network. But the firewall prevents even this from succeeding, since Gauntlet does not provide a generic UDP relay. As best I can tell, allowing ICMP on the firewall outside interface places only the firewall at some extra risk.

Does anyone agree, disagree? Have I misunderstood something important? :)

Of course, I can tighten the ICMP by dropping all incoming ICMP message types except the ones involved with ping and traceroute (3 and 11, I believe). I have to do this at the router, since Irix ipfilterd does not distinguish ICMP message types.

_______________________________________________________________
UNIX Team - The difference between theory and practice is often greater in practice than in theory.
04/08/98 17:13:24

From firewalls-owner Thu Apr 9 03:08:05 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA11169; Thu, 9 Apr 1998 02:50:31 -0700 (PDT)
Received: from myownemail.com (www.myownemail.com [207.204.37.70]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id CAA11140; Thu, 9 Apr 1998 02:50:16 -0700 (PDT)
From: alchodu@wetwetwet.com
Message-Id: <199804090950.CAA11140@honor.greatcircle.com>
Received: from moby [207.204.37.70] by myownemail.com (SMTPD32-4.02c) id ABD33FD009E; Thu, 09 Apr 1998 04:58:43 CST
Date: Thu, 09 Apr 1998 04:58:43 +0100
Subject: firewalls@GreatCircle.COM
To: vayda_tom@jpmorgan.com
Reply-To: alchodu@wetwetwet.com
Cc: firewalls@GreatCircle.COM
Mime-Version: 1.0
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

tom, postmaster is my employee and she has taken a loan from me. now what will you do.
chodu
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

IF you are tired of getting spam, I suggest you view the full header, cut and paste it and send to the postmaster@offending organization. See below, at least you can bring it to their attention. Perhaps flooding them with complaints will bring some action.

Tom Vayda

Did you ever think that your sole purpose in life is to serve as a warning to others?

----- Begin Included Message -----

>From root Wed Apr 8 11:25:36 1998
Date: Wed, 8 Apr 1998 11:26:23 -0400 (EDT)
From: AOL Postmaster Aimee Palmer
To: Tom Vayda
Subject: Re: hi
MIME-Version: 1.0

Thank you for reporting this America Online Member e-mail abuse:

From: Sumlatino@aol.com, Subject: hi

I have investigated the situation using America Online's Terms of Service Agreement (TOS) and basic Netiquette principles as a guide. Action has been taken on this account. Members reported to AOL for sending unsolicited junk e-mail will be terminated if the evidence supports the accusation.

Thanks for writing,

Aimee Palmer
Postmaster
America Online, Inc.
pmd4@aol.net

----- End Included Message -----

_________________________________________
Get your free vanity email address at http://www.MyOwnEmail.com

From firewalls-owner Thu Apr 9 03:46:59 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id DAA11666; Thu, 9 Apr 1998 03:00:00 -0700 (PDT)
Received: from gatekeeper.tsc.tdk.com (gatekeeper.tsc.tdk.com [207.113.159.21]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id CAA11659; Thu, 9 Apr 1998 02:59:53 -0700 (PDT)
Received: from sunrise.gv.tsc.tdk.com (root@sunrise.gv.tsc.tdk.com [192.168.241.191]) by gatekeeper.tsc.tdk.com (8.8.8/8.8.8) with ESMTP id DAA28129; Thu, 9 Apr 1998 03:05:21 -0700 (PDT) (envelope-from gdonl@tsc.tdk.com)
Received: from salsa.gv.tsc.tdk.com (salsa.gv.tsc.tdk.com [192.168.241.194]) by sunrise.gv.tsc.tdk.com (8.8.5/8.8.5) with ESMTP id DAA08910; Thu, 9 Apr 1998 03:05:20 -0700 (PDT)
Received: (from gdonl@localhost) by salsa.gv.tsc.tdk.com (8.8.5/8.8.5) id DAA12151; Thu, 9 Apr 1998 03:05:18 -0700 (PDT)
From: Don Lewis
Message-Id: <199804091005.DAA12151@salsa.gv.tsc.tdk.com>
Date: Thu, 9 Apr 1998 03:05:18 -0700
In-Reply-To: Ronald Wiplinger "Re: hi SPAM" (Apr 9, 9:19am)
X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95)
To: Ronald Wiplinger , Tom Vayda
Subject: Re: hi SPAM
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Apr 9, 9:19am, Ronald Wiplinger wrote:
} On Wed, 8 Apr 1998, Tom Vayda wrote:
}
} > IF you are tired of getting spam, I suggest you view the full header, cut and paste it and send to the postmaster@offending organization. See below, at least you can bring it to their attention.
}
}
} ... and pray that the header is not faked, otherwise your own mailbox gets
} full with not delivered complaints.
The headers probably are forged in order to deflect complaints from folks who just hit the reply button. But we're all firewall wizzards [sp] here, right? Header reading and deciphering should be in our bag of tricks. With a little practice, it's pretty easy to sort out the forged headers from the ones that point to the source of the spam. From that you can send complaints to the source of the spam, and pointers to information on how to secure mail servers to the sites who've been used as unwitting relays.

Here are some pointers to header reading information that I found in news.admin.net-abuse.email:

http://doofus.ml.org/spam/lessons/
http://www.stopspam.org/email/headers/headers.html
http://www.ao.net/waytosuccess/nospam.html

Oh, and if the spammer is promoting a web site, don't forget to complain to the ISP hosting or providing connectivity to the site (unless it smells like a revenge spam whose purpose is to get you to complain about the site). Traceroute and whois are useful tools here.
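The header-reading Don Lewis describes can be mechanised: walk the Received: chain from the top (the line our own MTA wrote) downward, and believe each lower line only while the hop above it vouches for it. Where that stops, the lines below were already inside the message when it arrived and could have been written by the sender. The following is an added example, not code from the list or from the sites linked above; the header it parses is constructed (example.* hostnames and RFC 5737 documentation addresses) and the matching rule is a heuristic, since real relays do not always name themselves consistently.

```python
"""Walk a message's Received: chain from the top and find where it stops being
corroborated; that is where a spam complaint should actually go.

Added example for the header-reading discussion above, not code from the list
or from the sites Don Lewis points to. SAMPLE_HEADER is constructed (example.*
names, RFC 5737 addresses). Heuristic: a hop is believed only if one of our own
MTAs wrote it, or if it claims to have been written by the host the previous
believed hop says it received from.
"""
import re
from typing import Dict, List, Optional, Set

# Constructed: our mx.example.com received from relay.example.net, which says it
# got the message from a dial-up; the third Received: line and the From: are the
# sender's own handiwork and nothing above corroborates them.
SAMPLE_HEADER = """\
Received: from relay.example.net (relay.example.net [203.0.113.5])
\tby mx.example.com (8.8.8/8.8.8) with ESMTP id AAA1234
\tfor <user@example.com>; Thu, 9 Apr 1998 02:50:16 -0700 (PDT)
Received: from dialup17.isp.example.net ([198.51.100.17])
\tby relay.example.net (8.8.5/8.8.5) with SMTP id BBB5678;
\tThu, 9 Apr 1998 02:49:59 -0700 (PDT)
Received: from bigbank.example.org (bigbank.example.org [192.0.2.9])
\tby mail.bigbank.example.org (8.6.12) id CCC9999;
\tThu, 9 Apr 1998 02:40:00 -0700 (PDT)
From: nobody@bigbank.example.org
Subject: hi
"""

RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)"   # name the sending host announced
    r"(?:\s+\((?P<seen>[^)]*)\))?"         # what the receiving MTA saw: rDNS and [IP]
    r"\s+by\s+(?P<by>\S+)",                # the MTA that wrote this line
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold(header_text: str) -> List[str]:
    """Join RFC 822 continuation lines (leading whitespace) back onto their field."""
    fields: List[str] = []
    for line in header_text.splitlines():
        if line[:1] in (" ", "\t") and fields:
            fields[-1] += " " + line.strip()
        else:
            fields.append(line.rstrip())
    return fields


def parse_received(header_text: str) -> List[Dict[str, Optional[str]]]:
    """Received: hops in header order, i.e. most recent (closest to us) first."""
    hops = []
    for field in unfold(header_text):
        m = RECEIVED_RE.match(field)
        if not m:
            continue
        seen = m.group("seen") or ""
        ip = IP_RE.search(seen)
        rdns = seen.split()[0] if seen and not seen.startswith("[") else None
        hops.append({"helo": m.group("helo"), "rdns": rdns,
                     "ip": ip.group(1) if ip else None, "by": m.group("by")})
    return hops


def trace_source(header_text: str, our_hosts: Set[str]) -> Dict[str, object]:
    """Follow the chain downward while each hop is vouched for by the one above.
    The first hop that is not, and everything below it, was already inside the
    message when it reached us, so the sender could have written it."""
    hops = parse_received(header_text)
    believed: List[Dict[str, Optional[str]]] = []
    for hop in hops:
        by = hop["by"].lower()
        prev = believed[-1] if believed else None
        vouched = prev is not None and by in {
            (prev["helo"] or "").lower(), (prev["rdns"] or "").lower()}
        if by in our_hosts or vouched:
            believed.append(hop)
        else:
            break
    if not believed:
        return {"source_ip": None, "relays": [], "uncorroborated": [h["by"] for h in hops]}
    origin = believed[-1]
    return {
        # The [IP] was recorded by the last believed MTA itself, so it beats the HELO name.
        "source_ip": origin["ip"],
        "source_name": origin["rdns"] or origin["helo"],
        # Third-party MTAs in the believed chain: where the "secure your relay" note goes.
        "relays": [h["by"] for h in believed if h["by"].lower() not in our_hosts],
        "uncorroborated": [h["by"] for h in hops[len(believed):]],
    }


if __name__ == "__main__":
    for key, value in trace_source(SAMPLE_HEADER, {"mx.example.com"}).items():
        print(f"{key:15s} {value}")
```

On the constructed header this points the abuse complaint at the dial-up's ISP (198.51.100.17), flags relay.example.net as the relay that accepted it, and marks the bigbank line as uncorroborated rather than as evidence against bigbank.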
From firewalls-owner Thu Apr 9 05:16:22 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id EAA29463; Thu, 9 Apr 1998 04:42:15 -0700 (PDT)
Received: from linux.ditec.sk (linux.ditec.sk [195.98.2.1]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id EAA29367; Thu, 9 Apr 1998 04:41:43 -0700 (PDT)
Received: from hell.ditec.sk (hell.ditec.sk [172.24.1.11]) by linux.ditec.sk (8.8.8/8.8.8) with ESMTP id NAA12391; Thu, 9 Apr 1998 13:56:04 +0100
Received: by hell.ditec.sk with Internet Mail Service (5.5.1960.3) id <2QVMT6R4>; Thu, 9 Apr 1998 13:47:12 +0200
Message-ID: <707C937AAFD7D0119B6B00A024C05BCA2F6B18@hell.ditec.sk>
From: Mlynka Richard
To: firewalls@GreatCircle.COM, "'ntsecurity@iss.net'"
Subject: Audit of multiple roots
Date: Thu, 9 Apr 1998 13:47:11 +0200
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.1960.3)
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

maybe I'm a little bit off topic, but maybe you can help me.

I try to audit multiple roots (same UID) on one system. I am able to authenticate multiple roots (I have a nice shell from Mr. Chris Macneill - cmshell. It's written in C. It lets root log in with a static password and immediately prompts the user for another username and dynamic password - ACE/Server. Not every user may be dynamically authenticated after logging in as root.) But I don't know how to audit these multiple roots after dynamic authentication.

Digital UNIX has not only UID and RUID, but also AUID (audit UID). I don't know how to set or use this AUID in a C program for my purposes.

Any idea about C programming with AUID? Or any different way to solve my problem?
Regards,

Richard Mlynka
mailto:mlynka@ditec.sk
voice: +421 7 5044448
fax: +421 7 5044691

From firewalls-owner Thu Apr 9 06:22:38 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA10622; Thu, 9 Apr 1998 06:16:47 -0700 (PDT)
Received: from brussels.cisco.com (brussels.cisco.com [171.68.129.238]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id GAA10595; Thu, 9 Apr 1998 06:16:36 -0700 (PDT)
Received: from evyncke-pc.cisco.com (bru-dhcp88.cisco.com [171.68.129.202]) by brussels.cisco.com (8.8.5/8.8.5) with SMTP id PAA29478; Thu, 9 Apr 1998 15:21:31 +0200 (METDST)
Message-Id: <3.0.5.32.19980409144545.00815330@brussels.cisco.com>
X-Sender: evyncke@brussels.cisco.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32)
Date: Thu, 09 Apr 1998 14:45:45 +0200
To: Chris Lonvick , "Dean Ethier", firewalls@GreatCircle.COM, firewall-wizards@nfr.net
From: Eric Vyncke
Subject: Re: DMZ config question
In-Reply-To: <3.0.32.19980407222630.0070c368@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 22:26 7/04/98 -0500, Chris Lonvick wrote:
>Hi,
>
>Some random thoughts:
>
>Use a switch - If any one system on the DMZ is compromised, then an
> attacker may be able to set up tcpdump (or similar) to capture
> usernames and passwords. With a switch, the attacker will only
> be able to get passwords on the same system that he has already
> compromised. He could get that from running crack. A hub will
> allow the sniffer package to see all traffic, including the
> traffic from your internal devices to the rest of the Internet.
> You could use a router, but that gets much more expensive if you
> have several DMZ devices.

And to be even more paranoid, use a switch with static mapping between MAC address and port.
The physical port cannot be changed from a remote site, while the MAC address could possibly be changed. Then use static ARP tables on *all* devices of the DMZ (including the router and the firewall/proxy server). Then not only is sniffing prevented, but also local IP spoofing.

......

Just my paranoid 0,01 EUR

-eric

Eric Vyncke
Technical Consultant
Cisco Systems Belgium SA/NV
Phone: +32-2-778.4677
Fax: +32-2-778.4300
E-mail: evyncke@cisco.com
Mobile: +32-75-312.458

From firewalls-owner Thu Apr 9 07:29:16 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA13064; Thu, 9 Apr 1998 07:00:38 -0700 (PDT)
Received: from mail.shini.net.cn. ([202.96.203.166]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id HAA13053; Thu, 9 Apr 1998 07:00:27 -0700 (PDT)
Received: from fan.sta.net.cn by mail.shini.net.cn. (SMI-8.6/SMI-SVR4) id WAA15929; Thu, 9 Apr 1998 22:08:25 +0800
Message-Id: <3.0.32.19980409220212.007b0170@mail.shini.net.cn>
X-Sender: fanwc@mail.shini.net.cn
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Thu, 09 Apr 1998 22:02:33 -0700
To: Ken Jones , Michael Simonyi
From: fan wangcheng
Subject: Re: Ascend Pipeline 25
Cc: "'Firewalls@GreatCircle.COM'"
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Ascend has fixed this UDP problem since March 25. See ftp://ftp.ascend/pub/Software-Releases/Pipeline/Release-6.0.x/6.0.2/doc

At 14:21 08/04/98 -0400, Ken Jones wrote:
>
>On Wed, 8 Apr 1998, Michael Simonyi wrote:
>> Does anyone know of or heard of security issues with an Ascend Pipeline 25.
>>
>> Mike
>>
>
>Yes. The pipelines come with simple packet filtering features. They
>also sell a firewall package for about $500. I don't know if this
>is any good.
>
>There is a known exploit for ascend pipelines. Information on it
>is available at www.rootshell.com. Basically you send the pipeline
>a certain UDP packet at port 9 and it locks up.
>The pipeline site
>has a method for adding a packet filter to block it out, but they
>have no fix yet. We tested the exploit against a pipeline 75 and it
>indeed locked up and had to be power cycled.
>
>Ken Jones
>kbo@inter7.com
>www.inter7.com
>
>
>

From firewalls-owner Thu Apr 9 08:15:17 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA16307; Thu, 9 Apr 1998 07:42:43 -0700 (PDT)
Received: from mailhub.walrus.com (frog.walrus.com [206.24.16.16]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id HAA16296; Thu, 9 Apr 1998 07:42:35 -0700 (PDT)
Received: from legato (featfirst210.walrus.com [208.151.51.210]) by mailhub.walrus.com (8.8.6/8.8.6/ad) with ESMTP id KAA06202; Thu, 9 Apr 1998 10:47:47 -0400 (EDT)
Message-Id: <199804091447.KAA06202@mailhub.walrus.com>
From: "Pipeline"
Subject: Re: DMZ config question
Date: Thu, 9 Apr 1998 10:46:44 -0400
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1161
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

What is DMZ?

----------
> From: Leonard Miyata
> To: Dean Ethier
> Cc: firewalls@greatcircle.com
> Subject: Re: DMZ config question
> Date: Wednesday, April 08, 1998 12:52 PM
>
> Hi There
>
> The Book 'Building Internet Firewalls' by Chapman and Zwicky,
> O'Reilly & Associates Inc., has an excellent write up on all your
> DMZ questions, and a lot more. Highly recommended! I believe
> there's a preview of it at http://www.greatcircle.com
>
> Personal Opinions provided by
> Leonard Miyata
> aka leonard@geminisecure.com
> Gemini Computers Inc.
>
> On Tue, 7 Apr 1998, Dean Ethier wrote:
>
> >
> > What's the accepted method for setting up a DMZ? Do I just a hub into my
> > firewall and feed my DMZ from that? If one host on the DMZ were
> > compromised, that would leave little protection for anything else on the
> > DMZ.
> > Should one also use a router instead of or in conjunction with a hub
> > to provide some isolation between hosts on the DMZ? What is generally
> > done?
> >
> > Dean Ethier
> > DMR Consulting Group Inc
> >
> >
> >

From firewalls-owner Thu Apr 9 08:39:26 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA17592; Thu, 9 Apr 1998 07:58:47 -0700 (PDT)
Received: from netscape.com (h-205-217-237-47.netscape.com [205.217.237.47]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id HAA17543; Thu, 9 Apr 1998 07:58:27 -0700 (PDT)
Received: from judge.mcom.com (judge.mcom.com [205.217.237.53]) by netscape.com (8.8.5/8.8.5) with ESMTP id IAA06779; Thu, 9 Apr 1998 08:03:33 -0700 (PDT)
Received: from netscape.com ([205.217.246.174]) by judge.mcom.com (Netscape Messaging Server 3.52) with ESMTP id AAA6D09; Thu, 9 Apr 1998 08:03:33 -0700
Message-ID: <352CE345.C5F3962E@netscape.com>
Date: Thu, 09 Apr 1998 08:03:34 -0700
From: Bill Burns
X-Mailer: Mozilla 4.05 [en] (X11; U; SunOS 5.6 sun4u)
MIME-Version: 1.0
To: firewalls@greatcircle.com
Subject: ICMP, traceroute and FW-1
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In case any FW-1 administrators are on this list and NOT on the FW-1 mailing list, I posted some relevant ICMP-related INSPECT code to that list. The background and code are available at my web site http://people.netscape.com/shadow

Cheers,
bill

--
Bill Burns
Senior Security Engineer
Netscape Communications Corp.
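The ICMP thread above (Smoot Carl-Mitchell on how traceroute works, Mike Batchelor's plan to let through only the types ping and traceroute need, Bill Burns's INSPECT code) can be illustrated with a small, vendor-neutral filter. The following is an added example, not Bill Burns's INSPECT code, Gauntlet's ipfilterd configuration or anything posted to the list. It parses raw IPv4/ICMP headers, applies an outside-interface policy that admits only echo reply (type 0), destination unreachable (type 3) and time exceeded (type 11), and shows on a constructed traceroute probe the UDP-high-port-plus-TTL mechanism that produces those replies. All packets are constructed in the block (RFC 5737 documentation addresses) and never touch a socket.

```python
"""Filter inbound ICMP on an outside interface down to the types that ping and
traceroute need, as discussed in the thread above.

Added example, not Bill Burns's INSPECT code, Gauntlet's ipfilterd
configuration, or anything from the list. The packets are constructed
(RFC 5737 documentation addresses) purely to drive the filter; no sockets
are opened.
"""
import socket
import struct
from typing import Dict, NamedTuple, Optional, Tuple

IPPROTO_ICMP, IPPROTO_UDP = 1, 17

# Inbound ICMP types an inside host needs back for ping and traceroute to work.
# Everything else (echo request, redirect, router advertisement, ...) is dropped
# at the outside interface. Type 3 also carries "fragmentation needed" (code 4),
# which path MTU discovery depends on, so it is allowed as a whole type here.
ALLOWED_INBOUND_ICMP = {
    0: "echo reply (answer to an inside host's ping)",
    3: "destination unreachable (traceroute's last hop answers port unreachable)",
    11: "time exceeded (traceroute's intermediate hops)",
}


class Verdict(NamedTuple):
    action: str  # "pass", "drop", or "next" (not ICMP; leave it to the other rules)
    reason: str


def build_ipv4(proto: int, ttl: int, src: str, dst: str, payload: bytes) -> bytes:
    """Minimal IPv4 header, no options; checksum left zero as this never hits a wire."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def build_icmp(icmp_type: int, code: int, body: bytes = b"") -> bytes:
    """ICMP header (type, code, checksum, rest-of-header) plus an optional body."""
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + body


def parse_ipv4(pkt: bytes) -> Optional[Tuple[int, int, bytes]]:
    """Return (protocol, ttl, payload), or None when the header is not sane."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None
    return pkt[9], pkt[8], pkt[ihl:]


def traceroute_probe_summary(pkt: bytes) -> Optional[Tuple[int, int]]:
    """For an outbound UDP probe return (ttl, destination port): traceroute sends
    UDP to a high port with the TTL raised by one per probe, and the router that
    expires the TTL answers with ICMP type 11 (the final host with type 3)."""
    parsed = parse_ipv4(pkt)
    if parsed is None or parsed[0] != IPPROTO_UDP or len(parsed[2]) < 8:
        return None
    _src_port, dst_port = struct.unpack("!HH", parsed[2][:4])
    return parsed[1], dst_port


def filter_inbound_icmp(pkt: bytes) -> Verdict:
    """Policy for packets arriving on the outside interface."""
    parsed = parse_ipv4(pkt)
    if parsed is None:
        return Verdict("drop", "malformed IPv4 header")
    proto, _ttl, payload = parsed
    if proto != IPPROTO_ICMP:
        return Verdict("next", "not ICMP")
    if len(payload) < 8:
        return Verdict("drop", "truncated ICMP header")
    icmp_type, code = payload[0], payload[1]
    if icmp_type in ALLOWED_INBOUND_ICMP:
        return Verdict("pass", f"type {icmp_type} code {code}: {ALLOWED_INBOUND_ICMP[icmp_type]}")
    return Verdict("drop", f"type {icmp_type} code {code} is not needed inbound")


OUTSIDE_HOP, FAR_HOST, INSIDE_HOST = "203.0.113.1", "198.51.100.1", "192.0.2.10"

# Constructed traffic, named for its role in a traceroute from INSIDE_HOST to FAR_HOST.
SAMPLES: Dict[str, bytes] = {
    # outbound: the third probe (TTL 3, UDP to port 33434 + 2)
    "probe": build_ipv4(IPPROTO_UDP, 3, INSIDE_HOST, FAR_HOST,
                        struct.pack("!HHHH", 40000, 33436, 8, 0)),
    # inbound replies the filter must let through for that traceroute (and ping) to work
    "time_exceeded": build_ipv4(IPPROTO_ICMP, 64, OUTSIDE_HOP, INSIDE_HOST, build_icmp(11, 0)),
    "port_unreachable": build_ipv4(IPPROTO_ICMP, 64, FAR_HOST, INSIDE_HOST, build_icmp(3, 3)),
    "echo_reply": build_ipv4(IPPROTO_ICMP, 64, FAR_HOST, INSIDE_HOST, build_icmp(0, 0)),
    # inbound traffic it should keep out
    "echo_request": build_ipv4(IPPROTO_ICMP, 64, FAR_HOST, INSIDE_HOST, build_icmp(8, 0)),
    "redirect": build_ipv4(IPPROTO_ICMP, 64, OUTSIDE_HOP, INSIDE_HOST, build_icmp(5, 1)),
    "truncated": build_ipv4(IPPROTO_ICMP, 64, OUTSIDE_HOP, INSIDE_HOST, b"\x0b\x00"),
}


def evaluate_samples() -> Dict[str, str]:
    """Run every inbound sample through the filter; the outbound probe is skipped."""
    return {name: filter_inbound_icmp(pkt).action
            for name, pkt in SAMPLES.items() if name != "probe"}


if __name__ == "__main__":
    print("probe (ttl, dst port):", traceroute_probe_summary(SAMPLES["probe"]))
    for name, pkt in SAMPLES.items():
        if name != "probe":
            print(f"{name:17s} {filter_inbound_icmp(pkt)}")
```

The policy is deliberately per type, not per code, because a filter that cannot distinguish ICMP types (as Batchelor notes of Irix ipfilterd) has to be backed by one that can, and the three allowed types are the minimum for outbound ping and traceroute to get their answers; inbound echo requests and redirects never reach the inside hosts.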
From firewalls-owner Thu Apr 9 14:55:51 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA08964; Thu, 9 Apr 1998 13:20:24 -0700 (PDT)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id LAA12093; Thu, 9 Apr 1998 11:01:23 -0700 (PDT)
From: infochecks@earthlink.net
Received: from sinbad.net (anchor.sinbad.net [209.165.160.2]) by miles.greatcircle.com (8.8.5/8.8.5) with SMTP id LAA10190; Thu, 9 Apr 1998 11:05:08 -0700 (PDT)
Received: from rangel (1Cust111.tnt1.chi2.da.uu.net [208.250.117.111]) by sinbad.net (SMI-8.6/SMI-SVR4) with SMTP id JAA00130; Thu, 9 Apr 1998 09:34:06 -0800
Date: Thu, 9 Apr 1998 09:34:06 -0800
Subject: Deadbeat Locator
Content-Type: TEXT/PLAIN charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Please forgive this onetime mailing. To discontinue receiving our email simply email back the words discontinue emails. Thank you for your cooperation.

Let Infochecks,Inc locate anyone who owes you money. Only $25 for most current address on record.
Infochecks,Inc
1219 W Fred St
Whiting, IN 46394
219-473-9778
open 24/7

Asset and Employment Searches for $100

From firewalls-owner Thu Apr 9 15:54:05 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA07604; Thu, 9 Apr 1998 13:15:05 -0700 (PDT)
Received: from guttenberg.correionet.com.br (guttenberg.correionet.com.br [200.246.35.8]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id NAA07407; Thu, 9 Apr 1998 13:14:14 -0700 (PDT)
Received: from guttenberg.correionet.com.br (guttenberg.correionet.com.br [200.246.35.8]) by guttenberg.correionet.com.br (8.8.7/8.8.7) with SMTP id RAA03718; Thu, 9 Apr 1998 17:16:50 -0300 (EST)
Date: Thu, 9 Apr 1998 17:16:50 -0300 (EST)
From: Bill Coutinho
X-Sender: bill@guttenberg.correionet.com.br
To: Bennett Todd
cc: firewalls@GreatCircle.COM, alien@netcomuk.co.uk
Subject: Re: fw-1 stateful inspection vulnerabilities
In-Reply-To: <19980408041848.50142@waltz.rahul.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Bennett Todd wrote:

> ``Stateful inspection'' is an interesting hack. In theory it can do
> amazing things. Of course, the difference between theory and practice is
> a lot bigger in practice than it is in theory.
> [...]

At last, one concise, clear and straightforward vision of "stateful inspection" shortcomings. Congratulations!

--
Cheers,
Bill.
_________________________________________________________________
B i l l   C o u t i n h o
mailto:bill@dextra.com.br
PGP Public Key at: http://www.correionet.com.br/~bill/pgpkey.asc

From firewalls-owner Thu Apr 9 16:12:04 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA09079; Thu, 9 Apr 1998 13:22:00 -0700 (PDT)
Received: from ns.datagram.be (ns.datagram.be [195.0.100.253]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id KAA04250; Thu, 9 Apr 1998 10:18:18 -0700 (PDT)
Received: from canabis.drug.be (dialup018.liege.eunet.be [193.74.147.18]) by ns.datagram.be (8.8.8/8.8.8) with ESMTP id TAA07300; Thu, 9 Apr 1998 19:57:13 +0200
X-Mailer: XFMail 1.2 [p0] on Linux
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=iso-8859-2
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
In-Reply-To: <815366BCD402D111960E0000F805887B307DB0@ACA_EXCHANGE>
Date: Thu, 09 Apr 1998 19:21:41 +0200 (MET DST)
X-Face: Xd4)'pr0TvwM([yRD<(#^[Jp[="HHq!VAz-UJqSr7>Mq5nUPqlA9[}T`+7RPVL-#x3Rm:HL.@7Phob8L{]13 C`#$~%t"9PtZ?I(poZbxe.s@y-X1.UG/&*G;>'q:Q6&hYAG6E(49vA2}O34v`GA%*vKiCIW$=BDbfs U+gOFtgYc
Reply-To: manu@acm.org
Organization: http://linux.rtfm.be
From: Emmanuel Tychon
To: Taufik Islam
Subject: RE: Sniffer
Cc: Firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On 27-Mar-98 Taufik Islam wrote:
> Is there a good Packet sniffer that runs on for NT 4.0 ?
> If you know of any good packet sniffer for UNIX please let me know also.

To be sure that your machine will not crash during the capture, I suggest NOT using an M$ machine :-)

Depending on your needs, I know some network sniffers running under Unix:

- "tcpdump", of course
- "sniffit" is a great tool made in Belgium (we like Bill, in Belgium :-)
- "trafshow": mostly a traffic analyser, not a sniffer.
- ...

All these programs run at least under Linux, and are usable for TCP/IP protocols.
A more accurate answer can be given if you are more verbose!

- What are your needs?
- What types of protocol?
- Raw Data or Interpreted?
- Online or Offline capture?
- ...

CU

---
Member of the ACM. Look http://www.acm.org
   |||      | Emmanuel Tychon - Belgium
   O-O      | nic-hdl: ET99-RIPE, nic-irc: kosinus
   (_)      |
oOO-----OOo | Don't be assimilated, use Linux!
|  Linux  | |
\-------/   | PGP key on http://pgp.ai.mit.edu

From firewalls-owner Thu Apr 9 16:53:05 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA16070; Thu, 9 Apr 1998 14:13:27 -0700 (PDT)
Received: from MISsentry.el.nec.com ([192.216.82.86]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id OAA15999; Thu, 9 Apr 1998 14:13:04 -0700 (PDT)
Received: from yginsburg.el.nec.com (yginsburg.el.nec.com [143.103.21.11]) by MISsentry.el.nec.com (8.7.1/8.7.1) with SMTP id OAA27690; Thu, 9 Apr 1998 14:18:24 -0700 (PDT)
Received: by yginsburg.el.nec.com (SMI-8.6/SMI-SVR4) id OAA22345; Thu, 9 Apr 1998 14:17:55 -0700
Date: Thu, 9 Apr 1998 14:17:55 -0700
From: rdew@el.nec.com (Bob De Witt)
Message-Id: <199804092117.OAA22345@yginsburg.el.nec.com>
To: Dean_Ethier@dmr.ca, leonard@geminisecure.com
Subject: Re: DMZ config question
Cc: firewalls@GreatCircle.COM
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

All,

The Chapman and Zwicky book is indeed very good. However, both Garfinkel & Spafford and Cheswick & Bellovin books are equally good, but different. Each one stresses the areas that offend the authors most. If I had to recommend a fourth book, I would be hard pressed to decide whether to recommend something like PGP and/or Cryptographic Analysis, or a GOOD sysadmin set (I have not seen the second edition of Janice Wilson's books, yet), or another FW book. But you get the idea, yes? Notice my own belief that these all overlap a LOT!

Ciao,

Bob De Witt,
(old email address: rdew@el.nec.com)
(new email address: rdew@...tbd...)
The views expressed herein are my own, and are not attributable to any other source, be it employer, friend or foe.

> From leonard@geminisecure.com Wed Apr 8 14:07:57 1998
> Date: Wed, 8 Apr 1998 09:52:46 -0700 (PDT)
> From: Leonard Miyata
> To: Dean Ethier
> cc: firewalls@GreatCircle.COM
> Subject: Re: DMZ config question
> MIME-Version: 1.0
>
> Hi There
>
> The Book 'Building Internet Firewalls' by Chapman and Zwicky,
> O'Reilly & Associates Inc., has an excellent write up on all your
> DMZ questions, and a lot more. Highly recommended! I believe
> there's a preview of it at http://www.greatcircle.com
>
> Personal Opinions provided by
> Leonard Miyata
> aka leonard@geminisecure.com
> Gemini Computers Inc.
>
> On Tue, 7 Apr 1998, Dean Ethier wrote:
>
> > What's the accepted method for setting up a DMZ? Do I just a hub into my
> > firewall and feed my DMZ from that? If one host on the DMZ were
> > compromised, that would leave little protection for anything else on the
> > DMZ. Should one also use a router instead of or in conjunction with a hub
> > to provide some isolation between hosts on the DMZ? What is generally
> > done?
> >
> > Dean Ethier
> > DMR Consulting Group Inc
> >
>

From firewalls-owner Thu Apr 9 17:07:23 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA09331; Thu, 9 Apr 1998 13:25:05 -0700 (PDT)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id KAA02837 for ; Thu, 9 Apr 1998 10:10:15 -0700 (PDT)
Received: from mail.trace.com.tw (mail.trace.com.tw [203.67.189.10]) by miles.greatcircle.com (8.8.5/8.8.5) with ESMTP id KAA06980 for ; Thu, 9 Apr 1998 10:00:33 -0700 (PDT)
Received: from ronald.trace.com.tw (ronald@ronald.trace.com.tw [203.67.189.30]) by mail.trace.com.tw (8.8.6/8.8.6) with SMTP id AAA07983; Fri, 10 Apr 1998 00:58:58 +0800
Message-Id: <199804091658.AAA07983@mail.trace.com.tw>
X-Comments: ****** Message sent through an Trace account ******
X-http: ****** http://www.trace.com.tw ******
From: "Ronald Wiplinger"
To: "Don Lewis" , "Tom Vayda"
Cc: "firewalls@GreatCircle.COM"
Date: Fri, 10 Apr 98 01:04:00 +0800
Reply-To: "Ronald Wiplinger"
X-Mailer: PMMail 1.95a For OS/2
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Subject: Re: hi SPAM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 9 Apr 1998 03:05:18 -0700, Don Lewis wrote:
>The headers probably are forged in order to deflect complaints from folks
>who just hit the reply button. But we're all firewall wizzards [sp] here,
>right? Header reading and deciphering should be in our bag of tricks.
>With a little practice, it's pretty easy to sort out the forged headers
>from the ones that point to the source of the spam. From that you can
>send complaints to the source of the spam, and pointers to information
>on how to secure mail servers to the sites who've been used as unwitting
>relays.
So let's try on a daily life example:

Received: by mail for ronald (with Cubic Circle's cucipop (v1.21 1997/08/10) Thu Feb 19 08:54:54 1998)
X-From_: your's@net.net Thu Feb 19 00:12:39 1998
Return-Path:
Received: from ms4.hinet.net (root@ms4.hinet.net [168.95.4.40]) by mail.trace.com.tw (8.8.6/8.8.6) with ESMTP id AAA13327; Thu, 19 Feb 1998 00:12:39 +0800
From: your's@net.net
Received: from ------ (h176.s33.ts30.hinet.net [163.30.33.176]) by ms4.hinet.net (8.8.8/8.8.8) with SMTP id AAA13108; Thu, 19 Feb 1998 00:17:02 +0800 (CST)
Date: Thu, 19 Feb 1998 00:17:02 +0800 (CST)
Message-Id: <199802181617.AAA13108@ms4.hinet.net>
To: kancan@trace.com.tw
Subject: =A8D=B7s,=A8D=C5=DC,=A8D=A7=D6=AA=BA=A6=B3=AC=B0=AAB=A4=CD=AD=CC!! 12:14:31 AM
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--------------A10:21:36BZ10:21:36"
Status: RO
X-Status:

Such messages, we get hundreds a day. Normally, when I see the time in the subject line, then it is a message for the little tiny "delete" key. It is a Chinese message, which I cannot read anyway on my computer.

So what can you see? The address is wrong, the relay points are *.hinet.net, which is the government owned ISP. Messages to anybody at hinet.net will certainly be kept unanswered. To call them will not help either.

To block them would bring you out of business, since hinet.net has 80% of Taiwan's users. With each modem you buy in Taiwan you get several free Internet accounts, valid for a few hours, enough time to send millions of e-mails.

Now, what would you suggest to do? AOL, CompuServe, IBM Net, MSN, .... all the same spammer. Block them and you are out of business yourself.

And how about the programs floodgate, stealth, ...... which are advertising that they can change the header.

And finally, have you tried telnet to send an e-mail? It works also. A little `expect' script and you make everything that way. Rexx is another way to use an automatic script.
Even from the www it is possible to send e-mails.

USA citizens try now to 'punish' for unsolicited e-mails. I can only laugh about it. This law is just against the USA citizen, but not the outside ones.

Then the words of the spammer itself: Why does this ISP not allow spam, others do? How should I advertise my product? Tell the customer it is not allowed, not wished, .... when he gets daily 100 of such ads. Even MLM systems are advertising that you get new members by sending out millions of e-mails, .....

First, I also traced the headers, but I am tired of it, just hit the delete key and keep on working for other important things, where you earn money. When you head hunt one spammer you just lose, .... very frustrated

bye

Ronald Wiplinger
Gen. Manager of Wang's Trace Technology Co., Ltd.
(Taiwan: Taipei, Touyuan, Taichong, Kaohsiung)
Tel: +886 2 2609-0652, Handy: +886 932 251430, Fax: +886 2 2600-0132
Interphone (G.723.1 as e.g., used in Netmeeting): 203.67.189.35
http://www.trace.net.tw

From firewalls-owner Thu Apr 9 19:17:04 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA04313; Thu, 9 Apr 1998 13:02:25 -0700 (PDT)
Received: from hp01.vak12ed.edu (hp01.vak12ed.edu [141.104.150.251]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id NAA04207 for ; Thu, 9 Apr 1998 13:02:00 -0700 (PDT)
Received: (from epperson@localhost) by hp01.vak12ed.edu (8.8.6 (PHNE_14041)/8.8.6) id PAA25076; Thu, 9 Apr 1998 15:59:09 -0400 (EDT)
From: "W.C. (Jay) Epperson"
Message-Id: <199804091959.PAA25076@hp01.vak12ed.edu>
Subject: Re: DMZ config question
To: evyncke@cisco.com
Date: Thu, 09 Apr 1998 15:59:08 EDT
Cc: firewalls@greatcircle.com
In-Reply-To: <3.0.5.32.19980409144545.00815330@brussels.cisco.com>; from "Eric Vyncke" at Apr 09, 98 2:45 pm
Reply-to: epperson@vak12ed.edu
X-Mailer: Elm [revision: 212.4]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

eric's paranoia induced:

>
> And even be more paranoid, use a switch with static mapping
> between MAC address and port. The physical port cannot be changed
> from a remote site while the MAC address could possibly be changed.
>
> Then use static ARP table on *all* devices of the DMZ (including router
> and the firewall/proxy server).
>
> Then, not only sniffing is prevented but also local IP spoofing.
>
> ......
>
> Just my paranoid 0,01 EUR
>
> -eric
>
> Eric Vyncke
> Technical Consultant Cisco Systems Belgium SA/NV
> Phone: +32-2-778.4677 Fax: +32-2-778.4300
> E-mail: evyncke@cisco.com Mobile: +32-75-312.458

and, of course, be very, very careful about protecting the switch WRT login access--they compromise that, and you're toast....

--
W.C. Epperson                    "I have great faith in fools.
Chief, Systems Engineering        Self-confidence, my friends call it."
Information Security Officer              --Edgar Allan Poe--
DBA Emeritus
Curmudgeon-for-Life
Virginia Dept. of Education
epperson@pen.k12.va.us

From firewalls-owner Thu Apr 9 19:53:10 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id TAA11641; Thu, 9 Apr 1998 19:14:45 -0700 (PDT)
Received: from antiochus-fe0.ultra.net (antiochus-fe0.ultra.net [146.115.8.188]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id TAA11495 for ; Thu, 9 Apr 1998 19:14:00 -0700 (PDT)
Received: from judgej (judgej.ne.mediaone.net [24.128.59.67]) by antiochus-fe0.ultra.net (8.8.8/ult.n14767) with SMTP id WAA05881 for ; Thu, 9 Apr 1998 22:19:39 -0400 (EDT)
Reply-To:
From: "Joseph Judge"
To:
Subject: top 10 signs you've been hacked ?
Date: Thu, 9 Apr 1998 22:20:17 -0400
Message-ID: <000001bd6427$3420aa20$433b8018@judgej.ne.mediaone.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Any have some entries for a "top ten signs you've been hacked" ?

THANKS

-- joe

From firewalls-owner Thu Apr 9 20:37:33 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id UAA23851; Thu, 9 Apr 1998 20:29:36 -0700 (PDT)
Received: from ruins.tdyc.com (ruins.tdyc.com [170.65.24.56]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id UAA23603 for ; Thu, 9 Apr 1998 20:28:24 -0700 (PDT)
Received: from ruins.tdyc.com (rkrusty@localhost [127.0.0.1]) by ruins.tdyc.com (8.8.5/8.8.5) with ESMTP id VAA01033; Thu, 9 Apr 1998 21:39:33 -0600
Message-Id: <199804100339.VAA01033@ruins.tdyc.com>
X-Mailer: exmh version 1.6.9 8/22/96
To: joej@ultranet.com
cc: firewalls@GreatCircle.COM
Subject: Re: top 10 signs you've been hacked ?
In-reply-to: Your message of "Thu, 09 Apr 1998 22:20:17 EDT."
    <000001bd6427$3420aa20$433b8018@judgej.ne.mediaone.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Date: Thu, 09 Apr 1998 21:39:33 -0600
From: Ivan Moore
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> Any have some entries for a "top ten signs you've been hacked" ?
>
>
> THANKS
>
> -- joe

Your computer burps at you when you try to log on!

From firewalls-owner Thu Apr 9 21:37:33 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id UAA26576; Thu, 9 Apr 1998 20:41:58 -0700 (PDT)
Received: from nimbus.superior.net (nimbus.superior.net [206.153.96.1]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id UAA26414 for ; Thu, 9 Apr 1998 20:41:18 -0700 (PDT)
Received: from Daker (pm0-fm-27.superior.net [206.153.102.220]) by nimbus.superior.net (8.8.8/8.8.8/RB) with SMTP id XAA14094; Thu, 9 Apr 1998 23:46:59 -0400 (EDT)
Message-ID: <352DC06B.27B4@superior.net>
Date: Thu, 09 Apr 1998 23:47:07 -0700
From: Greg Dake
X-Mailer: Mozilla 3.01 (Win95; I; 16bit)
MIME-Version: 1.0
To: joej@ultranet.com
CC: firewalls@GreatCircle.COM
Subject: Re: top 10 signs you've been hacked ?
References: <000001bd6427$3420aa20$433b8018@judgej.ne.mediaone.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

If you mean hacked, then a note in the postmaster's mailbox explaining the security situation and how it could best be handled to keep criminals from exploiting that hole in the future.

Joseph Judge wrote:
>
> Any have some entries for a "top ten signs you've been hacked" ?
>
> THANKS
>
> -- joe

From firewalls-owner Thu Apr 9 22:14:51 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id UAA26171; Thu, 9 Apr 1998 20:40:14 -0700 (PDT)
Received: from cortex.NSMA.Arizona.EDU (cortex.NSMA.Arizona.EDU [128.196.180.125]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id UAA26121 for ; Thu, 9 Apr 1998 20:39:57 -0700 (PDT)
Received: from cortex (localhost [127.0.0.1]) by cortex.NSMA.Arizona.EDU (8.7.5/8.7.5) with ESMTP id UAA07689; Thu, 9 Apr 1998 20:49:36 -0700 (MST)
Message-Id: <199804100349.UAA07689@cortex.NSMA.Arizona.EDU>
To: firewalls@greatcircle.com
Cc: ddw@cortex.NSMA.Arizona.EDU
Subject: Re: top 10 signs you've been hacked ?
In-reply-to: Your message of "Thu, 09 Apr 1998 22:20:17 -0400." <000001bd6427$3420aa20$433b8018@judgej.ne.mediaone.net>
Date: Thu, 09 Apr 1998 20:49:35 -0700
From: Doug Wellington
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Previously:
>Any have some entries for a "top ten signs you've been hacked" ?

Well, sounds like one of those tongue-in-cheek lists, but I definitely think that number one should be something like:

1. "And the number one sign you've been hacked is that someone in the Netherlands emails your root account telling you that someone has been trying to break into their computer from yours..."

Other signs could be:

Some self-appointed IRC watchdog points out IRC traffic from your site.

Some process named "es" has used a lot of your CPU time.

Your tcp wrapper logs (you DO have tcp wrappers installed, don't you?) don't match with the last log.

You can't change the root password without it switching back when you login again.

NFR tells you so.

Oops, dinner time, can't think of any more right now...
-Doug

Doug Wellington                          ddw@nsma.arizona.edu
Network and System Administrator
ARL, Division of Neural Systems, Memory and Aging
The University of Arizona, Tucson, AZ
(520) 626-6023
(520) 291-0481 pager
(520) 626-2618 fax

I DON'T buy anything from spammers, and I KEEP TRACK OF WHO SPAMS ME. I put up with ads on the TV because they pay for programming. When spammers pay for the Internet, then I'll start putting up with spam.

From firewalls-owner Thu Apr 9 23:15:48 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id UAA27218; Thu, 9 Apr 1998 20:44:40 -0700 (PDT)
Received: from mail.trace.com.tw (mail.trace.com.tw [203.67.189.10]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id UAA27003 for ; Thu, 9 Apr 1998 20:43:41 -0700 (PDT)
Received: from localhost (ronald@localhost) by mail.trace.com.tw (8.8.6/8.8.6) with SMTP id LAA11533; Fri, 10 Apr 1998 11:46:07 +0800
X-Comments: ****** Message sent through an Trace account ******
X-http: ****** http://www.trace.com.tw ******
Date: Fri, 10 Apr 1998 11:46:07 +0800 (CST)
From: Ronald Wiplinger
To: Joseph Judge
cc: firewalls@GreatCircle.COM
Subject: Re: top 10 signs you've been hacked ?
In-Reply-To: <000001bd6427$3420aa20$433b8018@judgej.ne.mediaone.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 9 Apr 1998, Joseph Judge wrote:
>
> Any have some entries for a "top ten signs you've been hacked" ?
>
>
> THANKS
>
> -- joe
>

1. You go to your computer and you find your harddisk is empty
2. You go to your computer and you find a file called "I was here" or similar.
3. You find on your web page another one
4. You find on your web page, which looks very familiar to you, the phone number of the competitor instead of yours.
5. You find that your password suddenly does not work
6. Your personal account does not allow you anymore to su, sudo
7. Everybody logging in is a member of group 0, maybe they do not even need a password. You also find new accounts, preferably "shutup" (next to shutdown in the password file), somewhere a name like "toor" (which just tells you that the hacker might come from a FreeBSD box).
8. You try to find out what is going on by examining the log files, but they have only entries of the last minute.
9. You type ps -ax and you find a lot of people there. You kick them out, they are still here and delete the log files all the time. You turn off every service, but they are still there. You check the login binary and it has another length but still the same date/time.
10. Somebody tries to use talk to you and offers to help you on your system, he even mentions the price for this service, and emphasizes that he has nothing to do with the case.

You pull out the router, the Ethernet cable, and make the only trustful action: format the harddisk and re-install the system.

Almost all of the above happened to me in just 6 hours on 30th September 1997. The University in Estonia, from where the hacker came, did not show any responsibility, even when you showed them the fragments of the logfile. Why?? Because hacking is free, is not a crime, not covered by the law, .....

What have I changed since then?
1. I look at each logfile very often
2. Installed tripwire
3. Installed modified shells, which log everything that root is doing, extra in a hidden file somewhere on the local harddisk, as well as on an extra machine, which is only for logging anymore. From there we save it to a one-time writeable media.
4. No shells for anybody, except 2 people
5. Every service turned off that is not necessary
6. Upgraded to the newest version of software
7. Subscribed to several security lists and study the messages carefully.

I am sure it is not all done what we could do, but I try as much as possible.
bye

Ronald

From firewalls-owner Thu Apr 9 23:16:21 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id VAA02411; Thu, 9 Apr 1998 21:15:30 -0700 (PDT)
Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id VAA02361 for ; Thu, 9 Apr 1998 21:15:16 -0700 (PDT)
Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id KAA29872; Thu, 9 Apr 1998 10:10:05 -0400
Date: Thu, 9 Apr 1998 10:10:02 -0400 (EDT)
From: Rabid Wombat
To: Joseph Judge
cc: firewalls@GreatCircle.COM
Subject: Re: top 10 signs you've been hacked ?
In-Reply-To: <000001bd6427$3420aa20$433b8018@judgej.ne.mediaone.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

7.
8. Your secretary's not the only one in promiscuous mode.
9. Dozens of your system binaries seem to have put on a little weight.
10. There's a MUD running on your Cray.

On Thu, 9 Apr 1998, Joseph Judge wrote:
>
> Any have some entries for a "top ten signs you've been hacked" ?
>
>
> THANKS
>
> -- joe
>
>

From firewalls-owner Thu Apr 9 23:22:45 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id VAA01900; Thu, 9 Apr 1998 21:12:03 -0700 (PDT)
Received: from voicenet.com (mail11.voicenet.com [207.103.0.37]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id VAA01858 for ; Thu, 9 Apr 1998 21:11:50 -0700 (PDT)
Message-Id: <199804100411.VAA01858@honor.greatcircle.com>
Received: (qmail 17124 invoked from network); 10 Apr 1998 04:17:30 -0000
Received: from freebird.voicenet.com (HELO voicenet.com) (207.103.145.253) by mail11.voicenet.com with SMTP; 10 Apr 1998 04:17:30 -0000
X-Mailer: exmh version 2.0zeta 7/24/97
To: joej@ultranet.com
Cc: firewalls@greatcircle.com
Subject: Re: top 10 signs you've been hacked ?
In-reply-to: Your message of "Thu, 09 Apr 1998 22:20:17 EDT."
    <000001bd6427$3420aa20$433b8018@judgej.ne.mediaone.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 10 Apr 1998 00:13:51 -0400
From: Frank Cusack
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

How about:

10. You're suddenly subscribed to a mailing list with poor S/N

>
> Any have some entries for a "top ten signs you've been hacked" ?
>
> --

~frank
+ Official SysAdmin of the new millennium! +

From firewalls-owner Fri Apr 10 00:37:57 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id WAA13518; Thu, 9 Apr 1998 22:32:58 -0700 (PDT)
Received: from mailsrv.szerencsejatek.hu ([194.88.40.4]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id VAA08721 for ; Thu, 9 Apr 1998 21:59:44 -0700 (PDT)
Received: from TAKACS by mailsrv.szerencsejatek.hu with SMTP (Microsoft Exchange Internet Mail Service Version 5.0.1458.49) id 2TNYZP2P; Fri, 10 Apr 1998 07:00:45 +0200
Received: by localhost with Microsoft MAPI; Fri, 10 Apr 1998 07:04:12 +0200
Message-ID: <01BD644E.DD787E50.anonymus@mail.matav.hu>
From: Takacs Istvan
Reply-To: "anonymus@mail.matav.hu"
To: "'firewalls@greatcircle.com'"
Subject: Satan
Date: Fri, 10 Apr 1998 07:04:11 +0200
X-Mailer: Microsoft Internet E-mail/MAPI - 8.0.0.4211
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

have you ever heard about that program above? I'm looking for the NT based version. Could you help me where I can find that?

Regards.

Istvan Takacs
mailto:anonymus@mail.matav.hu

p.s.: please, write to my address, too. Thanks.
From firewalls-owner Fri Apr 10 02:27:49 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id AAA05172; Fri, 10 Apr 1998 00:43:13 -0700 (PDT)
Received: from kwanon.research.canon.com.au (kwanon.research.canon.com.au [203.12.172.254]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id AAA05026 for ; Fri, 10 Apr 1998 00:42:39 -0700 (PDT)
Received: (qmail 22170 invoked from network); 10 Apr 1998 07:47:43 -0000
Received: from grainger.research.canon.com.au (203.12.174.130) by kwanon-le1.research.canon.com.au with SMTP; 10 Apr 1998 07:47:43 -0000
Received: (qmail 28250 invoked from network); 10 Apr 1998 07:47:41 -0000
Received: from cass.research.canon.com.au (203.12.174.231) by grainger.research.canon.com.au with SMTP; 10 Apr 1998 07:47:41 -0000
Received: (qmail 10936 invoked by uid 100); 10 Apr 1998 07:47:39 -0000
Message-ID: <19980410074739.10935.qmail@cass.research.canon.com.au>
From: "Andrew Raphael"
Subject: Re: Livingston's IRX211 firewall router
To: firewalls@GreatCircle.COM
Date: Fri, 10 Apr 1998 17:47:39 +1000 (EST)
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Has anyone out there installed the IRX211 firewall router from Livingston?
>How does the IRX211 compare with Cisco's PIX ?

Yes. I use them as interior choke routers.

It's nothing like Cisco's PIX because it doesn't do network address translation.

--
Andrew Raphael
"Oh! I see, it's your birthday. It's your big day, and I forgot."
From firewalls-owner Fri Apr 10 03:07:33 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id WAA13767; Thu, 9 Apr 1998 22:34:56 -0700 (PDT)
Received: from bridge.millstream.net (bridge.millstream.net [208.12.120.211]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id WAA10356 for ; Thu, 9 Apr 1998 22:10:35 -0700 (PDT)
Received: from localhost (mike@localhost) by bridge.millstream.net (8.8.5/8.8.5) with SMTP id AAA25280 for ; Fri, 10 Apr 1998 00:21:43 -0500 (CDT)
Date: Fri, 10 Apr 1998 00:21:43 -0500 (CDT)
From: Mike Bresina
To: firewalls@greatcircle.com
Subject: from the web consultant's list
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

---------- Forwarded message ----------
Date: Tue, 24 Feb 1998 16:01:01
From: Rich Kulawiec
To: mike@millstream.net
Subject: Re: WC:>: This SPAM embodies all ....

On Sun, Feb 22, 1998 at 11:41:14PM -0500, Bob Schmidt wrote:
> It won't be long before ISP's start blocking email on a wholesale basis
> from certain domains because, in their infinite wisdom, they think they're
> entitled to, with no disclosure, no due process, no right of appeal, just
> like, um, the dreaded Big Brother.

It's already being done, because unfortunately, it *has* to be done. I have blocked certain domains at the *router* level which prevents all traffic - email, telnet, ftp, web, everything - from getting through. It's either that or allow spammer sites to render some private gateways/networks inoperable.

> It won't be long before online services start acting like they are private
> country clubs and can connect out to the net but won't allow anyone from
> out on the net to connect in to them.

AOL, Prodigy and others did that for years; and then did the next worst thing by unleashing their huge user populations on the 'net without making the slightest effort to educate them about Internet standards and practices.
But more to the point, many of the networks connected to the Internet *are* private, e.g. foobar.com. The owners of foobar.com are the first, last, and only arbiters of what traffic they will permit to reach their systems, as is their right. It's just that for many years all of us on the 'net had a mutually cooperative agreement that we would all play nice and not crack each other's systems and not bombard them with dreck and so on; the rise in break-in attempts and spam and other destructive activities has made firewalls and sendmail filters and router blocks necessary. It's too bad; the 'net used to be a much more civilized and cooperative place, but the actions of a relatively few scumbags have screwed it up for everyone. Which is in part why I have no mercy whatsoever on spammers.

I've attached two recent notes that were sent to the com-priv list; both are from Barry Shein, who is another old-timer and who I find to be one of the most articulate people out there. I believe Barry's view of spam NOT as advertising or free speech of anything like that, but as a thinly-disguised denial-of-service attack launched by malicious individuals, is the correct one.

---Rsk
Rich Kulawiec
rsk@gsp.org

> From: Barry Shein
> Date: Wed, 31 Dec 1997 15:38:01 -0500
> To: Multiple recipients of list
> Subject: Denial of Service Attacks disguised as Spam...
>
> [The purpose of this note is to change your thinking about Spam]
>
> Enormous amounts of this so-called "spam" is nothing of the sort, it
> is malicious people using mail ports to conduct denial of service
> attacks. And the sooner we wake up to this fact the better.
>
> We need a new word for this and to publicize this new
> attitude. Because as soon as someone says "spam" all that comes to
> mind is a Sanford Wallace type pathetically trying to make a buck with
> annoying advertising, and people (in particular law enforcement) just
> won't give "annoying advertising" a moment's thought.
>
> But I assert that we're dealing with crime and criminals here who
> aren't selling anything.
>
> Look at the several consecutive log entries attached below ("Spamf"
> and "PATMATCH" mean the msg was blocked by our spam filters.)
>
> We're receiving about *30,000* of these per day, non-stop, full-blast,
> every few seconds, for days.
>
> The fact that not one of these is getting past our filters doesn't
> seem to discourage this person, not even over a period of days.
>
> The network address of the mail relay source has been hacked (notice
> how it changes with every msg), the address ("billy@bingo.edu") is
> phony and forged. This person has gone to great length to hide their
> identity and to make it difficult to block them at the router level.
> Blocking the message itself is relatively easy, but I don't think they
> care, just so long as they can hammer at your mail port day and night.
>
> Dec 31 14:36:29 5C:world sendmail[3098]: SpamF:
>     (relay=po1.synapse.or.jp [202.208.174.131]) PATMATCH
> Dec 31 14:37:09 5C:world sendmail[3614]: SpamF:
>     (relay=www.dma.be [195.13.24.2]) PATMATCH
> Dec 31 14:37:10 5C:world sendmail[3623]: SpamF:
>     (relay=at.atnet.it [193.207.30.132]) PATMATCH
> Dec 31 14:37:22 5C:world sendmail[3765]: SpamF:
>     (relay=mail.vienna.at [194.158.143.44]) PATMATCH
> Dec 31 14:37:23 5C:world sendmail[3775]: SpamF:
>     (relay=seus.metoc.ns.doe.ca [131.235.30.50]) PATMATCH
>
> This person is not the only source of this, others are doing the same
> thing.
>
> I don't believe this person is actually selling anything.
>
> Can I repeat that?
>
> I DON'T BELIEVE THIS PERSON IS ACTUALLY SELLING ANYTHING
>
> I do believe this is a malicious person who has learned that if you
> stick some text in a message that appears to be selling something law
> enforcement's mind will go blank and nothing (effective) will be
> done. "It's just annoying advertising, ignore it".
>
> The analogy which comes to mind is a town where door to door salesman
> can't be considered trespassers on your doorstep. So a group of people
> who want to annoy you don what appear to be door to door salesmen
> accouterments (eg, a suitcase full of new household brushes) and
> stands and bangs and bangs and bangs on your door, day and night.
>
> And you tell them to go away. And they ignore you, they keep banging.
>
> So you call the police, and they say "he's a door to door salesman,
> the law allows him to bang on your door! People bang on people's doors
> all the time. Stop calling us, we can't do anything, ask him to leave
> or ignore him."
>
> We're being fooled, we're allowing criminals to operate without
> challenge.
>
> --
> -Barry Shein
>
> Software Tool & Die    | bzs@world.std.com          | http://www.std.com
> Purveyors to the Trade | Voice: 617-739-0202        | Login: 617-739-WRLD
> The World              | Public Access Internet     | Since 1989     *oo*

> From: Barry Shein
> Date: Fri, 20 Feb 1998 14:28:56 -0500
> To: Multiple recipients of list
> Subject: Spammers really are criminals, part deux
>
> To those who doubted that most of the spam being sent out is not
> commercial in intent but, rather, being sent by sociopaths posing as
> "advertisers" to cloud law-enforcement's minds...
>
> How do we explain the recent spate of spam which was designed to crash
> mail programs, in particular that of one major browser manufacturer,
> such that the message (and any mail which followed it in the mail box)
> couldn't be read?
>
> Good ad one that can't be read i'nt it!
>
> The public, and law-enforcement, really are being played off for pure
> jackasses on this spam thing by these two-bit criminals. They've got
> us all dancing their jig and we don't know what to do but to just keep
> dancing to their tune shouting "so what's so wrong with dancing?"
>
> It's pathetic.
>
>
> --
> -Barry Shein
>
> Software Tool & Die    | bzs@world.std.com          | http://www.std.com
> Purveyors to the Trade | Voice: 617-739-0202        | Login: 617-739-WRLD
> The World              | Public Access Internet     | Since 1989     *oo*

____________________________________________________________________
--------------------------------------------------------------------
Join The Web Consultants Association : Register on our web site Now
Web Consultants Web Site : http://just4u.com/webconsultants
If you lose the instructions All subscription/unsubscribing can be done directly from our website for all our lists.
---------------------------------------------------------------------

From firewalls-owner Fri Apr 10 03:31:56 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id TAA13757; Thu, 9 Apr 1998 19:29:23 -0700 (PDT)
Received: from imo20.mx.aol.com (imo20.mx.aol.com [198.81.17.42]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id TAA13682 for ; Thu, 9 Apr 1998 19:29:00 -0700 (PDT)
Received: from YAY383@aol.com by imo20.mx.aol.com (IMOv13.ems) id QGSMa04943; Thu, 9 Apr 1998 21:57:44 -0500 (EDT)
From: YAY383
Message-ID:
Date: Thu, 9 Apr 1998 21:57:44 EDT
Mime-Version: 1.0
Subject: hi
Content-type: multipart/mixed; boundary="part0_892173464_boundary"
X-Mailer: AOL 2.5 for Windows sub 2
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This is a multi-part message in MIME format.
--part0_892173464_boundary
Content-ID: <0_892173464@inet_out.mail.aol.com.1>
Content-type: text/plain; charset=US-ASCII


--part0_892173464_boundary
Content-ID: <0_892173464@inet_out.mail.aol.com.2>
Content-type: message/rfc822
Content-transfer-encoding: 7bit
Content-disposition: inline

From: YAY383
Return-path:
To: YAY383@aol.com
Subject: hi
Date: Thu, 9 Apr 1998 19:57:25 EDT
Organization: AOL (http://www.aol.com)
Mime-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7bit

Click Here For 10 Free Pics

--part0_892173464_boundary--

From firewalls-owner Fri Apr 10 03:59:04 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA24654; Fri, 10 Apr 1998 02:19:11 -0700 (PDT)
Received: from bmpi.ch ([195.162.166.1]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id CAA24639 for ; Fri, 10 Apr 1998 02:19:02 -0700 (PDT)
Received: from bmpi.ch (tokaj.bmpi.ch [192.168.0.11]) by bmpi.ch (8.8.5/8.8.5) with ESMTP id LAA01960 for ; Fri, 10 Apr 1998 11:25:30 +0200
Message-ID: <352DE534.2234F8BC@bmpi.ch>
Date: Fri, 10 Apr 1998 11:24:04 +0200
From: Stephan Missura
Organization: BMPI AG
X-Mailer: Mozilla 4.02 [en] (Win95; I)
MIME-Version: 1.0
To: Firewalls@GreatCircle.COM
Subject: Front-end for Linux' ipfwadm?
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello

Is there some graphical or textual front-end for the Linux firewall available where the firewall rules can be declared on a higher level than directly with ipfwadm? (and which generates scripts with the corresponding ipfwadm commands).
Thanks a lot for your help,
Stephan Missura

--
Stephan Missura
Braendle, Missura & Partner Informatik AG
E-mail: stephan.missura@bmpi.ch    Tel: ++ 41 1 463 74 88
WWW: http://www.bmpi.ch            Fax: ++ 41 1 463 74 89

From: Frank Willoughby
Date: Fri, 10 Apr 1998 07:39:52 -0500
To: firewalls@GreatCircle.com
Subject: RE: socks versus fw-1 [Part I/II]

Part I/II

About 30 hours ago, I replied to Ryan Russell's mail. As of this moment, my mail entitled "RE: socks versus fw-1 [long]" (which was sent directly to the mailing list) still hasn't shown up yet. Although I didn't get a response saying it bounced, I never saw a copy of my posting in the list. 30 hours seems to be several times longer than I would expect. According to Murphy's Law, my previously posted text will arrive shortly before or shortly after this mail. If this does indeed happen, please accept my apologies in advance for the double-posting. FWIW, I split my mail into 2 parts to make things a little easier and made a few minor changes to it.

At 08:54 AM 4/8/98 -0700, "Ryan Russell" allegedly wrote:

>>fw
>Ryan
fw

Ryan brought up some good points in his mail. Rather than engage the casual reader in my opinion about Checkpoint vs. Ryan's opinion, I thought I would quote from the NSA's report. They're neutral and present just the facts. The advantage is that it reduces the hyperbole down to basic verifiable facts. Any decisions about anything should be based on facts - not my opinions, and not anyone else's. I STRONGLY ENCOURAGE those who are interested to take the time to do the proper research before betting your company on the choice of any one product - regardless of who makes it. So, with my deepest & humblest apologies to the folks at the NSA who definitely didn't intend on their document being (ab)used this way, I'll proceed...

[fw - the original text has been slightly reformatted for clarity]

>>I agree with the NSA's report on the stateful inspection.
>>The NSA does good work. (I also like their style of
>>report-writing, but that's beside the point). 8^)
>
>If you're talking about:
>http://mitten.ie.org/fw1/fw1.htm#statefulpacket
>The worst thing they had to say was that FW-1 didn't
>pass NFS and NIS through as advertised.

That's not what I read. Actually, there were a number of things that were quite interesting in the report. FWIW, I would recommend that the reader review the report twice. The first time for content & general impressions, and the second time for a detailed review - concentrating not only on what it said, but on what it doesn't say. If one reads only the summaries, much of the detail will be lost. There's even a whole section devoted to Stateful Inspection. As I expected, they found a few problems with it. One problem covered in their report was that open FTP connections stayed open - even after the server was rebooted. This is not very swift for a firewall whose "claim to fame" is its ability to keep track of the open connections. This was covered in the NSA's report.

FWIW, here's my opinion of Stateful Inspection. I think that Stateful Inspection is a brilliant concept (really) - IF it is used properly.
If used in *addition-to* proxies, it can be a very valuable security tool. By itself, or together with Packet Filtering, I don't believe it provides the necessary security. My experience bears this out. YMMV.

The main problem I have with Checkpoint is that they recommend that the firewall be used with Stateful Inspection *only* - not *in-addition-to* proxies. IMO, this elevates it from YAVE (Yet Another Vendor To Evaluate) to a potentially serious problem. That's my opinion. As always, YMMV.

>>I think that many people are overlooking some important criteria
>>when evaluating firewalls. The Stateful Inspection is just the
>>tip of the iceberg. A few criteria are listed below, others are
>>available in the *free* Firewall Evaluation Checklist which can
>>be downloaded from my company's web site.
>
>I was hoping to see a comparison.. I see the empty
>checklist is free, you sell the filled-out version.

Not true. The commercial version of the checklist is just a more comprehensive version of the free checklist. IMHO, no one, not even me, 8^) would be able to keep a comprehensive, comparative analysis (checklist or otherwise) of multiple firewalls up-to-date. Besides, what one company considers to be important may not be important to someone else.

Just for you, I'll condense the free & commercial checklists into two (count 'em) questions - the outcome of which will eliminate most of the major firewalls on the market:

1 - Is the firewall an application gateway with strong proxies for a wide variety of applications? (Checkpoint first claimed proxies were bad, and then put a handful of proxies on its firewall and called them "security servers". This is contrary to their previous position that proxies are not as good as Stateful Inspection.)

2 - Does the product support User->Firewall encryption? Firewall->Firewall encryption isn't rocket science. Develop a shared secret, send it to the remote site securely (courier, DH, etc.), install it, and you're ready to go.
User->Firewall encryption is very difficult to do right. Consequently, there are only a few companies who (in my book) do it well enough. IMO, using a proprietary encryption algorithm didn't win Checkpoint any points in this category.

What's the best firewall on the market? The answer is a resounding "it depends....". Everyone has different business and security requirements. What works well for someone may not work for someone else. In any case, there is a minimum level of security which must be maintained to keep the serious attackers at bay. IMO, most of the firewalls haven't achieved this minimum level of security.

>>Here are a few of my *many* crows to pick with the
>>Firewall-1.
>>o You have to put a deny all at the last of the rules
>>to make up for its default stance of being wide open
>
>Uh..no. There is an implicit deny at the end of the
>ruleset.
^^^

That's exactly my point. "There is an implicit deny at the *END* of the ruleset". A basic axiom of network security design - turn off *all* network services, then turn on only those services that you *really* need to use.

The Firewall-1 violates this basic security design principle. IOW, block everything by default, then open up the firewall to permit only known *good* services. IMO, Checkpoint works in reverse. It closes the barn door after the horses are all out by placing the deny all at the END of the ruleset instead of the beginning.

Further, from my experience, if the "implicit deny at the end of the ruleset" was in there, it sure didn't work very well when I tested it. I ran a battery of tests across the Firewall-1 recently & found a *lot* of vulnerabilities (more than 50). If the rule was in there & working, then the firewall leaked.

>>o It encourages people to do stupid (from a security
>> point-of-view) things like permit dangerous (unproxied)
>> services through the firewall - a la' if they support
>> it, it must be OK).
>
>Many proxy vendors include a circuit-level gateway that
>does exactly the same. What I think you meant to say
>is that some proxy vendors include application-specific
>proxies that validate the data better.

You're comparing apples & oranges. Circuit-level gateways are provided for companies who wish to permit secure applications through the firewall for which no proxies exist. It was *not* designed for people to punch holes thru the firewall so that they can let some (dangerous) services thru the firewall. The *use* of circuit-level gateways is not supported by the vendors. Again, it was designed to permit secure apps thru the firewall - not to be abused by letting known insecure services thru to the inside network.

From my research, Checkpoint advocates and supports (if you can find 'em) letting in known dangerous unproxied services thru the firewall.

>>o I don't like the security architecture of
>>the firewall
>Well, you don't have to I suppose. Some specifics
>would be more useful.

Good point. OK, here's a few that come to mind:

o Insecure Operating System
o Manually configured NAT (instead of automatic)
o Compilers on the firewall (to compile the Inspection rules)
o GUI doesn't reflect the rules or the state of the firewall
o Checkpoint supplies very few proxies (about *1/4* - 1/3 that of other vendors). They also advocate that Stateful Inspection is better than using proxies. If *they're* not comfortable with their own proxies, how would a customer feel about using them?
o The firewall "leaks". If inbound services are blocked, it is still possible to sneak packets thru the firewall.
o In certain cases, the firewall is unable to maintain state information (which is interesting since the whole focus of the product is in this specific area)
o Source code isn't available
o Setting up the VPN can be a real pain.
o The SecureRemote isn't.
o The documentation (perhaps not an architecture issue directly, but problematic nonetheless). It's huge & says nothing. Probably the best docset I have seen yet was from a vendor who summed everything up in 27 pages. It was very well written. The Checkpoint docset takes up a lot of space, 3-4 inches (7.5-10cm), and says very little.
o Etc., Etc.

Some of the above are mentioned in the NSA's report. You mentioned you read the document. I saw problems. You didn't. Perhaps security is in the eye of the beholder.

More is continued in the next mail - Part II/II (which was sent a few seconds after this mail).

Best Regards,

Frank

The opinions of the author of this mail may not necessarily be representative of the opinions of Fortified Networks, Inc.
(c) Fortified Networks, Inc. - http://www.fortified.com/
Home of the Free Internet Firewall Evaluation Checklist
Expert (vendor-neutral) Computer and Network Security Solutions
Phone: (317) 573-0800    Fax: (317) 573-0817

From: Bennett Todd
Date: Fri, 10 Apr 1998 07:58:39 -0400
To: Pipeline
Cc: firewalls@GreatCircle.COM
Subject: What is DMZ? (was Re: DMZ config question)

1998-04-09-10:46:44 Pipeline:
> What is DMZ?
DMZ is a military acronym for De-Militarized Zone; it refers to a sorta neutral territory --- or more typically no-man's land --- between the armed borders of two hostile forces. In firewalls jargon, the DMZ is a partially-protected net; it lies inside the outer screen, commonly a screening router, but outside the inner wall, typically a bastion host with application proxies. The DMZ is where you place public servers, like your web servers and whatnot.

-Bennett

From: ccurtis@facm.fit.edu
Date: Fri, 10 Apr 1998 10:16:20 -0400 (EDT)
To: Ronald Wiplinger
cc: Don Lewis, Tom Vayda, firewalls@GreatCircle.COM
Subject: Re: hi SPAM

On Fri, 10 Apr 1998, Ronald Wiplinger wrote:

> On Thu, 9 Apr 1998 03:05:18 -0700, Don Lewis wrote:
>
> >The headers probably are forged in order to deflect complaints from folks
> >who just hit the reply button. But we're all firewall wizzards [sp] here,
> >right? Header reading and deciphering should be in our bag of tricks.
>
> First, I also traced the headers, but I am tired of it; I just hit the
> delete key and keep on working on other important things, where you earn
> money. When you head-hunt one spammer you just lose, ....
Once upon a time I would take the time and effort to construct a polite little message that I would send to the owner of the system being used to propagate spam, but have since stopped. It was usually effective, but sometimes I got replies debating with me the validity of spam as e-commerce.

I've since changed my methods: if I get spam, I bounce it back to the sender, "root@" the sender's host, "webmaster@", and "abuse@" that same host. Typically this is forged, so I'll look at the header and bounce it to the same three accounts at the least recent mailer, typically the ISP. Now, this isn't always effective and can probably be construed as spam itself, but I figure that if someone sees they are getting spammed by one of their own users, they may think twice about it, especially if they get 'spammed back', as it were, two or three times for each offense. If there are any troubles and I'm feeling particularly obnoxious, I'll do a traceroute to the nearest valid site and bounce the mail to their uplink.

$0.02

Christopher

From: "Mr. Arlington Hewes"
Date: Fri, 10 Apr 1998 15:39:04 +0200
To: Stephan Missura
cc: Firewalls@GreatCircle.COM
Subject: Re: Front-end for Linux' ipfwadm?

>>>>> On Fri, 10 Apr 1998, "SM" == Stephan Missura wrote:

SM> Hello
SM> Is there some graphical or textual front-end for the Linux firewall
SM> available where the firewall rules can be declared on a higher level
SM> than directly with ipfwadm? (and which generates scripts with the
SM> corresponding ipfwadm commands).

The Dotfile Generator has an ipfwadm module, as I recall.

-DPN

--
Mr. Arlington Hewes (tpcadmin@info.tpc.int)
The TPC.INT Subdomain (http://www.tpc.int/)
**************************************************
*** FOR GENERAL INFORMATION                    ***
*** mailto:tpcfaq@info.tpc.int                 ***
*** FOR A LIST OF CURRENT COVERAGE             ***
*** mailto:tpccover@info.tpc.int               ***
*** TO REPORT A PROBLEM (read the FAQ first!)  ***
*** mailto:support@info.tpc.int                ***
**************************************************

From: George Planansky
Date: Fri, 10 Apr 1998 11:23:30 -0400 (EDT)
To: Firewalls@GreatCircle.COM
Subject: the dog ate my homework
Reply-to: george@deas.harvard.edu

This gem was on the wires a few weeks back, but Letterman's writers never picked up on it (or did they?).

1. Your students say they can't turn in the homework assignment because the FBI raided their house last night and confiscated all their computer equipment.

-- George

Date: Thu, 9 Apr 1998 22:20:17 -0400
From: "Joseph Judge"
Subject: top 10 signs you've been hacked ?

Anyone have some entries for a "top ten signs you've been hacked" ?

THANKS
-- joe

From: Ronald Wiplinger
Date: Fri, 10 Apr 1998 23:13:36 +0800 (CST)
To: ccurtis@facm.fit.edu
cc: Ronald Wiplinger, Don Lewis, Tom Vayda, firewalls@GreatCircle.COM
Subject: Re: hi SPAM

On Fri, 10 Apr 1998 ccurtis@facm.fit.edu wrote:

> On Fri, 10 Apr 1998, Ronald Wiplinger wrote:
>
> > On Thu, 9 Apr 1998 03:05:18 -0700, Don Lewis wrote:
> >
> > >The headers probably are forged in order to deflect complaints from folks
> > >who just hit the reply button. But we're all firewall wizzards [sp] here,
> > >right? Header reading and deciphering should be in our bag of tricks.
> >
> > First, I also traced the headers, but I am tired of it; I just hit the
> > delete key and keep on working on other important things, where you earn
> > money. When you head-hunt one spammer you just lose, ....
>
> Once upon a time I would take the time and effort to construct a polite
> little message that I would send to the owner of the system being used to
> propagate spam, but have since stopped. It was usually effective, but
> sometimes I got replies debating with me the validity of spam as e-commerce.
> I've since changed my methods: if I get spam, I bounce it back to the
> sender, "root@" the sender's host, "webmaster@", and "abuse@" that same
> host. Typically this is forged, so I'll look at the header and bounce it
> to the same three accounts at the least recent mailer, typically the
> ISP. Now, this isn't always effective and can probably be construed as
> spam itself, but I figure that if someone sees they are getting spammed by
> one of their own users, they may think twice about it, especially if they
> get 'spammed back', as it were, two or three times for each offense. If
> there are any troubles and I'm feeling particularly obnoxious, I'll do a
> traceroute to the nearest valid site and bounce the mail to their uplink.
>

That sounds to me more like childish revenge. "I cannot get the real spammer, so I spam everybody; maybe someone will take action, ..."

Well, we are an ISP. If one of my customers spammed, and I as ISP owner got spammed, then be sure I would NOT take any action against the spammer itself; I would put YOU on the block list. So what have you won now?

There was a guy from Finland who, for one message from my customer, sent me about 10,000 messages. Since postmaster, abuse, error and root are all my accounts, I got it 40,000 times. Do you really think I would then trace the real spammer if somebody bombs my site? Simply, he is included in the blocklist.

Sorry folks, but a threatening message does not help!! If somebody sends me one message I will do something to keep my house clean. Most likely it is a newcomer and will be educated.

We need to find something that works. Sending random people a complaint does not solve the problem.
At the beginning of this thread I said that I get about 100 unwanted messages per day. Suppose I traced each one back; it would cost me my working time, .....

bye

Ronald

From: ccurtis@facm.fit.edu
Date: Fri, 10 Apr 1998 11:35:42 -0400 (EDT)
To: Ronald Wiplinger
cc: firewalls@GreatCircle.COM
Subject: Re: hi SPAM

On Fri, 10 Apr 1998, Ronald Wiplinger wrote:

> On Fri, 10 Apr 1998 ccurtis@facm.fit.edu wrote:
>
> > I've since changed my methods: if I get spam, I bounce it back to the
> > sender, "root@" the sender's host, "webmaster@", and "abuse@" that same
> > host. Typically this is forged, so I'll look at the header and bounce it
> > to the same three accounts at the least recent mailer, typically the
>
> That sounds to me more like childish revenge. "I cannot get the real
> spammer, so I spam everybody; maybe someone will take action, ..."

Not childish at all, and not revenge. How am I supposed to "get" the real spammer, as you say? About 2% of spam has a valid return address. The only option is to go to a higher power. Now, I see two options: either take time out of my work to construct a reasonable customized message or just deliver the evidence; I choose the latter. It's a lot easier for me to type "root@", "abuse@", "webmaster@" and click the mouse a few times than to do the former. Why do you consider this spam? Is it because of the multiple addresses? Don't blame that on me - every *nix machine has a 'root' account but in all its infinite wisdom microsquat decided to make it difficult. Not everyone has a webmaster, but that was who I was told to mail on NT machines, and abuse - well, isn't that what it's for? It's certainly not widespread, though.

> Well, we are an ISP. If one of my customers spammed, and I as ISP owner
> got spammed, then be sure I would NOT take any action against the
> spammer itself; I would put YOU on the block list. So what have you won
> now?

As long as it is a two-way block, I'd consider it a win. You've obviously never gotten a bounced message. When a message is bounced, the From: line does not change, so it appears that the message came from your site at first glance. There's just another header saying X-Bounced From: (or something similar).

> There was a guy from Finland who, for one message from my customer,
> sent me about 10,000 messages. Since postmaster, abuse, error and root are all
> my accounts, I got it 40,000 times. Do you really think I would then trace
> the real spammer if somebody bombs my site? Simply, he is included in the
> blocklist.

You would consider 3 and 40,000 equivalent? And that's a bomb, not spam.

> We need to find something that works. Sending random people a complaint
> does not solve the problem.

Should we send mail to the president instead? Postmaster general? Or have we elected a global leader to take care of all of this for us?
Christopher

From: Ronald Wiplinger
Date: Sat, 11 Apr 1998 01:11:21 +0800 (CST)
To: ccurtis@facm.fit.edu
cc: firewalls@GreatCircle.COM
Subject: Re: hi SPAM

On Fri, 10 Apr 1998 ccurtis@facm.fit.edu wrote:

> Not childish at all, and not revenge. How am I supposed to "get" the
> real spammer, as you say? About 2% of spam has a valid return address.

With 2% of 100, that means 98 messages are useless.

> The only option is to go to a higher power. Now, I see two options:
> either take time out of my work to construct a reasonable customized
> message or just deliver the evidence; I choose the latter. It's a lot
> easier for me to type "root@", "abuse@", "webmaster@" and click the mouse
> a few times than to do the former. Why do you consider this spam? Is it

Yes, I consider this senseless spam, because root, abuse, webmaster are not the spammer.

> because of the multiple addresses? Don't blame that on me - every *nix
> machine has a 'root' account but in all its infinite wisdom microsquat

With that you have already hit the nail on the head. The spammer sites have no root, no abuse, no postmaster ENABLED. Now what happens with these undelivered mails? Yes, you get them back. Now we found already that only 2% are with a correct return address. So, 98% times 4 means I get the message almost 4 times. Some are very clever; they delay the return several days/hours.

Make the math longer: How many days will you answer 100 spam messages per day without killing yourself/mailbox?? Sorry, I delete the spam and keep myself busy for the business. Nobody pays you anything for having hunted a spammer. I am waiting for real 'tools', which do everything automatically, but up front, not even letting the spam in.

> decided to make it difficult. Not everyone has a webmaster, but that was
> who I was told to mail on NT machines, and abuse - well, isn't that what
> it's for? It's certainly not widespread, though.
>

abuse ???? Hehehe, that is an autoresponder with a nice text, maybe a ticket number, and that was it. Are you happy to get such messages? And behind 5 spams from the same site?? AOL is world champion in that matter! I guess they have already set up several machines, just to "ticket" the abuse messages.

> > There was a guy from Finland who, for one message from my customer,
> > sent me about 10,000 messages. Since postmaster, abuse, error and root are all
> > my accounts, I got it 40,000 times. Do you really think I would then trace
> > the real spammer if somebody bombs my site? Simply, he is included in the
> > blocklist.
>
> You would consider 3 and 40,000 equivalent? And that's a bomb, not spam.

Make the math with all the 98%, bounced, undelivered, multiplied returns, ... And at the end? Well, you got a spammer; he will MAYBE lose his account, get a new one and play around again. Free e-mails you can get everywhere now. Till you stop this one he already has another one.

>
> > We need to find something that works. Sending random people a complaint
> > does not solve the problem.
>
> Should we send mail to the president instead? Postmaster general? Or
> have we elected a global leader to take care of all of this for us?

Equal is not equal.
You can find a spammer in the USA, get some US$ from him, and you are happy; if the spammer is in another country, you get nothing. Till now there is no "power" to get such people.

Again the example of hinet.net: They do not act against spammers, they do not stop the relaying through their 18 mail servers, although already using sendmail 8.8.8. 80% of 3 million Taiwan Internet users have a hinet account. If you blocked them, everybody would point to it as bad service by your site, not by hinet.

Of course, if there were an organisation, like Internic, that pulled the IP address of this site (or re-routed it to an info server about spammer sites), then I could imagine it would help quite quickly to stop spammers. Charging for re-registering the site (100 US$) would not be so difficult; however, more important is that they are out of business for one day, and THAT would hurt a big ISP much more than the 100 US$. (I remember that kind of punishment, as the "rich" people thought they just needed to pay when they were too fast on the highway. They changed the rules: not a higher punishment, just wait two hours at the police office, and you think twice before going faster again.)

bye

Ronald

From: "Moser, Stefan"
Date: Fri, 10 Apr 1998 17:28:38 +0100
To: firewalls@GreatCircle.COM
Subject: RE: socks versus fw-1 [Part I/II]

> -----Original Message-----
> From: Frank Willoughby [mailto:frankw@in.net]
> Sent: Friday, April 10, 1998 8:40 AM
> To: firewalls@GreatCircle.COM
> Subject: RE: socks versus fw-1 [Part I/II]
> Importance: High

[....]

> >>Here are a few of my *many* crows to pick with the
> >>Firewall-1.
> >>o You have to put a deny all at the last of the rules
> >>to make up for its default stance of being wide open
> >
> >Uh..no. There is an implicit deny at the end of the
> >ruleset.
> ^^^
>
> That's exactly my point. "There is an implicit deny at the
> *END* of the ruleset". A basic axiom of network security
> design - turn off *all* network services, then turn on only
> those services that you *really* need to use.
>
> The Firewall-1 violates this basic security design principle.
> IOW, block everything by default, then open up the firewall
> to permit only known *good* services. IMO, Checkpoint works
> in reverse. It closes the barn door after the horses are all
> out by placing the deny all at the END of the ruleset instead
> of the beginning.

That's semantics! Anybody that is involved with network security should be intelligent enough in the first place to figure that out.
If not, he/she is going to do stupid things with it no matter what you throw at them.

What worries me actually more about the Checkpoint approach is that you can switch on/off certain often-used services like DNS, ICMP etc. in the property settings. It confuses the hell out of people since it prevents you from having an all-in-one view of your security policy. This is really bad and unnecessary. I actually confronted a high-level Checkpoint rep in front of a lot of people once, but I don't think he got my point. I think best practice is to deny everything in the properties and put *everything* into the policy proper instead.

> Further, from my experience, if the "implicit deny at the end of the ruleset" was in there, it sure didn't work very well when I tested it. I ran a battery of tests across the Firewall-1 recently & found a *lot* of vulnerabilities (more than 50). If the rule was in there & working, then the firewall leaked.

Actually I never even tested this! I always educated (when I used to be a consultant :) our customers to put an *explicit* deny at the end of the rule base, if just for the sake of clarity. But I agree, if it indeed leaks that is very, very bad. Maybe you had some services still allowed through the property settings (see above)?

> >>o It encourages people to do stupid (from a security point-of-view) things like permit dangerous (unproxied) services through the firewall - a la' if they support it, it must be OK).
> >
> >Many proxy vendors include a circuit-level gateway that does exactly the same. What I think you meant to say is that some proxy vendors include application-specific proxies that validate the data better.
>
> You're comparing apples & oranges. Circuit-level gateways are provided for companies who wish to permit secure applications through the firewall for which no proxies exist.
> It was *not* designed for people to punch holes thru the firewall so that they can let some (dangerous) services thru the firewall. The *use* of circuit-level gateways is not supported by the vendors. Again, it was designed to permit secure apps thru the firewall - not to be abused by letting known insecure services thru to the inside network.

But people do use them when there's enough pressure from the business. And they might actually think they're safer than just punching a hole into a stateful inspection fw for that service. After all, they bought the 'more secure' application gateway. I think the argument works both ways.

> From my research, Checkpoint advocates and supports (if you can find 'em) letting in known dangerous unproxied services thru the firewall.

I never read any of the AG vendors' manuals thoroughly, but do they actually tell people 'hey listen, we provide you with a generic proxy, but you really are putting your business on the line when you use it!'? I kind of agree though that the reluctance to venture out and actually configure a generic proxy might be higher because you have to do something 'special'. With FW-1 the service definition for NIS is just two clicks away, after all. However, I'm not sure if it's really the firewall vendor's responsibility to educate users on the characteristics of individual protocols. But then maybe it is...

> >>o I don't like the security architecture of the firewall
> >Well, you don't have to I suppose. Some specifics would be more useful.
>
> Good point. OK, here's a few that come to mind:
> o Insecure Operating System

Which it shares with most other firewalls. Come to think of it, is there an AG that does *not* run on top of an insecure OS?

> o Manually configured NAT (instead of automatic)

Don't see why this would be a problem. BTW, version 3.0 lets you have the choice of generating NAT rules manually or automatically.
Also NAT is now integrated with the GUI, which makes it a hell of a lot more intuitive.

> o Compilers on the firewall (to compile the Inspection rules)

What kind of compilers are you talking about? They're not C compilers or anything. What exactly would you do with an inspect code compiler if you were a hacker?

> o GUI doesn't reflect the rules or the state of the firewall

I don't understand what you mean.

> o Checkpoint supplies very few proxies (about *1/4* - 1/3 that of other vendors). They also advocate that Stateful Inspection is better than using proxies. If *they're* not comfortable with their own proxies, how would a customer feel about using them?

As you have observed yourself, they have reversed that position. They're still short of proxies but they patched at least the worst holes. However, it is beyond me how they could maintain the position that, for example, a straight SMTP connection to your mail server (preferably running an unpatched version of sendmail) would be more secure than, let's say, smap. This actually is what pisses me off the most about Checkpoint. They must have been fully aware of this (otherwise they wouldn't have come up with security servers), since it's not too hard to figure out, but publicly denied it for several years.

> o The firewall "leaks". If inbound services are blocked, it is still possible to sneak packets thru the firewall.
>
> o In certain cases, the firewall is unable to maintain state information (which is interesting since the whole focus of the product is in this specific area)
>
> o Source code isn't available

Again, this it shares with most of its commercial competitors except maybe TIS, but they give you a hell of a time to obtain the source ever since 4.0 came out.

> o Setting up the VPN can be a real pain.

Well, if the NSA hasn't been able to get it working maybe they are underfunded or don't hire the right people ;o). I have gotten it to work on several occasions and I don't consider myself overly intelligent.
> o The SecureRemote isn't.

How?

> o The documentation (perhaps not an architecture issue directly, but is problematic, nonetheless. It's huge & says nothing. Probably the best docset I have seen yet was from a vendor who summed everything up in 27 pages. It was very well written. The Checkpoint docset takes up a lot of space, 3-4 inches (7.5-10cm), and says very little.

Agreed, the documentation sucks for the most part. Period.

> Some of the above are mentioned in the NSA's report. You mentioned you read the document. I saw problems. You didn't. Perhaps security is in the eye of the beholder.

-Stefan

BTW, I'm in no way affiliated with Checkpoint, I do not own Checkpoint shares, I didn't even get a lousy T-shirt from them.

From firewalls-owner Fri Apr 10 13:28:09 1998
From: Takacs Istvan
Reply-To: "anonymus@mail.matav.hu"
To: "'firewalls@greatcircle.com'"
Date: Fri, 10 Apr 1998 21:51:57 +0200
Subject: SATAN

Hi,

Thanks to everyone who answered me. I wrote a letter to Dan Farmer, who's the author of SATAN. I've got this automatic answer back:

This is a program that is automatically responding to your mail.
Dan sucks at correspondence; don't hold your breath awaiting a reply. If it's vital and you still don't get any signs of life, please accept my electronic apologies on his behalf.

Best wishes --
-- The robotic slave ----

p.s. If you're trying to run satan using netscape's browser and it asks you to save/download the files, go to:
http://www.trouble.org/~zen/satan/satan-demo/netscape.txt

p.p.s. If you're having troubles or would like to ask about SATAN, COPS, the Internet security survey, etc., try reading the pages at:
http://www.trouble.org/satan/ (or send mail to satan@fish.com for an autoresponder with a FAQ.)
http://www.trouble.org/cops/
http://www.trouble.org/survey/
http://www.trouble.org/security/
And then try asking again if the answers aren't there. And no, there is no, nor will there be, a windows 95, NT, Mac, or non-unix version of satan.

p.p.p.s. If you're writing about Year 2000 compliance of COPS or SATAN, neither has any date-dependent code in them; if the operating system that they run on is Y2K compliant, they are as well.

p.p.p.p.s. If you want information on music mailing lists, I'm sorry, I don't run any these days. Try looking at the band lists at http://www.yahoo.com for more info on this sort of thing.

I've got another program, called Ogre. It can run in an NT-based network.
http://www.antionline.com/SpecialReports/Ogre/

Regards,
Istvan Takacs
mailto:anonymus@mail.matav.hu

From firewalls-owner Fri Apr 10 15:22:29 1998
From: Olivier Brousse
To: Frank Willoughby
Cc: firewalls@GreatCircle.COM
Date: Fri, 10 Apr 1998 13:40:14 -0600
Subject: Re: socks versus fw-1 [Part I/II]

FW-1 works exactly following the basic security design principle you mention, that is "block everything by default, then open up the firewall to permit only known *good* services." FW-1 checks each incoming packet against the rules you have defined, and will let a packet through if and only if it matches one of the rules you defined (the first) that will let the packet through. FW-1 installed with *no* rules will block everything.

- Olivier

| >>Here are a few of my *many* crows to pick with the Firewall-1.
| >>o You have to put a deny all at the last of the rules to make up for its default stance of being wide open
| >
| >Uh..no. There is an implicit deny at the end of the ruleset.
| ^^^
|
| That's exactly my point. "There is an implicit deny at the *END* of the ruleset". A basic axiom of network security design - turn off *all* network services, then turn on only those services that you *really* need to use.
|
| The Firewall-1 violates this basic security design principle. IOW, block everything by default, then open up the firewall to permit only known *good* services. IMO, Checkpoint works in reverse. It closes the barn door after the horses are all out by placing the deny all at the END of the ruleset instead of the beginning.
|
| Further, from my experience, if the "implicit deny at the end of the ruleset" was in there, it sure didn't work very well when I tested it. I ran a battery of tests across the Firewall-1 recently & found a *lot* of vulnerabilities (more than 50). If the rule was in there & working, then the firewall leaked.

From firewalls-owner Fri Apr 10 15:22:38 1998
From: Takacs Istvan
Reply-To: "anonymus@mail.matav.hu"
To: "'firewalls@greatcircle.com'"
Date: Fri, 10 Apr 1998 22:49:02 +0200
Subject: SATAN for NT

Hi,

Here's the not-automatic answer from Dan Farmer:

Ballista and ISS both make commercial
scanners that probably do something like what you're thinking of... I'd suggest you check them out. I think they're at:
www.balista.com
www.iss.net

Regards,
Istvan Takacs
mailto:anonymus@mail.matav.hu

From firewalls-owner Fri Apr 10 16:37:33 1998
From: "M.R.Murphy"
To: firewalls-digest@greatcircle.com
Date: Fri, 10 Apr 1998 16:34:31 -0700
Subject: Re: Hi SPAM

ISPs have to deal with spammers and with folks who think it's a good idea to bounce spam to abuse, root, webmaster, ... Both the spammers and the bouncers are a pain; both are part of doing business; and I wish both would go away and shrivel. That won't happen.

We cancel spammers aggressively, billing them a punitive fee to their credit card (authorization in our Terms and Conditions) and cancelling them with no refund.

The bouncers we don't bother blocking, and we can't do much about. We, the tech support folk, put them on a "twit list" on the wall and think evil thoughts at them, wishing them indigestion, hangnails, and general dysfunction which will lead to increased irritability. We're sure it's working.

For postmaster@inetworld.net,
--
Mike Murphy mrm@Mole.ORG +1 760 598 5874
Fix the cigarette lighter.
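An added example for the Firewall-1 rule-order exchange earlier in this digest (Frank Willoughby, Stefan Moser, Olivier Brousse). It is not Checkpoint code and not code from any of the posters: a small first-match policy evaluator used to check two of the claims made. First, under first-match semantics an explicit "drop everything" cleanup rule at the end of the rule base and the implicit deny produce the same verdicts, which is Olivier's and Stefan's point that where the deny sits is semantics. Second, services ticked in the FW-1 "properties" are modelled as implied rules consulted before the visible rule base, which is how Stefan's complaint shows up: traffic the rule base would drop is accepted by a rule the policy editor does not show. Addresses, rule names and the shape of the "property" rules are assumptions constructed for this example.

```python
"""Added example (not Checkpoint code, not from any poster): a first-match
packet-filter policy evaluator with 'implied' property rules in front of
the visible rule base.  All addresses and rules are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Sequence, Tuple

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    name: str
    src: str = ANY                # CIDR
    dst: str = ANY                # CIDR
    proto: str = "any"            # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None   # None = any destination port
    action: str = "drop"          # "accept" or "drop"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    return (ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport))


def evaluate(rule_base: Sequence[Rule], pkt: Packet,
             implied: Sequence[Rule] = ()) -> Tuple[str, str]:
    """First match wins.  Implied (property-driven) rules are consulted
    before the rule base the administrator sees in the policy editor; if
    nothing matches at all, the verdict is drop: the implicit deny."""
    for rule in list(implied) + list(rule_base):
        if matches(rule, pkt):
            return rule.action, rule.name
    return "drop", "implicit deny"


def same_verdicts(a: Sequence[Rule], b: Sequence[Rule],
                  packets: Sequence[Packet]) -> bool:
    """True if both rule bases give the same accept/drop action for every packet."""
    return all(evaluate(a, p)[0] == evaluate(b, p)[0] for p in packets)


def accepted_only_by_implied(rule_base: Sequence[Rule], implied: Sequence[Rule],
                             packets: Sequence[Packet]) -> List[Tuple[Packet, str]]:
    """Traffic the visible rule base drops but an implied rule accepts: the
    part of the effective policy an audit of the rule base alone cannot see."""
    hidden = []
    for pkt in packets:
        action, name = evaluate(rule_base, pkt, implied)
        if action == "accept" and evaluate(rule_base, pkt)[0] == "drop":
            hidden.append((pkt, name))
    return hidden


# Constructed sample policy: an internal /16 with a mail relay and a DNS server.
INSIDE = "10.1.0.0/16"
RULE_BASE = [
    Rule("inbound SMTP to relay", ANY, "10.1.0.25/32", "tcp", 25, "accept"),
    Rule("outbound HTTP", INSIDE, ANY, "tcp", 80, "accept"),
    Rule("explicit cleanup", ANY, ANY, "any", None, "drop"),
]
# What "Accept UDP DNS" and "Accept ICMP" ticked in the properties amount to
# (assumed shape: accept from anywhere to anywhere, ahead of the rule base).
PROPERTIES = [
    Rule("property: Accept UDP DNS", ANY, ANY, "udp", 53, "accept"),
    Rule("property: Accept ICMP", ANY, ANY, "icmp", None, "accept"),
]
OUTSIDE_HOST = "198.51.100.7"
SAMPLE_PACKETS = [
    Packet(OUTSIDE_HOST, "10.1.0.25", "tcp", 25),    # wanted: mail to the relay
    Packet("10.1.5.9", "203.0.113.10", "tcp", 80),   # wanted: browsing out
    Packet(OUTSIDE_HOST, "10.1.0.53", "udp", 53),    # DNS from outside to an inside server
    Packet(OUTSIDE_HOST, "10.1.0.44", "icmp"),       # ping from outside to an inside host
    Packet(OUTSIDE_HOST, "10.1.0.44", "tcp", 23),    # telnet from outside
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt, "->", evaluate(RULE_BASE, pkt, PROPERTIES))
    print("cleanup rule == implicit deny:",
          same_verdicts(RULE_BASE, RULE_BASE[:-1], SAMPLE_PACKETS))
    print("accepted only via properties:",
          accepted_only_by_implied(RULE_BASE, PROPERTIES, SAMPLE_PACKETS))
```

The explicit cleanup rule changes nothing about which packets pass; what it buys is a visible, loggable line instead of a silent implicit drop. The `accepted_only_by_implied` check is the audit Stefan is asking for: it lists exactly the traffic that gets in because of a property setting rather than a rule anyone can read in the policy.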
From firewalls-owner Fri Apr 10 19:07:32 1998
From: "Keaf Seddras Phd."
Organization: University of Moscow
To: ccurtis@facm.fit.edu
Cc: "firewalls@GreatCircle.COM"
Reply-To: greg-ou812@webnology.com
Date: Fri, 10 Apr 1998 20:54:27 -0600
Subject: Re: hi SPAM

How long do you suppose we have to listen to you folks blather on about something that has absolutely NOTHING to do with this list?

On 10 Apr 98, ccurtis@facm.fit.edu wrote about Re: hi SPAM:

[tripe and digression snipped for the benefit of all]

- Cheers,
Dr. Keaf Seddras
Deacon, Church of O'Malley

"There's a fine line between fishing and standing on the shore looking like an idiot." --Steven Wright

*ANTISPAM-NOTE* To respond to this message, delete the '-ou812.' in the reply-to address(es).
From firewalls-owner Fri Apr 10 20:52:34 1998
From: Ronald Wiplinger
To: "Keaf Seddras Phd."
Cc: ccurtis@facm.fit.edu, "firewalls@GreatCircle.COM"
Date: Sat, 11 Apr 1998 11:35:05 +0800 (CST)
Subject: Re: hi SPAM

On Fri, 10 Apr 1998, Keaf Seddras Phd. wrote:

> How long do you suppose we have to listen to you folks blather on about something that has absolutely NOTHING to do with this list?

I wonder why you say that, because:

1. The start of this thread was that somebody used this list for spamming.

2. A firewall should fight against any unwanted traffic.
> [tripe and digression snipped for the benefit of all]

From firewalls-owner Fri Apr 10 23:37:38 1998
From: Powertel Boca Ltd
To: Andrew Raphael
Cc: firewalls@GreatCircle.COM
Date: Sat, 11 Apr 1998 02:36:20 -0500 (CDT)
Subject: Re: Livingston's IRX211 firewall router

Hi

Thanks Andrew. Apart from network address translation, what are the other benefits that you see in a Cisco PIX over the IRX211? Performance benefits, that is.

Regards
Nataraj, S

On Fri, 10 Apr 1998, Andrew Raphael wrote:

> >Has anyone out there installed the IRX211 firewall router from Livingston?
> >How does the IRX211 compare with Cisco's PIX?
>
> Yes. I use them as interior choke routers. It's nothing like Cisco's PIX because it doesn't do network address translation.
>
> --
> Andrew Raphael
> "Oh! I see, it's your birthday. It's your big day, and I forgot."
From firewalls-owner Sat Apr 11 00:07:36 1998
From: Michael Conlen
To: "William L. Hamlin"
Cc: Yury German, "McMaster, Rick", firewalls
Date: Sat, 11 Apr 1998 02:51:39 -0400 (EDT)
Subject: Re: Questions about ICMP

In response to filtering ICMP Echo and Echo Reply, I was wondering what you felt about letting ICMP echo packets go out through the firewall and ICMP echo replies back in. The reason I ask is that I've been thinking of playing with IP over ICMP now that I have the ability to get the IP back out once on the other side of the firewall. Has anyone seen someone try to tunnel (or attempt to do so) IP over ICMP before?

Groove on
Michael Conlen
meconlen@intnet.com

If you can't change your mind, are you sure you still have one?
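An added example, not code from the post above and not any existing tunnel tool, showing what the IP-over-ICMP idea Michael Conlen describes looks like at the packet level, and the two checks a filter that allows echo out and echo reply in can still apply to it. The encoder chops a payload into echo requests with increasing sequence numbers; the decoder reassembles them. On the defensive side, a real echo reply must mirror the request it answers byte for byte, so pairing requests and replies by (identifier, sequence) and comparing payloads catches data smuggled in on the inbound leg, and a request whose payload does not look like a stock ping catches the outbound leg. The stock-ping heuristics (an 8-byte timestamp followed by consecutive byte values for the Unix ping, a fixed alphabet for the Windows one) and all traffic here are assumptions constructed for the example; nothing is sent on a socket.

```python
"""Added example (not from the post): IP-over-ICMP tunnel packets built and
parsed in memory, plus a stateful check that pairs echo requests with their
replies.  All packets and the ping-payload patterns are constructed
assumptions for this example."""
import struct
from typing import List, Tuple

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0
# Assumed fixed payload of the Windows ping of the period (32 bytes).
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def internet_checksum(data: bytes) -> int:
    """RFC 1071: ones'-complement sum over 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP echo request/reply: type, code 0, checksum, identifier, sequence, data."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = internet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_echo(packet: bytes) -> Tuple[int, int, int, bytes]:
    """Return (type, ident, seq, payload); an intact packet checksums to zero."""
    if len(packet) < 8 or internet_checksum(packet) != 0:
        raise ValueError("truncated ICMP packet or bad checksum")
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return icmp_type, ident, seq, packet[8:]


def tunnel_encode(data: bytes, ident: int, chunk: int = 56,
                  icmp_type: int = ICMP_ECHO_REQUEST) -> List[bytes]:
    """Sending side of the tunnel: carry data in consecutive echo payloads.
    chunk=56 matches the default Unix ping payload, so length alone is no tell."""
    return [build_echo(icmp_type, ident, seq, data[i:i + chunk])
            for seq, i in enumerate(range(0, len(data), chunk))]


def tunnel_decode(packets: List[bytes]) -> bytes:
    """Receiving side: reassemble in sequence order."""
    parts = []
    for p in packets:
        _type, _ident, seq, payload = parse_echo(p)
        parts.append((seq, payload))
    return b"".join(payload for _seq, payload in sorted(parts))


def payload_is_stock_ping(payload: bytes) -> bool:
    """Assumed stock patterns: Unix ping sends an 8-byte timestamp followed by
    bytes increasing by one (0x10, 0x11, ...); Windows sends a fixed alphabet."""
    if payload == WINDOWS_PING_PAYLOAD:
        return True
    if len(payload) < 16:
        return False
    body = payload[8:]
    return all(body[i + 1] == (body[i] + 1) & 0xFF for i in range(len(body) - 1))


def suspicious_echo_flows(packets: List[bytes]) -> List[str]:
    """Stateful check over a capture: flag requests whose payload is not a stock
    ping, replies with no outstanding request, and replies whose payload differs
    from the request they answer (a real echo reply mirrors the request)."""
    reasons, outstanding = [], {}
    for p in packets:
        icmp_type, ident, seq, payload = parse_echo(p)
        key = (ident, seq)
        if icmp_type == ICMP_ECHO_REQUEST:
            outstanding[key] = payload
            if not payload_is_stock_ping(payload):
                reasons.append("request id=%d seq=%d: non-stock payload" % key)
        elif icmp_type == ICMP_ECHO_REPLY:
            if key not in outstanding:
                reasons.append("reply id=%d seq=%d: no matching request" % key)
            elif outstanding.pop(key) != payload:
                reasons.append("reply id=%d seq=%d: payload differs from request" % key)
    return reasons


# Constructed traffic: one stock ping exchange, one tunnel in each direction.
STOCK_PAYLOAD = bytes(8) + bytes(range(0x10, 0x40))                # 56 bytes
LEGIT_EXCHANGE = [build_echo(ICMP_ECHO_REQUEST, 1, 1, STOCK_PAYLOAD),
                  build_echo(ICMP_ECHO_REPLY, 1, 1, STOCK_PAYLOAD)]
SECRET = b"GET / HTTP/1.0\r\nHost: inside.example\r\n\r\n" * 3        # 120 bytes
OUTBOUND_TUNNEL = tunnel_encode(SECRET, ident=0x1234)
INBOUND_TUNNEL = [build_echo(ICMP_ECHO_REQUEST, 7, 0, STOCK_PAYLOAD),
                  build_echo(ICMP_ECHO_REPLY, 7, 0, b"data smuggled in on the reply")]

if __name__ == "__main__":
    print(len(OUTBOUND_TUNNEL), "packets carry", len(tunnel_decode(OUTBOUND_TUNNEL)), "bytes")
    print("legit:", suspicious_echo_flows(LEGIT_EXCHANGE))
    print("outbound tunnel:", suspicious_echo_flows(OUTBOUND_TUNNEL))
    print("inbound tunnel:", suspicious_echo_flows(INBOUND_TUNNEL))
```

The request/reply pairing is the check worth having at the firewall: it does not depend on guessing what a "normal" payload is, only on the protocol rule that a reply echoes its request, which the inbound leg of any such tunnel has to break. The payload heuristic is weaker and easy to fool by padding data into a stock-looking pattern; treat it as a hint, not a verdict.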
From firewalls-owner Sat Apr 11 00:50:37 1998
From: Michael Conlen
To: "firewalls@GreatCircle.COM"
Date: Sat, 11 Apr 1998 02:47:38 -0400 (EDT)
Subject: Re: hi SPAM

On Sat, 11 Apr 1998, Ronald Wiplinger wrote:

> I wonder why you say that, because:
>
> 1. The start of this thread was that somebody used this list for spamming
>
> 2. A firewall should fight against any unwanted traffic.

So does anyone know of a product which will allow you to dump email at the firewall? Possibly a mail server in the DMZ which all host MX records on the external name server point to, which then will scan the mail and dump it if the content is impermissible, and pass it along to servers inside the firewall if permissible?

I know with Perl it's trivial to write a program to check text for content in the form of regular expressions. If this is applied to all incoming and possibly outgoing email messages at the firewall you can block unwanted traffic. I know it's trivial to write because I've done it for my personal email, however I've not tried to implement it at the mail server before it gets to the mail delivery agent.
Being able to filter out all that damn email from Friend@public.com would make your users a bit happier, and going the other way, being able to filter out outgoing source code and such will make the boss happy, though depending on your company's email uses you may need someone to monitor questionable email and decide if you want to forward it on or dump it. You may just catch the person leaking company secrets though.

Groove on
Michael Conlen
meconlen@intnet.com

Windows NT crashed.
I am the Blue Screen of Death.
No one hears your screams.

From firewalls-owner Sat Apr 11 00:53:00 1998
From: Michael Conlen
To: "Eric P. Cummings"
Cc: firewalls@greatcircle.com
Date: Sat, 11 Apr 1998 03:08:33 -0400 (EDT)
Subject: Re: NT or Unix

On Wed, 8 Apr 1998, Eric P. Cummings wrote:

> Hi
> Could anyone tell me what the issues are related to the operating system under my chosen firewall software. I have the option of using checkpoint's firewall-1 on NT, or another firewall software on linux or SCO Unix. Long story about how I got in this predicament.
> Thanks

I would never, ever use SCO for a firewall. There are some serious problems with its TCP/IP stack and/or the OS software itself.
It's the only UNIX variant which I *must* boot about every two weeks or else everything goes downhill. I have found problems with TCP sockets being left hanging open for days and weeks after the software which opened them exited. This means that at some point in time you run out of sockets.

I have found SCO's support to be not only uninformed, but they have seriously misled us at times. They have even provided us software which they patched specifically for us, then threw away the source code after they emailed the binaries to us. They have followed the Microsoft policy of: if all else fails, reinstall!

I strongly recommend against using SCO for your firewall needs. If you wish to discuss this, and my experience relating to making this recommendation, I will be glad to in private email.

On the other hand, Linux has been quite nice to me. I don't remember the last time I had a forced reboot with Linux (but I seem to have an inverse Pauli effect on Linux boxes).

Groove on
Michael Conlen
meconlen@intnet.com

The code was willing,
It considered your request,
But the chips were weak.
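Returning to Michael Conlen's "hi SPAM" message two posts up: an added example, not from that post and not an existing product, of the regex content filter he describes, written as the function a DMZ relay would call before handing a message to the internal mail host. It parses one RFC 822 message, applies an inbound rule set (drop known junk senders and phrases) and an outbound rule set (hold anything that looks like source code for a human, rather than dropping it silently, which is the review step he mentions). The rule sets and the sample messages are assumptions constructed for the example; the Friend@public.com address is the one from his post.

```python
"""Added example (not from the post, not a product): a content filter of the
kind described in the 'hi SPAM' thread, run where a DMZ relay would call it.
Rule sets and sample messages are constructed assumptions for this example."""
import email
import email.policy
import re
from typing import Tuple

# Inbound rules: senders and phrases to drop outright.
INBOUND_SENDER_BLOCKLIST = (re.compile(r"friend@public\.com", re.I),)
INBOUND_BODY_PATTERNS = (
    re.compile(r"\bmake money fast\b", re.I),
    re.compile(r"\bto be removed\b.*\breply\b", re.I),
)
# Outbound rules: things that look like source code leaving the company are
# held for a human ("hold"), not dropped silently.
OUTBOUND_SOURCE_PATTERNS = (
    re.compile(r"^\s*#include\s*<\w+\.h>", re.M),
    re.compile(r"\bint\s+main\s*\(", re.M),
    re.compile(r"^\s*sub\s+\w+\s*\{", re.M),          # Perl
)
OUTBOUND_SOURCE_EXTENSIONS = (".c", ".h", ".pl", ".java")


def text_of(msg) -> str:
    """All text/* parts of the message, transfer-decoded by the parser."""
    return "\n".join(part.get_content() for part in msg.walk()
                     if part.get_content_maintype() == "text")


def classify(raw: str, direction: str) -> Tuple[str, str]:
    """Verdict for one message: 'deliver', 'drop' (inbound junk) or 'hold'
    (outbound, needs a human).  The second element names the rule that fired."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    body = text_of(msg)
    if direction == "inbound":
        sender = str(msg.get("From", ""))
        for pat in INBOUND_SENDER_BLOCKLIST:
            if pat.search(sender):
                return "drop", "blocked sender: " + sender
        for pat in INBOUND_BODY_PATTERNS:
            if pat.search(body):
                return "drop", "body matched " + pat.pattern
        return "deliver", "clean"
    if direction == "outbound":
        for part in msg.iter_attachments():
            name = (part.get_filename() or "").lower()
            if name.endswith(OUTBOUND_SOURCE_EXTENSIONS):
                return "hold", "source attachment: " + name
        for pat in OUTBOUND_SOURCE_PATTERNS:
            if pat.search(body):
                return "hold", "body looks like source code: " + pat.pattern
        return "deliver", "clean"
    raise ValueError("direction must be 'inbound' or 'outbound'")


# Constructed sample messages.
SPAM = ("From: Friend@public.com\nTo: staff@example.com\nSubject: hi\n\n"
        "MAKE MONEY FAST!!!\n")
QUOTE = ("From: customer@elsewhere.example\nTo: sales@example.com\n"
         "Subject: quote request\n\nCould you quote 20 seats? Thanks.\n")
LEAK = ("From: engineer@example.com\nTo: pal@elsewhere.example\n"
        "Subject: that thing we discussed\nContent-Type: text/plain\n\n"
        "#include <stdio.h>\nint main(void) { return 0; }\n")
LEAK_ATTACHED = (
    "From: engineer@example.com\nTo: pal@elsewhere.example\nSubject: files\n"
    "MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary=\"XX\"\n\n"
    "--XX\nContent-Type: text/plain\n\nhere you go\n"
    "--XX\nContent-Type: application/octet-stream; name=\"secret.c\"\n"
    "Content-Disposition: attachment; filename=\"secret.c\"\n\nint x;\n--XX--\n")

if __name__ == "__main__":
    for label, raw, direction in (("spam", SPAM, "inbound"), ("quote", QUOTE, "inbound"),
                                  ("leak", LEAK, "outbound"),
                                  ("attached", LEAK_ATTACHED, "outbound")):
        print(label, classify(raw, direction))
```

Two cautions that follow from the code rather than from the post: a regex filter matches only what it was written to match, so base64 or a renamed attachment walks past it, and the outbound check therefore returns "hold" rather than a silent drop so that a person sees what the patterns missed or mis-hit. Decoding with the parser (rather than grepping the raw bytes) is what makes the rules see the same text the recipient would.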
From firewalls-owner Sat Apr 11 01:43:29 1998
From: Michael Conlen
To: firewalls@GreatCircle.COM
Date: Sat, 11 Apr 1998 03:16:12 -0400 (EDT)
Subject: Hacked hosts in a DMZ on a switch

If a host in a DMZ is hacked and the host is connected to a switch, wouldn't it be possible to forge ARP packets which supply the MAC address of FF:FF:FF:FF:FF:FF and start the sniffer up?
Groove on
Michael Conlen
meconlen@intnet.com

Yesterday it worked
Today it is not working
Windows is like that

From firewalls-owner Sat Apr 11 04:29:58 1998
From: Junwen Lai
To: firewalls@GreatCircle.COM
Date: Sat, 11 Apr 1998 16:05:49 +0800 (GMT+0800)
Subject: How can I detect packet sniffer

I am new to firewalls, but I want to know how I can detect a packet sniffer in an Ethernet LAN. Thanks to all who reply to this letter.
Mick Jagger

From firewalls-owner Sat Apr 11 05:07:49 1998
From: Frank Willoughby
To: firewalls@GreatCircle.com
Date: Sat, 11 Apr 1998 06:35:41 -0500
Subject: RE: socks versus fw-1 [Part IIa/II]

This is yet another re-send (3rd attempt). My earlier mail (II/II) was sent 40 minutes after I/II. I checked with my ISP and they say they have had no problems. I have sent & received mails to other organizations & lists and have had no major problems. I've troubleshot this as far as I can from here, but it appears (so far) that the only common denominator is the firewalls mailserver. Hopefully the problem (wherever it is) will be cleaned up soon.

Meanwhile, back at the ranch.... 8^)

Part IIa/II

Continuing from Part I/II:

>>fw
>Ryan

>>o Checkpoint came out and stated that proxies were bad and that SMLI (pronounced "smelly" - IMHO, appropriate somehow) 8^) is much better than proxies. I find it interesting that Checkpoint uses "security servers" (which the rest of us mere mortals call proxies) as this is an apparent reversal of their previous position. If proxies were not secure as Checkpoint previously indicated, then why are they on the firewall now?
>
>I haven't done the necessary research to determine whether the security servers are more like proxies or more like SPFs, so I can't really comment.

I'm sorry. I was out of line on the "smelly" part. (The combination of the pronunciation of SMLI & my displeasure with Checkpoint's application of it were too much to resist). At least they realized the wisdom of the pronunciation of their SMLI acronym and now refer to it as SPF (Stateful >> Packet Filter <<), which I think is more descriptive of what it *really* is.

Anyway, I *did* do the research. One reference about security servers being proxies is contained in the NSA's report on page 56/98:

"The Checkpoint Firewall-1 firewall is equipped to perform rule base filtering based on the protocol itself with the Stateful Packet Inspection / Filtering or with a proxy which Checkpoint calls a Security Server."

>>o The only common encryption algorithm used in User->Firewall & Firewall->Firewall encryption is their own (PROPRIETARY) FWZ1 encryption algorithm.
>
>Uh, wrong. They support DES and whichever SKIP protocols you like. US only, of course.

I think you misunderstood me. The operative word in my sentence above is "common". I meant common to *both* User->Firewall *AND* Firewall->Firewall VPN connections.

>>To my knowledge, the source code to FWZ1 has *not* been published, nor has it been subjected to a peer review of expert cryptographers. And this from a company which is supposed to provide security? Bah Humbug. Any beginning InfoSec Analyst knows that proprietary encryption algorithms should be avoided like the plague. Only encryption algorithms which have been published and reviewed by expert cryptographers should be used. If the algorithm hasn't been published and reviewed by expert cryptographers, then how do we know it is strong enough & that there are no backdoors into it???
>>In the past, several companies would claim to
>>have a secure (homegrown) encryption algorithm and
>>would post a challenge to the cypherpunks mailing
>>list for someone to crack it. If they were to do
>>so, they would sell their company for $1.00.
>>2-3 days later, someone would crack the supposedly
>>unbreakable algorithm and state that the company
>>can keep their dollar.
>
>All true. That's why I have the DES version.

Bingo. If you're aware of this fundamental principle of good crypto, don't you think that Checkpoint is aware of this also? - Particularly since they designed a couple of VPN solutions into it? I'll give them the benefit of a doubt and assume this was an oversight and not deliberately designed into the product. Assuming they're smart and have no ulterior motives, they'll probably drop FWZ1. They don't need it and it destroy(s/ed) their credibility in the security arena.

Out of curiosity, why is Checkpoint being evaluated by the NSA? One requirement for entrance into the MISSI club is that the product must be integrated with FORTEZZA. FORTEZZA is a PCMCIA card with extensive authentication/encryption/signature capabilities. FWIW, I think FORTEZZA is a little ahead of its time. At some point in the next couple of years, a FORTEZZA-like product will be a standard & will probably be very widely used. Right now, it's a little expensive, and I don't think that society is willing to absorb this cost, but in large quantities, the price could come down and it would be a VERY attractive option. But I digress...

Perhaps I'm missing something, but I didn't know that Checkpoint had their own FORTEZZA solution. If this is the case, then either the NSA has dropped this requirement (hopefully not), or Checkpoint is using someone else's VPN solution. I don't know, but the secure VPN solution from V-ONE (their SmartGate VPN Server integrates on a number of vendors' firewalls) is a likely bet.
If the long chain of IFs above is accurate, I find it pretty ironic that Checkpoint has to use someone else's VPN solution to get looked at by the NSA. Speaks volumes, doesn't it?

I'll send IIb in 1 hour after this message is sent.

Best Regards,

Frank

The opinions of the author of this mail may not necessarily be representative of the opinions of Fortified Networks, Inc.

(c) Fortified Networks, Inc. - http://www.fortified.com/
Home of the Free Internet Firewall Evaluation Checklist
Expert (vendor-neutral) Computer and Network Security Solutions
Phone: (317) 573-0800 Fax: (317) 573-0817

From firewalls-owner Sat Apr 11 05:22:41 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id EAA13535; Sat, 11 Apr 1998 04:31:54 -0700 (PDT)
Received: from su1.in.net (su1.in.net [199.0.62.2]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id EAA13517 for ; Sat, 11 Apr 1998 04:31:41 -0700 (PDT)
Received: from frankw.in.net (pm5-25.in.net [205.160.202.185]) by su1.in.net (8.8.8/8.6.9) with SMTP id LAA08304 for ; Sat, 11 Apr 1998 11:35:01 GMT
Message-Id: <3.0.5.32.19980411063612.01097140@in.net>
X-Sender: frankw@in.net
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32)
Date: Sat, 11 Apr 1998 06:36:12 -0500
To: firewalls@GreatCircle.com
From: Frank Willoughby
Subject: RE: socks versus fw-1 [Part IIb/II]
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Part IIb / II

This is message IIb. Hopefully, this one will get through. In any event, it seems to me that this is a classic case of "IIb or NOT IIb - that is the question". 8^) 8^) 8^)

>>o With proxies & logging enabled, it is *slower* than proxy
>>firewalls.

>Hasn't been my experience.

How do you know?

>>o The NSA (who is no slouch in getting crypto to work)
>>couldn't get Checkpoint's VPN crypto to work.
>
>Strange, the report I've seen (mentioned in the
>URL above) states that they were able to validate it.
>The only part that wasn't validated was IPSec, which
>FW1 doesn't do (or claim to.)

According to pages 8, 11, and 45 of the NSA's report (as follows), your statement above is incorrect.

"The vendor claims described below were selected from the product documentation, sales literature and the Check Point web site."

"Manual IPSEC: Not Validated. IPSec with the AH header did not work."

Further:

"Exchanging the keys between firewalls was not straightforward. Numerous errors were encountered with no corresponding troubleshooting procedures. Rebooting and reinstallation of either firewall had no effect. Upon the advice of the Check Point representative, the workaround to problems with key exchanges was to delete both firewall objects from the network objects list and to recreate them. This seemed to "sync" up the firewalls and the key exchanges were then successful. While this method worked, it was not optimal. For example if numerous keys had already been generated, this could be a lengthy and troublesome rebuild."

What about customers who have several hundred *thousands* of remote clients? Can you see them regenerating all of the keys? Perhaps even manually? Not likely. The first time it happened, a CIO/CTO would probably replace the firewall & use the old one as a boat anchor.

NSA's document further indicates:

"The FWZ scheme encrypts all the data between the firewalls, but does not hide which services are being used. This simply means that the FWZ scheme does not support a "tunneling" mode in which the services are encapsulated within an encrypted IP packet. Knowing which services are being used between firewalls enables an attacker to perform traffic analysis and gives a starting point for choosing a particular service to attack."

>>o Checkpoint's lack of support in notifying their
>> customers about the vulnerability that Secure
>> Networks posted.
>>o Checkpoint's denial that the problem even exists (as visible in their note in the Computer Security Institute's Alert newsletter).
>
>I don't know the story here, so I can't comment.

I do. Without exception, *none* of the companies I talked to (who had the Firewall-1), were aware of the SNMP problem until I told them. Out of curiosity, how did you find out about the SNMP problem? Through a friendly call or e-mail from Checkpoint, their hidden VAR/Reseller pages, or Bugtraq?

>>The above are a few, but how many security problems
>>does a firewall have to have before it is ultimately
>>rejected. You have to remember, we are talking about
>>a security product, not what type of car to buy. It
>>should be evaluated primarily from a security point-
>>of-view (it is, after all, a security product). It
>>doesn't rate a high rating in my book or that of other
>>Information Security Officers I have talked to. But
>>hey, what do we know? We're only Information Security
>>Officers - not Checkpoint marketing dweebs.
>
>I dunno, how many basic facts does a security consultant
>have to be wrong about before he's ultimately rejected?

I don't know, but you're not doing very well so far.

It appears that your last sentence above was supposed to be a personal affront to me. I wasn't planning on getting into this, but I have no problems defending myself. I thought you knew my background, but I'll refresh your memory just in case.

In my case, I'm an Information Security Officer (ISO) with over 8 years experience as a corporate ISO and @ 15-20 years additional security experience (nukes, intelligence, DoD contracting, Advanced Research Projects, etc.). My first job as a full-time ISO was working for Digital Equipment GmbH (DEC's German subsidiary) where I managed the InfoSec Operations for the entire country.
While there, we achieved the highest level of security of any country in the world (in a global network of 120,000 employees, 100K systems) month-after-month for a couple of years - that continued even after I left. I don't know why, but I seem to have a (verifiable) knack of making security work well with business & turning security into a competitive advantage. BTW, all of the above is verifiable.

I am NOT a "security consultant" who lacks "real-world" experience. If you want one, the phone book is full of them. Just hand us the clean-up work.

And your "real-world" experience in securing corporations as an ISO is ...?

>>I would recommend that the audience at large do their
>>*own* research and come to their own conclusions.
>>'Nuff said.
>
>Always a good idea. I try to help by keeping people
>from saying things that just aren't true for the products
>that I'm familiar with.

Truth is relative. I prefer the facts. I'll draw my own conclusions, thank you.

Look, no firewall is perfect. I'll always find at *least* a handful of benign security problems with any vendor's application-gateway type of firewall and many more (mostly very serious ones) with a packet filter type of firewall - no matter how well they are configured. Some problems are security vulnerabilities and some are engineering design flaws.

FWIW, I think Checkpoint's attempts to market stateful inspection as the firewall cure-all are doomed to failure. People are smarter now and they resent being led down the garden path. They're no longer buying into every bit of marketing hype that comes along. The stakes are too high. They can't afford to make a less-than-secure choice. They are *literally* betting their company on their choice of a firewall. They are (finally) taking the time to do the research themselves and to make intelligent, informed choices. It's a good start. I hope the trend continues.

I admire your loyalty to Checkpoint. Personally, I think it's misplaced.
Checkpoint may be good for protecting internal business-critical systems on an internal LAN from disgruntled employees. (IOW, it's OK for a relatively low-risk environment), but I wouldn't touch it to protect an organization from the serious threats from the Internet or other high-risk network.

My loyalties are to my customers. As you have probably gathered by now, there are very few firewalls that I deem "worthy enough" for my customers. Of the @ 70 firewalls on the market, there are about 5 that I feel are secure enough to stop a determined professional attacker. I take security products apart before I recommend anything (and have been doing so for years). Most recently, I tested an Operating System Security product. It failed. The main problem was the product failed on implementation issues. Of particular note, it is not an enterprise-wide solution.

May the (right) firewall be with you. 8^)

Best Regards,

Frank

The opinions of the author of this mail may not necessarily be representative of the opinions of Fortified Networks, Inc.

(c) Fortified Networks, Inc.
- http://www.fortified.com/
Home of the Free Internet Firewall Evaluation Checklist
Expert (vendor-neutral) Computer and Network Security Solutions
Phone: (317) 573-0800 Fax: (317) 573-0817

From firewalls-owner Sat Apr 11 06:37:45 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA00999; Sat, 11 Apr 1998 06:32:49 -0700 (PDT)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id FAA27990 for ; Sat, 11 Apr 1998 05:58:47 -0700 (PDT)
Received: from asterix.rby.hk-r.se (asterix-129.rby.hk-r.se [194.47.129.30]) by miles.greatcircle.com (8.8.5/8.8.5) with ESMTP id FAA09980 for ; Sat, 11 Apr 1998 05:56:11 -0700 (PDT)
Received: from kobold.rby.hk-r.se (pt96mti@kobold [194.47.134.176]) by asterix.rby.hk-r.se (8.8.7/8.8.7) with ESMTP id OAA16723 for ; Sat, 11 Apr 1998 14:57:42 +0200 (MET DST)
Received: (from pt96mti@localhost) by kobold.rby.hk-r.se (8.8.7/8.8.7) id OAA15297; Sat, 11 Apr 1998 14:57:41 +0200 (MET DST)
Date: Sat, 11 Apr 1998 14:57:41 +0200 (MET DST)
Message-Id: <199804111257.OAA15297@kobold.rby.hk-r.se>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
From: Magnus Timmerby
To: firewalls@GreatCircle.COM
In-reply-to: Michael Conlen's message of Sat, 11 Apr 1998 02:51:39 -0400 (EDT)
Subject: Re: Questions about ICMP
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Has anyone seen someone try to tunnel (or attempted to do so) IP over
> ICMP before?

It is certainly possible and has been done. I don't remember any references though, sorry.
/mti

From firewalls-owner Sat Apr 11 12:22:51 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA20422; Sat, 11 Apr 1998 12:16:29 -0700 (PDT)
Received: from Callisto.softiron.com (callisto.wiltelnsi.com [199.233.153.101]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id MAA20415 for ; Sat, 11 Apr 1998 12:16:22 -0700 (PDT)
Received: from 15801008.wiltelnsi.com ([192.168.10.180]) by Callisto.softiron.com (8.8.7/8.8.7) with SMTP id MAA24336 for ; Sat, 11 Apr 1998 12:14:10 -0700 (PDT)
Received: by 15801008.wiltelnsi.com with Microsoft Mail id <01BD6543.67A32040@15801008.wiltelnsi.com>; Sat, 11 Apr 1998 12:14:41 -0400
Message-ID: <01BD6543.67A32040@15801008.wiltelnsi.com>
From: Lorna Politzer
To: "'Firewalls Great Circle'"
Subject: Firewall-1 "yes valid license/no valid license" problem
Date: Sat, 11 Apr 1998 12:14:39 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Has anyone encountered this problem when installing Checkpoint's Firewall one? Evaluation licenses were first installed then removed once the valid ones were installed.

Notes from our engineer:

I fw putlic -o'd when I entered the pfm25 highav license, then added the encryption ca license. fw printlic showed both licenses as valid with no termination date. fw checklic encryption showed encryption as valid. fwstart printed out "no license for encryption", and attempting to contact the certificate authority reports that the local site is not a certificate authority.

It's this "yes valid license/no valid license" problem that is the confusing part. Please advise if you have any suggestions as to how to avert this problem.
Lorna Politzer

From firewalls-owner Sat Apr 11 13:08:15 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA24027; Sat, 11 Apr 1998 12:46:40 -0700 (PDT)
Received: from hq15.pcmail.ingr.com (hq15.pcmail.ingr.com [129.135.251.243]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id MAA23923 for ; Sat, 11 Apr 1998 12:46:00 -0700 (PDT)
Received: by HQ15 with Internet Mail Service (5.0.1460.8) id <2WYSR98F>; Sat, 11 Apr 1998 14:52:31 -0500
Message-ID:
From: "Jarmon, Don R"
To: "'firewalls@greatcircle.com'"
Subject: RE: SATAN for NT
Date: Sat, 11 Apr 1998 14:52:29 -0500
X-Mailer: Internet Mail Service (5.0.1460.8)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

You might check out:

http://www.webtrends.com/wss/

> ----------
> From: Takacs Istvan[SMTP:anonymus@mail.matav.hu]
> Reply To: anonymus@mail.matav.hu
> Sent: Friday, April 10, 1998 3:49 PM
> To: 'firewalls@greatcircle.com'
> Subject: SATAN for NT
>
> Hi,
>
> Here's the not automatic answer from Dan Farmer;
>
>
> Ballista and ISS both make commercial scanners that probably
> do something like what you're thinking of... I'd suggest you
> check them out.
> I think they're at:
>
> www.balista.com
> www.iss.net
>
>
> Regards,
>
> Istvan Takacs
> mailto:anonymus@mail.matav.hu
>

From firewalls-owner Sat Apr 11 15:22:50 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA07975; Sat, 11 Apr 1998 15:18:27 -0700 (PDT)
Received: from su1.in.net (su1.in.net [199.0.62.2]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id PAA07967 for ; Sat, 11 Apr 1998 15:18:18 -0700 (PDT)
Received: from frankw.in.net (pm4-10.in.net [205.160.202.138]) by su1.in.net (8.8.8/8.6.9) with SMTP id WAA06974; Sat, 11 Apr 1998 22:20:48 GMT
Message-Id: <3.0.5.32.19980411172159.00f05dd0@in.net>
X-Sender: frankw@in.net
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32)
Date: Sat, 11 Apr 1998 17:21:59 -0500
To: Junwen Lai
From: Frank Willoughby
Subject: Re: How can I detect packet sniffer
Cc: firewalls@GreatCircle.com
In-Reply-To:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 04:05 PM 4/11/98 +0800, Junwen Lai allegedly wrote:

> I am a newer to firewalls, but I want to know how I can detect packet
>sniffer in an Ethernet LAN, thanks all who would reply this letter.

Unless you are on the same system as the sniffer, there is no way to detect a NIC card running in promiscuous mode on a LAN.

HTH.

Best Regards,

Frank

The opinions of the author of this mail may not necessarily be representative of the opinions of Fortified Networks, Inc.

(c) Fortified Networks, Inc.
- http://www.fortified.com/
Home of the Free Internet Firewall Evaluation Checklist
Expert (vendor-neutral) Computer and Network Security Solutions
Phone: (317) 573-0800 Fax: (317) 573-0817

From firewalls-owner Sat Apr 11 16:07:53 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id QAA13596; Sat, 11 Apr 1998 16:02:45 -0700 (PDT)
Received: from minsky.reactive.com (Space-Not-Allocated.SESQUI.NET [198.64.198.57]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id PAA12398 for ; Sat, 11 Apr 1998 15:53:21 -0700 (PDT)
Received: from hiro.revenant.com by minsky.reactive.com (NX5.67e/NX3.0M) id AA02327; Sat, 11 Apr 98 17:24:23 -0600
Message-Id: <3.0.32.19980411180113.01472288@mail.revenant.com>
X-Sender: jason@mail.revenant.com
X-Mailer: Windows Eudora Pro Version 3.0 Demo (32)
Date: Sat, 11 Apr 1998 18:01:22 -0500
To: firewalls-digest@GreatCircle.COM
From: "Jason L. Asbahr"
Subject: UnLurk
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Greetings,

This is my first post to the Firewalls list. I've been very impressed with the content and professionalism here, a nice change from what's become of the rest of the public Internet. :-)

I'm curious about blocking ping'o'death packets, too, but my question for today regards NT web server security. I'm looking for suggestions (and URLs) for bulletproofing my publicly accessible NT machines. Also, I'm curious if anyone has anything good or bad to say about Ascend's line of firewall products?
Thanks,

Jason Asbahr
jason@revenant.com

From firewalls-owner Sat Apr 11 17:37:53 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id QAA15940; Sat, 11 Apr 1998 16:20:24 -0700 (PDT)
Received: from netcomm.NetComm.IE (whittall.demon.co.uk [194.222.255.208]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id QAA15909 for ; Sat, 11 Apr 1998 16:20:11 -0700 (PDT)
Received: from [129.156.240.33] (kevin-mac [129.156.240.33]) by netcomm.NetComm.IE (8.8.0/8.7) with ESMTP id WAA02252; Sat, 11 Apr 1998 22:55:03 GMT
X-Sender: kevinbr@129.156.240.1
Message-Id:
In-Reply-To: <21D8314B439ED111A4690000F8AE45E5036B6B@slon00302.gb.csfp.csh.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sat, 11 Apr 1998 22:56:46 +0100
To: "Moser, Stefan"
From: Kevin Brown - NetComm
Subject: RE: socks versus fw-1 [Part I/II]
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 17:28 +0100 10/4/98, Moser, Stefan wrote:
>
>What worries me actually more about the Checkpoint approach is that
>you can switch on/off certain often used services like DNS, ICMP
>etc. in the property settings. Confuses the hell out of people
>since it prevents you from having an all-in-one view of your
>security policy. This is really bad and unnecessary. I actually
>confronted a high-level Checkpoint rep in front of a lot of people
>once, but I don't think he got my point. I think best practice is to
>deny everything in the properties and put *everything* into the policy
>proper instead.

Too many cooks spoil the broth. Once where there were several bodies setting the rules, someone allowed in DNS to the inside root with the properties, and the internal fake root dns got wind of the outside, and the outside got wind of the inside. Trash!

I agree, beware of the properties. Bad design, as you might not look at the properties when reading the rules.
Kevin

From firewalls-owner Sat Apr 11 18:07:12 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id QAA13727; Sat, 11 Apr 1998 16:04:19 -0700 (PDT)
Received: from brooks.na-cp.rnp.br (brooks.na-cp.rnp.br [200.136.100.19]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id QAA13687 for ; Sat, 11 Apr 1998 16:04:01 -0700 (PDT)
Received: from brooks (forster@brooks [200.136.100.19]) by brooks.na-cp.rnp.br (8.8.8/8.8.8) with SMTP id UAA12289; Sat, 11 Apr 1998 20:08:07 -0300 (EST)
Date: Sat, 11 Apr 1998 20:08:04 -0300 (EST)
From: Antonio Paulo Salgado Forster
X-Sender: forster@brooks
To: Frank Willoughby
cc: Junwen Lai , firewalls@GreatCircle.COM
Subject: Re: How can I detect packet sniffer
In-Reply-To: <3.0.5.32.19980411172159.00f05dd0@in.net>
Message-ID:
Organization: Rede Nacional de Pesquisa - RNP
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello,

I've heard something on this list sometime ago about an idea of monitoring the systems in the same bus with snmp. The idea was to check if the interface was capturing an amount of packets above the normal amount, but I don't know the details. Maybe the one who had the idea could give an explanation.

Regards,

Antonio Paulo Salgado Forster
Operacoes em Redes - RNP

On Sat, 11 Apr 1998, Frank Willoughby wrote:

> Date: Sat, 11 Apr 1998 17:21:59 -0500
> From: Frank Willoughby
> To: Junwen Lai
> Cc: firewalls@GreatCircle.COM
> Subject: Re: How can I detect packet sniffer
>
> At 04:05 PM 4/11/98 +0800, Junwen Lai allegedly wrote:
>
> > I am a newer to firewalls, but I want to know how I can detect packet
> >sniffer in an Ethernet LAN, thanks all who would reply this letter.
>
> Unless you are on the same system as the sniffer, there is no way to detect
> a NIC card running in promiscuous mode on a LAN.
>
> HTH.
>
> Best Regards,
>
>
> Frank
> The opinions of the author of this mail may not necessarily be
> representative of the opinions of Fortified Networks, Inc.
>
> (c) Fortified Networks, Inc. - http://www.fortified.com/
> Home of the Free Internet Firewall Evaluation Checklist
> Expert (vendor-neutral) Computer and Network Security Solutions
> Phone: (317) 573-0800 Fax: (317) 573-0817
>

From firewalls-owner Sat Apr 11 19:22:24 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id TAA12775; Sat, 11 Apr 1998 19:08:53 -0700 (PDT)
Received: from bast.livingston.com (bast.livingston.com [149.198.247.2]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id TAA12671 for ; Sat, 11 Apr 1998 19:08:30 -0700 (PDT)
Received: from server.livingston.com (server.livingston.com [149.198.1.70]) by bast.livingston.com (8.8.5/8.6.9) with ESMTP id TAA15511 for ; Sat, 11 Apr 1998 19:07:05 -0700 (PDT)
Received: from kc.livingston.com (kc.livingston.com [149.198.32.1]) by server.livingston.com (8.8.5/8.6.9) with SMTP id TAA13209 for ; Sat, 11 Apr 1998 19:14:21 -0700 (PDT)
Received: from localhost by kc.livingston.com (SMI-8.6/SMI-SVR4) id TAA11163; Sat, 11 Apr 1998 19:15:09 -0700
Date: Sat, 11 Apr 1998 19:15:09 -0700 (PDT)
From: Josh Richards
X-Sender: jrichard@kc
To: firewalls@GreatCircle.COM
Subject: Re: DMZ config question
In-Reply-To: <199804091447.KAA06202@mailhub.walrus.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On 9 Apr 1998, Pipeline wrote:

> What is DMZ?

"De-Militarized Zone"

You may want to take a look at the FAQ..

--jr

----
Josh Richards - - [Beta Engineer]
LUCENT Technologies - Remote Access Business Unit
(formerly Livingston Enterprises, Inc.)
http://www.livingston.com/

From firewalls-owner Sat Apr 11 19:37:27 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id TAA15498; Sat, 11 Apr 1998 19:33:39 -0700 (PDT)
Received: from smtp.enteract.com (thor.enteract.com [206.54.252.9]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id TAA15447 for ; Sat, 11 Apr 1998 19:33:25 -0700 (PDT)
Message-Id: <199804120233.TAA15447@honor.greatcircle.com>
Received: (qmail 29092 invoked from network); 12 Apr 1998 02:39:32 -0000
Received: from jimst.sa.enteract.com (HELO penis) (207.229.133.64) by thor.enteract.com with SMTP; 12 Apr 1998 02:39:32 -0000
Reply-To:
From: "James Strompolis"
To: "'Jason L. Asbahr'" ,
Subject: RE: UnLurk
Date: Sat, 11 Apr 1998 21:38:17 -0500
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4
In-Reply-To: <3.0.32.19980411180113.01472288@mail.revenant.com>
Importance: Normal
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

http://www.ntbugtraq.com
http://www.microsoft.com/security
http://www.ntshop.net
http://www.it.kth.se/~rom/ntsec.html
http://www.ntsecurity.com
http://www.ticm.com/about/faqnt.html
http://www.nmrc.org/faqs/nt/index.html
http://www.ntinternals.com

- James Strompolis
Aleph Consultants, Inc.
jimst@enteract.com

>
> I'm curious about blocking ping'o'death packets, too, but my question
> for today regards to NT web server security. I'm looking for
> suggestions (and URLs) for bulletproofing my publically accessible
> NT machines. Also, I'm curious if anyone has anything good or bad to
> say about Ascend's line of firewall products?
>

From firewalls-owner Sat Apr 11 19:52:18 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id TAA13573; Sat, 11 Apr 1998 19:12:27 -0700 (PDT)
Received: from bast.livingston.com (bast.livingston.com [149.198.247.2]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id TAA13494 for ; Sat, 11 Apr 1998 19:12:01 -0700 (PDT)
Received: from server.livingston.com (server.livingston.com [149.198.1.70]) by bast.livingston.com (8.8.5/8.6.9) with ESMTP id TAA15552 for ; Sat, 11 Apr 1998 19:10:38 -0700 (PDT)
Received: from kc.livingston.com (kc.livingston.com [149.198.32.1]) by server.livingston.com (8.8.5/8.6.9) with SMTP id TAA13273 for ; Sat, 11 Apr 1998 19:17:53 -0700 (PDT)
Received: from localhost by kc.livingston.com (SMI-8.6/SMI-SVR4) id TAA11169; Sat, 11 Apr 1998 19:18:41 -0700
Date: Sat, 11 Apr 1998 19:18:41 -0700 (PDT)
From: Josh Richards
X-Sender: jrichard@kc
To: firewalls@GreatCircle.COM
Subject: Re: Livingston's IRX211 firewall router
In-Reply-To: <19980410074739.10935.qmail@cass.research.canon.com.au>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On 10 Apr 1998, Andrew Raphael wrote:

> >Has anyone out there installed the IRX211 firewall router from Livingston .
> >How does the IRX211 compare with Cisco's PIX ?
>
> Yes. I use them as interior choke routers. It's nothing like Cisco's
> PIX because it doesn't do network address translation.

Very soon it will. I promise. :)

--jr

----
Josh Richards - - [Beta Engineer]
LUCENT Technologies - Remote Access Business Unit
(formerly Livingston Enterprises, Inc.)
http://www.livingston.com/

From firewalls-owner Sat Apr 11 20:04:23 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id TAA14145; Sat, 11 Apr 1998 19:17:32 -0700 (PDT)
Received: from bast.livingston.com (bast.livingston.com [149.198.247.2]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id TAA14137 for ; Sat, 11 Apr 1998 19:17:27 -0700 (PDT)
Received: from server.livingston.com (server.livingston.com [149.198.1.70]) by bast.livingston.com (8.8.5/8.6.9) with ESMTP id TAA15573 for ; Sat, 11 Apr 1998 19:16:03 -0700 (PDT)
Received: from kc.livingston.com (kc.livingston.com [149.198.32.1]) by server.livingston.com (8.8.5/8.6.9) with SMTP id TAA13353 for ; Sat, 11 Apr 1998 19:23:18 -0700 (PDT)
Received: from localhost by kc.livingston.com (SMI-8.6/SMI-SVR4) id TAA11211; Sat, 11 Apr 1998 19:24:07 -0700
Date: Sat, 11 Apr 1998 19:24:06 -0700 (PDT)
From: Josh Richards
X-Sender: jrichard@kc
To: firewalls@GreatCircle.COM
Subject: Re: Questions about ICMP
In-Reply-To: <199804111257.OAA15297@kobold.rby.hk-r.se>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On 11 Apr 1998, Magnus Timmerby wrote:

> > Has anyone seen someone try to tunnel (or attempted to do so) IP over
> > ICMP before?
>
> It is certainly possible and has been done. I don't remember any
> references though, sorry.

Look in one of the last 3-4 issues of Phrack . There is a server/client combo for Solaris that allows a shell session via ICMP packets.

--jr

----
Josh Richards - - [Beta Engineer]
LUCENT Technologies - Remote Access Business Unit
(formerly Livingston Enterprises, Inc.)
http://www.livingston.com/

From firewalls-owner Sat Apr 11 20:51:01 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id TAA13370; Sat, 11 Apr 1998 19:11:30 -0700 (PDT)
Received: from bast.livingston.com (bast.livingston.com [149.198.247.2]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id TAA13239 for ; Sat, 11 Apr 1998 19:10:50 -0700 (PDT)
Received: from server.livingston.com (server.livingston.com [149.198.1.70]) by bast.livingston.com (8.8.5/8.6.9) with ESMTP id TAA15531 for ; Sat, 11 Apr 1998 19:09:26 -0700 (PDT)
Received: from kc.livingston.com (kc.livingston.com [149.198.32.1]) by server.livingston.com (8.8.5/8.6.9) with SMTP id TAA13252 for ; Sat, 11 Apr 1998 19:16:41 -0700 (PDT)
Received: from localhost by kc.livingston.com (SMI-8.6/SMI-SVR4) id TAA11166; Sat, 11 Apr 1998 19:17:29 -0700
Date: Sat, 11 Apr 1998 19:17:29 -0700 (PDT)
From: Josh Richards
X-Sender: jrichard@kc
To: firewalls@GreatCircle.COM
Subject: Re: Hacked hosts in a DMZ on a switch
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On 11 Apr 1998, Michael Conlen wrote:

> If a host in a DMZ is hacked and the host is connected to a switch,
> wouldn't it be possible to forge ARP packets which supply the MAC address
> of
>
> FF:FF:FF:FF:FF:FF
>
> and start the sniffer up?

Yes. Just because you have a switched Ethernet in place, does not mean you can't sniff packets destined for other hosts. You need a router in the middle to really separate the two distinct data paths.

--jr

----
Josh Richards - - [Beta Engineer]
LUCENT Technologies - Remote Access Business Unit
(formerly Livingston Enterprises, Inc.)
http://www.livingston.com/

From firewalls-owner Sat Apr 11 22:37:19 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id WAA13555; Sat, 11 Apr 1998 22:34:51 -0700 (PDT)
Received: from sparc.isl.net (sparc.isl.net [199.3.25.3]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id WAA13548 for ; Sat, 11 Apr 1998 22:34:40 -0700 (PDT)
From: admin8@mauimail.com
Received: from 199.3.25.3 (206-18-112-60.la.inreach.net [206.18.112.60]) by sparc.isl.net (8.8.5/8.8.5) with SMTP id AAA10300; Sun, 12 Apr 1998 00:39:56 -0500 (CDT)
Posted-Date: Sun, 12 Apr 1998 00:39:56 -0500 (CDT)
Message-Id: <199804120539.AAA10300@sparc.isl.net>
Date: Sat, 11 Apr 98 22:32:43 EST
To: Friend@public.com
Subject: Registered mail
Reply-To: recepient@domain.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

You just stumbled upon something big !

Pt or FT ! No competition ! No selling ! Not MLM !
$1 - $5,000 per week from home, within 30 days !
Daily conference calls ! Complete training and support ! Leads available !

Dear Friend,

If you're tired of the hype, then read on. Everyone wants more and we have the system that can get it. Over 20,000 doctors, lawyers, CPA's and business people, last year alone, started using our system to create wealth in their spare time. Many are making in excess of $50,000 per month. Speak to them yourself !

" I'm a chiropractor in Hawaii and use this system in my spare time to consistently make over $4,000 per week ! " Michael F. Makawao, HI

" I'm a single nurse and mom with 5 kids, have been using the system for 18 months, and last year alone, earned $400,000 ! " Melissa F., Parkersburg, IA

" I was a practicing priest for many years, retired and started using this system. Last week I earned $33,000 and bought my wife a new van - CASH " Jim P., Port Angeles, WA

These people were taught how to turn a one time investment into big money ! Is the timing right for you ? Find out on our discovery call.
Risk free and pressure free ! We guarantee it ! 888 354 3187

To have your name removed from our list, send an email with remove in subject to admin2000@postmaster.co.uk. We filter against all universal remove lists.

From firewalls-owner Sun Apr 12 01:52:24 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id BAA00639; Sun, 12 Apr 1998 01:41:16 -0700 (PDT)
Received: from brussels.cisco.com (brussels.cisco.com [171.68.129.238]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id BAA00630 for ; Sun, 12 Apr 1998 01:40:54 -0700 (PDT)
Received: from evyncke-pc.cisco.com (evyncke-isdn-home.cisco.com [171.68.148.198]) by brussels.cisco.com (8.8.5/8.8.5) with SMTP id KAA22748; Sun, 12 Apr 1998 10:42:21 +0200 (METDST)
Message-Id: <3.0.5.32.19980412103358.008cc400@brussels.cisco.com>
X-Sender: evyncke@brussels.cisco.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32)
Date: Sun, 12 Apr 1998 10:33:58 +0200
To: Michael Conlen , "William L. Hamlin"
From: Eric Vyncke
Subject: Re: Questions about ICMP
Cc: Yury German , "McMaster, Rick" , firewalls
In-Reply-To:
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 02:51 11/04/98 -0400, Michael Conlen wrote:
......
>
> Has anyone seen someone try to tunnel (or attempted to do so) IP over
> ICMP before?
>

You can tunnel IP on the top of ICMP, DNS requests/replies, HTTP, ... But to do that you obviously need a `bad guy' on the trusted part of your network... `Java applet', did I hear ?
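An added example by the editor (not Eric Vyncke's or Cisco's code) of one check a firewall administrator can run on echo traffic when IP-over-ICMP tunnelling is the worry. It parses the ICMP echo header, verifies the one's-complement checksum, and reports an echo whose payload is itself a well-formed IPv4 datagram (valid header checksum, total length equal to the payload length) or whose payload is larger than a plain ping would carry. The packets are constructed inline and the function names are the editor's; the 64-byte "normal" threshold is an assumption you would tune to what your own ping clients send.

```python
import struct


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum as used by IP and ICMP.  Returns 0 when run over
    a packet whose checksum field is already filled in correctly."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(ident: int, seq: int, payload: bytes, icmp_type: int = 8) -> bytes:
    # ICMP header: type, code, checksum, identifier, sequence number.
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = ones_complement_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_echo(pkt: bytes):
    """Return a dict for an echo request/reply, None for other ICMP types,
    and raise ValueError for a truncated or corrupted packet."""
    if len(pkt) < 8:
        raise ValueError("ICMP packet shorter than its header")
    if ones_complement_checksum(pkt) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    if icmp_type not in (0, 8) or code != 0:
        return None
    return {"type": icmp_type, "id": ident, "seq": seq, "payload": pkt[8:]}


def looks_like_ipv4(payload: bytes) -> bool:
    """True when the echo payload is a complete IPv4 datagram: version 4,
    sane header length, total length matching, valid header checksum."""
    if len(payload) < 20:
        return False
    version, ihl = payload[0] >> 4, (payload[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or ihl > len(payload):
        return False
    total_len = struct.unpack("!H", payload[2:4])[0]
    if total_len != len(payload):
        return False
    return ones_complement_checksum(payload[:ihl]) == 0


def classify_echo(pkt: bytes, max_normal_payload: int = 64) -> str:
    echo = parse_echo(pkt)
    if echo is None:
        return "not-echo"
    if looks_like_ipv4(echo["payload"]):
        return "ip-in-icmp"
    if len(echo["payload"]) > max_normal_payload:
        return "oversized"
    return "normal"


def make_ipv4_header(src, dst, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    fmt = "!BBHHHBBH4s4s"
    hdr = struct.pack(fmt, 0x45, 0, 20 + payload_len, 0x4242, 0, ttl, proto, 0, bytes(src), bytes(dst))
    csum = ones_complement_checksum(hdr)
    return struct.pack(fmt, 0x45, 0, 20 + payload_len, 0x4242, 0, ttl, proto, csum, bytes(src), bytes(dst))


# Constructed sample 1: a ping-like echo, 8-byte timestamp plus a 48-byte fill.
PING = build_echo(0x1234, 1, struct.pack("!Q", 0x12345678) + bytes(range(0x10, 0x40)))

# Constructed sample 2: a TCP SYN to port 22 wrapped in an IPv4 header and
# carried as the data of an echo request, i.e. IP tunnelled over ICMP.
INNER_TCP = struct.pack("!HHIIBBHHH", 40000, 22, 1, 0, 0x50, 0x02, 8192, 0, 0)
TUNNEL = build_echo(0xBEEF, 7, make_ipv4_header((10, 0, 0, 5), (192, 168, 1, 9), 6, len(INNER_TCP)) + INNER_TCP)

if __name__ == "__main__":
    for name, pkt in (("ping", PING), ("tunnel", TUNNEL), ("big", build_echo(1, 1, b"\x00" * 1000))):
        print(name, classify_echo(pkt))
```

The structural test catches the naive encapsulation the thread describes; a tunnel that encrypts or splits its payload will only show up under the size or rate heuristics, so treat `ip-in-icmp` as a high-confidence hit and `oversized` as something to look at.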
Best regards

-eric

Eric Vyncke
Technical Consultant
Cisco Systems Belgium SA/NV
Phone: +32-2-778.4677
Fax: +32-2-778.4300
E-mail: evyncke@cisco.com
Mobile: +32-75-312.458

From firewalls-owner Sun Apr 12 02:07:20 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id BAA00621; Sun, 12 Apr 1998 01:40:34 -0700 (PDT)
Received: from brussels.cisco.com (brussels.cisco.com [171.68.129.238]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id BAA00609 for ; Sun, 12 Apr 1998 01:39:45 -0700 (PDT)
Received: from evyncke-pc.cisco.com (evyncke-isdn-home.cisco.com [171.68.148.198]) by brussels.cisco.com (8.8.5/8.8.5) with SMTP id KAA22751; Sun, 12 Apr 1998 10:42:23 +0200 (METDST)
Message-Id: <3.0.5.32.19980412103849.008c9eb0@brussels.cisco.com>
X-Sender: evyncke@brussels.cisco.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32)
Date: Sun, 12 Apr 1998 10:38:49 +0200
To: Josh Richards , firewalls@GreatCircle.COM
From: Eric Vyncke
Subject: Re: Hacked hosts in a DMZ on a switch
In-Reply-To:
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 19:17 11/04/98 -0700, Josh Richards wrote:
......
> Yes. Just because you have a switched Ethernet in place, does not mean
> you can't sniff packets destined for other hosts. You need a router in
> the middle to really separate the two distinct data paths.

My further comments are slightly off topic now.

Or, if you trust the switch vendor's implementation, you can logically split the switch box into two layer-two LANs (what is called VLANs). These VLANs could be totally separated, i.e. without any router between them.

Anyway, with a switch you can normally fairly assume that it is nearly impossible to sniff: each port receives only the MAC traffic for its own MAC address + broadcast + possibly multicast.
-eric

>
> --jr
>
> ----
> Josh Richards - - [Beta Engineer]
> LUCENT Technologies - Remote Access Business Unit
> (formerly Livingston Enterprises, Inc.)
> http://www.livingston.com/
>

Eric Vyncke
Technical Consultant
Cisco Systems Belgium SA/NV
Phone: +32-2-778.4677
Fax: +32-2-778.4300
E-mail: evyncke@cisco.com
Mobile: +32-75-312.458

From firewalls-owner Sun Apr 12 02:24:38 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id BAA00573; Sun, 12 Apr 1998 01:37:25 -0700 (PDT)
Received: from brussels.cisco.com (brussels.cisco.com [171.68.129.238]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id BAA00541 for ; Sun, 12 Apr 1998 01:37:00 -0700 (PDT)
Received: from evyncke-pc.cisco.com (evyncke-isdn-home.cisco.com [171.68.148.198]) by brussels.cisco.com (8.8.5/8.8.5) with SMTP id KAA22745; Sun, 12 Apr 1998 10:42:19 +0200 (METDST)
Message-Id: <3.0.5.32.19980412103132.00824ca0@brussels.cisco.com>
X-Sender: evyncke@brussels.cisco.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32)
Date: Sun, 12 Apr 1998 10:31:32 +0200
To: Michael Conlen , firewalls@GreatCircle.COM
From: Eric Vyncke
Subject: Re: Hacked hosts in a DMZ on a switch
In-Reply-To:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 03:16 11/04/98 -0400, Michael Conlen wrote:
> If a host in a DMZ is hacked and the host is connected to a switch,
> wouldn't it be possible to forge ARP packets which supply the MAC address
> of
>
> FF:FF:FF:FF:FF:FF
>
> and start the sniffer up?

If you respond fast enough to the ARP request, the answer is yes... (NB some ARP requestors may complain about this, and other hosts will perhaps send you ICMP redirects as well).

Now, if you spend money to put a switch in your DMZ, you should also use static ARP tables for all your DMZ hosts.
Then these hosts do not rely anymore on the ARP protocol and thus your attack will be useless ;-)

Of course, you should also secure your switch (one-time password, management via console, ...) and also fix the MAC address/port table of your switch. And also, use a dedicated switch for your DMZ (do not use a VLAN of a shared switch -- just to be paranoid).

Just my 0,01 EUR

-eric

> Groove on
> Michael Conlen
> meconlen@intnet.com
>
> Yesterday it worked
> Today it is not working
> Windows is like that
>

Eric Vyncke
Technical Consultant
Cisco Systems Belgium SA/NV
Phone: +32-2-778.4677
Fax: +32-2-778.4300
E-mail: evyncke@cisco.com
Mobile: +32-75-312.458

From firewalls-owner Sun Apr 12 02:37:19 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id BAA00574; Sun, 12 Apr 1998 01:37:27 -0700 (PDT)
Received: from softworx.netvision.net.il (softworx.NetVision.net.il [194.90.1.40]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id BAA00536 for ; Sun, 12 Apr 1998 01:36:48 -0700 (PDT)
Received: (qmail 7942 invoked by uid 1000); 12 Apr 1998 08:42:33 -0000
Message-ID: <19980412084233.7940.qmail@softworx.netvision.net.il>
X-Mailer: exmh version 2.0.1 12/23/97
To: Frank Willoughby
Cc: firewalls@GreatCircle.com
From: Steve Birnbaum
Subject: Re: socks versus fw-1 [Part IIb/II]
In-Reply-To: Your message of "Sat, 11 Apr 1998 06:36:12 CDT." <3.0.5.32.19980411063612.01097140@in.net>
Mime-Version: 1.0
Content-Type: multipart/signed; boundary="==_Exmh_-179040288P"; micalg=pgp-md5; protocol="application/pgp-signature"
Content-Transfer-Encoding: 7bit
Date: Sun, 12 Apr 1998 11:42:33 +0300
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

--==_Exmh_-179040288P
Content-Type: text/plain; charset=us-ascii

frankw@in.net said:
> I do. Without exception, *none* of the companies I talked to (who had
> the Firewall-1), were aware of the SNMP problem until I told them.
I believe that Checkpoint's policy of dealing with VARs only is what led them to refuse to send out a vendor notice directly to all their customers. It was requested, but denied.

VARs receive release notes with every patch, and in addition I believe that all VARs in this case received a copy of Checkpoint's official response to the SNI advisory which was posted to Checkpoint's web site.

At least the advisory prompted Checkpoint to make the non-DES versions of the patch available to the public, not requiring them to go through their VAR to get it as must be done for all other patches.

I still fail to see why SNMP is required for the administration of the firewall. There is a management protocol - why can't things like the configuration of the NICs be transferred that way? When using FW1 with a DES or FWZ1 license, this data is encrypted. Even without the license, at least it is a proprietary TCP protocol, not UDP.

Steve

--
sbirn@security.org.il (PGP key available)
Fight Internet Spam! http://www.vix.com/spam/
Disclaimer: My opinions only.
--==_Exmh_-179040288P
Content-Type: application/pgp-signature

-----BEGIN PGP MESSAGE-----
Version: 2.6.3ia

iQEVAwUBNTB+dgNowu66bCy5AQGxOAf/dULbXb+O7r2dYv/Mo5B9A6+K8Zha34eJ
KkliN4j8gUzciMU2+qGO1shi696Gc4+jxqhV8fwfBarqv4bB9lVCBgE41cegVgFe
LMH0ODfzd2J4sx5AKGr5LtZXf6qbDgfpULwRujjR/jvKAQeZEYFiDUL15eJRixkY
dOdrNgL24OTQggkd5usvo1Kq1z7ltaTSVRAgQhApvWBOij2VbbYuSx5Xh67l7W28
1HgxA7orka2n1n8iZ2WEdvQ09XPQcfhqreNxqGUheX5kR5tkdZRFWvWAJVNPZxGb
fiYjiGoNqg//ZYZAXK3M6TuKdYwFfBCICojNbSmV2lztMVFnu7sSOg==
=mLwn
-----END PGP MESSAGE-----

--==_Exmh_-179040288P--

From firewalls-owner Sun Apr 12 05:07:24 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA24262; Sun, 12 Apr 1998 05:00:42 -0700 (PDT)
Received: from imo22.mx.aol.com (imo22.mx.aol.com [198.81.17.66]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id FAA24234 for ; Sun, 12 Apr 1998 05:00:30 -0700 (PDT)
Received: from LocaMaria@aol.com by imo22.mx.aol.com (IMOv13.ems) id LUYa002091; Sun, 12 Apr 1998 07:34:53 -0500 (EDT)
From: LocaMaria
Message-ID: <68ea264e.3530a6df@aol.com>
Date: Sun, 12 Apr 1998 07:34:53 EDT
Mime-Version: 1.0
Subject: You've won $50,000
Content-type: multipart/mixed; boundary="part0_892380893_boundary"
X-Mailer: AOL 2.5 for Windows sub 2
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This is a multi-part message in MIME format.
--part0_892380893_boundary
Content-ID: <0_892380893@inet_out.mail.aol.com.1>
Content-type: text/plain; charset=US-ASCII

--part0_892380893_boundary
Content-ID: <0_892380893@inet_out.mail.aol.com.2>
Content-type: message/rfc822
Content-transfer-encoding: 7bit
Content-disposition: inline

From: LocaMaria
Return-path:
To: LocaMaria@aol.com
Subject: You've won $50,000
Date: Sun, 12 Apr 1998 07:31:15 EDT
Organization: AOL (http://www.aol.com)
Mime-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7bit

Click Here To Get Your Money

--part0_892380893_boundary--

From firewalls-owner Sun Apr 12 09:22:48 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA16274; Sun, 12 Apr 1998 09:20:22 -0700 (PDT)
Received: from silence.secnet.com (adsl121ip160.cadvision.com [207.228.121.160]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id JAA16266 for ; Sun, 12 Apr 1998 09:20:12 -0700 (PDT)
Received: from localhost (huger@localhost) by silence.secnet.com (8.8.5/secnet) with SMTP id KAA21423; Sun, 12 Apr 1998 10:52:34 -0600 (MDT)
Date: Sun, 12 Apr 1998 10:52:34 -0600 (MDT)
From: Alfred Huger
To: Takacs Istvan
cc: "'firewalls@greatcircle.com'"
Subject: Re: SATAN for NT
In-Reply-To: <01BD64D2.DC3C48D0.anonymus@mail.matav.hu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> www.balista.com

Actually, the Ballista Security Auditing System lives at http://www.secnet.com.
From firewalls-owner Sun Apr 12 17:10:32 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id QAA02622; Sun, 12 Apr 1998 16:59:06 -0700 (PDT)
Received: from bolero.rahul.net (bolero.rahul.net [192.160.13.1]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id QAA02613 for ; Sun, 12 Apr 1998 16:59:00 -0700 (PDT)
Received: by bolero.rahul.net id AA08107 (5.67b8/IDA-1.5 for Firewalls@GreatCircle.COM); Sun, 12 Apr 1998 17:05:15 -0700
From: Sukan Makmuri
Message-Id: <199804130005.AA08107@bolero.rahul.net>
Subject: Re: Chaneg my email address
To: Firewalls@GreatCircle.COM
Date: Sun, 12 Apr 1998 17:05:14 -0700 (PDT)
In-Reply-To: <199804120800.BAA28457@honor.greatcircle.com> from "Firewalls-Digest" at Apr 12, 98 01:00:59 am
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Please change my listed email from sukan@rahul.net to sukan@alumni.stanford.org. The former will start bouncing email soon.

Thanks,
Sukan

From firewalls-owner Mon Apr 13 00:09:20 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA21094; Sun, 12 Apr 1998 23:51:52 -0700 (PDT)
Received: from jackal.intekom.co.za (mail.intekom.co.za [196.25.69.21]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id XAA21059 for ; Sun, 12 Apr 1998 23:51:32 -0700 (PDT)
From: admin8@mauimail.com
Message-Id: <199804130651.XAA21059@honor.greatcircle.com>
Received: from intekom.co.za ([196.25.69.2]) by jackal.intekom.co.za (Post.Office MTA Undefined release Undefined ID# 0-45367U10000L10000S0) with SMTP id ABY12322; Mon, 13 Apr 1998 08:12:08 +0200
Date: Sun, 12 Apr 98 22:26:03 EST
To: Friend@public.com
Subject: Registered mail
Reply-To: recepient@domain.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

You just stumbled upon something big ! Pt or FT ! No competition ! No selling ! Not MLM !
$1 - $5,000 per week from home, within 30 days ! Daily conference calls ! Complete training and support ! Leads available !

Dear Friend,

If you're tired of the hype, then read on. Everyone wants more and we have the system that can get it. Over 20,000 doctors, lawyers, CPA's and business people, last year alone, started using our system to create wealth in their spare time. Many are making in excess of $50,000 per month. Speak to them yourself !

"I'm a chiropractor in Hawaii and use this system in my spare time to consistently make over $4,000 per week !" Michael F. Makawao, HI

"I'm a single nurse and mom with 5 kids, have been using the system for 18 months, and last year alone, earned $400,000 !" Melissa F., Parkersburg, IA

"I was a practicing priest for many years, retired and started using this system. Last week I earned $33,000 and bought my wife a new van - CASH" Jim P., Port Angeles, WA

These people were taught how to turn a one time investment into big money ! Is the timing right for you ? Find out on our discovery call.

Risk free and pressure free ! We guarantee it ! 888 354 3187 Out of the U.S. 1619 678 4228 ext. 6093

To have your name removed from our list, send an email with remove in subject to admin2000@postmaster.co.uk. We filter against all universal remove lists.
From firewalls-owner Mon Apr 13 06:08:15 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA20128; Mon, 13 Apr 1998 06:02:40 -0700 (PDT)
Received: from mail.state.fl.us (mail.state.fl.us [204.90.27.7]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id GAA20112 for ; Mon, 13 Apr 1998 06:02:32 -0700 (PDT)
Received: from booksr [199.250.24.56] by mail.state.fl.us with smtp (Exim 1.73 #2) id 0yOiyi-0007X3-00; Mon, 13 Apr 1998 09:08:52 -0400
Date: Mon, 13 Apr 1998 09:03:43 -0400 (EDT)
From: Roger Books
Reply-To: Roger Books
Subject: Re: How can I detect packet sniffer
To: firewalls@GreatCircle.COM
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Well, there was a claim on comp.security.unix that a sniffer could be detected via the following procedure (note timings are VERY important). This assumes you are running your sniffer on a machine that will reply back, i.e., a unix, nt, etc etc box.

Get a good average ping time to a machine when the net was lightly loaded. You are trying to get the latency.

Generate a large amount of traffic to a non-existent address on the local net and, while doing this, again measure the latency.

If the latency is close to the original then the machine is not sniffing. If the latency goes up significantly then the machine is having to process packets the ethernet card should not be sending on, meaning the ethernet card is in promiscuous mode.

Now, I'm not really sure I buy this, but the author claimed it would work. I'd have to see it myself.
Roger

From firewalls-owner Mon Apr 13 07:38:16 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA00233; Mon, 13 Apr 1998 07:22:41 -0700 (PDT)
Received: from guttenberg.correionet.com.br (guttenberg.correionet.com.br [200.246.35.8]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id HAA00187 for ; Mon, 13 Apr 1998 07:22:28 -0700 (PDT)
Received: from guttenberg.correionet.com.br (guttenberg.correionet.com.br [200.246.35.8]) by guttenberg.correionet.com.br (8.8.7/8.8.7) with SMTP id LAA27754; Mon, 13 Apr 1998 11:24:07 -0300 (EST)
Date: Mon, 13 Apr 1998 11:24:07 -0300 (EST)
From: Bill Coutinho
X-Sender: bill@guttenberg.correionet.com.br
To: Josh Richards
cc: firewalls@GreatCircle.COM
Subject: Re: Livingston's IRX211 firewall router
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Sat, 11 Apr 1998, Josh Richards wrote:

> Very soon it will. I promise. :)

How soon? Will I be able to upgrade my IRX? How much??

--
Regards,
Bill.
_________________________________________________________________
B i l l C o u t i n h o -- coutinho@dextra.com.br
PGP Public Key at: http://www.correionet.com.br/~bill/pgpkey.asc

From firewalls-owner Mon Apr 13 09:09:58 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA11429; Mon, 13 Apr 1998 08:54:24 -0700 (PDT)
Received: from siu.buap.mx ([148.228.1.1]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id IAA11405 for ; Mon, 13 Apr 1998 08:53:57 -0700 (PDT)
Received: from localhost (ydomingo@localhost) by siu.buap.mx (8.8.5/8.8.5) with SMTP id FAA03096; Mon, 13 Apr 1998 05:01:45 -0500
Date: Mon, 13 Apr 1998 05:01:45 -0500 (CDT)
From: DOMINGO VARELA YAHUITL
To: "Renard, Kenneth"
cc: firewalls@GreatCircle.COM, "Paul D. Robertson" , Vin McLellan , Jesse Brown
Subject: about of e-mail in the firewall
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi all,

I hope you can help me, please. I have a firewall installed and also have an inet on my firewall; this runs very well. But I also have a Macintosh PC, and my problem is that I cannot read my e-mail through the firewall. I have already configured my Netscape and still cannot get my e-mail. Can someone help me configure my firewall or my Netscape so that I can read my e-mail through my Mac?

I hope for your answers... Thank you very much,

Domingo.-

From firewalls-owner Mon Apr 13 09:22:44 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA11388; Mon, 13 Apr 1998 08:52:50 -0700 (PDT)
Received: from su1.in.net (su1.in.net [199.0.62.2]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id IAA11366 for ; Mon, 13 Apr 1998 08:52:42 -0700 (PDT)
Received: from frankw.in.net (pm2-07.in.net [205.160.202.71]) by su1.in.net (8.8.8/8.6.9) with SMTP id OAA26488; Mon, 13 Apr 1998 14:59:40 GMT
Message-Id: <3.0.5.32.19980413105727.00ba6340@in.net>
X-Sender: frankw@in.net
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32)
Date: Mon, 13 Apr 1998 10:57:27 -0500
To: Steve Birnbaum
From: Frank Willoughby
Subject: Re: socks versus fw-1 [Part IIb/II]
Cc: firewalls@GreatCircle.com
In-Reply-To: <19980412084233.7940.qmail@softworx.netvision.net.il>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 11:42 AM 4/12/98 +0300, Steve Birnbaum allegedly wrote:
> frankw@in.net said:
>> I do. Without exception, *none* of the companies I talked to (who had
>> the Firewall-1), were aware of the SNMP problem until I told them.
>
> I believe that Checkpoint's policy of dealing with VARs only is what
> led them to refuse to send out a vendor notice directly to all
> their customers. It was requested, but denied.

This puts the customer at the mercy of the VAR. On this alone, I would drop the vendor like a hot potato.

SNAFUs happen, people get sick or go on vacation. Security is too important for this type of info to be disclosed to a VAR only (or locally handled). Further, this type of approach puts their customers at risk.

From what I can remember of the other vendors I have researched, none of the serious vendors take the approach of letting the VAR (only) inform the customer of vulnerabilities. Many will inform the customer - even if they no longer have a maintenance contract - simply because they feel they have an obligation to help the customer avoid security problems.

I can't fathom why Checkpoint chose the approach of informing VARs only. I think it is irresponsible and shows surprisingly little security acumen.

> VARs receive release notes with every patch, and in addition I believe
> that all VARs in this case received a copy of Checkpoint's official
> response to the SNI advisory which was posted to Checkpoint's web site.

So every customer needs to visit Checkpoint's web site. IF they are lucky AND Checkpoint has decided to make an exception to post an advisory on their home page, THEN they might find something useful. Otherwise, they are out of luck.

IMO, any notifications should come from the vendor and require no actions from the customer to be notified (other than filling out the registration card for their product).

> At least the advisory prompted Checkpoint to make the non-DES versions
> of the patch available to the public, not requiring them to go through
> their VAR to get it as must be done for all other patches.

While customers using DES versions weren't informed.

> I still fail to see why SNMP is required for the administration of
> the firewall.
> There is a management protocol - why can't things like
> the configuration of the NICs be transferred that way? When using FW1 with
> a DES or FWZ1 license, this data is encrypted. Even without the license,
> at least it is a proprietary TCP protocol, not UDP.

You mentioned two points in the above paragraph & the common denominator is proprietary. Proprietary encryption is very bad news as I've indicated in my previous mail. Proprietary TCP protocols are as well. Hopefully, they aren't relying on this for security.

Best Regards,

Frank

The opinions of the author of this mail may not necessarily be representative of the opinions of Fortified Networks, Inc.
(c) Fortified Networks, Inc. - http://www.fortified.com/
Home of the Free Internet Firewall Evaluation Checklist
Expert (vendor-neutral) Computer and Network Security Solutions
Phone: (317) 573-0800 Fax: (317) 573-0817

From firewalls-owner Mon Apr 13 10:08:37 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA16398; Mon, 13 Apr 1998 09:51:18 -0700 (PDT)
Received: from softworx.netvision.net.il (softworx.NetVision.net.il [194.90.1.40]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id JAA16380 for ; Mon, 13 Apr 1998 09:51:08 -0700 (PDT)
Received: (qmail 18831 invoked by uid 1000); 13 Apr 1998 16:57:28 -0000
Message-ID: <19980413165728.18829.qmail@softworx.netvision.net.il>
To: Frank Willoughby
cc: firewalls@GreatCircle.com
From: Steve Birnbaum
Subject: Re: socks versus fw-1 [Part IIb/II]
In-reply-to: Your message of "Mon, 13 Apr 1998 10:57:27 CDT." <3.0.5.32.19980413105727.00ba6340@in.net>
Date: Mon, 13 Apr 1998 19:57:28 +0300
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> SNAFUs happen, people get sick or go on vacation. Security is too
> important for this type of info to be disclosed to a VAR only (or locally
> handled). Further, this type of approach puts their customers at risk.

You have no need to try to convince me.
I think I've more than proven that that is my belief as well.

> While customers using DES versions weren't informed.

No. Only VARs were directly informed as far as I know. It means that DES owners had to contact their VAR to obtain the patch while FWZ1 or non-VPN owners could download and install the patch themselves.

> You mentioned two points in the above paragraph & the common denominator
> is proprietary. Proprietary encryption is very bad news as I've indicated
> in my previous mail. Proprietary TCP protocols are as well. Hopefully,

Agreed. However, my use of "at least" is a big qualifier. I believe that you'll agree that even with all the faults of proprietary protocols of any type, anything is better than a UDP protocol with known adverse security implications. If the whole point is to convey to the management stations the information obtained by the unix command "ifconfig -a", I still question the need to use SNMP for this. I can understand that some large corporations want to see ALL their resources on an HP OpenView map, but I still believe that the default should be off.

btw, I was looking over the NSA review and tucked away into the SNMP section (how did they not have enough resources to fully check SNMP???) there is a recommendation to remove the "enable fw1 control connections" option.

Steve

---
sbirn@security.org.il (PGP key available)
Fight Internet Spam! http://www.vix.com/spam/
Disclaimer: My opinions only.
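A check that goes with the point in this thread about SNMP being an unauthenticated UDP service on the firewall: an added example by the editor (not Check Point's, SNI's or any poster's code) that hand-builds an SNMPv1 GetRequest for sysDescr.0 in BER and parses the GetResponse, so you can ask each firewall interface from outside whether it answers for a given community string. The names `build_get_request`, `parse_snmp_response` and `probe_snmp` and the sample response are assumptions for the example. Note the caveat in `probe_snmp`: an SNMPv1 agent drops a request with the wrong community silently, so no answer is not proof that SNMP is off.

```python
import socket

# Minimal BER encoder for the SNMPv1 message structure (RFC 1157).


def _ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(body)) + body


def ber_int(v: int) -> bytes:
    # Non-negative integers only; the extra byte keeps the sign bit clear.
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big"))


def ber_oid(oid: str) -> bytes:
    parts = [int(p) for p in oid.split(".")]
    body = bytearray([40 * parts[0] + parts[1]])
    for sub in parts[2:]:                 # base-128, high bit = continuation
        chunk = [sub & 0x7F]
        sub >>= 7
        while sub:
            chunk.append(0x80 | (sub & 0x7F))
            sub >>= 7
        body.extend(reversed(chunk))
    return tlv(0x06, bytes(body))


def build_snmp_message(pdu_tag: int, community: str, oid: str, request_id: int,
                       value: bytes = None, error_status: int = 0) -> bytes:
    value_tlv = value if value is not None else tlv(0x05, b"")   # NULL in a request
    varbinds = tlv(0x30, tlv(0x30, ber_oid(oid) + value_tlv))
    pdu = tlv(pdu_tag, ber_int(request_id) + ber_int(error_status) + ber_int(0) + varbinds)
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)   # version 0 = SNMPv1


def build_get_request(community: str, oid: str, request_id: int = 1) -> bytes:
    return build_snmp_message(0xA0, community, oid, request_id)


def _read_tlv(data: bytes, pos: int):
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length


def _decode_oid(body: bytes) -> str:
    parts, sub = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        sub = (sub << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(sub)
            sub = 0
    return ".".join(map(str, parts))


def parse_snmp_response(data: bytes) -> dict:
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, version, pos = _read_tlv(msg, 0)
    _, community, pos = _read_tlv(msg, pos)
    pdu_tag, pdu, _ = _read_tlv(msg, pos)
    if pdu_tag != 0xA2:
        raise ValueError("not a GetResponse PDU (tag 0x%02x)" % pdu_tag)
    _, req_id, pos = _read_tlv(pdu, 0)
    _, err_status, pos = _read_tlv(pdu, pos)
    _, _err_index, pos = _read_tlv(pdu, pos)
    _, varbinds, _ = _read_tlv(pdu, pos)
    result, pos = [], 0
    while pos < len(varbinds):
        _, vb, pos = _read_tlv(varbinds, pos)
        _, oid_body, p = _read_tlv(vb, 0)
        vtag, vbody, _ = _read_tlv(vb, p)
        if vtag == 0x04:
            value = vbody.decode("latin-1")
        elif vtag == 0x02:
            value = int.from_bytes(vbody, "big", signed=True)
        else:
            value = vbody
        result.append((_decode_oid(oid_body), value))
    return {"version": int.from_bytes(version, "big"), "community": community.decode("latin-1"),
            "request_id": int.from_bytes(req_id, "big"),
            "error_status": int.from_bytes(err_status, "big"), "varbinds": result}


SYS_DESCR = "1.3.6.1.2.1.1.1.0"


def probe_snmp(host: str, community: str = "public", timeout: float = 2.0, port: int = 161):
    """Send one GetRequest and return the parsed reply, or None on silence.
    An SNMPv1 agent drops requests with a wrong community without answering,
    so None means 'no agent or community rejected', not 'safe'."""
    request = build_get_request(community, SYS_DESCR, request_id=0x1234)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_snmp_response(data)


# Constructed sample of what an answering agent would send back (not a real capture).
SAMPLE_RESPONSE = build_snmp_message(0xA2, "public", SYS_DESCR, 0x1234,
                                     value=tlv(0x04, b"Linux fw1 2.0.33"))
```

Point `probe_snmp` at every address the firewall holds, from both sides, with "public" and with your real community; any reply on the outside interface is exactly the exposure the thread is complaining about.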
From firewalls-owner Mon Apr 13 11:44:56 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA00388; Mon, 13 Apr 1998 11:17:11 -0700 (PDT)
Received: from nova.unix.portal.com ([156.151.1.101]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id LAA00379 for ; Mon, 13 Apr 1998 11:17:05 -0700 (PDT)
Received: from venus.corp.portal.com (venus.corp.portal.com [156.151.1.110]) by nova.unix.portal.com (8.8.5/8.8.5) with ESMTP id LAA01776 for ; Mon, 13 Apr 1998 11:23:36 -0700 (PDT)
Received: by venus.corp.portal.com with Internet Mail Service (5.5.1960.3) id ; Mon, 13 Apr 1998 11:23:27 -0700
Message-ID: <188D20A88142D11190E900A0C906BBD3A99079@venus.corp.portal.com>
From: Dana Bourgeois
To: firewalls@GreatCircle.COM
Subject: RE: hi SPAM
Date: Mon, 13 Apr 1998 11:23:19 -0700
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.1960.3)
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> -----Original Message-----
> From: Michael Conlen [mailto:meconlen@intnet.net]
> Sent: Friday, April 10, 1998 23:48
> To: firewalls@GreatCircle.COM
> Subject: Re: hi SPAM
>
> On Sat, 11 Apr 1998, Ronald Wiplinger wrote:
>
> > I wonder why you say that, because:
> > 1. The starting of this thread was that somebody used this list for
> > spamming
> > 2. A firewall should fight against any unwanted traffic.
>
> So does anyone know of a product which will allow you to dump email at the
> firewall? Possibly a mail server in the DMZ which all host MX records on
> the external name server point to, which then will scan the mail and dump
> it if the content is unpermissible, and pass it along to servers inside
> the firewall if permissible?
>
> I know with Perl it's trivial to write a program to check text for content
> in the form of regular expressions. If this is applied to all incoming
> and possibly outgoing email messages at the firewall you can block
> unwanted traffic.
> I know it's trivial to write because I've done it for my personal email,
> however I've not tried to implement it at the mail server before it gets
> to the mail delivery agent.

You would need 2-3 times the horsepower on your DMZ mail filter due to writing every mail item to disk then reading it back for delivery. This should work with any version of sendmail:

1. set up two sendmails, one inbound on the standard port and one outbound on a custom port.
2. both queue all mail but in different queues and neither do queue runs.
3. write a PERL program to read the queue (you need two although they might be the same code) and filter it to another queue.
4. Set up a cron job to run the queue at a regular time interval. Or have your filter program do so at the end of a filter run.

If you can hack the sendmail code to integrate your filter program into the sendmail 8.x hooks then you don't have to do the above. You can have sendmail do it while the message is in memory. I think it's the check_mail() function which is the hook.

Or you can set up procmail as a mailer program and have sendmail call it for all delivery. I haven't done this myself but have heard it's supported by procmail and there are instructions on how to do it.

-fg

> Being able to filter out all that damn email from Friend@public.com would
> make your users a bit happier, and going the other way being able to
> filter out outgoing source code and such will make the boss happy, though
> depending on your company's email uses you may need someone to monitor
> questionable email and decide if you want to forward it on, or dump it.
> You may just catch the person leaking company secrets though.
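The filtering step of the procedure above (step 3: a program that reads a queued message and moves it to a deliver or quarantine queue on regular-expression matches), as an added example written by the editor rather than anything posted in the thread. Perl or procmail would do the same job; this one uses Python's standard-library mail parser so that header rules and body rules are applied to the parsed message instead of the raw text. The rule set, the directory layout and the three sample messages are constructed for the example (the `Friend@public.com` address is the one the thread complains about).

```python
import email
import re
from email import policy
from pathlib import Path

# Hypothetical rule set: (name, header name or "body", compiled pattern).
# A header rule runs against that header only; a body rule against the
# text/plain part.  Order matters: the first match decides.
RULES = [
    ("spam-to-header", "To", re.compile(r"Friend@public\.com", re.I)),
    ("mlm-pitch", "body", re.compile(r"\$\d[\d,]*\s*(?:-|to)\s*\$\d[\d,]*\s+per\s+week", re.I)),
    ("source-leak", "body", re.compile(r"^\s*#include\s*[<\"]", re.M)),
]


def classify_message(raw: bytes, rules=RULES):
    """Return ("quarantine", rule_name) for the first matching rule,
    otherwise ("deliver", None)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    for name, where, pattern in rules:
        haystack = body if where == "body" else str(msg.get(where, ""))
        if pattern.search(haystack):
            return ("quarantine", name)
    return ("deliver", None)


def filter_queue(queue_dir: Path, deliver_dir: Path, quarantine_dir: Path, rules=RULES):
    """Move every file in queue_dir to the deliver or quarantine queue
    according to the rules.  Returns {filename: (verdict, rule)}."""
    verdicts = {}
    for path in sorted(queue_dir.iterdir()):
        if not path.is_file():
            continue
        verdict, rule = classify_message(path.read_bytes(), rules)
        target = deliver_dir if verdict == "deliver" else quarantine_dir
        target.mkdir(parents=True, exist_ok=True)
        path.rename(target / path.name)
        verdicts[path.name] = (verdict, rule)
    return verdicts


# Constructed sample messages, not real mail from the archive.
SPAM = b"""From: admin8@mauimail.com
To: Friend@public.com
Subject: Registered mail

You just stumbled upon something big ! $1 - $5,000 per week from home !
"""

LEGIT = b"""From: alice@example.com
To: bob@example.com
Subject: lunch

Noon at the usual place?
"""

LEAK = b"""From: bob@example.com
To: someone@example.net
Subject: the proxy code you asked for

#include <stdio.h>
int main(void) { return 0; }
"""

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        queue = Path(tmp) / "inbound"
        queue.mkdir()
        for name, raw in (("1.eml", SPAM), ("2.eml", LEGIT), ("3.eml", LEAK)):
            (queue / name).write_bytes(raw)
        print(filter_queue(queue, Path(tmp) / "deliver", Path(tmp) / "quarantine"))
```

Matching on the parsed text/plain part rather than the raw file means a rule is not fooled by header folding or a base64-encoded body; the cost is the extra parsing pass per message that Dana's horsepower estimate already accounts for.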
From firewalls-owner Mon Apr 13 14:35:32 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA08427; Mon, 13 Apr 1998 12:19:08 -0700 (PDT)
Received: from su1.in.net (su1.in.net [199.0.62.2]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id MAA08418 for ; Mon, 13 Apr 1998 12:19:01 -0700 (PDT)
Received: from frankw.in.net (pm5-28.in.net [205.160.202.188]) by su1.in.net (8.8.8/8.6.9) with SMTP id SAA12259; Mon, 13 Apr 1998 18:26:01 GMT
Message-Id: <3.0.5.32.19980413142340.015174d0@in.net>
X-Sender: frankw@in.net
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32)
Date: Mon, 13 Apr 1998 14:23:40 -0500
To: Steve Birnbaum
From: Frank Willoughby
Subject: Re: socks versus fw-1 [Part IIb/II]
Cc: firewalls@GreatCircle.com
In-Reply-To: <19980413165728.18829.qmail@softworx.netvision.net.il>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 07:57 PM 4/13/98 +0300, Steve Birnbaum wrote:
>> You mentioned two points in the above paragraph & the common denominator
>> is proprietary. Proprietary encryption is very bad news as I've indicated
>> in my previous mail. Proprietary TCP protocols are as well. Hopefully,
>
> Agreed. However, my use of "at least" is a big qualifier. I believe that
> you'll agree that even with all the faults of proprietary protocols of
> any type, anything is better than a UDP protocol with known adverse
> security implications. If the whole point is to convey to the management
> stations the information obtained by the unix command "ifconfig -a",
> I still question the need to use SNMP for this. I can understand that
> some large corporations want to see ALL their resources on
> an HP OpenView map, but I still believe that the default should be off.

I agree. There are many ways to do this securely without using SNMP for this.
> btw, I was looking over the NSA review and tucked away into the SNMP
> section (how did they not have enough resources to fully check SNMP???) there
> is a recommendation to remove the "enable fw1 control connections" option.

I found this interesting as well.

Thanks for your mail.

Best Regards,

Frank

The opinions of the author of this mail may not necessarily be representative of the opinions of Fortified Networks, Inc.
(c) Fortified Networks, Inc. - http://www.fortified.com/
Home of the Free Internet Firewall Evaluation Checklist
Expert (vendor-neutral) Computer and Network Security Solutions
Phone: (317) 573-0800 Fax: (317) 573-0817

From firewalls-owner Mon Apr 13 14:39:44 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA08744; Mon, 13 Apr 1998 12:21:37 -0700 (PDT)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id MAA08668; Mon, 13 Apr 1998 12:21:15 -0700 (PDT)
Received: from 208.196.108.128 (chi-ip-1-128.ziplink.net [208.196.108.128]) by miles.greatcircle.com (8.8.5/8.8.5) with SMTP id MAA26579; Mon, 13 Apr 1998 12:25:39 -0700 (PDT)
Date: Mon, 13 Apr 1998 12:25:39 -0700 (PDT)
Message-Id: <199804131925.MAA26579@miles.greatcircle.com>
From: .NLHY@ca0408.cap.gov
To: friend.UWTO@ca0408.cap.gov
Subject: Parasites
X-Reply-To: www.expressmailservice.com/mail/trainman
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Think You Don't Have Parasites?? THINK AGAIN!!

"...when parasites in the water make 400,000 sick in Milwaukee, as they did four years ago, and 100 of them die; and when we know that, increasingly here, they get into our bodies through unwashed fruit and vegetables, undercooked meat or fish..."
ABC World News, May, 1997 "Parasites Looking for a Free Lunch" National Geographic, Oct., 1997 "...the cat flea helps spread plague, typhus, and other ailments to people and animals...' "Schistosomes swimming among bathers have wormed their way into 200 million humans causing debilitating fevers and other maladies..." Parasites are no longer a third world problem. You owe it to yourself and your family to listen to the audio tape "Are You Clear of Parasites?" 10 times more powerful than "Dead Doctors Don't Lie" For your free tape, please e-mail to www.expressmailserver.com/mail/trainman. Leave your full name, complete mailing address including zipcode, and phone# including area code. Please accept our apology if this letter has inconvenienced you in any way. From firewalls-owner Mon Apr 13 15:15:43 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA25629; Mon, 13 Apr 1998 13:59:04 -0700 (PDT) Received: from softworx.netvision.net.il (softworx.NetVision.net.il [194.90.1.40]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id NAA25426 for ; Mon, 13 Apr 1998 13:58:08 -0700 (PDT) Received: (qmail 19943 invoked by uid 1000); 13 Apr 1998 21:04:26 -0000 Message-ID: <19980413210426.19941.qmail@softworx.netvision.net.il> To: "Ryan Russell" cc: Frank Willoughby , firewalls@GreatCircle.COM From: Steve Birnbaum Subject: Re: socks versus fw-1 [Part IIb/II] In-reply-to: Your message of "Mon, 13 Apr 1998 12:59:44 PDT." <882565E5.006D7894.00@gwwest.sybase.com> Date: Tue, 14 Apr 1998 00:04:25 +0300 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > If you think about it, the fact that they sell through VARs > exclusively means that they don't have customer lists, > they have VAR lists. When a 30-day evaluation license is given, they receive a customer contact name, phone and email. For every license sold via a VAR, I believe they receive the same information. 
It is possible that in some specific cases this information will be out of date. Since the support contract is with the VAR, it is up to the VAR to maintain the accuracy of the information. However, that doesn't mean Checkpoint have nothing. > They didn't have the opportunity whether they wanted > to or not. You sound sure of yourself. They did. SNI has always made clear that they approach the vendor before releasing advisories. It is always better if the vendor releases a notice to their customers of a problem. Steve --- sbirn@security.org.il (PGP key available) Disclaimer: My opinions only, Fight Internet Spam! http://www.vix.com/spam/ not those of my employer. From firewalls-owner Mon Apr 13 17:23:38 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA02431; Mon, 13 Apr 1998 14:39:54 -0700 (PDT) Received: from cerberus.westaff.com (cerberus.westaff.com [205.143.175.3]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id OAA02385 for ; Mon, 13 Apr 1998 14:39:41 -0700 (PDT) Received: by cerberus.westaff.com; id OAA12069; Mon, 13 Apr 1998 14:55:05 -0700 (PDT) Received: from peach.westaff.com(205.143.168.24) by cerberus.westaff.com via smap (4.1) id xma012052; Mon, 13 Apr 98 14:54:09 -0700 Received: from peach.westaff.com (sshapiro@localhost [127.0.0.1]) by peach.westaff.com (8.6.9/8.6.9) with ESMTP id OAA12436 for ; Mon, 13 Apr 1998 14:43:19 -0700 Message-Id: <199804132143.OAA12436@peach.westaff.com> To: firewalls@greatcircle.com Subject: gauntlet - problems with http-proxy after upgrading to 4.1 Date: Mon, 13 Apr 1998 14:43:18 -0700 From: Sid Shapiro Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello, I just upgraded gauntlet from 3.2 to 4.1 on Friday, running bsdi 3.0. I am now having trouble with the http proxy. 
General access works just fine, but long URLs including "special characters" are failing - for example, I can no longer use any of the investor/stock quote URLs that I have saved because they have "%" and "&" characters in the URL, nor can I use yahoo's mapping service because it constructs a URL with embedded "special characters" in it. Did I miss something in the release notes? Could anyone point me to something I've missed - or has anyone run across this and solved it? Thanks, -- Sid Shapiro (510) 952-2557 Western Staff Services sshapiro@westaff.com ------- End of Forwarded Message From firewalls-owner Mon Apr 13 18:15:31 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA07383; Mon, 13 Apr 1998 15:06:44 -0700 (PDT) Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id PAA07252 for ; Mon, 13 Apr 1998 15:05:54 -0700 (PDT) Received: from mailhub1.experian.com ([167.107.229.201]) by miles.greatcircle.com (8.8.5/8.8.5) with ESMTP id PAA29748 for ; Mon, 13 Apr 1998 15:10:24 -0700 (PDT) Received: (from uucp@localhost) by mailhub1.experian.com (8.8.5/8.8.7) id PAA11157; Mon, 13 Apr 1998 15:09:47 -0700 (PDT) Received: from unknown(167.107.229.130) by mailhub1.experian.com via smap (V1.3) id sma011154; Mon Apr 13 15:09:24 1998 Received: from gmills.ora.experian.com (gmills.ora.experian.com [167.107.244.76]) by dns1 (8.8.5/8.8.5) with SMTP id PAA00326; Mon, 13 Apr 1998 15:10:45 -0700 (PDT) Received: by localhost with Microsoft MAPI; Mon, 13 Apr 1998 14:53:18 -0700 Message-ID: From: Gary Mills To: "firewalls@GreatCircle.COM" , "fw-1-mailinglist@us.checkpoint.com" Subject: SNMP agent Date: Mon, 13 Apr 1998 15:12:54 -0700 Organization: Experian X-Mailer: Microsoft Internet E-mail/MAPI - 8.0.0.4211 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk 
I was asked to look into security issues with HPopenview SNMP Agent. Does anyone have any experience or advice on any known problems with installing this agent on DMZ systems such as mail, web, ftp, firewall, etc... The idea is to monitor activity on these external systems and send traps to the internal Hpopenview system. I am not sure of the security of the agent or the daemons it may start. Gary Mills gary.mills@experian.com From firewalls-owner Mon Apr 13 18:15:44 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id QAA25593; Mon, 13 Apr 1998 16:29:20 -0700 (PDT) Received: from nucleus.com (nucleus.com [199.45.65.129]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id QAA25254 for ; Mon, 13 Apr 1998 16:27:55 -0700 (PDT) Received: from loki (pm1-cgy-74.nucleus.com [207.34.67.74]) by nucleus.com (8.8.8/8.8.8-NIS-11-28.97) with SMTP id RAA03615; Mon, 13 Apr 1998 17:46:02 -0600 (MDT) Message-Id: <3.0.5.32.19980413173555.00c37580@dreamwvr.com> X-Sender: dreamwvr@dreamwvr.com X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.5 (32) Date: Mon, 13 Apr 1998 17:35:55 -0600 To: Gary Mills , "firewalls@GreatCircle.COM" , "fw-1-mailinglist@us.checkpoint.com" From: dreamwvr Subject: Re: [FW1] SNMP agent In-Reply-To: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk hi Gary, Last time I checked it did SNMP in the clear which is real uncool and this was about 6 months ago according to my best knowledge of this week;') it has not changed this way. The concept is sound and is quite a time saver and such but the security of the protocol sucks:'< Enough said. Regards, dreamwvr@dreamwvr.com At 03:12 PM 4/13/98 -0700, Gary Mills wrote: > >I was asked to look into security issues with HPopenview SNMP Agent. >Does anyone have any experience or advice on any known problems with >installing this agent on DMZ systems such as >mail, web, ftp, firewall, etc... 
The idea is to monitor activity on these >external systems and send traps to the internal Hpopenview system. I am not >sure of the security of the agent or the daemons it may start. > >Gary Mills >gary.mills@experian.com > > > > >=========================================================================== ===== > To unsubscribe from this mailing list, please see the instructions at > http://www.checkpoint.com/services/mailing.html >=========================================================================== ===== > > _______________________________________________________________________ DREAMWVR.COM - TOTAL WEB INTEGRATION, DEVELOPMENT, DESIGN SERVICES. Featuring Website Development and Web Strategies of a TOP Developer "As Unique as the Company You Keep." "===0 PGP Key Available ________________________________________________________________________ From firewalls-owner Mon Apr 13 18:22:54 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA07048; Mon, 13 Apr 1998 12:07:17 -0700 (PDT) Received: from bast.livingston.com (bast.livingston.com [149.198.247.2]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id MAA06291 for ; Mon, 13 Apr 1998 12:00:43 -0700 (PDT) Received: from server.livingston.com (server.livingston.com [149.198.1.70]) by bast.livingston.com (8.8.5/8.6.9) with ESMTP id LAA17282 for ; Mon, 13 Apr 1998 11:59:23 -0700 (PDT) Received: from kc.livingston.com (kc.livingston.com [149.198.32.1]) by server.livingston.com (8.8.5/8.6.9) with SMTP id MAA16446 for ; Mon, 13 Apr 1998 12:06:39 -0700 (PDT) Received: from localhost by kc.livingston.com (SMI-8.6/SMI-SVR4) id MAA14292; Mon, 13 Apr 1998 12:07:28 -0700 Date: Mon, 13 Apr 1998 12:07:28 -0700 (PDT) From: Josh Richards X-Sender: jrichard@kc To: firewalls@GreatCircle.COM Subject: Re: Livingston's IRX211 firewall router In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: 
bulk On 13 Apr 1998, Bill Coutinho wrote: > On Sat, 11 Apr 1998, Josh Richards wrote: > > > Very soon it will. I promise. :) > > How soon? Will I be able to upgrade my IRX? How much?? When it's ready. :-) Seriously, it is in beta at the moment. Yes, you will be able to upgrade your IRX; it's a ComOS upgrade and we don't charge for that. --jr ---- Josh Richards - - [Beta Engineer] LUCENT Technologies - Remote Access Business Unit (formerly Livingston Enterprises, Inc.) http://www.livingston.com/ From firewalls-owner Mon Apr 13 20:11:30 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id RAA08612; Mon, 13 Apr 1998 17:35:19 -0700 (PDT) Received: from netscape.com (h-205-217-237-47.netscape.com [205.217.237.47]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id RAA08604 for ; Mon, 13 Apr 1998 17:35:13 -0700 (PDT) Received: from judge.mcom.com (judge.mcom.com [205.217.237.53]) by netscape.com (8.8.5/8.8.5) with ESMTP id RAA05550 for ; Mon, 13 Apr 1998 17:41:32 -0700 (PDT) Received: from netscape.com ([205.217.246.174]) by judge.mcom.com (Netscape Messaging Server 3.52) with ESMTP id AAA21B4; Mon, 13 Apr 1998 17:41:31 -0700 Message-ID: <3532B0BB.694C8C3C@netscape.com> Date: Mon, 13 Apr 1998 17:41:31 -0700 From: Bill Burns X-Mailer: Mozilla 4.05 [en] (X11; U; SunOS 5.6 sun4u) MIME-Version: 1.0 To: Gary Mills CC: "firewalls@GreatCircle.COM" , "fw-1-mailinglist@us.checkpoint.com" Subject: Re: [FW1] SNMP agent References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Yeah, SNMP v2* is pretty icky because of the plaintext passwords ("community strings"). The SNMP v2c spec was supposed to address that little snarl, but everyone seems to be working on SNMP v3, which is supposedly "nearly out". 
For SNMP v3 info, check out RFCs: 2271, 2272, 2273, 2274, and 2275 The site "http://www.snmp.com" isn't updated very much so there must be a better source for that info. bill Gary Mills wrote: > I was asked to look into security issues with HPopenview SNMP Agent. > Does anyone have any experience or advice on any known problems with > installing this agent on DMZ systems such as > mail, web, ftp, firewall, etc... The idea is to monitor activity on these > external systems and send traps to the internal Hpopenview system. I am not > sure of the security of the agent or the daemons it may start. > > Gary Mills > gary.mills@experian.com > > ================================================================================ > To unsubscribe from this mailing list, please see the instructions at > http://www.checkpoint.com/services/mailing.html > ================================================================================ -- Bill Burns Senior Security Engineer Netscape Communications Corp. From firewalls-owner Mon Apr 13 21:29:38 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id UAA08430; Mon, 13 Apr 1998 20:57:03 -0700 (PDT) Received: from kwanon.research.canon.com.au (kwanon.research.canon.com.au [203.12.172.254]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id UAA08412 for ; Mon, 13 Apr 1998 20:56:53 -0700 (PDT) Received: (qmail 12769 invoked from network); 14 Apr 1998 04:03:10 -0000 Received: from grainger.research.canon.com.au (203.12.174.130) by kwanon-le1.research.canon.com.au with SMTP; 14 Apr 1998 04:03:10 -0000 Received: (qmail 9367 invoked from network); 14 Apr 1998 04:03:09 -0000 Received: from cass.research.canon.com.au (203.12.174.231) by grainger.research.canon.com.au with SMTP; 14 Apr 1998 04:03:09 -0000 Received: (qmail 7248 invoked by uid 100); 14 Apr 1998 04:03:05 -0000 Message-ID: <19980414040305.7247.qmail@cass.research.canon.com.au> From: "Andrew Raphael" Subject: Re: Livingston's IRX211 
firewall router To: firewalls@GreatCircle.COM Date: Tue, 14 Apr 1998 14:03:05 +1000 (EST) X-Mailer: ELM [version 2.4 PL25] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >Apart from network address translation what are the other performance >benefits that you see in a Cisco PIX over the IRX211? I've never used a Cisco PIX, so I can't say. The IRX211 has all the performance I've needed for what I use them for, which is a 2 Ethernet filtering router between my firewall bastion and my interior network. I did use it as an exterior router, but changed to a Cisco 4000M because I needed 2 Ethernet and BRI. If I upgrade to Frame Relay, I'll probably swap the Cisco 4000M and the IRX211. Disclaimer: happy customer. -- Andrew Raphael "Oh! I see, it's your birthday. It's your big day, and I forgot." From firewalls-owner Mon Apr 13 23:08:17 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA21259; Mon, 13 Apr 1998 23:04:15 -0700 (PDT) Received: from softworx.netvision.net.il (softworx.NetVision.net.il [194.90.1.40]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id XAA21251 for ; Mon, 13 Apr 1998 23:04:06 -0700 (PDT) Received: (qmail 22656 invoked by uid 1000); 14 Apr 1998 06:10:32 -0000 Message-ID: <19980414061032.22654.qmail@softworx.netvision.net.il> X-Mailer: exmh version 2.0.1 12/23/97 To: "Ryan Russell" Cc: Frank Willoughby , firewalls@GreatCircle.COM From: Steve Birnbaum Subject: Re: socks versus fw-1 [Part IIb/II] In-Reply-To: Your message of "Mon, 13 Apr 1998 16:43:08 PDT." 
<882565E5.008128E5.00@gwwest.sybase.com> Mime-Version: 1.0 Content-Type: multipart/signed; boundary="==_Exmh_483621128P"; micalg=pgp-md5; protocol="application/pgp-signature" Content-Transfer-Encoding: 7bit Date: Tue, 14 Apr 1998 09:10:31 +0300 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk --==_Exmh_483621128P Content-Type: text/plain; charset=us-ascii ryanr@sybase.com said: > I frequently used to get eval licenses by calling tech support folks. > They issue trial licenses every month and give them to tech people. I don't think they use the single eval license anymore. VARs are able to generate a 30-day eval based on the host id which requires a contact person at the site for whom the license is being generated. The same procedure is used when generating a paid license. The only way to not give this info to Checkpoint is for the VAR or customer (depending on who's filling out the form) to intentionally omit information. > I really doubt they have the info from every (perhaps any) VAR. It's not an option. Customer contact info is required to create a license for them. > Yes, SNI probably did contact them ahead of time, that's why they had > a workaround ready. I'll let Alfred get into details about that if he wants to. Steve -- sbirn@security.org.il (PGP key available) Disclaimer: My opinions only, Fight Internet Spam! http://www.vix.com/spam/ not those of my employer. 
--==_Exmh_483621128P Content-Type: application/pgp-signature -----BEGIN PGP MESSAGE----- Version: 2.6.3ia iQEVAwUBNTL90wNowu66bCy5AQEmgwgArAwFl84ZoSlV4ShSQCZPJwzaoz3SyUDz qvvr9j0+CQJhkiDu+lApfXOpjuoj3Y2TG1YtmXVl3jMWo6Wj9dRVYqtfaz2lrD3B TAN6R2LRS+QjmbiLjpMcxucKUfqP9hOLwxzWDeXABa69Oudyj5ghXJOnisIqVK3f yb1181ZqHQ5sgwlc+0OPNis8s9N1MzHlZZiwM8TkqUVsv/mDiuh51qt00JMODD/J fq2KNBsUys3TelI8aypveilCABOM0Byt5rBYcYhJb+/eozGSwDue3QdCjZBJMEAr d9LwyGNyXh2tVRv8VUJT3JkCbhH+h6KkllkzxZdUoNt5npyqAcjntg== =m2xs -----END PGP MESSAGE----- --==_Exmh_483621128P-- From firewalls-owner Tue Apr 14 01:50:36 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id BAA02759; Tue, 14 Apr 1998 01:11:06 -0700 (PDT) Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-980202-1) id XAA24750 for firewalls@greatcircle.com; Mon, 13 Apr 1998 23:28:02 -0700 (PDT) Received: from fw.roguewave.com (fw2.roguewave.com [208.151.233.2]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id JAA04104 for ; Wed, 8 Apr 1998 09:21:28 -0700 (PDT) Received: by fw.roguewave.com; id JAA22146; Wed, 8 Apr 1998 09:26:53 -0700 (PDT) Received: from cvo.roguewave.com(10.68.9.1) via SMTP by fw-int.roguewave.com, id smtpd022138; Wed Apr 8 09:26:49 1998 Received: from rw0328 (rw0328.cvo.roguewave.com [10.68.2.128]) by cvo.roguewave.com (8.8.2/8.8.2) with SMTP id JAA27503; Wed, 8 Apr 1998 09:27:00 -0700 (PDT) Message-Id: <199804081627.JAA27503@cvo.roguewave.com> Comments: Authenticated sender is From: "Ron Snyder" Organization: Rogue Wave Software To: Jeff Kalwerisky Date: Wed, 8 Apr 1998 09:27:28 -0800 Subject: RE: socks versus fw-1 stateful inspection vulnerabilities CC: firewalls@greatcircle.com In-reply-to: <01BD62CA.A786B120.jeffk@secure-it.net> X-mailer: Pegasus Mail for Win32 (v2.54) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk [most of jeff's reply to frank has been snipped-- I was unable to pick out a minimal portion to include for reference-- if this causes 
a problem for you, email me and I'll send you a copy] You really ought to go back and read what you wrote-- at least Frank's post had some substance. Your post amounted to nothing more than sarcasm. He posted some opinions and explained them, while you did nothing more than delete the technical discussion and attack his non-technical statements. That wouldn't be because you have no ammunition against the technical discussion, would it? > More to the point, computer security proponents will never be > regarded as "professionals" by senior management as long as we show > ourselves incapable of rational argument, understanding that the Exactly who demonstrated themselves to be incapable of rational argument? -ron -- ron snyder snyder@roguewave.com | This space Rogue Wave Software, Inc | intentionally {news,unix} admin | left blank ....transmission ends.... From firewalls-owner Tue Apr 14 01:52:37 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id BAA02967; Tue, 14 Apr 1998 01:14:00 -0700 (PDT) Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-980202-1) id XAA24850 for firewalls@greatcircle.com; Mon, 13 Apr 1998 23:28:31 -0700 (PDT) Received: from ns.telegroup.com ([208.219.0.2]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id KAA24033 for ; Wed, 8 Apr 1998 10:53:50 -0700 (PDT) Received: from radius.telegroup.com (radius.telegroup.com [208.219.5.2]) by ns.telegroup.com (8.8.5/8.8.5) with ESMTP id MAA24495; Wed, 8 Apr 1998 12:57:03 -0500 (CDT) Received: from mandrake.telegroup.com (macke@mandrake.telegroup.com [208.219.1.177]) by radius.telegroup.com (8.8.5/8.8.3) with SMTP id MAA23988; Wed, 8 Apr 1998 12:59:10 -0500 (CDT) Date: Wed, 8 Apr 1998 12:59:10 -0500 (CDT) From: Brian Macke Reply-To: bmacke@telegroup.com To: randy.boroughs@watchguard.com cc: firewalls@greatcircle.com Subject: Re: WatchGuard Security System In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII 
Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I'm left questioning my effort of five hours last night. I have a feeling that, like many of my complaints to WatchGuard, this will invariably be discounted out of hand. In order to salvage those hours of work, I've crossposted this message to the firewalls mailing list so that someone might gain something from my effort. I realise now that WatchGuard never really cared about the faults of its systems, and to that end, its customers. I hope that WatchGuard as a whole will change its philosophy about how it treats its customers to prevent cases like mine in the future. Thank you. [note to the mailing list: This is a CC of an exchange between myself and WatchGuard, started out of something I had said to the mailing list a few weeks ago. As I stated above, it does not appear as though WatchGuard will act on this information, so I will give you the same information that I gave them. Please note that if you do have the WatchGuard firewall on your network, you have the potential to incur these problems. While you, as a customer of WatchGuard, might have had wonderful experiences with them, bear in mind that this is how they treated a customer that helped the company get its feet off the ground.] On Wed, 8 Apr 1998, Randy Boroughs wrote: > Brian, > > Thank you for taking the time to detail your experiences with our > company and our product. You have given me some insight that will > ultimately improve our company and our products. I now have a personal > challenge; to create a customer base satisfied enough to invalidate your > position. I take this challenge seriously, and hope that one day we can > chat about WatchGuard's ultimate success. 
>
> Randy Boroughs
> VP of Product Management
> WatchGuard Technologies
> (206) 521-1419 (phone)
> (206) 521-8341 (fax)
> randy.boroughs@watchguard.com
> www.watchguard.com

On Tue, 7 Apr 1998, Brian Macke wrote:

> I've put a lot of thought into how I should respond to this, sometimes doubting whether I should respond or not. I think I've come to the conclusion that it's for the better that I do outline what problems I had with both the WatchGuard product as well as the company itself. While the following comments are my opinion, they are based in the experiences I had from when I began administering Telegroup's firewall system in September of 1997.
>
> 1> The 128 rule limit
> This, by far, was the worst aspect of the firewall that my company could have ever encountered. We only discovered it well after we had lost major portions of our production traffic due to the peripheral repercussions that I will discuss later. This limit is, allegedly, codified and as a result should have been placed in the literature of the firewall. A company cannot idly stand by and let its customers discover such things on their own. Otherwise, embittered customers, like myself, will take such a polarised stance on the company that it will only impede public relations like it has in my postings to the Firewalls mailing list.
>
> 2> The source port blocking issue
> This problem appears to have been a direct cause of the aforementioned limit. This was not the worst aspect of this problem, however, as I'll mention later. To summarise the problem, during normal operation, even during low usage times, the firewall would block traffic based on the source port of the connection. For example, if there were a rule in the firewall allowing outgoing connections to, say, 2099, but the incoming rule was to block - when someone would make a normal outgoing connection (say, to port 80), and the source port were 2099, that connection would get blocked.
> Here's a diagram:
>
>     Inside             firewall           Outside
>     User A               WG               Web Site
>     Dst port = 80                         Src Port = 80
>     Src port = 2099                       Dst Port = 2099
>
>     Rule tcp/2099
>         Allow any/any outgoing
>         Deny any/any incoming
>     2099 --------------------Allow------------------> 80
>     2099 <-------------------Deny-------------------- 80
>
> I hope this illustrates exactly what I'm trying to say: that Telegroup experienced serious problems with production traffic because of a bug in the software for WatchGuard.
>
> 3> Massively poor and judgemental technical support
> I do not know if you have any say in the Technical Support area, but WG's support was far worse than any company's I have ever experienced during my eleven years in the work force. Things massively started off on the wrong foot when I was told that I could only use Windows 95/NT or Redhat Linux 4.0 for the Console software. I felt highly uncomfortable having an extremely old version of RedHat on my workstation, so I installed the latest version of Slackware (3.3, if memory serves me correctly), and installed the Console software on top of it. I was instantly told that it wouldn't work (even after being successful), and that it was wrong for me to go outside the recommended install. That may be true, but this meant that every single bug report I ever put in for the product was met with "It's your fault. You're the aberrant one." even after I had taken the console software off the Slackware machine. I gave the tech support vivid and undeniable proof that bugs were there, and they insisted that it was still because of Slackware. They never listened to me once, ever. I can say that rather authoritatively, since I have yet to see any of the things I've mentioned in any of the product releases. To this day, I believe that Telegroup should have dropped all use of WatchGuard upon the first sign that we could no longer get a single person in Tech Support to listen to us.
>
> 4> Poor hardware
> When we signed onto the reseller program, we received three fireboxen. Two were sold to satellite offices, and the third was kept for replacing our old box (486/100, CD-ROM, 540 meg HD. Worth mentioning now, since they're coming up again later). We installed the new box, much to the awe of other employees. But shortly after the install, the honeymoon was over and it was discovered that the system had a bad floppy drive. We RMA'ed the box, and replaced it with a new one. That one also had a bad floppy drive. We RMA'ed that box, got the replacement, and that, too, had a bad floppy drive. We replaced the drive (with approval from WG), and it was then discovered that it was the FDC that was actually bad in all three boxes. Oh, it should also be mentioned that it appeared that box #2 had other problems as well, since the httpd-proxy and other programs were dying with Signal 11's, the bode of bad hardware.
> We ended up having to revert back to the original box with an old configuration because of the serious hardware issues that came up with the new box. At that point, we were left with no alternative other than to sever our usage of the WG product in all locations and find an appropriate alternative.
>
> 5> Latency
> WG has purported that it can handle T1 speeds, but instead we found that with even the most sparse configuration, we barely could use 50% of our available T1. As more rules were added to the box, the slower our connection became until it was barely better than a 256k link. As a point of information, I've installed Linux on one of the old 486's, along with the ipfwadm package and have been able to get 256kBps transfer rates, even with complex configurations on par with the WatchGuard setup. The software on the WG boxes is just too bloated to be able to handle a large amount of bandwidth.
>
> 6> Random reboots
> This problem was never truly pinpointed; however, it had a number of suspected parents. The first was, of course, the 128-ruleset limit. Others included bugs in the fw-watcher daemon and the control daemon. Tech Support's canned response was that I was running Slackware, however the reboots occurred even after I had switched to NT. As far as I know, not only was this problem never traced back to a source, it was also never corrected, either.
>
> 7> controld
> Controld was a thorn in our sides from the minute we installed our 2nd firewall. Notification was always dependent on which firewall sent its config file to controld first. So we had to make a choice between which firewall was more important. Failing that, we ended up having to run controld on separate machines in order to get the most out of the firewalls. This, allegedly, was solved in 2.3, but we couldn't upgrade to it. This was because of....
>
> 8> 2.3 broke SQL
> When ping was fixed, this broke SQL, and Tech Support felt that it was a non-issue, so it was dropped, apparently. As a result, production traffic was lost, and Telegroup was left running an old, outdated version of the software.
>
> 9> remote upgrades
> This was a very big issue that can probably never be solved. We were administering two boxes in Europe for our satellite offices, and the only way we could upgrade the boxes would be to send a floppy to the remote sites, hope they put it in properly, then have them reboot the machine. This was a very bad policy from a support standpoint, and we needed a way to upgrade the OS on the machines without cutting new floppies. Again, lacking any real possibility of this being changed, I felt that the WatchGuard was a failure in our situation.
>
> ---
>
> I believe this concludes all of the possible problems I had with the WatchGuard when we were using them in production.
> I'm sure I've left out some things, but I believe this is a good sampling of the problems.
>
> To preemptively cover the question, I don't believe there is anything that could be done to convince me to use any of WatchGuard's products ever again. They did have positive points, like the encrypted communications. But I stand by my statement that there are too many serious blowbacks to the WatchGuard firewall product to actually use it ever again. This includes Telegroup, as well as any other company I might work for in the future. I feel that the market for "Firewall Appliances" will soon fade from the market as people realise that you can't have it all in one box.
>
> I've worked very hard to change co-workers' opinion of what a firewall truly is. We're moving away from pointing at a box and saying, "This is the firewall," and more towards "This is part of our firewall system." It would be very silly for me to endorse a product which attempts to do too many things and fails to do at least some of the jobs correctly.
>
> Bearing all of this in mind, I implore you to take my opinions seriously, as I've put a lot of thought into them. I have nothing to really gain by sending this letter, but I assume that you do. If WatchGuard's product improves, then the next time I post about WG on the firewalls list, I can be resoundingly rebutted by someone who's used WG since my bad experiences. At that point, I will know that things have changed enough at WatchGuard that my views are no longer valid, and I will stop spreading them. Until that time, however, I will be up front and honest with anyone asking about whether or not I trust WatchGuard as a firewall or as a company.
> > > On Mon, 6 Apr 1998, Randy Boroughs wrote: > > > Hi Brian, > > A little over a week ago you commented on the Firewall mailing list that > > the WatchGuard product "has such serious blowbacks that I wouldn't trust > > it as a monitor stand, much less a production system." I obviously have > > an interest in ensuring that the WatchGuard products are successful > > security appliances. Could you please expand upon your comments and > > give me a better idea of how you arrived at this conclusion. Thanks for > > your time. > > > > Randy Boroughs > > VP of Product Management > > WatchGuard Technologies > > (206) 521-1419 (phone) > > (206) 521-8341 (fax) > > randy.boroughs@watchguard.com > > www.watchguard.com > > > > -Brian James Macke macke@telegroup.com > Unix SysAdmin/Security Specialist Telegroup, Inc. > "In order to get that which you wish for, you must first get that which > builds it." -- Unknown > > > > -Brian James Macke macke@telegroup.com Unix SysAdmin/Security Specialist Telegroup, Inc. "In order to get that which you wish for, you must first get that which builds it." 
-- Unknown

From firewalls-owner Tue Apr 14 01:53:57 1998
From: Gordon LaSane
To: Bill Coutinho, Bennett Todd
Cc: firewalls@GreatCircle.COM, alien@netcomuk.co.uk
Subject: RE: fw-1 stateful inspection vulnerabilities
Date: Fri, 10 Apr 1998 09:24:04 -0400

I found this article from the newsletter published by Secure Computing Corp. to be helpful in comparing stateful inspection and application gateways.

Application Gateways vs. Stateful Packet Filters
By Dr. Richard E. Smith

About the author: Dr. Smith is a principal security architect for Secure Computing Corporation. His recent book, "Internet Cryptography", was published last summer by Addison Wesley.

Today's major firewalls are often classified in two major categories: application gateways and stateful packet filters. Secure Computing's firewall products have always been application gateways, which are inherently safer both in theory and in practice. This article provides a brief overview of each of these methods and a comparison of the features offered by both the application gateway firewall and the stateful packet filtering firewall.

Background

Before comparing the two, it is helpful to have an understanding of the original design concept behind each methodology.

Application gateways - the application gateway was designed with the assumption that no traffic should pass between the internal and external networks unless the traffic is specifically allowed. For example, a data packet is not allowed to enter your site unless it is a certain type of traffic you have specifically stated that you want. These devices are called "application gateways" because they incorporate special packages to handle each Internet application protocol. Application gateways recognize messages that belong specifically to that protocol and reject all others.

Stateful packet filtering - this technology evolved from basic packet filtering, which is arguably the oldest firewall technique. Packet filtering itself is a very simple technology that is still widely used. It is founded on the notion of looking at individual Internet packets and rejecting any packets that look unacceptable. Products with a "built in firewall" capability often provide a crude packet filtering capability and nothing else. An important strength of packet filtering is in its speed: it is very easy to look at individual packets and pass simple judgement based on specific packet contents. But the packet filter's weakness is in its simplicity: not all security questions about an individual packet can be answered by looking at that specific packet by itself. Stateful packet filtering was developed as a technique to sidestep the problems with basic packet filtering. Unlike a simple packet filter, a stateful filter maintains information about connections and, in some cases, about application level activities. In practice, such devices can provide similar features to circuit filters (a device that passes a connection from a client on one side of the firewall to a server on the other) and some of the features of application gateways. However, stateful filtering generally falls short of application gateways.

Feature comparison

The following is a comparison of how the features of the application gateway stack up against the features offered by the stateful packet filtering firewall. We believe the results speak for themselves:

Feature 1: All messages not belonging to approved Internet applications are rejected.

Application gateway - YES
The only messages entering or leaving the site are part of an approved application protocol. Spurious, unrecognizable packets are discarded.

Stateful packet filter - NO
All packet filters, including stateful ones, contain the essential machinery necessary to pass any packet between the inside and outside networks. If an error is made in the filtering rules, either by the manufacturer or by the site, then some unintended messages may pass through. In practice, this technique has proven itself unreliable.

Feature 2: All messages that violate application format requirements are rejected.

Application gateway - YES
Application specific software examines the incoming messages and can reject messages in suspicious or improper formats. This blocks a variety of attacks based on improper packet formatting. For example, many types of buffer overrun attacks and email attacks that are based on peculiar address formatting can be blocked.

Stateful packet filter - MAYBE
Stateful packet filters can collect information from a series of packets, laboriously reconstruct application messages, and make filtering decisions on the result. This is a relatively complicated and error prone process. This technique cannot be used to easily and systematically verify a broad range of application protocol formats. In practice, it has proven itself unreliable.

Feature 3: Existing identification information is used in application protocols.

Application gateway - YES
The gateway software can extract user names embedded in application protocol messages and use those names to make access control decisions. This can reduce the number of separate sign-ons a user must perform and an administrator must maintain.

Stateful packet filter - NO
Although it may be possible to do this in conjunction with some part of application format checking, this feature is never provided using stateful packet filtering. Typically, stateful packet filters provide user authentication via a separate login client that associates user identity with the client's Internet address. This requires a separate set of authentication services and credentials.

Feature 4: Traffic control can be application specific.

Application gateway - YES
For example, file transfer users can be restricted to only reading or writing files. Web users can be restricted from accessing particular URLs or from downloading specific content types like Java applets.

Stateful packet filter - MAYBE
Stateful filters can do this in conjunction with application format checking. However, these capabilities suffer the same shortcomings as noted for stateful packet filters in Feature 3 above.

Feature 5: Portable, standard packages can be used for application filtering.

Application gateway - YES
Application gateway software is usually based on the standard "socket" interface available in typical operating systems. This allows gateway products developed for "toolbox" firewalls to be integrated into high-end firewalls like the Borderware firewall and Sidewinder Security Server that are based on customized, high security operating systems. The software packages that handle specific protocols are often called application proxies. Commercial application gateways generally provide an extensive suite of proxies. However, the benefits of application proxies are only available if an application proxy has been produced for the particular Internet protocols that a specific site needs. If a site must use a protocol for which no proxy is available, the site will need to rely on a "generic" proxy capability to pass that protocol through the firewall. A "generic proxy" allows any identifiable protocol to traverse the firewall while still blocking unrecognized packets and undesired protocols. This is usually based on the "circuit filter" technique. A circuit filter is a device that passes a connection from a client on one side of the firewall to a server on the other. For example, a site might need to allow outbound telnet connections, so the circuit filter will accept outbound telnet connection requests to port 23, the Telnet connection port. The circuit filter accepts the connection on the inside and echoes it on the outside, addressing the server selected by the inside client. Traffic flowing in either direction is handled inside the firewall on behalf of the circuit set up for that particular connection. The internal connection is often referred to as a proxy for the external connection.

Stateful packet filter - NO
Stateful filtering is not based on the standard "socket" interface. Instead, it uses a radically different "event driven" mechanism to collect information and apply filtering rules. Because of this, standard packages for application filtering do not fit directly into a stateful filtering environment.

In conclusion

As the benefits of application filtering have proven themselves in real world operations, products based on stateful packet filtering have begun to integrate application gateway capabilities. Unfortunately, the underlying packet filtering mechanisms remain, bringing with them inevitable leakage problems. The essential benefit of a strong application gateway is that it only passes the traffic specifically required by the site. There is no other path into the site for the undesired traffic, and there is no underlying weakness in the design concept that may allow low level traffic to sneak through.

Gordon LaSane
Global Data Systems, Inc.
Internet and Intranet Firewalls and Security Group
Consulting and Installing Solutions for Your Company's Data Security: Remote User Authentication, Internet Access, Virtual Private Networks, Web Filtering, Intranets, Firewalls
781/740-8818 x13 ph
781/740-8830 fax
glasane@gdsconnect.com

-----Original Message-----
From: Bill Coutinho [mailto:bill@dextra.com.br]
Sent: Thursday, April 09, 1998 4:17 PM
To: Bennett Todd
Cc: firewalls@GreatCircle.COM; alien@netcomuk.co.uk
Subject: Re: fw-1 stateful inspection vulnerabilities

Bennett Todd wrote:

> ``Stateful inspection'' is an interesting hack. In theory it can do
> amazing things. Of course, the difference between theory and practice is
> a lot bigger in practice than it is in theory.
> [...]

At last, one concise, clear and straightforward vision of "stateful inspection" shortcomings. Congratulations!

--
Cheers,
Bill.

B i l l   C o u t i n h o
mailto:bill@dextra.com.br
PGP Public Key at: http://www.correionet.com.br/~bill/pgpkey.asc

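As an added illustration of the contrast the article draws in Features 1 and 2 (example code written for this digest, not code from the article, from Secure Computing, or from any product named in the thread), the Python model below puts a toy connection-tracking packet filter beside a toy application gateway for SMTP envelope commands. All addresses, ports, rules and SMTP lines are constructed for the example, and the SMTP grammar is a deliberate simplification. The "sloppy" policy shows the Feature 1 point: a packet filter has the machinery to pass any packet, so one mistaken rule lets an unsolicited inbound connection through untouched. The gateway shows Feature 2: a line that does not parse as the protocol, or an address outside the accepted grammar, is never forwarded to the protected host.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal view of a TCP segment: a 5-tuple plus a SYN flag (constructed)."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False       # True when this packet tries to open a connection


class StatefulPacketFilter:
    """Toy connection-tracking filter (a constructed model, not any product).

    A packet passes if it belongs to a flow already in the state table, or if
    it is a SYN that some rule allows to open a new flow.  Nothing here looks
    at the payload: the filter is able to pass any packet at all, so a
    mistaken rule is enough to let unintended traffic through."""

    def __init__(self, rules):
        self.rules = list(rules)   # predicates over a flow-opening packet
        self.flows = set()         # (src, sport, dst, dport) of accepted flows

    def decide(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.flows or rev in self.flows:
            return "PASS"          # part of a tracked connection, either direction
        if pkt.syn and any(rule(pkt) for rule in self.rules):
            self.flows.add(fwd)    # remember the newly opened connection
            return "PASS"
        return "DROP"


# Toy application gateway for SMTP envelope commands.  The grammar below is a
# simplification of real SMTP address syntax, constructed for this example.
SMTP_COMMAND = re.compile(
    r"^(?:HELO|EHLO) [A-Za-z0-9.-]+$"
    r"|^(?:MAIL FROM|RCPT TO):<(?P<addr>[^>]*)>$"
    r"|^(?:DATA|QUIT)$"
)
SMTP_ADDRESS = re.compile(r"^[A-Za-z0-9._+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$")


class SmtpApplicationGateway:
    """Forwards only lines that parse as an SMTP command whose address, if
    any, fits the accepted grammar; everything else is rejected."""

    def decide(self, line):
        m = SMTP_COMMAND.match(line)
        if m is None:
            return "REJECT"                      # not a recognised command
        addr = m.group("addr")
        if addr is not None and SMTP_ADDRESS.match(addr) is None:
            return "REJECT"                      # peculiar address formatting
        return "FORWARD"


def allow_outbound_smtp(p):
    """Intended policy: inside hosts may open SMTP connections outward."""
    return p.src.startswith("10.") and p.dport == 25


def sloppy_high_ports(p):
    """Mistaken rule, meant to 'let replies back in', that in fact lets any
    outside host open a connection to any unprivileged port on the inside."""
    return p.dport >= 1024


def filter_demo():
    """Run the same constructed traffic through a correct and a mistaken policy."""
    inside, outside, mailhost = "10.0.0.5", "192.0.2.10", "10.0.0.25"
    strict = StatefulPacketFilter([allow_outbound_smtp])
    sloppy = StatefulPacketFilter([allow_outbound_smtp, sloppy_high_ports])
    traffic = [
        Packet(inside, 40000, outside, 25, syn=True),     # inside host opens SMTP out
        Packet(outside, 25, inside, 40000),               # server's reply on that flow
        Packet(outside, 4444, mailhost, 8080, syn=True),  # unsolicited inbound SYN
    ]
    return {name: [fw.decide(p) for p in traffic]
            for name, fw in (("strict", strict), ("sloppy", sloppy))}


def gateway_demo():
    """Constructed SMTP session fragment pushed through the gateway."""
    gw = SmtpApplicationGateway()
    lines = [
        "HELO mail.example.com",
        "MAIL FROM:<alice@example.com>",
        "MAIL FROM:<alice@example.com; extra>",   # address outside the grammar
        "RCPT TO:<bob@example.org>",
        "XYZZY not-a-command",                    # unknown command
        "DATA",
    ]
    return [gw.decide(line) for line in lines]


if __name__ == "__main__":
    print(filter_demo())
    print(gateway_demo())
```

The strict policy drops the unsolicited inbound SYN, the sloppy one passes it without ever inspecting what it carries; the gateway forwards the four well-formed commands and rejects the malformed address and the unknown command before the mail host sees them.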
From firewalls-owner Tue Apr 14 02:07:36 1998
From: rdew@el.nec.com (Bob De Witt)
To: firewalls@GreatCircle.COM
Subject: Unsubscribing
Date: Thu, 9 Apr 1998 15:48:47 -0700

All,

I work by contract, due to the 1986 Cobra law and my age. As such, this gig is over. I will subscribe again when my next gig starts, in about 2 weeks. Will miss the sparkling repartee, but I will rejoin at that time.

Please note: I did not ask "how do I get off this &$#*%@ list", as have others we all know and like ...

Ciao,
Bob De Witt
(old email address [until 4/10/98]: rdew@el.nec.com)
(new email address [after 4/23/98]: rdew@...tbd...)

The views expressed herein are my own, and are not attributable to any other source, be it employer, friend or foe.
From firewalls-owner Tue Apr 14 06:24:50 1998
From: Rick_McMaster@freddiemac.com (McMaster, Rick)
To: firewalls@GreatCircle.COM
Organization: Freddie Mac
Date: Tue, 07 Apr 1998 09:20:38 -0400
Subject: TFTP with Raptor

Does anyone have any information on how to set up TFTP with a Raptor firewall?
Thanks,
Rick

From firewalls-owner Tue Apr 14 08:51:22 1998
From: Frank Willoughby
To: "Ryan Russell"
Cc: Steve Birnbaum, firewalls@GreatCircle.com
Subject: Re: socks versus fw-1 [Part IIb/II]
Date: Tue, 14 Apr 1998 01:38:55 -0500

At 12:59 PM 4/13/98 -0700, Ryan Russell allegedly wrote:

>It wasn't so much a refusal on Checkpoint's part...
>If you think about it, the fact that they sell through VARs
>exclusively means that they don't have customer lists,
>they have VAR lists.

I can't imagine that what you are suggesting is right. If it were, it would be a signal that the company is severely mismanaged and that the company is pretty much out of control. While I disagree with the level of security they provide, I wouldn't dream of accusing them of gross incompetence or negligence - both of which are implied in your statement above.

A few questions:

o What about internal controls in the company?
o If there are no customer lists & just VAR lists, then how do they maintain sales, licensing, & revenue figures?
o What about maintenance contracts?
o Who is on the hook to provide the customers with the info about a security problem about the product? I suspect that it may ultimately be Checkpoint - not each individual VAR. You can delegate authority, but not responsibility.
o If, heaven forbid, the VAR is providing the entire customer support infrastructure, then Checkpoint is worse off than I thought. I can see the VARs supplying first-level support, but not supplying the complete product support. Sadly, given the number of complaints I have seen on this list about Checkpoint's customer support, it appears that this might actually be the case. Perhaps support is out of Israel. In this case, it means a transatlantic phone call to get the problem fixed. Shouldn't Checkpoint's US subsidiary be providing some type of customer support?

Anyway, whatever the outcome, I think that Checkpoint's ultimate fate (for better or for worse) will probably be the result of three main factors:

o its product's security architecture / design
o the implementation of the product
o its customer support

So far, it's holding a pretty weak hand.

>If you don't like companies selling through VARs, that's fine.
>That criticism might be quite appropriate given just such an
>occasion.

There's nothing the matter with vendors selling through VARs. It IS important that the VAR understand the technology they are dealing with and that they provide adequate product support.

>You should imply that they refused to notify people though.

Didn't they? It sure seems to me they did. To me, what set Checkpoint way back as a serious vendor in the firewalls market is not only that they had a vulnerability, but their reaction when they were notified of the vulnerability. Vulnerabilities will continue to exist and are nothing new to me or other ISOs. I find them very frequently in firewalls and other security products. However, two things are very important:

o How serious the vulnerability is
o How the vendor reacts when informed of the vulnerability (the worst thing they can do is go into denial & not inform their customers)

>They didn't have the opportunity whether they wanted
>to or not. Conveniently for them, they did exactly as they
>should have, notified the VARs and put something on the web
>site.

I disagree. According to people that I have talked to and are in a position to know, Checkpoint had more than enough opportunity. I am aware of several times where Checkpoint was contacted about security issues and their calls were not returned.

Best Regards,
Frank

The opinions of the author of this mail may not necessarily be representative of the opinions of Fortified Networks, Inc.
(c) Fortified Networks, Inc. - http://www.fortified.com/
Home of the Free Internet Firewall Evaluation Checklist
Expert (vendor-neutral) Computer and Network Security Solutions
Phone: (317) 573-0800  Fax: (317) 573-0817

From firewalls-owner Tue Apr 14 09:07:20 1998
From: Reffray
To: "'Jason L. Asbahr'", "firewalls-digest@GreatCircle.COM"
Subject: RE: UnLurk
Date: Tue, 14 Apr 1998 10:32:39 +0200

Hi!

Regarding ping of death, I think that a service pack fixes the problem (SP3). Here's an address that you can check from time to time in order to know about NT security problems: http://www.ntsecurity.net
This site addresses the Ping of death issue.

Regards,
Stephane Reffray

>Greetings,
>
>This is my first post to the Firewalls list.
I've been very impressive >with the content and professionalism here, a nice change from what's >become of the rest of the public Internet. :-) >I'm curious about blocking ping'o'death packets, too, but my question >for today regards to NT web server security. I'm looking for >suggestions (and URLs) for bulletproofing my publically accessible >NT machines. Also, I'm curious if anyone has anything good or bad to >say about Ascend's line of firewall products? >Thanks, >Jason Asbahr >jason@revenant.com From firewalls-owner Tue Apr 14 09:14:45 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id AAA28526; Tue, 14 Apr 1998 00:00:22 -0700 (PDT) Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-980202-1) id AAA28446 for firewalls@greatcircle.com; Tue, 14 Apr 1998 00:00:03 -0700 (PDT) Received: from su1.in.net (su1.in.net [199.0.62.2]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id GAA01940 for ; Fri, 10 Apr 1998 06:15:23 -0700 (PDT) Received: from frankw.in.net (pm1-30.in.net [205.160.202.62]) by su1.in.net (8.8.8/8.6.9) with SMTP id NAA18586 for ; Fri, 10 Apr 1998 13:18:30 GMT Message-Id: <3.0.5.32.19980410081945.0107dd10@in.net> X-Sender: frankw@in.net X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) X-Priority: 1 (Highest) Date: Fri, 10 Apr 1998 08:19:45 -0500 To: firewalls@GreatCircle.com From: Frank Willoughby Subject: RE: socks versus fw-1 [Part II/II] Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Part II/II Continuing from Part I/II: >>fw >Ryan fw >>o Checkpoint came out and stated that proxies were bad and >> that SMLI (pronounced "smelly" - IMHO, appropriate somehow) >> 8^) is much better than proxies. I find it interesting >> that Checkpoint uses "security servers" (which the rest of >> us mere mortals call proxies) as this is an apparent reversal >> of their previous position. 
>> If proxies were not secure as
>> Checkpoint previously indicated, then why are they
>> on the firewall now?
>
>I haven't done the necessary research to determine whether
>the security servers are more like proxies or more like SPFs,
>so I can't really comment.

I'm sorry. I was out of line on the "smelly" part. (The combination of the pronunciation of SMLI & my displeasure with Checkpoint's application of it were too much to resist). At least they realized the wisdom of the pronunciation of their SMLI acronym and now refer to it as SPF (Stateful >> Packet Filter <<) which I think is more descriptive of what it *really* is.

Anyway, I *did* do the research. One reference about security servers being proxies is contained in the NSA's report on page 56/98:

"The Checkpoint Firewall-1 firewall is equipped to perform rule base filtering based on the protocol itself with the Stateful Packet Inspection / Filtering or with a proxy which Checkpoint calls a Security Server."

>>o The only common encryption algorithm used in
>> User->Firewall & Firewall->Firewall encryption is
>> their own (PROPRIETARY) FWZ1 encryption algorithm.
>
>Uh, wrong. They support DES and whichever SKIP protocols
>you like. US only, of course.

I think you misunderstood me. The operative word in my sentence above is "common". I meant common to *both* User->Firewall *and* Firewall->Firewall VPN connections.

>>To my knowledge, the source code to FWZ1 has *not*
>>been published, nor has it been subjected to a peer
>>review of expert cryptographers. And this from a
>>company which is supposed to provide security?
>>Bah Humbug. Any beginning InfoSec Analyst knows
>>that proprietary encryption algorithms should be
>>avoided like the plague. Only encryption algorithms
>>which have been published and reviewed by expert
>>cryptographers should be used. If the algorithm
>>hasn't been published and reviewed by expert
>>cryptographers, then how do we know it is strong
>>enough & that there are no backdoors into it???
>>In the past, several companies would claim to
>>have a secure (homegrown) encryption algorithm and
>>would post a challenge to the cypherpunks mailing
>>list for someone to crack it. If they were to do
>>so, they would sell their company for $1.00.
>>2-3 days later, someone would crack the supposedly
>>unbreakable algorithm and state that the company
>>can keep their dollar.
>
>All true. That's why I have the DES version.

Bingo. If you're aware of this fundamental principle of good crypto, don't you think that Checkpoint is aware of this also? - Particularly since they designed a couple of VPN solutions into it? I'll give them the benefit of a doubt and assume this was an oversight and not deliberately designed into the product. Assuming they're smart and have no ulterior motives, they'll probably drop FWZ1. They don't need it and it destroy(s/ed) their credibility in the security arena.

Out of curiosity, why is Checkpoint being evaluated by the NSA? One requirement for entrance into the MISSI club is that the product must be integrated with FORTEZZA. FORTEZZA is a PCMCIA card with extensive authentication/encryption/signature capabilities. FWIW, I think FORTEZZA is a little ahead of its time. At some point in the next couple of years, a FORTEZZA-like product will be a standard & will probably be very widely used. Right now, it's a little expensive, and I don't think that society is willing to absorb this cost, but in large quantities, the price could come down and it would be a VERY attractive option. But I digress...

Perhaps I'm missing something, but I didn't know that Checkpoint had their own FORTEZZA solution. If this is the case, then either the NSA has dropped this requirement (hopefully not), or Checkpoint is using someone else's VPN solution. I don't know, but the secure VPN solution from V-ONE (their SmartGate VPN Server integrates on a number of vendors' firewalls) is a likely bet.

If the long chain of IFs above is accurate, I find it pretty ironic that Checkpoint has to use someone else's VPN solution to get looked at by the NSA. Speaks volumes, doesn't it?

>>o With proxies & logging enabled, it is *slower* than proxy
>>firewalls.
>
>Hasn't been my experience.

How do you know?

>>o The NSA (who is no slouch in getting crypto to work)
>>couldn't get Checkpoint's VPN crypto to work.
>
>Strange, the report I've seen (mentioned in the
>URL above) states that they were able to validate it.
>The only part that wasn't validated was IPSec, which
>FW1 doesn't do (or claim to.)

According to pages 8, 11, and 45 of the NSA's report (as follows), your statement above is incorrect.

"The vendor claims described below were selected from the product documentation, sales literature and the Check Point web site."

"Manual IPSEC: Not Validated. IPSec with the AH header did not work."

Further:

"Exchanging the keys between firewalls was not straightforward. Numerous errors were encountered with no corresponding troubleshooting procedures. Rebooting and reinstallation of either firewall had no effect. Upon the advice of the Check Point representative, the workaround to problems with key exchanges was to delete both firewall objects from the network objects list and to recreate them. This seemed to "sync" up the firewalls and the key exchanges were then successful. While this method worked, it was not optimal. For example if numerous keys had already been generated, this could be a lengthy and troublesome rebuild."

What about customers who have several hundred *thousands* of remote clients? Can you see them regenerating all of the keys? Perhaps even manually? Not likely. The first time it happened, a CIO/CTO would probably replace the firewall & use the old one as a boat anchor.
NSA's document further indicates:

"The FWZ scheme encrypts all the data between the firewalls, but does not hide which services are being used. This simply means that the FWZ scheme does not support a "tunneling" mode in which the services are encapsulated within an encrypted IP packet. Knowing which services are being used between firewalls enables an attacker to perform traffic analysis and gives a starting point for choosing a particular service to attack."

>>o Checkpoint's lack of support in notifying their
>> customers about the vulnerability that Secure
>> Networks posted.
>>o Checkpoint's denial that the problem even exists (as visible in their note in the Computer Security Institute's Alert newsletter).
>
>I don't know the story here, so I can't comment.

I do. Without exception, none of the companies I talked to (who had the Firewall-1) were aware of the SNMP problem until I told them.

Out of curiosity, how did you find out about the SNMP problem? Through a friendly call or e-mail from Checkpoint, their hidden VAR/Reseller pages, or Bugtraq?

>>The above are a few, but how many security problems
>>does a firewall have to have before it is ultimately
>>rejected? You have to remember, we are talking about
>>a security product, not what type of car to buy. It
>>should be evaluated primarily from a security point-
>>of-view (it is, after all, a security product). It
>>doesn't rate a high rating in my book or that of other
>>Information Security Officers I have talked to. But
>>hey, what do we know? We're only Information Security
>>Officers - not Checkpoint marketing dweebs.
>
>I dunno, how many basic facts does a security consultant
>have to be wrong about before he's ultimately rejected?

I don't know, but you're not doing very well so far.

I wasn't planning on getting into this, but your statement above forces my hand. In my case, I'm an Information Security Officer (ISO) with over 8 years experience as a corporate ISO. While I was there, we achieved the highest level of security of any country in the world (120,000 employees, 100K systems) month-after-month for a couple of years - that continued after I left. I seem to have a (verifiable) knack of making security work well with business & turning security into a competitive advantage. I am not a "security consultant" who lacks "real-world" experience. If you want one, the phone book is full of them. Just hand us the clean-up work. If you need eye surgery, would you rather go to one who has successfully performed eye surgery hundreds of times - or a pre-med student who has taken a couple of courses and read a few books on the subject? The choice is yours.

And your "real-world" experience is ...?

>>I would recommend that the audience at large do their
>>*own* research and come to their own conclusions.
>>'Nuff said.
>
>Always a good idea. I try to help by keeping people
>from saying things that just aren't true for the products
>that I'm familiar with.

Truth is relative. I prefer the facts. I'll draw my own conclusions, thank you.

Look, no firewall is perfect. I'll always find at *least* a handful of benign security problems with any vendor's application-gateway type of firewall and many more (mostly very serious ones) with a packet filter type of firewall - no matter how well they are configured. Some problems are security vulnerabilities and some are engineering design flaws.

FWIW, I think Checkpoint's attempts to market stateful inspection as the firewall cure-all are doomed to failure. People are smarter now and they resent being led down the garden path. They're no longer buying into every bit of marketing hype that comes along. The stakes are too high. They can't afford to make a less-than-secure choice. They are *literally* betting their company on their choice of a firewall. They are (finally) taking the time to do the research themselves and to make intelligent, informed choices. It's a good start. I hope the trend continues.

May the (right) firewall be with you. 8^)

Best Regards,

Frank

The opinions of the author of this mail may not necessarily be representative of the opinions of Fortified Networks, Inc.

(c) Fortified Networks, Inc. - http://www.fortified.com/
Home of the Free Internet Firewall Evaluation Checklist
Expert (vendor-neutral) Computer and Network Security Solutions
Phone: (317) 573-0800 Fax: (317) 573-0817

From firewalls-owner Tue Apr 14 11:02:26 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA05141; Tue, 14 Apr 1998 05:44:06 -0700 (PDT)
Received: from mail.state.fl.us (mail.state.fl.us [204.90.27.7]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id FAA05122 for ; Tue, 14 Apr 1998 05:43:58 -0700 (PDT)
Received: from booksr [199.250.24.56] by mail.state.fl.us with smtp (Exim 1.73 #2) id 0yP5AH-0006KB-00; Tue, 14 Apr 1998 08:50:17 -0400
Date: Tue, 14 Apr 1998 08:45:04 -0400 (EDT)
From: Roger Books
Reply-To: Roger Books
Subject: Re: [FW1] SNMP agent
To: firewalls@GreatCircle.COM
In-Reply-To: <3.0.5.32.19980413173555.00c37580@dreamwvr.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Last time i checked it did SNMP in the clear which is real uncool
> and this was about 6 months ago according to my best knowledge of
> this week;') it has not changed this way. The concept is sound and
> is quite a time saver and such but the security of the protocol sucks:'<
> Enough said.

I haven't seen an implementation of SNMP that isn't in the clear. In theory there is authentication/encryption in SNMPv2, however, in reality nobody wants to spend the CPU time to do the encryption. So, as far as I can tell, all SNMP traffic goes across in the clear, including such things as community strings.

Makes you think when considering an SNMP manageable firewall, doesn't it?
Roger

From firewalls-owner Tue Apr 14 12:31:44 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA21765; Tue, 14 Apr 1998 07:37:33 -0700 (PDT)
Received: from antiochus-fe0.ultra.net (antiochus-fe0.ultra.net [146.115.8.188]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id HAA19542 for ; Tue, 14 Apr 1998 07:21:03 -0700 (PDT)
Received: from LFORMUS ([146.115.60.90]) by antiochus-fe0.ultra.net (8.8.8/ult.n14767) with SMTP id KAA18814 for ; Tue, 14 Apr 1998 10:27:13 -0400 (EDT)
Received: by LFORMUS with Microsoft Mail id <01BD6790.2ADE5F90@LFORMUS>; Tue, 14 Apr 1998 10:29:12 -0400
Message-ID: <01BD6790.2ADE5F90@LFORMUS>
From: "Lisa B. Formus"
To: "'firewalls@GreatCircle.Com'"
Subject: Cisco Firewall Feature Set
Date: Tue, 14 Apr 1998 10:29:11 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello everyone-

Has anyone had any issues/problems/good things heard or bad about Cisco's Firewall feature set?

Regards,
Lisa B. Formus - :) - lformus@baystate.com

* * * * * * * * * * * * * * * * * * *
CADKEY ... The Best Choice for Everyday Mechanical Design
* * * * * * * * * * * * * * * * * * *
www.cadkey.com

From firewalls-owner Tue Apr 14 12:49:54 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA07763; Tue, 14 Apr 1998 06:05:22 -0700 (PDT)
Received: from carmen.broder.com (carmen.broder.com [207.77.64.2]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id GAA07748 for ; Tue, 14 Apr 1998 06:05:16 -0700 (PDT)
Received: (from uucp@localhost) by carmen.broder.com (8.8.8/8.7.3) id GAA09209 for ; Tue, 14 Apr 1998 06:11:43 -0700 (PDT)
Received: from pillbox.broder.com(10.10.13.58) by carmen.broder.com via smap (V2.0) id xma009207; Tue, 14 Apr 98 06:11:34 -0700
Date: Tue, 14 Apr 1998 06:11:34 -0700 (PDT)
From: blast
To: firewalls@greatcircle.com
Subject: Re: Livingston's IRX211 firewall router
In-Reply-To: <19980414040305.7247.qmail@cass.research.canon.com.au>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 14 Apr 1998, Andrew Raphael wrote:

> >Apart from network address translation what are the other performance
> >benefits that you see in a Cisco PIX over the IRX211?
>
> I've never used a Cisco PIX, so I can't say.
>
> The IRX211 has all the performance I've needed for what I use them for,
> which is a 2 Ethernet filtering router between my firewall bastion and
> my interior network. I did use it as an exterior router, but changed
> to a Cisco 4000M because I needed 2 Ethernet and BRI. If I upgrade to
> Frame Relay, I'll probably swap the Cisco 4000M and the IRX211.

On that note, if anyone is interested in buying one of these IRX-211's used, please email me. I have a few that I am not using in production and would like to sell.

Thanks,
Tim Keanini

From firewalls-owner Tue Apr 14 12:55:44 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA04957; Tue, 14 Apr 1998 08:43:15 -0700 (PDT)
Received: from Farstar.secapl.com (qs-alt.secapl.com [192.131.69.9]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id IAA04944 for ; Tue, 14 Apr 1998 08:43:01 -0700 (PDT)
Received: from Cookie.secapl.com (cookie.secapl.com [192.108.247.19]) by Farstar.secapl.com (8.8.7/8.8.7) with SMTP id KAA75886; Tue, 14 Apr 1998 10:42:58 -0500
Received: from Fozzie.secapl.com by Cookie.secapl.com (AIX 3.2/UCB 5.64/4.03) id AA98579; Tue, 14 Apr 1998 10:42:48 -0500
Received: from localhost (tony@localhost) by fozzie.secapl.com (8.8.6/8.8.6) with ESMTP id LAA11932; Tue, 14 Apr 1998 11:42:42 -0400
X-Authentication-Warning: fozzie.secapl.com: tony owned process doing -bs
Date: Tue, 14 Apr 1998 11:42:40 -0400 (EDT)
From: Tony Iannotti
To: "Berchtold Patrick (GIAPBE)"
Cc: "'Taufik Islam'" , "Firewalls Mailing List (E-Mail)"
Subject: Re: AW: Sniffer
In-Reply-To:
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=ISO-8859-1
Content-Transfer-Encoding: 8BIT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 31 Mar 1998, Berchtold Patrick (GIAPBE) wrote:

> The most powerful monitor I know is Sniffer (former NetXRay) from
> Network Associates. It is easily scalable for your specific needs. See
> http://www.nai.com/ for more.

As I understand it, the NetXRay product is still called NetXRay, the Sniffer product is a different (more powerful, but needs their proprietary laptop, actually a re-worked Toshiba, I think) product.

> Another monitor I once heard about is NetAnt from People Network. See
> http://www.people-network.com/netant.htm for info.
>
> But if you have a Linux box at hand I would rather use tcpdump than
> those above. It's powerful, easy to use and free.
>
> Patrick
>
> > -----Original Message-----
> > From: Taufik Islam [SMTP:Tislam@acaonline.org]
> > Sent: Friday, 27 March 1998 23:21
> > To: Firewalls@GreatCircle.COM
> > Subject: Sniffer
> >
> > Is there a good Packet sniffer that runs on NT 4.0?
> > Please help me with any information you may have
> > Thanks
> >
> > If you know of any good packet sniffer for UNIX please let me know
> > also.
> >
> > Taufik Islam
> > Network Engineer, ACA
>

From firewalls-owner Tue Apr 14 14:44:06 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA07925; Tue, 14 Apr 1998 06:06:33 -0700 (PDT)
Received: from interlock.reston.ans.net (interlock.reston.ans.net [192.77.167.2]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id GAA07836 for ; Tue, 14 Apr 1998 06:05:58 -0700 (PDT)
Received: by interlock.reston.ans.net id AA09745 (InterLock SMTP Gateway 4.1 for firewalls@greatcircle.com); Tue, 14 Apr 1998 09:12:24 -0400
Message-Id: <199804141312.AA09745@interlock.reston.ans.net>
Received: by interlock.reston.ans.net (Internal Mail Agent-1); Tue, 14 Apr 1998 09:12:24 -0400
Date: Tue, 14 Apr 1998 09:11:57 -0400
From: Paul Sangster
To: Gary Mills
Cc: "firewalls@GreatCircle.COM"
Subject: Re: SNMP agent
References:
Mime-Version: 1.0
Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg=pgp-md5; boundary=MoZhcV1D07fIPgaa
X-Mailer: Mutt 0.84
In-Reply-To: ; from Gary Mills on Mon, Apr 13, 1998 at 03:12:54PM -0700
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

--MoZhcV1D07fIPgaa
Content-Type: text/plain; charset=us-ascii

Gary,

SNMP is a dangerous protocol to have accessible on the public network unless you have some assurance that the traffic can't be sniffed. You're probably aware of its many vulnerabilities (cleartext community strings, many people never change their default community strings, UDP-based...)

We offer a "secure SNMP" offering based on a firewallized (modified) version of SNMP Research's extensible agent architecture for our InterLock firewall. This agent supports SNMPv2* which is encrypted/authenticated SNMP. The next problem is getting the management station to speak SNMPv2*. SNMP Research has an add-on module for OpenView to convert SNMPv1 and v2 to v2*.

The SNMPv2* protocol was one of the secure SNMP proposals for SNMPv2 (so it's not just some proprietary protocol). Unfortunately the battles over how to secure SNMP were too great for the IETF process, so SNMPv2 was left with no additional security. SNMPv3 looks more promising to have some security, but in the meantime this is something you can do to address your question until v3 stabilizes and products ship.

SNMP is really a handy protocol particularly if it can be done securely. The InterLock has support for several MIBs including HR-MIB (processes, disk, filesystems...), MIB-II (tcp/ip, interface stats) and a WWW MIB which includes lots of neat WWW performance information as well as load.

You probably also want to lock down where traps can originate, as OpenView could be DOSed by trap storms if you're not careful. This could probably be limited if your servers are on a 3rd leg of your firewall and tight security policies are applied controlling the trap UDP packets.

Paul

On Mon, Apr 13, 1998 at 03:12:54PM -0700, Gary Mills wrote:
> I was asked to look into security issues with HPopenview SNMP Agent.
> Does any one have any experience or advice on any known problems with
> installing this agent on DMZ systems such as
> mail, web, ftp, firewall, etc... The idea is to monitor activity on these
> external system and send traps to the internal Hpopenview system. I am not
> sure of the security of the agent or the daemons it may start.
>
> Gary Mills
> gary.mills@experian.com
>

--
_______________________________________________________________________
Paul Sangster                          ANS Communications
Senior Software Engineer               1875 Campus Commons Dr.
sangster@reston.ans.net                Suite 220, Reston VA 22091
http://www.ans.net/InterLock
_______________________________________________________________________

--MoZhcV1D07fIPgaa
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQB1AwUBNTNgnQrwW0NaS5JJAQHHfgMAxoUkVPeE3Tc1YZkOLYvatDctd/PvlMg0
jfCfDCv43IunWG2FpwsvnSQd01cZ1EQhnGfUKn+PtnkeOMYQiCVmXOjd3ZNuSuGG
he7u8zwXvboTccj7ASETNf7a9hMYowoG
=PDBC
-----END PGP SIGNATURE-----

--MoZhcV1D07fIPgaa--

From firewalls-owner Tue Apr 14 17:00:44 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA13891; Tue, 14 Apr 1998 12:21:01 -0700 (PDT)
Received: from pioneer.state.nd.us (pioneer.state.nd.us [165.234.92.38]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id MAA13756 for ; Tue, 14 Apr 1998 12:20:31 -0700 (PDT)
Received: from techsrvc (techsrvc.isd.state.nd.us [165.234.100.185]) by pioneer.state.nd.us (AIX4.2/UCB 8.7/8.7) with SMTP id OAA44362; Tue, 14 Apr 1998 14:21:46 -0500 (CDT)
Message-Id: <199804141921.OAA44362@pioneer.state.nd.us>
From: "Jeff Carr"
To: firewalls@GreatCircle.COM ('firewalls@greatcircle.com'), Rick_McMaster@freddiemac.com (McMaster, Rick)
Date: Tue, 14 Apr 1998 14:21:15 +0000
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: TFTP with Raptor
In-reply-to: <1998Apr07.091554.1065.1680159@msmail.freddiemac.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From: Rick_McMaster@freddiemac.com (McMaster, Rick)
>
> Does anyone have any information on how to set up TFTP with a Raptor
> firewall?
>
> Thanks
>
> Rick
>

Why would you want to?
Jeff

From firewalls-owner Tue Apr 14 17:13:18 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA10916; Tue, 14 Apr 1998 09:32:48 -0700 (PDT)
Received: from lewis.mantech.com. (lewis.mantech.com [206.65.236.32]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id JAA10844 for ; Tue, 14 Apr 1998 09:32:29 -0700 (PDT)
Received: from aruba.mantech.com ([206.65.236.182]) by lewis.mantech.com. (8.8.8/8.8.7) with SMTP id MAA01353 for ; Tue, 14 Apr 1998 12:34:09 -0400 (EDT)
Message-Id: <3.0.3.32.19980414123348.006a1c00@corp-02.mantech.com>
X-Sender: david.lane@corp-02.mantech.com (Unverified)
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Tue, 14 Apr 1998 12:33:48 -0400
To: firewalls@greatcircle.com
From: "David A. Lane"
Subject: Ethernet Address Mfg
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Greetings,

Someone is trying to make a mess of my system and I have managed to catch the "MAC" address, but I cannot seem to correlate it to a vendor. I have pulled the IANA Ether Types list, but it does not seem to appear. Anybody have a lead on 00e0.1E9F.16DB?

Thanks,

DAVID

David A. Lane, CNE
Technical Director
ManTech International Corp.
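[Added example, not part of David Lane's post.] The lookup David describes hinges on two things a quick script can do for an incident responder: normalize the address out of whatever notation the device logged it in (Cisco dotted `00e0.1E9F.16DB`, colon, dash or bare hex) and pull out the first three octets, the OUI that the IEEE registration registry keys vendor assignments on. The same first octet also carries two bits worth checking before chasing a vendor at all: the I/G bit (multicast) and the U/L bit (locally administered), since a locally administered address was set by software and has no manufacturer behind it. The vendor table below is a constructed placeholder with no real assignment in it; populate it from the IEEE OUI list.

```python
"""Normalize a MAC address and extract the fields a defender cares about."""
import re

# Constructed placeholder table keyed on the OUI (first three octets).
# The single entry is NOT a real assignment; load the IEEE OUI list here.
VENDOR_TABLE = {
    "00-00-00": "EXAMPLE-VENDOR (placeholder entry)",
}

_SEPARATORS = re.compile(r"[^0-9A-Fa-f:.\-\s]")


def normalize_mac(text):
    """Return the 6 raw bytes of a MAC given in any common notation."""
    if _SEPARATORS.search(text):
        raise ValueError(f"unexpected characters in MAC address: {text!r}")
    digits = re.sub(r"[^0-9A-Fa-f]", "", text)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)


def oui_of(mac):
    """OUI in the IEEE registry's hyphenated upper-case form."""
    return "-".join(f"{b:02X}" for b in mac[:3])


def describe_mac(text, vendor_table=VENDOR_TABLE):
    """Canonical form, OUI, vendor hint and the two flag bits of octet 0."""
    mac = normalize_mac(text)
    first = mac[0]
    oui = oui_of(mac)
    locally_administered = bool(first & 0x02)   # U/L bit: set => no vendor
    if locally_administered:
        vendor = "n/a: locally administered, OUI is not a vendor assignment"
    else:
        vendor = vendor_table.get(oui, "unknown OUI (not in local table)")
    return {
        "canonical": ":".join(f"{b:02x}" for b in mac),
        "oui": oui,
        "vendor": vendor,
        "multicast": bool(first & 0x01),          # I/G bit
        "locally_administered": locally_administered,
    }


if __name__ == "__main__":
    # The address from the post, in Cisco's dotted notation.
    print(describe_mac("00e0.1E9F.16DB"))
    # Constructed locally administered address for comparison.
    print(describe_mac("02:00:5e:00:00:01"))
```

For the address in the post the OUI comes out as `00-E0-1E` with both flag bits clear, so it is a globally unique, vendor-assigned address and the registry lookup is meaningful; a hit on the U/L bit would instead point at a spoofed or virtual interface.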
dlane@mantech.com
+1.703.218.6367

From firewalls-owner Tue Apr 14 18:39:36 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA11586; Tue, 14 Apr 1998 12:08:50 -0700 (PDT)
Received: from raven.axent.com ([205.159.112.243]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id MAA11442 for ; Tue, 14 Apr 1998 12:08:18 -0700 (PDT)
Received: by raven.axent.com with Internet Mail Service (5.0.1458.49) id <2R505JXX>; Tue, 14 Apr 1998 13:12:13 -0600
Message-ID:
From: Darin Fisher
To: "'Rick_McMaster@freddiemac.com'" , firewalls@GreatCircle.COM
Subject: RE: TFTP with Raptor
Date: Tue, 14 Apr 1998 13:12:11 -0600
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1458.49)
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Why would you want to open that security hole on your firewall?

darin
-----------
ICQ: 1287849
-----------
#include "In order to succeed, one must pay attention" - Matt Olson

-----Original Message-----
From: Rick_McMaster@freddiemac.com [mailto:Rick_McMaster@freddiemac.com]
Sent: Tuesday, April 07, 1998 7:21 AM
To: firewalls@GreatCircle.COM
Subject: TFTP with Raptor

Does anyone have any information on how to set up TFTP with a Raptor firewall?

Thanks

Rick

From firewalls-owner Tue Apr 14 18:52:16 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA12580; Tue, 14 Apr 1998 09:42:16 -0700 (PDT)
Received: from relay.rv.tis.com (relay.rv.tis.com [204.254.155.2]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id JAA12560 for ; Tue, 14 Apr 1998 09:42:05 -0700 (PDT)
Received: by relay.rv.tis.com; id MAA21274; Tue, 14 Apr 1998 12:36:58 -0400 (EDT)
Received: from rubicon.rv.tis.com(10.0.1.144) by relay.rv.tis.com via smap (4.1) id xma021259; Tue, 14 Apr 98 12:36:55 -0400
Received: from ekoko.va.tis.com (ekoko.va.tis.com [192.168.10.70]) by rubicon.rv.tis.com (8.8.5/8.7.3) with SMTP id MAA06907; Tue, 14 Apr 1998 12:39:29 -0400 (EDT)
Message-Id: <3.0.1.32.19980414123644.0280a694@pop.rv.tis.com>
X-Sender: eroraha@pop.rv.tis.com
X-Mailer: Windows Eudora Pro Version 3.0.1 (32)
Date: Tue, 14 Apr 1998 12:36:44 -0400
To: Sid Shapiro
From: Inno Eroraha
Subject: Re: gauntlet - problems with http-proxy after upgrading to 4.1
Cc: firewalls@GreatCircle.COM
In-Reply-To: <199804132143.OAA12436@peach.westaff.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

It's always a good idea to be FULLY-patched at all times ;) You may want to download the latest patches of 4.1, there is at least one for http-gw. http://www.tis.com/support has some info.

Thanks.

-0-
inno

>Hello,
>
>I just upgraded gauntlet from 3.2 to 4.1 on Friday, running bsdi
>3.0.
>
>I am now having trouble with the http proxy. General access works just
>fine, but long URLs including "special characters" are failing - for
>example, I can no longer use any of the investor/stock quote URLs that
>I have saved because they have "%" and "&" characters in the URL, nor
>can I use yahoo's mapping service because it constructs a URL with
>embedded "special characters" in it.
>
>Did I miss something in the release notes? Could anyone point me to
>something I've missed - or has anyone run across this and solved it?
>
>Thanks,
>--
>Sid Shapiro (510) 952-2557
>Western Staff Services sshapiro@westaff.com
>
>------- End of Forwarded Message
>
>

From firewalls-owner Tue Apr 14 19:44:25 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA07685; Tue, 14 Apr 1998 09:07:56 -0700 (PDT)
Received: from cerberus.westaff.com (cerberus.westaff.com [205.143.175.3]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id JAA07602 for ; Tue, 14 Apr 1998 09:07:33 -0700 (PDT)
Received: by cerberus.westaff.com; id JAA03131; Tue, 14 Apr 1998 09:18:09 -0700 (PDT)
Received: from peach.westaff.com(205.143.168.24) by cerberus.westaff.com via smap (4.1) id xma003095; Tue, 14 Apr 98 09:17:19 -0700
Received: from peach.westaff.com (sshapiro@localhost [127.0.0.1]) by peach.westaff.com (8.6.9/8.6.9) with ESMTP id JAA25822 for ; Tue, 14 Apr 1998 09:06:27 -0700
Message-Id: <199804141606.JAA25822@peach.westaff.com>
To: firewalls@greatcircle.com
Subject: Summary - problems with http-proxy after upgrading to 4.1
Date: Tue, 14 Apr 1998 09:06:26 -0700
From: Sid Shapiro
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Problem was:

> I just upgraded to 4.1 on Friday, running bsdi 3.0.
> I am now having trouble with the http proxy. General access works
> just fine, but long url's including "special characters" are failing
> - for example, I can no longer use any of the investor/stock quote
> urls that I have saved because they have "%" and "&" characters in
> the url, nor can I use yahoo's mapping service because it constructs
> a url with embedded "special characters" in it.

The answer was apply the patch GFW41.2 which is in the tis ftp page.

Thanks to
Meenoo Shivdasani
Ricardo de La Fuente
Christopher Michael
for the answer.
Thanks everyone, -- Sid Shapiro (510) 952-2557 Western Staff Services sshapiro@westaff.com From firewalls-owner Tue Apr 14 19:44:28 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA04955; Tue, 14 Apr 1998 11:37:45 -0700 (PDT) Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-980202-1) id LAA04906 for firewalls@greatcircle.com; Tue, 14 Apr 1998 11:37:35 -0700 (PDT) Received: from inergen.sybase.com (inergen.sybase.com [192.138.151.43]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id JAA17322 for ; Mon, 13 Apr 1998 09:57:02 -0700 (PDT) Received: from smtp1.sybase.com (sybgate.sybase.com [130.214.220.35]) by inergen.sybase.com (8.8.4/8.8.4) with SMTP id KAA12839; Mon, 13 Apr 1998 10:05:04 -0700 (PDT) Received: from gwwest.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) id AA19610; Mon, 13 Apr 98 10:03:17 PDT Received: by gwwest.sybase.com(Lotus SMTP MTA v4.6.1 (569.2 2-6-1998)) id 882565E5.005DACD4 ; Mon, 13 Apr 1998 10:03:10 -0700 X-Lotus-Fromdomain: SYBASENOTES From: "Ryan Russell" To: Frank Willoughby Cc: firewalls@GreatCircle.COM Message-Id: <882565E5.005C3EDA.00@gwwest.sybase.com> Date: Mon, 13 Apr 1998 10:02:34 -0700 Subject: RE: socks versus fw-1 [Part IIa/II] Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Part IIa/II Received at 4:35 a.m. 4/11/98 Pacific time. >Continuing from Part I/II: >Anyway, I *did* do the research. One reference about security >servers being proxies is contained in the NSA's report on page 56/98: > > "The Checkpoint Firewall-1 firewall is equipped > to perform rule base filtering based on the protocol > itself with the Stateful Packet Inspection / Filtering > or with a proxy which Checkpoint calls a Security Server." This doesn't indicate that they've done any code analysis to determine how they work. 
I was trying to bring up the fact that they might not be as much like traditional proxies (Albeit transparent ones) as one might assume. Since the question has come up before about Checkpoint's programming practices, this might not be in their favor. >>Uh, wrong. They support DES and whichever SKIP protocols >>you like. US only, of course. >I think you misunderstood me. The operative word in my sentence >above is "common". I meant common to *both* User->Firewall *AND* >Firewall->Firewall VPN connections. I've only done VPN with FW1, using both FWZ1 and DES. Haven't personally done FW1->FW1. I've spoken/mailed others who have done FW1->FW1 with SKIP. Which one are you claiming doesn't work? >>All true. That's why I have the DES version. >Bingo. If you're aware of this fundamental principle of good >crypto, don't you think that Checkpoint is aware of this also? >- Particularly since they designed a couple of VPN solutions >into it? I'll give them the benefit of a doubt and assume >this was an oversight and not deliberately designed into the >product. Assuming they're smart and have no ulterior motives, >they'll probably drop FWZ1. They don't need it and it >destroy(s/ed) their credibility in the security arena. My understanding is that they "need" it for US export.. that's their marketing anyway. I'd rather see them apply for 56bit DES export and dump FWZ1. Since they are an Israel-based company, I'm not sure why the export problem, perhaps they do too much coding in the US. Perhaps that affects their export application. I don't know what the Israel export restrictions are, if any. >Out of curiosity, why is Checkpoint being evaluated by the NSA? >One requirement for entrance into the MISSI club is that the >product must be integrated with FORTEZZA. FORTEZZA is a >PCMCIA card with extensive authentication/encryption/signature >capabilities. FWIW, I think FORTEZZA is a little ahead of >its time. 
> At some point in the next couple of years, a
> FORTEZZA-like product will be a standard & will probably
> be very widely used. Right now, it's a little expensive,
> and I don't think that society is willing to absorb this
> cost, but in large quantities, the price could come down
> and it would be a VERY attractive option. But I digress...
>
> Perhaps I'm missing something, but I didn't know that
> Checkpoint had their own FORTEZZA solution. If this is
> the case, then either the NSA has dropped this requirement
> (hopefully not), or Checkpoint is using someone else's VPN
> solution. I don't know, but the secure VPN solution from
> V-ONE (their SmartGate VPN Server integrates on a number
> of vendor's firewalls) is a likely bet.

I don't know anything about any FORTEZZA plans. I'd just as soon do without it, thanks.

> If the long chain of IFs above is accurate, I find it pretty
> ironic that Checkpoint has to use someone else's VPN solution
> to get looked at by the NSA. Speaks volumes, doesn't it?

Well, as you say, many IFs. But still, I wouldn't mind having a choice of VPN clients. The Checkpoint client has a couple of features missing that make it not usable for me.
> Best Regards,
>
> Frank

Ryan

Message-Id: <3.0.5.32.19980411063541.01098740@in.net>
Date: Sat, 11 Apr 1998 06:35:41 -0500
To: firewalls@GreatCircle.COM
From: Frank Willoughby
Subject: RE: socks versus fw-1 [Part IIa/II]

From firewalls-owner Tue Apr 14 19:49:36 1998
From: "Ryan Russell"
To: Frank Willoughby
Cc: Steve Birnbaum, firewalls@GreatCircle.COM
Message-Id: <882565E5.006D7894.00@gwwest.sybase.com>
Date: Mon, 13 Apr 1998 12:59:44 -0700
Subject: Re: socks versus fw-1 [Part IIb/II]

It wasn't so much a refusal on Checkpoint's part... If you think about it, the fact that they sell through VARs exclusively means that they don't have customer lists, they have VAR lists. If you don't like companies selling through VARs, that's fine. That criticism might be quite appropriate given just such an occasion. You should imply that they refused to notify people though. They didn't have the opportunity whether they wanted to or not. Conveniently for them, they did exactly as they should have, notified the VARs and put something on the web site.

Ryan

Frank Willoughby on 04/13/98 08:57:27 AM
To: Steve Birnbaum
cc: firewalls@GreatCircle.COM (bcc: Ryan Russell/SYBASE)
Subject: Re: socks versus fw-1 [Part IIb/II]

At 11:42 AM 4/12/98 +0300, Steve Birnbaum allegedly wrote:
> frankw@in.net said:
>> I do. Without exception, *none* of the companies I talked to (who had
>> the Firewall-1), were aware of the SNMP problem until I told them.
>
> I believe that Checkpoint's policy of dealing with VARs only is what
> led them to refuse to send out a vendor notice directly to all
> their customers.

It was requested, but denied. This puts the customer at the mercy of the VAR. On this alone, I would drop the vendor like a hot potato. SNAFUs happen, people get sick or go on vacation. Security is too important for this type of info to be disclosed to a VAR only (or locally handled). Further, this type of approach puts their customers at risk.

From what I can remember of the other vendors I have researched, none of the serious vendors take the approach of letting the VAR (only) inform the customer of vulnerabilities. Many will inform the customer - even if they no longer have a maintenance contract - simply because they feel they have an obligation to help the customer avoid security problems. I can't fathom why Checkpoint chose the approach of informing VARs only. I think it is irresponsible and shows surprisingly little security acumen.

> VARs receive release notes with every patch, and in addition I believe
> that all VARs in this case received a copy of Checkpoint's official
> response to the SNI advisory which was posted to Checkpoint's web site.

So every customer needs to visit Checkpoint's web site. IF they are lucky AND Checkpoint has decided to make an exception to post an advisory on their home page, THEN they might find something useful. Otherwise, they are out of luck. IMO, any notifications should come from the vendor and require no actions from the customer to be notified (other than filling out the registration card for their product).

> At least the advisory prompted Checkpoint to make the non-DES versions
> of the patch available to the public, not requiring them to go through
> their VAR to get it as must be done for all other patches.

While customers using DES versions weren't informed.

> I still fail to see why SNMP is required for the administration of
> the firewall.
> There is a management protocol - why can't things like
> the configuration of the NICs be transferred that way? When using FW1 with
> a DES or FWZ1 license, this data is encrypted. Even without the license,
> at least it is a proprietary TCP protocol, not UDP.

You mentioned two points in the above paragraph & the common denominator is proprietary. Proprietary encryption is very bad news as I've indicated in my previous mail. Proprietary TCP protocols are as well. Hopefully, they aren't relying on this for security.

Best Regards,

Frank

The opinions of the author of this mail may not necessarily be representative of the opinions of Fortified Networks, Inc.
(c) Fortified Networks, Inc. - http://www.fortified.com/
Home of the Free Internet Firewall Evaluation Checklist
Expert (vendor-neutral) Computer and Network Security Solutions
Phone: (317) 573-0800 Fax: (317) 573-0817

Message-Id: <3.0.5.32.19980413105727.00ba6340@in.net>
Date: Mon, 13 Apr 1998 10:57:27 -0500
To: Steve Birnbaum
From: Frank Willoughby
Subject: Re: socks versus fw-1 [Part IIb/II]
Cc: firewalls@GreatCircle.COM
In-Reply-To: <19980412084233.7940.qmail@softworx.netvision.net.il>

From firewalls-owner Tue Apr 14 20:46:06 1998
From: "Ryan Russell"
To: Frank Willoughby
Cc: firewalls@GreatCircle.COM
Message-Id: <882565E5.005DF26D.00@gwwest.sybase.com>
Date: Mon, 13 Apr 1998 12:27:20 -0700
Subject: RE: socks versus fw-1 [Part IIb/II]

> Part IIb / II
> This is message IIb. Hopefully, this one will get through.
> In any event,
> it seems that to me, this is a classic case of "IIb or NOT IIb - that is
> the question". 8^) 8^) 8^)

Boo!

Received at 4:36 a.m. 4/11/98, Pacific time.

>>> o With proxies & logging enabled, it is *slower* than proxy
>>> firewalls.

>> Hasn't been my experience.
>
> How do you know?

Ran a socks proxy for a long time. Heck, FW1 even kicks butt compared to the Cisco access-lists I had in place at one point, on a 7010 with RP/SSP cards. It wasn't any kind of controlled experiment, so the results don't necessarily match what everyone else will get.

>> Strange, the report I've seen (mentioned in the
>> URL above) states that they were able to validate it.
>> The only part that wasn't validated was IPSec, which
>> FW1 doesn't do (or claim to.)

> According to pages 8, 11, and 45 of the NSA's report
> (as follows), your statement above is incorrect.
>
>   "The vendor claims described below were selected from
>   the product documentation, sales literature and the
>   Check Point web site."
>
>   "Manual IPSEC: Not Validated.
>   IPSec with the AH header did not work."

My statement above is incorrect. I checked the docs, and they do claim to support IPSec.

> Further:
>
>   "Exchanging the keys between firewalls was not
>   straightforward. Numerous errors were encountered
>   with no corresponding troubleshooting procedures.
>   Rebooting and reinstallation of either firewall
>   had no effect. Upon the advice of the Check Point
>   representative, the workaround to problems with
>   key exchanges was to delete both firewall objects
>   from the network objects list and to recreate them.
>   This seemed to "sync" up the firewalls and the key
>   exchanges were then successful. While this method
>   worked, it was not optimal. For example if numerous
>   keys had already been generated, this could be a
>   lengthy and troublesome rebuild."

> What about customers who have several hundred *thousands*
> of remote clients. Can you see them regenerating all of
> the keys? Perhaps even manually? Not likely. The first
> time it happened, a CIO/CTO would probably replace the
> firewall & use the old one as a boat anchor.

This is a fair criticism. That procedure could be much easier. I think you're extending the difficulties of exchanging keys between gateways to exchanging keys to VPN users, though. I had no difficulty getting keys to VPN users, and I don't think that's what the report is referring to.

> NSA's document further indicates:
>
>   "The FWZ scheme encrypts all the data between
>   the firewalls, but does not hide which services
>   are being used. This simply means that the FWZ
>   scheme does not support a "tunneling" mode in
>   which the services are encapsulated within an
>   encrypted IP packet. Knowing which services are
>   being used between firewalls enables an attacker
>   to perform traffic analysis and gives a starting
>   point for choosing a particular service to attack."

Tunnelling wasn't supported in the version they tested; it is now. You can do it either way.

> I do. Without exception, *none* of the companies I talked
> to (who had the Firewall-1), were aware of the SNMP problem
> until I told them.
>
> Out of curiosity, how did you find out about the SNMP
> problem? Through a friendly call or e-mail from
> Checkpoint, their hidden VAR/Reseller pages, or Bugtraq?

Bugtraq and the FW1 mailing list that Checkpoint hosts. They posted a mail about how to work around it, but I'm not aware of any kind of notification from them.

>>> The above are a few, but how many security problems
>>> does a firewall have to have before it is ultimately
>>> rejected. You have to remember, we are talking about
>>> a security product, not what type of car to buy. It
>>> should be evaluated primarily from a security point-
>>> of-view (it is, after all, a security product). It
>>> doesn't rate a high rating in my book or that of other
>>> Information Security Officers I have talked to. But
>>> hey, what do we know? We're only Information Security
>>> Officers - not Checkpoint marketing dweebs.
>>
>> I dunno, how many basic facts does a security consultant
>> have to be wrong about before he's ultimately rejected?

> I don't know, but you're not doing very well so far.
> It appears that your last sentence above was supposed to be a
> personal affront to me. I wasn't planning on getting into this,
> but I have no problems defending myself. I thought you knew my
> background, but I'll refresh your memory just in case.
>
> In my case, I'm an Information Security Officer (ISO) with over
> 8 years experience as a corporate ISO and @ 15-20 years additional
> security experience (nukes, intelligence, DoD contracting, Advanced
> Research Projects, etc.).
>
> My first job as a full-time ISO was working for Digital Equipment
> GmbH (DEC's German subsidiary) where I managed the InfoSec Operations
> for the entire country. While there, we achieved the highest level
> of security of any country in the world (in a global network of
> 120,000 employees, 100K systems) month-after-month for a couple of
> years - that continued even after I left. I don't know why, but I
> seem to have a (verifiable) knack of making security work well with
> business & turning security into a competitive advantage. BTW, all
> of the above is verifiable.

> I am NOT a "security consultant" who lacks "real-world" experience.
> If you want one, the phone book is full of them. Just hand us the
> clean-up work.

> And your "real-world" experience in securing corporations as an ISO
> is ...?

Didn't claim to have any. Your qualifications are impressive, but that isn't a safeguard against being wrong occasionally. I assume that your information regarding FW1 is from the evaluation under discussion, and a review of some sort that you've done? That won't necessarily give you better information than someone who uses it daily over a few years. It won't keep you informed about what improvements have been made in later releases.

>> Always a good idea. I try to help by keeping people
>> from saying things that just aren't true for the products
>> that I'm familiar with.

> Truth is relative. I prefer the facts. I'll draw my own
> conclusions, thank you.

If you see a distinction between "truth" and "fact" in this context, fine. I believe I've presented some facts that contradict some of your statements. And for someone who is interested in facts, you seem to put forth a lot of opinion. For example, what does Checkpoint's marketing have to do with how secure the product is? Do you want the facts about the product, or do you want to discuss whether their marketing department is telling the truth?

> FWIW, I think Checkpoint's attempts to market stateful inspection
> as the firewall cure-all are doomed to failure. People are smarter
> now and they resent being led down the garden path. They're no
> longer buying into every bit of marketing hype that comes along.
> The stakes are too high. They can't afford to make a less-than-secure
> choice. They are *literally* betting their company on their choice of
> a firewall. They are (finally) taking the time to do the research
> themselves and to make intelligent, informed choices. It's a good
> start. I hope the trend continues.

Checkpoint & FW1 aside, I don't see that happening, unfortunately.

> I admire your loyalty to Checkpoint. Personally, I think it's
> misplaced. Checkpoint may be good for protecting internal business-
> critical systems on an internal LAN from disgruntled employees.
> (IOW, it's OK for a relatively low-risk environment), but I
> wouldn't touch it to protect an organization from the serious
> threats from the Internet or other high-risk network.

I don't know if I'd call it loyalty, exactly. As I said before, I'm familiar with the product, and am willing to take the time to correct misstatements made about it.

> My loyalties are to my customers. As you have probably gathered
> by now, there are very few firewalls that I deem "worthy enough"
> for my customers.
> Of the @ 70 firewalls on the market, there
> are about 5 that I feel are secure enough to stop a determined
> professional attacker.

> I take security products apart before I recommend anything
> (and have been doing so for years). Most recently, I tested
> an Operating System Security product. It failed. The main
> problem was the product failed on implementation issues. Of
> particular note, it is not an enterprise-wide solution.

I have no problem with being particular about which products one uses or recommends. I do have a problem with broad, sweeping generalizations and incorrect statements.

> May the (right) firewall be with you. 8^)
>
> Best Regards,
>
>
> Frank

Ryan

Message-Id: <3.0.5.32.19980411063612.01097140@in.net>
Date: Sat, 11 Apr 1998 06:36:12 -0500
To: firewalls@GreatCircle.COM
From: Frank Willoughby
Subject: RE: socks versus fw-1 [Part IIb/II]

From firewalls-owner Tue Apr 14 21:37:17 1998
From: zack.whickerman@usa.net
Message-ID: <19980414194428.7183.qmail@www05.netaddress.usa.net>
Date: Tue, 14 Apr 1998 19:44:28
To: firewalls@greatcircle.com
Subject: Easter present for newly acquired security companies

Network associates (mcafee) gave a little Easter present to its employees. Cnet has a story on how they laid off a bunch of people last week.
http://www.news.com/News/Item/0,4,20955,00.html

From firewalls-owner Tue Apr 14 21:52:11 1998
Message-ID: <01BD67C1.609A5CC0@LFORMUS>
From: "Lisa B. Formus"
To: "'firewalls@GreatCircle.COM'"
Subject: Cisco Firewall Feature Set
Date: Tue, 14 Apr 1998 16:21:27 -0400

Hello everyone-

Has anyone had any issues/problems with, or heard anything good or bad about, Cisco's Firewall Feature Set?

Regards,
Lisa B. Formus - :) - lformus@baystate.com
CADKEY ... The Best Choice for Everyday Mechanical Design
www.cadkey.com

From firewalls-owner Tue Apr 14 23:11:15 1998
From: trall@almaden.ibm.com
To: "David A. Lane"
Cc: firewalls@greatcircle.com
Message-Id: <882565E7.0008E242.00@d53mta01.boulder.ibm.com>
Date: Tue, 14 Apr 1998 18:38:57 -0700
Subject: Re: Ethernet Address Mfg

> Someone is trying to make a mess of my system and I have managed to catch
> the "MAC" address, but I cannot seem to correlate it to a vendor. I have
> pulled the IANA Ether Types list, but it does not seem to appear. Anybody
> have a lead on 00e0.1E9F.16DB?

Cisco Lightstream

http://www.ucs.ed.ac.uk/~ercm20/cgi/ether-codes.cgi can be useful.
Tony Rall

From firewalls-owner Tue Apr 14 23:13:18 1998
To: Rick_McMaster@freddiemac.com (McMaster, Rick)
Cc: firewalls@GreatCircle.COM ('firewalls@greatcircle.com')
Subject: Re: TFTP with Raptor
References: <1998Apr07.091554.1065.1680159@msmail.freddiemac.com>
From: Benny Amorsen
Date: 14 Apr 1998 23:40:11 +0200
In-Reply-To: Rick_McMaster@freddiemac.com's message of "Tue, 07 Apr 1998 09:20:38 -0400"

>>>>> "RM" == McMaster, Rick writes:

RM> Does anyone have any information on how to set up TFTP with a
RM> Raptor firewall?

With 5.0 or 5.01 just use the Generic Service Passer. TFTP should be listed in Protocols already; if not you can add it as UDP port 69. Create a TFTP-service in Services, and you are all set.

On versions prior to 5.0 you are probably better off using a "Secure Tunnel" and what is effectively a packet filter.

This assumes that you know about the security risks associated with passing TFTP through a firewall, of course.
Benny Amorsen
Scandinavian Security Center

From firewalls-owner Tue Apr 14 23:13:05 1998
Date: Tue, 14 Apr 98 16:32 EDT
From: BoB Miorelli
To: firewalls@greatcircle.com
Subject: DNS woes
Message-ID: <3533c7c30.5ca4@clbdev2.eh.pweh.com>

Hi --

I recently upgraded my DNS from named 8.1.1 to 8.1.2-T3B. Everything works, except nslookup. nslookup hangs and named puts the following record in syslog:

   Apr 14 16:21:47 moat.pweh.com named[2241]: refused query on non-query socket from [my.ip.address].59246

My named.conf file (not changed from 8.1.1) is below. I also know that if I comment out the 'query-source' option, nslookup resolves locally, but the routers block outbound requests. I'm sure I need to modify an option, but can't figure out what.
Thanks for any help.

-->BoB Miorelli, Pratt & Whitney
   miorelli@pweh.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In theory, theory and practice are the same; in practice they are distinct.

---------------------- named.conf --------------------------------------
options {
        directory "/var/named";
        allow-transfer { my.dns.secondary; };
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
        // uncommented -- router may block it otherwise
        query-source address * port 53;
};

zone "0.0.127.IN-ADDR.ARPA" {
        type master;
        file "localhost.in-addr.127.0.0";
};

zone "pweh.com" {
        type master;
        file "pweh.com";
};

zone "pratt-whitney.com" {
        type master;
        file "pratt-whitney.com";
};

zone "prattwhitney.com" {
        type master;
        file "prattwhitney.com";
};

zone "250.54.192.in-addr.arpa" {
        type master;
        file "pweh.in-addr.192.54.250";
};

zone "." {
        type hint;
        file "root-nameservers";
};

From firewalls-owner Tue Apr 14 23:13:21 1998
From: Darin Fisher
To: "'Rick_McMaster@freddiemac.com'"
Cc: "'firewalls@greatcircle.com'"
Subject: RE: TFTP with Raptor
Date: Tue, 14 Apr 1998 14:21:34 -0600

Still not a good idea, but what you will need to do is set up a transparent proxy for this (since tftp does not use any login type authentication.) Make sure you limit this to your source and destination addresses only.

darin

-----------
ICQ: 1287849
-----------
#include "In order to succeed, one must pay attention" - Matt Olson

-----Original Message-----
From: Rick_McMaster@freddiemac.com [mailto:Rick_McMaster@freddiemac.com]
Sent: Tuesday, April 14, 1998 1:56 PM
To: oz@axent.com
Subject: RE: TFTP with Raptor

It is only to the external router to allow for IOS upgrades.

Rick

----------
> From: Darin Fisher
> To: McMaster, Rick; firewalls
> Subject: RE: TFTP with Raptor
> Date: Tuesday, April 14, 1998 3:18PM
>
> Why would you want to open that security hole on your firewall?
> >darin > >----------- >ICQ: 1287849 >----------- >#include >"In order to succeed, one must pay attention" - Matt Olson > > >-----Original Message----- >From: Rick_McMaster@freddiemac.com [mailto:Rick_McMaster@freddiemac.com] >Sent: Tuesday, April 07, 1998 7:21 AM >To: firewalls@GreatCircle.COM >Subject: TFTP with Raptor > > > >Does anyone have any information on how to set up TFTP with a Raptor >firewall? > >Thanks > >Rick > > >------ Message Header Follows ------ >Received: from mailgate.freddiemac.com by msmail.freddiemac.com > (PostalUnion/SMTP(tm) v2.1.9f for Windows NT(tm)) > id AA-1998Apr14.151802.1065.1093703; Tue, 14 Apr 1998 15:18:02 -0400 >Received: from hq1xfwa.freddiemac.com (hq1xfwa1.freddiemac.com >[204.253.137.238]) > by mailgate.freddiemac.com (8.8.5/8.8.5) with ESMTP id PAA06706 > for ; Tue, 14 Apr 1998 15:07:37 -0400 (EDT) >Received: from raven.axent.com ([205.159.112.243]) by hq1xfwa.freddiemac.com >(8.8.5/nope) with ESMTP id OAA11316 for ; Tue, >14 >Apr 1998 14:43:50 -0400 (EDT) >Received: by raven.axent.com with Internet Mail Service (5.0.1458.49) > id <2R505JXX>; Tue, 14 Apr 1998 13:12:13 -0600 >Message-ID: >From: Darin Fisher >To: "'Rick_McMaster@freddiemac.com'" , > firewalls@GreatCircle.COM >Subject: RE: TFTP with Raptor >Date: Tue, 14 Apr 1998 13:12:11 -0600 >X-Priority: 3 >MIME-Version: 1.0 >X-Mailer: Internet Mail Service (5.0.1458.49) >Content-Type: text/plain > > From firewalls-owner Wed Apr 15 00:11:35 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA18674; Tue, 14 Apr 1998 12:55:13 -0700 (PDT) Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-980202-1) id LAA05158 for firewalls@greatcircle.com; Tue, 14 Apr 1998 11:38:52 -0700 (PDT) Received: from inergen.sybase.com (inergen.sybase.com [192.138.151.43]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id PAA08033 for ; Mon, 13 Apr 1998 15:11:46 -0700 (PDT) Received: from smtp1.sybase.com (sybgate.sybase.com 
[130.214.220.35]) by inergen.sybase.com (8.8.4/8.8.4) with SMTP id PAA19367; Mon, 13 Apr 1998 15:19:49 -0700 (PDT)
Received: from by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) id AB23165; Mon, 13 Apr 98 15:18:02 PDT
Received: by gwwest.sybase.com(Lotus SMTP MTA v4.6.1 (569.2 2-6-1998)) id 882565E5.007A7BD7 ; Mon, 13 Apr 1998 15:17:50 -0700
X-Lotus-Fromdomain: SYBASENOTES
From: "Ryan Russell"
To: Magnus Timmerby
Cc: firewalls@GreatCircle.COM
Message-Id: <882565E5.007A5C05.00@gwwest.sybase.com>
Date: Mon, 13 Apr 1998 15:17:26 -0700
Subject: Re: Questions about ICMP
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Route gave a demo at last year's Black Hat Briefings. I think the tool was Loki, but I can't be sure. Check the last few issues of Phrack at www.phrack.com.

        Ryan

Magnus Timmerby on 04/11/98 05:57:41 AM
To: firewalls@GreatCircle.COM
cc: (bcc: Ryan Russell/SYBASE)
Subject: Re: Questions about ICMP

> Has anyone seen someone try to tunnel (or attempted to do so) IP over
> ICMP before?

It is certainly possible and has been done. I don't remember any references though, sorry.

/mti

Date: Sat, 11 Apr 1998 14:57:41 +0200 (MET DST)
Message-Id: <199804111257.OAA15297@kobold.rby.hk-r.se>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
From: Magnus Timmerby
To: firewalls@GreatCircle.COM
In-Reply-To: Michael Conlen's message of Sat, 11 Apr 1998 02:51:39 -0400 (EDT)
Subject: Re: Questions about ICMP
Sender:
firewalls-owner@GreatCircle.COM
Precedence: bulk

From firewalls-owner Wed Apr 15 01:37:11 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id VAA08734; Tue, 14 Apr 1998 21:11:07 -0700 (PDT)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id VAA08466 for ; Tue, 14 Apr 1998 21:10:16 -0700 (PDT)
From: a0192424hang@worldnet.att.net
Received: from 153.35.239.234 (1Cust106.max13.san-francisco.ca.ms.uu.net [153.35.239.234]) by miles.greatcircle.com (8.8.5/8.8.5) with SMTP id VAA07407 for ; Tue, 14 Apr 1998 21:10:50 -0700 (PDT)
Date: Tue, 14 Apr 1998 21:10:50 -0700 (PDT)
Message-Id: <199804150410.VAA07407@miles.greatcircle.com>
Subject: 40 MILLION EMAIL ADDRESSES CHEAP PRICE!!
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

40 MILLION EMAILS FOR SALE super low price!

Our Fresh Addresses Will Bring You Incredible Results!

http://207.93.198.154/webhost

If you REALLY want to get the word out regarding your services or products, Bulk Email is the BEST way to do so, PERIOD! Advertising in newsgroups is good but you're competing with hundreds even THOUSANDS of other ads. Will your customers see YOUR ad in the midst of all the others? Bulk Email will allow you to DIRECTLY contact your potential customers. They are much more likely to take the time to read about what you have to offer if it was as easy as reading it via email rather than searching through countless postings in newsgroups.

There is a secret to effective Bulk Email...HIGH QUALITY LISTS! There are SO many companies offering bulk email lists that are months old and it's not uncommon for HALF of those addresses to be outdated and undeliverable. Also, most companies offer lists that they have compiled from addresses extracted from newsgroups, THE WORST PLACE TO GET ADDRESSES FROM! Why? Simple, most people that post messages in newsgroups KNOW that their addresses might be extracted so they use FAKE addresses resulting in undeliverable messages.

You can now get FRESH, HIGH QUALITY lists of addresses that have NOT been extracted from newsgroups! Our lists are compiled of addresses that we have extracted from member directories and help forums where you CAN NOT use fake email addresses! Also, our lists are LESS than 1 month old and are CONSTANTLY updated to remove dupes and undeliverables!

Our emails can be downloaded at a web site or be shipped to your home in disks. Our emails are in text form, one line per email. This form is compatible with Pegasus, Eudora, Microsoft email programs, and many other popular email software.

We believe that if you have a great product or service for everyone, you should let everyone know. Do it cost effectively today! Sending emails doesn't cost you one cent! In just one night, millions of people will know about your company or your corporation.

Market your company by reaching 40,000,000 (40 million) fresh customers for only $79.00!!!!

Special Sale! Buy the 40 Million email addresses today and receive Email Platinum Professional Version FREE! Email Platinum Pro is 4 programs in one! (This message is sent by Email Platinum. You can too send out mass sales letters professionally.)

Email Platinum is an extremely fast mass emailer (150,000 emails per hour with modest Pentium) that does four things:

1) Collects email addresses from newsgroups, web sites, or from AOL member files by key words and by specific interests.
2) Mail out your sales letters with automated friendly addressing (example: Dear John, Dear Nancy, etc.) Randomizes from and to field. One push of a button does it all. Guarantee no cut and paste.
3) Has the capability to remove email addresses of people who don't like emails.
4) Post your sales letters to THOUSANDS OF NEWSGROUPS WITH A PUSH OF A BUTTON --- within HALF AN HOUR!!

Email Platinum and Email Addresses are your best sales tools! If you have a good product, you will be rich in no time.

Call today (415)585-3825. All for $79. Not a penny extra.

Call today (415)585-3825. Technical support available 24 hours. Emails are updated regularly. We can accept Visa or Master Card.

http://207.93.198.154/webhost

Or, simply print this form and fill it out. Mail it along with $79 check or money order to:

Alex Chiu
PO BOX 16547
San Francisco CA 94116
(415) 585-3825

Upon the receipt of your payment, you will immediately be instructed via email or by phone on how to download the fresh email addresses.

Name: _________________________________
Address: ________________________________________
_________________________________________________
Telephone number: ___________________________
Email address: ______________________________

-----------------------------------------------------
------------------------------------------------------

Don't want to email millions of people yourself? No problem. I can do it for you professionally! I mail out two million emails for you within 3 days for $129!! Tell me what kind of customer you would want, and I will set the target with my highly targeted list.

A mere $129 service includes:
Email two million people. (targeted prospects)
Post advertisement on 2000 newsgroups.
Telephone recommendations and technical support on how to make money on the internet.

I guarantee you this is a great way to start your own company on the internet. A few months later, you will be like me making $5000 a month with the internet! Call (415) 585-3825 if you have any questions.
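The IP-over-ICMP tunnelling that the "Questions about ICMP" exchange above refers to (Loki-style data hidden in echo payloads), as an added worked example that is not part of any message in this digest and not Loki's code. It builds ICMP echo messages in memory, pushes a constructed exfiltration stream through them, and then runs a detector over a constructed capture; the identifiers, timestamp and payload text are made up for the demo, and the ping data patterns it whitelists are the stock Unix (iputils/BSD: byte value equals offset after the timestamp) and Windows ("abcdefghijklmnopqrstuvwabcdefghi") ones.

```python
"""Constructed demo of IP-over-ICMP style tunnelling (the Loki idea from the thread)
and a heuristic detector for it. Pure Python: packets are built in memory, no raw
sockets and no network access, so it runs offline."""
import math
import struct
from collections import Counter

ICMP_ECHO_REQUEST = 8
STOCK_DATA_LEN = 56                                       # default Unix ping data length
WINDOWS_PING_DATA = b"abcdefghijklmnopqrstuvwabcdefghi"   # 32-byte Windows ping data
EXFIL_DATA = b"".join(b"line %d of exfiltrated data\n" % i for i in range(4))  # constructed


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum over 16-bit words; odd length is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(ident: int, seq: int, data: bytes, icmp_type: int = ICMP_ECHO_REQUEST) -> bytes:
    """ICMP echo message: type, code, checksum, identifier, sequence, data."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + data)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + data


def parse_echo(pkt: bytes):
    """Return (type, ident, seq, data); a valid message checksums to zero."""
    if len(pkt) < 8 or icmp_checksum(pkt) != 0:
        raise ValueError("truncated ICMP message or bad checksum")
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return icmp_type, ident, seq, pkt[8:]


def unix_ping_data(timestamp: bytes, length: int = STOCK_DATA_LEN) -> bytes:
    """What iputils/BSD ping sends: byte value == offset, then the timestamp
    overwrites the first 8 (32-bit) or 16 (64-bit) bytes."""
    data = bytearray(j & 0xFF for j in range(length))
    data[:len(timestamp)] = timestamp
    return bytes(data)


def tunnel_encode(data: bytes, ident: int) -> list:
    """Covert channel: split the stream over echo requests that carry the stock
    56-byte data length, so a size-only rule cannot tell them from ordinary pings."""
    chunks = [data[i:i + STOCK_DATA_LEN] for i in range(0, len(data), STOCK_DATA_LEN)]
    return [build_echo(ident, seq, chunk) for seq, chunk in enumerate(chunks)]


def tunnel_decode(packets: list, ident: int) -> bytes:
    """Receiver side: keep our identifier only, reassemble by sequence number."""
    parts = {}
    for pkt in packets:
        _t, pid, seq, data = parse_echo(pkt)
        if pid == ident:
            parts[seq] = data
    return b"".join(parts[s] for s in sorted(parts))


def is_stock_ping_data(data: bytes) -> bool:
    """True for the Windows pattern or the Unix offset pattern past the timestamp area."""
    if data == WINDOWS_PING_DATA:
        return True
    return len(data) > 16 and all(data[j] == (j & 0xFF) for j in range(16, len(data)))


def entropy_bits(data: bytes) -> float:
    """Shannon entropy in bits per byte, reported alongside a hit for the analyst."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def find_tunnel_candidates(packets: list) -> list:
    """(ident, seq, entropy) for every echo request whose data is not a stock ping pattern."""
    hits = []
    for pkt in packets:
        icmp_type, ident, seq, data = parse_echo(pkt)
        if icmp_type == ICMP_ECHO_REQUEST and not is_stock_ping_data(data):
            hits.append((ident, seq, round(entropy_bits(data), 2)))
    return hits


def demo():
    """Constructed capture: a 64-bit Linux ping, a Windows ping, and the covert
    stream with its two packets arriving out of order."""
    linux_ping = build_echo(0x1234, 1, unix_ping_data(struct.pack("!QQ", 892584000, 123456)))
    windows_ping = build_echo(0x0001, 1, WINDOWS_PING_DATA)
    covert = tunnel_encode(EXFIL_DATA, ident=0xBEEF)
    capture = [linux_ping, covert[1], windows_ping, covert[0]]
    return find_tunnel_candidates(capture), tunnel_decode(capture, 0xBEEF)


if __name__ == "__main__":
    for hit in demo()[0]:
        print("possible ICMP tunnel: id=0x%04x seq=%d entropy=%.2f bits/byte" % hit)
```

The pattern check is deliberately narrow: it whitelists what stock Unix and Windows ping clients send, so `ping -p` with a custom pattern, `ping -s` with fewer than 17 data bytes, and unusual clients show up as hits that need an analyst's look, while a tunnel that copies the stock pattern and hides its bits in the identifier, sequence or timing fields is not caught. Only echo requests are inspected; the server half of a Loki-style tunnel answers in echo replies, so a real check looks at both directions and at request/reply counts per host. On a firewall this is the argument for passing only the ICMP types and directions that are actually needed, since the tunnel needs echo to cross in both directions.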
From firewalls-owner Wed Apr 15 02:32:50 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA02061; Tue, 14 Apr 1998 13:57:58 -0700 (PDT)
Received: from raven.axent.com ([205.159.112.243]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id NAA01994 for ; Tue, 14 Apr 1998 13:57:38 -0700 (PDT)
Received: by raven.axent.com with Internet Mail Service (5.0.1458.49) id <2R505JYK>; Tue, 14 Apr 1998 15:01:41 -0600
Message-ID:
From: Darin Fisher
To: "'Rick_McMaster@freddiemac.com'"
Cc: "'firewalls@greatcircle.com'"
Subject: RE: TFTP with Raptor
Date: Tue, 14 Apr 1998 15:01:40 -0600
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1458.49)
Content-Type: text/plain; charset="iso-8859-1"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Yes, by default it does have this set in the Protocol definitions section, remember to make this transparent (tftp does not have any login authentication method).

darin
-----------
ICQ: 1287849
-----------
#include
"In order to succeed, one must pay attention" - Matt Olson

I thought you could not set up a proxy for UDP sessions?

Rick

>
>Still not a good idea, but what you will need to do is set up a
>transparent proxy for this (since tftp does not use any login type
>authentication.) Make sure you limit this to your source and
>destination addresses only.
>
>darin
>
>-----------
>ICQ: 1287849
>-----------
>#include
>"In order to succeed, one must pay attention" - Matt Olson
>
>
>-----Original Message-----
>From: Rick_McMaster@freddiemac.com [mailto:Rick_McMaster@freddiemac.com]
>Sent: Tuesday, April 14, 1998 1:56 PM
>To: oz@axent.com
>Subject: RE: TFTP with Raptor
>
>
>
>It is only to the external router to allow for IOS upgrades.
>
>Rick
> ----------
>>From: Darin Fisher
>>To: McMaster, Rick; firewalls
>>Subject: RE: TFTP with Raptor
>>Date: Tuesday, April 14, 1998 3:18PM
>>
>>Why would you want to open that security hole on your firewall?
>>
>>darin
>>
>>-----------
>>ICQ: 1287849
>>-----------
>>#include
>>"In order to succeed, one must pay attention" - Matt Olson
>>
>>
>>-----Original Message-----
>>From: Rick_McMaster@freddiemac.com [mailto:Rick_McMaster@freddiemac.com]
>>Sent: Tuesday, April 07, 1998 7:21 AM
>>To: firewalls@GreatCircle.COM
>>Subject: TFTP with Raptor
>>
>>
>>
>>Does anyone have any information on how to set up TFTP with a Raptor
>>firewall?
>>
>>Thanks
>>
>>Rick

From firewalls-owner Wed Apr 15 02:33:01 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id SAA04070; Tue, 14 Apr 1998 18:54:19 -0700 (PDT)
Received: from teddyr.dyn.ml.org (slip166-72-164-158.tx.us.ibm.net [166.72.164.158]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id SAA03774 for ; Tue, 14 Apr 1998 18:53:20 -0700 (PDT)
Received: from iname.com (syousif@teddyr.dyn.ml.org [192.168.1.1]) by teddyr.dyn.ml.org (8.8.8/8.8.7) with ESMTP id UAA00875; Tue, 14 Apr 1998 20:54:29 -0500
Message-ID: <35341350.9B004B56@iname.com>
Date: Tue, 14 Apr 1998 20:54:24 -0500
From: Sami Yousif
Reply-To: syousif@iname.com
Organization: TeddyR Computers
X-Mailer: Mozilla 4.05 [en] (X11; U; Linux 2.0.33 i586)
MIME-Version: 1.0
To: "David A. Lane" , firewalls@greatcircle.com
Subject: Re: Ethernet Address Mfg
References: <3.0.3.32.19980414123348.006a1c00@corp-02.mantech.com>
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------ms6E5EB687A695690B260E7F0F"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This is a cryptographically signed message in MIME format.

--------------ms6E5EB687A695690B260E7F0F
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

David A. Lane wrote:
>
> Greetings,
>
> Someone is trying to make a mess of my system and I have managed to catch
> the "MAC" address, but I cannot seem to correlate it to a vendor.
> I have pulled the IANA Ether Types list, but it does not seem to appear. Anybody
> have a lead on 00e0.1E9F.16DB?

First thing: Remember that MAC addresses CAN be faked....

According to the database at http://www.cavebear.com/CaveBear/Ethernet/vendor.html the "00e01e" prefix is used by Cisco. That means that what you are seeing is really from the "other" side of one of the interfaces on your router and thus shows up as the address of the router. What that would allow you to do is "follow" the router trail... (tedious, but feasible)

If the system is a Novell fileserver (based on your .sig), are you passing IPX through your router? If so, does the other side REALLY need to see your IPX traffic? If not, you can safely disable IPX on that router. If IPX is needed, you will need the cooperation of those in charge of the "other" segments...

A traffic monitor like NetXray would be useful. A shareware one called "EtherLoad" may also help. (Version 2.00 works great on an old 80286 laptop w/ a pocket ethernet adapter :-) [can use ODI or packet drivers]) http://ftp.sunet.se/ftp/pub/network/monitoring/ethload/

--
--- Sami Yousif
mailto:syousif@iname.com mailto:syousif@swbell.net
http://www.mav.net/teddyr/syousif http://teddyr.home.ml.org ftp://teddyr.dyn.ml.org
[eMail sent to any of my addresses is subject to the Conditions outlined in http://www.mav.net/teddyr/emailtos.shtml]
[Note: I no longer support ARNet (arn.net) as an ISP nor WTAMU (wtamu.edu) as an educational institution nor LEK (lektech.com) as a Computer Supplier] {http://www.mav.net/teddyr/access/banned.shtml}
[heard somewhere: "You have the right to remain clueless. Anything you know may be used against you in a court of law"]
Another day, so many more LARTS to go. [BOFH, BUFH]
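The vendor lookup and the "MAC addresses CAN be faked" point from Sami Yousif's reply above, as an added example that is not from the post and not the CaveBear database. The OUI table is a handful of entries embedded for the demo (the 00-E0-1E Cisco prefix from the post plus a few other real IEEE assignments; anything else has to be checked against the registry), and the sample addresses other than 00e0.1E9F.16DB are constructed.

```python
"""Constructed example: normalise a MAC address written in any of the usual notations
(Cisco dotted, colon, hyphen, bare hex), look up its OUI in a small embedded table,
and report the address bits that hint at a software-set (possibly faked) address."""
import re

# A few real IEEE assignments for the demo; the post's 00-E0-1E is Cisco. Anything
# else must be checked against the IEEE OUI registry (or the CaveBear list above).
OUI_TABLE = {
    "00:e0:1e": "Cisco Systems",
    "00:00:0c": "Cisco Systems",
    "08:00:20": "Sun Microsystems",
    "00:a0:c9": "Intel Corporation",
    "00:50:56": "VMware",
}

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(text: str) -> str:
    """Accept 00e0.1E9F.16DB, 00:E0:1E:9F:16:DB, 00-e0-1e-9f-16-db or 00e01e9f16db;
    return the canonical lowercase colon form. Raises ValueError on anything else."""
    digits = re.sub(r"[\s:.\-]", "", text).lower()
    if not _HEX12.match(digits):
        raise ValueError("not a 48-bit MAC address: %r" % text)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_valid_mac(text: str) -> bool:
    try:
        normalize_mac(text)
        return True
    except ValueError:
        return False


def to_cisco(mac: str) -> str:
    """Cisco dotted notation, as printed by 'show arp' and the like."""
    d = normalize_mac(mac).replace(":", "")
    return "%s.%s.%s" % (d[0:4], d[4:8], d[8:12])


def classify(text: str) -> dict:
    mac = normalize_mac(text)
    first = int(mac[:2], 16)
    oui = mac[:8]
    local = bool(first & 0x02)     # U/L bit: 1 = locally administered, not vendor-assigned
    group = bool(first & 0x01)     # I/G bit: 1 = multicast (or broadcast)
    return {
        "mac": mac,
        "cisco": to_cisco(mac),
        "oui": oui,
        # an OUI lookup only means something for a globally administered unicast address
        "vendor": None if (local or group) else OUI_TABLE.get(oui),
        "locally_administered": local,
        "multicast": group,
        "broadcast": mac == "ff:ff:ff:ff:ff:ff",
    }


def describe(text: str) -> str:
    """One-line verdict for an analyst's notes."""
    c = classify(text)
    if c["broadcast"]:
        return "%s: broadcast address, not a host" % c["mac"]
    if c["multicast"]:
        return "%s: group address, not a station's burned-in address" % c["mac"]
    if c["locally_administered"]:
        return "%s: locally administered (set by software or an admin), vendor lookup is meaningless" % c["mac"]
    if c["vendor"] is None:
        return "%s: OUI %s not in the local table, check the IEEE registry" % (c["mac"], c["oui"])
    return "%s: OUI %s registered to %s (the NIC or router vendor, not proof of who is behind it)" % (
        c["mac"], c["oui"], c["vendor"])


if __name__ == "__main__":
    for sample in ("00e0.1E9F.16DB", "02:e0:1e:9f:16:db", "01:00:5e:00:00:01", "08-00-20-12-34-56"):
        print(describe(sample))
```

Two points from the post fall out of the fields: a registered OUI identifies the maker of the interface that put the frame on the wire, and on a routed network that is the router's interface (Cisco here), not the originating machine; and a clear U/L bit is no evidence the address is genuine, since anyone who can set a MAC can copy a real OUI. The U/L check only catches the careless case, an address set locally without mimicking a vendor prefix.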
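The transparent-proxy advice in the "TFTP with Raptor" thread above, as an added example that is not Raptor's (Axent's) code or configuration and not from any message in the thread. The addresses (192.0.2.1 for the border router, 10.0.0.5 for the inside TFTP server, 198.51.100.7 for an outsider), the image filename and the port numbers are constructed; the filter models what a stateful proxy has to do for TFTP (RFC 1350), which a single per-port packet-filter rule cannot.

```python
"""Constructed example: a small stateful filter for TFTP (RFC 1350). It shows why a
static "allow udp to port 69" rule does not cover the transfer, and how a proxy or
stateful filter pins the exchange to one permitted client/server pair and to the
transfer IDs (ports) it has actually seen. TFTP has no authentication, so address,
direction and request type are the only controls there are."""
import struct

RRQ, WRQ, DATA, ACK, ERROR, OACK = 1, 2, 3, 4, 5, 6
OPNAME = {RRQ: "RRQ", WRQ: "WRQ", DATA: "DATA", ACK: "ACK", ERROR: "ERROR", OACK: "OACK"}
TFTP_PORT = 69
BLKSIZE = 512          # default block size; OACK blksize negotiation is not modelled


def build_request(opcode: int, filename: str, mode: str = "octet") -> bytes:
    return struct.pack("!H", opcode) + filename.encode() + b"\0" + mode.encode() + b"\0"


def build_data(block: int, data: bytes) -> bytes:
    return struct.pack("!HH", DATA, block) + data


def build_ack(block: int) -> bytes:
    return struct.pack("!HH", ACK, block)


def parse_tftp(payload: bytes):
    """Return (opcode, block, filename, data); block/filename are None where absent."""
    if len(payload) < 4:
        raise ValueError("short TFTP packet")
    opcode = struct.unpack("!H", payload[:2])[0]
    if opcode in (RRQ, WRQ):
        fields = payload[2:].split(b"\0")
        if len(fields) < 3:                     # filename NUL mode NUL
            raise ValueError("malformed request")
        return opcode, None, fields[0].decode("ascii", "replace"), b""
    if opcode in (DATA, ACK, ERROR):
        return opcode, struct.unpack("!H", payload[2:4])[0], None, payload[4:]
    if opcode == OACK:
        return opcode, None, None, payload[2:]
    raise ValueError("unknown opcode %d" % opcode)


class TftpFilter:
    """policy: {(client_ip, server_ip): {RRQ and/or WRQ}}. Sessions are keyed by
    (client_ip, client_tid, server_ip); the server TID is learned from its first reply."""

    def __init__(self, policy: dict):
        self.policy = policy
        self.sessions = {}

    def decide(self, src: str, sport: int, dst: str, dport: int, payload: bytes):
        try:
            opcode, block, filename, data = parse_tftp(payload)
        except ValueError as err:
            return "deny", "unparseable: %s" % err
        name = OPNAME[opcode]

        if dport == TFTP_PORT:                  # a new transfer request
            if opcode not in (RRQ, WRQ):
                return "deny", "%s to port 69 is not a request" % name
            if opcode not in self.policy.get((src, dst), set()):
                return "deny", "%s %s -> %s not permitted by policy" % (name, src, dst)
            self.sessions[(src, sport, dst)] = {"server_tid": None, "final_block": None}
            return "allow", "%s %r %s:%d -> %s:%d" % (name, filename, src, sport, dst, dport)

        key = (dst, dport, src)                 # server -> client?
        if key in self.sessions:
            sess = self.sessions[key]
            if sess["server_tid"] is None:
                sess["server_tid"] = sport      # RFC 1350 sec. 4: first reply fixes the server TID
            elif sess["server_tid"] != sport:
                return "deny", "server TID %d does not match established TID %d" % (sport, sess["server_tid"])
            return self._track(key, sess, opcode, block, data, "server")

        key = (src, sport, dst)                 # client -> server on the learned TID?
        sess = self.sessions.get(key)
        if sess and sess["server_tid"] == dport:
            return self._track(key, sess, opcode, block, data, "client")
        return "deny", "no session for %s:%d -> %s:%d" % (src, sport, dst, dport)

    def _track(self, key, sess, opcode, block, data, side):
        """Follow the transfer so the pinhole closes when it ends."""
        if opcode == ERROR:
            del self.sessions[key]
            return "allow", "ERROR from %s, session closed" % side
        if opcode == DATA and len(data) < BLKSIZE:
            sess["final_block"] = block         # a short block is the last one
        elif opcode == ACK and block == sess["final_block"]:
            del self.sessions[key]
            return "allow", "final ACK %d from %s, session closed" % (block, side)
        return "allow", "%s block %s from %s" % (OPNAME[opcode], block, side)


def demo():
    """Constructed exchange: the border router pulls an IOS image from the inside TFTP
    server; an outsider's request, a write request and a reply from the wrong server
    port are refused. Returns the (verdict, reason) list and the session table."""
    router, server, outsider = "192.0.2.1", "10.0.0.5", "198.51.100.7"
    fw = TftpFilter({(router, server): {RRQ}})
    steps = [
        (router, 49152, server, 69, build_request(RRQ, "c2500-is-l.bin")),   # allow
        (server, 3456, router, 49152, build_data(1, b"\x7f" * BLKSIZE)),     # allow, TID 3456 learned
        (router, 49152, server, 3456, build_ack(1)),                         # allow
        (server, 9999, router, 49152, build_data(2, b"\x7f" * BLKSIZE)),     # deny, wrong TID
        (outsider, 40000, server, 69, build_request(RRQ, "startup-config")), # deny, not in policy
        (router, 49152, server, 69, build_request(WRQ, "running-config")),   # deny, WRQ not allowed
        (server, 3456, router, 49152, build_data(2, b"\x7f" * 100)),         # allow, last block
        (router, 49152, server, 3456, build_ack(2)),                         # allow, session closed
    ]
    return [fw.decide(*s) for s in steps], fw.sessions


if __name__ == "__main__":
    for verdict, reason in demo()[0]:
        print("%-5s %s" % (verdict, reason))
```

Two things the demo makes visible. The data channel runs between the client's port and a server port chosen per transfer (3456 here), so a rule that only opens udp/69 either breaks the transfer or gets widened to all UDP from the server, which is why the thread's answer is a transparent proxy rather than a port rule. And since TFTP carries no credentials, the whole policy is source, destination and request type, which is what "limit this to your source and destination addresses only" amounts to; anyone who can spoof the router's address from outside gets the same access, so the pinhole should exist only while the upgrade is in progress. The filter does not model blksize negotiation (OACK), retransmission after loss, or timeouts, so it is a model of the proxy's job rather than a drop-in proxy.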