Rik does his usual fantastic job of recording the Firewalls BOF, this time
at the USENIX LISA conference last week in Monterey. What I have here are
just a couple of minor clarifications and expansions.
At 5:45 PM 9/26/95, Rik Farrow wrote:
>====
>Firewalls BOF, 1833, 21 Sept, 1995
>
>Brent Chapman takes over, starting off with the brief history of the BOF
>(started at the Third Usenix Security Symposium in Baltimore three
>years ago). Currently 8,000 subscribers to firewalls, with perhaps
>15,000 readers.
I just checked; the current numbers are 6,810 subscribers to Firewalls and
Firewalls-Digest, but it looks like more of them are local redistribution
aliases and local mail-to-news gateways than I expected, so the "15,000
readers" estimate is probably still in the ballpark.
>Brent Chapman commented on the licensing problem involved in publicly
>available software, such as Majordomo, or the Firewall toolkit.
>
>Marcus Ranum stated that one major concern was divergent versions.
>There were no security problems with the toolkit per se, but there were
>known problems--many of which were dealt with in Gauntlet 3.0. [No one
>mentioned that the issue of how to proceed with extending the toolkit,
>or supporting it, was thoroughly hashed out during the Usenix Security
>Symposium at Salt Lake City. Chapman does comment:]
>"I for one do not want to go down that road again."
In that last comment, I was referring to the divergent code issue, not
necessarily the maintenance/support issue. I had just cited the old
SendmailV5 vs. IDA-Sendmail split as an example; that's the road I wouldn't
want to go down again: having two divergent versions of something both in
widespread use.
>I asked Chapman about the syslog problem. He responded that the problem
>is NOT in the syslog daemon, but in the function call library itself.
>CSRG [Computer Science Research Group at Berkeley, which I thought had
>disbanded] threatened to go through all the [UNIX] code and remove all
>unbounded string copies [the problem], but gave up. [snprintf the
>solution, pointed out a participant in the front row.]
At least one person at CSRG made that threat in 1988, immediately following
the Morris Worm incident (which also exploited a stack buffer overrun, in
the attack it made against Sun finger daemons). However, there was just
too much code that had been written that way; they simply didn't have
enough time to go fix it all. The problem is much worse now; there's a lot
more code.
>Ranum asks "Does Lehman have Flowtrans?" What scares Ranum is that the
>Internet is often behind the firewall. Private connections, connections
>to other organizations which are connected to the Internet. The Plan 9
>guys, the Athena guys, have it right. Put security at the presentation
>device.
Marcus was asking about "Quotron", a service which provides real-time stock
and commodities price data to Wall Street firms. One of their delivery
methods (they have several, as I understand it) is a dedicated TCP/IP
leased line from their net to yours. Most Wall Street firms have a link to
Quotron; therefore, Quotron is a possible vector for attack.
Great job, though; I'd forgotten much of the discussion until your message
reminded me!
-Brent
--
Brent Chapman | Great Circle Associates | For Firewalls Tutorial info:
Brent@GreatCircle.COM | 1057 West Dana Street | Tutorial-Info@GreatCircle.COM
+1 415 962 0841 | Mountain View, CA 94041 | http://www.greatcircle.com
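The snprintf remark in the syslog discussion above, worked out as an added example that is not code from the BOF, from Rik's notes or from anyone on the thread: a bounded formatter of the kind a syslog(3)-style library routine needs, including the truncation check that snprintf's return value requires. log_format, the helpers and the "fingerd" tag and message strings are constructed for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Bounded replacement for the "unbounded string copy" pattern: the caller's
 * formatted message is written into a caller-supplied buffer of cap bytes.
 * vsnprintf never writes past cap, but it returns the length the message
 * WOULD have had, so a return value >= cap means the output was cut.
 * Returns 0 when the message fit, 1 when it was truncated, -1 on error.
 * On every return with a usable buffer, buf is NUL-terminated. */
int log_format(char *buf, size_t cap, const char *fmt, ...)
{
    if (buf == NULL || cap == 0 || fmt == NULL)
        return -1;

    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, cap, fmt, ap);   /* at most cap-1 bytes plus NUL */
    va_end(ap);

    if (n < 0) {                /* encoding error: leave the buffer safe */
        buf[0] = '\0';
        return -1;
    }
    return (size_t)n >= cap ? 1 : 0;
}

/* Helpers (constructed for the checks below): format a message the way a
 * daemon would, "tag: text", into a buffer limited to cap bytes, and
 * report either the status or the resulting string length (-1 on error). */
int format_status(size_t cap, const char *msg)
{
    char buf[64];
    if (cap > sizeof buf) cap = sizeof buf;
    return log_format(buf, cap, "%s: %s", "fingerd", msg);
}

int formatted_len(size_t cap, const char *msg)
{
    char buf[64];
    if (cap > sizeof buf) cap = sizeof buf;
    if (log_format(buf, cap, "%s: %s", "fingerd", msg) < 0)
        return -1;
    return (int)strlen(buf);    /* never exceeds cap-1 */
}
```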