About multiprocessing: Solaris has been tested running up to 64 processors
under UNIX. True multiprocessing here with almost 100% CPU efficiency.
Intel starts to crater after 4 typically and runs about 85% efficiency.
But as you know I am sure that comparing UNIX to PC is like comparing a
sealed envelope to an armored carrier. The real plus of PCs is the price
to acquire one or two or three /etc.
At 09:14 PM 10/16/97 -0700, you wrote:
>
>Firewalls-Digest Thursday, October 16 1997 Volume 06 : Number 490
>
>
>
>In this issue:
>
> (no subject)
> [none]
> Firewalls: Exchange mail proxy in DMZ.
> Firewall-1 on NT
> Simple UDP & ActiveX question
> [none]
> RE: firewalls with linux OS
> Firewalls: www & high port numbers
> RE: Firewalls: Exchange mail proxy in DMZ.
> Re: Firewall-1 on NT
> RE: Firewalls: Exchange mail proxy in DMZ.
> Re: Firewalls: www & high port numbers
> Re: Simple UDP & ActiveX question
> RE: Firewalls: www & high port numbers
> Re: [FW1] Re: Virus Protection on FW-1
> Re: Firewall-1 on NT
> [none]
> [none]
> letter
> Firewall for linux
> [none]
> [none]
> Wrong time logged
> Re: Firewalls: www & high port numbers
> [none]
> RE: Firewalls: Exchange mail proxy in DMZ.
> Re: PIX and other "Black boxes" vs normal firewalls.
> [none]
> RE: Firewalls: www & high port numbers
> Connect: Conceal Encryption Server
> RE: TCP options and firewalls
> Re: [FW1] Re: Virus Protection on FW-1
> Re: Firewalls-Digest V6 #489
> RE: Firewall-1 on NT
> Re: Virus Protection on FW-1
> RE: Simple UDP & ActiveX question
> Re: firewalls with linux OS
> WinGate Proxy
> REMOVES
> Re: PIX and other "Black boxes" vs normal firewalls.
> Re: firewalls with linux OS
> RE: [FW1] Re: Virus Protection on FW-1
>
>See the end of the digest for information on subscribing to the Firewalls
>or Firewalls-Digest mailing lists and on how to retrieve back issues.
>
>----------------------------------------------------------------------
>
>Date: Thu, 16 Oct 1997 12:03:02 +0100
>From: Hilco Jonkeren <H.Jonkeren@ahk.nl>
>Subject: (no subject)
>
>remove
>
>------------------------------
>
>Date: Thu, 16 Oct 1997 08:20:35 -0400
>From: "Tom Rozylowicz" <ROZYLOTA@acq.osd.mil>
>Subject: [none]
>
>remove
>
>------------------------------
>
>Date: Thu, 16 Oct 1997 09:50:13 +0100
>From: Doug Bridgens <Doug.Bridgens@3Dlabs.com>
>Subject: Firewalls: Exchange mail proxy in DMZ.
>
>Hi,
> Has anyone set up a MS Exchange mail server proxy in the DMZ of their
>firewall? We have a few remote users who will need to access email
>accounts in our servers. Is a mail server proxy the best way to
>achieve this, or are there other ways?
>
>Thanks
>Doug
>
>------------------------------
>
>Date: Thu, 16 Oct 1997 13:37:06 +0200
>From: Mario Muehlbauer <mamuehl@mail.teleconsult.de>
>Subject: Firewall-1 on NT
>
>I need to implement Firewall-1 on Windows NT 4.0.
>
>What security holes could be in NT?
>
>How can I harden the OS?
>
>Please no philosophic discussions about NT versus UNIX!
>
>Mario Muehlbauer
>
>------------------------------
>
>Date: Thu, 16 Oct 1997 15:01:23 +0200
>From: marcelg@new.iscorltd.co.za (Marcel Groenewald)
>Subject: Simple UDP & ActiveX question
>
>Hi all,
>
>Please tell me if the following statements are true, and if so, if it's a
>good enough reason to stop the relevant services from going across the
>firewall:
>
>"UDP should be blocked, since it is not possible to reliably authenticate
>the origin of UDP packets"
>
>"ActiveX (but not Java) should be blocked by the firewall"
>
>Thank you
>Marcel Groenewald
>
>/*******************************************************************/
>The views expressed above are not necessarily those of Iscor Limited
>/*******************************************************************/
>
>------------------------------
>
>Date: Thu, 16 Oct 1997 09:50:22 -0400
>From: Alex Hutton <Alex@Progressive-Systems.com>
>Subject: [none]
>
>remove
>
>------------------------------
>
>Date: Thu, 16 Oct 1997 12:29:32 +0200 (MET DST)
>From: Ralf Thomas Klar <klar@mkm.de>
>Subject: RE: firewalls with linux OS
>
>On Wed, 15 Oct 1997, Sameer R. Manek wrote:
>
>> On Wed, 15 Oct 1997, Chris Pugrud wrote:
>>
>> > Apache has a pretty good web/ftp proxy function built in. The caching
>> > functionality doesn't seem to be very effective, but I really haven't
>> > played with the settings. For added security I tend to run two apache
>> > daemons, one for the inside with the proxy functions built in, and one
>> > for the outside web server that is stripped and gutted to the bare
>> > essentials (the less code there is, the less that can be compromised).
>> >
>>
>> I like using apache to do double duty as proxy/webserver, but then again
>> my security model isn't as strict as yours probably is. One free proxy
>> server that i've heard is pretty good with performance is Squid,
>> (squid.nlanr.net) Has anyone tried this one out? Any reactions to its
>> performance/security?
>>
>> Sameer
>
>Squid is really good - we have about 180.000 hits/day and 2 GB www-
>traffic/day. squid runs on a linux-box (amd k6/200, 128 mb ram)
>and there have been absolutely no problems till today.
>
>Ralf
>
>- --
>Ralf Thomas Klar | Tel.: 0721-9663066 | http://www.hadiko.de/
>Klosterweg 28/H210 | Fax.: 0721-9663064 | The only student
>D-76131 Karlsruhe | eMail: ralf@hadiko.de | dormitory with an ATM network
>
>
>------------------------------
>
>Date: Thu, 16 Oct 1997 09:42:31 +0100
>From: Doug Bridgens <Doug.Bridgens@3Dlabs.com>
>Subject: Firewalls: www & high port numbers
>
>Hi,
> When browsing the WWW lots of sites offer downloadable software. When
>you click on the link to the download you are shoved to a new page at a
>high port number (eg. 34200). Whenever a browser tries to go to
>download something it just hangs because the firewall is stopping its
>communication through the high port number. Can anyone tell me what
>should be done to allow downloading software from the web but not open up
>every port?
>
>Thanks
>Doug
>
>------------------------------
>
>Date: Thu, 16 Oct 1997 08:06:54 -0700
>From: "Stackpole, Bill" <BSTACKPO@sla.com>
>Subject: RE: Firewalls: Exchange mail proxy in DMZ.
>
>If you set Exchange up to do POP3 you can use the POP3 proxy on your
>firewall to give remote users access to their mail.
>
>> -----Original Message-----
>> From: Doug Bridgens [SMTP:Doug.Bridgens@3Dlabs.com]
>> Sent: Thursday, October 16, 1997 1:50 AM
>> To: 'firewalls@greatcircle.com'
>> Subject: Firewalls: Exchange mail proxy in DMZ.
>>
>> Hi,
>> Has anyone set up a MS Exchange mail server proxy in the DMZ of
>> their
>> firewall? We have a few remote users who will need to access email
>> accounts in our servers. Is a mail server proxy the best way to
>> achieve this, or are there other ways?
>>
>> Thanks
>> Doug
>
>------------------------------
>
>Date: Thu, 16 Oct 1997 17:07:09 +0000
>From: "Ewout Meij" <ewout@pinewood.nl>
>Subject: Re: Firewall-1 on NT
>
>Dear Mario,
>
>Your question comes at a perfect time for me, since I need
>to do (about) the same thing.
>
>I think that your questions are nice for a good discussion but
>that question should be different. Since only the outside
>ethernet adaptor is connected to the net, your focus
>should be on that part of the machine.
>
>Hardening the OS will only be beneficial if your FW machine
>is compromised... in which case (I think) you really only want
>to be notified, and turn the machine off...
>
>What I am going to be looking at and am interested in
>is the basic stability of FW-1 on NT... I have heard from
>sources that Checkpoint is now developing FW-1 for NT and
>then ports it to UNIX, not the other way around. True?
>
>This should be good for the basic stability of FW-1-on-NT
>but again: I am more interested in the experiences other
>admins have.
>
>Your wish to 'plug holes in NT' is a cry for a tremendous
>list of patches, advisories, updates and other goodies
>but again, what you really want to look at is all that
>touches your network card...
>
>So I would like to ask the list: how much ip-stack in
>a FW-1 config is MS's and how much is replaced by
>Checkpoint's?
>
>emj
>
>On Oct 16, 13:37, Mario Muehlbauer wrote:
>> Subject: Firewall-1 on NT
>> I need to implement Firewall-1 on Windows NT 4.0.
>>
>> What security holes could be in NT?
>>
>> How can I harden the OS?
>>
>> Please no philosophic discussions about NT versus UNIX!
>>
>> Mario Muehlbauer
>>-- End of excerpt from Mario Muehlbauer
>
>
>
>- --
>- -------------------------------------------------------------------
>Ewout Meij Pinewood Automatisering b.v.
>E-mail: ewout@pinewood.nl Kluyverweg 2a
>Phone: +31-15 268.25.43 2629 HT Delft
>
>Some men are wise and some are otherwise
>
>------------------------------
>
>Date: Thu, 16 Oct 1997 09:57:02 -0700
>From: James Terry <james.terry@imx-exchange.com>
>Subject: RE: Firewalls: Exchange mail proxy in DMZ.
>
>There are other ways of course, software being what it is. We've got
>some positive preliminary results from our testing
>of MS pptp over SecureRemote to a translated address. A little costly
>perhaps, but it DOES seem to work.
>
>
>james@imx-exchange.com
>
>
>
>
>
>
>>-----Original Message-----
>>From: Doug Bridgens [SMTP:doug.bridgens@imxexchange.com]
>>Sent: Thursday, October 16, 1997 1:50 AM
>>To: 'firewalls@greatcircle.com'
>>Subject: Firewalls: Exchange mail proxy in DMZ.
>>
>>Hi,
>> Has anyone set up a MS Exchange mail server proxy in the DMZ of their
>>firewall? We have a few remote users who will need to access email
>>accounts in our servers. Is a mail server proxy the best way to
>>achieve this, or are there other ways?
>>
>>Thanks
>>Doug
>
>------------------------------
>
>Date: Thu, 16 Oct 1997 09:51:37 -0700 (PDT)
>From: Leonard Miyata <leonard@geminisecure.com>
>Subject: Re: Firewalls: www & high port numbers
>
>Hi There
>
>You have encountered the problem with FTP PASSIV mode. Passive mode
>connects from a random high port to a random high port. It is
>directional, as the side initiating the data connection (always
>the Client) always has the SYNC bit set on the first packet. Without a
>true FTP proxy that supports PASSIV mode, you have to open all high port
>to high port connections. By filtering on the SYNC bit, at least
>you can restrict who can start the transfer to only 'inside to
>outside' connections. The book 'Building Internet Firewalls' by
>Chapman and Zwicky has a good write up on the details.
>
>Personal Opinions provided by
>Leonard Miyata
>aka leonard@geminisecure.com
>Gemini Computers Inc.
>
>On Thu, 16 Oct 1997, Doug Bridgens wrote:
>
>> Hi,
>> When browsing the WWW lots of sites offer downloadable software. When
>> you click on the link to the download you are shoved to a new page at a
>> high port number (eg. 34200). Whenever a browser tries to go to
>> download something it just hangs because the firewall is stopping its
>> communication through the high port number. Can anyone tell me what
>> should be done to allow downloading software from the web but not open up
>> every port?
>>
>> Thanks
>> Doug
>>
>
>------------------------------
>
>Date: 16 Oct 97 10:18:47 EDT
>From: Ryan Russell/SYBASE <Ryan.Russell@sybase.com>
>Subject: Re: Simple UDP & ActiveX question
>
>It's not possible to reliably authenticate the
>origin of ANY packet unless it's cryptographically
>signed by a trusted party you've previously exchanged
>keys with, and you trust them to manage their keys
>properly. UDP is just easier to spoof.
>
>ActiveX acknowledges the fact that downloaded code
>can essentially do whatever it wants, and its security is
>based on the fact that the applets are cryptographically
>signed (hopefully by a trustworthy party) but the end
>user typically gets to decide if they will download
>an applet, signed by good guys, bad guys, or
>not at all.
>
>Java pretends that it doesn't have security problems.
>The latest also adds a signed-applet-with-full-privs
>mechanism like ActiveX.
>
>So, no, depending on your level of paranoia, none
>of those are good enough.
>
> Ryan
>
>
>
>
>
>
>
>marcelg@new.iscorltd.co.za (Marcel Groenewald) on 10/16/97 03:01:23 PM
>To: firewalls@GreatCircle.COM @ smtp
>cc: (bcc: Ryan Russell/SYBASE)
>Subject: Simple UDP & ActiveX question
>
>Hi all,
>
>Please tell me if the following statements are true, and if so, if it's a
>good enough reason to stop the relevant services from going across the
>firewall:
>
>"UDP should be blocked, since it is not possible to reliably authenticate
>the origin of UDP packets"
>
>"ActiveX (but not Java) should be blocked by the firewall"
>
>Thank you
>Marcel Groenewald
>
>/*******************************************************************/
>The views expressed above are not necessarily those of Iscor Limited
>/*******************************************************************/
>
>------------------------------
>
>Date: Thu, 16 Oct 1997 10:23:20 -0700
>From: trall@almaden.ibm.com
>Subject: RE: Firewalls: www & high port numbers
>
>"Stackpole, Bill" <BSTACKPO@sla.com> wrote:
>>>Some routers and firewalls allow you to filter on "established"
>connections. This feature allows any inbound packets to pass through if
>the connection was established internally (outbound) and will overcome
>this particular problem. However, it may create other security
>problems. I would like to hear from some others about the pitfalls of
>using this mechanism.
><<
>
>You're not quite right about the meaning of "established". With Cisco it
>means that any packet with the ACK or RST bit in the flags will match (a
>connection initiation packet normally contains only SYN). If your
>access-list says to permit this, such packets will be allowed through.
>
>This means that an attacker could get packets through to the target simply
>by including the ACK bit. There are some exploits that try to make use of
>this. This could involve:
>
>* Forging the origin IP address to try to match an existing connection
>(generally would need to guess at the TCP sequence number too, but there
>are ways to do this on some stacks).
>
>* Simply probing for flaws in the target's stack; i.e., it should ignore
>any established packet unless it's part of an existing connection, but you
>never know (I haven't heard of successful attacks using this).
>
>Tony Rall
>
>------------------------------
>
>Date: Thu, 16 Oct 1997 14:46:06 -0300
>From: "Kevin Speichts" <kfs@istar.ca>
>Subject: Re: [FW1] Re: Virus Protection on FW-1
>
>- -----Original Message-----
>From: Jyri Kaljundi <jk@stallion.ee>
>To: Frank Darden <fdarden@locked.com>
>Cc: fw-1-mailinglist@us.checkpoint.com <fw-1-mailinglist@us.checkpoint.com>;
>Firewalls mailing list <firewalls@GreatCircle.COM>
>Date: Thursday, October 16, 1997 1:46 PM
>Subject: Re: [FW1] Re: Virus Protection on FW-1
>
>snip.
>
>>I don't know about NT, may be that really is so stupid it does not know
>>how to use both processors.
>>
>>Jyri Kaljundi
>>jk@stallion.ee
>>AS Stallion Ltd
>>http://www.stallion.ee/
>>
>>
>
>Smartly NT will use both processors, it was designed from the start to use
>them. Unlike other OS's like NetWare where multiprocessor support was
>grafted onto the primary OS.
>
>NT workstation supports 2, NT server supports 4, OEM versions (like Compaq)
>can support up to 32.
>
>If the application isn't multithreaded then it can't take advantage of the
>second processor. The OS will use them for its other services though.
>
>Jyri, please keep the OS religious chatter off this list please and thank
>you.
>
>------------------------------
>
>Date: Thu, 16 Oct 1997 13:02:58 -0500
>From: "Matt Eide" <matte@sybron.com>
>Subject: Re: Firewall-1 on NT
>
>Not to be argumentative.
>
>- --------------------Ewout Meij wrote -----------------
>
>
>>Dear Mario,
>>
>>Your question comes at a perfect time for me, since I need
>>to do (about) the samething.
>>
>>I think that your qestions are nice for a good discussion but
>>that question should be different. Since only the outside
>>ethernet adaptor is connected to the net, your focus
>>should be on that part of the machine.
>
>True, only if you have an Internet Firewall and are not worried about
>somebody compromising it from the inside.
>
>>Hardening the OS will only be beneficial if your FW machine
>>is compromised... in which case (I think) you really only want
>>to be notified, and turn the machine off...
>>
>
>You may also want to prevent that individual from modifying the system
>before you hit the power switch.
>
>
>- -----Snipped -----
>...
>>
>>So I would like to ask the list: how much ip-stack in
>>a FW-1 config is MS's and how much is replaced by
>>Checkpoint's?
>
>I believe the whole stack is replaced. I took a NT 4.0 box and ran Winnuke
>against it and it gave an exception error with TCPIP.SYS.
>
>When I ran Ping of Death2 tests against a box running FW1 2.1 it gave an
>exception error with I believe FW.SYS (maybe wrong name I did not write it
>down and I have not tried it against my box running FW 3.0, maybe later
>today).
>
>FW1 would not forward any packets inbound or outbound after the exception
>error would happen.
>
>That was my experience, somebody a little more literate on the internals of
>FW1 might want to comment.
>
>In response to questions of stability, I got a Compaq Proliant Pentium Pro
>with 3COM NIC's running 2.1C on NT4 running as an Internet firewall that has
>worked great with moderate usage for the last 8 months.
>
>The only problem I had was when somebody decided to run a Denial of Service
>attack against it. I will soon be swapping in a box running FW 3.0 and
>I'm pretty confident that I can configure the new Firewall to be more
>resistant to Denial of Service attacks.
>
>
>- --- Snipped Mario Muehlbauer original post -------------
>
>
>that is my two cents, maybe later I will have a little better info on the
>FW-1 TCP/IP stack to post on the list.
>
>Mail me if you would like to talk about this.
>
>Good Luck,
>
>Matt Eide
>Network Admin
>Sybron International
>
>------------------------------
>
>Date: Thu, 16 Oct 1997 23:28:47 +0800
>From: Zhu Chun <zhuchun@buaa.edu.cn>
>Subject: [none]
>
>remove
>
>------------------------------
>
>Date: Thu, 16 Oct 1997 18:17:12 +0200
>From: Marc Dorando <MDorando@argus.de>
>Subject: [none]
>
>remove
>
>------------------------------
>
>Date: Thu, 16 Oct 1997 18:14:20 +0200
>From: advide Consonni <owend@tin.it>
>Subject: letter
>
>remove
>
>------------------------------
>
>Date: Thu, 16 Oct 1997 16:36:25 +0100
>From: cuco <cuco@active.ch>
>Subject: Firewall for linux
>
>hello Jonah,
>you can see the following url
>http://www.ifi.unizh.ch/ikm/SINUS/firewall.html from the University of
>Zurich. There is a firewall, that runs on linux.
>Greetings
>Alex
>
>------------------------------
>
>Date: Thu, 16 Oct 1997 19:34:55 +0100
>From: Ana Catarina Silva <AC.Dark.Shadow@mail.telepac.pt>
>Subject: [none]
>
>Sorry but I'm receiving some mails, I mean a lot of mails and they are not
>for me because they refer to windows and windows nt and I'M NOT INTERESTED.
>
>See if you can arrange the situation.
>
>Best wishes, Ana Catarina Silva.
>
>------------------------------
>
>Date: Thu, 16 Oct 1997 10:35:19 -0400
>From: Arthur Young <ahy@ziplink.net>
>Subject: [none]
>
>Is there any product out there that could dynamically identify the ports used
>by a web site ... e.g. if I connect to a site it would tell me that it is
>using port 80, 81, etc.
>It seems that more and more sites are using multiple ports and it would be
>helpful to identify them to allow secure access through the firewall.
>
>- - Arthur Young, Medical Systems Solutions, Inc.
> (508) 429-3956
>
>------------------------------
>
>Date: Thu, 16 Oct 1997 11:16:26 -0300
>From: Alessandro Jannuzzi <jannuzzi@csn.com.br>
>Subject: Wrong time logged
>
>Hello,
>
>I am experiencing the following problem:
>In my Firewall-1 3.0 log file all entries are being logged with the wrong time.
>I am using two machines, running Solaris, one with the inspection module
>and the other with the management module.
>
>The system date is ok in the two machines.
>
>Any tips ?
>
>Thanks in advance.
>
>Regards,
>
>Alessandro Jannuzzi
>jannuzzi@csn.com.br
>
>------------------------------
>
>Date: Thu, 16 Oct 1997 13:57:40 -0500 (CDT)
>From: Peter da Silva <peter@baileynm.com>
>Subject: Re: Firewalls: www & high port numbers
>
>> * Simply probing for flaws in the target's stack; i.e., it should ignore
>> any established packet unless it's part of an existing connection, but you
>> never know (I haven't heard of successful attacks using this).
>
>You can probe to see what IPs are behind the firewall and what services
>they're using by looking at whether you get a RST or not.
>
>------------------------------
>
>Date: Thu, 16 Oct 1997 16:10:04 -0400
>From: bob bryant <rhb1@gte.com>
>Subject: [none]
>
>remove
> Bob Bryant Email rbryant@gte.com
> Member Technical Staff Fax 617-466-2838
> Secure Systems Department Phone 617-466-2821
> GTE Laboratories Incorporated
> 40 Sylvan Rd
> Waltham, Ma 02254
>
>------------------------------
>
>Date: Thu, 16 Oct 1997 13:47:40 -0700
>From: "Wolfgang, Karl" <WolfganK@IRWIN.ARMY.MIL>
>Subject: RE: Firewalls: Exchange mail proxy in DMZ.
>
>Have you tried using a Remote Access Service with Challenge Handshake
>Authentication Protocol for DES-encrypted authentication? The remote
>user would then pass through to the Exchange server. You could set
>Performance Monitor to alert if unauthorized nasty folks try to access
>the net through the RAS. Of course this assumes that you are using NT
>OS.
>
>Check out Tom Sheldon's book Windows NT Security Handbook for more
>information.
>
>>----------
>>From: Doug Bridgens [SMTP:Doug.Bridgens@3Dlabs.com]
>>Sent: Thursday, October 16, 1997 1:50 AM
>>To: 'firewalls@greatcircle.com'
>>Subject: Firewalls: Exchange mail proxy in DMZ.
>>
>>Hi,
>> Has anyone set up a MS Exchange mail server proxy in the DMZ of their
>>firewall? We have a few remote users who will need to access email
>>accounts in our servers. Is a mail server proxy the best way to
>>achieve this, or are there other ways?
>>
>>Thanks
>>Doug
>>
>
>------------------------------
>
>Date: Thu, 16 Oct 1997 21:58:48 GMT
>From: Ambrose Li <news-misc@mingpaoxpress.com>
>Subject: Re: PIX and other "Black boxes" vs normal firewalls.
>
>There is also the Borderware firewall, which is also a "black box"
>(once it is installed), also based on "hardened Unix" (BSD).
>
>
>
>In article <343E27D6.CAE18E73@techie.com>, Emmanuel Yiu <e@techie.com>
>wrote:
>>
>>Their solution is kind of neat to me. They have a box which run a
>>"harden" Linux kernel, this sounds to me a good edge, it is base in UNIX,
>>a lot of people know it and probably when there is security hole, it will
>>be identified quick and potentially closed quick (owing to the
>>accessibility of source code by WORLD of experts). You can constantly
>>bugging your vendor of any security hole that you know from any source,
>>like this list. This seems to better with PIX as you depend solely on
>>CISCO for any fix which they may not even ACTIVELY inform you. That
>>serves as the hardware part of the whole solution.
>
>- --
>Ambrose C. Li <acli@mingpaoxpress.com> Programmer-analyst (sysadmin)
>Toronto EDP, Ming Pao Daily News +1(416)321-0088 1355 Huntingwood Dr
>Scarborough ON Canada M1S 3J1 [<- work ]
> [ home ->] <acli@acli.interlog.com>
>
>------------------------------
>
>Date: Thu, 16 Oct 1997 17:16:24 -0500 (CDT)
>From: jphillip@umr.edu
>Subject: [none]
>
> remove
>
>------------------------------
>
>Date: Thu, 16 Oct 1997 18:05:46 -0400
>From: Steve Kruse <jsk347@worldnet.att.net>
>Subject: RE: Firewalls: www & high port numbers
>
>
>At 03:15 PM 10/16/97 +0000, Stackpole, Bill wrote:
>>Some routers and firewalls allow you to filter on "established"
>>connections. This feature allows any inbound packets to pass through if
>>the connection was established internally (outbound) and will overcome
>>this particular problem. However, it may create other security
>>problems. I would like to hear from some others about the pitfalls of
>>using this mechanism.
>
>This becomes a religious issue with some, but the major thing about
>packet filtering is that it relies primarily on IP and port number
>assignments, with some routers going a bit farther to control things
>such as the TCP_EST and other flags. Packet filters are fast and
>efficient.
>
>Using more advanced "filtering" such as "stateful inspection" and
>full Proxy offers more options in tightening down security policy.
>Just one example: With a proxy you can control whether someone can do
>a put or get, chdir etc in an FTP session. This is either impossible
>or very very difficult to do with packet filters. The price paid is
>in slightly degraded performance compared to packet filters.
>
>The security manager's decision, as always, is: "What is my level of
>paranoia?" What am I willing to pay for my security? Cost of the
>solution? Speed/Performance? Ease of use/administration??
>
>Good luck!
>
>Steve Kruse
>>
>>> -----Original Message-----
>>> From: Doug Bridgens [SMTP:Doug.Bridgens@3Dlabs.com]
>>> Sent: Thursday, October 16, 1997 1:43 AM
>>> To: 'firewalls@greatcircle.com'
>>> Subject: Firewalls: www & high port numbers
>>>
>>> Hi,
>>> When browsing the WWW lots of sites offer downloadable software.
>
> S T U F F D E L E T E D TO S A V E B A N D W I D T H
>
>>> rt number (eg. 34200). Whenever a browser tries to go to
>>> download something it just hangs because the firewall is stopping its
>>> communication through the high port number. Can anyone tell me what
>>> should be done to allow downloading software from the web but not open
>>> up every port?
>>>
>>> Thanks
>>> Doug
>>
>
>*****************************************************
>* Steve Kruse Milkyway Networks *
>* Network Systems Engineer 1342 E. Vine St. #224 *
>* 407-847-8977 Voice Kissimmee, FL 34744 *
>* 407-847-7203 Fax http://www.milkyway.com *
>*****************************************************
>
>------------------------------
>
>Date: Thu, 16 Oct 1997 15:51:53 -0400
>From: Larry.Riley@disclosure.com (Larry Riley)
>Subject: Connect: Conceal Encryption Server
>
> I am looking at evaluating the Connect: Conceal Encryption Server and
> Firewall for Unix from Sterling Commerce, for my company. Does anyone
> have either of these systems up and running? Or have tested these
> systems in the past?
>
> Thanks for your input.
>
> Larry
>
>------------------------------
>
>Date: Thu, 16 Oct 1997 09:38:34 -0400 (EDT)
>From: "Paul D. Robertson" <proberts@clark.net>
>Subject: RE: TCP options and firewalls
>
>On Wed, 15 Oct 1997, Peter Ford wrote:
>
>> I actually mean TCP options, and I am actually interested in
>> "new" TCP options that firewalls might not recognize.
>
>In the case of proxies, the bastion's stack isn't going to pass the
>options through to the clients. So, you may as well say that none of
>them will be recognized for the case of non-packet filters.
>
>Paul
>-----------------------------------------------------------------------------
>Paul D. Robertson "My statements in this message are personal opinions
>proberts@clark.net which may have no basis whatsoever in fact."
> PSB#9280
>
>------------------------------
>
>Date: Thu, 16 Oct 1997 19:39:14 +0300 (EET DST)
>From: Jyri Kaljundi <jk@stallion.ee>
>Subject: Re: [FW1] Re: Virus Protection on FW-1
>
>On Thu, 16 Oct 1997, Frank Darden wrote:
>
>> >By the way, does the CheckPoint firewall service take advantage of Windows
>> >NT symmetric multi-processing?
>>
>> Firewall-1 is a single threaded application. In 3.0a, multi-processor
>> support was there, but they have mysteriously removed it from 3.0b. So for
>> the time being, the answer is no, on all platforms.
>
>This should already go into a FAQ somewhere: yes, FireWall-1 at least on
>Solaris Sparc and Solaris x86 Intel does take advantage of
>multiprocessing. Why: because Solaris itself distributes the load between
>two or more processors. Believe me, if you add a second processor to dual
>Pentium for example you can see how it gets better.
>
>I don't know about NT, may be that really is so stupid it does not know
>how to use both processors.
>
>Jyri Kaljundi
>jk@stallion.ee
>AS Stallion Ltd
>http://www.stallion.ee/
>
>------------------------------
>
>Date: Thu, 16 Oct 1997 09:43:46 -0400
>From: tcooper@hns.com
>Subject: Re: Firewalls-Digest V6 #489
>
>NT uses TCP ports 138 and 139, as well as UDP 138 and 139.
>> ------------------------------
>> Date: Thu, 16 Oct 1997 16:42:29 +1000 (EST)
>> From: Colin Linahan <cfl@parkville.molsci.csiro.au>
>> Subject: Windows NT domain through Gauntlet firewall
>>
>> Hi everyone,
>> We want to do what many may consider a security risk - allow Windows
>> NT ports 137,138 and 139 between initially three geographically
>> separate sites.
>
>Make sure that your solution supports TCP and UDP!
>
>> Basically - will someone at another of our sites be able to join
>> or log in to our domain if the PDC is at our site, behind our
>> firewall ?
>
>
>One domain, three sites? PDC at main site with BDC's at remote sites?
>You want your users to do local logins - so setting up a BDC at your
>remotes makes good sense.
>
>Multiple domains - one per site, with trust relationships? This is still
>workable, but again, it's better if you can have a BDC locally to minimize
>WAN traffic.....
>
>Regards,
>Tom
>
>------------------------------
>
>Date: Thu, 16 Oct 1997 15:10:46 +0100
>From: Doug Bridgens <Doug.Bridgens@3Dlabs.com>
>Subject: RE: Firewall-1 on NT
>
>I read a knowledge base (I think) article which said things like rename
>the admin account, disable all non-essential accounts, disable all
>non-essential services. You can also set the admin account to be
>accessible only from the console (ie. not remotely). I think most of
>these are set in the registry though.
>
>Doug
>
>>-----Original Message-----
>>From: Mario Muehlbauer [SMTP:mamuehl@mail.teleconsult.de]
>>Sent: Thursday, October 16, 1997 12:37 PM
>>To: Firewalls@GreatCircle.COM
>>Subject: Firewall-1 on NT
>>
>>I need to implement Firewall-1 on Windows NT 4.0.
>>
>>What security holes could be in NT?
>>
>>How can I harden the OS?
>>
>>Please no philosophic discussions about NT versus UNIX!
>>
>>Mario Muehlbauer
>
>------------------------------
>
>Date: Thu, 16 Oct 1997 08:58:45 -0400
>From: Frank Darden <fdarden@locked.com>
>Subject: Re: Virus Protection on FW-1
>
>At 09:24 PM 7/30/97 -0500, Jay K. Bahel wrote:
>>How much of a performance hit is it to have firewall virus protection
>
>A very large performance hit. None of these products run well when placed
>on the Firewall. (I know Esafe actually warns against this). I should also
>mention that if you run the CVP server by itself on a high end Pentium, the
>CVP actions are nearly transparent to the user.
>
>I strongly recommend only running what's necessary on your Firewall. Don't
>be penny wise, and pound foolish.
>
>>snap-ins (i.e. ViruSafe and the Symantec solution) installed directly on
>>the firewall server (WINNT) as opposed to on another server using CVP? I
>>plan to have my firewall machine have a LOT of horsepower.
>
>I still recommend you run it separately.
>
>
>>By the way, does the CheckPoint firewall service take advantage of Windows
>>NT symmetric multi-processing?
>
>Firewall-1 is a single threaded application. In 3.0a, multi-processor
>support was there, but they have mysteriously removed it from 3.0b. So for
>the time being, the answer is no, on all platforms.
>
>>-Jay
>>----------
>>> From: Didier Raelet <didier.raelet@nrb.be>
>
>http://www.locked.com
>
>------------------------------
>
>Date: Thu, 16 Oct 1997 09:04:36 -0700
>From: "Stackpole, Bill" <BSTACKPO@sla.com>
>Subject: RE: Simple UDP & ActiveX question
>
>> -----Original Message-----
>> From: marcelg@new.iscorltd.co.za [SMTP:marcelg@new.iscorltd.co.za]
>> Sent: Thursday, October 16, 1997 6:01 AM
>> To: firewalls@greatcircle.com
>> Subject: Simple UDP & ActiveX question
>>
>> Hi all,
>>
>> Please tell me if the following statements are true, and if so, if
>> it's a good enough reason to stop the relevant services from going
>> across the firewall:
>>
>> "UDP should be blocked, since it is not possible to reliably
>> authenticate the origin of UDP packets"
>> [Bill Stackpole] It's not possible to reliably authenticate IP
>> packets in general unless you implement some authentication protocol.
>> But if you block all UDP you are going to have significant problems
>> getting services (e.g., DNS) that use UDP to work.
>>
>> "ActiveX (but not Java) should be blocked by the firewall"
>> [Bill Stackpole] ActiveX is a security nightmare. And the developers
>> have openly stated that they have no intention of adding secure
>> features to it. I would definitely deny ActiveX use on my network.
>> Java also has some security problems and (in my opinion) its use
>> should be restricted until Sun has addressed some of the problems that
>> have surfaced.
>>
>> Thank you
>> Marcel Groenewald
>>
>> /*******************************************************************/
>> The views expressed above are not necessarily those of Iscor Limited
>> /*******************************************************************/
>
>------------------------------
>
>Date: Thu, 16 Oct 1997 12:02:39 -0400 (EDT)
>From: "M. Dodge Mumford" <dmumford@btg.com>
>Subject: Re: firewalls with linux OS
>
>I've implemented a firewall at home using Linux with the ipfwadm package
>that's part of the 2.x.x kernel. I'm not using any of the proxies (yet),
>allowing only a few things out and allowing only one protocol in. It
>appears to be working well, but I haven't bashed on it hard.
>
>A good reference I used to aid in the setup was "Unix Security" from the
>editors of SysAdmin magazine, published this year. It has one chapter
>dedicated to installing a Linux firewall. That chapter was written a
>while ago (while 1.3.68 was the most current), but enough has stayed the
>same to make it worthwhile.
>
>The man pages only started to make sense once I'd installed a few rules
>and tested to see if they did what I'd expected.
>
>Dodge Defensive Information Warfare Group
>M. Dodge Mumford http://www.btg.com
>dmumford@btg.com PGP Public Key Available
>
>On Wed, 15 Oct 1997, jonah wrote:
>
>> hello,
>>
>> I need to install a firewall for a non-profit organisation.
>> I have almost no budget so it has to be freeware (or shareware)
>> and run on a PC with the Linux OS.
>> This is my first experience installing and configuring a firewall.
>>
>> I have heard of two solutions: socks and fwtk.
>> Does anyone know the differences between these two firewalls?
>> Are there any other free firewalls available?
>>
>> If you have any experience with any freeware firewall on Linux
>> please answer.
>> Thanks.
>>
>> jonah
>> Paris, France.
>>
>>
>
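The point Bill Stackpole makes above (a blanket "deny UDP" rule also kills DNS, and no filter rule can authenticate where a UDP packet came from) and the short "few things out, one protocol in" rule list Dodge Mumford describes are easier to see against a concrete filter. The following is an added example written for this digest, not code from any poster and not ipfwadm syntax: it models a stateless, first-match packet filter in Python, evaluates two rule sets against constructed sample packets, and shows that the narrower rule set keeps DNS to one resolver working while still denying other UDP. The Rule and Packet classes, the RFC 5737 documentation addresses and the sample traffic are all assumptions made here.

```python
"""Stateless packet-filter model: "block all UDP" versus "UDP for DNS only".

Added example, not code from the digest or from ipfwadm. It models the
trade-off in the Stackpole/Groenewald exchange and the kind of short rule
list M. Dodge Mumford describes. Rule and packet classes, addresses and
the sample packets are all constructed here for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str        # source IP (dotted quad)
    dst: str        # destination IP
    sport: int      # source port
    dport: int      # destination port


@dataclass(frozen=True)
class Rule:
    action: str                    # "accept" or "deny"
    proto: Optional[str] = None    # None matches any protocol
    src: str = "0.0.0.0/0"         # CIDR the source must fall in
    dst: str = "0.0.0.0/0"         # CIDR the destination must fall in
    sport: Optional[range] = None  # None matches any source port
    dport: Optional[range] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and self.proto != p.proto:
            return False
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.sport is not None and p.sport not in self.sport:
            return False
        if self.dport is not None and p.dport not in self.dport:
            return False
        return True


def decide(rules, packet: Packet, default: str = "deny") -> str:
    """First matching rule wins; nothing matched means the default policy."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return default


# Assumed addresses (RFC 5737 documentation ranges stand in for real ones).
INSIDE = "192.0.2.0/24"          # the protected LAN
RESOLVER = "198.51.100.53/32"    # the one external DNS resolver the LAN may use
DNS = range(53, 54)
HTTP = range(80, 81)

# Rule set 1: the "block UDP" advice taken literally. Web still works, DNS dies.
BLOCK_ALL_UDP = [
    Rule("deny", proto="udp"),
    Rule("accept", proto="tcp", src=INSIDE, dport=HTTP),
]

# Rule set 2: UDP only for DNS to the known resolver, plus its replies.
DNS_ONLY_UDP = [
    Rule("accept", proto="udp", src=INSIDE, dst=RESOLVER, dport=DNS),
    Rule("accept", proto="udp", src=RESOLVER, dst=INSIDE, sport=DNS),
    Rule("deny", proto="udp"),
    Rule("accept", proto="tcp", src=INSIDE, dport=HTTP),
]

# Constructed sample traffic.
DNS_QUERY = Packet("udp", "192.0.2.10", "198.51.100.53", 40000, 53)
DNS_REPLY = Packet("udp", "198.51.100.53", "192.0.2.10", 53, 40000)
OUTSIDE_UDP = Packet("udp", "203.0.113.7", "192.0.2.10", 1023, 2049)   # NFS probe
WEB = Packet("tcp", "192.0.2.10", "203.0.113.7", 40001, 80)
# A forged reply carrying the resolver's address as source is byte-for-byte
# the same to a stateless filter as DNS_REPLY: this is the "cannot
# authenticate the origin" point, and no filter rule can fix it.
FORGED_REPLY = Packet("udp", "198.51.100.53", "192.0.2.10", 53, 40000)


if __name__ == "__main__":
    for name, rules in (("block-all-udp", BLOCK_ALL_UDP), ("dns-only-udp", DNS_ONLY_UDP)):
        for label, pkt in (("dns query", DNS_QUERY), ("dns reply", DNS_REPLY),
                           ("outside udp", OUTSIDE_UDP), ("web", WEB)):
            print(f"{name:13} {label:12} -> {decide(rules, pkt)}")
```

The reply rule in the second set is the weak spot a stateless filter cannot avoid: anything from the resolver's address with source port 53 reaches any inside port, and a packet with a forged source address is indistinguishable from a genuine reply. Stateful tracking of the outstanding query (address, port and transaction) narrows that hole; authenticating the origin needs a protocol, not a filter rule.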
>------------------------------
>
>Date: Fri, 17 Oct 1997 10:31:08 -0700
>From: Lee Nan Phin <nplee@mol.net.my>
>Subject: WinGate Proxy
>
>Hi all,
>
>Need to seek an expert's advice on the above.
>
>We have difficulty setting up Lotus Client accessing Domino server
>through WinGate Proxy server.
>
>I notice that there is no predefined proxy for Lotus Notes connections
>(port 1351).
>
>What should I do? Any advice would be appreciated.
>
>Thanks in advance.
>
>Regards.
>
>------------------------------
>
>Date: Thu, 16 Oct 1997 22:04:03 -0500 (CDT)
>From: Andy Lewis <alewis@mpsi.net>
>Subject: REMOVES
>
>I get I don't know how many e-mails a day from people
>removing themselves from this list. Isn't there any way to
>not bounce removes to those of us that are on the list?
>
>This certainly could save a heck of a lot of BW....
>
>ANdy
>
>------------------------------
>
>Date: Thu, 16 Oct 1997 20:22:16 -0400
>From: "Mark Teicher" <mark-teicher@worldnet.att.net>
>Subject: Re: PIX and other "Black boxes" vs normal firewalls.
>
>> > This seems better than PIX, as you depend
>> >solely on CISCO for any fix, which they may not even ACTIVELY inform you
>> >of. That serves as the hardware part of the whole solution.
>
>What do you mean by this??
>
>"may not even ACTIVELY inform you"
>
>/mht
>- ----------
>> From: Ambrose Li <news-misc@mingpaoxpress.com>
>> To: firewalls@GreatCircle.COM
>> Subject: Re: PIX and other "Black boxes" vs normal firewalls.
>> Date: Thursday, October 16, 1997 5:58 PM
>>
>> There is also the Borderware firewall, which is also a "black box"
>> (once it is installed), also based on "hardened Unix" (BSD).
>>
>>
>>
>> In article <343E27D6.CAE18E73@techie.com>, Emmanuel Yiu <e@techie.com>
>> wrote:
>> >
>> >Their solution is kind of neat to me. They have a box which runs a
>> >"hardened" Linux kernel; this sounds to me like a good edge. It is based
>> >on UNIX, a lot of people know it, and probably when there is a security
>> >hole it will be identified quickly and potentially closed quickly
>> >(owing to the accessibility of the source code to a WORLD of experts).
>> >You can constantly bug your vendor about any security hole that you
>> >know of from any source, like this list. This seems better than PIX,
>> >as you depend solely on CISCO for any fix, which they may not even
>> >ACTIVELY inform you of. That serves as the hardware part of the whole
>> >solution.
>>
>> --
>> Ambrose C. Li <acli@mingpaoxpress.com> Programmer-analyst (sysadmin)
>> Toronto EDP, Ming Pao Daily News +1(416)321-0088 1355 Huntingwood Dr
>> Scarborough ON Canada M1S 3J1 [<- work ]
>> [ home ->] <acli@acli.interlog.com>
>
>------------------------------
>
>Date: Fri, 17 Oct 1997 05:32:42 +0200
>From: Stepken <stepken@edina.xnc.com>
>Subject: Re: firewalls with linux OS
>
>Chris Pugrud wrote:
>>
>> Part of your firewall planning is needing to determine what to support.
>> In Windows based organizations I have found the answer to generally be
>> http, ftp, and smtp (web and e-mail basically). In this situation it is
>> relatively easy to set up a simple, effective firewall using Linux,
>> Apache, and Qmail.
>>
>> Apache has a pretty good web/ftp proxy function built in. The caching
>> functionality doesn't seem to be very effective, but I really haven't
>> played with the settings. For added security I tend to run two apache
>> daemons, one for the inside with the proxy functions built in, and one
>> for the outside web server that is stripped and gutted to the bare
>> essentials (the less code there is, the less that can be compromised).
>
>Apache is quite stable. You should let it run in a chroot() environment.
>For security purposes I really only trust CERN-HTTPD. It's the only
>one which is bulletproof.
>
>> Qmail is very fast and effective as an e-mail gateway. I would
>> recommend using an internal e-mail server, and just have Qmail relay
>> mail between the world and the office. Qmail also has a very easy setup
>> to disable the relay functionality, so you can avoid being victimized by
>> spammers using your server.
>
>QMAIL still is not bulletproof, but seems to be better than sendmail.
>I'd recommend a sendmail proxy (there are some free ones) and qmail
>running in user-mode.
>
>> If you strip and gut the Linux server appropriately you will end up with
>> a very tight configuration, with only three ports open to attack (http,
>> smtp, and dns). A complete configuration with pwebstats for traffic
>> analysis and reporting, apache, qmail, and all of the tools you actually
>> need on the server is less than 20 MB. Be sure and setup a separate and
>> large partition for log files.
>
>I am not really sure that buffer overflows are not possible
>with bind. I would suggest being very careful. I will test it right
>now.
>
>By the way - I've found LINUX to be very stable and safe, if you invest
>some time to harden the system.
>
>cu, Guido Stepken
>
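Chris Pugrud's remark above that qmail makes it easy to disable relaying rests on one documented rule in qmail-smtpd: a RCPT TO is accepted if the recipient's domain is listed in control/rcpthosts, or if the RELAYCLIENT environment variable was set for the connection (normally by tcpserver from a tcp.smtp rules file); if rcpthosts is missing, every recipient is accepted, which is exactly the open relay the spammers he mentions look for. The following is an added example written for this digest, not qmail's code: a Python model of that decision, run against constructed rcpthosts and tcp.smtp contents. The IP-prefix handling of tcprules is modelled; hostname-based entries are left out, and the sample addresses are RFC 5737 documentation ranges.

```python
"""Model of qmail-smtpd's relay decision (added example; not qmail's code).

The documented rule: qmail-smtpd accepts a RCPT TO if the recipient's domain
is listed in control/rcpthosts (an entry starting with "." matches every
subdomain), or if RELAYCLIENT is set in the environment for the connection,
which tcpserver does from a tcp.smtp rules file. If rcpthosts is absent,
every recipient is accepted: an open relay. The two control files below are
constructed sample input; hostname-based tcprules entries are not modelled.
"""
from typing import Dict, List, Optional, Tuple

RCPTHOSTS = """\
example.org
.example.org
"""

TCP_SMTP = """\
# office LAN may relay; everyone else may connect but only deliver locally
192.0.2.:allow,RELAYCLIENT=""
:allow
"""


def parse_rcpthosts(text: Optional[str]) -> Optional[List[str]]:
    """None means the control file does not exist at all."""
    if text is None:
        return None
    return [ln.strip().lower() for ln in text.splitlines() if ln.strip()]


def parse_tcp_rules(text: str) -> Dict[str, Tuple[str, Dict[str, str]]]:
    """tcprules lines look like ADDR:allow,VAR="value" or ADDR:deny."""
    rules: Dict[str, Tuple[str, Dict[str, str]]] = {}
    for ln in text.splitlines():
        ln = ln.strip()
        if not ln or ln.startswith("#"):
            continue
        addr, _, rest = ln.partition(":")
        action, *assignments = rest.split(",")
        env: Dict[str, str] = {}
        for item in assignments:
            name, _, value = item.partition("=")
            env[name] = value.strip('"')
        rules[addr] = (action, env)
    return rules


def connection_env(rules, client_ip: str) -> Tuple[str, Dict[str, str]]:
    """tcpserver tries the full address, then shorter dotted prefixes, then ''."""
    octets = client_ip.split(".")
    candidates = [client_ip] + [".".join(octets[:n]) + "." for n in (3, 2, 1)] + [""]
    for key in candidates:
        if key in rules:
            return rules[key]
    return "deny", {}


def rcpt_allowed(rcpthosts: Optional[List[str]], env: Dict[str, str], recipient: str) -> bool:
    """The rcpthosts check as qmail-smtpd applies it to one RCPT TO address."""
    if rcpthosts is None:
        return True                     # no rcpthosts file: accept everything (open relay)
    if "RELAYCLIENT" in env:
        return True                     # tcpserver said this client may relay
    _local, at, host = recipient.rpartition("@")
    if not at:
        return True                     # no domain part: qmail-smtpd lets it through
    host = host.lower()
    # Match the whole host, then each dotted suffix so ".example.org" entries apply.
    suffixes = [host] + [host[i:] for i, c in enumerate(host) if c == "."]
    return any(s in rcpthosts for s in suffixes)


def smtp_rcpt(client_ip: str, recipient: str,
              rcpthosts_text: Optional[str] = RCPTHOSTS,
              tcp_smtp_text: str = TCP_SMTP) -> str:
    """Return the SMTP response the model gives for one RCPT TO."""
    action, env = connection_env(parse_tcp_rules(tcp_smtp_text), client_ip)
    if action != "allow":
        return "connection refused"
    ok = rcpt_allowed(parse_rcpthosts(rcpthosts_text), env, recipient)
    return "250 ok" if ok else "553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)"


if __name__ == "__main__":
    for ip, rcpt in (("192.0.2.10", "bob@remote.example.net"),
                     ("203.0.113.7", "bob@remote.example.net"),
                     ("203.0.113.7", "alice@mail.example.org")):
        print(f"{ip:12} RCPT TO:<{rcpt}> -> {smtp_rcpt(ip, rcpt)}")
```

Two things to check on a real gateway follow directly from the model: that control/rcpthosts exists and lists only your own domains, and that the tcp.smtp line granting RELAYCLIENT covers nothing but the internal address range. Either one missing turns the gateway into an open relay without any change to qmail itself.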
>------------------------------
>
>Date: Thu, 16 Oct 1997 11:55:10 -0700
>From: Beau Monday <bmonday@bsquare.com>
>Subject: RE: [FW1] Re: Virus Protection on FW-1
>
>That's a cool feature! Sending a single thread to multiple
>processors!
>
>Gotta get me some of that UNIX!
>
>NT supports 8 processors, or up to 32 if you're Compaq (or some other
>large OEM). It's dependent on the app whether it takes advantage of
>multiple processors, it's not a limitation of the OS. It is a failure
>of Firewall-1 that it is unable to take advantage of multiple
>processors.
>
>On the other hand, a second processor would allow *real*
>multi-threaded apps (like services or daemons) to access the second
>processor, perhaps leaving more cycles for Firewall-1 to use on the
>primary processor.
>
>Beau <backing out the door, trying to avoid the impending flames from
>the UNIX folks :-)...>
>
>Beau Monday, MCSE
>Network Administrator Lead
>BSQUARE corporation
>425.519.5931
>bmonday@bsquare.com
>
>- -----Original Message-----
>From: Jyri Kaljundi [SMTP:jk@stallion.ee]
>Sent: Thursday, October 16, 1997 9:39 AM
>To: Frank Darden
>Cc: fw-1-mailinglist@us.checkpoint.com; Firewalls mailing list
>Subject: Re: [FW1] Re: Virus Protection on FW-1
>
>
>On Thu, 16 Oct 1997, Frank Darden wrote:
>
>> >By the way, does the CheckPoint firewall service take advantage of
>> >Windows NT symmetric multi-processing?
>>
>> Firewall-1 is a single threaded application. In 3.0a, multi-processor
>> support was there, but they have mysteriously removed it from 3.0b.
>> So for the time being, the answer is no, on all platforms.
>
>This should already go into a FAQ somewhere: yes, FireWall-1 at least
>on Solaris Sparc and Solaris x86 Intel does take advantage of
>multiprocessing. Why: because Solaris itself distributes the load
>between two or more processors. Believe me, if you add a second
>processor to a dual Pentium for example you can see how it gets better.
>
>I don't know about NT, maybe that really is so stupid it does not
>know how to use both processors.
>
>Jyri Kaljundi
>jk@stallion.ee
>AS Stallion Ltd
>http://www.stallion.ee/
>
>------------------------------
>
>End of Firewalls-Digest V6 #490
>*******************************
>
>To unsubscribe from Firewalls-Digest, send the following command
>in the body of a message to "Majordomo@GreatCircle.COM":
>
>unsubscribe firewalls-digest
>
>If you want to subscribe or unsubscribe an address other than the
>account the mail is coming from, such as a local redistribution list,
>then append that address to the command; for example, to subscribe
>"local-firewalls":
>
>subscribe firewalls-digest local-firewalls@your.domain.net
>
>A non-digest (direct mail) version of this list is also available; to
>subscribe to that instead, replace all instances of "firewalls-digest"
>in the commands above with "firewalls".
>
>Compressed back issues are available for anonymous FTP from
>FTP.GreatCircle.COM, in pub/firewalls/digest/vNN.nMMM.Z (where "NN"
>is the volume number, and "MMM" is the issue number).
>
>