RE: Netmeeting
I think you are missing his point, and several posters seem to be making this a little too personal, too. He is not addressing the inherent flaws in any other system. We know those exist, too. The point is that NetMeeting is very difficult to proxy effectively with content examination, it uses a potentially large number of ports (compared to SMTP mail traffic), and has no secure method of authenticating and identifying those connecting. I don't care how many other systems are also insecure if I'm specifically discussing NetMeeting. They are off-topic, and I'll address them separately. Tell me about the ones that *are* secure.

I'm one of NT's biggest fans. Heck, I'm an MCSE, and *real* proud of it. I like a lot of the software Microsoft develops. But let's face it, MS PPTP, RRAS, and NetMeeting are just too partially designed and/or implemented to be allowed to pass traffic through the outer membrane of any organization that has internal data or systems that are not for public consumption or operation. Period. I would love to see MS improve upon their product, but until they start worrying about quality more and some artificial deadline (that they will undoubtedly miss more than once) less, they will face the same critics in an increasingly harsher light.

Products with no real predictable way to ensure their traffic's content and origins (Cu-See-Me, and others, included) should be re-examined by their designers if they are to be used for business purposes inter-organization. Maybe a secure implementation or a content-based proxy (with source code available, at least to third parties like NCSA, etc., for certification) could be written by the designers of the protocol or application for use in corporate settings. I don't know. I do know that I'll not use these things even for personal use as long as I have systems at home that house any sort of personal data that I consider sensitive or need-to-know.

I hope I am being clear without preaching too much. This newslist and its postings are not supposed to be a personal affront; they are supposed to be tools to help us constructively develop ways to securely communicate with the outside world from our organizations in a manner that lets us be cautious without becoming hermits. I think I ran over into the third cent . . .

~~ R. Michael Williams, MCSE
Nashville, TN

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Larry Cannell
Sent: Friday, March 19, 1999 6:52 PM
To: Firewall List
Subject: RE: Netmeeting

> just my 2 cents but it really does not matter how much perceived value is obtained by netmeeting if one can't rely on the integrity of the data that is being transmitted period. that is the point and since netmeeting is inherently insecure any data streamed via it is unreliable period.

Based on this statement I assume that your organization only allows signed and encrypted email? Or did your organization realize the incredible value email provides, assess the risk, and applied reasonable controls to minimize that risk?

> b.t.w. there are better products out there IMHO and definitely less proprietary which means these days leaving your options open.

NetMeeting's T.120 is a little proprietary but it does work with all T.120 MCUs I'm familiar with. I expect their whiteboard will become compliant soon as well. Can VNC or CU-SeeMe make these same statements? Also, NetMeeting can participate in H.323 sessions with many other vendors' products.

Larry

[To unsubscribe, send mail to [EMAIL PROTECTED] with "unsubscribe firewalls" in the body of the message.]
RE: High performance/scalable firewalls
Hi,

Here's an idea from an article in Linux Journal, that struck me as one of the smartest, yet simple, ideas I've seen (maybe I don't get out enough, you make up your own mind :-).

Let's say we have four web servers and four hosts.

1. Give the hosts RFC 1918 addresses on the real interfaces.
2. Stick the hosts behind a pair of routers using VRRP/HSRP.
3. On each machine ...
   a) configure four loopback pseudo interfaces (eg lo0:1, lo0:2, lo0:3, lo0:4). This can be done on Linux and I have also tried Solaris.
   b) configure the four web server real addresses on lo0:[1-4].
   c) set up the web servers listening on the appropriate addresses/interfaces.
   You should now have four machines all capable of answering for any of the web servers.
4. Select which host serves which web server by host routes on the routers, ie provide a host route to web server 'a' via the RFC 1918 address on the appropriate host.
5. If you use dynamic routing between the routers and the web machines you get automated failover.
6. If you can route by session (every time you see a SYN) you can even do load balancing.

This is very simple, and cheap although I've probably not explained this very well. The LJ article was much better.

Colin
--
Colin Campbell
Unix Support
CITEC
+61 7 3227 7112
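As an added illustration of steps 1, 3b and 4 (this script is not from Colin's post or the LJ article), the following dry run emits the per-host loopback-alias commands and the router-side host routes in iproute2 syntax, refusing to proceed if a host address is not RFC 1918 or a web address is. All addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example: dry-run generator for the loopback-alias / host-route setup.
# Constructed placeholder addresses; nothing here touches a real interface.
HOST_ADDRS="10.0.0.1 10.0.0.2 10.0.0.3 10.0.0.4"             # real interfaces (step 1)
WEB_ADDRS="203.0.113.11 203.0.113.12 203.0.113.13 203.0.113.14"

# is_rfc1918 A.B.C.D: succeed if the address lies in 10/8, 172.16/12 or 192.168/16
is_rfc1918() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    [ "$1" -eq 10 ] && return 0
    [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0
    [ "$1" -eq 192 ] && [ "$2" -eq 168 ] && return 0
    return 1
}

# lo_alias_cmds: commands run on every host to put all four web addresses on
# loopback aliases lo:1..lo:4 (step 3b; the 1999 setup used ifconfig lo0:N)
lo_alias_cmds() {
    n=1
    for w in $WEB_ADDRS; do
        if is_rfc1918 "$w"; then echo "refusing private web address $w" >&2; return 1; fi
        echo "ip addr add $w/32 dev lo label lo:$n"
        n=$((n + 1))
    done
}

# host_route_cmds: router-side host routes, web server i via host i (step 4).
# Pointing a /32 at a different next hop moves that web server to another host,
# which is exactly what dynamic routing does for you on failover (step 5).
host_route_cmds() {
    set -- $HOST_ADDRS
    for w in $WEB_ADDRS; do
        h=$1; shift
        if ! is_rfc1918 "$h"; then echo "host $h is not RFC 1918" >&2; return 1; fi
        echo "ip route add $w/32 via $h"
    done
}

# Dry run: print both command sets. Apply as root with e.g. lo_alias_cmds | sh
lo_alias_cmds
host_route_cmds
```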
re.. port vs security
I see in my inetd.conf (Linux):

    shell     stream  tcp  nowait    root    /usr/sbin/in.rshd    in.rshd
    ident     stream  tcp  wait      nobody  /usr/sbin/in.identd  in.identd -w -0
    http-rman stream  tcp  nowait.1  nobody  /usr/sbin/tcpd       /usr/sbin
    btx       stream  tcp  nowait    root    /usr/sbin/tcpd       /usr/lib/xcept4/bin/cepd
    rplay     dgram   udp  wait      root    /usr/sbin/tcpd       rplayd -c 60 -s 16384 -d
    midinet   stream  tcp  nowait    root    /usr/sbin/tcpd       in.midinetd

Do you know these ports... Are they dangerous...??
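A read-only check one would run over such a file, added here and not part of the poster's message: it flags every active inetd entry that runs as root or is started without the tcpd wrapper (so no hosts.allow screening or logging), and marks the r-services whose authentication rests on the client's source address. INETD_CONF is constructed from the six lines above with their spacing restored; pass a path to audit a real file.

```shell
#!/bin/sh
# Added example: audit inetd.conf entries. Sample is constructed from the
# lines quoted in the post above; the truncated http-rman server path is kept as posted.
INETD_CONF='shell     stream  tcp  nowait    root    /usr/sbin/in.rshd    in.rshd
ident     stream  tcp  wait      nobody  /usr/sbin/in.identd  in.identd -w -0
http-rman stream  tcp  nowait.1  nobody  /usr/sbin/tcpd       /usr/sbin
btx       stream  tcp  nowait    root    /usr/sbin/tcpd       /usr/lib/xcept4/bin/cepd
rplay     dgram   udp  wait      root    /usr/sbin/tcpd       rplayd -c 60 -s 16384 -d
midinet   stream  tcp  nowait    root    /usr/sbin/tcpd       in.midinetd'

# audit_inetd [file]: print "service: flag ..." for each entry worth a look.
# inetd.conf fields: name type proto wait[.max] user[.group] server-path args
audit_inetd() {
    { [ $# -gt 0 ] && cat "$1" || printf '%s\n' "$INETD_CONF"; } | awk '
        /^[ \t]*#/ || NF < 6 { next }              # skip comments and short lines
        {
            user = $5; sub(/[.:].*/, "", user)     # drop optional group suffix
            flags = ""
            if (user == "root")   flags = flags " runs-as-root"
            if ($6 !~ /\/tcpd$/)  flags = flags " no-tcp-wrapper"
            # rsh/rlogin/rexec trust the peer address and .rhosts, not a password
            if ($1 == "shell" || $1 == "login" || $1 == "exec")
                flags = flags " r-service-trusts-source-address"
            if (flags != "") print $1 ":" flags
        }'
}

audit_inetd
```

Anything listed with runs-as-root that is not needed is a candidate for commenting out and sending inetd a HUP; the tcpd-wrapped ones can at least be restricted per source in hosts.allow.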
Stealth snooping
I've been wrestling with this question for some time now, perhaps someone (or many) can give me your thoughts.

There are systems that detect intruders or break-in attempts, apparently part of that "detection" is the identification or logging of a port scanner. BUT, there are scanners out there that claim to be "stealth" scanners by sending the FIN bit. If I understand it correctly, the FIN bit basically states that "this is the end of transmission", then the host sends an RST bit. If this is the case, then how can this be considered stealth since the scanner sending the FIN bit is a) awaiting the RST response, and b) must have its IP address in the packet?

Are there other methods of scanning which truly are stealth, or is it currently not possible to port scan in stealth mode? Any insights to this, or perhaps a better explanation of the FIN bit is greatly appreciated.

Thanks.
RE: Check Point Firewall-1
> Is Check Point Firewall-1 good enough to pay 5000$ for 50 nodes ???
> Is there any cheaper and good firewall for good security?

That strongly depends on the OS you use. IMHO I'd _NEVER_ put security related stuff on an NT platform; I'd like to really _KNOW_ what's goin' on with the packets routed through. There are several other packages available for NT (Raptor Eagle, Gauntlet etc.) I have no experience in.

We're using Linux with packet filtering, TIS and IP logging; works fine, it's cheap (0.00), fast and reliable. We have about 120 nodes inside here getting partially masqueraded and/or going out through a squid object cache proxy server... and all this on a P166.

If you don't want to put everything together on your own, there's a commercial version available too: http://www.linux-firewall.de. Don't know the price but it's worth a look.

--
Markus Doehr
IT Admin
AUBI Baubeschläge GmbH
Tel.: +49 6503 917 152
Fax : +49 6503 917 190
e-Mail: [EMAIL PROTECTED]
MD1139-RIPE
Re: Check Point Firewall-1
Mehmet,

"Good enough" is a subjective statement. The answer depends on the mission of your organization, and what it stands to lose should your systems become compromised. Is your 50-node organization doing market research on thumb tacks, or is it doing research on quantum computing? One is worth $5000 for security, the other is probably not.

If cost is your bottom line, you could build a perfectly serviceable firewall with Linux (total cost: $0, maybe $50 if you buy a bundled distribution like Red Hat or Caldera). This will give you basic packet filtering, not to mention more services (SMTP relay, web server, DNS, etc.) than you'll know what to do with. If you want more robust firewalling, you could add the legacy Firewall Toolkit (total cost: $0) which will give you application-level firewall proxies. You can add in hacks for transparency and patches for extra proxies as you wish. And there is still more freeware for everything else you might want out of a firewall, from log analysis to realtime performance monitoring to penetration testing to intrusion detection/response.

IMHO you can build a rock-solid firewall with a high degree of trust, for almost no money *in software licensing*. The real cost for such a firewall would be the cost of building and supporting it yourself. You (or another staff person in your organization) would have to be proficient in general firewalling principles, UNIX, C and C compilation, ipfwadm and FWTK at the very least. If you don't have that expertise, you will have to buy it in the form of additional staff...

Regards,
Chris

Christopher Zarcone
Network Security Consultant
RPM Consulting, Inc.
[EMAIL PROTECTED]
#include <std.disclaimer.h> /* My opinions do not necessarily reflect the opinions of my employer */

> Date: Tue, 23 Mar 1999 09:22:58 +0200
> From: "Mehmet Sokmen" [EMAIL PROTECTED]
> Subject: Check Point Firewall-1
>
> Hi,
>
> Is Check Point Firewall-1 good enough to pay 5000$ for 50 nodes ???
> Is there any cheaper and good firewall for good security?
>
> boy
RE: Check Point Firewall-1
> Hi,
>
> Is Check Point Firewall-1 good enough to pay 5000$ for 50 nodes ???
> Is there any cheaper and good firewall for good security?
>
> boy

Try WatchGuard (http://www.watchguard.com), it's a good, inexpensive firewall solution for small to medium sized networks.
firewall-1 outages Anybody see this...
We are experiencing minute outages... These are the log entries in /var/adm/messages:

    Mar 23 10:41:40 ultrafire unix: ex_expirelist: probably loop
    Mar 23 14:22:31 ultrafire unix: ex_expirelist: probably loop
Re: Stealth Snooping
Jesus,

If you send a FIN packet to a host it won't return a RST packet if the port is active, it will simply drop it. That's the whole problem. Stealth scanners rely on sending this arbitrary FIN packet to a port and not waiting for a response to determine that it is listening. Only if the port is closed is a RST packet returned.

Hope this helps,

Marcel Gerardino
Seguridad de Información
CODETEL
[EMAIL PROTECTED]
PGP Fingerprint: A127 13FD 0B08 8C78 DEF5 FF3D B921 1793 E77F C660
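The detection angle the original question asked about, as an added example that is not part of Marcel's reply: a legitimate connection teardown always carries FIN together with ACK ([F.] in tcpdump notation), so a lone FIN with no ACK has no session behind it, and a single source sending bare FINs to many ports on one host is the signature to log regardless of whether the target answers with a RST. TCP_LOG is a constructed, simplified tcpdump-style trace (time src.port > dst.port [flags]).

```shell
#!/bin/sh
# Added example: flag sources that probe many ports with bare FIN packets.
# TCP_LOG is a constructed trace: one scanning source hitting four ports
# (with the closed port 25 answering RST, as described above) and one
# normal three-way handshake plus orderly FIN+ACK close.
TCP_LOG='12:00:01 198.51.100.7.40001 > 192.0.2.10.22 [F]
12:00:01 198.51.100.7.40002 > 192.0.2.10.25 [F]
12:00:01 198.51.100.7.40003 > 192.0.2.10.80 [F]
12:00:02 192.0.2.10.25 > 198.51.100.7.40002 [R.]
12:00:02 198.51.100.7.40004 > 192.0.2.10.110 [F]
12:00:03 203.0.113.5.51000 > 192.0.2.10.80 [S]
12:00:03 192.0.2.10.80 > 203.0.113.5.51000 [S.]
12:00:03 203.0.113.5.51000 > 192.0.2.10.80 [.]
12:00:04 203.0.113.5.51000 > 192.0.2.10.80 [F.]'

# detect_fin_scans [threshold]: print "src distinct-port-count" for every
# source that sent a bare [F] to at least <threshold> distinct ports (default 3).
detect_fin_scans() {
    printf '%s\n' "$TCP_LOG" | awk -v t="${1:-3}" '
        $5 == "[F]" {                               # FIN set, ACK not set
            n = split($2, s, "."); src = s[1] "." s[2] "." s[3] "." s[4]
            m = split($4, d, "."); port = d[m]     # last component is the port
            key = src SUBSEP port
            if (!(key in seen)) { seen[key] = 1; count[src]++ }
        }
        END { for (x in count) if (count[x] >= t) print x, count[x] }'
}

detect_fin_scans
```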
Re: High performance/scalable firewalls
[EMAIL PROTECTED] said:
> Historians claim that David Lang wrote:
> > SSL not much you can do other than to allow it. This is packet filtering stuff.
>
> Not really, Netscape, amongst others, makes a http(s) proxy that works in "reverse mode". It could act as the real webserver; that way no machines not under your control have access to the webserver (watch that double negative). This would allow for at least some screening of the application data, as well as you can use an OS with a known/good/robust TCP stack to protect against pathological TCP streams. You also get several options on where to install SSL certificates depending on your needs.

Sure enough. I'm using Stronghold to do this. Part of the application runs on IIS, so I had to do something to protect it...
CFP: The Insider Volume 3 Issue 2
The Insider has now had the first issue published in the new format - http://www.ticm.com/info/insider/index.html

To continue the trend we need more papers. All papers will be refereed by our editorial team (http://www.ticm.com/info/insider/editors.html).

Editorial Policy

The Insider is a refereed all-electronic journal that welcomes papers in all branches of security, including IT security, physical security, information security, operational security, etc. Papers can be electronically submitted in MS Word, FrameMaker MIF, plain text and HTML. Research articles as well as articles of more general interest are solicited. These will be published under different headings in the Journal. Refereeing of papers will be conventional, aside from being carried out via e-mail. Publication will be in the month after the paper has been accepted and a completed copyright form has been received.

Papers should relate to the relevant field and will usually fall into one of the following categories:

- Research paper. A paper making an original contribution to security knowledge.
- Special interest paper. Report on significant aspects of a major or notable project.
- Review paper for specialists. A critical survey of a relevant area, intended for specialists in the field covered.
- Review paper for non-specialists. An overview of a relevant area, suitable for a reader with a security or audit background.
- Tutorial paper. A paper which explains an important subject or clarifies the approach to a matter of design or audit.
- Technical Communication. A technical communication or a letter to the editors not sufficiently developed or extensive in scope to constitute a full paper. A contribution to discuss a published paper, to which the original authors' response will be sought.

The expected length of acceptable contributions will vary considerably, but 1000 to 2000 words for papers could be the norm. Technical communications should not exceed 1000 words and contributions to discuss papers should not exceed 500 words.

Authors should submit an outline (or an abstract) of their proposed paper along with their name and a contact email address to [EMAIL PROTECTED]

Yours,
Bret Watson - ed

Technical Incursion Countermeasures
[EMAIL PROTECTED]
http://www.ticm.com/
ph: (+61)(041) 4411 149 (UTC+8 hrs)
fax: (+61)(08) 9454 6042
The Insider - an e'zine on Computer security Vol 3 Issue 1 out now
http://www.ticm.com/info/insider/index.html
RE: Encryption of Passwords.
Take a look at the Cisco 1704 ... it's supposed to have VPN support built-in, but I haven't looked into it yet (only found out yesterday). I don't know if the feature is an add-on or a distinct product, but it's a starting place.

David Turton, Tek Catalyst

-Original Message-
From: [EMAIL PROTECTED] [SMTP:[EMAIL PROTECTED]]
Sent: Monday, March 22, 1999 11:22 AM
To: [EMAIL PROTECTED]
Subject: Encryption of Passwords.

> Hi!
>
> I know this is off the topic of firewalls, but I have a question regarding encryption of passwords at the router level. First of all can passwords be encrypted on the routers, and if yes, what is used or done to allow encryption of passwords on routers? I would appreciate any advice that you can give.
>
> Thanks,
> Katrina