RE: Load balancing.......
You could try VRRP on the routers, or HSRP, whichever is supported.

Patrick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Pepmiller, Craig E.
Sent: 25 February 2000 15:45
To: 'Michael E. Cummins'; Firewalls Mailing List
Subject: RE: Load balancing...

The problem with two gateways at the client: the client uses the top gateway until it cannot reach that gateway. The DSL firewall/router loses its connection to the outside world but still responds at 10.0.0.150, so the client thinks the path is OK even while the router is discarding all traffic.

Have the DSL firewall/router forward traffic to the other firewall/router when the DSL line goes down, or take down the 10.0.0.150 address when the DSL line is down.

Thanks,
Craig

-----Original Message-----
From: Michael E. Cummins [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 25, 2000 8:39 AM
To: Firewalls Mailing List
Subject: RE: Load balancing...

I would love to hear comments on this topic. Yesterday I tried using two different firewall/routers, one hooked to a DSL connection and the other hooked to two POTS lines with dial-up accounts. I intended to use the two firewall/routers as gateways, with the DSL firewall/router also offering DHCP services. I entered the two firewall/routers as gateways on the 98 clients (10.0.0.150 and 10.0.0.151) with the intention of having a backup slow lane in case the DSL service went down, which it does on a semi-regular basis. (The DSL router was the first entry [150] and the POTS router was second [151].)

When the DSL went down, however, the backup POTS-line firewall/router never received any HTTP requests, and the client machines' browsers would all time out. I could not ping out of the network; it was as if the DSL firewall/router was still hogging the requests and refusing to let the second gateway "play". I suppose my idea of having two gateways entered in all the client machines was bad from the beginning.
Can anyone spot my stupidity and smack me back onto the right track of thinking? Or does my idea appear to be sound, and I probably failed somewhere in execution? How would you set up a small network with redundant services like this?

-- Michael

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Blanco, Juan
Sent: Friday, February 25, 2000 9:12 AM
To: '[EMAIL PROTECTED]'
Cc: '[EMAIL PROTECTED]'
Subject: Load balancing...

Folks,

Any idea or best solution for how to do the following:

1 - Have connectivity to two different ISPs.
2 - Be able to use only one firewall (Checkpoint).
3 - One connection via a T1 and the second via DSL.
4 - This should be transparent to the users.

I really appreciate your help on this... Thanks.

Tony Blanco
UJA-Federation

Where do you want to be tomorrow. Microsoft. One planet. One internet. Cisco Systems. Super Human Software. Lotus Notes.

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with "unsubscribe firewalls" in the body of the message.]
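The failure Craig describes is the crux of the thread: the DSL router keeps answering on 10.0.0.150 while its WAN side is dead, so a client's dead-gateway detection (which only asks "does the gateway respond?") never fires. VRRP/HSRP, as Patrick suggests, moves the decision to the routers. The following is an added example written for this page, not code from any of the posters, showing the host-side equivalent: probe an external target through each gateway, mark a gateway down only after several consecutive failures, and move the default route to the most-preferred gateway that still passes traffic. Gateway names and addresses are taken from Michael's post; the `probe` and `switch` hooks are stand-ins (assumptions, not from the thread) for what would be a pinned-route `ping` and an `ip route replace default via ...` in practice.

```python
"""Host-side default-gateway failover that probes *through* each gateway.

Added example for this thread (not a poster's code). Probing the gateway
address itself is useless here: the DSL router still answers on 10.0.0.150
while its WAN side is dead. The monitor therefore asks "can I reach an
external target via this gateway?" and applies hysteresis so one lost probe
does not flap the default route.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Gateway:
    name: str
    address: str
    up: bool = True
    failures: int = 0       # consecutive failed probes
    successes: int = 0      # consecutive successful probes


class FailoverMonitor:
    def __init__(self, gateways: List[Gateway],
                 probe: Callable[[Gateway], bool],
                 switch: Callable[[Gateway], None],
                 down_after: int = 3, up_after: int = 2) -> None:
        # `gateways` is in preference order: index 0 is the primary.
        # `probe(gw)` must force its packet out via gw (a host route to the
        # probe target through gw, or ping -I <iface>) and report whether an
        # external address answered. A probe that just follows the current
        # default route would only ever test the active gateway.
        # `switch(gw)` installs gw as default route; called only on change.
        self.gateways = gateways
        self.probe = probe
        self.switch = switch
        self.down_after = down_after
        self.up_after = up_after
        self.active: Optional[Gateway] = None

    def tick(self) -> str:
        """Run one probe round; return the name of the gateway now in use."""
        for gw in self.gateways:
            if self.probe(gw):
                gw.failures = 0
                gw.successes += 1
                if not gw.up and gw.successes >= self.up_after:
                    gw.up = True
            else:
                gw.successes = 0
                gw.failures += 1
                if gw.up and gw.failures >= self.down_after:
                    gw.up = False
        # Most-preferred gateway that is up; if all are down keep the
        # primary so that at least something is installed.
        chosen = next((g for g in self.gateways if g.up), self.gateways[0])
        if chosen is not self.active:
            self.switch(chosen)
            self.active = chosen
        return chosen.name


def simulate(outcomes: Dict[str, List[bool]]) -> Dict[str, List[str]]:
    """Replay constructed per-round probe outcomes for the thread's two
    gateways; return the gateway in use after each round and the sequence
    of route changes actually installed."""
    gws = [Gateway("dsl", "10.0.0.150"), Gateway("pots", "10.0.0.151")]
    rounds = len(outcomes["dsl"])
    current = {"round": 0}
    installed: List[str] = []
    mon = FailoverMonitor(
        gws,
        probe=lambda gw: outcomes[gw.name][current["round"]],
        switch=lambda gw: installed.append(gw.name),
    )
    in_use: List[str] = []
    for n in range(rounds):
        current["round"] = n
        in_use.append(mon.tick())
    return {"in_use": in_use, "installed": installed}


if __name__ == "__main__":
    # Constructed scenario: the DSL upstream dies for four rounds and then
    # recovers; the POTS path is reachable throughout.
    dsl = [True, True, False, False, False, False, True, True, True]
    print(simulate({"dsl": dsl, "pots": [True] * len(dsl)}))
```

With `down_after=3` the default route moves to the POTS gateway on the third consecutive failed probe and moves back only after two clean probes, so a single dropped packet on the DSL line does not bounce every client's sessions. The same logic, fed by real probes, is what a small Linux or NT box acting as the single LAN gateway would run; Windows 98 clients themselves offer no hook for it.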
help..
Dear sir,

I am trying to compile SATAN on my Linux 7.0 host. I get the following error when I run the 'make linux' command:

    satan-1.1.1]# make linux
    The LINUX rules are untested and may be wrong
    make[1]: Entering directory `/var/satan-1.1.1'
    cd src/misc; make LIBS= XFLAGS=-I/var/satan-1.1.1/include -DAUTH_GID_T=int RPCGEN=rpcgen
    make[2]: Entering directory `/var/satan-1.1.1/src/misc'
    make[2]: Nothing to be done for `all'.
    make[2]: Leaving directory `/var/satan-1.1.1/src/misc'
    cd src/boot; make LIBS= XFLAGS=-I/var/satan-1.1.1/include -DAUTH_GID_T=int RPCGEN=rpcgen
    make[2]: Entering directory `/var/satan-1.1.1/src/boot'
    cc -I. -O -I/var/satan-1.1.1/include -DAUTH_GID_T=int -c -o boot.o boot.c
    boot.c:24:20: macro strchr requires 2 arguments, but only 1 given
    make[2]: *** [boot.o] Error 1
    make[2]: Leaving directory `/var/satan-1.1.1/src/boot'
    make[1]: *** [all] Error 2
    make[1]: Leaving directory `/var/satan-1.1.1'
    make: *** [linux] Error 2

Any ideas, please?

--
Patrick Karanu, BSc Computer Sci., CCNA
Support Engineer, Kenyaweb.com Ltd
Email: [EMAIL PROTECTED]
Tel: +254-02-245630  Fax: +254-02-240870

___
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
compiling udprelay
Dear sirs,

I am getting the following error while compiling udprelay on my bastion host:

    gcc -o udprelay -O -DSYSV -DRELAYHOST=\"firewall.kenyaweb.com\" -DRELAYPORT= -DNOBODY=\"patto\" udprelay.c -lsocket
    udprelay.c: In function `opensocket':
    udprelay.c:335: `FIONBIO' undeclared (first use in this function)
    udprelay.c:335: (Each undeclared identifier is reported only once
    udprelay.c:335: for each function it appears in.)
    make: *** [udprelay] Error 1

Perhaps someone can shed some light on this.

Regards,
Patrick
compile error on udp relay
Sirs,

Does anyone have a working version of udp relay? I get the following error while trying to compile the source code. Some patches, anything...

Compile error:

    cd ./work; \
    make clearerr udpx0
    make[1]: Entering directory `/var/temp/udpl-0.1.1/work'
    make[1]: *** No rule to make target '/lib/aksl_h.dep', needed by 'mtypes.o'.  Stop.
    make[1]: Leaving directory `/var/temp/udpl-0.1.1/work'
    make: *** [work/udpx0] Error 2

Please help.

Regards,
Patrick
pop3
Hi,

I recently installed a mail server on Linux 7.2. I am using sendmail 8.11.2/8.11.6. Everything works well as far as SMTP is concerned; the main problem is POP3, in that most of the users have constant disconnections while retrieving mail. The problem is that the mail is deleted from the server only after the last message is received. So if a client has 10 messages, downloads 5 and the connection breaks, the next time he accesses the mail the process is repeated and he receives the 5 messages again.

Is there a way to set the POP3 server to delete each message once it is downloaded by the client?

Regards,
Pat
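The behaviour Pat reports is the POP3 protocol working as specified, not a server option: RFC 1939 lets a server remove messages only in the UPDATE state, which is entered by a clean QUIT, and a session that ends any other way MUST NOT delete anything. Which messages are committed per connection is therefore decided by the client's QUIT, not by the server. The added example below (written for this page; not sendmail's or any POP3 daemon's code) models that rule with a toy maildrop and compares two client strategies over the same ten constructed messages: the usual fetch-everything-then-QUIT loop, and a one-message-per-session loop in which each DELE is committed by its own QUIT before the next RETR.

```python
"""Why a dropped POP3 session re-delivers mail, and the per-message workaround.

Added example for the thread above; it is not sendmail's or any POP3 daemon's
code. RFC 1939 commits DELEs only in the UPDATE state, entered by a clean
QUIT; if the connection dies first the server MUST NOT remove anything. The
toy server models exactly that rule and the two client loops show how much
work a line drop costs under each strategy.
"""
from typing import List, Optional, Set, Tuple


class Maildrop:
    """Server-side mailbox; one Session at a time holds the maildrop lock."""

    def __init__(self, messages: List[str]) -> None:
        self.messages: List[str] = list(messages)

    def open_session(self) -> "Session":
        return Session(self)


class Session:
    """TRANSACTION state of one connection; quit() is the UPDATE state."""

    def __init__(self, drop: Maildrop) -> None:
        self.drop = drop
        self.marked: Set[int] = set()     # message numbers marked by DELE
        self.open = True

    def stat(self) -> Tuple[int, int]:
        msgs = self.drop.messages
        return len(msgs), sum(len(m) for m in msgs)

    def retr(self, n: int) -> str:
        if not self.open or not 1 <= n <= len(self.drop.messages):
            raise ValueError("no such message")
        return self.drop.messages[n - 1]

    def dele(self, n: int) -> None:
        # DELE only *marks* the message; nothing is removed yet.
        self.marked.add(n)

    def rset(self) -> None:
        self.marked.clear()

    def quit(self) -> None:
        # UPDATE state: apply the marks, highest number first so that the
        # remaining 1-based indices stay valid.
        for n in sorted(self.marked, reverse=True):
            del self.drop.messages[n - 1]
        self.open = False

    def connection_lost(self) -> None:
        # Session ended by anything other than QUIT: no UPDATE state, the
        # marks are discarded and every message is still there next time.
        self.marked.clear()
        self.open = False


def fetch_all_then_quit(drop: Maildrop, die_after: Optional[int] = None) -> List[str]:
    """Typical client: RETR+DELE every message, QUIT once at the end.
    die_after=k simulates the line dropping after k messages."""
    s = drop.open_session()
    got: List[str] = []
    count, _ = s.stat()
    for n in range(1, count + 1):
        if die_after is not None and len(got) >= die_after:
            s.connection_lost()
            return got
        got.append(s.retr(n))
        s.dele(n)
    s.quit()
    return got


def fetch_one_per_session(drop: Maildrop, die_after: Optional[int] = None) -> List[str]:
    """Workaround: one message per session, so each DELE is committed by its
    own QUIT before the next message is fetched; a drop costs at most one
    message's worth of transfer."""
    got: List[str] = []
    while True:
        s = drop.open_session()
        count, _ = s.stat()
        if count == 0:
            s.quit()
            return got
        if die_after is not None and len(got) >= die_after:
            s.connection_lost()
            return got
        got.append(s.retr(1))
        s.dele(1)
        s.quit()
```

The per-session strategy costs a login per message, which on a flaky dial-up line is usually the cheaper trade. The practical levers are on the client side (smaller batches, or a client that QUITs after each message) or a move to IMAP, where message state lives on the server; no sendmail setting changes this, because sendmail is not the POP3 server.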
FW: Syslog Server - here are the links !
Check out the following links for NT4 syslog servers:

http://www.cls.de/syslog/
http://members.tripod.com/~Andrew_Ross/software/syslogd.htm
http://www.netal.com/products.htm

Patrick Michel
Netscreen, Netscape, Altavista Technical Product Manager
mailto:[EMAIL PROTECTED]
Visit our Website at: http://www.gcs.ch
Gutenberg Communication Systems AG
Hardturmstr. 101
CH-8005 Zuerich
Tel: +41 1 444 5 999  Fax: +41 1 444 5 888
Support: 157 80 16 (4.23/min)

----------
From: Paul Gracy [SMTP:[EMAIL PROTECTED]]
Sent: Tuesday, 2 March 1999 18:20
To: firewalls
Subject: RE: Syslog Server

There is also a syslog server for NT available now from Cisco for their PIX. I haven't played with it to see how generic it is. Caveat emptor.

=
Paul H. Gracy
[EMAIL PROTECTED]
phone: 404 705 2873
#include std.disclaimer
=

-----Original Message-----
From: Paul Chouffet [SMTP:[EMAIL PROTECTED]]
Sent: Thursday, February 11, 1999 11:44 AM
To: firewalls
Subject: Syslog Server

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Can someone tell me how to make an NT 4.0 server a syslog server?

Thanks

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.0.2

iQA/AwUBNsMIzMnDjelKYjIeEQILWACgwjgup/Ouj/wGym2vqQ0jNzV6lZgAn3DU
grvvyU3/SQxHUg1X2meX75uR
=ZR6P
-----END PGP SIGNATURE-----
Ms Proxy Configuration
I am looking to install a proxy server (MS Proxy 2.0), with RRAS being used for PPTP, for a small client that doesn't want a full-blown firewall solution. Is there anything I should look at configuring to further secure the machine beyond the regular NT hardening techniques?

Thanks in advance,

Patrick Prue
Systems And Technology Specialist
Fantom Technologies Inc.
(905) 734-7476 x 270
RE: VPN Best low cost solution?
This is good info. The cost per end-user VPN client looks high to me. I know my Axent-Mobile clients run $60-$65. (Although not according to Axent's site, but search most software vendors' sites and you'll find these prices.) You may also be able to get bundles of clients with some vendors, further lowering your cost.

-----Original Message-----
From: Matthew G. Harrigan [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 24, 1999 1:40 PM
To: Mark Arroyo; Firewalls
Subject: Re: VPN Best low cost solution?

I've been thinking about writing a cost vs. effectiveness paper on various VPN solutions, both hardware and software based, for some time now. Please send me email (do not copy the list) if this would be of interest to you.

To more directly answer your question: if you have a firewall in place that will support the initial deployment of the type of VPN you want to create (you mention Gauntlet), then I would think that the most cost-effective solution for you at this point would be to utilize its capabilities, assuming that the other VPN nodes you wish to deploy will support interoperation with Gauntlet. If there will be mobile users, and you have a firewall-only solution, then count on buying shim software for each mobile user at between $100.00 and $200.00 depending on your vendor.

If you want to go with a separate hardware solution (like RedCreek or VPNet), then the hardware cost varies greatly, depending on what kind of deal you can swing, as these companies usually don't sell direct (channel sales only). For 10 Mbps equipment, prices range from $1000.00 to $3000.00 per unit. The reason for this is that most of the vendor's money is spent in R&D, and once the boxes are manufactured, the cost of sale to resellers is pretty minimal, so the boxes go for cheap (which means that the resellers are making a killing on you, to the tune of about 40%). However, you save money on the shims, as companies like RedCreek give them away (I -think-).

Additional costs you need to consider are:

* Installation (most VPN equipment resellers are sys ints., and they charge for it)
* Support contracts. (This is a doozy, as support seems to me to be somewhat underdeveloped in this area.)

However (and no, I'm not pushing this product :-) ), RedCreek's solutions partners program has given them the advantage of pointing to various "best of breed" third parties for said tasks, such as systems installation, integration, support and management.

"Please insert an additional $.25 to continue to ramble"

Looks like my time is up. :-) Sorry to pontificate.

Matt

-----Original Message-----
From: Mark Arroyo [EMAIL PROTECTED]
To: Firewalls [EMAIL PROTECTED]
Date: Tuesday, August 24, 1999 9:24 AM
Subject: VPN Best low cost solution?

I need a VPN solution for my company. Cost of the solution is a factor. Can anyone help me with their expertise and experience in choosing a solution? Should I use a router-based system, or do something like the Gauntlet VPN system that Network Associates just came up with? Any suggestions would be greatly appreciated.

Thanks in advance.

Mark Arroyo
[EMAIL PROTECTED]
RE: Network browsing through a VPN
The Windows NT Resource Kit includes a utility called winscl to browse a WINS server from a command line.

-----Original Message-----
From: Jen [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 25, 1999 11:48 AM
To: Tyron Legette; [EMAIL PROTECTED]
Subject: Re: Network browsing through a VPN

Browsing doesn't really work that great with Microsoft Networking, especially if Win 95 boxes are involved. I do not know what causes this problem to begin with, but I know that we experienced this frequently when we were using SecuRemote (Checkpoint FW-1). It didn't happen consistently, though -- browsing worked for some people, and didn't for others (usually if not exclusively, these were Win 95 machines that experienced the problem; NT users seemed to be okay).

If absolutely no one can browse the network, your problem may be different. Do you have any rules applied to the VPN, or are you allowing VPN users full access? I don't know much about Gauntlet except that it's a proxy firewall, so I can't really tell you what to look for. One thing you might check, though, is that if you log all dropped packets you can see what packets are being dropped by the firewall when a VPN client connects.

Can you get to a computer by typing \\computername? This should work even if you can't browse the network (you have to know the name of the computer). If not, you may have a WINS issue. Check the client computers to make sure their WINS settings are correct and that they can ping the WINS server by IP address. This won't show that you can access WINS if the firewall is blocking it (I wish there were an easy way to query the WINS server from the command line, but I don't know of one), but if it works (assuming ping isn't also disabled), it'll show you that you can at least connect to the machine.

Good luck!

Jen

----- Original Message -----
From: Tyron Legette [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, August 25, 1999 5:47 AM
Subject: Network browsing through a VPN

I'm using the VPN version of Gauntlet 5.0 and PGP Desktop Security as the client. Has anyone been able to browse the network through a VPN connection? If so, what needs to be done for this to happen? The connection is fine and I can communicate with every server, but I can't browse the network to see other NT servers, etc. Any ideas??
RE: Cable Internet Setup...what is the best way?
IMHO the best option is to buy a powerful desktop, install NT or Linux and a real firewall. The option I would suggest is cheaper and easier but should not be considered secure.

UMAX makes a product called UGate+ which is a combination cable-modem or DSL router and DHCP server. Buy this and plug it into your hub. If you are networked using coax I think you will need to buy a small hub with a coax uplink. Connect the hub to the inside port of the UGate+ and the cable modem to the outside port. Set your machines up to use DHCP (in Windows this means install TCP/IP and then do nothing to modify it). The UGate+ will assign IP addresses to your machines that are compliant with RFC 1918. (You may want to manually assign an IP address to the server. Servers are normally fixed, but in your environment it might not matter.) It will perform network address translation for your machines so when they connect to the internet outside servers can respond to you.

This leaves your machines wide open to the internet. UMAX claims the UGate+ is also a firewall. The behavior they describe is actually port blocking, which I think falls far short of being a firewall. It doesn't mean you shouldn't use it. You will need to open ports 110 and 25 to send and receive email. You will need to open port 80 to browse the web and may want to open the alternate HTTP port 8080. You will need port 443 to view secure web sites and may want to open port 543, which is the alternate HTTPS port. Port 21 for FTP. Port 23 for telnet. I'm not sure what you need to do for DNS, but you need to find out. I'm not sure what the UGate+ will do with ICMP (like ping), so people may be able to see into your network and find machines. Blocking ports lowers the probability they will be able to grab files, but it doesn't eliminate it.

If you want to add other services (Real G2 for example) I would suggest you take a look at http://www.axent.com. They offer numerous pages of information on proxying particular services with their firewall. If you look at the info for a service you want and open the destination port they specify on your UGate I think you will be in business.

(One note: the UGate throttles your connection speed down to about 1.8 Mbps. This shouldn't be noticeable in the environment you describe, so don't worry about it.)

-----Original Message-----
From: Daren John [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 25, 1999 11:32 AM
To: [EMAIL PROTECTED]
Subject: Cable Internet Setup...what is the best way?

If anyone can help: I have internet access via the local cable operator. I have an NT server and 3 clients (two desktops and a laptop). What have you found to be the best setup for this type of environment?

Regards,
DJM
RE: Network browsing through a VPN
Of course, since this is a VPN connection there really isn't a DHCP lease. If there is a VPN connectoid (Dial-up Networking entry) you can specify the WINS server in there. (As far as I know that means manually configuring the connectoid on every machine.)

-----Original Message-----
From: Ben Nagy [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 25, 1999 9:22 PM
To: 'Tyron Legette'
Cc: '[EMAIL PROTECTED]'
Subject: RE: Network browsing through a VPN

I'd put money on the fact that you haven't configured your WINS servers and are just relying on broadcast traffic, which may well get eaten. You need some way to make sure that all clients know how to get to the master browser for the network. The PDC is always the master browser.

Make sure that all client machines have an entry for the WINS server on the remote network. You may be able to hand this information out in the DHCP lease when the incoming VPN connection is terminated. Last resort - use an LMHOSTS file on each client.

That should work.

Cheers!

--
Ben Nagy
Network Consultant, CPMS Group of Companies
PGP Key ID: 0x1A86E304
Mobile: +61 414 411 520

-----Original Message-----
From: Tyron Legette [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 25 August 1999 10:18 PM
To: '[EMAIL PROTECTED]'
Subject: Network browsing through a VPN

I'm using the VPN version of Gauntlet 5.0 and PGP Desktop Security as the client. Has anyone been able to browse the network through a VPN connection? If so, what needs to be done for this to happen? The connection is fine and I can communicate with every server, but I can't browse the network to see other NT servers, etc. Any ideas??
RE: Freegate Internet Appliance
No I don't, but I am arrogant enough to think the ability to eliminate firewall pretenders is easy. (For those of you that understand this at a much deeper level: I am not oversimplifying in the examples I give, I just don't yet understand it like you do.)

Does it protect you at the transport layer? Will it filter spoofing attacks? Will it block specific IP ports? Most likely it succeeds at this level.

Does it protect you at the protocol level? Will it make certain that requests for certain protocols are well formed and do not run the risk of causing buffer overruns? Will it make certain that other application-protocol-level exploits are not in play?

Does it protect you at the application layer? Will it filter your email for harmful MIME content? Will it check that Java applications, JavaScript, and ActiveX script are signed or harmless? Does it have a reasonable strategy for checking recursively for attacks, as in: if I zip a 90 MB file, and then zip copies of that file, can I hide a virus several layers deep, or can I crash your email with a small file that expands in a Chinese gift box fashion to something enormous? Does it check that files sent through AIM, ICQ, or IRC are harmless?

I think a true firewall checks at the first two levels and can be extended at the third level. I suspect the program you are looking at only operates at the first level I've described. This leaves you open to a host of extant and possible exploits.

At the second level - numerous exploits exist that would cause a buffer overrun with malformed requests. The results of these could be the execution of machine code, which on the Intel platform could be anything. This is most likely to be a denial of service but could include the exposure of private data, especially if paired with programs like Back Orifice or

At the third level - this does not include anything that could not be included at a second-level attack but is more likely to include the exposure of private data. A far greater range of lusers can attack at this level, as demonstrated by the recent and constant barrage of attacks that operate at this level. While many users can be educated not to click on any damn thing, a possibly equal number cannot. Assume users are dumb enough to click on an attachment because it is there and you might actually secure your environment.

The Zipped_Files 'Worm' operates at this level. (Hey folks, we're educated in this shit - Zipped_Files is a virus with an only slightly user-dependent transmission method, but it is not a Worm. If Zipped_Files took advantage of the MIME attachment filename exploit in Outlook it would begin to cross the border between Worm and Virus. Some user interaction would still be required, but when it crosses from clicking an email attachment to merely opening an email, or even merely opening email, is where I think you start to head to being a Worm. In the strict sense -- as in the way the Jargon File would define it -- opening email is user interaction, but if opening email triggered transmission I would call it a worm. If the user must go deeper than opening an email to trigger transmission then I think we are talking about a virus.)

In any event, if you are not protected against the third layer of malformed applications then you are not protected against attacks that already exist in the wild and you could - realistically - lose every piece of data on your networks. I would hope that you could recover yesterday's information from a backup, but is an organization-wide man-day (realistically more) worth the 4-5K it will cost you to lock down to this level?

-----Original Message-----
From: j [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 25, 1999 11:48 PM
To: [EMAIL PROTECTED]
Subject: Freegate Internet Appliance

We are in the process of evaluating Freegate's OneGate 1000 hardware appliance. It promises firewall, VPN, email, DNS, DHCP, etc, etc...

This feels _too_ good to be true, but the $$$ savings are making my CFO pant over the cost savings vs. other solutions we've examined (email server, separate firewall, separate VPN hardware, etc.). Does anyone have any experience with this beastie?

Much appreciated.

jim
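The "gift box" question in the reply above (a virus hidden several archive levels deep, or a small file that expands to something enormous) is a concrete test you can put to any content-inspecting gateway, and it is also easy to get wrong in your own tooling. The following is an added example written for this page, not code from Freegate or any product named in the thread. It inspects a zip entirely in memory, descends into zips found inside it, and rejects the file when nesting depth, a per-member expansion ratio, or a total uncompressed budget is exceeded. The sizes recorded in the archive headers are used only as an early hint; the budget is charged on bytes actually decompressed, because an attacker controls the headers. The fixtures at the bottom are constructed (harmless nested zips and a zip of zeros), not samples of anything in the wild.

```python
"""Bounded inspection of nested archives ("gift box" zips and zip bombs).

Added example for the recursive-archive question in the post above; not
code from Freegate or any product named there. Opens a zip in memory,
recurses into zips found inside it, and rejects on depth, per-member
expansion ratio, or total uncompressed budget. Header sizes are a hint
only; the budget is charged on bytes actually decompressed.
"""
import io
import os
import zipfile
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Limits:
    max_depth: int = 3                       # nested zip levels we will open
    max_total_bytes: int = 8 * 1024 * 1024   # uncompressed budget, all levels
    max_ratio: int = 100                     # file_size / compress_size per member


class ArchiveRejected(Exception):
    pass


def inspect_zip(data: bytes, limits: Limits, depth: int = 0,
                budget: Optional[List[int]] = None) -> int:
    """Return total uncompressed bytes seen, or raise ArchiveRejected."""
    if depth > limits.max_depth:
        raise ArchiveRejected(f"nested deeper than {limits.max_depth} levels")
    if budget is None:
        budget = [limits.max_total_bytes]    # one mutable budget shared by all levels
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Header-declared ratio: cheap early rejection of obvious bombs.
            if info.compress_size and info.file_size / info.compress_size > limits.max_ratio:
                raise ArchiveRejected(f"{info.filename}: expansion ratio over {limits.max_ratio}")
            member = bytearray()
            with zf.open(info) as fh:
                while True:
                    chunk = fh.read(64 * 1024)
                    if not chunk:
                        break
                    budget[0] -= len(chunk)   # charge what we *actually* inflated
                    total += len(chunk)
                    if budget[0] < 0:
                        raise ArchiveRejected("uncompressed size budget exhausted")
                    member += chunk
            if member[:4] == b"PK\x03\x04":       # local file header: a zip inside
                total += inspect_zip(bytes(member), limits, depth + 1, budget)
    return total


def check(data: bytes, limits: Limits = Limits()) -> str:
    try:
        return f"ok: {inspect_zip(data, limits)} bytes"
    except (ArchiveRejected, zipfile.BadZipFile) as exc:
        return f"rejected: {exc}"


# --- constructed fixtures (harmless; not real malware) ------------------------
def make_zip(name: str, payload: bytes, method: int = zipfile.ZIP_DEFLATED) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", method) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def nested(payload: bytes, levels: int) -> bytes:
    """payload in an innermost zip, wrapped in `levels` further zips."""
    data = make_zip("inner.txt", payload)
    for i in range(levels):
        data = make_zip(f"level{i}.zip", data)
    return data


def incompressible_zip(size: int) -> bytes:
    """Stored (ratio 1) zip of random bytes, to exercise the budget alone."""
    return make_zip("rnd.bin", os.urandom(size), zipfile.ZIP_STORED)


if __name__ == "__main__":
    print(check(nested(b"hello", 3)))                       # ok
    print(check(nested(b"hello", 4)))                       # rejected: nested deeper ...
    print(check(make_zip("zeros.bin", b"\0" * (2 << 20))))  # rejected: expansion ratio
```

Depth, ratio and budget are three separate limits on purpose: a bomb can have an honest ratio at every level and still exhaust memory through depth, and a single member can declare a modest size in its header and inflate to far more. Any one check alone leaves a gap the other two close.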
RE: ICMP filtering
There are two dangers to allowing ICMP through the firewall that spring immediately to mind. The first is that you could subject yourself to denial of service (DoS) attacks like the ping of death. The second is you could give a cracker an avenue to discover topological information about your network. I don't consider that too much of a threat in my environment, since I make that information easily available internally anyway, but you may feel differently in your environment.

I believe the Axent Raptor firewall blocks ICMP.

-----Original Message-----
From: Sujeet Nayak [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 31, 1999 8:31 AM
To: [EMAIL PROTECTED]
Subject: ICMP filtering

Hi,

I see that most of the firewalls pass ICMP messages without filtering. Some of them offer a filtering option only for the PING message. Does anybody know the firewalls that deny ICMP messages? Btw, is there any harm if I buy a firewall that allows all the ICMP packets to go through into and out of the private network?

Thanks,
Sujeet
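The reply above names the two real risks of open ICMP (oversize-fragment crashes and network mapping), but the all-or-nothing choice the question poses is a false one: dropping every ICMP type also drops the Destination Unreachable / Fragmentation Needed messages that path-MTU discovery depends on, and TCP through such a firewall stalls on large transfers. The added example below, written for this page and not code from Raptor or any product named in the thread, shows the middle path. It parses constructed IPv4/ICMP packets, verifies the ICMP checksum, flags a fragment whose offset plus length can never reassemble into a legal 65535-byte datagram (the ping-of-death shape), and applies a per-direction type policy: error messages hosts need are allowed, while inbound echo requests, redirects and address-mask/timestamp queries are dropped. The addresses are documentation ranges and the policy sets are the editor's choice, not from the thread.

```python
"""Selective ICMP filtering instead of all-or-nothing, plus the oversize-fragment check.

Added example for the ICMP thread above; not code from Raptor or any
firewall named there. Parses constructed IPv4/ICMP packets, verifies the
ICMP checksum, flags fragments that cannot reassemble into a legal
datagram, and applies a per-direction ICMP type policy.
"""
import socket
import struct
from typing import Dict

# ICMP types from RFC 792
ECHO_REPLY, DEST_UNREACH, REDIRECT, ECHO_REQUEST = 0, 3, 5, 8
TIME_EXCEEDED, PARAM_PROBLEM, TIMESTAMP, TIMESTAMP_REPLY = 11, 12, 13, 14
ADDR_MASK_REQUEST, ADDR_MASK_REPLY = 17, 18
FRAG_NEEDED = 4   # DEST_UNREACH code that path-MTU discovery relies on

# Inbound: errors about our own traffic (unreachable incl. frag-needed, time
# exceeded, parameter problem) and replies to our own pings. Dropped: echo
# requests (host sweeps), redirects (route hijack), timestamp/address-mask
# queries (network mapping). Editor's policy, not from the thread.
INBOUND_ALLOW = {ECHO_REPLY, DEST_UNREACH, TIME_EXCEEDED, PARAM_PROBLEM}
# Outbound: let inside hosts ping out and return errors.
OUTBOUND_ALLOW = {ECHO_REQUEST, DEST_UNREACH, TIME_EXCEEDED, PARAM_PROBLEM}


def icmp_type_allowed(direction: str, icmp_type: int) -> bool:
    table = INBOUND_ALLOW if direction == "in" else OUTBOUND_ALLOW
    return icmp_type in table


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum; evaluates to 0 over a message whose
    embedded checksum is correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_icmp(pkt: bytes) -> Dict[str, object]:
    ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    if ver_ihl >> 4 != 4 or proto != socket.IPPROTO_ICMP:
        raise ValueError("not an IPv4 ICMP packet")
    ihl = (ver_ihl & 0x0F) * 4
    frag_offset = (flags_frag & 0x1FFF) * 8          # field is in 8-byte units
    payload = pkt[ihl:total_len]
    info: Dict[str, object] = {
        "frag_offset": frag_offset,
        "more_fragments": bool(flags_frag & 0x2000),
        "payload_len": len(payload),
        # Offset + data past 65535 can never reassemble into a legal
        # datagram: the classic oversize-ping overflow.
        "reassembly_overflow": frag_offset + len(payload) > 65535,
    }
    if frag_offset == 0 and len(payload) >= 4:
        icmp_type, code, _csum = struct.unpack("!BBH", payload[:4])
        info["type"], info["code"] = icmp_type, code
        info["checksum_ok"] = internet_checksum(payload) == 0
    return info


def filter_icmp(direction: str, pkt: bytes) -> str:
    info = parse_ipv4_icmp(pkt)
    if info["reassembly_overflow"]:
        return "drop:oversize-fragment"
    if "type" not in info:
        # Non-first fragment: no ICMP header to judge. A real filter queues
        # it for reassembly or drops fragments outright; here we only note it.
        return "defer:fragment"
    if not info["checksum_ok"]:
        return "drop:bad-checksum"
    return "accept" if icmp_type_allowed(direction, info["type"]) else "drop:policy"


# --- constructed packets --------------------------------------------------------
def build_packet(icmp_type: int, code: int, payload: bytes = b"",
                 frag_offset: int = 0, more: bool = False,
                 src: str = "198.51.100.7", dst: str = "203.0.113.9") -> bytes:
    """IPv4 header + ICMP message with a correct ICMP checksum (IP checksum left 0)."""
    icmp = struct.pack("!BBHHH", icmp_type, code, 0, 0x1234, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", internet_checksum(icmp)) + icmp[4:]
    flags_frag = (0x2000 if more else 0) | (frag_offset // 8)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0xBEEF, flags_frag,
                     64, socket.IPPROTO_ICMP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + icmp
```

Reading the type table tells you what Sujeet's "allow everything" firewall gives away (inbound echo, timestamp and address-mask requests all map the network) and what a "block everything" firewall breaks (type 3 code 4). Whatever product you buy, ask which ICMP types it passes per direction, not just whether it "filters ping".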
RE: FTP Attempts
http://www.arin.net - select the ARIN WHOIS link. ARIN = American Registry of Internet Numbers (I think). I don't know if this works for all IP ranges, but I haven't had any problems with it yet.

-----Original Message-----
From: Alejandro Hoyos [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 02, 1999 9:17 AM
To: Bill Fox; Newcomb, Kelly; [EMAIL PROTECTED]
Subject: Re: FTP Attempts

Could you share with us how you traced the IP address? That looks like a www.networksolutions.com type answer, but I'm not sure how to get it given the IP address.

Thanks.

--- Bill Fox [EMAIL PROTECTED] wrote:

Hi,

Perhaps a brief email or phone call to the coordinator (see below) may help in resolving the issue (?).

Good luck!

--Bill

    United States Internet, Inc (NETBLK-SPRINT-D01840)
    1127 N Broadway
    Knoxville, TN 37917
    US

    Netname: SPRINT-D01840
    Netblock: 208.24.64.0 - 208.24.95.255
    Maintainer: USI

    Coordinator:
       Duren, Jon (JD5837-ARIN) [EMAIL PROTECTED]
       423 540-7100

    Record last updated on 01-Oct-97.
    Database last updated on 1-Sep-99 16:17:55 EDT.

----- Original Message -----
From: Newcomb, Kelly [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, September 01, 1999 4:12 PM
Subject: FTP Attempts

I'm getting repeated (regular intervals) FTP attempts to my firewall from an address (208.24.82.140) that I can't seem to track down. While the attempts are being blocked, the continuing log messages are annoying. This has been going on for quite a while now, and I'm wondering if something got caught in a loop and the attempts may not be malicious. (On the other hand... 8-O) Any thoughts?

TIA,
Kelly

---
Kelly Newcomb, CISSP
Technical Risk Assessment Consultant
Texas Guaranteed Student Loan Corp.
E-Mail: [EMAIL PROTECTED]
RE: Firewall software
Do you want to secure a user's Win95 machine while connected to the internet, or do you want a firewall that provides protection for a number of users while connected to the internet?

If you want the former, there are commercial products by Network Solutions and Symantec that claim to accomplish this. They aren't free, but it's Windows and I don't think you will find a free product in this category today.

If you want the latter, then I think Win95 is a horrible platform. I would strongly suggest setting up an NT, Linux, or FreeBSD box for this purpose. Since you have specified free (you get what you pay for, my friend), Linux or FreeBSD is probably the route you want to go. (Again, I don't think you'll find good, free, Windows-based software in this category.) I am not a *nix person so I won't recommend any specific products.

Windows 95 has no real security. Everyone has full access to a Win95 box and all its files, so it is not suited to security. (There are also numerous external exploits that are possible for Win95/98, and both NT and *nix have robust security communities scrutinizing these platforms. Some people will claim that NT security is an oxymoron, but I believe with the proper care and feeding an NT box can be adequately secured for most purposes.)

-----Original Message-----
From: Javier ECB11HEA [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 10, 1999 6:43 AM
To: [EMAIL PROTECTED]
Subject: Re: Firewall software

Ivan Stoyanov wrote:
> I need to set up a firewall, what software do you advise?

Me too, but I can't find a free firewall for W95. Any suggestions?

Thanks in advance
--
In town and on the highway, helmet on the noggin and belt round the belly.
Message written with 100% recycled electrons
Message written with 100% recycled phrases and signatures
Javier ECB11HEA
- END OF MESSAGE -
Be good.
RE: Implementation question
The most common solution you'll see on this list is the establishment of a DMZ by adding a third network card to the firewall.

         Internet
            |
          Router
            |
         Firewall - - - DMZ - - - SMTP Host
            |
         Intranet

This way if your SMTP host is compromised your internal network isn't.

-----Original Message-----
From: Geoff Smith [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 15, 1999 3:27 PM
To: [EMAIL PROTECTED]
Subject: Implementation question

I'm new to all this security stuff, so this is probably an old question, but here it is anyway: should a mail server be inside or outside a firewall? Here's why I ask.

1) If it's outside, people could break in and get mail until that mail is removed from the server (either by automated process or the user).
2) If it's inside, I'd forward port 25 to another machine inside where someone might be able to exploit the MTA to get access to stuff inside the firewall.

Do I misunderstand the problem? Thanks for any insight...

Norm!
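The diagram only delivers its promise ("if your SMTP host is compromised your internal network isn't") if the rules on the third interface are written so that the DMZ relay can reach exactly one internal host on exactly one port. The added example below (written for this page; not Gauntlet's, Raptor's or any product's configuration) makes that policy explicit and testable: zones are inferred from address ranges (constructed documentation/RFC 1918 values), rules are evaluated first-match with an implicit deny, and the checks state the property Norm was worried about in scenario 2. Host names, addresses and the internal mail store are assumptions for illustration.

```python
"""Zone policy for the three-interface DMZ in the diagram above.

Added example; not Gauntlet, Raptor or any product's configuration. Zones are
inferred from address ranges (constructed), rules are first-match with an
implicit deny, and the only DMZ->intranet path is relay -> internal mail
store on port 25. Return traffic is assumed to be handled by connection
state, as in any stateful filter or proxy.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/27"),        # constructed DMZ range
    "intranet": ipaddress.ip_network("10.0.0.0/8"),
}
SMTP_HOST = ipaddress.ip_address("192.0.2.25")         # the DMZ relay (assumed)
INTERNAL_MAIL = ipaddress.ip_address("10.0.0.25")      # where the relay delivers (assumed)


def zone_of(ip: ipaddress.IPv4Address) -> str:
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"       # anything that is not ours arrives from outside


@dataclass
class Rule:
    src_zone: str
    dst_zone: str
    dport: Optional[int]                                 # None = any port
    action: str                                          # "accept" or "drop"
    src_host: Optional[ipaddress.IPv4Address] = None     # None = whole zone
    dst_host: Optional[ipaddress.IPv4Address] = None
    note: str = ""

    def matches(self, src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address, dport: int) -> bool:
        return (zone_of(src) == self.src_zone and zone_of(dst) == self.dst_zone
                and (self.dport is None or dport == self.dport)
                and (self.src_host is None or src == self.src_host)
                and (self.dst_host is None or dst == self.dst_host))


POLICY: List[Rule] = [
    Rule("internet", "dmz", 25, "accept", dst_host=SMTP_HOST, note="inbound mail to the relay"),
    Rule("dmz", "internet", 25, "accept", src_host=SMTP_HOST, note="relay sends outbound mail"),
    Rule("dmz", "intranet", 25, "accept", src_host=SMTP_HOST, dst_host=INTERNAL_MAIL,
         note="relay hands mail to the internal store: the ONLY dmz->intranet path"),
    Rule("intranet", "dmz", 25, "accept", dst_host=SMTP_HOST, note="inside users submit via relay"),
    Rule("intranet", "internet", None, "accept", note="outbound browsing etc."),
    # Everything else, notably every internet->intranet flow and every other
    # dmz->intranet flow, falls through to the implicit deny in decide().
]


def decide(src: str, dst: str, dport: int, policy: List[Rule] = POLICY) -> str:
    """First matching rule wins; no match means drop."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in policy:
        if rule.matches(s, d, dport):
            return rule.action
    return "drop"
```

Two details carry the whole design: the DMZ-to-intranet rule is pinned to both a source host and a destination host, and there is no general "dmz -> intranet" or "internet -> intranet" rule at all. A relay that also needs DNS would get one more pinned rule, not a zone-wide one. If the internal store also serves POP3 to the inside, that rule lives entirely inside the intranet zone and never touches the DMZ.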
RE: Marginally on-topic -- Secure remote email access
POP3 can be used with SSL. You can obtain a digital ID and open the POP3 SSL port - I forget which port number. Obtaining a digital ID may be complicated by the fact that you are an international, non-US entity. (I'm not certain of that, but it is certainly the impression the NSA would like me to have.)

-----Original Message-----
From: Chris Knox [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 15, 1999 7:15 PM
To: [EMAIL PROTECTED]
Subject: Marginally on-topic -- Secure remote email access

My company is scattered across North and South America, Europe, Asia, Australia and the Pacific Rim. We currently use Notes for internal email, but the size of the data transfers while databases sync up has caused some very expensive phone calls. We're getting a lot of pressure to open up POP3 and let users connect across the Internet. It gives me heartburn to think of all those passwords being shuttled around in the clear from random ISPs in Sao Paulo, Moscow, London and who knows where else. To make matters worse, the users who travel the most are executives and sales types who are -uhm- technologically -uhm- challenged. I.e. they are doing well if they can set their clock radio.

Ideas or pointers to a more appropriate forum?

--
Chris Knox
[EMAIL PROTECTED]
Hypercom, Inc. (602) 504-5888
Unix Systems Support
Speaking only for myself.
RE: Building a Firewall- Step 2 ?
I have the book Building Internet Firewalls by O'Reilly (as some of you had mentioned). What NEXT?

May I suggest READING the book? ;-)

~Patrick
RE: What sort of scan is this ?
maybe nmap with the decoy option

    -Ddecoy_host1,decoy2,ME,decoy3[,...] Launch scans from decoy host

    Sep 23 03:56:22 list 100 denied tcp 216.xx.xx.66(47850) -> 203.xx.xx.201(23), 1 packet
    Sep 23 03:56:23 list 100 denied tcp 216.xx.xx.66(47850) -> 203.xx.xx.253(23), 1 packet
    Sep 23 03:56:23 list 100 denied tcp 216.xx.xx.66(47850) -> 203.xx.xx.254(23), 1 packet

Wouldn't that be `nmap -DME`? ;-) The source is always the same ("216.xx.xx.66"), but the destination is all over the 203.xx.xx.0/24 subnet, always going to port 23. Someone's looking for telnet servers and not being very stealthy.

~Patrick
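The observation in the reply above (one source, one destination port, many destination hosts, and the same source port on every packet) is exactly the pattern a log review can flag automatically. The following is an added example, not code from the list or from any poster: it parses Cisco-style ACL deny lines in the layout quoted above and reports per-source horizontal sweeps on any port, so the same logic covers the telnet sweep here and probes for any other single service. The log lines it carries are constructed with RFC 5737 documentation addresses; the regex accepts both the `->` arrow and the bare `-` that archives sometimes flatten it to.

```python
"""Detect single-source horizontal sweeps in Cisco-style ACL deny logs.

Added example for the mailing-list discussion above; not from the list.
SAMPLE_LOG is constructed with RFC 5737 documentation addresses.
"""
import re
from collections import defaultdict

# "list 100 denied tcp 203.0.113.66(47850) -> 198.51.100.201(23), 1 packet"
LOG_RE = re.compile(
    r"list\s+(?P<acl>\d+)\s+denied\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\)\s+-+>?\s+"          # "->" or flattened "-"
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\),\s+(?P<count>\d+)\s+packets?"
)

# Constructed sample: one host sweeping port 23 across a subnet with a fixed
# source port, plus two unrelated single denials from another host.
SAMPLE_LOG = """\
Sep 23 03:56:22 list 100 denied tcp 203.0.113.66(47850) -> 198.51.100.201(23), 1 packet
Sep 23 03:56:23 list 100 denied tcp 203.0.113.66(47850) -> 198.51.100.253(23), 1 packet
Sep 23 03:56:23 list 100 denied tcp 203.0.113.66(47850) -> 198.51.100.254(23), 1 packet
Sep 23 03:56:24 list 100 denied tcp 203.0.113.66(47850) -> 198.51.100.7(23), 1 packet
Sep 23 03:57:01 list 100 denied tcp 192.0.2.9(1034) -> 198.51.100.10(80), 1 packet
Sep 23 03:57:05 list 100 denied udp 192.0.2.9(1035) -> 198.51.100.10(53), 2 packets
""".splitlines()


def parse_line(line):
    """Return a dict for one ACL deny line, or None if the line is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "acl": d["acl"], "proto": d["proto"],
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "count": int(d["count"]),
    }


def find_sweeps(lines, min_targets=3):
    """Group denials by (source, protocol, destination port) and report groups
    that touched at least min_targets distinct destination hosts.

    fixed_source_port is True when every packet in the group used the same
    source port, as in the lines quoted on the list: real client stacks pick a
    fresh ephemeral port per connection, so a constant one points at a
    packet-crafting tool rather than a misconfigured host.
    """
    targets = defaultdict(set)
    sports = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["src"], rec["proto"], rec["dport"])
        targets[key].add(rec["dst"])
        sports[key].add(rec["sport"])

    sweeps = []
    for (src, proto, dport), dsts in targets.items():
        if len(dsts) >= min_targets:
            sweeps.append({
                "src": src, "proto": proto, "dport": dport,
                "targets": len(dsts),
                "fixed_source_port": len(sports[(src, proto, dport)]) == 1,
            })
    return sorted(sweeps, key=lambda s: -s["targets"])


if __name__ == "__main__":
    for s in find_sweeps(SAMPLE_LOG):
        print(f"{s['src']} swept {s['targets']} hosts on {s['proto']}/{s['dport']}"
              f" (fixed source port: {s['fixed_source_port']})")
```

Run against a real ACL log, the threshold `min_targets` is the tuning knob: three hosts is enough to separate a sweep from a stray misdirected connection, and raising it trades sensitivity for fewer entries to read.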
AltaVista Firewall - Reading between the lines.
I received a letter from Axent, about a month ago, apologizing for the state of their support. I have never had an issue with Axent's support however I think this is the actual reason for the acquisition. I think they want access to the support team for Compaq/DEC Altavista:

1. Axent is terming this an alliance, not a merger or acquisition. This indicates that they expect an ongoing relationship from this deal.
2. The technologies are largely duplicative. Nearly completely duplicative in fact and while they will rename the Axent products by adding EC they are not expanding their product line or adding much functionality to their existing products.
3. Axent doesn't think they have good support for the Raptor firewall. I don't agree, but the fact that they believe it has been clearly communicated to their clients.
4. Compaq has made it abundantly clear that they have little interest in pursuing any of DEC's product lines. No NT support for the Alpha. Altavista search sold to CMGI. Does DEC make anything else?
5. DEC or what was DEC had great support. Hell that's what Compaq bought - a support team. They've committed this support team for the next year.

Just my thoughts. As a straight product acquisition I don't think this would make any sense.

-Original Message-
From: Houser David DW [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 30, 1999 10:34 AM
To: [EMAIL PROTECTED]
Subject: RE. AltaVista Firewall

Date: Wed, 29 Sep 1999 17:43:22 -0400 (EDT)
From: spiff [EMAIL PROTECTED]
Subject: Re: test

Try http://altavista.software.digital.com for updates and knowledgebase, but the product was sold to AXENT and all Firewall 98 users will have to upgrade to a Raptor firewall. ha. there's customer support for ya.

Maybe I'm misreading something here, but the press release at the site mentioned tells me that at least one more version of Altavista will be released before the switch to Raptor is required. That's a helluva sight better than the state some mergers leave products with...

Q7. How will the acquisition impact AltaVista customers?
A7. The key elements moving forward for AltaVista customers include the following:
* A migration plan will be developed jointly by AXENT and Compaq and details will be available within the next 60 days.
* There will be one more release of the AltaVista Security Products per prior commitment to installed customer base to be delivered before the end of 1999.
* The AltaVista products will be formally retired per the migration plan.
* Compaq Services will continue to support AltaVista products for one (1) year beyond the retirement notice.
* AXENT's Raptor products will be available as the replacement products for the AltaVista Security products over the longer term.
SSH VPN, Solaris - Solaris or Solaris - NT
I'm trying to use SSH to tunnel a connection from a Solaris box with a SoftPC (x86 emulator, running NT) to a Solaris box. SSH is the preferred method because both machines will have SSH installed already, but I can entertain other suggestions. I have read the HOWTO on using Linux to create a virtual interface that binds to an SSH connection, but is there anything that exists in Solaris or NT to accomplish this?

The purpose for this is to tunnel traffic from a security auditor through the network so it appears from the other side of the network and can test the firewall on that side (firewalls on both ends of the network, can only test the local firewall so I'm trying to tunnel to change the idea of "local.") If anyone knows a better solution, please let me know.

Thanks!

~Patrick
RE: SSH VPN, Solaris - Solaris or Solaris - NT
I'm sorry, I guess I didn't explain the situation properly. I want to run a security auditor from a machine which just happens to be a Solaris box with a SoftPC card running NT inside it. The machine is in charge of the security of a large network with many layers of firewalls. The problem is if the local firewall is configured correctly, this one machine cannot test the remote firewalls because the local firewall will block the traffic. Installing and running auditors at all of the remote firewalls is a less than desirable solution, so the idea I thought of is to tunnel traffic from the local auditor to a remote machine at the remote firewall so my auditing traffic will go through the firewalls and appear on the other side.

A quick picture:

    [Auditor]---[firewall]---[ATM]---[firewall]---[remotehost]
             ---[Proposed VPN]--
                                                 --[TEST TRAFFIC]

The VPN would (should?) allow my traffic from the auditor to travel through the network safely to the remote host, which would extract the actual network data from the VPN so the testing traffic would test from the outside in. Ideally, I would like to accomplish this using ssh tunnels, preferably to the extent allowed through patches to the Linux kernel where a virtual interface is created and bound to an ssh connection so the interface may be addressed like any other network interface.

Thanks,

~Patrick
RE: SSH VPN, Solaris - Solaris or Solaris - NT
Forgive my ignorance, I am confused when the term "tunnel" is used referring to SSH and HTTP. I am very familiar with PPTP, L2TP and IPSec tunneling. Are we using the term the same? If so how are you tunneling SSH? What's the encapsulation protocol?

Your confusion is because in both my question and spiff's reply we are referring to using ssh and http to DO the tunneling, respectively. With ssh, now that I've found more information (though I'm still looking for Solaris-specific information), I know ssh is used to encapsulate a PPP connection. With the http solution, if it is the same product I am thinking of, the IP traffic is 'hidden' as CGI traffic from a web server.

There is a good explanation of using SSH to make a VPN (admittedly a rewrite of the Linux VPN HOWTO with their own experiences added in, and IMHO a more thorough explanation than the HOWTO) at: http://www.vpn.outer.net/2e/vpnssh.html

I can probably use this info to extend it to Solaris, but if anyone has any experience getting this to work specifically in that environment, I'd appreciate any tips you may have.

Thanks!

~Patrick
RE: Squid probes ?
For those of you who are interested, SANS (www.sans.org) has been looking for data traces on these probes. We're nearing the end of the two week period they were looking for, but I'm sure they appreciate any data anyone has. This is from the last SANS Digest --

A high priority note from our intrusion detection program manager, Stephen Northcutt: Intrusion detection systems ranging from home computers with cable modems to high end government facilities have been reporting a large number of probes to TCP port 3128, the squid proxy service. If your site has a network monitoring capability and you DO NOT run squid and you detect this pattern over the next two weeks, please let us know by sending email to [EMAIL PROTECTED] with intrusion 3128 in the subject line. If you are allowed to send the data trace, please sanitize any of your site's network information (destination host address) and send the data trace as well. Thank you!

~Patrick
RE: Squid probes ?
From the new SANS newsbits --

In a fabulous example of networked community cooperation, more than 300 security practitioners isolated the behavior of the Internet-wide RingZero Trojan proxy attack, found the Trojan, created defenses, and, as a result, the Russian site that was using it to collect data shut down and many sites improved their defenses against proxy attacks. Congratulations to the 330 people who helped. The good guys won one! See http://www.sans.org/newlook/resources/flashadv.htm for the latest update. All this success flowed from Stephen Northcutt's note asking about suspicious probes.

This is about the 3128 probes, obviously.

~Patrick
RE: Exploiting RedHat
Hi,

I am not sure it's what you need (I don't know if you need a free and limited tool or this kind of tool) but just take a look at: http://www.ipswitch.com/Products/WhatsUp/index.asp

Hope this helps.

---
Patrick Stuto
PSideo Informatique
Av. du Bois de la Chapelle 99, CH-1213 Onex
tel. +41 (22) 870 17 16
fax +41 (22) 870 17 17
web http://www.psideo.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dave Gillett
Date: Monday, 11 October 1999 11:18
To: [EMAIL PROTECTED]
Subject: Re: Exploiting RedHat

On 9 Oct 99, at 17:14, Ahbaid Gaffoor wrote:

Where can I find information on how to exploit certain OS's? I'm setting up a RedHat based web server and would like to demonstrate the need for security policies to my employer and clients...

One of the common scan signatures that we were seeing last Oct-March, we started referring to as "somebody's RedHat box got compromised", because when we notified the admins at the source IP address, that was invariably found to be the case.

David G
RE: Port Monitor and not RE: Exploiting RedHat
I answered the wrong message yesterday. This e-mail was an answer to Port Monitor and not Exploiting RedHat.

Hi,

I am not sure it's what you need (I don't know if you need a free and limited tool or this kind of tool) but just take a look at: http://www.ipswitch.com/Products/WhatsUp/index.asp

Hope this helps.

---
Patrick Stuto
PSideo Informatique
Av. du Bois de la Chapelle 99, CH-1213 Onex
tel. +41 (22) 870 17 16
fax +41 (22) 870 17 17
web http://www.psideo.com
RE: Unknown internet traffic
The really annoying thing is the Cable Companies consistently claim they do block this traffic. My experience is that you can get it blocked on your local segment by calling them up and complaining. Pretty sad.

-Original Message-
From: Eric [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 13, 1999 10:51 AM
To: Jeff Younker
Cc: 'Carric Dooley'; 'The Firewalls List'
Subject: Re: Unknown internet traffic
RE: Unknown internet traffic
Just to add my $0.02, which if I'm lucky is worth half that, the cable companies are wise to not put a firewall between you and the net. Once they have done that, they are legally responsible for your safety, and they also don't have to run tech support when the latest streaming application doesn't work or you're trying to open up a non-standard port for some network project for school or anything else. Unlike a corporate environment, they can't block out all but their approved services.

What would be better is if they did a better job of educating people on securing their own systems and made people aware such activities were necessary. Unfortunately, most users don't understand the need, the concept, or the techniques, and would rather just ignore the issue. On the plus side, unless you download a trojan, the only vulnerability most Windows users have is the plethora of DoS attacks out there. Since Windows users are used to having to reboot constantly they probably wouldn't even notice the attack.

~Patrick
PATCH (RE: instant lunch advisory: via hackernews)
The cover of Maruchan's Instant Lunch says ready in 3 minutes. That is definitely not the case. Upon completing extensive research I found that during the second minute Instant Lunch is susceptible to a buffer overflow. The directions on the back are as follows:

1. Fold back lid half way. fill to inside line with "boiling" water
2. Close lid "securely" and let stand 3minutes.
3. Remove lid, stir and enjoy from cup.

I have developed a patch workaround for the above problem. Just apply the patch to the directions as given. The problem arises when users misread the directions and don't realize the water is not boiling before being added to the cup of instant lunch. The following patch attempts to account for this situation, since all experienced engineers know you must account for all error conditions.

#- CUT -* 1c1 1. Fold back lid half way. fill to inside line with "boiling" water --- 1. Fold back lid half way. 3c3,10 2. Close lid "securely" and let stand 3minutes. --- 2. if(water_is_not_boiling) { add_water(inside_line - 0.5); close_lid(securely); microwave_on_high(180); } else { add_water(inside_line); close_lid(securely); sleep(180); } *-- CUT -#

Please note this patch is only a temporary workaround until an official patch is released by the developer. I can not be held responsible if this patch does not work for you, even if it makes it worse. It works fine for me, but YMMV.

~Patrick
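Review bot: the second hunk is addressed `3c3,10`, but the line it removes is step 2 of the directions ("2. Close lid "securely" and let stand 3minutes.") and its replacement is also numbered 2, so against the three numbered lines quoted above the address should read `2c2,9` and step 3 ("Remove lid, stir and enjoy from cup.") is left untouched; as written, `patch` will reject the hunk for a mismatched context line. The first hunk drops "fill to inside line with "boiling" water" from step 1 and the new step 2 becomes the only place water is added, which is the intent, but the description should say so since a reader applying only the first hunk ends up with no water step at all.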
RE: need packet creator utility
I'm looking for utility to create packets with my demands (bits on/off, udp/tcp, inclu. data). I tried spak and stievens but they couldn't compile on RH linux 6.

spak uses the OLD... style headers from libc5 (RedHat 4.x, etc.). To port it on RH 5.x, or any other glibc2.x system, the packet field names need to be updated. I started a port of spak to the new headers, but got bored of it. Maybe someone else already did this task, or maybe I'll get around to doing it in the next few days. I just lacked the motivation when doing this at 2am. ;-)

~Patrick
RE: BO2k source code
Back Orifice is a brilliant program. You are all fools to not notice its use of the Boolean Anti-Binary Least Square (BABLS) approach. If you have to ask, you wouldn't understand...

~Patrick

P.S. It's a joke. Get over it. ;-)
RE: *This is* NOT *a rant* ANYMORE [Hors sujet]
Allyay isthay iscussionday aboutyay atwhay anguagelay ouldshay ebay usedyay isyay upidstay. Ethay implesay actfay ofyay ethay attermay isyay ifyay youay antway otay eakspay Anishspay, Enchfray, Ahilisway, ateverwhay, ogay otay ethay appropriateyay istlay inyay ethay appropriateyay anguagelay. Isthay istlay isyay inyay Englishyay, ichwhay isyay ywhay Englishyay isyay usedyay. Ofyay oursecay, evenyay inyay ayay inglesay anguagelay ethay exttay ancay ebay uiteqay ifferentday ependingday onyay erewhay youay areyay omfray.

Rough translation (my apologies for meanings lost while translating):

All this hyar discusshun about whut language sh'd be used is stoopid. Th' simple fack of th' matter is eff'n yer hankerin' to speak Spanish, French, Swahili, whutevah, hoof it to the appropriate list in th' appropriate language. This hyar list is in English, which is whuffo' English is used, cuss it all t' tarnation. Of course, even in a sin'le language th' text kin be quite diffrunt dependin' on whar yer fum.

~Patrick

Vive le temps! Vive le temps! Vive le temps d'hiver!

[1] The Dialectizer -- http://www.rinkworks.com/dialect/
RE: outbound traffic
equal the inbound traffic? i mean change the ratio from 1:4 to 1:1? I'm just curious because for the last 6 months monitoring our bandwidth the ratio was always 1:4, now it's on 1:1.

First thing to check is for math errors. :) After that, check for changing user habits. Maybe a lot of users are listening to streaming audio or downloading multimedia files (MP3, MOV, etc.). Of course, there's always the possibility people just aren't hitting your site as much anymore. ;-) Check the numbers. Make sure the output traffic is the same as it's always been. If not you may have another problem. Another possibility is six months may not be a large enough data set, especially with the holiday season approaching.

~Patrick
RE: Dos attacks !
I would like to know whether there is a solution for tear drop attack and syn flooding attack for BSD. If so please forward me the site to find the source to me.

I could be wrong, but I assume the latest (or even not-so-latest due to the age of the listed attacks) version of the kernel would be immune. Try upgrading your system. I don't have a URL handy, but it should be rather simple to find. I can't do the search for you because you didn't say what flavor of BSD you use (I don't know if it matters or not).

Hope this helps,

~Patrick
RE: Tunneling through firewalls
The point of tunneling is to go through firewalls (well, in your case, anyway). This is why the firewall is rendered useless. If the endpoints of the SSH link have firewalling capabilities you can regain a little bit of security by firewalling the link at the endpoints rather than the firewall you're piercing. For example, if the endpoints were Linux, you could use ipfw or ipchains to block all but approved traffic.

~Patrick

-Original Message-

Hello,

We are thinking of tunneling Telnet and/or VNC through SSH across a firewall. One of the questions i have is as follows: once SSH is allowed through a firewall, how can you restrict what is being tunneled through it? Let's say I only want Telnet tunneled. I am advised that once you open up the tunnel, any protocol can flow through it and I would have no way of blocking that. Ideas, insights, recommendations, white papers, websites about tunneling are all welcome.

Thanks a lot.

Saxo
RE: DSL vulnerabilities
thought I'd ask what people's opinions are of using DSL *without* a firewall. What are some of the risks? And what types of firewalls might be the best bet for this situation, if one is needed?

The risks are the same as any net connection, including a dialup line, except even more so if you get a DSL connection with static IP (of course, you can also get this option with standard dialup...)

The above may not be exactly the answer you're looking for, but you said you're doing searches on the Net already, so just look for any list of pros and cons about firewalls, slap "DSL" inline where appropriate, and your paper is done.

As a side note, I believe an advisory just came out recently about a Denial of Service against a particular DSL modem or something. Search BugTraQ if interested.

~Patrick
RE: ipchains letting NetBIOS through?
My firewall is connected to a cablemodem, and it hit me that the cable co. must be doing some filtering on UDP 137-139 (probably due to all the complaints about Windows Network File Shares being easy to access/browse), and they must be dropping those packets so my firewall never sees it and nmap never sees an ICMP unreachable (hence the report of a "Port Open").

Just to give you a nod or something, my testing has shown tcp ports 137-139 being filtered as well at several points. My cablemodem service (@Home), my friends' cablemodem service (MediaOne), my work, etc., etc. In all cases, the packets are just silently dropped. I'm not sure how I feel about this. I do know I'd be very upset if they decided to add ports 21, 22, 23, 25, and 110 to the list of ports to block. Granted having even those ports open is against the terms of service. ;-)

~Patrick
RE: Making POP3 Service Available
I know that this bad security practice to allow the POP3 service to come in, but I need additional internet white papers, concrete evidence, best practices info on why we should not allow this.

Anything wrong with running POP if you have an SSL wrapper in place for the transmission of usernames and passwords?

~Patrick
RE: How to defeat a proxy firewall
Finally, on a workstation on the private LAN, change the default gateway to point to the vpn servers and add the third IP number to its LAN port. Now, from this workstation, you can go anywhere. The only thing the firewall admin will see is a really long DNS lookup.

An obstacle easily defeated by setting up your own caching name server inside your network and disallowing all traffic from anyone to the outside world, including DNS, except from your caching nameserver. If interested, the DNS-HOWTO explains this very well. http://www.redhat.com/mirrors/LDP/HOWTO/DNS-HOWTO.html

~Patrick
RE: port 113
Can anyone explain to me if any attack exists using port 113/tcp? I had seen some packets denied in my logs, incoming from various IP addresses.

113 is the auth ("ident") port. People can use this information to determine what user id daemons are running as. The idea is that it's much more enticing to get a daemon running as root to send back a shell than a daemon running as nobody. It can also be used to determine what user is trying to make a connection to a server for logging purposes. This is popular for POP and FTP servers so the originating username can be logged.

That being said, port 113 is useless and should be blocked. Better yet, don't even run the daemon at all. Back in the days the auth port was good because the Net was open and people were honest. Now, if the auth port is even open, the data is to be untrusted. You can configure identd to return bogus information, incomplete information, or even no information. And this is just using identd. This doesn't even cover funny stuff like writing your own daemon to answer queries or using netcat to spit out garbage.

~Patrick
RE: port 113
Our experience with port 113, the AUTH port, is that peak performance is maintained with it allowed through the firewall. This does not mean the AUTH service has to be running.

A better solution would be for your firewall to RESET, rather than DROP the connection. This way the remote server tears down its query, rather than waiting for a timeout.

~Patrick
RE: Dealing with port scanners / attackers
I'm not clear on what a port scan accomplishes with a spoofed address unless it is just to make you think you're being scanned from elsewhere. If you're being scanned from a spoofed address, then whoever is trying to find a vulnerability will never know the result, right?

Except, of course, when the attacker is spoofing the return address of another machine on the same subnet and can sniff the responses from there or using a tool like idlescan and using an unsuspecting third party to do the scan for them.

~Patrick
RE: ports 6671 6771
I suggest you take a good look for the trojan. It's not impossible that you find it on your computer.

It is when you run Linux. ;-)

~Patrick
Redcreek Question
Has anyone installed a ravlin 3200? Are these not too complex to configure for point to point 3DES?
RE: site blocking testimonials
Deja.com is blocked b/c of access to all newsgroups - or at least it used to be.

I use WebNot, it fulfills my needs, and it is relatively easy to manage - but now to the griping. WebNot uses a list generated by Mattel for a browser blocking product aimed at parents/schools/libraries. WebNot includes a number of categories for blocking but when a site is blocked the product doesn't provide even the basic information on why it is blocked, like what category have they blocked it under. The blocking is IP based and many sites are blocked erroneously. Tripod, GeoCities, et al are all blocked - appropriately given some of the stuff that gets thrown up on these sites - but better information to users trying to access these sites would be useful. Mattel is reticent in removing old, now erroneous blocks. There is an argument that this is because removing old blocks would lower the number of blocked sites in its list, a number which is used as a selling point for the product. The product has been blasted by some free speech advocates, and it has been reverse-engineered as a part of that discussion.

The main things for me would be getting old, erroneous blocks off the list, finding what sites are classified as when they are blocked, adding a classification for innocuous content - right now I classify it all as "Search Engines", which isn't accurate, having sites content classified for adults - I'm not using the product to protect children, and telling me at least what a site is classified as when it is blocked.

"There are seldom good technological solutions for behavioral problems." -Ed Crowley

One tip - Go under the Raptor Bin folder and dig for the HTML errors. One of these is the 403-forbidden message. Rewrite with a mailto link that throws the URL in the subject or body of the message so users can click to send a request to open a site, rather than dealing with you having to guess the URL or hunt through the logs to find the URL.
-Original Message-
From: kos [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 28, 2000 1:46 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: site blocking testimonials

Sean,

Webnot on Raptor firewall is decent. The database itself is fetched daily by your firewall and is an outsourced service for Axent. It seems to be largely automated because predominant problems with it have to do with blocking too much, for example www.deja.com but they are easily overcome. See http://www.bastard.net/~kos/raptor for a script that can be used to whitelist sites.

Later,
Kos

| Has anyone here had some real-life experiences (good/bad) with
| firewall-based WWW site blocking programs? I'm interested in the
| obvious issues:
| * acceptance
| * effectiveness
| * whether or not sites are improperly blocked
Pc Anywhere Question.
I think I saw it here on the list. But not sure since I can't find any mention of it. A registry hack for Pc Anywhere which stops it from responding to the network scan within pc anywhere. Any help would be greatly appreciated.
Re: Building a Firewall on Slackware
Gary Maltzen wrote:

Could anyone guide me to source of information, website, or otherwise to help me with this.

IPCHAINS = MASQ : check Rusty's MASQ site http://www.indyramp.com/masq/
You DID read the IPCHAINS-HOWTO, right? http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO.html

There are many that are going over to Linux these days that have never tried it out earlier, wading through all the HOWTOs can make one feel horrified at how to get IPchains and masquerading to work. If you have a cable modem it's even more scary. What would be nice is to have a firewall up and running right at the start, while learning the basics gradually on the way...there are two sites that offer a solution:

PMFirewall - http://www.pointman.org (works on all major distribs)
Mason - http://users.dhp.com/~whisper/mason/

Instead of implementing all the rules yourself the install script asks you questions on how your machine is setup. Pretty simple and efficient. You can customize your own rules on the way.

I'm running Slackware 7.1 with PMFirewall on a 486DX4 with 32 RAM with a Bay Networks cable modem, acting as router/firewall for 2 PII's. We've been running Win95, Win98, Slackware 7.1, Linux-Mandrake 7.1 and OpenLinux 2.3 without any problems. Logging is enabled by default in /var/log/messages. mIRC, ICQ, Internet gaming with Quake and Unreal Tournament, among others, work flawlessly.

If you happen to have a 486 with 12 RAM lying around doing nothing try out:

LRP - http://lrp.steinkuehler.net/ (firewall on a floppy...!)

Better to get something running at once while learning on the way!

Regards,
- Patrick Benson
Stockholm, Sweden
Re: Building a Firewall on Slackware
Internet Junkbuster deals with URLs and cookies; the firewall script works at a much lower level, restricting which sites and protocols I will allow through my gateway. For example, IJB doesn't block host probes from Central Bank Russia... Nor, for example, will IJB block IMAP or RPC exploits from Taiwan...

Yes, I know what you mean, but that depends on how and what the firewall is protecting behind the scenes. If I would have a firewall on a corporate network I would be pretty rigid with the rules but I'm "only" doing this at home. Correct me if I'm being too lazy! :) Banner ads can be shifted to different networks from time to time, isn't it easier having a program or daemon to filter those on its own without oneself tracking them down where they're at? If you just don't want cookies and URLs it would just shut them off without you doing the task of tracking them down. It's a matter of taste, maybe.

When it comes to probing, that's something else. I've noticed that there has been someone trying to scan for Netbus on my machine in my logs, not heavy probing but from time to time. I've tracked the location, somewhere in South Korea but appearing on different local networks in the same vicinity. Now if I put these on my "black list" chances are I might shut someone out who just happens to live in the same area that I have communications with...just giving this as an example, of course ...what would be a preferable solution?

- Patrick Benson
Stockholm, Sweden
cisco Established keyword
Gernot,

The "established" extended ACL keyword only checks for an ACK in packets. Letting packets through just because the ACK is set is not good--a number of well-known scans work because of this. "Established" is not stateful in any sense of the word. It was an early kludge that was followed by reflexive access lists, another kludge. The FW IOS uses CBAC for true stateful inspection.

CBAC works well, but has two problems: it is a tool, and depends upon the skill and knowledge of the person using it; and stateful inspection is completely baffled by tunnelling hacks that use ICMP, SSH, HTTPS, and other protocols (e.g. Loki).

--Patrick Darden
--Internetworking Manager
--Athens Regional Medical Center

You wrote:
> 1) Every CISCO Router can by default do stateful tcp inspection ("established" keyword).
> 2) With the IOS Firewall Feature Set it can do full stateful inspection for tcp, udp, and icmp (CBAC and/or reflexive named access lists).
RE: cisco Established keyword
On Tue, 25 Jul 2000, Ben Nagy wrote:

> Personally, I trust reflexive access lists more than CBAC.

The best tools are the tools you know best.

> Reflexive access lists are _not_ a kludge - on the contrary, they work in the traditional manner for a stateful packet filter.

They are a primitive and early workaround for the open 1023+ port problem, and they don't inspect the contents of a packet. Its version of statefulness is derived from whether the ACK is set; there is no table of connections kept--therefore there is no true statefulness. It is a kludgey attempt at state monitoring. They are intended to allow internally derived connections to work despite changing ports, e.g. active ftp.

> When a new connection is opened from inside the network an entry is written into a temporary ACL in RAM which allows return traffic with the inverse source/dest ports etc.

Not really.

> I'm fairly sure that it's _just_ an ACL though - therefore it wouldn't have the capacity to check sequence numbers, make sure that only packets with flag combos that are legal for the current TCP state etc etc.

It is just a reflexive ACL, yes. No state tables, no inspection of the internals of packets.

> CBAC has some really good features - frag reassembly, session audit trails, "inspection" of some simple protocols, dealing with active FTP properly etc. The trouble is that it can only do these things up to a certain point. You can send so many frags that the router stops reassembling them. You can space your bogus commands over such a length of time that the router gives up on holding onto the packets that contained the start of the illegal command etc etc.

True, but everything only provides a measure of protection. I agree that CBAC is not the perfect solution, but I don't know of one. CBAC is cheap and effective as far as it goes, but it doesn't go very far--maybe 15 application layer inspection modules built-in, and no method to easily extend it.

> Basically I'd rather have a simple, almost certainly correctly coded mechanism that I understand than some nebulous inspection engine which can only play with a teeny bit of RAM while filtering.

Absolutely, if you understand it, it is a better tool for you to use.

> There is no docco that I've seen which tells you which stuff is filtered and there is nothing I've seen that indicates that there are versions of the inspect engine itself, so I have no assurance that it's a "live" product in terms of development.

Doing a 10 second search for CBAC at www.cisco.com gives me:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t5/iosfw2/iosfw2_2.htm

This document gives details such as a complete list of supported protocols:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t5/iosfw2/iosfw2_2.htm#xtocid1359517

AFAIK, CBAC is indeed static. It has been ported to the larger routers, but it hasn't changed much lately. Reflexive ACLs have not changed in years either though.

> Most people use edge routers as either a packet filter for a small, low-risk network or as a fast first line of defence for another style of firewall.

Yep. CBAC is not meant for edge routers. I believe it is meant for slightly used internet routers for small businesses--ISDN BRI, a few T1's, etc.

> With this in mind, I usually promote CBAC as a very small increase in security over reflexive ACLs and (when I use it) tend to only inspect frags and tcp/udp/ftp.

It is a *major* increase in security, but only for a limited number of protocols, and its performance hit is considerable. Its usefulness is definitely limited.

> > "Established" is not stateful in any sense of the word. It was an early kludge that was followed by reflexive access lists, another kludge. The FW IOS uses CBAC for true stateful inspection.
> >
> > CBAC works well, but has two problems: it is a tool, and depends upon the skill and knowledge of the person using it; and stateful inspection is completely baffled by tunnelling hacks that use ICMP, SSH, HTTPS, and other protocols (e.g. Loki).

--Patrick Darden
--Internetworking Manager
--Athens Regional Medical Center
Re: Home Network Security
[EMAIL PROTECTED] wrote:
> Hello, What do you all recommend for a good home security firewall? I have heard of Black Ice and Zonealarm.

That depends on which operating system you will be installing on the machine that will act as the router and, of course, how it is going to be used. What sort of routing software do you have in mind if you're going to install Win9x/NT? A problem that quite a few people have noticed with firewalls running in the background with Windows is overall performance. In the beginning one is just satisfied with getting some kind of firewall up and running, but if you don't have enough RAM installed you're going to be disappointed in the long run. I'm using Linux myself on the router for our 3 PCs.

> I am hooking up 3 PCs to a cable modem connection in a home for a friend. What issues should I be aware of concerning security? How would I block netbeui from being broadcast out through the cable modem?

Depends on what sort of cable connection they're going to have installed. We have a "party" line over here, lots of folks sharing the main feed, so security has to be pretty tight. If you want a basic security outlook on things for Windows, go take a look at how to unbind protocols that you won't be needing: http://grc.com/su-bondage.htm You'll see that you won't have to worry about NetBEUI going anywhere.

> Your input is greatly appreciated. Thank You al

Your feedback on how it goes, likewise. :)

- Patrick Benson
Stockholm, Sweden
Re: What is the best linux platform for security
[EMAIL PROTECTED] wrote:
> A general question that could lead to interesting things... If anyone here were able to start, from scratch, their own firewall, specifically designed on a Linux platform, what would you select as the flavour, taking into consideration the following requirements:

If it's just for a small network:

> 1) Security, something stripped-down and tight

Just a minimum kernel booted with a write-protected floppy. No hard disk and no CD-ROM. All services locked down except for SSH - and keep the password for root away from the kiddies! :-)

> 2) Performance, as that is always an issue

Just let it run in RAM and no writing to disk...

> 3) Popularity, a flavor everyone likes

Floppies are still hanging around!

> 4) Future scope, something everyone will like for a long time to come

Keep some copies in the attic - preferably a Maxell 20+2 business pack!

> 5) Flexibility and Ease, something easy to use and without limitations

Just flip on the switch... and turn it off, whenever and whatever!

> So if anyone here had the power to do it, and do it right, what would be YOUR flavour?

I've already done it!... but if I did it right... ;)

(But Slackware, with just the A + N series installed along with PMFirewall, is all I really need in my humble dwelling!) :-)

- Patrick Benson
Stockholm, Sweden
Re: openbsd
Ronneil Camara wrote:
> I have found an openbsd link for my i386 machine. Are the files listed in http://download.sourceforge.net/pub/mirrors/OpenBSD/2.7/i386/ enough for my installation? Thanks in advance. Ronneil

Check out the specs - http://www.openbsd.org/faq/faq4.html
4.2 - The files you need
4.3 - Space needed for a typical installation

- Patrick Benson
Stockholm, Sweden
Re: Comparison of firewalling software available
Andrew Thomas wrote:
> Hi, I'd really appreciate any information that could be offered in the way of comparing various free firewall solutions, e.g. ipfw, ipchains, ipfilter, ipfwadm, for free *NIX based platforms. If you have opinions and/or preferences, I'd like to hear them, with the reasons behind them. Thanks. Andrew
>
> Andrew Thomas
> eye2eye digital distillers (Pty) Ltd
> office: +27-(0)21-4889820
> facsimile: +27-(0)21-4889830
> mobile: +27-(0)83-3184070

It depends on what kind of network you will be trying to protect. Some good resources are:

http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO.html - it usually starts here... good network examples are included
http://www.linuxdoc.org/HOWTO/Adv-Routing-HOWTO.html - features tunneling...
http://www.robertgraham.com/pubs/firewall-seen.html#2 - firewall forensics... what is in those logs, anyway??
http://www.sans.org/topten.htm - know one's most common weaknesses... and BIND (named) tops them all.

Best regards,
- Patrick Benson
Stockholm, Sweden
SCP
We have a tape machine on our secure network and it makes sense to reach out to the non-secure DMZ and yank back backups through the firewall. That way the connection is established from the inside out. I would like to use an encrypted client/server such as SCP or SSH to do so. Does anyone have any idea how to do this?

I guess I could use SSH and begin the tar process. Then I guess I could scp to the external server and get a tarball. I would prefer not to have to tar the external file up on the remote computer, so that I don't have to worry about overflowing the filesystem there. I would prefer to have the external computer tar the file over the network (back through the secure VPN that was established outward) onto the tape machine to avoid this problem. One approach I thought of was network mounting the tape machine as a logical drive for the external server, but NFS is a whole additional security headache.

Is there some way others are using to establish a secure VPN out to a DMZ server and then snake the data back through that encrypted tunnel to a backup device? I'm sure others have had this problem in the past. Any references to previous threads would also be appreciated.

Thanks in advance,
Pat Stingley
Re: Split DNS
Ben Nagy wrote:
(sliced)
> For bastion hosts, I like djbdns - by DJ Bernstein (author of qmail). http://cr.yp.to

A very nice feature on one of the Linux Router Project disk images is the implementation of the DNScache program from the djbdns suite; very nifty tool, that one, along with iproute2 and IPSec.

- Patrick Benson
Stockholm, Sweden
RE: Windows 98 trying to learn about Windows Networks outside of our little world.
First guess I would have would be the "networks.exe" virus; can't recall what its actual name is offhand, but it spawns a process called networks.exe which scans subnets looking for Windows file and print sharing, which it then replicates itself to and starts the whole process over again.

Hope this helps

-----Original Message-----
From: Tomas Huynh [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 18, 2000 4:10 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: Windows 98 trying to learn about Windows Networks outside of our little world.

Correct me if I am wrong, but it sounds like someone on that "little 98 machine" is trying to run some sort of network scanner... perhaps getting IPs with known network vulnerabilities to use some kiddie script on later?

tomas

> From: "John Huggins" [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Windows 98 trying to learn about Windows Networks outside of our little world.
> Date: Mon, 18 Sep 2000 15:38:19 -0400
>
> One of our Windows 98 machines ground to a slow pace today. Then we get an email from our Internet provider essentially copying a message they received from some outside person complaining that this little 98 machine was exploring a whole range of IP addresses on the usual Windows network ports.
>
> Anybody heard of this kind of virus? If not, can you provide some other resource links to others in the know?
>
> I know, I know. We should have been packet filtering our local network from the Internet, BUT those on high demanded full access to the Internet; for all I know they belong to the Flat Earth Society. Thus, I let them have their way, while us few non-flat-earthers protect our individual machines with things like Zone Alarm.
>
> J
Re: Stateful Inspection vs Packet Filter
iCefoX wrote:
> Hi Listers, I am trying to do some research on the architectural difference between stateful flow inspection technology and the plain packet filter that is readily found in networking devices like routers. I would appreciate any pointers in terms of reading. On the other hand, I guess it would be easier to understand from an experimental perspective. I wonder if there is any security guru who could point me to the conduct of some form of basic/simple penetration test so that I can get a better appreciation of these two different technologies. I am assuming that some form of penetration test can circumvent a packet filter while not being possible against stateful inspection technology, given their architectural differences. Cheers! iCefoX

You will find the useful information that you are looking for on the Penetration Testing mailing list, along with its archives, at:
http://www.securityfocus.com/

-- Patrick Benson
Stockholm, Sweden
RE: NT password encryption name service
The main issue here lies within the backwards compatibility of LAN Manager support, which breaks the passwords down into 7 character chunks that are all non case sensitive. You can increase the time that l0pht would take dramatically simply by editing the registry to do only NTLM v2 with no fall back to LAN Manager. This of course would eliminate 9x machines being able to log in to the network, as well as any older NT machines (pre SP4). By enabling only NTLM your 14 character password becomes exactly that, a case sensitive 14 character password which would take far longer to run through. BUT... given the current speeds of processors (benchmarks given are 480 hours to run all possible combinations on a quad Xeon 400) this time is probably drastically reduced, say running it on 8-way Xeon 700s or higher. And Microsoft actually does salt the passwords when they are encrypted; it just so happens it's the exact same salt for every password : )

-----Original Message-----
From: "D. Clyde Williamson" [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 22, 2000 10:05 AM
To: Graham, Randy (RAW)
Cc: 'Chris Williamson'; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: NT password encryption name service

No, this is correct. The entire problem with NT's broken scheme hinges on this. Longer passwords don't make safer passwords. Yech!

Graham, Randy (RAW) writes:

> The reason you get more possible passwords than Chris is because you assume an 8 character password is ((26 + 26 + 10 + 12)^7) * (26 + 26 + 10 + 12) passwords, when because of Microsoft splitting each password into 7 character parts (which can be decrypted separately) an 8 character password has ((26 + 26 + 10 + 12)^7) + (26 + 26 + 10 + 12) possibilities. Notice that is a + in the middle there.
>
> Likewise, a 10 character password (as you gave as an example below) is actually a 7 character password plus a 3 character password for decryption purposes - I come up with 12,151,280,678,248, which is far less than what you came up with. Therefore there are only (74^7)+(74^3) possibilities instead of 74^10. I actually think Chris calculated too high.
>
> Unless I'm misunderstanding the l0pht documentation on this terribly, what it says is every password can be broken into two 7 character chunks, each chunk independent of the other. Therefore, going from 7 characters to 8 characters only adds 74 additional passwords to decode (assuming the character set you mentioned below). That is why someone on this list (already deleted the message, and don't want to search just to get a name) said he only used 7 character or 14 character passwords. Certainly 8, 9, 10, 11, and probably even 12 character passwords don't gain you much beyond 7 characters. And to make it all worse, Microsoft doesn't even salt the passwords, so user A and user B will have the same encoded password from the same plaintext.
>
> If I am horribly off here, I'm sure someone will let me know.
>
> Randy Graham
>
> -----Original Message-----
> From: Chris Williamson [SMTP:[EMAIL PROTECTED]]
> Sent: Thursday, December 21, 2000 6:05 PM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: NT password encryption name service
>
> Chris Hastings was incorrect in his calculation...
>
> There are only two options in L0phtcrack with special characters, one with 12:
> Make that (26 lowercase + 26 uppercase + 10 numerals + 12 special characters)^8 with a total of 899 194 740 203 776 (twice as many as Chris calculated, 457,163,239,653,376)
> and the other with 32, with a total of 6 095 689 385 410 816.
>
> If you use a combination of any special character and increase to 10 characters in length you should be fairly secure: 53 861 511 409 489 970 176
>
> Or if you are paranoid like my buddy Greg who uses 13 mixed characters: 44 736 509 592 539 817 388 662 784
>
> I reckon if he changes this once a month he should be able to stay ahead of a L0phtcracker
>
> Regards
> Chris Williamson :)
>
> ----- Original Message -----
> From: [EMAIL PROTECTED]
> To: Bobby Brown [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Sent: Wednesday, December 20, 2000 7:52 PM
> Subject: RE: NT password encryption name service
>
> Using this password as an example (for length and character type), the number of possibilities would be (26 lowercase+26 uppercase+10 numerals+6 special characters)^8 (assuming that the period at the end of the sentence isn't part of the password). This is a total of 457,163,239,653,376 possibilities (compare this with DES encryption at 56-bit which we all know can be brute forced at 72,057,594,037,927,936 possibilities). If you have the period at the end: 2^54 < 68^9 < 2^55 possibilities. Better but still fewer possibilities than 56-bit encryption...
>
> Chris
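The split-hash arithmetic argued over in this thread, worked through as an added Python example (not from the thread): the LM hash treats a password as two independent 7-character upper-cased halves, so the candidate counts for the halves add rather than multiply, and the 8th to 14th characters buy far less than they appear to. The 74-character set is the thread's; because LM folds case, a count for a real LM attack would also drop the 26 lowercase letters.

```python
"""Effective keyspace of LAN Manager (LM) versus NT (NTLM) password hashes.

Added example, not from the thread. The charset size 74 follows the thread
(26 + 26 + 10 + 12); since LM upper-cases before hashing, an exact LM count
would use 48 (26 + 10 + 12) instead. Only the split is modelled, not DES."""
from typing import List, Tuple


def lm_halves(password: str) -> Tuple[str, str]:
    """Split a password the way the LM hash does: upper-case it, pad with NULs
    to 14 characters, and cut into two 7-character blocks. Each block is
    DES-encrypted on its own, so each can be attacked on its own."""
    padded = password.upper().ljust(14, "\0")[:14]
    return padded[:7], padded[7:]


def lm_keyspace(length: int, charset: int) -> int:
    """Candidates needed to recover both LM halves of a password of the given
    length: independent halves mean their keyspaces add, not multiply.
    Anything beyond 14 characters is cut off by the LM scheme itself."""
    length = min(length, 14)
    first, second = min(length, 7), max(length - 7, 0)
    total = charset ** first
    if second:
        total += charset ** second
    return total


def ntlm_keyspace(length: int, charset: int) -> int:
    """Candidates for an unsplit hash over the whole password."""
    return charset ** length


def marginal_gain(length: int, charset: int) -> int:
    """Extra candidates bought by one more character under the LM split."""
    return lm_keyspace(length + 1, charset) - lm_keyspace(length, charset)


def comparison_table(charset: int = 74, max_len: int = 14) -> List[Tuple[int, int, int, int]]:
    """Rows of (length, LM keyspace, NTLM keyspace, NTLM/LM ratio)."""
    rows = []
    for n in range(1, max_len + 1):
        lm, nt = lm_keyspace(n, charset), ntlm_keyspace(n, charset)
        rows.append((n, lm, nt, nt // lm))
    return rows


if __name__ == "__main__":
    print(lm_halves("Password123"))   # the two blocks an attacker works on separately
    for n, lm, nt, ratio in comparison_table():
        print(f"{n:2d}  LM {lm:>30,d}  NTLM {nt:>34,d}  NTLM is {ratio:,d}x larger")
```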
iptables Traffic Control
Hi!

I'm trying to set up traffic shaping on my firewall. The firewall is also serving as an ftp-server and is connected to my provider through a DSL link (dynamic IP), 768k down- and 128k upstream.

What I want to do is: Split my (upstream) link in two classes using tc, one with 128k, one with 0k. Mark packets originating from my ftp-server with some value and install a tc filter forcing all ftp-traffic to go through the 0k link, so downloads will never take away bandwidth I need for myself, but will be able to borrow unused bandwidth.

My first thought was to use the source ports for marking, but locally generated packets of course use the same ports as passive ftp. Second try: use the connection tracking and state modules and mark packets matching --state RELATED. I tried marking them in the OUTPUT chain of the mangle table, which worked, but only marked the first packet of a connection.

Has anyone got some suggestions?

Thanks,
Patrick McHardy
RE: Firewall Load-balancing/Redundancy
You also may want to take a look at Fore/Marconi ESX/NSX FSA (firewall switching agent), which does load balancing of all IP traffic over three FWs (Checkpoint or Gauntlet). Can be used with gig and offers fastpath with TCP traffic.

-----Original Message-----
From: Jeff Deitz [mailto:[EMAIL PROTECTED]]
Sent: 05 February 2001 20:20
To: 'Wimmer, Neil T.'
Cc: '[EMAIL PROTECTED]'
Subject: RE: Firewall Load-balancing/Redundancy

You might want to also look at the Radware Fireproof solution. It was one of the first to be Checkpoint OPSEC certified, I believe. The problem is that it is located on the high availability hot standby section and not the load balance like it should be. They used to just have 4 interfaces but are now up to 10, with 2 of the interfaces at GB speed.

-----Original Message-----
From: Wimmer, Neil T. [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 05, 2001 8:55 AM
To: [EMAIL PROTECTED]
Subject: Firewall Load-balancing/Redundancy

I was wondering what other people's experience has been with Rainfinity's Rainwall product. We chose it at the time because it could handle more than two interfaces on a firewall. We tried implementing version 1.5 and seem to be having problems making it work with NAT. They have acknowledged a bug they're working on now. Today I know both Cisco's Arrowpoint and Foundry Network's ServerIron are supposed to do more than two interfaces. Does anyone have experience and comments on either Cisco or Foundry's solution?

Thanks,
Neil.

Neil Wimmer
Mayo Clinic
200 1st SW
Rochester, MN 55905
[EMAIL PROTECTED]
507.284.8047
using IPCHAINS to route to internal web server(newbie)
Hello,

I'm fairly new at setting up ipchains to firewall a connection and have had great luck with routing from inside to the internet, but after looking at the man pages and the HOWTOs I can't figure out how to route incoming packets to my internal web server using port numbers. I am wondering if I need to edit my services file to allow connections to a certain port to enable ipchains to route to an internal machine. Any direct or online help would be greatly appreciated.

-Pat Orzechowski
CCNA
Re: URL Screening
We use Websense on our network and have been for almost 3 years - and we are running a PIX firewall. Websense is very easy to set up, very easy to customize, scalable, and works perfectly for our situation. It can also be very expensive - we purchased a 2 year license for Websense for about $20,000 and got a 3rd year free - total cost for 3 years was $20,000. At the end of our contract in June, the cost will go up to $4.00 per seat, which will mean about $120,000 per year for us. But I must say that there is nothing else out there that compares with Websense - it is an excellent piece of software.

----- Original Message -----
From: "Don Drocca" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, March 01, 2001 4:32 PM
Subject: URL Screening

Does anyone know of an addon URL screening device/software that can be added behind a PIX?
Re: Firewalls-Digest V8 #1578
----- Original Message -----
From: "Firewalls-Digest" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, April 04, 2001 4:00 AM
Subject: Firewalls-Digest V8 #1578

Firewalls-Digest Wednesday, April 4 2001 Volume 08 : Number 1578

In this issue:
ACL
RE: ACL
RE: ACL

See the end of the digest for information on subscribing to the Firewalls or Firewalls-Digest mailing lists and on how to retrieve back issues.

------------------------------

Date: Wed, 4 Apr 2001 11:54:22 -0700
From: "rym" [EMAIL PROTECTED]
Subject: ACL

Hi guys, I know this is too easy for you guys. But I'm wondering how to enable our client to use mIRC with this simple access list below.

    access-list 101 permit tcp any 203.167.2.0 0.0.0.255 eq
    access-list 101 permit tcp any 203.167.2.0 0.0.0.255 eq ftp
    access-list 101 permit tcp any 203.167.2.0 0.0.0.255 eq smtp
    access-list 101 permit tcp any 203.167.2.0 0.0.0.255 eq domain
    access-list 101 permit tcp any 203.167.2.0 0.0.0.255 eq 80
    access-list 101 permit ip any any establish
    access-list 101 permit icmp any any
    access-list 101 deny ip 203.167.2.0 0.0.0.255 any

BTW, my router is a Cisco 2520 running IOS 11.0 (9)

thanks
rym

------------------------------

Date: Tue, 3 Apr 2001 21:43:19 -0700
From: "jeremy cassidy" [EMAIL PROTECTED]
Subject: RE: ACL

allow 6667
most servers are 6667 to 6669
some are 7000

------------------------------

Date: Wed, 4 Apr 2001 15:24:27 +0800
From: [EMAIL PROTECTED]
Subject: RE: ACL

think this site will help you figure out the port number.
www.isi.edu/in-notes/iana/assignments/port-numbers

------------------------------

End of Firewalls-Digest V8 #1578
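To make concrete both Patrick Darden's point (in the "cisco Established keyword" thread above) that "established" only looks at the ACK bit, and the inbound access list posted in this digest, here is an added Python model, not IOS code and not from either thread: it parses a constructed ACL shaped like rym's, evaluates packets against it first-match-wins, and compares the verdict with a minimal connection table of the kind "established" lacks. The inside host 203.167.2.10 and the outside hosts 198.51.100.x are constructed.

```python
"""Toy model of a Cisco-style extended ACL, including the ACK-only test behind
the "established" keyword, beside a minimal connection table. Added example, not
IOS code; ACL text and 198.51.100.x hosts are constructed (see lead-in)."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()  # TCP flags, e.g. {"SYN"} or {"ACK"}

@dataclass
class Rule:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every protocol
    src: IPv4Network | None         # None means "any"
    dst: IPv4Network | None
    dport: int | None               # None means any destination port
    established: bool = False

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        for net, addr in ((self.src, p.src), (self.dst, p.dst)):
            if net is not None and ip_address(addr) not in net:
                return False
        if self.dport is not None and p.dport != self.dport:
            return False
        # "established" tests only the ACK/RST bits; it keeps no record of
        # whether an inside host ever opened the connection.
        return not self.established or (p.proto == "tcp" and bool(p.flags & {"ACK", "RST"}))

def _address(tokens: list) -> IPv4Network | None:
    """Consume 'any' or 'addr wildcard'; the wildcard's zero bits give the prefix."""
    tok = tokens.pop(0)
    if tok == "any":
        return None
    prefix = 32 - bin(int(ip_address(tokens.pop(0)))).count("1")
    return ip_network(f"{tok}/{prefix}", strict=False)

def parse_acl(text: str) -> list:
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        action, proto, rest = t[2], t[3], t[4:]
        src, dst = _address(rest), _address(rest)
        dport = None
        if rest and rest[0] == "eq":
            dport = {"ftp": 21, "smtp": 25, "domain": 53}.get(rest[1]) or int(rest[1])
            del rest[:2]
        rules.append(Rule(action, proto, src, dst, dport, bool(rest) and rest[0] == "established"))
    return rules

def evaluate(rules: list, p: Packet) -> str:
    """First matching entry wins; an extended ACL ends in an implicit deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"

class ConnectionTable:
    """What the ACL lacks: inbound TCP is admitted only as the reverse of a
    connection an inside host opened first (SYN without ACK)."""
    def __init__(self) -> None:
        self.open: set = set()
    def note_outbound(self, p: Packet) -> None:
        if p.proto == "tcp" and "SYN" in p.flags and "ACK" not in p.flags:
            self.open.add((p.src, p.sport, p.dst, p.dport))
    def allows_inbound(self, p: Packet) -> bool:
        return (p.dst, p.dport, p.src, p.sport) in self.open

# Constructed inbound ACL in the shape of the one posted (replies return via "established").
ACL = """
access-list 101 permit tcp any 203.167.2.0 0.0.0.255 eq ftp
access-list 101 permit tcp any 203.167.2.0 0.0.0.255 eq 80
access-list 101 permit tcp any any established
access-list 101 permit icmp any any
access-list 101 deny ip 203.167.2.0 0.0.0.255 any
"""

def demo() -> dict:
    """Verdicts as (ACL action, connection-table decision) for three packets."""
    rules, table = parse_acl(ACL), ConnectionTable()
    inside, irc_server, outsider = "203.167.2.10", "198.51.100.7", "198.51.100.9"
    table.note_outbound(Packet("tcp", inside, 40001, irc_server, 6667, frozenset({"SYN"})))
    irc_reply = Packet("tcp", irc_server, 6667, inside, 40001, frozenset({"ACK"}))
    ack_probe = Packet("tcp", outsider, 40000, inside, 12345, frozenset({"ACK"}))
    syn_probe = Packet("tcp", outsider, 40000, inside, 12345, frozenset({"SYN"}))
    return {
        "irc_reply": (evaluate(rules, irc_reply), table.allows_inbound(irc_reply)),
        "ack_probe": (evaluate(rules, ack_probe), table.allows_inbound(ack_probe)),
        "syn_probe": (evaluate(rules, syn_probe), table.allows_inbound(syn_probe)),
    }
```

The IRC reply passes both checks, the ACK-only packet to a closed port passes the ACL (the weakness Darden describes) but not the table, and the SYN to the same port is refused by both.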
Re: hacked
MegaNet Domainreg. wrote:
> I just got 2 redhat 6.2 machines broken into. Anyone seen this root kit and know what the exploit was? Creates user/group tcp and runs an irc robot (psybnc) among other things. Thanks Paul.

Don't know about the exploit, but you should definitely upgrade the kernel; 2.2.19 is the latest for 2.2.x.

> snip
> Apr 29 07:44:17 noctech2 kernel: Inspecting /boot/System.map-2.2.14-5.0
> Apr 29 07:44:17 noctech2 syslog: klogd startup succeeded
> Apr 29 07:44:18 noctech2 kernel: Loaded 7337 symbols from /boot/System.map-2.2.14-5.0.
> Apr 29 07:44:18 noctech2 kernel: Symbols match kernel version 2.2.14.

Lots of fixes since that version: http://www.linux.org.uk/

-- Patrick Benson
Stockholm, Sweden
Re: packet filtering on nameserver
[EMAIL PROTECTED] wrote:
> Hello list, Quick question... I have recently been noticing large blocks, like the excerpt below, in my logs on one of my nameservers, repeating several times per day. I am packet filtering on the machine (xxx.xxx.xxx.xxx) to restrict traffic from everyone on the internet except those who know about it and should be talking to it. Do these look like attempts to flood/compromise the server? Thanks for any input..
>
> May 3 08:23:41 ns3 kernel: Packet log: input DENY eth0 PROTO=6 216.220.39.42:59010 xxx.xxx.xxx.xxx:53 L=44 S=0x00 I=0 F=0x T=245 (#37)
> May 3 08:23:41 ns3 kernel: Packet log: input DENY eth0 PROTO=6 216.33.35.214:16982 xxx.xxx.xxx.xxx:53 L=44 S=0x00 I=0 F=0x T=241 (#37)
> May 3 08:23:41 ns3 kernel: Packet log: input DENY eth0 PROTO=6 64.37.200.46:28705 xxx.xxx.xxx.xxx:53 L=44 S=0x00 I=0 F=0x T=243 (#37)

They seem to stem from a load balancer that is spewing out unnecessary traffic. This issue has been on the Linux Router Project's mailing list as well; many others from different countries around the world have been getting these in their logs with the same IPs showing up. If they're bugging you, just insert rules for each of them without logging them. You will notice that the SYN flag isn't set at the end of the rule lines...

-- Patrick Benson
Stockholm, Sweden
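The log lines above, parsed with an added Python example (not from the list): it separates ipchains entries carrying the trailing SYN marker from those without, tallies them per source, and generates silent-deny ipchains rules (no -l, so no logging) of the kind Patrick suggests for sources that only ever sent non-SYN TCP to port 53. The first three sample lines reproduce the posted ones with the truncated F= field filled in as 0x0000; the fourth, a SYN from 198.51.100.23, is constructed for contrast.

```python
"""Parse ipchains "Packet log:" lines and separate real connection attempts
(SYN set) from stray non-SYN TCP of the kind the post attributes to a
misbehaving load balancer. Added example, not from the list; sample lines are
constructed in the posted format (server address masked as in the post)."""
import re
from collections import defaultdict

# ipchains appends " SYN" after the TTL only when the SYN bit is set.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\dx.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<ipid>\d+) F=0x(?P<frag>[0-9a-fA-F]*) "
    r"T=(?P<ttl>\d+)(?P<syn> SYN)? \(#(?P<rule>\d+)\)"
)

def parse_line(line: str):
    """Return the fields of one ipchains log line as a dict, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("proto", "sport", "dport", "length", "ipid", "ttl", "rule"):
        d[k] = int(d[k])
    d["syn"] = d["syn"] is not None
    return d

def summarize(lines):
    """Per-source counts of SYN versus non-SYN TCP hits and the ports touched."""
    summary = defaultdict(lambda: {"syn": 0, "non_syn": 0, "ports": set()})
    for line in lines:
        d = parse_line(line)
        if d is None or d["proto"] != 6:      # PROTO=6 is TCP
            continue
        entry = summary[d["src"]]
        entry["syn" if d["syn"] else "non_syn"] += 1
        entry["ports"].add(d["dport"])
    return dict(summary)

def silent_deny_rules(summary, host="xxx.xxx.xxx.xxx", port=53):
    """ipchains rules, without -l, for sources that only ever sent non-SYN TCP to
    the name-server port: drop the noise without filling the log."""
    rules = []
    for src, e in sorted(summary.items()):
        if e["syn"] == 0 and e["ports"] == {port}:
            rules.append(f"ipchains -I input -p tcp -s {src} -d {host} {port} -j DENY")
    return rules

# Constructed sample: three lines as posted (F= field completed), plus one real SYN.
SAMPLE_LOG = """\
May  3 08:23:41 ns3 kernel: Packet log: input DENY eth0 PROTO=6 216.220.39.42:59010 xxx.xxx.xxx.xxx:53 L=44 S=0x00 I=0 F=0x0000 T=245 (#37)
May  3 08:23:41 ns3 kernel: Packet log: input DENY eth0 PROTO=6 216.33.35.214:16982 xxx.xxx.xxx.xxx:53 L=44 S=0x00 I=0 F=0x0000 T=241 (#37)
May  3 08:23:41 ns3 kernel: Packet log: input DENY eth0 PROTO=6 64.37.200.46:28705 xxx.xxx.xxx.xxx:53 L=44 S=0x00 I=0 F=0x0000 T=243 (#37)
May  3 09:02:10 ns3 kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.23:1034 xxx.xxx.xxx.xxx:53 L=60 S=0x00 I=4412 F=0x4000 T=48 SYN (#37)
"""

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    for src, e in sorted(summary.items()):
        print(f"{src:16} SYN={e['syn']} non-SYN={e['non_syn']} ports={sorted(e['ports'])}")
    print("\n".join(silent_deny_rules(summary)))
```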
Placement of NAT in relation to firewall logs
I have seen the scenario where clients insist on doing NAT at the perimeter router. This leads to the firewall being configured with private IP addresses on both its 'external' and 'internal' interfaces. The end result is no way to log or monitor from the firewall any access attempts from public IP address sources. The client insists that this is due to the fact that no one can get through the NAT of the router. I think all that has happened is the masquerading of intrusion attempts by the NAT of the router.

Anyone have any comments regarding the placement of the NAT at the router, on security vs. logging? Any fresh viewpoints would be welcome.

Patrick Kelly
CMS Information Services, Inc.
Re: Allowing outgoing services
Another important point to remember is that any service that is allowed outbound on your firewall will most likely allow the same service inbound as a response to a request from a trusted internal user. Even a seemingly harmless user can create many problems unknowingly.

P

--- [EMAIL PROTECTED] wrote:

OK, this could be a silly question, but it never hurts to ask. (I hope.) Let's say I generally trust all of our internal users. What are the downsides to allowing all services from our internal users going out to the internet? (Of course I would be limiting the incoming services.) Any major problem with this that I am missing? Thanks.

Scott

__ Do You Yahoo!? Yahoo! Auctions - buy the things you want at great prices http://auctions.yahoo.com/
Re: MAD
You need to refine the list of ports that are being scanned. Only set the triggers on ports that are open on your systems; certainly this is not 1000 ports. Also, you should not be so concerned about a particular port being scanned. You should be more worried about one source IP address scanning many ports in a very rapid manner, which would indicate that an attempted attack may be happening (most likely scripted). Until you refine your approach you will be overwhelmed by false positives and useless information.

Helper

--- Eliyah Lovkoff [EMAIL PROTECTED] wrote:

Is there any way to limit the number of e-mails sent by CPMAD as a result of port scanning? As far as I understand, for each port that is scanned CPMAD sends an e-mail notification. So if 1000 ports are scanned then I receive 1000 e-mails... not a very good situation.
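As an added example for this thread (my code, not Check Point's CPMAD), here is the aggregation the reply describes: events on ports that are not listening are ignored, and one source probing several listening ports inside a short window produces a single alert instead of one mail per port. The open-port set, the threshold and the traffic are assumptions made up for the demonstration.

```python
"""One alert per scanning source instead of one notification per port.

Added example for the CPMAD thread; not Check Point code.  It models the two
pieces of the reply: trigger only on ports that are open on your systems, and
alert on one source probing many ports quickly, rather than once per port."""
from collections import defaultdict, deque

# Assumed: the ports actually listening on the protected hosts.
OPEN_PORTS = {22, 25, 53, 80, 443}


class ScanDetector:
    def __init__(self, open_ports=OPEN_PORTS, threshold=3, window=10.0):
        self.open_ports = set(open_ports)
        self.threshold = threshold          # distinct listening ports from one source ...
        self.window = window                # ... inside this many seconds
        self.events = defaultdict(deque)    # src -> (ts, dport) pairs inside the window
        self.last_alert = {}                # src -> timestamp of the last alert sent

    def observe(self, ts, src, dport):
        """Feed one rejected connection attempt; return an alert text or None."""
        if dport not in self.open_ports:
            return None                     # noise on closed ports never pages anyone
        q = self.events[src]
        q.append((ts, dport))
        while q and ts - q[0][0] > self.window:
            q.popleft()                     # slide the window forward
        probed = {p for _, p in q}
        if len(probed) < self.threshold:
            return None
        last = self.last_alert.get(src)
        if last is not None and ts - last <= self.window:
            return None                     # this burst has already been reported
        self.last_alert[src] = ts
        return f"{src} probed {len(probed)} listening ports within {self.window:g}s: {sorted(probed)}"


def run_sample():
    """Constructed traffic: one host sweeps ports 1-1000 in two seconds,
    another host makes a single stray connection attempt.  Returns the
    number of events fed in and the alerts that came out."""
    det = ScanDetector()
    events = [(i * 0.002, "198.51.100.23", i) for i in range(1, 1001)]
    events.append((5.0, "203.0.113.8", 80))
    alerts = [a for a in (det.observe(*e) for e in events) if a]
    return len(events), alerts


if __name__ == "__main__":
    n, alerts = run_sample()
    print(f"{n} events -> {len(alerts)} alert(s)")
    for a in alerts:
        print(" ", a)
```

The sweep touches 1000 ports but only five of them are listening, and the detector reports the source once, after the third listening port, then stays quiet for the rest of the window. Raising the threshold or widening the window trades detection speed for fewer mails; keeping the open-port list accurate is what removes most of the noise.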
Re: f**k USA government f**k poizonbox
Any network person whose systems were compromised in the last round of these attacks IS lucky!! Lucky they have jobs at all; the security patches for this vulnerability had been out forever. Tsk, tsk to anyone irresponsible enough to overlook the obvious. Also, if your system was compromised and you don't rebuild the box in question, I wish you luck!! :(

--- Devin L. Ganger [EMAIL PROTECTED] wrote:

On Fri, May 25, 2001 at 02:13:14PM -0700, Eric Robinson wrote:

In an ideal world, I suppose we would have time to conduct an exhaustive forensic analysis of each of the 9000+ affected systems.

Nope. That's where the risk analysis comes in. How much risk will I be at, versus the amount of labor invested?

Full analysis + actions indicated: low risk, extremely high labor.
No analysis, rebuild system: low risk, moderate labor.
Light analysis, plug holes: unknown risk, low labor.

We plugged the hole and moved on. Twenty days later, still no apparent problem or strange activity on the server. No exhaustive analysis performed. No hard drive reformatted. No time wasted.

This time. Until the black hats get smarter than your instinct.

-- Devin L. Ganger [EMAIL PROTECTED]
find / -name *base* -exec chown us:us {} \;
su -c someone 'export UP_US=thebomb'
for f in great justice ; do sed -e 's/zig//g' $f ; done
Re: Penetrating a NAT
Which security experts?? I would like names so I never make the mistake of consulting with them.

--- Steve Riley (MCS) [EMAIL PROTECTED] wrote:

Some security experts claim that NAT could be used as a firewall (or let's say, some means of hiding the internal network). I have a question about that. The assumption is that no packets could be sent directly from the Internet to clients behind NAT. However, imagine this scenario and tell me whether it's feasible.

- ClientA (IP 10.10.10.10) sends a request to ServerA (100.100.100.100). Ports are TCP/2000 and TCP/80 respectively.
- NATA (assuming that it's ClientA's edge router) changes the IP from 10.10.10.10 to 200.200.200.200 and the source port from TCP/2000 to TCP/5000. Of course, it recomputes the TCP checksum and all the other headers, registers this in its connection table, and routes the packet to ServerA.
- ClientB sniffs the channel and finds out that NATA is sending traffic to ServerA on port TCP/80 with a source port of TCP/5000.
- ClientB inspects the payload, looks at the HTTP headers, and finds that the sender is using BrowserX, which has a flaw that could allow malicious code to crash the machine.
- ClientB sends a packet (note: no address crafting, yet) that contains the malicious code to NATA with source port TCP/80 and dest port TCP/5000.
- ClientB waits for a while, sniffs the channel, and finds out that NATA is still routing traffic sent to ServerA on port TCP/80 and source port TCP/5000. However, ClientB wants to make sure that this is not for another client, inspects the TCP headers going to ServerA, and finds out that there was no TCP SYN after he sent his malicious packet containing that hostile code. Therefore, ClientA didn't crash and the NAT protected it.
- ClientB concludes that NATA was smart enough to include the destination address in the connection table, and it was not routing inside according to port translation alone.
- ClientB spoofs ServerA's IP, and this time sends his same packet containing the hostile code, using ServerA's address as the source.
- ClientB is still monitoring the channel, but now there's no more traffic from NATA to ServerA on TCP/5000 and TCP/80. He feels joy, as he hacked ClientA, supposedly protected by a NAT machine and a non-routable address.

My question is, could this scenario happen in the real world? Sure seems plausible to me.

___
Steve Riley
Microsoft Telecommunications Consulting in Denver, Colorado
[EMAIL PROTECTED] +1 303 521-4129 (mobile)
[EMAIL PROTECTED] (MSN Messenger)
www.microsoft.com/ISN/tech_columnists.asp#2
Applying computer technology is simply finding the right wrench to pound in the correct screw.
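The scenario above, replayed as an added example (not code from any poster or product). Two translation-table policies are modelled: one that maps inbound packets back inside by the translated port alone, and one that also requires the outside peer's address and port to match the entry the outbound packet created. Addresses are the ones in the post; 198.51.100.9 is assumed for ClientB.

```python
"""Replay the NAT scenario from the thread against two translation-table
policies.  Added example, not code from any NAT product; addresses are the
ones used in the post plus an assumed 198.51.100.9 for ClientB."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: str = ""


class Nat:
    """Many-to-one NAT.  'port_only' maps an inbound packet back inside by its
    destination (translated) port alone; 'full_tuple' also requires the outside
    peer's address and port to match the entry created by the outbound packet."""

    def __init__(self, public_ip, policy):
        assert policy in ("port_only", "full_tuple")
        self.public_ip = public_ip
        self.policy = policy
        self.table = {}          # translation key -> (inside ip, inside port)
        self.next_port = 5000    # first translated source port, as in the post

    def _key(self, ext_port, peer_ip, peer_port):
        if self.policy == "port_only":
            return ext_port
        return (ext_port, peer_ip, peer_port)

    def outbound(self, pkt):
        """Translate an inside->outside packet and record the mapping."""
        ext_port = self.next_port
        self.next_port += 1
        self.table[self._key(ext_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=ext_port)

    def inbound(self, pkt):
        """Return the packet as delivered inside, or None if the NAT drops it."""
        entry = self.table.get(self._key(pkt.dport, pkt.src, pkt.sport))
        if entry is None:
            return None
        inside_ip, inside_port = entry
        return replace(pkt, dst=inside_ip, dport=inside_port)


CLIENT_A, SERVER_A = "10.10.10.10", "100.100.100.100"
NAT_A, CLIENT_B = "200.200.200.200", "198.51.100.9"


def run_scenario():
    """For each policy: does ClientB's packet reach ClientA when sent from
    ClientB's own address, and when the source is spoofed as ServerA?"""
    results = {}
    for policy in ("port_only", "full_tuple"):
        nat = Nat(NAT_A, policy)
        out = nat.outbound(Packet(CLIENT_A, 2000, SERVER_A, 80, "GET / HTTP/1.0"))
        assert (out.src, out.sport) == (NAT_A, 5000)
        # ClientB's first try: its own address, source port 80, dest port 5000.
        unspoofed = Packet(CLIENT_B, 80, NAT_A, out.sport, "hostile")
        # Second try: the same packet with ServerA's address as the source.
        spoofed = Packet(SERVER_A, 80, NAT_A, out.sport, "hostile")
        results[policy] = {
            "unspoofed_delivered": nat.inbound(unspoofed) is not None,
            "spoofed_delivered": nat.inbound(spoofed) is not None,
        }
    return results


if __name__ == "__main__":
    for policy, r in run_scenario().items():
        print(policy, r)
```

Both policies deliver the spoofed packet: a translation table matches on addresses and ports, and the spoofed packet matches all of them. What this model leaves out, and what a stateful filter adds on top of translation, is tracking of TCP sequence and acknowledgement numbers, so that a blind segment with an out-of-window sequence number is dropped. Whether a particular NAT box does that is a property of the product, not of NAT as such, which is the point the rest of this thread argues over.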
Re: PIX conduits to ACL
Since you are looking for a script to accomplish this task as opposed to just making the changes manually, which would be easily done in Notepad and then applied to the PIX: unless using conduits is posing a problem for you, the upgraded PIX OSs still support conduits and you can use ACLs on the same PIX. If making the conversion from conduits to ACLs has prompted you to look for an effortless way to accomplish the task, not converting the conduits requires less effort than any solution available.

--- Jason Lewis [EMAIL PROTECTED] wrote:

Anyone know of a tool to convert conduits to ACLs? Progs, scripts, etc...

Jason Lewis
http://www.packetnexus.com
It's not secure because they told me it was secure. The people at the other end of the link know less about security than you do. And that's scary.
RE: Penetrating a NAT
If your only tool is a hammer, then every problem becomes a nail.

--- Ben Nagy [EMAIL PROTECTED] wrote:

-Original Message-
From: Michael Batchelder [mailto:[EMAIL PROTECTED]]
Sent: Saturday, June 02, 2001 1:03 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: Penetrating a NAT

[Steve Riley] Some security experts claim that NAT could be used as a firewall (or let's say, some means of hiding the internal network).

[Michael Batchelder] No security expert I know would assert such a thing. If they did, I'd give their title an instant expertectomy.

[Ben Nagy] D'oh. Guess I was never an expert, then. [...] My claim remains that NAT can provide about as much protection as a dumb stateful packet filter.

I was taking issue with the part of the sentence that said NAT could be used as a firewall. That is not, at face value, equivalent to the above statement you subsequently made that NAT can provide about as much protection as a dumb stateful packet filter, even with the posit that you and Steve both made that the NAT *implementation* not allow connections from the outside.

People use dumb stateful packet filters as firewalls all the time - standard IOS ACLs and ipchains being the worst offenders. What _I'm_ taking issue with is people (and don't take this as a personal insult) making knee-jerk remarks about the security or otherwise of certain solutions which are, IMNSHO, wrong. I hear that NAT one quite a lot. I haven't yet recanted on my claim above, and I've made it a lot of times. I would hate to think that somewhere out there is someone who read all the rhetoric that flew around on this thread and decided that I was a moron and knew nothing about security. Let me be frank - NAT _can_ be used as a firewall. Take a good look at a PIX one day. Sure, it does some tricks, but the core of the device is built for NAT. Although I always use filters for IOS firewalls, they're only there as defense in depth, double-check type things, and don't really add anything to the security.

[...] Now, if you want to add another posit/given/assumption/whatever that the NAT *implementation* also groks multi-connection protocols like FTP, then you've essentially created a stateful packet filter. If you add this posit, his and your statements become equivalent, and I agree with you that you get the same effect as a dumb stateful packet filter. But that's going very far afield to *define* all that as NAT, and I would then disagree with you on that semantic point...

I don't actually care much for active FTP, so I'm happy to have my imaginary site use passive FTP and not know about real FTP. It's more secure that way, anyway.

Moreover, my post was arguing (perhaps not explicitly enough) in practical terms against using NAT in this way, as a matter of Expert Security Guy practice. If you had clients to firewall, and your customer's only requirement was for them to be protected while only they initiate connections, would you take your Check Point, PIX, or whatever, and simply set up the many-to-1 NAT, an any-any-any-permit rule, and be done with it?

Uh, a PIX is a bad example - that's actually exactly what you'd do. 8) Your point, however, is perfectly valid and quite correct. Defense in depth is a good principle for this sort of thing. Bear in mind, though, that the whole point of defense in depth is to cover you against things that can't happen in theory. That makes defense in depth just as important whether your primary barrier is NAT or a FW-1.

[...] IOW, you may be able to drive nails with your forehead, a dead cat, or last month's half-eaten baguette, but why not use the hammer lying next to you?

Michael

Sometimes all you have is that cat. A realistic and accurate assessment of the security of any solution is critical. Anti-NAT propaganda makes it less likely that assessments will be accurate. This is me saying that NAT is very secure - it's me saying that it's more secure than many people claim.

Cheers,
-- Ben Nagy
Network Security Specialist
Marconi Services Australia Pty Ltd
Mb: +61 414 411 520
PGP Key ID: 0x1A86E304
Re: IPCHAINS not Logging correctly
David Ishmael wrote:

I've got ipchains running on one of the local Linux servers and have all denied packets being logged. The logs look like:

kernel: ll header: ff ff ff ff ff ff 00 a0 c9 06 37 1c 08 00

I know I've seen this before but can't remember what the workaround for it was.

A machine which has the MAC address 00:a0:c9:06:37:1c is sending out broadcasts, ff ff ff ff ff ff, across your network. Just try and track down the machine with that MAC address. If you use the iproute2 package you will receive an extra line with the sender's and recipient's IP in hex format, with the interface, eth0, eth1, etc., that's getting hit. Commonly known as martian sources. A common problem related to this is the misconfiguration of ethernet cards with multiple interfaces, if you use a cable modem and receive these types of messages from misconfigured machines on the ISP's network from other users, and so forth.

-- Patrick Benson
Stockholm, Sweden
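An added example (mine, not any poster's) that decodes both ipchains log formats quoted on this page: the "Packet log:" lines from the nameserver thread earlier and the "ll header:" line above. It reports whether SYN was set, groups the denied packets per source, splits the Ethernet header into destination MAC, source MAC and EtherType, and emits the non-logging ipchains rules the nameserver reply suggests. The sample lines are constructed from the quoted ones, with the masked nameserver address replaced by 192.0.2.10, the fragment field restored, and one ordinary SYN from an assumed 198.51.100.7 added for contrast.

```python
"""Decode the two ipchains kernel log formats quoted on this page:
'Packet log:' lines and 'll header:' lines.  Added example, not list code."""
import re
from collections import defaultdict

# "Packet log:" lines as the 2.2 kernel's ipchains code prints them.  The
# " SYN" token appears only when the TCP SYN flag is set, which is the detail
# the nameserver reply points at.  F= may be empty so that lines whose
# fragment field was lost in copying (as in the quoted excerpt) still parse.
PACKET_LOG = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.x]+):(?P<dport>\d+) L=(?P<length>\d+) "
    r"S=0x(?P<tos>[0-9A-Fa-f]+) I=(?P<ipid>\d+) F=0x(?P<frag>[0-9A-Fa-f]*) "
    r"T=(?P<ttl>\d+)(?P<syn> SYN)? \(#(?P<rule>\d+)\)"
)

# "ll header:" lines carry the first 14 bytes of the Ethernet frame:
# destination MAC (6), source MAC (6), EtherType (2).
LL_HEADER = re.compile(r"ll header: ((?:[0-9A-Fa-f]{2} ){13}[0-9A-Fa-f]{2})")


def parse_packet_log(line):
    """Return the fields of one 'Packet log:' line, or None if it is not one."""
    m = PACKET_LOG.search(line)
    if m is None:
        return None
    d = m.groupdict()
    return {
        "chain": d["chain"], "verdict": d["verdict"], "iface": d["iface"],
        "proto": int(d["proto"]), "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]), "length": int(d["length"]),
        "ttl": int(d["ttl"]), "syn": d["syn"] is not None, "rule": int(d["rule"]),
    }


def parse_ll_header(line):
    """Split an 'll header:' dump into MACs and EtherType; flag broadcasts."""
    m = LL_HEADER.search(line)
    if m is None:
        return None
    octets = m.group(1).lower().split()
    return {
        "dst_mac": ":".join(octets[0:6]),
        "src_mac": ":".join(octets[6:12]),
        "ethertype": int("".join(octets[12:14]), 16),   # 0x0800 is IPv4
        "broadcast": octets[0:6] == ["ff"] * 6,
    }


def summarize(lines):
    """Per source IP: TCP packets seen, how many carried SYN, ports hit."""
    stats = defaultdict(lambda: {"packets": 0, "syn": 0, "dports": set()})
    for line in lines:
        p = parse_packet_log(line)
        if p is None or p["proto"] != 6:
            continue
        s = stats[p["src"]]
        s["packets"] += 1
        s["syn"] += int(p["syn"])
        s["dports"].add(p["dport"])
    return dict(stats)


def quiet_deny_rules(stats, dst):
    """ipchains rules that drop each noisy source without -l (no logging),
    inserted at the head of the input chain so they match before the
    logging rule (#37 in the quoted excerpt)."""
    rules = []
    for src in sorted(stats):
        for dport in sorted(stats[src]["dports"]):
            rules.append(f"ipchains -I input 1 -p tcp -s {src} -d {dst} {dport} -j DENY")
    return rules


# Constructed sample: two sources from the quoted excerpt (fragment field
# restored, masked nameserver address replaced by 192.0.2.10), one ordinary
# SYN from an assumed host, and the "ll header" line from this thread.
SAMPLE = [
    "May  3 08:23:41 ns3 kernel: Packet log: input DENY eth0 PROTO=6 "
    "216.220.39.42:59010 192.0.2.10:53 L=44 S=0x00 I=0 F=0x0000 T=245 (#37)",
    "May  3 08:23:41 ns3 kernel: Packet log: input DENY eth0 PROTO=6 "
    "216.33.35.214:16982 192.0.2.10:53 L=44 S=0x00 I=0 F=0x0000 T=241 (#37)",
    "May  3 08:23:42 ns3 kernel: Packet log: input DENY eth0 PROTO=6 "
    "198.51.100.7:3312 192.0.2.10:53 L=60 S=0x00 I=23581 F=0x4000 T=52 SYN (#37)",
    "May  3 08:23:42 ns3 kernel: ll header: ff ff ff ff ff ff 00 a0 c9 06 37 1c 08 00",
]

if __name__ == "__main__":
    for src, s in summarize(SAMPLE).items():
        print(f"{src}: {s['packets']} packets, {s['syn']} with SYN, ports {sorted(s['dports'])}")
    for line in SAMPLE:
        h = parse_ll_header(line)
        if h:
            print("frame:", h)
    print("\n".join(quiet_deny_rules(summarize(SAMPLE[:2]), "192.0.2.10")))
```

Run against the real syslog (`parse_packet_log` over each line of /var/log/messages) the summary shows at a glance which sources never send SYN, which is what separates the load-balancer probes from real connection attempts; the generated rules only silence the logging, they do not change what is accepted.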
Re: Encryption vs. inspection.
--- Steve Riley (MCS) [EMAIL PROTECTED] wrote:

I think we all here agree that encryption is a good thing. I won't preach to the choir by enumerating the reasons. But what about when encryption prevents legitimate inspection?

If you are speaking of a VPN, encryption and authentication typically are first in a firewall's rule base, which means that arriving packets are first decrypted and then inspected by the firewall just like any other packet.

This has been on my mind lately, and I'll admit that I haven't really figured out yet where I stand, if indeed it's even possible to choose sides. Consider a web server. Normally, the site can be quite well secured with various combinations of firewalls, intrusion detection, and content inspection. ISA Server's HTTP filter is quite good at this. The site can know what's coming in and going out, and take appropriate action based on what it sees. But what if, instead of regular in-the-clear HTTP, the traffic is SSL? Now you've just gotten around the firewall and the IDS: there's no way to know what's passing through.

The firewall may be set to allow port 443 but will probably also be set for port 80 HTTP. This is a non-issue. If someone develops an exploit that attacks web servers through port 80 or 443, and the web servers have to have these ports open to function, what difference would it make if the traffic was encrypted or not? The latest round of F usa hacks had nothing to do with firewalls or IDSs; it had to do with lazy administrators and servers that had to allow this inbound traffic to do their job. Even if the firewall inspected the hell out of the traffic it still would have let it through, because when it passed the firewall it was nothing more than an HTTP request. If the box wasn't patched it wouldn't matter if you detected the attack; the damage was immediate. And you would certainly be able to determine what is passing through. The holder of the private cert key is YOU; the public key is what is used by those visiting the site. Wouldn't all traffic become deciphered through the use of the two keys (public, private)? Hackers will always find a way, but at least with the IDS and firewall you can begin to track and understand the nature of successful hacks. The server accepts the traffic and does whatever it's told.

Would the following not-entirely-well-considered rumination be a possible scenario? An attacker uses an SSL-enabled tool to compromise a web server. This tool just happens to exploit the latest discovered vulnerability. The server, unfortunately, hasn't yet been patched. The tool uses SSL to get past firewalls and IDSs, and that's the key, since the site's network has an IDS that would have been triggered had the tool used clear-text HTTP.

But if the servers were not patched, you may have seen it happen but it still happened!! It would not have been detected until the signatures for this exploit (IIS) were defined. Before that it would have passed through like a cool breeze. If someone develops a successful exploit using SSL then the IDS signature will soon reflect this fact and the IDS will detect the hack, not stop it. Until it is a known vulnerability the IDS will not help, unless a great analyst is at the wheel.

control of one box, and can use it to compromise the entire network -- all over SSL and practically invisible to the watchers. I'm curious to know how others have approached the intersection of the seemingly incompatible technologies of encryption and inspection. Is IDS really all that useful, for example? Is it best to put SSL web servers in a separate subnet, kept apart from the rest of the DMZ by yet another firewall? Hardware accelerators (and even ISA) can decrypt then re-encrypt traffic, but wouldn't this appear to break the chain of trust, since I as a user don't know that an intermediate device -- rather than the destination web server -- is actually decrypting the traffic? Does the desire to know everything going in and out of my network mean that I should block all IPSec?

NO! IPSEC traffic is decrypted then inspected!!

___
Steve Riley
Microsoft Telecommunications Consulting in Denver, Colorado
[EMAIL PROTECTED] +1 303 521-4129 (mobile)
[EMAIL PROTECTED] (MSN Messenger)
www.microsoft.com/ISN/tech_columnists.asp
Applying computer technology is simply finding the right wrench to pound in the correct screw.
Re: WatchGuard FireBox II
Bad implementation of IPSEC (RUVPN)
WebBlocker engine is weak
Proxied services are prone to failure
No double password verification
GPM constantly crashes and is the only easy way to manage the firewall
Watchguard support is weak

--- David Ishmael [EMAIL PROTECTED] wrote:

Hey all, Anyone out there had any experience with WatchGuard FireBox II, specifically problems or comments on the firewall?

David Ishmael, CCNA, IVCP
Senior Network Management Engineer
Windward Consulting Group, Inc.
Phone: (703) 283-7564 Pager: (888) 910-7094 eFax: (425) 969-4707 Fax: (703) 351-9428
mailto:[EMAIL PROTECTED]
Re: ICMP packets and Firebox II
There is no mechanism to stop a DoS attack on the Firebox. Actually, on most firewalls a true DoS attack is impossible to stop. Have your firewall admin allow the ICMP packets inbound from only that mail server (host). I doubt if your ISP will launch a DoS attack against you; even if they did, you would be helpless against it.

--- Barry George [EMAIL PROTECTED] wrote:

Hi All, We have a Firebox II set up stopping most of what we don't want. Everything has been running nicely, then our city-run ISP installed a new mail server. We found that mail from its domain was being slowed down or blocked. On inspection it turns out that our firewall was being hit constantly by their mail server, destined for our mail server. Seems they are sending ICMP packets for PMTU discovery, so the Firebox sees these ICMP packets as a possible DoS attack and locks out the domain. Seems the frequency has increased to several packets per second at worst. The ISP says they are just following standard RFC1191 protocols, but something has to have changed as we haven't had this problem before. If we let these through to our mail server are we opening ourselves up to attack? Sorry, I don't directly configure the Firebox myself so I'm not sure what config. capabilities it has. I'd appreciate any discussion on this.

Barry
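As an added example for this thread (a model, not Firebox configuration), an inbound ICMP policy that does what the reply suggests: RFC 1191 "fragmentation needed" messages from the ISP's mail server to our mail server always pass, and every other ICMP source gets a per-source token bucket rather than a domain-wide lockout. Addresses, rate and burst are assumptions.

```python
"""Inbound ICMP policy for the Firebox/PMTU situation: pass RFC 1191
"fragmentation needed" messages from the ISP's mail server to our mail
server without limit, and rate-limit other ICMP per source instead of
locking out a whole domain.  Added example, a model rather than Firebox
configuration; all addresses are assumed."""
from collections import defaultdict

ICMP_DEST_UNREACH = 3
CODE_FRAG_NEEDED = 4        # "fragmentation needed and DF set", RFC 1191


class TokenBucket:
    """Classic token bucket: 'rate' tokens per second, at most 'burst' stored."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def take(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class IcmpPolicy:
    def __init__(self, pmtu_peers, mail_server, rate=1.0, burst=3):
        self.pmtu_peers = set(pmtu_peers)    # hosts allowed unlimited PMTU messages
        self.mail_server = mail_server
        self.rate, self.burst = rate, burst
        self.buckets = defaultdict(lambda: TokenBucket(self.rate, self.burst))

    def decide(self, now, src, dst, icmp_type, icmp_code):
        """Return 'ACCEPT' or 'DROP' for one inbound ICMP message."""
        if ((icmp_type, icmp_code) == (ICMP_DEST_UNREACH, CODE_FRAG_NEEDED)
                and src in self.pmtu_peers and dst == self.mail_server):
            return "ACCEPT"      # needed for PMTU discovery to keep working
        # Everything else is rate-limited per source; excess is silently dropped
        # rather than the source (let alone its domain) being locked out.
        return "ACCEPT" if self.buckets[src].take(now) else "DROP"


ISP_MAIL, OUR_MAIL, STRANGER = "203.0.113.25", "192.0.2.25", "198.51.100.77"


def run_sample():
    """Constructed traffic: 20 PMTU messages from the ISP mail server and 20
    echo requests from an unrelated host, each burst spread over 5 seconds.
    Returns how many of each were accepted."""
    pol = IcmpPolicy(pmtu_peers=[ISP_MAIL], mail_server=OUR_MAIL)
    pmtu = [pol.decide(i * 0.25, ISP_MAIL, OUR_MAIL, 3, 4) for i in range(20)]
    echo = [pol.decide(i * 0.25, STRANGER, OUR_MAIL, 8, 0) for i in range(20)]
    return pmtu.count("ACCEPT"), echo.count("ACCEPT")


if __name__ == "__main__":
    pmtu_ok, echo_ok = run_sample()
    print(f"PMTU from ISP mail server: {pmtu_ok}/20 accepted")
    print(f"echo from stranger:        {echo_ok}/20 accepted")
```

The exemption is keyed on the source address, and ICMP is trivially spoofable, so it should stay as narrow as here (one peer, one destination, one type/code) rather than "ICMP from anywhere to the mail server"; with the assumed bucket of one token per second and a burst of three, the stranger's 20 packets get 7 through and the rest are dropped without any log storm.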
Re: ICMP packets and Firebox II
A DoS attack is based on making more requests than the device receiving the requests can handle. A true attack is launched from many locations at the same time and can cripple nearly any network device that is involved on the receiving end. When traffic is disallowed by the firewall, the firewall still has to determine that it is not allowed (whether by default as you say or not), so enough of this rejected traffic can still bring you down. Also, typically a DoS attack is launched against web servers in a DMZ that must allow HTTP (80) to function. The chances of someone launching a DoS attack on just any old firewall or web server are slim to none; what fun would that be? Everybody wants to bring down the big guys. Checkpoint, the leading firewall in the industry, has attempted to develop their software (SYNDefender) to stop DoS attacks, and in real world tests it failed miserably. Remember: syn, syn/ack, ack.

--- Zachary Uram [EMAIL PROTECTED] wrote:

So then the firewall is totally helpless to a DoS attack? That sounds really bad; there must be some way around this, such as all packets being encrypted to you and ignored by default.

On Thu, 7 Jun 2001, patrick kerry wrote:

There is no mechanism to stop a DoS attack on the Firebox. Actually, on most firewalls a true DoS attack is impossible to stop. Have your firewall admin allow the ICMP packets inbound from only that mail server (host). I doubt if your ISP will launch a DoS attack against you; even if they did, you would be helpless against it.

--- Barry George [EMAIL PROTECTED] wrote:

Hi All, We have a Firebox II set up stopping most of what we don't want. Everything has been running nicely, then our city-run ISP installed a new mail server. We found that mail from its domain was being slowed down or blocked. On inspection it turns out that our firewall was being hit constantly by their mail server, destined for our mail server. Seems they are sending ICMP packets for PMTU discovery, so the Firebox sees these ICMP packets as a possible DoS attack and locks out the domain. Seems the frequency has increased to several packets per second at worst. The ISP says they are just following standard RFC1191 protocols, but something has to have changed as we haven't had this problem before. If we let these through to our mail server are we opening ourselves up to attack? Sorry, I don't directly configure the Firebox myself so I'm not sure what config. capabilities it has. I'd appreciate any discussion on this.

Barry

[EMAIL PROTECTED]
Blessed are those who have not seen and yet have faith. - John 20:29
Re: FW1 is letting the traffic out but not the port starts 'listening'....
Is the any-any-any rule in both directions?? What are you seeing in the logs when you attempt to make these connections?? Please provide more information for a specific fix to your problem.

PK

--- Patrick James [EMAIL PROTECTED] wrote:

Hi, I have a FW1 version 4.1 SP2 installation on WinNT 4.0 SP6. My network is a simple one where I have a couple of servers on the LAN and a router; the FW1 pretty much sits between the LAN servers and the router. I configured the proper NAT and security policy settings, absolutely no problem with that. The firewall's SMTP port is not 'listening' on behalf of the internal Exchange mail server even though I statically NAT-ed it with a global IP address. I tried telnet-ing to it, but it doesn't go through, yet I can browse from this Exchange server. I could even telnet to port 25 of the DMZ NIC card of the Exchange server, showing the service is running perfectly. I can see the mails flowing out of my network to hotmail.com but not the other way. The current security policy is 'all-all-all'. Any helpers please, thanks.

James

_ Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.
FW1 is letting the traffic out but not the port starts 'listening'....
Hi, I have a FW1 version 4.1 SP2 installation on WinNT 4.0 SP6. My network is a simple one where I have a couple of servers on the LAN and a router; the FW1 pretty much sits between the LAN servers and the router. I configured the proper NAT and security policy settings, absolutely no problem with that. The firewall's SMTP port is not 'listening' on behalf of the internal Exchange mail server even though I statically NAT-ed it with a global IP address. I tried telnet-ing to it, but it doesn't go through, yet I can browse from this Exchange server. I could even telnet to port 25 of the DMZ NIC card of the Exchange server, showing the service is running perfectly. I can see the mails flowing out of my network to hotmail.com but not the other way. The current security policy is 'all-all-all'. Any helpers please, thanks.

James
RE: FW1 is letting the traffic out but not the port starts 'liste ning'....
Richard, I am doing a manual static NAT (also tried with auto static NAT before). The global IP address of the outer NIC card of the FW is not the same as the NAT-ed IP address of the Exchange server. I created a local.arp file and also did 'route add' with the '-P' option. Tell me where the problem should be. Thanks.

James

From: Richard Pitcock [EMAIL PROTECTED]
To: 'Patrick James' [EMAIL PROTECTED]
Subject: RE: FW1 is letting the traffic out but not the port starts 'liste ning'
Date: Sun, 10 Jun 2001 19:20:33 -0400

Are you doing a static network address translation for the internal Exchange server (as opposed to hidden)? If so, is it an address other than the one you're using for outbound traffic? Do you have the arp entry in FW-1 and the static persistent route statement in NT?

Rich

-Original Message-
From: Patrick James [mailto:[EMAIL PROTECTED]]
Sent: Sunday, June 10, 2001 10:53 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: FW1 is letting the traffic out but not the port starts 'listening'

Hi, I have a FW1 version 4.1 SP2 installation on WinNT 4.0 SP6. My network is a simple one where I have a couple of servers on the LAN and a router; the FW1 pretty much sits between the LAN servers and the router. I configured the proper NAT and security policy settings, absolutely no problem with that. The firewall's SMTP port is not 'listening' on behalf of the internal Exchange mail server even though I statically NAT-ed it with a global IP address. I tried telnet-ing to it, but it doesn't go through, yet I can browse from this Exchange server. I could even telnet to port 25 of the DMZ NIC card of the Exchange server, showing the service is running perfectly. I can see the mails flowing out of my network to hotmail.com but not the other way. The current security policy is 'all-all-all'. Any helpers please, thanks.

James
Re: Firewalls digest, Vol 1 #33 - 7 msgs
- Original Message -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, June 22, 2001 3:06 PM
Subject: Firewalls digest, Vol 1 #33 - 7 msgs

Send Firewalls mailing list submissions to [EMAIL PROTECTED]
To subscribe or unsubscribe via the World Wide Web, visit http://lists.gnac.net/mailman/listinfo/firewalls or, via email, send a message with subject or body 'help' to [EMAIL PROTECTED]
You can reach the person managing the list at [EMAIL PROTECTED]
When replying, please edit your Subject line so it is more specific than Re: Contents of Firewalls digest...

Today's Topics:
1. RE: Has anyone heard of this? (Meritt James)
2. Re: Synchronise two servers in DMZ (Ron DuFresne)
3. Re: Real Secure and Firewall-1 ([EMAIL PROTECTED])
4. RE: Has anyone heard of this? (Scott Godfrey)
5. RE: Need to Lock Down Mail Relay (Young, Beth A.)
6. RE: Why router are vulnerable to FTP and DNS? (Cessna, Michael)
7. RE: Router packet filtering (Cessna, Michael)

--__--__--

Message: 1
Date: Fri, 22 Jun 2001 13:31:52 -0400
From: Meritt James [EMAIL PROTECTED]
Organization: BAH
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: Has anyone heard of this?

I used to know several companies that did ethical hacking as a consulting service for companies who wanted reports on how good their security setup was. They did everything from brute force to social engineering. The funny thing was that they used the same tools that are publicly available (nmap, snort, etc.).

Fee for fixing television: $100
Itemized list:
hitting the television: $1
knowing where to hit: $99

Same thing. I have the same tools a professional mechanic uses most. He knows better HOW to use them, on what,... Same thing.

--
James W. Meritt, CISSP, CISA
Booz, Allen Hamilton
phone: (410) 684-6566

--__--__--

Message: 2
Date: Fri, 22 Jun 2001 10:48:10 -0500 (CDT)
From: Ron DuFresne [EMAIL PROTECTED]
To: Hans Scheffers [EMAIL PROTECTED]
Cc: Firewall List [EMAIL PROTECTED]
Subject: Re: Synchronise two servers in DMZ

I think rsync can run sweetly under ssh, have you looked into that? Others will remind me if I'm incorrect here, but it sleeps in the back of the mind here, so it might be fact. Then again, it is a Friday, laziest day of the week, barring forest fires...

Thanks,
Ron DuFresne

On Fri, 22 Jun 2001, Hans Scheffers wrote:

Hi, this is off-topic I know, but I have a small problem. I have two servers in the DMZ (both Linux) that have to be synchronized on the data files (only on the data files); on both ssh/scp runs, but no telnet/telnetd. Server 2 has to receive the data from server 1, but because of the amount of data only changed/new files have to be copied. With cp, I can synchronise dir 2 with dir 1 with the -u / --update parameter. scp doesn't know this option and I cannot find an option that does this in the manpages of ssh/scp. Does anyone have a hint on how to do this?

greetz
Hans

___ Firewalls mailing list [EMAIL PROTECTED] http://lists.gnac.net/mailman/listinfo/firewalls

~~
Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation. -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.

--__--__--

Message: 3
Subject: Re: Real Secure and Firewall-1
To: Carl E. Mankinen [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED], [EMAIL PROTECTED], Fredy Santana [EMAIL PROTECTED]
From: [EMAIL PROTECTED]
Date: Fri, 22 Jun 2001 20:54:52 +0300

Hi,
As stated (unofficially), the Checkpoint RealSecure product will be ISS RealSecure in the near future. It won't be a problem, is it?
Regards.

--
Ihsan Cakmakli
YKT
Tel: 90.262.6472861
Fax: 90.262.6471711
[EMAIL PROTECTED]

Carl E. Mankinen [EMAIL PROTECTED]
Sent by: firewalls-admin@pluto.gnac.com
To: firewalls@pluto.gnac.com, Fredy Santana [EMAIL PROTECTED]
cc:
Subject: Re: Real Secure and Firewall-1
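Ron's suggestion in message 2 of the digest above (rsync over ssh) is the right tool for what Hans asked about. The block below is an added example, not code from the thread or from rsync: it implements the same decision rule that cp -u and rsync --update apply, so the skip condition can be seen and tested on two local directories. The two sample trees it builds are constructed for the demo; over the network the equivalent is rsync -au -e ssh src/ host:dst/, which applies this rule across an ssh channel.

```python
"""Copy only new or newer files from one directory tree to another.

Added example (not code from the list thread): implements the decision
rule behind cp -u / rsync --update on two local directories.  The sample
trees in demo() are constructed for the demonstration.
"""
import os
import shutil
import tempfile


def sync_newer(src, dst):
    """Mirror src into dst, copying a file only when it is absent from dst
    or strictly newer than the copy already there.  Returns the relative
    paths that were copied, sorted."""
    copied = []
    for root, _dirs, files in os.walk(src):
        rel = os.path.relpath(root, src)
        target_root = dst if rel == "." else os.path.join(dst, rel)
        os.makedirs(target_root, exist_ok=True)
        for name in files:
            s = os.path.join(root, name)
            d = os.path.join(target_root, name)
            # --update semantics: the receiver keeps a copy that is at least
            # as new, so a file edited on server 2 is never clobbered.
            if os.path.exists(d) and os.path.getmtime(d) >= os.path.getmtime(s):
                continue
            shutil.copy2(s, d)  # copy2 keeps mtime, so the next run is a no-op
            copied.append(os.path.relpath(d, dst))
    return sorted(copied)


def demo():
    """Build two constructed trees and run sync_newer twice.

    Returns (first_pass, second_pass, content_of_b_on_server2)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "server1")
        dst = os.path.join(tmp, "server2")
        os.makedirs(os.path.join(src, "data"))
        os.makedirs(os.path.join(dst, "data"))

        def write(path, text, mtime):
            with open(path, "w") as fh:
                fh.write(text)
            os.utime(path, (mtime, mtime))

        # a.txt exists only on server 1 -> must be copied
        write(os.path.join(src, "data", "a.txt"), "new on server1\n", 1000)
        # b.txt exists on both; server 2's copy is newer -> must be skipped
        write(os.path.join(src, "data", "b.txt"), "old on server1\n", 1000)
        write(os.path.join(dst, "data", "b.txt"), "edited on server2\n", 2000)

        first = sync_newer(src, dst)
        second = sync_newer(src, dst)
        with open(os.path.join(dst, "data", "b.txt")) as fh:
            b_content = fh.read()
    return first, second, b_content


if __name__ == "__main__":
    print(demo())
```

The second pass copies nothing because copy2 preserved the source mtime, which is also why a cron-driven rsync -u stays cheap: only files that changed on server 1 since the last run cross the link.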
Re: I WANT TO UNSUBSCRIBE BUT HOW PLS HELP !!!!!!!!!!!!!!!!!!1
MEHMET A TOLUAY wrote:

- Original Message -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, July 09, 2001 11:38 PM
Subject: Firewalls digest, Vol 1 #82 - 9 msgs

Send Firewalls mailing list submissions to [EMAIL PROTECTED]
To subscribe or unsubscribe via the World Wide Web, visit http://lists.gnac.net/mailman/listinfo/firewalls or, via email, send a message with subject or body 'help' to [EMAIL PROTECTED]

Just go to the link where it says unsubscribe: http://lists.gnac.net/mailman/listinfo/firewalls
Then go to the bottom of the page and look for the Edit Options line. Put your email address in the field. You will be forwarded to another page. In order to unsubscribe you will have to fill in the line with your password. Then press Unsubscribe. If you forgot it, just have it sent to you. This seems complicated but it's to protect people's privacy, so that the service won't be misused by others.

--
Patrick Benson
Stockholm, Sweden
RE: Hacking FW-1 programs
Excellent !!! ;-) For once I had fun reading my emails this morning.

P

...computer games don't affect kids, I mean if Pac Man affected us as kids, we'd all run around in a darkened room munching pills and listening to repetitive music...

On 11/07/2001 10:20:30 ZE2 Marx, Jörg wrote:

Best article ever read on this list, hehe... Don't feed the trolls ! ;-)
cu
another J

-Original Message-
From: J [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 11, 2001 9:39 AM
To: [EMAIL PROTECTED]
Subject: RE: Hacking FW-1 programs

Well, for the determined of spirit, I offer the following advice:

A firewall is a difficult thing to get through. First off, most good ones are made of heat-molded concrete with a ludicrously high grain-count, so just the outer layer is going to be hard to get through. See, the challenge is to generate enough heat in one concentrated region so the fine-grain of the concrete shell begins to melt together into an oily sludge. This is a sign things are going well. Additionally, the sludge will help keep the drill-bits cool. Now, at this point, many seasoned professionals will recommend diamond-tipped drill bits. I however, being a believer in modern technology, prefer the tungsten-carbide bits. While you do replace more of them during an operation, I find they wear predictably and provide a better conduit-area for your needs.

Next, you'll have to contend with a reinforced aluminium-carbon sink-plate. The reason for this layer is to distribute the heat from the outer walls of the firewall to something else; in most cases, foundation beams in the building, sending the heat into the surrounding foundation. The compressed-aluminium will get your tungsten bits very, very hot. I'd also recommend wearing ear protection at this point. Be aware that dogs will start barking for miles around when you hit this layer.

Once through the heat-sink, you're faced with one of two typical possibilities: ceramic interior or polycarbonate-platter walls. If you find ceramic, you're in luck, because the ceramic will withstand the pressure of the explosives you'll be using later. The platters, however, are another ball game. All I'll say is: bring a DustBuster! Providing you've come up 7's on the ceramic, you should go ahead and stuff as much plastic-explosive as you can in the hole you've drilled (which was 3 diameter, right?). Most experts, and I concur with them this time, prefer to use Primacord as the detonation device. I've heard of a few nice tricks with wrapping the Prima around the firewall to help cut the outer concrete shell and shatter the wall itself.

Step 10: Blow up firewall.

If you followed the above steps, you should now have, after the dust settles, a pathway through the firewall into the inner-room that you should be able to walk or crouch through. Grab your spool of CAT5 cable, and tow a lead behind you as you walk through your new hole in the firewall. Once inside, crimp the end of the cable you're holding with a standard RJ45 connector. Take note of the order the colored-wires are in: you'll need to make the other end the same way. Plug into edge router or switch. Walk back to spool. Count out about twenty feet of cable, and cut. Crimp another RJ45 connector on this end, taking care to align the little colored-wires in the same order as the first end, and plug into your computer. I guarantee the firewall will not interrupt any traffic on your line.

Hope this helps,
J

Cheers!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of MNR. E DE BEER
Sent: Tuesday, July 10, 2001 8:00 PM
To: [EMAIL PROTECTED]
Subject: Hacking FW-1 programs

Are there any hack software that I can use to get access to a Firewall-1 without using Inetkey (username and password)? Where can I find this software?
Re: something new afoot, sweeping scans:
Ron DuFresne wrote:

Folks,
Someone mentioned seeing similar signatures in their logs earlier today to the signatures we are seeing in dramatic rapidity in a short time span. Are other sites seeing similar signatures? Quick greps attached and posted below. Has a new toy been unleashed, or is this an old toy we have not seen the signature for before?

  208.1.131.11 - - [18/Sep/2001:10:00:53 -0400] GET /scripts/root.exe?/c+dir HTTP/1.0 404 210
  208.1.131.11 - - [18/Sep/2001:10:00:53 -0400] GET /scripts/root.exe?/c+dir HTTP/1.0 404 210
  208.1.131.11 - - [18/Sep/2001:10:00:54 -0400] GET /MSADC/root.exe?/c+dir HTTP/1.0 404 208
  208.1.131.11 - - [18/Sep/2001:10:00:54 -0400] GET /MSADC/root.exe?/c+dir HTTP/1.0 404 208
  208.1.131.11 - - [18/Sep/2001:10:00:55 -0400] GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 218
  208.1.131.11 - - [18/Sep/2001:10:00:55 -0400] GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 218
  208.1.131.11 - - [18/Sep/2001:10:00:55 -0400] GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 218
  208.1.131.11 - - [18/Sep/2001:10:00:56 -0400] GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 218
  208.1.131.11 - - [18/Sep/2001:10:00:56 -0400] GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 232
  208.1.131.11 - - [18/Sep/2001:10:00:56 -0400] GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 232
  208.1.131.11 - - [18/Sep/2001:10:00:57 -0400] GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 249

There's lots of activity going on at Securityfocus, on the Incidents list, and here's one snippet: http://www.securityfocus.com/archive/75/214799

--
Patrick Benson
Stockholm, Sweden
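The greps Ron posted are the kind of thing a small script can pull out of a web server log automatically. The block below is an added example, not code from the thread: it parses Apache common-log lines, flags requests that carry the markers visible in the quoted lines (root.exe, cmd.exe, /MSADC/, /_vti_bin/, the double-encoded %255c traversal) and summarises hits per source address with the time window and the status codes returned. The SAMPLE_LOG is constructed from four of the quoted lines plus one ordinary request; the marker list is just what this message shows, not a complete signature set.

```python
"""Flag worm-style probes in Apache access-log lines, per source address.

Added example, not code from the list thread.  The markers are taken from
the requests quoted in the message above; SAMPLE_LOG is constructed.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache common log format.  The quotes around the request are optional so
# that lines copied out of a grep (as in the message above) still parse.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"?(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/\d\.\d)"? '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Compared against the lower-cased, once-decoded path, so /MSADC/ and
# %255c (which becomes %5c after one decode) are both caught.
PROBE_MARKERS = (
    "root.exe",
    "cmd.exe",
    "/msadc/",
    "/_vti_bin/",
    "..%5c",    # encoded backslash traversal left after one decode
    "..\\",     # literal backslash traversal
)

# Constructed sample: four of the quoted probe lines plus one benign hit.
SAMPLE_LOG = """\
208.1.131.11 - - [18/Sep/2001:10:00:53 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
208.1.131.11 - - [18/Sep/2001:10:00:54 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208
208.1.131.11 - - [18/Sep/2001:10:00:55 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218
208.1.131.11 - - [18/Sep/2001:10:00:56 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
10.0.0.5 - - [18/Sep/2001:10:01:10 -0400] "GET /index.html HTTP/1.0" 200 1234
"""


def is_probe(path):
    """True when the request path carries one of the probe markers."""
    decoded = unquote(path).lower()
    return any(marker in decoded for marker in PROBE_MARKERS)


def scan(lines):
    """Return {source_ip: record} for every source that sent a probe.
    Unparseable lines are skipped rather than raising; real logs have junk."""
    hits = defaultdict(lambda: {"count": 0, "status_codes": set(),
                                "first": None, "last": None, "paths": []})
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m is None or not is_probe(m["path"]):
            continue
        rec = hits[m["host"]]
        rec["count"] += 1
        rec["status_codes"].add(int(m["status"]))
        rec["first"] = rec["first"] or m["time"]
        rec["last"] = m["time"]
        rec["paths"].append(m["path"])
    return dict(hits)


def report(hits):
    """One line per source, busiest first.  A 404 means the file was not
    there; any 2xx on a probe path is flagged for a closer look."""
    lines = []
    for host, rec in sorted(hits.items(), key=lambda kv: -kv[1]["count"]):
        succeeded = any(200 <= s < 300 for s in rec["status_codes"])
        lines.append("%s: %d probes %s .. %s%s" % (
            host, rec["count"], rec["first"], rec["last"],
            "  ** at least one 2xx **" if succeeded else ""))
    return lines


if __name__ == "__main__":
    for line in report(scan(SAMPLE_LOG.splitlines())):
        print(line)
```

The status code matters more than the count: every line Ron quoted is a 404, which says the host did not have the target files, whereas a 200 on one of these paths is the point at which a log grep turns into an incident.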
Re: (no subject)
What do you need help on, Carlos?

*** IMPORTANT ! **
The content of this email and any attachments are confidential and intended for the named recipient(s) only. If you have received this email in error please notify the sender immediately. Do not disclose the content of this message or make copies. This email was scanned by eSafe Mail for viruses, vandals and other malicious content.
**
RE: Please assist, tracking or IDS options.
JJ, humbly I would like to interject that a consultant cannot replace someone on your own staff that knows something about security.
-pat

On Wed, 24 Oct 2001, J wrote:

David:
Seriously, your best bet may be an independent consultant. This is for a variety of reasons:
--) Independent consultant is not aware of any internal company politics, so that's not a factor should you end up prosecuting the offender;
--) Consultant may have expertise in this area that you don't (evidence collection.)
--) Once job is done, consultant is done; you don't need to hire them.
Lastly, breaching a computer system (in most cases) is a U.S. federal offense. Your local law enforcement, or even the FBI, have teams of people dedicated to this problem. You may want to work with them in developing a method to catch the perp.
Just my thoughts,
JJ

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Ng
Sent: Tuesday, October 23, 2001 5:14 PM
To: [EMAIL PROTECTED]
Subject: Please assist, tracking or IDS options.
Importance: High

Dear all,
We have an NT network that was hit the other day, in the sense that it was remotely shut down by an individual somehow. The person might have the passwords and also sound technical expertise in remote utilities. Is there a way for me to trace where the traffic was coming from that day and what IP address? Also, is there a way to automatically capture the screen if it was remotely controlled?
Please advise, thanks in advance.
Sincerely,
David Ng
Re: Why does ipchains open netbios ports when policy is to deny?
jennyw wrote:

I have a default policy of deny on the input chain. I do not open up netbios. And yet when I run nmap to scan my computer, it shows that netbios ports (137/udp, 138/udp, and 139/tcp) are open. It also shows that port 1031/udp is open (I have no idea what this is -- nmap says it's iad2) and that 9/udp is also open (it says service is discard -- I'm also not sure what this is). When I type ipchains -L it does not show the ports as being accepted ... Can someone suggest why this might be happening?
Thanks!
Jen

What is the output of ipchains -nvL? Are you using your own script? If you're trying to nmap within your network perimeter you'll get open ports because they need to be open on the inside, if you need them for your internal boxes. Are you trying with scans from outside your network, from the net?

--
Patrick Benson
Stockholm, Sweden
Re: NAT
didn't know vi had an email client...

On 18 Dec 2001 [EMAIL PROTECTED] wrote:

jaskdjalskdj
:q
:q
q
:quit
Re: FW: Win2kAdvance Server
At least while using Linux as a firewall one can build the kernel to suit the particular needs of the situation. With msft you're stuck with the OS that comes from the box, and have to wait for patches from the manufacturer.

On Mon, 28 Jan 2002, Marc Sahr wrote:

As if using Linux as a firewall wasn't scary enough... We all know a Linux firewall is unhackable, right???
Marc

-Original Message-
From: piranha piranha [mailto:[EMAIL PROTECTED]]
Sent: Sunday, January 27, 2002 10:57 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Win2kAdvance Server

i certainly hope not, as this would encourage folks to use a M$ product as a firewall... scary thought indeed.
piranha

hi,
On Wed, Jan 23, 2002 at 05:06:38AM +0800, Rodel P Hipolito wrote:

Does Windows 2k Advance Server have a built-in firewall? Or can we modify its registry so that it would act as a firewall?

no, but ... if you go to the properties of your network card - properties of tcp/ip - advanced - options - properties of tcp/ip filtering you may enable or disable filtering and set the allowed ports for tcp, udp and the allowed ip protocols. but in fact that's not a firewall.
ciao
sascha

--
Sascha Andres
[EMAIL PROTECTED]
http://www.programmers-world.com

_ http://fastmail.ca/ - Fast Secure Web Email for Canadians
RE: Cable Modem security
They have started up an @work service with, what do you know.. IPSec tunneling. Seems like they are trying to do the price gouging angle to me.

-Original Message-
From: Erdely, Michael [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 15, 2000 3:29 PM
To: Firewalls
Subject: Re: Cable Modem security

I'm going to go out on a limb (looking at his email address) and say @Home.
-ME

- Original Message -
From: "Jimi Aleshin" [EMAIL PROTECTED]
To: "Valerie Leveille" [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Tuesday, August 15, 2000 2:34 PM
Subject: Re: Cable Modem security

Which Cable Modem Provider is this?

Valerie Leveille wrote:

I've seen a lot of talk about cable modem security (or lack of) and I've got an interesting twist to the story. I'm curious if anyone else has run across this. I have cable modem service at home. I have a firewall set up and occasionally I connect through a VPN tunnel to a local office or to the corporate office to transfer files or to download email. Well, my cable modem provider just changed the subscriber agreement. Basically it says that if I use a VPN or a VPN tunneling protocol on their network my service will be terminated! I can't believe that I'm going to have to change providers because I'm protecting my data! Has anyone else run into this?
Val

- [To unsubscribe, send mail to [EMAIL PROTECTED] with "unsubscribe firewalls" in the body of the message.]
Re: Redhat 7.0:Securing system
Hans Scheffers wrote:

Hi, I have done an out-of-the-box install of Red Hat 7; this doesn't work anymore with inet.d but with xinetd.d. When I look in the directory / config of xinetd.d, I have almost no services that I use, just ssh, ftp, smtp and pop. When I do a portscan on the system with nmap I get the following result:

  nmap -sS localhost
  Starting nmap V. 2.54BETA7 ( www.insecure.org/nmap/ )
  Interesting ports on localhost (127.0.0.1):
  (The 1501 ports scanned but not shown below are in state: closed)

Since you are hardly using any services, why not just turn xinet.d off? In Slackware there are some entries for turning off the superserver in rc.inet2. Those services that you need would probably run fine on their own. Open them up as you need them.

--
Patrick Benson
Stockholm, Sweden