RE: This is a must read document. It will freak you out

2001-06-07 Thread Ari Weisz-Koves
Maybe he is grandstanding a tad, but I think the underlying theme of his argument is solid. The issue here isn't that you can't forge packets from Windows - he didn't explain that correctly, and that seems to be the point everyone is sticking on. The reason I see to be scared is that suddenly

Checkpoint Upgrade

2001-06-07 Thread Vijay Vora
Hi All, I'm planning to upgrade my checkpoint firewall 4.0 running on NT to checkpoint 2000 on Windows 2000 on a new hardware. I would like to know how should I backup my policies network objects and restore it on to the new system. I visited checkpoint site but didn't find any useful

RE: Problems with VPN's with CheckPoint and StoneBeat

2001-06-07 Thread LIOLIS,SPIROS (HP-Greece,ex1)
It seems to me that the cluster is not set up right. The VPN is dependent on Stateful connection and apparently the cluster is not configured right. Could you please tell me a bit more on the cluster configuration? Regards, Spiros -Original Message- From: [EMAIL PROTECTED]

RE: IPCHAINS not Logging correctly

2001-06-07 Thread David Ishmael
Zachary, CCNA stands for Cisco Certified Network Associate which is the first in the training series for the Cisco certification track. I would recommend taking the certification if you're planning on doing any network engineering type work as it gives you a good look at routing and the various

RE: Content Filtering

2001-06-07 Thread David Ishmael
Zachary, I wouldn't consider a filter of any kind to be a firewall. Perhaps that's a mind-set and an overbearing opinion, but I consider router ACL's or software engines that monitor content (URL's) as filters where I consider hardware or software that specifically addresses security measures

RE: Tunnels and Firewalls (WAS: RE: Encryption vs. inspection.)

2001-06-07 Thread Enno Rey
Hi, also does this. If you're doing user/password auth to actually bring up the VPN tunnel _as_well_as_ box auth (L2TP in IPSec does this, f'rinstance) then And - as L2TP is only kind of 'tunneled PPP' - you can then use any authentication scheme that PPP supports (= as soon as there is wider

Winroute not functional after AOL (un)installation

2001-06-07 Thread Stefan Guha
hi list, i recently installed AOL on my windows2000 router box, but soon realized that winroute pro won't be able to route the AOL connection... i gave up on that. so far so bad, no biggie. the real annoying thing about that is, that after i uninstalled AOL 6 Software from the computer, winroute

Remote VPN Users

2001-06-07 Thread A. Drenium
Hi All, I am assessing a Watchguard Firebox II at present for our corporate firewall for a LAN of about 350 users, and I have an issue of how to protect the LAN when users VPN in from the internet. They currently have dynamic IP's, and accordingly I have to allow access to the firewall for

AW: Problems with VPN's with CheckPoint and StoneBeat

2001-06-07 Thread Horst Moll
Just a question: Is the FW Management Station running on one of these machines? If so, then please read the documentation, that if you are running a FW1 VPN Cluster all cluster members must be only FW1 Stations - no management stations !! If you have already configured your system like that, forget

Attaining information about attempted intrusions

2001-06-07 Thread fwlist
Hi all, In response, feel free to let me know if you know of better list to aim questions like this: My client has been portscanned for several weeks now. Upward of thirty scans a day, with a similar profile. They each scan the IP block owned (and conceivably the scan continues past our

Netmeeting: Winroute and Linksys.

2001-06-07 Thread Artur Nurja
Hi! I have difficulties with clients that ask to have video and audio conferences using NetMeeting. The clients are generally after a Linksys router. And all clients are after Winroute Pro 4.1. The clients say that they can see the video of the client in the other side, but can't communicate

Re: Winroute not functional after AOL (un)installation

2001-06-07 Thread Bill Schoolcraft
At Thu, 7 Jun 2001 it looks like Stefan Guha composed: humbly_snipped SG--i have a linux box behind that windows firewall/route. SG--i am connected from the win2k box to the internet using plain dialup (which SG--worked w/o problems before btw). SG-- SG-- SG--can anyone please help ? SG--if not

ICMP packets and Firebox II

2001-06-07 Thread Barry George
Hi All, We have a Firebox II setup stopping most of what we don't want. Everything has been running nicely, then our city run ISP installed a new mail server. We found that mail from its domain was being slowed down or blocked. On inspection it turns out that our firewall

RE: This is a must read document. It will freak you out

2001-06-07 Thread Graham, Randy (RAW)
Of course, the beauty of the digital age is that skill can be transferred electronically. Not every script kiddie has to create a trojan installer capable of loading the correct network interface, just one of them. Once one good trojan comes out to do that (and probably already has), it just

Re: Remote VPN Users

2001-06-07 Thread Lance Ecklesdafer
Andy, I have not heard that many good things about this product. It seems to have some nice features but it lacks good technical support and there is no double password verification available. Additionally, there have been comments made that the implementation of IPSEC is not very good either.

Re: Problems with VPN's with CheckPoint and StoneBeat

2001-06-07 Thread Richard Warwick
[snip] It's been a while since I've done this, but as I recall you need to enable state sharing in FW1 by creating a configuration file (state.conf???) in $FWDIR/conf which contains the IP address(es) of the filter modules you want to share state with. The links below will also give you a bit

RE: This is a must read document. It will freak you out

2001-06-07 Thread Paul D. Robertson
On Thu, 7 Jun 2001, Ari Weisz-Koves wrote: The reason I see to be scared is that suddenly the mainstream operating system used by the least cautious people around, with the best application/os integration providing the easiest trojan methods will by default be able to be used for packet

Re: This is a must read document. It will freak you out

2001-06-07 Thread Jeffery . Gieser
I disagree with Steve's assertions about Win XP but the article dissecting his own DDOS attack was very entertaining. As overstated as it was he does have a small point. Basically, he is saying that most script kiddies just use whatever trojan package is available and most technologically

Re: packet snooping tools for window

2001-06-07 Thread Kim Thomas
Hi.. Does anyone know any free packeting sniffing tools run on windows machine? You might try Analyzer, a windows sniffer tool available through securityfocus. It has different kinds of filters such as packet type, source, destination, etc. On the unfortunate side, all help menus are in

RE: This is a must read document. (MS response)

2001-06-07 Thread Network Operations
Microsoft has embarked on a campaign known as the war on hostile code, with the goal of preventing any hostile code from running on users' systems. Won't this crash Office/Outlook and Win98/2k ?? (sorry I had to do it...) =) Starrdust Webmaster [EMAIL PROTECTED] 06/06 4:04 PM Not to

RE: This is a must read document. It will freak you out

2001-06-07 Thread Frank Knobbe
-Original Message- From: Ari Weisz-Koves [mailto:[EMAIL PROTECTED]] Sent: Thursday, June 07, 2001 12:01 AM [...] Correct me if I'm wrong with the details, but with Windows 95/98/NT/2000 wouldn't the trojan would have to figure out

RE: Problems with VPN's with CheckPoint and StoneBeat

2001-06-07 Thread william.wells
From what I recall from setting up VPNs from us to sites which used Checkpoint VPNs in a load balanced environment, the problem is that Checkpoint runs VPNs slightly differently. VPNs are between 2 IP addresses. As I recall, in a Checkpoint load-balanced cluster, the end of the VPN is on the

RE: This is a must read document. It will freak you out

2001-06-07 Thread Jürgen Nieveler
Look at the auto-updating, plug-in using, trusted signed code only trojans currently floating around, then think about the skillset needed to add a packet driver and stick around for a reboot. Why wait? Remember, this is Windows9x we're talking about... do you think a (l)user would really

RE: This is a must read document. It will freak you out

2001-06-07 Thread Zachary Uram
On Thu, 7 Jun 2001, Paul D. Robertson wrote: It really isn't that big of a deal, there are already enough trojaned Win9x clients out there that even using real addresses doesn't make it easy to stop them. Hi Paul, So is DDoS attacks biggest security threat out there? It seems to be a big

explanation of packet fragmentation etc. ?

2001-06-07 Thread Zachary Uram
In the GRC.COM article he talked about how the malicious intruder was generating bad packets which fragmented en route to their destination and this produced some cascade effect of millions of badly formed packets? How does one generate their own packets? Is it very difficult or lengthy code wise?

Re: ICMP packets and Firebox II

2001-06-07 Thread gilles
Hi, I don't know what is firebox, but I've got '1' in /proc/sys/net/ipv4/icmp_echo_ignore_all which is interpreted by kernel like another port attempt. And so, no reply. It's the primary thing that I give in all my news linuxboxes on the Internet. this void `ping -s 65635 victim.com` for example

Stopping virii and DDoS attacks ( was RE: This is a must read document. It will freak you out)

2001-06-07 Thread Zachary Uram
Sounds bleak. So how will security industry deal with this coming deluge of expected escalatory and intensive proliferation of virus outbreaks and DDoS attacks? SDG, Zach [EMAIL PROTECTED] Blessed are those who have not seen and yet have faith. - John 20:29 - [To unsubscribe, send mail to

Re: This is a must read document. It will freak you out

2001-06-07 Thread dgillett
Note, though, that if somebody's gotten Sub7 onto a box, they can probably use it to install libpcap, making ME and NT as capable, for suitably-written malware, as 2000 and XP David Gillett On 6 Jun 2001, at 16:27, Irony wrote: - From time to time a must read document is published.

FW: FW: ICMP packets and Firebox II

2001-06-07 Thread Barry George
Thanks to all for the replies so far. Here is a note from our Firewall admin on one of the suggestions. Any comments? Thanks Barry Sorry Barry, but I disagree with that statement. We need to block multiple icmp requests. Hackers can use it as a tool to scan other services on the network.

Re: This is a must read document. (MS response)

2001-06-07 Thread Michael R. Jinks
Network Operations wrote: Microsoft has embarked on a campaign known as the war on hostile code, with the goal of preventing any hostile code from running on users' systems. Won't this crash Office/Outlook and Win98/2k ?? (sorry I had to do it...) You may make a better point than you

RE: This is a must read document. It will freak you out

2001-06-07 Thread Paul D. Robertson
On Thu, 7 Jun 2001, Zachary Uram wrote: Hi Paul, So is DDoS attacks biggest security threat out there? No, most certainly intrusions are the biggest threat out there. Stopping intrusions would naturally stop DDoS as well as other attacks. It seems to be a big problem. Especially for

RE: This is a must read document. It will freak you out

2001-06-07 Thread Cessna, Michael
just my $0.02 I think the burden of preventing DDOS attacks needs to be placed on the ISPs not on an operating system or OS manufacturer. Let's face it most of the PC's on the internet are Windows PC's running with little or no

Re: RE: This is a must read document. (MS response)

2001-06-07 Thread JN732765
Don't forget that Microsoft has a vocabulary all of its own. A neutral PC means 100% microsoft applications. Innovate means their right to take over. hostile code probably means anything not written by Microsoft. Network Operations [EMAIL PROTECTED] wrote: Microsoft has embarked on a

ipsec interop revisited

2001-06-07 Thread John Dorsey
Hello all, I searched the web without issue. Is there any more light on the subject of IPSec interoperating between PIX and FW-1 firewalls these days, either CP or Nokia? Could there be a difference in IPSec code between CP and Nokia? This has been discussed before, but time

RE: This is a must read document. It will freak you out

2001-06-07 Thread Zachary Uram
On Thu, 7 Jun 2001, Paul D. Robertson wrote: No, most certainly intrusions are the biggest threat out there. Stopping intrusions would naturally stop DDoS as well as other attacks. Oh I see. So a machine(s) will be compromised through some mechanism (trojan, virus, setuid exploit) and the

Re: This is a must read document. (MS response)

2001-06-07 Thread Zachary Uram
I wonder how this will fare against OpenBSD? Zach On Thu, 7 Jun 2001, Michael Jinks wrote: http://www.nsa.gov/selinux/ Zachary Uram wrote: On Thu, 7 Jun 2001, Michael R. Jinks wrote: More generally, a lot of people much smarter than me (the NSA's Secure Linux team for

RE: FW: ICMP packets and Firebox II

2001-06-07 Thread Ben Nagy
OK, it might be time for a small clue-fest. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] [...] Thanks to all for the replies so far. Here is a note from our Firewall admin on one of the suggestions. Any comments?

RE: Winroute not functional after AOL (un)installation

2001-06-07 Thread Phillip Askey
I use the winroute product also. I have been happy with the overall package except for the poor logging. I was in the process of building a linux box and going with ipchains, because I was uncertain about how secure this product is. Have you seen any successful attacks on your inside network?

RE: This is a must read document. It will freak you out

2001-06-07 Thread Hague, Alex
Hey Zach This is still a long way off and would need to be adopted by companies like Cisco etc. Somehow I don't see that happening anytime soon. Would Cisco, Bay Networks etc. adopt it when it has matured and is ready for market? While I'm at it, here's my bit on the XP side of

RE: This is a must read document. It will freak you out

2001-06-07 Thread Zachary Uram
good point. emphasis is on getting product to market not ensuring the most rigorous testing methodologies. one gets the impression security is an afterthought, at best, in many companies. On Thu, 7 Jun 2001 [EMAIL PROTECTED] wrote: Ahem, actually lack of quality assurance testing in software

RE: Netmeeting: Winroute and Linksys.

2001-06-07 Thread Phillip Askey
I have been able to get netmeeting to work behind winroute pro 4.1. I don't have a linksys, so that must be your problem. Make sure you have port 1720 mapped to inside IP address. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Artur Nurja Sent:

Re: Winroute not functional after AOL (un)installation

2001-06-07 Thread Stefan Guha
there is no special reason, but before that AOL install i was as satisfied with the winroute tool as with the usual ipchains firewall under linux... so, i guess, AOL is the bitch :) thanks anyway -stefan - Original Message - From: Bill Schoolcraft [EMAIL PROTECTED] To: Stefan Guha

Re: ICMP packets and Firebox II

2001-06-07 Thread patrick kerry
There is no mechanism to stop a DOS attack on the fire box. Actually on most firewalls a true DOS attack is impossible to stop. Have your Firewall admin allow the ICMP packets inbound from only that mail server (host). I doubt if your ISP will launch a DOS attack against you, even if they did

RE: ipsec interop revisited

2001-06-07 Thread Ben Nagy
I've done IPSec FW-1 (on Nokia) to PIX pre-v6 with no problems apart from the fact that I'd never touched a FW-1 before. It all worked as advertised, I think. I had to mess about a little but I think that was just me not knowing the Tao of Firewall-1. I've put in a v6 PIX, but didn't do IPSec on

RE: This is a must read document. It will freak you out

2001-06-07 Thread mht
Quality assurance should be folded into Product Certification testing offered by some of the vendors that lurk this list. But Product Certification or BITS Testing can be very costly depending on the type of testing that is conducted. At 07:56 PM 6/7/2001 -0400, Zachary Uram wrote: good

Re: This is a must read document. (MS response)

2001-06-07 Thread Dave Wreski
I wonder how this will fare against OpenBSD? Or EnGarde Secure Linux, for that matter. ESL also implements Mandatory Access Control, using LIDS, but is a complete distribution, not a series of patches and packages. It also includes several other kernel security changes, host and network

RE: This is a must read document. It will freak you out

2001-06-07 Thread Paul D. Robertson
On Fri, 8 Jun 2001, Ari Weisz-Koves wrote: that only one person needs to write a really good trojan before thousands can be using it the next week. And only one person needs to write a good library before thousands can be using it next week. I propose just one more argument to this

RE: This is a must read document. It will freak you out

2001-06-07 Thread Paul D. Robertson
On Thu, 7 Jun 2001 [EMAIL PROTECTED] wrote: Ahem, actually lack of quality assurance testing in software and hardware is the biggest threat out on the Internet today. According to some there hasn't been a new intrusion introduced into the wild except some type of exploit in code that

RE: Tunnels and Firewalls (WAS: RE: Encryption vs. inspection.)

2001-06-07 Thread dgillett
On 7 Jun 2001, at 19:23, Carl E. Mankinen wrote: And this is different from an on-site user, visiting the web through the corporate firewall, exactly HOW? i.e. I do not see how this risk is exacerbated if the client connection comes across a VPN tunnel rather than just a length