ore info from mailing lists and security
/ 'l33t h4X0R d00dZ websites than textbooks, but when you need a number or a
bit offset it is a pain to go hunting through the web.
Cheers!
--
Ben Nagy
Network Consultant, CPMS Group of Companies
Direct Dial: (08) 8422 8319 Mobile: (0414) 411 520
and purposes.
I don't know if you're doing context based stuff with your existing router
though - I don't think the 5500 supports IOS / Firewall feature set.
Cheers,
--
Ben Nagy
Network Consultant, CPMS Group of Companies
Direct Dial: (08) 8422 8319 Mobile: (0414) 411 520
-Original Message
in
between.
I'm not sure it's how _I'd_ do it, but I can't see how it's as drastic as
having people able to connect to NB ports on your local network.
So anyway, what did I miss, Chris?
--
Ben Nagy
Network Consultant, CPMS Group of Companies
Direct Dial: (08) 8422 8319 Mobile: (0414) 411 520
rse lookup will take
every IP address, and think "Hmm...I might just check this" and find the
in-arpa PTR record for that IP address. In this case, lo and behold it turns
out to be hax0r.sinville.edu.
As Chris said, there may be other issues depending on what your front line
firewall set
do the job for about a
tenth of the price of a "real" firewall box, and you'll probably still need
an access router to boot.
(like a shadow, Argument Man slips back into the night!)
--
Ben Nagy
Network Consultant, CPMS Group of Companies
Direct Dial: (08) 8422 8319 Mobile: (0414) 411 520
or by port-and-MAC VLAN. If that's STILL not enough I'd sack 'em.
Cheers,
--
Ben Nagy
Network Consultant, CPMS Group of Companies
Direct Dial: (08) 8422 8319 Mobile: (0414) 411 520
-Original Message-
From: Enrique Fernández [SMTP:[EMAIL PROTECTED]]
Sent: Thursday
use another way of
resolving hostnames? LMHOSTS? Normal (?!) MS browsing without a WINS server?
DNS?
Maybe you could doctor the WINS database manually, if you _must_ use WINS,
and just remove WINS from the dual homed servers' interfaces.
Gotta fly..
--
Ben Nagy
Network Consultant, CPMS Group
or the model of their car.
In summary: The ways in which NT auth sucks shouldn't bother you here, IMO.
The issue is that (I think) you should aim to have an extra layer of
protection for your dialin resources, because they bypass the firewall.
Cheers,
--
Ben Nagy
Network Consultant, CPMS Group
three where you "handoff" the
request to the proxy server _inside_ the network (if you didn't have a DMZ
for example), but you'd need to do horrible things with proxy permissions
and packet filtering which I won't go into lest I spend the afterlife in
TCP/IP Hell.[1]
Cheers,
[1] W
lippant. I can think of some cases where it would be cool
to proxy UDP to a Unix box running BIND or something. However, the ONLY
reason to write such a proxy would be because there was no native DNS server
that runs on the firewall that was any good, and that might be politically
difficult to say
services), all the
companies...you get the idea.
--
Ben Nagy
Network Consultant, CPMS Group of Companies
Direct Dial: (08) 8422 8319 Mobile: (0414) 411 520
-Original Message-
From: [EMAIL PROTECTED] [SMTP:[EMAIL PROTECTED]]
Sent: Sunday, May 09, 1999 5:08 PM
really really decide that you are under attack, the rules are 1. Stay
Calm 2. Write Stuff Down.
Cheers,
[1] And I'd love to know where this comes from - anyone know if IIS tries
some weird netbios lookup on clients?
--
Ben Nagy
Network Consultant, CPMS Group of Companies
Direct Dial: (08) 84
do
this off a server
If that fails, most of the remote control software will work via TCP/IP as
well as directly connected modem. I'd get them to dial into a remote access
server (Cisco, Shiva, Linux box, NT box etc) and use their client that way -
then at least I could apply _some_ control.
IGood L
because the secret segment is never
transmitted...right? Even Diffie-Hellman or something should be proof against
a middleman...
Is there a cryptographer in the house? 8)
--
Ben Nagy
Network Consultant, CPMS Group of Companies
Direct Dial: (08) 8422 8319 Mobile: (0414) 411 520
Well
What's "non-igmp traffic"? Got a packet dump of one of these FW-Killer
packets?
I had a Gauntlet 2.1FW that used to hang for no reason for a while under
suspicious circumstances, but I took the easy option of upgrading it...I'd
be interested to know what the problem is...
--
Ben Na
th another TCP
based service) then IMO a reverse proxy is a pretty reasonable way to do
things.
Couldn't find the thread you referenced, BTW. Mebbe you could fwd it to me
offline?
Cheers,
--
Ben Nagy
Network Consultant, CPMS Group of Companies
Direct Dial: (08) 8422 8319 Mobile: (041
be you can use a VPN type connection?
Cheers,
--
Ben Nagy
Network Consultant, CPMS Group of Companies
Direct Dial: (08) 8422 8319 Mobile: (0414) 411 520
-Original Message-
From: Tally [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 26, 1999 5:29 AM
To: [EMAIL PROTECTE
ce address at the _Ethernet_ level will always be that
NIC on the firewall, but I don't think you can change that unless you have
two NICs that front onto the same network segment (bizarre).
Is this what you were talking about?
--
Ben Nagy
Network Consultant, CPMS Group of Companies
Direct Dial: (08) 8422 8
Wow. What characteristic of the NIC allows you to detect this? I would have
thought that it would be purely internal to the system running the NIC...Is
there some weird Ethernet broadcast that the NIC sends when it's entering
promiscuous mode?
--
Ben Nagy
Network Consultant, CPMS Group
rewall is IMHO a big NO-NO. Between business partners or in a
VPN it's another question.
Never in question. 8)
Rudi
--
Ben Nagy
Network Consultant, CPMS Group of Companies
Direct Dial: (08) 8422 8319 Mobile: (0414) 411 520
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscri
Despite my two messages to the postmaster at gtsgroup, this bizarre
behaviour continues.
I apologise for the messages, even though (despite the spoofed From: ) they
_don't_ come from or indeed _have anything to do with_ me.
Grr.
--
Ben Nagy
Network Consultant, CPMS Group of Companies
Direct
Comments (formatted badly) inline 8b
--
Ben Nagy
Network Consultant, CPMS Group of Companies
Direct Dial: (08) 8422 8319 Mobile: (0414) 411 520
-Original Message-
From: Paul D. Robertson [mailto:[EMAIL PROTECTED]]
Sent: Saturday, May 29, 1999 9:53 PM
To: Ben Nagy
Cc: [EMAIL
he machine to fulfill your stated aim is enough to make
this solution fundamentally insecure. Now I'm sure you can secure IIS
somehow, but the default setups suck very badly so you probably REALLY need
to know what you're doing.
G'luck!
--
Ben Nagy
Network Consultant, CPMS Group of Companies
Direct:
ader Stuff, YMMV.
Cheers,
--
Ben Nagy
Network Consultant, CPMS Group of Companies
Direct: +61 8 8422 8319 Mobile: +61 414 411 520
-Original Message-
From: Dimitris Kontoudis [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 24, 1999 2:25 PM
To: [EMAIL PROTECTED]
Subject:
etwork then a Trojan or an internal attacker with some smarts can do
pretty much anything they want. Then again I've never thought about writing
an HTTP proxy and I don't know the spec too well, so I could be mistaken. In
fact, _please_ tell me I'm mistaken.
Cheers,
--
Ben Nagy
Network Consultant, CPM
Anywhere essentially compromises the entire
system (by design).
Cheers,
--
Ben Nagy
Network Consultant, CPMS Group of Companies
Direct: +61 8 8422 8319 Mobile: +61 414 411 520
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 22, 1999
is not only to give yourself
more cover, but also to avoid a situation where multiple firewalls might be
vulnerable to a shared vulnerability (five BSD firewalls are no good if the
same TCP/IP stack implementation bug works on all of them).
--
Ben Nagy
Network Consultant, CPMS Group of Companies
work fine.
Cheers,
[1] Yeah, well this is a simplified explanation, okay? There are some minor
brain benders in setting up edge routers to do IPSec tunnels in NAT
environments, but nothing too hard.
--
Ben Nagy
Network Consultant, CPMS Group of Companies
Direct: +61 8 8422 8319 Mobile: +61 414
about a simple network to network
implementation.
Cheers,
--
Ben Nagy
Network Consultant, CPMS Group of Companies
Direct: +61 8 8422 8319 Mobile: +61 414 411 520
-Original Message-
From: TC Wolsey [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 04, 1999 12:32 AM
To: [EMAIL
FYI
--
Ben Nagy
Network Consultant, CPMS Group of Companies
Direct: +61 8 8422 8319 Mobile: +61 414 411 520
-Original Message-
From: Espinola, Micheal [mailto:[EMAIL PROTECTED]]
Sent: Saturday, August 07, 1999 4:27 AM
To: '[EMAIL PROTECTED]'
Subject: RE: NT Security
Hello,
I
problem...
Is there a trick?
--
Ben Nagy
Network Consultant, CPMS Group of Companies
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
-Original Message-
From: Craig I. Hagan [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 17, 1999 5:57 AM
To: Burgess, Jeff
Cc: '[EMAIL PROTECTED
Buh?
You're telling me that every NIC on every Sun box has the _same_ MAC
address? Exactly how are "all switches" designed to "handle" that?
Please tell me that I've drastically misinterpreted this.
Cheers,
--
Ben Nagy
Network Consultant, CPMS Group of Companies
PGP Key ID
that all client machines have an entry for the WINS server on the
remote network. You may be able to hand this information out in the DHCP
lease when the incoming VPN connection is terminated.
Last resort - use an LMHOSTS file on each client. That should work.
Cheers!
--
Ben Nagy
Network Consultant
s damn MTU discovery thing. I
don't let 'em in, and I've never seen problems - I've seen lots of posts
from people warning of the dangers, and a few from people who claim that, in
the real world, they've never had problems...Could someone give me a moron's
version of The Wonderful World of Fragmentatio
or that the poster
is Just Making It Up?
Cheers,
--
Ben Nagy
Network Consultant, CPMS Group of Companies
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
-Original Message-
From: Alfonso Lazaro [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 02, 1999 8:46 PM
To: [EMAIL PROTECTED
l of trust in the Internal LAN were not great, or the information
/ resources used in the LAN DMZ were that critical, then I guess this
architecture could be useful.
[Explanatory ASCII Art]
LAN
Router1
DMZ for LAN users
FW1
No man's land
FW2
DMZ for Internet users
Router2
Cheers,
--
Ben Nagy
"trillion-trillion years" (in relation to crypto) again. ;)
--
Ben Nagy
Network Consultant, CPMS Group of Companies
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Saturday, September 04, 1999 5:05 AM
To: [EMAIL P
Am I the only one that doesn't know what this is about? Reference?
(feeling lazy for not doing own research)
--
Ben Nagy
Network Consultant, CPMS Group of Companies
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
-Original Message-
From: Ng, Kenneth (US) [mailto:[EMAIL PROTECTED
. Just make sure that no NAT happens to IPSec'ed
data.
Hope this helps ;)
--
Ben Nagy
Network Consultant, CPMS Group of Companies
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
-Original Message-
From: Frank Knobbe [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 07, 1999 11:50 PM
port laws for encryption suck.
Thank you for your time.
--
Ben Nagy
Network Consultant, CPMS Group of Companies
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 08, 1999 7:12 AM
To: [EMA
-Original Message-
From: Fabio Rocha [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 14 September 1999 10:52 PM
To: Ben Nagy
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: Security policy design issues (long)
DISCLAIMER: I am not a WWW / CGI expert. I actually know
squat about
n are just passed through (basically) an SPF. Very fast. As I
understand it, 'normal' Stateful Packet Filters don't necessarily do this
unless they need to in terms of opening and closing ports. Then again I
could be wrong.
--
Ben Nagy
Network Consultant, CPMS Group of Companies
PGP Key ID: 0x1A86E304
strong authentication (like digital certs or something)
because then all that's protecting your client entered data is the stupid
40-bit key and once someone cracks one session they can impersonate you
forever.
So, I would say yes. I think it is bad practice.
Cheers,
--
Ben Nagy
Network Consultant
process is
actually doing the listening.
No points will be awarded for lists of well-known ports, references to the
'netstat' command or suggestions involving "using a real operating system".
Cheers,
--
Ben Nagy
Network Consultant, CPMS Group of Companies
PGP Key ID: 0x1A86E304 Mobile: +
. But if the balance still works out
in favour of the *nix solution, I would suggest that you go with one Linux
box and one openBSD box or some similar mis-match of OSs between the two.
You don't want one bug to cut a hole through _both_ your firewalls.
Have fun,
--
Ben Nagy
Network Consultant, CPMS
ne help me out.
Please could someone tell me what is the function of ARP
while doing NAT.
I would also be very thankful if I was pointed to some good
Docs on NAT and configuring the same on cisco routers.
--
Ben Nagy
Network Consultant, CPMS Group of Companies
PGP Key ID: 0x1A8
r feasible as paranoid security freaks like us
make out. Unless it's ultra-sensitive, I'd not worry about it (but use
strong crypto anyway - never hurts to be sure ;).
--
Ben Nagy
Network Consultant, CPMS Group of Companies
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
ON
Cheers,
--
Ben Nagy
Network Consultant, CPMS Group of Companies
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
-Original Message-
From: Jean Morissette [mailto:[EMAIL PROTECTED]]
Sent: Saturday, 16 October 1999 11:43 PM
To: Frank Pawlak; [EMAIL PROTECTED]
Subject: RE: InfoSec
matically. If you've gotten it not to, then tell me how!
One more question -
If I setup netbios on the VPN client (and PPTP/RAS server), users can
connect and authenticate and do whatever they can/allowed.
if you have a situation that works, what's the problem?
Cheers,
--
Ben Nagy
Network Co
attain a fairly good level of security with NAT and packet filters on the
router (I sound like a broken record, right?). Remember, the router _is_ a
firewall - it provides directionally differentiated access to network
resources.
(Back to the amazon.com "crypto" challenge...)
--
Ben Na
is turned on, that the firewall
is plugged into the LAN and the power and I have also sacrificed some small
rodentia in the name of Shub-Internet.
Thanks...
[1] Retry, Restart, Reinstall
--
Ben Nagy
Network Consultant, CPMS Group of Companies
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
lp,
Michael Sorbera
Webmaster of a Federal Credit Union
"In the land of the clueless, he who has half a clue is King!"
I don't want to be mean, but READ THE SPEC! It's not even that hard to
understand! Email me OOB and I'll give you a shipping address for my editing
cheque. ;)
Chee
that _your_
data going to contractor A isn't readable by contractor B, which is possibly
more important. This is even more compelling if the people have anything
like physical access to any of the wire (you mentioned that there was a
concern RE: access to the switch console port).
Cheers,
--
Ben Nagy
should be asking the vendor of the box that will be doing NAT - they
should have a list.
eg: Cisco's list is here: http://www.cisco.com/warp/public/701/60.html#HDT3
Cheers,
--
Ben Nagy
Network Consultant, CPMS Group of Companies
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
(added arp manual arp cache entries to the
upstream router). And here was me thinking I was just a lazy kludge artist.
Cheers,
--
Ben Nagy
Lazy Kludge Artist, CPMS Group of Companies
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
ttp://www.nai.com/media/pdf/products/tns/Pgpvpn_b.pdf
--
Ben Nagy
Network Consultant, CPMS Group of Companies
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
vendor...I think you may need to re-examine
some of your assumptions. I'm not saying you're wrong (except about the SPF
vs Application Gateway thing), but I think that even if you're right you're
quite possibly ignoring any better solutions that may be out there.
Nathan A. Long
Cheers,
vices - Asia Pacific Engineering
Opinions expressed herein are mine, not my
employer's
Cheers,
--
Ben Nagy
Network Consultant, CPMS Group of Companies
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
the connection to the internal DB through the magic proxy and
everything would be reasonably clean.
If you MUST do it this way, I'd try really hard to get a good, strong WWW
server and platform and a DB that you trust to cope with deliberately
tainted input.
Cheers!
--
Ben Nagy
Network Consultant
these lines on the FW-1 box - I dunno, I'm
not a FW1 guy.
Cheers,
--
Ben Nagy
Network Consultant, CPMS Group of Companies
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
-Original Message-
From: Blanco, Juan [mailto:[EMAIL PROTECTED]]
Sent: Sunday, 21 November 1999 12:10 AM
To: '[EMAIL
sequence and because the "something you know" bit (the PIN or
the passphrase) is longer and more memorable.
--
Ben Nagy
Network Consultant, CPMS Group of Companies
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
if they
contain any commands or suspicious looking data - there could be a Bad Thing
out there that uses a trojan which listens for ICMP errors as the activation
signal.
Cheers,
--
Ben Nagy
Network Consultant, CPMS Group of Companies
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
rough
to the trusted side of the firewall.
If it's a remote host or if it's more than one machine, use VPN stuff. This
is functionally equivalent to pulling it through to the trusted side, as
above.
Cheers,
--
Ben Nagy
Network Consultant, CPMS Group of Companies
PGP Key ID: 0x1A86E304 Mob
to be more specific than and on a different
interface than the route to 90.0.0.x/24.
Any help will be deeply appreciated !!!
Ing. Gerardo Soto Casados
Compu-Redes
Cheers,
--
Ben Nagy
Network Consultant, CPMS
, but I'll leave that as an exercise to the deranged
reader with too much time to hand-figure binary.
So, for example, 90.0.0.0 through to 90.0.0.31 _can_ be collected in one
statement.
-Original Message-
From: Ben Nagy [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 5 January 2000 2:46 PM
you should. Assuming by "initial message" you mean getting your
connection rejected by the SSH daemon.
Cheers!
Jon
G'luck!
--
Ben Nagy
Network Consultant, CPMS Group of Companies
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
point Thing", then ignore this completely.
Anyway, HTH - any FW-1 guys out there wanna chip in? Huh? ;)
Cheers!
--
Ben Nagy
Network Consultant, CPMS Group of Companies
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
tuff with this technique
alone.
Cheers,
--
Ben Nagy
Network Consultant, CPMS Group of Companies
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
ity angle. If you're using NAT then you can be more elegant by
having a NAT mapping for port 113 on all mailserver IP addresses that points
to a "safe" host (I tend to use the router itself) whose TCP stack you trust
to send back a TCP RST in the face of adversity and nasty packets.
it if the router is your only line of
defence but not if it's just a first level screen for another firewall (or
two).
Cheers,
--
Ben Nagy
Network Consultant, Volante IT
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
-Original Message-
From: Jon Earle [mailto:[EMAIL PROTECTED]]
Sent
://www.opus1.com/jmsOpus One
Cheers,
--
Ben Nagy
Network Consultant, Volante IT
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
Just a quick one: There's a recent bugtraq post about ICA auth being weak
(using the cunning XOR cipher). That would mean that you have effectively no
security for the usernames / passwords you use to authenticate to the Citrix
server.
You may want to check that out.
Cheers,
--
Ben Nagy
00 5:01 PM
To: [EMAIL PROTECTED]
Subject: Packet Filtering vs. Proxy
[ snip ]
1. When reading about packet filtering and proxies,
everybody says
that a
proxy gives more security than (stateful) packet
filtering. Can you
explain
why?
Cheers,
--
Ben Nagy
N
-Original Message-
From: Jon Earle [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 13 April 2000 11:18 PM
To: Ben Nagy
Cc: [EMAIL PROTECTED]
Subject: RE: Packet Filtering vs. Proxy
At 05:44 PM 4/13/00 +0930, you wrote:
Strictly speaking, a stateful packet filter only keeps
Pardon my curmudgeonliness. I'm getting over the flu.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, 14 April 2000 2:11 AM
To: [EMAIL PROTECTED]
Subject: RE: Packet Filtering vs. Proxy
Ben Nagy [EMAIL PROTECTED] wrote:
So
Ltd. fax: +44 (0)121 606 0477
Cheers,
--
Ben Nagy
Network Consultant, Volante IT
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
Call me nuts.
This is not to say that I have an axe to grind against the PIX 520 or FW-1 -
but this "endorsement" doesn't do anything to make my impression more
positive.
Cheers,
--
Ben Nagy
Network Consultant, Volante IT
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
chele
Cheers,
--
Ben Nagy
Network Consultant, Volante IT
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
ment has not moved to regulate the
internet. The last few years has seen an extraordinary expansion
of intellectual property rights [...] that is producing an
extraordinary power to own and hence control ideas.
[Lessig, http://cyber.law.harvard.edu/events/lessigkeynote.pdf ]
-
Cheers,
--
Ben Nagy
Network
s.
Cheers,
--
Ben Nagy
Network Consultant, Volante IT
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
flamewars on this and the other FW lists. There's even been one this year.
They're not very interesting though (I know, I was there).
tnx in advance for your patience with just another newbie
rj
Cheers,
--
Ben Nagy
Network Consultant, Volante IT
PGP Key ID: 0x1A86E304 Mobile: +61 4
is bad enough.
Implying that you're lecturing to _all_ of us...shudder.
mouss wrote:
The problems with such approach are:
[perfectly reasonable argument snipped for brevity]
regards,
mouss
--
Ben Nagy
Network Consultant, Volante IT
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
ht through without any inspection.
Are you positive that what you want can't be done with a plug proxy? AFAIK
the only reason that they have the ugly packet filter is to block certain
types of traffic at the shim driver level to offer a level of protection for
the host stack.
Cheers,
--
Ben Na
took one look at the virus filtering gear and thought "UhI don't think
so".
*sigh*
--
Ben Nagy
Network Consultant, Volante IT
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
-Original Message-
[many cries of outrage]
tering Princess" Barbie and "Dup'ed fragged XMAS RST" Barbie.[1]
Again, please cancel any orders of vengeful FSF goons coming to beat me with
GPL'ed rubber hoses.
Cheers,
[1] Note for US readers: This paragraph contains sarcasm.
--
Ben Nagy
Network Consultant, Volante IT
PGP Key ID: 0
you don't perform NAT at the edge router
(in other words, NAT (if you use NAT) on or before the VPN box).
Note that you may be able to perform both of these functions on the same
box.
Cheers,
--
Ben Nagy
Network Consultant, Volante IT
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
-Original Message-
From: Robinson, Eric [mailto:[EMAIL PROTECTED]]
Sent: Friday, 2 June 2000 1:20 AM
To: 'Ben Nagy'; '[EMAIL PROTECTED]'
Subject: RE: Where Should the VPN Server Go?
By "fairly bad from a crypto point of view," I presume you
refer to Schneier
a
u need to emulate all the state to
trick the remote TCP stack.
Cheers,
--
Ben Nagy
Network Consultant, Volante IT
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
of a sow's ear". And as Grandma always says "
Heads that don't listen, feel".
Cheers,
--
Ben Nagy
Network Consultant, Volante IT
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
I love ugly, convoluted solutions to apparently simple problems. ;)
Cheers,
--
Ben Nagy
Network Consultant, Volante IT
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
Bad jokes need sharing...
-Original Message-
From: Paul Hart [mailto:[EMAIL PROTECTED]]
Sent: Friday, 9 June 2000 1:22 AM
To: Ben Nagy
Subject: RE: Soapbox on firewall evals
On Thu, 8 Jun 2000, Ben Nagy wrote:
VPN, content screening, email checking, built-in bidet
My
the stuff going to the x.x.x.201 address is sent to the
correct internal host, multiplexing on TCP source port.
Easy, right?
Cheers!
--
Ben Nagy
Network Consultant, Volante IT
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
[EMAIL PROTECTED]
Network and Information (802)388-7545 ext. 236
Systems Manager FAX: (802)388-3697
Computer Alternatives, Inc. http://www.computeralt.com
Simple Problems, Ugly Solutions.
I think I should make that my motto.
Cheers!
--
Ben Nagy
Network
.
Dave Leach, MCSE+ I
Systems Security Engineer
EWA, Information and Infrastructure Technologies
Cheers,
--
Ben Nagy
Network Consultant, Volante IT
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
after five (or so)
minutes. Any limitations with the logging of deny statements on ACLs would
interest me greatly.
Cheers,
--
Ben Nagy
Network Consultant, Volante IT
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
-Original Message-
From: Levin, Alexandre [mailto:[EMAIL PROTECTED]]
Sent
of sense. The not-quite-IOS syntax takes a bit of getting used to
though, and the outbound / apply syntax is a tad arcane.
Cheers,
[1] If any Cisco bods want more information for the sake of interest,
contact me OOB.
--
Ben Nagy
Network Consultant, Volante IT
PGP Key ID: 0x1A86E304 Mobile: +61
e.
Cheers,
--
Ben Nagy
Network Consultant, Volante IT
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
-Original Message-
From: Geoff Nordli [mailto:[EMAIL PROTECTED]]
Sent: Saturday, 24 June 2000 9:59 AM
To: GNAC firewall list (E-mail)
Subject: l2tp and encryption
Could someone plea
worked for spent so much time looking for a fantastic firewall
that they forgot they were planning to implement NT+IIS with ASP as their
e-commerce solution...
--
Ben Nagy
Network Consultant, Volante IT
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
-Original Message-
From: Dan Robb
here have been broken or inefficient in
some way which leads me to suspect that ACL stuff isn't as well understood
as many people think.
Cheers!
--
Ben Nagy
Network Consultant, Volante IT
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
-Original Message-
From: Brian J. Murrell [mailto
,
--
Ben Nagy
Network Consultant, Volante IT
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520